[Leaf-user] Re: multi ip port forwarding (to:bela)

2002-01-21 Thread GREGOR

hi all,

>Ray Olszewski writes:

> they both resolve, as follows: 
> 
> inf.uajy.ac.id  = 202.149.81.61
> mail.uajy.ac.id = 202.149.81.55

yes it's true. 

> collier:/usr/src/linux# host 202.149.81.61
> 202.149.81.61 does not exist, try again
> collier:/usr/src/linux# host 202.149.81.55
> 202.149.81.55 does not exist, try again 
> 
> This is a DNS problem that should be fixed. It might be causing some of your

i have asked the person in charge about this problem but still no answer 
yet. 


> inf=61 *is* ping'able from here, but mail=55 is *not (times out)

hmmm that's strange, mail=55 should be ping'able. After reading your 
review I gave it a try using my dial-up connection, and the result: 
mail=55 was ping'able.

> My browser returns home pages of both addresses: 
> 
> http://202.149.81.61/   =   "Teknik Informatika"
> http://202.149.81.55/   =   "UAJYWebmail"

these are also right. 

> Given the differences between my results and yours, I can only suggest that
> you report the conditions of your tests more completely. 
> 

right now 202.149.81.61 and 202.149.81.55 are running behind separate 
firewalls. I'm saying that each of them has its own firewall. I want to 
have only one firewall box for all of my servers, so I'm doing an experiment 
with DCD.
Sometimes, to find out whether my DCD is working or not, I switch the cables 
between the old firewall and my experimental DCD. If the DCD doesn't seem to 
work properly I switch the cables back to the old firewall.
The following is my latest network.conf configuration based on Bela's and 
Charles' advice. But I think there's something wrong with it. After 
reloading network, no ipmasqadm rules were listed when I did *svi network 
ipfilter list portfw*, and in the ipchains input list there's a rule to deny 
packets coming from my external IP range (202.149.81.48/28). That's not 
good; how do I stop it from showing? Which line in ipfilter.conf should I 
comment? 

 
###
# Extended firewall configuration scripts
# By Charles Steinkuehler
# Version 1.3.2
# September 29, 2001
 
###
# Brief instructions for this file
 
###
#
# VERBOSE=(YES/NO)  Default: Yes
# Be verbose about settings.
#
# MAX_LOOP=(int)Default: 10
# Maximum number of incrementable entries to search for.
# IE: If you create a DNS7=, and MAX_LOOP=7, it will not be reached.
# (DNS0 - DNS7 == 8 entries)
# Setting this value too high will decrease the speed of the configuration
# system.
#
# IPFWDING_KERNEL=(YES/NO/FILTER_ON)Default: NO
# Enable IP forwarding in the kernel.  FILTER_ON means forwarding will
# only happen when IP filtering rules are loaded
#
# IPALWAYSDEFRAG_KERNEL=(YES/NO)Default: NO
# Enable IP Global defragmentation in the kernel.
#
# **WARNING** - If this was turned on everywhere in a network of routers,
# it can result in TCP connections failing and TCP connection resets.
#
# ONLY turn this on if the box is a firewall or the single point of
# entry for a network, or an endpoint for port forwarding or a load
# balancer for a WWW server farm.  DO NOT turn this on if the box is a
# conventional router as it breaks the TCP/IP RFCs.  This option is
# needed when using IP NAT, IP masquerading, IP autofw, IP portfw,
# transparent proxying or other kernel operations that intercept a
# packet flow and redirect it.
#
# It is a useful tool when using a packet filtering router to protect
# directly attached ethernet networks of servers as it stops fragment
# attacks on the servers in behind the router. Another use is packet
# filtering router to protect dial-in Internet users on NASes
# (Portmasters, TC racks etc) from various SMB and fragment attacks
# and to redirect all WWW connections into a WWW proxy-caching server.
#
# CONFIG_HOSTNAME=(YES/NO)  Default: NO
# Create /etc/hostname file using HOSTNAME entry.
# Any current hostname file will be **OVERWRITTEN**
#
# CONFIG_HOSTSFILE=(YES/NO) Default: NO
# Create /etc/hosts file using HOSTSx entries.
# Any current hosts file will be **OVERWRITTEN**
#
# CONFIG_DNS=(YES/NO)   Default: NO
# Create /etc/resolv.conf file using DOMAINS and DNSx entries.
# Any current resolv.conf file will be **OVERWRITTEN**
#
# IF_LIST   Default: "$IF_AUTO"
# A space separated list of interfaces that can be ACTIVE on this machine
# This controls which interfaces can be brought up and down manually.
#
# IF_AUTO   Default: "eth0"
# A space separated list of interfaces that get started on boot. Tunneling
# interfaces like CIPE should be after the raw  interfaces they depend on.
# The interfaces are started in the order they occur on the list, a

RE: [Leaf-user] @home to Cox conversion problems

2002-01-21 Thread Jon Pike

"boot up again in Win98 and run "winipcfg" as Michael suggested. Make
note of the default gateway on your NIC. Before closing "winipcfg", you
_must_ "Release all" then shutdown Win98. Boot up Dachstein and 
enter the default gateway you found in "winipcfg" to the line in
network.conf that reads "DEFAULT_GW=www.xxx.yyy.zzz". Now do a 
"svi network reload" and things should be better. 

It seems with Excite out of there that Cox@Home is only giving out one
dhcp lease at a time forcing you to "release" one before getting
another. There have been several cases of this in the last couple of
weeks. The default gateway seems to be more of a regional requirement,
but it wouldn't hurt to enter it in either case."

OK Lynn.. 

Hadn't seen your response yet, when I posted my last.  I tried this
with no result,  then without Win98 successfully getting an IP, it gave
itself the bogus default MS, IP..   Then it wouldn't release that, so
I was down completely for a while. 

I'm about to explore the possibility that the cable modem needs a power
cycle to clear the MAC address, when changing NIC's  AND  the IP release.

I'd normally test and post the results,  but if it takes me down for the 
night..

The other kicker,  it has been stated that the DHCP lease time is four hours,
(?!) so that may be how long I have to wait between changes..  Of course, that's
what they say, according to winipcfg, my current lease is for 24 hours.  This 
after having "dynamic IP" and two IP's in two and a half years..

Let you all know how it goes..

Jon





___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user



Re: [Leaf-user] PPP(oE) standards/Updating port forwarding with dynamic IP CORRECTION

2002-01-21 Thread Tom Atwater


--- Tom Atwater <[EMAIL PROTECTED]> wrote:

> then check 'ipmasq portfw -nl` to see if the port fw IP

That should be

ipmasqadm portfw -nl

=
Tom Atwater
tomath2o.yahoo.com

__
Do You Yahoo!?
Send FREE video emails in Yahoo! Mail!
http://promo.yahoo.com/videomail/




Re: [Leaf-user] PPP(oE) standards/Updating port forwarding with dynamic IP **SUCCESS**

2002-01-21 Thread Tom Atwater

--- "David B. Cook" <[EMAIL PROTECTED]> wrote:
> Well, to test the theory, I modified one of my port forwards and ran the 
> "svi network ipfilter reload" and it indeed reloaded the filters 
> correctly as viewed from the web applet. Thanks Eric/Ewald.
> (Backup /etc for this).
> 
> So, I put the "svi network ipfilter reload" into the /etc/ppp/ip-up file 
> at the end and just before the call to run parts from the ip-up.d 
> directory.
> (Backup ppp for this one).

SUCCESS!

This works!


> Killing the pppd appears to restart a new version and re-run the filters. 
> Also, a reboot appears to be no worse for the wear with this change. I 
> will keep you informed the first time the ISP drops the connection such 
> that it renegotiates the address without my intervention.
> dbc.

I simulate the ISP dropping connection by unplugging the
incoming cable to the DSL modem, then waiting a couple
of minutes until `ip addr show dev ppp0' no longer has
an "inet" line with the extern IP. Plug the cable back in,
then shortly the ip command will show a new 'inet',
then check 'ipmasq portfw -nl` to see if the port fw IP
has changed also.

Many thanks to Ewald, Eric & David for helping to
resolve this issue.

I love the Net! 

Tom


=
Tom Atwater
tomath2o.yahoo.com




Re: [Leaf-user] PPP(oE) standards

2002-01-21 Thread David B. Cook

Well, to test the theory, I modified one of my port forwards and ran the 
"svi network ipfilter reload" and it indeed reloaded the filters 
correctly as viewed from the web applet. Thanks Eric/Ewald.
(Backup /etc for this).

So, I put the "svi network ipfilter reload" into the /etc/ppp/ip-up file 
at the end and just before the call to run parts from the ip-up.d 
directory.
(Backup ppp for this one).

Killing the pppd appears to restart a new version and re-run the filters. 
Also, a reboot appears to be no worse for the wear with this change. I 
will keep you informed the first time the ISP drops the connection such 
that it renegotiates the address without my intervention.
dbc.

On Mon, 21 Jan 2002, Tom Atwater wrote:

> 
> --- Eric Wolzak <[EMAIL PROTECTED]> wrote:
> > > David B. Cook wrote:
> 
> > > >Does this mean that something placed in /etc/ppp/ip-up.d will 
> > > >automatically get run at that time to "fix" it?
> > Yes.
> 
> 
> > with rp-pppoe and with the 2.4 kernel pppoe it is both possible in 
> > /etc/ppp/ip-up or in the /etc/ppp/ip-up.d/ directory.
> 
> I created a script named update_portfw_ip.sh, with the 2 lines
>#!/bin/sh
>/usr/sbin/svi network ipfilter reload
> in the directory /etc/ppp/ip-up.d , did chmod a+x,
> then reset the DSL signal.
> 
> Didn't work.
> The portfw IP as given by `ipmasqadm portfw -nl` is still the old IP,
> and not the new one given by `ip addr show dev ppp0` .
> 
> (It doesn't matter what the script is named does it?
> It automatically runs all scripts marked executable in
> that directory, correct?)
> 
> 
> > BTW if you have dynamically assigned internet addresses, the 
> > firewall could be assigned like that.
> > The portforwarding isn't affected by the external address is it.
> > Your problem with an external connection is that you don't know 
> > the external address after rebooting and so you cannot connect with 
> > your box.
> 
> No, the external address is known, connection
> with the box is fine, problem is only that the 
> IP used by the port forwarding is incorrect.
> 
> > put something like "mail me the new external ip" in ip-up.
> 
> I am not sure how this helps -- you mean to do
> a manual update after I read my email?
> I can do that already by using the weblet to look
> at the viewnet page output.
> I want it to be automatic.
> 
> Thanks for your help Eric,
> Tom
> 
> 
> =
> Tom Atwater
> tomath2o.yahoo.com
> 
> 

-- 
 
David B. Cook, <[EMAIL PROTECTED]>
Linux -- up 12 days because it can.
9:00pm up 12 days, 20:56, 0 users, load average: 0.00, 0.00, 0.00





Re: [Leaf-user] PPP(oE) standards

2002-01-21 Thread David B. Cook

Sorry ... brain fade ... I'm running Dachstein.


On Mon, 21 Jan 2002, Eric Wolzak wrote:

> > David B. Cook wrote:
> > 
> > >Does PPP have it in its specs to renegotiate an IP like DHCP does? Or are 
> > >they forcing a renegotiation by dropping your connection?
> > >
> > >Does this mean that something placed in /etc/ppp/ip-up.d will 
> > >automatically get run at that time to "fix" it?
> Yes.
> >  The following will reload your firewall rules:
> > 
> > svi network ipfilter reload
> > 
> > I don't know where to place this command as I'm totally unfamiliar with 
> > PPPoE. Could you please tell us what diskimage/LEAF distribution you are 
> > using, so that this can be fixed?
> with rp-pppoe and with the 2.4 kernel pppoe it is both possible in 
> /etc/ppp/ip-up or in the /etc/ppp/ip-up.d/ directory.
> 
> BTW if you have dynamically assigned internet addresses, the 
> firewall could be assigned like that.
> The portforwarding isn't affected by the external address is it.
Actually, yes it is. Whether it is part of the PPPoE standard or Sympatico 
accomplishes it by dumping my session forcing a respawn or not, when the 
new address is assigned, all works fine EXCEPT the port forwards because 
they use $EXTERN_IP as the source variable.

> Your problem with an external connection is that you don't know 
> the external address after rebooting and so you cannot connect with 
> your box.
> put something like "mail me the new external ip" in ip-up.
Actually *no* on this count. I am updating my dyndns.org account 
automatically so I do know what the external IP is. It is definitely the 
port forwards that don't work. 

I was not trying the svi network reload with the "ipfilter" option. I will 
try that and keep you all posted. 

> 
> PPPOE can be seen as "just normal pppd only over a different 
> interface  ; )
> 
> Good Luck 
> 
> Wanting to try kernel pppoe (kernel 2.4.16)
> get our image at jacques nilos page 
> (end of advertisement  ;)  )
> 
> Eric Wolzak
> 
> http://leaf.sf.net/devel/ericw
> 

-- 
 
David B. Cook, <[EMAIL PROTECTED]>
Linux -- up 12 days because it can.
8:30pm up 12 days, 20:26, 0 users, load average: 0.00, 0.00, 0.00





[Leaf-user] Dachstein (floppy) passing IPSec ...

2002-01-21 Thread Michael Leone

I'm using Dachstein (floppy). I'd like to use the Cisco Secure client,
on a Win98 station on my LAN, to connect to my Pix at work. I do NOT
want the Dachstein to be one end of the IPSec tunnel; only to pass the
IPSec traffic to my (NATed) workstation. (eventually, when I get the
3DES license for my Pix, I'll want the Dachstein to be an end-point. Not
yet, tho)

1. I'd need to load ip_masq_ipsec on Dachstein, yes?
2. I'd need to open port 50, and port-forward protocol 500? Are there
entries already in Dachstein (/etc/ipfilter.conf?) to do this already,
and just need to be uncommented?

-- 

--
Michael J. Leone  Registered Linux user #201348 
ICQ: 50453890 AIM: MikeLeone

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
PGP public key:


"Sometimes your lack of sympathy gets hard to explain, 
 So on your mask of make-up you just paint a little parody of pain" 
 "When you were young", Del Amitri





Re: [Leaf-user] glibc & pppoe...

2002-01-21 Thread KP Kirchdörfer

On Sunday, 20 January 2002 20:11, Nicolas Riendeau wrote:
> Kim Oppalfens wrote:

> > Yups on http://leaf.sourceforge.net somebody is distributing an
> > image as "proof-of-concept"
>
> I just downloaded it... It SEEMS (s)he got rid libnss_dns.so.1 &
> libnss_files.so.1 (which I guess are not used by Dachstein?) &
> added libnsl-2.1.3.so. The rest SEEMED similar to the mods I had
> done...

mea culpa...

He(!) updated to a Dachstein 1.0.2 based glibc 2.1.3 ISO image.

You might look at
leaf.sourceforge.net/devel/kapeka/lrp-packages.html


regards kp
 




Re: [Leaf-user] Keeping system date upto date

2002-01-21 Thread Patrick Benson

[EMAIL PROTECTED] wrote:

> The trouble is that the router's time gets screwed up, as it doesn't seem
> to get updated when it is 'sleeping'. hence the uptime command is way,
> way off, and worse yet, timestamps on the logs are not accurate either!
> Looking through /etc/lrp.conf, I have seen a setting there for a date
> server that would be connected to in order to get the correct time. Has
> anyone used this? More importantly, can anyone list for me the date
> servers that they use? I have not ever used one of these before, and am
> in the Pacific Timezone. Also, what changes (if any) are required in
> the firewall rules (i.e. are there ports that need to be opened for the
> server(s) )
> 
> Thanks for any replies!

Make a visit to Charles site: 

http://lrp.steinkuehler.net/files/kernels/zoneinfo/

and grab the zone that is closest to your own location. Maybe PST8PDT?
Copy it over the /etc/localtime file on your E2B disk, don't forget to
back it up. Two servers that haven't failed me yet are 132.163.4.101,
132.163.4.102 - they're the first and second time servers in Boulder,
Colorado. Try issuing "rdate -s 132.163.4.101" in the console. If it
worked you're in business. Look in your /etc/crontab and just insert
something like this:

# m h dom mon dow user  command
00 0,6,12,18 * * *   root    rdate -s 132.163.4.101

and it will sync your comp-clock every 6 hrs., round the clock.  :)

Now, Matt had a point about hibernation there...   ;-)

 
-- 
Patrick Benson
Stockholm, Sweden




Re: [Leaf-user] IP RULE LIST

2002-01-21 Thread Charles Steinkuehler

The problem is likely the kernel options.  The diskette version by default
comes with a much smaller kernel, with many advanced features disabled to
save space for the average user.  From the kernel-source README file:

  The "small" kernels are missing the following features of the "normal"
  kernels:

IP: multicasting
IP: advanced router
IP: use FWMARK value as routing key
IP: multicast routing
The IPv6 protocol
IPX: Full internal IPX network
IPX: SPX networking
LAPB Data Link Driver
Bridging
QoS and/or fair queueing
Mouse Support (not serial mice)
Reiserfs support
Support for console on serial port

So...if "ip rule" requires advanced routing to be enabled, it won't work
using the "small" kernel tree.  If you need this functionality, upgrade to a
"normal" or "RAID" kernel.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)


- Original Message -
From: "Reginald R. Richardson" <[EMAIL PROTECTED]>
To: "__Leaf" <[EMAIL PROTECTED]>
Sent: Monday, January 21, 2002 4:41 PM
Subject: [Leaf-user] IP RULE LIST


Charles..

I'm playing around with the Dachstein CD version and the Diskette Version,
when i issue the following command:

ip rule list

on the Diskette version, i get the following error message:

RTNETLINK answers: Invalid argument
Dump terminated

when issued on the Cd version, i get the correct results... can this be a BUG,
i was checking out googles for more information.

seems like they were saying something about ip policy routing was not enabled in
the kernel

let me know, if this is a bug, or me doing something wrong on the diskette
version

thnks

-
Reginald R. Richardson
[EMAIL PROTECTED] on 1/21/2002






[Leaf-user] IP RULE LIST

2002-01-21 Thread Reginald R. Richardson

Charles..

I'm playing around with the Dachstein CD version and the Diskette Version,
when i issue the following command:

ip rule list

on the Diskette version, i get the following error message:

RTNETLINK answers: Invalid argument
Dump terminated

when issued on the Cd version, i get the correct results... can this be a BUG,
i was checking out googles for more information.

seems like they were saying something about ip policy routing was not enabled in
the kernel

let me know, if this is a bug, or me doing something wrong on the diskette
version

thnks

-
Reginald R. Richardson
[EMAIL PROTECTED] on 1/21/2002






[Leaf-user] ICQ 2001 / Sock5

2002-01-21 Thread Reginald R. Richardson

Hello all,
Can someone guide me to where I can find a HOW-TO on how to configure the SOCKS5
package on Dachstein r1.02?

It seems that if I use ICQ with the icq_masq, I can't do file transfer and those
fancy things. I would like to try the socks package; I read somewhere in the
forum that it works great, but I can't seem to find a doc on the
configuration of SOCKS

thnks


-
Reginald R. Richardson
[EMAIL PROTECTED] on 1/21/2002






Re: [Leaf-user] PPP(oE) standards

2002-01-21 Thread Tom Atwater


--- Eric Wolzak <[EMAIL PROTECTED]> wrote:
> > David B. Cook wrote:

> > >Does this mean that something placed in /etc/ppp/ip-up.d will 
> > >automatically get run at that time to "fix" it?
> Yes.


> with rp-pppoe and with the 2.4 kernel pppoe it is both possible in 
> /etc/ppp/ip-up or in the /etc/ppp/ip-up.d/ directory.

I created a script named update_portfw_ip.sh, with the 2 lines
   #!/bin/sh
   /usr/sbin/svi network ipfilter reload
in the directory /etc/ppp/ip-up.d , did chmod a+x,
then reset the DSL signal.

Didn't work.
The portfw IP as given by `ipmasqadm portfw -nl` is still the old IP,
and not the new one given by `ip addr show dev ppp0` .

(It doesn't matter what the script is named does it?
It automatically runs all scripts marked executable in
that directory, correct?)


> BTW if you have dynamically assigned internet addresses, the 
> firewall could be assigned like that.
> The portforwarding isn't affected by the external address is it.
> Your problem with an external connection is that you don't know 
> the external address after rebooting and so you cannot connect with 
> your box.

No, the external address is known, connection
with the box is fine, problem is only that the 
IP used by the port forwarding is incorrect.

> put something like "mail me the new external ip" in ip-up.

I am not sure how this helps -- you mean to do
a manual update after I read my email?
I can do that already by using the weblet to look
at the viewnet page output.
I want it to be automatic.

Thanks for your help Eric,
Tom


=
Tom Atwater
tomath2o.yahoo.com




Re: [Leaf-user] Updating port forwarding with dynamic IP

2002-01-21 Thread Tom Atwater

Hi Ewald,

Thank you for your reply.

--- Ewald Wasscher <[EMAIL PROTECTED]> wrote:
> 
> There is a newer Dachstein-PPPoE package available here:
> 
> http://leaf.sourceforge.net/devel/khadley/

I will check this out if I can't get my existing distro
to work.


> If you use the Eigerstein builtin firewall you should reload/restart the 
> firewall like this:
> 
> svi network ipfilter reload
> 
> The firewall scripts should read the ip-address from the external 
> interface (if properly configured) and adjust the portforwarding 
> accordingly. Tell me if it doesn't work.

Yes, when I run this manually, the 
port fwd IP does indeed update correctly.


> >
> >I tried to add these commands to the Roaring Penguin adsl-connect
> >script that runs when Earthlink changes the dynamic IP,
> >but it didn't work.
> >
> Try adding the "svi network ipfilter reload" instead and see if that works.

I did, but couldn't get it to work.

From what I can gather, the pppd daemon is in a wait state
internally, until it detects the DSL signal is dropped.
Then it exits to the adsl-connect script, which loops back
to call the daemon again (using setsid, which I am not familiar with.)
The daemon reconnects to the new IP, then goes back into wait 
(or polling) state.

Therefore inserting commands in adsl-connect will have no effect.
I only have adsl-connect as a script, pppd is an executable.
So it seems there is nowhere to insert the svi command easily.
Or maybe you have an idea?

Maybe the only solution is to run a cron job that checks
once a minute if the new IP and the port fwd IP are different,
and if so, run svi?

Appreciate your help very much,
Tom

PS. For reference, here are two of the Roaring Penguin scripts:
http://www.mindspring.com/~ath2o/adsl-start.txt
http://www.mindspring.com/~ath2o/adsl-connect.txt

The change I attempted was in adsl-connect, near the 
bottom of the file.



=
Tom Atwater
tomath2o.yahoo.com
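
The once-a-minute check proposed in the message above, written so that the same script can also be called from /etc/ppp/ip-up as the later messages in this thread do. This is an added example, not code from the list or from LEAF: ppp0 and /usr/sbin/svi come from the thread, while the column layout assumed for `ipmasqadm portfw -nl` and both sample outputs are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): reload the firewall only when the
# port-forward rules still carry an address that ppp0 no longer has.

# Constructed sample of `ip addr show dev ppp0` (documentation addresses).
SAMPLE_IP_ADDR='7: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 3
    link/ppp
    inet 203.0.113.7 peer 203.0.113.1/32 scope global ppp0'

# Constructed sample of `ipmasqadm portfw -nl`; the column layout
# (prot, localaddr, rediraddr, lport, rport, ...) is an assumption.
SAMPLE_PORTFW='prot localaddr            rediraddr               lport    rport  pcnt  pref
TCP  198.51.100.20        192.168.1.10               80       80    10    10
TCP  198.51.100.20        192.168.1.11               25       25    10    10'

# Print the first IPv4 address found in `ip addr show` output on stdin.
# Prints nothing while the link is down (no "inet" line).
iface_ip() {
    awk '$1 == "inet" { sub(/\/.*/, "", $2); print $2; exit }'
}

# Print the distinct local addresses used by the forwards on stdin.
portfw_ips() {
    awk '$1 == "TCP" || $1 == "UDP" { print $2 }' | sort -u
}

# Read forward addresses on stdin; succeed (0) if any differs from $1.
# An empty $1 means the link is down, so there is nothing to fix yet.
portfw_stale() {
    current=$1
    [ -n "$current" ] || return 1
    while read -r addr; do
        [ "$addr" = "$current" ] || return 0
    done
    return 1
}

# Compare the live values and reload the filters only on a mismatch,
# so a cron entry running every minute is a no-op most of the time.
check_and_reload() {
    ip_now=$(ip addr show dev ppp0 2>/dev/null | iface_ip)
    if ipmasqadm portfw -nl 2>/dev/null | portfw_ips | portfw_stale "$ip_now"; then
        echo "portfw rules do not match $ip_now, reloading ipfilter" >&2
        /usr/sbin/svi network ipfilter reload
    fi
}

# Only act on a box that actually has the masquerading tools installed.
if command -v ipmasqadm >/dev/null 2>&1; then
    check_and_reload
fi
```

If the ip-up.d directory is processed by a Debian-style run-parts, file names containing a dot are skipped, so install the script without a .sh suffix.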




[Leaf-user] About Proftpd

2002-01-21 Thread sylvain pelletier



hi,
 
I want to set up proftpd but I can't find good documentation.
All examples I saw are anonymous access and I don't want it.
Does somebody know a good link??
 
Thanks
 
Sylvain
 


Re: [Leaf-user] Message log Overflow crashes EigerStein

2002-01-21 Thread Scott C. Best

Stephen:

Heya. Presuming that you're using one of the Dachstein
versions, you need to do 3 things to get "passthru" IPSec
masquerading to work:

1. As Charles said, you need to open UDP-500 and protocol (not
   port) 50.

2. You need to uncomment the "ip_masq_ipsec" line in /etc/modules,
   backup etc, and reboot.

3. You need to use the "ipfwd" utility to forward the IPSec
   connection across your firewall to your target machine. The
   traditional ipmasqadm utility only groks packet types of
   protocol 1 (ICMP), 6 (TCP), and 17 (UDP).

If you get stuck, see the echowall.rules file, in the
IPSEC section.

cheers,
Scott


>>> Do you have an image that is setup to pass IPSEC or do I have to patch
>>> in those modules and rules again.
> >
> >You're in luck.  The Dachstein kernels come pre-patched for VPN-Masquerade,
> >so all you have to do is load the modules, and open a couple ports to get
> >IPSec masquerading working.
>
> Can you provide instructions on which modules to load and which ports to
> open for IPSec masquerading to work ?







Re: [Leaf-user] many packets, different T

2002-01-21 Thread Scott C. Best

Mike:
Heya. Nope, nothing's wrong with your setup; you're
not seeing a bug. You really are seeing all of these deny'd
packets. Someone on your cable subnet may be trying to
crush you with noise, or someone from anywhere on the planet
may have taken interest in your ISP's cable system. No real
way to distinguish the two.

So, in other words, you're doing all you can. Well,
you could contact abuse@yourisp and see if they have any
interest. My experience is that few do: they'll ask what
version of Windows you're running, and then quickly tell you
that they don't support Linux...

-Scott

> Folks,
> Since I posted my earlier message, I have begun to see this kind of
> thing repeatedly.  For the past 24 hours, my logs contain over 1000
> lines of such packets!  By that I mean, if I discard all lines that are
> identical to one another except for the T= field, my file goes from
> 1177 denied packets to 47 denied packets.  They are NOT all
> port 111 packets--some are port 111, some are port 22, port 21,
> port 53, and port 0 (PROTO 1).  And they seem to have many different
> source IP's as well.  I have NEVER seen anything like this over the past
> year.  I changed from ES2B to D-floppy about two weeks ago.  I have
> rebooted since these started.
>
> Is it possible that I have a bug somewhere and these log entries are all
> from the same packet?  Is it possible that someone on my cable
> subnet is doing something bad to me?
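
The comparison described in the quoted message, collapsing denied-packet lines that differ only in the T= (TTL) field, can be run on the log directly. This is an added example, not code from the thread: it assumes the ipchains "Packet log:" line format, ignores the syslog prefix when comparing lines, and uses a constructed sample log with documentation addresses.

```shell
#!/bin/sh
# Added example (not from the thread): collapse ipchains deny-log lines
# that are identical apart from the T= (TTL) field and show the spread.

# Constructed sample: three copies of one packet with different TTLs,
# two unrelated packets, and one line that is not a packet log entry.
SAMPLE_LOG='Jan 21 10:15:02 fw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.44:3312 203.0.113.7:111 L=60 S=0x00 I=41022 F=0x4000 T=52 SYN (#14)
Jan 21 10:15:02 fw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.44:3312 203.0.113.7:111 L=60 S=0x00 I=41022 F=0x4000 T=51 SYN (#14)
Jan 21 10:15:03 fw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.44:3312 203.0.113.7:111 L=60 S=0x00 I=41022 F=0x4000 T=50 SYN (#14)
Jan 21 10:17:40 fw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.9:4100 203.0.113.7:22 L=48 S=0x00 I=9120 F=0x4000 T=113 SYN (#14)
Jan 21 10:18:11 fw kernel: Packet log: input DENY eth0 PROTO=1 192.0.2.80:8 203.0.113.7:0 L=84 S=0x00 I=300 F=0x0000 T=240 (#14)
Jan 21 10:20:00 fw syslogd: -- MARK --'

# Reduce each packet line to a signature: strip the syslog prefix
# (timestamp, host) and replace the TTL value with a wildcard.
packet_signatures() {
    awk 'index($0, "Packet log: ") {
        sub(/^.*Packet log: /, "")
        sub(/ T=[0-9]+/, " T=*")
        print
    }'
}

# Number of logged packets, and number left after collapsing on TTL.
count_logged()   { packet_signatures | awk 'END { print NR }'; }
count_distinct() { packet_signatures | sort -u | awk 'END { print NR }'; }

# One row per signature: count <TAB> TTL values seen <TAB> signature,
# most frequent first.
ttl_spread() {
    awk 'index($0, "Packet log: ") {
        sub(/^.*Packet log: /, "")
        ttl = "?"
        if (match($0, / T=[0-9]+/)) ttl = substr($0, RSTART + 3, RLENGTH - 3)
        sub(/ T=[0-9]+/, " T=*")
        n[$0]++
        if (!seen[$0, ttl]++)
            ttls[$0] = ttls[$0] (ttls[$0] == "" ? "" : ",") ttl
    }
    END { for (s in n) printf "%d\t%s\t%s\n", n[s], ttls[s], s }' | sort -rn
}

# With a log file as argument, print the totals and the per-packet spread.
if [ -n "${1:-}" ]; then
    echo "logged:   $(count_logged < "$1")"
    echo "distinct: $(count_distinct < "$1")"
    ttl_spread < "$1"
fi
```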






Re: [Leaf-user] /devttyS0 error...

2002-01-21 Thread Brad Fritz


On Mon, 21 Jan 2002 12:19:35 CST David Goodrich wrote:

> i'm attempting to run a null-modem cable from my router to my main pc to
> manage my router w/o a monitor & keyboard permanently attached... so as
> instructed in the serial-howto, i typed
> echo "hello world" > /dev/ttyS0
> to test the serial link...it returned
> cannot create /dev/ttyS0: error 19
> i haven't found anything about this error on the web, and was wondering if
> anyone here has had similar experience... thanks

In my experience, that error occurs when trying to use the serial
port when
  a) the kernel doesn't have serial support compiled in, or
  b) the kernel has serial support via kernel modules and
 serial.o hasn't been loaded.

The Dachstein-small kernel in the floppy version of Dachstein
requires the serial.o kernel module to be loaded for serial
support.  It's at
  http://lrp1.steinkuehler.net/files/kernels/Dachstein-small/modules/misc/

I'm not certain about other LEAF kernels offhand.

--Brad


>  -david




RE: [Leaf-user] /devttyS0 error...

2002-01-21 Thread Luis.F.Correia

What is the version you are using?

EigerStein, DachStein, Oxygen?

Please be a little more explicit.

-Original Message-
From: David Goodrich [mailto:[EMAIL PROTECTED]] 
Sent: Monday, January 21, 2002 6:20 PM
To: '[EMAIL PROTECTED]'
Subject: [Leaf-user] /devttyS0 error...


i'm attempting to run a null-modem cable from my router to my main pc to
manage my router w/o a monitor & keyboard permanently attached... so as
instructed in the serial-howto, i typed
echo "hello world" > /dev/ttyS0
to test the serial link...it returned
cannot create /dev/ttyS0: error 19
i haven't found anything about this error on the web, and was wondering if
anyone here has had similar experience... thanks
 -david
__
http://complex.wox.org




Re: [Leaf-user] PPP(oE) standards

2002-01-21 Thread Eric Wolzak

> David B. Cook wrote:
> 
> >Does PPP have it in its specs to renegotiate an IP like DHCP does? Or are 
> >they forcing a renegotiation by dropping your connection?
> >
> >Does this mean that something placed in /etc/ppp/ip-up.d will 
> >automatically get run at that time to "fix" it?
Yes.
>  The following will reload your firewall rules:
> 
> svi network ipfilter reload
> 
> I don't know where to place this command as I'm totally unfamiliar with 
> PPPoE. Could you please tell us what diskimage/LEAF distribution you are 
> using, so that this can be fixed?
with rp-pppoe and with the 2.4 kernel pppoe it is both possible in 
/etc/ppp/ip-up or in the /etc/ppp/ip-up.d/ directory.

BTW if you have dynamically assigned internet addresses, the 
firewall could be assigned like that.
The portforwarding isn't affected by the external address is it.
Your problem with an external connection is that you don't know 
the external address after rebooting and so you cannot connect with 
your box.
put something like "mail me the new external ip" in ip-up.

PPPOE can be seen as "just normal pppd only over a different 
interface  ; )

Good Luck 

Wanting to try kernel pppoe (kernel 2.4.16)
get our image at jacques nilos page 
(end of advertisement  ;)  )

Eric Wolzak

http://leaf.sf.net/devel/ericw





Re: [Leaf-user] Keeping system date upto date

2002-01-21 Thread Matt Schalit

[EMAIL PROTECTED] wrote:
> 
> sadly, my eigerBeta2 based router must operate under some Draconian
> operating parameters (due to it being in the same room as where my wife
> studies for exams) .. hence it must be ultra quiet. I have implemented
> this by using a friend's old (5+ years old!) laptop with the Hard disk
> removed. It does operate without any noise whatsoever, but lately I had
> received complaints about the rather loud fan that would go on
> intermittently (usually I wasn't even using the connection when this
> happened)... I found a setting in the BIOS to drop the laptop into
> a low power state when no activity was detected. ( Yes, I know that a
> router that enters sleep mode after a few minutes is indeed a sad
> beast, but such is my predicament!)
> 
> This works great, no more fan going on, and the power light turns
> yellow from green. No problems with using the network connection, the
> pcmcia cards seem to stay powered on, and as soon as I connect to a
> website on the outside or externally to the router via ssh, it works
> (without any noticeable lag in response time as it 'wakes up').
> 
> The trouble is that the router's time gets screwed up, as it doesn't seem
> to get updated when it is 'sleeping'. hence the uptime command is way,
> way off, and worse yet, timestamps on the logs are not accurate either!
> Looking through /etc/lrp.conf, I have seen a setting there for a date
> server that would be connected to in order to get the correct time. Has
> anyone used this? More importantly, can anyone list for me the date
> servers that they use? I have not ever used one of these before, and am
> in the Pacific Timezone. Also, what changes (if any) are required in
> the firewall rules (i.e. are there ports that need to be opened for the
> server(s) )
> 
> Thanks for any replies!


The definitive source for time servers has always been:

http://www.eecis.udel.edu/~mills/ntp/servers.html

May I suggest a nice variety of Stratum 2 servers?  

I would search around, like the other fellow mentioned, and 
try to hash out the problems of updating your clock. 

Once you get the scripts to work, you have to figure out
a way to run a script when the laptop comes out of hibernation,
but not the rest of the time.  So a cron script that runs
every five minutes would work, but would be too often if you're
not using it and would put too much load on the public ntp servers 
for such a minor problem.  Plus, wouldn't a script bring
the laptop out of hibernation?

Can you just update the OS clock from the BIOS hwclock,
as long as the BIOS clock keeps the correct time during
suspend mode?

If so, you could do that with a cron script that checks
the two to see if they are different once every few minutes
or so.  If they are, it updates the OS clock with the hwclock.
(As long as this doesn't wake the computer out of suspend).

Does that seem to make sense?
Matthew




[Leaf-user] /devttyS0 error...

2002-01-21 Thread David Goodrich

i'm attempting to run a null-modem cable from my router to my main pc to
manage my router w/o a monitor & keyboard permanently attached... so as
instructed in the serial-howto, i typed
echo "hello world" > /dev/ttyS0
to test the serial link...it returned
cannot create /dev/ttyS0: error 19
i haven't found anything about this error on the web, and was wondering if
anyone here has had similar experience... thanks
 -david
__
http://complex.wox.org




Re: [Leaf-user] Keeping system date upto date

2002-01-21 Thread Eric Wolzak

hello ssbiring 

> happened)... I found a setting in the BIOS to drop the laptop into 
> a low power state when no activity was detected. ( Yes, I know that a 
> router that enters sleep mode after a few minutes is indeed a sad 
> beast, but such is my predicament!)

Lucky you, I'm using a computer with a hard disk that is not used at the 
moment (spinning without function ;) I know, disengage the power ;))
> 
> This works great, no more fan going on, and the power light turns 
> yellow from green. No problems with using the network connection, the 
> pcmcia cards seem to stay powered on, and as soon as I connect to a 
> website on the outside or externally to the router via ssh, it works 
> (without any noticeable lag in response time as it 'wakes up').
> 
> The trouble is that the router's time gets screwed up, as it doesn't seem 
> to get updated when it is 'sleeping'. hence the uptime command is way, 
> way off, and worse yet, timestamps on the logs are not accurate either! 
> Looking through /etc/lrp.conf, I have seen a setting there for a date 
> server that would be connected to in order to get the correct time. Has 
> anyone used this? More importantly, can anyone list for me the date 
I use it, but the time server I use is in Europe and not very 
appropriate for you.

I've got two links here at hand:
http://www.linuxsa.org.au/tips/time.html  (Linux Clock and Time)
and public NTP time servers
http://www.eecis.udel.edu/~mills/ntp/servers.htm
Look for one "near" you and try if they respond; then you can 
change the setting.
I am not sure if time is set in regular intervals but even that should 
be no problem. 
> servers that they use? I have not ever used one of these before, and am 
> in the Pacific Timezone. Also, what changes (if any) are required in 
> the firewall rules (i.e. are there ports that need to be opened for the 
> server(s) )
No, as the eigersteinbeta accepts connections initiated from the 
firewall. If not, you'll notice them in your logfile with the number of 
the rule indicating which rule was causing the deny.

> Thanks for any replies!

good luck 
Eric Wolzak

http://leaf.sf.net/devel/ericw





Re: [Leaf-user] IPsec error in logs

2002-01-21 Thread Alec Miller

ack that was it, I was loading the masq_ipsec module when I don't need it.
I am using IPSec as a gateway on the router, not a client.


Thanks


- Original Message -
From: Charles Steinkuehler <[EMAIL PROTECTED]>
To: Alec Miller <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Monday, January 21, 2002 9:32 AM
Subject: Re: [Leaf-user] IPsec error in logs


> Anyone know how to get rid of this error in the logs?  Running IPSec 1.91
> from Charles site on Dachstein CD 1.02.
>
> router kernel: ip_demasq_esp(): Inbound from 65.xx.xx.xx SPI EBC4FE83 has no masq table entry

Hmm...it sounds like a masquerade problem, but you indicate you're running
IPSec on the Dachstein box (not trying to masquerade).  What's the status of
your VPN link (ie is it up & running)?  Did you try to load the
ip_masq_ipsec.o module (do *NOT* load this with the IPSec enabled kernel
which comes by default on Dachstein CD).

More details please...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
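
Added example, not part of the original messages: a small triage helper for the log message discussed above. It counts the "no masq table entry" lines per source address and SPI, and checks lsmod-format text for ip_masq_ipsec, the module the thread found loaded on a box that terminates IPSec itself. The function names, the syslog timestamp prefix and the sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Count "no masq table entry" ESP messages per source address and SPI.
# Reads syslog text from the named files or stdin; prints "count source SPI",
# busiest first.
summarize_esp_misses() {
    awk '
        /ip_demasq_esp\(\): Inbound from/ {
            src = ""; spi = ""
            for (i = 1; i < NF; i++) {
                if ($i == "from") src = $(i + 1)
                if ($i == "SPI")  spi = $(i + 1)
            }
            if (src != "" && spi != "") seen[src " " spi]++
        }
        END { for (k in seen) print seen[k], k }
    ' "$@" | LC_ALL=C sort -k1,1nr -k2,3
}

# Succeed if module $1 appears in lsmod-format text on stdin.
module_listed() {
    awk -v want="$1" '$1 == want { hit = 1 } END { exit !hit }'
}

# $1 = "gateway" (box terminates IPSec itself) or "masq" (box masquerades
# an IPSec client behind it); lsmod output on stdin.
triage() {
    role=$1
    if module_listed ip_masq_ipsec; then loaded=yes; else loaded=no; fi
    case "$role:$loaded" in
        gateway:yes) echo "unload ip_masq_ipsec: this box terminates IPSec itself" ;;
        gateway:no)  echo "module not loaded: look elsewhere" ;;
        masq:yes)    echo "module expected: check which client/SPI has no entry" ;;
        masq:no)     echo "module missing: load ip_masq_ipsec for IPSec masquerading" ;;
        *)           echo "unknown role"; return 2 ;;
    esac
}

# Constructed sample lines (documentation addresses), in the format quoted
# in the thread with a syslog timestamp in front.
SAMPLE_LOG='Jan 21 09:30:01 router kernel: ip_demasq_esp(): Inbound from 198.51.100.7 SPI EBC4FE83 has no masq table entry
Jan 21 09:30:11 router kernel: ip_demasq_esp(): Inbound from 198.51.100.7 SPI EBC4FE83 has no masq table entry
Jan 21 09:31:40 router kernel: ip_demasq_esp(): Inbound from 203.0.113.9 SPI 0A1B2C3D has no masq table entry
Jan 21 09:32:01 router kernel: ip_demasq_esp(): Inbound from 198.51.100.7 SPI EBC4FE83 has no masq table entry'

printf '%s\n' "$SAMPLE_LOG" | summarize_esp_misses
```

On a live router the same functions take `lsmod | triage gateway` and the path of the kernel log file.
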






Re: [Leaf-user] IPsec error in logs

2002-01-21 Thread Netcom

At 09:32 AM 1/21/02 -0600, Charles Steinkuehler wrote:
> > Anyone know how to get rid of this error in the logs?  Running IPSec 1.91
> > from Charles site on Dachstein CD 1.02.
> >
> > router kernel: ip_demasq_esp(): Inbound from 65.xx.xx.xx SPI EBC4FE83 has no masq table entry
>
>Hmm...it sounds like a masquerade problem, but you indicate you're running
>IPSec on the Dachstein box (not trying to masquerade).  What's the status of
>your VPN link (ie is it up & running)?  Did you try to load the
>ip_masq_ipsec.o module (do *NOT* load this with the IPSec enabled kernel
>which comes by default on Dachstein CD).

I've had the same thing with a VPN client I'm using from my Win NT Wrkst
through my LRP to my Corporate's VPN gateway.  I hadn't paid it much mind,
but have attributed it to some type of keep alive from the VPN SW, or the
Windows network at Corp broadcasting the netbios stuff.






RE: [Leaf-user] Keeping system date upto date

2002-01-21 Thread Sergio Morilla

Hi,

This is what I have used.
I could not find the url but it works on my Dachstein Floppy and CD routers.
About time servers, I got mine from a search for "time server" on the net.

Sergio

From: Charles Steinkuehler <[EMAIL PROTECTED]>
Thu 7:21 PM
Subject: Re: [LRP] portsentry/ntp/logging...
To: William Clements <[EMAIL PROTECTED]>, [EMAIL PROTECTED]


Updated April 1, 2001 with new URL's, and new updatetime procedure for LRP
2.9.x users.

> One more...  I have an internal machine acting as an ntp server and
> I'm wondering how I can get lrp to sync from this machine.  I've noticed
> a few posts floating by on this issue, but my understanding of this
> issue is minimal so I require a little more hand-holding...

Well, I don't run psentry, and haven't set up remote logging yet, but I can
help with the time thing.  I posted a nice summary about LRP and timezones
and such a while ago...I thought rick would have stuck this on his site, but
apparently not, so here it is again.

For those keeping score at home, since I posted this, it has been noted that
LRP 2.9.x systems are missing the hwclock command, which can be found on my
site as part of the utilities package (put the binary in /sbin):

http://lrp.steinkuehler.net/files/packages/Utilities/hwclock

Also, LRP 2.9.x distributions don't automatically set the hardware clock to
the current time the way Materhorn/Eiger systems do (since the hwclock
command is missing).  To fix this, replace the updatetime procedure in
/etc/cron.daily/multicron-d with the procedure below:

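Old updatetime routine:

updatetime () {
    [ "$lrp_DATE_SERVER" != "" ] && qt rdate $lrp_DATE_SERVER
}

New updatetime routine:

updatetime () {
    # Pick up the GMT setting (CMOS clock kept in UTC or in local time)
    [ -f /etc/default/rcS ] && . /etc/default/rcS
    [ "$GMT" = "-u" ] && GMT="--utc"
    if [ -n "`ps axc | grep xntpd`" ]; then
        # xntpd is running: just copy the system time to the CMOS clock
        hwclock --systohc $GMT
    else
        # Otherwise set the system time from the date server, then save it
        [ "$lrp_DATE_SERVER" != "" ] \
            && rdate -s $lrp_DATE_SERVER \
            && sleep 2 && hwclock --systohc $GMT
    fi
}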

Finally, it seems that the LRP 2.9.4 date command does not support any of
the fancy formatting commands listed, and doesn't seem to know about
timezones...anyone with a 2.9.4 system want to fill in the missing pieces
for setting up your local time-zone?



I finally have an understanding of how TimeZones, localtime, and the
hardware clock are configured on LRP.  Thanks to Karl for posting how to get
automatic time updates working, which prompted me to (finally) get my
timezone configured properly.  Here's a summary of what I've found:

All unix systems run on UTC, or 'universal' time.  This allows servers from
around the world to communicate with a consistent view of 'time'.  To make
life easy for the local user, the system typically reports times and dates
adjusted to a local time zone.

To further complicate matters, on PC's (typical LRP hardware) the hardware
'CMOS' clock can be set to local time (typical for DOS/WIN machines) or UTC
(typical for unix only machines).  LRP can handle either setting, although I
suggest setting your hardware clock to UTC, as your LRP machine is not
likely to 'multiboot' into DOS or Windows :)

OK, so how do you make it work already?!?

Some useful commands to see if your LRP system is setup properly...

Display local system time:
date

Display UTC time:
date -u

Display current TimeZone:
date +%Z

Display current TimeZone offset from UTC:
date +%z

Display current time from the CMOS clock (no adjustments made for local/UTC
time, so this is the actual CMOS clock setting)
hwclock --show

OK, now to make things work...

To set up the proper timezone, simply replace /etc/localtime with a timezone
file appropriate for your locale.  You can use the timezone files from a
Debian release (in /usr/share/zoneinfo) or download the appropriate
timezone file from my website:

http://lrp.steinkuehler.net/files/kernels/zoneinfo/

Use the date commands above to verify your new zoneinfo file is
working properly (no reboot required).

To define the setting of your CMOS clock (set to UTC or local time), edit
/etc/default/rcS, and set the value of GMT appropriately:

CMOS clock set to UTC
GMT="-u"

CMOS clock set to local time
GMT=""

Finally, as stated previously, to have LRP automatically update your clock
settings to a network clock server, edit /etc/lrp.conf and set
lrp_DATE_SERVER=

NOTE: There are several different time protocols available.  The rdate
command, used by LRP, uses the RFC868 protocol which is usually implemented
as a built-in service of inetd.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)




___
linux-router maillist  -  [EMAIL PROTECTED]
http://www.linuxrouter.org/mailman/listinfo/linux-router
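
Added example, not part of the original messages: what the RFC868 reply that rdate consumes looks like, and a check worth making before stepping the clock from it. The reply is four unauthenticated bytes (seconds since 1900-01-01 00:00 UTC, big-endian, served on port 37), so the sketch decodes it and only accepts an offset within a configured bound; the function names, the 2-second tolerance and the one-day bound are assumptions.

```shell
#!/bin/sh
# Added example (not from the post). Function names and defaults are hypothetical.
RFC868_OFFSET=2208988800   # seconds between 1900-01-01 and 1970-01-01 (UTC)

# Read one 4-byte RFC 868 reply on stdin and print it as Unix time.
# Fails (status 1) on a short or empty reply.
rfc868_to_unix() {
    set -- $(od -A n -t u1 -N 4)
    [ $# -eq 4 ] || return 1
    echo $(( ( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ) - $RFC868_OFFSET ))
}

# Absolute difference between two Unix times, in seconds.
clock_offset() {
    d=$(( $1 - $2 ))
    if [ "$d" -lt 0 ]; then
        d=$(( 0 - $d ))
    fi
    echo "$d"
}

# Classify a reply: args are server_unix local_unix tolerance max_step.
#   in-sync  offset within tolerance, nothing to do
#   step     offset plausible, safe to set the clock (rdate -s, then hwclock)
#   reject   offset larger than max_step; do not trust a single reply
judge_reply() {
    off=$(clock_offset "$1" "$2")
    if [ "$off" -le "$3" ]; then
        echo "in-sync"
    elif [ "$off" -le "$4" ]; then
        echo "step"
    else
        echo "reject"
    fi
}

# Read a reply on stdin and judge it against the local clock.
# Optional args: tolerance (default 2 s) and max_step (default 86400 s).
check_reply() {
    server=$(rfc868_to_unix) || { echo "short-reply"; return 1; }
    judge_reply "$server" "$(date +%s)" "${1:-2}" "${2:-86400}"
}

# Constructed reply: bytes BF F5 D8 80 = 3220560000 seconds since 1900,
# which is Unix time 1011571200 (2002-01-21 00:00:00 UTC).
printf '\277\365\330\200' | rfc868_to_unix
```

A router that sleeps for long periods, as in this thread, needs a max_step larger than its longest expected suspend, otherwise legitimate corrections are rejected.
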







[Leaf-user] Keeping system date upto date

2002-01-21 Thread ssbiring

sadly, my eigerBeta2 based router must operate under some Draconian 
operating parameters (due to it being in the same room as where my wife 
studies for exams) .. hence it must be ultra quiet. I have implemented 
this by using a friend's old (5+ years old!) laptop with the Hard disk 
removed. It does operate without any noise whatsoever, but lately I had 
received complaints about the rather loud fan that would go on 
intermittently (usually I wasn't even using the connection when this 
happened)... I found a setting in the BIOS to drop the laptop into 
a low power state when no activity was detected. ( Yes, I know that a 
router that enters sleep mode after a few minutes is indeed a sad 
beast, but such is my predicament!)


This works great, no more fan going on, and the power light turns 
yellow from green. No problems with using the network connection, the 
pcmcia cards seem to stay powered on, and as soon as I connect to a 
website on the outside or externally to the router via ssh, it works 
(without any noticeable lag in response time as it 'wakes up').

The trouble is that the router's time gets screwed up, as it doesn't seem 
to get updated when it is 'sleeping'. hence the uptime command is way, 
way off, and worse yet, timestamps on the logs are not accurate either! 
Looking through /etc/lrp.conf, I have seen a setting there for a date 
server that would be connected to in order to get the correct time. Has 
anyone used this? More importantly, can anyone list for me the date 
servers that they use? I have not ever used one of these before, and am 
in the Pacific Timezone. Also, what changes (if any) are required in 
the firewall rules (i.e. are there ports that need to be opened for the 
server(s) )

Thanks for any replies!





Re: [Leaf-user] VPN software

2002-01-21 Thread Charles Baker


--- Charles Steinkuehler <[EMAIL PROTECTED]> wrote:
> > Does any one have recommendations for VPN software
> > that works w/ Linux and Windows?
> 
> Depends on exactly what you want to do.  If you want to use Dachstein as a
> VPN gateway, you can easily setup another Dachstein box on the far end, and
> none of the workstation systems (linux or windows) need any special VPN
> software.
> 
> If you have remote users who need access to a network behind a Dachstein VPN
> gateway, you can use any of several IPSec implementations.  I've heard good
> things about SSH Sentinel.  You can also use the MS Built-in IPSec support,
> but configuration can get ugly.  Notes on other systems available at the
> FreeS/WAN web site:

<>

Well actually, there was an article in the Feb 2002
issue of Linux Journal about setting up a wireless
home network. It suggested using VPN technology to
keep unwanted users off the wireless network.
Unfortunately, the article in question is only
available to subscribers on the web site. :-(


=
[EMAIL PROTECTED]
Hacking is a "Good Thing!"
See http://www.tuxedo.org/~esr/faqs/hacker-howto.html




Re: [Leaf-user] 2.2.16/tulip/build How?

2002-01-21 Thread Charles Steinkuehler

> The Dachstein tulip driver doesn't appear to support this.
> I got the most recent  tulip driver from the Becker website (above).
>
> I will attempt to build the tulip module I need from this.
> Then send it to you, if you're interested.
>
> I would appreciate a little advice, if you have a moment.
> My computer is running RedHat  7.2 ( 2.4.7)
> My plan is:
> Download  2.2.16 from kernel.org.
> Put it in  /usr/src/linux-2.2.16.
> make links from  /usr/include/linux  and /usr/include/asm  into the  .16 dirs.
> Run  kgcc  on tulip.c
>
> If that doesn't work, load RH 6.2 (2.2.14) on a  486 box I have
> and repeat the above.
>
> Should one of those produce a module for 2.2.16?

Yes, one of the above should work, although you'll probably have to build
(or at least configure) the kernel first, before the compile of tulip.c will
work.  You'll probably also need to compile pci-scan.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)






Re: [Leaf-user] IPsec error in logs

2002-01-21 Thread Charles Steinkuehler

> Anyone know how to get rid of this error in the logs?  Running IPSec 1.91
> from Charles site on Dachstein CD 1.02.
>
> router kernel: ip_demasq_esp(): Inbound from 65.xx.xx.xx SPI EBC4FE83 has no masq table entry

Hmm...it sounds like a masquerade problem, but you indicate you're running
IPSec on the Dachstein box (not trying to masquerade).  What's the status of
your VPN link (ie is it up & running)?  Did you try to load the
ip_masq_ipsec.o module (do *NOT* load this with the IPSec enabled kernel
which comes by default on Dachstein CD).

More details please...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)






Re: [Leaf-user] Message log Overflow crashes EigerStein

2002-01-21 Thread Charles Steinkuehler

> At 08:13 AM 1/15/02 -0600, Charles Steinkuehler wrote:
> >> Do you have an image that is setup to pass IPSEC or do I have to patch in
> >> those modules and rules again.
> >
> >You're in luck.  The Dachstein kernels come pre-patched for VPN-Masquerade,
> >so all you have to do is load the modules, and open a couple ports to get
> >IPSec masquerading working.
>
> Can you provide instructions on which modules to load and which ports to
> open for IPSec masquerading to work ?

You need to open UDP port 50 (keying traffic), and protocol 50 (ESP) for VPN
data.

You'll also need the ip_masq_ipsec.o module loaded.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)






Re: [Leaf-user] VPN software

2002-01-21 Thread Charles Steinkuehler

> Does any one have recommendations for VPN software
> that works w/ Linux and Windows?

Depends on exactly what you want to do.  If you want to use Dachstein as a
VPN gateway, you can easily setup another Dachstein box on the far end, and
none of the workstation systems (linux or windows) need any special VPN
software.

If you have remote users who need access to a network behind a Dachstein VPN
gateway, you can use any of several IPSec implementations.  I've heard good
things about SSH Sentinel.  You can also use the MS Built-in IPSec support,
but configuration can get ugly.  Notes on other systems available at the
FreeS/WAN web site:

http://www.freeswan.org/freeswan_trees/freeswan-1.91/doc/interop.html

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)






Re: [Leaf-user] Dachstein - Allowing access from DMZ to Internal network?

2002-01-21 Thread Charles Steinkuehler

Use the standard port-forwarding features:

INTERN_SERVERS="tcp__ftp_192.168.1.1_ftp"

Where  is the IP address of your DMZ interface.  DMZ systems can now
connect to this IP/port, and the traffic will be port-forwarded to your
internal net server.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)


- Original Message -
From: "Ryan P. Matijcio" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, January 21, 2002 8:40 AM
Subject: [Leaf-user] Dachstein - Allowing access from DMZ to Internal
network?



This may be a silly question, but I can't find a way to easily do this
within Dachstein's network.conf .  I would like to allow a host on the
DMZ to communicate with a host on the internal network on certain ports.
Is this possible using any of the built in network.conf directives?
After looking through this file I can't find any directive that's
specifically there to facilitate this.

Thanks in advance.

Ryan








Re: [Leaf-user] 2.2.16/tulip/build How?

2002-01-21 Thread Phillip . Watts



Charles,  this from Donald Becker

>That's an ADMtek Comet chip.  Here is the entry in tulip.c
> { "Accton EN1217/EN2242 (ADMtek Comet)", { 0x12161113, 0x },
> TULIP_IOTYPE, TULIP_SIZE1, COMET },
> You should use
>http://www.scyld.com/network/tulip.html
>   ftp://www.scyld.com/pub/network/tulip.c


The Dachstein tulip driver doesn't appear to support this.
I got the most recent  tulip driver from the Becker website (above).

I will attempt to build the tulip module I need from this.
Then send it to you, if you're interested.

I would appreciate a little advice, if you have a moment.
My computer is running RedHat  7.2 ( 2.4.7)
My plan is:
Download  2.2.16 from kernel.org.
Put it in  /usr/src/linux-2.2.16.
make links from  /usr/include/linux  and /usr/include/asm  into the  .16  dirs.
Run  kgcc  on tulip.c

If that doesn't work, load RH 6.2 (2.2.14) on a  486 box I have
and repeat the above.

Should one of those produce a module for 2.2.16?

Thanx very much, phil.






RE: [Leaf-user] VPN software

2002-01-21 Thread Ryan P. Matijcio



I'd be interested to know this as well.  Especially software that can
connect to a Dachstein as a VPN gateway.

Ideas anyone?

Cheers.
R.


-Original Message-
From: Charles Baker [mailto:[EMAIL PROTECTED]] 
Sent: Monday, January 21, 2002 9:42 AM
To: leaf-user
Subject: [Leaf-user] VPN software

Does any one have recommendations for VPN software
that works w/ Linux and Windows?

=
[EMAIL PROTECTED]
Hacking is a "Good Thing!"
See http://www.tuxedo.org/~esr/faqs/hacker-howto.html




[Leaf-user] VPN software

2002-01-21 Thread Charles Baker

Does any one have recommendations for VPN software
that works w/ Linux and Windows?

=
[EMAIL PROTECTED]
Hacking is a "Good Thing!"
See http://www.tuxedo.org/~esr/faqs/hacker-howto.html




[Leaf-user] Dachstein - Allowing access from DMZ to Internal network?

2002-01-21 Thread Ryan P. Matijcio








 

This may be a silly question, but I can’t find a way to easily do this
within Dachstein’s network.conf.  I would like to allow a host on the
DMZ to communicate with a host on the internal network on certain ports.
Is this possible using any of the built in network.conf directives?
After looking through this file I can’t find any directive that’s
specifically there to facilitate this.

Thanks in advance.

Ryan








Re: [Leaf-user] Message log Overflow crashes EigerStein

2002-01-21 Thread Stephen More

At 08:13 AM 1/15/02 -0600, Charles Steinkuehler wrote:
>> Do you have an image that is setup to pass IPSEC or do I have to patch in
>> those modules and rules again.
>
>You're in luck.  The Dachstein kernels come pre-patched for VPN-Masquerade,
>so all you have to do is load the modules, and open a couple ports to get
>IPSec masquerading working.

Can you provide instructions on which modules to load and which ports to
open for IPSec masquerading to work ?


-Thanks
Stephen More





RE: [Leaf-user] Junkbuster

2002-01-21 Thread Kevin

I was using Junkbuster from the Junkbuster web site
(http://www.mwheldon.freeserve.co.uk/documents/Jbuster.htm ) with one
problem, it would not load on a reboot. I built another set of (2) floppy
disks, added the version found below and rebooted. Well Junkbuster loaded
the first boot, however I could never get Junkbuster on the LRP menu system
to edit the config files. I searched the file structure, and the files were
in place, they would even show on the backup scripts.

I spent all day Sunday fighting with two sets of distribution disks (1440
and 1680), trying to get it to work correctly. I even saved both
Junkbuster.lrp files on a windows box, changed .lrp to .gz and used winrar
to open each one to see what was different. Both had different config files
and settings, so I can not figure which one was incorrect.

Has anyone had luck with Junkbuster and auto starting on a reboot? If so,
where did you get the lrp file?

Is there another version that someone has that works correctly?

Thanks

FROM: Jack Coates
DATE: 01/19/2002 19:43:36
SUBJECT: RE:  [Leaf-user] Junkbuster

On 19 Jan 2002, Michael Leone wrote:

> I know there used to be a junkbuster.lrp. I've searched the LEAF page at
> sourceforge, but didn't see it, or a link to it.
>
>

http://www.monkeynoodle.org/lrp/packages/servers

junkbuster and squid are there.

--
Jack Coates
Monkeynoodle: A Scientific Venture...






Re: [Leaf-user] PPP(oE) standards

2002-01-21 Thread Ewald Wasscher

David B. Cook wrote:

>I'm on Sympatico in Ontario and notice that my ip changes quite 
>frequently. It is stable for a week, then I get bumped twice in a single 
>day. Now, the system renegotiates just fine, however, because network.conf 
>has not been re-run, all my port forwards are "broken" until I do so 
>(which doesn't help me if I'm at work trying to get in).
>
>Does PPP have it in its specs to renegotiate an IP like DHCP does? Or are 
>they forcing a renegotiation by dropping your connection?
>
>Does this mean that something placed in /etc/ppp/ip-up.d will 
>automatically get run at that time to "fix" it? Can I just put 
>network.conf there?
>
No, that won't work. The following will reload your firewall rules:

svi network ipfilter reload

I don't know where to place this command as I'm totally unfamiliar with 
PPPoE. Could you please tell us what diskimage/LEAF distribution you are 
using, so that this can be fixed?

>What will happen to it as it will probably run from 
>here before it is supposed to on a normal boot sequence?
>
I _think_ it won't hurt. But again I have no experience with PPPoE

Ewald Wasscher

