RE: [Leaf-user] OT: Question about hubs

2001-07-03 Thread Luis.F.Correia

Peter, I have a similar problem at home.

I have a cheapo D-Link mini-hub. I don't even know the model :)

When I connect my laptop, which uses a Xircom RealPort adapter, and transfer
large files from the laptop to the other PCs, the collision LED seems like
the power LED :)

Although my connection is 10Mb, my boss says that Ethernet, as it is,
saturates at half the rate.

This is why in the OfficeConnect hubs from 3Com, the LED bar goes from 5%
to 80%, never to 100%.

I guess that this is the result of poorly implemented hubs/NICs.

-Original Message-
From: Peter Nosko [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 03, 2001 12:25 AM
To: Leaf-User
Subject: [Leaf-user] OT: Question about hubs


pn] I've noticed when FTPing large files between two machines on the same
subnet/hub, the collision light alternates between flickering and almost
solid-on.  Is this normal and of any real concern?  Does it have anything to
do with hub "quality?"

pn] FWIW, I'm using Kingston KND800TX 10/100 hubs, and both machines in this
case have 3C905B-TX (100) NICs.

---
Peter Nosko




___
Leaf-user mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-user




Re: [Leaf-user] 2.2.19 and freeswan 1.9

2001-07-03 Thread Fred Forester

Thanx Charles

Fred

- Original Message -
From: Charles Steinkuehler <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, July 02, 2001 1:56 PM
Subject: Re: [Leaf-user] 2.2.19 and freeswan 1.9


> > has anyone built a 2.2.19 kernel with Freeswan 1.9 for LRP?
> > currently using the latest LRP-CD Eiger image. Works great but would like
> > to run something a little newer.
>
> I got the code downloaded, but didn't quite get it compiled & packaged before
> I had to move my office.  I'm now moved, but still unpacking...
>
> An updated FreeS/WAN with a 2.2.19 kernel is real high on my list of
> to-do's, as I need to bring my VPN back online, and I'd like to do so with
> the newer software.  Hopefully, I'll get this cranked out sometime this
> week...
>
> Charles Steinkuehler
> http://lrp.steinkuehler.net
> http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)





Re: [Leaf-user] 2.2.19 and freeswan 1.9

2001-07-03 Thread Fred Forester

Roland,

Thanx. Charles posted saying he may have one in a week or so.

Fred


- Original Message -
From: Roland Bevan <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, July 02, 2001 2:26 PM
Subject: Re: [Leaf-user] 2.2.19 and freeswan 1.9


> Quoting Fred Forester <[EMAIL PROTECTED]>:
>
> > Hi all
> >
> > has anyone built a 2.2.19 kernel with Freeswan 1.9 for LRP?
> > currently using the latest LRP-CD Eiger image. Works great but would
> > like
> > to run something a little newer.
> >
> >
> > Thanx
> > Fred
>
> I have, but there are a couple of caveats.  First, I'm working with
> Oxygen, not LRP-CD, so there may be differences I'm not aware of in the LRP
> patches applied to the stock kernel.  Second, I'm building an Oxygen system
> to replace my current Red Hat-based firewall, which is running Freeswan
> (among other things) 24x7 and I haven't yet tested Freeswan on the LRP box,
> so while it built correctly and I've done some auditing of the various
> Freeswan scripts, I don't know if everything works yet.
> However I can say I have successfully built the 2.2.19 kernel with
> pcmcia-cs 3.1.26 and Freeswan 1.91, plus LRP and Openwall patches, and
> everything I've used seems fine so far.
> Since Charles is working on it, you might want to wait for his expert
> touch; otherwise I'll be glad to provide what I've got if you're in a
> hurry - just be prepared to hunt down the odd Freeswan script problem that I
> haven't found yet.
>
> -Roland





Re: [Leaf-user] mnc and scripts

2001-07-03 Thread Tim Hicks

- Original Message - 
From: "Mike Sensney" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, July 03, 2001 6:36 AM
Subject: Re: [Leaf-user] mnc and scripts


> However, there is another rather crude way that I think will work. 
> 
> 
> echo $data | mnc $address $port &
> pid=$!
> sleep 5
> kill $pid
> 

Thanks Mike, it works just how I want it to, crude or not :-).

> What this does is
> 1)run mnc as a background task 
> 2)saves the background task PID
> 3)sleeps 5 seconds
> 4)kills the background task (mnc)

And thanks for the rundown on what's happening.

tim





[Leaf-user] IPSEC, VPN et al

2001-07-03 Thread smorilla

Hi all,

I have two LRP (Eigerstein), one at work, one at the office.
I would like to be able to connect my home W98 to my office network.
So far I'm using ssh at both LRP so I can admin them remotely. So far so good!!

   Home      ---------                    ---------      Office
          ---| LRP 2 |---( internet )-----| LRP 1 |---
   Network   ---------         |          ---------      Network
                               |
                          ----------
                          | Remote |
                          | Users  |
                          ----------

LRP 1 is an Eigerstein 2.2.16
LRP 2 is an Eigerstein 2.2.16
Remote users using any imaginable version of M$ OS
Computers on Office Network are a mix of Netware and NT

Now, there are some tasks I need to do at my office servers, so here are the
questions.
1) Do I need to set up IPSEC on both machines in order to log in at my office NT
Terminal Server? This is a computer behind LRP2 talking to a computer behind LRP1

2) If a remote user (connected to internet somewhere in the world) needs to
access this Terminal Server, what software does he need? This is through LRP1

3) What will be the easiest way to accomplish this? My objective is to access
the computers behind LRP1 with the minimal installation/configuration on
travelling computers. So there are a lot fewer things a user can break.

4) Some good reference on IPSEC, and other software needed will be VERY
appreciated!!! How-TOs??


Thanks

Sergio Morilla





[Leaf-user] PCAnywhere vs. LRP-CD ???

2001-07-03 Thread Michael D. Schleif


OK, we know how to open ports tcp 5631 and udp 5632, and we can connect
to PCAnywhere hosts behind LRP-CD -- from the Internet in general.

However, specifically, when site A is behind LRP-CD(A) and site B is
behind LRP-CD(B) and we are inside site B, we *cannot* connect to
PCAnywhere hosts inside site A.

What do you think?

-- 

Best Regards,

mds
mds resource
888.250.3987

"Dare to fix things before they break . . . "

"Our capacity for understanding is inversely proportional to how much we
think we know.  The more I know, the more I know I don't know . . . "




Re: [Leaf-user] OT: Question about hubs

2001-07-03 Thread Charles Steinkuehler

> pn] I've noticed when FTPing large files between two machines on the same
> subnet/hub, the collision light alternates between flickering and almost
> solid-on.  Is this normal and of any real concern?  Does it have anything to
> do with hub "quality?"

This has nothing to do with hub "quality", and everything to do with the
ethernet specification.  When running a hub, you will get collisions.  It's
just how ethernet works.  Since the hubs usually stretch the LED on time for
collisions & data (ie any data or collision turns the LED on for about .2
seconds), you will frequently see the LEDs stay on solid, even though
you're obviously not transmitting data or incurring collisions 100% of the
time.

> > Are they big files that should tax the network?  If so, you're probably
> > maxing out the network in which case it's "normal" and not a reason for
> > concern.  I've heard people target 5% collisions.  You can check each
> > machine's interface with ifconfig (or, I guess newer distros use ip): I
> > believe you divide the collisions by the bytes out.  If the error
> > rate seems high then maybe you have some trouble to worry about.
> >
> > As I understand it, you should be able to get about half the bandwidth.  A
> > 100 Mb connection will transfer 50*1000*1024/8 bytes per second (half the
> > 100 times a million bits divided by 8 bits per byte).  Are you
> > getting these kind of throughputs?
>
> pn] Well, I just ftp'ed on again to check.  It transferred a 639,453,184
> byte file in 132.83 seconds for 4814.11Kbytes/sec.  Isn't this only about
> 38.5Mb/sec?  This is with no other significant activity on the network.  Not
> that it's bad (overall), but I'm just wondering if it is normal or if it
> indicates a problem somewhere.

This looks pretty normal to me.

You generally won't saturate an ethernet connection with a single
machine-machine connection (think of the problems that would result if you
did).  I'd bet if you run multiple FTP connections between your two boxes at
the same time, you'll wind up with more aggregate bandwidth (ie each
connection will be a bit slower, but the total of all of them will be faster
than the 38.5 Mb/sec you see with one).  You'll also see more bandwidth used
if you add more than two machines to the network (up to a point, then
excessive collisions start to reduce the effective bandwidth, and it's time
to buy a switch).

If you really need to, you can probably tweak some TCP/IP parameters and get
a single FTP connection to come much closer to saturating your ethernet link
(somewhere around 70-80 Mb/sec, or roughly 2x what you're measuring),
assuming your CPU's, NIC's, and other infrastructure are not the bottleneck.
Doing this, however, could very well cause some other applications (like
telnet/ssh, which send small packets and want low latency) to perform worse.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)





Re: [Leaf-user] Serial port Console?

2001-07-03 Thread Charles Steinkuehler

> I was wondering if the kernel needs special configuration in order to boot
> up with a console on a serial port?

Yes, you need a 2.2 or newer kernel, with serial support compiled in (not as
a module).  You can then pass the kernel a parameter on boot, telling it to
use the serial port instead of a 'normal' VGA console.

> I'm planning on building a router with soekris.com's net4501 little SBC
> computer, but it doesn't have a VGA port, only a serial port. So the only
> way I can control it is via serial port console.
>
> Can someone help me with that?

As previously mentioned, see the serial how-to.  I'm not sure how linux
talks to the console, but if it uses standard BIOS calls, your SBC will
probably work as-is, since most SBC's with a serial port allow console
redirection in BIOS, replacing the KB/VGA with a serial port.  If your board
supports this, it's worth trying.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)





Re: [Leaf-user] IPSEC, VPN et al

2001-07-03 Thread Charles Steinkuehler

> I have two LRP (Eigerstein), one at work, one at the office.
> I would like to be able to connect my home W98 to my office network.
> So far I'm using ssh at both LRP so I can admin them remotely. So far so good!!
>
>    Home      ---------                    ---------      Office
>           ---| LRP 2 |---( internet )-----| LRP 1 |---
>    Network   ---------         |          ---------      Network
>                                |
>                           ----------
>                           | Remote |
>                           | Users  |
>                           ----------
>
> LRP 1 is an Eigerstein 2.2.16
> LRP 2 is an Eigerstein 2.2.16
> Remote users using any imaginable version of M$ OS
> Computers on Office Network are a mix of Netware and NT
>
> Now, there are some tasks I need to do at my office servers, so here are the
> questions.
> 1) Do I need to set up IPSEC on both machines in order to log in at my office NT
> Terminal Server? This is a computer behind LRP2 talking to a computer behind LRP1

You don't need IPSec at all to log into terminal server.  If you want the
terminal server data encrypted as it passes through the internet, you will
need IPSec (or some other VPN solution) on both ends.  You can run IPSec on
the LRP boxes, windows boxes, or wherever you want, as long as you're using
IPSec implementations that interoperate, and you've got one on each end.

> 2) If a remote user (connected to internet somewhere in the world) needs to
> access this Terminal Server, what software does he need? This is through LRP1

Obviously the Terminal Server client, and whatever VPN software you decide
you need, if any.  If you use IPSec, there are many clients available for
windows, but most cost money.

> 3) What will be the easiest way to accomplish this? My objective is to access
> the computers behind LRP1 with the minimal installation/configuration on
> travelling computers. So there are a lot fewer things a user can break.

Can't help you here...there are MANY different ways to set this up,
requiring different knowledge and expertise, different amounts of money
spent to purchase software, and many other factors.  You'll have to read up
on possible solutions and decide what makes sense for your particular
situation.

> 4) Some good reference on IPSEC, and other software needed will be VERY
> appreciated!!! How-TOs??

For linux IPSec, see the FreeS/WAN site www.freeswan.org.  There are many
example configurations and explanations.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)





Re: [Leaf-user] mailonerr does *not* work!

2001-07-03 Thread Charles Steinkuehler

> We've *not* been able to get mailonerr/moe.config to work (from Charles'
> website: ).
>
> root@bluetrout:/var/log
> # /usr/local/bin/mailonerr
> /usr/local/bin/mailonerr: 56: Syntax error: end of file unexpected
> (expecting "}")
>
> root@bluetrout:/var/log
> # /usr/local/bin/mailonerr moe.config
> /usr/local/bin/mailonerr: 56: Syntax error: end of file unexpected
> (expecting "}")
>
> It fails at this line:
>
> { su $su_usr -c "$cmd" } 2>$prefix.err 1>$prefix.out
>
> The command:
>
> su $su_usr -c "$cmd"
>
> works from the CLI; but, *fails* when called from this script.  Yes, of
> course, we have accounted for variable expansion . . .
>
> What do you think?

Hmm...barring a problem with the script itself (like DOS end-of-lines or
something when it got downloaded), I don't know what's wrong.  Verify the
script didn't get mangled, and if it looks OK, provide details on the system
you're running.  I did have to make some mods to moe when I migrated it to a
'full' linux system (a RH 7.0 system running bash).  I don't think this was
one of the problems I encountered, but it could have been...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)





Re: [Leaf-user] PCAnywhere vs. LRP-CD ???

2001-07-03 Thread Charles Steinkuehler

> OK, we know how to open ports tcp 5631 and udp 5632, and we can connect
> to PCAnywhere hosts behind LRP-CD -- from the Internet in general.
>
> However, specifically, when site A is behind LRP-CD(A) and site B is
> behind LRP-CD(B) and we are inside site B, we *cannot* connect to
> PCAnywhere hosts inside site A.
>
> What do you think?

Does PCAnywhere make other connections?  The behavior described would be
expected if the system behind LRP-CD(A) tried to make a TCP (or other)
connection to the system behind LRP-CD(B) after system (B) initiated the
session.

Check your firewall logs on both LRP-CD systems looking for denied packets.
I'd bet you're dropping some traffic PCAnywhere needs to function...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)





Re: [Leaf-user] mailonerr does *not* work!

2001-07-03 Thread Michael D. Schleif


Charles Steinkuehler wrote:
> 
> > We've *not* been able to get mailonerr/moe.config to work (from Charles'
> > website: ).
> >
> > root@bluetrout:/var/log
> > # /usr/local/bin/mailonerr
> > /usr/local/bin/mailonerr: 56: Syntax error: end of file unexpected
> > (expecting "}")
> >
> > root@bluetrout:/var/log
> > # /usr/local/bin/mailonerr moe.config
> > /usr/local/bin/mailonerr: 56: Syntax error: end of file unexpected
> > (expecting "}")
> >
> > It fails at this line:
> >
> > { su $su_usr -c "$cmd" } 2>$prefix.err 1>$prefix.out
> >
> > The command:
> >
> > su $su_usr -c "$cmd"
> >
> > works from the CLI; but, *fails* when called from this script.  Yes, of
> > course, we have accounted for variable expansion . . .
> >
> > What do you think?
> 
> Hmm...barring a problem with the script itself (like DOS end-of-lines or
> something when it got downloaded), I don't know what's wrong.  Verify the
> script didn't get mangled, and if it looks OK, provide details on the system
> you're running.  I did have to make some mods to moe when I migrated it to a
> 'full' linux system (a RH 7.0 system running bash).  I don't think this was
> one of the problems I encountered, but it could have been...

First, let me say that we're still struggling with mail server issues;
so, success on this issue probably does *not* require mail received ;<

Yes, we cleanse all scripts of the dreaded ^M, including this one.  If
there is some other mangling issue, we remain unaware . . .

I'm puzzled by the use of curly braces '{  }' in that line.  *Without*
the braces, we can call mailonerr from CLI _without_ error.

Once this issue is resolved, the next question is, How does LRP call
mailonerr?  Ought we to put it in some crontab file?

What do you think?

-- 

Best Regards,

mds
mds resource
888.250.3987

"Dare to fix things before they break . . . "

"Our capacity for understanding is inversely proportional to how much we
think we know.  The more I know, the more I know I don't know . . . "




Re: [Leaf-user] PCAnywhere vs. LRP-CD ???

2001-07-03 Thread Michael D. Schleif


Charles Steinkuehler wrote:
> 
> > OK, we know how to open ports tcp 5631 and udp 5632, and we can connect
> > to PCAnywhere hosts behind LRP-CD -- from the Internet in general.
> >
> > However, specifically, when site A is behind LRP-CD(A) and site B is
> > behind LRP-CD(B) and we are inside site B, we *cannot* connect to
> > PCAnywhere hosts inside site A.
> >
> > What do you think?
> 
> Does PCAnywhere make other connections?  The behavior described would be
> expected if the system behind LRP-CD(A) tried to make a TCP (or other)
> connection to the system behind LRP-CD(B) after system (B) initiated the
> session.
> 
> Check your firewall logs on both LRP-CD systems looking for denied packets.
> I'd bet you're dropping some traffic PCAnywhere needs to function...

Yes, our first thoughts also -- however, neither side has anything in
/var/log/kern.log . . .

Actually, we're hoping that somebody has experienced -- and resolved --
precisely this, because symantec's website is worthless when it comes to
troubleshooting ;<

Anybody tried VNC?

-- 

Best Regards,

mds
mds resource
888.250.3987

"Dare to fix things before they break . . . "

"Our capacity for understanding is inversely proportional to how much we
think we know.  The more I know, the more I know I don't know . . . "




Re: [Leaf-user] mailonerr does *not* work!

2001-07-03 Thread Michael D. Schleif


"Michael D. Schleif" wrote:
> 
> Charles Steinkuehler wrote:
> >
> > > We've *not* been able to get mailonerr/moe.config to work (from Charles'
> > > website: ).
> > >
> > > It fails at this line:
> > >
> > > { su $su_usr -c "$cmd" } 2>$prefix.err 1>$prefix.out
> > >
> > > The command:
> > >
> > > su $su_usr -c "$cmd"
> >
> > Hmm...barring a problem with the script itself (like DOS end-of-lines or
> > something when it got downloaded), I don't know what's wrong.  Verify the
> > script didn't get mangled, and if it looks OK, provide details on the system
> > you're running.  I did have to make some mods to moe when I migrated it to a
> > 'full' linux system (a RH 7.0 system running bash).  I don't think this was
> > one of the problems I encountered, but it could have been...
> 
> First, let me say that we're still struggling with mail server issues;
> so, success on this issue probably does *not* require mail received ;<
> 
> Yes, we cleanse all scripts of the dreaded ^M, including this one.  If
> there is some other mangling issue, we remain unaware . . .
> 
> I'm puzzled by the use of curly braces '{  }' in that line.  *Without*
> the braces, we can call mailonerr from CLI _without_ error.

In fact, removing the braces results in mail received!

What do you think?

-- 

Best Regards,

mds
mds resource
888.250.3987

"Dare to fix things before they break . . . "

"Our capacity for understanding is inversely proportional to how much we
think we know.  The more I know, the more I know I don't know . . . "




Re: [Leaf-user] PCAnywhere vs. LRP-CD ???

2001-07-03 Thread Charles Steinkuehler

> > Check your firewall logs on both LRP-CD systems looking for denied packets.
> > I'd bet you're dropping some traffic PCAnywhere needs to function...
>
> Yes, our first thoughts also -- however, neither side has anything in
> /var/log/kern.log . . .

Only packets actually flagged for logging show up here...make sure you check
the actual ipchains rules with "svi network ipfilter list", and look for
non-zero counts by any deny or reject rules...

> Actually, we're hoping that somebody has experienced -- and resolved --
> precisely this, because symantec's website is worthless when it comes to
> troubleshooting ;<

Sorry, I don't run PCAnywhere...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
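
Added example (not part of the original message): one way to pick out deny/reject rules with non-zero counters, the check suggested above, from a verbose rule listing. It assumes the `ipchains -L -n -v` column order (pkts, bytes, target, prot, opt, ...) and that an `l` in the opt column marks a logging rule; the listing is constructed sample data and `hit_drop_rules` / `sample_listing` are hypothetical helper names.

```shell
#!/bin/sh
# Added illustration: list DENY/REJECT rules whose packet counter is non-zero.
# Assumes the verbose ipchains listing layout, where each rule line starts
# with: pkts bytes target prot opt ...   (an assumption, check your output).

hit_drop_rules() {
    awk '
        $1 == "Chain" { chain = $2; next }   # remember which chain we are in
        $1 == "pkts"  { next }               # skip the column header line
        ($3 == "DENY" || $3 == "REJECT") && $1 != "0" {
            # Assumed: an "l" in the opt column means the rule also logs,
            # so "not-logged" hits never reach kern.log.
            logged = ($5 ~ /l/) ? "logged" : "not-logged"
            printf "%s %s %s pkts=%s %s\n", chain, $3, $4, $1, logged
        }
    '
}

# Constructed sample listing (not captured from a real system).
sample_listing() {
    cat <<'EOF'
Chain input (policy DENY: 0 packets, 0 bytes):
 pkts bytes target     prot opt    tosa tosx  ifname  mark  outsize  source      destination    ports
  412 31900 ACCEPT     tcp  ------ 0xFF 0x00  eth0                   0.0.0.0/0   192.0.2.10     * ->   5631
    0     0 ACCEPT     udp  ------ 0xFF 0x00  eth0                   0.0.0.0/0   192.0.2.10     * ->   5632
   37  2220 DENY       tcp  ------ 0xFF 0x00  eth0                   0.0.0.0/0   0.0.0.0/0      * ->   1024:65535
    0     0 DENY       udp  ----l- 0xFF 0x00  eth0                   0.0.0.0/0   0.0.0.0/0      * ->   137:139
Chain forward (policy DENY: 0 packets, 0 bytes):
 pkts bytes target     prot opt    tosa tosx  ifname  mark  outsize  source      destination    ports
    5   300 REJECT     all  ----l- 0xFF 0x00  eth1                   0.0.0.0/0   0.0.0.0/0      n/a
EOF
}

# Demo on the constructed listing; on a live box, pipe the real listing in.
sample_listing | hit_drop_rules
```

A rule reported as not-logged with a rising counter is dropping traffic that will never appear in /var/log/kern.log.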





Re: [Leaf-user] mailonerr does *not* work!

2001-07-03 Thread Charles Steinkuehler

> > Hmm...barring a problem with the script itself (like DOS end-of-lines or
> > something when it got downloaded), I don't know what's wrong.  Verify the
> > script didn't get mangled, and if it looks OK, provide details on the system
> > you're running.  I did have to make some mods to moe when I migrated it to a
> > 'full' linux system (a RH 7.0 system running bash).  I don't think this was
> > one of the problems I encountered, but it could have been...
>
> First, let me say that we're still struggling with mail server issues;
> so, success on this issue probably does *not* require mail received ;<
>
> Yes, we cleanse all scripts of the dreaded ^M, including this one.  If
> there is some other mangling issue, we remain unaware . . .
>
> I'm puzzled by the use of curly braces '{  }' in that line.  *Without*
> the braces, we can call mailonerr from CLI _without_ error.

IIRC, this was to get the redirects working properly...there are probably
several other ways to do this (as is typical in *nix).

> Once this issue is resolved, the next question is, How does LRP call
> mailonerr?  Ought we to put it in some crontab file?

I use mailonerr in my crontab file.  How you set it up depends on what you
want it to do...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
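
Added example (not part of the original thread, and not the mailonerr script): the 'expecting "}"' error quoted in this thread is what a POSIX shell reports when `}` directly follows a command's arguments, because `}` is only treated as a reserved word at the start of a command. The sketch shows the group form with a `;` before `}`, capturing stdout and stderr separately; `brace_parses`, `run_captured` and `report` are hypothetical names, and `sh -c` stands in for `su $su_usr -c` so it runs without root.

```shell
#!/bin/sh
# Added illustration for the brace-group line discussed in this thread.
# Not the mailonerr script; helper names are hypothetical, and `sh -c`
# stands in for `su $su_usr -c` so the example runs without root.

# Succeeds (0) if the shell can parse and run the snippet, fails otherwise.
brace_parses() {
    sh -c "$1" >/dev/null 2>&1
}

# Run a command string with stdout and stderr captured in separate files.
# The ';' before '}' ends the command list; without it '}' becomes one more
# argument to the command and the shell reads on to end of file looking
# for the real closing brace.
run_captured() {
    cmd=$1
    prefix=$2
    { sh -c "$cmd"; } 2>"$prefix.err" 1>"$prefix.out"
}

# Build a report with the same four sections as the e-mail quoted in the
# thread (Command, Exit Status, StdOut, ErrOut).
report() {
    status=0
    run_captured "$1" "$2" || status=$?
    printf 'Command:\n%s\n\nExit Status:\n%s\n\nStdOut:\n%s\n\nErrOut:\n%s\n' \
        "$1" "$status" "$(cat "$2.out")" "$(cat "$2.err")"
}

# Constructed demo input: the no-argument default command shown in the thread.
demo_dir=$(mktemp -d)
brace_parses '{ true } >/dev/null'  || echo "without ';': syntax error"
brace_parses '{ true; } >/dev/null' && echo "with ';': parses"
report 'echo No command defined! && exit 1' "$demo_dir/moe"
rm -rf "$demo_dir"
```

For a single command the redirections can also be attached directly with no group at all, which is consistent with the report in the thread that removing the braces works.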





Re: [Leaf-user] mailonerr does *not* work!

2001-07-03 Thread Charles Steinkuehler

> > First, let me say that we're still struggling with mail server issues;
> > so, success on this issue probably does *not* require mail received ;<
> >
> > Yes, we cleanse all scripts of the dreaded ^M, including this one.  If
> > there is some other mangling issue, we remain unaware . . .
> >
> > I'm puzzled by the use of curly braces '{  }' in that line.  *Without*
> > the braces, we can call mailonerr from CLI _without_ error.
>
> In fact, removing the braces results in mail received!
>
> What do you think?

Go with what works.  I'll have to take a look at what's actually happening.
Can you let me know what system you're running?  Is this on the LRP-CD
systems you've been talking about?  Have you made any updates or
modifications?

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)





RE: [Leaf-user] PCAnywhere vs. LRP-CD ???

2001-07-03 Thread Dan

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Michael D. Schleif
Sent: Tuesday, July 03, 2001 10:11 AM
To: [EMAIL PROTECTED]
Subject: Re: [Leaf-user] PCAnywhere vs. LRP-CD ???





>>Anybody tried VNC?

Yes.  I have tried VNC to both Windows and Linux machines thru my system
(also based on the LRP-CD scripts).  It works very well, but provides no
security on its own.  I'd like to hear others' comments on the best way to
configure external access to internal VNC hosts --- i.e., restricting
connections to specific hosts, ranges of host addresses, encrypting the VNC
session, etc.

Dan






Re: [Leaf-user] PCAnywhere vs. LRP-CD ???

2001-07-03 Thread Victor McAllister

According to http://www.tsmservices.com/masq/detailform.php3?104 older versions
of pcanywhere did use unregistered ports.  Shouldn't be a problem with > v 8

"Michael D. Schleif" wrote:

> Charles Steinkuehler wrote:
> >
> > > OK, we know how to open ports tcp 5631 and udp 5632, and we can connect
> > > to PCAnywhere hosts behind LRP-CD -- from the Internet in general.
> > >
> > > However, specifically, when site A is behind LRP-CD(A) and site B is
> > > behind LRP-CD(B) and we are inside site B, we *cannot* connect to
> > > PCAnywhere hosts inside site A.
> > >
> > > What do you think?
> >
> > Does PCAnywhere make other connections?  The behavior described would be
> > expected if the system behind LRP-CD(A) tried to make a TCP (or other)
> > connection to the system behind LRP-CD(B) after system (B) initiated the
> > session.
> >
> > Check your firewall logs on both LRP-CD systems looking for denied packets.
> > I'd bet you're dropping some traffic PCAnywhere needs to function...
>
> Yes, our first thoughts also -- however, neither side has anything in
> /var/log/kern.log . . .
>
> Actually, we're hoping that somebody has experienced -- and resolved --
> precisely this, because symantec's website is worthless when it comes to
> troubleshooting ;<
>
> Anybody tried VNC?

VNC works fine and can be tunneled through ssh.







Re: [Leaf-user] mailonerr does't work!

2001-07-03 Thread Michael D. Schleif


Charles Steinkuehler wrote:
> 
> > > First, let me say that we're still struggling with mail server issues;
> > > so, success on this issue probably does *not* require mail received ;<
> > >
> > > Yes, we cleanse all scripts of the dreaded ^M, including this one.  If
> > > there is some other mangling issue, we remain unaware . . .
> > >
> > > I'm puzzled by the use of curly braces '{  }' in that line.  *Without*
> > > the braces, we can call mailonerr from CLI _without_ error.
> >
> > In fact, removing the braces results in mail received!
> >
> > What do you think?
> 
> Go with what works.  I'll have to take a look at what's actually happening.
> Can you let me know what system you're running?  Is this on the LRP-CD
> systems you've been talking about?  Have you made any updates or
> modifications?

Yes, LRP-CD.

No, no modifications to the kernel, &c.  However, we are using several
of your utilities, like mailonerr; as well as, optimizing several
configuration files . . .

We were not sure how this modification would handle error conditions;
but, calling /usr/local/bin/mailonerr *without* any argument (e.g., sans
moe.config) results in this Email:

Tue Jul  3 10:58:07 CDT 2001

Command:
echo No command defined! && exit 1

Exit Status:
1

StdOut:
No command defined!

ErrOut:



Is that right?

-- 

Best Regards,

mds
mds resource
888.250.3987

"Dare to fix things before they break . . . "

"Our capacity for understanding is inversely proportional to how much we
think we know.  The more I know, the more I know I don't know . . . "




RE: [Leaf-user] OT: Question about hubs

2001-07-03 Thread Peter Nosko

pn] Thanks to all that replied.  I'm happy with my transfer speed (a whole
CD in just over 2 minutes), but was just wondering what the deal was with a
constant collision light.  Charles' explanation that the LED is on longer
than the amount of time for an actual collision makes perfect sense (I wish I
would've realized this myself!).

---
Peter Nosko







Re: [Leaf-user] mailonerr does't work!

2001-07-03 Thread Charles Steinkuehler

> We were not sure how this modification would handle error conditions;
> but, calling /usr/local/bin/mailonerr *without* any argument (e.g., sans
> moe.config) results in this Email:
>
> Tue Jul  3 10:58:07 CDT 2001
>
> Command:
> echo No command defined! && exit 1
>
> Exit Status:
> 1
>
> StdOut:
> No command defined!
>
> ErrOut:
>
>
>
> Is that right?

It looks right.  You might watch and make sure that err out shows up (I
don't think the default generates any err out), but otherwise everything
looks good.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)





[Leaf-user] (no subject)

2001-07-03 Thread Scott C. Best

Michael:

Have you given echowall a try? It supports both
PC-Anywhere and VNC pretty easily. I ask because it sounds
like you've got the right firewall rules (ports 5631:5632,
both tcp and udp) but maybe not the right port-forwarding 
rules?
Worth asking...

-Scott

PS: BTW, VNC is much easier than PC-Anywhere for these 
things. One TCP port, good with SSH tunnels, nicer 
price too. :)


> > > OK, we know how to open ports tcp 5631 and udp 5632, and we can connect
> > > to PCAnywhere hosts behind LRP-CD -- from the Internet in general.
> > >
> > > However, specifically, when site A is behind LRP-CD(A) and site B is
> > > behind LRP-CD(B) and we are inside site B, we *cannot* connect to
> > > PCAnywhere hosts inside site A.
> > >
> > > What do you think?
> > 
> > Does PCAnywhere make other connections?  The behavior described would be
> > expected if the system behind LRP-CD(A) tried to make a TCP (or other)
> > connection to the system behind LRP-CD(B) after system (B) initiated the
> > session.
> > 
> > Check your firewall logs on both LRP-CD systems looking for denied packets.
> > I'd bet you're dropping some traffic PCAnywhere needs to function...
> 
> Yes, our first thoughts also -- however, neither side has anything in
> /var/log/kern.log . . .
> 
> Actually, we're hoping that somebody has experienced -- and resolved --
> precisely this, because symantec's website is worthless when it comes to
> troubleshooting ;<
> 
> Anybody tried VNC?







RE: [Leaf-user] IPSEC, VPN et al

2001-07-03 Thread smorilla

Thanks Charles.

Some more questions.

I don't want anyone accessing my servers without an encrypted connection.
So as you said I will need IPSec or other VPN solution on my office LRP.

1) What components do I need? I understand freeswan is an IPSec "daemon", is this
true? So, will I need client software? Can I use plain W98 to access through an
IPSec LRP?

2) What protocol does M$ VPN use? I would like my remote users to access my
Terminal Server using just the Terminal Server software and out of the box M$
software. Is this possible?

3) In order to have a "static or permanent encrypted" (sorry about the terms)
connection between two LRPs, I would need IPSec on both of them. Is this
practical, doable?? Hints please.

4) Is there some easier way to do this??? Am I on track??

Thanks

Sergio Morilla

>  -Original Message-
> From:   [EMAIL PROTECTED]
> Sent:   Tuesday, July 03, 2001 11:27
> To:     [EMAIL PROTECTED]
> Subject:   Re: [Leaf-user] IPSEC, VPN et al
> 
> > I have two LRP (Eigerstein), one at work, one at the office.
> > I would like to be able to connect my home W98 to my office network.
> > So far I'm using ssh at both LRP so I can admin them remotely. So far so
> > good!!
> >
> >    Home                                              Office
> >   Network ---| LRP 2 |---( internet )---| LRP 1 |--- Network
> >                               |
> >                               |
> >                           ----------
> >                           | Remote |
> >                           | Users  |
> >                           ----------
> >
> > LRP 1 is an Eigerstein 2.2.16
> > LRP 2 is an Eigerstein 2.2.16
> > Remote users using any imaginable version of M$ OS
> > Computers on Office Network are a mix of Netware and NT
> >
> > Now, there are some tasks I need to do at my office servers, so here are
> > the questions.
> > 1) Do I need to set up IPSEC on both machines in order to log in at my
> > office NT Terminal Server? This is a computer
> > behind LRP2 talking to a computer behind LRP1
> 
> You don't need IPSec at all to log into terminal server.  If you want the
> terminal server data encrypted as it passes through the internet, you will
> need IPSec (or some other VPN solution) on both ends.  You can run IPSec on
> the LRP boxes, windows boxes, or wherever you want, as long as you're using
> IPSec implementations that interoperate, and you've got one on each end.
> 
> > 2) If a remote user (connected to internet somewhere on the world) needs
> > to access this Terminal Server, what software does he need? This is
> > through LRP1
> 
> Obviously the Terminal Server client, and whatever VPN software you decide
> you need, if any.  If you use IPSec, there are many clients available for
> windows, but most cost money.
> 
> > 3) What will be the easiest way to accomplish this? My objective is to
> > access the computers behind LRP1 with the minimal
> > installation/configuration on travelling computers. So there are a lot
> > fewer things a user can break.
> 
> Can't help you here...there are MANY different ways to set this up,
> requiring different knowledge and expertise, different amounts of money
> spent to purchase software, and many other factors.  You'll have to read up
> on possible solutions and decide what makes sense for your particular
> situation.
> 
> > 4) Some good reference on IPSEC, and other software needed will be VERY
> > appreciated!!! How-TOs??
> 
> For linux IPSec, see the FreeS/WAN site www.freeswan.org  There are many
> example configurations and explanations.
> 
> Charles Steinkuehler
> http://lrp.steinkuehler.net
> http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
> 
> 
> 
> 





Re: [Leaf-user] IPSEC, VPN et al

2001-07-03 Thread Charles Steinkuehler

> I don't want anyone accessing my servers without an encrypted connection.
> So as you said I will need IPSec or other VPN solution on my office LRP.
>
> 1) What components do I need? I understand freeswan is an IPSec "daemon",
> is this true? So, will I need client software? Can I use plain W98 to
> access through an IPSec LRP?

The components you need depend on the VPN solution you choose, which can be
anything from a small VPN gateway box (hardware) to configuration settings
(of your high-end cisco pix w/IPSec support) to software packages.

Regarding IPSec: It's a common mis-conception to think of a 'server' and
'client', when in reality, they are peers.  You create an IPSec connection
with IPSec software on both ends...neither end is the 'client'.  That said,
the FreeS/WAN IPSec software runs as a background process (like a daemon),
and can be configured to listen for inbound connection requests, as well as
attempting to bring up default connections when it starts.

Once you build a VPN (using whatever method you desire), it looks like just
another route to the machines using the tunnel.  My machines think they are
one router hop away from the corporate HQ network, although they are really
going through about 14 hops on the internet.  Since the packets are
encrypted & sent through the VPN tunnel, the remote & local IPSec gateway
look like they are connected by a dedicated wire to my secure traffic.

> 2) What protocol does M$ VPN use? I would like my remote users to access
> my Terminal Server using just the Terminal Server software and out of the
> box M$ software. Is this possible?

There are a couple forms of M$ VPN, PPTP and IPSec.  You want to stay away
from PPTP if you're at all concerned with security.  While it's a bit harder
to sniff PPTP traffic than data sent in the clear, your average high-school
student with a late-model 'gamer' machine could crack the security in about
a day.  In addition to the M$ IPSec software built into windows 2K, there
are many after-market IPSec solutions available.  If you mainly need to hook
windows machines, or especially windows notebooks calling 'home' from random
locations on the internet, you may want to pursue a windows based software
solution (at least for the 'road-warrior' systems).

> 3) In order to have a "static or permanent encrypted" (sorry about the
> terms) connection between two LRPs, I would need IPSec on both of them.
> Is this practical, doable?? Hints please.

This is the sort of VPN I run.  I have LRP boxes at both sites, IPSec is
loaded on both machines, and they are configured to build a tunnel between
the two protected internal networks when IPSec starts (on either box).  This
is the easiest way to configure and use the FreeS/WAN IPSec software.

NOTE:  Since windows likes for all machines to be in the same broadcast
domain, setting up a 'static' VPN like this still doesn't let windows
machines 'browse' the entire network.  To do this, you have to configure
your windows networking like it's crossing a router (which it is).  This can
be done using Samba, or by putting at least one properly configured NT
server on each subnet.  Using NT servers, only domains can cross the subnet
boundary.  With Samba, you can get workgroups to browse across the subnet
boundary as well.

> 4) Is there some easier way to do this??? Am I on track??

I think you're generally on the right track, but you'll have to determine
which VPN solution is 'easiest' for you to implement...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)





Re: [Leaf-user] Need firewall design advice

2001-07-03 Thread Michael D. Schleif


"Michael D. Schleif" wrote:
> 
> We have a network of (64) public addresses connected to the Internet via
> DSL modem.
> 
> This network consists of wintels and macs, and management of each is by
> different groups.  Other than the Netopia DSL router, everything inside
> this network is 100% switched.  Management insists that any user must be
> able to plug in anywhere on the network, regardless of platform -- so,
> we cannot divide platforms or systems by different switches.  Two (2) of
> the wintels require remote (internet) PC Anywhere access.  All of the
> macs require remote (internet) access via Timbuktu (tcp 407) and
> Retrospect remote backup (tcp/udp 497).
> 
> The environment is growing and constantly in flux.  Currently, there are
> a couple free IP addresses; but, keeping track of which are in use or
> free is nearly impossible!  Clearly, that is what DHCP is for ;>
> 
> We tried putting LRP-CD into this network, using eth1 for a MASQ'd,
> DHCP'd, private network and a public DMZ on eth2 for those that require
> remote access.  Unfortunately, broadcasts from eth1 are broadcast to
> eth2 by the switches, and vice versa, all of which are seen as
> martians!?!?
> 
> It appears to us that this martian overhead is excessive and probably
> not a good network design ;<
> 
> Is there a way to port forward on a given port (e.g., 407 *OR* 497) to a
> _group_ of systems?  That way, we could assign private addresses to
> everything, and never worry about running out of public addresses . . .
> 
> What other designs/solutions ought we to consider?
> 
> What do you think?

One thing we noticed in /etc/network.conf:

# One (or more) Internal network(s):
#
# INTERN_NET="192.168.1.0/24 192.168.2.0/24 192.168.4.0/24"

How does this work with *multiple* networks?

Could we use something like this on eth1?

INTERN_NET="192.168.1.0/24 pu.bl.ic.0/26"

Then, run DHCP on the private segment and statically assign addresses,
as required, to the public segment?

How would we set the value of MASQ_SWITCH ???

What else need we consider, to put two (2) or more networks on one (1)
interface?

What do you think?

-- 

Best Regards,

mds
mds resource
888.250.3987

"Dare to fix things before they break . . . "

"Our capacity for understanding is inversely proportional to how much we
think we know.  The more I know, the more I know I don't know . . . "




[Leaf-user] LEAF/LRP & VNC ???

2001-07-03 Thread Michael D. Schleif


We are investigating using VNC, instead of PCAnywhere and that ilk, for
remote system access and management.

By itself, VNC has little or no security; however, look at this link:


We have been using Putty, for quite awhile, from wintel boxen.  It works
very well with LEAF/LRP.

Has anybody successfully tunneled VNC through SSH on LEAF/LRP?

Have you been able to pass required port arguments to Putty?

We are very interested in all experiences, in this regard . . .

-- 

Best Regards,

mds
mds resource
888.250.3987

"Dare to fix things before they break . . . "

"Our capacity for understanding is inversely proportional to how much we
think we know.  The more I know, the more I know I don't know . . . "




RE: [Leaf-user] IPSEC, VPN et al

2001-07-03 Thread smorilla

Charles,

Thanks for the feedback!!!

I will start experimenting with freeswan and look around for a cheap (and
secure) way to handle my road warriors!!

Sergio Morilla




[Leaf-user] modules.conf

2001-07-03 Thread Kim Oppalfens

Hi listmembers,


I am looking for the file that would replace the modules.conf file of
a normal complete linux distribution in Eigerstein beta 2

Kim
-- Kim Oppalfens, [EMAIL PROTECTED] on 03/07/2001





[Leaf-user] Re:

2001-07-03 Thread Kenneth Hadley

http://leaf.sourceforge.net/devel/khadley/
where there is a copy available, let me know what kind of results you get

though most sites will top you off at 100 odd kps a sec...and I've found the
best way to saturate a DSL connection is to use multiple machines behind your
LEAF box downloading from multiple sites. One client with a couple of
downloads going won't saturate a line (or give you an accurate enough idea
about your firewall's speed)

- Original Message -
From: "Kevin" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, July 03, 2001 1:17 PM


> can you e-mail me the top.lrp program to test?
>
> I am using a Pentium I with 75 mhz cpu and 32 meg of ram with ISA cards on
> a DSL line
>
> Most of the time on large downloads from fast sites, will sustain 125-150
> speed on the download
>
>
>
> Message: 12
> From: "Kenneth Hadley" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Subject: Re: [Leaf-user] Re: LRP PPPoE
> Date: Fri, 29 Jun 2001 09:17:42 -0700
> Reply-To: [EMAIL PROTECTED]
>
> with top
> I will send you a top.lrp package if you wish to test your CPU usage..my
> tests are subjective until I get more data
>
>
> 
> Kenneth Hadley
> PC / Network Specialist
> McCormick Selph Inc.
> [EMAIL PROTECTED]
>
>







[Leaf-user] Help with DNS error logs on Eiger2Beta with PPPoP

2001-07-03 Thread Kevin

I need some help in not logging the following DNS error types:

Packet log: input DENY ppp0 PROTO=6 64.37.200.46:41613 66.20.176.251:53 L=44
S=0x00 I=0 F=0x T=242 (#42)

I am using the Eiger2beta with PPPoP from Ken on a two floppy disk set-up.

I have a dsncache.lrp module running and have three IP's for the DNS servers
to ensure these all find a way home.

from /etc/network.conf
DNS0=192.168.1.254
DNS1=205.152.0.20
DNS2=205.152.0.5

What else is needed to help?






[Leaf-user] LRP-CD, mailonerr & weird Email behavior ???

2001-07-03 Thread Michael D. Schleif


OK, that other problem about curly braces and mailonerr is considered
fixed.

Now, when I receive Email generated by mailonerr/moe.config, the _From:_
address is strangely formed:

Full headers from received message:

Return-Path:
<[EMAIL PROTECTED]>
Received:   from 207.155.183.72 (thejenkinsgroup.com [64.120.86.68]) by
[216.234.189.108] (8.10.2/8.10.2) with SMTP id f63L1Lk01913 for
<[EMAIL PROTECTED]>; Tue, 3 Jul 2001 15:01:22 -0600
Message-ID:
<[EMAIL PROTECTED]>
Received:   from bluetrout.LRP-CD_domain.net ([64.135.66.2]) by
207.155.183.72; Tue, 03 Jul 2001 16:01:01 -0500
Date:   Tue, 3 Jul 2001 16:01:01 -0500
From:   [EMAIL PROTECTED]
Subject:Important message from LRP
To: [EMAIL PROTECTED]
X-Mozilla-Status:   8005
X-Mozilla-Status2:  
X-UIDL: Xg*#!$E'"!F/c!!]4W!!


lrp.conf:

lrp_MAIL_SERVER="my_working_smtp_server.com"
lrp_MAIL_ADMIN="[EMAIL PROTECTED]"


moe.config:

su_usr=root
mailto="[EMAIL PROTECTED]"


Notice, the From: and Return-Path: headers!

From what I know about sendmail, they _should_ be:

Return-Path:<[EMAIL PROTECTED]>
From:   [EMAIL PROTECTED]


I also know that our local GroupWise server will *not* route Email from
our LRP-CD, claiming that helices.org server is down ;<

"my_working_smtp_server.com" is also a  GroupWise server; but,
for some reason, it routes the Email -- in this fashion.

Notice, that I have substituted real names with bogus substitutes. 
Please, don't pull out RFC's about underscores, dashes, &c.  Outside of
LRP-CD, all of these Email servers and addresses work properly and as
expected . . .

What is going on here?  How can this be rectified?

What do you think?

-- 

Best Regards,

mds
mds resource
888.250.3987

"Dare to fix things before they break . . . "

"Our capacity for understanding is inversely proportional to how much we
think we know.  The more I know, the more I know I don't know . . . "




Re: [Leaf-user] FTP package

2001-07-03 Thread David Douthitt

[EMAIL PROTECTED] wrote:

> I'm using Eigerstein at home and want to add a FTP daemon at it.
> Does anyone know of a "up to date" FTP package??

I've been attempting to maintain proftpd; I may have a glibc 2.0 version
around here somewhere.  The tendency of sources these days is to be
incompatible with glibc 2.0 - we'll see.  In any case, the Oxygen
Networking Disk should have one, as should the Oxygen packages
directory:

http://leaf.sourceforge.net/pub/oxygen/packages/

http://leaf.sourceforge.net

> I would like to setup a host to compile packages. What is the "minimum"
> configuration for such a host. Performance is not an issue, my main concern is
> disk space and memory.

Simple answer: use any Linux distribution based on glibc 2.0; I've had
good operations with Debian 2.1, Red Hat 5.2, and Mandrake 5.3.

> I've downloaded debian 2.1.r4. Is there a minimal configuration in order to
> compile LRP packages??

Not really - make sure you have gcc and the *-devel packages as
necessary.

> I know I need some patches to compile for LRP, where can I get them?

Oxygen/LRP Resource CDROM has them.

> Where can I get some sort of How-To?

http://leaf.sourceforge.net

Look for the Guides under Documentation: the LRP Developer's Guide is
there.




Re: [Leaf-user] PCAnywhere vs. LRP-CD ???

2001-07-03 Thread Michael D. Schleif


Charles Steinkuehler wrote:
> 
> > > Check your firewall logs on both LRP-CD systems looking for denied
> > > packets.
> > > I'd bet you're dropping some traffic PCAnywhere needs to function...
> >
> > Yes, our first thoughts also -- however, neither side has anything in
> > /var/log/kern.log . . .
> 
> Only packets actually flagged for logging show up here...make sure you check
> the actual ipchains rules with "svi network ipfilter list", and look for
> non-zero counts by any deny or reject rules...

OK, I understand that not all DENY/REJECT/RETURN's are logged.

Neither do I see any packet/byte quantities next to any
DENY/REJECT/RETURN line that does not also sport the log flag.

Let's recap:

OK:   wintel(A) -> PCAnywhere -> Internet -> LRP-CD(B) -> wintel(B)

NOT:   wintel(A) -> PCAnywhere -> LRP-CD(A) -> Internet -> LRP-CD(B) ->
wintel(B)

So, it appears that there is something other than ports tcp 5631 and udp
5632 required -- on the connector's side -- to establish connection.

Since nobody, apparently, has direct experience, we remain open to other
guesses and recommendations . . .

-- 

Best Regards,

mds
mds resource
888.250.3987

"Dare to fix things before they break . . . "

"Our capacity for understanding is inversely proportional to how much we
think we know.  The more I know, the more I know I don't know . . . "




Re: [Leaf-user] LRP-CD, mailonerr & weird Email behavior ???

2001-07-03 Thread Charles Steinkuehler

> OK, that other problem about curly braces and mailonerr is considered
> fixed.
>
> Now, when I receive Email generated by mailonerr/moe.config, the _From:_
> address is strangely formed:
>
> Full headers from received message:
>
> Return-Path:
> <[EMAIL PROTECTED]>
> Received: from 207.155.183.72 (thejenkinsgroup.com [64.120.86.68]) by
> [216.234.189.108] (8.10.2/8.10.2) with SMTP id f63L1Lk01913 for
> <[EMAIL PROTECTED]>; Tue, 3 Jul 2001 15:01:22 -0600
> Message-ID:
> <[EMAIL PROTECTED]>
> Received: from bluetrout.LRP-CD_domain.net ([64.135.66.2]) by
> 207.155.183.72; Tue, 03 Jul 2001 16:01:01 -0500
> Date: Tue, 3 Jul 2001 16:01:01 -0500
> From: [EMAIL PROTECTED]
> Subject: Important message from LRP
> To: [EMAIL PROTECTED]
> X-Mozilla-Status: 8005
> X-Mozilla-Status2: 
> X-UIDL: Xg*#!$E'"!F/c!!]4W!!
>
>
> lrp.conf:
>
> lrp_MAIL_SERVER="my_working_smtp_server.com"
> lrp_MAIL_ADMIN="[EMAIL PROTECTED]"
>
> moe.config:
>
> su_usr=root
> mailto="[EMAIL PROTECTED]"
>
>
> Notice, the From: and Return-Path: headers!
>
> From what I know about sendmail, they _should_ be:
>
> Return-Path: <[EMAIL PROTECTED]>
> From: [EMAIL PROTECTED]
>
>
> I also know that our local GroupWise server will *not* route Email from
> our LRP-CD, claiming that helices.org server is down ;<
>
> "my_working_smtp_server.com" is also a  GroupWise server; but,
> for some reason, it routes the Email -- in this fashion.
>
> Notice, that I have substituted real names with bogus substitutes.
> Please, don't pull out RFC's about underscores, dashes, &c.  Outside of
> LRP-CD, all of these Email servers and addresses work properly and as
> expected . . .
>
> What is going on here?  How can this be rectified?

Are you sure your smtp server is working *properly*?  It looks like it's
doing header mangling...adding helices_pop_server_domain.com to the end of
your e-mail headers.  The mail command on LRP uses your default FQDN to
create the headers, so they should be of the form:

From: @

You can see what LRP thinks your hostname is by running "hostname -f".  This
is what should be after the "@" if you haven't modified anything.  You can
override the FQDN setting using either the lrp_MAIL_DOMAIN setting in
lrp.conf or the -d switch to the mail command.

If the above looks correct, and you refuse to believe your mail server is
causing problems, you can uncomment the debugging output of the mail
command.  Find the following line in the mail procedure and remove the
leading #:

#  eecho "$state: $nrep $line"

This will cause the mail script to dump its conversation with your smtp
server to err out.  You should be able to see if it's sending the correct or
bogus From: and Reply-to: headers.  This will at least tell you for sure if
your LRP system is broken, or if there's something wacky with your smtp
server config...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)





Re: [Leaf-user] PCAnywhere vs. LRP-CD ???

2001-07-03 Thread David Douthitt

Dan wrote:

> > Anybody tried VNC?
> 
> Yes.  I have tried VNC to both Windows and Linux machines thru my system
> (also based on the LRP-CD scripts).  It works very well, but provides no
> security on its own.  I'd like to hear other's comments on the best way to
> configure external access to internal VNC hosts --- i.e., restricting
> connections to specific hosts, ranges of host addresses, encrypting the VNC
> session, etc.

The standard method is to encrypt using SSH.  VNC uses ports 5900 (:0),
5901 (:1), 5902 (:2), and so forth.  The web browser/java version uses
5800, 5801, etc.

Just use ssh to tunnel the protocol across.  One important thing though:
in using ssh over a modem, use compression (-c) and if using a UNIX
client with compression and port forwarding from the local host, tell
VNC to use hextile encoding, or it will send much more data than
necessary.

The details are at the main VNC web site - and well explained.

I use VNC daily; puts a UNIX desktop right over the top of my NT
desktop...

___
Leaf-user mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-user
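
An added example, not part of the post above or of the LEAF project: the SSH port forward for a VNC display, using the 5900+N port rule from the post, plus a check over `netstat -ltn` style output for VNC listeners still bound to a non-loopback address. The host names, addresses and sample netstat lines are constructed placeholders.

```shell
#!/bin/sh
# Added example: build an SSH local port forward for a VNC display and
# check that no VNC listener is reachable from outside loopback.

# vnc_port DISPLAY -> RFB TCP port (5900 + display number).
vnc_port() {
    case "$1" in
        ''|*[!0-9]*|0?*)
            echo "display must be a plain non-negative integer" >&2
            return 1 ;;
    esac
    [ "$1" -le 99 ] || { echo "display out of range (0-99)" >&2; return 1; }
    echo $((5900 + $1))
}

# tunnel_cmd DISPLAY GATEWAY [VNCHOST]
# Prints the ssh command instead of running it, so it can be reviewed first.
#   -C  enables compression (OpenSSH; lower-case -c selects a cipher)
#   -N  opens the forward without starting a remote shell
#   -L  binds the local end to 127.0.0.1 so only this machine can use it
# VNCHOST is the address of the VNC server as seen from the gateway.
tunnel_cmd() {
    port=$(vnc_port "$1") || return 1
    gateway=$2
    target=${3:-127.0.0.1}
    [ -n "$gateway" ] || { echo "gateway required" >&2; return 1; }
    echo "ssh -C -N -L 127.0.0.1:${port}:${target}:${port} ${gateway}"
}

# exposed_vnc_listeners: reads `netstat -ltn` style lines on stdin and prints
# every local address listening on 58xx/59xx that is not bound to loopback.
# Once all access goes through the tunnel, this should print nothing on the
# gateway, and the firewall no longer needs to forward those ports.
exposed_vnc_listeners() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" {
        addr = $4
        n = split(addr, parts, ":")
        port = parts[n]
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (port ~ /^5[89][0-9][0-9]$/ && host != "127.0.0.1" && host != "::1")
            print addr
    }'
}

# Constructed sample input (not captured from a real host).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:5901          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5902            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::5801                 :::*                    LISTEN'

# Demo with hypothetical names: display :1 on 192.168.1.20 behind the gateway.
tunnel_cmd 1 admin@gw.example.net 192.168.1.20
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_vnc_listeners
```

With the tunnel up, the VNC viewer connects to `localhost:1` rather than to the remote address.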



Re: [Leaf-user] PCAnywhere vs. LRP-CD ???

2001-07-03 Thread David Douthitt

"Michael D. Schleif" wrote:

> Let's recap:
> 
> OK:   wintel(A) -> PCAnywhere -> Internet -> LRP-CD(B) -> wintel(B)
> 
> NOT:   wintel(A) -> PCAnywhere -> LRP-CD(A) -> Internet -> LRP-CD(B) ->
> wintel(B)
> 
> So, it appears that there is something other than ports tcp 5631 and udp
> 5632 required -- on the connector's side -- to establish connection.
> 
> Since nobody, apparently, has direct experience, we remain open to other
> guesses and recommendations . . .

Always, always: get tcpdump and watch the traffic.  Let me ramble a bit
here:

1. PCA host: -> Remote Firewall -> Remote (works)
 so: this remote firewall accepts connections to a port (5631 and
5632?) on the Remote, and allows responses back.

2. PCA host -> Local Firewall -> Remote Firewall (fails)
 given: Remote Firewall is unchanged from #1
 so we can resolve: 1) Remote Firewall is not defective.

 now look at the Local firewall.  Are the ports open on it?  And
does it allow responses?

I'd use tcpdump on both sides and see what is going on.  Also check DNS:
if you wait 3 minutes (60 seconds x 3!) and it works, then DNS is
probably failing.

For a tcpdump command, try this:

tcpdump -s 1024 port 5631 or port 5632 or port 53

...or perhaps...

tcpdump -s 1024 host pcahost.myhome.whatever.local

Try this both inside the firewall and outside, using the "-i "
option.  I like to use two virtual terms (switching with Alt-F1 Alt-F2
etc) and use one on one side and the other on the other side: then you
can flip back and forth and see what is happening.

Don't forget to use the right host if you use the "host" form:
masquerading changes the host you want to track in the packet...

Another thing I like to do is rules like the following (going from
memory) - using you as an example:

ipchains -I input -p tcp -s 0/0 -d 0/0 5631 -l -b
ipchains -I output -p tcp -s 0/0 -d 0/0 5631 -l -b

(warning: I don't use -b much...)

Note the absence of a -j option: this is a "match" only and the packet
continues on down the chain without alteration or other effect.  Using
-I (input) puts the chain at the top.  I'm sure I missed syntax slightly
(is there a line number with -I?) but you get the idea I'm trying to get
across.

___
Leaf-user mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-user
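
An added example, not from the thread or the LEAF project: a shell/awk summary of ipchains `Packet log:` lines in the layout quoted in the DNS error-log post earlier on this page, which also applies to what the `-l` rules above write to the kernel log. The sample lines and addresses are constructed, and the `-` action shown for a rule without `-j` is an assumption.

```shell
#!/bin/sh
# Added example: summarise ipchains "Packet log:" lines so that noisy
# categories (for example inbound TCP to port 53) stand out before deciding
# which deny rules should log and which should not.
#
# Layout after the syslog prefix:
#   Packet log: CHAIN ACTION IFACE PROTO=n SRC:SPORT DST:DPORT L= S= I= F= T= (#rule)

# summarise_packet_log: reads log lines on stdin, prints
#   COUNT CHAIN ACTION PROTOCOL DPORT
# sorted by count (highest first). Lines that are not packet logs are skipped.
summarise_packet_log() {
    awk '
    {
        for (i = 1; i < NF; i++)
            if ($i == "Packet" && $(i + 1) == "log:") break
        if (i >= NF) next                       # not an ipchains log line
        chain = $(i + 2); action = $(i + 3)
        proto = $(i + 5); sub(/^PROTO=/, "", proto)
        if (proto == "6") pname = "tcp"
        else if (proto == "17") pname = "udp"
        else if (proto == "1") pname = "icmp"
        else pname = "proto" proto
        dport = "-"                             # only tcp/udp carry a port
        if ((pname == "tcp" || pname == "udp") && split($(i + 7), d, ":") == 2)
            dport = d[2]
        count[chain " " action " " pname " " dport]++
    }
    END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# denied_sources PROTO_NUMBER DPORT: distinct source addresses whose packets
# were logged as DENY towards that destination port.
denied_sources() {
    awk -v p="PROTO=$1" -v dp="$2" '
    {
        for (i = 1; i < NF; i++)
            if ($i == "Packet" && $(i + 1) == "log:") break
        if (i >= NF || $(i + 3) != "DENY" || $(i + 5) != p) next
        if (split($(i + 7), d, ":") != 2 || d[2] != dp) next
        split($(i + 6), s, ":")
        print s[1]
    }' | LC_ALL=C sort -u
}

# Constructed sample log (documentation addresses, not real traffic).
# The last line imitates a match-only rule with -l and no -j; the "-" in the
# action column is assumed.
SAMPLE_LOG='Jul  3 16:01:01 fw kernel: Packet log: input DENY ppp0 PROTO=6 192.0.2.10:41613 198.51.100.5:53 L=44 S=0x00 I=0 F=0x0000 T=242 (#42)
Jul  3 16:01:07 fw kernel: Packet log: input DENY ppp0 PROTO=6 192.0.2.11:41700 198.51.100.5:53 L=44 S=0x00 I=0 F=0x0000 T=241 (#42)
Jul  3 16:02:13 fw kernel: Packet log: input DENY ppp0 PROTO=17 192.0.2.12:137 198.51.100.5:137 L=78 S=0x00 I=511 F=0x0000 T=110 (#42)
Jul  3 16:02:40 fw pppd[210]: sent [LCP EchoReq id=0x1 magic=0x0]
Jul  3 16:03:02 fw kernel: Packet log: input - eth1 PROTO=6 192.168.1.20:1044 203.0.113.9:5631 L=48 S=0x00 I=900 F=0x4000 T=128 (#1)'

printf '%s\n' "$SAMPLE_LOG" | summarise_packet_log
printf '%s\n' "$SAMPLE_LOG" | denied_sources 6 53
```

On a live box the input would be the kernel log file instead of the sample, for example `summarise_packet_log < /var/log/kern.log`.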



[Leaf-user] PPPd & LCP Conf-Req Time-outs.

2001-07-03 Thread Daniel Hoffman

I'm using an older computer as a Linux Router Project box
(www.linuxrouter.org) to share my dial-up connection across my small home
LAN.
I've got a 3Com/USR external faxmodem and an internal 3com NIC.
I've gone through configuration hell, but I've got it working. It actually
works, packets are forwarded across the network just beautifully. You'd
think there's no problem at all, everything runs perfectly.
Then, at seemingly random and unconnected intervals, say, if I don't use the
LRP box for a few days, then fire it up, dial up, stay on for a few hours,
get disconnected, reconnect, get disconnected again (not the most reliable
ISP), then try to redial, it won't work. Not then, not for a while. Getting
it to work again is the really interesting part. I've tried tinkering with
every option on there--to no avail. Logs and all are below, so you can see
exactly what's happening--the peer doesn't respond when a LCP Conf Req is
sent out, which normally it Ack's just fine.
The funny thing that I've discovered is that it WILL work if I switch the
modem (it's external, remember, so I just move the serial cable) from the
LRP box to one of the clients, a win2k box. Once I successfully connect with
the win2k box, then move the modem back to the LRP box, it will connect just
fine.
Keep in mind that it works most of the time--but then this strange problem
manifests itself. I've included all of the relevant logs and such below:

my connect script: /etc/ppp/ppp-go

#!/bin/sh
#erols connection script
exec pppd ttyS0 115200 defaultroute user davidhoffman connect \
"/usr/sbin/chat -v -T3019178111 '' AT OK ATDT3019178111 CONNECT  '\d\c'"

My /etc/ppp/options

# /etc/ppp/options
#
# $Id: options,v 1.4 1996/05/01 18:57:04 alvar Exp $
#
# Originally created by Jim Knoble <[EMAIL PROTECTED]>
# Modified for Debian by alvar Bray <[EMAIL PROTECTED]>
# Modified for PPP Server setup by Christoph Lameter <[EMAIL PROTECTED]>
#
# Use the command  egrep -v '#|^ *$' /etc/ppp/options to quickly see what
# options are active in this file.

# Specify which DNS Servers the incoming Win95 or WinNT Connection should use
# Two Servers can be remotely configured
# ms-dns 192.168.1.1
# ms-dns 192.168.1.2

# Specify which WINS Servers the incoming connection Win95 or WinNT should
use
# ms-wins 192.168.1.50
# ms-wins 192.168.1.51

# Run the executable or shell command specified after pppd has
# terminated the link.  This script could, for example, issue commands
# to the modem to cause it to hang up if hardware modem control signals
# were not available.
#disconnect "/etc/ppp/ppp-go"

# async character map -- 32-bit hex; each bit is a character
# that needs to be escaped for pppd to receive it.  0x0001
# represents '\x01', and 0x8000 represents '\x1f'.
asyncmap 0

# Require the peer to authenticate itself before allowing network
# packets to be sent or received.
# Please do not disable this setting. It is expected to be standard in
# future releases of pppd. Use the call option (see manpage) to disable
# authentication for specific peers.
#auth

# Use hardware flow control (i.e. RTS/CTS) to control the flow of data
# on the serial port.
crtscts

# Use software flow control (i.e. XON/XOFF) to control the flow of data
# on the serial port.
#xonxoff

# Specifies that certain characters should be escaped on transmission
# (regardless of whether the peer requests them to be escaped with its
# async control character map).  The characters to be escaped are
# specified as a list of hex numbers separated by commas.  Note that
# almost any character can be specified for the escape option, unlike
# the asyncmap option which only allows control characters to be
# specified.  The characters which may not be escaped are those with hex
# values 0x20 - 0x3f or 0x5e.
#escape 11,13,ff

# Don't use the modem control lines.
#local

# Specifies that pppd should use a UUCP-style lock on the serial device
# to ensure exclusive access to the device.
lock

# Use the modem control lines.  On Ultrix, this option implies hardware
# flow control, as for the crtscts option.  (This option is not fully
# implemented.)
modem

# Set the MRU [Maximum Receive Unit] value to  for negotiation.  pppd
# will ask the peer to send packets of no more than  bytes. The
# minimum MRU value is 128.  The default MRU value is 1500.  A value of
# 296 is recommended for slow links (40 bytes for TCP/IP header + 256
# bytes of data).
#mru 542

# Set the interface netmask to , a 32 bit netmask in "decimal dot"
# notation (e.g. 255.255.255.0).
#netmask 255.255.255.0

# Disables the default behaviour when no local IP address is specified,
# which is to determine (if possible) the local IP address from the
# hostname. With this option, the peer will have to supply the local IP
# address during IPCP negotiation (unless it specified explicitly on the
# command line or in an options file).
noipdefault

# Enables the "passive" option in the LCP.  With this option, pppd will
# attempt to initiate a conne

Re: [Leaf-user] Help with DNS error logs on Eiger2Beta with PPPoP

2001-07-03 Thread Victor McAllister

64.37.200.46 is one of the IPs used by some companies for geographic load
balancing.  A whole list of machines all hit your port 53 at the same time.  It
doesn't do any damage, but  the log entries can run to 100k or more.
I use Charles' little script to modify the firewall to not log this garbage.
There was a message on this list a couple of days ago with the script for
esb2...  If you can't find -- holler.

> I need some help in not logging the following DNS error types:
>
> Packet log: input DENY ppp0 PROTO=6 64.37.200.46:41613 66.20.176.251:53 L=44
> S=0x00 I=0 F=0x T=242 (#42)
>
> I am using the Eiger2beta with PPPoP from Ken on a two floppy disk set-up.
>
> I have a dsncache.lrp module running and have three IP's for the DNS servers
> to ensure these all find a way home.
>
> from /etc/network.conf
> DNS0=192.168.1.254
> DNS1=205.152.0.20
> DNS2=205.152.0.5
>
> What else is needed to help?
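
Before silencing log entries like the one quoted above, it helps to measure which denied ports are hit by many different sources at once. The following is an added example, not Charles' script and not LEAF project code: it parses ipchains "Packet log" lines shaped like the quoted one, and the syslog prefix, the sample lines, the 192.0.2.x/198.51.100.x/203.0.113.x addresses and the min_sources threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Leading fields of an ipchains "Packet log" line. The trailing L=/S=/I=/F=/T=
# fields are not needed here, so a truncated tail still parses.
LINE_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>\d+(?:\.\d+){3}):(?P<sport>\d+) "
    r"(?P<dst>\d+(?:\.\d+){3}):(?P<dport>\d+)"
)

def _deny(src, dport):
    """Build one constructed log line in the shape quoted in the thread."""
    return ("Jul  3 10:15:01 fw kernel: Packet log: input DENY ppp0 PROTO=6 "
            f"{src} 66.20.176.251:{dport} L=44 S=0x00 I=0 F=0x0000 T=242 (#42)")

# Constructed sample: several hosts probing TCP/53 together, plus unrelated lines.
SAMPLE = "\n".join([
    _deny("64.37.200.46:41613", 53), _deny("192.0.2.10:40211", 53),
    _deny("198.51.100.7:40212", 53), _deny("203.0.113.99:40213", 53),
    _deny("64.37.200.46:41614", 53), _deny("192.0.2.10:3345", 23),
    "Jul  3 10:15:08 fw kernel: Packet log: input ACCEPT ppp0 PROTO=17 "
    "205.152.0.20:53 66.20.176.251:1027 L=90 S=0x00 I=7 F=0x0000 T=250 (#9)",
    "Jul  3 10:15:09 fw pppd[312]: rcvd [LCP EchoReq id=0x1]",
])

def parse(line):
    """Return the leading fields of a Packet log line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec

def summarize(text):
    """Group dropped packets by (interface, protocol, destination port)."""
    groups = defaultdict(lambda: {"packets": 0, "sources": set()})
    for line in text.splitlines():
        rec = parse(line)
        if rec is None or rec["action"] not in ("DENY", "REJECT"):
            continue
        group = groups[(rec["iface"], rec["proto"], rec["dport"])]
        group["packets"] += 1
        group["sources"].add(rec["src"])
    return dict(groups)

def noisy(text, min_sources=3):
    """Ports hit by at least min_sources distinct hosts, busiest first."""
    rows = [(key, g["packets"], len(g["sources"]))
            for key, g in summarize(text).items() if len(g["sources"]) >= min_sources]
    return sorted(rows, key=lambda row: -row[1])

if __name__ == "__main__":
    for (iface, proto, dport), packets, sources in noisy(SAMPLE):
        print(f"{iface} proto={proto} dport={dport}: {packets} packets from {sources} sources")
```

Ports reported by noisy() are the candidates for a deny rule that does not log; a port hit by a single source, like the port 23 line in the sample, stays in the log where it is still worth reading.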





Re: [Leaf-user] modules.conf

2001-07-03 Thread Jeff Newmiller

On Tue, 3 Jul 2001, Kim Oppalfens wrote:

> Hi listmembers,
> 
> 
> I am looking for the file that would replace the modules.conf file of 
> a normal complete linux distribution in Eigerstein beta 2

Omitted to save disk space.

To specify which modules get loaded, do it IN THE RIGHT ORDER in
/etc/modules.  /etc/modules.conf allows you to do it out of order and have
the software compensate for your forgetfulness.  That is an excessive
luxury in a floppy-sized system. 

---
Jeff NewmillerThe .   .  Go Live...
DCN:<[EMAIL PROTECTED]>Basics: ##.#.   ##.#.  Live Go...
Work:<[EMAIL PROTECTED]>  Live:   OO#.. Dead: OO#..  Playing
Research Engineer (Solar/BatteriesO.O#.   #.O#.  with
/Software/Embedded Controllers)   .OO#.   .OO#.  rocks...2k
---

