RE: [leaf-user] Updated SSH packages
> http://www.think.ch/leaf/wrap/packages/
> look for the packages with a date 22-Mar-2004
> Do not forget to modify your lrpkg.cfg, you need a few more packages like libnsl and libcrypt
> pls keep me updated
> cheers

Tried them out last night, and they work fine. I had to change the passwords option from no to yes in sshd_config to allow logins.

Also, if upgrading a remote box, make sure to build a package with default keys, because the default package has no keys and sshd will not start.

Regards,
Dave.

---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of GenToo technologies. Learn everything from fundamentals to system administration.
http://ads.osdn.com/?ad_id=1470alloc_id=3638op=click

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
[leaf-user] Wavemon for Bering 1.2
Has anyone got a wavemon lrp handy for Bering 1.2?

Cheers,
Dave.
RE: [leaf-user] Updated SSH packages
Dave

At 10:39 23.03.2004 +, Dave Hunt wrote:
>> http://www.think.ch/leaf/wrap/packages/
>> look for the packages with a date 22-Mar-2004
>> Do not forget to modify your lrpkg.cfg, you need a few more packages like libnsl and libcrypt
>> pls keep me updated
>> cheers
>
> Tried them out last night, and they work fine. I had to change the passwords option from no to yes in sshd_config to allow logins.

My fault, I never allow password authentication, professionally induced paranoia I guess. I will modify the sshd_config file accordingly.

> Also, if upgrading a remote box, make sure to build a package with default keys, because the default package has no keys and sshd will not start.

I know, but the original sshd.lrp did not have keys installed, so I left it that way. I guess it would be a function of a package manager to do some post-install stuff.

Thanks for the feedback.

Erich

THINK
Püntenstrasse 39
8143 Stallikon
mailto:[EMAIL PROTECTED]
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16
[leaf-user] Looking for a VPN Solution
I am running Bering 1.2 and am looking for a VPN solution for one of my users. Her ISP is Earthlink and she reports that her IP address changes frequently (every 30 minutes). She will be connecting with a Windows client. I have Freeswan working for others but their IPs are static.

I have tried OpenVPN but the LEAF software seg faults when a UDP connection is made from a Windows Client and constantly resets if a TCP connection is made. Does anyone know what kernel version this code was compiled for?

I know it's a weak solution, but I need to also check out PPTP. Does anyone have a version of POPTOP for Bering? All I can locate is the PPTP client.

JamesS
RE: [leaf-user] Looking for a VPN Solution
Hi,

I have PoPToP for Bering. It's around on the LEAF site somewhere. It's a bugger to get working, the version on the website has config files that are not for openSSH. I tracked it all down and have a nice server working for Win32 clients doing their dial-in. When I get home I'll email you my stuff, sans passwords.

BUT (aha!) Expect pain if she's running Win2K. I have a few people for whom it just does not work. Also, it's a bit flaky in the password department. Most of my users all have the same username and password, because that's the only way it works (it just don't work). I authenticate by DNS entries in the shorewall rules and my clients have dynDNS accounts.

If you don't mind that it doesn't offer REAL security (like, keep the government out), PPTP is nice and painless for your less IT friendly clients.

James.

-----Original Message-----
From: JamesSturdevant [mailto:[EMAIL PROTECTED]]
Sent: 23 March 2004 16:24
To: [EMAIL PROTECTED]
Subject: [leaf-user] Looking for a VPN Solution

I am running Bering 1.2 and am looking for a VPN solution for one of my users. Her ISP is Earthlink and she reports that her IP address changes frequently (every 30 minutes). She will be connecting with a Windows client. I have Freeswan working for others but their IPs are static.

I have tried OpenVPN but the LEAF software seg faults when a UDP connection is made from a Windows Client and constantly resets if a TCP connection is made. Does anyone know what kernel version this code was compiled for?

I know it's a weak solution, but I need to also check out PPTP. Does anyone have a version of POPTOP for Bering? All I can locate is the PPTP client.

JamesS
RE: [leaf-user] Which Distro for This Firewall/Router?
Hello Michiel,

Wow! I guess you were serious about helping. I really appreciate the time and thought you have put into this, Michiel. I'm curious why you have not been cc'ing the LEAF list. This information might be helpful to someone else like me. If you would prefer I leave the list off my replies please let me know. I'm not sure if all my replies are making it to the list either. I just got a message that my last post was sent to the moderator awaiting approval due to a suspicious header. I suspect you may be in the same boat.

My in-line comments are inserted below.

Thanks!

--Cal Webster

On Mon, 2004-03-22 at 19:37, michiel wrote:
> Dear Calvin
>
> Not all 3C905 cards are the same. I got one with a Lucent chip that doesn't work with Linux. Most of them do work with Linux; best suggestion, try it first. The bug is very annoying because dhcp and some other things work but not heavy loads like ftp (especially large packets (mtu)). It cost me 3 days to find that out. Trying to prevent it for you.

Thanks for the warning. Fortunately, I haven't encountered those problems.

> DOC sockets? You can also use an ide port with a doc. Take a look at this one:
> http://www.routerboard.com/parts.html#cf_ide
> Just works like a hard disk. (have not tried it yet)

That was an option when I specified the SBC, but the performance specifications in the Cyber Research catalog appeared better for the DOC sockets. I've bookmarked that site, though. I'm always looking for new sources for non-standard hardware.

> 128 MB RAM? Even with squid proxy caching it is way too much. 32 mb is mostly OK.
> 768 MB RAM? There is no use for it. At least not with leaf.

RAM is relatively cheap. Better to have more than less, especially without hard drives.

> Pci bridge. All pci bridges can only do 133 mbps. Then there will be a problem to use 2X 100mbps wireless links. (not sure which wireless system you are using?) I am using a 54g wireless network; that doesn't mean that there is a 54 mbps speed, just 22.5 mbps max. Intel has mainboards with a separate bridge for network (1 gbps) that can give some space, but expensive. Otherwise there is not much need for faster systems than a pentium. Pci express is going to change that I hope.

We're using RadioLAN RMG503's. I may substitute a free-space optical bridge for one of the links. With Ethernet overhead and encryption from VPN tunneling, we're getting more like 30-40 Mbps of the 100 Mbps advertised. I'd be interested in looking at any SBC with separate bridge for networking to use with the 3rd router and possible upgrades for the others. Is there a separate block of PCI slots for NICs? As I indicated in one of my previous posts, I intend to eventually upgrade the existing NICs with multi-port Ethernet cards. These typically have their own PCI-to-PCI bridge anyway. Such is the case with the 4-port Ethernet Card RouterBoard 44 at the site you listed above.

> Layout: This will be my solution. At least just my few cents.
> Building D firewall 4. Not really interesting, just a simple bering + ipsec. A 486DX-33. pci will do, but isa is fine too. (maybe if the plan1/2 are big go for pci) Bit more pc is always nice. So use a pentium. No routing protocols necessary so I will scratch him out of the schematic.

I don't want to have to manage static routes. As I indicated in my original specification, all other Private LANs (PLANs) must be able to send and receive traffic to/from all other PLANs without restriction. I neglected to mention however, that at least one PLAN in each building will also need Internet access and access to the corporate intranet.

> To Firewall or to (ipsec)route. That's the difference. Routers 1/2/3 use ospf/bgp routing over ipsec. firewalls 1/2/3 use a simple switching software between dsl and router.

I'm not sure what you mean by switching software between dsl and router. Are you implying that the ospf/bgp daemons are not to be aware of the DSL links? Without the routing protocols, how will automatic fail-over occur when a link goes down?

> Most dsl providers require that they are your default gateway. And you want that to be router 2 at building B.

We own our own DSL equipment including the chassis and line cards at the corporate telephone office/network operation center. However, it is aging and will soon be unsupportable. I haven't gotten approval for replacement yet, but hope to tap existing fiber links. We have a default gateway on the corporate network for access to the corporate network and their severely restricted Internet connection. We will normally only use corporate network to access corporate resources. However, if the main cable ISP link at our site goes down or is somehow unavailable, each of the buildings should fail-over to use the corporate Internet access through the DSL link.

[Remote User] [firewall 1] [firewall 2] | |
Re: [leaf-user] Looking for a VPN Solution
On Tuesday, 23 March 2004 17:23, JamesSturdevant wrote:
> I am running Bering 1.2 and am looking for a VPN solution for one of my users. Her ISP is Earthlink and she reports that her IP address changes frequently (every 30 minutes). She will be connecting with a Windows client. I have Freeswan working for others but their IPs are static.

You may look into road-warrior configuration for a dynamic ip address.

kp
Re: [leaf-user] Looking for a VPN Solution
JamesSturdevant wrote:
> I am running Bering 1.2 and am looking for a VPN solution for one of my users. Her ISP is Earthlink and she reports that her IP address changes frequently (every 30 minutes). She will be connecting with a Windows client. I have Freeswan working for others but their IPs are static.
>
> I have tried OpenVPN but the LEAF software seg faults when a UDP connection is made from a Windows Client and constantly resets if a TCP connection is made. Does anyone know what kernel version this code was compiled for?

It shouldn't matter. For all I know, OpenVPN is completely independent of the kernel version (unlike IPSEC), since it runs completely in user-space.

Unless there is a compelling reason not to (like, extensive setup already done on Bering, or software that's not available for Bering uClibc), you might also want to consider switching to Bering uClibc - I maintain the OpenVPN package for Bering uClibc (I also wrote a patch to enable OpenVPN to work with ip instead of ipconfig, which has found its way into the latest version), and it's been _very_ stable for me (I'm currently running two OpenVPN links - one over the internet where both ends are dynamic and change IPs once a day, and one over a wireless connection, which goes up and down a lot, since it's used for testing wireless equipment).

I'm not trying to sell Bering uClibc to you, I just don't like it that a fine piece of software like OpenVPN is being dropped in favour of something less secure, just because of a seemingly faulty package (and sorry, no, I can't help with fixing the package on Bering).

Martin
[leaf-user] Difficulty assigning multiple IP addresses
Hi folks,

I'm trying (with no success) to assign multiple IP addresses to eth0 on my Bering-uClibc 2.1-rc1 box. At Tom's suggestion, I have read (studied really) his instructions at: http://www.shorewall.net/shorewall_setup_guide.htm. I have been assigned by our network admin the following addresses: 66.60.172.201-204, Gateway 205.

In /etc/shorewall/masq I have made the following entry:

    #INTERFACE   SUBNET   ADDRESS
    eth0:0       eth1     66.60.172.201-66.60.172.204

When I save the file, restart shorewall, and issue the ip addr command I'm expecting to see the additional addresses but here's what I get:

    1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
    2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
        link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
    3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
        link/ether 00:a0:cc:d3:c2:14 brd ff:ff:ff:ff:ff:ff
        inet 66.60.172.201/24 brd 66.60.172.255 scope global eth0
        inet 66.60.172.204/24 brd 66.60.172.255 scope global secondary eth0:0
    4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
        link/ether 00:a0:cc:52:07:52 brd ff:ff:ff:ff:ff:ff
        inet 192.168.1.254/24 brd 192.168.1.255 scope global eth1
    5: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
        link/ether 00:a0:cc:d3:cf:40 brd ff:ff:ff:ff:ff:ff

When I try to ping the addresses, I can ping only 66.60.172.201 but nothing else. In the /etc/network/interfaces file, I have eth0 statically set to 66.60.172.201, and I use the dhcpd for assigning local addresses.

I'm stumped...any suggestions???

P.S. One thing I did gave me, what *I* think, was a really unusual result: I had initially set eth0's static address as 66.60.172.204, and when I tried to ping 66.60.172.201...here's what I got:

    G:\WINNT\system32>ping 66.60.172.201

    Pinging 66.60.172.201 with 32 bytes of data:

    Reply from 66.60.172.204: Destination host unreachable.
    Reply from 66.60.172.204: Destination host unreachable.
    Reply from 66.60.172.204: Destination host unreachable.
    Reply from 66.60.172.204: Destination host unreachable.

    Ping statistics for 66.60.172.201:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 0ms, Maximum = 0ms, Average = 0ms

Is that really odd...or is it me??? :-) I see there's no packet loss...but I also can't reach the box. H.

Thank you as always,
Craig
Re: [leaf-user] Difficulty assigning multiple IP addresses
Craig Caughlin wrote:
> Hi folks,
>
> I'm trying (with no success) to assign multiple IP addresses to eth0 on my Bering-uClibc 2.1-rc1 box. At Tom's suggestion, I have read (studied really) his instructions at: http://www.shorewall.net/shorewall_setup_guide.htm. I have been assigned by our network admin the following addresses: 66.60.172.201-204, Gateway 205.
>
> In /etc/shorewall/masq I have made the following entry:
>
>     #INTERFACE   SUBNET   ADDRESS
>     eth0:0       eth1     66.60.172.201-66.60.172.204
>
> When I save the file, restart shorewall, and issue the ip addr command I'm expecting to see the additional addresses but here's what I get:
>
>     1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
>         link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>         inet 127.0.0.1/8 scope host lo
>     2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
>         link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
>     3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
>         link/ether 00:a0:cc:d3:c2:14 brd ff:ff:ff:ff:ff:ff
>         inet 66.60.172.201/24 brd 66.60.172.255 scope global eth0
>         inet 66.60.172.204/24 brd 66.60.172.255 scope global secondary eth0:0
>     4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
>         link/ether 00:a0:cc:52:07:52 brd ff:ff:ff:ff:ff:ff
>         inet 192.168.1.254/24 brd 192.168.1.255 scope global eth1
>     5: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
>         link/ether 00:a0:cc:d3:cf:40 brd ff:ff:ff:ff:ff:ff
>
> When I try to ping the addresses, I can ping only 66.60.172.201 but nothing else. In the /etc/network/interfaces file, I have eth0 statically set to 66.60.172.201, and I use the dhcpd for assigning local addresses.
>
> I'm stumped...any suggestions???
>
> P.S. One thing I did gave me, what *I* think, was a really unusual result: I had initially set eth0's static address as 66.60.172.204, and when I tried to ping 66.60.172.201...here's what I got:
>
>     G:\WINNT\system32>ping 66.60.172.201
>
>     Pinging 66.60.172.201 with 32 bytes of data:
>
>     Reply from 66.60.172.204: Destination host unreachable.
>     Reply from 66.60.172.204: Destination host unreachable.
>     Reply from 66.60.172.204: Destination host unreachable.
>     Reply from 66.60.172.204: Destination host unreachable.
>
>     Ping statistics for 66.60.172.201:
>         Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
>     Approximate round trip times in milli-seconds:
>         Minimum = 0ms, Maximum = 0ms, Average = 0ms
>
> Is that really odd...or is it me??? :-) I see there's no packet loss...but I also can't reach the box. H.

Are you using the /etc/shorewall/masq file to try and *ASSIGN* the extra IP addresses? With your setup, I'd simply assign all IP's in your /etc/network/interfaces file (add entries for eth0:0, eth0:1, etc., along with the entry for eth0). With the masq entry you list above, you'll be round-robining through source IP's for outbound traffic, which I doubt is what you really want.

--
Charles Steinkuehler
[EMAIL PROTECTED]
Re: [leaf-user] Difficulty assigning multiple IP addresses
Craig Caughlin wrote:
> Hi folks,
>
> I'm trying (with no success) to assign multiple IP addresses to eth0 on my Bering-uClibc 2.1-rc1 box. At Tom's suggestion, I have read (studied really) his instructions at: http://www.shorewall.net/shorewall_setup_guide.htm. I have been assigned by our network admin the following addresses: 66.60.172.201-204, Gateway 205.
>
> In /etc/shorewall/masq I have made the following entry:
>
>     #INTERFACE   SUBNET   ADDRESS
>     eth0:0       eth1     66.60.172.201-66.60.172.204
>
> When I save the file, restart shorewall, and issue the ip addr command I'm expecting to see the additional addresses but here's what I get:

And have you set ADD_SNAT_ALIASES=Yes in shorewall.conf?

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
Re: [leaf-user] Difficulty assigning multiple IP addresses
Charles Steinkuehler wrote:
> Are you using the /etc/shorewall/masq file to try and *ASSIGN* the extra IP addresses? With your setup, I'd simply assign all IP's in your /etc/network/interfaces file (add entries for eth0:0, eth0:1, etc., along with the entry for eth0). With the masq entry you list above, you'll be round-robining through source IP's for outbound traffic, which I doubt is what you really want.

Good catch -- I haven't a clue what Shorewall would do with that masq file entry and ADD_SNAT_ALIASES=Yes.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
Re: [leaf-user] Difficulty assigning multiple IP addresses
Tom Eastep wrote:
> Charles Steinkuehler wrote:
>> Are you using the /etc/shorewall/masq file to try and *ASSIGN* the extra IP addresses? With your setup, I'd simply assign all IP's in your /etc/network/interfaces file (add entries for eth0:0, eth0:1, etc., along with the entry for eth0). With the masq entry you list above, you'll be round-robining through source IP's for outbound traffic, which I doubt is what you really want.
>
> Good catch -- I haven't a clue what Shorewall would do with that masq file entry and ADD_SNAT_ALIASES=Yes.

Hmmm -- I'm smarter than I thought :-)

    ...
    Adding IP Addresses...
       IP Address 206.124.146.178 added to interface eth0 with label eth0:0
       IP Address 206.124.146.180 added to interface eth0 with label eth0:1
       IP Address 206.124.146.179 added to interface eth0 with label eth0:2
       IP Address 176.16.1.1 added to interface eth3 with label eth3:0
       IP Address 176.16.1.2 added to interface eth3 with label eth3:1
       IP Address 176.16.1.3 added to interface eth3 with label eth3:2
       IP Address 176.16.1.4 added to interface eth3 with label eth3:3
       IP Address 176.16.1.5 added to interface eth3 with label eth3:4
       IP Address 176.16.1.6 added to interface eth3 with label eth3:5
       IP Address 176.16.1.7 added to interface eth3 with label eth3:6
    Processing /etc/shorewall/start ...
    Shorewall Restarted
    gateway:/etc/test#

So it assigns the addresses to sequential aliases.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
Re: [leaf-user] Difficulty assigning multiple IP addresses
Tom Eastep wrote:
> Tom Eastep wrote:
>> Charles Steinkuehler wrote:
>>> Are you using the /etc/shorewall/masq file to try and *ASSIGN* the extra IP addresses? With your setup, I'd simply assign all IP's in your /etc/network/interfaces file (add entries for eth0:0, eth0:1, etc., along with the entry for eth0). With the masq entry you list above, you'll be round-robining through source IP's for outbound traffic, which I doubt is what you really want.
>>
>> Good catch -- I haven't a clue what Shorewall would do with that masq file entry and ADD_SNAT_ALIASES=Yes.
>
> Hmmm -- I'm smarter than I thought :-)
>
>     ...
>     Adding IP Addresses...
>        IP Address 206.124.146.178 added to interface eth0 with label eth0:0
>        IP Address 206.124.146.180 added to interface eth0 with label eth0:1
>        IP Address 206.124.146.179 added to interface eth0 with label eth0:2
>        IP Address 176.16.1.1 added to interface eth3 with label eth3:0
>        IP Address 176.16.1.2 added to interface eth3 with label eth3:1
>        IP Address 176.16.1.3 added to interface eth3 with label eth3:2
>        IP Address 176.16.1.4 added to interface eth3 with label eth3:3
>        IP Address 176.16.1.5 added to interface eth3 with label eth3:4
>        IP Address 176.16.1.6 added to interface eth3 with label eth3:5
>        IP Address 176.16.1.7 added to interface eth3 with label eth3:6
>     Processing /etc/shorewall/start ...
>     Shorewall Restarted
>     gateway:/etc/test#
>
> So it assigns the addresses to sequential aliases.

...but do any of your alias IP's overlap the main IP for the interface? I think the setup Craig was commenting on likely has overlapping IP's (kind of hard to tell, though, since there's not exactly complete debugging info).

Regardless, if I'm reading the docs correctly, having multiple IP's after a masq entry will round-robin through all the IP's listed, which seems like a pretty weird way to setup an external link.

--
Charles Steinkuehler
[EMAIL PROTECTED]
Re: [leaf-user] Difficulty assigning multiple IP addresses
Charles Steinkuehler wrote:
>> So it assigns the addresses to sequential aliases.
>
> ...but do any of your alias IP's overlap the main IP for the interface? I think the setup Craig was commenting on likely has overlapping IP's (kind of hard to tell, though, since there's not exactly complete debugging info).

Shorewall is smart enough to not try to add an IP address to an interface if the address is already configured on that interface.

> Regardless, if I'm reading the docs correctly, having multiple IP's after a masq entry will round-robin through all the IP's listed, which seems like a pretty weird way to setup an external link.

Yes --

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
Re: [leaf-user] Difficulty assigning multiple IP addresses
Craig Caughlin wrote:
> Hey...thank you Charles & Tom for the expeditious response! Let me see if I can address you both...
>
> O.K., so I gather that I need to do 2 things:
> 1.) Take Charles' suggestion and add entries for eth0:0, eth0:1, etc., along with the entry for eth0, and
> 2.) Tom's suggestion ADD_SNAT_ALIASES=Yes in shorewall.conf.
> Is that right?

No, you want to do one or the other. And you want to consider whether round-robining your SNAT is what you really want.

> Charles, how do I add entries as you suggest (I don't know how to do that :-( )? Here's what I have:

This is a LEAF FAQ. You add one line to the eth0 interface description for each address. Example (folded to fit my mailer's default line width):

    up /sbin/ip addr add 66.60.172.202/24 brd 66.60.172.255 \
        dev eth0 label eth0:0

The label eth0:N part is strictly window-dressing for compatibility with ifconfig; IIRC, Bering doesn't even have ifconfig so you can leave that off.

> Tom: If I ADD_SNAT_ALIASES=Yes in shorewall.conf, do I need to change ADD_IP_ALIASES to No or should I leave it to its default Yes?

If you add your IP addresses to your /etc/network/interfaces file then there is no point to set ADD_SNAT_ALIASES=Yes. You want to do one or the other. ADD_IP_ALIASES is completely independent of ADD_SNAT_ALIASES. You really should read http://shorewall.net/Shorewall_and_Aliased_Interfaces.html.

> Once I have made the correct modifications, ip addr should show all of the addresses, and I should be able to ping them all, shouldn't I???

Yes.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
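A check for the situation in this thread, added here as an example and not part of Craig's or Tom's posts: it parses saved `ip addr` output (Craig's, re-wrapped one field per line with the `<...>` flag brackets restored, so constructed rather than captured live), reports which addresses of the assigned 66.60.172.201-204 block are missing on eth0, and emits the /etc/network/interfaces `up` lines in the form Tom shows, taking the prefix length and broadcast from the interface's primary address and choosing unused eth0:N labels. The function names are my own.

```python
import ipaddress
import re

# `ip addr` output as Craig posted it, re-wrapped one field group per line
# (constructed from the post, not captured live).
IP_ADDR_OUTPUT = """\
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:a0:cc:d3:c2:14 brd ff:ff:ff:ff:ff:ff
    inet 66.60.172.201/24 brd 66.60.172.255 scope global eth0
    inet 66.60.172.204/24 brd 66.60.172.255 scope global secondary eth0:0
4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:a0:cc:52:07:52 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.254/24 brd 192.168.1.255 scope global eth1
5: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
    link/ether 00:a0:cc:d3:cf:40 brd ff:ff:ff:ff:ff:ff
"""

# "3: eth0: <...>" header line and "    inet A/P [brd B] scope S [secondary] LABEL" lines.
IFACE_RE = re.compile(r"^\d+: (\S+):")
INET_RE = re.compile(r"^\s+inet (\S+)(?: brd (\S+))? scope \S+(?: secondary)? (\S+)$")


def parse_ip_addr(text):
    """Return {ifname: [(IPv4Interface, label), ...]} from `ip addr` output.
    The label is the trailing word of each inet line ('eth0', 'eth0:0', 'lo')."""
    result = {}
    current = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, [])
            continue
        m = INET_RE.match(line)
        if m and current is not None:
            result[current].append((ipaddress.IPv4Interface(m.group(1)), m.group(3)))
    return result


def missing_addresses(configured, ifname, first, last):
    """Addresses in the inclusive range first..last that are not on ifname."""
    present = {iface.ip for iface, _ in configured.get(ifname, [])}
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    return [str(ipaddress.IPv4Address(n)) for n in range(lo, hi + 1)
            if ipaddress.IPv4Address(n) not in present]


def interfaces_up_lines(configured, ifname, addrs):
    """Build one /etc/network/interfaces `up` line per missing address, in the
    form Tom gives above. Prefix length and broadcast come from the primary
    address (label == ifname); each line gets a still-unused ifname:N label."""
    primary = next((i for i, label in configured.get(ifname, []) if label == ifname), None)
    if primary is None:
        raise ValueError(f"{ifname} has no primary address to take prefix/broadcast from")
    used = {int(label.split(":", 1)[1]) for _, label in configured[ifname] if ":" in label}
    lines, n = [], 0
    for addr in addrs:
        while n in used:          # skip labels already taken (eth0:0 here)
            n += 1
        lines.append(f"up /sbin/ip addr add {addr}/{primary.network.prefixlen} "
                     f"brd {primary.network.broadcast_address} dev {ifname} label {ifname}:{n}")
        n += 1
    return lines


def audit(text, ifname, first, last):
    """Missing addresses and the `up` lines that would add them."""
    configured = parse_ip_addr(text)
    missing = missing_addresses(configured, ifname, first, last)
    return missing, interfaces_up_lines(configured, ifname, missing)


if __name__ == "__main__":
    missing, lines = audit(IP_ADDR_OUTPUT, "eth0", "66.60.172.201", "66.60.172.204")
    print("missing on eth0:", ", ".join(missing))   # 66.60.172.202, 66.60.172.203
    print("\n".join(lines))
```

On Craig's output the audit reports .202 and .203 missing and prints two `up` lines labelled eth0:1 and eth0:2, since eth0:0 is already taken by .204.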
Re: [leaf-user] Difficulty assigning multiple IP addresses
I just use the normal setup with Bering, e.g. iface eth0 inet static address 24.81.144.90 masklen 24 broadcast 24.81.144.255 gateway 24.81.144.1 # # secondary IP is defined here # up ip addr add 24.81.144.91/24 dev eth0 BTW, is there anyway I can specify my 'eth0:0' in Shorewall black-list or is there any other way to achieve blacklisting on that interface? Thank you. - Original Message - From: Tom Eastep [EMAIL PROTECTED] To: Tom Eastep [EMAIL PROTECTED] Cc: Charles Steinkuehler [EMAIL PROTECTED]; Craig Caughlin [EMAIL PROTECTED]; LEAF [EMAIL PROTECTED] Sent: Tuesday, March 23, 2004 4:44 PM Subject: Re: [leaf-user] Difficulty assigning multiple IP addresses Tom Eastep wrote: Charles Steinkuehler wrote: Are you using the /etc/shorewall/masq file to try and *ASSIGN* the extra IP addresses? With your setup, I'd simply assign all IP's in your /etc/network/interfaces file (add entries for eth0:0, eth0:1, etc., along with the entry for eth0). With the masq entry you list above, you'll be round-robining through source IP's for outbound traffic, which I doubt is what you really want. Good catch -- I haven't a clue what Shorewall would do with that masq file entry and ADD_SNAT_ALIASES=Yes. Hmmm -- I'm smarter than I thought :-) ... Adding IP Addresses... IP Address 206.124.146.178 added to interface eth0 with label eth0:0 IP Address 206.124.146.180 added to interface eth0 with label eth0:1 IP Address 206.124.146.179 added to interface eth0 with label eth0:2 IP Address 176.16.1.1 added to interface eth3 with label eth3:0 IP Address 176.16.1.2 added to interface eth3 with label eth3:1 IP Address 176.16.1.3 added to interface eth3 with label eth3:2 IP Address 176.16.1.4 added to interface eth3 with label eth3:3 IP Address 176.16.1.5 added to interface eth3 with label eth3:4 IP Address 176.16.1.6 added to interface eth3 with label eth3:5 IP Address 176.16.1.7 added to interface eth3 with label eth3:6 Processing /etc/shorewall/start ... 
Shorewall Restarted
gateway:/etc/test#

So it assigns the addresses to sequential aliases.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ [EMAIL PROTECTED]
Re: [leaf-user] Difficulty assigning multiple IP addresses
M Lu wrote:
I just use the normal setup with Bering, e.g. iface eth0 inet static address 24.81.144.90 masklen 24 broadcast 24.81.144.255 gateway 24.81.144.1 # # secondary IP is defined here # up ip addr add 24.81.144.91/24 dev eth0
BTW, is there any way I can specify my 'eth0:0' in Shorewall black-list or is there any other way to achieve blacklisting on that interface?

No.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ [EMAIL PROTECTED]
Re: [leaf-user] Difficulty assigning multiple IP addresses
Tom Eastep wrote:
BTW, is there any way I can specify my 'eth0:0' in Shorewall black-list or is there any other way to achieve blacklisting on that interface?
No.

The real point is that eth0:0 is *not* an interface. It is a label for an ip address on an interface. See the introductory section of http://shorewall.net/Shorewall_and_Aliased_Interfaces.html

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ [EMAIL PROTECTED]
Re: [leaf-user] Difficulty assigning multiple IP addresses
Craig Caughlin wrote:
Hey...thank you Charles & Tom for the expeditious response! Let me see if I can address you both... O.K., so I gather that I need to do 2 things: 1.) Take Charles' suggestion and add entries for eth0:0, eth0:1, etc., along with the entry for eth0, and 2.) Tom's suggestion ADD_SNAT_ALIASES=Yes in shorewall.conf. Is that right? Charles, how do I add entries as you suggest (I don't know how to do that :-( )? Here's what I have:

auto eth0
iface eth0 inet static
    address 66.60.172.201
    netmask 255.255.255.0
    broadcast 66.60.172.255
    gateway 66.60.172.205

Do I then add this for the next address...

auto eth0:0
iface eth0:0 inet static
    address 66.60.172.202
    netmask 255.255.255.0
    broadcast 66.60.172.255
    gateway 66.60.172.205

auto eth0:1
iface eth0:1 inet static
    address 66.60.172.203
    netmask 255.255.255.0
    broadcast 66.60.172.255
    gateway 66.60.172.205

Etc, etc... Is this right?

Yes, although you don't need to duplicate the gateway entry on any but the main eth0 entry. You can also do it the way Tom mentioned (adding an 'up' clause to your eth0 definition...there's almost always more than one way to do something in linux!).

Also, just out of curiosity, what do you mean when you said, "With the masq entry you list above, you'll be round-robining through source IP's for outbound traffic, which I doubt is what you really want."? What's wrong with that???

It means the source IP of the traffic you send to the internet (or anything else on the 'upstream' side of your firewall) will dynamically rotate between the various IP's you have assigned. You will have to be *VERY* careful that your firewall rules take this into account, and you may have problems with some applications that open multiple connections, or anything that expects your IP to be constant.

Tom: If I ADD_SNAT_ALIASES=Yes in shorewall.conf, do I need to change ADD_IP_ALIASES to No or should I leave it at its default Yes?
Once I have made the correct modifications, ip addr should show all of the addresses, and I should be able to ping them all, shouldn't I???

You should be able to ping all assigned IP's, assuming the firewall rules allow it (you can allow/prevent just about anything with iptables).

--
Charles Steinkuehler [EMAIL PROTECTED]
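A worked version of the two points made in this thread: the interfaces-file approach Charles recommends (secondary addresses added with `up ip addr add ... label eth0:N` clauses), and a check for Tom's point that eth0:0 is only a label attached to an address, not an interface, so nothing can be filtered "on eth0:0" except by matching the address itself. This is an added example, not code from the thread, Bering or Shorewall. The interface name, the 24.81.144.x addresses, the `ip -4 addr show` output (constructed, not captured from a real router) and the blacklisted source 203.0.113.7 are all assumptions.

```shell
#!/bin/sh
# Added example; not from the leaf-user thread, Bering or Shorewall.
# Interface name, addresses and the blacklisted source are assumptions.

# Constructed sample of `ip -4 addr show dev eth0` output (not a real capture).
# Note the label is just the last word on each address line.
SAMPLE_IP_ADDR='2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    inet 24.81.144.90/24 brd 24.81.144.255 scope global eth0
    inet 24.81.144.91/24 scope global secondary eth0:0
    inet 24.81.144.92/24 scope global secondary eth0:1'

# Emit an /etc/network/interfaces stanza in the Bering form used in the thread:
# the primary address in the iface block, each secondary added by an `up`
# clause that also sets the eth0:N label. Only the main entry gets a gateway.
# Usage: gen_interfaces_stanza IFACE PRIMARY MASKLEN BROADCAST GATEWAY SECONDARY...
gen_interfaces_stanza() {
  iface=$1; primary=$2; masklen=$3; bcast=$4; gw=$5; shift 5
  printf 'auto %s\niface %s inet static\n' "$iface" "$iface"
  printf '    address %s\n    masklen %s\n    broadcast %s\n    gateway %s\n' \
    "$primary" "$masklen" "$bcast" "$gw"
  n=0
  for a in "$@"; do
    printf '    up ip addr add %s/%s brd %s dev %s label %s:%s\n' \
      "$a" "$masklen" "$bcast" "$iface" "$iface" "$n"
    n=$((n + 1))
  done
}

# Addresses configured on an interface, parsed from `ip -4 addr show` on stdin
# (feed it a live run on the router, or the constructed sample here).
addrs_on_iface() {
  awk '$1 == "inet" { sub("/.*", "", $2); print $2 }'
}

# A label such as eth0:0 is not an interface: resolve it to the address it
# names. Prints nothing when no address carries that label.
addr_for_label() {
  awk -v l="$1" '$1 == "inet" && $NF == l { sub("/.*", "", $2); print $2 }'
}

# Confirm every expected address is really present; names the missing ones
# and returns 1 otherwise. Usage: check_addrs "<ip addr output>" ADDR...
check_addrs() {
  out=$1; shift
  rc=0
  for a in "$@"; do
    if ! printf '%s\n' "$out" | addrs_on_iface | grep -qx "$a"; then
      echo "missing: $a"
      rc=1
    fi
  done
  return $rc
}

# "Blacklist SRC on eth0:0" cannot be written against the label, so translate
# it into a rule on the address the label points at. Raw iptables form; the
# parent device is everything before the colon in the label.
# Usage: blacklist_rule_for_label "<ip addr output>" LABEL SRC
blacklist_rule_for_label() {
  out=$1; label=$2; src=$3
  addr=$(printf '%s\n' "$out" | addr_for_label "$label")
  [ -n "$addr" ] || { echo "no address labelled $label on this box" >&2; return 1; }
  printf 'iptables -A INPUT -i %s -s %s -d %s -j DROP\n' "${label%%:*}" "$src" "$addr"
}
```

On the router itself, `check_addrs "$(ip -4 addr show dev eth0)" 24.81.144.90 24.81.144.91` after `ifup eth0` confirms the aliases came up, which is the test to run before trusting rules that reference them. Because `ip` reports a label only as decoration on an address, anything you want to "blacklist on eth0:0" has to be expressed against that address; the emitted iptables line is the raw form, and in Shorewall it becomes a rule keyed on the destination address rather than an entry in the blacklist file, which only takes source addresses.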
RE: [leaf-user] Looking for a VPN Solution
Eric Spakman has just compiled pptpd for Bering uClib which I have got working. I haven't finished testing my set up yet but it's looking good! The .lrp package is in the Testing area of the uClib packages download page. So now I have a single 1.44 floppy router/firewall with dhcpd, pump, ezipupdate, bpalogin, weblet, dropbear (SSH and SCP!) and VPN!! Plus some other things that I can probably do without! Very functional, cheap, and a lot of fun!!

And for those who think floppies are unreliable, I agree entirely which is why I keep an executable image of my router disk on a couple of workstations around the place so I can remake the router disk quickly. I have been playing with this stuff for a couple of years now and I have had a couple of disks fail while I have been playing (maybe because I have been playing??) but none in operation and given that once your image is settled you should not need to reboot the router for a long time, floppy reliability is not so much of an issue. Except maybe if your router is in an environmentally unfriendly area.

Beauuudiful!! Thanks folks.

David Pitts
IT Services Manager
Reid Library
University of Western Australia
Telephone: (08) 6488 3492
Fax: (08) 6488 1012

-Original Message-
From: Martin Hejl [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 24 March 2004 4:21 AM
To: JamesSturdevant
Cc: [EMAIL PROTECTED]
Subject: Re: [leaf-user] Looking for a VPN Solution

JamesSturdevant wrote:
I am running Bering 1.2 and am looking for a VPN solution for one of my users. Her ISP is Earthlink and she reports that her IP address changes frequently (every 30 minutes). She will be connecting with a Windows client. I have Freeswan working for others but their IPs are static. I have tried OpenVPN but the LEAF software seg faults when a UDP connection is made from a Windows Client and constantly reset if a TCP connection is made. Does anyone know what kernel version this code was compiled for?

It shouldn't matter.
For all I know, OpenVPN is completely independent of the kernel version (unlike IPSEC), since it runs completely in user-space.

Unless there is a compelling reason not to (like, extensive setup already done on Bering, or software that's not available for Bering uClibc), you might also want to consider switching to Bering uClibc - I maintain the OpenVPN package for Bering uClibc (I also wrote a patch to enable OpenVPN to work with ip instead of ipconfig, which has found its way into the latest version), and it's been _very_ stable for me (I'm currently running two OpenVPN links - one over the internet where both ends are dynamic and change IPs once a day, and one over a wireless connection, which goes up and down a lot, since it's used for testing wireless equipment).

I'm not trying to sell Bering uClibc to you, I just don't like it that a fine piece of software like OpenVPN is being dropped in favour of something less secure, just because of a seemingly faulty package (and sorry, no, I can't help with fixing the package on Bering).

Martin
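An added example of the kind of link Martin describes, where both ends change address: a static-key OpenVPN point-to-point pair in which the "server" is reached by a dynamic-DNS name rather than an address, and both sides keep the session when the peer's source address moves. This is not code from the thread or from the OpenVPN project; the hostname vpn.example.net, the 10.8.0.1/10.8.0.2 tunnel addresses, the key path and the nobody/nogroup account are assumptions, and the shared key is assumed to have been generated once with `openvpn --genkey --secret static.key` and copied to both ends. The shell functions just print the two configuration files and sanity-check them, so the pair can be vetted before it is pushed to a router you cannot easily reach.

```shell
#!/bin/sh
# Added example; not from the leaf-user thread or the OpenVPN project.
# Hostname, tunnel addresses, key path and unprivileged account are assumptions.

# "Server" side (OpenVPN 2.0 option names). It needs a stable DNS name, not a
# stable address: `float` keeps the session when the peer's source IP changes,
# keepalive notices a dead peer, and persist-tun/persist-key let the daemon
# restart the session without tearing down tun0 or re-reading the key as
# an unprivileged user.
openvpn_server_conf() {
  cat <<'EOF'
dev tun
proto udp
port 1194
secret /etc/openvpn/static.key
ifconfig 10.8.0.1 10.8.0.2
float
keepalive 10 60
persist-tun
persist-key
cipher AES-256-CBC
auth SHA1
user nobody
group nogroup
verb 3
EOF
}

# "Client" side: reaches the other end by name, re-resolves it forever, and
# does not bind a fixed local port, so an address change on either side costs
# one keepalive timeout rather than a manual restart.
openvpn_client_conf() {
  cat <<'EOF'
dev tun
proto udp
remote vpn.example.net 1194
resolv-retry infinite
nobind
secret /etc/openvpn/static.key
ifconfig 10.8.0.2 10.8.0.1
float
keepalive 10 60
persist-tun
persist-key
cipher AES-256-CBC
auth SHA1
user nobody
group nogroup
verb 3
EOF
}

# Does the config text in $1 contain the exact option line $2?
conf_has() {
  grep -qx "$2" <<EOF
$1
EOF
}

# The mistakes that break a dynamic-IP link: a literal address in `remote`,
# a missing `float`, or giving up on DNS after the first failure.
# Prints "ok" on success; names the first problem and returns 1 otherwise.
check_dynamic_pair() {
  s=$(openvpn_server_conf); c=$(openvpn_client_conf)
  conf_has "$s" float || { echo "server: missing float"; return 1; }
  conf_has "$c" float || { echo "client: missing float"; return 1; }
  printf '%s\n' "$c" | grep -q '^remote [A-Za-z]' \
    || { echo "client: remote is not a hostname"; return 1; }
  conf_has "$c" "resolv-retry infinite" \
    || { echo "client: missing resolv-retry infinite"; return 1; }
  echo ok
}
```

On the 1.x releases that were current when this thread was written, `keepalive 10 60` is spelled out as `ping 10` plus `ping-restart 60`. Static-key mode is the simplest thing that works between two floppy routers, but it has no forward secrecy and one key per pair; where the box has room for it, TLS mode (`tls-server`/`tls-client` with per-host certificates) is the better long-term choice, and the dynamic-address options above apply unchanged.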
RE: [leaf-user] Looking for a VPN Solution
You may want to check out m0n0wall. http://m0n0.ch/wall It has PPTP server built in and boots from a CD-ROM while the configuration is saved to a floppy. There are some known problems with some XP clients.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of JamesSturdevant
Sent: Tuesday, March 23, 2004 8:24 AM
To: [EMAIL PROTECTED]
Subject: [leaf-user] Looking for a VPN Solution

I am running Bering 1.2 and am looking for a VPN solution for one of my users. Her ISP is Earthlink and she reports that her IP address changes frequently (every 30 minutes). She will be connecting with a Windows client. I have Freeswan working for others but their IPs are static. I have tried OpenVPN but the LEAF software seg faults when a UDP connection is made from a Windows Client and constantly reset if a TCP connection is made. Does anyone know what kernel version this code was compiled for? I know it's a weak solution, but I need to also check out PPTP. Does anyone have a version of POPTOP for Bering? All I can locate is the PPTP client.

JamesS