Re: [Leaf-user] Outbound VPN
Alec Miller wrote:
> I have had no luck with the Nortel Access Client working thru the Eiger images. I just had to convince my firewall expert to make an IPSec connection to the actual LRP box from the corporate firewall, but it helps if you work in the IT dept. I do have a friend that got his Nortel Access Client working thru the Oxygen? (not exactly 100% sure) image.
>
> ----- Original Message -----
> From: Don [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Wednesday, November 14, 2001 3:23 PM
> Subject: [Leaf-user] Outbound VPN
>
> > Hello, I've recently installed Dachstein RC2. Is this version able to masq an ipsec type of VPN connection? Are there any special IPChains rules that I need to enable? I've confirmed that I can connect without the firewall, but cannot from the inside. When I try to connect I can see port 500 being blocked in the log through the weblet interface, then the firewall status goes to warning. The VPN software is Nortel's Extranet Access Client.

You need to open port 50 500; the relevant code in my firewall is:

at the top of the input chains
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p udp -s $VPNHOST1 500 -d $EXTIP
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p 50 -s $VPNHOST1 -d $EXTIP

at the top of the output chains
/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p udp -s $EXTIP 500 -d $VPNHOST1
/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p 50 -s $EXTIP -d $VPNHOST1

where:
EXTIF is eth0 or the one on the internet
EXTIP is the external ip assigned by your ISP
VPNHOST1 is the ip address of the remote Nortel host

Also must have the VPN masq patch in the kernel

Works fine for me under 3.0.?

Best
Cokey
--
F. 'Cokey' de Percin, DBA          Email:
CSC (formerly Mynd)                Work - [EMAIL PROTECTED]
Columbia, South Carolina           Home - [EMAIL PROTECTED]
___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
Fw: [Leaf-user] sending router log files to another machine
Oooops! Should have RTFM! That's short for Read The FRIENDLY Manual

Thanks a bunch Mark!

Cliff

----- Original Message -----
From: Mark Plowman [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Thursday, November 15, 2001 8:51 AM
Subject: Re: [Leaf-user] sending router log files to another machine

> Cliff,
>
> > From: Cliff Rosenberg [EMAIL PROTECTED]
> > Date: Wed, 14 Nov 2001 23:25:30 -0500
> >
> > Hello, all - I'm a router newbie, even though I have a RedHat system up and running for about a year. I would like any info on offloading my Dachstein logs to another machine on my local net for storage. Any scripts available for sending the logs to another box? Thanks a lot for any info here...
>
> Quick answer: man syslog.conf
>
> Slightly longer answer: Quote from man syslog.conf:
>
>     Remote Machine
>     This syslogd(8) provides full remote logging, i.e. is able to send messages to a remote host running syslogd(8) and to receive messages from remote hosts. The remote host won't forward the message again, it will just log them locally. To forward messages to another host, prepend the hostname with the at sign (``@''). Using this feature you're able to control all syslog messages on one host, if all other machines will log remotely to that. This tears down administration needs.
>
> Works like a dream! *Add* it to your syslog.conf. You can then browse the log files on the RAM disk from the Weblet browser but they are safely stored away on the harddisk of your server for future reference!
>
> > C. Rosenberg [EMAIL PROTECTED]
>
> Greetings
> Mark Plowman
Re: [Leaf-user] RC5 -- SSHD
> I need some help on this small little issue.. I'm running RC5 of Charles' greatest work of the day, but before I make a backup of my SSHD daemon 3.x from J. Nilo, I have about 86% disk space on my Boot flop, (My x486 is not CD-Bootable)... Once I try to save the package, it tells me there is not enough space. Currently on my boot flop I only have weblet.lrp root.lrp modules.lrp dnscache.lrp pppoe.lrp and etc.lrp
>
> Can someone explain to me why SSHD is so large, it's looking for about 300k where I only have 231k left over.. Charles maybe u can answer this one...
>
> I was looking in the LRP packages on the CD, to see if I can find the .conf files for some of the packages that I know won't change too often at my site, eg DNSCACHE, WEBLET, so that I can modify the settings there, and won't have to save them to flop, so that I can have some space over for other packages, that might need regular changes..

I think you're missing one of the major points of using the CD...you don't have to backup the full package to your floppy. Please note, however, that until you do a partial backup to your config floppy, the default backup type for all packages is full. You should go to the lrcfg backup menu, and type "t e" followed by "p", to set the backup type for everything to partial. Then do "d e" and select your floppy as the destination for all backups. Finally, backup any packages you've configured...you should find you have plenty of disk space.

Sorry this is not explained better in the documentation...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
[Leaf-user] OT - Disable @home proxy permanently
Hey all,

Just as a follow up - here is the command to disable the automatic proxy setting configuration that continually turns the proxy on after it has been disabled. You'll know if this is the case if you shut down all IE windows after disabling it and when you open IE again your proxy server is once again set to http://proxy:8080

I can't guarantee that this will work - so try it at your own risk (personally I'd recommend backing up your registry first - and checking to make sure ahiehelp.dll and regsvr32.exe exist before attempting any of this).

Here are the steps to unregister this dll:

Go into Start > Run and type: command

At the command prompt type this:

regsvr32 -u ahiehelp.dll

-or if you get an error message type this-

regsvr32 /u ahiehelp.dll

That should work for IE - with Netscape if you try this and have no success (i.e. the proxy setting keeps returning) you'll have to uninstall Netscape Communicator (delete all folders etc), then reinstall Netscape from a non-@home version (i.e. obtained from Netscape's site)

S.

Hope it helps

> From: Simon Bolduc [EMAIL PROTECTED]
> To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
> Subject: RE: [Leaf-user] [leaf-user]Win2000 LRP
> Date: Wed, 14 Nov 2001 17:22:58 -0500
>
> Your steps normally would work - except that @home uses a DLL to make the proxy settings pseudo permanent (sure you can turn 'em off - and they'll stay that way until you restart IE). I mentioned before that there is a way to undo this - I just can't seem to remember how - it has something to do with regsvr32 -u somethin.dll unfortunately I can't remember the dll name. Call @home tech support and tell them you want to remove this proxy setting permanently - and they should be able to tell you the exact command used to unregister the dll.
>
> S.
>
> > From: Todd Pearsall [EMAIL PROTECTED]
> > To: Mart Kempen [EMAIL PROTECTED], [EMAIL PROTECTED]
> > Subject: RE: [Leaf-user] [leaf-user]Win2000 LRP
> > Date: Wed, 14 Nov 2001 15:03:02 -0500
> >
> > > Well, I just use the settings that were set by @home. @home doesn't use a proxy server, only an address called http://proxy:8080 for an automated configuration script. But if I turn those options off I still can browse the internet. And when IE gets started again, this option is 'checked' again automatically...
> >
> > That address is the @home proxy server, but since you're connected through the firewall now, it can't resolve the proxy:8080 address. In IE 5.5, go to Tools - Connections - Setup and walk through the wizard settings:
> > - I want to setup connection manually or through a LAN
> > - Connect through LAN
> > - No auto discovery, No auto config, No proxy
> > - No Mail account now
> > This should change your connection to not use a proxy. Try again.
> >
> > > Can it be that my Windows2000 account is logging in my domain of work. Doesn't it need to log on the domain of the LRP box? Or doesn't this have a domain? And do I need to change the domain I log in to every time I switch to another network? Or am I talking complete bollocks here?
> >
> > This is all TCP/IP stuff which is lower level than Windows domains, so your Windows login shouldn't matter. When you log in to your laptop using your office domain, it really just checks the cached version of your logon information since your domain server isn't accessible.
[Leaf-user] QoS on eth0 - not possible if using DHCP !?
hi

i noticed that FAIRQ/QoS rules only apply to those interfaces which are listed in $IF_AUTO. Since my external interface (eth0) is dynamic (DHCP), QoS rules are not applied. is there a workaround for this?

general QoS question: does anyone have a working example? Jack's howto is very nice and useful but there are still a lot of open questions. can anyone post a working example and explain what it does? i mean, how the posted parameters affect things and what experiences you have made with QoS. (the QoS part of network.conf would be nice)

thank you

---
Sandro Minola | LEAF Developer (http://leaf.sourceforge.net)
mailto:[EMAIL PROTECTED] | mailto:[EMAIL PROTECTED]
http://www.minola.ch | http://leaf.sourceforge.net/devel/sminola
-
worldcontrol:~ # rm -rf /bin/laden
Re: [Leaf-user] [leaf-user]Win2000 LRP
Or, create a proxy server by the same name on your home LAN :-)
(Makes life real easy to go back and forth between the office and home).

dbc.

On Wed, 14 Nov 2001, Charles Steinkuehler wrote:

> > Look at ipconfig, the following
> > IP Address . . . . . . . . . . : 192.168.1.2
> > Subnet Mask  . . . . . . . . . : 255.255.255.0
> > Default Gateway  . . . . . . . : 192.168.1.254
> > So the computer gets its IP from the DHCP server and I can ping. This is all good. What am I doing wrong? IExplorer has the same settings as on my Win98 box.
> > Find IExplorer settings automatically: checked
> > Use auto config script: checked @ address http://proxy:8080
> > What is my problem?
>
> It sounds like you've got a connection to the internet. Are you sure your internet explorer is configured correctly? The above looks like you may be trying to go through a proxy, which may exist at your office, but is certainly not on your home network. Make sure IE is set for 'direct connection', and NO proxy.
>
> Charles Steinkuehler
> http://lrp.steinkuehler.net
> http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

--
David B. Cook, [EMAIL PROTECTED]
Linux -- up 16 days because it can.
12:53pm up 16 days, 15:45, 1 user, load average: 0.00, 0.00, 0.00
Re: [Leaf-user] help in adding linux-Wlan Support
Hello Marc
Hello leaf-users ( I am also online again ;) )

> Leaf-users. Has anyone tried to include support for linux-wlan in lrp/leaf floppies?

I haven't done this :(

> I own a Zoomair 4000 wireless pcmcia card which is only supported by the drivers in http://www.linux-wlan.com This means that the floppy needs PCMCIA support also. I have experience compiling kernels, drivers, and this kind of things, but I'm not used to putting it all together in a floppy. I'm very interested in creating this Leaf with Wlan support, but some help is needed. Has anybody written some guide to do that? Or some step-by-step, documentation,...?

As you have experience in compiling kernels, you could make your own kernel. Remember to apply the patches for the kernel. You could include the pcmcia support directly or as a module.

did you read the developer guide at: http://leaf.sourceforge.net/pub/doc/guide/developer.rtf

IMHO the easiest way to compose a floppy is the use of an existing floppy. You will have to replace the kernel with the self-created one. Eventually you must change some settings to run the support for the card.

sorry to give you such a vague answer, feel free to ask if you want some more help :=)

> Any help will be received happily.

Eric Wolzak
http://leaf.sourceforge.net/devel/ericw
[Leaf-user] Re: Outbound VPN
Don:

Heya. Easiest thing to do is grab the echowalll.lrp package and setup your IPSEC_HOST as per the instructions in the README.

To answer your questions...yes, Dachstein (and the others) can masq and forward an IPSec connection much like any other sorta connection *provided* that you have a VPN kernel running (eg, Dachstein-normal or Eiger-VPNMasq from Charles' site) along with the ip_masq_ipsec.o kernel module loaded. If these are enabled, your firewall needs to allow *protocol* 50 (not *port* 50) thru, as well as UDP port-500. Finally, to forward the packets on to an internal machine, you need to use the ipfwd utility which can handle IP protocol 50, rather than the more common ipmasqadm which only handles IP protocols 6 and 17 (TCP and UDP, respectively).

If you have all 5 of those in place, you can run a VPN client behind your LEAF firewall/router. It's easier than it sounds, honest. Am doing it here right now, in fact. :)

Good luck!
-Scott

> Alec Miller wrote:
> > I have had no luck with the Nortel Access Client working thru the Eiger images. I just had to convince my firewall expert to make an IPSec connection to the actual LRP box from the corporate firewall, but it helps if you work in the IT dept. I do have a friend that got his Nortel Access Client working thru the Oxygen? (not exactly 100% sure) image.
> >
> > ----- Original Message -----
> > From: Don [EMAIL PROTECTED]
> > To: [EMAIL PROTECTED]
> > Sent: Wednesday, November 14, 2001 3:23 PM
> > Subject: [Leaf-user] Outbound VPN
> >
> > > Hello, I've recently installed Dachstein RC2. Is this version able to masq an ipsec type of VPN connection? Are there any special IPChains rules that I need to enable? I've confirmed that I can connect without the firewall, but cannot from the inside. When I try to connect I can see port 500 being blocked in the log through the weblet interface, then the firewall status goes to warning. The VPN software is Nortel's Extranet Access Client.
>
> You need to open port 50 500; the relevant code in my firewall is:
>
> at the top of the input chains
> /sbin/ipchains -A input -j ACCEPT -i $EXTIF -p udp -s $VPNHOST1 500 -d $EXTIP
> /sbin/ipchains -A input -j ACCEPT -i $EXTIF -p 50 -s $VPNHOST1 -d $EXTIP
>
> at the top of the output chains
> /sbin/ipchains -A output -j ACCEPT -i $EXTIF -p udp -s $EXTIP 500 -d $VPNHOST1
> /sbin/ipchains -A output -j ACCEPT -i $EXTIF -p 50 -s $EXTIP -d $VPNHOST1
>
> where:
> EXTIF is eth0 or the one on the internet
> EXTIP is the external ip assigned by your ISP
> VPNHOST1 is the ip address of the remote Nortel host
>
> Also must have the VPN masq patch in the kernel
>
> Works fine for me under 3.0.?
>
> Best
> Cokey
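The two points made in this thread, Cokey's four ACCEPT rules and Scott's reminder that ESP is IP *protocol* 50 rather than port 50, in working form as an added example. This is my code, not code from the thread or from the LEAF project. It parses ipchains "Packet log:" lines of the kind Don saw in weblet, counts denied IKE (UDP/500) and ESP (protocol 50) packets per remote peer on the external interface, and emits the thread's rules with EXTIF, EXTIP and VPNHOST1 filled in from what the log shows. Assumptions: the 2.2-kernel ipchains log layout (chain, verdict, interface, PROTO=, src:sport, dst:dport), that ipchains logs 65535 as the port of port-less protocols such as ESP, and that the interface name eth0, the addresses and the log lines are all constructed for the example.

```python
import re
from collections import defaultdict

# Added example, not code from the LEAF project or from anyone in the thread.
# Assumed ipchains "Packet log:" layout of 2.2 kernels:
#   Packet log: <chain> <verdict> <iface> PROTO=<num> <src>:<sport> <dst>:<dport> L=<len> ... (#<rule>)
# <sport>/<dport> are TCP/UDP ports, ICMP type/code, and (assumption, from the
# ipchains HOWTO as remembered) 65535 for protocols without ports, such as ESP.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)"
)

PROTO_UDP = 17
PROTO_ESP = 50   # IP protocol 50 (ESP), not TCP/UDP port 50
IKE_PORT = 500   # ISAKMP/IKE runs over UDP port 500

# Constructed sample log lines (not captured from any real system).
SAMPLE_LOG = """\
Nov 14 15:20:01 fw kernel: Packet log: output DENY eth0 PROTO=17 198.51.100.7:500 203.0.113.10:500 L=312 S=0x00 I=21345 F=0x0000 T=127 (#19)
Nov 14 15:20:04 fw kernel: Packet log: output DENY eth0 PROTO=17 198.51.100.7:500 203.0.113.10:500 L=312 S=0x00 I=21346 F=0x0000 T=127 (#19)
Nov 14 15:20:06 fw kernel: Packet log: input DENY eth0 PROTO=17 203.0.113.10:500 198.51.100.7:500 L=280 S=0x00 I=5120 F=0x0000 T=54 (#7)
Nov 14 15:20:09 fw kernel: Packet log: output DENY eth0 PROTO=50 198.51.100.7:65535 203.0.113.10:65535 L=148 S=0x00 I=21347 F=0x0000 T=127 (#19)
Nov 14 15:20:11 fw kernel: Packet log: input ACCEPT eth0 PROTO=6 192.0.2.33:80 198.51.100.7:1033 L=60 S=0x00 I=9001 F=0x4000 T=51 (#3)
Nov 14 15:20:12 fw kernel: Packet log: input DENY eth1 PROTO=17 192.168.1.2:500 203.0.113.10:500 L=312 S=0x00 I=21348 F=0x0000 T=128 (#2)
Nov 14 15:20:15 fw syslogd 1.3-3: restart.
"""


def parse_line(line):
    """Return the packet-log fields as a dict, or None for lines that are not ipchains logs."""
    m = LOG_RE.search(line)
    if not m:
        return None
    pkt = m.groupdict()
    for key in ("proto", "sport", "dport"):
        pkt[key] = int(pkt[key])
    return pkt


def classify(pkt):
    """Label a parsed packet as 'ike' (UDP/500), 'esp' (IP protocol 50) or 'other'."""
    if pkt["proto"] == PROTO_ESP:
        return "esp"
    if pkt["proto"] == PROTO_UDP and IKE_PORT in (pkt["sport"], pkt["dport"]):
        return "ike"
    return "other"


def ipsec_denials(lines, extif):
    """Count DENY/REJECT IKE and ESP packets on one interface, grouped by the remote peer.

    The peer is the far end of the packet: destination on the output chain,
    source on input. Accepted packets and other interfaces are ignored.
    Returns {peer_ip: {"ike": n, "esp": n}}.
    """
    peers = defaultdict(lambda: {"ike": 0, "esp": 0})
    for line in lines:
        pkt = parse_line(line)
        if pkt is None or pkt["iface"] != extif:
            continue
        if pkt["verdict"] not in ("DENY", "REJECT"):
            continue
        kind = classify(pkt)
        if kind == "other":
            continue
        peer = pkt["dst"] if pkt["chain"] == "output" else pkt["src"]
        peers[peer][kind] += 1
    return dict(peers)


def suggest_rules(lines, extif, extip):
    """Build the thread's four ACCEPT rules for every peer whose IKE or ESP was denied.

    Same shape as the posted rules (UDP/500 both ways, protocol 50 both ways),
    narrowed to the peer the log shows and with the UDP destination port pinned
    to 500 as well, so a stray UDP packet from the peer with source port 500
    does not match.
    """
    cmds = []
    for peer in sorted(ipsec_denials(lines, extif)):
        cmds += [
            f"/sbin/ipchains -A input -j ACCEPT -i {extif} -p udp -s {peer} 500 -d {extip} 500",
            f"/sbin/ipchains -A input -j ACCEPT -i {extif} -p 50 -s {peer} -d {extip}",
            f"/sbin/ipchains -A output -j ACCEPT -i {extif} -p udp -s {extip} 500 -d {peer} 500",
            f"/sbin/ipchains -A output -j ACCEPT -i {extif} -p 50 -s {extip} -d {peer}",
        ]
    return cmds


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for peer, counts in ipsec_denials(lines, "eth0").items():
        print(f"{peer}: {counts['ike']} IKE and {counts['esp']} ESP packets denied on eth0")
    print("\n".join(suggest_rules(lines, "eth0", "198.51.100.7")))
```

On the constructed sample the peer 203.0.113.10 shows three denied IKE packets and one denied ESP packet, and the fourth sample line is the one a port-based rule would never fix, because PROTO=50 is an IP protocol and the 65535 "ports" are placeholders. The emitted rules still have to sit above the DENY rules in the firewall script (the "at the top" in the post), and they only let the packets through the firewall itself; masquerading the client behind it still needs the VPN masq kernel support the thread describes.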
[Leaf-user] Wishing to upgrade to Dachstein
Well, I've been off the lists for several months now. I would probably still be in the shadows if it wasn't for upgrading to ICQ 2001b. So, as luck would have it, I began visiting the old sites and found some new (and potentially exciting) changes.

I have a slightly older version of Charles' LRP, with plenty of settings I have made and some extra masq modules. What I need to know is: What do I do to bring my version up to Dachstein without finding and recreating all the little settings I have made? Is this going to be an easy upgrade?

I have been using an IDE version almost since I started. I have copied down the normal Dachstein which, upon reading, has IDE support and the necessary VPN (for future, I don't yet use that) in the kernel. So I'm thinking that it shouldn't be too bad.

Another concern is if the masq modules are compatible and if I can locate updated ones if necessary.

Thanks in advance for any help

*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
John Mullan - Technical Manager
Ontario Lottery and Gaming Corporation
Direct Gaming Distribution Center
Personal: mailto:[EMAIL PROTECTED]
Business: mailto:[EMAIL PROTECTED]
Re: [Leaf-user] QoS on eth0 - not possible if using DHCP !?
On Thu, 15 Nov 2001, Sandro Minola wrote:

> hi
>
> i noticed that FAIRQ/QoS rules only apply to those interfaces which are listed in $IF_AUTO. Since my external interface (eth0) is dynamic (DHCP), QoS rules are not applied. is there a workaround for this?

Probably, but it would require thinking, and that makes my head hurt :-)

Seriously, how are you determining that the rules aren't applying? I would think that the functions aren't applied until after the DHCP address discovery is done; that said, my experience with DHCP (using some PPP packages) is that address assignment (and hence, everything else) doesn't work the first time when you boot, so you need to do killall pppd and an svi network reload. That one was caused by a package with an /etc/init.d/ppp script, seems the same problems would occur in PPPoE.

> general QoS question: does anyone have a working example? Jack's howto is very nice and useful but there are still a lot of open questions. can anyone post a working example and explain what it does? i mean, how the posted parameters affect things and what experiences you have made with QoS. (the QoS part of network.conf would be nice)

ppp_BNDWIDTH=50Kbit
ppp_FAIRQ=YES
ppp_TXQLEN=40
ppp_IABURST=20
ppp_IARATE=10Kbit
ppp_PXMTU=1500
ppp_FAIRQ=YES
ppp_HNDL=3
ppp0_IABURST=10
ppp0_IARATE=10
ppp0_PXMTU=1500

I still don't understand the IA stuff, but I know the BNDWIDTH parameter is effective because I've dialed it down to 5Kbit and seen truly lousy performance.

> thank you
>
> ---
> Sandro Minola | LEAF Developer (http://leaf.sourceforge.net)
> mailto:[EMAIL PROTECTED] | mailto:[EMAIL PROTECTED]
> http://www.minola.ch | http://leaf.sourceforge.net/devel/sminola
> -
> worldcontrol:~ # rm -rf /bin/laden

--
Jack Coates
Monkeynoodle: A Scientific Venture...