Re: [Leaf-user] CIPE/VPN for Windows Networking
Hi,

I managed to dig a crypted tunnel between 2 LEAF boxes (through a pppoe adsl connection). Each box is giving internet access to a small lan (a few windows machines).

As far as tcp/ip is concerned, everything is in place (routing, reconnection if one gets another dynamic external address).

I can use vnc to take control of one machine in the other lan.
I can map network drives using the \\Ip.ad.dr.ess\share
Name resolution (dns and netbios) isn't working yet.
Network browsing (My network places in W2K) isn't working yet and I found very little info on how to make it work (each subnet has its own windows domain/workgroup).

I based my work on the CIPED-1.LRP (http://leaf.sourceforge.net link on the home page) (thanks Sandro) but I had to recompile the module (I use a dachstein normal ide kernel). I had a permission problem; moving every cipe file in /cipe instead of /etc/cipe and setting chmod 6|700 on everything solved the problem.

I'm still working on the name resolution/network browsing.

Regards
Etienne Charlier

----- Original Message -----
From: Greg Morgan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; DPG [EMAIL PROTECTED]
Sent: Friday, October 26, 2001 7:55 AM
Subject: Re: [Leaf-user] CIPE/VPN for Windows Networking

> DPG wrote:
>
> > Can anyone point me to resources for this? Is this feasible?
>
> Yes. I have collected three books that I found informative:
>
>     O'Reilly's Virtual Private Networks
>     McGraw Hill's Unix Secure Shell
>     O'Reilly's Building Internet Firewalls
>
> lrp.c0wz.com has links to CIPE. You may want to visit the mirror at
>
>     http://c0wz.steinkuehler.net/
>     http://sites.inka.de/~bigred/devel/cipe.html
>     http://www.linuxdoc.org/HOWTO/mini/Cipe+Masq.html
>
> I found this link helpful. It talks about VNC but it provides a picture of what you would be doing with cipe. CIPE provides a tunnel from one LAN to another.
>
>     http://www.uk.research.att.com/vnc/sshvnc.html
>
> > I am trying to develop a secure VPN between two small Windows-based LANs,
>
> There are some ideas here in the cipe faq http://sites.inka.de/~bigred/devel/cipe-faq.html. If you are on a budget you can use a samba server for the WINS server. (See http://www.samba.org.)
>
> > such that for all intents and purposes, the users can't tell the difference between resources that are truly local vs. those that are on the remote network. The scenario involves two small real estate offices using 1.1 Mb SDSL, with the intent of sharing files and printers between the two sites.
> >
> > Does anyone know of such an implementation existing now? Are there any specific How-tos for this? Any pointers appreciated.
>
> First pointer: you are advertising a service that can be attacked. Encryption helps minimize attacks and keeps private data scrambled from packet sniffers. Some of the Real Estate data may have people's sensitive personal information flowing over the public network segment of the VPN. There are people out there that want to play with you. There are people that want to destroy your business. Just be aware of this.
>
> CIPE evolved from secure shell. That is why I provided the secure shell links and books. I found the information helpful, but you will not need all of it for implementation. Secure shell was used to run other protocols over the secure shell protocol, producing the same result you desire. However, there are some problems doing this. CIPE was developed to still use secure protocols but solve some of the problem of executing one protocol over another protocol. (See http://sites.inka.de/~bigred/devel/tcp-tcp.html.)
>
> Here's a picture of what you want to do.
>
>             +--------+             +--------+
>             |  leaf  |             |  leaf  |
>     win net |  fwall |-----VPN-----|  fwall | win net
>             |   +    |             |   +    |
>             |  CIPE  |             |  CIPE  |
>             +--------+             +--------+
>
> Any VPN technology implies that you have a firewall securing each LAN on either side of the VPN. You would put a CIPE package on each LEAF/LRP firewall. Then follow the how to and other links above to configure.
>
> I have not done this yet, but here's all the conceptual information.
>
> I hope this helps,
> Greg

___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
Re: [Leaf-user] syslinux VGA= syntax?
On Thu, 25 Oct 2001, Matthew Schalit wrote:

> Would someone post the syntax for the syslinux.cfg command VGA=?
> Thanks.
>
> I've tried
>
>     VGA=auto  --- Works, sets default screen size, 80x25.
>     VGA=ask   --- Works, asks you for the mode you want.
>     VGA=1     --- Broken: trying to set mode 1 = 0F01 = 80x50
>     VGA=0F01  --- Broken: trying to set mode 1 = 0F01 = 80x50
>     VGA=80x50 --- Broken: trying to set mode 1 = 0F01 = 80x50

I think it is similar to lilo.conf. From that manpage:

    vga=mode
        This specifies the VGA text mode that should be selected when
        booting. The following values are recognized (case is ignored):

        normal: select normal 80x25 text mode.

        extended (or ext): select 80x50 text mode.

        ask: stop and ask for user input (at boot time).

        number: use the corresponding text mode (can specify the number
        in decimal or in hex with the usual '0x' convention). A list of
        available modes can be obtained by booting with vga=ask and
        pressing [Enter].

        If this variable is omitted, the VGA mode setting contained in
        the kernel image is used. (And that is set at compile time using
        the SVGA_MODE variable in the kernel Makefile, and can later be
        changed with the rdev(8) program.)

---------------------------------------------------------------------------
Jeff Newmiller                        The     .....       .....  Go Live...
DCN:[EMAIL PROTECTED]                 Basics: ##.#.       ##.#.  Live Go...
                                      Live:   OO#.. Dead: OO#..  Playing
Research Engineer (Solar/Batteries            O.O#.       #.O#.  with
/Software/Embedded Controllers)               .OO#.       .OO#.  rocks...2k
---------------------------------------------------------------------------
RE: [Leaf-user] CIPE/VPN for Windows Networking
Greg and Etienne,

This is exactly the kind of information I was looking for. I will post back when I have it working, and hopefully, I can add a detailed how-to to the project.

Regards,
Dan

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Etienne Charlier
Sent: Friday, October 26, 2001 2:03 AM
To: [EMAIL PROTECTED]
Subject: Re: [Leaf-user] CIPE/VPN for Windows Networking

Hi,

I managed to dig a crypted tunnel between 2 LEAF boxes (through a pppoe adsl connection). Each box is giving internet access to a small lan (a few windows machines).

As far as tcp/ip is concerned, everything is in place (routing, reconnection if one gets another dynamic external address).

I can use vnc to take control of one machine in the other lan.
I can map network drives using the \\Ip.ad.dr.ess\share
Name resolution (dns and netbios) isn't working yet.
Network browsing (My network places in W2K) isn't working yet and I found very little info on how to make it work (each subnet has its own windows domain/workgroup).

I based my work on the CIPED-1.LRP (http://leaf.sourceforge.net link on the home page) (thanks Sandro) but I had to recompile the module (I use a dachstein normal ide kernel). I had a permission problem; moving every cipe file in /cipe instead of /etc/cipe and setting chmod 6|700 on everything solved the problem.

I'm still working on the name resolution/network browsing.

Regards
Etienne Charlier

----- Original Message -----
From: Greg Morgan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; DPG [EMAIL PROTECTED]
Sent: Friday, October 26, 2001 7:55 AM
Subject: Re: [Leaf-user] CIPE/VPN for Windows Networking

> DPG wrote:
>
> > Can anyone point me to resources for this? Is this feasible?
>
> Yes. I have collected three books that I found informative:
>
>     O'Reilly's Virtual Private Networks
>     McGraw Hill's Unix Secure Shell
>     O'Reilly's Building Internet Firewalls
>
> lrp.c0wz.com has links to CIPE. You may want to visit the mirror at
>
>     http://c0wz.steinkuehler.net/
>     http://sites.inka.de/~bigred/devel/cipe.html
>     http://www.linuxdoc.org/HOWTO/mini/Cipe+Masq.html
>
> I found this link helpful. It talks about VNC but it provides a picture of what you would be doing with cipe. CIPE provides a tunnel from one LAN to another.
>
>     http://www.uk.research.att.com/vnc/sshvnc.html
>
> > I am trying to develop a secure VPN between two small Windows-based LANs,
>
> There are some ideas here in the cipe faq http://sites.inka.de/~bigred/devel/cipe-faq.html. If you are on a budget you can use a samba server for the WINS server. (See http://www.samba.org.)
>
> > such that for all intents and purposes, the users can't tell the difference between resources that are truly local vs. those that are on the remote network. The scenario involves two small real estate offices using 1.1 Mb SDSL, with the intent of sharing files and printers between the two sites.
> >
> > Does anyone know of such an implementation existing now? Are there any specific How-tos for this? Any pointers appreciated.
>
> First pointer: you are advertising a service that can be attacked. Encryption helps minimize attacks and keeps private data scrambled from packet sniffers. Some of the Real Estate data may have people's sensitive personal information flowing over the public network segment of the VPN. There are people out there that want to play with you. There are people that want to destroy your business. Just be aware of this.
>
> CIPE evolved from secure shell. That is why I provided the secure shell links and books. I found the information helpful, but you will not need all of it for implementation. Secure shell was used to run other protocols over the secure shell protocol, producing the same result you desire. However, there are some problems doing this. CIPE was developed to still use secure protocols but solve some of the problem of executing one protocol over another protocol. (See http://sites.inka.de/~bigred/devel/tcp-tcp.html.)
>
> Here's a picture of what you want to do.
>
>             +--------+             +--------+
>             |  leaf  |             |  leaf  |
>     win net |  fwall |-----VPN-----|  fwall | win net
>             |   +    |             |   +    |
>             |  CIPE  |             |  CIPE  |
>             +--------+             +--------+
>
> Any VPN technology implies that you have a firewall securing each LAN on either side of the VPN. You would put a CIPE package on each LEAF/LRP firewall. Then follow the how to and other links above to configure.
>
> I have not done this yet, but here's all the conceptual information.
>
> I hope this helps,
> Greg
Re: [Leaf-user] DNS flood?
I've checked, double checked, and triple checked this a number of times - the culprit is ads.x10.com. Every time I see this ad, I check my lrp. Consistently, this is the only site for me that causes this DNS flood in my logs. Unfortunately, this ad site is attaching to more and more web sites including yahoo and my local small town newspaper site!

Try putting

    ads.x10.com     127.0.0.1

in your hosts file. Should stop them from popping up, I think.
Re: [Leaf-user] Debug Script Available
Robert Williams wrote:

> Hi all,
>
> I have written a shell script to automatically create data useful in diagnosing LRP/LEAF problems.
> [snip]
> http://home.pacbell.net/rcw1/lrp/debug/debug.html
>
> Enjoy,
> Robert Williams

I like it. I was working on something similar, but I went off topic :)

I'd suggest you have the script include

    cat /etc/hosts
    cat /etc/resolv.conf
    cat /etc/nsswitch.conf

and maybe write a couple of lines of code that ping the network cards with the output perhaps, and maybe then include arp -an.

Also you might want to code the commands into

    IPCHAINS=/sbin/ipchains
    CAT=cat
    NETSTAT=blah blah,

and make it test for each command to be sure it's there. Some of the commands are not available in Oxygen until you load their package (netstat, ipchains, ifconfig)...

Happy,
Matt
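A skeleton in the spirit of Matt's suggestions, as an added example that is not Robert's script or any code from the original thread: each command is coded into a variable and probed before it is run, so a missing package produces a note in the report instead of aborting it. The command paths, the old net-tools "inet addr:" ifconfig output format and the output file name are assumptions.

```shell
#!/bin/sh
# Constructed example of an LRP/LEAF debug collector that tests for each
# command before running it (on Oxygen, netstat/ipchains/ifconfig only
# exist once their package is loaded). Paths below are assumptions.
IPCHAINS=/sbin/ipchains
IFCONFIG=/sbin/ifconfig
NETSTAT=/bin/netstat
ARP=/sbin/arp
PING=/bin/ping
CAT=cat

# have_cmd CMD: 0 if CMD is an executable path or is found on $PATH, else 1.
have_cmd() {
    case "$1" in
        */*) [ -x "$1" ] ;;
        *)   command -v "$1" >/dev/null 2>&1 ;;
    esac
}

# run_or_note CMD ARGS...: run CMD if present, otherwise record that it is
# missing. A non-zero exit is recorded too, never propagated to the caller.
run_or_note() {
    echo "### $*"
    if have_cmd "$1"; then
        "$@" 2>&1 || echo "(exit status $?)"
    else
        echo "(not available: $1 -- package not loaded?)"
    fi
}

# show_file FILE: dump a config file, or note its absence.
show_file() {
    echo "### $1"
    if [ -r "$1" ]; then "$CAT" "$1"; else echo "(missing: $1)"; fi
}

# iface_addrs: inet addresses parsed from old-style ifconfig output
# ("inet addr:10.0.0.1"); empty when ifconfig is absent. Assumed format.
iface_addrs() {
    have_cmd "$IFCONFIG" || return 0
    "$IFCONFIG" 2>/dev/null | sed -n 's/.*inet addr:\([0-9.]*\).*/\1/p'
}

# collect_debug OUTFILE: write the whole report; one ping per local address
# so a dead NIC shows up next to its configuration.
collect_debug() {
    {
        show_file /etc/hosts
        show_file /etc/resolv.conf
        show_file /etc/nsswitch.conf
        run_or_note "$IFCONFIG" -a
        for a in $(iface_addrs); do
            run_or_note "$PING" -c 1 "$a"
        done
        run_or_note "$ARP" -an
        run_or_note "$NETSTAT" -rn
        run_or_note "$IPCHAINS" -L -n
    } > "$1"
    echo "wrote $1"
}

# Only collect when asked, e.g.: sh debug.sh collect /tmp/lrp-debug.txt
if [ "${1:-}" = "collect" ]; then
    collect_debug "${2:-/tmp/lrp-debug.txt}"
fi
```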
Re: [Leaf-user] How to display current masqueraded connections??
[EMAIL PROTECTED] wrote:

> Hi all,
>
> I'm trying to display how many users are accessing the internet thru my firewall. I've tried with netstat:
>
>     / # netstat -Mn
>     masq_info.c: Internal Error `ip_masquerade unknown type'.
>
> Does anyone know why I get this error?? Is there any other way of doing this??
>
> I'm using Eigerstein - Linux 2.2.16 #2 Mon Jul 31 09:38:22 CDT 2000 i386 unknown
>
> Thanks

Do you have

    ipchains -M -L -n

???

Matt
Re: [Leaf-user] DNS flood?
On Fri, 26 Oct 2001 14:44:02 -0300 you wrote:

> Brad, when you go to Weather.com, do you happen to notice one of those stupid pop-under ads from x10.com?

It's been a long time since I've been to weather.com (because of the irritating popups, and overuse of graphics and applets), but I do seem to recall the x10.com popups being the root cause.

Hmm...checking...

    [brad@wml brad]$ grep x10 /etc/hosts
    127.0.0.1       ads.x10.com

Yep, probably was x10.com. :) Great technique for killing banner ads and cross-site doubleclick-style tracking.

> I've checked, double checked, and triple checked this a number of times - the culprit is ads.x10.com. Every time I see this ad, I check my lrp. Consistently, this is the only site for me that causes this DNS flood in my logs. Unfortunately, this ad site is attaching to more and more web sites including yahoo and my local small town newspaper site!

Even the local paper? That's really unfortunate.

--Brad
Re: [Leaf-user] Dachstein-CD-rc3: mail anomalies
Michael D. Schleif wrote:

> [ snip ]
>
> [3] /var/log/mail.log exists; but, I've not yet seen anything write to it.
>
> In order to facilitate debugging Email issues, as well as to keep track of outgoing Email attempts, I suggest adding the following subroutine to /lib/POSIXness/POSIXness.mail:
>
>     # Append one syslog-style line per delivery attempt to mail.log.
>     log () {
>         LOG=/var/log/mail.log
>         STR=`date '+%b %d %T'`
>         STR="${STR} ${HOSTNAME} mail[$$]: $user = [$envelopes]: $subject"
>         echo "$STR" >> $LOG
>     }
>
> I suggest calling log prior to that final `exit 0' and the last `done'; but, there may be a more sane location ;

Of course, I meant this:

    done
    log
    exit 0

--
Best Regards,

mds
mds resource
888.250.3987

Dare to fix things before they break . . .

Our capacity for understanding is inversely proportional to how much we think we know. The more I know, the more I know I don't know . . .
[Leaf-user] Help with getting weblet logs into weblet
I've been messing with the weblet logs in EigenSteinB2, trying to figure out how to get them to show up in the weblet along with messages.log and the others. There seem to be some interacting problems with this, though.

If I move the weblet sh-log's into /var/log, everything works peachy until the next log rotation, at which point the ownership of the files reverts to root and the weblet can't access them anymore. (One of the commands buried in the scripts has a 'preserve' option which I think is supposed to keep this from happening, but it didn't seem to work.)

I tried the reverse, leaving the sh-log's in /var/sh-log, but don't seem to be able to find a way to get the weblet cgi to access the logs in the other directory.

Check this out, though. I tried creating a set of symbolic links in /var/log that don't rotate but point to the /var/sh-log's and that actually worked great. Except.. I lose all the symlinks on a reboot.

So, has anyone figured out how to do this independently? Or can someone point out how to set up symlinks during the boot-up?

Incidentally, the logs section of my weblet looks like this now (note the new sh-httpd.log entry):

--- 8< ---
Log Files:

                Current  Archives  All   Description
messages        0        1 2 3     All   System Messages, including denied packets
syslog          0        1 2 3     All   General log file - lots of info
auth.log        0        1 2 3     All   Who's logged in recently
debug           0        1 2 3     All   debugging information
daemon.log      0        1 2 3     All   daemon (server programs) messages
kern.log        0        1 2 3     All   kernel messages
ppp.log         0        1 2 3     All   ppp log files
pslave.log      0        1 2 3     All   portslave log files
user.log        0        1 2 3     All   user log files
sh-httpd.log    0        1 2 3     All   http log files
--- 8< ---

-John
[Leaf-user] small issues with D-CD rc2
Sorry I didn't mention these early enough to be looked at for rc3, but I noticed the following two issues (may not even be problems in rc2!).

1) syslinux.cfg on bootdisk.bin has

       boot=/dev/fd0,msdos

   According to the docs, that should read

       boot=/dev/fd0:msdos

2) backup doesn't work quite right. I'm using a floppy boot with CD on hda (almost completely unmodified). I used the lrcfg backup and set most packages to none and on three (etc, dhclient and modules) I set the device to the floppy and the backup type to part. When I did a L (backup except logs), it tried to backup everything (including the none packages). Then when I tried to backup one package at a time, it complained of a device not existing or being invalid (sorry, as important as it is, I forget the exact complaint!). Then when I retried it worked. Could this be caused by item 1)?

Keith Laidlaw
Manager of Engineering
Dakins Engineering Group Ltd.
tel: (905) 814-6024
fax: (905) 814-6029
Re: [Leaf-user] Dachstein-CD-rc3 available: bash.lrp error
Charles Steinkuehler wrote:

> > I haven't tried bash.lrp since pre-release. There used to be two (2) bash-related problems; now, I find one (1):
> >
> >     Mounting local filesystems...
> >     ramdisk.pkg: Uncompressing archives - log.tgz/etc/rcS.d/S36ramdisk.pkg: line 33:  1001 Broken pipe             gunzip -c $pkgdir/$pkg
> >           1002 Done                    | qt tar -x -
> >     Finished.
> >
> > I'm not sure what is wrong here -- I do not see anything wrong with the scripts. log.tgz *does* get un-archived and bash is working. Nevertheless, this is some kind of error -- hopefully *not* to manifest itself elsewhere . . .
> >
> > P.S. I am using ramlog.lrp -- *not* ramdisk.lrp . . .
>
> I'm running bash (and vim) on my development systems here, and I have not seen this problem. Can you provide more details about your system:
>
> Hardware details (cpu, memory, NIC's, etc)

DECpc LPv+ 450d2 PC
486d2 50 MHz
64 MB, 36-bit SIMM's
3c509 ISA NIC's (2x)

see below for boot lines from syslog

> Configuration (packages & modules loaded from CD)

lrpkg.cfg == etc,local,bash,bwidth22,dhclient,dhcpd,dnscache,ifconfig,libpcap,lncurses,lrdline2,mawk,modules,ramlog,rsync,snmp,ssh-1,sshd-1,tcpdump,vim,weblet

> Which packages you have local configuration information for on your floppy.

I boot from floppy, so the standard linux, root.lrp, &c. is on floppy; but, *nothing* else LRP is loaded from floppy . . .

> I'm not sure what the problem could be...

Boot lines from syslog =

    Oct 26 00:51:50 trout syslogd 1.3-3#31.slink1: restart.
    Oct 26 00:51:51 trout kernel: klogd 1.3-3#31.slink1, log source = /proc/kmsg started.
    Oct 26 00:51:51 trout kernel: Cannot find map file.
    Oct 26 00:51:51 trout kernel: Loaded 18 symbols from 14 modules.
    Oct 26 00:51:51 trout kernel: Linux version 2.2.19 (root@debian) (gcc version 2.7.2.3) #6 Mon Oct 22 17:21:06 CDT 2001
    Oct 26 00:51:51 trout kernel: BIOS-provided physical RAM map:
    Oct 26 00:51:51 trout kernel:  BIOS-88: 0009f000 @ (usable)
    Oct 26 00:51:51 trout kernel:  BIOS-88: 03f0 @ 0010 (usable)
    Oct 26 00:51:51 trout kernel: Console: colour VGA+ 80x25
    Oct 26 00:51:51 trout kernel: Calibrating delay loop... 24.93 BogoMIPS
    Oct 26 00:51:51 trout kernel: Memory: 62156k/65536k available (1112k kernel code, 412k reserved, 1024k data, 52k init)
    Oct 26 00:51:51 trout kernel: Checking if this processor honours the WP bit even in supervisor mode... Ok.
    Oct 26 00:51:51 trout kernel: Dentry hash table entries: 8192 (order 4, 64k)
    Oct 26 00:51:51 trout kernel: Buffer cache hash table entries: 65536 (order 6, 256k)
    Oct 26 00:51:51 trout kernel: Page cache hash table entries: 16384 (order 4, 64k)
    Oct 26 00:51:51 trout kernel: CPU: Intel 486 DX/2 stepping 05
    Oct 26 00:51:51 trout kernel: Checking 386/387 coupling... OK, FPU using exception 16 error reporting.
    Oct 26 00:51:51 trout kernel: Checking 'hlt' instruction... OK.
    Oct 26 00:51:51 trout kernel: POSIX conformance testing by UNIFIX
    Oct 26 00:51:51 trout kernel: PCI: No PCI bus detected
    Oct 26 00:51:51 trout kernel: Linux NET4.0 for Linux 2.2
    Oct 26 00:51:51 trout kernel: Based upon Swansea University Computer Society NET3.039
    Oct 26 00:51:51 trout kernel: NET4: Unix domain sockets 1.0 for Linux NET4.0.
    Oct 26 00:51:51 trout kernel: NET4: Linux TCP/IP 1.0 for NET4.0
    Oct 26 00:51:51 trout kernel: IP Protocols: ICMP, UDP, TCP, IGMP
    Oct 26 00:51:51 trout kernel: TCP: Hash tables configured (ehash 65536 bhash 65536)
    Oct 26 00:51:51 trout kernel: Linux IP multicast router 0.06 plus PIM-SM
    Oct 26 00:51:51 trout kernel: klips_info:ipsec_init: KLIPS startup, FreeS/WAN IPSec version: 1.91
    Oct 26 00:51:51 trout kernel: early initialization of device ipsec0 is deferred
    Oct 26 00:51:51 trout kernel: early initialization of device ipsec1 is deferred
    Oct 26 00:51:51 trout kernel: early initialization of device ipsec2 is deferred
    Oct 26 00:51:51 trout kernel: early initialization of device ipsec3 is deferred
    Oct 26 00:51:51 trout kernel: Initializing RT netlink socket
    Oct 26 00:51:51 trout kernel: Starting kswapd v 1.5
    Oct 26 00:51:51 trout kernel: Detected PS/2 Mouse Port.
    Oct 26 00:51:51 trout kernel: Serial driver version 4.27 with MANY_PORTS MULTIPORT SHARE_IRQ enabled
    Oct 26 00:51:51 trout kernel: Software Watchdog Timer: 0.05, timer margin: 60 sec
    Oct 26 00:51:51 trout kernel: Real Time Clock Driver v1.09
    Oct 26 00:51:51 trout kernel: RAM disk driver initialized: 16 RAM disks of 20480K size
    Oct 26 00:51:51 trout kernel: hda: CD-ROM 40X/AKU, ATAPI CDROM drive
    Oct 26 00:51:51 trout kernel: ide0 at 0x1f0-0x1f7,0x3f6 on irq 14
    Oct 26 00:51:51 trout kernel: Floppy drive(s): fd0 is 1.44M
    Oct 26 00:51:51 trout kernel: FDC 0 is a post-1991 82077
    Oct 26 00:51:51 trout kernel: md driver 0.90.0 MAX_MD_DEVS=256, MAX_REAL=12
    Oct 26 00:51:51 trout kernel: raid5: measuring checksumming speed
    Oct 26 00:51:51 trout kernel:    8regs     :    28.575 MB/sec
    Oct 26 00:51:51 trout kernel:    32regs    :    16.764 MB/sec
    Oct 26 00:51:51 trout kernel: using fastest
Re: [Leaf-user] Dachstein-CD-rc3 available: bash.lrp error
> I haven't tried bash.lrp since pre-release. There used to be two (2) bash-related problems; now, I find one (1):
>
>     Mounting local filesystems...
>     ramdisk.pkg: Uncompressing archives - log.tgz/etc/rcS.d/S36ramdisk.pkg: line 33:  1001 Broken pipe             gunzip -c $pkgdir/$pkg
>           1002 Done                    | qt tar -x -
>     Finished.
>
> I'm not sure what is wrong here -- I do not see anything wrong with the scripts. log.tgz *does* get un-archived and bash is working. Nevertheless, this is some kind of error -- hopefully *not* to manifest itself elsewhere . . .
>
> P.S. I am using ramlog.lrp -- *not* ramdisk.lrp . . .

I'm running bash (and vim) on my development systems here, and I have not seen this problem. Can you provide more details about your system:

Hardware details (cpu, memory, NIC's, etc)
Configuration (packages & modules loaded from CD)
Which packages you have local configuration information for on your floppy.

I'm not sure what the problem could be...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)