Re: [leaf-user] Required EZ-IPUpdate Client Upgrade Notice

2003-12-08 Thread Greg Morgan
I suppose there's some more good news on this topic?  I had sent a 
followup email to dyndns thanking them for their help with confirming 
Jacques' package.  Vivien sent the response below. It is not critical 
that this change be made right away.  For one thing, some analysis will 
have to be done to see if the change would cause problems with other 
services that ez-ipupdate supports.  Moreover, it requires registration 
and other overhead that may not add much value to the change. I wonder 
then, if a person would also have to register the ez-ipupdate client 
modification with all the other services that ez-ipupdate supports?
http://leaf.sourceforge.net/devel/jnilo/ezipupd.html
http://leaf.sourceforge.net/devel/jnilo/ezipupd1.html#AEN6

Greg Morgan

Thanks. One little thing: if you haven't (I didn't make this clear), 
can you ask Jacques to change the user agent to something unique 
(http://www.dyndns.org/developers/ has some guidelines he should look 
at) that identifies the leaf project so we don't run into this situation 
again next time someone abuses the ez-ipupdate user agent? If he has any 
questions about this, tell him to email [EMAIL PROTECTED] and put 
Attn: Vivien M. in the subject line so I look at it.

Vivien



Reginald R. Richardson wrote:
Hi Greg,

Thanks for your alertness.

I've been using dyndns and ez-ipupdate for a few years now, and the service is so darn good I never had problems; I don't even take note of their website. After seeing your e-mail I went over to their website and saw the whole big confusion happening over there with the Linksys equipment.

I immediately downloaded the new version, so me and my 20 clients are all happy now; else it would have been a bacchanal in the next few days when they shut us out.

Jacques, once again, thanks for your prompt reply; you have never failed me/us when a new update of a product is needed in .lrp format.

Regards,
reggie


Jacques,

Problem solved. I received confirmation from dyndns.org tech support 
that your package update is working as intended.  They also went on to 
say, ... the version of ez-ipupdate you're using now identifies itself 
differently from the Linksys version, so you should not have any 
problems.  Note that your account was never dirty or anything like 
that: the fact that you got this email is simply the result of people 
embedding clients into things (Linksys, as we discovered the hard way, 
is not the only company to have done this) and not changing how these 
clients identify themselves, so we simply have no way to tell the 
problematic Linksys client apart from other, most likely perfectly 
acceptable, configurations of ez-ipupdate.

Thanks again,
Greg Morgan


---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
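Vivien's request above (a unique User-Agent, so that one abusive embedded client does not get every ez-ipupdate deployment blocked) is easy to show in a few lines. The following is an added example, not code from ez-ipupdate, Jacques' package or DynDNS: it builds a DynDNS2-style update request with a deployment-specific agent string and maps the service's return codes to client actions. The agent string `LEAF Bering - ez-ipupdate - 3.0.11b8` is constructed here in the "Company - Device - Version" shape the DynDNS developer page asked for at the time (an assumption; check the current guidelines), the hostname, address and credentials are placeholders, and the return-code table is the documented DynDNS2 set as I know it.

```python
import base64
from urllib.parse import urlencode

# Constructed for this example: an agent string in the "Company - Device -
# Version" shape the thread says the DynDNS developer page asks for. The
# version is the ezipupd package version from Yazgot's package list.
LEAF_AGENT = "LEAF Bering - ez-ipupdate - 3.0.11b8"

# Agent strings that name only the generic client. A service cannot tell
# one deployment of such a client from another, which is how the Linksys
# abuse in the thread got every ez-ipupdate user warned.
GENERIC_PREFIXES = ("ez-ipupdate/", "ez-ipupdate ", "curl/", "wget/")


def is_unique_agent(agent):
    """True if the agent string identifies a specific project or product."""
    if agent is None or not agent.strip():
        return False
    return not agent.strip().lower().startswith(GENERIC_PREFIXES)


def build_update_request(hostname, myip, username, password,
                         agent=LEAF_AGENT, host="members.dyndns.org"):
    """Return a raw DynDNS2-style update (GET /nic/update ...) as bytes.

    Refuses a generic User-Agent so that a blanket block on the stock
    client string can never apply to this deployment.
    """
    if not is_unique_agent(agent):
        raise ValueError("refusing to send a generic User-Agent: %r" % (agent,))
    query = urlencode({"hostname": hostname, "myip": myip})
    creds = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
    lines = [
        "GET /nic/update?%s HTTP/1.0" % query,
        "Host: %s" % host,
        "Authorization: Basic %s" % creds,
        "User-Agent: %s" % agent,
        "",
        "",
    ]
    return "\r\n".join(lines).encode()


# Documented DynDNS2 return codes mapped to what the client should do.
# "badagent" is the case this thread is about: the request was refused on
# the strength of the User-Agent alone.
ACTIONS = {
    "good":     "updated",
    "nochg":    "unchanged",      # address already current: back off
    "badagent": "blocked-agent",  # stop; fix the agent string first
    "abuse":    "blocked-abuse",  # stop; the account is flagged
    "badauth":  "fatal",
    "nohost":   "fatal",
    "notfqdn":  "fatal",
    "911":      "retry-later",    # server-side problem
}


def classify_response(body):
    """Map the first token of the response body to an action.

    Anything unrecognised is treated as fatal: a client that retries on
    errors it does not understand is exactly what gets an agent blocked.
    """
    tokens = body.strip().split()
    if not tokens:
        return "fatal"
    return ACTIONS.get(tokens[0].lower(), "fatal")


if __name__ == "__main__":
    # Placeholder hostname, address and credentials.
    print(build_update_request("host.example.com", "192.0.2.10",
                               "user", "pw").decode())
    for reply in ("good 192.0.2.10", "badagent", "abuse"):
        print(reply, "->", classify_response(reply))
```

The point of `is_unique_agent` is the one made in the thread: the service can only block by what the client tells it, so an agent string that merely says `ez-ipupdate/3.0.11b8` makes every copy of that client look like the Linksys one. On `badagent` or `abuse` the client must stop rather than retry, and since DynDNS also counts repeated `nochg` updates as abusive, a client should back off when the address has not changed.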


[leaf-user] LONG /sbin/htb.init: 636: Syntax error: Bad substitution

2003-12-08 Thread Yazgot
Hello!
Could anyone tell me what I am doing wrong?
I've installed the QoS package:
tc      ss010824
qos-htb 0.8.3
I can edit HTB rules by menu at lrcfg but...
1. It looks like it doesn't work on any interface (I've configured ppp0 as 
the network interface - SAGEM [EMAIL PROTECTED] ADSL modem - and eth0 as the LAN interface). 
I've checked it by:
tc -s -d cl show dev [eth0 | ppp0]
Besides, the /var/cache/htb.init script (below) doesn't look like it was created on my 
machine :-(

2. When Bering (1.2) boots up I get the QoS message at the console without any error:
htb.init (QoS) ... start
3. After invoking htb.init or /etc/init.d/htb.init stats I get:
/sbin/htb.init: 636: Syntax error: Bad substitution
Here's my machine configuration:
# lrpkg -l
Name      Version          Description
========  ===============  ==============================================
initrd    V1.2             LEAF Bering initial filesystem
root      V1.2             Core LEAF Bering package
etc       V1.2             LEAF Bering /etc files
local     V1.2             LEAF Bering local package
modules   V1.2             Define & contain your LEAF Bering modules
iptables  1.2.8            IP packet filter administration tools for 2.4.
ppp       2.4.1-pppoe      Point-to-Point Protocol (PPP) daemon
eagle     1.0.4            Linux driver for DSL modems based on the Analo
shorwall  1.4.2            Shoreline Firewall (Shorewall)
ulogd     1.0              The Netfilter Userspace Logging Daemon
libcrpto  0.9.7c Rev 1     libcrypto - part of the Openssl libraries
sshd      3.7.1p2 compil   OpenSSH sshd daemon.
weblet    1.2.0            weblet - LRP status via a small web server
libm                       The libm Library
dhcpd3    3.0pl2           ISC DHCP server for automatic IP address assig
dnscache  1.05a            dnscache from djbdns (V1.05a) package creates
ezipupd   3.0.11b8         ez-ipupdate is a client for several dynamic IP
tc        ss010824         tc from iproute2 patched for HTB3 packet sched
qos-htb   0.8.3            QoS HTB based - HTB.init Quality Of Service pa
ssh       3.7.1p2 compil   OpenSSH ssh & scp programs.
sftp      3.7.1p2 compil   OpenSSH sftp client & server programs.
links     0.95             Links is an advanced replacement for lynx, the
iptraf    1.3.0-1
libncurs

# ip a
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:10:5a:47:2b:c8 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.254/24 brd 192.168.1.255 scope global eth0
4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:60:4c:14:f4:6e brd ff:ff:ff:ff:ff:ff
5: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 3
    link/ppp
    inet 80.54.204.100 peer 213.25.2.80/32 scope global ppp0
firewall: -root-
# cat /sbin/htb.sysconfig
#!/bin/bash
# This is the main script to build the configuration
# files in the format proposed by htb.init
# By default, if nothing is modified, the generated files
# are adequate to create classes that control minimum latency
# and maximum throughput traffic.
# But two (2) more classes are created, one specific for web traffic (port 80)
# and a 'default' class for the rest. Normally, web traffic is considered of minimum
# latency and that's the way we have configured it (it has a higher priority
# than the maximum throughput and default), but it has its own class because
# of its importance, so you could assign it a different class from ssh, dns, etc.

# If you want to adjust the values for your own connection,
# it will be enough to know the download and upload bandwidth
# to automatically adjust the RATE and CEIL values of each class.
# When you are done, don't forget to execute:
#
#    /etc/init.d/htb.init recreate
#    /etc/init.d/htb.init reload
#
# to rebuild the configuration files and restart the service.
# By default the values are calculated for a 256 Kbit download
# and 128 Kbit upload bandwidth, very common in Spain.
#
# NOTE: all values should be around 95-98% approx. of the real ones
# to be sure the queue is managed in your Linux router.


# --- Configuration files for net zone (eth0).

/bin/cat > /etc/sysconfig/htb/ppp0 <<EOF
DEFAULT=40
EOF
# Maximum for root class
/bin/cat > /etc/sysconfig/htb/ppp0-2.root <<EOF
RATE=90Kbit
BURST=2k
EOF
# Values for minimum latency class
# Typical services: ssh, telnet, ftp, irc, dns, smtp, pop3, imap2
/bin/cat > /etc/sysconfig/htb/ppp0-2:10.minlatency <<EOF
CEIL=50Kbit
RATE=6Kbit
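The message `/sbin/htb.init: 636: Syntax error: Bad substitution` is the form in which a POSIX /bin/sh (assumed here to be the busybox ash of a Bering floppy) reports a bash-only `${...}` expansion it cannot parse, and the `#!/bin/bash` line at the top of htb.sysconfig suggests the scripts were written for bash. The following is an added check, not part of the qos-htb package: it scans a script for the constructs that produce that error so they can be found before the script lands on the router. The pattern list and the sample script are constructed for the example, and whether line 636 of htb.init is one of these cases is an assumption, since the page does not show that line.

```sh
#!/bin/sh
# Added example, not part of htb.init or the Bering package: scan a script
# for bash-only parameter expansions and syntax that a POSIX /bin/sh rejects
# with "Syntax error: Bad substitution" (or misparses silently). The pattern
# list is an assumption covering the common cases, not a complete bashism list.

# Print "line:description" for every hit in the script given as $1.
# Returns 1 if anything was found, 0 if the script looked clean.
find_bashisms() {
    _script=$1
    _found=0
    # Each line of the list below is an extended regex, a "~", and a description.
    while IFS='~' read -r _pat _desc; do
        _hits=$(grep -nE -- "$_pat" "$_script" | cut -d: -f1)
        for _n in $_hits; do
            printf '%s:%s\n' "$_n" "$_desc"
            _found=1
        done
    done <<'EOF'
\$\{[A-Za-z_][A-Za-z0-9_]*/~pattern substitution ${var/x/y} or ${var//x/y}
\$\{[A-Za-z_][A-Za-z0-9_]*:[0-9]~substring expansion ${var:off:len}
\$\{[A-Za-z_][A-Za-z0-9_]*[,^]~case modification ${var^^} or ${var,,}
\$\{![A-Za-z_]~indirect expansion ${!var}
\$\{#?[A-Za-z_][A-Za-z0-9_]*\[~array subscript ${arr[i]} or ${#arr[@]}
\[\[~[[ ... ]] conditional
^[[:space:]]*(declare|typeset|local -a)[[:space:]]~bash variable declaration
^[[:space:]]*function[[:space:]]~"function name" definition
EOF
    return $_found
}

# Number of hits, for use in scripted checks.
count_bashisms() {
    find_bashisms "$1" | wc -l | tr -d ' \t'
}

# Write a constructed sample to $1: a mix of POSIX and bash-only lines.
# The text is never executed, so this file runs under dash and ash as well.
make_sample() {
    cat > "$1" <<'EOF'
#!/bin/sh
dev=${1:-ppp0}
rate=${RATE%Kbit}
clean=${dev//:/_}
short=${dev:0:3}
if [[ -n "$rate" ]]; then echo "$rate"; fi
declare -a classes
echo "${#classes[@]}"
EOF
}

# Stand-alone demonstration.
sample=$(mktemp)
make_sample "$sample"
find_bashisms "$sample" || echo "$(count_bashisms "$sample") bash-only constructs found"
rm -f "$sample"
```

Run it as `find_bashisms /sbin/htb.init` on the router (or on the file before packaging): a clean result means the "Bad substitution" comes from somewhere else, while hits mean the script needs a bash binary on the box or a rewrite of those lines (for example `${var//x/y}` becomes a `sed` call, `[[ ... ]]` becomes `[ ... ]`).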

[leaf-user] orinoco pppoe

2003-12-08 Thread Luciano Inacio
I have a wireless network client.
I want the wireless interface to work with pppoe.

I tried, but the wireless options don't act with
pppoe. The orinoco wireless uses the default
configuration.

I think the wireless_ settings only act on (ethx) interfaces.


iface ppp0 inet ppp
    pre-up ip link set eth0 up
    provider dsl-provider eth0
    wireless_mode managed
    wireless_essid Home
The interface doesn't accept the wireless_ parameters.


Can anyone help me?

Luciano Inacio



[leaf-user] scp for Bering-uClib

2003-12-08 Thread Eric House
Dropbear, which I otherwise love, doesn't include scp.  The dropbear
docs suggest that scp from the ssh package can be used, but while the
scp on my Debian system is plenty small it of course links in a half
dozen libraries, including libc, that aren't present on Bering-uClib.

Before I try to figure out how to build scp for Bering-uClib, does
anybody have a .lrp to share?  Or know of plans to include one anytime
soon?

Thanks,

--Eric House
-- 
**
* From the desktop of: Eric House, [EMAIL PROTECTED]*
*Crosswords 4.0 for PalmOS is out!: http://www.peak.org/~fixin/xwords  *
**



[leaf-user] Shorewall questions

2003-12-08 Thread Troy Aden
I have a quick newbie shorewall question.
In setup I have several static routes from several internal routers going to
the shorewall box.

The external interface (eth0) has the external IP. But the internal
interface has to be able to recognize 8 separate subnets as internal IPs and
treat them as the local zone.
I suspect that I would have to make changes to the shorewall/interfaces file
and add all of these subnets to the eth1 interface. Can anyone confirm this
for me? Also I have reviewed the docs and I can't seem to find an example of
the appropriate syntax to make entries like this in the shorewall/interfaces
file. 

Thanks in advance.


Troy



Re: [leaf-user] Shorewall questions

2003-12-08 Thread Tom Eastep
On Mon, 2003-12-08 at 09:36, Troy Aden wrote:
 I have a quick newbie shorewall question.
 In setup I have several static routes from several internal routers going to
 the shorewall box.
 
 The external interface (eth0) has the external IP. But the internal
 interface has to be able to recognize 8 separate subnets as internal IPs and
 treat them as the local zone.
 I suspect that I would have to make changes to the shorewall/interfaces file
 and add all of these subnets to the eth1 interface. Can anyone confirm this
 for me? Also I have reviewed the docs and I can't seem to find an example of
 the appropriate syntax to make entries like this in the shorewall/interfaces
 file. 
 

You might take a look at:

http://www.shorewall.net/Multiple_Zones.html

Be sure to pay attention to the links in the first numbered list.

-Tom
-- 
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]





RE: [leaf-user] Shorewall questions

2003-12-08 Thread Troy Aden
One more quick question.

We are running a PPTP server behind shorewall.
The default policy is
Loc net DROP

The rules are :
#Inbound VPN
DNAT    net     loc:{local PPTP server}     tcp     1723
DNAT    net     loc:{local PPTP server}     47      -

#Outbound VPN

ACCEPT  loc     net     tcp     1723
ACCEPT  loc     net     47      -

The problem is that I have a user that is logged into our VPN from a remote
site. This user then came into work and is attempting to connect back into
his system at the remote location. The firewall is blocking him from doing
this.
Here is a snip from the logs.

loc2net DROP eth1 eth0 24.78.108.194 24.81.104.187 ICMP   (OS fingerprint)

Can anyone tell me if there is a way to allow this user to connect to his
system from our network?

Many thanks in advance!

Troy
-Original Message-
From: Troy Aden [mailto:[EMAIL PROTECTED]
Sent: Monday, December 08, 2003 11:37 AM
To: Leaf-User (E-mail)
Subject: [leaf-user] Shorewall questions

I have a quick newbie shorewall question.
In setup I have several static routes from several internal routers going to
the shorewall box.

The external interface (eth0) has the external IP. But the internal
interface has to be able to recognize 8 separate subnets as internal IPs and
treat them as the local zone.
I suspect that I would have to make changes to the shorewall/interfaces file
and add all of these subnets to the eth1 interface. Can anyone confirm this
for me? Also I have reviewed the docs and I can't seem to find an example of
the appropriate syntax to make entries like this in the shorewall/interfaces
file.

Thanks in advance.


Troy



RE: [leaf-user] Shorewall questions

2003-12-08 Thread Tom Eastep
On Mon, 2003-12-08 at 09:59, Troy Aden wrote:
 One more quick question.
 
 We are running a PPTP server behind shorewall.
 The default policy is
 Loc   net DROP
 
 The rules are :
 #Inbound VPN
 DNAT    net     loc:{local PPTP server}     tcp     1723
 DNAT    net     loc:{local PPTP server}     47      -
 
 #Outbound VPN
 
 ACCEPT  loc     net     tcp     1723
 ACCEPT  loc     net     47      -
 
 The problem is that I have a user that is logged into our VPN from a remote
 site. This user then came into work and is attempting to connect back into
 his system at the remote location. The firewall is blocking him from doing
 this.
 Here is a snip from the logs.
 
 loc2net DROP eth1 eth0 24.78.108.194 24.81.104.187 ICMP   (OS fingerprint)
 
 Can anyone tell me if there is a way to allow this user to connect to his
 system from our network?
 

You would need to install the PPTP connection tracking and NAT support
from Netfilter Patch-O-Matic. Without that support, you can only have a
single active PPTP tunnel to any given remote system.

-Tom
-- 
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]





Re: [leaf-user] scp for Bering-uClib

2003-12-08 Thread K.-P. Kirchdörfer
On Monday, 8 December 2003 17:09, Eric House wrote:
 Dropbear, which I otherwise love, doesn't include scp.  The dropbear
 docs suggest that scp from the ssh package can be used, but while the
 scp on my Debian system is plenty small it of course links in a half
 dozen libraries, including libc, that aren't present on Bering-uClib.

 Before I try to figure out how to build scp for Bering-uClib, does
 anybody have a .lrp to share?  Or know of plans to include one anytime
 soon?

Eric; 
There is no extra lrp yet, but you'll find scp in sshd.lrp. 
It requires libz and libcrpto.lrp; I guess too much for a floppy.

kp




[leaf-user] Re: orinoco pppoe

2003-12-08 Thread Luciano Inacio
Please,
help me set up pppoe on an orinoco interface as below!

Sincerely
Luciano
- Original Message - 
From: Luciano Inacio [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, December 08, 2003 9:53 AM
Subject: [leaf-user] orinoco pppoe


I have a wireless network client.
I want the wireless interface to work with pppoe.

I tried, but the wireless options don't act with
pppoe. The orinoco wireless uses the default
configuration.

I think the wireless_ settings only act on (ethx) interfaces.


iface ppp0 inet ppp
    pre-up ip link set eth0 up
    provider dsl-provider eth0
    wireless_mode managed
    wireless_essid Home
The interface doesn't accept the wireless_ parameters.


Can anyone help me?

Luciano Inacio



RE: [leaf-user] Shorewall questions

2003-12-08 Thread Troy Aden
I made these changes to shorewall and rebooted. The result was all hosts
lost Internet access.

/ETC/shorewall/hosts 

#ZONE   HOST(S)                     OPTIONS
loc     eth1:192.168.1.0/24
loc     eth1:192.168.2.0/24
loc     eth1:192.168.140.0/24
loc     eth1:192.168.142.0/24
loc     eth1:192.168.143.0/24
loc     eth1:192.168.145.0/24
loc     eth1:192.168.146.0/24
loc     eth1:192.168.147.0/24
loc     eth1:192.168.148.0/24

And then this:

/ETC/shorewall/Interfaces

#ZONE   INTERFACE   BROADCAST           OPTIONS
net     eth0        142.165.207.162     routefilter,norfc1918,tcpflags
loc     eth1        192.168.1.255,192.168.2.255,192.168.140.255,192.168.142.255,192.168.143.255,192.168.145.255,192.168.146.255,192.168.147.255,192.168.148.255
vpn     ipsec0

I watched shorewall load and it did show all of these networks as defining
the loc zone as I would expect. I am just not sure why we lost Internet
access after that point. Do I need to define these subnets as for example
192.168.1.0/24,192.168.2.0/24...)

I think I may not have given all the information in my previous post. Here
are the relevant configs. (Some IPs have been altered to protect the
innocent)

IP ROUTE: 

192.168.147.0/24 dev eth1  proto kernel  scope link  src 192.168.147.4 
192.168.146.0/24 via 192.168.147.2 dev eth1 
192.168.145.0/24 via 192.168.147.2 dev eth1 
192.168.2.0/24 via 192.168.147.5 dev eth1 
192.168.1.0/24 via 192.168.147.5 dev eth1 
192.168.148.0/24 via 192.168.147.2 dev eth1 
10.10.26.0/24 via 142.165.207.254 dev ipsec0 
192.168.143.0/24 via 192.168.147.1 dev eth1 
192.168.142.0/24 via 192.168.147.1 dev eth1 
142.165.207.0/24 dev eth0  proto kernel  scope link  src 142.165.207.*
142.165.207.0/24 dev ipsec0  proto kernel  scope link  src 142.165.207.* 
192.168.140.0/24 via 192.168.147.3 dev eth1 
default via 142.165.207.254 dev eth0 


IP ADDR:

3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:01:02:78:13:4d brd ff:ff:ff:ff:ff:ff
    inet 142.165.207.162/24 brd 142.165.207.255 scope global eth0
4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:04:75:90:02:b2 brd ff:ff:ff:ff:ff:ff
    inet 192.168.147.4/24 brd 192.168.147.255 scope global eth1
9: ipsec0: <NOARP,UP> mtu 16260 qdisc pfifo_fast qlen 10
    link/ether 00:01:02:78:13:4d brd ff:ff:ff:ff:ff:ff
    inet 142.165.207.162/24 brd 142.165.207.255 scope global ipsec0

/ETC/INTERFACES

auto eth0
iface eth0 inet static  
address 142.165.207.*
netmask 255.255.255.0
broadcast 142.165.207.255
gateway 142.165.207.254

# Step 2: configure  internal interface
# Default: eth1 / fixed IP = 192.168.1.254
auto eth1
iface eth1 inet static
address 192.168.147.4
netmask 255.255.255.0
broadcast 192.168.147.255

up ip route add 192.168.140.0/24 via 192.168.147.3 || true
up ip route add 192.168.142.0/24 via 192.168.147.1 || true
up ip route add 192.168.143.0/24 via 192.168.147.1 || true
up ip route add 192.168.1.0/24 via 192.168.147.5 || true
up ip route add 192.168.2.0/24 via 192.168.147.5 || true
up ip route add 192.168.145.0/24 via 192.168.147.2 || true
up ip route add 192.168.146.0/24 via 192.168.147.2 || true
up ip route add 192.168.148.0/24 via 192.168.147.2 || true


/etc/shorewall/masq

#INTERFACE  SUBNET              ADDRESS
eth0        192.168.1.0/24
eth0        192.168.2.0/24
eth0        192.168.140.0/24
eth0        192.168.142.0/24
eth0        192.168.143.0/24
eth0        192.168.145.0/24
eth0        192.168.146.0/24
eth0        192.168.147.0/24
eth0        192.168.148.0/24


Thanks in advance!

Troy 





-Original Message-
From: Tom Eastep [mailto:[EMAIL PROTECTED]
Sent: Monday, December 08, 2003 11:58 AM
To: Troy Aden
Cc: Leaf-User (E-mail)
Subject: Re: [leaf-user] Shorewall questions

On Mon, 2003-12-08 at 09:36, Troy Aden wrote:
 I have a quick newbie shorewall question.
 In setup I have several static routes from several internal routers going
to
 the shorewall box.

 The external interface (eth0) has the external IP. But the internal
 interface has to be able to recognize 8 separate subnets as internal IPs
and
 treat them as the local zone.
 I suspect that I would have to make changes to the shorewall/interfaces
file
 and add all of these subnets to the eth1 interface. Can anyone confirm
this
 for me? Also I have reviewed the docs and I can't seem to find an example
of
 the appropriate syntax to make entries like this in the
shorewall/interfaces
 file.


You might take a look at:

http://www.shorewall.net/Multiple_Zones.html

Be sure to pay 

RE: [leaf-user] Shorewall questions

2003-12-08 Thread Tom Eastep
On Mon, 2003-12-08 at 12:36, Troy Aden wrote:
 I made these changes to shorewall and rebooted.

WHY REBOOT?

  The result was all hosts
 lost Internet access.

That's not a problem description that can be done much with.

 
 /ETC/shorewall/hosts 
 
 #ZONE   HOST(S)                     OPTIONS
 loc     eth1:192.168.1.0/24
 loc     eth1:192.168.2.0/24
 loc     eth1:192.168.140.0/24
 loc     eth1:192.168.142.0/24
 loc     eth1:192.168.143.0/24
 loc     eth1:192.168.145.0/24
 loc     eth1:192.168.146.0/24
 loc     eth1:192.168.147.0/24
 loc     eth1:192.168.148.0/24

And you are defining each subnet individually because?

 
 And then this:
 
 /ETC/shorewall/Interfaces
 
 #ZONE   INTERFACE   BROADCAST           OPTIONS
 net     eth0        142.165.207.162     routefilter,norfc1918,tcpflags
 loc     eth1        192.168.1.255,192.168.2.255,192.168.140.255,192.168.142.255,192.168.143.255,192.168.145.255,192.168.146.255,192.168.147.255,192.168.148.255

With the above mess in the hosts file, you don't want loc in the zone
column there -- you want - since you are defining the zone entirely
through use of the hosts file.

 vpn   ipsec0  
 
 I watched shorewall load and it did show all of these networks as defining
 the loc zone as I would expect. I am just not sure why we lost Internet
 access after that point. Do I need to define these subnets as for example
 192.168.1.0/24,192.168.2.0/24...)
 
 I think I may not have given all the information in my previous post. Here
 are the relevant configs. (Some IPs have been altered to protect the
 innocent)
 
 IP ROUTE: 
 
 192.168.147.0/24 dev eth1  proto kernel  scope link  src 192.168.147.4 
 192.168.146.0/24 via 192.168.147.2 dev eth1 
 192.168.145.0/24 via 192.168.147.2 dev eth1 
 192.168.2.0/24 via 192.168.147.5 dev eth1 
 192.168.1.0/24 via 192.168.147.5 dev eth1 
 192.168.148.0/24 via 192.168.147.2 dev eth1 
 10.10.26.0/24 via 142.165.207.254 dev ipsec0 
 192.168.143.0/24 via 192.168.147.1 dev eth1 
 192.168.142.0/24 via 192.168.147.1 dev eth1 
 142.165.207.0/24 dev eth0  proto kernel  scope link  src 142.165.207.*
 142.165.207.0/24 dev ipsec0  proto kernel  scope link  src 142.165.207.* 
 192.168.140.0/24 via 192.168.147.3 dev eth1 
 default via 142.165.207.254 dev eth0 
 
 
 IP ADDR:
 
 3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
     link/ether 00:01:02:78:13:4d brd ff:ff:ff:ff:ff:ff
     inet 142.165.207.162/24 brd 142.165.207.255 scope global eth0
 4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
     link/ether 00:04:75:90:02:b2 brd ff:ff:ff:ff:ff:ff
     inet 192.168.147.4/24 brd 192.168.147.255 scope global eth1
 9: ipsec0: <NOARP,UP> mtu 16260 qdisc pfifo_fast qlen 10
     link/ether 00:01:02:78:13:4d brd ff:ff:ff:ff:ff:ff
     inet 142.165.207.162/24 brd 142.165.207.255 scope global ipsec0
 
 /ETC/INTERFACES
 
 auto eth0
 iface eth0 inet static  
   address 142.165.207.*
   netmask 255.255.255.0
   broadcast 142.165.207.255
   gateway 142.165.207.254
   
 # Step 2: configure  internal interface
 # Default: eth1 / fixed IP = 192.168.1.254
 auto eth1
 iface eth1 inet static
   address 192.168.147.4
   netmask 255.255.255.0
   broadcast 192.168.147.255
 
 up ip route add 192.168.140.0/24 via 192.168.147.3 || true
 up ip route add 192.168.142.0/24 via 192.168.147.1 || true
 up ip route add 192.168.143.0/24 via 192.168.147.1 || true
 up ip route add 192.168.1.0/24 via 192.168.147.5 || true
 up ip route add 192.168.2.0/24 via 192.168.147.5 || true
 up ip route add 192.168.145.0/24 via 192.168.147.2 || true
 up ip route add 192.168.146.0/24 via 192.168.147.2 || true
 up ip route add 192.168.148.0/24 via 192.168.147.2 || true
 
 
 /etc/shorewall/masq
 
 #INTERFACE  SUBNET              ADDRESS
 eth0        192.168.1.0/24
 eth0        192.168.2.0/24
 eth0        192.168.140.0/24
 eth0        192.168.142.0/24
 eth0        192.168.143.0/24
 eth0        192.168.145.0/24
 eth0        192.168.146.0/24
 eth0        192.168.147.0/24
 eth0        192.168.148.0/24

Assuming that eth1 is up when shorewall [re]starts, all you needed was:

eth0        eth1

-Tom
-- 
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
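Tom's `eth0 eth1` masq entry works because Shorewall expands an interface name in the SUBNET column to the networks the kernel currently routes through that interface, which is why he qualifies it with "assuming that eth1 is up when shorewall [re]starts". As an added example (not Shorewall's own code), the script below performs the same expansion over the `ip route` output Troy posted and checks the result against his hand-maintained nine-subnet masq list. The route table and subnet list are copied from the thread; reading only the destination, `via` and `dev` fields is this example's simplification.

```python
import ipaddress

# Routing table as Troy posted it ("142.165.207.*" left as shown; only the
# destination, "via" and "dev" fields are read, so the masked src is harmless).
IP_ROUTE = """\
192.168.147.0/24 dev eth1  proto kernel  scope link  src 192.168.147.4
192.168.146.0/24 via 192.168.147.2 dev eth1
192.168.145.0/24 via 192.168.147.2 dev eth1
192.168.2.0/24 via 192.168.147.5 dev eth1
192.168.1.0/24 via 192.168.147.5 dev eth1
192.168.148.0/24 via 192.168.147.2 dev eth1
10.10.26.0/24 via 142.165.207.254 dev ipsec0
192.168.143.0/24 via 192.168.147.1 dev eth1
192.168.142.0/24 via 192.168.147.1 dev eth1
142.165.207.0/24 dev eth0  proto kernel  scope link  src 142.165.207.*
142.165.207.0/24 dev ipsec0  proto kernel  scope link  src 142.165.207.*
192.168.140.0/24 via 192.168.147.3 dev eth1
default via 142.165.207.254 dev eth0
"""

# The nine subnets listed by hand in Troy's /etc/shorewall/masq.
MASQ_SUBNETS = """
192.168.1.0/24 192.168.2.0/24 192.168.140.0/24 192.168.142.0/24
192.168.143.0/24 192.168.145.0/24 192.168.146.0/24 192.168.147.0/24
192.168.148.0/24
""".split()


def parse_routes(text):
    """Yield (network, device, gateway or None) for each `ip route` line."""
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(dst, strict=False)
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        gw = fields[fields.index("via") + 1] if "via" in fields else None
        yield net, dev, gw


def networks_behind(text, dev):
    """Networks the kernel routes out `dev`, default route excluded.

    This is what an interface name in the SUBNET column of masq (Tom's
    `eth0 eth1`) stands for: the routes present on that interface when
    Shorewall starts. If the interface is down at that moment the answer
    is empty and nothing gets masqueraded.
    """
    nets = {net for net, d, _ in parse_routes(text)
            if d == dev and net.prefixlen > 0}
    return sorted(nets)


def compare_with_list(derived, explicit):
    """Return (missing, extra): networks routed behind the interface that a
    hand-written list lacks, and listed networks that no route covers."""
    listed = {ipaddress.ip_network(s) for s in explicit}
    derived = set(derived)
    return sorted(derived - listed), sorted(listed - derived)


if __name__ == "__main__":
    behind_eth1 = networks_behind(IP_ROUTE, "eth1")
    print("routed via eth1:", ", ".join(str(n) for n in behind_eth1))
    missing, extra = compare_with_list(behind_eth1, MASQ_SUBNETS)
    print("missing from masq list:", missing or "none")
    print("listed but not routed:", extra or "none")
```

On Troy's table the derived list and the hand-written one agree exactly, so the single `eth0 eth1` line is equivalent and stops going stale when a subnet is added behind one of the internal routers. The caveat is the one Tom states: on a box whose internal routes come from `up ip route add ...` lines in /etc/network/interfaces, run a check like this before `shorewall restart`, because if eth1 and its routes are not up yet the interface-based entry masquerades nothing and the private source addresses leave eth0 unchanged.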





RE: [leaf-user] Shorewall questions

2003-12-08 Thread Troy Aden
First of all, thanks for your quick responses to my silly questions. I am
sorry to take up your time.

With regards to the /etc/shorewall/hosts file, how should I have done it?
Please tell me the clean way it should have been done as opposed to the
messy way I have done it. 

I am sorry with regards to rebooting the Bering box, yes I know I did not
have to reboot but I had added those ip_conntrack_pptp.o and ip_nat_pptp.o
modules (that you recommended from my previous post) and I decided to reboot
to get them to load. I realize that all I needed to do was shorewall
restart.

Thanks again!

Have a great day.

Troy



-Original Message-
From: Tom Eastep [mailto:[EMAIL PROTECTED]
Sent: Monday, December 08, 2003 2:49 PM
To: Troy Aden
Cc: Leaf-User (E-mail)
Subject: RE: [leaf-user] Shorewall questions

On Mon, 2003-12-08 at 12:36, Troy Aden wrote:
 I made these changes to shorewall and rebooted.

WHY REBOOT?

  The result was all hosts
 lost Internet access.

That's not a problem description that can be done much with.


 /ETC/shorewall/hosts

 #ZONE   HOST(S)                     OPTIONS
 loc     eth1:192.168.1.0/24
 loc     eth1:192.168.2.0/24
 loc     eth1:192.168.140.0/24
 loc     eth1:192.168.142.0/24
 loc     eth1:192.168.143.0/24
 loc     eth1:192.168.145.0/24
 loc     eth1:192.168.146.0/24
 loc     eth1:192.168.147.0/24
 loc     eth1:192.168.148.0/24

And you are defining each subnet individually because?


 And then this:

 /ETC/shorewall/Interfaces

 #ZONE   INTERFACE   BROADCAST           OPTIONS
 net     eth0        142.165.207.162     routefilter,norfc1918,tcpflags
 loc     eth1        192.168.1.255,192.168.2.255,192.168.140.255,192.168.142.255,192.168.143.255,192.168.145.255,192.168.146.255,192.168.147.255,192.168.148.255

With the above mess in the hosts file, you don't want loc in the zone
column there -- you want - since you are defining the zone entirely
through use of the hosts file.

 vpn   ipsec0 

 I watched shorewall load and it did show all of these networks as defining
 the loc zone as I would expect. I am just not sure why we lost Internet
 access after that point. Do I need to define these subnets as for example
 192.168.1.0/24,192.168.2.0/24...)

 I think I may not have given all the information in my previous post. Here
 are the relevant configs. (Some IPs have been altered to protect the
 innocent)

 IP ROUTE:

 192.168.147.0/24 dev eth1  proto kernel  scope link  src 192.168.147.4
 192.168.146.0/24 via 192.168.147.2 dev eth1
 192.168.145.0/24 via 192.168.147.2 dev eth1
 192.168.2.0/24 via 192.168.147.5 dev eth1
 192.168.1.0/24 via 192.168.147.5 dev eth1
 192.168.148.0/24 via 192.168.147.2 dev eth1
 10.10.26.0/24 via 142.165.207.254 dev ipsec0
 192.168.143.0/24 via 192.168.147.1 dev eth1
 192.168.142.0/24 via 192.168.147.1 dev eth1
 142.165.207.0/24 dev eth0  proto kernel  scope link  src 142.165.207.*
 142.165.207.0/24 dev ipsec0  proto kernel  scope link  src 142.165.207.*
 192.168.140.0/24 via 192.168.147.3 dev eth1
 default via 142.165.207.254 dev eth0


 IP ADDR:

 3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
     link/ether 00:01:02:78:13:4d brd ff:ff:ff:ff:ff:ff
     inet 142.165.207.162/24 brd 142.165.207.255 scope global eth0
 4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
     link/ether 00:04:75:90:02:b2 brd ff:ff:ff:ff:ff:ff
     inet 192.168.147.4/24 brd 192.168.147.255 scope global eth1
 9: ipsec0: <NOARP,UP> mtu 16260 qdisc pfifo_fast qlen 10
     link/ether 00:01:02:78:13:4d brd ff:ff:ff:ff:ff:ff
     inet 142.165.207.162/24 brd 142.165.207.255 scope global ipsec0

 /ETC/INTERFACES

 auto eth0
 iface eth0 inet static 
   address 142.165.207.*
   netmask 255.255.255.0
   broadcast 142.165.207.255
   gateway 142.165.207.254
  
 # Step 2: configure  internal interface
 # Default: eth1 / fixed IP = 192.168.1.254
 auto eth1
 iface eth1 inet static
   address 192.168.147.4
   netmask 255.255.255.0
   broadcast 192.168.147.255

 up ip route add 192.168.140.0/24 via 192.168.147.3 || true
 up ip route add 192.168.142.0/24 via 192.168.147.1 || true
 up ip route add 192.168.143.0/24 via 192.168.147.1 || true
 up ip route add 192.168.1.0/24 via 192.168.147.5 || true
 up ip route add 192.168.2.0/24 via 192.168.147.5 || true
 up ip route add 192.168.145.0/24 via 192.168.147.2 || true
 up ip route add 192.168.146.0/24 via 192.168.147.2 || true
 up ip route add 192.168.148.0/24 via 192.168.147.2 || true


 /etc/shorewall/masq

 #INTERFACE SUBNET ADDRESS
 eth0  192.168.1.0/24 
 eth0  192.168.2.0/24 
 eth0  192.168.140.0/24 
 eth0  192.168.142.0/24 
 eth0  192.168.143.0/24 
 eth0  

[leaf-user] firewall or just router

2003-12-08 Thread Brian Kolaci

Hi,

I'm looking to set up a box mainly as a routing decision maker.
I'll have 2 DSL lines, a primary and backup (to 2 different ISPs).  I'd
like traffic to go out the primary (faster and static IPs) when it's up
and have it automatically fail over to the second DSL router when the first
dies.  I have a LAN - watchguard - linux box - 2 DSL connections.

Actually, the linux box and the 2 DSL lines are on the same physical
network.  I'd set up the linux box with static routes to force pings
through each of the DSL lines and when it notices one line down to force
the default route through the backup.

The trick I'm finding is getting it to forward packets from the watchguard
back out the same interface to one of the DSL lines.  I can't seem to get
it to work like a router when there's only a single ethernet interface.

I'm looking to make a transparent failover (and recovery) between the
DSL lines.  The watchguard can only take a single IP address for its
default internet connection.

Any help would be appreciated...

Thanks,

Brian
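As an added example, not part of Brian's post or of any LEAF package: a small POSIX shell monitor implementing the scheme he describes, host routes that pin one probe address to each DSL router, a ping per line, and a swap of the default route when the primary stops answering. Gateway addresses, probe hosts and the interval are placeholders (RFC 5737 documentation ranges), and the ping options assume iputils-style ping.

```shell
#!/bin/sh
# Constructed example: two-ISP default-route failover on a Linux router.
# All addresses are placeholders, not values from the original post.
PRIMARY_GW="192.0.2.1"         # primary DSL router
BACKUP_GW="198.51.100.1"       # backup DSL router
PRIMARY_PROBE="192.0.2.254"    # host pinged to test the primary line
BACKUP_PROBE="198.51.100.254"  # host pinged to test the backup line
INTERVAL=10                    # seconds between checks

# Pin each probe address to its own DSL router with a host route, so that
# pinging a probe exercises exactly one line whatever the default route is.
pin_probe_routes() {
    ip route replace "$PRIMARY_PROBE/32" via "$PRIMARY_GW"
    ip route replace "$BACKUP_PROBE/32" via "$BACKUP_GW"
}

# line_state <probe-ip>: prints "up" if the probe answers, "down" otherwise.
line_state() {
    if ping -c 3 -W 2 -q "$1" >/dev/null 2>&1; then
        echo up
    else
        echo down
    fi
}

# pick_gateway <primary-state> <backup-state>: the pure decision logic.
# Prefer the primary whenever it is up; use the backup only while the
# primary is down; if both are down keep the primary so recovery is
# immediate when it returns.
pick_gateway() {
    case "$1:$2" in
        up:*)    echo "$PRIMARY_GW" ;;
        down:up) echo "$BACKUP_GW" ;;
        *)       echo "$PRIMARY_GW" ;;
    esac
}

# current_gateway: gateway of the kernel's present default route, if any.
current_gateway() {
    ip route show default 2>/dev/null | awk '/^default/ { print $3; exit }'
}

# set_default_gateway <gw>: swap the default route and record the change.
# The Watchguard keeps pointing at this box, so it never sees the swap.
set_default_gateway() {
    ip route replace default via "$1" || return 1
    logger -t dsl-failover "default route now via $1"
}

main_loop() {
    pin_probe_routes
    while :; do
        want=$(pick_gateway "$(line_state "$PRIMARY_PROBE")" "$(line_state "$BACKUP_PROBE")")
        [ "$want" = "$(current_gateway)" ] || set_default_gateway "$want"
        sleep "$INTERVAL"
    done
}

# Run the monitor only when invoked with --daemon; merely defining the
# functions (e.g. when the file is sourced) changes nothing on the box.
if [ "${1-}" = "--daemon" ]; then
    main_loop
fi
```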




---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278alloc_id=3371op=click

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html


RE: [leaf-user] Shorewall questions

2003-12-08 Thread Tom Eastep
On Mon, 2003-12-08 at 13:01, Troy Aden wrote:
 First of all, thanks for your quick responses to my silly questions. I am
 sorry to take up your time.
 
 With regards to the /etc/shorewall/hosts file, how should I have done it?
 Please tell me the clean way it should have been done as opposed to the
 messy way I have done it. 

Did you confirm that you had to do anything? Given the way that your
network is set up, I would have thought that Bering's Shorewall
configuration would have worked out of the box provided that you add
the routes to the other subnets BEFORE you start Shorewall (again,
assuming that your /etc/shorewall/masq file just contains eth0 eth1).

-Tom
-- 
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]






RE: [leaf-user] Shorewall questions

2003-12-08 Thread Ray Olszewski
Troy -- Are you sure you have a Shorewall problem and not some sort of 
routing problem? If it's Shorewall, Tom's suggestions will be a lot more 
help than anything I can offer. So my comments below consider only the 
possibility of a different source to the problem.

At 02:36 PM 12/8/2003 -0600, Troy Aden wrote:
I made these changes to shorewall and rebooted. The result was all hosts
lost Internet access.

What exactly does this mean?

1. Did all hosts have Internet access under some prior configuration? If 
so, what was it?

2. How many hosts did you actually test, and what subnets were they on? In 
particular, did you do tests from a host on the 192.168.147.0/24 network 
(the one that is DIRECTLY connected to the LEAF router, if I read your 
routing table right)? Might there be problems with the internal routers 
(the various 192.168.147.d routers, that is)?

3. When you say "lost Internet access", what actual services and 
destinations did you use in your tests?

4. For the moment, I'm going to leave the ipsec stuff to the side, under 
the assumption that the undescribed problems you are seeing involve 
ordinary (not VPN) service connections from the various 192.168.c.0 
networks to public addresses on the Internet.

5. Can the router itself access the Internet? For example, can it ping 
142.165.207.254, its default gateway? If not, how does the attempt fail?

6. If you run a traceroute from an internal host to 142.165.207.254, where 
does the traceroute stop?

/ETC/shorewall/hosts

#ZONE   HOST(S) OPTIONS
loc eth1:192.168.1.0/24
loc eth1:192.168.2.0/24
loc eth1:192.168.140.0/24
loc eth1:192.168.142.0/24
loc eth1:192.168.143.0/24
loc eth1:192.168.145.0/24
loc eth1:192.168.146.0/24
loc eth1:192.168.147.0/24
loc eth1:192.168.148.0/24

If you cheat and specify loc as 192.168.0.0/16, does that fix any of the 
problems you see?

[...]
I think I may not have given all the information in my previous post. Here
are the relevant configs. (Some IPs have been altered to protect the
innocent)
IP ROUTE:

192.168.147.0/24 dev eth1  proto kernel  scope link  src 192.168.147.4
192.168.146.0/24 via 192.168.147.2 dev eth1
192.168.145.0/24 via 192.168.147.2 dev eth1
192.168.2.0/24 via 192.168.147.5 dev eth1
192.168.1.0/24 via 192.168.147.5 dev eth1
192.168.148.0/24 via 192.168.147.2 dev eth1
10.10.26.0/24 via 142.165.207.254 dev ipsec0
192.168.143.0/24 via 192.168.147.1 dev eth1
192.168.142.0/24 via 192.168.147.1 dev eth1
142.165.207.0/24 dev eth0  proto kernel  scope link  src 142.165.207.*
142.165.207.0/24 dev ipsec0  proto kernel  scope link  src 142.165.207.*
192.168.140.0/24 via 192.168.147.3 dev eth1
default via 142.165.207.254 dev eth0

You have here two routes to 142.165.207.0/24 ... one on eth0, the other on 
ipsec0. Since this network contains your default gateway, any problem here 
will interfere with Internet access. Of course, in protecting the 
innocent you may have obscured or distorted something here that matters.

[rest deleted]
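An added example, not from Ray's message or from the LEAF project, that turns two of his checks into a script: which destinations have routes on more than one device, and which connected routes contain the default gateway (one is what you want to see). ROUTES is a constructed copy of the table Troy posted, with the masked src octets replaced by the .162 address from his ip addr output.

```shell
#!/bin/sh
# Sanity checks over an "ip route" dump. ROUTES is a constructed copy of
# the routing table quoted in the thread (masked src octets filled in).
ROUTES='192.168.147.0/24 dev eth1  proto kernel  scope link  src 192.168.147.4
192.168.146.0/24 via 192.168.147.2 dev eth1
192.168.145.0/24 via 192.168.147.2 dev eth1
192.168.2.0/24 via 192.168.147.5 dev eth1
192.168.1.0/24 via 192.168.147.5 dev eth1
192.168.148.0/24 via 192.168.147.2 dev eth1
10.10.26.0/24 via 142.165.207.254 dev ipsec0
192.168.143.0/24 via 192.168.147.1 dev eth1
192.168.142.0/24 via 192.168.147.1 dev eth1
142.165.207.0/24 dev eth0  proto kernel  scope link  src 142.165.207.162
142.165.207.0/24 dev ipsec0  proto kernel  scope link  src 142.165.207.162
192.168.140.0/24 via 192.168.147.3 dev eth1
default via 142.165.207.254 dev eth0'

# duplicate_prefixes: print every destination that has routes on more than
# one device, followed by those devices (one destination per line).
duplicate_prefixes() {
    printf '%s\n' "$ROUTES" | awk '
        {
            dev = ""
            for (i = 2; i <= NF; i++) if ($i == "dev") dev = $(i + 1)
            # remember each device once per destination, in table order
            if (index(" " devs[$1] " ", " " dev " ") == 0)
                devs[$1] = (devs[$1] == "" ? dev : devs[$1] " " dev)
        }
        END { for (d in devs) if (devs[d] ~ / /) print d, devs[d] }' | sort
}

# gateway_devices: print the devices whose connected ("proto kernel") routes
# contain the default gateway, sorted and space-separated.
gateway_devices() {
    printf '%s\n' "$ROUTES" | awk '
        function ip2int(s,  o) {
            split(s, o, ".")
            return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
        }
        # true when ip falls inside the a.b.c.d/len prefix
        function in_prefix(ip, pfx,  p, blk) {
            split(pfx, p, "/"); blk = 2 ^ (32 - p[2])
            return int(ip2int(ip) / blk) == int(ip2int(p[1]) / blk)
        }
        $1 == "default" { gw = $3 }
        /proto kernel/ {
            for (i = 2; i <= NF; i++) if ($i == "dev") conn[NR] = $(i + 1) "|" $1
        }
        END {
            for (k in conn) {
                split(conn[k], f, "|")
                if (gw != "" && in_prefix(gw, f[2])) print f[1]
            }
        }' | sort | xargs
}

if [ "${1-}" = "--report" ]; then
    echo "destinations reachable over more than one device:"; duplicate_prefixes
    echo "devices with a connected route to the default gateway:"; gateway_devices
fi
```

Run with --report; on Troy's table the gateway's network shows up on both eth0 and ipsec0, which is exactly the ambiguity Ray points at.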







RE: [leaf-user] Shorewall questions

2003-12-08 Thread Troy Aden
I installed these modules from the modules archive as per your
recommendation below. I am assuming this is what you were referring to.
 Bering_uClibc_2.0_modules_2.4.20.tar.gz
\\2.4.20\kernel\net\ipv4\netfilter , ip_conntrack_pptp.o, ip_nat_pptp.o

I get the following error on reboot of the Bering router:

After ip_conntrack_pptp.o loads I see this message:
INSMOD: Unresolved symbol ip_ct_gre_keymap_add

After ip_nat_pptp.o loads I see this message:
INSMOD: Unresolved symbol ip_ct_gre_keymap_change

Can someone please tell me what is happening here?

Thanks!

Troy


-Original Message-
From: Tom Eastep [mailto:[EMAIL PROTECTED] 
Sent: Monday, December 08, 2003 12:07 PM
To: Troy Aden
Cc: Leaf-User (E-mail)
Subject: RE: [leaf-user] Shorewall questions

On Mon, 2003-12-08 at 09:59, Troy Aden wrote:
 One more quick question.
 
 We are running a PPTP server behind shorewall.
 The default policy is
 Loc   net DROP
 
 The rules are :
 #Inbound VPN
 DNAT  net loc:{local PPTP server}  tcp  1723
 DNAT  net loc:{local PPTP server}  47   -
 
 #Outbound VPN
 
 ACCEPT loc net tcp 1723
 ACCEPT loc net 47  -
 
 The problem is that I have a user that is logged into our VPN from a
remote
 site. This user then came into work and is attempting to connect back into
 his system at the remote location. The firewall is blocking him from doing
 this.
 Here is a snip from the logs.
 
 loc2net DROP eth1 eth0 24.78.108.194 24.81.104.187 ICMP   (OS fingerprint)
 
 Can anyone tell me if there is a way to allow this user to connect to his
 system from our network?
 

You would need to install the PPTP connection tracking and NAT support
from Netfilter Patch-O-Matic. Without that support, you can only have a
single active PPTP tunnel to any given remote system.

-Tom
-- 
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]





RE: [leaf-user] Shorewall questions

2003-12-08 Thread Tom Eastep
On Mon, 8 Dec 2003, Troy Aden wrote:

 I installed these modules from the modules archive as per your
 recommendation below. I am assuming this is what you were referring to.
  Bering_uClibc_2.0_modules_2.4.20.tar.gz
 \\2.4.20\kernel\net\ipv4\netfilter , ip_conntrack_pptp.o, ip_nat_pptp.o
 
 I get the following error on reboot of the Bering router:
 
 After ip_conntrack_pptp.o loads I see this message:
 INSMOD: Unresolved symbol ip_ct_gre_keymap_add
 
 After ip_nat_pptp.o loads I see this message:
 INSMOD: Unresolved symbol ip_ct_gre_keymap_change
 
 Can someone please tell me what is happening here?
 

When you are installing modules that are only available via a Netfilter 
patch and are having problems, it's always a good idea to check the 
Netfilter site. e.g.,

http://www.netfilter.org/documentation/pomlist/pom-extra.html#pptp-conntrack-nat

-Tom
-- 
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]





[leaf-user] Bering: time to hand on the torch ...

2003-12-08 Thread Jacques Nilo
Dear folks
After quite some years spent working on LEAF, most of them dedicated to the 
Bering variant, I realise that the time I can spend on the project is 
diminishing every day. I have therefore decided to follow one of the many 
good principles from Eric Raymond's seminal paper (The Cathedral and the 
Bazaar):

When you lose interest in a program, your last duty to it is to hand it off 
to a competent successor.

Eric Wolzak, my Bering fellow from the beginning in this project, will from 
now on take over the responsibility of pursuing the Bering project on his own.

I am sure there are now many knowledgeable people around who will bring fresh 
ideas and energy. And the doc is still around :-)

It has been a real pleasure to work with such a nice community

Long life to the LEAF project !

Cheers

Jacques





[leaf-user] Re: [leaf-devel] Bering: time to hand on the torch ...

2003-12-08 Thread Tom Eastep
On Mon, 2003-12-08 at 13:29, Jacques Nilo wrote:
 Dear folks
 After quite some years spent working on LEAF, most of them dedicated to the 
 Bering variant, I realise that the time I can spend on the project is 
 diminishing every day. I have therefore decided to follow one of the many 
 good principles from Eric Raymond's seminal paper (The Cathedral and the 
 Bazaar):
 
 When you lose interest in a program, your last duty to it is to hand it off 
 to a competent successor.
 
 Eric Wolzak, my Bering fellow from the beginning in this project, will from 
 now on take over the responsibility of pursuing the Bering project on his own.
 
 I am sure there are now many knowledgeable people around who will bring fresh 
 ideas and energy. And the doc is still around :-)
 
 It has been a real pleasure to work with such a nice community
 
 Long life to the LEAF project !
 

Thanks Jacques for your fine work and dedication. You will be missed,
but I perfectly understand the demands of running a project such as
Bering and the need to eventually step away.

Best wishes,
-Tom
-- 
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]






[leaf-user] RE: [leaf-devel] Bering: time to hand on the torch ...

2003-12-08 Thread Eric B Kiser
Jacques,

It is with great respect and appreciation that I say, thank you for all
of your hard work on behalf of the LEAF-Project. You will be missed.

Best regards,
Eric Kiser

 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:leaf-devel-
 [EMAIL PROTECTED] On Behalf Of Jacques Nilo
 Sent: Monday, December 08, 2003 4:30 PM
 To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
 Subject: [leaf-devel] Bering: time to hand on the torch ...
 
 Dear folks
 After quite some years spent working on LEAF, most of them dedicated to the
 Bering variant, I realise that the time I can spend on the project is
 diminishing every day. I have therefore decided to follow one of the many
 good principles from Eric Raymond's seminal paper (The Cathedral and the
 Bazaar):
 
 When you lose interest in a program, your last duty to it is to hand it off
 to a competent successor.
 
 Eric Wolzak, my Bering fellow from the beginning in this project, will from
 now on take over the responsibility of pursuing the Bering project on his own.
 
 I am sure there are now many knowledgeable people around who will bring fresh
 ideas and energy. And the doc is still around :-)
 
 It has been a real pleasure to work with such a nice community
 
 Long life to the LEAF project !
 
 Cheers
 
 Jacques
 
 
 





RE: [leaf-user] Shorewall questions

2003-12-08 Thread Troy Aden
Ok I loaded the modules: (Listed in this order in the /lib/modules config
file)
ip_conntrack_proto_gre.o
ip_conntrack_pptp.o
ip_nat_proto_gre.o
ip_nat_pptp.o

Here are the rules that worked fine previously for pptp BEFORE I loaded
these modules.

#Allow VPN connections Outbound
ACCEPT  loc net tcp 1723
ACCEPT  loc net 47  -

#Allow VPN Inbound
DNAT net loc:192.168.169.24  tcp 1723
DNAT net loc:192.168.169.24  47  -

Here are the policies:

#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
loc net DROP ULOG
loc vpn ACCEPT
vpn loc ACCEPT
# If you want open access to the Internet from your Firewall
# remove the comment from the following line.
#fw net ACCEPT
net all DROP ULOG
all all REJECT ULOG


Now I can't make a pptp connection to our VPN.

Can anyone PLEASE tell me why? Is there something that I am missing here? It
fails with error 721 "remote computer did not respond". It was working
before I loaded these modules. Why is it broken now?

Thanks in advance!

Troy

-Original Message-
From: Troy Aden [mailto:[EMAIL PROTECTED]
Sent: Monday, December 08, 2003 8:58 PM
To: 'Tom Eastep'
Cc: Leaf-User (E-mail)
Subject: RE: [leaf-user] Shorewall questions

I installed these modules from the modules archive as per your
recommendation below. I am assuming this is what you were referring to.
 Bering_uClibc_2.0_modules_2.4.20.tar.gz
\\2.4.20\kernel\net\ipv4\netfilter , ip_conntrack_pptp.o, ip_nat_pptp.o

I get the following error on reboot of the Bering router:

After ip_conntrack_pptp.o loads I see this message:
INSMOD: Unresolved symbol ip_ct_gre_keymap_add

After ip_nat_pptp.o loads I see this message:
INSMOD: Unresolved symbol ip_ct_gre_keymap_change

Can someone please tell me what is happening here?

Thanks!

Troy


-Original Message-
From: Tom Eastep [mailto:[EMAIL PROTECTED]
Sent: Monday, December 08, 2003 12:07 PM
To: Troy Aden
Cc: Leaf-User (E-mail)
Subject: RE: [leaf-user] Shorewall questions

On Mon, 2003-12-08 at 09:59, Troy Aden wrote:
 One more quick question.

 We are running a PPTP server behind shorewall.
 The default policy is
 Loc   net DROP

 The rules are :
 #Inbound VPN
 DNAT  net loc:{local PPTP server}  tcp  1723
 DNAT  net loc:{local PPTP server}  47   -

 #Outbound VPN

 ACCEPT loc net tcp 1723
 ACCEPT loc net 47  -

 The problem is that I have a user that is logged into our VPN from a
remote
 site. This user then came into work and is attempting to connect back into
 his system at the remote location. The firewall is blocking him from doing
 this.
 Here is a snip from the logs.

 loc2net DROP eth1 eth0 24.78.108.194 24.81.104.187 ICMP   (OS fingerprint)

 Can anyone tell me if there is a way to allow this user to connect to his
 system from our network?


You would need to install the PPTP connection tracking and NAT support
from Netfilter Patch-O-Matic. Without that support, you can only have a
single active PPTP tunnel to any given remote system.

-Tom
--
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]




