[leaf-user] Is my NIC the bottleneck?
pn] I'm still running E2B on a P166. I have 768K SDSL, and my leaf box is connected to the DSL modem via a 10Mbps NIC. The best speed I can download from anywhere is in the 70something KB/sec (as reported on a Windows box on the internal network). I think I should be able to do faster downloads, but am not sure where I'm getting bottlenecked.

=
- Peter Nosko ([EMAIL PROTECTED])
This is a good place for a tagline.

---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of GenToo technologies. Learn everything from fundamentals to system administration. http://ads.osdn.com/?ad_id=1470alloc_id=3638op=click
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
RE: [leaf-user] Is my NIC the bottleneck?
Hi,

768Kb/s = 96KB/s or 93KB/s depending on what your ISP considers a Kilo. I have 1024 over 256 cable, I very VERY rarely see one connection hit more than 70. If I want a fast download, I use Getright and use 3 or 4 different sources.

Does anyone else think that all this massive increase in downstream by ISPs (as a marketing tool) is outstripping the resources of the poor old creaky internet?

That's just practical thinking though, I don't know any technical reasons you could be running slow. Sorry :P

James.

-----Original Message-----
From: Peter Nosko [mailto:[EMAIL PROTECTED]]
Sent: 14 April 2004 23:11
To: leaf
Subject: [leaf-user] Is my NIC the bottleneck?
Re: [leaf-user] Is my NIC the bottleneck?
Your ISP's theoretical 768 Kilo bps compared to your NIC's theoretical 10 Mega bps. Me thinks your 10Mb NIC is not guilty.

Do you run your DSL modem as a modem only, or does it do DHCP, DNS and firewall as well?

Gus

[EMAIL PROTECTED] wrote on 15-04-2004 00:10:31:
RE: [leaf-user] Is my NIC the bottleneck?
768 Kb/s = ~70 kB/sec. You have to take into account the overhead in the packets, which is roughly a factor of 10 to translate Kb/s to kB/s. I have a cable connection which is much faster (here in Holland at least) than ADSL and regularly have download speeds of 120 - 150 kB/s.

Joep

On Thu, 2004-04-15 at 10:42, James Neave wrote:
[leaf-user] Probably OT: Cisco VPN Passthrough Bering 1.2
Hi,

We're trying to connect the Cisco VPN Dialer (v3) to a Cisco VPN concentrator through a Bering 1.2 box performing firewalling and NAT, pretty standard stuff.

The rules we use are:

Policy = No traffic allowed period.

Rules for this case:
ACCEPT loc:192.168.x.y net:a.b.c.d udp 500
ACCEPT loc:192.168.x.y net:a.b.c.d udp 4500
ACCEPT loc:192.168.x.y net:a.b.c.d 50

Now, this is why it is probably OT. It works fine on Win2K SP1 boxes. It does NOT work on Win2K SP4 and WinXP SP1. So currently it seems to be a Windows problem, not a LEAF problem. However we have been assured that it *should* work. Of course, no help is forthcoming from Cisco.

(Side Note: Why do people eschew free solutions for lack of support? Our client must have paid 1000s for that VPN box, but we don't get any help. We're a 3rd party but it's not even like our client can ask for help.)

Logs at the end of this message. Probably nothing to do with LEAF, but if anybody can shed any light!

Thanks,
James.

Anyway, here are some logs I've collected.

First WinDump, kinda equivalent to tcpdump I guess. IKE failed. INVALID-HASH-INFORMATION may suggest packet mangling broke a signature?

11:14:58.506130 IP james.WIN2KDOMAIN.1367 > colo-62-105-97-range129.as15758.net.62514: udp 12
11:14:58.512641 IP james.WIN2KDOMAIN.1368 > colo-62-105-97-range129.as15758.net.62514: udp 8
11:14:58.513100 IP james.WIN2KDOMAIN.1369 > colo-62-105-97-range129.as15758.net.62514: udp 8
11:14:58.518808 IP james.WIN2KDOMAIN.500 > colo-62-105-97-range129.as15758.net.500: isakmp: phase 1 I agg: [|sa]
11:14:58.594708 IP colo-62-105-97-range129.as15758.net.500 > james.WIN2KDOMAIN.500: isakmp: phase 1 R agg: [|sa]
11:14:58.601393 IP james.WIN2KDOMAIN.500 > colo-62-105-97-range129.as15758.net.500: isakmp: phase 1 I inf: (n: doi=ipsec proto=isakmp type=INVALID-HASH-INFORMATION)

Next up, the Cisco Logger, says pretty much the same thing, IKE failed. More detailed I guess.

1 11:24:34.845 04/15/04 Sev=Info/6 DIALER/0x6332 Initiating connection.
2 11:24:34.845 04/15/04 Sev=Info/4 CM/0x6312 Begin connection process
3 11:24:34.845 04/15/04 Sev=Info/4 CM/0x6314 Establish secure connection using Ethernet
4 11:24:34.845 04/15/04 Sev=Info/4 CM/0x63100024 Attempt connection with server 62.105.97.129
5 11:24:34.860 04/15/04 Sev=Info/6 IKE/0x633B Attempting to establish a connection with 62.105.97.129.
6 11:24:34.860 04/15/04 Sev=Info/4 IKE/0x6313 SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID, VID, VID, VID, VID) to 62.105.97.129
7 11:24:34.954 04/15/04 Sev=Info/5 IKE/0x632F Received ISAKMP packet: peer = 62.105.97.129
8 11:24:34.954 04/15/04 Sev=Info/4 IKE/0x6314 RECEIVING <<< ISAKMP OAK AG (SA, VID, VID, VID, VID, KE, ID, NON, HASH) from 62.105.97.129
9 11:24:34.954 04/15/04 Sev=Info/5 IKE/0x6359 Vendor ID payload = 09002689DFD6B712
10 11:24:34.954 04/15/04 Sev=Info/5 IKE/0x6301 Peer supports XAUTH
11 11:24:34.954 04/15/04 Sev=Info/5 IKE/0x6359 Vendor ID payload = AFCAD71368A1F1C96B8696FC77570100
12 11:24:34.954 04/15/04 Sev=Info/5 IKE/0x6301 Peer supports DPD
13 11:24:34.954 04/15/04 Sev=Info/5 IKE/0x6359 Vendor ID payload = 12F5F28C457168A9702D9FE274CC0100
14 11:24:34.954 04/15/04 Sev=Info/5 IKE/0x6301 Peer is a Cisco-Unity compliant peer
15 11:24:34.954 04/15/04 Sev=Info/5 IKE/0x6359 Vendor ID payload = 3E1AE87FDF4D1C40CE41D30ED2964D10
16 11:24:34.954 04/15/04 Sev=Warning/3 IKE/0xE356 The received HASH payload cannot be verified
17 11:24:34.954 04/15/04 Sev=Warning/2 IKE/0xE37D Hash verification failed... may be configured with invalid group password.
18 11:24:34.954 04/15/04 Sev=Info/4 IKE/0x6313 SENDING >>> ISAKMP OAK INFO (NOTIFY:INVALID_HASH_INFO) to 62.105.97.129
19 11:24:34.954 04/15/04 Sev=Info/4 IKE/0x634A Discarding IKE SA negotiation
20 11:24:34.954 04/15/04 Sev=Info/4 CM/0x63100014 Unable to establish Phase 1 SA with server 62.105.97.129 because of DEL_REASON_IKE_NEG_FAILED
21 11:24:34.954 04/15/04 Sev=Info/5 CM/0x63100027 Initializing CVPNDrv
22 11:24:35.001 04/15/04 Sev=Info/4 IPSEC/0x63700014 Deleted all keys
23 11:24:35.001 04/15/04 Sev=Info/4 IPSEC/0x63700014 Deleted all keys
24 11:24:35.032 04/15/04 Sev=Warning/3 DIALER/0xE338 GI VPNStart callback failed CM_IKE_ESTABLISH_FAIL (3h).
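As an added example (my code, not from James's message or from Cisco's tooling), a small triage script over the Cisco client log lines quoted above. It separates the warnings from the noise and records that the aggressive-mode exchange received a reply from the peer before hash verification failed: that tells a defender that UDP/500 passes the NAT box in both directions and that the failure sits in phase 1 credentials, before NAT-T (UDP/4500) or ESP (protocol 50) are ever exercised. The log format and peer address are taken from the page; the "OAK QM" marker used to detect phase 2 is an assumption about the Cisco log format.

```python
import re

# Constructed from the Cisco VPN client log quoted in the message above
# (selected lines only, copied from the page); parser and verdict logic are mine.
CISCO_LOG = """\
6 11:24:34.860 04/15/04 Sev=Info/4 IKE/0x6313 SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID, VID, VID, VID, VID) to 62.105.97.129
7 11:24:34.954 04/15/04 Sev=Info/5 IKE/0x632F Received ISAKMP packet: peer = 62.105.97.129
8 11:24:34.954 04/15/04 Sev=Info/4 IKE/0x6314 RECEIVING <<< ISAKMP OAK AG (SA, VID, VID, VID, VID, KE, ID, NON, HASH) from 62.105.97.129
10 11:24:34.954 04/15/04 Sev=Info/5 IKE/0x6301 Peer supports XAUTH
16 11:24:34.954 04/15/04 Sev=Warning/3 IKE/0xE356 The received HASH payload cannot be verified
17 11:24:34.954 04/15/04 Sev=Warning/2 IKE/0xE37D Hash verification failed... may be configured with invalid group password.
18 11:24:34.954 04/15/04 Sev=Info/4 IKE/0x6313 SENDING >>> ISAKMP OAK INFO (NOTIFY:INVALID_HASH_INFO) to 62.105.97.129
20 11:24:34.954 04/15/04 Sev=Info/4 CM/0x63100014 Unable to establish Phase 1 SA with server 62.105.97.129 because of DEL_REASON_IKE_NEG_FAILED
"""

# "Sev=Warning/3 IKE/0xE356 ..." ; the \s* tolerates copies where the space
# between the severity level and the subsystem was lost.
ENTRY_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<date>\d\d/\d\d/\d\d)\s+"
    r"Sev=(?P<sev>[A-Za-z]+)/(?P<level>\d)\s*(?P<subsys>[A-Z]+)/(?P<code>0x[0-9A-Fa-f]+)\s+"
    r"(?P<msg>.*)$")

# Event codes that accompanied the hash failure in the quoted log.
HASH_FAIL_CODES = {"0xE356", "0xE37D"}


def parse_cisco_log(text):
    """Turn the client log into dicts; lines that do not fit the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["seq"] = int(e["seq"])
            e["level"] = int(e["level"])
            entries.append(e)
    return entries


def warnings(entries):
    """Only the Warning-severity events, in log order."""
    return [(e["code"], e["msg"]) for e in entries if e["sev"] == "Warning"]


def triage_phase1(entries):
    """Decide how far the IKE negotiation got and what to check first."""
    msgs = [e["msg"] for e in entries]
    sent_ag = any(m.startswith("SENDING") and "OAK AG" in m for m in msgs)
    recv_ag = any(m.startswith("RECEIVING") and "OAK AG" in m for m in msgs)
    hash_fail = (any(e["code"] in HASH_FAIL_CODES for e in entries)
                 or any("INVALID_HASH_INFO" in m for m in msgs))
    phase1_failed = any("Unable to establish Phase 1 SA" in m for m in msgs)
    quick_mode = any("OAK QM" in m for m in msgs)   # assumed phase 2 marker

    verdict = {
        "udp500_bidirectional": sent_ag and recv_ag,   # a reply proves the path works
        "phase1_mode": "aggressive" if sent_ag else "unknown",
        "failed_at": ("phase1-hash-verification" if hash_fail
                      else "phase1" if phase1_failed else None),
        "phase2_reached": quick_mode,
    }
    if verdict["failed_at"] == "phase1-hash-verification" and verdict["udp500_bidirectional"]:
        # The client verified the peer's HASH with its own group credentials and failed,
        # so NAT-T (UDP/4500) and ESP (proto 50) rules were never part of the exchange.
        verdict["next_check"] = "group name/password on client vs. concentrator"
    elif not recv_ag:
        verdict["next_check"] = "UDP/500 path through the firewall (no reply from peer)"
    else:
        verdict["next_check"] = "phase 2 / NAT-T (UDP/4500) and ESP (protocol 50) rules"
    return verdict


if __name__ == "__main__":
    parsed = parse_cisco_log(CISCO_LOG)
    for code, msg in warnings(parsed):
        print(f"WARNING {code}: {msg}")
    for key, value in triage_phase1(parsed).items():
        print(f"{key:>22}: {value}")
```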
Re: [leaf-user] LEAF Theory of Operation
jeremy rubia wrote:
> Hi Larry, actually I'm talking about the Bering version. In the LEAF homepage documentation there is a link that says something like this: "lrp.c0wz.com - this is a mirror of one of the best sources of LRP information on the net", but it was a dead link already. I believed that it would point me to the right docs I need. I have also googled on this topic but to no avail.

The c0wz site is quite dated at this point, but I've still got a mirror running:
http://c0wz2.steinkuehler.net/

> By the way, what I need to know is how LEAF Bering starts from booting up, how it manages to use RAM instead of the physical storage media, and what happens when I backup lrp packages. I have actually used Bering LEAF but don't have a firm understanding of how it works behind the scene, and that's what I want to know.

Basically, at startup a ramdisk is created and populated with the contents of all the *.lrp packages (which are simply tar.gz files) configured to load via the LRP= kernel command line (or one of the more recent enhancements, like the lrpkg.cfg file). When you backup a package, the backup scripts simply make a tar.gz file of all files that belong in a particular package.

Some details of package creation can be found on the LEAF site in the SF Document Manager:
http://sourceforge.net/docman/?group_id=13751

See particularly "How do I create packages?" and "LRP packaging details and limitations" (in section 13).

Your real source for information, however, is the source code. Both the packaging and the initial system generation are done by simple shell scripts, so just open an editor and follow along until you understand as much as you want. The initial system configuration is done by /linuxrc, and the backup scripts are in /usr/sbin, along with the rest of the lrcfg menu scripts.

--
Charles Steinkuehler
[EMAIL PROTECTED]
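An added illustration (my code, not a LEAF script) of the mechanism Charles describes: constructed .lrp packages, which are plain tar.gz files, are unpacked into a "ramdisk" directory in the order given by LRP= on the kernel command line, later packages overwriting files from earlier ones, and a backup re-tars exactly the files named in the package's list. It assumes the Bering convention of a per-package file list at var/lib/lrpkg/<pkg>.list, and it refuses archive members that would land outside the ramdisk directory, a check worth having whenever packages arrive on untrusted media.

```python
import io
import os
import tarfile
import tempfile

LRPKG_DIR = "var/lib/lrpkg"   # assumed location of the per-package <pkg>.list files


def make_lrp(path, files):
    """Write a constructed .lrp package: a plain tar.gz of the files it owns."""
    with tarfile.open(path, "w:gz") as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))


def packages_from_cmdline(cmdline):
    """Pull the load order out of a kernel command line such as 'LRP=root,etc,local'."""
    for tok in cmdline.split():
        if tok.startswith("LRP="):
            return [p for p in tok[4:].split(",") if p]
    return []


def _safe_extract(tf, dest):
    """Unpack, refusing members that would escape dest via '..' or absolute paths."""
    root = os.path.realpath(dest)
    for member in tf.getmembers():
        target = os.path.realpath(os.path.join(root, member.name))
        if os.path.commonpath([root, target]) != root:
            raise ValueError(f"unsafe member {member.name!r}")
    # Python 3.12+ also offers a built-in 'data' filter; use it when present.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    tf.extractall(dest, **kwargs)


def populate_ramdisk(ramdisk, pkgdir, packages):
    """Unpack each package in order; later packages overwrite earlier ones' files."""
    for pkg in packages:
        with tarfile.open(os.path.join(pkgdir, pkg + ".lrp"), "r:gz") as tf:
            _safe_extract(tf, ramdisk)
    return sorted(os.path.relpath(os.path.join(d, f), ramdisk)
                  for d, _, fs in os.walk(ramdisk) for f in fs)


def backup_package(ramdisk, pkg, out_path):
    """Re-tar exactly the files named in the package's .list, as a backup would."""
    with open(os.path.join(ramdisk, LRPKG_DIR, pkg + ".list")) as fh:
        names = [ln.strip() for ln in fh if ln.strip()]
    with tarfile.open(out_path, "w:gz") as tf:
        for name in names:
            tf.add(os.path.join(ramdisk, name), arcname=name)
    return names


def demo():
    """Build two constructed packages, 'boot' them, back one up, return what happened."""
    work = tempfile.mkdtemp()
    pkgdir = os.path.join(work, "floppy")
    ramdisk = os.path.join(work, "ramdisk")
    os.makedirs(pkgdir)
    os.makedirs(ramdisk)
    make_lrp(os.path.join(pkgdir, "root.lrp"), {
        "etc/hostname": b"leaf\n",
        "etc/passwd": b"root:x:0:0::/root:/bin/sh\n",
        f"{LRPKG_DIR}/root.list": b"etc/passwd\n",
    })
    make_lrp(os.path.join(pkgdir, "etc.lrp"), {
        "etc/hostname": b"unity\n",            # overrides the copy shipped in root.lrp
        f"{LRPKG_DIR}/etc.list": f"etc/hostname\n{LRPKG_DIR}/etc.list\n".encode(),
    })
    order = packages_from_cmdline("ro LRP=root,etc init=/linuxrc")
    files = populate_ramdisk(ramdisk, pkgdir, order)
    with open(os.path.join(ramdisk, "etc/hostname")) as fh:
        hostname = fh.read().strip()
    backup_package(ramdisk, "etc", os.path.join(pkgdir, "etc.lrp"))
    with tarfile.open(os.path.join(pkgdir, "etc.lrp"), "r:gz") as tf:
        backup_members = sorted(tf.getnames())
    return {"order": order, "files": files, "hostname": hostname,
            "backup_members": backup_members}


def rejects_escape():
    """A package carrying '../' paths must not be unpacked outside the ramdisk."""
    work = tempfile.mkdtemp()
    make_lrp(os.path.join(work, "bad.lrp"), {"../outside": b"x\n"})
    try:
        populate_ramdisk(os.path.join(work, "rd"), work, ["bad"])
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
    print("escape rejected:", rejects_escape())
```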
Re: [leaf-user] Probably OT: Cisco VPN Passthrough Bering 1.2
James Neave wrote:
> snip
> Now, this is why it is probably OT. It works fine on Win2K SP1 boxes. It does NOT work on Win2K SP4 and WinXP SP1. So currently it seems to be a Windows problem, not a LEAF problem.
> snip
> 16 11:24:34.954 04/15/04 Sev=Warning/3 IKE/0xE356 The received HASH payload cannot be verified
> 17 11:24:34.954 04/15/04 Sev=Warning/2 IKE/0xE37D Hash verification failed... may be configured with invalid group password.

This looks to be why it died. I'm not familiar with the Cisco products, so can't provide much detailed help, but have you verified all boxes are using appropriate credentials (or group password, whatever that is in Cisco parlance)?

--
Charles Steinkuehler
[EMAIL PROTECTED]
Re: [leaf-user] Is my NIC the bottleneck?
pn] Thanks, all. I'm ashamed that I was unable to do that math myself.

--- [EMAIL PROTECTED] wrote:
> Do you run your DSL modem as a modem only, or does it do DHCP, DNS and firewall as well?

pn] Not sure what you mean (do DSL modems do all that?). My LEAF boxes do the DHCP, DNS and firewall (and good 'ole routing).

pn] Hey Charles, E2B is still solid. ;)

=
- Peter Nosko ([EMAIL PROTECTED])
This is a good place for a tagline.
RE: [leaf-user] Probably OT: Cisco VPN Passthrough Bering 1.2
Hi,

> But have you verified all boxes are using appropriate credentials?

I've just gone round and checked all the passwords, they all check out.

Currently the only test I'm unable to perform is plugging a PC straight into our real router and giving it one of our real IPs and testing it that way, taking the LEAF box out of the equation and seeing if XP/2KSP4 *still* don't work. Don't have the time for the PC lugging at the moment, currently this is not high priority enough.

Thanks,
James.

-----Original Message-----
From: Charles Steinkuehler [mailto:[EMAIL PROTECTED]]
Sent: 15 April 2004 12:46
To: James Neave
Cc: leaf
Subject: Re: [leaf-user] Probably OT: Cisco VPN Passthrough Bering 1.2
Re: [leaf-user] Bering 1.2 Throughput Test Results
Charles,

I did the test with the converted Bering-Contivity yesterday. I ran the VPN as AES then changed to 3DES and ran it again. AES was 6% slower. Any ideas why this would be the case?

Best Regards,
Roger McClurg
[EMAIL PROTECTED]

This is a PRIVATE message. If you are not the intended recipient, please delete without copying and kindly advise us by e-mail of the mistake in delivery. NOTE: Regardless of content, this e-mail shall not operate to bind CSC to any order or other contract unless pursuant to explicit written agreement or government initiative expressly permitting the use of e-mail for such purpose.

Charles Steinkuehler charles @steinkuehler.net 04/13/2004 04:13 PM
To: Roger E McClurg/CEG/[EMAIL PROTECTED]
cc: [EMAIL PROTECTED]
Subject: Re: [leaf-user] Bering 1.2 Throughput Test Results

> Roger E McClurg wrote:
> snip
>> The next test was to FTP from the PC connected to the OpenBrick E to the PC connected to a 500 Mhz P III running Bering 1.2. The transfer rate was only 12.67 Mb/sec. The 3DES IPSEC encryption was certainly taking its toll.
>>
>> Next we replaced both Bering machines with Nortel Contivity 1500 VPN devices. The Contivity is a popular VPN concentrator for small branch offices. It was designed specifically for the purpose of a VPN concentrator. Imagine our surprise when the Contivity transfer rate was only 4.45 Mb/sec. The Bering boxes were running weblet, shorewall, dnscache, dhcpd, ssh, sshd, sftp, snmp, and snmpd in addition to IPSEC, and yet they were almost three times faster than commercial VPN concentrators.
>
> If you want to have a bit more fun, switch your IPSec links to the new AES (ipsec_aes.o) encryption algorithm. Designed to be more friendly to modern CPUs with wide registers and SIMD (Single Instruction Multiple Data) instruction sets (3DES is optimized for hardware, and doesn't translate nicely into a byte/word oriented general-purpose CPU algorithm), you should see a substantial increase in your transfer rates.
>
> 3DES is usually not much of a bottleneck (even with the 'slow' Nortel devices), as usually the upstream WAN link is substantially slower than the potential CPU throughput when compressing, but if you've got fast pipes, you'll notice a drastic difference by choosing an alternate encryption scheme.
>
> --
> Charles Steinkuehler
> [EMAIL PROTECTED]
Re: [leaf-user] Is my NIC the bottleneck?
You shouldn't be, because you were right that there's a bottleneck, you just missed what the bottleneck is.

A 768k T-1 or Cablemodem line is going to give you around 90-95Kbytes/sec on a download, whereas your DSL is only turning out around 70Kbytes/sec. The reason for this is pretty straightforward: DSL uses ATM connections between the Central Office DSLAM and the ISP's router. Since ATM only works in packets 53 bytes large, a packet of 1500 bytes gets chopped up into a bunch of other packets, each with its own control and error markers, and doesn't actually get reassembled until it arrives at the DSL modem. It's worse, too, if you've got PPPoE, as that adds in its own overhead.

The net result is, if you've got a DSL line of speed X, and a Cable line of speed X, then as long as the cable line isn't on an overloaded cable node, the cable line will be faster, because it doesn't have to convert to a half-dozen different Layer 2/3 Protocols along the way.

Oh, and yes, some DSL modems do have firewall/NAT routers built in these days, but they tend not to work too well for gaming applications.

George

Peter Nosko wrote:
> pn] Thanks, all. I'm ashamed that I was unable to do that math myself.
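An added worked calculation (my code, not from the thread) of the unit conversions James and Joep did by hand earlier in the thread and of the ATM cell overhead George describes: it counts the 53-byte cells needed to carry a full-size TCP/IP packet over AAL5, optionally with an assumed PPPoE framing, and compares the resulting goodput with plain Ethernet framing at the same 768 kbit/s. The encapsulation byte counts are my assumptions about a typical DSL setup, not figures from the page; the Ethernet-style figure is a calculation, not a claim about any specific cable service.

```python
import math

ATM_CELL_BYTES = 53        # 5-byte header + 48-byte payload per ATM cell
ATM_PAYLOAD_BYTES = 48
AAL5_TRAILER_BYTES = 8     # AAL5 trailer carried in the final cell of a frame
TCP_IP_HEADER_BYTES = 40   # IPv4 + TCP headers without options

# Assumed per-packet encapsulation added before AAL5 segmentation (bytes).
# "pppoe" models RFC 2684 LLC/SNAP bridged Ethernet carrying PPPoE and PPP.
ENCAP_OVERHEAD = {
    "none": 0,
    "pppoe": 10 + 14 + 6 + 2,   # LLC/SNAP + Ethernet header + PPPoE header + PPP protocol id
}


def raw_bytes_per_sec(link_kbps, kilo=1000):
    """Link rate in bytes/s; ISPs mean 1000 bits per kilobit, some people use 1024."""
    return link_kbps * kilo / 8


def atm_cells(sdu_bytes):
    """Cells needed for an AAL5 frame of sdu_bytes: trailer added, then padded to 48."""
    return math.ceil((sdu_bytes + AAL5_TRAILER_BYTES) / ATM_PAYLOAD_BYTES)


def atm_wire_bytes(ip_bytes, encap="none"):
    """Bytes actually sent on the ATM link to carry one IP packet."""
    return atm_cells(ip_bytes + ENCAP_OVERHEAD[encap]) * ATM_CELL_BYTES


def tcp_goodput_kib(link_kbps, ip_bytes=1500, encap="none", kilo=1000):
    """TCP payload delivered per second (KiB/s) for a stream of ip_bytes-sized packets."""
    payload = ip_bytes - TCP_IP_HEADER_BYTES
    wire = atm_wire_bytes(ip_bytes, encap)
    return raw_bytes_per_sec(link_kbps, kilo) * payload / wire / 1024


def ethernet_goodput_kib(link_kbps, ip_bytes=1500, kilo=1000):
    """Same calculation for Ethernet framing: 14 header + 4 FCS + 8 preamble + 12 IFG."""
    payload = ip_bytes - TCP_IP_HEADER_BYTES
    wire = ip_bytes + 38
    return raw_bytes_per_sec(link_kbps, kilo) * payload / wire / 1024


if __name__ == "__main__":
    print(f"768 kbit/s raw: {raw_bytes_per_sec(768) / 1024:.1f} KiB/s "
          f"(or {raw_bytes_per_sec(768) / 1000:.0f} kB/s with decimal kilo)")
    for encap, mtu in (("none", 1500), ("pppoe", 1500), ("pppoe", 1492)):
        print(f"ATM, encap={encap:5s}, IP packet {mtu}: "
              f"{atm_cells(mtu + ENCAP_OVERHEAD[encap])} cells, "
              f"{tcp_goodput_kib(768, mtu, encap):.1f} KiB/s")
    print(f"Ethernet framing, IP packet 1500: {ethernet_goodput_kib(768):.1f} KiB/s")
```

Note the cell-alignment edge case the third row shows: with PPPoE a 1500-byte packet spills into a 33rd cell, while the usual PPPoE MTU of 1492 fits in 32 cells and delivers more payload per second.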
Re: [leaf-user] Is my NIC the bottleneck?
At 10:57 AM 4/15/2004 +0200, [EMAIL PROTECTED] wrote:
> Your ISP's theoretical 768 Kilo bps compared to your NIC's theoretical 10 Mega bps. Me thinks your 10Mb NIC is not guilty.
>
> Do you run your DSL modem as a modem only, or does it do DHCP, DNS and firewall as well?
>
> Gus
>
> [EMAIL PROTECTED] wrote on 15-04-2004 00:10:31:
>> pn] I'm still running E2B on a P166. I have 768K SDSL, and my leaf box is connected to the DSL modem via a 10Mbps NIC. The best speed I can download from anywhere is in the 70something KB/sec (as reported on a Windows box on the internal network). I think I should be able to do faster downloads, but am not sure where I'm getting bottlenecked.

Based on the numbers you report, there is no bottleneck that needs an explanation ... or at worst a very small one. 70something KB/sec (big B = bytes, the way clients usually report transfer speed) translates to something between 560 and 640 Kbps (small b = bits, the measure used for DSL speed). That discrepancy is too small to need explaining, when you remember that there is also packet overhead and such to allow for (my rule of thumb is to allow 10% of capacity for this).

If there is any residual problem to be explained, you will need more exact numbers to detect it.
Re: [leaf-user] Is my NIC the bottleneck?
I have Bering-uClibc 2.1 set up in a 486/66 with 16MB. With two ISA (SMC 8216C) 10M cards I have a TESTED ~7M/s download speed from a company internal FTP server. With a 100M connection I was able to download (without the FW in the middle) 20M/s. Both tests were done in an ethernet network without ADSL. So this will prove that almost all ADSL speeds can be handled with a slow 486 level PC.

PC was actually an ICL C4/33V with a 25Mhz SX processor and a 66Mhz math co-processor. Std. floppy version used without tweaking.

Home ADSL connection is 1M/512K and I get download speeds of 110K/s normally from university servers near me.

-Marko

Peter Nosko wrote:
Re: [leaf-user] Bering 1.2 Throughput Test Results
Roger E McClurg wrote:
> I did the test with the converted Bering-Contivity yesterday. I ran the VPN as AES then changed to 3DES and ran it again. AES was 6% slower. Any ideas why this would be the case?

I'd have to look at the code...I'm somewhat familiar with the 'stock' FreeS/WAN stuff, but haven't checked out the algorithm patch that adds the additional encryption options to SuperFreeS/WAN.

The only thing that comes immediately to mind is optimization. 3DES performs so pitifully that most architectures have hand-optimized assembler stubs for the 'guts' of the encryption routine. If the AES routines are generic C code, it would likely explain the performance difference.

--
Charles Steinkuehler
[EMAIL PROTECTED]
Re: [leaf-user] Is my NIC the bottleneck?
--- George Metz [EMAIL PROTECTED] wrote:
> You shouldn't be, because you were right that there's a bottleneck, you just missed what the bottleneck is.

pn] Hey George, thanks for eliminating my shame. And for the math DSL lesson.

=
- Peter Nosko ([EMAIL PROTECTED])
This is a good place for a tagline.
[leaf-user] Thanks
Charles,

I never got around to thanking you for your help over the years, and for your contribution to LEAF. I cut my teeth on Dachstein and Eigerstein. I used them on quite a few different platforms, and I learned a lot along the way. I appreciate everything you have done, and thought it was high time I said so.

Roger
[leaf-user] Re: Thanks
Roger E McClurg wrote:
> I never got around to thanking you for your help over the years, and for your contribution to LEAF. I cut my teeth on Dachstein and Eigerstein. I used them on quite a few different platforms, and I learned a lot along the way. I appreciate everything you have done, and thought it was high time I said so.

I appreciate the feedback, and am glad you found Dachstein and Eigerstein useful!

--
Charles Steinkuehler
[EMAIL PROTECTED]
Re: [leaf-user] Thanks
Ditto for me. Started with LRP, then made my way up through the ranks to Bering. I am running a number of these boxes in production environments now. Although Snapgear may begin to put a dent in my deployments (my boss, who cut his teeth on LRP alongside me, sure likes the small box, off-the-shelf idea, especially because of his ability to manipulate it using his past LRP experience), I will always have a use for these great boxes.

Thanks to Charles et al!

----- Original Message -----
From: Roger E McClurg [EMAIL PROTECTED]
To: Charles Steinkuehler [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Thursday, April 15, 2004 1:26 PM
Subject: [leaf-user] Thanks
[leaf-user] shorewall policy question (lots of hits from fw to loc)
hi, i'm new to bering-uclibc and shorewall (but have used lrp and dachstein). I'm getting hundreds of icmp hits showing up in the shorewall log between my bering box and one of my local machines. here's an example:

Jan 1 00:00:00 unity Shorewall:all2all:REJECT: IN= OUT=eth0 MAC= SRC=192.168.1.1 DST=192.168.1.5 LEN=83 TOS=00 PREC=0x00 TTL=64 ID=29297 PROTO=ICMP TYPE=3 CODE=0

eth0 is my lan interface (192.168.1.1), and ppp0 is the net interface (dialup).

I think that a solution would be to add the following line to the shorewall policy, but i have some questions on it...

fw loc ACCEPT

this seems like a very normal thing to do, so why is it not set in the default config? are there any reasons to not accept these connections (other than local attacks on the firewall)?

thanks,
-matt
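An added example (my code, not part of Matt's post or of Shorewall) that parses log lines of the format quoted above, maps interfaces to zones the way the post describes (an empty IN= means the firewall itself, eth0 is loc, ppp0 is net), and reports which policy row would match each flow under the default ordering and with the proposed "fw loc ACCEPT" row added. Both policy tables and the two extra sample lines are constructed assumptions. Note that the quoted hit is the firewall itself sending ICMP type 3 code 0 (net unreachable) to a LAN host, so any relaxation only needs to cover fw-to-loc traffic, and a rules-file entry limited to that ICMP type would be narrower than a blanket policy.

```python
import re
from collections import Counter

# Constructed sample: the line quoted in the post plus two more of the same shape.
SAMPLE_LOG = """\
Jan 1 00:00:00 unity Shorewall:all2all:REJECT: IN= OUT=eth0 MAC= SRC=192.168.1.1 DST=192.168.1.5 LEN=83 TOS=00 PREC=0x00 TTL=64 ID=29297 PROTO=ICMP TYPE=3 CODE=0
Jan 1 00:00:01 unity Shorewall:all2all:REJECT: IN= OUT=eth0 MAC= SRC=192.168.1.1 DST=192.168.1.5 LEN=83 TOS=00 PREC=0x00 TTL=64 ID=29298 PROTO=ICMP TYPE=3 CODE=0
Jan 1 00:00:02 unity Shorewall:net2all:DROP: IN=ppp0 OUT= MAC= SRC=203.0.113.9 DST=198.51.100.7 LEN=48 TOS=00 PREC=0x00 TTL=113 ID=4 PROTO=TCP SPT=3412 DPT=135
"""

# Interface-to-zone map from the post; an empty IN= or OUT= is the firewall itself.
IFACE_ZONES = {"eth0": "loc", "ppp0": "net"}

# Assumed policy orderings: first match wins, 'all' matches any zone.
DEFAULT_POLICY = [
    ("loc", "net", "ACCEPT"),
    ("net", "all", "DROP"),
    ("all", "all", "REJECT"),
]
PROPOSED_POLICY = [
    ("loc", "net", "ACCEPT"),
    ("fw", "loc", "ACCEPT"),   # the row the post proposes adding
    ("net", "all", "DROP"),
    ("all", "all", "REJECT"),
]
# A narrower alternative to the blanket row would be a rules-file entry such as
# "ACCEPT fw loc icmp 3" (Shorewall puts the ICMP type in the DEST PORT column).

ICMP_NAMES = {("3", "0"): "net unreachable", ("3", "1"): "host unreachable",
              ("3", "3"): "port unreachable", ("8", "0"): "echo request"}

LINE_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[A-Z]+):\s*(?P<fields>.*)$")


def zone_of(iface):
    if not iface:
        return "fw"
    return IFACE_ZONES.get(iface, "unknown")


def parse_line(line):
    """Return the netfilter fields plus chain, disposition and zones, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disp")}
    for key, val in re.findall(r"(\w+)=(\S*)", m.group("fields")):
        rec[key] = val            # empty values (IN=, MAC=) are kept as ""
    rec["src_zone"] = zone_of(rec.get("IN", ""))
    rec["dst_zone"] = zone_of(rec.get("OUT", ""))
    return rec


def flow_key(rec):
    """Summarise a record as (src zone, dst zone, proto, detail)."""
    proto = rec.get("PROTO", "?")
    if proto == "ICMP":
        tc = (rec.get("TYPE"), rec.get("CODE"))
        detail = f"type {tc[0]}/{tc[1]} ({ICMP_NAMES.get(tc, 'other')})"
    else:
        detail = f"dpt {rec.get('DPT', '?')}"
    return (rec["src_zone"], rec["dst_zone"], proto, detail)


def policy_action(src_zone, dst_zone, policy):
    """First policy row whose SOURCE and DEST match; nothing matches means REJECT."""
    for src, dst, action in policy:
        if src in (src_zone, "all") and dst in (dst_zone, "all"):
            return action
    return "REJECT"


def summarise(log_text):
    """Count hits per flow and record what each policy table would do with them."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            counts[flow_key(rec)] += 1
    return {key: {"hits": n,
                  "default": policy_action(key[0], key[1], DEFAULT_POLICY),
                  "proposed": policy_action(key[0], key[1], PROPOSED_POLICY)}
            for key, n in counts.items()}


if __name__ == "__main__":
    for key, info in summarise(SAMPLE_LOG).items():
        print(f"{key[0]:>3} -> {key[1]:<3} {key[2]:<4} {key[3]:<30} "
              f"hits={info['hits']} default={info['default']} proposed={info['proposed']}")
```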
RE: [leaf-user] Bering 1.2 Throughput Test Results
I had no problems adding the aes module. I am not exactly sure what you did, but I will tell you what I did and hopefully it helps you out. :)

1. First copy the ipsec_aes.o module from the Modules archive to a formatted floppy.
2. Mount the floppy in your Bering box with this command: mount -t msdos /dev/fd0u1440 /mnt
3. Next, copy the module file to your modules directory with this command: cp ipsec_~1.o /lib/modules/ [ENTER]
4. Change directory to / (cd /) and type umount /mnt [ENTER]
5. Change directory again to /lib/modules/
6. We need to change the name of the module back to ipsec_aes.o now with this command: cp ipsec_~1.o ipsec_aes.o [ENTER]
7. Then chmod the file with 644 with this command: chmod 644 ipsec_aes.o
8. Almost there! Now type lrcfg [ENTER] and go into /etc/modules. Add ipsec_aes to the list of entries there.
9. Lastly, go into your IPSec config file and add esp=aes to the connection config. (Check where I put it below to give you an idea.)
10. Back up your changes! :)

I hope this helped.

I have a question of my own for the list. :) Can you have multiple rightsubnet= or leftsubnet= in your ipsec config for a single connection? I want to connect two networks that have multiple subnets. Thus far I have gotten away with just putting entries like 172.16.0.0/16 connecting to 192.168.0.0/16. That solution is no longer practical however, and I am wondering if I can change it to multiple leftsubnet/rightsubnet entries to reflect the actual networks that I am linking. Can anyone tell me the syntax I would use to do this? :)

Thanks in advance!

Troy (Still a newbie after years of LEAF)

-Original Message-
From: J.Clark [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 15, 2004 8:52 AM
To: [EMAIL PROTECTED]
Subject: Re: [leaf-user] Bering 1.2 Throughput Test Results

> My question is how does one properly load this module? I've tried loading it from the modules package (/etc/modules) but when I try to restart ipsec it fails because it can't unload the ipsec.o module due to the fact that it is in use by the ipsec_aes.o module. I'm sure I'm missing something here. Should I replace the ipsec.o with ipsec_aes.o or add a stub to the shutdown/restart script to unload ipsec_aes.o first? Dumb questions I'm sure but we all have to learn somehow =-)
>
> - Original Message -
> From: Roger E McClurg [EMAIL PROTECTED]
> To: Troy Aden [EMAIL PROTECTED]
> Cc: Charles Steinkuehler [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Sent: Wednesday, April 14, 2004 11:43 AM
> Subject: RE: [leaf-user] Bering 1.2 Throughput Test Results
>
> Troy,
>
> It's not a dumb question. I just figured it out myself. In the connection defaults, or in the specific connection you want to use aes, just add esp=aes. Of course the ipsec-aes.o module must be loaded.
>
> Roger
>
> Troy Aden Troy.Aden @VCom.com
> 04/14/2004 10:13 AM
> To: Roger E McClurg/CEG/[EMAIL PROTECTED], Charles Steinkuehler [EMAIL PROTECTED]
> cc: [EMAIL PROTECTED]
> Subject: RE: [leaf-user] Bering 1.2 Throughput Test Results
>
> I am sure this question is a silly one but here it goes. How do I go about changing the Encryption algorithm in Freeswan IPSec? I am using Bering Uclibc 2.0. I am using FreeSwan IPSec with PSKs for my connections. I did not see anything in the procedures for changing the encryption algorithms that this package uses. I am assuming that I would add the module (ipsec_aes.o) to /lib/modules/. But can anyone please tell me the command that I need to put in the IPSec config file to tell it specifically what algorithm to use?
>
> Thanks in advance!
>
> Troy
>
> Here is what my config looks like:
>
> config setup
>     # THIS SETTING MUST BE CORRECT or almost nothing will work;
>     # %defaultroute is okay for most simple cases.
>     interfaces=%defaultroute
>     # Debug-logging controls: none for (almost) none, all for lots.
>     klipsdebug=none
>     plutodebug=none
>     # Use auto= parameters in conn descriptions to control startup actions.
>     plutoload=%search
>     plutostart=%search
>     # Close down old connection when new one using same ID shows up.
>     uniqueids=yes
>
> # defaults for subsequent connection descriptions
> conn %default
>     # How persistent to be in (re)keying negotiations (0 means very).
>     keyingtries=0
>     # RSA authentication with keys from DNS.
>     authby=secret
>     right=132.125.107.155
>     rightsubnet=192.168.55.0/16
>     rightnexthop=132.125.107.254
>     esp=aes
>     pfs=yes
>
> conn block
>     auto=ignore
>
> conn private
>     auto=ignore
>
> conn private-or-clear
>     auto=ignore
>
> conn clear
>     auto=ignore
>
> conn packetdefault
>     auto=ignore
>
> conn troy
>     left=139.145.45.166
>     leftsubnet=10.10.65.0/24
>     leftnexthop=139.145.45.129
>     auto=start
>
> Here is what comes up when I start a connection:
>
> ipsec whack --initiate --name test
RE: [leaf-user] Is my NIC the bottleneck?
Hello Peter,

Nice name ;-)

> Subject: [leaf-user] Is my NIC the bottleneck?
>
> pn] I'm still running E2B on a P166. I have 768K SDSL, and my leaf box is connected to the DSL modem

I know it's already resolved, but I recommend using DSLReports's speed test for this kind of thing. Test a desktop from behind the LEAF server network, then connect it directly to the DSL line and test again. Using this method you can see if there is a bottleneck in the router. I usually run the test 3 times to get a nice average.

URL: http://www.dslreports.com/stest

P
Re: [leaf-user] Bering 1.2 Throughput Test Results
Troy Aden wrote:
> snip
>
> I have a question of my own for the list. :) Can you have multiple rightsubnet= or leftsubnet= in your ipsec config for a single connection? I want to connect two networks that have multiple subnets. Thus far I have gotten away with just putting entries like 172.16.0.0/16 connecting to 192.168.0.0/16. That solution is no longer practical however, and I am wondering if I can change it to multiple leftsubnet/rightsubnet entries to reflect the actual networks that I am linking. Can anyone tell me the syntax I would use to do this? :)
>
> Thanks in advance!

Sure you can...sort of. What you're missing is the fact that each additional [left|right]subnet entry requires a new connection specification. If you don't have a lot of connections, managing them by hand (or maybe with some simple scripts) is possible. If you decide you want to do this, I suggest using descriptive names for your connections to avoid any ambiguity based on IP addresses, ie: [left|[EMAIL PROTECTED]

If you find your configuration getting too complex, the next best option is probably to push the complexity from your IPSec configuration into the routing domain. Remember you can only pass traffic that matches a connection's endpoint specifications through an IPSec tunnel, so you can't simply use an IPSec connection like a virtual 'wire' and route traffic down it. The way around this is to set up point-to-point IPSec connections between your gateway boxes (rather than the subnet-subnet links it sounds like you're using). Once you have these links in place, you run GRE tunnels over the IPSec tunnels (so all traffic matches the source/destination IPs listed in the connection description), then run the routing protocol of your choice (or even static routing) across the GRE tunnels.

-- 
Charles Steinkuehler
[EMAIL PROTECTED]
RE: [leaf-user] Bering 1.2 Throughput Test Results
> I did the test with the converted Bering-Contivity yesterday. I ran the VPN as AES then changed to 3DES and ran it again. AES was 6% slower. Any ideas why this would be the case?

AES should be faster. I remember seeing a few posts about this. For example, http://lists.freeswan.org/pipermail/users/2002-February/007771.html indicates 89mbps with AES as opposed to 44mbps with 3DES. Alternatively, the creator of the patch for FreeSWAN indicated 'expect 3 to 2 performance'. Are you sure you're not using double the keysize with your setup? There has to be some explanation. AES _IS_ faster, at least on the 15 or so tunnels I have created.

P
Re: [leaf-user] Bering 1.2 Throughput Test Results
That sounds probable.. Freeswan may default to AES256, which would be similar in performance to 3DES (based on my experience with some commercial VPN solutions). Unfortunately, I don't know the exact syntax.. I've been messing with the KAME IPSec that is in the 2.6 kernel and MacOS X/BSD, rather than Freeswan. But a google search for Freeswan configs turned up statements like:

esp=aes128-sha1,aes128-md5

On Thu, Apr 15, 2004 at 01:54:04PM -0700, Peter Mueller wrote:
> > I did the test with the converted Bering-Contivity yesterday. I ran the VPN as AES then changed to 3DES and ran it again. AES was 6% slower. Any ideas why this would be the case?
>
> AES should be faster. I remember seeing a few posts about this. For example, http://lists.freeswan.org/pipermail/users/2002-February/007771.html indicates 89mbps with AES as opposed to 44mbps with 3DES. Alternatively, the creator of the patch for FreeSWAN indicated 'expect 3 to 2 performance'. Are you sure you're not using double the keysize with your setup? There has to be some explanation. AES _IS_ faster, at least on the 15 or so tunnels I have created.
>
> P
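Pulling the thread together (Troy's esp= question, Charles's point that FreeS/WAN takes one leftsubnet/rightsubnet pair per conn, and the suggestion above to pin the AES key size), here is an added helper script that is not from the thread or from the LEAF project: it generates a conn section for every subnet pair with descriptive names and an explicit esp=aes128-sha1 proposal. Site names, gateway addresses and subnets are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the list thread: emit one FreeS/WAN "conn" section
# per left/right subnet pair, since each conn takes a single leftsubnet= and
# rightsubnet=. Site names, gateway addresses and subnets below are
# constructed sample values; esp=aes128-sha1 pins the key size explicitly so
# a 256-bit default cannot creep in unnoticed.

# Return 0 if $1 looks like a.b.c.d/n with each octet <= 255 and n <= 32.
valid_cidr() {
    case $1 in */*) ;; *) return 1 ;; esac
    addr=${1%/*}
    bits=${1#*/}
    case $bits in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Shared settings: gateway endpoints, PSK auth and the explicit ESP proposal.
# Usage: gen_default LEFT_GW LEFT_NEXTHOP RIGHT_GW RIGHT_NEXTHOP
gen_default() {
    printf 'conn %%default\n'
    printf '\tauthby=secret\n\tkeyingtries=0\n'
    printf '\tleft=%s\n\tleftnexthop=%s\n' "$1" "$2"
    printf '\tright=%s\n\trightnexthop=%s\n' "$3" "$4"
    printf '\tesp=aes128-sha1\n\tpfs=yes\n\n'
}

# One conn per subnet pair, named by site so the name says what it carries.
# Usage: gen_conns LEFTSITE "SUBNET ..." RIGHTSITE "SUBNET ..."
gen_conns() {
    leftsite=$1; leftsubnets=$2; rightsite=$3; rightsubnets=$4
    for s in $leftsubnets $rightsubnets; do
        valid_cidr "$s" || { echo "bad subnet: $s" >&2; return 1; }
    done
    i=0
    for ls in $leftsubnets; do
        i=$((i + 1)); j=0
        for rs in $rightsubnets; do
            j=$((j + 1))
            printf 'conn %s-net%d-to-%s-net%d\n' "$leftsite" "$i" "$rightsite" "$j"
            printf '\tleftsubnet=%s\n\trightsubnet=%s\n' "$ls" "$rs"
            printf '\tauto=start\n\n'
        done
    done
}

# Count the conn sections in generated output (sanity check: L x R pairs).
count_conns() { grep -c '^conn '; }

# Demo with constructed values: two subnets at each site give four conns.
main() {
    gen_default 192.0.2.1 192.0.2.254 198.51.100.1 198.51.100.254
    gen_conns hq "10.10.65.0/24 10.10.66.0/24" branch "172.16.1.0/24 172.16.2.0/24"
}
main
```

Redirect the output into the conn part of ipsec.conf and keep the config setup section as it is; with more subnets the number of conns grows as the product of the two lists, which is the point at which Charles's GRE-over-IPSec suggestion starts to look attractive.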
Re: [leaf-user] shorewall policy question (lots of hits from fw to loc)
The first thing I'd be doing here is NOT asking how to allow these packets to pass, but trying to figure out why they're being sent in the first place. If you're using a default Bering install without monkeying with the Bering settings, and you're using DHCP, then your gateway should be 192.168.1.254, and 192.168.1.1 would be a machine on your LAN. Either way, if you're getting a flood of ICMP packets from anywhere to anywhere, it's questionable. I don't know of anything that would generate ICMP from a Bering box to anything without user input, at least in the basic setup, so a little forensics work would be in order to find out what's really going on.

Given the number of worms and virii out there that use ICMP sweeps to find vulnerable systems, I'd be hesitant to allow ICMP of any kind. It technically breaks RFC standards, but I don't know of anything that it actually causes a problem with by doing.

Matt wrote:
> Hi, I'm new to Bering-uClibc and Shorewall (but have used LRP and Dachstein). I'm getting hundreds of ICMP hits showing up in the Shorewall log between my Bering box and one of my local machines. Here's an example:
>
> Jan 1 00:00:00 unity Shorewall:all2all:REJECT: IN= OUT=eth0 MAC= SRC=192.168.1.1 DST=192.168.1.5 LEN=83 TOS=00 PREC=0x00 TTL=64 ID=29297 PROTO=ICMP TYPE=3 CODE=0
>
> eth0 is my LAN interface (192.168.1.1), and ppp0 is the net interface (dialup). I think that a solution would be to add the following line to the Shorewall policy, but I have some questions on it...
>
> fw loc ACCEPT
>
> This seems like a very normal thing to do, so why is it not set in the default config? Are there any reasons to not accept these connections (other than local attacks on the firewall)?
>
> Thanks,
> -matt
[leaf-user] using inetd to pon/poff or ifupdown ppp0
I've been playing around with inetd trying to get it to launch pon or poff when certain ports are hit. I have opened Shorewall on these ports (1022, 1021), and configured /etc/services, /etc/inetd.conf, and /etc/protocols. The lines I added are below. I'm not sure why it doesn't work...

I don't NEED to do this through inetd, but I thought it would be convenient. All I need is a simple way for people to manually start/stop ppp0 without ssh-ing in as root. My first try was to create a cgi script for sh-httpd to run...but sh-httpd doesn't run scripts as root so it didn't work (I don't feel comfortable with suid root). Ideas please?

Thanks,
-matt

services:
pppup    1021/tcp    # bring up ppp0 when hit
pppdown  1022/tcp    # bring down ppp0 when hit

inetd.conf:
pppup    stream  tcp  nowait  root  /tmp/usr/bin/pon
pppdown  stream  tcp  nowait  root  /tmp/usr/bin/poff

protocols:
pppup    1021  TCP
pppdown  1022  TCP
Re: [leaf-user] shorewall policy question (lots of hits from fw to loc)
Matt wrote:
> Hi, I'm new to Bering-uClibc and Shorewall (but have used LRP and Dachstein). I'm getting hundreds of ICMP hits showing up in the Shorewall log between my Bering box and one of my local machines. Here's an example:
>
> Jan 1 00:00:00 unity Shorewall:all2all:REJECT: IN= OUT=eth0 MAC= SRC=192.168.1.1 DST=192.168.1.5 LEN=83 TOS=00 PREC=0x00 TTL=64 ID=29297 PROTO=ICMP TYPE=3 CODE=0
>
> eth0 is my LAN interface (192.168.1.1), and ppp0 is the net interface (dialup). I think that a solution would be to add the following line to the Shorewall policy, but I have some questions on it...
>
> fw loc ACCEPT
>
> This seems like a very normal thing to do, so why is it not set in the default config? Are there any reasons to not accept these connections (other than local attacks on the firewall)?

If Netfilter connection tracking is working properly, ICMP 3/0 packets *are* accepted. These packets get generated by a REJECT Shorewall rule or policy for UDP requests.

-Tom

-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ [EMAIL PROTECTED]
Re: [leaf-user] shorewall policy question (lots of hits from fw to loc)
George Metz wrote:
> Given the number of worms and virii out there that use ICMP sweeps to find vulnerable systems, I'd be hesitant to allow ICMP of any kind. It technically breaks RFC standards, but I don't know of anything that it actually causes a problem with by doing.

It breaks MTU discovery...

-Tom

-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ [EMAIL PROTECTED]
[leaf-user] looking for Bering 1.2 and 2.1 kernel .config files
Greetings,

The .config files used to be with the development files in the previous version of LRP/Bering, e.g. rc3. Where can I locate the Linux kernel .config files for 1.2 and 2.1?

Thanks.

Newton
Re: [leaf-user] shorewall policy question (lots of hits from fw to loc)
Tom Eastep wrote:
> Matt wrote:
> > fw loc ACCEPT
> >
> > This seems like a very normal thing to do, so why is it not set in the default config? Are there any reasons to not accept these connections (other than local attacks on the firewall)?
>
> If Netfilter connection tracking is working properly, ICMP 3/0 packets *are* accepted. These packets get generated by a REJECT Shorewall rule or policy for UDP requests.

Also, are you setting 'norfc1918' on your ppp0 interface (/etc/shorewall/interfaces)?

-Tom

-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ [EMAIL PROTECTED]
[leaf-user] uClibc ipsec
Just installed the ipsec package from: http://leaf.sourceforge.net/packages/uclibc-0.9/20/ipsec.lrp

Rebooted, and there's no ipsec.o :( Looked in the archive, and can't find it there either :(

-- 
Homer Parker                /\  ASCII Ribbon Campaign
BOFH for homershut.net      \ / No HTML/RTF in email
http://www.homershut.net     x  No Word docs in email
telnet://bbs.homershut.net  / \ Respect for open standards

"Bill Gates reports on security progress made and the challenges ahead."
-- Microsoft's Homepage, on the day an SQL Server bug crippled large sections of the Internet.
Re: [leaf-user] shorewall policy question (lots of hits from fw to loc)
On Thu, 2004-04-15 at 14:35, Matt wrote:
> Hi, I'm new to Bering-uClibc and Shorewall (but have used LRP and Dachstein). I'm getting hundreds of ICMP hits showing up in the Shorewall log between my Bering box and one of my local machines. Here's an example:
>
> Jan 1 00:00:00 unity Shorewall:all2all:REJECT: IN= OUT=eth0 MAC= SRC=192.168.1.1 DST=192.168.1.5 LEN=83 TOS=00 PREC=0x00 TTL=64 ID=29297 PROTO=ICMP TYPE=3 CODE=0
>
> eth0 is my LAN interface (192.168.1.1), and ppp0 is the net interface (dialup). I think that a solution would be to add the following line to the Shorewall policy, but I have some questions on it...
>
> fw loc ACCEPT
>
> This seems like a very normal thing to do, so why is it not set in the default config? Are there any reasons to not accept these connections (other than local attacks on the firewall)?
>
> Thanks,
> -matt

In a few hours (and a lot of comparing log entries to network activity) I was able to determine that DHCP requests were causing the problem. DHCP was actually working (client machines were being assigned addresses, albeit not very gracefully), but the DHCP discover, offer, ack, etc. process wasn't able to complete due to Shorewall blocking something. Setting the dhcp option for eth0 in the Shorewall interfaces file fixed it.

Tom, I do not have 'norfc1918' set for my ppp interface. I'll read up on RFC 1918 tomorrow, but do you know from experience if this should be set?

Thanks all,
-matt
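Tom's explanation (ICMP 3/0 from the firewall is the by-product of a REJECT) and Matt's finding (DHCP being rejected on eth0) both come from reading the log rather than widening the policy. The script below is an added example, not from the thread or from Shorewall, that does that reading mechanically: it groups Shorewall log entries by chain:action, peer pair and protocol detail and attaches a hint for the two patterns discussed here. The log lines are constructed in the Netfilter format; only the first one is the line Matt posted.

```shell
#!/bin/sh
# Added example, not from the list thread: summarise Shorewall log entries
# by chain:action, SRC>DST and protocol detail so that a flood of hits can
# be traced to its cause before any ACCEPT policy is added. The sample log
# is constructed; only its first line is the one posted in the thread.

SAMPLE_LOG='Jan 1 00:00:00 unity Shorewall:all2all:REJECT: IN= OUT=eth0 MAC= SRC=192.168.1.1 DST=192.168.1.5 LEN=83 TOS=00 PREC=0x00 TTL=64 ID=29297 PROTO=ICMP TYPE=3 CODE=0
Jan 1 00:00:01 unity Shorewall:all2all:REJECT: IN= OUT=eth0 MAC= SRC=192.168.1.1 DST=192.168.1.5 LEN=83 TOS=00 PREC=0x00 TTL=64 ID=29298 PROTO=ICMP TYPE=3 CODE=0
Jan 1 00:00:02 unity Shorewall:all2all:REJECT: IN= OUT=eth0 MAC= SRC=192.168.1.1 DST=192.168.1.5 LEN=83 TOS=00 PREC=0x00 TTL=64 ID=29299 PROTO=ICMP TYPE=3 CODE=0
Jan 1 00:00:00 unity Shorewall:all2all:REJECT: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:55:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=00 PREC=0x00 TTL=128 ID=1 PROTO=UDP SPT=68 DPT=67 LEN=308
Jan 1 00:00:01 unity Shorewall:all2all:REJECT: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:55:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=00 PREC=0x00 TTL=128 ID=2 PROTO=UDP SPT=68 DPT=67 LEN=308
Jan 1 00:00:05 unity Shorewall:net2all:DROP: IN=ppp0 OUT= MAC= SRC=203.0.113.9 DST=198.51.100.7 LEN=48 TOS=00 PREC=0x00 TTL=113 ID=777 DF PROTO=TCP SPT=4021 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0'

# Read Shorewall log lines on stdin; print "COUNT CHAIN:ACTION SRC>DST DETAIL HINT",
# most frequent first. Netfilter fields are KEY=VALUE tokens; bare flags (DF, SYN)
# carry no "=" and are skipped.
summarize_shorewall_log() {
    awk '
    /Shorewall:/ {
        split("", f)
        act = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^Shorewall:/) { split($i, a, ":"); act = a[2] ":" a[3] }
            n = index($i, "=")
            if (n > 0) f[substr($i, 1, n - 1)] = substr($i, n + 1)
        }
        if (f["PROTO"] == "ICMP") {
            detail = "ICMP " f["TYPE"] "/" f["CODE"]
            # Type 3 is destination unreachable: when the firewall itself is
            # the source, look for the REJECTed packets from that peer.
            hint = (f["TYPE"] == "3") ? "dest-unreachable:check-REJECTs-to-peer" : "-"
        } else {
            detail = f["PROTO"] " dpt=" f["DPT"]
            # DHCP client/server traffic being rejected on a LAN interface
            # is what the "dhcp" option in /etc/shorewall/interfaces is for.
            if (f["PROTO"] == "UDP" && (f["DPT"] == "67" || f["DPT"] == "68"))
                hint = "dhcp:set-dhcp-option-on-interface"
            else
                hint = "-"
        }
        count[act " " f["SRC"] ">" f["DST"] " " detail " " hint]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# Run the summary over the constructed sample (stand-alone demo).
summarize_sample() {
    printf '%s\n' "$SAMPLE_LOG" | summarize_shorewall_log
}

summarize_sample
```

On a Bering box the same function can be fed from the live log, e.g. `grep Shorewall: /var/log/messages | summarize_shorewall_log`, assuming the default syslog destination.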
Re: [leaf-user] uClibc ipsec
Homer wrote:
> Just installed the ipsec package from: http://leaf.sourceforge.net/packages/uclibc-0.9/20/ipsec.lrp
>
> Rebooted, and there's no ipsec.o :( Looked in the archive, and can't find it there either :(

As described in http://leaf.sourceforge.net/doc/guide/buipsec.html, the ipsec.o module is located in the modules package which matches your kernel. So, you want to get the modules tarball for the kernel you're using (Bering_uClibc_2.1.0_modules_2.4.24.tar.gz if you're using Bering uClibc 2.1) and get ipsec.o from there (look in directory 2.4.24/kernel/net/ipsec inside the tarball).

I hope that helps.

Martin
Re: [leaf-user] looking for Bering 1.2 and 2.1 kernel .config files
wing newton wrote:
> Greetings,
>
> The .config files used to be with the development files in the previous version of LRP/Bering, e.g. rc3. Where can I locate the Linux kernel .config files for 1.2 and 2.1?

The kernel configs used in Bering uClibc (as well as the patches needed) can be found in CVS at http://cvs.sourceforge.net/viewcvs.py/leaf/src/bering-uclibc/configs/kernel/

I don't know about Bering, maybe somebody else can help with that.

Martin