Re: [leaf-user] Actiontec DSL gateway with Qwest DSL and rfc 1918

2004-02-24 Thread Erich Titl
At 22:56 23.02.2004 -0800, Eric House wrote:
>.
>In one sense, the problem's solved.  But: is this a reasonably safe
>thing to do?  Has anybody out there found a better solution using LEAF
>with an Actiontec?  Ideally I'd be able to turn the thing into a dumb
>bridge, but when it's set up that way I can't get my IP address via
>dhcp.  I'm not ready to double the cost of the connection to get a
>static IP address.

Can't you use pppoe/a?

HTH
Erich

THINK 
Püntenstrasse 39 
8143 Stallikon 
mailto:[EMAIL PROTECTED] 
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16




---
SF.Net is sponsored by: Speed Start Your Linux Apps Now.
Build and deploy apps & Web services for Linux with
a free DVD software kit from IBM. Click Now!
http://ads.osdn.com/?ad_id56&alloc_id438&op=click

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html


OT: [leaf-user] Debian runlevels

2004-02-24 Thread Henning Jebsen
Christian HOSTELET wrote:

> process (either at kernel init time, or when its module is loaded). Same
> should occur for PCMCIA stuff this is the reason I added S,S38.

I am a bit off topic now asking this:
I don't know what S,S38 means. I know about runlevels, for
sure, but am not familiar with Debian stuff.
That was the reason my changes of rcdlinks did not work unless
I used your proposal. What does S,S38 mean? Start it
before _any_ other runlevels [123456]? K,Z99 would be
the corresponding very last script to be executed?

Greetings !





RE: [leaf-user] Public IPs in DMZ with Proxy Arp

2004-02-24 Thread Robert K Coffman Jr - Info From Data Corporation
Ray - thanks again.  Forgive me if I was unclear.  I've got 5 Bering
firewalls in production but this one is bringing a lot of new concepts my
way.

>This doesn't deal with my uncertainty about the old setup. Was the old
>router  able to handle the address "xxx.xxx.xxx.142" or not?

Yes.

>That is, did it somehow (either as its own interface with port forwarding,
>or via proxy arp) make that address visible on the external interface, and
>could it route traffic going from the server using that address successfully?

Apparently so.  If it didn't, then I'm missing a piece of the puzzle, which
is possible.  I've not been on site where this firewall is installed, and I
apologize to you for the boneheads on site if this is the case.


>Were the "LAN" servers we're talking about also plugged into this same
>switch? I suppose they must have been.

Yes they were.

>With that physical setup, and knowing as little about the configuration of
>the prior router as we seem to, I would not assume it was routing traffic
>to and from the other public addresses; the ISP may have been reaching them
>directly, without firewalling. It may only have been NAT'ing whatever
>private-address IPs were used by workstations ... the physical setup you
>(sort of) describe could do this, while not offering any firewalling or
>routing whatsoever to the public-address servers.

I never considered this, but this is probably exactly how it was working for
the 27-30 public IPs (see below.)

>Even if you can't check the old router, can you check the old
>configurations of the servers? What did their routing tables look like? (If
>you feel you must conceal the actual addresses, please don't turn them into
>jabberwocky ... use some convention that lets us easily distinguish
>different hosts, gateway addresses, and netmasks.)  Did they have the old
>router's internal IP address as their default gateway or the ISP gateway
>appropriate to each distinct "network"?

ISP gateway appropriate to each distinct network, with the exception of the
FTP server.  It is configured as follows:

Public address
2A9.2B8.2C3.1D2
mask 255.255.255.252
gw 2A9.2B8.2C3.1D1

internal 192.168.1.7

There is only one NIC in this box, and so apparently the old router did
something (SNAT?) for this address.

The other address range (the 26-30 addresses) are configured exactly as the
external interface on the firewall, and are working in a proxy arp'ed DMZ.
In fact, 26 is the firewall address.

>In the meantime, please figure out a way to conceal them that does not
>leave out information we need to know.

Hopefully the above is better.  I can say that all these addresses are
public and routable - no upstream NAT.

I'm still trying to get access to the old router.

Thanks again for your help.

- Bob Coffman







Re: [leaf-user] Actiontec DSL gateway with Qwest DSL and rfc 1918

2004-02-24 Thread Tom Eastep
On Monday 23 February 2004 10:56 pm, Eric House wrote:

>
> In one sense, the problem's solved.  But: is this a reasonably safe
> thing to do?  Has anybody out there found a better solution using LEAF
> with an Actiontec?  Ideally I'd be able to turn the thing into a dumb
> bridge, but when it's set up that way I can't get my IP address via
> dhcp.  I'm not ready to double the cost of the connection to get a
> static IP address.

Eric,

This topic is covered in the Shorewall FAQ -- http://www.shorewall.net/FAQ.htm

-Tom
-- 
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]






Re: [leaf-user] Re: LEAF on Notebook help

2004-02-24 Thread Christian HOSTELET
> Christian,
>
> I can't reply to the list because I have only webmail at the moment, but
> I'm "in charge" of the (uClibc) pcmcia packages.
>
> The addition of S,38 to the list of startup levels is somewhat redundant,
> can you check if only "S,S20 0,K20 6,K20" in the RCDLINKS also works
> correctly?
> If it works I will take care of updating the various pcmcia packages.
>
> Regards,
> Eric Spakman
> member of the Bering-uClibc team
>
>

Test done successfully. I've put the same RCDLINKS both in
/etc/init.d/pcmcia and /etc/init.d/pcmcia_eth

Regards,
--
Christian - Grenoble







Re: [leaf-user] Debian runlevels

2004-02-24 Thread Christian HOSTELET
From: "Henning Jebsen" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, February 24, 2004 10:59 AM
Subject: OT: [leaf-user] Debian runlevels


> Christian HOSTELET wrote:
>
> > process (either at kernel init time, or when its module is loaded). Same
> > should occur for PCMCIA stuff this is the reason I added S,S38.
> I am a bit off topic now asking this:
> I don't know what S,S38 means. I know about runlevels, for
> sure, but am not familiar with Debian stuff.
> That was the reason my changes of rcdlinks did not work unless
> I used your proposal. What does S,S38 mean? Start it
> before _any_ other runlevels [123456]? K,Z99 would be
> the corresponding very last script to be executed?
>
>
> Greetings !
>
>

Hello Jebsen,

  I'm sure someone with better skills than I have on Unix/Linux/Bering will
answer with more details. But here is an intro.

  This RCDLINKS "trick" is used to define the /etc/rc?.d links to be
created at boot-up.

   In the /etc/rc?.d directories (rc? = rcS, rc0, rc1, etc.), you'll find
script files named SXX and KXX.
   These scripts are executed (under init's control) during transitions of
run-levels.
   /etc/rc?.d/SXX scripts (start scripts) are executed when you enter the
corresponding ? run-level.
   /etc/rc?.d/KXX scripts (kill scripts) are executed when you leave
run-level ?
   (refer to /etc/inittab for the list of assigned run-levels in Bering).

   For example, a transition from level S (start) to 2 (multi-user level)
will execute all KXX scripts in /etc/rcS.d then all SXX scripts in /etc/rc2.d.
   Then a transition to level 1 (single-user) will execute all KXX scripts in
/etc/rc2.d then all SXX scripts in /etc/rc1.d.

   All these scripts are executed in alphanumerical order (S00a.., S00b...,
..., S01, S02... S99z).

   Note: when the system boots up, all SXX scripts in /etc/rcS.d are
executed.

   Going back to RCDLINKS, the value "S,S38 2,S13 3,S13 4,S13 5,S13 6,K87"
in /etc/init.d/pcmcia resulted in creation of the following links:

   /etc/rcS.d/S38pcmcia
   /etc/rc2.d/S13pcmcia
   /etc/rc3.d/S13pcmcia
   etc...
   /etc/rc6.d/K87pcmcia

   Which is not the correct way to do it. Following Eric Spakman's suggestion,
RCDLINKS in the pcmcia script is now "S,S20 0,K20 6,K20" which means:

   S,S20 : starts pcmcia at startup
   0,K20 : stops pcmcia when (before) halting the system
   6,K20 : stops pcmcia when (before) rebooting the system

Hope this clarifies.

--
Christian - Grenoble
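The RCDLINKS expansion Christian walks through above, as an added shell example (not code from this thread or from the Bering pcmcia package): it turns a value such as "S,S20 0,K20 6,K20" into the rc?.d link names, can create them under a scratch directory, and lists what a run-level directory would run in order. It assumes the /etc/rc<level>.d/<tag><script> naming shown in the post and the usual ../init.d/<script> link target, which the post does not state.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Bering pcmcia package:
# expand an RCDLINKS value such as "S,S20 0,K20 6,K20" into the /etc/rc?.d
# symlinks it stands for, so you can see what a package will start or kill,
# and in which run-level, before you install its init script.

# rcdlinks_paths RCDLINKS SCRIPTNAME [ROOTDIR]
# Prints one symlink path per "level,tag" pair. ROOTDIR defaults to /etc;
# pass a scratch directory to rehearse without touching the real system.
rcdlinks_paths() {
    value=$1
    name=$2
    root=${3:-/etc}
    for pair in $value; do
        level=${pair%%,*}   # run-level: S, or 0 to 6
        tag=${pair#*,}      # S20 (start) or K20 (kill) plus sequence number
        case $level in
            S|[0-6]) ;;
            *) echo "rcdlinks: bad run-level in '$pair'" >&2; return 1 ;;
        esac
        case $tag in
            [SK][0-9][0-9]) ;;
            *) echo "rcdlinks: bad link tag in '$pair'" >&2; return 1 ;;
        esac
        echo "$root/rc$level.d/$tag$name"
    done
}

# rcdlinks_make RCDLINKS SCRIPTNAME ROOTDIR
# Validates the whole value first, then creates the links, each pointing
# back at ROOTDIR/init.d/SCRIPTNAME (assumed Debian-style link target).
rcdlinks_make() {
    rcdlinks_paths "$1" "$2" "$3" >/dev/null || return 1
    rcdlinks_paths "$1" "$2" "$3" | while read -r link; do
        mkdir -p "${link%/*}"
        ln -sf "../init.d/$2" "$link"
    done
}

# rcdlinks_order ROOTDIR LEVEL
# Lists rc<LEVEL>.d in the order its links run: KXX links first, then
# SXX links, each group in alphanumerical order (ls sorts for us).
rcdlinks_order() {
    dir=$1/rc$2.d
    [ -d "$dir" ] || return 1
    ls -1 "$dir" | awk '/^K/'
    ls -1 "$dir" | awk '/^S/'
}

# Stand-alone demo: sh rcdlinks.sh demo  (prints the three links for the
# value Eric Spakman suggested for the pcmcia script)
if [ "${1:-}" = "demo" ]; then
    rcdlinks_paths 'S,S20 0,K20 6,K20' pcmcia
fi
```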








[leaf-user] Routing to two servers

2004-02-24 Thread JamesSturdevant
I am trying to get two IPs on one interface to route to two different
web servers. I am using Shorewall 1.4.2 on LEAF Bering.
I have two IP addresses on my network interface:
eth0   xx.yyy.zz.10
eth0:0 xx.yyy.zz.11
I am trying to route port 80 from each of them to different
machines and changing the port on one.  This is what I have
in my rules file:
DNAT   net   loc:172.16.201.90:8081   tcp   80     -   xx.yyy.zz.11
DNAT   net   loc:172.16.201.90        tcp   8081   -   xx.yyy.zz.11
DNAT   net   loc:172.16.201.9         tcp   80     -   xx.yyy.zz.10

I can get to my web server on xx.yyy.zz.10 and to my server on
xx.yyy.zz.11 if I use port 8081 but not when I use port 80. The
shorewall.log file shows a DROP from net2all when port 80 is used.
Shorewall status shows this for net2loc:

Chain net2loc (1 references)
 pkts bytes target     prot opt in   out  source      destination
 4886 2563K ACCEPT     all  --  *    *    0.0.0.0/0   0.0.0.0/0      state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *    *    0.0.0.0/0   0.0.0.0/0      state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     tcp  --  *    *    0.0.0.0/0   172.16.201.90  state NEW tcp dpt:8081
    0     0 ACCEPT     tcp  --  *    *    0.0.0.0/0   172.16.201.90  state NEW tcp dpt:8081
   20   960 ACCEPT     tcp  --  *    *    0.0.0.0/0   172.16.201.9   state NEW tcp dpt:80
    5   328 net2all    all  --  *    *    0.0.0.0/0   0.0.0.0/0

Chain net_dnat (1 references)
 pkts bytes target     prot opt in   out  source      destination
    0     0 DNAT       tcp  --  *    *    0.0.0.0/0   0.0.0.0/0      tcp dpt:8081 to:172.16.201.90
    0     0 DNAT       tcp  --  *    *    0.0.0.0/0   xx.yyy.zz.11   tcp dpt:80 to:172.16.201.90:8081
   20   960 DNAT       tcp  --  *    *    0.0.0.0/0   xx.yyy.zz.10   tcp dpt:80 to:172.16.201.9





Re: [leaf-user] Routing to two servers

2004-02-24 Thread Tom Eastep
On Tue, 24 Feb 2004, JamesSturdevant wrote:

> I am trying to get two IPs on one interface to route to two different
> web servers. I am using Shorewall 1.4.2 on LEAF Bering.
>
> I have two IP addresses on my network interface:
> eth0   xx.yyy.zz.10
> eth0:0 xx.yyy.zz.11
>
> I am trying to route port 80 from each of them to different
> machines and changing the port on one.  This is what I have
> in my rules file:
>
> DNAT   net   loc:172.16.201.90:8081   tcp   80     -   xx.yyy.zz.11
> DNAT   net   loc:172.16.201.90        tcp   8081   -   xx.yyy.zz.11
>
> DNAT   net   loc:172.16.201.9         tcp   80     -   xx.yyy.zz.10
>
> I can get to my web server on xx.yyy.zz.10 and to my server on
> xx.yyy.zz.11 if I use port 8081 but not when I use port 80. The
> shorewall.log file shows a DROP from net2all when port 80 is used.
>

May we see one of these messages?

> Shorewall status shows this for net2loc:
>
> Chain net2loc (1 references)
>  pkts bytes target     prot opt in   out  source      destination
>  4886 2563K ACCEPT     all  --  *    *    0.0.0.0/0   0.0.0.0/0      state RELATED,ESTABLISHED
>     0     0 newnotsyn  tcp  --  *    *    0.0.0.0/0   0.0.0.0/0      state NEW tcp flags:!0x16/0x02
>     0     0 ACCEPT     tcp  --  *    *    0.0.0.0/0   172.16.201.90  state NEW tcp dpt:8081
>     0     0 ACCEPT     tcp  --  *    *    0.0.0.0/0   172.16.201.90  state NEW tcp dpt:8081
>    20   960 ACCEPT     tcp  --  *    *    0.0.0.0/0   172.16.201.9   state NEW tcp dpt:80
>     5   328 net2all    all  --  *    *    0.0.0.0/0   0.0.0.0/0
>
> Chain net_dnat (1 references)
>  pkts bytes target     prot opt in   out  source      destination
>     0     0 DNAT       tcp  --  *    *    0.0.0.0/0   0.0.0.0/0      tcp dpt:8081 to:172.16.201.90
>     0     0 DNAT       tcp  --  *    *    0.0.0.0/0   xx.yyy.zz.11   tcp dpt:80 to:172.16.201.90:8081
>    20   960 DNAT       tcp  --  *    *    0.0.0.0/0   xx.yyy.zz.10   tcp dpt:80 to:172.16.201.9
>
>

Does the above show the entire contents of each chain?

-Tom
--
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]




Re: [leaf-user] Actiontec DSL gateway with Qwest DSL and rfc 1918

2004-02-24 Thread Alex Martin
Specifically
http://www.shorewall.net/FAQ.htm#faq14
and
http://www.shorewall.net/FAQ.htm#faq14a
I think.
;)

Alex Martin
http://www.rettc.com
Tom Eastep wrote:

> On Monday 23 February 2004 10:56 pm, Eric House wrote:
>
> > In one sense, the problem's solved.  But: is this a reasonably safe
> > thing to do?  Has anybody out there found a better solution using LEAF
> > with an Actiontec?  Ideally I'd be able to turn the thing into a dumb
> > bridge, but when it's set up that way I can't get my IP address via
> > dhcp.  I'm not ready to double the cost of the connection to get a
> > static IP address.
>
> Eric,
>
> This topic is covered in the Shorewall FAQ -- http://www.shorewall.net/FAQ.htm
>
> -Tom





[leaf-user] Re: Actiontec DSL gateway with Qwest DSL and rfc 1918

2004-02-24 Thread Eric House
> At 22:56 23.02.2004 -0800, Eric House wrote:
> >.
> >In one sense, the problem's solved.  But: is this a reasonably safe
> >thing to do?  Has anybody out there found a better solution using LEAF
> >with an Actiontec?  Ideally I'd be able to turn the thing into a dumb
> >bridge, but when it's set up that way I can't get my IP address via
> >dhcp.  I'm not ready to double the cost of the connection to get a
> >static IP address.

Erich Titl <[EMAIL PROTECTED]> then asked

> Can't you use pppoe/a ?

The modem uses pppoa to connect to Qwest, as per Qwest's configuration
instructions.  Do you mean that I'd use pppoa on the LEAF box to
connect through the modem (in dumb bridge mode)?

I've tried turning on bridging (an alternative to pppoa in the
configuration screen) and then asking LEAF to connect via dhcp.  This
doesn't work.  But I have not tried setting LEAF up to connect using
pppoa.  It's worth a try, to be sure.  I'll post a note if it works --
though it'll be 10 days before I have a chance to try.

Thanks,

--Eric
-- 
**
* From the desktop of: Eric House, [EMAIL PROTECTED]*
*Crosswords 4.0 for PalmOS is out!:   *
**




[leaf-user] Re: Actiontec DSL gateway with Qwest DSL and rfc 1918

2004-02-24 Thread Erich Titl
At 21:19 24.02.2004 -0800, you wrote:
>> At 22:56 23.02.2004 -0800, Eric House wrote:
>> >.
>> >In one sense, the problem's solved.  But: is this a reasonably safe
>> >thing to do?  Has anybody out there found a better solution using LEAF
>> >with an Actiontec?  Ideally I'd be able to turn the thing into a dumb
>> >bridge, but when it's set up that way I can't get my IP address via
>> >dhcp.  I'm not ready to double the cost of the connection to get a
>> >static IP address.
>
>Erich Titl <[EMAIL PROTECTED]> then asked
>
>> Can't you use pppoe/a ?
>
>The modem uses pppoa to connect to Qwest, as per Qwest's configuration
>instructions.  Do you mean that I'd use pppoa on the LEAF box to
>connect through the modem (in dumb bridge mode)?

Yep, in bridge mode the LEAF box will be responsible for the pppxx protocol.

cheers
Erich

THINK 
Püntenstrasse 39 
8143 Stallikon 
mailto:[EMAIL PROTECTED] 
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16






[leaf-user] Tinydns and VHosts in DMZ

2004-02-24 Thread Sak
Hey everyone,

I'm having a little trouble with accessing virtual hosts in my DMZ.
I've set up tinydns and it handles the primary DNS stuff (requests for
102010.org) just fine.  But when I try to access the other domain
either inside, or outside the network, I get a "...could not be
found." response.

In my tinydns-private file, I've got the following for the DMZ, and
the sites that I'm hosting...

.2.168.192.in-addr.arpa::ns1.102010.org
=demian.102010.org:192.168.2.2 
+www.102010.org:192.168.2.2
+www.adreamcreation.org:192.168.2.2

My tinydns-public file looks like this...

.102010.org::ns1.102010.org
.38.231.216.in-addr.arpa::ns1.102010.org

@102010.org::demian.102010.org
=gw.102010.org:216.231.38.127
+ns1.102010.org:216.231.38.127
+ns2.102010.org:216.231.38.127

=demian.102010.org:216.231.38.127
+www.102010.org:216.231.38.127
+www.adreamcreation.org:216.231.38.127

Are any of you running virtual hosts in a similar fashion, and
possibly have some advice?

-- 
Thanks,
Sak.
-

