[leaf-user] Is my NIC the bottleneck?

2004-04-15 Thread Peter Nosko
pn] I'm still running E2B on a P166.  I have 768K
SDSL, and my leaf box is connected to the DSL modem
via a 10Mbps NIC.  The best speed I can download from
anywhere is in the 70something KB/sec (as reported on
a Windows box on the internal network).  I think I
should be able to do faster downloads, but am not sure
where I'm getting bottlenecked.

=

-
Peter Nosko ([EMAIL PROTECTED])
This is a good place for a tagline.


---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470alloc_id=3638op=click

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html


RE: [leaf-user] Is my NIC the bottleneck?

2004-04-15 Thread James Neave
Hi,

768Kb/s = 96KB/s or 93KB/s depending on what your ISP considers a Kilo.

I have 1024 over 256 cable, I very VERY rarely see one connection hit
more than 70. If I want a fast download, I use Getright and use 3 or 4
different sources. Does anyone else think that all this massive increase
in downstream by ISPs (as a marketing tool) is outstripping the
resources of the poor old creaky internet?

That's just practical thinking though, I don't know any technical
reasons you could be running slow. Sorry :P

James.

-Original Message-
From: Peter Nosko [mailto:[EMAIL PROTECTED] 
Sent: 14 April 2004 23:11
To: leaf
Subject: [leaf-user] Is my NIC the bottleneck?

pn] I'm still running E2B on a P166.  I have 768K
SDSL, and my leaf box is connected to the DSL modem
via a 10Mbps NIC.  The best speed I can download from
anywhere is in the 70something KB/sec (as reported on
a Windows box on the internal network).  I think I
should be able to do faster downloads, but am not sure
where I'm getting bottlenecked.

=

-
Peter Nosko ([EMAIL PROTECTED])
This is a good place for a tagline.






Re: [leaf-user] Is my NIC the bottleneck?

2004-04-15 Thread Gustav_Schaffter





Your ISP's theoretical 768 Kilo bps compared to your NIC's theoretical 10
Mega bps.

Me thinks your 10Mb NIC is not guilty.

Do you run your DSL modem as a modem only, or does it do DHCP, DNS and
firewall as well?

Gus



[EMAIL PROTECTED] wrote on 15-04-2004 00:10:31:

 pn] I'm still running E2B on a P166.  I have 768K
 SDSL, and my leaf box is connected to the DSL modem
 via a 10Mbps NIC.  The best speed I can download from
 anywhere is in the 70something KB/sec (as reported on
 a Windows box on the internal network).  I think I
 should be able to do faster downloads, but am not sure
 where I'm getting bottlenecked.

 =

 -
 Peter Nosko ([EMAIL PROTECTED])





RE: [leaf-user] Is my NIC the bottleneck?

2004-04-15 Thread Joep Blom
768 Kb/s = ~70 kB/sec. You have to take into account the overhead in
the packets, which roughly is a factor of 10 to translate Kb/s to kB/s.
I have a cable connection which is much faster (here in Holland at
least) than ADSL and regularly have download speeds of 120 - 150 kB/s.
Joep

On Thu, 2004-04-15 at 10:42, James Neave wrote:
 Hi,
 
 768Kb/s = 96KB/s or 93KB/s depending on what your ISP considers a Kilo.
 
 I have 1024 over 256 cable, I very VERY rarely see one connection hit
 more than 70. If I want a fast download, I use Getright and use 3 or 4
 different sources. Does anyone else think that all this massive increase
 in downstream by ISPs (as a marketing tool) is outstripping the
 resources of the poor old creaky internet?
 
 That's just practical thinking though, I don't know any technical
 reasons you could be running slow. Sorry :P
 
 James.
 
 -Original Message-
 From: Peter Nosko [mailto:[EMAIL PROTECTED] 
 Sent: 14 April 2004 23:11
 To: leaf
 Subject: [leaf-user] Is my NIC the bottleneck?
 
 pn] I'm still running E2B on a P166.  I have 768K
 SDSL, and my leaf box is connected to the DSL modem
 via a 10Mbps NIC.  The best speed I can download from
 anywhere is in the 70something KB/sec (as reported on
 a Windows box on the internal network).  I think I
 should be able to do faster downloads, but am not sure
 where I'm getting bottlenecked.
 
 =
 
 -
 Peter Nosko ([EMAIL PROTECTED])
 This is a good place for a tagline.
 
 




[leaf-user] Probably OT: Cisco VPN Passthrough Bering 1.2

2004-04-15 Thread James Neave
Hi,

We're trying to connect the Cisco VPN Dialer (v3) to a Cisco VPN
concentrator through a Bering 1.2 box performing firewalling and NAT,
pretty standard stuff.

The rules we use are:

Policy = No traffic allowed period.
Rules for this case:

ACCEPT loc:192.168.x.y net:a.b.c.d udp 500
ACCEPT loc:192.168.x.y net:a.b.c.d udp 4500
ACCEPT loc:192.168.x.y net:a.b.c.d 50

Now, this is why it is probably OT.
It works fine on Win2K SP1 boxes.
It does NOT work on Win2K SP4 and WinXP SP1.
So currently it seems to be a Windows problem, not a LEAF problem.

However we have been assured that it *should* work. Of course, no help
is forthcoming from Cisco.

(Side Note: Why do people eschew free solutions for lack of support? Our
client must have paid 1000s for that VPN box, but we don't get any help.
We're a 3rd party but it's not even like our client can ask for help.)

Logs at the end of this message.

Probably nothing to do with LEAF, but if anybody can shed any light!

Thanks,

James.



Anyway, here are some logs I've collected.

First WinDump, kinda equivalent to tcpdump I guess. IKE failed.
INVALID-HASH-INFORMATION may suggest packet mangling broke a signature?

11:14:58.506130 IP james.WIN2KDOMAIN.1367 > colo-62-105-97-range129.as15758.net.62514: udp 12
11:14:58.512641 IP james.WIN2KDOMAIN.1368 > colo-62-105-97-range129.as15758.net.62514: udp 8
11:14:58.513100 IP james.WIN2KDOMAIN.1369 > colo-62-105-97-range129.as15758.net.62514: udp 8
11:14:58.518808 IP james.WIN2KDOMAIN.500 > colo-62-105-97-range129.as15758.net.500: isakmp: phase 1 I agg: [|sa]
11:14:58.594708 IP colo-62-105-97-range129.as15758.net.500 > james.WIN2KDOMAIN.500: isakmp: phase 1 R agg: [|sa]
11:14:58.601393 IP james.WIN2KDOMAIN.500 > colo-62-105-97-range129.as15758.net.500: isakmp: phase 1 I inf: (n: doi=ipsec proto=isakmp type=INVALID-HASH-INFORMATION)

Next up, the Cisco Logger, says pretty much the same thing, IKE failed.
More detailed I guess.

1  11:24:34.845  04/15/04  Sev=Info/6   DIALER/0x6332
Initiating connection.
2  11:24:34.845  04/15/04  Sev=Info/4   CM/0x6312
Begin connection process
3  11:24:34.845  04/15/04  Sev=Info/4   CM/0x6314
Establish secure connection using Ethernet
4  11:24:34.845  04/15/04  Sev=Info/4   CM/0x63100024
Attempt connection with server 62.105.97.129
5  11:24:34.860  04/15/04  Sev=Info/6   IKE/0x633B
Attempting to establish a connection with 62.105.97.129.
6  11:24:34.860  04/15/04  Sev=Info/4   IKE/0x6313
SENDING  ISAKMP OAK AG (SA, KE, NON, ID, VID, VID, VID, VID, VID) to
62.105.97.129
7  11:24:34.954  04/15/04  Sev=Info/5   IKE/0x632F
Received ISAKMP packet: peer = 62.105.97.129
8  11:24:34.954  04/15/04  Sev=Info/4   IKE/0x6314
RECEIVING  ISAKMP OAK AG (SA, VID, VID, VID, VID, KE, ID, NON, HASH)
from 62.105.97.129
9  11:24:34.954  04/15/04  Sev=Info/5   IKE/0x6359
Vendor ID payload = 09002689DFD6B712
10 11:24:34.954  04/15/04  Sev=Info/5   IKE/0x6301
Peer supports XAUTH
11 11:24:34.954  04/15/04  Sev=Info/5   IKE/0x6359
Vendor ID payload = AFCAD71368A1F1C96B8696FC77570100
12 11:24:34.954  04/15/04  Sev=Info/5   IKE/0x6301
Peer supports DPD
13 11:24:34.954  04/15/04  Sev=Info/5   IKE/0x6359
Vendor ID payload = 12F5F28C457168A9702D9FE274CC0100
14 11:24:34.954  04/15/04  Sev=Info/5   IKE/0x6301
Peer is a Cisco-Unity compliant peer
15 11:24:34.954  04/15/04  Sev=Info/5   IKE/0x6359
Vendor ID payload = 3E1AE87FDF4D1C40CE41D30ED2964D10
16 11:24:34.954  04/15/04  Sev=Warning/3   IKE/0xE356
The received HASH payload cannot be verified
17 11:24:34.954  04/15/04  Sev=Warning/2   IKE/0xE37D
Hash verification failed... may be configured with invalid group
password.
18 11:24:34.954  04/15/04  Sev=Info/4   IKE/0x6313
SENDING  ISAKMP OAK INFO (NOTIFY:INVALID_HASH_INFO) to 62.105.97.129
19 11:24:34.954  04/15/04  Sev=Info/4   IKE/0x634A
Discarding IKE SA negotiation
20 11:24:34.954  04/15/04  Sev=Info/4   CM/0x63100014
Unable to establish Phase 1 SA with server 62.105.97.129 because of
DEL_REASON_IKE_NEG_FAILED
21 11:24:34.954  04/15/04  Sev=Info/5   CM/0x63100027
Initializing CVPNDrv
22 11:24:35.001  04/15/04  Sev=Info/4   IPSEC/0x63700014
Deleted all keys
23 11:24:35.001  04/15/04  Sev=Info/4   IPSEC/0x63700014
Deleted all keys
24 11:24:35.032  04/15/04  Sev=Warning/3   DIALER/0xE338
GI VPNStart callback failed CM_IKE_ESTABLISH_FAIL (3h).
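Added example, not from the post or from Cisco: a Python triage pass over the Cisco VPN client log format shown above, run on an excerpt of the lines James posted. It groups each numbered header with its message text, pulls out the Warning entries, checks which payloads the aggressive-mode exchange carried, and reports the phase 1 outcome together with the two explanations the thread raises (group password mismatch, packet altered in transit).

```python
import re

# Excerpt of the Cisco VPN client log quoted in the post (entries 6, 8, 16-20).
SAMPLE_LOG = """\
6  11:24:34.860  04/15/04  Sev=Info/4   IKE/0x6313
SENDING  ISAKMP OAK AG (SA, KE, NON, ID, VID, VID, VID, VID, VID) to
62.105.97.129
8  11:24:34.954  04/15/04  Sev=Info/4   IKE/0x6314
RECEIVING  ISAKMP OAK AG (SA, VID, VID, VID, VID, KE, ID, NON, HASH)
from 62.105.97.129
16 11:24:34.954  04/15/04  Sev=Warning/3IKE/0xE356
The received HASH payload cannot be verified
17 11:24:34.954  04/15/04  Sev=Warning/2IKE/0xE37D
Hash verification failed... may be configured with invalid group
password.
18 11:24:34.954  04/15/04  Sev=Info/4   IKE/0x6313
SENDING  ISAKMP OAK INFO (NOTIFY:INVALID_HASH_INFO) to 62.105.97.129
19 11:24:34.954  04/15/04  Sev=Info/4   IKE/0x634A
Discarding IKE SA negotiation
20 11:24:34.954  04/15/04  Sev=Info/4   CM/0x63100014
Unable to establish Phase 1 SA with server 62.105.97.129 because of
DEL_REASON_IKE_NEG_FAILED
"""

# Header line: sequence, time, date, severity, module and event code.  The post
# shows the gap before the module sometimes collapsed ("Sev=Warning/3IKE/0xE356"),
# so zero or more spaces are allowed there.
HEADER_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<date>\d\d/\d\d/\d\d)\s+"
    r"Sev=(?P<level>[A-Za-z]+)/(?P<num>\d)\s*(?P<module>[A-Z]+)/(?P<code>0x[0-9A-Fa-f]+)\s*$"
)
AG_RE = re.compile(r"(SENDING|RECEIVING)\s+ISAKMP OAK AG \(([^)]*)\)")


def parse_log(text):
    """Group each header line with the (possibly wrapped) message lines after it."""
    entries = []
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            entry = m.groupdict()
            entry["seq"] = int(entry["seq"])
            entry["num"] = int(entry["num"])
            entry["message"] = ""
            entries.append(entry)
        elif entries and raw.strip():
            entries[-1]["message"] = (entries[-1]["message"] + " " + raw.strip()).strip()
    return entries


def warnings(entries):
    return [e for e in entries if e["level"] == "Warning"]


def aggressive_mode_payloads(entries):
    """Payload lists of the aggressive-mode messages sent and received."""
    out = {}
    for e in entries:
        m = AG_RE.search(e["message"])
        if m:
            direction = "sent" if m.group(1) == "SENDING" else "received"
            out[direction] = [p.strip() for p in m.group(2).split(",")]
    return out


def triage_phase1(entries):
    """Summarise the IKE phase 1 outcome the way a reviewer reads the log."""
    result = {"phase1_established": True, "peer": None, "first_warning": None, "hint": None}
    for e in entries:
        msg = e["message"]
        if "Unable to establish Phase 1 SA" in msg or "Discarding IKE SA negotiation" in msg:
            result["phase1_established"] = False
        m = re.search(r"server (\d+(?:\.\d+){3})", msg)
        if m:
            result["peer"] = m.group(1)
    w = warnings(entries)
    if w:
        result["first_warning"] = {"code": w[0]["code"], "module": w[0]["module"],
                                   "message": w[0]["message"]}
    if any("Hash verification failed" in e["message"] for e in entries):
        # The responder's HASH covers the aggressive-mode exchange, so either the
        # pre-shared (group) key differs on the two ends or the packet was altered.
        result["hint"] = ("pre-shared (group) key mismatch between client and concentrator, "
                          "or the IKE payload was altered in transit")
    return result


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("payloads:", aggressive_mode_payloads(log))
    for w in warnings(log):
        print(f"warning {w['seq']} {w['module']}/{w['code']}: {w['message']}")
    print(triage_phase1(log))
```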



Re: [leaf-user] LEAF Theory of Operation

2004-04-15 Thread Charles Steinkuehler
jeremy rubia wrote:
Hi Larry,

actually im talking to the Bering version, in the LEAF
homepage documentation there is a link there that says
something like this 
lrp.c0wz.com - this is a mirror of one of the best
sources of LRP information on the net.
but it was dead link already i believed that it would
point me to the right docs i need. i have also googled
on this topic but to no avail.
The c0wz site is quite dated at this point, but I've still got a mirror 
running:
http://c0wz2.steinkuehler.net/

by the way what i need to know is how LEAF bering
starts from booting up and how does it managed to use
RAM instead of the physical storage media and what
happens when i backup lrp packages.  I have actually
used Bering LEAF but dont have firm understanding on
how it works behind the scene. and thats what i want
to know.
Basically, at startup a ramdisk is created and populated with the 
contents of all the *.lrp packages (which are simply tar.gz files) 
configured to load via the LRP= kernel command line (or one of the more 
recent enhancements, like the lrpkg.cfg file).

When you backup a package, the backup scripts simply make a tar.gz file 
of all files that belong in a particular package.

Some details of package creation can be found on the LEAF site in the SF 
Document Manager:
http://sourceforge.net/docman/?group_id=13751

See particularly How do I create packages? and LRP packaging details 
and limitations (in section 13).

Your real source for information, however, is the source code.  Both the 
packaging and the initial system generation are done by simple shell 
scripts, so just open an editor and follow along until you understand as 
much as you want.  The initial system configuration is done by /linuxrc, 
and the backup scripts are in /usr/sbin, along with the rest of the 
lrcfg menu scripts.

--
Charles Steinkuehler
[EMAIL PROTECTED]


Re: [leaf-user] Probably OT: Cisco VPN Passthrough Bering 1.2

2004-04-15 Thread Charles Steinkuehler
James Neave wrote:
snip
Now, this is why it is probably OT.
It works fine on Win2K SP1 boxes.
It does NOT work on Win2K SP4 and WinXP SP1.
So currently it seems to be a Windows problem, not a LEAF problem.
snip
16 11:24:34.954  04/15/04  Sev=Warning/3   IKE/0xE356
The received HASH payload cannot be verified
17 11:24:34.954  04/15/04  Sev=Warning/2   IKE/0xE37D
Hash verification failed... may be configured with invalid group
password.
This looks to be why it died.  I'm not familiar with the Cisco products, 
so can't provide much detailed help, but have you verified all boxes are 
using appropriate credentials (or group password, whatever that is in 
Cisco parlance)?

--
Charles Steinkuehler
[EMAIL PROTECTED]


Re: [leaf-user] Is my NIC the bottleneck?

2004-04-15 Thread Peter Nosko
pn] Thanks, all.  I'm ashamed that I was unable to do
that math myself.

--- [EMAIL PROTECTED] wrote:
 Do you run your DSL modem as a modem only, or does
 it do DHCP, DNS and firewall as well?

pn] Not sure what you mean (do DSL modems do all
that?).  My LEAF boxes do the DHCP, DNS and firewall
(and good 'ole routing).

pn] Hey Charles, E2B is still solid.  ;)

=

-
Peter Nosko ([EMAIL PROTECTED])
This is a good place for a tagline.




RE: [leaf-user] Probably OT: Cisco VPN Passthrough Bering 1.2

2004-04-15 Thread James Neave
Hi,

But have you verified all boxes are using appropriate credentials?

I've just gone round and checked all the passwords, they all check out.
Currently the only test I'm unable to perform is plugging a PC straight
into our real router and giving it one of our real IPs and testing it
that way, taking the LEAF box out of the equation and seeing if XP/2KSP4
*still* don't work. Don't have the time for the PC lugging at the
moment, currently this is not high priority enough.

Thanks,

James.

-Original Message-
From: Charles Steinkuehler [mailto:[EMAIL PROTECTED] 
Sent: 15 April 2004 12:46
To: James Neave
Cc: leaf
Subject: Re: [leaf-user] Probably OT: Cisco VPN Passthrough Bering 1.2

James Neave wrote:
snip
 Now, this is why it is probably OT.
 It works fine on Win2K SP1 boxes.
 It does NOT work on Win2K SP4 and WinXP SP1.
 So currently it seems to be a Windows problem, not a LEAF problem.
snip
 16 11:24:34.954  04/15/04  Sev=Warning/3  IKE/0xE356
 The received HASH payload cannot be verified
 17 11:24:34.954  04/15/04  Sev=Warning/2  IKE/0xE37D
 Hash verification failed... may be configured with invalid group
 password.

This looks to be why it died.  I'm not familiar with the Cisco products,
so can't provide much detailed help, but have you verified all boxes are
using appropriate credentials (or group password, whatever that is in
Cisco parlance)?

-- 
Charles Steinkuehler
[EMAIL PROTECTED]




Re: [leaf-user] Bering 1.2 Throughput Test Results

2004-04-15 Thread Roger E McClurg
Charles,

I did the test with the converted Bering-Contivity yesterday. I ran the 
VPN as AES then changed to 3DES and ran it again. AES was 6% slower. Any 
ideas why this would be the case?

Best Regards,

Roger McClurg
[EMAIL PROTECTED]










Charles Steinkuehler charles@steinkuehler.net
04/13/2004 04:13 PM
To: Roger E McClurg/CEG/[EMAIL PROTECTED]
cc: [EMAIL PROTECTED]
Subject:Re: [leaf-user] Bering 1.2 Throughput Test Results


Roger E McClurg wrote:
snip
 The next test was to FTP from the PC connected to the OpenBrick E to the 
 PC connected to a 500 Mhz P III running Bering 1.2.  The transfer rate was 
 only 12.67 Mb/sec.  The 3DES IPSEC encryption was certainly taking its 
 toll. 
 
 Next we replaced both Bering machines with Nortel Contivity 1500 VPN 
 devices. The Contivity is a popular VPN concentrator for small branch 
 offices. It was designed specifically for the purpose of a VPN 
 concentrator. Imagine our surprise when the Contivity transfer rate was 
 only 4.45 Mb/sec. The Bering boxes were running weblet, shorewall, 
 dnscache, dhcpd, ssh, sshd, sftp, snmp, and snmpd in addition to IPSEC, 
 and yet they were almost three times faster than commercial VPN 
 concentrators. 

If you want to have a bit more fun, switch your IPSec links to the new 
AES (ipsec_aes.o) encryption algorithm.  Designed to be more friendly to 
modern CPU's with wide registers and SIMD (Single Instruction Multiple 
Data) instruction sets (3DES is optimized for hardware, and doesn't 
translate nicely into a byte/word oriented general-purpose CPU 
algorithm), you should see a substantial increase in your transfer rates.

3DES is usually not much of a bottleneck (even with the 'slow' Nortel 
devices), as usually the upstream WAN link is substantially slower than 
the potential CPU throughput when compressing, but if you've got fast 
pipes, you'll notice a drastic difference by choosing an alternate 
encryption scheme.

-- 
Charles Steinkuehler
[EMAIL PROTECTED]







Re: [leaf-user] Is my NIC the bottleneck?

2004-04-15 Thread George Metz
You shouldn't be, because you were right that there's a bottleneck, you 
just missed what the bottleneck is.

A 768k T-1 or Cablemodem line is going to give you around 
90-95Kbytes/sec on a download, whereas your DSL is only turning out 
around 70Kbytes/sec. The reason for this is pretty straightforward: DSL 
uses ATM connections between the Central Office DSLAM and the ISP's 
router. Since ATM only works in packets 53 bytes large, a packet of 1500 
bytes gets chopped up into a bunch of other packets, each with its own 
control and error markers, and doesn't actually get reassembled until it 
arrives at the DSL modem. It's worse, too, if you've got PPPoE, as that 
adds in its own overhead.

The net result is, if you've got a DSL line of speed X, and a Cable line 
of speed X, then as long as the cable line isn't on an overloaded cable 
node, the cable line will be faster, because it doesn't have to convert 
to a half-dozen different Layer 2/3 Protocols along the way.

Oh, and yes, some DSL modems do have firewall/NAT routers built in these 
days, but they tend not to work too well for gaming applications.

George

Peter Nosko wrote:
pn] Thanks, all.  I'm ashamed that I was unable to do
that math myself.
--- [EMAIL PROTECTED] wrote:

Do you run your DSL modem as a modem only, or does
it do DHCP, DNS and firewall as well?


pn] Not sure what you mean (do DSL modems do all
that?).  My LEAF boxes do the DHCP, DNS and firewall
(and good 'ole routing).
pn] Hey Charles, E2B is still solid.  ;)

=

-
Peter Nosko ([EMAIL PROTECTED])
This is a good place for a tagline.
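The arithmetic this thread goes back and forth over (768 kbps nominal, 70-odd KB/s observed, James's 96-vs-93 kilo question, Joep's and Ray's overhead rules, and the ATM cell tax George describes), worked through as an added example that is not from the list. The per-packet encapsulation byte counts are assumptions for typical RFC 2684 and PPPoE setups, not numbers from the thread.

```python
import math

# ATM/AAL5 framing constants for the DSL circuits discussed in the thread.
ATM_CELL_BYTES = 53       # 5-byte header + 48-byte payload
ATM_CELL_PAYLOAD = 48
AAL5_TRAILER_BYTES = 8    # CPCS-PDU trailer (UU, CPI, length, CRC-32)
TCP_IP_HEADER_BYTES = 40  # IPv4 (20) + TCP (20), no options

# Assumed per-packet bytes added between IP and AAL5 (typical values, not from the
# thread): RFC 2684 VC-multiplexed IP adds nothing; bridged Ethernet carrying PPPoE
# adds the LLC/SNAP bridged header (10), the Ethernet header (14) and PPPoE+PPP (8).
ENCAPSULATION_BYTES = {
    "ipoa-vcmux": 0,
    "pppoe-bridged": 32,
}


def kbps_to_kbytes(kbps, kilo=1000):
    """Raw line rate in kilobytes/s; kilo=1000 or 1024 depending on what the ISP calls a kilo."""
    return kbps * 1000 / 8 / kilo


def atm_cells_for_packet(ip_bytes, encap_bytes):
    """Cells one IP packet occupies once the AAL5 trailer is added and the PDU padded to cells."""
    return math.ceil((ip_bytes + encap_bytes + AAL5_TRAILER_BYTES) / ATM_CELL_PAYLOAD)


def tcp_goodput(line_kbps, ip_mtu, encapsulation):
    """Bytes/s of TCP payload a full-size download can deliver on a line of the given ATM rate."""
    cells = atm_cells_for_packet(ip_mtu, ENCAPSULATION_BYTES[encapsulation])
    wire_bytes = cells * ATM_CELL_BYTES
    payload = ip_mtu - TCP_IP_HEADER_BYTES
    efficiency = payload / wire_bytes
    line_bytes = line_kbps * 1000 / 8
    return {
        "cells_per_packet": cells,
        "wire_bytes_per_packet": wire_bytes,
        "payload_bytes_per_packet": payload,
        "efficiency": efficiency,
        "goodput_bytes_per_sec": line_bytes * efficiency,
    }


def rule_of_thumb(line_kbps, overhead_fraction=0.10):
    """Ray's rule: knock a flat 10% off the line rate for packet overhead."""
    return line_kbps * 1000 / 8 * (1 - overhead_fraction)


if __name__ == "__main__":
    line = 768
    print(f"{line} kbps raw: {kbps_to_kbytes(line):.1f} KB/s (kilo=1000), "
          f"{kbps_to_kbytes(line, 1024):.2f} KB/s (kilo=1024)")
    print(f"10% rule of thumb: {rule_of_thumb(line) / 1024:.1f} KiB/s")
    for encap, mtu in (("ipoa-vcmux", 1500), ("pppoe-bridged", 1492)):
        r = tcp_goodput(line, mtu, encap)
        print(f"{encap:14s} mtu={mtu}: {r['cells_per_packet']} cells, "
              f"{r['wire_bytes_per_packet']} bytes on the wire for "
              f"{r['payload_bytes_per_packet']} payload bytes, "
              f"efficiency {r['efficiency']:.3f}, "
              f"goodput {r['goodput_bytes_per_sec'] / 1024:.1f} KiB/s")
```

The cell padding means a 1500-byte packet costs 32 cells (1696 bytes on the wire) for 1460 bytes of data, which is why the ceiling lands in the low 80s of KiB/s before any upstream ACK or loss effects.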


Re: [leaf-user] Is my NIC the bottleneck?

2004-04-15 Thread Ray Olszewski
At 10:57 AM 4/15/2004 +0200, [EMAIL PROTECTED] wrote:

Your ISP's theoretical 768 Kilo bps compared to your NIC's theoretical 10
Mega bps.
Me thinks your 10Mb NIC is not guilty.

Do you run your DSL modem as a modem only, or does it do DHCP, DNS and
firewall as well?
Gus
[EMAIL PROTECTED] wrote on 15-04-2004 00:10:31:
 pn] I'm still running E2B on a P166.  I have 768K
 SDSL, and my leaf box is connected to the DSL modem
 via a 10Mbps NIC.  The best speed I can download from
 anywhere is in the 70something KB/sec (as reported on
 a Windows box on the internal network).  I think I
 should be able to do faster downloads, but am not sure
 where I'm getting bottlenecked.


Based on the numbers you report, there is no bottleneck that needs an 
explanation ... or at worst a very small one. 70something KB/sec (big B = 
bytes, the way clients usually report transfer speed) translates to 
something between 560 and 640 Kbps (small b = bits, the measure used for 
DSL speed). That discrepancy is too small to need explaining, when you 
remember that there is also packet overhead and such to allow for (my rule 
of thumb is to allow 10% of capacity for this).

If there is any residual problem to be explained, you will need more exact 
numbers to detect it.







Re: [leaf-user] Is my NIC the bottleneck?

2004-04-15 Thread Marko Nurmenniemi
I have Bering-uClibc 2.1 setup in a 486/66 with 16MB.

With two ISA (SMC 8216C) 10M cards I have a TESTED ~7M/s download speed 
from a company internal FTP server. With 100M connection I was able to 
download (without the FW in the middle) 20M/s. Both tests were done in an 
Ethernet network without ADSL.

So this will prove that almost all ADSL speeds can be handled with a 
slow 486 level PC.
PC was actually ICL C4/33V with 25Mhz SX processor and a 66Mhz math 
co-processor.
Std. floppy version used without tweaking.

Home ADSL connection is 1M/512K and I get download speeds of 110K/s 
normally from university servers near me.

-Marko

Peter Nosko wrote:

pn] Thanks, all.  I'm ashamed that I was unable to do
that math myself.
--- [EMAIL PROTECTED] wrote:
 

Do you run your DSL modem as a modem only, or does
it do DHCP, DNS and firewall as well?
   

pn] Not sure what you mean (do DSL modems do all
that?).  My LEAF boxes do the DHCP, DNS and firewall
(and good 'ole routing).
pn] Hey Charles, E2B is still solid.  ;)





Re: [leaf-user] Bering 1.2 Throughput Test Results

2004-04-15 Thread Charles Steinkuehler
Roger E McClurg wrote:
Charles,

I did the test with the converted Bering-Contivity yesterday. I ran the 
VPN as AES then changed to 3DES and ran it again. AES was 6% slower. Any 
ideas why this would be the case?
I'd have to look at the code...I'm somewhat familiar with the 'stock' 
FreeS/WAN stuff, but haven't checked out the algorithm patch that adds 
the additional encryption options to SuperFreeS/WAN.

The only thing that comes immediately to mind is optimization.  3DES 
performs so pitifully that most architectures have hand-optimized 
assembler stubs for the 'guts' of the encryption routine.  If the AES 
routines are generic C code, it would likely explain the performance 
difference.

--
Charles Steinkuehler
[EMAIL PROTECTED]


Re: [leaf-user] Is my NIC the bottleneck?

2004-04-15 Thread Peter Nosko
--- George Metz [EMAIL PROTECTED] wrote:
 You shouldn't be, because you were right that
 there's a bottleneck, you 
 just missed what the bottleneck is.

pn] Hey George, thanks for eliminating my shame.  And
for the math & DSL lesson.

=

-
Peter Nosko ([EMAIL PROTECTED])
This is a good place for a tagline.




[leaf-user] Thanks

2004-04-15 Thread Roger E McClurg
Charles,

I never got around to thanking you for your help over the years, and for 
your contribution to LEAF. I cut my teeth on Dachstein and Eigerstein. I 
used them on quite a few different platforms, and I learned a lot along 
the way. I appreciate everything you have done, and thought it was high 
time I said so.

Roger






[leaf-user] Re: Thanks

2004-04-15 Thread Charles Steinkuehler
Roger E McClurg wrote:

Charles,

I never got around to thanking you for your help over the years, and for 
your contribution to LEAF. I cut my teeth on Dachstein and Eigerstein. I 
used them on quite a few different platforms, and I learned a lot along 
the way. I appreciate everything you have done, and thought it was high 
time I said so.
I appreciate the feedback, and am glad you found Dachstein and 
Eigerstein useful!

--
Charles Steinkuehler
[EMAIL PROTECTED]


Re: [leaf-user] Thanks

2004-04-15 Thread J.Clark
Ditto for me.  Started with LRP, then made my way up through the ranks to
Bering.  I am running a number of these boxes in production environments
now.  Although Snapgear may begin to put a dent in my deployments (my boss,
who cut his teeth on LRP alongside me, sure likes the small box, off the
shelf idea, especially because of his ability to manipulate it using his past
LRP experience), I will always have a use for these great boxes.

Thanks to Charles et al!

- Original Message - 
From: Roger E McClurg [EMAIL PROTECTED]
To: Charles Steinkuehler [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Thursday, April 15, 2004 1:26 PM
Subject: [leaf-user] Thanks


 Charles,

 I never got around to thanking you for your help over the years, and for
 your contribution to LEAF. I cut my teeth on Dachstein and Eigerstein. I
 used them on quite a few different platforms, and I learned a lot along
 the way. I appreciate everything you have done, and thought it was high
 time I said so.

 Roger






[leaf-user] shorewall policy question (lots of hits from fw to loc)

2004-04-15 Thread Matt
hi, i'm new to bering-uclibc and shorewall (but have used lrp and
dachstein).

I'm getting hundreds of icmp hits showing up in the shorewall log
between my bering box and one of my local machines.  here's an example:

Jan 1 00:00:00 unity Shorewall:all2all:REJECT: IN= OUT=eth0 MAC=
SRC=192.168.1.1 DST=192.168.1.5 LEN=83 TOS=00 PREC=0x00 TTL=64 ID=29297
PROTO=ICMP TYPE=3 CODE=0

eth0 is my lan interface (192.168.1.1), and ppp0 is the net interface (dialup).  I
think that a solution would be to add the following line to the
shorewall policy, but i have some questions on it...
fw loc ACCEPT

this seems like a very normal thing to do, so why is it not set in the
default config?  are there any reasons to not accept these connections
(other than local attacks on the firewall)?

thanks,
-matt







RE: [leaf-user] Bering 1.2 Throughput Test Results

2004-04-15 Thread Troy Aden
I had no problems adding the aes module. 
I am not exactly sure what you did but I will tell you what I did and
hopefully it helps you out. :) 

1. First copy the ipsec_aes.o module from the Modules archive to a formatted
floppy. 
2. Mount the floppy in your Bering box with this command: mount -t msdos
/dev/fd0u1440 /mnt
3. Next, copy the module file to your modules directory with this command:
cp ipsec_~1.o /lib/modules/ [ENTER]
4. Change directory to / (cd /) and type umount /mnt [ENTER]
5. Change directory again to /lib/modules/ 
6. We need to change the name of the module back to ipsec_aes.o now with
this command: cp ipsec_~1.o ipsec_aes.o [ENTER]
7. Then chmod the file with 644 with this command: chmod 644 ipsec_aes.o
8. Almost there! Now type lrcfg [ENTER] and go into /etc/modules. Add
ipsec_aes to the list of entries there.
9. Lastly, go into your IPSec config file and add esp=aes to the connection
config. (Check where I put it below to give you an idea)
10. Back up your changes! :)

I hope this helped. I have a question of my own for the list. :)

Can you have multiple rightsubnet= or leftsubnet= in your ipsec config for a
single connection? I want to connect two networks that have multiple
subnets. Thus far I have gotten away with just putting entries like
172.16.0.0/16 connecting to 192.168.0.0/16. That solution is no longer
practical however and I am wondering if I can change it to multiple
leftsubnet/rightsubnet entries to reflect the actual networks that I am
linking. Can anyone tell me the syntax I would use to do this? :)

Thanks in advance!

Troy (Still a newbie after years of LEAF)



-Original Message-
From: J.Clark [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 15, 2004 8:52 AM
To: [EMAIL PROTECTED]
Subject: Re: [leaf-user] Bering 1.2 Throughput Test Results

My question is how does one properly load this module?  I've tried loading
it from the modules package (/etc/modules) but when I try to restart ipsec
it fails because it can't unload the ipsec.o module due to the fact that it
is in use by the ipsec_aes.o module.

I'm sure I'm missing something here.  Should I replace the ipsec.o with
ipsec_aes.o or add a stub to the shutdown/restart script to unload
ipsec_aes.o first?

Dumb questions I'm sure but we all have to learn somehow =-)

- Original Message -
From: Roger E McClurg [EMAIL PROTECTED]
To: Troy Aden [EMAIL PROTECTED]
Cc: Charles Steinkuehler [EMAIL PROTECTED];
[EMAIL PROTECTED]
Sent: Wednesday, April 14, 2004 11:43 AM
Subject: RE: [leaf-user] Bering 1.2 Throughput Test Results


 Troy,

 It's not a dumb question. I just figured it out myself. In the connection
 defaults, or in the specific connection you want to use aes, just add
 esp=aes. Of course the ipsec-aes.o module must be loaded.

 Roger





 Troy Aden Troy.Aden@VCom.com
 04/14/2004 10:13 AM

 To: Roger E McClurg/CEG/[EMAIL PROTECTED], Charles Steinkuehler
 [EMAIL PROTECTED]
 cc: [EMAIL PROTECTED]
 Subject:RE: [leaf-user] Bering 1.2 Throughput Test Results


 I am sure this question is a silly one but here it goes.
 How do I go about changing the Encryption algorithm in Freeswan IPSec?
 I am using Bering Uclibc 2.0. I am using FreeSwan IPSec with PSK's for my
 connections. I did not see anything in the procedures for changing the
 encryption algorithms that this package uses. I am assuming that I would
 add the module (ipsec_aes.o) to /lib/modules/. But can anyone please tell
 me the command that I need to put in the IPSec config file to tell it
 specifically what algorithm to use?

 Thanks in advance!

 Troy

 Here is what my config looks like:

 config setup
 # THIS SETTING MUST BE CORRECT or almost nothing will work;
 # %defaultroute is okay for most simple cases.
 interfaces=%defaultroute
 # Debug-logging controls:  none for (almost) none, all for lots.
 klipsdebug=none
 plutodebug=none
 # Use auto= parameters in conn descriptions to control startup actions.
 plutoload=%search
 plutostart=%search
 # Close down old connection when new one using same ID shows up.
 uniqueids=yes



 # defaults for subsequent connection descriptions
 conn %default
 # How persistent to be in (re)keying negotiations (0 means very).
 keyingtries=0
 # RSA authentication with keys from DNS.
 authby=secret
 right=132.125.107.155
 rightsubnet=192.168.55.0/16
 rightnexthop=132.125.107.254
 esp=aes
 pfs=yes

 conn block
 auto=ignore

 conn private
 auto=ignore

 conn private-or-clear
 auto=ignore

 conn clear
 auto=ignore

 conn packetdefault
 auto=ignore

 conn troy
 left=139.145.45.166
 leftsubnet=10.10.65.0/24
 leftnexthop=139.145.45.129
 auto=start

 Here is what comes up when I start a connection:

 ipsec whack --initiate --name test
 
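The ten-step floppy procedure in Troy's message above, collapsed into one script. This is an added example, not code from the post or from the LEAF project: the floppy device, mount point, modules directory and /etc/modules path are passed in as arguments, so the defaults shown in install_from_floppy are assumptions taken from the steps, and steps 3 and 6 (copy under the mangled 8.3 name, then copy again under the real name) are folded into a single copy to the final name.

```shell
#!/bin/sh
# Added example (not from the thread). Installs an ipsec_aes.o module file
# the way Troy describes: copy from the msdos floppy, restore the real name,
# set mode 644, register it in the modules list once.
#
# install_module SRC MODULES_DIR MODULES_LIST
#   SRC          the module as it appears on the floppy (8.3 name, ipsec_~1.o)
#   MODULES_DIR  where the kernel modules live (/lib/modules on Bering)
#   MODULES_LIST the file lrcfg edits for autoloading (/etc/modules)
install_module() {
    src=$1
    moddir=$2
    modlist=$3
    target="$moddir/ipsec_aes.o"

    [ -f "$src" ] || { echo "source module $src not found" >&2; return 1; }
    [ -d "$moddir" ] || { echo "modules directory $moddir missing" >&2; return 1; }

    # Steps 3 and 6 in one go: copy straight to the proper module name,
    # so no stray ipsec_~1.o is left behind in the modules directory.
    cp "$src" "$target"

    # Step 7: owner-writable, world-readable; nothing else may modify a
    # file the kernel is going to load.
    chmod 644 "$target"

    # Step 8: add the module name to the autoload list, exactly once.
    touch "$modlist"
    grep -qx 'ipsec_aes' "$modlist" || echo 'ipsec_aes' >> "$modlist"
}

# Steps 1-5 plus the above, using the device and paths from the post.
# Needs root and a real floppy, so nothing calls it automatically here.
install_from_floppy() {
    mount -t msdos /dev/fd0u1440 /mnt || return 1
    install_module /mnt/ipsec_~1.o /lib/modules /etc/modules
    rc=$?
    umount /mnt
    return $rc
}
```

Step 9 (esp=aes in the connection description) and step 10 (back up) are still done by hand; the script only covers the file handling, and running install_module twice is harmless because the modules list is only appended when the entry is missing.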

RE: [leaf-user] Is my NIC the bottleneck?

2004-04-15 Thread Peter Mueller
Hello Peter,

Nice name ;-)

 Subject: [leaf-user] Is my NIC the bottleneck?
 
 pn] I'm still running E2B on a P166.  I have 768K
 SDSL, and my leaf box is connected to the DSL modem

I know it's already resolved, but I recommend using DSLReports's speed test
for this kind of thing.  Test a desktop from behind the LEAF server network,
then connect it directly to the DSL line and test again.  Using this method
you can see if there is a bottleneck in the router.  I usually run the test
3 times to get a nice average.

URL : http://www.dslreports.com/stest

P




Re: [leaf-user] Bering 1.2 Throughput Test Results

2004-04-15 Thread Charles Steinkuehler
Troy Aden wrote:
snip
I have a question of my own for the list. :)

Can you have multiple rightsubnet= or leftsubnet= in your ipsec config for a
single connection? I want to connect two networks that have multiple
subnets. Thus far I have gotten away with just putting entries like
172.16.0.0/16 connecting to 192.168.0.0/16. That solution is no longer
practical however and I am wondering if I can change it to multiple
leftsubnet/rightsubnet entries to reflect the actual networks that I am
linking. Can anyone tell me the syntax I would use to do this? :)
Thanks in advance!
Sure you can...sort of.  What you're missing is the fact that each 
additional [left|right]subnet entry requires a new connection 
specification.  If you don't have a lot of connections, managing them by 
hand (or maybe with some simple scripts) is possible.  If you decide you 
want to do this, I suggest using descriptive names for your connections 
to avoid any ambiguity based on IP addresses, i.e.:
  [left|[EMAIL PROTECTED]

If you find your configuration getting too complex, the next best option 
is probably to push the complexity from your IPSec configuration into 
the routing domain.  Remember you can only pass traffic that matches a 
connections endpoint specifications through an IPSec tunnel, so you 
can't simply use an IPSec connection like a virtual 'wire' and route 
traffic down it.  The way around this is to setup point-point IPSec 
connections between your gateway boxes (rather than the subnet-subnet 
links it sounds like you're using).  Once you have these links in place, 
you run GRE tunnels over the IPSec tunnels (so all traffic matches the 
source/destination IP's listed in the connection description), then run 
the routing protocol of your choice (or even static routing) across the 
GRE tunnels.

--
Charles Steinkuehler
[EMAIL PROTECTED]
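Charles's two points above, as an added example that is not from his message or from FreeS/WAN itself: one conn section is generated per left/right subnet pair, with descriptive names built from the site name and the subnet rather than bare IP addresses, and a second function emits the gateway-to-gateway (no subnet) connection that the GRE-plus-routing alternative would run over. The gateway addresses are documentation placeholders and the site names are made up; authby=secret and esp=aes follow the configuration quoted earlier in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Every additional [left|right]subnet
# needs its own connection description, so emit one "conn" per pair.
#
# gen_conns LEFT_NAME LEFT_GW "LEFT_SUBNET ..." RIGHT_NAME RIGHT_GW "RIGHT_SUBNET ..."
gen_conns() {
    lname=$1; lgw=$2; lsubs=$3
    rname=$4; rgw=$5; rsubs=$6
    for ls in $lsubs; do
        for rs in $rsubs; do
            # Descriptive, unambiguous names: site plus subnet, with the
            # dot and slash replaced so the name stays a plain token.
            ltag=$(printf '%s' "$ls" | tr './' '-_')
            rtag=$(printf '%s' "$rs" | tr './' '-_')
            cat <<EOF
conn ${lname}-${ltag}-to-${rname}-${rtag}
    left=$lgw
    leftsubnet=$ls
    right=$rgw
    rightsubnet=$rs
    authby=secret
    esp=aes
    auto=start

EOF
        done
    done
}

# The alternative: a single gateway-to-gateway connection with no subnets.
# Only traffic between the two gateway addresses matches it, which is why a
# GRE tunnel between the gateways (and routing over that tunnel) is needed
# to carry the subnets' traffic.
gen_host_conn() {
    lname=$1; lgw=$2; rname=$3; rgw=$4
    cat <<EOF
conn ${lname}-gw-to-${rname}-gw
    left=$lgw
    right=$rgw
    authby=secret
    esp=aes
    auto=start

EOF
}

# How many conn sections gen_conns produces for the same arguments
# (left subnets times right subnets).
count_conns() {
    gen_conns "$@" | grep -c '^conn '
}
```

With two subnets on one side and three on the other the generator writes six connections, which is about where managing them by hand stops being pleasant and the gateway-to-gateway plus GRE approach starts to pay off.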


RE: [leaf-user] Bering 1.2 Throughput Test Results

2004-04-15 Thread Peter Mueller
 I did the test with the converted Bering-Contivity yesterday. 
 I ran the 
 VPN as AES then changed to 3DES and ran it again. AES was 6% 
 slower. Any ideas why this would be the case?

AES should be faster.  I remember seeing a few posts about this.  For
example, http://lists.freeswan.org/pipermail/users/2002-February/007771.html
indicates 89mbps with AES as opposed to 44mbps with 3DES. Alternatively,
the creator of the patch for FreeSWAN indicated 'expect 3 to 2 performance'.

Are you sure you're not using double the keysize with your setup?  There has
to be some explanation.  AES _IS_ faster, at least on the 15 or so tunnels I
have created.

P




Re: [leaf-user] Bering 1.2 Throughput Test Results

2004-04-15 Thread leaf-user
That sounds probable..  Freeswan may default to AES256, which would be
similar in performance to 3DES (based on my experience with some
commercial VPN solutions).

Unfortunately, I don't know the exact syntax.. I've been messing with
the KAME IPSec that is in the 2.6 kernel and MacOS X/BSD, rather than 
Freeswan.  But, a google search for Freeswan configs turned up 
statements like:

esp=aes128-sha1,aes128-md5



On Thu, Apr 15, 2004 at 01:54:04PM -0700, Peter Mueller wrote:
  I did the test with the converted Bering-Contivity yesterday. 
  I ran the 
  VPN as AES then changed to 3DES and ran it again. AES was 6% 
  slower. Any ideas why this would be the case?
 
 AES should be faster.  I remember seeing a few posts about this.  For
 example, http://lists.freeswan.org/pipermail/users/2002-February/007771.html
 indicates 89mbps with AES as opposed to 44mbps with 3DES. Alternatively,
 the creator of the patch for FreeSWAN indicated 'expect 3 to 2 performance'.
 
 Are you sure you're not using double the keysize with your setup?  There has
 to be some explanation.  AES _IS_ faster, at least on the 15 or so tunnels I
 have created.
 
 P
 
 


Re: [leaf-user] shorewall policy question (lots of hits from fw to loc)

2004-04-15 Thread George Metz
The first thing I'd be doing here is NOT asking how to allow these 
packets to pass, but trying to figure out why they're being sent in the 
first place.

If you're using a default Bering install without monkeying with the 
Bering settings, and you're using DHCP, then your gateway should be 
192.168.1.254, and 192.168.1.1 would be a machine on your LAN.

Either way, if you're getting a flood of ICMP packets from anywhere to 
anywhere, it's questionable. I don't know of anything that would 
generate ICMP from a Bering box to anything without user input, at least 
in the basic setup, so a little forensics work would be in order to find 
out what's really going on.

Given the number of worms and virii out there that use ICMP sweeps to 
find vulnerable systems, I'd be hesitant to allow ICMP of any kind. It 
technically breaks RFC standards, but I don't know of anything that it 
actually causes a problem with by doing.

Matt wrote:

hi, i'm new to bering-uclibc and shorewall (but have used lrp and
dachstein).
I'm getting hundreds of icmp hits showing up in the shorewall log
between my bering box and one of my local machines.  here's an example:
Jan 1 00:00:00 unity Shorewall:all2all:REJECT: IN= OUT=eth0 MAC=
SRC=192.168.1.1 DST=192.168.1.5 LEN=83 TOS=00 PREC=0x00 TTL=64 ID=29297
PROTO=ICMP TYPE=3 CODE=0
eth0 is my lan interface (192.168.1.1), and ppp0 is the net interface (dialup).  I
think that a solution would be to add the following line to the
shorewall policy, but i have some questions on it...
fw loc ACCEPT
this seems like a very normal thing to do, so why is it not set in the
default config?  are there any reasons to not accept these connections
(other than local attacks on the firewall)?
thanks,
-matt






[leaf-user] using inetd to pon/poff or ifupdown ppp0

2004-04-15 Thread Matt
I've been playing around with inetd trying to get it to launch pon or 
poff when certain ports are hit.  I have opened shorewall on these ports 
(1022, 1021), configured /etc/services, /etc/inetd.conf, and 
/etc/protocols.  the lines I added are below.  I'm not sure why it 
doesn't work...

I don't NEED to do this through inetd, but i thought it would be 
convenient.  all I need is a simple way for people to manually 
start/stop ppp0 without ssh-ing in as root.  my first try was to create 
a cgi script for sh-httpd to run...but sh-httpd doesn't run scripts as 
root so it didn't work (i don't feel comfortable with suid root).

ideas please?

thanks,
-matt
services:
pppup   1021/tcp    # bring up ppp0 when hit
pppdown 1022/tcp    # bring down ppp0 when hit
inetd.conf:
pppup   stream  tcp nowait  root    /tmp/usr/bin/pon
pppdown stream  tcp nowait  root    /tmp/usr/bin/poff
protocols:
pppup   1021    TCP
pppdown 1022    TCP




Re: [leaf-user] shorewall policy question (lots of hits from fw to loc)

2004-04-15 Thread Tom Eastep
Matt wrote:
hi, i'm new to bering-uclibc and shorewall (but have used lrp and
dachstein).
I'm getting hundreds of icmp hits showing up in the shorewall log
between my bering box and one of my local machines.  here's an example:
Jan 1 00:00:00 unity Shorewall:all2all:REJECT: IN= OUT=eth0 MAC=
SRC=192.168.1.1 DST=192.168.1.5 LEN=83 TOS=00 PREC=0x00 TTL=64 ID=29297
PROTO=ICMP TYPE=3 CODE=0
eth0 is my lan interface (192.168.1.1), and ppp0 is the net interface (dialup).  I
think that a solution would be to add the following line to the
shorewall policy, but i have some questions on it...
fw loc ACCEPT
this seems like a very normal thing to do, so why is it not set in the
default config?  are there any reasons to not accept these connections
(other than local attacks on the firewall)?
If Netfilter connection tracking is working properly, ICMP 3/0 packets 
*are* accepted. These packets get generated by a REJECT Shorewall rule 
or policy for UDP requests.

-Tom
--
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]




Re: [leaf-user] shorewall policy question (lots of hits from fw to loc)

2004-04-15 Thread Tom Eastep
George Metz wrote:

Given the number of worms and virii out there that use ICMP sweeps to 
find vulnerable systems, I'd be hesitant to allow ICMP of any kind. It 
technically breaks RFC standards, but I don't know of anything that it 
actually causes a problem with by doing.

It breaks MTU discovery...

-Tom
--
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]




[leaf-user] looking for Bering 1.2 and 2.1 kernel .config files

2004-04-15 Thread wing newton
Greetings,

The .config files used to be with the development
files in the previous version of LRP/Bering e.g. rc3.
Where can I locate the linux kernel .config files for
1.2 and 2.1 ?

Thanks.

Newton





__
Do you Yahoo!?
Yahoo! Tax Center - File online by April 15th
http://taxes.yahoo.com/filing.html


---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470alloc_id=3638op=click

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html


Re: [leaf-user] shorewall policy question (lots of hits from fw to loc)

2004-04-15 Thread Tom Eastep
Tom Eastep wrote:
Matt wrote:

fw loc ACCEPT

this seems like a very normal thing to do, so why is it not set in the
default config?  are there any reasons to not accept these connections
(other than local attacks on the firewall)?


If Netfilter connection tracking is working properly, ICMP 3/0 packets 
*are* accepted. These packets get generated by a REJECT Shorewall rule 
or policy for UDP requests.

Also, are you setting 'norfc1918' on your ppp0 interface 
(/etc/shorewall/interfaces)?

-Tom
--
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]




[leaf-user] uClibc ipsec

2004-04-15 Thread Homer

Just installed the ipsec package from:

http://leaf.sourceforge.net/packages/uclibc-0.9/20/ipsec.lrp

Rebooted, and there's no ipsec.o :( Looked in the archive, and can't
find it there either :(

-- 
Homer Parker/\ ASCII Ribbon Campaign
BOFH for homershut.net  \ / No HTML/RTF in email
http://www.homershut.net x   No Word docs in email
telnet://bbs.homershut.net  / \ Respect for open standards

Bill Gates reports on security progress made and the challenges ahead.
-- Microsoft's Homepage, on the day an SQL Server bug crippled large
   sections of the Internet.






Re: [leaf-user] shorewall policy question (lots of hits from fw to loc)

2004-04-15 Thread Matt
On Thu, 2004-04-15 at 14:35, Matt wrote:
 hi, i'm new to bering-uclibc and shorewall (but have used lrp and
 dachstein).
 
 I'm getting hundreds of icmp hits showing up in the shorewall log
 between my bering box and one of my local machines.  here's an example:
 
 Jan 1 00:00:00 unity Shorewall:all2all:REJECT: IN= OUT=eth0 MAC=
 SRC=192.168.1.1 DST=192.168.1.5 LEN=83 TOS=00 PREC=0x00 TTL=64 ID=29297
 PROTO=ICMP TYPE=3 CODE=0
 
 eth0 is my lan interface (192.168.1.1), and ppp0 is the net interface (dialup).  I
 think that a solution would be to add the following line to the
 shorewall policy, but i have some questions on it...
 fw loc ACCEPT
 
 this seems like a very normal thing to do, so why is it not set in the
 default config?  are there any reasons to not accept these connections
 (other than local attacks on the firewall)?
 
 thanks,
 -matt

in a few hours (and a lot of comparing log entries to network activity)
I was able to determine that dhcp requests were causing the problem.
dhcp was actually working (client machines were being assigned
addresses, albeit not very gracefully) but the dhcp discover, offer, ack,
etc process wasn't able to complete due to shorewall blocking
something.  setting the dhcp option for eth0 in the shorewall
interface file fixed it.

Tom, i do not have 'norfc1918' set for my ppp interface.  i'll read up
on rfc1918 tomorrow, but do you know from experience if this should be
set?

thanks all,
-matt
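The comparing of log entries to network activity that Matt describes, done with a script rather than by eye: Tom's point is that the ICMP 3/0 packets are the firewall's own REJECT responses to UDP, so the useful question is which UDP traffic was rejected. This is an added example, not from the thread or from Shorewall; the log lines are constructed in the same format as the one Matt posted (the hosts mirror his setup, the MAC and the outside addresses are placeholders), and the functions read lines on stdin so the real log can be piped in instead.

```shell
#!/bin/sh
# Added example, not from the thread. Summarise Shorewall log lines and pair
# each firewall-generated ICMP 3/0 with the REJECTed UDP traffic behind it.

# Constructed sample in the Shorewall netfilter log format from the thread.
sample_log() {
cat <<'EOF'
Jan 1 00:00:00 unity Shorewall:loc2fw:REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.5 DST=192.168.1.1 LEN=328 TOS=00 PREC=0x00 TTL=64 ID=1 PROTO=UDP SPT=68 DPT=67 LEN=308
Jan 1 00:00:00 unity Shorewall:all2all:REJECT: IN= OUT=eth0 MAC= SRC=192.168.1.1 DST=192.168.1.5 LEN=83 TOS=00 PREC=0x00 TTL=64 ID=29297 PROTO=ICMP TYPE=3 CODE=0
Jan 1 00:00:01 unity Shorewall:loc2fw:REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.5 DST=192.168.1.1 LEN=328 TOS=00 PREC=0x00 TTL=64 ID=2 PROTO=UDP SPT=68 DPT=67 LEN=308
Jan 1 00:00:01 unity Shorewall:all2all:REJECT: IN= OUT=eth0 MAC= SRC=192.168.1.1 DST=192.168.1.5 LEN=83 TOS=00 PREC=0x00 TTL=64 ID=29298 PROTO=ICMP TYPE=3 CODE=0
Jan 1 00:00:02 unity Shorewall:net2all:DROP: IN=ppp0 OUT= MAC= SRC=203.0.113.9 DST=198.51.100.7 LEN=48 TOS=00 PREC=0x00 TTL=112 ID=777 PROTO=TCP SPT=3421 DPT=135
EOF
}

# stdin: log lines. stdout: "chain action proto src dst detail count", sorted.
# detail is the destination port for TCP/UDP or type/code for ICMP.
summarize_log() {
    awk '
    {
        chain = ""; action = ""; proto = ""; src = ""; dst = ""; detail = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^Shorewall:/) {
                split($i, p, ":"); chain = p[2]; action = p[3]
            } else if (index($i, "=") > 0) {
                k = substr($i, 1, index($i, "=") - 1)
                v = substr($i, index($i, "=") + 1)
                if (k == "PROTO") proto = v
                else if (k == "SRC") src = v
                else if (k == "DST") dst = v
                else if (k == "DPT") detail = "dpt=" v
                else if (k == "TYPE") detail = "type=" v
                else if (k == "CODE") detail = detail "/" v
            }
        }
        if (chain == "") next
        count[chain " " action " " proto " " src " " dst " " detail]++
    }
    END { for (k in count) print k, count[k] }
    ' | sort
}

# stdin: log lines. For every ICMP type 3 code 0 the firewall itself sent
# (empty IN=), report the host it went to and the UDP destination that host
# had been REJECTed on. That UDP traffic is the real cause of the "hits".
explain_icmp() {
    awk '
    {
        in_if = ""; src = ""; dst = ""; proto = ""; type = ""; code = ""; dpt = ""; action = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^Shorewall:/) { split($i, p, ":"); action = p[3] }
            else if (index($i, "=") > 0) {
                k = substr($i, 1, index($i, "=") - 1)
                v = substr($i, index($i, "=") + 1)
                if (k == "IN") in_if = v
                else if (k == "SRC") src = v
                else if (k == "DST") dst = v
                else if (k == "PROTO") proto = v
                else if (k == "TYPE") type = v
                else if (k == "CODE") code = v
                else if (k == "DPT") dpt = v
            }
        }
        if (proto == "UDP" && action == "REJECT") udp[src " " dst ":" dpt]++
        if (proto == "ICMP" && type == "3" && code == "0" && in_if == "") icmp[dst]++
    }
    END {
        for (h in icmp) {
            found = 0
            for (u in udp) {
                split(u, parts, " ")
                if (parts[1] == h) {
                    print h, "icmp3/0=" icmp[h], "rejected_udp=" parts[2], "count=" udp[u]
                    found = 1
                }
            }
            if (!found) print h, "icmp3/0=" icmp[h], "rejected_udp=none"
        }
    }
    ' | sort
}
```

On the sample, explain_icmp reports that 192.168.1.5 received two ICMP 3/0 from the firewall after two UDP packets to 192.168.1.1:67 were rejected, which is exactly the DHCP exchange Matt eventually found. If connection tracking is working as Tom says, the ICMP replies would be accepted as related traffic and never logged at all, so the line to act on is the rejected UDP: allow the specific service (the dhcp interface option, in this case) rather than a blanket fw to loc ACCEPT policy.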





Re: [leaf-user] uClibc ipsec

2004-04-15 Thread Martin Hejl
Homer wrote:
	Just installed the ipsec package from:

http://leaf.sourceforge.net/packages/uclibc-0.9/20/ipsec.lrp

Rebooted, and there's no ipsec.o :( Looked in the archive, and can't
find it there either :(
As described in http://leaf.sourceforge.net/doc/guide/buipsec.html, the 
ipsec.o module is located in the modules package which matches your 
kernel.

So, you want to get the modules tarball for the kernel you're using 
(Bering_uClibc_2.1.0_modules_2.4.24.tar.gz if you're using Bering uClibc 
2.1) and get ipsec.o from there (look in directory 
2.4.24/kernel/net/ipsec inside the tarball).

I hope that helps.

Martin





Re: [leaf-user] looking for Bering 1.2 and 2.1 kernel .config files

2004-04-15 Thread Martin Hejl
wing newton wrote:
Greetings,

The .config files used to be with the development
files in the previous version of LRP/Bering e.g. rc3.
Where can I locate the linux kernel .config files for
1.2 and 2.1 ?
The kernel configs used in Bering uClibc (as well as the patches needed) 
can be found in CVS at
http://cvs.sourceforge.net/viewcvs.py/leaf/src/bering-uclibc/configs/kernel/ 

I don't know about Bering, maybe somebody else can help with that.

Martin


