Re: [Leaf-user] What logs mean.
Hi Jason

At 21:31 05/02/02 -0800, Jason C. Leach wrote:
> If I have an entry:
>
> Packet log: remote DENY eth0 PROTO=6 208.181.x.y:3254 208.181.x.y:80 L=48 S=0x00 I=63245 F=0x4000 T=121 SYN (#15)
>
> What does the PROTO=6 <snip> SYN #15 mean?

There's a really handy one-sheet PDF file about interpreting these log entries:
http://leaf.sourceforge.net/devel/msensney/packetlog.pdf

There's also an automatic tool that extracts all the important information for you:
http://www.echogent.com/cgi-bin/fwlog.pl

cheers
Julian
--
[EMAIL PROTECTED]
www.ljchurch.co.uk

___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
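As an added example (not from Julian's reply, the PDF he links, or the LEAF project), here is a small POSIX sh/awk decoder for ipchains "Packet log:" lines of the kind Jason quoted. It names each field (chain, verdict, interface, protocol, source, destination, length, TOS, IP id, fragment word, TTL, TCP flags, rule number) and maps the protocol number to a name. The sample line is constructed, with made-up addresses standing in for the redacted 208.181.x.y ones, and the protocol table is an assumption that covers only what such a router usually logs.

```shell
#!/bin/sh
# Added example: decode an ipchains "Packet log:" entry into named fields.
# Record layout after the marker:
#   chain verdict iface PROTO=n src:port dst:port L=len S=tos I=ipid F=frag T=ttl [flags...] (#rule)
# The protocol-number table below is this script's own assumption.

# Constructed sample line (addresses made up; the posted line had them redacted).
SAMPLE='Feb  6 12:00:00 firewall kernel: Packet log: remote DENY eth0 PROTO=6 203.0.113.5:3254 198.51.100.7:80 L=48 S=0x00 I=63245 F=0x4000 T=121 SYN (#15)'

# parse_packet_log LINE -> prints key=value pairs, one per line
parse_packet_log() {
    printf '%s\n' "$1" | awk '
    BEGIN {
        pn[1] = "ICMP"; pn[6] = "TCP"; pn[17] = "UDP"
        pn[47] = "GRE"; pn[50] = "ESP"; pn[51] = "AH"
        # single-letter fields of the log format and what they mean
        lf["L"] = "length"; lf["S"] = "tos"; lf["I"] = "ipid"
        lf["F"] = "frag"; lf["T"] = "ttl"
        m = split("chain verdict iface proto src dst length tos ipid frag ttl flags rule", order, " ")
    }
    {
        i = index($0, "Packet log:")
        if (i == 0) { print "error=not a packet log line"; exit }
        rec = substr($0, i + 12)            # text after "Packet log: "
        n = split(rec, f, " ")
        kv["chain"] = f[1]; kv["verdict"] = f[2]; kv["iface"] = f[3]
        kv["src"] = ""; kv["dst"] = ""; kv["flags"] = ""; kv["rule"] = ""
        for (j = 4; j <= n; j++) {
            t = f[j]
            if (t ~ /^PROTO=/) {
                num = substr(t, 7) + 0
                kv["proto"] = (num in pn) ? pn[num] : "IP-" num
            } else if (t ~ /^\(#[0-9]+\)$/) {
                kv["rule"] = substr(t, 3, length(t) - 3)   # "(#15)" -> "15"
            } else if (t ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+$/) {
                if (kv["src"] == "") kv["src"] = t; else kv["dst"] = t
            } else if (index(t, "=") > 0) {
                p = index(t, "=")
                k = substr(t, 1, p - 1)
                kv[(k in lf) ? lf[k] : k] = substr(t, p + 1)
            } else {
                # anything else is a TCP flag word such as SYN
                kv["flags"] = (kv["flags"] == "") ? t : kv["flags"] " " t
            }
        }
        for (o = 1; o <= m; o++) print order[o] "=" kv[order[o]]
    }'
}

# packet_log_field LINE KEY -> prints the value of KEY (empty if absent)
packet_log_field() {
    parse_packet_log "$1" | sed -n "s/^$2=//p"
}

# is_blocked LINE -> exit status 0 if the packet was DENYed or REJECTed
is_blocked() {
    case "$(packet_log_field "$1" verdict)" in
        DENY|REJECT) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone demo: decode the constructed sample line.
parse_packet_log "$SAMPLE"
```

For the sample line this prints `proto=TCP`, `flags=SYN` and `rule=15`, i.e. a TCP SYN (a new connection attempt) to port 80 that rule number 15 of the `remote` chain denied; `is_blocked` is the hook a log-mailing script can use to report only dropped traffic.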
Re: [Leaf-user] IPSec automatic setup.
malik menzong wrote:
> Hi-
> I currently have a working system. But I keep on stumbling on a small issue with my file rc.firewall; this file contains all the ipchains rules. When I boot my system and it runs, I can see that the new rules have been applied from the browser (I am using routerst from Ed). However I still don't have connection to the outside world. But when I manually key in the rules from the prompt and try to access the web afterward it always works. I did put a reference to 'rc.firewall' in one of my init.d files and I know it runs, but why won't it work from there?
> Thanks
> -M

Let your system come up and let init run rc.firewall. Then post the output of

ifconfig -a
netstat -nr
ipchains -n -L -v
ipmasqadm -l -n

And tell us which command you issued at the prompt that got it to work.

Regards,
Matthew
RE: [Leaf-user] Need help getting LEAF running
Thanks for all the input. Apologies for the text and line length issue. I hope this message is improved.

I tried the various suggestions with varying success:
1. tried using rtl8139 with 8390 without success (same signature as before)
2. tried HOSTS0 eth0_IPADDR ... instead of eth1_IPADDR without success
3. tried 8139too with 8390 and finally successfully configured both NICs

So I am using a D-Link DFE-530TX+ as eth0 with the 8139too module and a NetGear FA311 as eth1 (internal) with the natsemi module. ping to the ISP IP and to the eth1 IP (192.168.1.254) both appeared to respond favorably, with 0% packet loss (yippee).

lsmod shows:
8390 (unused)
natsemi (used by 1)
8139too (used by 1)
pci-scan (used by 0 [natsemi])

Does this imply that 8390 is unnecessary?

It seems that SHIFT-PGUP only works to scroll the screen for kernel messages until I log in. Is that normal?

Now I can proceed to try to get the Win machine applications to access the outside world (mail, http, etc.). Is it necessary to enable these within network.conf?

Again, thanks for the input everyone. I really appreciate it.

Mike
[Leaf-user] Rebuilding the Dachstein CD
I am usin' the Dachstein CD 1.0.2 and want to know if you can get the updated, configured boot floppy image back into the ISO and reburn the ISO so it all runs from the CD, with yer personal configurations from the floppy? I'm not a man of Linux, but it does interest me very much and I have learned quite a bit from your site and others.

Thanks for the bitchin' Firewall/Router,
Jason
Re: [Leaf-user] Problem booting Dachstein CD
Gareth Howell wrote:
> I had a strange problem installing Dachstein today. The hardware was a Dell Dimension XPS. The machine would boot from a Windows CD, but for some reason it would not boot from the Dachstein CD I had created, and tested, on another Dell. I created a boot floppy, but that wouldn't recognise the CD either. In the end I used a Dachstein floppy distribution, but I can't figure out what was wrong.
>
> The CD booted OK on another Dell workstation and on my laptop - this would seem to rule out a duff CD.
> A Windows CD booted OK on the offending Dell workstation - this would seem to rule out duff hardware.

DCD assumes that your cd-rom is /dev/hda. That means that it is configured as Primary Master, or primary on the first IDE controller on your mainboard. It can be configured otherwise; but, it is simpler to change the system configuration.

HTH
--
Best Regards,

mds
mds resource
888.250.3987

Dare to fix things before they break . . .

Our capacity for understanding is inversely proportional to how much we think we know. The more I know, the more I know I don't know . . .
Re: [Leaf-user] Rebuilding the Dachstein CD
> I am usin' the Dachstein CD 1.0.2 and want to know if you can get the updated, configured boot floppy image back into the ISO and reburn the ISO so it all runs from the CD, with yer personal configurations from the floppy? I'm not a man of Linux, but it does interest me very much and I have learned quite a bit from your site and others.

Yes. You can use the mkisofs command listed in the readme file to make a new ISO image on linux (after replacing bootdisk.bin with your updated version).

If you're running windows, you can still burn a new CD, but the procedure varies by software version. See the instructions for burning a bootable CD for whatever software you're running. Typically, you need to specify a floppy-disk emulation boot (there's more than one type of bootable CD), and then specify the disk image to use for the boot floppy. Use your updated bootdisk.bin for the floppy boot-image, and everything should work OK.

NOTE: I've had problems with some windows software not recognizing the linux boot floppy as a bootable disk (particularly with EZ-CD Creator)...if you get this error, you may need to use another software package. I know that Nero will work properly...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
Re: [Leaf-user] Problem booting Dachstein CD
> I had a strange problem installing Dachstein today. The hardware was a Dell Dimension XPS. The machine would boot from a Windows CD, but for some reason it would not boot from the Dachstein CD I had created, and tested, on another Dell. I created a boot floppy, but that wouldn't recognise the CD either. In the end I used a Dachstein floppy distribution, but I can't figure out what was wrong.
>
> The CD booted OK on another Dell workstation and on my laptop - this would seem to rule out a duff CD.
> A Windows CD booted OK on the offending Dell workstation - this would seem to rule out duff hardware.

There's more than one type of bootable CD, and most windows CD's use a different boot strategy than Dachstein-CD, which uses floppy emulation when booting from CD. There could be a BIOS problem (most likely if the system didn't even try to boot off the Dachstein-CD), or a compatibility problem with the particular system (most likely if the system tried to boot the CD, but never fully came up).

Since you indicate booting from a floppy image still didn't get the CD recognized, there's probably a compatibility problem with the existing Dachstein CD and your system. Remember that as packaged, Dachstein CD will only talk to IDE CD-ROM drives. If you've got a SCSI drive, or one of the older proprietary interface CD-ROMs, you'll need to edit root.lrp on the boot-floppy to load proper drivers before you can see the CD.

Once you get a floppy booting and recognizing the CD, you can burn a new CD-ROM using the updated disk as a boot floppy image, and boot directly from the CD for speed...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
Re: [Leaf-user] Problem booting Dachstein CD
> > I had a strange problem installing Dachstein today. The hardware was a Dell Dimension XPS. The machine would boot from a Windows CD, but for some reason it would not boot from the Dachstein CD I had created, and tested, on another Dell. I created a boot floppy, but that wouldn't recognise the CD either. In the end I used a Dachstein floppy distribution, but I can't figure out what was wrong.
> >
> > The CD booted OK on another Dell workstation and on my laptop - this would seem to rule out a duff CD.
> > A Windows CD booted OK on the offending Dell workstation - this would seem to rule out duff hardware.
>
> DCD assumes that your cd-rom is /dev/hda. That means that it is configured as Primary Master, or primary on the first IDE controller on your mainboard. It can be configured otherwise; but, it is simpler to change the system configuration.

As of 1.0.2, this is no longer true, and the startup scripts will use the first CD-ROM found, searching IDE devices first, then SCSI, although to use a SCSI CD-ROM, you need to update the drivers loaded at boot-time (/boot/lib/modules, /boot/etc/modules).

If using a version of Dachstein CD prior to 1.0.2, you do need to either make your CD-ROM /dev/hda, or create a pkgpath.cfg file on your config floppy with the proper CD device (see the readme file for details).

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
[Leaf-user] Mail logs on Oxygen
I'm running the May 2001 release of Oxygen, and I'm trying to get the system to email me the logs each day. I have ssmtp working from the command line, so that I can

ssmtp [EMAIL PROTECTED] < /var/log/kern.log

and the log shows up just fine. However, I have two problems:

1) If the log I'm trying to send is large, I get a "ssmtp: Header too large Max is 4000 characters" error. Obviously, I need to do some pre-processing on the log files to define a header at the top of the file and put the log info in a defined body of the message. Since I'm new to linux, I don't know how to do this.

2) To automate the log sending process, I think I need to put something into /etc/cron.daily/multicron-d? Here's a chunk of multicron-d:

<snip>
rotatelogs () {
    case $prog in
        *-d ) LOGFILES=$lrp_LOGS_DAILY ;;
        *-w ) LOGFILES=$lrp_LOGS_WEEKLY ;;
        *-m ) LOGFILES=$lrp_LOGS_MONTHLY ;;
        * ) return 1 ;;
    esac
    cd /var/log
    for LOG in $LOGFILES; do
        if [ -f $LOG ]; then
            savelog -g adm -m 640 -u root -c ${lrp_LOGS_DEPTH:-4} $LOG > /dev/null
        fi
    done
    svi sysklogd reload
}
<snip>

I think I need to insert a line above the savelog line to send the log files before they are rotated -- and, possibly, to do the pre-processing on the spot? But, again, I'm lost. I'm not sure what the right way to solve these two problems is -- should I be trying to put code into multicron-d, or do I need to write a separate script? (I've never done that either) Sorry for the simple questions!

Also, I notice the following further down in multicron-d. Is this going to work in Oxygen, with no defined mail command? Does -s mean anything to ssmtp?

<snip>
mailadmin () {
    if [ "$lrp_MAIL_ADMIN" = "" ]; then
        cat > /dev/null
    else
        subject="$HOSTNAME alert: $1"
        mail -s "$subject" $lrp_MAIL_ADMIN
    fi
}
<snip>

Thanks!

--Merrick Munday
Re: [Leaf-user] Need help getting LEAF running
On Wednesday 06 February 2002 07:32, Hall, Michael A wrote:
> Thanks for all the input. Apologies for the text and line length issue. I hope this message is improved.
>
> I tried the various suggestions with varying success:
> 1. tried using rtl8139 with 8390 without success (same signature as before)
> 2. tried HOSTS0 eth0_IPADDR ... instead of eth1_IPADDR without success
> 3. tried 8139too with 8390 and finally successfully configured both NICs

Good deal! I wasn't aware of a card that would work _only_ with the 8139too module ... I'll make note of that! They're great cards in any case.

> lsmod shows:
> 8390 (unused)
> natsemi (used by 1)
> 8139too (used by 1)
> pci-scan (used by 0 [natsemi])
>
> Does this imply that 8390 is unnecessary?

It would.

> It seems that SHIFT-PGUP only works to scroll the screen for kernel messages until I log in. Is that normal?

Nope, but it won't work if there is not enough text to scroll on the screen and it only caches so much text at a time (ie... it will only remember x amount of old information).

> Now I can proceed to try to get the Win machine applications to access the outside world (mail, http, etc.). Is it necessary to enable these within network.conf?

Nope, that stuff should work fine. There are some services, like IRC for file sharing, netmeeting, and others that require helper modules. You would set these in the modules file if you need any of them.

> Again, thanks for the input everyone. I really appreciate it.

NP
--
~Lynn Avants
aka Guitarlynn
guitarlynn at users.sourceforge.net
http://leaf.sourceforge.net

If linux isn't the answer, you've probably got the wrong question!
Re: [Leaf-user] Mail logs on Oxygen
> 1) If the log I'm trying to send is large, I get a "ssmtp: Header too large Max is 4000 characters" error. Obviously, I need to do some pre-processing on the log files to define a header at the top of the file and put the log info in a defined body of the message. Since I'm new to linux, I don't know how to do this.

The message headers are separated from the message body by a single blank line. Headers take the form of header: value...as an example, some of the headers from your e-mail to the list:

From: Munday, Merrick [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Content-Type: multipart/alternative; boundary="_=_NextPart_001_01C1AF22.AD71F4C0"
Subject: [Leaf-user] Mail logs on Oxygen
Date: Wed, 6 Feb 2002 10:26:41 -0500

You may want to add a few simple headers of your own (like a subject) to the e-mail.

NOTE: You probably don't want to mess with multipart messages or mime, so I'd just set Content-Type to text/plain. See RFC-822 for message format details.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
RE: [Leaf-user] Need help getting LEAF running
At 06:32 AM 2/6/02 -0700, Hall, Michael A wrote:
[...]
> lsmod shows:
> 8390 (unused)
> natsemi (used by 1)
> 8139too (used by 1)
> pci-scan (used by 0 [natsemi])
>
> Does this imply that 8390 is unnecessary?

Yes. I don't recall either of the actual NIC modules you use depending on 8390.o

> It seems that SHIFT-PGUP only works to scroll the screen for kernel messages until I log in. Is that normal?

No. But if you switch among VTs, that does affect the ability to scroll back.

> Now I can proceed to try to get the Win machine applications to access the outside world (mail, http, etc.). Is it necessary to enable these within network.conf?

In general, no. You do need to enable *incoming* services explicitly, but not *most* outgoing services (at least not mail and http ... I don't know what you think etc covers). For some problem services, you need to insmod special modules to handle outgoing connections properly ... ftp is the most common of these.

--
"Never tell me the odds!"--- Ray Olszewski -- Han Solo
Palo Alto, CA [EMAIL PROTECTED]
RE: [Leaf-user] Need help getting LEAF running
At 09:03 06/02/02 -0800, Ray Olszewski wrote:
> At 06:32 AM 2/6/02 -0700, Hall, Michael A wrote:
> > Now I can proceed to try to get the Win machine applications to access the outside world (mail, http, etc.). Is it necessary to enable these within network.conf?
>
> In general, no.
<snip>
> For some problem services, you need to insmod special modules to handle outgoing connections properly ... ftp is the most common of these.

I seem to remember that Dachstein has a load of these (including FTP) set up by default. Correct me if I'm wrong, by all means, but I'm pretty sure that's the case.

--
[EMAIL PROTECTED]
www.ljchurch.co.uk
[Leaf-user] IPSec 1.9 on a bare 2.9.8 floppy ?
Is it possible to use ipsec.lrp (1.9) on a standard LRP 2.9.8 floppy (provided that I correctly patch and recompile the 2.2.19 kernel that comes with it)?

I need to set up just a tunnel endpoint, and want to run it from a bare 1.44 floppy in a 1 NIC machine, so I don't want the additional features (and overhead) of Dachstein.

Thank you
Javier
Re: [Leaf-user] IPSec 1.9 on a bare 2.9.8 floppy ?
> Is it possible to use ipsec.lrp (1.9) on a standard LRP 2.9.8 floppy (provided that I correctly patch and recompile the 2.2.19 kernel that comes with it)?
>
> I need to set up just a tunnel endpoint, and want to run it from a bare 1.44 floppy in a 1 NIC machine, so I don't want the additional features (and overhead) of Dachstein.

Yes, you could make your own kernel to use with LRP 2.9.8, although you're probably better off not trying to re-compile the kernel...just use one of the ipsec-enabled kernels available from my site. Since you're targeting a single floppy, you'll probably want the small kernel with IPSec support.

I can also virtually guarantee you won't be able to fit IPSec on a 1.44 floppy, but you may be able to squeeze it onto a 1.68K disk.

Also, while you're free to use LRP 2.9.8 as a base, don't do this just because the default distribution of Dachstein comes with several extra features. You can customize your disk, removing anything you don't want/need (ie dnscache, weblet, dhclient, dhcpd), and IIRC, you'll wind up with a base image smaller than LRP 2.9.8 (lots of work went into shrinking and updating root.lrp in Dachstein).

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
Re: [Leaf-user] Re: Leaf Mail Command
Seems that Rogers is using ESMTP as the protocol - which isn't really POP before SMTP (as far as I can tell at least) - using a program called postie I am able to mail via a command line - without telling it what my pop server's address is. So I guess I'll just scp the necessary log files over to my server - and have it do the mailing - oh well not as efficient as it was - but at least it'll work.

S

> From: Erich Titl [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: [Leaf-user] Re: Leaf Mail Command
> Date: Tue, 05 Feb 2002 21:13:09 +0100
>
> Hi Simon
>
> [EMAIL PROTECTED] wrote the following at 20:47 05.02.2002:
> > Date: Tue, 5 Feb 2002 11:52:13 -0800 (PST)
> > From: Jack Coates [EMAIL PROTECTED]
> > To: Simon Bolduc [EMAIL PROTECTED]
> > Cc: [EMAIL PROTECTED], [EMAIL PROTECTED]
> > Subject: Re: [Leaf-user] Leaf Mail Command
>
> If it is POP-before-SMTP like Jack suggests then authentication using small tools would be quite easy. You can check on the protocol with telnet
>
> luna> telnet foodle 110
> Trying xxx.xxx.xxx.xxx...
> Connected to foodle.xxx.xx
> Escape character is '^]'.
> +OK Qpopper (version 4.0.3) at foodle.xxx.xx starting.
> user testuser
> +OK Password required for testuser.
> pass foodle
> +OK testuser has 2 visible messages (0 hidden) in 1289 octets.
> quit
> +OK Pop server at foodle.xxx.xx signing off.
> Connection closed by foreign host.
>
> This little sequence is all it requires to authenticate against POP.
>
> regards
>
> Erich
[Leaf-user] FTP Timeout Problems with Oxygen
Hey everyone,

I've started to notice FTP problems with an Oxygen firewall I have running. The problem occurs on both unix and NT systems located behind the firewall. I have found that all ftp transfers, be they incoming or outgoing, eventually freeze. Although it appears that NT - NT transfers are more stable, they too freeze after about 800-1500 files have been transferred.

The firewall configuration is pretty simple. It has two ethernet interfaces, and proxyarp is being used. I've included the seawall.conf file below. One thing about my config is that I do not have any masq timeouts specified. I was wondering if perhaps I should?

One thing I've noticed that I think is interesting to note is that this problem does not occur when using LeechFTP. I believe this is because LeechFTP tends to keep sending commands to keep the connection active. That's why I was wondering if it could have something to do with the masq timeouts.

My seawall.conf: (with comments stripped out)
---
internet=eth0
myip=x.y.z.51
local=eth1
strong=
noforward=eth1
noforwardnets=
dialinppp=
localports=
log=Yes
lockfile=/var/state/firewall
ntpservers=
ntpnonpriv=No
dnsservers=
dnslocalports=
icqports=
pptpservers=
pptpserver=
ipsecservers=
poptop=
pptpclients=
pptpclient=No
dmz=
localnets=
nonmasq=
nonmasqnets=
popservers=
smtpservers=
modules=
masq_timeouts=
---

Should I be setting anything for the masq_timeouts if I am using ProxyARP? I guess my real question is: if I am using ProxyArp am I still masq'ing?

Here is a log from some testing I was doing:
---
sending Body_RJ_B4_FMA_012802_R0017GR01.txt as Body_RJ_B4_FMA_012802_R0017GR01.txt (1 of 285)
PASV
227 Entering Passive Mode (205,150,101,55,247,15)
connecting to x.y.z.55:63247 - -
connecting to x.y.z.55:63247
! Connection failed x.y.z.55 - connection timed out
! connect: error 0
PORT 192,168,0,124,7,124
200 PORT command successful.
STOR Body_RJ_B4_FMA_012802_R0017GR01.txt
150 Opening ASCII mode data connection for Body_RJ_B4_FMA_012802_R0017GR01.txt.
Transmitted 3008 bytes in 0.1 secs, (290.00 Kbps), transfer succeeded
226 Transfer complete.
MDTM 20020129035134 Body_RJ_B4_FMA_012802_R0017GR01.txt
550 20020129035134 Body_RJ_B4_FMA_012802_R0017GR01.txt: No such file or directory.
sending Body_RJ_ES_ESN_012802_R0205I00D.txt as Body_RJ_ES_ESN_012802_R0205I00D.txt (2 of 285)
PASV
227 Entering Passive Mode (x,y,z,55,181,6)
connecting to x.y.z.55:46342 - -
connecting to x.y.z.55:46342
! Connection failed x.y.z.55 - connection timed out
! connect: error 0
PORT 192,168,0,124,7,131
200 PORT command successful.
STOR Body_RJ_ES_ESN_012802_R0205I00D.txt
150 Opening ASCII mode data connection for Body_RJ_ES_ESN_012802_R0205I00D.txt.
Transmitted 1039 bytes in 0.1 secs, (100.00 Kbps), transfer succeeded
226 Transfer complete.
sending Body_RJ_ES_ESN_012802_R0205J00D.txt as Body_RJ_ES_ESN_012802_R0205J00D.txt (3 of 285)
PASV
227 Entering Passive Mode (x,y,z,55,243,37)
connecting to x.y.z.55:62245 - -
connecting to x.y.z.55:62245
! Connection failed x.y.z.55 - connection timed out
! connect: error 0
PORT 192,168,0,124,7,135
200 PORT command successful.
STOR Body_RJ_ES_ESN_012802_R0205J00D.txt
150 Opening ASCII mode data connection for Body_RJ_ES_ESN_012802_R0205J00D.txt.
Transmitted 1039 bytes in 0.1 secs, (100.00 Kbps), transfer succeeded
226 Transfer complete.
PWD
257 /home/campload is current directory.
PASV
227 Entering Passive Mode (x,y,z,55,178,19)
connecting to x.y.z.55:45587 - -
connecting to x.y.z.55:45587
! Connection failed x.y.z.55 - connection timed out
! connect: error 0
PORT 192,168,0,124,7,138
200 PORT command successful.
LIST
150 Opening ASCII mode data connection for directory listing.
Received 501 bytes in 0.1 secs, (40.00 Kbps), transfer succeeded
226 Transfer complete.
---

Thanks in advance.

Ryan.
Re: [Leaf-user] Leaf Mail Command
If the server is on the protected LAN, you could always just do remote syslog. This also lets you use some of the nice Perl-based log analyzers to prioritize and mail the output.

Jack

On Wed, 6 Feb 2002, Simon Bolduc wrote:
> Seems that Rogers is using ESMTP as the protocol - which isn't really POP before SMTP (as far as I can tell at least) - using a program called postie I am able to mail via a command line - without telling it what my pop server's address is. So I guess I'll just scp the necessary log files over to my server - and have it do the mailing - oh well not as efficient as it was - but at least it'll work.
>
> S
>
> > From: Erich Titl [EMAIL PROTECTED]
> > To: [EMAIL PROTECTED]
> > Subject: [Leaf-user] Re: Leaf Mail Command
> > Date: Tue, 05 Feb 2002 21:13:09 +0100
> >
> > Hi Simon
> >
> > [EMAIL PROTECTED] wrote the following at 20:47 05.02.2002:
> > > Date: Tue, 5 Feb 2002 11:52:13 -0800 (PST)
> > > From: Jack Coates [EMAIL PROTECTED]
> > > To: Simon Bolduc [EMAIL PROTECTED]
> > > Cc: [EMAIL PROTECTED], [EMAIL PROTECTED]
> > > Subject: Re: [Leaf-user] Leaf Mail Command
> >
> > If it is POP-before-SMTP like Jack suggests then authentication using small tools would be quite easy. You can check on the protocol with telnet
> >
> > luna> telnet foodle 110
> > Trying xxx.xxx.xxx.xxx...
> > Connected to foodle.xxx.xx
> > Escape character is '^]'.
> > +OK Qpopper (version 4.0.3) at foodle.xxx.xx starting.
> > user testuser
> > +OK Password required for testuser.
> > pass foodle
> > +OK testuser has 2 visible messages (0 hidden) in 1289 octets.
> > quit
> > +OK Pop server at foodle.xxx.xx signing off.
> > Connection closed by foreign host.
> >
> > This little sequence is all it requires to authenticate against POP.
> >
> > regards
> >
> > Erich

--
Jack Coates
Monkeynoodle: A Scientific Venture...
[Leaf-user] RE: Mail logs on Oxygen
Thanks to all who helped!

I've created a /root/headers directory with files containing email headers for each logfile that I wish the machine to email me, each named with the same name as the logfile. Then, I have added 3 lines to multicron-d like so:

rotatelogs () {
    case $prog in
        *-d ) LOGFILES=$lrp_LOGS_DAILY ;;
        *-w ) LOGFILES=$lrp_LOGS_WEEKLY ;;
        *-m ) LOGFILES=$lrp_LOGS_MONTHLY ;;
        * ) return 1 ;;
    esac
    cd /var/log
    for LOG in $LOGFILES; do
        if [ -f $LOG ]; then
            if [ -f /root/headers/$LOG ]; then
                cat /root/headers/$LOG $LOG | ssmtp [EMAIL PROTECTED]
            fi
            savelog -g adm -m 640 -u root -c ${lrp_LOGS_DEPTH:-4} $LOG > /dev/null
        fi
    done
    svi sysklogd reload
}

This seems to work -- is this some awful kludge that I should have done in another way?

Thanks again, and especially to David and Charles for all their fine work.

--Merrick Munday
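Merrick's multicron-d hook and Charles's note on the header/body split come together in the following added example, which is not part of the thread, of Oxygen's multicron-d, or of ssmtp. It is a POSIX sh script that builds a complete message (a few headers, one blank line, then the log as body) from a log file and hands it to ssmtp, so that log text can never be mistaken for headers and the "Header too large" error cannot recur. The names `build_mail`, `header_length`, `send_log` and `MAILER`, the sample log lines and the addresses are all this example's own; it assumes, as the thread does, that ssmtp takes the recipient on its command line and reads the message on stdin, and `MAILER` exists only so the delivery command can be swapped for a stub when testing.

```shell
#!/bin/sh
# Added example: e-mail a log file through ssmtp with a proper header block.
# Assumes ssmtp reads the message on stdin and takes the recipient as argument.
# build_mail, header_length, send_log and MAILER are this example's own names.

MAILER=${MAILER:-ssmtp}     # command that delivers the message read on stdin
HOST=${HOSTNAME:-$(hostname 2>/dev/null || echo localhost)}

# build_mail FROM TO SUBJECT BODYFILE -> complete RFC-822 style message on stdout
build_mail() {
    printf 'From: %s\n' "$1"
    printf 'To: %s\n' "$2"
    printf 'Subject: %s\n' "$3"
    printf 'Date: %s\n' "$(date -R 2>/dev/null || date)"
    printf 'Content-Type: text/plain; charset=us-ascii\n'
    printf '\n'             # the single blank line: everything after it is body
    cat "$4"
}

# header_length FILE -> bytes in the header block (up to the first blank line),
# the quantity ssmtp's 4000-character limit applies to
header_length() {
    awk 'NF == 0 { exit } { n += length($0) + 1 } END { print n + 0 }' "$1"
}

# send_log LOGFILE TO -> build the message for LOGFILE and pass it to $MAILER;
# fails (status 1) rather than mailing an empty message if LOGFILE is missing
send_log() {
    [ -f "$1" ] || return 1          # note the space after "[": "[-f" is not a command
    build_mail "root@$HOST" "$2" "$HOST log: $(basename "$1")" "$1" | $MAILER "$2"
}

# Stand-alone demo: a constructed two-line log, printed instead of mailed.
DEMO_LOG=$(mktemp)
DEMO_MSG=$(mktemp)
printf 'Feb  6 14:10:19 host kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.5:3254 198.51.100.7:80 L=48 S=0x00 I=63245 F=0x4000 T=121 SYN (#15)\n' > "$DEMO_LOG"
printf 'Feb  6 14:10:21 host kernel: Packet log: input DENY eth0 PROTO=17 203.0.113.9:137 198.51.100.255:137 L=78 S=0x00 I=1 F=0x0000 T=64 (#3)\n' >> "$DEMO_LOG"
build_mail "root@$HOST" "admin@example.com" "$HOST log: demo" "$DEMO_LOG" > "$DEMO_MSG"
cat "$DEMO_MSG"
echo "header bytes: $(header_length "$DEMO_MSG") (ssmtp's limit is 4000)"
rm -f "$DEMO_LOG" "$DEMO_MSG"
```

Dropped into multicron-d, the call would be `send_log $LOG admin@example.com` just before the `savelog` line, which replaces Merrick's per-logfile header files with one generated header block; the header stays a few hundred bytes no matter how large the log grows, because the log is entirely below the blank line.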
[Leaf-user] Multiple Gateways with Dachstein
Hey everyone,

I am trying to set up a Dachstein firewall to use multiple gateways. We have two DSL connections (pppoe, ugh) and one ISDN connection from Worldcom. I know setting this kind of thing up can be quite difficult, especially if one is looking to do load balancing. Since this is the case (?) I'm concentrating on keeping it simple for now:

          |--- DSL 1 --- [Metric 0]
Firewall  |--- DSL 2 --- [Metric 0]
          |--- ISDN  --- [Metric 1]

What I am wondering is: if a connection comes in via the ISDN connection, will the response be routed back out that connection? I am planning on using the ISDN connection for email only, as it is a static IP.

Also, what will happen when both of the DSL connections have the same metric? How will the firewall use both? This is less of a concern at the moment, as I am more interested in getting the ISDN and one DSL going.

Finally, where is the best place to put my route command for the ISDN interface?

Thanks in advance!

Ryan
Re: [Leaf-user] Re: Leaf Mail Command
Hi Simon

Simon Bolduc wrote the following at 18:58 06.02.2002:
> Seems that Rogers is using ESMTP as the protocol - which isn't really POP before SMTP (as far as I can tell at least) - using a program called postie I am able to mail via a command line - without telling it what my pop server's address is. So I guess I'll just scp the necessary log files over to my server - and have it do the mailing - oh well not as efficient as it was - but at least it'll work.
>
> S

ESMTP is an extension to SMTP. Normally an ESMTP capable server supports SMTP. You can check on the server like

luna> telnet luna 25
Trying 194.124.158.50...
Connected to luna.think.ch.
Escape character is '^]'.
220 luna.think.ch ESMTP Sendmail 8.12.0/8.12.0; Wed, 6 Feb 2002 21:49:28 +0100
ehlo jupiter
250-luna.think.ch Hello luna.think.ch [194.124.158.50], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5
250-STARTTLS
250-DELIVERBY
250 HELP
mail from: [EMAIL PROTECTED]
250 2.1.0 [EMAIL PROTECTED] Sender ok
rcpt to: testuser
250 2.1.5 testuser... Recipient ok
data
354 Enter mail, end with "." on a line by itself
test
.
250 2.0.0 g16KnSbV004853 Message accepted for delivery
quit
221 2.0.0 luna.think.ch closing connection
Connection closed by foreign host.

This is an ESMTP session. If your server supports this, then you can find a host of applications which will do that for you on the net. The normal *X mail command is a frontend to sendmail which will do (E)SMTP for you, but a full fledged sendmail distribution is way too big for a floppy based machine.

Have a look at http://www.engelschall.com/sw/smtpclient/ - this might fit on a LEAF machine.

regards

Erich
[Leaf-user] Am so lovin LEAF, but have got some question
If you really must get to the point of the story, skip down to the closing tag for LONG VERSION OF SHORT STORY.

Big thanks to many! Not in any order but how I'm finding them in my mail archive, and I know I'll leave out some. Especially jack at monkeynoodle, guitarlynn at kscable, charles at steinkuehler, jnilo at sourceforge, mschalit at pacbell, mds at helices, mhnoyes at sourceforge, ray at comarre and many others that host supporting web pages, reply to posted questions.

I have lurked here for a couple of months and have added a couple of cents or a question now and then.

My system is an old Compaq Prosignia 66Mhz 486DX with 48Mb RAM, two ne2000 compatible NICs and a single 3 1/2 floppy drive. It is so sweet to be getting a useful firewall out of that; it was a killer machine in its heyday.

I have gotten to work remotely for my employer, so on a cable modem I sit in my basement in Missouri and work for my employer in Virginia. The last thing I want is for my VPN connection to corporate to be the access point that someone uses to get into the system. That is one of the primary reasons for the firewall.

Now although I've told you my hardware, I'd be hard pressed to tell what version of LRP I'm using. Got most of my material from Charles and think it would be a Dachstein (sp?) floppy based system. I know that I use 1.68Mb floppies. What I'm trying to say here is that I have visited so many web sites, downloaded so many images and executables so that this M$ box could make initial boot floppies and such, that I'm not sure what I've got. What I have done is zip up a messages file and a capture of the boot screen text that I'd gladly mail to anyone that wants to contact me and take a look. I am trying to be sensitive to those that pay for their downloads, as I heard on the list.

</LONG VERSION OF SHORT STORY>

What I'm trying to do is not log some lines that keep showing up in my messages. I believe these to be either net-bios related messages or VPN keep-alives being broadcast from the corporate VPN connection. I cannot just turn all of that off as I need to map local drives to corporate assets. However, if I can tell the firewall to ignore or not log these I will have met my goal.

Feb 6 14:10:19 ardentpursuit kernel: ip_demasq_esp(): Inbound from MY.CORP.VPN.ADDRESS SPI SOME8DIGITHEXNO has no masq table entry.
Feb 6 14:10:21 ardentpursuit kernel: ip_demasq_esp(): Inbound from MY.CORP.VPN.ADDRESS SPI DIFF8DIGITHEXNO has no masq table entry.

As Always...
[Leaf-user] M$ VPN (PPTP) and DCD 1.02
Hi,

I'm trying to set up port forwarding for M$ VPN (PPTP) to an internal server 192.168.1.24. So far I figured the following:

    # Indexed list: SrcAddr/Mask port [ DestAddr[/DestMask] ]
    #EXTERN_TCP_PORT0=5.6.7.8 domain 1.1.1.12
    #EXTERN_TCP_PORT1=0/0 www
    EXTERN_TCP_PORT0=0/0 smtp                      #SMTP (E-Mail)
    EXTERN_TCP_PORT1=0/0 ssh                       #Secure Shell
    EXTERN_TCP_PORT2=0/0 1723 192.168.1.24/32      #Microsoft PPTP

    # Indexed list: Protocol SrcAddr/Mask [ DestAddr[/DestMask] ]
    #EXTERN_PROTO0=50 5.6.7.8/32
    #EXTERN_PROTO1=51 5.6.7.8/32
    EXTERN_PROTO0=47 0/0 192.168.1.24/32           # GRE

    INTERN_PPTP_SERVER=192.168.1.24                # Internal M$ PPTP server to make available

    # Advanced settings: parameters passed directly to portfw and autofw
    # Indexed list: ipmasqadm portfw options
    #INTERN_SERVER0=-a -P PROTO -L LADDR LPORT -R RADDR RPORT [-p PREF]
    #INTERN_SERVER1=
    INTERN_SERVER0=-a -P tcp -L ${EXTERN_IP} 1723 -R ${INTERN_PPTP_SERVER} 1723

But from previous messages on the list I've seen these rules:

    1) ipchains -A input -s 0/0 -d $IP_EXT/32 1723 -p tcp -l -j ACCEPT
    2) ipchains -A input -s 0/0 -d $IP_EXT/32 -p 47 -j ACCEPT
    3) ipmasqadm portfw -a -P tcp -L $IP_EXT 1723 -R $PPTP_HOST 1723
    4) ipfwd --masq $PPTP_HOST 47

I understand that 1), 2) and 3) are under control. But... how do I set up 4) within network.conf???

Thanks for your help

Sergio D. Morilla
Sistemas Tipoiti SATIC
San Martín 647 Piso 2, C1004AAM - Buenos Aires, Argentina
Tel. : +54 11 4314-4482   Fax : +54 11 4508-6425
e-mail [EMAIL PROTECTED]
Re: [Leaf-user] Rebuilding the Dachstein CD
Charles Steinkuehler wrote: [snip] NOTE: I've had problems with some windows software not recognizing the linux boot floppy as a bootable disk (particularly with EZ-CD Creator)... You're not using WinImage 6 for both diskettes and cd iso's ? I thought it worked fine. Heck, you paid for it :) Matt ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
Re: [Leaf-user] Re: Leaf Mail Command
Simon Bolduc wrote: Seems that Rogers is using ESMTP as the protocol - which isn't really POP before SMTP (as far as I can tell at least) - using a program called postie I am able to mail via a command line - without telling it what my pop server's address is. So I guess I'll just scp the necessary log files over to my server - and have it do the mailing - oh well not as efficient as it was - but at least it'll work. S Can't you securely rsync the log from the LEAF to the remote machine you wanted it emailed to? As far as I know, you could even do it in such a way that the syslog shows up in /var/spool/mail/root on the remote system. You'd never know it wasn't emailed, and you'd have one less intermediate system to go through. Best, Matthew ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
[Leaf-user] LRP Dachstein Vs. Coyote.
hi,

What are some of the significant differences between Coyote and Charles' version of LRP?

j.

-- .. . Jason C. Leach .. PGP/GPG Public key at http://www.keyserver.net/ Key ID: 1CF6DA85
Re: [Leaf-user] Open Ports
At 07:54 PM 2/6/02 -0500, Lonnie Cumberland wrote:

> Hello All, I was just told by a network administrator that port 1214 is open and communicating on my system. Is there a way that I can find out which ports are open on my Eigerstein LRP firewall and turn it off.

Depends on what you mean by open.

To find out what services are actually *listening* on a system, netstat -l (that's lower-case L) will list them by port.

If you mean is the router firewalling the port, then you need to inspect the output of ipchains -nvL to see what is being DENYd or REJECTed.

More usefully, if your site is NAT'd, check your port-forwarding rules for something that forwards 1214 to an internal system.

To turn it off via the firewall, add a rule that DENYs incoming traffic to, or outgoing traffic from, the problem port. To turn it off wherever it is running, terminate the app that is listening on the port (or modify inetd.conf if it is a service that runs through inetd - improbable in this example).

> It is supposed to be something called Morpheus or something like that which allows MP3 sharing, but I have nothing like that running on any of my machines.

For intro-level info on Morpheus, go to http://www.musiccity.com/ and look at the FAQ. It appears to be Windows only, so you might ask anyone who has a Windows workstation behind your router if he or she knows what's going on.

A bit more technical information is here http://www.openp2p.com/lpt/a/p2p/2001/07/02/morpheus.html and it confirms the association with port 1214. As I read this, you would have to be (a) running a SuperNode (Morpheus-speak for a directory server with a published address) -AND- (b) port-forwarding port 1214 to it via the router. I can imagine the first happening without your knowing, but the second is improbable.

-- Never tell me the odds! --- Han Solo    Ray Olszewski, Palo Alto, CA [EMAIL PROTECTED]
[Leaf-user] dachstein dchp with samba?
hello all, is it possible to make dhcp clients under a dachstein dhcp server access samba service installed on the same dachstein dhcp server? if so, how? ... or do i really have to set up another box with the samba service and make it work as another dhcp client? TIA!
Re: [Leaf-user] dachstein dchp with samba?
Vic Berdin wrote: is it possible to make dhcp clients under a dachstein dhcp server access samba service installed on the same dachstien dhcp server? if so, how? ... or do i really have to set up another box with the samba service and make it work as another dhcp client? Goto http://lrp.steinkuehler.net/Packages/man/dhcp-options.5.man.htm Look for: option netbios-name-servers and other options thereabouts. HTH -- Best Regards, mds mds resource 888.250.3987 Dare to fix things before they break . . . Our capacity for understanding is inversely proportional to how much we think we know. The more I know, the more I know I don't know . . . ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
[Leaf-user] Dachstein logs filling up with DHCP denied packets
I have a Dachstein 1.0.2 firewall that was running just fine until Comcast@Home switched me from a static IP to a dynamic one. I now have DHClient running successfully, but am getting thousands of denied packets in my logs. Since yesterday, I have over 9,500 denied packets and my 32meg router's RAM disk and logs are about full. Almost all of these denied packets seem to be coming from Comcast's DHCP server.

Here's a very small sample of the errors I'm getting; perhaps someone can either shed light on this problem and tell me either how to correct the configuration problem (if there is one) or at least how to block these packets from being logged. I'm using Charles Steinkuehler's latest Dachstein release straight out of the box and have followed his DHClient setup instructions.

    Feb 6 06:42:03 CAROL syslogd 1.3-3#31.slink1: restart.
    Feb 6 06:42:16 CAROL kernel: Packet log: input DENY eth0 PROTO=17 10.117.160.1:67 255.255.255.255:68 L=340 S=0x00 I=15503 F=0x T=255 (#8)
    Feb 6 06:42:16 CAROL kernel: Packet log: input DENY eth0 PROTO=17 10.117.160.1:67 255.255.255.255:68 L=340 S=0x00 I=15506 F=0x T=255 (#8)
    Feb 6 06:42:26 CAROL kernel: Packet log: input DENY eth0 PROTO=17 10.117.160.1:67 255.255.255.255:68 L=340 S=0x00 I=15818 F=0x T=255 (#8)
    Feb 6 06:42:26 CAROL kernel: Packet log: input DENY eth0 PROTO=17 10.117.160.1:67 255.255.255.255:68 L=340 S=0x00 I=15830 F=0x T=255 (#8)
    Feb 6 06:42:36 CAROL kernel: Packet log: input DENY eth0 PROTO=17 10.117.160.1:67 255.255.255.255:68 L=340 S=0x00 I=16368 F=0x T=255 (#8)
    Feb 6 06:42:36 CAROL kernel: Packet log: input DENY eth0 PROTO=17 10.117.160.1:67 255.255.255.255:68 L=340 S=0x00 I=16373 F=0x T=255 (#8)
    Feb 6 06:42:36 CAROL kernel: Packet log: input DENY eth0 PROTO=2 192.168.100.1:65535 224.0.0.1:65535 L=28 S=0xC0 I=0 F=0x T=1 (#10)
    Feb 6 06:42:37 CAROL kernel: Packet log: input DENY eth0 PROTO=17 10.117.160.1:67 255.255.255.255:68 L=340 S=0x00 I=16422 F=0x T=255 (#8)
    Feb 6 06:42:37 CAROL kernel: Packet log: input DENY eth0 PROTO=17 10.117.160.1:67 255.255.255.255:68 L=340 S=0x00 I=16425 F=0x T=255 (#8)
    Feb 6 06:42:43 CAROL kernel: Packet log: input DENY eth0 PROTO=17 10.117.160.1:67 255.255.255.255:68 L=340 S=0x00 I=16565 F=0x T=255 (#8)

Thanks,
Dave
Re: [Leaf-user] Dachstein logs filling up with DHCP denied packets
Dave Hubble wrote: I have a Dachstein 1.0.2 firewall that was running just fine until Comcast@Home switched me from a static IP to a dynamic one. I now have DHClient running successfully, but am getting thousands of denied packets in my logs. Since yesterday, I have over 9,500 denied packets and my 32meg routers' RAM disk and logs are about full. Almost all of these denied packets seem to be coming from Comcast's DHCP server. Here's a very small sample of the errors I'm getting; perhaps someone can either shed light on this problem and tell me either how to correct the configuration problem (if there is one) or at least how to block these packets from being logged. I'm using Charles Steinkuehler's latest Dachstein release straight out of the box have followed his DHClient setup instructions. Feb 6 06:42:03 CAROL syslogd 1.3-3#31.slink1: restart. Feb 6 06:42:16 CAROL kernel: Packet log: input DENY eth0 PROTO=17 10.117.160.1:67 255.255.255.255:68 L=340 S=0x00 I=15503 F=0x T=255 (#8) [ snip ] This is a faq and should be listed somewhere. However, here are a couple previous threads and their solutions: http://sourceforge.net/mailarchive/message.php?msg_id=687084 http://sourceforge.net/mailarchive/message.php?msg_id=686657 http://sourceforge.net/mailarchive/message.php?msg_id=686498 HTH -- Best Regards, mds mds resource 888.250.3987 Dare to fix things before they break . . . Our capacity for understanding is inversely proportional to how much we think we know. The more I know, the more I know I don't know . . . ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
Re: [Leaf-user] dachstein dchp with samba?
thanks a lot mate! your prompt response gave me a prompt solution. - Original Message - From: Michael D. Schleif [EMAIL PROTECTED] To: Vic Berdin [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Sent: Thursday, February 07, 2002 10:22 AM Subject: Re: [Leaf-user] dachstein dchp with samba? Vic Berdin wrote: is it possible to make dhcp clients under a dachstein dhcp server access samba service installed on the same dachstien dhcp server? if so, how? ... or do i really have to set up another box with the samba service and make it work as another dhcp client? Goto http://lrp.steinkuehler.net/Packages/man/dhcp-options.5.man.htm Look for: option netbios-name-servers and other options thereabouts. HTH -- Best Regards, mds mds resource 888.250.3987 Dare to fix things before they break . . . Our capacity for understanding is inversely proportional to how much we think we know. The more I know, the more I know I don't know . . . ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
Re: [Leaf-user] Dachstein logs filling up with DHCP denied packets
guitarlynn wrote:

> On Wednesday 06 February 2002 21:03, Michael D. Schleif wrote:
>
> [ snip ]
>
> > This is a faq and should be listed somewhere. However, here are a couple previous threads and their solutions:
>
> I have a LEAF command help FAQ at:
> http://sourceforge.net/docman/display_doc.php?docid=9267&group_id=13751
>
> Under the Dachstein specific heading at SILENT_DENY:
>
> ## beginning on snip
> The SILENT_DENY Option
> # To set the SILENT_DENY (no logging) option to Dachstein Firewall.
> # SILENT_DENY=ProtoNumber_SourceAddress/Netmask_DestinationPort
> # Netmask and DestinationPort are optional
> *note* - the netmask and destination port# are optional
> ProtoNumber will take tcp, udp, and all for options.
> examples:
> SILENT_DENY=tcp_a.b.c.d/255.255.255.255 (for all ports tcp-only)
> SILENT_DENY=all_a.b.c.d_80 (for single port)
> # end of snip ###
>
> From this you can use:
> SILENT_DENY=17_10.117.160.1_68
> to filter this traffic.

Provided that only one (1) server ever broadcasts this way, then this is acceptable.

However, previous consensus was that there is *never* any reason to log broadcasts to destination 255.255.255.255 -- so, perhaps, a better solution is that suggested in http://sourceforge.net/mailarchive/message.php?msg_id=686657

TIMTOWTDI

-- Best Regards, mds mds resource 888.250.3987 Dare to fix things before they break . . . Our capacity for understanding is inversely proportional to how much we think we know. The more I know, the more I know I don't know . . .
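Added example (editor's code, not from this thread or from the Dachstein scripts): before writing a SILENT_DENY entry it helps to see which flows actually fill the log and which of them are pure broadcast or multicast noise. The Python below parses the 2.2-kernel ipchains "Packet log:" lines as quoted in Dave's post, counts denied flows by protocol, source, destination and destination port, and builds candidate SILENT_DENY values in the proto_source_port form from guitarlynn's FAQ snippet only for flows whose destination is 255.255.255.255 or an IPv4 multicast group. Unicast drops such as an inbound SYN are deliberately left out so they keep being logged. The sample log is constructed: it reuses the DHCP and IGMP lines above plus one made-up SYN line using RFC 5737 documentation addresses; the "port" omitted for non TCP/UDP protocols and the way several entries are combined in network.conf are my assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Field layout of the ipchains "Packet log:" line as it appears in this thread.
# The quoted lines show a truncated "F=0x" fragment field, so the hex digits are optional.
PACKET_LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9A-Fa-f]+) I=(?P<ipid>\d+) F=0x(?P<frag>[0-9A-Fa-f]*) "
    r"T=(?P<ttl>\d+)(?P<flags>(?: [A-Z]+)*) \(#(?P<rule>\d+)\)"
)

MULTICAST = ip_network("224.0.0.0/4")
LIMITED_BROADCAST = ip_address("255.255.255.255")

# Constructed sample: lines quoted in the thread plus one made-up inbound SYN
# (RFC 5737 documentation addresses) that a defender wants to keep in the log.
SAMPLE_LOG = [
    "Feb 6 06:42:03 CAROL syslogd 1.3-3#31.slink1: restart.",
    "Feb 6 06:42:16 CAROL kernel: Packet log: input DENY eth0 PROTO=17 10.117.160.1:67 255.255.255.255:68 L=340 S=0x00 I=15503 F=0x T=255 (#8)",
    "Feb 6 06:42:16 CAROL kernel: Packet log: input DENY eth0 PROTO=17 10.117.160.1:67 255.255.255.255:68 L=340 S=0x00 I=15506 F=0x T=255 (#8)",
    "Feb 6 06:42:36 CAROL kernel: Packet log: input DENY eth0 PROTO=2 192.168.100.1:65535 224.0.0.1:65535 L=28 S=0xC0 I=0 F=0x T=1 (#10)",
    "Feb 6 06:42:37 CAROL kernel: Packet log: input DENY eth0 PROTO=17 10.117.160.1:67 255.255.255.255:68 L=340 S=0x00 I=16422 F=0x T=255 (#8)",
    "Feb 6 06:42:40 CAROL kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:3254 192.0.2.10:80 L=48 S=0x00 I=63245 F=0x4000 T=121 SYN (#15)",
]


def parse_packet_log(line):
    """Return the fields of one ipchains packet-log line as a dict, or None if it is not one."""
    m = PACKET_LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ipid", "ttl", "rule"):
        rec[key] = int(rec[key])
    rec["flags"] = rec["flags"].split()  # e.g. ["SYN"], empty for UDP/IGMP
    return rec


def is_noise_destination(dst):
    """True for destinations nobody needs to log: limited broadcast or IPv4 multicast."""
    addr = ip_address(dst)
    return addr == LIMITED_BROADCAST or addr in MULTICAST


def summarize(lines):
    """Count DENY entries per (proto, src, dst, dport) flow; returns a Counter."""
    counts = Counter()
    for line in lines:
        rec = parse_packet_log(line)
        if rec and rec["action"] == "DENY":
            counts[(rec["proto"], rec["src"], rec["dst"], rec["dport"])] += 1
    return counts


def silent_deny_entries(lines):
    """Build SILENT_DENY values for the noise flows only, busiest first.

    Format follows the FAQ snippet: ProtoNumber_SourceAddress_DestinationPort. Leaving the
    port off for protocols without ports (anything but 6/17) is an assumption on my part."""
    entries = []
    for (proto, src, dst, dport), _count in summarize(lines).most_common():
        if not is_noise_destination(dst):
            continue  # routable unicast drops stay in the log
        entry = f"{proto}_{src}"
        if proto in (6, 17):
            entry += f"_{dport}"
        if entry not in entries:
            entries.append(entry)
    return entries


if __name__ == "__main__":
    for flow, n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:5d}  proto={flow[0]} {flow[1]} -> {flow[2]}:{flow[3]}")
    for e in silent_deny_entries(SAMPLE_LOG):
        print(f"SILENT_DENY={e}")
```

Run against the real /var/log/messages the busiest flow comes out on top, and anything listed under SILENT_DENY is exactly what mds describes: broadcast and multicast chatter that carries no signal, while the unicast entries stay visible for review.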
Re: [Leaf-user] Dachstein logs filling up with DHCP denied packets
On Wednesday 06 February 2002 21:53, Michael D. Schleif wrote:

> Provided that only one (1) server ever broadcasts this way, then this is acceptable. However, previous consensus was that there is *never* any reason to log broadcasts to destination 255.255.255.255 -- so, perhaps, a better solution is that suggested in http://sourceforge.net/mailarchive/message.php?msg_id=686657

Agreed, I was just stating there was something reminiscent of a FAQ that approached the question :) That rule probably ought to be added in the next update.

-- ~Lynn Avants aka Guitarlynn guitarlynn at users.sourceforge.net http://leaf.sourceforge.net If linux isn't the answer, you've probably got the wrong question!
Re: [Leaf-user] Dachstein logs filling up
Dave:

Heya. Give the echowall.lrp package a try. It's got a more aggressive "don't log this sort of noise" section to it than the stock firewall that comes with Dachstein does. EchoWall was built for Dachstein, so it should sneak in nicely. The README has all the details of installation.

cheers,
Scott

PS: http://leaf.sourceforge.net/devel/sbest/echowall/

> I have a Dachstein 1.0.2 firewall that was running just fine until Comcast@Home switched me from a static IP to a dynamic one. I now have DHClient running successfully, but am getting thousands of denied packets in my logs. Since yesterday, I have over 9,500 denied packets and my 32meg routers' RAM disk and logs are about full. Almost all of these denied packets seem to be coming from Comcast's DHCP server. Here's a very small sample of the errors I'm getting; perhaps someone can either shed light on this problem and tell me either how to correct the configuration problem (if there is one) or at least how to block these packets from being logged. I'm using Charles Steinkuehler's latest Dachstein release straight out of the box have followed his DHClient setup instructions.
>
> Feb 6 06:42:03 CAROL syslogd 1.3-3#31.slink1: restart.
> Feb 6 06:42:16 CAROL kernel: Packet log: input DENY eth0 PROTO=17 10.117.160.1:67
Re: [Leaf-user] LRP Dachstein Vs. Coyote.
Jason:

Lynn has a pretty good comparison of the various LEAF distros out there on his web site. http://www.geocities.com/guitarlynn/lrp.html

Robert Chambers

Jason C. Leach wrote:
> hi, What are some of the significant differences between Coyote and Charles' version of LRP? j.
Re: [Leaf-user] DCD, ipmasqadm portfw dynamic/private ports ???
On Thursday 07 February 2002 00:26, Michael D. Schleif wrote:

> Is there some _maximum_ port that can be port forwarded?
>
> This fails:
>     INTERN_SERVERS=tcp_${EXTERN_IP}_65456_${LOKI}_www
>
> This succeeds:
>     INTERN_SERVERS=tcp_${EXTERN_IP}_6543_${LOKI}_www
>
> I have scoured /etc/ipfilter.conf, /etc/network.conf and man ipmasqadm; but, I cannot find this limitation. What do you think?

I'd say that probably 65535 is the upper limit. Being the highest number 16 bits can produce...

HTH
Jon Clausen
Re: [Leaf-user] DCD, ipmasqadm portfw dynamic/private ports ???
Jon = 65456 < 65535

Your point?

Jon Clausen wrote:
> On Thursday 07 February 2002 00:26, Michael D. Schleif wrote:
> > Is there some _maximum_ port that can be port forwarded?
> > This fails: INTERN_SERVERS=tcp_${EXTERN_IP}_65456_${LOKI}_www
> > This succeeds: INTERN_SERVERS=tcp_${EXTERN_IP}_6543_${LOKI}_www
> > I have scoured /etc/ipfilter.conf, /etc/network.conf and man ipmasqadm; but, I cannot find this limitation. What do you think?
>
> I'd say that probably 65535 is the upper limit. Being the highest number 16 bits can produce...
> HTH

-- Best Regards, mds mds resource 888.250.3987 Dare to fix things before they break . . . Our capacity for understanding is inversely proportional to how much we think we know. The more I know, the more I know I don't know . . .
[Leaf-user] LEAF routing private IP space
This is my specific setup:

        { Internet }
             |
           [ISP]
             |
         DSL Router
           64.96.78.45     (external)
           192.168.68.1    (internal)
             |
          Ethernet
             |
         LEAF ROUTER
           eth0  192.168.68.254
           eth1  192.168.1.1
             |
          Ethernet
             |
         Workstation
           192.168.1.50

The LEAF Router is running Oxygen 1.8. The DSL router has a static external IP and is performing masquerading NAT on the internal interface on the 192.168.68.0 network. Both interfaces of the LEAF router are static as is the IP of the workstation. The LEAF is also performing masquerading NAT. The default gw of the LEAF router is set to 192.168.68.1 - the internal interface of the DSL router. The default gw of the workstation is set to 192.168.1.1 - the internal interface of the LEAF router.

My symptoms are these: from the LEAF router I can ping all of the devices on the local network as well as the greater Internet. However from the workstation I can only ping as far as the external (eth0 - 192.168.68.254) interface of the LEAF router. I cannot hit the internal interface of the DSL router.

I have disabled checking for martians on the external interface of the LEAF router. I cannot see anything wrong with this setup but I must be missing something basic. Any pointers are greatly appreciated.

Thanks in advance

    # ip addr show
    1: lo: <LOOPBACK,UP> mtu 3924 qdisc noqueue
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
    2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
        link/ether 00:e0:29:6b:0f:0b brd ff:ff:ff:ff:ff:ff
        inet 192.168.68.254/24 brd 192.168.68.255 scope global eth0
    3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
        link/ether 00:e0:29:6b:0f:0f brd ff:ff:ff:ff:ff:ff
        inet 192.168.1.1/24 brd 192.168.1.255 scope global eth1

    # ip route sh
    192.168.1.1 dev eth1 scope link
    192.168.1.0 dev eth1 scope link
    192.168.68.254 dev eth0 scope link
    192.168.68.0 dev eth0 scope link
    192.168.68.0/24 dev eth0 proto kernel scope link src 192.168.68.254
    192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.1
    127.0.0.0/8 dev lo scope link
    default via 192.168.68.1 dev eth0

    # ip neighbour sh
    192.168.68.1 dev eth0 lladdr 00:20:6f:10:d8:cb nud reachable
    192.168.1.50 dev eth1 lladdr 00:80:c8:8b:9e:01 nud reachable
Re: [Leaf-user] crontab vs /etc/cron.d/multicron
On 2/5/02 at 10:56 AM, Matt Schalit [EMAIL PROTECTED] wrote:

> Secondly this whole discussion about setting the date is a waste of time until David replaces the broken busybox date with a working date binary. What good is it to set the clock with atomic precision when date doesn't even know the difference between GMT and EST?

I don't program busybox. I don't control busybox. I didn't write busybox or the busybox date command.

The broken date is only in the reporting of the timezone, as I remember. If the system is set correctly, it doesn't matter. rdate, ntpdate, hwclock - they all work just fine - and two of them are in busybox. As a matter of fact - hwclock is not.

> Most programs get the date and time wrong, while the other half log with a shifted timestamp? The syslog goes kablooie. You have no idea when anything happened.

The programs that get the time wrong are their own problems (not problems with date) - syslogd, for example, is the full version. ssmtp is ssmtp - if it gets the date wrong, it is its own fault as long as the timezones are set correctly.

Make sure TZ is set and /etc/localtime points to a file that exists and is correct. In my mind, the TZ environment variable should be all that is required - but it would appear things are not that way any more. It used to be simple... someone had to muck it up.

At worst - things are either in GMT or in localtime. Period. If it's really bad - forget timezones and set the system hardware time to local time, not GMT.

-- David Douthitt UNIX Systems Administrator HP-UX, Unixware, Linux [EMAIL PROTECTED]
Re: [Leaf-user] Mail logs on Oxygen
On 2/6/02 at 10:26 AM, Munday, Merrick [EMAIL PROTECTED] wrote:

> I'm running the May 2001 release of Oxygen,

The current release is 1.8; May 2001 would be one back.

> 2) To automate the log sending process, I think I need to put something into /etc/cron.daily/multicron-d?

multicron has been removed from Oxygen as of 1.8; put the script into the appropriate slot. You can read up on crontab and edit /etc/crontab, or... Put the script into the directory that describes how often you want it to happen (like /etc/cron.daily) - and it will happen th

> I'm not sure what the right way to solve these two problems is -- should I be trying to put code into multicron-d, or do I need to write a separate script? (I've never done that either)

To be compatible with future versions, you're better off writing your own script from scratch and not using multicron.

-- David Douthitt UNIX Systems Administrator HP-UX, Unixware, Linux [EMAIL PROTECTED]
Re: [Leaf-user] crontab vs /etc/cron.d/multicron
On 2/5/02 at 7:55 AM, Jack Coates [EMAIL PROTECTED] wrote: And how; there's a xntpd package out there, but I haven't seen ntpdate. xntpd's binary is 175,832 bytes; the whole package is 88,007 bytes compressed. ntpdate is 33k uncompressed (and stripped). -- David Douthitt UNIX Systems Administrator HP-UX, Unixware, Linux [EMAIL PROTECTED] ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
Re: [Leaf-user] DCD, ipmasqadm portfw dynamic/private ports ???
From the numbers you report, I wonder if the NAT'ing stuff in the kernel, which uses a high block of ports, somehow conflicts with the port-forwarding stuff. I'd suggest throwing some more pebbles to see experimentally where the line is, trying the hypothesis that it's the NAT range (which I think starts around 61000; do you recall the exact starting value?) that is the problem. Only a guess, though.

On Thursday 07 February 2002 00:26, Michael D. Schleif wrote:

> Is there some _maximum_ port that can be port forwarded?
>
> This fails:
>     INTERN_SERVERS=tcp_${EXTERN_IP}_65456_${LOKI}_www
>
> This succeeds:
>     INTERN_SERVERS=tcp_${EXTERN_IP}_6543_${LOKI}_www
>
> I have scoured /etc/ipfilter.conf, /etc/network.conf and man ipmasqadm; but, I cannot find this limitation.

-- Never tell me the odds! --- Han Solo    Ray Olszewski, Palo Alto, CA [EMAIL PROTECTED]
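Added example (editor's code, not from this thread and not any LEAF script): a small checker for INTERN_SERVERS entries in the proto_extaddr_extport_intaddr_intport form the two entries above use. It keeps ${VAR} references intact for the shell, resolves service names through a constructed table standing in for /etc/services, enforces the 16-bit port range Jon mentions, and warns when the external port falls inside the kernel masquerade pool Ray suggests probing. The 61000-65096 pool is my assumption about the 2.2-kernel default (PORT_MASQ_BEGIN/PORT_MASQ_END in ip_masq.h), not something the thread states; check your kernel. Run on the two entries from the thread it reports 65456 as a legal port lying above that assumed pool, which means whatever rejects it is not the 16-bit limit.

```python
import re
from ipaddress import ip_address

# Constructed stand-in for the /etc/services lookup the real scripts would do.
SERVICE_PORTS = {"domain": 53, "smtp": 25, "ssh": 22, "www": 80, "pptp": 1723}

# Assumed default masquerade port pool of 2.2 kernels; verify against your ip_masq.h.
MASQ_PORT_BEGIN, MASQ_PORT_END = 61000, 65096

# One field is either a ${VAR} reference (may contain underscores) or a run of non-underscores.
FIELD_RE = re.compile(r"\$\{[A-Za-z_][A-Za-z0-9_]*\}|[^_]+")
VAR_RE = re.compile(r"^\$\{[A-Za-z_][A-Za-z0-9_]*\}$")


def resolve_port(token):
    """Numeric port or service name -> int, enforcing 1..65535."""
    if token.isdigit():
        port = int(token)
    elif token.lower() in SERVICE_PORTS:
        port = SERVICE_PORTS[token.lower()]
    else:
        raise ValueError(f"unknown service name {token!r}")
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} is outside 1-65535")
    return port


def resolve_address(token):
    """Leave ${VAR} for the shell; otherwise require a syntactically valid IPv4 address."""
    if VAR_RE.match(token):
        return token
    ip_address(token)  # raises ValueError on junk
    return token


def parse_intern_server(entry):
    """Split proto_extaddr_extport_intaddr_intport into checked fields."""
    fields = FIELD_RE.findall(entry)
    if len(fields) != 5:
        raise ValueError(f"expected 5 fields, got {len(fields)} in {entry!r}")
    proto, ext_addr, ext_port, int_addr, int_port = fields
    if proto.lower() not in ("tcp", "udp"):
        raise ValueError(f"protocol must be tcp or udp, got {proto!r}")
    return {
        "proto": proto.lower(),
        "ext_addr": resolve_address(ext_addr),
        "ext_port": resolve_port(ext_port),
        "int_addr": resolve_address(int_addr),
        "int_port": resolve_port(int_port),
    }


def check_intern_server(entry):
    """Return (fields, messages). fields is None when the entry is malformed;
    messages carries the parse error or advisory warnings."""
    try:
        fields = parse_intern_server(entry)
    except ValueError as exc:
        return None, [f"error: {exc}"]
    warnings = []
    if MASQ_PORT_BEGIN <= fields["ext_port"] <= MASQ_PORT_END:
        warnings.append(
            f"warning: external port {fields['ext_port']} lies in the assumed masquerade pool "
            f"{MASQ_PORT_BEGIN}-{MASQ_PORT_END} and may collide with NAT'd connections"
        )
    return fields, warnings


if __name__ == "__main__":
    for entry in ("tcp_${EXTERN_IP}_65456_${LOKI}_www",
                  "tcp_${EXTERN_IP}_6543_${LOKI}_www",
                  "tcp_${EXTERN_IP}_65536_${LOKI}_www"):
        fields, msgs = check_intern_server(entry)
        print(entry, "->", fields, msgs)
```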
Re: [Leaf-user] LEAF routing private IP space
sigh

We need a FAQ answer for this one too (or do we have one?).

LEAF basic firewalls by default block ALL private-address traffic on the external interface. (At least Dachstein and Eigerstein do, and I think Oxygen is the same in that regard.) So traffic on eth0 to private address 192.168.68.1 gets firewalled.

Solutions:

1. Add a suitable rule to ALLOW traffic to 192.168.68.0/24 on eth0.

2. Run a different drop-in firewall package that checks the gateway address and allows traffic to it. (EchoWall does this, for example.)

Having said all of that, this is really just a guess. Other things could be going on as well. To see all the possibilities, look at the sections of the LEAF FAQ that discuss interpretation of ping failures. (Examples: does the workstation have the right gateway address? Is ip_forwarding turned on on the Oxygen firewall?)

At 11:13 PM 2/6/02 -0800, Greg R wrote:

> This is my specific setup:
>
>         { Internet }
>              |
>            [ISP]
>              |
>          DSL Router
>            64.96.78.45     (external)
>            192.168.68.1    (internal)
>              |
>           Ethernet
>              |
>          LEAF ROUTER
>            eth0  192.168.68.254
>            eth1  192.168.1.1
>              |
>           Ethernet
>              |
>          Workstation
>            192.168.1.50
>
> The LEAF Router is running Oxygen 1.8. The DSL router has a static external IP and is performing masquerading NAT on the internal interface on the 192.168.68.0 network. Both interfaces of the LEAF router are static as is the IP of the workstation. The LEAF is also performing masquerading NAT. The default gw of the LEAF router is set to 192.168.68.1 - the internal interface of the DSL router. The default gw of the workstation is set to 192.168.1.1 - the internal interface of the LEAF router.
>
> My symptoms are these: from the LEAF router I can ping all of the devices on the local network as well as the greater Internet. However from the workstation I can only ping as far as the external (eth0 - 192.168.68.254) interface of the LEAF router. I cannot hit the internal interface of the DSL router.
>
> I have disabled checking for martians on the external interface of the LEAF router. I cannot see anything wrong with this setup but I must be missing something basic. Any pointers are greatly appreciated.
>
> Thanks in advance
>
>     # ip addr show
>     1: lo: <LOOPBACK,UP> mtu 3924 qdisc noqueue
>         link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>         inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
>     2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>         link/ether 00:e0:29:6b:0f:0b brd ff:ff:ff:ff:ff:ff
>         inet 192.168.68.254/24 brd 192.168.68.255 scope global eth0
>     3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>         link/ether 00:e0:29:6b:0f:0f brd ff:ff:ff:ff:ff:ff
>         inet 192.168.1.1/24 brd 192.168.1.255 scope global eth1
>
>     # ip route sh
>     192.168.1.1 dev eth1 scope link
>     192.168.1.0 dev eth1 scope link
>     192.168.68.254 dev eth0 scope link
>     192.168.68.0 dev eth0 scope link
>     192.168.68.0/24 dev eth0 proto kernel scope link src 192.168.68.254
>     192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.1
>     127.0.0.0/8 dev lo scope link
>     default via 192.168.68.1 dev eth0
>
>     # ip neighbour sh
>     192.168.68.1 dev eth0 lladdr 00:20:6f:10:d8:cb nud reachable
>     192.168.1.50 dev eth1 lladdr 00:80:c8:8b:9e:01 nud reachable

-- Never tell me the odds! --- Han Solo    Ray Olszewski, Palo Alto, CA [EMAIL PROTECTED]
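Added example (editor's code, not from this thread or from any LEAF firewall script): Ray's diagnosis rests on two facts that can be checked mechanically, which interface a destination leaves by, and whether that destination is RFC 1918 space on the external interface. The Python below parses the "ip route sh" output quoted from Greg's router, does a longest-prefix lookup for a destination, and then applies the default policy Ray describes (private-address traffic on the external interface is blocked) to say whether a packet to that destination would be dropped before any ALLOW rule is added. The routing table is copied from the post; the "eth0 is external" assignment and the policy itself are taken from Ray's description, and 198.51.100.1 is an RFC 5737 documentation address used as a stand-in Internet host.

```python
from ipaddress import ip_address, ip_network

# Routing table exactly as "ip route sh" printed it on the LEAF router in this thread.
ROUTE_OUTPUT = """\
192.168.1.1 dev eth1 scope link
192.168.1.0 dev eth1 scope link
192.168.68.254 dev eth0 scope link
192.168.68.0 dev eth0 scope link
192.168.68.0/24 dev eth0 proto kernel scope link src 192.168.68.254
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.1
127.0.0.0/8 dev lo scope link
default via 192.168.68.1 dev eth0
"""

EXTERNAL_IFACE = "eth0"  # per the diagram: eth0 faces the DSL router

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_routes(text):
    """Return a list of (destination network, via or None, device) from ip route output."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "default":
            dst = ip_network("0.0.0.0/0")
        elif "/" in parts[0]:
            dst = ip_network(parts[0])
        else:
            dst = ip_network(parts[0] + "/32")  # host route printed without a prefix length
        via = dev = None
        for i, tok in enumerate(parts[1:], start=1):
            if tok == "via":
                via = parts[i + 1]
            elif tok == "dev":
                dev = parts[i + 1]
        routes.append((dst, via, dev))
    return routes


def lookup(routes, addr):
    """Longest-prefix match; returns (device, gateway or None), or None if nothing matches."""
    a = ip_address(addr)
    best = None
    for dst, via, dev in routes:
        if a in dst and (best is None or dst.prefixlen > best[0].prefixlen):
            best = (dst, via, dev)
    return None if best is None else (best[2], best[1])


def is_private(addr):
    a = ip_address(addr)
    return any(a in net for net in RFC1918)


def diagnose(routes, dst_addr, external_iface=EXTERNAL_IFACE):
    """Apply the default LEAF policy from the thread: private destinations leaving by the
    external interface are blocked. Returns (egress device, blocked?)."""
    hit = lookup(routes, dst_addr)
    if hit is None:
        return None, False
    dev, _via = hit
    return dev, (dev == external_iface and is_private(dst_addr))


if __name__ == "__main__":
    routes = parse_routes(ROUTE_OUTPUT)
    for target in ("192.168.68.1", "198.51.100.1", "192.168.1.50"):
        dev, blocked = diagnose(routes, target)
        print(f"{target:15s} via {dev}: {'BLOCKED by private-address rule' if blocked else 'passes'}")
```

The interesting line is the DSL router's inner address: it matches the 192.168.68.0/24 route on eth0 and is private, so the default policy drops it, while an Internet address takes the same interface and passes. That is exactly why Ray's first fix is an ALLOW for 192.168.68.0/24 on eth0 and not a routing change.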