[Leaf-user] Multiple device for internal networks

2002-03-01 Thread Vic Berdin

Hello All,

In line with the "No firewall / more networks" response from Charles,
and the fact that INTERN_IF and INTERN_IP parameters can only hold
values from a single device, what if I would like to have multiple
devices serve internal networks? And I would like these devices to have the
same security rules. How/where should I declare multiple INTERN devices
in network.conf?

TIA.

-
Message: 1
From: "Charles Steinkuehler" <[EMAIL PROTECTED]>
To: "brooksp" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
Subject: Re: [Leaf-user] No firewall / more networks
Date: Thu, 28 Feb 2002 09:54:50 -0600

> Kindest greetings,
> Can anyone help me out and give me some information on the following
> two points.
> I currently run Dachstein CD and it works a treat, fair play to all
> involved.
> Firstly, I want to know if it is possible to run as a general router
> without firewalling.

Absolutely

> And secondly, if it is possible to route between 3 or 4 different
> networks, and if so, how can it be done?

You can route between as many network connections as you configure your
machine for.  I've run several Dachstein routers/firewalls with 5 10/100
Ethernet ports.

> Does setting the IP Filter Switch to 'router' in network.conf disable
> the firewall scripts?

Not entirely...you'll still have some address spoofing protection, and
traffic that shouldn't be crossing the internet (private IP's, all
zero's/one's, &c) will be dropped.

If you don't want any packet filtering, set the IP filter switch to
"none".

> Any help on details of how to add settings for more eth cards in
> network.conf would be appreciated.
> Only static IP addresses will be used and the box will be firewalled
> from the internet.

To add interfaces, just create additional ethX_* settings (i.e.
eth2_IPADDR, ...), and add the interface to the IF_AUTO list so it will
get configured automatically.

Also, set:
IPFILTER_SWITCH=none
and
IPFWDING_KERNEL=YES

This will get you a multi-port router.  If you need to add any static
routes, you can do so with the ethX_ROUTES setting.  Let's say you get to
the remote 10.2.0.0/24 network via a router at 10.1.0.4, which is attached
to eth3.  Add the following to your eth3 configuration to make a static
route:
eth3_ROUTES="10.2.0.0/24_via_10.1.0.4"

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)



___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
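As an added example, not code from Charles's reply or from the Dachstein scripts: a small POSIX shell script that turns the network.conf settings described above into the commands a multi-port router actually runs. It walks IF_AUTO, prints the `ip route` command implied by each `NET_via_GW` entry in ethX_ROUTES, refuses malformed entries, and checks that kernel forwarding is on (IPFWDING_KERNEL=YES), which is the only thing standing between the networks once IPFILTER_SWITCH=none. The variable names IF_AUTO and ethX_ROUTES are from the reply; the assumption that several routes may be listed space-separated in one ethX_ROUTES string, and the sample values at the bottom, are mine.

```shell
#!/bin/sh
# Added example, not from the original post or the Dachstein scripts.
# Reads network.conf-style variables (IF_AUTO, ethX_ROUTES) and prints the
# route commands they imply, so a multi-port router config can be reviewed
# before it is applied.
# Assumption: ethX_ROUTES holds one or more space-separated "NET_via_GW"
# entries, as in the eth3 example in the reply.

# Print "ip route add ..." for every entry in one interface's route list.
# $1 = interface name, $2 = route list ("10.2.0.0/24_via_10.1.0.4 ...")
render_routes() {
    _if=$1
    for _spec in $2; do
        _net=${_spec%%_via_*}
        _gw=${_spec##*_via_}
        # Reject entries without the _via_ separator, or with an empty half.
        if [ "$_net" = "$_spec" ] || [ -z "$_net" ] || [ -z "$_gw" ]; then
            echo "render_routes: bad route spec '$_spec' on $_if" >&2
            return 1
        fi
        echo "ip route add $_net via $_gw dev $_if"
    done
}

# Walk IF_AUTO and render the ethX_ROUTES string of each listed interface.
render_all() {
    for _if in $IF_AUTO; do
        eval "_routes=\${${_if}_ROUTES}"
        [ -n "$_routes" ] || continue
        render_routes "$_if" "$_routes" || return 1
    done
}

# True if the kernel forwards between interfaces; with IPFILTER_SWITCH=none
# nothing else decides whether traffic crosses the box.
# $1 = sysctl file (defaults to the live kernel value).
forwarding_enabled() {
    _f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$_f" ] && [ "$(cat "$_f")" = "1" ]
}

# Constructed sample settings in the shape of network.conf, used only when
# the real variables are not already in the environment.
if [ -z "$IF_AUTO" ]; then
    IF_AUTO="eth0 eth1 eth3"
    eth0_ROUTES=""
    eth1_ROUTES="10.5.0.0/16_via_10.4.0.1"
    eth3_ROUTES="10.2.0.0/24_via_10.1.0.4 10.3.0.0/24_via_10.1.0.5"
fi

render_all
if forwarding_enabled; then
    echo "# ip_forward=1: router will pass traffic between interfaces"
else
    echo "# ip_forward is off: set IPFWDING_KERNEL=YES or nothing is routed"
fi
```

Run it on the box (or anywhere, with the sample values) to see exactly which routes the configuration adds; a typo such as a missing `_via_` is reported instead of silently producing a broken route.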



Re: [Leaf-user] ipsec.conf assistance..

2002-03-01 Thread Charles Steinkuehler

> I got all of the packages on the diskette (thanks again for so much help
> from Lynn and Charles), and I got the serial device working (I feel like
> such a dolt, I never checked the cable, thanks Charles) but now, after I
> think I've written a very generic .conf file for ipsec, it's bombing, and
> I'm not able to connect to the other site.  Attached is a copy of my
> ipsec.conf, but I'm unable to get any results...
>
> # system wide setup
> config setup
> interfaces=%defaultroute
> klipsdebug=none
> plutodebug=none
> plutoload=%search
> plutostart=%search
> # uniqueids=yes # not yet, otherwise it'll only allow one
> connection
>
> conn %default
> keyingtries=0
> authby=rsasig
>
> # left is joey's house
> # right is the shop
> conn home-office
> left=66.25.44.147
> leftnexthope=66.25.44.1
> leftsubnet=192.168.3.0/24
> leftrsasigkey= < removed for space>
> right=66.25.18.71
> rightnexthope=66.25.18.1
> rightsubnet=192.168.1.0/24
> rightrsasigkey= 
>
> I still have uniqueids commented out because I read that to be that it
> would only allow one connection at a time, i.e. only one user at a time to
> a specific connection; I want to be able to give the whole office access
> to the other network.  Can someone point out the obvious errors, and
> possibly give me some assistance in getting this up...

Assuming your ipsec.secrets file is formatted properly, the big problem I see
with the above is the nexthop settings.  You should be using "leftnexthop"
and "rightnexthop", not "hope".  Since IPSec builds its own routing, these
settings are important.

You may also need to use the leftid and rightid fields, especially if you've
got any home users with dynamic IP's.  I typically use unresolved host
names (a hostname preceded by "@", so IPSec doesn't try to resolve it into
an IP address).

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)





Re: [Leaf-user] Map internal IP to Live external IP

2002-03-01 Thread Charles Steinkuehler

> I'm actually using your Eiger static (but have it running off a HDD etc,
> I'm also running with "some" parts taken from your extended scripts).
> Will I be able to setup the same with this or will I have to move over to
> the Dachstein build?

There is some support for static NAT in Eiger, depending on which version of
the extended scripts you're using.  The Dachstein scripts are substantially
cleaned up supersets of the Eiger extended scripts.  Proxy-arp support in
particular is much improved, and I think there were some static-NAT
enhancements to the firewall rules as well...

> Also when I was building this I used your full extended scripts and found
> I could not ping any of the aliased IP's on eth0, (and you allowed with
> #EXTERN_ICMP_PORT0="0/0 : 1.2.3.12" to activate ICMP to that IP which
> worked fine)
> I'm just wondering what line(s) in the ipfilter.conf configured this, as I
> was comparing the standard ipfilter.conf with the one from the extended
> scripts but couldn't find the difference.

# Open ICMP ports (for aliased external addresses)
walk_list EXTERN_ICMP_PORT $INIT_INDEX open_port icmp $EXTERN_IF $EXTERN_IP

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)





[Leaf-user] Re: Multiple device for internal networks

2002-03-01 Thread Charles Steinkuehler

> In line with the "No firewall / more networks" response from Charles,
> and the fact that INTERN_IF and INTERN_IP parameters can only hold
> values from a single device, what if I would like to have multiple
> devices serve internal networks? And I would like these devices have the
> same security rules. How/where should I declare multiple INTERN devices
> in network.conf?

Just add multiple networks to the INTERN_NET variable, and they'll all get
masqueraded and firewalled.

NOTE:  The multiple nets will all be able to talk to the internet, but they
will *NOT* be able to talk to each other unless you build specific forward
rules allowing this in /etc/ipchains.forward

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)


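As an added example, not from Charles's reply or from the Dachstein scripts: a shell snippet that prints the forward rules /etc/ipchains.forward needs so that the networks listed in INTERN_NET can also reach each other, which, as noted above, the masquerading rules alone do not allow. Because ipchains forward rules match packet by packet with no connection state, each pair of networks needs a rule in both directions or replies are dropped. The variable name INTERN_NET is from the reply and $IPCH is the ipchains variable used in the ipfilter.conf snippet elsewhere on this page; the sample network list is constructed.

```shell
#!/bin/sh
# Added example, not from the original post or the Dachstein scripts.
# Networks listed in INTERN_NET are masqueraded to the internet but cannot
# reach each other until forward rules allow it; this prints those rules
# for /etc/ipchains.forward.
# Assumptions: INTERN_NET is a space-separated list of CIDR networks and
# $IPCH names the ipchains binary (as in the ipfilter.conf snippet on this
# page).  Both are given constructed sample values below.

IPCH=${IPCH:-ipchains}

# Print one ACCEPT rule per ordered pair of distinct networks in $1.  Both
# directions are emitted because ipchains filters each packet on its own:
# a reply from B to A is just another packet that needs its own rule.
intern_forward_rules() {
    for _src in $1; do
        for _dst in $1; do
            [ "$_src" = "$_dst" ] && continue
            echo "$IPCH -A forward -s $_src -d $_dst -j ACCEPT"
        done
    done
}

# Narrower variant for least privilege: only the networks in $1 may talk
# to the networks in $2 (e.g. staff LAN to server LAN, but the guest LAN
# reaches neither).  Replies are allowed with the mirrored rule.
intern_forward_rules_between() {
    for _src in $1; do
        for _dst in $2; do
            [ "$_src" = "$_dst" ] && continue
            echo "$IPCH -A forward -s $_src -d $_dst -j ACCEPT"
            echo "$IPCH -A forward -s $_dst -d $_src -j ACCEPT"
        done
    done
}

# Number of rules a full mesh of N networks produces: N*(N-1).
rule_count() {
    intern_forward_rules "$1" | wc -l | tr -d ' '
}

INTERN_NET=${INTERN_NET:-"192.168.1.0/24 192.168.2.0/24 192.168.3.0/24"}
echo "# full mesh for: $INTERN_NET"
intern_forward_rules "$INTERN_NET"
```

Redirect the output into /etc/ipchains.forward (or paste the lines in). ipchains chains are first-match, so if the traffic is already being masqueraded or denied by an earlier rule in the forward chain, use `-I forward` in place of `-A forward` to put these rules ahead of it, and prefer the `_between` variant when only some networks should see each other.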



[Leaf-user] Will LaBrea work with dynamic IP addresses?

2002-03-01 Thread Craig Caughlin

Hi folks,
Hey Simon...are you reading this??? -if not, hopefully someone can clarify
something for me. Should I create the two files as suggested in Simon's
earlier message (see below) exactly as he has shown...or is there something
unique about my scenario that I should be substituting when I create these
files? Thank you, have a great weekend!!!

Craig

1.  Create /etc/LaBrea.in  have it contain the following:

dst host 
 and tcp[2:2] & 0xfc00 == 0
 and not dst port (port # of any services you run that use ports below
1024 like ssh or ftp or www)

2.  Create /etc/LaBrea.scr   it should contain the following:

#!/bin/sh

IPADDR=`ip addr list label eth0 | grep inet | \
sed '1!d;s/^[^.0-9]*\([.0-9]*\).*$/\1/'`

sed "s//$IPADDR/g" /etc/LaBrea.in >/etc/LaBrea.bpf


3.  Allow LaBrea.scr to be executable:

chmod 744 /etc/LaBrea.scr

4.  Edit the dhclient-exit-hooks with the following changes:

# Reload networking to see new address
   reload_all

Add a few lines so you have

# Reload networking to see new address
   reload_all
   /etc/LaBrea.scr
   svi LaBrea stop
   svi LaBrea start

5.  Back up dhclient and LaBrea - all done :)








Re: [Leaf-user] DCD, proxy dmz, snmp & icmp ???

2002-03-01 Thread Charles Steinkuehler

> Did you see this, yesterday?

Yeah...got distracted while analyzing & it got dropped...

> > The final problem is the fact that you can't do an snmpwalk from the
> > firewall to the DMZ.  Apparently, the SNMP query packets are
> > transmitted, but no response is received.  I still don't understand why
> > this is happening, especially if you can do an snmpwalk from the
> > internal network (I think I remember you saying you could...)
> >
> > Patch your ipfilter.conf, and see how much farther that gets you.  If
> > you still can't snmpwalk from the firewall, take tcpdumps at both the
> > firewall (DMZ IF) and the DMZ system, while trying to snmpwalk from both
> > the firewall and from an internal system.
>
> Following are dumps for snmpwalk failure between DCD and one of its dmz
> hosts.  I have tried to remove spurious data, like Unknown IPX packet
> stuff ;<  The rest I could not rule out -- can you?

We'll see...are you actually running an IPX network?

> [1] tcpdump on DCD, ostensibly pointing only to itself:
>
> tcpdump \
> -i eth1 \
> -l \
> -n \
> not port domain \
> and not port smtp \
> and not port ssh \
> and not port www

Looks good...

> 12:40:34.280871 w.x.y.65.4712 > w.x.y.66.161:  C=privateCommunity
> GetNextRequest(3)[|snmp]
> 12:40:35.290141 w.x.y.65.4712 > w.x.y.66.161:  C=privateCommunity
> GetNextRequest(3)[|snmp]
> 12:40:36.300099 w.x.y.65.4712 > w.x.y.66.161:  C=privateCommunity
> GetNextRequest(3)[|snmp]
> 12:40:37.310112 w.x.y.65.4712 > w.x.y.66.161:  C=privateCommunity
> GetNextRequest(3)[|snmp]
> 12:40:38.320089 w.x.y.65.4712 > w.x.y.66.161:  C=privateCommunity
> GetNextRequest(3)[|snmp]
> 12:40:39.280028 arp who-has w.x.y.66 tell w.x.y.65
> 12:40:39.280169 arp reply w.x.y.66 is-at 0:6:29:a8:1d:df
> 12:40:39.330112 w.x.y.65.4712 > w.x.y.66.161:  C=privateCommunity
> GetNextRequest(3)[|snmp]

These are your SNMP queries, apparently going into never-never land (no
responses).  The arp query at least indicates both your .65 and .66 systems
know each other's physical & logical address.

> 12:40:58.557946 w.x.y.65.62737 > w.x.y.66.110: S
> 2835461865:2835461865(0) win 64240  (DF)
> 12:40:58.558166 w.x.y.66.110 > w.x.y.65.62737: S
> 1431617489:1431617489(0) ack 2835461866 win 6144  (DF)

This is pop traffic...the .66 machine must be doing e-mail (also supported
by your "not port smtp" in the tcpdump filter).  Further port 110 traffic
deleted.

> 12:41:05.346234 w.x.y.65.4712 > w.x.y.66.161:  C=privateCommunity
> GetNextRequest(3)[|snmp]
> 12:41:06.350100 w.x.y.65.4712 > w.x.y.66.161:  C=privateCommunity
> GetNextRequest(3)[|snmp]
> 12:41:07.360117 w.x.y.65.4712 > w.x.y.66.161:  C=privateCommunity
> GetNextRequest(3)[|snmp]
> 12:41:08.370085 w.x.y.65.4712 > w.x.y.66.161:  C=privateCommunity
> GetNextRequest(3)[|snmp]
> 12:41:09.380095 w.x.y.65.4712 > w.x.y.66.161:  C=privateCommunity
> GetNextRequest(3)[|snmp]
> 12:41:10.390114 w.x.y.65.4712 > w.x.y.66.161:  C=privateCommunity
> GetNextRequest(3)[|snmp]

More SNMP queries w/o any response...

> [1] tcpdump on DCD, ostensibly pointing only to its dmz host:
>
> tcpdump \
> -i eth1 \
> -l \
> -n \
> host w.x.y.66 \
> and not port domain \
> and not port smtp \
> and not port ssh \
> and not port www
>
> 12:40:34.280871 w.x.y.65.4712 > w.x.y.66.161:  C=privateCommunity
> GetNextRequest(3)[|snmp]
> 12:40:35.290141 w.x.y.65.4712 > w.x.y.66.161:  C=privateCommunity
> GetNextRequest(3)[|snmp]
> 12:40:36.300099 w.x.y.65.4712 > w.x.y.66.161:  C=privateCommunity
> GetNextRequest(3)[|snmp]
> 12:40:37.310112 w.x.y.65.4712 > w.x.y.66.161:  C=privateCommunity
> GetNextRequest(3)[|snmp]
> 12:40:38.320089 w.x.y.65.4712 > w.x.y.66.161:  C=privateCommunity
> GetNextRequest(3)[|snmp]
> 12:40:39.280028 arp who-has w.x.y.66 tell w.x.y.65
> 12:40:39.280169 arp reply w.x.y.66 is-at 0:6:29:a8:1d:df
> 12:40:39.330112 w.x.y.65.4712 > w.x.y.66.161:  C=privateCommunity
> GetNextRequest(3)[|snmp]
> 12:41:05.346234 w.x.y.65.4712 > w.x.y.66.161:  C=privateCommunity
> GetNextRequest(3)[|snmp]
> 12:41:06.350100 w.x.y.65.4712 > w.x.y.66.161:  C=privateCommunity
> GetNextRequest(3)[|snmp]
> 12:41:07.360117 w.x.y.65.4712 > w.x.y.66.161:  C=privateCommunity
> GetNextRequest(3)[|snmp]
> 12:41:08.370085 w.x.y.65.4712 > w.x.y.66.161:  C=privateCommunity
> GetNextRequest(3)[|snmp]
> 12:41:09.380095 w.x.y.65.4712 > w.x.y.66.161:  C=privateCommunity
> GetNextRequest(3)[|snmp]
> 12:41:10.390114 w.x.y.65.4712 > w.x.y.66.161:  C=privateCommunity
> GetNextRequest(3)[|snmp]

Looks like more of the same...

> What do you think?

I'm confused.  I don't think the firewall rules on the .65 machine can be
your problem, since you're seeing the request packets go out, and even if
the replies were being dropped, tcpdump would see them at the interface.
About the only thing that comes to mind is your snmp configuration on the
.66 machine.  Are you *SURE* you've allowed snmp 
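As an added example, not from the thread: a shell/awk filter that does mechanically what Charles does by eye above. It reads tcpdump -n output, pairs every SNMP request flow (anything sent to port 161) with replies coming back from port 161, and prints the flows that never got one. The point it supports is the one made in the reply: tcpdump on the DMZ interface sees packets regardless of the firewall rules, so a visible request with no visible reply means the far host is not answering, not that the firewall ate the reply. The line shape "TIME SRC.PORT > DST.PORT: ..." is taken from the posted dumps (the newer "TIME IP SRC.PORT > ..." form is also handled); the sample lines are constructed, with a .67 host added to show what an answered flow looks like.

```shell
#!/bin/sh
# Added example, not from the thread.  Pairs SNMP request flows in tcpdump
# output with their replies and reports the flows that got none.
# Assumption: tcpdump's default line shape, either
#   "TIME SRC.PORT > DST.PORT: ..."   (as in the posted dumps) or
#   "TIME IP SRC.PORT > DST.PORT: ..." (newer tcpdump).
# Lines without a ">" token (arp, etc.) are ignored.

# Read tcpdump lines on stdin; print "SRC > DST: N requests, 0 replies"
# for every request flow (dst port 161) with no reply flow (src port 161).
unanswered_snmp() {
    awk '
    {
        # Locate the ">" token so both old and new tcpdump layouts parse.
        gt = 0
        for (i = 2; i <= NF; i++) if ($i == ">") { gt = i; break }
        if (!gt) next
        src = $(gt - 1)
        dst = $(gt + 1); sub(/:$/, "", dst)
        sport = src; sub(/.*\./, "", sport)       # text after the last dot
        dport = dst; sub(/.*\./, "", dport)
        if (dport == 161)      req[src " > " dst]++
        else if (sport == 161) rep[dst " > " src]++   # reversed: the flow it answers
    }
    END {
        for (f in req)
            if (!(f in rep))
                printf "%s: %d requests, 0 replies\n", f, req[f]
    }'
}

# Constructed sample in the shape of the posted dumps: six unanswered
# GetNextRequests to .66, one answered request to a hypothetical .67 host,
# plus an ARP exchange and a POP3 handshake the parser must pass over.
SNMP_SAMPLE='12:40:34.280871 w.x.y.65.4712 > w.x.y.66.161:  C=privateCommunity GetNextRequest(3)[|snmp]
12:40:35.290141 w.x.y.65.4712 > w.x.y.66.161:  C=privateCommunity GetNextRequest(3)[|snmp]
12:40:36.300099 w.x.y.65.4712 > w.x.y.66.161:  C=privateCommunity GetNextRequest(3)[|snmp]
12:40:37.310112 w.x.y.65.4712 > w.x.y.66.161:  C=privateCommunity GetNextRequest(3)[|snmp]
12:40:38.320089 w.x.y.65.4712 > w.x.y.66.161:  C=privateCommunity GetNextRequest(3)[|snmp]
12:40:39.280028 arp who-has w.x.y.66 tell w.x.y.65
12:40:39.280169 arp reply w.x.y.66 is-at 0:6:29:a8:1d:df
12:40:39.330112 w.x.y.65.4712 > w.x.y.66.161:  C=privateCommunity GetNextRequest(3)[|snmp]
12:40:41.100000 w.x.y.65.4713 > w.x.y.67.161:  C=privateCommunity GetNextRequest(3)[|snmp]
12:40:41.100900 w.x.y.67.161 > w.x.y.65.4713:  C=privateCommunity GetResponse(3)[|snmp]
12:40:58.557946 w.x.y.65.62737 > w.x.y.66.110: S 2835461865:2835461865(0) win 64240 (DF)
12:40:58.558166 w.x.y.66.110 > w.x.y.65.62737: S 1431617489:1431617489(0) ack 2835461866 win 6144 (DF)'

printf '%s\n' "$SNMP_SAMPLE" | unanswered_snmp
```

On a live box, `tcpdump -i eth1 -l -n udp port 161 | unanswered_snmp` run on the DMZ interface during an snmpwalk gives the same answer as reading the dump by hand: the flow to .66 shows up as requests with zero replies, and the next place to look is the snmpd configuration on .66.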

Re: [Leaf-user] Will LaBrea work with dynamic IP addresses?

2002-03-01 Thread Simon Bolduc

Hey again Craig,

Nope - the files should be pretty much identical to the ones I showed you 
except you don't need the text in brackets (port # of any services you run 
that use ports below 1024 like ssh or ftp or www)- replace that with the 
port numbers of any services you want to run - i.e. 22 for ssh or 21 for ftp 
- and don't put the brackets in.  If you have more than one service (say 
you're running ssh and ftp on the default ports) your config would look like 
this:

dst host 
  and tcp[2:2] & 0xfc00 == 0
  and not dst port 22
  and not dst port 21

The other thing is when you are configuring your options you might want to 
leave the -v switch out as noted by Steve Jeppesen as it will fill your log 
partition.  As a reference point here is what you probably want as your 
options for LaBrea (you can get to this file by typing in ae 
/etc/init.d/LaBrea):

OPTIONS="-i eth0 -l -p 8 -z -x -F /etc/LaBrea.bpf"


HTH
S






[Leaf-user] DMZ Options

2002-03-01 Thread Reginald R. Richardson

Can someone explain to me the differences in the DMZ options in DCD 1.02

" Whether you want a DMZ or not (YES, PROXY, NAT, PRIVATE, NO) "

Proxy
NAT
Private...

Does PRIVATE mean that I have a DMZ, but with PRIVATE IP ranges etc.?

thn
 
 
-
Reginald R. Richardson
[EMAIL PROTECTED] on 3/1/2002





Re: [Leaf-user] DMZ Options

2002-03-01 Thread Charles Steinkuehler

> " Whether you want a DMZ or not (YES, PROXY, NAT, PRIVATE, NO) "
>
> Proxy
> NAT
> Private...
>
> Does PRIVATE mean, that i have a DMZ, but with PRIVATE ip ranges etc,

YES - This is a traditional "routed" DMZ...your ISP routes a block of IP's
to the external interface of your firewall

PROXY - A "Proxy-ARP" DMZ...used if you've got a block of static IP's from
your ISP.  The firewall essentially "glues together" two identical network
segments, allowing your DMZ systems to be configured with public IP's (just
like they were connected directly to your upstream modem), but still having
the protection of a firewall.

NAT - Similar to a Proxy-ARP setup, but uses static-NAT translation instead.
Each DMZ system is configured with a private IP, and a translation table is
built, converting public IP's to the private IP of your DMZ systems.

PRIVATE - This architecture is unique...it port-forwards specific services
to DMZ machines, which have private IP's.  The main benefit is you don't
have to have multiple IP's assigned to be able to implement this form of
DMZ.

NO - No DMZ

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)





Re: [Leaf-user] ipsec.conf assistance..

2002-03-01 Thread William Brinkman

Joey,

I see nothing terribly wrong with the ipsec.conf file.
Mine does have a leftid and rightid in the conn
home-office section.  I also have an auto=add on the
office and an auto=start on the home section.  Without
these lines it does not know when to start up.  I'm sure
you are reading the configuration section from
freeswan.org.  You might also try the logs to see what
is going on.

# ipsec look - will give you the connections that are
up and allowed.  If the two are tunnel and secure it
gives more information than can be believed.

# more /var/log/log.auth will tell you all about how
the ipsec is connecting.  It will also give you some
real clues on connections.  This will get REAL chatty
if you change the plutodebug to all.

I believe uniqueids means that if "B" machine tries to
connect while "A" still thinks it's connected, "A"
will kill the current session with "B" and start a new
session with "B".

If you have a firewall other options might be needed
like leftfirewall=yes.

I'm about to finish a mini-howto for Dachstein CD
using X.509 certificates.  Let me know if you are
interested.

Hope this helps - Bill






Re: [Leaf-user] ipsec.conf assistance..

2002-03-01 Thread Simon Bolduc

As Charles mentioned earlier - the lines:

leftnexthope=66.25.44.1
rightnexthope=66.25.18.1


should be:

rightnexthop=66.25.44.1
leftnexthop=66.25.18.1







Re: [Leaf-user] ipsec.conf assistance..

2002-03-01 Thread Simon Bolduc

Oops - that should be

leftnexthop=66.25.44.1
rightnexthop=66.25.18.1

I transposed the IP addresses - guess I should read before I post

S


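As an added example, not code from any of the posts in this thread or from FreeS/WAN: the whole exchange above (Charles's "leftnexthope" catch, Bill's note that leftid/rightid and auto= belong in the conn, and Simon's two corrections) comes down to a keyword that nobody can see is misspelled until the tunnel fails to come up. The shell/awk lint below checks every key=value line of an ipsec.conf against a list of keywords it is allowed to use and names the line of any it does not know. The keyword list is a hand-picked subset of the FreeS/WAN ipsec.conf keywords mentioned in this thread plus a few common ones, not the complete set; the sample file is Joey's conn as posted, with constructed @hostname ids, elided keys, and the two misspellings left in.

```shell
#!/bin/sh
# Added example, not from the posts above or from FreeS/WAN.  Lints an
# ipsec.conf for keywords that are not in an allow-list, so a typo such as
# "leftnexthope" is caught before the tunnel is started.
# Assumption: IPSEC_KEYWORDS below is a subset of the FreeS/WAN ipsec.conf
# keywords (the ones used in this thread plus a few common ones); extend it
# for options you use, e.g. leftupdown or keyexchange.

IPSEC_KEYWORDS="interfaces klipsdebug plutodebug plutoload plutostart uniqueids \
keyingtries authby auto type pfs keylife ikelifetime \
left leftnexthop leftsubnet leftrsasigkey leftid leftfirewall \
right rightnexthop rightsubnet rightrsasigkey rightid rightfirewall"

# Lint the ipsec.conf named in $1 (or read from stdin).  Prints one line
# per unknown keyword and exits non-zero if any were found.  Comments,
# blank lines and section headers ("config setup", "conn name") contain no
# "=" and are skipped; the key is whatever precedes the first "=".
lint_ipsec_conf() {
    awk -v known="$IPSEC_KEYWORDS" '
    BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
    {
        line = $0
        sub(/#.*/, "", line)            # strip trailing comments
        sub(/^[ \t]+/, "", line)        # strip indentation
        if (line == "" || index(line, "=") == 0) next
        key = substr(line, 1, index(line, "=") - 1)
        sub(/[ \t]+$/, "", key)
        if (!(key in ok)) {
            printf "line %d: unknown keyword \"%s\"\n", NR, key
            bad++
        }
    }
    END { exit (bad > 0) }' "${1:--}"
}

# Constructed sample: the conn from the thread with the two misspelled
# nexthop lines left in place, @hostname ids as Charles suggests, auto=
# as Bill suggests, and the RSA keys elided.
sample_conf() {
    cat <<'EOF'
config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    plutoload=%search
    plutostart=%search
    # uniqueids=yes

conn %default
    keyingtries=0
    authby=rsasig

conn home-office
    left=66.25.44.147
    leftnexthope=66.25.44.1
    leftsubnet=192.168.3.0/24
    leftid=@home.example
    leftrsasigkey=0sAQ...
    right=66.25.18.71
    rightnexthope=66.25.18.1
    rightsubnet=192.168.1.0/24
    rightid=@office.example
    rightrsasigkey=0sAQ...
    auto=start
EOF
}

echo "== as posted =="
sample_conf | lint_ipsec_conf || echo "(unknown keywords found, as expected)"
echo "== after s/nexthope=/nexthop=/ =="
sample_conf | sed 's/nexthope=/nexthop=/' | lint_ipsec_conf && echo "no unknown keywords"
```

Running `lint_ipsec_conf /etc/ipsec.conf` before `ipsec setup restart` turns the silent "hope" typo into two numbered lines; the lint deliberately knows nothing about values, so a wrong IP or a swapped left/right still has to be checked by reading the file.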



Re: [Leaf-user] Unused IP's with LaBrea

2002-03-01 Thread Steve Jeppesen

No, you do not need another computer.  What was described was for use on
your current DCD setup.

And the scanning doesn't stop just because you load LaBrea.  I use it to
help slow down the spread of viruses.  From what I can tell, by using
LaBrea you also seem to pique one's interest in your IP for a bit longer
than the usual scans (not talking about port 80, I mean 21, 22, 111 etc.)

Good luck
Steve 

On Fri,  1 Mar 2002 11:34:52 -0800
"MLU " <[EMAIL PROTECTED]> wrote:

> Thank you Steve. That's great news. I will try it on the weekend and
> see how it goes with my system.
> 
> Another question? Seems to me from reading your instructions, I do not
> see anything mentioned about having a spare internal machine just for
> that purpose, so just want to double check with you on "Do I have to
> dedicate an internal machine for that purpose"? My system is home-based
> so having another one would be a little bit ouch for me.
> 
> Have a very nice weekend Steve. You can now feel relieved about being
> scanned, right?
> 
> 
> 
> -- Original Message --
> From: Steve Jeppesen <[EMAIL PROTECTED]>
> Date:  Fri, 1 Mar 2002 10:27:17 -0600
> 
> >Sure no problem.
> >Simon had just posted pretty much the same thing as what I did to make
> >LaBrea work with one IP, so I did not want to repeat what he posted.  I
> >will send you what I did anyways;
> >
> >*I am using Dachstein CD v1.0.2 with two network cards but only one
> >dynamically assigned IP*
> >
> >
> >#1 edit lrpkg.cfg to contain ifconfig and LaBrea
> >
> >example:
> >etc,ramlog,local,modules,dhclient,dhcpd,dnscache,weblet,psentry,libz,sshd,ssh,ifconfig,LaBrea
> >
> >
> >
> >#2 create a file called /etc/LaBrea.in which would contain:
> >
> >dst host 
> > and tcp[2:2] & 0xfc00 == 0
> >
> >=
> >
> >#3 create script file called /etc/ipupdate (to update and/or create
> >/etc/LaBrea.bpf)
> >which would contain:
> > 
> >#!/bin/sh
> >
> >IPADDR=`ip addr list label eth0 | grep inet | \
> >sed '1!d;s/^[^.0-9]*\([.0-9]*\).*$/\1/'`
> >
> >sed "s//$IPADDR/g" /etc/LaBrea.in >/etc/LaBrea.bpf
> >
> >=
> >
> >#4 Chmod /etc/ipupdate to 744 
> >
> >chmod 744 /etc/ipupdate
> >
> >=
> >
> >#5 Edit /etc/dhclient-exit-hooks and update with the following changes:
> >
> >change
> ># Reload networking to see new address
> >   reload_all
> >
> >to this
> ># Reload networking to see new address
> >   reload_all
> >   /etc/ipupdate
> >   svi LaBrea stop
> >   svi LaBrea start
> >
> >==
> >
> >#6 Mount CD-ROM and load ifconfig and LaBrea
> >
> >mount -t iso9660 /dev/cdrom /mnt
> >cd /mnt
> >lrpkg -i ifconfig
> >lrpkg -i LaBrea
> >cd ..
> >umount /mnt
> >
> >==
> >
> >#7 Stop the interface from running in promiscuous mode.
> >Edit /etc/init.d/LaBrea and update with the following changes:
> >
> >change
> >ifconfig eth0 promisc
> >
> >to this  
> >ifconfig eth0 -promisc
> >
> >==
> >
> >#8 Edit /etc/init.d/LaBrea and update OPTIONS= to this;
> >
> >OPTIONS="-i eth0 -l -p 8 -z -x -F /etc/LaBrea.bpf"
> >
> >=
> >
> >#9 run ipupdate to create LaBrea.bpf and to test the ipupdate script
> >
> >/etc/ipupdate
> >
> >=
> >
> >what *my* /etc/LaBrea.bpf file should read (listed here as an example);
> >
> > dst host 24.118.176.41
> >  and tcp[2:2] & 0xfc00 == 0
> >
> >=
> >
> >start LaBrea
> >
> >svi LaBrea start
> >
> >=
> >
> >That is all that is needed.  DO NOT FORGET THE -x OPTION IN STEP #8
> >
> >=
> >
> >I chose to not log port 80 scans anymore (that is up to you, it is not
> >required) by editing /etc/ipfilter.conf (towards the end of the file is
> >the best way for me .. a n00B .. to describe where) to add the following
> >2 lines
> >
> >#Deny and don't log Code Red stuff on port 80
> >$IPCH -I input 3 -j DENY -p tcp -s 0/0 -d $EXTERN_IP/32 80 -i $EXTERN_IF
> >
> >=
> >
> >I have had pretty good success in running LaBrea.  Remember when adding the
> >word LaBrea to anything it is case sensitive.  Do not enter labrea,
> >enter it as LaBrea.  Just trying to give you some clues as to what to
> >watch for.
> >
> >Please read https://lists.sourceforge.net/lists/listinfo/leaf-user
> >to catch some of what Simon Bolduc posted concerning this same subject.  You may
> >find

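The ipupdate step above hinges on pulling the interface address out of `ip addr list` and substituting it into a template, and the archive has eaten the placeholder token from the posted sed command. This added example is not Steve's script and not part of the thread: it does the same job with the token written as @IPADDR@ (an assumed name) and refuses to write a filter when the interface has no address yet, which is the state dhclient-exit-hooks can hit on a fresh lease.

```shell
#!/bin/sh
# Added example, not the script from the original post.  Renders a LaBrea BPF
# filter from a template in which the token @IPADDR@ (assumed placeholder; the
# real token was lost in the archive) stands for the interface address.

# Constructed sample of `ip addr list label eth0` output, so the functions can
# be exercised without a network interface.
SAMPLE_IP_OUTPUT='2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
    inet 24.118.176.41/24 brd 24.118.176.255 scope global eth0'

# Constructed template, same shape as the /etc/LaBrea.in in the post.
SAMPLE_TEMPLATE='dst host @IPADDR@
 and tcp[2:2] & 0xfc00 == 0'

# first_ipv4: print the first IPv4 address in iproute "inet" output, or nothing.
# "inet " with a trailing space keeps inet6 lines out of the match.
first_ipv4() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*inet \([0-9][0-9.]*\)\/.*/\1/p' | sed '1!d'
}

# is_ipv4: succeed only for four dotted decimal octets, each in 0..255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|''|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
    return 0
}

# render_filter: substitute the address into the template.  Invalid or empty
# input is refused so a half-configured interface never yields a filter that
# matches nothing (or everything).
render_filter() {
    tmpl=$1; addr=$2
    is_ipv4 "$addr" || return 1
    printf '%s\n' "$tmpl" | sed "s/@IPADDR@/$addr/g"
}

# update_labrea_bpf: the ipupdate equivalent, parameterised for testing.
# $1 = text of the interface listing, $2 = template text; prints the filter.
# In production: update_labrea_bpf "$(ip addr list label eth0)" "$(cat /etc/LaBrea.in)" >/etc/LaBrea.bpf
update_labrea_bpf() {
    addr=$(first_ipv4 "$1")
    render_filter "$2" "$addr"
}
```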
[Leaf-user] FW: fealnx driver for LRP kernel 2.2.19-3-LEAF

2002-03-01 Thread Jan Linders


Does anybody have a compiled fealnx.o driver for my
new LRP machine? The version I'm looking for should be ready for LRP Kernel
2.2.19-3-LEAF.

Thx in advance...


___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user



Re: [Leaf-user] DMZ Options

2002-03-01 Thread Peter Nosko

pn] Sorry 'bout the private message, Charles.  I haven't posted to the list in months,
and I hit reply by habit.

--- Charles Steinkuehler <[EMAIL PROTECTED]> wrote:
> > " Whether you want a DMZ or not (YES, PROXY, NAT, PRIVATE, NO) "
> 
> YES - This is a traditional "routed" DMZ...your ISP routes a block of IP's
> to the external interface of your firewall
> 
> PROXY - A "Proxy-ARP" DMZ...used if you've got a block of static IP's from
> your ISP.  The firewall essentially "glues together" two identical network
> segments, allowing your DMZ systems to be configured with public IP's (just
> like they were connected directly to your upstream modem), but still having
> the protection of a firewall.

pn] I'm not sure I understand the distinction.  If both use public IPs
for the DMZ machines, and in both cases traffic comes/goes through the
external router/firewall interface, what makes each different from the
other?  Maybe a small example would help.

=

-
Peter Nosko ([EMAIL PROTECTED])
This is a good place for a tagline.





Re: [Leaf-user] DMZ Options

2002-03-01 Thread Charles Steinkuehler

> > > " Whether you want a DMZ or not (YES, PROXY, NAT, PRIVATE, NO) "
> >
> > YES - This is a traditional "routed" DMZ...your ISP routes a block of IP's
> > to the external interface of your firewall
> >
> > PROXY - A "Proxy-ARP" DMZ...used if you've got a block of static IP's from
> > your ISP.  The firewall essentially "glues together" two identical network
> > segments, allowing your DMZ systems to be configured with public IP's (just
> > like they were connected directly to your upstream modem), but still having
> > the protection of a firewall.
>
> pn] I'm not sure I understand the distinction.  If both use public IPs
> for the DMZ machines, and in both cases traffic comes/goes through the
> external router/firewall interface, what makes each different from the
> other?  Maybe a small example would help.

Routed DMZ:

ISP router
Static routes 2.2.2.0/24 to 1.1.1.2
1.1.1.1/30
  |
Upstream link (1.1.1.0/30)
  |
1.1.1.2/30
Firewall
2.2.2.1/24
  |
DMZ Network (2.2.2.0/24)
  |
DMZ systems...

Proxy-ARP DMZ:
ISP router
3.3.3.1/29
  |
Upstream link (3.3.3.0/29)
  |
3.3.3.2/29
Firewall - Proxy-arp enabled
3.3.3.2/29
  |
DMZ Network (3.3.3.0/29)
  |
DMZ systems...

Note that a routed DMZ has *TWO* separate subnets.  The one linking your
FW/router with the ISP, and the subnet the ISP routes to you for your local
systems.

The Proxy-ARP DMZ only has *ONE* subnet, with several usable IP's, typical
of cable-modem and xDSL connections with multiple static IP's.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)





RE: [Leaf-user] DMZ Options - additional questions

2002-03-01 Thread Tony


Good Evening,

I would like to build on this DMZ discussion and combine it with a post that
Matt had a few days ago.
My situation is that I am going to implement a DMZ with the private switch,
and have a second firewall (MS ISA server) between the DMZ and internal
network.

Here is a lame pic of what I want to do:

Internet
 |
 |
 |
 |eth0 (IP assigned from RR)
LRP Box
 | |
 | |eth1(192.168.1.2)
 | |
 | |_ 192.168.1.0/24 DMZ
 |
 eth2 (192.168.1.3)
 |
192.168.1.1 ISA ext. nic
192.168.0.1 ISA int. network
 |
 |
Internal network (192.168.0.0/24)

OK, now what I was thinking was, that the eth1 and eth2 would be on the same
subnet.  This way, updating the web server from the internal network would
be fairly easy, because the internal nets default gateway is the ISA server,
and the external nic on the ISA server has a default gateway of the LRP box.
Same with the DMZ box.  Assuming they penetrate the LRP box and hack the DMZ
server, they are still removed from the internal net by the ISA server.

I want to allow the DMZ box access to a Access database on the internal
network (read only) and the DMZ box also needs access to relay SMTP messages
to an internal Exchange box.  The DMZ box is a W2K server running IIS and
SMTP w/ ISA's message screener.  (Everything is patched :-)

Anyway, what do you all think?  Any flaws you can see in this plan?

I appreciate all the feedback you can give

Thanks

Tony

>
> > " Whether you want a DMZ or not (YES, PROXY, NAT, PRIVATE, NO) "
> >
> > Proxy
> > NAT
> > Private...
> >
> > Does PRIVATE mean, that i have a DMZ, but with PRIVATE ip ranges etc,
>
> YES - This is a traditional "routed" DMZ...your ISP routes a block of IP's
> to the external interface of your firewall
>
> PROXY - A "Proxy-ARP" DMZ...used if you've got a block of static IP's from
> your ISP.  The firewall essentially "glues together" two identical network
> segments, allowing your DMZ systems to be configured with public IP's (just
> like they were connected directly to your upstream modem), but still having
> the protection of a firewall.
>
> NAT - Similar to a Proxy-ARP setup, but uses static-NAT translation instead.
> Each DMZ system is configured with a private IP, and a translation table is
> built, converting public IP's to the private IP of your DMZ systems.
>
> PRIVATE - This architecture is unique...it port-forwards specific services
> to DMZ machines, which have private IP's.  The main benefit is you don't
> have to have multiple IP's assigned to be able to implement this form of
> DMZ.
>
> NO - No DMZ
>
> Charles Steinkuehler
> http://lrp.steinkuehler.net
> http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
>






[Leaf-user] help on wireless pcmcia

2002-03-01 Thread Vic Berdin

Hello everyone,

Has anyone been successful in rolling a wireless pcmcia package for DS
1.0.2? (with kernel Dachstein-normal.tar.gz <- not really sure if this
supports wireless pcmcia/pcmcia). If so, care to share it? I'm trying to
roll out my own. And the modules I've gotten from
http://www.rarf.riken.go.jp/archives/Linux/slackware/slackware seem to
load without any errors. But my problem is, the cardmgr daemon can't
automatically detect if a pcmcia card is replaced. If I manually insmod
the corresponding driver for a card (and it loads), then pull the card
off, the daemon properly uninstalls (rmmod) the modules involved
(of course leaving i82365, ds, and pcmcia_core untouched). My problem is
to make the package detect the card automatically. I also compiled iw*
tools and rolled them along with the package.
Another concern of mine is that I'm not sure if the kernel I'm using has
wireless pcmcia support (but I was able to insmod, maybe it does). Can
anyone also throw me a copy of a complete menuconfig for DS1.0.2 that
supports wireless pcmcia and usb? Or you can also throw in a fully
functional kernel if possible :o). I'm currently running everything on a
HD so size really doesn't bother me.

Any attempt to help is greatly appreciated.

TIA!






Re: [Leaf-user] DCD, proxy dmz, snmp & icmp ???

2002-03-01 Thread Michael D. Schleif


Charles Steinkuehler wrote:
> 
> > Did you see this, yesterday?
> 
> Yeah...got distracted while analyzing & it got dropped...

OK, sorry for my impatience . . .

> > > The final problem is the fact that you can't do an snmpwalk from the
> > > firewall to the DMZ.  Apparently, the SNMP query packets are transmitted,
> > > but no response is received.  I still don't understand why this is
> > > happening, especially if you can do an snmpwalk from the internal network (I
> > > think I remember you saying you could...)
> > >
> > > Patch your ipfilter.conf, and see how much farther that gets you.  If you
> > > still can't snmpwalk from the firewall, take tcpdumps at both the firewall
> > > (DMZ IF) and the DMZ system, while trying to snmpwalk from both the firewall
> > > and from an internal system.
> >
> > Following are dumps for snmpwalk failure between DCD and one of its dmz
> > hosts.  I have tried to remove spurious data, like Unknown IPX packet
> > stuff ;<  The rest I could not rule out -- can you?
> 
> We'll see...are you actually running an IPX network?

Yes, and else, too ;>

[ snip ]

> I'm confused.  I don't think the firewall rules on the .65 machine can be
> your problem, since you're seeing the request packets go out, and even if
> the replies were being dropped, tcpdump would see them at the interface.
> About the only thing that comes to mind is your snmp configuration on the
> .66 machine.  Are you *SURE* you've allowed snmp queries from the firewall
> IP and you're not firewalling any traffic on the .66 system?  Which version
> of SNMP are you running?

Join the club ;>

w.x.y.66 is a netware v5.x box, a mail server running groupies, &c. 
It's not my environment, but an associate's.  I know (next to) nothing
about netware and he knows nearly nothing about snmp.  I've queried snmp
v1, 2c and 3 -- all same results.  No, there is not any ip filtering on
that box.

> If you can't find any problems with the configuration of the .66 machine, do
> a tcp dump on the DMZ IF of the the firewall while trying to snmpwalk from
> the firewall and from an internal network system (am I remembering correctly
> that you said internal systems could see the DMZ snmp server?).  It would
> probably also help if you provide the output of net ipfilter list and your
> snmp config file from the DMZ system...

Yes, I can snmpwalk w.x.y.66 *both* from a remote internet host _and_
from some moronic wintel box inside its internal network (notice, *not*
on the dmz).

This weekend, I will try to comply with your latest test . . .

Follows, hopefully readable, is output of net ipfilter list from subject
DCD:

Chain input (policy DENY: 7 packets, 801 bytes):
 pkts bytes target prot opt tosa tosx ifname mark outsize source           destination      ports
    0     0 DENY   all  --  0xFF 0x00 wan1                0.0.0.0/0        255.255.255.255  n/a
    0     0 DENY   icmp l-  0xFF 0x00 *                   0.0.0.0/0        0.0.0.0/0        5 ->   *
    0     0 DENY   icmp l-  0xFF 0x00 *                   0.0.0.0/0        0.0.0.0/0        13 ->   *
    0     0 DENY   icmp l-  0xFF 0x00 *                   0.0.0.0/0        0.0.0.0/0        14 ->   *
    0     0 DENY   all  l-  0xFF 0x00 wan1                0.0.0.0          0.0.0.0/0        n/a
  143       DENY   all  l-  0xFF 0x00 wan1                255.255.255.255  0.0.0.0/0        n/a
    0     0 DENY   all  l-  0xFF 0x00 wan1                127.0.0.0/8      0.0.0.0/0        n/a
    0     0 DENY   all  l-  0xFF 0x00 wan1                224.0.0.0/4      0.0.0.0/0        n/a
    0     0 DENY   all  l-  0xFF 0x00 wan1                10.0.0.0/8       0.0.0.0/0        n/a
    0     0 DENY   all  l-  0xFF 0x00 wan1                172.16.0.0/12    0.0.0.0/0        n/a
    0     0 DENY   all  l-  0xFF 0x00 wan1                192.168.0.0/16   0.0.0.0/0        n/a
    0     0 DENY   all  l-  0xFF 0x00 wan1                0.0.0.0/8        0.0.0.0/0        n/a
    0     0 DENY   all  l-  0xFF 0x00 wan1                128.0.0.0/16     0.0.0.0/0        n/a
    0     0 DENY   all  l-  0xFF 0x00 wan1                191.255.0.0/16   0.0.0.0/0        n/a
    0     0 DENY   all  l-  0xFF 0x00 wan1                192.0.0.0/24     0.0.0.0/0        n/a
    0     0 DENY   all  l-  0xFF 0x00 wan1                223.255.255.0/24 0.0.0.0/0        n/a
    0     0 DENY   all  l-  0xFF 0x00 wan1                240.0.0.0/4      0.0.0.0/0        n/a
    0     0 DENY   all  l-  0xFF 0x00 w

Re: [Leaf-user] DCD, proxy dmz, snmp & icmp ???

2002-03-01 Thread Michael D. Schleif


"Michael D. Schleif" wrote:
> 
> Charles Steinkuehler wrote:
> >
> [ snip ]
> 
> > I'm confused.  I don't think the firewall rules on the .65 machine can be
> > your problem, since you're seeing the request packets go out, and even if
> > the replies were being dropped, tcpdump would see them at the interface.
> > About the only thing that comes to mind is your snmp configuration on the
> > .66 machine.  Are you *SURE* you've allowed snmp queries from the firewall
> > IP and you're not firewalling any traffic on the .66 system?  Which version
> > of SNMP are you running?
> 
> Join the club ;>
> 
> w.x.y.66 is a netware v5.x box, a mail server running groupies, &c.
 ^^^
groupwise
Bad, bad, spellchecker ;<

> It's not my environment, but an associate's.  I know (next to) nothing
> about netware and he knows nearly nothing about snmp.  I've queried snmp
> v1, 2c and 3 -- all same results.  No, there is not any ip filtering on
> that box.

[ snip ]

-- 

Best Regards,

mds
mds resource
888.250.3987

Dare to fix things before they break . . .

Our capacity for understanding is inversely proportional to how much we
think we know.  The more I know, the more I know I don't know . . .




[Leaf-user] Re:ipsec.conf assistance

2002-03-01 Thread Brock Nanson

Hi Joey,

Charles picked up the obvious problem of the spelling mistake in left and
rightnexthop.  However, you haven't said what the symptoms of the problem
are (assuming this isn't it!).  Every time I've had problems with RSA keys
it related to whitespace in the file or a hidden carriage return.  The key
must not be broken with a return, it must wrap all on its own!  Using the
copy function in Putty always resulted in a need for some careful deleting.
Also, the syntax in .secrets is also fussy this way.  If the spelling error
doesn't fix things, give us some info on what's happening.  Does it load but
not connect?  Or not load at all?

You might also try putting the left and right id parameters in there... I
was under the impression this was needed to match with ipsec.secrets.

Using left and rightfirewall=yes seems to be necessary to poke the correct
holes in the firewall to allow the traffic to pass.

Brock

| Message: 6
| Reply-To: <[EMAIL PROTECTED]>
| From: "Joey Officer" <[EMAIL PROTECTED]>
| To: "LRP Support" <[EMAIL PROTECTED]>
| Date: Fri, 1 Mar 2002 00:02:44 -0600
| Subject: [Leaf-user] ipsec.conf assistance..
|
| Ok, it's been awhile since last I had a real chance to work on this, and
| now finally I'm getting into it...
|
| I got all of the packages on the diskette (thanks again for so much help
| from Lynn and Charles), and I got the serial device working (I feel like
| such a dolt, I never checked the cable, thanks Charles) but now, after I
| think I've written a very generic .conf file for ipsec, it's bombing, and
| I'm not able to connect to the other site.  Attached is a copy of my
| ipsec.conf, but I'm unable to get any results...
|
| # system wide setup
| config setup
| interfaces=%defaultroute
| klipsdebug=none
| plutodebug=none
| plutoload=%search
| plutostart=%search
| # uniqueids=yes # not yet, otherwise it'll only allow one connection
|
| conn %default
| keyingtries=0
| authby=rsasig
|
| # left is joey's house
| # right is the shop
| conn home-office
| left=66.25.44.147
| leftnexthope=66.25.44.1
| leftsubnet=192.168.3.0/24
| leftrsasigkey= < removed for space>
| right=66.25.18.71
| rightnexthope=66.25.18.1
| rightsubnet=192.168.1.0/24
| rightrsasigkey= 
|
| I still have uniqueids commented out because I read that to be that it
| would only allow one connection at a time, ie only one user at a time to a
| specific connection, want to be able to give the whole office access to
| the other network.  Can someone point out the obvious errors, and possibly
| give me some assistance in getting this up...
|
| Joey



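Brock's checklist above (nexthop spelling, keys that must not be broken with a return, stray carriage returns from pasting out of PuTTY) is mechanical enough to script before running ipsec at all. This added example is not from the thread and not FreeS/WAN's own tooling: it runs a constructed ipsec.conf in the shape of Joey's through a checker whose keyword list is an assumption modelled on the FreeS/WAN 1.x conn options.

```shell
#!/bin/sh
# Added example, not from the thread: flag the ipsec.conf mistakes discussed
# above (misspelled nexthop keys, an RSA key broken across lines, CRLF endings).
# The keyword list is an assumption modelled on FreeS/WAN 1.x conn options.
KNOWN_CONN_KEYS='left leftnexthop leftsubnet leftrsasigkey leftid leftfirewall
right rightnexthop rightsubnet rightrsasigkey rightid rightfirewall
keyingtries authby auto pfs type keyexchange keylife ikelifetime'

# Constructed config in the shape of the one posted: line 10 carries the
# leftnexthope typo and line 17 is the tail of a key wrapped by a paste.
SAMPLE_CONF='config setup
    interfaces=%defaultroute

conn %default
    keyingtries=0
    authby=rsasig

conn home-office
    left=192.0.2.10
    leftnexthope=192.0.2.1
    leftsubnet=10.1.0.0/24
    leftrsasigkey=0sAQN5b3VyIGtleSBnb2VzIGhlcmU=
    right=198.51.100.20
    rightnexthop=198.51.100.1
    rightsubnet=10.2.0.0/24
    rightrsasigkey=0sAQN3cmFwcGVk
IGtleQ==
'

# check_ipsec_conf: read ipsec.conf text on stdin, print "line: problem" for
# each finding, and exit 1 if anything was found (0 when the file is clean).
check_ipsec_conf() {
    awk -v known="$KNOWN_CONN_KEYS" '
    function flag(msg) { print NR ": " msg; found = 1 }
    BEGIN { n = split(known, k, /[ \n]+/); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
    /\r/ { flag("carriage return present (file has CRLF line endings)") }
    /^[ \t]*(#|$)/ { next }                   # comments and blank lines
    /^(conn|config)[ \t]/ { sec = $1; next }  # section header
    sec != "conn" { next }                    # only conn sections are checked
    /^[ \t]+[A-Za-z]+[ \t]*=/ {               # indented key=value line
        key = $0; sub(/^[ \t]+/, "", key); sub(/[ \t]*=.*$/, "", key)
        val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t\r]+$/, "", val)
        if (!(key in ok)) flag("unknown keyword \"" key "\" (misspelling?)")
        if (key ~ /rsasigkey$/ && val !~ "^0s[A-Za-z0-9+/=]+$")
            flag(key " is not a single 0s... token")
        next
    }
    { flag("continuation text inside a conn section (wrapped key or comment?)") }
    END { exit (found ? 1 : 0) }'
}
```

Run it as `check_ipsec_conf </etc/ipsec.conf`; a wrapped rsasigkey shows up as a continuation line right after the key, and a misspelling like leftnexthope is reported by line number.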