Re: [leaf-user] How to define time zone in bering rc3

[Jon Clausen]

On Wed, Nov 13, 2002 at 11:47:42AM +0700, Thitiporn Pornpirunrak wrote:
> Hi all
>  I am using bering rc3 and try to define time zone in my bering box. I am living 
>in thailand and my time zone is "GMT+7". How do i define them in my bering box? When 
>I use command "date" it returns "Wed Nov 13 11:42:22 UTC 2002" But I should be "Wed 
>Nov 13 11:42:22" at GMT+7. And when i use command "rdate -s time.nuri.net" it turn my 
>bering box into "Wed Nov 13 04:42:22 GMT 2002". Anyone who know please tell me..

Have a look at:

http://leaf.sourceforge.net/devel/jnilo/butime.html

- pretty comprehensive walkthrough of exactly that ;)

HTH
Jon Clausen


---
This sf.net email is sponsored by: 
To learn the basics of securing your web site with SSL, 
click here to get a FREE TRIAL of a Thawte Server Certificate: 
http://www.gothawte.com/rd522.html

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html

[leaf-user] How to define time zone in bering rc3

[Thitiporn Pornpirunrak]

Hi all
 I am using bering rc3 and try to define time zone in my bering box. I am living 
in thailand and my time zone is "GMT+7". How do i define them in my bering box? When I 
use command "date" it returns "Wed Nov 13 11:42:22 UTC 2002" But I should be "Wed Nov 
13 11:42:22" at GMT+7. And when i use command "rdate -s time.nuri.net" it turn my 
bering box into "Wed Nov 13 04:42:22 GMT 2002". Anyone who know please tell me..

Thank in advanced,
Thitiporn†+,~w­zf¢–+,¦‰ì¢·o$è•æ«žØ^m«"rʱç.®)àʋ«ÁæìŠ×°ŠØRH·%‰É!z·­¢­hTD4Hºi8ZÂגz»Þ¬'«¶'âq«^†Ûiÿü0Â
-…¬-yÊ&þ·yÛhmšY^iû¬z¹šŠX§‚X¬¶Wš~ë®X¬¶Ë(º·~Šàzw­†Ûi³ÿåŠËl²‹«qç讧zßåŠËlþX¬¶)ߣù^iû¬z´‘!¶ÚþWš~šèç-¢¸?¦æÿv‡?v‡&jv z¿Ý¡È×Ïu†Ù¥

[leaf-user] Müzik ve aradýklarýnýz nybh

[Jude Colpitts]

Mp3sa yine bir ilki gerçekleþtiriyor: Klip arþivi!
Full albüm ve single parçalar mp3 halinde!
Arayýpta bulamadýðýnýz bütün parçalar için birde sitemize bakýn: http://www.mp3sa.com

Full Turkçe Album 
Full Yabancý Album 
A-Z Yerli Mp3 
A-Z Yabancý Mp3 
En Iyý 20 
Yerli Výdeo Klýp 
Yabancý Výdeo Klýp 
Yerli ve Yab. Arsýv

Hepsine birden ulaþabileceðiz tek bir adres var
http://www.mp3sa.com



áŠËë^™¨¥ŠË)¢{(­ç[É:%yªç¶›jȜ²‡ìyË«Šx2¢êðy»"µì"¶’-ÉbrH^­ëhëZM.‡ÚN°µäž®÷«
 êí‰øœjס¶Úÿ
0‚‹ak^r‰¿­ÞvÚf–Wš~ë®f¢–)à–+-•æŸºÇ«–+-²Ê.­ÇŸ¢¸ëa¶Úlÿùb²Û,¢êÜyú+éÞ·ùb²Û?–+-ŠwèþWš~ë­$E
m¶Ÿÿ•æŸ¦º#yËh®鹿ݡÏݡɚ¨¯÷hr'uóÝa¶i

Re: [leaf-user] nat between gateways ???

[Michael D. Schleif]

Charles Steinkuehler wrote:
> 
> Michael D. Schleif wrote:
> > Charles Steinkuehler wrote:
> >> You don't give enough information to correctly diagnose martian errors,
> >> which are based pretty much entirely on the status of the route tables.
> >>   Also, while I have not done a lot of host-host or host-subnet VPNs
> >> (you also don't include your IPSec configuration), you will run into
> >> problems with these VPN flavors if you don't have rpfiltering turned off
> >> (you'll get a warning when starting IPSec about this if it's enabled).


For futher information, please, let me know and I will be as verbose as
necessary on a separate webpage.  Let's hope that I remember to publish
the final solution exhaustively to the list ;>

[1] Indeed, that pesky martian problem appears to be directly related
to the values of:

/proc/sys/net/ipv4/conf/ipsec0/rp_filter
/proc/sys/net/ipv4/conf/wan1/rp_filter

Changing them from `1` to `0' resolves that issue.

[2] The current setup is to mimic the intended vpn between DCD at
pinktrout and that pesky dicom cisco vpn, for which we are
substituting another of our DCD's: bluetrout.

[3] Now, with that 1 -> 0 conversion and following ipsec configuration,
SA is established on both sides.

[4] Neither side can ping anything on the other side.

[5] routes:

root@bluetrout:/root
# ip route
64.4.222.158 dev wan1  proto kernel  scope link  src 64.4.222.157
64.4.222.158 dev ipsec0  proto kernel  scope link  src 64.4.222.157
144.228.51.210 via 64.4.222.158 dev ipsec0  src 192.168.1.254
64.4.197.64/26 dev eth1  scope link
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.254
default via 64.4.222.158 dev wan1

root@pinktrout:/root
# ip route
144.228.51.209 dev wan1  proto kernel  scope link  src 144.228.51.210
144.228.51.209 dev ipsec0  proto kernel  scope link  src 144.228.51.210
192.168.1.0/24 via 144.228.51.209 dev ipsec0  src 192.168.11.254
192.168.14.0/24 dev eth1  proto kernel  scope link  src 192.168.14.254
192.168.13.0/24 dev eth0  scope link
192.168.12.0/24 dev eth0  scope link
192.168.11.0/24 dev eth0  proto kernel  scope link  src 192.168.11.254
192.168.10.0/24 dev eth0  scope link
default via 144.228.51.209 dev wan1

[6] udp port 500 & protocols 50 & 51:

root@bluetrout:/root
# ipchains -nvL --line-numbers | grep '\( 5[01] \|500$\)'
1  0  0ACCEPT  51  -- 0xFF 0x00  * 144.228.51.210  64.4.222.157  n/a
2  0  0ACCEPT  50  -- 0xFF 0x00  * 144.228.51.210  64.4.222.157  n/a
3  0  0ACCEPT  51  -- 0xFF 0x00  * 144.228.51.210  64.4.222.157  n/a
4  0  0ACCEPT  50  -- 0xFF 0x00  * 144.228.51.210  64.4.222.157  n/a
5  0  0ACCEPT  51  -- 0xFF 0x00  * 144.228.51.210  64.4.222.157  n/a
6  0  0ACCEPT  50  -- 0xFF 0x00  * 144.228.51.210  64.4.222.157  n/a
7  0  0ACCEPT  51  -- 0xFF 0x00  * 144.228.51.210  64.4.222.157  n/a
8  0  0ACCEPT  50  -- 0xFF 0x00  * 144.228.51.210  64.4.222.157  n/a
53 62 9756 ACCEPT  udp -- 0xFF 0x00  wan1  0.0.0.0/0   64.4.222.157  * -> 
500

root@pinktrout:/root
# ipchains -nvL --line-numbers | grep '\( 5[01] \|500$\)'
50  26  6156 ACCEPT  udp  -- 0xFF 0x00  wan1  0.0.0.0/0  144.228.51.210  * -> 
500

[7] kern.log:

root@pinktrout:/root
# tail -f /var/log/kern.log
Nov 12 20:41:18 pinktrout kernel: Packet log: input DENY wan1 PROTO=50 
64.4.222.157:65535 144.228.51.210:65535 L=136 S=0x00 I=62911 F=0x T=54 (#56)
Nov 12 20:41:19 pinktrout kernel: Packet log: input DENY wan1 PROTO=50 
64.4.222.157:65535 144.228.51.210:65535 L=136 S=0x00 I=62913 F=0x T=54 (#56)
Nov 12 20:41:20 pinktrout kernel: Packet log: input DENY wan1 PROTO=50 
64.4.222.157:65535 144.228.51.210:65535 L=136 S=0x00 I=62915 F=0x T=54 (#56)

[8] ipsec.conf

bluetrout
=
config setup
interfaces=%defaultroute
klipsdebug=none
plutodebug=none
plutoload=%search
plutostart=%search
uniqueids=yes
conn %default
authby=rsasig
auto=start
keyingtries=0
left=%defaultroute
leftfirewall=yes
[EMAIL PROTECTED]
leftrsasigkey=_super_dooper_secret_L_
leftsubnet=192.168.1.0/24
include ipsec/pinktrout.conf

ipsec/pinktrout.conf

conn pinktrout
right=144.228.51.210
[EMAIL PROTECTED]
rightrsasigkey=_super_dooper_secret_R_


pinktrout
=
config setup
interfaces=%defaultroute
klipsdebug=none
plutodebug=none
plutoload=%search
plutostart=%search
uniqueids=yes
conn %default
authby=rsasig
auto=start
keyingtries=0
left=%defaultroute

Re: [leaf-user] Problem getting PPTP client to work behindLEAF/Bering firewall

[Tom Eastep]

--On Tuesday, November 12, 2002 10:04:20 AM -0600 "David A. Bright" 
<[EMAIL PROTECTED]> wrote:

I've been trying to set up a LEAF/Bering firewall at home to allow a
connection to my employer's VPN (PPTP). Here is a rough picture of my
connection:

Win98 client ---> Bering ---> Router ---> ISP ---> Internet ---> Company

My internal network (Win98 -> Bering) uses a private IP space
(192.168.1.0/24). I'm connected to my ISP via a DSL connection in bridge
mode, so my router also has a private IP (192.168.x.y, x != 1). The ISP
then does NAT on that, so my packets are NAT'ed twice, once at the Bering
firewall and again by my ISP. I've got a fairly straightforward Shorewall
configuration on the Bering box, defining just two zones (net and loc).
Outgoing traffic from loc to net is allowed, related traffic is allowed
back in. RFC1918 addresses are not allowed to flow from net -> loc, except
for those on my bridge connection (192.168.x.y) to the ISP.

What I see happening is that packets coming back from the company are
getting rejected by the "norfc1918" rule, as shown by the trace below
(just two messages are shown, I get a bunch more but they are all pretty
much the same):

Nov  9 02:29:15 firewall kernel: Shorewall:rfc1918:DROP:IN=eth1 OUT=eth0
SRC=192.168.p.q DST=192.168.1.1 LEN=56 TOS=0x00 PREC=0x00 TTL=253 ID=20062
PROTO=ICMP TYPE=3 CODE=1 [SRC=192.168.x.y DST=a.b.c.d LEN=50 TOS=0x00
PREC=0x00 TTL=125 ID=28417 PROTO=47 ]


This is an ICMP type 3, code 1 packet (Port Unreachable) packet being 
returned by 192.168.p.q. I suspect that box is behing a NAT gateway (or is 
the interal IP of a NAT gateway) and that gateway isn't handling NAT of 
ICMP properly so that the RFC 1918 address isn't being translated back into 
the external address of the gateway.

The packet is being trapped in your Shorewall rfc1918 chain because it has 
a source IP reserved by RFC 1918. The packet has already had its 
destination IP rewritten to 192.168.1.1 so it is that box who sent the 
original packet which we can see in square brackets (a GRE packet from 
192.168.x.y to a.b.c.d).

Check the firewall configuration at the other end to be sure that it is 
accepting protocol 47.

-Tom
--
Tom Eastep\ Shorewall - iptables made easy
AIM: tmeastep  \ http://shorewall.sf.net
ICQ: #60745924  \ [EMAIL PROTECTED]



---
This sf.net email is sponsored by: 
To learn the basics of securing your web site with SSL, 
click here to get a FREE TRIAL of a Thawte Server Certificate: 
http://www.gothawte.com/rd522.html

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html

Re: [leaf-user] Cant route to local IP address on eth2

[Ray Olszewski]

Look at the differences in the routing tables of the Linux host on eth2 and 
ISDN router #2. I bet you will find that the Linux host knows that the LEAF 
router's eth2 IP address is its route to 192.168.1.0/24, but that the ISDN 
router #2 does not know this. (I am assuming here that the LEAF router is 
NOT set to NAT traffic from the eth1 network to the eth2 network.) The ISDN 
router may not even know that the LEAF router's eth2 IP address is its 
default gateway.

If I'm wrong ... and if no one else chimes in with an "obvious" answer ... 
then we need a more complete characterization of the LEAF router's 
configuration then you have provided. Consult the SR FAQ (listed below) for 
how to provide this.

Also, try putting the Linux host on the eth2 LAN with a different IP 
address this time, and using it to sniff traffic. See if the pings get *to* 
the ISDN #2 router, but the ping *replies* do not get back to the LEAF router.

At 06:17 PM 11/12/02 -0500, Robert Szabo wrote:
I have Leaf Bering installed.

My setup is:

3 network cards

eth0 - net - internet address to ISDN Router #1 (has internet address in
and out)
eth1 - lan - 192.168.1.x
eth2 - dmz - 192.168.2.x to ISDN Router #2 with local address on the inside
and internet address on the outside (setup to allow communication only to
and from a single IP address) I used the designation dmz for this adapter
even though I know its not really a dmz since I have no route between it
and the net.

I am able to see the internet through eth0 from the lan and fw. Everything
is fine between lan and net.

I can ping ISDN Router #2 hooked to eth2 from the fw.  I can NOT ping ISDN
Router #2 from the lan.

HOWEVER, I have hooked a linux box to eth2 it is fine. I can ping it from
the lan. For testing I set it to the same IP address that I have the #2
ISDN router set to.

I am starting to think it may be the setup in ISDN Router #2. OR.. am I
missing something in my rules. BUT if thats the case why does the linux box
work fine on eth2??

Any help would be greatly appreciated.





--
---"Never tell me the odds!"
Ray Olszewski	-- Han Solo
Palo Alto, California, USA			  [EMAIL PROTECTED]
---



---
This sf.net email is sponsored by: 
To learn the basics of securing your web site with SSL, 
click here to get a FREE TRIAL of a Thawte Server Certificate: 
http://www.gothawte.com/rd522.html

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html

Re: [leaf-user] Mounting / formatting an IDE drive in Bering was Samba, Ide, Mount ???'s

[Kory Krofft]

OK so I answered my own question. mount -t ext2 /dev/hdc1 /mnt did the
trick. I now have a usable IDE disk drive with an ext2 ext2 partition.
Now I can go back to getting Samba working.
Thanks for all the guidance.

KK

  

Kory Krofft wrote:
> 
> Erich and all...
> 
> I have loaded ext2.0 but not until after the tmpfs.o.
> Will it matter where it is in the order as long as it
> is after ide-disk.o? Since I could not mount /dev/hdc1
> due to errors that looked like a bad format I was
> trying to use the mkfs.minix not realizing that it was
> for virtual disks. At this point I can use a msdos
> format but I believed it would be more secure as a
> Linux partition. True? Or will the Samba share proved
> all the security I need or can get? I do not want to
> boot from this device I simply want to use it as a
> file repository.
> Is it likely that I need to reformat it on the RedHat
> machine or more likely that the ext2.o driver is in
> the wrong order. My original error was :
> 
> # mount /dev/hdc1 /mnt results in the following:
> 
> VFS: Can't find a Minix or Minix V2 filesystem on
> device 16:01.
> FAT: Did not find valid FSINFO signature.
> Found signature1 0x0 signature2 0x0 sector=1.
> Directory 1: bad FAT
> Filesystem panic (dev 16:01).
>   FAT error
>   File system has been set read-only
> 
> Maybe I should try to specify the fstype with the -t
> switch in the mount command like so:
> # mount -t ext2 /dev/hdc1 /mnt
> 
> I will try a couple of things when I get home. Boy is
> it frustrating to be at work with no access to the
> problem. ;-)
> 
> Thanks again,
> 
> Kory
> 
> 
> <>Big Snip<>
> > I believe syslinux only supports M$DOS formattet
> > filesystems. So in order
> > to boot from that medium and using syslinux I
> > believe you have to stick
> > with M$DOS format. If all you want to do is to store
> > information
> > persistently then you are free to use whatever you
> > decide to load a driver for.
> >
> > HTH
> > Erich
> >
> > THINK
> > Püntenstrasse 39
> > 8143 Stallikon
> > mailto:erich.titl@;think.ch
> > PGP Fingerprint: BC9A 25BC 3954 3BC8 C024  8D8A B7D4
> > FF9D 05B8 0A16
> >
> >
> >
> >
> ---
> > This sf.net email is sponsored by:ThinkGeek
> > Welcome to geek heaven.
> > http://thinkgeek.com/sf
> >
> 
> > leaf-user mailing list:
> > [EMAIL PROTECTED]
> >
> https://lists.sourceforge.net/lists/listinfo/leaf-user
> > SR FAQ:
> >
> http://leaf-project.org/pub/doc/docmanager/docid_1891.html
> >
> >
> 
> __
> Do you Yahoo!?
> U2 on LAUNCH - Exclusive greatest hits videos
> http://launch.yahoo.com/u2
> 
> ---
> This sf.net email is sponsored by:
> To learn the basics of securing your web site with SSL,
> click here to get a FREE TRIAL of a Thawte Server Certificate:
> http://www.gothawte.com/rd522.html
> 
> leaf-user mailing list: [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/leaf-user
> SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html



---
This sf.net email is sponsored by:
To learn the basics of securing your web site with SSL,
click here to get a FREE TRIAL of a Thawte Server Certificate:
http://www.gothawte.com/rd522.html

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html

[leaf-user] Cant route to local IP address on eth2

[Robert Szabo]

I have Leaf Bering installed.

My setup is:

3 network cards

eth0 - net - internet address to ISDN Router #1 (has internet address in
and out)
eth1 - lan - 192.168.1.x
eth2 - dmz - 192.168.2.x to ISDN Router #2 with local address on the inside
and internet address on the outside (setup to allow communication only to
and from a single IP address) I used the designation dmz for this adapter
even though I know its not really a dmz since I have no route between it
and the net.

I am able to see the internet through eth0 from the lan and fw. Everything
is fine between lan and net.

I can ping ISDN Router #2 hooked to eth2 from the fw.  I can NOT ping ISDN
Router #2 from the lan.

HOWEVER, I have hooked a linux box to eth2 it is fine. I can ping it from
the lan. For testing I set it to the same IP address that I have the #2
ISDN router set to.

I am starting to think it may be the setup in ISDN Router #2. OR.. am I
missing something in my rules. BUT if thats the case why does the linux box
work fine on eth2??

Any help would be greatly appreciated.

Robert Szabo






---
This sf.net email is sponsored by: 
To learn the basics of securing your web site with SSL, 
click here to get a FREE TRIAL of a Thawte Server Certificate: 
http://www.gothawte.com/rd522.html

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html

Re: [leaf-user] Dachstein DNS Config - HELP!

[Brad Fritz]

Good catch, Ray.  As usual, you were spot on.  Details below...

On Tue, 12 Nov 2002 12:30:19 PST Ray Olszewski wrote:

> At 02:44 PM 11/12/02 -0500, Brad Fritz wrote:
> 
> >A small addition to Ray's already comprehensive analysis...
> [...]
> >3. You have dnscache listening on port 193.37.83.1:53 and traffic
> >is allowed to it through the packet filter, but
> >/etc/dnscache/env/IPQUERY does not include a line that allows
> >queries from pingu-serv.farside.net's address or network.
> 
> This would certainly cause the query to fail, Brad ... but would it fail 
> with the particular icmp message he is getting? (This is a real question, 
> not a disagreement phrased as a question.)

No, it would not send the icmp message.  I actually thought about
that before sending my post and then forgot to verify in my haste.
Here is what testing revealed:

While running:

  tcpdump -n -i eth0 port 53 or icmp


Testing with IPQUERY=11.11.11 :

  [EMAIL PROTECTED]:~$ dig +short www.google.com @192.168.1.254
  ;; connection timed out; no servers could be reached

  15:52:58.571963 192.168.21.10.34619 > 192.168.1.254.53:  23740+ A? \
  www.google.com. (32) (DF)
  15:53:27.528375 192.168.21.10.34619 > 192.168.1.254.53:  7106+ A? \
  www.google.com. (32) (DF)

  [no response, no ICMP traffic]


Testing with IPQUERY=192.168 :

  [EMAIL PROTECTED]:~$ dig +short www.google.com @192.168.1.254
  216.239.53.101

  15:53:27.879319 192.168.1.254.53 > 192.168.21.10.34619:  7106 1/0/0 A \
  216.239.53.101 (48) (DF)

  [expected response, no ICMP traffic]

  
Testing with dnscache stopped:

  [EMAIL PROTECTED]:~$ dig +short www.google.com @192.168.1.254
  ;; connection timed out; no servers could be reached

  16:01:54.009667 192.168.21.10.34619 > 192.168.1.254.53:  46045+ A? \
  www.google.com. (32) (DF)
  16:01:54.012534 192.168.1.254 > 192.168.21.10: icmp: 192.168.1.254 udp \
  port 53 unreachable [tos 0xc0] 
  16:01:59.012618 192.168.21.10.34619 > 192.168.1.254.53:  46045+ A? \
  www.google.com. (32) (DF)
  16:01:59.015371 192.168.1.254 > 192.168.21.10: icmp: 192.168.1.254 udp \
  port 53 unreachable [tos 0xc0] 

  [no response, ICMP port unreachable message]


Thanks for keeping me honest, Ray.  :-)

--Brad



---
This sf.net email is sponsored by: 
To learn the basics of securing your web site with SSL, 
click here to get a FREE TRIAL of a Thawte Server Certificate: 
http://www.gothawte.com/rd522.html

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html

Re: [leaf-user] Dachstein DNS Config - HELP!

[Ray Olszewski]

At 02:44 PM 11/12/02 -0500, Brad Fritz wrote:


A small addition to Ray's already comprehensive analysis...

[...]

3. You have dnscache listening on port 193.37.83.1:53 and traffic
   is allowed to it through the packet filter, but
   /etc/dnscache/env/IPQUERY does not include a line that allows
   queries from pingu-serv.farside.net's address or network.


This would certainly cause the query to fail, Brad ... but would it fail 
with the particular icmp message he is getting? (This is a real question, 
not a disagreement phrased as a question.)


--
---"Never tell me the odds!"
Ray Olszewski	-- Han Solo
Palo Alto, California, USA			  [EMAIL PROTECTED]
---



---
This sf.net email is sponsored by: 
To learn the basics of securing your web site with SSL, 
click here to get a FREE TRIAL of a Thawte Server Certificate: 
http://www.gothawte.com/rd522.html

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html

Re: [leaf-user] Dachstein DNS Config - HELP!

[Brad Fritz]

A small addition to Ray's already comprehensive analysis...

On Tue, 12 Nov 2002 10:53:38 PST Ray O. wrote:

> Now, the tcpdump traffic you report is --
> 
>  17:07:30.870333 pingu-serv.farside.net.vfo > 
> 193.37.83.1.domain:  58405+
>  PTR? 81.83.37.193.in-addr.arpa. (43) (DF)
>  17:07:30.870892 193.37.83.1 > pingu-serv.farside.net: icmp: 
> 193.37.83.1 udp
>  port domain unreachable [tos 0xc0]

[..]

> the router's reply is that the DNS port cannot be reached on the router. Bad.
> 
> So ... why not? Two candidate reasons --
> 
> 1. The firewall blocks access to that port.

[..]

> 2, Nothing is listening on port 53 on the router.

3. You have dnscache listening on port 193.37.83.1:53 and traffic
   is allowed to it through the packet filter, but
   /etc/dnscache/env/IPQUERY does not include a line that allows
   queries from pingu-serv.farside.net's address or network.

--Brad



---
This sf.net email is sponsored by: 
To learn the basics of securing your web site with SSL, 
click here to get a FREE TRIAL of a Thawte Server Certificate: 
http://www.gothawte.com/rd522.html

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html

Re: [leaf-user] restoring vlan's after reboot: /proc/net/vlan not there

[Jacques Nilo]

Le Mardi 12 Novembre 2002 08:27, Scott a écrit :
Scott:
Have you gone through:
http://sourceforge.net/mailarchive/message.php?msg_id=2304008
Also it seems that you have a problem with backup. Suggestion by Luis to 
check available disk space of the quality of the floppy seems reasonable
Jacques

> using Intel Pro/100 82559 chipset
> using eepro100 Revision 1.36
> using bering rc4
>
> On boot I'm getting the error:
>SIOCGIFFLAGS: Operation not supported by device
>
> I load the 802.1q driver (8021q.o).  I configure my vlan with the
> following command lines:
>
> vconfig add eth1 11
> vconfig add eth2 12
> vconfig add eth3 13
> etc...
>
> I backup the vlan.  When I reboot, it is not finding the devices
> eth1.11, eth1.12, and eth1.13.  I check /proc/net/vlan and it's empty
> where there used to be entries for each virtual device.
>
> /var/lib/lrpkg/vlan.list:
>
> sbin/vconfig
> etc/network/if-pre-up.d/vlan
> etc/network/ip-up.d/ip
> etc/network/if-post-down.d/vlan
> var/lib/lrpkg/vlan.*
>
> By default there is no entry in vlan.list for /proc/net/vlan.  I tried
> adding it, but it bombs when I try "lrpkg -i vlan" later with a tar
> error.  Any suggestions how to have those vlans active when I boot?
> Otherwise shorewall doesn't have anything to configure.
>
> -Scott
>
>
>
>
> ---
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> 
> leaf-user mailing list: [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/leaf-user
> SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html


---
This sf.net email is sponsored by: 
To learn the basics of securing your web site with SSL, 
click here to get a FREE TRIAL of a Thawte Server Certificate: 
http://www.gothawte.com/rd522.html

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html

RE: [leaf-user] orinoco wireless firmware versions -- any difference in performance/reliablity?

[Matt Russell]

something i forgot to mention -- the newer drivers that i recieved i tried
but i could not get them to work due to failed dependencies. should i persue
this further?

thanks again



-Original Message-
From: [EMAIL PROTECTED]
[mailto:leaf-user-admin@;lists.sourceforge.net]On Behalf Of Matt Russell
Sent: Tuesday, November 12, 2002 11:58 AM
To: [EMAIL PROTECTED]
Subject: [leaf-user] orinoco wireless firmware versions -- any
difference in performance/reliablity?


Hey all,
I had the opportunity to do a checkup on the LRP, and found that my wireless
card which serves as the interface to the internet has quite a few TX
errors - 4916 to be precise. the following is reported by
/proc/net/wireless:

under quality
link - 30; level - 199; noise - 169

discarded packets
nwid - 0; crypt - 0; frag - 53217; retry - 4917

my question is, is there a great discrepency in the different firmwares with
reguard to reliablity and link quality? are my figures (esp under the
quality category) pretty bad? i had a fellow leaf-user send me some new
drivers (orinoco 13b1) that he compiled based on the new drivers. i am using
bering rc-2 and uptime is 19 days, 21hrs. thanks for any help.




---
This sf.net email is sponsored by:
To learn the basics of securing your web site with SSL,
click here to get a FREE TRIAL of a Thawte Server Certificate:
http://www.gothawte.com/rd522.html

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html




---
This sf.net email is sponsored by: 
To learn the basics of securing your web site with SSL, 
click here to get a FREE TRIAL of a Thawte Server Certificate: 
http://www.gothawte.com/rd522.html

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html

[leaf-user] orinoco wireless firmware versions -- any difference in performance/reliablity?

[Matt Russell]

Hey all,
I had the opportunity to do a checkup on the LRP, and found that my wireless
card which serves as the interface to the internet has quite a few TX
errors - 4916 to be precise. the following is reported by
/proc/net/wireless:

under quality
link - 30; level - 199; noise - 169

discarded packets
nwid - 0; crypt - 0; frag - 53217; retry - 4917

my question is, is there a great discrepency in the different firmwares with
reguard to reliablity and link quality? are my figures (esp under the
quality category) pretty bad? i had a fellow leaf-user send me some new
drivers (orinoco 13b1) that he compiled based on the new drivers. i am using
bering rc-2 and uptime is 19 days, 21hrs. thanks for any help.




---
This sf.net email is sponsored by: 
To learn the basics of securing your web site with SSL, 
click here to get a FREE TRIAL of a Thawte Server Certificate: 
http://www.gothawte.com/rd522.html

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html

Re: [leaf-user] Dachstein DNS Config - HELP!

[Ray Olszewski]

A preliminary comment -- please be more careful about use of upper and 
lower case in your reporting. I'm inclined to believe that your interface 
variables really are eth0 and eth1, not (as you report them) Eth0 and Eth1, 
and I doubt your LAN-side SuSE server is named both pingu-serv and 
Pingu-serv. And the app is named tcpdump, not Tcpdump. I spotted all of 
these mistakes easily, but the number of them leaves me a bit concerned 
that there is some other error (either in your reporting or in your actual 
setup) caused by misuse of case.

Now, the tcpdump traffic you report is --

17:07:30.870333 pingu-serv.farside.net.vfo > 
193.37.83.1.domain:  58405+
PTR? 81.83.37.193.in-addr.arpa. (43) (DF)
17:07:30.870892 193.37.83.1 > pingu-serv.farside.net: icmp: 
193.37.83.1 udp
port domain unreachable [tos 0xc0]

The second line replies to a packet *from* pingu-serv to the DNS port on 
the router *itself* (193.37.83.1.domain), one that attempts a reverse 
lookup on your NT host. (No indication of why the SuSE host is doing this 
recverse lookup, but such requests are commonplace.) So far so good. But 
the router's reply is that the DNS port cannot be reached on the router. Bad.

So ... why not? Two candidate reasons --

1. The firewall blocks access to that port. Improbable if the rest of your 
reporting is correct (but given my opening comment, worth considering). 
Check your firewall log for any report of REJECTed traffic to port 53 
(domain).

2, Nothing is listening on port 53 on the router. The more likely answer, a 
consequence of some error in your (undescribed by you, beyond the 
uninformative "Made what I considered to be appropriate settings") 
configuration of dnscache (or conceivably one of the other 2 packages). 
Report what you did and someone may be able to help. In addition to 
rounding up the usual suspects (consult the SR FAQ) and describing your 
setup of dnscache and tinydns, see what, if anything, "netstat -ln" says is 
actually listening on port 53.

At 06:01 PM 11/12/02 +, Wrigglesworth, Colin wrote:
Help needed setting up DNS on Dachstein-CD V1.02.

Have installed the packages djbutils, dnscache and tinydns. Made what I
considered to be appropriate settings using the lrcfg menus, saved and
rebooted.
Host names for machines on the private side have been entered in
NETWORK.CONF and DNS set to YES.

The LRP box is configured thus:

Eth0=89.10.1.1
Eth1=193.37.83.1

The Eth0 side is connected to the main company network which has a
proliferation of windoze boxen one of which is a DNS server on 89.2.7.6
On the Eth1 side I have a SuSe8.0 box (Pingu-serv) 193.37.83.2 and a couple
of WinNT3.51 boxes one of which is 193.37.83.81

Running Tcpdump on pingu-serv I get the following

17:07:30.870333 pingu-serv.farside.net.vfo > 193.37.83.1.domain:  58405+
PTR? 81.83.37.193.in-addr.arpa. (43) (DF)
17:07:30.870892 193.37.83.1 > pingu-serv.farside.net: icmp: 193.37.83.1 udp
port domain unreachable [tos 0xc0]

Pingu-serv is set to get DNS info for both the private network (farside.net)
and the company network from 193.37.83.1, the private side of the LRP box.

All ipchains rules have been flushed and the default policies set to ACCEPT
so I shouldn't be blocking any requests.

What is this tcpdump output telling me?

I'm a relative newbie so pointing me at some relevant, but easily
comprehensible reading matter might assist. To me it just looks like the
port which serves the dns requests isn't open.





--
---"Never tell me the odds!"
Ray Olszewski	-- Han Solo
Palo Alto, California, USA			  [EMAIL PROTECTED]
---



---
This sf.net email is sponsored by: 
To learn the basics of securing your web site with SSL, 
click here to get a FREE TRIAL of a Thawte Server Certificate: 
http://www.gothawte.com/rd522.html

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html

Re: [leaf-user] nat between gateways ???

[Charles Steinkuehler]

Michael D. Schleif wrote:

Charles Steinkuehler wrote:

You don't give enough information to correctly diagnose martian errors,
which are based pretty much entirely on the status of the route tables.
  Also, while I have not done a lot of host-host or host-subnet VPNs
(you also don't include your IPSec configuration), you will run into
problems with these VPN flavors if you don't have rpfiltering turned off
(you'll get a warning when starting IPSec about this if it's enabled).


Yes, I know that I did not include ipsec info; but, I fail to see any
relevancy.  Isn't martian-ness independent of anything ipsec?


I don't think it is entirely.  Martin-ness is related to the routing 
tables and the interface a particular packet arrives on.  IPSec plays 
with this at a very low level, which is why some types of tunnels will 
not work with the kernel's rp_filter (spoofing) protection enabled.

Fundamentally, IPSec can setup what looks to the kernel like asymetric 
routing tables, which can cause martians and (in the case of rp_filter) 
dropped packets.  A good example is a host-host VPN.  Your routing rules 
specify ipsec0 for the remote IP, but you will be recieving encrypted 
traffic from that system on your external interface (in violation of 
your routing tables as far as the martian and rp_filter logic are 
concerned).

What I see here is a valid public address trying to come in the publicly
addressed external interface of a router.

My question, I feel, remains valid: How can this be considered martian?


I can't tell without your routing table information.


Clearly, in order for me to understand this, I need a better grasp of
martian-ness.

Pointers?  Docs?


A packet is considered a "martian" if it arrives on an interface *OTHER* 
than the interface the kernel would route a packet out of, when trying 
to reply to the source IP of the packet.

For docs, your best bet is the kernel source-tree.  In addiiton to the 
source itself, some info is in the Documentation directory:
linux/Documentation/networking/ip-sysctl.txt
linux/Documentation/proc.txt

--
Charles Steinkuehler
[EMAIL PROTECTED]




---
This sf.net email is sponsored by: 
To learn the basics of securing your web site with SSL, 
click here to get a FREE TRIAL of a Thawte Server Certificate: 
http://www.gothawte.com/rd522.html

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html

[leaf-user] updated dhcp_2_dns.sh

[Mark Ivey]

I have made some updates to Michael Schleif's
dhcp_2_dns.sh script. For those who aren't familiar
with it, this script takes data from the dhcp server's
lease file and adds it to tinydns's data file so you
can do DNS lookups on computers that are given
addresses by the DHCP server.

Here are the changes I made:
- fixed "out of range" problem when comparing lease dates
- fixed problem where dns entries were never replaced
when a host's
address changed
- new feature: fixed-address entries (from dhcpd.conf)
are now added to the dns server

The file is in sourceforge's patches area:
https://sourceforge.net/tracker/index.php?func=detail&aid=628812&group_id=13751&atid=313751

Enjoy...

-Mark Ivey-




---
This sf.net email is sponsored by: 
To learn the basics of securing your web site with SSL, 
click here to get a FREE TRIAL of a Thawte Server Certificate: 
http://www.gothawte.com/rd522.html

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html

[leaf-user] Dachstein DNS Config - HELP!

[Wrigglesworth, Colin]

Help needed setting up DNS on Dachstein-CD V1.02.

Have installed the packages djbutils, dnscache and tinydns. Made what I
considered to be appropriate settings using the lrcfg menus, saved and
rebooted.
Host names for machines on the private side have been entered in
NETWORK.CONF and DNS set to YES.

The LRP box is configured thus:

Eth0=89.10.1.1
Eth1=193.37.83.1

The Eth0 side is connected to the main company network which has a
proliferation of windoze boxen one of which is a DNS server on 89.2.7.6
On the Eth1 side I have a SuSe8.0 box (Pingu-serv) 193.37.83.2 and a couple
of WinNT3.51 boxes one of which is 193.37.83.81

Running Tcpdump on pingu-serv I get the following 

17:07:30.870333 pingu-serv.farside.net.vfo > 193.37.83.1.domain:  58405+
PTR? 81.83.37.193.in-addr.arpa. (43) (DF)
17:07:30.870892 193.37.83.1 > pingu-serv.farside.net: icmp: 193.37.83.1 udp
port domain unreachable [tos 0xc0] 

Pingu-serv is set to get DNS info for both the private network (farside.net)
and the company network from 193.37.83.1, the private side of the LRP box.

All ipchains rules have been flushed and the default policies set to ACCEPT
so I shouldn't be blocking any requests.

What is this tcpdump output telling me?

I'm a relative newbie so pointing me at some relevant, but easily
comprehensible reading matter might assist. To me it just looks like the
port which serves the dns requests isn't open.


Regards,

Colin


***
The information contained in this e-mail is confidential. It may also be legally 
privileged. It is intended only for the stated addressee(s) and access to it by any 
other person is unauthorised. If you are not an addressee, you must not disclose, 
copy, circulate or in any other way use or rely on the information contained in this 
e-mail. Such unauthorised use may be unlawful.

If you have received this e-mail in error, please inform RACAL INSTRUMENTS LTD. 
immediately by phoning +44 (0)1628 604455 (ask for the I.T. dept) and delete it and 
all copies from your system.
***



---
This sf.net email is sponsored by: 
To learn the basics of securing your web site with SSL, 
click here to get a FREE TRIAL of a Thawte Server Certificate: 
http://www.gothawte.com/rd522.html

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html

RE: [leaf-user] Mounting / formatting an IDE drive in Bering was Samba, Ide, Mount ???'s

[Kory Krofft]

Erich and all...

I have loaded ext2.0 but not until after the tmpfs.o.
Will it matter where it is in the order as long as it
is after ide-disk.o? Since I could not mount /dev/hdc1
due to errors that looked like a bad format I was
trying to use the mkfs.minix not realizing that it was
for virtual disks. At this point I can use a msdos
format but I believed it would be more secure as a
Linux partition. True? Or will the Samba share proved
all the security I need or can get? I do not want to
boot from this device I simply want to use it as a
file repository. 
Is it likely that I need to reformat it on the RedHat
machine or more likely that the ext2.o driver is in
the wrong order. My original error was :

# mount /dev/hdc1 /mnt results in the following:

VFS: Can't find a Minix or Minix V2 filesystem on
device 16:01.
FAT: Did not find valid FSINFO signature.
Found signature1 0x0 signature2 0x0 sector=1.
Directory 1: bad FAT
Filesystem panic (dev 16:01).
  FAT error
  File system has been set read-only

Maybe I should try to specify the fstype with the -t
switch in the mount command like so:
# mount -t ext2 /dev/hdc1 /mnt

I will try a couple of things when I get home. Boy is
it frustrating to be at work with no access to the
problem. ;-)

Thanks again,

Kory

  
<>Big Snip<> 
> I believe syslinux only supports M$DOS formattet
> filesystems. So in order 
> to boot from that medium and using syslinux I
> believe you have to stick 
> with M$DOS format. If all you want to do is to store
> information 
> persistently then you are free to use whatever you
> decide to load a driver for.
> 
> HTH
> Erich
> 
> THINK
> Püntenstrasse 39
> 8143 Stallikon
> mailto:erich.titl@;think.ch
> PGP Fingerprint: BC9A 25BC 3954 3BC8 C024  8D8A B7D4
> FF9D 05B8 0A16
> 
> 
> 
>
---
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
>

> leaf-user mailing list:
> [EMAIL PROTECTED]
>
https://lists.sourceforge.net/lists/listinfo/leaf-user
> SR FAQ:
>
http://leaf-project.org/pub/doc/docmanager/docid_1891.html
> 
> 


__
Do you Yahoo!?
U2 on LAUNCH - Exclusive greatest hits videos
http://launch.yahoo.com/u2


---
This sf.net email is sponsored by: 
To learn the basics of securing your web site with SSL, 
click here to get a FREE TRIAL of a Thawte Server Certificate: 
http://www.gothawte.com/rd522.html

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html

Re: [leaf-user] kernel mode pppd problems

[Richard Doyle]

On Tue, 2002-11-12 at 04:32, Matthew Pozzi wrote:
> Could someone please help me here, I have upgraded to Dachstein v1.02 and
> would like to run pppd for a dialin service.
> 
> However I have the following message coming back at me when I try to run
> 
> # /usr/sbin/pppd
> ioctl(TIOCSETD(PPP)): Invalid argument(22)
> /usr/sbin/pppd: This system lacks kernel support for PPP.  This could be
> because
> the PPP kernel module could not be loaded, or because PPP was not
> included in the kernel configuration.  If PPP was included as a
> module, try `/sbin/modprobe -v ppp'.  If that fails, check t
> 
> I have the ppp.lrp module that came with Dachstein, so just what is
> happening here? I must admit to being a bit tired of recent and hence a bit
> muddled.

Do:

lsmod
ls -al /lib/modules/

Report your system's responses.

> 
> Many thanks,
> Matt
> 
> My apology for posting to the list admin, slip of the finger!
> 
> 

-Richard



---
This sf.net email is sponsored by: 
To learn the basics of securing your web site with SSL, 
click here to get a FREE TRIAL of a Thawte Server Certificate: 
http://www.gothawte.com/rd522.html

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html

[leaf-user] Problem getting PPTP client to work behind LEAF/Bering firewall

[David A. Bright]

I've been trying to set up a LEAF/Bering firewall at home to allow a
connection to my employer's VPN (PPTP). Here is a rough picture of my
connection:

Win98 client ---> Bering ---> Router ---> ISP ---> Internet ---> Company

My internal network (Win98 -> Bering) uses a private IP space
(192.168.1.0/24). I'm connected to my ISP via a DSL connection in bridge
mode, so my router also has a private IP (192.168.x.y, x != 1). The ISP
then does NAT on that, so my packets are NAT'ed twice, once at the Bering
firewall and again by my ISP. I've got a fairly straightforward Shorewall
configuration on the Bering box, defining just two zones (net and loc).
Outgoing traffic from loc to net is allowed, related traffic is allowed
back in. RFC1918 addresses are not allowed to flow from net -> loc, except
for those on my bridge connection (192.168.x.y) to the ISP.

What I see happening is that packets coming back from the company are
getting rejected by the "norfc1918" rule, as shown by the trace below
(just two messages are shown, I get a bunch more but they are all pretty
much the same):

Nov  9 02:29:15 firewall kernel: Shorewall:rfc1918:DROP:IN=eth1 OUT=eth0
SRC=192.168.p.q DST=192.168.1.1 LEN=56 TOS=0x00 PREC=0x00 TTL=253 ID=20062
PROTO=ICMP TYPE=3 CODE=1 [SRC=192.168.x.y DST=a.b.c.d LEN=50 TOS=0x00
PREC=0x00 TTL=125 ID=28417 PROTO=47 ]

Nov  9 02:29:18 firewall kernel: Shorewall:rfc1918:DROP:IN=eth1 OUT=eth0
SRC=192.168.p.q DST=192.168.1.1 LEN=56 TOS=0x00 PREC=0x00 TTL=253 ID=20068
PROTO=ICMP TYPE=3 CODE=1 [SRC=192.168.x.y DST=a.b.c.d LEN=50 TOS=0x00
PREC=0x00 TTL=125 ID=28929 PROTO=47 ]

In these traces, "a.b.c.d" is the IP for my company's PPTP server,
"192.168.1.1" is the (internal) IP for my Win98 client, "192.168.x.y"  is
the IP of my firewall (ISP side), and "192.168.p.q" is (I think; p != x !=
1) the private IP being used inside my company's LAN (i.e., on the other
side of the PPTP server).

I'm not sure how to read the log message, but it appears to me that the
part in the brackets is either an indicator of the GRE wrapper for the
packet or the original packet that is "related" to the incoming packet. In
any case, it appears that the filtering rules are keying on the private IP
from inside my company and rejecting the packet. What I don't understand
is why the packet isn't marked as coming from the PPTP server.

I should note that I have the ip_conntrack_pptp and ip_nat_pptp modules
loaded. Also, I've been told that I can't do this successfully due to the
fact that my "external" (i.e., the router) address is a private,
non-routable IP and that I have to get (and pay for) a "real" static IP in
order to get this to work. What I want to know, though, is why. If it were
really the case that my non-routable IP were the problem, I would have
expected the packets to never even reach me.

Any light that can be shed on this situation would be greatly appreciated.
If I really need to buy an external IP, I will, but right now I'm not
convinced that even that would work.

Thanks.

-- 
David A. Bright
[EMAIL PROTECTED]
[EMAIL PROTECTED]




---
This sf.net email is sponsored by: 
To learn the basics of securing your web site with SSL, 
click here to get a FREE TRIAL of a Thawte Server Certificate: 
http://www.gothawte.com/rd522.html

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html

Re: [leaf-user] Help on Port 67 68 rejects

[Tom Eastep]

--On Tuesday, November 12, 2002 05:28:51 AM + Bob D 
<[EMAIL PROTECTED]> wrote:


Do I have to put a rule in shorewall to quiet this down?  If so what is
the rule.  I am very green with tables.



Simply specify the 'dhcp' option for eth1 in /etc/shorewall/interfaces

-Tom
--
Tom Eastep\ Shorewall - iptables made easy
AIM: tmeastep  \ http://shorewall.sf.net
ICQ: #60745924  \ [EMAIL PROTECTED]



---
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html

[leaf-user] NIS/YP Packages for LEAF?

[Brian Credeur]

Does anyone know of or use a package for running an NIS server on LEAF?

Thanks,
Brian




---
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html

[leaf-user] Write permission for weblet in bering

[Erich Titl]

Hi everybody

This refers to Bering 1.0rc3

I wou like to get a general feeling about allowing write to the file system 
for cgi-scripts in weblet. Is is reasonable to do that opening grsecurity 
for the various scripts or rather implementing a sudo like binary which is 
allowed to write.

Is grsecurity a problem at all for this?

Thanks
Erich

THINK
Püntenstrasse 39
8143 Stallikon
mailto:erich.titl@;think.ch
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024  8D8A B7D4 FF9D 05B8 0A16



---
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html

Re: [leaf-user] nat between gateways ???

[Erich Titl]

Michael

just a thought, is Martian-ness check done at the end of the tunnel then 
maybe you see the private address on the other side of the tunnel.

$00.2

Erich

At 14:25 12.11.2002, you wrote:

"Michael D. Schleif" wrote:
>
> Charles Steinkuehler wrote:
> >
> > Michael D. Schleif wrote:



> > > Every time that I think that I understand what constitutes 
martian-ness,
> > > I am tossed a new wrinkle ;>
> > >
> > > What do you think?

THINK
Püntenstrasse 39
8143 Stallikon
mailto:erich.titl@;think.ch
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024  8D8A B7D4 FF9D 05B8 0A16



---
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html

Re: [leaf-user] nat between gateways ???

[Michael D. Schleif]

"Michael D. Schleif" wrote:
> 
> Charles Steinkuehler wrote:
> >
> > Michael D. Schleif wrote:



> > > Every time that I think that I understand what constitutes martian-ness,
> > > I am tossed a new wrinkle ;>
> > >
> > > What do you think?
> >
> > You don't give enough information to correctly diagnose martian errors,
> > which are based pretty much entirely on the status of the route tables.
> >   Also, while I have not done a lot of host-host or host-subnet VPNs
> > (you also don't include your IPSec configuration), you will run into
> > problems with these VPN flavors if you don't have rpfiltering turned off
> > (you'll get a warning when starting IPSec about this if it's enabled).

Or, are you saying that, due to the ipsec stuff compiled into the
kernel, martian-ness can manifest in many ways, including ipsec-specific
ways?

-- 

Best Regards,

mds
mds resource
888.250.3987

Dare to fix things before they break . . .

Our capacity for understanding is inversely proportional to how much we
think we know.  The more I know, the more I know I don't know . . .


---
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html

[leaf-user] pppd issues - user issues really

[Matthew Pozzi]

Sorry for lowering the signal to noise ratio, some thought on my part
pointed to the wrong modules being loaded, and sure enough they were.

So if you get messages about your kernel not having support for kernel mode
ppp, then believe it and try the other ppp.o module that gives you non
kernel ppp.

Matt



---
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html

Re: [leaf-user] nat between gateways ???

[Michael D. Schleif]

Charles Steinkuehler wrote:
> 
> Michael D. Schleif wrote:
> > I am confused ;<
> >
> > In order to address the original vpn problem, we have setup a pilot vpn
> > between two (2) of our DCD's.
> >
> > How does this scenario qualify as ``martian'' ???
> >
> > root@bluetrout:/root
> > # tail -f /var/log/kern.log
> > Nov 11 22:08:09 bluetrout kernel: martian source d233e490 for 9dde0440,
> > dev wan1
> > Nov 11 22:09:29 bluetrout last message repeated 2 times
> > Nov 11 22:09:59 bluetrout last message repeated 2 times
> > Nov 11 22:11:19 bluetrout last message repeated 2 times
> > Nov 11 22:13:19 bluetrout kernel: martian source d233e490 for 9dde0440,
> > dev wan1
> > Nov 11 22:14:29 bluetrout last message repeated 10 times
> > Nov 11 22:15:19 bluetrout last message repeated 6 times
> > Nov 11 22:16:37 bluetrout last message repeated 7 times
> > Nov 11 22:17:19 bluetrout last message repeated 5 times
> > Nov 11 22:18:37 bluetrout last message repeated 7 times
> > Nov 11 22:19:19 bluetrout last message repeated 5 times
> > Nov 11 22:20:37 bluetrout last message repeated 7 times
> > Nov 11 22:21:19 bluetrout last message repeated 5 times
> >
> > NOTE:
> >   9dde0440 == 64.4.222.157
> >   d233e490 == 144.228.51.210
> >   (wan1 on other side of vpn)
> >
> >
> > # ip addr
> > 1: lo:  mtu 3924 qdisc noqueue
> > link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> > inet 127.0.0.1/8 brd 127.255.255.255 scope global lo
> > 2: ipsec0:  mtu 16260 qdisc pfifo_fast qlen 10
> > link/ipip
> > inet 64.4.222.157 peer 64.4.222.158/32 scope global ipsec0
> >  . . .
> > 7: eth0:  mtu 1500 qdisc pfifo_fast qlen 100
> > link/ether 00:a0:c9:9e:57:70 brd ff:ff:ff:ff:ff:ff
> > inet 192.168.1.254/24 brd 192.168.1.255 scope global eth0
> > 8: eth1:  mtu 1500 qdisc pfifo_fast qlen 100
> > link/ether 00:a0:c9:9e:64:83 brd ff:ff:ff:ff:ff:ff
> > inet 64.4.197.65/26 brd 64.4.197.127 scope global eth1
> > 14: wan1:  mtu 1500 qdisc pfifo_fast qlen 100
> > link/ppp
> > inet 64.4.222.157 peer 64.4.222.158/32 scope global wan1
> > inet 64.4.197.99/32 scope global wan1
> > inet 64.4.197.100/32 scope global wan1
> > inet 64.4.197.101/32 scope global wan1
> >
> >
> > Every time that I think that I understand what constitutes martian-ness,
> > I am tossed a new wrinkle ;>
> >
> > What do you think?
> 
> You don't give enough information to correctly diagnose martian errors,
> which are based pretty much entirely on the status of the route tables.
>   Also, while I have not done a lot of host-host or host-subnet VPNs
> (you also don't include your IPSec configuration), you will run into
> problems with these VPN flavors if you don't have rpfiltering turned off
> (you'll get a warning when starting IPSec about this if it's enabled).

Yes, I know that I did not include ipsec info; but, I fail to see any
relevancy.  Isn't martian-ness independent of anything ipsec?

What I see here is a valid public address trying to come in the publicly
addressed external interface of a router.

My question, I feel, remains valid: How can this be considered martian?

Clearly, in order for me to understand this, I need a better grasp of
martian-ness.

Pointers?  Docs?

-- 

Best Regards,

mds
mds resource
888.250.3987

Dare to fix things before they break . . .

Our capacity for understanding is inversely proportional to how much we
think we know.  The more I know, the more I know I don't know . . .


---
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html

Re: [leaf-user] nat between gateways ???

[Charles Steinkuehler]

Michael D. Schleif wrote:

I am confused ;<

In order to address the original vpn problem, we have setup a pilot vpn
between two (2) of our DCD's.

How does this scenario qualify as ``martian'' ???

root@bluetrout:/root
# tail -f /var/log/kern.log
Nov 11 22:08:09 bluetrout kernel: martian source d233e490 for 9dde0440,
dev wan1
Nov 11 22:09:29 bluetrout last message repeated 2 times
Nov 11 22:09:59 bluetrout last message repeated 2 times
Nov 11 22:11:19 bluetrout last message repeated 2 times
Nov 11 22:13:19 bluetrout kernel: martian source d233e490 for 9dde0440,
dev wan1
Nov 11 22:14:29 bluetrout last message repeated 10 times
Nov 11 22:15:19 bluetrout last message repeated 6 times
Nov 11 22:16:37 bluetrout last message repeated 7 times
Nov 11 22:17:19 bluetrout last message repeated 5 times
Nov 11 22:18:37 bluetrout last message repeated 7 times
Nov 11 22:19:19 bluetrout last message repeated 5 times
Nov 11 22:20:37 bluetrout last message repeated 7 times
Nov 11 22:21:19 bluetrout last message repeated 5 times

NOTE:
	9dde0440 == 64.4.222.157
	d233e490 == 144.228.51.210
	(wan1 on other side of vpn)


# ip addr
1: lo:  mtu 3924 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope global lo
2: ipsec0:  mtu 16260 qdisc pfifo_fast qlen 10
link/ipip
inet 64.4.222.157 peer 64.4.222.158/32 scope global ipsec0
 . . .
7: eth0:  mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:a0:c9:9e:57:70 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.254/24 brd 192.168.1.255 scope global eth0
8: eth1:  mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:a0:c9:9e:64:83 brd ff:ff:ff:ff:ff:ff
inet 64.4.197.65/26 brd 64.4.197.127 scope global eth1
14: wan1:  mtu 1500 qdisc pfifo_fast qlen 100
link/ppp
inet 64.4.222.157 peer 64.4.222.158/32 scope global wan1
inet 64.4.197.99/32 scope global wan1
inet 64.4.197.100/32 scope global wan1
inet 64.4.197.101/32 scope global wan1


Every time that I think that I understand what constitutes martian-ness,
I am tossed a new wrinkle ;>

What do you think?


You don't give enough information to correctly diagnose martian errors, 
which are based pretty much entirely on the status of the route tables. 
 Also, while I have not done a lot of host-host or host-subnet VPNs 
(you also don't include your IPSec configuration), you will run into 
problems with these VPN flavors if you don't have rpfiltering turned off 
(you'll get a warning when starting IPSec about this if it's enabled).

--
Charles Steinkuehler
[EMAIL PROTECTED]




---
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html

[leaf-user] kernel mode pppd problems

[Matthew Pozzi]

Could someone please help me here, I have upgraded to Dachstein v1.02 and
would like to run pppd for a dialin service.

However I have the following message coming back at me when I try to run

# /usr/sbin/pppd
ioctl(TIOCSETD(PPP)): Invalid argument(22)
/usr/sbin/pppd: This system lacks kernel support for PPP.  This could be
because
the PPP kernel module could not be loaded, or because PPP was not
included in the kernel configuration.  If PPP was included as a
module, try `/sbin/modprobe -v ppp'.  If that fails, check t

I have the ppp.lrp module that came with Dachstein, so just what is
happening here? I must admit to being a bit tired of recent and hence a bit
muddled.

Many thanks,
Matt

My apology for posting to the list admin, slip of the finger!



---
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html

RE: [leaf-user] Mounting / formatting an IDE drive in Bering was Samba, Ide, Mount ???'s

[Erich Titl]

Hi

At 11:47 12.11.2002, you wrote:

>> This leads me to believe that the filesystem I created on Redhat is
>> not Bering compatible so I tried # ./mkfs.minix -c /dev/hdc which
>> gives me
>>
>> # ./mkfs.minix -c /dev/hdc1
>> BusyBox v0.60.3 (2002.06.08-17:56+) multi-call binary
>>
>> Usage: mkfs.minix [-c | -l filename] [-nXX] [-iXX] /dev/name [blocks]
>>
>> The man page for mkfs.minix is no help at this point. What am I
>> missing?
>
>Umm Minix is a "virtual filesystem" not possible to partition an actual
HD with. ie. RamDrive >(if I remember correctly). You originally
formatted the drive ext2 as I remember correctly, which Bering

Minix is a true filesystem. Due to its small footprint it is normally used
for
ramdrives. And I also think that originally you could boot from it.


I believe syslinux only supports M$DOS formattet filesystems. So in order 
to boot from that medium and using syslinux I believe you have to stick 
with M$DOS format. If all you want to do is to store information 
persistently then you are free to use whatever you decide to load a driver for.

HTH
Erich

THINK
Püntenstrasse 39
8143 Stallikon
mailto:erich.titl@;think.ch
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024  8D8A B7D4 FF9D 05B8 0A16



---
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html

RE: [leaf-user] restoring vlan's after reboot: /proc/net/vlan not there

[Luis.F.Correia]

It seems that your floppy must have been almost full when you ran the
backup,
ending up with a corrupted vlan.lrp...

I guess you must redo the config again.

-Original Message-
From: Scott [mailto:leaf@;troutpocket.org] 
Sent: Tuesday, November 12, 2002 7:27 AM
To: [EMAIL PROTECTED]
Subject: [leaf-user] restoring vlan's after reboot: /proc/net/vlan not there


using Intel Pro/100 82559 chipset
using eepro100 Revision 1.36
using bering rc4

On boot I'm getting the error:
   SIOCGIFFLAGS: Operation not supported by device

I load the 802.1q driver (8021q.o).  I configure my vlan with the 
following command lines:

vconfig add eth1 11
vconfig add eth2 12
vconfig add eth3 13
etc...

I backup the vlan.  When I reboot, it is not finding the devices 
eth1.11, eth1.12, and eth1.13.  I check /proc/net/vlan and it's empty 
where there used to be entries for each virtual device.

/var/lib/lrpkg/vlan.list:

sbin/vconfig
etc/network/if-pre-up.d/vlan
etc/network/ip-up.d/ip
etc/network/if-post-down.d/vlan
var/lib/lrpkg/vlan.*

By default there is no entry in vlan.list for /proc/net/vlan.  I tried 
adding it, but it bombs when I try "lrpkg -i vlan" later with a tar 
error.  Any suggestions how to have those vlans active when I boot? 
Otherwise shorewall doesn't have anything to configure.

-Scott




---
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html


---
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html

RE: [leaf-user] Mounting / formatting an IDE drive in Bering was Samba, Ide, Mount ???'s

[Luis.F.Correia]

>> This leads me to believe that the filesystem I created on Redhat is 
>> not Bering compatible so I tried # ./mkfs.minix -c /dev/hdc which 
>> gives me
>>
>> # ./mkfs.minix -c /dev/hdc1
>> BusyBox v0.60.3 (2002.06.08-17:56+) multi-call binary
>>
>> Usage: mkfs.minix [-c | -l filename] [-nXX] [-iXX] /dev/name [blocks]
>>
>> The man page for mkfs.minix is no help at this point. What am I 
>> missing?
>
>Umm Minix is a "virtual filesystem" not possible to partition an actual
HD with. ie. RamDrive >(if I remember correctly). You originally
formatted the drive ext2 as I remember correctly, which Bering 

Minix is a true filesystem. Due to its small footprint it is normally used
for
ramdrives. And I also think that originally you could boot from it.

Anyway if your harddisk was formatted as ext2, all you need to do is load
the ext2.o 
module right after the ide-disk.o .

You can get the mentioned module from here:
http://leaf.sourceforge.net/devel/jnilo/bering/latest/modules/2.4.18/kernel/
fs/ext2/ext2.o



---
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html

Re: [leaf-user] restoring vlan's after reboot: /proc/net/vlan not there

[Brad Fritz]

On Mon, 11 Nov 2002 23:27:14 PST Scott wrote:

> using Intel Pro/100 82559 chipset
> using eepro100 Revision 1.36
> using bering rc4
> 
> On boot I'm getting the error:
>SIOCGIFFLAGS: Operation not supported by device

Interesting.  It's hard to say exactly what's causing it without
a bit more context.  I doubt that error message directly affects
the vlan configuration though.  If you're really curious, set
VERBOSE=1 and DEBUG=1 in /linuxrc, backup initrd, and reboot.
You should get more verbose startup messages that will probably
include the command that causes the SIOCGIFFLAGS error.

> I load the 802.1q driver (8021q.o).  I configure my vlan with the 
> following command lines:
> 
> vconfig add eth1 11
> vconfig add eth2 12
> vconfig add eth3 13
> etc...
> 
> I backup the vlan.  When I reboot, it is not finding the devices 
> eth1.11, eth1.12, and eth1.13.  I check /proc/net/vlan and it's empty 
> where there used to be entries for each virtual device.
> 
> /var/lib/lrpkg/vlan.list:
> 
> sbin/vconfig
> etc/network/if-pre-up.d/vlan
> etc/network/ip-up.d/ip
> etc/network/if-post-down.d/vlan
> var/lib/lrpkg/vlan.*
> 
> By default there is no entry in vlan.list for /proc/net/vlan.

There shouldn't be since /proc isn't a real filesystem.  The
trick is to make the vconfig commands persistent across reboots...

> I tried 
> adding it, but it bombs when I try "lrpkg -i vlan" later with a tar 
> error.  Any suggestions how to have those vlans active when I boot? 
> Otherwise shorewall doesn't have anything to configure.

The approach I would probably use is:

  1) Copy 8021q.o into /lib/modules .

  2) Add 8021q to /etc/modules .

  3) Backup the "modules" package.

  4) Use the "up" option in /etc/network/interfaces to run the
 vconfig commands.  As an example:

 auto eth0
 iface eth0 inet static  
 address 11.22.33.44
 masklen 29
 [..]
 up vconfig add eth1 11

  5) Test with:

 svi network restart; svi shorewall restart

 (After insmoding 8021q.o manually if necessary.)

  6) Backup the "etc" package if everything works as expected.

There are also "pre-up", "down" and "post-down" options.  Gory
details at
http://leaf-project.org/devel/jnilo/manpages/interfaces_man.html

Hope that helps.

--Brad



---
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html