[Leaf-user] Help!

2001-12-27 Thread Jim Van Eeckhoutte








Guys, I need help with this rtl8139 issue. Eth0 connects to the cable
modem... while watching the back of Eth0, the link drops when it tries to get
an address from ATT... I take the UTP wire out of the cable modem and hook it into the switch,
and the link light comes back and Dachstein CD 1.0.2 gets an address from the 2k server in the
garage (DHCP scope). What could this be... I'm pulling my hair out... hehe.

P.S.   I have reset the modem several times.

ATT pushes out a DHCP address to the client via
MAC address, which I have set via (ip link set eth0 address ma:ca:dd:re:ss:00 in
network.cfg)








Re: [Leaf-user] Help!

2001-12-27 Thread guitarlynn

Release your leases on both boxes before changing them on the WAN
connection.

~Lynn Avants


-- 
If linux isn't the answer, you've got the wrong problem.

___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user



Re: [Leaf-user] Dachstein-CD: port forward w/dmz & proxy_arp ???

2001-12-27 Thread Charles Steinkuehler

> My normal attempts resulted in failed connections.  Since this box uses
> wanpipe for EXTERN_IP, I couldn't troubleshoot with the normal tools
> (e.g., iptraf, tcpdump, &c.)  I kept thinking that I should see
> 5563[1|2] in the output of ipchains -nvL -- I was wrong ;>
>
> I found the problem, which is nothing to do with /etc/network.conf --
> indeed, the normal INTERN_SERVERS stuff works perfectly with this
> network!
>
> However, why is it that EXTERN_IP *and* port do not show up in ipchains
> -nvL ?  Is it because 5563[1|2] are already open?

The EXTERN_IP *and* port don't show up because you haven't explicitly opened
them.  You don't need to, since ports >=1024 are already open.

You don't see the port-forwarding entries in ipchains -nvL, because ipchains
doesn't control the port-forwarding.  Do a "net ipfilter list" and you'll
see the configured port-forwards...the output of the command: "ipmasqadm
portfw -nl"

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)





[Leaf-user] VPN - Error with Dachstein v.1.0.2 box.

2001-12-27 Thread jmassey

I have a Dachstein v.1.0.2 box with Tiny DNS, dnscache, mawk, ifconfig, and ipsec mods.
When I start ipsec it tells me:

ipsec_setup: kernal appears to lack KLIPS

When I stop it I receive:

/usr/local/lib/ipsec/klipsdebug: Trouble opening PF_KEY family socket witherror: Unknown foile open error 97. Please report as much detail as possible to development team.
/usr/local/lib/ipsec/eroute: Trouble opening PF_KEY family socket witherror: Unknown foile open error 97. Please report as much detail as possible to development team.
/usr/local/lib/ipsec/spi: Trouble opening PF_KEY family socket witherror: Unknown foile open error 97. Please report as much detail as possible to development team.

When I query the status I get:

IPsec running
but...
orphaned Pluto running!
KLIPS module is not loaded!

I think I have all the required modules and an IPsec-enabled kernel.
Any help would be greatly appreciated.

Jason


Re: [Leaf-user] Dachstein-CD: port forward w/dmz & proxy_arp ???

2001-12-27 Thread Michael D. Schleif


Doh!  Of course -- again, not thinking -- addled by all of this holiday
spirit ;>

Thank you.

Charles Steinkuehler wrote:
> 
> > My normal attempts resulted in failed connections.  Since this box uses
> > wanpipe for EXTERN_IP, I couldn't troubleshoot with the normal tools
> > (e.g., iptraf, tcpdump, &c.)  I kept thinking that I should see
> > 5563[1|2] in the output of ipchains -nvL -- I was wrong ;>
> >
> > I found the problem, which is nothing to do with /etc/network.conf --
> > indeed, the normal INTERN_SERVERS stuff works perfectly with this
> > network!
> >
> > However, why is it that EXTERN_IP *and* port do not show up in ipchains
> > -nvL ?  Is it because 5563[1|2] are already open?
> 
> The EXTERN_IP *and* port don't show up because you haven't explicitly opened
> them.  You don't need to, since ports >=1024 are already open.
> 
> You don't see the port-forwarding entries in ipchains -nvL, because ipchains
> doesn't control the port-forwarding.  Do a "net ipfilter list" and you'll
> see the configured port-forwards...the output of the command: "ipmasqadm
> portfw -nl"

-- 

Best Regards,

mds
mds resource
888.250.3987

Dare to fix things before they break . . .

Our capacity for understanding is inversely proportional to how much we
think we know.  The more I know, the more I know I don't know . . .



Re: [Leaf-user] adding a subnet

2001-12-27 Thread Charles Steinkuehler

> We were correct in that when I removed the extra IP from the interface
> it solved the initial problems at least partially. I can now ping eth1
> and eth2 on the lrp but not eth0. In other words both subnets can ping
> the others interface on the router but not past it to the rest of the
> subnet. If the DMZ (192.168.10.1) can see the interface at 192.168.1.254
> (eth1on lrp) shouldn't the router handle the rest of the routing?
> As well as out to the internet? The route command on the DMZ shows:

A bit of background...

The default dachstein firewall scripts will NOT route traffic between
interfaces unless EXPLICITLY told to do so.  If you simply add a third (or
fourth, or fifth...) interface, it will come up, and the router will be able
to ping devices on the new network, but NO TRAFFIC will be forwarded between
this new interface and other interfaces without properly setting up the
firewall rules (ie making the new interface a DMZ or additional internal
net) or creating some custom firewall rules in one of the /etc/ipchains.*
files.

NOTE:  If you add your new interface to the list of internal networks,
systems on the new network will be able to see the internet, but systems on
different internal networks will NOT be able to communicate with each other,
unless you add explicit rules to /etc/ipchains.forward to allow this.

It sounds like you're to the point where everything is setup except systems
on your new DMZ interface cannot talk to the internet or to systems on your
internal net.  If you properly configure the DMZ settings (probably for a
port-forwarded DMZ), everything should begin to work.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)





[Leaf-user] portfw to *multiple* hosts ???

2001-12-27 Thread Michael D. Schleif


Quite simply, what is the simplest, secure way to forward to two (2)
hosts?  There are probably better ways to accomplish the end goal; but,
we have an application whereby we may need to push very large files from
the internet to two (or, more) locations behind a Dachstein firewall.

What do you think?

-- 

Best Regards,

mds
mds resource
888.250.3987

Dare to fix things before they break . . .

Our capacity for understanding is inversely proportional to how much we
think we know.  The more I know, the more I know I don't know . . .



Re: [Leaf-user] Is this newbie even in the right ballpark with LEAF? (Summary)

2001-12-27 Thread Charles Steinkuehler

> >I've seen a number of reports from folks successfully using hardware
> >acceleration with FreeS/WAN,
>
> Oh? I didn't see any drivers for hardware accelerators - Or did
> I miss something.

I don't think you missed anything...there's no hardware support in the
mainstream code for FreeS/WAN.  I have, however, seen several reports of
folks adding hardware support to the FreeS/WAN code base on the mailing
list.  I have no idea if their code is available, or under what terms, but
there are reports of folks who have done this.  The libdes used by FreeS/WAN
is the same libdes provided with OpenSSL, and since most crypto hardware
makers who support linux provide OpenSSL patches, it may not be too hard to
interface FreeS/WAN to acceleration hardware, although such a project is
likely not for the faint of heart (there are still several
kernel-mode/user-mode issues...AFAIK, OpenSSL is generally designed to run
in user-space, while the FreeS/WAN software crypto routines are running in
kernel space, which makes a big difference in how you talk to the hardware).

> >although this is not a particularly main-stream
> >thing.  If you really want to burst to 155 MBits/sec, you'll probably need
> >some form of hardware acceleration (at least for a year or two, until the
> >5-6 GHz CPU's come out).
>
> If I need more CPU horsepower, I'll use 21264 (Alpha) CPU's instead.

Sounds like a plan...I've seen reports of 3DES routines that really smoke
running on Alphas, taking advantage of the true 64 bit architecture to run
bit-sliced algorithms which really speed things up vs the clunky x86
systems.  If you go with an alpha system, you'll probably want to use a
mainstream distro...you might want to do this anyway, depending on how 'thin'
you want to make your VPN gateways.

You might also consider separating your VPN gateway and firewall functions
into separate boxes, but that introduces complications of a different sort
(especially routing)...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)





Re: [Leaf-user] serial port in Dachstein cd 1.02

2001-12-27 Thread Charles Steinkuehler

> Is Dachstein CD Serial port ready? If not I think I need a HowTo.

Dachstein-CD is "serial port ready".  Floppy versions do not include the
serial driver built-in (to save space), so you'll need to load the serial.o
module before using the serial ports.

You can find a mini-HOWTO on my site:
http://lrp.steinkuehler.net/Documentation/LRP-Serial-HOWTO.txt

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)





Re: [Leaf-user] portfw to *multiple* hosts ???

2001-12-27 Thread Jeff Newmiller

On Thu, 27 Dec 2001, Michael D. Schleif wrote:

> 
> Quite simply, what is the simplest, secure way to forward to two (2)
> hosts?  There are probably better ways to accomplish the end goal; but,
> we have an application whereby we may need to push very large files from
> the internet to two (or, more) locations behind a Dachstein firewall.
> 
> What do you think?

scp or https/PUT to separate ports (22 and 2022, or 443 and 4443, for
example), one port for each host.  The hosts could each see input on the
nominal port (22 or 443).

---
Jeff Newmiller
DCN:<[EMAIL PROTECTED]>
Research Engineer (Solar/Batteries/Software/Embedded Controllers)
---




Re: [Leaf-user] Dachstein-CD V1.0.2 Available

2001-12-27 Thread Charles Steinkuehler

> The /dev/cdrom symlink is created in the /linuxrc script, but
> the actual code to do this is in /var/lib/lrpkg/root.dev.mk

Found it, thanks!

> This should be part of the root.lrp package, which is part of
> the bootable floppy disk image embedded on the CD-ROM (or on your boot
> floppy, if you're not booting directly from the CD).

Ok, next question.  I update and backup my root.lrp to floppy.  When I
reboot, it does not read my root.lrp from the floppy; all my settings (i.e.
my .ssh directory in /root) are missing.  So, what the heck am I missing?  I
don't have to use that root.lrp to burn a new cd in order to use it, do
I?

I know I must be missing something simple.

CS> Actually, if you really want to use a new root.lrp, you do have to burn
it to a new CD (or boot off a floppy disk containing the new root.lrp).  As
an alternative, you can add root.lrp to the package list (LRP=root,...), but
this is kind of clunky, and I'm not sure a system setup this way would
properly backup root.lrp a second time.

CS> Probably the best solution would be to add the contents you wish to
backup (ie either the /root directory or the /root/.ssh directory) to a
package other than root (like sshd or local) and backup that package.

CS> To add files to a package for backup, simply add the file/directory
specifier (shell wildcards are OK) to the /var/lib/lrpkg/.list
file.  If you want to include the files in a partial backup, you'll need to
add them to the /var/lib/lrpkg/.local file as well.  See the CD-ROM
readme for details on the .local file format, although you probably
just need to add an "I" in front of the filespec you used in the
.list file (ie "I ") for the .local file.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)





Re: [Leaf-user] VPN - Error with Dachstein v.1.0.2 box.

2001-12-27 Thread Charles Steinkuehler

> I have a Dachstein v.1.0.2 box with Tiny DNS, dnscache,mawk, ifconfig, and
> ipsec mods.
> When I start ipsec it tells me:
>
> ipsec_setup: kernal appears to lack KLIPS
>
> When I stop it I recieve:
>
> /usr/local/lib/ipsec/klipsdebug: Trouble opening PF_KEY family socket
> witherror: Unknown foile open error 97. Please report as much detail as
> possible to development team.
> /usr/local/lib/ipsec/eroute: Trouble opening PF_KEY family socket
> witherror: Unknown foile open error 97. Please report as much detail as
> possible to development team.
> /usr/local/lib/ipsec/spi: Trouble opening PF_KEY family socket witherror:
> Unknown foile open error 97. Please report as much detail as possible to
> development team.
>
> When I query the status I get:
>
> IPsec running
> but...
> orphaned Pluto running!
> KLIPS module is not loaded!
>
> I think I have all the required modules and an IPsecenabled kernal.
> Any help would be greatly appreciated.

Actually, it sounds like your kernel does not have KLIPS (the kernel level
IPSec support) enabled.  You should not see this error if you're using my
CD-ROM version, but the floppy disk version doesn't include IPSec support by
default (to save space).  The smallest kernel that includes IPSec support
for FreeS/WAN is:
http://lrp.steinkuehler.net/files/kernels/Dachstein-small/linux-2.2.19-3-LEAF-small-IPSec.zImage.upx

It's about 65K larger than the kernel w/o IPSec support.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)





Re: [Leaf-user] VPN - Error with Dachstein v.1.0.2 box.

2001-12-27 Thread jmassey

Thanks! I thought all Dachstein releases (floppy or otherwise) were IPsec enabled.
Since I JUST got it on 1 floppy with IPsec I will look at the CD version.
I was really hoping to keep it all on 1 floppy, but hey, that's life.
Thank you so much for your help, and your product.

Jason

Re: [Leaf-user] portfw to *multiple* hosts ???

2001-12-27 Thread Michael D. Schleif


Jeff Newmiller wrote:
> 
> On Thu, 27 Dec 2001, Michael D. Schleif wrote:
> 
> >
> > Quite simply, what is the simplest, secure way to forward to two (2)
> > hosts?  There are probably better ways to accomplish the end goal; but,
> > we have an application whereby we may need to push very large files from
> > the internet to two (or, more) locations behind a Dachstein firewall.
> >
> > What do you think?
> 
> scp or https/PUT to separate ports (22 and 2022, or 443 and 4443, for
> example), one port for each host.  The hosts could each see input on the
> nominal port (22 or 443).

Yes, I see this; but, is there someway to accomplish this --
simultaneously -- with one (1) remote operation?

If possible, we'd like the tee to be done at the firewall, *not* in user
space . . .

-- 

Best Regards,

mds
mds resource
888.250.3987

Dare to fix things before they break . . .

Our capacity for understanding is inversely proportional to how much we
think we know.  The more I know, the more I know I don't know . . .



Re: [Leaf-user] portfw to *multiple* hosts ???

2001-12-27 Thread Charles Steinkuehler

> Quite simply, what is the simplest, secure way to forward to two (2)
> hosts?  There are probably better ways to accomplish the end goal; but,
> we have an application whereby we may need to push very large files from
> the internet to two (or, more) locations behind a Dachstein firewall.

Simplest is to simply create multiple INTERN_SERVERS entries.  You'll need
to port-forward from different ports (or have more than one external IP
address).

Security of a port-forwarded service is only as secure as the service
itself.  If you really need tight security, you might consider an
application level proxy.  For instance, if you're port-forwarding to a MS
IIS web-server, you might want to run all requests through a *nix based
proxy that filters out (and logs) any *default.ida web-requests.  If you can
afford the overhead (and potential cost...there are many good application
level proxies that are for sale commercial products), this can be a good way
to shield yourself from various attacks, both known and (at least some)
unknown...stuff like buffer overflow attacks, broken protocol attacks, and
the like.

If you want to use a proxy, just port-forward the service to the proxy
instead of your 'real' server, and configure the proxy to talk to your real
server(s)...

If you're looking at pushing/syncing a large number of files to various
remote sites, you might also want to look into rsync and/or ssh.  If the
files aren't terribly sensitive (ie can traverse the internet unencrypted),
you can setup an rsync server at the 'master' site and sync all the clients
periodically.  This is more of a 'pull' architecture, but it can be made
into a 'push' system by having the master run the rsync download command on
the clients via ssh.  If you need to encrypt the transfers, you can tunnel
the entire session through ssh.  You can keep security as tight as you want
with proper ssh configuration...for something like this I usually disable
general logins, setup ssh authentication by RSA/DSA keys only, and have the
ssh session automatically invoke the proper behavior on the client end (ie
fire off an rsync session in your case).  This way, even if the master
server is compromised, you won't automatically get user-level access to the
clients...all you'll be able to do is force them to rsync to the master
server whenever you want...

You can also get rsync/ssh for windows (see cygwin
http://www.redhat.com/download/cygwin.html ) if your network is of the M$
persuasion...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
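A log-side check for the *default.ida requests Charles mentions, added here as an example (it is not code from the post or from Dachstein): it reads Common Log Format lines, flags the requests a filtering proxy in front of a port-forwarded IIS host would drop and log, and tallies them per source. The log lines are constructed and the proxy_decision helper is hypothetical.

```shell
#!/bin/sh
# Added example, not from the list post: detection over constructed
# web-server/proxy log lines for "*default.ida" requests.

# Constructed sample log lines (Common Log Format, not captured traffic);
# the query strings are placeholders.
sample_access_log() {
    cat <<'EOF'
10.0.0.5 - - [27/Dec/2001:21:30:01 -0600] "GET /index.html HTTP/1.0" 200 1042
203.0.113.7 - - [27/Dec/2001:21:30:02 -0600] "GET /default.ida?XXXXXXXXXXXX HTTP/1.0" 404 0
10.0.0.9 - - [27/Dec/2001:21:30:05 -0600] "GET /images/logo.gif HTTP/1.0" 200 5120
203.0.113.7 - - [27/Dec/2001:21:30:07 -0600] "GET /scripts/Default.IDA?NNNN HTTP/1.0" 404 0
198.51.100.3 - - [27/Dec/2001:21:30:09 -0600] "GET /default.idaXXX HTTP/1.0" 404 0
EOF
}

# Print "source-ip request-path" for every request whose path names the
# .ida handler (case-insensitive, query string included).  In CLF the
# request path is field 7.  Reads stdin or the files given as arguments.
flag_ida_requests() {
    awk '{ if (tolower($7) ~ /default\.ida/) print $1, $7 }' "$@"
}

# Tally flagged requests per source address as "count ip", highest first,
# so the noisiest client is listed on top.
ida_sources() {
    flag_ida_requests "$@" | awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Number of flagged requests, as a plain integer for scripted checks.
ida_count() {
    flag_ida_requests "$@" | wc -l | tr -d ' '
}

# Hypothetical per-request decision a filtering proxy would apply before
# handing the request to the real server: DROP for .ida requests, PASS
# otherwise.  $1 = request path as it appears in the request line.
proxy_decision() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *default.ida*) echo DROP ;;
        *) echo PASS ;;
    esac
}
```

Run `sample_access_log | ida_sources` to see the per-source tally for the constructed sample.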
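The "master triggers an rsync pull on each client over ssh" arrangement from the same reply, added here as an example (not code from the post or from Dachstein): a client-side authorized_keys entry that forces the rsync pull and nothing else, plus a check that finds keys on a host which would still hand out a general login. Host master.example.net, rsync module "files" and target /srv/mirror are assumed names; the key material is a placeholder.

```shell
#!/bin/sh
# Added example, not from the list post: forced-command ssh key for an
# rsync pull, and an audit of authorized_keys for unrestricted entries.
# Assumed names: master.example.net, rsync module "files", /srv/mirror.

# Build the client-side authorized_keys line for the master's key.
# Whatever the master's ssh session asks for, sshd runs only this rsync
# pull (the unencrypted rsync-daemon pull from the reply's first case).
# $1 = public key ("type base64 comment"), $2 = master host,
# $3 = rsync module on the master, $4 = local target directory
restricted_key_entry() {
    printf 'command="rsync -az --delete %s::%s/ %s",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s\n' \
        "$2" "$3" "$4" "$1"
}

# Count entries in an authorized_keys file that carry no command= option,
# i.e. keys whose holder gets an ordinary shell on this client.
unrestricted_key_count() {
    awk '!/^[[:space:]]*#/ && !/^[[:space:]]*$/ && !/command="/ { n++ } END { print n + 0 }' "$1"
}

# List the comment field of each unrestricted entry for review.
unrestricted_key_comments() {
    awk '!/^[[:space:]]*#/ && !/^[[:space:]]*$/ && !/command="/ { print $NF }' "$1"
}

# Constructed sample authorized_keys (placeholder key material, not real
# keys): one restricted master key and two ordinary user keys.
sample_authorized_keys() {
    restricted_key_entry "ssh-rsa AAAAB3Nza...SAMPLE1 master@master.example.net" \
        master.example.net files /srv/mirror
    echo "ssh-rsa AAAAB3Nza...SAMPLE2 admin@laptop"
    echo "# old key, probably due for removal"
    echo "ssh-dss AAAAB3Nza...SAMPLE3 olduser@desktop"
}

# Write the sample to a temp file, audit it, and print the number of
# entries that would still grant a general login.
audit_sample() {
    f=$(mktemp) || return 1
    sample_authorized_keys > "$f"
    unrestricted_key_count "$f"
    rm -f "$f"
}
```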





Re: [Leaf-user] VPN - Error with Dachstein v.1.0.2 box.

2001-12-27 Thread Charles Steinkuehler

> Thanks! I thought all Dachstein releases ( floppy or otherwise) were IPsec
> enabled.
> Since I JUST got it on 1 floppy with IPsec I will look at the CD version.
> I was really hoping to keep it all on 1 floppy by hey, thats life.
> Thank you so muc h for your help, and your product.

All Dachstein kernels are "IPSec enabled", but there are two flavors:

The "IPSec" kernels (ie the kernels with -IPSec in their names) include
KLIPS, the kernel mode support for FreeS/WAN.  These kernels can be used to
create a VPN gateway.

The kernels without -IPSec in their name (and the one on the floppy distro by
default) only include support for masquerading IPSec connections to an
internal host.  These kernels can be used if you need to run a VPN client on
an internal system, a frequent requirement of home users needing to connect
to the corporate VPN with their windows based VPN client.

Sadly, at this point, the two options are mutually exclusive (at least for
IPSec)...no masquerading an internal VPN client and running as a VPN gateway
at the same time :(

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)





Re: [Leaf-user] LCDproc help for Dachstein

2001-12-27 Thread Charles Steinkuehler

> I can't seem to find the Samsung LCD display as used on charles's site.
> As i live in Australia, is there anyone who knows where to get it?  Will
> import if needed. thanks.

I got most of my LCD's from Marlin P Jones: http://www.mpja.com/ I think
they'll ship internationally.  The parallel-port LCD panels are pretty
common, and come in a variety of sizes.  As long as the controller is
compatible (and almost all small 14 pin parallel "smart" LCD modules I've
seen are), you should be able to make it work...you don't need the exact
models I tried.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)





Re: [Leaf-user] portfw to *multiple* hosts ???

2001-12-27 Thread Charles Steinkuehler

> > > Quite simply, what is the simplest, secure way to forward to two (2)
> > > hosts?  There are probably better ways to accomplish the end goal; but,
> > > we have an application whereby we may need to push very large files from
> > > the internet to two (or, more) locations behind a Dachstein firewall.
> > >
> > > What do you think?
> >
> > scp or https/PUT to separate ports (22 and 2022, or 443 and 4443, for
> > example), one port for each host.  The hosts could each see input on the
> > nominal port (22 or 443).
>
> Yes, I see this; but, is there someway to accomplish this --
> simultaneously -- with one (1) remote operation?

???
Please explain a bit more about exactly what you're trying to accomplish...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)





[Leaf-user] Bug in Dachstein's linuxrc

2001-12-27 Thread Rodney Barnett

Dachstein's linuxrc script rewrites the previous line to the backdisk file
when it can't find a package file making it appear that the same package was
loaded more than once.

Changing

[ -n "$backdisk"  ] && echo $backdisk >>$PFX/backdisk

if [ $fnd -eq 0 ]; then
    echo -n " (nf!)"
fi

to

if [ $fnd -eq 0 ]; then
    echo -n " (nf!)"
else
    [ -n "$backdisk"  ] && echo $backdisk >>$PFX/backdisk
fi

seems to resolve the problem.

Rodney
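A simplified model of that package-search loop, added here as an example (it is not Dachstein's linuxrc; disk and package names are constructed), that reproduces the duplicate backdisk entry and shows the reordered check side by side:

```shell
#!/bin/sh
# Added example, not Dachstein's actual linuxrc: a model of the package
# loop.  Each "disk" is a directory and a package is a file <pkg>.lrp.

# Search each disk for each package, appending the disk a package came
# from to the backdisk file.  Buggy ordering from the original: the
# append runs before the not-found check, and since $backdisk is not
# reset per package, a missing package re-records the previous disk.
# $1 = backdisk file, $2 = space-separated disk dirs, rest = packages
load_packages_buggy() {
    out=$1; disks=$2; shift 2
    backdisk=""
    : > "$out"
    for pkg in "$@"; do
        fnd=0
        for d in $disks; do
            if [ -f "$d/$pkg.lrp" ]; then fnd=1; backdisk=$d; break; fi
        done
        [ -n "$backdisk" ] && echo "$backdisk" >> "$out"
        if [ $fnd -eq 0 ]; then
            printf ' (nf!)' >&2
        fi
    done
    return 0
}

# Fixed ordering: record a disk only when the package was actually found.
load_packages_fixed() {
    out=$1; disks=$2; shift 2
    backdisk=""
    : > "$out"
    for pkg in "$@"; do
        fnd=0
        for d in $disks; do
            if [ -f "$d/$pkg.lrp" ]; then fnd=1; backdisk=$d; break; fi
        done
        if [ $fnd -eq 0 ]; then
            printf ' (nf!)' >&2
        else
            [ -n "$backdisk" ] && echo "$backdisk" >> "$out"
        fi
    done
    return 0
}

# Build two constructed disks, load a list with one missing package, and
# print "<buggy line count> <fixed line count>" for the two backdisk files.
# With root and local on diskA and etc on diskB, the buggy loop records
# diskB twice (once for etc, once for the missing package).
demo_backdisk() {
    base=$(mktemp -d) || return 1
    mkdir "$base/diskA" "$base/diskB"
    : > "$base/diskA/root.lrp"; : > "$base/diskA/local.lrp"
    : > "$base/diskB/etc.lrp"
    load_packages_buggy "$base/backdisk.buggy" "$base/diskA $base/diskB" \
        root etc missing local 2>/dev/null
    load_packages_fixed "$base/backdisk.fixed" "$base/diskA $base/diskB" \
        root etc missing local 2>/dev/null
    echo "$(wc -l < "$base/backdisk.buggy" | tr -d ' ') $(wc -l < "$base/backdisk.fixed" | tr -d ' ')"
    rm -rf "$base"
}
```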




RE: [Leaf-user] Is this newbie even in the right ballpark with LEAF? (Summary)

2001-12-27 Thread Dan Schwartz



>-Original Message-
>From:  Charles Steinkuehler
>Subject: Re: [Leaf-user] Is this newbie even in the right ballpark with LEAF? (Summary)
>
>
>> >I've seen a number of reports from folks successfully using hardware
>> >acceleration with FreeS/WAN,
>>
>> Oh? I didn't see any drivers for hardware accelerators - Or did
>> I miss something.
>
>I don't think you missed anything...there's no hardware support in the
>mainstream code for FreeS/WAN.  I have, however, seen several reports of
>folks adding hardware support to the FreeS/WAN code base on the mailing
>list.  I have no idea if their code is available, or under what terms, but
>there are reports of folks who have done this.  The libdes used by FreeS/WAN
>is the same libdes provided with OpenSSL, and since most crypto hardware
>makers who support linux provide OpenSSL patches, it may not be too hard to
>interface FreeS/WAN to acceleration hardware, although such a project is
>likely not for the feint of heart (there are still several
>kernel-mode/user-mode issues...

I'll pass at this time...

However: Also check out PowerCrypt at:


>AFAIK, OpenSSL is generally designed to run
>in user-space, while the FreeS/WAN software crypto routines are running in
>kernel space, which makes a big difference in how you talk to the hardware).

Yeah, you could say that

>>>although this is not a particularly main-stream
>>>thing.  If you really want to burst to 155 MBits/sec, you'll probably need
>>>some form of hardware acceleration (at least for a year or two, until the
>>>5-6 GHz CPU's come out).
>>
>> If I need more CPU horsepower, I'll use 21264 (Alpha) CPU's instead.
>
>Sounds like a plan...I've seen reports of 3DES routines that really smoke
>running on Alphas, taking advantage of the true 64 bit architecture to run
>bit-sliced algorithms which really speed things up vs the clunky x86
>systems.

Yes, I've been using Alphas for 5 years now - I have 3 Multias in boxes in
my basement; plus an AlphaPC 164SX (with 533 MHz 21164PC CPU) running
Win2k/RC2 server. [I also have another identical 164SX mobo on the way that
was shipped last week, so I'll be building an NT4/Datacenter cluster for
Exchange 5.5, to work as my "home & family" email server(!)]

>If you go with an alpha system, you'll probably want to use a
>mainstream disto...you might want to do this anyway, depending on how 'thin'
>you want to make your VPN gateways.



>You might also consider seperating your VPN gateway and firewall functions
>into seperate boxes, but that introduces complications of a different sort
>(especially routing)...
>
>
>Charles Steinkuehler
>http://lrp.steinkuehler.net
>http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)




[Leaf-user] Don't understand how to configure 'mail' with Dachstein 1.0.2

2001-12-27 Thread Maxim Heijndijk

Hi, I have this in my logs:

Dec 27 21:30:01 deflector /USR/SBIN/CRON[11150]: (root) MAIL (mailed 253 bytes of output but got status 0x0001 )

Why is that ?

How do I configure the following vars to mail output to a host on my 
LAN ? The host is called warpcore.positronic.net. It is running postfix.

# Host SMTP server for the 'mail' command. If blank the host 'mail' is used.
#lrp_MAIL_SERVER=""

# Email address to use for notices and alerts. If blank alerts won't be sent.
#lrp_MAIL_ADMIN=""

-- 
Best regards, M@X.

* Climate Control Psychedelic Soundscapes - http://go.to/cchq/
* Linux Shell Scripts & RPM Software Packages - http://go.to/conmen/

 10:56pm  up  6:02,  3 users,  load average: 1.59, 1.59, 1.55



[Leaf-user] How can I protect the network from the webserver

2001-12-27 Thread djoutlaw outlaw

I am using Charles Steinkuehler's LEAF/LRP 2.2.19 and I have changed the TCP
ports to be able to see my apache webserver.  What do I need to change in
the network.cfg file to be able to stop someone from getting into the
webserver and then moving on into the network?

Please be gentle, this is my first post.




Re: [Leaf-user] adding a subnet

2001-12-27 Thread Kory Krofft

Charles,
Thanks for the confirmation. We pretty much came to this understanding
as we went.
With Ray's help I now have the subnet functioning well enough for my
private network tasks. I can telnet and FTP to the server on the DMZ. Would it
be possible for you to assist me with the DMZ? I have stumbled through the
network.conf file and turned on all the settings I thought would relate
but it still doesn't work. Here is what I need the DMZ to offer.
I want to have FTP access. I want to have web browsing from the DMZ.
I want to port forward all ports between 27000 and 3000 to the DMZ
server.
There will most likely never be more than one machine on the DMZ.

Thank you,
Kory Krofft

Charles Steinkuehler wrote:

> A bit of background...
> 
> The default dachstein firewall scripts will NOT route traffic between
> interfaces unless EXPLICITLY told to do so.  If you simply add a third (or
> fourth, or fifth...) interface, it will come up, and the router will be able
> to ping devices on the new network, but NO TRAFFIC will be forwarded between
> this new interface and other interfaces without properly setting up the
> firewall rules (ie making the new interface a DMZ or additional internal
> net) or creating some custom firewall rules in one of the /etc/ipchains.*
> files.
> 
> NOTE:  If you add your new interface to the list of internal networks,
> systems on the new network will be able to see the internet, but systems on
> different internal networks will NOT be able to communicate with each other,
> unless you add explicit rules to /etc/ipchains.forward to allow this.
> 
> It sounds like you're to the point where everything is setup except systems
> on your new DMZ interface cannot talk to the internet or to systems on your
> internal net.  If you properly configure the DMZ settings (probably for a
> port-forwarded DMZ), everything should begin to work.
> 
> Charles Steinkuehler
> http://lrp.steinkuehler.net
> http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)




[Leaf-user] cipe or ipip tunnels...

2001-12-27 Thread David Fallin

I'm having problems with ipip and cipe tunnels, but I'm beginning to think
the problem has nothing to do with ipip or cipe.

I've got an eigerstein box and a dachstein box, both with static IPs, and
otherwise functioning fine. They also both have seawall 4.1 running on them.

The dachstein box HAD eigerstein running and an ipip tunnel between them
worked fine. Now, when I manually attempt to create the tunnel with
dachstein, everything appears OK, but when I try to ping across it, I get:

ping: sendto: operation not permitted

ip addr returns this for the tunnel device:
6: tunl0@NONE:  mtu 1480 qdisc noop
link/ipip 0.0.0.0 brd 0.0.0.0
7: fw2@NONE:  mtu 1480 qdisc noqueue
link/ipip 0.0.0.0 peer A.B.C.D
inet 192.168.4.254 peer 192.168.2.254/32 scope global fw2

Any ideas?
Thanks!
dwf





[Leaf-user] LEAF Performance monitor

2001-12-27 Thread Jan Linders

Hi all,

does somebody know if there is an lrp package or simply a binary tool
which shows me the status of my LEAF router? (IP stats & CPU/Memory stats)
Like the unix "top" utility!

Thx.




Re: [Leaf-user] OT (was IPSec discussion)

2001-12-27 Thread Charles Steinkuehler

> >> If I need more CPU horsepower, I'll use 21264 (Alpha) CPU's instead.
> >
> >Sounds like a plan...I've seen reports of 3DES routines that really smoke
> >running on Alphas, taking advantage of the true 64 bit architecture to run
> >bit-sliced algorithms which really speed things up vs the clunky x86
> >systems.
>
> Yes, I've been using Alpha's for 5 years now - I have 3 Multia's in boxes in
> my basement; plus an AlphaPC 164SX (with 533 mHz 21164PC CPU) running
> Win2k/RC2 server. [I also have another identical 164SX mobo on the way that
> was shipped last week, so I'll be building an NT4/Datacenter cluster for
> Exchange 5.5, to work as my "home & family" email server(!)]

From what I've heard about exchange, your cluster of 4 Alphas should work OK
for a home/family e-mail system (although it'll probably be sluggish), as
long as you've got a few gig of RAM and several terabytes of HDD in each
system :-}

> 

Been there, done that :-)  I've actually got several DEC Personal
Workstation 500a's running RedHat 7.1 for the Alpha.  Nice systems.

BTW:  How are you running Win2K on the Alphas?  I thought M$ had dropped
support for them...(lucky for me, that's how I managed to end up with the
systems I've got :)

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)






RE: [Leaf-user] OT (was IPSec discussion)

2001-12-27 Thread Dan Schwartz


Dear Charles,

When I joined your fine list, I wrote a short intro... It's a tradition we
have on the AlphaNT Mailing List - Which, by the way, I'm the moderator!

More inline...

>-Original Message-
>From:  Charles Steinkuehler
>Subject: Re: [Leaf-user] OT (was IPSec discussion)
>
>
>> >> If I need more CPU horsepower, I'll use 21264 (Alpha) CPU's instead.
>> >
>> >Sounds like a plan...I've seen reports of 3DES routines that really smoke
>> >running on Alphas, taking advantage of the true 64 bit architecture to run
>> >bit-sliced algorithms which really speed things up vs the clunky x86
>> >systems.

One of the *big* reasons why there was no NT4 past SP3 on the 21264 was
because of problems with the kernel. However, for the 21164, 21164PC and
earlier, there was no problem whatsoever with NT4/SP4 and up.

Going back to the 21264 kits from Samsung's Alpha Processor, Inc, one of the
big issues had been the firmware (BIOS): For the longest time, if you wanted
to run Tru64 or (especially) OpenVMS, you needed the SRM firmware, which was
only available on Compaq. Otherwise, you were stuck with Advanced RISC Console
(ARC BIOS) if you bought an API kit. For linux, you had to boot into ARC and
run MILO or LILO (Mini-loader or linux-loader) to finish booting.

At some point in the last few months, though, you can now download the latest
SRM for your API machine. This Is Good, because SRM is much more robust than
ARC.

For later machines - Like my 164SX - that run NT, you use AlphaBIOS, which
provides specific support for NT; and starting with v5.69, full support for
Win2k.


>> Yes, I've been using Alpha's for 5 years now - I have 3 Multia's in boxes
in
>> my basement; plus an AlphaPC 164SX (with 533 mHz 21164PC CPU) running
>> Win2k/RC2 server. [I also have another identical 164SX mobo on the way that
>> was shipped last week, so I'll be building an NT4/Datacenter cluster for
>> Exchange 5.5, to work as my "home & family" email server(!)]

Actually, Exchange 5.5's SP4 for Alpha was released in December 2000, fully
15 months after Win2k/Alpha was dropped by Q & MS.

[For the uninitiated, Compaq killed off AlphaNT development support on August
18, 1999; and six days later MS killed off Win64/Alpha development.]

>From what I've heard about exchange, your cluster of 4 Alphas should work OK
>for a home/family e-mail system (although it'll probably be sluggish), as
>long as you've got a few gig of RAM and several terabytes of HDD in each
>system :-}

We, my old Prosignia 300 running Exch5.5/SP3 and NT4/SP6a ran quite
nicely servicing about 50 users, all on a rePentium 90 with 64 MB of RAM. But
No, I didn't take the pIIS. In other words, I didn't run Outlook Web Access.
:)

>> 
>
>Been there, done that :-)  I've actually got several DEC Personal
>Workstation 500a's running RedHat 7.1 for the Alpha.  Nice systems.

IIRC, PWS500a's have enough room in the flash for both AlphaBIOS & SRM. I'm
assuming you're running SRM...

>BTW:  How are you running Win2K on the Alpha's?  I thought M$ had dropped
>support for them...(lucky for me, that's how I managed to end up with the
>system's I've got :)

Heh heh heh! Actually, the AlphaNT gang (of about a thousand members) has/had
a number of guys up in the MS-Q lab in Redmond; as well as a whole bunch from
Salem & Nashua. Many, many copies of the RC2 (Build 2072) AlphaBits made it
out the door; and I even have a copy of Pro/RC3 (Build 2128)... Which leaked
out 3 months AFTER Q & MS killed the project!

To halt the 444 day time bomb, simply edit the SETUPREG.HIV file in the ALPHA
folder.

[Actually, Dave Cutler still uses Alpha's to make sure NT is still portable
to platforms besides inHell. Judging by all the delays in Itanic, he was
right!]

 -

One of the best deals going is the Hobbyist Kit: Compaq has them for both
OpenVMS and Tru64 - I have both; but VMS chokes on the AlphaPC series.

One of the tricks is to use the Tru64 libraries with linux. Since I don't
follow the AlphaLinux stuff, they may have since GPL'd the coveted DEQ
libraries.

>Charles Steinkuehler
>http://lrp.steinkuehler.net
>http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

Cheers!
Dan





RE: [Leaf-user] Dachstein-CD V1.0.2 Available

2001-12-27 Thread Tony

CS> Actually, if you really want to use a new root.lrp, you do have to burn
it to a new CD (or boot off a floppy disk containing the new root.lrp).  As
an alternative, you can add root.lrp to the package list (LRP=root,...), but
this is kind of klunky, and I'm not sure a system setup this way would
properly backup root.lrp a second time.

Nope, it don't work.  I thought I'd try that after I messaged the group, and
what I got was 2 listings for root, neither of which would mount the
diskette to backup.  Even though the destination was the floppy, and it was
not mounted, backup failed.



CS> Probably the best solution would be to add the contents you wish to
backup (ie either the /root directory or the /root/.ssh directory) to a
package other than root (like sshd or local) and backup that package.

Ah, yet another way to skin the cat


CS> To add files to a package for backup, simply add the file/directory
specifier (shell wildcards are OK) to the /var/lib/lrpkg/.list
file.  If you want to include the files in a partial backup, you'll need to
add them to the /var/lib/lrpkg/.local file as well.  See the CD-ROM
readme for details on the .local file format, although you probably
just need to add an "I" in front of the filespec you used in the
.list file (ie "I ") for the .local file.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)


Thank you sir for the pointers.

Later

Tony






Re:[Leaf-user] loading PCMCIA modules

2001-12-27 Thread Patrick Nixon

Hey, just to confirm what Brock already said, here's what I load upon boot

ray_cs 18368   1
ds  6120   1 [ray_cs]
i82365 21340   1
pcmcia_core48864   0 [ray_cs ds i82365]

However, just to voice my experience, I can't get my wireless card to be 
anything but eth0 if I boot up with it in it, which required me to fix the 
configs to make eth1 my external interface.

--Pat


On Tue, 25 Dec 2001, Brock Nanson wrote:

> Pete,
> 
> When I built my (Eiger) BreezeCOM box, I loaded, in this order:
> 
> pcmcia_core
> i82365
> ds
> 
> I'm not real sure of what each does exactly but I *think*:
> 
> pcmcia_core is the basic pcmcia functionality
> i82365 is the driver for the pcmcia chip (in my case an ISA - PCMCIA adapter
> board)
> ds is the actual card services to recognize a card has been inserted and
> load the appropriate driver.
> 
> This only laces your skates - it doesn't win the hockey game.  There is a
> directory /etc/pcmcia that has some config files for the card services.  The
> actual wireless card driver is in /lib/modules/pcmcia.  From what I can see
> (and someone can correct me if I'm wrong), the regular LRP modules file
> causes the listed modules to be loaded.  In the order they appear.  So the
> PCMCIA capability gets started, and probably a regular NIC if you have one.
> But the big catch is - the wireless card doesn't get loaded until the
> card services gets run!  This is well after the modules file is read.  In
> other words, wireless and other PCMCIA devices don't get loaded from the
> modules file.
> 
> A side issue that comes from this is - there doesn't seem to be a simple way
> to cause your PCMCIA device to be eth0... it gets loaded after the NIC in
> modules, so by default becomes eth1.  This means adjusting the remainder of
> the config files.
> 
> Hopefully someone will jump in and correct my mistakes!  As well, note that
> this is all based on Eiger - I have no idea what Dachstein does in this
> regard!
> 
> Good luck,
> 
> Brock
> 
> 
> > Message: 7
> > Date: Tue, 25 Dec 2001 20:09:06 -0800
> > From: Pete Dubler <[EMAIL PROTECTED]>
> > To: [EMAIL PROTECTED]
> > Subject: [Leaf-user] loading PCMCIA modules
> >
> > The saga continues...  I refuse to ask a question until after I have
> > spent a good 18 hours suffering and researching on my own...
> >
> > I am trying to get a wireless router going based on  the Cisco Aironet
> > 342 ISA card and the Dachstein release, combined with IDE and PCMCIA
> > services, as posted by FABbnet (http://www.fabbnet.net/lrp.htm).  (I
> > promise to write a very explicit HOWTO about all this once I (with your
> > help) get it working.)  We are going to be building several of these for
> > our neighborhood, so the days and days I have put into it will
> > eventually pay so dividends in terms of public service...
> >
> > I must not be loading all of the necessary modules.  Do you have any
> > pointers?.
> >
> > I am loading:
> >
> > airo irq=5 io=0x340
> > airo_cs
> > pcmcia_core
> >
> > What else, and if necesary, in what order, must I have them?
> >
> > I am getting the following messages at boottime:
> >
> > airo: Trying to configure ISA adapter at irq=5 io=0x340
> > airo: Rid ff15 has a length of -2 which is too short
> > airo: bad MAC enable reason=85, rid=ff10, offset=16
> > airo: MAC could not be enabled
> > ...
> > airo_cs:...
> > insmod: unresolved symbol register_pccard_driver
> > insmod: unresolved symbol unregistered_pccard_driver
> > insmod: unresolved symbol CardServices
> >
> >
> > Looking forward to 11mbs before the new year
> >
> > Happy Holidays,
> >
> > Pete Dubler
> > Fort Collins, CO
> 
> 
> 
> 





Re: [Leaf-user] LCDproc help for Dachstein

2001-12-27 Thread Dave Hng

> I can't seem to find the Samsung LCD display as used on charles's site.
As i live in Australia, is there anyone who knows where to get it?  Will
import if needed. thanks.

Anything based on the HD44780 microcontroller will work with LCDProc, as
long as you wire it up correctly. I've made a couple of these based on the
'winamp' wiring configuration, you just need to tell LCDProc that you're
using that wiring schematic when you run it.

I'm using one LCD from Altronics in Perth:
http://www.altronics.com.au/cat.asp?cat=2&grp=102&id=Z+7011

Dick Smith and Jaycar have similar models too. If you want to be sure, ask
for a datasheet from them and check that the pins are the same as in the
schematic you want to use. This diagram's worked for me:
http://www.markuszehnder.ch/projects/lcdplugin/images/lcd_parallel_8bit.gif

Just be careful where you tap the +5v off.. Try taking it off a USB port or
something with low current. The 5v power rails can be a bit nasty esp for a
small trimpot. :)

Hope that helps!

Dave Hng






Re: [Leaf-user] How can I protect the network from the webserver

2001-12-27 Thread Ray Olszewski

At 10:13 PM 12/27/01 +, djoutlaw outlaw wrote:
>I am using Charles Steinkuehler's LEAF/LRP 2.2.19 and I have changed the Tcp 
>ports to be able to see my apache webserver.  What do I need to change in 
>the network.cfg file to be able to stop someone from getting into the 
>webserver and then moving on into the network?
>
>Please be gentle this is my frst post.

To get a meaningful answer, I think you'll need to explain in a bit more
detail what you did. Particularly, in "I have changed the Tcp ports to be
able to see my apache webserver", what does "see" mean exactly? 

Are we talking about a Web server with its own real IP address, for example,
or one with a private-range address and port 80 forwarded to it from the
router? If you are port forwarding, what ports besides 80 (and perhaps 443)
are you forwarding?

If you are forwarding only ports 80 and 443 to a private address, you should
need to do nothing special on the LEAF router (assuming "Charles
Steinkuehler's LEAF/LRP 2.2.19" refers to something reasonably up to date,
like EigerStein or DachStein). You do need to make sure your Web server OS
and apache are sufficiently up to date that they pose no security risks.

If you are firewalling a Web server with its own IP address, you probably
want to limit which ports incoming traffic from off-LAN can access. There is
no one-size-fits-all rule for this, though; you need a security setup that
is adapted to what you want to accomplish.


--
"Never tell me the odds!"---
Ray Olszewski-- Han Solo
Palo Alto, CA[EMAIL PROTECTED]






[Leaf-user] HELP HELP!!

2001-12-27 Thread Jim Van Eeckhoutte

Guys I need help with this rtl8139 issue. Eth0 connects to the cable
modem. While watching the back of Eth0, the link drops when it tries to
get an address from ATT. I take the UTP wire out of the cable modem and
hook it into the switch, and the link light comes back and Dachstein CD
1.0.2 gets an address from the 2k server in the garage (DHCP scope).
What could this be? I'm pulling my hair out ..hehe.

P.S.   I have reset the modem several times.

ATT pushes out a DHCP address to the client via MAC address, which I have
set via (ip link set eth0 address ma:ca:dd:re:ss:00 in network.cfg)


Re: [Leaf-user] LEAF Performance monitor

2001-12-27 Thread Simon Bolduc

Hey there, 
You can get top.lrp here:
http://leaf.sourceforge.net/pub/packages/top.lrp
S

>From: "Jan Linders" <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Subject: [Leaf-user] LEAF Performance monitor 
>Date: Fri, 28 Dec 2001 00:04:43 +0100 
> 
>Hi all, 
> 
>does somebody know if there is an lrp package or simply a binary tool 
>which shows me the status of my LEAF router ?. (IP stats & CPU/Memory stats) 
>Like the unix "top" utility ! 
> 
>Thx. 
> 
> 



Re: [Leaf-user] HELP HELP!!

2001-12-27 Thread Victor McAllisteer

Jim Van Eeckhoutte wrote:

> Guys I need help with this rtl8139 issue. Eth0 connects to cable
> modem ….while watching back of Eth0….link drops when it trys to get
> address from ATT ….i take out UTP wire from cable modem and hook
> into switch and link light comes back and Dachstein CD 1.0.2 gets
> address from 2k server in garage (dhcp scope). What could this be …
> im pullin my hair out ..hehe.
> I have reset the modem several times.
>
> ATT pushes out dhcp address to client via mac address which I have
> set via (ip link set eth0 address ma:ca:dd:re:ss:00 in network.cfg)
>
Several list members have remarked that it is necessary to release the
lease with AT&T.  You may have to hook your windows box up directly
w/o the router and use winipcfg to release all on your lease.  Then
shut everything down and plug the LEAF box in.  Maybe then AT&T will
give you a lease.

PS - html on this list makes your mail very difficult to read.  Please
set your email software to send in text mode to the list.






Re: [Leaf-user] portfw to *multiple* hosts ???

2001-12-27 Thread Michael D. Schleif


Charles Steinkuehler wrote:
> 
> > > > Quite simply, what is the simplest, secure way to forward to two (2)
> > > > hosts?  There are probably better ways to accomplish the end goal;
> but,
> > > > we have an application whereby we may need to push very large files
> from
> > > > the internet to two (or, more) locations behind a Dachstein firewall.
> > > >
> > > > What do you think?
> > >
> > > scp or https/PUT to separate ports (22 and 2022, or 443 and 4443, for
> > > example), one port for each host.  The hosts could each see input on the
> > > nominal port (22 or 443).
> >
> > Yes, I see this; but, is there someway to accomplish this --
> > simultaneously -- with one (1) remote operation?
> 
> ???
> Please explain a bit more about exactly what you're trying to accomplish...

Large medical images -- some approaching gigabyte sizes.

The internal network connects multiple facilities.  The images may need
to be shared across multiple facilities.

Our preferred solution is to put one (1) copy of each image on a large
and robust fileserver inside their network.  The catch is, they are
using proprietary systems for viewing and analyzing the images and we
may not be granted access nor information adequate to implementing our
preferred solution.  Currently, the remote sources are using their
proprietary systems (black boxes) to auto-magically transfer the files
directly to one (1) proprietary system inside our customer's network. 
Yes, this looks everyway like ftp -- except the proprietary system
vendor says, no, it is not that simple ;>

When one of these images is needed on another proprietary system inside
this network, somebody needs to push the required file to another
proprietary system.  Our customer wants ``pull'' access from any given
system.

In brainstorming alternatives, this occured to me:

send images
     |
     V
  internet
     |
     V
  firewall
     |
   ---------------------------
   |           |             |
   V           V             V
host_1       host_2       host_n ...

Regardless, whether or not this is the best solution for this
application, how can this be done?

What do you think?

-- 

Best Regards,

mds
mds resource
888.250.3987

Dare to fix things before they break . . .

Our capacity for understanding is inversely proportional to how much we
think we know.  The more I know, the more I know I don't know . . .




Re: [Leaf-user] portfw to *multiple* hosts ???

2001-12-27 Thread David Douthitt

On 12/27/01 at 10:21 PM, Michael D. Schleif <[EMAIL PROTECTED]> wrote:

> Large medical images -- some approaching gigabyte sizes.
> 
> The internal network connects multiple facilities.  The
> images may need to be shared across multiple facilities.
> 
> Our preferred solution is to put one (1) copy of each
> image on a large and robust fileserver inside their
> network.  The catch is, they are using proprietary systems
> for viewing and analyzing the images and we may not be
> granted access nor information adequate to implementing
> our preferred solution.  Currently, the remote sources are
> using their proprietary systems (black boxes) to
> auto-magically transfer the files directly to one (1)
> proprietary system inside our customer's network. Yes,
> this looks everyway like ftp -- except the proprietary
> system vendor says, no, it is not that simple ;>
> 
> When one of these images is needed on another proprietary
> system inside this network, somebody needs to push the
> required file to another proprietary system.  Our customer
> wants ``pull'' access from any given system.
> 
> In brainstorming alternatives, this occured to me:
> 
> send images
>      |
>      V
>   internet
>      |
>      V
>   firewall
>      |
>    ---------------------------
>    |           |             |
>    V           V             V
> host_1       host_2       host_n ...
> 
> Regardless, whether or not this is the best solution for
> this application, how can this be done?
> 
> What do you think?

This sounds to me like a case for rsync + ssh There is, if you
need it, an rsync.lrp already - and of course, ssh.lrp.  You could set
up rsync either as a "push" or a "pull" alternative.  As a case study,
consider that there are many publicly accessibly rsync servers (the
Linux kernel site kernel.org comes to mind...)

If you could set up host_1, host_2, etc. to be rsync recipients, why
not tunnel rsync via ssh through the firewall?
--
David Douthitt
UNIX Systems Administrator
HP-UX, Unixware, Linux
[EMAIL PROTECTED]




Re: [Leaf-user] How can I protect the network from the webserver

2001-12-27 Thread Ray Olszewski

I added the LEAF list back in.

At 03:38 AM 12/28/01 +, djoutlaw outlaw wrote:
>I am sorry what I mean is I can give a friend my static IP address and then 
>they can pull up my apache test page.  I am using DachStein which seems to 
>be the easiest setup.  Just opened up the INTERNAL__WWW_SERVER 
>XXX.XXX.XXX.XXX  and with the TCP 0.0.0.0/0_www

OK. This means you are port forwarding port 80 of your LEAF router's
external IP address to port 80 of a private-address server. No problem there.

>I really just want people to be able to access port 80 but not be able to 
>use the server as a gateway to the network.  I am only forwading port 80.
>I thought there was some way I could block the webserver from connecting to 
>the network but allow everyone else to connect to the webserver

Unfortunately, "connecting" is an imprecise term. I'm also uncertain as to
what you mean by "the" network.

You can prevent the Web server from initiating connections to the Internet
(one possible "the" network), while allowing it to access the Internet only
for purposes of responding to port-80 queries. I don't know if there is an
easy way to do this using DachStein's setup scripts, though ... someone
better acquainted with the intricacies of DachStein will have to handle that. 

You would most easily do the underlying work by adding, at an appropriate
place in your input chain, these two firewalling rules (approximately; I
haven't tested this syntax so may have made small errors):

# pass replies the Web server sends from its port 80
ipchains -A input -j ACCEPT -s a.b.c.d/32 80 -i eth1 -p tcp
# drop everything else the Web server sends through the router
ipchains -A input -j DENY -s a.b.c.d/32 -i eth1 -p all

where a.b.c.d is the internal address of the Web server and I've assumed
that eth1 is your LAN interface.

The first rule passes all traffic from port 80 on the Web server. The second
rule blocks all other traffic from the Web server.

There are fancier ways to do this too; you can distinguish initiation and
reply TCP (but not UDP or ICMP) packets by testing the flag bits. Look at
the -y switch for ipchains to learn the details.

While you can do this, you may not want to. The Web server may well need to
communicate to or from other ports to work properly. For example, it may
need to do off-LAN DNS resolution. Or it may get its time updated using ntp.
Or it may also be a mail server. Or ... you get the idea. This is what I
meant when I said you can't decide how to firewall properly without knowing
the details of how the setup is supposed to work.

OTOH, if you want to prevent the Web server from connecting to other hosts
on the LAN (the other possible "the" network) ... if the Web server is
itself on the LAN, a LEAF router cannot help you there, since on-LAN traffic
doesn't (normally) go through a router. (There are some tricky things you
can do there, but in the end, none are really secure if the Web server gets
cracked.)

If you want to isolate the Web server from the LAN, you normally do so by
adding a third interface to the router and setting up on it a separate
network, customarily called a DMZ, that keeps the "exposed" part of your
site isolated from the truly private part of your site. This is a standard
DachStein setup and should be well explained in the DachStein docs and
config-file comments.

>Thanks for the quick response!
[old stuff deleted]


--
"Never tell me the odds!"---
Ray Olszewski-- Han Solo
Palo Alto, CA[EMAIL PROTECTED]
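
Added example, appended by the editor and not part of Ray's post or of the
LEAF/DachStein scripts: a small Python model of the two ipchains rules he
gives above, alongside the -y (SYN-only) refinement he mentions, evaluated
against constructed sample packets so the first-match ordering, the DNS
caveat and the fact that -y does nothing for UDP or ICMP can be checked
offline. The Web server address 192.168.1.10, the router address
192.168.1.254 and the remote test addresses are assumptions; the rule
matching mimics ipchains only as far as these options go.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    """A packet as the router sees it on its LAN interface (the 'input' chain)."""
    src: str
    dst: str
    proto: str               # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    iface: str = "eth1"
    syn_only: bool = False   # TCP SYN with ACK clear, i.e. what ipchains -y matches


@dataclass(frozen=True)
class Rule:
    """One ipchains rule; None means the option was not given."""
    target: str                   # -j ACCEPT / DENY
    src: str = "0.0.0.0/0"        # -s
    proto: str = "all"            # -p
    sport: Optional[int] = None   # port after -s
    dport: Optional[int] = None   # port after -d
    iface: Optional[str] = None   # -i
    syn: bool = False             # -y

    def matches(self, p: Packet) -> bool:
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if self.proto != "all" and self.proto != p.proto:
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.iface is not None and p.iface != self.iface:
            return False
        # -y only ever matches TCP packets that open a connection
        if self.syn and not (p.proto == "tcp" and p.syn_only):
            return False
        return True


def evaluate(chain: List[Rule], p: Packet, policy: str = "ACCEPT") -> str:
    """First matching rule wins, as in ipchains; otherwise the chain policy."""
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return policy


WEB = "192.168.1.10"      # assumed LAN address of the Apache box (a.b.c.d in the post)
ROUTER = "192.168.1.254"  # assumed LAN address of the LEAF router

# Ray's two rules, in order: let the server answer from port 80, drop the rest.
SIMPLE_CHAIN = [
    Rule("ACCEPT", src=f"{WEB}/32", proto="tcp", sport=80, iface="eth1"),
    Rule("DENY", src=f"{WEB}/32", proto="all", iface="eth1"),
]

# The -y variant: allow DNS to the router, then refuse only *new* TCP
# connections the server tries to open. UDP and ICMP are untouched by -y.
SYN_CHAIN = [
    Rule("ACCEPT", src=f"{WEB}/32", proto="udp", dport=53, iface="eth1"),
    Rule("DENY", src=f"{WEB}/32", proto="tcp", iface="eth1", syn=True),
]

# Constructed sample traffic from the Web server, all arriving on eth1.
REPLY = Packet(WEB, "203.0.113.5", "tcp", sport=80, dport=51234)                    # answer to a client
NEW_SSH = Packet(WEB, "198.51.100.7", "tcp", sport=40001, dport=22, syn_only=True)  # server reaching out
DNS = Packet(WEB, ROUTER, "udp", sport=40002, dport=53)                             # name lookup
PING = Packet(WEB, "198.51.100.7", "icmp")                                          # outbound echo request


def verdicts(chain: List[Rule]) -> Dict[str, str]:
    """Verdict per sample packet, keyed by a short label."""
    return {
        "reply": evaluate(chain, REPLY),
        "new_ssh": evaluate(chain, NEW_SSH),
        "dns": evaluate(chain, DNS),
        "ping": evaluate(chain, PING),
    }


if __name__ == "__main__":
    for name, chain in (("simple", SIMPLE_CHAIN), ("syn", SYN_CHAIN)):
        print(name, verdicts(chain))
```

The simple chain drops the server's DNS lookup and its pings along with
the outbound SSH attempt, which is the breakage Ray warns about; the -y
chain lets DNS, pings and port-80 replies through while still refusing the
new connection, but only because the block is TCP-specific, so UDP and ICMP
from a compromised server still need their own rules.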






[Leaf-user] Running tinydns and dnscache side by side

2001-12-27 Thread Daryl L. Biberdorf


I wanted to run a private DNS cache (an "external cache" in Dan Bernstein's
terms, as it is external to the actual client needing a name resolved)
in conjunction with a private DNS server and a public DNS server.
Here's a picture of what I wanted:

192.168.1.5                         eth1 - private IP
+--------+         +-----------------+ eth0 - public IP 1.2.3.4
| client |---------|  LRP firewall   |---------------------------
+--------+         |                 |
                   |  tinydns-public |
                   |                 |
                   |                 |
                   |  dnscache       |
                   |  tinydns-private|
                   |                 |
                   |                 |
                   +-----------------+


When I did an out-of-the-box configuration of the dnscache.lrp and
tinydns.lrp packages, I discovered that I was correctly providing
server info on the public interface. However, internal lookups were
failing for all clients (Solaris and Linux) other than my Windows machine, 
which in fact was relying on some mysterious Windows mechanisms rather than 
pure DNS. I should note that my public and private tinydns servers were 
providing somewhat different information, as the public DNS server offers no 
details on purely private machines.

Based on the documentation at 
http://cr.yp.to/djbdns/faq/cache.html and
http://cr.yp.to/djbdns/faq/cachex.html, it appears that dnscache should
run on a different IP from tinydns to avoid conflicts. 
(See the links http://cr.yp.to/djbdns/faq/cache.html#internal
and http://cr.yp.to/djbdns/faq/cachex.html#mixnmatch
for particular details.)

What I had to do (at a high level) is the following:
1. Set up another (aliased) IP address on the internal interface.
2. Tell the internal dnscache server to listen on the new aliased address.
3. Tell the dnscache server to use the private tinydns server to resolve
   queries in the local domain.
4. Add an entry for the new (aliased) IP address to the private tinydns
   server data file.
5. Restart everything.
6. Point clients to the dnscache server IP (the aliased one).

My original internal IP address for the LRP firewall was 192.168.1.254.
My private tinydns server continues to listen at this address.
I wanted my dnscache server to listen on 192.168.1.250.

Here's what I had to do to make the above steps work:

1. In /etc/network.conf, add a line:
 eth1_IP_EXTRA_ADDRS="192.168.1.250"
   (I chose .250 simply because I have some other stuff at .253, .252,
and .251.) I can't find this parameter explicitly documented
   anywhere, but it successfully aliases the second IP to the internal
   interface.

2. Restart networking to apply this change: /etc/init.d/network reload
   (You can use "ip addr" to verify that eth1 is now listening on 
   multiple internal addresses.)

3. Change dnscache's default listening address to the new one (using the
   menus in lrcfg, or editing /etc/dnscache/env/IP), 192.168.1.250

4. Tell dnscache to rely on the tinydns-private server for things in
   my own domain (paradosis.com, in my case). There's no lrcfg option
   for this. You'll have to manually edit the following files,
   replacing the default 127.0.0.1 entry with the address of the
   tinydns-private server (192.168.1.254 in my case):
   /etc/dnscache/root/servers/paradosis.com
   /etc/dnscache/root/servers/1.168.192.in-addr.arpa

   (REMEMBER, your domain is probably not paradosis.com. Use your own
   domain instead. If your tinydns server is supplying information on
   additional domains, you'll have files for those domains, too. For
   example if you have a tinydns server supplying info for
   paradosis.com and mywiddleteddybear.com, you'll have three files
   in that subdirectory: paradosis.com, mywiddleteddybear.com, and
   1.168.192.in-addr.arpa)

5. Restart dnscache: /etc/init.d/dnscache restart

6. Edit your tinydns-private server data file to include A and PTR
   records for the new dnscache address. You can use lrcfg to do this, or
   edit /etc/tinydns-private/root/data directly. In my case, I used:
   =dnscache.paradosis.com:192.168.1.250

7. Restart tinydns: /etc/init.d/tinydns restart

8. Back up etc.lrp, tinydns.lrp, and dnscache.lrp.

9. Change the nameserver entries on your client machines to point to the
   new dnscache address (192.168.1.250 in my case). For UNIX/Linux,
   you'll edit the nameserver line in /etc/resolv.conf. For Windows
   machines, edit the TCP/IP network properties and do the obligatory
   reboot.

So far, everything on the internal side is working very well, especially
compared to the seemingly random failures I was getting before. It would
be nice to work some of this into the tinydns and dnscache packages, but
Jacques has already done a marvelous job. :) 

Does anyone see any problems with this?

Daryl

Daryl L. Biberdorf  [EMAIL PROTECTED]
"And if [God] were to withdraw what we may call his
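
Added example, appended by the editor and not from Daryl's post or from the
LEAF tinydns/dnscache packages: a Python script that generates the files
steps 3, 4 and 6 above edit by hand, derives the in-addr.arpa zone name
from the LAN prefix instead of typing it, and refuses a configuration in
which dnscache and tinydns would share an address (the conflict the djbdns
FAQ pages he links describe). The paths are the ones in the post; the
domain names and addresses are the post's values, used here as
placeholders.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable


def reverse_zone(net: str) -> str:
    """in-addr.arpa zone for an octet-aligned network:
    192.168.1.0/24 -> 1.168.192.in-addr.arpa"""
    n = ip_network(net, strict=False)
    if n.prefixlen not in (8, 16, 24):
        raise ValueError("only /8, /16 and /24 map onto a single in-addr.arpa zone")
    octets = str(n.network_address).split(".")[: n.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def djbdns_files(domains: Iterable[str], lan_net: str, cache_ip: str,
                 tinydns_ip: str, cache_name: str) -> Dict[str, str]:
    """Return {path: content} for the files the procedure touches.

    /etc/dnscache/env/IP                step 3: address dnscache binds
    /etc/dnscache/root/servers/<zone>   step 4: send local zones to tinydns
    /etc/tinydns-private/root/data      step 6: line to append (A + PTR for the cache)
    """
    cache = ip_address(cache_ip)
    tiny = ip_address(tinydns_ip)
    if cache == tiny:
        # both daemons bind port 53, so one address cannot carry both
        raise ValueError("dnscache and tinydns must listen on different addresses")
    lan = ip_network(lan_net, strict=False)
    for addr in (cache, tiny):
        if addr not in lan:
            raise ValueError(f"{addr} is not inside {lan}")

    files = {"/etc/dnscache/env/IP": f"{cache}\n"}
    # one servers/ file per forward zone, plus the reverse zone for the LAN
    for zone in list(domains) + [reverse_zone(lan_net)]:
        files[f"/etc/dnscache/root/servers/{zone}"] = f"{tiny}\n"
    # tinydns-data '=' record: an A record and its matching PTR in one line
    files["/etc/tinydns-private/root/data"] = f"={cache_name}:{cache}\n"
    return files


if __name__ == "__main__":
    generated = djbdns_files(
        ["paradosis.com", "mywiddleteddybear.com"],   # zones named in the post
        "192.168.1.0/24", "192.168.1.250", "192.168.1.254",
        "dnscache.paradosis.com",
    )
    for path, content in generated.items():
        print(f"--- {path}\n{content}", end="")
```

The data line is the one record to append to the existing
/etc/tinydns-private/root/data, not a replacement for that file; after
writing the servers/ files, dnscache still needs the restart from step 5
and the tinydns-data rebuild from step 7 before clients are repointed.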

FW: [Leaf-user] HELP HELP!!......grrrrrr

2001-12-27 Thread Jim Van Eeckhoutte

No, now it's not that it's not getting an address... it's just losing the
link LED when the driver is loaded... therefore no connection.
This is nuts... hehehehe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Victor
McAllisteer
Sent: Thursday, December 27, 2001 8:01 PM
To: leaf-user
Subject: Re: [Leaf-user] HELP HELP!!

Jim Van Eeckhoutte wrote:

> Guys I need help with this rtl8139 issue. Eth0 connects to cable
> modem ..while watching back of Eth0..link drops when it trys to get
> address from ATT ..i take out UTP wire from cable modem and hook
> into switch and link light comes back and Dachstein CD 1.0.2 gets
> address from 2k server in garage (dhcp scope). What could this be .
> im pullin my hair out ..hehe.
> I have reset the modem several times.
>
> ATT pushes out dhcp address to client via mac address which I have
> set via (ip link set eth0 address ma:ca:dd:re:ss:00 in network.cfg)
>
Several list members have remarked that it is necessary to release the
lease with AT&T.  You may have to hook your windows box up directly
w/o the router and use winipcfg to release all on your lease.  Then
shut everything down and plug the LEAF box in.  Maybe then AT&T will
give you a lease.

PS - html on this list makes your mail very difficult to read.  Please
set your email software to send in text mode to the list.




