Re: [leaf-user] Required EZ-IPUpdate Client Upgrade Notice
I suppose there's some more good news on this topic? I had sent a followup email to dyndns thanking them for their help with confirming Jacques' package. Vivien sent the response below. It is not critical that this change be made right away. For one thing, some analysis will have to be done to see if the change would cause problems with other services that ez-ipupdate supports. Moreover, it requires registration and other overhead that may not add much value to the change. I wonder then, if a person would also have to register the ez-ipupdate client modification with all the other services that ez-ipupdate supports?

http://leaf.sourceforge.net/devel/jnilo/ezipupd.html
http://leaf.sourceforge.net/devel/jnilo/ezipupd1.html#AEN6

Greg Morgan

> Thanks. One little thing: if you haven't (I didn't make this clear), can you ask Jacques to change the user agent to something unique (http://www.dyndns.org/developers/ has some guidelines he should look at) that identifies the leaf project so we don't run into this situation again next time someone abuses the ez-ipupdate user agent? If he has any questions about this, tell him to email [EMAIL PROTECTED] and put "Attn: Vivien M." in the subject line so I look at it.
>
> Vivien

Reginald R. Richardson wrote:

> Hi Greg, thanks for your alertness. I'm using dyndns and ez-ipupdate for a few years now, and the service is so darn good I never had problems; I don't even take note of their website. After seeing your e-mail I went over to their website and saw the whole big confusion that's happening over there with the Linksys equipment. I immediately downloaded the new version, so me and my 20 clients are all happy now, else what would have been a bacchanal in the next few days when they had shut us out.
>
> Jacques, once again, thanks for your prompt reply, you have never failed me/us when a new update of a product is needed in .lrp format.
>
> regards
> reggie

>> Jacques,
>>
>> Problem solved. I received confirmation from dyndns.org tech support that your package update is working as intended. They also went on to say,
>>
>> ... the version of ez-ipupdate you're using now identifies itself differently from the Linksys version, so you should not have any problems. Note that your account was never dirty or anything like that: the fact that you got this email is simply the result of people embedding clients into things (Linksys, as we discovered the hard way, is not the only company to have done this) and not changing how these clients identify themselves, so we simply have no way to tell the problematic Linksys client apart from other, most likely perfectly acceptable, configurations of ez-ipupdate.
>>
>> Thanks again,
>> Greg Morgan

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
[leaf-user] LONG /sbin/htb.init: 636: Syntax error: Bad substitution
Hello! Could anyone tell me what I am doing wrong? I've installed the QoS packages tc ss010824 and qos-htb 0.8.3. I can edit HTB rules by menu at lrcfg, but...

1. It looks like it doesn't work on any interface (I've configured ppp0 as the network interface, a SAGEM [EMAIL PROTECTED] ADSL modem, and eth0 as the LAN interface). I've checked it by:

tc -s -d cl show dev [eth0 | ppp0]

Besides, the /var/cache/htb.init script (below) doesn't look like it was created on my machine :-(

2. When Bering (1.2) boots up I get the QoS message at the console without any error:

htb.init (QoS) ... start

3. After invoking htb.init or /etc/init.d/htb.init stats I get:

/sbin/htb.init: 636: Syntax error: Bad substitution

Here's my machine configuration:

# lrpkg -l
Name      Version         Description
========  ==============  ==============================================
initrd    V1.2            LEAF Bering initial filesystem
root      V1.2            Core LEAF Bering package
etc       V1.2            LEAF Bering /etc files
local     V1.2            LEAF Bering local package
modules   V1.2            Define contain your LEAF Bering modules
iptables  1.2.8           IP packet filter administration tools for 2.4.
ppp       2.4.1-pppoe     Point-to-Point Protocol (PPP) daemon
eagle     1.0.4           Linux driver for DSL modems based on the Analo
shorwall  1.4.2           Shoreline Firewall (Shorewall)
ulogd     1.0             The Netfilter Userspace Logging Daemon
libcrpto  0.9.7c Rev 1    libcrypto - part of the Openssl libraries
sshd      3.7.1p2 compil  OpenSSH sshd daemon.
weblet    1.2.0           weblet - LRP status via a small web server
libm                      The libm Library
dhcpd3    3.0pl2          ISC DHCP server for automatic IP address assig
dnscache  1.05a           dnscache from djbdns (V1.05a) package creates
ezipupd   3.0.11b8        ez-ipupdate is a client for several dynamic IP
tc        ss010824        tc from iproute2 patched for HTB3 packet sched
qos-htb   0.8.3           QoS HTB based - HTB.init Quality Of Service pa
ssh       3.7.1p2 compil  OpenSSH ssh scp programs.
sftp      3.7.1p2 compil  OpenSSH sftp client server programs.
links     0.95            Links is an advanced replacement for lynx, the
iptraf    1.3.0-1
libncurs

# ip a
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:10:5a:47:2b:c8 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.254/24 brd 192.168.1.255 scope global eth0
4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:60:4c:14:f4:6e brd ff:ff:ff:ff:ff:ff
5: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 3
    link/ppp
    inet 80.54.204.100 peer 213.25.2.80/32 scope global ppp0

firewall: -root-
# cat /sbin/htb.sysconfig
#!/bin/bash
# This is the main script to build the configuration
# files in the format proposed by htb.init
# By default, if nothing is modified, the generated files
# are adequate to create classes that control minimum latency
# and maximum throughput traffic.
# But two (2) more classes are created, one specific for web traffic (port 80)
# and a 'default' class for the rest. Normally, web traffic is considered of minimum
# latency and that's the way we have configured it (it has a higher priority
# than the maximum throughput and default), but it has its own class because
# of its importance, so you could assign it a different class from ssh, dns, etc.
# If you want to adjust the values for your own connection,
# it will be enough to know the download and upload bandwidth
# to automatically adjust the RATE and CEIL values of each class.
# When you are done, don't forget to execute:
#
# /etc/init.d/htb.init recreate
# /etc/init.d/htb.init reload
#
# to rebuild the configuration files and restart the service.
# By default the values are calculated for a 256Kbits download
# and 128 Kbits upload bandwidth, very common in Spain.
#
# NOTE: all values should be around 95-98% approx. of the real ones
# to be sure the queue is managed in your Linux router.

# --- Configuration files for net zone (eth0).
/bin/cat > /etc/sysconfig/htb/ppp0 << EOF
DEFAULT=40
EOF

# Maximum for root class
/bin/cat > /etc/sysconfig/htb/ppp0-2.root << EOF
RATE=90Kbit
BURST=2k
EOF

# Values for minimum latency class
# Typical services: ssh, telnet, ftp, irc, dns, smtp, pop3, imap2
/bin/cat > /etc/sysconfig/htb/ppp0-2:10.minlatency << EOF
CEIL=50Kbit
RATE=6Kbit
[leaf-user] orinoco pppoe
I have a wireless network client. I want the wireless interface to work with pppoe. I try, but the wireless options don't act with pppoe. The orinoco wireless uses the default configuration. I think the wireless_ options only work with (ethx) interfaces.

iface ppp0 inet ppp
    pre-up ip link set eth0 up
    provider dsl-provider
    eth0 wireless_mode managed
    wireless_essid Home

The interface doesn't accept the wireless_ parameters. Can anyone help me?

Luciano Inacio
[leaf-user] scp for Bering-uClib
Dropbear, which I otherwise love, doesn't include scp. The dropbear docs suggest that scp from the ssh package can be used, but while the scp on my Debian system is plenty small it of course links in a half dozen libraries, including libc, that aren't present on Bering-uClib. Before I try to figure out how to build scp for Bering-uClib, does anybody have a .lrp to share? Or know of plans to include one anytime soon?

Thanks,
--Eric House

--
From the desktop of: Eric House, [EMAIL PROTECTED]
Crosswords 4.0 for PalmOS is out!: http://www.peak.org/~fixin/xwords
[leaf-user] Shorewall questions
I have a quick newbie shorewall question. In my setup I have several static routes from several internal routers going to the shorewall box. The external interface (eth0) has the external IP. But the internal interface has to be able to recognize 8 separate subnets as internal IPs and treat them as the local zone. I suspect that I would have to make changes to the shorewall/interfaces file and add all of these subnets to the eth1 interface. Can anyone confirm this for me? Also I have reviewed the docs and I can't seem to find an example of the appropriate syntax to make entries like this in the shorewall/interfaces file.

Thanks in advance.
Troy
Re: [leaf-user] Shorewall questions
On Mon, 2003-12-08 at 09:36, Troy Aden wrote:

> I have a quick newbie shorewall question. In my setup I have several static routes from several internal routers going to the shorewall box. The external interface (eth0) has the external IP. But the internal interface has to be able to recognize 8 separate subnets as internal IPs and treat them as the local zone. I suspect that I would have to make changes to the shorewall/interfaces file and add all of these subnets to the eth1 interface. Can anyone confirm this for me? Also I have reviewed the docs and I can't seem to find an example of the appropriate syntax to make entries like this in the shorewall/interfaces file.

You might take a look at:

http://www.shorewall.net/Multiple_Zones.html

Be sure to pay attention to the links in the first numbered list.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ [EMAIL PROTECTED]
RE: [leaf-user] Shorewall questions
One more quick question. We are running a PPTP server behind shorewall. The default policy is:

loc    net    DROP

The rules are:

#Inbound VPN
DNAT    net    loc:{local PPTP server}    tcp    1723
DNAT    net    loc:{local PPTP server}    47     -
#Outbound VPN
ACCEPT  loc    net                        tcp    1723
ACCEPT  loc    net                        47     -

The problem is that I have a user that is logged into our VPN from a remote site. This user then came into work and is attempting to connect back into his system at the remote location. The firewall is blocking him from doing this. Here is a snip from the logs:

loc2net DROP eth1 eth0 24.78.108.194 24.81.104.187 ICMP (OS fingerprint)

Can anyone tell me if there is a way to allow this user to connect to his system from our network?

Many thanks in advance!
Troy

-----Original Message-----
From: Troy Aden [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 08, 2003 11:37 AM
To: Leaf-User (E-mail)
Subject: [leaf-user] Shorewall questions

> I have a quick newbie shorewall question. In my setup I have several static routes from several internal routers going to the shorewall box. The external interface (eth0) has the external IP. But the internal interface has to be able to recognize 8 separate subnets as internal IPs and treat them as the local zone. I suspect that I would have to make changes to the shorewall/interfaces file and add all of these subnets to the eth1 interface. Can anyone confirm this for me? Also I have reviewed the docs and I can't seem to find an example of the appropriate syntax to make entries like this in the shorewall/interfaces file.
>
> Thanks in advance.
> Troy
RE: [leaf-user] Shorewall questions
On Mon, 2003-12-08 at 09:59, Troy Aden wrote:

> One more quick question. We are running a PPTP server behind shorewall. The default policy is:
>
> loc    net    DROP
>
> The rules are:
>
> #Inbound VPN
> DNAT    net    loc:{local PPTP server}    tcp    1723
> DNAT    net    loc:{local PPTP server}    47     -
> #Outbound VPN
> ACCEPT  loc    net                        tcp    1723
> ACCEPT  loc    net                        47     -
>
> The problem is that I have a user that is logged into our VPN from a remote site. This user then came into work and is attempting to connect back into his system at the remote location. The firewall is blocking him from doing this. Here is a snip from the logs:
>
> loc2net DROP eth1 eth0 24.78.108.194 24.81.104.187 ICMP (OS fingerprint)
>
> Can anyone tell me if there is a way to allow this user to connect to his system from our network?

You would need to install the PPTP connection tracking and NAT support from Netfilter Patch-O-Matic. Without that support, you can only have a single active PPTP tunnel to any given remote system.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ [EMAIL PROTECTED]
Re: [leaf-user] scp for Bering-uClib
On Monday, 8 December 2003 17:09, Eric House wrote:

> Dropbear, which I otherwise love, doesn't include scp. The dropbear docs suggest that scp from the ssh package can be used, but while the scp on my Debian system is plenty small it of course links in a half dozen libraries, including libc, that aren't present on Bering-uClib. Before I try to figure out how to build scp for Bering-uClib, does anybody have a .lrp to share? Or know of plans to include one anytime soon?

Eric;

There is no extra lrp yet, but you'll find scp in sshd.lrp. It requires libz and libcrpto.lrp; I guess too much for a floppy.

kp
[leaf-user] Re: orinoco pppoe
Please help me set up pppoe on an orinoco interface as below!

Sincerely
Luciano

----- Original Message -----
From: Luciano Inacio [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, December 08, 2003 9:53 AM
Subject: [leaf-user] orinoco pppoe

> I have a wireless network client. I want the wireless interface to work with pppoe. I try, but the wireless options don't act with pppoe. The orinoco wireless uses the default configuration. I think the wireless_ options only work with (ethx) interfaces.
>
> iface ppp0 inet ppp
>     pre-up ip link set eth0 up
>     provider dsl-provider
>     eth0 wireless_mode managed
>     wireless_essid Home
>
> The interface doesn't accept the wireless_ parameters. Can anyone help me?
>
> Luciano Inacio
RE: [leaf-user] Shorewall questions
I made these changes to shorewall and rebooted. The result was all hosts lost Internet access.

/etc/shorewall/hosts
#ZONE   HOST(S)                   OPTIONS
loc     eth1:192.168.1.0/24
loc     eth1:192.168.2.0/24
loc     eth1:192.168.140.0/24
loc     eth1:192.168.142.0/24
loc     eth1:192.168.143.0/24
loc     eth1:192.168.145.0/24
loc     eth1:192.168.146.0/24
loc     eth1:192.168.147.0/24
loc     eth1:192.168.148.0/24

And then this:

/etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST         OPTIONS
net     eth0        142.165.207.162   routefilter,norfc1918,tcpflags
loc     eth1        192.168.1.255,192.168.2.255,192.168.140.255,192.168.142.255,192.168.143.255,192.168.145.255,192.168.146.255,192.168.147.255,192.168.148.255
vpn     ipsec0

I watched shorewall load and it did show all of these networks as defining the loc zone as I would expect. I am just not sure why we lost Internet access after that point. Do I need to define these subnets as, for example, 192.168.1.0/24,192.168.2.0/24...?

I think I may not have given all the information in my previous post. Here are the relevant configs. (Some IPs have been altered to protect the innocent.)

IP ROUTE:
192.168.147.0/24 dev eth1 proto kernel scope link src 192.168.147.4
192.168.146.0/24 via 192.168.147.2 dev eth1
192.168.145.0/24 via 192.168.147.2 dev eth1
192.168.2.0/24 via 192.168.147.5 dev eth1
192.168.1.0/24 via 192.168.147.5 dev eth1
192.168.148.0/24 via 192.168.147.2 dev eth1
10.10.26.0/24 via 142.165.207.254 dev ipsec0
192.168.143.0/24 via 192.168.147.1 dev eth1
192.168.142.0/24 via 192.168.147.1 dev eth1
142.165.207.0/24 dev eth0 proto kernel scope link src 142.165.207.*
142.165.207.0/24 dev ipsec0 proto kernel scope link src 142.165.207.*
192.168.140.0/24 via 192.168.147.3 dev eth1
default via 142.165.207.254 dev eth0

IP ADDR:
3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:01:02:78:13:4d brd ff:ff:ff:ff:ff:ff
    inet 142.165.207.162/24 brd 142.165.207.255 scope global eth0
4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:04:75:90:02:b2 brd ff:ff:ff:ff:ff:ff
    inet 192.168.147.4/24 brd 192.168.147.255 scope global eth1
9: ipsec0: <NOARP,UP> mtu 16260 qdisc pfifo_fast qlen 10
    link/ether 00:01:02:78:13:4d brd ff:ff:ff:ff:ff:ff
    inet 142.165.207.162/24 brd 142.165.207.255 scope global ipsec0

/ETC/INTERFACES
auto eth0
iface eth0 inet static
    address 142.165.207.*
    netmask 255.255.255.0
    broadcast 142.165.207.255
    gateway 142.165.207.254

# Step 2: configure internal interface
# Default: eth1 / fixed IP = 192.168.1.254
auto eth1
iface eth1 inet static
    address 192.168.147.4
    netmask 255.255.255.0
    broadcast 192.168.147.255
    up ip route add 192.168.140.0/24 via 192.168.147.3 || true
    up ip route add 192.168.142.0/24 via 192.168.147.1 || true
    up ip route add 192.168.143.0/24 via 192.168.147.1 || true
    up ip route add 192.168.1.0/24 via 192.168.147.5 || true
    up ip route add 192.168.2.0/24 via 192.168.147.5 || true
    up ip route add 192.168.145.0/24 via 192.168.147.2 || true
    up ip route add 192.168.146.0/24 via 192.168.147.2 || true
    up ip route add 192.168.148.0/24 via 192.168.147.2 || true

/etc/shorewall/masq
#INTERFACE  SUBNET              ADDRESS
eth0        192.168.1.0/24
eth0        192.168.2.0/24
eth0        192.168.140.0/24
eth0        192.168.142.0/24
eth0        192.168.143.0/24
eth0        192.168.145.0/24
eth0        192.168.146.0/24
eth0        192.168.147.0/24
eth0        192.168.148.0/24

Thanks in advance!
Troy

-----Original Message-----
From: Tom Eastep [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 08, 2003 11:58 AM
To: Troy Aden
Cc: Leaf-User (E-mail)
Subject: Re: [leaf-user] Shorewall questions

> On Mon, 2003-12-08 at 09:36, Troy Aden wrote:
>
>> I have a quick newbie shorewall question. In my setup I have several static routes from several internal routers going to the shorewall box. The external interface (eth0) has the external IP. But the internal interface has to be able to recognize 8 separate subnets as internal IPs and treat them as the local zone. I suspect that I would have to make changes to the shorewall/interfaces file and add all of these subnets to the eth1 interface. Can anyone confirm this for me? Also I have reviewed the docs and I can't seem to find an example of the appropriate syntax to make entries like this in the shorewall/interfaces file.
>
> You might take a look at:
>
> http://www.shorewall.net/Multiple_Zones.html
>
> Be sure to pay
RE: [leaf-user] Shorewall questions
On Mon, 2003-12-08 at 12:36, Troy Aden wrote:

> I made these changes to shorewall and rebooted.

WHY REBOOT?

> The result was all hosts lost Internet access.

That's not a problem description that can be done much with.

> /etc/shorewall/hosts
> #ZONE   HOST(S)                   OPTIONS
> loc     eth1:192.168.1.0/24
> loc     eth1:192.168.2.0/24
> loc     eth1:192.168.140.0/24
> loc     eth1:192.168.142.0/24
> loc     eth1:192.168.143.0/24
> loc     eth1:192.168.145.0/24
> loc     eth1:192.168.146.0/24
> loc     eth1:192.168.147.0/24
> loc     eth1:192.168.148.0/24

And you are defining each subnet individually because?

> And then this:
>
> /etc/shorewall/interfaces
> #ZONE   INTERFACE   BROADCAST         OPTIONS
> net     eth0        142.165.207.162   routefilter,norfc1918,tcpflags
> loc     eth1        192.168.1.255,192.168.2.255,192.168.140.255,192.168.142.255,192.168.143.255,192.168.145.255,192.168.146.255,192.168.147.255,192.168.148.255

With the above mess in the hosts file, you don't want "loc" in the zone column there -- you want "-" since you are defining the zone entirely through use of the hosts file.

> vpn     ipsec0
>
> I watched shorewall load and it did show all of these networks as defining the loc zone as I would expect. I am just not sure why we lost Internet access after that point. Do I need to define these subnets as, for example, 192.168.1.0/24,192.168.2.0/24...?
>
> I think I may not have given all the information in my previous post. Here are the relevant configs. (Some IPs have been altered to protect the innocent.)
>
> IP ROUTE:
> 192.168.147.0/24 dev eth1 proto kernel scope link src 192.168.147.4
> 192.168.146.0/24 via 192.168.147.2 dev eth1
> 192.168.145.0/24 via 192.168.147.2 dev eth1
> 192.168.2.0/24 via 192.168.147.5 dev eth1
> 192.168.1.0/24 via 192.168.147.5 dev eth1
> 192.168.148.0/24 via 192.168.147.2 dev eth1
> 10.10.26.0/24 via 142.165.207.254 dev ipsec0
> 192.168.143.0/24 via 192.168.147.1 dev eth1
> 192.168.142.0/24 via 192.168.147.1 dev eth1
> 142.165.207.0/24 dev eth0 proto kernel scope link src 142.165.207.*
> 142.165.207.0/24 dev ipsec0 proto kernel scope link src 142.165.207.*
> 192.168.140.0/24 via 192.168.147.3 dev eth1
> default via 142.165.207.254 dev eth0
>
> IP ADDR:
> 3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 00:01:02:78:13:4d brd ff:ff:ff:ff:ff:ff
>     inet 142.165.207.162/24 brd 142.165.207.255 scope global eth0
> 4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 00:04:75:90:02:b2 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.147.4/24 brd 192.168.147.255 scope global eth1
> 9: ipsec0: <NOARP,UP> mtu 16260 qdisc pfifo_fast qlen 10
>     link/ether 00:01:02:78:13:4d brd ff:ff:ff:ff:ff:ff
>     inet 142.165.207.162/24 brd 142.165.207.255 scope global ipsec0
>
> /ETC/INTERFACES
> auto eth0
> iface eth0 inet static
>     address 142.165.207.*
>     netmask 255.255.255.0
>     broadcast 142.165.207.255
>     gateway 142.165.207.254
>
> # Step 2: configure internal interface
> # Default: eth1 / fixed IP = 192.168.1.254
> auto eth1
> iface eth1 inet static
>     address 192.168.147.4
>     netmask 255.255.255.0
>     broadcast 192.168.147.255
>     up ip route add 192.168.140.0/24 via 192.168.147.3 || true
>     up ip route add 192.168.142.0/24 via 192.168.147.1 || true
>     up ip route add 192.168.143.0/24 via 192.168.147.1 || true
>     up ip route add 192.168.1.0/24 via 192.168.147.5 || true
>     up ip route add 192.168.2.0/24 via 192.168.147.5 || true
>     up ip route add 192.168.145.0/24 via 192.168.147.2 || true
>     up ip route add 192.168.146.0/24 via 192.168.147.2 || true
>     up ip route add 192.168.148.0/24 via 192.168.147.2 || true
>
> /etc/shorewall/masq
> #INTERFACE  SUBNET              ADDRESS
> eth0        192.168.1.0/24
> eth0        192.168.2.0/24
> eth0        192.168.140.0/24
> eth0        192.168.142.0/24
> eth0        192.168.143.0/24
> eth0        192.168.145.0/24
> eth0        192.168.146.0/24
> eth0        192.168.147.0/24
> eth0        192.168.148.0/24

Assuming that eth1 is up when shorewall [re]starts, all you needed was:

eth0    eth1

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ [EMAIL PROTECTED]
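Tom's two corrections (a zone defined in both interfaces and hosts, and a masq table that lists every subnet individually when one line per internal interface would do) are the kind of thing a small config lint catches before a restart takes the site offline. The script below is an added example written for this thread, not code from the list or from Shorewall; the sample tables are a trimmed transcription of Troy's post, and the lint only knows the three tables and the routing table it is given.

```python
import ipaddress

# Constructed sample input, transcribed from Troy's post with the list of
# 192.168.14x.0/24 subnets trimmed to four; not Shorewall's own files.
INTERFACES = """\
#ZONE   INTERFACE   BROADCAST         OPTIONS
net     eth0        142.165.207.255   routefilter,norfc1918,tcpflags
loc     eth1        192.168.147.255
vpn     ipsec0
"""

HOSTS = """\
#ZONE   HOST(S)                  OPTIONS
loc     eth1:192.168.1.0/24
loc     eth1:192.168.2.0/24
loc     eth1:192.168.140.0/24
loc     eth1:192.168.147.0/24
"""

MASQ = """\
#INTERFACE  SUBNET              ADDRESS
eth0        192.168.1.0/24
eth0        192.168.2.0/24
eth0        192.168.140.0/24
eth0        192.168.147.0/24
"""

IP_ROUTE = """\
192.168.147.0/24 dev eth1 proto kernel scope link src 192.168.147.4
192.168.2.0/24 via 192.168.147.5 dev eth1
192.168.1.0/24 via 192.168.147.5 dev eth1
192.168.140.0/24 via 192.168.147.3 dev eth1
142.165.207.0/24 dev eth0 proto kernel scope link src 142.165.207.162
default via 142.165.207.254 dev eth0
"""


def parse_table(text):
    """Split a whitespace-delimited Shorewall table into token rows,
    dropping comments and blank lines."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def parse_routes(text):
    """Map each destination prefix in `ip route` output to its device."""
    routes = {}
    for line in text.splitlines():
        tokens = line.split()
        if "dev" not in tokens:
            continue
        dest = "0.0.0.0/0" if tokens[0] == "default" else tokens[0]
        routes[ipaddress.ip_network(dest, strict=False)] = tokens[tokens.index("dev") + 1]
    return routes


def double_defined_zones(interfaces_text, hosts_text):
    """(zone, interface) pairs where the zone is named in the ZONE column of
    interfaces AND defined through hosts entries on the same interface.
    Tom's correction: when hosts defines the zone, interfaces should say '-'."""
    iface_zone = {row[1]: row[0] for row in parse_table(interfaces_text)}
    clashes = []
    for zone, hostspec, *_ in parse_table(hosts_text):
        iface = hostspec.split(":", 1)[0]
        if iface_zone.get(iface) == zone and (zone, iface) not in clashes:
            clashes.append((zone, iface))
    return clashes


def fixed_interfaces(interfaces_text, hosts_text):
    """Return the interfaces table with ZONE replaced by '-' on every
    interface whose zone is already defined in the hosts table."""
    blank = {iface for _, iface in double_defined_zones(interfaces_text, hosts_text)}
    out = []
    for line in interfaces_text.splitlines():
        tokens = line.split()
        if len(tokens) >= 2 and not line.lstrip().startswith("#") and tokens[1] in blank:
            line = line.replace(tokens[0], "-", 1)
        out.append(line)
    return "\n".join(out) + "\n"


def masq_suggestion(masq_text, route_text):
    """For each external interface in masq, the one internal device through
    which every listed SUBNET is routed (if there is exactly one).  Then the
    list collapses to a single 'eth0 eth1' style line, which masquerades
    everything routed out via eth1, the static routes included."""
    routes = parse_routes(route_text)
    per_iface = {}
    for ext, subnet, *_ in parse_table(masq_text):
        try:
            dev = routes.get(ipaddress.ip_network(subnet, strict=False))
        except ValueError:            # SUBNET is already an interface name
            dev = subnet
        per_iface.setdefault(ext, set()).add(dev)
    return {ext: next(iter(devs)) for ext, devs in per_iface.items()
            if len(devs) == 1 and None not in devs}


def lint(interfaces_text, hosts_text, masq_text, route_text):
    """Human-readable findings for the three tables plus the routing table."""
    findings = []
    for zone, iface in double_defined_zones(interfaces_text, hosts_text):
        findings.append(f"zone '{zone}' is set on {iface} in interfaces and again in "
                        f"hosts: put '-' in the interfaces ZONE column")
    rows = parse_table(masq_text)
    for ext, dev in masq_suggestion(masq_text, route_text).items():
        listed = [r[1] for r in rows if r[0] == ext]
        if listed != [dev]:
            findings.append(f"masq lists {len(listed)} SUBNET entries for {ext} that are "
                            f"all routed via {dev}: a single line '{ext} {dev}' covers them")
    return findings


if __name__ == "__main__":
    for finding in lint(INTERFACES, HOSTS, MASQ, IP_ROUTE):
        print("finding:", finding)
    print(fixed_interfaces(INTERFACES, HOSTS))
```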
RE: [leaf-user] Shorewall questions
First of all, thanks for your quick responses to my silly questions. I am sorry to take up your time. With regards to the /etc/shorewall/hosts file, how should I have done it? Please tell me the clean way it should have been done as opposed to the messy way I have done it.

I am sorry with regards to rebooting the Bering box; yes, I know I did not have to reboot, but I had added those ip_conntrack_pptp.o and ip_nat_pptp.o modules (that you recommended from my previous post) and I decided to reboot to get them to load. I realize that all I needed to do was shorewall restart.

Thanks again! Have a great day.
Troy

-----Original Message-----
From: Tom Eastep [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 08, 2003 2:49 PM
To: Troy Aden
Cc: Leaf-User (E-mail)
Subject: RE: [leaf-user] Shorewall questions

> On Mon, 2003-12-08 at 12:36, Troy Aden wrote:
>
>> I made these changes to shorewall and rebooted.
>
> WHY REBOOT?
>
>> The result was all hosts lost Internet access.
>
> That's not a problem description that can be done much with.
>
>> /etc/shorewall/hosts
>> #ZONE   HOST(S)                   OPTIONS
>> loc     eth1:192.168.1.0/24
>> loc     eth1:192.168.2.0/24
>> loc     eth1:192.168.140.0/24
>> loc     eth1:192.168.142.0/24
>> loc     eth1:192.168.143.0/24
>> loc     eth1:192.168.145.0/24
>> loc     eth1:192.168.146.0/24
>> loc     eth1:192.168.147.0/24
>> loc     eth1:192.168.148.0/24
>
> And you are defining each subnet individually because?
>
>> And then this:
>>
>> /etc/shorewall/interfaces
>> #ZONE   INTERFACE   BROADCAST         OPTIONS
>> net     eth0        142.165.207.162   routefilter,norfc1918,tcpflags
>> loc     eth1        192.168.1.255,192.168.2.255,192.168.140.255,192.168.142.255,192.168.143.255,192.168.145.255,192.168.146.255,192.168.147.255,192.168.148.255
>
> With the above mess in the hosts file, you don't want "loc" in the zone column there -- you want "-" since you are defining the zone entirely through use of the hosts file.
>
>> vpn     ipsec0
>>
>> I watched shorewall load and it did show all of these networks as defining the loc zone as I would expect. I am just not sure why we lost Internet access after that point. Do I need to define these subnets as, for example, 192.168.1.0/24,192.168.2.0/24...?
>>
>> I think I may not have given all the information in my previous post. Here are the relevant configs. (Some IPs have been altered to protect the innocent.)
>>
>> IP ROUTE:
>> 192.168.147.0/24 dev eth1 proto kernel scope link src 192.168.147.4
>> 192.168.146.0/24 via 192.168.147.2 dev eth1
>> 192.168.145.0/24 via 192.168.147.2 dev eth1
>> 192.168.2.0/24 via 192.168.147.5 dev eth1
>> 192.168.1.0/24 via 192.168.147.5 dev eth1
>> 192.168.148.0/24 via 192.168.147.2 dev eth1
>> 10.10.26.0/24 via 142.165.207.254 dev ipsec0
>> 192.168.143.0/24 via 192.168.147.1 dev eth1
>> 192.168.142.0/24 via 192.168.147.1 dev eth1
>> 142.165.207.0/24 dev eth0 proto kernel scope link src 142.165.207.*
>> 142.165.207.0/24 dev ipsec0 proto kernel scope link src 142.165.207.*
>> 192.168.140.0/24 via 192.168.147.3 dev eth1
>> default via 142.165.207.254 dev eth0
>>
>> IP ADDR:
>> 3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>>     link/ether 00:01:02:78:13:4d brd ff:ff:ff:ff:ff:ff
>>     inet 142.165.207.162/24 brd 142.165.207.255 scope global eth0
>> 4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>>     link/ether 00:04:75:90:02:b2 brd ff:ff:ff:ff:ff:ff
>>     inet 192.168.147.4/24 brd 192.168.147.255 scope global eth1
>> 9: ipsec0: <NOARP,UP> mtu 16260 qdisc pfifo_fast qlen 10
>>     link/ether 00:01:02:78:13:4d brd ff:ff:ff:ff:ff:ff
>>     inet 142.165.207.162/24 brd 142.165.207.255 scope global ipsec0
>>
>> /ETC/INTERFACES
>> auto eth0
>> iface eth0 inet static
>>     address 142.165.207.*
>>     netmask 255.255.255.0
>>     broadcast 142.165.207.255
>>     gateway 142.165.207.254
>>
>> # Step 2: configure internal interface
>> # Default: eth1 / fixed IP = 192.168.1.254
>> auto eth1
>> iface eth1 inet static
>>     address 192.168.147.4
>>     netmask 255.255.255.0
>>     broadcast 192.168.147.255
>>     up ip route add 192.168.140.0/24 via 192.168.147.3 || true
>>     up ip route add 192.168.142.0/24 via 192.168.147.1 || true
>>     up ip route add 192.168.143.0/24 via 192.168.147.1 || true
>>     up ip route add 192.168.1.0/24 via 192.168.147.5 || true
>>     up ip route add 192.168.2.0/24 via 192.168.147.5 || true
>>     up ip route add 192.168.145.0/24 via 192.168.147.2 || true
>>     up ip route add 192.168.146.0/24 via 192.168.147.2 || true
>>     up ip route add 192.168.148.0/24 via 192.168.147.2 || true
>>
>> /etc/shorewall/masq
>> #INTERFACE  SUBNET              ADDRESS
>> eth0        192.168.1.0/24
>> eth0        192.168.2.0/24
>> eth0        192.168.140.0/24
>> eth0        192.168.142.0/24
>> eth0        192.168.143.0/24
>> eth0
[leaf-user] firewall or just router
Hi,

I'm looking to set up a box mainly as a routing decision maker. I'll have 2 DSL lines, a primary and a backup (to 2 different ISPs). I'd like traffic to go out the primary (faster and static IPs) when it's up and have it automatically fail over to the second DSL router when the first dies.

I have a LAN - watchguard - linux box - 2 DSL connections. Actually, the linux box and the 2 DSL lines are on the same physical network. I'd set up the linux box with static routes to force pings through each of the DSL lines and, when it notices one line down, force the default route through the backup. The trick I'm finding is getting it to forward packets from the watchguard back out the same interface to one of the DSL lines. I can't seem to get it to work like a router when there's only a single ethernet interface.

I'm looking to make a transparent failover (and recovery) between the DSL lines. The watchguard can only take a single IP address for its default internet connection.

Any help would be appreciated...

Thanks,
Brian
RE: [leaf-user] Shorewall questions
On Mon, 2003-12-08 at 13:01, Troy Aden wrote:
> First of all, thanks for your quick responses to my silly questions. I am sorry to take up your time. With regards to the /etc/shorewall/hosts file, how should I have done it? Please tell me the clean way it should have been done as opposed to the messy way I have done it.

Did you confirm that you had to do anything? Given the way that your network is set up, I would have thought that Bering's Shorewall configuration would have worked out of the box provided that you add the routes to the other subnets BEFORE you start Shorewall (again, assuming that your /etc/shorewall/masq file just contains "eth0 eth1").

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
RE: [leaf-user] Shorewall questions
Troy -- Are you sure you have a Shorewall problem and not some sort of routing problem? If it's Shorewall, Tom's suggestions will be a lot more help than anything I can offer. So my comments below consider only the possibility of a different source to the problem.

At 02:36 PM 12/8/2003 -0600, Troy Aden wrote:
> I made these changes to shorewall and rebooted. The result was all hosts lost Internet access.

What exactly does this mean?

1. Did all hosts have Internet access under some prior configuration? If so, what was it?
2. How many hosts did you actually test, and what subnets were they on? In particular, did you do tests from a host on the 192.168.147.0/24 network (the one that is DIRECTLY connected to the LEAF router, if I read your routing table right)? Might there be problems with the internal routers (the various 192.168.147.d routers, that is)?
3. When you say "lost Internet access", what actual services and destinations did you use in your tests?
4. For the moment, I'm going to leave the ipsec stuff to the side, under the assumption that the undescribed problems you are seeing involve ordinary (not VPN) service connections from the various 192.168.c.0 networks to public addresses on the Internet.
5. Can the router itself access the Internet? For example, can it ping 142.165.207.254, its default gateway? If not, how does the attempt fail?
6. If you run a traceroute from an internal host to 142.165.207.254, where does the traceroute stop?

> /ETC/shorewall/hosts
> #ZONE   HOST(S)                 OPTIONS
> loc     eth1:192.168.1.0/24
> loc     eth1:192.168.2.0/24
> loc     eth1:192.168.140.0/24
> loc     eth1:192.168.142.0/24
> loc     eth1:192.168.143.0/24
> loc     eth1:192.168.145.0/24
> loc     eth1:192.168.146.0/24
> loc     eth1:192.168.147.0/24
> loc     eth1:192.168.148.0/24

If you cheat and specify loc as 192.168.0.0/16, does that fix any of the problems you see?

[...]

> I think I may not have given all the information in my previous post. Here are the relevant configs.
> (Some IPs have been altered to protect the innocent)
>
> IP ROUTE:
> 192.168.147.0/24 dev eth1 proto kernel scope link src 192.168.147.4
> 192.168.146.0/24 via 192.168.147.2 dev eth1
> 192.168.145.0/24 via 192.168.147.2 dev eth1
> 192.168.2.0/24 via 192.168.147.5 dev eth1
> 192.168.1.0/24 via 192.168.147.5 dev eth1
> 192.168.148.0/24 via 192.168.147.2 dev eth1
> 10.10.26.0/24 via 142.165.207.254 dev ipsec0
> 192.168.143.0/24 via 192.168.147.1 dev eth1
> 192.168.142.0/24 via 192.168.147.1 dev eth1
> 142.165.207.0/24 dev eth0 proto kernel scope link src 142.165.207.*
> 142.165.207.0/24 dev ipsec0 proto kernel scope link src 142.165.207.*
> 192.168.140.0/24 via 192.168.147.3 dev eth1
> default via 142.165.207.254 dev eth0

You have here two routes to 142.165.207.0/24 ... one on eth0, the other on ipsec0. Since this network contains your default gateway, any problem here will interfere with Internet access. Of course, in protecting the innocent you may have obscured or distorted something here that matters.

[rest deleted]
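A check for the two routing points raised in this thread: Tom's note that the routes to the internal subnets must exist before Shorewall starts, and the observation above that 142.165.207.0/24 appears twice in the routing table (eth0 and ipsec0). This is an added example, not code from LEAF, Bering or Shorewall. It parses `ip route` output and an /etc/shorewall/hosts file in the formats posted above; both sample inputs are constructed from the posted configuration, except that the 192.168.150.0/24 hosts entry is invented so that the missing-route case actually fires.

```python
"""Routing sanity check for a Shorewall box with several internal subnets.

Added example for this thread; not LEAF, Bering or Shorewall code. Both
samples are constructed from the configuration posted above. The
192.168.150.0/24 hosts entry is invented: it has no route, so the check
reports it.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: `ip route` output as posted in the thread.
IP_ROUTE_OUTPUT = """\
192.168.147.0/24 dev eth1 proto kernel scope link src 192.168.147.4
192.168.146.0/24 via 192.168.147.2 dev eth1
192.168.145.0/24 via 192.168.147.2 dev eth1
192.168.2.0/24 via 192.168.147.5 dev eth1
192.168.1.0/24 via 192.168.147.5 dev eth1
192.168.148.0/24 via 192.168.147.2 dev eth1
10.10.26.0/24 via 142.165.207.254 dev ipsec0
192.168.143.0/24 via 192.168.147.1 dev eth1
192.168.142.0/24 via 192.168.147.1 dev eth1
142.165.207.0/24 dev eth0 proto kernel scope link src 142.165.207.162
142.165.207.0/24 dev ipsec0 proto kernel scope link src 142.165.207.162
192.168.140.0/24 via 192.168.147.3 dev eth1
default via 142.165.207.254 dev eth0
"""

# Constructed sample: /etc/shorewall/hosts as posted, plus one invented entry.
SHOREWALL_HOSTS = """\
#ZONE   HOST(S)                 OPTIONS
loc     eth1:192.168.1.0/24
loc     eth1:192.168.2.0/24
loc     eth1:192.168.140.0/24
loc     eth1:192.168.142.0/24
loc     eth1:192.168.143.0/24
loc     eth1:192.168.145.0/24
loc     eth1:192.168.146.0/24
loc     eth1:192.168.147.0/24
loc     eth1:192.168.148.0/24
loc     eth1:192.168.150.0/24
"""


def parse_routes(text):
    """Return a list of (network, dev, via) tuples from `ip route` output."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        via = fields[fields.index("via") + 1] if "via" in fields else None
        routes.append((ipaddress.ip_network(dst, strict=False), dev, via))
    return routes


def parse_hosts(text):
    """Return a list of (zone, interface, network) tuples from a Shorewall hosts file."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        zone, hostspec = line.split()[:2]
        iface, _, net = hostspec.partition(":")
        entries.append((zone, iface, ipaddress.ip_network(net, strict=False)))
    return entries


def lookup(routes, net):
    """Longest-prefix match: the most specific route that covers `net`."""
    covering = [r for r in routes if net.subnet_of(r[0])]
    return max(covering, key=lambda r: r[0].prefixlen, default=None)


def check(route_text, hosts_text):
    """Return human-readable problems; an empty list means the table is consistent."""
    routes = parse_routes(route_text)
    problems = []
    # Every zone subnet needs a non-default route on the interface named in hosts.
    for zone, iface, net in parse_hosts(hosts_text):
        best = lookup(routes, net)
        if best is None or best[0].prefixlen == 0:
            problems.append(f"no specific route to {net} (zone {zone}); only the default covers it")
        elif best[1] != iface:
            problems.append(f"{net} (zone {zone}) is routed via {best[1]}, not {iface}")
    # The same destination prefix on two interfaces is ambiguous.
    devs_by_dst = defaultdict(list)
    for net, dev, _via in routes:
        devs_by_dst[net].append(dev)
    for net, devs in devs_by_dst.items():
        if len(devs) > 1:
            problems.append(f"duplicate route to {net}: dev {', '.join(devs)}")
    return problems


if __name__ == "__main__":
    for problem in check(IP_ROUTE_OUTPUT, SHOREWALL_HOSTS):
        print("WARN:", problem)
```

Run it on the live box with the real `ip route` output and hosts file just before `shorewall start`; a subnet that only the default route covers means the `up ip route add ...` lines in /etc/network/interfaces did not take effect, and a duplicated prefix on two devices is the situation the reply above is pointing at.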
RE: [leaf-user] Shorewall questions
I installed these modules from the modules archive as per your recommendation below. I am assuming this is what you were referring to.

Bering_uClibc_2.0_modules_2.4.20.tar.gz
\\2.4.20\kernel\net\ipv4\netfilter, ip_conntrack_pptp.o, ip_nat_pptp.o

I get the following error on reboot of the Bering router:
After ip_conntrack_pptp.o loads I see this message:
INSMOD: Unresolved symbol ip_ct_gre_keymap_add
After ip_nat_pptp.o loads I see this message:
INSMOD: Unresolved symbol ip_ct_gre_keymap_change

Can someone please tell me what is happening here? Thanks! Troy

-----Original Message-----
From: Tom Eastep [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 08, 2003 12:07 PM
To: Troy Aden
Cc: Leaf-User (E-mail)
Subject: RE: [leaf-user] Shorewall questions

On Mon, 2003-12-08 at 09:59, Troy Aden wrote:
> One more quick question. We are running a PPTP server behind shorewall. The default policy is
> loc net DROP
> The rules are:
> #Inbound VPN
> DNAT    net   loc:{local PPTP server}   tcp   1723
> DNAT    net   loc:{local PPTP server}   47    -
> #Outbound VPN
> ACCEPT  loc   net                       tcp   1723
> ACCEPT  loc   net                       47    -
> The problem is that I have a user that is logged into our VPN from a remote site. This user then came into work and is attempting to connect back into his system at the remote location. The firewall is blocking him from doing this. Here is a snip from the logs.
> loc2net DROP eth1 eth0 24.78.108.194 24.81.104.187 ICMP (OS fingerprint)
> Can anyone tell me if there is a way to allow this user to connect to his system from our network?

You would need to install the PPTP connection tracking and NAT support from Netfilter Patch-O-Matic. Without that support, you can only have a single active PPTP tunnel to any given remote system.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
RE: [leaf-user] Shorewall questions
On Mon, 8 Dec 2003, Troy Aden wrote:
> I installed these modules from the modules archive as per your recommendation below. I am assuming this is what you were referring to.
> Bering_uClibc_2.0_modules_2.4.20.tar.gz
> \\2.4.20\kernel\net\ipv4\netfilter, ip_conntrack_pptp.o, ip_nat_pptp.o
> I get the following error on reboot of the Bering router:
> After ip_conntrack_pptp.o loads I see this message:
> INSMOD: Unresolved symbol ip_ct_gre_keymap_add
> After ip_nat_pptp.o loads I see this message:
> INSMOD: Unresolved symbol ip_ct_gre_keymap_change
> Can someone please tell me what is happening here?

When you are installing modules that are only available via a Netfilter patch and are having problems, it's always a good idea to check the Netfilter site. e.g., http://www.netfilter.org/documentation/pomlist/pom-extra.html#pptp-conntrack-nat

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
[leaf-user] Bering: time to hand on the torch ...
Dear folks

After quite some years spent working on LEAF, most of them dedicated to the Bering variant, I realise that the time I can spend on the project is diminishing every day. I have therefore decided to follow one of the many good principles from Eric Raymond's seminal paper (The Cathedral and the Bazaar): "When you lose interest in a program, your last duty to it is to hand it off to a competent successor."

Eric Wolzak, my Bering fellow from the beginning in this project, will from now on take over the responsibility of pursuing the Bering project on his own. I am sure there are now many knowledgeable people around who will bring fresh ideas and energy. And the doc is still around :-)

It has been a real pleasure to work with such a nice community. Long life to the LEAF project!

Cheers
Jacques
[leaf-user] Re: [leaf-devel] Bering: time to hand on the torch ...
On Mon, 2003-12-08 at 13:29, Jacques Nilo wrote:
> Dear folks
> After quite some years spent working on LEAF, most of them dedicated to the Bering variant, I realise that the time I can spend on the project is diminishing every day. I have therefore decided to follow one of the many good principles from Eric Raymond's seminal paper (The Cathedral and the Bazaar): "When you lose interest in a program, your last duty to it is to hand it off to a competent successor."
> Eric Wolzak, my Bering fellow from the beginning in this project, will from now on take over the responsibility of pursuing the Bering project on his own. I am sure there are now many knowledgeable people around who will bring fresh ideas and energy. And the doc is still around :-)
> It has been a real pleasure to work with such a nice community. Long life to the LEAF project!

Thanks Jacques for your fine work and dedication. You will be missed, but I perfectly understand the demands of running a project such as Bering and the need to eventually step away.

Best wishes,
-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
[leaf-user] RE: [leaf-devel] Bering: time to hand on the torch ...
Jacques, It is with great respect and appreciation that I say, thank you for all of your hard work on behalf of the LEAF-Project. You will be missed.

Best regards,
Eric Kiser

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:leaf-devel-[EMAIL PROTECTED]] On Behalf Of Jacques Nilo
Sent: Monday, December 08, 2003 4:30 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: [leaf-devel] Bering: time to hand on the torch ...
RE: [leaf-user] Shorewall questions
Ok I loaded the modules: (Listed in this order in the /lib/modules config file)
ip_conntrack_proto_gre.o
ip_conntrack_pptp.o
ip_nat_proto_gre.o
ip_nat_pptp.o

Here are the rules that worked fine previously for pptp BEFORE I loaded these modules.
#Allow VPN connections Outbound
ACCEPT  loc   net                  tcp   1723
ACCEPT  loc   net                  47    -
#Allow VPN Inbound
DNAT    net   loc:192.168.169.24   tcp   1723
DNAT    net   loc:192.168.169.24   47    -

Here are the policies:
#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
loc       net    DROP     ULOG
loc       vpn    ACCEPT
vpn       loc    ACCEPT
# If you want open access to the Internet from your Firewall
# remove the comment from the following line.
#fw       net    ACCEPT
net       all    DROP     ULOG
all       all    REJECT   ULOG

Now I can't make a pptp connection to our VPN. Can anyone PLEASE tell me why? Is there something that I am missing here? It fails with error 721 "remote computer did not respond". It was working before I loaded these modules. Why is it broken now? Thanks in advance!

Troy

-----Original Message-----
From: Troy Aden [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 08, 2003 8:58 PM
To: 'Tom Eastep'
Cc: Leaf-User (E-mail)
Subject: RE: [leaf-user] Shorewall questions