Re: [leaf-user] Qmail questions

2003-12-22 Thread Ray Olszewski
Sorry to disagree with Lynn, but the magic words here are "quite a while". 
This strongly suggests to me that an earlier guess, that the observed 
failures actually are DNS-based delays, is the right guess ... and that 
"quite a while" is around 3 minutes.

What to do about it?

First, maybe your mail server can be configured not to do reverse lookups. 
I'm not a qmail expert so can't help there.

Second, if you do not want your mail server to be able to do DNS lookups, 
then the router's response -- an icmp port unreachable response -- is a 
correct response. A slightly better response is to send a udp REJECT packet 
... some clients recognize this but do not understand icmp port unreachable 
(dig through ancient archives for discussion of why LEAF routers normally 
leave port 113 open for the theory here). You would do this by adding a 
Shorewall rule to ACCEPT dport-53-udp traffic from the DMZ.

Third, if you do want your mail server to be able to resolve these reverse 
lookups ... where do you want it to do so? What DNS server (or other 
mechanism) do you want to provide? Options (for these on-LAN lookups) are:

put the information in /etc/hosts on the DMZ machine (this may or 
may not work with qmail; MTAs are notorious for using ONLY DNS, not 
/etc/hosts, and I don't know about qmail in this regard)

run a DNS server authoritative for the LAN on the LEAF router

run a DNS server authoritative for the LAN on the LEAF mail server

run a DNS server authoritative for the LAN on some LAN host, and 
let the DMZ server have access to it through the firewall (this is what I 
do here, running BIND on a full-strength-Linux LAN server).

From your comments below, it appears you are trying to do #2, using 
tinydns. If you want to do it that way, someone else will have to answer 
those questions, as I've never set up that package (on LEAF or any other 
host) ... as I recall, it has problems listening on multiple interfaces ... 
but I may be remembering wrong.

Sorry I cannot take you all the way to an answer, but with the problem 
identified as a DNS misconfiguration, surely someone else here knows the 
details you need to wrap this up.

At 09:32 PM 12/21/2003 -0500, Kory Krofft wrote:
Ray,

I was able to connect to the pop server using telnet; it seemed to take 
quite a while to get a response, but I was able to retrieve and read the 
test message sent to lrpqmail.


I don't know your setup well enough to tell you what is going on in the
Shorewall DROP log, but since it involves ports 67 and 68, it has something
to do with DHCP leases, not anything to do with POP3.

I was getting a lot of log entries from DHCP queries so I added the DROP 
to stop the logging of the rejects.


Last thing ... the tcpdump output you sent indicates that after the POP3
connection is initiated, the POP3 server is trying to do a reverse lookup
on the source IP address. Several packets indicate this, the first being --

16:37:26.524013 192.168.10.1.59258 > 192.168.1.254.53: 28701+ PTR? 1.10.168.192.in-addr.arpa. (43) (DF)

The router responds with a port unreachable packet:

16:37:29.547086 192.168.10.254 > 192.168.10.1: icmp: 192.168.10.254 udp port 53 unreachable [tos 0xc0]

This certainly indicates some sort of a configuration error, but not
knowing the details of your setup, I can't say what that error is. It does
make me guess that the POP3 server does not reply, after the initial reply,
because it cannot do a lookup on the IP address. Or ... a blue-sky thought
here ... how long do you wait before giving up? DNS failures can, in some
cases, cause delays of up to 3 minutes in responses.

What would be the proper way for the router to reply to this reverse lookup?
/etc/hosts on the router looks like this:
127.0.0.1   localhost.kroffts.home localhost
192.168.1.254   markii
192.168.1.1 coventry.kroffts.home coventry
192.168.10.1    www.kroffts.com dmz kroffts_web
/etc/resolv.conf on router:
domain kroffts.home
nameserver 127.0.0.1
nameserver 192.168.1.254
/etc/hosts on dmz:
127.0.0.1   localhost
192.168.1.254   markii
192.168.10.1    kroffts_web.kroffts.com kroffts_web mail.kroffts.com
191.168.1.1 coventry.kroffts.home   coventry
/etc/resolv.conf on dmz:
domain kroffts.com
nameserver 127.0.0.1
nameserver 192.168.1.254
nameserver 192.168.10.254
What can you tell me about the /etc/tinydns-private/root/data file from 
the router? Does this look correct?

kroffts.home::localhost
1.168.192.in-addr.arpa::localhost
+markii.kroffts.home:192.168.1.254    the router
=mail.kroffts.com:192.168.10.1        the dmz host
I am not running any DNS daemons on the dmz. Should I be? I had wanted to 
use DHCP to configure the DMZ host but I could not get it to work on two 
separate networks. I know it should, but it didn't so I set up the eth0 on 
the dmz host as static.
from the /etc/network/interfaces file on the dmz host:

auto eth0
iface eth0 inet static
address 192.168.10.1
masklen 24
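The thread's open question is what records a tinydns "data" file actually yields, in particular whether the PTR the mail server asks for (1.10.168.192.in-addr.arpa in the tcpdump trace above) would be served. The script below is an added example, not code from this thread or from djbdns: it expands the record types of the tinydns-data format that matter on a small LAN (the ., &, =, +, ^ and C lines) into the A, PTR, NS and SOA records tinydns derives from them, then reports for a name whether a record exists and which declared zone (one with an SOA) covers it. The DATA file inside is constructed for the example and assumes tinydns on the router is made authoritative for both kroffts.home and the DMZ's reverse zone 10.168.192.in-addr.arpa, which is an assumption about Ray's option #2, not the poster's actual file.

```python
"""Expand tinydns 'data' lines into the records tinydns would serve.

Added example (not code from the leaf-user thread or from djbdns).  Only the
fields tinydns-data derives records from are used; ttl, timestamp and
location fields are ignored.
"""

# Constructed sample data file: tinydns on the router authoritative for the
# LAN's forward zone and for the DMZ's reverse zone (an assumption, not the
# file posted in the thread).
DATA = """\
.kroffts.home:192.168.1.254:markii
.10.168.192.in-addr.arpa:192.168.1.254:markii
+markii.kroffts.home:192.168.1.254
=mail.kroffts.com:192.168.10.1
"""


def reverse_name(ip):
    """PTR owner name for a dotted-quad IPv4 address, e.g. 1.10.168.192.in-addr.arpa."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def expand_line(line):
    """Expand one data line into (records, error); records are (owner, type, value)."""
    line = line.rstrip("\n")
    if not line or line.startswith("#"):
        return [], None
    kind, fields = line[0], line[1:].split(":")
    fqdn = fields[0].lower()

    def field(i):
        return fields[i] if len(fields) > i else ""

    recs = []
    if kind in ".&":
        # .fqdn:ip:x -> NS and SOA ('&' gives NS only); the server is x.ns.fqdn
        # unless x contains a dot, and x defaults to "a".  An A record for the
        # server is only created when ip is given.
        ip, x = field(1), field(2) or "a"
        ns = x if "." in x else f"{x}.ns.{fqdn}"
        if kind == ".":
            recs.append((fqdn, "SOA", ns))
        recs.append((fqdn, "NS", ns))
        if ip:
            recs.append((ns, "A", ip))
    elif kind in "=+":
        # +fqdn:ip -> A only; =fqdn:ip -> A plus the matching PTR.
        ip = field(1)
        recs.append((fqdn, "A", ip))
        if kind == "=":
            recs.append((reverse_name(ip), "PTR", fqdn))
    elif kind == "^":
        recs.append((fqdn, "PTR", field(1).lower()))
    elif kind == "C":
        recs.append((fqdn, "CNAME", field(1).lower()))
    else:
        return [], f"unrecognised record type {kind!r}"
    return recs, None


def expand_data(text):
    """Expand a whole data file; returns (records, [(line_no, error), ...])."""
    records, errors = [], []
    for n, line in enumerate(text.splitlines(), 1):
        recs, err = expand_line(line)
        records.extend(recs)
        if err:
            errors.append((n, err))
    return records, errors


def lookup(records, owner, rtype):
    """Values of all records with the given owner name and type."""
    owner = owner.lower().rstrip(".")
    return [v for o, t, v in records if o == owner and t == rtype]


def authority_for(records, owner):
    """Closest enclosing zone that has an SOA, or None if the file declares none."""
    zones = {o for o, t, _ in records if t == "SOA"}
    labels = owner.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def explain(records, owner, rtype="PTR"):
    """One-line verdict for a name: answer, covered-but-empty, or not ours at all."""
    values = lookup(records, owner, rtype)
    zone = authority_for(records, owner)
    if values:
        where = f"zone {zone}" if zone else "no SOA for it in this file"
        return f"{owner} {rtype} -> {', '.join(values)} ({where})"
    if zone:
        return f"{owner} {rtype}: no record, but {zone} is declared here"
    return f"{owner} {rtype}: no record and no declared zone covers it"


RECORDS, ERRORS = expand_data(DATA)

if __name__ == "__main__":
    for rec in RECORDS:
        print("%-32s %-5s %s" % rec)
    for n, err in ERRORS:
        print(f"line {n}: {err}")
    # The lookup the mail server made in the tcpdump trace:
    print(explain(RECORDS, reverse_name("192.168.10.1")))
    # A LAN address the constructed file says nothing about:
    print(explain(RECORDS, reverse_name("192.168.1.1")))
```

The last verdict is the one worth checking before pointing an MTA at the server: a name for which there is neither a record nor a declared zone is exactly the kind of lookup that hangs until the resolver gives up, because nothing in the file tells tinydns to answer it at all.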

[leaf-user] Re - Bash Shell in Bering uClibc

2003-12-22 Thread Robert Sabine von Knobloch
Thanks to Erich Titl & K.P. for their useful suggestions.

Commenting out line 14 in /etc/init.d/dnscache (UID=1001) works fine,
dnscache & ezipupdate are now working together with the bash shell.

Robert von Knobloch.



---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278alloc_id=3371op=click

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html


[leaf-user] Static DNS entry

2003-12-22 Thread Robert Sabine von Knobloch
Does anyone know a simple way to set a couple of static dns entries on my
LEAF Bering (uClib) box?
I'm running DNSCACHE for resolving Internet names and have an MS Win2000
Domain controller as internal DNS (it needs its own dynamic DNS for active
directory).
All this works just fine until I power down the complete Windows network
(which I do every evening). When I want a quick connection from my laptop or
a visitor's laptop I don't have internal DNS and can't access my LEAF box by
name (unless I power my MS domain up).
I don't want to put a host file on visitor's machines and adding a dns
server to my LEAF box will disturb DNSCACHE.
Any ideas ?

Robert von Knobloch.





[leaf-user] OpenVPN

2003-12-22 Thread Informática. Cabildo de La Gomera
I'm trying to connect several offices, and I decided to use Bering uClib
because it seems to be the most up to date branch.

After several problems with network drivers it's starting to work, but
now I have to decide about security: ipsec or openvpn. It seems that
openvpn is easier to configure and you can select the degree of security/cpu
that you want (my PCs are really old), so I think it's the better solution for
me, but I can't see a package for openvpn using Bering uClib.

The questions are three:

-Do you think it's a good idea to use Bering uClib?

-What about ipsec vs openvpn?

-Is there a package for openvpn under Bering uClib?

Thanks!!

Fernando Febles Armas
Head of the IT Department
Tel. 922140170 / Fax 922140151
[EMAIL PROTECTED]
Cabildo de La Gomera  CIF:P384H
Profesor Armas Fernández 2
S/S Gomera 38800
Tenerife (Canarias)





Re: [leaf-user] OpenVPN

2003-12-22 Thread Etienne Charlier
Hello,
I have used openvpn for a year with bering (glibc) to connect 2 subnets through
adsl (pppoe) lines.

It's a wonderful product (the easiest one to configure if both ends of
the tunnel are connected with changing external addresses). I have only used
static keys so far.
I'm working on building a .lrp for bering-uclibc using buildtool. I'm
cloning the openssh buildtool configuration but I didn't manage yet to make
it compile.
I might have some news at the beginning of next year because I plan to work on it
during the end of year holidays...


Regards,
Etienne Charlier
- Original Message - 
From: Informática. Cabildo de La Gomera [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, December 22, 2003 12:59 PM
Subject: [leaf-user] OpenVPN







Re: [leaf-user] Static DNS entry

2003-12-22 Thread Erich Titl
Hi

At 09:52 22.12.2003 +0100, you wrote:
Does anyone know a simple way to set a couple of static dns entries on my
LEAF Bering (uClib) box?
I'm running DNSCACHE for resolving Internet names and have an MS Win2000
Domain controller as internal DNS (it needs its own dynamic DNS for active
directory).
All this works just fine until I power down the complete Windows network
(which I do every evening). When I want a quick connection from my laptop or
a visitor's laptop I don't have internal DNS and can't access my LEAF box by
name (unless I power my MS domain up).
I don't want to put a host file on visitor's machines and adding a dns
server to my LEAF box will disturb DNSCACHE.
Any ideas ?

I always thought DNSCache was part of tinydns, e.g. the djbdns suite. Will this really 
disturb?
You could publish your LEAF box to be the nameserver for your ad-hoc clients; if you 
want to rely on your windoze set up to serve DNS then do a zone transfer to your LEAF 
box to take over once the windoze box is off.

HTH
Erich

THINK 
Püntenstrasse 39 
8143 Stallikon 
mailto:[EMAIL PROTECTED] 
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16






[leaf-user] Bash Bering uClibc

2003-12-22 Thread Robert Sabine von Knobloch
Hello LEAF World!

My earlier mail was too hasty, another problem has emerged when using bash.
Backup of any or all packages (backup... c... L...) results in each package
reporting a line number and terminated ticker.
A reboot produces simply a kernel panic and everything is completely dead.
Restoring my carefully saved ghost backup, removing ncurses and bash fixes
this.
Any ideas anyone?

robert von Knobloch in the very snowy Black Forest





Re: [leaf-user] Bash Bering uClibc

2003-12-22 Thread Erich Titl
Robert

At 14:57 22.12.2003 +0100, Robert  Sabine von Knobloch wrote:
Hello LEAF World!

My earlier mail was too hasty, another problem has emerged when using bash.
Backup of any or all packages (backup... c... L...) results in each package
reporting a line number and terminated ticker.
A reboot produces simply a kernel panic and everything is completely dead.
Restoring my carefully saved ghost backup, removing ncurses and bash fixes
this.
Any ideas anyone?

Same ideas as before, obviously bash breaks things that are written with an ashen mind 
:-)

Most backup scripts are located in /usr/sbin
They use /bin/sh. On my system /bin/sh links to ash. If you install bash this is 
probably changed to bash.

gatekeeper: -root-
# ls -l /bin/sh
lrwxrwxrwx    1 root     root            3 Nov 18 01:02 /bin/sh -> ash

Now you could change this by

rm /bin/sh
ln -s /bin/ash /bin/sh

You would have to make sure that the new installation of bash does _not_ overwrite 
/bin/sh again, so happy hacking.

But then you can easily add a script to /etc/init.d which takes care of that.

BTW, why exactly do you use bash?


robert von Knobloch in the very snowy Black Forest

Altitude? How much snow?

cheers
Erich

THINK 
Püntenstrasse 39 
8143 Stallikon 
mailto:[EMAIL PROTECTED] 
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16
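Erich's suggestion above is an init script that puts /bin/sh back the way the ash-written backup scripts expect it. The function below is an added example, not a script shipped by the LEAF project: it checks what /bin/sh currently points at, refuses to touch the link if the wanted shell is not actually present (so it never leaves a dangling /bin/sh, which would be worse than the original problem), and otherwise relinks. The directory and target are parameters so the same function can be exercised on a scratch directory; the "start" argument convention for running it from /etc/init.d is an assumption.

```sh
#!/bin/sh
# Added example, not a script from the LEAF project: an init-time guard that
# keeps /bin/sh pointing at ash so the backup scripts (written for ash) keep
# working after bash.lrp has been installed.  The directory and link target
# are parameters so the function can be exercised on a scratch directory
# instead of the real /bin.

ensure_sh_link() {
    bindir=$1          # directory holding sh, e.g. /bin
    wanted=$2          # link target, e.g. ash or /bin/ash
    link="$bindir/sh"

    # Resolve where the wanted target lives so we never leave a dangling link.
    case $wanted in
        /*) target=$wanted ;;
        *)  target="$bindir/$wanted" ;;
    esac
    if [ ! -x "$target" ]; then
        echo "ensure_sh_link: $target missing or not executable, leaving $link alone" >&2
        return 1
    fi

    # Already a symlink to the wanted target: nothing to do.
    if [ -L "$link" ] && [ "$(readlink "$link")" = "$wanted" ]; then
        return 0
    fi

    # Anything else (bash's link, a regular file, nothing at all): replace it.
    echo "ensure_sh_link: relinking $link -> $wanted" >&2
    rm -f "$link" && ln -s "$wanted" "$link"
}

# When run as an init script (copied to /etc/init.d and invoked with "start"
# before the backup tools are used), repair the real /bin/sh.  The "start"
# argument convention is an assumption of this example.
if [ "${1:-}" = "start" ]; then
    ensure_sh_link /bin ash
fi
```

Run it once by hand as `sh ensure-sh.sh start` after installing bash.lrp, and keep it in /etc/init.d so it runs at every boot; because it is idempotent, running it when /bin/sh is already correct changes nothing.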






[leaf-user] NIC driver for Netgear FA310TX / Bering-uClibc 2.0?

2003-12-22 Thread Craig Caughlin
Hi folks,
I can't get my NICs to initialize. I'm using Bering-uClibc (from
Bering-uClibc_2.0_img_bering-uclibc-1680.exe) and 3 Netgear FA310TX
(Rev-D2) cards. I've tried using both the natsemi.o & tulip.o drivers by
themselves and with the pci-scan.o driver, none of which work. I would
be happy to provide any further info. Any suggestions?

Thank you, Happy Holidays!
Craig





[leaf-user] ISDN package for Bering uClibc

2003-12-22 Thread jakub urban
hi

I'm looking for the isdn.lrp package for the bering uClibc distribution, can 
anybody help me please?

thanks
jakub urban




Re: [leaf-user] Static DNS entry

2003-12-22 Thread Richard Doyle
On Mon, 2003-12-22 at 05:05, Erich Titl wrote:
 Hi
 
 At 09:52 22.12.2003 +0100, you wrote:
 Does anyone know a simple way to set a couple of static dns entries on my
 LEAF Bering (uClib) box?
I don't see how these entries would solve the problem you describe
below. They would help the LEAF box resolve host names, but wouldn't
help other hosts resolve the name of your LEAF box. Part of the source
of my confusion (and, I suspect, yours) is that you haven't told us how
IPs are assigned on your network; I suspect the Win2000 domain server
provides DHCP services. If so, how will laptops attached to the network
obtain IPs and other network settings when the DHCP server is off-line?

 I'm running DNSCACHE for resolving Internet names and have an MS Win2000
 Domain controller as internal DNS (it needs it's own dynamic DNS for active
 directory).
 All this works just fine until I power down the complete Windows network
 (which I do every evening). When I want a quick connection from my laptop or
 a visitor's laptop I don't have internal DNS and can't acces my LEAF box by
 name (unless I power my MS domain up).
 I don't want to put a host file on visitor's machines and adding a dns
 server to my LEAF box will disturb CACHEDNS.
 Any ideas ?
 
 I always thought DNSCache was part of tinydns, e,g,
 the djbdns suite.
Sort of. dnscache and tinydns are separate parts of the djbdns suite.
 
 Will this really disturb?
As Erich's question implies, you can run both tinydns and dnscache on a
single host by binding each to a different ip. On a typical LEAF box, 
tinydns is bound to 127.0.0.1 and dnscache is bound to the IP of the
box's internal interface (192.168.1.254 for example).

 You could publish your LEAF box to be the nameserver
 for your ad-hoc clients, if you want to rely on your 
 windoze set up to server DNS then do a zone transfer
 to your LEAF box to take over once the windoze box is off.
 HTH
 Erich

-Richard





[leaf-user] zebra.lrp?

2003-12-22 Thread jakub urban
hi all
does anybody have the latest version of zebra (0.94) or quagga (0.96.4) 
compiled for the bering-glibc distro?

when I try to compile this on my UML debian/slink machine, I get 
segmentation fault messages ;-( (immediately after running ./configure)

thanks
jakub urban






Re: [leaf-user] NIC driver for Netgear FA310TX / Bering-uClibc 2.0?

2003-12-22 Thread Victor McAllister
Craig Caughlin wrote:

Hi folks,
I can't get my NICs to initialize. I'm using Bering-uClibc (from
Bering-uClibc_2.0_img_bering-uclibc-1680.exe) and 3 Netgear FA310TX
(Rev-D2) cards. I've tried using both the natsemi.o & tulip.o drivers by
themselves and with the pci-scan.o driver, none of which work. I would
be happy to provide any further info. Any suggestions?
 

I use the same cards - open Bering_uClibc_2.0_modules_2.4.20.tar

you can use the single kernel driver found in

2.4.20/kernel/drivers/net/tulip/

works great





[leaf-user] e1000 module (version 4.3.15) for Dachstein?

2003-12-22 Thread Miguel De Avila
Does anyone have the compiled e1000 module (version 4.3.15) for the Intel 
Pro/1000 MT Dual Port nic? I believe that the 4.3.15 version of the driver 
is the most recent one for 2.2 kernels.

I'm using Dachstein v1.0.2, which has version 3.0.16. Unfortunately when I 
try and load the module I get

  insmod: init_module: e1000: Device or resource busy.

I'm running on a Dell PowerEdge 650. I'm hoping that a new version of the 
driver will do the trick.

thanks,

Miguel DeAvila






Re: [leaf-user] e1000 module (version 4.3.15) for Dachstein?

2003-12-22 Thread Tony
I don't have specific info for that card, but when I've had cards that have
been acting that way, it's either been that the card was conflicting with
another device, or that the module needs the io address specified.

Hope that helps somewhat.

Tony


- Original Message - 
From: Miguel De Avila [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, December 22, 2003 1:53 PM
Subject: [leaf-user] e1000 module (version 4.3.15) for Dachstein?







[leaf-user] sftp gives /usr/bin/ssh: Permission denied

2003-12-22 Thread Axel B. Bregnsbo
Hi there,

I have problems making a sftp/scp from my LEAF Bering 1.2 to a local
host. Connecting from a sftp client on the host to router works fine.
When connecting from router (192.168.22.1) to host (192.168.22.3) I get
the error message shown below.

firewall: -root-
# sftp 192.168.22.3
Connecting to 192.168.22.3...
exec: /usr/bin/ssh: Permission denied

# sftp -o UsePriviledgedPort no 192.168.22.3
Connecting to 192.168.22.3...
exec: /usr/bin/ssh: Permission denied
Couldn't read packet: Connection reset by peer

I hope some of you can help me. I expect some trivial error, as I am
fairly new to Linux.

Kind regards
Axel B. Bregnsbo

Additional information:

1) ssh connection from the host to the router works fine. The host is
using Putty on a Windows machine.
2) sftp client connection FROM host TO router works fine.
3) issuing 'sftp' did not cause any packets to be transmitted by the
router. I ran a packet-sniffer on the link between 192.168.22.3 &
192.168.22.1.
4) the /usr/bin/ssh directory is empty

# ls -ld ssh
drwxr-xr-x2 root root   40 Dec 20 21:54 ssh

# lrpkg -l
Name      Version         Description
========  ==============  =========================================
initrd    V1.2            LEAF Bering initial filesystem
root      V1.2            Core LEAF Bering package
etc       V1.2            LEAF Bering /etc files
local     V1.2            LEAF Bering local package
modules   V1.2            Define & contain your LEAF Bering modules
iptables  1.2.8           IP packet filter administration tools for 2.4.
pump      0.8.14-2        DHCP/BOOTP client from Redhat
shorwall  1.4.2           Shoreline Firewall (Shorewall)
ulogd     1.0             The Netfilter Userspace Logging Daemon
dnscache  1.05a           A fast & secure proxy DNS server
weblet    1.2.0           LEAF status via a small web server
dhcpd     2.0pl5          DHCP server for automatic IP assignment
libz      1.1.4           zlib compression library. Needed for openssh
sshd      3.7.1p2 compil  OpenSSH sshd daemon.
sftp      3.7.1p2 compil  OpenSSH sftp client & server programs.

# ps
  PID  Uid      VmSize Stat Command
    1 root         764 S    init [2]
    2 root             S    [keventd]
    3 root             S    [ksoftirqd_CPU0]
    4 root             S    [kswapd]
    5 root             S    [bdflush]
    6 root             S    [kupdated]
 3127 root         816 S    /sbin/syslogd -m 240
19671 root         836 S    /sbin/klogd
 5769 root        1744 S    /usr/sbin/sshd
24789 root         720 S    /usr/sbin/watchdog
23329 root         776 S    /usr/sbin/inetd
15315 root         860 S    /usr/sbin/ulogd -d
 7766 root         964 S    /usr/sbin/dhcpd eth1
  695 dnscache    2044 S    [dnscache]
19773 root         812 S    /usr/sbin/cron
11612 root         848 S    -sh
 9987 root         952 S    /sbin/getty 38400 tty2
 8480 root        4440 S    sshd: [EMAIL PROTECTED]
22634 root         848 S    -sh
32196 root        4364 S    sshd: [EMAIL PROTECTED]
13989 root         840 S    -sh
19070 root         936 R    ps





Re: [leaf-user] zebra.lrp?

2003-12-22 Thread K.-P. Kirchdörfer
On Monday, 22 December 2003 at 19:12, jakub urban wrote:
 hi all
 does anybody have the latest version of zebra (0.94) or quagga (0.96.4)
 compiled for the bering-glibc distro?

look for zebra.lrp (which is in fact quagga) at:

http://leaf.sourceforge.net/mod.php?mod=userpage&menu=91017&page_id=51


 when I try to compile this on my UML debian/slink machine, I get
 segmentation fault messages ;-( (immediately after running ./configure)

As bad as that sounds, you're lucky :)
UML debian/slink can't be used for compiling apps for use with Bering-uClibc. 
The generated app will segfault as well on a Bering-uClibc based router.

Please read:
http://leaf.sourceforge.net/doc/guide/buc-devel.html

to get an impression how to build packages for Bering-uClibc.

kp





Re: [leaf-user] zebra.lrp?

2003-12-22 Thread jakub urban

does anybody have the latest version of zebra (0.94) or quagga (0.96.4)
compiled for the bering-glibc distro?

look for zebra.lrp (which is in fact quagga) at:
http://leaf.sourceforge.net/mod.php?mod=userpage&menu=91017&page_id=51

I know this, but that is zebra.lrp for Bering-uClibc; I am looking for 
zebra for the Bering (glibc) version.

when I try to compile this on my UML debian/slink machine, I get
segmentation fault messages ;-( (immediately after running ./configure)

As bad as that sounds, you're lucky :)
UML debian/slink can't be used for compiling apps for use with Bering-uClibc. 

I know, but I'm not lucky: I want zebra for bering-glibc, so I think 
that debian/slink is OK for compiling.

jakub urban





Re: [leaf-user] e1000 module (version 4.3.15) for Dachstein?

2003-12-22 Thread Charles Steinkuehler
Miguel De Avila wrote:
Does anyone have the compiled e1000 module (version 4.3.15) for the Intel 
Pro/1000 MT Dual Port nic? I believe that the 4.3.15 version of the driver 
is the most recent one for 2.2 kernels.

I'm using Dachstein v1.0.2, which has version 3.0.16. Unfortunately when I 
try and load the module I get

   insmod: init_module: e1000: Device or resource busy.

I'm running on a Dell PowerEdge 650. I'm hoping that a new version of the 
driver will do the trick.
You'll probably have to build this yourself, unless someone else on-list 
has done so already and can send you the binary.

The required patches and a script to turn a 'virgin' kernel.org source 
tarball into a source tree for the Dachstein kernel are available (see 
the Readme file):
http://leaf-project.org/devel/cstein/files/kernels/Dachstein-source.tar.gz

Note that the Intel makefile assumes you're compiling on the same system 
you're building the driver for (highly unlikely in this case), so you'll 
have to short-circuit the automatic 'find the kernel source directory' 
code in the makefile to compile against the Dachstein kernel.

--
Charles Steinkuehler
[EMAIL PROTECTED]




[leaf-user] re:Opening UDP ports problem solved

2003-12-22 Thread Dalziel, Josh
This email is just an FYI to Ray and Tom who were helping me out last week.
I was able to solve my problem from last week with traffic not being
forwarded over port 27015. You guys were correct that some traffic was
passing but only a small amount, about 1 in 5 if I did my math correctly. Once
I changed the rule (see below) all the traffic passed and the service is
accepting traffic.


the rule I had was..

DNAT    net    loc:192.186.1.3:27015    udp    27015

I changed the rule to..

DNAT    all    loc:192.186.1.3:27015    udp    27015
And everything started to work.

thanks again for your help

Josh Dalziel
T-Mobile
National Operations
Bothell Wa USA 
425-770-5683




[leaf-user] How to debug boot up?

2003-12-22 Thread Craig Caughlin
Hi folks,
I'm trying to set up a new Bering-uClibc v 2.0 firewall, and I'm getting
an error message(s) that I think are related to dnscache (which, of
course, scroll by so quickly I can't be sure :-). How do I find out which
package(s) I'm having problems with? I wrote the dmesg to a file, and
then examined it...but I don't see any reference to the packages that
loaded at boot or the (nf!) message(s) that scroll by. Suggestions?

Thank you, Happy Holidays!
Craig





Re: [leaf-user] re:Opening UDP ports problem solved

2003-12-22 Thread Tom Eastep
On Monday 22 December 2003 03:20 pm, Dalziel, Josh wrote:
 


 the rule I had was..

 DNAT    net    loc:192.186.1.3:27015    udp    27015

 I changed the rule to..

 DNAT    all    loc:192.186.1.3:27015    udp    27015
 And everything started to work.

Now look at the output of shorewall status and see where the packets are 
really coming from (if not 'net').

-Tom
-- 
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]






Re: [leaf-user] How to debug boot up?

2003-12-22 Thread Lynn Avants
On Monday 22 December 2003 05:46 pm, Craig Caughlin wrote:
 Hi folks,
 I'm trying to set up a new Bering-uClibc v 2.0 firewall, and I'm getting
 an error message(s) that I think are related to dnscache (which, of
 course, scroll by so quickly I can't be sure :-). How do find out which
 package(s) I'm having problems with? 

What are the error messages? shift+PgUp
Most likely places to find the package problems are lack of the
package in the lrcfg backup menu (not loaded ...nf!), /var/log/messages,
and /var/log/kern.log

I wrote the dmesg to a file, and
 then examined it...but I don't see any reference to the packages that
 loaded at boot or the (nf!) message(s) that scroll by. Suggestions?

Doesn't sound as if one or more packages were found on your disk at boot.
-- 
~Lynn Avants
Linux Embedded Appliance Firewall Developer
http://leaf.sourceforge.net
http://guitarlynn.homelinux.org:81




Re: [leaf-user] Qmail questions

2003-12-22 Thread Kory Krofft
Michael,

Thanks for the response. See below...

Kory Krofft [EMAIL PROTECTED] [2003:12:21:12:53:56-0500] scribed:
Snip
I now need to get Qmail up and running so I can host my own email.
I followed the qmail LEAF/LRP user's guide but I am missing
something. If I use a windows mail client to send mail to the
snip

Do I understand correctly that you _successfully_ send mail to this box, 
and you know that because that same message shows up in 
/home/lrpqmail/Maildir/new?

Yes. I can receive mail sent to [EMAIL PROTECTED]. I can't currently seem to get mail 
to show up in any other users' Maildirs but I figure one problem at a time. If I can 
get the pop client to work it will be much easier to debug the user issues.


So, your only problem is retrieving that message to a windows machine?

Yes. I use PocoMail on a win2k box. I get a timeout error  when attempting to contact 
the popserver on my dmz host.

If so, what username and password are you using for this retrieval?

I use lrpqmail and the password for lrpqmail on the host. I can log into the host with 
this combination, I can telnet to port 110 and the pop server using this combination 
but telnet takes about a minute and a half to respond to the telnet open command. 
Once the session is open, it responds OK.

I am running Dachstein and, of course, 110/tcp is open to my retrieving 
systems, both on same LAN and across the Internet.

What is in these files:

/var/qmail/control/defaultdomain
kroffts.com
/var/qmail/control/locals
kroffts.com
/var/qmail/control/rcpthosts
kroffts.com

Try watching output from the following while you attempt to retrieve mail 
to the windows box:

tail -f /var/log/qmail/{pop3d,qmail,smtpd}/current | tai64nlocal

tail~.../pop3d/current | tai64nlocal gives:

2003-12-22 20:18:37.252597500 tcpserver: end 25088 status 256
2003-12-22 20:18:37.252615500 tcpserver: status: 0/40
2003-12-22 20:38:59.646993500 tcpserver: status: 1/40
2003-12-22 20:38:59.647207500 tcpserver: pid 14513 from 192.168.1.1
2003-12-22 20:40:20.795033500 tcpserver: ok 14513 :192.168.10.1:110 :192.168.1.1::3584

the other 2 show no new entries

Without any special configuration to my qmail, here is a fetchmail recipe 
I use every 131 seconds:

poll mail.private.network with proto POP3
    user 'lrpqmail' there with password '_secret_password_' is 'mds' here

It should `just work' -- even from a windows box -- if that port is open, 
qmail is properly configured, and you are using lrpqmail user and its 
correct password.

I believe as Ray has mentioned that the major issue may be  a reverse lookup that 
qmail is doing which causes the timeout error on the mail client. I am still looking 
into what dns settings I need to change to fix that possibility.

Thanks for your input,

Kory

hth







Re: [leaf-user] Qmail questions

2003-12-22 Thread Kory Krofft
Ray,

See below

snipped
failures actually are DNS-based delays, is the right guess ... and that 
quite a while is around 3 minutes.

It takes about a minute and a half to get a response with telnet.

What to do about it?

First, maybe your mail server can be configured not to do reverse lookups. 
I'm not a qmail expert so can't help there.

I have not found any source so far that tells me how to configure it. I am considering 
asking on the qmail list but since the lrp setup is different, the responses are often 
hard to follow when asked to compare setup info.

Second, if you do not want your mail server to be able to do DNS lookups, 
then the router's response -- an icmp port unreachable response -- is a 
correct response. A slightly better response is to send a udp REJECT packet 
... some clients recognize this but do not understand icmp port unreachable 
(dig through ancient archives for discussion of why LEAF routers normally 
leave port 113 open for the theory here). You would do this by adding a 
Shorewall rule to ACCEPT dport-53-udp traffic from the DMZ.

I have had ACCEPT    dmz    fw    udp    53 in place all along.


Third, if you do want your mail server to be able to resolve these reverse 
lookups ... where do you want it to do so? What DNS server (or other 
mechanism) do you want to provide? Options (for these on-LAN lookups) are:

put the information in /etc/hosts on the DMZ machine (this may or 
may not work with qmail; MTAs are notorious for using ONLY DNS, not 
/etc/hosts, and I don't know about qmail in this regard)

I tried the hosts file but it does not seem to help.

run a DNS server authoritative for the LAN on the LEAF router

run a DNS server authoritative for the LAN on the LEAF mail server

run a DNS server authoritative for the LAN on some LAN host, and 
let the DMZ server have access to it through the firewall (this is what I 
do here, running BIND on a full-strength-Linux LAN server).

From your comments below, it appears you are trying to do #2, using 
tinydns. If you want to do it that way, someone else will have to answer 
those questions, as I've never set up that package (on LEAF or any other 
host) ... as I recall, it has problems listening on multiple interfaces ... 
but I may be remembering wrong.

I think I am doing #1. I have no DNS packages running on the DMZ host.
I have tried to set the router as a default dns server for both the dmz and loc 
networks. It works for lookups resolving internet hosts.
I will repost and ask what the proper setup is for dns service to resolve my 2 
internal networks.


Sorry I cannot take you all the way to an answer, but with the problem 
identified as a DNS misconfiguration, surely someone else here knows the 
details you need to wrap this up.

Thanks for all the help. I know more now than when I started.

Kory


At 09:32 PM 12/21/2003 -0500, Kory Krofft wrote:

the tcpdump output you sent indicates that after the POP3 connection is 
initiated, the POP3 server is trying to do a reverse lookup on the source 
IP address. Several packets indicate this, the first being --

16:37:26.524013 192.168.10.1.59258 > 192.168.1.254.53: 28701+ PTR? 1.10.168.192.in-addr.arpa. (43) (DF)

The router responds with a port unreachable packet:

16:37:29.547086 192.168.10.254 > 192.168.10.1: icmp: 192.168.10.254 udp port 53 unreachable [tos 0xc0]

This certainly indicates some sort of a configuration error, but not 
knowing the details of your setup, I can't say what that error is. It does 
make me guess that the POP3 server does not reply, after the initial reply, 
because it cannot do a lookup on the IP address. Or ... a blue-sky thought 
here ... how long do you wait before giving up? DNS failures can, in some 
cases, cause delays of up to 3 minutes in responses.

What would be the proper way for the router to reply to this reverse lookup?
/etc/hosts on the router looks like this:
127.0.0.1       localhost.kroffts.home localhost
192.168.1.254   markii
192.168.1.1     coventry.kroffts.home coventry
192.168.10.1    www.kroffts.com dmz kroffts_web

/etc/resolv.conf on router:
domain kroffts.home
nameserver 127.0.0.1
nameserver 192.168.1.254

/etc/hosts on dmz:
127.0.0.1       localhost
192.168.1.254   markii
192.168.10.1    kroffts_web.kroffts.com kroffts_web mail.kroffts.com
191.168.1.1     coventry.kroffts.home   coventry


/etc/resolv.conf on dmz:
domain kroffts.com
nameserver 127.0.0.1
nameserver 192.168.1.254
nameserver 192.168.10.254

What can you tell me about the /etc/tinydns-private/root/data file from 
the router? Does this look correct?

kroffts.home::localhost
1.168.192.in-addr.arpa::localhost
+markii.kroffts.home:192.168.1.254    the router
=mail.kroffts.com:192.168.10.1          the dmz host

I am not running any DNS daemons on the dmz. Should I be? I had wanted to 
use DHCP to configure the DMZ host but I could not get it to work on two 
separate networks. I know it should, but it didn't so I set up the eth0 on 
the dmz host as 

[leaf-user] Firewall compromised-V2.0 uClibc-0. image Bering-uClibc_2.0_img_bering-uclibc-1680.exe

2003-12-22 Thread Ken
Hello All,

Please be patient with me, I am new to the Linux world and I am not a
security expert.

I built a uClibc firewall version 2.0 Linux firewall kernel 2.4.20 from the
image Bering-uClibc_2.0_img_bering-uclibc-1680.exe and I have been
compromised.  I have included a lot of information here because I need to
know how the hackers compromised this machine and I want to give you as much
information as you need to help me figure it out.  For the most part this is
a default configuration with no special services needed or running, I setup
dropbear (default config) but have not removed the package yet.  The
Shorewall is set to accept all outbound traffic and paranoid ALL inbound, I
have not changed anything in this configuration file.  Please see
Configuration and rules below for more detail and please let me know if you
need any additional information.  

Thank you in advance to all that will help me. I am learning, and I am sure
this is NOT an issue with the shorewall product but with my configuration.
Please also remember who you are addressing (dope newbie/wannabie) so please
if you could. :)

Ken
[EMAIL PROTECTED]

Issue:
==========
My shorewall has been compromised.  I need to find out how they are
compromising this machine repeatedly and what I need to do to stop it!  The
hackers have already used the shorewall box to spam others on the internet
and god knows what else. 
I have a CISCO PIX 515 behind the shorewall firewall with eth0 set to
192.168.1.99.  As far as I can tell it has not been compromised and I have
not noticed any strange events internally on my home network (yet). (I am
told the PIX cannot be configured for dhcp so I am using shorewall for this;
unfortunately in my area I have a choice between Comcast and dialup).  The
version of uClibc I am using may need some patches but I am not sure about
this as I downloaded this image and set it up less than a month ago, please
let me know if there are any critical updates that I need to apply.  I have
read the installation/user guides and have read hundreds of man pages and I
can only hope I did everything right.

This clip is from my shorewall.log:0: Note the date on the first entry and
the source IP.  The problem is that the SRC is my IP and I do not have an IP
192.43.244.18 on my network.  I have added 123.1.1.1 to my blacklist.  Since
this IP has been added to my blacklist it still shows up in my log and looks
something like the log from DEC 20 below with
Shorewall:blacklst:DROP:IN=eth0 OUT=eth1 SRC=123.1.1.1 DST=192.168.1.99.
This is bad because this IP is eth0 to my CISCO PIX 515. 

Jan 1 00:00:00 firewall Shorewall:all2all:REJECT: IN= OUT=eth0 MAC=
SRC=12.213.227.185 DST=192.43.244.18 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=0 DF
PROTO=TCP SPT=4083 DPT=37 SEQ=3441321937 ACK=0 WINDOW=5840 SYN URGP=0

Dec 21 10:19:38 firewall Shorewall:logdrop:DROP: IN=eth0 OUT=
MAC=00:a0:c9:68:18:28:00:01:5c:22:5d:42:08:00 SRC=123.1.1.1
DST=12.213.227.185 LEN=783 TOS=00 PREC=0x00 TTL=112 ID=28872 PROTO=UDP
SPT=14833 DPT=1026 LEN=763 
 
Dec 21 15:13:10 firewall Shorewall:net2all:DROP: IN=eth0 OUT=
MAC=00:a0:c9:68:18:28:00:01:5c:22:5d:42:08:00 SRC=205.240.153.242
DST=12.213.227.185 LEN=60 TOS=00 PREC=0x00 TTL=49 ID=13109 DF PROTO=TCP
SPT=1787 DPT=21 SEQ=3260295433 ACK=0 WINDOW=5840 SYN URGP=0

Also SRC IP 66.218.70.35 has seemingly exploited the uClibc firewall.  The
IP 192.168.1.99 is eth0 for my CISCO PIX 515.  
You can see shorewall start and then 66.218.70.35 (v4.vc.scd.yahoo.com
[66.218.70.35]) is out eth1, looks bad to me. The hacker is using several
boxes from yahoo IP's: v3.vc.scd.yahoo.com [66.218.70.45],
v1.vc.scd.yahoo.com [66.218.70.32], v13.vc.scd.yahoo.com [66.218.70.34]
Dec 20 14:59:16 firewall dhcpcd.exe: interface eth0 has been configured with
new IP=12.213.227.185
Dec 20 14:59:23 firewall root: Shorewall Started
Dec 20 15:41:06 firewall kernel: Shorewall:blacklst:DROP:IN=eth0 OUT=eth1
SRC=66.218.70.35 DST=192.168.1.99 LEN=44 TOS=0x00 PREC=0x00 TTL=51 ID=2091
DF PROTO=TCP SPT=5001 DPT=10468 WINDOW=65535 RES=0x00 ACK SYN URGP=0

Configuration:
==========
The Shorewall box has two Intel Pro 100 NICs.  Eth0 to internet with dhcp,
routefilter, blacklist, rfc1918 and dropunclean set to yes.  
I had set blacklist logging to 6 (informational) and then changed it to 4
(urgent) just to see if this would show different events in the log.
Eth0 pulls dhcp IP 12.213.227.185 from Comcast.
Eth1 is configured with default address 192.168.1.254.
Incoming ICMP on port 8 set to DROP packets.
Ident Port 113 set to DROP packets.

Modules Loaded:
==========
Modules:
softdog 1476   1
ip_nat_irc  2176   0 (unused)
ip_nat_ftp  2784   0 (unused)
ip_conntrack_irc2880   1
ip_conntrack_ftp3648   1
eepro100 
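Two posts above turn on the same skill: Tom's "see where the packets are really coming from" and the log excerpt in the compromise report both require reading netfilter log fields correctly. The parser below is an added example; it is not Shorewall code and was not posted by anyone in this thread. It splits a Shorewall log line into its key=value fields and bare flag tokens and classifies direction from IN=/OUT=: IN set with OUT empty is a packet addressed to the firewall itself, IN empty with OUT set is a packet the firewall itself generated, and both set is a packet being forwarded. Run on the lines quoted above it reports the first line (IN= empty, OUT=eth0, DPT=37, flag SYN) as a connection attempt from the firewall to TCP port 37, the RFC 868 time service, and the blacklst line as a forwarded SYN/ACK, i.e. the reply half of a connection rather than a new attempt. The four sample lines are the poster's own, re-joined onto one line each; the direction labels, the summary format, and the by-source tally (which only helps for rules that actually log) are this example's.

```python
"""Parse Shorewall (netfilter LOG) lines and classify each packet's direction.

Added example; not Shorewall code and not from any post in the thread.
Netfilter writes key=value tokens plus bare flag tokens (DF, SYN, ACK, ...).
Which chain saw the packet follows from the interface fields:
    IN set,   OUT empty -> addressed to the firewall itself (INPUT)
    IN empty, OUT set   -> generated by the firewall itself (OUTPUT)
    IN set,   OUT set   -> being routed through it (FORWARD)
SAMPLE_LOG holds the four lines quoted in the post, re-joined onto one line each.
"""
import re
from collections import Counter
from typing import Dict, List

HEADER_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<action>[^:\s]+):\s*(?P<rest>.*)$")
TCP_FLAGS = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")


def direction(in_if: str, out_if: str) -> str:
    if in_if and out_if:
        return "forward"
    if in_if:
        return "to-firewall"
    if out_if:
        return "from-firewall"
    return "unknown"


def parse_line(line: str) -> Dict[str, object]:
    m = HEADER_RE.search(line)
    if not m:
        raise ValueError(f"not a Shorewall log line: {line!r}")
    fields: Dict[str, str] = {}
    flags: List[str] = []
    for tok in m.group("rest").split():
        key, sep, val = tok.partition("=")
        if sep:
            fields[key] = val   # empty values are real: 'IN=' means no input interface;
        else:                   # a repeated key (LEN= for IP and UDP) keeps the last value
            flags.append(tok)   # DF, SYN, ACK ...; 'ACK=0' is the ack number, not a flag
    rec: Dict[str, object] = dict(fields)
    rec.update(chain=m.group("chain"), action=m.group("action"), flags=flags,
               direction=direction(fields.get("IN", ""), fields.get("OUT", "")))
    return rec


def parse_log(text: str) -> List[Dict[str, object]]:
    return [parse_line(l) for l in text.splitlines() if "Shorewall:" in l]


def tcp_flag_summary(rec: Dict[str, object]) -> str:
    """'SYN' is a connection attempt; 'SYN/ACK' is the reply to one; '' for non-TCP."""
    if rec.get("PROTO") != "TCP":
        return ""
    present = [f for f in TCP_FLAGS if f in rec["flags"]]
    return "/".join(present) or "no-flags"


def describe(rec: Dict[str, object]) -> str:
    parts = [str(rec["direction"]), str(rec.get("PROTO", "?"))]
    if tcp_flag_summary(rec):
        parts.append(tcp_flag_summary(rec))
    parts.append(f"{rec.get('SRC')}:{rec.get('SPT', '')} -> {rec.get('DST')}:{rec.get('DPT', '')}")
    parts.append(f"in={rec.get('IN') or '-'} out={rec.get('OUT') or '-'}")
    parts.append(f"[{rec['chain']} {rec['action']}]")
    return " ".join(parts)


def by_source(recs: List[Dict[str, object]]) -> Counter:
    """Tally (direction, input interface, SRC): where are the packets really coming from?"""
    return Counter((r["direction"], r.get("IN") or "-", r.get("SRC")) for r in recs)


SAMPLE_LOG = """\
Jan 1 00:00:00 firewall Shorewall:all2all:REJECT: IN= OUT=eth0 MAC= SRC=12.213.227.185 DST=192.43.244.18 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=4083 DPT=37 SEQ=3441321937 ACK=0 WINDOW=5840 SYN URGP=0
Dec 21 10:19:38 firewall Shorewall:logdrop:DROP: IN=eth0 OUT= MAC=00:a0:c9:68:18:28:00:01:5c:22:5d:42:08:00 SRC=123.1.1.1 DST=12.213.227.185 LEN=783 TOS=00 PREC=0x00 TTL=112 ID=28872 PROTO=UDP SPT=14833 DPT=1026 LEN=763
Dec 21 15:13:10 firewall Shorewall:net2all:DROP: IN=eth0 OUT= MAC=00:a0:c9:68:18:28:00:01:5c:22:5d:42:08:00 SRC=205.240.153.242 DST=12.213.227.185 LEN=60 TOS=00 PREC=0x00 TTL=49 ID=13109 DF PROTO=TCP SPT=1787 DPT=21 SEQ=3260295433 ACK=0 WINDOW=5840 SYN URGP=0
Dec 20 15:41:06 firewall kernel: Shorewall:blacklst:DROP:IN=eth0 OUT=eth1 SRC=66.218.70.35 DST=192.168.1.99 LEN=44 TOS=0x00 PREC=0x00 TTL=51 ID=2091 DF PROTO=TCP SPT=5001 DPT=10468 WINDOW=65535 RES=0x00 ACK SYN URGP=0
"""

if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for r in records:
        print(describe(r))
    for key, n in by_source(records).items():
        print(n, key)
```

Feed it `grep Shorewall /var/log/messages` (or shorewall.log) instead of SAMPLE_LOG; the by_source tally grouped by input interface is the log-side counterpart of the counters `shorewall status` prints, and it only counts packets for rules that have a log level set.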

[leaf-user] first beta build of WISP-Dist with Atheros support released

2003-12-22 Thread Vladimir Ivaschenko
I have finally released a new WISP-Dist build 2634 with beta Atheros 
support (using madwifi driver). I was waiting for madwifi to mature, 
and it is finally stable under my tests (so far). On a 100 MHz Soekris 
board I'm able to get around 16 megabits/sec. I didn't test it on more 
powerful motherboards yet.

Atheros support is incomplete; for example, access point statistics 
are not reported.

As usual, this beta release is available from: 
http://www.hazard.maks.net/wisp-dist/downloads

Project homepage is at: http://leaf-project.org/

Any feedback is welcome. :)

--
Best Regards,
Vladimir Ivaschenko
Thunderworx - Senior Systems Engineer (RHCE)




Re: [leaf-user] Firewall compromised-V2.0 uClibc-0. image Bering-uClibc_2.0_img_bering-uclibc-1680.exe

2003-12-22 Thread Tom Eastep
On Mon, 22 Dec 2003, Ken wrote:

 Please be patient with me, I am new to the Linux world and I am not a
 security expert.

Then big red flashing lights should have been going off in your head
before you posted. I'm not going to respond -- when you can provide
conclusive evidence that your Shorewall box has been compromised and why
then you let me know. Otherwise, I'm just going to pretend that I didn't
see your post...

And if you want to talk, I'm listed (but not published) in the Shoreline
directory...

-Tom

Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]




Re: [leaf-user] Qmail questions

2003-12-22 Thread Michael D Schleif
Kory Krofft [EMAIL PROTECTED] [2003:12:22:20:24:44-0500] scribed:
snip /

 I believe as Ray has mentioned that the major issue may be  a reverse
 lookup that qmail is doing which causes the timeout error on the mail
 client. I am still looking into what dns settings I need to change to
 fix that possibility.

Indeed, that is a very serious problem -- not so much because qmail
requires a dns server (it does not); but, from tcpdump it is clear that
it cannot find PTR for 1.1.168.192.in-addr.arpa.

In a previous message, you asked for comments on your
/etc/tinydns-private/root/data -- I strongly suggest that you try the
following, and forget about your DMZ for now:

   =localhost:127.0.0.1
   .localhost:127.0.0.1:a
   .1.0.0.127.in-addr.arpa:127.0.0.1:a
   .kroffts.home:127.0.0.1:a
   .1.168.192.in-addr.arpa:127.0.0.1:a

   =markii.kroffts.home:192.168.1.254

   =coventry.kroffts.home:192.168.1.1

   [EMAIL PROTECTED]:192.168.10.1:mail.kroffts.com
   [EMAIL PROTECTED]::mail.kroffts.com

The last two (2) lines are problematic.  With the `-' as first
character, they will *not* be used now.

Currently, you are *NOT* authoritative and *CANNOT* assume authority for
the kroffts.com domain:

   # dnsqr any kroffts.com
   255 kroffts.com:
   101 bytes, 1+4+0+0 records, response, noerror
   query: 255 kroffts.com
   answer: kroffts.com 170446 NS ns1.dnsexit.com
   answer: kroffts.com 170446 NS ns2.dnsexit.com
   answer: kroffts.com 170446 NS ns1.dnsexit.com
   answer: kroffts.com 170446 NS ns2.dnsexit.com

   # dnsqr mx kroffts.com
   15 kroffts.com:
   45 bytes, 1+1+0+0 records, response, noerror
   query: 15 kroffts.com
   answer: kroffts.com 120 MX 5 kroffts.com

   # dnsqr a kroffts.com
   1 kroffts.com:
   45 bytes, 1+1+0+0 records, response, noerror
   query: 1 kroffts.com
   answer: kroffts.com 109 A 24.210.193.152

   # dnsqr soa kroffts.com
   6 kroffts.com:
   91 bytes, 1+1+0+0 records, response, noerror
   query: 6 kroffts.com
   answer: kroffts.com 120 SOA ns1.dnsexit.com jchen.netdorm.com 260701 1200 1200 
604800 1200

   # dnsqr any mail.kroffts.com
   255 mail.kroffts.com:
   48 bytes, 1+1+0+0 records, response, noerror
   query: 255 mail.kroffts.com
   answer: mail.kroffts.com 120 CNAME kroffts.com

You cannot assert that 192.168.10.1 is mail.kroffts.com with authority,
unless you either:

[a] Change DNS configuration at ns{1,2}.dnsexit.com; or

[b] Replace DNS authority at ns{1,2}.dnsexit.com with your own DNS
server for kroffts.com.

I highly, highly, highly urge you to *NOT* configure your DMZ hosts in
the kroffts.com domain -- especially, since your DMZ is running on an
RFC 1918 network -- unless you get ns{1,2}.dnsexit.com to delegate a
sub-domain to you.  And that is problematic, too, because of the
private network.

For now, try my suggested tinydns data changes, and see whether or not
we get any closer.

hth

-- 
Best Regards,

mds
mds resource
877.596.8237
-
Dare to fix things before they break . . .
-
Our capacity for understanding is inversely proportional to how much
we think we know.  The more I know, the more I know I don't know . . .
--
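To see what the suggested data file above (and the original one quoted earlier in the thread) would actually serve, here is an added example that expands tinydns data lines into the records tinydns-data generates from them. It is not part of djbdns and was not posted in the thread. It covers the line types used above: '.' (NS plus SOA, plus an A record for the nameserver), '=' (A plus the matching PTR), '+' (A only), '@' (MX), '^' (PTR), 'C' (CNAME), '#' comments and '-' disabled lines, and a check_client() helper that reports, for a client address, whether a PTR lookup gets an answer, gets NXDOMAIN from a reverse zone this server holds, or falls outside every zone it holds (the case that leaves a resolver waiting on a timeout). The sample data reproduces the suggested lines; the two '-' lines are constructed stand-ins for the two masked lines in the message, and the 'a' default for an omitted nameserver label is an assumption of this example.

```python
"""Expand tinydns 'data' lines into the DNS records tinydns-data would serve.

Added example; not part of djbdns and not code from any post in the thread.
Handles the line types in the suggested data file ('.', '&', '=', '+', '@',
'^', 'C', '#' comments, '-' disabled lines) so you can check, before running
tinydns-data, whether the reverse zone for your clients is served at all and
whether a given client address has a PTR.
"""
from typing import List, Tuple

Record = Tuple[str, str, str]  # (owner name, record type, rdata)


def reverse_name(ip: str) -> str:
    """192.168.1.1 -> 1.1.168.192.in-addr.arpa"""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def reverse_zone_for(ip: str) -> str:
    """The /24 reverse zone an address falls in: 192.168.1.1 -> 1.168.192.in-addr.arpa"""
    return reverse_name(ip).split(".", 1)[1]


def _fields(body: str, n: int) -> List[str]:
    """Split on ':' and pad to n fields; tinydns lets trailing fields be omitted."""
    parts = body.split(":")
    return (parts + [""] * n)[:n]


def _host_name(x: str, fqdn: str, label: str) -> str:
    # tinydns rule: a bare label x means x.ns.fqdn (or x.mx.fqdn for MX lines);
    # defaulting an empty x to 'a' is this example's assumption
    x = x or "a"
    return x if "." in x else f"{x}.{label}.{fqdn}"


def parse_tinydns_data(text: str) -> List[Record]:
    out: List[Record] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#-":      # comment or disabled line: no records
            continue
        kind, body = line[0], line[1:]
        if kind in ".&":                     # '.' = NS + SOA (+ A for the NS); '&' = NS only
            fqdn, ip, x = _fields(body, 3)
            ns = _host_name(x, fqdn, "ns")
            out.append((fqdn, "NS", ns))
            if kind == ".":
                out.append((fqdn, "SOA", ns))
            if ip:
                out.append((ns, "A", ip))
        elif kind == "=":                    # A and the matching PTR
            fqdn, ip = _fields(body, 2)
            out.append((fqdn, "A", ip))
            out.append((reverse_name(ip), "PTR", fqdn))
        elif kind == "+":                    # A only, no PTR
            fqdn, ip = _fields(body, 2)
            out.append((fqdn, "A", ip))
        elif kind == "@":                    # MX, plus A for the mail host when ip is given
            fqdn, ip, x, dist = _fields(body, 4)
            mx = _host_name(x, fqdn, "mx")
            out.append((fqdn, "MX", f"{dist or '0'} {mx}"))
            if ip:
                out.append((mx, "A", ip))
        elif kind == "^":
            fqdn, target = _fields(body, 2)
            out.append((fqdn, "PTR", target))
        elif kind == "C":
            fqdn, target = _fields(body, 2)
            out.append((fqdn, "CNAME", target))
        else:
            raise ValueError(f"unhandled line type {kind!r}: {raw}")
    return out


def lookup(records: List[Record], name: str, rtype: str) -> List[str]:
    return [rdata for owner, t, rdata in records if owner == name and t == rtype]


def check_client(records: List[Record], ip: str) -> str:
    """What a PTR query for a client address will get from this data."""
    ptr = lookup(records, reverse_name(ip), "PTR")
    if ptr:
        return "ptr:" + ptr[0]
    zone_served = bool(lookup(records, reverse_zone_for(ip), "NS"))
    return "nxdomain" if zone_served else "zone-not-served"


# The suggested data from the message; the two '-' lines are constructed stand-ins.
SAMPLE_DATA = """\
=localhost:127.0.0.1
.localhost:127.0.0.1:a
.1.0.0.127.in-addr.arpa:127.0.0.1:a
.kroffts.home:127.0.0.1:a
.1.168.192.in-addr.arpa:127.0.0.1:a
=markii.kroffts.home:192.168.1.254
=coventry.kroffts.home:192.168.1.1
# disabled stand-ins for the two masked lines (constructed for this example)
-@kroffts.home:192.168.10.1:mail
-=mail.kroffts.home:192.168.10.1
"""

if __name__ == "__main__":
    recs = parse_tinydns_data(SAMPLE_DATA)
    for owner, rtype, rdata in recs:
        print(f"{owner:40} {rtype:5} {rdata}")
    for client in ("192.168.1.1", "192.168.1.7", "192.168.10.1"):
        print(client, "->", check_client(recs, client))
```

With this data a PTR query for 192.168.1.1 (the POP client in the tcpserver log) answers coventry.kroffts.home, 192.168.1.7 gets NXDOMAIN because the 1.168.192.in-addr.arpa zone is held, and 192.168.10.1 is in a reverse zone the file does not serve at all, so a resolver pointed only at this server is left to time out; the check is the fastest way to see which of your two subnets still lacks a reverse zone before you touch tinydns-data.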




Re: [leaf-user] Qmail questions

2003-12-22 Thread Michael D Schleif
Kory Krofft [EMAIL PROTECTED] [2003:12:22:20:24:44-0500] scribed:
snip /

 What is in these files:
 
 /var/qmail/control/defaultdomain
 kroffts.com
 /var/qmail/control/locals
 kroffts.com
 /var/qmail/control/rcpthosts
 kroffts.com
 
 Try watching output from the following while you attempt to retrieve
 mail to the windows box:
 
 tail -f /var/log/qmail/{pop3d,qmail,smtpd}/current | tai64nlocal
 
 tail~.../pop3d/current | tai64nlocal gives:
 
 2003-12-22 20:18:37.252597500 tcpserver: end 25088 status 256
 2003-12-22 20:18:37.252615500 tcpserver: status: 0/40
 2003-12-22 20:38:59.646993500 tcpserver: status: 1/40
 2003-12-22 20:38:59.647207500 tcpserver: pid 14513 from 192.168.1.1
 2003-12-22 20:40:20.795033500 tcpserver: ok 14513 :192.168.10.1:110 
 :192.168.1.1::3584
snip /

O, I forgot to ask, what do you get for this?

   cat /etc/tcp.smtp

-- 
Best Regards,

mds
mds resource
877.596.8237
-
Dare to fix things before they break . . .
-
Our capacity for understanding is inversely proportional to how much
we think we know.  The more I know, the more I know I don't know . . .
--




Re: [leaf-user] Qmail questions

2003-12-22 Thread Ray Olszewski
At 09:47 PM 12/22/2003 -0600, Michael D Schleif wrote:
[...]
Currently, you are *NOT* authoritative and *CANNOT* assume authority for
the kroffts.com domain:
Actually, he can ... in a limited sense. In a way that matters, DNS is just 
a shared delusion, and as long as he lies about it only when talking to 
himself, he doesn't hurt anything.

He can configure the DNS server that *LAN* and DMZ hosts use as their 
resolver (assuming they use an on-LAN host) as authoritative for his 
domain. External hosts trying to do DNS will never see this server, and it 
will let him have on-LAN hosts resolve domain names differently (to private 
addresses, probably) than off-LAN hosts do. This limited sense could easily 
be adequate to take care of his problems.

That said, it's not the best approach (or at least not the one I 
prefer).  A tidier method is to use an unofficial domain for on-LAN 
resolution and reserve the registered name for off-LAN use. Here, for 
example, comarre.com and all the usual variants resolve to external 
addresses, internally and externally, and internally the pseudo-domain is 
comarre.lan . (I am authoritative for comarre.com, though, and that 
simplifies setup. Even so, I do my authoritative DNS on a different host 
from my local-resolver DNS, to avoid some headaches from running multiple 
instances of BIND on a host.)

   # dnsqr any kroffts.com
   255 kroffts.com:
   101 bytes, 1+4+0+0 records, response, noerror
   query: 255 kroffts.com
   answer: kroffts.com 170446 NS ns1.dnsexit.com
   answer: kroffts.com 170446 NS ns2.dnsexit.com
   answer: kroffts.com 170446 NS ns1.dnsexit.com
   answer: kroffts.com 170446 NS ns2.dnsexit.com
   # dnsqr mx kroffts.com
   15 kroffts.com:
   45 bytes, 1+1+0+0 records, response, noerror
   query: 15 kroffts.com
   answer: kroffts.com 120 MX 5 kroffts.com
   # dnsqr a kroffts.com
   1 kroffts.com:
   45 bytes, 1+1+0+0 records, response, noerror
   query: 1 kroffts.com
   answer: kroffts.com 109 A 24.210.193.152
   # dnsqr soa kroffts.com
   6 kroffts.com:
   91 bytes, 1+1+0+0 records, response, noerror
   query: 6 kroffts.com
   answer: kroffts.com 120 SOA ns1.dnsexit.com jchen.netdorm.com 
260701 1200 1200 604800 1200

   # dnsqr any mail.kroffts.com
   255 mail.kroffts.com:
   48 bytes, 1+1+0+0 records, response, noerror
   query: 255 mail.kroffts.com
   answer: mail.kroffts.com 120 CNAME kroffts.com
You cannot assert that 192.168.10.1 is mail.kroffts.com with authority,
unless you either:
[a] Change DNS configuration at ns{1,2}.dnsexit.com; or

[b] Replace DNS authority at ns{1,2}.dnsexit.com with your own DNS
server for kroffts.com.








Re: [leaf-user] Qmail questions

2003-12-22 Thread Kory Krofft
Lynn,

See below

I believe as Ray has mentioned that the major issue may be a reverse 
lookup that qmail is doing which causes the timeout error on the mail 
client. I am still looking into what dns settings I need to change to fix 
that possibility.

I was assuming that all the qmail doc I've worked with have noted that 
a working DNS server is required for use with private addressing on a LAN. 
You need to setup tinydns (not dnscache), bind, or a similar nameserver 
to serve the proper DNS lookups for your LAN. A further note, since you 
are using this domain on both the LAN and the DMZ, both segments will 
need to use this nameserver as Ray (IIRC) noted earlier.

I think DNS is working to a point, let me clarify a bit.
I have both tinydns and dnscache running on the firewall machine and nowhere else.
I am not using this domain on the lan and dmz. The lan is defined as kroffts.home and 
is on 192.168.1
The dmz is kroffts.com and is on 192.168.10 with http and mail DNATed from the 
internet or at least that is my intent :-)
As I see it now I have two problems (at least) One is the excessive amount of time 
needed for qmail to respond to a pop3 request from the lan. I tested with a different 
mail client and found that it is in fact functional in both pop3 and smtp operations. 
It is just very slow. I did not time it but it takes 1 to 2 minutes for mail to be 
retrieved or sent. The time appears to be spent in authentication. The actual mail 
transfer is normal.

The second issue is one of qmail not recognizing my users. I have created user 
accounts with entries in /etc/passwd and /etc/shadow and made a group entry in 
/etc/group. I used makemaildir to create mail directories for each user. I can log 
into these accounts locally or through ssh. I can use the logins to access pop3 
through telnet. But when I send mail to these users, I get a returned message from 
qmail saying: Sorry, no mailbox here by that name. (#5.1.1) Aside from the group 
number the only difference I can see is that the lrpqmail user has a home directory 
entry where I have set the others to use /server/home as /server is the mount point 
for the ide disk that will store the mail. Since the login scripts seem to work and 
send the users to the proper home directory on logging in, I think qmail should 
recognize the Maildirs as well. I wanted to mount the /server/home as /home to reduce 
confusion. It seemed to me that I had used a command similar to
mount /server/home /home before but it is not a valid command since mount seems to 
need a device identifier. I have read the man pages and still think this relocation 
is possible but I need more research.

Thanks again for whatever input you can offer,

Kory



This is to prevent resolving the domain to your external address 
which should be blocked with ip spoofing rules.







Re: [leaf-user] Qmail questions

2003-12-22 Thread Kory Krofft
Michael,


cat /etc/tcp.smtp gives

127.:allow,RELAYCLIENT=
192.168.:allow,RELAYCLIENT=

Kory




On Mon, 22 Dec 2003 21:51:31 -0600, Michael D Schleif wrote:
Kory Krofft [EMAIL PROTECTED] [2003:12:22:20:24:44-0500] scribed:
snip /

What is in these files:

/var/qmail/control/defaultdomain
kroffts.com
/var/qmail/control/locals
kroffts.com
/var/qmail/control/rcpthosts
kroffts.com

Try watching output from the following while you attempt to retrieve 
mail to the windows box:

tail -f /var/log/qmail/{pop3d,qmail,smtpd}/current | tai64nlocal

tail~.../pop3d/current | tai64nlocal gives:

2003-12-22 20:18:37.252597500 tcpserver: end 25088 status 256
2003-12-22 20:18:37.252615500 tcpserver: status: 0/40
2003-12-22 20:38:59.646993500 tcpserver: status: 1/40
2003-12-22 20:38:59.647207500 tcpserver: pid 14513 from 192.168.1.1
2003-12-22 20:40:20.795033500 tcpserver: ok 14513 :192.168.10.1:110
:192.168.1.1::3584
snip /

O, I forgot to ask, what do you get for this?

cat /etc/tcp.smtp







Re: [leaf-user] Qmail questions

2003-12-22 Thread Kory Krofft
I understand much better now. I will try your suggestions tomorrow and report back.
So the DMZ domain should NOT match the internet domain, since the name itself is registered at dnsexit.
I take it then that the domain on the dmz could be kroffts.dmz as well as anything else I could choose to call it. But since the subnets are different, it should not be the same as the private lan?

Kory



On Mon, 22 Dec 2003 21:47:33 -0600, Michael D Schleif wrote:
Kory Krofft [EMAIL PROTECTED] [2003:12:22:20:24:44-0500] scribed:
<snip />

I believe as Ray has mentioned that the major issue may be a reverse lookup that qmail is doing which causes the timeout error on the mail client. I am still looking into what dns settings I need to change to fix that possibility.

Indeed, that is a very serious problem -- not so much because qmail requires a dns server (it does not); but, from tcpdump it is clear that it cannot find PTR for 1.1.168.192.in-addr.arpa.

In a previous message, you asked for comments on your
/etc/tinydns-private/root/data -- I strongly suggest that you try the
following, and forget about your DMZ for now:

=localhost:127.0.0.1
.localhost:127.0.0.1:a
.1.0.0.127.in-addr.arpa:127.0.0.1:a
.kroffts.home:127.0.0.1:a
.1.168.192.in-addr.arpa:127.0.0.1:a

=markii.kroffts.home:192.168.1.254

=coventry.kroffts.home:192.168.1.1

[EMAIL PROTECTED]:192.168.10.1:mail.kroffts.com
[EMAIL PROTECTED]::mail.kroffts.com

The last two (2) lines are problematic.  With the `-' as first
character, they will *not* be used now.

Currently, you are *NOT* authoritative and *CANNOT* assume authority for the kroffts.com domain:

# dnsqr any kroffts.com
255 kroffts.com:
101 bytes, 1+4+0+0 records, response, noerror
query: 255 kroffts.com
answer: kroffts.com 170446 NS ns1.dnsexit.com
answer: kroffts.com 170446 NS ns2.dnsexit.com
answer: kroffts.com 170446 NS ns1.dnsexit.com
answer: kroffts.com 170446 NS ns2.dnsexit.com

# dnsqr mx kroffts.com
15 kroffts.com:
45 bytes, 1+1+0+0 records, response, noerror
query: 15 kroffts.com
answer: kroffts.com 120 MX 5 kroffts.com

# dnsqr a kroffts.com
1 kroffts.com:
45 bytes, 1+1+0+0 records, response, noerror
query: 1 kroffts.com
answer: kroffts.com 109 A 24.210.193.152

# dnsqr soa kroffts.com
6 kroffts.com:
91 bytes, 1+1+0+0 records, response, noerror
query: 6 kroffts.com
answer: kroffts.com 120 SOA ns1.dnsexit.com jchen.netdorm.com
260701 1200 1200 604800 1200

# dnsqr any mail.kroffts.com
255 mail.kroffts.com:
48 bytes, 1+1+0+0 records, response, noerror
query: 255 mail.kroffts.com
answer: mail.kroffts.com 120 CNAME kroffts.com

You cannot assert that 192.168.10.1 is mail.kroffts.com with authority, unless you either:

[a] Change DNS configuration at ns{1,2}.dnsexit.com; or

[b] Replace DNS authority at ns{1,2}.dnsexit.com with your own DNS
server for kroffts.com.

I highly, highly, highly urge you to *NOT* configure your DMZ hosts in the kroffts.com domain -- especially, since your DMZ is running on an RFC 1918 network -- unless you get ns{1,2}.dnsexit.com to delegate a sub-domain to you.  And that is problematic, too, because of the private network.

For now, try my suggested tinydns data changes, and see whether or not we get any closer.

hth

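Michael's two objections above (this tinydns server claims no authority for kroffts.com, and the PTR for 1.1.168.192.in-addr.arpa cannot be found, so qmail's reverse lookup leaves the site and times out) can be checked mechanically. The following is an added Python example, not code from the thread, from djbdns or from LEAF. The sample data is constructed from the lines posted above; the `-@kroffts.com` form of the two disabled MX lines is an assumption (the archive redacted them), and the trailing `+mail.kroffts.com` line is an assumed mistake added so the lint has something to report.

```python
"""Lint a tinydns 'data' file for the two problems raised in this thread.

Added example; not code from the leaf-user thread, from djbdns or from LEAF.
It understands the line types the thread uses ('=', '+', '.', '&', '@', 'Z',
'-' and '#') and reports:
  * an active record whose name falls under no zone this server claims
    ('.' or 'Z' line), i.e. a name whose real authority lives elsewhere;
  * an RFC 1918 or loopback address with no '.' line for its in-addr.arpa
    zone, so PTR queries for it leave the site and time out;
  * lines disabled with a leading '-'.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample, based on the data posted in the thread.  The two MX
# lines are assumed to have read '-@kroffts.com...' before the archive
# redacted the '@'; the final '+' line is an assumed mistake added to show
# what the lint catches (a public name with a private address, in a
# reverse zone this server does not serve).
SAMPLE_DATA = """\
=localhost:127.0.0.1
.localhost:127.0.0.1:a
.1.0.0.127.in-addr.arpa:127.0.0.1:a
.kroffts.home:127.0.0.1:a
.1.168.192.in-addr.arpa:127.0.0.1:a
=markii.kroffts.home:192.168.1.254
=coventry.kroffts.home:192.168.1.1
-@kroffts.com:192.168.10.1:mail.kroffts.com
-@kroffts.com::mail.kroffts.com
+mail.kroffts.com:192.168.10.1
"""

# Line types whose second field is an IP address (when present).
ADDRESS_KINDS = "=+.&@"


@dataclass
class Record:
    kind: str            # leading character: '=', '+', '.', '&', '@', 'Z', ...
    name: str            # the fqdn field, lower-cased, no trailing dot
    ip: Optional[str]    # second field when it holds an address, else None
    active: bool         # False when the line started with '-'


def parse_data(text: str) -> List[Record]:
    """Split a tinydns data file into Record objects (comments skipped)."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        active = not line.startswith("-")
        if not active:
            line = line[1:]
        if not line:
            continue
        kind, fields = line[0], line[1:].split(":")
        name = fields[0].lower().rstrip(".")
        ip = None
        if kind in ADDRESS_KINDS and len(fields) > 1 and fields[1]:
            ip = fields[1]
        records.append(Record(kind, name, ip, active))
    return records


def covering_zone(name: str, zones) -> Optional[str]:
    """Longest zone in `zones` that equals `name` or is a parent of it."""
    best = None
    for zone in zones:
        if name == zone or name.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    return best


def lint(text: str) -> List[Tuple[str, str]]:
    """Return (code, subject) findings for a tinydns data file."""
    records = parse_data(text)
    # Zones this server answers for authoritatively: '.' (SOA+NS+A) or 'Z' (SOA).
    zones = {r.name for r in records if r.active and r.kind in ".Z"}
    findings = []
    for r in records:
        if not r.active:
            findings.append(("disabled", r.name))
            continue
        if r.kind in ADDRESS_KINDS and covering_zone(r.name, zones) is None:
            findings.append(("no-authority", r.name))
        if r.ip:
            try:
                addr = ipaddress.ip_address(r.ip)
            except ValueError:
                findings.append(("bad-address", r.ip))
                continue
            # A private address needs a local reverse zone, otherwise PTR
            # queries escape to the public roots and hang the MTA.
            if addr.is_private and covering_zone(addr.reverse_pointer, zones) is None:
                findings.append(("no-reverse-zone", r.ip))
    return findings


if __name__ == "__main__":
    for code, subject in lint(SAMPLE_DATA):
        print(f"{code:16} {subject}")
```

On the sample the lint reports the two disabled MX lines, then `no-authority` for `mail.kroffts.com` (no `.kroffts.com` line, matching the dnsqr output showing dnsexit as the authority) and `no-reverse-zone` for `192.168.10.1` (no `.10.168.192.in-addr.arpa` line, the same shape of gap that produced the 1.1.168.192.in-addr.arpa failure). With the last `+` line removed, only the two `disabled` findings remain, which is what Michael's suggested data intends.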






Re: [leaf-user] Firewall compromised-V2.0 uClibc-0. image Bering-uClibc_2.0_img_bering-uclibc-1680.exe

2003-12-22 Thread Lynn Avants
On Monday 22 December 2003 08:16 pm, Ken wrote:
 Hello All,

 Please be patient with me, I am new to the Linux world and I am not a
 security expert.

 I built a uClibc firewall version 2.0 Linux firewall kernel 2.4.20 from the
 image Bering-uClibc_2.0_img_bering-uclibc-1680.exe and I have been
 compromised.  I have included a lot of information here because I need to
 know how the hackers compromised this machine and I want to give you as
 much information as you need to help me figure it out. 

You did a pretty good job of showing the logs of packets that have been
dropped (that never got through the firewall). Believe it or not, it would be
next to impossible to relay spam or send it from a compromised LEAF box.

First of all, you would have to enable some form of login to the outside,
which isn't available unless you opened the firewall to accept such requests.
Second of all, the likely culprit of spewing emails is Outlook/Outlook-Express
on a Win32 machine with a virus which can very easily happen if you use
IM, chat, or P2P applications on the client-side (LEAF doesn't content-filter
traffic).
 
I would check your client machine(s) for possible infection first, then find 
some sort of proof that the LEAF firewall was compromised (which likely won't
be found in any logs). Remember, your clients will show the external IP
of the firewall when sending traffic because of the masquerading done by
the firewall. Your local IPs of the client machines will/should never be sent
from the firewall, which is the entire point of masquerading/NAT.

If your LEAF firewall has actually been compromised, it would be the first
that I know of in memory. 
-- 
~Lynn Avants
Linux Embedded Appliance Firewall Developer
http://leaf.sourceforge.net
http://guitarlynn.homelinux.org:81

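The way this thread reads Shorewall log lines (which interface a packet came in on and went out of, whether the router itself originated it, which service the destination port belongs to, and why a private source on the outside interface is what the ip spoofing rules exist to drop) as an added Python example, not code from LEAF or Shorewall. It assumes eth0 is the Internet-facing interface and eth1 the LAN side, as in the poster's setup; the first sample line is the one quoted later in the thread, the other two are constructed.

```python
"""Classify Shorewall/netfilter log lines the way the thread reads them.

Added example, not code from LEAF or Shorewall.  Assumes eth0 is the external
interface and eth1 the LAN interface.  Only the first sample line is from the
thread; the other two are constructed to exercise the other cases.
"""
import ipaddress
import re
from typing import Dict, List, Optional

EXTERNAL_IF = "eth0"   # assumption: the router's Internet-facing interface

# Well-known ports that come up in this thread; /etc/services is the real map.
PORT_NAMES = {25: "smtp", 37: "time", 53: "domain", 110: "pop3", 113: "auth"}

PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<action>[^:\s]+):")

SAMPLE_LINES = [
    # quoted in the thread: the router itself talking to a public time server
    "Jan 1 00:00:00 firewall Shorewall:all2all:REJECT: IN= OUT=eth0 MAC= "
    "SRC=12.213.227.185 DST=192.43.244.18 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=0 DF "
    "PROTO=TCP SPT=4083 DPT=37 SEQ=3441321937 ACK=0 WINDOW=5840 SYN URGP=0",
    # constructed: a blacklisted address being forwarded toward the LAN side
    "Dec 20 10:00:00 firewall Shorewall:blacklst:DROP: IN=eth0 OUT=eth1 MAC= "
    "SRC=123.1.1.1 DST=192.168.1.99 LEN=48 TOS=00 PREC=0x00 TTL=112 ID=1 DF "
    "PROTO=TCP SPT=3000 DPT=25 WINDOW=16384 SYN URGP=0",
    # constructed: an RFC 1918 source arriving from the Internet side
    "Dec 20 10:00:01 firewall Shorewall:rfc1918:DROP: IN=eth0 OUT= MAC= "
    "SRC=10.0.0.5 DST=12.213.227.185 TOS=00 PREC=0x00 TTL=50 ID=2 "
    "PROTO=UDP SPT=1234 DPT=53 LEN=40",
]


def parse_log_line(line: str) -> Optional[Dict]:
    """Pull chain, action and the KEY=VALUE fields out of one log line."""
    m = PREFIX_RE.search(line)
    if not m:
        return None            # not a Shorewall log line
    fields, flags = {}, set()
    for token in line[m.end():].split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value  # IN= and MAC= are legitimately empty
        else:
            flags.add(token)     # DF, SYN, ACK ... carry no value
    return {"chain": m.group("chain"), "action": m.group("action"),
            "fields": fields, "flags": flags}


def classify(entry: Dict, external: str = EXTERNAL_IF) -> Dict:
    """Say where the packet was going and whether anything looks off."""
    f = entry["fields"]
    in_if, out_if = f.get("IN", ""), f.get("OUT", "")
    if in_if and out_if:
        direction = "forwarded"          # transiting the router
    elif out_if:
        direction = "router-originated"  # no IN: the firewall itself sent it
    elif in_if:
        direction = "to-router"          # addressed to the firewall itself
    else:
        direction = "unknown"

    port = int(f["DPT"]) if f.get("DPT", "").isdigit() else None
    notes: List[str] = []
    src = f.get("SRC")
    if src and in_if == external:
        try:
            if ipaddress.ip_address(src).is_private:
                notes.append("private source arriving on the external interface: "
                             "spoofed or misrouted, correctly dropped")
        except ValueError:
            notes.append("unparseable SRC")
    if direction == "forwarded" and out_if == external:
        # The filter table logs before POSTROUTING, so a LAN address here is
        # normal: masquerading rewrites it afterwards.
        notes.append("forwarded outbound; SRC is logged before masquerading "
                     "rewrites it to the external address")
    return {"direction": direction, "dport": port,
            "service": PORT_NAMES.get(port), "notes": notes}


def triage(lines: List[str]) -> List[Dict]:
    """Classify every recognised Shorewall line in `lines`."""
    results = []
    for line in lines:
        entry = parse_log_line(line)
        if entry is not None:
            verdict = classify(entry)
            verdict.update(chain=entry["chain"], action=entry["action"])
            results.append(verdict)
    return results


if __name__ == "__main__":
    for v in triage(SAMPLE_LINES):
        print(f"{v['chain']:10} {v['action']:7} {v['direction']:17} "
              f"dport={v['dport']} ({v['service']}) {'; '.join(v['notes'])}")
```

The first line comes out as `router-originated` to the `time` service, which is Ray's reading of it: empty `IN=` with `OUT=eth0` means the firewall itself opened the connection. The constructed `rfc1918` line shows the case the spoofing rules exist for, a private address turning up on the outside interface.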



Re: [leaf-user] Qmail questions

2003-12-22 Thread Michael D Schleif
Ray Olszewski [EMAIL PROTECTED] [2003:12:22:20:08:14-0800] scribed:
 At 09:47 PM 12/22/2003 -0600, Michael D Schleif wrote:
 [...]
 Currently, you are *NOT* authoritative and *CANNOT* assume authority for
 the kroffts.com domain:
 
 Actually, he can ... in a limited sense. In a way that matters, DNS is just 
 a shared delusion, and as long as he lies about it only when talking to 
 himself, he doesn't hurt anything.

Let's just say, stuff like that is best left to the brave and those
really in the know, OK?  Of course, you are right; but, that scenario is
riddled with holes, points of failure and opportunities for problems
that become extremely difficult to diagnose ;

Not to mention, that the illusionist road is rarely -- if ever -- the
best possible road to travel . . .

-- 
Best Regards,

mds
mds resource
877.596.8237
-
Dare to fix things before they break . . .
-
Our capacity for understanding is inversely proportional to how much
we think we know.  The more I know, the more I know I don't know . . .
--




Re: [leaf-user] Qmail questions

2003-12-22 Thread Michael D Schleif
Kory Krofft [EMAIL PROTECTED] [2003:12:22:23:30:12-0500] scribed:
 I understand much better now. I will try your suggestions tomorrow and
 report back.
 So the DMZ domain should NOT match the internet domain since the name
 itself ti registered at dnsexit.
 I take it then that the domain on the dmz could be kroffts.dmz as well
 as anything else I  could choose to call it. But since the subnets are
 different, it should not be the same as the private lan?

Let's just say that it would be simpler to setup, simpler to maintain,
and result in fewer puzzling problems down the road, if you do not mix
public and private domains, nor public and private networks.

-- 
Best Regards,

mds
mds resource
877.596.8237
-
Dare to fix things before they break . . .
-
Our capacity for understanding is inversely proportional to how much
we think we know.  The more I know, the more I know I don't know . . .
--




Re: [leaf-user] Firewall compromised-V2.0 uClibc-0. image Bering-uClibc_2.0_img_bering-uclibc-1680.exe

2003-12-22 Thread Ray Olszewski
Preliminary comment: Tom is right. You've provided here nothing to indicate 
that your router/firewall has been compromised, so there is no way we (or 
anyone) can tell you how they did it.

Some more specific comments appear inline. I hope you consider them 
patient ... you are unlikely to get *more* patient help than this here.

At 06:16 PM 12/22/2003 -0800, Ken wrote:
Hello All,

Please be patient with me, I am new to the Linux world and I am not a
security expert.
I built a uClibc firewall version 2.0 Linux firewall kernel 2.4.20 from the
image Bering-uClibc_2.0_img_bering-uclibc-1680.exe and I have been
compromised.  I have included a lot of information here because I need to
know how the hackers compromised this machine and I want to give you as much
information as you need to help me figure it out.  For the most part this is
a default configuration with no special services needed or running, I setup
dropbear (default config) but have not removed the package yet.  The
Shorewall is set to accept all outbound traffic and paranoid ALL inbound, I
have not changed anything in this configuration file.  Please see
Configuration and rules below for more detail and please let me know if you
need any additional information.
Thank you in advance to all that will help me. I am learning, and I am sure
this is NOT an issue with the shorewall product but with my configuration.
Please also remember who you are addressing (dope newbie/wannabie) so please
if you could. :)
Ken
[EMAIL PROTECTED]
Issue:
==========
My shorewall has been compromised.  I need to find out how they are
compromising this machine repeatedly and what I need to do to stop it!  The
hackers have already used the shorewall box to spam others on the internet
and god knows what else.
Unfortunately, He is not subscribed to this list, so we lack access to what 
He knows and have to make do with what you actually tell us.

First thing, please provide a copy of a sample SPAM message, one that 
includes ***all*** the Received: headers. Have you made sure that this is 
not just someone forging you as a From: address? Or that it is not from a 
LAN host that got a virus in any of the many ways an inept user can manage 
even behind a good firewall?

Second thing, please provide ANY other specifics you can that indicate that 
a compromise has taken place.

 I have a CISCO PIX 515 behind the shorewall firewall with eth0 set to
192.168.1.99.  As far as I can tell it has not been compromised and I have
not noticed any strange events internally on my home network (yet).
Does traffic to the LAN go from the LEAF router *through* the Cisco? If so, 
is it proxy-arp'ing the rest of 192.168.1.0/24 to the LEAF router? Or is it 
NAT'ing some other private network? The LEAF router doesn't know 
192.168.1.99 as a route to anything.

(I am
told the PIX cannot be configured for dhcp so I am using shorewall for this;
unfortunately in my area I have a choice between Comcast and dialup).  The
version of uClibc I am using may need some patches but I am not sure about
this as I downloaded this image and set it up less than a month ago, please
let me know if there are any critical updates that I need to apply.  I have
read the installation/user guides and have read hundreds of man pages and I
can only hope I did everything right.
This clip is from my shorewall.log:0: Note the date on the first entry and
the source IP.  The problem is that the SRC is my IP and I do not have an IP
192.43.244.18 on my network.  I have added 123.1.1.1 to my blacklist.  Since
this IP has been added to my blacklist it still shows up in my log and looks
something like the log from DEC 20 below with
Shorewall:blacklst:DROP:IN=eth0 OUT=eth1 SRC=123.1.1.1 DST=192.168.1.99.
This is bad because this IP is eth0 to my CISCO PIX 515.
Maybe it is bad, maybe not ... but what it definitely is is incomplete 
(never, never tell troubleshooters that a problem looks something like 
what you want to report ... if you are asking for help, you don't know 
enough to know what needs to be included and what can safely be left out).

If you've blacklisted 123.1.1.1, then why do you think it bad that 
packets from that address show up in the blacklst log? It is what I would 
expect to see. (But a lower packet involving this source address is more 
complete, so I say more there.)


Jan 1 00:00:00 firewall Shorewall:all2all:REJECT: IN= OUT=eth0 MAC= SRC=12.213.227.185 DST=192.43.244.18 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=4083 DPT=37 SEQ=3441321937 ACK=0 WINDOW=5840 SYN URGP=0
Of course you do not have an IP 192.43.244.18 on [your] network. This is 
a packet originating on the router and going to a public IP address on the 
external interface (the *router's* eth0), connecting to the time service 
port. All quite reasonable, since this IP address is a public timeserver:

[EMAIL PROTECTED]:~$ ping 192.43.244.18
PING 192.43.244.18