Re: [leaf-user] DHCLIENT errors filling up my log...eigerstein.
More info from the logs:

Jun 13 00:03:34 mikerouter dhclient: ip length 328 disagrees with bytes received 332.
Jun 13 00:03:34 mikerouter dhclient: accepting packet with data after udp payload.
Jun 13 00:03:34 mikerouter dhclient: ip length 328 disagrees with bytes received 332.
Jun 13 00:03:34 mikerouter dhclient: accepting packet with data after udp payload.
Jun 13 00:03:34 mikerouter dhcpd: receive_packet failed on eth1: Network is down
Jun 13 00:03:48 mikerouter dhclient: ip length 328 disagrees with bytes received 332.
Jun 13 00:03:48 mikerouter dhclient: accepting packet with data after udp payload.
Jun 13 00:03:48 mikerouter dhclient: ip length 328 disagrees with bytes received 332.
Jun 13 00:03:48 mikerouter dhclient: accepting packet with data after udp payload.
Jun 13 00:04:04 mikerouter dhclient: ip length 328 disagrees with bytes received 332.

Any help would be greatly appreciated. TIA.

mike.

Michael McClure wrote:
> I was recently forced to switch from dedicated to dhclient ip by my cable modem company. It worked fine, but I'm getting the following messages in my log (which are shown in a manual startup:
>
> # svi dhclient start
> Starting dhclient...
> Internet Software Consortium DHCP Client 2.0pl5
> Copyright 1995, 1996, 1997, 1998, 1999 The Internet Software Consortium.
> All rights reserved.
>
> Please contribute if you find this software useful.
> For info, please visit http://www.isc.org/dhcp-contrib.html
>
> IP filters: [IP Forwarding: DISABLED] flushed
> Listening on LPF/eth0/00:80:29:68:a1:4f
> Sending on   LPF/eth0/00:80:29:68:a1:4f
> Sending on   Socket/fallback/fallback-net
> IP filters: [IP Forwarding: DISABLED] flushed
> IP filters: [IP Forwarding: DISABLED] flushed
> DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 3
> DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 4
> ip length 328 disagrees with bytes received 332.
> accepting packet with data after udp payload.
> DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 10
> ip length 328 disagrees with bytes received 332.
> accepting packet with data after udp payload.
> DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 7
> DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 10
> ip length 328 disagrees with bytes received 332.
> accepting packet with data after udp payload.
> ip length 328 disagrees with bytes received 332.
> accepting packet with data after udp payload.
> ip length 328 disagrees with bytes received 332.
> accepting packet with data after udp payload.
> ip length 328 disagrees with bytes received 332.
> accepting packet with data after udp payload.
> ip length 328 disagrees with bytes received 332.
> accepting packet with data after udp payload.
> ip length 328 disagrees with bytes received 332.
> accepting packet with data after udp payload.
> DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 20
> ip length 328 disagrees with bytes received 332.
> accepting packet with data after udp payload.
> ip length 328 disagrees with bytes received 332.
> accepting packet with data after udp payload.
> ip length 328 disagrees with bytes received 332.
> accepting packet with data after udp payload.
> ip length 328 disagrees with bytes received 332.
> accepting packet with data after udp payload.
> ip length 328 disagrees with bytes received 332.
> accepting packet with data after udp payload.
> ip length 328 disagrees with bytes received 332.
> accepting packet with data after udp payload.
> DHCPOFFER from 64.255.221.4
> ip length 328 disagrees with bytes received 332.
> accepting packet with data after udp payload.
> DHCPOFFER from 64.255.221.4
> DHCPOFFER already seen.
> ip length 328 disagrees with bytes received 332.
> accepting packet with data after udp payload.
> DHCPOFFER from 64.255.221.4
> DHCPOFFER already seen.
> ip length 328 disagrees with bytes received 332.
> accepting packet with data after udp payload.
> DHCPOFFER from 64.255.221.4
> DHCPOFFER already seen.
> ip length 328 disagrees with bytes received 332.
> accepting packet with data after udp payload.
> DHCPOFFER from 64.255.221.4
> DHCPOFFER already seen.
> ip length 328 disagrees with bytes received 332.
> accepting packet with data after udp payload.
> DHCPOFFER from 64.255.221.4
> DHCPOFFER already seen.
> DHCPREQUEST on eth0 to 255.255.255.255 port 67
> ip length 328 disagrees with bytes received 332.
> accepting packet with data after udp payload.
> DHCPACK from 64.255.221.4
> IP filters: firewall [IP Forwarding: ENABLED]
> Would send signal 15 to 1904.
> Stopped /usr/sbin/dnscache (pid 1904).
> Starting /usr/sbin/dnscache...
> bound to 66.235.3.59 -- renewal in 43200 seconds.
>
> In addition, when I tried a restart, I got some errors in the script:
>
> # svi dhclient restart
> Starting dhclient...
> Internet Software Consortium DHCP Client 2.0pl5
> Copyright 1995, 1996, 1997, 1998, 1999 The Internet Software Consortium.
> All rights reserved.
>
> Please contribute if you find this software useful.
> For info, please visit http://www.isc.org/dhcp-contrib.html
[leaf-user] tcpdum
Hi guys.. Does anyone have the latest version of TCPDUMP.LRP for leaf... Would believe that's 3.7.1, Latest I found was 3.6.1 at jack's site...

thanks

___
Don't miss the 2002 Sprint PCS Application Developer's Conference
August 25-28 in Las Vegas - http://devcon.sprintpcs.com/adp/index.cfm?source=osdntextlink

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
RE: [leaf-user] SSH via http ?
-Original Message-
From: Jack Coates [mailto:[EMAIL PROTECTED]]
Sent: Saturday, May 25, 2002 17:09
To: [EMAIL PROTECTED]
Cc: leaf
Subject: Re: [leaf-user] SSH via http ?

Use corkscrew (http://www.agroman.net/corkscrew); you may need to use cygwin if coming from windows. Works like a charm at my work, which also only allows HTTP/S out.

Jack

On Fri, 24 May 2002, David Ondzes wrote:
> I have seen a commercial product that lets you use a browser to connect to a SSH server and get terminal access. Does anyone know if there is a similar type application available for LEAF? The reason I ask is because my company only lets http traffic pass through firewall (via a proxy server) and it would be nice to be able to reach my machine at home.

--
Jack Coates
Monkeynoodle: A Scientific Venture...
RE: [leaf-user] SSH via http ?
Oops...forgot the data

If you're using a windows client, u can try http-tunnel, what it does is tunnel all traffic, via the proxy server on port 80

cheers

-Original Message-
From: Jack Coates [mailto:[EMAIL PROTECTED]]
Sent: Saturday, May 25, 2002 17:09
To: [EMAIL PROTECTED]
Cc: leaf
Subject: Re: [leaf-user] SSH via http ?

Use corkscrew (http://www.agroman.net/corkscrew); you may need to use cygwin if coming from windows. Works like a charm at my work, which also only allows HTTP/S out.

Jack
Re: [leaf-user] DHCLIENT errors filling up my log...eigerstein.
I have seen mention of a nic driver bug awhile back that got fixed.

http://www.scyld.com/pipermail/realtek/2000-October/000659.html

On Wed, 12 Jun 2002, Michael McClure wrote:
> More info from the logs:
>
> Jun 13 00:03:34 mikerouter dhclient: ip length 328 disagrees with bytes received 332.
> Jun 13 00:03:34 mikerouter dhclient: accepting packet with data after udp payload.
> Jun 13 00:03:34 mikerouter dhclient: ip length 328 disagrees with bytes received 332.
> Jun 13 00:03:34 mikerouter dhclient: accepting packet with data after udp payload.
> Jun 13 00:03:34 mikerouter dhcpd: receive_packet failed on eth1: Network is down
> Jun 13 00:03:48 mikerouter dhclient: ip length 328 disagrees with bytes received 332.
> Jun 13 00:03:48 mikerouter dhclient: accepting packet with data after udp payload.
> Jun 13 00:03:48 mikerouter dhclient: ip length 328 disagrees with bytes received 332.
> Jun 13 00:03:48 mikerouter dhclient: accepting packet with data after udp payload.
> Jun 13 00:04:04 mikerouter dhclient: ip length 328 disagrees with bytes received 332.
>
> Any help would be greatly appreciated. TIA.
>
> mike.
Re: [leaf-user] RE: FreeS/Wan and tinydns
Hello Brock,

> Would Vic's use of the DNS server be to allow opportunistic connections, where the key is stored on the DNS server? Presumably tinydns would allow this? Would it allow dynamic updates of your IP (and thus eliminate a commercial dynamic DNS server subscription)? I didn't quite understand what he was getting at in the original post, I wonder if this is the real question?
>
> Brock

Actually, my query is a lot lamer than what you guys thought (heheheh). All I really need is if tinydns will suffice to supply what freeswan needs so that I can implement a successful VPN. I'm still in the process of going through all the docs though. But thanks anyway!

- Vic
[leaf-user] FDDI support
Hi,

I am using Bering rc2 on a compact flash card at the moment. Working well, just have a question though. Would it be possible to build a kernel with FDDI support? A quick internet scan shows there has been a little work done to combine Token Ring and LRP in the past but I found no reference to FDDI. Just thought I would ask the list before I went trying something that couldn't be done.

If it is possible, are the steps to (1) create a new kernel with FDDI support and then (2) patch it for LRP? Or am I way off in some obscure direction??

Cheers
Paul
Re: [leaf-user] I drop a packet every 3 minutes; help to ID?
On Wed, 12 Jun 2002, Eric House wrote:
> My shorewall logs show that I'm dropping an identical packet every three minutes (exactly). After a reboot of the router the packet resumes, but might be at a different time -- which makes me wonder if it's an artifact of the router rather than coming from outside. Anyway, here's one entry. Does this mean anything to any of you?
>
> Jun 12 19:26:22 pauling kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC=01:00:5e:00:00:01:00:20:40:64:a1:fd:08:00 SRC=192.168.100.1 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0xC0 TTL=1 ID=0 PROTO=2
>
> (My internal networks are 192.168.1.0 and 192.168.2.0. I'm running Bering rc2 with ATT cable.)

Some device on the internet side of your router is configured with IP address 192.168.100.1 and is sending a multicast packet every three minutes. Because the source address is reserved by RFC 1918 and you have 'norfc1918' specified for eth0, the packet is being dropped.

You can eliminate that message in one of two ways:

a) Create the file /etc/shorewall/start (if it's not already part of the Bering distribution) and add the command:

   run_iptables -I rfc1918 -s 192.168.100.1 -d 224.0.0.1 -j DROP

b) Upgrade to Shorewall 1.3.1 and insert the following at the top of /etc/shorewall/rfc1918:

   192.168.100.1   DROP

If you choose a), then when you upgrade your Bering distribution to one that includes Shorewall 1.3.1 or later, you will want to adopt approach b).

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep    \ http://www.shorewall.net
ICQ: #60745924    \ [EMAIL PROTECTED]
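As an added illustration (not code from Tom's reply or from Shorewall itself), here is a small Python parser for Shorewall log lines like Eric's: it explains why a packet landed in the rfc1918 chain, flags senders that repeat on a fixed interval, and prints the two suppression lines given in the reply above. The sample log lines are constructed for this example (the first copies the one from the post, the others are invented).

```python
"""Classify Shorewall rfc1918 DROP lines and spot senders that repeat at a fixed interval."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# iptables LOG format as Shorewall writes it through the kernel log.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: "
    r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<fields>.*)$"
)

# Constructed sample: line 1 is the one from the post, lines 2-3 are the same sender
# three minutes apart, line 4 is an unrelated (invented) TCP drop in another chain.
SAMPLE_LOG = """\
Jun 12 19:26:22 pauling kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC=01:00:5e:00:00:01:00:20:40:64:a1:fd:08:00 SRC=192.168.100.1 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0xC0 TTL=1 ID=0 PROTO=2
Jun 12 19:29:22 pauling kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC=01:00:5e:00:00:01:00:20:40:64:a1:fd:08:00 SRC=192.168.100.1 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0xC0 TTL=1 ID=0 PROTO=2
Jun 12 19:32:22 pauling kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC=01:00:5e:00:00:01:00:20:40:64:a1:fd:08:00 SRC=192.168.100.1 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0xC0 TTL=1 ID=0 PROTO=2
Jun 12 19:33:07 pauling kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:20:40:64:a1:fd:00:01:02:03:04:05:08:00 SRC=203.0.113.9 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=1234 PROTO=TCP SPT=4444 DPT=22
"""


def parse_line(line):
    """Return a dict of the log fields, or None if this is not a Shorewall log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = {k: m.group(k) for k in ("ts", "host", "chain", "action")}
    for token in m.group("fields").split():
        key, sep, value = token.partition("=")
        if sep:
            entry[key] = value  # "OUT=" yields an empty string, as in the log
    return entry


def classify(entry):
    """List the reasons this packet is what the reply says: private source, multicast, IGMP, link-local."""
    src = ipaddress.ip_address(entry["SRC"])
    dst = ipaddress.ip_address(entry["DST"])
    reasons = []
    if src.is_private:
        reasons.append("source is an RFC 1918 address, so the rfc1918 chain drops it")
    if dst.is_multicast:
        reasons.append("destination is multicast (224.0.0.1 is the all-hosts group)")
    if entry.get("PROTO") == "2":
        # IP protocol 2 is IGMP; LEN=28 is a 20-byte IP header plus an 8-byte IGMP query.
        reasons.append("protocol 2 is IGMP")
    if entry.get("TTL") == "1":
        reasons.append("TTL 1: link-local, it came from the next hop, not across the internet")
    return reasons


def periodic_senders(lines, tolerance_s=1.0):
    """Group DROPs by (SRC, DST, PROTO); return {flow: interval} for flows whose gaps all agree."""
    by_flow = defaultdict(list)
    for line in lines:
        e = parse_line(line)
        if e and e["action"] == "DROP":
            # Syslog stamps carry no year; strptime defaults to 1900 and only deltas matter here.
            by_flow[(e["SRC"], e["DST"], e.get("PROTO"))].append(
                datetime.strptime(e["ts"], "%b %d %H:%M:%S"))
    result = {}
    for flow, stamps in by_flow.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if gaps and max(gaps) - min(gaps) <= tolerance_s:
            result[flow] = gaps[0]
    return result


def suppression_lines(src, dst):
    """The two fixes from the reply: a) /etc/shorewall/start, b) /etc/shorewall/rfc1918 (1.3.1+)."""
    return {
        "start": f"run_iptables -I rfc1918 -s {src} -d {dst} -j DROP",
        "rfc1918": f"{src}\tDROP",
    }


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for entry in filter(None, map(parse_line, lines)):
        if entry["chain"] == "rfc1918":
            print(entry["SRC"], "->", entry["DST"], ":", "; ".join(classify(entry)))
    for flow, gap in periodic_senders(lines).items():
        print("periodic sender", flow, "every", gap, "s")
        print(suppression_lines(flow[0], flow[1]))
```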
[leaf-user] Nessus scan of Dachstein Firewall
I scanned one of my firewalls just for the fun of it. We've been using Nessus for scanning a client's network to prepare for a security audit. Nothing fancy, just a default, don't DOS or destroy anything type of scan. Thought you all might be interested.

Dach CD 1.02 (I updated some packages awhile back, libz...)

It says the WWW server crashed. This is Weblet. It didn't crash really, it kinda got confused. When I looked it was running 20 or so servers, a bunch of seds, and was not responding to requests. I killed a bunch of processes, then it restarted itself.

Here it is...

Nessus Scan Report
------------------

SUMMARY

 - Number of hosts which were alive during the test : 1
 - Number of security holes found : 0
 - Number of security warnings found : 6
 - Number of security notes found : 9

TESTED HOSTS

 64.252.129.83 (Security warnings found)

DETAILS

+ 64.252.129.83 :
 . List of open ports :
   o general/tcp (Security warnings found)
   o ssh (22/tcp) (Security warnings found)
   o http (80/tcp) (Security warnings found)
   o unknown (5901/tcp) (Security warnings found)
   o general/udp (Security notes found)

 . Warning found on port general/tcp
   The remote host uses non-random IP IDs, that is, it is possible to predict the next value of the ip_id field of the ip packets sent by this host. An attacker may use this feature to determine if the remote host sent a packet in reply to another request. This may be used for portscanning and other things.
   Solution : Contact your vendor for a patch
   Risk factor : Low

 . Information found on port general/tcp
   Default scan set. nmap will ignore the user specified port range and scan only the 1024 first ports and those declared in nmap-services

 . Information found on port general/tcp
   Nmap found that this host is running Linux 2.1.122 - 2.2.16

 . Warning found on port ssh (22/tcp)
   The remote SSH daemon supports connections made using the version 1.33 and/or 1.5 of the SSH protocol. These protocols are not completely cryptographically safe so they should not be used.
   Solution : If you use OpenSSH, set the option 'Protocol' to '2'. If you use SSH.com's set the option 'Ssh1Compatibility' to 'no'
   Risk factor : Low

 . Warning found on port ssh (22/tcp)
   You are running a version of OpenSSH older than OpenSSH 3.2.1. A buffer overflow exists in the daemon if AFS is enabled on your system, or if the options KerberosTgtPassing or AFSTokenPassing are enabled. Even in this scenario, the vulnerability may be avoided by enabling UsePrivilegeSeparation. Versions prior to 2.9.9 are vulnerable to a remote root exploit. Versions prior to 3.2.1 are vulnerable to a local root exploit.
   Solution : Upgrade to the latest version of OpenSSH
   Risk factor : High

 . Information found on port ssh (22/tcp)
   a ssh server is running on this port

 . Information found on port ssh (22/tcp)
   Remote SSH version : SSH-1.99-OpenSSH_3.1p1

 . Information found on port ssh (22/tcp)
   The remote SSH daemon supports the following versions of the SSH protocol :
     . 1.33
     . 1.5
     . 1.99
     . 2.0

 . Warning found on port http (80/tcp)
   The port was detected as opened by scanner but is now closed. The service was probably crashed by the scanner

 . Information found on port http (80/tcp)
   a web server is running on this port

 . Information found on port http (80/tcp)
   The remote web server type is : ShellHTTPD/0.4.1
   We recommend that you configure your web server to return bogus versions in order to not leak information

 . Information found on port http (80/tcp)
   For your information, here is the list of CGIs that are used by the remote host, as well as their arguments :
   Syntax: cginame (arguments [default value])
     /cgi-bin/checkfw ( verbose )
     /cgi-bin/checkmem ( verbose )
     /cgi-bin/checkdisk ( verbose )
     /cgi-bin/viewlogs ( messages )
     /cgi-bin/viewlogs-www ( sh-httpd.log )

 . Warning found on port unknown (5901/tcp)
   The remote server is running VNC. VNC permits a console to be displayed remotely.
   Solution: Disable VNC access from the network by using a firewall, or stop VNC service if not needed.
   Risk factor : Medium

 . Warning found on port unknown (5901/tcp)
   Version of VNC Protocol is: RFB 003.003

 . Information found on port general/udp
   For your information, here is the traceroute to 64.252.129.83 :
   192.168.1.254
   64.252.129.83

------------------------------------------------------
This file was generated by the Nessus Security Scanner
[leaf-user] (no subject)
I have a compact flash to ide converter board and would like to put a copy of Oxygen on a CF card and use the board to boot but I am not exactly sure how.

I have connected my compact flash to my linux system via a SanDisk usb writer (SDDR-31) and the system sees it as /dev/sdb. I downloaded the latest Oxygen .bin file and I tried using dd to write it:

dd if=oxygen.bin of=/dev/sdb

When I print the partition table with fdisk it doesn't look right; fdisk complains about different physical and logical endings and about partitions not ending on a cylinder boundary.

What am I doing wrong? Is it even possible to get the image to a cf card?
Re: [leaf-user] Nessus scan of Dachstein Firewall
> I scanned one of my firewalls just for the fun of it. We've been using Nessus for scanning a client's network to prepare for a security audit. Nothing fancy, just a default, don't DOS or destroy anything type of scan. Thought you all might be interested.
>
> Dach CD 1.02 (I updated some packages awhile back, libz...)
>
> It says the WWW server crashed. This is Weblet. It didn't crash really, it kinda got confused. When I looked it was running 20 or so servers, a bunch of seds, and was not responding to requests. I killed a bunch of processes, then it restarted itself.
>
> Here it is...

snip

Good info...thanks for sharing the results.

I'm not too surprised by the web server crash. It was never really setup to handle tons of inbound requests. In fact, there's a feature of inetd (which launches weblet). If you receive too many inbound connection requests in a short period of time, inetd assumes there's something wrong and stops receiving connections for 10 minutes. That or running out of memory (easy to do on a system w/o lots of RAM with a scanner firing off tons of simultaneous requests) is probably the culprit.

The main thing to note is the currently dated ssh shipping with Dachstein-CD. Anyone want to volunteer to make an update CD? I just don't have the time :

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
Re: [leaf-user] Nessus scan of Dachstein Firewall
Your logs probably ate all your free memory. I had this happen when I did a similar scan, my system slowly became less responsive. The firewall never failed protecting, but it did stop passing packets for a while.

I see your biggest warning was using the earlier version of ssh :). All in all not bad eh?

-sp

On Thu, 13 June 2002, [EMAIL PROTECTED] wrote
> I scanned one of my firewalls just for the fun of it. We've been using Nessus for scanning a client's network to prepare for a security audit. Nothing fancy, just a default, don't DOS or destroy anything type of scan. Thought you all might be interested.
>
> Dach CD 1.02 (I updated some packages awhile back, libz...)
>
> It says the WWW server crashed. This is Weblet. It didn't crash really, it kinda got confused. When I looked it was running 20 or so servers, a bunch of seds, and was not responding to requests. I killed a bunch of processes, then it restarted itself.
>
> Here it is...
>
> Nessus Scan Report
> ------------------
>
> SUMMARY
>
>  - Number of hosts which were alive during the test : 1
>  - Number of security holes found : 0
>  - Number of security warnings found : 6
>  - Number of security notes found : 9
Re: [leaf-user] DHCLIENT errors filling up my log...eigerstein.
> Jun 13 00:03:34 mikerouter dhclient: ip length 328 disagrees with bytes received 332.

IIRC, this is a known bug in a widely released non-linux based DHCP server (BSD or Solaris, if memory serves). Nothing to do about this but ignore (or not log) the errors...or get your ISP to update their DHCP server (good luck there :).

> Jun 13 00:03:34 mikerouter dhcpd: receive_packet failed on eth1: Network is down

This is the classic symptom of a bug in all dhclient packages from me except the latest (caused by an error in translating the dhclient scripts from ifconfig/route to iproute2). Replace your dhclient.lrp with the latest one from my website (or the udhcp package recently made available, if you want extra space!), and you should be able to correctly re-start.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
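Added example (not ISC dhclient code): the two dhclient messages quoted above come from length sanity checks on each received datagram. This Python builds a constructed IPv4/UDP frame whose IP total length is 328 but which arrives with 4 extra trailing bytes, exactly the 328/332 pair from the log, and applies equivalent checks to show what each message means and which cases should be rejected outright rather than accepted with a warning.

```python
"""Length checks on a received IPv4/UDP datagram, in the spirit of dhclient's warnings."""
import struct

IP_HDR_FMT = "!BBHHHBBH4s4s"   # ver/ihl, tos, total length, id, flags/frag, ttl, proto, csum, src, dst
UDP_HDR_FMT = "!HHHH"          # sport, dport, udp length, udp checksum


def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum; returns 0 when run over a header with a valid checksum."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp_packet(payload: bytes, trailer: bytes = b"") -> bytes:
    """Construct a broadcast IPv4/UDP datagram on the DHCP ports with correct lengths, then append
    `trailer`: bytes that lie outside the IP total length, which is how 328 becomes 332 on the wire."""
    udp_len = 8 + len(payload)
    total_len = 20 + udp_len
    hdr = struct.pack(IP_HDR_FMT, 0x45, 0, total_len, 0, 0, 64, 17, 0,
                      bytes([0, 0, 0, 0]), bytes([255, 255, 255, 255]))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    udp = struct.pack(UDP_HDR_FMT, 68, 67, udp_len, 0)  # UDP checksum 0 = not computed
    return hdr + udp + payload + trailer


def check_datagram(buf: bytes) -> dict:
    """Apply the length checks and report findings instead of logging them.

    A declared length larger than what arrived (truncation), a bad header checksum or a UDP
    length that does not fit inside the IP length is rejected; extra bytes after the UDP
    payload are tolerated with a warning, which is what the two log messages describe."""
    findings = {"ip_length": None, "bytes_received": len(buf), "messages": [], "accept": False}
    if len(buf) < 20:
        findings["messages"].append("dropping packet shorter than an IPv4 header")
        return findings
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, _src, _dst = \
        struct.unpack(IP_HDR_FMT, buf[:20])
    ihl = (ver_ihl & 0x0F) * 4
    findings["ip_length"] = total_len
    if ver_ihl >> 4 != 4 or ihl < 20 or proto != 17 or len(buf) < ihl + 8:
        findings["messages"].append("dropping packet: not IPv4/UDP or header truncated")
        return findings
    if ip_checksum(buf[:ihl]) != 0:
        findings["messages"].append("dropping packet with bad ip header checksum")
        return findings
    if total_len != len(buf):
        findings["messages"].append(
            f"ip length {total_len} disagrees with bytes received {len(buf)}.")
    if len(buf) < total_len:
        # Less arrived than the header promises: the payload cannot be parsed safely.
        findings["messages"].append("dropping truncated packet")
        return findings
    _sport, _dport, udp_len, _ucsum = struct.unpack(UDP_HDR_FMT, buf[ihl:ihl + 8])
    if udp_len < 8 or ihl + udp_len > total_len:
        findings["messages"].append("dropping packet: udp length inconsistent with ip length")
        return findings
    if ihl + udp_len < len(buf):
        findings["messages"].append("accepting packet with data after udp payload.")
    findings["trailing_bytes"] = len(buf) - (ihl + udp_len)
    findings["payload"] = buf[ihl + 8:ihl + udp_len]
    findings["accept"] = True
    return findings


if __name__ == "__main__":
    # Constructed: a 300-byte DHCP-sized payload gives IP length 328; 4 trailer bytes make 332.
    frame = build_udp_packet(bytes(300), trailer=bytes(4))
    for msg in check_datagram(frame)["messages"]:
        print(msg)
```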
[leaf-user] Unable to Route
Charles,

I'm hoping you have a quick answer on this one. I'm running DCD 1.02. I had the system up and running with two VPNs happily passing data, and then the thunderstorm came. Don't think it was the culprit, but on reboot etc.lrp was unreadable. Even though I keep telling people to back up their config floppies, I didn't get a roundtuit for this one. So I rebuilt the network.conf, and other etc files. And rebooted.

Now the firewall works just fine. The VPN gets established, but when the updown script runs Pluto reports that it is unable to route. The firewall rules look OK. Everything looks fine, but there is something I am missing and it's driving me nuts. I even tried an ipsec auto --route with the same results: unable to route.

Is there something simple and obvious that I'm missing here? I just thought I'd ask before I got to the trouble of rebuilding everything from scratch. I've built a dozen leafs now and never hit this issue.

Best Regards,
Roger
Re: [leaf-user] Unable to Route
> I'm hoping you have a quick answer on this one. I'm running DCD 1.02. I had the system up and running with two VPNs happily passing data, and then the thunderstorm came. Don't think it was the culprit, but on reboot etc.lrp was unreadable. Even though I keep telling people to back up their config floppies, I didn't get a roundtuit for this one. So I rebuilt the network.conf, and other etc files. And rebooted.
>
> Now the firewall works just fine. The VPN gets established, but when the updown script runs Pluto reports that it is unable to route. The firewall rules look OK. Everything looks fine, but there is something I am missing and it's driving me nuts. I even tried an ipsec auto --route with the same results: unable to route.
>
> Is there something simple and obvious that I'm missing here? I just thought I'd ask before I got to the trouble of rebuilding everything from scratch. I've built a dozen leafs now and never hit this issue.

I've not seen this error, so I don't know if I can help much. About the only thing I can think of is to make sure you've loaded the ifconfig/route binaries (ifconfig.lrp), since the FreeS/WAN scripts use these instead of the ip command. Maybe your lrpkg.cfg file on the floppy got hosed along with etc.lrp?

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
Re: [leaf-user] Nessus scan of Dachstein Firewall
I'm actually working on an updated cd. I have added/updated ipmail.lrp, udhcp.lrp, sshkey.lrp, sshd.lrp, sshd.lrp, sftp.lrp, and my libz.lrp was updated previously. Any other packages I should update/add? How about recent script changes? I'd be willing to update those as well if needed.

Sean

> Good info...thanks for sharing the results.
>
> I'm not too surprised by the web server crash. It was never really setup to handle tons of inbound requests. In fact, there's a feature of inetd (which launches weblet). If you receive too many inbound connection requests in a short period of time, inetd assumes there's something wrong and stops receiving connections for 10 minutes. That or running out of memory (easy to do on a system w/o lots of RAM with a scanner firing off tons of simultaneous requests) is probably the culprit.
>
> The main thing to note is the currently dated ssh shipping with Dachstein-CD. Anyone want to volunteer to make an update CD? I just don't have the time :
>
> Charles Steinkuehler
> http://lrp.steinkuehler.net
> http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
Re: [leaf-user] Dachstein-CD update
I'm actually working on an updated cd. I have added/updated ipmail.lrp, udhcp.lrp, sshkey.lrp, sshd.lrp, sshd.lrp, sftp.lrp, and my libz.lrp was updated previously. Any other packages I should update/add? How about recent script changes? I'd be willing to update those as well if needed.

The current todo list includes the following:

-- TODO --
Support multiple mount points in space-check multicron script
Fix ping check e-mail functionality
Fix package not found bug in /linuxrc
Fix updatetime() in /etc/multicron-p
Fix mount.back dev = POSIXness bug
x Add example lrpkg.cfg to CD Contents
x Add example pkgpath.cfg to CD Contents
Alter weblet disk-checking script to ignore CD-ROM (always 100% full)
?Use busybox to build links instead of root.bb.links
mac addy command in /etc/modules
fix extra IP problem when using new net segment.
Add 192.0.2.0/24 to stopMartians
Support unblocking of private IP ranges

Package updates:
libz
x snmp
ssh* (add sftp)

New packages:
x keyboard.lrp
x ez-ipupd.lrp
ntpclient - name too long!
psentry

Update binaries:
?new busybox
end

Some of the script stuff would be nice to address, but it's probably more important to get a version released with updated/secure binaries for snmp, ssh, and libz. I can try and tackle a couple of the scripting jobs, but no guarantees for how much I'll be able to get to...that means now would be a good time for everyone to scream really loudly for their most desired new features/bug-fixes. Flattery and/or bribery probably wouldn't hurt, either :-)

NOTE: I have a new busybox compiled with ash built-in. The new busybox fixes a few bugs and adds some new features, while compiling ash in saves quite a bit of space. I can make this available (or re-compile with different options) if desired, but if ash gets included in busybox, it will need to be heavily tested prior to a full release.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
Re: [leaf-user] Dachstein-CD update
On Thu, 13 Jun 2002, Charles Steinkuehler wrote:

I'm actually working on an updated cd. I have added/updated ipmail.lrp, udhcp.lrp, sshkey.lrp, sshd.lrp, sshd.lrp, sftp.lrp, and my libz.lrp was updated previously. Any other packages I should update/add? How about recent script changes? I'd be willing to update those as well if needed.

The current todo list includes the following:

-- TODO --
Support multiple mount points in space-check multicron script
Fix ping check e-mail functionality
Fix package not found bug in /linuxrc
Fix updatetime() in /etc/multicron-p
Fix mount.back dev = POSIXness bug
x Add example lrpkg.cfg to CD Contents
x Add example pkgpath.cfg to CD Contents
Alter weblet disk-checking script to ignore CD-ROM (always 100% full)
?Use busybox to build links instead of root.bb.links
mac addy command in /etc/modules
fix extra IP problem when using new net segment.
Add 192.0.2.0/24 to stopMartians
Support unblocking of private IP ranges

Package updates:
libz
x snmp
ssh* (add sftp)

New packages:
x keyboard.lrp
x ez-ipupd.lrp
ntpclient - name too long!
psentry

Update binaries:
?new busybox
end

The only request I'd add is to update ipsec and ipsec509 to FreeS/WAN 1.97. I'd volunteer to compile them, but my RH 5.2 machine blew its HD about 48 hours after I installed it, so I'm without a compatible compile environment. If it would gar-run-tee an update, I could throw a new drive in a couple of days.

Thanks,
Corey Betka
Re: [leaf-user] Dachstein-CD update
The only request I'd add is to update ipsec and ipsec509 to FreeS/WAN 1.97. I'd volunteer to compile them, but my RH 5.2 machine blew its HD about 48 hours after I installed it, so I'm without a compatible compile environment. If it would gar-run-tee an update, I could throw a new drive in a couple of days.

Compiling FreeS/WAN is the easy part. It's modifying the convoluted startup scripts to work with the limited environment available on LEAF that takes a lot of time (see the ipsec page on my website for notes on what I changed for 1.91). Plus, upgrading IPSec would require re-compiling all the IPSec enabled kernels.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
Re: [leaf-user] Dachstein-CD update
I already have psentry.lrp on my CD! Where are the latest .lrp for the other packages? I get lost easily on sourceforge. I'd be glad to add those other packages.

Jacques Nilo:
libz
ssh* (add sftp)
keyboard.lrp
ez-ipupd.lrp

Michael D. Schelif:
ntpclnt (ntpclient)
net-snmp (updated snmp...3 LRP's)

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
Re: [leaf-user] Dachstein-CD update
Got them! I'll wait until later tonight before making the ISO in case anyone else has something to add. Where should I upload the ISO to?

I already have psentry.lrp on my CD! Where are the latest .lrp for the other packages? I get lost easily on sourceforge. I'd be glad to add those other packages.

Jacques Nilo:
libz
ssh* (add sftp)
keyboard.lrp
ez-ipupd.lrp

Michael D. Schelif:
ntpclnt (ntpclient)
net-snmp (updated snmp...3 LRP's)

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
Re: [leaf-user] Dachstein-CD update
On Thu, 13 Jun 2002, Charles Steinkuehler wrote:

I'm actually working on an updated cd. I have added/updated ipmail.lrp, udhcp.lrp, sshkey.lrp, sshd.lrp, sshd.lrp, sftp.lrp, and my libz.lrp was updated previously. Any other packages I should update/add? How about recent script changes? I'd be willing to update those as well if needed.

The current todo list includes the following:

-- TODO --
Support multiple mount points in space-check multicron script
Fix ping check e-mail functionality
Fix package not found bug in /linuxrc
Fix updatetime() in /etc/multicron-p
Fix mount.back dev = POSIXness bug
x Add example lrpkg.cfg to CD Contents

Extremely easy usability fix for /usr/sbin/lrpkg: http://www.geocrawler.com/lists/3/SourceForge/7325/175/8861202/

[...]

---
Jeff Newmiller
DCN: [EMAIL PROTECTED]
Research Engineer (Solar/Batteries/Software/Embedded Controllers)
---
[leaf-user] How do I set up static routes with Oxygen? - Now Bering
Just to document my findings: In (lack of) response to my earlier post on specifying static-routes with Oxygen, http://www.rslomkow.org/Pretender/scripts/static_route.html has a script that looks like it might be useful. I'll be trying this on a Bering router.
Re: [leaf-user] Dachstein-CD update
Extremely easy usability fix for /usr/sbin/lrpkg: http://www.geocrawler.com/lists/3/SourceForge/7325/175/8861202/

Yeah, this should be added if you feel up to re-packaging root.lrp. Note that the problem only occurs on MSDOS filesystems (where package.lrp.lrp is the same file as package.lrp). You get a file not found error on a real filesystem (like the cd-rom).

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
[leaf-user] wireless dlink pci dwl520 problem
Hi all,

I bought 3 dlink wireless adapters to make my internal network wireless, but with only partial success. I am using bering by the way. My progress so far: I loaded the hostap_pci.o module from Jacques, and modified shorewall to use wlan0 as internal device over eth1. The wlan adapter is coming up and is getting a static ip. I also loaded the wireless tools, which complain that they are version 13 and the driver was compiled for 12, but things seem to work. I tried to switch the network to ad hoc mode but there things start to go wrong.

Anyone using these dlink cards with bering have any pointers? Or just some pointers for wireless in general might help.

Thanks a million in advance
Kim
[leaf-user] Using Extended Scripts with DachStein
Hi,

I'm currently using the Eiger Firewall Extended scripts that Charles created for the Eiger version. I would like to consider updating to DachStein CD due to better reliability/security gained from the CD-ROM. I believe my Hard Drive is on its last leg. Can I use the Extended Scripts that Charles wrote to handle DMZ etc.?

Again, many thanks to Charles for providing such a wonderful piece of software...
Re: [leaf-user] Using Extended Scripts with DachStein
I'm currently using the Eiger Firewall Extended scripts that Charles created for the Eiger version. I would like to consider updating to DachStein CD due to better reliability/security gained from the CD-ROM. I believe my Hard Drive is on its last leg. Can I use the Extended Scripts that Charles wrote to handle DMZ etc.? Again, many thanks to Charles for providing such a wonderful piece of software...

The extended script functionality (and then some!) is built into Dachstein already. I suggest you hand-merge your existing network.conf variables into the Dachstein network.conf...there are several more place-holders and inline comments in the Dachstein scripts that are missing in your extended-script version of Eigerstein.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
RE: [leaf-user] Dachstein-CD update
I can do that I guess. Give me an excuse to get my hands dirty in Linux. Wasn't there some fixes for the mailing scripts? I thought that was a minor fix that might stop some major headaches. Can't seem to find it though.

Sean

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Charles Steinkuehler
Sent: Thursday, June 13, 2002 4:43 PM
To: [EMAIL PROTECTED]
Subject: Re: [leaf-user] Dachstein-CD update

Extremely easy usability fix for /usr/sbin/lrpkg: http://www.geocrawler.com/lists/3/SourceForge/7325/175/8861202/

Yeah, this should be added if you feel up to re-packaging root.lrp. Note that the problem only occurs on MSDOS filesystems (where package.lrp.lrp is the same file as package.lrp). You get a file not found error on a real filesystem (like the cd-rom).

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
RE: [leaf-user] Dachstein-CD update
I have added all the new packages as requested so far and included bind-8 as well (someone asked for it a long time ago in leaf-user). I added the two sample .cfg files. I updated the ssh* lrps. I updated the changes.txt and am in the process of updating the README.txt. I removed the old ssh1 packages. I'll make the script update over the weekend. Monday night I'll stop taking new orders and Tuesday night you should have a shiny new Dachstein-CD. Shall I call it v1.0.3?

Sean

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Charles Steinkuehler
Sent: Thursday, June 13, 2002 4:43 PM
To: [EMAIL PROTECTED]
Subject: Re: [leaf-user] Dachstein-CD update

Extremely easy usability fix for /usr/sbin/lrpkg: http://www.geocrawler.com/lists/3/SourceForge/7325/175/8861202/

Yeah, this should be added if you feel up to re-packaging root.lrp. Note that the problem only occurs on MSDOS filesystems (where package.lrp.lrp is the same file as package.lrp). You get a file not found error on a real filesystem (like the cd-rom).

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
[leaf-user] Blocking established connections from external port 53's
I am having trouble with these established connections showing up in my viewmasq log to the point where no one on the homenetwork can connect to the Internet. The problem seemed to go away after AT$T assigned new IP's for everyone in the neighborhood, but just today it reared its ugly head again. I have asked for help before from the list here, but nobody replied to my posts. Please tell me at least is it something I am being ignorant about and not researching the problem enough myself before posting here? Or is it that nobody here knows what to do about it?

It seems there should be a way to modify network.conf (Dachstein CD V1.02) to not allow any external connections from any IP using port 53 - is there something in network.conf that would work? I have looked thru network.conf but do not see anything that might help block external connections to eth0.

Here is a small portion of my Current connections as reported in viewmasq:

Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.254:80        192.168.1.2:33449       ESTABLISHED
tcp        0      0 192.168.1.254:80        192.168.1.2:33447       TIME_WAIT
tcp        0      0 192.168.1.254:80        192.168.1.2:33446       TIME_WAIT
tcp        0      0 192.168.1.254:80        192.168.1.2:33444       TIME_WAIT
udp        0      0 24.118.176.137:52220    192.203.230.10:53       ESTABLISHED
udp        0      0 24.118.176.137:43084    128.8.10.90:53          ESTABLISHED
udp        0      0 24.118.176.137:21690    128.63.2.53:53          ESTABLISHED
udp        0      0 24.118.176.137:34665    128.8.10.90:53          ESTABLISHED
udp        0      0 24.118.176.137:30698    192.33.4.12:53          ESTABLISHED
udp        0      0 24.118.176.137:31418    198.32.64.12:53         ESTABLISHED
udp        0      0 24.118.176.137:40885    198.41.0.4:53           ESTABLISHED
udp        0      0 24.118.176.137:22397    198.41.0.10:53          ESTABLISHED
udp        0      0 24.118.176.137:48569    192.36.148.17:53        ESTABLISHED
udp        0      0 24.118.176.137:18114    193.0.14.129:53         ESTABLISHED
udp        0      0 24.118.176.137:39686    128.63.2.53:53          ESTABLISHED
udp        0      0 24.118.176.137:53853    128.8.10.90:53          ESTABLISHED
udp        0      0 24.118.176.137:55249    198.41.0.10:53          ESTABLISHED
udp        0      0 24.118.176.137:35631    198.32.64.12:53         ESTABLISHED
udp        0      0 24.118.176.137:24105    202.12.27.33:53         ESTABLISHED
udp        0      0 24.118.176.137:13567    193.0.14.129:53         ESTABLISHED
udp        0      0 24.118.176.137:19059    192.5.5.241:53          ESTABLISHED
udp        0      0 24.118.176.137:13893    193.0.14.129:53         ESTABLISHED

Notice the Foreign Address column... How can I block those xxx.xxx.xxx.xxx:53 using Dachstein?

Thanks for any help and/or replies - I am pulling my hair out over this, what hair I have left!
Re: [leaf-user] Blocking established connections from external port 53's
On Thursday 13 June 2002 22:34, Steve Jeppesen wrote:

It seems there should be a way to modify network.conf (Dachstein CD V1.02) to not allow any external connections from any IP using port 53 - is there something in network.conf that would work? I have looked thru network.conf but do not see anything that might help block external connections to eth0.

By default Dachstein has:

## UDP Services open to outside world
# Space seperated list: srcip/mask_dstport
# NOTE: bootpc port is used for dhcp client
EXTERN_UDP_PORTS=0/0_domain 0/0_bootpc

Remove the 0/0_domain entry, but leave the 0/0_bootpc if you are using DHCP to connect to your ISP.

I have had this problem once or twice: other DNS servers are trying to connect to your DNS server on the router (dnscache, tinydns, bind, whatever). I've never had it choke out a router, but dropping the open port will stop them.

I hope this helps,
--
~Lynn Avants aka Guitarlynn
guitarlynn at users.sourceforge.net
http://leaf.sourceforge.net
If linux isn't the answer, you've probably got the wrong question!
Re: [leaf-user] Using LEAF just for IPSEC?
On Thursday 13 June 2002 16:24, Allan Crooks wrote:

Now I want to setup a LEAF box that would act as a router, but for certain traffic (going to a particular IP address), it would use IPSEC. But I need it to forward all traffic to the router (which is the main gateway). So essentially, I just have one ethernet card in my proposed LEAF box... is this doable?

I doubt it. Basically what you want is a VPN gateway w/o firewalling if I am understanding this right. The documentation for Duckling suggests this setup (hey, no VPN service running on the firewall... should be safer :0), and basically what you do is drop the firewall and simply setup a simple router with IPSec tunneling setup on it. The option to choose in the filter section of /etc/network.conf will be none, and you will also need to drop the ipspoofing and martian filtering while you're in there. The result is a router that runs the IPSec tunnel and forwards all other traffic thru to the DSL router w/o any filtering at all.

The link to the DUCKLING article is at: http://linuxjournal.com/article.php?sid=4772

I hope this helps,
--
~Lynn Avants aka Guitarlynn
guitarlynn at users.sourceforge.net
http://leaf.sourceforge.net
If linux isn't the answer, you've probably got the wrong question!
Re: [leaf-user] Blocking established connections from external port 53's
Steve Jeppesen wrote:

[ snip ]

Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.254:80        192.168.1.2:33449       ESTABLISHED
tcp        0      0 192.168.1.254:80        192.168.1.2:33447       TIME_WAIT
tcp        0      0 192.168.1.254:80        192.168.1.2:33446       TIME_WAIT
tcp        0      0 192.168.1.254:80        192.168.1.2:33444       TIME_WAIT
udp        0      0 24.118.176.137:52220    192.203.230.10:53       ESTABLISHED
udp        0      0 24.118.176.137:43084    128.8.10.90:53          ESTABLISHED
udp        0      0 24.118.176.137:21690    128.63.2.53:53          ESTABLISHED
udp        0      0 24.118.176.137:34665    128.8.10.90:53          ESTABLISHED
udp        0      0 24.118.176.137:30698    192.33.4.12:53          ESTABLISHED
udp        0      0 24.118.176.137:31418    198.32.64.12:53         ESTABLISHED
udp        0      0 24.118.176.137:40885    198.41.0.4:53           ESTABLISHED
udp        0      0 24.118.176.137:22397    198.41.0.10:53          ESTABLISHED
udp        0      0 24.118.176.137:48569    192.36.148.17:53        ESTABLISHED
udp        0      0 24.118.176.137:18114    193.0.14.129:53         ESTABLISHED
udp        0      0 24.118.176.137:39686    128.63.2.53:53          ESTABLISHED
udp        0      0 24.118.176.137:53853    128.8.10.90:53          ESTABLISHED
udp        0      0 24.118.176.137:55249    198.41.0.10:53          ESTABLISHED
udp        0      0 24.118.176.137:35631    198.32.64.12:53         ESTABLISHED
udp        0      0 24.118.176.137:24105    202.12.27.33:53         ESTABLISHED
udp        0      0 24.118.176.137:13567    193.0.14.129:53         ESTABLISHED
udp        0      0 24.118.176.137:19059    192.5.5.241:53          ESTABLISHED
udp        0      0 24.118.176.137:13893    193.0.14.129:53         ESTABLISHED

[ snip ]

Let's slow down and look at this carefully. I assume that 24.118.176.137 is your external address -- right? Your external address is connecting to those foreign addresses on udp port 53. udp port 53 is domain, aka dns.

Interestingly enough, these are the root dns servers:

128.8.10.90
128.63.2.53
128.9.0.107
192.5.5.241
192.33.4.12
192.36.148.17
192.112.36.4
192.203.230.10
193.0.14.129
198.32.64.12
198.41.0.4
198.41.0.10
202.12.27.33

These are those you listed, sorted and without duplicates:

128.8.10.90
128.63.2.53
192.5.5.241
192.33.4.12
192.36.148.17
192.203.230.10
193.0.14.129
198.32.64.12
198.41.0.4
198.41.0.10
202.12.27.33

Now, if you were using only attbi's dns servers that they assigned to you, there is no reason that your system would be contacting them for dns. Therefore, it is reasonable to assume that your system is mis-configured for dns. Are you using dnscache? tinydns? bind?

The fact that you say that these connections are only a subset of an overwhelming number of identical connections indicates a serious configuration problem on your gateway box. Do you know _why_ your system might be contacting these root domain servers? What do you think?

--
Best Regards,
mds
mds resource
888.250.3987
Dare to fix things before they break . . .
Our capacity for understanding is inversely proportional to how much we think we know. The more I know, the more I know I don't know . . .
Re: [leaf-user] Blocking established connections from external port 53's
The basic question you need to answer for us is: how is your system doing DNS? Are you running your own DNS server on the router and using it to do DNS directly (i.e., starting at the root servers and working down)? Are you running a DNS server that uses your ISP's DNS server(s) as forwarder(s)? Are the clients on your LAN using the ISP's DNS servers directly? Something else?

As a general matter, if you want to be able to access the Internet using FQNs (and not just IP addresses directly, something nobody does), you need to allow *some* UDP traffic from port 53 in. Otherwise, off-LAN DNS servers will be unable to respond to the queries you send them ... and while I don't know from what you sent *how* you do (off-site) DNS queries, you must be doing them *somehow*.

It would not surprise me if the current connections you list below were incomplete DNS queries. If so, the reason no one on the homenetwork can connect to the Internet may be that you have an undiagnosed DNS problem, so URLs (or FQNs for whatever services you mean by connect) do not resolve. The mere existence of open connections should not prevent LAN users from accessing the Internet (at least not in the quantities you report ... you are in no danger of running out of ports).

You might want to report with a more descriptive trouble report. The SR FAQ link below will help you do so, if you care to try this approach. (I don't recall your prior postings, but if you really got no responses, it may be that they were too vague to elicit anything useful. There are enough of us regulars, with a wide range of expertises and temperaments, that it is rare that no one responds to a query.)

At 10:34 PM 6/13/02 -0500, Steve Jeppesen wrote:

I am having trouble with these established connections showing up in my viewmasq log to the point where no one on the homenetwork can connect to the Internet. The problem seemed to go away after AT$T assigned new IP's for everyone in the neighborhood, but just today it reared its ugly head again. I have asked for help before from the list here, but nobody replied to my posts. Please tell me at least is it something I am being ignorant about and not researching the problem enough myself before posting here? Or is it that nobody here knows what to do about it?

It seems there should be a way to modify network.conf (Dachstein CD V1.02) to not allow any external connections from any IP using port 53 - is there something in network.conf that would work? I have looked thru network.conf but do not see anything that might help block external connections to eth0.

Here is a small portion of my Current connections as reported in viewmasq:

Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.254:80        192.168.1.2:33449       ESTABLISHED
tcp        0      0 192.168.1.254:80        192.168.1.2:33447       TIME_WAIT
tcp        0      0 192.168.1.254:80        192.168.1.2:33446       TIME_WAIT
tcp        0      0 192.168.1.254:80        192.168.1.2:33444       TIME_WAIT
udp        0      0 24.118.176.137:52220    192.203.230.10:53       ESTABLISHED
udp        0      0 24.118.176.137:43084    128.8.10.90:53          ESTABLISHED
udp        0      0 24.118.176.137:21690    128.63.2.53:53          ESTABLISHED
udp        0      0 24.118.176.137:34665    128.8.10.90:53          ESTABLISHED
udp        0      0 24.118.176.137:30698    192.33.4.12:53          ESTABLISHED
udp        0      0 24.118.176.137:31418    198.32.64.12:53         ESTABLISHED
udp        0      0 24.118.176.137:40885    198.41.0.4:53           ESTABLISHED
udp        0      0 24.118.176.137:22397    198.41.0.10:53          ESTABLISHED
udp        0      0 24.118.176.137:48569    192.36.148.17:53        ESTABLISHED
udp        0      0 24.118.176.137:18114    193.0.14.129:53         ESTABLISHED
udp        0      0 24.118.176.137:39686    128.63.2.53:53          ESTABLISHED
udp        0      0 24.118.176.137:53853    128.8.10.90:53          ESTABLISHED
udp        0      0 24.118.176.137:55249    198.41.0.10:53          ESTABLISHED
udp        0      0 24.118.176.137:35631    198.32.64.12:53         ESTABLISHED
udp        0      0 24.118.176.137:24105    202.12.27.33:53         ESTABLISHED
udp        0      0 24.118.176.137:13567    193.0.14.129:53         ESTABLISHED
udp        0      0 24.118.176.137:19059    192.5.5.241:53          ESTABLISHED
udp        0      0 24.118.176.137:13893    193.0.14.129:53         ESTABLISHED

Notice the Foreign Address column... How can I block those xxx.xxx.xxx.xxx:53 using Dachstein?

Thanks for any help and/or replies - I am pulling my hair out over this, what hair I have left!

--
-- Never tell me the odds! -- Han Solo
Ray Olszewski, Palo Alto, California, USA
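The two replies above make the same diagnosis from different sides: mds spots that the foreign addresses are the root name servers, and Ray points out that the direction matters, since replies from port 53 must be let in for any resolver to work. The script below is an added example, not code from the thread or from the Dachstein scripts; it parses viewmasq/netstat-style lines, sorts the UDP port 53 entries into router-originated and inbound by which side holds port 53, and checks the peers against the root server list mds quoted. The sample lines, the 192.0.2.53 stand-in for an ISP resolver and the 203.0.113.9 outside querier are constructed for the example.

```python
"""Sort the UDP port 53 entries of a viewmasq/netstat dump by direction and
check the peers against the root-server list quoted in the thread.

Added example; not code from the LEAF/Dachstein project.
"""
import ipaddress
import re
from typing import Dict, List

# Root server addresses exactly as listed in mds's reply (2002-era table;
# the live list is the root hints file and has changed since then).
ROOT_SERVERS_2002 = frozenset({
    "128.8.10.90", "128.63.2.53", "128.9.0.107", "192.5.5.241",
    "192.33.4.12", "192.36.148.17", "192.112.36.4", "192.203.230.10",
    "193.0.14.129", "198.32.64.12", "198.41.0.4", "198.41.0.10",
    "202.12.27.33",
})

# One netstat line: proto, queues, local addr:port, foreign addr:port.
# The quoted post had the address columns run together; this regex expects
# them separated by whitespace, as netstat actually prints them.
NETSTAT_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+\d+\s+\d+\s+"
    r"(?P<laddr>\d+(?:\.\d+){3}):(?P<lport>\d+)\s+"
    r"(?P<faddr>\d+(?:\.\d+){3}):(?P<fport>\d+)"
)

FINDING_ROOT_ITERATION = "router resolver is iterating from the root servers"
FINDING_FORWARDING = "router is querying non-root resolvers"
FINDING_INBOUND = "outside hosts are querying port 53 on the router"

# Constructed sample in the style of the viewmasq output from the thread:
# some of the original root-server entries, plus one query to an ISP-style
# resolver (192.0.2.53) and one inbound query from outside (203.0.113.9).
SAMPLE = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.254:80        192.168.1.2:33449       ESTABLISHED
tcp        0      0 192.168.1.254:80        192.168.1.2:33447       TIME_WAIT
udp        0      0 24.118.176.137:52220    192.203.230.10:53       ESTABLISHED
udp        0      0 24.118.176.137:43084    128.8.10.90:53          ESTABLISHED
udp        0      0 24.118.176.137:21690    128.63.2.53:53          ESTABLISHED
udp        0      0 24.118.176.137:30698    192.33.4.12:53          ESTABLISHED
udp        0      0 24.118.176.137:40885    198.41.0.4:53           ESTABLISHED
udp        0      0 24.118.176.137:48569    192.36.148.17:53        ESTABLISHED
udp        0      0 24.118.176.137:19059    192.5.5.241:53          ESTABLISHED
udp        0      0 24.118.176.137:24105    202.12.27.33:53         ESTABLISHED
udp        0      0 24.118.176.137:39686    128.63.2.53:53          ESTABLISHED
udp        0      0 24.118.176.137:54321    192.0.2.53:53           ESTABLISHED
udp        0      0 24.118.176.137:53       203.0.113.9:41234       ESTABLISHED
"""


def analyze(netstat_text: str, external_ip: str) -> Dict[str, object]:
    """Classify UDP sockets bound to external_ip by which side holds port 53.

    ESTABLISHED on a UDP line only means the kernel has a peer recorded for
    that socket or masq entry; UDP has no handshake, so the direction is
    inferred from which end uses port 53 and which uses an ephemeral port.
    """
    outbound: List[str] = []  # peers the router itself sent queries to
    inbound: List[str] = []   # outside hosts that sent queries to the router
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m or m["proto"] != "udp" or m["laddr"] != external_ip:
            continue  # header, TCP (weblet), or LAN-side sockets
        if m["lport"] != "53" and m["fport"] == "53":
            outbound.append(m["faddr"])  # ephemeral local port: we asked them
        elif m["lport"] == "53":
            inbound.append(m["faddr"])   # they hit the router's resolver
    # Deduplicate and sort numerically, as mds did by hand in the reply.
    roots = sorted({a for a in outbound if a in ROOT_SERVERS_2002},
                   key=ipaddress.ip_address)
    others = sorted({a for a in outbound if a not in ROOT_SERVERS_2002},
                    key=ipaddress.ip_address)
    findings: List[str] = []
    if roots:
        findings.append(FINDING_ROOT_ITERATION)  # resolver with no forwarders
    if others:
        findings.append(FINDING_FORWARDING)
    if inbound:
        findings.append(FINDING_INBOUND)  # what dropping 0/0_domain stops
    return {
        "outbound_dns": len(outbound),
        "inbound_dns": len(inbound),
        "root_server_targets": roots,
        "other_dns_targets": others,
        "inbound_sources": sorted(set(inbound), key=ipaddress.ip_address),
        "findings": findings,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE, "24.118.176.137")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Only the inbound category is affected by removing 0/0_domain from EXTERN_UDP_PORTS; the outbound entries are the router's own resolver at work and go away only by pointing it at the ISP's resolvers or by reconfiguring whichever of dnscache, tinydns or bind is running.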
[leaf-user] Re: Using LEAF just for IPSEC?
| Message: 4
| From: Allan Crooks [EMAIL PROTECTED]
| To: [EMAIL PROTECTED]
| Date: Thu, 13 Jun 2002 22:24:00 +0100
| Subject: [leaf-user] Using LEAF just for IPSEC?
|
| Hi,
|
| I've got a quick question about using LEAF (and any of its
| distributions).
|
| I've currently got an ADSL router, which performs NAT and
| firewalling for me. I have a machine that needs to connect to a VPN
| using IPSEC. Now, all the documents talk about the LEAF box
| using either 2 network cards or being connected to a network and a
| particular connection device.
|
| Now I want to setup a LEAF box that would act as a router, but for
| certain traffic (going to a particular IP address), it would use
| IPSEC. But I need it to forward all traffic to the router (which is the
| main gateway).
|
| So essentially, I just have one ethernet card in my proposed LEAF
| box... is this doable?
|
| Thanks,
| Allan.

I'm not sure why you would want to do this... First problem, it looks to me like you plan to have the IPSec gateway inside your LAN, *behind* the NAT gateway. With the way FreeS/WAN works right now, you will have big problems. Simply, IPSec doesn't like traversing a NAT box.

You mention that you want certain traffic to be encrypted. This happens transparently with the LEAF box. Traffic headed to the IP or subnet it's configured for will be encrypted before dumping to the WAN port. The remaining traffic just gets dumped as per normal, without encryption.

I think you'd be better off putting the LEAF box into the position of the ADSL router. Let the LEAF box masquerade your LAN, port forward, whatever you need. Use the ADSL router as a hub if it has more than 1 port on the LAN side. Unless I'm missing some detail here, the LEAF box will do everything the router will, and more.

Brock