Re: [Leaf-user] port 53 flooding my log

2002-02-15 Thread Steve Jeppesen

On Fri, 15 Feb 2002 04:56:30 GMT
"GREGOR" <[EMAIL PROTECTED]> wrote:

> I'm using DCD, I set it up as firewall, with IP aliasing on eth0, DMZ 
> switch=PRIVATE on eth2 and internal network on eth1 (thanks to Bela, Charles 
> and Ray).
> 
> I've got tons of logs of hits on port 53 like the following examples: 
> 
> Feb 14 06:42:04 firewall syslogd 1.3-3#31.slink1: restart.
> Feb 14 07:31:08 firewall kernel: Packet log: input DENY eth0 PROTO=6
> 167.216.144.43:53 202.149.81.55:53 L=44 S=0x00 I=0 F=0x T=239 (#48) 
>  -snip 
> 
> I've searched the mailing list archives and found the following extra lines 
> to add to the ipfilter.conf file: 
> 
> # New Port 53 filter start  IP_LIST="`cat /etc/dns_floods`"
>  for IP in $IP_LIST; do
> $IPCH -I input -j DENY -p tcp -s $IP/32 -d $EXTERN_IP/32 53 -i$EXTERN_IF
>  done; unset IP
> #New Port 53 filter end 
> 
> I've created the */etc/dns_floods* file as instructed in the archive and 
> also added some more IPs and then did *svi network reload*, but those hits 
> don't seem to stop. 
> 
> Any idea? 
> 
> Thanks in advance. 

In Dachstein, I have found somewhere in the mailing list here that you need to add a 
SILENT DENY section to your /etc/network.conf file.

Mine reads a little like this;

SILENT_DENY="tcp_64.78.235.14_53 tcp_64.56.174.186_53 tcp_64.37.200.46_53"

and so on and so on...

Just make sure to separate each entry with a space and then type
svi network reload
and no more logging of any IP's you list doing scans on your port 53.

Again, thanks to the users on the list here for helping me with that problem.
Steve

___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user



Re: [Leaf-user] 802.11/pcmcia/ide

2002-02-15 Thread Matt Schalit

[EMAIL PROTECTED] wrote:
> 
> I would like to make a series of statements here and appreciate
> anyone's comments as to their truth or idiocy.



  Excellent questions Phil.  Or is it Phillip?  Questions like
this really get me going, but it's a lot of fun.  Let's see
what kind of treatment we can come up with on the subject of

   PC Architecture
   ---------------


  In the beginning, God created the universe with certain 
fundamental quantities we call units that can be symbolized:

   M = mass (kilogram)
   L = length   (meter)
   T = time (second)
   A = electric current (ampere)
   K = temperature  (kelvin)

And perhaps candelas, moles, radians and steradians.  All the
quantities we measure today are combinations of the above fundamental 
units.

   speed = miles/hour = L/T

   acceleration = meters/sec² = meters/(sec x sec) = L/(T x T)



and so on.  A few billion years later, around 600 BC, the Greek 
Philosophers found that amber, when rubbed, would collect bits 
of straw.  Consequently the word electron comes from the Latin 
electrum and Greek elektron, meaning amber.

  The movement of and attraction between electrons led to Maxwell's
equations for electromagnetism.  Using his equations and derived
values like voltage and amperage gave rise to electronics in the
1800's.  Contributions by Einstein, Bohr, Heisenberg and others
led to the creation of Quantum mechanics and Quantum theory, which
simply states that physical systems behave in terms of levels when
you examine them at the very-microscopic scale.  They don't exhibit
a continuous range of behavior - they exhibit behavior at specific
levels.  They only accept energy in specific amounts, and they
only give off energy in specific amounts.

  For instance, an electron can't orbit an atom with any amount of 
energy infused into the electron, it can only accept an infusion of 
energy of a specific amount.  If you hit an electron with just the 
right amount of energy, it will absorb that energy into its movements 
and move to and exist at a higher orbit - a higher energy level.  If 
you put in two times the exact energy, it jumps two levels.  

  In other words the electrons hovering around the atoms in your *blue*
jeans only absorb light that has the exact energy amount needed for that 
electron to jump to the next level.  In this case that exact amount of
energy is the energy contained in blue light.  Green light has the wrong
energy and won't be absorbed by the electrons.  But blue light is absorbed.  

  But now the atom is unstable, because it has more energy than what 
normally makes it stable.  So the electron falls back to the lower 
energy level it came from, giving off the exact amount of energy it 
took in.  That exact amount of energy is the energy value of blue 
light.  Summary:  the electron absorbs only blue light and reradiates 
only blue light, and you see blue jeans.

  That's what happens when energy states are quantized.

  Electronics work in a quantized way both macroscopically and microscopically.  On
the large scale, to simulate a number, a circuit could use +5 volts to represent 
a 1 and ground to represent a 0.  The presence of +5 V or GND on a wire 
indicates a 1 or a 0 is present.  The need to control the output of ones 
and zeros on a wire led to the invention of the vacuum tube.  A vacuum 
tube is an on-off switch.  You switch it on by sending +5 V on a 
control line and +5 V will appear on the output line.

  On the microscopic level, electronic devices use quantum mechanics.
When physicists applied quantum theory to materials constructed of silicon, 
arsenic, gallium, yttrium, barium, and copper oxide, that work led to the 
creation of super-miniature switches that were much better than their bulky 
vacuum tube ancestors.  These new switches, called transistors, are superior 
to vacuum tubes for most purposes.

  The early transistors were called BJTs (Bipolar Junction Transistors), as
opposed to FETs (Field Effect Transistors), and they looked like this:


   [ASCII diagram of a BJT transistor: collector at the top tied to +5 V,
    base entering from the left, emitter leaving at the bottom]


The base is what you control.  The emitter is where your data is.  If you 
hold the base at +5 V, or high, then current flows from the collector to 
the emitter.  Making creative connections with resistors between 

[Leaf-user] help on LEAF ppp.lrp (2.3.11)

2002-02-15 Thread Vic Berdin

Hello all,
 
Can anyone point me to a link where I can get a linux
tool/source that can "setuid-root" the pppd binary that 
comes with the package?
 
TIA!
 





[Leaf-user] The Latest Stable LRP with kernel 2.4.x

2002-02-15 Thread Phillip . Watts




-- Forwarded by Phillip Watts/austin/Nlynx on 02/15/2002
07:50 AM ---


[EMAIL PROTECTED] on 02/14/2002 06:11:41 PM

To:   "LRP" <[EMAIL PROTECTED]>
cc:(bcc: Phillip Watts/austin/Nlynx)

Subject:  [LRP] The Latest Stable LRP with kernel 2.4.x



Hi,

Anyone know what is the latest stable LRP with kernel 2.4.x, with iptables
and support for hard disk?

And where I can find it.

Thanks,


John Smith
[EMAIL PROTECTED]





___
linux-router maillist  -  [EMAIL PROTECTED]
http://www.linuxrouter.org/mailman/listinfo/linux-router







Re: [Leaf-user] help on LEAF ppp.lrp (2.3.11)

2002-02-15 Thread Charles Steinkuehler

> Can anyone point me to a link where I can get a linux
> tool/source that can "setuid-root" the pppd binary that
> comes with the package?

No special tools necessary.  The setuid bit is just one of the normal file
"mode" bits used in *nix.  You see these modes when you do "ls -l".  You can
set the mode bits with the chmod command.

To set the setuid bit on the pppd binary, just:
chmod u+s pppd

If for some reason you have problems with this, you can run:
chmod 4755 pppd

to overwrite any existing permissions, and set the setuid bit in the
process.

You should end up with:
-rwsr-xr-x

as permissions when listed with ls -l...the "s" indicates user execute
permissions, with setuid.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)






[Leaf-user] sshd and putty loggin with keyfile

2002-02-15 Thread Sergio Morilla

Hi,

I'm trying to enable login using putty, sshd and key files.
I copied the key generated with puttygen (SH2RSA) into
authorized_keys2.
All I get is "Server refused our key".
There is no log file for sshd.
How can I know what I'm doing wrong?
Any how-to???

Thanks

Sergio D. Morilla
Sistemas

Tipoiti SATIC
San Martín 647 Piso 2 Tel. : +54 11 4314-4482
C1004AAM - Buenos Aires   Fax  : +54 11 4508-6425
Argentina e-mail [EMAIL PROTECTED]  





Re: [Leaf-user] 802.11/pcmcia/ide

2002-02-15 Thread Phillip . Watts



Wow!

I have a few thousand more questions.
I am an expert french toast chef.

You made a couple prodigious leaps from God to the Greeks and from
mosfet to CPU, but it was very interesting and I would seriously
like to ask some bus questions when I have more time.

But for now:

> DLink, et al, are putting a 802.11b wireless card with antenna on
> Compact Flash.

Sounds interesting.  Do you have a link?

http://www.dlink.com/products/DigitalHome/Mobile/dcf650w/

Now, this device is obviously a 50 pin compact flash.
I am filled with curiosity about this and can't seem to glean anything from
the websites.
The SanDisk compact flash obviously has IDE logic built in.
I wonder is that a standard for compact flash devices?
If so, why would that be?
Why would a wireless card be accessed thru an IDE driver?

I followed your AP link and hit a deadend on the ftp download.

I "gleaned" from your essay that the PC Card Bus Bridge and
the EIDE Host Controller are very similar in function.

The reason I am asking these questions is that we build in house a
very compact thin client with an extra compact flash adapter on
IDE and I'd love to use this little box as a diskless router with an
802.11 lan.


Anyway, thanx.  And I'll come back later with more bus questions if you don't
mind.

( I wonder if the amber monitor(which I miss) was a coincidence
  or subliminal  homage )






RE: [Leaf-user] 1680K Dachstein-IPSec floppy

2002-02-15 Thread Joey Officer

That sounds like a real winner.  I started playing with udhcpd last night
and found that the scripting is pretty straightforward. One question I have,
after combining the scripts (cut & paste), it occurred to me that you
shouldn't really need the script files, but rather a configure file that can
be user modified, and have the inittab actually run the program based on the
conf file.  Anyway .. I made a little progress last night, but not a whole
lot.  I'll let you know more this evening...

The other question I am still working on is this damn serial terminal
problem.  I am still able to get the echo out, and the login says (so on and
so on)  ttyS0, so I know that it is at least allowing a login from the
terminal, but I still cannot transmit data.  This is really starting to
bother me...

Joey


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of guitarlynn
Sent: Thursday, February 14, 2002 11:29 PM
To: Joey Officer
Cc: [EMAIL PROTECTED]
Subject: Re: [Leaf-user] 1680K Dachstein-IPSec floppy


Ok, I did a little more stripping of the system and came up
with an image with dhclient, dhcpd, and 37K blocks of free
room to actually configure it on a 1680K disk. This image
should now fully replace the other two images I made using
the same space.

Here is the image:
http://leaf.sourceforge.net/devel/guitarlynn/images \
/dachstein-v1.0.2-ipsec-full-1680.bin

To get modules that aren't on the disk, get them here:
http://lrp.steinkuehler.net/files/kernels/Dachstein-small/modules/


The big loser this time was local.lrp (which isn't used on the
floppy anyway) and all NIC modules except pci-scan, tulip,
and 3c509. Aside from the stripped modules, everything should
be fully functional.

The tulip module happens to be one of the larger (and most
used) modules, so many people will have to load the modules
they need and get rid of the ones they don't that exist on the
disk. I have left the most commonly used ip_masq modules
on the disk, so the same space requirements apply for these
modules as well. I did this for a safe default space figure, for
instance you can pretty much load the entire "8390.o"
modules (8390, ne.0, ne2k-pci, etc...) in the same space as
the tulip module alone. You'll have to gauge for yourself if
real audio, ICQ, and serial.o are possible with this image.

I'm also looking at implementing udhcp as Charles thought
it might make a sizable replacement for dhclient and dhcpd.
It appears that 50-60k might be gained if it works acceptably.
This extra space would make it possible to make a custom
ppp/pppoe image, which will not be possible IMHO on a
1680-ipsec image at this time. We'll see how it goes 

I hope this pretty much fits the bill for this experiment, for now!
Enjoy!
--

~Lynn Avants
aka Guitarlynn

guitarlynn at users.sourceforge.net
http://leaf.sourceforge.net

If linux isn't the answer, you've probably got the wrong question!




Re: [Leaf-user] An ssh attack against ESb2

2002-02-15 Thread John Desmond

Good idea. When I set this up, I was in my 'textbook'
phase. I could probably afford to get a little fancier
now.
-John

--- Simon Bolduc <[EMAIL PROTECTED]> wrote:
> Another thing you can do is to have SSH listen on a port other than 22.
> I moved mine up into the 2 range.  Most people scan only on well known
> ports (FTP, WWW, SSH, SMTP, etc) so if they don't find anything they move
> on; plenty of vulnerable systems out there, why waste time scanning one
> that doesn't appear to be online, and if it is, it's probably well
> protected.
> 
> S
> 
> 
> >From: John Desmond <[EMAIL PROTECTED]>
> >To: [EMAIL PROTECTED], LEAF User List
> <[EMAIL PROTECTED]>
> >Subject: Re: [Leaf-user] An ssh attack against ESb2
> >Date: Thu, 14 Feb 2002 12:24:36 -0800 (PST)
> >
> >Right you are. And I just tightened it up to only
> the
> >one external location I really want to access it
> from.
> >Too bad that newer OpenSSL is *so-o-o* big. I can't
> >fit it.
> >-John
> >
> >--- "Glenn A. Thompson" <[EMAIL PROTECTED]> wrote:
> > > hey:
> > >
> > > Jeff Newmiller wrote:
> > >
> > > > On Sun, 27 Jan 2002, John Desmond wrote:
> > > >
> > > > > I just picked the following off my ESbeta2 a
> few
> > > > > minutes ago. It claims a "crc32 compensation
> > > attack"
> > > > > was made against it. It went on for about
> 1/2
> > > hour. Is
> > > > > it significant that the source port changes
> with
> > > every
> > > > > connection attempt?
> > > > > I have sshd set up to receive connections
> from
> > > two
> > > > > external IPs (EXTERN_TCP_PORTS="0/0_ssh <2
> > > locations>"
> > >
> > > Doesn't "0/0_ssh mean that the whole world can
> > > connect to port 22 not just two
> > > hosts?
> > >
> > > Glenn
> >
> >





[Leaf-user] Amiga Dachstein Serial port connection

2002-02-15 Thread Richard Hughes

Is there a way to connect an Amiga 3000 via serial
port to the Dachstein, or the best way for Internet
Access?

Off topic, but what is the best TCP stack for the Amiga?




[Leaf-user] ip link set eth0 address

2002-02-15 Thread Henning, Brian

hello-

I tried running the command:
ip link set eth0 address 00:40:54:31:7c:7c

It gave me an error that the device is busy...

This will spoof the mac address when it works...
Do I need to disable something to run this command?


Thanks again,
brian




Re: [Leaf-user] ip link set eth0 address

2002-02-15 Thread Robert Sprockeels

Brian,

You first have to bring the interface down with:
ip link set eth0 down

Robert

Henning, Brian wrote:

>I tried running the command:
>ip link set eth0 address 00:40:54:31:7c:7c
>
>It gave me an error that the device is busy...
>
>This will spoof the mac address when it works...
>Do I need to disable something to run this command?
>






Re: [Leaf-user] ip link set eth0 address

2002-02-15 Thread Charles Steinkuehler

> I tried running the command:
> ip link set eth0 address 00:40:54:31:7c:7c
>
> It gave me an error that the device is busy...
>
> This will spoof the mac address when it works...
> Do I need to disable something to run this command?

IIRC, you may not be able to change the MAC address while the link is
up...try:

svi dhclient stop
net stop
ip link set eth0 address 00:40:54:31:7c:7c
net start
svi dhclient start

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)






Re: [Leaf-user] Amiga Dachstein Serial port connection

2002-02-15 Thread Charles Steinkuehler

> Is there a way to connect an Amiga 3000 via serial
> port to the Dachstein, or the best way for Internet
> Access?

Wow!  Someone still using an Amiga!  I've still got my working A1000 kicking
around.  I did a lot of design work for the Amiga (I work for NewTek, and
did hardware design work on the Video Toaster and Flyer products).

You should be able to setup pppd to talk over a straight serial link.
Details can likely be found in much mainstream linux documentation...there
may even be a few LRP/LEAF specific details floating around somewhere...

> Off topic, but what is the best TCP stack for the Amiga?

I have no idea...the last time I networked an Amiga, it was to a Netware
3.12 fileserver, with the (hard to come-by these days) Commodore ethernet
card...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)






Re: [Leaf-user] 1680K Dachstein-IPSec floppy

2002-02-15 Thread Charles Steinkuehler

> The other question I am still working on is this damn serial terminal
> problem.  I am still able to get the echo out, and the login says (so on
and
> so on)  ttyS0, so I know that it is at least allowing a login from the
> terminal, but I still cannot transmit data.  This is really starting to
> bother me...

Are you sure your cable is OK?  Serial ports will work fine in one direction
only if you're missing the RxD or TxD line.

Also, are both ends happy with the handshaking?  Try setting handshaking to
"none", if you haven't already...even then, some systems will *NOT* ignore
the hardware handshaking signals, and you have to have a properly made
null-modem cable for things to work properly.

There's a reason they sell those little "serial breakout boxes" with the
switches, LEDs, and jumper wires, and why there's one buried somewhere in
most IT departments ;-)

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)






[Leaf-user] [DCD] DMZ SSH still not ... oh that would be a problem...

2002-02-15 Thread Scott Sandeman-Allen

Hello all,

Well, I was all ready to send the message below when I discovered 
what the real problem is... the gateway was set wrong in the 
unreachable box... so it couldn't route the packets back to the 
client.

I include the following as an example of some working settings, 
though they are not the safest, they can be tightened. I'm sure there 
are others on the list which can critique them. My next step will be 
to ensure the only packets into the system are destined for the 
appropriate boxes rather than to anywhere i.e.
EXTERN_TCP_PORT0="0/0_www_231.123.123.242"
EXTERN_TCP_PORT1="_ssh_231.123.123.242"
instead of
EXTERN_TCP_PORTS="0/0_ssh 0/0_www 0/0_ftp 0/0_20"

There are more, but you get the idea. Personally, I found this list 
to be a wealth of configuration info and helped me learn the DCD/LRP. 
So I submit this to the archives ;-)

___ begin original message ___

Hello again,

It's been a long learning curve, but I feel I have most everything 
pulled together. I still have a problem that when installed, the 
router will only let me SSH into one of two servers, the .243 box. 
None of the forwarded services to .242 respond at all. The .244 box 
(part distraction, part sacrificial lamb & 100% MacOS) is not online 
so I can't say if that is working as yet.

I took the approach of simplifying all the settings and therefore 
offering the least security but also the least obscuring to 
protocols. I can refine after it works, but at present that is not 
the case. But I guess that's blatantly obvious ;-!

So, below you will find some grep'd files removing comments and 
altering the _insignificant_ IP numbers. The subnet and the last 
octal are real, only the names have been changed to protect... oops 
pop-culture strikes again. Well this net is certainly becoming a 
'Drag' so I suppose that slip was appropriate =8@



_ begin network.conf

#cat /etc/network.conf

IF_AUTO="eth0 eth1 eth2"

eth0_IPADDR=231.123.123.241
eth0_MASKLEN=29
eth0_BROADCAST=+
eth0_DEFAULT_GW=231.123.123.246
eth0_IP_EXTRA_ADDRS="231.123.123.242
 231.123.123.243
 231.123.123.244"
eth0_IP_SPOOF=YES
eth0_IP_KRNL_LOGMARTIANS=YES
eth0_IP_SHARED_MEDIA=NO
eth0_BRIDGE=NO
eth0_PROXY_ARP=NO
eth0_FAIRQ=NO

eth1_IPADDR=192.168.70.254
eth1_MASKLEN=24
eth1_BROADCAST=+
eth1_IP_SPOOF=YES
eth1_IP_KRNL_LOGMARTIANS=YES
eth1_IP_SHARED_MEDIA=NO
eth1_BRIDGE=NO
eth1_PROXY_ARP=NO
eth1_FAIRQ=NO

eth2_IPADDR=192.168.71.254
eth2_MASKLEN=24
eth2_BROADCAST=+
eth2_IP_SPOOF=YES
eth2_IP_KRNL_LOGMARTIANS=YES
eth2_IP_SHARED_MEDIA=NO
eth2_BRIDGE=NO
eth2_PROXY_ARP=NO
eth2_FAIRQ=NO

IPFILTER_SWITCH=firewall

EXTERN_IF="eth0"
EXTERN_DHCP=NO
EXTERN_DYNADDR=NO

EXTERN_UDP_PORTS="0/0_domain"
EXTERN_TCP_PORTS="0/0_ssh 0/0_www 0/0_ftp 0/0_20"

INTERN_IF="eth1"
INTERN_NET=192.168.70.0/24
INTERN_IP=192.168.70.254

MASQ_SWITCH=YES

INTERN_SERVERS="tcp_231.123.123.244_20_192.168.71.244_20
 tcp_231.123.123.244_ftp_192.168.71.244_ftp
 tcp_231.123.123.242_www_192.168.71.242_www
 tcp_231.123.123.243_ssh_192.168.71.243_ssh
 tcp_231.123.123.242_ssh_192.168.71.242_ssh"

DMZ_SWITCH=YES
DMZ_IF="eth2"
DMZ_NET=192.168.71.0/24

DMZ_SRC=231.123.123.240/29

DMZ_EXT_ADDRS="$eth0_DEFAULT_GW $EXTERN_IP"

DMZ_HIGH_TCP_CONNECT=NO
DMZ_CLOSED_DEST="tcp_${DMZ_NET}_6000:6004 tcp_${DMZ_NET}_7100"

DMZ_OPEN_DEST=" udp_${DMZ_NET}_domain
 tcp_${DMZ_NET}_domain
 icmp_${DMZ_NET}_:
 tcp_231.123.123.242_www
 tcp_231.123.123.242_ssh
 tcp_231.123.123.244_20
 tcp_231.123.123.244_ftp
 tcp_231.123.123.243_ssh"

DMZ_OUTBOUND_ALL=YES

___ end settings _

#ipchains -L -n -v

#*** only TCP and ALL are shown. UDP etc. have been stripped!

Chain input (policy ACCEPT: 0 packets, 0 bytes):
target  prot  ifname  source      destination  ports
ACCEPT  tcp   eth0    0.0.0.0/0   0.0.0.0/0    * -> 22
ACCEPT  tcp   eth0    0.0.0.0/0   0.0.0.0/0    * -> 80
ACCEPT  tcp   eth0    0.0.0.0/0   0.0.0.0/0    * -> 21
ACCEPT  tcp   eth0    0.0.0.0/0   0.0.0.0/0    * -> 20
REJECT  tcp   eth0    0.0.0.0/0   0.0.0.0/0    * -> 113
ACCEPT  tcp   eth0    0.0.0.0/0   0.0.0.0/0    * -> 1024:65535
DENY    all   eth0    0.0.0.0/0   0.0.0.0/0    n/a
ACCEPT  all   *       0.0.0.0/0   0.0.0.0/0    n/a

Chain forward (policy DENY: 0 packets, 0 bytes):
target  prot  ifname  mark  outsize  source          destination  ports
MASQ    tcp   *                      192.168.71.244  0.0.0.0/0    20 -> *
MASQ    tcp   *                      192.168.71.244  0.0.0.0/0    21 -> *
MASQ    tcp   *                      192.168.71.242  0.0.0.0/0    80 -> *
MASQ    tcp   *                      192.168.71.243  0.0.0.0/0    22 -> *
MASQ    tcp   *                      192.168.71.242  0.0.0.0/0    22 -> *
M

Re: [Leaf-user] sshd and putty loggin with keyfile

2002-02-15 Thread Jeff Newmiller

On Fri, 15 Feb 2002, Sergio Morilla wrote:

> Hi,
> 
> I'm trying to enable login using putty, sshd and key files.
> I copied the key generated with puttygen (SH2RSA) into
> authorized_keys2.

You don't indicate that you have OpenSSH installed in your LEAF box.
The most common sshd is version 1 protocol only.

If that isn't the problem, another option is to generate keys under LRP
and move the private identity to the Windows box.

> All I get is "Server refused our key".
> There is no log file for sshd.

? I assume it is running ... you should get output in the files specified
in /etc/syslog.conf.

---
Jeff NewmillerThe .   .  Go Live...
DCN:<[EMAIL PROTECTED]>Basics: ##.#.   ##.#.  Live Go...
  Live:   OO#.. Dead: OO#..  Playing
Research Engineer (Solar/BatteriesO.O#.   #.O#.  with
/Software/Embedded Controllers)   .OO#.   .OO#.  rocks...2k
---





Re: [Leaf-user] port 53 flooding my log

2002-02-15 Thread Victor McAllister

GREGOR wrote:

> I'm using DCD, I set it up as firewall, with IP aliasing on eth0, DMZ
> switch=PRIVATE on eth2 and internal network on eth1 (thanks to Bela, Charles
> and Ray).
>
> I've got tons of logs of hits on port 53 like the following examples:
>

Since you are using DCD - try adding all the port 53 flood servers in
SILENT_DENY.
Here is a copy of my list - note that they are all on one line each machine
separated by a space.  I have modified my list.

# grep SILENT_DENY /etc/network.conf

SILENT_DENY="tcp_64.78.235.14_53 tcp_64.56.174.186_53
tcp_64.37.200.46_53 tcp_64.14.200.154_53 tcp_62.26.119.34_53
tcp_62.23.80.2_53 tcp_216.35.167.58_53 tcp_216.34.68.2_53
tcp_216.33.35.214_53 tcp_216.220.39.42_53 tcp_212.78.160.237_53
tcp_203.208.128.70_53 tcp_203.194.166.182_53 tcp_202.139.133.129_53
tcp_194.213.64.150_53 tcp_194.205.125.26_53"

svi network ipfilter reload

If it stops the log noise - then backup etc.

Victor McAllister






RE: [Leaf-user] sshd and putty loggin with keyfile

2002-02-15 Thread Sergio Morilla

My fault

I'm using sshd version OpenSSH_3.0p1 running on DCD 1.02, putty 0.52

I generated the public key using PuTTYgen, SSH1RSA.
Then I copied (from puttygen) the public key and
pasted it into /etc/ssh/authorized_keys.
Saved sshd.lrp and rebooted.

When I try to log in again

I got:

login as: root
Sent username "root"
Trying public key authentication.
Passphrase for key "rsa-key-20020215":
Server refused our public key.

Any hints?? Some other settings in sshd.config???

Thanks



> -Original Message-
> From: Jeff Newmiller [mailto:[EMAIL PROTECTED]]
> Sent: Friday, February 15, 2002 15:12
> To: Sergio Morilla
> Cc: Leaf-user@lists. sourceforge. net (E-mail)
> Subject: Re: [Leaf-user] sshd and putty loggin with keyfile
> 
> 
> On Fri, 15 Feb 2002, Sergio Morilla wrote:
> 
> > Hi,
> > 
> > I'm trying to enable login using putty, sshd and key files.
> > I copied the key generated with puttygen (SH2RSA) into
> > authorized_keys2.
> 
> you don't indicate that you have OpenSSH installed in your LEAF box.
> the most common sshd is version 1 protocol only.
> 
> If that isn't the problem, another option is to generate keys 
> under LRP
> and move the private identity to the Windows box.
> 
> > All I get is "Server refused our key".
> > There is no log file for sshd.
> 
> ? I assume it is running ... you should get output in the 
> files specified
> in /etc/syslog.conf.
> 
> 
> 




Re: [Leaf-user] Roll-over in /proc/net/dev???

2002-02-15 Thread Simon Bolduc

Never mind - I googled around a lil and discovered that "The
problem was that the tx_bytes and rx_bytes will reset when ~4GB is
transferred."

S


>From: "Simon Bolduc" <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: [Leaf-user] Roll-over in /proc/net/dev???
>Date: Thu, 14 Feb 2002 23:13:52 -0500
>
>Hey all,
>
>  Does the /proc/net/dev file "roll-over" after a certain number of packets
>have been transmitted?  I've been downloading Redhat 7.2 iso's today and
>they weigh in at about 3GB - I've downloaded 2.2 GB so far but if I cat the
>aforementioned file here is what I get (edited to be more readable).
>
>Receive:
>
>              bytes     packets
>eth0:   526 928 908  14 120 236
>eth1: 1 239 783 644  12 518 146
>
>
>Transmit:
>
>              bytes     packets
>eth0: 1 321 054 569  14 284 771
>eth1:    73 717 066  13 736 556
>
>
>And I'm almost positive it was higher earlier today (cause I remember
>thinking "wow - that's all I've transferred in 60 days??"), I think it was a
>little over 2 GB then.  So if anyone out there can answer this burning
>question, I'd appreciate it.
>
>
>S
>
>







Re: [Leaf-user] sshd and putty loggin with keyfile

2002-02-15 Thread Patrick Benson



Sergio Morilla wrote:
> 
> My fault
> 
> I'm using sshd version OpenSSH_3.0p1 running on DCD 1.02, putty 0.52
> 
> I generated the public key using PuTTYgen, SSH1RSA.
> Then I copied (from puttygen) the public key and
> pasted it into /etc/ssh/authorized_keys.
> Saved sshd.lrp and rebooted.
> 
> When I try to log in again
> 
> I got:
> 
> login as: root
> Sent username "root"
> Trying public key authentication.
> Passphrase for key "rsa-key-20020215":
> Server refused our public key.
> 
> Any hints?? Some other settings in sshd.config???

Did you check the permissions of the file after copying and pasting the
key? OpenSSH is picky when dealing with permissions. If you have a Linux
box try ssh -v  and see what the messages say. I usually copy
the public key by floppy to /mnt, set the permissions: chmod 644
, then copy that to authorized_keys(2).

-- 
Patrick Benson
Stockholm, Sweden




Re: [Leaf-user] The Latest Stable LRP with kernel 2.4.x

2002-02-15 Thread Jcaques Nilo

> Hi,
>
> Anyone know what is the latest stable LRP with kernel 2.4.x, with iptables
> and support for hard disk?
>
> And where I can find it.
You might give Bering a try. Check:
http://leaf.sourceforge.net/devel/jnilo

Jacques





Re: [Leaf-user] Re: port 53 flooding my log

2002-02-15 Thread Jeff Newmiller

On Fri, 15 Feb 2002, GREGOR wrote:

> ps... I'm sorry for the typo. the following lines are what actually 
> written in my ipfilter.conf file :
> 
> # New Port 53 filter start
> IP_LIST="`cat /etc/dns_floods`"
> for IP in $IP_LIST; do
> $IPCH -I input -j DENY -p tcp -s $IP/32 -d $EXTERN_IP/32 53 -i $EXTERN_IF
> done; unset IP
> #New Port 53 filter end 

Well, it appears okay to me now.  Perhaps you put it in the wrong place?

I did look at the logs again:

> Feb 14 07:31:08 firewall kernel: Packet log: input DENY eth0 PROTO=6
> 167.216.144.43:53 202.149.81.55:53 L=44 S=0x00 I=0 F=0x T=239 (#48) 

and because the port is 53 (dns), the protocol is tcp (typically only used
for zone transfers), the flags are zero (no SYN bit, so it is not a
connection initiation packet) and given the number of packets, perhaps
it could be due to you running a DNS server on your firewall that is
attempting to initiate inbound zone transfers and these are reply packets?

---
Jeff NewmillerThe .   .  Go Live...
DCN:<[EMAIL PROTECTED]>Basics: ##.#.   ##.#.  Live Go...
  Live:   OO#.. Dead: OO#..  Playing
Research Engineer (Solar/BatteriesO.O#.   #.O#.  with
/Software/Embedded Controllers)   .OO#.   .OO#.  rocks...2k
---
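
As an added illustration of the reasoning above (not code from the thread or from LEAF), here is a small Python parser for the ipchains "Packet log:" line format quoted in this message, which separates TCP/53 packets that carry the SYN marker from those that do not and tallies them per source. The trailing " SYN" marker is assumed from ipchains' logging behaviour, and the sample lines are constructed with RFC 5737 documentation addresses.

```python
import re
from collections import Counter
# Field layout of an ipchains "Packet log:" line as quoted in the thread.
# The optional trailing " SYN" is the marker ipchains prints when a TCP
# packet has SYN set and ACK clear (assumed from ipchains behaviour).
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<len>\d+) S=0x(?P<tos>[0-9a-f]+) "
    r"I=(?P<id>\d+) F=0x(?P<frag>[0-9a-f]*) T=(?P<ttl>\d+)"
    r"(?P<syn> SYN)? \(#(?P<rule>\d+)\)"
)

def parse_packet_log(line):
    """Return the fields of one ipchains log line as a dict, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    pkt = m.groupdict()
    for key in ("proto", "sport", "dport", "len", "ttl", "rule"):
        pkt[key] = int(pkt[key])
    pkt["syn"] = pkt["syn"] is not None
    return pkt

def classify(pkt):
    """Jeff's reasoning: TCP to port 53 without SYN is not a connection
    attempt, so it is most likely a reply to traffic we originated."""
    if pkt["proto"] != 6:
        return "non-tcp"
    if pkt["dport"] == 53:
        return "tcp53-syn" if pkt["syn"] else "tcp53-no-syn"
    return "other-tcp"

def summarize(lines):
    # Count (source address, classification) pairs over a batch of lines.
    counts = Counter()
    for line in lines:
        pkt = parse_packet_log(line)
        if pkt:
            counts[(pkt["src"], classify(pkt))] += 1
    return counts

# Constructed sample lines using RFC 5737 documentation addresses.
SAMPLE = [
    "Feb 14 07:31:08 firewall kernel: Packet log: input DENY eth0 PROTO=6 "
    "192.0.2.43:53 198.51.100.55:53 L=44 S=0x00 I=0 F=0x0000 T=239 (#48)",
    "Feb 14 07:31:09 firewall kernel: Packet log: input DENY eth0 PROTO=6 "
    "192.0.2.43:53 198.51.100.55:53 L=44 S=0x00 I=0 F=0x0000 T=239 (#48)",
    "Feb 14 07:32:01 firewall kernel: Packet log: input DENY eth0 PROTO=6 "
    "203.0.113.9:1057 198.51.100.55:53 L=60 S=0x00 I=0 F=0x4000 T=51 SYN (#48)",
]
```

Sources that only ever show up as "tcp53-no-syn" are the ones worth checking against the firewall's own resolver or zone-transfer activity before adding them to a deny list.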







[Leaf-user] Hotswap firewall, Monitoring Data.

2002-02-15 Thread adstar

Hi all,

I've just installed a full LRP (Eiger Static) firewall (DMZ and all) at a
small client of mine. They have a full class C, a couple hundred clients
in the hosting facilities and a nice little LRP box looking after the whole
show :o)
There are a couple of things that I guess I've wanted answered but now that
I have a client pestering me for some answers I guess these things have
moved up the priority tree.

I'll do a bit of a dump/rant here and hopefully some of you folk can help
me out, I know I've got a LOT of learning to do as I'm not that confident
in scripts etc (I can understand what they are/do but have never "written"
one myself).

I'm wondering if LRP can be setup to have a hot stand-by server. I've
worked with a couple of products (IBM Network Dispatcher for one) that can
handle having a "hot standby machine".
I know this would only appeal to the people that have more than a couple
permanent IPs or the bigger picture people/ISPs.

Some ideas on the hotswap stand by:
Be able to specify if it's a primary or secondary machine (so more params
in network.conf for this).
Both boxes keep a "heart beat" between each other (so each machine needs at
least ONE permanent IP to be able to poll each other.) I have no idea where
to write or run this kind of script?
To start off with I'm happy to "mirror" the network.conf, ipfilter.conf on
the boxes manually, but I guess it would be a nice feature if the secondary
kept itself up to date firewall rule wise from the primary.
Ensure that all IPs are ARP'd on the interfaces (which they are anyway),
so that if the secondary machine finds that the primary has failed all it
needs to do is auto-apply the IPs to its interfaces and "in theory" the
box becomes the primary.
And I guess clean up where need be when the primary does come back online.

I know those couple of lines above seem to make it simple, but I'm hoping
that's all it is. I guess I'm asking all you folk for some guidance on how
I can achieve the above. It would be nice if it's already done, but I can't
find anything as yet, and after spending a fair amount of time mixing
Charlie's Extended scripts with a heap of changes that I want, I think I
have a grasp on how I want to do it, but I don't have the knowledge of the
tools to be able to do it.

Secondly I'm wishing to be able to monitor the amount of data going through
the firewall. When I say monitor I need/want to be able to monitor it down
to the level of number of bytes sent/received, on what port and of course
which IPs. If you have heard of CISCO's NetFlow then that's kinda what I
would like to be able to do on an LRP box. This kind of thing I have no
idea where to start, so if anyone can point me in the right direction that
would be great. The only thing on this is I'm happy to have the LRP box
spit the output of the monitoring to syslog or its own log, but I will be
glad to have it send it over the network to a monitoring machine. (On a
side note, can you set up syslog to a remote machine currently??)

Well that's my rant/wants. If anyone can give me some input on this that
would be awesome. I've worked with PIX firewalls, Raptor, Checkpoint, and I
still seem to go back to using LRP and think this is so simple. :o)

Thanks in advance
Adam Niedzwiedzki
AKA: AdStar®

c: genis-x
a: level 1, 278 church street richmond, victoria, 3121, au, earth
m: +61 040 7322 719
e: [EMAIL PROTECTED]
w: www.genis-x.com
icq: 325910

"I never made a mistake in my life. I thought I did once, but I was wrong."





[Leaf-user] Dachstein plus Seawall problem - network reset

2002-02-15 Thread Tim Wegner

I have been a happy user of Eigerstein (and descendants) plus Seawall 
for quite a while. I am currently using Dachstein RC2 + the latest 
Seawall. I have three NICs, a local network, and a DMZ behind a DSL 
modem. In the DMZ I am using Oxygen as a thin client and running a 
tiny web site.

Recently I noticed that the small web server I keep in the DMZ at 
http://twegner.dynodns.net (a very modest web site) would become 
inaccessible periodically (every few hours). After executing "seawall 
restart" everything is OK for a while. Then bad again.

I sent the results of "seawall status" before and after the web site 
disappeared to Tom Eastep. He told me it appeared that somehow the 
Dachstein network was getting reset, essentially undoing seawall. 
This makes sense because (as has been mentioned recently) seawall 
runs after the Dachstein network has been set up, and essentially 
overwrites the ipchains rules.

It didn't take me long to find the problem. It is in 
/etc/dhclient-exit-hooks. My DSL connection uses DHCP. I noticed this 
problem because apparently the logic in it that detects that the IP has 
changed executes every time the lease is renewed. Since that logic ends 
by causing the network to be reloaded, voila! Seawall is undone.

My workaround was to add the command "seawall restart" after 
"reload_all" (see below). [Note: you will see in this code some logic 
I added to tell my dynamic dns service that my IP has changed. This 
code also logs when that logic executes. Actually, my IP has changed 
once in the last  two years, I have the poor man's static IP! :-)]

My question is NOT what is the bug in the IP changing logic below, I 
can probably figure that out (though if someone sees it instantly 
there is no harm in writing me). This code is supposed to have a bug 
fix I saw in the list from Charles. Maybe I dropped it or did it 
wrong. I will upgrade to the latest Dachstein and see if this IP 
change detection has changed.

Here are the questions:

1. Are there any other places in Dachstein that update the network, 
and need to be followed by "seawall restart"?

2. Is there a better fix for this problem? (This fix works, my humble 
web site has been visible continuously since I edited 
dhclient-exit-hooks.) Unfortunately my fix entangles seawall.lrp and 
dhclient.lrp.

Thanks everyone, I love this list! (Oops "these lists" because I sent 
this to the seawall list as well.)

Tim Wegner

#!/bin/sh
# dhclient-exit-hooks script for LRP
# Charles Steinkuehler, January 2000
# Updated June 27, 2000 to restart dnscache, if present

# Notes:
# 0. This script restarts the following when a new address is acquired
#   a: Firewall filter rules

# Reload the ipchains filter rules so they pick up the current address
reload_all() {
  svi network ipfilter reload
}

# $reason, $old_ip_address and $new_ip_address are exported by dhclient-script
if [ x$reason = xBOUND ] || [ x$reason = xRENEW ] || \
   [ x$reason = xREBIND ] || [ x$reason = xREBOOT ]; then

  # If our IP address changed, or we just got a new address,
  # restart the IP filters, using the new address
  if [ x$old_ip_address = x ] || [ x$old_ip_address != x$new_ip_address ] || \
     [ x$reason = xBOUND ] || [ x$reason = xREBOOT ]; then

    # tell dynodns that the IP has changed
    date >> /var/log/dynodns.txt
    http_get -a twegner.dynodns.net: \
       http://www.dynodns.net/pr/updatens.cgi | \
       grep twegner >> /var/log/dynodns.txt
    #end dynodns changes

    # Reload networking to see new address, then re-apply seawall rules,
    # since the reload replaces the ipchains rules seawall installed
    reload_all
    seawall restart
  fi
fi

if [ x$reason = xEXPIRE ] || [ x$reason = xFAIL ]; then
  # No dhcp lease - Shutdown packet forwarding
  /etc/init.d/network ipfilter flush
fi

if [ x$reason = xTIMEOUT ]; then
  if [ x$timeout_using_old_lease = xTRUE ]; then
    # Successfully using an old lease, even though we can't talk to the
    # dhcp server, so reload network to configure with 'new' address
    reload_all
  else
    # Couldn't find the dhcp server, and can't ping the last default router
    # so let's just give up and stop forwarding packets
    /etc/init.d/network ipfilter flush
  fi
fi






Re: [Leaf-user] 802.11/pcmcia/ide

2002-02-15 Thread Matt Schalit


Hmm. I posted this, but it hasn't appeared.
Well, here it is again.  MS.
=


[EMAIL PROTECTED] wrote:
> 
> Wow!
> 
> I have a few thousand more questions.
> I am an expert french toast chef.
>
> 
> You made a couple prodigious leaps from
>  God to the Greeks and from mosfet to CPU,
>   But it was very interesting and I would
>   seriously like to ask some bus questions
>   when I have more time.


Good stuff that french toast :-)   You can hit the list 
anytime.  We'll see if we can't make sense of this or that.



> But for now:
> 
> > DLink, et al, are putting a 802.11b wireless card with antenna on
> > Compact Flash.
> 
> Sounds interesting.  Do you have a link?
> 
> http://www.dlink.com/products/DigitalHome/Mobile/dcf650w/


Well there are more peripheral connection types than I listed
previously.  There are PC Card slots, Compact Flash compartments,
and SmartCard reader slots.  Take a look at the HP Jornada 720,
which is listed as compatible with the Dlink 650W

  http://www.hp.com/cposupport/manual_set/bpia2316.pdf

Down around page 112 or so it gets into the different cards
and their connectors.  

Compact Flash devices come in Type I and Type II format,
using the names that PC Cards do, but the format is obviously
much different.  CF devices were in general mass storage
devices, and we learned that RAM and Disk drives are both
mass storage devices.  Making CF mass storage cards ATA compliant
and PC-Card compliant means that they can interface easily.

CF mass storage cards      CF I/O cards
---------------------      ------------
Type I  flash              Type I & Type II
Type II flash              modems
Type II microdrive         ethernet nics,
                           serial ports
                           bluetooth wireless
                           USB ports


I haven't heard of a type III CF Card. 


> Now, this device is obviously a 50 pin compact flash.
> I am filled with curiosity about this and can't seem to glean anything from
> the websites.
> The SanDisk compact flash obviously has IDE logic built in.
> I wonder is that a standard for compact flash devices?

Yes it is standard and one of the main selling points of all CF Cards,
which are not PC Cards but are compatible with PC Card specs.



> If so, why would that be?
> Why would a wireless card be accessed thru an IDE driver?

I'm not sure that it does.  It may be that CF I/O cards specifically
emulate something else.  I have a hard time determining the exact
answer to this.  The CF specs are hard to get.  I think I'll dig
around some more and see what turns up.



 
> I followed your AP link and hit a deadend on the ftp download.

Which was that?  The access point one?  What exactly failed?


 
> I "gleaned" from your essay that the PC Card Bus Bridge and
>   the EIDE Host Controller are very similar in function.


Yes, but the CardBus bridge is much more complex because of
the chores it keeps, where the ATA host controller bridge is
mostly just a splitter and a buffer to the bus.

 
> The reason I am asking these questions is that we build in house a
> very compact thin client  with an extra  compact flash adapter on
>  IDE  and I'd love to use this little box as a diskless router with an
>  802.11 lan.

It's perfect for that as far as I can tell.  Just follow the booting
from a hard disk documents, which all refer to ATA as IDE.


 
> Anyway, thanx.  And I'll come back later with more bus questions if you don't
> mind.

"Love this stuff!"  --  Scott Best


 
> ( I wonder if the amber monitor(which I miss) was a coincidence
>   or subliminal  homage )


What a great insight that would be.  Nice one.
Matthew




Re: [Leaf-user] 802.11/pcmcia/ide

2002-02-15 Thread Mike Noyes

At 2002-02-15 18:34 -0800, Matt Schalit wrote:
> > If so, why would that be?
> > Why would a wireless card be accessed thru an IDE driver?
>
>I'm not sure that it does.  It may be that CF I/O cards specifically
>emulate something else.  I have a hard time determining the exact
>answer to this.  The CF specs are hard to get.  I think I'll dig
>around some more and see what turns up.

Matt,
I hope this is what you're looking for.

CF 1.4 specifications.
http://www.compactflash.org/cfspc1_4.pdf

--
Mike Noyes <[EMAIL PROTECTED]>
http://sourceforge.net/users/mhnoyes/
http://leaf.sourceforge.net/content.php?menu=1000&page_id=4

