Re: [leaf-user] Help with Taxcut uploading
At 10:19 PM 2/7/03 -0500, Kevin wrote:
> I am having problems with uploading TaxCut. Help desk states I have to
> disable the firewall to have it complete. Does anyone have a quick way to
> disable the firewall to allow the upload, then turn the firewall back on?
> Running Dachstein firewall - two floppy disk system.
> Thanks for any help or directions.

I'm not familiar with the product TaxCut, but your question prompts me to remind you that firewall has more than one meaning.

In the context of LEAF, a firewall (or, more exactly, a router/firewall) is a device separate from your workstation that provides security for an entire LAN. But the other (related) meaning of firewall is a piece of software that runs on your workstation and provides security against threats coming from the network. Instructions from the ninnies who staff product help desks don't make the distinction clear, but they usually refer to the second sort of firewall.

Depending on the details of your connection to the Internet, you may not be able to disable the firewall in the first (LEAF) context, specifically not if your LAN is NAT'd. The firewall code is what handles IP Masquerading and thereby allows the hosts on a NAT'd LAN to share a single, public IP address.

If your workstation is on a LAN that has real IP addresses, and your LEAF router only routes and firewalls, but does not NAT, then a little reading in the Ipchains HowTo will equip you to temporarily remove your firewall protections. (Set your default input, output, and forward policies to ACCEPT, then clear the chains of rules.) If it is NAT'd, your only way of accommodating the software provider may be temporarily to connect your workstation directly to your Internet connection, bypassing the LAN and LEAF router entirely.

Were it me, I would do neither of these things. I'd find different tax-prep software, or tell TaxCut to send a CD. Software companies shouldn't use delivery or installation methods that rely on people being trusting (or, I would say, naive) enough to think that it is safe to turn off their firewalls when asked to.

-- 
---Never tell me the odds!          Ray Olszewski
-- Han Solo                         Palo Alto, California, USA
                                    [EMAIL PROTECTED]

---
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
[leaf-user] Win2K and LEAF
OK. I did my research and found that Win2K Server 'Active Directory' requires a DNS server with active/dynamic record keeping. My DNS is TinyDNS on my LEAF box. TinyDNS does not register computer names (ie; mullan2 = mullan2.mullan.ca). When the Win2K box boots up, it takes 5-10 minutes to figure this out.

Can anyone share with me a good way to make these two boxes co-exist peacefully? IE; make my private TinyDNS dynamic (probably not) or make the Win2K box forget about the DNS problem?

Thanks.

John
[leaf-user] Wireless IPSec network ideas
Hi everyone,

I'm posting this to all these lists because each set of readers can no doubt give excellent advice concerning areas of the project. Here goes...

I decided to get off of DSL at home, lose my landline in favor of just my cell, and get my broadband via cable. My cable comes in down in the living room, but my home office is on the other end of the house, upstairs. I don't want to run either cable or ethernet all that way, but I'm a little concerned about the insecurity of wireless networks.

I'm building a new Shorewall firewalled LEAF router from a shoebox-sized SBC that I ended up buying from a guy who posted here on Shorewall-Users last week. That will reside down at the cable entry-point down in the living room. My current router, an old Micron P-133 running LEAF Bering, lives in my home office, and currently gets its Internet from DSL.

I'm thinking I can put a wireless NIC in both the new SBC router, and another in the Micron, and use IPSec to encrypt the transfer of wireless packets from the living room to the office. Also, I would like to be able to access the Internet from a laptop with a wireless card from within the house while not on the switch. I would do NAT on the SBC and simply route on the Micron.

I'm experienced with LEAF, Shorewall, and FreeS/WAN, but am a wireless ethernet newbie. Has anyone out there done this type of thing, and if so is there any info/documentation/advice you can throw my way? Is it as straightforward as I think it is?

Here's the obligatory ASCII art...

    +--+  +--+  +--+
    |  |  |  |  |  |   various Office Boxen
    +--+  +--+  +--+
      |     |     |
      +-----+-----+
            |
        +--------+
        | switch |
        +--------+
            |
         wired NIC
     +---------------+
     |  Micron LEAF  |
     |    Router     |
     +---------------+
       wireless NIC
          \\   //
           \\ //   IPSec encrypted traffic (wireless)
           // \\
          //   \\
       wireless NIC
     +---------------+   ___
     |  shoebox SBC  |  | |\ \      Wireless Laptop access
     +---------------+  |___|)\__\
         wired NIC
            |
     +---------------+
     |  cable modem  |
     +---------------+
            |
          \ cable entry-point

Thanks Everyone,

Christopher
Re: [leaf-user] Win2K and LEAF
On Saturday 08 February 2003 06:39 am, John Mullan wrote:
> OK. I did my research and found that Win2K Server 'Active Directory'
> requires a DNS server with active/dynamic record keeping. My DNS is TinyDNS
> on my LEAF box. TinyDNS does not register computer names (ie; mullan2 =
> mullan2.mullan.ca). When the Win2K box boots up, it takes 5-10 minutes to
> figure this out.
>
> Can anyone share with me a good way to make these two boxes co-exist
> peacefully? IE; make my private TinyDNS dynamic (probably not) or make the
> Win2K box forget about the DNS problem?

Search the leaf-user archives for 'Win2k DNS'; there's a post from a couple of months ago that describes a way to prevent Windows from doing this.

-- 
~Lynn Avants
Linux Embedded Firewall Project developer
http://leaf.sourceforge.net
RE: [leaf-user] Help with Taxcut uploading
Thanks Ray, and yes, I agree with you about the software companies. Yes, I am using NAT with Ipchain rules. I did find this on the net about ACCEPT'ing everything:

    ipchains -F input
    ipchains -P input ACCEPT
    ipchains -F output
    ipchains -P output ACCEPT
    ipchains -F forward
    ipchains -P forward ACCEPT

I ran each line at the prompt of the box and still was not able to connect, so I am now thinking it is a software feature. I even used a dial-up internet access account to try that and still no luck with uploading. Guess it is time to find another vendor or way to e-file my taxes.

-----Original Message-----
From: Ray Olszewski [mailto:[EMAIL PROTECTED]]
Sent: Saturday, February 08, 2003 3:13 AM
To: Kevin; [EMAIL PROTECTED]
Subject: Re: [leaf-user] Help with Taxcut uploading

> At 10:19 PM 2/7/03 -0500, Kevin wrote:
> > I am having problems with uploading TaxCut. Help desk states I have to
> > disable the firewall to have it complete. Does anyone have a quick way to
> > disable the firewall to allow the upload, then turn the firewall back on?
> > Running Dachstein firewall - two floppy disk system.
> > Thanks for any help or directions.
>
> I'm not familiar with the product TaxCut, but your question prompts me to
> remind you that firewall has more than one meaning.
>
> In the context of LEAF, a firewall (or, more exactly, a router/firewall) is
> a device separate from your workstation that provides security for an entire
> LAN. But the other (related) meaning of firewall is a piece of software that
> runs on your workstation and provides security against threats coming from
> the network. Instructions from the ninnies who staff product help desks
> don't make the distinction clear, but they usually refer to the second sort
> of firewall.
>
> Depending on the details of your connection to the Internet, you may not be
> able to disable the firewall in the first (LEAF) context, specifically not
> if your LAN is NAT'd. The firewall code is what handles IP Masquerading and
> thereby allows the hosts on a NAT'd LAN to share a single, public IP
> address.
>
> If your workstation is on a LAN that has real IP addresses, and your LEAF
> router only routes and firewalls, but does not NAT, then a little reading in
> the Ipchains HowTo will equip you to temporarily remove your firewall
> protections. (Set your default input, output, and forward policies to
> ACCEPT, then clear the chains of rules.) If it is NAT'd, your only way of
> accommodating the software provider may be temporarily to connect your
> workstation directly to your Internet connection, bypassing the LAN and LEAF
> router entirely.
>
> Were it me, I would do neither of these things. I'd find different tax-prep
> software, or tell TaxCut to send a CD. Software companies shouldn't use
> delivery or installation methods that rely on people being trusting (or, I
> would say, naive) enough to think that it is safe to turn off their
> firewalls when asked to.
>
> -- 
> ---Never tell me the odds!          Ray Olszewski
> -- Han Solo                         Palo Alto, California, USA
>                                     [EMAIL PROTECTED]
RE: [leaf-user] Help with Taxcut uploading
At 12:06 PM 2/8/03 -0500, Kevin wrote:
> Thanks Ray, and yes, I agree with you about the software companies. Yes, I
> am using NAT with Ipchain rules. I did find this on the net about ACCEPT'ing
> everything:
>
>     ipchains -F input
>     ipchains -P input ACCEPT
>     ipchains -F output
>     ipchains -P output ACCEPT
>     ipchains -F forward
>     ipchains -P forward ACCEPT
>
> I ran each line at the prompt of the box and still was not able to connect,
> so I am now thinking it is a software feature.

No, it is not a software feature (whichever of several things you may mean by that). When you changed the forward chain (in your third line above), you turned NAT'ing off in the router. With these settings, it should not let your workstation access the Internet at all (since you say you normally use NAT).

Depending on what you have the forward-chain doing (often, default forward chains with ipchains just do the NAT'ing, and the input chain provides the real firewall protection), you *might* find it worth trying just the first 2 changes, to see if that has the effect you need.

> I even used a dial-up internet access account to try that and still no luck
> with uploading. Guess it is time to find another vendor or way to e-file my
> taxes.

I assume you mean here a connection that did not involve the LEAF router. In that case, whatever the problem might be, it clearly does not involve LEAF, so I won't speculate.

[old stuff deleted]

-- 
---Never tell me the odds!          Ray Olszewski
-- Han Solo                         Palo Alto, California, USA
                                    [EMAIL PROTECTED]
[leaf-user] OT: Genica GN-788 10/100 PCI Network Interface Card, $4.70
http://www.compgeeks.com/details.asp?invtid=u-30140-nb

pn] FYI. Not sure of the driver availability for LEAF, but they mention SCO UNIX.

=
- Peter Nosko ([EMAIL PROTECTED])
This is a good place for a tagline.
[leaf-user] Mini-Qmail and dotted-decimal addressed email
I've been using mini-qmail on Bering (per Hendry D. Lee: http://sourceforge.net/tracker/index.php?func=detail&aid=586953&group_id=13751&atid=313751 ) but recently discovered that mail addressed to me in the form postmaster@[1.2.3.4] was being rejected.

I tested this because of what I read at the anti-spam Distributed Server Boycott List (http://dsbl.org/) concerning their emails to admins of blacklisted servers. They will only attempt to send mail addressed as above. Other RBLs might be doing the same.

When mail is addressed to my domain (let's say dork.face.name), mini-qmail on the firewall compares the domain to the allowed delivery domains in /var/qmail/control/rcpthosts. If it's in there, mini-qmail will forward the mail to the main mail server behind the firewall (server.dork.face.name). Naturally, at least dork.face.name would be one of the domains in rcpthosts.

When mini-qmail receives email addressed to the firewall's external IP addie, it replaces the IP with a domain name and forwards it to the mail server. Unless otherwise specified, mini-qmail will replace the IP with *its own* fully-qualified name (in my case firewall.dork.face.name), which, of course, is not going to be delivered on the firewall, so it gets rejected.

The fix is to put dork.face.name into a new file /var/qmail/control/localiphost. If this file exists, mini-qmail will replace the IP addie with the dork.face.name domain, compare the resulting address with the list of domains in rcpthosts and, lo, there is a match. The mail gets forwarded to the server.

Hope this helps if you're using mini-qmail and get blacklisted :-)

-John
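As an added illustration (not qmail's code and not part of John's post), here is a small Python model of the recipient rules he describes: an address literal box@[d.d.d.d] that names one of the host's own addresses is rewritten to box@localiphost, or to box@me when control/localiphost is absent, and the rewritten domain is then checked against rcpthosts. The host name firewall.dork.face.name, the address 1.2.3.4 and an rcpthosts holding only dork.face.name are constructed sample values that follow the thread; the rcpthosts matching rules (exact name, or a leading-dot entry matching any subdomain) are assumed from qmail's documented behaviour.

```python
import re

# Model of the recipient handling John describes for mini-qmail (qmail-smtpd).
# Added illustration, not qmail's code: it mimics the rules for control/rcpthosts,
# control/me and control/localiphost closely enough to show why
# postmaster@[1.2.3.4] bounces until localiphost exists.

ADDR_LITERAL = re.compile(r"^(?P<box>[^@]+)@\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]$")


def load_control(text):
    """Parse a qmail-style control file: one entry per line, blank lines ignored."""
    return [line.strip().lower() for line in text.splitlines() if line.strip()]


def rewrite_literal(rcpt, local_ips, me, localiphost=None):
    """Replace box@[d.d.d.d] with box@localiphost (or box@me when no localiphost
    file exists) when d.d.d.d is one of this host's own addresses.
    Any other recipient passes through untouched."""
    m = ADDR_LITERAL.match(rcpt)
    if not m or m.group("ip") not in local_ips:
        return rcpt
    return f"{m.group('box')}@{localiphost or me}"


def domain_allowed(domain, rcpthosts):
    """rcpthosts semantics (assumed): 'dom' matches exactly,
    '.dom' matches any name ending in .dom."""
    for entry in rcpthosts:
        if entry.startswith("."):
            if domain.endswith(entry):
                return True
        elif domain == entry:
            return True
    return False


def rcpt_decision(rcpt, rcpthosts, local_ips, me, localiphost=None):
    """Return (accepted, effective_address). Accepted mail is what the firewall
    would pass on to the internal mail server; anything else is refused."""
    rcpt = rewrite_literal(rcpt, local_ips, me, localiphost)
    if "@" not in rcpt:
        return False, rcpt
    domain = rcpt.rsplit("@", 1)[1].lower()
    return domain_allowed(domain, rcpthosts), rcpt


# Constructed sample setup mirroring the thread: the firewall is
# firewall.dork.face.name with public address 1.2.3.4, and rcpthosts lists
# only the mail domain dork.face.name.
ME = "firewall.dork.face.name"
LOCAL_IPS = {"1.2.3.4"}
RCPTHOSTS = load_control("dork.face.name\n")

if __name__ == "__main__":
    for lih in (None, "dork.face.name"):
        ok, addr = rcpt_decision("postmaster@[1.2.3.4]", RCPTHOSTS, LOCAL_IPS, ME, lih)
        verdict = "accepted" if ok else "rejected"
        print(f"localiphost={lih!r}: postmaster@[1.2.3.4] -> {addr} ({verdict})")
```

Running it shows the two outcomes: without localiphost the literal becomes postmaster@firewall.dork.face.name and is refused; with localiphost it becomes postmaster@dork.face.name and is accepted for relay. Note that a leading-dot wildcard such as .dork.face.name in rcpthosts would also have let the firewall's own name through (only to have the internal server refuse it later), so the check is worth running against the real rcpthosts contents rather than guessing.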
[leaf-user] RE: Help with Taxcut uploading
I was able to install TaxCut on a Win98 box, and it worked through the firewall. The problem was with a WinXP Pro laptop from work...

Thanks for all suggestions.
Re: [leaf-user] OT: Genica GN-788 10/100 PCI Network Interface Card, $4.70
On Saturday 08 February 2003 02:02 pm, Peter Nosko wrote:
> http://www.compgeeks.com/details.asp?invtid=u-30140-nb
>
> pn] FYI. Not sure of the driver availability for LEAF, but they mention SCO UNIX.

I think you mean: http://www.compgeeks.com/details.asp?invtid=GN-788

I can't say that I've ever heard of the chipset. You might be wary of this.

-- 
~Lynn Avants
Linux Embedded Firewall Project developer
http://leaf.sourceforge.net
[leaf-user] Reporting programs for tc
LEAF is an eminent candidate as a bandwidth manager. As a member of the lartc list, I came across this posting. Interesting for status reporting of bandwidth usage, class-wise. Would be a good add-on to LEAF. I do not know if recompiles are required. I'm not a developer and know very little of this. Can someone examine its portability to LEAF please?

Bye
Mohan

Mail from the lartc mailing list: Ming-Ching Tiew [[EMAIL PROTECTED]]

> I have uploaded my files to the following web site, locations as follows :-
>
> http://geocities.com/mctiew/ffw/ffwgrapher0.88.zip
> http://geocities.com/mctiew/ffw/fwstat-0.88.tar.gz
>
> The first is the VB program and the latter is the server program. The
> server program should be fairly plug-and-play. The client program too.
> However, because I am not using an installer (the installer package is
> 12MB, so I refused to use it!), you may find missing files which cause it
> to be unable to run.
>
> Regards.

Mail from the lartc mailing list: Ming-Ching Tiew [[EMAIL PROTECTED]]

> I have just written (I won't say completed!) a program which performs
> traffic read operation. It is a VB client program talking to a C TCP socket
> server. Everything is based on scripting, so it could be flaky right now,
> so you might have to be patient :-) The server has been tested running on
> my Linux 2.4.20 machine.
>
> The VB GUI program charts the traffic data on a per-interface and
> per-class/qdisc basis. It also displays the class/qdisc relationship in a
> hierarchical (GUI) tree diagram. The intention is for you to determine how
> effective your class/qdisc is.
>
> The server is pure C (without any other fancy libraries) to reduce the
> footprint, because my intention is to let it run on a floppy-based NAT
> firewall/router, which I have tested against floppyfw
> ( http://www.zelow.no/floppyfw/ ).
>
> I will be enhancing it in the future to allow service-by-service traffic
> charting, based on iptables' traffic counter.
>
> Any interested parties could mail me and we shall see how things go.
>
> Regards.
Re: [leaf-user] My Dachstein not quite up and running
Chris Low wrote:
> Okay, today I'm trying to get our Exchange 2000 mailserver online behind the
> firewall. Currently mail is set to go straight from our ISP's router to
> 192.168.1.2 (the ip address of our exchange server). I'm trying to do a
> minimal amount of work to get the firewall in between the ISP's router and
> the exchange server, so I configured the firewall's external interface
> (eth0) to be 192.168.1.2 and the internal interface to 10.10.10.254. The
> exchange server is now 10.10.10.2
>
> In trying to setup port forwarding for smtp services I put the following in
> my network.conf file:
>
>     # TCP services open to outside world
>     # Space seperated list: srcip/mask_dstport
>     #EXTERN_TCP_PORTS=216.171.153.128/25_ssh 0/0_www 0/0_1023
>     EXTERN_TCP_PORTS=192.168.1.1/24_25

Use:

    EXTERN_TCP_PORTS=192.168.1.2_25

although the entry you have shouldn't be causing problems.

> and
>
>     # Uncomment following for port-forwarded internal services.
>     # The following is an example of what should be put here.
>     # Tuples are as follows:
>     # protocol_local-ip_local-port_remote-ip_remote-port
>     #INTERN_SERVERS=tcp_${EXTERN_IP}_ftp_192.168.1.1_ftp tcp_${EXTERN_IP}_smtp_192.168.1.1_smtp
>     INTERN_SERVERS=tcp_$192.168.1.2_smtp_10.10.10.200_smtp

Um...didn't you just indicate your internal exchange box is 10.10.10.2, *NOT* 10.10.10.200?!? Probably a big part of your problem!

-- 
Charles Steinkuehler
[EMAIL PROTECTED]
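The two network.conf settings quoted above are easy to get wrong in exactly the way Charles spots, and a port-forward that points at the wrong internal host fails silently from the outside. The following Python checker is an added example (not Dachstein's code and not part of this thread) that parses the two variables using only the tuple formats documented in the file's own comments, srcip/mask_dstport and protocol_local-ip_local-port_remote-ip_remote-port, and reports a local-ip field that is neither a ${VAR} reference nor an IPv4 address (the stray $ in front of 192.168.1.2), a remote-ip that is not one of the internal servers you declare, and a srcip/mask with host bits set. The sample file is a constructed copy of Chris's lines; the set of declared internal servers is an assumption you supply, and any other Dachstein syntax is outside what this checker knows.

```python
import ipaddress
import re

# Added example, not Dachstein's own code: a small checker for the two
# network.conf variables quoted in this thread. It only knows the tuple
# formats shown in the file's own comments.

# Constructed copy of the settings Chris posted, with the comments that
# document the formats.
SAMPLE_CONF = """\
# TCP services open to outside world
# Space seperated list: srcip/mask_dstport
#EXTERN_TCP_PORTS=216.171.153.128/25_ssh 0/0_www 0/0_1023
EXTERN_TCP_PORTS=192.168.1.1/24_25
# Tuples are as follows:
# protocol_local-ip_local-port_remote-ip_remote-port
INTERN_SERVERS=tcp_$192.168.1.2_smtp_10.10.10.200_smtp
"""

VAR_REF = re.compile(r"^\$\{[A-Za-z_][A-Za-z0-9_]*\}$")   # e.g. ${EXTERN_IP}
PORT = re.compile(r"^(?:[a-z][a-z0-9-]*|\d{1,5})$")        # service name or number
FIELD = re.compile(r"\$\{[^}]*\}|[^_]+")   # split on '_' but keep ${EXTERN_IP} whole


def parse_conf(text):
    """VAR=value lines -> {VAR: [tuple, ...]}; comments and blank lines ignored."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, val = line.partition("=")
        values[key.strip()] = val.strip().strip('"').split()
    return values


def is_ipv4(s):
    try:
        ipaddress.IPv4Address(s)
        return True
    except ValueError:
        return False


def check_extern_tcp_ports(tuples):
    """Validate srcip[/mask]_dstport entries."""
    findings = []
    for t in tuples:
        src, sep, port = t.rpartition("_")
        if not sep or not PORT.match(port):
            findings.append(f"EXTERN_TCP_PORTS {t!r}: expected srcip[/mask]_dstport")
            continue
        if src == "0/0":            # the file's own shorthand for 'anywhere'
            continue
        try:
            net = ipaddress.IPv4Network(src, strict=False)
        except ValueError:
            findings.append(f"EXTERN_TCP_PORTS {t!r}: {src!r} is not an IPv4 address or network")
            continue
        if "/" in src and str(net.network_address) != src.split("/")[0]:
            findings.append(f"EXTERN_TCP_PORTS {t!r}: host bits set, {src} actually covers {net}")
    return findings


def check_intern_servers(tuples, declared_servers):
    """Validate protocol_local-ip_local-port_remote-ip_remote-port entries and
    make sure every forward lands on a host you actually declared."""
    findings = []
    for t in tuples:
        fields = FIELD.findall(t)
        if len(fields) != 5:
            findings.append(f"INTERN_SERVERS {t!r}: expected 5 '_'-separated fields, got {len(fields)}")
            continue
        proto, lip, lport, rip, rport = fields
        if proto not in ("tcp", "udp"):
            findings.append(f"INTERN_SERVERS {t!r}: unknown protocol {proto!r}")
        if not (VAR_REF.match(lip) or is_ipv4(lip)):
            findings.append(f"INTERN_SERVERS {t!r}: local-ip {lip!r} is neither ${{VAR}} nor an IPv4 address")
        for p in (lport, rport):
            if not PORT.match(p):
                findings.append(f"INTERN_SERVERS {t!r}: bad port {p!r}")
        if not is_ipv4(rip):
            findings.append(f"INTERN_SERVERS {t!r}: remote-ip {rip!r} is not an IPv4 address")
        elif rip not in declared_servers:
            findings.append(f"INTERN_SERVERS {t!r}: remote-ip {rip} is not a declared internal server {sorted(declared_servers)}")
    return findings


def lint(text, declared_servers):
    """Run both checks over a network.conf body; returns a list of findings."""
    conf = parse_conf(text)
    return (check_extern_tcp_ports(conf.get("EXTERN_TCP_PORTS", []))
            + check_intern_servers(conf.get("INTERN_SERVERS", []), set(declared_servers)))


if __name__ == "__main__":
    # The Exchange box is 10.10.10.2 per Chris's message; the checker flags
    # the $ in the local-ip field and the 10.10.10.200 target.
    for finding in lint(SAMPLE_CONF, {"10.10.10.2"}):
        print(finding)
```

With the corrected lines Charles suggests, EXTERN_TCP_PORTS=192.168.1.2_25 and INTERN_SERVERS=tcp_${EXTERN_IP}_smtp_10.10.10.2_smtp, the checker returns no findings, which is the state to aim for before rebooting the router.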
Re: [leaf-user] Win2K and LEAF
John Mullan wrote:
> OK. I did my research and found that Win2K Server 'Active Directory'
> requires a DNS server with active/dynamic record keeping. My DNS is TinyDNS
> on my LEAF box. TinyDNS does not register computer names (ie; mullan2 =
> mullan2.mullan.ca). When the Win2K box boots up, it takes 5-10 minutes to
> figure this out.
>
> Can anyone share with me a good way to make these two boxes co-exist
> peacefully? IE; make my private TinyDNS dynamic (probably not) or make the
> Win2K box forget about the DNS problem?

Reinstall Win2K server without AD, or spend the time and effort to come up to speed on how M$ expects you to do networking (be prepared to buy about 3X more server licenses than you ever thought you'd need, as well as upgrade every box on your network to 2K or XP...or just live with the broken-ness Microsoft forces on you to try and get you to upgrade). It might help to go through some online references as well...a google search for "microsoft co-opting internet standards" should turn up some good reading material.

BTW: Can you tell I just had a junior network admin replace a failed NT domain controller with 2KServer (with Active Directory installed) because "it has to be better than NT, and we'll have to upgrade someday anyway, right?!?". sigh ...sorry about the rant :-/

-- 
Charles Steinkuehler
[EMAIL PROTECTED]
Re: [leaf-user] My Dachstein not quite up and running
Chris Low wrote:
> > It needs to be 192.168.1.2 to match the address the mail is being
> > forwarded to. I'll give it a try.
>
> Didn't work. Still can only send, not receive.
>
> > Have you loaded the portfw module??? Is it listed in the lsmod command?
>
> Yep.
>
>     Module          Pages    Used by
>     ip_masq_portfw  2416     0 (unused)
>
> Here's something else fun to work on while we're at it: I tried putting
> other machines behind the firewall today since the office was empty (office
> retreat, except for me!) and only the NT box and the Exchange server
> (running Windows 2000 server) can browse the web. Our windows 98se, windows
> me, and windows 95 computers can't. They log into the server fine, get an ip
> address fine, just no web. They can ping the firewall (both interfaces) and
> the ISP's router (also both interfaces) but when I ping something like
> www.yahoo.com it comes back with unknown host. Any ideas on this one?

This is almost certainly a DNS problem, as indicated by others. If you're running DNSCache on the firewall, make sure you have properly configured it to allow access from your changed internal network address space. If you're using your ISP's DNS server(s), make sure you properly updated the name-servers option in /etc/dhcpd.conf.

-- 
Charles Steinkuehler
[EMAIL PROTECTED]
Re: [leaf-user] Win2K and LEAF
On Saturday 08 February 2003 09:26 pm, Charles Steinkuehler wrote:
> BTW: Can you tell I just had a junior network admin replace a failed NT
> domain controller with 2KServer (with Active Directory installed) because
> "it has to be better than NT, and we'll have to upgrade someday anyway,
> right?!?". sigh ...sorry about the rant :-/

Been there.. it started my addiction to Xbill.

-- 
~Lynn Avants
Linux Embedded Firewall Project developer
http://leaf.sourceforge.net