[Leaf-user] man page for IP command

2002-01-23 Thread Tim Dieterman



Where can I find it?  I am using dachstein floppy v 2-19. The help I get from ip
--help is incomplete.
-Tim

Inter-Tel -- Your Connection to the Future
http://www.inter-tel.com



___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user



[Leaf-user] Dachstein CD, IPSEC and PGPnet

2002-01-23 Thread William Brinkman

I am currently trying to get my Dachstein CD v1.02
firewall to allow connections through the freeswan
ipsec to a windoze 98 machine running PGPnet (freeware
6.5.x).

I found Felippe Piazza's article in
www.strongsec.com/freeswan on how to accomplish this
using Open PGP certificates without the x509
certificates.

The article indicates that a patch must be made to the
kernel of linux to get this to work which strangely
enough is the x509 patch.

In C. Steinkuehler's documentation of the Dachstein CD
he indicates that a support lrp is available as
ipsec509.lrp to be included on the floppy's
pkgpath.cfg file along with the regular ipsec.lrp.

So finally the question, does the ipsec509.lrp file
include the patch to pluto and kernel modifications so
that Open PGP certificates will work with the
Dachstein IPSEC?

The Dachstein firewall/VPN functions great between
linux firewalls but I cannot seem to get the M$
product to talk.

Any help or suggestions would be appreciated.








Re: [Leaf-user] man page for IP command

2002-01-23 Thread Patrick Benson

Tim Dieterman wrote:
 
 Where can I find it?  I am using dachstein floppy v 2-19. The help I get from ip
 --help is incomplete.
 -Tim

Use iproute2 with Google... lots of info there, among them being:

http://www.linuxgrill.com/iproute2-toc.html


-- 
Patrick Benson
Stockholm, Sweden




Re: [Leaf-user] Dachstein CD, IPSEC and PGPnet

2002-01-23 Thread Charles Steinkuehler

 I found Felippe Piazza's article in
 www.strongsec.com/freeswan on how to accomplish this
 using Open PGP certificates without the x509
 certificates.

 The article indicates that a patch must be made to the
 kernel of linux to get this to work which strangely
 enough is the x509 patch.

 In C. Steinkuehler's documentation of the Dachstein CD
 he indicates that a support lrp is available as
 ipsec509.lrp to be included on the floppy's
 pkgpath.cfg file along with the regular ipsec.lrp.

 So finally the question, does the ipsec509.lrp file
 include the patch to pluto and kernel modifications so
 that Open PGP certificates will work with the
 Dachstein IPSEC?

If you're running the CD version of Dachstein, and loading the ipsec and
ipsec509 packages, you should be able to use x.509 certificates as
authentication keys.

 The Dachstein firewall/VPN functions great between
 linux firewalls but I cannot seem to get the M$
 product to talk.

I don't actually use certificates, so I haven't verified everything works
personally.  I do know, however, that there are numerous configuration
problems on the windows side if you're not using the entire MS VPN
framework.  You might ask on the ipsec list (or search the archives) about
configuring windows and FreeS/WAN to talk to each other using certificates.
You'll also need to import the certificates into freeswan...I have the
openssl and fswcert programs to do this available for download from the
ipsec package page on my website, if you don't have an alternative linux box
to run the programs on...

I also seem to remember something odd about PGP cert's...I think they're
stored in yet another format, and require a different program to extract
their data on a linux system, but I'm not sure...the FreeS/WAN docs &
mailing list will be your best source of info.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)






Re: [Leaf-user] Submitting documentation... a few questions

2002-01-23 Thread Mike Noyes

At 2002-01-23 20:03 +0100, Jon Clausen wrote:
Hey there

O.k. so I've prepared my description of how to get the weblet to be
accessible from the 'outside', and I'm ready to submit it.

I read the 'why does the docmanager?' document but I do need some
clarification on a couple of points, though:

Author:
- do I just take the credit? or should I list the persons whose answers I 
basically cut/pasted from messages on this list?

Jon,
You can give credit to others if you wish, but you took the time to write 
it up.

Document ID: ?
- what do I put here? -do I just pick a number, and hope it's not already 
in use?

This will be assigned by the DocManager when you submit the document. Just 
leave it blank for now. I'll put the docid in when I add it to our CVS 
repository.

Format:
- the 'surrounding' html-tags (head/head toe/toe) gets added 
automatically, right?

Correct.

Group:
- where does this document belong?
section 3? ..6? ..8?

I'd suggest 8. This can always be changed later, so its location is not as 
important as getting it into the DocManager.

Maintenance:
- once the document is submitted, how do I go about changing stuff? (I 
only just recently started toying with html at all, so maybe the doc looks 
terrible, and I'd like to change something or maybe something is just 
plain wrong and should be righted)

You have to be a developer for our project to modify the document once it 
is submitted. All of the DocManager documents are modified in our CVS 
repository. You can always submit a bug report against the FAQ to correct 
mistakes.

I know most of this is pretty basic stuff, but there's a first time for 
everything :)

It just shows the deficiencies in the current FAQ. I'll try to improve it 
in the future. Thanks for the feedback.

--
Mike Noyes [EMAIL PROTECTED]
https://sourceforge.net/users/mhnoyes/
http://leaf.sourceforge.net/content.php?menu=1000&page_id=4





[Leaf-user] Strange error messages

2002-01-23 Thread Scott Coley

I used to run Mike Leone's PPPoE Materhorn image on a 486/100 with 16
megs of ram and had no problems. I upgraded my motherboard to a P90
with 24 megs of ram and now I'm getting some strange error message
like the following

Jan 23 18:08:08 marchwarden kernel: eth0: Bus master arbitration failure, status 8cf2.
Jan 23 18:08:09 marchwarden kernel: eth0: Tx FIFO error! Status 02e2.
Jan 23 18:08:12 marchwarden last message repeated 7 times
Jan 23 18:08:12 marchwarden kernel: eth0: Bus master arbitration failure, status 8cf2.
Jan 23 18:08:12 marchwarden in.telnetd[786]: connect from 192.168.1.1
Jan 23 18:08:13 marchwarden kernel: eth0: Tx FIFO error! Status 02e2.
Jan 23 18:08:15 marchwarden last message repeated 4 times
Jan 23 18:08:15 marchwarden kernel: eth0: Tx FIFO error! Status 06e2.
Jan 23 18:08:16 marchwarden kernel: eth0: Tx FIFO error! Status 02e2.
Jan 23 18:08:17 marchwarden kernel: eth0: Tx FIFO error! Status 02e2.
Jan 23 18:08:17 marchwarden kernel: eth0: Tx FIFO error! Status 06e2.
Jan 23 18:08:17 marchwarden kernel: eth0: Tx FIFO error! Status 02e2.


I have no idea as to what's causing the problem. I'm using 2 Compaq
10 megabit Netelligent ISA Ethernet cards equipped with the PCNet-ISA II
(Lance compatible) chip.






Re: [Leaf-user] (no subject)

2002-01-23 Thread Jack Coates

On Wed, 23 Jan 2002, Erich Titl wrote:

 Hi Jon

 great someone took the time, here just my 2c

 [EMAIL PROTECTED] wrote the following at 14:52
 23.01.2002:
 
 How do I access the Weblet from 'outside'
 
 I have my Dachstein release up and running, and I can access the weblet from
 the inside but...
 
 Q) I would like to access the weblet engine on the primary link.
 
 A)
 
 1: Add a rule to the input chain which should allow access to port 80
 on the external interface. In /etc/network.conf:
 EXTERN_TCP_PORTS=address/mask_www
 
 or EXTERN_TCP_PORTx=address/mask www
 If you like the indexed list better.
 
 2: You will probably have to add something in /etc/hosts.allow:
 sh-httpd: ip.add.re.ss/255.255.255.0

 Q) But what if I am roaming and want access from an unknown IP

 3: In /etc/sh-httpd.conf add the address range you are trying to access
 from:
 # Who can access the server?
 CLIENT_ADDRS=123.345.456.

 Q) But i don't know my address on the road.


dyndns would be a good link here. I've also heard of people setting up
scripts to listen for a predetermined sequence of packets at a
predetermined port, then open the rule to the IP that the packets come
from. This could be as simple as telnet my.router.home  or
something really complex requiring a script and a packet crafter. The
router end is out of my depth, but this would be an interesting project
to research.



 Q)
 O.K. but we have a webserver in the DMZ, so port 80 gets forwarded
 to that host. Now what?
 
 A)
 Use some other port, like 81:
 
 1: Follow the above steps, but substitute 'www' with e.g. 81

 For clarity you might add something to /etc/services

 wwweblet 8081/tcp    # the leaf/lrp weblet port

 and then


 2: Additionally:
 
 In /etc/sh-httpd.conf:
 SERVER_PORT=81
 
 Also:
 The program that actually listens on a TCP port, and starts the weblet
 server for each connection is inetd.  So you will need to edit
 /etc/inetd.conf, and change the line that starts sh-httpd (weblet's web
 server) from:
 
 www stream  tcp nowait  root    /usr/sbin/tcpd  /usr/sbin/sh-httpd
 
 to:

 wwweblet stream  tcp nowait  root    /usr/sbin/tcpd  /usr/sbin/sh-httpd


 NOTE:  Only the port number (the first field) needs to change...everything
 else stays the same.
 
 2.nd NOTE:
 If you are accessing from a single remote host, being too verbose in
 hosts.allow and sh-httpd.conf, by putting address/netmask (e.g.
 111.222.333.444/32 or 111.222.333.444./255.255.255.255), may result in network
 errors, and make the 'protocol die unexpectedly'.
 
 In that case, removing the netmask might help.
 --

 hope this does not sound too sneaky

 We could even set up the port in /etc/inetd.conf from the information in
 /etc/sh-httpd.conf. It takes only a little configuration script (which must
 exist anyway in the distribution) and then we'd have to maintain only one
 location.

 Erich


 THINK
 Püntenstrasse 39
 8143 Stallikon
 mailto:[EMAIL PROTECTED]
 PGP Fingerprint: BC9A 25BC 3954 3BC8 C024  8D8A B7D4 FF9D 05B8 0A16




-- 
Jack Coates
Monkeynoodle: A Scientific Venture...
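
Added example (not part of the original messages, and not LEAF's own code): the steps quoted in this thread touch three files that must agree on the weblet port, and the quoted values differ (8081/tcp in /etc/services, SERVER_PORT=81 in sh-httpd.conf). This shell check compares them on copies of the files; the function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that sh-httpd.conf, inetd.conf and services agree on
# the weblet port. File paths are arguments, so it can run on copies.

# Value of SERVER_PORT in an sh-httpd.conf style file.
conf_port() {
    sed -n 's/^[[:space:]]*SERVER_PORT=\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# First field (service name or number) of the inetd.conf line running sh-httpd.
inetd_service() {
    awk '!/^[ \t]*#/ && /sh-httpd/ { print $1; exit }' "$1"
}

# TCP port for a service name; a purely numeric name is already a port.
service_port() {
    case "$1" in
        ''|*[!0-9]*) ;;                 # empty or non-numeric: look it up
        *) echo "$1"; return 0 ;;
    esac
    awk -v n="$1" '!/^[ \t]*#/ && $1 == n && $2 ~ /\/tcp/ {
        sub(/\/tcp.*/, "", $2); print $2; exit }' "$2"
}

# check_weblet_port HTTPD_CONF INETD_CONF SERVICES
# Returns 0 if the ports agree, 1 if they differ, 2 if a value is missing.
check_weblet_port() {
    want=$(conf_port "$1")
    svc=$(inetd_service "$2")
    have=$(service_port "$svc" "$3")
    if [ -z "$want" ] || [ -z "$svc" ] || [ -z "$have" ]; then
        echo "UNKNOWN: SERVER_PORT='$want' inetd service='$svc' port='$have'"
        return 2
    fi
    if [ "$want" = "$have" ]; then
        echo "OK: inetd service '$svc' and SERVER_PORT both use $want/tcp"
        return 0
    fi
    echo "MISMATCH: SERVER_PORT=$want but inetd service '$svc' is $have/tcp"
    return 1
}

# Constructed sample files (not copied from a real router).
# make_sample DIR SERVICES_PORT
make_sample() {
    mkdir -p "$1"
    printf 'SERVER_PORT=81\nCLIENT_ADDRS=192.0.2.\n' > "$1/sh-httpd.conf"
    printf 'wwweblet stream tcp nowait root /usr/sbin/tcpd /usr/sbin/sh-httpd\n' \
        > "$1/inetd.conf"
    printf 'www 80/tcp\nwwweblet %s/tcp # the leaf/lrp weblet port\n' "$2" \
        > "$1/services"
}

tmp=$(mktemp -d)
make_sample "$tmp/thread" 8081   # values as quoted in the thread
make_sample "$tmp/fixed" 81      # services entry changed to match SERVER_PORT
check_weblet_port "$tmp/thread/sh-httpd.conf" "$tmp/thread/inetd.conf" \
    "$tmp/thread/services" || true
check_weblet_port "$tmp/fixed/sh-httpd.conf" "$tmp/fixed/inetd.conf" \
    "$tmp/fixed/services" || true
rm -rf "$tmp"
```

The port found this way is also the one the EXTERN_TCP_PORTS rule in /etc/network.conf has to open, so a mismatch means the firewall rule and the listening port can point at different ports.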





[Leaf-user] SOME ITEMS THAT YOU MAY BE INTERESTED IN OR BE ABLE TO ADVISE ME ON

2002-01-23 Thread kriss rolo

These are the items that iam interested in selling..
Could you help me with some details on the goods, history, origin etc.
are these worth anything and if so who would i contact with regards to
selling them? and the best way to sell them ie auction etc

APOLOGISE IF YOU HAVE ALREADY RECEIVED THIS E-MAIL

JPEGS ARE AVAILABLE AT YOUR REQUEST

MANY THANX

kriss rolo
tel:   
0044 182760393 office (uk)
0044 1216864211 home (uk)
0044 7814294018 mobile (uk)

return e-mail address [EMAIL PROTECTED]

UK ONLY VEHICLE REGISTRATION NUMBER N64 CON
NINTENDO 64 CONSOLE

item 1


hand carved round table with metal chain link in the middle

 



item 2

magnum laurent perrier vintage 1988 champagne


 


item 3

miniture football on stand from euro96 signed by pele and bobby charlton

 

item 4
is a bit more interesting. its a protana minifon attache, as u will see
ive enclosed notes from a web site regarding this and you will see back in
the 50's it cost $340.00 so i could imagine this to be worth a bit. it
also has an original tape inside i do not know what is on this tape, but
judging by who made it and the cost of the machine, the tape could have
some important information on it. heres the note.

 

The Minifon, developed in the early 1950s by Monske GMBH of Hanover(or by
Protona GMBH- I'm not certain), was an ultra-miniaturized, battery
operated magnetic recording device. It could not (initially at least)
record the full range of sounds and was thus limited to voice recording,
but it did offer easy portability in a very small package. The idea of
offering a pocket dictating machine was novel, since dictation had
previously been done in the office. However, it was thought that people
like salesmen could take the machine on the road with them. Once on the
market, the Minifon's promoters discovered that many people took advantage
of the recorder's small size to make secret recordings to be used as
evidence, as in court.

The legitimate use of the Minifon, as a dictating machine, was somewhat
problematical. Recordings made on regular dictating equipment were usually
letters, and thus were normally sent almost immediately to a typist. The
Minifon offered no obvious advantages over standard dictation equipment
for office use, but its developers hoped to cultivate new uses for
dictation equipment, such as stock taking in warehouses, or the use of the
machine as a substitute for note-taking by reporters, insurance adjusters,
salesmen, and others.

In its original form, the Minifon was a wire recorder, using a type of
wire medium developed by the Armour Research Foundation of Chicago and
employed in many similar devices since the late 1940s. The machine at its
introduction in 1952 had a recording time of one hour, which was
remarkably long, and weighed only about 3 pounds at a time when a typical
office dictating machine weighed upwards of 10 pounds. It accomplished
this small size and light weight in part through the use of miniature
tubes and clever mechanical design. The basic machine cost $289.50-- a
price that sounds high today but was very much in line with competing
office dictating machines.

The parent company attempted to set up distribution, sales and service
networks in the United States. It established a business office called the
Minifon Export Corp in New York, and an existing company, Harvey Radio in
New York City became the main distributor. Although smaller tape recorders
appeared at about the same time, the main competition in the voice
recording field was from an American company, Mohawk, which made a small,
battery-operated cartridge tape recorder called the Migetape. Both
products sold less than 10,000 units per year in the U.S.

After a few years, the Minifon was modified to use transistors and
magnetic tape, further lowering its weight and cost. By 1962 the basic
machine weighed in at only 1.5 pounds. Competition by this time had helped
bring the cost down to $249.50.

The Minifon after about 1962 was distributed by the international
conglomerate ITT through its subsidiary in the U.S., Federal Electric
Corp. A little later, distribution was taken over by the ITT Distributor
Products Division in Lodi, New Jersey. (I don't know whether these were
the same company with different names)

By the time ITT became associated with this product, it had taken on the
name of Minifon Attache, and a new line of models and options appeared.
These included a hi-fi model, the 978H, which sold for $330.50. Using a
two-track, 1/4 inch tape cartridge operating at 1 7/8 inches per second,
the machine claimed a frequency response of up to 12,000 Hz, plus or minus
3db.
The coming of magnetic tape did not completely displace wire. The Model
240 series of recorders introduced in the early 1960s were probably the
last wire recorders in regular production. The 240L, at a price of $269.50
used a special long-playing wire cartridge that held 4 hours of wire.
Otherwise it looked like both the tape model and the 240S, 

[Leaf-user] ANN: Oxygen 1.8

2002-01-23 Thread David Douthitt

Oxygen 1.8 is a major new revision in the Oxygen distribution.  It
contains the following new features:

* A new flexible configuration file system
* Full support for CDROMs
* Upgradable glibc - packaged glibc 2.1 (new) into libc.lrp
* More flexibility: things like cron and init are now packages
* Linux 2.2.20 with Openwall enhanced security patch
* Revised hardening script
* Script for headless booting with Compaq PCs
* Full support for vfat
* More automatic boot sequence
* Updated: busybox 0.60.2, syslinux 1.64, more...

The new configuration file now allows these new features:

* Load from multiple floppies, different formats
* Definable prompt - prompt user to insert appropriate disk
* Load modules
* Load configuration file
* Load from a list of packages
* Use alternate packing programs (like bzip2)
* Load packages from CDROM

Oxygen retains these features:

* Automatic loading of packages; no more having to specify each
package
* Updated programs
* Security checked
* Enhanced with many utilities
* Powerful package management (apkg) with optional full-screen
interface
* Full screen (with ncurses and dialog) configuration
* Safe package backups (using apkg -s) - no more panicking when the
disk runs out of space... and you find out too late...
* Control system kernel parameters with sysctl

Available from the download area at http://leaf.sf.net/

--
David Douthitt
UNIX Systems Administrator
HP-UX, Unixware, Linux
[EMAIL PROTECTED]




Re: [Leaf-user] Internal Network

2002-01-23 Thread Reginald R. Richardson

Charles..

i try adding the following commands in the network.conf

Ipchains commands to be added to box3
ipchains -A input -p tcp -s 192.168.10.0/24 -d 0/0 80 -m 2
ipchains -A input -p tcp -s 192.168.10.0/24 -d 0/0 110 -m 3
ipchains -A input -p tcp -s 192.168.10.0/24 -d 0/0 25 -m 4
ipchains -A input -p tcp -s 192.168.10.0/24 -d 0/0 1214 -m 5

Last but not least:
i have to create the following ip rules on BOX3:
ip rule add fwmark 2 table http pref 2500
ip rule add fwmark 3 table pop3 pref 2500
ip rule add fwmark 4 table smtp pref 2500
ip rule add fwmark 5 table 1214 pref 2500

ip ro add 0/0 dev eth0 table http
ip ro add 0/0 dev eth0 table smtp
ip ro add 0/0 dev eth1 table 1214
ip ro add 0/0 dev eth0 table pop3

but it seems that they are probably loading before the necessary devices are
started, i inserted them just before the QOS functions / after the DNS Server
Settings

The onliest that were loaded were the ip rule add fwmark etc..

the ipchains command were not loaded neither was the ip ro add 0/0 dev etc..

I wanted to make a script and add it to the init.d directory, but due to my
limited experience, i didn't know how to get the script executed at boot time,
or is there maybe an existing script in the init.d that i can add these
commands to..

Somehow i noted when booting, i got a message, about some device not ready or
is busy.and after that message, is when i saw the ethx devices being
loading at the bottom of the screen when the router is booted..

Please help me out once again..then we starting to cook

thnks


On Wed, 23 Jan 2002 11:50:13 -0600, Charles Steinkuehler wrote:
CS Comments inline...

What i'm trying

3 LEAF boxes

BOX 1 -- Cable
eth0 via PPPOE
eth1 192.168.1.6/30

BOX 2 -- ADSL
eth0 213.10.x.x
eth1 192.168.1.2/30

BOX 3 -- Local Network (Non FIREWALL/Non Natting -Straight Router)
eth0 192.168.1.1/30  connects to Box2
eth1 192.168.10.254 connects to Local Net
eth2 192.168.1.5/30  connects to Box 1

The intern net was needed so that the 192.168.10.0 can also be MASQueraded to
the internet since the 192.168.1.0/30 and 192.168.10.4/30 are separate SUBNETS

The reason for all of this is basically because i have extra 486/50's and P120's
and extra NICS to my disposal, and mainly because getting 1 LEAF box connecting
via 2 ISP's was being a little difficult with Multiple EXTERNAL INTERFACES,
getting all the firewall rules needed to protect both external interfaces, and
after all i tried many ways of telling Dachstein that i have to Extern.
Interfaces, but was getting nothing but frustration, and after all, it seems
to me, that no one on the list was successful in getting it done either.

CS  Not a bad way to go about it, if you've got the extra boxes...you can
always work on consolidating a working solution once you've got everything
running properly.

CS  Why not use equal-weight routing, and

The ipchains commands are needed to MARK the TCP packets, and based on their
PORT, they will be either sent to the CABLE or the ADSL connection using the
ip route command

More info needed:
Which file would be the best to put some static routes so that they can be
created during the boot up, and also, if i want to include some ipchains
commands where can i do that..
eg

Static routes to be created at boot on box 1 and box 2
ip route add 192.168.10/24 via 192.168.1.5 (box2)
ip route add 192.168.10/24 via 192.168.1.1 (box1)

CS Use the iface_ROUTES setting in /etc/network.conf...eg on box1:
eth1_ROUTES=192.168.10/24_via_192.168.1.1

CS Note spaces -> underscores

Ipchains commands to be added to box3
ipchains -A input -p tcp -s 192.168.10.0/24 -d 0/0 80 -m 2
ipchains -A input -p tcp -s 192.168.10.0/24 -d 0/0 110 -m 3
ipchains -A input -p tcp -s 192.168.10.0/24 -d 0/0 25 -m 4
ipchains -A input -p tcp -s 192.168.10.0/24 -d 0/0 1214 -m 5

Last but not least:
i have to create the following ip rules on BOX3:
ip rule add fwmark 2 table http pref 2500
ip rule add fwmark 3 table pop3 pref 2500
ip rule add fwmark 4 table smtp pref 2500
ip rule add fwmark 5 table 1214 pref 2500

ip ro add 0/0 dev eth0 table http
ip ro add 0/0 dev eth0 table smtp
ip ro add 0/0 dev eth1 table 1214
ip ro add 0/0 dev eth0 table pop3

would i have to put these in a script to be created every time at boot, or what
PACKAGE do i have to backup on Dachstein to have these commands saved once i
create them.

CS  There's no really clean place to add these.  You could tack them into
network.conf if you want, or make your own init script in /etc/init.d.  For
either approach, backup etc to save your changes.

In this scenario, what is the best settings for the following configs:
IPFILTER_SWITCH=Router or NONE   (current setting=ROUTER)
IPALWAYSDEFRAG_KERNEL=YES or NO  (current setting=NO)
IPFWDING_KERNEL=YES or NO or FILTER_ON (current setting=YES)

CS  I'd probably use IPFILTER_SWITCH=NONE...IIRC, the ROUTER setting may block
some traffic (snmp, and possibly private IP's).

IPALWAYSDEFRAG_KERNEL probably doesn't matter, but if it's set