Re: [leaf-user] UDP Port 1191

2003-06-29 Thread Jeff Newmiller
On Sat, 28 Jun 2003, Jim Hubbard wrote:

 Is this the script kiddie port du jour just for me or has anyone
 else been getting a whole buttload of hits on udp1191?  Starting
 to look like a virus there's so much traffic from so many hosts.

I haven't seen it.

Might be edificational to run ethereal for a while and see if your outbound
traffic is prompting the return traffic.  Look at the source IP, or, if you
already have protocols heading at those inbound sources, then the outbound
payload may imply that that port is active.

---
Jeff Newmiller
DCN: [EMAIL PROTECTED]
Research Engineer (Solar/Batteries/Software/Embedded Controllers)
---
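The check Jeff describes (does our own outbound UDP explain the inbound hits?) can be done over a capture summary instead of by eye. The script below is an added example, not from the post: it reads constructed flow records (time, proto, src:port > dst:port), remembers what the local net sent, and marks an inbound UDP packet on the port of interest as solicited only when a matching outbound 4-tuple was seen within a short window. The local prefix, the record format and the sample addresses are assumptions made up for the demo.

```python
# Added example (not from the list post): separate inbound UDP hits that are
# plausibly replies to our own traffic from unsolicited ones.
from datetime import datetime, timedelta

# Constructed sample flow summary, not real capture output.
# Format: <iso time> <proto> <src ip:port> > <dst ip:port>
SAMPLE_FLOWS = """\
2003-06-28T10:00:01 udp 192.168.1.5:3456 > 203.0.113.7:1191
2003-06-28T10:00:02 udp 203.0.113.7:1191 > 192.168.1.5:3456
2003-06-28T10:00:05 udp 198.51.100.9:1191 > 192.168.1.5:1191
2003-06-28T10:00:09 udp 198.51.100.23:4040 > 192.168.1.5:1191
2003-06-28T10:02:30 udp 203.0.113.7:1191 > 192.168.1.5:3456
"""

OUR_NET = "192.168.1."  # hypothetical local prefix (assumption)


def parse_flow(line):
    """Split one summary line into (time, proto, sip, sport, dip, dport)."""
    ts, proto, src, _arrow, dst = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), proto, sip, int(sport), dip, int(dport)


def classify_inbound(text, port=1191, window=timedelta(seconds=60)):
    """Return (solicited, unsolicited) lists of inbound UDP flows involving
    `port`. A flow is solicited when we sent UDP to that remote ip:port from
    the same local ip:port at most `window` earlier, i.e. it looks like a
    reply; anything else (no prior outbound, or a stale one) is unsolicited."""
    outbound = {}  # (local ip, local port, remote ip, remote port) -> last sent time
    solicited, unsolicited = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proto, sip, sport, dip, dport = parse_flow(line)
        if proto != "udp":
            continue
        if sip.startswith(OUR_NET):
            outbound[(sip, sport, dip, dport)] = ts   # we sent this one
            continue
        if port not in (sport, dport):
            continue
        sent = outbound.get((dip, dport, sip, sport))
        if sent is not None and timedelta(0) <= ts - sent <= window:
            solicited.append((ts, sip, sport, dport))
        else:
            unsolicited.append((ts, sip, sport, dport))
    return solicited, unsolicited


def unsolicited_sources(text, port=1191):
    """Count unsolicited hits per source IP: many distinct sources with one
    hit each is the 'worm-like' pattern; one source repeating is not."""
    counts = {}
    for _ts, sip, _sport, _dport in classify_inbound(text, port)[1]:
        counts[sip] = counts.get(sip, 0) + 1
    return counts


if __name__ == "__main__":
    sol, unsol = classify_inbound(SAMPLE_FLOWS)
    print("solicited:", len(sol), "unsolicited:", len(unsol))
    print("unsolicited by source:", unsolicited_sources(SAMPLE_FLOWS))
```

On the constructed sample one hit is a reply to our own query, one is a stale reply outside the window, and two come from hosts we never talked to; only the latter kind is worth reporting to Dshield.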



---
This SF.Net email sponsored by: Free pre-built ASP.NET sites including
Data Reports, E-commerce, Portals, and Forums are available now.
Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa0016ave/direct;at.asp_061203_01/01

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html


[leaf-user] DNS lookups in shorewall rules fail at boot.

2003-06-29 Thread James Neave
Hi,

I open holes in the firewall from specific IP addresses to allow access
to my pptp server.

ACCEPT   net:X.X.X.X   fw   tcp   1723
ACCEPT   net:X.X.X.X   fw   47

and for my friends with dynamic IPs, they have dynamic DNS entries.

ACCEPT   net:MyIP.No-IP.Org  fw  tcp  1723
ACCEPT   net:MyIP.No-IP.Org  fw  47

But the DNS lookups fail at boot. I have to log in and start up
shorewall manually.

The shorewall guides don't say anything about putting DNS entries in the
rules file, apart from that you can.

Can anybody help?

Thanks.

James




Re: [leaf-user] UDP Port 1191

2003-06-29 Thread Patrick Benson
Jim Hubbard wrote:
 
 Is this the script kiddie port du jour just for me or has anyone
 else been getting a whole buttload of hits on udp1191?  Starting
 to look like a virus there's so much traffic from so many hosts.
 
 Sincerely,
 Jim Hubbard

You might want to consider visiting Dshield http://www.dshield.org/
and try popping in various ports you may find irritating in their
database http://www.dshield.org/port_report.php

and there's The Internet Storm Center  http://isc.incidents.org/

Like Jeff pointed out, why not run ethereal; you may even be able to
start submitting your own findings...


-- 
Patrick Benson
Stockholm, Sweden




Re: [leaf-user] Re: Some questions about leaf PPPoE

2003-06-29 Thread eric wolzak
Hello Raymond, Lynn, list
Hello Lynn, Raymond, I don't think the modem is a router; the internal
modem address is probably only for maintenance.
btw, be careful, this is a private IP and might be blocked by
shorewall if you try to do maintenance.

So if it is  internal network -- LEAF --- normal ethernet Router ---
pppoe --- Provider
you have a normal network firewall setup and don't need ppp/pppoe but
probably pump as Lynn stated
your external interface is eth0

if it is  internal -- LEAF --- PPPoE Modem PPPoE (
modulated ) -- Provider
you need pppd and pppoe.  And in that case there is something wrong with
your settings to identify yourself:
user name not corresponding to entry in pap.secrets or chap.secrets
your external interface is ppp0

Part of your log file  (time, date and firewall name removed for line length)
# my comments #

before this there should have been a communication to establish an Access
Concentrator and the offer to use channel 1
: using channel 1    # ok we use channel 1 #
pppd[557]: sent [LCP ConfReq id=0x1 magic 0x52cf66a9]
pppd[557]: rcvd [LCP ConfReq id=0xc3 mru 1492 auth chap MD5 magic 0x3d5cac04] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    # AC request to identify with chap #
pppd[557]: sent [LCP ConfRej id=0xc3 auth chap MD5]    # identification by chap from you rejected #
pppd[557]: rcvd [LCP ConfAck id=0x1 magic 0x52cf66a9] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
pppd[557]: rcvd [LCP ConfReq id=0xc4 mru 1492 auth pap magic 0x3d5cac04] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    # received request to identify yourself with pap #
pppd[557]: sent [LCP ConfRej id=0xc4 auth pap]    # I don't identify with pap #
pppd[557]: rcvd [LCP ConfReq id=0xc5 mru 1492 magic 0x3d5cac04] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
pppd[557]: sent [LCP ConfAck id=0xc5 mru 1492 magic 0x3d5cac04]
pppd[557]: sent [LCP EchoReq id=0x0 magic=0x52cf66a9]    # pinging the line #
Jan  5 23:40:50 firewall pppd[557]: sent [IPCP ConfReq id=0x1 addr 0.0.0.0]    # please give me an IP #
Jan  5 23:40:50 firewall pppd[557]: rcvd [LCP TermReq id=0xc6] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...    # your provider shuts the connection down, as you didn't identify yourself #
Jan  5 23:40:50 firewall pppd[557]: sent [LCP TermAck id=0xc6]    # ok I understand #
Jan  5 23:41:23 firewall pppd[557]: using channel 2    # in between there was another try to start up the basic connection and the game starts anew #


On Saturday 28 June 2003 09:02 pm, PAGE,RAYMOND wrote:
[...]
 eth0 is definitely connected to the modem, and ?trying? to talk to
 the modem.  The modem has an IP of 192.168.7.1.  The internal NIC,
 eth1, is able to connect to internal boxes.  Its IP is
 192.168.0.1.  I know it works because I can ssh to that IP from an
 internal machine.  I don't believe that udhcpd (as opposed to the
 standard daemon because it's so much larger in size) is working
 properly for me; however I've statically assigned other boxes
 temporarily so it doesn't have to work right now and that
 shouldn't affect getting this to work.

Lynn wrote:

Ok, your DSL-modem/router is running as a NAT'ing router with
DNS-cache on it. This changes your settings considerably,
since this DSL-modem/router is also the machine authenticating
your DSL connection (you had to set it up with username/password,
correct?).

With these assumptions on my part, you should NOT need a PPPoE client
on the LEAF box and you will need a dhcp client such as pump/dhclient/
udhcpcd/etc to get an ip from your DSL-modem/router. There may be
some application problems due to running NAT twice (once at the
DSL-modem/router and again at the Bering box), but that depends on
whether you can set the DSL-modem/router to NOT NAT the ip address
assigned to you. DNS-cache can be run on either the DSL-modem/router
or on the Bering box (dnscache package), that is simply preference
left to you.

 I'm attaching the output you requested, along with my
 syslinux.cfg, because I'm not sure if udhcpd should be called
 before or after pump and ppp/pppoe.

Eric Wolzak
member of  the bering crew
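Eric reads the LCP exchange by hand: the peer asks for CHAP, then PAP, our side sends ConfRej for both, no PAP/CHAP exchange ever happens, and the peer sends TermReq. That pattern can be recognised mechanically. The script below is an added example, not Eric's or the LEAF project's code: it parses pppd syslog lines of the form shown in the thread (sample lines built from the ones quoted above, hex dumps shortened) and reports whether the link died because the local pppd refused to authenticate at all, which is what a missing or mismatched secrets entry produces, as opposed to an authentication that was attempted and failed.

```python
# Added example (not from the post): classify a failed pppd/PPPoE session
# from its LCP trace.
import re

# Sample log, constructed from the lines Eric quotes (hex dumps trimmed).
SAMPLE_LOG = """\
Jan  5 23:40:50 firewall pppd[557]: sent [LCP ConfReq id=0x1 magic 0x52cf66a9]
Jan  5 23:40:50 firewall pppd[557]: rcvd [LCP ConfReq id=0xc3 mru 1492 auth chap MD5 magic 0x3d5cac04] 00 00 00 00
Jan  5 23:40:50 firewall pppd[557]: sent [LCP ConfRej id=0xc3 auth chap MD5]
Jan  5 23:40:50 firewall pppd[557]: rcvd [LCP ConfAck id=0x1 magic 0x52cf66a9]
Jan  5 23:40:50 firewall pppd[557]: rcvd [LCP ConfReq id=0xc4 mru 1492 auth pap magic 0x3d5cac04]
Jan  5 23:40:50 firewall pppd[557]: sent [LCP ConfRej id=0xc4 auth pap]
Jan  5 23:40:50 firewall pppd[557]: rcvd [LCP ConfReq id=0xc5 mru 1492 magic 0x3d5cac04]
Jan  5 23:40:50 firewall pppd[557]: sent [LCP ConfAck id=0xc5 mru 1492 magic 0x3d5cac04]
Jan  5 23:40:50 firewall pppd[557]: sent [IPCP ConfReq id=0x1 addr 0.0.0.0]
Jan  5 23:40:50 firewall pppd[557]: rcvd [LCP TermReq id=0xc6]
Jan  5 23:40:50 firewall pppd[557]: sent [LCP TermAck id=0xc6]
"""

# "<direction> [<protocol> <packet kind> id=<hex> <options>]"
EVENT_RE = re.compile(
    r"pppd\[\d+\]: (sent|rcvd) \[(\w+) (\w+) id=(0x[0-9a-fA-F]+)([^\]]*)\]")
# authentication option as pppd prints it inside LCP packets
AUTH_RE = re.compile(r"\bauth (chap \S+|pap|eap)\b")


def parse_pppd_log(text):
    """Extract the negotiation events pppd logged, in order."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            direction, proto, kind, ident, opts = m.groups()
            events.append({"dir": direction, "proto": proto, "kind": kind,
                           "id": ident, "opts": opts.strip()})
    return events


def diagnose(text):
    """Summarise why the session ended.
    verdicts: auth-refused-locally  we ConfRej'd every auth method the peer
                                    asked for and never started PAP/CHAP
              auth-failed           an auth exchange ran and the peer hung up
              peer-terminated       peer sent TermReq for some other reason
              no-fault-found        nothing suspicious in the trace"""
    events = parse_pppd_log(text)
    offered, refused = [], []
    for e in events:
        if e["proto"] != "LCP":
            continue
        m = AUTH_RE.search(e["opts"])
        if m and e["dir"] == "rcvd" and e["kind"] == "ConfReq":
            offered.append(m.group(1))
        if m and e["dir"] == "sent" and e["kind"] == "ConfRej":
            refused.append(m.group(1))
    auth_exchange = any(e["proto"] in ("PAP", "CHAP", "EAP") for e in events)
    peer_term = any(e["dir"] == "rcvd" and e["proto"] == "LCP"
                    and e["kind"] == "TermReq" for e in events)
    if refused and not auth_exchange and peer_term:
        verdict = "auth-refused-locally"
    elif auth_exchange and peer_term:
        verdict = "auth-failed"
    elif peer_term:
        verdict = "peer-terminated"
    else:
        verdict = "no-fault-found"
    return {"offered_auth": offered, "refused_auth": refused,
            "peer_terminated": peer_term, "verdict": verdict}


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

"auth-refused-locally" is the case Eric describes: pppd only agrees to an authentication method when it has a usable name/secret for it, so refusing both CHAP and PAP points at the options and secrets files rather than at a wrong password.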





[leaf-user] Because the list auto-rejects emails with attachments....here's my configs for everyone inline

2003-06-29 Thread PAGE,RAYMOND
Eric, I'm not sure if this is what you were conveying, but do you 
think that I have an incorrect login/password in my 
pap/chap.secrets?  Thanks for all the input, this helps a lot.

firewall: -root-
# uname -a
Linux firewall 2.4.20 #1 Sun May 11 18:53:34 CEST 2003 i586 
unknown

firewall: -root-
# ip route show
192.168.0.0/24 dev eth1  proto kernel  scope link  src 
192.168.0.1

firewall: -root-
# ip addr show
1: lo: LOOPBACK,UP mtu 16436 qdisc noqueue
   link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
   inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: dummy0: BROADCAST,NOARP mtu 1500 qdisc noop
   link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
3: eth0: BROADCAST,MULTICAST,UP mtu 1500 qdisc pfifo_fast qlen 
100
   link/ether 00:50:fc:74:be:d0 brd ff:ff:ff:ff:ff:ff
4: eth1: BROADCAST,MULTICAST,UP mtu 1500 qdisc pfifo_fast qlen 
100
   link/ether 00:80:c8:4e:b7:ea brd ff:ff:ff:ff:ff:ff
   inet 192.168.0.1/24 brd 192.168.0.255 scope global eth1

firewall: -root-
# ip link show
1: lo: LOOPBACK,UP mtu 16436 qdisc noqueue
   link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: dummy0: BROADCAST,NOARP mtu 1500 qdisc noop
   link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
3: eth0: BROADCAST,MULTICAST,UP mtu 1500 qdisc pfifo_fast qlen 
100
   link/ether 00:50:fc:74:be:d0 brd ff:ff:ff:ff:ff:ff
4: eth1: BROADCAST,MULTICAST,UP mtu 1500 qdisc pfifo_fast qlen 
100
   link/ether 00:80:c8:4e:b7:ea brd ff:ff:ff:ff:ff:ff

/var/log/messages:
Jan  5 23:40:46 firewall syslogd 1.4.1: restart.
Jan  5 23:40:46 firewall kernel: klogd 1.4.1, log source = 
/proc/kmsg started.
Jan  5 23:40:46 firewall kernel: No module symbols loaded.
Jan  5 23:40:46 firewall kernel: BIOS-provided physical RAM map:
Jan  5 23:40:46 firewall kernel: 64MB LOWMEM available.
Jan  5 23:40:46 firewall kernel: Initializing CPU#0
Jan  5 23:40:46 firewall kernel: Memory: 62704k/65536k available 
(948k kernel code, 2448k reserved, -1176k data, 64k init, 0k 
highmem)
Jan  5 23:40:46 firewall kernel: Dentry cache hash table entries: 
8192 (order: 4, 65536 bytes)
Jan  5 23:40:46 firewall kernel: Inode cache hash table entries: 
4096 (order: 3, 32768 bytes)
Jan  5 23:40:46 firewall kernel: Intel Pentium with F0 0F bug - 
workaround enabled.
Jan  5 23:40:46 firewall kernel: Checking 'hlt' instruction... 
OK.
Jan  5 23:40:46 firewall kernel: PCI: PCI BIOS revision 2.10 entry 
at 0xfb0d0, last bus=0
Jan  5 23:40:46 firewall kernel: PCI: Using configuration type 1
Jan  5 23:40:46 firewall kernel: PCI: Probing PCI hardware
Jan  5 23:40:46 firewall kernel: Limiting direct PCI/PCI 
transfers.
Jan  5 23:40:46 firewall kernel: Linux NET4.0 for Linux 2.4
Jan  5 23:40:46 firewall kernel: Based upon Swansea University 
Computer Society NET3.039
Jan  5 23:40:46 firewall kernel: Serial driver version 5.05c 
(2001-07-08) with MANY_PORTS SHARE_IRQ DETECT_IRQ SERIAL_PCI 
enabled
Jan  5 23:40:46 firewall kernel: ttyS00 at 0x03f8 (irq = 4) is a 
16550A
Jan  5 23:40:46 firewall kernel: ttyS01 at 0x02f8 (irq = 3) is a 
16550A
Jan  5 23:40:46 firewall kernel: Real Time Clock Driver v1.10e
Jan  5 23:40:46 firewall kernel: Software Watchdog Timer: 0.05, 
timer margin: 60 sec
Jan  5 23:40:46 firewall kernel: Floppy drive(s): fd0 is 1.44M
Jan  5 23:40:46 firewall kernel: FDC 0 is an 8272A
Jan  5 23:40:46 firewall kernel: NET4: Linux TCP/IP 1.0 for 
NET4.0
Jan  5 23:40:46 firewall kernel: IP Protocols: ICMP, UDP, TCP, 
IGMP
Jan  5 23:40:46 firewall kernel: IP: routing cache hash table of 
512 buckets, 4Kbytes
Jan  5 23:40:46 firewall kernel: TCP: Hash tables configured 
(established 4096 bind 4096)
Jan  5 23:40:46 firewall kernel: NET4: Unix domain sockets 1.0/SMP 
for Linux NET4.0.
Jan  5 23:40:46 firewall kernel: RAMDISK: Compressed image found 
at block 0
Jan  5 23:40:46 firewall kernel: Freeing initrd memory: 247k 
freed
Jan  5 23:40:46 firewall kernel: Freeing unused kernel memory: 64k 
freed
Jan  5 23:40:47 firewall kernel: pci-scan.c:v1.11 8/31/2002  
Donald Becker [EMAIL PROTECTED] 
http://www.scyld.com/linux/drivers.html
Jan  5 23:40:47 firewall kernel: rtl8139.c:v1.22 11/17/2002 Donald 
Becker, [EMAIL PROTECTED]
Jan  5 23:40:47 firewall kernel:  
http://www.scyld.com/network/rtl8139.html
Jan  5 23:40:47 firewall kernel: eth0: RealTek RTL8139C Fast 
Ethernet at 0x6100, IRQ 11, 00:50:fc:74:be:d0.
Jan  5 23:40:47 firewall kernel: via-rhine.c:v1.13 11/17/2002  
Written by Donald Becker [EMAIL PROTECTED]
Jan  5 23:40:47 firewall kernel:   
http://www.scyld.com/network/via-rhine.html
Jan  5 23:40:47 firewall kernel: eth1: VIA VT3043 Rhine at 0x6000, 
00:80:c8:4e:b7:ea, IRQ 10.
Jan  5 23:40:47 firewall kernel: eth1: MII PHY found at address 8, 
status 0x782d advertising 05e1 Link 45e1.
Jan  5 23:40:47 firewall kernel: CSLIP: code copyright 1989 
Regents of the University of California
Jan  5 23:40:48 firewall kernel: N_HDLC line discipline 
registered.
Jan  5 23:40:48 firewall kernel: PPP generic driver version 2.4.2
Jan  5 23:40:51 firewall udhcpd: udhcp server 

[leaf-user] separate mail routing on two LANs on shared ISP Link

2003-06-29 Thread Nyawallow James
Hi all,
I have the setup below which I would like to use LEAF for 'firewalling' the
two LANs while enabling smtp/pop3 and http for both LANs separately! My
questions are: a. Is this possible using LEAF?
b. Do I need to change the setup below? Say two external NICs and two
internal NICs? Or two external NICs and one internal NIC (multihomed?)

**Initially LAN #1's mail server had the public IP 64.86.235.161 and LAN #2's mail
server had the IP 64.86.235.162 for the purposes of routing mail and
web service (each LAN's hosts are independent but share premises!)

Problems:
1: I have implemented the above solution on one LAN, but I would want to
implement it for the second LAN, therefore the second card. I am however
stuck as I do not know how to configure e0 to respond to requests for LAN1's
public IP separately from similar requests for LAN2's public IP (assuming I am
multihoming both public IPs on e0).
Please let me know which LEAF version can do this and the config necessary.

**ALL interfaces have static IPs

Link from/to Isp to Router
   |
   --
 |Router|
  --
^
|
|Cross-over cable to/from LEAF Box
|
|e0(64.86.235.160/29)
|  Shared Link (64.86.235.161--LAN1  162--LAN2)
 -
|Leaf Box |
 -
   |  |
   |  |
   |  |e2 (10.0.0.1)
   |  | LAN #2 (10.0.0.0/24)
   |  |__ Mail server (10.0.0.2)
   |
   |e1(192.168.0.1)
   |  LAN #1 (192.168.0.0/24)
   |__Mail server (192.168.0.2)





Re: [leaf-user] DNS lookups in shorewall rules fail at boot.

2003-06-29 Thread Tom Eastep
On Sun, 2003-06-29 at 02:45, James Neave wrote:
 Hi,
 
 I open holes in the firewall from specific IP addresses to allow access
 to my pptp server.
 
 ACCEPT   net:X.X.X.X   fw   tcp   1723
 ACCEPT   net:X.X.X.X   fw   47
 
 and for my friends with dynamic IPs, they have dynamic DNS entries.
 
 ACCEPT   net:MyIP.No-IP.Org  fw  tcp  1723
 ACCEPT   net:MyIP.No-IP.Org  fw  47
 
 But the DNS lookups fail at boot. I have to log in and start up
 shorewall manually.
 
 The shorewall guides don't say anything about putting DNS entries in the
 rules file, apart from that you can.

See http://www.shorewall.net/configuration_file_basics.#dnsnames

-Tom
-- 
Tom Eastep\ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA  \ [EMAIL PROTECTED]





Re: [leaf-user] DNS lookups in shorewall rules fail at boot.

2003-06-29 Thread Tom Eastep
On Sun, 2003-06-29 at 07:48, Tom Eastep wrote:

  
  The shorewall guides don't say anything about putting DNS entries in the
  rules file, apart from that you can.
 
 See http://www.shorewall.net/configuration_file_basics.#dnsnames

Er -- make that

http://www.shorewall.net/configuration_file_basics.htm#dnsnames

-Tom
-- 
Tom Eastep\ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA  \ [EMAIL PROTECTED]





RE: [leaf-user] DNS lookups in shorewall rules fail at boot.

2003-06-29 Thread Tom Eastep
On Sun, 2003-06-29 at 08:17, James Neave wrote:
 Aha,
 
 didn't see that bit...
 
 OK.
 
 Anything I can do about it? This is way beyond my meager problem solving
 skills...

I suspect that Shorewall is starting before dnscache so you will need to
reverse their startup order. The means for changing the startup order of
packages in a Leaf system is discussed regularly on the list and has to
do with the RCDLINKS= specification found in each file in /etc/init.d.

-Tom
-- 
Tom Eastep\ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA  \ [EMAIL PROTECTED]
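The underlying constraint in this thread is that Shorewall resolves any DNS name in its configuration files once, at start or restart time: if the resolver (here dnscache) is not up yet, the start fails, and if a dynamic-DNS name changes address later, the running ruleset keeps the old address until the next restart. The script below is an added example, not Shorewall's or the LEAF project's code: it pulls the host names out of a rules file (constructed sample content, simplified to the `zone:address` form James uses) and resolves each one the way a start would, so the check can run from an init script before the firewall starts, or from cron to notice a stale dynamic address. `table_resolver` is a stand-in resolver so the demo runs offline; the real check uses `socket.gethostbyname`.

```python
# Added example (not Shorewall's own code): pre-check that every DNS name in a
# shorewall rules file resolves, since Shorewall resolves them only at start.
import re
import socket

# Constructed sample rules file (columns: ACTION SOURCE DEST PROTO DEST PORT).
SAMPLE_RULES = """\
# ACTION  SOURCE                  DEST  PROTO  DEST PORT(S)
ACCEPT    net:203.0.113.10        fw    tcp    1723
ACCEPT    net:203.0.113.10        fw    47
ACCEPT    net:MyIP.No-IP.Org      fw    tcp    1723
ACCEPT    net:MyIP.No-IP.Org      fw    47
ACCEPT    net:friend.example.net  fw    tcp    1723
"""

IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?$")


def hostnames_in_rules(text):
    """Return the DNS names used in the SOURCE and DEST columns, in order,
    without duplicates. Simplification: the part after the last ':' is taken
    as the address, so the zone:interface:address form is not distinguished;
    MAC addresses (~xx-xx-...) are skipped."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        cols = line.split()
        for col in cols[1:3]:
            if ":" not in col:
                continue
            for host in col.rsplit(":", 1)[1].split(","):
                if host.startswith("~") or IPV4_RE.match(host) or not host:
                    continue
                if host not in names:
                    names.append(host)
    return names


def table_resolver(table):
    """Offline stand-in for socket.gethostbyname backed by a dict (demo only)."""
    def resolve(name):
        try:
            return table[name]
        except KeyError:
            raise socket.gaierror(-2, "Name or service not known")
    return resolve


def check_rules_resolve(text, resolve=socket.gethostbyname):
    """Resolve each name once, as a Shorewall start would.
    Returns {name: address or None}; a None means the start would fail."""
    result = {}
    for name in hostnames_in_rules(text):
        try:
            result[name] = resolve(name)
        except OSError:            # socket.gaierror is a subclass of OSError
            result[name] = None
    return result


def unresolved(text, resolve=socket.gethostbyname):
    """Names that do not resolve right now; empty means it is safe to start."""
    return [n for n, addr in check_rules_resolve(text, resolve).items()
            if addr is None]


if __name__ == "__main__":
    # Run against the constructed sample with a fake resolver so it works offline;
    # drop the resolve= argument to query real DNS.
    fake = table_resolver({"MyIP.No-IP.Org": "198.51.100.4"})
    print("names:", hostnames_in_rules(SAMPLE_RULES))
    print("unresolved:", unresolved(SAMPLE_RULES, fake))
```

A name that resolves fine once dnscache is up but not at boot is exactly Tom's startup-order case; a name that resolves to something different from what the live ruleset holds is the dynamic-DNS drift case, and the cure for both is the same restart after the resolver is available.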





[leaf-user] hostap for Bering : does it work ?

2003-06-29 Thread Francois BERGERET
Hi everybody,

Is somebody using hostap with Bering ?

I am using Bering V1.1, running in a Soekris net4521.

I have tried to use pcmcia_hostap.lrp from our friend Jacques, but without success 
:-(
Inserted Prism2 cards are detected, but a kernel panic occurs at PCMCIA 
insertion.
I have read and read the Bering manuals without understanding more...

Does somebody have the complete list of files with their tree position in the directories?
Because it seems that some are missing (I suppose, but I am not a perfect user).
For example, the file wireless.opts is not installed by the package.
I have created one, including:

*,*,*,*)
    INFO="Prism2"
    MODE="Master"
    CHANNEL="6"
    RATE="AUTO"
    ESSID="WLAN1"
    ;;

based on the Bering manuals' example, but for Orinoco.
Maybe this file must contain some other things...

I have some doubts about what drivers to add/have in the /lib/modules/pcmcia/ 
directory, and why Bering is so different from Vladimir's
WISP-dist project regarding the directory organization.
I have tried to compare these directory trees but I am lost...
I have compared the files because my two PCMCIA Prism 2 cards run well with WISP-dist 
without any crash.

Any suggestions, ideas, files and config examples ?

TIA

Best Regards,
Francois BERGERET,
France.

(sorry for my very bad english).





Re: [leaf-user] Because the list auto-rejects emails with attachments....here's my configs for everyone inline

2003-06-29 Thread eric wolzak
Yes.
Suppose that WWWRaymond is your login and PAGESecret is your password,
then you have to have in your pppoe option file
a
name WWWRaymond  or
user WWWRaymond

and in your pap-secrets file
WWWRaymond  *  PAGESecret

Put those in quotes if you have any special characters in them.


-Original Message-
From: PAGE,RAYMOND [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Date: Sunday, 29 June 2003 16:02
Subject: [leaf-user] Because the list auto-rejects emails with
attachments... here's my configs for everyone inline


Eric, I'm not sure if this is what you were conveying, but do you
think that I have an incorrect login/password in my
pap/chap.secrets?  Thanks for all the input, this helps a lot.

What I tried to tell you is
1. debug was not set with debug 7, so the first part of the communication
isn't in the log file
2. There is something communicating with you in pppoe mode (probably
your provider)
3. your side rejected pap and chap authentication. This is mostly because
you don't have a corresponding username-password pair.
4. If you had a corresponding user-password pair then your side would have
tried to identify, and if the password was wrong you would have had a
different termination.

if you don't find the cause here, then post me your ppp and pppd options


original post deleted see list for more details--
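The relationship Eric spells out (the `name`/`user` argument in the options file must appear as the client field of a pap-secrets line, and values with special characters need quoting) is easy to verify before dialling. The script below is an added example, not Eric's or pppd's code: it parses constructed sample copies of both files with shell-style quoting, the way pppd tokenises them, and reports whether the identity pppd will offer has a matching secret. The file contents are hypothetical, using Eric's example names.

```python
# Added example (not from the post): check that the identity pppd will offer
# has a matching line in pap-secrets.
import shlex

# Constructed sample options file (hypothetical contents).
OPTIONS_FILE = """\
# pppd/pppoe options
noipdefault
defaultroute
user WWWRaymond
"""

# Constructed sample pap-secrets; second line shows why quoting matters.
PAP_SECRETS = """\
# client        server  secret          IP addresses
WWWRaymond      *       PAGESecret
"other user"    *       "pa ss#word"
"""


def peer_name(options_text):
    """Return the name pppd authenticates with: the argument of the first
    'user' or 'name' option, or None if neither is set."""
    for line in options_text.splitlines():
        parts = shlex.split(line, comments=True)   # quotes and # handled like pppd
        if len(parts) >= 2 and parts[0] in ("user", "name"):
            return parts[1]
    return None


def secrets_entries(secrets_text):
    """Return (client, server, secret) triples from a pap-secrets file;
    quoted fields may contain spaces or '#'."""
    entries = []
    for line in secrets_text.splitlines():
        parts = shlex.split(line, comments=True)
        if len(parts) >= 3:
            entries.append((parts[0], parts[1], parts[2]))
    return entries


def check_pap_setup(options_text, secrets_text):
    """'ok' when a secret exists for the configured name, otherwise a short
    description of what is missing."""
    name = peer_name(options_text)
    if name is None:
        return "no 'user' or 'name' option: pppd has no identity to offer"
    if any(client == name for client, _server, _secret in secrets_entries(secrets_text)):
        return "ok"
    return "no pap-secrets entry for client %r" % name


if __name__ == "__main__":
    print(check_pap_setup(OPTIONS_FILE, PAP_SECRETS))
    print(check_pap_setup(OPTIONS_FILE.replace("WWWRaymond", "Raymond"), PAP_SECRETS))
```

When this reports a missing entry, the trace will look like the one Eric annotated (ConfRej for both CHAP and PAP, then TermReq from the provider) rather than a rejected password.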






[leaf-user] Vlan Access link (vlan.lrp + bridge.lrp)

2003-06-29 Thread Jose Luis Abuelo Sebio
Hi everyone,

 I am trying to set up a VLAN but using VLAN-unaware
machines (PC1, PC2, PC3 and PC4 as you can see in the
picture).

 Here the bridge is the one to do the tagging of the
frames and untag them to send them to the correct
machine (because the VLAN-unaware machines don't tag
their frames, as I have read in some tutorials about
VLANs). I am using the packages vlan.lrp and
bridge.lrp to configure the bridges as follows:


     PC1 (eth0 192.168.1.1)      PC2 (eth0 192.168.1.2)
              |                            |
           eth1.10                      eth2.20
              +------------ br0 ------------+
                            |
                           eth0
                            |
                           eth0
                            |
              +------------ br1 ------------+
           eth1.10                      eth2.20
              |                            |
     PC3 (eth0 192.168.1.3)      PC4 (eth0 192.168.1.4)
 
So following this picture, PC2 would see PC4 and PC1
would see PC3, and the bridges would be in charge of
tagging and untagging the frames; the VLAN-unaware
machines would not have to know about the tagging,
right? I think this is the idea of the VLAN access
link.

   So to get this, I have configured the bridges this
way:

 first I have created the vlans

vconfig add eth1 10
vconfig add eth2 20

then I set them up

ifconfig eth1.10 up
ifconfig eth2.20 up

so then I have configured the bridge

brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1.10
brctl addif br0 eth2.20

and set it up

ifconfig br0 up

  As far as I know about VLANs and bridging, PC2 would
have to be able to communicate with PC4 and PC1 with
PC3, but they don't.

 Is it maybe because the kernel doesn't support VLAN
access links, and PC1, PC2, PC3 and PC4 must be
VLAN-aware machines to tag the frames? (as it is
possible in CISCO machines)

 If this bridge configuration to get a VLAN access
link is wrong, as I think it is because it doesn't
work, what do I have to change to get a VLAN access
link in my bridges so PC1, PC2, PC3 and PC4 could be
VLAN-unaware machines and not worry about tagging?

 Thank you for your help, I will be checking my mail
to see if any of you can help me out with this.
 
 bye!!
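The question of where an untagged frame from a VLAN-unaware PC ends up can be traced with a small model of how Linux 802.1Q subinterfaces behave inside a bridge: `ethN.V` only receives frames that arrive on `ethN` already tagged with V, hands them to the bridge untagged, and re-tags frames leaving through it; a plain `ethN` member carries untagged frames. The script below is an added example, not code from the post or from the vlan.lrp/bridge.lrp packages. It models the posted layout and, as my own assumption about the usual access/trunk arrangement (not something stated in the thread), a layout where the access ports are plain members and the VLAN subinterfaces sit on the eth0 trunk between the two boxes.

```python
# Added example (not from the post): toy model of 802.1Q subinterfaces in a
# Linux bridge, to trace untagged frames from VLAN-unaware hosts.


def member_ingress(members, phys, vid):
    """Bridge member that receives a frame arriving on physical port `phys`
    with 802.1Q tag `vid` (None = untagged), or None if no member takes it.
    ethN.V only sees frames tagged V on ethN; a plain ethN member takes the
    untagged frames (simplification: tagged frames on a plain member ignored)."""
    for m in members:
        if "." in m:
            port, tag = m.split(".", 1)
            if port == phys and vid == int(tag):
                return m
        elif m == phys and vid is None:
            return m
    return None


def member_egress(member):
    """(physical port, tag) a frame carries when it leaves `member`:
    ethN.V re-tags with V, a plain ethN sends it untagged."""
    if "." in member:
        port, tag = member.split(".", 1)
        return port, int(tag)
    return member, None


class Box:
    """One Linux box holding bridges: {bridge name: [member interfaces]}."""

    def __init__(self, bridges):
        self.bridges = bridges

    def forward(self, phys, vid=None):
        """Flood a frame arriving as (phys, vid) to the other members of the
        bridge owning the receiving interface (no MAC learning needed here).
        Returns a list of (phys_out, vid_out)."""
        for members in self.bridges.values():
            m_in = member_ingress(members, phys, vid)
            if m_in is not None:
                return [member_egress(m) for m in members if m != m_in]
        return []   # not bridged: dropped or handed to the local IP stack


def end_to_end(box1, box2, access_port, trunk="eth0"):
    """A PC sends an untagged frame into box1's `access_port`; return where
    it comes out of box2 after crossing the trunk cable (eth0 <-> eth0)."""
    out = []
    for port, vid in box1.forward(access_port, None):
        if port == trunk:
            out.extend(box2.forward(trunk, vid))
    return out


# Layout from the post: one bridge with the trunk port and VLAN subinterfaces
# on the ports the PCs plug into.
POSTED = {"br0": ["eth0", "eth1.10", "eth2.20"]}

# Assumed alternative: PC ports are plain members, tagging happens on the trunk.
SUGGESTED = {"br10": ["eth1", "eth0.10"], "br20": ["eth2", "eth0.20"]}

if __name__ == "__main__":
    for label, layout in (("posted", POSTED), ("suggested", SUGGESTED)):
        for pc_port in ("eth1", "eth2"):
            print(label, pc_port, "->", end_to_end(Box(layout), Box(layout), pc_port))
```

In the posted layout the model returns nothing for a frame from eth1, because `eth1.10` never sees an untagged frame and plain `eth1` is not in the bridge; in the alternative layout the frame leaves eth0 tagged 10, is picked up by `eth0.10` on the other box, and exits untagged on that box's eth1, with VLAN 20 isolated in the same way.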





Re: [leaf-user] separate mail routing on two LANs on shared ISP Link

2003-06-29 Thread Nyawallow James
Hi Steve,
I am actually running the setup below (on LAN #1) on the Dachstein kernel 2.2.19
based disk image v1.0.2 and would definitely prefer to continue with it but
would not mind using a different LEAF image if advisable. The issues I
raised were because I noticed (if I am right) that on Dachstein I have to
configure which IP is my external IP (single IP) for portfw and which
internal IP and port to forward services to (yet I need two external IPs and internal
IPs). I also noticed that I specify which are my internal LAN IPs for NAT (again I
only noticed one network range when I need two). **I am assuming I will be
using portfw to forward smtp and http for the two domains to their respective
mail and web servers.

These were the reasons, coupled with the fact that I had tried multihoming on
either interface e0 and e1 without success.

Any suggestions with examples based on my initial setup below would be
highly appreciated.

Nyawallow
- Original Message -
From: Steve Wright [EMAIL PROTECTED]
To: Nyawallow James [EMAIL PROTECTED]
Sent: Sunday, June 29, 2003 11:50 PM
Subject: Re: [leaf-user] separate mail routing on two LANs on shared ISP
Link


 Nyawallow James wrote:

 I have the setup below which I would like to use LEAF for 'firewalling' the
 two LANs while enabling smtp/pop3 and http for both LANs separately! My
 questions are: a. Is this possible using LEAF?
 b. Do I need to change the setup below? Say two external NICs and two
 internal NICs? Or two external NICs and one internal NIC (multihomed?)
 

 a. This is Linux - anything is possible.

 b.  It depends on the requirements of your networks.  There is no
 requirement for subnets to have their own ethernet card.  You may attach
 any number of addressing schemes to any ethernet card.

 **Initially LAN #1's mail server had the public IP 64.86.235.161 and LAN #2's
 mail server had the IP 64.86.235.162 for the purposes of routing mail and
 web service (each LAN's hosts are independent but share premises!)
 

 You could leave them that way, and simply route with the leaf box, but I
 think you will need to add instructions on the upstream router to route
 these hosts via the leaf external interface.

 You might add both these external addresses to the external interface of
 leaf, and then directly translate only these two addresses to the
 private addresses that match the appropriate Server - the internal
 servers will 'look' like they are directly on the Internet then.  Then
 MASQ or proxy your internal http clients to the 'Net.

 Problems:
 1: I have implemented the above solution on one LAN, but I would want to
 implement it for the second LAN, therefore the second card. I am however
 stuck as I do not know how to configure e0 to respond to requests for LAN1's
 public IP separately from similar requests for LAN2's public IP (assuming I am
 multihoming both public IPs on e0).
 Please let me know which LEAF version can do this and the config necessary.
 

 You haven't said how you did it.  Maybe it is not possible now to
 implement a second internal server - I cannot tell you.
 All LEAF versions will do this.  Use the latest version for the best
 functionality.

 Tell us how you have implemented your first solution.  Perhaps it is
 readily adaptable to add a second internal host, since you understand it
 well already.


 regards,
 Steve


 **ALL interfaces have static IPs
 
 Link from/to Isp to Router
|
--
  |Router|
   --
 ^
 |
 |Cross-over cable to/from LEAF Box
 |
 |e0(64.86.235.160/29)
 |  Shared Link (64.86.235.161--LAN1  162--LAN2)
  -
 |Leaf Box |
  -
|  |
|  |
|  |e2 (10.0.0.1)
|  | LAN #2 (10.0.0.0/24)
|  |__ Mail server (10.0.0.2)
|
|e1(192.168.0.1)
|  LAN #1 (192.168.0.0/24)
|__Mail server (192.168.0.2)
 








Re: [leaf-user] Re: Some questions about leaf PPPoE

2003-06-29 Thread PAGE,RAYMOND
Turns out that I hadn't saved my pap.secrets file.  Updated it, 
but didn't back it up to disk.  So I now have internet 
connectivity and can ping the internet, yeah :)  I was curious 
if I still require pump, i.e. what does pump handle so that I might 
be able to get rid of it?  Fifth bullet or so on this link 
(http://leaf.sourceforge.net/devel/jnilo/biaddrm.html) indicates 
that I may not need pump.  What would such a specialized case be?

--
PAGE,RAYMOND
On Sun Jun 29 07:49:02 EDT 2003, eric wolzak [EMAIL PROTECTED] 
wrote:

Hello Raymond, Lynn, list
Hello Lynn, Raymond, I don't think the modem is a router; the internal
modem address is probably only for maintenance.
btw, be careful, this is a private IP and might be blocked by
shorewall if you try to do maintenance.

So if it is  internal network -- LEAF --- normal ethernet Router ---
pppoe --- Provider
you have a normal network firewall setup and don't need ppp/pppoe but
probably pump as Lynn stated
your external interface is eth0

if it is  internal -- LEAF --- PPPoE Modem PPPoE (
modulated ) -- Provider
you need pppd and pppoe.  And in that case there is something wrong with
your settings to identify yourself:
user name not corresponding to entry in pap.secrets or chap.secrets
your external interface is ppp0

Part of your log file  (time, date and firewall name removed for line length)
# my comments #

before this there should have been a communication to establish an Access
Concentrator and the offer to use channel 1
: using channel 1    # ok we use channel 1 #
pppd[557]: sent [LCP ConfReq id=0x1 magic 0x52cf66a9]
pppd[557]: rcvd [LCP ConfReq id=0xc3 mru 1492 auth chap MD5 magic 0x3d5cac04] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    # AC request to identify with chap #
pppd[557]: sent [LCP ConfRej id=0xc3 auth chap MD5]    # identification by chap from you rejected #
pppd[557]: rcvd [LCP ConfAck id=0x1 magic 0x52cf66a9] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
pppd[557]: rcvd [LCP ConfReq id=0xc4 mru 1492 auth pap magic 0x3d5cac04] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    # received request to identify yourself with pap #
pppd[557]: sent [LCP ConfRej id=0xc4 auth pap]    # I don't identify with pap #
pppd[557]: rcvd [LCP ConfReq id=0xc5 mru 1492 magic 0x3d5cac04] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
pppd[557]: sent [LCP ConfAck id=0xc5 mru 1492 magic 0x3d5cac04]
pppd[557]: sent [LCP EchoReq id=0x0 magic=0x52cf66a9]    # pinging the line #
Jan  5 23:40:50 firewall pppd[557]: sent [IPCP ConfReq id=0x1 addr 0.0.0.0]    # please give me an IP #
Jan  5 23:40:50 firewall pppd[557]: rcvd [LCP TermReq id=0xc6] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...    # your provider shuts the connection down, as you didn't identify yourself #
Jan  5 23:40:50 firewall pppd[557]: sent [LCP TermAck id=0xc6]    # ok I understand #
Jan  5 23:41:23 firewall pppd[557]: using channel 2    # in between there was another try to start up the basic connection and the game starts anew #


On Saturday 28 June 2003 09:02 pm, PAGE,RAYMOND wrote:
[...]
eth0 is definitely connected to the modem, and ?trying? to talk 
to
the modem.  The modem has an IP of 192.168.7.1.  The internal 
nic,
eth1, is able to connect to internal boxes.  It's ip is
192.168.0.1.  I know it works because I can ssh to that IP from 
an
internal machine.  I don't believe that udhcpd(as opposed to the
standard daemon because it's so much larger in size) is working
properly for me, however I've statically assigned other boxes
temporarily so it doesn't have to work right now and that
shouldn't affect getting this to work.
Lynn wrote:
Ok, your DSL-modem/router is running as a NAT'ing router with
DNS-cache on it. This changes your settings considerably,
since this DSL-modem/router is also the machine authenticating
your DSL connection (you had to set it up with username/password,
correct?).
With these assumptions on my part, you should NOT need a PPPoE 
client
on the LEAF box and you will need a dhcp client such as 
pump/dhclient/
udhcpcd/etc to get an ip from your DSL-modem/router. There may be
some application problems due to running NAT twice (once at the
DSL-modem/router and again at the Bering box), but that depends 
on
whether you can set the DSL-modem/router to NOT NAT the ip 
address
assigned to you. DNS-cache can be run on either the 
DSL-modem/router
or on the Bering box (dnscache package), that is simply 
preference
left to you.

I'm attaching the output you requested, along with my
syslinux.cfg, because I'm not sure if udhcpd should be called
before or after pump and ppp/pppoe.
Eric Wolzak
member of  the bering crew


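Eric's reading of the log above (the access concentrator demands CHAP, then PAP; the local pppd ConfRej's both; the peer sends TermReq) is mechanical enough to script. The following is an added example, not code from the thread or from the LEAF/Bering project: a small Python parser for pppd debug lines that extracts which authentication methods the peer demanded, which ones the local side refused, whether authentication ever succeeded, and who terminated, then states the likely cause. The log text is constructed to mimic the quoted one (the angle brackets around options are pppd's own print format; the trailing zero bytes are Ethernet frame padding). The file and option names it mentions are pppd's real ones (/etc/ppp/pap-secrets, /etc/ppp/chap-secrets, refuse-pap, refuse-chap).

```python
"""Diagnose a failed PPP(oE) LCP negotiation from pppd debug log lines.

Added example, not code from the thread or the LEAF project.  It encodes
the reading given above: peer offers CHAP, then PAP, the client rejects
both, and the peer tears the link down with TermReq.
"""
import re
from collections import Counter

# Constructed sample modelled on the log quoted in the thread (not the
# original poster's exact lines).  pppd prints LCP options in <...>; the
# trailing zero bytes are frame padding from the PPPoE Ethernet frame.
SAMPLE_LOG = """\
Jan  5 23:40:49 firewall pppd[557]: using channel 1
Jan  5 23:40:49 firewall pppd[557]: sent [LCP ConfReq id=0x1 <magic 0x52cf66a9>]
Jan  5 23:40:49 firewall pppd[557]: rcvd [LCP ConfReq id=0xc3 <mru 1492> <auth chap MD5> <magic 0x3d5cac04>] 00 00 00 00
Jan  5 23:40:49 firewall pppd[557]: sent [LCP ConfRej id=0xc3 <auth chap MD5>]
Jan  5 23:40:49 firewall pppd[557]: rcvd [LCP ConfAck id=0x1 <magic 0x52cf66a9>] 00 00 00 00
Jan  5 23:40:49 firewall pppd[557]: rcvd [LCP ConfReq id=0xc4 <mru 1492> <auth pap> <magic 0x3d5cac04>] 00 00 00 00
Jan  5 23:40:49 firewall pppd[557]: sent [LCP ConfRej id=0xc4 <auth pap>]
Jan  5 23:40:49 firewall pppd[557]: rcvd [LCP ConfReq id=0xc5 <mru 1492> <magic 0x3d5cac04>] 00 00 00 00
Jan  5 23:40:49 firewall pppd[557]: sent [LCP ConfAck id=0xc5 <mru 1492> <magic 0x3d5cac04>]
Jan  5 23:40:49 firewall pppd[557]: sent [LCP EchoReq id=0x0 magic=0x52cf66a9]
Jan  5 23:40:50 firewall pppd[557]: sent [IPCP ConfReq id=0x1 <addr 0.0.0.0>]
Jan  5 23:40:50 firewall pppd[557]: rcvd [LCP TermReq id=0xc6] 00 00 00 00
Jan  5 23:40:50 firewall pppd[557]: sent [LCP TermAck id=0xc6]
"""

# One pppd packet trace line: direction, protocol, code, id, then options
# up to the closing bracket (padding bytes after the bracket are ignored).
PACKET_RE = re.compile(
    r"pppd\[\d+\]: (?P<dir>sent|rcvd) \[(?P<proto>LCP|IPCP|PAP|CHAP) "
    r"(?P<code>\w+) id=0x[0-9a-fA-F]+(?P<opts>[^\]]*)\]"
)
# The LCP authentication-protocol option, e.g. <auth chap MD5> or <auth pap>.
AUTH_RE = re.compile(r"<auth (chap|pap)[^>]*>")


def parse_packets(log):
    """Yield (direction, protocol, code, options) for each packet line."""
    for line in log.splitlines():
        m = PACKET_RE.search(line)
        if m:
            yield m.group("dir"), m.group("proto"), m.group("code"), m.group("opts")


def diagnose(log):
    """Summarise the negotiation: what auth the peer demanded, what we
    refused, whether auth succeeded, who terminated, and a verdict."""
    demanded, refused = Counter(), Counter()
    authenticated = peer_terminated = ipcp_started = False
    for direction, proto, code, opts in parse_packets(log):
        if proto == "LCP" and code == "ConfReq" and direction == "rcvd":
            demanded.update(AUTH_RE.findall(opts))       # peer wants us to auth
        elif proto == "LCP" and code == "ConfRej" and direction == "sent":
            refused.update(AUTH_RE.findall(opts))        # we declined that method
        elif direction == "rcvd" and (proto, code) in (("PAP", "AuthAck"), ("CHAP", "Success")):
            authenticated = True
        elif proto == "IPCP" and code == "ConfReq":
            ipcp_started = True
        elif proto == "LCP" and code == "TermReq" and direction == "rcvd":
            peer_terminated = True

    if authenticated:
        verdict = "authenticated"
    elif demanded and set(demanded) <= set(refused) and peer_terminated:
        verdict = ("peer required %s; pppd refused every method and the peer "
                   "hung up: check the user name/secret in /etc/ppp/pap-secrets "
                   "or /etc/ppp/chap-secrets and any refuse-pap/refuse-chap options"
                   % ", ".join(sorted(demanded)))
    elif peer_terminated:
        verdict = "peer terminated after LCP; look at the lines before TermReq"
    else:
        verdict = "no authentication demanded and no termination seen"
    return {
        "demanded": dict(demanded),
        "refused": dict(refused),
        "authenticated": authenticated,
        "ipcp_started": ipcp_started,
        "peer_terminated": peer_terminated,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG).items():
        print("%-16s %s" % (key, value))
```

Feed it the pppd lines from syslog (pppd must be running with the debug option to get the packet traces). A ConfRej of every auth option the peer offers, followed by the peer's TermReq, is exactly the signature described above; on pppd it means the local side could not agree to authenticate at all, which happens when no secret matching the configured user name is found in the secrets file (or the method is refused by option), whereas a wrong password shows up later as a PAP AuthNak or CHAP Failure instead.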

Re: [leaf-user] Re: Some questions about leaf PPPoE

2003-06-29 Thread Lynn Avants
On Sunday 29 June 2003 10:00 pm, PAGE,RAYMOND wrote:
 Turns out that I hadn't saved my pap.secrets file.  Updated it,
 but didn't back it up to disk.  So I now have internet
 connectivity and can ping the internet, yeah :)I was curious
 if I still require pump, ie. what does pump handle so that I might
 be able to get rid of it?  Fifth bullet or so on this link
 (http://leaf.sourceforge.net/devel/jnilo/biaddrm.html) indicates
 that I may not need pump.  What would such a specialized case be?

pump is a dhcp client. Since you're using pppoe, you shouldn't need
a dhcp client as you have received your ip address via the ppp configuration.
I have never heard of a network that required both dhcp and ppp.
From what you have described, your DSL-modem/router makes no sense
to me at all... a bridge cannot perform NAT or be a dhcp server, so
I feel that I'm missing something from your description.
-- 
~Lynn Avants
Linux Embedded Appliance Firewall Developer
http://leaf.sourceforge.net
http://guitarlynn.homelinux.org:81




Re: [leaf-user] Re: Some questions about leaf PPPoE

2003-06-29 Thread Lynn Avants
On Sunday 29 June 2003 11:05 pm, PAGE,RAYMOND wrote:
 Not all of this may be 100% accurate, but is to the best of my
 current knowledge.

Understood.

 A bridge is merely a router with one to one connections (as
 opposed to a star).  The modem is able to turn off its DHCP, DNS,
 and NAT abilities.  Essentially it can plug into a hub or a single
 computer.  The above functionality is useful if it's plugged into
 a hub.  If it is connected to a single computer, then you are
 quite right, dhcp makes little sense, as the pppoe will make an
 outbound call after assigning a static ip to the ethernet device
 it is calling out on.

 That clarify it, or not?  Perhaps my conceptions are flawed.

A bridge is definitely not a router. Bridging is essentially the
function of a switch between similar and/or different media types.
Bridging works on OSI layer 2 and does not use ip address information,
while a router is OSI layer 3 and must use some form of ip address
information to function, period. Most DSL/cable-modems are bridges
as opposed to actual modems. This being said, many offerings of
DSL and cable modems are not only a bridge, but also include a
router on the LAN side of the bridge. I've never seen one where
you could disable the router function if included, but this would
appear to be what you have. You have said that the ip address you
receive is in the 192.168.0.0/24 subnet, which is non-routable
and reserved for private networks only (can't be used as a valid internet
address); this would tell me that your modem/router is doing NAT or
your ISP is not giving you a 'real' ip address. Personally, I would
not run 2 stages of NAT (on your modem/router and on LEAF), so if
possible I would disable NAT on your modem/router and let the Bering
box handle it. This will make many applications that do not work well
with NAT much easier to deal with.

Hopefully this clarifies what is likely happening with your 'modem'.

 Thanks for the reply, was able to regain 2% disk space after
 removing pump, which I didn't need as you mentioned :)

Np, I can't see that it would be possible to have both on a WAN 
connection.
-- 
~Lynn Avants
Linux Embedded Appliance Firewall Developer
http://leaf.sourceforge.net
http://guitarlynn.homelinux.org:81




Re: [leaf-user] separate mail routing on two LANs on shared ISP Link

2003-06-29 Thread Lynn Avants
On Sunday 29 June 2003 06:28 pm, Nyawallow James wrote:
 Hi Steve,
 I am actually running the setup below (on LAN# 1) on Dachstein Kernel
 2.2.19 based disk image v 1.0.2 and would definitely prefer to continue
 with it but would not mind using a different leaf image if advisable. The
 issues I raised were because I noticed (if am right) that on Dachstein, I
 have to configure which IP is my external IP (single IP) for portfw while
 and which internal IP  Port  to forward services to (yet I need two ext
 IPs and Int IPs). 

You can have more than one external ip address (extras go in the
ETH0_EXTRA-ADDRESS= variable). You port forward by ip address, so
if you specify the proper addresses going in and out, this is entirely
possible.

 I also noticed that I specify which is my Int LAN IPs for
 NAT (again I only noticed 1 network range space when I need two). **Am
 assuming I will be using portfw to forward smtp & http for the two domains
 to their respective mail and webservers.

You can easily add extra internal networks/subnets as well by configuring
the interfaces with the proper information and adding the extra internal
interfaces to the variables:
INTERN_IF=eth1  
INTERN_NET=192.168.1.0/24  
INTERN_IP=192.168.1.254

 These were the reasons coupled with the fact that I had tried multihoming
 on either interface e0 and e1 without success.

IIRC, multi-homing w/Dachstein wasn't much fun, though possible as well.

I hope this helps!
-- 
~Lynn Avants
Linux Embedded Appliance Firewall Developer
http://leaf.sourceforge.net
http://guitarlynn.homelinux.org:81

