RE: [leaf-user] Bering w/IPSec troubles - no fswcert command in Debian?
S Mohan said:
> If you are using Win2K clients, Chad has put up a good chapter.

I am not using Win2K clients. (Not yet, anyway. Eventually, but that's a bit far in the distance.)

What I want is for my Bering 1.0 to make an IPSec connection to my Pix. No Win2K involved, at this point in time.

--
PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Member, LEAF Project http://leaf.sourceforge.net
AIM: MikeLeone
Public Key - http://www.mike-leone.com/~turgon/turgon-public-key.asc
Registered Linux user# 201348

---
This SF.NET email is sponsored by: SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See! http://www.vasoftware.com
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
Re: [leaf-user] More Bering IPSec questions ...
K.-P. Kirchdörfer said:
> On Monday, 10 February 2003 06:19, Mike Leone wrote:
>> OK; so I think I'm making progress ...
>>
>> Anyway, when ipsec starts, I get:
>>
>> # svi ipsec start
>> ipsec_setup: Starting FreeS/WAN IPsec 1.99...
>> ipsec_setup: Using /lib/modules/ipsec.o
>> ipsec_setup: WARNING: eth0 has route filtering turned on, KLIPS may not work
>> ipsec_setup:  (/proc/sys/net/ipv4/conf/eth0/rp_filter = , should be 0)
>>
>> However, I have changed /etc/network/options, and changed spoofprotect to no. Doesn't that turn off route filtering?
>
> It's set in shorewall configuration (interfaces(?)).

I thought it might, but the Bering docs indicate otherwise - that the easiest way is by changing /etc/network/options.

> If that's all the real tunnel config is missing, these are only the general settings for every tunnel you'll define.

Correct; the tunnel definition is missing. That's what I was asking about - what do I need to put here to make the tunnel work properly with a Pix using pre-shared keys. The examples I've found on the FreeS/WAN site are confusing and contradictory.

--
PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Member, LEAF Project http://leaf.sourceforge.net
AIM: MikeLeone
Public Key - http://www.mike-leone.com/~turgon/turgon-public-key.asc
Registered Linux user# 201348
Re: [leaf-user] Win2K and LEAF
John Mullan wrote:
> OK Charles. I understand. As you know by now, I only really do this stuff at home. I have helped a buddy by putting a LEAF router at his office. So, not being the guru and not having a great amount of time, I will eventually read bits and pieces.
>
> I only ended up with Win2K server because my drive crapped out on Tuesday and I figured that, what the heck. It would give me the ability to keep user profiles in one location. On this scale, it really comes down to what I'm willing to live with and for how long. Right now I timed it and I spend about 1 minute 'Preparing Network Connections'. That's really not too bad.
>
> Also, since this is only my home network, I run all servers on one box. Its name is WWW but has FTP and POP3/SMTP. I thought it great to define ftp.mullan.ca, mail.mullan.ca and www.mullan.ca and have them all point to the same box but thanks to M$ that doesn't work anymore as it seems to override my TinyDNS in this respect. (a little of my ranting too :)
>
> So really, would it be better to let my M$ box handle internal DNS and let LEAF handle dnscache for internet queries? Is there a package other than TinyDNS that is dynamic and will let the M$ box register hosts?

I intentionally know as little as possible about the M$ networking world, but from what I know, and the information provided above, if you don't want to remove AD (and your other MS systems are recent enough to avoid any MS-MS operating problems), you're probably best off using your AD server as the primary DNS for your network.

You can probably configure the AD server to query DNSCache on the firewall for internet domains, use your ISP's DNS servers, or make all queries itself. Which option is best depends a lot on your connection to the 'net (bandwidth and latency) and the reliability of your ISP's name servers.

I added DNSCache to Dachstein to allow implementing a pre-configured DHCP server, and because my ISP's DNS servers would typically go down about once every other week. You don't *HAVE* to use it, it's simply provided as a convenience.

--
Charles Steinkuehler
[EMAIL PROTECTED]
RE: [leaf-user] Bering w/IPSec troubles - no fswcert command in Debian?
I had replied privately, but I'll include the list (BTW, please don't send me private copies of list mail; it just means twice the bandwidth, since I will see the message on the list anyway).

S Mohan said:
> If you are using Win2K clients, Chad has put up a good chapter. It would

No, I am not using any Win2K clients, not at this time. For now, I want a subnet-to-subnet IPSec tunnel, between my Bering 1.0 box and my Pix at work.

Thanks for the info, tho - it will come in handy, since eventually I will want remote Win2K clients to connect to my Bering box.

--
PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Member, LEAF Project http://leaf.sourceforge.net
AIM: MikeLeone
Public Key - http://www.mike-leone.com/~turgon/turgon-public-key.asc
Registered Linux user# 201348
Re: [leaf-user] More Bering IPSec questions ...
On Monday 10 February 2003 08:08 am, Michael Leone wrote:
>>> However, I have changed /etc/network/options, and changed spoofprotect to no. Doesn't that turn off route filtering?
>>
>> It's set in shorewall configuration (interfaces(?)).
>
> I thought it might, but the Bering docs indicate otherwise - that the easiest way is by changing /etc/network/options.
>
>> If that's all the real tunnel config is missing, these are only the general settings for every tunnel you'll define.
>
> Correct; the tunnel definition is missing. That's what I was asking about - what do I need to put here to make the tunnel work properly with a Pix using pre-shared keys. The examples I've found on the FreeS/WAN site are confusing and contradictory.

It would definitely be in your best interest to read the Shorewall IPsec/VPN page on http://www.shorewall.net . IPSec definitely won't work with Shorewall unless you configure Shorewall correctly.

Do not use the 509 package if you are not using certs; the 509 package probably will not work with PSKs.

--
~Lynn Avants
Linux Embedded Firewall Project developer
http://leaf.sourceforge.net
Re: [leaf-user] Couple of General Questions
On Monday 10 February 2003 12:18 am, David Pitts wrote:
> Thanks Lynn. The RCDLinks = in your uDHCPC is S,S38 6,K38 . I will try RCDLINKS=2,S38 3,S38 6,K38 which looks more consistent with other packages (including uDHCPD which I hadn't noticed earlier).

No, no, the 2 in your example is for the runlevel to start in. My version starts from rcS.d, not rc2.d. The S38 is the number you need to pay attention to. You can try changing it, but I don't see where having it start in single-user mode is going to make a difference. Generally the networking doesn't come up in run-level 2.

--
~Lynn Avants
Linux Embedded Firewall Project developer
http://leaf.sourceforge.net
Re: [leaf-user] More Bering IPSec questions ...
Lynn Avants said:
> It would definitely be in your best interest to read the Shorewall IPsec/VPN page on http://www.shorewall.net . IPSec definitely won't work with Shorewall unless you configure Shorewall correctly. Do not use

OK. Haven't gotten that far yet; was just following the Bering docs for the moment. And the samples linked off the FreeS/WAN page for connecting to a Pix didn't seem to match up with the simple (?) config I wanted, of PSKs between my Bering and the Pix.

> the 509 package if you are not using certs, the 509 package probably will not work with PSKs.

It won't? Shoot. I do want to move to using certs, both between my Pix and for any remote clients to my Bering box that I may have in future. But at the moment, I have PSKs to my Pix. I'd hate to have to redo all my configs when I do move to certs. Ah, well. I do still have all the keys and certs and all on my main Linux box; I suppose it won't be too bad to move them again later.

I'll load up the ipsec instead of the ipsec509, and see where it takes me. Thanks.

--
PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Member, LEAF Project http://leaf.sourceforge.net
AIM: MikeLeone
Public Key - http://www.mike-leone.com/~turgon/turgon-public-key.asc
Registered Linux user# 201348
Re: [leaf-user] More Bering IPSec questions ...
>>> However, I have changed /etc/network/options, and changed spoofprotect to no. Doesn't that turn off route filtering?
>>
>> It's set in shorewall configuration (interfaces(?)).
>
> I thought it might, but the Bering docs indicate otherwise - that the easiest way is by changing /etc/network/options.

Trust but verify. There has been a new release of shorewall on bering since I last touched or tested that doc. It could be that it is overriding the setting I recommended. Also, I have found that it really only matters in quite strange tunneling setups (like I was using at the time).

It could pay to understand what reverse path filtering actually does: If the packet comes in from a given source ip address on an interface that would not be used to send a packet to that address, the packet is dropped if rp_filter is set on the interface OR if it is set on all interfaces.

Example from Mobile IP: A foreign agent receives traffic on an ipip tunnel interface (tunl0) for delivery to a mobile node in his visitor list. The source address is someone on the internet (say, www.yahoo.com). If he were to send a packet to www.yahoo.com, it would be sent through eth0, his default route. rp_filter will drop this packet (in an excruciatingly silent manner) because it was received on tunl0 (when de-tunneled), but traffic sent to that host would be sent through eth0. That is what rp_filter means.

In practice, with ipsec, if you are using the %defaultroute command in ipsec.conf, you will probably not really need rp_filter disabled because all traffic coming in on the ipsecN interface will also be routed back out the same ipsec interface it came in on.

There you go.

--
---
Chad Carr
[EMAIL PROTECTED]
---
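To make Chad's rule concrete, here is an added Python simulation (not code from the thread, from FreeS/WAN or from the kernel) of the reverse-path check behind the ipsec_setup warning quoted above. Routing tables, the rp_filter settings and the addresses are constructed for the Mobile IP and %defaultroute cases; the "interface OR all" rule follows Chad's description rather than any particular kernel version.

```python
"""Reverse-path-filter decision as described in the thread: a packet from
source S arriving on interface I is dropped when the route back to S would
leave via some other interface, provided rp_filter is set for I or for 'all'."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: str


def route_table(entries: Sequence[Tuple[str, str]]) -> List[Route]:
    """Build a table from (prefix, device) pairs; 'default' is 0.0.0.0/0."""
    return [Route(ipaddress.ip_network("0.0.0.0/0" if p == "default" else p), d)
            for p, d in entries]


def egress_dev(routes: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match on the destination, like the kernel's FIB lookup."""
    addr = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best.dev if best else None


def rp_filter_verdict(routes: List[Route], rp_filter: Dict[str, int],
                      in_dev: str, src: str) -> str:
    """Return 'ACCEPT' or 'DROP' for a packet from `src` received on `in_dev`.

    `rp_filter` mirrors /proc/sys/net/ipv4/conf/<if>/rp_filter (0 or 1); the
    key 'all' stands for conf/all/rp_filter. Per the thread's description the
    check is active if either the receiving interface or 'all' has it set.
    """
    if not (rp_filter.get(in_dev, 0) or rp_filter.get("all", 0)):
        return "ACCEPT"            # filtering off: no reverse-path check at all
    # Would the kernel send a packet *to* src out of the interface it came in on?
    return "ACCEPT" if egress_dev(routes, src) == in_dev else "DROP"


# Constructed tables for the two situations in the message (example addresses,
# not any real host).
# 1) Mobile IP foreign agent: default route via eth0, the visitor via tunl0.
FA_ROUTES = route_table([("default", "eth0"), ("10.0.0.7/32", "tunl0")])
INTERNET_HOST = "203.0.113.10"     # stand-in for "someone on the internet"

# 2) FreeS/WAN with %defaultroute: the remote LAN from the Dachstein thread
#    (192.168.23.0/24) is reached via ipsec0, so replies leave the way they came.
IPSEC_ROUTES = route_table([("default", "eth0"),
                            ("192.168.2.0/24", "eth1"),
                            ("192.168.23.0/24", "ipsec0")])


def mobile_ip_case(rp_filter: Dict[str, int]) -> str:
    """A de-tunneled packet from an internet host arrives on tunl0."""
    return rp_filter_verdict(FA_ROUTES, rp_filter, "tunl0", INTERNET_HOST)


def ipsec_case(rp_filter: Dict[str, int]) -> str:
    """A decrypted packet from the remote LAN arrives on ipsec0."""
    return rp_filter_verdict(IPSEC_ROUTES, rp_filter, "ipsec0", "192.168.23.10")


if __name__ == "__main__":
    for name, fn in (("mobile-ip/tunl0", mobile_ip_case), ("ipsec0", ipsec_case)):
        for setting in ({"all": 0}, {"all": 1}):
            print(f"{name:16} rp_filter={setting}: {fn(setting)}")
```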
[leaf-user] [problems] Dachstein with IPSec
I'm using Lynn Avants' Dachstein v1.0.2 with IPSEC from http://lrp.steinkuehler.net/contrib_disk_images.htm. I want to configure a subnet-to-subnet ipsec tunnel where both subnets are linked through a wireless bridge. The diagram below shows what I'm trying to accomplish:

+-------+  +--------+     +--------+  +-------+
| Net 0 |--| LEAF 0 |-(*)-| LEAF 1 |--| Net 1 |
+-------+  +--------+     +--------+  +-------+

(*) Wireless bridge - it's transparent. Both wireless bridges have IPs that I use for testing the connection (192.168.250.254 and 192.168.250.127).

Net 0  - 192.168.2.0/24
LEAF 0 - 192.168.2.250 (internal) 192.168.250.1 (external)
LEAF 1 - 192.168.250.128 (external) 192.168.23.254 (internal)
Net 1  - 192.168.23.0/24

The problems I'm seeing:

1) the routing tables in both LEAF routers have 2 entries for 192.168.250.0/24, one through eth0 (the ethernet card) and one through the tunnel (ipsec0). According to my experience I only want an entry through eth0, correct?

2) I get Pluto messages like:
ERROR: leaf-ipsec #1: sendto() on eth0 to 192.168.250.128:500 failed in EVENT_RETRANSMIT. Errno 1: Operation not permitted.
From other messages I gather this is an ipchains issue. I can get both hosts to ping by flushing all chains and changing the default policies to ACCEPT, but I wanted to know how to correct this.

3) I'm a complete newbie at IPSEC. Anyone knows how I can check if a tunnel is up?

Any help will be appreciated,

--
João Miguel Neves
Re: [leaf-user] Bering1.0-stable Problem with 2.4.20 on net4501
> Hi all,
>
> I'm getting the following kernel panic on my bering1.0_stable box with kernel 2.4.20. This is running on a Soekris net4501. Anyone else see this?

Hello Steve,

Kernel panic with the kernel is often a problem of a corrupt media, or corrupt download. From what kind of media are you booting?

> Unable to handle kernel NULL pointer dereference at virtual address
> printing eip:
> *pde =
> Oops:
> CPU:    0
> EIP:    0010:[]    Not tainted
> EFLAGS: 00010286
> eax: c10d3da0   ebx: c3c1f2b0   ecx: c4815860   edx: 0025
> esi: c0241f08   edi: 0002   ebp: c3dde81e   esp: c0241e70
> ds: 0018   es: 0018   ss: 0018
> Process swapper (pid: 0, stackpage=c0241000)
> Stack: c01e8caf c3dde81e 0025 c3c1f2b0 0002 0002 c0241ee8 c01bcf70
>        c0279d80 c01afef6 c0241f08 c10db800 c01bcf70 c01bcf70 c01b01a3 c0279d80
>        c0241f08
> Call Trace: [c01e8caf] [c01bcf70] [c01afef6] [c01bcf70] [c01bcf70] [c01b01a3] [c01bcf70] [c01bcd74] [c01bcf70] [c01aa15e] [c01aa269] [c01aa37f] [c011a323] [c010a2b0] [c0107040] [c010c858] [c0107040] [c0107063] [c0107102] [c0105000]
> Code: Bad EIP value.
> Kernel panic: Aiee, killing interrupt handler!
> In interrupt handler - not syncing

Eric Wolzak
member of the bering Crew
Re: [leaf-user] Win2K and LEAF
Charles is correct, Windows 2000 should handle its own DNS if you are using AD. For Windows 2000, outside of AD, it doesn't matter, but AD wants to create a bunch of DNS records for AD to work properly as a name and service resolution tool. You can run it with a properly configured *nix DNS server, but it is just easier to use Win2K for DNS. You can then have Win2K forward onto DNS cache.

-Cheers
edt

- Original Message -
From: Charles Steinkuehler [EMAIL PROTECTED]
To: John Mullan [EMAIL PROTECTED]
Cc: Leaf-User [EMAIL PROTECTED]
Sent: Monday, February 10, 2003 10:14 AM
Subject: Re: [leaf-user] Win2K and LEAF

> John Mullan wrote:
>> OK Charles. I understand. As you know by now, I only really do this stuff at home. I have helped a buddy by putting a LEAF router at his office. So, not being the guru and not having a great amount of time, I will eventually read bits and pieces.
>>
>> I only ended up with Win2K server because my drive crapped out on Tuesday and I figured that, what the heck. It would give me the ability to keep user profiles in one location. On this scale, it really comes down to what I'm willing to live with and for how long. Right now I timed it and I spend about 1 minute 'Preparing Network Connections'. That's really not too bad.
>>
>> Also, since this is only my home network, I run all servers on one box. Its name is WWW but has FTP and POP3/SMTP. I thought it great to define ftp.mullan.ca, mail.mullan.ca and www.mullan.ca and have them all point to the same box but thanks to M$ that doesn't work anymore as it seems to override my TinyDNS in this respect. (a little of my ranting too :)
>>
>> So really, would it be better to let my M$ box handle internal DNS and let LEAF handle dnscache for internet queries? Is there a package other than TinyDNS that is dynamic and will let the M$ box register hosts?
>
> I intentionally know as little as possible about the M$ networking world, but from what I know, and the information provided above, if you don't want to remove AD (and your other MS systems are recent enough to avoid any MS-MS operating problems), you're probably best off using your AD server as the primary DNS for your network.
>
> You can probably configure the AD server to query DNSCache on the firewall for internet domains, use your ISP's DNS servers, or make all queries itself. Which option is best depends a lot on your connection to the 'net (bandwidth and latency) and the reliability of your ISP's name servers.
>
> I added DNSCache to Dachstein to allow implementing a pre-configured DHCP server, and because my ISP's DNS servers would typically go down about once every other week. You don't *HAVE* to use it, it's simply provided as a convenience.
>
> --
> Charles Steinkuehler
> [EMAIL PROTECTED]
Re: [leaf-user] Bering1.0-stable Problem with 2.4.20 on net4501
At 05:36 PM 2/10/03 +0100, Eric Wolzak wrote:
>> Hi all,
>>
>> I'm getting the following kernel panic on my bering1.0_stable box with kernel 2.4.20. This is running on a Soekris net4501. Anyone else see this?
>
> Hello Steve,
>
> Kernel panic with the kernel is often a problem of a corrupt media, or corrupt download.

[rest deleted]

Or bad hardware. How long does the system run before this happens? Could it be a heat-related issue? a RAM issue? The virtual address part of the oops, in particular, suggests to me a RAM issue.

Although kernel panics are supposed to alert you to programming errors in the kernel, I have, in 8 years of using Linux, never actually encountered a kernel panic that was not related to bad media, bad RAM, or CPU overheating. (This is all using released kernels, never experimental ones -- I'm sure the experience is different for kernel developers.)

--
"Never tell me the odds!"            Ray Olszewski
        -- Han Solo                  Palo Alto, California, USA
                                     [EMAIL PROTECTED]
Re: [leaf-user] Bering1.0-stable Problem with 2.4.20 on net4501
Steve,

You might want to try the kernel and drivers Jacques compiled for the Elan hardware target. They're at:

http://leaf.sourceforge.net/devel/jnilo/testing/

Ignore the busybox stuff that's in there. I had asked Jacques to recompile the 2.4.20 kernel for the Elan target specifically for use on the net4501. I haven't had a chance to try testing them yet as I got sidetracked on another project over the weekend. The Elan target addresses some kernel incompatibility issues that have sprung up recently, so you should have better luck with that kernel version on the net4501.

Michael

Steve Bihari [EMAIL PROTECTED] 02/09/03 15:11 PM
> Hi all,
>
> I'm getting the following kernel panic on my bering1.0_stable box with kernel 2.4.20. This is running on a Soekris net4501. Anyone else see this?
Re: [leaf-user] More Bering IPSec questions ...
Michael Leone wrote:
> Lynn Avants said:
>> the 509 package if you are not using certs, the 509 package probably will not work with PSK's.
>
> It won't? Shoot. I do want to move to using certs, both between my Pix and for any remote clients to my Bering box that I may have in future. But at the moment, I have PSKs to my Pix. I'd hate to have to redo all my configs when I do move to certs. Ah, well. I do still have all the keys and certs and all on my main Linux box; I suppose it won't be too bad to move them again later.
>
> I'll load up the ipsec instead of the ipsec509, and see where it takes me.

I am unaware of any issue that would prevent you from continuing to use PSKs after switching to the 509 version of FreeS/WAN. As far as I know, PSKs work identically between the plain and x.509 patched versions.

What *DOES* change, however, is how RSA signature keys are handled. If you have multiple road-warrior clients running RSA encryption and migrate to the x.509 patched version, you will have to migrate your road-warriors to x.509 certs as well. I believe this has to do with the difficulty of identifying dynamic-IP connections at authentication time, prior to an encrypted tunnel being setup.

Connections between two ends with static IP's can authenticate with anything (certs, RSA keys, or PSKs) without issue. Since full connection specifications for these tunnels are available throughout the authentication process, there are no chicken and egg problems trying to figure out who you're talking to, and which connection description to use.

--
Charles Steinkuehler
[EMAIL PROTECTED]
Re: [leaf-user] [problems] Dachstein with IPSec
João Miguel Neves wrote:
> I'm using Lynn Avants' Dachstein v1.0.2 with IPSEC from http://lrp.steinkuehler.net/contrib_disk_images.htm. I want to configure a subnet-to-subnet ipsec tunnel where both subnets are linked through a wireless bridge. The diagram below shows what I'm trying to accomplish:
>
> +-------+  +--------+     +--------+  +-------+
> | Net 0 |--| LEAF 0 |-(*)-| LEAF 1 |--| Net 1 |
> +-------+  +--------+     +--------+  +-------+
>
> (*) Wireless bridge - it's transparent. Both wireless bridges have IPs that I use for testing the connection (192.168.250.254 and 192.168.250.127).
>
> Net 0  - 192.168.2.0/24
> LEAF 0 - 192.168.2.250 (internal) 192.168.250.1 (external)
> LEAF 1 - 192.168.250.128 (external) 192.168.23.254 (internal)
> Net 1  - 192.168.23.0/24
>
> The problems I'm seeing:
>
> 1) the routing tables in both LEAF routers have 2 entries for 192.168.250.0/24, one through eth0 (the ethernet card) and one through the tunnel (ipsec0). According to my experience I only want an entry through eth0, correct?
>
> 2) I get Pluto messages like:
> ERROR: leaf-ipsec #1: sendto() on eth0 to 192.168.250.128:500 failed in EVENT_RETRANSMIT. Errno 1: Operation not permitted.
> From other messages I gather this is an ipchains issue. I can get both hosts to ping by flushing all chains and changing the default policies to ACCEPT, but I wanted to know how to correct this.
>
> 3) I'm a complete newbie at IPSEC. Anyone knows how I can check if a tunnel is up?
>
> Any help will be appreciated,

Must be the day for ipsec questions. :)

Problem 1 is not a problem. It is an artifact of how IPSec gets setup.

Problem 2 is caused by the firewall rules. If you have an unmodified Dachstein firewall, it is not expecting private IP's to exist on the external interface, and drops this traffic by default. You can fix this by editing /etc/ipfilter.conf. Locate the stopMartians () procedure, and comment out the appropriate RFC 1918/1627/1597 blocks...in your case:

#$IPCH -A $LIST -j DENY -p all -s 192.168.0.0/16 -d 0/0 -l $*

3) Try: ipsec look and ipsec auto --status. See the ipsec man pages for more usage info.

--
Charles Steinkuehler
[EMAIL PROTECTED]
[leaf-user] Bizarre behaviour in wisp dist?
I use wisp in all my wireless stations, and everything works just fine! But I'm getting a problem that I can't understand!

I got 0% of packet loss, the ping responds in 3 ms to 10 ms! Very stable, the distance between the antennas is 2km! The signal in AP Manager (the station is connected to an AP1000 of Orinoco!) gives 95% of signal, noise is 30% (the amplifier increases the noise! =() Everything looks just fine!

But I got just a unique problem! When I try to log in via telnet or ssh, sometimes the menu is ok, other times it doesn't show completely, then I get no response from the station; I have to kill the telnet session and start another! That happens a lot! Now I have a station where the menu doesn't appear at all, the cursor stays at the top of the screen, without blinking, and I always get that response; I just can't log in to the station remotely! =(

The version of wisp is 2397, and I have only 2 stations with that version; one is just fine, but the one that has the problem is with bridge active!

Thanks
Samuel Abreu
Re: [leaf-user] Bizarre behaviour in wisp dist?
Hello Samuel,

I have a feeling that your system ran out of memory. Try telnet. It is lighter on resources. If you cannot login remotely, try to login via serial cable. You can see memory usage by running ps auxw and cat /proc/meminfo. Also see what messages you have in the system log.

Please let me know.

Samuel Abreu wrote:
> I use wisp in all my wireless stations, and everything works just fine! But I'm getting a problem that I can't understand!
>
> I got 0% of packet loss, the ping responds in 3 ms to 10 ms! Very stable, the distance between the antennas is 2km! The signal in AP Manager (the station is connected to an AP1000 of Orinoco!) gives 95% of signal, noise is 30% (the amplifier increases the noise! =() Everything looks just fine!
>
> But I got just a unique problem! When I try to log in via telnet or ssh, sometimes the menu is ok, other times it doesn't show completely, then I get no response from the station; I have to kill the telnet session and start another! That happens a lot! Now I have a station where the menu doesn't appear at all, the cursor stays at the top of the screen, without blinking, and I always get that response; I just can't log in to the station remotely! =(
>
> The version of wisp is 2397, and I have only 2 stations with that version; one is just fine, but the one that has the problem is with bridge active!

--
Best Regards,
Vladimir
Systems Engineer (RHCE)
[leaf-user] Hello and has anyone any experience with...
Ok, new to the list.

I have been looking to set up a floppy based router for a vpn connection (bering looks ideal for this) so ditched the Intel 3240 in favour of a speedtouch - only to receive a 330 which appears only to be supported in the latest beta at speedtouch.sourceforge.net, and for which the .sys file is over 700k (oops, not that much space left on the floppy! even gzipped it is 358k).

I assume the solution to the space problem is to place the file (and anything else that doesn't change) onto a cdr and mount that as part of the boot - but it seems like an uphill struggle.

So on to the obvious question - has anyone already done all or part of this, and can give me some pointers and/or configured lrp files? I assume that the speedtch.lrp from http://leaf.sourceforge.net/devel/jnilo/bering/latest/drivers/speedtouch/ is for the original model I don't have
[leaf-user] ??? Shorewall/Bering and VTUN Bridge ???
Hi All,

I'm fairly new to shorewall and have a unique environment to set up; currently I have two buildings connected via Orinoco AP. Both buildings are part of the same subnet and must stay that way. I want to increase security of the wireless segment and have decided to use Bering, VTunnel and Shorewall to accomplish this.

Both systems currently create a VPN tunnel using VTUN (/dev/tap0) and automatically add this interface to the bridge interface br0.

So to recap:
eth1 is the internal device, eth0 external.
tap0 is the VTUN interface after the connection.
br0 has tap0 and eth1 bridged.

What do I have to do to allow VTUN to establish the connection on the external interface? It uses UDP port 5000.
What do I have to do to allow traffic from both segments to flow?

Please send me a direct e-mail if you have the answer.

Thanks in advance
Hugues
[EMAIL PROTECTED]
Re: [leaf-user] Bizarre behaviour in wisp dist?
# cat /proc/meminfo
        total:    used:    free:  shared: buffers:  cached:
Mem:  62746624 25681920 37064704        0  3182592 12390400
Swap:        0        0        0
MemTotal:     61276 kB
MemFree:      36196 kB
MemShared:        0 kB
Buffers:       3108 kB
Cached:       12100 kB
SwapCached:       0 kB
Active:        4456 kB
Inactive:     15456 kB
HighTotal:        0 kB
HighFree:         0 kB
LowTotal:     61276 kB
LowFree:      36196 kB
SwapTotal:        0 kB
SwapFree:         0 kB

Hmm, this is all I get! I try to get the system.log, but the station is down!

I'm going to make some changes... I will change the board, from AAEON to Soekris! and change the version of wisp... later I'll send a mail!

Samuel Abreu

From: Vladimir I. [EMAIL PROTECTED]
To: Samuel Abreu [EMAIL PROTECTED]
CC: [EMAIL PROTECTED]
Subject: Re: [leaf-user] Bizarre behaviour in wisp dist?
Date: Mon, 10 Feb 2003 20:10:33 +0200

> Hello Samuel,
>
> I have a feeling that your system ran out of memory. Try telnet. It is lighter on resources. If you cannot login remotely, try to login via serial cable. You can see memory usage by running ps auxw and cat /proc/meminfo. Also see what messages you have in the system log. Please let me know.
Re: [leaf-user] Bizarre behaviour in wisp dist?
Strange. I also saw things going out of control under high load of small packets, when the CPU cannot keep up with them. Could it be the case?

Samuel Abreu wrote:
> # cat /proc/meminfo
>         total:    used:    free:  shared: buffers:  cached:
> Mem:  62746624 25681920 37064704        0  3182592 12390400
> Swap:        0        0        0
> MemTotal:     61276 kB
> MemFree:      36196 kB
> MemShared:        0 kB
> Buffers:       3108 kB
> Cached:       12100 kB
> SwapCached:       0 kB
> Active:        4456 kB
> Inactive:     15456 kB
> HighTotal:        0 kB
> HighFree:         0 kB
> LowTotal:     61276 kB
> LowFree:      36196 kB
> SwapTotal:        0 kB
> SwapFree:         0 kB
>
> Hmm, this is all I get! I try to get the system.log, but the station is down!
>
> I'm going to make some changes... I will change the board, from AAEON to Soekris! and change the version of wisp... later I'll send a mail!
>
> Samuel Abreu

--
Best Regards,
Vladimir
Systems Engineer (RHCE)
[leaf-user] Dachstein Port Forwarding
I want to port forward any packets sent to port 25 on the external interface to an internal email server but I seem to be having trouble doing so. I've made the necessary changes to the network config file but the changes aren't taking hold. I've rebooted the server twice to no avail (I'm a M$ techie :) ). Here's the network config file condensed:

snip

# ICMP types to open
# Space separated list: proto_destIP/mask_port
#NOMASQ_DEST=tcp_0/0_ssh
# Indexed list: SrcAddr/Mask type [ DestAddr[/DestMask] ]
#EXTERN_ICMP_PORT0=0/0 : 1.1.1.12

## UDP Services open to outside world
# Space separated list: srcip/mask_dstport
# NOTE: bootpc port is used for dhcp client
#EXTERN_UDP_PORTS=0/0_domain 0/0_bootpc
# -or-
# Indexed list: SrcAddr/Mask port [ DestAddr[/DestMask] ]
#EXTERN_UDP_PORT0=0/0 domain
#EXTERN_UDP_PORT1=5.6.7.8 500 1.1.1.12

# TCP services open to outside world
# Space separated list: srcip/mask_dstport
EXTERN_TCP_PORTS=xxx.xxx.0.0/16_ssh 0/0_www 0/0_8080 0/0_25   --edited to hide actual addrs
# -or-
# Indexed list: SrcAddr/Mask port [ DestAddr[/DestMask] ]
#EXTERN_TCP_PORT0=5.6.7.8 domain 1.1.1.12
#EXTERN_TCP_PORT1=0/0 www

snip

###
# Port Forwarding
###
# Remember to open appropriate holes in the firewall rules, above
# Uncomment following for port-forwarded internal services.
# The following is an example of what should be put here.
# Tuples are as follows:
# protocol_local-ip_local-port_remote-ip_remote-port
INTERN_SERVERS=tcp_${EXTERN_IP}_smtp_192.168.1.4_smtp tcp_${EXTERN_IP}_8080_192.168.1.15_www

# These lines use the primary external IP address...if you need to port-forward
# an aliased IP address, use the INTERN_SERVERS setting above
#INTERN_FTP_SERVER=192.168.1.1    # Internal FTP server to make available
#INTERN_WWW_SERVER=192.168.1.1    # Internal WWW server to make available
#INTERN_SMTP_SERVER=192.168.1.1   # Internal SMTP server to make available
#INTERN_POP3_SERVER=192.168.1.1   # Internal POP3 server to make available
#INTERN_IMAP_SERVER=192.168.1.1   # Internal IMAP server to make available
#INTERN_SSH_SERVER=192.168.1.1    # Internal SSH server to make available
#EXTERN_SSH_PORT=24               # External port to use for internal SSH access

# Advanced settings: parameters passed directly to portfw and autofw
# Indexed list: ipmasqadm portfw options
#INTERN_SERVER0=-a -P PROTO -L LADDR LPORT -R RADDR RPORT [-p PREF]
#INTERN_SERVER1=
# Indexed list: ipmasqadm autofw options
#INTERN_AUTOFW0=-A -r tcp 2 20050 -h 192.168.1.1
#INTERN_AUTOFW1=

snip

Running the Port Probe function at www.grc.com reveals port 25 to be in stealth mode which under any other circumstances would be great but not under the current circumstance! The same probe shows port 80 to be open which is what I intended.

The IP address for our email server is 192.168.1.4. It's an Exchange box with ports SMTP, POP3, and IMAP opened. Currently running Dachstein CD 1.0.2.

~Doug
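The config comment "Remember to open appropriate holes in the firewall rules, above" is the usual place a Dachstein port-forward goes wrong: the INTERN_SERVERS tuple and the EXTERN_TCP_PORTS hole are two separate settings and must agree. The script below is an added example, not Dachstein's own code: it parses the two formats quoted in the post (srcip/mask_dstport entries and protocol_local-ip_local-port_remote-ip_remote-port tuples), treats the INTERN_*_SERVER shortcut variables as forwards of their well-known port, and lists every forward whose external port is not opened. The service-name table is an assumption (Dachstein resolves names through /etc/services), and the EXTERN_IP value is taken from the port-forward listing posted later in this thread.

```python
"""Cross-check Dachstein network.conf port forwards against firewall holes.

Added example, not Dachstein's own code.  Assumptions: service names are
resolved from SERVICE_PORTS (Dachstein uses /etc/services), and the
INTERN_*_SERVER shortcuts forward the service's well-known port.
"""
import re

SERVICE_PORTS = {"ftp": 21, "ssh": 22, "smtp": 25, "domain": 53,
                 "www": 80, "http": 80, "pop3": 110, "imap": 143}

# Shortcut variables from the same config section -> service they forward.
SHORTCUT_SERVERS = {"INTERN_FTP_SERVER": "ftp", "INTERN_WWW_SERVER": "www",
                    "INTERN_SMTP_SERVER": "smtp", "INTERN_POP3_SERVER": "pop3",
                    "INTERN_IMAP_SERVER": "imap", "INTERN_SSH_SERVER": "ssh"}

# Constructed sample: the live lines from the post above, plus an EXTERN_IP
# taken from the port-forward listing quoted later in the thread.
SAMPLE_CONF = """
EXTERN_IP=216.70.236.236
# TCP services open to outside world
EXTERN_TCP_PORTS=xxx.xxx.0.0/16_ssh 0/0_www 0/0_8080 0/0_25 --edited to hide actual addrs
# Tuples are as follows:
# protocol_local-ip_local-port_remote-ip_remote-port
INTERN_SERVERS=tcp_${EXTERN_IP}_smtp_192.168.1.4_smtp tcp_${EXTERN_IP}_8080_192.168.1.15_www
#INTERN_SMTP_SERVER=192.168.1.1   # commented out, so ignored
"""


def port_number(token):
    """Turn a port token ('smtp', '8080') into an integer port."""
    if token.isdigit():
        return int(token)
    return SERVICE_PORTS[token.lower()]


def parse_conf(text):
    """Parse KEY=value lines; '#' comment lines and trailing notes are ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        # drop a trailing '  # comment' or ' --note' after the value
        value = re.split(r"\s+(#|--)", value, maxsplit=1)[0].strip().strip('"')
        conf[key.strip()] = value
    return conf


def expand(value, conf):
    """Expand ${VAR} references against the parsed config."""
    return re.sub(r"\$\{(\w+)\}", lambda m: conf.get(m.group(1), ""), value)


def parse_open_ports(value):
    """EXTERN_TCP_PORTS / EXTERN_UDP_PORTS: 'srcip/mask_dstport ...' -> {port, ...}."""
    return {port_number(item.rpartition("_")[2]) for item in value.split()}


def parse_intern_servers(value, conf):
    """INTERN_SERVERS tuples: protocol_local-ip_local-port_remote-ip_remote-port."""
    forwards = []
    for item in expand(value, conf).split():
        proto, local_ip, local_port, remote_ip, remote_port = item.split("_")
        forwards.append({"proto": proto.lower(), "local_ip": local_ip,
                         "local_port": port_number(local_port),
                         "remote_ip": remote_ip,
                         "remote_port": port_number(remote_port)})
    return forwards


def collect_forwards(conf):
    """All forwards implied by INTERN_SERVERS plus the INTERN_*_SERVER shortcuts."""
    forwards = parse_intern_servers(conf.get("INTERN_SERVERS", ""), conf)
    extern_ip = conf.get("EXTERN_IP", "${EXTERN_IP}")
    for var, service in SHORTCUT_SERVERS.items():
        if conf.get(var):
            local_port = port_number(service)
            if service == "ssh" and conf.get("EXTERN_SSH_PORT"):
                local_port = port_number(conf["EXTERN_SSH_PORT"])
            forwards.append({"proto": "tcp", "local_ip": extern_ip,
                             "local_port": local_port, "remote_ip": conf[var],
                             "remote_port": port_number(service)})
    return forwards


def check_forwards(text):
    """One message per forward whose external port has no matching hole."""
    conf = parse_conf(text)
    holes = {"tcp": parse_open_ports(conf.get("EXTERN_TCP_PORTS", "")),
             "udp": parse_open_ports(conf.get("EXTERN_UDP_PORTS", ""))}
    problems = []
    for fw in collect_forwards(conf):
        if fw["local_port"] not in holes.get(fw["proto"], set()):
            problems.append("%s port %d forwarded to %s:%d but not opened in EXTERN_%s_PORTS"
                            % (fw["proto"], fw["local_port"], fw["remote_ip"],
                               fw["remote_port"], fw["proto"].upper()))
    return problems


if __name__ == "__main__":
    print(check_forwards(SAMPLE_CONF) or "all forwards have matching holes")
    print(check_forwards(SAMPLE_CONF + "INTERN_POP3_SERVER=192.168.1.4\n"))
```

On Doug's fragment the check comes back clean (both 25 and 8080 are opened), which is consistent with Charles's reading of the config below; adding a POP3 shortcut without a 0/0_pop3 hole is the kind of mismatch it reports.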
[leaf-user] Masqueraded Connections
Hello,

Looking at my firewall via the webbrowser I have the following situation within the current connections:

Masqueraded Connections:
udp  src=192.168.1.44 1276  dst=194.109.6.65 123    --90 sec.
unknown src=599 dst=10.0.0.138 dst=src=10.0.0.2 src=10.0.0.138 --47 sec. use=1
tcp  src=192.168.1.44 2010  dst=65.197.157.202 80   --74882 sec. ESTABLISHED
tcp  src=192.168.1.97 1116  dst=208.254.63.58 80    --60133 sec. ESTABLISHED

I understand the connection to the dns server and the connection between firewall and adsl modem, but I don't understand the other two connections. Those ip-numbers seem to have a connection for a very, very long time.

My question: is this normal behaviour or is there something wrong?

Rob.
Re: [leaf-user] Dachstein Port Forwarding
Doug Sampson wrote:
> I want to port forward any packets sent to port 25 on the external interface to an internal email server but I seem to be having trouble doing so. I've made the necessary changes to the network config file but the changes aren't taking hold. I've rebooted the server twice to no avail (I'm a M$ techie :) ). Here's the network config file condensed:
>
> snip

snip

> # TCP services open to outside world
> # Space separated list: srcip/mask_dstport
> EXTERN_TCP_PORTS=xxx.xxx.0.0/16_ssh 0/0_www 0/0_8080 0/0_25   --edited to hide actual addrs

This looks OK.

snip

> # Uncomment following for port-forwarded internal services.
> # The following is an example of what should be put here.
> # Tuples are as follows:
> # protocol_local-ip_local-port_remote-ip_remote-port
> INTERN_SERVERS=tcp_${EXTERN_IP}_smtp_192.168.1.4_smtp tcp_${EXTERN_IP}_8080_192.168.1.15_www

This also looks OK. You could try using the INTERN_SMTP_SERVER variable below, to make sure there's not something broken with the INTERN_SERVERS line above, but if your web-server port-forwarding is working OK, I doubt that will help.

> # These lines use the primary external IP address...if you need to port-forward
> # an aliased IP address, use the INTERN_SERVERS setting above
> #INTERN_FTP_SERVER=192.168.1.1    # Internal FTP server to make available
> #INTERN_WWW_SERVER=192.168.1.1    # Internal WWW server to make available
> #INTERN_SMTP_SERVER=192.168.1.1   # Internal SMTP server to make available
> #INTERN_POP3_SERVER=192.168.1.1   # Internal POP3 server to make available
> #INTERN_IMAP_SERVER=192.168.1.1   # Internal IMAP server to make available
> #INTERN_SSH_SERVER=192.168.1.1    # Internal SSH server to make available
> #EXTERN_SSH_PORT=24               # External port to use for internal SSH access

snip

> Running the Port Probe function at www.grc.com reveals port 25 to be in stealth mode which under any other circumstances would be great but not under the current circumstance! The same probe shows port 80 to be open which is what I intended.
>
> The IP address for our email server is 192.168.1.4. It's an Exchange box with ports SMTP, POP3, and IMAP opened. Currently running Dachstein CD 1.0.2.

OK, there are several things that could be going wrong, besides mis-configuration (it looks like you've got everything set up properly, but I can't tell for sure without the full output of net ipfilter list).

1) Your ISP is blocking port 25. This is fairly common, and is typically encountered along with blocking of port 80. To test this, keep the EXTERN_TCP_PORTS setting above, but comment out the INTERN_SERVERS port-forwarding setting. This will let packets through your firewall, but they will have nowhere to go (no listening service or port-forward), so the firewall will send out a TCP reset packet. GRC should show this as a closed port, rather than open or stealth. You can also try a normal traceroute to your box, then a traceroute using TCP port 25 packets, to see if your ISP is filtering traffic (Note you have to do this from *OUTSIDE* your ISP's network).

2) Your firewall is actually mis-configured, and your firewall rules or port-forwarding setup is preventing packets from getting to your mail server, even though your network.conf settings look OK. Send the output of net ipfilter list so we can verify your setup and/or trace packets as they make their way through your network (with ipchains packet counts/logging, tcpdump, or some other means).

3) Your mail server is off-line, or you are port-forwarding to the wrong internal IP. Try telnetting to the internal IP of your mail server from a box on the internal network, and see if you can connect and manually walk through an SMTP session (type HELO then QUIT for a minimal test).

Reading between the lines, I strongly suspect your ISP is blocking traffic to port 25. This is typically done along with blocking inbound web traffic to port 80, and I notice you are using port 8080 to forward to your internal web server, but have still opened port 80 to the world (perhaps from a previous unsuccessful attempt to port-forward normal web traffic?).

Regardless, post the requested net ipfilter list output for debugging, along with the results of the above tests if you can't get things working. Some details about your ISP (including where you are, as folks like RoadRunner and Cox do things differently in different cities) would also help.

--
Charles Steinkuehler
[EMAIL PROTECTED]
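Two of the checks above (the open/closed/stealth distinction a probe such as GRC's reports, and the manual HELO/QUIT session against the internal mail server) can be scripted from a box on the internal network. The code below is an added example, not part of Charles's reply or of Dachstein: classify_port() reports a TCP port as open (handshake completed), closed (a reset came back, which is what the firewall sends when the hole is open but nothing listens or forwards) or stealth (no answer before the timeout, as when a filter upstream drops the SYN), and smtp_handshake() walks the banner/HELO/QUIT dialogue and returns the reply codes. A constructed stand-in SMTP listener on 127.0.0.1 lets it run offline; the host names are placeholders.

```python
"""Port-state and minimal SMTP checks from an internal host.

Added example (not from the reply above, not Dachstein code).  The fake SMTP
listener is a constructed stand-in for the real mail server so that the
script runs offline; host names used are placeholders.
"""
import socket
import threading


def classify_port(host, port, timeout=3.0):
    """Return 'open', 'closed' or 'stealth' for host:port, as an outside probe would."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:      # RST came back: hole open, nothing listening
        return "closed"
    except socket.timeout:              # SYN silently dropped somewhere upstream
        return "stealth"
    finally:
        s.close()


def _read_reply(sock):
    """Read one SMTP reply (multi-line '250-...' forms included); return its code."""
    data = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed the connection mid-reply")
        data += chunk
        for line in data.split(b"\r\n")[:-1]:
            if len(line) >= 4 and line[3:4] == b" ":   # 'NNN ' is the final line
                return int(line[:3])


def smtp_handshake(host, port, helo_name="probe.example.invalid", timeout=5.0):
    """Banner, HELO, QUIT; returns the three reply codes, e.g. (220, 250, 221)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = _read_reply(s)
        s.sendall(b"HELO " + helo_name.encode("ascii") + b"\r\n")
        helo = _read_reply(s)
        s.sendall(b"QUIT\r\n")
        quit_code = _read_reply(s)
    return banner, helo, quit_code


def _lines(conn):
    """Yield CRLF-terminated lines from a socket until the peer closes."""
    buf = b""
    while True:
        chunk = conn.recv(4096)
        if not chunk:
            return
        buf += chunk
        while b"\r\n" in buf:
            line, buf = buf.split(b"\r\n", 1)
            yield line


def start_fake_smtp_server():
    """Constructed stand-in for the internal mail server (not a real MTA).
    Listens on 127.0.0.1 at a free port; returns (port, stop_callable)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:             # listener closed by stop()
                return
            with conn:
                conn.sendall(b"220 mail.example.invalid ESMTP constructed\r\n")
                for line in _lines(conn):
                    cmd = line.split(b" ", 1)[0].upper()
                    if cmd == b"HELO":
                        conn.sendall(b"250 mail.example.invalid\r\n")
                    elif cmd == b"QUIT":
                        conn.sendall(b"221 bye\r\n")
                        break
                    else:
                        conn.sendall(b"502 command not implemented\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return port, srv.close


def unused_port():
    """A loopback port with nothing listening, to show the 'closed' case."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    port, stop = start_fake_smtp_server()
    print("mail server:", classify_port("127.0.0.1", port), smtp_handshake("127.0.0.1", port))
    print("nothing listening:", classify_port("127.0.0.1", unused_port()))
    stop()
```

Against the real server, replace 127.0.0.1 and the port with the internal address and 25; a (220, 250, 221) result from inside the LAN rules out item 3, and a "closed" result from outside after commenting out INTERN_SERVERS is the reset Charles describes in item 1.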
[leaf-user] new WISP-Dist test release available
New test release available from leaf.sf.net/devel/hzdrus/files, it fixes traffic shaping and a few other small glitches compared to previous test release.

--
Best Regards,
Vladimir
Systems Engineer (RHCE)
RE: [leaf-user] problems with BEFW11S (wireless router) and LEAF (Bering)
What you described is all correct including the fact that my wired machine can ping my wireless machine and vice versa (which I didn't state in the previous mail).

> 1. What LAN IP address is assigned to the Linksys, and is it different from the LAN IP address of the Bering? If not, fix it; that conflict is causing your problem. If this is OK, then go on.

How do you do this? I changed the IP address to 192.168.1.253 (the default is 192.168.1.1) just to see if it made any difference, which was none. I don't get what you mean? What do you mean by different from the LAN IP address of the Bering?

> 2. Before you ping from a wireless host, check its arp table to see if there is an entry for the Bering's IP address. (Probably there is not.) After you ping, check again. See if there is an entry present, and see if it has the right MAC address. Also check the Bering's arp table before and after.

Right after my wireless machine starts up, the arp table contains two entries, 192.168.1.253 (which is the Linksys) and 192.168.1.254 (which is Bering). Pinging doesn't work and there is no difference in the arp table except that 192.168.1.253 gets dropped from the table.

> 3. Try to ping a wireless host from the Bering. Check the arp tables the same way you did in item 2.

No luck here, can't ping to wireless machine (but can ping my wired one) and there are no entries in the arp table (arp -a prints out nothing).

Any help would be greatly appreciated.
CK

ip addr show

1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:04:5a:6c:d5:3d brd ff:ff:ff:ff:ff:ff
4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:08:c7:90:ba:c4 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.254/24 brd 192.168.1.255 scope global eth1
5: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 3
    link/ppp
    inet 64.231.42.125 peer 64.231.42.1/32 scope global ppp0

ip route show

64.231.42.1 dev ppp0  proto kernel  scope link  src 64.231.42.125
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.254
default via 64.231.42.1 dev ppp0

lsmod

Module                  Pages  Used by
ip_nat_irc               2400   0 (unused)
ip_nat_ftp               3008   0 (unused)
ip_conntrack_irc         3104   1
ip_conntrack_ftp         3840   1
pppoe                    6656   1
pppox                     916   1 [pppoe]
ppp_synctty              4408   0 (unused)
ppp_generic             14932   3 [pppoe pppox ppp_synctty]
n_hdlc                   5792   0 (unused)
slhc                     4288   0 [ppp_generic]
tlan                    23744   1
tulip                   37024   1

/var/log/messages

Feb 10 04:15:06 firewall syslogd 1.3-3#31.slink1: restart.
Feb 10 04:15:06 firewall kernel: klogd 1.3-3#31.slink1, log source = /proc/kmsg started.
Feb 10 04:15:06 firewall kernel: Cannot find map file.
Feb 10 04:15:06 firewall kernel: Loaded 72 symbols from 12 modules.
Feb 10 04:15:06 firewall kernel: Linux version 2.4.18 (root@uml_woody) (gcc version 2.95.4 20011002 (Debian prerelease)) #1 Sun Nov 10 17:40:20 UTC 2002
Feb 10 04:15:06 firewall kernel: BIOS-provided physical RAM map:
Feb 10 04:15:06 firewall kernel:  BIOS-e820: - 0009fc00 (usable)
Feb 10 04:15:06 firewall kernel:  BIOS-e820: 0009fc00 - 000a (reserved)
Feb 10 04:15:06 firewall kernel:  BIOS-e820: 000f - 0010 (reserved)
Feb 10 04:15:06 firewall kernel:  BIOS-e820: 0010 - 0800 (usable)
Feb 10 04:15:06 firewall kernel:  BIOS-e820: fffe - 0001 (reserved)
Feb 10 04:15:06 firewall kernel: On node 0 totalpages: 32768
Feb 10 04:15:06 firewall kernel: zone(0): 4096 pages.
Feb 10 04:15:06 firewall kernel: zone(1): 28672 pages.
Feb 10 04:15:06 firewall kernel: zone(2): 0 pages.
Feb 10 04:15:06 firewall kernel: Kernel command line: BOOT_IMAGE=linux initrd=initrd.lrp init=/linuxrc root=/dev/ram0 boot=/dev/fd0u1680:msdos PKGPATH=/dev/fd0u1680 LRP=root,etc,local,modules,iptables,dhcpd,ppp,pppoe,keyboard,shorwall,dnscache,weblet
Feb 10 04:15:06 firewall kernel: Initializing CPU#0
Feb 10 04:15:06 firewall kernel: Detected 199.909 MHz processor.
Feb 10 04:15:06 firewall kernel: Console: colour VGA+ 80x25
Feb 10 04:15:06 firewall kernel: Calibrating delay loop... 398.95 BogoMIPS
Feb 10 04:15:06 firewall kernel: Memory: 126816k/131072k available (907k kernel code, 3868k reserved, 232k data, 60k init, 0k highmem)
Feb 10 04:15:06 firewall kernel: Dentry-cache hash table entries: 16384 (order: 5, 131072 bytes)
Feb 10 04:15:06 firewall kernel: Inode-cache hash table entries: 8192 (order: 4, 65536 bytes)
Feb 10 04:15:06 firewall kernel: Mount-cache hash table
Re: [leaf-user] problems with BEFW11S (wireless router) and LEAF (Bering)
On Monday 10 February 2003 03:43 pm, Camille King wrote:
> Right after my wireless machine starts up, the arp table contains two entries, 192.168.1.253 (which is the Linksys) and 192.168.1.254 (which is Bering). Pinging doesn't work and there is no difference in the arp table except that 192.168.1.253 gets dropped from the table.

Ok, what are the ip address(es) of your wireless machine(s) clients, not Linksys. Also, what do the wireless clients have for default gateway and dns servers?

--
~Lynn Avants
Linux Embedded Firewall Project developer
http://leaf.sourceforge.net
Re: [leaf-user] Hello and has anyone any experience with...
David

David Howe wrote the following at 19:15 10.02.2003:
> Ok, new to the list. I have been looking to set up a floppy based router for a vpn connection (bering looks ideal for this) so ditched the Intel 3240 in favour of a speedtouch - only to receive a 330 which appears only to be supported in the latest beta at speedtouch.sourceforge.net, and for which the .sys file is over 700k (oops, not that much space left on the floppy! even gzipped it is 358k).
>
> I assume the solution to the space problem is to place the file (and anything else that doesn't change) onto a cdr and mount that as part of the boot - but it seems like an uphill struggle.
>
> So on to the obvious question - has anyone already done all or part of this, and can give me some pointers and/or configured lrp files? I assume that the speedtch.lrp from http://leaf.sourceforge.net/devel/jnilo/bering/latest/drivers/speedtouch/ is for the original model I don't have.

For the space restriction a CD is almost unbeatable; building the CD is easy, just follow the instructions. If you have a CDRW on the LEAF box life is even easier as you don't have to ditch that many CD's.

HTH

Erich

THINK
Püntenstrasse 39
8143 Stallikon
mailto:[EMAIL PROTECTED]
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16
RE: [leaf-user] Dachstein Port Forwarding
> OK, there are several things that could be going wrong, besides mis-configuration (it looks like you've got everything set up properly, but I can't tell for sure without the full output of net ipfilter list).
>
> 1) Your ISP is blocking port 25. This is fairly common, and is typically encountered along with blocking of port 80. To test this, keep the EXTERN_TCP_PORTS setting above, but comment out the INTERN_SERVERS port-forwarding setting. This will let packets through your firewall, but they will have nowhere to go (no listening service or port-forward), so the firewall will send out a TCP reset packet. GRC should show this as a closed port, rather than open or stealth. You can also try a normal traceroute to your box, then a traceroute using TCP port 25 packets, to see if your ISP is filtering traffic (Note you have to do this from *OUTSIDE* your ISP's network).

Definitely not blocked by my ISP - we have a Proxy Server 2.0 router running on another machine at address 216.70.236.235 subnet mask 255.255.255.248 and it's receiving packets destined for the Exchange box. We've had this setup for at least 4 years now. So I'm ruling out SMTP blocking.

> 2) Your firewall is actually mis-configured, and your firewall rules or port-forwarding setup is preventing packets from getting to your mail server, even though your network.conf settings look OK. Send the output of net ipfilter list so we can verify your setup and/or trace packets as they make their way through your network (with ipchains packet counts/logging, tcpdump, or some other means).

Here's the net ipfilter list:

Chain input (policy DENY: 0 packets, 0 bytes):
 pkts bytes target prot opt tosa tosx ifname mark outsize source           destination     ports
    0     0 DENY   icmp l-  0xFF 0x00 *                   0.0.0.0/0        0.0.0.0/0       5 -> *
    0     0 DENY   icmp l-  0xFF 0x00 *                   0.0.0.0/0        0.0.0.0/0       13 -> *
    0     0 DENY   icmp l-  0xFF 0x00 *                   0.0.0.0/0        0.0.0.0/0       14 -> *
    0     0 DENY   all  l-  0xFF 0x00 eth0                0.0.0.0          0.0.0.0/0       n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0                255.255.255.255  0.0.0.0/0       n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0                127.0.0.0/8      0.0.0.0/0       n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0                224.0.0.0/4      0.0.0.0/0       n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0                10.0.0.0/8       0.0.0.0/0       n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0                172.16.0.0/12    0.0.0.0/0       n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0                192.168.0.0/16   0.0.0.0/0       n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0                0.0.0.0/8        0.0.0.0/0       n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0                128.0.0.0/16     0.0.0.0/0       n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0                191.255.0.0/16   0.0.0.0/0       n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0                192.0.0.0/24     0.0.0.0/0       n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0                223.255.255.0/24 0.0.0.0/0       n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0                240.0.0.0/4      0.0.0.0/0       n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0                192.168.1.0/24   0.0.0.0/0       n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0                216.70.236.236   0.0.0.0/0       n/a
    0     0 REJECT all  l-  0xFF 0x00 eth0                0.0.0.0/0        127.0.0.0/8     n/a
    0     0 REJECT all  l-  0xFF 0x00 eth0                0.0.0.0/0        192.168.1.0/24  n/a
    0     0 REJECT tcp  --  0xFF 0x00 eth0                0.0.0.0/0        0.0.0.0/0       * -> 137
   20   800 REJECT tcp  --  0xFF 0x00 eth0                0.0.0.0/0        0.0.0.0/0       * -> 135
   53  4134 REJECT udp  --  0xFF 0x00 eth0                0.0.0.0/0        0.0.0.0/0       * -> 137
    0     0 REJECT udp  --  0xFF 0x00 eth0                0.0.0.0/0        0.0.0.0/0       * -> 135
   20   800 REJECT tcp  --  0xFF 0x00 eth0                0.0.0.0/0        0.0.0.0/0       * -> 138:139
    0     0 REJECT udp  --  0xFF 0x00 eth0                0.0.0.0/0        0.0.0.0/0       * -> 138
    0     0 REJECT udp  --  0xFF 0x00 eth0                0.0.0.0/0        0.0.0.0/0       137:138 -> *
    0     0 REJECT udp  --  0xFF 0x00 eth0                0.0.0.0/0        0.0.0.0/0       135 -> *
    0     0 REJECT tcp  --  0xFF 0x00 eth0                0.0.0.0/0        0.0.0.0/0       137:139 -> *
    0     0 REJECT tcp  --  0xFF 0x00 eth0                0.0.0.0/0        0.0.0.0/0       135 -> *
    0     0 ACCEPT tcp  --  0xFF 0x00 eth0                xxx.xxx.0.0/16   0.0.0.0/0       * -> 22     --edited out
   40  1600 ACCEPT tcp  --  0xFF 0x00
RE: [leaf-user] problems with BEFW11S (wireless router) and LEAF (Bering)
Comments inline below.

At 04:43 PM 2/10/03 -0500, Camille King wrote:
> What you described is all correct including the fact that my wired machine can ping my wireless machine and vice versa (which I didn't state in the previous mail).
>
> > 1. What LAN IP address is assigned to the Linksys, and is it different from the LAN IP address of the Bering? If not, fix it; that conflict is causing your problem. If this is OK, then go on.
>
> How do you do this? I changed the IP address to 192.168.1.253 (the default is 192.168.1.1) just to see if it made any difference, which was none. I don't get what you mean? What do you mean by different from the LAN IP address of the Bering?

The Linksys router has an IP address on its internal (LAN) interface (I infer 192.168.1.1 from your comment above). The Bering router has an interface connected to the LAN, and that interface has an IP address too (apparently 192.168.1.254, from the diagnostics reported below). I was asking you to check these two addresses to verify that they were different. Apparently they are, so that is not the source of the problem. But I didn't know what default the Linksys used, and did not recall offhand what Bering's default was ... though I had recalled correctly that both use the 192.168.1.0/24 network.

> > 2. Before you ping from a wireless host, check its arp table to see if there is an entry for the Bering's IP address. (Probably there is not.) After you ping, check again. See if there is an entry present, and see if it has the right MAC address. Also check the Bering's arp table before and after.
>
> Right after my wireless machine starts up, the arp table contains two entries, 192.168.1.253 (which is the Linksys) and 192.168.1.254 (which is Bering). Pinging doesn't work and there is no difference in the arp table except that 192.168.1.253 gets dropped from the table.

The drop is just due to the entry expiring from inactivity. But this tells us that the link layer (Ethernet layer) is working.

Just a thought here ... does the wireless host run any sort of firewalling package? If so, what are its details? (And what OS does this client run, BTW?)

> > 3. Try to ping a wireless host from the Bering. Check the arp tables the same way you did in item 2.
>
> No luck here, can't ping to wireless machine (but can ping my wired one) and there are no entries in the arp table (arp -a prints out nothing).

OK. What message are you getting here (on the Bering) when the ping fails? Does it just fail silently (that is, do nothing until you enter CTRL-C, then report 100% failure)? Or is there a different result?

And just to be clear ... another wireline host CAN ping this same wireless host successfully, right? And that same wireline host CAN ping the Bering router?

Best indication at this point is that, for some reason, either your wireless client does not respond to arp queries properly, or the Bering router does not generate them properly, or the wireline/wireless bridge in the Linksys does not pass them properly. First verify that all the arp stuff works properly when the Bering is not involved, but the wireline/wireless bridge is.

> Any help would be greatly appreciated.

The diagnostics you sent do not include the firewall ruleset. Please include next time the output of iptables -nvL (the SR FAQ is a bit out of date here, referring only to the analogous ipchains command used with 2.2.x kernels).

(Note to other LEAF troubleshooters: Yes I know Tom advises people to use the specialized listing commands in Shorewall. But I prefer to read the raw listing myself. So don't correct my advice here unless *you* are prepared to help Camille interpret the output ... as Tom usually is when he offers this advice.)
> CK
>
> ip addr show
>
> 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
> 2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
>     link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
> 3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 00:04:5a:6c:d5:3d brd ff:ff:ff:ff:ff:ff
> 4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 00:08:c7:90:ba:c4 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.1.254/24 brd 192.168.1.255 scope global eth1
> 5: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 3
>     link/ppp
>     inet 64.231.42.125 peer 64.231.42.1/32 scope global ppp0
>
> ip route show
>
> 64.231.42.1 dev ppp0  proto kernel  scope link  src 64.231.42.125
> 192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.254
> default via 64.231.42.1 dev ppp0
>
> lsmod
>
> Module                  Pages  Used by
> ip_nat_irc               2400   0 (unused)
> ip_nat_ftp               3008   0 (unused)
> ip_conntrack_irc         3104   1
> ip_conntrack_ftp         3840   1
> pppoe                    6656   1
> pppox                     916   1 [pppoe]
> ppp_synctty              4408   0 (unused)
> ppp_generic             14932   3 [pppoe
Re: [leaf-user] Bizarre behaviour in wisp dist?
The wireless network is to use one particular system, made by another company! 99,5% of the traffic is for that intranet system, made in cobol, with servers running linux, through apache!

I spent all my afternoon on the roof of a building trying to set up this thing! I changed the SBC, the wireless cards, almost everything, and the problem persists! I will spend all my day tomorrow trying to get something else!

Thanks for the help!

Samuel Abreu

From: Vladimir I. [EMAIL PROTECTED]
> Strange. I also saw things going out of control under high load of small packets, when the CPU cannot keep up with them. Could it be the case?
RE: [leaf-user] Dachstein Port Forwarding
OK. Nothing like looking at a real ruleset to sort things out.

The input chain appears to be working properly to allow port-25 traffic in, since this rule shows matching packets:

   20   800 ACCEPT tcp  --  0xFF 0x00 eth0  0.0.0.0/0  0.0.0.0/0  * -> 25

Since you are port forwarding, the forward chain does not enter into it. Since fairq has no port-25 rules, the packets should drop back to output and be included in what its final rule ACCEPTs.

Assuming this is the right IP address for the Exchange server, the port-forwarding part looks OK:

TCP 216.70.236.236 192.168.1.4 25 25 8 10

So ... it's not a firewall problem in the narrow sense; that is, it is not the firewalling part of the Dachstein setup that's causing the problem, though there may still be a problem with the Dachstein router/firewall in a less specific sense. But since forwarding to the Web server works, we can assume no Dachstein problems at the link layer or with the routing table.

But with all of that, I cannot connect (using telnet) to your mail server from here (though I can ping you and connect to the Web server).

So ... how thoroughly have you checked the Exchange server for configuration problems? Is the Dachstein router its default gateway (and not the proxy server at 216.70.236.235)? Does Exchange do any authentication (such as auth) of a sort that might work with the proxy server but not an ordinary port-forwarding router? I hesitate to go down this road very far, since I suspect you know more about Windows sysadmin issues than I do, but I would encourage you to spend some time thinking about possible problems with Exchange or the server it runs on.

Is the Dachstein router replacing a prior router of some sort? Or is this a new connection (that is, did everything previously use the proxy server at 216.70.236.235)?

At 02:32 PM 2/10/03 -0800, Doug Sampson wrote:
> [detailed diagnostics and discussion deleted]
>
> For almost 2 years, we've used TelePacific, a telecommunications provider with full ISP functions. We currently use a fractional T-1 link. We've never had a problem with them when it comes to providing full ISP functionality. I'm thinking there *has* to be a misconfiguration of the firewall. The question is where do I go from here? All I have on the firewall is dnscache, tinydns, weblet, and sshd besides the usual Dachstein files.

--
---Never tell me the odds! -- Han Solo
Ray Olszewski
Palo Alto, California, USA
[EMAIL PROTECTED]
---
Re: [leaf-user] Dachstein Port Forwarding
On Monday 10 February 2003 04:32 pm, Doug Sampson wrote:
>    20   800 ACCEPT  tcp  --  0xFF 0x00  eth0  0.0.0.0/0    0.0.0.0/0  *   ->  25
>     0     0 MASQ    tcp  --  0xFF 0x00  *     192.168.1.4  0.0.0.0/0  25  ->  *
>
> :: Port FW ::
> prot localaddr       rediraddr     lport rport pcnt pref
> TCP  216.70.236.236  192.168.1.15  8080  80    10   10
> TCP  216.70.236.236  192.168.1.4   25    25    8    10

Everything looks fine here. I would highly suspect a configuration problem by changing the location (network). I'm assuming you've dropped the proxy configuration that you were using when attempting to use it behind the LEAF box. DNS can also cause problems. I'm assuming you have loaded the ip_masq_portfw module.

--
~Lynn Avants
Linux Embedded Firewall Project developer
http://leaf.sourceforge.net
Re: [leaf-user] Couple of General Questions
On Monday 10 February 2003 04:06 pm, Erich Titl wrote:
> Lynn
>
> snip
>
> Unless you are using pcmcia adapter cards only, or maybe USB devices (wireless??). I ran into a similar issue with dhclient and had to wait quite some time until all adapters were ready.

True, but that isn't an init problem, rather it simply takes some time for the hardware to come up. IIRC, a sleep command needed to be entered to allow time for the hardware to come up in these specific instances.

--
~Lynn Avants
Linux Embedded Firewall Project developer
http://leaf.sourceforge.net
Re: [leaf-user] More Bering IPSec questions ...
On Monday 10 February 2003 10:58 am, Charles Steinkuehler wrote:
> I am unaware of any issue that would prevent you from continuing to use PSKs after switching to the 509 version of FreeS/WAN. As far as I know, PSKs work identically between the plain and x.509 patched versions.

That might be; I thought the packages (after 1.91 anyway) would bomb out on initiation if the certs weren't loaded (or there) on the x509 package. In any case, it would be one less layer of possible problems until it tries to authenticate using PSK.

--
~Lynn Avants
Linux Embedded Firewall Project developer
http://leaf.sourceforge.net
FW: [leaf-user] problems with BEFW11S (wireless router) and LEAF (Bering)
-----Original Message-----
From: Camille King [mailto:[EMAIL PROTECTED]]
Sent: February 10, 2003 7:12 PM
To: 'Ray Olszewski'
Subject: RE: [leaf-user] problems with BEFW11S (wireless router) and LEAF (Bering)

> Just a thought here ... does the wireless host run any sort of firewalling package? If so, what are its details? (And what OS does this client run, BTW?)

No, the client machine is a WinXP machine that does not have the XP firewall turned on.

> OK. What message are you getting here (on the Bering) when the ping fails? Does it just fail silently (that is, do nothing until you enter CTRL-C, then report 100% failure)? Or is there a different result? And just to be clear ... another wireline host CAN ping this same wireless host successfully, right? And that same wireline host CAN ping the Bering router?

The ping is dead silent; the Bering router is just stuck and I have to Ctrl-C to quit the ping action. Yes, the wireline host can ping Bering successfully and vice versa. I tried arp on Bering and it displayed the working wireline host with the proper IP and its MAC address. The wireless host has its IP address but the HWaddress is incomplete. What arp displays on Bering is attached below.

Thanks a lot.
CK

arp -va (from Bering)

? (192.168.1.2) at 00:08:74:94:6E:55 [ether] on eth1
? (192.168.1.3) at <incomplete> on eth1
? (192.168.1.4) at 00:04:5A:7B:AC:A1 [ether] on eth1
Entries: 3  Skipped: 0  Found: 3

iptables -nvL

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target    prot opt in    out   source      destination
  167 15158 ACCEPT    all  --  lo    *     0.0.0.0/0   0.0.0.0/0
   78 23011 ppp0_in   all  --  ppp0  *     0.0.0.0/0   0.0.0.0/0
  239 32477 eth1_in   all  --  eth1  *     0.0.0.0/0   0.0.0.0/0
    0     0 common    all  --  *     *     0.0.0.0/0   0.0.0.0/0
    0     0 LOG       all  --  *     *     0.0.0.0/0   0.0.0.0/0   LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
    0     0 reject    all  --  *     *     0.0.0.0/0   0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target    prot opt in    out   source      destination
    4   184 TCPMSS    tcp  --  *     *     0.0.0.0/0   0.0.0.0/0   tcp flags:0x06/0x02 TCPMSS clamp to PMTU
   12  5344 ppp0_fwd  all  --  ppp0  *     0.0.0.0/0   0.0.0.0/0
   12  1659 eth1_fwd  all  --  eth1  *     0.0.0.0/0   0.0.0.0/0
    0     0 common    all  --  *     *     0.0.0.0/0   0.0.0.0/0
    0     0 LOG       all  --  *     *     0.0.0.0/0   0.0.0.0/0   LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
    0     0 reject    all  --  *     *     0.0.0.0/0   0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target    prot opt in    out   source      destination
    0     0 DROP      icmp --  *     *     0.0.0.0/0   0.0.0.0/0   state INVALID
  167 15158 ACCEPT    all  --  *     lo    0.0.0.0/0   0.0.0.0/0
  158 12938 ACCEPT    icmp --  *     *     0.0.0.0/0   0.0.0.0/0   state NEW,RELATED,ESTABLISHED
   68  4242 fw2net    all  --  *     ppp0  0.0.0.0/0   0.0.0.0/0
  196       all2all   all  --  *     eth1  0.0.0.0/0   0.0.0.0/0
    0     0 common    all  --  *     *     0.0.0.0/0   0.0.0.0/0
    0     0 LOG       all  --  *     *     0.0.0.0/0   0.0.0.0/0   LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:'
    0     0 reject    all  --  *     *     0.0.0.0/0   0.0.0.0/0

Chain all2all (3 references)
 pkts bytes target    prot opt in    out   source      destination
  196       ACCEPT    all  --  *     *     0.0.0.0/0   0.0.0.0/0   state RELATED,ESTABLISHED
    0     0 newnotsyn tcp  --  *     *     0.0.0.0/0   0.0.0.0/0   state NEW tcp flags:!0x16/0x02
  176 27442 common    all  --  *     *     0.0.0.0/0   0.0.0.0/0
    0     0 LOG       all  --  *     *     0.0.0.0/0   0.0.0.0/0   LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:'
    0     0 reject    all  --  *     *     0.0.0.0/0   0.0.0.0/0

Chain common (5 references)
 pkts bytes target    prot opt in    out   source      destination
    0     0 icmpdef   icmp --  *     *     0.0.0.0/0   0.0.0.0/0
    0     0 DROP      tcp  --  *     *     0.0.0.0/0   0.0.0.0/0   state INVALID
  113 13094 REJECT    udp  --  *     *     0.0.0.0/0   0.0.0.0/0   udp dpts:137:139 reject-with icmp-port-unreachable
    0     0 REJECT    udp  --  *     *     0.0.0.0/0   0.0.0.0/0   udp dpt:445 reject-with icmp-port-unreachable
    0     0 reject    tcp  --  *     *     0.0.0.0/0   0.0.0.0/0   tcp dpt:135
   39  6260 DROP      udp  --  *     *     0.0.0.0/0   0.0.0.0/0   udp
RE: [leaf-user] Bering1.0-stable Problem with 2.4.20 onnet4501
Thanks Michael. However it seems he's got the IDE support as modules and it fails to boot. I was hoping for one compiled with IDE :)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Michael Bonner
Sent: Monday, February 10, 2003 12:02 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [leaf-user] Bering1.0-stable Problem with 2.4.20 onnet4501

Steve,

You might want to try the kernel and drivers Jacques compiled for the Elan hardware target. They're at:

http://leaf.sourceforge.net/devel/jnilo/testing/

Ignore the busybox stuff that's in there. I had asked Jacques to recompile the 2.4.20 kernel for the Elan target specifically for use on the net4501. I haven't had a chance to try testing them yet as I got sidetracked on another project over the weekend. The Elan target addresses some kernel incompatibility issues that have sprung up recently, so you should have better luck with that kernel version on the net4501.

Michael

Steve Bihari [EMAIL PROTECTED] 02/09/03 15:11 PM
> Hi all,
>
> I'm getting the following kernel panic on my bering1.0_stable box with kernel 2.4.20. This is running on a Soekris net4501. Anyone else see this?
>
> Unable to handle kernel NULL pointer dereference at virtual address
> printing eip:
> *pde =
> Oops:
> CPU:    0
> EIP:    0010:[]    Not tainted
> EFLAGS: 00010286
> eax: c10d3da0   ebx: c3c1f2b0   ecx: c4815860   edx: 0025
> esi: c0241f08   edi: 0002   ebp: c3dde81e   esp: c0241e70
> ds: 0018   es: 0018   ss: 0018
> Process swapper (pid: 0, stackpage=c0241000)
> Stack: c01e8caf c3dde81e 0025 c3c1f2b0 0002 0002 c0241ee8 c01bcf70
>        c0279d80 c01afef6 c0241f08 c10db800 c01bcf70 c01bcf70 c01b01a3 c0279d80
>        c0241f08
> Call Trace: [c01e8caf] [c01bcf70] [c01afef6] [c01bcf70] [c01bcf70] [c01b01a3] [c01bcf70] [c01bcd74] [c01bcf70] [c01aa15e] [c01aa269] [c01aa37f] [c011a323] [c010a2b0] [c0107040] [c010c858] [c0107040] [c0107063] [c0107102] [c0105000]
> Code: Bad EIP value.
> <0>Kernel panic: Aiee, killing interrupt handler!
> In interrupt handler - not syncing
Re: [leaf-user] Bizarre behaviour in wisp dist?
Try to find out if there is something that triggers this behavior. Do you have the same problem when you connect to CPE through normal Ethernet?

Samuel Abreu wrote about Re: [leaf-user] Bizarre behaviour in wisp dist?:
> The wireless network is to use one particular system, made by another company! 99.5% of the traffic is for that intranet system, made in COBOL, with servers running Linux, through Apache! I spent all my afternoon on the roof of a building trying to set up this thing! I changed the SBC, the wireless cards, almost everything, and the problem persists! I will spend all my day tomorrow trying to get something else!
>
> Thanks for the help!
>
> Samuel Abreu
>
> From: Vladimir I. [EMAIL PROTECTED]
>> Strange. I also saw things going out of control under high load of small packets, when the CPU cannot keep up with them. Could it be the case?

--
Best Regards,
Vladimir
Systems Engineer (RHCE)
Re: [leaf-user] Bering/Shorewall vs. Dachstein
On Sunday 09 February 2003 08:58 pm, Sean wrote:
> I have been using Dachstein for a few years. I recently decided to give Bering a try. I use an app, EyeBall chat, to video chat to relatives. It worked just fine under Dachstein. It is NOT working under Bering. It appears the app uses a number of dynamic UDP and TCP connections for the audio/video portions of the chat. I didn't see anything in the shorewall logs that was helpful. Anyone got any thoughts?

If there isn't anything in your logs, then likely the application has problems working with NAT. Personally, I would ask the company that writes the program what needs to be done to work with a stateful firewall (iptables). I would imagine that since it worked with Dachstein, there was probably some high port UDP traffic that iptables stops with conntrack (stateful connection tracking).

--
~Lynn Avants
Linux Embedded Firewall Project developer
http://leaf.sourceforge.net
RE: [leaf-user] Dachstein Port Forwarding
Ray,

> But with all of that, I cannot connect (using telnet) to your mail server from here (though I can ping you and connect to the Web server).

You couldn't; all attempts to port 23 are blocked.

> So ... how thoroughly have you checked the Exchange server for configuration problems? Is the Dachstein router its default gateway (and not the proxy server at 216.70.236.235)? Does Exchange do any authentication (such as auth) of a sort that might work with the proxy server but not an ordinary port-forwarding router? I hesitate to go down this road very far, since I suspect you know more about Windows sysadmin issues than I do, but I would encourage you to spend some time thinking about possible problems with Exchange or the server it runs on.

No, I haven't configured the Exchange server for use with the Dachstein router. I assumed that since the firewall had an internal address, the Exchange server would accept connections from it. Currently Exchange is configured to accept unauthenticated connections.

> Is the Dachstein router replacing a prior router of some sort? Or is this a new connection (that is, did everything previously use the proxy server at 216.70.236.235)?

No, Dachstein isn't replacing anything that used to exist at that address. I am still running a Proxy Server 2.0 at that address and it shows port 25 and 80 being open. Running a port scanner from outside the network against the Dachstein router shows only port 80 (and 22) as being open. You can try scanning against 216.70.236.236 (Dachstein) and see for yourself. Try the same scan against 216.70.236.235 (the Proxy Server) and you will notice that ports 25 and 80 are open. All evidence points to the Dachstein router.

Ray, I understand what you're saying about the firewall being correctly configured; it does seem like it is. But the port scanner isn't reporting port 25 as being open.

~Doug
Re: [leaf-user] More Bering IPSec questions ...
Lynn Avants ([EMAIL PROTECTED]) had this to say on 02/10/03 at 19:17:
> On Monday 10 February 2003 10:58 am, Charles Steinkuehler wrote:
>> I am unaware of any issue that would prevent you from continuing to use PSKs after switching to the 509 version of FreeS/WAN. As far as I know, PSKs work identically between the plain and x.509 patched versions.
>
> That might be, I thought the packages (after 1.91 anyway) would bomb out on initiation if the certs weren't loaded (or there) on the x509 package. In

Actually, I have the certs already, and they seem to be loading (which doesn't mean that they *work*, of course :-) And if not, almost certainly my error creating/configuring the certs). I think that if they load without error, I can then use PSKs instead of the certs, if I choose. Or use both, perhaps, depending on the tunnel config.

> any case, it would be one less layer of possible problems until it tries to authenticate using PSK.

Hopefully, we'll find out soon. I followed the Shorewall VPN document to the letter, and now will be trying to verify my ipsecrets.conf entries. (left is me, right is them - do I have that right? If so, I have all the entries, except for that rightnexthop .. is that the gateway entry for the other subnet?)
RE: [leaf-user] Bering1.0-stable Problem with 2.4.20 onnet4501
All,

Some more info on this... I recompiled the kernel for natsemi module support instead of native kernel support for the dp83815. The module loads fine on bootup and detects all three integrated interfaces. But as soon as the load progresses to "Configuring Network Interface..", sure enough, same thing. Crash!!!

...Steve

Steve Bihari [EMAIL PROTECTED] 02/09/03 15:11 PM
> Hi all,
>
> I'm getting the following kernel panic on my bering1.0_stable box with kernel 2.4.20. This is running on a Soekris net4501. Anyone else see this?
[leaf-user] Non-FPU Kernels
I've been inspecting the various versions of LEAF, and can't readily identify which of them might work in my 486SX, i.e. Non-FPU. I'm quite interested in the Bering, Dachstein, and Oxygen distributions. Could someone let me know which of these would work in my ancient machine?

Many thanks

Nick
RE: [leaf-user] problems with BEFW11S (wireless router) and LEAF (Bering)
I'm responding via leaf-user rather than privately mainly because I'm running out of ideas, so I'm hoping the additional information you provided here will give someone else an idea.

Based on this new information, it looks like whatever the problem is, it is NOT a problem at the network layer (so the firewall rulesets are not involved). In any case, the OUTPUT table is ACCEPT'ing ping output. The failure is at the link layer, where the Bering router is unable to arp the wireless host (but the wireless host apparently can arp the Bering router, based on what you reported before). This leads me to think the problem either is in the Linksys or is something peculiar to the way the Linux kernel forms arp packets.

One wild thought ... have you tried connecting the Bering router to a different port on the Linksys? I don't really see how changing ports can affect things, since the wireless host, from your report, does get a DHCP lease from the Bering router (and arps it successfully) ... but I'm getting down to long shots here.

Another long shot ... is the routing table on the XP host correctly configured after it gets its DHCP lease?

More interspersed below. Sorry I cannot offer more or better help; I'm really out of ideas.

At 07:11 PM 2/10/03 -0500, Camille King wrote:
[...]
>> Just a thought here ... does the wireless host run any sort of firewalling package? If so, what are its details? (And what OS does this client run, BTW?)
>
> No, the client machine is a WinXP machine that does not have the XP firewall turned on.
>
>> OK. What message are you getting here (on the Bering) when the ping fails? Does it just fail silently (that is, do nothing until you enter CTRL-C, then report 100% failure)? Or is there a different result? And just to be clear ... another wireline host CAN ping this same wireless host successfully, right? And that same wireline host CAN ping the Bering router?
>
> The ping is dead silent; the Bering router is just stuck and I have to Ctrl-C to quit the ping action. Yes, the wireline host can ping Bering successfully and vice versa.

And this SAME wireline host can also ping the same wireless host that the Bering router cannot find? (A prior message said a wireline host can ping a wireless host and vice versa; I'm only double checking that those hosts are the same ones you are talking about here.)

> I tried arp on Bering and it displayed the working wireline host with the proper IP and its MAC address. The wireless host has its IP address but the HWaddress is incomplete. What arp displays on Bering is attached below.
>
> Thanks a lot.
> CK
>
> arp -va (from Bering)
>
> ? (192.168.1.2) at 00:08:74:94:6E:55 [ether] on eth1
> ? (192.168.1.3) at <incomplete> on eth1
> ? (192.168.1.4) at 00:04:5A:7B:AC:A1 [ether] on eth1
> Entries: 3  Skipped: 0  Found: 3

I assume .2 and .4 are two different wireline hosts and .3 is the wireless host.

> iptables -nvL
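The two checks Ray's diagnosis rests on, as an added shell example that is not part of the thread: an `<incomplete>` ARP entry means the link layer is failing (netfilter never sees ARP), and a non-zero counter on the OUTPUT chain's ACCEPT rule for icmp means the firewall is passing the pings. The arp and iptables listings inside it are constructed samples modelled on Camille's, with the column spacing and the `<incomplete>` marker restored; awk and printf are all it needs, so it runs on a Busybox-only LEAF box.

```shell
#!/bin/sh
# Added example, not from the thread: the two checks behind Ray's
# link-layer-vs-firewall diagnosis, run over constructed sample listings.

# Constructed sample of `arp -va` on the Bering box. Real arp prints
# "<incomplete>" for a neighbour whose ARP request was never answered;
# the list archive stripped the angle brackets.
ARP_SAMPLE='? (192.168.1.2) at 00:08:74:94:6E:55 [ether] on eth1
? (192.168.1.3) at <incomplete> on eth1
? (192.168.1.4) at 00:04:5A:7B:AC:A1 [ether] on eth1
Entries: 3  Skipped: 0  Found: 3'

# Constructed excerpt of `iptables -nvL`: the OUTPUT chain plus one
# Shorewall user chain, with counters modelled on the thread.
IPT_SAMPLE='Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
  167 15158 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
  158 12938 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED
   68  4242 fw2net     all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0

Chain all2all (3 references)
 pkts bytes target     prot opt in     out     source               destination
  196 27442 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp flags:!0x16/0x02'

# arp_incomplete: read `arp -va` output on stdin and print the IP of
# every neighbour that never resolved. Netfilter never sees ARP, so an
# incomplete entry is a layer-2 problem (switch/AP, driver, cabling),
# not something a firewall rule can explain.
arp_incomplete() {
    awk '/<incomplete>/ { ip = $2; gsub(/[()]/, "", ip); print ip }'
}

# chain_accepts CHAIN PROTO: read `iptables -nvL` on stdin and succeed
# only if CHAIN has an ACCEPT rule for PROTO whose packet counter is
# already non-zero, i.e. that chain has actually passed such traffic.
# A zero counter on the only ACCEPT rule would mean the packets are
# being eaten somewhere else.
chain_accepts() {
    awk -v chain="$1" -v proto="$2" '
        /^Chain / { cur = $2; next }                  # entering a new chain
        cur == chain && $3 == "ACCEPT" && $4 == proto && $1 + 0 > 0 { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Walk the diagnosis the way Ray did: first look for unresolved
# neighbours, then confirm the OUTPUT chain is passing icmp.
diagnose() {
    unresolved=$(printf '%s\n' "$ARP_SAMPLE" | arp_incomplete)
    if [ -n "$unresolved" ]; then
        echo "unresolved ARP neighbours (link-layer failure): $unresolved"
    fi
    if printf '%s\n' "$IPT_SAMPLE" | chain_accepts OUTPUT icmp; then
        echo "OUTPUT chain ACCEPTs icmp with non-zero counters: the firewall is not blocking the pings"
    else
        echo "OUTPUT chain has passed no icmp: look at the firewall first"
    fi
}

diagnose
```

On a live box replace the two samples with `arp -va` and `iptables -nvL` piped straight into the functions.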
Re: [leaf-user] More Bering IPSec questions ...
On Monday 10 February 2003 06:31 pm, Mike Leone wrote:
> Hopefully, we'll find out soon. I followed the Shorewall VPN document to the letter, and now will be trying to verify my ipsecrets.conf entries. (left is me, right is them - do I have that right? If so, I have all the entries, except for that rightnexthop .. is that the gateway entry for the other subnet?)

rightnexthop would be the ISP's router (gateway) for the 'other' network. The external interfaces on the routers themselves are 'right'/'left'.

--
~Lynn Avants
Linux Embedded Firewall Project developer
http://leaf.sourceforge.net
RE: [leaf-user] Bering/Shorewall vs. Dachstein
The solution was posted on their website. Apparently by default it uses dynamic UDP and TCP but there is a static port patch for v2.2 located here:

http://www.eyeballchat.com/download/patches/fixed_ports_patch22.reg

Then you need to open up these ports:

Open the following ports in your firewall (may require assistance from your system administrator):
- UDP ports 5700, 5701 and 5702 and
- TCP ports 5500 and 5501.
Eyeball Chat should then work correctly.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Lynn Avants
Sent: Monday, February 10, 2003 4:20 PM
To: [EMAIL PROTECTED]
Subject: Re: [leaf-user] Bering/Shorewall vs. Dachstein

On Sunday 09 February 2003 08:58 pm, Sean wrote:
> I have been using Dachstein for a few years. I recently decided to give Bering a try. I use an app, EyeBall chat, to video chat to relatives. It worked just fine under Dachstein. It is NOT working under Bering. It appears the app uses a number of dynamic UDP and TCP connections for the audio/video portions of the chat. I didn't see anything in the shorewall logs that was helpful. Anyone got any thoughts?

If there isn't anything in your logs, then likely the application has problems working with NAT. Personally, I would ask the company that writes the program what needs to be done to work with a stateful firewall (iptables). I would imagine that since it worked with Dachstein, there was probably some high port UDP traffic that iptables stops with conntrack (stateful connection tracking).

--
~Lynn Avants
Linux Embedded Firewall Project developer
http://leaf.sourceforge.net
[leaf-user] Remount issue
Sorry if this sounds stupid, but using LRP version 3.1.0 (2.2 kernel) I can't use the remount option with the mount command. Using for example either

mount -n -o remount,ro /somedir

or

mount /somedir -o -n remount ,ro

doesn't work. Options like these are used in a checkroot script I'm using for running with root on a hard drive. Am I using the wrong syntax, or is there another, newer, version of mount I can find somewhere?

Thanks.

--
Re: [leaf-user] More Bering IPSec questions ...
Lynn Avants ([EMAIL PROTECTED]) had this to say on 02/10/03 at 22:05:
> On Monday 10 February 2003 06:31 pm, Mike Leone wrote:
>> Hopefully, we'll find out soon. I followed the Shorewall VPN document to the letter, and now will be trying to verify my ipsecrets.conf entries. (left is me, right is them - do I have that right? If so, I have all the entries, except for that rightnexthop .. is that the gateway entry for the other subnet?)
>
> rightnexthop would be the ISP's router (gateway) for the 'other' network. The external interfaces on the routers themselves are 'right'/'left'.

That's about what I thought ... I'll have to check what the office Pix uses as a gateway. I do have the external IPs of both subnets.

Thanks; I'll post back the results, perhaps tomorrow.
RE: [leaf-user] Using a wireless router with LEAF (Dachstein, Bering)
pn] Thanks Ray, Lynn and Todd for your replies!

pn] Yes, what I want is simply an access point for my notebook PC. Not just to be more mobile in the house, but one of the few irritants with my notebook is that the NIC connector is on the left side near the front. What a PITA.

pn] Todd, you mentioned you did this with a D-Link model. The Linksys has a WAN port, 4 LAN ports and an uplink port (shares port 4). Is this similar to yours? Are you saying that I can just connect my current laptop connector into one of the LAN ports and it will act as a hub with wireless access? I didn't see any notes about this in the users guide.

pn] One last concern (paranoia) of mine is (of course) security. I want to be reasonably certain no one else can connect (I'm in an apartment-style condo) to this access point or monitor the wireless traffic. A separate subnet that can't get to my internal network would make the connection effectively useless for me too.

pn] I'm not as concerned about a slight price difference. Is anyone here using the D-Link DLINK XTREME G WIRELESS ACCESS POINT 11G DWL2000AP with the DLINK XTREME G WIRELESS ACCESS POINT 11G DWL2000AP? Do you trust the security provided by it?

pn] TIA for feedback.

---
Peter Nosko
Re: [leaf-user] Remount issue
On Monday 10 February 2003 10:03 pm, Spiro Philopoulos wrote:
> Sorry if this sounds stupid, but using LRP version 3.1.0 (2.2 kernel) I can't use the remount option with the mount command. Using for example either mount -n -o remount,ro /somedir or mount /somedir -o -n remount ,ro doesn't work. Options like these are used in a checkroot script I'm using for running with root on a hard drive. Am I using the wrong syntax, or is there another, newer, version of mount I can find somewhere?
>
> Thanks.

The 'mount' command used with LEAF is (generally) the one included in Busybox that is scaled down. You can compile one (or possibly find one) that is the full command, but it will have to be compiled with the correct libc.

--
~Lynn Avants
Linux Embedded Firewall Project developer
http://leaf.sourceforge.net
Re: [leaf-user] Bizarre behaviour in wisp dist?
Ok, detailing more!

That particular station has 3 interfaces, netcs0, netcs1 and eth0, all with the same IP! And with parprouted on! netcs0 is connected to one Orinoco AP1000, both with Orinoco Gold cards; netcs1 is an Orinoco Gold card, and is connected to another wisp station, with one Orinoco Gold! eth0 is connected to a Red Hat!

Ok, no packet loss, signal is excellent, on both connections!

The bizarre part: when I try to log in via telnet from the side of my LAN that uses the AP-1000 to reach that station, I just can't get the menu; it stops and I don't get any more response in the telnet! Sometimes, when I put in the password and hit Ctrl+C, I fall directly into the console... it doesn't always work, but with some persistence! Now, going via eth0 I don't know, I didn't have the opportunity to test! But on the station that is connected on netcs1, and all the computers that stay on that wisp station (the one connected on netcs1), I can get the menu! On the station with 3 interfaces and on the stations that are connected to that machine via netcs1, but out of it, via the internet or via the next hop after the AP-1000 in my LAN, I can't log in! =((

I changed the SBC, changed the wisp version and the problem persists! But I did not change the pcmcia slot, so that is my next try; I don't see it solving my problem, but I have to try something!

Samuel Abreu

From: Vladimir I. [EMAIL PROTECTED]
> Try to find out if there is something that triggers this behavior. Do you have the same problem when you connect to CPE through normal Ethernet?
Re: [leaf-user] Remount issue
On Mon, 2003-02-10 at 20:03, Spiro Philopoulos wrote:

> Sorry if this sounds stupid, but using LRP version 3.1.0 (2.2 kernel)

Spiro,
It looks like you're using one of Matthew Grant's Mountain releases. Specifically Eiger. The only way we'll know for sure is if you paste the output from 'uname -a' in a message.

> I can't use the remount option with the mount command. Using, for example, either
>
>     mount -n -o remount,ro /somedir
>
> or
>
>     mount /somedir -o -n remount ,ro
>
> doesn't work. Options like these are used in a checkroot script I'm using for running with root on a hard drive. Am I using the wrong syntax, or is there another, newer version of mount I can find somewhere?

I believe this problem may have been addressed in later BusyBox releases. You may want to try one of our newer LEAF releases/branches. Take a look at:
http://leaf-project.org/mod.php?mod=userpage&menu=9&page_id=2

--
Mike Noyes
mhnoyes @ users.sourceforge.net
http://sourceforge.net/users/mhnoyes/
http://leaf-project.org/
http://sitedocs.sf.net/
http://ffl.sf.net/
Re: [leaf-user] Remount issue
On Mon, 2003-02-10 at 23:41, Mike Noyes wrote:

> On Mon, 2003-02-10 at 20:03, Spiro Philopoulos wrote:
>
> > Sorry if this sounds stupid, but using LRP version 3.1.0 (2.2 kernel)
>
> It looks like you're using one of Matthew Grant's Mountain releases. Specifically Eiger. The only way we'll know for sure is if you paste the output from 'uname -a' in a message.
>
> > I can't use the remount option with the mount command. Using, for example, either
> >
> >     mount -n -o remount,ro /somedir
> >
> > or
> >
> >     mount /somedir -o -n remount ,ro
> >
> > doesn't work. Options like these are used in a checkroot script I'm using for running with root on a hard drive. Am I using the wrong syntax, or is there another, newer version of mount I can find somewhere?
>
> I believe this problem may have been addressed in later BusyBox releases. You may want to try one of our newer LEAF releases/branches. Take a look at:
> http://leaf-project.org/mod.php?mod=userpage&menu=9&page_id=2

Spiro,
I just checked the BusyBox documentation, and remount is supported.
http://www.busybox.net/downloads/BusyBox.html

--
Mike Noyes
mhnoyes @ users.sourceforge.net
http://sourceforge.net/users/mhnoyes/
http://leaf-project.org/
http://sitedocs.sf.net/
http://ffl.sf.net/
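Both remount messages above (Lynn Avants' reply and Mike Noyes' follow-up) leave open whether the scaled-down BusyBox mount actually applied the `remount,ro`. The script below is an added example, not code from the LEAF posts or from BusyBox: it checks the kernel's own view in /proc/mounts instead of trusting mount's exit status. This matters for a checkroot script because `mount -n` deliberately does not write /etc/mtab, so /proc/mounts is the only reliable record of what is mounted read-only. The sample /proc/mounts text is constructed, and the standard "device mountpoint fstype options" column layout is assumed.

```shell
#!/bin/sh
# Added example for the remount thread; not code from the LEAF list posts.
# Confirms a filesystem's ro/rw state from the kernel's own view in
# /proc/mounts rather than trusting mount's exit status. With "mount -n"
# nothing is written to /etc/mtab, so /proc/mounts is the only reliable record.

# Constructed sample of /proc/mounts, used instead of the live file so the
# check can run offline (assumption: the standard "dev mountpoint type opts"
# column layout).
SAMPLE_MOUNTS='/dev/hda1 / ext2 ro 0 0
proc /proc proc rw 0 0
/dev/hda2 /var ext2 rw,noatime 0 0'

# mount_state MOUNTPOINT [MOUNTS_TEXT]
# Prints "ro", "rw", or "absent" for MOUNTPOINT. MOUNTS_TEXT defaults to
# the live /proc/mounts; the last matching entry wins, as with overmounts.
mount_state() {
    mp=$1
    if [ $# -ge 2 ]; then text=$2; else text=$(cat /proc/mounts); fi
    printf '%s\n' "$text" | awk -v mp="$mp" '
        $2 == mp { state = ($4 ~ /(^|,)ro(,|$)/) ? "ro" : "rw" }
        END { if (state == "") state = "absent"; print state }'
}

# remount_ro MOUNTPOINT
# Issues the remount, then verifies it took effect; returns non-zero if the
# filesystem is still writable (or not mounted at all). Hypothetical helper
# for a checkroot-style script; needs root and a real mount point to be useful.
remount_ro() {
    mount -n -o remount,ro "$1" 2>/dev/null
    [ "$(mount_state "$1")" = ro ]
}

# Stand-alone demo against the constructed sample.
for mp in / /proc /var /tmp; do
    echo "$mp: $(mount_state "$mp" "$SAMPLE_MOUNTS")"
done
```

In a checkroot script, calling `remount_ro /` and acting on its return code (for instance refusing to continue the boot, or logging loudly) catches the case the thread describes, where the command is accepted but the filesystem stays writable.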
