RE: [Leaf-user] Bering and Port Forwarding
Thanks Tom - my replies are below. If you (or anyone else) can suggest anything else I might try, that would be great :)

-----Original Message-----
From: [EMAIL PROTECTED]

> On Mon, 8 Apr 2002, [EMAIL PROTECTED] wrote:
>
>> /etc/Shorewall/params contains mostly the default options, except:
>>
>>   Loc_tcp_ports1=80,3389   (=www and Win2k Terminal Services)
>>   server1=192.168.1.2      (=my webserver's internal address)
>>
>> When Shorewall starts, the Rule outputs are:
>>
>>   Accept fw net tcp 53
>>   Accept fw net udp 53
>>   Accept net fw tcp 22
>>   Reject net fw tcp 113
>>   Accept loc fw tcp 22,80
>>   Accept loc fw udp 53
>>   Accept net loc:192.168.1.2 tcp 80,3389 - all
>>   Accept fw loc icmp 8
>>   Accept loc fw icmp 8
>>
>> I can access the Weblet (and ssh if I put sshd on) internally, as I'd expect. If I do a port scan from grc.com, AUTH shows up as closed rather than stealthed, which I'd also expect. However, HTTP shows up as stealthed, which I don't understand.
>
> Your Shorewall setup looks correct --
>
> a) When you attempt the port scan, does Shorewall report anything about TCP port 80 in /var/log/messages?

Yep. GRC's port scan probes the following ports: 21,23,25,79,80,110,113,135,139,143,443,445,5000. The first time I tried a portscan, there were messages in /var/log/messages for destination ports 5000,445,443,143,139 (in that order). Each message is reporting a dropped packet from the Net2all rule. A subsequent portscan only resulted in a message for the port 5000 attempt - still dropped from the Net2all rule.

> b) After the port scan, if you do "shorewall show nat", does the packet count for the port 80 DNAT rule show a non-zero packet count? How about the port 80 rule in "shorewall show net2loc"?

"shorewall show nat" shows a packet count of 20 for the port 80 DNAT rule. "shorewall show net2loc" shows a packet count of 109 for "state NEW tcp dpt:80".

> If neither of these packet counts is non-zero, your ISP is most likely dropping SYN TCP packets with destination port 80.

I know this isn't the case because I've had a webserver running here up until last week.

Cheers
Richard

___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
RE: [Leaf-user] Bering and Port Forwarding - RESOLVED!
I've just figured out what I was doing wrong. I feel about 3 inches high right about now.

Due to trying several different LEAF/LRP images, I had set my webserver's default gateway to 192.168.1.1, whereas the firewall's internal address is 192.168.1.254. The upshot of which is that the webserver won't reply to any requests from the internet, because its default gateway doesn't exist. A portscan won't pick the port up as open, because there's never going to be so much as an ACK in response. D'oh!

Much thanks to those who have helped to troubleshoot :)

Cheers
Richard

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Richard Busby
Sent: Tuesday, 9 April 2002 7:15 p.m.
To: Tom Eastep
Cc: [EMAIL PROTECTED]
Subject: RE: [Leaf-user] Bering and Port Forwarding
Re: [Leaf-user] two-diskettes system
On 4/3/02 at 3:17 PM, Matt Schalit [EMAIL PROTECTED] wrote:

> David Douthitt wrote:
>
>> Packages will be backed up to whatever disk is in the drive - make sure you put the appropriate disk in the boot drive before backing up.
>
> I have a small request that the backup scripts write to the drive from which the package was loaded. Would that be a major rewrite?

Not a major rewrite, but a major project nonetheless. You have to add the following capabilities to the system:

* Tracking where files came from - including storing data, additions, deletions, and everything else - a new database really. MySQL anyone?

* Unique identifiers for disks - including checking for the right one and error handling for the case when it isn't.

This would be a big project to get right, requires a database with full database accessibility, and identifiers for disks that are guaranteed to be right. What's more, what if you can't back the package up to the right disk but want to back up to a new disk - more functions.

Seems like a lot of extra work to me but that's just my personal opinion...

-- 
David Douthitt
UNIX Systems Administrator
HP-UX, Unixware, Linux
[EMAIL PROTECTED]
Re: [Leaf-user] multilink ppp async
On 4/7/02 at 8:48 PM, Andrew Mitchell [EMAIL PROTECTED] wrote:

> I have recently installed Bering LEAF (Kernel: Linux version 2.4.18 (bering5@debian)) and am quite pleased with the results. At the moment I have installed 2 V.90 modems and would like to configure for multilink. Is this possible to support? If so, any config assistance would be appreciated.

As it happens, I've just begun work on setting up ppp. If memory serves, you need Linux 2.4 and ppp 2.4.1 to make multilink work. I've been working with ppp 2.4.1; if you want a copy let me know.

-- 
David Douthitt
UNIX Systems Administrator
HP-UX, Unixware, Linux
[EMAIL PROTECTED]
Re: [Leaf-user] two-diskettes system
>>> Packages will be backed up to whatever disk is in the drive - make sure you put the appropriate disk in the boot drive before backing up.
>>
>> I have a small request that the backup scripts write to the drive from which the package was loaded. Would that be a major rewrite?
>
> Not a major rewrite, but a major project nonetheless. You have to add the following capabilities to the system:
>
> * Tracking where files came from - including storing data, additions, deletions, and everything else - a new database really. MySQL anyone?

How about a flat text file per-package?

> * Unique identifiers for disks - including checking for the right one and error handling for the case when it isn't.
>
> This would be a big project to get right, requires a database with full database accessibility, and identifiers for disks that are guaranteed to be right. What's more, what if you can't back the package up to the right disk but want to back up to a new disk - more functions.

I've got this functionality in my backup scripts for Dachstein already (and it was a fairly major re-write). The system remembers where the package was loaded from, and defaults to backing up to the same location. You can also manually change the backup destination, if desired. The default backup destination menu is populated with the devices from PKGPATH= and BOOT= (which are assumed to be places you'd like to store packages :-), but you can type in alternate device names manually...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
RE: [Leaf-user] Bering and Port Forwarding - RESOLVED!
On Tue, 9 Apr 2002, Richard Busby wrote:

> I've just figured out what I was doing wrong. I feel about 3 inches high right about now. Due to trying several different LEAF/LRP images, I had set my webserver's default gateway to 192.168.1.1, whereas the firewall's internal address is 192.168.1.254.

It's amazing how often that configuration snafu occurs -- always a good idea to confirm that your server can reach the internet before attempting port forwarding.

Thanks for the update,
-Tom

-- 
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep    \ http://www.shorewall.net
ICQ: #60745924    \ [EMAIL PROTECTED]
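The troubleshooting order Tom lays out (is the SYN logged as dropped? did the DNAT rule count packets? did the net2loc ACCEPT count packets?) plus the cause Richard actually found (the DNAT target's default gateway pointing at an address that does not exist) can be written down as one small triage routine. The following is an added example, not code from the LEAF list or from Shorewall. The three text inputs are constructed to mimic "shorewall show nat", "shorewall show net2loc" (both iptables -L -v -n style) and "route -n" on the web server, and their exact column layout is an assumption; the packet counts (20 and 109) and addresses are the ones from the thread.

```python
"""Added example (not from the LEAF thread or Shorewall): triage a port
forward that a remote scan reports as "stealth".

Checklist, in the order Tom gave it, plus Richard's root cause:
  a) firewall logs the inbound SYN as dropped      -> rule/policy problem
  b) DNAT rule and net2loc ACCEPT both count zero  -> SYN never arrived
  c) DNAT counted but ACCEPT did not               -> forward blocked
  d) server's default gateway != firewall loc IP   -> replies go nowhere
All inputs below are constructed text; the column layout is assumed.
"""
import re
from typing import Optional

FIREWALL_LOC_IP = "192.168.1.254"   # firewall's internal address (from the thread)

# Constructed: what `shorewall show nat` might print.
NAT_OUTPUT = """\
Chain net_dnat (1 references)
 pkts bytes target  prot opt in  out  source     destination
   20  1040 DNAT    tcp  --  *   *    0.0.0.0/0  0.0.0.0/0    tcp dpt:80 to:192.168.1.2:80
    0     0 DNAT    tcp  --  *   *    0.0.0.0/0  0.0.0.0/0    tcp dpt:3389 to:192.168.1.2:3389
"""

# Constructed: what `shorewall show net2loc` might print.
NET2LOC_OUTPUT = """\
Chain net2loc (1 references)
 pkts bytes target  prot opt in  out  source     destination
  109  5668 ACCEPT  tcp  --  *   *    0.0.0.0/0  192.168.1.2  state NEW tcp dpt:80
    0     0 ACCEPT  tcp  --  *   *    0.0.0.0/0  192.168.1.2  state NEW tcp dpt:3389
"""

# Constructed: `route -n` on the web server, with Richard's stale gateway.
SERVER_ROUTE_BAD = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
"""
# Same table after the gateway is corrected to the firewall's address.
SERVER_ROUTE_GOOD = SERVER_ROUTE_BAD.replace("192.168.1.1 ", "192.168.1.254 ")

COUNTER_RE = re.compile(r"^\s*(\d+)\s+\d+\s+\S+")   # "pkts bytes target ..." rows


def rule_packet_count(chain_output: str, dport: int) -> int:
    """Packet counter of the first rule matching destination port `dport`.
    Raises if no such rule is listed, so a missing rule is never mistaken
    for a rule that simply saw no traffic."""
    for line in chain_output.splitlines():
        m = COUNTER_RE.match(line)
        if m and re.search(rf"\bdpt:{dport}\b", line):
            return int(m.group(1))
    raise ValueError(f"no rule for dpt:{dport}")


def default_gateway(route_output: str) -> Optional[str]:
    """Gateway of the 0.0.0.0/0 route in `route -n` output, or None."""
    for line in route_output.splitlines():
        cols = line.split()
        if len(cols) >= 4 and cols[0] == "0.0.0.0" and "G" in cols[3]:
            return cols[1]
    return None


def diagnose(dport: int, nat_output: str, net2loc_output: str,
             server_route: str, fw_loc_ip: str = FIREWALL_LOC_IP,
             syn_logged_as_dropped: bool = False) -> str:
    """Walk the checklist in order and name the first thing that is wrong.
    `syn_logged_as_dropped` is True when /var/log/messages shows the
    firewall dropping the inbound SYN for `dport` (Tom's check a)."""
    if syn_logged_as_dropped:
        return "firewall-drops-syn"
    nat = rule_packet_count(nat_output, dport)
    fwd = rule_packet_count(net2loc_output, dport)
    if nat == 0 and fwd == 0:
        return "no-syn-reached-firewall"      # Tom's "ISP drops port 80" case
    if fwd == 0:
        return "dnat-hit-but-forward-blocked"  # translated, never accepted net->loc
    gw = default_gateway(server_route)
    if gw != fw_loc_ip:
        return f"server-gateway-wrong ({gw} != {fw_loc_ip})"   # Richard's case
    return "firewall-path-ok-check-server"


if __name__ == "__main__":
    print(diagnose(80, NAT_OUTPUT, NET2LOC_OUTPUT, SERVER_ROUTE_BAD))
    print(diagnose(80, NAT_OUTPUT, NET2LOC_OUTPUT, SERVER_ROUTE_GOOD))
```

With Richard's numbers the firewall side passes every check and the routine lands on the gateway mismatch; only once the server's default route points at the firewall's internal address does it fall through to "check the server itself", which is the order Tom recommends working in.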
RE: [Leaf-user] dachstein serial kernel
No, there is a linux kernel available from Charles' website, below is the direct link. Save this as a file on your floppy (overwriting the 'linux' file) then you will also need to modify the syslinux.cfg file. There is a very extensive HOW-TO available on the website that talks about this. If you have any further questions, please ask...

http://lrp.steinkuehler.net/files/kernels/Dachstein-normal/linux-2.2.19-3-LEAF-normal.zImage.upx

Copy the above file to 'linux' on the floppy, and you should be good to go...

joey

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Goodrich
Sent: Monday, April 08, 2002 7:37 PM
To: [EMAIL PROTECTED]
Subject: [Leaf-user] dachstein serial kernel

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'm trying to get boot messages posted to the serial port with my dachstein 1.0.2 floppy fw, instead of just the screen. I assume, then, that I need a kernel with serial support compiled into it, instead of loading serial.o as a kernel module. Is it as simple as grabbing root.lrp from the dachstein CD image and putting it on my floppy?

tia
-david

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use http://www.pgp.com

iQA/AwUBPLI3vtemHuGGnm+XEQKTKgCgvpAj3aDKPkjkFkBWzjw0vG7B7OkAoNgX
CT+A0qOLzuZiSqHcznxEBGbj
=6lYa
-----END PGP SIGNATURE-----
[Leaf-user] IPSec
Does anyone know what version of IPsec is included on the Dachstein-CD? Also, is there a limit to the number of VPN connections it can concurrently support? Does it support PPTP clients?

Thanks.
Re: [Leaf-user] dachstein serial kernel
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

yup, that did it. thanks for the help!

-david

- ----- Original Message -----
From: Joey Officer [EMAIL PROTECTED]
To: David Goodrich [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Tuesday, April 09, 2002 11:30 AM
Subject: RE: [Leaf-user] dachstein serial kernel

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use http://www.pgp.com

iQA/AwUBPLMzldemHuGGnm+XEQIdAwCg+eVgQP1BsI78fkL7Qndggv2Ki2gAn0jw
PxMve4Wje8OMEpCymS79fCzR
=V/xU
-----END PGP SIGNATURE-----
Re: [Leaf-user] IPSec
> Does anyone know what version of IPsec is included on the Dachstein-CD?

Version 1.91

> Also, is there a limit to the number of VPN connections it can concurrently support?

The short answer is "Lots". See documentation on the FreeS/WAN site, but the CPU workload is primarily dependent on how much data you're passing rather than on how many VPN connections are active. Each VPN tunnel does need to be re-keyed periodically, but this typically only happens once every few hours (1-8 hours are typical re-key times), so there's not much per-client CPU load...

> Does it support PPTP clients?

No...just IPSec.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
[Leaf-user] Junk Busting???
I am now in need of blocking certain web content from my 8-year-old grandson. Since my only gateway to the internet is through the Dachstein box, I am wondering what (if anything) can be run on the box to block various web content.

So is there anything?? I'm kinda hoping NOT to add in another computer...

*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
John Mullan
http://mullan.dns2go.com/
Personal: mailto:[EMAIL PROTECTED]
Business: mailto:[EMAIL PROTECTED]
[Leaf-user] Active Internet connections (w/o servers) How to block these?
Help! Tonight, we lost our internet connection to the web completely. When checking out my logs on the DS cd v1.0.2 router/firewall, I found what seemed like hundreds of ESTABLISHED connections to my router from various IP numbers. Here is a very small sample of what weblet showed as Current Connections (viewmasq):

IP masquerading entries
prot expire     source         destination      ports
tcp  221:27.27  192.168.1.6    216.136.233.129  1033 -> 5050 (64102)
tcp  217:19.06  192.168.1.3    216.136.226.117  1027 -> 5050 (63591)

Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        State
tcp        0      0 192.168.1.254:80       192.168.1.2:34654      ESTABLISHED
tcp        0      0 192.168.1.254:80       192.168.1.2:34652      TIME_WAIT
tcp        0      0 192.168.1.254:80       192.168.1.2:34651      TIME_WAIT
tcp        0      0 192.168.1.254:80       192.168.1.2:34648      TIME_WAIT
tcp        0      0 192.168.1.254:80       192.168.1.2:34647      TIME_WAIT
udp        0    112 24.118.176.41:29434    192.203.230.10:53      ESTABLISHED
udp        0    112 24.118.176.41:57815    198.41.0.4:53          ESTABLISHED
udp        0    112 24.118.176.41:14956    198.32.64.12:53        ESTABLISHED
udp        0      0 24.118.176.41:29756    128.63.2.53:53         ESTABLISHED
udp        0      0 24.118.176.41:60355    192.112.36.4:53        ESTABLISHED
udp        0      0 24.118.176.41:41054    192.112.36.4:53        ESTABLISHED
udp        0      0 24.118.176.41:32748    128.63.2.53:53         ESTABLISHED
udp        0      0 24.118.176.41:30375    192.112.36.4:53        ESTABLISHED
udp        0      0 24.118.176.41:60529    198.41.0.10:53         ESTABLISHED
udp        0      0 24.118.176.41:48569    192.5.5.241:53         ESTABLISHED
udp        0      0 24.118.176.41:6072     192.5.5.241:53         ESTABLISHED
udp        0      0 24.118.176.41:53941    192.33.4.12:53         ESTABLISHED
udp        0      0 24.118.176.41:58580    192.36.148.17:53       ESTABLISHED
udp        0      0 24.118.176.41:42257    192.33.4.12:53         ESTABLISHED
udp        0      0 24.118.176.41:43835    192.5.5.241:53         ESTABLISHED
udp        0      0 24.118.176.41:39480    192.203.230.10:53      ESTABLISHED
udp        0      0 24.118.176.41:5089     193.0.14.129:53        ESTABLISHED
udp        0      0 24.118.176.41:11945    202.12.27.33:53        ESTABLISHED
udp        0      0 24.118.176.41:51961    198.41.0.10:53         ESTABLISHED
udp        0      0 24.118.176.41:60227    198.32.64.12:53        ESTABLISHED
udp        0      0 24.118.176.41:33408    128.8.10.90:53         ESTABLISHED

It appears that somehow this load balancing thing of using port 53 is trying to implement my router to use as one of their active connections. Now I have various entries in my /etc/network.conf under SILENT_DENY to block port 53 scans without logging, but none of these IP numbers are listed there.

Question 1, do I have to add these as well so they cannot CONNECT to my router? I don't believe that is the answer though.

Question 2, what can I do to prevent this from happening?

Question 3, is there any way to kill those connections without having to reboot the firewall/router? I tried "svi network stop" then "svi network reload" with no luck.

This has happened before, but never to the point of having so many "Active Internet connections (w/o servers)" to the point of killing our net access. Has anybody else had this happen to them?

Thanks for any help you have to offer. Keep up the good work Charles, am looking forward to seeing Dachstein cd v1.0.3(?) being released soon (hopefully!, I understand you are a very busy man though)

Steve
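Before adding anything to SILENT_DENY it is worth reading the listing mechanically. "Active Internet connections (w/o servers)" is netstat's list of sockets the router itself holds, not of traffic it forwards, and a UDP socket shows ESTABLISHED whenever it has been connect()ed to a peer, so that column says nothing about who started the exchange. What does say something is the port pair: on every udp row the local side is the router's external address with a high port and the far side is port 53 on a root nameserver (198.41.0.4 is a.root-servers.net, for instance), which is the shape of a query the router is sending, not receiving. The tcp rows are the opposite shape: local port 80, far side a LAN host with a high port. The following added example, not part of the post, parses a constructed subset of that listing and classifies each socket by direction; it assumes 24.118.176.41 is the router's external address and 192.168.1.254 its internal one, as the listing implies.

```python
"""Added example (not from the LEAF list post): classify a netstat-style
socket listing by who opened each socket, the router or the far end.

SAMPLE is a constructed subset of the listing quoted in the post.
ROUTER_EXTERNAL / ROUTER_INTERNAL are assumptions taken from that listing.
"""
import re
from collections import Counter

ROUTER_EXTERNAL = "24.118.176.41"
ROUTER_INTERNAL = "192.168.1.254"

# Constructed subset of "Active Internet connections (w/o servers)".
SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.254:80        192.168.1.2:34654       ESTABLISHED
tcp        0      0 192.168.1.254:80        192.168.1.2:34652       TIME_WAIT
udp        0    112 24.118.176.41:29434     192.203.230.10:53       ESTABLISHED
udp        0    112 24.118.176.41:57815     198.41.0.4:53           ESTABLISHED
udp        0      0 24.118.176.41:60355     192.112.36.4:53         ESTABLISHED
udp        0      0 24.118.176.41:48569     192.5.5.241:53          ESTABLISHED
"""

ROW_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+(?P<rxq>\d+)\s+(?P<txq>\d+)\s+"
    r"(?P<laddr>[\d.]+):(?P<lport>\d+)\s+(?P<faddr>[\d.]+):(?P<fport>\d+)\s*(?P<state>\S*)$"
)


def parse(text):
    """Turn netstat -n style rows into dicts; header and other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        for k in ("rxq", "txq", "lport", "fport"):
            d[k] = int(d[k])
        rows.append(d)
    return rows


def direction(row):
    """Who opened this socket?  The state column cannot tell you (Linux
    netstat prints ESTABLISHED for any connect()ed UDP socket), but the
    port pair can: a service port (<1024) on the local side and an
    ephemeral port on the far side is a session the router accepted;
    the reverse is a session the router initiated."""
    if row["lport"] < 1024 and row["fport"] >= 1024:
        return "inbound"
    if row["fport"] < 1024 and row["lport"] >= 1024:
        return "outbound"
    return "unknown"


def summarize(rows):
    """Count sockets by (direction, proto, service port, which router address)."""
    sides = {ROUTER_EXTERNAL: "external", ROUTER_INTERNAL: "internal"}
    c = Counter()
    for r in rows:
        d = direction(r)
        svc = r["lport"] if d == "inbound" else r["fport"]
        c[(d, r["proto"], svc, sides.get(r["laddr"], "other"))] += 1
    return c


def outbound_dns_peers(rows):
    """Nameservers the router itself is currently querying (sorted, unique)."""
    return sorted({r["faddr"] for r in rows
                   if r["proto"] == "udp" and r["fport"] == 53
                   and direction(r) == "outbound"})


if __name__ == "__main__":
    rows = parse(SAMPLE)
    for key, n in sorted(summarize(rows).items()):
        print(n, key)
    print("router is querying:", outbound_dns_peers(rows))
```

On the constructed rows the summary comes out as two inbound tcp/80 sessions on the internal address (LAN hosts talking to weblet) and four outbound udp/53 sockets on the external address; the latter are the router's own lookups, so a SILENT_DENY entry for those source addresses would only block the replies the router is waiting for.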
[Leaf-user] RE: How do I reject a specific IP
Hello all,

I have made a package out of my scripts, dnyports, nolog, hits, graphgen and bars.html + the support files, for my "deny an address and port without logging". I call it ip-graph.lrp. You get:

1. A dynamic graph of ports DENIED with a rule that is generated to deny and not log the specific ip address and port. (These come right out of your /var/log/messages log file; it picks on the DENY or REJECT addresses.) The graph is displayed inside the index.html page.

2. A web page with a 1 month history graph.

3. A web page dynamically generated with hyperlinks created for each ip address so you can do a 'who is' look up of the ip address if you wish.

If any of you have been to my site http://www.vette66.com and downloaded the parts to make it work, you may want to get the latest ip-graph.lrp package as I have fixed a few bugs and have now included all my scripts PLUS added in the weblet.lrp files needed for weblet to run. It seemed a bit redundant to capture some of the same bits in 2 lrp packages. You still need to have mawk.lrp and sort on your system for this to work. I do replace the index.html file so if you want to keep yours, back it up. The package file size is 16k. Make sure you grab the 'About' file, as I have install instructions there.

After some more re-boots and other testing I plan on submitting it to Leaf. (thanks Mike Noyes). Just for the record, I am running Eiger 2.2.16.

Thanks
Chuck
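The core of what Chuck describes, picking DENY/REJECT entries out of /var/log/messages and turning a repeat offender into a deny rule that does not log, is short enough to show end to end. The following is an added example and is not ip-graph or any of Chuck's scripts. It assumes the 2.2-kernel ipchains "Packet log:" line format (Eiger 2.2.16 and Dachstein are ipchains-based), the sample log lines are constructed rather than taken from a real log, and the generated rule is plain ipchains syntax rather than a SILENT_DENY entry for network.conf, whose exact field format is not shown on this page.

```python
"""Added example (not Chuck's ip-graph code): parse ipchains packet-log
lines, count hits per (source, protocol, destination port), and emit an
ipchains rule that denies repeat offenders without logging them.

SAMPLE_LOG is constructed.  Log layout assumed is the 2.2-kernel
ipchains format: "Packet log: <chain> <DENY|REJECT> <iface> PROTO=<n>
<src>:<sport> <dst>:<dport> L=.. S=.. I=.. F=.. T=.. [flags] (#rule)".
"""
import re
from collections import Counter

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>DENY|REJECT) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample of /var/log/messages; the dhclient line is noise to skip.
SAMPLE_LOG = """\
Apr  9 10:22:03 eiger kernel: Packet log: input DENY eth0 PROTO=6 10.1.2.3:4321 24.118.176.41:80 L=48 S=0x00 I=51478 F=0x4000 T=113 SYN (#12)
Apr  9 10:22:05 eiger kernel: Packet log: input DENY eth0 PROTO=6 10.1.2.3:4322 24.118.176.41:80 L=48 S=0x00 I=51479 F=0x4000 T=113 SYN (#12)
Apr  9 10:22:09 eiger kernel: Packet log: input DENY eth0 PROTO=6 10.1.2.3:4323 24.118.176.41:80 L=48 S=0x00 I=51480 F=0x4000 T=113 SYN (#12)
Apr  9 10:23:41 eiger kernel: Packet log: input REJECT eth0 PROTO=6 172.16.5.5:2049 24.118.176.41:113 L=44 S=0x00 I=8 F=0x0000 T=52 SYN (#9)
Apr  9 10:24:00 eiger kernel: Packet log: input DENY eth0 PROTO=17 10.9.9.9:1025 24.118.176.41:137 L=78 S=0x00 I=3 F=0x0000 T=120 (#12)
Apr  9 10:24:30 eiger kernel: Packet log: input DENY eth0 PROTO=1 10.7.7.7:8 24.118.176.41:0 L=84 S=0x00 I=2 F=0x0000 T=240 (#12)
Apr  9 10:24:31 eiger kernel: Packet log: input DENY eth0 PROTO=1 10.7.7.7:8 24.118.176.41:0 L=84 S=0x00 I=3 F=0x0000 T=240 (#12)
Apr  9 10:25:12 eiger dhclient: bound to 24.118.176.41 -- renewal in 1800 seconds.
"""


def parse_denies(text):
    """Return one dict per DENY/REJECT packet-log line; other lines are ignored."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["proto"] = PROTO_NAMES.get(int(d["proto"]), d["proto"])
        d["sport"] = int(d["sport"])
        d["dport"] = int(d["dport"])   # for icmp this is the code, not a port
        hits.append(d)
    return hits


def count_by_source_port(hits):
    """Hits keyed by (source address, protocol, destination port)."""
    return Counter((h["src"], h["proto"], h["dport"]) for h in hits)


def silent_deny_rule(src, proto, dport):
    """ipchains rule that drops src -> dport quietly: no -l flag, so nothing
    is logged, and inserted at position 1 so it runs before the logging
    DENY that produced the log line in the first place."""
    if proto not in ("tcp", "udp"):
        return None   # icmp lines carry type:code, not ports; no per-port rule
    return f"ipchains -I input 1 -p {proto} -s {src} -d 0.0.0.0/0 {dport} -j DENY"


def rules_for_repeat_offenders(hits, min_hits=2):
    """One silent-deny rule per (src, proto, dport) seen at least min_hits times."""
    rules = []
    for (src, proto, dport), n in count_by_source_port(hits).most_common():
        if n < min_hits:
            break   # most_common() is sorted by count, descending
        rule = silent_deny_rule(src, proto, dport)
        if rule:
            rules.append(rule)
    return rules


if __name__ == "__main__":
    for rule in rules_for_repeat_offenders(parse_denies(SAMPLE_LOG)):
        print(rule)
```

The threshold matters: a rule per single hit turns every stray probe into a firewall entry, while a threshold of two or three catches the sources that keep coming back, which are the ones worth silencing so the log stays readable.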
Re: [Leaf-user] Changes for new Dachstein release
Charles Steinkuehler [EMAIL PROTECTED] wrote:

> It looks like it's getting to be time for a new Dachstein release. There are a number of minor bugs to fix in the system scripts, and (more importantly) security updates to some of the packages on the CD (SNMP and libz). My current ToDo list consists of the following. Please post if you think something else should be added to this list, or are willing to try your hand at implementing some of the listed changes.
>
> -- TODO --
> - Support multiple mount points in space-check multicron script (currently, only the root partition is checked)
> - Fix ping check e-mail functionality
> - Fix package not found bug in /linuxrc (duplicates appear in package list if a package is not found)
> - Fix updatetime() in /etc/multicron-p
> - Fix mount.back dev = POSIXness bug
> - Add example lrpkg.cfg to CD Contents
> - Add example pkgpath.cfg to CD Contents
> - Alter weblet disk-checking script to ignore CD-ROM (always 100% full)

I am not following the weblet CD-ROM issue. I am running weblet 1.2.0 off of DCD 1.0.2. I've clicked all around on the weblet web pages and I do not see where the CD-ROM is reported at all.

> Package updates:
> libz
> snmp

There are newer versions of the ssh packages available, as well...
Re: [Leaf-user] Changes for new Dachstein release
Greg Morgan wrote:

> Charles Steinkuehler [EMAIL PROTECTED] wrote:
>
> [ snip ]
>
>> - Alter weblet disk-checking script to ignore CD-ROM (always 100% full)
>
> I am not following the weblet CD-ROM issue. I am running weblet 1.2.0 off of DCD 1.0.2. I've clicked all around on the weblet web pages and I do not see where the CD-ROM is reported at all.

First, mount the cd, then run the weblet and click on the RAM Disk icon . . .

-- 
Best Regards,
mds
mds resource
888.250.3987

Dare to fix things before they break . . .

Our capacity for understanding is inversely proportional to how much we think we know. The more I know, the more I know I don't know . . .