RE: [Leaf-user] newbie question (Bering/2.4/IDE)
First familiarise yourself with the general methods for running from hard disk via the excellent HOWTO on the LEAF site. Bering's kernel has module support for IDE built in (always a good idea to check the kernel config file which most developers provide with the dist so you can check what is in and out of the kernel). This means that you need to load the ide modules at boot time. The ide modules are available from leaf.sourceforge.net/devel/jnilo/ and are called ide-mod.o, ide-disk.o and ide-probe.mod.o. The procedure for adding modules to /boot/lib/modules is described in the docs on Jacques' LEAF site. Finally make sure you follow the HOWTO on the necessary changes to syslinux and it works. How do I know? Because I happen to have done it on Monday. Good luck rgds/andy -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Adrian Stovall Sent: 26 February 2002 20:48 To: LEAF (E-mail) Subject: [Leaf-user] newbie question (Bering/2.4/IDE) Hi all...I had successfully finished a previous install with a 2.2.19-IDE kernel and run from a small IDE HD. What I would like to do is repeat this with a 2.4 kernel (currently messing around with Bering Beta4...no probs running from floppy). What do I need to do to make this run from a hard drive? I'm hoping for something other than compile a 2.4 kernel with IDE support enabled, but I'll try to if I have no choice (severe lack of experience with compiling a kernel on my own). Is there a 2.4-IDE kernel out there? Am I stupid, and there's some simple config option to make the Bering 2.4 kernel boot from my HD? I'm running this on a Dell PowerApp Web 100 (single PIII-73/256MB/dual EEPro100) and using Bering Beta4/Syslinux 1.66 on my HD. Any info is *greatly* appreciated. TIA Adrian ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
[Leaf-user] Re: [Shorewall-users] LEAF Bering beta4 available
On Fri, 2002-02-22 at 00:49, Jacques Nilo wrote: Changelog for beta4: looks great, are there any plans to make that available on a CD for more space ? It try to access the documentation page, but I get unreachable. Best regards, Christophe -- Christophe Zwecker :Sysctl Susannenstr. 26-28 20357 Hamburg phon/fax: +49 40 43099296/7 mail: [EMAIL PROTECTED] ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
Re: [Leaf-user] newbie question (Bering/2.4/IDE)
On Tue, 26 Feb 2002 14:48:09 CST Adrian wrote: Hi all...I had successfully finished a previous install with a 2.2.19-IDE kernel and run from a small IDE HD. Cool. What I would like to do is repeat this with a 2.4 kernel (currently messing around with Bering Beta4...no probs running from floppy). What do I need to do to make this run from a hard drive? I'm hoping for something other than compile a 2.4 kernel with IDE support enabled, but I'll try to if I have no choice (severe lack of experience with compiling a kernel on my own). Compiling a 2.4 kernel with IDE support using Jacques' kernel config [1] as a starting point shouldn't be too bad. For an alternative solution, read on... Is there a 2.4-IDE kernel out there? Am I stupid, and there's some simple config option to make the Bering 2.4 kernel boot from my HD? I recently setup Bering (beta 3) on a compact flash card plugged into an CF-to-IDE adaptor. I use the stock kernel with with the IDE modules loaded via the initrd image. This isn't necessarily easier than recompiling the kernel, but if you *really* want to avoid re-compiling the kernel, the procedure below should work. Disclaimer: This is mostly from memory, so there may be a few mistakes. I am also assuming the hard disk is /dev/hdc and is temporarily installed in a full-blown Linux system for installation of Bering. 1. Format a partition of your HDD with an MS-DOS filesystem as described in Charles' LRP Hard Disk HOTWO [2] or with the Linux fdisk and mkfs.msdos commands [3]. 2. Mount a copy of the Bering image somewhere convenient: mount -o loop /tmp/bering-1680-b4.bin /mnt/disk/ 3. Uncompress a copy of the Bering initrd.lrp: gunzip -c /mnt/disk/initrd.lrp /tmp/initrd 4. Mount the uncompressed ramdisk image: mount -o loop /tmp/initrd /mnt/initrd 5. Copy the ide-disk.o, ide-mod.o, and ide-probe-mod.o modules from the ide directory of Jacques' modules directory [4] to the mounted initrd image: cp /tmp/ide-disk.o /tmp/ide-mod.o /tmp/ide-probe-mod.o \ /mnt/initrd/boot/lib/modules/ 6. Add lines to boot/etc/modules of the initrd image to load the ide modules: echo ide-mod/mnt/initrd/boot/etc/modules echo ide-disk /mnt/initrd/boot/etc/modules echo ide-probe-mod /mnt/initrd/boot/etc/modules 7. Unmount the initrd image: umount /mnt/initrd 8. Mount the MS-DOS partition you created on the hard drive: mount /dev/hdc1 /mnt/newdisk 9. Copy all files from the Bering image to the new disk: cp /mnt/disk/* /mnt/newdisk 10. Replace the old initrd.lrp with the new one: gzip -9 /tmp/initrd /mnt/newdisk/initrd.lrp 11. Edit syslinux.cfg on the new disk and change the fd0u1680 references to hdc1. 12. Unmount the hard drive: umount /mnt/newdisk 13. Run syslinux on the hard drive partition: syslinux /dev/hdc1 14. Cross your fingers and try to boot from the new image. :) If you run into problems, setting the VERBOSE and DEBUG flags in /linuxrc (in the initrd file system) may help debugging them. I'm running this on a Dell PowerApp Web 100 (single PIII-73/256MB/dual EEPro100) and using Bering Beta4/Syslinux 1.66 on my HD. Any info is *greatly* appreciated. I've probably missed a few details here or there, but it should give you an idea for an approach that doesn't require a kernel recompilealthough recompiling the kernel with IDE support is probably less work. ;) --Brad [1] http://leaf.sourceforge.net/devel/jnilo/bering/beta4/bering-b4.config [2] http://lrp.steinkuehler.net/Documentation/LRPHardDiskHOWTO.txt [3] I had trouble getting the mkfs.msdos created filesystem to boot correctly using syslinux, but it was probably due to an error on my part. [4] http://leaf.sourceforge.net/devel/jnilo/bering/beta4/modules/drivers/ide/ TIA Adrian ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
[Leaf-user] PPPoE or Ethernet
I have the opportunity to setup a firewall for a local non-profit organization. They want Internet access for their office. Both Cable and DSL are available in their area. Prices and speed seem comparable. I have been using Eiger and Dach 'steins for years with a cable connection. I have not used DLS or PPPoE. Are there any advantages/disadvantages with either option? Thanks for your opinions! I am mostly concerned with ease of administration. Sean ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
[Leaf-user] shell script problem
Hi, I would make a little script in sh on my lrp ( dachtein version) and i can't do this : for file in 'ls' ; do echo $file done the echo response is: ls what's wrong, the problem comes from lrp??? Thanks Sylvain ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
Re: [Leaf-user] PPPoE or Ethernet
At 01:27 PM 2/27/02 +, [EMAIL PROTECTED] wrote: I have the opportunity to setup a firewall for a local non-profit organization. They want Internet access for their office. Both Cable and DSL are available in their area. Prices and speed seem comparable. I have been using Eiger and Dach 'steins for years with a cable connection. I have not used DLS or PPPoE. Are there any advantages/disadvantages with either option? Thanks for your opinions! I am mostly concerned with ease of administration. Before you can recommend a solution to them, you need to find out more about what they want. They want Internet access for their office has too many meanings to serve as a guide. The important question is whether they want to make services (like an onsite Web server) available on the Internet. If they do, you want to recommend that they get either (a) a service that offers static addresses -OR- (b) one that offers dynamic addresses that don't change very often (making use of dynamic-DNS service easier and more reliable). The first is better, but the second will be cheaper, and since non-profits rarely have more monry than they know what to do with, cost may be a big issue for them. If you need to opt for (b) above, this *probably* means going with cable. My experience is that cable/DHCP leases change relatively rarely, while DSL/PPPoE leases change multiple times per day. But those observations are generalizations, and you need to find out what is true in your area. If they only need outgoing service, this consideration does not apply. LEAF variants now support both DHCP addressing (used by cable-modem providers) and PPPoE addressing (used by most DSL providers), but do allow for the fact that PPPoE requires a bit higher level of hardware than true Ethernet-based connections. The last thing to think about is service quality, both the frequency of interruptions and the actual speed delivered. Cable connections use shared bandwidth (they are functionally like a hub-based LAN in this respect), so the actual speed delivered can be much lower (or, occasionally, higher) than the service's nominal speed. DSL is point to point, so the promised speed will be the real speed ... between the client site and the ISP. But bandwidth is shared *after* that point, and can be underprovisioned by a DSL ISP as easily as by a cable ISP. There is no general answer to this one; you need to ask around locally to find out what the specific providers you are considering actually do. Aside from that, the only advantage I can see to DSL is that you are likely to have multiple DSL-based ISPs in your area, but only one cable-based ISP. My observation is that this is an advantage of DSL only in theory, though, as the low-price DSL provider always seems to be the telco. -- Never tell me the odds!--- Ray Olszewski-- Han Solo Palo Alto, CA[EMAIL PROTECTED] ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
[Leaf-user] Will LaBrea work with dynamic IP addresses?
Hi folks, I'm confused (what else is new :-) ). Will LaBrea work with the default Dachstein CD (which acts as both a DHCP client Server)? or would I need to change DCD for static addresses? I have my generic, Dachstein CD working O.K., and would like to incorporate LaBrea...but I can't seem to figure out if it will work with the default DCD. Thank you, have a great day! Craig ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
Re: [Leaf-user] shell script problem
You need to use backticks (`) around ls, not single-quotes ('), to
accomplish what you probably want. The script as written below works correctly.
At 04:10 PM 2/27/02 +0100, sylvain pelletier wrote:
Hi,
I would make a little script in sh on my lrp ( dachtein version)
and i can't do this :
for file in 'ls' ; do
echo $file
done
the echo response is: ls
what's wrong, the problem comes from lrp???
--
Never tell me the odds!---
Ray Olszewski-- Han Solo
Palo Alto, CA[EMAIL PROTECTED]
___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
Re: [Leaf-user] Will LaBrea work with dynamic IP addresses?
On Wednesday 27 February 2002 10:14, Simon Bolduc wrote: 2. Create /etc/LaBrea.scr it should contain the following: #!/bin/sh IPADDR=`ip addr list label eth0 | grep inet | \ sed '1!d;s/^[^.0-9]*\([.0-9]*\).*$/\1/'` sed s/IPADDR/$IPADDR/g /etc/LaBrea.in /etc/LaBrea.bpf Nice script. If you want something Dachstein specific that takes the external ip addy and service ports from /etc/network.conf let me know. It would eliminate the need to enter these ports twice in the config. -- ~Lynn Avants aka Guitarlynn guitarlynn at users.sourceforge.net http://leaf.sourceforge.net If linux isn't the answer, you've probably got the wrong question! ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
[Leaf-user] Question of principle: Are ProxyARP DMZ insecure?
Hi all I'm currently in a Watchguard training. I'm going to make the WCP Certificate. The trainer told me, that the Drop-In configuration (ProxyARP DMZ) is less secure than the routed DMZ. I didn't say anything and thought Uh, really? Why?. Is a ProxyARP DMZ less secure than a routed or staticNAT DMZ? Are there even any security related differents? She told me, that staticNAT with a private DMZ is the better solution if you want to save public IP's. I don't think so. I think I run into problems with special applications/protocols if using staticNAT (passiveFTP, PPTP?) Discussion is opened --- Sandro Minola | LEAF Developer (http://leaf.sourceforge.net) mailto:[EMAIL PROTECTED] | mailto:[EMAIL PROTECTED] http://www.minola.ch| http://leaf.sourceforge.net/devel/sminola ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
[Leaf-user] DCD, proxy dmz, snmp icmp ???
We have a DCD setup, including a proxy dmz. SNMP queries work everywhere, excepting systems residing on that dmz. Let me clarify that: snmp queries respond properly from clients inside the private network; but, *not* from the DCD firewall nor internet hosts. Running iptraf on the firewall, we see the snmp queries properly forwarded to the dmz host; but, *nothing* returns from that host. Instead, we see a flurry of these: timestamp ICMP; lo; 99 bytes; from bluetrout.private.network \ to bluetrout.private.network; dest unrch (port) Notice that bluetrout is the firewall. We're unclear as to why snmp queries have anything to do with icmp. What is going on here? What are possible solutions? What do you think? -- Best Regards, mds mds resource 888.250.3987 Dare to fix things before they break . . . Our capacity for understanding is inversely proportional to how much we think we know. The more I know, the more I know I don't know . . . ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
[Leaf-user] FW: [Leaf-devel] Question of principle: Are ProxyARP DMZ insecure?
Hi Charles, hi all Good for you that you question rather than simply believe... Ahh.. OK :) Unfortunately, you can't define in which chain rules go. (Watchguard Fireboxes run on a highly modified kernel 2.0.38) I don't know in which chain the organize their DMZ stuff. Ah...with a 2.0 series kernel, you do *NOT* have a very flexible platform. As there are things you can do with 2.4 kernels and iptables that are difficult or impossible with ipchains, there's a *LOT* you can't do with a 2.0 kernel's packet filtering. I'm not familiar enough with the 2.0 stuff to know for sure, but that could very well be why a proxy-arp based DMZ isn't as secure. If so, just note that it's an artifical limitation of the firewall, and not a basic problem with the topology. Please note that, referring to my trainer, Watchguard don't use a standard 2.0 kernel at all. They rewrote the whole TCP/IP stack and the firewalling part. I don't know how far this is true. I'm sure they've still some parts of the original 2.0 code in their stack. I'll ask her for more details and let you know. --- Sandro Minola | LEAF Developer (http://leaf.sourceforge.net) mailto:[EMAIL PROTECTED] | mailto:[EMAIL PROTECTED] http://www.minola.ch| http://leaf.sourceforge.net/devel/sminola ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
Re: [Leaf-user] DCD, proxy dmz, snmp icmp ???
We have a DCD setup, including a proxy dmz. SNMP queries work everywhere, excepting systems residing on that dmz. Let me clarify that: snmp queries respond properly from clients inside the private network; but, *not* from the DCD firewall nor internet hosts. Running iptraf on the firewall, we see the snmp queries properly forwarded to the dmz host; but, *nothing* returns from that host. Instead, we see a flurry of these: timestamp ICMP; lo; 99 bytes; from bluetrout.private.network \ to bluetrout.private.network; dest unrch (port) Notice that bluetrout is the firewall. We're unclear as to why snmp queries have anything to do with icmp. What is going on here? What are possible solutions? What do you think? Do you have SNMP_BLOCK and SNMP_MANAGER_IPS set properly? Since it sounds like the packets may actually be getting to the DMZ host, do you maybe have a network configuration issue on that system? Your error report lacks enough detail for me to figure out exactly what's happening...not only am I unfamiliar with iptraf output (more of a tcpdump man), IP addresses would be more helpful (does the above really indacate your firewall is pinging itself over the loopback interface, like I think it does?), as well as other details (like details on the packets that you think were OK and went through to the DMZ host). If your local net can see SNMP services on the DMZ host (you indicate it can), but the firewall cannot, something wierd is going on. The internal snmp requests should be using the same query IP as the firewall, since the internal net is masqueraded to the DMZ. Are your firewall rules blocking anything? Did you remember to check (watch the byte/packet counts before and after trying to access your non-working service)? Charles Steinkuehler http://lrp.steinkuehler.net http://c0wz.steinkuehler.net (lrp.c0wz.com mirror) ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
Re: [Leaf-user] DCD, proxy dmz, snmp icmp ???
I was not certain what it is that you want to see -- see below. tcpdump output, run on the local DCD : OK, this helps, but I'm still not sure what I'm looking at. Which interface did you run the tcpdump on? I'm guessing from the packet traffic we're looking at the upstream interface, and not the DMZ interface, but it's hard to be sure... Your first case: [1] Internet host (a.b.c.d) query - dmz host (w.x.y.66) via DCD external port (w.x.z.157) 14:47:11.577976 a.b.c.d.64861 w.x.y.66.161: C=privateCommunity GetNextRequest(17) [|snmp] 14:47:11.578411 w.x.z.157.64943 a.b.c.d.64861: udp 107 14:47:11.598985 a.b.c.d w.x.z.157: icmp: a.b.c.d udp port 64861 unreachable [tos 0xc0] 14:47:12.600050 a.b.c.d.64861 w.x.y.66.161: C=privateCommunity GetNextRequest(17) [|snmp] 14:47:12.600443 w.x.z.157.64943 a.b.c.d.64861: udp 107 14:47:12.686292 a.b.c.d w.x.z.157: icmp: a.b.c.d udp port 64861 unreachable [tos 0xc0] repeats This is just wacky...looks like the remote system sends an SNMP query, followed by your firewall sending a UDP query back to the remote system. Finally, the remote system replies with a destination unreachable packet, probalby meaning inbound UDP packets are firewalled (or connection tracked). My best guess at this point is that your outbound UDP traffic is being masqueraded, and the packet: 14:47:11.578411 w.x.z.157.64943 a.b.c.d.64861: udp 107 is actually the SNMP response, being masqueraded by your firewall... NOTE: All UDP traffic (other than DNS) is masqueraded from the DMZ using the default Dachstein firewall rules, which could explain the above traffic. Even so, the difference between [1], above, and [2], below, has me confused...something had to change between these two samples (or perhaps an unnoted change in the test procedure?). Your second case: [2] Internet host (a.b.c.d) query - dmz host (w.x.y.66) via DCD dmz port (w.x.z.157) 14:50:05.672129 a.b.c.d.64919 w.x.y.66.161: C=privateCommunity GetNextRequest(3)[|snmp] 14:50:05.672360 w.x.y.66.161 a.b.c.d.64919: C=privateCommunity GetResponse(3)[|snmp] 14:50:05.692707 a.b.c.d w.x.y.66: icmp: a.b.c.d udp port 64919 unreachable [tos 0xc0] 14:50:06.682834 a.b.c.d.64919 w.x.y.66.161: C=privateCommunity GetNextRequest(3)[|snmp] 14:50:06.683065 w.x.y.66.161 a.b.c.d.64919: C=privateCommunity GetResponse(3)[|snmp] 14:50:06.702159 a.b.c.d w.x.y.66: icmp: a.b.c.d udp port 64919 unreachable [tos 0xc0] repeats This looks a bit more normal...what changed between this trace and the first trace? Your description is identical. Here you're seeing the SNMP request, followed by an SNMP response, and finally the ICMP destination unreachable message back from the remote host. It sure looks like a.b.c.d is firewalling or otherwise dropping your response packets... Finally, we get to: [3] DCD external port (w.x.y.65 - alias) query - dmz host (w.x.y.66) via DCD external port (w.x.z.157) 14:51:46.455695 w.x.y.65.4709 w.x.y.66.161: C=privateCommunity GetNextRequest(3)[|snmp] 14:51:47.460138 w.x.y.65.4709 w.x.y.66.161: C=privateCommunity GetNextRequest(3)[|snmp] repeats Here we've got nothing but the query packets...no response traffic at all. Without knowing which port you're running tcpdump on, and some more details about your test, I can't help much more... Try to forget everything you know about your network architecture, and look at line [3], above. To me, this is saying you're trying to access your internal DMZ host via SNMP from the firewall's external port. For one, this doesn't really even make sense...if the firewall's talking SNMP to the DMZ, the traffic will be going out the DMZ interface, with a source IP of the DMZ's primary address. I'm not even sure how you'd get snmpwalk or something to use the external IP over the default interface IP. Not knowing which interface the tcpdump came from is also kind of limiting. Any interesting results when looking at the packet counts in your ipchains rules? Charles Steinkuehler http://lrp.steinkuehler.net http://c0wz.steinkuehler.net (lrp.c0wz.com mirror) ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
Re: [Leaf-user] Will LaBrea work with dynamic IP addresses?
I have to say - Simon, along with Charles posted on the list about a week ago and this is how I set mine up last week. I did pretty much the same thing Simon posted, except I took out the v (Verbosely log activity to syslog) out of the OPTIONS= and I disabled logging on port 80 - My ramdisk was pushing 98% capacity in a matter of a few hours! #1 Seems LaBrea is working just fine, too good actually because it is drawing in some active port scanning as well, just increases after they realized something (LaBrea) answered them back. could just change and tcp[2:2] 0xfc00 == 0 in /etc/LaBrea.bpf to read tcp dst port 80 or 21) however I think I would rather just keep it the way it is. #2 It would work even better - say that when any IP that gets teergrubed LaBrea (or some other package?) could run a small script to stop logging anything else to do with that IP.. Feb 27 05:44:12 firewall /usr/sbin/LaBrea: Teergrubing: 80.13.85.237 4427 - 24.118.176.41 21 preferably I would not want this to show up in the log after the previous msg; Feb 27 05:44:12 firewall kernel: Packet log: input DENY eth0 PROTO=6 80.13.85.237:4427 24.118.176.41:21 L=40 S=0x00 I=15884 F=0x4000 T=25 (#67) Feb 27 05:44:17 firewall kernel: Packet log: input DENY eth0 PROTO=6 80.13.85.237:4427 24.118.176.41:21 L=40 S=0x00 I=16298 F=0x4000 T=25 (#67) Feb 27 05:44:20 firewall kernel: Packet log: input DENY eth0 PROTO=6 80.13.85.237:4427 24.118.176.41:21 L=40 S=0x00 I=16508 F=0x4000 T=25 (#67) Feb 27 05:44:26 firewall kernel: Packet log: input DENY eth0 PROTO=6 80.13.85.237:4427 24.118.176.41:21 L=40 S=0x00 I=16875 F=0x4000 T=25 (#67) On Wed, 27 Feb 2002 11:14:28 -0500 Now with the changes I made, and uptime is over three days; Uptime: 12:46:30 up 3 Days (94h), load average: 0.16 0.03 0.01 my ramdisk is fine; /dev/ram1 4049 359 3690 9% /var/log That I can live with. Thanks again to all your help! Steve Simon Bolduc [EMAIL PROTECTED] wrote: This is from the mailing list (modified slightly) - it is a little script that greps your external IP and reconfigures LaBrea on an IP change: 1. Create /etc/LaBrea.in have it contain the following: dst host IPADDR and tcp[2:2] 0xfc00 == 0 and not dst port (port # of any services you run that use ports below 1024 like ssh or ftp or www) 2. Create /etc/LaBrea.scr it should contain the following: #!/bin/sh IPADDR=`ip addr list label eth0 | grep inet | \ sed '1!d;s/^[^.0-9]*\([.0-9]*\).*$/\1/'` sed s/IPADDR/$IPADDR/g /etc/LaBrea.in /etc/LaBrea.bpf 3. Allow LaBrea.scr to be executable: chmod 744 /etc/LaBrea.scr 4. Edit the dhclient-exit-hooks to with the following changes: # Reload networking to see new address reload_all Add a few lines so you have # Reload networking to see new address reload_all /etc/LaBrea.scr svi LaBrea stop svi LaBrea start 5. Back up dhclient and LaBrea - all done :) Just so you know the filter will block all ports below 1024 (which are the ports that are normally denied automatically by Dachstein), make sure you aren't running any services on those ports - or alter the bpf accordingly. If you only have one IP address like I do here are the options that I use to make sure my box doesn't proactively look for unused IPs (contained in the LaBrea startup script): OPTIONS=-i eth0 -l -v -p 8 -z -x -F /etc/LaBrea.bpf Also everything is case sensitive in Linux - thus labrea and LaBrea are two totally different words to the OS - so make sure you are typing things correctly. You may just want to cut and paste. HTH S From: Craig Caughlin [EMAIL PROTECTED] To: LEAF [EMAIL PROTECTED] Subject: [Leaf-user] Will LaBrea work with dynamic IP addresses? Date: Wed, 27 Feb 2002 07:33:33 -0800 Hi folks, I'm confused (what else is new :-) ). Will LaBrea work with the default Dachstein CD (which acts as both a DHCP client Server)? or would I need to change DCD for static addresses? I have my generic, Dachstein CD working O.K., and would like to incorporate LaBrea...but I can't seem to figure out if it will work with the default DCD. Thank you, have a great day! Craig ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user _ Join the worlds largest e-mail service with MSN Hotmail. http://www.hotmail.com ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
[Leaf-user] LRP's firewalling capbility
Hi gurus, I just set up a LRP box using Eiger 2.2.16 with pppoe support by Mike Leone. It's working fine with Bell Canada's Symaptico adsl service. Thanks to all who have put efforts on this image and LRP! Here is my question though. How strong is its firewalling capability? Is it just doing stateless packet filering by using ipchain? Can it do statefull fitering?(know which session a packet belongs to). Can it do proxy level of filtering as well? (e.g, application level filtering such as url blocking, email scanning, virus filtering, etc.) Thanks in advance! Andy ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
Re: [Leaf-user] DCD, proxy dmz, snmp icmp ???
Charles Steinkuehler wrote: I was not certain what it is that you want to see -- see below. tcpdump output, run on the local DCD : OK, this helps, but I'm still not sure what I'm looking at. Which interface did you run the tcpdump on? I'm guessing from the packet traffic we're looking at the upstream interface, and not the DMZ interface, but it's hard to be sure... Your first case: [1] Internet host (a.b.c.d) query - dmz host (w.x.y.66) via DCD external port (w.x.z.157) 14:47:11.577976 a.b.c.d.64861 w.x.y.66.161: C=privateCommunity GetNextRequest(17) [|snmp] 14:47:11.578411 w.x.z.157.64943 a.b.c.d.64861: udp 107 14:47:11.598985 a.b.c.d w.x.z.157: icmp: a.b.c.d udp port 64861 unreachable [tos 0xc0] 14:47:12.600050 a.b.c.d.64861 w.x.y.66.161: C=privateCommunity GetNextRequest(17) [|snmp] 14:47:12.600443 w.x.z.157.64943 a.b.c.d.64861: udp 107 14:47:12.686292 a.b.c.d w.x.z.157: icmp: a.b.c.d udp port 64861 unreachable [tos 0xc0] repeats This is just wacky...looks like the remote system sends an SNMP query, followed by your firewall sending a UDP query back to the remote system. Finally, the remote system replies with a destination unreachable packet, probalby meaning inbound UDP packets are firewalled (or connection tracked). Hence, my confusion . . . My best guess at this point is that your outbound UDP traffic is being masqueraded, and the packet: 14:47:11.578411 w.x.z.157.64943 a.b.c.d.64861: udp 107 is actually the SNMP response, being masqueraded by your firewall... NOTE: All UDP traffic (other than DNS) is masqueraded from the DMZ using the default Dachstein firewall rules, which could explain the above traffic. Even so, the difference between [1], above, and [2], below, has me confused...something had to change between these two samples (or perhaps an unnoted change in the test procedure?). Yes, same test; but, tcpdump on different interface -- see below. Your second case: [2] Internet host (a.b.c.d) query - dmz host (w.x.y.66) via DCD dmz port (w.x.z.157) 14:50:05.672129 a.b.c.d.64919 w.x.y.66.161: C=privateCommunity GetNextRequest(3)[|snmp] 14:50:05.672360 w.x.y.66.161 a.b.c.d.64919: C=privateCommunity GetResponse(3)[|snmp] 14:50:05.692707 a.b.c.d w.x.y.66: icmp: a.b.c.d udp port 64919 unreachable [tos 0xc0] 14:50:06.682834 a.b.c.d.64919 w.x.y.66.161: C=privateCommunity GetNextRequest(3)[|snmp] 14:50:06.683065 w.x.y.66.161 a.b.c.d.64919: C=privateCommunity GetResponse(3)[|snmp] 14:50:06.702159 a.b.c.d w.x.y.66: icmp: a.b.c.d udp port 64919 unreachable [tos 0xc0] repeats This looks a bit more normal...what changed between this trace and the first trace? Your description is identical. Here you're seeing the SNMP request, followed by an SNMP response, and finally the ICMP destination unreachable message back from the remote host. It sure looks like a.b.c.d is firewalling or otherwise dropping your response packets... a.b.c.d is an internet address on the external IF of a remote DCD, behind which is the debian potato from which I tried to snmpwalk the subject dmz hosts. Finally, we get to: [3] DCD external port (w.x.y.65 - alias) query - dmz host (w.x.y.66) via DCD external port (w.x.z.157) 14:51:46.455695 w.x.y.65.4709 w.x.y.66.161: C=privateCommunity GetNextRequest(3)[|snmp] 14:51:47.460138 w.x.y.65.4709 w.x.y.66.161: C=privateCommunity GetNextRequest(3)[|snmp] repeats Here we've got nothing but the query packets...no response traffic at all. This is local DCD to local dmz attempted snmpwalk -- identical query to the previous, remote queries. Without knowing which port you're running tcpdump on, and some more details about your test, I can't help much more... Try to forget everything you know about your network architecture, and look at line [3], above. To me, this is saying you're trying to access your internal DMZ host via SNMP from the firewall's external port. For one, this doesn't really even make sense...if the firewall's talking SNMP to the DMZ, the traffic will be going out the DMZ interface, with a source IP of the DMZ's primary address. I'm not even sure how you'd get snmpwalk or something to use the external IP over the default interface IP. Not knowing which interface the tcpdump came from is also kind of limiting. See ip addr and ip route output below. Any interesting results when looking at the packet counts in your ipchains rules? No -- nothing is logged and when I subtract the obvious: # ipchains -nvL | grep -v '\(ACCEPT\|-l-\)' there is nothing that I find interesting in remaining output. = I am sorry; but, I thought that I differentiated each of my examples. Is there away to get tcpdump to listen to more than one (1) interface at a time? -i any does *not* work . . . This is the invocation, all examples run from the local DCD: tcpdump \ -i $IF \ -l \
[Leaf-user] No firewall / more networks
Kindest greetings, Can anyone help me out and give me some information on the following two points. I currently run Dachstein CD and it works a treat, fair play to all involved. Firstly,I want to know if it is possible to run as a general router without firewalling. And secondly, if it is possible to route between 3or4 different networks, and if so, how can it be done? Does setting the IP Filter Switch to 'router' in network.conf disable the firewall scripts? Any help on details of how to add settings for more eth cards in network.conf would be appreciated. Only static IP addresses will be used and the box will be firewalled from the internet. Thanks in advance, Paul. ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
[Leaf-user] Will LaBrea work with dynamic IP addresses?
Thank you Simon and Lynn for the responses. Unfortunately, I don't quite understand it all (I've taken a college class on Linux because I really enjoy this stuff, but please bear with my ignorance as I learn :-) ). 1.) First, how do I create the /etc/LaBrea.in that you refer to, and how do I create the /etc/LaBrea.scr. Do I do that from the command prompt of DCD by using the ae editor? 2.) How do I edit the dhclient-exit-hooks to? Is that in the network.conf file or ??? Thank you for your help, have a great day!!! Craig P.S. How do you copy and paste with Dachstein? ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
[Leaf-user] Will LaBrea work with dynamic IP addresses?
Thank you Simon and Lynn for the responses. Unfortunately, I don't quite understand it all (I've taken a college class on Linux because I really enjoy this stuff, but please bear with my ignorance as I learn :-) ). 1.) First, how do I create the /etc/LaBrea.in that you refer to, and how do I create the /etc/LaBrea.scr. Do I do that from the command prompt of DCD by using the ae editor? 2.) How do I edit the dhclient-exit-hooks to? Is that in the network.conf file or ??? Thank you for your help, have a great day!!! Craig P.S. How do you copy and paste with Dachstein? ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
[Leaf-user] Re: [Leaf-devel] Question of principle: Are ProxyARP DMZ insecure?
The trainer told me, that the Drop-In configuration (ProxyARP DMZ) is less secure than the routed DMZ. I didn't say anything and thought Uh, really? Why?. Good for you! Good for me that I didn't say anything or good for me that I'm going to make the WCP? :) Good for you that you question rather than simply believe... Unfortunately, you can't define in which chain rules go. (Watchguard Fireboxes run on a highly modified kernel 2.0.38) I don't know in which chain the organize their DMZ stuff. She told me, that she'll explain the whole DMZ stuff more exactly tomorrow. Let's see if she knows what she's talking about... ;) Ah...with a 2.0 series kernel, you do *NOT* have a very flexible platform. As there are things you can do with 2.4 kernels and iptables that are difficult or impossible with ipchains, there's a *LOT* you can't do with a 2.0 kernel's packet filtering. I'm not familiar enough with the 2.0 stuff to know for sure, but that could very well be why a proxy-arp based DMZ isn't as secure. If so, just note that it's an artifical limitation of the firewall, and not a basic problem with the topology. Charles Steinkuehler [EMAIL PROTECTED] ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
[Leaf-user] Re: [Leaf-devel] Question of principle: Are ProxyARP DMZ insecure?
I'm currently in a Watchguard training. I'm going to make the WCP Certificate. The trainer told me, that the Drop-In configuration (ProxyARP DMZ) is less secure than the routed DMZ. I didn't say anything and thought Uh, really? Why?. Good for you! Is a ProxyARP DMZ less secure than a routed or staticNAT DMZ? Are there even any security related differents? She told me, that staticNAT with a private DMZ is the better solution if you want to save public IP's. I don't think so. I think I run into problems with special applications/protocols if using staticNAT (passiveFTP, PPTP?) Discussion is opened All three of the architecture you mention (static-NAT, routed, and proxy-arp) have the same basic packet flow: internet | Firewall - DMZ net Or possibly: internet | Firewall - DMZ net | Internal net The only difference between the flavors of DMZ you mention is what IP addresses and subnet lables get attached to each interface...the security (or lack thereof) depends entirely on what the firewall is doing with the packet data. If you've got a flexible mechanism for building firewall rules, it shouldn't matter which architecture you pick...you should be able to implement your desired firewall functionality with any of the DMZ flavors. NOTE: There are specific things you need to watch for depending on the DMZ architecture. For instance, the Dachstein firewall rules implement routed, static-nat, and proxy-arp DMZ rules in the forward chain, so the packets are blindly accepted in the input chain (to be sorted later). If you're running static-NAT or proxy-arp, the firewall probably has an IP that overlaps with the DMZ network, so you've just potentially opened your firewall's external IP to the world with no filtering! For the curious, that's why the dmz-in and dmz-spoof ipchains are created in this situation...ip's destined for the local box are routed back through the input rule chain, while packets truly destined for the DMZ are accepted in the input chain, then filtered in the forward chain. Charles Steinkuehler [EMAIL PROTECTED] ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
Re: [Leaf-user] Will LaBrea work with dynamic IP addresses?
Hey Craig, Well to answer your first question, ae is the editor you use, just type ae at a command prompt and you should be good, then its just CTRL+W to save the file - so you could just type the file name at the prompt /etc/LaBrea.in or whatever the file name is To edit the dhclient-exit-hooks you run lrcfg at a command prompt, then choose options 3) Package Settings, 4) dhclient (at least its the 4th package on my box), and finally 5) dhclient-exit-hooks after you're done editing you just hit CTRL+Q and type y to save the changes. The easiest way to copy and paste text to your box is to run Putty (at least in a windows environment). You will need to be running SSH to use this. SSH is on your Dachstein CD (assuming you're using the CD version). If you aren't running SSH already here is an (older) document that might help to get you started: http://sourceforge.net/docman/display_doc.php?docid=1441group_id=13751 you can also check the readme.txt contained on the CD: http://lrp1.steinkuehler.net/files/diskimages/dachstein-CD/README.txt assuming you are running SSH properly and are using putty, just highlite the text you want (from the email), right click on it and choose copy. Then to paste it into the putty window right click on the window - and it automagically gets typed in. Putty tends to mess tabs up tho - so you may have some deleting to do. Putty is available here: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html HTH S From: Craig Caughlin [EMAIL PROTECTED] To: LEAF [EMAIL PROTECTED] Subject: [Leaf-user] Will LaBrea work with dynamic IP addresses? Date: Wed, 27 Feb 2002 11:26:36 -0800 Thank you Simon and Lynn for the responses. Unfortunately, I don't quite understand it all (I've taken a college class on Linux because I really enjoy this stuff, but please bear with my ignorance as I learn :-) ). 1.) First, how do I create the /etc/LaBrea.in that you refer to, and how do I create the /etc/LaBrea.scr. Do I do that from the command prompt of DCD by using the ae editor? 2.) How do I edit the dhclient-exit-hooks to? Is that in the network.conf file or ??? Thank you for your help, have a great day!!! Craig P.S. How do you copy and paste with Dachstein? ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user _ Send and receive Hotmail on your mobile device: http://mobile.msn.com ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
Re: [Leaf-user] Will LaBrea work with dynamic IP addresses?
Steve, I long ago stopped logging hits on port 80, and just have them silently denied - it just made the whole messages file too hard to read - you might want to consider doing this. S _ Chat with friends online, try MSN Messenger: http://messenger.msn.com ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
Re: [Leaf-user] even more worried
By chance you didn't leave IE on when you shut down??? I've seen some banner ads run something similar to a lease type connection. Yahoo and flipside.com leave a lot of residual connections like that tied directly to Win32 clients. On Wednesday 27 February 2002 22:24, Scott C. Best wrote: Anyone ever seen this one before: I shut down my WinNT server today to see what TCP/IP traffic a Windows machines makes at powerdown. That is, I was tcpdump'ing on another LAN member. And I saw this: 03:29:14.553849 192.168.123.130.1853 209.73.225.9.80: R 804849242:804849242(0) win 0 (DF) (ttl 128, id 7442) 03:29:14.553965 192.168.123.130.1852 209.73.225.9.80: R 804738457:804738457(0) win 0 (DF) (ttl 128, id 7698) I did a whois on 209.73.225.9 and it came up with something from either PFM Communications: or Cydoor Technologies (they seem to have overlapping IP space). I've just started poking around to learn more about these, check for spy-ware reports, adding -vv to the tcpdump...but I thought I'd ask to see if anyone hear has seen it before. cheers, Scott PS: A Windows machine does spew some NetBIOS traffic to the broadcast address at shutdown. :) Of course...when *doesn't* it do that... ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user -- ~Lynn Avants aka Guitarlynn guitarlynn at users.sourceforge.net http://leaf.sourceforge.net If linux isn't the answer, you've probably got the wrong question! ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
