Re: [leaf-user] tc not found

2002-09-11 Thread Jacques Nilo

tc.lrp - patched for HTB support - is provided on the Bering floppy !
It is not activated by default. To do so, declare it in the syslinux.cfg file.
See:
http://leaf.sourceforge.net/devel/jnilo/bipackages.html#AEN833
http://leaf.sourceforge.net/devel/jnilo/biaddrm.html#AEN509

Also do not forget to load the HTB modules (if you are using this QoS)
http://leaf.sourceforge.net/devel/jnilo/bering/latest/modules/net/sched/

Jacques

 I found tc.lrp by Google search and have found it a good way to get my
 lrps. Maybe you can follow this in future.

 Mohan

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]]On Behalf Of Roberto
 Pereyra
 Sent: 10 September 2002 18:13
 To: leaf
 Subject: [leaf-user] tc not found



 Hi

 I am using Bering 1.0 r3, and I want to use iproute to manage my bandwidth.

 I have the tc.lrp package on my disk, and I enabled the tc options in the
 shorewall conf.

 When booting, shorewall says 'tc not found', so I did

 whereis tc

 and I can't find it.

 I found ip utility and run fine.

 What happened? Was tc missing from tc.lrp in Bering 1.0 r3?

 Where can I download it?

 Excuse my poor English, I am a Spanish speaker.

 thanks a lot

 roberto


 ---
 This sf.net email is sponsored by: OSDN - Tired of that same old
 cell phone?  Get a new here for FREE!
 https://www.inphonic.com/r.asp?r=sourceforge1refcode1=vs3390
 
 leaf-user mailing list: [EMAIL PROTECTED]
 https://lists.sourceforge.net/lists/listinfo/leaf-user
 SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html



 ---
 In remembrance
 www.osdn.com/911/
 
 leaf-user mailing list: [EMAIL PROTECTED]
 https://lists.sourceforge.net/lists/listinfo/leaf-user
 SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html





Re: [leaf-user] Inetd on bering rc3

2002-09-11 Thread Jacques Nilo

On Wednesday 11 September 2002 03:49, S Mohan wrote:
 I've now getting to some deployment scenarios after playing around with
 bering. I've a few doubts and would appreciate some pointers.

 1. In shorewall, the FAQ/doc says that sshd should be commented in inetd
 for it to work. I thought it was there to make sure controls of
 host.deny and host.allow could apply. Why is it being commented?
All Bering distros so far, up to and including rc3, expect sshd to run through
inetd. Therefore you have in inetd.conf:
<snip>
#:OTHER: Other services
ssh     stream  tcp     nowait  root      /usr/sbin/tcpd  /usr/sbin/sshd -i
www     stream  tcp     nowait  sh-httpd  /usr/sbin/tcpd  ... <snip>
<snip>
Prior to sshd 3.4p1 the /etc/init.d/sshd script was a dummy script since
sshd was running by default through inetd.conf.

With sshd 3.4p1, as mentioned in the changelog, the /etc/init.d/sshd script
runs sshd as a normal daemon that will stay in memory. This is compliant with
the sshd Debian package. That is why you have to comment out the ssh line in
inetd.conf if you are using Bering rc3. Of course that will be the default in
rc4.
I thought it was pretty clear in the changelog statement of sshd 3.4p1.
But apparently not...
http://leaf.sourceforge.net/devel/jnilo/openssh1.html#AEN55
http://leaf.sourceforge.net/devel/jnilo/packages/openssh-3.4p1/README.txt

 2. I shut down shorewall and changed all policies to accept to first see
 if my services are going thro'. When I try to login thro' ssh to the
 bering box, the login takes almost 4 minutes to show up on the screen.
 My bering box is a P4 1.7Mhz with 512MB RAM! I'm sure something is wrong
 in the config but do not know what.
Once again, this is a FAQ.
http://leaf.sourceforge.net/devel/jnilo/openssh4.html#AEN184
Add your client IP address to your router's /etc/hosts file.

 3. I tried running weblet using /usr/sbin/sh-httpd and then did a ps.
 Ps shows stopped for sh-httpd (tty input). I cannot run sh-httpd as a
 service using svi as no entry in /etc/init.d exists. Am I wrong? I also
 configured weblet to accept client logins from a specified network by
 uncommenting that line. When I invoke sh-httpd after this, I'm getting
 Exit 1 status in ps ax. Why would this be? I went back and commented
 that line, sh-httpd worked as earlier.
I leave that one to someone else :-)

 4. Will lrps from oxygen or dachenstein work on bering? Some of the lrps
 I need are not available on bering - wget, vrrpd etc.
Generally yes. Be careful since some Oxygen packages are glibc 2.1 based.
Dachstein should work in most cases but in some cases you might need to modify
the scripts (e.g. dhclient).
My advice: just give it a try ...

Jacques





[leaf-user] Re: Bering and bridging...

2002-09-11 Thread Jacques Nilo

On Wednesday 04 September 2002 15:39, you wrote:
 Hi Jacques,

 I've been playing around with the Bering distribution of LEAF and I've hit
 a brick wall when trying to find good documentation about bridging. I'm
 relatively new to linux and LEAF but I'm experienced with Unix so this is
 driving me nuts!

 It seems to me (and about 10 friends of mine who all want to do it if I can
 figure it out) that an incredibly great use for LEAF is as a very simple
 home broadband router. Now in the default configuration with 2 ethernet
 cards it works great (I've got it running on one of my spare P200s now) but
 I'd like to ditch the hub. I'm trying to add a 3rd or 4th network card and
 bridge eth1, eth2 and eth3 all together so that clients can be plugged into
 any of them and still get DHCP'd addresses and have access to the internet.

 There is lots of documentation about setting up a DMZ, but nothing out
 there about bridging the extra cards. I'm sure it is easy as pie but I just
 can't find anything. I figured I'd write to you and see if you knew of any
 sites since you seem to have the *best* LEAF documentation available!

 Any assistance you might be able to provide would be great!!!

Neil:
The bridging part of Bering is indeed poorly documented.
I am looking for volunteers to write up a chapter on this in the Bering 
user's guide. No success so far :-(
I hope you have at least read this:
http://leaf.sourceforge.net/devel/jnilo/bridge.html
also 
http://bridge.sourceforge.net/
http://www.tldp.org/HOWTO/mini/Bridge/
http://www.tldp.org/HOWTO/HOWTO-INDEX/networking.html#NETBRIDGE

Also please post your request to the Leaf user list. You can get better 
feedback from there.

Jacques





[leaf-user] PCMCIA Adapters

2002-09-11 Thread brosky

Hi

What modules should I load to have support
for PCMCIA ISA/PCI adapters?


bye







[leaf-user] Dachstein /Bering and Speedtouch USB ADSL

2002-09-11 Thread Matthew Pozzi

Well the only thing that looks like stopping both Dachstein and Bering is
the compilation of CONFIG_USB_DEVICEFS into the kernel. This allows usbdevfs
support.

Jacques pointed this out on Aug 23 and I learnt this the hard way. He points
this out in his email but I found this after the fact while looking for Jeff
Newmiller's mail some weeks ago. Thank you Jacques.

Now has any kind soul compiled 2.2.19-3 for this? If not is there someone
out there prepared to do this?

The kernel config files are available from Charles' site and may I suggest
a full blown IPSEC IDE kernel be made. That way all can benefit in
some way; let's face it, if they are doing USB they're going to have more than
one floppy.

I look forward to hearing from someone, please?

Matt






Re: [leaf-user] Unable to bring up interfaces

2002-09-11 Thread Brad Fritz


On Wed, 11 Sep 2002 10:32:30 +0530 S Mohan wrote:

 Shorewall by default disables ping - is it not?

That statement is somewhat ambiguous.  There are also two defaults
to consider: Jacques' modified shorwall.lrp and Tom's original
shorwall.lrp.  Even if some ICMP traffic was restricted by default,
it seems unlikely that such behavior would override an ACCEPT policy.
(Obviously assuming that Kyle is using ACCEPT for loc - net.)


 But you say you are able to
 ping from both internal and external networks! Maybe you should first try a
 masquerade without limiting services. If it works, then try other services.

Or just verify that masquerading is enabled via /etc/shorewall/masq .
I should have mentioned that in my previous posting.

 I also think Shorewall disables forwarding by echoing 0 into rp_filter of
 each device. This is again a security measure. Is that creating problems?

Did you mean ip_forward?  Summarizing the kernel
documentation[1], rp_filter determines if source validation is
done and can be used to help prevent spoofing attacks.

Shorewall does control ip_forward, but as long as you have
shorewall configured properly, there shouldn't be any reason
to adjust it manually.

--Brad

[1] /usr/src/kernel-source-2.4.18/Documentation/filesystems/proc.txt

 Check this out. The way I would go about this is to first stop shorewall,
 turn on masquerading in iptables by hand and see if what you want works. If
 it does, then I would start up shorewall and try the same in shorewall.

 HTH
 
 Mohan





[leaf-user] running LEAF on a Xbox ??

2002-09-11 Thread Fabrice LABORIE

Wouldn't it be cool to have LEAF on an Xbox?

http://xbox-linux.sourceforge.net/
http://www.linuxfrench.net/article.php3?id_article=1021

It seems that the boot sequence is different, and there are still
other issues ... but I suppose it could be possible ;-)




RE: [leaf-user] Dachstein floppy

2002-09-11 Thread Matt Walker

OK - I'm still stuck.  Could anyone help me out?

I've got a range of IP addresses

 213.107.212.9  (adsl modem)
 213.107.212.10 (firewall WAN interface)
 213.107.212.11 (incoming email comes to this address)
 213.107.212.12 (DMZ - not used yet)

Trying to let incoming mail through to the mail server (213.107.212.11 ->
mail server 192.168.175.1).

With help i've got:

assign extra IPs to the external interface:
eth0_IP_EXTRA_ADDRS=213.107.212.11 213.107.212.12

allow e-mail traffic through the firewall filters with the following:
EXTERN_TCP_PORT0=0/0 smtp 213.107.212.11

port-forward the traffic to your exchange server:
INTERN_SERVERS=tcp_213.107.212.11_smtp_192.168.175.1_smtp

But, still no joy.  In particular, I notice that

the additional IPs I've added have a different subnet entry from the primary
eth0: is this OK?
I can ping the firewall eth0 interface IPs (apart from the .11 for some
reason?) from the internet (which I couldn't do with the old firewall):
is this a bad setup by me?

Thanks for ANY help!!

Cheers,

Matt W

1: lo:  mtu 3924 qdisc noqueue 
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope global lo
2: eth0:  mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:60:08:5e:90:46 brd ff:ff:ff:ff:ff:ff
inet 213.107.212.10/29 brd 213.107.212.15 scope global eth0
inet 213.107.212.11/32 scope global eth0
inet 213.107.212.12/32 scope global eth0
3: eth1:  mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:08:c7:39:af:07 brd ff:ff:ff:ff:ff:ff
inet 192.168.175.9/24 brd 192.168.175.255 scope global eth1

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
213.107.212.8   0.0.0.0         255.255.255.248 U     0      0        0 eth0
192.168.175.0   0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         213.107.212.9   0.0.0.0         UG    0      0        0 eth0

Chain input (policy DENY: 0 packets, 0 bytes):
 pkts bytes target prot opt tosa tosx ifname mark outsize source           destination      ports
    0     0 DENY   icmp l-  0xFF 0x00 *                   0.0.0.0/0        0.0.0.0/0        5 ->   *
  164       DENY   icmp l-  0xFF 0x00 *                   0.0.0.0/0        0.0.0.0/0        13 ->  *
    0     0 DENY   icmp l-  0xFF 0x00 *                   0.0.0.0/0        0.0.0.0/0        14 ->  *
    0     0 DENY   all  l-  0xFF 0x00 eth0                0.0.0.0          0.0.0.0/0        n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0                255.255.255.255  0.0.0.0/0        n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0                127.0.0.0/8      0.0.0.0/0        n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0                224.0.0.0/4      0.0.0.0/0        n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0                10.0.0.0/8       0.0.0.0/0        n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0                172.16.0.0/12    0.0.0.0/0        n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0                192.168.0.0/16   0.0.0.0/0        n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0                0.0.0.0/8        0.0.0.0/0        n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0                128.0.0.0/16     0.0.0.0/0        n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0                191.255.0.0/16   0.0.0.0/0        n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0                192.0.0.0/24     0.0.0.0/0        n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0                223.255.255.0/24 0.0.0.0/0        n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0                240.0.0.0/4      0.0.0.0/0        n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0                192.168.175.0/24 0.0.0.0/0        n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0                213.107.212.10   0.0.0.0/0        n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0                213.107.212.11   0.0.0.0/0        n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0                213.107.212.12   0.0.0.0/0        n/a
    0     0 REJECT all  l-  0xFF 0x00 eth0                0.0.0.0/0        127.0.0.0/8      n/a
    0     0 REJECT all  l-  0xFF 0x00 eth0                0.0.0.0/0        192.168.175.0/24 n/a
    0     0 REJECT tcp  --  0xFF 0x00 eth0                0.0.0.0/0        0.0.0.0/0        * ->   137
    0     0 REJECT tcp  --  0xFF 0x00 eth0                0.0.0.0/0        0.0.0.0/0        * ->   135
   33  2574 REJECT udp  --  0xFF 0x00 eth0                0.0.0.0/0        0.0.0.0/0        * ->   137
    0     0 REJECT udp  --  0xFF 0x00 eth0                0.0.0.0/0        0.0.0.0/0        * ->   135
    0     0 REJECT tcp  --  0xFF 0x00 eth0                0.0.0.0/0        0.0.0.0/0        * ->   138:139
    0     0 REJECT udp  --  0xFF 0x00 eth0                0.0.0.0/0        0.0.0.0/0        * ->   138


[leaf-user] installation error

2002-09-11 Thread karte

hi
trying to be a new user ;)
 but I have this error message when booting on my old 486 DX:

INIT: CANNOT execute /sbin/getty
INIT: id 1 responding too fast: disable

and the boot stops, repeating the last line several times

what does it mean??

tnx






[leaf-user] Re: Question: (user's guide) 12. Monitoring Bering through a terminal console

2002-09-11 Thread Jacques Nilo

On Wednesday 11 September 2002 15:09, David Shu wrote:
 Hi Jacques,

 Firstly thanks for the great work with the Bering firewall.  Your
 documentation is second to none and I've found it very easy to get things
 working despite my limited knowledge and experience with *nix.

 I've just enabled my router/firewall to be serially accessed through a
 terminal console and all seems to be working fine till I edit files.  Somehow,
 there seems to be a severe lag and refresh line going through the
 screen every time I move down or up a line.  Is this a known bug?  Or have I
 possibly done something wrong?

 I've not changed anything from your recommended values (Serial Port 1, baud
 19200).  I'm using secureCRT with similar values to access the router (I
 tried TeraTerm with similar results).  Like I said before, there are no
 problems till I edit files (I've tried e3, e3vi, ae).  All other times
 everything is displaying well and smoothly..

 Any ideas?
I understand that you only have that problem when using the editor (by the way e3,
e3vi and ae are all linked to the same program ...)
I am forwarding your mail to the leaf-user list for assistance on this matter
since I never use a serial connection myself.
Any idea anyone ?
Jacques





Re: [leaf-user] Re: Question: (user's guide) 12. Monitoring Beringthrough a terminal console

2002-09-11 Thread Stephen Lee

On Wed, 2002-09-11 at 11:16, Jacques Nilo wrote:
 On Wednesday 11 September 2002 15:09, David Shu wrote:
  Hi Jacques,
 
  Firstly thanks for the great work with the Bering firewall.  Your
  documentation is second to none and I've found it very easy to get things
  working despite my limited knowledge and experience with *nix.
 
  I've just enabled my router/firewall to be serially accessed through a
  terminal console and all seems to be working fine till I edit files.  Somehow,
  there seems to be a severe lag and refresh line going through the
  screen every time I move down or up a line.  Is this a known bug?  Or have I
  possibly done something wrong?
 
  I've not changed anything from your recommended values (Serial Port 1, baud
  19200).  I'm using secureCRT with similar values to access the router (I
  tried TeraTerm with similar results).  Like I said before, there are no
  problems till I edit files (I've tried e3, e3vi, ae).  All other times
  everything is displaying well and smoothly..
 
  Any ideas?
 I understand that you only have that problem when using the editor (by the way e3, 
 e3vi and ae are all linked to the same program ...)
 I am forwarding your mail to the leaf-user list for assistance on this matter 
 since I never use a serial connection myself.
 Any idea anyone ?
 Jacques

I have the same refresh problem when communicating with the serial
port to Bering 1.0rc2 via Minicom. It's a bear to edit anything with
e3vi. There must be some com setting that can fix this problem...

Stephen







Re: [leaf-user] installation error

2002-09-11 Thread Ray Olszewski

Your inquiry includes way too little information to let anyone here give 
you a definite answer. The SR FAQ (referenced below) will help you re-pose 
your question with the needed details.

In the meantime ... id 1 is usually a console process (that is, a line in 
/etc/inittab something like this: 1:2345:respawn:/sbin/getty 38400 tty1), 
so the problem is *probably* that your system is missing either /sbin/getty 
itself or a library getty needs to execute.

As to why one of these things is missing ... well, that is why we need to 
know basic information about your system hardware and whichever LEAF 
version you are using.

At 08:01 PM 9/11/02 +0200, [EMAIL PROTECTED] wrote:
hi
trying to be a new user ;)
  but I have this error message when booting on my old 486 DX:

INIT: CANNOT execute /sbin/getty
INIT: id 1 responding too fast: disable

and the boot stops, repeating the last line several times

what does it mean??




--
---Never tell me the odds!
Ray Olszewski   -- Han Solo
Palo Alto, California, USA[EMAIL PROTECTED]
---






[leaf-user] How do I punch a dynamic hole thru firewall?

2002-09-11 Thread Duke Ionescu

[This was originally posted to the LRP mailing list, where I was spat upon
:]

I'm running LRP, more exactly Dachstein (thx for all your work Charles!).
I've been running LRP for many a year and everything  works great.  What I
need is an idea.  This may be a bit OT, but I'm looking for advice from
someone who's used LRP or BusyBox extensively.  Here's the problem:

I've opened samba ports for my static IP @ home, and it works great.
However, a co-worker is not as fortunate to have a static IP.  How do I
dynamically punch a hole for him (ports 137-139, 445) so he can access our
samba server too?  The most straightforward solution I could find is for him
to ssh into the LRP box and open the ports himself (...and then close
them!).  This could be automated via a script (i.e. /usr/bin/opensesame
1.2.3.4).  However, this is a bit of a pain and for users not as computer
literate as my co-worker it would not even be an option.  Has anyone run
into this before, what creative solutions have you found?  Is there a
de-facto way you guys do this sort of thang?

Thx







Re: [leaf-user] How do I punch a dynamic hole thru firewall?

2002-09-11 Thread Michael Leone


Duke Ionescu said:
 [This was originally posted to the LRP mailing list, where I was spat
 upon :]

How is the old LRP list? Haven't seen that since the mass exodus of users
and developers. I tried searching thru it via the web archive once, and
all I found was spam. :-)

Is Dave Cinege still doing any development with LRP? I thought he wanted
to stick with that Butterfly project of his instead.

(sorry; I don't have an answer for your question :-)

-- 
PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Member, LEAF Project http://leaf.sourceforge.netAIM: MikeLeone
Public Key - http://www.mike-leone.com/~turgon/turgon-public-key.asc




Re: [leaf-user] How do I punch a dynamic hole thru firewall?

2002-09-11 Thread Erich Titl

Hi

Canonical ways could be SSH tunneling or a VPN.

HTH

Erich

Duke Ionescu wrote the following at 21:16 11.09.2002:
[This was originally posted to the LRP mailing list, where I was spat upon
:]

I'm running LRP, more exactly Dachstein (thx for all your work Charles!).
I've been running LRP for many a year and everything  works great.  What I
need is an idea.  This may be a bit OT, but I'm looking for advice from
someone who's used LRP or BusyBox extensively.  Here's the problem:

I've opened samba ports for my static IP @ home, and it works great.
However, a co-worker is not as fortunate to have a static IP.  How do I
dynamically punch a hole for him (ports 137-139, 445) so he can access our
samba server too?  The most straightforward solution I could find is for him
to ssh into the LRP box and open the ports himself (...and then close
them!).  This could be automated via a script (i.e. /usr/bin/opensesame
1.2.3.4).  However, this is a bit of a pain and for users not as computer
literate as my co-worker it would not even be an option.  Has anyone run
into this before, what creative solutions have you found?  Is there a
de-facto way you guys do this sort of thang?

Thx





THINK
Püntenstrasse 39
8143 Stallikon
mailto:[EMAIL PROTECTED]
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024  8D8A B7D4 FF9D 05B8 0A16






Re: [leaf-user] How do I punch a dynamic hole thru firewall?

2002-09-11 Thread Brad Fritz


Duke,

On Wed, 11 Sep 2002 15:16:37 -0400 you wrote:

 [This was originally posted to the LRP mailing list, where I was spat upon
 :]
 
 I'm running LRP, more exactly Dachstein (thx for all your work Charles!).
 I've been running LRP for many a year and everything  works great.  What I
 need is an idea.  This may be a bit OT, but I'm looking for advice from
 someone who's used LRP or BusyBox extensively.

Not sure I qualify, but have a suggestion to expand on your ssh idea
anyhow. :)

 Here's the problem:
 
 I've opened samba ports for my static IP @ home, and it works great.
 However, a co-worker is not as fortunate to have a static IP.  How do I
 dynamically punch a hole for him (ports 137-139, 445) so he can access our
 samba server too?

Just for the record, even with source filtering, SMB over untrusted
networks is insecure.  (Sorry, I couldn't continue in good conscience
without stating that, even though it's probably obvious to most
everyone here.)  Obviously it's more difficult to exploit with
filtering based on source address.  VPN-based access is the (more)
secure access mechanism.

 The most straightforward solution I could find is for him
 to ssh into the LRP box and open the ports himself (...and then close
 them!).  This could be automated via a script (i.e. /usr/bin/opensesame
 1.2.3.4).  However, this is a bit of a pain and for users not as computer
 literate as my co-worker it would not even be an option.

If you were to use the .ssh/rc file or command option in a
.ssh/authorization (for key-based authentication) and the
SSH_CLIENT environment variable, you could automate this pretty
far...

Set command=/usr/bin/toggle_smb_access in .ssh/authorization
(tested) or run it and then exit from $HOME/.ssh/rc (not tested,
but seems viable from reading sshd manpage).  toggle_smb_access
could be written so that it looks up $SSH_CLIENT in a simple data
file.  If it does not find $SSH_CLIENT, it would run the
appropriate ipchains commands to allow access and update the data
file.

If $SSH_CLIENT is already in the data file, run a different set
of ipchains commands to disable access.  Have the script echo
something like "Access enabled." or "Access disabled.",
respectively, after it finishes executing so the users can see
confirmation of the state change.

Then have users run a plink.exe[1] one-liner (if they're using
Win32):

  plink.exe [EMAIL PROTECTED]

Use a desktop shortcut on their desktop if you want to make it
easy for them.

I didn't include all the gory details, but that should be enough
to get you going if you decide to use the automated ssh approach.
VPN access would definitely be more secure though.

HTH,
Brad

[1] http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

 Has anyone run
 into this before, what creative solutions have you found?  Is there a
 de-facto way you guys do this sort of thang?

 Thx
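
Brad's toggle script, written out in POSIX sh as an added example (it is not his code and not part of LEAF or Dachstein): the forced command reads the client address from SSH_CLIENT, validates it, keeps the enabled addresses in a state file, and inserts or deletes ipchains rules for the SMB ports. The state file path, the rule shape, the script name and the authorized_keys line are assumptions; set IPCHAINS=echo to dry-run it.

```shell
#!/bin/sh
# toggle_smb_access: forced command for the co-worker's ssh key.
# Constructed example in the spirit of Brad's sketch; not LEAF/Dachstein code.
# Wire it up in ~/.ssh/authorized_keys on the firewall (assumed line):
#   command="/usr/bin/toggle_smb_access",no-port-forwarding,no-pty ssh-rsa AAAA... coworker
# sshd then runs this script instead of a shell, with SSH_CLIENT set to
# "client_addr client_port server_port" for the authenticated connection.

# Assumed location of the list of currently-allowed client addresses.
STATE_FILE="${STATE_FILE:-/var/lib/smb_access/allowed}"
# Firewall tool (Dachstein is ipchains-based). Set IPCHAINS=echo to dry-run.
IPCHAINS="${IPCHAINS:-ipchains}"
# SMB/NetBIOS ports named in the thread: 137-139 and 445, TCP and UDP.
SMB_PORTS="137:139 445"

# client_ip "SSH_CLIENT value": print the client's IPv4 address, or fail.
# The address ends up on a command line, so accept only a strict dotted
# quad; anything else (IPv6, shell metacharacters, an empty variable) fails.
client_ip() {
    addr=${1%% *}
    case "$addr" in
        ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    printf '%s\n' "$addr"
}

# smb_rules IP ACTION: ACTION is -I (insert at the head of the input chain,
# so it wins over the DENY rules that follow) or -D (delete that same rule).
smb_rules() {
    for proto in tcp udp; do
        for port in $SMB_PORTS; do
            $IPCHAINS "$2" input -p "$proto" -s "$1" -d 0.0.0.0/0 "$port" -j ACCEPT
        done
    done
}

# toggle_smb_access: flip the state for the connecting client and confirm
# it, so the user sees "Access enabled" or "Access disabled" as Brad suggests.
toggle_smb_access() {
    ip=$(client_ip "${SSH_CLIENT:-}") || {
        echo "toggle_smb_access: no usable client address in SSH_CLIENT" >&2
        return 2
    }
    mkdir -p "$(dirname "$STATE_FILE")"
    touch "$STATE_FILE"
    if grep -qxF -- "$ip" "$STATE_FILE"; then
        smb_rules "$ip" -D
        grep -vxF -- "$ip" "$STATE_FILE" > "$STATE_FILE.tmp" || true
        mv "$STATE_FILE.tmp" "$STATE_FILE"
        echo "Access disabled for $ip."
    else
        smb_rules "$ip" -I
        echo "$ip" >> "$STATE_FILE"
        echo "Access enabled for $ip."
    fi
}

# Worth remembering before deploying: the hole is keyed to whatever address
# the client appears from, so a co-worker behind a shared NAT opens SMB to
# everyone behind that NAT, and a dropped dial-up leaves the rule in place
# until someone toggles it again. As the thread says, a VPN is the sounder
# option; this script only automates the ssh workaround.

# Run the toggle only when executed as the forced command, not when sourced.
case "$0" in
    */toggle_smb_access|toggle_smb_access) toggle_smb_access ;;
esac
```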





Re: [leaf-user] Dachstein floppy

2002-09-11 Thread guitarlynn

On Wednesday 11 September 2002 11:42, Matt Walker wrote:
 OK - I'm still stuck.  Could anyone help me out?

You haven't mentioned adding and loading the ip_masq_portfw
module... you'll need this from Charles' small kernel tree.
Everything else looks pretty good.
-- 

~Lynn Avants
aka Guitarlynn

guitarlynn at users.sourceforge.net
http://leaf.sourceforge.net

If linux isn't the answer, you've probably got the wrong question!





Re: [leaf-user] How do I punch a dynamic hole thru firewall?

2002-09-11 Thread guitarlynn

On Wednesday 11 September 2002 14:16, Duke Ionescu wrote:

 I'm running LRP, more exactly Dachstein (thx for all your work
 Charles!). I've been running LRP for many a year and everything 
 works great.  What I need is an idea.  This may be a bit OT, but I'm
 looking for advice from someone who's used LRP or BusyBox
 extensively.  Here's the problem:

LEAF, not LRP, please!

 I've opened samba ports for my static IP @ home, and it works great.
 However, a co-worker is not as fortunate to have a static IP.  How do
 I dynamically punch a hole for him (ports 137-139, 445) so he can
 access our samba server too?  The most straightforward solution I
 could find is for him to ssh into the LRP box and open the ports
 himself (...and then close them!).  This could be automated via a
 script (i.e. /usr/bin/opensesame 1.2.3.4).  However, this is a bit
 of a pain and for users not as computer literate as my co-worker it
 would not even be an option.  Has anyone run into this before, what
 creative solutions have you found?  Is there a de-facto way you guys
 do this sort of thang?

There isn't a standard way of doing this. The few of us that are using a
similar setup to this simply add a ping script like you have come up 
with. It really can't be integrated into the network setup because you
have no way of knowing the remote address (dyndns?) BEFORE loading
the ruleset w/o opening the box to possible exploit. The most reasonable
alternative is to use a SSH tunnel or VPN as has been suggested. 
Opening your NetBIOS ports is about the biggest hole you could put
in a system.
-- 

~Lynn Avants
aka Guitarlynn

guitarlynn at users.sourceforge.net
http://leaf.sourceforge.net

If linux isn't the answer, you've probably got the wrong question!





Re: [leaf-user] Re: Question: (user's guide) 12. Monitoring Bering through a terminal console

2002-09-11 Thread Chad Carr

On 11 Sep 2002 11:47:22 -0700
Stephen Lee [EMAIL PROTECTED] wrote:

 On Wed, 2002-09-11 at 11:16, Jacques Nilo wrote:
  On Wednesday 11 September 2002 15:09, David Shu wrote:
   Hi Jacques,
  
   Firstly thanks for the great work with the Bering firewall.  Your
   documentation is second to none and I've found it very easy to get
   things working despite my limited knowledge and experience with
   *nix.
  
   I've just enabled my router/firewall to be serially accessed through
   a terminal console and all seems to be working fine till I edit
   files.  Somehow, there seems to be a severe lag and refresh line
   going through the screen every time I move down or up a line.  Is
   this a known bug?  Or have I possibly done something wrong?
  
   I've not changed anything from your recommended values (Serial Port
   1, baud 19200).  I'm using secureCRT with similar values to access
   the router (I tried TeraTerm with similar results).  Like I said
   before, there are no problems till I edit files (I've tried e3,
   e3vi, ae).  All other times everything is displaying well and
   smoothly..
  
   Any ideas?
  I understand that you only have that problem when using the editor (by the
  way e3, e3vi and ae are all linked to the same program ...)
  I am forwarding your mail to the leaf-user list for assistance on this
  matter since I never use a serial connection myself.
  Any idea anyone ?
  Jacques
 
 I have the same refresh problem when communicating with the serial
 port to Bering 1.0rc2 via Minicom. It's a bear to edit anything with
 e3vi. There must be some com setting that can fix this problem...

If there was a way to fix it (which I doubt there is), it would be a
setting with e3.  It is just really slow because of the way it repaints
the screen.  vim has no problems.  There has to be some tradeoff with
size!

-- 

Chad Carr  [EMAIL PROTECTED]



---
In remembrance
www.osdn.com/911/

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html



Re: [leaf-user] Re: Question: (user's guide) 12. Monitoring Bering through a terminal console

2002-09-11 Thread Stephen Lee

On Wed, 2002-09-11 at 18:49, Chad Carr wrote:
  
  I have the same refresh problem when communicating with the serial
  port to Bering 1.0rc2 via Minicom. It's a bear to edit anything with
  e3vi. There must be some com setting that can fix this problem...
 
 If there was a way to fix it (which I doubt there is), it would be a
 setting with e3.  It is just really slow because of the way it repaints
 the screen.  vim has no problems.  There has to be some tradeoff with
 size!
 
I see, so it has to do with e3? Any idea if the vim.lrp package from
http://www.monkeynoodle.org/lrp/lrp/packages/clients/vim.lrp
will work under bering?

Thanks,
Stephen







RE: [leaf-user] How do I punch a dynamic hole thru firewall?

2002-09-11 Thread S Mohan

I've seen this in portsentry where rules are defined to block an IP. One way to
do this is to make a weblet page (can we authenticate in weblet?) and allow it
to execute a script or a Shorewall command to allow an IP and ports. The
problem is the system cannot automatically know when the user is done. The
user has to again come in thro' weblet and delete that specific rule in
iptables - again script driven thro' weblet.

You will also encounter problems if that specific user is on a dynamic IP
ISP dial-up. He might disconnect and connect again, when his IP is likely to
change, thus negating this rule.

One possibility is to define a road-warrior connection in ipsec and allow
ipsec thro' to the network. If the samba service is available to the
network, the ipsec connection should also be able to access the samba
service. loc -> loc is also on in Shorewall.

I've not done this and hence am not speaking from experience but from logic,
having used different subsystems.

HTH
Mohan

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Duke Ionescu
Sent: 12 September 2002 00:47
To: [EMAIL PROTECTED]
Subject: [leaf-user] How do I punch a dynamic hole thru firewall?


[This was originally posted to the LRP mailing list, where I was spat upon
:]

I'm running LRP, more exactly Dachstein (thx for all your work Charles!).
I've been running LRP for many a year and everything works great.  What I
need is an idea.  This may be a bit OT, but I'm looking for advice from
someone who's used LRP or BusyBox extensively.  Here's the problem:

I've opened samba ports for my static IP @ home, and it works great.
However, a co-worker is not as fortunate to have a static IP.  How do I
dynamically punch a hole for him (ports 137-139, 445) so he can access our
samba server too?  The most straightforward solution I could find is for him
to ssh into the LRP box and open the ports himself (...and then close
them!).  This could be automated via a script (i.e. /usr/bin/opensesame
1.2.3.4).  However, this is a bit of a pain and for users not as computer
literate as my co-worker it would not even be an option.  Has anyone run
into this before, what creative solutions have you found?  Is there a
de-facto way you guys do this sort of thang?

Thx







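As an added example (not code from this thread or from the LEAF project), the script below is one shape the automated "opensesame" helper from Duke's question could take on an iptables firewall such as Bering. It makes two assumptions: that the client's packets traverse the INPUT chain and that a fixed lifetime is an acceptable answer to "the system cannot know when the user is done"; the address check is there because an address typed into a weblet form must never reach a shell command unvalidated.

```shell
#!/bin/sh
# Added example, not code from this thread: a time-bounded "open sesame"
# helper in the spirit of the weblet-driven script Mohan describes.  It
# assumes an iptables firewall (e.g. Bering) and an INPUT chain reached
# by the client's packets; run as root with DRY_RUN unset to apply rules.
#
# Two gaps from the thread are handled: the firewall cannot tell when the
# user is done, so the rule is deleted after a fixed lifetime; and an
# address typed into a web form is validated before it reaches a command.
SMB_TCP_PORTS="137:139,445"        # TCP ports named in Duke's question
LIFETIME_SECS=${LIFETIME_SECS:-3600}
DRY_RUN=${DRY_RUN:-}               # set to anything to only print commands

# Accept a plain dotted-quad IPv4 address only; names, CIDR masks and
# shell metacharacters are rejected so a form value cannot add arguments.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Run (or, under DRY_RUN, print) one iptables invocation.
apply_rule() {
    if [ -n "$DRY_RUN" ]; then echo "iptables $*"; else iptables "$@"; fi
}

# Open the Samba ports for one validated address and schedule the close.
open_sesame() {
    valid_ipv4 "$1" || { echo "rejected address: $1" >&2; return 1; }
    apply_rule -I INPUT -s "$1" -p tcp -m multiport --dports "$SMB_TCP_PORTS" -j ACCEPT
    # Delete the same rule after LIFETIME_SECS, whatever the user does.
    if [ -z "$DRY_RUN" ]; then
        ( sleep "$LIFETIME_SECS"
          apply_rule -D INPUT -s "$1" -p tcp -m multiport --dports "$SMB_TCP_PORTS" -j ACCEPT ) &
    fi
}

# Constructed demonstration (documentation address): print, don't install.
( DRY_RUN=1; open_sesame 192.0.2.10 )
```

The UDP name-service ports (137, 138) would be opened and closed with a second pair of rules of the same form.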



RE: [leaf-user] Re: Question: (user's guide) 12. Monitoring Bering through a terminal console

2002-09-11 Thread S Mohan

Normally it should, as it is meant for Dachstein which uses glib 2.0.

Mohan

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Stephen Lee
Sent: 12 September 2002 07:52
To: Chad Carr
Cc: Leaf-user
Subject: Re: [leaf-user] Re: Question: (user's guide) 12. Monitoring
Bering through a terminal console


On Wed, 2002-09-11 at 18:49, Chad Carr wrote:
  
  I have the same refresh problem when communicating with the serial
  port to Bering 1.0rc2 via Minicom. It's a bear to edit anything with
  e3vi. There must be some com setting that can fix this problem...
 
 If there was a way to fix it (which I doubt there is), it would be a
 setting with e3.  It is just really slow because of the way it repaints
 the screen.  vim has no problems.  There has to be some tradeoff with
 size!
 
I see, so it has to do with e3? Any idea if the vim.lrp package from
http://www.monkeynoodle.org/lrp/lrp/packages/clients/vim.lrp
will work under bering?

Thanks,
Stephen












[leaf-user] dhcp_2_dns

2002-09-11 Thread Mark Ivey

A while back, I asked the list how I could get my dhcp server to update my
dns server.  I finally felt up to the task tonight so I downloaded a script
written by Michael D. Schleif:
http://leaf.sourceforge.net/devel/helices/scripts/dhcp_2_dns.sh
I now have 3 questions:

First, it gives some error messages when I run it:

[: 20020908084404: out of range
[: 20020912062502: out of range
[: 20020912040952: out of range
[: 20020912042402: out of range

These are coming from line 174:

# Lease expired?# 1
[ $end -lt $current_date ] \
    && continue
[ ${debug:-0} -ne 0 ] && echo "Lease is CURRENT"

So, any idea how to stop these error messages?  I'm running on bering 1.0 rc
3 if that helps.

Second, it was suggested that I should run this from cron.  Is there any way
to have the dhcp server run it when the lease file is updated instead?  (I
want to minimize the lag between an address changing and the dns server
being updated)

Finally, I'm hoping someone can answer a security related question.  Does it
pose any risk to use dns names (e.g. web_server.private.network) instead of
the IP addresses (e.g. 192.168.1.10) in the various configuration files?
I'm mainly thinking the shorewall files.

-Mark Ivey-



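The "out of range" text is what the shell's `[` builtin prints when a numeric operand does not fit its integer type, and a 14-digit YYYYMMDDHHMMSS stamp such as 20020908084404 is far above the 32-bit signed limit of 2147483647. As an added example (not part of dhcp_2_dns.sh or of the post), the comparison below splits each stamp into an 8-digit date and a 6-digit time, both of which `[` can compare on a 32-bit shell; the "current" stamp is constructed.

```shell
#!/bin/sh
# Added example (not from the dhcp_2_dns.sh script): compare two
# YYYYMMDDHHMMSS lease stamps without handing a 14-digit number to "[",
# which on a 32-bit shell fails with "out of range".  Each stamp is split
# into an 8-digit date and a 6-digit time; both halves fit in 32 bits.

# stamp_lt A B  ->  true (status 0) if stamp A is earlier than stamp B
stamp_lt() {
    a_date=${1%??????}; a_time=${1#????????}
    b_date=${2%??????}; b_time=${2#????????}
    # "[" parses its operands as decimal, so a leading zero in a time
    # such as 084404 is harmless here (inside $(( )) it would mean octal).
    if [ "$a_date" -lt "$b_date" ]; then return 0; fi
    if [ "$a_date" -gt "$b_date" ]; then return 1; fi
    [ "$a_time" -lt "$b_time" ]
}

# lease_expired END CURRENT  ->  true if the lease ending at END has
# already passed at time CURRENT (the script's "$end -lt $current_date").
lease_expired() {
    stamp_lt "$1" "$2"
}

# Constructed sample: the four "end" stamps from the error messages,
# checked against a constructed "current" time of 2002-09-12 05:00:00.
current=20020912050000
for end in 20020908084404 20020912062502 20020912040952 20020912042402; do
    if lease_expired "$end" "$current"; then
        echo "$end: expired"
    else
        echo "$end: current"
    fi
done
```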