[Leaf-user] Exchange server behind EigerStein w/NAT can not send to some sites
Hello,

I'm running a small PC network, including an Exchange server, behind an EigerStein using NAT. Most of the time everything works great. However, e-mail sent by the Exchange server to a few domains fails, I understand, because there is no public reverse DNS for the Exchange server, and some mail servers therefore suspect e-mail coming from it is spam. Only the EigerStein router has a public IP. In other words, e-mail from the Exchange server includes headers like this...

    Received: from server.aac.edu (gw.aac.edu [195.113.149.145]) by ...

... where server.aac.edu is the Exchange server, which has no external DNS entry, and gw.aac.edu is the NATing EigerStein router with public IP 195.113.149.145.

What do I need to do to make this failing e-mail go through? Add DNS entries for server.aac.edu? Can I rename the Exchange Server gw (since there's no gw.aac.edu on the internal network)?

Thanks for your attention!
Barbara Miller

___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
Re: [Leaf-user] Exchange server behind EigerStein w/NAT can not send to some sites
Hi Barbara,

I would do as Mark said regarding trying to locate headers of failed messages from the server that isn't accepting your mail. To solve it correctly though, you have two options, both of which will reflect the correct reverse DNS for all outside mail servers.

1. Your exchange server should masquerade the dns name of the outside entry point to your network. ie, if your entry to your network from the outside is outside.mynetwork.com, and that has an MX record for receiving all mail for mynetwork.com, then you would alter exchange so that it shows all mail as being sent from outside.mynetwork.com as that is what the reverse mail lookups are looking for. And don't forget that whatever the actual address is that is masqueraded, must also be an email name for the clients in your exchange system so that exchange will accept the mail ie [EMAIL PROTECTED] or [EMAIL PROTECTED]

2. You set up a linux relay box using postfix to accept and send all mail to/from the outside world, as an intermediary between outside and the exchange server. This is preferred as exchange should not be talking directly to the outside world -- security problems. You also get a plus in this as it allows you to set up scripting, etc., to help scan inbound mail which strengthens your virus/spam posture.

Sam

Mark Plowman wrote:
> Barbara,
>
> > From: Barbara Miller [EMAIL PROTECTED]
> > Date: Tue, 13 Nov 2001 15:58:49 +0100
> >
> > Hello, I'm running a small PC network, including an Exchange server, behind an EigerStein using NAT. Most of the time everything works great.
>
> We are doing the same, but using Postfix (which I can recommend) under Linux. I also follow the Postfix mailing list and have learnt a *lot* about mail servers there...
>
> > However, e-mail sent by the Exchange server to a few domains fails, I understand, because there is no public reverse DNS for the Exchange server, and some mail servers therefore suspect e-mail coming from it is spam. Only the EigerStein router has a public IP.
>
> If mail is being rejected by a domain, send a mail to the [EMAIL PROTECTED] and ask him/her what you are doing wrong. Perhaps the failure notification from the remote server gives you a few clues. Be careful, I understand that Exchange helpfully massages the messages and alters the content, this may be a pain... Perhaps you could post one of the bounce messages so that we could study it?
>
> > In other words, e-mail from the Exchange server includes headers like this...
> >
> >     Received: from server.aac.edu (gw.aac.edu [195.113.149.145]) by ...
> >
> > ... where server.aac.edu is the Exchange server, which has no external DNS entry, and gw.aac.edu is the NATing EigerStein router with public IP 195.113.149.145.
>
> I think that it unlikely that *that* is the problem. Mail servers rarely look at received lines. Things they do look at include:
>
> 1) The name your server gives when it says HELO myname or EHLO myname. Myname should be the fully qualified DNS name of your server and some people check this (i.e. do a lookup of the name and see if it matches the IP of your LEAF). Having said that, our server name (duif.hexapole.nl) doesn't resolve and I have never knowingly lost an email. The MX for hexapole.nl does resolve to the IP of our LEAF, so that *is* good.
>
> 2) More things that escape me at the moment ;-)
>
> > What do I need to do to make this failing e-mail go through?
>
> More information. The bounce message, info from the remote postmaster
>
> > Add DNS entries for server.aac.edu? Can I rename the Exchange Server gw (since there's no gw.aac.edu on the internal network)?
>
> Neither would do any harm and could well do some good. Try it!
>
> > Thanks for your attention!
> > Barbara Miller
>
> Greetings
> Mark Plowman
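The check Mark describes in point 1 (a receiving server looking up the HELO name and comparing it with the connecting IP) together with the reverse-DNS worry in Barbara's question, worked through as an added example. This is not code from the thread or from any mail server. It simulates what a receiving MTA sees for the cases the thread discusses: the Exchange server announcing its internal name server.aac.edu, the same host announcing the router's public name gw.aac.edu (what Sam's option 1 achieves), and a client whose IP has no PTR record at all. The DNS records are a constructed in-memory table built from the names and address in Barbara's Received header; 198.51.100.7 is a documentation address standing in for a host without reverse DNS. Real MTAs weigh these signals differently, as Mark notes, so the verdict labels are this example's own.

```python
"""
Added example (not from the list thread): what a receiving MTA's
forward-confirmed reverse DNS (FCrDNS) and HELO checks see for a mail
server that sits behind a NAT router.  All DNS data below is a
constructed, in-memory zone; nothing is looked up on the network.
"""
import ipaddress

# Constructed DNS data.  The public side mirrors the thread: gw.aac.edu is
# the NAT router's public name and IP; server.aac.edu has no public
# records at all (it only exists on the internal LAN).
FORWARD = {            # name -> list of A records
    "gw.aac.edu": ["195.113.149.145"],
}
REVERSE = {            # IP -> list of PTR names
    "195.113.149.145": ["gw.aac.edu"],
}


def lookup_a(name):
    return FORWARD.get(name.lower().rstrip("."), [])


def lookup_ptr(ip):
    return REVERSE.get(ip, [])


def fcrdns(ip):
    """Forward-confirmed reverse DNS: PTR(ip) -> name, and A(name) must
    contain ip again.  Returns the confirmed name or None."""
    for name in lookup_ptr(ip):
        if ip in lookup_a(name):
            return name
    return None


def helo_check(ip, helo):
    """Return (verdict, reason) for one inbound SMTP session.

    verdict is one of:
      'accept'  - HELO resolves to the connecting IP and PTR confirms it
      'suspect' - reverse DNS is fine but HELO names a host that does not
                  resolve to this IP (the situation in the thread)
      'reject'  - no usable reverse DNS for the connecting IP at all
    The labels are this example's own; real MTAs differ in what they do.
    """
    ipaddress.ip_address(ip)                      # raises on garbage input
    confirmed = fcrdns(ip)
    if confirmed is None:
        return ("reject", f"no forward-confirmed PTR for {ip}")
    helo_ips = lookup_a(helo)
    if ip in helo_ips:
        return ("accept", f"HELO {helo} -> {ip}, PTR -> {confirmed}")
    if not helo_ips:
        return ("suspect", f"HELO {helo} does not resolve; PTR says {confirmed}")
    return ("suspect", f"HELO {helo} resolves to {helo_ips}, not {ip}")


def main():
    ip = "195.113.149.145"                       # the router's public IP
    for helo in ("server.aac.edu", "gw.aac.edu"):
        print(helo, *helo_check(ip, helo))
    # 198.51.100.7: documentation address with no PTR in our table
    print("198.51.100.7", *helo_check("198.51.100.7", "gw.aac.edu"))


if __name__ == "__main__":
    main()
```

Run it directly to print the three verdicts. The "suspect" result for server.aac.edu is the case in the thread; it becomes "accept" as soon as the HELO name is one that resolves back to the router's public address, which is what both of Sam's options arrange (Exchange masquerading as the public name, or a relay whose own hostname is the public name).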
Re: [leaf-user] Floppy 2 HD
At 17:47 12/11/01, Patrick Benson wrote:
> Please keep in mind that your Linux knowledge will certainly increase dramatically after reading this!. :-)
> http://leaf.sourceforge.net/devel/cstein/Documentation/LRPHardDiskHOWTO.txt
> Keep an eye on the WARNING message about installing it on a hard disk..

My question isn't directly related, but is in the same arena. I've got a laptop that I use primarily for windows development/games/surfing etc but I would like to have a relatively small linux distro on it for those occasions when only Linux will do (network sniffing/configuration/testing etc). But I'm humming and hahing about whether to go with leaf + all the other stuff I find I need or whether to just bite the bullet and install a mainstream distro with pretty much everything turned off. I guess my prime consideration is that I don't want to waste any more disk space than necessary (as if windows isn't wasting enough of it ;o)

Any thoughts?

---
Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.295 / Virus Database: 159 - Release Date: 01/11/01
Re: [Leaf-user] Moving off of SourceForge...
If in fact the section of the url stating the new SourceForge copyright assignment is reality, then it would appear that SourceForge (VA Linux) has drifted away from their initial position in respect to free software. Once copyright is assigned to them, they can do with it whatever they want... which could be quite contrary to the goals and intent of the original/actual author.

Another case in point is what happened to the ex-Walnut Creek, really hardcore pushers of FreeBSD and Slackware among other things. They sold out and were bought by another company that changed the direction, and Slackware had to find another home, SourceForge... so now is Slackware going to have to move again, or sign away copyright... how can you sign away copyright on material based on free software that isn't yours to sign a copyright away on??

A lot of questions buried in there. I guess the first stage really boils down to what the actual fact is regarding the FSF Europe URL. If it is in fact solid truth, it wouldn't appear to offer much choice, either sign over your rights, or move on.

David Douthitt wrote:
> FSF Europe is advising authors to move away from SourceForge. What do you think?
> http://www.fsfeurope.org/news/article2001-10-20-01.en.html
[Leaf-user] Distributions...
Patrick Benson wrote:
> Why not try:
> Trinux - http://trinux.sourceforge.net/
> All the tools you'll ever need you can find on a 3-disk setup...

Not LEAF-based - no login security. Specialized tool for network security.

> muLinux - http://mulinux.nevalabs.org/

Requires 1.72M disks... breaks most floppies.

> tomsrtbt - http://www.toms.net/rb/home.html

Not designed for network testing - specialized tool for system rescue.

Why not use:

Oxygen - http://leaf.sourceforge.net/pub/oxygen

Oxygen offers:
* Full flexibility
* Expanded tools - choose from network diagnostics, system rescue, development, etc.
* Can be used to boot from CDROM
* Can load packages from network, multiple floppies, or other locations - with or without pauses (and user-configured prompts)
* Has possibility of loading using TFTP, GOPHER, FTP, HTTP...
* Kernel has OpenWall patches added...

Development version adds:
* Much higher boot-time configurability:
  - Load configuration file from any disk
  - Specify any filename for configuration file
  - Tool used to decompress files can be configured (bzip2, zip, gzip...)
  - Create any set of volumes, with any size
* Easy upgradability to glibc 2.2: just replace glibc 2.1 (libc.lrp) package (and make rom.)

The development version is approaching a pre-release; I'd recommend people try it if you are able.
Re: [Leaf-user] [Leaf-user]Dachstein Firewall status
Mart Kempen wrote:
> :: Firewall Status ::
> Tue Nov 13 20:26:18 UTC 2001
> firewall Firewall Status: error
> You have 609 denied or rejected packets in your recent packet logs. See the messages log files for details
>
> I have it running only for 10 minutes or so, and the number keeps growing, is there something wrong with my settings, and will it make my logfiles really big? Don't want to reset it every time... Any suggestion if this could cause any troubles?
>
> Regards, Joris

You can change the settings in /etc/weblet by going to 3) Packages - weblet - 2) LRP web page configuration. Look for:

    # Warning/Error thresholds for the weblet utility
    # Disable checking of any value by setting it to -1
    # Firewall thresholds: deny/reject messages
    WRN_FW=5
    ERR_FW=50

The yellow sign comes up with 5 - 49 and the red sign 50 -. If you receive a lot of denied packets just increase the ERR_FW= with whatever you want. No harm in doing that, very customizable. Check what sort of packets are getting denied, probably non-SYN packets destined to your IP address at port 53...

--
Patrick Benson
Stockholm, Sweden
[Leaf-user] email virus filtering
Hey all.

I do some volunteering with a local non-profit which is thinking of setting up a router/gateway/firewall for their small (5-6 machines) win95 win98 network. I immediately thought of LEAF, having got it working well at home, but the director thinks the router should also handle email virus filtering. Seems like a whole different kettle of fish to me, and complicated to boot. I'd lean toward just putting Norton AV on each client, but then you've got to buy a subscription for each one. Is there a better way of filtering email for viruses?

Thanks for any suggestions.

-Steve
Re: [Leaf-user] Exchange server behind EigerStein w/NAT can not send to some sites
I scanned that link and it looks very useful - thanks for passing it along. (And I fall at the feet of the people who make the effort to explain this stuff for the Rest of Us!)

Lee

----- Original Message -----
From: Barbara Miller [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, November 13, 2001 11:06 AM
Subject: RE: [Leaf-user] Exchange server behind EigerStein w/NAT can not send to some sites

> Hello,
>
> Thanks, Mark and Sam and Lee, for your replies.
>
> I've just come across this page, http://bind8nt.meiway.com/itsaDNSmess.cfm, which provides clear explanations of several reasons why a mail server sitting behind a NATing firewall without its own public IP address and proper DNS records might fail to send to some domains while successfully sending to many.
>
> I can't find a place in Exchange (5.5) where I can tweak what it says in an SMTP session. I have neither the documentation nor the training to be confident, however, that such tweaking is impossible. Does anyone out there know?
>
> Otherwise, I will try, as a quick fix, changing the Exchange server's DNS name, that is, its name under the DNS tab of the TCP/IP section of its Network control panel, to the firewall's. I can't think of anyplace else this name gets used on our network... so this shouldn't break anything...
>
> I will have a look at postfix, too.
>
> Thanks again,
> Barbara Miller
Re: [Leaf-user] Exchange server behind EigerStein w/NAT can not send to some sites
Ha ha, yeah I did mail them about it a while back. I'm expecting a reply any time now. ;-)

----- Original Message -----
From: Zack Mully [EMAIL PROTECTED]
To: Lee [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Tuesday, November 13, 2001 11:13 AM
Subject: Re: [Leaf-user] Exchange server behind EigerStein w/NAT can not send to some sites

> Lee-
>
> Good luck getting AOL to help you out... I just spent the past eight weeks tracking down a problem with email sent to AOL. It turned out our email distributor was sending too much email to AOL and wasn't on their approved high-volume list (this is all based on inference, AOL won't actually tell you that such a thing exists). AOL will also silently drop email that it doesn't like, so the problem was a total biatch to track down...
>
> Check out their postmaster website, it might shed some light on your problems with those other domains: http://postmaster.info.aol.com
>
> And yes, rDNS will need to be working if you're doing any volume to AOL.
>
> Zack
RE: [Leaf-user] [Leaf-user]Dachstein Firewall status
On Tue, 13 Nov 2001, Mart Kempen wrote:
> > Follow the instructions:
> > myrouter# more /var/log/messages
>
> Could you be a little bit more specific what you mean by this? Where can I find these instructions?

The instructions included in the web page said: "See the messages log files for details." I guess I was too brief in my hint as to how to do this. There may be more than one way to look at the message log depending on what niceties you have, but the most common way is to log into the router the same way you configured it, quit the menu system, and use the more command to look through the /var/log/messages file. Thus, you would be faced with a command prompt something like

    myrouter#

and would enter

    more /var/log/messages

and press the Enter key to use the more program to view the file.

> I checked my firewall rules, in the 'routerstatus' (web based) and found this line:
>
>     pkts bytes target prot opt tosa tosx ifname mark outsize source    destination ports
>      697 31396 DENY   all  l-  0xFF 0x00 eth0              0.0.0.0/0 0.0.0.0/0   n/a
>
> This first number is exact the number of packets that are denied. Can anyone conclude something from this line?

On its own, not much. It looks like the line at the bottom of the list that covers everything not specifically ALLOWed by the lines above it. The message log should have lines indicating a little more detail about what packets were denied and why.

---
Jeff Newmiller
DCN:[EMAIL PROTECTED]
Research Engineer (Solar/Batteries/Software/Embedded Controllers)
---
Re:[Leaf-user] Dachstein Firewall status
Mart Kempen wrote:
> > Follow the instructions:
> > myrouter# more /var/log/messages
>
> Could you be a little bit more specific what you mean by this? Where can I find these instructions?
>
> I checked my firewall rules, in the 'routerstatus' (web based) and found this line:
>
>     pkts bytes target prot opt ifname source    destination ports
>      697 31396 DENY   all  l-  eth0   0.0.0.0/0 0.0.0.0/0   n/a

Yikes. This rule says deny and log all traffic coming into eth0, your external nic.

> This first number is exact the number of packets that are denied.

Understandable.

> Can anyone conclude something from this line?

Somewhere in your router this rule is created and run during boot time (my guess). You probably need to inspect your /etc/network.conf, and the output of

    ip addr show
    netstat -rn

Good Luck,
Matthew

> Regards, Joris
[Leaf-user] Dachstein RC 2 floppy and restarting firewall, network
Over the weekend, I upgraded my existing Eigerstein to Dachstein RC 2 floppy version. I have a DMZ and 2 internal networks and the upgrade went OK. Then I found out that the 2 internal networks cannot see each other, so I added the set x to the network.conf and ipfilter.conf and restarted the firewall to see why. Both commands:

    /etc/init.d/network ipfilter reload
    /etc/init.d/network reload

caused the box to stop in the middle and I had to reboot it. Do you have any idea?

Thank you.
Re: [Leaf-user] Update to the FAQ
> I was hoping one of the project developers can update the FAQ:
> http://sourceforge.net/docman/display_doc.php?docid=1966&group_id=13751
>
> The list of branches does not include: Coyote Linux
>
> Is that an oversight or on purpose?

It looks like it's on purpose. Coyote linux is a relative of LRP, along with freesco, share-the-net (costs $), the various LEAF distributions, and many others I'm probably missing. The list at the link above is not a list of LRP branches, but a list of LEAF branches, a much smaller category.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
Re: [Leaf-user] Dachstein-CD RC4: loading modules
anyone else got any more hints they can give? I put the pci-scan driver in but it still won't load any network card modules. But it sure seems to load everything else off the CD OK.

thanks
Alec

----- Original Message -----
From: Alec Miller [EMAIL PROTECTED]
To: LEAF [EMAIL PROTECTED]
Sent: Monday, November 12, 2001 5:43 PM
Subject: Re: [Leaf-user] Dachstein-CD RC4: loading modules

> I think I missed something in the module loading process. I get everything loading in the boot process and its missing loading the modules for the network cards. I am sure its in the module file in \etc but I don't know if I am doing this correctly. I am booting from the floppy to load the CD. I have no HDD so the CD player is ' /hda '. I am sure this is pretty obvious but I am only used to doing dual floppies. All my Nics are PCI or integrated and I have been using the dual floppy version for almost a year.
>
> anyone got a clue train ticket to sell me? Why its not loading the modules?
>
> thanks
> Alec
>
>     ###
>     ! mount iso9660 /dev/hda
>     # You can directly reference modules, like this:
>     #/scsi/aic7xxx
>     #/fs/ext2
>     # Or change the default directory, like this:
>     ! dir /lib/modules/net
>     # PCI ethernet cards
>     #3c59x
>     rtl8139
>     3c509
>     ..
>     !umount
Re: [Leaf-user] email virus filtering
> From: Steve Cayford [EMAIL PROTECTED]
> Date: Tue, 13 Nov 2001 13:30:15 -0600
>
> Hey all.
>
> I do some volunteering with a local non-profit which is thinking of setting up a router/gateway/firewall for their small (5-6 machines) win95 win98 network. I immediately thought of LEAF, having got it working well at home, but the director thinks the router should also handle email virus filtering. Seems like a whole different kettle of fish to me, and complicated to boot. I'd lean toward just putting Norton AV on each client, but then you've got to buy a subscription for each one. Is there a better way of filtering email for viruses?
>
> Thanks for any suggestions.

I would agree with you that it is a good thing (TM) to separate the firewall from the mail server. Lots of little boxes. The LEAF configuration shouldn't vary very often and a write protected floppy is perfect - extra security! A Mail Server must buffer email and therefore needs a hard disk and a Virus Scanner with regular updates again needs a hard disk.

What I have done here, is a LEAF firewall (actually two - one ADSL, one backup ISDN) and a Postfix (http://www.postfix.org/) mail server on an old Pentium 133 with a hard disk within the private network. I haven't yet done Anti-virus on the Mail Server (the company already had a company-wide subscription to a client anti-virus product) and I gather that Anti virus *can* cost quite a lot of resources (chiefly CPU cycles, but also disk - zip files etc. must be unpacked before scanning). The one the Postfix people seem to keep using is AMaViS (http://amavis.org/) and I believe there are *free* anti-virus products with regular updates still available which can be used with amavis under Linux!

YMMV

> -Steve

Greetings
Mark Plowman
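A Postfix main.cf fragment for the layout Sam (option 2, in the Exchange thread above) and Mark describe: a small Linux box on the LAN that is the only machine speaking SMTP to the Internet, handing inbound mail to Exchange and relaying outbound mail for it. This is an added example, not the thread's or any poster's configuration. The parameter names are standard Postfix ones; the host name gw.aac.edu (the name the thread says has the public address), the 192.168.1.0/24 LAN and the Exchange server's address 192.168.1.10 are assumptions.

```ini
# Added example: a Postfix relay between the Internet and an internal
# Exchange server.  Not the thread's configuration; the host name, the
# LAN range and the Exchange address are assumptions.

# The name the relay announces in HELO: the one that has public A and
# PTR records (the NAT router's public name in the thread).
myhostname = gw.aac.edu
mydomain = aac.edu
myorigin = $mydomain

# Trusted clients: this host and the internal LAN (assumed 192.168.1.0/24).
# Only these may relay outbound mail; everything else is the Internet.
mynetworks = 127.0.0.0/8, 192.168.1.0/24

# Accept mail for the domain, but hold no mailboxes for it here.
mydestination = $myhostname, localhost.$mydomain, localhost
relay_domains = $mydomain

# Hand everything for aac.edu to Exchange on the LAN (assumed 192.168.1.10).
# /etc/postfix/transport contains one line:   aac.edu   smtp:[192.168.1.10]
# (build it with: postmap /etc/postfix/transport)
transport_maps = hash:/etc/postfix/transport

# Inbound policy: the LAN may send anywhere; the Internet may only send
# to domains we relay for.  This is what keeps the box from being an
# open relay.
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination

# Outbound: strip the internal host part, so mail from user@server.aac.edu
# leaves as user@aac.edu (the address masquerading Sam describes).
masquerade_domains = $mydomain
```

One caveat a practitioner would want: with relay_domains alone, the relay accepts any recipient at aac.edu and only learns from Exchange afterwards that the mailbox does not exist, which produces bounces to forged senders; Postfix's relay_recipient_maps lets the relay reject unknown recipients at SMTP time if you can export the valid address list from Exchange.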
Re: [Leaf-user] Dachstein-CD RC4: loading modules
You put the pci-scan module before the NIC modules, right?

--On Tuesday, November 13, 2001 4:41 PM -0600 Alec Miller [EMAIL PROTECTED] wrote:
> anyone else got any more hints they can give? I put the pci-scan driver in but it still won't load any network card modules. But it sure seems to load everything else off the CD OK.
>
> thanks
> Alec
>
> ----- Original Message -----
> From: Alec Miller [EMAIL PROTECTED]
> To: LEAF [EMAIL PROTECTED]
> Sent: Monday, November 12, 2001 5:43 PM
> Subject: Re: [Leaf-user] Dachstein-CD RC4: loading modules
>
> > [...]
Re: [Leaf-user] Dachstein-CD RC4: loading modules
> anyone else got any more hints they can give? I put the pci-scan driver in but it still won't load any network card modules. But it sure seems to load everything else off the CD OK.

Try scrolling back to where the modules are getting loaded, and look for any error messages or abnormal output. Use the Shift+Page-Up key to scroll back in the screen buffer.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
Re: [Leaf-user] Dachstein-CD RC4: loading modules
Yup, this is what I currently have.. upon boot it loads all LRP packages then tries to init the network cards and then starts claiming that eth0, eth1 doesn't exist and then DHCPd fails (for obvious reasons).

    ! mount iso9660 /dev/hda

-- this is correct?? Where 'hda' is the CD drive?

I know everything works 'cause I can reboot with my current Eiger static floppies and it works fine and under the CD RC4 install I can edit and save any changes with a partial/full backup to the floppy.

    ##
    # More modules available from:
    # http://lrp.steinkuehler.net/files/kernels/
    ##
    # ! mount iso9660 /dev/hda
    ! mount iso9660 /dev/hda
    # You can directly reference modules, like this:
    #/scsi/aic7xxx
    #/fs/ext2
    # Or change the default directory, like this:
    ! dir /lib/modules/net
    # PCI ethernet cards
    #3c59x
    pci-scan
    rtl8139
    3c509
    #eepro io=0x300
    ###Some 8390 based ethernet cards
    #8390
    # card1,card2
    #ne io=0x300,0x350
    #ne2k-pci
    #e2100
    # PCI ethernet cards
    #pci-scan
    # pci-scan required by drivers below...
    #3c59x
    #eepro100
    #natsemi
    #tulip
    ! dir /lib/modules/ipv4
    ip_masq_autofw
    ip_masq_cuseeme
    #ip_masq_dplay
    ip_masq_ftp
    #ip_masq_h323
    ip_masq_icq
    ip_masq_ipsec
    ip_masq_irc
    ip_masq_mfw
    #ip_masq_mms
    ip_masq_portfw
    #ip_masq_pptp
    ip_masq_quake
    ip_masq_raudio
    ip_masq_user
    ip_masq_vdolive
    ! umount

----- Original Message -----
From: James Duberg [EMAIL PROTECTED]
To: Alec Miller [EMAIL PROTECTED]; LEAF [EMAIL PROTECTED]
Sent: Tuesday, November 13, 2001 5:00 PM
Subject: Re: [Leaf-user] Dachstein-CD RC4: loading modules

> You put the pci-scan module before the NIC modules, right?
>
> --On Tuesday, November 13, 2001 4:41 PM -0600 Alec Miller [EMAIL PROTECTED] wrote:
> > anyone else got any more hints they can give? I put the pci-scan driver in but it still won't load any network card modules. But it sure seems to load everything else off the CD OK.
> >
> > thanks
> > Alec
> >
> > ----- Original Message -----
> > From: Alec Miller [EMAIL PROTECTED]
> > To: LEAF [EMAIL PROTECTED]
> > Sent: Monday, November 12, 2001 5:43 PM
> > Subject: Re: [Leaf-user] Dachstein-CD RC4: loading modules
> >
> > > [...]
Re: [Leaf-user] Dachstein Firewall status
All this talk about the weblet message logs has me wondering. My firewall log states that since yesterday I have almost 3000 denied or rejected packets. I included a sample of the log entries below. Can someone please explain what these lines mean? Do I have a problem? Is there a way to reset the logs from the browser?

Thanks,
Kory

    Nov 13 18:53:27 markii kernel: Packet log: input DENY eth0 PROTO=6 65.11.220.95:2905 65.28.237.42:80 L=48 S=0x00 I=30599 F=0x4000 T=110 SYN (#39)
    Nov 13 18:55:25 markii kernel: Packet log: input DENY eth0 PROTO=17 65.28.237.196:427 224.0.1.22:427 L=675 S=0x00 I=5278 F=0x T=253 (#39)
    Nov 13 18:57:23 markii kernel: Packet log: input DENY eth0 PROTO=17 65.28.234.99:427 224.0.1.22:427 L=81 S=0x00 I=60946 F=0x T=31 (#39)
    Nov 13 19:07:17 markii kernel: Packet log: input DENY eth0 PROTO=17 65.28.234.99:427 224.0.1.22:427 L=81 S=0x00 I=47352 F=0x T=31 (#39)
    Nov 13 19:07:59 markii kernel: Packet log: input DENY eth0 PROTO=17 65.28.236.136:42 224.0.1.24:42 L=47 S=0x00 I=21740 F=0x T=1 (#39)
    Nov 13 19:14:04 markii kernel: Packet log: input DENY eth0 PROTO=6 65.14.161.151:4929 65.28.237.42:80 L=48 S=0x00 I=34082 F=0x4000 T=112 SYN (#39)
    Nov 13 19:17:11 markii kernel: Packet log: input DENY eth0 PROTO=17 65.28.234.99:427 224.0.1.22:427 L=81 S=0x00 I=33817 F=0x T=31 (#39)
    Nov 13 19:27:06 markii kernel: Packet log: input DENY eth0 PROTO=17 65.28.234.99:427 224.0.1.22:427 L=81 S=0x00 I=20302 F=0x T=31 (#39)
    Nov 13 19:37:00 markii kernel: Packet log: input DENY eth0 PROTO=17 65.28.234.99:427 224.0.1.22:427 L=81 S=0x00 I=6786 F=0x T=31 (#39)

Matt Schalit wrote:
> Mart Kempen wrote:
> > Follow the instructions:
> > myrouter# more /var/log/messages
> SNIP
Re: [Leaf-user] Dachstein Firewall status
On Tue, 13 Nov 2001, Kory Krofft wrote:
> All this talk about the weblet message logs has me wondering. My firewall log states that since yesterday I have almost 3000 denied or rejected packets. I included a sample of the log entries below. Can someone please explain what these lines mean? Do I have a problem? Is there a way to reset the logs from the browser?
>
> Thanks,
> Kory
>
> Nov 13 18:53:27 markii kernel: Packet log: input DENY eth0 PROTO=6 65.11.220.95:2905 65.28.237.42:80 L=48 S=0x00 I=30599 F=0x4000 T=110 SYN (#39)

cc1932507-c.jrsycty1.nj.home.com poked at woh-65-28-237-42.woh.rr.com hoping to get an http response (web page). Could be NIMDA or similar. The name can be obtained from www.samspade.org (I used dig -x on my Linux workstation).

The source port numbers are not usually relevant. The destination port numbers are usually relevant, and you can find basic names in /etc/services, or you can search the web with google.com.

The fact that it is "input DENY eth0" means it was stopped on its way into eth0. PROTO=6 is tcp, PROTO=17 is udp, other protocol numbers can be found in RFC1340 (http://RFC.net/rfc1340.html).

You can find more useful information at http://leaf.sourceforge.net/devel/thc/#Security.

> Nov 13 18:55:25 markii kernel: Packet log: input DENY eth0 PROTO=17 65.28.237.196:427 224.0.1.22:427 L=675 S=0x00 I=5278 F=0x T=253 (#39)

woh-65-28-237-196.woh.rr.com sent out a multicast udp packet to 224.0.1.22 port 427. This is apparently the behavior of netware 5.0 clients now (see http://www.sans.org/infosecFAQ/novell/exposure.htm). I would suggest adding a rule to your firewall ruleset that denies these packets without logging.

[... more of the same...]

> Nov 13 19:07:59 markii kernel: Packet log: input DENY eth0 PROTO=17 65.28.236.136:42 224.0.1.24:42 L=47 S=0x00 I=21740 F=0x T=1 (#39)

woh-65-28-236-136.woh.rr.com is offering WINS replication services to the world... (http://ntsec.inet-one.com/dir.1998-08/msg00070.html)

> Nov 13 19:14:04 markii kernel: Packet log: input DENY eth0 PROTO=6 65.14.161.151:4929 65.28.237.42:80 L=48 S=0x00 I=34082 F=0x4000 T=112 SYN (#39)

cp54227-a.mtgmry1.md.home.com poking around for a webserver... NIMDA?

[...]

> Matt Schalit wrote:
> > Mart Kempen wrote:
> > > Follow the instructions:
> > > myrouter# more /var/log/messages
> > SNIP

---
Jeff Newmiller
DCN:[EMAIL PROTECTED]
Research Engineer (Solar/Batteries/Software/Embedded Controllers)
---
Re: [leaf-user] Floppy 2 HD
On Tue, 13 Nov 2001, Patrick Benson wrote:
> Patrick Lambe wrote:
> > My question isn't directly related, but is in the same arena. I've got a laptop that I use primarily for windows development/games/surfing etc but I would like to have a relatively small linux distro on it for those occasions when only Linux will do (network sniffing/configuration/testing etc). But I'm humming and hahing about whether to go with leaf + all the other stuff I find I need or whether to just bite the bullet and install a mainstream distro with pretty much everything turned off. I guess my prime consideration is that I don't want to waste any more disk space than necessary (as if windows isn't wasting enough of it ;o)
> >
> > Any thoughts?
>
> Why not try:
> Trinux - http://trinux.sourceforge.net/
> All the tools you'll ever need you can find on a 3-disk setup...
> muLinux - http://mulinux.nevalabs.org/
> tomsrtbt - http://www.toms.net/rb/home.html
> with a few more...
> http://www.hardcorelinux.com/floppy-distros.htm

Another possibility which works nicely for me is cygwin. It even does X, though I'm having trouble getting XFce to work :-) Here's a good starting point for network tools under Cygwin: http://www.caida.org/tools/measurement/netramet/changes.xml

--
Jack Coates
Monkeynoodle: A Scientific Venture...
Re: [Leaf-user] Dachstein Firewall status
Kory Krofft wrote:
All this talk about the weblet message logs has me wondering. My firewall log states that since yesterday I have almost 3000 denied or rejected packets. I included a sample of the log entries below. Can someone please explain what these lines mean? Do I have a problem? Is there a way to reset the logs from the browser? Thanks, Kory

Nov 13 18:53:27 markii kernel: Packet log: input DENY eth0 PROTO=6 65.11.220.95:2905 65.28.237.42:80 L=48 S=0x00 I=30599 F=0x4000 T=110 SYN (#39)

This one was one of those code red scans, destined for your web port (80).

Nov 13 18:55:25 markii kernel: Packet log: input DENY eth0 PROTO=17 65.28.237.196:427 224.0.1.22:427 L=675 S=0x00 I=5278 F=0x T=253 (#39)
Nov 13 18:57:23 markii kernel: Packet log: input DENY eth0 PROTO=17 65.28.234.99:427 224.0.1.22:427 L=81 S=0x00 I=60946 F=0x T=31 (#39)
Nov 13 19:07:17 markii kernel: Packet log: input DENY eth0 PROTO=17 65.28.234.99:427 224.0.1.22:427 L=81 S=0x00 I=47352 F=0x T=31 (#39)
Nov 13 19:07:59 markii kernel: Packet log: input DENY eth0 PROTO=17 65.28.236.136:42 224.0.1.24:42 L=47 S=0x00 I=21740 F=0x T=1 (#39)

These four were UDP packets that were sent to a multicast ip address (224.any.thi.ng). As 99% of us do no multicast client or server activity, you can safely ignore those. If you don't want to see them (and if there's too many of them) then you can change rule #39 so that the '-l' log command is not there. Then the packets will be denied, but not logged.

Nov 13 19:14:04 markii kernel: Packet log: input DENY eth0 PROTO=6 65.14.161.151:4929 65.28.237.42:80 L=48 S=0x00 I=34082 F=0x4000 T=112 SYN (#39)

Another code red to port 80 (or could be a valid request to port 80, but my guess is you have no public web server, and it's code red).

Nov 13 19:17:11 markii kernel: Packet log: input DENY eth0 PROTO=17 65.28.234.99:427 224.0.1.22:427 L=81 S=0x00 I=33817 F=0x T=31 (#39)
Nov 13 19:27:06 markii kernel: Packet log: input DENY eth0 PROTO=17 65.28.234.99:427 224.0.1.22:427 L=81 S=0x00 I=20302 F=0x T=31 (#39)
Nov 13 19:37:00 markii kernel: Packet log: input DENY eth0 PROTO=17 65.28.234.99:427 224.0.1.22:427 L=81 S=0x00 I=6786 F=0x T=31 (#39)

More of the same multicast traffic destined for a 224.x.y.z address. Also, on the sourceforge website, there's an ipchains log file howto decode faq.

Good Luck,
Matthew
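Matthew's decoding of those lines can be turned into a small triage script for anyone with a few thousand of them. The Python below is an added example, not code from this thread or from the LEAF/Dachstein project: it parses ipchains "Packet log:" lines with a regular expression, applies the two rules given above (UDP to a 224.x.y.z multicast destination is background noise; a TCP SYN to port 80 is a web-server probe of the Code Red kind) and counts entries per class and per probing source, so a steady stream from one host is easy to tell apart from scattered worm traffic. The sample lines are four of the ones Kory quoted; the field names, the function names and the category labels ("multicast-noise", "web-probe", "other") are my own, not ipchains terms.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Optional

# Sample input: four of the ipchains log lines quoted in the message above.
SAMPLE_LOG = """\
Nov 13 18:53:27 markii kernel: Packet log: input DENY eth0 PROTO=6 65.11.220.95:2905 65.28.237.42:80 L=48 S=0x00 I=30599 F=0x4000 T=110 SYN (#39)
Nov 13 18:55:25 markii kernel: Packet log: input DENY eth0 PROTO=17 65.28.237.196:427 224.0.1.22:427 L=675 S=0x00 I=5278 F=0x T=253 (#39)
Nov 13 19:07:59 markii kernel: Packet log: input DENY eth0 PROTO=17 65.28.236.136:42 224.0.1.24:42 L=47 S=0x00 I=21740 F=0x T=1 (#39)
Nov 13 19:14:04 markii kernel: Packet log: input DENY eth0 PROTO=6 65.14.161.151:4929 65.28.237.42:80 L=48 S=0x00 I=34082 F=0x4000 T=112 SYN (#39)
"""

# ipchains "Packet log:" layout: chain, target, interface, PROTO=<ip proto>,
# src:sport, dst:dport, L=length, S=TOS, I=IP id, F=fragment/flags word,
# T=TTL, an optional "SYN" marker, and the rule number in "(#NN)".
# "F=0x" with no digits, as in Kory's lines, is tolerated.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9a-fA-F]*) T=(?P<ttl>\d+)"
    r"(?P<syn> SYN)? \(#(?P<rule>\d+)\)"
)


@dataclass
class PacketLogEntry:          # field names are my own choice
    chain: str
    target: str
    iface: str
    proto: int
    src: str
    sport: int
    dst: str
    dport: int
    length: int
    ttl: int
    syn: bool
    rule: int


def parse_line(line: str) -> Optional[PacketLogEntry]:
    """Return a PacketLogEntry for an ipchains log line, or None for anything else."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return PacketLogEntry(
        chain=m["chain"], target=m["target"], iface=m["iface"],
        proto=int(m["proto"]),
        src=m["src"], sport=int(m["sport"]),
        dst=m["dst"], dport=int(m["dport"]),
        length=int(m["length"]), ttl=int(m["ttl"]),
        syn=m["syn"] is not None, rule=int(m["rule"]),
    )


def classify(entry: PacketLogEntry) -> str:
    """Label an entry using the two explanations given in the thread.

    Category names are my own; they are not ipchains terms.
    """
    if ipaddress.ip_address(entry.dst).is_multicast:          # 224.0.0.0/4
        return "multicast-noise"
    if entry.proto == 6 and entry.syn and entry.dport == 80:  # TCP SYN to a web port
        return "web-probe"
    return "other"


def summarize(log_text: str) -> Dict[str, int]:
    """Count parsed entries per category; lines that are not packet logs are skipped."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            counts[classify(entry)] += 1
    return dict(counts)


def probe_sources(log_text: str) -> Dict[str, int]:
    """Source addresses behind the web probes, with a hit count each."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None and classify(entry) == "web-probe":
            counts[entry.src] += 1
    return dict(counts)


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print(probe_sources(SAMPLE_LOG))
```

Feed it the whole /var/log/messages file instead of SAMPLE_LOG and the "multicast-noise" count tells you how much of the 3000 is the local-network chatter Matthew describes, while probe_sources shows whether the port-80 hits come from many addresses (worm background) or one persistent host.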
Re: [Leaf-user] Moving off of SourceForge...
On Tue, 13 Nov 2001, Jeff Newmiller wrote:
but b) a distributed LEAF web system should be maintained. Charles Steinkuehler's site is about the only well-known alternate at this time. I am working toward a setup that might allow mirroring, but it will be on a flaky connection.

Flaky connections are what most of us have to offer; all the same, seems to me that rsync and round-robin DNS could get us places without putting heavy load on any one or two home users...

--
Jack Coates
Monkeynoodle: A Scientific Venture...
[Leaf-user] OT: Just Plain 'ole OT
pn] Hey Charles, what's the chance of me getting a miniature of your battle 'bot in a happy meal? :)

---
Peter Nosko
[Leaf-user] Dachstein with PPPoE
Charles:

A while ago you posted something about Dachstein with PPPoE and you were looking for volunteers to try it. Where can I download a copy of it? Also it needs to be a floppy version since I do not have a cd burner.

Robert Chambers
[Leaf-user] Announcing Dachstein CD RC5
The latest, greatest, (and hopefully final) release candidate of Dachstein-CD is now available (rc5). The persistent problem with snmpBlock is finally fixed in ipfilter.conf, but the big news is migration from my dnscache package to Jacques Nilo's, along with switching to the latest version of Jacques' openssh packages.

If you run dnscache, and have customized its configuration, you should probably delete the dnscache package from your config floppy, and re-configure Jacques' package from scratch. Otherwise, simply pop in the new CD and reboot to get the latest. If you boot off a floppy disk, there's no need to re-create your boot disk, as neither root.lrp nor the kernel has changed.

If you are upgrading from a previous version, please note the INTERN_SERVERn and INTERN_AUTOFWn indexed lists...these have always been supported, but I put stubs for them in the network.conf file, pending the ability to actually write current documentation for these settings...you probably won't need them, just remember they're there, and you won't have them in your network.conf if you migrate from an old configuration.

--
Changes from Dachstein-CD rc4 to Dachstein-CD rc5:
--
Fixed snmpBlock procedure in /etc/ipfilter.conf
Added stubs in network.conf for INTERN_SERVERn and INTERN_AUTOFWn variables
Added leaf and tinydns users to /etc/passwd /etc/shadow
Rebuilt log.tgz (part of ramlog.lrp) using busybox tar in hopes of eliminating broken pipe messages appearing on some systems.
Switched to Jacques Nilo's dnscache
Switched init script to ash so USR variable can be set
Added /var/lib/lrpkg/dnscache.local
Added Jacques Nilo's tinydns and djbutils packages
Switched to Jacques Nilo's openssh 3.0p1 packages
Modified /etc/init.d/sshd to start sshd as daemon by default
Migrated /etc/ssh/ssh_config to ssh.lrp from sshd.lrp
Added /var/lib/lrpkg/sshd.local
Added /var/lib/lrpkg/ssh.local

--
Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)