Re: [leaf-user] traceroute through Bering firewall

2002-07-30 Thread Dan Harkless


Kim Oppalfens <[EMAIL PROTECTED]> writes:
>
> Microsoft traceroute uses icmp whereas unix traceroute tends to use udp
> ports in the range above 33000.

Huh.  That's wild.  I didn't know UDP was useful for such things.  I'd've
thought there'd have to be like a tracerouted listening to some UDP
port(s) for it to work that way, whereas I thought the TCP/IP stack was
responsible for responding to certain ICMP messages, and that ICMP's whole
reason for being was things like ping and traceroute (and lower-level
equivalents).

> I am not sure on the exact range used but 33434-33463 probably is correct.
>
> So if the problem is reproducible by tracerouting from a win2k station
> it is icmp related and not udp related.

I see.  That explains why Russ Price and I were seeing different behavior
than Tom Eastep.  Presumably the solution, then, would be to open up some
icmp stuff in Shorewall, though I wouldn't hazard to guess what.

Personally it doesn't really bother me that the first hop of traceroute
always gets * * *, now that I know it's to be expected.  (If the required
Shorewall rule to fix it were easy, however, I'd probably go ahead and do
so.)

--
Dan Harkless
[EMAIL PROTECTED]
http://harkless.org/dan/


---
This sf.net email is sponsored by: Dice - The leading online job board
for high-tech professionals. Search and apply for tech jobs today!
http://seeker.dice.com/seeker.epl?rel_code=31

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html



Re: [leaf-user] traceroute through Bering firewall

2002-07-30 Thread kimoppalfens

 

> > Microsoft traceroute uses icmp whereas unix traceroute tends to use udp
> > ports in the range above 33000.
>
> Huh.  That's wild.  I didn't know UDP was useful for such things.  I'd've
> thought there'd have to be like a tracerouted listening to some UDP
> port(s) for it to work that way, whereas I thought the TCP/IP stack was
> responsible for responding to certain ICMP messages, and that ICMP's whole
> reason for being was things like ping and traceroute (and lower-level
> equivalents).

The unix traceroute is based on the fact that you will respond with
a package stating that nothing is listening on that port. That is
normal behaviour if you don't have a firewall DROPping the package.
A reject rule might make a unix traceroute already happy (not sure though).

As to making the traceroute from microsoft work, I am pretty sure it
involves some icmp rule being added, not sure what though. But default
bering only allows icmp type 8 in which is the echo request icmp
packet. Just testing by allowing all icmp in should confirm my suspicion
that it is an icmp related issue. Close it up afterwards again.

I will try and network monitor a microsoft traceroute and come back with
a better filtered solution.

Kim Oppalfens

> > I am not sure on the exact range used but 33434-33463 probably is correct.
> >
> > So if the problem is reproducible by tracerouting from a win2k station
> > it is icmp related and not udp related.
>
> I see.  That explains why Russ Price and I were seeing different behavior
> than Tom Eastep.  Presumably the solution, then, would be to open up some
> icmp stuff in Shorewall, though I wouldn't hazard to guess what.
>
> Personally it doesn't really bother me that the first hop of traceroute
> always gets * * *, now that I know it's to be expected.  (If the required
> Shorewall rule to fix it were easy, however, I'd probably go ahead and do
> so.)
>
> --
> Dan Harkless
> [EMAIL PROTECTED]
> http://harkless.org/dan/








Re: [leaf-user] Where is the lrpkg.cfg file?

2002-07-30 Thread Dan Harkless


Brad Fritz <[EMAIL PROTECTED]> writes:
>
> On Mon, 29 Jul 2002 11:01:52 PDT you wrote:
>
> > Also, what is this acronym he keeps using...IIRC??? Thank you.
>
> http://www.acronymfinder.com/af-query.asp?acronym=IIRC

Wow, that's a really useful resource to have, Brad!  Thanks for posting that
link.  (Too bad about their obnoxious banner and popup ads, and
self-censorship on e.g. FUBAR, though.)

BTW, they were missing a definition for LEAF, but I submitted it.  ;^

--
Dan Harkless
[EMAIL PROTECTED]
http://harkless.org/dan/





[leaf-user] Re: re sh-httpd perm Bug

2002-07-30 Thread Dan Harkless


[EMAIL PROTECTED] (Eric Wolzak) writes:
> What doesn't function anymore if the group of sh-
> httpd is adm are parts of the viewsys page:
> the listing of the modules for example.

Gotcha.  I missed that -- thanks.

> This was the reason the wheel ( not wheels you are
> right ;)) group was used.
> In the new release of weblet the modification to the
> cron job assigning the logfiles to -g wheel is
> already done.

Thanks.  I've now fixed my LEAF systems to put sh-httpd back in wheel and
have /etc/cron.daily/multicron-d and /etc/cron.daily/savelog-sh-httpd use -g
wheel, and all appears to be working well, including the modules listing on
the viewsys page.

Of course weblet is still doing something I consider wrong -- it's saying
the firewall is in red light / ERROR mode just because it has 251 denied
or rejected packets.  Isn't this the whole point of a firewall, to deny and
reject those packets?  How is this an ERROR?  At worst, it should be at
yellow alert.

--
Dan Harkless
[EMAIL PROTECTED]
http://harkless.org/dan/





Re: [leaf-user] traceroute through Bering firewall

2002-07-30 Thread Dan Harkless


[EMAIL PROTECTED] writes:
> The unix traceroute is based on the fact that you will respond with
> a package stating that nothing is listening on that port. That is
> normal behaviour if you don't have a firewall DROPping the package.

Yeah, but I didn't realize UDP packets could know anything about the routers
in between you and the destination machine.  I thought only ICMP packets had
that power.

> A reject rule might make a unix traceroute already happy (not sure though).
>
> As to making the traceroute from microsoft work, I am pretty sure it
> involves some icmp rule being added, not sure what though. But default
> bering only allows icmp type 8 in which is the echo request icmp
> packet. Just testing by allowing all icmp in should confirm my suspicion
> that it is an icmp related issue. Close it up afterwards again.

Why, is there a specific danger to allowing ICMP packets from your internal
network to the firewall box?

> I will try and network monitor a microsoft traceroute and come back with
> a better filtered solution.

That'd be great...

--
Dan Harkless
[EMAIL PROTECTED]
http://harkless.org/dan/





Re: [leaf-user] Using ifconfig?

2002-07-30 Thread Dan Harkless


George Georgalis <[EMAIL PROTECTED]> writes:
> Try these... (the default is 'show')
> ip addr
> ip route
> ip link
> ip help
> ip addr help
> etc... I know the help is not easy, but it's all there
>
> I bring up my interfaces something like this...
>
> # first bring everything down...
> d=`ip -o link show | cut -d: -f2`
> for i in $d ; do
>   ip addr flush $i
>   ip link set $i down
> done
>
> # then bring up each interface like so...
> ip link set lo up
> ip link set eth0 up
> ip addr add 127.0.0.1/8 label lo dev lo
> ip addr add 192.168.0.1/24 label eth0 dev eth0
> ip route add 0/0 via 12.34.56.78 table main # use your GW
>
> Not sure how to ppp/chat with the ip command.

I don't think you can.  But with PPPoE, at least (and presumably dialup PPP
as well), ifdown ppp0 will bring down the PPP interface and ifup ppp0
will bring up the interface, doing a new PPP login, getting a newly-assigned
IP address, etc.

--
Dan Harkless
[EMAIL PROTECTED]
http://harkless.org/dan/





Re: [leaf-user] Earthlink PPP connection info (was: Problem booting Bering RC3)

2002-07-30 Thread Brad Fritz


On Tue, 30 Jul 2002 00:43:04 CDT Patrick Teague wrote:

> Yay, it works,

Cool.  In your first posting, you mentioned you had trouble with
the CompuServe setup example not working for Earthlink.  After
setting up for Earthlink, do you have suggestions for improving
or adding to the docs?  Jacques is really good about incorporating
suggestions.

> but um...  any idea how to get it to redial or is the default
> ppp.lrp in the Bering rc3 already set up to do that?

From the options section of "man pppd" on a full linux distro:

 persist
Do not  exit  after  a  connection  is  terminated;
instead try to reopen the connection.

So if you have the persist keyword in your /etc/ppp/options file
as described at

  http://leaf.sourceforge.net/devel/jnilo/bumodem.html

, the router should automatically redial.  Somebody with Bering
PPP experience, please correct me if I am mis-speaking.  You can
also setup demand dialing, if you prefer, by replacing persist
with demand and adding an idle sec entry as described in
the same doc.

> thanks for the help :)

Glad to help.  I just read the PPP configuration information from
the URL above.  It seemed to do a fair job of describing the
differences between the Compuserve example and providers using
PAP like Earthlink.  I am probably biased from having some Linux
PPP experience though.  If you have suggestions for improving the
docs, send them to the list.  Jacques is good at incorporating
them.

--Brad






[leaf-user] OT: acronym lookups (was: Where is the lrpkg.cfg file?)

2002-07-30 Thread Brad Fritz


On Mon, 29 Jul 2002 23:46:31 PDT Dan Harkless wrote:

> Brad Fritz <[EMAIL PROTECTED]> writes:
> >
> > On Mon, 29 Jul 2002 11:01:52 PDT you wrote:
> >
> > > Also, what is this acronym he keeps using...IIRC??? Thank you.
> >
> > http://www.acronymfinder.com/af-query.asp?acronym=IIRC
>
> Wow, that's a really useful resource to have, Brad!  Thanks for posting that
> link.  (Too bad about their obnoxious banner and popup ads, and
> self-censorship on e.g. FUBAR, though.)

It was the first one I found when I searched for "acronym iirc" on
google.  http://www.geek2geek.org/ seems to be ad-free and less
censored.  I'm sure there are others too.

> BTW, they were missing a definition for LEAF, but I submitted it.  ;^

Excellent!

--Brad






Re: [leaf-user] traceroute through Bering firewall

2002-07-30 Thread kimoppalfens

> > involves some icmp rule being added, not sure what though. But default
> > bering only allows icmp type 8 in which is the echo request icmp
> > packet. Just testing by allowing all icmp in should confirm my suspicion
> > that it is an icmp related issue. Close it up afterwards again.
>
> Why, is there a specific danger to allowing ICMP packets from your internal
> network to the firewall box?

There are some hacks based on ICMP like the icmp redirect message.
So is there a specific danger to allow this from your internal network?
I don't know, depends on how much you trust the people on your internal network
I suppose.

> > I will try and network monitor a microsoft traceroute and come back with
> > a better filtered solution.
>
> That'd be great...

I have done a network monitor of a traceroute session and traceroute uses
identical packets as ping does just with shorter TTL.
Traceroute in ms is based on the fact that if the ttl becomes 0 the
router that drops the packet because of this sends you a time to live exceeded
in transit back. (This message contains the router's ip address).

Ms traceroute sends 3 of these packages to every hop.
So if 1 of them is timing out it is probably a site between you and
your traceroute target that has icmp replies filtered.

Bottom line it is probably out of your hands. Someone on the road is
blocking icmp. It doesn't kill traceroute but it means you're missing one hop.

Kim Oppalfens










Re: [leaf-user] traceroute through Bering firewall

2002-07-30 Thread Vladimir I.

[EMAIL PROTECTED] wrote about Re: [leaf-user] traceroute through Bering
firewall:

> > Why, is there a specific danger to allowing ICMP packets from your internal
> > network to the firewall box?
>
> There are some hacks based on ICMP like the icmp redirect message.
> So is there a specific danger to allow this from your internal network?
> I don't know depends on how much you trust the people on your internal network
> I suppose.

Be careful when you're blocking ICMP. It breaks Path MTU 
discovery.

-- 
Best Regards,
Vladimir
Systems Engineer (RHCE)





Re: [leaf-user] WISP drivers loaded but can't ping

2002-07-30 Thread Vladimir I.


Looks like a PCMCIA bridge configuration issue. I had a similar problem with the
new Teletronics motherboards.

What kind of PCMCIA chipset do you use? In any case, in /etc/init.d/pcmcia
there is a special kludge (line 116) which detects TI bridges used in
Teletronics. Modify it so that it recognizes your PCMCIA chipset ID and check if
it will help you.

Ray wrote:
> On Sun, Jul 28, 2002 at 02:14:06PM +0300, Vladimir I. wrote:
>
> > Ray wrote about [leaf-user] WISP drivers loaded but can't ping:
> >
> > > I managed to get WISP-Dist loaded and recognizing my Prism 2 based wireless
> > > card with no problem but I can't get it to ping any of my other wireless
> > > boxes.  All are using the same type of card, 2 are using a standard Debian
> > > distro with wlan-ng and 1 is using Station Server.  They are all using Ad-Hoc
> > > mode with wep disabled and they can talk to each other just fine.  From the
> > > Statistics page it looks like the WISP-Dist box is seeing packets from the
> > > others but just isn't doing anything about them.  I'm reasonably sure I
> >
> > Can you run tcpdump -i [interface] -n and see what it shows
> > when you try to ping etc?
>
> Ok, I removed all machines from the wireless network except the WISP-Dist
> box and a laptop and ran tcpdump on the WISP-Dist box and started pinging
> from the laptop.:
>
>   # tcpdump -i netcs1 -n
>   Kernel filter, protocol ALL, datagram packet socket
>   tcpdump: listening on netcs1
>   11:12:11.852643 B arp who-has 192.168.4.2 tell 192.168.4.6
>   11:12:11.852957  arp reply 192.168.4.2 (0:2:6f:1:5f:27) is-at 0:2:6f:1:5f:27 (0:2:6f:1:89:48)
>   11:12:12.848877 B arp who-has 192.168.4.2 tell 192.168.4.6
>   11:12:12.849035  arp reply 192.168.4.2 (0:2:6f:1:5f:27) is-at 0:2:6f:1:5f:27 (0:2:6f:1:89:48)
>   11:12:13.848948 B arp who-has 192.168.4.2 tell 192.168.4.6
>   11:12:13.849102  arp reply 192.168.4.2 (0:2:6f:1:5f:27) is-at 0:2:6f:1:5f:27 (0:2:6f:1:89:48)
>   11:12:14.850622 B arp who-has 192.168.4.2 tell 192.168.4.6
>   11:12:14.850777  arp reply 192.168.4.2 (0:2:6f:1:5f:27) is-at 0:2:6f:1:5f:27 (0:2:6f:1:89:48)
>   11:12:15.849210 B arp who-has 192.168.4.2 tell 192.168.4.6
>   11:12:15.849360  arp reply 192.168.4.2 (0:2:6f:1:5f:27) is-at 0:2:6f:1:5f:27 (0:2:6f:1:89:48)
>
>   10 packets received by filter
>
> The 192.168.4.6 and 0:2:6f:1:89:48 really do belong to the laptop so at
> least the WISP box is receiving correctly...  I also noticed that the laptop
> side shows a RX packets of 0 (using ifconfig) so it's not getting the
> replies.  Reversing the process outputs nothing at all on the laptop.
>
> > > haven't done anything dumb with the routing and iptables -L doesn't show any
> > > firewall rules.  What could I be missing?
> > >
> > > BTW I can't seem to cut & paste from the Statistics page (I'm logged in via
> > > ssh on the wired link) so is there any good way to get that same
> > > information?
> >
> > Hmm, I'm able to do it. However I didn't try it using xterm, try
> > to login via virtual console or change terminal from xterm to
> > something else.
> >
> > Of course, you can run statistics commands manually from the
> > command line. iwconfig, ip addr, ip route etc.
>
> Thanks I'd forgotten about the ip *** commands.
>
> Could the output from the WISP box be getting stuck before getting out?
> Also, as an experiment I tried running WISP as an AP.  The other machines
> were able to associate but could not communicate with any others.
>
> Any ideas?


-- 
Best Regards,
Vladimir
Systems Engineer (RHCE)






[leaf-user] Dlink 570

2002-07-30 Thread Roger E McClurg


This is a bit off topic, but does anyone know where I can get a couple of
Dlink 570TX NICs? Just when I need them, they stop making them.

Best Regards,

Roger McClurg
[EMAIL PROTECTED]







Re: [leaf-user] Earthlink PPP connection info (was: Problem bootingBering RC3)

2002-07-30 Thread Mike Noyes

On Tue, 2002-07-30 at 00:41, Brad Fritz wrote:
> On Tue, 30 Jul 2002 00:43:04 CDT Patrick Teague wrote:
> > but um...  any idea how to get it to redial or is the default
> > ppp.lrp in the Bering rc3 already set up to do that?
>
> From the options section of "man pppd" on a full linux distro:
>
>  persist
>     Do not  exit  after  a  connection  is  terminated;
>     instead try to reopen the connection.
>
> So if you have the persist keyword in your /etc/ppp/options file
> as described at
>
>   http://leaf.sourceforge.net/devel/jnilo/bumodem.html
>
> , the router should automatically redial.  Somebody with Bering
> PPP experience, please correct me if I am mis-speaking.  You can
> also setup demand dialing, if you prefer, by replacing persist
> with demand and adding an idle sec entry as described in
> the same doc.

Patrick,
Make sure to move /etc/ppp/no_ppp_on_boot to /etc/ppp/ppp_on_boot, or
persist won't work properly.

-- 
Mike Noyes [EMAIL PROTECTED]
http://sourceforge.net/users/mhnoyes/
http://leaf-project.org/






Re: [leaf-user] traceroute through Bering firewall

2002-07-30 Thread Tom Eastep

On Tue, 30 Jul 2002, [EMAIL PROTECTED] wrote:

  
 
> > > Microsoft traceroute uses icmp whereas unix traceroute tends to use udp


I can't reproduce the problem with MS tracert either.


  Tracing route to animal.blarg.net [206.124.128.1]
  over a maximum of 30 hops:

    1     1 ms     1 ms     1 ms  gateway.shorewall.net [192.168.1.254]
    2    22 ms    22 ms    25 ms  atm02.sea.blarg.net [206.124.128.31]
    3    25 ms    24 ms    26 ms  animal.blarg.net [206.124.128.1]

  Trace complete.

MS tracert appears to just be using ICMP echo-request (ping) packets. It 
starts out with TTL=1 and increases. I've tested using both Windows XP and 
Windows ME.
 
 
> As to making the traceroute from microsoft work, I am pretty sure it
> involves some icmp rule being added, not sure what though. But default
> bering only allows icmp type 8

Please see /etc/shorewall/icmp.def for a list of the ICMP messages passed
by the default Bering configuration. And remember that icmp.def, like
common/common.def only get used when the applicable policy is DROP or
REJECT. If the policy is ACCEPT, then ALL traffic is passed.

Dan -- the only thing that I can see that would cause the problem that you 
are seeing is if the firewall is blocking fw-loc time exceeded ICMP 
packets. The icmp.def file that I release definitely allows those through. 
And since the packet is related to a loc-net ping request, it should be 
passed unconditionally.

Here's what the tracert run above generates on the loc-FW segment:

07:31:28.378156 192.168.1.5 > 206.124.128.1: icmp: echo request [ttl 1]
07:31:28.378332 192.168.1.254 > 192.168.1.5: icmp: time exceeded in-transit [tos 0xc0]
07:31:28.381450 192.168.1.5 > 206.124.128.1: icmp: echo request [ttl 1]
07:31:28.381559 192.168.1.254 > 192.168.1.5: icmp: time exceeded in-transit [tos 0xc0]
07:31:28.382612 192.168.1.5 > 206.124.128.1: icmp: echo request [ttl 1]
07:31:28.382718 192.168.1.254 > 192.168.1.5: icmp: time exceeded in-transit [tos 0xc0]
07:31:29.378859 192.168.1.5 > 206.124.128.1: icmp: echo request
07:31:29.408235 206.124.128.31 > 192.168.1.5: icmp: time exceeded in-transit [tos 0xc0]
07:31:29.409029 192.168.1.5 > 206.124.128.1: icmp: echo request
07:31:29.433342 206.124.128.31 > 192.168.1.5: icmp: time exceeded in-transit [tos 0xc0]
07:31:29.434174 192.168.1.5 > 206.124.128.1: icmp: echo request
07:31:29.470638 206.124.128.31 > 192.168.1.5: icmp: time exceeded in-transit [tos 0xc0]
07:31:30.440366 192.168.1.5 > 206.124.128.1: icmp: echo request
07:31:30.475732 206.124.128.1 > 192.168.1.5: icmp: echo reply
07:31:30.476792 192.168.1.5 > 206.124.128.1: icmp: echo request
07:31:30.505624 206.124.128.1 > 192.168.1.5: icmp: echo reply
07:31:30.506244 192.168.1.5 > 206.124.128.1: icmp: echo request
07:31:30.534502 206.124.128.1 > 192.168.1.5: icmp: echo reply

-Tom
-- 
Tom Eastep\ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ [EMAIL PROTECTED]
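An added example, not code from the list, from Shorewall or from Tom's tooling: a Python parser that takes tcpdump lines in the shape Tom posted and regroups them into hops the way tracert prints them, which is exactly the mechanism Kim described (three probes per hop, a Time Exceeded reply from the router whose TTL decrement hit zero, and `* * *` for a hop that filters ICMP replies), and also the UDP variant Kim mentioned earlier (Unix traceroute, which ends when the destination answers Port Unreachable for an unused port in the 33434+ range). Both captures are constructed: the ICMP one follows Tom's lines but adds a silent hop in the middle; the UDP one is made up in tcpdump's format. The assumptions are tcpdump's line layout, three probes per hop for tracert, and that probes are sent one after another so a probe with no reply before the next probe timed out.

```python
import re

# Constructed capture in the shape of the tcpdump output Tom posted for an
# MS tracert run: hop 1 (192.168.1.254) and the destination (206.124.128.1)
# answer every probe; the three probes at 07:31:29/33/37 are constructed
# extras that nothing answers, i.e. a hop that filters its ICMP replies.
ICMP_SAMPLE = """\
07:31:28.378156 192.168.1.5 > 206.124.128.1: icmp: echo request [ttl 1]
07:31:28.378332 192.168.1.254 > 192.168.1.5: icmp: time exceeded in-transit [tos 0xc0]
07:31:28.381450 192.168.1.5 > 206.124.128.1: icmp: echo request [ttl 1]
07:31:28.381559 192.168.1.254 > 192.168.1.5: icmp: time exceeded in-transit [tos 0xc0]
07:31:28.382612 192.168.1.5 > 206.124.128.1: icmp: echo request [ttl 1]
07:31:28.382718 192.168.1.254 > 192.168.1.5: icmp: time exceeded in-transit [tos 0xc0]
07:31:29.378859 192.168.1.5 > 206.124.128.1: icmp: echo request
07:31:33.379102 192.168.1.5 > 206.124.128.1: icmp: echo request
07:31:37.379344 192.168.1.5 > 206.124.128.1: icmp: echo request
07:31:41.380001 192.168.1.5 > 206.124.128.1: icmp: echo request
07:31:41.409377 206.124.128.31 > 192.168.1.5: icmp: time exceeded in-transit [tos 0xc0]
07:31:41.410029 192.168.1.5 > 206.124.128.1: icmp: echo request
07:31:41.434342 206.124.128.31 > 192.168.1.5: icmp: time exceeded in-transit [tos 0xc0]
07:31:41.435174 192.168.1.5 > 206.124.128.1: icmp: echo request
07:31:41.471638 206.124.128.31 > 192.168.1.5: icmp: time exceeded in-transit [tos 0xc0]
07:31:42.440366 192.168.1.5 > 206.124.128.1: icmp: echo request
07:31:42.475732 206.124.128.1 > 192.168.1.5: icmp: echo reply
07:31:42.476792 192.168.1.5 > 206.124.128.1: icmp: echo request
07:31:42.505624 206.124.128.1 > 192.168.1.5: icmp: echo reply
07:31:42.506244 192.168.1.5 > 206.124.128.1: icmp: echo request
07:31:42.534502 206.124.128.1 > 192.168.1.5: icmp: echo reply
"""

# Constructed Unix-style trace (UDP probes, one per hop): the destination
# answers ICMP port unreachable because nothing listens there; that ends it.
UDP_SAMPLE = """\
08:00:00.000100 192.168.1.5.40000 > 206.124.128.1.33434: udp 32
08:00:00.000300 192.168.1.254 > 192.168.1.5: icmp: time exceeded in-transit
08:00:00.001100 192.168.1.5.40000 > 206.124.128.1.33435: udp 32
08:00:00.030100 206.124.128.1 > 192.168.1.5: icmp: 206.124.128.1 udp port 33435 unreachable
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"(?P<proto>icmp|udp)[: ] ?(?P<rest>.*)$"
)


def parse_capture(text, probes_per_hop=3):
    """Group probes into hops. A probe is an echo request (tracert) or a UDP
    datagram (Unix traceroute). The next reply (Time Exceeded from the router
    whose TTL decrement hit zero, or the destination's Echo Reply / Port
    Unreachable) answers the outstanding probe; a probe followed by another
    probe with no reply in between timed out. Returns a list of hops, each a
    list of (replier, rtt_ms, kind), replier None for a timed-out probe."""
    probes, sent_at = [], None
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        h, mi, s = m["ts"].split(":")
        t, rest = int(h) * 3600 + int(mi) * 60 + float(s), m["rest"]
        if m["proto"] == "udp" or rest.startswith("echo request"):
            if sent_at is not None:  # previous probe never got a reply
                probes.append((None, None, None))
            sent_at = t
        elif sent_at is not None:
            kind = rest.split(" [")[0]  # drop trailing "[tos 0xc0]"
            probes.append((m["src"], (t - sent_at) * 1000.0, kind))
            sent_at = None
    if sent_at is not None:
        probes.append((None, None, None))
    return [probes[i:i + probes_per_hop]
            for i in range(0, len(probes), probes_per_hop)]


def classify_hop(hop):
    """'silent' when every probe timed out (the * * * case), 'partial' when
    only some did (Kim's one-probe-missing case), 'answered' otherwise."""
    answered = sum(1 for replier, _, _ in hop if replier is not None)
    if answered == 0:
        return "silent"
    return "partial" if answered < len(hop) else "answered"


def hop_addresses(hops):
    """First responding address per hop, None for a silent hop."""
    return [next((r for r, _, _ in hop if r is not None), None) for hop in hops]


def is_destination_reply(kind):
    """Echo Reply (tracert) or Port Unreachable (Unix) means the trace is done."""
    return kind == "echo reply" or (kind or "").endswith("unreachable")


def format_hops(hops):
    """Render hops in tracert's layout: hop number, RTT or * per probe, address."""
    lines = []
    for n, hop in enumerate(hops, 1):
        cells = ["*".center(8) if r is None else f"{rtt:5.1f} ms" for r, rtt, _ in hop]
        where = hop_addresses([hop])[0] or "Request timed out."
        lines.append(f"{n:3d} " + "  ".join(cells) + "  " + where)
    return lines
```

`parse_capture(ICMP_SAMPLE)` yields four hops with the constructed silent one printed as `* * * Request timed out.`, and `parse_capture(UDP_SAMPLE, probes_per_hop=1)` yields two hops ending in a port-unreachable reply; `classify_hop` distinguishes a hop that filters everything from one that drops the occasional reply, which is the distinction Kim draws between "missing one hop" and a broken trace.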






Re: [leaf-user] traceroute through Bering firewall

2002-07-30 Thread Tom Eastep

On Tue, 30 Jul 2002, Vladimir I. wrote:

> [EMAIL PROTECTED] wrote about Re: [leaf-user] traceroute through Bering
> firewall:
>
> > > Why, is there a specific danger to allowing ICMP packets from your internal
> > > network to the firewall box?
> >
> > There are some hacks based on ICMP like the icmp redirect message.
> > So is there a specific danger to allow this from your internal network?
> > I don't know depends on how much you trust the people on your internal network
> > I suppose.
>
> Be careful when you're blocking ICMP. It breaks Path MTU
> discovery.
 

The assertion in an earlier post that Bering blocks all ICMP except type 8
was FUD.  By default, Shorewall still allows a sane set of ICMP packet
types to pass when the policy is DROP or REJECT.

-Tom
-- 
Tom Eastep\ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ [EMAIL PROTECTED]






[leaf-user] slow conection under Bering rc3

2002-07-30 Thread Sylvain Pelletier

I've switched to bering rc3 early but I have a strange behavior.
I have two computers in my local network and my internet connection is pppoe,
one under Windows XP and another under a debian woody.
I have a very slow connection with the debian (under 5Ko/s) but with
Windows XP, the connection is fine.
The bering boots from floppy and I have dachstein rc2 which boots from
hard-disk.
When I reboot with dachstein all works perfectly.

If someone knows what the problem is...
I would like to stay under bering (yes I like shorewall facilities :-) )
My brain is going warm

Sylvain








Re: [leaf-user] Newbie help for Road Warrior VPN

2002-07-30 Thread Phillip . Watts



1. Download the ipsec.lrp.
2. Download the docs from FreeSWAN.org and do a lot of reading,
   but don't get depressed.
3. You need a win ipsec client. I suggest SSH Sentinel. Download it,
   eval is free.
4. Go to the FAQ on Sentinel and read about configuring a FreeSWAN host.

   Essentially in /etc/ipsec.conf you are going to have some default
   settings then settings for a connection. The settings include your
   external ip address, the internal network you are allowing access to
   and a shared secret. You will set up Sentinel to 'match' this and
   voila.

5. Write back here for help.





Craig [EMAIL PROTECTED] on 07/30/2002 09:23:24 AM

To:   LEAF [EMAIL PROTECTED]
cc:(bcc: Phillip Watts/austin/Nlynx)

Subject:  [leaf-user] Newbie help for Road Warrior VPN



Hi folks,
I'd like to use my Dachstein 1.0.2 CD, and set up a Road Warrior VPN,
but I'm really confused on how to start. While I'm comfortable with
Windows and VPN concepts, I'm pretty new to the Linux/Dachstein scene,
so hopefully you'll be patient with me. :-) Here's what I have: I have
the basic Dachstein CD that I use, and the only thing(s) I have done to
get it successfully working is uncomment the correct NIC drivers, and
changed the root password. I've backed up those changes to floppy,
re-burned a new CD (so all those changes are part of my new CD, and I
don't have to use the floppy for them) and everything works fine.
Now...I would like to set up the box to accept my Road Warrior
client(s)...but I don't know how to start or where to start. All help is
appreciated!!! Thank you in advance!!! Have a great week.

Best Regards,
Craig

P.S. The Dachstein box uses two Linksys LNE100-TX NICs (tulip drivers),
a Motorola SB4100 Surfboard cable modem, and ATT broadband service.













Re: [leaf-user] Re: re sh-httpd perm Bug

2002-07-30 Thread Eric Wolzak

> Of course weblet is still doing something I consider wrong -- it's saying
> the firewall is in red light / ERROR mode just because it has 251 denied
> or rejected packets.  Isn't this the whole point of a firewall, to deny and
> reject those packets?  How is this an ERROR?  At worst, it should be at
> yellow alert.

This depends on what you log and in what environment you are.
On some of my internal boxes 251 would be a whole lot :) 

You can change the settings for your individual system in
  3) Packages configuration
     Weblet
     2) LRP web page configuration


# Warning/Error thresholds for the weblet utility
# Disable checking of any value by setting it to -1

# Firewall thresholds: deny/reject messages
WRN_FW=5
ERR_FW=50

WRN_FW is the number of logged packets after which the color 
changes to yellow

ERR_FW is the number of logged packets to change to red


Eric Wolzak
member of the bering Crew
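An added example, not weblet's own code: Python that scans constructed Shorewall kernel log lines, counts the DROP/REJECT entries, maps the count onto the WRN_FW/ERR_FW thresholds shown above (assuming, as the comment says, that -1 disables a check, and assuming that a count strictly above a threshold is what changes the colour, since the page only says "after which"), and then breaks the count down by chain and source. That breakdown is the information that decides whether 251 denied packets are the firewall doing its job or something worth looking at. The log lines are constructed in the shape of Shorewall's `Shorewall:<chain>:<disposition>:` log prefix with documentation address ranges, and the chain names `net2all`, `loc2fw` and `loc2net` are assumptions.

```python
import re
from collections import Counter

# Thresholds exactly as shown in the weblet configuration above; -1 disables.
WRN_FW = 5
ERR_FW = 50

# Constructed kernel log lines in the shape of Shorewall's log prefix
# ("Shorewall:<chain>:<disposition>:"); chain names and addresses are assumed.
SAMPLE_LOG = """\
Jul 30 07:40:01 firewall kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=4137 DPT=445
Jul 30 07:40:03 firewall kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=4138 DPT=139
Jul 30 07:41:10 firewall kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.77 DST=198.51.100.2 PROTO=UDP SPT=1026 DPT=137
Jul 30 07:42:55 firewall kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=4139 DPT=1433
Jul 30 07:43:20 firewall kernel: Shorewall:loc2fw:REJECT:IN=eth1 OUT= SRC=192.168.1.5 DST=192.168.1.254 PROTO=TCP SPT=2049 DPT=23
Jul 30 07:44:02 firewall kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=ICMP TYPE=8 CODE=0
Jul 30 07:45:30 firewall kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.91 DST=198.51.100.2 PROTO=TCP SPT=3306 DPT=3306
Jul 30 07:46:00 firewall cron.info: savelog run (not a firewall message, ignored)
"""

LOG_RE = re.compile(
    r"Shorewall:(?P<chain>[^:]+):(?P<disp>DROP|REJECT):"
    r".*?\bSRC=(?P<src>\S+).*?\bPROTO=(?P<proto>\S+)(?:.*?\bDPT=(?P<dpt>\d+))?"
)


def parse_denials(text):
    """One dict per logged DROP/REJECT line; every other line is ignored."""
    out = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            out.append({"chain": m["chain"], "disposition": m["disp"],
                        "src": m["src"], "proto": m["proto"], "dpt": m["dpt"]})
    return out


def status(count, wrn=WRN_FW, err=ERR_FW):
    """Map a denial count to weblet's colour. Assumption: the colour changes
    when the count is strictly above the threshold; -1 disables the check."""
    if err != -1 and count > err:
        return "red"
    if wrn != -1 and count > wrn:
        return "yellow"
    return "green"


def summarize(denials, internal_chains=("loc2fw", "loc2net")):
    """What a bare count hides: disposition, chain, top sources, and whether
    any denial came from the trusted side (assumed chain names), which
    deserves a look no matter how many Internet-side probes were dropped."""
    return {
        "total": len(denials),
        "by_disposition": dict(Counter(d["disposition"] for d in denials)),
        "by_chain": dict(Counter(d["chain"] for d in denials)),
        "top_sources": Counter(d["src"] for d in denials).most_common(3),
        "from_internal": sum(1 for d in denials if d["chain"] in internal_chains),
    }


if __name__ == "__main__":
    found = parse_denials(SAMPLE_LOG)
    print(status(len(found)), summarize(found))
```

With the sample, seven denials trip the WRN_FW=5 threshold (yellow) and Dan's 251 trips ERR_FW=50 (red); setting ERR_FW=-1 as the comment describes leaves 251 at yellow, and `summarize` shows that six of the seven came from one Internet-side host while the one REJECT from the internal network is the entry actually worth reading.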







[leaf-user] DHCP on Bering or WISP-Dist

2002-07-30 Thread Robert Everland

I can't seem to find a DHCP server mentioned on either of these two
distributions. Is it included? If it isn't, where can I go about finding one?
Also, if there is one, would you be able to point me to how to install it? I am
such a newbie on Linux. I have been getting better though.

Robert Everland III
Web Developer Extraordinaire
Dixon Ticonderoga Company
http://www.dixonusa.com 





Re: [leaf-user] DHCP on Bering or WISP-Dist

2002-07-30 Thread Vladimir I.


DHCP server is included in WISP-Dist.

Just uncomment RCDLINKS line in /etc/init.d/dhcpd, as well as edit /etc/dhcpd.conf.

Robert Everland wrote:
   I can't seem to find a DHCP server mentioned on either of these two
 distributions. Is it included? If it isn't where can I go about finding one.
 Also if there is one would you be able to point me how to install it, I am
 such a newbie on linux. I have been getting better though.
 
 Robert Everland III
 Web Developer Extraordinaire
 Dixon Ticonderoga Company
 http://www.dixonusa.com 
 
 
 


-- 
Best Regards,
Vladimir
Systems Engineer (RHCE)






[leaf-user] Newbie help for Road Warrior VPN

2002-07-30 Thread Craig

Thanks Phillip,
I see the Dachstein CD already has the ipsec.lrp (and ipsec509.lrp &
ipsec.o files) on it. Can I just use those? As far as the Windows IPsec
client, I found instructions on using the functionality already built in
to Windows at:
http://www.natecarlson.com/include/showpage.php?cat=linux&page=ipsec-x509
That should work, shouldn't it? O.K...what should I do now? Thank you.

Craig







Re: [leaf-user] Re: re sh-httpd perm Bug

2002-07-30 Thread Julian Church

Hi Dan

At 00:07 30/07/02 -0700, Dan Harkless wrote:

Of course weblet is still doing something I consider wrong -- it's saying
the firewall is in red light / ERROR mode just because it has 251 denied
or rejected packets.  Isn't this the whole point of a firewall, to deny and
reject those packets?  How is this an ERROR?  At worst, it should be at
yellow alert.

It's possible to adjust this behaviour by changing the weblet's 
OK/warning/error thresholds.  I see you've got some advice on that already.

There's also the possibility that the bulk of those packets are from one or 
two harmless sources that you don't really need to worry about - it's 
common for cable/ADSL systems to spew forth all sorts of stuff of this 
type.  If this is the case it might be helpful to fiddle with your firewall 
rules so these things don't get logged in the first place.

I'd be inclined to do the latter, mainly because I only really want stuff 
that I have to think about in my logs and I find a lot of extra rows of 
harmless activity often make more important entries difficult to spot, but 
it's your firewall - you should do whichever you want.

cheers

Julian

-- 
[EMAIL PROTECTED]
www.ljchurch.co.uk






Re: [leaf-user] Newbie help for Road Warrior VPN

2002-07-30 Thread Phillip . Watts



Can't help you with 509.  SSH Sentinel supports it.
Can't help you with Windows IPsec.  I downloaded Sentinel and
got it working in an hour because the folks at my office
told me the Microsoft client was a bear to configure.
Never tried it myself.

If you use ipsec.lrp you have a choice of shared secret (an ASCII password)
and RSA sigkey for authentication.
Start with shared secret to get going, much simpler.
Then graduate to RSA key, incredibly powerful.

You will spend many hours getting this working but it is well worth it
to work from home or road without leaving giant holes in your firewall.





Craig [EMAIL PROTECTED] on 07/30/2002 11:08:07 AM

To:   LEAF [EMAIL PROTECTED]
cc:(bcc: Phillip Watts/austin/Nlynx)

Subject:  [leaf-user] Newbie help for Road Warrior VPN



Thanks Phillip,
I see the Dachstein CD already has the ipsec.lrp (and ipsec509.lrp &
ipsec.o files) on it. Can I just use those? As far as the Windows IPsec
client, I found instructions on using the functionality already built in
to Windows at:
http://www.natecarlson.com/include/showpage.php?cat=linux&page=ipsec-x509
That should work, shouldn't it? O.K...what should I do now? Thank you.

Craig







[leaf-user] What are syslinux.cfg and/or lrpkg.cfg files ???

2002-07-30 Thread Craig

Hi folks,
I'm having a difficult time trying to understand how to set up a VPN with
Dachstein CD 1.0.2, but somehow, I think it has to do with the fact that
I don't have (at least as far as I can see) either one of these files on
my CD. I get the impression that the syslinux.cfg file allows you to
specify additional .lrp packages you want to load upon boot-up...is that
right? I don't have (at least as far as I can tell) an ipsec.conf file
in my /etc directory, and I think it's because I don't have the
ipsec.lrp file loading on start-up, and that's because I don't have a
syslinux.cfg file with that parameter specified in it...is that right???
I welcome anyone's help and comments as to what these files are for, how
do you create them, what do you use them for, any tutorials you're aware
of, etc., etc., etc. At this point I would be willing to write a
tutorial for people who want to use this feature and want step-by-step
instructions if someone will help me figure this out. Thank you, I
welcome your comments.

Best Regards,
Craig







RE: [leaf-user] DHCP on Bering or WISP-Dist

2002-07-30 Thread Robert Everland

Actually I had to edit the syslinux.cfg and add in dhcpd; it wasn't even
loading at all. I did that and it worked beautifully. I think Bering is a
lot better than Dachstein for new users. I was able to get this one up and
running with minimal effort. The firewall portion was a bit flaky for
Dachstein; it's much nicer having Shorewall loaded.

Robert Everland III
Web Developer Extraordinaire
Dixon Ticonderoga Company
http://www.dixonusa.com 

-Original Message-
From: Vladimir I. [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, July 30, 2002 11:58 AM
To: Robert Everland
Cc: '[EMAIL PROTECTED]'
Subject: Re: [leaf-user] DHCP on Bering or WISP-Dist



DHCP server is included in WISP-Dist.

Just uncomment RCDLINKS line in /etc/init.d/dhcpd, as well as edit
/etc/dhcpd.conf.

Robert Everland wrote:
   I can't seem to find a DHCP server mentioned on either of these two 
 distributions. Is it included? If it isn't where can I go about 
 finding one. Also if there is one would you be able to point me how to 
 install it, I am such a newbie on linux. I have been getting better 
 though.
 
 Robert Everland III
 Web Developer Extraordinaire
 Dixon Ticonderoga Company
 http://www.dixonusa.com
 
 
 


-- 
Best Regards,
Vladimir
Systems Engineer (RHCE)





[leaf-user] What are syslinux.cfg and/or lrpkg.cfg files ???

2002-07-30 Thread Craig

Hey Erich,
I think I now understand (and agree with you) that the purpose of the
lrpkg.cfg is to override the CD. But I have not seen ANY documentation
on what should be included within it and why. If you know of some
instructions, tutorial, etc. I would enjoy seeing it. Thank you.

Craig







RE: [leaf-user] What are syslinux.cfg and/or lrpkg.cfg files ???

2002-07-30 Thread Francois BERGERET

Hey Craig, have you not received my last post for you?

You should read :
9.5. Booting from a CD-Rom with isolinux
http://leaf.sourceforge.net/devel/jnilo/bubooting.html#AEN1120
and this for IPSec
http://leaf.sourceforge.net/devel/jnilo/buipsec.html

I hope this could help you.
I am playing with IPSec these days, and checking why my 'PLUTO'
doesn't discover my ppp0 connection that I must launch 'by hand'.
Maybe by exchanging our own 'point of view' and mistakes...

Good luck.

Francois BERGERET.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On behalf of Craig
Sent: Wednesday 31 July 2002 00:15
To: LEAF
Subject: [leaf-user] What are syslinux.cfg and/or lrpkg.cfg files ???


Hey Erich,
I think I now understand (and agree with you) that the purpose of the
lrpkg.cfg is to override the CD. But I have not seen ANY documentation
on what should be included within it and why. If you know of some
instructions, tutorial, etc. I would enjoy seeing it. Thank you.

Craig







Re: [leaf-user] What are syslinux.cfg and/or lrpkg.cfg files ???

2002-07-30 Thread Eric Wolzak


 Hey Erich,
 I think I now understand (and agree with you) that the purpose of the
 lrpkg.cfg is to override the CD. But I have not seen ANY documentation
 on what should be included within it and why. If you know of some
 instructions, tutorial, etc. I would enjoy seeing it. Thank you.

lrpkg.cfg was created to override the CD or to be able to specify a
longer configuration line.
In lrpkg.cfg you write everything you would have written in
syslinux.cfg after LRP=

You can read something about this file in
http://leaf.sourceforge.net/devel/jnilo/bubooting.html

Look at the booting from CD-ROM part.


Eric Wolzak
member of the bering Crew
 
 Craig
 
 
 
 



Re: [leaf-user] Earthlink PPP connection info (was: Problem booting Bering RC3)

2002-07-30 Thread Patrick Teague

- Original Message -
From: Brad Fritz [EMAIL PROTECTED]
To: Patrick Teague [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Tuesday, July 30, 2002 2:41 AM
Subject: Re: [leaf-user] Earthlink PPP connection info (was: Problem booting
Bering RC3)



 On Tue, 30 Jul 2002 00:43:04 CDT Patrick Teague wrote:

  Yay, it works,

 Cool.  In your first posting, you mentioned you had trouble with
 the CompuServe setup example not working for Earthlink.  After
 setting up for Earthlink, do you have suggestions for improving
 or adding to the docs?  Jacques is really good about incorporating
 suggestions.

Maybe having connection info on how to connect to several different ISPs for
examples or perhaps more information as to what exactly is going on.  I used
to be able to do all sorts of things with modems under DOS, but it's been so
long I can barely remember anything.  I do remember there being an AT
setting that most modems had that allowed you to set the volume (S0, S1, etc
or S=1, S=2, etc).  Would this be an extra AT command just prior to ATDT?
Or would this be a part of ATZ? I can't remember whether ATZ is the reset or
part of the setup...  I seem to have lost my USRobotics CD & case with all
sorts of useful AT commands :(  If I have time somewhere between now &
sometime I'll see if I can find generic AT commands & send them Jacques' way
as extra info to include.

  thanks for the help :)

 Glad to help.  I just read the PPP configuration information from
 the URL above.  It seemed to do a fair job of describing the
 differences between the Compuserve example and providers using
 PAP like Earthlink.  I am probably biased from having some Linux
 PPP experience though.  If you have suggestions for improving the
 docs, send them to the list.  Jacques is good at incorporating
 them.

Ok, now I feel like a complete idiot...  I only read that 5 or 6 times over
the last 2-3 weeks.  I must have been asleep when I glanced over it again
the other day.  Then again that wouldn't surprise me with this new job...
we're setting up a new warehouse, 6am-6pm Mon-Sun is standard, I drag home &
fall asleep on the computer :)  However, I'm not sure what exactly PAP or
CHAP authentication is & I only have a vague idea of what the Windows RAS
server is.  Prior to asking all my questions I did check out the Earthlink
site to see if it contained any useful info...  only thing I found was
Windows, been there, been hacked.

Patrick







Re: [leaf-user] What are syslinux.cfg and/or lrpkg.cfg files ???

2002-07-30 Thread Jeff Newmiller

On Tue, 30 Jul 2002, Craig wrote:

 Hey Erich,
 What do you mean You can start with what's in your syslinux.cfg and
 expand it??? I've looked on my Dachstein CD, and I don't even see a
 syslinux.cfg file! How do I know if I have one on my CD, how do I find
 it, and how do I look at it? If I create this infamous lrpkg.cfg
 file...should I even care about what's in the syslinux.cfg file???
 Thanks for your help.

I may have this somewhat wrong... I have never used DCD for any real work,
but you seem to be thrashing here so I will speak out anyway.  Have you
googled for any answers to your questions?

Bootable CDs incorporate a disk image that the BIOS temporarily treats as
drive A: for the purpose of booting.  As loaded, the boot image is not
located within the visible filesystem, but if I recall correctly there is
another copy of the image in the CD filesystem that you can dd onto a
floppy disk (presuming you have appropriately formatted the disk).

You should care what is in the syslinux.cfg file, because it determines
how the system boots and the base complement of packages.  If you don't
like something in the base complement, you will need to modify a boot
floppy that extracts the appropriate selections from the CD and floppy,
and optionally create a new CD with an image of that floppy instead of the
default.

You should read the README file on the CD as well.  If you make a floppy
disk like this file says, I think you will be able to learn a lot about
how Dachstein in general, and thus DCD in particular, boots.

---
Jeff Newmiller
DCN: [EMAIL PROTECTED]
Research Engineer (Solar/Batteries/Software/Embedded Controllers)
---






[leaf-user] How do I set eepro nic to 100mbit?

2002-07-30 Thread Kory Krofft

Can someone tell me how I can force my internal NIC (Intel 10/100 using
PCI eepro module) to run at 100 Mb full duplex? My switch does not
support autosense and every time I reset it I have to reboot the firewall
to get my connection back.
The firewall is a Dachstein floppy based unit connected to a UPS so it
never goes down.

Thank you,

Kory Krofft






Re: [leaf-user] How do I set eepro nic to 100mbit?

2002-07-30 Thread Ray Olszewski

At 08:36 PM 7/30/02 -0400, Kory Krofft wrote:
Can someone tell me how I can force my internal NIC (Intel 10/100 using
PCI eepro module) to run at 100mb full duplex? My switch does not
support
autosense and everytime I reset it I have to reboot the firewall to get
my connection back.
The firewall is a Dachstein floppy based unit connected to a UPS so it
never goes down.


If I read the source right (eepro.c, that is), full duplex is enabled by 
default (the only code that disables it is associated with use of a 10Base2 
port). Although there is code in the module to read the AutoNegotiation bit 
in the NIC's EEPROM, there is no code to set that bit. So unless there is a 
separate program to set card parameters, I think you are out of luck 
(unless you can get and run the card's own, probably DOS or Windows based, 
config program).





--
"Never tell me the odds!" -- Han Solo
Ray Olszewski
Palo Alto, California, USA  [EMAIL PROTECTED]
---






[leaf-user] Monitoring syslog and a couple of questions.

2002-07-30 Thread adstar

Hi all,
I've got a couple of quick questions (no-brainers for the pros) that I
need a hand answering. I figured it easier to wait a while to get a list of
questions that hopefully you can all help me out with...
I'm running Eiger static with a bastardised (if there is such a word)
version of the extended scripts.

The LRP box is a proud addition to the network, quite happily
chugging along hosting 30 internal PCs, 15-odd servers sitting in the DMZ, and a
10M microwave connection with a class C on the live side of things. It
truly is amazing what such a simple setup can handle.

Anyway on with the questions..

1. Is there a package out there that can monitor the syslog (or denied
rules) to maybe send an email out when certain types of packets get denied?
(Hmm, not at packet level, more like: if there is activity on port 23 of a
certain IP that is being denied, then send an email.)

2. What do I need to change to have my firewall send all its syslog info
to a syslog server?

3. I'm running the socks5 package on my firewall; how do I DISABLE logging
in syslog? I'm getting heaps of these kinds of lines:
Jul 31 11:11:38 Firewall01 Socks5[23491]: TCP Connection Request: Connect
(10.0.10.35:3039 to 205.188.248.57:80) for user
Jul 31 11:11:38 Firewall01 Socks5[23491]: TCP Connection Established:
Connect (10.0.10.35:3039 to 205.188.248.57:80) for user
Jul 31 11:11:38 Firewall01 Socks5[23491]: TCP Connection Terminated: Normal
(10.0.10.35:3039 to 205.188.248.57:80) for user : 252 bytes out, 29 bytes
in

4. If I wish to see all ruleset denies etc., I gather I have to add -l to all
my deny firewall rules in ipfilter.conf, is that correct?

5. How do I deny icmp (ping) on all my external IPs? I know it's in the
extended scripts but I can't find the rule that denies; all I can find is
this:
$IPCH -A input -j DENY -p icmp --icmp-type timestamp-request -l
$IPCH -A input -j DENY -p icmp --icmp-type timestamp-reply -l

6. Ok, this one will take a little bit to explain..
I have a Win2k network (2k server, 2k clients etc., on a domain running
Active Directory and so on). The firewall is set up to handle the connection
to the internet, and protect the servers in the DMZ.
Some of the internal people are running their own FTP server (set up for
passive mode only), i.e. the boss ;o). At the moment I have put in some rules
to manually handle this, e.g.:
  $IPCH -A input -p tcp -s 10.0.10.30 -d 0/0 13600:13649 -j ACCEPT
  $IPCH -A input -p tcp -s 0/0 13600:13649 -d 10.0.10.30 -j ACCEPT
  $IPMASQADM autofw -A -r tcp 13600 13649 -h 10.0.10.30
and of course I'm forwarding port 21 to his machine.
I wish to be able to run the DHCP server package on my firewall, but how do
I handle mapping a LIVE IP to the internal DHCP-assigned IP? (As in, the
boss's IP might change as DHCP leases expire and renew; how do I write
rulesets so that I'm mapping the LIVE hardcoded IP to the assigned DHCP IP?)

Thanks in advance,

Regards,
Adam Niedzwiedzki

c: genis-x
a: level 1, 278-280 church street richmond, victoria, 3121, au, earth
m: +614 0732 2719
w: www.genis-x.com
icq: 325910

Any sufficiently advanced bug is indistinguishable from a feature.







Re: [leaf-user] Monitoring syslog and a couple of questions.

2002-07-30 Thread Ray Olszewski

At 11:31 AM 7/31/02 +1000, [EMAIL PROTECTED] wrote:
Hi all,
I've got a couple of quick questions (no brainers for the pro's) that I
need a hand answering, I figured it easier to wait a while to get a list of
questions that hopefully you can all help me out with...

Actually, this is such a hodgepodge of questions that I doubt you will find 
any one person here who can answer them all. So saving them up may not be 
the best strategy.

I'm running eiger static with a bastardised (if there is such a word)
version of the extended scripts.

Eiger-static is pretty old. Eiger's original developer, Matthew Grant, is 
long gone from the LEAF scene (actually, he never was part of LEAF), and 
its packager, Charles Steinkuehler, has replaced it with Eigerstein, then 
Dachstein. You may have trouble getting *specific* help for this version. 
You probably have some long-forgotten security holes as well.

The LRP box is a proud addition to the network, quite happily
chugging along hosting 30 internal PCs, 15-odd servers sitting in the DMZ, and a
10M microwave connection with a class C on the live side of things. It
truly is amazing what such a simple setup can handle.

Anyway on with the questions..

1. Is there a package out there that can monitor the syslog (or denied
rules) to maybe send an email out when certain types of packets get denied?
(Hmm, not at packet level, more like: if there is activity on port 23 of a
certain IP that is being denied, then send an email.)

I'm sure there is not one specifically for Eiger, and I don't know of one 
generally. Nor could I find one with a quick search. But negatives here are 
never final; perhaps someone else will know of one.

[skipping items 2 and 3]


4. If I wish to see all ruleset denies etc., I gather I have to add -l to all
my deny firewall rules in ipfilter.conf, is that correct?

Almost correct. You may also have to add general DENY rules at the end of 
each chain, IFF the chain has a DENY policy, since the policy decision 
cannot be logged, only the actions of specific rules.

5. How do I deny icmp (ping) on all my external IP's? I know it's in the
extended scripts but I can't find the rule that denies, all I can find is
there
$IPCH -A input -j DENY -p icmp --icmp-type timestamp-request -l
$IPCH -A input -j DENY -p icmp --icmp-type timestamp-reply -l

Try this:

 $IPCH -A input -j DENY -p icmp -i eth0 -l

(assuming your external interface is eth0). There are other ways to do it 
too, but this should work and is the simplest to write.

6. Ok, this one will take a little bit to explain..
I have a Win2k network (2k server, 2k clients etc., on a domain running
Active Directory and so on). The firewall is set up to handle the connection
to the internet, and protect the servers in the DMZ.
Some of the internal people are running their own FTP server (set up for
passive mode only), i.e. the boss ;o). At the moment I have put in some rules
to manually handle this, e.g.:
  $IPCH -A input -p tcp -s 10.0.10.30 -d 0/0 13600:13649 -j ACCEPT
  $IPCH -A input -p tcp -s 0/0 13600:13649 -d 10.0.10.30 -j ACCEPT
  $IPMASQADM autofw -A -r tcp 13600 13649 -h 10.0.10.30
and of course I'm forwarding port 21 to his machine.
I wish to be able to run the DHCP server package on my firewall, but how do
I handle mapping a LIVE IP to the internal DHCP-assigned IP? (As in, the
boss's IP might change as DHCP leases expire and renew; how do I write
rulesets so that I'm mapping the LIVE hardcoded IP to the assigned DHCP IP?)

This is a tough one. As a general rule, servers should not have 
dynamically-assigned addresses. Your best bet is to use the DHCP server to 
assign static addresses to the hosts that need this mapping, using the 
ability most DHCP servers have (I don't recall what DHCP server 
Eiger-static used) to assign IP addresses by MAC address, bootp style.

The EchoWall firewalling package was written to handle this general sort of 
problem, but not for arbitrary ranges of ports. And I'm uncertain if it 
would run on Eiger. Still, you might look at it and see if you can adapt it 
to your needs.


--
"Never tell me the odds!" -- Han Solo
Ray Olszewski
Palo Alto, California, USA  [EMAIL PROTECTED]
---
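The following is an added example, not code from any of the leaf-user posts above and not part of weblet, ipchains or any LEAF package. It ties together three points from this page: Eric's WRN_FW/ERR_FW thresholds (a count of logged deny/reject packets turns the weblet status yellow or red), Julian's advice that harmless chatter from cable/ADSL neighbours should be kept out of the logs so that it does not bury the entries that matter, and Adam's question 1 (tell me when denied packets hit a specific port on a specific IP). It is a POSIX shell script run over constructed kernel log lines in the ipchains "Packet log:" layout using documentation addresses. Assumptions, labelled in the code as well: the status changes once the count reaches the threshold (weblet's exact comparison is not stated on this page), the noise pattern used, and the ALERT line format; the mail step is left to whatever mailer the box has.

```shell
#!/bin/sh
# Added example, not from the leaf-user posts or from weblet/LEAF: rate the
# deny/reject volume in an ipchains log against weblet-style thresholds, show
# how excluding known-harmless noise changes the rating, and report denied
# packets aimed at a watched IP:port (question 1 above).
# Assumptions: the colour changes once the count reaches the threshold;
# the ALERT line format; the sample log lines below are constructed and use
# documentation addresses (RFC 5737), not real traffic.

# Thresholds as in the weblet configuration quoted on the list (-1 disables).
WRN_FW=5
ERR_FW=50

# Constructed kernel log lines in the ipchains "Packet log:" layout:
#   ... Packet log: <chain> <action> <iface> PROTO=<n> <src:sport> <dst:dport> ...
# Four NetBIOS probes from one neighbour, two telnet SYNs, one sunrpc SYN,
# and one accepted ssh SYN that must not be counted.
SAMPLE_LOG='Jul 30 00:01:02 fw kernel: Packet log: input DENY eth0 PROTO=17 203.0.113.5:137 198.51.100.2:137 L=78 S=0x00 I=1 F=0x0000 T=128 (#7)
Jul 30 00:01:05 fw kernel: Packet log: input DENY eth0 PROTO=17 203.0.113.5:137 198.51.100.2:137 L=78 S=0x00 I=2 F=0x0000 T=128 (#7)
Jul 30 00:01:08 fw kernel: Packet log: input DENY eth0 PROTO=17 203.0.113.5:137 198.51.100.2:137 L=78 S=0x00 I=3 F=0x0000 T=128 (#7)
Jul 30 00:01:11 fw kernel: Packet log: input DENY eth0 PROTO=17 203.0.113.5:137 198.51.100.2:137 L=78 S=0x00 I=4 F=0x0000 T=128 (#7)
Jul 30 00:02:00 fw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.77:4321 198.51.100.2:23 L=60 S=0x00 I=5 F=0x4000 T=52 SYN (#9)
Jul 30 00:02:30 fw kernel: Packet log: input REJECT eth0 PROTO=6 192.0.2.77:4322 198.51.100.2:111 L=60 S=0x00 I=6 F=0x4000 T=52 SYN (#10)
Jul 30 00:02:45 fw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.77:4323 198.51.100.2:23 L=60 S=0x00 I=7 F=0x4000 T=52 SYN (#9)
Jul 30 00:03:00 fw kernel: Packet log: input ACCEPT eth0 PROTO=6 192.0.2.88:5555 198.51.100.2:22 L=60 S=0x00 I=8 F=0x4000 T=52 SYN (#3)'

# Print only DENY/REJECT lines from $1, dropping those that match the optional
# egrep pattern $2 (traffic you have decided is harmless and not worth logging).
denied_lines() {
    printf '%s\n' "$1" | grep -E 'Packet log: [a-z]+ (DENY|REJECT) ' | {
        if [ -n "${2:-}" ]; then grep -Ev -- "$2" || :; else cat; fi
    }
}

# Number of DENY/REJECT lines after the optional noise filter.
count_denied() {
    denied_lines "$1" "${2:-}" | awk 'END { print NR }'
}

# Weblet-style rating of a count: ERROR at ERR_FW, WARN at WRN_FW, else OK.
fw_status() {
    n=$1
    if [ "$ERR_FW" -ge 0 ] && [ "$n" -ge "$ERR_FW" ]; then
        echo ERROR
    elif [ "$WRN_FW" -ge 0 ] && [ "$n" -ge "$WRN_FW" ]; then
        echo WARN
    else
        echo OK
    fi
}

# Question 1: one ALERT line per source host whose denied packets were aimed
# at destination $2, port $3. Feed the output to whatever mailer the box has.
# The src and dst fields are located relative to the PROTO= token, so the
# syslog prefix may have any number of fields.
watch_alerts() {
    denied_lines "$1" | awk -v dst="$2" -v port="$3" '
        {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^PROTO=/) { src = $(i + 1); dst_f = $(i + 2) }
            split(dst_f, d, ":")
            if (d[1] != dst || d[2] != port) next
            split(src, s, ":")
            hits[s[1]]++
        }
        END {
            for (h in hits)
                printf "ALERT dst=%s port=%s src=%s hits=%d\n", dst, port, h, hits[h]
        }'
}

# Stand-alone run: raw count, count with the NetBIOS chatter excluded, alerts.
main() {
    all=$(count_denied "$SAMPLE_LOG")
    quiet=$(count_denied "$SAMPLE_LOG" 'PROTO=17 [0-9.]+:137 ')
    echo "denied=$all status=$(fw_status "$all")"
    echo "after noise filter: denied=$quiet status=$(fw_status "$quiet")"
    watch_alerts "$SAMPLE_LOG" 198.51.100.2 23
}
main
```

On the sample, seven lines are denied or rejected, which already crosses WRN_FW=5 and turns the status yellow; four of them are the same neighbour's NetBIOS broadcasts, and once those are excluded the three remaining entries (two telnet SYNs and one sunrpc SYN from one host) rate OK and are the ones worth reading. Filtering after the fact, as the script does, is only a stopgap: Julian's approach of dropping `-l` from the rule that matches the harmless traffic keeps it out of the log entirely, so weblet's own count stays meaningful. The watch function reports the two denied telnet attempts against 198.51.100.2 as a single per-source line.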






[leaf-user] DHCP stuff (more)

2002-07-30 Thread roki

I have a problem similar to one in an earlier thread posted by David Pitts earlier 
this month here:

http://sourceforge.net/mailarchive/forum.php?thread_id=887924&forum_id=5483

I have read that thread fully but found no answers - David, did you ever get to the 
bottom of it?

My cable supplier changed my server location recently and since then I have been 
unable to set up a firewall to connect to its DHCP server.

I was originally using Gnatbox but when this failed I tried Dachstein.  The problem 
seems to be the same with each.

I can connect to my ISP's DHCP server using Windows 98SE without problem, but using 
both Gnatbox and Dachstein, DHCP requests time out without any offer or reply from the 
server.  I have tested my NICs and they are fine and correctly orientated.

I get the message DHCPDISCOVER on ETH0 to 255.255.255.255 port 67 repeatedly until a 
final NO OFFERS WERE RECEIVED message.

Ping requests to external IPs fail on a Type 1 error.  Ping requests and DHCP on the 
local network work fine.

I have left DHCLIENT.conf setup as default as I have not needed to supply any specific 
information from Windows or Gnatbox in the past.

Any help is most appreciated - I'm surfing unprotected at the moment and I don't like 
it :(

Roki

***ADDITIONAL INFO***

Dachstein 1.0.2 / Linux 2.2.19-3-LEAF

ip addr show:

1: lo: <LOOPBACK,UP> mtu qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope global lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:40:95:65:67:3f brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:40:95:65:67:3e brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.254/24 brd 192.168.1.255 scope global eth1

ip route show:

192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.254









RE: [leaf-user] DHCP stuff (more)

2002-07-30 Thread David Pitts

I haven't had any resolution to this.  Eigerstein works fine so I don't
feel especially exposed, but I would like to update.  I became a little
frustrated with it and decided I had more important things to do!  I
could get interested again though.

I would be interested to know what IP address your ISP is using as their
DHCP Server.  Mine is using some sort of restricted address that looks
like it gets blocked?  Doesn't happen in Eigerstein though.

Would be interested to know how you go with this!

David Pitts
IT Services Manager
Reid Library 
University of Western Australia
 
Telephone:   (08) 9380 3492 Fax:  (08) 9380 1012


-Original Message-
From: roki [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, 31 July 2002 10:13 AM
To: [EMAIL PROTECTED]
Subject: [leaf-user] DHCP stuff (more)


[...]



RE: [leaf-user] DHCP stuff (more)

2002-07-30 Thread DJ Roki

My ISP uses a regular IP address for its DHCP server (65.252.128.3).

I read something about DHCP TTL values being too low (16) for some large networks 
(AT&T) but as I can traceroute from DOS to the above IP in 4 hops I assume this is not 
the case with me.

I think I'll try Eigerstein and see if it works better as with your setup... 
otherwise, thanks and keep the ideas coming!

Roki

- Original Message -
From: David Pitts [EMAIL PROTECTED]
Date: Wed, 31 Jul 2002 10:20:57 +0800 
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: RE: [leaf-user] DHCP stuff (more)


[...]



Re: [leaf-user] Earthlink PPP connection info (was: Problem booting Bering RC3)

2002-07-30 Thread Brad Fritz


On Tue, 30 Jul 2002 18:16:06 CDT Patrick Teague wrote:

   Yay, it works,
 
  Cool.  In your first posting, you mentioned you had trouble with
  the CompuServe setup example not working for Earthlink.  After
  setting up for Earthlink, do you have suggestions for improving
  or adding to the docs?  Jacques is really good about incorporating
  suggestions.
 
 Maybe having connection info on how to connect to several different ISPs for
 examples or perhaps more information as to what exactly is going on.

 [snip]

   thanks for the help :)
 
  Glad to help.  I just read the PPP configuration information from
  the URL above.  It seemed to do a fair job of describing the
  differences between the Compuserve example and providers using
  PAP like Earthlink.  I am probably biased from having some Linux
  PPP experience though.  If you have suggestions for improving the
  docs, send them to the list.  Jacques is good at incorporating
  them.
 
 Ok, now I feel like a complete idiot...  I only read that 5 or 6 times over
 the last 2-3 weeks.  I must have been asleep when I glanced over it again
 the other day.

Nah, I was the idiot for typing the same paragraph twice in the
same email. :-/

 Then again that wouldn't surprise me with this new job...
 we're setting up a new warehouse, 6am-6pm Mon-Sun is standard, I drag home & 
 fall asleep on the computer :)  However, I'm not sure what exactly PAP or
 CHAP authentication is & I only have a vague idea of what the windows RAS
 server is.  Prior to asking all my questions I did check out the earthlink
 site to see if it contained any useful info...  only thing I found was
 windows, been there, been hacked.

For information on how Linux PPP works, the Linux PPP HOWTO is
a good resource.  It's at http://www.tldp.org/HOWTO/PPP-HOWTO/ .
Earthlink used to publish linux connection instructions, but they
don't seem to now.  Looks like they're still available via
help.mindspring.com (EL and MS merged in 2000):

  http://help.mindspring.com/support/browse/general_info/toc/d0119.htm
  http://help.mindspring.com/modules/01400/01419.htm

--Brad


 Patrick





RE: [leaf-user] DHCP stuff (more)

2002-07-30 Thread Ray Olszewski

Could I ask you to clarify a bit about what you have been trying?

First, how many different computers have you tested? Did you try Gnatbox 
software and Dachstein on the same computer (or do you have the hardware 
version of Gnatbox)? Is the Win98 computer a different physical machine?

Second, when you say "My cable supplier changed my server location 
recently", what *exactly* do you mean? That they changed the IP address of 
your DHCP server? Or something else? In any case, were there any other 
changes coincident to the one you report on the ISP end?

Third, -AFTER- the ISP made this change, what was the FIRST computer you 
connected directly to the service? I want to rule out the possibility that 
the reason the Win98 machine works and the other does (or others do) not is 
the use of MAC address authentication by the ISP.

Fourth, you say that "My ISP uses a regular IP address for its DHCP server 
(65.252.128.3)". When you have a connection (with the Win98 host), is this 
address on your external network? (If you are not sure what this means, 
then let us see the routing table of the Win98 host.)

Finally, just to be clear, are we correct in understanding that prior to 
this change by the ISP, the Gnatbox worked just fine but you had never 
tried Dachstein on the connection? Also that prior to the change, the ISP 
had already been using DHCP assignment for your hookup? And that after the 
change, you were using the same hardware, unchanged, first with Gnatbox, 
then with Dachstein?

If I seem a bit picky about all these questions ... successful 
troubleshooting is usually a matter of finding the answer somewhere in the 
details, so we need to have the details right. Since Dachstein does usually 
work, we need to figure out what about your circumstances is unusual.

At 09:33 PM 7/30/02 -0500, DJ Roki wrote:
[intermediate stuff deleted]
  -Original Message-
  From: roki [mailto:[EMAIL PROTECTED]]
  Sent: Wednesday, 31 July 2002 10:13 AM
  To: [EMAIL PROTECTED]
  Subject: [leaf-user] DHCP stuff (more)
[...]
  My cable supplier changed my server location recently and since then I
  have been unable to set up a firewall to connect to it's DHCP server.
 
  I was originally using Gnatbox but when this failed I tried Dachstein.
  The problem seems to be the same with each.
 
  I can connect to my ISP's DHCP server using Windows 98SE without
  problem, but using both Gnatbox and Dachstein, DHCP requests timeout
  without any offer or reply from the server.  I have tested my NICs and
  they are fine and correctly orientated.
 
  I get the message DHCPDISCOVER on ETH0 to 255.255.255.255 port 67
  repeatedly until a final NO OFFERS WERE RECEIVED message.
 
  Ping requests to external IPs fail on a Type 1 error.  Ping requests and
  DHCP on the local network work fine.
 
  I have left DHCLIENT.conf setup as default as I have not needed to
  supply any specific information from Windows or Gnatbox in the past.
[...]


--
"Never tell me the odds!"                                   -- Han Solo
Ray Olszewski
Palo Alto, California, USA                           [EMAIL PROTECTED]






Re: [leaf-user] Bering - internet disappears, clues for newbie

2002-07-30 Thread lbilyeu

swfla.rr.com == aka == timewarner/roadrunner cable
I'm using the default setup on the Bering_1.0rc3 floppy1680 image
---except I went ahead and removed norfc1918 from 
/etc/shorewall/interfaces'  eth0

I'm still having the outside world suddenly disappear.
I can login to the firewall itself and ping the upstream BootP server 
address, but nothing outside of it.

Yes, if I powercycle the cable modem and issue:
#shorewall stop
#svi networking restart
#shorewall start
  Shorewall Already Started
Everything works again, and I get a new DHCP Lease.
The strange thing is that the old lease wasn't supposed to renew/expire 
for another 5 hours.

 could you dump
 iptables -t nat -vnL > zz
 iptables --vnL > zz
 . . . it sounds like it's not keeping up with his DHCP lease so I wanted
 to see how the rules are.

hmm, my Bering doesn't like the --vnL
so I did it with only a single dash -vnL
here's the dump . . .

Chain PREROUTING (policy ACCEPT 241 packets, 17089 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 1309 packets, 86217 bytes)
 pkts bytes target     prot opt in     out     source               destination
  185 11100 MASQUERADE ah   --  *      eth0    192.168.1.0/24       0.0.0.0/0

Chain OUTPUT (policy ACCEPT 1311 packets, 87121 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy DROP 2 packets, 138 bytes)
 pkts bytes target     prot opt in     out     source               destination
  511 50052 ACCEPT     ah   --  lo     *       0.0.0.0/0            0.0.0.0/0
  207 57264 eth0_in    ah   --  eth0   *       0.0.0.0/0            0.0.0.0/0
  214 14275 eth1_in    ah   --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 common     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        ah   --  *      *       0.0.0.0/0            0.0.0.0/0  LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
    0     0 reject     ah   --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 2365 1644K eth0_fwd   ah   --  eth0   *       0.0.0.0/0            0.0.0.0/0
 1861  199K eth1_fwd   ah   --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 common     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        ah   --  *      *       0.0.0.0/0            0.0.0.0/0  LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
    0     0 reject     ah   --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  511 50052 ACCEPT     ah   --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0  state INVALID
    4   288 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0  udp dpts:67:68
 1432 92881 fw2net     ah   --  *      eth0    0.0.0.0/0            0.0.0.0/0
  171 15610 all2all    ah   --  *      eth1    0.0.0.0/0            0.0.0.0/0
    0     0 common     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        ah   --  *      *       0.0.0.0/0            0.0.0.0/0  LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:'
    0     0 reject     ah   --  *      *       0.0.0.0/0            0.0.0.0/0

Chain all2all (3 references)
 pkts bytes target     prot opt in     out     source               destination
  171 15610 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0  state RELATED,ESTABLISHED
    0     0 common     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        ah   --  *      *       0.0.0.0/0            0.0.0.0/0  LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:'
    0     0 reject     ah   --  *      *       0.0.0.0/0            0.0.0.0/0

Chain common (5 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 icmpdef    icmp --  *      *       0.0.0.0/0            0.0.0.0/0
   35  1820 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0  tcp flags:0x10/0x10
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0  tcp flags:0x04/0x04
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0  udp dpts:137:139 reject-with icmp-port-unreachable
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0  udp dpt:445 reject-with icmp-port-unreachable
    0     0 reject     tcp  --  *      *       0.0.0.0/0

Re: [leaf-user] traceroute through Bering firewall

2002-07-30 Thread Dan Harkless


[EMAIL PROTECTED] writes:
 There are some hacks based on ICMP like the icmp redirect message.
 So is there a specific danger to allow this from your internal network?
 I don't know depends on how much you trust the people on your internal network
 I suppose.

Well, on my home network it's just me, so that figure would be ~100%, but I
suppose I can't necessarily say the same about my company's internal network.

 I have done a network monitor of a traceroute session and traceroute uses
 identical packets as ping does just with shorter TTL.
 Traceroute in MS is based on the fact that if the TTL becomes 0 the
 router that drops the packet because of this sends you a time to live exceeded
 in transit back. (This message contains the router's IP address).

Ah.  Very interesting.  Now I begin to see how UDP packets could do the
traceroute magic as well...

 MS traceroute sends 3 of these packets to every hop.
 So if 1 of them is timing out it is probably a site between you and
 your traceroute target that has icmp replies filtered.
 
 Bottom line it is probably out of your hands. Someone on the road is
 blocking icmp. It doesn't kill traceroute but it means you're missing one hop.

Um, right.  It's the first hop.  My Bering firewall.  That's what we were
talking about...

--
Dan Harkless
[EMAIL PROTECTED]
http://harkless.org/dan/
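The TTL mechanism Kim describes above, as an added simulation that is not code from this thread or from any traceroute implementation: each router decrements the TTL, the router that takes it to zero answers with ICMP Time Exceeded carrying its own address, a hop that filters those errors shows up as "* * *" while the trace still completes, and UDP probes to an unused high port produce the same hop list as ICMP echo probes. The path, addresses and filtering behaviour are constructed.

```python
"""Simulation of the TTL / ICMP Time Exceeded mechanism behind traceroute.
Added example for the leaf-user thread; path and addresses are constructed."""
from dataclasses import dataclass


@dataclass
class Router:
    address: str
    # A hop that filters outbound ICMP errors still forwards traffic but never
    # reports Time Exceeded, so traceroute prints "* * *" for it.
    sends_icmp_errors: bool = True


@dataclass
class Probe:
    ttl: int
    proto: str  # "icmp-echo" (Windows tracert) or "udp" (unix traceroute)


def forward(path, target, probe):
    """Walk one probe along the path and return (reply_kind, replier_address);
    (None, None) means nobody answered before the timeout."""
    ttl = probe.ttl
    for router in path:
        ttl -= 1
        if ttl == 0:
            if router.sends_icmp_errors:
                return ("time-exceeded", router.address)  # ICMP type 11
            return (None, None)
    # The probe survived every router and arrived at the target host.
    if probe.proto == "icmp-echo":
        return ("echo-reply", target)
    # Unix traceroute aims at an unused high UDP port (33434 and up), so the
    # target's stack answers with ICMP Port Unreachable; no listener is needed.
    return ("port-unreachable", target)


def traceroute(path, target, proto="icmp-echo", probes_per_hop=3, max_ttl=30):
    """Return [(ttl, [replier or '*', ...]), ...], stopping once the target
    itself answers, the way tracert/traceroute do."""
    rows = []
    for ttl in range(1, max_ttl + 1):
        repliers, reached = [], False
        for _ in range(probes_per_hop):
            kind, who = forward(path, target, Probe(ttl, proto))
            repliers.append(who if who is not None else "*")
            reached = reached or kind in ("echo-reply", "port-unreachable")
        rows.append((ttl, repliers))
        if reached:
            break
    return rows


def silent_hops(rows):
    """TTLs at which no probe was answered: a hop filtering ICMP errors, not
    a broken path, since the trace still reaches the target."""
    return [ttl for ttl, repliers in rows if all(r == "*" for r in repliers)]


def render(rows):
    return "\n".join(f"{ttl:3d}  " + "  ".join(repliers) for ttl, repliers in rows)


# Constructed path: a LEAF box that does not emit ICMP errors toward the LAN
# (hop 1), two ISP routers, and the target; addresses from documentation ranges.
PATH = [
    Router("192.168.1.254", sends_icmp_errors=False),
    Router("192.0.2.1"),
    Router("198.51.100.1"),
]
TARGET = "203.0.113.10"

if __name__ == "__main__":
    for proto in ("icmp-echo", "udp"):
        print(f"--- {proto} probes ---")
        print(render(traceroute(PATH, TARGET, proto)))
        print("silent hops:", silent_hops(traceroute(PATH, TARGET, proto)))
```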





Re: [leaf-user] Bering - internet disappears, clues for newbie

2002-07-30 Thread Ray Olszewski

At 12:31 AM 7/31/02 -0400, lbilyeu wrote:
swfla.rr.com == aka == timewarner/roadrunner cable
I'm using the default setup on the Bering_1.0rc3 floppy1680 image
---except I went ahead and removed norfc1918 from 
/etc/shorewall/interfaces'  eth0

I'm still having the outside world suddenly disappear.
I can login to the firewall itself and ping the upstream BootP server 
address, but nothing outside of it.

"Disappear" is not a technical description.

*How* do the unsuccessful ping attempts fail (if you don't know the variety 
of ways ping can report failure, refer to the LEAF FAQs)?

Can you ping your default gateway address (which may be the same as or 
different from what you call your BootP server)?

If you try a traceroute out to the Internet (for example, to my IP address 
-- 63.198.182.124), where does it fail?

At the time of failure, what do the following commands report?

 ip addr show
 netstat -nr

(That is, do you still have a working interface and routing table?) And if 
the BootP server is different from the gateway, what is its address?

How long do you wait before restarting? Might this just be flaky 
connectivity between your ISP and the Internet, and your fix a false 
solution (it just kills some time, and during that time, connectivity is 
restored)?

When you get a new DHCP lease, does it have the same or different gateway 
and nameserver addresses?

Finally, are you doing all of this testing by IP address (not FQN)? If you 
are pinging by name, you might be having DNS resolution problems, not 
actual connectivity problems.

Just to be clear ... if the problem is with DHCP lease renewal, then it 
probably is in the firewalling, and Tom or some other Shorewall expert 
needs to comment on the ruleset (which I've deleted here). But the symptoms 
don't sound like a DHCP problem ... you can still ping some external 
address, and you say the lease still has 5 hours to run ... which is why I 
am raising these more standard routing questions.

Oh, one more comment ...
[...]

One last bit of worthless trivia,
this location has been running successfully with Dachstein
on a different Box for over 11 months.
So there must be something weird in DHCP
that TimeWarner has setup for swfla.rr.com

(we're upgrading from a 386sx and figured
while we upgrade the hardware,
we'd upgrade the software too)

While Bering is a different LEAF variant than Dachstein, with a slightly 
different focus, I would not characterize it as an upgrade.  Just a good 
alternative.



--
"Never tell me the odds!"                                   -- Han Solo
Ray Olszewski
Palo Alto, California, USA                           [EMAIL PROTECTED]






Re: [leaf-user] Re: re sh-httpd perm Bug

2002-07-30 Thread Dan Harkless


Eric Wolzak [EMAIL PROTECTED] writes:
  Of course weblet is still doing something I consider wrong -- it's saying
  the firewall is in red light / ERROR mode just because it has 251 denied
  or rejected packets.  Isn't this the whole point of a firewall, to deny and
  reject those packets?  How is this an ERROR?  At worst, it should be at
  yellow alert.
 This depends on what you log and in what environment you are.
 On some of my internal boxes 251 would be a whole lot :) 

Right, but I'm sure the vast majority of LEAF installations are exposed to
the Internet, not sequestered on some internal network.

 You can change the settings for your individual system in 
 3) Packages configuration  
 Weblet
 
 2) LRP web page configuration
 
 
 # Warning/Error thresholds for the weblet utility
 # Disable checking of any value by setting it to -1
 
 # Firewall thresholds: deny/reject messages
 WRN_FW=5
 ERR_FW=50
 
 WRN_FW is the number of logged packets after which the color 
 changes to yellow
 
 ERR_FW is the number of logged packets to change to red

Thanks, I hadn't noticed those parameters.  The default values do seem
unreasonably low, if most people are using LEAF on the Internet.

But I guess I don't really agree with the design philosophy in general.  How
many packets on an Internet-facing firewall is the right number to be
considered an ERROR?

To me, going to red-light mode just because there are "a lot" (however you
define "a lot") of denied and rejected packets means that you're crying
wolf, and conditions people not to click on the red light to find out what's
wrong.  I think the ERROR case should be saved for when things are
seriously wrong, like the firewall is failing to process packets, or all
rules have been cleared, or things of that nature.

Again, I'm perfectly happy with the use of the yellow light to indicate a
high number of denied/rejected packets, just not with the use of the red
light to indicate even more of them.

--
Dan Harkless
[EMAIL PROTECTED]
http://harkless.org/dan/





Re: [leaf-user] Re: re sh-httpd perm Bug

2002-07-30 Thread Dan Harkless


Julian Church [EMAIL PROTECTED] writes:
 There's also the possibility that the bulk of those packets are from one or 
 two harmless sources that you don't really need to worry about - it's 
 common for cable/ADSL systems to spew forth all sorts of stuff of this 
 type.  If this is the case it might be helpful to fiddle with your firewall 
 rules so these things don't get logged in the first place.

I believe my ADSL provider is quite clean as far as unnecessary packet
spewage goes (and I know my ISP is), but I'll check again.

 I'd be inclined to do the latter, mainly because I only really want stuff 
 that I have to think about in my logs and I find a lot of extra rows of 
 harmless activity often make more important entries difficult to spot, but 
 it's your firewall - you should do whichever you want.

I don't think this applies in my case, but it's a good point to bring up --
thanks.

--
Dan Harkless
[EMAIL PROTECTED]
http://harkless.org/dan/
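An added example, not weblet's or Shorewall's own code, that applies the WRN_FW/ERR_FW thresholds Eric quoted earlier in this thread to Shorewall log lines and breaks the count down by source and destination port, which is the check Julian's suggestion calls for before deciding whether the logged packets are one or two harmless chatty hosts. The log lines and addresses are constructed samples in the netfilter LOG format with the chain prefixes seen in the ruleset posted in this thread; reading "after which" as "count must exceed the threshold" is an assumption.

```python
"""Classify Shorewall deny/reject log volume with the weblet thresholds and
find the sources behind it.  Added example; sample log lines are constructed."""
import re
from collections import Counter

# Shorewall logs through the netfilter LOG target, so each line carries the
# chain prefix from the ruleset (Shorewall:INPUT:REJECT:) followed by the
# packet header fields.  Constructed sample (documentation addresses), with one
# unrelated syslog line that the parser must skip.
SAMPLE_LOG = """\
Jul 30 22:01:05 fw kernel: Shorewall:INPUT:REJECT:IN=eth0 OUT= SRC=192.0.2.45 DST=192.0.2.99 PROTO=UDP SPT=137 DPT=137
Jul 30 22:01:06 fw dhclient: DHCPREQUEST on eth0 to 192.0.2.1 port 67
Jul 30 22:01:17 fw kernel: Shorewall:INPUT:REJECT:IN=eth0 OUT= SRC=192.0.2.45 DST=192.0.2.99 PROTO=UDP SPT=137 DPT=137
Jul 30 22:01:29 fw kernel: Shorewall:INPUT:REJECT:IN=eth0 OUT= SRC=192.0.2.45 DST=192.0.2.99 PROTO=UDP SPT=137 DPT=137
Jul 30 22:02:02 fw kernel: Shorewall:INPUT:REJECT:IN=eth0 OUT= SRC=192.0.2.45 DST=192.0.2.99 PROTO=UDP SPT=138 DPT=138
Jul 30 22:02:40 fw kernel: Shorewall:INPUT:REJECT:IN=eth0 OUT= SRC=192.0.2.45 DST=192.0.2.99 PROTO=UDP SPT=137 DPT=137
Jul 30 22:03:11 fw kernel: Shorewall:INPUT:REJECT:IN=eth0 OUT= SRC=192.0.2.45 DST=192.0.2.99 PROTO=UDP SPT=137 DPT=137
Jul 30 22:05:48 fw kernel: Shorewall:INPUT:REJECT:IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.99 PROTO=TCP SPT=3921 DPT=445
Jul 30 22:09:13 fw kernel: Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.168.1.10 PROTO=ICMP TYPE=8 CODE=0
""".splitlines()

LOG_RE = re.compile(
    r"Shorewall:(?P<chain>\w+):(?P<action>DROP|REJECT):"
    r".*?\bSRC=(?P<src>[\d.]+)"
    r".*?\bPROTO=(?P<proto>\w+)"
    r"(?:.*?\bDPT=(?P<dpt>\d+))?"   # absent for ICMP
)


def parse_firewall_log(lines):
    """Yield one dict per logged DROP/REJECT; other syslog lines are skipped."""
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            yield m.groupdict()


def weblet_status(count, wrn_fw=5, err_fw=50):
    """Light colour for a count of logged packets, following the quoted
    config: -1 disables a check, and the colour changes once the count is
    past the threshold (assumed reading of "after which")."""
    if err_fw != -1 and count > err_fw:
        return "red"
    if wrn_fw != -1 and count > wrn_fw:
        return "yellow"
    return "green"


def summarize(lines, wrn_fw=5, err_fw=50, ignore_sources=(), top=3):
    """Count logged packets, apply the thresholds and list the busiest
    sources and destination ports.  ignore_sources models the option of not
    logging known-harmless hosts in the first place."""
    entries = [e for e in parse_firewall_log(lines) if e["src"] not in ignore_sources]
    by_src = Counter(e["src"] for e in entries)
    by_port = Counter(f"{e['proto']}/{e['dpt'] or '-'}" for e in entries)
    return {
        "total": len(entries),
        "status": weblet_status(len(entries), wrn_fw, err_fw),
        "top_sources": by_src.most_common(top),
        "top_ports": by_port.most_common(top),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['total']} logged packets -> {report['status']}")
    for src, n in report["top_sources"]:
        print(f"  {src:<16} {n}")
    for port, n in report["top_ports"]:
        print(f"  {port:<16} {n}")
    print("without the NetBIOS chatterer:",
          summarize(SAMPLE_LOG, ignore_sources={"192.0.2.45"})["status"])
```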





Re: [leaf-user] HOW TO ADD STATIC ROUTES TO BERING..

2002-07-30 Thread Jeff Newmiller

On Tue, 30 Jul 2002, Troy Aden wrote:

 I've done a fair amount of digging and I can't find any documentation on how to
 add static routes to Bering. Can anyone tell me how to do it or point me to
 the documentation. I am trying to add 4 static routes. 

Read the comments in /etc/network/interfaces.  You can learn more about
the format of this file in man 5 interfaces [1].

Something like 
---
auto eth0
iface eth0 inet static
   address 192.168.1.1
   masklen 24
   broadcast 192.168.1.255
auto eth1
iface eth1 inet static
   address 192.168.2.1
   masklen 24
   broadcast 192.168.2.255
auto eth2
iface eth2 inet static
   address 192.168.3.1
   masklen 24
   broadcast 192.168.3.255
auto eth3
iface eth3 inet static
   address 192.168.4.1
   masklen 24
   broadcast 192.168.4.255
---

ought to do it.

[1] http://www.fifi.org/cgi-bin/man2html/usr/share/man/man5/interfaces.5.gz

---
Jeff NewmillerThe .   .  Go Live...
DCN:[EMAIL PROTECTED]Basics: ##.#.   ##.#.  Live Go...
  Live:   OO#.. Dead: OO#..  Playing
Research Engineer (Solar/BatteriesO.O#.   #.O#.  with
/Software/Embedded Controllers)   .OO#.   .OO#.  rocks...2k
---







RE: [leaf-user] HOW TO ADD STATIC ROUTES TO BERING..

2002-07-30 Thread kimoppalfens

http://leaf.sourceforge.net/devel/ericw/ip-syntax.php

This should help you figure it out.
If you need more help just give a yell.

Kim Oppalfens

-- Original Message --
From: Troy Aden [EMAIL PROTECTED]
To: Leaf-User (E-mail) [EMAIL PROTECTED]
Subject: [leaf-user] HOW TO ADD STATIC ROUTES TO BERING..
Date: Tue, 30 Jul 2002 21:10:27 -0600


I've done a fair amount of digging and I can't find any documentation on how
to add static routes to Bering. Can anyone tell me how to do it or point me
to the documentation. I am trying to add 4 static routes.

Thanks in advance. 

   Troy




