[Leaf-user] Subnet string length
I am a little confused about the subnet string length (for the network.conf file in E2B) for subnet of 255.255.255.252. Would that be 30, or did I mess something up?

Thanks
Wayne
Re: [Leaf-user] DMZ considerations ???
> > Can you perhaps describe exactly what you're trying to get working, and perhaps there's a better network architecture (i.e. safer, easier to implement) to do what you want. You can e-mail me directly if this is sensitive info you don't want on-list...
>
> We have a client that insists on exposing a critical internal server to the Internet; they want their internal application and file server to also host their Exchange server and -- god help us all -- possibly IIS, as well; sigh. I didn't feel so bad when considering the server's masq'd address can only be accessed from the Internet insofar as we port forward to it. Actually, they asked us to put this server on the dmz;

Hmm...so you're not looking to port-forward anymore? That should make things much easier. If it's sitting on the DMZ, access is configured like any other system to the DMZ.

WARNING: The internal nets are masqueraded to the DMZ 'net. This isn't a problem for most things, but it will confuse MS Networking to no end (assuming you can get your MS systems talking across a router in the first place...no small accomplishment).

> So, for the Internet to find this server via DNS on the customer's domain, how else might we accomplish this?

This part is the same regardless of what you setup. Just make an A record for the hostname that points to its IP. The IP will either be the system's real IP on the DMZ, the IP being port-forwarded to the system, or the IP being static-NAT'ed to the system.

> What do you think?

Sorry to hear about your net connection problems : Reading between the lines, I think you're going to have to setup a static-NAT from a DMZ IP to the internal system. Without going to a 2.4 kernel and iptables, where you can specify the source IP for outbound masquerading, there's no simple solution for getting a port-forwarded system running with a DMZ public IP.
The two other options I can think of are:

1) A 'two-step' process, where a DMZ IP is port-forwarded to the internal server, with all return packets routed out to the DMZ net, where a box masquerades them to look like their source IP is the DMZ IP. This is ugly, and requires lots of advanced routing configuration.

2) Just port-forward the service from the public IP of the firewall (the near end IP of the T1 link). The reverse masquerade rules will do the right thing, and everything should work fine. There are also hooks in place to do this already, so no custom forwarding and static-NAT rules, making the system easier to maintain. The public IP of the server system will fall outside the DMZ range, but unless your customer has their own IP range (unlikely, since you mentioned it's a /26), they're using 'borrowed' IPs from the ISP anyway...might as well make effective use of ALL the IPs you've been given, and save yourself some trouble in the process...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
[Leaf-user] Ram disk full on EigerStein2BETA.exe
I have a full ram disk after 3 days, and I think it may be from the file below? What is it and why is it so large? It seems to contain a bunch of control characters.

# dir -l w*
-rw-r- 1 root root 2764800 Dec 3 10:10 wtmp

Thanks
Kevin
Re: [Leaf-user] Ram disk full on EigerStein2BETA.exe
At 10:09 AM 12/3/01 -0800, Kevin Kropf wrote:

> I have a full ram disk after 3 days, and I think it may be from the file below? What is it and why is it so large? It seems to contain a bunch of control characters.
>
> # dir -l w*
> -rw-r- 1 root root 2764800 Dec 3 10:10 wtmp

[html duplicate deleted]

wtmp (more exactly, /var/log/wtmp) is a file that contains cumulative records of logins and logouts. On a full-size Linux system, you use a specialized program like last to read out its contents, which are kept in a file-specific data structure (for an example of it, look at the man page for wtmp or utmp). A log file that grows to 2.7 MB in 3 days will certainly cause a full ram disk on many LEAF-scale hosts (ones with 12 MB or so of RAM in total).

Why it is so large depends on what your system is doing. I just checked my (non-LEAF) everyday development system, and it has a wtmp that is only about 25 KB for a month of logins (on full-size systems, this is one of the files that gets trimmed by the logrotate app), so certainly something is odd in your case. But with no information about your setup, I cannot suggest anything specific about *why* the file might be getting so large. I don't recall any prior reports to the list of EigerSteinBETA doing this (anyone else?).

To get a scale of the problem, figure about 800 bytes per login/logout. That means your file size translates to about 34,000 logins over 3 days, or about one every 8 seconds. Something that happens this often should be leaving other indications of its presence.

-- 
"Never tell me the odds!"          --- Ray Olszewski
              -- Han Solo              Palo Alto, CA  [EMAIL PROTECTED]
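As an added example (mine, not from the list or from LEAF), here is a small Python decoder for the wtmp record format Ray describes, plus the kind of rate check that would turn "a login every few seconds" into something visible: it groups login records by originating host and flags any host with a burst of logins inside a short window. It assumes glibc's 384-byte struct utmp layout for 32-bit Linux (other libc builds use a different record size, so check the utmp man page on the box in question); the sample file is constructed inside the code.

```python
"""Decode wtmp records and summarise login activity (added example)."""
import struct
from collections import Counter

# Assumption: glibc's 32-bit Linux struct utmp, 384 bytes per record:
#   short ut_type; 2 pad; int ut_pid; char ut_line[32]; char ut_id[4];
#   char ut_user[32]; char ut_host[256]; short e_termination, e_exit;
#   int ut_session; int tv_sec, tv_usec; int ut_addr_v6[4]; char unused[20]
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384

# ut_type values from <utmp.h>
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8
TYPE_NAMES = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 5: "INIT_PROCESS",
              6: "LOGIN_PROCESS", 7: "USER_PROCESS", 8: "DEAD_PROCESS"}


def _cstr(raw):
    """NUL-terminated fixed-width field -> str."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def make_record(ut_type, pid, line, user, host, tv_sec):
    """Pack one record; struct pads short byte strings with NULs."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0, b"")


def parse_wtmp(data):
    """Decode every complete record; a trailing partial record is ignored."""
    records = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        records.append({"type": f[0], "pid": f[1], "line": _cstr(f[2]),
                        "user": _cstr(f[4]), "host": _cstr(f[5]), "time": f[9]})
    return records


def login_summary(records, window_seconds=60, threshold=10):
    """Count USER_PROCESS (login) records per host and flag any host with
    `threshold` or more logins inside a `window_seconds` span."""
    logins = [r for r in records if r["type"] == USER_PROCESS]
    times_by_host = {}
    for r in logins:
        times_by_host.setdefault(r["host"] or "(local)", []).append(r["time"])
    noisy = []
    for host, times in times_by_host.items():
        times.sort()
        # sliding window: is the (threshold-1)th later login still inside the window?
        if any(times[i + threshold - 1] - times[i] <= window_seconds
               for i in range(len(times) - threshold + 1)):
            noisy.append(host)
    return {
        "records": len(records),
        "logins": len(logins),
        "types": dict(Counter(TYPE_NAMES.get(r["type"], str(r["type"])) for r in records)),
        "per_host": {h: len(t) for h, t in times_by_host.items()},
        "noisy_hosts": sorted(noisy),
        "bytes_per_record": UTMP_SIZE,
    }


def sample_wtmp():
    """Constructed sample: a boot record, one normal login/logout pair from
    a workstation, then 12 logins five seconds apart from another host."""
    t0 = 1007400000  # arbitrary epoch seconds, early December 2001
    recs = [make_record(BOOT_TIME, 0, "~", "reboot", "", t0),
            make_record(USER_PROCESS, 100, "ttyp0", "root", "192.168.1.251", t0 + 3600),
            make_record(DEAD_PROCESS, 100, "ttyp0", "", "192.168.1.251", t0 + 3900)]
    recs += [make_record(USER_PROCESS, 200 + n, "ttyp1", "root", "192.168.1.252",
                         t0 + 7200 + 5 * n) for n in range(12)]
    return b"".join(recs)


if __name__ == "__main__":
    summary = login_summary(parse_wtmp(sample_wtmp()))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

On a real file, read /var/log/wtmp in binary mode and pass the bytes to parse_wtmp; the per-host counts and the noisy_hosts list are what you would compare against the other places a repeated login leaves traces (syslog, the daemon's own log, the connecting host).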
Re: [Leaf-user] Subnet string length
--- Wayne Fool [EMAIL PROTECTED] wrote:

> I am a little confused about the subnet string length (for the network.conf file in E2B) for subnet of 255.255.255.252. Would that be 30, or did I mess something up?
>
> Thanks
> Wayne

Sometimes I remember this stuff, sometimes I don't. When in doubt I consult the net:

http://www.networkdesigner.net/cisco/ccna/subnetting.htm

A chart relating: # of bits, old style subnet mask and CIDR.

=====
[EMAIL PROTECTED]
Hacking is a Good Thing!
See http://www.tuxedo.org/~esr/faqs/hacker-howto.html
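An added example (mine, not from the thread or from the linked chart) that does the same conversion in Python and also rejects a mask whose one-bits are not contiguous, which a lookup chart cannot catch and which some configuration tools accept silently. It goes a little beyond the question by also reporting the network, broadcast and usable host range of a block. 255.255.255.252 has 30 one-bits, so the prefix length is /30.

```python
"""Netmask <-> prefix-length helpers (added example)."""
import ipaddress


def mask_to_prefix(mask):
    """Return the CIDR prefix length for a dotted-quad netmask.

    Raises ValueError for masks whose 1-bits are not contiguous
    (e.g. 255.255.254.255), which no valid subnet mask has.
    """
    octets = [int(o) for o in mask.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad mask: {mask!r}")
    bits = (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]
    prefix = bin(bits).count("1")
    # A valid mask is `prefix` ones followed by zeros; rebuild it and compare.
    expected = ((1 << prefix) - 1) << (32 - prefix)
    if bits != expected:
        raise ValueError(f"non-contiguous netmask: {mask}")
    return prefix


def prefix_to_mask(prefix):
    """Inverse of mask_to_prefix: /30 -> 255.255.255.252."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range: {prefix}")
    bits = ((1 << prefix) - 1) << (32 - prefix)
    return ".".join(str((bits >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def describe_block(cidr):
    """Network, broadcast and usable host range for an address/prefix string.

    strict=False lets a host address such as 192.0.2.70/26 be given; the
    block it belongs to is reported.
    """
    net = ipaddress.IPv4Network(cidr, strict=False)
    hosts = list(net.hosts())
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "prefix": net.prefixlen,
        "broadcast": str(net.broadcast_address),
        "first_host": str(hosts[0]) if hosts else None,
        "last_host": str(hosts[-1]) if hosts else None,
        "usable_hosts": len(hosts),
    }


if __name__ == "__main__":
    print(mask_to_prefix("255.255.255.252"))   # 30
    print(prefix_to_mask(26))                  # 255.255.255.192
    print(describe_block("192.0.2.64/26"))     # documentation range, constructed
```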
[Leaf-user] rc2.d links
Hi:

I'm trying to get a daemon to start automagically upon boot. I made an init.d file based on the bind-8 package. I'm not sure how to get the symbolic links from /etc/rc2.d -> /etc/init.d. I thought the RCDLINKS var in the init.d script had something to do with it. Mine doesn't seem to work. Any suggestions?

Thanks,
glenn
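An added example (mine, not from LEAF or from the thread) of what the rc links themselves look like and how they can be generated from an RCDLINKS-style assignment in the script. The `RCDLINKS="2,S40 0,K40 6,K40"` syntax (runlevel, then S or K plus a two-digit ordering number) is an assumption about the package format, as is the `mydaemon` script name; the demo builds a throwaway tree under a temporary directory rather than touching /etc.

```python
"""Create SysV-style rc links for an init.d script (added example)."""
import os
import re
import tempfile

# Assumed RCDLINKS syntax (hypothetical; check the package's own script):
# whitespace-separated "<runlevel>,<S|K><two digits>" entries.
_ENTRY = re.compile(r"^(\d),([SK]\d\d)$")


def parse_rcdlinks(spec):
    """'2,S40 0,K40 6,K40' -> [(2, 'S40'), (0, 'K40'), (6, 'K40')]"""
    entries = []
    for tok in spec.split():
        m = _ENTRY.match(tok)
        if not m:
            raise ValueError(f"bad RCDLINKS entry: {tok!r}")
        entries.append((int(m.group(1)), m.group(2)))
    return entries


def read_rcdlinks(script_path):
    """Return the value of the first uncommented RCDLINKS= line in a script."""
    with open(script_path) as fh:
        for line in fh:
            if line.lstrip().startswith("RCDLINKS="):
                return line.split("=", 1)[1].strip().strip("\"'")
    raise ValueError(f"no RCDLINKS assignment in {script_path}")


def install_links(etc_dir, name):
    """Create etc_dir/rcN.d/{S|K}NNname -> ../init.d/name symlinks.

    Returns the link paths created; an existing link of the same name is
    replaced. Targets are relative so the tree can be moved as a whole.
    """
    script = os.path.join(etc_dir, "init.d", name)
    created = []
    for runlevel, tag in parse_rcdlinks(read_rcdlinks(script)):
        rc_dir = os.path.join(etc_dir, f"rc{runlevel}.d")
        os.makedirs(rc_dir, exist_ok=True)
        link = os.path.join(rc_dir, f"{tag}{name}")
        if os.path.islink(link):
            os.remove(link)
        os.symlink(os.path.join("..", "init.d", name), link)
        created.append(link)
    return created


def demo_in_tempdir():
    """Build a scratch etc tree, install links for a hypothetical 'mydaemon'
    script and report what was created (link names, targets, resolvability)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "init.d"))
    with open(os.path.join(root, "init.d", "mydaemon"), "w") as fh:
        fh.write('#!/bin/sh\n'
                 'RCDLINKS="2,S40 0,K40 6,K40"\n'
                 'case "$1" in start) echo starting;; stop) echo stopping;; esac\n')
    links = install_links(root, "mydaemon")
    return {
        "links": sorted(os.path.relpath(l, root) for l in links),
        "targets": sorted({os.readlink(l) for l in links}),
        "resolves": all(os.path.exists(l) for l in links),
    }


if __name__ == "__main__":
    for key, value in demo_in_tempdir().items():
        print(f"{key}: {value}")
```

The point to check on a real box is the same one the demo asserts: that each link resolves from its own directory (a relative target of ../init.d/name does; an absolute path copied from another root often does not).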
[Leaf-user] Dachstein + port-forwarded DMZ
Hi guys,

The recent months I have been running E2B, then Dachstein RC2, without any problems whatsoever. My setup is what I would guess pretty conventional; a P100 with 2 NICs on a static DSL line.

Yesterday I decided to add another NIC to set up a port-forwarded DMZ. When doing that, I rearranged the NICs so that eth0 is a 10Mbit 3Com card, and the two internal interfaces use a couple of Realtek 8139c 100Mbit cards. I continued to load the appropriate drivers for each NIC, and all of them now show up during the boot process.

My problem is that DHCP no longer works (message: No subnet declaration for eth1 (0.0.0.0)), pinging to the outside world does not work, and none of the machines on the subnets can ping the firewall. In other words, nothing works.. :-)

I guess something is wrong in my network.conf. What settings should be changed to allow such a configuration? Is there a HOWTO/FAQ on this topic?

Svein H.
Re: [Leaf-user] Re: SSH with Secure iXplorer - no remote tree displayed
Ok, thanks Charles. You really are going to make me learn my way around linux a little better eh? ;-) Once again I must face up to the fact that I know only enough to be dangerous!

Commenting out /usr/sbin/lrcfg at the end of /root/.profile and retrying the connection proves successful. So, uh (sheepishly)... how do I back up root's .profile, as backing up neither root nor etc does it?

----- Original Message -----
From: Charles Steinkuehler [EMAIL PROTECTED]
To: LRPLEAF [EMAIL PROTECTED]; Lars Gunnarsson [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Monday, December 03, 2001 7:28 PM
Subject: Re: [Leaf-user] Re: SSH with Secure iXplorer - no remote tree displayed

> > I am betting now that the problem is that at login, LRP runs its configuration tool and IXplorer is expecting to be at a command prompt. This might explain the ability to copy files, since pscp performs this function, and the inability to navigate or create directories. Now all I need is for someone to tell me where to disable the loading of lrcfg upon login, as I've not come across it in the init.d scripts.
>
> See /etc/profile and ~/.profile
>
> Charles Steinkuehler
> http://lrp.steinkuehler.net
> http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
[Leaf-user] POLL: Doc-Book Editors
If you've written a document in Doc-Book format, please let me know if you like a certain editor (and perhaps why). Thanks.

---
Peter Nosko
Re: [Leaf-user] DMZ considerations ???
Charles Steinkuehler wrote:

> > Just port-forward the service from the public IP of the firewall (the near end IP of the T1 link). The reverse masquerade rules will do the right thing, and everything should work fine. There are also hooks in place to do this already, so no custom forwarding and static-NAT rules, making the system easier to maintain. The public IP of the server system will fall outside the DMZ range, but unless your customer has their own IP range (unlikely, since you mentioned it's a /26), they're using 'borrowed' IPs from the ISP anyway...might as well make effective use of ALL the IPs you've been given, and save yourself some trouble in the process...
> >
> > If DNS can be setup -- on the customer's side -- to point server.customer.com to an address in ISP.com's domain, then this appears straightforward. Is this what you're suggesting?
>
> Yes. Remember, you typically have full control over forward lookups in yourdomain.com. So I could (for instance) point lrp.steinkuehler.net to www.whitehouse.gov, if I really wanted to. Your DNS server just translates arbitrary names in the domain you lease from the IANA to IP addresses...you control what IP addresses you want to map to various names.

Our concern is about forward lookup of an address from outside of customer.com domain, using a name from within that domain and within our domain configuration;

> That being said, you may or may not be able to create a reverse DNS entry, although this shouldn't be too much of a problem. Your ISP 'owns' the IP range you're using (likely the range for both the point-point T1 and the /26 subnet they route to you). You'll have to talk to their DNS guru if you want reverse lookups of your IP's to say something other than their default (typically something like ip.city.bigisp.com).

This, too, is a legitimate concern.
> In general, as long as your ISP is actually running a valid reverse DNS for your IP range (lots of things will time out or cause delays if your IP doesn't reverse resolve), you probably don't need to worry about the reverse lookups...

To us, being in control and truly managing our domain necessitates doing so from within our DNS configuration. We find that we can do our job most reliably if we only require the ISP to forward to our domain from within their upstream DNS. Although many ISPs are eminently competent, it is becoming all too common for us to bump into incompetently setup DNS - especially those run from wintel;

Actually, we did this:

wan1_IP_EXTRA_ADDRS=x.y.z.65

and, without any DMZ, we get what we want. Actually, going to the Internet from the internal, private network, we appear to the Internet as a.b.c.157, which does not appear to be any conceivable issue. Most importantly, when we do http://x.y.z.65/ from a remote Internet site, we can get to our port-forwarded internal server !!! This is what our customer wants, so we are pleased.

The confusion stems from doing this:

wan1_IP_EXTRA_ADDRS=x.y.z.64/26

Although this is accepted by ipchains, only x.y.z.64 is pingable from the Internet; but, as the network itself, we couldn't get to anything, port-forwarding or not.

What do you think?

-- 
Best Regards,
mds
mds resource
888.250.3987

Dare to fix things before they break . . .

Our capacity for understanding is inversely proportional to how much we think we know. The more I know, the more I know I don't know . . .
[Leaf-user] Why can't I see my DNS on the public interface?
I am using the EigerStein2Beta image on my router/firewall, with a two-floppy setup. I am also running the dnscache, tinydns, and axfrdns packages. I would like my router to be the authoritative nameserver for my domain. I have set the tinydns package to serve DNS for both private and public clients. On the private side, everything works fine. On the public side, it is not so fine.

Here's a quick picture of the scenario:

                    DSL
                     |
           216.87.136.178 (static)
                     |
                  [eth0]
                 firewall
                  [eth1]
                     |
        192.168.1.254/24  NAT
   (internal addresses are static)
                     |
               10/100 Switch
              /             \
      192.168.1.252     192.168.1.251
       LAN Server        Workstation
        SuSE 7.1            Win98

I have created the necessary DNS records for tinydns to serve up to the outside world. I have also set up axfrdns to accept requests for zone transfers from the current DNS hosting provider. (They do a zone transfer prior to transferring the primary nameserver control.)

My problem is that I am simply unable to get this machine to respond to UDP and TCP requests from the public interface. This applies to both DNS (port 53) and the port-forwarded SMTP (port 25). I suspect something in the firewall rules, which I've not edited in the default setup, is causing problems. I suspect it's a bit TOO secure. Filtering rules are where my understanding of everything starts to break down, and perhaps that's not even the problem. Does anyone have any ideas why this isn't working?
Here's the output of netstat -an:

Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 216.87.136.178:53       0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.254:53        0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.254:22        0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
udp        0      0 192.168.1.254:53        0.0.0.0:*
udp        0      0 216.87.136.178:53       0.0.0.0:*
udp        0      0 192.168.1.254:53        0.0.0.0:*
udp        0      0 0.0.0.0:69              0.0.0.0:*
raw        0      0 0.0.0.0:1               0.0.0.0:*
raw        0      0 0.0.0.0:6               0.0.0.0:*
Active UNIX domain sockets (including servers)
Proto RefCnt Flags       Type       State         I-Node Path
unix  0      [ ACC ]     STREAM     LISTENING     1496   /dev/log
unix  1      [ ]         STREAM     CONNECTED     1499   @0001
unix  1      [ ]         STREAM     CONNECTED     1511   @0003
unix  1      [ ]         STREAM     CONNECTED     1512   /dev/log
unix  1      [ ]         STREAM     CONNECTED     1500   /dev/log

Here's the output of ipchains -L -n -v:

Chain input (policy DENY: 0 packets, 0 bytes):
 pkts bytes target prot opt  tosa tosx ifname mark outsize source            destination  ports
    0     0 DENY   icmp l-   0xFF 0x00 *                   0.0.0.0/0         0.0.0.0/0    13 -> *
    0     0 DENY   icmp l-   0xFF 0x00 *                   0.0.0.0/0         0.0.0.0/0    14 -> *
    0     0 DENY   all  l-   0xFF 0x00 eth0                0.0.0.0           0.0.0.0/0    n/a
    0     0 DENY   all  l-   0xFF 0x00 eth0                255.255.255.255   0.0.0.0/0    n/a
    0     0 DENY   all  l-   0xFF 0x00 eth0                127.0.0.0/8       0.0.0.0/0    n/a
    0     0 DENY   all  l-   0xFF 0x00 eth0                224.0.0.0/4       0.0.0.0/0    n/a
    0     0 DENY   all  l-   0xFF 0x00 eth0                10.0.0.0/8        0.0.0.0/0    n/a
    0     0 DENY   all  l-   0xFF 0x00 eth0                172.16.0.0/12     0.0.0.0/0    n/a
    0     0 DENY   all  l-   0xFF 0x00 eth0                192.168.0.0/16    0.0.0.0/0    n/a
    0     0 DENY   all  l-   0xFF 0x00 eth0                0.0.0.0/8         0.0.0.0/0    n/a
    0     0 DENY   all  l-   0xFF 0x00 eth0                128.0.0.0/16      0.0.0.0/0    n/a
    0     0 DENY   all  l-   0xFF 0x00 eth0                191.255.0.0/16    0.0.0.0/0    n/a
    0     0 DENY   all  l-   0xFF 0x00 eth0                192.0.0.0/24      0.0.0.0/0