[Leaf-user] pppd and PPPoe together
Hello all, I am running an Eigersteinbeta variant with PPPoE. I want to be able to add an incoming dialup account using pppd that would be masq'ed like any other client. I'm worried that if I install pppd it may overwrite configuration files for the PPP and PPPoE packages I already have installed. Has anyone attempted this setup successfully? I'm not constrained by space as I have a nice fat 35 M package partition thanks to Charles's hard-disk how-to.

TIA
RedGuru
Re: [Leaf-user] LEAF (LRP)
At 11:06 PM 6/18/01 -0500, NOC wrote:
>Well, I hate to say it... but the daemons have just gotten too big
>to keep updated with a floppy based router. There is NO way I can
>get the basics on a single floppy (sshd, telnet, psentry) and have
>the thing boot. My drive just doesn't like the larger floppies.

Depends on your definition of "the basics". Personally, I wouldn't include telnet on that list, and I manage well enough without psentry. I usually run 1.68 MB floppies these days, but I *think* I could get a carefully selected set of "the basics" on a 1.44 if I really had to.

>The only sshd, for instance, that I can get to fit is 1.2.26
>or something like that. I can't leave my network open by
>using a daemon that may have a security hole.

Well, that concern certainly reinforces what I suggested above -- don't include telnet on the router. It's hardly one of "the basics" any more, not with the more secure ssh available. And its unencrypted communications channel certainly has more of a security hole than *any* version of sshd might present.

>So, am I forced, with the masses, to get a hardware router? I find
>it hard to believe that they could be any more secure

Me too ... but you won't find any "hardware router" (none I can think of, anyway) with ssh-based command-line configuration, or anything comparably secure. So if that's your standard (and I think it *should* be your standard, personally), you have to look to other options. Possibilities:

1. Replace your drive with one that does "like" superformatted floppies. Many of us use them routinely, so while your problem isn't unique, neither is it commonly true of floppy drives. New drives only cost about $10 in my area, so this is likely to be an inexpensive solution. (BTW, your problem may be the controller or even the disks, not the drive ... how much have you actually experimented to isolate the problem?)

2. Go to a 2-floppy-drive setup. I know Oxygen is set up to use 2 floppies if they are present; I'm not sure about EigerStein (LRP 2.9.8 isn't, though older LRPs had a 2-drive add-in available).

3. Use a small hard disk, or a superdrive, or a ZIP drive, or a solid-state disk emulator like a JumpTec or a DiskOnChip. Which will work for you depends on what your hardware/BIOS supports and what is available wherever you are located at modest cost.

You can even set up a standard Linux distribution (like Debian Potato) to work as a router, using a relatively old computer (486/40, 16 megs RAM, 40 meg hard disk, for example) and a modest size hard disk. I've gotten Debian down to 20 megs of filesystem space for a dedicated router, and I could do better if I needed to. Not to discourage you from using LEAF, but there are decent Linux alternatives even if Oxygen, EigerStein, or LRP don't suit your specific needs.

--
"Never tell me the odds!"--- Ray Olszewski-- Han Solo
Palo Alto, CA [EMAIL PROTECTED]

___
Leaf-user mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-user
Re: [Leaf-user] LEAF (LRP)
How about a second floppy drive for $15 to $25? I have two in my firewall just for ease of use. You would have to set your syslinux package path variable so that LEAF can find the modules on the second drive.

From the optional section of http://lrp.steinkuehler.net/files/diskimages/eiger/EigerStein.readme

You could use a path of PKGPATH=/dev/fd0u1440,/dev/fd1u1440 if you are having problems with large format floppies.

OPTIONAL: Use two floppies for more space:

You can hook a second 3 1/2" floppy drive up for more storage. Edit syslinux.cfg on your boot disk and add the second floppy drive to the PKGPATH variable (ie PKGPATH=/dev/fd0u1680,/dev/fd1u1440). Put your new packages on the second floppy, and add the package names to the LRP variable in syslinux.cfg (ie LRP=etc,log,local,modules,newpkg) to load them automatically.

Greg

> NOC wrote:
>
> Well, I hate to say it... but the daemons have just gotten too big
> to keep updated with a floppy based router. There is NO way I can get
> the basics on a single floppy (sshd, telnet, psentry) and have the
> thing boot. My drive just doesn't like the larger floppies.
>
> The only sshd, for instance, that I can get to fit is 1.2.26 or
> something like that. I can't leave my network open by using a
> daemon that may have a security hole.
>
> So, am I forced, with the masses, to get a hardware router? I
> find it hard to believe that they could be any more secure
>
> Thanks for your input!
> Chris Kulish
Re: [Leaf-user] LRP 2.9.8 (2.0.x) and sshd
From: "Ray Olszewski" <[EMAIL PROTECTED]>
> Chris -- the Koon Wong versions of ssh and sshd are pretty old. I believe
> there has been (at least) one security-update release since its day. I did
> find what I think are newer versions of ssh and sshd ("Openssh v2.9p1") on
> the LEAF site, at URL
>
> http://leaf.sourceforge.net/article.php?sid=25
>
> (Mike - or anyone - was there some easy way to find this via the menu tree?
> I got it through a search on "ssh" after hitting several dead ends in the
> menus.)

If you want a direct link to the latest openssh lrp package, here it is:

http://leaf.sourceforge.net/devel/jnilo/openssh.html

Jacques
RE: [Leaf-user] LEAF (LRP)
Ack, html email.

You could always just go with a second floppy drive. Other solutions: zip drive, LS-120 and Compact Flash memory.

http://leaf.sourceforge.net/article.php?sid=25&mode=&order=0 for sshd v2.9p1

Though I suspect you already know that.

I hope to set up a dual floppy drive system after I regain connectivity after my move.

--
Steven Peck [EMAIL PROTECTED]
Sacramento, CA
http://leaf.blkmtn.org

-----Original Message-----
From: NOC [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 18, 2001 9:06 PM
To: [EMAIL PROTECTED]
Subject: [Leaf-user] LEAF (LRP)

Well, I hate to say it... but the daemons have just gotten too big to keep updated with a floppy based router. There is NO way I can get the basics on a single floppy (sshd, telnet, psentry) and have the thing boot. My drive just doesn't like the larger floppies.

The only sshd, for instance, that I can get to fit is 1.2.26 or something like that. I can't leave my network open by using a daemon that may have a security hole.

So, am I forced, with the masses, to get a hardware router? I find it hard to believe that they could be any more secure

Thanks for your input!
Chris Kulish
Re: [Leaf-user] LEAF (LRP)
> NOC wrote:
>
> Well, I hate to say it... but the daemons have just
> gotten too big to keep updated with a floppy based router.
> There is NO way I can get the basics on a single floppy
> (sshd, telnet, psentry) and have the thing boot. My drive
> just doesn't like the larger floppies.
>
> The only sshd, for instance, that I can get to fit is
> 1.2.26 or something like that. I can't leave my network
> open by using a daemon that may have a security
> hole.
>
> So, am I forced, with the masses, to get a hardware
> router? I find it hard to believe that they could be any
> more secure

You could use two floppies. You need a floppy cable with two sets of plugs (the end one has seven wires twisted around). These were common on older computers. Then you have 1.44 x 2 = 2.88 megs. LRP can load and backup packages automatically to the appropriate floppy. If you need help changing your system from 1.68 to 2 x 1.44, I can send you the procedure.

You could go with an old IDE CD and a floppy (see Charles' CD version).

You could use a compact flash hooked up to the IDE cable.
Re: [Leaf-user] vnc through lrp
> Dean Moreton wrote:
>
> Hey there thanks a lot for your advice much appreciated. I
> understand most of what it is doing, but being a bit of a
> newbie just need a bit of clarification with what the dhcp
> bit is doing.
>
> so this is entered into/edited in the /etc/dhcp.conf on my
> lrp box?

that is /etc/dhcpd.conf.

Why would you want a static IP with dhcp? Well Windows boxes can get all their configuration - gateway etc, AND you can check the box "Use DHCP for WINS Resolution".

> >dynamic-bootp-lease-length 604800;
> >max-lease-time 1209600;
> >subnet 192.168.1.0 netmask 255.255.255.0 {
> >option routers 192.168.1.254;
> >option domain-name "private.network";
> >option domain-name-servers 192.168.1.254;
> >range 192.168.1.10 192.168.1.100;
>
> The last bit, do i put in the mac address of the nic in
> the computer that i will be wanting to connect to via vnc?
> and in place of host computername do i enter the name of
> the computer or is this irrelevant?

YES put in both the computer name and the NIC number.

> >host computername {
> >hardware ethernet 00:40:f5:5f:2e:3e;
> >fixed-address 192.168.1.1;
> >}
>
> I'm comfortable with the rest of the info you gave me. In
> regards to the lrp box emailing me my dynamic ip so i know
> where to connect to from work, is there a problem with
> mail on some of the eigerstein distros? I have tried using
> it before, entering the appropriate settings in lrp.conf
> like you said but still get errors stating host unknown,
> maybe I'm missing something, but i can ping my smtp server,
> it resolves it etc but mail says it's unknown. Just saw
> your comment about mail and thought I'd ask.

The simplest way, as Scott suggested, is to get one of those free dyndns accounts so that you can access your box by name instead of IP. There is an lrp that will report the change to the dns hosting server.

By the way, I think there is also another change I would make to ESB2 if my ISP assigned my IP via dhcp or PPPoE. I think it is in /etc/dnscache.conf (I use a different version now so can't check). Comment the line that says

#IPSEND=$EXTERN_IP

and uncomment the line that says

IPSEND=0.0.0.0

This prevents dnscache from freezing if your isp suddenly changes your IP number
Re: [Leaf-user] vnc through lrp
Dean:

I use VNC in a manner very similar to what you want to do. You should try out the echowall.lrp firewall config script: I designed it specifically for people "a bit new to this stuff", and it's pretty tiny (~11k I think). It's got the VNC rules built in, plays nice with PPPoE, and works with DHCP-assigned internal machines.

Also, for getting to your external interface easily, give a thought to a dynamic DNS service, like www.no-ip.com. Big list at: www.kvtek.com/ddnsservices.asp

Good luck!

-Scott
http://leaf.sourceforge.net/devel/sbest

> Hi, I'm using a modified version of Eigersteinbeta 2 with a pppoe
> package. What I'd like to achieve is to be able to vnc into a machine on
> my internal network through my lrp box from an external ip (i.e work). I
> take it this will require some modifying of the ip ruleset i.e port
> forwarding etc. Is there a howto someone could point me to? My external
> ip is dynamic so i guess using mail to email me my ip is the way to go.
> Is the fact that my internal machines are dhcp assigned a problem for
> forwarding the vnc stuff through to a specific machine or do i just
> static assign an ip to the machine running vnc? Any suggestions/help
> would be appreciated, I'm a bit new to this stuff
>
> Cheers
> Dean
[Leaf-user] LEAF (LRP)
Well, I hate to say it... but the daemons have just gotten too big to keep updated with a floppy based router. There is NO way I can get the basics on a single floppy (sshd, telnet, psentry) and have the thing boot. My drive just doesn't like the larger floppies.

The only sshd, for instance, that I can get to fit is 1.2.26 or something like that. I can't leave my network open by using a daemon that may have a security hole.

So, am I forced, with the masses, to get a hardware router? I find it hard to believe that they could be any more secure

Thanks for your input!
Chris Kulish
RE: [Leaf-user] vnc through lrp
Hey there thanks a lot for your advice much appreciated. I understand most of what it is doing, but being a bit of a newbie just need a bit of clarification with what the dhcp bit is doing.

so this is entered into/edited in the /etc/dhcp.conf on my lrp box?

>dynamic-bootp-lease-length 604800;
>max-lease-time 1209600;
>subnet 192.168.1.0 netmask 255.255.255.0 {
> option routers 192.168.1.254;
> option domain-name "private.network";
> option domain-name-servers 192.168.1.254;
> range 192.168.1.10 192.168.1.100;

The last bit, do i put in the mac address of the nic in the computer that i will be wanting to connect to via vnc? and in place of host computername do i enter the name of the computer or is this irrelevant?

>host computername {
> hardware ethernet 00:40:f5:5f:2e:3e;
> fixed-address 192.168.1.1;
> }

I'm comfortable with the rest of the info you gave me. In regards to the lrp box emailing me my dynamic ip so i know where to connect to from work, is there a problem with mail on some of the eigerstein distros? I have tried using it before, entering the appropriate settings in lrp.conf like you said but still get errors stating host unknown, maybe I'm missing something, but i can ping my smtp server, it resolves it etc but mail says it's unknown. Just saw your comment about mail and thought I'd ask.

>The dynamic part you will have to solve with /etc/lrp.conf
>lrp_MAIL_SERVER="mail.yourisp.com"
>You may have to check if your version has grep fixed for
>mailing from the lrp box. See Charles' information.

Cheers
Dean
RE: [Leaf-user] Routing in Proxy ARP DMZ
Charles,

We are definitely making progress, but a few kinks remain.

Subject: Re: [Leaf-user] Routing in Proxy ARP DMZ

RE: Ping failures

>You've got me on this one...I don't know why pings are not working. There are no denies of ICMP packets in your firewall rules listed above. Is the machine you're trying to ping setup to send back reply packets? Is it possible you've got ICMP messages blocked on the server you're trying to ping? I don't see anything in your LRP setup that would keep pings from working...

Yeah, I've gotcha alright ;) You have proven your troubleshooting methodology is sound. I had Norton Internet Security running on that box --- and after a recent re-install, it apparently dumped my allow ICMP settings. It was responsible for blocking the ping replies. Beat me with the duh stick --- sorry for the extra trouble...

>> I have added temporary entries to my network.conf to place .172 fully outside.
>> Everything seems to be working fine at the moment.

>I think I know why the game-server is breaking inside the firewall. Matthew masquerades outbound UDP packets by default, which is somewhat more secure than allowing direct UDP connections between the DMZ and the outside world, but tends to break any inbound UDP services (note there are exceptions to the UDP masquerading for BIND, typically the only public UDP based service run on a DMZ).

I think you are on it here --- this is consistent with the random port above 64000 that my testers were seeing. However, see below:

>To fix this for your game server, you'll need to edit /etc/ipfilter.conf as follows:
>Find the following code section in /etc/ipfilter.conf (very near the end, near the comment # Connect DMZ to internet):

$IPCH -A forward -j ACCEPT -p icmp -s 0/0 -d $DMZ_NET -i $DMZ_IF
$IPCH -A forward -j ACCEPT -p tcp -s $DMZ_NET -d 0/0 -i $EXTERN_IF
$IPCH -A forward -j ACCEPT -p icmp -s $DMZ_NET -d 0/0 -i $EXTERN_IF
$IPCH -A forward -j ACCEPT -p udp -s $DMZ_NET domain \
        -d 0/0 -i $EXTERN_IF
$IPCH -A forward -j MASQ -p udp -s $DMZ_NET -d 0/0 -i $EXTERN_IF

Change the last line from:

$IPCH -A forward -j MASQ -p udp -s $DMZ_NET -d 0/0 -i $EXTERN_IF

to:

$IPCH -A forward -j ACCEPT -p udp -s $DMZ_NET -d 0/0 -i $EXTERN_IF

^ Did this --- and re-read it for typos, etc.

>This will provide normal (un-masqueraded) UDP connections between the DMZ and the outside internet. As long as you only allow specific UDP ports inbound using the DMZ_OPEN_DEST variable, you should be secure (other than any potential security bugs in the services you're specifically allowing).

This didn't seem to work. While the line above was in place, tcp and icmp worked fine (ping and http in and out). But, UDP services stopped working altogether (time, game server). The game server looks for its auth server at startup, and barfs when it doesn't find it. When I changed it back to the original setting, the game servers started without a hiccup, but are back to the original problem of broken inbound UDP for the remote console function.

I believe my DMZ_OPEN_DEST settings are working --- I commented them out to verify they work individually. I also tried the tips in Rick O's MiniHOWTo on ensuring all arps on all devices are up to date --- including just letting it all "sit" for an hour.

What do you recommend I re-check?

Thanks again,
Dan
Re: [Leaf-user] LRP 2.9.8 (2.0.x) and sshd
Ray Olszewski, 2001-06-18 15:27 -0700
>Chris -- the Koon Wong versions of ssh and sshd are pretty old. I
>believe there has been (at least) one security-update release since its
>day. I did find what I think are newer versions of ssh and sshd
>("Openssh v2.9p1") on the LEAF site, at URL
>
> http://leaf.sourceforge.net/article.php?sid=25
>
>(Mike - or anyone - was there some easy way to find this via the menu
>tree? I got it through a search on "ssh" after hitting several dead ends
>in the menus.)

Ray,

There will be as soon as I get the packages page done. The openssh version you found is in an article. Here is the link for our packages page. It needs a lot of work.

http://leaf.sourceforge.net/content.php?menu=12&page_id=14

Other ssh packages can be found in the package tarballs in our files area.

http://sourceforge.net/project/showfiles.php?group_id=13751

ELD_LRP-2.9.8_pkg_packages.tar.gz
ELD_Eiger-3.1.0a_pkg_packages.tar.gz

I don't think there are ssh packages in the following tarballs.

EigerStein_2-beta_pkg_packages.tar.gz
Oxygen_Mar.2001_pkg_packages.tar.gz

--
Mike Noyes <[EMAIL PROTECTED]>
http://leaf.sourceforge.net/
Re: [Leaf-user] vnc through lrp
Dean Moreton wrote:
> Hi, I'm using a modified version of Eigersteinbeta 2 with a
> pppoe package. What I'd like to achieve is to be able to
> vnc into a machine on my internal network through my lrp
> box from an external ip (i.e work). I take it this will
> require some modifying of the ip ruleset i.e port
> forwarding etc. Is there a howto someone could point me
> to? My external ip is dynamic so i guess using mail to
> email me my ip is the way to go. Is the fact that my
> internal machines are dhcp assigned a problem for
> forwarding the vnc stuff through to a specific machine or
> do i just static assign an ip to the machine running vnc?
> Any suggestions/help would be appreciated, I'm a bit new to
> this stuff
>
> Cheers
> Dean

The dynamic part you will have to solve with /etc/lrp.conf

lrp_MAIL_SERVER="mail.yourisp.com"

You may have to check if your version has grep fixed for mailing from the lrp box. See Charles' information.

***

Let's do static dhcpd assignment first:

edit /etc/dhcpd.conf

dynamic-bootp-lease-length 604800;
max-lease-time 1209600;
subnet 192.168.1.0 netmask 255.255.255.0 {
  option routers 192.168.1.254;
  option domain-name "private.network";
  option domain-name-servers 192.168.1.254;
  range 192.168.1.10 192.168.1.100;
host computername {
  hardware ethernet 00:40:f5:5f:2e:3e;
  fixed-address 192.168.1.1;
}

if you don't know the nic number

# grep dhcp /var/log/syslog

to find the information.

Change the range that your dhcpd uses so that the static number that will be assigned by dhcpd is outside the range. If you don't do this it will still work, but you will get messages about both dynamic and static leases being present.

save file and

# svi dhcpd reload

***

Next the port VNC uses is 5900

In /etc/network.conf (1, 1 from the menu) add

EXTERN_TCP_PORTS="0/0_smtp ip.you.connect.from/32_5900"

The ip.you.connect.from is the ip number, e.g. if you always connect from 123.134.145.156 then put in 123.134.145.156/32 - if you only know the network you are connecting from use 123.134.145.0/24. You could use 0/0_5900 (any network/any mask) but I recommend you restrict access.

in /etc/ipfilter.conf at the very end of the file before the last } put in:

# For VNC
$IPMASQADM autofw -A -v -r tcp 5900 5900 -h 192.168.1.1
}

save ipfilter.conf

# svi network ipfilter flush
# svi network ipfilter reload

test

when you get it working satisfactorily back up dhcpd and etc
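The post above edits three separate files that have to agree with each other: the dhcpd.conf host block must hand the VNC machine an address outside the dynamic range, the EXTERN_TCP_PORTS entry must open 5900 to a narrow source network rather than 0/0, and the autofw rule must point at the same fixed address. The following script is an added example, not LEAF or EigerStein code, that cross-checks those three fragments before you reload anything. It assumes the network.conf entry syntax shown in the post (net/mask_port, with a service name or number after the underscore), a small hand-written service-name table, and constructed sample input modelled on the post; a second, deliberately broken input shows what the checks catch.

```python
import ipaddress
import re

# Constructed sample inputs modelled on the post above; not taken from a real router.
DHCPD_CONF = """
dynamic-bootp-lease-length 604800;
max-lease-time 1209600;
subnet 192.168.1.0 netmask 255.255.255.0 {
    option routers 192.168.1.254;
    option domain-name "private.network";
    option domain-name-servers 192.168.1.254;
    range 192.168.1.10 192.168.1.100;
}
host computername {
    hardware ethernet 00:40:f5:5f:2e:3e;
    fixed-address 192.168.1.1;
}
"""
# Same file, but with the fixed address dropped inside the dynamic pool (the mistake the post warns about).
DHCPD_CONF_BAD = DHCPD_CONF.replace("fixed-address 192.168.1.1;", "fixed-address 192.168.1.50;")

NETWORK_CONF_LINE = 'EXTERN_TCP_PORTS="0/0_smtp 123.134.145.156/32_5900"'
NETWORK_CONF_OPEN = 'EXTERN_TCP_PORTS="0/0_smtp 0/0_5900"'   # the "any network" variant the post advises against
AUTOFW_LINE = '$IPMASQADM autofw -A -v -r tcp 5900 5900 -h 192.168.1.1'

# Assumption: a minimal service-name table, enough for the entries we expect to see.
SERVICES = {"smtp": 25, "ssh": 22, "http": 80, "domain": 53}


def parse_dhcpd(text):
    """Return (subnet, (range_low, range_high), {host: (mac, fixed_ip)}) from a dhcpd.conf fragment."""
    m = re.search(r"subnet\s+([\d.]+)\s+netmask\s+([\d.]+)", text)
    subnet = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    m = re.search(r"range\s+([\d.]+)\s+([\d.]+)\s*;", text)
    pool = (ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2)))
    hosts = {}
    for hm in re.finditer(r"host\s+(\S+)\s*\{(.*?)\}", text, re.S):
        body = hm.group(2)
        mac = re.search(r"hardware\s+ethernet\s+([0-9a-fA-F:]+)\s*;", body)
        fixed = re.search(r"fixed-address\s+([\d.]+)\s*;", body)
        hosts[hm.group(1)] = (mac.group(1).lower() if mac else None,
                              ipaddress.ip_address(fixed.group(1)) if fixed else None)
    return subnet, pool, hosts


def to_network(spec):
    """Turn the net/mask shorthand used in network.conf ('0/0', 'a.b.c.d/32', 'a.b.c.d') into a network."""
    addr, _, plen = spec.partition("/")
    if addr == "0":
        addr = "0.0.0.0"
    return ipaddress.ip_network(f"{addr}/{plen or '32'}", strict=False)


def parse_extern_tcp_ports(line):
    """Parse EXTERN_TCP_PORTS="net/mask_port ..." into a list of (source_network, port)."""
    m = re.search(r'EXTERN_TCP_PORTS="([^"]*)"', line)
    entries = []
    for token in m.group(1).split():
        net, _, port = token.rpartition("_")
        if port.isdigit():
            port = int(port)
        elif port in SERVICES:
            port = SERVICES[port]
        else:
            raise ValueError(f"unknown service name {port!r}")
        entries.append((to_network(net), port))
    return entries


def parse_autofw(line):
    """Extract (proto, low_port, high_port, target_ip) from an 'ipmasqadm autofw -A' line."""
    m = re.search(r"autofw\s+-A\s+-v\s+-r\s+(\w+)\s+(\d+)\s+(\d+)\s+-h\s+([\d.]+)", line)
    return m.group(1), int(m.group(2)), int(m.group(3)), ipaddress.ip_address(m.group(4))


def audit(dhcpd_text, network_line, autofw_line):
    """Cross-check the three fragments; return a list of problems (empty when they are consistent)."""
    problems = []
    subnet, (lo, hi), hosts = parse_dhcpd(dhcpd_text)
    for name, (mac, ip) in hosts.items():
        if mac is None or ip is None:
            problems.append(f"{name}: host block lacks hardware ethernet or fixed-address")
            continue
        if ip not in subnet:
            problems.append(f"{name}: {ip} is outside {subnet}")
        if lo <= ip <= hi:
            problems.append(f"{name}: {ip} lies inside dynamic range {lo}-{hi}")
    proto, p_lo, p_hi, target = parse_autofw(autofw_line)
    if target not in {ip for _, ip in hosts.values()}:
        problems.append(f"autofw target {target} has no fixed-address host block")
    sources = [net for net, port in parse_extern_tcp_ports(network_line) if p_lo <= port <= p_hi]
    if not sources:
        problems.append(f"{proto}/{p_lo} is forwarded but not opened in EXTERN_TCP_PORTS")
    for net in sources:
        if net.prefixlen == 0:
            problems.append(f"{proto}/{p_lo} is open to the whole internet (0/0)")
    return problems


if __name__ == "__main__":
    for label, conf, line in (("good", DHCPD_CONF, NETWORK_CONF_LINE),
                              ("bad", DHCPD_CONF_BAD, NETWORK_CONF_OPEN)):
        print(label, audit(conf, line, AUTOFW_LINE) or "OK")
```

Run it against the three fragments you actually edited (paste them into the constants or read them from the files on the router) before the `svi dhcpd reload` and `svi network ipfilter reload` steps; an empty problem list means the forwarded port, the source restriction and the static lease all line up.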
RE: [Leaf-user] vnc through lrp
hey thanks for the advice, only problem is my lrp disk is full. I've always wanted to add ssh to it but there's not enough room for it. I'm not too fussed about it being too secure as it's only my home box so there's nothing too important on it. Is there a way you can tunnel it without ssh??

>I would use SSHD on the LRP and tunnel VNC through SSH. You'd establish the
>ssh connection to your LRP with tunnels set up (For a Windoze clt, I'd use
>SecureCRT if you use the SSH1 package (30 day free trial which you can
>reload), and SSH Communications software with an individual license if you
>use the SSH2 package -- it doesn't let you do tunnels to SSH1 servers).
>
>I use it myself and it works great.
>
>mike.
>
>wrote:
>Hi, I'm using a modified version of Eigersteinbeta 2 with a pppoe package.
>What I'd like to achieve is to be able to vnc into a machine on my internal
>network through my lrp box from an external ip (i.e work). I take it this
>will require some modifying of the ip ruleset i.e port forwarding etc. Is
>there a howto someone could point me to? My external ip is dynamic so i
>guess using mail to email me my ip is the way to go. Is the fact that my
>internal machines are dhcp assigned a problem for forwarding the vnc stuff
>through to a specific machine or do i just static assign an ip to the
>machine running vnc? Any suggestions/help would be appreciated, I'm a bit
>new to this stuff
>
>Cheers
>Dean
Re: [Leaf-user] eigersteinbeta2 Docs
At 07:03 PM 6/18/01 -0500, NOC - KP2 wrote:
>I have 2 questions about eigerstein.
>
>1.) Where can I find different modules (sshd, psentry, etc) that can
>be used with this? I know about lrp.c0wz.com, but I am unsure where
>I need to be looking for the proper modules.

You mean packages; modules are something different. Try lrp.steinkuehler.net . But there is no single answer; things are (still) somewhat scattered, so I can't offer a specific suggestion about "etc". Earlier today, I posted here the link for sshd. There is a listing for an old version of PortSentry on lrp.c0wz.com .

>2.) Is there a guide anywhere for someone that is converting from
>LRP 2.9.8 (ipfwadm) to eigerstein, which looks like it used ipchains.
>I am forwarding some services to servers behind the LRP box (http,
>email stuffs, etc).

The real difference is the kernel -- 2.0.36 with ipfwadm versus 2.2.x (.18, I think) with ipchains. c0wz lists several ipchains info sources, none specific to EigerStein. But if you use the EigerStein setup scripts, they hide the details of ipchains configuration from you, at least for the basic services you mention in your message, so you should not need EigerStein-specific help there.

--
"Never tell me the odds!"--- Ray Olszewski-- Han Solo
Palo Alto, CA [EMAIL PROTECTED]
[Leaf-user] eigersteinbeta2 Docs
I have 2 questions about eigerstein.

1.) Where can I find different modules (sshd, psentry, etc) that can be used with this? I know about lrp.c0wz.com, but I am unsure where I need to be looking for the proper modules.

2.) Is there a guide anywhere for someone that is converting from LRP 2.9.8 (ipfwadm) to eigerstein, which looks like it used ipchains. I am forwarding some services to servers behind the LRP box (http, email stuffs, etc).

Thanks for your time!
Chris Kulish
Re: [Leaf-user] vnc through lrp
I would use SSHD on the LRP and tunnel VNC through SSH. You'd establish the ssh connection to your LRP with tunnels set up (For a Windoze clt, I'd use SecureCRT if you use the SSH1 package (30 day free trial which you can reload), and SSH Communications software with an individual license if you use the SSH2 package -- it doesn't let you do tunnels to SSH1 servers).

I use it myself and it works great.

mike.

[EMAIL PROTECTED] wrote:
>Hi, I'm using a modified version of Eigersteinbeta 2 with a pppoe package.
>What I'd like to achieve is to be able to vnc into a machine on my internal
>network through my lrp box from an external ip (i.e work). I take it this
>will require some modifying of the ip ruleset i.e port forwarding etc. Is
>there a howto someone could point me to? My external ip is dynamic so i
>guess using mail to email me my ip is the way to go. Is the fact that my
>internal machines are dhcp assigned a problem for forwarding the vnc stuff
>through to a specific machine or do i just static assign an ip to the
>machine running vnc? Any suggestions/help would be appreciated, I'm a bit
>new to this stuff
>
>Cheers
>Dean

--
Michael McClure
[EMAIL PROTECTED]
[Leaf-user] vnc through lrp
Hi, I'm using a modified version of Eigersteinbeta 2 with a pppoe package. What I'd like to achieve is to be able to vnc into a machine on my internal network through my lrp box from an external ip (i.e work). I take it this will require some modifying of the ip ruleset i.e port forwarding etc. Is there a howto someone could point me to? My external ip is dynamic so i guess using mail to email me my ip is the way to go. Is the fact that my internal machines are dhcp assigned a problem for forwarding the vnc stuff through to a specific machine or do i just static assign an ip to the machine running vnc? Any suggestions/help would be appreciated, I'm a bit new to this stuff

Cheers
Dean
Re: [Leaf-user] Now here's an interesting auction
Nope. He's got kernels for FPU emulation on 2.2.16 and 2.2.16 with the VPN patches, but not both options together.

-J

----- Original Message -----
From: "Steven Peck" <[EMAIL PROTECTED]>
To: "'James Barrett '" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Monday, June 18, 2001 5:42 PM
Subject: RE: [Leaf-user] Now here's an interesting auction

> Dude,
>
> http://lrp.steinkuehler.net/files/kernels/
>
> There might be a few more poking around the leaf developers sites.
>
> -sp
>
> -----Original Message-----
> From: James Barrett
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Sent: 6/18/2001 2:11 PM
> Subject: Re: [Leaf-user] Now here's an interesting auction
>
> I would find it valuable as I have not yet been able to find anyone willing
> to compile a 2.2.16 w/patches for VPN Masq'ing (or 2.2.18 or 2.0.38) kernel
> with the FPU emulation for a 486SX2.
>
> I can easily get the modules I need to build my own disk -- the problem I'm
> having is finding the right compiled kernel.
>
> Thanks,
> -James
>
> ----- Original Message -----
> From: "James Sturdevant" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Monday, June 18, 2001 2:42 PM
> Subject: Re: [Leaf-user] Now here's an interesting auction
>
> > Actually, I made the changes to Paul's modmaker to create LRPGen. Paul
> > hosted it for a while to test it. I gave up on it when I couldn't make it
> > work on WinXX machines with 1.68MB formats and it appeared that the newer,
> > unofficial releases were getting more support and use. (Dave's attitude
> > didn't help either.)
> >
> > I have given some thought recently to restarting it as part of the LEAF
> > project. I will need a number of things to make it viable:
> > - a version of rawrite which can support 1.68MB formats.
> > - a description of the directory structure on sourceforge for the LEAF project
> > - ideas for defining the custom values in packages
> > - an indication that this is worth the effort
> >
> > JamesS
> >
> > At 10:06 AM 6/18/01 -0700, Ray Olszewski wrote:
> > >At 07:54 AM 6/18/01 -0400, James Barrett wrote:
> > > >I remember there used to be those places where you entered what you wanted
> > > >and an image was built for you -- do they still exist anywhere?
> > >
> > >No, at least not if you mean in a LEAF or LRP context. There was modmaker, a
> > >system used with LRP 2.9.3 to make modules.lrp packages. The same guy who
> > >did modmaker, Paul Wouters (I think), did build a site that created custom
> > >images (you might find its URL still listed on lrp.c0wz.com). As I recall,
> > >though, the site wasn't maintained and does not work with any modern version
> > >of LEAF or LRP.
> > >
> > >But my memory could be wrong. Please check the links at c0wz to be sure.
> > >
> > >--
> > >"Never tell me the odds!"--- Ray Olszewski-- Han Solo
> > >Palo Alto, CA [EMAIL PROTECTED]
Re: [Leaf-user] A strange firewall log
Jacques -- the additional information doesn't give me any great ideas. You do mention that you get a dynamic address. Might it be that it was *once* 195.132.172.176 and that you're getting the packets due to some arp cache not updating properly (especially plausible since the address seems not to be in use at the moment, according to your latest report)?

At 10:46 PM 6/18/01 +0200, Jacques Nilo wrote:
...
>
>But I cannot traceroute to 195.132.172.176:
>
>[root@versa root]# traceroute 195.132.172.176
>traceroute to 195.132.172.176 (195.132.172.176), 30 hops max, 38 byte packets
> 1 192.168.1.254 (192.168.1.254) 0.885 ms 0.722 ms 0.616 ms
> 2 * * *
> 3 * * *
>
>> Without knowing more about your setup, it is hard to do more than guess.
>> I'm assuming, for example that you do not have a block of 195.132.172.dd/yy
>> addresses assigned to you, just the one you conceal as 195.132.172.XX .
>That's correct: I only get one dynamic IP from my ISP

--
"Never tell me the odds!"--- Ray Olszewski-- Han Solo
Palo Alto, CA [EMAIL PROTECTED]
RE: [Leaf-user] LRP 2.9.8 (2.0.x) and sshd
I have never understood the urge to use Koon Wong's ssh. I have always used the ssh from the kernel for the distribution I setup.

-sp

-----Original Message-----
From: Ray Olszewski
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: 6/18/2001 3:27 PM
Subject: Re: [Leaf-user] LRP 2.9.8 (2.0.x) and sshd

At 04:14 PM 6/18/01 -0500, Chris wrote:
>Quick question about sshd. I am running the sshd.lrp from the Koon Wong lrp
>archive and every so often it seems that the daemon just dies. It won't
>accept connections for a period of time, then all of a sudden, it's back up
>and running as it should. There doesn't seem to be any pattern to the amount
>of time it will stay locked up or anything. And there doesn't seem to be any
>info in the logs, other than the login and logouts (I admit, I could be
>looking in the wrong spot). Is there a known issue with this version of
>sshd? Is there a newer version that I can try?

Chris -- the Koon Wong versions of ssh and sshd are pretty old. I believe there has been (at least) one security-update release since its day. I did find what I think are newer versions of ssh and sshd ("Openssh v2.9p1") on the LEAF site, at URL

http://leaf.sourceforge.net/article.php?sid=25

(Mike - or anyone - was there some easy way to find this via the menu tree? I got it through a search on "ssh" after hitting several dead ends in the menus.)

--
"Never tell me the odds!"--- Ray Olszewski-- Han Solo
Palo Alto, CA [EMAIL PROTECTED]
RE: [Leaf-user] Newbie questions
Keep in mind that any speed increase you see from using switches instead of hubs (I use 10/100 Netgear hubs at home) will only be on your internal network. I have had great luck with the Netgear FA-310tx NIC. It uses the tulip driver. I was so happy with it, that I replaced all my internal NICs on all my home systems. Save your money; unless you are doing large file transfers on your internal net, I wouldn't worry about hub vs switch speed.

        |
        |
   [lrp router]
        |
        |
   [hub or switch]---[other side of house hub]--comps
     |        |
     |        |
    comp     comp

This way, you have one broadcast domain internally. Once you get this setup working, if you want, then set up a second internal network, add a second NIC and have fun from there. Start simple, that way you will have a base config that works, then complicate as needed. One complication that routers introduce is that NetBEUI info doesn't cross routers without some tricks, so Windows Network Neighborhood won't work across routers without some config tricks. Switches or hubs, to me doesn't matter with less than 25 systems. just my $.02 -sp

-Original Message-
From: Hilton Travis
To: [EMAIL PROTECTED]
Sent: 6/18/2001 3:19 PM
Subject: RE: [Leaf-user] Stupid Newbie questions

Hi,

I tend to agree with Jon here. Since you are new to Linux and networking in general, you need to have the simplest setup you can, so that there are fewer things to go wrong. In your case, I'd install 2 NICs in the LRP box as per Jon's suggestions, locate the box at one end of the house, run the DSL box into one of the NICs, and a switch (not a hub) into the other NIC. This switch should be big enough for all the computers PLUS the router PLUS the link to the other switch. Then run a link from the uplink port on the switch to the switch/hub at the other end of the house (into a regular port, not the uplink port), and away you go.

I'd strongly recommend a switch for the end with the router (and realistically one at the other end too) over a hub as you will have better network performance with a switch than with a hub. With ethernet networking, it works with what is known as "collision domains". Basically a hub is a single collision domain - only one device attached to a hub can communicate at a time - if two devices try to talk at the same time, they are both told to keep quiet for a bit and try again later. These "collisions" reduce network performance. Now with a switch, every port is a separate collision domain. This means that if your machine (A) wants to talk to the LRP box (R), and another machine (B) wants to copy a file from a third computer (C), then all of this can happen simultaneously without any collisions. However, a collision will occur if two machines try to talk to the LRP box (or any other box) at the same time - this is unavoidable.

Also, hubs are half-duplex devices. This means that a computer (or any other network device attached to it) can either talk or listen - they cannot both talk AND listen. This means that a 100Mbps hub can have a single computer talking to another computer at 100 Mbps, but then a collision occurs if the "listening" computer needs to reply to the "talking" computer before the "talking" computer has finished what it has to say.

Switches are full-duplex devices. A device attached to a switch port can walk and chew gum... oops - talk and listen simultaneously. Basically, this means that if you are copying a large file from machine (A) to machine (B), and also copying from machine (B) to (A), the copy will take well under half the time on a switch than on a hub. Generally, switches look at the devices attached to each port and determine if the device is able to talk in full-duplex (all NICs, routers, bridges, etc) or half-duplex (a hub) and configures that port according to the device attached to it. The 10/100 switches also determine if the device attached will talk at 100Mbps or only 10Mbps, and configures the port accordingly (as do 10/100 hubs).

In reality, if you have a number of machines attached to a 100Mbps hub, and the same number of machines attached to a 10Mbps switch, the network based on the switch will be the faster network. Even though it is operating at 20% of the maximum speed of the hub (10Mbps full-duplex, vs 100Mbps half-duplex), the far reduced number of collisions due to the multiple collision domains will greatly increase the network performance.

Now, of course at home you may not care about this increase in speed, therefore stick to hubs as they are cheaper. However, I'd recommend that at least the device that YOUR computer and the router are connected to be switches. :-)

Regards,

Hilton Travis

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of
> Jonathan French
> Sent: Tuesday, 19 June 2001 7:15 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Leaf-user] Stupid Newbie questions
>
>
>
> To follow up on Danny's answers, and to save you
Re: [Leaf-user] LRP 2.9.8 (2.0.x) and sshd
At 04:14 PM 6/18/01 -0500, Chris wrote:
>Quick question about sshd. I am running the sshd.lrp from the Koon Wong lrp
>archive and every so often it seems that the daemon just dies. It won't
>accept connections for a period of time, then all of a sudden, it's back up
>and running as it should. There doesn't seem to be any pattern to the amount
>of time it will stay locked up or anything. And there doesn't seem to be any
>info in the logs, other than the login and logouts (I admit, I could be
>looking in the wrong spot). Is there a known issue with this version of
>sshd? Is there a newer version that I can try?

Chris -- the Koon Wong versions of ssh and sshd are pretty old. I believe there has been (at least) one security-update release since its day. I did find what I think are newer versions of ssh and sshd ("Openssh v2.9p1") on the LEAF site, at URL http://leaf.sourceforge.net/article.php?sid=25 (Mike - or anyone - was there some easy way to find this via the menu tree? I got it through a search on "ssh" after hitting several dead ends in the menus.)

--
"Never tell me the odds!"--- Ray Olszewski-- Han Solo
Palo Alto, CA[EMAIL PROTECTED]
RE: [Leaf-user] Stupid Newbie questions
Hi,

I tend to agree with Jon here. Since you are new to Linux and networking in general, you need to have the simplest setup you can, so that there are fewer things to go wrong. In your case, I'd install 2 NICs in the LRP box as per Jon's suggestions, locate the box at one end of the house, run the DSL box into one of the NICs, and a switch (not a hub) into the other NIC. This switch should be big enough for all the computers PLUS the router PLUS the link to the other switch. Then run a link from the uplink port on the switch to the switch/hub at the other end of the house (into a regular port, not the uplink port), and away you go.

I'd strongly recommend a switch for the end with the router (and realistically one at the other end too) over a hub as you will have better network performance with a switch than with a hub. With ethernet networking, it works with what is known as "collision domains". Basically a hub is a single collision domain - only one device attached to a hub can communicate at a time - if two devices try to talk at the same time, they are both told to keep quiet for a bit and try again later. These "collisions" reduce network performance. Now with a switch, every port is a separate collision domain. This means that if your machine (A) wants to talk to the LRP box (R), and another machine (B) wants to copy a file from a third computer (C), then all of this can happen simultaneously without any collisions. However, a collision will occur if two machines try to talk to the LRP box (or any other box) at the same time - this is unavoidable.

Also, hubs are half-duplex devices. This means that a computer (or any other network device attached to it) can either talk or listen - they cannot both talk AND listen. This means that a 100Mbps hub can have a single computer talking to another computer at 100 Mbps, but then a collision occurs if the "listening" computer needs to reply to the "talking" computer before the "talking" computer has finished what it has to say.

Switches are full-duplex devices. A device attached to a switch port can walk and chew gum... oops - talk and listen simultaneously. Basically, this means that if you are copying a large file from machine (A) to machine (B), and also copying from machine (B) to (A), the copy will take well under half the time on a switch than on a hub. Generally, switches look at the devices attached to each port and determine if the device is able to talk in full-duplex (all NICs, routers, bridges, etc) or half-duplex (a hub) and configures that port according to the device attached to it. The 10/100 switches also determine if the device attached will talk at 100Mbps or only 10Mbps, and configures the port accordingly (as do 10/100 hubs).

In reality, if you have a number of machines attached to a 100Mbps hub, and the same number of machines attached to a 10Mbps switch, the network based on the switch will be the faster network. Even though it is operating at 20% of the maximum speed of the hub (10Mbps full-duplex, vs 100Mbps half-duplex), the far reduced number of collisions due to the multiple collision domains will greatly increase the network performance.

Now, of course at home you may not care about this increase in speed, therefore stick to hubs as they are cheaper. However, I'd recommend that at least the device that YOUR computer and the router are connected to be switches. :-)

Regards,

Hilton Travis

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of
> Jonathan French
> Sent: Tuesday, 19 June 2001 7:15 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Leaf-user] Stupid Newbie questions
>
>
>
> To follow up on Danny's answers, and to save you a lot of
> trouble, if it doesn't cost too much skip the 3 NICs and just
> use two and buy an extra hub. Use one NIC for the DSL, and
> plug the second NIC into the extra hub (or switch) which then
> services the other two hubs. That way you won't have any
> problems sharing data between the machines, as they will all
> be on the same subnet. It just takes a bit of extra effort
> to make the machines talk across subnets with Windows, and
> having one subnet will make your new life as a system admin
> much easier.
> Good Luck,
> Jon
>
>
> Danny Carter wrote:
> >
> > First off, there are NO stupid questions.
> >
> > > What we would like to do is build a box with three NICs.
> > > The first would be for the DSL line and the other two
> > > NICs would each service a hub. Is this feasible?
> >
> > Yes
> >
> > > I also have the questions:
> > >
> > > 1: I've never used hubs before, how do you assign IP
> > > addresses to each port. Can somebody post a URL(s)
> > > for HOW-TOs about this?
> >
> > Hubs are passive devices and do not need to be set for IP
> > addresses. You usually have an uplink port (depending on
> > the make/model), that will be either the highest or lowest
> > numbered port on the hub.
> >
> >
Re: [Leaf-user] Stupid Newbie questions
At 01:10 PM 6/18/01 -0700, James A Roush wrote:
>We recently moved into a house with a DSL line and more 7 computers. Half
>the computers are on one end of the house and half more or less on the
>other end. What we would like to do is build a box with three NICs. The
>first would be for the DSL line and the other two NICs would each service a
>hub. Is this feasible? FYI, I'm a Linux newbie.

Yes, but it is doing things the hard way. It would be easier to connect the router to one hub, then daisy-chain a second hub to that hub for the other end of the house. Unless you have some more fundamental reason for wanting the two sets of hosts on separate LANs.

>I also have the questions:
>
> 1: I've never used hubs before, how do you assign IP addresses to each
>port. Can somebody post a URL(s) for HOW-TOs about this?

You don't. You assign IP addresses to the hosts on the LAN. The hub just connects everything together. The only time you assign an IP address to a hub is when you are using a service to manage the hub (like SNMP) that requires the hub itself to have an IP address. The same is true of switches, BTW.

> 2: When using multiple hubs like this, are these referred to as subnet?

What makes it a subnet is that it is on a different interface in the router, not that it uses multiple hubs. In fact, "subnet" isn't quite the right term here; the two groups of computers are on different LANs or networks. The term "subnet" really applies to breaking a large IP address space into two or more smaller ones. But a lot of people will use the term "subnetting" to describe what you are asking about ... it's a "mostly harmless" bit of imprecision.

> 3: Is it possible to "daisy-chain" the hubs?

Probably. You don't say if this is a 10Mbps or 100 Mbps setup. The 10BaseT standards allow for up to 5 hubs (I think) between any two hosts on the LAN. The 100BaseT standards are more restrictive, allowing only 2 (I think). Either way, it should work for you, though. Remember that for daisy chaining, you need to use either an "uplink" port on one (not both) of the hubs, or a crossover cable between them.

> 4: What are good brands for inexpensive hubs? What gotchas should I
>watch out for? Also, I'll need two PCI NICs. Recommendations?

I've always bought whatever was cheap that week at my local supplier, and I've never been disappointed. Hubs are simple devices; little can go wrong with them. NICs are trickier. 3Com NICs are great but pricey. I've had a lot of luck with many brands of tulip-driver NICs, and they tend to be cheap. Also, RTL8139-based NICs and motherboards that include NICs using the eepro100 module have served me well. Others can probably make more current recommendations, though; it's been 6 months or more since I've needed to buy a NIC, and things change fast here.

--
"Never tell me the odds!"--- Ray Olszewski-- Han Solo
Palo Alto, CA[EMAIL PROTECTED]
Re: [Leaf-user] George Metz' 2.4.3 image
> So knowing that 2.4 kernels are definitely experimental, I grabbed
> George Metz' 2.4.3 distribution off his site and booted it up. It booted
> up fine (though I had issues with the newest syslinux, had to use 1.54
> instead of 1.62), but it doesn't include IDE support (unless I totally
> missed something), so I can't mount and configure my HDD to boot off
> of... I didn't see any modules that looked like they provided IDE
> support and I thought that IDE was not a modularizable feature to begin
> with. Do I have this wrong?

I don't know how George compiled the 2.4.x kernels. If there are ide-*.o modules available, you can probably get IDE support running...if not (and if it's not already compiled in), it's time to compile your own kernel.

> In hopes that I could do better myself, I compiled a 2.4.5 kernel off
> my Redhat 7.1 box and made it as a bzipped image... I replaced the 2.4.3
> kernel with the new one and I get as far as "Uncompressing Linux... Ok,
> booting the kernel" when it stalls. The kernel I built with initrd
> support and ramdisk support in hopes of using it with LEAF... What I
> don't know is if I compressed right (should I have included UPX
> support?).
> I read through the LEAF-devel guide, but this 2.4.3 distro looked to be
> using gcc 2.95? So I figured that I should be able to kernel compile on
> my RH7.1 box. Somebody please straighten me out!

UPX doesn't do anything but make the kernel a bit smaller...the uncompressed kernel is the same once it's running. The key piece you missed is the LRP patches to allow the kernel to read a tar.gz file as its initial ramdisk. Without this, you need to provide a raw filesystem image (optionally gzipped) for the kernel to boot.

You can grab the patches I ported to the 2.4 kernel here:
http://lrp.steinkuehler.net/files/kernels/2.4.0-test11/initrd-archive-2.4.0-test11.diff.gz
http://lrp.steinkuehler.net/files/kernels/2.4.0-test11/linuxrc-always-2.4.0-test11.diff.gz

George may also have the patches available on his site somewhere...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
Re: [Leaf-user] Using PoPToP behind LRP
> > > I was looking at installing PoPToP (PPTP server) on a RedHat server on my
> > > internal network so users at home, mobile etc. can access our Samba shares
> > > using a dialup connection.
> > >
> > > I know I need to open ports 1723 (tcp) and protocol 47 to allow the PPTP
> > > protocol to work, and I can do this with my LRP box. I assume I will need to
> > > portforward 1723 to the internal server. But how can I 'protocolforward'?
> >
> > /usr/sbin/ipfwd my_server_ip 47 &
>
> Thanks all for the help on this - I now have my Windows machine able to
> connect to my internal RedHat box. I haven't yet installed the new kernel
> and modules to my LRP (ES2B) box, since I don't want to risk screwing
> everything up when I'm not in the office (I'm using SSH currently..)
>
> Checking the logs on the RedHat box reveals that the connection is dying due
> to a reason (from the PoPToP faq) that is fixed by applying the
> 'ip_masq_vpn.patch' to my kernel. Now, I know I'm getting off topic here,
> but which kernel? The internal RedHat box, or my LRP box? Or both? Or will
> it be fixed by installing the new kernel on my LRP box plus the relevant
> ip_masq_pptpd.o module?

The ip_masq_* modules are known as IP Masquerade helper modules, and exist to 'help' or fix protocols that generally don't like going through a router that mangles their IP headers. Therefore, if you need the ip_masq_vpn patch, or any ip_masq_* modules, they should go on your firewall/router box, which I'm assuming is the LRP machine.

I have some LRP kernels compiled with the VPN patches available:
http://lrp.steinkuehler.net/files/kernels/Eiger-VPNMasq/

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
RE: [Leaf-user] Now here's an interesting auction
Dude,

http://lrp.steinkuehler.net/files/kernels/

There might be a few more poking around the leaf developers sites. -sp

-Original Message-
From: James Barrett
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: 6/18/2001 2:11 PM
Subject: Re: [Leaf-user] Now here's an interesting auction

I would find it valuable as I have not yet been able to find anyone willing to compile a 2.2.16 w/patches for VPN Masq'ing (or 2.2.18 or 2.0.38) kernel with the FPU emulation for a 486SX2. I can easily get the modules I need to build my own disk -- the problem I'm having is finding the right compiled kernel.

Thanks,
-James

- Original Message -
From: "James Sturdevant" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, June 18, 2001 2:42 PM
Subject: Re: [Leaf-user] Now here's an interesting auction

> Actually, I made the changes to Paul's modmaker to create LRPGen. Paul
> hosted it for a while to test it. I gave up on it when I couldn't make it
> work on WinXX machines with 1.68MB formats and it appeared that the newer,
> unofficial releases were getting more support and use. (Dave's attitude
> didn't help either.)
>
> I have given some thought recently to restarting it as part of the LEAF
> project. I will need a number of things to make it viable:
> - a version of rawrite which can support 1.68MB formats.
> - a description of the directory structure on sourceforge for the LEAF project
> - ideas for defining the custom values in packages
> - an indication that this is worth the effort
>
> JamesS
>
> At 10:06 AM 6/18/01 -0700, Ray Olszewski wrote:
> >At 07:54 AM 6/18/01 -0400, James Barrett wrote:
> > >I remember there used to be those places where you entered what you wanted
> > >and an image was built for you -- do they still exist anywhere?
> >
> >No, at least not if you mean in a LEAF or LRP context. There was modmaker, a
> >system used with LRP 2.9.3 to make modules.lrp packages. The same guy who
> >did modmaker, Paul Wouters (I think), did build a site that created custom
> >images (you might find its URL still listed on lrp.c0wz.com). As I recall,
> >though, the site wasn't maintained and does not work with any modern version
> >of LEAF or LRP.
> >
> >But my memory could be wrong. Please check the links at c0wx to be sure.
> >
> >
> >--
> >"Never tell me the odds!"--- Ray Olszewski-- Han Solo
> >Palo Alto, CA[EMAIL PROTECTED]
RE: [Leaf-user] LRP 2.9.8 (2.0.x) and sshd
While I haven't had any problems with mine, it has been reported and some suspect it is a session timeout setting. I forget where the setting is, but hopefully someone will pop up with it before I get home tonight and have to look myself. -sp

-Original Message-
From: Chris
To: [EMAIL PROTECTED]
Sent: 6/18/2001 2:14 PM
Subject: [Leaf-user] LRP 2.9.8 (2.0.x) and sshd

Quick question about sshd. I am running the sshd.lrp from the Koon Wong lrp archive and every so often it seems that the daemon just dies. It won't accept connections for a period of time, then all of a sudden, it's back up and running as it should. There doesn't seem to be any pattern to the amount of time it will stay locked up or anything. And there doesn't seem to be any info in the logs, other than the login and logouts (I admit, I could be looking in the wrong spot). Is there a known issue with this version of sshd? Is there a newer version that I can try?

Thanks for your time!

Chris Kulish
Re: [Leaf-user] Routing in Proxy ARP DMZ
> >I assume your reports of ping failures are accurate, but the cause is not.
> >Your routing tables are setup properly (assuming your server machines are
> >on the DMZ and not plugged directly into the cable-modem network).
>
> OK...now it's just the pings that are failing. I can access the server in
> the DMZ from the internal network, and outsiders can see it as well.
>
> >I'm going to need more info to figure out what's broken, as your
> >network.conf and routing tables look OK to me. Please provide your current
> >firewall rules (svi network ipfilter list), and details regarding:
>
> Current rules output: http://64.81.226.171/viewfw.htm
> This is the output provided by weblet --- is this the same output obtained
> with ?? It appears to be, and is much easier to access.

Yes, actually, weblet just captures the output of "svi network ipfilter list" and spits it back as a web-page...

> >Accessing the DMZ servers from the internal net...what services on which
> >machines...does accessing the same service & machine work from the
> >internet?
>
> Hmmm, the game server at .173 was magically granted existence on the
> internet without further intervention from me. I am thinking this may have
> had to do with the arp cache on the ISP's router (my default gw 64.81.226.1)
> --- is my guess anywhere in the ballpark? Some functionality is still
> missing, but I'll get to the UDP filtering rules later.
>
> I can now see the http server on .173 from my inside machines, so I am
> assuming this problem is solved.

> Pinging from the LRP box and from client machines...it looks like you've got
> ICMP forwarding enabled for the DMZ, so this *should* be working...please
> provide details on exactly what you tried, and the exact error message ping
> returned (if any).
>
> From a Windows machine inside: "Request timed out"
>
> From the LRP command line: No output until Cntl-C then
> "X packets transmitted, 0 packets received, 100% packet loss"

You've got me on this one...I don't know why pings are not working. There are no denies of ICMP packets in your firewall rules listed above. Is the machine you're trying to ping setup to send back reply packets? Is it possible you've got ICMP messages blocked on the server you're trying to ping? I don't see anything in your LRP setup that would keep pings from working...

> I have added temporary entries to my network.conf to place .172 fully
> outside. Everything seems to be working fine at the moment.

I think I know why the game-server is breaking inside the firewall. Matthew masquerades outbound UDP packets by default, which is somewhat more secure than allowing direct UDP connections between the DMZ and the outside world, but tends to break any inbound UDP services (note there are exceptions to the UDP masquerading for BIND, typically the only public UDP based service run on a DMZ). To fix this for your game server, you'll need to edit /etc/ipfilter.conf as follows:

Find the following code section in /etc/ipfilter.conf (very near the end, near the comment # Connect DMZ to internet):

$IPCH -A forward -j ACCEPT -p icmp -s 0/0 -d $DMZ_NET -i $DMZ_IF
$IPCH -A forward -j ACCEPT -p tcp -s $DMZ_NET -d 0/0 -i $EXTERN_IF
$IPCH -A forward -j ACCEPT -p icmp -s $DMZ_NET -d 0/0 -i $EXTERN_IF
$IPCH -A forward -j ACCEPT -p udp -s $DMZ_NET domain \
    -d 0/0 -i $EXTERN_IF
$IPCH -A forward -j MASQ -p udp -s $DMZ_NET -d 0/0 -i $EXTERN_IF

Change the last line from:

$IPCH -A forward -j MASQ -p udp -s $DMZ_NET -d 0/0 -i $EXTERN_IF

to:

$IPCH -A forward -j ACCEPT -p udp -s $DMZ_NET -d 0/0 -i $EXTERN_IF

This will provide normal (un-masqueraded) UDP connections between the DMZ and the outside internet. As long as you only allow specific UDP ports inbound using the DMZ_OPEN_DEST variable, you should be secure (other than any potential security bugs in the services you're specifically allowing). You also need to move your game server back behind the LRP box. Let me know if this fixes the game server when running behind LRP.

Sorry I don't know what to do about your broken pings other than fish for more data: Does pinging your servers work from the internet? Did you try to ping any servers before capturing the firewall rules posted above?

> >[adding manual route statements] is handled by the _ROUTES variable in my
> >proxy-arp scripts, so you don't need to do any hacking on the scripts...
>
> Would there ever be a case in which XXX_ROUTES would be used for eth1?
> I just noticed that there is no ETH1_ROUTES var in my current .conf -

Yes, there are several situations where you might want to use the eth1_ROUTES variable. Say for instance you had two internal networks, 10.1.2.0/24 and 192.168.1.0/24. The LRP box would be directly connected to one of these networks, but would need to have an explicit route entered into eth1_ROUTES to inform the LRP machine about the additional internal network and how to reach it. You don't need to use the _ROUTES variables for interfac
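As an added illustration of the MASQ-to-ACCEPT change discussed in this thread (example code written for this archive, not code from Charles's post or from the LRP ipfilter scripts): a small first-match evaluator for the five ipchains forward-chain lines quoted above. Under ipchains, `-i` on the forward chain names the interface a packet leaves on, and a rule's address may be followed by a port spec (`-s $DMZ_NET domain` is "source port 53"). The evaluator shows why the original section breaks a UDP game server in the DMZ: the server's reply hits the MASQ rule, so it would leave with the router's external address as its source and the remote client would receive a packet from an address it never contacted, while a DNS reply (source port 53) is accepted unmasqueraded by the earlier BIND exception. With the last rule changed to ACCEPT both replies pass, and inbound UDP toward the DMZ still falls through to the chain policy, which is what DMZ_OPEN_DEST is there to open selectively. The values of DMZ_NET, DMZ_IF, EXTERN_IF, the packet addresses and ports, and the DENY default policy are constructed assumptions.

```python
import ipaddress
import shlex

# Service names that appear as ipchains port specs in the rules below.
# A small inline table so the example does not depend on /etc/services.
SERVICES = {"domain": 53}

# Constructed values for the variables the ipfilter.conf lines reference.
# They are assumptions for this example, not the original poster's settings.
VARS = {"DMZ_NET": "64.81.226.168/29", "DMZ_IF": "eth2", "EXTERN_IF": "eth0"}

# The five forward-chain lines quoted from /etc/ipfilter.conf in the post.
# The continuation line of the 'domain' rule has been joined back together.
ORIGINAL_RULES = [
    "$IPCH -A forward -j ACCEPT -p icmp -s 0/0 -d $DMZ_NET -i $DMZ_IF",
    "$IPCH -A forward -j ACCEPT -p tcp -s $DMZ_NET -d 0/0 -i $EXTERN_IF",
    "$IPCH -A forward -j ACCEPT -p icmp -s $DMZ_NET -d 0/0 -i $EXTERN_IF",
    "$IPCH -A forward -j ACCEPT -p udp -s $DMZ_NET domain -d 0/0 -i $EXTERN_IF",
    "$IPCH -A forward -j MASQ -p udp -s $DMZ_NET -d 0/0 -i $EXTERN_IF",
]
# Same section with the last line changed from MASQ to ACCEPT, as the post advises.
FIXED_RULES = ORIGINAL_RULES[:-1] + [
    "$IPCH -A forward -j ACCEPT -p udp -s $DMZ_NET -d 0/0 -i $EXTERN_IF",
]


def to_network(spec):
    """ipchains address syntax: '0/0' means any address, a bare address means /32."""
    if spec == "0/0":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(spec, strict=False)


def port_matches(spec, port):
    """Match a port against an ipchains port spec: a service name, a number or 'low:high'."""
    if spec is None:
        return True
    if port is None:  # the rule names a port but the packet has none (e.g. ICMP)
        return False
    lo, _, hi = spec.partition(":")
    lo = int(SERVICES.get(lo, lo))
    hi = int(SERVICES.get(hi, hi)) if hi else lo
    return lo <= port <= hi


def parse_rule(line, variables=VARS):
    """Turn one '$IPCH -A chain ...' line into a dict of match criteria plus target."""
    tokens = shlex.split(line)[1:]  # drop the $IPCH command word itself
    tokens = [variables.get(t[1:], t) if t.startswith("$") else t for t in tokens]
    rule = {"chain": None, "target": None, "proto": None, "iface": None,
            "src": None, "sport": None, "dst": None, "dport": None}
    i = 0
    while i < len(tokens):
        flag = tokens[i]
        arg = tokens[i + 1] if i + 1 < len(tokens) else None
        i += 2
        if flag == "-A":
            rule["chain"] = arg
        elif flag == "-j":
            rule["target"] = arg
        elif flag == "-p":
            rule["proto"] = arg
        elif flag == "-i":
            rule["iface"] = arg
        elif flag in ("-s", "-d"):
            side = "src" if flag == "-s" else "dst"
            rule[side] = arg
            # ipchains lets a port spec follow the address: '-s NET domain'
            if i < len(tokens) and not tokens[i].startswith("-"):
                rule["sport" if side == "src" else "dport"] = tokens[i]
                i += 1
    return rule


def rule_matches(rule, pkt):
    """ipchains forward-chain semantics: -i is the interface the packet leaves on."""
    if rule["proto"] and rule["proto"] != pkt["proto"]:
        return False
    if rule["iface"] and rule["iface"] != pkt["iface"]:
        return False
    if rule["src"] and ipaddress.ip_address(pkt["src"]) not in to_network(rule["src"]):
        return False
    if rule["dst"] and ipaddress.ip_address(pkt["dst"]) not in to_network(rule["dst"]):
        return False
    return (port_matches(rule["sport"], pkt.get("sport"))
            and port_matches(rule["dport"], pkt.get("dport")))


def forward_target(lines, pkt, policy="DENY"):
    """First-match evaluation of the forward chain; 'policy' is the assumed chain default."""
    for rule in (parse_rule(line) for line in lines):
        if rule["chain"] == "forward" and rule_matches(rule, pkt):
            return rule["target"]
    return policy


# Constructed packets: a reply from a game server in the DMZ (UDP, non-DNS source
# port) and a reply from a DMZ name server (UDP source port 53). 198.51.100.7 is a
# documentation-range address standing in for an internet client.
GAME_REPLY = {"proto": "udp", "src": "64.81.226.173", "sport": 27015,
              "dst": "198.51.100.7", "dport": 40000, "iface": "eth0"}
DNS_REPLY = dict(GAME_REPLY, sport=53)

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL_RULES), ("fixed", FIXED_RULES)):
        print(name, "game reply ->", forward_target(rules, GAME_REPLY),
              "| dns reply ->", forward_target(rules, DNS_REPLY))
```

Running it prints `MASQ` for the game server's reply under the original section and `ACCEPT` under the fixed one; the DNS reply is `ACCEPT` in both because the `domain` rule precedes the MASQ rule. Only the forward chain is modelled here, and only the matchers these five lines use, so it is a reading aid for the rule change rather than a substitute for `svi network ipfilter list` on the router.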
[Leaf-user] LRP 2.9.8 (2.0.x) and sshd
Quick question about sshd. I am running the sshd.lrp from the Koon Wong lrp archive and every so often it seems that the daemon just dies. It won't accept connections for a period of time, then all of a sudden, it's back up and running as it should. There doesn't seem to be any pattern to the amount of time it will stay locked up or anything. And there doesn't seem to be any info in the logs, other than the login and logouts (I admit, I could be looking in the wrong spot). Is there a known issue with this version of sshd? Is there a newer version that I can try?

Thanks for your time!

Chris Kulish
Re: [Leaf-user] Stupid Newbie questions
--- Jonathan French <[EMAIL PROTECTED]> wrote:
> To follow up on Danny's answers, and to save you a lot of trouble, if it
> doesn't cost too much skip the 3 NICs and just use two and buy an extra
> hub. Use one NIC for the DSL, and plug the second NIC into the extra
> hub (or switch) which then services the other two hubs. That way you
> won't have any problems sharing data between the machines, as they will
> all be on the same subnet. It just takes a bit of extra effort to make
> the machines talk across subnets with Windows, and having one subnet
> will make your new life as a system admin much easier.

pn] OTOH, it would be nice to have some scripts (E2B or later variety) that provide for 2 private networks in cases (maybe like this one) where you want to isolate traffic for separate users.

=
- Peter Nosko ([EMAIL PROTECTED])
This is a good place for a tagline.
Re: [Leaf-user] Now here's an interesting auction
I would find it valuable as I have not yet been able to find anyone willing to compile a 2.2.16 w/patches for VPN Masq'ing (or 2.2.18 or 2.0.38) kernel with the FPU emulation for a 486SX2. I can easily get the modules I need to build my own disk -- the problem I'm having is finding the right compiled kernel.

Thanks,
-James

- Original Message -
From: "James Sturdevant" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, June 18, 2001 2:42 PM
Subject: Re: [Leaf-user] Now here's an interesting auction

> Actually, I made the changes to Paul's modmaker to create LRPGen. Paul
> hosted it for a while to test it. I gave up on it when I couldn't make it
> work on WinXX machines with 1.68MB formats and it appeared that the newer,
> unofficial releases were getting more support and use. (Dave's attitude
> didn't help either.)
>
> I have given some thought recently to restarting it as part of the LEAF
> project. I will need a number of things to make it viable:
> - a version of rawrite which can support 1.68MB formats.
> - a description of the directory structure on sourceforge for the LEAF project
> - ideas for defining the custom values in packages
> - an indication that this is worth the effort
>
> JamesS
>
> At 10:06 AM 6/18/01 -0700, Ray Olszewski wrote:
> >At 07:54 AM 6/18/01 -0400, James Barrett wrote:
> > >I remember there used to be those places where you entered what you wanted
> > >and an image was built for you -- do they still exist anywhere?
> >
> >No, at least not if you mean in a LEAF or LRP context. There was modmaker, a
> >system used with LRP 2.9.3 to make modules.lrp packages. The same guy who
> >did modmaker, Paul Wouters (I think), did build a site that created custom
> >images (you might find its URL still listed on lrp.c0wz.com). As I recall,
> >though, the site wasn't maintained and does not work with any modern version
> >of LEAF or LRP.
> >
> >But my memory could be wrong. Please check the links at c0wx to be sure.
> >
> >
> >--
> >"Never tell me the odds!"--- Ray Olszewski-- Han Solo
> >Palo Alto, CA[EMAIL PROTECTED]
[Leaf-user] LRPGen for LEAF
James Sturdevant, 2001-06-18 13:42 -0500
>Actually, I made the changes to Paul's modmaker to create LRPGen. Paul
>hosted it for a while to test it. I gave up on it when I couldn't make it
>work on WinXX machines with 1.68MB formats and it appeared that the newer,
>unofficial releases were getting more support and use. (Dave's attitude
>didn't help either.)
>
>I have given some thought recently to restarting it as part of the LEAF
>project. I will need a number of things to make it viable:
>- a version of rawrite which can support 1.68MB formats.
>- a description of the directory structure on sourceforge for the LEAF project
>- ideas for defining the custom values in packages
>- an indication that this is worth the effort

James,
This is an interesting idea, but I think it should be discussed on the leaf-devel list. To facilitate the move I added the devel list to this post, and changed the subject. Please join the discussion there. Thanks.

--
Mike Noyes <[EMAIL PROTECTED]>
http://leaf.sourceforge.net/
Re: [Leaf-user] Stupid Newbie questions
To follow up on Danny's answers, and to save you a lot of trouble, if it doesn't cost too much skip the 3 NICs and just use two and buy an extra hub. Use one NIC for the DSL, and plug the second NIC into the extra hub (or switch) which then services the other two hubs. That way you won't have any problems sharing data between the machines, as they will all be on the same subnet. It just takes a bit of extra effort to make the machines talk across subnets with Windows, and having one subnet will make your new life as a system admin much easier. Good Luck, Jon Danny Carter wrote: > > First off, there are NO stupid questions. > > What we would like to do is build a box with three NICs. The > > first would be for the DSL line and the other two NICs would each > service a > > hub. Is this feasible? > > Yes > > > I also have the questions: > > > >1: I've never used hubs before, how do you assign IP addresses to > each > > port. Can somebody post a URL(s) for HOW-TOs about this? > > > > Hubs are passive devices and do not need to be set for IP addresses. You > usually have an uplink port (depending on the make/model), that will be > either the highest or lowest numbered port on the hub. > > >2: When using multiple hubs like this, are these referred to as > subnet? > > Yes, you can have a subnet to each hub, depending on what IP address > range that you set for each nic. > > >3: Is it possible to "daisy-chain" the hubs? > > Yes. This was answered in the answer to Number 1 above. > > >4: What are good brands for inexpensive hubs? What gotchas should > I > > watch out for? Also, I'll need two PCI NICs. Recommendations? > > I use a 3com hub and nics, but there are some very good units available > from Linksys also. For the type of nics to use, that depends on your > particular setup. > Look for nics that have Linux packages available.
[Leaf-user] George Metz' 2.4.3 image
Howdy all- I recently started toying with the idea of deploying a LEAF based firewall/VPN in our colo after I saw Exodus wants $4000/mo. for a "managed" Cisco Pix. I figure LEAF probably can save me some of that $48,000. So my questions revolve around the possibilities of using 2.4.3+ kernels in production and how exactly I get custom built kernels to boot. I would like to use a 2.4 kernel because I want the functionality of iptables, especially one-to-one NAT (what's that, static NAT?) for my production environment. I have an LRP 2.9.8 router (2.2.18) here at the corporate office, but it took me some while to get port forwarding working to my satisfaction (actually it was screwing around with BIND for an internal DNS, but then Jacques Nilo came out with the wonderful Tinydns package, hats off to you). So knowing that 2.4 kernels are definitely experimental, I grabbed George Metz' 2.4.3 distribution off his site and booted it up. It booted up fine (though I had issues with the newest syslinux, had to use 1.54 instead of 1.62), but it doesn't include IDE support (unless I totally missed something), so I can't mount and configure my HDD to boot off of... I didn't see any modules that looked like they provided IDE support and I thought that IDE was not a modularizable feature to begin with. Do I have this wrong? In hopes that I could do better myself, I compiled a 2.4.5 kernel off my Redhat 7.1 box and made it as a bzipped image... I replaced the 2.4.3 kernel with the new one and I get as far as "Uncompressing Linux... Ok, booting the kernel" when it stalls. The kernel I built with initrd support and ramdisk support in hopes of using it with LEAF... What I don't know is if I compressed right (should I have included UPX support?). I read through the LEAF-devel guide, but this 2.4.3 distro looked to be using gcc 2.95? So I figured that I should be able to kernel compile on my RH7.1 box. Somebody please straighten me out! Thanks again...
Zack
Re: [Leaf-user] Stupid Newbie questions
First off, there are NO stupid questions. > What we would like to do is build a box with three NICs. The > first would be for the DSL line and the other two NICs would each service a > hub. Is this feasible? Yes > I also have the questions: > >1: I've never used hubs before, how do you assign IP addresses to each > port. Can somebody post a URL(s) for HOW-TOs about this? > Hubs are passive devices and do not need to be set for IP addresses. You usually have an uplink port (depending on the make/model), that will be either the highest or lowest numbered port on the hub. >2: When using multiple hubs like this, are these referred to as subnet? Yes, you can have a subnet to each hub, depending on what IP address range that you set for each nic. >3: Is it possible to "daisy-chain" the hubs? Yes. This was answered in the answer to Number 1 above. >4: What are good brands for inexpensive hubs? What gotchas should I > watch out for? Also, I'll need two PCI NICs. Recommendations? I use a 3com hub and nics, but there are some very good units available from Linksys also. For the type of nics to use, that depends on your particular setup. Look for nics that have Linux packages available.
Re: [Leaf-user] Now here's an interesting auction
Actually, I made the changes to Paul's modmaker to create LRPGen. Paul hosted it for a while to test it. I gave up on it when I couldn't make it work on WinXX machines with 1.68MB formats and it appeared that the newer, unofficial releases were getting more support and use. (Dave's attitude didn't help either.) I have given some thought recently to restarting it as part of the LEAF project. I will need a number of things to make it viable: - a version of rawrite which can support 1.68MB formats. - a description of the directory structure on sourceforge for the LEAF project - ideas for defining the custom values in packages - an indication that this is worth the effort JamesS At 10:06 AM 6/18/01 -0700, Ray Olszewski wrote: >At 07:54 AM 6/18/01 -0400, James Barrett wrote: > >I remember there used to be those places where you entered what you wanted > >and an image was built for you -- do they still exist anywhere? > >No, at least not if you mean in a LEAF or LRP context. There was modmaker, a >system used with LRP 2.9.3 to make modules.lrp packages. The same guy who >did modmaker, Paul Wouters (I think), did build a site that created custom >images (you might find its URL still listed on lrp.c0wz.com). As I recall, >though, the site wasn't maintained and does not work with any modern version >of LEAF or LRP. > >But my memory could be wrong. Please check the links at c0wx to be sure. > >-- "Never tell me the odds!" -- Han Solo >Ray Olszewski, Palo Alto, CA [EMAIL PROTECTED]
Re: [Leaf-user] Using PoPToP behind LRP
> > I was looking at installing PoPToP (PPTP server) on a RedHat server on my > > internal network so users at home, mobile etc. can access our Samba shares > > using a dialup connection. > > > > I know I need to open ports 1723 (tcp) and protocol 47 to allow the PPTP > > protocol to work, and I can do this with my LRP box. I assume I will need to > > portforward 1723 to the internal server. But how can I 'protocolforward'? > /usr/sbin/ipfwd my_server_ip 47 & Thanks all for the help on this - I now have my Windows machine able to connect to my internal RedHat box. I haven't yet installed the new kernel and modules to my LRP (ES2B) box, since I don't want to risk screwing everything up when I'm not in the office (I'm using SSH currently..) Checking the logs on the RedHat box reveals that the connection is dying due to a reason (from the PoPToP faq) that is fixed by applying the 'ip_masq_vpn.patch' to my kernel. Now, I know I'm getting off topic here, but which kernel? The internal RedHat box, or my LRP box? Or both? Or will it be fixed by installing the new kernel on my LRP box plus the relevant ip_masq_pptpd.o module? TIA John
Re: [Leaf-user] A strange firewall log
At 07:23 PM 6/18/01 +0200, Jacques Nilo wrote: >Dear Leaf fellows ! >I have been receiving in my syslog for the past few days this type of >record: >Jun 18 19:04:49 firewall kernel: Packet log: input DENY eth0 PROTO=6 >210.232.219.66:3377 195.132.172.176:25 L=44 S=0x10 I=24833 F=0x4000 T=95 >SYN (#45) >The strange thing is that the destination address which shows up in the >log (195.132.172.176) is not my address ! >My address (as shown by ip addr show on the LRP box) is of the form >195.132.172.XX/24 but XX is not 176. >What is going on there ?? Any idea ?? Just a guess -- some other router thinks that your IP address (195.132.172.XX) is its route to some network of the form 195.132.172.dd/yy, where dd and yy take values that include 195.132.172.176 . Try tracerouting to 210.232.219.66 and see what close-to-you router might have this misconfiguration present, then check with its admin. This might not work, though, if, for example, somebody else on the same ISP network (195.132.172.0/24) has a misconfigured router (since your system won't think it is on its route to 210.232.219.66). Without knowing more about your setup, it is hard to do more than guess. I'm assuming, for example that you do not have a block of 195.132.172.dd/yy addresses assigned to you, just the one you conceal as 195.132.172.XX . -- "Never tell me the odds!" -- Han Solo Ray Olszewski, Palo Alto, CA [EMAIL PROTECTED]
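The check that Ray's reply calls for, written out as an added example (it is not from the thread and not part of LRP or any package on it): parse the ipchains "Packet log:" lines out of syslog and pull out the ones whose destination is not one of the firewall's own addresses, which is exactly what makes Jacques' entry odd. The first syslog line below is the one Jacques posted; the other two lines and the local address 195.132.172.10 (standing in for the concealed XX) are constructed for the example. The field layout is the one ipchains on Linux 2.2 prints. Run it on an admin workstation, not on the floppy router.

```python
import ipaddress
import re
from collections import Counter

# Constructed syslog excerpt. Line 1 is the entry from the post; lines 2
# and 3 are made up for the example (a UDP probe to the box's own address,
# and a non-firewall line that must be ignored).
SAMPLE_SYSLOG = """\
Jun 18 19:04:49 firewall kernel: Packet log: input DENY eth0 PROTO=6 210.232.219.66:3377 195.132.172.176:25 L=44 S=0x10 I=24833 F=0x4000 T=95 SYN (#45)
Jun 18 19:05:02 firewall kernel: Packet log: input DENY eth0 PROTO=17 10.9.8.7:137 195.132.172.10:137 L=78 S=0x00 I=4711 F=0x0000 T=110 (#12)
Jun 18 19:05:10 firewall sshd[211]: Accepted password for root from 192.168.1.5
"""

# Field layout of an ipchains (Linux 2.2) "Packet log:" line:
#   <chain> <verdict> <iface> PROTO=<n> <src>:<sport> <dst>:<dport>
#   L=<len> S=0x<tos> I=<ip id> F=0x<frag/flags> T=<ttl> [SYN] [(#rule)]
_PACKET_LOG = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<len>\d+) S=0x(?P<tos>[0-9a-fA-F]+) "
    r"I=(?P<id>\d+) F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+)"
    r"(?: (?P<syn>SYN))?(?: \(#(?P<rule>\d+)\))?"
)


def parse_packet_log(line):
    """Return a dict for an ipchains log line, or None for any other line."""
    m = _PACKET_LOG.search(line)
    if m is None:
        return None
    g = m.groupdict()
    return {
        "chain": g["chain"],
        "verdict": g["verdict"],
        "iface": g["iface"],
        "proto": int(g["proto"]),
        "src": g["src"],
        "sport": int(g["sport"]),
        "dst": g["dst"],
        "dport": int(g["dport"]),
        "ttl": int(g["ttl"]),
        "syn": g["syn"] is not None,
        "rule": int(g["rule"]) if g["rule"] is not None else None,
    }


def foreign_destinations(syslog_text, local_addrs, chain="input"):
    """Entries from the given chain whose destination is not one of ours.

    Such a packet reached the NIC, so the upstream router forwarded it to
    us on purpose (a stray route or a misconfigured neighbour, as Ray
    suggests); an ordinary spoofed probe would carry *our* address.
    """
    local = {ipaddress.ip_address(a) for a in local_addrs}
    hits = []
    for line in syslog_text.splitlines():
        entry = parse_packet_log(line)
        if entry is None or entry["chain"] != chain:
            continue
        if ipaddress.ip_address(entry["dst"]) not in local:
            hits.append(entry)
    return hits


def summarize_targets(entries):
    """Count (dst, dport) pairs so a days-long pattern stands out."""
    return Counter((e["dst"], e["dport"]) for e in entries)


if __name__ == "__main__":
    odd = foreign_destinations(SAMPLE_SYSLOG, ["195.132.172.10"])
    for (dst, port), n in summarize_targets(odd).items():
        print("%d packet(s) for %s port %d, which is not our address" % (n, dst, port))
```

Feed it the real address list from `ip addr show` on the box; if the same foreign destination keeps showing up over several days, that is the point at which to traceroute 210.232.219.66 and find the router that is sending it your way.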
RE: [Leaf-user] Using PoPToP behind LRP
let's see. Someone will correct me if I am wrong. I think you will need to change your kernel with one compiled with the pptp stuff compiled in. See Charles' site for one. Or peruse the developers' sites on Leaf and replace the one on your system. then you will probably need a combination of ipmasqadm portfw -and- ipchains Not much help I know, but at least some pointers. -sp -Original Message- From: John P To: [EMAIL PROTECTED] Sent: 6/17/2001 5:38 PM Subject: [Leaf-user] Using PoPToP behind LRP Hi All I was looking at installing PoPToP (PPTP server) on a RedHat server on my internal network so users at home, mobile etc. can access our Samba shares using a dialup connection. I know I need to open ports 1723 (tcp) and protocol 47 to allow the PPTP protocol to work, and I can do this with my LRP box. I assume I will need to portforward 1723 to the internal server. But how can I 'protocolforward'? Also, PPTP seems to work by assigning a separate network (eg. I will set up 10.0.1.x with my current network of 10.0.0.x) - do I have to do anything special on my LRP box or just use ipchains rules to do it on my internal server (and enable ip forwarding on it)? Thanks John
[Leaf-user] A strange firewall log
Dear Leaf fellows ! I have been receiving in my syslog for the past few days this type of record: Jun 18 19:04:49 firewall kernel: Packet log: input DENY eth0 PROTO=6 210.232.219.66:3377 195.132.172.176:25 L=44 S=0x10 I=24833 F=0x4000 T=95 SYN (#45) The strange thing is that the destination address which shows up in the log (195.132.172.176) is not my address ! My address (as shown by ip addr show on the LRP box) is of the form 195.132.172.XX/24 but XX is not 176. What is going on there ?? Any idea ?? Jacques
Re: [Leaf-user] Now here's an interesting auction
At 07:54 AM 6/18/01 -0400, James Barrett wrote: >I remember there used to be those places where you entered what you wanted >and an image was built for you -- do they still exist anywhere? No, at least not if you mean in a LEAF or LRP context. There was modmaker, a system used with LRP 2.9.3 to make modules.lrp packages. The same guy who did modmaker, Paul Wouters (I think), did build a site that created custom images (you might find its URL still listed on lrp.c0wz.com). As I recall, though, the site wasn't maintained and does not work with any modern version of LEAF or LRP. But my memory could be wrong. Please check the links at c0wx to be sure. -- "Never tell me the odds!" -- Han Solo Ray Olszewski, Palo Alto, CA [EMAIL PROTECTED]
Re: [Leaf-user] Re: Commands for the Eigerstein
Martin Randall wrote: > Eigerstein. > > Does anyone else have problems with :- > > A) Occasional problems saving/exiting the setups. Sometimes ctrl-c and > alt-q don't work and I have to use ctrl-k/alt-k. > > B) Quite often, doing a simple change (removing a single #) will prevent > me from backing up without logs. It will complain that /root is full or > whatever. Further, when this happens, it destroys the disk making it > unbootable. Have no experience with A. B sounds like problems with not enough memory to do the backup. The backup takes all the files from the file system (ram), compresses them and writes the lrp file to the ramdisk (/dev/ram0) and then asks you if you want to write it to the media. The symptoms you have indicate not enough ram. Are you on a cable system? Logs can fill up memory and may have to be deleted before backup. NEVER reboot until after you have checked the size of the backups on the floppy.

# mount -t msdos /dev/fd0u1680 /mnt
# ls -l /mnt
# umount /mnt

If root has changed size, delete some logs and try again until you get it right - it may be tricky if you are running on a marginal amount of memory. You can check your memory status:

# df
Filesystem  1024-blocks  Used  Available  Capacity  Mounted on
/dev/ram0          6076  3358       2718       55%  /

free tells you about the memory used by the OS for files, buffers, etc.

# free
        total:     used:     free:   shared:  buffers:   cached:
Mem:  23375872  12251136  11124736   6168576   4046848   2539520
Swap:        0         0         0
MemTotal:     22828 kB
MemFree:      10864 kB
MemShared:     6024 kB
Buffers:       3952 kB
Cached:        2480 kB
SwapTotal:        0 kB
SwapFree:         0 kB

There is usually no reason to backup everything - especially root - since you rarely change anything there. (Exception - configuring a dialup modem or replacing a particular file such as grep in the file system.) All your network configs go in etc, and individual packages back up individually.
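The "check the floppy before you reboot" step above, as an added example (this is illustrative code written for this page, not something from the post or from LRP's own backup scripts): compare the `ls -l` listing of the floppy taken before and after a backup and flag any .lrp package that vanished, came out zero-length or shrank sharply, and make a rough test of whether the compressed package can even be staged on /dev/ram0 given the Available column of `df`. The listings and the df output below are constructed for the example (the df line reuses the numbers from the post); the 256 KB headroom is an assumed safety margin, not an LRP constant. Run it on a workstation with the two listings pasted in.

```python
import re

# Constructed sample data for the example (not from the post).
DF_OUTPUT = """\
Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/ram0 6076 3358 2718 55% /
"""

LS_BEFORE = """\
total 980
-rwxr-xr-x   1 root     root       409600 Jun 18 10:02 linux
-rwxr-xr-x   1 root     root       519168 Jun 18 10:02 root.lrp
-rwxr-xr-x   1 root     root        31744 Jun 18 10:02 etc.lrp
-rwxr-xr-x   1 root     root        43008 Jun 18 10:02 local.lrp
"""

# After a backup that ran out of memory: root.lrp was truncated to nothing
# and local.lrp is gone. This is the "destroys the disk" case from the post.
LS_AFTER = """\
total 432
-rwxr-xr-x   1 root     root       409600 Jun 18 10:02 linux
-rwxr-xr-x   1 root     root            0 Jun 18 11:31 root.lrp
-rwxr-xr-x   1 root     root        31744 Jun 18 11:31 etc.lrp
"""

# mode links owner group size month day time-or-year name
_LS_LINE = re.compile(
    r"^[-dlcbps][rwxsStT-]{9}\s+\d+\s+\S+\s+\S+\s+(?P<size>\d+)\s+"
    r"\S+\s+\d+\s+\S+\s+(?P<name>.+?)\s*$"
)


def parse_ls_sizes(listing):
    """Map file name -> size in bytes from `ls -l` output."""
    sizes = {}
    for line in listing.splitlines():
        m = _LS_LINE.match(line)
        if m:
            sizes[m.group("name")] = int(m.group("size"))
    return sizes


def parse_df_available(df_output, mountpoint="/"):
    """Available 1K blocks for the filesystem mounted at `mountpoint`."""
    for line in df_output.splitlines():
        parts = line.split()
        if len(parts) >= 6 and parts[-1] == mountpoint:
            return int(parts[3])
    raise ValueError("no df entry for %s" % mountpoint)


def fits_in_ramdisk(available_kb, package_bytes, headroom_kb=256):
    """The backup is built on the ramdisk before it is written to floppy,
    so the compressed package plus some headroom must fit in what df
    reports as Available. headroom_kb is an assumed margin."""
    needed_kb = -(-package_bytes // 1024) + headroom_kb
    return available_kb >= needed_kb


def check_backup(before_listing, after_listing, max_shrink=0.5):
    """Compare the floppy before and after a backup; return problems found.

    Only .lrp packages are compared: the kernel and syslinux files are not
    rewritten by a backup.
    """
    before = parse_ls_sizes(before_listing)
    after = parse_ls_sizes(after_listing)
    problems = []
    for name, old_size in sorted(before.items()):
        if not name.endswith(".lrp"):
            continue
        if name not in after:
            problems.append("%s: missing after backup" % name)
        elif after[name] == 0:
            problems.append("%s: zero-length after backup (truncated write)" % name)
        elif after[name] < old_size * max_shrink:
            problems.append("%s: shrank from %d to %d bytes" % (name, old_size, after[name]))
    return problems


if __name__ == "__main__":
    avail = parse_df_available(DF_OUTPUT)
    root_size = parse_ls_sizes(LS_BEFORE)["root.lrp"]
    print("root.lrp (%d bytes) can be staged on ramdisk: %s"
          % (root_size, fits_in_ramdisk(avail, root_size)))
    for p in check_backup(LS_BEFORE, LS_AFTER):
        print("DO NOT REBOOT:", p)
```

The shrink threshold is deliberately loose: a package legitimately gets a little smaller when logs are trimmed, but a root.lrp that halves in size is a truncated write, and the right move is to free memory and back up again before touching the power switch.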
RE: [Leaf-user] Routing in Proxy ARP DMZ
>I think you're getting close...I'll try to help you get everything working properly. Much appreciated :) >I assume your reports of ping failures are accurate, but the cause is not. Your routing tables are setup properly (assuming your server machines are on the DMZ and not plugged directly into the cable-modem network). Don't know if it makes any difference, but the connection is SDSL, with the Flowpoint 2200 router in dumbdumb bridge mode. >> What is NOT happening -- I can't access or ping DMZ servers from the internal network or from the LRP command line on the router itself. I assume this is caused by eth0 and eth1 not knowing how to get to eth2 --- but I don't know what might make this happen. Is that accurate? >I assume your reports of ping failures are accurate, but the cause is not. Your routing tables are setup properly (assuming your server machines are on the DMZ and not plugged directly into the cable-modem network). OK...now it's just the pings that are failing. I can access the server in the DMZ from the internal network, and outsiders can see it as well. >I'm going to need more info to figure out what's broken, as your network.conf and routing tables look OK to me. Please provide your current firewall rules (svi network ipfilter list), and details regarding: Current rules output: http://64.81.226.171/viewfw.htm This is the output provided by weblet --- is this the same output obtained with ?? It appears to be, and is much easier to access. >Accessing the DMZ servers from the internal net...what services on which machines...does accessing the same service & machine work from the internet? Hmmm, the game server at .173 was magically granted existence on the internet without further intervention from me. I am thinking this may have had to do with the arp cache on the ISP's router (my default gw 64.81.226.1) --- is my guess anywhere in the ballpark? Some functionality is still missing, but I'll get to the UDP filtering rules later.
I can now see the http server on .173 from my inside machines, so I am assuming this problem is solved. >Pinging from the LRP box and from client machines...it looks like you've got ICMP forwarding enabled for the DMZ, so this *should* be working...please provide details on exactly what you tried, and the exact error message ping returned (if any). From a Windows machine inside: "Request timed out" From the LRP command line: No output until Cntl-C then "X packets transmitted, 0 packets received, 100% packet loss" >This is because your LRP box still thinks these IP's are on eth2. If you move one of your servers from the DMZ to the 'outside', you'll need to remove its IP from eth2_ROUTES, and add its IP to DMZ_EXT_ADDRS for everything to work properly. I have added temporary entries to my network.conf to place .172 fully outside. Everything seems to be working fine at the moment. >NOTE: ...this might be handy for testing... Why, yes, it is :) >[adding manual route statements] is handled by the _ROUTES variable in my >proxy-arp scripts, so you don't need to do any hacking on the scripts... Would there ever be a case in which XXX_ROUTES would be used for eth1? I just noticed that there is no ETH1_ROUTES var in my current .conf - >> An updated network diagram is here http://64.81.226.171/netdiagram2.txt >> Current network.conf is here: http://64.81.226.171/net.txt Thanks again! Dan
Re: [Leaf-user] Compiling cipe for lrp
> Ok I have been trying to make CIPE work with eigersteinbeta2 I have > tried 3 different cipe lrp packages and just about every lrp kernel > version 2.2.16 I could get my hands on. Every single one of them throws > errors beyond config issues. I found on the CIPE website a comment about > the types of errors I've been getting being caused by running CIPE > without making sure that the kernel and ALL modules and CIPE were > compiled against the same exact source tree and on the same compiler. I > have tried downloading the 2.2.16 kernel source and the lrp patches and > compiling my own kernel but have been getting horrible errors. The > closest to apparently working version of CIPE I have was compiled > against a kernel 2.2.16-doc. > > Does anyone have a complete and working kernel source tree with config > for lrp kernel 2.2.x that I could compile a kernel and modules from? Or > would someone be willing to compile a matching kernel/modules and CIPE > for me? > > I apologise if I am asking stupid questions. I have searched and > searched the web on this and have found myself hopelessly stuck. No, these are not stupid questions. There's information on compiling a kernel for LRP in the LEAF FAQ's: http://sourceforge.net/docman/display_doc.php?docid=1453&group_id=13751 I think the links to the kernel tarball on Matthew Grant's site are probably broken. You can get the kernel.readme file and appropriate patches from my site, along with a kernel configuration file to use: http://lrp.steinkuehler.net/files/kernels/Eiger/kernel.readme http://lrp.steinkuehler.net/files/kernels/Eiger/2.2.16-1-LRP-patches/ http://lrp.steinkuehler.net/files/kernels/Eiger/2.2.16-1-LRP-FloppyImage-config NOTE: If you want IDE support, use one of these config files as a starting point: http://lrp.steinkuehler.net/files/kernels/Eiger/2.2.16-1-LRP-IDE-config http://lrp.steinkuehler.net/files/kernels/Eiger/2.2.16-1-LRP-config This should get you a kernel and CIPE module that work together.
If you also need to compile any CIPE user-space programs, make sure you're on a system with the proper C libraries for LRP (typically Debian Slink or RedHat 5.x). Charles Steinkuehler http://lrp.steinkuehler.net http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
Re: [Leaf-user] Routing in Proxy ARP DMZ
> I have my game servers in the DMZ, and they can "see" the internet, browse the web, etc. I have tested an http server running on one of them, and it is accessible from the outside. My external testers still can't see the game servers --- but I'll park that concern for now, since the http server works. So in short, 64.81.226.173 appears to be working with proper proxy arp configuration and filters for one service at least --- hooray for small progress :) I think you're getting close...I'll try to help you get everything working properly. > What is NOT happening -- I can't access or ping DMZ servers from the internal network or from the LRP command line on the router itself. I assume this is caused by eth0 and eth1 not knowing how to get to eth2 --- but I don't know what might make this happen. Is that accurate? I assume your reports of ping failures are accurate, but the cause is not. Your routing tables are setup properly (assuming your server machines are on the DMZ and not plugged directly into the cable-modem network). I'm going to need more info to figure out what's broken, as your network.conf and routing tables look OK to me. Please provide your current firewall rules (svi network ipfilter list), and details regarding: Accessing the DMZ servers from the internal net...what services on which machines...does accessing the same service & machine work from the internet? Pinging from the LRP box and from client machines...it looks like you've got ICMP forwarding enabled for the DMZ, so this *should* be working...please provide details on exactly what you tried, and the exact error message ping returned (if any). > When I park a server outside the DMZ, in the public space via one of my DSL bridge ports, I can't see it from inside --- but the whole world can. That's my Linux server --- when plugged directly into one of the Flowpoint's external hub ports it hums along --- for everyone but me. This is because your LRP box still thinks these IP's are on eth2. 
If you move one of your servers from the DMZ to the 'outside', you'll need to remove its IP from eth2_ROUTES, and add its IP to DMZ_EXT_ADDRS for everything to work properly. NOTE: Swapping an IP between DMZ_EXT_ADDRS and eth2_ROUTES *should* be all that's required to migrate a server from your DMZ net to the outside world...this might be handy for testing...you can leave the other DMZ rules in place for the server, as any in-bound packets for that machine will be ignored by the LRP box when the IP is listed in DMZ_EXT_ADDRS. > I have read several threads from last year discussing where to put the route statements in Eiger configs. Most of the explanations were a bit over my head, since I lack any clue when it comes to scripts. If you could give me some baby-step instructions on how these statements are constructed, and exactly how and where they are implemented in the configuration files, that would be helpful. This is handled by the _ROUTES variable in my proxy-arp scripts, so you don't need to do any hacking on the scripts... > Also, are there local settings on each of the 3 DMZ machines that need to be changed? Do they need persistent special routes configured? The DMZ machines should be configured just like they were tied directly to your cable-modem. They should be configured with the full /24 subnet, and can use either your LRP box (.172 IIRC) or the cable gateway (.1) IP for their default gateway. If you use the cable-gateway (.1) as the gateway, you won't have to do any re-configuration to move your servers from a direct connection to being firewalled behind the LRP system (hence why proxy-arp systems are called transparent firewalls). > An updated network diagram is here http://64.81.226.171/netdiagram2.txt > Current network.conf is here: http://64.81.226.171/net.txt Could you also provide the current firewall rules?
> Current routing table:
>
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref Use Iface
> 64.81.226.174   0.0.0.0         255.255.255.255 UH    0      0   0   eth2
> 64.81.226.172   0.0.0.0         255.255.255.255 UH    0      0   0   eth2
> 64.81.226.173   0.0.0.0         255.255.255.255 UH    0      0   0   eth2
> 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0   0   eth1
> 64.81.226.0     0.0.0.0         255.255.255.0   U     0      0   0   eth0
> 0.0.0.0         64.81.226.1     0.0.0.0         UG    0      0   0   eth0

Your routing table looks fine. I don't think you need any changes... Charles Steinkuehler http://lrp.steinkuehler.net http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
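The eth2_ROUTES / DMZ_EXT_ADDRS consistency that Charles describes, as an added example (it is not part of Charles' proxy-arp scripts nor of Dan's configuration): read the routing table Dan posted together with a network.conf fragment and report any address the box still routes to eth2 although it is listed as external, any address listed for the DMZ without a matching host route, and any proxy-ARP'd host that is not inside the external /24. The routing table is the one from the post; the network.conf lines are constructed, and their value format (whitespace-separated addresses in shell-style variables named as in the thread) is an assumption, since the real net.txt is not reproduced here.

```python
import ipaddress
import re

# Routing table as posted by Dan (output of `route -n` on Linux 2.2).
ROUTE_TABLE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
64.81.226.174   0.0.0.0         255.255.255.255 UH    0      0        0 eth2
64.81.226.172   0.0.0.0         255.255.255.255 UH    0      0        0 eth2
64.81.226.173   0.0.0.0         255.255.255.255 UH    0      0        0 eth2
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
64.81.226.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         64.81.226.1     0.0.0.0         UG    0      0        0 eth0
"""

# Constructed network.conf fragment: .172 has been "moved outside" (listed
# in DMZ_EXT_ADDRS) but its host route on eth2 was left behind. The value
# format is assumed; the real net.txt is not reproduced on this page.
NETWORK_CONF = """\
eth2_ROUTES="64.81.226.173 64.81.226.174"
DMZ_EXT_ADDRS="64.81.226.172"
"""


def parse_route_table(text):
    """Rows of `route -n` as dicts; the title and header lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or parts[0] == "Destination":
            continue
        dest, gateway, genmask, flags, _metric, _ref, _use, iface = parts
        routes.append({"dest": dest, "gateway": gateway, "genmask": genmask,
                       "flags": flags, "iface": iface})
    return routes


def parse_conf_list(conf_text, name):
    """Addresses from a NAME="a b c" line; a trailing /32 is tolerated."""
    m = re.search(r'^\s*%s="?([^"\n]*)"?\s*$' % re.escape(name), conf_text, re.M)
    if not m:
        return set()
    return {item.split("/")[0] for item in m.group(1).split()}


def host_routes(routes, iface):
    """Destinations with a /32 route out of `iface` (the proxy-ARP'd hosts)."""
    return {r["dest"] for r in routes
            if r["iface"] == iface
            and ("H" in r["flags"] or r["genmask"] == "255.255.255.255")}


def external_network(routes, ext_iface):
    """The directly connected (non-gateway, non-host) network on ext_iface."""
    for r in routes:
        if (r["iface"] == ext_iface and "G" not in r["flags"]
                and r["genmask"] != "255.255.255.255"):
            return ipaddress.ip_network("%s/%s" % (r["dest"], r["genmask"]))
    return None


def check_dmz_routes(route_text, conf_text, dmz_iface="eth2", ext_iface="eth0"):
    """Cross-check network.conf against the live routing table."""
    routes = parse_route_table(route_text)
    dmz_listed = parse_conf_list(conf_text, "%s_ROUTES" % dmz_iface)
    ext_listed = parse_conf_list(conf_text, "DMZ_EXT_ADDRS")
    on_dmz = host_routes(routes, dmz_iface)
    ext_net = external_network(routes, ext_iface)
    problems = []
    for ip in sorted(dmz_listed & ext_listed):
        problems.append("%s is in both %s_ROUTES and DMZ_EXT_ADDRS" % (ip, dmz_iface))
    for ip in sorted(dmz_listed - on_dmz):
        problems.append("%s is in %s_ROUTES but has no host route on %s" % (ip, dmz_iface, dmz_iface))
    for ip in sorted(on_dmz - dmz_listed - ext_listed):
        problems.append("%s has a host route on %s but is not in network.conf" % (ip, dmz_iface))
    for ip in sorted(ext_listed & on_dmz):
        # Charles' case: the box still thinks the server is on the DMZ, so
        # inside hosts (and the router itself) cannot reach it.
        problems.append("%s is in DMZ_EXT_ADDRS but still routed to %s" % (ip, dmz_iface))
    if ext_net is not None:
        for ip in sorted(on_dmz):
            if ipaddress.ip_address(ip) not in ext_net:
                problems.append("%s on %s is outside %s, proxy ARP cannot answer for it"
                                % (ip, dmz_iface, ext_net))
    return problems


if __name__ == "__main__":
    for p in check_dmz_routes(ROUTE_TABLE, NETWORK_CONF):
        print("WARNING:", p)
```

With the sample input the only finding is 64.81.226.172, which is the stale-route situation in Dan's follow-up; once the address is moved back into eth2_ROUTES (or the /32 route is dropped) the check comes back clean.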
Re: [Leaf-user] IP Packet Rejection
> I am using the newest Eiger2Beta from Charles Steinkuehler's site. I > have set it up exactly as specified on the leaf site with Rich Lohman's > How-to at: > http://nw-hoosier.dyndns.org/rlohman/linux/eiger-contents.html > > The main problem I have is, when everything is connected I can ping > all of my internal hosts just fine. I can ping the router gateway as > well as my external IP address. When I try to ping my ISP gateway, I get > a host cannot be reached error. I cannot browse anywhere on the internet > either. Also, when I try and use the weblet that shows log statistics > through your browser, I get page cannot be accessed. This is very weird. > > I am using a standard 2 NIC configuration with my outside assigned > static IP. I am using DHCPD for the internal network for ease of use for > my Windoze LAN users. I have double and triple checked my connections. > I know the connections are correct, I know the NIC's are working, I can > ping all my internal hosts as well as the router gateways. I cannot > route any packets beyond the router itself though. > > I am an infant to IPCHAINS still, but I did a quick check with: > ipchains -L and I found that all rules are setup to deny by default. Am > I poking at the wrong area maybe? I also noticed that my Hosts.deny is > set to paranoid as well as ALL:ALL and the only entry in hosts.allow is > for sh-httpd on 192.168.1.0. > > I would appreciate any advice anyone could give me. I am stuck at the > end of my setup and yet my network is so secure, that nothing can > route either in or out of the network. I was hoping for at least a few > ports for basic internet browsing. Please send help soon. This sounds like it could be the problem with the dhclient package on the EigerStein2Beta disk. Try replacing the dhclient.lrp package on the floppy with the latest one from my site.
Also, some folks have reported things are fixed if they re-start the dhclient package after boot by running: svi dhclient restart If this command fixes your problem, you definitely need to upgrade to the new dhclient package. If you're still not connected to the 'net, you have something else wrong (maybe your ISP assigning you a private IP). In this case, you'll need to provide more details for us to help you. See the support page on my site, and the How-to-ask-for-help HOWTO. Charles Steinkuehler http://lrp.steinkuehler.net http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
RE: [Leaf-user] Now here's an interesting auction
I think what you were thinking of was the modmaker, which made the modules on the fly for what you needed. That thing has been dead since before I logged onto the list (May 2000). That was for the old 2.9.4 which ran the 2.0.36 kernel (I think that was the kernel). All that has been solved by the repositories like Charles has on his site. Later Tony > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED]]On Behalf Of > James Barrett > Sent: Monday, June 18, 2001 07:54 > To: [EMAIL PROTECTED] > Subject: Re: [Leaf-user] Now here's an interesting auction > > > I remember there used to be those places where you entered > what you wanted > and an image was built for you -- do they still exist anywhere? > > Thanks,
[Leaf-user] Re: Commands for the Eigerstein
Hello Martin On 17-Jun-01, you wrote: > Hello Charles. > > I've got a problem. ah...forget it.. just tired. Comes from supporting 13 OS's. Eigerstein. Does anyone else have problems with :- A) Occasional problems saving/exiting the setups. Sometimes ctrl-c and alt-q don't work and I have to use ctrl-k/alt-k. B) Quite often, doing a simple change (removing a single #) will prevent me from backing up without logs. It will complain that /root is full or whatever. Further, when this happens, it destroys the disk making it unbootable. As Freesco has been mentioned. I see that they are at 0.2.7 (I had 0.2.5) but are still using kernel 2.0.38. What I do like about it is the good use of color during the boot process. The ease of setting up. They have a nice web browsable remote control that can be set anywhere or just within your private lan. The docs are really good and clear. There is a really nice web message board. Let me re-iterate. I'm not saying Freesco is great but it is interesting to compare the projects. Perhaps the 'movers and the shakers' in LRP might want to look at what Freesco are doing and take some of the better points. http://www.Freesco.com or http://www.freesco.org Regards...Martin -- --- A beard signifies lice, not brains.
Re: [Leaf-user] Now here's an interesting auction
I remember there used to be those places where you entered what you wanted and an image was built for you -- do they still exist anywhere? Thanks, -J - Original Message - From: "Michael McClure" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Sunday, June 17, 2001 10:28 PM Subject: Re: [Leaf-user] Now here's an interesting auction > About 8 months ago, when I was trying to get LRP up and running, I was > getting very frustrated. Freesco was configured and running in 15 > minutes and worked great. The documentation and setup by script was > easy. I wanted the flexibility of LRP, though, but I couldn't get > anything to load properly given the images that I had. I had even tried > a couple different custom-image configuration sites on the net with no > luck... > > Then I found EigerStein. > > thanks, Charles. > > mike. > > Tony wrote: > > > Morning all, > > > > I think some of you missed my point. I am not really interested in > > using freesco, more to the point: > > > > 1. It was interesting to see someone trying to make a go of selling > > computers with a floppy based firewall. > > > > 2. Since they claim it runs in 6 MB, I would be interested in seeing how > > they have the web-based setup routine work in the limited space. > > > > 3. I wonder if the web based setup would be something that could be > > adapted to LRP without a lot of overhead (mainly space requirements). > > > > > > I am glad to see some have used it before. My question to you all is, > > what is the setup routine like? Was it comprehensive? Was it web-based > > or text-based? I have only tried Oxygen's setup a couple of times, and > > it is effective, but unless you know the layout of the system and where > > you should edit for your situation, it can be a little difficult to > > configure. Now, in all honesty, I have not RTFM's, I have "perused" > > them and thought I could figure it out as I went. I was only half > > effective in that approach.
> > > > The weird thought I had was what if, like in Oxygen, you had a basic > > boot disk, then you loaded whatever data disk you wanted, followed only > > on the initial boot, a setup diskette. The setup diskette would do the > > grunt work of setting up the basic system (web-based with brief > > explanations on the various screens of what needed to go where). Then > > you could use the package system to setup the individual packages as > > needed. > > > > I hope all that made some sense, and more importantly, I hope I have my > > facts straight on Oxygen since I have only used it twice like I said. > > It took me about a week the first time I tried LRP to figure out that > > when I rebooted, the settings weren't being saved (ramdisk...D'OH!). If > > I am wrong, or misguided, I apologize and would appreciate being pointed > > in the right direction. > > > > Thanks, > > > > Tony > > > > P.S. The DNS scans have faded out for the most part, but it seems to be > > tied to that damn X-10 advertisement. Whenever I have one pop up, I get > > scanned. I can go for a week or two, nothing, then boom, scan-o-rama. > > I implemented the filter pointing to an external file with the IP's > > listed and that has taken care of it. > > > > > > > > > >> -Original Message- > >> From: [EMAIL PROTECTED] > >> [mailto:[EMAIL PROTECTED]]On Behalf Of kp vander > >> kleut > >> Sent: Sunday, June 17, 2001 06:38 > >> To: [EMAIL PROTECTED] > >> Cc: David Zilm > >> Subject: Re: [Leaf-user] Now here's an interesting auction > >> > >> > >> Hi, > >> > >> last I checked (some months ago) Freesco did only Modem > >> (PPP)lines, no dsl > >> or cable or ethernet, running on a 2.0.36 kernel. their > >> webconfig is a nice > >> setup though slightly confusing at times. Didn't try to find out more > >> because I prefer 2.2.* kernels and use a cable modem. if you > >> decide to try > >> and adept some of it for LRP I would be intrested of course > >> (as would others > >> I presume). 
> >> I read through their site quickly and found a newer release > >> than the one I > >> saw some time back, they apperently support eth-eth and cable > >> nowadays, > >> maybe I'll take another shot at it. I couldn't find a kernel > >> version in > >> their docs quickly, don't now whether they use ipchains or > >> tables. (They do > >> have a nice setup manual) > >> Good luck > >> Greetings Peter vanderkleut > >> > >> > >> - Original Message - > >> From: "David Zilm" <[EMAIL PROTECTED]> > >> To: <[EMAIL PROTECTED]> > >> Sent: Sunday, June 17, 2001 10:42 AM > >> Subject: [Leaf-user] Now here's an interesting auction > >> > >> > Message: 1 > From: "Tony" <[EMAIL PROTECTED]> > To: <[EMAIL PROTECTED]> > Date: Sat, 16 Jun 2001 11:08:31 -0400 > Subject: [Leaf-user] OT: Now here's an interesting auction > Reply-To: [EMAIL PROTECTED] > > First, Hi to all the recently displaced (?) LRP list > >>> > >> members, glad to > >> > join you over here. Second, sorry abo
RE: [Leaf-user] problem with ATAPI cdrom
It is probably just that, a VERY old CD-ROM. The lens is probably full of dirt and therefore, the CD-ROM is almost blind :) Try the same thing with a new one.

-Original Message-
From: douglas orr [mailto:[EMAIL PROTECTED]]
Sent: Saturday, June 16, 2001 10:23 PM
To: [EMAIL PROTECTED]
Subject: [Leaf-user] problem with ATAPI cdrom

Hi, I'm trying to use an ATAPI cdrom with the eigerstein+ide+ipsec kernel from charles' site and getting some unhappy results: The kernel recognizes the drive, it tells me it's hdb (hda if I make it a master... I've tried both). I insmod cdrom.o, ide-cd.o, and isofs.o; ide-cd.o tells me it recognizes hdb. I try and mount it and I get an ATAPI error, status=0x51 error=0x40 (there is some more verbiage). Then, there are some retries, where the sense=0. This cd is pretty old (2x). It was working in the recent past. Is it possible I'm missing a module? Any suggestions?

Thanks,
Doug

___ Leaf-user mailing list [EMAIL PROTECTED] http://lists.sourceforge.net/lists/listinfo/leaf-user
[Leaf-user] Routing in Proxy ARP DMZ
OK, it seems I have straightened out the first layer of problems with my setup --- thanks Charles. Now, I am running into my limitations on proper routing statements.

I have my game servers in the DMZ, and they can "see" the internet, browse the web, etc. I have tested an http server running on one of them, and it is accessible from the outside. My external testers still can't see the game servers --- but I'll park that concern for now, since the http server works. So in short, 64.81.226.173 appears to be working with proper proxy arp configuration and filters for one service at least --- hooray for small progress :)

What is NOT happening -- I can't access or ping DMZ servers from the internal network or from the LRP command line on the router itself. I assume this is caused by eth0 and eth1 not knowing how to get to eth2 --- but I don't know what might make this happen. Is that accurate?

When I park a server outside the DMZ, in the public space via one of my DSL bridge ports, I can't see it from inside --- but the whole world can. That's my Linux server --- when plugged directly into one of the Flowpoint's external hub ports it hums along --- for everyone but me.

I have read several threads from last year discussing where to put the route statements in Eiger configs. Most of the explanations were a bit over my head, since I lack any clue when it comes to scripts. If you could give me some baby-step instructions on how these statements are constructed, and exactly how and where they are implemented in the configuration files, that would be helpful. Also, are there local settings on each of the 3 DMZ machines that need to be changed? Do they need persistent special routes configured?

As always, your assistance is appreciated.

Dan

An updated network diagram is here: http://64.81.226.171/netdiagram2.txt
Current network.conf is here: http://64.81.226.171/net.txt

Current routing table:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
64.81.226.174   0.0.0.0         255.255.255.255 UH    0      0        0 eth2
64.81.226.172   0.0.0.0         255.255.255.255 UH    0      0        0 eth2
64.81.226.173   0.0.0.0         255.255.255.255 UH    0      0        0 eth2
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
64.81.226.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         64.81.226.1     0.0.0.0         UG    0      0        0 eth0
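To see what the posted routing table actually decides for a DMZ destination, here is an added example (not from the list thread, and not LEAF/LRP code) that parses the `route -n` style output above and performs the same longest-prefix match the kernel does when it picks an outgoing interface. The table text is the one from the post, embedded inline so the script runs offline; the lookup destinations 192.168.1.20, 64.81.226.50 and 198.51.100.7 are constructed test values and not hosts from the post.

```python
import ipaddress

# The routing table as posted on the list (route -n style), embedded inline.
ROUTE_TABLE = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
64.81.226.174   0.0.0.0         255.255.255.255 UH    0      0        0 eth2
64.81.226.172   0.0.0.0         255.255.255.255 UH    0      0        0 eth2
64.81.226.173   0.0.0.0         255.255.255.255 UH    0      0        0 eth2
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
64.81.226.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         64.81.226.1     0.0.0.0         UG    0      0        0 eth0
"""


def parse_route_table(text):
    """Turn route -n output into a list of routes.

    Each route is a dict with the network (destination + genmask combined),
    the gateway as printed, the flags, and the outgoing interface.
    Header lines and anything that is not an 8-column route line are skipped.
    """
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[0] == "Destination":
            continue
        dest, gateway, genmask, flags = fields[0], fields[1], fields[2], fields[3]
        iface = fields[-1]
        # strict=False lets a host address (e.g. 64.81.226.173/32) be accepted.
        net = ipaddress.ip_network(f"{dest}/{genmask}", strict=False)
        routes.append({"net": net, "gateway": gateway, "flags": flags, "iface": iface})
    return routes


def lookup(routes, dst):
    """Longest-prefix match for dst.

    Returns (gateway, iface) where gateway is None for a directly connected
    route (printed as 0.0.0.0 by route -n), or None if no route matches.
    A /32 host route therefore wins over a /24 network route, and the
    0.0.0.0/0 default route only applies when nothing more specific matches.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for route in routes:
        if addr in route["net"]:
            if best is None or route["net"].prefixlen > best["net"].prefixlen:
                best = route
    if best is None:
        return None
    gateway = None if best["gateway"] == "0.0.0.0" else best["gateway"]
    return gateway, best["iface"]


def explain(routes, dst):
    """Human-readable one-liner for a lookup, for reading the table by hand."""
    result = lookup(routes, dst)
    if result is None:
        return f"{dst}: no route"
    gateway, iface = result
    via = "directly connected" if gateway is None else f"via {gateway}"
    return f"{dst}: {via} on {iface}"


if __name__ == "__main__":
    table = parse_route_table(ROUTE_TABLE)
    # The three DMZ hosts from the post, plus constructed sample destinations.
    for host in ("64.81.226.172", "64.81.226.173", "64.81.226.174",
                 "192.168.1.20", "64.81.226.50", "198.51.100.7"):
        print(explain(table, host))
```

For 64.81.226.173 the lookup selects the /32 host route on eth2, so from the router's own point of view the forwarding decision already points at the DMZ interface. What the routing table cannot show, and what still has to be checked separately, is the proxy ARP entries, the packet filter rules, and which route the DMZ hosts themselves use when they send replies back to 192.168.1.0/24.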