[leaf-user] DSL troubleshooting.....

2003-11-25 Thread John Mullan
Can anyone give me hints about what to look for?

My DSL modem (apparently) loses sync when I try to access an external web
site.  After it syncs back up, and I try again, I lose sync again.  Ping
works the same way except if I try to ping an IP rather than URL.

Now this would seem to me to be a DNS problem.  But can this be with my
internal DNS or ISP's DNS ???  Could it be either?

HISTORY:  This is my home/personal network.  I have Bering/Shorewall and it
has been working up until yesterday.  I have not made any changes in the
last couple of days.  I have a Win2K server (192.168.1.128) inside and it
is the primary DNS of the internal network.  Bering box (192.168.1.254) is
secondary DNS (DNSCache), i.e., Win2K will forward unresolved addresses to
it (obvious!?!).

Ideas please..

John (www.mullan.ca)
==
http://www.olgc.ca   888-345-7568 ext. 2210
mailto:[EMAIL PROTECTED]   416-213-2210 (direct)
==
If each of us has one object, and we exchange them,
  then each of us still has one object.

If each of us has one idea, and we exchange them,
  then each of us now has two ideas.
==


KNOW YOUR LIMIT, PLAY WITHIN IT!
ONTARIO PROBLEM GAMBLING HELPLINE   1 888 230-3505

GOING BEYOND YOUR LIMITS IS NO LONGER A GAME.
THE ONTARIO PROBLEM GAMBLING HELPLINE   1 888 230-3505




---
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive?  Does it
help you create better code?  SHARE THE LOVE, and help us help
YOU!  Click Here: http://sourceforge.net/donate/

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html


Re: [leaf-user] Using a Sip phone with Dachstein 1.02

2003-11-25 Thread Robert Chambers
Ray:
In my discussions about Kphone on another forum, I was informed about an 
app called siproxd from siproxd.sf.net which works with Kphone and 
Linphone.  A short explanation of siproxd copied from the siproxd.sf.net 
website:

Siproxd is a proxy/masquerading daemon for the SIP protocol.
It handles registrations of SIP clients on a private IP network
and performs rewriting of the SIP message bodies to make SIP
connections possible via a masquerading firewall.
It allows SIP clients (like kphone, linphone) to work behind
an IP masquerading firewall or router.

Robert Chambers

Ray Olszewski wrote:

At 08:33 PM 11/24/2003 -0600, Robert Chambers wrote:

I am trying to use a Sip phone with Dachstein 1.02 and according to 
[EMAIL PROTECTED] I must open ports in the range of 5004 and 5060 
- 65534 UDP. But according to an email that I received from their 
support, the phone will not work with Linux routers because their 
NAT type is symmetric.

Here is a copy of one of the emails:

"Open ports range 5004 and 5060-65534 UDP in your firewall to allow
SIPphone calls. You might want to check first to see if you are 
behind asymmetric NAT. Dial '*0' and wait for the announcement. If you 
hear the message "You are behind a NAT" then you won't be able to 
make any calls no matter how you set up your firewall. In this case 
you might want to try updating the firmware on your router. If that 
doesn't work then you will need to try a different router."


I've only started seeing the terms "symmetric NAT" and "asymmetric 
NAT" very recently, and I had to Google them to find out what they 
(probably) mean. If I've misunderstood the terms, then the rest of my 
reply is nonsense, and I apologize for wasting your time.

What I found (at 
http://www.kanga.nu/archives/MUD-Dev-L/2000Q1/msg00539.php; much more 
informative than the bafflegab on the sipphone.com Website) says that 
asymmetric NAT refers to situations where the number of internal IP 
addresses being NAT'd is greater than the number of external addresses 
they are being NAT'd to. Or, in terms more familiar to us old timers, 
"symmetric NAT" refers to the one-to-one NAT'ing of private to public 
IP addresses that I used to call static NAT, while "asymmetric NAT" 
refers to the many-to-one NAT'ing of private addresses to a single 
public address that I used to call dynamic NAT. (This simplifies 
things a bit too much, but not, I think, in ways that matter to the 
immediate problem.)

Linux (LEAF and other) routers can do both kinds of NAT'ing. (Even 
ipchains could do static NAT'ing, and iptables is only better at it.) 
But to do symmetric NAT'ing, you need multiple public IP addresses, 
and LEAF routers are often used in settings where the goal is to share 
a single public address over all the hosts in a network. If you have a 
separate public IP address you can assign to the SIP device, your LEAF 
router is quite able to static-NAT it for you.

But usually this sort of problem comes up in settings where only the 
single public address is available, and with peer-to-peer services 
like Kazaa and some multiplayer games. SIP is no different in 
principle from these other cases.

The usual workaround for this sort of problem is to port-forward the 
required ports to the host you want to run the service on. 
Unfortunately, as far as I can find out, there are no standards for 
the ports that SIP phones use, so you get nonsense advice like 
requiring 6 ports (5060 to 65534) to be available to the SIP host. 
(Similarly, I've seen docs for a Cisco SIP phone that requires 
forwarding of ~32000 ports.)

If anyone knows a more comforting answer, I would love to see it. But 
I *believe* the problem here is not with Linux (or Linksys or Netgear 
or ... routers, all of which would also have this problem) but with a 
poor implementation of SIP by the vendor.

FYI, the latest version of the Linux app kphone allows the user to 
specify the port range that its SIP connections will use. I don't have 
that working yet ... I started working on getting it and FWD running 
but got distracted ... but it might be the basis for a workaround that 
involves forwarding only a handful of ports (a dozen or so) to a 
sensible VoIP/SIP provider.

In any case, the limitation you face derives not from Linux or LEAF, 
but from the availability of a single public IP address. Get a second 
address and the problem is easily handled by Linux. Without a second 
IP address ... you probably need to try a different VoIP supplier.






Re: [leaf-user] DSL troubleshooting.....

2003-11-25 Thread George Metz
This cannot be a DNS issue. It's like saying, every time a plane flies 
over my house, the subway train that runs underneath it gets derailed.

DSL modem sync is a Layer 2 function, whereas DNS is a Layer 7(?) 
function. (I'm talking about the OSI Layer Model. Layer 2 is Data Link, 
Layer 7 is application, though I'm too tired to place DNS accurately, so 
it might be in the 4-6 range.) More than likely, there's something 
screwy with your DSL modem and a request on port 80 is causing it to 
keel over. I would contact your DSL provider and request that they have 
the line tested - you'll need to be on hand for that - and if that 
doesn't turn anything up, see if they'll send you a replacement modem. 
Explain everything in detail to them when you call.

If you want to verify that it isn't your Bering box before you call, 
just run the ethernet cable straight from the modem to your workstation, 
set whatever needs to be set for getting an IP address, and try 
accessing a website and see if it does the same thing.

George



Re: [leaf-user] DSL troubleshooting.....

2003-11-25 Thread Ray Olszewski
At 07:41 AM 11/25/2003 -0500, John Mullan wrote:
Can anyone give me hints about what to look for?

My DSL modem (apparently) loses sync when I try to access an external web
site.  After it syncs back up, and I try again, I lose sync again.  Ping
works the same way except if I try to ping an IP rather than URL.
Can you describe in a bit more detail what actual symptoms lie behind 
"(apparently) loses sync" and "it syncs back up"? Are you actually seeing 
the DSL modem's sync light (or whatever it is called on your device) go 
off, then back on? And, just to be sure, the problem is associated with 
*any* attempt at off-LAN DNS resolution (not just port-80 URLs), right?

George's response is correct as far as it goes -- problems with a DSL 
modem's connectivity to your ISP are OSI layer-2, or possibly layer-1, 
problems, and (putting aside the possibility of some bizarre interaction 
deliberately introduced by your ISP, mentioned only because I don't put 
*anything* beyond sufficiently stupid ISPs) layer-3 (IP) and layer-4 (TCP, 
UDP) activities should not affect layer 2 (or 1).

If your evidence for loss of sync is more indirect than what I write above, 
please provide additional details on the symptoms and on how you have DNS 
set up.

If it is not more indirect, follow George's advice in the first instance. 
(Except focus on port 53, not port 80, if the problem occurs with pings by 
FQN as well as URLs).

You might still want to tell us the rest of the details of your DNS setup 
and what sort of DSL service you have (that is, how you get your IP address 
... it is PPPoE, for example). I can (just barely) imagine that your ISP is 
doing something silly to discourage its captives (pardon me, its 
"customers") from bypassing its DNS forwarders.

Now this would seem to me to be a DNS problem.  But can this be with my
internal DNS or ISP's DNS ???  Could it be either?
HISTORY:  This is my home/personal network.  I have Bering/Shorewall and it
has been working up until yesterday.  I have not made any changes in the
last couple of days.  I have a Win2K server (192.168.1.128) inside and it
is the primary DNS of the internal network.  Bering box (192.168.1.254) is
secondary DNS (DNSCache).  IE; Win2K will forward unresolved addresses to
it (obvious!?!).
Ideas please..






Re: [leaf-user] DSL troubleshooting.....

2003-11-25 Thread John Mullan

OK.  My evidence for 'loses sync': the lights labeled DSL and ATM on the
modem go out.  Flash for a while, then come back on.

I can access any IP or URL that exists within the internal network, i.e., a
web server exists on host WWW (192.168.1.128) and I can access it via
http://www or http://192.168.1.128

However, I cannot access http://www.google.com or others.  If the modem is
'synced up', attempting to access an external page may start to load, but
the lights again go out on the modem and the page is not displayed.

DSL is PPPoE.  I don't think I can be too much more specific on the DNS
setup except standard DNSCache setup on the Bering box (i.e., as suggested
when setting up PPPoE).  The Win2K machine is set as DNS server but to
forward unresolved requests to the Bering box.  The Bering box therefore, I
believe, will be supplied DNS info from the ISP (Sympatico, by the way).

Does this clarify?



   


Re: [leaf-user] DSL troubleshooting.....

2003-11-25 Thread Ray Olszewski
At 01:30 PM 11/25/2003 -0500, John Mullan wrote:

OK.  My evidence for 'loses sync': the lights labeled DSL and ATM on the
modem go out.  Flash for a while, then come back on.
Ok. Those labels don't match the lights on either of my DSL modems, but 
your interpretation of them sounds right. Since you use PPPoE, you actually 
have multiple "layer 2" layers, each encapsulated in another. But these 
lights seem to imply either a layer-1 (physical layer) failure of some sort 
or a failure of the lowest layer 2 (whatever native protocol the DSL 
circuit itself uses, something that will encapsulate the Ethernet frames on 
the far side of the DSL modem and be invisible to your router).

I can access any IP or URL that exists within the internal network.  IE; a
web server exists on host WWW (192.168.1.128) and I can access it via
http://www or http://192.168.1.128
This would be true whatever the source of the problem is.

However, I cannot access http://www.google.com or others.  If the modem is
'synced up', attempting to access an external page may start to load, but
the lights again go out on the modem and the page is not displayed.
If the page "may start to load", then any DNS requests have been processed 
successfully. This implies that the problem is not specifically with DNS.

DSL is PPPoE.  I don't think I can be too much more specific on the DNS
setup except standard DNSCache setup on the Bering box (ie; as suggested
when setting up PPPoE).  The Win2K machine is set as DNS server but to
forward unresolved requests to the Bering box.  The Bering box therefore, I
believe, will be supplied DNS info from the ISP (Sympatico, by the way).
No need for more detail here, I think.

Does this clarify?
Mostly. Your earlier message said, as I read it, that you had sync problems 
("Ping works the same way") if you ping by FQN but not if you ping by IP 
address. Based on the added information you just supplied about http 
problems, I suspect it would be worth knowing more about other services 
(including ping) and how they react. For example ...

1. Can you connect to an offsite Web page by IP address?

2. Can you do a traceroute by (a) FQN and (b) IP address?

More generally, what *can* you do with any reliability over this 
connection? More and more, this sounds like a line problem ... either a 
physical problem with the line or the DSL modem, or something at the ISP 
end ... but one that only manifests itself when you use more than a trivial 
amount of bandwidth. That is, George's initial guess appears to have been 
on target (except perhaps for the part that associates the problem with port 
80).

[old stuff deleted]







Re: [leaf-user] DSL troubleshooting.....

2003-11-25 Thread John Mullan

Hmmm.  Physical line problems??

Perhaps this should have been my first line of attack :-(  since it seemed
to happen suddenly.

I will go around and make sure nobody fiddled with any of the filters!  Of
course, this will have to wait until I get home in an hour or two.

As one of my tech teachers used to say "NEVER OVERLOOK THE OBVIOUS".




   


[leaf-user] IPSEC NAT traversal with shorewall HELP!

2003-11-25 Thread Troy Aden
Hello all,

I have posted earlier regarding setting up an IPSEC gateway with Bering
UCLIBC 2.0.
I am happy to report that I have successfully setup an IPSEC tunnel between
two routers (External interface only).

The next step is to setup IPSEC so that I can communicate from router A's
internal subnet to Router B's internal subnet.

ROUTER A Eth0 = 24.78.140.* --> Eth1 = 172.16.0.0/16

I want 172.16.0.0/16 network to be able to communicate with 192.168.1.0/24
network.

ROUTER B Eth0 = 139.142.224.* --> Eth1 = 192.168.1.0/24

Can anyone please tell me exactly what I need to do to get this working? I
will include all the relevant configs below. I realize that I may have
things way too open security-wise, so if anyone has any pointers on how I
should go about hardening this configuration please feel free to tell me.
For example, what exactly do I need to have in my shorewall/rules and
/policy files to allow IPSEC? (I suspect that my shorewall config is full of
unnecessary rules and policies.)
My goal with this configuration is to have two networks linked via IPSEC. I
would expect that all users from site A will be able to communicate with all
users on site B "transparently" meaning that for all intents and purposes
users on site A's internal network would be able to communicate with users
from site B's internal network as if they were on the same LAN. If I am off
base in how this works, please feel free to correct me.

Here is my working config: (I apologize in advance since there is a fair
amount here.)
Also, for the sake of saving space, I am only posting one half of the
connection in this post. The other half simply has the other routers
external IP entered in the /etc/shorewall/tunnels file and the IPs are
switched around in the /etc/ipsec.secrets file. I have also put in a bogus
secrets password to save space. :-))

Thanks in advance!



To start the tunnel
ipsec whack --initiate --name Victoria

To stop the tunnel
ipsec whack --terminate --name Victoria



>>> working configs for router-router IPSEC >>>
SITE A SIDE

#
# Shorewall 1.4 /etc/shorewall/zones
#
# This file determines your network zones. Columns are:
#
#   ZONE        Short name of the zone (5 Characters or less in length).
#   DISPLAY     Display name of the zone
#   COMMENTS    Comments about the zone
#
#ZONE   DISPLAY COMMENTS
net     Net     Internet
loc     Local   Local networks
vpn     VPN     Remote Networks
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE


/etc/shorewall/interfaces

##
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      routefilter,norfc1918,tcpflags
loc     eth1        detect
vpn     ipsec0


/etc/shorewall/policy

###
#SOURCE DEST    POLICY  LOG LEVEL   LIMIT:BURST
loc     vpn     ACCEPT
vpn     loc     ACCEPT
vpn     fw      ACCEPT
net     vpn     ACCEPT
vpn     net     ACCEPT
fw      vpn     ACCEPT
loc     net     ACCEPT
net     loc     REJECT  ULOG
# If you want open access to the Internet from your Firewall
# remove the comment from the following line.
#fw     net     ACCEPT
net     all     DROP    ULOG
all     all     REJECT  ULOG
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE


/etc/shorewall/rules

#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  ORIGINAL
#                               PORT    PORT(S) DEST

#IPSEC RULES

ACCEPT  net     fw      udp     500
ACCEPT  fw      net     udp     500
ACCEPT  vpn     fw      udp     500
ACCEPT  fw      vpn     udp     500
ACCEPT  vpn     loc     udp     500
ACCEPT  loc     vpn     udp     500
ACCEPT  vpn     net     udp     500
ACCEPT  net     vpn     udp     500

ACCEPT  net     fw      esp     -
ACCEPT  fw      net     esp     -
ACCEPT  vpn     fw      esp     -
ACCEPT  fw      vpn     esp     -
ACCEPT  vpn     loc     esp     -
ACCEPT  loc     vpn     esp     -
ACCEPT  vpn     net     esp     -
ACCEPT  net     vpn     esp     -

ACCEPT  net     fw      ah      -
ACCEPT  fw      net     ah      -
ACCEPT  vpn     fw      ah      -
ACCEPT  fw      vpn     ah      -
ACCEPT  vpn     loc     ah      -
ACCEPT  loc     vpn     ah      -
ACCEPT  vpn     net     ah      -
ACCEPT  net     vpn     ah      -

#   Accept DNS connections from the firewall to the network
#
ACCEPT

Re: [leaf-user] IPSEC NAT traversal with shorewall HELP!

2003-11-25 Thread Tom Eastep
On Tue, 25 Nov 2003, Troy Aden wrote:

> The next step is to setup IPSEC so that I can communicate from router A's
> internal subnet to Router B's internal subnet.
>
> ROUTER A Eth0 = 24.78.140.* --> Eth1 = 172.16.0.0/16
>
> I want 172.16.0.0/16 network to be able to communicate with 192.168.1.0/24
> network.
>
> ROUTER B Eth0 = 139.142.224.* --> Eth1 = 192.168.1.0/24
>
> Can anyone please tell me exactly what I need to do to get this working?

From a Shorewall point of view, much less than you are doing. As a last
resort, consult the Shorewall IPSEC documentation:
http://www.shorewall.net/IPSEC.htm

-Tom
--
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
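To make Tom's "much less than you are doing" concrete, here is an added example (not code from either post, and not a Shorewall tool): it replays Troy's policy table and the eight zone pairs his rules file repeats for udp/500, esp and ah, using Shorewall's documented order (rules first, then the first matching policy line, with "all" as a wildcard), and reports which ACCEPT rules a policy already covers plus any policy that blanket-accepts traffic from the untrusted zone. The tables are copied from the post; the truncated trailing rule is omitted.

```python
"""Audit the Shorewall 1.4 policy and rules tables posted above.

Constructed input: POLICY is the posted /etc/shorewall/policy file; the
rules file repeats the same eight zone pairs for udp/500, esp and ah,
so those pairs are listed once and expanded.  Matching follows the
Shorewall rule: the rules file is consulted first, and if no rule
matches, the first policy line whose SOURCE and DEST match (with 'all'
as a wildcard) decides.  An ACCEPT rule whose zone pair already falls
under an ACCEPT policy therefore changes nothing.
"""

POLICY = """
#SOURCE DEST    POLICY  LOG LEVEL
loc     vpn     ACCEPT
vpn     loc     ACCEPT
vpn     fw      ACCEPT
net     vpn     ACCEPT
vpn     net     ACCEPT
fw      vpn     ACCEPT
loc     net     ACCEPT
net     loc     REJECT  ULOG
#fw     net     ACCEPT
net     all     DROP    ULOG
all     all     REJECT  ULOG
"""

# Zone pairs as they appear in the posted rules file, in file order.
PAIRS = [("net", "fw"), ("fw", "net"), ("vpn", "fw"), ("fw", "vpn"),
         ("vpn", "loc"), ("loc", "vpn"), ("vpn", "net"), ("net", "vpn")]
PROTOS = [("udp", "500"), ("esp", "-"), ("ah", "-")]
RULES = [("ACCEPT", src, dst, proto, port)
         for proto, port in PROTOS for src, dst in PAIRS]


def parse_policy(text):
    """Return [(src, dst, action)] in file order; comments and blanks skipped."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # '#fw net ACCEPT' stays commented
        if line:
            src, dst, action = line.split()[:3]
            rows.append((src, dst, action))
    return rows


def effective_policy(policies, src, dst):
    """Action of the first policy line matching src->dst ('all' matches any zone)."""
    for psrc, pdst, action in policies:
        if psrc in (src, "all") and pdst in (dst, "all"):
            return action
    return None   # Shorewall itself refuses to start without a catch-all


def redundant_rules(policies, rules):
    """ACCEPT rules whose zone pair is already ACCEPTed by policy."""
    return [r for r in rules
            if r[0] == "ACCEPT" and effective_policy(policies, r[1], r[2]) == "ACCEPT"]


def permissive_policies(policies, untrusted="net"):
    """Policy lines that accept everything originating in the untrusted zone."""
    return [p for p in policies if p[0] == untrusted and p[2] == "ACCEPT"]


def audit(policy_text=POLICY, rules=RULES):
    """Split the rules into those a policy already covers and those doing work."""
    policies = parse_policy(policy_text)
    redundant = redundant_rules(policies, rules)
    needed = [r for r in rules if r not in redundant]
    return {"redundant": redundant, "needed": needed,
            "permissive": permissive_policies(policies)}


if __name__ == "__main__":
    report = audit()
    for r in report["redundant"]:
        print("covered by policy:", *r)
    for r in report["needed"]:
        print("does real work:   ", *r)
    for p in report["permissive"]:
        print("review this policy:", *p)
```

Only the six net<->fw lines survive, which is where IKE (udp 500), ESP and AH actually arrive between the two gateways; the net->vpn ACCEPT policy is flagged because it admits anything from the Internet into the decrypted ipsec0 zone.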




[leaf-user] LRP & apache http setup

2003-11-25 Thread kevin
a little background information:

i am in the process of configuring and running a linux apache http 
webserver from my house and i had a few questions concerning my LRP. 
(eigerstein, basic configuration)  the web server will host my web pages 
for public viewing for now, and i will install a ftp server in the future.

right now my webserver is running apache, (slackware 9.0, with upgraded 
apache http 2.0)

the server can access itself:

(i get the apache default page)
(i get the apache default page)
  (i get a web test page i created)
a windows client cannot access the server at all.

question, does the eigerstein hide all of the ports to the outside 
world?  i think it does, so is it possible to configure eigerstein to 
allow people to access my webserver?


