Re: [Leaf-user] remote access to dachstein
Hi All

At 13:35 17/01/02 -0800, Victor McAllisteer wrote: There was a post here recently from someone who got libz.lrp and sshd.lrp to fit on a single floppy. He stripped the pretty version of weblet and used one without graphics if I remember correctly. Unfortunately the search feature does not appear to work on the list so I can't find the message.

That was me actually, and it really isn't that hard. A standard Dachstein 1680K floppy has about 275KB of free space anyway, while libz.lrp and sshd.lrp total around 330KB - you've only got to find about 55 KB. Here's exactly what I did:

1. In /var/sh-www/, I deleted lrpStat.jar, the weblet's java-based bandwidth monitor, and netmon.html, the html document that's used to display it. To keep things neat and tidy, I then opened up index.html and edited out the resulting broken link to netmon.html.

2. Then I had a look at the file etc/modules (from lrcfg, menu options 3, 3, then 1), took notes of the ethernet card modules I'm using, then commented out all the ip_masq modules I'm unlikely to use. Then, in lib/modules/, I deleted everything I didn't need. I notice that the ethernet card modules are in general bigger than the ip_masq ones, so get rid of the unused ethernet ones first if you're unsure.

3. Then, I backed up. Weblet.lrp reduced in size from about 67 K to about 18 K, and modules went from 113 K to about 24 K, giving me an extra 138K of space (that's about 400-odd K in total) which was plenty. You might not get modules to get so small - I was lucky because I didn't need many ip_masq modules, and both NICs in my firewall use the ne.o module which is one of the smallest. Still, I have space to spare so you'll still probably have made enough space even if your setup is a fair bit more complex.

4. I still didn't have room for the ssh key generator program, sshkey.lrp, on the floppy so had to install it manually after boot. Once the key is generated though, you don't need it any more so there isn't actually much point in trying too hard to fit it on the boot floppy in any case. Instructions for this part are at http://leaf.sourceforge.net/devel/jnilo/openssh.html.

If anyone thinks I should flesh this out into a howto, just let me know.

cheers Julian -- [EMAIL PROTECTED] www.ljchurch.co.uk

___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
Re: [Leaf-user] Filtering Web content
Pär Johansson wrote: Hello My 8 year old boy is getting very interested in the internet, but I have some considerations (porn etc.) connecting his computer to the net. Is it possible to add some web filtering to dachstein, can squid or some other package do this? Regards Pär Johansson The fundamental nature of the Web is to provide unlimited access to the entire world's knowledge. Even Senators have difficulty with that concept. Matthew
Re: [Leaf-user] Suspicious 'last'
Jon Clausen wrote: Hi list I've been monitoring the list for a while now. Seems there are some very knowledgeable people here. Originally I was going to ask about some vpn-stuff, but then this happened: Running Dachstein on a three-way box with LAN (192.*.*.*) and DMZ (10.*.*.*), at a remote location. Everything seems to work (well pretty much anyway). I have web, mail, ftp and ssh forwarded through to dmz-host. As I logged in on the dach-box (ssh to dmz-host, and ssh from there to dach-box) last night it started the whole 'host unknown, somebody might be eavesdropping, do you want to continue?'-thing. Now this was because I was using a host (on my home lan) that I don't usually use for this. So I went to the machine that I *do* use for this, logged in (no problem) first to the dmz-box, and then to the dach-box. I then looked at 'last', and then I got worried:

# last
USER    TTY    PID    TIMEON  FROM
reboot  ~      0      22545   2.2.19
root    ttyp0  845    22491   192.*.*.*
root    ttyp0  1532   21794   UNKNOWN
root    ttyp0  1540   21791   10.*.*.*
root    ttyp0  1554   21785   10.*.*.*
root    ttyp0  5385   12592   10.*.*.*
root    ttyp0  5505   12518   10.*.*.*
root    ttyp0  6824   10156   10.*.*.*
root    ttyp0  9046   5075    192.*.*.*
root    ttyp0  10667  1576    10.*.*.*
root    ttyp0  11313  1140    10.*.*.*
root    ttyp0  11804  176     10.*.*.*
root    ttyp0  12220  135     10.*.*.*
root    ttyp0  12235  119     10.*.*.*
root    ttyp0  12263  78      10.*.*.*
root    ttyp0  12597  70      10.*.*.*
root    ttyp0  13135  56      10.*.*.*
root    ttyp0  13744  26      10.*.*.*
root    ttyp0  13758  23      10.*.*.*
root    ttyp0  13769  18      10.*.*.*
root    ttyp0  13829  0       10.*.*.*

Looking at the logs, I can see that this UNKNOWN corresponds to a root-login yesterday *morning*. The only other person who has access to these systems, tells me it wasn't him... Now I'm pretty new at this stuff, so I really would appreciate some opinions on this... Should I *be* worried, is there a way to check whether stuff has been tampered-with? I'll post further info, as requested/required. TIA Sincerely Jon Clausen

Hey Jon, I can't say for sure, but these three look too similar to be co-inkydinks:

USER  TTY    PID   TIMEON  FROM
root  ttyp0  1532  21794   UNKNOWN
root  ttyp0  1540  21791   10.*.*.*
root  ttyp0  1554  21785   10.*.*.*

Don't you think there's some similarity? It's difficult to get those so sequential, wouldn't you think? Could the unknown be from a login that didn't finish for some innocent reason? Matt
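Example code added here (not from the thread): a small triage script that parses a BusyBox-style `last` listing like the one above and, for each UNKNOWN origin, reports whether it is bracketed by logins from one known host a few seconds apart (Matt's incomplete-login hypothesis) or stands alone and needs the syslog entries for that time. It assumes the column order USER TTY PID TIMEON FROM and that TIMEON is the age of the session in seconds; the listing inside is constructed.

```python
"""Triage helper for BusyBox-style `last` output like the listing in this thread.

Assumptions (not stated on the page): columns are USER TTY PID TIMEON FROM and
TIMEON is the age of the session in seconds, so two entries whose TIMEON values
differ by a few seconds started at almost the same moment.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the shape of the thread's listing; hosts are made up.
SAMPLE_LAST = """\
USER    TTY    PID    TIMEON  FROM
reboot  ~      0      22545   2.2.19
root    ttyp0  845    22491   192.0.2.10
root    ttyp0  1532   21794   UNKNOWN
root    ttyp0  1540   21791   10.0.0.5
root    ttyp0  1554   21785   10.0.0.5
root    ttyp0  5385   12592   10.0.0.5
root    ttyp0  9046   5075    UNKNOWN
root    ttyp0  13829  0       10.0.0.5
"""


@dataclass
class Login:
    user: str
    tty: str
    pid: int
    timeon: int
    origin: str


def parse_last(text: str) -> List[Login]:
    """Parse the listing; the header line and anything malformed is skipped."""
    logins = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "USER":
            continue
        user, tty, pid, timeon, origin = parts
        logins.append(Login(user, tty, int(pid), int(timeon), origin))
    return logins


def sessions_near(logins: List[Login], anchor: Login, window: int) -> List[Login]:
    """Other sessions that began within `window` seconds of `anchor`."""
    return [l for l in logins
            if l is not anchor and abs(l.timeon - anchor.timeon) <= window]


def triage(text: str, window: int = 60) -> List[Dict]:
    """One finding per UNKNOWN-origin login, with the sessions around it.

    An UNKNOWN entry bracketed by logins from a single known host seconds
    apart is consistent with a login that did not complete; an isolated one
    has no such explanation in `last` alone and needs the syslog entries
    for that time.
    """
    logins = parse_last(text)
    findings = []
    for entry in logins:
        if entry.origin != "UNKNOWN":
            continue
        near = sessions_near(logins, entry, window)
        hosts = sorted({n.origin for n in near})
        if near and len(hosts) == 1:
            note = "bracketed by logins from %s within %ds" % (hosts[0], window)
        else:
            note = "no session from a known host within %ds" % window
        findings.append({
            "pid": entry.pid,
            "timeon": entry.timeon,
            "nearby_pids": [n.pid for n in near],
            "nearby_hosts": hosts,
            "note": note,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LAST):
        print(finding)
```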
[Leaf-user] @home to Cox conversion problems
Hello all.. Very long time no talk to... I've been having a problem with my LRP box and my cable service. Use Cox/@home in the Orange County, Southern CA area, and it's been working fine for 2 years. We are finally getting ours, in the Excite@home demise, and they have changed something, we're on a whole new IP network now. And suddenly, no service.. It seems the handshaking for the DHCP is not the same anymore, the box is offering but nobody is taking it. Strangely, it WILL give an IP to my 98 machine when plugged straight to the cable modem, after a couple of days of not even that working. LRP is Dachstein, second revision. Formerly just the host name in dhclient was all that was needed. I now notice on the Win box's config info, that the new network has a 255.255.248.0 subnet mask.. I tried a /21, with no success, hope that was right since it's nearing 3AM.. Any ideas on what might be the possible change? Thanks in advance.. Jon
Re: [Leaf-user] Speed Survey
Paul Rimmer wrote: ** Speed 2325(down)/1034(up) kbps ** ** Speed 2925(down)/947(up) kbps ** P133 64MB RAM DCDv1.01 with brand new Motorola cable modem (old one was definitely slower). I'd be curious to see what other cable modem users are getting and what their config is. @home in Petaluma, CA, near the wine country. 2400 kbps(down)/128(up) kbps. The LEAF is a PII 400, 2U Gateway thing, so there's not going to be any bottleneck there. He's capped for sure, because he sees that speed a lot of the time. -- As far as raw speed goes, I really gave the DSL installers, who took care of me near San Francisco, the real once over when they finally got around to my house. I'm out there by the pole, telling them how I'm going to get another three phone lines in two months, so they better run an entirely new trunk from the pole to my house (they did, 6 lines, heh). Then I made them test the heck out of it, and they found they could get 9000(down)/8000(up) kbps using their testers. Heck, I could host the LEAF site with that speed :) But unfortunately, I was only paying for 1500/128, so I was going to be capped by the system. I'd never really see that 9000/8000, though, because I doubt they'd supply me with a 100 BaseTx dsl modem. So I figure I'd be good for a solid 5000/5000 if I had the $$ to pay for the service. I'm 10017 ft ( 3070 meters ) from the central office. Best, Matthew
Re: [Leaf-user] @home to Cox conversion problems
Jon Pike wrote: Very long time no talk to... I've been having a problem with my LRP box and my cable service. Use Cox/@home in the Orange County, Southern CA area, and it's been working fine for 2 years. We are finally getting ours, in the Excite@home demise, and they have changed something, we're on a whole new IP network now. And suddenly, no service.. It seems the handshaking for the DHCP is not the same anymore, the box is offering but nobody is taking it. Strangely, it WILL give an IP to my 98 machine when plugged straight to the cable modem, after a couple of days of not even that working. LRP is Dachstein, second revision. Formerly just the host name in dhclient was all that was needed. I now notice on the Win box's config info, that the new network has a 255.255.248.0 subnet mask.. I tried a /21, with no success, hope that was right since it's nearing 3AM.. Any ideas on what might be the possible change? Please, post *all* available information off of the successful win98 box, including everything from winipcfg . . . -- Best Regards, mds mds resource 888.250.3987 Dare to fix things before they break . . . Our capacity for understanding is inversely proportional to how much we think we know. The more I know, the more I know I don't know . . .
Re: [Leaf-user] @home to Cox conversion problems
On Friday 18 January 2002 09:00, Michael D. Schleif wrote: We are finally getting ours, in the Excite@home demise, and they have changed something, we're on a whole new IP network now. And suddenly, no service.. It seems the handshaking for the DHCP is not the same anymore, the box is offering but nobody is taking it. Strangely, it WILL give an IP to my 98 machine when plugged straight to the cable modem, after a couple of days of not even that working. Boot up again in Win98 and run winipcfg as Michael suggested. Make note of the default gateway on your NIC. Before closing winipcfg, you _must_ Release all then shutdown Win98. Boot up Dachstein and enter the default gateway you found in winipcfg to the line in network.conf that reads DEFAULT_GW= www.xxx.yyy.zzz. Now do a svi network reload and things should be better. It seems with Excite out of there that Cox@Home is only giving out one dhcp lease at a time forcing you to release one before getting another. There have been several cases of this in the last couple of weeks. The default gateway seems to be more of a regional requirement, but it wouldn't hurt to enter it in either case. -- ~Lynn Avants aka Guitarlynn guitarlynn at users.sourceforge.net http://leaf.sourceforge.net If linux isn't the answer, you've probably got the wrong question!
Re: [Leaf-user] OT: ipchains
If you want to take the time to help me out that would be great, but if not that's cool. thanks for any help, -Alex Fore We have two internal DNS servers one internal smtp server, many internal webservers. ipchains commands snipped

Assumptions:
eth0 = internal network = good
eth1 = DMZ = dmz
eth2 = internet = bad

Well, assuming:
- The above interface list is correct
- The shell variables are set correctly
- Your interfaces and routes are configured correctly on the firewall and all server systems
- and a bunch of other stuff... (hint...it's important to provide as much detail as possible when asking for remote help with tricky problems)

I don't notice anything immediately obvious that would be blocking outbound e-mail and/or dns, so I'll just provide a few general ipchains tricks I've found useful in debugging firewall problems...

IPChains debugging hints:

ipsec -Lvn --line-numbers is your friend. Pay special attention to the packet counts next to the rules...especially when debugging those why doesn't this protocol work sort of problems. NOTE: Flushing all packet counts and running a test (like trying to send an e-mail) can make this technique much more powerful, since you can more easily see which rules are matching the packets of interest.

Use logging! Adding an ipchains -I rule -l switch to log all traffic hitting a rule can be very helpful. While this will fill up your logs quickly under real loads, it can be invaluable to see packets hitting each rule, and watching the packet counts increase. You can also verify things like a particular packet hit the forward chain, but never made it to the output chain...

Use deny logging...a slight twist on the above, if all your deny rules log the packets, you'll see in the logs if your traffic isn't making it out of the box. Combine the rule name and rule number in the log and the --line-numbers and -v switches to ipchains, and you can generally deduce where things went wrong by crawling through the ipchains verbose output.

Good luck! Charles Steinkuehler http://lrp.steinkuehler.net http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
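The packet-count technique above, as an added example (not code from the thread or from the ipchains tools): take an `ipchains -nvL --line-numbers` listing before and after a single test such as sending one mail, and diff the per-rule and per-chain-policy packet counters to see which rules the test traffic hit and whether any of it fell through to a DENY policy. The two listings inside are constructed in the general shape of ipchains verbose output; only the chain header and the first four fields of each rule line are relied on.

```python
"""Which ipchains rules did a test hit?  Diff two `ipchains -nvL --line-numbers`
snapshots taken before and after the test (e.g. one outbound mail), including
the per-chain default-policy counters, which catch packets no rule matched.

The two listings below are constructed for this example in the general shape
of ipchains' verbose output; only the chain header and the first four fields
of a rule line (num, pkts, bytes, target) are relied on, not column widths.
"""
import re
from typing import Dict, List, Tuple

Key = Tuple[str, object]          # (chain, rule number) or (chain, "policy")
Counter = Tuple[int, str, str]    # (packets, target, rest of the rule text)

BEFORE = """\
Chain input (policy ACCEPT: 40 packets, 2400 bytes):
num  pkts bytes target prot opt    tosa tosx ifname source          destination   ports
1      10   600 ACCEPT tcp  ----l- 0xFF 0x00 eth0   192.168.1.0/24  0.0.0.0/0     * ->   25
2       0     0 DENY   tcp  ----l- 0xFF 0x00 eth2   0.0.0.0/0       0.0.0.0/0     * ->   25
Chain forward (policy DENY: 0 packets, 0 bytes):
num  pkts bytes target prot opt    tosa tosx ifname source          destination   ports
1       5   300 MASQ   all  ------ 0xFF 0x00 eth2   192.168.1.0/24  0.0.0.0/0     n/a
"""

AFTER = """\
Chain input (policy ACCEPT: 40 packets, 2400 bytes):
num  pkts bytes target prot opt    tosa tosx ifname source          destination   ports
1      13   780 ACCEPT tcp  ----l- 0xFF 0x00 eth0   192.168.1.0/24  0.0.0.0/0     * ->   25
2       0     0 DENY   tcp  ----l- 0xFF 0x00 eth2   0.0.0.0/0       0.0.0.0/0     * ->   25
Chain forward (policy DENY: 3 packets, 180 bytes):
num  pkts bytes target prot opt    tosa tosx ifname source          destination   ports
1       5   300 MASQ   all  ------ 0xFF 0x00 eth2   192.168.1.0/24  0.0.0.0/0     n/a
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+): (\d+) packets, (\d+) bytes\)")


def parse_listing(text: str) -> Dict[Key, Counter]:
    """Map (chain, rule number | "policy") to its packet counter and target."""
    counters: Dict[Key, Counter] = {}
    chain = None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            counters[(chain, "policy")] = (int(m.group(3)), m.group(2), "default policy")
            continue
        parts = line.split()
        if chain is None or len(parts) < 4 or not parts[0].isdigit():
            continue  # column header or blank line
        num, pkts, _bytes, target = parts[:4]
        counters[(chain, int(num))] = (int(pkts), target, " ".join(parts[4:]))
    return counters


def rules_hit(before: Dict[Key, Counter], after: Dict[Key, Counter]) -> List[dict]:
    """Rules and policies whose packet counter grew between the snapshots."""
    hits = []
    for key, (pkts_after, target, rest) in after.items():
        pkts_before = before.get(key, (0, target, rest))[0]
        delta = pkts_after - pkts_before
        if delta > 0:
            hits.append({"chain": key[0], "rule": key[1], "packets": delta,
                         "target": target, "rule_text": rest})
    return hits


def explain(hits: List[dict]) -> List[str]:
    """Plain-language lines; a growing policy counter means unmatched packets."""
    lines = []
    for h in hits:
        if h["rule"] == "policy":
            lines.append("%s: %d packet(s) matched no rule and hit the %s policy"
                         % (h["chain"], h["packets"], h["target"]))
        else:
            lines.append("%s rule %s (%s): +%d packet(s)"
                         % (h["chain"], h["rule"], h["target"], h["packets"]))
    return lines


if __name__ == "__main__":
    for line in explain(rules_hit(parse_listing(BEFORE), parse_listing(AFTER))):
        print(line)
```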
Re: [Leaf-user] 2.2.16/tulip/build How?
I'd suggest upgrading to the 2.2.19 kernel. You don't have to upgrade your whole distribution to do this...just replace the kernel file on the floppy (the file named linux) and the modules in modules.lrp. You can even cheat and start with the files from a Dachstein release (just make a Dachstein floppy, and copy the linux and modules.lrp from it to your existing firewall). Thanks for responding. Does this mean that the tulip.o on the 2.2.19 index supports the 1255tx card from SMC? My problem is that 2.2.16 tulip apparently does not. I don't know for sure, but the tulip driver *is* much newer. It's even newer than the 2.2.19 kernel version of the driver, since I compiled all the drivers maintained by Dan Becker separately, and replaced the default kernel versions with the newer ones... If so: so my existing dhcp and ipchains and ipsec1.5 should be cool with the newer kernel? Ouch! The IPSec will also have to be upgraded, since it talks to code patched into the kernel. I'd still recommend upgrading...the new 1.91 version of IPSec is much more friendly than the 1.5 version, and you can simply copy your ipsec.conf and ipsec.secrets files directly into the new package...no 'tweaking' required, unless you want to use some of the new features available in 1.91. Charles Steinkuehler http://lrp.steinkuehler.net http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
Re: [Leaf-user] OT: ipchains
ipsec -Lvn --line-numbers is your friend. Pay special attention to the
^^^^^
Did you mean `ipchains -nvL --line-numbers' ??? Notice, the `L' cannot precede the `nv' . . .

Yes...sorry.

Charles Steinkuehler http://lrp.steinkuehler.net http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
Re: [Leaf-user] D/DCD busybox gzip/gunzip problem???
I was wondering if anybody else is, like me, having some problem with the gzip/gunzip commands provided by the busybox currently used on Dachstein... I sometimes have problems decompressing (gunzip) files which were packed by gzip (both being the busybox ones). I have had this problem mainly with the psentry.lrp package on my pc but I had it with more than one package on one of my friends' pc... On his pc it could have been caused by a flaky diskette or diskette drive since we were using 3 1/2 diskette drive but on mine I'm using a properly terminated and AFAIK without bad sectors SCSI hard disk (which is, most of the time, write-protected...)... I get the following error messages:

gunzip: invalid compressed data--crc error
gunzip: invalid compressed data--length error

But the file is still considered OK by both Winzip and, more importantly, the real gunzip running on a full Linux distribution... There doesn't seem to be any problem relating to that logged on busybox site... I recall some e-mails about a CRC calculation problem with busybox gzip...don't remember exactly when, but a problem was identified, and the fix is likely in CVS, if not in the latest releases (check the change logs). IIRC, other than the warning, everything unpacks OK, so the error is at least somewhat benign. Charles Steinkuehler http://lrp.steinkuehler.net http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
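The two messages above come from the 8-byte trailer of a gzip member (CRC32 and ISIZE, RFC 1952), which a gunzip compares against what it actually inflated. As an added example, not code from BusyBox or the Dachstein packages, here is an independent check of that trailer that reports "ok", "crc error" or "length error" without trusting any particular gunzip; the sample members are constructed in the code.

```python
"""Check a gzip member's trailer independently of any particular gunzip.

The last 8 bytes of a gzip member are CRC32 and ISIZE (uncompressed length
mod 2**32) of the original data (RFC 1952); a gunzip that disagrees with them
is what produces the "crc error" and "length error" messages quoted above.
Example code added here, not part of BusyBox or the Dachstein packages.
"""
import gzip
import struct
import zlib
from typing import Dict, Optional, Tuple

FHCRC, FEXTRA, FNAME, FCOMMENT = 0x02, 0x04, 0x08, 0x10


def header_length(buf: bytes) -> int:
    """Length of the gzip header, including the optional fields the flags announce."""
    if buf[:2] != b"\x1f\x8b" or buf[2] != 8:
        raise ValueError("not a gzip/deflate file")
    flags = buf[3]
    pos = 10
    if flags & FEXTRA:
        xlen = struct.unpack_from("<H", buf, pos)[0]
        pos += 2 + xlen
    for bit in (FNAME, FCOMMENT):          # NUL-terminated strings
        if flags & bit:
            pos = buf.index(b"\x00", pos) + 1
    if flags & FHCRC:
        pos += 2
    return pos


def check_gzip(buf: bytes) -> Tuple[str, Optional[int], Optional[int]]:
    """Return (verdict, computed, stored) for a single-member gzip buffer."""
    start = header_length(buf)
    d = zlib.decompressobj(-15)            # raw deflate; header already consumed
    data = d.decompress(buf[start:])
    if not d.eof or len(d.unused_data) < 8:
        return "truncated", None, None
    crc_stored, isize_stored = struct.unpack("<II", d.unused_data[:8])
    crc = zlib.crc32(data) & 0xFFFFFFFF
    if crc != crc_stored:
        return "crc error", crc, crc_stored
    isize = len(data) & 0xFFFFFFFF
    if isize != isize_stored:
        return "length error", isize, isize_stored
    return "ok", crc, crc_stored


def make_samples() -> Dict[str, bytes]:
    """Constructed inputs: a good member and two with one trailer field damaged."""
    good = gzip.compress(b"psentry.lrp placeholder contents\n" * 40)
    bad_crc = bytearray(good)
    bad_crc[-8] ^= 0xFF                    # first byte of the stored CRC32
    bad_len = bytearray(good)
    bad_len[-4] ^= 0x01                    # first byte of the stored ISIZE
    return {"good": good, "bad_crc": bytes(bad_crc), "bad_len": bytes(bad_len)}


if __name__ == "__main__":
    for name, blob in make_samples().items():
        print(name, check_gzip(blob))
```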
Re: [Leaf-user] glibc pppoe...
When LEAF leaves the single floppy behind, the entire project target changes and all the indications point to the change happening in the next 6 months or so. It seems that the primary developers are trying to keep the original target (floppy), and for that I commend them, it would be easy to simply abandon this target and move on to other ones. I for one still use the single floppy release as my primary home firewall. I have installed the DCD cd release in several different configurations including a harddrive, a flash drive, and a stand-alone cdrom, but in all honesty the floppy version still does anything I need it to at home and it still intrigues me how well put together it is. Well, I *have* effectively abandoned the 1440 floppy format (for anything other than the config floppy for a CD-ROM install), but I really want to keep a workable firewall running on a 1680K floppy. Note the new Dachstein releases are actually *SMALLER* than the previous EigerStein releases, while supporting more features! Charles Steinkuehler http://lrp.steinkuehler.net http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
[Leaf-user] oxygen + snort + kernel panic
Hi! I am using Oxygen May 2000 and snort1.8. The router routes the packets when snort is not installed. But when snort is up, I get the following message and the system hangs. None of the special keys work. error message : $ kernel panic: skput: over c014e7cb : 1006 put : 1006 dev : eth0 In swapper task - not syncing. I get the same error message when I have ipchains turned on. It would be great if anyone could suggest a solution. Thanks, Dharmin.
Re: [Leaf-user] glibc pppoe...
- Original Message - From: Charles Steinkuehler [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, January 18, 2002 8:29 AM Subject: Re: [Leaf-user] glibc pppoe... When LEAF leaves the single floppy behind, the entire project target changes and all the indications point to the change happening in the next 6 months or so. It seems that the primary developers are trying to keep the original target (floppy), and for that I commend them, it would be easy to simply abandon this target and move on to other ones. I for one still use the single floppy release as my primary home firewall. I have installed the DCD cd release in several different configurations including a harddrive, a flash drive, and a stand-alone cdrom, but in all honesty the floppy version still does anything I need it to at home and it still intrigues me how well put together it is. Well, I *have* effectively abandoned the 1440 floppy format (for anything other than the config floppy for a CD-ROM install), but I really want to keep a workable firewall running on a 1680K floppy. Note the new Dachstein releases are actually *SMALLER* than the previous EigerStein releases, while supporting more features! Charles Steinkuehler http://lrp.steinkuehler.net http://c0wz.steinkuehler.net (lrp.c0wz.com mirror) For which many of us are very grateful for your work Charles. Except for a config I'm under the opinion that the floppy is dead. In computer technology it's a stagnant dinosaur whose time for retirement has long been late, however its reliability and being available on almost every PC has made it live on much longer than it should. If the advancement of the various projects in LEAF means goodbye to the floppy, then so be it. I look forward to all further improvements in all the various LEAF projects. Kenneth Hadley PC Network Specialist / Network-PC Systems Administrator McCormick Selph Inc. [EMAIL PROTECTED]
Re: [Leaf-user] OpenSSL and fswcert
Hmm. I follow your suggestion about maintaining certs on a separate system. Actually, that is my intent but it looked like OpenSSH was going to be necessary to do the format changing (DER, pem etc.). I've found a compiled Windows version and, since I'll be maintaining certs on a Windows system, I think I'll use that. That only leaves fswcert (used to extract the key and DN and to format the result suitable for .secrets file). Would you be so kind as to post (or email me if you don't want to post for some reason) the fswcert compiled for DCD? OpenSSL and fswcert compiled to run under Dachstein are now available (as certools.tgz) from the IPSec 1.91 page of my website: http://lrp.steinkuehler.net/Packages/ipsec1.91.htm I have verified the programs run under Dachstein (so no odd libraries are required), but I don't do much work with certificates, so I don't know if they need any other external utilities to do their thing, but I think they're both self-contained, and should work without issue... Please verify they do (or don't) work for you, when you get a chance to test them. Charles Steinkuehler http://lrp.steinkuehler.net http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
RE: [Leaf-user] OpenSSL and fswcert
Will advise... Many, many thanks (again), kind sir. Keith Laidlaw Manager of Engineering Dakins Engineering Group Ltd. tel: (905) 814-6024 fax: (905) 814-6029 -Original Message- From: Charles Steinkuehler [mailto:[EMAIL PROTECTED]] Sent: Friday, January 18, 2002 12:11 PM To: Keith Laidlaw; LEAF Subject: Re: [Leaf-user] OpenSSL and fswcert Hmm. I follow your suggestion about maintaining certs on a separate system. Actually, that is my intent but it looked like OpenSSH was going to be necessary to do the format changing (DER, pem etc.). I've found a compiled Windows version and, since I'll be maintaining certs on a Windows system, I think I'll use that. That only leaves fswcert (used to extract the key and DN and to format the result suitable for .secrets file). Would you be so kind as to post (or email me if you don't want to post for some reason) the fswcert compiled for DCD? OpenSSL and fswcert compiled to run under Dachstein are now available (as certools.tgz) from the IPSec 1.91 page of my website: http://lrp.steinkuehler.net/Packages/ipsec1.91.htm I have verified the programs run under Dachstein (so no odd libraries are required), but I don't do much work with certificates, so I don't know if they need any other external utilities to do their thing, but I think they're both self-contained, and should work without issue... Please verify they do (or don't) work for you, when you get a chance to test them. Charles Steinkuehler http://lrp.steinkuehler.net http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
Re: [Leaf-devel] Re: [Leaf-user] glibc pppoe...
Kenneth Hadley PC Network Specialist McCormick Selph Inc. 831-637-3731 x363 [EMAIL PROTECTED] - Original Message - From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, January 18, 2002 11:18 AM Subject: Re: [Leaf-devel] Re: [Leaf-user] glibc pppoe... On Fri, 18 January 2002, Kenneth Hadley wrote: - Original Message - From: Charles Steinkuehler Well, I *have* effectively abandoned the 1440 floppy format (for anything other than the config floppy for a CD-ROM install), but I really want to keep a workable firewall running on a 1680K floppy. Note the new Dachstein releases are actually *SMALLER* than the previous EigerStein releases, while supporting more features! Charles Steinkuehler For which many of us are very grateful for your work Charles. Except for a config I'm under the opinion that the floppy is dead. In computer technology it's a stagnant dinosaur whose time for retirement has long been late, however its reliability and being available on almost every PC has made it live on much longer than it should. If the advancement of the various projects in LEAF means goodbye to the floppy, then so be it. I look forward to all further improvements in all the various LEAF projects. Kenneth Hadley I like to have the floppy configuration available. While it is 'old' technology, there remain many who cannot afford flash w/ide adaptors, etc. Since I have inherited several older systems, it costs me little to nothing to set one up for someone. And while one or two have CD Rom drives, all have floppy drives. If they had to buy a flash or DOC, then they might as well buy a Linksys. With the LEAF floppy systems, I have found that half the folks get more interested in networking and Linux, which I regard as a plus.
-sp $0.02 I totally understand and agree with most of what you have said, but when I look at new CDROM drives going for the same price tag of a new 1.44MB Floppy Drive it seems more than a little funny that an old floppy drive is a more important media target for a project than something that is a lot more reliable and allows the project to do so much more. Of course this is just my .02 cents worth...and about a $1.98 short of something that makes sense ;-) -Kenneth Hadley
Re: [Leaf-user] glibc pppoe...
On Friday 18 January 2002 13:21, Charles Steinkuehler wrote: Well, I *have* effectively abandoned the 1440 floppy format (for anything other than the config floppy for a CD-ROM install), but I really want to keep a workable firewall running on a 1680K floppy. Note the new Dachstein releases are actually *SMALLER* than the previous EigerStein releases, while supporting more features! So you're saying that Dachstein floppy is the last of its kind in your development? I find that saddening, but I do understand! Not at all! All I'm saying above, is that I plan on going forward with the 1680K floppy format, rather than the 1440K disks. Well, duh! Shows how well my public education encouraged me to read thoroughly! I feel much better now. The scary part is I teach a telecom class for the Tech College here maybe I can get a seeing-eye dog to read for me! -- ~Lynn Avants aka Guitarlynn guitarlynn at users.sourceforge.net http://leaf.sourceforge.net If linux isn't the answer, you've probably got the wrong question!
Re: [Leaf-user] remote access to dachstein
At 2002-01-18 10:25 +, Julian Church wrote: That was me actually, and it really isn't that hard. A standard Dachstein 1680K floppy has about 275KB of free space anyway, while libz.lrp and sshd.lrp total around 330KB - you've only got to find about 55 KB. Here's exactly what I did: If anyone thinks I should flesh this out into a howto, just let me know. Julian, Please do. When you're ready submit it in the DocManager. Thanks. https://sourceforge.net/docman/new.php?group_id=13751 -- Mike Noyes [EMAIL PROTECTED] http://leaf.sourceforge.net/
Re: [Leaf-user] Suspicious 'last'
On Friday 18 January 2002 12:18, you wrote: Hey Jon, I can't say for sure, but these three look too similar to be co-inkydinks:

USER  TTY    PID   TIMEON  FROM
root  ttyp0  1532  21794   UNKNOWN
root  ttyp0  1540  21791   10.*.*.*
root  ttyp0  1554  21785   10.*.*.*

Don't you think there's some similarity? It's difficult to get those so sequential, wouldn't you think? Could the unknown be from a login that didn't finish for some innocent reason? Matt

Hi Matt, and thanks for the response :) similar..? -well yeah, now that you mention it, they *do* look kind of the same (both pid, and time-on -wise). Especially when compared to the rest of the entries :P Also I talked some more with Jan, and as it turns out he *was* doing some stuff that morning. So I should ask if he had some login fail at some point... Guess I could have looked a little closer before posting :( I just got pretty upset, 'cause I've never seen an 'unknown' come up like that before. And as I said, I'm pretty new to fw-building, and as such naturally paranoid. There are enough 'unknowns' (pun intended) for me in dealing with all this stuff, as it is. Thanks though. I haven't seen anything on the inside that suggests a breach, so I think it's probably o.k. Now, about that other stuff I was going to ask about, now that I've come out in the open... I'll post ;) Jon
Re: [Leaf-user] remote access to dachstein
Julian Church wrote: Hi All At 13:35 17/01/02 -0800, Victor McAllisteer wrote: There was a post here recently from someone who got libz.lrp and sshd.lrp to fit on a single floppy. He stripped the pretty version of weblet and used one without graphics if I remember correctly. Unfortunately the search feature does not appear to work on the list so I can't find the message. That was me actually, and it really isn't that hard. A standard Dachstein 1680K floppy has about 275KB of free space anyway, while libz.lrp and sshd.lrp total around 330KB - you've only got to find about 55 KB. Here's exactly what I did: 1. In /var/sh-www/, I deleted lrpStat.jar, the weblet's java-based bandwidth monitor, and netmon.html, the html document that's used to display it. To keep things neat and tidy, I then opened up index.html and edited out the resulting broken link to netmon.html. Didn't anyone notice Charles has a weblet-tiny package on his website which doesn't include the bandwidth monitor? snip 3. Then, I backed up. Weblet.lrp reduced in size from about 67 K to about 18 K, Which is the size of the weblet-tiny package. 4. I still didn't have room for the ssh key generator program, sshkey.lrp, on the floppy so had to install it manually after boot. Once the key is generated though, you don't need it any more so there isn't actually much point in trying too hard to fit it on the boot floppy in any case. Instructions for this part are at http://leaf.sourceforge.net/devel/jnilo/openssh.html. If you still don't have enough space you may want to try my lshd and/or udhcpd package at: http://leaf.sourceforge.net//devel/ewaldw/packages/ lsh is a smaller replacement for openssh and udhcpd is a smaller replacement for the regular dhcpd. If you're running dhcpd on multiple interfaces it will be hard or impossible to use this udhcpd package. Ewald Wasscher
Re: [Leaf-user] remote access to dachstein
Please do flesh it out! It is good to share one's knowledge. Thank you for offering to flesh it out. Larry Platzek [EMAIL PROTECTED] On Fri, 18 Jan 2002, Julian Church wrote: Date: Fri, 18 Jan 2002 10:25:58 + From: Julian Church [EMAIL PROTECTED] To: leaf-user [EMAIL PROTECTED] Subject: Re: [Leaf-user] remote access to dachstein Whole bunch of text deleted. If anyone thinks I should flesh this out into a howto, just let me know. cheers Julian -- [EMAIL PROTECTED] www.ljchurch.co.uk
RE: [Leaf-user] Diald, ppp and firewall rules
I'm a little confused about how to set up the network.conf to work with diald and ppp. Diald sets up a proxy interface called 'sl0' to monitor for network traffic. This is the default route until diald starts up ppp. Then the default route switches to 'ppp0'. My question is how does someone set up the rules to apply to both sl0 and ppp0, especially when ppp0 won't exist at the time the rules are setup?

I can't recall any reports of diald being used with any of the mountain versions of LEAF/LRP, so you may be exploring new ground. In general, however, you use the IF_AUTO and IF_LIST variables in network.conf to configure your interfaces. For example, you could use:

IF_AUTO = eth0 sl0
IF_LIST = $IF_AUTO

This automatically starts sl0, but leaves diald in charge of configuring ppp0.

Do I need to use ip-up and ip-down scripts to change the firewall rules depending upon the state of sl0 and ppp0? Does anyone know how I might use network.conf with ip-up and ip-down?

Normally, a script in /etc/ppp/ip-up.d starts the firewall when ppp0 comes up. Perhaps someone more familiar with the Dachstein scripts can tell you how to use the built-in firewall functions for ppp0 without restarting the ppp0 interface. It might be easier to use a separate firewall package like seawall or echowall.

Thanks for the help! Mark

Good luck! -Richard
[leaf-user] Memory, Floppy-Drive or other problem
Hi,

I'm having some problems with my dachstein diskimage firewall. It refuses to load, backup etc. The error I generally get is:

    Segmentation fault.

Another thing I see quite often when loading my lrp modules like etc, dhclient etc. is:

    unable to handle kernel paging request at virtual address

I first guessed that it was the floppy drive, because it was quite old. So I replaced it with a brand new floppy drive. I tried setting it up again, but I get the same problems. My other guess: the memory simms are old/broken etc. I moved some simms out of it and tried some others.

Can anyone explain to me what these error messages mean, and what could cause them? Is it the floppy drive, the simms or some other wacky problem???

Thanks for suggestions,

Gr Joris
Re: [Leaf-user] oxygen + snort + kernel panic
dyp wrote:

> Hi!
>
> I am using Oxygen May 2000 and snort 1.8. The router routes the packets when snort is not installed. But when snort is up, I get the following message and the system hangs. None of the special keys work.
>
> error message:
>
>     $ kernel panic: skput: over c014e7cb : 1006 put : 1006 dev : eth0 In swapper task - not syncing.
>
> I get the same error message when I have ipchains turned on. It would be great if anyone could suggest a solution.
>
> Thanks,
> Dharmin.

I think something's wrong with David's SF email account, or something, because he's not been around in a bit. Anyway, I'd suggest you upgrade Oxygen to 1.8.0, which is a supposedly stable release. Pair that with the latest snort in his package directory and see what happens. If it doesn't work, try out Dachstein.

Matthew
Re: [leaf-user] Memory, Floppy-Drive or other problem
> I'm having some problems with my dachstein diskimage firewall. It refuses to load, backup etc. The error I generally get is:
>
>     Segmentation fault.
>
> Another thing I see quite often when loading my lrp modules like etc, dhclient etc. is:
>
>     unable to handle kernel paging request at virtual address
>
> I first guessed that it was the floppy drive, because it was quite old. So I replaced it with a brand new floppy drive. I tried setting it up again, but I get the same problems. My other guess: the memory simms are old/broken etc. I moved some simms out of it and tried some others.

You're running out of memory. Some of your memory may also be bad. You need at least 12 Megs to run the floppy disk version of Dachstein, and I suggest running with 16 Meg.

You can test your memory using a program called memtest86: http://www.teresaudio.com/memtest86/

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
Re: [Leaf-user] floppy base (wasglibc pppoe... )
On Fri, 18 January 2002, Kenneth Hadley wrote:

> > If they had to buy a flash or DOC, then they might as well buy a Linksys. With the LEAF floppy systems, I have found that half the folks get more interested in networking and Linux, which I regard as a plus.
> >
> > -sp $0.02
>
> I totally understand and agree with most of what you have said, but when I look at new CDROM drives going for the same price tag of a new 1.44MB Floppy Drive it seems more than a little funny that an old floppy drive is a more important media target for a project than something that is a lot more reliable and allows the project to do so much more. Of course this is just my .02 cents worth... and about $1.98 short of something that makes sense ;-)
>
> -Kenneth Hadley

I restate and throw in a nickel. :)

I am not that far removed from when $15.00 in non-food/living expenses was an event to be planned for. Then the options were to be selected, let's see... save for monitor, sound card, cpu upgrade, car repair :) Please, no tangents about affordability, job, poor, etc. :0 Through study, hard work and LUCK I improved my lot in life, but I know others who have not hit that 'luck' mark yet. ;)

I like the idea of a more powerful and flexible system available on CD, with config files on a floppy, BUT I think that maintaining a simpler floppy base distribution is a good goal (even 1.68MB). It enforces build discipline (i.e., no wasted crap on base installs) and it provides a usable/affordable solution for the majority of people setting this stuff up. Those on this list with DMZs and ipsec tunnels, etc. are not the probable majority of users. (Could be wrong, this is an opinion.) They just want to set up something that firewalls systems.

People have been marching the floppy drive's death for years now, and it still ends up a practical tool. (Hell, corporate installs of OSes.) When something as cheap and as good/better becomes available, then the floppy will die. Burnable CD-ROMs are getting there, but not as ubiquitous yet.

-sp
Re: [Leaf-devel] Re: [Leaf-user] glibc pppoe...
At 11:44 AM 1/18/02 -0800, Kenneth Hadley wrote:

[...]

> I totally understand and agree with most of what you have said, but when I look at new CDROM drives going for the same price tag of a new 1.44MB Floppy Drive it seems more than a little funny that an old floppy drive is a more important media target for a project than something that is a lot more reliable and allows the project to do so much more.

Where do you look? *New* CD-ROM drives are pretty cheap ... $US30 in today's ads around here ... but not as cheap as *new* floppy drives ($US10, same ad) by a lot. Do you know better sources for new equipment?

Anyway, unless you make a custom CD, you need a CD -AND- a floppy, not a CD -OR- a floppy.

The other issue for the home user working with CDs is that he or she needs a burner, and they are more expensive ($US50 locally today), require a separate system to run them, and are more finicky than even 1680 floppy drives and disks.

I'm moving away from this low-end equipment myself, but I still think we'll lose a lot of user interest if floppy-only systems become impractical.

--
"Never tell me the odds!" --- Han Solo
Ray Olszewski
Palo Alto, CA [EMAIL PROTECTED]
Re: [Leaf-user] floppy base (wasglibc pppoe... )
> I like the idea of a more powerful and flexible system available on CD, with config files on a floppy, BUT I think that maintaining a simpler floppy base distribution is a good goal (even 1.68MB). It enforces build discipline (i.e., no wasted crap on base installs) and it provides a usable/affordable solution for the majority of people setting this stuff up. Those on this list with DMZs and ipsec tunnels, etc. are not the probable majority of users. (Could be wrong, this is an opinion.) They just want to set up something that firewalls systems.

Agreed... especially the point about floppy use enforcing build discipline. IMHO, it should continue to be possible to create a firewall system that functions on a single floppy, with perhaps two floppies (or other larger media) required for more advanced setups (i.e. sshd, IPSec gateway).

> People have been marching the floppy drive's death for years now, and it still ends up a practical tool. (Hell, corporate installs of OSes.) When something as cheap and as good/better becomes available, then the floppy will die. Burnable CD-ROMs are getting there, but not as ubiquitous yet.

Many folks have predicted the death of removable magnetic media incorrectly. CD-Rs have the floppy beat for size, speed, price-per-bit, and possibly even overall cost (IIRC, a floppy disk and a CD-R cost about the same), but floppies still win for general usefulness, and the drives are cheaper. If you look at CD-RW (a more apples to apples comparison), the floppy is still a fair amount cheaper in everything but cost per bit.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
[Leaf-user] Announcement: LEAF 2.4.16 + Shorewall 1.2.2
With the help of Eric Wolzak I have updated my LEAF 2.4.x / Shorewall based distro. Many new features are available on the floppy:

a. Kernel 2.4.16 now used. New kernel config file. Includes in particular support for PCMCIA, PPP, PPP/PPPoE, ISDN, USB and bridging.
b. Uses shorewall 1.2.2, allowing among many other things traffic shaping and blacklisting.
c. Pump (0.8.11-3) used as the default DHCP/BOOTP client to save disk space (dhclient.lrp still OK).
d. Networking script now fully debian/sid compatible. Dachstein's /etc/network.conf, /etc/ipchains.conf and /etc/init.d/network files/scripts completely removed.
e. ifconfig (1.4.2) and ifupdown (0.6.4) available.
f. New applets in bbox library (0.60.2).
g. New version of iproute2 (010824). tc patched to allow for the HTB queuing discipline.
h. Bridge now available as a separate package. Provides brctl from bridge-utils (0.9.4).
i. ppp.lrp and pppoe.lrp provided in the standard distro for serial/modem and adsl/pppoe connections. pppoe.lrp provides the PPPoE 2.4.16 kernel plugin. The ppp daemon is the 2.4.1 version patched for kernel mode PPPoE available here.
j. pon, poff and plog scripts provided in ppp.lrp for ppp on demand.
k. weblet.lrp modified to handle iptables output. Does not need netstat anymore.

Also a user's guide is available. Check: http://leaf.sourceforge.net/devel/jnilo

Enjoy!

Jacques
Eric
Re: [Leaf-devel] Re: [Leaf-user] glibc pppoe...
32x cd rom drive at Computer geeks $14.00

Ray Olszewski wrote:

> At 11:44 AM 1/18/02 -0800, Kenneth Hadley wrote:
>
> [...]
>
> > I totally understand and agree with most of what you have said, but when I look at new CDROM drives going for the same price tag of a new 1.44MB Floppy Drive it seems more than a little funny that an old floppy drive is a more important media target for a project than something that is a lot more reliable and allows the project to do so much more.
>
> Where do you look? *New* CD-ROM drives are pretty cheap ... $US30 in today's ads around here ... but not as cheap as *new* floppy drives ($US10, same ad) by a lot. Do you know better sources for new equipment?
>
> Anyway, unless you make a custom CD, you need a CD -AND- a floppy, not a CD -OR- a floppy.
>
> The other issue for the home user working with CDs is that he or she needs a burner, and they are more expensive ($US50 locally today), require a separate system to run them, and are more finicky than even 1680 floppy drives and disks.
>
> I'm moving away from this low-end equipment myself, but I still think we'll lose a lot of user interest if floppy-only systems become impractical.
>
> --
> "Never tell me the odds!" --- Han Solo
> Ray Olszewski
> Palo Alto, CA [EMAIL PROTECTED]
Re: [Leaf-user] floppy base (wasglibc pppoe... )
[snip]

> Agreed... especially the point about floppy use enforcing build discipline. IMHO, it should continue to be possible to create a firewall system that functions on a single floppy, with perhaps two floppies (or other larger media) required for more advanced setups (i.e. sshd, IPSec gateway).

And (again) the point that: what isn't there, can't be hacked. A firewall is *the* security component in many systems; keep it small, keep it simple.

Mark
[Leaf-user] dachstein and port forwarding (again)
earlier...

> I am running the most recent version of dachstein, and i cannot figure out how to forward ports (most notably port 80) to machines on my internal net. i.e. send http request on port 80 to [static ip] and have the firewall send the request to [internal webserver] while still looking like it came from [static ip].

...

on the advice of guitarlynn, i un-commented these lines in network.conf:

    EXTERN_TCP_PORT0=0/0 www

and

    INTERN_WWW_SRVER=192.168.1.11

and it doesn't work... the internal webserver is accessible on the internal network, the router is nat'ing packets just fine (i'm writing this email from behind it) and... yeah... i don't know what more information you need from me, but let me know what you do need. if you have any idea what's wrong, i'd appreciate the help :]

thanks again

-david goodrich
Re: [Leaf-user] many packets, different T
Folks,

Since I posted my earlier message, I have begun to see this kind of thing repeatedly. For the past 24 hours, my logs contain over 1000 lines of such packets! By that I mean, if I discard all lines that are identical to one another except for the T= field, my file goes from 1177 denied packets to 47 denied packets. They are NOT all port 111 packets -- some are port 111, some are port 22, port 21, port 53, and port 0 (PROTO 1). And they seem to have many different source IPs as well. I have NEVER seen anything like this over the past year.

I changed from ES2B to D-floppy about two weeks ago. I have rebooted since these started. Is it possible that I have a bug somewhere and these log entries are all from the same packet? Is it possible that someone on my cable subnet is doing something bad to me?

> Folks,
>
> I have begun receiving (and denying) long sequences of packets and I am wondering what is going on. I am running Dachstein 1.0.2 floppy on a 486/33 with 16MB. VERY nice! Thanks Charles and so many others. I am on a cable connection with Adelphia, from which I generally get good service.
>
> Starting several days ago I began receiving long sequences of packets. For example, I received the following:
>
>     Jan 17 10:27:25 boxer kernel: Packet log: input DENY eth0 PROTO=6 65.103.98.68:2240 24.51.134.147:111 L=60 S=0x00 I=4296 F=0x4000 T=39 SYN (#62)
>
> This packet is suspicious in itself, but I also received 38 more like it with the same time stamp (10:27:25), identical in all fields except the T= field. That one contained the numbers 1-38 for each of the other packets. They appear in order, decreasing from 39 to 1, in /var/log/messages.

--
Mike Sussman [EMAIL PROTECTED]
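The collapsing Mike describes (discarding log lines that are identical except for the T= field) and a check for whether the surviving TTLs form an unbroken 1..N run, as an added example that is not part of the post or of Dachstein. The sample lines are constructed from the quoted log line; 192.0.2.10 is a documentation address, not from the post.

```python
"""Collapse ipchains 'Packet log:' lines that differ only in the T= (TTL) field."""
import re
from collections import defaultdict

# Field layout of an ipchains kernel log line as quoted in the post. The syslog
# prefix (timestamp, host) is kept so lines logged at different times never merge.
LOG_RE = re.compile(
    r"^(?P<stamp>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: Packet log: "
    r"(?P<chain>\S+) (?P<verdict>\S+) (?P<dev>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=(?P<tos>0x[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=(?P<frag>0x[0-9a-fA-F]+) T=(?P<ttl>\d+)(?P<rest>.*)$"
)

def parse(line):
    """Named fields of one log line, or None if it is not an ipchains packet log."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def collapse(lines):
    """Group lines identical in every field but TTL: {other-fields-key: sorted TTLs}."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # not a packet log line (other kernel/syslog noise)
        key = tuple(sorted((k, v) for k, v in rec.items() if k != "ttl"))
        groups[key].append(int(rec["ttl"]))
    return {k: sorted(v) for k, v in groups.items()}

def is_ttl_run(ttls):
    """True if the TTLs form an unbroken 1..N sequence, i.e. one TTL-stepping
    (traceroute-style) probe rather than N independent connection attempts."""
    return len(ttls) > 1 and ttls == list(range(1, len(ttls) + 1))

def summarize(lines):
    """One row per distinct packet: (src, 'dst:dport', line count, ttl_run?)."""
    rows = []
    for key, ttls in collapse(lines).items():
        f = dict(key)
        rows.append((f["src"], f"{f['dst']}:{f['dport']}", len(ttls), is_ttl_run(ttls)))
    return rows

# Constructed sample: the post's line with T=39 down to T=1, plus one unrelated
# denied packet (192.0.2.10 is a documentation address, not from the post).
TEMPLATE = ("Jan 17 10:27:25 boxer kernel: Packet log: input DENY eth0 PROTO=6 "
            "65.103.98.68:2240 24.51.134.147:111 L=60 S=0x00 I=4296 F=0x4000 T={} SYN (#62)")
SAMPLE = [TEMPLATE.format(t) for t in range(39, 0, -1)] + [
    "Jan 17 10:31:02 boxer kernel: Packet log: input DENY eth0 PROTO=6 "
    "192.0.2.10:4011 24.51.134.147:22 L=60 S=0x00 I=7 F=0x4000 T=52 SYN (#62)",
]

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```

Run against /var/log/messages, the 40 constructed lines reduce to two rows, and the 39-line group is flagged as a TTL run; a plain flood of separate connection attempts would not be.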
[Leaf-user] DCD PPPoE documentation needs fixing
Kenneth, the documentation here has an error: http://leaf.sourceforge.net/devel/khadley/pppoe-cd.html

    7) Uncomment the modules you need for your NICs and add this to your /etc/network.conf:
       # Serial Support
       slhc
       ppp
       ppp_deflate
       bsd_comp

    7) Uncomment the modules you need for your NICs and add this to your /etc/modules
                                                                           ^^^
       # Serial Support
       slhc
       ppp
       ppp_deflate
       bsd_comp

I have a friend who is trying to migrate from Eigerstein PPPoE to DCD PPPoE and this drove him nuts.
Re: [Leaf-user] Announcement: LEAF 2.4.16 + Shorewall 1.2.2
From: [EMAIL PROTECTED]

> Does USB support include networking? My brother-in-law has DSL, but the modem he got with the service is USB only, and the service uses PPPoE on top of that. Will this let me finally share his connection out to the rest of the house?

USB networking should work. Obviously we have not been able to test every DSL/modem combination and we have not tested USB in particular. But I am definitely interested in helping you to set that up (send me your modem reference and some info on your ISP connection characteristics) in order to improve the documentation.

> They don't want any wires run, so the plan (if this distro can do it) will be to use the USB DSL modem/PPPoE to connect, and to run the rest of the house wireless. I would have internet connectivity to all of my machines again (moved 3 months ago, and haven't been directly on the internet for that long --- it's killing me), and all would be well with the world. Okay, maybe not with *the* world, but *my* world would be much better. :)

Wireless networking is one of my next priorities. Here again beta testers are welcome!

Jacques