[Leaf-user] Opening Ports on Dachstein

2001-12-11 Thread Stewart Adey



Hi, I'm unsure how to open ports to allow an FTP server running behind it
on port 6660 (or 21, for example). I have a feeling it's to do with
ip_masq_ftp. As I'm a n00bie to this, step-by-step instructions would be
useful. Thanks in advance...
STU.


[Leaf-user] LRP -DMZ hoses box

2001-12-11 Thread Wehner, Andrew R.

I have set up LRP from the Dachstein floppy - it works great.  The only
problem is that when I added a third NIC to set up a DMZ for a game server,
the box becomes confused.  I can ping the interfaces from the box, but
nothing outside it, neither my LAN nor public IP.  At one point I had actually
gotten it to see the other boxes, but not the external interface.  Is there
something I've been doing wrong?  My internal NAT addressing is 192.168.1.x
and the DMZ is 192.168.2.x.  Can this be done, share one IP for two NAT
networks?

___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user



Re: [Leaf-user] LRP -DMZ hoses box

2001-12-11 Thread Charles Steinkuehler

> I have set up LRP from the Dachstein floppy - it works great.  The only
> problem is that when I added a third NIC to set up a DMZ for a game server,
> the box becomes confused.  I can ping the interfaces from the box, but
> nothing outside it, neither my LAN nor public IP.  At one point I had actually
> gotten it to see the other boxes, but not the external interface.  Is there
> something I've been doing wrong?  My internal NAT addressing is 192.168.1.x
> and the DMZ is 192.168.2.x.  Can this be done, share one IP for two NAT
> networks?

Yes, it can be done.  From your symptoms, I'd suspect some sort of hardware
incompatibility with the newly added NIC.  Are they ISA cards (with
potentially conflicting I/O & IRQ settings) or PCI?  Some PCI cards don't
gracefully support more than one of the same card in the same box.

You may also simply have a problem identifying which card is which.  When
adding new cards, the numbering of your old network interfaces can change,
so you could simply have the networks physically wired up incorrectly.
Exactly which card is seen first is a complex interaction of the motherboard
(PCI slot numbering), the order you load the drivers, and finally, the
driver itself (which has to number multiple cards of the same type).  A
change in any of these can cause the ethernet device numbering to change.

Short of guessing which NIC is which, the 100% accurate way to identify
which NIC is eth0, eth1, etc. is to look at their MAC addresses.  The MAC is
usually listed on the card somewhere (it's a 6 byte long number, sometimes
the bytes are separated by colons).  You can see which MAC address Linux has
associated with each ethernet device by doing an 'ip addr' command...the 6
bytes following link/ether are the MAC address.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
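One way to do the MAC matching Charles describes, as an added example that is not part of the original post. Card labels print the MAC in several spellings (00A0C9123456, 00-A0-C9-12-34-56, 00:a0:c9:12:34:56), so both the label and the kernel's value are normalised before comparing. The script reads `ip -o link show` output on stdin; a constructed sample (made-up interface names and MACs) is embedded so it runs offline, and on the router you would pipe the real command in instead.

```shell
#!/bin/sh
# Added example (not from the original post): find which ethN Linux gave
# to the card whose label carries a particular MAC address.

# Reduce any spelling of a MAC (upper/lower case, dashes, colons, none)
# to the lowercase colon-separated form "ip link" prints.
norm_mac() {
    printf '%s\n' "$1" | tr 'A-F' 'a-f' | tr -d ':-' |
        sed 's/\(..\)/\1:/g; s/:$//'
}

# Read "ip -o link show" text on stdin and print "ethN mac" pairs.
# With -o each interface is one line, so the name and link/ether
# fields are on the same record.
iface_macs() {
    awk '/link\/ether/ {
        name = $2; sub(/:$/, "", name)
        for (i = 1; i <= NF; i++) if ($i == "link/ether") print name, $(i+1)
    }'
}

# Print the interface carrying the MAC given in $1 (nothing if no match).
find_iface_for_mac() {
    want=$(norm_mac "$1")
    iface_macs | while read name mac; do
        if [ "$(norm_mac "$mac")" = "$want" ]; then
            printf '%s\n' "$name"
        fi
    done
}

# Constructed sample of "ip -o link show" output (made-up MACs) so the
# script can be exercised without the hardware.  On the router itself:
#   ip -o link show | find_iface_for_mac 00-50-BA-FE-DC-BA
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP> mtu 3924 qdisc noqueue \    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100\    link/ether 00:a0:c9:12:34:56 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100\    link/ether 00:50:ba:ab:cd:ef brd ff:ff:ff:ff:ff:ff
4: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast qlen 100\    link/ether 00:50:ba:fe:dc:ba brd ff:ff:ff:ff:ff:ff'

# Look a label MAC up against the sample.
lookup_sample() {
    printf '%s\n' "$SAMPLE_IP_LINK" | find_iface_for_mac "$1"
}

lookup_sample 00-50-BA-FE-DC-BA
```

Once you know which ethN each physical card became, re-check the cables against /etc/network.conf rather than assuming the ordering survived the new card.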







Re: [Leaf-user] Opening Ports on Dachstein

2001-12-11 Thread Matthew Schalit

> Stewart Adey wrote:
>
> Hi, I'm unsure how to open ports to allow an FTP server running behind
> it on port 6660 (or 21, for example).

You have to edit /etc/network.conf.  In there are
directions.  Search this list by using the search
engine at sourceforge and you'll find similar 
questions.

> I have a feeling it's to do with ip_masq_ftp.

Nope, that module is used for outgoing ftp,
not incoming.  It's used to help outgoing ftp
work behind a masq'ing firewall.  Outgoing active
ftp needs that help.

> As I'm a n00bie to this, step-by-step instructions
> would be useful.  Thanks in advance... STU.

I definitely haven't had enough coffee yet for step-by-step
anything :-o
Matt




Re: [Leaf-user] Opening Ports on Dachstein

2001-12-11 Thread Jeff Newmiller

On Tue, 11 Dec 2001, Matthew Schalit wrote:

> > Stewart Adey wrote:

[...]

> > I have a feeling it's to do with ip_masq_ftp.
>
> Nope, that module is used for outgoing ftp,
> not incoming.  It's used to help outgoing ftp
> work behind a masq'ing firewall.  Outgoing active
> ftp needs that help.

With older kernels, that was the case.  With 2.2.19 they merged some
capabilities into that module that help support servers.

> > As I'm a n00bie to this, step-by-step instructions
> > would be useful.  Thanks in advance... STU.
>
> I definitely haven't had enough coffee yet for step
> by step anything :-o

I don't use Dachstein, and I don't run an FTP server, so I cannot give
step-by-step help.

However, you can learn about the issue by reading 
ftp://ftp.echogent.com/docs/FTP_and_Firewalls.pdf, and you can activate
the module support for servers by modifying modules.conf
(ip_masq_ftp in_ports=21).  You can ask Maxim Heijndijk
[EMAIL PROTECTED] whether it worked for him, because he asked this
question last week.  And if it works for you, let us know (maybe write
down the steps you had to take to make it work).

---
Jeff Newmiller                               The     .       .  Go Live...
DCN:[EMAIL PROTECTED]                        Basics: ##.#.   ##.#.  Live Go...
                                             Live:   OO#.. Dead: OO#..  Playing
Research Engineer (Solar/Batteries            O.O#.   #.O#.  with
/Software/Embedded Controllers)               .OO#.   .OO#.  rocks...2k
---





[Leaf-user] Privileged DMZ Access

2001-12-11 Thread Charles Steinkuehler

Some of you using DMZs may have noticed there's no automated way to provide
restricted access to your DMZ network (allow a service only to specific
remote IPs).  The current rules only allow all (0/0) or nothing.  While
it's easy enough to hand-code a couple of rules in ipchains.forward (that's
kind of what it's for), I recently had need for a more general solution for
this, and thought others might be interested in the functionality.

The directory /etc/privileged/ is scanned for files, which should have the
naming convention of protocol[.port], with protocol being a protocol
understood by ipchains (i.e. tcp, udp, all, 50, 88), and the optional port
also being a port specification as understood by ipchains (note that this
can include numeric specifications and ranges, and you can't specify ports
for protocols that don't support them).

Inside each of these files is a list of which remote IPs are allowed to
access the service, and (optionally) which DMZ systems they are allowed to
connect to.  If left blank, the remote IP is allowed to communicate on the
specified protocol/port to all DMZ IPs.

Comments and blank lines are allowed.  See the example
/etc/privileged/tcp.pop-3, below.

NOTE:  You may find it easier to administer a system like this by indexing
on the remote IPs or networks, rather than the protocol/port.
Modifications for this functionality are left to the reader...

And now, on with the code:

START /etc/ipchains.forward
# Read File procedure
#   Skip blank lines and comments, print every other line unchanged
ReadFile() {
    local IFS='
'
    while read line ; do
        case $line in
            \#*|"") continue ;;
            *)      echo "$line" ;;
        esac
    done < $1
}

OIFS=$IFS

[ -d /etc/privileged ] || exit 0
cd /etc/privileged
for FILE in * ; do
    [ -r $FILE ] || continue
    # Filename is protocol[.port]; PORT ends up empty when no ".port" given
    PROTO=${FILE%.*}
    PORT=${FILE#$PROTO}
    PORT=${PORT#.}
    IFS='
'   # linefeed: iterate over whole lines of the file
    for line in `ReadFile $FILE` ; do
        IFS=' 	'   # space and tab: split the line into SourceIP [DestIP]
        set -- $line
        $IPCH -A forward -j ACCEPT -p $PROTO \
            -s $1 -d ${2:-$DMZ_NET} $PORT -i $DMZ_IF
    done
done

IFS=$OIFS
END /etc/ipchains.forward

START /etc/privileged/tcp.pop-3
# Comments and blank lines allowed
# Comments must start at beginning of line
#
# Filename Format:
#  Protocol[.port]
#
# File Format:
#  SourceIP [DestIP]
#
# If DestIP is not specified, it defaults to the whole DMZ network

1.2.65.53  3.4.8.236
1.2.78.155 3.4.8.236
END /etc/privileged/tcp.pop-3

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
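A check to run before the hook above loads the rules, added here as an example and not part of Charles' post. It reports the mistakes the post warns about (a port on a protocol that has none, an unreadable file the hook would silently skip) plus entries that are not an IP address or network in ipchains' dotted form. The directory is a parameter so it can be pointed at a scratch copy; the file contents used in testing are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check an
# /etc/privileged directory before it is turned into ipchains rules.

# Protocols (by ipchains name or number) that carry a port.
proto_has_ports() {
    case "$1" in
        tcp|udp|6|17) return 0 ;;
        *)            return 1 ;;
    esac
}

# Dotted quad, optionally with /prefix; 0/0 and 3.4.8.0/24 both pass.
is_ip_spec() {
    printf '%s\n' "$1" |
        grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){0,3}(/[0-9]{1,2})?$'
}

# Check one privileged file.  Prints one diagnostic per problem and
# returns the number of problems found (0 = clean).
check_privileged_file() {
    file=$1
    base=${file##*/}
    proto=${base%.*}        # same filename split the hook performs
    port=${base#$proto}
    port=${port#.}
    errors=0
    if [ ! -r "$file" ]; then
        echo "$base: not readable; the hook would silently skip it"
        return 1
    fi
    if [ -n "$port" ] && ! proto_has_ports "$proto"; then
        echo "$base: protocol '$proto' takes no port, but '$port' given"
        errors=$((errors + 1))
    fi
    lineno=0
    while read -r src dst extra; do
        lineno=$((lineno + 1))
        case "$src" in ''|\#*) continue ;; esac    # blank or comment line
        if ! is_ip_spec "$src"; then
            echo "$base:$lineno: bad source '$src'"
            errors=$((errors + 1))
        fi
        if [ -n "$dst" ] && ! is_ip_spec "$dst"; then
            echo "$base:$lineno: bad destination '$dst'"
            errors=$((errors + 1))
        fi
        if [ -n "$extra" ]; then
            echo "$base:$lineno: trailing text '$extra' (format is SourceIP [DestIP])"
            errors=$((errors + 1))
        fi
    done < "$file"
    return $errors
}

# Check every file in a directory; returns the total problem count.
check_privileged_dir() {
    total=0
    for f in "$1"/*; do
        [ -e "$f" ] || continue
        check_privileged_file "$f" || total=$((total + $?))
    done
    return $total
}

# Usage on the router: check_privileged_dir /etc/privileged || echo "fix before loading rules"
```

Run it after editing the directory and before re-running the firewall script; a nonzero return means ipchains would either reject a rule (port on a port-less protocol) or, worse, load a rule with a source that is not what you meant.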






Re: [Leaf-user] uninstall option for lrpkg

2001-12-11 Thread David Douthitt

David Douthitt wrote:

> # Remove package from packages list:
>
> PKGD=/var/lib/lrpkg
>
> mv $PKGD/packages $PKGD/pkg.old
> grep -v $PKGD/pkg.old > $PKGD/packages

This has an error; should be:

# Remove package from packages list

PKGD=/var/lib/lrpkg

mv $PKGD/packages $PKGD/pkg.old
grep -v '^'$PKGNAME'$' $PKGD/pkg.old > $PKGD/packages

...note that this will remove ALL package entries with the same name. 
Since lrpkg will blithely allow you to install the package more than
once, this may be useful :)




Re: [Leaf-user] Still unable to run Dachstein

2001-12-11 Thread David Douthitt

Matt Schalit wrote:

> I agree here with the pci-scan loading before the nic module(s)
> and that Dachstein is the simplest and most surefire release to get
> you up and running with little effort.  There are two major things to setup:
>
>   1)   # echo 'export EDITOR=e3vi' >> /etc/profile
>        # exit
>        and login again so that you can use vi.

Don't need to relogin; just do:

# echo 'export EDITOR=e3vi' >> /etc/profile
# export EDITOR=e3vi

...and it's done.




Re: [Leaf-user] Still unable to run Dachstein

2001-12-11 Thread David Douthitt

Dr. Richard W. Tibbs wrote:
>
> I had the same problem (t:t:t:t:) at the boot prompt with the latest
> oxygen release
> loading on a Gateway 2000 pentium-1 machine.
> A serial port (actually two) are certainly present on the Gateway --
> so no serial port present shouldn't be the issue,
> unless having two of them causes no serial port to be spec'd.
> I will try the development version if you think that will help, David.

The t:t:t:t: prompt is a problem with that version of SYSLINUX.  The
best thing to do is to go into the syslinux.cfg file on the disk, and
then comment the sections that deal with the serial console.  That would
be a line that starts with 'serial'; also delete things at the end of
the lines that say 'console=/dev/ttyS0' or something like that.

That should help - especially the first.

However, this doesn't help with problems after you've loaded the
system...




[Leaf-user] How to configure dnscache in Oxygen?

2001-12-11 Thread Dr. Richard W. Tibbs

Hi.
I am trying to use the latest Oxygen with the firewall data disk as a
second disk.
Everything boots up fine (using an IBM Aptiva doorstop as my firewall
device, with 2 Netgear ethernet NICs).
When asked to configure the system, I answer yes, and I get an edit
session of a script to kick off dnscache.

What do I do here? I have looked at some dnscache how-tos at linux
on-line, but I'm not sure if there is any specific thing I should do
here.  Not even sure how to exit the emacs-emulated editor  ;-)

Is there a complete soup-to-nuts how-to on config of Oxygen?

I have read through the LEAF how-tos, including xDSL (but it seems to be
based on 2.9.4 with ipfwadm instead of ipchains... hmmm..)

Eventual goal is to run the firewall between my internal network (say
eth0) and my DSL modem (eth1) and have a secure internet connection.






[Leaf-user] Utilizing two broadband connections

2001-12-11 Thread Brock Nanson

I know this question has been touched on before, but I don't think I saw
an answer that really fits my situation.

I have a wireless connection and will soon have a DSL connection as
well.  Both are handled by the same ISP.  I would like to build a box
that will do either or both of the following:

1) utilize both connections to increase the bandwidth
2) utilize one connection, switching automatically to the other if
connectivity problems appear.

The bonus here is the ISP will play ball within reason.  So if we need
to have a script or even another box at the ISP to make this work, they
may cooperate.  Both connections have public addresses on them, and I
have a /29 public subnet on my side of this proposed router (I currently
use a Linksys router to share the wireless connection with another
company, both of us using LRP/FreeS/WAN boxes on the /29 network).  The
ISP has his routing table configured to send the /29 addresses to our
wireless address for further routing.

R Brock Nanson, P.Eng.   [EMAIL PROTECTED]
TRUE Consulting Group
201 - 2079 Falcon Road
Kamloops BC V2C4J2   www.true.bc.ca





SUMMARY: [Leaf-user] eepro100.o module troubles...(HD install)

2001-12-11 Thread Adrian Stovall

Thanks (Charles and Matt).  Sorry for the simple question (this is my first
attempt not using a basic coyote install).  Added the pci-scan module and
updated all the ip_masq_xxx modules...everything is running smoothly.

-Original Message-
From: Matt Schalit [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 11, 2001 12:13 AM
To: [EMAIL PROTECTED]
Subject: Re: [Leaf-user] eepro100.o module troubles...(HD install)


Adrian Stovall wrote:

> I can still boot, but now when the network modules try to load, I get
>
> eepro100 - /lib/modules/eepro100.o: unresolved symbol acpi_set_pwr_state
> /lib/modules/eepro100.o: unresolved symbol pci_drv_unregister
> /lib/modules/eepro100.o: unresolved symbol pci_drv_register
>
> Anybody have any pointers on eepro100 modules and IDE-enabled kernels?


Most frequently asked question these days.
As Charles said, uncomment pci-scan and be sure it
is loaded before eepro100 in /etc/modules.conf.

Cheers,
Matthew






Re: [Leaf-user] uninstall option for lrpkg

2001-12-11 Thread Mike Branco

Great! Thanks, exactly what I was looking for.

- Original Message - 
From: David Douthitt [EMAIL PROTECTED]
To: LEAF Users List [EMAIL PROTECTED]
Sent: Tuesday, December 11, 2001 9:54 AM
Subject: Re: [Leaf-user] uninstall option for lrpkg


> David Douthitt wrote:
>
> > # Remove package from packages list:
> >
> > PKGD=/var/lib/lrpkg
> >
> > mv $PKGD/packages $PKGD/pkg.old
> > grep -v $PKGD/pkg.old > $PKGD/packages
>
> This has an error; should be:
>
> # Remove package from packages list
>
> PKGD=/var/lib/lrpkg
>
> mv $PKGD/packages $PKGD/pkg.old
> grep -v '^'$PKGNAME'$' $PKGD/pkg.old > $PKGD/packages
>
> ...note that this will remove ALL package entries with the same name.
> Since lrpkg will blithely allow you to install the package more than
> once, this may be useful :)





Re: [Leaf-user] Hdsupp package for dachstein CD 1.0.2

2001-12-11 Thread Charles Steinkuehler

> I'm trying to upgrade my installations to dachstein cd and I didn't find
> the hdsupp & hdsupp_s packages
> can I use the old ones from charles' site ?

You should be able to...at least I haven't heard from anyone who's had
problems with them yet, and several folks have reported getting HDD installs
working...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)






Re: [Leaf-user] How to configure dnscache in Oxygen?

2001-12-11 Thread David Douthitt

Dr. Richard W. Tibbs wrote:

> I am trying to use the latest Oxygen with the firewall data disk as a
> second disk.
> Everything boots up fine (using an IBM Aptiva doorstop as my firewall
> device, with 2 Netgear ethernet NICs).
> When asked to configure the system, I answer yes, and I get an edit
> session of a script to kick off dnscache.
>
> What do I do here? I have looked at some dnscache how-tos at linux
> on-line, but I'm not sure if there is any
> specific thing I should do here. Not even sure how to exit the
> emacs-emulated editor  ;-)
>
> Is there a complete soup-to-nuts how-to on config of Oxygen?

Well, there are two things you mentioned here:

* How to configure dnscache... I don't know - I don't use it.
* How to exit the editor - now THAT I know :)

The editor shouldn't be emulating emacs.  However, here's how to exit
from emacs (what you said) and from vi (the Oxygen standard editor
mode):

* vi:  Hit (in sequence) ':q' and press enter.
* emacs:  Hit in sequence 'Ctrl-X Ctrl-C' ...

Both are two characters long (excluding return).

Oxygen aims to be as similar to standard UNIX (whatever that is :) as is
possible.

The only blight is the missing netstat / ifconfig / route; however,
those are available as add-on packages, and are not necessary to the
system's operation.




Re: [Leaf-user] Squid redirect dachstein floppy

2001-12-11 Thread David Douthitt

Kevin Kropf wrote:

> I have Squid running on dachstein-rc2-1680.exe and would like to redirect
> all internal port 80 requests to the default Squid port of 3128 on the LRP
> box.
>
> I have read through the archives and found very little of use.
>
> What is the best way to do this?

This is in the Squid FAQ - in fact, it's an entire section (#17); go to
the Squid home page at http://www.squid-cache.org/ .




Re: [Leaf-user] uninstall option for lrpkg

2001-12-11 Thread Jeff Newmiller

On Tue, 11 Dec 2001, David Douthitt wrote:

[...]

> grep -v '^'$PKGNAME'$' $PKGD/pkg.old > $PKGD/packages

why the rigamarole with the single quotes?

 grep -v ^$PKGNAME$ $PKGD/pkg.old > $PKGD/packages

---
Jeff Newmiller                               The     .       .  Go Live...
DCN:[EMAIL PROTECTED]                        Basics: ##.#.   ##.#.  Live Go...
                                             Live:   OO#.. Dead: OO#..  Playing
Research Engineer (Solar/Batteries            O.O#.   #.O#.  with
/Software/Embedded Controllers)               .OO#.   .OO#.  rocks...2k
---





Re: [Leaf-user] uninstall option for lrpkg

2001-12-11 Thread David Douthitt

Jeff Newmiller wrote:
>
> On Tue, 11 Dec 2001, David Douthitt wrote:
>
> [...]
>
> > grep -v '^'$PKGNAME'$' $PKGD/pkg.old > $PKGD/packages
>
> why the rigamarole with the single quotes?
>
>  grep -v ^$PKGNAME$ $PKGD/pkg.old > $PKGD/packages

I was playing chicken :)

The first breaks down this way:

string (not scanned by shell): '^'
variable: $PKGNAME
string (not scanned by shell): '$'

The second is a little more dicey - how does one know that the shell
won't get confused or upset by the final '$'?  With the double-quotes,
the shell scans the string.  Given your example, I think I'd prefer
using:

^${PKGNAME}$

because it forces the name upon the shell - prevents even more
confusion...




Re: [Leaf-user] Now trying dachstien rc1

2001-12-11 Thread David Douthitt

Dr. Richard W. Tibbs wrote:

> OK, per some other advice, Dachstein is easier to use as basic
> firewall.
> I built a boot disk based on rc1. Loaded up on doorstop IBM Aptiva.
> Several questions:
> What is the difference between the various dachstein .bin's? (rc1,
> rc2, pr1pr4)?

Versions.

> How do you get the moral equivalent of ifconfig?

Read up on the 'ip' command.

> The ip command doesn't seem to have the same functionality.

It does - and more.

> How do you build a boot floppy with ifconfig, route etc. as add-on
> packages?

You need the package binaries; Oxygen's Setup Disk has these - I
forget the exact names...

> I can't seem to find out if the boot process successfully found the
> devices and whether a driver was loaded.

Try these commands (in the answers):

Q: Are the network interfaces configured?

A: ip addr show

Q: Are the routes configured?

A: ip route show

Q: Are the modules loaded?

A: lsmod

Q: What messages did the kernel give (during module loading)?

A: dmesg




RE: [Leaf-user] Squid redirect dachstein floppy

2001-12-11 Thread Kevin Kropf

I am not that familiar with ipchains and was hoping for a little more
detail.
I put together the following command from the info on the squid FAQ:
$IPCH -A input -p tcp -d 0/0 80 -j REDIRECT 3128
However I am not sure what else is needed and where to put it in
ipfilter.conf

Thanks for any help on this.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of David
Douthitt
Sent: Tuesday, December 11, 2001 5:32 PM
To: LEAF Users List
Subject: Re: [Leaf-user] Squid redirect dachstein floppy


Kevin Kropf wrote:

> I have Squid running on dachstein-rc2-1680.exe and would like to redirect
> all internal port 80 requests to the default Squid port of 3128 on the LRP
> box.
>
> I have read through the archives and found very little of use.
>
> What is the best way to do this?

This is in the Squid FAQ - in fact, it's an entire section (#17); go to
the Squid home page at http://www.squid-cache.org/ .
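An added example, not from the thread, that sets Kevin's rule beside a version scoped to the LAN. The security point is the unscoped rule: `-d 0/0 80` with no `-i` matches TCP/80 arriving on the external interface as well (unless an earlier rule drops it), and with Squid's `httpd_accel_uses_host_header on` the cache fetches whatever Host: header a remote client sends, which makes the public address an open proxy. Assumptions not on the page: LAN interface eth0, LAN network 192.168.1.0/24, firewall LAN address 192.168.1.254; IPCH is the variable Dachstein's scripts use for the ipchains binary, and it defaults to `echo` here so the file is a dry run. Charles' privileged-DMZ post shows /etc/ipchains.forward as the hook ipfilter.conf runs for the forward chain; whether an equivalent input-chain hook exists on this release is not established here, so check ipfilter.conf before deciding where the rule lives.

```shell
#!/bin/sh
# Added example (not from the thread): transparent Squid redirect, as
# posted versus scoped to the LAN.  IPCH defaults to a dry run.
IPCH=${IPCH:-echo ipchains}

# The rule as posted.  No -i and -d 0/0 means any TCP/80 packet reaching
# the input chain on ANY interface, external included, is handed to Squid
# unless an earlier rule dropped it.  Combined with
# httpd_accel_uses_host_header on, that is an open proxy on the public IP.
posted_redirect_rule() {
    $IPCH -A input -p tcp -d 0/0 80 -j REDIRECT 3128
}

# Scoped version.  REDIRECT is only valid in the input chain; limit it to
# the LAN interface and LAN source addresses, and exclude the firewall's
# own LAN address so requests for its own port 80 do not go through Squid.
# $1 = LAN interface, $2 = LAN network, $3 = firewall LAN IP,
# $4 = Squid port (default 3128).  All assumed values, not from the page.
scoped_redirect_rule() {
    lan_if=$1 lan_net=$2 fw_ip=$3 squid_port=${4:-3128}
    $IPCH -A input -i "$lan_if" -s "$lan_net" -p tcp \
        -d ! "$fw_ip" 80 -j REDIRECT "$squid_port"
}

# Squid 2.x side, from the Squid FAQ's transparent-proxy section:
#   http_port 3128
#   httpd_accel_host virtual
#   httpd_accel_port 80
#   httpd_accel_with_proxy on
#   httpd_accel_uses_host_header on

scoped_redirect_rule eth0 192.168.1.0/24 192.168.1.254
```

Run the file once with IPCH unset to see the exact command it would issue, then set IPCH=ipchains (or let the firewall script's own value apply) and verify with `ipchains -L input -n` that the REDIRECT line carries the interface and source network you expect.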
