Re: [Leaf-user] 4 NIC LRP -Dachstein CD- only one internal IP forwards to internet
Hi folks

Charles commented the following:

At 11:43 07.03.2002 -0800, you wrote:
> Make sure you've added all your internal networks to the INTERN_NET variable in /etc/network.conf. If that's not the problem, we'll need more information about your firewall setup, including network.conf settings, and the output of net ipfilter list

I tried to find documentation on multiple internal interfaces but failed. I just found the network.txt file on lrp.steinkuehler.net/files/packages/network.txt. Could anyone please clarify the format of INTERN_IF, INTERN_NET and INTERN_IP for more than one internal interface?

Thanks

Erich

THINK
Püntenstrasse 39
8143 Stallikon
mailto:[EMAIL PROTECTED]
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16

___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
Re: [Leaf-user] a message to NTL customers in the uk
Hello Ant - I just knew I should have written up my experiences on this. See comments inline below.

--- Ant Ken [EMAIL PROTECTED] wrote:
> hello, if you use the NTL broadband in the UK you will have problems setting your router up, here's what you have to do:
>
> when a new network card (ie your new router) is switched on for the first time your cable box gives you an ip address of something like 10.xxx.xxx.xxx, via DHCP. Because of the ip filters setup on the box you will not be able to immediately browse the web, you have to either install a version of linux with X and netscape on or install M$ windows then try and access the web, you will be presented with the ntl account administration page.

You have two other options. You can also use your network card in a separate MS Windows box for the initial MAC address registration, or you can install the simple text based web browser on your Leaf box. I did the first option which works fine. I haven't tried the second option.

> enter your account PID and password, login and click the add button. type a name in for your router (any thing does not matter (letters, numbers, - and _ only)). when you have done this either restart your network interfaces or restart windows. when you have done all that then you can start configuring your router to do what ever you want!
>
> if any one has any queries email me and just ask
>
> antken

I am thinking of writing a long document explaining how to use Leaf with NTL broadband but don't know how to distribute it to those potential Leaf users. Any ideas on that?

Alex

=
Alex McLintock [EMAIL PROTECTED]
Open Source Consultancy in London
OpenWeb Analysts Ltd, http://www.OWAL.co.uk/
---
SF and Computing Book News and Reviews: http://news.diversebooks.com/
Get Your XML T-Shirt at http://www.inversity.co.uk/
Please Remove [EMAIL PROTECTED] from your address book.
Re: [Leaf-user] routed subnet dmz help
Lynn,

This is exactly what I needed. Works perfectly now! Thank you kindly.

-Kevin

> Well, this is more like what you are looking to do with ProxyArp. You should get a good start off of this link anyway:
>
> http://www.casano.com/lrp/proxy_arp.html
>
> Just kill the private network using NAT if you don't need it.

--
(kevin mudrick) ([EMAIL PROTECTED]) (www.bleachedwhale.com)
pgp key available at http://www.bleachedwhale.com/kevinGPG.asc
Despair: It's always darkest just before it goes pitch black.
RE: [Leaf-user] DMZ Options - additional questions
Good Morning,

I am resending a message that got no response the last time, I would appreciate any input anyone might have. I am going to try and implement this on Sunday.

Thanks in advance
Tony

Good Evening,

I would like to build on this DMZ discussion and combine it with a post that Matt had a few days ago. My situation is that I am going to implement a DMZ with the private switch, and have a second firewall (MS ISA server) between the DMZ and internal network. Here is a lame pic of what I want to do:

          Internet
             |
             |
             | eth0 (IP assigned from RR)
          LRP Box
             |
             | eth1 (192.168.1.2)
             |
             |_ 192.168.1.0/24 DMZ
             |
             | eth2 (192.168.1.3)
             |
        192.168.1.1 ISA ext. nic
        192.168.0.1 ISA int. network
             |
             |
   Internal network (192.168.0.0/24)

OK, now what I was thinking was, that the eth1 and eth2 would be on the same subnet. This way, updating the web server from the internal network would be fairly easy, because the internal net's default gateway is the ISA server, and the external nic on the ISA server has a default gateway of the LRP box. Same with the DMZ box. Assuming they penetrate the LRP box and hack the DMZ server, they are still removed from the internal net by the ISA server.

I want to allow the DMZ box access to an Access database on the internal network (read only) and the DMZ box also needs access to relay SMTP messages to an internal Exchange box. The DMZ box is a W2K server running IIS and SMTP w/ ISA's message screener. (Everything is patched :-)

Anyway, what do you all think? Any flaws you can see in this plan? I appreciate all the feedback you can give

Thanks
Tony

>> Whether you want a DMZ or not (YES, PROXY, NAT, PRIVATE, NO)
>>
>> Proxy NAT Private... Does PRIVATE mean, that i have a DMZ, but with PRIVATE ip ranges etc?
>
> YES - This is a traditional routed DMZ...your ISP routes a block of IP's to the external interface of your firewall
>
> PROXY - A Proxy-ARP DMZ...used if you've got a block of static IP's from your ISP. The firewall essentially glues together two identical network segments, allowing your DMZ systems to be configured with public IP's (just like they were connected directly to your upstream modem), but still having the protection of a firewall.
>
> NAT - Similar to a Proxy-ARP setup, but uses static-NAT translation instead. Each DMZ system is configured with a private IP, and a translation table is built, converting public IP's to the private IP of your DMZ systems.
>
> PRIVATE - This architecture is unique...it port-forwards specific services to DMZ machines, which have private IP's. The main benefit is you don't have to have multiple IP's assigned to be able to implement this form of DMZ.
>
> NO - No DMZ
>
> Charles Steinkuehler
> http://lrp.steinkuehler.net
> http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
[Leaf-user] My New Dachstein LRP
Hello All,

I have been noticing some errors in my logs that look like:

Mar 8 00:33:44 a904j637 kernel: Packet log: input DENY eth0 PROTO=17 192.168.159.129:137 192.168.159.255:137 L=96 S=0x00 I=13824 F=0x T=128 (#12)

but I have no machine 192.168.159.129 on my subnet and am only using 192.168.1.x

What does this mean?

Cheers,
Lonnie

--
Lonnie Cumberland
OutStep Technologies Incorporated
EMAIL: [EMAIL PROTECTED] : [EMAIL PROTECTED]
The Basis Express Virtual Office Data Backup and Recovery Services
URL: http://www.basis-express.com
The Virtual Office without boundaries!!!
Re: [Leaf-user] My New Dachstein LRP
On Friday 08 March 2002 07:35, Lonnie Cumberland wrote:
> Hello All,
>
> I have been noticing some errors in my logs that look like:
>
> Mar 8 00:33:44 a904j637 kernel: Packet log: input DENY eth0 PROTO=17 192.168.159.129:137 192.168.159.255:137 L=96 S=0x00 I=13824 F=0x T=128 (#12)
>
> but I have no machine 192.168.159.129 on my subnet and am only using 192.168.1.x
>
> What does this mean?

It means that someone is broadcasting NetBIOS trash through their internet connection in your neighborhood and it is looking for more computers to join the network. It is web trash and can safely be dropped from logging. SILENT_DENY is used with Dachstein to avoid logging this. Personally, I don't log anything on the 192.168./16 subnet. The LEAF Command FAQ has some examples of how to do this several ways using SILENT_DENY in the Dachstein section.

http://sourceforge.net/docman/display_doc.php?docid=9267&group_id=13751

I hope this helps,

--
~Lynn Avants
aka Guitarlynn
guitarlynn at users.sourceforge.net
http://leaf.sourceforge.net

If linux isn't the answer, you've probably got the wrong question!
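Before writing a SILENT_DENY for a class of log lines, it helps to confirm that the lines you are about to silence really are the name-service chatter described above and nothing else. The script below is an added example, not code from the list or from Dachstein: it parses the kernel "Packet log:" format quoted in the thread and sorts each denied packet into NetBIOS broadcast noise, limited broadcast, or "other" (which still deserves a look). The three log lines are constructed, modelled on the one Lonnie posted; the `F=` value there was truncated, so the values here are made up.

```shell
#!/bin/sh
# Added example, not code from the list or from Dachstein: classify the kernel
# "Packet log:" lines that logged ipchains DENY rules produce, so that NetBIOS
# name-service broadcasts (UDP 137 -> 137 to a broadcast address) can be told
# apart from denies that still deserve attention before a SILENT_DENY rule is
# written for them. The log lines below are constructed, modelled on the line
# quoted in the thread (the real "F=" value there was truncated).

SAMPLE_LOG='Mar 8 00:33:44 a904j637 kernel: Packet log: input DENY eth0 PROTO=17 192.168.159.129:137 192.168.159.255:137 L=96 S=0x00 I=13824 F=0x0000 T=128 (#12)
Mar 8 00:35:02 a904j637 kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:4312 192.0.2.10:22 L=60 S=0x00 I=1 F=0x4000 T=48 (#9)
Mar 8 00:36:10 a904j637 kernel: Packet log: input DENY eth0 PROTO=17 10.1.2.3:1234 255.255.255.255:67 L=328 S=0x00 I=2 F=0x0000 T=64 (#12)'

# classify_packet_log: reads log lines on stdin and prints
#   "<category> <src> <dst> <proto>"
# for every "Packet log:" line. Field layout after "Packet log:" is
#   <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> L=... (#rule)
classify_packet_log() {
    awk '
    /Packet log:/ {
        for (i = 1; i <= NF; i++) if ($i ~ /^PROTO=/) break
        proto = substr($i, 7)                  # strip the "PROTO=" prefix
        split($(i + 1), s, ":"); split($(i + 2), d, ":")
        src = s[1]; sport = s[2]; dst = d[1]; dport = d[2]
        category = "other-deny"
        # Name-service chatter: UDP 137 to 137, aimed at a directed broadcast
        if (proto == "17" && sport == "137" && dport == "137" && dst ~ /\.255$/)
            category = "netbios-broadcast-noise"
        else if (dst == "255.255.255.255")
            category = "limited-broadcast"
        printf "%s %s %s %s\n", category, src, dst, proto
    }'
}

# count_noise: how many of the lines on stdin are NetBIOS broadcast noise
count_noise() {
    classify_packet_log | grep -c '^netbios-broadcast-noise'
}

# Stand-alone run: one classification per sample line
printf '%s\n' "$SAMPLE_LOG" | classify_packet_log
```

Feed it a saved syslog extract (`grep 'Packet log' /var/log/messages | classify_packet_log`) and only the lines that come back as `netbios-broadcast-noise` are candidates for the silent deny; anything in `other-deny` from a source you do not recognise is exactly what the logging is there to show you.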
Re: [Leaf-user] routed subnet dmz help
On Friday 08 March 2002 06:18, kevin mudrick wrote:
> Lynn,
>
> This is exactly what I needed. Works perfectly now! Thank you kindly.

Great! Thanks for letting us know!

--
~Lynn Avants
aka Guitarlynn
guitarlynn at users.sourceforge.net
http://leaf.sourceforge.net

If linux isn't the answer, you've probably got the wrong question!
Re: [Leaf-user] Dachstein migration successful! - General routing question.
> One guy behind my leaf firewall needs a securemote (Checkpoint) connection to company b. He has a Win2k workstation. As I understand from searching the newsgroups, this isn't possible with Linux, although I would love to be corrected on that one.

Sounds a lot like the securemote client is simply an IPSec implementation. There are lots of details about masquerading an IPSec connection in the list archives, and all the gory details can be found in the VPN-Masquerade-HOWTO.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
Re: [Leaf-user] lrp format and filter config
>> Probably, although you don't mention what you're trying to specify source ports for. If you need to make custom rules, that's what the ipchains.input, ipchains.output, and ipchains.forward files are for in /etc.
>
> I want local users to be able to ssh into external machines, and (being fairly pedantic about firewalls) I only want to specify port 22 for external machines. If I edit those files, how do they relate to the config files (No 2 on the network config menu)?

The files are sourced by /etc/ipfilter.conf, so you can use any variables or procedures defined in /etc/network.conf, /etc/ipfilter.conf, or /etc/init.d/network. Look for IPCH_IN, IPCH_OUT, and IPCH_FWD in /etc/ipfilter.conf to see exactly where they are sourced in relation to the rest of the rules.

You can either add rules using the -A option (probably what you want in your case), or the -I option to add rules at the beginning of the list (for things like silently denying something filling up your logs).

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
[Leaf-user] martians on internal network ???
We are seeing martians on internal networks on a regular basis. Usually, it is traceable to users logging into AOL over our high speed internet connections:

172.128.0.0 - 172.191.255.255

Today, we saw one from United Airlines:

205.174.16.0 - 205.174.23.255

[1] How does this happen?
[2] Why does this happen?
[3] Is this exploitable?

What do you think?

--
Best Regards,

mds
mds resource
888.250.3987

Dare to fix things before they break . . .

Our capacity for understanding is inversely proportional to how much we think we know. The more I know, the more I know I don't know . . .
[Leaf-user] Re: Leaf-user digest, Vol 1 #707 - 14 msgs
Hi Charles

At 02:21 08.03.2002 -0800, you wrote:
>> Finally, as a constructive suggestion, does anyone think it would be useful if all ipchains rules were built up in one place in the config, and it was all done in a more 'tabular' fashion, so that rules could be added easily, and options such as logging for some of the defaults could be easily switched off.
>
> Probably, but it would take a lot of work. Are you volunteering?

I am in the process to propose a little LEAF based VPN here. I might find some spare hours to look into it. I might just list the ipchains/ipmasqadm commands as they are built by the ipfilter.conf. I am pretty sure this will still fit on the floppy. Could anyone suggest a superset of rules which will just be pumped through the firewall set up script. Instead of executing the rules we could just dump them into a file and then see where we get. This should give us a good idea how deep we will have to wade.

Erich

THINK
Püntenstrasse 39
8143 Stallikon
mailto:[EMAIL PROTECTED]
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16
Re: [Leaf-user] Re: Leaf-user digest, Vol 1 #707 - 14 msgs
I'm not sure exactly what you're after here, but the ipchains and ipmasqadm commands used to build the firewall rules are done using the environment variables $IPCH and $IPMASQADM, so it would be easy to re-define these and echo all the commands to a file, instead of actually running them...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

- Original Message -
From: Erich Titl [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, March 08, 2002 9:55 AM
Subject: [Leaf-user] Re: Leaf-user digest, Vol 1 #707 - 14 msgs
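The re-definition trick above is also the easiest way to check a custom fragment of the kind asked about earlier in the thread (ssh out to port 22 only, placed in /etc/ipchains.forward and friends, with -A versus -I deciding where it lands) before it ever touches a live box. The harness below is an added example and not code from LEAF or Dachstein: it points $IPCH at a recording function, runs a constructed rule fragment through it, and reports what would have been loaded. EXTERN_IF and INTERN_NET are the network.conf variable names; their values and the fragment itself are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from LEAF/Dachstein: a dry-run harness for the trick
# Charles describes. Dachstein's /etc/ipfilter.conf issues its rules through
# $IPCH (and $IPMASQADM); pointing $IPCH at a recording function captures the
# rule set to a file instead of loading it, so a custom ipchains.input /
# ipchains.forward fragment can be reviewed on any box without ipchains.
# EXTERN_IF and INTERN_NET are network.conf variable names; their values and the
# rule fragment itself are constructed for this example.

RULE_DUMP=$(mktemp)
trap 'rm -f "$RULE_DUMP"' EXIT

# Recording stand-in for the ipchains binary: append the command line, run nothing
record_ipchains() {
    printf 'ipchains %s\n' "$*" >>"$RULE_DUMP"
}
IPCH=record_ipchains
EXTERN_IF=eth0
INTERN_NET=192.168.1.0/24

# Constructed fragment, in the style of /etc/ipchains.input + ipchains.forward:
#  - -I puts a rule at the head of the chain, the place for a silent deny that
#    must match before the stock logging rules see the packet
#  - -A appends, so the rule is evaluated after whatever was loaded before it
#    (where IPCH_IN / IPCH_FWD are sourced in ipfilter.conf decides what that is)
custom_rules() {
    # drop NetBIOS name-service broadcasts arriving on the external interface, unlogged
    $IPCH -I input 1 -p udp -s 0/0 137 -d 0/0 137 -i "$EXTERN_IF" -j DENY
    # let internal hosts reach port 22 on the outside, masqueraded
    $IPCH -A forward -p tcp -s "$INTERN_NET" -d 0/0 22 -i "$EXTERN_IF" -j MASQ
    # any other TCP from the inside going out is rejected and logged (-l)
    $IPCH -A forward -p tcp -s "$INTERN_NET" -d 0/0 -i "$EXTERN_IF" -j REJECT -l
}

# dump_rules: run the fragment under the recorder and print what it would have loaded
dump_rules() {
    : >"$RULE_DUMP"
    custom_rules
    cat "$RULE_DUMP"
}

# rule_count: number of ipchains invocations the fragment makes
rule_count() {
    dump_rules | wc -l | tr -d ' '
}

# allows_ssh_out: "yes" if some forward rule masquerades TCP to destination port 22
allows_ssh_out() {
    if dump_rules | grep -q -- '-A forward .*-d 0/0 22 .*-j MASQ'; then
        echo yes
    else
        echo no
    fi
}

# Stand-alone run: show the captured rule set
dump_rules
```

On the real box the same idea is `IPCH=my_recorder` exported before the firewall script is sourced; the dump is then an ordered list of exactly what the kernel would be given, which is the "superset of rules" Erich wants to wade through.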
[Leaf-user] Dachstein LRP
All,

Can I use the pkgpath.cfg and lrpkg.cfg files on Dachstein LRP that is booting off an IDE hard drive? It is booting in a DOS partition and runs in RAM

Thanks in advance for any help

Peter
Re: [Leaf-user] Dachstein LRP
> Can I use the pkgpath.cfg and lrpkg.cfg files on Dachstein LRP that is booting off an IDE hard drive? It is booting in a DOS partition and runs in RAM

Yes. The /linuxrc script will look for the pkgpath.cfg and lrpkg.cfg files on your boot= device (probably your HDD).

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
Re: [Leaf-user] Dachstein LRP
Thanks Charles,

I tried it but it failed. What if anything remains in the syslinux.cfg file? Do you include the LRP= and PKGPATH= in the new file? Do you leave them blank in the old one?

Thanks.

P.S. Congratulations on a job very well done on the LRP box

Peter

- Original Message -
From: Charles Steinkuehler [EMAIL PROTECTED]
To: Peter Kanatselis [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Friday, March 08, 2002 11:21 AM
Subject: Re: [Leaf-user] Dachstein LRP
Re: [Leaf-user] Dachstein LRP
> Thanks Charles,
>
> I tried it but it failed. What if anything remains in the syslinux.cfg file? Do you include the LRP= and PKGPATH= in the new file? Do you leave them blank in the old one?

You might want to see the CD-ROM readme file...it goes over the use of these settings in a bit more detail.

When the system boots, the /linuxrc script searches the kernel command line for a boot= parameter, and tries to mount the specified device. If the lrpkg.cfg and/or pkgpath.cfg files are found on this device, the contents of those files override the kernel command line settings provided by syslinux.cfg. Therefore, if you've got lrpkg.cfg and pkgpath.cfg files, the contents of LRP= and PKGPATH= in syslinux.cfg are "don't care", and can even be blank.

Both files should have a single line of data, which is *EXACTLY* what would come after LRP= or PKGPATH= on the kernel command line. LRP= and PKGPATH= should *NOT* appear in these files.

Again, refer to the CD-ROM readme for details...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
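The precedence just described is easy to get wrong in exactly the way the reply warns about, so here is a small model of it as an added example. This is not the real /linuxrc and does not mount anything: it takes a kernel command line and a directory standing in for the boot= device, applies the override files, and refuses a file whose line starts with the "LRP=" or "PKGPATH=" prefix. The command line, the package list and the device paths are constructed; the CR stripping is my addition, since the boot partition in this case is DOS-formatted.

```shell
#!/bin/sh
# Added example: a model of the precedence Charles describes, not the real
# /linuxrc. LRP= and PKGPATH= come from the kernel command line that
# syslinux.cfg builds; if lrpkg.cfg / pkgpath.cfg exist on the boot= device,
# their single line replaces the corresponding command-line value, and that
# line must be exactly what would follow "LRP=" or "PKGPATH=" (the reply says
# the "LRP=" / "PKGPATH=" prefix must NOT appear in the file).
# The command line, package list and device paths below are constructed.

CMDLINE="root=/dev/ram0 boot=/dev/hda1 LRP=etc,local PKGPATH=/dev/hda1"

# cmdline_value NAME CMDLINE: print the value of NAME= on the command line
# (an empty line if absent)
cmdline_value() {
    for word in $2; do
        case "$word" in
            "$1="*) printf '%s\n' "${word#*=}"; return 0 ;;
        esac
    done
    printf '\n'
}

# resolve_setting NAME CFGFILE CMDLINE BOOTDIR: the effective value of NAME
# after applying the override file, or "BAD: ..." with status 1 if the file
# repeats the NAME= prefix that belongs only on the kernel command line
resolve_setting() {
    value=$(cmdline_value "$1" "$3")
    if [ -r "$4/$2" ]; then
        # first line only; strip a CR in case the file was written on the DOS side
        value=$(head -n 1 "$4/$2" | tr -d '\r')
        case "$value" in
            "$1="*)
                printf 'BAD: %s starts with "%s=", it should hold only the value\n' "$2" "$1"
                return 1 ;;
        esac
    fi
    printf '%s\n' "$value"
}

# Stand-alone run against a constructed boot directory
demo() {
    bootdir=$(mktemp -d)
    printf 'etc,local,weblet,sshd\r\n' >"$bootdir/lrpkg.cfg"   # written DOS-style
    printf 'LRP=%s\n' "$(resolve_setting LRP lrpkg.cfg "$CMDLINE" "$bootdir")"
    printf 'PKGPATH=%s\n' "$(resolve_setting PKGPATH pkgpath.cfg "$CMDLINE" "$bootdir")"
    rm -rf "$bootdir"
}
demo
```

With the files in place, LRP resolves to the file's package list while PKGPATH still comes from the command line because no pkgpath.cfg exists; a file containing `LRP=etc,local` rather than `etc,local` is rejected, which is the check to run against a boot partition before trying the boot again.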
Re: [Leaf-user] a message to NTL customers in the uk
On Fri, 8 Mar 2002, Alex McLintock wrote:
> Hello Ant - I just knew I should have written up my experiences on this. See comments inline below.
>
> --- Ant Ken [EMAIL PROTECTED] wrote:
>> hello, if you use the NTL broadband in the UK you will have problems setting your router up, here's what you have to do:
>>
>> when a new network card (ie your new router) is switched on for the first time your cable box gives you an ip address of something like 10.xxx.xxx.xxx, via DHCP. Because of the ip filters setup on the box you will not be able to immediately browse the web, you have to either install a version of linux with X and netscape on or install M$ windows then try and access the web, you will be presented with the ntl account administration page.
>
> You have two other options. You can also use your network card in a separate MS Windows box for the initial MAC address registration, or you can install the simple text based web browser on your Leaf box.

I don't understand why any of these options are required. Why not accept the ip address you are given as a router, and use your usual box behind it to talk to the webserver to do the configuration, and then re-initialize networking on the router? Does the configuration process use java or javascript?

---
Jeff Newmiller                        The     .....       .....  Go Live...
DCN:[EMAIL PROTECTED]                 Basics: ##.#.       ##.#.  Live Go...
                                      Live:   OO#.. Dead: OO#..  Playing
Research Engineer (Solar/Batteries            O.O#.       #.O#.  with
/Software/Embedded Controllers)               .OO#.       .OO#.  rocks...2k
---
Re: [Leaf-user] DMZ Options - additional questions
> OK, but how does the network setup look on the webserver? I envisioned something like:
>
> IP=192.168.1.100
> Mask=255.255.255.0
> GW=192.168.1.2 (eth2 on LEAF box)
>
> How would SMTP know to forward to the ISA server? I guess I could point the SMTP server on the protected box to point to the external interface of the ISA server, who would be listening for SMTP traffic from that IP. {guess I just answered my own question}
>
> BTW, ISA = Microsoft Internet Security Acceleration Server 2000
>
> If I set up the LEAF server as a more typical setup with a different subnet for the DMZ, the default rules would not allow communication to the protected network (eth1 internal) right? Internal could initiate communications with the DMZ, but not vice versa, correct? That was what I was going to do initially, but was pretty sure it would fail. If this is a better way, perhaps I could craft some rules that said essentially, the only traffic that could be routed to the internal network is SMTP traffic and ISA message filter DCOM traffic.
>
>> This all makes sense, until I get to the end, where you indicate you want to push SMTP (and other) traffic to your internal net. The whole point of having a screened subnet or DMZ is to keep public servers *OUT* of your internal net. It's almost always possible to restructure a network that requires inbound connections so that inbound connections are only permitted on the DMZ.
>
> Back to the screened subnet, all on the same subnet as first described. So any inbound comm allowed would head to the internal network, and then be forwarded based on rules (i.e. web traffic to this IP, SMTP to that IP, etc). The second firewall (ISA) would then decide whether or not to allow inbound to the real internal network. For example, I also want to setup a VPN eventually. The access would be allowed/denied from the ISA server who would have access to Active Directory domain info. Again, all forwarding could be accomplished by rules at the LEAF box.
>
> Does that sound like I am on the right track?

It's really hard to tell...it sounds like you're running an e-mail server BEHIND the ISA, on your internal net. If so, this is a *REALLY BAD IDEA*, and pretty much defeats the whole purpose of a screened subnet architecture.

Your comments about VPN, however, are correct...you could easily setup the ISA to be a VPN gateway for the real internal subnet.

BTW: What you refer to as internal network above (the network between the Dachstein box and the ISA) should be called the screened subnet, although you'll still have to use the INTERN_* variables in network.conf to configure it :-/

If you don't have a copy already, pickup O'Reilly's Building Internet Firewalls and take a look at chapter 6, Firewall Architectures. It's an excellent resource when trying to design safe network architectures, and includes excellent (and very readable) descriptions of architectures that work, and architectures to avoid (often for subtle, non-obvious reasons).

If you want general advice from the list, you're going to have to provide a lot more detail about exactly what you're trying to accomplish...I've tried to make what comments I could, but it's hard trying to read between the lines and figure out what services you're running where...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
Re: [Leaf-user] ipsec errors
> can someone point out the obvious mistake that I have made..

How about starting with:

Mar 8 13:25:08 firewall ipsec__plutorun: ipsec_auto: fatal error in office: (/etc/ipsec.conf, line 25) duplicated parameter auto
Mar 8 13:25:08 firewall ipsec__plutorun: ipsec_auto: fatal error in shop: (/etc/ipsec.conf, line 39) duplicated parameter auto

...and...

conn office
  <snip>
  auto=add
  auto=start

Try with just *ONE* auto= line and see what you get...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
[Leaf-user] Multicast Routing
I setup one entire LRP router with ospf, ftp, ssh, iptable, etc and 3 NICs. Now i need multicast routing and not find mrouted.lrp. Can someone tell me where i would find mrouted.lrp or some other lrp that supports multicasting routing protocols.

thanks
[Leaf-user] Re : martians on internal network ???
We see martians from users on our private network that are using dial up internet accounts on W2k computers, external of the normal way of getting to the internet (through our LEAF router). Does anyone have a fix either on the W2k side or on the router to stop the console logging of these? (without turning off martian logging completely)

Doug

==
> We are seeing martians on internal networks on a regular basis. Usually, it is traceable to users logging into AOL over our high speed internet connections:
>
> 172.128.0.0 - 172.191.255.255
>
> Today, we saw one from United Airlines:
>
> 205.174.16.0 - 205.174.23.255
>
> [1] How does this happen?
> [2] Why does this happen?
> [3] Is this exploitable?
RE: [Leaf-user] General routing question. Securemote
Thanks Richard & Charles for comments and links. I should provide a bit of insight here. Dealing with technical and political issues. (really too bad!)

Office secretary doesn't get along with IT dept of company b, and there seems to have been a real lack of cooperation although according to management this guy (on their board of directors) is supposed to have access to their intranet. I think that there may be a reluctance to reconfigure their firewall (as link suggests) as the IT guy there seems so uncooperative. I did do some research and figured that this is going to require some testing and troubleshooting, and I don't know whether they are using encapsulated FWZ or not. Also, I am not an employee of company a, but just do work for them so I can't be on site for any extended time.

So I will try to prepare a diskette as per instructions in links below to see if it will work, but I also want to have a plan b. ie jump around the firewall for that one route if that might work as well.

Still open to suggestions.

Thanks,
Boyd

PS. I'll also be working on both pptp and ipsec for my own dachstein.

-Original Message-
From: Richard Doyle [mailto:[EMAIL PROTECTED]]
Sent: Thu 07/03/2002 7:08 PM
To: Boyd Kelly; [EMAIL PROTECTED]
Cc:
Subject: RE: [Leaf-user] Dachstein migration successful! - General routing question.

FWIW, a quick check on google for securemote linux nat turned up http://www.phoneboy.com/faq/0372.html and http://www.phoneboy.com/faq/0141.html.

-Richard

> Got my ip aliasing/forwarding and all working on dachstein. Very happy about that. Great piece of work!
>
> Now for an interesting problem: One guy behind my leaf firewall needs a securemote (Checkpoint) connection to company b. He has a Win2k workstation. As I understand from searching the newsgroups, this isn't possible with Linux, although I would love to be corrected on that one. So I am looking for some opinions on a solution.
>
> Could I just do some routing magic on the win2k workstation to bypass the leaf router only for that securemote ip address? For something like that to work would the workstation need a second nic? Or can I just plug all the Internet/Leaf wires into the same switch, and then give computer 3 a default gateway of 208.x.x.1 for the address in question? Any security issues?
>
>     [Internet]
>         |
>     eth0 208.x.x.13
>         |
>     LEAF Box (DF 208.x.x.1)
>         |
>     eth1 192.168.1.254
>         |
>     -------------------------
>         |                |
>     Computer 2       Computer 3 (needs to use securemote client)
>     (192.168.1.2)    (192.168.1.3)
>
> Thanks very much,
> Boyd
Re: [Leaf-user] Multicast Routing
Hi,

> Can someone tell me where i would find mrouted.lrp or some other lrp that supports multicasting routing protocols.

I made an .lrp package of pimd, which is a PIM Sparse Mode multicast daemon. I had to patch and compile my own kernel as well in order to get multicast support. Do:

echo 1 > /proc/sys/net/ipv4/conf/all/mc_forwarding; cat /proc/sys/net/ipv4/conf/all/mc_forwarding

to see if your kernel supports multicast forwarding (if my memory serves me right, since I do not have access to my lrp box right now). So if you have multicast enabled I can probably compile and make a pimd.lrp package for you. I also have a Linux 2.2.19 LRP kernel with multicast enabled that might be useful to you.

-Dan

_____
Dan Mønster, PhD              E-mail: [EMAIL PROTECTED]
UNI·C, Research               Phone:  (+45) 8937 6621
Olof Palmes Allé 38           Fax:    (+45) 8937 6677
DK-8200 Århus N, Denmark      WWW:    http://www.uni-c.dk
_____
[Leaf-user] floppy to hard disk?
hello all,

are there any how-to's that help you to get leaf from a floppy to a hard disk? if so what are the urls?

thank you for your time

antken
FW: [Leaf-user] FW: fealnx driver for LRP kernel 2.2.19-3-LEAF
Has anybody a compiled fealnx.o network card driver for my new LRP machine? The version i'm looking for should be ready for LRP Kernel 2.2.19-3-LEAF.

Thx in advance...
Re: [Leaf-user] floppy to hard disk?
At 2002-03-08 20:29 +, Ant Ken wrote:
> hello all,
>
> are there any how-to's that help you to get leaf from a floppy to a hard disk? if so what are the urls?

LEAF: Documentation: HOWTOs
http://leaf.sourceforge.net/mod.php?mod=userpage&menu=1302&page_id=11

I hope this helps.

--
Mike Noyes [EMAIL PROTECTED]
http://sourceforge.net/users/mhnoyes/
http://leaf-project.org/
RE: [Leaf-user] Re : martians on internal network ???
Ugh. Console messages about martians almost always tell you there is something seriously wrong with your network. Turning them off is like disconnecting a burglar alarm. In your case, these messages indicate that an unguarded (?) backdoor to your network is currently open.

This will disable martian logging for interface $IFNAME:

echo 0 > /proc/sys/net/ipv4/conf/$IFNAME/log_martians

AFAIK you can't log martians to a file without seeing them on the console, unless you want to stop seeing all level 4 kernel messages (KERN_WARNING). You can probably do this by modifying /etc/init.d/sysklogd to read

klogd -c 4

instead of whatever is there now (I'm using busybox klogd, which doesn't support this parameter; please correct if necessary).

<rant>
Sorry for being so cranky about this, but wanting to make martian messages go away without fixing the underlying problem is a Bad Thing. You have a nice security system with deadbolts on your front door, but you leave the backdoor unlocked. Those martian messages at least let you know when the back door is open and remind you to install a lock on the damn thing.
</rant>

-Richard

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Doug Hite
Sent: Friday, March 08, 2002 11:21 AM
To: [EMAIL PROTECTED]
Subject: [Leaf-user] Re : martians on internal network ???
[Leaf-user] vpn routing
It seems that I've seen this problem here before:

There are two dsl connections to the internet.
Behind one is an NT Proxy server.
Behind the other is an Eiger router running LRP/IPSec.
Both masquerade.

Behind both of those is a lan 123.x.x.x
  AS400            123.x.x.1
  Exchange Server  123.x.x.2

So the internal subnet for the Eiger is 123.x.x.0/24

A remote laptop with a dynamic address establishes a VPN connection to the Eiger, and accesses mail on 123.x.x.2.

How does the traffic back from the Exchange Server to the laptop find its way back thru the correct router, the Eiger? I mean it can only have one default gateway. ??

___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
Re: [Leaf-user] vpn routing
> It seems that I've seen this problem here before:
>
> There are two dsl connections to the internet.
> Behind one is an NT Proxy server.
> Behind the other is an Eiger router running LRP/IPSec.
> Both masquerade.
>
> Behind both of those is a lan 123.x.x.x
>   AS400            123.x.x.1
>   Exchange Server  123.x.x.2
>
> So the internal subnet for the Eiger is 123.x.x.0/24
>
> A remote laptop with a dynamic address establishes a VPN connection to
> the Eiger, and accesses mail on 123.x.x.2.
>
> How does the traffic back from the Exchange Server to the laptop find
> its way back thru the correct router, the Eiger? I mean it can only
> have one default gateway. ??

You either have to have the Eiger VPN gateway as the default route for the exchange box, or setup a static route on the Exchange box pointing to the remote endpoint of the VPN. I've done the latter with subnet-subnet VPN's, but I don't think it will work well with a host-subnet VPN, as the far end IP isn't static...

It sounds like you're wanting to just use the Eiger box as a VPN gateway. Another option would be to setup proxy-arp on the Eiger box, with two internal NIC's. Something like:

        Internet --------+
           |             |
         DSL1          DSL2
          ||             |
          ||      NT Proxy Server
          ||             |
          ||   Internal net (123.x.x.0/24)
          ||             |
         eth2          eth0
       Eiger/Dachstein VPN gateway
                 eth1
                  |
        Internal net (123.x.x.0/24)
                  |
           Exchange server

This gets around the routing problem because all packets will go through the VPN gateway, even if destined for the IP of your NT proxy-server. The routing rules on the VPN gateway should make everything work properly, but I haven't actually tested this setup.

NOTE: While the above diagram may look kind of scary, it really isn't. The big problem will be getting the routing on the VPN box setup to use the alternate DSL link (it would be much more straight-forward if the VPN gateway simply routed all data out the NT Proxy server, and had one default gateway), but you should be able to setup advanced routing rules based on either firewall marks or protocol that sends VPN traffic out the DSL1 link, and all other traffic out the NT proxy...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
RE: [Leaf-user] routing more than 1 hop
> Sometimes LEAF distros are configured to block traffic destined for the
> private address space from going out eth0. It's designed that way
> because private addresses are in general for internal use only. Rarely,
> an ISP uses these, and adjustments are made to ipfilter.conf or
> wherever your rules are defined.

That makes good sense, but I stripped Whorewall out to try to simplify things for myself.

> Btw, tabs mess up your tables. I converted them to spaces.

Thanks!!

> I'm deciding not to comment on the routes at all until you post the
> output of ifconfig -a on all four sites.

I've included the useful data with each of the routing tables (I hope I didn't leave out anything that you were looking for).

> I will mention that I don't get the concept of having both 10.10.1.254
> and 10.10.1.40 assigned to the same eth0, for instance.

I did this because that router is connected via 100Mb fibre to another building where the rest of the routing happens. eth0 on Site 1 connects to a switch, and 10.10.1.254 (my main gateway router) connects to a different port on that same switch.

Site 1: 10.10.1.0
  eth0  10.10.1.40/24
  eth1  192.168.1.254/24

  Destination   Mask            Gateway         Dev
  0.0.0.0       0.0.0.0         10.10.1.254     eth0  (to internet)
  10.10.1.0     255.255.255.0   10.10.1.40      eth0  (wired interface)
  10.10.12.0    255.255.255.0   192.168.1.253   eth1  (wireless to site 2)
  10.10.13.0    255.255.255.0   192.168.1.253   eth1  (wireless to site 2)
  192.168.1.0   255.255.255.0   192.168.1.254   eth1  (wireless interface)
  192.168.2.0   255.255.255.0   192.168.1.253   eth1  (wireless to site 2)

Site 2a: 10.10.12.0
  eth0  10.10.12.254/24
  eth1  192.168.1.253/24

  Destination   Mask            Gateway         Dev
  0.0.0.0       0.0.0.0         192.168.1.254   eth1  (wireless to site 1)
  10.10.12.0    255.255.255.0   10.10.12.254    eth0  (wired interface)
  10.10.13.0    255.255.255.0   10.10.12.253    eth0  (to other local router)
  192.168.1.0   255.255.255.0   192.168.1.253   eth1  (wireless interface)
  192.168.2.0   255.255.255.0   10.10.12.253    eth0  (to other local router)

(Site 2a and 2b are connected to the same switch)

Site 2b: 10.10.12.0
  eth0  10.10.12.253/24
  eth1  192.168.2.254/24

  Destination   Mask            Gateway         Dev
  0.0.0.0       0.0.0.0         10.10.12.254    eth0  (to other local router)
  10.10.12.0    255.255.255.0   10.10.12.253    eth0  (wired interface)
  10.10.13.0    255.255.255.0   192.168.2.253   eth1  (wireless to site 3)
  192.168.2.0   255.255.255.0   192.168.2.254   eth1  (wireless interface)

Site 3: 10.10.13.0
  eth0  10.10.13.254/24
  eth1  192.168.2.253/24

  Destination   Mask            Gateway         Dev
  0.0.0.0       0.0.0.0         192.168.2.254   eth1  (wireless to site 2)
  10.10.13.0    255.255.255.0   10.10.13.254    eth0  (wired interface)
  192.168.2.0   255.255.255.0   192.168.2.253   eth1  (wireless interface)

Bob Pocius

___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
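When routes span more than one hop, the first thing to verify in a table like the ones above is that every gateway is actually reachable on-link from the device the route names. The script below is an added example, not part of Bob's post: it takes Site 1's interface addresses and routing table exactly as posted, checks each route's gateway against the subnet configured on that device, and then runs the same check over a constructed table with two deliberate mistakes. The helper names (ip2int, iface_addr, onlink, check_routes, count_bad) and the broken table are mine; the check handles any prefix length, not only the /24s used here.

```shell
#!/bin/sh
# Added example, not from Bob's post: flag routes whose gateway is not
# on-link for the device the route names.

# Site 1 interfaces, from the post: "dev addr/prefixlen" per line.
SITE1_IFACES="eth0 10.10.1.40/24
eth1 192.168.1.254/24"

# Site 1 routing table, from the post: "dest mask gateway dev" per line.
SITE1_ROUTES="0.0.0.0 0.0.0.0 10.10.1.254 eth0
10.10.1.0 255.255.255.0 10.10.1.40 eth0
10.10.12.0 255.255.255.0 192.168.1.253 eth1
10.10.13.0 255.255.255.0 192.168.1.253 eth1
192.168.1.0 255.255.255.0 192.168.1.254 eth1
192.168.2.0 255.255.255.0 192.168.1.253 eth1"

# Constructed counter-example: the wireless-side gateway named on the wired
# device, and a route via an address that no local interface can reach.
BROKEN_ROUTES="0.0.0.0 0.0.0.0 10.10.1.254 eth0
10.10.12.0 255.255.255.0 192.168.1.253 eth0
10.10.13.0 255.255.255.0 10.10.12.253 eth1"

# ip2int A.B.C.D -> 32-bit integer
ip2int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# iface_addr DEV IFACES -> addr/prefixlen configured on DEV (empty if none)
iface_addr() {
    printf '%s\n' "$2" | awk -v dev="$1" '$1 == dev { print $2 }'
}

# onlink GATEWAY ADDR/PREFIXLEN -> exit 0 if GATEWAY lies in that subnet
onlink() {
    gw=$(ip2int "$1")
    addr=$(ip2int "${2%/*}")
    plen=${2#*/}
    # 4294967295 is 0xffffffff; written in decimal for portability
    mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
    [ $(( gw & mask )) -eq $(( addr & mask )) ]
}

# check_routes IFACES ROUTES: one "ok"/"BAD" verdict per route on stdout
check_routes() {
    printf '%s\n' "$2" | while read -r dest mask gw dev; do
        spec=$(iface_addr "$dev" "$1")
        if [ -z "$spec" ]; then
            echo "BAD  $dest/$mask via $gw: $dev has no address"
        elif onlink "$gw" "$spec"; then
            echo "ok   $dest/$mask via $gw dev $dev"
        else
            echo "BAD  $dest/$mask via $gw: not on-link for $dev ($spec)"
        fi
    done
}

# count_bad IFACES ROUTES -> number of BAD verdicts
count_bad() {
    check_routes "$1" "$2" | grep -c '^BAD' || true
}

check_routes "$SITE1_IFACES" "$SITE1_ROUTES"
check_routes "$SITE1_IFACES" "$BROKEN_ROUTES"
```

Site 1 comes out clean (six "ok" lines); the constructed table reports two BAD routes. The same two-column input format can be fed from `route -n` output on a LEAF box after dropping the header and flag columns.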
Re: [Leaf-user] Dachstein migration successful!
Boyd:

As Charles says, the docs on www.phoneboy.com/faq/0372.html suggest this is a lot like an IPSec connection. You may want to have a look at echoWall again, though: it supports both FW1 and IPSEC. You can enable or disable either of them, see what works.

-Scott

> > One guy behind my leaf firewall needs a securemote (Checkpoint)
> > connection to company b. He has a Win2k workstation. As I understand
> > from searching the newsgroups, this isn't possible with Linux,
> > although I would love to be corrected on that one.
>
> Sounds a lot like the securemote client is simply an IPSec
> implementation. There are lots of details about masquerading an IPSec
> connection in the list archives, and all the gory details can be found
> in the VPN-Masquerade-HOWTO.

___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
[Leaf-user] openssh 3.1p1 LEAF packages available
A vulnerability has been recently found in openssh up to version 3.0.2. See the CERT announcement at:

  http://www.kb.cert.org/vuls/id/408419

The LEAF openssh packages (ssh/sshd/sftp/sshkey) have been updated accordingly and are now available for download from my website.

  http://leaf.sourceforge.net/devel/jnilo/

The documentation has also been updated to include clarifications suggested by Matt Shalit (Thanks Matt!)

  http://leaf.sourceforge.net/devel/jnilo/openssh.html

Jacques

___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
RE: [Leaf-user] ipsec errors
Ok, I've modified the config and am no longer getting any errors, however I cannot get to the other machine. I've tried to ping, and also tried to do a

  traceroute -i eth0 -f 20 192.168.1.1

and have gotten only the * * * as output from the traceroute. At any rate.. I'm not seeing any errors, and am wondering if there is something I am missing... any thoughts...

joey

-Original Message-
From: Charles Steinkuehler [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 08, 2002 12:47 PM
To: [EMAIL PROTECTED]; LRP Support
Subject: Re: [Leaf-user] ipsec errors

> can someone point out the obvious mistake that I have made..

How about starting with:

  Mar 8 13:25:08 firewall ipsec__plutorun: ipsec_auto: fatal error in office: (/etc/ipsec.conf, line 25) duplicated parameter auto
  Mar 8 13:25:08 firewall ipsec__plutorun: ipsec_auto: fatal error in shop: (/etc/ipsec.conf, line 39) duplicated parameter auto

...and...

  conn office
    <snip>
    auto=add
    auto=start

Try with just *ONE* auto= line and see what you get...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
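The "duplicated parameter auto" error that Charles points at is easy to reintroduce when a conn section is edited by hand, and ipsec_auto refuses the whole file rather than picking one value. The lint below is an added example, not from the thread or from FreeS/WAN: it reads an ipsec.conf and reports every parameter that is set twice within the same config or conn section. The sample file is constructed around the lines Joey posted (the "office" conn and its auto=add / auto=start pair); the "shop" section, the right= addresses and the subnet are placeholders.

```shell
#!/bin/sh
# Added example (not FreeS/WAN's own tooling): find parameters set more than
# once inside a single ipsec.conf section.

# Constructed sample: the office conn carries the duplicated auto= pair
# from the post; other values are placeholders (TEST-NET addresses).
SAMPLE_CONF="config setup
        interfaces=%defaultroute

conn office
        left=%defaultroute
        right=203.0.113.7
        rightsubnet=192.168.1.0/24
        auto=add
        auto=start

conn shop
        left=%defaultroute
        right=203.0.113.8
        auto=start"

# The same file with one auto= line per conn, as Charles suggests.
FIXED_CONF="config setup
        interfaces=%defaultroute

conn office
        left=%defaultroute
        right=203.0.113.7
        rightsubnet=192.168.1.0/24
        auto=start

conn shop
        left=%defaultroute
        right=203.0.113.8
        auto=start"

# dup_params: reads ipsec.conf on stdin and prints "SECTION: PARAM" once
# for every parameter that appears more than once in that section.
# ipsec.conf sections start at column 0 ("conn NAME" / "config setup");
# their parameters are indented key=value lines.
dup_params() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments, blank lines
        /^(conn|config)[ \t]/    { section = $2; next }
        /^[ \t]+[A-Za-z_]+=/ {                         # indented key=value
            key = $1; sub(/=.*/, "", key)
            if (++seen[section, key] == 2)
                printf "%s: %s\n", section, key
        }
    '
}

# lint_file PATH: convenience wrapper for a real /etc/ipsec.conf
lint_file() {
    dup_params < "$1"
}

printf '%s\n' "$SAMPLE_CONF" | dup_params
```

On the sample this prints "office: auto" and nothing for the shop conn, matching the pluto log line for line 25 of the file; on the corrected file it prints nothing. Run `lint_file /etc/ipsec.conf` before `ipsec auto --add` to catch this class of error without restarting pluto.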
Re: [Leaf-user] martians on internal network ???
On Fri, 8 Mar 2002, Michael D. Schleif wrote:

> We are seeing martians on internal networks on a regular basis. Usually,
> it is traceable to users logging into AOL over our high speed internet
> connections:
>
>   172.128.0.0 - 172.191.255.255
>
> Today, we saw one from United Airlines:
>
>   205.174.16.0 - 205.174.23.255
>
> [1] How does this happen?

I often wonder how it happens that people who should know better fail to provide specific error and log messages and explain what they know about the particulars of the ip addresses, routes, machines and connections involved. It is hard to trust reports as sanitized as this.

On the surface, the idea that packets should be generated within your LAN with source addresses outside your network would suggest something is seriously broken (accidentally or purposefully) with the workstation generating the packets.

> [2] Why does this happen?

Speculation: if your AOL users are actually dialling into AOL while being on the network, they may be temporarily acquiring an IP from AOL, and Windows could possibly screw up and ship packets out the wrong interface. However, something would have to be pretty weird with the AOL software if it decided it had an AOL IP even if no dialup had occurred. There could possibly be overlap when a dialup connection was lost as well.

> [3] Is this exploitable?

Insufficient data.

---------------------------------------------------------------------------
Jeff Newmiller                        The     .....       .....  Go Live...
DCN:[EMAIL PROTECTED]                 Basics: ##.#.       ##.#.  Live Go...
                                      Live:   OO#.. Dead: OO#..  Playing
Research Engineer (Solar/Batteries            O.O#.       #.O#.  with
/Software/Embedded Controllers)               .OO#.       .OO#.  rocks...2k
---------------------------------------------------------------------------

___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
Re: [Leaf-user] ipsec errors
> Ok, I've modified the config and am no longer getting any errors,
> however I cannot get to the other machine. I've tried to ping, and
> also tried to do a
>
>   traceroute -i eth0 -f 20 192.168.1.1
>
> and have gotten only the * * * as output from the traceroute. At any
> rate.. I'm not seeing any errors, and am wondering if there is
> something I am missing... any thoughts...

Check the output of ipsec look, and make sure you're allowing protocol 50 packets through the firewall. If you only allow the UDP keying traffic, the tunnels will get put in place, but the data packets (protocol 50) won't get through, so no traffic can flow...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
Re: [Leaf-user] vpn routing
Hey, Charles,

I had a weird idea I have no way to test right now.

What if I had the Eiger masquerade both directions. The packet is unencapsulated. It goes thru the forward chain. Its source address is masqed to the internal address. The Exchange server responds to that address. The NAT table converts the destination address of the response to the source address of the request. IPSec sees it and says that's mine. ??

Charles Steinkuehler [EMAIL PROTECTED] on 03/08/2002 03:27:44 PM
To: Phillip Watts/austin/Nlynx@Nlynx, [EMAIL PROTECTED]
cc:
Subject: Re: [Leaf-user] vpn routing

> > It seems that I've seen this problem here before:
> >
> > There are two dsl connections to the internet.
> > Behind one is an NT Proxy server.
> > Behind the other is an Eiger router running LRP/IPSec.
> > Both masquerade.
> >
> > Behind both of those is a lan 123.x.x.x
> >   AS400            123.x.x.1
> >   Exchange Server  123.x.x.2
> >
> > So the internal subnet for the Eiger is 123.x.x.0/24
> >
> > A remote laptop with a dynamic address establishes a VPN connection
> > to the Eiger, and accesses mail on 123.x.x.2.
> >
> > How does the traffic back from the Exchange Server to the laptop
> > find its way back thru the correct router, the Eiger? I mean it can
> > only have one default gateway. ??
>
> You either have to have the Eiger VPN gateway as the default route for
> the exchange box, or setup a static route on the Exchange box pointing
> to the remote endpoint of the VPN. I've done the latter with
> subnet-subnet VPN's, but I don't think it will work well with a
> host-subnet VPN, as the far end IP isn't static...
>
> It sounds like you're wanting to just use the Eiger box as a VPN
> gateway. Another option would be to setup proxy-arp on the Eiger box,
> with two internal NIC's. Something like:
>
>         Internet --------+
>            |             |
>          DSL1          DSL2
>           ||             |
>           ||      NT Proxy Server
>           ||             |
>           ||   Internal net (123.x.x.0/24)
>           ||             |
>          eth2          eth0
>        Eiger/Dachstein VPN gateway
>                  eth1
>                   |
>         Internal net (123.x.x.0/24)
>                   |
>            Exchange server
>
> This gets around the routing problem because all packets will go
> through the VPN gateway, even if destined for the IP of your NT
> proxy-server. The routing rules on the VPN gateway should make
> everything work properly, but I haven't actually tested this setup.
>
> NOTE: While the above diagram may look kind of scary, it really isn't.
> The big problem will be getting the routing on the VPN box setup to
> use the alternate DSL link (it would be much more straight-forward if
> the VPN gateway simply routed all data out the NT Proxy server, and
> had one default gateway), but you should be able to setup advanced
> routing rules based on either firewall marks or protocol that sends
> VPN traffic out the DSL1 link, and all other traffic out the NT
> proxy...
>
> Charles Steinkuehler
> http://lrp.steinkuehler.net
> http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
RE: [Leaf-user] ipsec errors
Where do I check to see if protocol 50 packets are being allowed through? I'll be working more on it this weekend.. I'd really like to get this working so I'll try just about anything.. even possibly step/by/step support via phone (I'd beg someone to call my 800 number for a little assistance...

Joey

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Charles Steinkuehler
Sent: Friday, March 08, 2002 4:57 PM
To: [EMAIL PROTECTED]; LRP Support
Subject: Re: [Leaf-user] ipsec errors

> Ok, I've modified the config and am no longer getting any errors,
> however I cannot get to the other machine. I've tried to ping, and
> also tried to do a
>
>   traceroute -i eth0 -f 20 192.168.1.1
>
> and have gotten only the * * * as output from the traceroute. At any
> rate.. I'm not seeing any errors, and am wondering if there is
> something I am missing... any thoughts...

Check the output of ipsec look, and make sure you're allowing protocol 50 packets through the firewall. If you only allow the UDP keying traffic, the tunnels will get put in place, but the data packets (protocol 50) won't get through, so no traffic can flow...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
Re: [Leaf-user] Multicast Routing
Yes, I had compiled the kernel for multicast support from the first time because I plan to use multicast. But when I tried to find some multicasting software, that was the problem. I tried to find mrouted because this supports other protocols than PIM. I have other Cisco routers. The problem is: can this PIM sparse module interact with the Cisco 2500 series router? If yes, I thank you if you can compile and make the lrp package pimd.lrp for me.

From: Dan Mønster [EMAIL PROTECTED]
To: cntv1 cntv1 [EMAIL PROTECTED]
CC: [EMAIL PROTECTED]
Subject: Re: [Leaf-user] Multicast Routing
Date: Fri, 8 Mar 2002 21:18:53 +0100 (MET)

Hi,

> Can someone tell me where i would find mrouted.lrp or some other lrp
> that supports multicast routing protocols.

I made an .lrp package of pimd, which is a PIM Sparse Mode multicast daemon. I had to patch and compile my own kernel as well in order to get multicast support. Do:

  echo 1 > /proc/sys/net/ipv4/conf/all/mc_forwarding; cat /proc/sys/net/ipv4/conf/all/mc_forwarding

to see if your kernel supports multicast forwarding (if my memory serves me right, since I do not have access to my lrp box right now). So if you have multicast enabled I can probably compile and make a pimd.lrp package for you. I also have a Linux 2.2.19 LRP kernel with multicast enabled that might be useful to you.

-Dan

_____
Dan Mønster, PhD               E-mail: [EMAIL PROTECTED]
UNI·C, Research                Phone:  (+45) 8937 6621
Olof Palmes Allé 38            Fax:    (+45) 8937 6677
DK-8200 Århus N, Denmark       WWW:    http://www.uni-c.dk
_____

___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
Re: [Leaf-user] vpn routing
> I had a weird idea I have no way to test right now.
>
> What if I had the Eiger masquerade both directions. The packet is
> unencapsulated. It goes thru the forward chain. Its source address is
> masqed to the internal address. The Exchange server responds to that
> address. The NAT table converts the destination address of the
> response to the source address of the request. IPSec sees it and says
> that's mine.

That should work, although you're a bit outside the existing firewall script functionality. Sounds like you really want a VPN gateway more than a firewall, though, so maybe that's OK.

If you setup the above, you *WILL* have problems with M$ networking (which doesn't like being masqueraded) over the VPN, so whether masquerading the remote VPN system to your local net will work for you depends on exactly which protocols you need to run. I'm not sure about exchange (I stay as far away from it as possible), but it may suffer the same problems that prevent M$ networking from working properly when masqueraded if you're using the 'advanced' features and not just running in SMTP/POP/IMAP mode...

<rant>
Good old Microsoft...where enterprise networking is a single collision domain, all protocols use dynamically allocated ports, and IP information is embedded in datagrams, to break that pesky masquerading...remember, at Micro$oft, security is more than just an afterthought, it's a Marketing Slogan!!! I'm personally glad to live in one of the states that parted ways with Justice on the M$ anti-trust case.
</rant>

Sorry about that...I think something in me just snaps whenever anyone mentions Exchange server <sigh>

At least you're looking for an alternate solution for your VPN...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
Re: [Leaf-user] ipsec errors
All,

If I remember correctly, and please correct me if I am wrong, the documentation with the ipsec lrp with the Dachstein CD says that using the leftfirewall=yes or rightfirewall=yes will automatically append the scripts to allow protocol 50 through. If I remember from the first post, the office connection had the left and rightfirewall commented out.

Just another thought -

Bill

--- Charles Steinkuehler [EMAIL PROTECTED] wrote:
> > Where do I check to see if protocol 50 packets are being allowed
> > through? I'll be working more on it this weekend.. I'd really like
> > to get this working so I'll try just about anything.. even possibly
> > step/by/step support via phone (I'd beg someone to call my 800
> > number for a little assistance...
>
> The primary source is the output of net ipfilter list, which shows you
> exactly how your firewall rules are setup. You're looking for a line
> allowing protocol 50, preferably with non-zero byte/packet counts:
>
>   1843 356K ACCEPT     50   -- 0xFF 0x00  eth0  <snip>
>
> You open protocol 50 traffic with the following in network.conf:
>
>   EXTERN_PROTO0=50 0/0
>
> Of course, you can change the 0/0 (the entire internet) to the address
> (or network) of your remote VPN link, if it's static.
>
> Charles Steinkuehler
> http://lrp.steinkuehler.net
> http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
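Charles's advice is to read the `net ipfilter list` output and look for an ACCEPT rule for protocol 50 with non-zero counters. The script below is an added example, not from the thread or from Dachstein, that does that check mechanically: it scans an ipchains-style verbose listing and reports whether an ESP rule exists on the external interface and whether it has matched anything yet, which separates "firewall blocks ESP" (Joey's symptom: tunnel negotiates, no traffic) from "rule present, tunnel never sent data". The two sample listings are constructed around the single line Charles quoted; the interface name eth0 and the column layout (pkts, bytes, target, prot, opt, tosa, tosx, ifname, ...) are what ipchains -L -v -n prints, and the address 192.0.2.10 is a placeholder.

```shell
#!/bin/sh
# Added example (mine, not Dachstein's): check a `net ipfilter list`
# (ipchains -L -v -n) listing for an ACCEPT rule covering protocol 50 (ESP).

# Constructed listing where ESP is open and has carried traffic. Modelled on
# the line Charles quoted; only pkts ($1), target ($3), prot ($4) and
# ifname ($8) are examined, so extra trailing columns do not matter.
SAMPLE_OPEN="Chain input (policy DENY: 12 packets, 960 bytes):
 pkts bytes target     prot opt    tosa tosx  ifname  source       destination
 1843  356K ACCEPT     50   ------ 0xFF 0x00  eth0    0.0.0.0/0    192.0.2.10
  311   25K ACCEPT     udp  ------ 0xFF 0x00  eth0    0.0.0.0/0    192.0.2.10   500 -> 500"

# Constructed listing with only the UDP 500 keying rule: tunnels come up,
# but ESP data packets are dropped by the DENY policy.
SAMPLE_CLOSED="Chain input (policy DENY: 12 packets, 960 bytes):
 pkts bytes target     prot opt    tosa tosx  ifname  source       destination
  311   25K ACCEPT     udp  ------ 0xFF 0x00  eth0    0.0.0.0/0    192.0.2.10   500 -> 500"

# Constructed listing where the rule exists but has never matched.
SAMPLE_IDLE="Chain input (policy DENY: 12 packets, 960 bytes):
 pkts bytes target     prot opt    tosa tosx  ifname  source       destination
    0     0 ACCEPT     50   ------ 0xFF 0x00  eth0    0.0.0.0/0    192.0.2.10"

# esp_rule_status IFNAME: reads the listing on stdin and prints one of
#   "open: N packets"   ACCEPT rule for protocol 50 on IFNAME, N matches so far
#   "open: no traffic"  rule present but counters still zero
#   "missing"           no ACCEPT rule for protocol 50 on IFNAME
esp_rule_status() {
    awk -v ifname="$1" '
        $3 == "ACCEPT" && ($4 == "50" || $4 == "esp") && $8 == ifname {
            found = 1
            if ($1 ~ /^0+$/) print "open: no traffic"
            else print "open: " $1 " packets"
            exit
        }
        END { if (!found) print "missing" }
    '
}

# On a Dachstein box the rule comes from network.conf; Charles gives
#   EXTERN_PROTO0=50 0/0
# and the live check would be:
#   net ipfilter list | esp_rule_status eth0

printf '%s\n' "$SAMPLE_OPEN"   | esp_rule_status eth0   # open: 1843 packets
printf '%s\n' "$SAMPLE_CLOSED" | esp_rule_status eth0   # missing
printf '%s\n' "$SAMPLE_IDLE"   | esp_rule_status eth0   # open: no traffic
```

"missing" is the case Charles describes; "open: no traffic" after a ping across the tunnel usually means the far end or the remote firewall is the one dropping ESP, which is where `ipsec look` comes in.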
Re: [Leaf-user] martians on internal network ??? [LONG!]
Jeff Newmiller wrote:

> On Fri, 8 Mar 2002, Michael D. Schleif wrote:
>
> > We are seeing martians on internal networks on a regular basis.
> > Usually, it is traceable to users logging into AOL over our high
> > speed internet connections:
> >
> >   172.128.0.0 - 172.191.255.255
> >
> > Today, we saw one from United Airlines:
> >
> >   205.174.16.0 - 205.174.23.255
> >
> > [1] How does this happen?
>
> I often wonder how it happens that people who should know better fail
> to provide specific error and log messages and explain what they know
> about the particulars of the ip addresses, routes, machines and
> connections involved. It is hard to trust reports as sanitized as
> this.

Jeff, I respect your intelligence and firewall skills; however, if you read exactly what I posted, then you will know exactly what there is to know.

> On the surface, the idea that packets should be generated within your
> LAN with source addresses outside your network would suggest something
> is seriously broken (accidentally or purposefully) with the
> workstation generating the packets.

That is one idea, isn't it?

> > [2] Why does this happen?
>
> Speculation: if your AOL users are actually dialling into AOL while
> being on the network, they may be temporarily acquiring an IP from
> AOL, and Windows could possibly screw up and ships packets out the
> wrong interface. However, something would have to be pretty weird
> with the AOL software if it decided it had an AOL IP even if no dialup
> had occurred. There could possibly be overlap when a dialup connection
> was lost as well.

Please, please, please, read my post and respond accordingly:

  `` ... users logging into AOL over our high speed internet connections ... ''

They are *NOT* _dialing_ into AOL !!!

Or, even if they were, the questions remain the same -- what's the difference?

> > [3] Is this exploitable?
>
> Insufficient data.

How much data will suffice?
A smattering of log entries:

  Feb 26 08:17:36 redtrout kernel: martian source 0b49a2ac for , dev eth1
  Feb 26 08:21:11 redtrout kernel: martian source 490b99ac for , dev eth1
  Feb 26 08:21:13 redtrout kernel: martian source 490b99ac for , dev eth1
  Feb 26 08:21:45 redtrout kernel: martian source 995c9eac for , dev eth1
  Feb 26 08:21:47 redtrout kernel: martian source 995c9eac for , dev eth1
  Feb 26 08:22:45 redtrout kernel: martian source 995c9eac for , dev eth1
  Feb 26 08:22:46 redtrout kernel: martian source 995c9eac for , dev eth1
  Feb 26 08:22:55 redtrout kernel: martian source 995c9eac for , dev eth1
  Feb 26 08:22:57 redtrout kernel: martian source 995c9eac for , dev eth1
  Feb 26 08:23:11 redtrout kernel: martian source c75c9eac for , dev eth1
  Feb 26 08:23:13 redtrout kernel: martian source c75c9eac for , dev eth1
  Feb 26 08:25:02 redtrout kernel: martian source b16f98ac for , dev eth1
  Feb 26 08:25:04 redtrout kernel: martian source b16f98ac for , dev eth1
  Feb 26 10:03:09 redtrout kernel: martian source a0fb99ac for , dev eth1
  Feb 26 10:03:11 redtrout kernel: martian source a0fb99ac for , dev eth1
  Feb 26 11:28:11 redtrout kernel: martian source 3c779bac for , dev eth1
  Feb 26 11:28:13 redtrout kernel: martian source 3c779bac for , dev eth1
  Feb 26 11:28:39 redtrout kernel: martian source ebb195ac for , dev eth1
  Feb 26 11:28:41 redtrout kernel: martian source ebb195ac for , dev eth1
  Feb 26 11:29:26 redtrout kernel: martian source 4d779bac for , dev eth1
  Feb 26 11:29:28 redtrout kernel: martian source 4d779bac for , dev eth1
  Feb 27 07:40:30 redtrout kernel: martian source 3336baac for , dev eth1
  Feb 27 07:40:32 redtrout kernel: martian source 3336baac for , dev eth1
  Feb 27 07:42:40 redtrout kernel: martian source 5236baac for , dev eth1
  Feb 27 07:42:42 redtrout kernel: martian source 5236baac for , dev eth1
  Feb 27 07:43:17 redtrout kernel: martian source c16e82ac for , dev eth1
  Feb 27 07:43:19 redtrout kernel: martian source c16e82ac for , dev eth1
  Feb 27 08:25:08 redtrout kernel: martian source 765a8fac for , dev eth1
  Feb 27 08:25:10 redtrout kernel: martian source 765a8fac for , dev eth1
  Feb 27 08:49:04 redtrout kernel: martian source 05f6a3ac for , dev eth1
  Feb 27 08:49:06 redtrout kernel: martian source 05f6a3ac for , dev eth1
  Feb 27 08:49:27 redtrout kernel: martian source 5be7acac for , dev eth1
  Feb 27 08:49:29 redtrout kernel: martian source 5be7acac for , dev eth1
  Feb 27 08:51:01 redtrout kernel: martian source fa35a0ac for , dev eth1
  Feb 27 08:51:03 redtrout kernel: martian source fa35a0ac for , dev eth1
  Feb 27 13:10:16 redtrout kernel: martian source c46299ac for , dev eth1
  Feb 27 13:10:18 redtrout kernel: martian source c46299ac for , dev eth1
  Feb 27 14:56:05 redtrout kernel: martian source d0ab9cac for
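The 2.2 kernel in these entries prints the martian source as a raw 32-bit hex word rather than dotted-quad, which is why the thread never quite agrees on what the addresses are. The script below is an added example, not from any post in the thread: it decodes the hex words from the log excerpt above, classifies each address against the AOL range the original poster named (172.128.0.0 - 172.191.255.255) and RFC 1918 space, and counts hits per source and device. The one assumption, stated in the code, is that the address is printed in host byte order on x86, so the last two hex digits are the first octet; that assumption is supported by the page itself, since every entry then decodes to 172.128-191.x.x, exactly the AOL block Michael reports. The log lines in the block are a subset copied from the post; the helper names are mine. Keeping martian logging on (Richard's point earlier in the thread) and summarising it this way turns the console noise into a per-host list of machines to look at.

```shell
#!/bin/sh
# Added example (mine, not from the list): decode and summarise 2.2-kernel
# "martian source <hex>" log lines.
#
# Assumption: the kernel printed the 32-bit address in host byte order on a
# little-endian (x86) box, so "0b49a2ac" is bytes ac a2 49 0b on the wire,
# i.e. 172.162.73.11. All six samples decode into 172.128.0.0/10 this way,
# which matches the AOL range named in the thread.

# Subset of the log lines from the post (destination was already missing
# from the archive copy).
MARTIAN_LOG="Feb 26 08:17:36 redtrout kernel: martian source 0b49a2ac for , dev eth1
Feb 26 08:21:11 redtrout kernel: martian source 490b99ac for , dev eth1
Feb 26 08:21:13 redtrout kernel: martian source 490b99ac for , dev eth1
Feb 26 08:21:45 redtrout kernel: martian source 995c9eac for , dev eth1
Feb 26 11:28:11 redtrout kernel: martian source 3c779bac for , dev eth1
Feb 27 08:49:27 redtrout kernel: martian source 5be7acac for , dev eth1"

# hex2ip HEX: 8-digit host-order hex word -> dotted quad
hex2ip() {
    h=$1
    printf '%d.%d.%d.%d\n' \
        "0x$(printf '%s' "$h" | cut -c7-8)" \
        "0x$(printf '%s' "$h" | cut -c5-6)" \
        "0x$(printf '%s' "$h" | cut -c3-4)" \
        "0x$(printf '%s' "$h" | cut -c1-2)"
}

# classify IP -> "aol" (172.128.0.0-172.191.255.255, the range from the
# post), "rfc1918" (private space), or "other"
classify() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    if [ "$1" -eq 172 ] && [ "$2" -ge 128 ] && [ "$2" -le 191 ]; then
        echo aol
    elif [ "$1" -eq 10 ] \
         || { [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; } \
         || { [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; }; then
        echo rfc1918
    else
        echo other
    fi
}

# martian_report: reads kernel log on stdin, prints "count ip class dev"
# per distinct source, busiest first. Lines without a martian hex word
# are ignored, so the whole of /var/log/messages can be piped in.
martian_report() {
    sed -n 's/.*martian source \([0-9a-f]\{8\}\) .*dev \([a-z0-9]*\).*/\1 \2/p' |
    while read -r hex dev; do
        ip=$(hex2ip "$hex")
        echo "$ip $(classify "$ip") $dev"
    done | sort | uniq -c | sort -rn
}

printf '%s\n' "$MARTIAN_LOG" | martian_report
```

On the sample this lists five distinct sources, all classified "aol" and all seen on eth1, with 172.153.11.73 on top (two hits). The pairs of entries two seconds apart in the full log are consistent with a single host retrying; the per-source counts make that visible without reading every line.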
[Leaf-user] MSN MESSENGER FT
I know this is a non leaf question but you guys might be my only hope. I'm using MikroTik RouterOS which is using input, forward, and output chains with src-nat and dest-nat. I have it set up using masq and nat for internal services.

Here's my question: I have tried everything to get file transfer (msmessenger) to work, I can receive files but can't send them. Can you guys shed some light on how this process could work? MikroTik response is somewhat limited.

___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user