RE: [Leaf-user] Dachstein 1.0.2 with PPPoE

2001-12-19 Thread Jeff Newmiller

On Tue, 18 Dec 2001, Simon Bolduc wrote:

 Running a 486/66 on a cable line - my router does 3mb/s without a hitch - 
 mind you I only ever see about 300KB/s max (instead of the 375KB/s I should 
 - but that has nothing to do with the router).  Math below is wrong BTW 
 (sorry to be picky).  1 byte = 8 bits thus  62KB/s would equate to 496kb/s

Michael Leone [EMAIL PROTECTED] wrote:

  I routinely average 62KB (that equates to 620Kb) downloads.

I don't think 8 bits per byte is necessarily a better number than 10.

Just for comparison, a serial line's start and stop bits on 8N1
asynchronous characters yields an effective 11 bit-times per byte, plus
TCP overhead.

For TCP over ethernet, the rate is somewhere between an ideal 8.5
bit-times per byte and dozens of bits per byte, depending on how
efficiently the protocol fills the packets, and what the MTU is.

For ethernet over ATM (static ip on DSL) the additional overhead amounts
to a line rate of roughly 10 bit-times per byte, optimally.  I don't know
if DSL bit rates are quoted for their ATM rate or the ethernet rate, but
it looks to me like either of you could be right, depending on your
assumptions.

cf http://sd.wareonearth.com/~phil/net/overhead/

---
Jeff Newmiller   DCN: [EMAIL PROTECTED]
Research Engineer (Solar/Batteries/Software/Embedded Controllers)
---


___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user



Re: [Leaf-user] Starting from scratch to build a high capacity VPN tunnel appliance

2001-12-19 Thread Charles Steinkuehler

 I need. Here's my preliminary list of design goals:

  * No moving parts: Loading from a floppy or CD is a no-no; and if I
 can avoid a hard drive I'll be quite pleased. Having worked extensively
 with Apple & DEC RISC machines, I know a floppy is a worthless POS;

  * Since the price of Compact Flash cards is dirt cheap, and since
 they conform to the IDE standard, I'm thinking of using these. This
 way, I can easily deploy upgrades by mailing out replacement cards...
 No big shake, as Pee Wee would say;

This is probably the easiest way to go.

  * The throughput (encryption rate) needs to be plenty, with room for
 expansion. Fortunately, hardware is cheap, so a 1.4 GHz Athlon package
 is no problem whatsoever;

  * Along the NIC lines, how well do the Pro/100 S (i82550-based)
 http://www.intel.com/network/connectivity/products/server_adapters.htm
 adapters work with LEAF? This looks like a nice way to gain throughput .IF.
 there are Linux drivers.

I think the NICs will function properly (ie send/receive traffic), but
getting the crypto acceleration hardware working with IPSec is another thing
entirely.  The current FreeS/WAN code isn't really set up to easily integrate
hardware acceleration, although there are a few folks who have been working
on this.  Troll the FreeS/WAN mailing list for more info, and check out
their documentation:
http://www.freeswan.org/freeswan_trees/freeswan-1.91/doc/compat.html#hardware

I think you're committed to patching FreeS/WAN, KLIPS, and building custom
kernels if you want hardware acceleration in today's FreeS/WAN.  Given the
data rates you're talking about, and the speed of today's hardware, I doubt
you really need the HW acceleration, however...see the performance page:
http://www.freeswan.org/freeswan_trees/freeswan-1.91/doc/performance.html

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)






RE: [Leaf-user] CPU loading monitor

2001-12-19 Thread Tony

Ya gotta load the lncurses.lrp library.

Later

Tony

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]]On Behalf Of Kevin Kropf
 Sent: Wednesday, December 19, 2001 00:17
 To: 'Kenneth Hadley'; Leaf-User (E-mail)
 Subject: RE: [Leaf-user] CPU loading monitor
 
 
 I get the following error:
 
 # top
 top: error in loading shared libraries
 libncurses.so.4: cannot open shared object file: No such file 
 or directory
 
 Help...
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]]On Behalf Of Kenneth
 Hadley
 Sent: Tuesday, December 18, 2001 8:49 PM
 To: [LEAF-user]
 Subject: Re: [Leaf-user] CPU loading monitor
 
 
 Not that I'm aware of, though I do know that I have a top (which can watch
 CPU usage among other things) package on my site under the packages section
 ( http://leaf.sourceforge.net/devel/khadley/ ) and yes, I am doing shameless
 advertising ;-)
 
 -Kenneth Hadley
 
 
 - Original Message -
 From: Kevin Kropf [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]; Leaf-User (E-mail)
 [EMAIL PROTECTED]
 Sent: Tuesday, December 18, 2001 5:32 PM
 Subject: RE: [Leaf-user] CPU loading monitor
 
 
 Has anyone made an lrpStat.lrp?
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]]On Behalf Of KP
 Kirchdörfer
 Sent: Tuesday, December 18, 2001 3:31 PM
 To: [EMAIL PROTECTED]; Leaf-User (E-mail)
 Subject: Re: [Leaf-user] CPU loading monitor
 
 
 On Tuesday, 18 December 2001 21:58, Kevin Kropf wrote:
  Is anyone aware of a CPU monitor for LRP that I could use to
  see what my box is doing?
 
 lrpStat from
 
 http://leaf.sourceforge.net/devel/hejl
 
 Read there about using the C-program lrpStat instead of 
 stat.sh, which is
 used in weblet from dachstein.
 
 kp
 



RE: [Leaf-user] CPU loading monitor

2001-12-19 Thread Simon Bolduc

You need to install lncurses.lrp, which is part of the Dachstein CD. If
you are running Dachstein but not the CD version, you can find it here:

http://lrp2.steinkuehler.net/files/diskimages/dachstein-CD/CD-Contents/


S




RE: [Leaf-user] ez-ipupdate

2001-12-19 Thread John D'Ausilio

I'm working on building an LRP for ez-ipupdate. I've also updated the
program to allow use of dyndns custom domains. I've made the executable
available for those who don't want to wait for me to finish getting the LRP
built :)

http://sort.net/ez-ipupdate.tgz

Use system type dyndns-custom for custom dyndns domains

jd

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of David B. Cook
Sent: Tuesday, December 18, 2001 11:47 PM
To: Charles Steinkuehler
Cc: [EMAIL PROTECTED]
Subject: [Leaf-user] ez-ipupdate


Could somebody out there with a valid development system for Dachstein
compile a copy of ez-ipupdate to be included on Charles' CD?

Thanks, dbc.
--

David B. Cook, [EMAIL PROTECTED]
Linux -- up 50 days because it can.
11:32pm up 50 days, 2:24, 0 users, load average: 0.02, 0.01, 0.00





[Leaf-user] ssh / openssh?

2001-12-19 Thread Julian Church

Hi All,

I use ssh to access and administer my Dachstein firewalls. (one home, one 
office).

I'm a bit confused because there seem to be two versions of sshd.lrp 
available at the moment -

The one I've always used is quite small, is called sshd.lrp, is available 
at ftp://ftp.linuxrouter.org/linux-router/dists/2.9.8/packages/ and is 
referenced in Steve Peck's sshd howto 
http://c0wz.steinkuehler.net/dox/sshd.txt.

The other one is much bigger (too big for my floppy), is also called 
sshd.lrp, requires that I use libz.lrp and is part of openssh maintained by 
Jacques Nilo at http://leaf.sourceforge.net/devel/jnilo/index.html.

Could someone explain the differences?  Are the differences worth worrying 
about?  Should I consider upgrading?

cheers

Julian

-- 
[EMAIL PROTECTED]
www.ljchurch.co.uk





[Leaf-user] Help! Can not ping past outside interface.

2001-12-19 Thread jmassey

I have an OS/2 firewall I am currently trying to convert to a Dachstein v.1.0.2 box.
It has (2) NE2000 compliant ISA cards.
I uncommented the 8390 and the appropriate modules, with the IO addresses set to 300 and 340.
I need a static outside IP because it is actually the inside address of my DMZ.
So I set it to 192.168.16.2/24.
The cards are the same, as is the driver.
I can ping both cards from the Dachstein box.
I can ping the internal network (192.168.1.1-199, assigned by DHCP from the Dachstein box) from the Dachstein box.
I can ping the internal card (192.168.1.1) from the internal network.
I can ping through to the external card (192.168.16.2) from the internal network.
I CAN NOT ping past the external card, either from the Dachstein box or the internal network.
I CAN NOT telnet on any port past the external card, either from the Dachstein box or the internal network, so it is not just ICMP.
The error is NOT a "network unreachable" error, and I think the IP is configured right.
The response from the failed ping says "not permitted".

I do not think it is a driver or card config issue, because I switched the IO addresses and the same thing happened with the opposite cards (had to swap the cables, of course).

Could it be a default firewall config that denies everything? The docs say it should be set to be a masq firewall out of the box.

Thank you in advance for your help. And if I missed a similar post, please forgive me; I did look for a long time.

Jason Massey


Re: [Leaf-user] Help! Can not ping past outside interface. Dachstein v.1.0.2

2001-12-19 Thread Ray Olszewski

At 02:24 PM 12/19/01 -0500, [EMAIL PROTECTED] wrote:
[...]
I need a static Outside IP because it is actually the inside address of my 
DMZ.
So set it with 192.168.16.2/24
[...]
I CAN NOT ping past the external card either from the Dachstein box or the 
internal network.
I CAN NOT telnet on any port past the external card either from the 
Dachstein box or the internal network, so it is not just ICMP.
The error is NOT a network unreachable error, and I think the IP is 
configured right.
The response from the failed ping says not permitted.

If the actual message is "sendto: operation not permitted" (quoting error
messages EXACTLY is always better than paraphrasing them), then this is most
likely a firewall problem. Especially since your external address is in the
private-address range, and stock LEAF firewalls block private-range
addresses on the external interface.

Check your firewall ruleset with ipchains -L -n -v, and see if there is an
input-chain rule that ALLOWs 192.168.16.0/24 BEFORE the one that DENYs (or
REJECTs) 192.168.0.0/16 on the external interface. If there is, then you
have a different problem. If there isn't, then you need to add one ... I'm
not exactly sure what the best way is to do this. (One option is to use the
EchoWall firewall scripts, which handle the external interface differently.)


--
"Never tell me the odds!" -- Han Solo
Ray Olszewski
Palo Alto, CA   [EMAIL PROTECTED]
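An added illustration (not part of the thread): a first-match evaluator for an ipchains-style input chain, using a constructed stand-in for the stock private-range DENY rules (not Dachstein's actual ruleset, which you read with ipchains -L -n -v), showing why the 192.168.16.0/24 ACCEPT has to sit before the 192.168.0.0/16 DENY, and automating the rule-order check Ray describes.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    target: str                  # ACCEPT, DENY or REJECT
    source: str                  # source network the rule matches (CIDR)
    iface: Optional[str] = None  # interface the rule is bound to; None = any


def first_match(chain: List[Rule], src_ip: str, iface: str) -> str:
    """ipchains semantics: rules are tried top to bottom and the first one
    that matches decides the packet; nothing matching falls through to the
    chain policy (returned here as the string "POLICY")."""
    src = ipaddress.ip_address(src_ip)
    for rule in chain:
        if rule.iface is not None and rule.iface != iface:
            continue
        if src in ipaddress.ip_network(rule.source):
            return rule.target
    return "POLICY"


# Constructed stand-in for the stock anti-spoofing rules on the external
# interface: every RFC 1918 source is dropped on eth0, everything else passes.
STOCK_INPUT = [
    Rule("DENY", "10.0.0.0/8", "eth0"),
    Rule("DENY", "172.16.0.0/12", "eth0"),
    Rule("DENY", "192.168.0.0/16", "eth0"),
    Rule("ACCEPT", "0.0.0.0/0"),
]

DMZ_NET = "192.168.16.0/24"  # the poster's external/DMZ network


def with_dmz_allow(chain: List[Rule], position: int) -> List[Rule]:
    """Copy of `chain` with an ACCEPT for the DMZ net on eth0 inserted at
    index `position` (before or after the private-range DENY)."""
    new = list(chain)
    new.insert(position, Rule("ACCEPT", DMZ_NET, "eth0"))
    return new


def dmz_allowed_before_deny(chain: List[Rule], dmz: str = DMZ_NET,
                            iface: str = "eth0") -> Optional[bool]:
    """Ray's check, automated: walking the input chain, does an ACCEPT that
    covers the DMZ net on the external interface come BEFORE any DENY/REJECT
    that would catch it?  True/False, or None if no rule touches the DMZ."""
    dmz_net = ipaddress.ip_network(dmz)
    for rule in chain:
        if rule.iface is not None and rule.iface != iface:
            continue
        net = ipaddress.ip_network(rule.source)
        if not net.overlaps(dmz_net):
            continue
        if rule.target == "ACCEPT" and dmz_net.subnet_of(net):
            return True
        if rule.target in ("DENY", "REJECT"):
            return False
    return None


def verdicts(reply_src: str = "192.168.16.1") -> dict:
    """Verdict for a reply coming back in on eth0 from a host on the DMZ
    side (constructed address) under three orderings of the same rules."""
    return {
        "stock": first_match(STOCK_INPUT, reply_src, "eth0"),
        "allow_before_deny": first_match(with_dmz_allow(STOCK_INPUT, 0), reply_src, "eth0"),
        "allow_after_deny": first_match(with_dmz_allow(STOCK_INPUT, 3), reply_src, "eth0"),
    }


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:>18}: {verdict}")
```

The same rules in a different order give opposite answers for the same packet, which is the whole point of checking where the ACCEPT lands rather than just whether it exists.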






Re: [Leaf-user] Help! Can not ping past outside interface. Dachstein v.1.0.2

2001-12-19 Thread jmassey

Ray,

Sorry for the paraphrase. I do not have access to the machine today.
Yes that is the exact message. That sounds like it could very well be the problem. I will test it tomorrow and let you know the results. 
Thank you very much. I did not even think about the private address being handled differently than a valid one.

Jason Massey












Re: [Leaf-user] Help understand unusual packets

2001-12-19 Thread Patrick Benson

Scott wrote:
 
 I've been getting tons of these mysterious packets.  Eth0 is my external
 interface so it's unusual that these two private IPs are hitting it.  I
 checked it against that ipchains log decoder (forgot the website) which
 mostly brushed it off as non-threatening.  However, 216.231.46.238 was the
 result of a big nasty DOS attack last weekend so I'm suspicious of
 everything.  Any insight is most helpful.
 
 The offending packets (they are constantly coming in):
 
 Dec 19 09:30:19 mail kernel: Packet log: input DENY eth0 PROTO=6
 192.168.27.31:80 216.231.46.238:14641 L=41 S=0x00 I=35612 F=0x4000 T=51
 (#10)
 
 Dec 19 09:30:26 mail kernel: Packet log: input DENY eth0 PROTO=6
 172.16.0.110:80 216.231.46.238:32992 L=40 S=0x00 I=34533 F=0x4000 T=238 (#9)
 
 -Scott

Scott,

Is there a chance that your ISP uses those private nrs. on their
internal network? My ISP uses 192.168.x.x and 172.17.x.x. That could be
a hint to why you're getting packets on your eth0...Do you know if your
ISP uses any sort of proxies with http?


-- 
Patrick Benson
Stockholm, Sweden
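An added example (not from the thread) that parses the ipchains "Packet log:" lines Scott quoted and flags the two things Patrick's reply turns on: an RFC 1918 source arriving on the external interface, and a TCP source port of 80 (a web server or proxy answering); the third log line and the syslog prefixes are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ipchains kernel log format (2.2 kernels), as seen in the post:
#   Packet log: <chain> <verdict> <iface> PROTO=<n> <src>:<sport> <dst>:<dport>
#               L=<length> S=<tos> I=<ip id> F=<frag/flags> T=<ttl> (#<rule>)
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<verdict>\w+) (?P<iface>\w+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=(?P<frag>0x[0-9a-fA-F]+) T=(?P<ttl>\d+) \(#(?P<rule>\d+)\)"
)

# RFC 1918 ranges spelled out rather than IPv4Address.is_private, which also
# counts documentation/test ranges as private.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class PacketLog:
    chain: str
    verdict: str
    iface: str
    proto: int
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    ttl: int
    rule: int


def parse_line(line: str) -> Optional[PacketLog]:
    """Parse one syslog line; returns None for lines that are not packet logs."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    g = m.groupdict()
    return PacketLog(g["chain"], g["verdict"], g["iface"], int(g["proto"]),
                     ipaddress.IPv4Address(g["src"]), int(g["sport"]),
                     ipaddress.IPv4Address(g["dst"]), int(g["dport"]),
                     int(g["ttl"]), int(g["rule"]))


def is_rfc1918(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in RFC1918)


def classify(pkt: PacketLog, external_iface: str = "eth0") -> List[str]:
    """Tags for the two observations in Patrick's reply: a private source
    address showing up on the external interface, and TCP source port 80,
    i.e. something that looks like a web server (or ISP proxy) answering."""
    tags = []
    if pkt.iface == external_iface and is_rfc1918(pkt.src):
        tags.append("rfc1918-src-on-external")
    if pkt.proto == 6 and pkt.sport == 80:
        tags.append("tcp-src-port-80")
    return tags


def summarize(log_text: str) -> List[Tuple[str, List[str]]]:
    """(source address, tags) for every packet-log line in `log_text`."""
    out = []
    for line in log_text.splitlines():
        pkt = parse_line(line)
        if pkt is not None:
            out.append((str(pkt.src), classify(pkt)))
    return out


# First two lines are the ones quoted in the post; the third is a constructed
# public-source line (documentation range) for contrast, the fourth is noise.
SAMPLE_LOG = """\
Dec 19 09:30:19 mail kernel: Packet log: input DENY eth0 PROTO=6 192.168.27.31:80 216.231.46.238:14641 L=41 S=0x00 I=35612 F=0x4000 T=51 (#10)
Dec 19 09:30:26 mail kernel: Packet log: input DENY eth0 PROTO=6 172.16.0.110:80 216.231.46.238:32992 L=40 S=0x00 I=34533 F=0x4000 T=238 (#9)
Dec 19 09:31:02 mail kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.23:4321 216.231.46.238:23 L=60 S=0x00 I=12 F=0x0000 T=60 (#9)
Dec 19 09:31:05 mail kernel: something unrelated
"""

if __name__ == "__main__":
    for src, tags in summarize(SAMPLE_LOG):
        print(f"{src:>15}  {', '.join(tags) or '-'}")
```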




[Leaf-user] Re: Puzzled about Port Forwarding (Victor McAllisteer)

2001-12-19 Thread Rob Dover


Message: 9
Date: Tue, 18 Dec 2001 22:13:36 -0800
From: Victor McAllisteer [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: [Leaf-user] Puzzled about Port Forwarding


Rob Dover wrote:

 There seems to be so many different ways of doing port forwarding, I
 confess to being totally stumped.
 I am running an E2B firewall which has been working quite nicely for
 several months now.  I am now adding a new machine behind the firewall
 and need to open a few ports. The only option I seem to have available
 is either ipmasqadm autofw or ipmasqadm portfw.
 I have tried using ipmasqadm portfw -a -P tcp -L InternetIP port -R
 ServerIP port which didn't give any errors yet when I do a ipmasqadm
 portfw -l I get...
 Could not open /proc/net/ip_masq/portfw
 Could not open /proc/net/ip_portfw
 Check if you have enabled portforwarding
 #
 Neither of the two portfw files exist nor do I seem to be able to create
 them.
 I have also tried ipfwadm -F -i accept -P udp -S InternetIP -D ServerIP
 2074 which gives me the error ipfwadm: setsockopt failed: Invalid
 argument.

 I think I have port forwarding enabled; at least I have these two entries
 in my network.conf;
 IPFWDING_KERNEL=YES
 IPFWDING_FW=YES

 Can someone clue me into what I am doing wrong?
 Thanks

It might be helpful if you give some more particulars about what you are
trying to forward and where.
There are values in /etc/network.conf that, if configured, open the
firewall and forward to internal machines.

I need to have either Telnet or SSH (preferably SSH) forwarded to a machine
inside (IP 192.168.0.4) plus I need SSH to manage the FW from the inside
from a different machine (192.168.0.1).
I also need to open udp ports 2074 and 2075 as well as tcp ports 15425,
15426 and 15427 to the same machine for incoming connections.
-Rob-




[Leaf-user] RE: ez-ipupdate

2001-12-19 Thread Doug Hite

 [EMAIL PROTECTED] 12/19/01 01:22PM 

Thank you very much!!!  This is very much needed.  Having the
custom dyndns domains working will be great.  Does anybody
know if setting the backup MX address is working yet?

Doug






Re: [Leaf-user] ez-ipupdate

2001-12-19 Thread Jacques Nilo

 Could somebody out there with a valid development system for Dachstein
 compile a copy of ez-ipupdate to be included on Charles' CD?

 Thanks, dbc.
See
http://leaf.sourceforge.net/devel/jnilo/packages/ez-ipupd.lrp
It's 3.0.11b5 stripped to 24K.
It's also on Shane Boulter's page at
http://leaf.sourceforge.net/devel/sboulter/
but I am not sure of the version and the package is bigger (45K - not
stripped).
Jacques





[Leaf-user] DELETE ME!

2001-12-19 Thread expresso

Ignore me: I'm using a freebie (imail.com) mail service for this list; and it appears 
only a few messages are making it.
Sorry for the inconvenience...




[Leaf-user] Starting from scratch to build a high capacity VPN tunnel appliance, part 2

2001-12-19 Thread Dan Schwartz


 Good afternoon, folks!

 Well, it looks like at least part of the capacity answer was in the Linux
FreeS/WAN Compatibility Guide, right above the crypto hardware section at:
http://www.freeswan.org/freeswan_trees/freeswan-1.91/doc/compat.html#multiprocessor,
namely the dual processor option. I've long used dual CPU machines
with NT4 & NT5, all the way back to dual PPro machines.

 On the other hand, the article cited above glosses over a problem with
multiple CPUs: The Linux 2.2.x kernel does *not* have a multithreaded IP
stack. If you remember about 2½ years ago, NetCraft had a shootout between
NT4/IIS and Linux 2.2.x/Apache, on quad Xeon Dells... And IIS blew Apache out
of the water as the load increased. As it turns out after long analysis, the
bottleneck was the IP stack only using one CPU; and the problem wasn't fixed
until the v2.4 kernel was released.

 As I look at the FreeS/WAN documentation with an eye towards a dual CPU
mobo, I notice that it still uses the 2.2.x kernel, which means I lose the
symmetric multiprocessing capacity, and end up somewhere between NetWare 4 and
MacOS 9 running on dual CPU boxes.

 Are there any FreeS/WAN implementations using the v2.4x kernel?

 Cheers!
 Dan Schwartz
 Cherry Hill, NJ

--- PREVIOUSLY, MR. BROCK NANSON WROTE...

From: Brock Nanson [EMAIL PROTECTED]
Subject:  [Leaf-user] Re: Starting from scratch to build a high capacity VPN
tunnel appliance
Date:  Wed, 19 Dec 2001 09:44:45 -0800

Hi Dan,

I don't think you are alone in this quest... There are several prebuilt
options out there (firecard for instance) that can make the VPN more of
an appliance than a PC. However, it's nice to have some control over
the configuration, and more satisfying to do it yourself rather than
just buy a canned product!

I believe the CF-IDE idea has been done, at least for the regular LRP
concept. You could snoop around the various LRP sites. I don't see why
it couldn't be extended to include the FreeS/WAN stuff as well. I've
got the Steinkuehler version of 1.5 going in several locations, without
issue. I just use the floppy drive versions - they are only read on
boot - and have yet to have a floppy-caused failure. I avoided the
'superfloppy' by adding a second drive. So I have two 1.44 MB floppies
to handle all the modules I need.

I'm not sure that the Compact Flash idea is really going to solve all
your problems... Why not try the floppy method first? A second set of
floppies kept at each site would allow a failsafe should the first set
meet an untimely demise. And if you're planning to courier updated CF
cards, you could just as easily courier a new set of floppies. Or for
that matter, create new disk images you could email and have the remote
office write them to floppy. Or SSH and SCP stuff to the remote
offices. Using a CD would be even more reliable... In fact I'd be
tempted to say more reliable than CF.

Given that my floppies see use once a month or less, I don't think you
should be overly concerned! Once you build a stable system, you could
practically throw the floppies away and run the gateway on a UPS -
they are that solid.

R Brock Nanson, P.Eng. [EMAIL PROTECTED]
TRUE Consulting Group
201 - 2079 Falcon Road
Kamloops BC V2C4J2 www.true.bc.ca
(250) 828-0881 fax: (250) 828-0717










Re: [Leaf-user] Starting from scratch to build a high capacity VPN tunnel appliance, part 2

2001-12-19 Thread Tom Eastep

On Wednesday 19 December 2001 03:19 pm, Dan Schwartz wrote:


  Are there any FreeS/WAN implementations using the v2.4x kernel?


I've been running FreeS/WAN on 2.4 kernels for months. I'm currently using 
FreeS/WAN version 1.94 with kernel 2.4.16.

-Tom
-- 
Tom Eastep\  [EMAIL PROTECTED]
AIM: tmeastep  \  http://www.shorewall.net
ICQ: #60745924  \  Firewalls for Linux 2.4





Re: [Leaf-user] Update: AT&T Transition Woes

2001-12-19 Thread Cliff Rosenberg

Hello-

I have a cable modem on AT&T (a Motorola SB4100) and have been using Charles'
latest Dachstein release on floppy without any problems.  The disk image is
totally stock; all I did was edit my DHCP client options (the
send-host-name option needs to be your user id given by AT&T, the
Cxxx-A format that it is in).  I am using a P100 w/24 megs RAM, 2 3COM
NICs, a 3C905B and a 3C905B-M.

Totally stock otherwise in config files, just added the modules for the
NICs, changed send-host-name, backed up, re-booted, had an IP within
seconds, running for almost 2 weeks without a hitch.

Check your DHCP client config, I think that's your problem.  DON'T use any of
the options EXCEPT send-host-name and I think you'll be fine...

Regards,
Cliff Rosenberg
[EMAIL PROTECTED]


- Original Message -
From: gc [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, December 19, 2001 9:16 PM
Subject: [Leaf-user] Update: AT&T Transition Woes



 First of all, thanks to all who responded to my initial post.
 This includes Mark, Scott, Matt, Charles, David, Sean, Michael,
 and Richard. I've tried pretty much everything that's been
 suggested: setting various dhclient parameters, setting HOSTNAME
 and HOSTS0, etc. Unfortunately, I'm still having the same problem.
 I figured it was time to post a more thorough support request.

 Problem description: After being transitioned off of home.com to
 attbi.com, I wasn't able to ping any addresses from my old LRP box.
 I upgraded to Dachstein 1.0.2, but that didn't seem to make much
 difference.

 If I hook my win2k box directly into the cable modem, things work
 fine. It gets assigned address 12.237.7.206, subnet 255.255.240.0,
 and default gateway 12.237.0.1.

 The fact that the router gets such a different configuration makes
 me suspect it's some sort of DHCP problem. But by all appearances,
 DHCP works fine. It acquires its addresses from 12.237.0.1, which
 happens to be the default gateway for the win2k box AND appears to
 be the ONLY address that I can successfully ping from the router.

 I've included the following information:
  . network diagram
  . dmesg output
  . ip addr show
  . ip route show
  . ip neighbor show
  . ip -s link show
  . /etc/network.conf
  . /etc/lrp.conf
  . /etc/dhclient.conf


                 |
          _______|_______
         |               |
         |  Cable Modem  |
         |_______________|
                 |
          _______|_______  eth0 DHCP 12.255.173.135
         |               |
         |  LRP Router   |
         |_______________|
                 | eth1 192.168.1.1
          _______|_______
         |               | win2k PC  192.168.1.x
         |      Hub      | win2k PC  192.168.1.y
         |               | printer   192.168.1.z
         |_______________|

 c696585-b: -root-
 # dmesg
 Linux version 2.2.19-3-LEAF (root@debian) (gcc version 2.7.2.3) #1 Sat Dec 1 12:15:05 CST 2001
 BIOS-provided physical RAM map:
  BIOS-88: 000a @  (usable)
  BIOS-88: 00f0 @ 0010 (usable)
 Console: colour VGA+ 80x25
 Calibrating delay loop... 33.07 BogoMIPS
 Memory: 14064k/16384k available (732k kernel code, 412k reserved, 432k data, 44k init)
 Checking if this processor honours the WP bit even in supervisor mode... Ok.
 Dentry hash table entries: 2048 (order 2, 16k)
 Buffer cache hash table entries: 16384 (order 4, 64k)
 Page cache hash table entries: 4096 (order 2, 16k)
 CPU: Intel 486 DX/2 stepping 05
 Checking 386/387 coupling... OK, FPU using exception 16 error reporting.
 Checking 'hlt' instruction... OK.
 POSIX conformance testing by UNIFIX
 PCI: No PCI bus detected
 Linux NET4.0 for Linux 2.2
 Based upon Swansea University Computer Society NET3.039
 NET4: Unix domain sockets 1.0 for Linux NET4.0.
 NET4: Linux TCP/IP 1.0 for NET4.0
 IP Protocols: ICMP, UDP, TCP
 TCP: Hash tables configured (ehash 16384 bhash 16384)
 Initializing RT netlink socket
 Starting kswapd v 1.5
 Software Watchdog Timer: 0.05, timer margin: 60 sec
 Real Time Clock Driver v1.09
 RAM disk driver initialized:  16 RAM disks of 6144K size
 Floppy drive(s): fd0 is 1.44M
 FDC 0 is an 8272A
 RAMDISK: Compressed image found at block 0
 RAMDISK: Uncompressing root archive: done.
 RAMDISK: Auto Filesystem - minix: 2048i 6144bk 68fdz(68) 1024zs 2147483647ms
 VFS: Mounted root (minix filesystem).
 RAMDISK: Extracting root archive: done.
 VFS: Disk change detected on device fd(2,44)
 Freeing unused kernel memory: 44k freed
 ne.c:v1.10 9/23/94 Donald Becker ([EMAIL PROTECTED])
 NE*000 ethercard probe at 0x300: 00 40 05 fa 1b 80
 eth0: NE2000 found at 0x300, using IRQ 10.
 NE*000 ethercard probe at 0x340: 00 40 05 fa 00 52
 eth1: NE2000 found at 0x340, using IRQ 11.
 ip_masq_icq: using TCP port range 60200-61000
 ip_masq_icq: loaded support on port 4000/UDP
 Serial driver version 4.27 with MANY_PORTS MULTIPORT SHARE_IRQ enabled
 ttyS00 at 0x03f8 (irq = 4) is a 16550A
 ttyS01 at 0x02f8 (irq = 3) is a 16550A
 Packet log: input DENY eth0 PROTO=1 

RE: [Leaf-user] Update: AT&T Transition Woes

2001-12-19 Thread Dan Schwartz


And just when you AT&T cable users thought it was safe to go back into the
water:
Comcast wins AT&T Broadband in $72 billion deal
http://www.cnn.com/money/2001/12/19/deals/att/index.htm

Get ready to change your settings yet again...

Cheers!
Dan

...Still waiting for a cable modem connection from
Suburban - AT&T - Comcast on my trunk.

-Original Message-
From: Cliff Rosenberg
Subject: RE: [Leaf-user] Update: AT&T Transition Woes


Yeah, I hear what you're saying, but it just isn't working for me.

I've tried with and without the send host-name in the dhclient.conf.
I've also tried it with send client-identifier. No apparent difference.

 - Gary







RE: [Leaf-user] Update: AT&T Transition Woes

2001-12-19 Thread gc


It looks like Charles and Dan nailed it.

My ISP seemed to be keying off of the MAC address.
When I spoofed the router's MAC address (as per Charles'
instructions below), it was able to get a good IP address.
It still bugs me, though, that the ISP WAS giving me an IP
address, just not a good one. I guess they just didn't want
to make it easy on me :)

Now, I guess I'll try figuring out how to get my ISP to accept
the new MAC address. Or, I guess I can just change the MAC address
as the router boots.

Thanks for the good ideas, gentlemen. And thanks to Charles
for the Dachstein release - wonderfully simple and easy to use.

 - Gary


-Original Message-
From: Charles Steinkuehler [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 19, 2001 8:56 PM
To: gc; [EMAIL PROTECTED]
Subject: Re: [Leaf-user] Update: ATT Transition Woes



Since you're getting much different DHCP data using linux instead of
windows, you might try to see if you can change some dhcp settings and get
something more similar to your working windows config.  First try removing
any dhcp client leases (in /var/state/dhcp)...shut down dhclient & restart
(svi dhclient stop/start).  If that doesn't work, try tricking the DHCP
server by giving your external interface the same MAC address as the card in
your windows box (just make sure you don't have both interfaces on the same
ethernet segment...things would get massively confused).  You can do this
with the ip command (ip link set eth0 address 00:80:c8:ca:ab:11)...replace
the MAC address with the right one, of course, and make sure you've cleared
any dhclient leases as well...


Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)


_
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com


___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user



RE: [Leaf-user] Update: ATT Transition Woes

2001-12-19 Thread Dan Schwartz


Not too shabby for a linux newbie! :)

Anyway, Gary, Don't rock the boat: Spoof the MAC address in your router and
put it to bed.

By the way, the IP address assigned by ATT was probably valid, but the
connection was blocked by the router at the head end since the MAC address
didn't match up... Just a vain attempt to slow down the script kiddies.

Cheers!
Dan

-Original Message-
From: gc
Subject: RE: [Leaf-user] Update: ATT Transition Woes


It looks like Charles and Dan nailed it.

My ISP seemed to be keying off of the MAC address.
When I spoofed the router's MAC address (as per Charles'
instructions below), it was able to get a good IP address.
It still bugs me, though, that the ISP WAS giving me an IP
address, just not a good one. I guess they just didn't want
to make it easy on me :)

Now, I guess I'll try figuring out how to get my ISP to accept
the new MAC address. Or, I guess I can just change the MAC address
as the router boots.

Thanks for the good ideas, gentlemen. And thanks to Charles
for the Dachstein release - wonderfully simple and easy to use.

 - Gary


___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user



[Leaf-user] Dachstein CD 1.02 RTL8139 headache

2001-12-19 Thread Jim Van Eeckhoutte


I installed CD 1.0.2 and can't seem to get an address from
the ISP via cable modem. RTL8139 drivers are loaded via CD from the
/lib/modules/net dir in lib/modules along with pci-scan.o (which is loaded first). While
looking at the NIC card in back I notice it drops link when the drivers are loaded.

P.S. had the whole thing working when using CD 1.0.1


Re: [Leaf-user] Update: ATT Transition Woes

2001-12-19 Thread Michael D. Schleif


gc wrote:
 
 It looks like Charles and Dan nailed it.
 
 My ISP seemed to be keying off of the MAC address.
 When I spoofed the router's MAC address (as per Charles'
 instructions below), it was able to get a good IP address.
 It still bugs me, though, that the ISP WAS giving me an IP
 address, just not a good one. I guess they just didn't want
 to make it easy on me :)
 
 Now, I guess I'll try figuring out how to get my ISP to accept
 the new MAC address. Or, I guess I can just change the MAC address
 as the router boots.
 
 Thanks for the good ideas, gentlemen. And thanks to Charles
 for the Dachstein release - wonderfully simple and easy to use.

[ snip ]

Good!  You're making progress . . .

I suggest that you post the contents of: /var/state/dhcp/dhclient.leases
from Dachstein *after* it negotiates _both_ a good and a bad lease. 
Make certain that you reboot the firewall in between, so the file is
clean each time.

Then, for grins, boot up on the w2k box.  Once you successfully negotiate
a good lease, go to a DOS prompt and do this:

ipconfig /release

Then, unplug that box from the cable modem and plug in your powered OFF
firewall.  Turn that ON, see what happens and if that doesn't
successfully negotiate a good lease, publish a third instance of
/var/state/dhcp/dhclient.leases

Unfortunately, the isp-end hardware for att.broadband is so diverse
throughout the country that this great variation obtains.  In my case, I
couldn't successfully negotiate a good lease until I *stopped* sending
the client-id.  Prior to the transition, I could not negotiate a good
lease *without* the client-id ;

What do you think?

-- 

Best Regards,

mds
mds resource
888.250.3987

Dare to fix things before they break . . .

Our capacity for understanding is inversely proportional to how much we
think we know.  The more I know, the more I know I don't know . . .

___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
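The procedure that Charles describes (clear the dhclient lease, give the external interface the MAC of the Windows box, restart dhclient), the dhclient.conf options Cliff and Michael discuss (send host-name set to the ATT user id, client-identifier on or off depending on the head end), and Gary's plan to set the MAC as the router boots, pulled together as one added example. This script is not from the thread or the Dachstein release; it only assumes the paths and commands the thread names (/var/state/dhcp/dhclient.leases, `svi dhclient stop/start`, `ip link set`), the interface name eth0, and the sample MAC from Charles' message. Two checks a practitioner wants are included: the MAC is rejected unless it is a well-formed unicast address (setting a multicast or all-zero address silently breaks the link), and the host-name/client-id strings are rejected if they contain characters that would break out of the dhclient.conf quoting. The same caveat Charles gives still applies: the Windows box and the firewall must not be on the same segment while both carry that MAC. A head end that keys on the MAC is checking an identifier, not authenticating anything, which is why cloning it works at all.

```sh
#!/bin/sh
# Added example, not code from the thread or from Dachstein.
# Assumed: Dachstein-style paths and "svi dhclient" service script,
# external interface eth0, and a sample MAC taken from the thread.
EXT_IF="${EXT_IF:-eth0}"
NEW_MAC="${NEW_MAC:-00:80:c8:ca:ab:11}"
LEASES="${LEASES:-/var/state/dhcp/dhclient.leases}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands, 0 = run them

# Accept only six colon-separated hex octets, not all-zero, with the
# group (multicast) bit of the first octet clear.
valid_mac() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$mac" in
        ??:??:??:??:??:??) ;;
        *) return 1 ;;
    esac
    hex=$(printf '%s' "$mac" | tr -d ':')
    case "$hex" in
        *[!0-9a-f]*) return 1 ;;
    esac
    [ ${#hex} -eq 12 ] || return 1
    [ "$hex" != "000000000000" ] || return 1
    first=$(printf '%s' "$hex" | cut -c1-2)
    case "$first" in
        ?[13579bdf]) return 1 ;;   # odd second digit = group bit set
    esac
    return 0
}

# Run a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Clone a MAC onto the external interface and re-run dhclient from a
# clean lease file, the sequence the thread recommends.
spoof_mac() {
    iface="$1"; mac="$2"
    valid_mac "$mac" || { echo "refusing bad MAC: $mac" >&2; return 1; }
    run rm -f "$LEASES"                 # forget the lease tied to the old MAC
    run svi dhclient stop
    run ip link set dev "$iface" down   # address can only change while down
    run ip link set dev "$iface" address "$mac"
    run ip link set dev "$iface" up
    run svi dhclient start
}

# Emit a minimal dhclient.conf for the external interface: send host-name
# (the ATT user id, Cxxxxxx-A form) and, only if a third argument is given,
# dhcp-client-identifier, since some head ends need it and others reject it.
# Strings are limited to characters that cannot break the conf quoting.
dhclient_conf() {
    iface="$1"; hostname="$2"; clientid="${3:-}"
    case "$iface$hostname$clientid" in
        *[!A-Za-z0-9._:-]*) echo "dhclient_conf: unsafe characters" >&2; return 1 ;;
    esac
    printf 'interface "%s" {\n' "$iface"
    printf '  send host-name "%s";\n' "$hostname"
    if [ -n "$clientid" ]; then
        printf '  send dhcp-client-identifier "%s";\n' "$clientid"
    fi
    printf '}\n'
}

case "${1:-}" in
    --apply)   DRY_RUN=0; spoof_mac "$EXT_IF" "$NEW_MAC" ;;
    --dry-run) spoof_mac "$EXT_IF" "$NEW_MAC" ;;
esac
```

Run it once with `--dry-run` to see the exact commands, then with `--apply` as root; to make it happen at boot, call it from the Dachstein startup sequence before dhclient starts and save the configuration to floppy as the thread describes. `dhclient_conf eth0 C1234567-A > /etc/dhclient.conf` writes the host-name-only configuration Cliff reports working; add the client-id as a third argument only if that is what your head end turned out to need.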



[Leaf-user] (Wireless) Aironet 342 ISA card with Dachstein LEAF?

2001-12-19 Thread Pete Dubler

Has anyone used the Aironet 342 ISA card in a LEAF system running the
Dachstein (or other) release?

We are planning to set-up several of these as firewalls and routers in
our neighborhood.

The 802.11b Aironet will be at eth0 serving the public side.  One system
will also serve as an access point repeater, receiving on the Aironet
ISA card and routing, still on the public side, to a third NIC in the
LEAF, which then goes to an access point.  The second NIC in that box
will support the private (local/firewalled) side.

Any pointers would be greatly appreciated.

Pete Dubler
Fort Collins, Colorado

pete at dublerfamily dot com


___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user



[Leaf-user] Re: Leaf-user digest, Vol 1 #461 - 8 msgs

2001-12-19 Thread Rob Dover


 Message: 4
 From: Charles Steinkuehler [EMAIL PROTECTED]
 To: Rob Dover [EMAIL PROTECTED],
 [EMAIL PROTECTED]
 Subject: Re: [Leaf-user] Re: Puzzled about Port Forwarding (Victor
McAllisteer)
 Date: Wed, 19 Dec 2001 14:50:47 -0600


 You need to load the kernel modules that support port-forwarding:
 ip_masq_portfw
 ip_masq_autofw

 Charles Steinkuehler
 http://lrp.steinkuehler.net
 http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)


They should both be loaded. Both files are in /lib/modules with corresponding
entries in /etc/modules.
lsmod shows..

lsmod
Module            Pages  Used by
ip_gre             6148  0 (unused)
ip_masq_ipsec      7228  0 (unused)
ip_masq_pptp       4016  0 (unused)
ip_masq_autofw     2380  0 (unused)
ip_masq_ftp        2368  0 (unused)
ip_masq_irc        1316  0 (unused)
ip_masq_mfw        3100  0 (unused)
ip_masq_portfw     2380  0 (unused)
ip_masq_raudio     2380  0 (unused)
ip_masq_user       2380  0 (unused)
ip_masq_vdolive    1084  0 (unused)
ewrk3             12672  1
3c59x             18436  1

-Rob-


___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user



RE: [Leaf-user] Update: ATT Transition Woes

2001-12-19 Thread Dan Schwartz


Here's the IPCONFIG syntax in Win2k:

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\Documents and Settings\Administrator>IPCONFIG /?

Windows 2000 IP Configuration

USAGE:
   ipconfig [/? | /all | /release [adapter] | /renew [adapter]
| /flushdns | /registerdns
| /showclassid adapter
| /setclassid adapter [classidtoset] ]

   adapter      Full name or pattern with '*' and '?' to 'match',
                * matches any character, ? matches one character.
   Options
   /?           Display this help message.
   /all         Display full configuration information.
   /release     Release the IP address for the specified adapter.
   /renew       Renew the IP address for the specified adapter.
   /flushdns    Purges the DNS Resolver cache.
   /registerdns Refreshes all DHCP leases and re-registers DNS names
   /displaydns  Display the contents of the DNS Resolver Cache.
   /showclassid Displays all the dhcp class IDs allowed for adapter.
   /setclassid  Modifies the dhcp class id.

The default is to display only the IP address, subnet mask and
default gateway for each adapter bound to TCP/IP.

For Release and Renew, if no adapter name is specified, then the IP address
leases for all adapters bound to TCP/IP will be released or renewed.

For SetClassID, if no class id is specified, then the classid is removed.

Examples:
 ipconfig   ... Show information.
 ipconfig /all  ... Show detailed information
 ipconfig /renew... renew all adapaters
 ipconfig /renew EL*... renew adapters named EL
 ipconfig /release *ELINK?21*   ... release all matching adapters,
 eg. ELINK-21, myELELINKi21adapter.

-Original Message-
From:  Simon Bolduc
Sent: Wednesday, December 19, 2001 11:37 PM
Subject: Re: [Leaf-user] Update: ATT Transition Woes


Sorry that I haven't been following this thread from the get go but here
goes:

I know certain ISPs cache the MAC address of the PC that is connected - I
believe that the head end modems at the ISP end can be set up to cache them
for different periods of time - possibly even to what would appear to be a
completely static setting.  From working at an @home ISP I know that
generally the IP was statically mapped back to your host id (or client-id
depending on the ISP vernacular) - but this had some drawbacks (say someone
is set up with a static IP cause the @home dhcp servers are flaky and then
the IP block gets reconfigured - IP address conflict).  From what I
understand, at least the ISP I used to work for, MAC to IP mapping that is
cached for 3 days has been implemented.  A situation similar to yours
happened to a friend of mine - he never got a valid lease much like yourself
- and the IP being offered was strange as well - came from some DHCP server
way out on the @home network...  The 3 day cache thing is a pain - but it
has a solution:

IF this is the problem affecting you - connect the 2K box that works to the
Modem, and release your IP  ( start - run - ipconfig /? ) I'd give you the
exact syntax but I'm not sure how ipconfig references your NIC - or what
model it is.  ipconfig /?  will give you the correct syntax of the command,
ipconfig /all will give you your NIC name.  After you've done that - unplug
the 2K box from the hub (just to make sure it doesn't decide to request its
IP again).  Plug in your router and hopefully you'll get a valid lease.

If this doesn't work - call ATT tech supp.  Ask about MAC caching on the
Router/Headend modem - if 1st level support doesn't know the answer, ask for
2nd level support - either group should be able to tell you about both, and
if they are using proper troubleshooting tools (well at least the ones I
used) they should be able to tell you if you currently have a lease.

S

Note: Dhclient 2 (the version on Dachstein) does not allow you to
release your IP - so if you decide to change NICs in your router - you're
gonna have to put it in a M$ or *nix box which allows you to release your
IP.




___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user



Re: [Leaf-user] Starting from scratch to build a high capacity VPN tunnel appliance, part 2

2001-12-19 Thread Michael D. Schleif


Dan Schwartz wrote:
 
 Dear Charles:
 
 Thank you *very* much for the offer. Right now they are in the process of
 getting the T-1 line provisioned (still 30+ days away, courtesy of Verizon);
 and as they get closer to deciding on whether they want a VPN channel between
 their offices I'll shepherd them towards this.
 
 [By the way, you're probably wondering why they would need a dual CPU
 encryption appliance: The firm is a service bureau, scanning in over 100,000
 documents per day - About 5 gigabytes per day. Then, they send the image files
 to Manila, where a crew of 200 operators key in and verify the data (sort of a
 manual OCR), then FTP the text back to NJ where it's put on disk or tape for
 the customer. Right now, they're sending a DVD every day via DHL to Manila
 with the scans: It's actually slightly cheaper than a T-1; but they lose a
 day. Basically, with T-1 lines on both ends (they are 4 miles from the
 Pennsauken peering point) the 1.544 megabit line will be fully loaded for 11
 hours just transmitting the data. Where the encryption (VPN circuit) comes in
 is that some of the customers are financial institutions, and it's a selling
 point in the highly competitive business.]

[ snip ]

What am I missing?  How is that you think that you can saturate a single
500 MHz celeron with an encrypted 1.5 Mbps connection?

Unless I'm missing something, you might do well to redo that math . . .

-- 

Best Regards,

mds
mds resource
888.250.3987

Dare to fix things before they break . . .

Our capacity for understanding is inversely proportional to how much we
think we know.  The more I know, the more I know I don't know . . .

___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user