Re: [Leaf-user] Re: Weblet... yet again ...again

2002-01-26 Thread Jon Clausen

Hi all

http://bund.dk/~jon/weblethowo-pub.html

O.K. spent some more time reading and trying out stuff. This 'problem' 
persists:

> at the top of the page. The only way I could get the print-link
> inside the two <hr />'s was to make it a paragraph, which renders
> as if there were <br />'s there...

So I think I'll leave it as that. The above is going to be a 'problem' with 
all the docs (if/when they should validate as 'strict') and so someone should 
eventually come up with a solution.

> Nesting of tags and elements is tricky.

You said it Mike !-)

I'm thinking that I *should* add Gareth's piece too:

--
I achieve this by tunnelling the http stream through an SSH session.
My command line is as follows:
ssh -l root -L 81:localhost:80 hostname

Once I am logged in, using the URL http://localhost:81 opens weblet.
I did need to edit /etc/hosts.allow and /etc/sh-httpd.conf to add 127.0.0.1
for this to work. I also needed to
killall -HUP inetd
for the changes to take effect.

Gareth
---

but I haven't had the time to put in the effort to understand it yet, so if 
someone could explain, I'm all ears. :)

Specifically I think I'm getting confused as to which is the local, and which 
is the remote host... ?

Jon

___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
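Jon's question is which end of Gareth's `ssh -l root -L 81:localhost:80 hostname` is local and which is remote. The script below is an added example, not code from the thread or from LEAF: it parses the OpenSSH -L argument (`[bind_address:]port:host:hostport`) and spells out where each part is interpreted. The client machine is the one you type `ssh` on; `hostname` is the LEAF box running sshd; `localhost:80` is resolved by sshd on that box, so it is the LEAF box's own sh-httpd, which is why Gareth had to allow 127.0.0.1 in hosts.allow and sh-httpd.conf. The helper names are my own.

```python
"""Which side of an `ssh -L` forward is which (added example, not from the thread)."""
from dataclasses import dataclass


@dataclass
class LocalForward:
    bind_address: str   # address the *client* listens on ("localhost" when omitted)
    port: int           # port opened on the *client* machine
    host: str           # destination, resolved by sshd on the *remote* machine
    hostport: int       # destination port, as seen from the remote machine


def parse_local_forward(spec: str) -> LocalForward:
    """Parse an OpenSSH -L argument.

    OpenSSH accepts `port:host:hostport` and `bind_address:port:host:hostport`.
    With no bind_address the client listens on loopback only; an empty
    bind_address ("-L :81:localhost:80") or "*" means all client interfaces.
    (IPv6 bracket syntax is not handled here.)
    """
    parts = spec.split(":")
    if len(parts) == 3:
        bind_address, port, host, hostport = "localhost", *parts
    elif len(parts) == 4:
        bind_address, port, host, hostport = parts
    else:
        raise ValueError(f"not a -L spec: {spec!r}")
    if bind_address == "":
        bind_address = "*"
    return LocalForward(bind_address, int(port), host, int(hostport))


def reachable_from_other_hosts(spec: str) -> bool:
    """True when the listening port is bound to a non-loopback address, i.e.
    other machines on the client's LAN could use the tunnel (subject to the
    client-side GatewayPorts setting)."""
    return parse_local_forward(spec).bind_address not in ("localhost", "127.0.0.1", "::1")


def explain(spec: str, ssh_server: str) -> str:
    """One-line description of who listens where and who connects where."""
    fwd = parse_local_forward(spec)
    return (
        f"client listens on {fwd.bind_address}:{fwd.port}; "
        f"sshd on {ssh_server} connects to {fwd.host}:{fwd.hostport} "
        f"(\"{fwd.host}\" is resolved on {ssh_server}, not on the client)"
    )


if __name__ == "__main__":
    # Gareth's command line from the thread
    print(explain("81:localhost:80", "hostname"))
```

So with Gareth's command, browsing to http://localhost:81 on the client goes through the SSH session and comes out of sshd on the LEAF box as a connection to its own port 80; nothing is opened on the LEAF box itself, and the client's port 81 is loopback-only unless a bind address is given.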



[Leaf-user] OT: ssh keys

2002-01-26 Thread Charles Baker

I generated a ssh key on a machine behind my lrp box
and placed that key on a remote machine so that I
could do key-based authentication instead of password
authentication. However, when I try to ssh to the
remote box, it doesn't recognize me, the host names
don't match because the connection is masqueraded as
coming from the lrp box. Suggestions?

=
[EMAIL PROTECTED]
Hacking is a Good Thing!
See http://www.tuxedo.org/~esr/faqs/hacker-howto.html




RE: [Leaf-user] LRP and DOC

2002-01-26 Thread John Mullan

Charles

FINALLY!  It works.  And it works great.  I think the latest and greatest
SYSLINUX (version 1.66) did it for me.  Once I re-did the boot loader
with that, it worked.

For informational purposes ONLY, if you or any list member would like to
see what it took, I have made a ZIP of all files currently on my
embedded board.  Because of the licence thing about M-SYS (and the fact
that I used your sample kernel with DOC in it), this is not a
distribution.

The board was purchased from ARISE computers, is a PIII 433 MHz with
DiskOnChip 2000 (80meg), 32meg RAM, Intel 82559 ethernet on board, and
DE-538 in the only on-board PCI slot.  Obviously this is overkill for
the job at hand, but since it was made available to me :)

John

PS:  I like the WEBLET thing.  First time for me and it's a nice
feature.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Charles
Steinkuehler
Sent: Friday, January 25, 2002 2:59 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [Leaf-user] LRP and DOC


> This results in an immediate 'boot fail' message.  Note that I have
> tried minor:1 and minor:0 both with same result.  Could there be a
> problem with the boot sector information?  Does 'syslinux' work
> properly on D.O.C.?

I don't know...I have yet to play with syslinux and DOC in an embedded
environment.  I did get a ZF Linux eval board with a DOC, but when I
tried to run syslinux, I never got past the not enough low memory
problem (but syslinux *was* running).

I'm not sure how the other folks who have used DOCs boot their systems.
I suppose you could always fall back to booting DOS and using ldlinux.
I also think there are versions of lilo and grub that know how to boot
from a DOC...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)






FW: [Leaf-user] LRP and DOC

2002-01-26 Thread John Mullan

Sorry, forgot to leave the link for the file...

http://mullan.dns2go.com/files/MullanStein.zip


-Original Message-
From: John Mullan [mailto:[EMAIL PROTECTED]] 
Sent: Saturday, January 26, 2002 8:51 AM
To: 'Charles Steinkuehler'; '[EMAIL PROTECTED]';
'[EMAIL PROTECTED]'
Subject: RE: [Leaf-user] LRP and DOC


Charles

FINALLY!  It works.  And it works great.  I think the latest and greatest
SYSLINUX (version 1.66) did it for me.  Once I re-did the boot loader
with that, it worked.

For informational purposes ONLY, if you or any list member would like to
see what it took, I have made a ZIP of all files currently on my
embedded board.  Because of the licence thing about M-SYS (and the fact
that I used your sample kernel with DOC in it), this is not a
distribution.

The board was purchased from ARISE computers, is a PIII 433 MHz with
DiskOnChip 2000 (80meg), 32meg RAM, Intel 82559 ethernet on board, and
DE-538 in the only on-board PCI slot.  Obviously this is overkill for
the job at hand, but since it was made available to me :)

John

PS:  I like the WEBLET thing.  First time for me and it's a nice
feature.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Charles
Steinkuehler
Sent: Friday, January 25, 2002 2:59 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [Leaf-user] LRP and DOC


> This results in an immediate 'boot fail' message.  Note that I have
> tried minor:1 and minor:0 both with same result.  Could there be a
> problem with the boot sector information?  Does 'syslinux' work
> properly on D.O.C.?

I don't know...I have yet to play with syslinux and DOC in an embedded
environment.  I did get a ZF Linux eval board with a DOC, but when I
tried to run syslinux, I never got past the not enough low memory
problem (but syslinux *was* running).

I'm not sure how the other folks who have used DOCs boot their systems.
I suppose you could always fall back to booting DOS and using ldlinux.
I also think there are versions of lilo and grub that know how to boot
from a DOC...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)






[Leaf-user] Beowulf channel bonding

2002-01-26 Thread David McBride

This looks like a way to bond multiple ethernet channels into one single
bandwidth.  This has been discussed many times on the board, but not sure if
Beowulf has ever been discussed in depth or tried.  I have been on the board
for a while, but still consider myself at newbie status.  Could someone with
more experience check this out?  I see that they use RPM packages, but can
they be recompiled for LRP?
http://www.beowulf.org/software/bonding.html
Link to the bonding patch: http://www.beowulf.org/software/patches/

Thanks,
David




[Leaf-user] Re: OT: ssh keys

2002-01-26 Thread Erich Titl

Hi

[EMAIL PROTECTED] wrote the following at 14:54 
26.01.2002:


> Message: 12
> Date: Sat, 26 Jan 2002 04:57:29 -0800 (PST)
> From: Charles Baker [EMAIL PROTECTED]
> To: leaf-user [EMAIL PROTECTED]
> Subject: [Leaf-user] OT: ssh keys
>
> I generated a ssh key on a machine behind my lrp box
> and placed that key on a remote machine so that I
> could do key-based authentication instead of password
> authentication. However, when I try to ssh to the
> remote box, it doesn't recognize me, the host names
> don't match because the connection is masqueraded as
> coming from the lrp box. Suggestions?

I have not seen a situation yet where the IP played any role, as 
authentication is based on the key. I am using Putty on a Wintel box as 
client from almost anywhere with the same key and never had a problem. I 
guess you should check the traffic to/from port 22 first, then look at the 
authentication log on the host.

HTH

Erich






Re: [Leaf-user] Internal Network

2002-01-26 Thread Jack Coates

Been there done that :-) Make sure you have proper tc rules for _both_
directions, and try tcpdump on all three boxes. Not sure if you already
knew this, but tcpdump has a ton of command line options to make it just
show the packets you're looking for. Also double-check your NAT and the
routing on box 1 and 2. I suspect something like this is happening to
you:

z.z.z.z:1024 SYN -> box3 -> box1(NATSRC=x.x.x.x:4001) -> a.a.a.a:80

z.z.z.z:1024 <- box3 <- ACK loops back to box1 <- a.a.a.a:80

So on each box get two consoles (one for eth0 and one for eth1), then do
a:
tcpdump -i eth[0|1] -n port 80 and host 66.1.155.123

and then go to your client workstation and browse to
www.monkeynoodle.org. The tcpdump output should make it very clear what
happened.

Good luck!
Jack

On Sat, 26 Jan 2002, Reginald R. Richardson wrote:

> Me again..
>
> We getting there, with this 3 router box...
>
> Question:
> I reach so far as having Router3 sending the HTTP traffic to the correct
> router, the SMTP traffic to the correct box also, as i use my TCPDUMP on my BOX
> connected to the Internet, i can see the HTTP traffic being transmitted to
> the internet, but my problem is it's not being returned to the requesting
> workstation.
>
> this is what my HTTP lookup table looks like
> ip route ls table http
> default dev eth2  scope link
>
> I must say, that if i clear this table, and let BOX3, with a DEFAULT GW to the
> internet via BOX1 or BOX2, then the Workstation can connect to the net without
> any problems.
>
> I don't have the slightest idea now where i should look
>
> thanks
>
> On Wed, 23 Jan 2002 14:14:37 -0600, Charles Steinkuehler wrote:
> Everything seems to be moving like a charm, not getting the IP ROUTE
> per TCP
> Port talking to healthy, but still working on it..
>
> question.
> U mentioned why not use equal-weight routing, i checked at googles
> to get
> more info about this, it seems a nice way to go...but can u guide me
> to a
> weblink where i can find more info on how to implement this on my
> Box3,
>
> CS> Start with the Advanced Routing HOWTO, from linuxdoc.org or
> similar...if
> you get your port-based routing tables setup, you'll be over most of
> the
> hurdles...
>
> CS> Keep us all posted on your progress...if you get this working,
> it's the
> first step to doing the same thing cleanly with a single box.
>
> Charles Steinkuehler
> http://lrp.steinkuehler.net
> http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
>
> -
> Reginald R. Richardson
> [EMAIL PROTECTED] on 1/26/2002


-- 
Jack Coates
Monkeynoodle: A Scientific Venture...


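Jack's method above is to capture on every interface of every box and see where the return packets go. The script below is an added example, not code from the thread or from LEAF: it reads per-interface tcpdump -n output in the 2002-era format (`src.port > dst.port: S ... ack ...`) and reports TCP flows whose SYN was seen on an interface without a matching SYN-ACK on that same interface, which is exactly the asymmetric-return pattern Jack suspects. The box and interface names, addresses and capture lines are constructed to mirror his diagram: the client's SYN passes box3 and box1, box1 NATs it and the reply does come back on box1's outside interface, but never reaches the inside interfaces.

```python
"""Spot TCP flows whose SYN-ACK never came back on the interface that saw the SYN.
Added example, not from the thread; capture lines below are constructed."""
import re
from collections import defaultdict

# tcpdump 3.x style line: "ts src.sport > dst.dport: FLAGS rest"
TCP_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>[SPFR.]+)(?P<rest>.*)$"
)

# Constructed captures, one list per "box-interface". The client 192.168.2.10
# talks to a web server 203.0.113.80; box1 NATs it to 198.51.100.1:4001.
CAPTURES = {
    "box3-eth0": [  # LAN side of box3: only the outgoing SYN
        "10:00:00.000100 192.168.2.10.1024 > 203.0.113.80.80: S 1000:1000(0) win 5840",
    ],
    "box3-eth2": [  # box3 -> box1 link: only the outgoing SYN
        "10:00:00.000200 192.168.2.10.1024 > 203.0.113.80.80: S 1000:1000(0) win 5840",
    ],
    "box1-eth0": [  # inside of box1: SYN arrives, reply never leaves this way
        "10:00:00.000300 192.168.2.10.1024 > 203.0.113.80.80: S 1000:1000(0) win 5840",
    ],
    "box1-eth1": [  # outside of box1: NATed SYN and the SYN-ACK both seen
        "10:00:00.000400 198.51.100.1.4001 > 203.0.113.80.80: S 1000:1000(0) win 5840",
        "10:00:00.040000 203.0.113.80.80 > 198.51.100.1.4001: S 2000:2000(0) ack 1001 win 5792",
    ],
}


def parse_line(line):
    """Return (fields, is_syn, is_ack) for a TCP line, or None for anything else."""
    m = TCP_LINE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return d, "S" in d["flags"], "ack" in d["rest"]


def find_asymmetric_flows(captures):
    """For every (client, cport, server, sport) flow, list the interfaces that saw
    the SYN but not the SYN-ACK. A symmetric path shows both on each interface."""
    syn_on, synack_on = defaultdict(set), defaultdict(set)
    for iface, lines in captures.items():
        for line in lines:
            parsed = parse_line(line)
            if parsed is None:
                continue
            d, is_syn, is_ack = parsed
            if not is_syn:
                continue                      # only the handshake is used here
            if is_ack:                        # SYN-ACK: server -> client, normalise
                flow = (d["dst"], int(d["dport"]), d["src"], int(d["sport"]))
                synack_on[flow].add(iface)
            else:                             # plain SYN: client -> server
                flow = (d["src"], int(d["sport"]), d["dst"], int(d["dport"]))
                syn_on[flow].add(iface)
    problems = []
    for flow, ifaces in sorted(syn_on.items()):
        missing = sorted(ifaces - synack_on.get(flow, set()))
        if missing:
            problems.append({"flow": flow, "syn_seen_on": sorted(ifaces),
                             "no_synack_on": missing})
    return problems


if __name__ == "__main__":
    for p in find_asymmetric_flows(CAPTURES):
        c, cp, s, sp = p["flow"]
        print(f"{c}:{cp} -> {s}:{sp}: SYN-ACK missing on {', '.join(p['no_synack_on'])}")
```

Feed it real captures by running Jack's `tcpdump -i ethN -n port 80 and host <server>` on each interface and pasting each output into its own list; the NATed outside flow reporting clean while every inside interface reports a missing SYN-ACK points the finger at box1's return routing rather than at the server.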



Re: [Leaf-user] Beowulf channel bonding

2002-01-26 Thread Jack Coates

On Sat, 26 Jan 2002, David McBride wrote:

> This looks like a way to bond multiple ethernet channels into one single
> bandwidth.  This has been discussed many times on the board, but not sure if
> Beowulf has ever been discussed in depth or tried.  I have been on the board
> for a while, but still consider myself at newbie status.  Could someone with
> more experience check this out?  I see that they use RPM packages, but can
> they be recompiled for LRP?
> http://www.beowulf.org/software/bonding.html
> Link to the bonding patch: http://www.beowulf.org/software/patches/
>
> Thanks,
> David



I don't think anyone's tried -- realize that the assumption behind this
package is two links *on the same LAN and IP network*, which is not
something most LEAF users have needed to do yet.

-- 
Jack Coates
Monkeynoodle: A Scientific Venture...





Re: [Leaf-user] How to add hub functions into Dachstein floppyversion firewall?

2002-01-26 Thread Jeff Newmiller

On Fri, 25 Jan 2002, Mark Plowman wrote:

> > From: Jeff Newmiller [EMAIL PROTECTED]
> > Date: Fri, 25 Jan 2002 02:39:41 -0800 (PST)
> >
> > On Thu, 24 Jan 2002, WS Wong wrote:
> >
> > > I am a newbie to Linux firewall.  I downloaded the Dachstein image and
> > > installed in a P100 PC with 64MB RAM and two Linksys Ethernet cards.
> > > Everything works fine connecting to a DSL modem on one end and my
> > > home PC on the other end of the firewall box.
> > >
> > > I have two spare 3Com 3C509B-TPO Ethernet ISA cards.  I want to add
> > > the 3Com cards to the Linux firewall and have the one Linksys card and
> > > two 3Com cards working as a Hub.  This way I can have a local three
> > > computers network that can talk to each other and share one ISP IP
> > > address for Internet access.
> > >
> > > Is it feasible to add the hub function into a floppy disk firewall
> > > box?  Did anyone try this configuration before?  What do I have to
> > > change and add to the network configuration module to add the Hub
> > > functions?
> >
> > Theoretically possible, if you enable bridging, but not really worth the
> > trouble it will take.
> >
> > Hubs and switches are too economical in their per-port cost these days to
> > consider using a computer instead.  Really.
>
> You can use your Firewall as a Hub or as a *Router*.
>
> This is perhaps not so much work.
>
> You must specify the ethernet cards in the config (much as the
> existing *internal* interfaces), they must each have their own network
> (192.168.0.*, 192.168.1.*, 192.168.2.* etc) and there is a little bit
> of magic that must be done somewhere (and I can't remember where -
> anyone else?) to allow the networks to talk to each other (as the
> default is separate networks).

The drawback to this is the loss of broadcast communication support
between your hosts, because they are on different networks.  This feature
is most commonly used in peer-to-peer networking (Appletalk,
CIFS=Windows).  Thus, _routing_ is not a clean substitute for switching or
hub-connection.

---
Jeff NewmillerThe .   .  Go Live...
DCN:[EMAIL PROTECTED]Basics: ##.#.   ##.#.  Live Go...
  Live:   OO#.. Dead: OO#..  Playing
Research Engineer (Solar/BatteriesO.O#.   #.O#.  with
/Software/Embedded Controllers)   .OO#.   .OO#.  rocks...2k
---





Re: [Leaf-user] Leaf 2.4.16 view firewall rules

2002-01-26 Thread Jacques Nilo

From: Larry Platzek [EMAIL PROTECTED]

> Is it just my copy view firewall rules that only has zero for packets and
> bytes fields?
Are you using weblet ? What command are you using ? Any output to show ?

> also when using PPP to my isp and they hang up the line after 240 minutes
> then why does persist not work? I would have expected my system
> to reconnect to the isp just like if I unplug the phone line and back in.
Could we have a look at your provider or option file ?

> I am doing demand dial by PPP and have idle and persist.
>
> Does anyone care to tell me what to put on the
> active-filter option line so any multicast coming in on ppp0
> does not affect the idle timer? This is using pppd 2.4.1 included with
> Leaf 2.4.16.
Try one of those:
active-filter 'ip multicast'
or
active-filter 'not ip multicast'

Jacques





Re: [Leaf-user] OT: ssh keys

2002-01-26 Thread Ewald Wasscher

Charles Baker wrote:

Perhaps comp.security.ssh is a better place to ask. But give us some
more information and perhaps we could help.

> I generated a ssh key on a machine behind my lrp box
> and placed that key on a remote machine so that I
> could do key-based authentication instead of password
> authentication.

How exactly did you do that? If you describe what you did we could
perhaps see what went wrong.

> However, when I try to ssh to the
> remote box, it doesn't recognize me, the host names
> don't match because the connection is masqueraded as
> coming from the lrp box.

Why is that a problem? I don't see it. I can do ssh through my firewall
fine, both using passwords and public key authentication.

> Suggestions?

More information!

Ewald Wasscher





Re: [Leaf-user] Leaf 2.4.16 view firewall rules

2002-01-26 Thread Larry Platzek


view Firewall (p1 of 9)

LEAF Firewall

   ::Packet Filter::


Shorewall-1.2.2 Chain  at  - Fri Jan 25 16:13:32 UTC 2002

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 rfc1918    all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            udp dpts:67:68
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpts:67:68
    0     0 net2fw     all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0
    0     0 loc2fw     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 10/hour burst 5 LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:'
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

The above partial output is from viewfw in weblet. Below I will place
the output of iptables -v -L INPUT:

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1920 99542 rfc1918    all  --  ppp0   any     anywhere             anywhere
  205 14196 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 ACCEPT     udp  --  ppp0   any     anywhere             anywhere             udp dpts:bootps:bootpc
    0     0 ACCEPT     udp  --  eth0   any     anywhere             anywhere             udp dpts:bootps:bootpc
 1920 99542 net2fw     all  --  ppp0   any     anywhere             anywhere
  598 72694 loc2fw     all  --  eth0   any     anywhere             anywhere
    0     0 common     all  --  any    any     anywhere             anywhere
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 10/hour burst 5 LOG level info prefix `Shorewall:all2all:REJECT:'
    0     0 reject     all  --  any    any     anywhere             anywhere

I hope I did not mangle anything too badly in the above iptables output.

[root@gw254 /root]# mtype a:options
# /etc/ppp/options
asyncmap 0
auth
crtscts
lock
hide-password
modem
#proxyarp

idle 600
persist
demand
#lcp-echo-interval 30
lcp-echo-interval 300
lcp-echo-failure 4
noipx
[root@gw254 /root]# mtype a:provider
# ISP pppd options file
# What follows is OK for Compuserve
#
noauth
debug   # log transaction to /var/log/messages
/dev/ttyS1  # (ttyS0=com1, ttyS1=com2, ...)
115200  # baud  rate
modem
crtscts # use hardware flow control
asyncmap 0
defaultroute# ppp becomes default route to the internet
noipdefault
lock# don't let other processes besides PPP use the device
connect /usr/sbin/chat -v -f /etc/chatscripts/provider


[root@gw254 /root]#

I have to go do other things until tonight.


Larry Platzek  [EMAIL PROTECTED]


On Sat, 26 Jan 2002, Jacques Nilo wrote:

> Date: Sat, 26 Jan 2002 18:00:26 +0100
> From: Jacques Nilo [EMAIL PROTECTED]
> To: Larry Platzek [EMAIL PROTECTED]
> Cc: Leaf-user@lists. sourceforge. net [EMAIL PROTECTED]
> Subject: Re: [Leaf-user] Leaf 2.4.16 view firewall rules
>
> From: Larry Platzek [EMAIL PROTECTED]
>
> > Is it just my copy view firewall rules that only has zero for packets and
> > bytes fields?
> Are you using weblet ? What command are you using ? Any output to show ?
>
> > also when using PPP to my isp and they hang up the line after 240 minutes
> > then why does persist not work? I would have expected my system
> > to reconnect to the isp just like if I unplug the phone line and back in.
> Could we have a look at your provider or option file ?
>
> > I am doing demand dial by PPP and have idle and persist.
> >
> > Does anyone care to tell me what to put on the
> > active-filter option line so any multicast coming in on ppp0
> > does not affect the idle timer? This is using pppd 2.4.1 included with
> > Leaf 2.4.16.
> Try one of those:
> active-filter 'ip multicast'
> or
> active-filter 'not ip multicast'
>
> Jacques






[Leaf-user] setting up tinydns.lrp

2002-01-26 Thread Martin Hejl

Hi everybody,

today, I successfully set up a Dachstein box. On the router, I'm running
tinydns and dnscache to replace our (private) DNS server (which was Bind - I
guess I don't need to tell anybody why I wanted to switch). 

Thanks to Jacques' excellent documentation, setting tinydns up was pretty
simple (except for the part below). 

One thing that took us quite a while was to figure out why reverse lookups
didn't work on the internal net. The way we finally got it to work was to
declare all entries in  /etc/tinydns-private/root/data as PTRs. 

For example 
=example1.private.network:192.168.1.1 
instead of 
+example1.private.network:192.168.1.1

Now, my question is, is that actually correct? If so, I guess it would be a
good idea to add a reference to that to the docs (I know there's a PTR in
the sample, but since that referred to the router name, we assumed that
there was something special about that - remember, I'm surely a DNS
newbie). 

And if I'm wrong with my guess, I'd appreciate any ideas or suggestions on
how to make reverse lookups work properly. 

Martin




Re: [Leaf-user] Leaf 2.4.16 view firewall rules

2002-01-26 Thread Jacques Nilo

> Is it just my copy view firewall rules that only has zero for packets and
> bytes fields?

Ok. So it's because you are viewing your firewall rules through weblet.
When Shorewall is started, the following /etc/shorewall/start script is
executed.
BOF
shorewall show /var/sh-www/data/firewall
chown sh-httpd.adm /var/sh-www/data/firewall
shorewall show nat /var/sh-www/data/masq
chown sh-httpd.adm /var/sh-www/data/masq
EOF
The firewall & masq files are the ones you see through weblet.
Since this is executed at the very beginning of the session it is normal
that you find zeros for the packets and bytes fields.

Jacques






Re: [Leaf-user] cpu utilization measurement

2002-01-26 Thread Matt Schalit

dyp wrote:
>
> I am looking for a cpu utilization measurement tool for lrp oxygen.
> Any pointers !!!
>
> -Dharmin.


Like top or something?

I looked, and top's not in pub/oxygen/packages,
which leads me to believe that top may not be able
to interface with Oxygen's busybox ps and kernel.
Either that or David didn't get around to it.
I see that he has ntop, but the last time I tried
it, I got a segfault.  Your mileage will vary.

My next guess is uptime, though the good lord
only knows how accurate that is  :-o  Did you 
realize you already have that command?

Take care,
Matt




Re: FW: [Leaf-user] LRP and DOC

2002-01-26 Thread Patrick Nixon

John,
Congrats on getting this working.  I'm currently spending most of
my weekend attempting to get it working and like Charles mentioned, I'm
running into an 'insufficient low memory' error.  How did you get around
that?  When I attempted to syslinux the DOC using 1.66 it whined about
exclusive access.
Perhaps you can do a small write up on the steps you took to
complete it?

Thanks,
Patrick

On Sat, 26 Jan 2002, John Mullan wrote:

> Sorry, forgot to leave the link for the file...
>
> http://mullan.dns2go.com/files/MullanStein.zip
>
>
> -Original Message-
> From: John Mullan [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, January 26, 2002 8:51 AM
> To: 'Charles Steinkuehler'; '[EMAIL PROTECTED]';
> '[EMAIL PROTECTED]'
> Subject: RE: [Leaf-user] LRP and DOC
>
>
> Charles
>
> FINALLY!  It works.  And it works great.  I think the latest and greatest
> SYSLINUX (version 1.66) did it for me.  Once I re-did the boot loader
> with that, it worked.
>
> For informational purposes ONLY, if you or any list member would like to
> see what it took, I have made a ZIP of all files currently on my
> embedded board.  Because of the licence thing about M-SYS (and the fact
> that I used your sample kernel with DOC in it), this is not a
> distribution.
>
> The board was purchased from ARISE computers, is a PIII 433 MHz with
> DiskOnChip 2000 (80meg), 32meg RAM, Intel 82559 ethernet on board, and
> DE-538 in the only on-board PCI slot.  Obviously this is overkill for
> the job at hand, but since it was made available to me :)
>
> John
>
> PS:  I like the WEBLET thing.  First time for me and it's a nice
> feature.
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Charles
> Steinkuehler
> Sent: Friday, January 25, 2002 2:59 PM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Re: [Leaf-user] LRP and DOC
>
>
> > This results in an immediate 'boot fail' message.  Note that I have
> > tried minor:1 and minor:0 both with same result.  Could there be a
> > problem with the boot sector information?  Does 'syslinux' work
> > properly on D.O.C.?
>
> I don't know...I have yet to play with syslinux and DOC in an embedded
> environment.  I did get a ZF Linux eval board with a DOC, but when I
> tried to run syslinux, I never got past the not enough low memory
> problem (but syslinux *was* running).
>
> I'm not sure how the other folks who have used DOCs boot their systems.
> I suppose you could always fall back to booting DOS and using ldlinux.
> I also think there are versions of lilo and grub that know how to boot
> from a DOC...
>
> Charles Steinkuehler
> http://lrp.steinkuehler.net
> http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
>
 
 





Re: [Leaf-user] setting up tinydns.lrp

2002-01-26 Thread Michael D. Schleif


Martin Hejl wrote:
>
> today, I successfully set up a Dachstein box. On the router, I'm running
> tinydns and dnscache to replace our (private) DNS server (which was Bind - I
> guess I don't need to tell anybody why I wanted to switch).
>
> Thanks to Jacques' excellent documentation, setting tinydns up was pretty
> simple (except for the part below).
>
> One thing that took us quite a while was to figure out why reverse lookups
> didn't work on the internal net. The way we finally got it to work was to
> declare all entries in  /etc/tinydns-private/root/data as PTRs.
>
> For example
> =example1.private.network:192.168.1.1
> instead of
> +example1.private.network:192.168.1.1
>
> Now, my question is, is that actually correct? If so, I guess it would be a
> good idea to add a reference to that to the docs (I know there's a PTR in
> the sample, but since that referred to the router name, we assumed that
> there was something special about that - remember, I'm surely a DNS
> newbie).
>
> And if I'm wrong with my guess, I'd appreciate any ideas or suggestions on
> how to make reverse lookups work properly.

Look here:

http://cr.yp.to/djbdns/tinydns-data.html

-- 

Best Regards,

mds
mds resource
888.250.3987

Dare to fix things before they break . . .

Our capacity for understanding is inversely proportional to how much we
think we know.  The more I know, the more I know I don't know . . .




Re: [Leaf-user] cpu utilization measurement

2002-01-26 Thread Martin Hejl

dyp wrote:
> I am looking for a cpu utilization measurement tool for lrp oxygen.
> Any pointers !!!
If you're looking for something that displays cpu-usage graphically, you may
want to take a look at lrpStat from http://leaf.sourceforge.net/devel/hejl/
- when used with the c-program on the server side (not the shell script), it
can also display cpu-usage.

It's _not_ the main purpose of the tool, but if one is running a window with
network traffic already anyway, it comes in handy.

Martin




Re: [Leaf-user] setting up tinydns.lrp

2002-01-26 Thread Jacques Nilo

> One thing that took us quite a while was to figure out why reverse lookups
> didn't work on the internal net. The way we finally got it to work was to
> declare all entries in  /etc/tinydns-private/root/data as PTRs.
>
> For example
> =example1.private.network:192.168.1.1
> instead of
> +example1.private.network:192.168.1.1
>
> Now, my question is, is that actually correct? If so, I guess it would be a
> good idea to add a reference to that to the docs (I know there's a PTR in
> the sample, but since that referred to the router name, we assumed that
> there was something special about that - remember, I'm surely a DNS
> newbie).
This is correct.
+example1.private.network:192.168.1.1 only creates an A record
=example1.private.network:192.168.1.1 creates an A and a PTR record
Your PTR record shows example1.private.network as the name of
1.1.168.192.in-addr.arpa if ip is 192.168.1.1
You definitively need it for reverse DNS.
Jacques





Re: [Leaf-user] setting up tinydns.lrp

2002-01-26 Thread Martin Hejl

Jacques Nilo wrote:
> This is correct.
> +example1.private.network:192.168.1.1 only creates an A record
> =example1.private.network:192.168.1.1 creates an A and a PTR record
> Your PTR record shows example1.private.network as the name of
> 1.1.168.192.in-addr.arpa if ip is 192.168.1.1
> You definitively need it for reverse DNS.
Thanks for the clarification. I guess my biggest problem with the docs was
my lack of understanding of the actual meaning of A and PTR records (which
was solved once I had a look at RFC 1034 - up until just now, all I found
about PTRs was a domain name pointer which didn't tell me much)...

Thanks again,

Martin




[Leaf-user] Announcement: Openssh 3.0.2p1 available

2002-01-26 Thread Jacques Nilo

This is a maintenance package.
Statically compiled against libnsl and openssl-0.9.6c
Dynamically against zlib 1.1.3
One more FAQ in the doc. See:
http://leaf.sourceforge.net/devel/jnilo/openssh.html

Jacques
http://leaf.sourceforge.net/devel/jnilo





Re: [Leaf-user] setting up tinydns.lrp

2002-01-26 Thread Matt Schalit

Martin Hejl wrote:
>
> Hi everybody,
>
> today, I successfully set up a Dachstein box. On the router, I'm running
> tinydns and dnscache to replace our (private) DNS server (which was Bind - I
> guess I don't need to tell anybody why I wanted to switch).
>
> Thanks to Jacques' excellent documentation, setting tinydns up was pretty
> simple (except for the part below).
>
> One thing that took us quite a while was to figure out why reverse lookups
> didn't work on the internal net. The way we finally got it to work was to
> declare all entries in  /etc/tinydns-private/root/data as PTRs.
>
> For example
> =example1.private.network:192.168.1.1
> instead of
> +example1.private.network:192.168.1.1
>
> Now, my question is, is that actually correct? If so, I guess it would be a
> good idea to add a reference to that to the docs (I know there's a PTR in
> the sample, but since that referred to the router name, we assumed that
> there was something special about that - remember, I'm surely a DNS
> newbie).
>
> And if I'm wrong with my guess, I'd appreciate any ideas or suggestions on
> how to make reverse lookups work properly.
>
> Martin



Martin, you figured it out correctly, but you may not understand
what you did fully.  So here's the section from cr.yp.to that 
describes the entry you made:


 =fqdn:ip:ttl:timestamp:lo
 
 Host fqdn with IP address ip. tinydns-data creates 
 
  an A record showing ip as the IP address of fqdn and 
  a PTR record showing fqdn as the name of d.c.b.a.in-addr.arpa if ip is a.b.c.d. 
 
 Remember to specify name servers for some suffix of fqdn; 
 otherwise tinydns will not respond to queries about fqdn. 
 The same comment applies to other records described below. 
 Similarly, remember to specify name servers for some suffix 
 of d.c.b.a.in-addr.arpa, if that domain has been delegated to you. 
 
 Example: 
 
  =button.panic.mil:1.8.7.108
 
 creates an A record showing 1.8.7.108 as the IP address of 
 button.panic.mil, and a PTR record showing button.panic.mil as 
 the name of 108.7.8.1.in-addr.arpa. 


As you analyzed, the + style data line doesn't create the PTR
record for reverse lookups.  It only creates the A record.

With the = you get both.

n1,
Matt

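As an added illustration of the = versus + distinction Matt quotes above (example code written for this page, not part of tinydns or the LEAF package), the following Python parses a constructed data file, lists the A and PTR records each line makes tinydns-data emit, and flags the two things that bite in practice: hosts with only a + line (no reverse entry) and IPs given several = lines (competing PTRs). It also handles the ^ PTR-only line, going slightly beyond the two line types in the post.

```python
from collections import defaultdict

# Constructed stand-in for /etc/tinydns-private/root/data (not Martin's real file).
# Mixes the '+' line Martin started with and the '=' lines that fixed reverse lookups.
SAMPLE_DATA = """\
# name server for the zone, as the tinydns docs require
.private.network:192.168.1.254:a:259200
=router.private.network:192.168.1.254
+example1.private.network:192.168.1.1
=example2.private.network:192.168.1.2
=example3.private.network:192.168.1.3
=www.private.network:192.168.1.3
"""


def reverse_name(ip):
    """Map IPv4 a.b.c.d to the owner name d.c.b.a.in-addr.arpa of its PTR record."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ip)
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def records_for_line(line):
    """Return the (type, owner, value) records one data line makes tinydns-data emit.

    '+fqdn:ip'      -> A only        (the line Martin started with)
    '=fqdn:ip'      -> A plus PTR    (the line that fixed reverse lookups)
    '^owner:fqdn'   -> PTR only
    Comments, blanks and other line types ('.', '&', '@', ...) are skipped here.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    kind, fields = line[0], line[1:].split(":")
    if kind == "+":
        return [("A", fields[0], fields[1])]
    if kind == "=":
        return [("A", fields[0], fields[1]),
                ("PTR", reverse_name(fields[1]), fields[0])]
    if kind == "^":
        return [("PTR", fields[0], fields[1])]
    return []


def parse_data(text):
    """Records for every line of a data file."""
    records = []
    for line in text.splitlines():
        records.extend(records_for_line(line))
    return records


def audit(records):
    """Return (ips_without_ptr, ptr_owners_with_several_names).

    The first list is exactly the hosts that will fail reverse lookup, which is
    what a '+' line produces. The second flags IPs given two '=' lines: both PTRs
    are served, so reverse answers become ambiguous; extra names for one IP
    belong on '+' (alias, A only) lines instead.
    """
    a_by_ip = defaultdict(set)
    ptr_names = defaultdict(list)
    for rtype, owner, value in records:
        if rtype == "A":
            a_by_ip[value].add(owner)
        elif rtype == "PTR":
            ptr_names[owner].append(value)
    no_ptr = sorted(ip for ip in a_by_ip if reverse_name(ip) not in ptr_names)
    ambiguous = sorted(o for o, names in ptr_names.items() if len(names) > 1)
    return no_ptr, ambiguous


if __name__ == "__main__":
    recs = parse_data(SAMPLE_DATA)
    for rtype, owner, value in recs:
        print("%-4s %-32s %s" % (rtype, owner, value))
    no_ptr, ambiguous = audit(recs)
    print("no reverse entry:", no_ptr)      # ['192.168.1.1']
    print("several PTRs:", ambiguous)       # ['3.1.168.192.in-addr.arpa']
```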



Re: [Leaf-user] setting up tinydns.lrp

2002-01-26 Thread Martin Hejl

Hi Matt,

 Martin, you figured it out correctly, but you may not understand
 what you did fully.  
Yep, that's exactly what happened - and exactly why I asked the list for
clarification. And as always, the replies were quick and very helpful.

 
  Host fqdn with IP address ip. tinydns-data creates
 
   an A record showing ip as the IP address of fqdn and
   a PTR record showing fqdn as the name of d.c.b.a.in-addr.arpa if ip is a.b.c.d.
 
I actually read that part several times - and until I knew that a PTR record
was exactly what I'm looking for, that statement didn't help much. Of
course, now that I know it, it's painfully clear. As usual, the information
was there all along, I just didn't see it.

Thanks

Martin




Re: [Leaf-user] Announcement: Openssh 3.0.2p1 available

2002-01-26 Thread Jacques Nilo

From: Michael Leone [EMAIL PROTECTED]
 On Sat, 2002-01-26 at 15:04, Jacques Nilo wrote:
  This is a maintenance package.
  Statically compiled against libnsl and openssl-0.9.6c
  Dynamically against zlib 1.1.3
  One more FAQ in the doc. See:
  http://leaf.sourceforge.net/devel/jnilo/openssh.html

 Jacques, I'm currently using OpenSSH v3.0p1. What's the best way to
 upgrade, without having to remake keys? Just load the new sshd.lrp?

Here is what I would suggest:
Download the new sshd.lrp on a floppy disk.
mount it on your firewall:

mount -t msdos /dev/fd0 /mnt

then extract the package

cd /mnt
lrpkg -i
cd /

umount your floppy:

umount /mnt

OK now you have to make a change in /etc/ssh since the entropy file has
changed.
Remove the NEW one (rm moduli) and rename the OLD one (mv primes
moduli).
You have to do that; otherwise I think your keys won't work any more.
I have not done it myself but it is exactly what the install part of
the openssh Makefile is doing.
So it should work.

Once you have done that backup your new sshd -- it will backup your
keys as well.

Of course you could also scp the package to the firewall /tmp file and
do the same.

Let me know if it is working. It's worth a FAQ :-)

Jacques






Re: [Leaf-user] Announcement: Openssh 3.0.2p1 available

2002-01-26 Thread Jacques Nilo

To extract the package one should read:
lrpkg -i sshd
Sorry for the typo.
Jacques






Re: [Leaf-user] LRP and DOC

2002-01-26 Thread Charles Steinkuehler

 FINALLY!  It works.  And it works great.  I think the latest and greatest
 SYSLINUX (version 1.66) did it for me.  Once I re-did the boot loader
 with that, it worked.

 For informational purposes ONLY, if you or any list member would like to
 see what it took, I have made a ZIP of all files currently on my
 embedded board.  Because of the licence thing about M-SYS (and the fact
 that I used your sample kernel with DOC in it), this is not a
 distribution.

Now it's working you can use the existing linuxrc mechanism to load modules
from root.lrp (put modules in /boot/lib/modules, and edit /boot/etc/modules
just like you would /etc/modules), and make a legally distributable
system...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)






[Leaf-user] Getting cable modem status

2002-01-26 Thread Paul Rimmer

I'd like to be able to access my cable modem's built in web server through
my DCD v1.01 firewall.  Unfortunately the cable modem's IP is 192.168.100.1.
Is there something I can add to my firewall scripts that will allow me to
get at this IP from the internal (192.168.1.x) network?

Cheers,
Paul





Re: [Leaf-user] Internal Network

2002-01-26 Thread Reginald R. Richardson

Jack../Charles

we're starting to see some light, but i guess that the lack of some Linux Firewall
knowledge is holding us back over here...
but here's what..


On my BOX3 Non NAT/Firewall Box
if i add a default route on this box, via the CABLE Router (Box1), then all
HTTP traffic goes out to the internet without a problem, and also, all the
other traffic that has to go to the internet via Box2, goes to Box2, so here i
can see that Box3, is sending the traffic to the correct InterNet Router, so in
other words, he's a very nice Traffic Police, he's routing as COMMANDED too..

For some reason, i can't figure out, why the return traffic is not going back
to the workstation without any problem..

but what i found strange, is that from the moment i say the default gateway
is box 1 eg.

ip route add 0/0 via 192.168.1.6 (box1), then i have no problem internet
traffic proceeds, but from the moment i removed this route, no more internet...

to the little knowledge i have, i don't believe that BOX3 should have an
default route, because i assume that the LOOKUP table is supposed to tell him
where to send the data for the specific Traffic Type. (correct me if i'm
wrong)

On Box1 and Box2 are the normal settings that came by default with Dachstein;
the only changes i have in those boxes are a static route back to the
192.168.10.0 network, and i commented out the ipchains commands that block
traffic to the 10.0.0.0 network on Box2 (see below)

Box1 (Cable)
#ip route
62.234.0.1 dev ppp0  proto kernel  scope link  src 62.234.0.234
192.168.1.4/30 dev eth1  proto kernel  scope link  src 192.168.1.6
192.168.10.0/24 via 192.168.1.5 dev eth1
default via 62.234.0.1 dev ppp0

#ip addr sh
7: eth0: BROADCAST,MULTICAST,UP mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:10:4b:bb:c8:25 brd ff:ff:ff:ff:ff:ff
8: eth1: BROADCAST,MULTICAST,PROMISC,UP mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:c0:f0:12:f1:c8 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.6/30 brd 192.168.1.7 scope global eth1

Box2 (Adsl)
#ip route
192.168.1.0/30 dev eth1  proto kernel  scope link  src 192.168.1.2
10.0.0.0/24 dev eth0  proto kernel  scope link  src 10.0.0.100
192.168.10.0/24 via 192.168.1.1 dev eth1
default via 10.0.0.138 dev eth0

#ip addr sh
7: eth0: BROADCAST,MULTICAST,UP mtu 1500 qdisc pfifo_fast qlen 100
link/ether 08:00:00:22:20:34 brd ff:ff:ff:ff:ff:ff
inet 10.0.0.100/24 brd 10.0.0.255 scope global eth0
8: eth1: BROADCAST,MULTICAST,PROMISC,UP mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:40:05:27:cb:9a brd ff:ff:ff:ff:ff:ff

This is a little tricky one, cause my ADSL provider Network requires us to
create a VPN connection between my router and the ADSL MODEM, so therefore the
default route is the ADSL Modem 10.0.0.138 (before u asked, i commented out the
IPCHAINS rules in this router that block the RFC ip's of 10.0.0.0)

From this router i can ping the internet without any problem, so therefore i
have internet connectivity.

Here is what i have on Box3
#ip addr sh
7: eth0: BROADCAST,MULTICAST,UP mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:10:4b:bb:c8:25 brd ff:ff:ff:ff:ff:ff
8: eth1: BROADCAST,MULTICAST,PROMISC,UP mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:c0:f0:12:f1:c8 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.6/30 brd 192.168.1.7 scope global eth1


# ip ru ls
0:  from all lookup local
32764:  from all fwmark1 lookup adsl
32765:  from all fwmark2 lookup cable
32766:  from all lookup main
32767:  from all lookup default


# ipchains
Chain input (policy ACCEPT: 100740 packets, 8739050 bytes):
prot opt tosa tosx  ifname   mark  outsize source           destination   ports
tcp  --  0xFF 0x00  *        0x2           192.168.10.0/24  0.0.0.0/0     * -> 80
udp  --  0xFF 0x00  *        0x2           192.168.10.0/24  0.0.0.0/0     * -> 80
udp  --  0xFF 0x00  *        0x2           192.168.10.0/24  0.0.0.0/0     * -> 443
tcp  --  0xFF 0x00  *        0x2           192.168.10.0/24  0.0.0.0/0     * -> 443
tcp  --  0xFF 0x00  *        0x2           192.168.10.0/24  0.0.0.0/0     * -> 110
tcp  --  0xFF 0x00  *        0x2           192.168.10.0/24  0.0.0.0/0     * -> 25
tcp  --  0xFF 0x00  *        0x1           192.168.10.0/24  0.0.0.0/0     * -> 1214
Chain forward (policy ACCEPT: 75921 packets, 6589166 bytes):
Chain output (policy ACCEPT: 95403 packets, 8331173 bytes):

# ip ro ls table cable
default via 192.168.1.6 dev eth2

# ip rou ls table adsl
default via 192.168.1.2 dev eth0

# ip route
192.168.1.0/30 dev eth0  proto kernel  scope link  src 192.168.1.1
192.168.1.4/30 dev eth2  proto kernel  scope link  src 192.168.1.5
192.168.10.0/24 dev eth1  proto kernel  scope link  src 192.168.10.254


Jack,
What did u mean with this comment, don't understand what u mean with tc
Make sure you have proper tc rules for _both_ directions

Do hope i have provided enough information, so that i can get these babies to talk
to me, and do what they should do.

Can some one give me a tip, on what i can do to tell BOX3 that if he routes
HTTP traffic to BOX1, and there is no 

[Leaf-user] DCD, busybox date -d ???

2002-01-26 Thread Michael D. Schleif


I have reviewed
http://www.busybox.net/downloads/BusyBox.html#item_date; but, I cannot
get date -d to work:

date

date [OPTION]... [+FORMAT] 
Displays the current time in the given FORMAT, or sets the system date.

Options:

-R  Outputs RFC-822 compliant date string
-d STRING   display time described by STRING, not `now'
-s  Sets time described by STRING
-u  Prints or sets Coordinated Universal Time

For example:

# date -d "2002/01/26 22:12:27" +%s
1012104747

This works on my potato; but, *not* under DCD.

Anybody know how to grab dates, say, from /var/state/dhcp/dhcpd.leases
and _compare_ them to some other date, say the current time?

What do you think?

-- 

Best Regards,

mds
mds resource
888.250.3987

Dare to fix things before they break . . .

Our capacity for understanding is inversely proportional to how much we
think we know.  The more I know, the more I know I don't know . . .




Re: [Leaf-user] DCD, ipsec leftrsasig only in /etc/ipsec.secrets ???

2002-01-26 Thread Michael D. Schleif


Michael D. Schleif wrote:
 
 http://freeswan.org/freeswan_trees/freeswan-1.91/doc/config.html#handy
 
 ``On the left gateway, we can omit leftrsasig. That gateway uses the
 private key stored in ipsec.secrets(5) and has no need for its own
 public key.''
 
 When I do that, I get this:
 
 # ipsec auto --add trout-bluetrout
 ipsec_auto: fatal error in trout-bluetrout: connection has no
 leftrsasigkey parameter specified
 
 What am I doing wrong?

Anybody know anything about this?

-- 

Best Regards,

mds
mds resource
888.250.3987

Dare to fix things before they break . . .

Our capacity for understanding is inversely proportional to how much we
think we know.  The more I know, the more I know I don't know . . .




Re: [Leaf-user] DCD, ipsec leftrsasig only in /etc/ipsec.secrets ???

2002-01-26 Thread Charles Steinkuehler

  ``On the left gateway, we can omit leftrsasig. That gateway uses the
  private key stored in ipsec.secrets(5) and has no need for its own
  public key.''
 
  When I do that, I get this:
 
  # ipsec auto --add trout-bluetrout
  ipsec_auto: fatal error in trout-bluetrout: connection has no
  leftrsasigkey parameter specified
 
  What am I doing wrong?

 Anybody know anything about this?

I always include both RSA public keys in the ipsec.conf file.

I put the local information (including leftid, and leftrsasig) in a conn
%default section, then add multiple tunnel definitions with the include
feature of ipsec.conf.  All included tunnel descriptions come from
/etc/ipsec/, and are configured with only the right side information.  I
also used unresolved FQDN's for the system ID's, so they don't change if
IP's get re-assigned (also, some systems are dynamic).

This way, if details on a remote system change, I only have to edit two
files...the local ipsec.conf file on the system that changed, and the
/etc/ipsec/system.conf file, which can then be rsync'd to all the other
remote VPN gateways.

An example:

/etc/ipsec.conf
conn %default
type=tunnel
auto=start
[EMAIL PROTECTED]
left=216.171.153.130
leftnexthop=216.171.153.129
leftsubnet=10.34.1.0/24
#leftfirewall=yes
keyexchange=ike
authby=rsasig
leftrsasigkey=0x01036...
# key lifetime (before automatic rekeying)
keylife=8h
# how persistent to be in (re)keying negotiations (0 means very)
keyingtries=0

include ipsec/SanAntonio.conf

include ipsec/SanFrancisco.conf

/etc/ipsec/SanAntonio.conf
conn SanAntonio
[EMAIL PROTECTED]
right=207.235.86.252
rightnexthop=207.235.86.1
rightsubnet=10.28.0.0/19
rightrsasigkey=0x0103c...

/etc/ipsec/SanFrancisco.conf
conn SanFrancisco
[EMAIL PROTECTED]
right=66.88.8.234
rightnexthop=66.88.8.233
rightsubnet=10.31.0.0/21
rightrsasigkey=0x01039...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)



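A worked version of the %default-plus-include layout Charles describes, written for this page rather than taken from FreeS/WAN or his files: it merges conn %default into each included tunnel definition and reports which rsasig parameters a conn still lacks, the situation behind the "connection has no leftrsasigkey parameter specified" error earlier in the thread. File contents, addresses and key values are constructed placeholders, and the check assumes both rsasigkeys must be present in ipsec.conf.

```python
import posixpath

# Constructed stand-ins for /etc/ipsec.conf and the files it includes; the
# addresses are documentation ranges and the RSA keys are obvious placeholders.
FILES = {
    "/etc/ipsec.conf": """\
conn %default
    leftid=@gw.example.net
    left=192.0.2.130
    leftsubnet=10.34.1.0/24
    #leftfirewall=yes
    authby=rsasig
    leftrsasigkey=0xPLACEHOLDER_LEFT_PUBKEY
    keylife=8h        # key lifetime (before automatic rekeying)

include ipsec/SanAntonio.conf
include ipsec/SanFrancisco.conf
""",
    "/etc/ipsec/SanAntonio.conf": """\
conn SanAntonio
    rightid=@sanantonio.example.net
    right=198.51.100.252
    rightsubnet=10.28.0.0/19
    rightrsasigkey=0xPLACEHOLDER_SA_PUBKEY
""",
    # Deliberately lacks rightrsasigkey so the check below has something to report.
    "/etc/ipsec/SanFrancisco.conf": """\
conn SanFrancisco
    rightid=@sanfrancisco.example.net
    right=203.0.113.234
    rightsubnet=10.31.0.0/21
""",
}


def parse_ipsec_conf(path, files=FILES, sections=None):
    """Parse one file, following 'include', into {section name: {param: value}}.

    Section headers ('conn NAME', 'config setup') start in column 1 and their
    parameters are indented, as in FreeS/WAN's format; a relative include path
    is resolved against the directory of the including file.
    """
    sections = {} if sections is None else sections
    current = None
    for raw in files[path].splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line[0] in " \t":                       # indented: a parameter
            if current is None:
                raise ValueError("%s: parameter outside a section: %r" % (path, raw))
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
        elif line.startswith("include "):
            target = line.split(None, 1)[1]
            if not target.startswith("/"):
                target = posixpath.join(posixpath.dirname(path), target)
            parse_ipsec_conf(target, files, sections)
            current = None
        else:                                      # 'conn NAME' or 'config setup'
            current = " ".join(line.split())
            sections.setdefault(current, {})
    return sections


def effective_conns(sections):
    """Apply 'conn %default' to every other conn; a conn's own settings win."""
    defaults = sections.get("conn %default", {})
    conns = {}
    for name, params in sections.items():
        if name.startswith("conn ") and name != "conn %default":
            merged = dict(defaults)
            merged.update(params)
            conns[name[len("conn "):]] = merged
    return conns


RSASIG_PARAMS = ("left", "right", "leftrsasigkey", "rightrsasigkey")


def missing_params(conn):
    """Parameters an rsasig conn still lacks after %default has been applied.

    Mirrors the 'connection has no leftrsasigkey parameter' error in the thread:
    the check wants both public keys in ipsec.conf, which Charles' layout
    guarantees by putting the left one in %default.
    """
    if conn.get("authby", "secret") != "rsasig":
        return []
    return [p for p in RSASIG_PARAMS if p not in conn]


if __name__ == "__main__":
    conns = effective_conns(parse_ipsec_conf("/etc/ipsec.conf"))
    for name in sorted(conns):
        gap = missing_params(conns[name])
        print("%-13s %s -> %s: %s" % (name, conns[name]["left"], conns[name]["right"],
                                      "missing " + ", ".join(gap) if gap else "ok"))
```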



Re: [Leaf-user] Internal Network

2002-01-26 Thread Jack Coates

On Sat, 26 Jan 2002, Reginald R. Richardson wrote:

 Jack../Charles

 we starting to see some light, but i guess that the lack of some Linux Firewall
 knowledge holding us back over here...
 but here's what..


 On my BOX3 Non NAT/Firewall Box
 if i add a default route on this box, via the CABLE Router (Box1), then all
 HTTP traffic goes out to the internet without a problem, and also, all the
 other traffic that has to go to the internet via Box2, goes to Box2, so here i
 can see that Box3, is sending the traffic to the correct InterNet Router, so in
 other words, he's a very nice Traffic Police, he's routing as COMMANDED too..

 For some reason, i can't figure out, why the return traffic is not going back
 to the workstation without any problem..


To figure this out you need to use tcpdump; it's probably getting lost
between box1 or 2 and box3.

 but what i found strange, is that from the moment i say the the default gateway
 is box 1 eg.

 ip route add 0/0 via 192.168.1.6 (box1), then i have no problem internet
 traffic proceeds, but from the moment i removed this route, no more internet...

 to the little knowledge i have, i don't believe that BOX3 should have an
 default route, because i assume that the LOOKUP table is supposed to tell him
 where to send the data for the specific Traffice Type. (correct me if i'm
 wrong)


Maybe... a default route could be helpful if you get everything else
configured right.

 On Box1 and Box2, is the normal settings that came by default..with Dachsten
 onliest changes i have in those boxes is a static route back to the
 192.168.10.0 network, and i commented out the ipchains commands that block
 traffic to the 10.0.0.0 network on Box2 (see below)

 Box1 (Cable)
 #ip route
 62.234.0.1 dev ppp0  proto kernel  scope link  src 62.234.0.234
 192.168.1.4/30 dev eth1  proto kernel  scope link  src 192.168.1.6
 192.168.10.0/24 via 192.168.1.5 dev eth1
 default via 62.234.0.1 dev ppp0

 #ip addr sh
 7: eth0: BROADCAST,MULTICAST,UP mtu 1500 qdisc pfifo_fast qlen 100
 link/ether 00:10:4b:bb:c8:25 brd ff:ff:ff:ff:ff:ff
 8: eth1: BROADCAST,MULTICAST,PROMISC,UP mtu 1500 qdisc pfifo_fast qlen 100
 link/ether 00:c0:f0:12:f1:c8 brd ff:ff:ff:ff:ff:ff
 inet 192.168.1.6/30 brd 192.168.1.7 scope global eth1

 Box2 (Adsl)
 #ip route
 192.168.1.0/30 dev eth1  proto kernel  scope link  src 192.168.1.2
 10.0.0.0/24 dev eth0  proto kernel  scope link  src 10.0.0.100
 192.168.10.0/24 via 192.168.1.1 dev eth1
 default via 10.0.0.138 dev eth0

 #ip addr sh
 7: eth0: BROADCAST,MULTICAST,UP mtu 1500 qdisc pfifo_fast qlen 100
 link/ether 08:00:00:22:20:34 brd ff:ff:ff:ff:ff:ff
 inet 10.0.0.100/24 brd 10.0.0.255 scope global eth0
 8: eth1: BROADCAST,MULTICAST,PROMISC,UP mtu 1500 qdisc pfifo_fast qlen 100
 link/ether 00:40:05:27:cb:9a brd ff:ff:ff:ff:ff:ff

 This is a little tricky one, cause my ADSL provider Network requires us to
 create a VPN connection between my router and the ADSL MODEM, so therefore the
 default route is the ADSL Modem 10.0.0.138 (before u asked, i commented out the
 IPCHAINS rules in this router that block the RFC ip's of 10.0.0.0)

 From this router i can ping the internet without any problem, so therefore i
 have internet connectivity.

 Here is what i have on Box3
 #ip addr sh
 7: eth0: BROADCAST,MULTICAST,UP mtu 1500 qdisc pfifo_fast qlen 100
 link/ether 00:10:4b:bb:c8:25 brd ff:ff:ff:ff:ff:ff
 8: eth1: BROADCAST,MULTICAST,PROMISC,UP mtu 1500 qdisc pfifo_fast qlen 100
 link/ether 00:c0:f0:12:f1:c8 brd ff:ff:ff:ff:ff:ff
 inet 192.168.1.6/30 brd 192.168.1.7 scope global eth1


 # ip ru ls
 0:  from all lookup local
 32764:  from all fwmark1 lookup adsl
 32765:  from all fwmark2 lookup cable
 32766:  from all lookup main
 32767:  from all lookup default


 # ipchains
 Chain input (policy ACCEPT: 100740 packets, 8739050 bytes):
 prot opt tosa tosx  ifname   mark  outsize source           destination   ports
 tcp  --  0xFF 0x00  *        0x2           192.168.10.0/24  0.0.0.0/0     * -> 80
 udp  --  0xFF 0x00  *        0x2           192.168.10.0/24  0.0.0.0/0     * -> 80
 udp  --  0xFF 0x00  *        0x2           192.168.10.0/24  0.0.0.0/0     * -> 443
 tcp  --  0xFF 0x00  *        0x2           192.168.10.0/24  0.0.0.0/0     * -> 443
 tcp  --  0xFF 0x00  *        0x2           192.168.10.0/24  0.0.0.0/0     * -> 110
 tcp  --  0xFF 0x00  *        0x2           192.168.10.0/24  0.0.0.0/0     * -> 25
 tcp  --  0xFF 0x00  *        0x1           192.168.10.0/24  0.0.0.0/0     * -> 1214
 Chain forward (policy ACCEPT: 75921 packets, 6589166 bytes):
 Chain output (policy ACCEPT: 95403 packets, 8331173 bytes):

 # ip ro ls table cable
 default via 192.168.1.6 dev eth2

 # ip rou ls table adsl
 default via 192.168.1.2 dev eth0

 # ip route
 192.168.1.0/30 dev eth0  proto kernel  scope link  src 192.168.1.1
 192.168.1.4/30 dev eth2  proto kernel  scope link  src 192.168.1.5
 192.168.10.0/24 dev eth1  proto kernel  scope link  src 192.168.10.254


Looks alright from a cursory 

[Leaf-user] DS 1.0.2

2002-01-26 Thread Jack Coates

Finally got a couple of hours to upgrade my router to Dachstein 1.0.2 --
very nice improvement over ES2B. Thanks Charles!

One thing that hasn't changed with DS is that there are a ton of places
to tweak in order to get a working config. Next time I get a couple of
hours, I'm going to take a crack at chopping network.conf down to
half size.

-- 
Jack Coates
Monkeynoodle: A Scientific Venture...





Re: [Leaf-user] DCD, ipsec leftrsasig only in /etc/ipsec.secrets ???

2002-01-26 Thread Michael D. Schleif


Charles Steinkuehler wrote:
 
   ``On the left gateway, we can omit leftrsasig. That gateway uses the
   private key stored in ipsec.secrets(5) and has no need for its own
   public key.''
  
   When I do that, I get this:
  
   # ipsec auto --add trout-bluetrout
   ipsec_auto: fatal error in trout-bluetrout: connection has no
   leftrsasigkey parameter specified
  
   What am I doing wrong?
 
  Anybody know anything about this?
 
 I always include both RSA public keys in the ipsec.conf file.
 
 I put the local information (including leftid, and leftrsasig) in a conn
 %default section, then add multiple tunnel definitions with the include
 feature of ipsec.conf.  All included tunnel descriptions come from
 /etc/ipsec/, and are configured with only the right side information.  I
 also used unresolved FQDN's for the system ID's, so they don't change if
 IP's get re-assigned (also, some systems are dynamic).
 
 This way, if details on a remote system change, I only have to edit two
 files...the local ipsec.conf file on the system that changed, and the
 /etc/ipsec/system.conf file, which can then be rsync'd to all the other
 remote VPN gateways.

[ snip ]

Yes, I understand this; but, I think that /etc/ipsec.conf can be kept
even cleaner and easier to maintain if that public key is kept someplace
that no editor is likely to touch.

This text from the FreeS/WAN web documentation suggests that this is not
only possible; but, that somebody is actually doing this.

If this is really not possible, then I can go on from here without it;
but, I'd really like to know how to do this.

I suppose, there's a FreeS/WAN List Service?

-- 

Best Regards,

mds
mds resource
888.250.3987

Dare to fix things before they break . . .

Our capacity for understanding is inversely proportional to how much we
think we know.  The more I know, the more I know I don't know . . .




Re: [Leaf-user] DS 1.0.2

2002-01-26 Thread guitarlynn

On Saturday 26 January 2002 17:42, Jack Coates wrote:
 Finally got a couple of hours to upgrade my router to Dachstein 1.0.2
 -- very nice improvement over ES2B. Thanks Charles!

 One thing that hasn't changed with DS is that there are a ton of
 places to tweak in order to get a working config. Next time I get a
 couple of hours, I'm going to take a crack at chopping network.conf
 down to half size.

Jack, I've just finished some install/config scripts that are on the
lrcfg menu (added). This allows a simple config to be done in under
30 seconds if you have any idea what you're doing. I haven't done any
ppp/pppoe scripts, so those will follow sometime in a different image.

I'm fixing to upload a custom floppy root.lrp and a full custom image
to 
http://leaf.sourceforge.net/devel/guitarlynn/

here in a few minutes. I think these scripts take right at 15K
compressed and generate full network.conf and modules files that are
consistent with Charles' files.

These should be much easier for first time users and save some time
for experienced users.

Any feedback is appreciated.
-- 

~Lynn Avants
aka Guitarlynn

guitarlynn at users.sourceforge.net
http://leaf.sourceforge.net

If linux isn't the answer, you've probably got the wrong question!




Re: [Leaf-user] DCD, ipsec leftrsasig only in /etc/ipsec.secrets ???

2002-01-26 Thread Charles Steinkuehler

 I suppose, there's a FreeS/WAN List Service?

Several:
http://www.freeswan.org/mail.html

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)






[Leaf-user] LRP Oxygen CD and floppy disk boot question

2002-01-26 Thread malik menzong

Hi everyone.
I am now using the lrp oxygen version 1.8.0 that can boot from a cd.
I got it to boot on a pentium 3 machine and run into a few pbs. if anyone 
has had experience with it maybe these will sound familiar.

1) I only needed the cd to boot. it did work. However I made a boot disk 
prior to that.

1)Once I'm at the root I am prompted to choose b/w some options to configure 
the router. I found out how I can change and move out of each file that is 
presented to me, but when trying to save it (back up) it comes with the 
following error
end_request, I/O error dev 02:2c(floppy), sector 19
end_request, I/O error dev 02:2c(floppy), sector 20
At first I thought it was a bad floppy but when I tried some brand new disks 
the error persisted and nothing got copied. Does that sound like a common 
thing? Is it the disk? should I make a image file from the cd first?

2)inside the /etc/ folder the file network.conf presented me with some 
questions: should I set eth0 as local or as external?
the entries for eth0 and eth1 both require IP, netmask and gateways setup 
should they be the same or different?

3)I also saw two files that look kinda familiar to network.conf I am 
referring to networks.conf and gateways.conf. Do I need to configure those 
files too or should I rely only on the one first one (2)?

4)inside the module option I saw three network files: pci-scan tulip and 
eepro 100
since I am running 2 nics 3C905 I figured I need to get some drivers for 
those 2 cards and mount them. Does that sound right or I have enough tools 
there?

thanks and regards.
-M








[Leaf-user] NFS hanging up

2002-01-26 Thread Lonnie Cumberland

Hello All,

I have just installed an EigerStein LRP firewall and it seems to be
working good, but

I have 6 machines which were NFS mounting and exporting various
directories before I put them behind the firewall so that they could
cross communicate. They worked just fine at that time with the NFS.

I then put them behind the EigerStein LRP firewall and changed all of
their /etc/hosts files to reflect the new IP's on each machine and so
that each machine could lookup the name of the other machine from
their hosts file.

The problem now is that when the NFS daemon is started on each
machine, it just seems to hang after reporting "Starting the NFS
daemon".

My OS on these machines is Linux Mandrake 8.1.

does anyone have any idea as to what is happening here and how I
might be able to fix it?

All help would be greatly appreciated,
Lonnie

-- 
 Lonnie Cumberland
 OutStep Technologies Incorporated
 (313) 832-7366

 URL: http://www.outstep.com
 EMAIL: [EMAIL PROTECTED]
  : [EMAIL PROTECTED]







Re: [Leaf-user] DS 1.0.2

2002-01-26 Thread Jack Coates

On Sat, 26 Jan 2002, guitarlynn wrote:

 On Saturday 26 January 2002 17:42, Jack Coates wrote:
  Finally got a couple of hours to upgrade my router to Dachstein 1.0.2
  -- very nice improvement over ES2B. Thanks Charles!
 
  One thing that hasn't changed with DS is that there are a ton of
  places to tweak in order to get a working config. Next time I get a
  couple of hours, I'm going to take a crack at chopping network.conf
  down to half size.

 Jack, I've just finished some install/config scripts that are on the
 lrcfg menu (added). This allows a simple config to be done in under
 30 seconds if you have any idea what you're doing. I haven't done any
 ppp/pppoe scripts, so those will follow sometime in a different image.

 I'm fixing to upload a custom floppy root.lrp and a full custom image
 to
   http://leaf.sourceforge.net/devel/guitarlynn/

 here in a few minutes. I think these scripts take right at 15K
 compressed and generate full network.conf and modules files that are
 consistent with Charles' files.

 These should be much easier for first time users and save some time
 for experienced users.

 Any feedback is appreciated.


Well, this is a good start, especially with the modules; there used to
be (like LRP version 2.9.4 or something) a web-based configger that
would give end-users a custom kernel and modules.lrp; this looks like
the basis for another one of those.

The network configger doesn't address the thing that was bugging me
though, which is:
a] network.conf is confusing
b] network.conf contains code in addition to data (not sure if it's
possible to break this up).

Having EXTERN_DHCP and EXTERN_DYNADDR both in there just confuses
things. There should just be two options, dynamic or static. Of course
since I don't use PPPoE there might be something I don't know about
causing this; still that should be clearly commented. If the external
interface isn't dynamic, then EXTERN_IP should auto-set to
\$$EXTERN_IF_IPADDR.

The Internal Interface section should be pulled up below External
Interface and above SILENT_DENY. Once $INTERN_IF is set, INTERN_NET and
INTERN_IP should be auto-set again.

It's difficult to ascertain which sections of the opened ports and
portforwards are relevant. New headers would do it:

#
# Ports to open -- these must be opened for services
# that are hosted on or behind the firewall.
#
SILENT_DENY
EXTERN_ICMP/UDP/TCP/GENERIC

#
# Port-forward an aliased or bridged IP here
#
INTERN_SERVERS=tcp_${EXTERN_IP}_ftp_192.168.1.1_ftp

#
# Port-forward the primary external IP here
#
INTERN_FTP_SERVER=192.168.1.1  # Internal FTP server


-- 
Jack Coates
Monkeynoodle: A Scientific Venture...





Re: [Leaf-user] NFS hanging up

2002-01-26 Thread Ray Olszewski

Lonnie --

"it just seems to hang" is a bit too imprecise to make a good starting
point. So I'll just take a wild shot at it -- might you have left in
/etc/exports an entry for a hostname or IP address that is now unresolvable?
If so, that would introduce a 3-minute delay at the point where you say the
system hangs.

More generally, do the Mandrake systems *ever* resume init'ing?
Operationally, "ever" means wait about 5 minutes before deciding that they
are completely blocked. Then see if a ^C will cause boot/init to resume.

If you can get the boot/init sequence to complete, do the logs report
anything interesting?

Whatever is going on, your LEAF router is extremely unlikely to be involved
(unless you need access to an off-LAN nameserver that you now cannot reach,
or unless you were exporting to off-LAN hosts). 

At 11:18 PM 1/26/02 -0500, Lonnie Cumberland wrote:
Hello All,

I have just installed an EigerStein LRP firewall and it seems to be
working good, but

I have 6 machines which were NFS mounting and exporting various
directories before I put them behind the firewall so that they could
cross communicate. They worked just fine at that time with the NFS.

I then put them behind the EigerStein LRP firewall and changed all of
their /etc/hosts files to reflect the new IP's on each machine and so
that each machine could lookup the name of the other machine from
their hosts file.

The problem now is that when the NFS daemon is started on each
machine, it just seems to hang after reporting "Starting the NFS
daemon".

My OS on these machines is Linux Mandrake 8.1.

does anyone have any idea as to what is happening here and how I
might be able to fix it?

--
Never tell me the odds!---
Ray Olszewski-- Han Solo
Palo Alto, CA[EMAIL PROTECTED]


