[leaf-user] how to set up parallel wireless and wired LANs/interfaces
Using Bering rc2, I'm trying to set up a router with eth0 external (ATT cable modem), eth1 a wired Ethernet LAN, and eth2 a wireless Ethernet LAN. Though I may eventually want to put an externally-reachable webserver on one of the LANs, I don't think I want a dmz. That is, I want all hosts on eth1 and eth2 to have full access to each other as if they were all on the same subnet.

All interfaces come up fine. 'ip addr' shows all three with the IP addresses I'd expect: eth0's assigned via pump, eth1's 192.168.1.254 and eth2's 192.168.2.254. Further, the wired LAN on eth1 seems to be working correctly. A host there gets assigned an IP via dhcpd, and dig shows that names are being resolved by the router at 192.168.1.254. The host on eth1 can ping 192.168.2.254 (the router's eth2 interface), but cannot ping any hosts on eth2.

A host on the wireless LAN also gets an IP via dhcp, but DNS isn't working for it (though its resolv.conf file shows that it correctly got the DNS server: 192.168.1.254). Like the eth1 host, it can ping the router's other internal interface, but can't ping hosts on the other LAN.

I'm guessing that I need to coerce shorewall into letting those icmp packets across the eth1/eth2 boundary. Is the firewall also responsible for the failure of DNS on eth2? More generally, has anyone posted suggestions for making this configuration work?

Thanks,

--Eric House

From the desktop of: Eric House, [EMAIL PROTECTED]
Crosswords 4.0 for PalmOS is out!: http://www.peak.org/~fixin/xwords

___
Have big pipes? SourceForge.net is looking for download mirrors. We supply the hardware. You get the recognition. Email Us: [EMAIL PROTECTED]
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
[leaf-user] bering iso images
Anyone got Bering ISO images? Please email them to me.

Tq
Re: [leaf-user] how to set up parallel wireless and wired LANs/interfaces
On Tue, 14 May 2002 23:25:43 PDT Eric House wrote:

> Using Bering rc2, I'm trying to set up a router with eth0 external (ATT cable modem), eth1 a wired Ethernet LAN, and eth2 a wireless Ethernet LAN. Though I may eventually want to put an externally-reachable webserver on one of the LANs, I don't think I want a dmz. That is, I want all hosts on eth1 and eth2 to have full access to each other as if they were all on the same subnet.

Assuming you've named your shorewall zones net, loc and wlan (in /etc/shorewall/{zones,interfaces}), you could pass traffic freely from loc to wlan by adding policies in /etc/shorewall/policy:

#SOURCE  DESTINATION  POLICY  LOG LEVEL
# You could also change the existing loc - net to loc - all.
# Doing so would allow unfiltered access from loc to the firewall.
loc      wlan         ACCEPT  info
# New policy to give the wlan access to the private net.
wlan     loc          ACCEPT  info

This is probably obvious, but... Be careful; unless you take further precautions, the policies above will allow anyone with a wireless card nearby (or not-so-nearby with a wireless card and an antenna) full access to the network hanging off eth1.

> All interfaces come up fine. 'ip addr' shows all three with the IP addresses I'd expect: eth0's assigned via pump, eth1's 192.168.1.254 and eth2's 192.168.2.254. Further, the wired LAN on eth1 seems to be working correctly. A host there gets assigned an IP via dhcpd, and dig shows that names are being resolved by the router at 192.168.1.254. The host on eth1 can ping 192.168.2.254 (the router's eth2 interface), but cannot ping any hosts on eth2.

From memory, Tom Eastep's shorwall.lrp (and I think Jacques's version, too) have a rule in /etc/shorewall/rules like so:

ACCEPT  loc  fw  icmp  8

that allows the loc - fw:192.168.2.254 ping. The policy outlined above would permit loc - wlan pings.

You could also leave the policy as-is and allow selected traffic through by adding rules like these:

# pings between wlan and loc
ACCEPT  loc   wlan  icmp  8
ACCEPT  wlan  loc   icmp  8
# http, https and ssh between wlan and loc
ACCEPT  loc   wlan  tcp   www,https,ssh
ACCEPT  wlan  loc   tcp   www,https,ssh

> A host on the wireless LAN also gets an IP via dhcp, but DNS isn't working for it (though its resolv.conf file shows that it correctly got the DNS server: 192.168.1.254). Like the eth1 host, it can ping the router's other internal interface, but can't ping hosts on the other LAN.

You probably need to add a rule to allow the DNS queries:

ACCEPT  wlan  fw:192.168.1.254  udp  domain

> I'm guessing that I need to coerce shorewall into letting those icmp packets across the eth1/eth2 boundary. Is the firewall also responsible for the failure of DNS on eth2? More generally, has anyone posted suggestions for making this configuration work?

Running a tail -f on /var/log/messages while you are debugging the rules can be a huge help. tcpdump(.lrp) can come in handy too, when log output isn't sufficient to debug the problem.

Hope that helps at least a little.

--Brad

> Thanks,
> --Eric House
[leaf-user] bering and ne2000 card?
I'm having trouble getting bering to recognize my isa ne2000 card (and my wavelan/pcmcia adapter, but I'll ignore that until I can ping the ne2000). It's giving me undefined symbols (about half a dozen, all starting with ei) when it tries to load.

Also, is there an easy way to set the firewall wide open (or disable it) while I try to get this running?

klint.

(please CC me direct if you reply as I get the list in digest and I'm getting to a point where I need to cut my losses if it's never going to work)

Klint Gore                                  Non rhyming
EMail : [EMAIL PROTECTED]                   slang - the
Snail : A.B.R.I.                            possibilities
Mail    University of New England           are useless
        Armidale NSW 2351 Australia         L.J.J.
Fax   : +61 2 6772 5376
Re: [leaf-user] bering and ne2000 card?
Hi Klint

At 18:33 15/05/02 +1000, Klint Gore wrote:
> I'm having trouble getting bering to recognize my isa ne2000 card ...

You need to load the 8390 module before the ne module - could that be the problem?

cheers
Julian
--
[EMAIL PROTECTED]
www.ljchurch.co.uk
Re: [leaf-user] RE: booting from CDROM
Quoting Luis.F.Correia [EMAIL PROTECTED]:

It is hard to tell since you don't provide enough information. But I will try a little gamble here. If you followed the guide that was mentioned in the previous guide and you entered /dev/cdrom in the boot pkgpath variable (in syslinux.cfg), this is probably your problem. You can easily check this by booting from cdrom and doing ls /dev/cdrom; if there is no file found you will have to specify something else in syslinux.cfg, probably /dev/hda or /dev/hdb or /dev/hdc or /dev/hdd. Check your boot sequence to see how your cdrom is detected.

Kim Oppalfens
Azlan Training

> You should address these questions to the list. Anyway, have you read the doc?
> http://leaf.sourceforge.net/devel/jnilo/bucdrom.html
> Please explain in more detail what is not working.
>
> Cheers
>
> -----Original Message-----
> From: Mohd Nazri Bin Ab Hamid [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, May 15, 2002 4:14 AM
> To: [EMAIL PROTECTED]
> Subject:
>
> hi.. one Q, i got a bering floppy that worked for eth0 and ppp0, now i want to create a bootable bering CDROM. while booting from CDROM i got an error: kernel panic: Attempted to kill init! why? Thanks in advance.
[leaf-user] Permanent PPP with ADSL/PPPoATM/Bering
OK, the issue now is how to keep your connection up as permanently as possible. Occasionally my ADSL line will go down, and ppp will spot this and exit. I've looked through the various ppp options, and there seems to be scope for having ppp stay up and try reconnects every now and then (this is CHAP auth). This doesn't seem to be accomplished by the persist option, which I guess is at a different level (i.e. line up but connection down). I suppose ppp will need to re-chap when the line comes back up too.

Various options look like they might be likely to succeed, but rather than just trial and error all of them, I was wondering whether anyone has done this and knows for sure what will work.

Failing that, here is a solution from the ppp howto:

> If you are fortunate enough to have a semi permanent connection to the net and would like to have your machine automatically redial your PPP connection if it is lost then here is a simple trick to do so.
>
> Configure PPP such that it can be started by the root user by issuing the command:
>
>     # pppd
>
> Be sure that you have the `-detach' option configured in your /etc/ppp/options file. Then, insert the following line into your /etc/inittab file, down with the getty definitions:
>
>     pd:23:respawn:/usr/sbin/pppd
>
> This will cause the init program to spawn and monitor the pppd program and automatically restart it if it dies.

This is a nice solution, but for Bering, if I wanted to do this, would it be a case of removing the auto from the interfaces file, and moving the dsl-provider peers name into the options file?

Many thanks
Dave
[leaf-user] ip addr, test the water ?
The user adds some addresses and I want to find out if they're valid before running a complex series of networking scripts. Like give him feedback if that address is already taken. Is there an ip addr command which will test if an addr is already taken on the network without doing an add? Conversely, he wants to assign a gateway; can ip find out if that address exists without adding a route?

TIA
Re: [leaf-user] how to set up parallel wireless and wired LANs/interfaces
On Wed, 15 May 2002, Brad Fritz wrote:
> On Tue, 14 May 2002 23:25:43 PDT Eric House wrote:
> > Using Bering rc2, I'm trying to set up a router with eth0 external (ATT cable modem), eth1 a wired Ethernet LAN, and eth2 a wireless Ethernet LAN. Though I may eventually want to put an externally-reachable webserver on one of the LANs, I don't think I want a dmz. That is, I want all hosts on eth1 and eth2 to have full access to each other as if they were all on the same subnet.
>
> This is probably obvious, but... Be careful; unless you take further precautions, the policies above will allow anyone with a wireless card nearby (or not-so-nearby with a wireless card and an antenna) full access to the network hanging off eth1.

So dmz-style rules make sense for the wireless net, don't they? Though I may eventually put a web server on the net (the wlan isn't the logical place for it but for its being dmz-like), the wlan will mostly be used for internet access. But I expect I'll occasionally want to connect from the wlan to machines on loc, e.g. to kill an XF86 server when it crashes.

Perhaps the best approach is to start with the default dmz rules, then punch specific holes through the firewall allowing ssh and ping between dmz and loc?

Thanks!

--Eric

From the desktop of: Eric House, [EMAIL PROTECTED]
Crosswords 4.0 for PalmOS is out!: http://www.peak.org/~fixin/xwords
Re: [leaf-user] Question: DachsteinCD Update for IPSec 1.97?
> Are there any plans to update the Dachstein CD with IPSec 1.97? I've got a need to use the X509 patch to connect some Win2k wireless laptops and all the docs I can find say IPSec509 = 1.96 is needed.

I have no current plans to update IPSec.

> I got to the point of updating the package on the CD, booted it up and then realized kernel mode stuff was still 1.91. D'oh. If I had a little more experience with recompiling kernels for DCD, I'd think about doing it myself, but I've got lots to learn in that area. Windows 2000 during the day and RedHat at night has numbed my brain to the nuts and bolts under the hood.

If you were able to get the FreeS/WAN binaries compiled, you should have no problem building a kernel. Grab the kernel source tarball from my site (or one of the many mirrors), and take a look at the kernel readme file. The process is pretty straight-forward:
http://lrp.steinkuehler.net/files/kernels/2.2.19-3-source/README

See my IPSec page for notes on the mods required to get the FreeS/WAN scripts working under Dachstein:
http://lrp.steinkuehler.net/Packages/ipsec1.91.htm#NOTES

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
[leaf-user] package conflicts
Perhaps this question has been answered before--if so, sorry. What happens when two .LRP packages contain the same file, like ppp and pppoe? Both contain /etc/pap-secrets. Does the package that gets loaded last simply overwrite the existing file?

Thanks,
George Luft
Re: [leaf-user] package conflicts
> Perhaps this question has been answered before--if so, sorry. What happens when two .LRP packages contain the same file, like ppp and pppoe? Both contain /etc/pap-secrets. Does the package that gets loaded last simply overwrite the existing file?

When loading, yes...the last package loaded will overwrite the file.

If the file is listed the same way in two package list files, however, backing up *EITHER* package will result in the file *MISSING* from that package. If you backup both packages, you will entirely lose the file!

For details, see:
http://sourceforge.net/docman/display_doc.php?docid=1461&group_id=13751

...and other items in the FAQ.
http://leaf.sourceforge.net/mod.php?mod=userpage&menu=1300&page_id=9

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
[leaf-user] What should dhcpd.conf look like for eth2?
I want dhcpd to serve both eth1 and eth2. My dhcpd.conf looks like this, with the second subnet changing '1' to '2' for everything but the name server:

dynamic-bootp-lease-length 604800;
max-lease-time 1209600;

subnet 192.168.1.0 netmask 255.255.255.0 {
  option routers 192.168.1.254;
  option domain-name "private.network";
  option domain-name-servers 192.168.1.254;
  range 192.168.1.1 192.168.1.199;
}

subnet 192.168.2.0 netmask 255.255.255.0 {
  option routers 192.168.2.254;
  option domain-name "dmz.network";
  option domain-name-servers 192.168.1.254;
  range 192.168.2.1 192.168.2.199;
}

When the router boots, I get error messages from dhcpd (on the console and in syslog) telling me I need a subnet declaration for eth2 in my dhcpd.conf file. Oddly, if after I get a prompt I run '/etc/init.d/dhcpd restart' (without changing anything) I don't get those errors. (dhcpd works only intermittently on eth2, but that may be shorewall problems.)

I have this in /etc/init.d/dhcpd, BTW:

# Add interfaces, separated by a space (ie eth0 eth1)
# Typically your internal interface: eth1 for cable modems/DSL, or
# eth0 for ppp/dialup
ifs="eth1 eth2"

Thanks,

--Eric House

From the desktop of: Eric House, [EMAIL PROTECTED]
Crosswords 4.0 for PalmOS is out!: http://www.peak.org/~fixin/xwords
Re: [leaf-user] What should dhcpd.conf look like for eth2?
Your dhcpd.conf entry for the 192.168.2.0 subnet looks fine. Given that, the problem is probably that dhcpd is starting before whatever interface network 192.168.2.0 is on (I infer eth2 from what you say) gets configured. At the point at which dhcpd starts, eth2 is probably (implicitly) network 0.0.0.0/something, and you have no subnet declaration for that bogus network. That it works fine from a console restart reinforces this interpretation of the symptom you describe.

Since you tell us so little about your setup (not even which LEAF version you are using), it's not really possible to be more specific than that.

At 09:35 AM 5/15/02 -0700, Eric House wrote:
> I want dhcpd to serve both eth1 and eth2. My dhcpd.conf looks like this, with the second subnet changing '1' to '2' for everything but the name server:
>
> dynamic-bootp-lease-length 604800;
> max-lease-time 1209600;
>
> subnet 192.168.1.0 netmask 255.255.255.0 {
>   option routers 192.168.1.254;
>   option domain-name "private.network";
>   option domain-name-servers 192.168.1.254;
>   range 192.168.1.1 192.168.1.199;
> }
>
> subnet 192.168.2.0 netmask 255.255.255.0 {
>   option routers 192.168.2.254;
>   option domain-name "dmz.network";
>   option domain-name-servers 192.168.1.254;
>   range 192.168.2.1 192.168.2.199;
> }
>
> When the router boots, I get error messages from dhcpd (on the console and in syslog) telling me I need a subnet declaration for eth2 in my dhcpd.conf file. Oddly, if after I get a prompt I run '/etc/init.d/dhcpd restart' (without changing anything) I don't get those errors. (dhcpd works only intermittently on eth2, but that may be shorewall problems.)
>
> I have this in /etc/init.d/dhcpd, BTW:
>
> # Add interfaces, separated by a space (ie eth0 eth1)
> # Typically your internal interface: eth1 for cable modems/DSL, or
> # eth0 for ppp/dialup
> ifs="eth1 eth2"

--
"Never tell me the odds!" -- Han Solo
Ray Olszewski, Palo Alto, CA, [EMAIL PROTECTED]
Re: [leaf-user] What should dhcpd.conf look like for eth2?
> Your dhcpd.conf entry for the 192.168.2.0 subnet looks fine. Given that, the problem is probably that dhcpd is starting before whatever interface network 192.168.2.0 is on (I infer eth2 from what you say) gets configured. At the point at which dhcpd starts, eth2 is probably (implicitly) network 0.0.0.0/something, and you have no subnet declaration for that bogus network. That it works fine from a console restart reinforces this interpretation of the symptom you describe.
>
> Since you tell us so little about your setup (not even which LEAF version you are using), it's not really possible to be more specific than that.

Sorry. Bering, rc2. eth0 and eth2 are 3c509; eth2 is a wireless card using ray_cs plus whatever it takes to run the ISA-PCMCIA adapter. eth0 is outbound, and connected to a cable modem (ATT) with IP assigned over dhcp.

The card on eth2 *does* take a few seconds to come up. Is this just a timing issue? Should I be delaying dhcpd somehow? (I suppose a 'sleep 5' in init.d/dhcpd would do it, but there's sure to be a better way.)

Thanks,

--Eric

> At 09:35 AM 5/15/02 -0700, Eric House wrote:
> > I want dhcpd to serve both eth1 and eth2. My dhcpd.conf looks like this, with the second subnet changing '1' to '2' for everything but the name server:
> >
> > dynamic-bootp-lease-length 604800;
> > max-lease-time 1209600;
> >
> > subnet 192.168.1.0 netmask 255.255.255.0 {
> >   option routers 192.168.1.254;
> >   option domain-name "private.network";
> >   option domain-name-servers 192.168.1.254;
> >   range 192.168.1.1 192.168.1.199;
> > }
> >
> > subnet 192.168.2.0 netmask 255.255.255.0 {
> >   option routers 192.168.2.254;
> >   option domain-name "dmz.network";
> >   option domain-name-servers 192.168.1.254;
> >   range 192.168.2.1 192.168.2.199;
> > }
> >
> > When the router boots, I get error messages from dhcpd (on the console and in syslog) telling me I need a subnet declaration for eth2 in my dhcpd.conf file. Oddly, if after I get a prompt I run '/etc/init.d/dhcpd restart' (without changing anything) I don't get those errors. (dhcpd works only intermittently on eth2, but that may be shorewall problems.)
> >
> > I have this in /etc/init.d/dhcpd, BTW:
> >
> > # Add interfaces, separated by a space (ie eth0 eth1)
> > # Typically your internal interface: eth1 for cable modems/DSL, or
> > # eth0 for ppp/dialup
> > ifs="eth1 eth2"

From the desktop of: Eric House, [EMAIL PROTECTED]
Crosswords 4.0 for PalmOS is out!: http://www.peak.org/~fixin/xwords
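Eric asks above whether a 'sleep 5' in init.d/dhcpd is the right fix. The script below is an added example (not from the thread, and not Bering's own init script) that instead waits for each interface in $ifs to obtain an address and then verifies that dhcpd.conf declares a subnet covering it, which is the condition Ray's diagnosis points at. It assumes iproute2 'ip' and awk are available; the dhcpd.conf path /etc/dhcpd.conf and the 30 s timeout are placeholders, and the sample dhcpd.conf is constructed from Eric's post.

```shell
#!/bin/sh
# Added example, not from the thread and not Bering's own /etc/init.d/dhcpd.
# Instead of a fixed 'sleep 5': wait until every interface in $ifs has an
# IPv4 address, check that dhcpd.conf declares a subnet containing it, and
# only then start dhcpd. Assumes iproute2 'ip' and awk; paths are assumed.

# Dotted quad -> 32-bit integer, e.g. 192.168.2.254 -> 3232236286.
ip2int() {
    set -- $(echo "$1" | tr . ' ')
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# True if address $1 lies in network $2 with netmask $3.
in_subnet() {
    [ $(( $(ip2int "$1") & $(ip2int "$3") )) -eq $(( $(ip2int "$2") & $(ip2int "$3") )) ]
}

# Read 'ip -4 -o addr show dev IFACE' output on stdin; print the first inet
# address without prefix length, or nothing if the interface has none yet.
parse_inet_addr() {
    awk '$3 == "inet" { sub("/.*", "", $4); print $4; exit }'
}

iface_addr() {
    ip -4 -o addr show dev "$1" 2>/dev/null | parse_inet_addr
}

# Print "NET/MASK" of the first 'subnet NET netmask MASK {' in dhcpd.conf
# $2 that contains address $1; return 1 if none does. An interface still at
# 0.0.0.0 when dhcpd starts matches nothing, which is Ray's explanation.
subnet_declared_for() {
    decls=$(awk '$1 == "subnet" && $3 == "netmask" { print $2, $4 }' "$2")
    while read -r net mask; do
        [ -n "$net" ] || continue
        if in_subnet "$1" "$net" "$mask"; then
            echo "$net/$mask"
            return 0
        fi
    done <<EOF
$decls
EOF
    return 1
}

# Poll up to $2 seconds for interface $1 to get an address; print it or fail.
wait_for_addr() {
    n=0
    while [ "$n" -lt "$2" ]; do
        addr=$(iface_addr "$1")
        if [ -n "$addr" ]; then echo "$addr"; return 0; fi
        sleep 1
        n=$((n + 1))
    done
    return 1
}

# Replacement for the unconditional start: 'ifs' is the variable that
# /etc/init.d/dhcpd already uses; DHCPD_CONF defaults to an assumed path.
start_dhcpd_when_ready() {
    ifs=${ifs:-"eth1 eth2"}
    conf=${DHCPD_CONF:-/etc/dhcpd.conf}
    for i in $ifs; do
        if ! addr=$(wait_for_addr "$i" 30); then
            echo "$i: no IPv4 address after 30 s, not starting dhcpd" >&2
            return 1
        fi
        if ! net=$(subnet_declared_for "$addr" "$conf"); then
            echo "$i: $addr is in no subnet declared in $conf" >&2
            return 1
        fi
        echo "$i: $addr is covered by subnet $net"
    done
    dhcpd $ifs
}

# Constructed dhcpd.conf with the two subnets from Eric's post, written to
# file $1, so the checks above can be exercised without a router.
write_sample_conf() {
    cat > "$1" <<'EOF'
subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.1 192.168.1.199;
}
subnet 192.168.2.0 netmask 255.255.255.0 {
  range 192.168.2.1 192.168.2.199;
}
EOF
}
```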
RE: [leaf-user] package conflicts
> > Perhaps this question has been answered before--if so, sorry. What happens when two .LRP packages contain the same file, like ppp and pppoe? Both contain /etc/pap-secrets. Does the package that gets loaded last simply overwrite the existing file?
>
> When loading, yes...the last package loaded will overwrite the file.
>
> If the file is listed the same way in two package list files, however, backing up *EITHER* package will result in the file *MISSING* from that package. If you backup both packages, you will entirely lose the file!
>
> For details, see:
> http://sourceforge.net/docman/display_doc.php?docid=1461&group_id=13751
>
> ...and other items in the FAQ.
> http://leaf.sourceforge.net/mod.php?mod=userpage&menu=1300&page_id=9

Actually, it looks like pppoe does not have etc/pap-secrets in its .list file. The confusing thing is that both package menus in lrcfg--from the package.conf files--refer to the same pap-secrets file. It was especially confusing because at one point, I had declared pppoe but not ppp, so the file was not there to edit.

Thanks for clearing that up, Charles. I'll check the FAQ first next time.
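As an added example (not from the thread or from the LEAF tools), here is a check for the situation Charles describes: a path that occurs in more than one package's .list file. It assumes the .list files live in /var/lib/lrpkg with one path per line; the ppp/pppoe sample lists are constructed from George's question.

```shell
#!/bin/sh
# Added example, not from the thread or from the LEAF tools: report files
# whose path appears in the .list of more than one LRP package. As Charles
# explains, such a file is dropped from whichever package is backed up and
# lost outright if both are, so this is worth running before a backup.
# Assumes the .list files live in /var/lib/lrpkg, one path per line.

# Print "path pkg1 pkg2 ..." for each path that occurs in two or more
# *.list files under directory $1. A leading slash is stripped first, so
# "/etc/pap-secrets" and "etc/pap-secrets" are reported together; the
# thread only says identically listed entries collide, so treat a
# slash-only difference as something to inspect rather than a certain loss.
duplicate_list_entries() {
    for f in "$1"/*.list; do
        [ -f "$f" ] || continue
        pkg=$(basename "$f" .list)
        # emit one "path pkg" pair per line, skipping blank lines
        sed -e '/^[[:space:]]*$/d' -e 's#^/##' -e "s#\$# $pkg#" "$f"
    done | LC_ALL=C sort | awk '
        $1 != prev { if (n > 1) print prev, pkgs; prev = $1; pkgs = $2; n = 1; next }
        { pkgs = pkgs " " $2; n++ }
        END { if (n > 1) print prev, pkgs }'
}

# Gate for a backup script: status 1 (and a report on stderr) when any
# path is claimed by more than one package in directory $1.
check_lists() {
    dups=$(duplicate_list_entries "${1:-/var/lib/lrpkg}")
    if [ -n "$dups" ]; then
        printf 'files listed by more than one package:\n%s\n' "$dups" >&2
        return 1
    fi
    return 0
}

# Constructed sample lists in directory $1: the ppp/pppoe case from
# George's question (one entry with, one without a leading slash) and a
# third package that shares nothing.
write_sample_lists() {
    printf '/etc/ppp/options\n/etc/pap-secrets\n/etc/ppp/chap-secrets\n' > "$1/ppp.list"
    printf 'etc/pap-secrets\n/etc/ppp/peers/dsl-provider\n' > "$1/pppoe.list"
    printf '/etc/dhcpd.conf\n/etc/init.d/dhcpd\n' > "$1/dhcpd.list"
}
```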
Re: [leaf-user] how to set up parallel wireless and wired LANs/interfaces
On Wed, 15 May 2002 06:28:45 PDT Eric House wrote:
> > This is probably obvious, but... Be careful; unless you take further precautions, the policies above will allow anyone with a wireless card nearby (or not-so-nearby with a wireless card and an antenna) full access to the network hanging off eth1.
>
> So dmz-style rules make sense for the wireless net, don't they?

Probably so. Another approach, if you're concerned about who uses or who can snoop on the wireless net, would be to use IPSec on the wireless net and define separate access policies for authenticated wireless clients on the VPN and non-authenticated wireless clients.

> Though I may eventually put a web server on the net (the wlan isn't the logical place for it but for its being dmz-like), the wlan will mostly be used for internet access.

It probably makes sense to comment out the dmz zone, policy, interface and rules for now and add in your own wlan zone. That way there's no confusion if you decide to add a DMZ later. As you said, the setup for the WLAN zone will probably look a lot like the example dmz zone.

> But I expect I'll occasionally want to connect from the wlan to machines on loc, e.g. to kill an XF86 server when it crashes.

Your setup sounds very similar to mine. From my WLAN I allow DNS requests to the firewall and ssh and https access to selected hosts on my private network. From the WLAN to the 'net, I allow HTTP, HTTPS, SSH, FTP, whois and maybe one or two other protocols. Eventually, I will set up IPSec for access from the WLAN to the private net, but even now my exposure is fairly limited.

> Perhaps the best approach is to start with the default dmz rules, then punch specific holes through the firewall allowing ssh and ping between dmz and loc?

Sounds like a plan. I'm guessing you will probably want to add rules to allow HTTP, HTTPS and FTP from the wireless network to the Internet too.

--Brad

> Thanks!
> --Eric
RE: [leaf-user] bering rc2 ipsec
Coming a little late to the thread, but I was reading this message and had a question. I also get the rp_filter=0 ... etc... but I never really needed to fix that. I have since only made sure that the leftfirewall=yes option is set in ipsec.conf. Has anyone seen a true need to try and fix that error?

Joey

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of a hillery
Sent: Monday, May 13, 2002 9:50 PM
To: Jacques Nilo
Cc: [EMAIL PROTECTED]
Subject: Re: [leaf-user] bering rc2 ipsec

That was it: ipsec.o was left out of the mix. (My error.) Thank you for your help!!!

(I am on to the next error; it seems to want /proc/sys/net/ipv4/conf/eth2/rp_filter = 0 and I have a 1. I need to go back and clean up all my network settings. I was just testing the pieces and must have something not quite valid. Also my cardmgr did not want to load my orinoco_cs.o unless I had loaded hermes.o and orinoco.o before running cardmgr.)

My goal is to ipsec my wireless connections. I can let you know if I get it all working, if you like.

Allen

Jacques Nilo wrote:
> > When I try to setup ipsec.lrp under bering rc2 I get the following error after restarting (ipsec setup --restart):
> > ...
> > /lib/ipsec/spi: Trouble opening PF_KEY family socket with error: KLIPS not loaded or enabled
> > ipsec_setup: Starting FreeS/WAN IPsec 1.97
> > ipsec_setup: kernel appears to lack KLIPS
> >
> > Should I need a special kernel or did I do something wrong?
>
> Do you get that message only when you REstart? What do you get if you type /etc/init.d/ipsec start?
>
> Basic things to check:
> - ipsec.o in /lib/modules
> - mawk.lrp must be loaded
>
> Jacques
RE: [leaf-user] slink (leaf development environment)
> Also, remember that some LEAF variants use newer libraries (newer than glibc-2.0.x) so don't require Slink as a development platform.

With this in mind, which LEAF versions use the newer libraries? I think oxygen does, how about Dachstein?

thanks
Steve