Re: [Leaf-user] 4 NIC LRP -Dachstein CD- only one internal IP forwards to internet

2002-03-08 Thread Erich Titl

Hi folks

Charles commented the following

At 11:43 07.03.2002 -0800, you wrote:
> Make sure you've added all your internal networks to the INTERN_NET variable
> in /etc/network.conf.  If that's not the problem, we'll need more
> information about your firewall setup, including network.conf settings, and
> the output of net ipfilter list

I tried to find documentation on multiple internal interfaces but failed. I 
just found the network.txt file on 
lrp.steinkuehler.net/files/packages/network.txt. Could anyone please 
clarify the format of

INTERN_IF
INTERN_NET
INTERN_IP

for more than one internal interface

Thanks

Erich


THINK
Püntenstrasse 39
8143 Stallikon
mailto:[EMAIL PROTECTED]
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024  8D8A B7D4 FF9D 05B8 0A16


___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user



Re: [Leaf-user] a message to NTL customers in the uk

2002-03-08 Thread Alex McLintock

Hello Ant - 

I just knew I should have written up my experiences on this. See comments inline
below.

--- Ant Ken [EMAIL PROTECTED] wrote:

> hello,
>
> if you use the NTL broadband in the UK you will have problems setting your
> router up, here's what you have to do:
> when a new network card (ie your new router) is switched on for the
> first time your cable box gives you an ip address of something like
> 10.xxx.xxx.xxx, via DHCP. Because of the ip filters setup on the box you
> will not be able to immediately browse the web, you have to either install
> a version of linux with X and netscape on or install M$ windows then try
> and access the web you will be presented with the ntl account
> administration page.

You have two other options

You can also use your network card in a separate MS Windows box for the initial
MAC address registration, or
you can install the simple text based web browser on your Leaf box.

I did the first option which works fine. I haven't tried the second option.


> enter your account PID and password, login and click the add button. type a
> name in for your router ( any thing does not matter ( letters, numbers, -
> and _ only ))
> when you have done this either restart your network interfaces or restart
> windows
> when you have done all that then you can start configuring your router to
> do what ever you want!
>
> if any one has any queries email me and just ask
>
> antken


I am thinking of writing a long document explaining how to use Leaf with NTL broadband
but don't know how to distribute it to those potential Leaf users. Any ideas on that?

Alex


=
Alex McLintock  [EMAIL PROTECTED]  Open Source Consultancy in London
OpenWeb Analysts Ltd, http://www.OWAL.co.uk/
---
SF and Computing Book News and Reviews: http://news.diversebooks.com/
Get Your XML T-Shirt t-shirt/ at http://www.inversity.co.uk/
Please Remove [EMAIL PROTECTED] from your address book.




Re: [Leaf-user] routed subnet dmz help

2002-03-08 Thread kevin mudrick


Lynn,

This is exactly what I needed.  Works perfectly now!  Thank you kindly.

-Kevin

> Well, this is more like what you are looking to do with ProxyArp.
> You should get a good start off of this link anyway:
>
> http://www.casano.com/lrp/proxy_arp.html
>
> Just kill the private network using NAT if you don't need it.

-- 
 (kevin mudrick)   ([EMAIL PROTECTED])   (www.bleachedwhale.com)
  pgp key available at http://www.bleachedwhale.com/kevinGPG.asc

 Despair: It's always darkest just before it goes pitch black.





RE: [Leaf-user] DMZ Options - additional questions

2002-03-08 Thread Tony

Good Morning,

I am resending a message that got no response the last time, I would
appreciate any input anyone might have.

I am going to try and implement this on Sunday.

Thanks in advance

Tony





Good Evening,

I would like to build on this DMZ discussion and combine it with a post that
Matt had a few days ago.
My situation is that I am going to implement a DMZ with the private switch,
and have a second firewall (MS ISA server) between the DMZ and internal
network.

Here is a lame pic of what I want to do:

Internet
 |
 |
 |
 |eth0 (IP assigned from RR)
LRP Box
 | |
 | |eth1(192.168.1.2)
 | |
 | |_ 192.168.1.0/24 DMZ
 |
 eth2 (192.168.1.3)
 |
192.168.1.1 ISA ext. nic
192.168.0.1 ISA int. network
 |
 |
Internal network (192.168.0.0/24)

OK, now what I was thinking was, that the eth1 and eth2 would be on the same
subnet.  This way, updating the web server from the internal network would
be fairly easy, because the internal nets default gateway is the ISA server,
and the external nic on the ISA server has a default gateway of the LRP box.
Same with the DMZ box.  Assuming they penetrate the LRP box and hack the DMZ
server, they are still removed from the internal net by the ISA server.

I want to allow the DMZ box access to a Access database on the internal
network (read only) and the DMZ box also needs access to relay SMTP messages
to an internal Exchange box.  The DMZ box is a W2K server running IIS and
SMTP w/ ISA's message screener.  (Everything is patched :-)

Anyway, what do you all think?  Any flaws you can see in this plan?

I appreciate all the feedback you can give

Thanks

Tony








>>> Whether you want a DMZ or not (YES, PROXY, NAT, PRIVATE, NO)
>>
>> Proxy
>> NAT
>> Private...
>>
>> Does PRIVATE mean, that I have a DMZ, but with PRIVATE ip ranges etc,
>
> YES - This is a traditional routed DMZ...your ISP routes a block of IP's
> to the external interface of your firewall
>
> PROXY - A Proxy-ARP DMZ...used if you've got a block of static IP's from
> your ISP.  The firewall essentially glues together two identical network
> segments, allowing your DMZ systems to be configured with public IP's (just
> like they were connected directly to your upstream modem), but still having
> the protection of a firewall.
>
> NAT - Similar to a Proxy-ARP setup, but uses static-NAT translation instead.
> Each DMZ system is configured with a private IP, and a translation table is
> built, converting public IP's to the private IP of your DMZ systems.
>
> PRIVATE - This architecture is unique...it port-forwards specific services
> to DMZ machines, which have private IP's.  The main benefit is you don't
> have to have multiple IP's assigned to be able to implement this form of
> DMZ.
>
> NO - No DMZ
>
> Charles Steinkuehler
> http://lrp.steinkuehler.net
> http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)







[Leaf-user] My New Dachstein LRP

2002-03-08 Thread Lonnie Cumberland

Hello All,

I have been noticing some errors in my logs that look like:

Mar 8 00:33:44 a904j637 kernel: Packet log: input DENY eth0 PROTO=17
192.168.159.129:137 192.168.159.255:137 L=96 S=0x00 I=13824 F=0x
T=128 (#12)

but I have no machine 192.168.159.129 on my subnet and am only using
192.168.1.x

What does this mean?

Cheers,
Lonnie

-- 
 Lonnie Cumberland
 OutStep Technologies Incorporated
 EMAIL: [EMAIL PROTECTED]
  : [EMAIL PROTECTED]

 The Basis Express Virtual Office
   
 Data Backup and Recovery Services

 URL: http://www.basis-express.com

The Virtual Office without boundaries!!!








Re: [Leaf-user] My New Dachstein LRP

2002-03-08 Thread guitarlynn

On Friday 08 March 2002 07:35, Lonnie Cumberland wrote:
> Hello All,
>
> I have been noticing some errors in my logs that look like:
>
> Mar 8 00:33:44 a904j637 kernel: Packet log: input DENY eth0 PROTO=17
> 192.168.159.129:137 192.168.159.255:137 L=96 S=0x00 I=13824 F=0x
> T=128 (#12)
>
> but I have no machine 192.168.159.129 on my subnet and am only using
> 192.168.1.x
>
> What does this mean?


It means that someone is broadcasting NetBIOS trash through their
internet connection in your neighborhood and it is looking for more
computers to join the network. It is web trash and can safely be
dropped from logging. SILENT_DENY is used with Dachstein to avoid
logging this. Personally, I don't log anything on the 192.168./16
subnet. The LEAF Command FAQ has some examples of how to do
this several ways using SILENT_DENY in the Dachstein section.

http://sourceforge.net/docman/display_doc.php?docid=9267&group_id=13751

I hope this helps,
-- 

~Lynn Avants
aka Guitarlynn

guitarlynn at users.sourceforge.net
http://leaf.sourceforge.net

If linux isn't the answer, you've probably got the wrong question!




Re: [Leaf-user] routed subnet dmz help

2002-03-08 Thread guitarlynn

On Friday 08 March 2002 06:18, kevin mudrick wrote:
 Lynn,

 This is exactly what I needed.  Works perfectly now!  Thank you
 kindly.

Great!
Thanks for letting us know!
-- 

~Lynn Avants
aka Guitarlynn

guitarlynn at users.sourceforge.net
http://leaf.sourceforge.net

If linux isn't the answer, you've probably got the wrong question!




Re: [Leaf-user] Dachstein migration successful! - General routing question.

2002-03-08 Thread Charles Steinkuehler

 One guy behind my leaf firewall needs a securemote (Checkpoint)
 connection to company b.  He has a Win2k workstation.  As I understand
 from searching the newsgroups, this isn't possible with Linux, although
 I would love to be corrected on that one.

Sounds a lot like the securemote client is simply an IPSec implementation.
There are lots of details about masquerading an IPSec connection in the list
archives, and all the gory details can be found in the VPN-Masquerade-HOWTO.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)





Re: [Leaf-user] lrp format and filter config

2002-03-08 Thread Charles Steinkuehler

>> Probably, although you don't mention what you're trying to specify source
>> ports for.  If you need to make custom rules, that's what the
>> ipchains.input, ipchains.output, and ipchains.forward files are for in
>> /etc.
>
> I want local users to be able to ssh into external machines, and (being
> fairly pedantic about firewalls) I only want to specify port 22 for external
> machines. If I edit those files, how do they relate to the config files (No
> 2 on the network config menu)

The files are sourced by /etc/ipfilter.conf, so you can use any variables or
procedures defined in /etc/network.conf, /etc/ipfilter.conf, or
/etc/init.d/network.  Look for IPCH_IN, IPCH_OUT, and IPCH_FWD in
/etc/ipfilter.conf to see exactly where they are sourced in relation to the
rest of the rules.  You can either add rules using the -A option (probably
what you want in your case), or the -I option to add rules at the beginning
of the list (for things like silently denying something filling up your
logs).

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)





[Leaf-user] martians on internal network ???

2002-03-08 Thread Michael D. Schleif


We are seeing martians on internal networks on a regular basis.

Usually, it is traceable to users logging into AOL over our high speed
internet connections:

172.128.0.0 - 172.191.255.255

Today, we saw one from United Airlines:

205.174.16.0 - 205.174.23.255

[1] How does this happen?

[2] Why does this happen?

[3] Is this exploitable?

What do you think?

-- 

Best Regards,

mds
mds resource
888.250.3987

Dare to fix things before they break . . .

Our capacity for understanding is inversely proportional to how much we
think we know.  The more I know, the more I know I don't know . . .




[Leaf-user] Re: Leaf-user digest, Vol 1 #707 - 14 msgs

2002-03-08 Thread Erich Titl

Hi Charles

At 02:21 08.03.2002 -0800, you wrote:
>> Finally, as a constructive suggestion, does anyone think it would be useful
>> if all ipchains rules were built up in one place in the config, and it was
>> all done in a more 'tabular' fashion, so that rules could be added easily,
>> and options such as logging for some of the defaults could be easily
>> switched off.
>
> Probably, but it would take a lot of work.  Are you volunteering?


I am in the process of proposing a little LEAF-based VPN here. I might find
some spare hours to look into it.

I might just list the ipchains/ipmasqadm commands as they are built by the 
ipfilter.conf. I am pretty sure this will still fit on the floppy.

Could anyone suggest a superset of rules which will just be pumped through 
the firewall set up script. Instead of
executing the rules we could just dump them into a file and then see where 
we get.

This should give us a good idea how deep we will have to wade.

Erich






THINK
Püntenstrasse 39
8143 Stallikon
mailto:[EMAIL PROTECTED]
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024  8D8A B7D4 FF9D 05B8 0A16





Re: [Leaf-user] Re: Leaf-user digest, Vol 1 #707 - 14 msgs

2002-03-08 Thread Charles Steinkuehler

I'm not sure exactly what you're after here, but the ipchains and ipmasqadm
commands used to build the firewall rules are done using the environment
variables $IPCH and $IPMASQADM, so it would be easy to re-define these and
echo all the commands to a file, instead of actually running them...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)





[Leaf-user] Dachstein LRP

2002-03-08 Thread Peter Kanatselis

All,

Can I use the pkgpath.cfg and lrpkg.cfg files on Dachstein LRP that is
booting of an IDE hard drive? It is booting in a DOS partition and runs in
RAM

Thanks in advance for any help

Peter





Re: [Leaf-user] Dachstein LRP

2002-03-08 Thread Charles Steinkuehler

 Can I use the pkgpath.cfg and lrpkg.cfg files on Dachstein LRP that is
 booting of an IDE hard drive? It is booting in a DOS partition and runs in
 RAM

Yes.  The /linuxrc script will look for the pkgpath.cfg and lrpkg.cfg files
on your boot= device (probably your HDD).

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)





Re: [Leaf-user] Dachstein LRP

2002-03-08 Thread Peter Kanatselis


Thanks Charles, I tried it but it failed. What if anything remains in the
syslinux.cfg file? Do you include the LRP= and PKGPATH= in the new file?
Do you leave them blank in the old one?

Thanks.

P.S.

Congratulations on a job very well done on the LRP box

Peter





Re: [Leaf-user] Dachstein LRP

2002-03-08 Thread Charles Steinkuehler

> Thanks Charles, I tried it but it failed. What if anything remains in the
> syslinux.cfg file? Do you include the LRP= and PKGPATH= in the new file?
> Do you leave them blank in the old one?

You might want to see the CD-ROM readme file...it goes over the use of these
settings in a bit more detail.

When the system boots, the /linuxrc script searches the kernel command line
for a boot= parameter, and tries to mount the specified device.  If the
lrpkg.cfg and/or pkgpath.cfg files are found on this device, the contents of
those files override the kernel command line settings provided by
syslinux.cfg.  Therefore, if you've got lrpkg.cfg and pkgpath.cfg files, the
contents of LRP= and PKGPATH= in syslinux.cfg are don't care, and can even
be blank.

Both files should have a single line of data, which is *EXACTLY* what would
come after LRP= or PKGPATH= on the kernel command line.  LRP= and PKGPATH=
should *NOT* appear in these files.  Again, refer to the CD-ROM readme for
details...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)





Re: [Leaf-user] a message to NTL customers in the uk

2002-03-08 Thread Jeff Newmiller

On Fri, 8 Mar 2002, Alex McLintock wrote:

> Hello Ant -
>
> I just knew I should have written up my experiences on this. See comments inline
> below.
>
>> --- Ant Ken [EMAIL PROTECTED] wrote:  hello,
>>
>> if you use the NTL broadband in the UK you will have problems setting your
>> router up, here's what you have to do:
>> when a new network card (ie your new router) is switched on for the
>> first time your cable box gives you an ip address of something like
>> 10.xxx.xxx.xxx, via DHCP. Because of the ip filters setup on the box you
>> will not be able to immediately browse the web, you have to either install
>> a version of linux with X and netscape on or install M$ windows then try
>> and access the web you will be presented with the ntl account
>> administration page.
>
> You have two other options
>
> You can also use your network card in a separate MS Windows box for the initial
> MAC address registration, or
> you can install the simple text based web browser on your Leaf box.

I don't understand why any of these options are required.

Why not accept the ip address you are given as a router, and use your
usual box behind it to talk to the webserver to do the configuration, and
then re-initialize networking on the router?

Does the configuration process use java or javascript?

---
Jeff NewmillerThe .   .  Go Live...
DCN:[EMAIL PROTECTED]Basics: ##.#.   ##.#.  Live Go...
  Live:   OO#.. Dead: OO#..  Playing
Research Engineer (Solar/BatteriesO.O#.   #.O#.  with
/Software/Embedded Controllers)   .OO#.   .OO#.  rocks...2k
---





Re: [Leaf-user] DMZ Options - additional questions

2002-03-08 Thread Charles Steinkuehler

> OK, but how does the network setup look on the webserver?  I envisioned
> something like:
>
> IP=192.168.1.100
> Mask=255.255.255.0
> GW=192.168.1.2 (eth2 on LEAF box)
> How would SMTP know to forward to the ISA server?
>
> I guess I could point the SMTP server on the protected box to point to the
> external interface of the ISA server, who would be listening for SMTP
> traffic from that IP. {guess I just answered my own question}
>
> BTW, ISA = Microsoft Internet Security & Acceleration Server 2000
>
> If I set up the LEAF server as a more typical setup with a different subnet
> for the DMZ, the default rules would not allow communication to the
> protected network (eth1 internal) right?  Internal could initiate
> communications with the DMZ, but not vice versa, correct?  That was what I
> was going to do initially, but was pretty sure it would fail.  If this is a
> better way, perhaps I could craft some rules that said essentially, the only
> traffic that could be routed to the internal network is SMTP traffic and ISA
> message filter DCOM traffic.

This all makes sense, until I get to the end, where you indicate you want to
push SMTP (and other) traffic to your internal net.  The whole point of
having a screened subnet or DMZ is to keep public servers *OUT* of your
internal net.  It's almost always possible to restructure a network that
requires inbound connections so that inbound connections are only permitted
on the DMZ.

> Back to the screened subnet, all on the same subnet as first described.  So
> any inbound comm allowed would head to the internal network, and then be
> forwarded based on rules (i.e. web traffic to this IP, SMTP to that IP, etc.
> The second firewall (ISA) would then decide whether or not to allow inbound
> to the real internal network.  For example, I also want to setup a VPN
> eventually.  The access would be allowed/denied from the ISA server who
> would have access to Active Directory domain info.  Again, all forwarding
> could be accomplished by rules at the LEAF box.
>
> Does that sound like I am on the right track?

It's really hard to tell...it sounds like you're running an e-mail server
BEHIND the ISA, on your internal net.  If  so, this is a *REALLY BAD IDEA*,
and pretty much defeats the whole purpose of a screened subnet architecture.
Your comments about VPN, however, are correct...you could easily setup the
ISA to be a VPN gateway for the real internal subnet.  BTW:  What you
refer to as internal network above (the network between the Dachstein box
and the ISA) should be called the screened subnet, although you'll still
have to use the INTERN_* variables in network.conf to configure it :-/

If you don't have a copy already, pickup O'Reilly's Building Internet
Firewalls and take a look at chapter 6, Firewall Architectures.  It's an
excellent resource when trying to design safe network architectures, and
includes excellent (and very readable) descriptions of architectures that
work, and architectures to avoid (often for subtle, non-obvious reasons).

If you want general advice from the list, you're going to have to provide a
lot more detail about exactly what you're trying to accomplish...I've tried
to make what comments I could, but it's hard trying to read between the
lines and figure out what services you're running where...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)





Re: [Leaf-user] ipsec errors

2002-03-08 Thread Charles Steinkuehler

> can someone point out the obvious mistake that I have made..

How about starting with:

> Mar 8 13:25:08 firewall ipsec__plutorun: ipsec_auto: fatal error in
> office: (/etc/ipsec.conf, line 25) duplicated parameter auto
> Mar 8 13:25:08 firewall ipsec__plutorun: ipsec_auto: fatal error in shop:
> (/etc/ipsec.conf, line 39) duplicated parameter auto

...and...

> conn office
> <snip>
> auto=add
> auto=start

Try with just *ONE* auto= line and see what you get...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)





[Leaf-user] Multicast Routing

2002-03-08 Thread cntv1 cntv1

I set up one entire LRP router with ospf, ftp, ssh, iptable, etc. and 3
NICs.
Now I need multicast routing and cannot find mrouted.lrp.
Can someone tell me where I would find mrouted.lrp or some other lrp that
supports multicast routing protocols.

thanks




[Leaf-user] Re : martians on internal network ???

2002-03-08 Thread Doug Hite

We see martians from users on our private network that are using 
dial up internet accounts on W2k computers, external of the 
normal way of getting to the internet (through our LEAF router).
Does anyone have a fix either on the W2k side or on the router
to stop the console logging of these ?  (without turning off 
martian logging completely)

Doug

==
We are seeing martians on internal networks on a regular basis.
Usually, it is traceable to users logging into AOL over our high speed
internet connections:

   172.128.0.0 - 172.191.255.255

Today, we saw one from United Airlines:
   205.174.16.0 - 205.174.23.255

[1] How does this happen?
[2] Why does this happen?
[3] Is this exploitable?






RE: [Leaf-user] General routing question. Securemote

2002-03-08 Thread Boyd Kelly

Thanks Richard & Charles for comments and links.
 
I should provide a bit of insight here.  Dealing with technical and political issues.  
(really too bad!)  Office secretary doesn't get along with IT dept of company b, and 
there seems to have been a real lack of cooperation although according to management 
this guy (on their board of directors) is supposed to have access to their intranet.  
I think that there may be a reluctance to reconfigure their firewall (as link 
suggests) as the IT guy there seems so uncooperative.  I did do some research and 
figured that this is going to require some testing and troubleshooting, and I don't 
know whether they are using encapsulated FWZ or not.  Also, I am not an employee of 
company a, but just do work for them so I can't be on site for any extended time.  So 
I will try to prepare a diskette as per instructions in links below to see if it will 
work, but I also want to have a plan b. ie jump around the firewall for that one route 
if that might work as well.
 
Still open to suggestions.  Thanks,
 
Boyd
 
PS.  I'll also be working on both pptp and ipsec for my own dachstein.

-Original Message- 
From: Richard Doyle [mailto:[EMAIL PROTECTED]] 
Sent: Thu 07/03/2002 7:08 PM 
To: Boyd Kelly; [EMAIL PROTECTED] 
Cc: 
Subject: RE: [Leaf-user] Dachstein migration successful! - General routing 
question.



FWIW, a quick check on google for "securemote linux nat" turned up
http://www.phoneboy.com/faq/0372.html and
http://www.phoneboy.com/faq/0141.html.

-Richard

 Got my ip aliasing/forwarding and all working on dachstein.
 Very happy
 about that.  Great piece of work!

 Now for an interesting problem:

 One guy behind my leaf firewall needs a securemote (Checkpoint)
 connection to company b.  He has a Win2k workstation.  As I understand
 from searching the newsgroups, this isn't possible with
 Linux, although
 I would love to be corrected on that one.

 So I am looking for some opinions on a solution.  Could I just do some
 routing magic on the win2k workstation to bypass the leaf router only
 for that securemote ip address?  For something like that to work would
 the workstation need a second nic?  Or can I just plug all the
 Internet/Leaf wires into the same switch, and then give computer 3 a
 default gateway of 208.x.x.1 for the address in question?

 Any security issues?



   [Internet]
   |
  eth0  208.x.x.13
   |
   LEAF Box (DF 208.x.x.1) |
   |
  eth1  192.168.1.254
   |
   ---
   | |
   Computer 2Computer 3  (needs to use
 securemote client)
 (192.168.1.2)  (192.168.1.3)


 Thanks very much,

 Boyd



Re: [Leaf-user] Multicast Routing

2002-03-08 Thread Dan Mønster

Hi,

 Can someone tell me where i would find mrouted.lrp or some other lrp that
 support multicasting routing protocolos.

I made an .lrp package of pimd, which is a PIM Sparse Mode multicast
daemon. I had to patch and compile my own kernel as well in order to get
multicast support. Do: echo 1 > /proc/sys/net/ipv4/conf/all/mc_forwarding;
cat /proc/sys/net/ipv4/conf/all/mc_forwarding to see if your kernel
supports multicast forwarding (if my memory serves me right, since I do
not have access to my lrp box right now).

So if you have multicast enabled I can probably compile and make a pimd.lrp
package for you. I also have a Linux 2.2.19 LRP kernel with multicast enabled
that might be useful to you.

-Dan

_
Dan Mønster, PhD           E-mail: [EMAIL PROTECTED]
UNI·C, Research            Phone: (+45) 8937 6621
Olof Palmes Allé 38        Fax: (+45) 8937 6677
DK-8200 Århus N, Denmark   WWW: http://www.uni-c.dk
_






[Leaf-user] floppy to hard disk?

2002-03-08 Thread Ant Ken

hello all,
are there any how-to's that help you to get leaf from a floppy to a hard disk?

if so what are the urls?

thanks you for your time
antken





FW: [Leaf-user] FW: fealnx driver for LRP kernel 2.2.19-3-LEAF

2002-03-08 Thread Jan Linders

Does anybody have a compiled fealnx.o network card driver for my
new LRP machine? The version I'm looking for should be ready for LRP kernel
2.2.19-3-LEAF.

Thx in advance...





Re: [Leaf-user] floppy to hard disk?

2002-03-08 Thread Mike Noyes

At 2002-03-08 20:29 +, Ant Ken wrote:
> hello all,
> are there any how-to's that help you to get leaf from a floppy to a hard disk?
>
> if so what are the urls?

LEAF: Documentation: HOWTOs
http://leaf.sourceforge.net/mod.php?mod=userpage&menu=1302&page_id=11

I hope this helps.

--
Mike Noyes [EMAIL PROTECTED]
http://sourceforge.net/users/mhnoyes/
http://leaf-project.org/





RE: [Leaf-user] Re : martians on internal network ???

2002-03-08 Thread Richard Doyle

Ugh. Console messages about martians almost always tell you there is
something seriously wrong with your network. Turning them off is like
disconnecting a burglar alarm. In your case, these messages indicate
that an unguarded (?) backdoor to your network is currently open.

This will disable martian logging for interface $IFNAME:
echo 0 > /proc/sys/net/ipv4/conf/$IFNAME/log_martians

AFAIK you can't log martians to a file without seeing them on the
console, unless you want to stop seeing all level 4 kernel messages
(KERN_WARNING). You can probably do this by modifying
/etc/init.d/sysklogd to read

klogd -c 4

instead of whatever is there now (I'm using busybox klogd, which doesn't
support this parameter; please correct if necessary).

<rant> Sorry for being so cranky about this, but wanting to make martian
messages go away without fixing the underlying problem is a Bad Thing.
You have a nice security system with deadbolts on your front door, but
you leave the backdoor unlocked. Those martian messages at least let you
know when the back door is open and remind you to install a lock on the
damn thing. </rant>

-Richard

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]]On Behalf Of Doug Hite
 Sent: Friday, March 08, 2002 11:21 AM
 To: [EMAIL PROTECTED]
 Subject: [Leaf-user] Re : martians on internal network ???


 We see martians from users on our private network that are using
 dial up internet accounts on W2k computers, external of the
 normal way of getting to the internet (through our LEAF router).
 Does anyone have a fix either on the W2k side or on the router
 to stop the console logging of these ?  (without turning off
 martian logging completely)

 Doug

 ==
 We are seeing martians on internal networks on a regular basis.
 Usually, it is traceable to users logging into AOL over our
 high speed
 internet connections:
 
  172.128.0.0 - 172.191.255.255
 
 Today, we saw one from United Airlines:
  205.174.16.0 - 205.174.23.255
 
 [1] How does this happen?
 [2] Why does this happen?
 [3] Is this exploitable?









[Leaf-user] vpn routing

2002-03-08 Thread Phillip . Watts



It seems that I've seen this problem here before:


There are two dsl connections to the internet

behind one is an NT Proxy server.
behind the other is an Eiger router running LRP/IPSec.
Both masquerade

Behind both of those is a lan  123.x.x.x
AS400  123.x.x.1
Exchange Server 123.x.x.2

So the internal subnet for the Eiger is 123.x.x.0/24

A remote laptop with a dynamic address establishes a VPN connection
to the Eiger and accesses mail on 123.x.x.2.
How does the traffic back from the Exchange Server to the laptop
find its way back through the correct router, the Eiger?
I mean it can only have one default gateway. ??






Re: [Leaf-user] vpn routing

2002-03-08 Thread Charles Steinkuehler

 It seems that I've seen this problem here before:

 There are two dsl connections to the internet

 behind one is an NT Proxy server.
 behind the other is an Eiger router running LRP/IPSec.
 Both masquerade

 Behind both of those is a lan  123.x.x.x
 AS400  123.x.x.1
 Exchange Server 123.x.x.2

 So the internal subnet for the Eiger is 123.x.x.0/24

 A remote laptop with a dynamic address establishes a VPN connection
 to the Eiger.   And access mail on 123.x.x.2
 How does the traffic back from the Exchange Server to the laptop
 find its way back thru the correct router, the eiger.
 I mean it can only have one default gateway. ??

You either have to have the Eiger VPN gateway as the default route for the
exchange box, or setup a static route on the Exchange box pointing to the
remote endpoint of the VPN.  I've done the latter with subnet-subnet VPN's,
but I don't think it will work well with a host-subnet VPN, as the far end
IP isn't static...

It sounds like you're wanting to just use the Eiger box as a VPN gateway.
Another option would be to setup proxy-arp on the Eiger box, with two
internal NIC's.  Something like:

                 Internet
             -----------------
             |               |
           DSL1            DSL2
             |               |
             |         NT Proxy Server
             |               |
             |   Internal net (123.x.x.0/24)
             |               |
             |             eth2
           eth0 --- Eiger/Dachstein VPN gateway
                           eth1
                             |
                 Internal net (123.x.x.0/24)
                             |
                     Exchange server

This gets around the routing problem because all packets will go through the
VPN gateway, even if destined for the IP of your NT proxy-server.  The
routing rules on the VPN gateway should make everything work properly, but I
haven't actually tested this setup.

NOTE:  While the above diagram may look kind of scary, it really isn't.  The
big problem will be getting the routing on the VPN box setup to use the
alternate DSL link (it would be much more straight-forward if the VPN
gateway simply routed all data out the NT Proxy server, and had one default
gateway), but you should be able to setup advanced routing rules based on
either firewall marks or protocol that sends VPN traffic out the DSL1 link,
and all other traffic out the NT proxy...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)





RE: [Leaf-user] routing more than 1 hop

2002-03-08 Thread Bob Pocius


 Sometimes LEAF distros are configured to block traffic destined for
 the private address space from going out eth0.  It's designed that
 way because private addresses are in general for internal use only.
 Rarely, an ISP uses these, and adjustments are made to ipfilter.conf
 or wherever your rules are defined.
That makes good sense, but I stripped Shorewall out to try to simplify
things for myself.

 Btw, tabs mess up your tables.  I converted them to spaces.
Thanks!!

 I'm deciding not to comment on the routes at all until
 you post the output of   ifconfig -a on all four sites.
I've included the useful data with each of the routing tables (I hope I
didn't leave out anything that you were looking for).

 I will mention that I don't get the concept of having both
 10.10.1.254 and 10.10.1.40 assigned to the same eth0, for
 instance.
I did this because that router is connected via 100Mb fibre to another
building where the rest of the routing happens. eth0 on Site 1 connects to a
switch, and 10.10.1.254 (my main gateway router) connects to a different
port on that same switch.



 Site 1:  10.10.1.0
 eth0 10.10.1.40/24
 eth1 192.168.1.254/24

 Destination  Mask            Gateway        Dev
 0.0.0.0      0.0.0.0         10.10.1.254    eth0  (to internet)
 10.10.1.0    255.255.255.0   10.10.1.40     eth0  (wired interface)
 10.10.12.0   255.255.255.0   192.168.1.253  eth1  (wireless to site 2)
 10.10.13.0   255.255.255.0   192.168.1.253  eth1  (wireless to site 2)
 192.168.1.0  255.255.255.0   192.168.1.254  eth1  (wireless interface)
 192.168.2.0  255.255.255.0   192.168.1.253  eth1  (wireless to site 2)


 Site 2a:  10.10.12.0
 eth0 10.10.12.254/24
 eth1 192.168.1.253/24

 Destination  Mask            Gateway        Dev
 0.0.0.0      0.0.0.0         192.168.1.254  eth1  (wireless to site 1)
 10.10.12.0   255.255.255.0   10.10.12.254   eth0  (wired interface)
 10.10.13.0   255.255.255.0   10.10.12.253   eth0  (to other local router)
 192.168.1.0  255.255.255.0   192.168.1.253  eth1  (wireless interface)
 192.168.2.0  255.255.255.0   10.10.12.253   eth0  (to other local router)

 (Site 2a and 2b are connected to the same switch)


 Site 2b:  10.10.12.0
 eth0 10.10.12.253/24
 eth1 192.168.2.254/24

 Destination  Mask            Gateway        Dev
 0.0.0.0      0.0.0.0         10.10.12.254   eth0  (to other local router)
 10.10.12.0   255.255.255.0   10.10.12.253   eth0  (wired interface)
 10.10.13.0   255.255.255.0   192.168.2.253  eth1  (wireless to site 3)
 192.168.2.0  255.255.255.0   192.168.2.254  eth1  (wireless interface)


 Site 3: 10.10.13.0
 eth0 10.10.13.254/24
 eth1 192.168.2.253/24

 Destination  Mask            Gateway        Dev
 0.0.0.0      0.0.0.0         192.168.2.254  eth1  (wireless to site 2)
 10.10.13.0   255.255.255.0   10.10.13.254   eth0  (wired interface)
 192.168.2.0  255.255.255.0   192.168.2.253  eth1  (wireless interface)


 Bob Pocius

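The four tables above form a multi-hop path whose symmetry is easier to check by machine than by eye. As an added example (not code from the thread), the script below transcribes the posted routes and interface addresses, resolves each next hop by longest-prefix match, and traces a packet hop by hop in both directions; the end-host addresses used in the traces and the 198.51.100.1 test destination are constructed, and 10.10.1.254 (the main gateway) is treated as the edge of what the tables show.

```python
"""Hop-by-hop trace across the four routing tables Bob posted.

Added example, not code from the thread.  Route rows and interface
addresses are transcribed from the post; the end-host addresses in the
traces (x.x.x.10, 198.51.100.1) are constructed, and 10.10.1.254 (the
main gateway) is treated as the edge of what these tables describe.
"""
import ipaddress

IP, NET = ipaddress.ip_address, ipaddress.ip_network

# Interface addresses per router, from the eth0/eth1 lines in the post.
IFACES = {
    "site1": {"eth0": "10.10.1.40/24", "eth1": "192.168.1.254/24"},
    "site2a": {"eth0": "10.10.12.254/24", "eth1": "192.168.1.253/24"},
    "site2b": {"eth0": "10.10.12.253/24", "eth1": "192.168.2.254/24"},
    "site3": {"eth0": "10.10.13.254/24", "eth1": "192.168.2.253/24"},
}

# (destination, mask, gateway, dev) exactly as posted.
TABLES = {
    "site1": [("0.0.0.0", "0.0.0.0", "10.10.1.254", "eth0"),
              ("10.10.1.0", "255.255.255.0", "10.10.1.40", "eth0"),
              ("10.10.12.0", "255.255.255.0", "192.168.1.253", "eth1"),
              ("10.10.13.0", "255.255.255.0", "192.168.1.253", "eth1"),
              ("192.168.1.0", "255.255.255.0", "192.168.1.254", "eth1"),
              ("192.168.2.0", "255.255.255.0", "192.168.1.253", "eth1")],
    "site2a": [("0.0.0.0", "0.0.0.0", "192.168.1.254", "eth1"),
               ("10.10.12.0", "255.255.255.0", "10.10.12.254", "eth0"),
               ("10.10.13.0", "255.255.255.0", "10.10.12.253", "eth0"),
               ("192.168.1.0", "255.255.255.0", "192.168.1.253", "eth1"),
               ("192.168.2.0", "255.255.255.0", "10.10.12.253", "eth0")],
    "site2b": [("0.0.0.0", "0.0.0.0", "10.10.12.254", "eth0"),
               ("10.10.12.0", "255.255.255.0", "10.10.12.253", "eth0"),
               ("10.10.13.0", "255.255.255.0", "192.168.2.253", "eth1"),
               ("192.168.2.0", "255.255.255.0", "192.168.2.254", "eth1")],
    "site3": [("0.0.0.0", "0.0.0.0", "192.168.2.254", "eth1"),
              ("10.10.13.0", "255.255.255.0", "10.10.13.254", "eth0"),
              ("192.168.2.0", "255.255.255.0", "192.168.2.253", "eth1")],
}

# Reverse map: which router answers for a given gateway address.
OWNER = {addr.split("/")[0]: r for r, ifs in IFACES.items() for addr in ifs.values()}


def lookup(router, dst):
    """Longest-prefix match over one table; returns (gateway, dev) or None."""
    best = None
    for d, m, gw, dev in TABLES[router]:
        net = NET(f"{d}/{m}")
        if IP(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, gw, dev)
    return None if best is None else best[1:]


def bad_gateways(router):
    """Routes whose gateway is not on the subnet of the interface they name."""
    return [(d, gw, dev) for d, m, gw, dev in TABLES[router]
            if IP(gw) not in ipaddress.ip_interface(IFACES[router][dev]).network]


def trace(start, dst, max_hops=8):
    """Follow next hops from router `start` until delivered, upstream, or lost."""
    path, router = [start], start
    for _ in range(max_hops):
        hit = lookup(router, dst)
        if hit is None:
            return path + ["no-route"]
        gw, dev = hit
        if OWNER.get(gw) == router:              # own address: destination is on-link
            return path + [f"delivered via {dev}"]
        if gw not in OWNER:                      # 10.10.1.254 etc.: beyond these tables
            return path + [f"upstream {gw}"]
        router = OWNER[gw]
        path.append(router)
    return path + ["loop?"]


def symmetric(a, a_host, b, b_host):
    """True when the return path visits the same routers in reverse order."""
    fwd = [h for h in trace(a, b_host) if h in TABLES]
    back = [h for h in trace(b, a_host) if h in TABLES]
    return fwd == back[::-1]


if __name__ == "__main__":
    print(trace("site3", "198.51.100.1"))           # out towards the internet
    print(trace("site1", "10.10.13.10"))            # down to site 3
    print("symmetric:", symmetric("site1", "10.10.1.10", "site3", "10.10.13.10"))
    for r in TABLES:
        print(r, "bad gateways:", bad_gateways(r))
```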



Re: [Leaf-user] Dachstein migration successful!

2002-03-08 Thread Scott C. Best

Boyd:

As Charles says, the docs on www.phoneboy.com/faq/0372.html
suggest this is a lot like an IPSec connection. You may want to have
a look at echoWall again, though: it supports both FW1 and IPSEC.
You can enable or disable either of them, see what works.

-Scott

  One guy behind my leaf firewall needs a securemote (Checkpoint)
  connection to company b.  He has a Win2k workstation.  As I understand
  from searching the newsgroups, this isn't possible with Linux, although
  I would love to be corrected on that one.

 Sounds a lot like the securemote client is simply an IPSec implementation.
 There are lots of details about masquerading an IPSec connection in the list
 archives, and all the gory details can be found in the VPN-Masquerade-HOWTO.






[Leaf-user] openssh 3.1p1 LEAF packages available

2002-03-08 Thread Jacques Nilo

A vulnerability has recently been found in openssh up to version 3.0.2.
See the CERT announcement at:
http://www.kb.cert.org/vuls/id/408419

The LEAF openssh packages (ssh/sshd/sftp/sshkey) have been updated accordingly
and are now available
for download from my website.
http://leaf.sourceforge.net/devel/jnilo/

The documentation has also been updated to include clarifications suggested by
Matt Shalit (Thanks Matt!)
http://leaf.sourceforge.net/devel/jnilo/openssh.html

Jacques







RE: [Leaf-user] ipsec errors

2002-03-08 Thread Joey Officer

Ok, I've modified the config and am no longer getting any errors, however I
cannot get to the other machine.  I've tried to ping, and also tried to do a

traceroute -i eth0 -f 20 192.168.1.1

and have gotten only the * * * as output from the traceroute.  At any rate..
I'm not seeing any errors, and am wondering if there is something I am
missing... any thoughts...

joey


-Original Message-
From: Charles Steinkuehler [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 08, 2002 12:47 PM
To: [EMAIL PROTECTED]; LRP Support
Subject: Re: [Leaf-user] ipsec errors

 can someone point out the obvious mistake that I have made..

How about starting with:

 Mar 8 13:25:08 firewall ipsec__plutorun: ipsec_auto: fatal error in
 office: (/etc/ipsec.conf, line 25) duplicated parameter auto
 Mar 8 13:25:08 firewall ipsec__plutorun: ipsec_auto: fatal error in
shop:
 (/etc/ipsec.conf, line 39) duplicated parameter auto

...and...

 conn office
<snip>
 auto=add
 auto=start

Try with just *ONE* auto= line and see what you get...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)





Re: [Leaf-user] martians on internal network ???

2002-03-08 Thread Jeff Newmiller

On Fri, 8 Mar 2002, Michael D. Schleif wrote:

 
 We are seeing martians on internal networks on a regular basis.
 
 Usually, it is traceable to users logging into AOL over our high speed
 internet connections:
 
   172.128.0.0 - 172.191.255.255
 
 Today, we saw one from United Airlines:
 
   205.174.16.0 - 205.174.23.255
 
 [1] How does this happen?

I often wonder how it happens that people who should know better fail to
provide specific error and log messages and explain what they know about
the particulars of the ip addresses, routes, machines and connections
involved.  It is hard to trust reports as sanitized as this.

On the surface, the idea that packets should be generated within your LAN
with source addresses outside your network would suggest something is
seriously broken (accidentally or purposefully) with the workstation
generating the packets.

 [2] Why does this happen?

Speculation: if your AOL users are actually dialling into AOL while being
on the network, they may be temporarily acquiring an IP from AOL, and
Windows could possibly screw up and ship packets out the wrong interface.
However, something would have to be pretty weird with the AOL software if
it decided it had an AOL IP even if no dialup had occurred.  There could
possibly be overlap when a dialup connection was lost as well.

 [3] Is this exploitable?

Insufficient data.

---
Jeff Newmiller                         The     .   .  Go Live...
DCN:[EMAIL PROTECTED]                  Basics: ##.#.   ##.#.  Live Go...
                                       Live:   OO#.. Dead: OO#..  Playing
Research Engineer (Solar/Batteries             O.O#.   #.O#.  with
/Software/Embedded Controllers)                .OO#.   .OO#.  rocks...2k
---




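Kernel 2.2 prints a martian's source as eight hex digits, the raw 32-bit address in host byte order, so on a little-endian x86 router the bytes come out back-to-front (that byte-order reading is an assumption stated here, not something the posts spell out). The following is an added example, not code from any of the posters: it decodes such lines from constructed sample syslog text and classifies each decoded source against the ranges named in the thread (AOL 172.128.0.0 - 172.191.255.255, United Airlines 205.174.16.0 - 205.174.23.255), the RFC 1918 blocks, and a constructed eth1 subnet.

```python
"""Decode Linux 2.2 "martian source" messages and classify the offending address.

Added example for this thread, not code from any of the posters.  Assumptions:
the router is a little-endian x86 box and the 2.2 kernel printed the raw
32-bit source address with %08x in host byte order, so the hex digits read
back-to-front; the eth1 subnet below is a constructed value.
"""
import ipaddress
import re

# Constructed sample lines in the 2.2 kernel's format (syslog prefix included).
SAMPLE_LOG = """\
Feb 26 08:17:36 redtrout kernel: martian source 0b49a2ac for , dev eth1
Feb 27 07:43:17 redtrout kernel: martian source c16e82ac for , dev eth1
Feb 27 09:02:10 redtrout kernel: martian source 0500000a for , dev eth1
Feb 27 09:05:44 redtrout kernel: martian source 0714aecd for , dev eth1
Feb 27 09:06:00 redtrout kernel: eth1: unrelated message, not a martian
"""

MARTIAN_RE = re.compile(
    r"martian source (?P<src>[0-9a-f]{8}) for (?P<dst>[0-9a-f]{8})?, dev (?P<dev>\S+)"
)

# Ranges named in the thread: AOL 172.128.0.0 - 172.191.255.255 and
# United Airlines 205.174.16.0 - 205.174.23.255, written as prefixes.
NAMED_BLOCKS = {
    "aol-range": ipaddress.ip_network("172.128.0.0/10"),
    "ua-range": ipaddress.ip_network("205.174.16.0/21"),
}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed: the subnet configured on the interface that logged the martians.
IFACE_NETS = {"eth1": ipaddress.ip_network("192.168.2.0/24")}


def hex_to_ip(word: str) -> ipaddress.IPv4Address:
    """Undo the little-endian %08x dump: reverse the four bytes, then build the address."""
    return ipaddress.IPv4Address(bytes.fromhex(word)[::-1])


def classify(src: ipaddress.IPv4Address, dev: str) -> str:
    """Explain why the source is out of place on this interface."""
    net = IFACE_NETS.get(dev)
    if net is not None and src in net:
        return "on-link"            # would never be logged as a martian; flag it anyway
    for name, block in NAMED_BLOCKS.items():
        if src in block:
            return name
    if any(src in n for n in RFC1918):
        return "other-private"
    return "off-net-public"


def parse_martians(log: str) -> list:
    """Turn raw syslog text into a list of decoded martian events."""
    events = []
    for line in log.splitlines():
        m = MARTIAN_RE.search(line)
        if not m:
            continue
        src = hex_to_ip(m.group("src"))
        dev = m.group("dev")
        events.append({"dev": dev, "src": str(src), "verdict": classify(src, dev)})
    return events


def summarize(log: str) -> dict:
    """Count events per verdict: one AOL user, or something less explainable?"""
    counts = {}
    for ev in parse_martians(log):
        counts[ev["verdict"]] = counts.get(ev["verdict"], 0) + 1
    return counts


if __name__ == "__main__":
    for ev in parse_martians(SAMPLE_LOG):
        print(f'{ev["dev"]}: source {ev["src"]:<16} {ev["verdict"]}')
    print(summarize(SAMPLE_LOG))
```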



Re: [Leaf-user] ipsec errors

2002-03-08 Thread Charles Steinkuehler

 Ok, I've modified the config and am no longer getting any errors, however I
 cannot get to the other machine.  I've tried to ping, and also tried to do a

 traceroute -i eth0 -f 20 192.168.1.1

 and have gotten only the * * * as output from the traceroute.  At any rate..
 I'm not seeing any errors, and am wondering if there is something I am
 missing... any thoughts...

Check the output of ipsec look, and make sure you're allowing protocol 50
packets through the firewall.  If you only allow the UDP keying traffic, the
tunnels will get put in place, but the data packets (protocol 50) won't get
through, so no traffic can flow...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)





Re: [Leaf-user] vpn routing

2002-03-08 Thread Phillip . Watts



Hey, Charles,

 I had a weird idea I have no way to test right now.
 What if I had the Eiger masquerade both directions.
 The packet is unencapsulated.
 It goes thru the forward chain.
 Its source address is masqed to the internal address.
 The Exchange server responds to that address
 The NAT table converts the destination address of the
response to the source address of the request.
 IPSec sees it and says that's mine.

  ??








RE: [Leaf-user] ipsec errors

2002-03-08 Thread Joey Officer

Where do I check to see if protocol 50 packets are being allowed through?
I'll be working more on it this weekend.. I'd really like to get this
working, so I'll try just about anything.. even possibly step-by-step support
via phone (I'd beg someone to call my 800 number for a little assistance)...

Joey





Re: [Leaf-user] Multicast Routing

2002-03-08 Thread cntv1 cntv1

Yes, I had compiled the kernel for multicast support from the first time
because I plan to use multicast. But when I tried to find some multicasting
software, that was the problem.

I tried to find mrouted because it supports other protocols than PIM.
I have other Cisco routers. The problem is whether this PIM sparse module can
interact with the Cisco 2500 series router.
If yes, I would thank you if you could compile and make the lrp package pimd.lrp
for me.

From: Dan Mønster [EMAIL PROTECTED]
To: cntv1 cntv1 [EMAIL PROTECTED]
CC: [EMAIL PROTECTED]
Subject: Re: [Leaf-user] Multicast Routing
Date: Fri, 8 Mar 2002 21:18:53 +0100 (MET)

Hi,

  Can someone tell me where I would find mrouted.lrp or some other lrp that
  supports multicast routing protocols.

I made an .lrp package of pimd, which is a PIM Sparse Mode multicast
daemon. I had to patch and compile my own kernel as well in order to get
multicast support. Do: echo 1 > /proc/sys/net/ipv4/conf/all/mc_forwarding;
cat /proc/sys/net/ipv4/conf/all/mc_forwarding to see if your kernel
supports multicast forwarding (if my memory serves me right, since I do
not have access to my lrp box right now).

So if you have multicast enabled I can probably compile and make a pimd.lrp
package for you. I also have a Linux 2.2.19 LRP kernel with multicast 
enabled
that might be useful to you.

   -Dan

_
Dan Mønster, PhD E-mail: [EMAIL PROTECTED]
UNI·C, Research   Phone: (+45) 8937 6621
Olof Palmes Allé 38 Fax: (+45) 8937 6677
DK-8200 Århus N, DenmarkWWW: http://www.uni-c.dk
_










Re: [Leaf-user] vpn routing

2002-03-08 Thread Charles Steinkuehler

  I had a weird idea I have no way to test right now.
  What if I had the Eiger masquerade both directions.
  The packet is unencapsulated.
  It goes thru the forward chain.
  Its source address is masqed to the internal address.
  The Exchange server responds to that address
  The NAT table converts the destination address of the
 response to the source address of the request.
  IPSec sees it and says that's mine.

That should work, although you're a bit outside the existing firewall script
functionality.  Sounds like you really want a VPN gateway more than a
firewall, though, so maybe that's OK.

If you setup the above, you *WILL* have problems with M$ networking (which
doesn't like being masqueraded) over the VPN, so whether masquerading the
remote VPN system to your local net will work for you depends on exactly
which protocols you need to run.  I'm not sure about exchange (I stay as far
away from it as possible), but it may suffer the same problems that prevent
M$ networking from working properly when masqueraded if you're using the
'advanced' features and not just running in SMTP/POP/IMAP mode...

<rant>
Good old Microsoft...where enterprise networking is a single collision
domain, all protocols use dynamically allocated ports, and IP information is
embedded in datagrams, to break that pesky masquerading...remember, at
Micro$oft, security is more than just an afterthought, it's a Marketing
Slogan!!!

I'm personally glad to live in one of the states that parted ways with
Justice on the M$ anti-trust case.
</rant>

Sorry about that...I think something in me just snaps whenever anyone
mentions Exchange server
<sigh>
At least you're looking for an alternate solution for your VPN...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)





Re: [Leaf-user] ipsec errors

2002-03-08 Thread William Brinkman

All,

If I remember correctly, and please correct me if I am
wrong, the documentation with the ipsec lrp with the
Dachstein CD says that using the leftfirewall=yes or
rightfirewall=yes will automatically append the
scripts to allow protocol 50 through.  If I remember
from the first post, the office connection had the
left and rightfirewall commented out.

Just another thought - Bill

--- Charles Steinkuehler [EMAIL PROTECTED]
wrote:
  Where do I check to see if protocol 50 packets are being allowed through?
  I'll be working more on it this weekend.. I'd really like to get this
  working so I'll try just about anything.. even possibly step/by/step support
  via phone (I'd beg someone to call my 800 number for a little assistance...
 
 The primary source is the output of net ipfilter list, which shows you
 exactly how your firewall rules are setup.  You're looking for a line
 allowing protocol 50, preferably with non-zero byte/packet counts:
 
 1843  356K ACCEPT 50   -- 0xFF 0x00  eth0
 <snip>
 
 You open protocol 50 traffic with the following in network.conf:
 EXTERN_PROTO0=50 0/0
 
 Of course, you can change the 0/0 (the entire internet) to the address (or
 network) of your remote VPN link, if it's static.
 
 Charles Steinkuehler
 http://lrp.steinkuehler.net
 http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)


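Two checks matching the problems in this thread, as an added example that is not LEAF, FreeS/WAN or Dachstein code: a scan of an ipsec.conf for parameters repeated within one conn section (the "duplicated parameter auto" fatal error quoted earlier) and a scan of the net ipfilter list output for an ACCEPT on protocol 50 on the external interface, which the UDP keying rule alone does not give you. All input is constructed; the listing follows the ipchains -L -v -n column order of the line Charles quoted, and 203.0.113.1 is a documentation address standing in for the remote gateway.

```python
"""Two checks for the problems in this thread, added as an example; this is
not LEAF, FreeS/WAN or Dachstein code.

1. An ipsec.conf conn section must not repeat a parameter: pluto refuses to
   start with "duplicated parameter auto" when auto=add and auto=start both
   appear, as in the first post.
2. The firewall must ACCEPT IP protocol 50 (ESP) on the external interface.
   Allowing only the UDP/500 keying traffic lets the tunnel negotiate and
   then carries no data.

All input below is constructed.  The listing follows the column order of
"net ipfilter list" (ipchains -L -v -n): pkts bytes target prot opt tosa tosx
ifname ...; the remote gateway 203.0.113.1 is a documentation address.
"""

BAD_IPSEC_CONF = """\
config setup
    interfaces=%defaultroute

conn office
    left=%defaultroute
    leftsubnet=192.168.1.0/24
    right=203.0.113.1
    rightsubnet=192.168.2.0/24
    auto=add
    auto=start
"""

# Keying allowed on eth0, nothing for protocol 50: tunnels come up, no traffic.
LISTING_NO_ESP = """\
Chain input (policy DENY: 0 packets, 0 bytes):
 pkts bytes target     prot opt     tosa tosx  ifname   mark   outsize  source      destination  ports
  812   61K ACCEPT     udp  ------  0xFF 0x00  eth0                     0.0.0.0/0   0.0.0.0/0    500 -> 500
"""

# What EXTERN_PROTO0=50 0/0 adds: an ACCEPT for protocol 50 with live counters.
LISTING_WITH_ESP = LISTING_NO_ESP + (
    " 1843  356K ACCEPT     50   ------  0xFF 0x00  eth0                     "
    "0.0.0.0/0   0.0.0.0/0    n/a\n"
)


def duplicate_params(conf: str) -> list:
    """Return (section, parameter) pairs for parameters repeated within one section."""
    dups, seen, section = [], {}, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # strip comments
        if not line.strip():
            continue
        if not line[0].isspace():                    # unindented: 'conn office', 'config setup'
            section, seen = line.strip(), {}
            continue
        key = line.strip().split("=", 1)[0].strip()
        seen[key] = seen.get(key, 0) + 1
        if seen[key] == 2:                           # report each duplicate once
            dups.append((section, key))
    return dups


def esp_rules(listing: str, ifname: str = "eth0") -> list:
    """ACCEPT rules for protocol 50 on ifname, as (packets, bytes) counter strings."""
    hits = []
    for line in listing.splitlines():
        f = line.split()
        if len(f) < 8 or f[2] != "ACCEPT":
            continue
        proto, dev = f[3], f[7]
        if proto in ("50", "esp") and dev in (ifname, "*"):
            hits.append((f[0], f[1]))
    return hits


def diagnose(conf: str, listing: str, ifname: str = "eth0") -> list:
    """Findings a LEAF admin in this thread would want to see first."""
    findings = [f"{sec}: parameter '{key}' given more than once"
                for sec, key in duplicate_params(conf)]
    rules = esp_rules(listing, ifname)
    if not rules:
        findings.append(f"no ACCEPT for protocol 50 (ESP) on {ifname}; "
                        "add EXTERN_PROTO0=50 0/0 (or the peer's address) to network.conf")
    elif all(p == "0" for p, _ in rules):
        findings.append(f"protocol 50 rule on {ifname} has zero packets: no ESP seen yet")
    return findings


if __name__ == "__main__":
    for line in diagnose(BAD_IPSEC_CONF, LISTING_NO_ESP):
        print("!", line)
    print("with ESP rule:", diagnose("conn ok\n    auto=start\n", LISTING_WITH_ESP))
```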



Re: [Leaf-user] martians on internal network ??? [LONG!]

2002-03-08 Thread Michael D. Schleif


Jeff Newmiller wrote:
 
 On Fri, 8 Mar 2002, Michael D. Schleif wrote:
 
  We are seeing martians on internal networks on a regular basis.
 
  Usually, it is traceable to users logging into AOL over our high speed
  internet connections:
 
172.128.0.0 - 172.191.255.255
 
  Today, we saw one from United Airlines:
 
205.174.16.0 - 205.174.23.255
 
  [1] How does this happen?
 
 I often wonder how it happens that people who should know better fail to
 provide specific error and log messages and explain what they know about
 the particulars of the ip addresses, routes, machines and connections
 involved.  It is hard to trust reports as sanitized as this.

Jeff, I respect your intelligence and firewall skills; however, if you
read exactly what I posted, then you will know exactly what there is to
know.

 On the surface, the idea that packets should be generated within your LAN
 with source addresses outside your network would suggest something is
 seriously broken (accidentally or purposefully) with the workstation
 generating the packets.

That is one idea, isn't it?

  [2] Why does this happen?
 
 Speculation: if your AOL users are actually dialling into AOL while being
 on the network, they may be temporarily acquiring an IP from AOL, and
 Windows could possibly screw up and ship packets out the wrong interface.
 However, something would have to be pretty weird with the AOL software if
 it decided it had an AOL IP even if no dialup had occurred.  There could
 possibly be overlap when a dialup connection was lost as well.

Please, please, please, read my post and respond accordingly:

`` ... users logging into AOL over our high speed internet connections
... ''

They are *NOT* _dialing_ into AOL !!!

Or, even if they were, the questions remain the same -- what's the
difference?

  [3] Is this exploitable?
 
 Insufficient data.

How much data will suffice?

A smattering of log entries:


[Leaf-user] MSN MESSENGER FT

2002-03-08 Thread Jim Van Eeckhoutte

I know this is a non-LEAF question but you guys might be my only hope.
I'm using MikroTik RouterOS which is using input, forward, and output
chains with src-nat and dest-nat. I have it set up using masq and nat
for internal services. Here's my question: I have tried everything to
get file transfer (msmessenger) to work; I can receive files but can't
send them. Can you guys shed some light on how this process could work?
MikroTik response is somewhat limited.

