RE: [Leaf-user] RIP?
Thanks Dave. Upstream router suddenly decided against RIP.

John Rodley

> To do RIP, you need the routed daemon. From a security standpoint, using routed is not a good idea. In theory, you should not have to use routed, even if the upstream router does: just put in statically whatever routes the upstream router wants you to have.
>
> The reasons routed (and RIP) are security risks are several: one, RIP is not designed to be secure and private. Secondly, and more importantly, it is possible for someone to corrupt your routing tables and thus reroute your traffic through THEIR site instead of your normal upstream router. Hacking a site can be made MUCH easier if you can scan the traffic, and this lets the cracker do this. Scanning any traffic from FTP, Telnet, POP, IMAP will show passwords. It also opens the FTP server, Telnet server, POP server, and IMAP server up to being hacked too.

___ Leaf-user mailing list [EMAIL PROTECTED] http://lists.sourceforge.net/lists/listinfo/leaf-user
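The routing-table corruption described above is easy to spot on the wire if you know which router is allowed to send RIP responses. This added example (not code from the list or from LEAF) parses RIPv2 response packets as they arrive on UDP/520 and flags ones that come from anything other than the configured upstream router, offer a default route, or redirect a next hop elsewhere; the trusted router address and the rogue packet are constructed sample data.

```python
import ipaddress
import struct
# RIPv2 wire format (RFC 2453): 4-byte header, then 20-byte route entries.
RIP_RESPONSE = 2
RIP_ENTRY = struct.Struct("!HH4s4s4sI")  # AFI, route tag, address, mask, next hop, metric
RIP_INFINITY = 16
DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")
UNSPECIFIED = ipaddress.IPv4Address("0.0.0.0")

def parse_rip(packet: bytes):
    """Return (command, version, [(prefix, next_hop, metric), ...]); raise on bad framing."""
    if len(packet) < 4 or (len(packet) - 4) % RIP_ENTRY.size:
        raise ValueError("malformed RIP packet length")
    command, version, _zero = struct.unpack("!BBH", packet[:4])
    routes = []
    for off in range(4, len(packet), RIP_ENTRY.size):
        afi, _tag, addr, mask, nh, metric = RIP_ENTRY.unpack_from(packet, off)
        if afi != 2:  # only AF_INET entries carry routes (0xFFFF is an auth entry)
            continue
        prefix = ipaddress.ip_network((addr, str(ipaddress.IPv4Address(mask))), strict=False)
        routes.append((prefix, ipaddress.IPv4Address(nh), metric))
    return command, version, routes

def suspicious_updates(packet: bytes, src_ip: str, trusted_router: str):
    """List reasons a RIP response from src_ip should not be trusted; [] means it looks normal."""
    command, _version, routes = parse_rip(packet)
    reasons = []
    if command != RIP_RESPONSE:
        return reasons  # requests do not change our routing table
    if src_ip != trusted_router:
        reasons.append(f"response from untrusted source {src_ip}")
    for prefix, nh, metric in routes:
        if prefix == DEFAULT_ROUTE and src_ip != trusted_router:
            reasons.append(f"default route offered by {src_ip} with metric {metric}")
        if nh != UNSPECIFIED and str(nh) != src_ip:
            reasons.append(f"route {prefix} points next hop away from the sender, to {nh}")
        if not 1 <= metric <= RIP_INFINITY:
            reasons.append(f"route {prefix} has invalid metric {metric}")
    return reasons

def build_entry(prefix: str, next_hop: str, metric: int) -> bytes:
    """Pack one RIPv2 route entry (used here only to construct sample packets)."""
    net = ipaddress.ip_network(prefix)
    return RIP_ENTRY.pack(2, 0, net.network_address.packed, net.netmask.packed,
                          ipaddress.IPv4Address(next_hop).packed, metric)
def build_response(*entries: bytes) -> bytes:
    """Frame entries as a RIPv2 response (command 2, version 2)."""
    return struct.pack("!BBH", RIP_RESPONSE, 2, 0) + b"".join(entries)
# Constructed sample: a LAN host (not the upstream router) advertising itself as the default route.
ROGUE_PACKET = build_response(build_entry("0.0.0.0/0", "0.0.0.0", 1))
```

Feed it the UDP payload and source address from a packet capture; a non-empty list from a box that is not your upstream router is exactly the rerouting the message warns about.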
RE: [Leaf-user] RIP?
Hi John,

Sounds like your upstream router's brain came online again! :-)

Regards,
Hilton

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Rodley
Sent: Saturday, 30 June 2001 12:41 AM
To: [EMAIL PROTECTED]
Subject: RE: [Leaf-user] RIP?

Thanks Dave. Upstream router suddenly decided against RIP.

John Rodley

> To do RIP, you need the routed daemon. From a security standpoint, using routed is not a good idea. In theory, you should not have to use routed, even if the upstream router does: just put in statically whatever routes the upstream router wants you to have.
>
> The reasons routed (and RIP) are security risks are several: one, RIP is not designed to be secure and private. Secondly, and more importantly, it is possible for someone to corrupt your routing tables and thus reroute your traffic through THEIR site instead of your normal upstream router. Hacking a site can be made MUCH easier if you can scan the traffic, and this lets the cracker do this. Scanning any traffic from FTP, Telnet, POP, IMAP will show passwords. It also opens the FTP server, Telnet server, POP server, and IMAP server up to being hacked too.
Re: [Leaf-user] Firewall testing
Dale Long, 2001-06-29 09:58 +0930

> On Thu, 28 Jun 2001, Mike Noyes wrote:
>
> Do you still need me to complete the scanning task, or is the web based scanner enough for each user/leader to do?

Yes. I think they will provide a good reference for users to compare their setup with. Also, scans from the DMZ and the internal network can't be performed by these web based audits.

> Are there any particular builds you want me to test against? I am planning to redo the latest Oxygen and EigerStein on my LAN. What is the official release of each type as opposed to the development releases?

Dale,
The official releases are in our files area. (ES2b O2 May 2001)

> Do you want me to try each affiliated firewall with them, or just with the 'out of the box' product?

Start with the 'out of the box' products. If you get ambitious you can do the rest. :)

--
Mike Noyes [EMAIL PROTECTED] http://leaf.sourceforge.net/
Re: [Leaf-user] Re: LRP PPPoE
> causes a 486 computer to bog down and not be able to handle the DSL connection with speeds over 500k.

How have you been monitoring the CPU usage? With top or something else?

I have been running your pppoe-image now for a couple of weeks; my connection is rated 1.5M/512k, but I have been able to get only something like 800k/400k out of it. Anyway, my LRP machine is a 486DX2-66 with 32M and it does not seem to be having any problems with that kind of traffic. But then, without means to actually measure the CPU load I would probably not know even if it was having problems...

/mek
Re: [Leaf-user] Re: LRP PPPoE
With top. I will send you a top.lrp package if you wish to test your CPU usage... my tests are subjective until I get more data.

Kenneth Hadley
PC / Network Specialist
McCormick Selph Inc.
[EMAIL PROTECTED]

----- Original Message -----
From: Mika Kouhia [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, June 29, 2001 9:07 AM
Subject: Re: [Leaf-user] Re: LRP PPPoE

> causes a 486 computer to bog down and not be able to handle the DSL connection with speeds over 500k.

How have you been monitoring the CPU usage? With top or something else?

I have been running your pppoe-image now for a couple of weeks; my connection is rated 1.5M/512k, but I have been able to get only something like 800k/400k out of it. Anyway, my LRP machine is a 486DX2-66 with 32M and it does not seem to be having any problems with that kind of traffic. But then, without means to actually measure the CPU load I would probably not know even if it was having problems...

/mek
Re: [Leaf-user] pppd
Meanwhile, did you check http://lrp.c0wz.com ? Rick has a mini-HOWTO on ppp servers. The howto was written with 2.9.4, and works with 2.9.8 also. As it is pretty package specific, as long as you can get a ppp(d).lrp and a mgetty.lrp and the required modules, you should be fine.

Good Luck,
Jon
Re: [Leaf-user] Re: LRP PPPoE
Yes, I would like to get the top.lrp package. I have not yet had the time to build up a development machine for LRP, so I cannot compile the package myself.

I am using ISA nic-cards on the 486 machine (and not even good ones, cheap ne2000 clones), but I think I was not clear enough in my post; at the moment I do not believe the LRP machine is a bottleneck for me (but would like to find out if it actually is, because I have a bunch of P100-P133 machines with PCI bus in the closet). I have tried, though briefly, to test my connection without the 486, just using a PPPoE client on my Linux box, and the results were not any better. Then again, my ADSL link is provided by NTT, so nobody expects them to deliver what they promise...

Thanks,
/mek
[Leaf-user] And the winner is?
This is a bit OT, but it's an outstanding map that you will certainly enjoy, if you haven't seen it yet.

Best,
Matthew

http://www.atai.org/softwarewar.gif
Re: [Leaf-user] LRP-CD internal, NAT'ed network ???
> [2] We are confused about usage of: INTERN_SERVERS
> Format is given: protocol_extern-ip_extern-port_intern-ip_intern-port
> Suppose that we want 192.168.0.250 ping-able by the world -- how ought this var be constructed?

INTERN_SERVERS creates port-forwarding rules. I don't think you can port-forward ICMP packets, so your example has no valid answer. If, however, you wanted to port-forward web requests, you would do something like:

INTERN_SERVERS=tcp_publicIP_80_192.168.0.250_80

> Or, by extern-ip, does this mean -- literally -- the external interface of the firewall?

Extern-IP is a public IP assigned to the firewall. It could be the primary (or only) IP, or an IP alias assigned to the main external interface.

> Is there a way to make NAT'ed, internal addresses accessible from the DMZ?

Yes, you port-forward them just like you would to get access from the internet. Be careful, however, as you're usually better off (from a security standpoint) making connections from your internal net to the DMZ. Any connections allowed from the DMZ (or internet) to your internal network represent potential areas to exploit security holes in the programs 'listening' to those ports.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
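Because every INTERN_SERVERS entry is a hole from the outside into the internal net, it is worth checking the variable before the firewall loads it. This added example (not LEAF's own code) parses entries in the protocol_extern-ip_extern-port_intern-ip_intern-port format from the reply above, rejects ones that cannot work (ICMP has no port) or that name an extern-ip the firewall does not hold, and lists what each surviving rule exposes; the firewall addresses and internal network are constructed, and treating the value as whitespace-separated entries is an assumption.

```python
import ipaddress

# Constructed sample values; the thread's "publicIP" is a placeholder for the real one.
FIREWALL_EXTERNAL_IPS = {"203.0.113.10", "203.0.113.11"}
INTERNAL_NET = ipaddress.ip_network("192.168.0.0/24")

def parse_intern_server(entry: str) -> dict:
    """Parse protocol_extern-ip_extern-port_intern-ip_intern-port; raise ValueError if unusable."""
    parts = entry.split("_")
    if len(parts) != 5:
        raise ValueError(f"{entry!r}: expected 5 underscore-separated fields, got {len(parts)}")
    proto, ext_ip, ext_port, int_ip, int_port = parts
    proto = proto.lower()
    if proto not in ("tcp", "udp"):
        # ICMP (ping) has no port, so there is nothing to forward, as the reply says.
        raise ValueError(f"{entry!r}: protocol {proto!r} cannot be port-forwarded")
    try:
        ext_port, int_port = int(ext_port), int(int_port)
    except ValueError:
        raise ValueError(f"{entry!r}: ports must be integers") from None
    for port in (ext_port, int_port):
        if not 1 <= port <= 65535:
            raise ValueError(f"{entry!r}: port {port} out of range")
    ext_addr, int_addr = ipaddress.ip_address(ext_ip), ipaddress.ip_address(int_ip)
    if str(ext_addr) not in FIREWALL_EXTERNAL_IPS:
        raise ValueError(f"{entry!r}: {ext_addr} is not an address on the firewall's external side")
    if int_addr not in INTERNAL_NET:
        raise ValueError(f"{entry!r}: {int_addr} is not on the internal network")
    return {"proto": proto, "ext_ip": str(ext_addr), "ext_port": ext_port,
            "int_ip": str(int_addr), "int_port": int_port}

def audit_intern_servers(value: str):
    """Return (accepted rules, rejection messages) for a whole INTERN_SERVERS value."""
    rules, errors = [], []
    for entry in value.split():
        try:
            rules.append(parse_intern_server(entry))
        except ValueError as exc:
            errors.append(str(exc))
    return rules, errors
```

Each accepted rule is a service on the internal net reachable from the DMZ or the internet, so the accepted list doubles as the inventory of what must be kept patched.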
[Leaf-user] Archives for OpenSSH question
I am new to the list, and have a question I am sure must be in an archive or FAQ.

Without going into too much detail, I want to poke a hole in my LRP firewall so that I can ssh directly through the firewall into an internal server. I'm still using an LRP version that uses ipfwadm. I'd be happy to upgrade if that makes it easier, but would like to stay on my present firewall HW (486SX w/ 16 Meg RAM, /dev/fd0 and no HD).

I'd be grateful if someone could point me to the right reading -- HOWTOs, FAQs, or even chapters in O'Reilly books. Also if upgrading is needed, I would be grateful for the URL(s) of the appropriate idiot images and modules.

Let me apologize in advance for any breaches of list culture or courtesy. I've only lurked for a few days, having immigrated from the old LRP list.

TIA,
--
Lan Barnes [EMAIL PROTECTED]
Icon Consulting, Inc 858-273-6677
Within the soul of each Vietnam veteran there is probably something that says, 'Bad war, good soldier.' - Max Cleland
[Leaf-user] Setting up DSL PPPoA on router????
I've got a question concerning DSL service via PPPoA, yes oA for PPP over ATM, which is what my ISP uses.

Ok, the way it was explained to me is that my DSL modem, a Zyxel Prestige 642MA, will have an ethernet port for my connection; it will have a set IP of 192.168.1.1 on that ethernet port, and it then expects your in-house machine to have an address of 192.168.1.2. Ok, that means in order to talk out to the internet, my router, or any machine, has to use 192.168.1.1 as the gateway machine with the routing table defaulting to it.

Now, about ipmasq and firewalling. Since the DSL modem expects the connected machine to be 192.168.1.1, then the DSL modem would have to do NAT/ipmasq for it. So how would the LRP machine be set up for firewall and ipmasquerading for the second nic local network of say 192.168.2.xxx? Since its internet connection is also a private network number, not a dynamically allocated global number like a normal ppp connection would get. The settings for the local networked machines would be ip 192.168.2.xxx, gateway 192.168.2.1 (ip of the LRP's nic on that network), and DNS being the same as before.

Anybody set up a router like this before?? I am not new to LRP, I have been running one for many months, switching over to eiger2beta a month or so ago to fix an AOL Instant Messenger problem. I have about ten days to two weeks to get ready for this.

--
Jeff Pierce [EMAIL PROTECTED] http://pages.preferred.com/~piercej
Re: [Leaf-user] Setting up DSL PPPoA on router????
On Fri, 29 Jun 2001, Jeff Pierce wrote:

> I've got a question concerning DSL service via PPPoA, yes oA for PPP over ATM, which is what my ISP uses. Ok, the way it was explained to me is that my DSL modem, a Zyxel Prestige 642MA, will have an ethernet port for my connection; it will have a set IP of 192.168.1.1 on that ethernet port, and it then expects your in-house machine to have an address of 192.168.1.2.

... or any address 192.168.1.[2-254]

> Ok, that means in order to talk out to the internet, my router, or any machine, has to use 192.168.1.1 as the gateway machine with the routing table defaulting to it. Now, about ipmasq and firewalling. Since the DSL modem expects the connected machine to be 192.168.1.1

No, see above.

> , then the DSL modem would have to do NAT/ipmasq for it. So how would the LRP machine be set up for firewall and ipmasquerading for the second nic local network of say 192.168.2.xxx? Since its internet connection is also a private network number, not a dynamically allocated global number like a normal ppp connection would get.

This could be a simple masqed static two-nic configuration, but you would have to fix the no-private-address-routing problem as described in the FAQ at leaf.sourceforge.net. Another approach would be a transparent firewall, but this is not so easy.

> The settings for the local networked machines would be ip 192.168.2.xxx, gateway 192.168.2.1 (ip of the LRP's nic on that network), and DNS being the same as before.

Sounds right.

> Anybody set up a router like this before??

Not I. I expect most of the flexibility with picky network applications that LEAF has will be lost with the hardware router.

> I am not new to LRP, I have been running one for many months, switching over to eiger2beta a month or so ago to fix an AOL Instant Messenger problem. I have about ten days to two weeks to get ready for this.

Should be easy to get basic functionality. However, you may find that your firewall never gets hit, because it will take some doing to get through the Zyxel (I don't know that it is possible, but then I don't know that it is impossible, either.) If you trust the Zyxel, you can forget the LEAF.

---
Jeff Newmiller  DCN:[EMAIL PROTECTED]
Research Engineer (Solar/Batteries/Software/Embedded Controllers)
---