[leaf-user] DNAT:ssh how to restrict ?
Dear List,

I just DNATted the ssh port of my Bering 1.0 box to an sshd server inside my local net. Works fine :-). But I am concerned about security: I would like to restrict ssh logins to a list of MAC addresses. I had a look into /etc/shorewall/rules and tried net:~00-00-00-00-00-00 (-- something like that ;-)). Shorewall outputs this: "no chain/target/match for that name" and .. exits.. Hm.

I cannot use an IP address for the restriction, because it changes. The ssh client has a dynamic IP..., so I would like to use MAC addresses.

Any hints ???

---
This SF.Net email sponsored by: Free pre-built ASP.NET sites including Data Reports, E-commerce, Portals, and Forums are available now. Download today and enter to win an XBOX or Visual Studio .NET. http://aspnet.click-url.com/go/psa0013ave/direct;at.aspnet_072303_01/01
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
[leaf-user] Bering 1.0 IDE cdrom Device not found
Dear list!

I am trying to use two IDE CD-ROM drives, which I recently connected to my Bering 1.0 box. Loading of modules succeeded; both drives are found while loading the modules. Manufacturer name and other stuff is recognized correctly. How do I access the devices?

  mount /dev/hd[ab] /mnt

results in: no driver present, no device found

  mount /dev/hd[cd] /mnt

misses: driver not found, but also states: no device found

In both CD-ROMs are CDs inserted... (I actually do a mount of /dev/hda OR /dev/hdb, instead of /dev/hd[ab] (-- regular expression).)

Reading the docs/FAQs/mail archives last night did not give a hint. Some docs on LEAF mention a device /dev/cdrom. This link does not exist. I will eventually create it, when I have found the physical device to which it can refer ;-) The device files /dev/hd[abcd] do exist.

I am _not_ trying to _boot_ from CD, I just need a second medium to store more modules, which don't fit onto one floppy disk. I also could install a second floppy drive if I had one ;-)

Thanks for any hints!
[leaf-user] DHCP client
Ok, I finally got the via-rhine driver installed, but now I can't get the DHCP client running (I've got a cable modem internet connection). After some browsing through the docs I noticed dhclient.lrp is not included in Bering by default, which seems strange since the default network setup is eth0 dhcp, eth1 fixed IP. Dhcpd.lrp is included though. Do I need the dhclient package, or am I missing something?

Also, are there any remote login tools included in the standard boot disk?

--
Alex Borghgraef
[leaf-user] Bering's features of stateful inspection
Dear List,

what features does Bering have in terms of stateful inspection? Every (commercial) FW has a feature named stateful inspection. What about Bering?

To prevent a discussion about "What is stateful inspection?": as far as I know, it is nothing strictly defined, more a marketing name of Checkpoint.

Currently I got the task to connect 4 departments via VPN. I (obviously ;-)) tend to do it with Bering, so I need arguments regarding stateful inspection. The customer currently tends to do it with a Cisco firewall or something similar... What apparently belongs to stateful inspection is conntracking. Synflood protection too?

I use Bering 1.0, therefore I don't know all the new features...

Thanks a lot for hints!
Re: [leaf-user] Bering 1.0 IDE cdrom Device not found
Hein Bauer wrote:
> Dear list!
> I am trying to use two IDE CD-ROM drives, which I recently connected to my Bering 1.0 box. Loading of modules succeeded; both drives are found while loading the modules. Manufacturer name and other stuff is recognized correctly. How do I access the devices?
>   mount /dev/hd[ab] /mnt
> results in: no driver present, no device found
>   mount /dev/hd[cd] /mnt
> misses: driver not found, but also states: no device found
> In both CD-ROMs are CDs inserted... (I actually do a mount of /dev/hda OR /dev/hdb, instead of /dev/hd[ab] (-- regular expression).)
> Reading the docs/FAQs/mail archives last night did not give a hint. Some docs on LEAF mention a device /dev/cdrom. This link does not exist. I will eventually create it, when I have found the physical device to which it can refer ;-) The device files /dev/hd[abcd] do exist.
> I am _not_ trying to _boot_ from CD, I just need a second medium to store more modules, which don't fit onto one floppy disk. I also could install a second floppy drive if I had one ;-)
> Thanks for any hints!

Do you have the iso9660 filesystem module loaded? What about the IDE CD modules (note you need more than the low-level IDE drivers; there are also modules for talking to a CD-ROM drive using the IDE bus)?

Assuming you have the modules loaded to support CD access, use:

  mount -t iso9660 -r /dev/hd[abcd] /mnt

You can also probably use the shortcut of /dev/cdrom, if the Bering init scripts still look for and create a /dev/cdrom symlink to the first cdrom device found (this feature was added to Dachstein, which Bering is based on, so it should probably work).

--
Charles Steinkuehler
[EMAIL PROTECTED]
Re: [leaf-user] DNAT:ssh how to restrict ?
On Mon, 2003-07-28 at 12:40, Hein Bauer wrote:
> Dear List,
> I just DNATted the ssh port of my Bering 1.0 box to an sshd server inside my local net. Works fine :-). But I am concerned about security: I would like to restrict ssh logins to a list of MAC addresses. I had a look into /etc/shorewall/rules and tried net:~00-00-00-00-00-00 (-- something like that ;-)). Shorewall outputs this: "no chain/target/match for that name" and .. exits..

Your kernel must have MAC address match support in order for this to work; I don't know if Jacques includes that or not.

> Hm. I cannot use an IP address for the restriction, because it changes. The ssh client has a dynamic IP..., so I would like to use MAC addresses.

Unless the client is on the same network as you are, MAC matching won't work.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
Re: [leaf-user] Bering's features of stateful inspection
On Sat, 2003-08-02 at 04:11, Henning Jebsen wrote:
> Dear List,
> what features does Bering have in terms of stateful inspection? Every (commercial) FW has a feature named stateful inspection. What about Bering?
> To prevent a discussion about "What is stateful inspection?": as far as I know, it is nothing strictly defined, more a marketing name of Checkpoint.
> Currently I got the task to connect 4 departments via VPN. I (obviously ;-)) tend to do it with Bering, so I need arguments regarding stateful inspection. The customer currently tends to do it with a Cisco firewall or something similar... What apparently belongs to stateful inspection is conntracking. Synflood protection too?
> I use Bering 1.0, therefore I don't know all the new features...

All Bering releases use Shorewall/Netfilter, which implements a stateful firewall (stateful inspection).

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
Re: [leaf-user] Bering's features of stateful inspection
Henning Jebsen wrote:
> Dear List,
> what features does Bering have in terms of stateful inspection? Every (commercial) FW has a feature named stateful inspection. What about Bering?
> To prevent a discussion about "What is stateful inspection?": as far as I know, it is nothing strictly defined, more a marketing name of Checkpoint.
> Currently I got the task to connect 4 departments via VPN. I (obviously ;-)) tend to do it with Bering, so I need arguments regarding stateful inspection. The customer currently tends to do it with a Cisco firewall or something similar... What apparently belongs to stateful inspection is conntracking. Synflood protection too?
> I use Bering 1.0, therefore I don't know all the new features...
> Thanks a lot for hints!

1. Not every commercial FW incorporates stateful inspection.

2. According to the NIST Guide to Firewall Selection and Policy Recommendations, a stateful inspection FW is a packet filter that incorporates added awareness of the OSI data model, maintaining a stateful connection state table. Please refer to the Guide for a very clear explanation.

3. The iptables/Shorewall-based Bering distro contains all you need for your task.

Regards
Franco
--
Franco Segna - [EMAIL PROTECTED]
Keys server wwwkeys.pgp.net
Key fingerprint = 704C 3070 70A0 680A 760D 025E D849 02AB 2309 87A3
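As an added illustration of what Tom and Franco describe (example code written for this page, not part of Shorewall, Bering or Netfilter), the toy filter below models the difference between a plain packet filter and one that keeps a connection state table. The stateless version has to approximate "reply traffic" with header heuristics (inbound TCP with ACK set, inbound UDP from port 53), and an attacker can satisfy those with forged packets; the stateful version admits an inbound packet only if it matches an entry created by an earlier outbound packet, which is what Netfilter's conntrack gives Shorewall. The packets, the addresses (RFC 5737 documentation ranges) and the 192.168.1.0/24 local net are constructed for the example.

```python
"""Toy comparison of a stateless packet filter and a stateful one (constructed example)."""
from dataclasses import dataclass

LOCAL_PREFIX = "192.168.1."   # assumed local (loc zone) network for the example


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP flags; ignored for udp
    ack: bool = False


def is_local(ip):
    return ip.startswith(LOCAL_PREFIX)


class StatelessFilter:
    """Packet filter with no memory: each packet is judged on its own header."""

    def filter(self, p):
        if is_local(p.src) and not is_local(p.dst):
            return "ACCEPT"                      # loc -> net always allowed
        if is_local(p.dst) and not is_local(p.src):
            # Heuristics a stateless filter must rely on to let replies back in:
            if p.proto == "tcp" and p.ack:
                return "ACCEPT"                  # "must be part of an existing connection"
            if p.proto == "udp" and p.sport == 53:
                return "ACCEPT"                  # "must be a DNS reply"
        return "DROP"


class StatefulFilter:
    """Packet filter plus a connection state table (the role conntrack plays)."""

    def __init__(self):
        self.table = set()   # entries: (proto, local_ip, local_port, remote_ip, remote_port)

    def filter(self, p):
        if is_local(p.src) and not is_local(p.dst):
            # NEW connection from loc -> net: allow it and remember it.
            self.table.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return "ACCEPT"
        if is_local(p.dst) and not is_local(p.src):
            # Inbound is accepted only as ESTABLISHED, i.e. matching a remembered flow.
            if (p.proto, p.dst, p.dport, p.src, p.sport) in self.table:
                return "ACCEPT"
        return "DROP"   # unsolicited inbound, or anything else


# Constructed traffic, in arrival order.
SAMPLE = [
    Packet("tcp", "192.168.1.10", 40000, "203.0.113.20", 80, syn=True),            # outbound SYN
    Packet("tcp", "203.0.113.20", 80, "192.168.1.10", 40000, syn=True, ack=True),  # genuine SYN/ACK
    Packet("tcp", "198.51.100.9", 80, "192.168.1.10", 40000, ack=True),            # forged ACK from elsewhere
    Packet("tcp", "198.51.100.9", 5555, "192.168.1.10", 22, syn=True),             # inbound SYN to ssh
    Packet("udp", "192.168.1.10", 5000, "203.0.113.53", 53),                       # outbound DNS query
    Packet("udp", "203.0.113.53", 53, "192.168.1.10", 5000),                       # genuine DNS reply
    Packet("udp", "198.51.100.9", 53, "192.168.1.10", 5000),                       # forged "reply" from port 53
]


def run_sample():
    """Return the verdict each filter gives for every packet in SAMPLE, in order."""
    stateless, stateful = StatelessFilter(), StatefulFilter()
    return {
        "stateless": [stateless.filter(p) for p in SAMPLE],
        "stateful": [stateful.filter(p) for p in SAMPLE],
    }


if __name__ == "__main__":
    for name, verdicts in run_sample().items():
        print(name, verdicts)
```

The third and seventh packets are the point: a stateless filter lets them through because they look like replies, while the stateful filter drops them because no local host ever talked to 198.51.100.9. The real conntrack code also tracks TCP state transitions and times entries out; this model only keeps the flow tuple.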
Re: [leaf-user] DHCP client
Bering uses pump.lrp by default.

> From: Alexander Borghgraef [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: [leaf-user] DHCP client
> Date: Sat, 2 Aug 2003 11:08:48 +0200 (CEST)
>
> Ok, I finally got the via-rhine driver installed, but now I can't get the DHCP client running (I've got a cable modem internet connection). After some browsing through the docs I noticed dhclient.lrp is not included in Bering by default, which seems strange since the default network setup is eth0 dhcp, eth1 fixed IP. Dhcpd.lrp is included though. Do I need the dhclient package, or am I missing something?
> Also, are there any remote login tools included in the standard boot disk?
>
> --
> Alex Borghgraef
Re: [leaf-user] DHCP client
To clarify, however... Bering is indeed set up to use pump.lrp by default, and it works extremely well. HOWEVER, since Bering is set up so that you can use DHCP, PPP, or PPPoE with the default image, pump.lrp is NOT loaded by default in syslinux.cfg. So, if you open up syslinux.cfg and add pump to the LRP= statement, you should have no issues getting your Bering box to grab an IP from your provider for eth0.

George M Lu wrote:
> Bering uses pump.lrp by default.
>
> > From: Alexander Borghgraef [EMAIL PROTECTED]
> > To: [EMAIL PROTECTED]
> > Subject: [leaf-user] DHCP client
> > Date: Sat, 2 Aug 2003 11:08:48 +0200 (CEST)
> >
> > Ok, I finally got the via-rhine driver installed, but now I can't get the DHCP client running (I've got a cable modem internet connection). After some browsing through the docs I noticed dhclient.lrp is not included in Bering by default, which seems strange since the default network setup is eth0 dhcp, eth1 fixed IP. Dhcpd.lrp is included though. Do I need the dhclient package, or am I missing something?
> > Also, are there any remote login tools included in the standard boot disk?
> >
> > --
> > Alex Borghgraef
[leaf-user] using dyndns as a proxy for incoming packets
Tom Eastep wrote:
> Unless the client is on the same network as you are, MAC matching won't work.

Yes, I do fairly remember, MAC addresses are restricted to my LAN (on the same cable). OK.

-- changing topic to DYNDNS --

Currently my FW accepts TCP connections only from myprivatnet.dyndns.info. So DYNDNS is a kind of (FTP) proxy to my firewall. I hope I gain a little more security by restricting it as described. Others may not address it directly by IP address. All incoming traffic to my firewall did pass security checks from dyndns. (Before my firewall is flooded, dyndns is flooded ;-)) Yes, I know, there is hardly anyone out there who should be interested in flooding my firewall.

As a second point of security I restricted fw2net (tcp) to dyndns only. loc2net is not restricted, only the firewall itself is restricted to members..something.dyndns.org (the dyndns client needs contact to its server ;-))

Comments welcome ;-)
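A caveat on the set-up above, with an added example (written for this page; not code from Shorewall, Bering or dyndns): a hostname in a firewall rule is resolved when the rule set is loaded, so the firewall matches on whatever IP address myprivatnet.dyndns.info pointed to at that moment, and the DNS service is never in the path of the packets themselves. Two things follow. If the client's dynamic address changes, the rule keeps admitting the old address (and refusing the new one) until the rules are reloaded; and whoever can change the DNS record, or spoof the resolver's answer to the firewall at load time, chooses which address gets in. The script below polls the name and re-applies the allow rule only when the answer changes. The iptables commands are an assumed shape of the rule (on a Shorewall box you would instead rerun shorewall restart so the rules file is re-resolved), the resolver answers and the failure are constructed, and simulate() shows the logic running offline with a scripted resolver in place of socket.gethostbyname.

```python
"""Re-pin a firewall allow rule to the current address of a dynamic DNS name (constructed example)."""
import socket

SSH_PORT = 22


class DdnsAllowRule:
    """Track what a DDNS name resolves to and re-apply the allow rule when it changes."""

    def __init__(self, hostname, resolver=socket.gethostbyname, apply_rule=print):
        self.hostname = hostname
        self.resolver = resolver        # injectable so the logic can run without network
        self.apply_rule = apply_rule    # hook that runs one firewall command (assumed shape below)
        self.current_ip = None

    def rule(self, action, ip):
        # Assumed rule shape: plain iptables on the firewall's own INPUT chain.
        return f"iptables {action} INPUT -p tcp --dport {SSH_PORT} -s {ip} -j ACCEPT"

    def check(self):
        """Resolve once. Returns the new address if the rule was re-applied, else None."""
        try:
            ip = self.resolver(self.hostname)
        except socket.gaierror:
            return None                 # resolver failure: keep the last known address
        if ip == self.current_ip:
            return None                 # unchanged: nothing to do
        if self.current_ip is not None:
            self.apply_rule(self.rule("-D", self.current_ip))   # remove the stale address first
        self.apply_rule(self.rule("-I", ip))
        self.current_ip = ip
        return ip


def scripted_resolver(answers):
    """Build a fake resolver that returns the constructed answers in turn (exceptions are raised)."""
    it = iter(answers)

    def resolve(hostname):
        answer = next(it)
        if isinstance(answer, Exception):
            raise answer
        return answer

    return resolve


def simulate():
    """Run four polls against constructed answers; return (poll results, commands issued)."""
    answers = ["203.0.113.5", "203.0.113.5",
               socket.gaierror("temporary failure"), "203.0.113.77"]
    commands = []
    tracker = DdnsAllowRule("myprivatnet.dyndns.info",
                            resolver=scripted_resolver(answers),
                            apply_rule=commands.append)
    results = [tracker.check() for _ in answers]
    return results, commands


if __name__ == "__main__":
    # Real use: poll well under the record's TTL (e.g. from cron) with the default resolver.
    res, cmds = simulate()
    print(res)
    for c in cmds:
        print(c)
```

The two polls that return the same address produce no commands, the failed lookup leaves the last good address in place rather than opening or closing anything, and the change to 203.0.113.77 issues a delete for the old address before the insert for the new one.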
[leaf-user] NAT Trouble
I have another problem. My son is trying to access an online gaming site and is running into a brick wall. The site requires UDP port 2213, which I opened up with no trouble. However, when he connects he gets the following error message...

  Your internet address changed! It was 4.47.177.158:62146, but now it appears to be 4.47.177.158:62156. This is a problem usually caused by a bad or improperly configured NAT setup.

What do I need to do to correct this problem?
Re: [leaf-user] NAT Trouble
At 03:29 PM 8/2/2003 -0700, Mike Koceja wrote:
> I have another problem. My son is trying to access an online gaming site and is running into a brick wall. The site requires UDP port 2213, which I opened up with no trouble. However, when he connects he gets the following error message...
>   Your internet address changed! It was 4.47.177.158:62146, but now it appears to be 4.47.177.158:62156. This is a problem usually caused by a bad or improperly configured NAT setup.
> What do I need to do to correct this problem?

Is this really an error message and not just an informational one? That is to say, does the game then fail to operate properly? If the game goes on to work, my own inclination would be to ignore the site's whining.

But assuming it is really an error message, what instruction does the site (or its companion URL) provide about how to configure access through a NAT'ing router? The message by itself is simply too lean in content to figure out what they want from you. I'd **guess** that the game client at your end runs using a particular port, not just any available port. If so, you **may** need to port-forward that port through the LEAF router rather than simply use the standard NAT'ing code to handle it (since that code will not use the same external port every time you access the site).

Really, your best bet is to look more closely at the game site. These guys want their systems to work through NAT, so they usually provide good instructions about what you need to do to make it work. Once we know what they want, translating it into LEAF terms will probably not be hard, and surely we can help with that part if you need it.

BTW, I'm assuming here that 4.47.177.158 is your external IP address. If not ... if, say, your ISP does some further NAT'ing upstream of you ... then fixing this may be more of a challenge.
[leaf-user] Question: Bering static DHCP configuration
Thank you to all that have helped me learn a bit as I go. My question now is: I'd like to configure the internal network to ONLY assign IP addresses to certain machines. I don't seem to have it correctly configured. Could someone point me to something to read / learn about this? I've checked the FAQ, read the User Guide and the Installation Guide, and Googled, but don't seem to find what I'm after.

I've got DHCP running, and assigning IPs quite nicely. Unfortunately, it's also assigning IPs to what I think are other hosts. I thought that, by only assigning particular IPs to particular MACs, the others would not receive addresses. That leaves me with some options:

- restrict the netmask to only those few addresses
- somehow change the subnet mask
- something else that restricts which IPs get assigned to which MACs

What haven't I learned yet? My dhcp.config is like this:

  dynamic-bootp-lease-length 604800;
  max-lease-time 1209600;

  host FirstHost {
    hardware ethernet 00:00:00:00:00:00;   # where the MAC addr is
    fixed-address 192.168.1.1;
  }

  host SecondHost {
    hardware ethernet 00:00:00:00:00:00;
    fixed-address 192.168.1.2;
  }

  host ThirdHost {
    hardware ethernet 00:00:00:00:00:00;
    fixed-address 192.168.1.3;
  }

  #host ExcludeHost {
  #  hardware ethernet 00:00:00:00:00:00;
  #  fixed-address 192.168.1.4;
  #}

  subnet 192.168.1.0 netmask 255.255.255.0 {
    option routers 192.168.1.254;
    option domain-name name;
    option domain-name-servers 192.168.1.254;
    range 192.168.1.1 192.168.1.3;
  }
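What the posted configuration is missing, as an added example (not from the LEAF docs or the original post): the host entries only pin three MACs to three addresses, while the range line defines a dynamic pool that ISC dhcpd will hand to any client that asks, so unknown hosts still get leases. Changing the netmask or subnet size does not help, because it is the pool, not the subnet, that answers strangers. dhcpd refuses clients without a matching host entry only when told to with deny unknown-clients; in the subnet, and fixed addresses should not sit inside a range (the original puts all three inside it). The domain-name option is a string and needs quotes. A version that answers only the three listed machines, with the placeholder MACs kept from the post, looks like this:

```conf
# dhcpd.conf: hand out leases only to hosts that have a matching "host" entry.
dynamic-bootp-lease-length 604800;
max-lease-time 1209600;

subnet 192.168.1.0 netmask 255.255.255.0 {
    option routers 192.168.1.254;
    option domain-name "name";             # string options are quoted
    option domain-name-servers 192.168.1.254;
    deny unknown-clients;                  # no host entry below -> no lease
    # No "range" line: there is no dynamic pool for unknown machines to draw from.
}

host FirstHost {
    hardware ethernet 00:00:00:00:00:00;   # replace with the real MAC
    fixed-address 192.168.1.1;
}

host SecondHost {
    hardware ethernet 00:00:00:00:00:00;
    fixed-address 192.168.1.2;
}

host ThirdHost {
    hardware ethernet 00:00:00:00:00:00;
    fixed-address 192.168.1.3;
}

# A host with no entry (the commented-out ExcludeHost above) is now simply ignored.
```

Keep in mind that this only controls who is offered a lease: a machine that sets a static address in 192.168.1.0/24, or clones one of the listed MACs, is on the network regardless, so DHCP restriction is convenience rather than access control and the firewall rules should not rely on it.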
RE: [leaf-user] NAT Trouble
Maybe this app requires more than one port, like H.323. Port forwarding might then solve the problem.

Mohan

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ray Olszewski
Sent: Sunday, August 03, 2003 5:22 AM
To: leaf
Subject: Re: [leaf-user] NAT Trouble

> At 03:29 PM 8/2/2003 -0700, Mike Koceja wrote:
> > I have another problem. My son is trying to access an online gaming site and is running into a brick wall. The site requires UDP port 2213, which I opened up with no trouble. However, when he connects he gets the following error message...
> >   Your internet address changed! It was 4.47.177.158:62146, but now it appears to be 4.47.177.158:62156. This is a problem usually caused by a bad or improperly configured NAT setup.
> > What do I need to do to correct this problem?
>
> Is this really an error message and not just an informational one? That is to say, does the game then fail to operate properly? If the game goes on to work, my own inclination would be to ignore the site's whining.
>
> But assuming it is really an error message, what instruction does the site (or its companion URL) provide about how to configure access through a NAT'ing router? The message by itself is simply too lean in content to figure out what they want from you. I'd **guess** that the game client at your end runs using a particular port, not just any available port. If so, you **may** need to port-forward that port through the LEAF router rather than simply use the standard NAT'ing code to handle it (since that code will not use the same external port every time you access the site).
>
> Really, your best bet is to look more closely at the game site. These guys want their systems to work through NAT, so they usually provide good instructions about what you need to do to make it work. Once we know what they want, translating it into LEAF terms will probably not be hard, and surely we can help with that part if you need it.
>
> BTW, I'm assuming here that 4.47.177.158 is your external IP address. If not ... if, say, your ISP does some further NAT'ing upstream of you ... then fixing this may be more of a challenge.