Re: [Leaf-user] tulip problems

2002-04-11 Thread Julian Church

Hi All

At 20:52 10/04/02 -0500, David Goodrich wrote:
you can change the irq addresses with 3c5x9cfg.exe ... 3com doesn't have it on their site any more...

Yes they do - it's on disk 1 of their Etherdisk package, downloadable here:

http://support.3com.com/infodeli/tools/nic/3c509/3c5096.1.htm

Cheers

Julian

-- 
[EMAIL PROTECTED]
www.ljchurch.co.uk


___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user



RE: [Leaf-user] Junk Busting???

2002-04-11 Thread Todd Pearsall

In my past use of Snort it was for intrusion detection.  It watches
all the incoming traffic for patterns that may be hack attempts.  I'm
not aware of it being useful for controlling where internal users go.
In fact I think it only logs suspicious activity and doesn't actually
stop traffic from coming in (like portsentry does for port scanning)

- Todd

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED]] On Behalf Of 
 John Mullan
 Sent: Wednesday, April 10, 2002 6:38 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [Leaf-user] Junk Busting???
 
 
 Thanks all for input received so far.
 
 I'm not so picky on the thin-ness of my LEAF router box.  I still have
 some space left on my 80meg flash disk.  At home it is becoming my
 catch-all router/firewall so adding a certain amount of extra abilities
 flies for me on this one.
 
 However, I have looked around the net and noticed that SNORT may be up
 to the task (although not necessarily its conventional use).
 
 Is there anyone that has put SNORT to use on LEAF as a nanny
 filter???
 
 John
 
 -Original Message-
 From: Todd Pearsall [mailto:[EMAIL PROTECTED]] 
 Sent: Wednesday, April 10, 2002 9:33 AM
 To: 'John Mullan'; [EMAIL PROTECTED]
 Subject: RE: [Leaf-user] Junk Busting???
 
 
 I use squid and squidguard on a separate machine.  Squidguard is nice
 because it updates nightly with a new bad list.  I'm pretty sure you
 can run squid on your Dachstein box, but you'll need a HD to store the
 cached pages and logs and probably more memory (32MB-64MB?).  With squid
 in place you can probably add squidguard.  There are also rules you can
 add so the web proxy is transparent, meaning the user's PC just uses the
 Dachstein box as the gateway and the rules pump anything destined for
 port 80 thru squid.
 
 I put this in the category of can be done if you're pretty familiar with
 Dachstein, Linux and firewalls, but I doubt you'll find a drop-in
 package.
 
 If you can scrape up another PC then this should be a piece of cake
 since squid is a standard package in RedHat and all you'd need to do it
 is to add squidguard (pretty easy).  If you get it to work on Dachstein
 please write it up.  I would like to have squid and squidguard running
 on the firewall, but I love having no HD in the firewall, so I'm
 sticking with my current solution.
 
 I run e-smith as a server and Dachstein as firewall.  If you used
 e-smith as both you just add squidguard and be done.  Personally I like
 the firewall as skinny as possible and separate from the server.
 
 Enough rambling, good luck.
 
 - Todd
 
  -Original Message-
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED]] On Behalf Of 
  John Mullan
  Sent: Tuesday, April 09, 2002 10:11 PM
  To: [EMAIL PROTECTED]
  Subject: [Leaf-user] Junk Busting???
  
  
  I am now in need of blocking certain web content from my 8-year-old
  grandson.
  
  Since my only gateway to the internet is through the Dachstein box, I am
  wondering what (if anything) can be run on the box to block various web
  content.
  
  So is there anything??  I'm kinda hoping NOT to add in another
  computer...
  
  *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
  John Mullan   http://mullan.dns2go.com/
  
  Personal: mailto:[EMAIL PROTECTED]
  Business: mailto:[EMAIL PROTECTED]
   
  
  
  
 
 
 
 





Re: [Leaf-user] tulip problems

2002-04-11 Thread Charles Steinkuehler

 BTW, does anyone know how to determine which RJ45 is which interface on the
 D_LINK DFE-570TX with the tulip driver?

IIRC, the top connector (the one farthest from the PCI connector) is the
first interface to get recognized (ie eth0 if this is the only card in the
system), and the connector closest to the PCI connector is the last
interface (ie eth3).

Regarding your ISA problems:  Make sure you have the cards set for unique
I/O and IRQ values.  You'll probably also have to pass the values to the
driver for it to recognize all the cards.  One word of warning...not all
network drivers will support an arbitrary number of cards.  It's possible
(but unlikely with the 3com cards) the driver will not recognize more than
two NIC's.  If this is the case, there are a couple work-arounds you can
try, including using a different driver (I think there are at least 2 linux
drivers for most 3com stuff), and loading the same driver again with a
different name (ie copy your driver.o file to driver2.o, and make another
entry in /etc/modules for it).

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)





[Leaf-user] Ipsec problems

2002-04-11 Thread Phillip . Watts



Charles,  it appears you are FreeSWAN very aware.  I'll appeal
to you first but if you don't want to handle I'll turn to freeswan
because technically I'm working on non LEAF right now.
And it looks like I'm going to have quite a few questions.

IPSec(1.5)  works like a charm on Eiger but I wanted to do thorough
QA on 2.4  with iptables before going to LEAF 2.4 ( Bering ?)

Netfilter is very different from the 2.2 stack.

Anyway I loaded freeswan 1.94 and 1.96 on RH7.2(linux 2.7) and
am seeing strange things:

1:  One scenario is getting a connection to my office from dialup
at home (which was tough) but then don't have a tunnel, can't telnet
to machines behind the router.
But What I observe that is really weird is on the corp. gateway the packets
are hitting the input chain instead of the forward chain.
It seems that would have been proper on 2.2 but not 2.4.
Packets destined thru the box are not supposed to traverse the input chain.
Perhaps that is different with ipsec ???

2.  The other scenario is a Lan Lab.  One Eiger with ipsec 1.5, one Red Hat
with ipsec 1.94  on a dedicated lan.
These 2 units create a tunnel for 2  other machines to talk to each other.
They talk all right but not thru ipsec, they are routing around the tunnel.
The eiger machine builds its routing table correctly.
The RH 2.4  with ipsec 1.94 does not correctly add an ipsec route when the
connection comes up. ???
I am studying the _updown script to understand this but I was wondering if you
have seen this phenom ?

thanx.






Re: [Leaf-user] serial console access

2002-04-11 Thread Chad Carr

On Thu, 4 Apr 2002 15:18:59 -0500
Eric B Kiser [EMAIL PROTECTED] wrote:

 _SUCCESS_
 
 The results as copied from my hyperterm window..
 
   LEAF configuration menu
 
 
 1 ) Network configuration
 
 2 ) System configuration
 
 3 ) Packages configuration
 
 b) Back-up a package
 
 c) Back-up your LEAF disk
 
 h) Help
   q) quit
   -
   ---
 Selection:
 

The contents of this thread make a delightful howto, but I am wondering
when you say success what you really mean.  I can copy the same results as
you from my minicom window (i.e the boot happens and I can log in) but
there is one large thing missing: boot messages.  I see none.  Are you
seeing them?  Can you tell me how I can see them?  Aren't boot messages
important?  They probably aren't for a production box, I guess, but for
developers on headless boxes?  Maybe.  Is the boot information available
any other way in LEAF?

Of course it is successful not to have to use a custom compiled kernel on
your leaf box, because it makes it easier to stay up with the latest
version.  That is what i am going for.  But I think I need my boot
messages.  Please tell me if I am wrong or if there is something I can do
to not have to live without them.

Thanks in advance,
Chad Carr




RE: [Leaf-user] serial console access

2002-04-11 Thread Joey Officer

Chad, what you are referring to is the linux kernel having serial support
built in.  The 'normal' linux kernel should have this; that and a modification
to the syslinux.cfg file on the floppy should be the only modifications you
should have to make. There is a fairly extensive HOW-TO that has this
information within it.  I do not know if the HOW-TO has been updated to
include the part about the linux kernel.

Happy hunting...

Joey


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Chad Carr
Sent: Thursday, April 11, 2002 10:07 AM
To: Eric B Kiser
Cc: [EMAIL PROTECTED]
Subject: Re: [Leaf-user] serial console access

On Thu, 4 Apr 2002 15:18:59 -0500
Eric B Kiser [EMAIL PROTECTED] wrote:

 _SUCCESS_

 The results as copied from my hyperterm window..

   LEAF configuration menu


 1 ) Network configuration

 2 ) System configuration

 3 ) Packages configuration

 b) Back-up a package

 c) Back-up your LEAF disk

 h) Help
   q) quit
   -
   ---
 Selection:


The contents of this thread make a delightful howto, but I am wondering
when you say success what you really mean.  I can copy the same results as
you from my minicom window (i.e the boot happens and I can log in) but
there is one large thing missing: boot messages.  I see none.  Are you
seeing them?  Can you tell me how I can see them?  Aren't boot messages
important?  They probably aren't for a production box, I guess, but for
developers on headless boxes?  Maybe.  Is the boot information available
any other way in LEAF?

Of course it is successful not to have to use a custom compiled kernel on
your leaf box, because it makes it easier to stay up with the latest
version.  That is what i am going for.  But I think I need my boot
messages.  Please tell me if I am wrong or if there is something I can do
to not have to live without them.

Thanks in advance,
Chad Carr






[Leaf-user] Re: Ipsec problems

2002-04-11 Thread Charles Steinkuehler

 IPSec(1.5)  works like a charm on Eiger but I wanted to do thorough
 QA on 2.4  with iptables before going to LEAF 2.4 ( Bering ?)

 Netfilter is very different from the 2.2 stack.

 Anyway I loaded freeswan 1.94 and 1.96 on RH7.2(linux 2.7) and
 am seeing strange things:

 1:  One scenario is getting a connection to my office from dialup
   at home(which was tough) but then don't have a tunnel, can't telnet
 to machines behind the router.
 But What I observe that is really weird is on the corp. gateway the packets
 are hitting the input chain instead of the forward chain.
 It seems that would have been proper on 2.2 but not 2.4.
 Packets destined thru the box are not supposed to traverse the input chain.
 Perhaps that is different with ipsec ???

Umm...which packets?  Have you taken a look at the packet flow in the
FreeS/WAN Docs?  I'm not up on using FreeS/WAN with the 2.4 kernels, but the
IPSec traffic will look like it's to/from the local box (because it is) and
should hit the input/output chains AFAIK, while the actual VPN traffic
(pre/post encryption/decryption) will likely traverse the forward chain,
headed to/from the ipsec0 interface.

 2.  The other scenario is a Lan Lab.  One Eiger with ipsec 1.5, one Red Hat
 with ipsec 1.94  on a dedicated lan.
 These 2 units create a tunnel for 2  other machines to talk to each other.
 They talk all right but not thru ipsec, they are routing around the tunnel.
 The eiger machine builds its routing table correctly.
 The RH 2.4  with ipsec 1.94 does not correctly add an ipsec route when the
 connection comes up. ???
 I am studying the _updown script to understand this but I was wondering if
 you have seen this phenom ?

Hard to say what's wrong without more details.  I'd double-check your
configuration files, especially the [left|right]subnet specifiers.  Crawling
through the output of ipsec look and ipsec barf might also present a likely
suspect...

Charles Steinkuehler
[EMAIL PROTECTED]





[Leaf-user] Changes for new Dachstein release

2002-04-11 Thread Doug Hite

I'm not wanting this to get out of hand ... but ...
my wish list of programs to be included on the next DCD version include

ez-ipupd.lrp

The newest version I think is at 

http://leaf.sourceforge.net/devel/jnilo/packages/ez-ipupd.lrp

Docs at

http://leaf.sourceforge.net/devel/jnilo/ezipupd.html 






Re: [Leaf-user] serial console access

2002-04-11 Thread guitarlynn

On Thursday 11 April 2002 10:07, Chad Carr wrote:

 The contents of this thread make a delightful howto, but I am
 wondering when you say success what you really mean.  I can copy the
 same results as you from my minicom window (i.e the boot happens and
 I can log in) but there is one large thing missing: boot messages.  I
 see none.  Are you seeing them?  Can you tell me how I can see them? 
 Aren't boot messages important?  They probably aren't for a
 production box, I guess, but for developers on headless boxes? 
 Maybe.  Is the boot information available any other way in LEAF?

Boot messages are set in Syslinux, not the LEAF OS until the kernel
gives up control to INIT. The console keyword in /syslinux.cfg should
point to the serial port instead of tty if you're planning to run
headless. Charles' serial HowTo and the Serial Console FAQ aptly
cover this change as well. All LEAF kernels except DF small should
have serial support compiled in, so usually kernel support isn't an
issue in the least.

I have had problems attempting to get boot messages sent to two 
consoles, so I pick the one I will be using (the most). ie, if the
machine is headless I use /dev/ttyS0 instead of tty0 in syslinux.cfg.

I hope this helps,
-- 

~Lynn Avants
aka Guitarlynn

guitarlynn at users.sourceforge.net
http://leaf.sourceforge.net

If linux isn't the answer, you've probably got the wrong question!




Re: [Leaf-user] serial console access

2002-04-11 Thread Mike Noyes

On Thu, 2002-04-11 at 08:45, guitarlynn wrote:
 Boot messages are set in Syslinux, not the LEAF OS until the kernel
 gives up control to INIT. The console keyword in /syslinux.cfg should
 point to the serial port instead of tty if you're planning to run
 headless. Charles' serial HowTo and the Serial Console FAQ aptly
 cover this change as well. All LEAF kernels except DF small should
 have serial support compiled in, so usually kernel support isn't an
 issue in the least.

Lynn,
Bering doesn't have serial support compiled into the kernel.

-- 
Mike Noyes [EMAIL PROTECTED]
http://sourceforge.net/users/mhnoyes/
http://leaf-project.org/





Re: [Leaf-user] tulip problems

2002-04-11 Thread Brock Nanson

Interesting that you mention the 3c5x9cfg utility!  I was using this the
other night and found some strange behavior which may or may not be of
use to you.

If you change the transceiver type (? -this is from memory) or at least
enter the option for TP vs AUI, when you exit there will be another
option at the bottom of the list.  It showed as being a toggle for full
or half duplex.  As these cards have always been half duplex, I was
overjoyed(!) at this development and tried this option.  But, when I
changed this toggle the option switched from 'duplex' to 'plug and
play'!!  I have no idea whether it actually does anything useful, but
there you go.

Has anyone seen a method (or know if the card supports it) to allow full
duplex operation on the 509's?

Brock

 Message: 6
 From: David Goodrich [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Subject: Re: [Leaf-user] tulip problems
 Date: Wed, 10 Apr 2002 20:52:38 -0500
 
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 
  If these NICs are 3c509s on the ISA bus, they aren't PnP
 
 not true.  about half of mine are, half aren't.  apparently 
 you can change whether or not it's PnP, but i haven't been 
 able to find the utility.  you can change the irq addresses 
 with 3c5x9cfg.exe ... 3com doesn't have it on their site any 
 more but i've got a copy if anybody wants it.  i have two 
 3c509's running in my backup firewall with no problems.  -david





Re: [Leaf-user] tulip problems

2002-04-11 Thread Mike Noyes

On Thu, 2002-04-11 at 09:10, Brock Nanson wrote:
 If you change the transceiver type (? -this is from memory) or at least
 enter the option for TP vs AUI, when you exit there will be another
 option at the bottom of the list.  It showed as being a toggle for full
 or half duplex.  As these cards have always been half duplex, I was
 overjoyed(!) at this development and tried this option.  But, when I
 changed this toggle the option switched from 'duplex' to 'plug and
 play'!!  I have no idea whether it actually does anything useful, but
 there you go.
 
 Has anyone seen a method (or know if the card supports it) to allow full
 duplex operation on the 509's?

Brock,
If my memory serves me correctly, 3Com sold two versions of the 509. One
of them was capable of full-duplex. At the time it cost almost double
the half-duplex version. I don't think there are many of the full-duplex
NICs out there.

-- 
Mike Noyes [EMAIL PROTECTED]
http://sourceforge.net/users/mhnoyes/
http://leaf-project.org/





[Leaf-user] [ leaf-Support Requests-542543 ] kernel compression?

2002-04-11 Thread noreply

Support Requests item #542543, was opened at 2002-04-11 08:39
You can respond by visiting:
http://sourceforge.net/tracker/?func=detail&atid=213751&aid=542543&group_id=13751

Category: Release/Branch: Bering
Group: None
Status: Open
Priority: 5
Submitted By: Nobody/Anonymous (nobody)
Assigned to: Mike Noyes (mhnoyes)
Summary: kernel compression?

Initial Comment:
i am working with the bering distro and building a 
custom kernel.  i started with the bering.config that 
is on the ftp server and added ntfs write (yes, i know 
but i have to prove it).  The compiled kernel that i 
got was 597k.  i doubt that the ntfs write is 
responsible for all of that difference in size 
(124k).  Did you do anything to compress the kernel 
that ships on the diskette image?

thanks,
dean

--





Re: [Leaf-user] Changes for new Dachstein release

2002-04-11 Thread KP Kirchdörfer

Am Donnerstag, 11. April 2002 07:46 schrieb Victor McAllister:
 My wish list of programs to be included on the next DCD version
 include xntp.lrp and psentry.lrp both from
 http://leaf.sourceforge.net/devel/ddouthitt/packages/

I've built a dachstein 1.0.2 based CD with glibc 2.1.3. Among other 
enhancements you'll find xntp on the CD.

I thought about portsentry as well, but found it's not a good idea to
block ports based on ip-addresses.

Currently in Germany the most affordable flatrate with DSL is bound
to dynamic ip-addresses (changing at least once a day). If someone today
portscans your net with a dynamic address, I might be blocked in the
future for no other reason than unfortunately getting this
ip-address. Given the long uptimes of leaf routers chances are good
that portsentry blocks more innocent users with dynamic addresses
than real portscanners. Now I could live a day without accessing your
net, but what bothered me is administration of a net using
portsentry. I hear all those yelling that services have been
inaccessible for the last day and you find everything is working ok
now.
Please correct me if I understood portsentry wrong; I'm willing to
add it as soon as possible if it's handling dynamic addresses
without problems.

kp  




Re: [Leaf-user] Changes for new Dachstein release

2002-04-11 Thread KP Kirchdörfer

Am Donnerstag, 11. April 2002 17:48 schrieb Doug Hite:
 I'm not wanting this to get out of hand ... but ...
 my wish list of programs to be included on the next DCD version
 include

 ez-ipupd.lrp


I agree ez-ipupd.lrp is a must have on a CD.

Additionally and as alternative for those who don't need a public dns 
entry, ipmail.lrp should be on the CD. It sends the actual ip-address 
to one or more admins by mail.

kp 

 




Re: [Leaf-user] Changes for new Dachstein release

2002-04-11 Thread Charles Steinkuehler

 I thought about portsentry as well, but found it's not a good idea to
 block ports based on ip-addresses.

snip

 Please correct me, if I understood portsentry wrong; I'm willing to
 add it as soon as possible, if it's handling dynamic addresses
 without problems.

Port-sentry and similar automatic firewall rule generators can usually be
pretty easily converted into denial-of-service tools.  Simply spew a bunch
of packets with forged IP's at something like port-sentry, and a malicious
individual can easily prevent you from accessing key portions of the
internet.  Also, your excellent points about users with changing IP's apply
equally to virtually all dial-up users, who still make up the vast portion
of end-users on the 'net.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)





Re: [Leaf-user] Changes for new Dachstein release

2002-04-11 Thread Simon Bolduc

I'm not sure if this would be possible but:

Wouldn't it be possible to do a reverse lookup on all blocked IPs (via a 
script) when they are blocked, add it to a file, and then every few hours do 
another lookup to see if the FQDN associated with the IP has changed - (if 
it has then remove it from list)?  This does of course assume that the FQDN 
associated with a dynamic IP changes when the lease does.

S


From: KP Kirchdörfer [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: Victor McAllister [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Re: [Leaf-user] Changes for new Dachstein release
Date: Thu, 11 Apr 2002 19:12:54 +0200

Am Donnerstag, 11. April 2002 07:46 schrieb Victor McAllister:
  My wish list of programs to be included on the next DCD version
  include xntp.lrp and psentry.lrp both from
  http://leaf.sourceforge.net/devel/ddouthitt/packages/

I've built a dachstein 1.0.2 based CD with glibc 2.1.3. Among other
enhancements you'll find xntp on the CD.

I thought about portsentry as well, but found it's not a good idea to
block ports based on ip-addresses.

Currently in Germany the most affordable flatrate with DSL is bound
to dynamic ip-addresses (changing at least once a day). If someone today
portscans your net with a dynamic address, I might be blocked in the
future for no other reason than unfortunately getting this
ip-address. Given the long uptimes of leaf routers chances are good
that portsentry blocks more innocent users with dynamic addresses
than real portscanners. Now I could live a day without accessing your
net, but what bothered me is administration of a net using
portsentry. I hear all those yelling that services have been
inaccessible for the last day and you find everything is working ok
now.
Please correct me if I understood portsentry wrong; I'm willing to
add it as soon as possible if it's handling dynamic addresses
without problems.

kp





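The two concerns raised above can both be handled inside the blocking logic itself: Charles' point that a probe with a forged source can trick an automatic blocker into cutting you off from hosts you depend on, and KP's and Simon's point that a dynamic address should not stay blocked once it has changed hands. The following is an added example written for this thread; it is not portsentry code and not a LEAF package. It keeps an allowlist of addresses that are never blocked (gateway, resolver), expires each block after a fixed time-to-live instead of Simon's reverse-lookup check, and caps the list size so a flood of forged sources cannot grow the rule set without bound. All addresses, networks, timestamps and TTL values are constructed assumptions.

```python
"""Reactive blocklist with allowlist, expiry and a size cap.

Added example for this thread; it is not portsentry code and not a LEAF
package. It models the "block whoever probes me" reaction and adds the
controls the discussion asks for. Every address, network and timestamp
below is a constructed sample value.
"""
import ipaddress
import time


class ReactiveBlocklist:
    def __init__(self, ttl_seconds=6 * 3600, max_entries=1000, allow=()):
        # ttl_seconds: how long a block lives; a dynamic address is released
        # to its next holder after this (six hours is an assumed default).
        self.ttl_seconds = ttl_seconds
        # max_entries: hard cap so a flood of forged sources cannot grow the
        # list (and the firewall's rule set) without bound.
        self.max_entries = max_entries
        # allow: networks that must never be blocked, typically the upstream
        # gateway, DNS resolvers and VPN peers, because a probe with a forged
        # source address could otherwise cut you off from them.
        self.allow = [ipaddress.ip_network(n, strict=False) for n in allow]
        self._blocked = {}  # ip string -> expiry time (epoch seconds)

    def _is_allowed(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.allow)

    def expire(self, now=None):
        """Drop blocks whose TTL has passed; returns how many were released."""
        now = time.time() if now is None else now
        stale = [ip for ip, exp in self._blocked.items() if exp <= now]
        for ip in stale:
            del self._blocked[ip]
        return len(stale)

    def probe_seen(self, src_ip, now=None):
        """React to a probe from src_ip. Returns True if a block was (re)armed,
        False if the source is allowlisted or the list is full."""
        now = time.time() if now is None else now
        self.expire(now)
        if self._is_allowed(src_ip):
            return False
        if src_ip not in self._blocked and len(self._blocked) >= self.max_entries:
            return False
        self._blocked[src_ip] = now + self.ttl_seconds  # a repeat probe extends the TTL
        return True

    def is_blocked(self, src_ip, now=None):
        now = time.time() if now is None else now
        exp = self._blocked.get(src_ip)
        return exp is not None and exp > now

    def active(self, now=None):
        """Sorted list of addresses currently blocked."""
        now = time.time() if now is None else now
        return sorted(ip for ip, exp in self._blocked.items() if exp > now)


def demo():
    """Walk through the three safeguards with constructed sample traffic."""
    bl = ReactiveBlocklist(ttl_seconds=3600, max_entries=2,
                           allow=["198.51.100.1", "198.51.100.53"])  # gateway, resolver (constructed)
    t0 = 1_018_500_000  # constructed epoch timestamp
    results = {}
    results["probe_blocked"] = bl.probe_seen("203.0.113.7", now=t0)            # True
    results["forged_gateway_ignored"] = bl.probe_seen("198.51.100.1", now=t0)  # False: allowlisted
    results["second_blocked"] = bl.probe_seen("203.0.113.8", now=t0)           # True
    results["third_rejected_by_cap"] = bl.probe_seen("203.0.113.9", now=t0)    # False: cap of 2 reached
    results["still_blocked_after_30min"] = bl.is_blocked("203.0.113.7", now=t0 + 1800)  # True
    results["released_after_ttl"] = bl.is_blocked("203.0.113.7", now=t0 + 3601)         # False
    results["active_after_ttl"] = bl.active(now=t0 + 3601)  # []
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The allowlist is the part that answers the forged-packet problem: whatever source address a probe claims, the blocker will never add the gateway or resolver to the deny list. The TTL and cap answer the dynamic-address problem and keep the list from growing into the administration burden KP describes.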



[Leaf-user] Re: Problems with Bering Beta 4 root.linuxrc

2002-04-11 Thread Jacques Nilo

Douglas Bush wrote:

 I'm using LEAF Bering in a way it probably wasn't intended, but its got
 just the right level of features for what we're doing.

 I'm using x86 Embedded PCs from http://www.compulab-systems.com.  I've
 modified the kernel to support the Compulab Nor and Nand flash.  The NOR
 flash behaves as a Floppy, and is formatted by MSDOS, and the NAND is
 formatted as ext2.

 I placed the kernel and root file system in MSDOS bootable NOR, and I
 placed the Bering LRP packages in NAND flash.

 Anyways, with the SYSLINUX.CFG below, root.linuxrc could not mount the
 NAND flash and load the LRP packages.  (Although I could do this
 manually using a working Bering boot disk.)

 SYSLINUX.CFG
 display syslinux.dpy
 timeout 0
 default linux initrd=initrd.lrp init=/linuxrc root=/dev/ram0
 boot=/dev/nor,msdos PKGPATH=/dev/nand,ext2
 LRP=root,etc,local,libm,modules,pcmcia,wireless,shorwall,bridge,log

 I finally (my shell, and sed aren't that good) modified the root.linuxrc
 (lines 171-172) by adding
 DEVICE=nand nor
 FSTYPE=ext2 msdos

 This worked, but it does make me wonder why your script didn't work.  I
 ran snippets of the script on a floppy booted system, and they generated
 output which looked correct.  I suspect that if the script fails once,
 it fails completely.

Doug:
I suspect it did not work because you did not load the ext2.o module.
Ext2 FS is not compiled in the kernel. Also if you want to read packages
stored on a ext2 FS you have to put the module in /boot/lib/modules. See
the doc.
So put ext2.o in /boot/lib/modules and edit /boot/etc/modules to declare
it through initrd config menu.
Save initrd and reboot.

Jacques





[Leaf-user] Floppy VPN (Dachstein based)

2002-04-11 Thread jmassey

Hello,

I have a Dachstein box that does NAT and port forwarding for my network. I 
would now like to implement a VPN. I replaced the kernel with an IPSEC 
enabled one, and loaded the needed modules. I have the box able to boot 
and still NATing and port forwarding but get error messages. I do not have 
the exact messages, but would like to know if what I would like to do is 
possible. If it is I will post the exact messages.
What I would like is for one LEAF box to:

NAT
Port Forward
Endpoint of a VPN tunnel

Please advise if this is possible.

Thank you very much!

Jason Massey




[Leaf-user] Dachstein Logs Changing Rules

2002-04-11 Thread Bob Osola

First, a *big thanks* to the developers of this wonderful software. I am
a Linux & LEAF newbie, so please respond accordingly :-)

I am running Dachstein-CD 1.0.2 on an old headless P133/32MB box as a
dedicated firewall/router for my home network. I use Putty & WinSCP over
SSH for internal remote admin. I am backing up changes to floppy as per
the install docs. It all appears to be running fine, but I have 2
questions:

1) Can someone please explain how the logs work, or point me to doc
source? My Weblet log shows messages 0-3; why 0-3? Can these be backed
up? The log was showing 2,300+ denied/rejected entries over 5 days
uptime, but it has suddenly reset itself to today's entries only (50+).
Is this a RAMdisk issue or some config limit being reached, or what? I
just can't seem to get a handle on how the logs work at all, nor could I
find any docs?

2) Neither could I find any docs on how to open a port to (say) join a
peer-to-peer file sharing service and how to then back up any such
changes made. Is this a question of my reading a generic IP Chains
How-to or is there more to it? I am not about to punch holes in the
firewall until I get a clue about the whole issue, but would like to
know how to approach this?

Best regds,
Bob Osola







Re: [Leaf-user] Dachstein Logs Changing Rules

2002-04-11 Thread Mike Noyes

On Thu, 2002-04-11 at 14:08, Bob Osola wrote:
 1) Can someone please explain how the logs work, or point me to doc
 source?

Bob,
I hope this information helps.

FAQs sec09: Security & Firewall Questions Answered
* How Do I Interpret IPChains Log Entries?
http://sourceforge.net/docman/display_doc.php?docid=2459&group_id=13751

 My Weblet log shows messages 0-3; why 0-3? Can these be backed
 up? The log was showing 2,300+ denied/rejected entries over 5 days
 uptime, but it has suddenly reset itself to today's entries only (50+).
 Is this a RAMdisk issue or some config limit being reached, or what? I
 just can't seem to get a handle on how the logs work at all, nor could I
 find any docs?

FAQs sec09: Security & Firewall Questions Answered
* Why am I getting floods of SYN/ACK packets to my DNS server?
https://sourceforge.net/docman/display_doc.php?docid=4715&group_id=13751

 2) Neither could I find any docs on how to open a port to (say) join a
 peer-to-peer file sharing service and how to then back up any such
 changes made. Is this a question of my reading a generic IP Chains
 How-to or is there more to it? I am not about to punch holes in the
 firewall until I get a clue about the whole issue, but would like to
 know how to approach this?

FAQs sec07: Solutions to Routing Problems
* Port-Forwarding with Dachstein
http://sourceforge.net/docman/display_doc.php?docid=10418&group_id=13751

FAQs sec09: Security & Firewall Questions Answered
* Port Forwarding
http://sourceforge.net/docman/display_doc.php?docid=1443&group_id=13751

-- 
Mike Noyes [EMAIL PROTECTED]
http://sourceforge.net/users/mhnoyes/
http://leaf-project.org/


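To make the linked "How Do I Interpret IPChains Log Entries?" FAQ concrete: an ipchains `Packet log:` line carries the chain, the target (DENY, REJECT, ACCEPT), the interface, `PROTO=` number, source and destination as address:port, then L= packet length, S= TOS, I= IP id, F= fragment flags/offset, T= TTL, an optional `SYN` marker, and `(#n)` for the rule that fired; for ICMP the two port positions hold the ICMP type and code. The script below is an added example, not part of the LEAF documentation, Weblet or ipchains; it parses constructed sample lines in that format and builds the counts one would look at first when triaging a denied-packet log. The addresses, timestamps and rule numbers are made up.

```python
"""Parse and summarise ipchains "Packet log:" entries.

Added example for this thread; not part of the LEAF docs, Weblet or
ipchains. The line layout follows the ipchains kernel log format: chain,
target, interface, PROTO=<number>, src:port dst:port, L=length, S=TOS,
I=IP id, F=fragment flags/offset, T=TTL, an optional SYN marker and (#n)
for the rule that matched. For ICMP the two port positions carry type and
code. The sample lines, addresses and rule numbers below are constructed.
"""
import re
from collections import Counter

PACKET_LOG = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) (?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9a-fA-F]+) I=(?P<ipid>\d+) F=(?P<frag>0x[0-9a-fA-F]+) "
    r"T=(?P<ttl>\d+)(?P<syn> SYN)? \(#(?P<rule>\d+)\)"
)

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 50: "esp", 51: "ah"}

# Constructed sample log, syslog-prefixed as it would appear in /var/log/messages.
SAMPLE_LOG = """\
Apr 11 09:12:01 firewall kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:3127 198.51.100.2:80 L=60 S=0x00 I=21345 F=0x4000 T=49 SYN (#23)
Apr 11 09:12:03 firewall kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:3128 198.51.100.2:8080 L=60 S=0x00 I=21346 F=0x4000 T=49 SYN (#23)
Apr 11 09:15:40 firewall kernel: Packet log: input DENY eth0 PROTO=17 203.0.113.99:1027 198.51.100.2:137 L=78 S=0x00 I=5 F=0x0000 T=115 (#23)
Apr 11 09:20:12 firewall kernel: Packet log: input REJECT eth0 PROTO=1 203.0.113.50:8 198.51.100.2:0 L=84 S=0x00 I=0 F=0x0000 T=240 (#19)
Apr 11 09:21:00 firewall kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:3129 198.51.100.2:443 L=60 S=0x00 I=21347 F=0x4000 T=49 SYN (#23)
Apr 11 09:22:00 firewall kernel: eth0: link up, 100Mbps, full-duplex
""".splitlines()


def parse_line(line):
    """Return a dict for an ipchains log line, or None for any other line."""
    m = PACKET_LOG.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ipid", "ttl", "rule"):
        rec[key] = int(rec[key])
    rec["syn"] = rec["syn"] is not None
    proto = PROTO_NAMES.get(rec["proto"], f"proto{rec['proto']}")
    if proto == "icmp":
        # ipchains prints ICMP type and code where TCP/UDP ports would be
        rec["service"] = f"icmp type {rec['sport']} code {rec['dport']}"
    else:
        rec["service"] = f"{proto}/{rec['dport']}"
    return rec


def summarize(lines):
    """Aggregate a log into the counts a firewall admin looks at first."""
    recs = [r for r in map(parse_line, lines) if r is not None]
    return {
        "parsed": len(recs),
        "by_target": Counter(r["target"] for r in recs),
        "by_rule": Counter(r["rule"] for r in recs),
        "by_service": Counter(r["service"] for r in recs),
        "top_sources": Counter(r["src"] for r in recs).most_common(3),
        "syn_probes": sum(1 for r in recs if r["syn"]),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['parsed']} firewall log entries")
    for key in ("by_target", "by_rule", "by_service"):
        print(key, dict(s[key]))
    print("top sources", s["top_sources"])
    print("SYN probes", s["syn_probes"])
```

Run against a real `/var/log/messages` the same summarise() call over `open(path)` gives the per-rule and per-source counts; grouping by the `(#n)` rule number is the quickest way to tell which firewall rule is producing the bulk of the entries.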



[Leaf-user] RE: Problems with Bering Beta 4 root.linuxrc

2002-04-11 Thread Douglas Bush

Thanks for you help.

I tried both suggestions, and neither seems to be correct.

Also, I compiled all the file systems/drivers into the kernel I'm using.

-Original Message-
From: uml [mailto:uml] On Behalf Of Jacques Nilo
Sent: Thursday, April 11, 2002 2:49 PM
To: Douglas Bush
Cc: [EMAIL PROTECTED]
Subject: Re: Problems with Bering Beta 4 root.linuxrc

Douglas Bush wrote:

 I'm using LEAF Bering in a way it probably wasn't intended, but its got
 just the right level of features for what we're doing.

 I'm using x86 Embedded PCs from http://www.compulab-systems.com.  I've
 modified the kernel to support the Compulab Nor and Nand flash.  The NOR
 flash behaves as a Floppy, and is formatted by MSDOS, and the NAND is
 formatted as ext2.

 I placed the kernel and root file system in MSDOS bootable NOR, and I
 placed the Bering LRP packages in NAND flash.

 Anyways, with the SYSLINUX.CFG below, root.linuxrc could not mount the
 NAND flash and load the LRP packages.  (Although I could do this
 manually using a working Bering boot disk.)

 SYSLINUX.CFG
 display syslinux.dpy
 timeout 0
 default linux initrd=initrd.lrp init=/linuxrc root=/dev/ram0
 boot=/dev/nor,msdos PKGPATH=/dev/nand,ext2
 LRP=root,etc,local,libm,modules,pcmcia,wireless,shorwall,bridge,log

 I finally (my shell, and sed aren't that good) modified the
root.linuxrc
 (lines 171-172) by adding
 DEVICE=nand nor
 FSTYPE=ext2 msdos

 This worked, but it does make me wonder why your script didn't work.
I
 ran snippits of the script on a floppy booted system, and they
generated
 output which looked correct.  I suspect that if the script fails once,
 it fails completely.

Doug:
I suspect it did not work because you did not load the ext2.o module.
Ext2 FS is not compiled in the kernel. Also, if you want to read packages
stored on an ext2 FS you have to put the module in /boot/lib/modules. See
the doc.
So put ext2.o in /boot/lib/modules and edit /boot/etc/modules to declare
it through the initrd config menu.
Save initrd and reboot.

Jacques





Re: [Leaf-user] Floppy VPN (Dachstein based)

2002-04-11 Thread Charles Steinkuehler

 I have a Dachstein box that does NAT and port forwarding for my network. I
 would now like to implement a VPN. I replaced the kernel with an IPSEC
 enabled one, and loaded the needed modules. I have the box able to boot
 and still NATing and port forwarding but get error messages. I do not have
 the exact messages, but would like to know if what I would like to do is
 possible. If it is I will post the exact messages.
 What I would like is for one LEAF box to:

 NAT
 Port Forward
 Endpoint of a VPN tunnel

 Please advise if this is possible.

Yes, you can do what you want.  The only restraint on VPNs and
port-forwarding is the firewall cannot masquerade an internal VPN client (ie
running a VPN client on an internal system...sometimes called VPN
port-forwarding) at the same time the firewall is serving as a VPN gateway
(ie running VPN software on the firewall itself).

There are many folks running the standard NAT/masquerading firewall rules,
and port forwarding services (like web, dns, e-mail, &c), and using the
firewall as an IPSec VPN gateway.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)





Re: [Leaf-user] Dachstein Logs Changing Rules

2002-04-11 Thread Charles Steinkuehler

 1) Can someone please explain how the logs work, or point me to doc
 source? My Weblet log shows messages 0-3; why 0-3? Can these be backed
 up? The log was showing 2,300+ denied/rejected entries over 5 days
 uptime, but it has suddenly reset itself to today's entries only (50+).
 Is this a RAMdisk issue or some config limit being reached, or what? I
 just can't seem to get a handle on how the logs work at all, nor could I
 find any docs?

The log files are automatically rotated by a cron job.  The program that
does this is /etc/cron.daily.multicron-d (called via /etc/crontab
run-parts /etc/cron.daily).  The list of logs to rotate is in /etc/lrp.conf.
Most log files are rotated daily, and 4 old logs are kept (ie log.0 through
log.3)...after this, the old logs are deleted to keep the ramdisk from
filling without bound.

The FAQs Mike pointed to are a good place to start with the firewall
issues...if you have specific questions, just ask.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)





[Leaf-user] Adding to syslinux.cfg on DCD

2002-04-11 Thread Kory Krofft

How do I edit syslinux.cfg on the DCD image? I have winimage and can
view the ISO image but I don't see syslinux.cfg. I want to add the
serial terminal redirect to it so I will see boot messages.

Also, am I correct in thinking that I can replace the .lrp files in the
image with my floppy backups and reburn to get a floppyless setup once 
I have it all configured?

Thank you all,

Kory Krofft





RE: [Leaf-user] Junk Busting???

2002-04-11 Thread John Mullan

Todd:

I realize that Snort is more for monitoring (NIDS in particular).
However the current documentation indicates that it can scan for content
and, if desired, drop the packets.

It also says it can do this in either direction.

So, if one were to think outside the box, instead of blocking outbound
requests (like a nanny filter), I could watch for undesirable content
coming in and drop it.  I could also replace the packet with content
issuing a warning.

While unconventional, it may meet my desired criteria of fitting into my
LEAF router and eliminate the need for an extra box.

Keep in mind, this is just from reading the user manual.  I have yet to
actually try this...

John

 -Original Message-
 From: Todd Pearsall [mailto:[EMAIL PROTECTED]] 
 Sent: Wednesday, April 10, 2002 9:33 AM
 To: 'John Mullan'; [EMAIL PROTECTED]
 Subject: RE: [Leaf-user] Junk Busting???
 
 
 I use squid and squidguard on a separate machine.  Squidguard is nice
 because it updates nightly with a new bad list.  I'm pretty sure you
 can run squid on your Dachstein box, but you'll need a HD to store the
 cached pages and logs and probably more memory (32MB-64MB?).  With squid
 in place you can probably add squidguard.  There are also rules you can
 add so the web proxy is transparent, meaning the user's PC just uses the
 Dachstein box as the gateway and the rules pump anything destined for
 port 80 thru squid.

 I put this in the category of can be done if you're pretty familiar with
 Dachstein, Linux and firewalls, but I doubt you'll find a drop in
 package.

 If you can scrape up another PC then this should be a piece of cake
 since squid is a standard package in RedHat and all you'd need to do
 is to add squidguard (pretty easy).  If you get it to work on Dachstein
 please write it up.  I would like to have squid and squidguard running
 on the firewall, but I love having no HD in the firewall, so I'm
 sticking with my current solution.

 I run e-smith as a server and Dachstein as firewall.  If you used
 e-smith as both you just add squidguard and be done.  Personally I like
 the firewall as skinny as possible and separate from the server.

 Enough rambling, good luck.
 
 - Todd
 
  -Original Message-
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED]] On Behalf Of 
  John Mullan
  Sent: Tuesday, April 09, 2002 10:11 PM
  To: [EMAIL PROTECTED]
  Subject: [Leaf-user] Junk Busting???
  
  
  I am now in need of blocking certain web content from my 8-year-old
  grandson.

  Since my only gateway to the internet is through the Dachstein box, I am
  wondering what (if anything) can be run on the box to block various web
  content.

  So is there anything??  I'm kinda hoping NOT to add in another
  computer...
  
  *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
  John Mullan   http://mullan.dns2go.com/
  
  Personal: mailto:[EMAIL PROTECTED]
  Business: mailto:[EMAIL PROTECTED]
   
  
  
 
 
 






Re: [Leaf-user] Adding to syslinux.cfg on DCD

2002-04-11 Thread Charles Steinkuehler

 How do I edit syslinux.cfg on the DCD image? I have winimage and can
 view the ISO image but I don't see syslinux.cfg. I want to add the
 serial terminal redirect to it so I will see boot messages.

You boot off a floppy (or other writable media), or you burn a new CD :

 Also, am I correct in thinking that I can replace the .lrp files in the
 image with my floppy backups and reburn to get a floppyless setup once
 I have it all configured?

Yes, if you do full backups to your floppy, and use these packages when you
burn a new CD, you won't have to have a floppy (or other device for
configuration storage) until/unless your configuration needs to change from
the CD.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)





Re: [Leaf-user] Changes for new Dachstein release

2002-04-11 Thread nephilim

Quoting Simon Bolduc [EMAIL PROTECTED]:

 I'm not sure if this would be possible but:
 
 Wouldn't it be possible to do a reverse lookup on all blocked IPs (via a 
 script) when they are blocked, add it to a file, and then every few
 hours do another lookup to see if the FQDN associated with the IP has 
 changed -(if it has then remove it from list)? This does of course assume 
 that the FQDN associated with a dynamic IP changes when the lease does.

It's certainly possible to do the reverse DNS lookups - but there's nothing 
stating that hosts on the internet have to have a reverse DNS record. Also, 
ISPs that do use reverse DNS often have the reverse DNS linked to the IP 
address rather than a particular user account - for example dial up users to 
the ISP I use are given a DNS name of xxx-xxx-xxx-xxx.dialup.paradise.net.nz 
which is bound to the IP they are given when dialing up.

Richard




Re: [Leaf-user] Adding to syslinux.cfg on DCD

2002-04-11 Thread Kory Krofft

Thanks for the response Charles,
I am planning to burn a new CD but I don't see where to edit syslinux.cfg
to use when burning the new CD. I can copy it from a boot floppy but
where do I have winimage put it to replace the current one on the ISO
image?

Thanks,
Kory

Charles Steinkuehler wrote:
 
  How do I edit syslinux.cfg on the DCD image? I have winimage and can
  view the ISO image but I don't see syslinux.cfg. I want to add the
  serial terminal redirect to it so I will see boot messages.
 
 You boot off a floppy (or other writable media), or you burn a new CD :
 






Re: [Leaf-user] Adding to syslinux.cfg on DCD

2002-04-11 Thread Upnet Joe

I don't know how to do it with WinImage...
this is what I did (I have access to a RedHat Linux machine), so

mount -t msdos bootdisk.bin -o loop /mnt/lrpmnt
cd /mnt/lrpmnt
vi syslinux.cfg

then rebuild the .iso image and burn

Upnet Joe






Re: [Leaf-user] Adding to syslinux.cfg on DCD

2002-04-11 Thread Chad Carr

On Fri, 12 Apr 2002 00:04:42 -0400
Upnet Joe [EMAIL PROTECTED] wrote:

 I don't know how to do it with WinImage...
 this is what I did ( I have a access to RedHat Linux machine) so
 
 mount -t msdos bootdisk.bin -o loop /mnt/lrpmnt
 cd /mnt/lrpmnt
 vi syslinux.cfg

Have you tried mounting the iso image on loopback like so:

mount -t iso9660 dach.iso /mnt -o loop

then mounting the bootdisk image from the mounted iso image like this:

cd /mnt; mount -t msdos bootdisk.bin /some/other/mount/point -o loop

then modifying your files and umounting them in the opposite order?

Will that work?  I don't really know how iso filesystems work, but it
ought to.  I've done that _sort_ of thing before, but not with iso9660,
I'm afraid, so I don't know.

I don't really know how hard life is with a Windows machine, though.  I
have never had to do real work with them.

Chad





[Leaf-user] help with opensshd/weblet/dachstein

2002-04-11 Thread Chen, Elvis

Greetings,

I'm a long time user of LRP.  My last LRP was a
2-disk EigerStein with ssh/sshd and it worked great.
I have decided to give Dachstein a try but ran into 2
problems, and I seek your help.

Here is how I got Dachstein to work with my cable
modem (Cogeco@Ontario, Canada).
I downloaded the Dachstein 1680 image from
http://leaf.sourceforge.net/devel/cstein/DiskImages/Dachstein.htm
and wrote it to a disk.  Added modules for my ethernet
card, changed the host name, configured dhclient, and
it worked perfectly with my cable modem.  No other
modification was needed.  Dachstein is much of an
improvement over EigerStein as far as set-up goes.

I then used a 2nd disk, and copied ssh/sshd/sshkey to
it.  The ssh packages are downloaded from
http://leaf.sourceforge.net/devel/jnilo

According to the User's Guide at
http://leaf.sourceforge.net/devel/jnilo/openssh2.html,
the sshd is SUPPOSED to run through inetd.  Since I
don't want to regenerate the key every time, I
commented out the following lines from
/etc/init.d/sshd:


#Comment out and edit /etc/inetd.conf to run as a
stand alone server
#echo Secure Shell server via inetd: sshd
#exit 0

I ran makekey to generate new keys, it worked.

However, here is my first problem:
1) I can only ssh to my router from my local machines.
I can NOT ssh to it from my external machines.  Any
ideas?  With EigerStein this was not an issue.

from my external machines, I ran
ssh my router ip -v

I get:
debug: connecting to my router ip...
debug: entering event loop

and it stays there forever.  If I run dmesg on my
router, I see:
Packet log: input DENY eth0 PROTO=6 external machine IP:39141 my router ip:22 L=48 S=0x00 I=35425 F=0x4000 T=60 SYN (#40)

so it looks like the router is blocking port 22.
However, I explicitly opened port 22 in
/etc/ssh/sshd_config:

#   $OpenBSD: sshd_config,v 1.38 2001/04/15 21:41:29 deraadt Exp $

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# This is the sshd server system-wide configuration file.  See sshd(8)
# for more information.

Port 22
...

2) weblet doesn't really work.  From my internal
machine, if I try to access http://192.168.1.254 (from
Netscape), I get the error "This page contains no
data".  Is there anything I need to change to activate
it?

thx in advance,

Elvis

__ 
Music, Movies, Sports, Games! http://entertainment.yahoo.ca
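The dmesg line quoted above is an ipchains "Packet log:" entry: the chain (input), the verdict (DENY), the interface, and the rule number that fired are all in it, so the drop is the firewall rule set, not sshd, and Port 22 in sshd_config cannot change that. The following added example (not code from the thread or from LEAF) parses lines in that format and counts DENY/REJECT hits against a port; the addresses in the sample are constructed.

```python
"""Parse ipchains 'Packet log:' lines (the format Dachstein writes to dmesg)
and count which chain/interface/rule denied traffic to a given port.
Added example, not code from the thread or from LEAF."""
import re
from collections import Counter

# Constructed sample log lines in the format quoted in the thread
# (RFC 5737 documentation addresses stand in for the real ones).
SAMPLE_LOG = """\
Packet log: input DENY eth0 PROTO=6 203.0.113.5:39141 198.51.100.7:22 L=48 S=0x00 I=35425 F=0x4000 T=60 SYN (#40)
Packet log: input DENY eth0 PROTO=6 203.0.113.5:39142 198.51.100.7:22 L=48 S=0x00 I=35426 F=0x4000 T=60 SYN (#40)
Packet log: input DENY eth0 PROTO=17 203.0.113.9:1026 198.51.100.7:137 L=78 S=0x00 I=4112 F=0x0000 T=112 (#40)
Packet log: input ACCEPT eth1 PROTO=6 192.168.1.10:1042 192.168.1.254:22 L=60 S=0x00 I=9 F=0x4000 T=64 SYN (#12)
"""

# Field order follows the line in the thread: chain, verdict, interface,
# PROTO, src:sport, dst:dport, L(ength), S(tos), I(d), F(rag), T(tl),
# optional SYN flag, then the rule number in parentheses.
LINE_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<len>\d+) S=(?P<tos>0x[0-9a-fA-F]+) "
    r"I=(?P<id>\d+) F=(?P<frag>0x[0-9a-fA-F]+) T=(?P<ttl>\d+)"
    r"(?: (?P<flags>SYN))? \(#(?P<rule>\d+)\)"
)

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_line(line):
    """Return a dict of the fields, or None if the line is not a packet log."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "len", "id", "ttl", "rule"):
        rec[key] = int(rec[key])
    rec["proto_name"] = PROTO_NAMES.get(rec["proto"], str(rec["proto"]))
    rec["syn"] = rec.pop("flags") == "SYN"
    return rec


def denied_to_port(log_text, port):
    """Map (chain, iface, rule) -> count of DENY/REJECT entries for `port`.
    Any hit here means the firewall dropped the packet before the daemon saw it."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["verdict"] in ("DENY", "REJECT") and rec["dport"] == port:
            hits[(rec["chain"], rec["iface"], rec["rule"])] += 1
    return hits


if __name__ == "__main__":
    for (chain, iface, rule), n in denied_to_port(SAMPLE_LOG, 22).items():
        print(f"{n} packet(s) to port 22 denied in the {chain} chain on {iface} by rule #{rule}")
```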
