RE: [leaf-user] Updated SSH packages

2004-03-23 Thread Dave Hunt
 
> http://www.think.ch/leaf/wrap/packages/
>
> look for the packages with a date 22-Mar-2004
>
> Do not forget to modify your lrpkg.cfg, you need a few more
> packages like libnsl and libcrypt pls keep me updated cheers

Tried them out last night, and they work fine. I had to change 
the passwords option from no to yes in sshd_config to allow 
logins.

Also, if upgrading a remote box, make sure to build a package 
with default keys, because the default package has no keys and
sshd will not start.

Regards,
Dave.





---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470alloc_id=3638op=click

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html


[leaf-user] Wavemon for Bering 1.2

2004-03-23 Thread Dave Hunt

Has anyone got a wavemon lrp handy for Bering 1.2?

Cheers,
Dave.






RE: [leaf-user] Updated SSH packages

2004-03-23 Thread Erich Titl
Dave

At 10:39 23.03.2004 +, Dave Hunt wrote:
> > http://www.think.ch/leaf/wrap/packages/
> >
> > look for the packages with a date 22-Mar-2004
> >
> > Do not forget to modify your lrpkg.cfg, you need a few more
> > packages like libnsl and libcrypt pls keep me updated cheers
>
> Tried them out last night, and they work fine. I had to change
> the passwords option from no to yes in sshd_config to allow
> logins.

My fault, I never allow password authentication, professionally induced paranoia I
guess.
I will modify the sshd_config file accordingly.

> Also, if upgrading a remote box, make sure to build a package
> with default keys, because the default package has no keys and
> sshd will not start.

I know, but the original sshd.lrp did not have keys installed, so I left it that way. 
I guess it would be a function of a package manager to do some post install stuff.

Thanks for the feedback.

Erich

THINK 
Püntenstrasse 39 
8143 Stallikon 
mailto:[EMAIL PROTECTED] 
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16
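An added example for the sshd package thread above (shell, written for this page; it is not Dave's, Erich's or the LEAF package's code): a pre-flight check that refuses to start sshd when no host keys are installed and reports the PasswordAuthentication setting before a remote upgrade. Stock OpenSSH file names and the scratch-directory demo files are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from the LEAF sshd.lrp package.
# Checks, before sshd is (re)started on a remote box, the two things reported
# above: host keys missing (sshd will not start and remote access is lost)
# and the PasswordAuthentication setting. File names follow stock OpenSSH
# and are an assumption; the LEAF package may lay files out differently.

# Succeeds when at least one non-empty host key exists in directory $1.
have_host_keys() {
    for k in ssh_host_rsa_key ssh_host_dsa_key ssh_host_ecdsa_key ssh_host_ed25519_key; do
        [ -s "$1/$k" ] && return 0
    done
    return 1
}

# Prints the effective PasswordAuthentication value ("yes"/"no") from the
# sshd_config given as $1. sshd uses the first uncommented occurrence and
# defaults to "yes" when the keyword is absent.
password_auth() {
    awk 'tolower($1) == "passwordauthentication" { print tolower($2); f = 1; exit }
         END { if (!f) print "yes" }' "$1"
}

# Pre-flight verdict for key directory $1 and sshd_config $2:
# returns 0 when sshd can start, 1 when it would fail for lack of host keys.
sshd_preflight() {
    rc=0
    if have_host_keys "$1"; then
        echo "ok:   host keys present in $1"
    else
        echo "FAIL: no host keys in $1; sshd will not start - generate them first"
        rc=1
    fi
    case "$(password_auth "$2")" in
        no)  echo "note: PasswordAuthentication no; only public-key logins will work" ;;
        yes) echo "warn: PasswordAuthentication yes; move to keys and disable it once they are deployed" ;;
        *)   echo "warn: unexpected PasswordAuthentication value in $2" ;;
    esac
    return $rc
}

# Constructed demo files in a scratch directory (not from any real host).
DEMO=$(mktemp -d)
mkdir -p "$DEMO/nokeys" "$DEMO/keys"
printf 'placeholder key material\n' > "$DEMO/keys/ssh_host_rsa_key"
cat > "$DEMO/sshd_config.nopass" <<'EOF'
#PasswordAuthentication yes
PasswordAuthentication no
PubkeyAuthentication yes
EOF
printf '#PasswordAuthentication yes\n' > "$DEMO/sshd_config.default"

# The situation described above: a package without keys, passwords off.
if sshd_preflight "$DEMO/nokeys" "$DEMO/sshd_config.nopass"; then
    echo "verdict: safe to start sshd"
else
    echo "verdict: do NOT install this package on a remote box yet"
fi
# Same config after host keys have been generated into the package.
if sshd_preflight "$DEMO/keys" "$DEMO/sshd_config.nopass"; then
    echo "verdict: safe to start sshd"
fi
```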






[leaf-user] Looking for a VPN Solution

2004-03-23 Thread JamesSturdevant
I am running Bering 1.2 and am looking for a VPN solution for one of my users.

Her ISP is Earthlink and she reports that her IP address changes 
frequently (every 30 minutes). She will be connecting with a Windows client.

I have Freeswan working for others but their IPs are static. I have tried 
OpenVPN but the LEAF software seg faults when a UDP connection is made from 
a Windows Client and constantly reset if a TCP connection is made. Does 
anyone know what kernel version this code was compiled for?

I know it's a weak solution, but I need to also check out PPTP. Does anyone 
have a version of POPTOP for Bering? All I can locate is the PPTP client.

JamesS





RE: [leaf-user] Looking for a VPN Solution

2004-03-23 Thread James Neave
Hi,

I have PoPToP for Bering. It's around on the LEAF site somewhere.
It's a bugger to get working, the version on the website has config
files that are not for openSSH. I tracked it all down and have a nice
server working for Win32 clients doing their dial-in. 

When I get home I'll email you my stuff, sans passwords.

BUT (aha!)

Expect pain if she's running Win2K. I have a few people for whom it just
does not work.

Also, it's a bit flaky in the password department. Most of my users all
have the same username and password, because that's the only way it
works (it just don't work). 
I authenticate by DNS entries in the shorewall rules and my clients have
dynDNS accounts.

If you don't mind that it doesn't offer REAL security (like, keep the
government out), PPTP is nice and painless for your less IT friendly
clients.

James.
-Original Message-
From: JamesSturdevant [mailto:[EMAIL PROTECTED] 
Sent: 23 March 2004 16:24
To: [EMAIL PROTECTED]
Subject: [leaf-user] Looking for a VPN Solution

I am running Bering 1.2 and am looking for a VPN solution for one of my
users.

Her ISP is Earthlink and she reports that her IP address changes 
frequently (every 30 minutes). She will be connecting with a Windows
client.

I have Freeswan working for others but their IPs are static. I have
tried 
OpenVPN but the LEAF software seg faults when a UDP connection is made
from 
a Windows Client and constantly reset if a TCP connection is made. Does 
anyone know what kernel version this code was compiled for?

I know it's a weak solution, but I need to also check out PPTP. Does
anyone 
have a version of POPTOP for Bering? All I can locate is the PPTP
client.

JamesS





RE: [leaf-user] Which Distro for This Firewall/Router?

2004-03-23 Thread Calvin Webster
Hello Michiel,

Wow! I guess you were serious about helping. I really appreciate the
time and thought you have put into this, Michiel. I'm curious why you
have not been cc'ing the LEAF list. This information might be helpful to
someone else like me. If you would prefer I leave the list off my
replies please let me know. I'm not sure if all my replies are making it
to the list either. I just got a message that my last post was sent to
the moderator awaiting approval due to suspicious header. I suspect
you may be in the same boat.

My in-line comments are inserted below.

Thanks!

--Cal Webster

On Mon, 2004-03-22 at 19:37, michiel wrote:
> Dear calvin
>
> Not all 3C905 cards are the same.
> I got one with a Lucent chip that doesn't work with Linux.
> Most of them do work with Linux; best suggestion: try it first. The bug is
> very annoying because dhcp and some other things work but not heavy
> loads like ftp (especially large packets (mtu)).
> It cost me 3 days to find that out. Trying to prevent it for you.

Thanks for the warning. Fortunately, I haven't encountered those
problems.

> DOC sockets?
> You can also use an IDE port with a DOC.
> Take a look at this one.
> http://www.routerboard.com/parts.html#cf_ide
> Just works like a hard disk. (have not tried it yet)

That was an option when I specified the SBC, but the performance
specifications in the Cyber Research catalog appeared better for the DOC
sockets. I've bookmarked that site, though. I'm always looking for new
sources for non-standard hardware.

> 128 MB RAM?
> Even with squid proxy caching that is way too much.
> 32 MB is mostly okay.
> 768 MB RAM?
> There is no use for it. At least not with LEAF.

RAM is relatively cheap. Better to have more than less, especially
without hard drives.

> PCI bridge.
> All PCI bridges can only do 133 Mbps.
> Then there will be a problem using 2x 100 Mbps wireless links.
> (not sure which wireless system you are using?)
> I am using a 54g wireless network; that doesn't mean that there is a 54
> Mbps speed, just 22.5 Mbps max.
> Intel has mainboards with a separate bridge for network (1 Gbps) that
> can give some space, but expensive.
> Otherwise there is not much need for faster systems than a Pentium.
> PCI Express is going to change that I hope.

We're using RadioLAN RMG503's. I may substitute a free-space optical
bridge for one of the links. With Ethernet overhead and encryption from
VPN tunneling, we're getting more like 30-40 Mbps of the 100 Mbps
advertised. 

I'd be interested in looking at any SBC with separate bridge for
networking to use with the 3rd router and possible upgrades for the
others. Is there a separate block of PCI slots for NICs?

As I indicated in one of my previous posts, I intend to eventually
upgrade the existing NICs with multi-port Ethernet cards. These
typically have their own PCI-to-PCI bridge anyway. Such is the case with
the 4-port Ethernet Card RouterBoard 44 at the site you listed above.

> Layout:
> This will be my solution.
> At least just my few cents.
>
> Building D firewall 4.
> Not really interesting, just a simple Bering + ipsec. A 486DX-33. PCI will
> do, but ISA is fine too. (maybe if the plan1/2 are big go for PCI)
> A bit more PC is always nice. So use a Pentium.
> No routing protocols necessary so I will scratch him out of the schematic.

I don't want to have to manage static routes. As I indicated in my
original specification, all other Private LANs (PLANs) must be able to
send and receive traffic to/from all other PLANs without restriction. I
neglected to mention however, that at least one PLAN in each building
will also need Internet access and access to the corporate intranet.

> To firewall or to (ipsec) route
> That's the difference.
> Routers 1/2/3 use ospf/bgp routing over ipsec.
> Firewalls 1/2/3 use a simple switching software between dsl and router.

I'm not sure what you mean by "switching software between dsl and
router". Are you implying that the ospf/bgp daemons are not to be aware
of the DSL links? Without the routing protocols, how will automatic
fail-over occur when a link goes down?

> Most dsl providers require that they are your default gateway.
> And you want that to be router 2 at building B.

We own our own DSL equipment including the chassis and line cards at the
corporate telephone office/network operation center. However, it is
aging and will soon be unsupportable. I haven't gotten approval for
replacement yet, but hope to tap existing fiber links.

We have a default gateway on the corporate network for access to the
corporate network and their severely restricted Internet connection. We
will normally only use corporate network to access corporate resources.
However, if the main cable ISP link at our site goes down or is somehow
unavailable, each of the buildings should fail-over to use the corporate
Internet access through the DSL link.

   [Remote User]
  [firewall 1]   [firewall 2]   |
 | 

Re: [leaf-user] Looking for a VPN Solution

2004-03-23 Thread K.-P. Kirchdörfer
On Tuesday, 23 March 2004 17:23, JamesSturdevant wrote:
> I am running Bering 1.2 and am looking for a VPN solution for one of my
> users.
>
> Her ISP is Earthlink and she reports that her IP address changes
> frequently (every 30 minutes). She will be connecting with a Windows
> client.
>
> I have Freeswan working for others but their IPs are static.

You may look into road-warrior configuration for a dynamic ip address.

kp




Re: [leaf-user] Looking for a VPN Solution

2004-03-23 Thread Martin Hejl
JamesSturdevant wrote:
> I am running Bering 1.2 and am looking for a VPN solution for one of my
> users.
>
> Her ISP is Earthlink and she reports that her IP address changes
> frequently (every 30 minutes). She will be connecting with a Windows
> client.
>
> I have Freeswan working for others but their IPs are static. I have
> tried OpenVPN but the LEAF software seg faults when a UDP connection is
> made from a Windows Client and constantly reset if a TCP connection is
> made. Does anyone know what kernel version this code was compiled for?

It shouldn't matter. For all I know, OpenVPN is completely independent
of the kernel version (unlike IPSEC), since it runs completely in
user-space.

Unless there is a compelling reason not to (like, extensive setup 
already done on Bering, or software that's not available for Bering 
uClibc), you might also want to consider switching to Bering uClibc - I 
maintain the OpenVPN package for Bering uClibc (I also wrote a patch to 
enable OpenVPN to work with ip instead of ipconfig, which has found 
its way into the latest version), and it's been _very_ stable for me 
(I'm currently running two OpenVPN links - one over the internet where 
both ends are dynamic and change IPs once a day, and one over a wireless 
connection, which goes up and down a lot, since it's used for testing 
wireless equipment). I'm not trying to sell Bering uClibc to you, I 
just don't like it that a fine piece of software like OpenVPN is being 
dropped in favour of something less secure, just because of a seemingly 
faulty package (and sorry, no, I can't help with fixing the package on 
Bering).

Martin





[leaf-user] Difficulty assigning multiple IP addresses

2004-03-23 Thread Craig Caughlin
Hi folks,
I'm trying (with no success) to assign multiple IP addresses to eth0 on my
Bering-uClibc 2.1-rc1 box. 

At Tom's suggestion, I have read (studied really) his instructions at:
http://www.shorewall.net/shorewall_setup_guide.htm.

I have been assigned by our network admin the following addresses:
66.60.172.201-204, Gateway 205. In /etc/shorewall/masq I have made the
following entry:

#INTERFACE  SUBNET  ADDRESS
eth0:0      eth1    66.60.172.201-66.60.172.204

When I save the file, restart shorewall, and issue the ip addr command I'm
expecting to see the additional addresses but here's what I get:

1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:a0:cc:d3:c2:14 brd ff:ff:ff:ff:ff:ff
    inet 66.60.172.201/24 brd 66.60.172.255 scope global eth0
    inet 66.60.172.204/24 brd 66.60.172.255 scope global secondary eth0:0
4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:a0:cc:52:07:52 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.254/24 brd 192.168.1.255 scope global eth1
5: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
    link/ether 00:a0:cc:d3:cf:40 brd ff:ff:ff:ff:ff:ff

When I try to ping the addresses, I can ping only 66.60.172.201 but nothing
else. In the /etc/network/interfaces file, I have eth0 statically set to
66.60.172.201, and I use the dhcpd for assigning local addresses. I'm
stumped...any suggestions???

P.S. One thing I did gave me, what *I* think, was a really unusual result: I
had initially set eth0's static address as 66.60.172.204, and when I tried
to ping 66.60.172.201...here's what I got:

G:\WINNT\system32>ping 66.60.172.201
Pinging 66.60.172.201 with 32 bytes of data:
Reply from 66.60.172.204: Destination host unreachable.
Reply from 66.60.172.204: Destination host unreachable.
Reply from 66.60.172.204: Destination host unreachable.
Reply from 66.60.172.204: Destination host unreachable.
Ping statistics for 66.60.172.201:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum =  0ms, Average =  0ms

Is that really odd...or is it me??? :-) I see there's no packet loss...but I
also can't reach the box. H.


Thank you as always,
Craig





Re: [leaf-user] Difficulty assigning multiple IP addresses

2004-03-23 Thread Charles Steinkuehler
Craig Caughlin wrote:
> Hi folks,
> I'm trying (with no success) to assign multiple IP addresses to eth0 on my
> Bering-uClibc 2.1-rc1 box.
>
> At Tom's suggestion, I have read (studied really) his instructions at:
> http://www.shorewall.net/shorewall_setup_guide.htm.
> I have been assigned by our network admin the following addresses:
> 66.60.172.201-204, Gateway 205. In /etc/shorewall/masq I have made the
> following entry:
> #INTERFACE  SUBNET  ADDRESS
> eth0:0      eth1    66.60.172.201-66.60.172.204
> When I save the file, restart shorewall, and issue the ip addr command I'm
> expecting to see the additional addresses but here's what I get:
> 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
> 2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
>     link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
> 3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
>     link/ether 00:a0:cc:d3:c2:14 brd ff:ff:ff:ff:ff:ff
>     inet 66.60.172.201/24 brd 66.60.172.255 scope global eth0
>     inet 66.60.172.204/24 brd 66.60.172.255 scope global secondary eth0:0
> 4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
>     link/ether 00:a0:cc:52:07:52 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.1.254/24 brd 192.168.1.255 scope global eth1
> 5: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
>     link/ether 00:a0:cc:d3:cf:40 brd ff:ff:ff:ff:ff:ff
> When I try to ping the addresses, I can ping only 66.60.172.201 but nothing
> else. In the /etc/network/interfaces file, I have eth0 statically set to
> 66.60.172.201, and I use the dhcpd for assigning local addresses. I'm
> stumped...any suggestions???
> P.S. One thing I did gave me, what *I* think, was a really unusual result: I
> had initially set eth0's static address as 66.60.172.204, and when I tried
> to ping 66.60.172.201...here's what I got:
> G:\WINNT\system32>ping 66.60.172.201
> Pinging 66.60.172.201 with 32 bytes of data:
> Reply from 66.60.172.204: Destination host unreachable.
> Reply from 66.60.172.204: Destination host unreachable.
> Reply from 66.60.172.204: Destination host unreachable.
> Reply from 66.60.172.204: Destination host unreachable.
> Ping statistics for 66.60.172.201:
> Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
> Approximate round trip times in milli-seconds:
> Minimum = 0ms, Maximum =  0ms, Average =  0ms
> Is that really odd...or is it me??? :-) I see there's no packet loss...but I
> also can't reach the box. H.

Are you using the /etc/shorewall/masq file to try and *ASSIGN* the extra 
IP addresses?  With your setup, I'd simply assign all IP's in your 
/etc/network/interfaces file (add entries for eth0:0, eth0:1, etc., 
along with the entry for eth0).

With the masq entry you list above, you'll be round-robining through 
source IP's for outbound traffic, which I doubt is what you really want.

--
Charles Steinkuehler
[EMAIL PROTECTED]


Re: [leaf-user] Difficulty assigning multiple IP addresses

2004-03-23 Thread Tom Eastep
Craig Caughlin wrote:
> Hi folks,
> I'm trying (with no success) to assign multiple IP addresses to eth0 on my
> Bering-uClibc 2.1-rc1 box.
>
> At Tom's suggestion, I have read (studied really) his instructions at:
> http://www.shorewall.net/shorewall_setup_guide.htm.
> I have been assigned by our network admin the following addresses:
> 66.60.172.201-204, Gateway 205. In /etc/shorewall/masq I have made the
> following entry:
> #INTERFACE  SUBNET  ADDRESS
> eth0:0      eth1    66.60.172.201-66.60.172.204
> When I save the file, restart shorewall, and issue the ip addr command I'm
> expecting to see the additional addresses but here's what I get:

And have you set ADD_SNAT_ALIASES=Yes in shorewall.conf?

-Tom
--
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]




Re: [leaf-user] Difficulty assigning multiple IP addresses

2004-03-23 Thread Tom Eastep
Charles Steinkuehler wrote:
>
> Are you using the /etc/shorewall/masq file to try and *ASSIGN* the extra
> IP addresses?  With your setup, I'd simply assign all IP's in your
> /etc/network/interfaces file (add entries for eth0:0, eth0:1, etc.,
> along with the entry for eth0).
>
> With the masq entry you list above, you'll be round-robining through
> source IP's for outbound traffic, which I doubt is what you really want.

Good catch -- I haven't a clue what Shorewall would do with that masq 
file entry and ADD_SNAT_ALIASES=Yes.

-Tom
--
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]




Re: [leaf-user] Difficulty assigning multiple IP addresses

2004-03-23 Thread Tom Eastep
Tom Eastep wrote:
> Charles Steinkuehler wrote:
>
> > Are you using the /etc/shorewall/masq file to try and *ASSIGN* the
> > extra IP addresses?  With your setup, I'd simply assign all IP's in
> > your /etc/network/interfaces file (add entries for eth0:0, eth0:1,
> > etc., along with the entry for eth0).
> >
> > With the masq entry you list above, you'll be round-robining through
> > source IP's for outbound traffic, which I doubt is what you really want.
>
> Good catch -- I haven't a clue what Shorewall would do with that masq
> file entry and ADD_SNAT_ALIASES=Yes.

Hmmm -- I'm smarter than I thought :-)

...
Adding IP Addresses...
   IP Address 206.124.146.178 added to interface eth0 with label eth0:0
   IP Address 206.124.146.180 added to interface eth0 with label eth0:1
   IP Address 206.124.146.179 added to interface eth0 with label eth0:2
   IP Address 176.16.1.1 added to interface eth3 with label eth3:0
   IP Address 176.16.1.2 added to interface eth3 with label eth3:1
   IP Address 176.16.1.3 added to interface eth3 with label eth3:2
   IP Address 176.16.1.4 added to interface eth3 with label eth3:3
   IP Address 176.16.1.5 added to interface eth3 with label eth3:4
   IP Address 176.16.1.6 added to interface eth3 with label eth3:5
   IP Address 176.16.1.7 added to interface eth3 with label eth3:6
Processing /etc/shorewall/start ...
Shorewall Restarted
gateway:/etc/test#
So it assigns the addresses to sequential aliases.

-Tom
--
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]




Re: [leaf-user] Difficulty assigning multiple IP addresses

2004-03-23 Thread Charles Steinkuehler
Tom Eastep wrote:
> Tom Eastep wrote:
> > Charles Steinkuehler wrote:
> >
> > > Are you using the /etc/shorewall/masq file to try and *ASSIGN* the
> > > extra IP addresses?  With your setup, I'd simply assign all IP's in
> > > your /etc/network/interfaces file (add entries for eth0:0, eth0:1,
> > > etc., along with the entry for eth0).
> > >
> > > With the masq entry you list above, you'll be round-robining through
> > > source IP's for outbound traffic, which I doubt is what you really want.
> >
> > Good catch -- I haven't a clue what Shorewall would do with that masq
> > file entry and ADD_SNAT_ALIASES=Yes.
>
> Hmmm -- I'm smarter than I thought :-)
>
> ...
> Adding IP Addresses...
>    IP Address 206.124.146.178 added to interface eth0 with label eth0:0
>    IP Address 206.124.146.180 added to interface eth0 with label eth0:1
>    IP Address 206.124.146.179 added to interface eth0 with label eth0:2
>    IP Address 176.16.1.1 added to interface eth3 with label eth3:0
>    IP Address 176.16.1.2 added to interface eth3 with label eth3:1
>    IP Address 176.16.1.3 added to interface eth3 with label eth3:2
>    IP Address 176.16.1.4 added to interface eth3 with label eth3:3
>    IP Address 176.16.1.5 added to interface eth3 with label eth3:4
>    IP Address 176.16.1.6 added to interface eth3 with label eth3:5
>    IP Address 176.16.1.7 added to interface eth3 with label eth3:6
> Processing /etc/shorewall/start ...
> Shorewall Restarted
> gateway:/etc/test#
> So it assigns the addresses to sequential aliases.

...but do any of your alias IP's overlap the main IP for the interface? 
I think the setup Craig was commenting likely has overlapping IP's (kind 
of hard to tell, though, since there's not exactly complete debugging info).

Regardless, if I'm reading the docs correctly, having multiple IP's 
after a masq entry will round-robin through all the IP's listed, which 
seems like a pretty weird way to setup an external link.

--
Charles Steinkuehler
[EMAIL PROTECTED]


Re: [leaf-user] Difficulty assigning multiple IP addresses

2004-03-23 Thread Tom Eastep
Charles Steinkuehler wrote:
> > So it assigns the addresses to sequential aliases.
>
> ...but do any of your alias IP's overlap the main IP for the interface?
> I think the setup Craig was commenting likely has overlapping IP's (kind
> of hard to tell, though, since there's not exactly complete debugging
> info).

Shorewall is smart enough to not try to add an IP address to an
interface if the address is already configured on that interface.

> Regardless, if I'm reading the docs correctly, having multiple IP's
> after a masq entry will round-robin through all the IP's listed, which
> seems like a pretty weird way to setup an external link.

Yes --

-Tom
--
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]




Re: [leaf-user] Difficulty assigning multiple IP addresses

2004-03-23 Thread Tom Eastep
Craig Caughlin wrote:
> Hey...thank you Charles & Tom for the expeditious response! Let me see if I
> can address you both...
> O.K., so I gather that I need to do 2 things:
>
> 1.) Take Charles' suggestion and add entries for eth0:0, eth0:1, etc., along
> with the entry for eth0, and 2.) Tom's suggestion ADD_SNAT_ALIASES=Yes in
> shorewall.conf. Is that right?

No, you want to do one or the other. And you want to consider whether
round-robining your SNAT is what you really want.

> Charles, how do I add entries as you suggest (I don't know how to do that
> :-( )? Here's what I have:

This is a LEAF FAQ. You add one line to the eth0 interface description
for each address. Example (folded to fit my mailer's default line width):

    up /sbin/ip addr add 66.60.172.202/24 brd 66.60.172.255 \
        dev eth0 label eth0:0

The "label eth0:N" part is strictly window-dressing for compatibility
with ifconfig; IIRC, Bering doesn't even have ifconfig so you can leave
that off.

> Tom:
> If I ADD_SNAT_ALIASES=Yes in shorewall.conf, do I need to change
> ADD_IP_ALIASES to No or should I leave it to its default Yes?

If you add your IP addresses to your /etc/network/interfaces file then
there is no point to set ADD_SNAT_ALIASES=Yes. You want to do one or the
other.

ADD_IP_ALIASES is completely independent of ADD_SNAT_ALIASES. You really
should read http://shorewall.net/Shorewall_and_Aliased_Interfaces.html.

> Once I have made the correct modifications, ip addr should show all of the
> addresses, and I should be able to ping them all, shouldn't I???

Yes.

-Tom
--
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
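An added example for the alias thread above (shell, written for this page; it is not Tom's, Charles's or Shorewall's code): it generates the "up /sbin/ip addr add" lines for the eth0 stanza from the 66.60.172.201-204 range, skipping the address already set as primary, and flags masq entries whose ADDRESS column is a range and would therefore round-robin SNAT. The masq file below is constructed from Craig's entry; the scratch directory is an assumption.

```shell
#!/bin/sh
# Added example, not Tom's, Charles's or Shorewall's code. Generates the
# "up /sbin/ip addr add" lines that belong under the eth0 stanza of
# /etc/network/interfaces for a range of addresses, skipping the one that
# is already the interface's primary (the overlap Charles asked about), and
# flags /etc/shorewall/masq entries whose ADDRESS column is a range.
# The range and primary come from the thread; the masq content is constructed.

# Usage: alias_lines IFACE PRIMARY FIRST LAST PREFIXLEN BROADCAST
# Prints one "up" line per address in FIRST..LAST that is not PRIMARY,
# labelling them IFACE:0, IFACE:1, ... in order. The range must lie in the
# primary's /24 (checked) so all aliases share the primary's subnet.
alias_lines() {
    iface=$1; primary=$2; first=$3; last=$4; plen=$5; brd=$6
    net=${primary%.*}
    if [ "${first%.*}" != "$net" ] || [ "${last%.*}" != "$net" ]; then
        echo "alias_lines: $first-$last is not in $net.0/24" >&2
        return 1
    fi
    i=${first##*.}; hi=${last##*.}; n=0
    while [ "$i" -le "$hi" ]; do
        addr="$net.$i"
        if [ "$addr" != "$primary" ]; then
            printf '    up /sbin/ip addr add %s/%s brd %s dev %s label %s:%s\n' \
                "$addr" "$plen" "$brd" "$iface" "$iface" "$n"
            n=$((n + 1))
        fi
        i=$((i + 1))
    done
}

# Prints INTERFACE, SUBNET and ADDRESS of every non-comment entry in masq
# file $1 whose ADDRESS column is a range (contains "-"). With
# ADD_SNAT_ALIASES=Yes Shorewall adds those addresses to the interface, but
# outbound connections are then SNATed round-robin across all of them.
masq_range_entries() {
    awk '!/^#/ && NF >= 3 && $3 ~ /-/ { print $1, $2, $3 }' "$1"
}

# Constructed demo input: Craig's masq line plus an ordinary one.
DEMO=$(mktemp -d)
cat > "$DEMO/masq" <<'EOF'
#INTERFACE  SUBNET  ADDRESS
eth0:0      eth1    66.60.172.201-66.60.172.204
eth0        192.168.1.0/24
EOF

echo "# lines for the eth0 stanza (primary 66.60.172.201, aliases .202-.204):"
alias_lines eth0 66.60.172.201 66.60.172.201 66.60.172.204 24 66.60.172.255
echo "# masq entries that will round-robin SNAT:"
masq_range_entries "$DEMO/masq"
```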




Re: [leaf-user] Difficulty assigning multiple IP addresses

2004-03-23 Thread M Lu
I just use the normal setup with Bering, e.g.

iface eth0 inet static
    address 24.81.144.90
    masklen 24
    broadcast 24.81.144.255
    gateway 24.81.144.1
    #
    # secondary IP is defined here
    #
    up ip addr add 24.81.144.91/24 dev eth0


BTW, is there any way I can specify my 'eth0:0' in Shorewall black-list or is
there any other way to achieve blacklisting on that interface?

Thank you.


- Original Message - 
From: Tom Eastep [EMAIL PROTECTED]
To: Tom Eastep [EMAIL PROTECTED]
Cc: Charles Steinkuehler [EMAIL PROTECTED]; Craig Caughlin
[EMAIL PROTECTED]; LEAF [EMAIL PROTECTED]
Sent: Tuesday, March 23, 2004 4:44 PM
Subject: Re: [leaf-user] Difficulty assigning multiple IP addresses


 Tom Eastep wrote:
  Charles Steinkuehler wrote:
 
 
  Are you using the /etc/shorewall/masq file to try and *ASSIGN* the
  extra IP addresses?  With your setup, I'd simply assign all IP's in
  your /etc/network/interfaces file (add entries for eth0:0, eth0:1,
  etc., along with the entry for eth0).
 
  With the masq entry you list above, you'll be round-robining through
  source IP's for outbound traffic, which I doubt is what you really
  want.
 
 
  Good catch -- I haven't a clue what Shorewall would do with that masq
  file entry and ADD_SNAT_ALIASES=Yes.
 

 Hmmm -- I'm smarter than I thought :-)

 ...
 Adding IP Addresses...
 IP Address 206.124.146.178 added to interface eth0 with label eth0:0
 IP Address 206.124.146.180 added to interface eth0 with label eth0:1
 IP Address 206.124.146.179 added to interface eth0 with label eth0:2
 IP Address 176.16.1.1 added to interface eth3 with label eth3:0
 IP Address 176.16.1.2 added to interface eth3 with label eth3:1
 IP Address 176.16.1.3 added to interface eth3 with label eth3:2
 IP Address 176.16.1.4 added to interface eth3 with label eth3:3
 IP Address 176.16.1.5 added to interface eth3 with label eth3:4
 IP Address 176.16.1.6 added to interface eth3 with label eth3:5
 IP Address 176.16.1.7 added to interface eth3 with label eth3:6
 Processing /etc/shorewall/start ...
 Shorewall Restarted
 gateway:/etc/test#

 So it assigns the addresses to sequential aliases.

 -Tom
 -- 
 Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
 Shoreline, \ http://shorewall.net
 Washington USA  \ [EMAIL PROTECTED]









Re: [leaf-user] Difficulty assigning multiple IP addresses

2004-03-23 Thread Tom Eastep
M Lu wrote:
> I just use the normal setup with Bering, e.g.
> 
> iface eth0 inet static
> address 24.81.144.90
> masklen 24
> broadcast 24.81.144.255
> gateway 24.81.144.1
> #
> # secondary IP is defined here
> #
> up ip addr add 24.81.144.91/24 dev eth0
> 
> BTW, is there any way I can specify my 'eth0:0' in Shorewall black-list or is
> there any other way to achieve blacklisting on that interface?
No.

-Tom
--
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]




Re: [leaf-user] Difficulty assigning multiple IP addresses

2004-03-23 Thread Tom Eastep
Tom Eastep wrote:

>> BTW, is there any way I can specify my 'eth0:0' in Shorewall black-list
>> or is there any other way to achieve blacklisting on that interface?
> 
> No.

The real point is that eth0:0 is *not* an interface. It is a label for 
an ip address on an interface. See the introductory section of 
http://shorewall.net/Shorewall_and_Aliased_Interfaces.html

-Tom
--
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]




Re: [leaf-user] Difficulty assigning multiple IP addresses

2004-03-23 Thread Charles Steinkuehler
Craig Caughlin wrote:
> Hey...thank you Charles & Tom for the expeditious response! Let me see if I
> can address you both...
> O.K., so I gather that I need to do 2 things:
> 
> 1.) Take Charles suggestion and add entries for eth0:0, eth0:1, etc., along
> with the entry for eth0, and 2.) Tom's suggestion ADD_SNAT_ALIASES=Yes in
> shorewall.conf. Is that right?
> Charles, how do I add entries as you suggest (I don't know how to do that
> :-( )? Here's what I have:
> auto eth0
> iface eth0 inet static
>     address 66.60.172.201
>     netmask 255.255.255.0
>     broadcast 66.60.172.255
>     gateway 66.60.172.205
> Do I then add this for the next address...
> 
> auto eth0:0
> iface eth0:0 inet static
>     address 66.60.172.202
>     netmask 255.255.255.0
>     broadcast 66.60.172.255
>     gateway 66.60.172.205
> auto eth0:1
> iface eth0:1 inet static
>     address 66.60.172.203
>     netmask 255.255.255.0
>     broadcast 66.60.172.255
>     gateway 66.60.172.205
> Etc, etc...
> Is this right?
Yes, although you don't need to duplicate the gateway entry on any but 
the main eth0 entry.

You can also do it the way Tom mentioned (adding an 'up' clause to your 
eth0 definition...there's almost always more than one way to do 
something in linux!).

> Also, just out of curiosity, what do you mean when you said, "With the
> masq entry you list above, you'll be round-robining through source IP's
> for outbound traffic, which I doubt is what you really want."? What's
> wrong with that???
It means the source IP of the traffic you send to the internet (or 
anything else on the 'upstream' side of your firewall) will dynamically 
rotate between the various IP's you have assigned.  You will have to be 
*VERY* careful that your firewall rules take this into account, and you 
may have problems with some applications that open multiple connections, 
or anything that expects your IP to be constant.

> Tom:
> If I ADD_SNAT_ALIASES=Yes in shorewall.conf, do I need to change
> ADD_IP_ALIASES to No or should I leave it to its default Yes?
> Once I have made the correct modifications, ip addr should show all of the
> addresses, and I should be able to ping them all, shouldn't I???
You should be able to ping all assigned IP's, assuming the firewall 
rules allow it (you can allow/prevent just about anything with iptables).

--
Charles Steinkuehler
[EMAIL PROTECTED]
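To make Charles's warning concrete: below is an added example (mine, not Shorewall's code) that turns /etc/shorewall/masq rows into the iptables POSTROUTING rules they amount to, and flags a row whose ADDRESS column is a range, because with `-j SNAT --to-source A-B` the kernel chooses the source address for each new connection from that range instead of using one fixed address. It also lists the aliases ADD_SNAT_ALIASES=Yes would create for an interface, numbered in file order as in Tom's restart output. The three-column layout (INTERFACE SUBNET ADDRESS) of the masq file is assumed, and the rows are constructed for the example; they are not from the thread.

```python
"""Added example (not Shorewall's code): translate /etc/shorewall/masq rows
into iptables POSTROUTING rules and flag a ranged SNAT source, which makes
the source address vary per connection. Assumes the three-column masq
layout INTERFACE SUBNET ADDRESS; sample rows are constructed."""
import ipaddress

SAMPLE_MASQ = """\
#INTERFACE   SUBNET            ADDRESS
eth0         192.168.1.0/24    66.60.172.201
eth0         192.168.2.0/24    66.60.172.202-66.60.172.204
eth0         192.168.3.0/24
"""


def parse_masq(text):
    """Return (interface, subnet, address-or-None) per non-comment row."""
    rows = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        cols = line.split()
        rows.append((cols[0], cols[1], cols[2] if len(cols) > 2 else None))
    return rows


def expand_range(address):
    """'A-B' -> every IPv4Address from A to B inclusive; 'A' -> [A]."""
    if '-' in address:
        lo, hi = (ipaddress.IPv4Address(p) for p in address.split('-', 1))
        if hi < lo:
            raise ValueError(f"descending range {address}")
        return [lo + k for k in range(int(hi) - int(lo) + 1)]
    return [ipaddress.IPv4Address(address)]


def to_iptables(row):
    """Return (rule, warnings) for one masq row. No ADDRESS means
    MASQUERADE; one address is a fixed SNAT; a range leaves the choice of
    source address for each new connection to the kernel."""
    iface, subnet, address = row
    base = f"iptables -t nat -A POSTROUTING -o {iface} -s {subnet}"
    if address is None:
        return base + " -j MASQUERADE", []
    warnings = []
    if len(expand_range(address)) > 1:
        warnings.append(
            f"{address}: the kernel picks the SNAT source per connection, so "
            "rules keyed on one public address and applications that expect "
            "a constant source IP will not see it")
    return base + f" -j SNAT --to-source {address}", warnings


def snat_aliases(rows, iface):
    """Addresses ADD_SNAT_ALIASES=Yes would add to `iface`, with sequential
    labels in file order (the numbering Tom's restart output shows)."""
    out, seen = [], set()
    for row_iface, _, address in rows:
        if row_iface != iface or address is None:
            continue
        for ip in expand_range(address):
            if ip not in seen:
                seen.add(ip)
                out.append((str(ip), f"{iface}:{len(out)}"))
    return out


if __name__ == '__main__':
    rows = parse_masq(SAMPLE_MASQ)
    for row in rows:
        rule, warnings = to_iptables(row)
        print(rule)
        for w in warnings:
            print('  WARNING', w)
    for ip, label in snat_aliases(rows, 'eth0'):
        print(f"alias {label}: {ip}")
```

Note that the generated rules never mention eth0:0 or eth0:1: iptables has no notion of an alias as an interface, which is Tom's point further down. If one public address is to be treated differently from the others (blacklisted, port-forwarded, or used as the SNAT source for one internal subnet), the rule matches on that address with `-s`/`-d`, not on a label.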


RE: [leaf-user] Looking for a VPN Solution

2004-03-23 Thread David Pitts
Eric Spakman has just compiled pptpd for Bering uClibc which I have got
working.  I haven't finished testing my set up yet but it's looking good!
The .lrp package is in the Testing area of the uClibc packages download
page.

So now I have a single 1.44 floppy router/firewall with dhcpd, pump,
ezipupdate, bpalogin, weblet, dropbear (SSH and SCP!) and VPN!!  Plus
some other things that I can probably do without!  

Very functional, cheap, and a lot of fun!!

And for those who think floppies are unreliable, I agree entirely which
is why I keep an executable image of my router disk on a couple of
workstations around the place so I can remake the router disk quickly.
I have been playing with this stuff for a couple of years now and I have
had a couple of disks fail while I have been playing (maybe because I
have been playing??) but none in operation and given that once your
image is settled you should not need to reboot the router for a long
time, floppy reliability is not so much of an issue.  Except maybe if
your router is in an environmentally unfriendly area.

Beauuudiful!!

Thanks folks.

David Pitts
IT Services Manager
Reid Library 
University of Western Australia
 
Telephone:   (08) 6488 3492 Fax:  (08) 6488 1012


-Original Message-
From: Martin Hejl [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, 24 March 2004 4:21 AM
To: JamesSturdevant
Cc: [EMAIL PROTECTED]
Subject: Re: [leaf-user] Looking for a VPN Solution



JamesSturdevant wrote:
 I am running Bering 1.2 and am looking for a VPN solution for one of
 my users.
 
 Her ISP is Earthlink and she reports that her IP address changes
 frequently (every 30 minutes). She will be connecting with a Windows
 client.
 
 I have Freeswan working for others but their IPs are static. I have
 tried OpenVPN but the LEAF software seg faults when a UDP connection is
 made from a Windows Client and constantly reset if a TCP connection is
 made. Does anyone know what kernel version this code was compiled for?
It shouldn't matter. For all I know, OpenVPN is completely independent 
of the kernel version (unlike IPSEC), since it runs completely in 
user-space.

Unless there is a compelling reason not to (like, extensive setup 
already done on Bering, or software that's not available for Bering 
uClibc), you might also want to consider switching to Bering uClibc - I 
maintain the OpenVPN package for Bering uClibc (I also wrote a patch to 
enable OpenVPN to work with ip instead of ifconfig, which has found 
its way into the latest version), and it's been _very_ stable for me 
(I'm currently running two OpenVPN links - one over the internet where 
both ends are dynamic and change IPs once a day, and one over a wireless 
connection, which goes up and down a lot, since it's used for testing 
wireless equipment). I'm not trying to sell Bering uClibc to you, I 
just don't like it that a fine piece of software like OpenVPN is being 
dropped in favour of something less secure, just because of a seemingly 
faulty package (and sorry, no, I can't help with fixing the package on 
Bering).

Martin





RE: [leaf-user] Looking for a VPN Solution

2004-03-23 Thread Ping Kwong
You may want to check out m0n0wall.

http://m0n0.ch/wall

It has PPTP server built in and boots from a CD-ROM while the
configuration is saved to a floppy.  There are some known problems with
some XP clients.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
JamesSturdevant
Sent: Tuesday, March 23, 2004 8:24 AM
To: [EMAIL PROTECTED]
Subject: [leaf-user] Looking for a VPN Solution

I am running Bering 1.2 and am looking for a VPN solution for one of my
users.

Her ISP is Earthlink and she reports that her IP address changes
frequently (every 30 minutes). She will be connecting with a Windows
client.

I have Freeswan working for others but their IPs are static. I have
tried OpenVPN but the LEAF software seg faults when a UDP connection is
made from a Windows Client and constantly reset if a TCP connection is
made. Does anyone know what kernel version this code was compiled for?

I know it's a weak solution, but I need to also check out PPTP. Does
anyone have a version of POPTOP for Bering? All I can locate is the PPTP
client.

JamesS




