[leaf-user] uClibc2 Bering

2003-12-21 Thread Robert Sabine von Knobloch
Hello LEAF World,

I have just made the transition from Bering 1.2 to the new uClibc release.

So far I have got it all working, using only the new uClibc packages, except
that when I try to use the bash shell (packages ncurses.lrp and bash.lrp),
ez-ipupdate and dnscache don't work any more.

Errors at boot time are:

/etc/rc2.d/S45dnscache: line 14: UID: readonly variable

Starting /usr/bin/ez-ipupdate...
ez-ipupdate Version 3.0.11b8
Copyright (C) 1998-2001 Angus Mackay
gethostbyname: Unknown host
error connecting to members.dyndns.org:80

Can anyone help?

Robert von Knobloch




---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278alloc_id=3371op=click

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html


Re: [leaf-user] uClibc2 Bering

2003-12-21 Thread Erich Titl
Hi

At 12:07 21.12.2003 +0100, Robert  Sabine von Knobloch wrote:
> Hello LEAF World,
>
> I have just made the transition from Bering 1.2 to the new uClibc release.
>
> So far I have got it all working, using only the new uClibc packages except
> that when I try to use the bash shell (packages ncurses.lrp and bash.lrp),
> then ez-ipupdate and dnscache don't work any more.
> errors at boot time are:
>
> /etc/rc2.d/S45dnscache: line 14: UID: readonly variable
>
> Starting /usr/bin/ez-ipupdate...
> ez-ipupdate Version 3.0.11b8
> Copyright (C) 1998-2001 Angus Mackay
> gethostbyname: Unknown host
> error connecting to members.dyndns.org:80
> Can anyone help?

Well, I'll try

1) it looks like dnscache start bails out, so you lack DNS resolution
2) ez-ipupdate needs a working DNS resolution
look into

/etc/rc2.d/S45dnscache: line 14: UID: readonly variable

HTH

Erich





Re: [leaf-user] uClibc2 Bering

2003-12-21 Thread K.-P. Kirchdörfer
On Sunday, 21 December 2003 12:54, Erich Titl wrote:
> Hi
>
> At 12:07 21.12.2003 +0100, Robert  Sabine von Knobloch wrote:
> > Hello LEAF World,
> >
> > I have just made the transition from Bering 1.2 to the new uClibc release.
> >
> > So far I have got it all working, using only the new uClibc packages
> > except that when I try to use the bash shell (packages ncurses.lrp and
> > bash.lrp), then ez-ipupdate and dnscache don't work any more.
> >
> > errors at boot time are:
> >
> > /etc/rc2.d/S45dnscache: line 14: UID: readonly variable
> >
> > Starting /usr/bin/ez-ipupdate...
> > ez-ipupdate Version 3.0.11b8
> > Copyright (C) 1998-2001 Angus Mackay
> > gethostbyname: Unknown host
> > error connecting to members.dyndns.org:80
> >
> > Can anyone help?
>
> Well, I'll try
>
> 1) it looks like dnscache start bails out, so you lack DNS resolution
> 2) ez-ipupdate needs a working DNS resolution
>
> look into
>
> /etc/rc2.d/S45dnscache: line 14: UID: readonly variable

It only happens with bash; ash works fine.
dnscache will start if you comment out

UID=1001

in /etc/init.d/dnscache.

kp
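
An added example, not part of kp's message or of the LEAF packages: a small Python check that flags assignments to the variables bash keeps read-only (UID among them) in an init script, and shows a rename that lets the script run under both ash and bash. The sample script and the DNSCACHE_ prefix are constructed; only the UID=1001 line comes from the thread.

```python
import re

# Variables bash marks read-only at startup. Assigning to one fails with
# "<name>: readonly variable", which is the error S45dnscache printed.
BASH_READONLY = ("UID", "EUID", "PPID", "BASHOPTS", "SHELLOPTS", "BASH_VERSINFO")
_NAMES = "|".join(BASH_READONLY)

# NAME= not preceded by an identifier character or '$' (so MYUID= is ignored).
ASSIGN = re.compile(r"(?<![A-Za-z0-9_$])(%s)=" % _NAMES)
# $NAME or ${NAME} references.
REF = re.compile(r"\$(\{?)(%s)\b" % _NAMES)
# Crude comment stripper: '#' at line start or after whitespace.
COMMENT = re.compile(r"(^|\s)#.*")

# Constructed stand-in for an init script; only UID=1001 is from the thread.
SAMPLE = """#!/bin/sh
# UID=0 inside a comment must not be flagged
UID=1001
MYUID=5
[ "$UID" = 1001 ] || exit 1
export EUID=0; echo "running as ${UID}"
"""


def find_readonly_assignments(script):
    """Return (line_number, variable) for each assignment bash would reject."""
    hits = []
    for number, line in enumerate(script.splitlines(), 1):
        code = COMMENT.sub("", line)
        hits.extend((number, m.group(1)) for m in ASSIGN.finditer(code))
    return hits


def rename(script, prefix):
    """Give the script its own variables instead of the shell's reserved ones.

    References are renamed too, so review any that were meant to read the
    real uid rather than the value the script assigned.
    """
    script = ASSIGN.sub(lambda m: prefix + m.group(1) + "=", script)
    return REF.sub(lambda m: "$" + m.group(1) + prefix + m.group(2), script)


if __name__ == "__main__":
    for number, name in find_readonly_assignments(SAMPLE):
        print("line %d: %s is read-only in bash" % (number, name))
    print(rename(SAMPLE, "DNSCACHE_"))
```

Running the check over /etc/init.d before switching the system shell to bash shows which services would fail to start at boot.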





[leaf-user] Question on Shorewall/blacklist/DNAT

2003-12-21 Thread Tony
Good Morning,

I have the latest version of Bering uClibc with shorewall 1.4.5.  I also
run a DMZ with an ftp server.  The DNAT rule logs at the info level so I
can see who is accessing the server.  I have blacklisted China and Korea
according to http://www.okean.com/asianspamblocks.html
Now, last night, I get a hit from:

Dec 21 01:09:40 firewall kernel: Shorewall:net_dnat:DNAT:IN=eth0 OUT=
MAC=00:20:af:9f:15:ff:00:09:12:85:08:70:08:00 SRC=210.82.163.1
DST=66.67.173.226 LEN=60 TOS=0x10 PREC=0x00 TTL=38 ID=24530 DF PROTO=TCP
SPT=3457 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0

But, my blacklist includes 210.82.0.0/15

Also, my shorewall log shows no hit which I didn't expect to, and the
counter in shorewall status shows one hit for that range.
My question is, did he get blocked or allowed access?
It looks as though he got access.
Thanks,

Tony







[leaf-user] pcnet_cs: Invalid argument ???

2003-12-21 Thread Johnny
Hello,
Trying to upgrade from Bering 1.0-rc4-2.4.18 to Bering-uClibc_2.0. NetGear
FA411 uses pcnet_cs.o and worked under Bering 1.0-rc4-2.4.18. Now when
executing insmod pcnet_cs I get:
pcnet_cs: Invalid argument

Is that referring to a command line argument error? All the prerequisite
modules are loaded, error free, and there aren't any options set for
pcnet_cs anywhere that I can find. It's the same config that worked under
1.0. Is this a bug? Is there anyone else out there successfully using the
pcnet_cs module with Bering-uClibc_2.0?

-j-





Re: [leaf-user] pcnet_cs: Invalid argument ???

2003-12-21 Thread Eric Spakman
Hello Johnny,

Bering 1.0 uses kernel 2.4.18, Bering-uClibc-2.0 (and Bering-1.2) are 
using kernel 2.4.20. Are you absolutely sure you use the pcnet_cs.o 
module for the 2.4.20 kernel?

Eric

> Hello,
> Trying to upgrade from Bering 1.0-rc4-2.4.18 to Bering-uClibc_2.0. NetGear
> FA411 uses pcnet_cs.o and worked under Bering 1.0-rc4-2.4.18. Now when
> executing insmod pcnet_cs I get:
> pcnet_cs: Invalid argument
>
> Is that referring to a command line argument error? All the prerequisite
> modules are loaded, error free, and there aren't any options set for
> pcnet_cs anywhere that I can find. It's the same config that worked under
> 1.0. Is this a bug? Is there anyone else out there successfully using the
> pcnet_cs module with Bering-uClibc_2.0?
>
> -j-
 
 
 


RE: [leaf-user] pcnet_cs: Invalid argument ???

2003-12-21 Thread Eric Spakman
Johnny,

> Hi Eric,
> yes, 2.4.20 modules, 18K 5/11/03 10:08AM.

I think I know what the problem is. Bering-uClibc uses a 
newer pcmcia package, and because of that the pcmcia modules in the 
Bering_uClibc_2.0_modules_2.4.20.tar.gz are not correct for pcmcia.
I just put new pcmcia packages in CVS (pcmcia-3.2.6) and will update 
the Bering_uClibc_2.0_modules_2.4.20.tar.gz to 2.0.1. 

I will send you the needed modules offlist (if you can tell me 
exactly which ones are needed). You have to use the new pcmcia-3.2.6 
package for this 
(http://cvs.sourceforge.net/viewcvs.py/leaf/bin/packages/uclibc-0.9/20/)

Regards,
Eric Spakman
member of the Bering-uClibc crew




Re: [leaf-user] Question on Shorewall/blacklist/DNAT

2003-12-21 Thread Victor McAllister
Tony wrote:

> Good Morning,
>
> I have the latest version of Bering uClibc with shorewall 1.4.5.  I also
> run a DMZ with an ftp server.  The DNAT rule logs at the info level so I
> can see who is accessing the server.  I have blacklisted China and Korea
> according to http://www.okean.com/asianspamblocks.html
> Now, last night, I get a hit from:
>
> Dec 21 01:09:40 firewall kernel: Shorewall:net_dnat:DNAT:IN=eth0 OUT=
> MAC=00:20:af:9f:15:ff:00:09:12:85:08:70:08:00 SRC=210.82.163.1
> DST=66.67.173.226 LEN=60 TOS=0x10 PREC=0x00 TTL=38 ID=24530 DF PROTO=TCP
> SPT=3457 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
> But, my blacklist includes 210.82.0.0/15
>
> Also, my shorewall log shows no hit which I didn't expect to, and the
> counter in shorewall status shows one hit for that range.
> My question is, did he get blocked or allowed access?
> It looks as though he got access.
> Thanks,
>
> Tony

Did you actually put the word blacklist in the interfaces file 
/etc/shorewall/interfaces

net  ppp0  norfc1918,blacklist

as well as fill out the list of IPs to blacklist

then do a backup and a shorewall restart





Re: [leaf-user] Question on Shorewall/blacklist/DNAT

2003-12-21 Thread Tony
Yup, did all that.

The actual file reads:

net eth0 detect  dhcp,routefilter,norfc1918,blacklist
loc eth1 detect
dmz eth2 detect

And the ip's are showing up in the shorewall status under the blacklist 
column.

Thanks

Tony

Victor McAllister wrote:
> Tony wrote:
>
> > Good Morning,
> >
> > I have the latest version of Bering uClibc with shorewall 1.4.5.  I also
> > run a DMZ with an ftp server.  The DNAT rule logs at the info level so I
> > can see who is accessing the server.  I have blacklisted China and Korea
> > according to http://www.okean.com/asianspamblocks.html
> > Now, last night, I get a hit from:
> >
> > Dec 21 01:09:40 firewall kernel: Shorewall:net_dnat:DNAT:IN=eth0 OUT=
> > MAC=00:20:af:9f:15:ff:00:09:12:85:08:70:08:00 SRC=210.82.163.1
> > DST=66.67.173.226 LEN=60 TOS=0x10 PREC=0x00 TTL=38 ID=24530 DF PROTO=TCP
> > SPT=3457 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
> > But, my blacklist includes 210.82.0.0/15
> >
> > Also, my shorewall log shows no hit which I didn't expect to, and the
> > counter in shorewall status shows one hit for that range.
> > My question is, did he get blocked or allowed access?
> > It looks as though he got access.
> > Thanks,
> >
> > Tony
>
> Did you actually put the word blacklist in the interfaces file 
> /etc/shorewall/interfaces
>
> net  ppp0  norfc1918,blacklist
>
> as well as fill out the list of IPs to blacklist
>
> then do a backup and a shorewall restart





Re: [leaf-user] Shorewall Log Question

2003-12-21 Thread Tom Eastep
On Saturday 20 December 2003 05:44 pm, Kory Krofft wrote:
> I think I need to add
> DROP net fw icmp 8
> to my rules file just to keep from logging the entries and filling up
> my logs. Correct?

Yes, as recommended at http://www.shorewall.net/ping.html

-Tom
-- 
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]






Re: [leaf-user] Question on Shorewall/blacklist/DNAT

2003-12-21 Thread Tom Eastep
On Sunday 21 December 2003 06:00 am, Tony wrote:

> But, my blacklist includes 210.82.0.0/15
>
> Also, my shorewall log shows no hit which I didn't expect to, and the
> counter in shorewall status shows one hit for that range.
>
> My question is, did he get blocked or allowed access?
> It looks as though he got access.

No. Blacklist rules are enforced in the 'filter' table whereas DNAT is logged 
out of the 'nat' table. See http://www.shorewall.net/NetfilterOverview.html

-Tom
-- 
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]






Re: [leaf-user] Question on Shorewall/blacklist/DNAT

2003-12-21 Thread Tony
OK, so what you're saying is the packet was logged up in the pre-routing 
 NAT section before it got dropped by the blacklisting filter at the 
Forward section?

Thanks,

Tony

Tom Eastep wrote:
<snip>
> No. Blacklist rules are enforced in the 'filter' table whereas DNAT is logged 
> out of the 'nat' table. See http://www.shorewall.net/NetfilterOverview.html
>
> -Tom




Re: [leaf-user] Question on Shorewall/blacklist/DNAT

2003-12-21 Thread Tom Eastep
On Sunday 21 December 2003 08:36 am, Tony wrote:
> OK, so what you're saying is the packet was logged up in the pre-routing
> NAT section before it got dropped by the blacklisting filter at the
> Forward section?


Yes.

If you want to log these connections out of the FORWARD chain, replace your 
DNAT rule with:

DNAT-   net dmz:<internal ip>   ftp 21
ACCEPT:<log level>  net dmz:<internal ip>   ftp 21

With Shorewall 1.4.5, the above two rules are identical to your current single 
DNAT rule with the exception that logging occurs out of the filter table.

With Shorewall 1.4.6 and later, if your kernel has the connection tracking 
match extension, the single DNAT rule is a little tighter than the two rules 
above in that the ACCEPT rule checks to ensure that the original destination 
of the connection was your external IP address. This extra check requires 
that you have DETECT_DNAT_IPADDRS=Yes in shorewall.conf. This additional 
check usually doesn't significantly enhance security though since you have 
RFC1918 filtering enabled on your external interface and the internal ip is 
most likely an RFC 1918 address. That guarantees that any connection from the 
net to the server had to have traversed the DNAT rule.

-Tom 
-- 
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
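
An added example, not from Tom's messages or from Shorewall itself: a Python triage of Tony's log entry that applies the point made in this thread, namely that an entry logged from the nat table says nothing about whether the filter table later dropped the packet. The chain-name heuristic, the net2dmz chain name, the verdict labels and the two extra log lines are assumptions constructed for illustration; the first log line, the 210.82.0.0/15 range and the eth0 blacklist option come from the thread.

```python
import ipaddress
import re

# Log entry copied from the thread, re-joined onto one line.
PAGE_LOG = (
    "Dec 21 01:09:40 firewall kernel: Shorewall:net_dnat:DNAT:IN=eth0 OUT= "
    "MAC=00:20:af:9f:15:ff:00:09:12:85:08:70:08:00 SRC=210.82.163.1 "
    "DST=66.67.173.226 LEN=60 TOS=0x10 PREC=0x00 TTL=38 ID=24530 DF PROTO=TCP "
    "SPT=3457 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0"
)
# Constructed entries (chain name net2dmz and the new addresses are assumptions):
# an unlisted source logged from nat, and one logged from the filter table.
NAT_UNLISTED = (
    "Dec 21 02:00:00 firewall kernel: Shorewall:net_dnat:DNAT:IN=eth0 OUT= "
    "SRC=198.51.100.7 DST=66.67.173.226 PROTO=TCP SPT=40000 DPT=21 SYN"
)
FILTER_LOG = (
    "Dec 21 02:00:00 firewall kernel: Shorewall:net2dmz:ACCEPT:IN=eth0 "
    "OUT=eth2 SRC=198.51.100.7 DST=10.0.0.2 PROTO=TCP SPT=40000 DPT=21 SYN"
)

BLACKLIST = [ipaddress.ip_network("210.82.0.0/15")]  # range named in the thread
BLACKLIST_IFACES = {"eth0"}  # interfaces carrying the 'blacklist' option

PREFIX = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disp>[^:\s]+):")
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")


def parse(line):
    """Split a Shorewall kernel log line into chain, disposition and fields."""
    m = PREFIX.search(line)
    if m is None:
        raise ValueError("not a Shorewall log line")
    return m.group("chain"), m.group("disp"), dict(FIELD.findall(line[m.end():]))


def table_of(chain):
    # Assumption: chains named <zone>_dnat (as in the thread's log) belong to
    # the nat table; every other chain is treated as a filter-table chain.
    return "nat" if chain.endswith("_dnat") else "filter"


def triage(line, blacklist=BLACKLIST, ifaces=BLACKLIST_IFACES):
    """Say where the entry was logged and what that implies for access."""
    chain, disp, fields = parse(line)
    src = ipaddress.ip_address(fields["SRC"])
    listed = fields.get("IN") in ifaces and any(src in net for net in blacklist)
    table = table_of(chain)
    if table == "nat":
        # Logged before the filter table ran: the entry alone does not show
        # that the connection was allowed.
        verdict = "dropped-by-blacklist" if listed else "decided-in-filter"
    else:
        # Logged from the filter table: the disposition is the decision.
        verdict = disp.lower()
    return {"src": str(src), "chain": chain, "table": table,
            "blacklisted": listed, "verdict": verdict}


if __name__ == "__main__":
    for entry in (PAGE_LOG, NAT_UNLISTED, FILTER_LOG):
        print(triage(entry))
```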






[leaf-user] Qmail questions

2003-12-21 Thread Kory Krofft
I have successfully set up my DMZ, registered a domain, compiled a custom version of 
ez-ipupdate to handle a non standard service, reconfigured weblet to act as a basic 
web content server.

I now need to get Qmail up and running so I can host my own email.
I followed the qmail LEAF/LRP user's guide but I am missing something. If I use a 
windows mail client to send mail to the lrpqmail user at my domain name, the message 
shows up in the /home/lrpqmail/Maildir/new directory. If I configure the mail client 
to  retrieve the message, it times out and is unable to retrieve it.
Anyone else got this working and care to help me debug it? I have pored through many 
qmail documents but the lrp setup is different than most as far as some of the file 
locations so I am trusting that the package should work as is if the right config 
options are set.

Thanks,

Kory

Local mail client is at 192.168.1.1 qmail is on the dmz host at 192.168.10.1
The dmz host is running Bering 1.2 without shorewall.
hosts.allow is set to all:all
I have these rules set in /etc/shorewall/rules
ACCEPT loc dmz tcp 110
ACCEPT loc dmz udp 110
ACCEPT dmz loc tcp 110
ACCEPT dmz loc udp 110
to allow pop3 access and the shorewall logs do not show anything after I make the 
attempt.
tcpdump shows this

cat /trace.txt
12:15:02.858391 192.168.10.1.22 > 192.168.1.1.2545: P 1829060004:1829060048(44) ack 2012809980 win 7504 (DF) [tos 0x10]
12:15:03.022844 192.168.1.1.2545 > 192.168.10.1.22: . ack 44 win 64859 (DF) [tos 0x10]
12:15:17.574911 192.168.1.1.2596 > 192.168.10.1.110: S 2396681599:2396681599(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
12:15:17.575141 192.168.10.1.110 > 192.168.1.1.2596: S 1898983426:1898983426(0) ack 2396681600 win 5840 <mss 1460,nop,nop,sackOK> (DF)
12:15:17.575863 192.168.1.1.2596 > 192.168.10.1.110: . ack 1 win 65535 (DF)
12:16:38.723826 192.168.10.1.110 > 192.168.1.1.2596: P 1:42(41) ack 1 win 5840 (DF)
12:16:38.940653 192.168.1.1.2596 > 192.168.10.1.110: . ack 42 win 65494 (DF)
12:17:27.145630 192.168.1.1.2596 > 192.168.10.1.110: F 1:1(0) ack 42 win 65494 (DF)
12:17:27.146212 192.168.10.1.110 > 192.168.1.1.2596: F 42:42(0) ack 2 win 5840 (DF)
12:17:27.146783 192.168.1.1.2596 > 192.168.10.1.110: . ack 43 win 65494 (DF)






Re: [leaf-user] Bering-uclibc kernel with CONFIG_MELAN=y for soekris?

2003-12-21 Thread Martin Hejl
Hi Steve,

Steve Tell wrote:
> > Let me know if I should upload the kernel/modules to sourceforge
> > If you want me to, I can do so tomorrow (the files are on my devel box 
> > at the office).
>
> It would be great if you could do so.  
> I'm not using ipsec yet, so that's no problem.  

Ok, done. I had to put it in CVS, since access to the SF shell servers 
is down at the moment. You can get to it at:
http://cvs.sourceforge.net/viewcvs.py/leaf/devel/hejl/elan/

Let me know if you run into any problems.

Martin





Re: [leaf-user] Qmail questions

2003-12-21 Thread Lynn Avants
Kory,

I haven't set up Qmail on a LEAF system, but from regular Linux distributions
I'm not sure you're likely looking for the most common problems. Typically, each
user must have a directory that contains a ~/Maildir folder rather than a
global directory (one user?). POP3 is quite a bit of a PITA with Qmail over
the preferred IMAP method as well (which likely doesn't have a *.lrp package).
IIRC, the qmail.lrp is set up by default as a relay instead of a stand-alone
server which makes more sense from the configuration you describe and
the typical use of a MTA on a router distribution. 

In any respect, you should see if you can telnet in a pop/smtp session to the
mail server and see where the process bombs out manually. If you can't SMTP
in as a valid mail user, the most likely culprit is the fact that the server 
is configured to relay to a different full mail server.



On Sunday 21 December 2003 11:53 am, Kory Krofft wrote:
> I have successfully set up my DMZ, registered a domain, compiled a custom
> version of ez-ipupdate to handle a non standard service, reconfigured
> weblet to act as a basic web content server.
>
> I now need to get Qmail up and running so I can host my own email.
> I followed the qmail LEAF/LRP user's guide but I am missing something. If
> I use a windows mail client to send mail to the lrpqmail user at my domain
> name, the message shows up in the /home/lrpqmail/Maildir/new directory. If
> I configure the mail client to  retrieve the message, it times out and is
> unable to retrieve it. Anyone else got this working and care to help me
> debug it? I have pored through many qmail documents but the lrp setup is
> different than most as far as some of the file locations so I am trusting
> that the package should work as is if the right config options are set.
>
> Thanks,
>
> Kory
>
> Local mail client is at 192.168.1.1 qmail is on the dmz host at
> 192.168.10.1 The dmz host is running Bering 1.2 without shorewall.
> hosts.allow is set to all:all
> I have these rules set in /etc/shorewall/rules
> ACCEPT loc dmz tcp 110
> ACCEPT loc dmz udp 110
> ACCEPT dmz loc tcp 110
> ACCEPT dmz loc udp 110
> to allow pop3 access and the shorewall logs do not show anything after I
> make the attempt. tcpdump shows this


Re: [leaf-user] Qmail questions

2003-12-21 Thread Kory Krofft
Lynn,
Please forgive my lack of experience but I don't quite follow all the terms.
I have the proper Maildir set up for the admin account (lrpqmail) and it receives the 
mail sent to it from the internet as proven by my ability to see the message in the 
~Maildir/new directory. I believe I may have some additional issues with the user 
accounts since the user accounts do not receive mail sent to them as yet. I am 
thinking it is because they have home directories that are located on the ide drive 
and may need to have some other config option set to let qmail know about them.
My intention is to host my own email server for a few local users to avoid the hassles 
I have had with transfer limits on my other pop3 accounts. I am not sure I understand 
what the relay comments mean in my situation.
/etc/tcp.smtp looks like this:
127.:allow,RELAYCLIENT=
192.168.:allow,RELAYCLIENT=
I assume that I need to do something else to change the behavior of qmail to provide 
pop access?
You suggest that relay makes sense in my configuration. I am open to suggestions. What 
should I relay to. We use Mozilla and PocoMail clients on our windows machines for 
mail. There is no MS Exchange server available. I would like to keep the bering DMZ 
machine as the mail server as it is one box that will be on all the time. The DMZ 
server does not have telnet and I am unsure how to telnet in a pop/smtp session to 
the mail server and see where the process bombs out manually.
I do have ssh configured for access to the DMZ host.
I will try to provide any test results that would be helpful in further resolving this 
setup.

Thank you so much,

Kory



On Sun, 21 Dec 2003 12:41:01 -0600, Lynn Avants wrote:
> Kory,
>
> I haven't set up Qmail on a LEAF system, but from regular Linux distributions
> I'm not sure you're likely looking for the most common problems. Typically, each
> user must have a directory that contains a ~/Maildir folder rather than a
> global directory (one user?). POP3 is quite a bit of a PITA with Qmail over
> the preferred IMAP method as well (which likely doesn't have a *.lrp package).
> IIRC, the qmail.lrp is set up by default as a relay instead of a stand-alone
> server which makes more sense from the configuration you describe and
> the typical use of a MTA on a router distribution.
>
> In any respect, you should see if you can telnet in a pop/smtp session to the
> mail server and see where the process bombs out manually. If you can't SMTP
> in as a valid mail user, the most likely culprit is the fact that the server
> is configured to relay to a different full mail server.
>
> On Sunday 21 December 2003 11:53 am, Kory Krofft wrote:
> > I have successfully set up my DMZ, registered a domain, compiled a custom
> > version of ez-ipupdate to handle a non standard service, reconfigured
> > weblet to act as a basic web content server.
> >
> > I now need to get Qmail up and running so I can host my own email.
> > I followed the qmail LEAF/LRP user's guide but I am missing something. If
> > I use a windows mail client to send mail to the lrpqmail user at my domain
> > name, the message shows up in the /home/lrpqmail/Maildir/new directory. If
> > I configure the mail client to  retrieve the message, it times out and is
> > unable to retrieve it. Anyone else got this working and care to help me
> > debug it? I have pored through many qmail documents but the lrp setup is
> > different than most as far as some of the file locations so I am trusting
> > that the package should work as is if the right config options are set.
> >
> > Thanks,
> >
> > Kory
> >
> > Local mail client is at 192.168.1.1 qmail is on the dmz host at
> > 192.168.10.1 The dmz host is running Bering 1.2 without shorewall.
> > hosts.allow is set to all:all
> > I have these rules set in /etc/shorewall/rules
> > ACCEPT loc dmz tcp 110
> > ACCEPT loc dmz udp 110
> > ACCEPT dmz loc tcp 110
> > ACCEPT dmz loc udp 110
> > to allow pop3 access and the shorewall logs do not show anything
<Snipped>






Re: [leaf-user] Qmail questions

2003-12-21 Thread Kory Krofft
Ray,
Sorry I was not clearer about the overall config. Comments inline.

Kory -- Because (I think) your setup involves two separate LEAF systems --
one running as a router/firewall, the other as a DMZ/Qmail server -- you
might want to be a bit clearer about which system you are reporting each
detail about. For example:

Local mail client is at 192.168.1.1 qmail is on the dmz host at
192.168.10.1 The dmz host is running Bering 1.2 without shorewall.
hosts.allow is set to all:all

This setting is relevant (and for the purposes at hand, correct) on the
DMZ/Qmail server but not on the router.

Correct. 192.168.1.1 is a Win2K machine using Pocomail.

I have these rules set in /etc/shorewall/rules
ACCEPT loc dmz tcp 110
ACCEPT loc dmz udp 110
ACCEPT dmz loc tcp 110
ACCEPT dmz loc udp 110
to allow pop3 access and the shorewall logs do not show anything after I
make the attempt.

But this information makes sense only with respect to the router (since the
DMZ host is, as you say, not running Shorewall).

Correct assumption.

As to the rules themselves, the first two are fine: they will get port-110
traffic *to* the DMZ as you intend. They are probably sufficient to get the
return traffic to the LAN (since Shorewall normally handles responses to
ACCEPTed traffic right).

My thought as well but I added the others in case.

But if not, the latter two don't do the job, because they ACCEPT traffic
*to* port 110 on the LAN, not *from* port 110 on the DMZ. I'm not the best
source for Shorewall rules, but I think that in order to ACCEPT traffic
*from* DMZ port 110, the rules need to be:

ACCEPT dmz loc tcp - 110
ACCEPT dmz loc udp - 110

(the added - skips the dport value and puts the 110 into the sport
location).

I can change them, but I agree they are most likely unneeded.

The Shorewall logs are helpful here but not definitive. Much better is to
run status shorewall before and after an unsuccessful attempt to connect
and see what rules are being incremented.

I reset the counters and tried to connect. Shorewall status afterward shows:

Shorewall-1.4.2 Status at markii - Sun Dec 21 16:49:15 UTC 2003

Counters reset Sun Dec 21 16:47:00 UTC 2003

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot  opt in     out    source       destination
    0     0 DROP       !icmp --  *      *      0.0.0.0/0    0.0.0.0/0    state INVALID
    9   639 ACCEPT     all   --  lo     *      0.0.0.0/0    0.0.0.0/0
   21  3966 eth0_in    all   --  eth0   *      0.0.0.0/0    0.0.0.0/0
 1212  212K eth1_in    all   --  eth1   *      0.0.0.0/0    0.0.0.0/0
    7   496 eth2_in    all   --  eth2   *      0.0.0.0/0    0.0.0.0/0
    0     0 common     all   --  *      *      0.0.0.0/0    0.0.0.0/0
    0     0 ULOG       all   --  *      *      0.0.0.0/0    0.0.0.0/0    ULOG copy_range 0 nlgroup 1 prefix `Shorewall:INPUT:REJECT:' queue_threshold 1
    0     0 reject     all   --  *      *      0.0.0.0/0    0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot  opt in     out    source       destination
    0     0 DROP       !icmp --  *      *      0.0.0.0/0    0.0.0.0/0    state INVALID
    0     0 eth0_fwd   all   --  eth0   *      0.0.0.0/0    0.0.0.0/0
    5   208 eth1_fwd   all   --  eth1   *      0.0.0.0/0    0.0.0.0/0
    3   168 eth2_fwd   all   --  eth2   *      0.0.0.0/0    0.0.0.0/0
    0     0 common     all   --  *      *      0.0.0.0/0    0.0.0.0/0
    0     0 ULOG       all   --  *      *      0.0.0.0/0    0.0.0.0/0    ULOG copy_range 0 nlgroup 1 prefix `Shorewall:FORWARD:REJECT:' queue_threshold 1
    0     0 reject     all   --  *      *      0.0.0.0/0    0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot  opt in     out    source       destination
    0     0 DROP       !icmp --  *      *      0.0.0.0/0    0.0.0.0/0    state INVALID
    0     0 ACCEPT     udp   --  *      eth0   0.0.0.0/0    0.0.0.0/0    udp dpts:67:68
    9   639 ACCEPT     all   --  *      lo     0.0.0.0/0    0.0.0.0/0
    0     0 fw2net     all   --  *      eth0   0.0.0.0/0    0.0.0.0/0
 1252  419K all2all    all   --  *      eth1   0.0.0.0/0    0.0.0.0/0
    7   580 all2all    all   --  *      eth2   0.0.0.0/0    0.0.0.0/0
    0     0 common     all   --  *      *      0.0.0.0/0    0.0.0.0/0
    0     0 ULOG       all   --  *      *      0.0.0.0/0    0.0.0.0/0    ULOG copy_range 0 nlgroup 1 prefix `Shorewall:OUTPUT:REJECT:' queue_threshold 1
    0     0 reject     all   --  *      *      0.0.0.0/0    0.0.0.0/0

Chain all2all (7 references)
 pkts bytes target     prot  opt in     out    source       destination
 1256  419K ACCEPT     all   --  *      *      0.0.0.0/0    0.0.0.0/0    state

Re: [leaf-user] Qmail questions

2003-12-21 Thread Kory Krofft
Ray,

I was able to connect to the pop server using telnet. It seemed to take quite
a while to get a response but I was able to retrieve and read the test message
sent to lrpqmail.


I don't know your setup well enough to tell you what is going on in the
Shorewall DROP log, but since it involves ports 67 and 68, it has something
to do with DHCP leases, not anything to do with POP3.

I was getting a lot of log entries from DHCP queries so I added the DROP to stop the 
logging of the rejects.


Last thing ... the tcpdump output you sent indicates that after the POP3
connection is initiated, the POP3 server is trying to do a reverse lookup
on the source IP address. Several packets indicate this, the first being --

16:37:26.524013 192.168.10.1.59258 > 192.168.1.254.53:  28701+ PTR? 1.10.168.192.in-addr.arpa. (43) (DF)

The router responds with a port unreachable packet:

16:37:29.547086 192.168.10.254 > 192.168.10.1: icmp: 192.168.10.254 udp port 53 unreachable [tos 0xc0]

This certainly indicates some sort of a configuration error, but not
knowing the details of your setup, I can't say what that error is. It does
make me guess that the POP3 server does not reply, after the initial reply,
because it cannot do a lookup on the IP address. Or ... a blue-sky thought
here ... how long do you wait before giving up? DNS failures can, in some
cases, cause delays of up to 3 minutes in responses.

What would be the proper way for the router to reply to this reverse lookup?
/etc/hosts on the router looks like this:
127.0.0.1   localhost.kroffts.home localhost
192.168.1.254   markii
192.168.1.1 coventry.kroffts.home coventry
192.168.10.1    www.kroffts.com dmz kroffts_web

/etc/resolv.conf on router:
domain kroffts.home
nameserver 127.0.0.1
nameserver 192.168.1.254

/etc/hosts on dmz:
127.0.0.1   localhost
192.168.1.254   markii
192.168.10.1    kroffts_web.kroffts.com kroffts_web mail.kroffts.com
191.168.1.1 coventry.kroffts.home   coventry


/etc/resolv.conf on dmz:
domain kroffts.com
nameserver 127.0.0.1
nameserver 192.168.1.254
nameserver 192.168.10.254

What can you tell me about The /etc/tinydns-private/root/data file from the router? 
Does this look correct?

kroffts.home::localhost
1.168.192.in-addr.arpa::localhost
+markii.kroffts.home:192.168.1.254  the router
=mail.kroffts.com:192.168.10.1  the dmz host

I am not running any DNS daemons on the dmz. Should I be? I had wanted to use DHCP to 
configure the DMZ host but I could not get it to work on two separate networks. I know 
it should, but it didn't so I set up the eth0 on the dmz host as static.
from the /etc/network/interfaces file on the dmz host:

auto eth0
iface eth0 inet static
address 192.168.10.1
masklen 24
broadcast 192.168.10.255
gateway   192.168.10.254

Thanks again,

Kory






Re: [leaf-user] 2 VPN Clients through Bering

2003-12-21 Thread Lynn Avants
On Wednesday 17 December 2003 08:33 am, John J. Orsini wrote:
 Leaf Users,
 This is a general question about the capability of Bering.  I am trying to
 connect 2 VPN clients from inside my network to their respective VPN
 concentrators.  I have successfully set up the Cisco VPN client to
 communicate to my wife's company.  One of the clients is a Cisco and the
 other is for Checkpoint.  My question is, does Bering support VPN pass thru
 like a Linksys or Dlink router?  Is there a way to set up Bering so that it
 works dynamically, instead of setting up all of the portforwarding and
 firewall rules by hand. Please let me know.

At this time, the Linux firewalling programs have no way of dynamically 
port-forwarding more than one pass-through service (such as Ipsec) on
a single port (ie... 500). I know many of the DLinks are running Cisco IOS,
but I can't explain how they accomplish this feat even on IOS.
Simple answer no.
-- 
~Lynn Avants
Linux Embedded Appliance Firewall Developer
http://leaf.sourceforge.net
http://guitarlynn.homelinux.org:81




Re: [leaf-user] Qmail questions

2003-12-21 Thread Lynn Avants
On Sunday 21 December 2003 08:32 pm, Kory Krofft wrote:
 Ray,

 I was able to connect to the pop server using telnet. It seemed to take
 quite a while to get a response but I was able to retrieve and read the
 test message sent to lrpqmail.

Then the mail server is working correctly and you have not yet setup the
user accounts for the 'real' users. Unfortunately on LEAF, you must do this
manually. Sample /home/(username)/Maildir. This likely uses system passwords,
so you must also set these up manually and make sure the users' directories
have the proper ownership/permissions.

You're close! :)
-- 
~Lynn Avants
Linux Embedded Appliance Firewall Developer
http://leaf.sourceforge.net
http://guitarlynn.homelinux.org:81




Re: [leaf-user] 2 VPN Clients through Bering

2003-12-21 Thread Charles Steinkuehler
Lynn Avants wrote:
On Wednesday 17 December 2003 08:33 am, John J. Orsini wrote:
Leaf Users,
This is a general question about the capability of Bering.  I am trying to
connect 2 VPN clients from inside my network to their respective VPN
concentrators.  I have successfully set up the Cisco VPN client to
communicate to my wife's company.  One of the clients is a Cisco and the
other is for Checkpoint.  My question is, does Bering support VPN pass thru
like a Linksys or Dlink router?  Is there a way to set up Bering so that it
works dynamically, instead of setting up all of the portforwarding and
firewall rules by hand. Please let me know.
At this time, the Linux firewalling programs have no way of dynamically 
port-forwarding more than one pass-through service (such as Ipsec) on
a single port (ie... 500). I know many of the DLinks are running Cisco IOS,
but I can't explain how they accomplish this feat even on IOS.
Simple answer no.
You can have multiple VPN clients behind a linux firewall if they're 
using the recent NAT traversal configuration.  IIRC, instead of using 
protocols 50/51 for the IPSec data, *ALL* data is sent via UDP, allowing 
VPN connections to traverse standard NAT/masquerading firewalls.

AFAIK, this would be something you would setup in your VPN software, and 
should 'just work' with most default firewall configurations.

Note that FreeS/WAN requires a patch to support this functionality, if 
you're planning on using linux as one (or both) of the endpoints.

Of course, it's still possible to setup one system for pretty much any 
VPN flavor using port/protocol forwarding, and there may be some 
advanced conntrack modules in 2.4 that do fancy things with IPSec 
packets, but I'm stuck in 2.2 kernel land (for IPSec, anyway) so am not 
familiar with what new features might be in 2.4.

--
Charles Steinkuehler
[EMAIL PROTECTED]




Re: [leaf-user] Bering-uclibc kernel with CONFIG_MELAN=y for soekris?

2003-12-21 Thread Steve Tell
On Sun, 21 Dec 2003, Martin Hejl wrote:

 Ok, done. I had to put it in CVS, since access to the SF shell servers 
 is down at the moment. You can get to it at:
 http://cvs.sourceforge.net/viewcvs.py/leaf/devel/hejl/elan/
 
 Let me know if you run into any problems.

It's working great, thanks!

Steve





Re: [leaf-user] uClibc2 Bering

2003-12-21 Thread Steve Tell
On Sun, 21 Dec 2003, K.-P. Kirchdörfer wrote:

 On Sunday, 21 December 2003 12:54, Erich Titl wrote:
  Hi
 
  At 12:07 21.12.2003 +0100, Robert  Sabine von Knobloch wrote:
  Hello LEAF World,
  
  I have just made the transition from Bering 1.2 to the new uClibc release.
  
  So far I have got it all working, using only the new uClibc packages
   except that when I try to use the bash shell (packages ncurses.lrp and
   bash.lrp), then ezipudate and dnscache don't work any more.
  
  errors at boot time are :
  
  /etc/rc2.d/S45dnscache: line 14: UID: readonly variable
  
  Starting /usr/bin/ez-ipupdate...
  ez-ipupdate Version 3.0.11b8
  Copyright (C) 1998-2001 Angus Mackay
  gethostbyname: Unknown host
  error connecting to members.dyndns.org:80
  
  Can anyone help?
 
  Well, I'll try
 
  1) it looks like dnscache start bails out, so you lack DNS resolution
  2) ez-ipupdate needs a working DNS resolution
 
  look into
 
  /etc/rc2.d/S45dnscache: line 14: UID: readonly variable
 
 It only happens with bash, ash works fine.
 dnscache will start if you comment out
 
 UID=1001
 
 in /etc/init.d/dnscache.

Alternately, you can change the first line of /etc/init.d/dnscache from
#!/bin/sh
to
#!/bin/ash

dnscache uses environment variables for things that should be in a config
file or on the command line, including UID.
UID is a special read-only variable in bash, but not special to ash.

Steve
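
An added example, not part of the original message or of the LEAF dnscache script: one way to hand the privilege-drop IDs to a daemon through the environment without assigning to the shell's own UID variable, so the script behaves the same under bash and ash. The function names, the GID value and the use of printenv as a stand-in for the daemon are assumptions for illustration; only UID=1001 comes from the thread.

```shell
#!/bin/sh
# Added illustration (hypothetical helper names, constructed sample values).

# Returns 0 if this shell treats UID as read-only (bash), 1 if it does not
# (ash). The assignment is tried in a subshell so that a failure cannot
# abort the calling init script.
uid_is_readonly() {
    if ( UID=1001 ) 2>/dev/null; then
        return 1
    fi
    return 0
}

# Run a command with UID and GID present only in the child's environment.
# env(1) builds the environment for the program it executes; the shell
# variable UID is never written, so bash's read-only rule is not triggered.
# usage: run_with_ids <uid> <gid> <command> [args...]
run_with_ids() {
    if [ "$#" -lt 3 ]; then
        echo "usage: run_with_ids uid gid command [args...]" >&2
        return 2
    fi
    _uid=$1
    _gid=$2
    shift 2
    # Refuse empty or non-numeric IDs: a daemon that drops privileges to
    # whatever it finds in the environment should never be given garbage.
    for _id in "$_uid" "$_gid"; do
        case $_id in
            ''|*[!0-9]*)
                echo "run_with_ids: uid and gid must be numeric" >&2
                return 2
                ;;
        esac
    done
    env UID="$_uid" GID="$_gid" "$@"
}

# Demonstration with a stand-in child. printenv shows what the daemon
# would find in its environment. UID 1001 is the value quoted in the
# thread; GID 1001 is a constructed sample value.
if uid_is_readonly; then
    echo "this shell rejects UID=... assignments (bash behaviour)"
else
    echo "this shell allows UID=... assignments (ash behaviour)"
fi
run_with_ids 1001 1001 printenv UID GID
```

The stand-in child is deliberately not a shell: a bash child would overwrite UID with its real user ID at startup and hide the value that was passed.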


 




Re: [leaf-user] Qmail questions

2003-12-21 Thread Michael D Schleif
Kory Krofft [EMAIL PROTECTED] [2003:12:21:12:53:56-0500] scribed:
 I have successfully set up my DMZ, registered a domain, compiled a
 custom version of ez-ipupdate to handle a non standard service,
 reconfigured weblet to act as a basic web content server.
 
 I now need to get Qmail up and running so I can host my own email.
 I followed the qmail LEAF/LRP user's guide but I am missing
 something. If I use a windows mail client to send mail to the lrpqmail
 user at my domain name, the message shows up in the
 /home/lrpqmail/Maildir/new directory. If I configure the mail client
 to  retrieve the message, it times out and is unable to retrieve it.
 Anyone else got this working and care to help me debug it? I have
 pored through many qmail documents but the lrp setup is different than
 most as far as some of the file locations so I am trusting that the
 package should work as is if the right config options are set.

Do I understand correctly that you _successfully_ send mail to this box,
and you know that because that same message shows up in
/home/lrpqmail/Maildir/new?

So, your only problem is retrieving that message to a windows machine?

If so, what username and password are you using for this retrieval?

I am running Dachstein and, of course, 110/tcp is open to my retrieving
systems, both on same LAN and across the Internet.

What is in these files:

   /var/qmail/control/defaultdomain
   /var/qmail/control/locals
   /var/qmail/control/rcpthosts

Try watching output from the following while you attempt to retrieve
mail to the windows box:

   tail -f /var/log/qmail/{pop3d,qmail,smtpd}/current | tai64nlocal

Without any special configuration to my qmail, here is a fetchmail
recipe I use every 131 seconds:

   poll mail.private.network with proto POP3
   user 'lrpqmail' there with password '_secret_password_' is 'mds' here

It should `just work' -- even from a windows box -- if that port is
open, qmail is properly configured, and you are using lrpqmail user and
its correct password.

hth

-- 
Best Regards,

mds
mds resource
877.596.8237
-
Dare to fix things before they break . . .
-
Our capacity for understanding is inversely proportional to how much
we think we know.  The more I know, the more I know I don't know . . .
--

