Re: [leaf-user] IPSEC NAT traversal with shorewall HELP!
On Tuesday 25 November 2003 08:47 pm, Troy Aden wrote:

> [...]
> My goal with this configuration is to have two networks linked via IPSEC. I would expect that all users from site A will be able to communicate with all users on site B transparently, meaning that for all intents and purposes users on site A's internal network would be able to communicate with users from site B's internal network as if they were on the same LAN. If I am off base in how this works, please feel free to correct me.

DNS, WINS, and other forms of broadcast traffic will not work ideally across the tunnel transparently. For SMB networking, you'll likely have to link PDC's and/or WINS servers on each subnet. There is some information on this at http://leaf.sf.net/devel/guitarlynn/ipsec.txt

--
~Lynn Avants
Linux Embedded Appliance Firewall Developer
http://leaf.sourceforge.net
http://guitarlynn.homelinux.org:81

---
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive? Does it help you create better code?
SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
[leaf-user] Bering Dial in, problems with ppp - long
Dear list listeners,

I am tearing my hair out trying to get this to work, so I am humbly seeking advice on how to get Bering 1.2, with pppoe on the internet side, to accept a dial in using ppp again on the internal side of this connection. The good news is that the dial in will receive and accept the call via mgetty, and will start pppd as it gets the password and lcp connection and discissions; ip-up is reached and executed, although nothing exists in it, as seen below:

Nov 25 08:45:01 firewall /USR/SBIN/CRON[31332]: (root) CMD (/etc/multicron-p)
Nov 25 08:53:01 firewall pppd[8591]: pppd 2.4.1 started by LOGIN, uid 0
Nov 25 08:53:01 firewall pppd[8591]: using channel 25
Nov 25 08:53:01 firewall pppd[8591]: Using interface ppp1
Nov 25 08:53:01 firewall pppd[8591]: Connect: ppp1 -- /dev/ttyS0
Nov 25 08:53:01 firewall pppd[8591]: sent [LCP ConfReq id=0x1 asyncmap 0x0 auth pap magic 0x7a06aae5 pcomp accomp]
Nov 25 08:53:04 firewall pppd[8591]: rcvd [LCP ConfReq id=0x3 asyncmap 0xa magic 0x1c6a6 pcomp accomp callback CBCP]
Nov 25 08:53:04 firewall pppd[8591]: sent [LCP ConfRej id=0x3 callback CBCP]
Nov 25 08:53:04 firewall pppd[8591]: sent [LCP ConfReq id=0x1 asyncmap 0x0 auth pap magic 0x7a06aae5 pcomp accomp]
Nov 25 08:53:04 firewall pppd[8591]: rcvd [LCP ConfReq id=0x4 asyncmap 0xa magic 0x1c6a6 pcomp accomp]
Nov 25 08:53:04 firewall pppd[8591]: sent [LCP ConfAck id=0x4 asyncmap 0xa magic 0x1c6a6 pcomp accomp]
Nov 25 08:53:04 firewall pppd[8591]: rcvd [LCP ConfAck id=0x1 asyncmap 0x0 auth pap magic 0x7a06aae5 pcomp accomp]
Nov 25 08:53:04 firewall pppd[8591]: sent [LCP EchoReq id=0x0 magic=0x7a06aae5]
Nov 25 08:53:04 firewall pppd[8591]: rcvd [PAP AuthReq id=0x1 user=a_user password=hidden]
Nov 25 08:53:04 firewall pppd[8591]: sent [PAP AuthAck id=0x1 Login ok]
Nov 25 08:53:04 firewall pppd[8591]: sent [IPCP ConfReq id=0x1 addr 192.168.5.254 compress VJ 0f 01]
Nov 25 08:53:04 firewall pppd[8591]: rcvd [LCP EchoRep id=0x0 magic=0x1c6a6]
Nov 25 08:53:04 firewall pppd[8591]: rcvd [IPCP ConfReq id=0x1 compress VJ 0f 01 addr 0.0.0.0 ms-dns1 0.0.0.0 ms-wins 0.0.0.0 ms-wins 0.0.0.0]
Nov 25 08:53:04 firewall pppd[8591]: sent [IPCP ConfRej id=0x1 ms-wins 0.0.0.0 ms-wins 0.0.0.0]
Nov 25 08:53:04 firewall pppd[8591]: rcvd [CCP ConfReq id=0x1 12 06 00 00 00 01 11 05 00 01 04]
Nov 25 08:53:04 firewall pppd[8591]: Unsupported protocol 'Compression Control Protocol' (0x80fd) received
Nov 25 08:53:04 firewall pppd[8591]: sent [LCP ProtRej id=0x2 80 fd 01 01 00 0f 12 06 00 00 00 01 11 05 00 01 04]
Nov 25 08:53:04 firewall pppd[8591]: rcvd [IPCP ConfAck id=0x1 addr 192.168.5.254 compress VJ 0f 01]
Nov 25 08:53:04 firewall pppd[8591]: rcvd [IPCP ConfReq id=0x2 compress VJ 0f 01 addr 0.0.0.0 ms-dns1 0.0.0.0]
Nov 25 08:53:04 firewall pppd[8591]: sent [IPCP ConfNak id=0x2 addr 192.168.5.99 ms-dns1 192.168.5.254]
Nov 25 08:53:04 firewall pppd[8591]: rcvd [IPCP ConfReq id=0x3 compress VJ 0f 01 addr 192.168.5.99 ms-dns1 192.168.5.254]
Nov 25 08:53:04 firewall pppd[8591]: sent [IPCP ConfAck id=0x3 compress VJ 0f 01 addr 192.168.5.99 ms-dns1 192.168.5.254]
Nov 25 08:53:04 firewall pppd[8591]: found interface eth1 for proxy arp
Nov 25 08:53:04 firewall pppd[8591]: local IP address 192.168.5.254
Nov 25 08:53:04 firewall pppd[8591]: remote IP address 192.168.5.99
Nov 25 08:53:04 firewall pppd[8591]: Script /etc/ppp/ip-up started (pid 4309)
Nov 25 08:53:04 firewall pppd[8591]: Script /etc/ppp/ip-up finished (pid 4309), status = 0x100
Nov 25 08:53:37 firewall pppd[7359]: No response to 3 echo-requests
Nov 25 08:53:37 firewall pppd[7359]: Serial link appears to be disconnected.
Nov 25 08:53:37 firewall pppd[7359]: Couldn't increase MTU to 1500.
Nov 25 08:53:37 firewall pppd[7359]: Couldn't increase MRU to 1500
Nov 25 08:53:43 firewall pppd[7359]: Connection terminated.
Nov 25 08:53:43 firewall pppd[7359]: Connect time 561.8 minutes.
Nov 25 08:53:43 firewall pppd[7359]: Sent 383329 bytes, received 1140685 bytes.
Nov 25 08:53:43 firewall pppd[7359]: Doing disconnect
Nov 25 08:54:04 firewall pppd[8591]: Hangup (SIGHUP)
Nov 25 08:54:04 firewall pppd[8591]: Modem hangup
Nov 25 08:54:04 firewall pppd[8591]: Script /etc/ppp/ip-down started (pid 1933)
Nov 25 08:54:04 firewall pppd[8591]: Connection terminated.
Nov 25 08:54:04 firewall pppd[8591]: Connect time 1.1 minutes.
Nov 25 08:54:04 firewall pppd[8591]: Sent 446 bytes, received 842 bytes.
Nov 25 08:54:04 firewall pppd[8591]: Waiting for 1 child processes...
Nov 25 08:54:04 firewall pppd[8591]: script /etc/ppp/ip-down, pid 1933
Nov 25 08:54:04 firewall pppd[8591]: Script /etc/ppp/ip-down finished (pid 1933), status = 0x100
Nov 25 08:54:04 firewall pppd[8591]: Exit.
Nov 25 08:54:13 firewall pppd[7359]: Sending PADI
Nov 25 08:54:32 firewall pppd[7359]: HOST_UNIQ successful match
Nov 25 08:54:32 firewall pppd[7359]: HOST_UNIQ successful match
Nov 25 08:54:32 firewall pppd[7359]: Got connection: a63
Nov 25 08:54:32 firewall pppd[7359]: Connecting PPPoE socket:
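The log above interleaves two pppd processes, pppd[8591] (the dial-in on ppp1) and pppd[7359] (the PPPoE link), which makes it hard to see which one dropped first. The following summarizer is an added example, not part of the original post: it groups syslog lines by pppd PID and reports each session's interface, addresses and the reason it ended. The sample lines are a subset of the log quoted above.

```shell
#!/bin/sh
# Summarize interleaved pppd syslog lines per process (added example).
# Usage on a real box:  grep pppd /var/log/messages | ppp_sessions

# ppp_sessions: read syslog lines on stdin, print one line per pppd PID:
#   PID IFACE LOCAL_IP REMOTE_IP up|ended REASON
# REASON is "echo-timeout" (LCP echo failures), "sighup" (hung up from
# outside, e.g. a modem or a parent signal) or "running" if no known cause.
ppp_sessions() {
    awk '
        match($0, /pppd\[[0-9]+\]/) {
            pid = substr($0, RSTART + 5, RLENGTH - 6)   # digits inside pppd[...]
            if (!(pid in seen)) {
                seen[pid] = 1; order[++n] = pid
                iface[pid] = "?"; lip[pid] = "?"; rip[pid] = "?"; reason[pid] = "running"
            }
            if (match($0, /Using interface [a-z0-9]+/))
                iface[pid] = substr($0, RSTART + 16, RLENGTH - 16)
            if (match($0, /local IP address [0-9.]+/))
                lip[pid] = substr($0, RSTART + 17, RLENGTH - 17)
            if (match($0, /remote IP address [0-9.]+/))
                rip[pid] = substr($0, RSTART + 18, RLENGTH - 18)
            if (/No response to [0-9]+ echo-requests/) reason[pid] = "echo-timeout"
            else if (/Hangup \(SIGHUP\)/)            reason[pid] = "sighup"
            if (/Connection terminated/) ended[pid] = 1
        }
        END {
            for (i = 1; i <= n; i++) {
                p = order[i]
                printf "%s %s %s %s %s %s\n", p, iface[p], lip[p], rip[p],
                       (p in ended) ? "ended" : "up", reason[p]
            }
        }'
}

# Sample taken from the log in the post above (only the lines the summary needs).
SAMPLE_LOG='Nov 25 08:53:01 firewall pppd[8591]: pppd 2.4.1 started by LOGIN, uid 0
Nov 25 08:53:01 firewall pppd[8591]: Using interface ppp1
Nov 25 08:53:04 firewall pppd[8591]: local IP address 192.168.5.254
Nov 25 08:53:04 firewall pppd[8591]: remote IP address 192.168.5.99
Nov 25 08:53:37 firewall pppd[7359]: No response to 3 echo-requests
Nov 25 08:53:37 firewall pppd[7359]: Serial link appears to be disconnected.
Nov 25 08:53:43 firewall pppd[7359]: Connection terminated.
Nov 25 08:54:04 firewall pppd[8591]: Hangup (SIGHUP)
Nov 25 08:54:04 firewall pppd[8591]: Modem hangup
Nov 25 08:54:04 firewall pppd[8591]: Connection terminated.
Nov 25 08:54:13 firewall pppd[7359]: Sending PADI'

printf '%s\n' "$SAMPLE_LOG" | ppp_sessions
```

On the sample this prints one line per process: the dial-in (8591, ppp1) ended with a SIGHUP about 30 seconds after the PPPoE process (7359) gave up on LCP echoes, which is the ordering worth checking before blaming ip-up or mgetty.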
Re: [leaf-user] LRP apache http setup
kevin wrote:

> a little background information: i am in the process of configuring and running a linux apache http webserver from my house and i had a few questions concerning my LRP. (eigerstein, basic configuration)
>
> the web server will host my web pages for public viewing for now, and i will install an ftp server in the future. right now my webserver is running apache (slackware 9.0, with upgraded apache http 2.0).
>
> the server can access itself:
> http://127.0.0.1 (i get the apache default page)
> http://localhost (i get the apache default page)
> http://localhost/test.html (i get a web test page i created)
>
> a windows client cannot access the server at all.

Sounds like you've got something messed up in your apache configuration. Run 'netstat -lnp' on the webserver, and make sure apache is listening on port 80 of the network interface, and not just the loopback interface.

> question, does the eigerstein hide all of the ports to the outside world? i think it does, so is it possible to configure eigerstein to allow people to access my webserver?

Yes, using port-forwarding. Simply uncomment the INTERN_WWW_SERVER setting, and set the IP address to the private IP assigned to your web-server machine. People outside your network can then connect using the IP of your firewall (assuming you get apache fixed :).

--
Charles Steinkuehler
[EMAIL PROTECTED]
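The 'netstat -lnp' check Charles describes, as an added example (not from the thread): the function reads netstat's listening-socket table and reports whether a port is bound to all addresses, to loopback only (the symptom kevin has: works from the box, unreachable from the LAN), or not at all. The netstat output below is constructed.

```shell
#!/bin/sh
# Classify what a server is bound to, from "netstat -lnp" output (added example).
# Usage on the web server:  netstat -lnp | listen_scope 80

# listen_scope PORT: read "netstat -lnp" on stdin and print one of
#   all       - some listener on PORT is bound to 0.0.0.0, :: or a NIC address
#   loopback  - PORT is only bound to 127.0.0.1 / ::1, so LAN clients get nothing
#   none      - no socket listens on PORT
listen_scope() {
    awk -v port="$1" '
        # only tcp/udp rows; column 4 is "address:port" (IPv6 looks like :::80)
        ($1 == "tcp" || $1 == "tcp6" || $1 == "udp" || $1 == "udp6") {
            n = split($4, a, ":")                   # port is the last ":"-field
            if (a[n] != port) next
            addr = substr($4, 1, length($4) - length(a[n]) - 1)
            if (addr == "127.0.0.1" || addr == "::1") loop = 1
            else wide = 1                           # 0.0.0.0, :: or a real NIC address
        }
        END {
            if (wide) print "all"; else if (loop) print "loopback"; else print "none"
        }'
}

# Constructed netstat -lnp output showing apache bound to loopback only.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:80            0.0.0.0:*               LISTEN      1234/httpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      567/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           321/dhcpcd'

printf '%s\n' "$SAMPLE_NETSTAT" | listen_scope 80
```

A "loopback" result means the fix is on the web server (its Listen directive), while "all" with no LAN access points at the host firewall or the eigerstein port-forward instead.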
Re: [leaf-user] Accounting Bering 1.0 Shorewall 1.3 / 1.4
Hi Bino,

> -- iptables -N 02I -- prepared for inbound/download traffic
> -- iptables -N 02O -- prepared for outbound/upload traffic
> iptables -I FORWARD -d 192.168.0.2 -j 0I
> iptables -I FORWARD -s 192.168.0.2 -j 0O

this is not working here... don't know why. The chain is listed correctly using

iptables -L 02I -v

but the counters remain at zero. I do execute my accounting-script after shorewall has started. What is wrong??

I also tried the rules I found in the Linux Administrators Guide.

iptables -N name1
iptables -A FORWARD -i ppp0 -d ip-address1 -j name1
iptables -A FORWARD -o ppp0 -s ip-address1 -j name1

This is also not working here.

I even tried the shorewall-version from CVS, Tom included accounting recently. But using shorewall 1.4 instead of 1.3 leads to some other strange mysteries: I cannot reach www.ebay.de anymore ("This document contains no data"). So I have to use shorewall 1.3.

Accounting works fine in shorewall 1.4, but I can't find out why ebay makes problems. (There *are* more sites I cannot reach.) Nothing is displayed in the log files (/var/log/*).

thanks so much!
Re: [leaf-user] Accounting Bering 1.0 Shorewall 1.3 / 1.4
On Wed, 2003-11-26 at 07:50, Henning Jebsen wrote:

> I even tried the shorewall-version from CVS, Tom included accounting recently. But using shorewall 1.4 instead of 1.3 leads to some other strange mysteries: I cannot reach www.ebay.de anymore ("This document contains no data"). So I have to use shorewall 1.3.
>
> Accounting works fine in shorewall 1.4, but I can't find out why ebay makes problems. (There *are* more sites I cannot reach.) Nothing is displayed in the log files (/var/log/*).

Sounds like you need CLAMPMSS=Yes in shorewall.conf

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ [EMAIL PROTECTED]
Re: [leaf-user] Accounting Bering 1.0 Shorewall 1.3 / 1.4
I went back and looked a bit at the prior messages in this thread, but I may have missed something (Sourceforge is slow this morning, so checking the list archive is a bit demanding). Apologies in advance if I'm guessing wrong here.

As a general matter, following a quote from some other source with words to the effect that "I tried this and it didn't work" is not as good as quoting what you actually tried and the actual result. With firewalling, as with many things, the devil is in the details, and the way you allude to what you did gives us no way to spot possible errors of detail (for example, using -A instead of -I, which I discuss below).

At 04:50 PM 11/26/2003 +0100, Henning Jebsen wrote:

> Hi Bino,
>
> > -- iptables -N 02I -- prepared for inbound/download traffic
> > -- iptables -N 02O -- prepared for outbound/upload traffic
> > iptables -I FORWARD -d 192.168.0.2 -j 0I
> > iptables -I FORWARD -s 192.168.0.2 -j 0O
>
> this is not working here... don't know why. The chain is listed correctly using
>
> iptables -L 02I -v
>
> but the counters remain at zero.

You did catch the typo in this advice, I trust. It creates table 02I but tries to jump to table 0I.

The real problem is that rules cannot be viewed in isolation, and the poster giving you this suggestion said he wasn't using Shorewall. Still, this procedure makes sense, even in the context of Shorewall. If traffic *is* getting through to 192.168.0.2, and you didn't fall into the typo trap, you might try checking the entire ruleset *after* a big download to 192.168.0.2 (or the actual address you use) and see what rules *do* get their counts incremented. Then check to see if somehow (though I don't see how, if you really do use -I rather than -A; see below) they are getting called instead of the accounting rules.

> I do execute my accounting-script after shorewall has started.

Does it execute cleanly? Please post a followup with the actual script and any output it generates when run from the command line.

Also, round up the usual suspects and tell us the basics of your setup (see the SR FAQ if you need more explicit guidance on this score).

> What is wrong ??
>
> I also tried the rules I found in the Linux Administrators Guide.
>
> iptables -N name1
> iptables -A FORWARD -i ppp0 -d ip-address1 -j name1
> iptables -A FORWARD -o ppp0 -s ip-address1 -j name1
>
> This is also not working here

I would not expect it to, because -A puts the new rules at the *end* of the chain (while -I, if not given a rule placement number explicitly, puts new rules at the beginning of the chain). In Shorewall, it is likely that some prior rule catches the traffic before it ever sees this rule. These sorts of rules (ones meant not to direct traffic but just to count it) need to be at the top of the relevant ruleset, not at the bottom.

[rest deleted]
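The two points raised in this thread (the 02I/0I jump-target typo in the snippet Henning quoted, and -A appending the counting rules behind Shorewall's own rules) combined into one accounting script, added here as an example rather than anyone's actual script. It also includes the check suggested above: read the FORWARD listing after a download and see which rule is first and how many bytes the accounting chain has seen. The listing in SAMPLE_LISTING is constructed, and setting IPT=echo gives a dry run that prints the commands instead of applying them.

```shell
#!/bin/sh
# Per-host accounting chains inserted at the head of a Shorewall-built FORWARD
# chain (added example, not the thread's script). Set IPT=echo for a dry run.
IPT="${IPT:-iptables}"

# acct_setup HOST TAG: create chains TAGI (traffic to HOST) and TAGO (traffic
# from HOST) and jump to them from rules 1 and 2 of FORWARD. -I rather than -A,
# so packets are counted before any Shorewall rule accepts or drops them, and the
# jump targets are spelled exactly like the chains (the quoted snippet created
# 02I but jumped to 0I, so nothing ever reached it).
acct_setup() {
    host="$1"; tag="$2"
    # remove jump rules left by an earlier run so they are not duplicated
    $IPT -D FORWARD -d "$host" -j "${tag}I" 2>/dev/null || true
    $IPT -D FORWARD -s "$host" -j "${tag}O" 2>/dev/null || true
    $IPT -N "${tag}I" 2>/dev/null || $IPT -F "${tag}I"
    $IPT -N "${tag}O" 2>/dev/null || $IPT -F "${tag}O"
    # RETURN: an accounting chain must never change the verdict on a packet
    $IPT -A "${tag}I" -j RETURN
    $IPT -A "${tag}O" -j RETURN
    $IPT -I FORWARD 1 -d "$host" -j "${tag}I"
    $IPT -I FORWARD 2 -s "$host" -j "${tag}O"
}

# acct_bytes CHAIN: given "iptables -L FORWARD -v -n -x" output on stdin, sum the
# bytes column of every FORWARD rule whose target is CHAIN (0 if none).
acct_bytes() {
    awk -v chain="$1" '$3 == chain { sum += $2 } END { printf "%d\n", sum + 0 }'
}

# acct_first_target: target of rule 1 in that listing. If this is not the
# accounting chain, something earlier in FORWARD sees the traffic first.
acct_first_target() {
    awk 'NR == 3 { print $3 }'
}

# Constructed "iptables -L FORWARD -v -n -x" listing after a download to
# 192.168.0.2; the counters and the eth0_fwd chain are made up for the example.
SAMPLE_LISTING='Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     812    1140685 02I        all  --  *      *       0.0.0.0/0            192.168.0.2
     415     383329 02O        all  --  *      *       192.168.0.2          0.0.0.0/0
    9921   11234567 eth0_fwd   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0'

printf '%s\n' "$SAMPLE_LISTING" | acct_first_target   # 02I
printf '%s\n' "$SAMPLE_LISTING" | acct_bytes 02I      # 1140685
```

A Shorewall restart rebuilds the ruleset and discards these rules, so the script has to be run again afterwards (Shorewall's /etc/shorewall/start extension script is the usual place).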
RE: [leaf-user] IPSEC NAT traversal with shorewall HELP!
Thanks! Ok, I followed your procedure and I am getting this when I initiate the tunnel from the Victoria side:

ipsec whack --initiate --name victoria
002 victoria #1: initiating Main Mode
104 victoria #1: STATE_MAIN_I1: initiate
106 victoria #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 victoria #1: STATE_MAIN_I3: sent MI3, expecting MR3
002 victoria #1: Main mode peer ID is ID_IPV4_ADDR: '139.142.224.39'
002 victoria #1: ISAKMP SA established
004 victoria #1: STATE_MAIN_I4: ISAKMP SA established
002 victoria #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK
117 victoria #2: STATE_QUICK_I1: initiate
010 victoria #2: STATE_QUICK_I1: retransmission; will wait 20s for response

It never completes the tunnel. Can anyone please tell me what I am missing here?

Thanks in advance!
Troy

-----Original Message-----
From: Lynn Avants [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 26, 2003 1:10 AM
To: Troy Aden; Leaf-User ([EMAIL PROTECTED])
Subject: Re: [leaf-user] IPSEC NAT traversal with shorewall HELP!

> On Tuesday 25 November 2003 08:47 pm, Troy Aden wrote:
>
> > [...]
> > My goal with this configuration is to have two networks linked via IPSEC. I would expect that all users from site A will be able to communicate with all users on site B transparently, meaning that for all intents and purposes users on site A's internal network would be able to communicate with users from site B's internal network as if they were on the same LAN. If I am off base in how this works, please feel free to correct me.
>
> DNS, WINS, and other forms of broadcast traffic will not work ideally across the tunnel transparently. For SMB networking, you'll likely have to link PDC's and/or WINS servers on each subnet. There is some information on this at http://leaf.sf.net/devel/guitarlynn/ipsec.txt
>
> --
> ~Lynn Avants
> Linux Embedded Appliance Firewall Developer
> http://leaf.sourceforge.net
> http://guitarlynn.homelinux.org:81
[leaf-user] Driver for Davicom Ethernet card
Which driver should I use for the Davicom DM9008F Ethernet card with the LEAF Bering distribution? I hope you can help me.

Thanks.
Carlos Pedezert.