Re: [leaf-user] Qmail questions
Sorry to disagree with Lynn, but the magic words here are "quite a while". This strongly suggests to me that an earlier guess, that the observed failures actually are DNS-based delays, is the right guess ... and that "quite a while" is around 3 minutes.

What to do about it?

First, maybe your mail server can be configured not to do reverse lookups. I'm not a qmail expert so can't help there.

Second, if you do not want your mail server to be able to do DNS lookups, then the router's response -- an icmp port unreachable response -- is a correct response. A slightly better response is to send a udp REJECT packet ... some clients recognize this but do not understand icmp port unreachable (dig through ancient archives for discussion of why LEAF routers normally leave port 113 open for the theory here). You would do this by adding a Shorewall rule to ACCEPT dport-53-udp traffic from the DMZ.

Third, if you do want your mail server to be able to resolve these reverse lookups ... where do you want it to do so? What DNS server (or other mechanism) do you want to provide? Options (for these on-LAN lookups) are:

1. put the information in /etc/hosts on the DMZ machine (this may or may not work with qmail; MTAs are notorious for using ONLY DNS, not /etc/hosts, and I don't know about qmail in this regard)
2. run a DNS server authoritative for the LAN on the LEAF router
3. run a DNS server authoritative for the LAN on the LEAF mail server
4. run a DNS server authoritative for the LAN on some LAN host, and let the DMZ server have access to it through the firewall (this is what I do here, running BIND on a full-strength-Linux LAN server).

From your comments below, it appears you are trying to do #2, using tinydns. If you want to do it that way, someone else will have to answer those questions, as I've never set up that package (on LEAF or any other host) ... as I recall, it has problems listening on multiple interfaces ... but I may be remembering wrong.
Sorry I cannot take you all the way to an answer, but with the problem identified as a DNS misconfiguration, surely someone else here knows the details you need to wrap this up.

At 09:32 PM 12/21/2003 -0500, Kory Krofft wrote:
> Ray,
> I was able to connect to the pop server using telnet; it seemed to take quite a while to get a response, but I was able to retrieve and read the test message sent to lrpqmail.
>
> > I don't know your setup well enough to tell you what is going on in the Shorewall DROP log, but since it involves ports 67 and 68, it has something to do with DHCP leases, not anything to do with POP3.
>
> I was getting a lot of log entries from DHCP queries so I added the DROP to stop the logging of the rejects.
>
> > Last thing ... the tcpdump output you sent indicates that after the POP3 connection is initiated, the POP3 server is trying to do a reverse lookup on the source IP address. Several packets indicate this, the first being --
> >
> >   16:37:26.524013 192.168.10.1.59258 > 192.168.1.254.53: 28701+ PTR? 1.10.168.192.in-addr.arpa. (43) (DF)
> >
> > The router responds with a port unreachable packet:
> >
> >   16:37:29.547086 192.168.10.254 > 192.168.10.1: icmp: 192.168.10.254 udp port 53 unreachable [tos 0xc0]
> >
> > This certainly indicates some sort of a configuration error, but not knowing the details of your setup, I can't say what that error is. It does make me guess that the POP3 server does not reply, after the initial reply, because it cannot do a lookup on the IP address. Or ... a blue-sky thought here ... how long do you wait before giving up? DNS failures can, in some cases, cause delays of up to 3 minutes in responses.
>
> What would be the proper way for the router to reply to this reverse lookup?
> /etc/hosts on the router looks like this:
>
>   127.0.0.1      localhost.kroffts.home localhost
>   192.168.1.254  markii
>   192.168.1.1    coventry.kroffts.home coventry
>   192.168.10.1   www.kroffts.com dmz kroffts_web
>
> /etc/resolv.conf on router:
>
>   domain kroffts.home
>   nameserver 127.0.0.1
>   nameserver 192.168.1.254
>
> /etc/hosts on dmz:
>
>   127.0.0.1      localhost
>   192.168.1.254  markii
>   192.168.10.1   kroffts_web.kroffts.com kroffts_web mail.kroffts.com
>   191.168.1.1    coventry.kroffts.home coventry
>
> /etc/resolv.conf on dmz:
>
>   domain kroffts.com
>   nameserver 127.0.0.1
>   nameserver 192.168.1.254
>   nameserver 192.168.10.254
>
> What can you tell me about the /etc/tinydns-private/root/data file from the router? Does this look correct?
>
>   kroffts.home::localhost
>   1.168.192.in-addr.arpa::localhost
>   +markii.kroffts.home:192.168.1.254      the router
>   =mail.kroffts.com:192.168.10.1          the dmz host
>
> I am not running any DNS daemons on the dmz. Should I be?
>
> I had wanted to use DHCP to configure the DMZ host but I could not get it to work on two separate networks. I know it should, but it didn't, so I set up the eth0 on the dmz host as static. From the /etc/network/interfaces file on the dmz host:
>
>   auto eth0
>   iface eth0 inet static
>       address 192.168.10.1
>       masklen 24
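Ray's diagnosis above (a PTR query from the DMZ host, an ICMP port unreachable from the router, and a client that then waits minutes) can be checked mechanically. The following is an added example, not code from the thread: it pairs each PTR query in tcpdump text output with the DNS answer or ICMP error that ended it and reports how long the client waited. The first two SAMPLE lines are the ones quoted in the thread (with the `>` that tcpdump prints between addresses restored); the remaining lines are constructed.

```python
"""Pair reverse-DNS (PTR) queries seen in tcpdump text output with what ended
them (a DNS answer, an ICMP "udp port 53 unreachable" from a router, or
nothing) and report how long the client waited in each case.

Added example for this thread, not code from any of the posts. The first two
SAMPLE lines are the tcpdump lines quoted in the thread; the rest are constructed.
"""
import re
from datetime import datetime
from typing import Dict, List, NamedTuple, Optional, Tuple

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
TS = r"^(?P<ts>\d\d:\d\d:\d\d\.\d{1,6}) "

ANY_TS_RE = re.compile(TS)
# client.port > resolver.53: ID+ PTR? name. (len) (DF)
QUERY_RE = re.compile(
    TS + r"(?P<client>" + IPV4 + r")\.(?P<sport>\d+) > (?P<server>" + IPV4 + r")\.53: "
    r"(?P<qid>\d+)\+? PTR\? (?P<name>\S+) "
)
# resolver.53 > client.port: ID[*] ...   ('*' = authoritative; NXDomain or counts follow)
ANSWER_RE = re.compile(
    TS + r"(?P<server>" + IPV4 + r")\.53 > (?P<client>" + IPV4 + r")\.(?P<sport>\d+): "
    r"(?P<qid>\d+)\*? "
)
# gateway > client: icmp: gateway udp port 53 unreachable
# The router rejected the query instead of forwarding it. tcpdump does not print
# the embedded original datagram here, so there is no source port to key on.
UNREACH_RE = re.compile(
    TS + r"(?P<gw>" + IPV4 + r") > (?P<client>" + IPV4 + r"): icmp: (?P=gw) udp port 53 unreachable"
)


class Lookup(NamedTuple):
    name: str       # in-addr.arpa name being resolved
    client: str     # host that asked (the DMZ mail server in the thread)
    elapsed: float  # seconds the client waited
    outcome: str    # "answered", "icmp port 53 unreachable from <gw>" or "no reply in capture"


def _ts(text: str) -> datetime:
    # tcpdump prints wall-clock time only; a capture crossing midnight is not handled.
    return datetime.strptime(text, "%H:%M:%S.%f")


def ptr_lookups(lines: List[str]) -> List[Lookup]:
    """Walk tcpdump lines in order and close out each PTR query as its fate is seen."""
    pending: Dict[Tuple[str, str], Tuple[datetime, str]] = {}  # (client, sport) -> (t0, name)
    done: List[Lookup] = []
    last: Optional[datetime] = None
    for raw in lines:
        line = raw.strip()
        m_any = ANY_TS_RE.match(line)
        if not m_any:
            continue  # blank or continuation line
        last = _ts(m_any["ts"])
        m = QUERY_RE.match(line)
        if m:
            pending[(m["client"], m["sport"])] = (last, m["name"])
            continue
        m = ANSWER_RE.match(line)
        if m:
            key = (m["client"], m["sport"])
            if key in pending:
                t0, name = pending.pop(key)
                done.append(Lookup(name, m["client"], (last - t0).total_seconds(), "answered"))
            continue
        m = UNREACH_RE.match(line)
        if m:
            # One ICMP error may cover several outstanding queries from that client.
            for key in [k for k in pending if k[0] == m["client"]]:
                t0, name = pending.pop(key)
                done.append(Lookup(name, m["client"], (last - t0).total_seconds(),
                                   "icmp port 53 unreachable from " + m["gw"]))
    # Still outstanding when the capture ends: the client is stalled, which is
    # where the multi-minute timeouts discussed in the thread come from.
    for (client, _sport), (t0, name) in pending.items():
        waited = (last - t0).total_seconds() if last else 0.0
        done.append(Lookup(name, client, waited, "no reply in capture"))
    return done


def report(lookups: List[Lookup]) -> List[str]:
    """One human-readable line per lookup."""
    return ["PTR %s from %s: %s after %.3f s" % (l.name, l.client, l.outcome, l.elapsed)
            for l in lookups]


# Constructed sample capture (first two lines as quoted in the thread).
SAMPLE = """\
16:37:26.524013 192.168.10.1.59258 > 192.168.1.254.53: 28701+ PTR? 1.10.168.192.in-addr.arpa. (43) (DF)
16:37:29.547086 192.168.10.254 > 192.168.10.1: icmp: 192.168.10.254 udp port 53 unreachable [tos 0xc0]
16:37:29.600000 192.168.10.1.59259 > 192.168.1.254.53: 28702+ PTR? 254.1.168.192.in-addr.arpa. (45) (DF)
16:37:29.612000 192.168.1.254.53 > 192.168.10.1.59259: 28702* 1/0/0 PTR markii. (60)
16:37:30.000000 192.168.10.1.59260 > 192.168.1.254.53: 28703+ PTR? 1.1.168.192.in-addr.arpa. (43) (DF)
16:40:30.000000 192.168.10.1.110 > 192.168.1.1.1033: P 1:20(19) ack 1 win 5840 (DF)
"""

if __name__ == "__main__":
    for line in report(ptr_lookups(SAMPLE.splitlines())):
        print(line)
```

Run against a real capture with `tcpdump -n -l port 53 or icmp` piped in; a rejected lookup shows up as the ICMP outcome, a dropped one as "no reply in capture" with a long wait.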
[leaf-user] Re - Bash Shell in Bering uClibc
Thanks to Erich Titl & K.P. for their useful suggestions. Commenting out line 14 in /etc/init.d/dnscache (UID=1001) works fine; dnscache & ezipupdate are now working together with the bash shell.

Robert von Knobloch.

---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills. Sign up for IBM's Free Linux Tutorials. Learn everything from the bash shell to sys admin. Click now!
http://ads.osdn.com/?ad_id=1278alloc_id=3371op=click

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
[leaf-user] Static DNS entry
Does anyone know a simple way to set a couple of static DNS entries on my LEAF Bering (uClib) box? I'm running DNSCACHE for resolving Internet names and have an MS Win2000 Domain controller as internal DNS (it needs its own dynamic DNS for Active Directory). All this works just fine until I power down the complete Windows network (which I do every evening). When I want a quick connection from my laptop or a visitor's laptop I don't have internal DNS and can't access my LEAF box by name (unless I power my MS domain up). I don't want to put a host file on visitors' machines, and adding a DNS server to my LEAF box will disturb CACHEDNS.

Any ideas?

Robert von Knobloch.
[leaf-user] OpenVPN
I'm trying to connect several offices, and I decided to use Bering uClib because it seems to be the most up to date branch. After several problems with network drivers it's starting to work, but now I have to decide about security: ipsec or openvpn. It seems that openvpn is easier to configure and you can select the degree of security/cpu that you want (my PCs are really old), so I think it's the better solution for me, but I can't see a package for openvpn using Bering uClib.

The questions are three:
- Do you think it's a good idea to use Bering uClib?
- What about ipsec vs openvpn?
- Is there a package for openvpn under Bering uClib?

Thanks!!

Fernando Febles Armas
Head of the IT Section
Tf. 922140170 Fx. 922140151
[EMAIL PROTECTED]
Cabildo de La Gomera CIF: P384H
Profesor Armas Fernández 2 S/S Gomera 38800 Tenerife (Canarias)
Re: [leaf-user] OpenVPN
Hello,

I have used openvpn for a year with bering (glibc) to connect 2 subnets through adsl (pppoe) lines. It's a wonderful product (the easiest one to configure if both ends of the tunnel are connected with changing external addresses). I only used static keys so far.

I'm working on building a .lrp for bering-uclibc using buildtool. I'm cloning the openssh buildtool configuration but I didn't manage yet to make it compile. I might have some news beginning of next year because I plan to work on it during the end of year holidays...

Regards,
Etienne Charlier

----- Original Message -----
From: Informática. Cabildo de La Gomera [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, December 22, 2003 12:59 PM
Subject: [leaf-user] OpenVPN

> I'm trying to connect several offices, and I decided to use Bering uClib because it seems to be the most up to date branch. After several problems with network drivers it's starting to work, but now I have to decide about security: ipsec or openvpn. It seems that openvpn is easier to configure and you can select the degree of security/cpu that you want (my PCs are really old), so I think it's the better solution for me, but I can't see a package for openvpn using Bering uClib.
>
> The questions are three:
> - Do you think it's a good idea to use Bering uClib?
> - What about ipsec vs openvpn?
> - Is there a package for openvpn under Bering uClib?
>
> Thanks!!
>
> Fernando Febles Armas
> Head of the IT Section
> Tf. 922140170 Fx. 922140151
> [EMAIL PROTECTED]
> Cabildo de La Gomera CIF: P384H
> Profesor Armas Fernández 2 S/S Gomera 38800 Tenerife (Canarias)
Re: [leaf-user] Static DNS entry
Hi

At 09:52 22.12.2003 +0100, you wrote:
> Does anyone know a simple way to set a couple of static DNS entries on my LEAF Bering (uClib) box? I'm running DNSCACHE for resolving Internet names and have an MS Win2000 Domain controller as internal DNS (it needs its own dynamic DNS for Active Directory). All this works just fine until I power down the complete Windows network (which I do every evening). When I want a quick connection from my laptop or a visitor's laptop I don't have internal DNS and can't access my LEAF box by name (unless I power my MS domain up). I don't want to put a host file on visitors' machines, and adding a DNS server to my LEAF box will disturb CACHEDNS.
>
> Any ideas?

I always thought DNSCache was part of tinydns, e.g. the djbdns suite. Will this really disturb?

You could publish your LEAF box to be the nameserver for your ad-hoc clients; if you want to rely on your windoze set up to serve DNS then do a zone transfer to your LEAF box to take over once the windoze box is off.

HTH
Erich

THINK
Püntenstrasse 39
8143 Stallikon
mailto:[EMAIL PROTECTED]
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16
[leaf-user] Bash Bering uClibc
Hello LEAF World!

My earlier mail was too hasty; another problem has emerged when using bash. Backup of any or all packages (backup... c... L...) results in each package reporting a line number and terminated ticker. A reboot produces simply a kernel panic and everything is completely dead. Restoring my carefully saved ghost backup, removing ncurses and bash fixes this.

Any ideas anyone?

robert von Knobloch in the very snowy Black Forest
Re: [leaf-user] Bash Bering uClibc
Robert

At 14:57 22.12.2003 +0100, Robert & Sabine von Knobloch wrote:
> Hello LEAF World!
>
> My earlier mail was too hasty; another problem has emerged when using bash. Backup of any or all packages (backup... c... L...) results in each package reporting a line number and terminated ticker. A reboot produces simply a kernel panic and everything is completely dead. Restoring my carefully saved ghost backup, removing ncurses and bash fixes this.
>
> Any ideas anyone?

Same ideas as before, obviously bash breaks things that are written with an ashen mind :-)

Most backup scripts are located in /usr/sbin. They use /bin/sh. On my system /bin/sh links to ash. If you install bash this is probably changed to bash.

  gatekeeper: -root- # ls -l /bin/sh
  lrwxrwxrwx    1 root     root            3 Nov 18 01:02 /bin/sh -> ash

Now you could change this by

  rm /bin/sh
  ln -s /bin/ash /bin/sh

You would have to make sure that the new installation of bash does _not_ overwrite /bin/sh again, so happy hacking. But then you can easily add a script to /etc/init.d which takes care of that.

BTW. Why exactly do you use bash?

> robert von Knobloch in the very snowy Black Forest

Altitude? How much snow?

cheers
Erich

THINK
Püntenstrasse 39
8143 Stallikon
mailto:[EMAIL PROTECTED]
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16
[leaf-user] NIC driver for Netgear FA310TX / Bering-uClibc 2.0?
Hi folks,

I can't get my NICs to initialize. I'm using Bering-uClibc (from Bering-uClibc_2.0_img_bering-uclibc-1680.exe) and 3 Netgear FA310TX (Rev-D2) cards. I've tried using both the natsemi.o and tulip.o drivers by themselves and with the pci-scan.o driver, none of which work. I would be happy to provide any further info.

Any suggestions?

Thank you, Happy Holidays!
Craig
[leaf-user] ISDN package for Bering uClibc
hi

i'm looking for isdn.lrp package for bering uClibc distribution, can anybody help me please?

thanks
jakub urban
Re: [leaf-user] Static DNS entry
On Mon, 2003-12-22 at 05:05, Erich Titl wrote:
> Hi
>
> At 09:52 22.12.2003 +0100, you wrote:
> > Does anyone know a simple way to set a couple of static DNS entries on my LEAF Bering (uClib) box?

I don't see how these entries would solve the problem you describe below. They would help the LEAF box resolve host names, but wouldn't help other hosts resolve the name of your LEAF box.

Part of the source of my confusion (and, I suspect, yours) is that you haven't told us how IPs are assigned on your network; I suspect the Win2000 domain server provides DHCP services. If so, how will laptops attached to the network obtain IPs and other network settings when the DHCP server is off-line?

> > I'm running DNSCACHE for resolving Internet names and have an MS Win2000 Domain controller as internal DNS (it needs its own dynamic DNS for Active Directory). All this works just fine until I power down the complete Windows network (which I do every evening). When I want a quick connection from my laptop or a visitor's laptop I don't have internal DNS and can't access my LEAF box by name (unless I power my MS domain up). I don't want to put a host file on visitors' machines, and adding a DNS server to my LEAF box will disturb CACHEDNS.
> >
> > Any ideas?
>
> I always thought DNSCache was part of tinydns, e.g. the djbdns suite.

Sort of. dnscache and tinydns are separate parts of the djbdns suite.

> Will this really disturb?

As Erich's question implies, you can run both tinydns and dnscache on a single host by binding each to a different IP. On a typical LEAF box, tinydns is bound to 127.0.0.1 and dnscache is bound to the IP of the box's internal interface (192.168.1.254 for example).

> You could publish your LEAF box to be the nameserver for your ad-hoc clients; if you want to rely on your windoze set up to serve DNS then do a zone transfer to your LEAF box to take over once the windoze box is off.
>
> HTH
> Erich

-Richard
[leaf-user] zebra.lrp?
hi all

does anybody have last version of zebra (0.94) or quagga (0.96.4) compiled for bering-glibc distro? when I try to compile this on my UML debian/slink machine, I've got segmentation fault messages ;-( (immediately after running .\configure)

thanks
jakub urban
Re: [leaf-user] NIC driver for Netgear FA310TX / Bering-uClibc 2.0?
Craig Caughlin wrote:
> Hi folks,
>
> I can't get my NICs to initialize. I'm using Bering-uClibc (from Bering-uClibc_2.0_img_bering-uclibc-1680.exe) and 3 Netgear FA310TX (Rev-D2) cards. I've tried using both the natsemi.o and tulip.o drivers by themselves and with the pci-scan.o driver, none of which work. I would be happy to provide any further info.
>
> Any suggestions?

I use the same cards - open Bering_uClibc_2.0_modules_2.4.20.tar; you can use the single kernel driver found in 2.4.20/kernel/drivers/net/tulip/. Works great.
[leaf-user] e1000 module (version 4.3.15) for Dachstein?
Does anyone have the compiled e1000 module (version 4.3.15) for the Intel Pro/1000 MT Dual Port nic? I believe that the 4.3.15 version of the driver is the most recent one for 2.2 kernels. I'm using Dachstein v1.0.2, which has version 3.0.16. Unfortunately when I try and load the module I get

  insmod: init_module: e1000: Device or resourrce busy.

I'm running on a Dell PowerEdge 650. I'm hoping that a new version of the driver will do the trick.

thanks,
Miguel DeAvila
Re: [leaf-user] e1000 module (version 4.3.15) for Dachstein?
I don't have specific info for that card, but when I've had cards that have been acting that way, it's either been that the card was conflicting with another device, or that the module needs the io address specified.

Hope that helps somewhat.

Tony

----- Original Message -----
From: Miguel De Avila [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, December 22, 2003 1:53 PM
Subject: [leaf-user] e1000 module (version 4.3.15) for Dachstein?

> Does anyone have the compiled e1000 module (version 4.3.15) for the Intel Pro/1000 MT Dual Port nic? I believe that the 4.3.15 version of the driver is the most recent one for 2.2 kernels. I'm using Dachstein v1.0.2, which has version 3.0.16. Unfortunately when I try and load the module I get
>
>   insmod: init_module: e1000: Device or resourrce busy.
>
> I'm running on a Dell PowerEdge 650. I'm hoping that a new version of the driver will do the trick.
>
> thanks,
> Miguel DeAvila
[leaf-user] sftp gives /usr/bin/ssh: Permission denied
Hi there,

I have problems making a sftp/scp from my LEAF Bering 1.2 to a local host. Connecting from a sftp client on the host to the router works fine. When connecting from the router (192.168.22.1) to the host (192.168.22.3) I get the error message shown below.

  firewall: -root- # sftp 192.168.22.3
  Connecting to 192.168.22.3...
  exec: /usr/bin/ssh: Permission denied

  # sftp -o UsePriviledgedPort no 192.168.22.3
  Connecting to 192.168.22.3...
  exec: /usr/bin/ssh: Permission denied
  Couldn't read packet: Connection reset by peer

I hope some of you can help me. I expect some trivial error, as I am fairly new to Linux.

Kind regards
Axel B. Bregnsbo

Additional information:

1) ssh connection from the host to the router works fine. The host is using Putty on a Windows machine.
2) sftp client connection FROM host TO router works fine.
2) issuing 'sftp' did not cause any packets to be transmitted by the router. I ran a packet-sniffer on the link between 192.168.22.3 & 192.168.22.1.
3) the /usr/bin/ssh directory is empty

  # ls -ld ssh
  drwxr-xr-x    2 root     root           40 Dec 20 21:54 ssh

  # lrpkg -l
  Name       Version          Description
  ========== ================ ==============================================
  initrd     V1.2             LEAF Bering initial filesystem
  root       V1.2             Core LEAF Bering package
  etc        V1.2             LEAF Bering /etc files
  local      V1.2             LEAF Bering local package
  modules    V1.2             Define & contain your LEAF Bering modules
  iptables   1.2.8            IP packet filter administration tools for 2.4.
  pump       0.8.14-2         DHCP/BOOTP client from Redhat
  shorwall   1.4.2            Shoreline Firewall (Shorewall)
  ulogd      1.0              The Netfilter Userspace Logging Daemon
  dnscache   1.05a            A fast secure proxy DNS server
  weblet     1.2.0            LEAF status via a small web server
  dhcpd      2.0pl5           DHCP server for automatic IP assignment
  libz       1.1.4            zlib compression library. Needed for openssh
  sshd       3.7.1p2 compil   OpenSSH sshd daemon.
  sftp       3.7.1p2 compil   OpenSSH sftp client & server programs.

  # ps
    PID  Uid       VmSize Stat Command
      1 root          764 S    init [2]
      2 root              S    [keventd]
      3 root              S    [ksoftirqd_CPU0]
      4 root              S    [kswapd]
      5 root              S    [bdflush]
      6 root              S    [kupdated]
   3127 root          816 S    /sbin/syslogd -m 240
  19671 root          836 S    /sbin/klogd
   5769 root         1744 S    /usr/sbin/sshd
  24789 root          720 S    /usr/sbin/watchdog
  23329 root          776 S    /usr/sbin/inetd
  15315 root          860 S    /usr/sbin/ulogd -d
   7766 root          964 S    /usr/sbin/dhcpd eth1
    695 dnscache     2044 S    [dnscache]
  19773 root          812 S    /usr/sbin/cron
  11612 root          848 S    -sh
   9987 root          952 S    /sbin/getty 38400 tty2
   8480 root         4440 S    sshd: [EMAIL PROTECTED]
  22634 root          848 S    -sh
  32196 root         4364 S    sshd: [EMAIL PROTECTED]
  13989 root          840 S    -sh
  19070 root          936 R    ps
Re: [leaf-user] zebra.lrp?
On Monday, 22 December 2003 19:12, jakub urban wrote:
> hi all
>
> does anybody have last version of zebra (0.94) or quagga (0.96.4) compiled for bering-glibc distro?

look for zebra.lrp (which is in fact quagga) at:
http://leaf.sourceforge.net/mod.php?mod=userpagemenu=91017page_id=51

> when I try to compile this on my UML debian/slink machine, I've got segmentation fault messages ;-( (immediately after running .\configure)

As bad as that sounds, you're lucky :)
UML debian/slink can't be used for compiling apps for use with Bering-uClibc. The generated app will segfault as well on a Bering-uClibc based router.

Please read:
http://leaf.sourceforge.net/doc/guide/buc-devel.html
to get an impression how to build packages for Bering-uClibc.

kp
Re: [leaf-user] zebra.lrp?
> > does anybody have last version of zebra (0.94) or quagga (0.96.4) compiled for bering-glibc distro?
>
> look for zebra.lrp (which is in fact quagga) at:
> http://leaf.sourceforge.net/mod.php?mod=userpagemenu=91017page_id=51

I know this, but this is zebra.lrp for Bering-uClibc; I'm looking for zebra for the Bering (glibc) version.

> > when I try to compile this on my UML debian/slink machine, I've got segmentation fault messages ;-( (immediately after running .\configure)
>
> As bad as that sounds, you're lucky :)
> UML debian/slink can't be used for compiling apps for use with Bering-uClibc.

I know, but I'm not lucky, I want zebra for bering-glibc, so I think that debian/slink is OK for compiling,

jakub urban
Re: [leaf-user] e1000 module (version 4.3.15) for Dachstein?
Miguel De Avila wrote:
> Does anyone have the compiled e1000 module (version 4.3.15) for the Intel Pro/1000 MT Dual Port nic? I believe that the 4.3.15 version of the driver is the most recent one for 2.2 kernels. I'm using Dachstein v1.0.2, which has version 3.0.16. Unfortunately when I try and load the module I get
>
>   insmod: init_module: e1000: Device or resourrce busy.
>
> I'm running on a Dell PowerEdge 650. I'm hoping that a new version of the driver will do the trick.

You'll probably have to build this yourself, unless someone else on-list has done so already and can send you the binary.

The required patches and a script to turn a 'virgin' kernel.org source tarball into a source tree for the Dachstein kernel are available (see the Readme file):
http://leaf-project.org/devel/cstein/files/kernels/Dachstein-source.tar.gz

Note that the intel makefile assumes you're compiling on the same system you're building the driver for (highly unlikely in this case), so you'll have to short-circuit the automatic 'find the kernel source directory' code in the makefile to compile against the Dachstein kernel.

-- 
Charles Steinkuehler
[EMAIL PROTECTED]
[leaf-user] re:Opening UDP ports problem solved
This email is just an FYI to Ray and Tom who were helping me out last week. I was able to solve my problem from last week with traffic not being forwarded over port 27015. You guys were correct that some traffic was passing, but only a small amount, about 1 in 5 if I did my math correctly. Once I changed the rule (see below) all the traffic passed and the service is accepting traffic.

the rule I had was..

  DNAT    net    loc:192.186.1.3:27015    udp    27015

I changed the rule to..

  DNAT    all    loc:192.186.1.3:27015    udp    27015

And everything started to work.

thanks again for your help

Josh Dalziel
T-Mobile National Operations
Bothell Wa USA
425-770-5683
[leaf-user] How to debug boot up?
Hi folks,

I'm trying to set up a new Bering-uClibc v 2.0 firewall, and I'm getting an error message(s) that I think are related to dnscache (which, of course, scroll by so quickly I can't be sure :-). How do I find out which package(s) I'm having problems with? I wrote the dmesg to a file, and then examined it... but I don't see any reference to the packages that loaded at boot or the (nf!) message(s) that scroll by.

Suggestions?

Thank you, Happy Holidays!
Craig
Re: [leaf-user] re:Opening UDP ports problem solved
On Monday 22 December 2003 03:20 pm, Dalziel, Josh wrote:

> the rule I had was..
>
> DNAT net loc:192.186.1.3:27015 udp 27015
>
> I changed the rule to..
>
> DNAT all loc:192.186.1.3:27015 udp 27015
>
> And everything started to work.

Now look at the output of shorewall status and see where the packets are really coming from (if not 'net').

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
Re: [leaf-user] How to debug boot up?
On Monday 22 December 2003 05:46 pm, Craig Caughlin wrote:

> Hi folks,
>
> I'm trying to set up a new Bering-uClibc v 2.0 firewall, and I'm getting an error message(s) that I think are related to dnscache (which, of course, scroll by so quickly I can't be sure :-). How do I find out which package(s) I'm having problems with?

What are the error messages? shift+PgUp

Most likely places to find the package problems are lack of the package in the lrcfg backup menu (not loaded ...nf!), /var/log/messages, and /var/log/kern.log

> I wrote the dmesg to a file, and then examined it...but I don't see any reference to the packages that loaded at boot or the (nf!) message(s) that scroll by.
>
> Suggestions?

Doesn't sound as if one or more packages were found on your disk at boot.

--
~Lynn Avants
Linux Embedded Appliance Firewall Developer
http://leaf.sourceforge.net
http://guitarlynn.homelinux.org:81
Re: [leaf-user] Qmail questions
Michael,

Thanks for the response. See below...

> Kory Krofft [EMAIL PROTECTED] [2003:12:21:12:53:56-0500] scribed:
>
> Snip
>
> > I now need to get Qmail up and running so I can host my own email. I followed the qmail LEAF/LRP user's guide but I am missing something. If I use a windows mail client to send mail to the
>
> snip
>
> Do I understand correctly that you _successfully_ send mail to this box, and you know that because that same message shows up in /home/lrpqmail/Maildir/new?

Yes. I can receive mail sent to [EMAIL PROTECTED] I can't currently seem to get mail to show up in any other users' Maildirs but I figure one problem at a time. If I can get the pop client to work it will be much easier to debug the user issues.

> So, your only problem is retrieving that message to a windows machine?

Yes. I use PocoMail on a win2k box. I get a timeout error when attempting to contact the popserver on my dmz host.

> If so, what username and password are you using for this retrieval?

I use lrpqmail and the password for lrpqmail on the host. I can log into the host with this combination, I can telnet to port 110 and the pop server using this combination but telnet takes about a minute and a half to respond to the telnet open command. Once the session is open, it responds OK.

> I am running Dachstein and, of course, 110/tcp is open to my retrieving systems, both on same LAN and across the Internet.
>
> What is in these files:
>
> /var/qmail/control/defaultdomain

kroffts.com

> /var/qmail/control/locals

kroffts.com

> /var/qmail/control/rcpthosts

kroffts.com

> Try watching output from the following while you attempt to retrieve mail to the windows box:
>
> tail -f /var/log/qmail/{pop3d,qmail,smtpd}/current | tai64nlocal

tail ~.../pop3d/current | tai64nlocal gives:

2003-12-22 20:18:37.252597500 tcpserver: end 25088 status 256
2003-12-22 20:18:37.252615500 tcpserver: status: 0/40
2003-12-22 20:38:59.646993500 tcpserver: status: 1/40
2003-12-22 20:38:59.647207500 tcpserver: pid 14513 from 192.168.1.1
2003-12-22 20:40:20.795033500 tcpserver: ok 14513 :192.168.10.1:110 :192.168.1.1::3584

the other 2 show no new entries

> Without any special configuration to my qmail, here is a fetchmail recipe I use every 131 seconds:
>
> poll mail.private.network with proto POP3 user 'lrpqmail' there with password '_secret_password_' is 'mds' here
>
> It should `just work' -- even from a windows box -- if that port is open, qmail is properly configured, and you are using lrpqmail user and its correct password.

I believe as Ray has mentioned that the major issue may be a reverse lookup that qmail is doing which causes the timeout error on the mail client. I am still looking into what dns settings I need to change to fix that possibility.

Thanks for your input,

Kory

> hth
Re: [leaf-user] Qmail questions
Ray,

See below

> snipped
>
> failures actually are DNS-based delays, is the right guess ... and that quite a while is around 3 minutes.

It takes about a minute and a half to get a response with telnet.

> What to do about it?
>
> First, maybe your mail server can be configured not to do reverse lookups. I'm not a qmail expert so can't help there.

I have not found any source so far that tells me how to configure it. I am considering asking on the qmail list but since the lrp setup is different, the responses are often hard to follow when asked to compare setup info.

> Second, if you do not want your mail server to be able to do DNS lookups, then the router's response -- an icmp port unreachable response -- is a correct response. A slightly better response is to send a udp REJECT packet ... some clients recognize this but do not understand icmp port unreachable (dig through ancient archives for discussion of why LEAF routers normally leave port 113 open for the theory here). You would do this by adding a Shorewall rule to ACCEPT dport-53-udp traffic from the DMZ.

I have had ACCEPT dmz fw udp 53 in place all along.

> Third, if you do want your mail server to be able to resolve these reverse lookups ... where do you want it to do so? What DNS server (or other mechanism) do you want to provide? Options (for these on-LAN lookups) are:
>
> put the information in /etc/hosts on the DMZ machine (this may or may not work with qmail; MTAs are notorious for using ONLY DNS, not /etc/hosts, and I don't know about qmail in this regard)

I tried the hosts file but it does not seem to help.

> run a DNS server authoritative for the LAN on the LEAF router
>
> run a DNS server authoritative for the LAN on the LEAF mail server
>
> run a DNS server authoritative for the LAN on some LAN host, and let the DMZ server have access to it through the firewall (this is what I do here, running BIND on a full-strength-Linux LAN server).
>
> From your comments below, it appears you are trying to do #2, using tinydns. If you want to do it that way, someone else will have to answer those questions, as I've never set up that package (on LEAF or any other host) ... as I recall, it has problems listening on multiple interfaces ... but I may be remembering wrong.

I think I am doing #1. I have no DNS packages running on the DMZ host. I have tried to set the router as a default dns server for both the dmz and loc networks. It works for lookups resolving internet hosts. I will repost and ask what the proper setup is for dns service to resolve my 2 internal networks.

> Sorry I cannot take you all the way to an answer, but with the problem identified as a DNS misconfiguration, surely someone else here knows the details you need to wrap this up.

Thanks for all the help. I know more now than when I started.

Kory

> At 09:32 PM 12/21/2003 -0500, Kory Krofft wrote:
>
> the tcpdump output you sent indicates that after the POP3 connection is initiated, the POP3 server is trying to do a reverse lookup on the source IP address. Several packets indicate this, the first being --
>
> 16:37:26.524013 192.168.10.1.59258 > 192.168.1.254.53: 28701+ PTR? 1.10.168.192.in-addr.arpa. (43) (DF)
>
> The router responds with a port unreachable packet:
>
> 16:37:29.547086 192.168.10.254 > 192.168.10.1: icmp: 192.168.10.254 udp port 53 unreachable [tos 0xc0]
>
> This certainly indicates some sort of a configuration error, but not knowing the details of your setup, I can't say what that error is. It does make me guess that the POP3 server does not reply, after the initial reply, because it cannot do a lookup on the IP address.
>
> Or ... a blue-sky thought here ... how long do you wait before giving up? DNS failures can, in some cases, cause delays of up to 3 minutes in responses.
>
> > What would be the proper way for the router to reply to this reverse lookup?
> >
> > /etc/hosts on the router looks like this:
> >
> > 127.0.0.1 localhost.kroffts.home localhost
> > 192.168.1.254 markii
> > 192.168.1.1 coventry.kroffts.home coventry
> > 192.168.10.1 www.kroffts.com dmz kroffts_web
> >
> > /etc/resolv.conf on router:
> >
> > domain kroffts.home
> > nameserver 127.0.0.1
> > nameserver 192.168.1.254
> >
> > /etc/hosts on dmz:
> >
> > 127.0.0.1 localhost
> > 192.168.1.254 markii
> > 192.168.10.1 kroffts_web.kroffts.com kroffts_web mail.kroffts.com
> > 191.168.1.1 coventry.kroffts.home coventry
> >
> > /etc/resolv.conf on dmz:
> >
> > domain kroffts.com
> > nameserver 127.0.0.1
> > nameserver 192.168.1.254
> > nameserver 192.168.10.254
> >
> > What can you tell me about the /etc/tinydns-private/root/data file from the router? Does this look correct?
> >
> > kroffts.home::localhost
> > 1.168.192.in-addr.arpa::localhost
> > +markii.kroffts.home:192.168.1.254   (the router)
> > =mail.kroffts.com:192.168.10.1   (the dmz host)
> >
> > I am not running any DNS daemons on the dmz. Should I be?
> >
> > I had wanted to use DHCP to configure the DMZ host but I could not get it to work on two separate networks. I know it should, but it didn't so I set up the eth0 on the dmz host as
[leaf-user] Firewall compromised-V2.0 uClibc-0. image Bering-uClibc_2.0_img_bering-uclibc-1680.exe
Hello All,

Please be patient with me, I am new to the Linux world and I am not a security expert. I built a uClibc firewall version 2.0 Linux firewall kernel 2.4.20 from the image Bering-uClibc_2.0_img_bering-uclibc-1680.exe and I have been compromised. I have included a lot of information here because I need to know how the hackers compromised this machine and I want to give you as much information as you need to help me figure it out. For the most part this is a default configuration with no special services needed or running, I setup dropbear (default config) but have not removed the package yet. The Shorewall is set to accept all outbound traffic and paranoid ALL inbound, I have not changed anything in this configuration file. Please see Configuration and rules below for more detail and please let me know if you need any additional information. Thank you in advance to all that will help me. I am learning, and I am sure this is NOT an issue with the shorewall product but with my configuration. Please also remember who you are addressing (dope newbie/wannabie) so please if you could. :)

Ken
[EMAIL PROTECTED]

Issue:
=========

My shorewall has been compromised. I need to find out how they are compromising this machine repeatedly and what I need to do to stop it! The hackers have already used the shorewall box to spam others on the internet and god knows what else. I have a CISCO PIX 515 behind the shorewall firewall with eth0 set to 192.168.1.99. As far as I can tell it has not been compromised and I have not noticed any strange events internally on my home network (yet). (I am told the PIX cannot be configured for dhcp so I am using shorewall for this; unfortunately in my area I have a choice between Comcast and dialup). The version of uClibc I am using may need some patches but I am not sure about this as I downloaded this image and set it up less than a month ago, please let me know if there are any critical updates that I need to apply.

I have read the installation/user guides and have read hundreds of man pages and I can only hope I did everything right.

This clip is from my shorewall.log:0: Note the date on the first entry and the source IP. The problem is that the SRC is my IP and I do not have an IP 192.43.244.18 on my network. I have added 123.1.1.1 to my blacklist. Since this IP has been added to my blacklist it still shows up in my log and looks something like the log from DEC 20 below with Shorewall:blacklst:DROP:IN=eth0 OUT=eth1 SRC=123.1.1.1 DST=192.168.1.99. This is bad because this IP is eth0 to my CISCO PIX 515.

Jan 1 00:00:00 firewall Shorewall:all2all:REJECT: IN= OUT=eth0 MAC= SRC=12.213.227.185 DST=192.43.244.18 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=4083 DPT=37 SEQ=3441321937 ACK=0 WINDOW=5840 SYN URGP=0

Dec 21 10:19:38 firewall Shorewall:logdrop:DROP: IN=eth0 OUT= MAC=00:a0:c9:68:18:28:00:01:5c:22:5d:42:08:00 SRC=123.1.1.1 DST=12.213.227.185 LEN=783 TOS=00 PREC=0x00 TTL=112 ID=28872 PROTO=UDP SPT=14833 DPT=1026 LEN=763

Dec 21 15:13:10 firewall Shorewall:net2all:DROP: IN=eth0 OUT= MAC=00:a0:c9:68:18:28:00:01:5c:22:5d:42:08:00 SRC=205.240.153.242 DST=12.213.227.185 LEN=60 TOS=00 PREC=0x00 TTL=49 ID=13109 DF PROTO=TCP SPT=1787 DPT=21 SEQ=3260295433 ACK=0 WINDOW=5840 SYN URGP=0

Also SRC IP 66.218.70.35 has seemingly exploited the uClibc firewall. The IP 192.168.1.99 is eth0 for my CISCO PIX 515. You can see shorewall start and then 66.218.70.35 (v4.vc.scd.yahoo.com [66.218.70.35]) is out eth1, looks bad to me. The hacker is using several boxes from yahoo IP's: v3.vc.scd.yahoo.com [66.218.70.45], v1.vc.scd.yahoo.com [66.218.70.32], v13.vc.scd.yahoo.com [66.218.70.34]

Dec 20 14:59:16 firewall dhcpcd.exe: interface eth0 has been configured with new IP=12.213.227.185
Dec 20 14:59:23 firewall root: Shorewall Started
Dec 20 15:41:06 firewall kernel: Shorewall:blacklst:DROP:IN=eth0 OUT=eth1 SRC=66.218.70.35 DST=192.168.1.99 LEN=44 TOS=0x00 PREC=0x00 TTL=51 ID=2091 DF PROTO=TCP SPT=5001 DPT=10468 WINDOW=65535 RES=0x00 ACK SYN URGP=0

Configuration:
=========

The Shorewall box has two Intel Pro 100 NIC's. Eth0 to internet with dhcp, routefilter, blacklist, rfc1918 and dropunclean set to yes. I had set blacklist logging to 6 (informational) and then changed it to 4 (urgent) just to see if this would show different events in the log. Eth0 pulls dhcp IP 12.213.227.185 from Comcast. Eth1 is configured with default address 192.168.1.254. Incoming ICMP on port 8 set to DROP packets. Ident Port 113 set to DROP packets.

Modules Loaded:
=========

Modules:
softdog 1476 1
ip_nat_irc 2176 0 (unused)
ip_nat_ftp 2784 0 (unused)
ip_conntrack_irc 2880 1
ip_conntrack_ftp 3648 1
eepro100
[leaf-user] first beta build of WISP-Dist with Atheros support released
I have finally released a new WISP-Dist build 2634 with beta Atheros support (using madwifi driver). I was waiting for madwifi to mature, and it is finally stable under my tests (so far). On a 100 MHz Soekris board I'm able to get around 16 megabits/sec. I didn't test it on more powerful motherboards yet.

Atheros support is incomplete; for example, access point statistics are not reported.

As usual, this beta release is available from: http://www.hazard.maks.net/wisp-dist/downloads

Project homepage is at: http://leaf-project.org/

Any feedback is welcome. :)

--
Best Regards,
Vladimir Ivaschenko
Thunderworx - Senior Systems Engineer (RHCE)
Re: [leaf-user] Firewall compromised-V2.0 uClibc-0. image Bering-uClibc_2.0_img_bering-uclibc-1680.exe
On Mon, 22 Dec 2003, Ken wrote:

> Please be patient with me, I am new to the Linux world and I am not a security expert.

Then big red flashing lights should have been going off in your head before you posted.

I'm not going to respond -- when you can provide conclusive evidence that your Shorewall box has been compromised and why then you let me know. Otherwise, I'm just going to pretend that I didn't see your post...

And if you want to talk, I'm listed (but not published) in the Shoreline directory...

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
Re: [leaf-user] Qmail questions
Kory Krofft [EMAIL PROTECTED] [2003:12:22:20:24:44-0500] scribed:

snip /

> I believe as Ray has mentioned that the major issue may be a reverse lookup that qmail is doing which causes the timeout error on the mail client. I am still looking into what dns settings I need to change to fix that possibility.

Indeed, that is a very serious problem -- not so much because qmail requires a dns server (it does not); but, from tcpdump it is clear that it cannot find PTR for 1.1.168.192.in-addr.arpa.

In a previous message, you asked for comments on your /etc/tinydns-private/root/data -- I strongly suggest that you try the following, and forget about your DMZ for now:

=localhost:127.0.0.1
.localhost:127.0.0.1:a
.1.0.0.127.in-addr.arpa:127.0.0.1:a
.kroffts.home:127.0.0.1:a
.1.168.192.in-addr.arpa:127.0.0.1:a
=markii.kroffts.home:192.168.1.254
=coventry.kroffts.home:192.168.1.1
[EMAIL PROTECTED]:192.168.10.1:mail.kroffts.com
[EMAIL PROTECTED]::mail.kroffts.com

The last two (2) lines are problematic. With the `-' as first character, they will *not* be used now.

Currently, you are *NOT* authoritative and *CANNOT* assume authority for the kroffts.com domain:

# dnsqr any kroffts.com
255 kroffts.com:
101 bytes, 1+4+0+0 records, response, noerror
query: 255 kroffts.com
answer: kroffts.com 170446 NS ns1.dnsexit.com
answer: kroffts.com 170446 NS ns2.dnsexit.com
answer: kroffts.com 170446 NS ns1.dnsexit.com
answer: kroffts.com 170446 NS ns2.dnsexit.com

# dnsqr mx kroffts.com
15 kroffts.com:
45 bytes, 1+1+0+0 records, response, noerror
query: 15 kroffts.com
answer: kroffts.com 120 MX 5 kroffts.com

# dnsqr a kroffts.com
1 kroffts.com:
45 bytes, 1+1+0+0 records, response, noerror
query: 1 kroffts.com
answer: kroffts.com 109 A 24.210.193.152

# dnsqr soa kroffts.com
6 kroffts.com:
91 bytes, 1+1+0+0 records, response, noerror
query: 6 kroffts.com
answer: kroffts.com 120 SOA ns1.dnsexit.com jchen.netdorm.com 260701 1200 1200 604800 1200

# dnsqr any mail.kroffts.com
255 mail.kroffts.com:
48 bytes, 1+1+0+0 records, response, noerror
query: 255 mail.kroffts.com
answer: mail.kroffts.com 120 CNAME kroffts.com

You cannot assert that 192.168.10.1 is mail.kroffts.com with authority, unless you either:

[a] Change DNS configuration at ns{1,2}.dnsexit.com; or
[b] Replace DNS authority at ns{1,2}.dnsexit.com with your own DNS server for kroffts.com.

I highly, highly, highly urge you to *NOT* configure your DMZ hosts in the kroffts.com domain -- especially, since your DMZ is running on an RFC 1918 network -- unless you get ns{1,2}.dnsexit.com to delegate a sub-domain to you. And that is problematic, too, because of the private network.

For now, try my suggested tinydns data changes, and see whether or not we get any closer.

hth

--
Best Regards,

mds
mds resource
877.596.8237
-
Dare to fix things before they break . . .
-
Our capacity for understanding is inversely proportional to how much we think we know. The more I know, the more I know I don't know . . .
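The data lines Michael suggests, run through a small reader added here (not djbdns code and not from the thread) that turns them into the records tinydns-data would publish, so you can see that the reverse name the POP3 server was waiting on now has a PTR answer while the DMZ address still has none. The `-@dmz.example` line is a constructed stand-in for the two disabled lines in the post, not the real entries.

```python
"""Reader for the tinydns "data" line format used in the suggested file.

Added example for this thread (not part of djbdns or LEAF). It handles the
record types the file uses ('=', '+', '.', '&', '@', '^', 'C'); '#' comments
and '-' (disabled) lines are skipped, as tinydns-data ignores them. It does
not reproduce tinydns-data's defaults for a missing server label.
"""
from collections import defaultdict

SUGGESTED_DATA = """\
=localhost:127.0.0.1
.localhost:127.0.0.1:a
.1.0.0.127.in-addr.arpa:127.0.0.1:a
.kroffts.home:127.0.0.1:a
.1.168.192.in-addr.arpa:127.0.0.1:a
=markii.kroffts.home:192.168.1.254
=coventry.kroffts.home:192.168.1.1
# constructed stand-in for the two '-' (disabled) lines of the post
-@dmz.example:192.168.10.1:mail.dmz.example
"""


def reverse_name(ip):
    """192.168.1.1 -> 1.1.168.192.in-addr.arpa (the owner name a PTR query asks for)."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def _server_name(x, fqdn, label):
    # tinydns rule: an x containing a dot is the server name as given;
    # otherwise the name is x.ns.fqdn (for NS) or x.mx.fqdn (for MX).
    return x if "." in x else f"{x}.{label}.{fqdn}"


def parse_tinydns_data(text):
    """Return {(owner, type): [values]} built from tinydns data lines."""
    records = defaultdict(list)

    def add(owner, rtype, value):
        records[(owner.lower(), rtype)].append(value)

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#-":
            continue
        kind, fields = line[0], line[1:].split(":")
        fqdn = fields[0]

        def field(i):
            return fields[i] if len(fields) > i else ""

        if kind in "=+":                      # A record; '=' also adds the PTR
            add(fqdn, "A", field(1))
            if kind == "=":
                add(reverse_name(field(1)), "PTR", fqdn)
        elif kind in ".&@":                   # NS ('.' adds SOA) or MX, plus A for the server
            if not field(2):
                raise ValueError(f"server label required in this example: {raw}")
            if kind == "@":
                mx = _server_name(field(2), fqdn, "mx")
                add(fqdn, "MX", f"{field(3) or '0'} {mx}")
                server = mx
            else:
                server = _server_name(field(2), fqdn, "ns")
                add(fqdn, "NS", server)
                if kind == ".":
                    add(fqdn, "SOA", server)
            if field(1):
                add(server, "A", field(1))
        elif kind == "^":
            add(fqdn, "PTR", field(1))
        elif kind == "C":
            add(fqdn, "CNAME", field(1))
        else:
            raise ValueError(f"record type {kind!r} not handled: {raw}")
    return dict(records)


def lookup(records, name, rtype):
    """Answers for (name, rtype); [] when these records have none."""
    return records.get((name.lower().rstrip("."), rtype), [])


def reverse_lookup(records, ip):
    """What a PTR query for ip would get from these records."""
    return lookup(records, reverse_name(ip), "PTR")


RECORDS = parse_tinydns_data(SUGGESTED_DATA)

if __name__ == "__main__":
    # The lookup that stalled the POP3 session (client 192.168.1.1) now answers;
    # the DMZ host is still unnamed, as the post intends for now.
    print(reverse_lookup(RECORDS, "192.168.1.1"))   # ['coventry.kroffts.home']
    print(reverse_lookup(RECORDS, "192.168.10.1"))  # []
```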
Re: [leaf-user] Qmail questions
Kory Krofft [EMAIL PROTECTED] [2003:12:22:20:24:44-0500] scribed:

snip /

> > What is in these files:
> >
> > /var/qmail/control/defaultdomain
>
> kroffts.com
>
> > /var/qmail/control/locals
>
> kroffts.com
>
> > /var/qmail/control/rcpthosts
>
> kroffts.com
>
> > Try watching output from the following while you attempt to retrieve mail to the windows box:
> >
> > tail -f /var/log/qmail/{pop3d,qmail,smtpd}/current | tai64nlocal
>
> tail ~.../pop3d/current | tai64nlocal gives:
>
> 2003-12-22 20:18:37.252597500 tcpserver: end 25088 status 256
> 2003-12-22 20:18:37.252615500 tcpserver: status: 0/40
> 2003-12-22 20:38:59.646993500 tcpserver: status: 1/40
> 2003-12-22 20:38:59.647207500 tcpserver: pid 14513 from 192.168.1.1
> 2003-12-22 20:40:20.795033500 tcpserver: ok 14513 :192.168.10.1:110 :192.168.1.1::3584

snip /

O, I forgot to ask, what do you get for this?

cat /etc/tcp.smtp

--
Best Regards,

mds
mds resource
877.596.8237
-
Dare to fix things before they break . . .
-
Our capacity for understanding is inversely proportional to how much we think we know. The more I know, the more I know I don't know . . .
Re: [leaf-user] Qmail questions
At 09:47 PM 12/22/2003 -0600, Michael D Schleif wrote:

[...]

> Currently, you are *NOT* authoritative and *CANNOT* assume authority for the kroffts.com domain:

Actually, he can ... in a limited sense. In a way that matters, DNS is just a shared delusion, and as long as he lies about it only when talking to himself, he doesn't hurt anything. He can configure the DNS server that *LAN* and DMZ hosts use as their resolver (assuming they use an on-LAN host) as authoritative for his domain. External hosts trying to do DNS will never see this server, and it will let him have on-LAN hosts resolve domain names differently (to private addresses, probably) than off-LAN hosts do. This limited sense could easily be adequate to take care of his problems.

That said, it's not the best approach (or at least not the one I prefer). A tidier method is to use an unofficial domain for on-LAN resolution and reserve the registered name for off-LAN use. Here, for example, comarre.com and all the usual variants resolve to external addresses, internally and externally, and internally the pseudo-domain is comarre.lan. (I am authoritative for comarre.com, though, and that simplifies setup. Even so, I do my authoritative DNS on a different host from my local-resolver DNS, to avoid some headaches from running multiple instances of BIND on a host.)

> # dnsqr any kroffts.com
> 255 kroffts.com:
> 101 bytes, 1+4+0+0 records, response, noerror
> query: 255 kroffts.com
> answer: kroffts.com 170446 NS ns1.dnsexit.com
> answer: kroffts.com 170446 NS ns2.dnsexit.com
> answer: kroffts.com 170446 NS ns1.dnsexit.com
> answer: kroffts.com 170446 NS ns2.dnsexit.com
>
> # dnsqr mx kroffts.com
> 15 kroffts.com:
> 45 bytes, 1+1+0+0 records, response, noerror
> query: 15 kroffts.com
> answer: kroffts.com 120 MX 5 kroffts.com
>
> # dnsqr a kroffts.com
> 1 kroffts.com:
> 45 bytes, 1+1+0+0 records, response, noerror
> query: 1 kroffts.com
> answer: kroffts.com 109 A 24.210.193.152
>
> # dnsqr soa kroffts.com
> 6 kroffts.com:
> 91 bytes, 1+1+0+0 records, response, noerror
> query: 6 kroffts.com
> answer: kroffts.com 120 SOA ns1.dnsexit.com jchen.netdorm.com 260701 1200 1200 604800 1200
>
> # dnsqr any mail.kroffts.com
> 255 mail.kroffts.com:
> 48 bytes, 1+1+0+0 records, response, noerror
> query: 255 mail.kroffts.com
> answer: mail.kroffts.com 120 CNAME kroffts.com
>
> You cannot assert that 192.168.10.1 is mail.kroffts.com with authority, unless you either:
>
> [a] Change DNS configuration at ns{1,2}.dnsexit.com; or
> [b] Replace DNS authority at ns{1,2}.dnsexit.com with your own DNS server for kroffts.com.
Re: [leaf-user] Qmail questions
Lynn,

See below

> > I believe as Ray has mentioned that the major issue may be a reverse lookup that qmail is doing which causes the timeout error on the mail client. I am still looking into what dns settings I need to change to fix that possibility.
>
> I was assuming that all the qmail doc I've worked with have noted that a working DNS server is required for use with private addressing on a LAN. You need to setup tinydns (not dnscache), bind, or a similar nameserver to serve the proper DNS lookups for your LAN. A further note, since you are using this domain on both the LAN and the DMZ, both segments will need to use this nameserver as Ray (IIRC) noted earlier.

I think DNS is working to a point, let me clarify a bit. I have both tinydns and dnscache running on the firewall machine and nowhere else. I am not using this domain on the lan and dmz. The lan is defined as kroffts.home and is on 192.168.1. The dmz is kroffts.com and is on 192.168.10 with http and mail DNATed from the internet, or at least that is my intent :-)

As I see it now I have two problems (at least).

One is the excessive amount of time needed for qmail to respond to a pop3 request from the lan. I tested with a different mail client and found that it is in fact functional in both pop3 and smtp operations. It is just very slow. I did not time it but it takes 1 to 2 minutes for mail to be retrieved or sent. The time appears to be spent in authentication. The actual mail transfer is normal.

The second issue is one of qmail not recognizing my users. I have created user accounts with entries in /etc/passwd and /etc/shadow and made a group entry in /etc/group. I used makemaildir to create mail directories for each user. I can log into these accounts locally or through ssh. I can use the logins to access pop3 through telnet. But when I send mail to these users, I get a returned message from qmail saying:

Sorry, no mailbox here by that name. (#5.1.1)

Aside from the group number the only difference I can see is that the lrpqmail user has a home directory entry where I have set the others to use /server/home as /server is the mount point for the ide disk that will store the mail. Since the login scripts seem to work and send the users to the proper home directory on logging in, I think qmail should recognize the Maildirs as well.

I wanted to mount the /server/home as /home to reduce confusion. It seemed to me that I had used a command similar to mount /server/home /home before but it is not a valid command since mount seems to need a device identifier. I have read the man pages and still think this relocation is possible but I need more research.

Thanks again for whatever input you can offer,

Kory

> This is to prevent resolving the domain to your external address which should be blocked with ip spoofing rules.
Re: [leaf-user] Qmail questions
Michael,

cat /etc/tcp.smtp gives

127.:allow,RELAYCLIENT=
192.168.:allow,RELAYCLIENT=

Kory

On Mon, 22 Dec 2003 21:51:31 -0600, Michael D Schleif wrote:

> Kory Krofft [EMAIL PROTECTED] [2003:12:22:20:24:44-0500] scribed:
>
> snip /
>
> > > What is in these files:
> > >
> > > /var/qmail/control/defaultdomain
> >
> > kroffts.com
> >
> > > /var/qmail/control/locals
> >
> > kroffts.com
> >
> > > /var/qmail/control/rcpthosts
> >
> > kroffts.com
> >
> > > Try watching output from the following while you attempt to retrieve mail to the windows box:
> > >
> > > tail -f /var/log/qmail/{pop3d,qmail,smtpd}/current | tai64nlocal
> >
> > tail ~.../pop3d/current | tai64nlocal gives:
> >
> > 2003-12-22 20:18:37.252597500 tcpserver: end 25088 status 256
> > 2003-12-22 20:18:37.252615500 tcpserver: status: 0/40
> > 2003-12-22 20:38:59.646993500 tcpserver: status: 1/40
> > 2003-12-22 20:38:59.647207500 tcpserver: pid 14513 from 192.168.1.1
> > 2003-12-22 20:40:20.795033500 tcpserver: ok 14513 :192.168.10.1:110 :192.168.1.1::3584
>
> snip /
>
> O, I forgot to ask, what do you get for this?
>
> cat /etc/tcp.smtp
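What a tcp.smtp like this actually grants, as an added example (not ucspi-tcp or qmail code, not from the thread): it models the IP-based part of tcpserver's rule search (exact address, then ever shorter dotted prefixes, then the empty default key) and audits which keys hand out RELAYCLIENT outside loopback and RFC 1918 space. Hostname (`=host`) and TCPREMOTEINFO keys are not modelled; the open-relay file and the `192.` rule are constructed counter-examples.

```python
"""Evaluate a tcpserver rules file such as /etc/tcp.smtp.

Added example for this thread, not ucspi-tcp code. Only the IP-keyed rule
lookup is modelled (exact address, shorter dotted prefixes, then ""), which
is enough to see who qmail-smtpd will relay for and to catch a catch-all or
over-broad RELAYCLIENT grant.
"""
import ipaddress

# Kory's file, as posted above.
TCP_SMTP = """\
127.:allow,RELAYCLIENT=
192.168.:allow,RELAYCLIENT=
"""

# Constructed bad example: the empty default key relays for everyone.
TCP_SMTP_OPEN_RELAY = TCP_SMTP + ':allow,RELAYCLIENT=""\n'

PRIVATE = [ipaddress.ip_network(n) for n in
           ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_tcprules(text):
    """Return {key: (instruction, {ENV: value})} from tcprules source lines."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(":")
        instruction, *settings = rest.split(",")
        env = {}
        for item in settings:
            name, _, value = item.partition("=")
            env[name] = value.strip('"')   # both RELAYCLIENT= and RELAYCLIENT="" occur in guides
        rules[key] = (instruction, env)
    return rules


def candidate_keys(ip):
    """Keys tcpserver tries for an IPv4 client, most specific first."""
    octets = ip.split(".")
    return [ip] + [".".join(octets[:n]) + "." for n in (3, 2, 1)] + [""]


def evaluate(rules, ip):
    """(matched key, instruction, env); tcpserver allows, with no env, when nothing matches."""
    for key in candidate_keys(ip):
        if key in rules:
            return (key, *rules[key])
    return (None, "allow", {})


def relays_for(rules, ip):
    """True when qmail-smtpd would see RELAYCLIENT for this client."""
    _, instruction, env = evaluate(rules, ip)
    return instruction == "allow" and "RELAYCLIENT" in env


def key_network(key):
    """Address block a key covers: '' is everything, '192.168.' is 192.168.0.0/16, ..."""
    if key == "":
        return ipaddress.ip_network("0.0.0.0/0")
    octets = key.rstrip(".").split(".")
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{padded}/{8 * len(octets)}")


def relay_audit(rules):
    """Keys that grant RELAYCLIENT to addresses outside loopback/RFC 1918 space."""
    findings = []
    for key, (instruction, env) in rules.items():
        if instruction == "allow" and "RELAYCLIENT" in env:
            net = key_network(key)
            if not any(net.subnet_of(p) for p in PRIVATE):
                findings.append(key)
    return findings


RULES = parse_tcprules(TCP_SMTP)

if __name__ == "__main__":
    for client in ("192.168.1.1", "192.168.10.1", "24.210.193.152"):
        print(client, evaluate(RULES, client), "relay" if relays_for(RULES, client) else "no relay")
    print("audit:", relay_audit(RULES))                                 # []
    print("audit:", relay_audit(parse_tcprules(TCP_SMTP_OPEN_RELAY)))   # ['']
```

Both the LAN (192.168.1.x) and the DMZ (192.168.10.x) fall under the `192.168.` key, so hosts on either segment are relay clients; anything from the Internet is accepted as a connection but gets no RELAYCLIENT.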
Re: [leaf-user] Qmail questions
I understand much better now. I will try your suggestions tomorrow and report back. So the DMZ domain should NOT match the internet domain since the name itself ti registered at dnsexit. I take it then that the domain on the dmz could be kroffts.dmz as well as anything else I could choose to call it. But since the subnets are different, it should not be the same as the private lan? Kory On Mon, 22 Dec 2003 21:47:33 -0600, Michael D Schleif wrote: Kory Krofft [EMAIL PROTECTED] [2003:12:22:20:24:44-0500] scribed: snip / I believe as Ray has mentioned that the major issue may be a reverse lookup that qmail is doing which causes the timeout error on the mail client. I am still looking into what dns settings I need to change to fix that possibility. Indeed, that is a very serious problem -- not so much because qmail requires a dns server (it does not); but, from tcpdump it is clear that it cannot find PTR for 1.1.168.192.in-addr.arpa. In a previous message, you asked for comments on your /etc/tinydns-private/root/data -- I strongly suggest that you try the following, and forget about your DMZ for now: =localhost:127.0.0.1 .localhost:127.0.0.1:a .1.0.0.127.in-addr.arpa:127.0.0.1:a .kroffts.home:127.0.0.1:a .1.168.192.in-addr.arpa:127.0.0.1:a =markii.kroffts.home:192.168.1.254 =coventry.kroffts.home:192.168.1.1 [EMAIL PROTECTED]:192.168.10.1:mail.kroffts.com [EMAIL PROTECTED]::mail.kroffts.com The last two (2) lines are problematic. With the `-' as first character, they will *not* be used now. 
Currently, you are *NOT* authoritative and *CANNOT* assume authority for the kroffts.com domain: # dnsqr any kroffts.com 255 kroffts.com: 101 bytes, 1+4+0+0 records, response, noerror query: 255 kroffts.com answer: kroffts.com 170446 NS ns1.dnsexit.com answer: kroffts.com 170446 NS ns2.dnsexit.com answer: kroffts.com 170446 NS ns1.dnsexit.com answer: kroffts.com 170446 NS ns2.dnsexit.com # dnsqr mx kroffts.com 15 kroffts.com: 45 bytes, 1+1+0+0 records, response, noerror query: 15 kroffts.com answer: kroffts.com 120 MX 5 kroffts.com # dnsqr a kroffts.com 1 kroffts.com: 45 bytes, 1+1+0+0 records, response, noerror query: 1 kroffts.com answer: kroffts.com 109 A 24.210.193.152 # dnsqr soa kroffts.com 6 kroffts.com: 91 bytes, 1+1+0+0 records, response, noerror query: 6 kroffts.com answer: kroffts.com 120 SOA ns1.dnsexit.com jchen.netdorm.com 260701 1200 1200 604800 1200 # dnsqr any mail.kroffts.com 255 mail.kroffts.com: 48 bytes, 1+1+0+0 records, response, noerror query: 255 mail.kroffts.com answer: mail.kroffts.com 120 CNAME kroffts.com You cannot assert that 192.168.10.1 is mail.kroffts.com with authority, unless you either: [a] Change DNS configuration at ns{1,2}.dnsexit.com; or [b] Replace DNS authority at ns{1,2}.dnsexit.com with your own DNS server for kroffts.com. I highly, highly, highly urge your to *NOT* configure your DMZ hosts in the kroffts.com domain -- especially, since your DMZ is running on an RFC 1918 network -- unless you get ns{1,2}.dnsexit.com to delegate a sub-domain to you. And that is problematic, too, because of the private network. For now, try my suggested tinydns data changes, and see whether or not we get any closer. hth --- This SF.net email is sponsored by: IBM Linux Tutorials. Become an expert in LINUX or just sharpen your skills. Sign up for IBM's Free Linux Tutorials. Learn everything from the bash shell to sys admin. Click now! 
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
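The data file Michael suggests above uses tinydns-data's one-character record prefixes: `=` gives a host an A record plus the matching PTR, `.` makes the server authoritative (NS) for a zone, and a leading `-` switches a line off. As an added example, not code from the thread or from the djbdns project, this Python parses a constructed data file of that shape and answers the question the thread turns on: whether a reverse lookup for an address such as 1.1.168.192.in-addr.arpa would find a PTR, and which lines a `-` has disabled. The sample data is constructed; its disabled line stands in for the two scrubbed lines in the original.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample in tinydns-data format, modelled on the data file suggested
# in the thread; the '-' line is a constructed stand-in, not the original data.
SAMPLE_DATA = """\
=localhost:127.0.0.1
.localhost:127.0.0.1:a
.1.0.0.127.in-addr.arpa:127.0.0.1:a
.kroffts.home:127.0.0.1:a
.1.168.192.in-addr.arpa:127.0.0.1:a
=markii.kroffts.home:192.168.1.254
=coventry.kroffts.home:192.168.1.1
-=disabled.kroffts.home:192.168.10.1
"""

def reverse_name(ip: str) -> str:
    """PTR owner name for an IPv4 address: 192.168.1.1 -> 1.1.168.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer

def parse_tinydns(data: str) -> Tuple[Dict[str, str], List[str], List[str]]:
    """Return (ptr_map, zones, disabled): reverse name -> host for every '='
    line, the zones named by '.' lines, and the lines switched off with '-'."""
    ptr_map, zones, disabled = {}, [], []
    for raw in data.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, fields = line[0], line[1:].split(":")
        if kind == "-":                 # tinydns skips these lines entirely
            disabled.append(line)
        elif kind == "=":               # A record plus the matching PTR record
            ptr_map[reverse_name(fields[1])] = fields[0]
        elif kind == ".":               # NS record: this server is authoritative
            zones.append(fields[0])
    return ptr_map, zones, disabled

def check_ptr(data: str, ip: str) -> Tuple[bool, bool, str]:
    """Would a reverse lookup of ip get an answer from this data?
    Returns (zone_served, ptr_found, answer)."""
    ptr_map, zones, _ = parse_tinydns(data)
    name = reverse_name(ip)
    # served if the reverse name equals, or sits inside, a '.' zone
    zone_served = any(name == z or name.endswith("." + z) for z in zones)
    return zone_served, name in ptr_map, ptr_map.get(name, "")

if __name__ == "__main__":
    for addr in ("192.168.1.1", "192.168.10.1"):   # LAN host vs. DMZ host
        print(addr, check_ptr(SAMPLE_DATA, addr))
```

For the DMZ address the reverse zone is not served at all, which is exactly the case where qmail's PTR query gets no answer and the client waits for the timeout.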
Re: [leaf-user] Firewall compromised-V2.0 uClibc-0. image Bering-uClibc_2.0_img_bering-uclibc-1680.exe
On Monday 22 December 2003 08:16 pm, Ken wrote:

Hello All,

Please be patient with me, I am new to the Linux world and I am not a security expert. I built a uClibc firewall version 2.0 Linux firewall kernel 2.4.20 from the image Bering-uClibc_2.0_img_bering-uclibc-1680.exe and I have been compromised. I have included a lot of information here because I need to know how the hackers compromised this machine and I want to give you as much information as you need to help me figure it out.

You did a pretty good job of showing the logs of packets that have been dropped (that never got through the firewall). Believe it or not, it would be next to impossible to relay spam or send it from a compromised LEAF box. First of all, you would have to enable some form of login to the outside, which isn't available unless you opened the firewall to accept such requests. Second of all, the likely culprit of spewing emails is Outlook/Outlook-Express on a Win32 machine with a virus, which can very easily happen if you use IM, chat, or P2P applications on the client-side (LEAF doesn't content-filter traffic).

I would check your client machine(s) for possible infection first, then find some sort of proof that the LEAF firewall was compromised (which likely won't be found in any logs). Remember, your clients will show the external IP of the firewall when sending traffic because of the masquerading done by the firewall. Your local IPs of the client machines will/should never be sent from the firewall, which is the entire point of masquerading/NAT.

If your LEAF firewall has actually been compromised, it would be the first that I know of in memory.

--
~Lynn Avants
Linux Embedded Appliance Firewall Developer
http://leaf.sourceforge.net
http://guitarlynn.homelinux.org:81
Re: [leaf-user] Qmail questions
Ray Olszewski [EMAIL PROTECTED] [2003:12:22:20:08:14-0800] scribed:

At 09:47 PM 12/22/2003 -0600, Michael D Schleif wrote:

[...]

Currently, you are *NOT* authoritative and *CANNOT* assume authority for the kroffts.com domain:

Actually, he can ... in a limited sense. In a way that matters, DNS is just a shared delusion, and as long as he lies about it only when talking to himself, he doesn't hurt anything.

Let's just say, stuff like that is best left to the brave and those really in the know, OK?

Of course, you are right; but, that scenario is riddled with holes, points of failure and opportunities for problems that become extremely difficult to diagnose. Not to mention, that the illusionist road is rarely -- if ever -- the best possible road to travel . . .

--
Best Regards,

mds
mds resource
877.596.8237
-
Dare to fix things before they break . . .
-
Our capacity for understanding is inversely proportional to how much we think we know. The more I know, the more I know I don't know . . .
Re: [leaf-user] Qmail questions
Kory Krofft [EMAIL PROTECTED] [2003:12:22:23:30:12-0500] scribed:

I understand much better now. I will try your suggestions tomorrow and report back.

So the DMZ domain should NOT match the internet domain since the name itself is registered at dnsexit. I take it then that the domain on the dmz could be kroffts.dmz as well as anything else I could choose to call it. But since the subnets are different, it should not be the same as the private lan?

Let's just say that it would be simpler to setup, simpler to maintain, and result in fewer puzzling problems down the road, if you do not mix public and private domains, nor public and private networks.

--
Best Regards,

mds
mds resource
877.596.8237
-
Dare to fix things before they break . . .
-
Our capacity for understanding is inversely proportional to how much we think we know. The more I know, the more I know I don't know . . .
Re: [leaf-user] Firewall compromised-V2.0 uClibc-0. image Bering-uClibc_2.0_img_bering-uclibc-1680.exe
Preliminary comment: Tom is right. You've provided here nothing to indicate that your router/firewall has been compromised, so there is no way we (or anyone) can tell you how they did it. Some more specific comments appear inline. I hope you consider them patient ... you are unlikely to get *more* patient help than this here.

At 06:16 PM 12/22/2003 -0800, Ken wrote:

Hello All,

Please be patient with me, I am new to the Linux world and I am not a security expert. I built a uClibc firewall version 2.0 Linux firewall kernel 2.4.20 from the image Bering-uClibc_2.0_img_bering-uclibc-1680.exe and I have been compromised. I have included a lot of information here because I need to know how the hackers compromised this machine and I want to give you as much information as you need to help me figure it out.

For the most part this is a default configuration with no special services needed or running, I setup dropbear (default config) but have not removed the package yet. The Shorewall is set to accept all outbound traffic and paranoid ALL inbound, I have not changed anything in this configuration file. Please see Configuration and rules below for more detail and please let me know if you need any additional information. Thank you in advance to all that will help me. I am learning, and I am sure this is NOT an issue with the shorewall product but with my configuration. Please also remember who you are addressing (dope newbie/wannabie) so please if you could. :)

Ken
[EMAIL PROTECTED]

Issue:
My shorewall has been compromised. I need to find out how they are compromising this machine repeatedly and what I need to do to stop it! The hackers have already used the shorewall box to spam others on the internet and god knows what else.

Unfortunately, He is not subscribed to this list, so we lack access to what He knows and have to make do with what you actually tell us.
First thing, please provide a copy of a sample SPAM message, one that includes ***all*** the Received: headers. Have you made sure that this is not just someone forging you as a From: address? Or that it is not from a LAN host that got a virus in any of the many ways an inept user can manage even behind a good firewall?

Second thing, please provide ANY other specifics you can that indicate that a compromise has taken place.

I have a CISCO PIX 515 behind the shorewall firewall with eth0 set to 192.168.1.99. As far as I can tell it has not been compromised and I have not noticed any strange events internally on my home network (yet).

Does traffic to the LAN go from the LEAF router *through* the Cisco? If so, is it proxy-arp'ing the rest of 192.168.1.0/24 to the LEAF router? Or is it NAT'ing some other private network? The LEAF router doesn't know 192.168.1.99 as a route to anything.

(I am told the PIX cannot be configured for dhcp so I am using shorewall for this; unfortunately in my area I have a choice between Comcast and dialup). The version of uClibc I am using may need some patches but I am not sure about this as I downloaded this image and set it up less than a month ago, please let me know if there are any critical updates that I need to apply. I have read the installation/user guides and have read hundreds of man pages and I can only hope I did everything right.

This clip is from my shorewall.log:0: Note the date on the first entry and the source IP. The problem is that the SRC is my IP and I do not have an IP 192.43.244.18 on my network. I have added 123.1.1.1 to my blacklist. Since this IP has been added to my blacklist it still shows up in my log and looks something like the log from DEC 20 below with Shorewall:blacklst:DROP:IN=eth0 OUT=eth1 SRC=123.1.1.1 DST=192.168.1.99. This is bad because this IP is eth0 to my CISCO PIX 515.

Maybe it is bad, maybe not ...
but what it definitely is is incomplete (never, never tell troubleshooters that a problem looks something like what you want to report ... if you are asking for help, you don't know enough to know what needs to be included and what can safely be left out). If you've blacklisted 123.1.1.1, then why do you think it bad that packets from that address show up in the blacklst log? It is what I would expect to see. (But a lower packet involving this source address is more complete, so I say more there.)

Jan 1 00:00:00 firewall Shorewall:all2all:REJECT: IN= OUT=eth0 MAC= SRC=12.213.227.185 DST=192.43.244.18 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=4083 DPT=37 SEQ=3441321937 ACK=0 WINDOW=5840 SYN URGP=0

Of course you do not have an IP 192.43.244.18 on [your] network. This is a packet originating on the router and going to a public IP address on the external interface (the *router's* eth0), connecting to the time service port. All quite reasonable, since this IP address is a public timeserver:

[EMAIL PROTECTED]:~$ ping 192.43.244.18
PING 192.43.244.18
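Ray reads the IN= and OUT= fields of the log line above to conclude that the REJECTed packet was generated by the router itself (empty IN, OUT=eth0, SRC equal to the router's public address), not by anything on the LAN. As an added example, not code from the thread or from Shorewall, this Python parses Shorewall/netfilter log lines of that shape and applies the same IN/OUT reasoning; the sample lines and the router address are constructed from the values quoted in the thread.

```python
import re
from typing import Dict

# Constructed sample lines modelled on the Shorewall log excerpts in the thread.
# The second line is constructed to show a forwarded packet for contrast.
SAMPLE_LOG = """\
Jan 1 00:00:00 firewall Shorewall:all2all:REJECT: IN= OUT=eth0 MAC= SRC=12.213.227.185 DST=192.43.244.18 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=4083 DPT=37 SEQ=3441321937 ACK=0 WINDOW=5840 SYN URGP=0
Dec 20 12:00:00 firewall Shorewall:blacklst:DROP: IN=eth0 OUT=eth1 SRC=123.1.1.1 DST=192.168.1.99 LEN=40 TOS=00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=1234 DPT=445 SYN URGP=0
"""

# Assumed: the router's own external (eth0) address, taken from SRC above.
ROUTER_EXTERNAL_IP = "12.213.227.185"

def parse_shorewall_line(line: str) -> Dict[str, str]:
    """Split a Shorewall/netfilter log line into chain, disposition and
    KEY=VALUE fields. Bare flags such as DF and SYN are stored as '1'."""
    m = re.search(r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):\s*(?P<rest>.*)", line)
    if not m:
        raise ValueError("not a Shorewall log line: %r" % line)
    fields = {"chain": m.group("chain"), "action": m.group("action")}
    for tok in m.group("rest").split():
        key, sep, value = tok.partition("=")
        fields[key] = value if sep else "1"
    return fields

def classify(fields: Dict[str, str], router_ip: str) -> str:
    """Apply the IN/OUT reading used in the thread: IN empty and OUT set means
    the router itself generated the packet; both set means it was forwarded
    (a masqueraded LAN host); IN set and OUT empty means it was addressed to
    the router. Also flag SRC equal to the router's own external address."""
    inbound, outbound = fields.get("IN", ""), fields.get("OUT", "")
    if not inbound and outbound:
        origin = "router-originated"
    elif inbound and outbound:
        origin = "forwarded"
    else:
        origin = "to-router"
    if fields.get("SRC") == router_ip:
        origin += " (SRC is the router's own external address, not a LAN host)"
    return origin

if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        f = parse_shorewall_line(line)
        print(f["chain"], f["action"], "DPT=" + f.get("DPT", "?"),
              classify(f, ROUTER_EXTERNAL_IP))
```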