Re: [leaf-user] PKGPATH=tftp://tftpserver/tftpboot wouldbe nice
On 2002.10.29_08:45:21_+, Karl Gaissmaier wrote:

Hi Karl,

> This beast is/will be able to do remote configs via tftp and gpg signed RPM packages. The whole gimmick is a clever initial ramdisk, building /dev /etc /tmp /var /opt in RAM and mounting /usr /bin /sbin /lib from the BOOTDISK (CD or what else). On the Bootdisk you can have any common Linux Distro (Redhat, SuSE, Debian etc. in any version); the whole bootup and setup stuff is done in the initrd. You need only RPM on the Linux Distro, because RPM is used to backup the system specific config files.

Instead of reinventing the wheel, why don't you expand works from other distros? Just a suggestion.

I have successfully booted Oxygen from the network [1], and got to the shell. Haven't made any progress after that due to daily work.

Glenn McKechnie also has a HOWTO to boot an LRP based machine using Etherboot and Dachstein [2].

> Regards
> Charly
> --
> Karl Gaissmaier
> Computing Center, University of Ulm, Germany
> Email: [EMAIL PROTECTED]
> Network Administration
> Tel.: ++49 731 50-22499

[1] http://www.leaf-project.org/devel/hdlee/oxygen/doc/netboot/network-boot-howto
[2] http://members.optushome.com.au/graybeard/linux/netboot.html

--
H. D. Lee

---
This sf.net email is sponsored by: ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
Re: [leaf-user] How to set up bridging with Bering?
On Tuesday 29 October 2002 12:20 am, dan carter wrote:

> Charles Steinkuehler wrote:
>
>> You need to talk to more Microsoft people (motto: Microsoft doesn't understand how tcp/ip works.) The L2TP protocol used by M$ WAN's is a Layer 2 Tunneling Protocol (hence the name), which enables your systems to propagate Layer 2 packets (including broadcasts and arp requests) over a WAN. This is actually billed as a *FEATURE* of their WAN software vs. the competition, which doesn't have such a feature. The fact that no-one should be so insane as to actually *WANT* to pipe broadcast packets across their WAN is apparently lost on the market-droids (and MS networking programmers).
>
> Is there a linux implementation of this protocol? I have been trying to get something like that going for ages to join two private LANs over the internet. All the VPN stuff I've looked at doesn't seem to be able to forward the broadcast packets even if they are directed broadcast packets, which breaks warcraft 3 LAN game discovery and simple broadcast discovery for smb browse lists.

I have not used it, but there is a Linux development effort for L2TP: http://sourceforge.net/projects/l2tp

SMB Browse lists are best handled in a WAN setting by use of WINS.
[leaf-user] Newbie question: would this setup be possible?
Hi,

I'm a complete newbie concerning PC-based Linux-Routers, so please tell me in case my questions are trivial. My questions:

- would it be possible to use the same machine that is running the router as a 'public' (for my intranet) place to leave e.g. patches, driver updates or other useful files on?
- is it possible to require an authentication for outgoing traffic at a rate of, let's say, once per day?

Feel free to reply with a definitive 'no'/'yes, rtfm!' at this point, although I would appreciate any hint on where to find the 'fine manual' on that. Those asking 'why the hell do you want to?' may read on.

My scenario is this: I'm living in a students dormitory, and we recently got equipped with a 100Mbps LAN. Shortly, we'll also get a 2Mbps internet link, requiring a router. I want to have a firewall in place, would like to have the aforementioned public directories available and additionally, need a way to reliably identify the users, because the management of the dormitory wants to be able to track down possible misuse. Our ISP could only track IP and (possibly) MAC addresses, but I think that both are not reliable enough in case official investigations should occur (or are they?). After all, I would like to save all the other users from having their computers searched or seized, just because some stupid amateur believes he will not get caught.

Please tell me if this could work (and perhaps give me a brief hint?), or suggest a better solution under the given circumstances.

Thanks in advance to you all,
Björn Snippe
Hannover, Germany
Re: [leaf-user] New to Bering, stuck at step 1
Thanks for the response. This is exactly what I missed. Now that I know what I should have done, I see the line in the installation manual I missed. Given my experience (granted I'm just the *one* guy that didn't pay attention), I would recommend highlighting the /etc/modules as a separate step in Chapter 6. (6.7: Editing /etc/modules) Just one humble opinion.

Thanks
Chris

Wyatt Draggoo wrote:

> Sorry, couldn't resist. Now, for some possibly useful information.
>
> It sounds like you need to load the correct modules for your NICs. I can't remember off hand which, if any, come on the Bering image. If none do, you'll have to download the modules from the Bering LEAF site and copy the appropriate ones into your /lib/modules directory on the router. Don't forget to back it up to the floppy!
>
> Next, edit the /etc/modules file and uncomment the modules you need for your card. Some cards need module parameters, and some modules depend on other modules, but the concept is the same. Again, back up, and then reboot. If you have the correct modules loaded and configured, your system should now see the interfaces.
>
> Wyatt
>
>> I've just started trying to implement a firewall with Bering and I seem to be stuck at the most basic step. I have created a bootable floppy and configured that network interface following the instructions in the Installation guide. To start with, I'm trying to bring Bering up on my desktop system, but I can't get the network to start. I try both of the example eth0 configurations in the interfaces file, but neither seems to work. When the system boots, /sbin/ip addr only lists lo and dummy0. What am I missing?
>>
>> Chris
[leaf-user] WLAN routing setup/hardware [was WLAN again]
Hi Pat, List

First let me apologize for the misleading subject, it was late yesterday.

Thanks for the hint, indeed I was able to get a card for trial from D-Link and my old PC did not even want to start anymore. So much for compatibility. Now I will have to see if some other product performs better.

Anyone, please comment on the routing setup, I am a complete newbie in that field and need a few hints. Here the original stuff once more:

    DSL to ISP
        |
    eth0 dynamic IP
    LEAF router/firewall  ??.??.??.?? -- wireless connection -- ??.??.??.??  LEAF router
    eth1 192.168.1.1                        |                          eth1 192.168.2.?
        |                  (??.??.??.?? possible mobile WLAN station(s))   subnet 192.168.2.0/24
        |
    subnet1 192.168.1.0/24

Thanks
Erich

[EMAIL PROTECTED] wrote the following at 00:42 29.10.2002:

> Hey Erich,
>
> I would be wary of the DWL-520 cards as they require a PCI 2.2 compliant system, which most older (more than a year or two) aren't. I ran into this problem and switched it to the Linksys WMP11 card (I think that's the model) and it worked without a problem.
>
> --Pat
>
> On Mon, 28 Oct 2002, Erich Titl wrote:
>
>> Hi everybody
>>
>> Similar questions have been brought up lately so please bear with me. I am about to build a WLAN connection to a remote subnet which should be built up as follows:
>>
>>     DSL to ISP
>>         |
>>     eth0 dynamic IP
>>     LEAF router/firewall  ??.??.??.?? -- wireless connection -- ??.??.??.??  LEAF router
>>     eth1 192.168.1.1                        |                          eth1 192.168.2.?
>>         |                  (??.??.??.?? possible mobile WLAN station)     subnet 192.168.2.0/24
>>         |
>>     subnet1 192.168.1.0/24
>>
>> Now I am uncertain what assignment of addresses and routes would be reasonable for the wireless connection. Should I treat the wireless connection as a separate subnet which I am just using to route through, or does it make more sense to build a wireless bridge? Would the set up of the wireless connection using a separate subnet allow me to deploy additional mobile WLAN stations in the intermediate subnet?
>>
>> I would like to use the D-Link DWL-520+ with external antennae as the WLAN equipment in the routers, does anyone have experience with this type of equipment?
>>
>> Thanks
>> Erich

THINK
Püntenstrasse 39
8143 Stallikon
mailto:erich.titl;think.ch
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16
Re: [leaf-user] Wisp´s using 5GHz cards.
I'm not aware of any 5 Ghz (802.11a) cards which are supported by Linux.

Gilberto de F. Mendes wrote:

> Hi all!
>
> I´m planning to migrate to 5.7GHz, actually we use 2.4Hz, with Wisp´s Boxes and Orinoco Gold Cards... Anybody here started using Wisp with 5 GHz cards?
>
> Thank´s!
>
> --
> Gilberto de Freitas Mendes
> Communications Technician
> Wireless Manager
> DNA Digital - Fortaleza/CE

--
Best Regards,
Vladimir
Systems Engineer (RHCE)
[leaf-user] Re: [leaf-user] Wisp´s using 5GHz cards.
Try http://www.mikrotik.com/Documentation/5_2GHz_solutions.pdf and tell me what you think, they have a Linux Based Router OS which supports the new standard, I guess also drivers to support these cards.

Best Regards
Armend Zeqiraj

----- Original Message -----
From: Vladimir I. [EMAIL PROTECTED]
To: Gilberto de F. Mendes [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Tuesday, October 29, 2002 16:06 PM
Subject: Re: [leaf-user] Wisp´s using 5GHz cards.

> I'm not aware of any 5 Ghz (802.11a) cards which are supported by Linux.
>
> Gilberto de F. Mendes wrote:
>
>> [...]
Re: [leaf-user] Which LEAF for wireless router
Thanks. It's very encouraging to hear recommendations like that. :-)

I'm thinking of putting a small webserver for statistics, but will not for configuration. It is much easier to make an ncurses based interface than a web based one. Another idea is to put a Java ssh client on the embedded webserver so that you don't need to carry putty/ssh with you.

About upgrade - none of your configuration files should be touched by the upgrade. Well, configuration files/scripts before build 2290 were not stabilized, but after that all upgrades should be backwards compatible.

Marty Buchaus wrote:

> I Applaud Vladimir's work with WISP-Dist. I've deployed 25+ as CPE's with Teletronics CPR Hardware (133amd, 8M flash, TT(PrismII) 100mw cards) and have had very few problems. Most of the problems I ran into were configuration mistakes and due to WISP being based on the Debian flavor, I believe, and with the majority of our experience is with the RedHat and Mandrake Flavors there are console differences to work through..
>
> Other than that the remote upgrade is a bit tricky (I suggest using the devel scripts to modify the default configuration on the new *.lrp and *.cfs packages before pushing them up since the default Vladimir uses most likely doesn't match your network). I should maybe rephrase this by stating that the after upgrade is tricky.. The push of new files to the system works great.
>
> I would love to see things like a gui config (other than the ncurses) web, php, cgi for example. BUT this would put the code size way over 8meg. There again flash card prices are coming down it may be a possibility.
>
> Overall I would recommend using WISP-Dist
>
> Marty Buchaus
> CTO Dabuke Internet / Big Sky Wireless
> ICQ 10579998
> RHCE - 807101943103186
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:leaf-user-admin;lists.sourceforge.net] On Behalf Of Vladimir I.
> Sent: Saturday, October 26, 2002 12:49 PM
> To: Tony Cappelli
> Cc: [EMAIL PROTECTED]
> Subject: Re: [leaf-user] Which LEAF for wireless router
>
>> Tony Cappelli wrote about [leaf-user] Which LEAF for wireless router:
>>
>>> What is the best LEAF for this purpose? The WISP seems like it's designed for base stations and not customer premises equipment.
>>
>> I designed WISP-Dist for both customers and APs.

--
Best Regards,
Vladimir
Systems Engineer (RHCE)
Re: [leaf-user] Wisp´s using 5GHz cards.
Mikrotik keeps everything proprietary. Actually if they indeed wrote a closed driver for 802.11a then it breaks GPL.

BTW, the numbers they state for 802.11a are unrealistic. Real throughput which you can expect from 802.11a is around 30 mbps; moreover, 5 Ghz signal fades faster so on outskirts you actually get lower speeds than with 2.4 Ghz 802.11b.

Armend Zeqiraj wrote:

> Try http://www.mikrotik.com/Documentation/5_2GHz_solutions.pdf and tell me what you think, they have a Linux Based Router OS which supports the new standard, I guess also drivers to support these cards.
>
> Best Regards
> Armend Zeqiraj
>
> [...]

--
Best Regards,
Vladimir
Systems Engineer (RHCE)
[leaf-user] Bering / Shorewall
Hi all,

Just wondering if anyone could let me know if Ipv6 addresses can be used in Bering rc4. I would think Bering should support them alright but am unsure about Shorewall.

Thanks
Paul
Re: [leaf-user] Newbie question: would this setup be possible?
At 02:54 PM 10/29/02 +0100, Sanyarin wrote:

[...]

> - would it be possible to use the same machine that is running the router as a 'public' (for my intranet) place to leave e.g. patches, driver updates or other useful files on?

Possible? Yes. Any general-purpose Linux system (e.g., Red Hat, Debian, SuSE) can also function as a router.

A good idea? Not really. The more the router does, the more vulnerable it is to attack. Since your comments below suggest that you are concerned about unauthorized use from the internal side, this is a concern even if you successfully make the services available only to intranet hosts. In any case, specialized distros like LEAF are not ideal for multi-purpose hosts.

> - is it possible to require an authentication for outgoing traffic at a rate of, let's say, once per day?

Traffic is not well defined here. From what you write below, I think you want each system (or, possibly, each user personally) to authenticate itself (him/herself) periodically to the router. IP address is worthless for this, of course. MAC-address authentication is better, but still spoofable. PPPoE gives you the ability to require userid/password authentication, but at the price of a hefty performance hit.

I can't think of anything off the shelf that will do the sort of authentication you want. One could adapt something (for example, some SMTP servers are set up to require POP userid/password authentication before accepting outgoing mail from a host; I have in mind a similar capability for a firewall ruleset), but it would be a lot of work. The simplest solution would require each LAN host to run a daemon that responds to periodic authorization queries, using either good encryption or some sort of challenge-response exchange that varies over time, and that raises the obvious problem that you need to decide what OSs you will support.

Or, you might require each user to open an ssh connection to the router (or to some separate, authenticating host) before the firewall ruleset will allow traffic from that IP address to be routed. This is not off-the-shelf either, but all the implementation trickiness occurs at the router end; the client hosts just need to be able to run an ssh client.

Were I confronted with this requirement, I'd try an approach something like this:

1. Require all systems to use DHCP leasing and register their MAC addresses for use in DHCP assignment.
2. Use ipchains/iptables to restrict Internet access to the subset of LAN IP addresses that are registered in step 1.
3. Use hardware controls to limit the physical access points that are active to the rooms that have registered in step 1.

You can do better than this if you use a switch that allows head-end restriction of what IP addresses (or MAC addresses; I'm a bit hazy on how this works) can connect to each port, but that's not a Linux or LEAF solution, so I, at least, cannot help much with the details.

Trying to implement this sort of restriction imposes some support headaches, in that even honest users change out their computers, hence their MAC addresses, or use multiple computers, and will be inconvenienced by the need to update their registrations. So you'll need a way to make updates fairly promptly. And it is far from perfect; you are still vulnerable to MAC-address spoofing.

Finally, please remember that a router can control only routed traffic. If your concerns are realistic, you need to worry about LAN-side attacks, not just misuse of the Internet connection. Every system on the LAN needs to be protected somehow from other LAN systems. There are ways to do this too, but the ones I can think of are expensive and/or are not Linux-based solutions (at least the Linux solution I can think of does not scale well to a dormitory).

> Feel free to reply with a definitive 'no'/'yes, rtfm!' at this point, although I would appreciate any hint on where to find the 'fine manual' on that.

Sorry I cannot offer definitive answers, just some speculation. In any case, don't take a negative response as any real assurance that what you want doesn't exist someplace; it really just means I do not know of an off-the-shelf solution. Possibly someone else does and will educate both of us.

> [...]
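Steps 1 and 2 of the approach above (MACs registered for DHCP assignment, then forwarding restricted to registered addresses), as an added shell example; this is not code from the thread or from LEAF, and it assumes a hypothetical registry file with "room mac ip" columns, LAN interface eth1, a 192.168.1.0/24 LAN, ISC dhcpd and iptables with the mac match module.

```shell
#!/bin/sh
# Added example, not code from the list posts: turn a dorm registration list
# of (room, MAC, fixed IP) into ISC dhcpd host entries and iptables FORWARD
# rules that only forward traffic from a registered MAC/IP pair.
# Assumed (hypothetical): LAN interface eth1, LAN prefix 192.168.1.,
# registry columns "room mac ip".

LAN_IF=eth1
LAN_PREFIX=192.168.1.

# Constructed sample registry. Room 103 is deliberately malformed so the
# reader can see it being rejected instead of silently becoming a rule.
sample_registry() {
  cat <<'EOF'
# room   mac                 ip
101      00:11:22:33:44:55   192.168.1.101
102      00:11:22:33:44:66   192.168.1.102
103      not-a-mac           192.168.1.103
EOF
}

# Pass only well-formed "room mac ip" lines (MAC lower-cased); report the rest
# on stderr so a typo in the registry never opens or closes the wrong hole.
valid_entries() {
  awk -v pfx="$LAN_PREFIX" '
    /^[ \t]*#/ { next }
    NF == 0    { next }
    {
      mac = tolower($2); tmp = mac; colons = gsub(/:/, ":", tmp)
      if (NF == 3 && length(mac) == 17 && colons == 5 &&
          mac ~ /^[0-9a-f:]*$/ && index($3, pfx) == 1)
        print $1, mac, $3
      else
        print "rejected: " $0 > "/dev/stderr"
    }'
}

# ISC dhcpd host blocks: fixed-address binds the registered IP to the MAC.
gen_dhcp_hosts() {
  valid_entries | awk '{
    printf "host room%s {\n  hardware ethernet %s;\n  fixed-address %s;\n}\n", $1, $2, $3
  }'
}

# iptables rules: replies to established flows pass, a LAN host is forwarded
# only when source IP and source MAC both match its registration, and anything
# else from the LAN is logged and dropped by the policy. MAC matching raises
# the bar but, as noted above, a MAC can still be spoofed.
gen_forward_rules() {
  valid_entries | awk -v ifc="$LAN_IF" '
    BEGIN {
      print "iptables -P FORWARD DROP"
      print "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    }
    { printf "iptables -A FORWARD -i %s -s %s -m mac --mac-source %s -j ACCEPT\n", ifc, $3, $2 }
    END { printf "iptables -A FORWARD -i %s -j LOG --log-prefix \"unregistered: \"\n", ifc }'
}

# Demo: print both generated fragments for the sample registry.
sample_registry | gen_dhcp_hosts
sample_registry | gen_forward_rules
```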
Re[2]: [leaf-user] Newbie question: would this setup be possible?
Hello Ray,

Tuesday, October 29, 2002, 11:28:12 AM, you wrote:

Just my two cents...

>> - is it possible to require an authentication for outgoing traffic at a rate of, let's say, once per day?

RO> Traffic is not well defined here. From what you write below, I think you want each system (or, possibly, each user personally) to authenticate itself (him/herself) periodically to the router. IP address is worthless for this, of course. MAC-address authentication is better, but still spoofable. PPPoE gives you the ability to require userid/password authentication, but at the price of a hefty performance hit.

RO> I can't think of anything off the shelf that will do the sort of

Will socks5 do this job?

--
Best regards,
Alex
mailto:alecsey;rogers.com
Re[2]: [leaf-user] Newbie question: would this setup be possible?
At 12:02 PM 10/29/02 -0500, Alex Ryabtsev wrote:

[...]

> RO> I can't think of anything off the shelf that will do the sort of
>
> Will socks5 do this job?

Maybe. Socks is a proxy server, not just an authentication mechanism. So it depends on what activities the original poster wants the dorm's Internet connection to support. Offhand, I am not sure what clients will and what clients will not work through socks. And the requirements for running servers behind a socks firewall are even more obscure to me.

Also, socks uses unencrypted userid/password authentication (see http://www.socks.nec.com/socksfaq.html, item 24). In a situation where the operator is concerned about unauthorized access to the LAN, this is weak security.

In my earlier response, I was thinking of supporting direct access to the Internet with authentication, not proxy-based access.

--
---Never tell me the odds!
Ray Olszewski -- Han Solo
Palo Alto, California, USA
[EMAIL PROTECTED]
---
Re: [leaf-user] How to deal with P2P-apps? [was; What's this guy trying?]
Comments interleaved below. (I waited awhile before replying, in the hope that someone who knows more about this area than I would chime in. What I can offer is very limited, as you will see.)

At 08:06 AM 10/29/02 +0100, Jon Clausen wrote:

> I'm not at all sure but I suspect there might be *some* connection between the hordes of denied icmp-messages discussed before (see quote below), and the fact that one of the kids on the lan is running Morpheus (a P2P filesharing app).
>
> Quick ascii reminder:
>
>     Inet---Dachstein---LAN---(host running Morpheus)
>                 |
>                DMZ
>                 |
>            Linux server
>
> On Mon, Oct 14, 2002 at 11:15:11PM -0700, Ray Olszewski wrote:
>
>> At 07:24 AM 10/15/02 +0200, Jon Clausen wrote:
>>
>>> O.K. full log entry:
>>>
>>> Oct 14 14:46:06 skilderhus kernel: Packet log: input DENY eth0 PROTO=1 10.131.224.1:3 62.243.222.62:1 L=56 S=0x00 I=41957 F=0x T=243 (#9)
>>
>> OK. It's what I guessed above ... an icmp host unreachable message. There's probably a secret decoder ring for this stuff online somewhere, but I use a book. Here's the pieces:
>>
>> PROTO=1          protocol 1 is icmp
>> 10.131.224.1:3   10.131.224.1 is the source IP, of course; the port is the icmp message type, 3=Destination unreachable
>> 62.243.222.62:1  62.243.222.62 is the destination IP, as usual; the port is the icmp message code, 1=host unreachable
>>
>> Without seeing the content of the packet (which does not get logged), we have no way to know what host this is about.
>
> As I said, there are a bunch of this kind of entries, all
>
>     PROTO=1 some-ip:3 62.243.222.62:1 L=56 S=0x00 I varying T varying (# varying)
>
> It starts at 11:36:39 and continues through the day to 21:11:20.
>
> Which *could* fit with:
> 11:36 kid opens windows/morpheus, dumdedum all day to
> 21:11 kid shuts down, goes to bed
>
> Now, why morpheus on the lan should result in incoming martian icmp messages on eth0, I haven't any idea...(?) BUT

Me either, except to note that P2P services make a lot of connections to and from poorly configured systems. If your ISP uses private address 10.131.224.1 for some specialized purpose (a plausible example would be a server that does PPPoE authentication), a configuration error by some morpheus user elsewhere could be causing a routing error from your end. Just a guess, of course.

> More generally; This being a residential network, I have no authority to block P2P apps outright. So I would like some opinions/advice WRT the following:
>
> P2P being the potential security hazard it is, would it make sense to place a P2P proxy in the dmz? (And try to beef up security on it)

My guess is no. Any vulnerabilities here are in the application layer of closed-source software. For each P2P app to work, you have to let the app connect to the Internet. In any case, I've never heard of a P2P proxy for the common P2P services ... has anyone?

> Bandwidth. This stuff needs to be throttled. This is something I've been wanting to get into, but since the documentation on Morpheus amounts to "This is the best P2P app... ever!" I've no idea where to begin. Does anyone have links to docs on the ports/protocols used for these types of apps? (Morpheus/Kazaa/Gnutella/whathavewe)

As to where to begin ... a good place to start with this sort of question is at Google. A search on "Morpheus ports" turned up a ton of listings, including this one:
http://www.oofle.com/iptables/filesharing.htm

A search on "kazaa ports" turned up this one (among others):
http://www.geocrawler.com/archives/3/90/2002/6/0/8906982/

Gnutella looks a bit tougher to control, but "Gnutella ports" did turn this up:
http://www.nwconnection.com/2001_09/gnutel91/

While this identifies the ports, it does not address the issue of bandwidth throttling. I don't know if speed controls can be imposed port by port; perhaps someone else can comment on that part.

> These are more of conceptual/conversational questions, since I've done little research of my own yet. I thought it'd be nice to get some pointers/ideas on *what* to research first...

--
---Never tell me the odds!
Ray Olszewski -- Han Solo
Palo Alto, California, USA
[EMAIL PROTECTED]
---
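Ray's hand decoding of the ipchains entry, as an added shell example that is not from the thread or from Dachstein: it pulls chain, verdict, interface, protocol, ICMP type and code out of each "Packet log:" line and counts destination-unreachable messages per source address, which is the check Jon's all-day pattern calls for. The log lines are constructed; the first mirrors Jon's entry with the truncated F= field written out as F=0x0000.

```shell
#!/bin/sh
# Added example, not code from the list posts: decode ipchains "Packet log:"
# syslog lines and count ICMP destination-unreachable messages per source.

# Constructed sample log. Line 1 mirrors the posted entry; the others are
# made up to show a second source, an echo request and a TCP entry.
sample_log() {
  cat <<'EOF'
Oct 14 14:46:06 skilderhus kernel: Packet log: input DENY eth0 PROTO=1 10.131.224.1:3 62.243.222.62:1 L=56 S=0x00 I=41957 F=0x0000 T=243 (#9)
Oct 14 14:47:10 skilderhus kernel: Packet log: input DENY eth0 PROTO=1 10.131.224.1:3 62.243.222.62:1 L=56 S=0x00 I=41990 F=0x0000 T=243 (#9)
Oct 14 15:02:33 skilderhus kernel: Packet log: input DENY eth0 PROTO=1 10.131.224.1:3 62.243.222.62:1 L=56 S=0x00 I=42377 F=0x0000 T=243 (#9)
Oct 14 15:10:01 skilderhus kernel: Packet log: input DENY eth0 PROTO=1 10.131.224.9:3 62.243.222.62:1 L=56 S=0x00 I=10532 F=0x0000 T=240 (#9)
Oct 14 15:11:45 skilderhus kernel: Packet log: input DENY eth0 PROTO=1 203.0.113.7:8 62.243.222.62:0 L=84 S=0x00 I=9 F=0x0000 T=51 (#12)
Oct 14 15:12:02 skilderhus kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:4021 62.243.222.62:80 L=60 S=0x00 I=2811 F=0x4000 T=51 (#14)
EOF
}

# Name the common ICMP type/code pairs; anything else is printed numerically.
icmp_name() {
  case "$1/$2" in
    0/0)  echo "echo reply" ;;
    3/0)  echo "destination unreachable: net unreachable" ;;
    3/1)  echo "destination unreachable: host unreachable" ;;
    3/3)  echo "destination unreachable: port unreachable" ;;
    3/4)  echo "destination unreachable: fragmentation needed" ;;
    8/0)  echo "echo request" ;;
    11/0) echo "time exceeded: TTL expired in transit" ;;
    *)    echo "icmp type $1 code $2" ;;
  esac
}

# Decode one line. The three words before PROTO= are chain, verdict and
# interface; the two after it are src:X and dst:Y. For PROTO=1 (icmp) X is the
# message type and Y the code, which is what made the entries look like ports.
decode_line() {
  a= b= c=
  set -f
  set -- $1
  set +f
  while [ $# -gt 0 ]; do
    case "$1" in
      PROTO=*)
        proto=${1#PROTO=}
        src=${2%:*}; sport=${2##*:}
        dst=${3%:*}; dport=${3##*:}
        if [ "$proto" = 1 ]; then
          echo "$a $b $c icmp $src -> $dst type=$sport code=$dport ($(icmp_name "$sport" "$dport"))"
        else
          echo "$a $b $c proto=$proto $src:$sport -> $dst:$dport"
        fi
        return 0 ;;
    esac
    a=$b; b=$c; c=$1
    shift
  done
  echo "not a Packet log line" >&2
  return 1
}

# Count ICMP type 3 (destination unreachable) entries per source address,
# busiest first; a long run from one address is the pattern Jon saw all day.
count_unreachable_by_source() {
  awk '
    { for (i = 1; i <= NF; i++) if ($i == "PROTO=1") break
      if (i > NF) next
      split($(i + 1), s, ":")
      if (s[2] == "3") n[s[1]]++ }
    END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Demo: decode every sample line, then summarise.
sample_log | while IFS= read -r line; do decode_line "$line"; done
sample_log | count_unreachable_by_source
```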
Re: [leaf-user] Logging question.
First I thought: Log tcp packets that have the SYN flag set. The SYN flag is only set on the very first packet of a new connection from the outside. But you said you want to log everything that hits your external interface, not just new incoming connections.

So maybe write a filtering script that listens on a socket for log file entries and filters them if they are the body. You can set up a listener via inetd and send the traffic to a shell script. Not sure how to get the logging data over there, but syslogd.conf sounds like a place to start. If you want to see a similar example, look at sh-httpd, or look at the FAQ entry I wrote for UnixWare7:

Good Luck,
matthew

=
10.7) How do I catch someone trying to port scan my Uw7 host?

The curious out there like to scan the ports of publicly available computers. At times they are trying to attack your system, and you can run a dummy service on an unused port that'll send root some email if someone tries to connect to it.

Let's call the new service we are going to create 'probe.' Let's have probe run on port 999, which is unused. Let's make a batch file that probe runs called 'etcprobe.' Probe will be added with an entry in /etc/services. Probe will be started with an entry in /etc/inet/inetd.conf. Etcprobe will be stored in /usr/local/bin.

/usr/local/bin/etcprobe
+---
| #!/bin/sh
| # mail root the netstat line for any established connection on the dummy port
| netstat -an | grep 999 | grep ESTAB | mail -s "Probe Alert!!" root
|

/etc/services
+--
| ...
| ...
| probe 999/tcp
| ...

/etc/inet/inetd.conf
+--
| ...
| probe stream tcp nowait root /usr/local/bin/etcprobe probe
|

Now apply the changes made to inetd.conf with the kill command. Test that probe is working by trying to telnet to port 999. You'll get mail to root in a few seconds.
===
RE: [leaf-user] Newbie question: would this setup be possible?
Sanyarin,

If I needed a solution like you asked about I think I'd look into setting up a second server as a proxy for web and ftp. With a proxy you could (I think) log web and ftp URLs. Combine that with a mac address and maybe switchport information would give you enough to track down a malicious user on the internal network.

chris
[leaf-user] (no subject)
confirm 937257
Re: [leaf-user] How to set up bridging with Bering?
Scott Merrill wrote:
On Tuesday 29 October 2002 12:20 am, dan carter wrote:
I have not used it, but there is a Linux development effort for L2TP: http://sourceforge.net/projects/l2tp

SMB Browse lists are best handled in a WAN setting by use of WINS.

I agree on a large centrally controlled WAN, but on a small anarchic WAN, getting everybody to agree on a WINS server to use is unlikely.

Thanks for the link
RE: [leaf-user] Can't PPTP to work
You will definitely need the ip_masq_pptp.o module loaded and also need to open the firewall for protocol 47 (GRE) to pass in order to get connected. This is all that should be needed to make an outgoing connection using PPTP.

Andrew G. GRAY MCSE
Ph. (07) 3288 8209
Mob. 0418 734 078

-Original Message-
From: [EMAIL PROTECTED] [mailto:leaf-user-admin;lists.sourceforge.net] On Behalf Of Joey Officer
Sent: Fri, 25 Oct 2002 18:01 PM
To: Hien Le; [EMAIL PROTECTED]
Subject: RE: [leaf-user] Can't PPTP to work

I'm not familiar with PPTP at all, but if it's at all similar to ipsec (sounds like it) then you might need to add the module to allow traffic through the firewall. I am really speaking out of my ass on this one though. Try adding the pptp module (ip_masq_pptp.o) to the modules conf, I'll bet that'll fix it.

good luck
joey

-Original Message-
From: [EMAIL PROTECTED] [mailto:leaf-user-admin;lists.sourceforge.net] On Behalf Of Hien Le
Sent: Friday, October 25, 2002 1:26 AM
To: [EMAIL PROTECTED]
Subject: [leaf-user] Can't PPTP to work

Hi,

My winXP computer is behind a Dachstein at home. I'm trying to connect to a PPTP VPN server at work, but I can only get to the Verify Username and Password screen and the connection drops with the error message 731. Please help.

Thank you.
Re: [leaf-user] Problems with RC4
On Sun, 27 Oct 2002 18:56:42 +0100, you wrote:
Lars: Today I upgraded to RC4 and now mysql (/usr/sbin/mysql --user=mysql) can't start anymore. When I start mysql the following way (/usr/sbin/mysql --user=root) it is starting up. I saw that you changed something grsecurity. Does someone have an idea, where I can start looking?

This sounds to be indeed grsecurity related. Bering was not really designed to be a full fledged distro :-) but rather a secure router... :) The way to proceed would be to compile your own kernel and relax the grsecurity options. Since I am currently out of town I cannot help you more about that -- I do not have access to my doc. Hope you will find the solution. If so please report it to the list

I found a solution. I recompiled it, but not the kernel! ;) First I was using the precompiled binaries from mysql.com. Today I recompiled mysql myself. Now it is really small and is working again. So far so good!

Cu
--
Lars Kneschke
CCNP
Re: [leaf-user] WLAN routing setup/harware [was WLAN again]
As long as all the LEAF boxes have routes setup, I don't see a problem of it. At one point I had 12 LRP boxen setup with static routes all aware of each other.

-Pat

On Tue, 29 Oct 2002, Erich Titl wrote:
Hi Pat List

First let me apologize for the misleading subject, it was late yesterday. Thanks for the hint, indeed I was able to get a card for trial from D-Link and my old PC did not even want to start anymore. So much for compatibility. Now I will have to see if some other product performs better.

Anyone, please comment on the routing setup, I am a complete newbie in that field and need a few hints. Here the original stuff once more

    DSL to ISP
        |
    eth0 dynamic IP
    LEAF router/firewall ??.??.??.?? -- wireless connection -- ??.??.??.?? LEAF router
    eth1 192.168.1.1                      |                                eth1 192.168.2.?
        |                (??.??.??.?? possible mobile WLAN station(s))          |
    subnet1 192.168.1.0/24                                               subnet 192.168.2.0/24

Thanks
Erich

[EMAIL PROTECTED] wrote the following at 00:42 29.10.2002:
Hey Erich,

I would be wary of the DWL-520 cards as they require a PCI 2.2 compliant system, which most older (more than a year or two) aren't. I ran into this problem and switched it to the Linksys WMP11 card (I think that's the model) and it worked without a problem.

--Pat

On Mon, 28 Oct 2002, Erich Titl wrote:
Hi everybody

Similar questions have been brought up lately so please bear with me. I am about to build a WLAN connection to a remote subnet which should be built up as follows:

    DSL to ISP
        |
    eth0 dynamic IP
    LEAF router/firewall ??.??.??.?? -- wireless connection -- ??.??.??.?? LEAF router
    eth1 192.168.1.1                      |                                eth1 192.168.2.?
        |                (??.??.??.?? possible mobile WLAN station)             |
    subnet1 192.168.1.0/24                                               subnet 192.168.2.0/24

Now I am uncertain, what assignment of addresses and routes would be reasonable for the wireless connection. Should I treat the wireless connection as a separate subnet which I am just using to route through or does it make more sense to build a wireless bridge. Would the set up of the wireless connection using a separate subnet allow me to deploy additional mobile WLAN stations in the intermediate subnet.

I would like to use the D-Link DWL-520+ with external antennae as the WLAN equipment in the routers, does anyone have experience with this type of equipment.

Thanks
Erich

THINK
Püntenstrasse 39
8143 Stallikon
mailto:erich.titl;think.ch
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16
RE: [leaf-user] Newbie question: would this setup be possible?
What you want to do is feasible. Authentication for outgoing traffic if http can be done thro' squid. If you want masq or nat, look at Horatio. It uses authentication for allowing nat/masq in a typical dhcp LAN where each machine's IP is dynamic and hence static IP filtering cannot be applied. It runs on ipchains and not iptables.

However, it may not be able to limit access to once a day. Most authentication mechanisms are either time based or URL based but I've not come across no. of tries/access instances per day.

HTH -:)
Mohan

-Original Message-
From: [EMAIL PROTECTED] [mailto:leaf-user-admin;lists.sourceforge.net] On Behalf Of Sanyarin
Sent: Tuesday, October 29, 2002 7:25 PM
To: [EMAIL PROTECTED]
Subject: [leaf-user] Newbie question: would this setup be possible?

Hi,

I'm a complete newbie concerning PC-based Linux-Routers, so please tell me in case my questions are trivial.

My questions:
- would it be possible to use the same machine that is running the router as a 'public' (for my intranet) place to leave e.g. patches, driver updates or other useful files on?
- is it possible to require an authentication for outgoing traffic at a rate of, let's say, once per day?

Feel free to reply with a definitive 'no'/'yes, rtfm!' at this point, although I would appreciate any hint on where to find the 'fine manual' on that. Those asking 'why the hell do you want to?' may read on.

My scenario is this: I'm living in a students' dormitory, and we recently got equipped with a 100Mbps LAN. Shortly, we'll also get a 2Mbps internet link, requiring a router. I want to have a firewall in place, would like to have the aforementioned public directories available and additionally, need a way to reliably identify the users, because the management of the dormitory wants to be able to track down possible misuse. Our ISP could only track IP and (possibly) MAC addresses, but I think that both are not reliable enough in case official investigations should occur (or are they?). After all, I would like to save all the other users from having their computers searched or seized, just because some stupid amateur believes he will not get caught.

Please tell me if this could work (and perhaps give me a brief hint?), or suggest a better solution under the given circumstances.

Thanks in advance to you all,
Björn Snippe
Hannover, Germany
[leaf-user] DMZ: Mail Server (HELP)
I'm trying to configure my local network using the 3-Interface DOCs on (www.shorewall.net) to setup an External, Internet, and DMZ network.

net - The Internet (eth0)
loc - Local Network (eth1)
dmz - Demilitarized Zone (eth2)

Now all traffic between (net) and (loc) works just fine. I want to place an SMTP server on my (dmz) and have it pass all SMTP traffic back and forth like a normal mail server. As of right now, I can't seem to get it to work.

Network Diagram:
net: 216.170.101.137 (Remote ISP Router)
     216.170.101.138 (IP of Bering Firewall - External - eth0)
loc: 199.74.186.200 (IP of Bering Firewall - Internal - eth1)
     199.74.186.0/24 (Addresses issued via DHCP)
dmz: 10.10.10.1 (IP of Bering Firewall - DMZ - eth2)
     10.10.10.2 (IP of Mail Server)

I'm assuming I need to modify the Shorewall (rules) file to pass (net) to (dmz) SMTP Traffic and also (loc) to (dmz) SMTP Traffic but I'm unsure on how to configure that. Could anybody give me a helping hand on how Shorewall Configs and/or anything else need to be configured?

I've also tried the configs listed here: http://sourceforge.net/docman/display_doc.php?docid=1452&group_id=13751 ...but that didn't do much good on my Bering LRP since its a FAQ for people configuring LRP 2.9.x or Matterhorn/Eiger.

Any assistance is appreciated.
-Alby
[leaf-user] Re: DMZ: Mail Server (HELP)
PS: Also to rest any fears, I did make a crossover cable and it does work.
-Alby

I'm trying to configure my local network using the 3-Interface DOCs on (www.shorewall.net) to setup an External, Internet, and DMZ network.

net - The Internet (eth0)
loc - Local Network (eth1)
dmz - Demilitarized Zone (eth2)

Now all traffic between (net) and (loc) works just fine. I want to place an SMTP server on my (dmz) and have it pass all SMTP traffic back and forth like a normal mail server. As of right now, I can't seem to get it to work.

Network Diagram:
net: 216.170.101.137 (Remote ISP Router)
     216.170.101.138 (IP of Bering Firewall - External - eth0)
loc: 199.74.186.200 (IP of Bering Firewall - Internal - eth1)
     199.74.186.0/24 (Addresses issued via DHCP)
dmz: 10.10.10.1 (IP of Bering Firewall - DMZ - eth2)
     10.10.10.2 (IP of Mail Server)

I'm assuming I need to modify the Shorewall (rules) file to pass (net) to (dmz) SMTP Traffic and also (loc) to (dmz) SMTP Traffic but I'm unsure on how to configure that. Could anybody give me a helping hand on how Shorewall Configs and/or anything else need to be configured?

I've also tried the configs listed here: http://sourceforge.net/docman/display_doc.php?docid=1452&group_id=13751 ...but that didn't do much good on my Bering LRP since its a FAQ for people configuring LRP 2.9.x or Matterhorn/Eiger.

Any assistance is appreciated.
-Alby
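The Shorewall entries that the question above (and its original posting) is asking for, added here as an example; this is not Alby's configuration and not text from the Shorewall project. It uses the zone names net/loc/dmz, the interfaces and the mail server address 10.10.10.2 from the message. Assumed: the Shorewall 1.3 column layout shipped with Bering, that the zones, interfaces and the net/loc policies already work as stated, and that DMZ hosts leave through the firewall's public address.

```text
# /etc/shorewall/rules   (Shorewall 1.3 layout, assumed)
#ACTION  SOURCE   DEST             PROTO  DEST PORT(S)  SOURCE PORT(S)  ORIGINAL DEST
#
# The DMZ is RFC 1918 space (10.10.10.0/24) behind the single public address
# 216.170.101.138, so SMTP arriving from the Internet must be port-forwarded
# (DNAT) to the mail host rather than merely ACCEPTed.
DNAT     net      dmz:10.10.10.2   tcp    25
#
# The LAN is routed to the DMZ, so it can reach the mail host by its DMZ
# address directly. Only SMTP is opened; nothing else from loc to dmz.
ACCEPT   loc      dmz:10.10.10.2   tcp    25
#
# The mail host must deliver outbound mail and resolve MX records.
# Everything else from dmz stays under the dmz policy (DROP or REJECT), so
# a compromised mail host cannot open connections into the LAN.
ACCEPT   dmz      net              tcp    25
ACCEPT   dmz      net              udp    53
ACCEPT   dmz      net              tcp    53

# /etc/shorewall/masq   (assumed: the dmz shares the eth0 public address
# when it talks to the Internet; eth0 eth1 may already be here for loc)
#INTERFACE  SUBNET
eth0        eth2
```

After editing, `shorewall restart` applies the change. If LAN clients must also reach the server by the public name (216.170.101.138) instead of 10.10.10.2, a second DNAT rule with loc as SOURCE and 216.170.101.138 in the ORIGINAL DEST column is the usual Shorewall answer; with only the rules above, loc uses the DMZ address.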
[leaf-user] [ leaf-Support Requests-630851 ] Traffic shaping in Bering
Support Requests item #630851, was opened at 2002-10-29 21:28
You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=213751&aid=630851&group_id=13751

Category: Release/Branch: Bering
Group: None
Status: Open
Priority: 5
Submitted By: Ernest Fontes (ef11)
Assigned to: Mike Noyes (mhnoyes)
Summary: Traffic shaping in Bering

Initial Comment:
First let me express my amazement and gratitude to all the talented developers along the path to Bering 1.0-rc4. I love open source and the creativity it encourages. I've used Bering rc3 for several months now and love it. I've pored over the documentation and bootstrapped myself enough to add and remove packages and modules, etc. I've even added the lrpstat package to my router so I have mesmerizing stripcharts of traffic. A true lava lamp if I've ever seen one!

The feature I now drool over is traffic shaping. I have a family of five and we're stuck sharing a dial-up modem. Sad, I know, but actually workable. To make it more workable I'd like to shape traffic so that I can start a long download, at low priority, so that it will yield whenever interactive traffic needs some space.

I tried a tcstart file under shorewall in RC3 but dropped it after getting constant error messages. I was encouraged to see mention that the RC4 included a version of tc patched for htb (version 2) (section 12.11 in the Information on packages provided in the Bering...). So I dug right in and added tc.lrp to my router and then tried the first parts of T. Eastep's script. Still the same error messages:

RTNETLINK: invalid argument

I know I'm not giving much detail right now but before I spend more time on this I'd like to know if it can work and if I'm anywhere close to the correct path.

Thanks in advance.
Ernie

--
You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=213751&aid=630851&group_id=13751
Re: [leaf-user] How to set up bridging with Bering?
On Monday 28 October 2002 23:20, dan carter wrote:
Is there a linux implementation of this protocol? I have been trying to get something like that going for ages to join two private LANs over the internet. All the VPN stuff I've looked at doesn't seem to be able to forward the broadcast packets even if they are directed broadcast packets, which breaks warcraft 3 LAN game discovery and simple broadcast discovery for smb browse lists

Gads I hope not.. :-)

You might take a gander at WINS or some other resolution method outside of NetBeui/NetBIOS. You do _not_ want to be spewing broadcast garbage outside of your subnet when better, more controlled methods are available. Setting up a WINS server on each subnet that sync with each other is much more preferable.

--
~Lynn Avants
aka Guitarlynn
guitarlynn at users.sourceforge.net
http://leaf.sourceforge.net

If linux isn't the answer, you've probably got the wrong question!
Re: [leaf-user] bearing and VPN
On Tuesday 22 October 2002 07:06, Steve Buehler wrote:
If the only logical way is a VPN network and IF Bering 1.0-RC3 won't do that, can someone suggest to me an inexpensive VPN/Firewall/Router software or hardware that would be powerful enough to do what I need here. Please understand that my boss is really on my case about getting this set up, but for some reason, he is being cheap (stupid) about it.

I believe many people are running ipsec (VPN) on Bering RC3 boxes. You might check out the VPN/IPSec section in the Bering user's manual. You might also give us a hint at where you're having problems so we might be of some use to help. I hope your boss lightens up on you until the system can be brought up.

--
~Lynn Avants
aka Guitarlynn
guitarlynn at users.sourceforge.net
http://leaf.sourceforge.net

If linux isn't the answer, you've probably got the wrong question!
Re: [leaf-user] How to set up bridging with Bering?
guitarlynn wrote:
On Monday 28 October 2002 23:20, dan carter wrote:
Is there a linux implementation of this protocol? I have been trying to get something like that going for ages to join two private LANs over the internet. All the VPN stuff I've looked at doesn't seem to be able to forward the broadcast packets even if they are directed broadcast packets, which breaks warcraft 3 LAN game discovery and simple broadcast discovery for smb browse lists

Gads I hope not.. :-)

You might take a gander at WINS or some other resolution method outside of NetBeui/NetBIOS. You do _not_ want to be spewing broadcast garbage outside of your subnet when better, more controlled methods are available. Setting up a WINS server on each subnet that sync with each other is much more preferable.

Getting Warcraft III going was actually the more pressing requirement, broadcast browse lists would just be a nice bonus otherwise you have to keep using \\ip address\sharename strings to find file shares. They are only small networks 5 machines each, so being overwhelmed with broadcast packets is not going to be a problem. For tiny networks I often find it is more work to do things the 'proper' way (eg dhcp server) than the 'hard' way (manual ip settings and a text file of who has what ip)
Re: [leaf-user] (no subject)
On Tuesday 22 October 2002 22:36, Simpson, Doug wrote:
I believe it is the firewall or a routing issue. Pardon my ignorance but I do not know where to look next or what to test or disable. Has anyone done this successfully? Bering (LRP) and FreeSwan and SSHSentinel. Thank you for your time

Yep, many people are running this setup without problems. We'll need some configuration information for Ipsec and Shorewall to have any clue to what might be wrong.

--
~Lynn Avants
aka Guitarlynn
guitarlynn at users.sourceforge.net
http://leaf.sourceforge.net

If linux isn't the answer, you've probably got the wrong question!
Re: [leaf-user] How to set up bridging with Bering?
On Tuesday 29 October 2002 23:22, dan carter wrote:
guitarlynn wrote:
On Monday 28 October 2002 23:20, dan carter wrote:
Is there a linux implementation of this protocol? I have been trying to get something like that going for ages to join two private LANs over the internet. All the VPN stuff I've looked at doesn't seem to be able to forward the broadcast packets even if they are directed broadcast packets, which breaks warcraft 3 LAN game discovery and simple broadcast discovery for smb browse lists

Gads I hope not.. :-)

You might take a gander at WINS or some other resolution method outside of NetBeui/NetBIOS. You do _not_ want to be spewing broadcast garbage outside of your subnet when better, more controlled methods are available. Setting up a WINS server on each subnet that sync with each other is much more preferable.

Getting Warcraft III going was actually the more pressing requirement, broadcast browse lists would just be a nice bonus otherwise you have to keep using \\ip address\sharename strings to find file shares. They are only small networks 5 machines each, so being overwhelmed with broadcast packets is not going to be a problem. For tiny networks I often find it is more work to do things the 'proper' way (eg dhcp server) than the 'hard' way (manual ip settings and a text file of who has what ip)

A M$ WINS server will likely be a pain to get to sync across subnets, however Samba servers do it effortlessly. It might be harder to setup a WINS server, but at last look the line added to smb.conf only required wins server=yes to set it up as a wins server. You also need to add a line for sync'ing the remote servers (by ip address). If this is not something you're going to want to try, you're probably not going to have any success without a lot more work across subnets.

My suggestion was from the stand-point that I don't want Win2K/XP to be broadcasting all my LAN information out to the internet. There is enough trash in my logs without adding more to someone else's logs.

--
~Lynn Avants
aka Guitarlynn
guitarlynn at users.sourceforge.net
http://leaf.sourceforge.net

If linux isn't the answer, you've probably got the wrong question!
Re: [leaf-user] How to set up bridging with Bering?
guitarlynn wrote:
A M$ WINS server will likely be a pain to get to sync across subnets, however Samba servers do it effortlessly.

Must be a new option, last time I looked at it there was no way to sync samba WINS servers, they said they were working on it but it would be a proprietary option and would not work with MS's WINS server syncing. The recommended option was to have one machine be the single WINS server for all subnets. You would then need to configure all the machines in all the remote networks to use that WINS server as they could not discover it with broadcast packets...

Sounds quite easy to setup now, but again it isn't going to help Warcraft III clients find each other ...
[leaf-user] [ leaf-Support Requests-630851 ] Traffic shaping in Bering
Support Requests item #630851, was opened at 2002-10-30 02:28
You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=213751&aid=630851&group_id=13751

Category: Release/Branch: Bering
Group: None
Status: Open
Priority: 5
Submitted By: Ernest Fontes (ef11)
Assigned to: Mike Noyes (mhnoyes)
Summary: Traffic shaping in Bering

Initial Comment:
First let me express my amazement and gratitude to all the talented developers along the path to Bering 1.0-rc4. I love open source and the creativity it encourages. I've used Bering rc3 for several months now and love it. I've pored over the documentation and bootstrapped myself enough to add and remove packages and modules, etc. I've even added the lrpstat package to my router so I have mesmerizing stripcharts of traffic. A true lava lamp if I've ever seen one!

The feature I now drool over is traffic shaping. I have a family of five and we're stuck sharing a dial-up modem. Sad, I know, but actually workable. To make it more workable I'd like to shape traffic so that I can start a long download, at low priority, so that it will yield whenever interactive traffic needs some space.

I tried a tcstart file under shorewall in RC3 but dropped it after getting constant error messages. I was encouraged to see mention that the RC4 included a version of tc patched for htb (version 2) (section 12.11 in the Information on packages provided in the Bering...). So I dug right in and added tc.lrp to my router and then tried the first parts of T. Eastep's script. Still the same error messages:

RTNETLINK: invalid argument

I know I'm not giving much detail right now but before I spend more time on this I'd like to know if it can work and if I'm anywhere close to the correct path.

Thanks in advance.
Ernie

--
Comment By: Tom Eastep (teastep)
Date: 2002-10-30 03:02

Message:
Logged In: YES
user_id=6546

Are you loading the appropriate kernel modules? I don't know how Jacques is building his rc4 kernel but I can envision you needing to load both sch_sfq and sch_htb. You may need more modules if the basic QoS capability is also modularized.

--
You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=213751&aid=630851&group_id=13751
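What a tcstart file for the request above (and its first posting) could look like, added here as an example; it is not T. Eastep's script and not part of the tracker item. It loads the sch_htb and sch_sfq modules Tom names (plus cls_u32 for the filters), then builds one HTB root with a high-priority class for interactive traffic and a low-priority default class for bulk downloads, so a long download yields when someone needs the link. The interface name ppp0, the 30 kbit/s budget and the TC dry-run variable are assumptions:

```shell
#!/bin/sh
# Added example, not Tom Eastep's script and not part of the tracker item.
# A tcstart-style shaper for an outbound dial-up link: one HTB root qdisc,
# a high-priority class for interactive traffic and a low-priority default
# class for bulk transfers, so a long download yields when someone types.
# Assumptions: interface ppp0, a 30 kbit/s budget (set DEV and RATE), a 2.4
# kernel with the HTB patch the request mentions, and tc from tc.lrp.
# Set TC=echo to print the tc commands instead of executing them.

DEV=${DEV:-ppp0}
RATE=${RATE:-30}   # kbit/s; keep below the modem's real rate so queueing happens here
TC=${TC:-tc}

# Load the schedulers and classifier this script needs. A missing one is the
# usual reason tc answers 'RTNETLINK: invalid argument'.
load_modules() {
    for m in sch_htb sch_sfq cls_u32; do
        modprobe "$m" 2>/dev/null || true
    done
}

# Install the qdisc tree; returns 1 at the first tc command that fails.
shape() {
    half=$((RATE / 2))
    # Remove any previous root qdisc; ignore the error when there is none.
    $TC qdisc del dev "$DEV" root 2>/dev/null || true
    # Root: unclassified traffic falls into 1:20 (bulk).
    $TC qdisc add dev "$DEV" root handle 1: htb default 20 || return 1
    $TC class add dev "$DEV" parent 1: classid 1:1 htb rate "${RATE}kbit" || return 1
    # Interactive: half the link guaranteed, may borrow all of it, served first.
    $TC class add dev "$DEV" parent 1:1 classid 1:10 htb rate "${half}kbit" ceil "${RATE}kbit" prio 0 || return 1
    # Bulk: the other half, borrows only what interactive leaves idle.
    $TC class add dev "$DEV" parent 1:1 classid 1:20 htb rate "${half}kbit" ceil "${RATE}kbit" prio 1 || return 1
    # SFQ under each leaf so one flow cannot hog its class.
    $TC qdisc add dev "$DEV" parent 1:10 handle 10: sfq perturb 10 || return 1
    $TC qdisc add dev "$DEV" parent 1:20 handle 20: sfq perturb 10 || return 1
    # Classify into 1:10: TOS minimize-delay, ssh, telnet, and DNS queries.
    $TC filter add dev "$DEV" parent 1: protocol ip prio 10 u32 match ip tos 0x10 0xff flowid 1:10 || return 1
    $TC filter add dev "$DEV" parent 1: protocol ip prio 10 u32 match ip dport 22 0xffff flowid 1:10 || return 1
    $TC filter add dev "$DEV" parent 1: protocol ip prio 10 u32 match ip dport 23 0xffff flowid 1:10 || return 1
    $TC filter add dev "$DEV" parent 1: protocol ip prio 10 u32 match ip protocol 17 0xff match ip dport 53 0xffff flowid 1:10 || return 1
}

# Per-class counters: watch 1:10 and 1:20 grow to confirm the filters match.
show() {
    $TC -s class show dev "$DEV"
}

case "$1" in
    start) load_modules && shape ;;
    show)  show ;;
esac
```

Run it with `TC=echo sh tcstart start` first to see the exact tc commands; if one of them is the line that produces 'RTNETLINK: invalid argument' when run for real, the qdisc or classifier it names is the module to look for.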
Re: [leaf-user] How to deal with P2P-apps? [was; What's this guy trying?]
On Tue, Oct 29, 2002 at 10:03:58AM -0800, Ray Olszewski wrote:
Comments interleaved below. (I waited awhile before replying, in the hope that someone who knows more about this area than I would chime in. What I can offer is very limited, as you will see.)

Limited, but by no means useless... thanks :)

Now, why morpheus on the lan should result in incoming martian icmp messages on eth0, I haven't any idea...(?) BUT

Me either, except to note that P2P services make a lot of connections to and from poorly configured systems. If your ISP uses private address 10.131.224.1 for some specialized purpose (a plausible example would be a server that does PPPoE authentication), a configuration error by some morpheus user elsewhere could be causing a routing error from your end. Just a guess, of course.

Except that what I'm seeing is many different IPs, although they're almost all in the 10.0.0.0/8 range. (I do see some 192.168.x.x. and a couple 172's, but not nearly as many as the 10's...)

More generally; This being a residential network, I have no authority to block P2P apps outright. So I would like some opinions/advice WRT the following: P2P being the potential security hazard it is, would it make sense to place a P2P proxy in the dmz? (And try to beef up security on it)

My guess is no. Any vulnerabilities here are in the application layer of closed-source software. For each P2P app to work, you have to let the app connect to the Internet. In any case, I've never heard of a P2P proxy for the common P2P services ... has anyone?

Right. Well... I'm using the term 'proxy' very loosely here; What I meant was to set up a windows host in the DMZ, strip it as much as possible, load some antivirus stuff on it, and let it act as 'buffer' for P2P. Then use the very useful info from oofle.com to build rules that only allow P2P to/from *that* machine to/from the NET, throttling and all, and only let the internal clients up/download from it. I don't know, just an idea... :-P

As to where to begin ... a good place to start with this sort of question is at Google. A search on Morpheus ports turned up a ton of listings, including this one:

Right... google is our friend... I'll look more closely into these links. Oofle looks like a great resource :)

Thanks... I now have some leads to pursue...

Jon Clausen