Re: [leaf-user] SNMPd using Dachstien netsnmpd.lrp

2004-04-26 Thread Charles Steinkuehler
Joey Officer wrote:
> Dave,
>
> Thanks for this tip, I see the biggest difference between the command you
> supplied and the command I was using is the version of the SNMP
> implementation.  I was under the impression that the version was v2 so I
> apologize for assuming, and not trying earlier.  Fortunately, using your
> step, I do begin to see data, however there are a couple of things that
> concern me.  I'll post the data that I see:
>
> [EMAIL PROTECTED] harryk]$ snmpwalk -v 1 -c public -m
> /usr/share/snmp/mibs/UCD-SNMP-MIB.txt firewall
> 1.1.0 = "Linux firewall 2.4.20 #1 Sun May 11 18:53:34 CEST 2003 i586"


From the firewall itself, try:
  snmpwalk localhost public
This same command (with localhost replaced with the actual IP or DNS 
name of your firewall, ie: snmpwalk 192.168.1.1 public) should work on 
any other system running net-snmpd, and typically returns *PAGES* of 
information.

> I get basically the same thing when I remove the -m option.  At any rate, I
> see that I am at least able to pull information (some) however what I have
> noticed is that I do not see any statistical information.  From what I have
> read through the snmpd.conf and through the mailing list, I should be able
> to use it without any major modification to the snmpd.conf file.  So I guess
> my next question is, do I need to modify the snmpd.conf file in order to
> retrieve eth 0/1/2 data, cpu usage, mem usage, etc... or should it work in
> its default form?

I think some modifications to the configuration are required...at least 
I always modify the config when bringing a new router online (it's been 
long enough since I've done this, however, I don't remember exactly what 
if anything needs to be changed for basic functionality).

Here's my current Bering snmpd configuration (with snmp community 
changed to public), which works fine for reading interface stats, 
processor load, etc. (warning: Lines will probably wrap, but you should 
be able to figure out the proper format given the example config file):

###
#
# snmpd.conf:
#   An example configuration file for configuring the ucd-snmp snmpd agent.
#
###
#
# This file is intended to only be as a starting point.  Many more
# configuration directives exist than are mentioned in this file.  For
# full details, see the snmpd.conf(5) manual page.
#
# All lines beginning with a '#' are comments and are intended for you
# to read.  All other lines are configuration commands for the agent.
###
# Access Control
###
# As shipped, the snmpd demon will only respond to queries on the
# system mib group until this file is replaced or modified for
# security purposes.  Examples are shown below about how to increase the
# level of access.
# By far, the most common question I get about the agent is "why won't
# it work?", when really it should be "how do I configure the agent to
# allow me to access it?"
#
# By default, the agent responds to the "public" community for read
# only access, if run out of the box without any configuration file in
# place.  The following examples show you other ways of configuring
# the agent so that you can change the community names, and give
# yourself write access to the mib tree as well.
#
# For more information, read the FAQ as well as the snmpd.conf(5)
# manual page.

# First, map the community name "public" into a "security name"
#       sec.name       source   community
com2sec notConfigUser  default  public

# Second, map the security name into a group name:
#       groupName       securityModel  securityName
group   notConfigGroup  v1             notConfigUser
group   notConfigGroup  v2c            notConfigUser

# Third, create a view for us to let the group have rights to:
#       name        incl/excl  subtree  mask(optional)
view    systemview  included   system

# Finally, grant the group read-only access to the systemview view.
#       group           context  sec.model  sec.level  prefix  read        write  notif
access  notConfigGroup  ""       any        noauth     exact   systemview  none   none



--
Charles Steinkuehler
[EMAIL PROTECTED]
---
This SF.net email is sponsored by: The Robotic Monkeys at ThinkGeek
For a limited time only, get FREE Ground shipping on all orders of $35
or more. Hurry up and shop folks, this offer expires April 30th!
http://www.thinkgeek.com/freeshipping/?cpg=12297

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
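
Added example (not part of the original thread, and not code from the LEAF or net-snmp projects): a small Python audit that resolves the com2sec -> group -> access -> view chain of the snmpd.conf directives posted above, reports which subtrees a community can read, and flags a well-known community string or an unrestricted source. The second configuration, its EXAMPLE-COMMUNITY string and the 192.168.1.0/24 management subnet are constructed placeholders.

```python
import shlex
from collections import defaultdict

DEFAULT_COMMUNITIES = {"public", "private"}

# The four directive types exactly as posted in the message above.
PAGE_CONF = '''
com2sec notConfigUser  default  public
group   notConfigGroup v1   notConfigUser
group   notConfigGroup v2c  notConfigUser
view    systemview  included  system
access  notConfigGroup ""  any  noauth  exact  systemview  none  none
'''

# Constructed comparison: placeholder community, source limited to an assumed
# management subnet, view extended to the system and interfaces subtrees.
RESTRICTED_CONF = '''
com2sec mgmtUser   192.168.1.0/24  EXAMPLE-COMMUNITY
group   mgmtGroup  v2c  mgmtUser
view    statsview  included  .1.3.6.1.2.1.1   # system
view    statsview  included  .1.3.6.1.2.1.2   # interfaces
access  mgmtGroup  ""  any  noauth  exact  statsview  none  none
'''

def parse_vacm(text):
    """Collect com2sec/group/view/access directives; other lines are ignored."""
    conf = {"com2sec": [], "group": [], "view": defaultdict(list), "access": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tok = shlex.split(line)          # keeps the empty "" context as a token
        kind, args = tok[0], tok[1:]
        if kind == "com2sec" and len(args) >= 3:
            conf["com2sec"].append(
                {"secname": args[0], "source": args[1], "community": args[2]})
        elif kind == "group" and len(args) >= 3:
            conf["group"].append(
                {"group": args[0], "model": args[1], "secname": args[2]})
        elif kind == "view" and len(args) >= 3:
            conf["view"][args[0]].append((args[1], args[2]))
        elif kind == "access" and len(args) >= 8:
            conf["access"].append(
                {"group": args[0], "model": args[2], "read": args[5], "write": args[6]})
    return conf

def included(conf, view):
    """Subtrees a view includes; an undefined view such as 'none' yields []."""
    return sorted(s for mode, s in conf["view"].get(view, []) if mode == "included")

def effective_access(conf):
    """Resolve community -> security name -> group -> access -> view."""
    rows = []
    for c in conf["com2sec"]:
        for g in conf["group"]:
            if g["secname"] != c["secname"]:
                continue
            for a in conf["access"]:
                if a["group"] == g["group"] and a["model"] in ("any", g["model"]):
                    rows.append({"community": c["community"], "source": c["source"],
                                 "read": included(conf, a["read"]),
                                 "write": included(conf, a["write"])})
    return rows

def readable_subtrees(text, community):
    """Everything a walk with this community string is allowed to return."""
    rows = effective_access(parse_vacm(text))
    return sorted({s for r in rows if r["community"] == community for s in r["read"]})

def audit(text):
    """Return sorted findings for weak community/source/write settings."""
    findings = set()
    for r in effective_access(parse_vacm(text)):
        who = f"community '{r['community']}' from {r['source']}"
        if r["community"] in DEFAULT_COMMUNITIES:
            findings.add(f"{who}: well-known community string")
        if r["source"] == "default":
            findings.add(f"{who}: accepted from any source address")
        if r["write"]:
            findings.add(f"{who}: write access to {', '.join(r['write'])}")
    return sorted(findings)

if __name__ == "__main__":
    for name, conf in (("posted", PAGE_CONF), ("restricted", RESTRICTED_CONF)):
        community = parse_vacm(conf)["com2sec"][0]["community"]
        print(name, "readable:", readable_subtrees(conf, community))
        for finding in audit(conf):
            print("  finding:", finding)
```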


Re: [leaf-user] IPsec between FreeS/WAN 1.91 (Dachstein) and Linksys router/Windows 2000 computer

2004-04-26 Thread Ramiro Morales
Hi

On 23 Apr 2004 at 16:52, Charles Steinkuehler wrote about "Re: [leaf-user] IPsec 
between FreeS/WAN 1.91 (Dac":

> Timothy J. Massey wrote:
> > Hello!
> > 
> > I'm using a Dachstein firewall with FreeS/WAN 1.91.  I would like to set up an
> > IPsec VPN with either a Linksys BEFVP41 router, or a Windows 2000 computer
> > behind it.
> > 
> > I have been unable to do either.  The router won't negotiate a tunnel 
> > with the LEAF firewall, and I can't seem to make the IPsec passthrough 
> > work, either.  The Windows 2000 computer does work if I plug it into the 
> > Internet directly, but not from behind the router.
> > 
> > Any ideas on what I could try?  Even a success story would be enough:  
> > it would be nice to know that it's possible.
> 
> [...]
> 
> After a quick review of the Linksys manual for your box, it looks like 
> it should work fine as an IPSec gateway with Dachstein's IPSec, as long 
> as you get the configuration correct.  Make sure you're selecting 3DES, 
> SHA, IKE (with perfect-forward-security), and have a properly setup 
> pre-shared key.
> 
> You also need to verify the basic tunnel configuration is correct (ie: 
> subnet-subnet, host-host, or subnet-host) and the IP's/networks match on 
> both ends.
> 
> There's probably useful information in the logs on both ends 
> (web-accessible on the Linksys, and in /var/log/auth.log on the 
> Dachstein box...also accessible via the web if you're running weblet).
> 
> We could probably help a lot more with some additional debugging info 
> from the logs and details of your ipsec.conf from Dachstein and the 
> configuration settings on the Linksys.

You could also try an update to Windows 2000 with NAT-T enhancements
published by M$ a year ago

http://support.microsoft.com/default.aspx?scid=kb;en-us;818043#6

Note that the article states you need Windows 2000 Service Pack 3 or 
greater but it doesn't say if the update got bundled with the Service
Pack 4.

Regards,

-
Ramiro





[leaf-user] Bering-uClib, pppoe question

2004-04-26 Thread Ivica Samija
Hi list,

I'm using Bering with ADSL connection for some time and it works great.
THX to all people who are doing a great job on LEAF project.
Now I'm trying to set up Bering-uClib 2.1 box on ADSL connection
P133
64Mb RAM
HDD
RTL8139 lan card
NE2000 ISA PnP lan card

Everything is working fine (drivers for lan cards are loaded and cards are
up), /etc/interfaces is configured, ppp.lrp and pppoe.lrp are loaded and
configured, but pppd is not starting at boot.
I have noticed that there is no /etc/init.d/ppp script (there was an
/etc/init.d/ppp script in Bering 1.2); can it be a reason for pppd not
starting?
Any help or hint would be great.
THX
Ivica





[leaf-user] Re: Floppy boot error help req.

2004-04-26 Thread Ray Olszewski
I'm cc'ing the leaf-user support list with this reply. Please direct future 
requests for assistance to it, not to me personally.

At 05:14 PM 4/26/2004 +, isandro belli wrote:

> hello ray
>
> I'm calling for some help to resolve a problem and I've got.
> thanks in advance for any..
> I am trying to find a solution to a problem in booting from a floppy (1.68M)
> for a LEAF Bering 2.4.16 on a
> ThinkPad 755c(floppy, 486DX100, 75MHz, 2 3com 589d pcmcia)
> Reading (among others) through your Oxygen distro docs:

Not mine. David Douthitt was the creator of Oxygen. I'm more of a kibitzer.

> -> Chapter 5. Using Floppy Disks
>
> I've found an I/O error message, similar to my own:
>
> -> end_request: I/O error, dev 02:2c (floppy), sector 19
>    ^
> mine is:
>
> ->
> -> VFS: Mounted root (minix filesystem).
> -> Mounting a 6M TMPFS filesystem...
> -> end_request: I/O error, dev 02:2c (floppy), sector 2
> -> MINIx-fs unable to read superblock ^

Context would help. I surmise that this is a boottime message, and 
boot/init fails at this point.

> the same floppy disk does work ok on a ThinkPad 380D, do you think that the:

Does "work ok" mean it boots/inits successfully? Or just that you can mount 
it and get a directory listing? For troubleshooting purposes, "work ok" 
needs to have the first of these meanings.

> Solution: This is a standard 1.44M floppy being mounted as a 1.68M floppy.

I don't know what this means.

Do you mean that the disk is formatted to 1.44 MB but is being mounted (by 
what?) at the mount point /dev/fd0u1680 ? (Probably not; I can't recall 
ever seeing a Bering boot disk that wasn't 1.68 MB.)

Or do you mean that the disk is sold as a 1.44 MB disk, but you've 
superformatted it to 1.68 MB? (If so, this is nothing special. A boot/init 
should be fine, and a post-init mount should be to /dev/fd0u1680.)

Or do you mean that you dd'd a 1.68 MB image to a floppy that had been 
formatted to 1.44 MB? (This is a bad idea. Use superformat to reformat it 
to 1.68 MB before you dd the image to it.) If you did the Windows 
equivalent of this, you will need to get advice from someone else, someone 
who knows Windows better than I do.

Or do you mean something else (what)?

> Mount it with the appropriate device file name: mount 
> /dev/fd0u1440 /mnt
>
> would apply here ?
>
> Any thoughts to fix the problem ?

Getting superformatted disks to work with floppy drives is always a bit hit 
or miss, since none of the drives sold is *officially* able to read above 
1.44 MB formatting. In practice most do, just as in practice most floppies 
themselves can handle the higher densities. If the disk itself fails even 
with a different floppy drive attached to the same computer, that certainly 
suggests that the problem is with the floppy controller on the failing 
laptop ... but I can offer no suggestions for what to do about it. (But 
even a 486 DX100 is plenty fast for LEAF, so if there is an ISR problem, it 
reflects poor design of the particular host, not a general problem with 
older machines.) Look for a list that supports that hardware, I guess.

About all I can suggest is that you try several different floppies. Since 
*none* of the components involved in the failure -- the disk, the drive, or 
the controller -- is ever tested with 1.68 MB densities, your hope is that 
you've run into a problem akin to "tolerance stacking", and that a 
different disk may perform better with the 755C's floppy controller.

> PS I attached the ThinkPad 380D floppy driver to my 755C, but same error 
> comes out.
> I think it might be a floppy drive interface timing problem (too slow 
> interrupt service or something similar)








Re: [leaf-user] Bering-uClib, pppoe question

2004-04-26 Thread K.-P. Kirchdörfer
On Monday, 26 April 2004 17:35, Ivica Samija wrote:
> Hi list,
>
> I'm using Bering with ADSL connection for some time and it works great.
> THX to all people who are doing a great job on LEAF project.
> Now I'm trying to set up Bering-uClib 2.1 box on ADSL connection
> P133
> 64Mb RAM
> HDD
> RTL8139 lan card
> NE2000 ISA PnP lan card
>
> Everything is working fine (drivers for lan cards are loaded and cards are
> up), /etc/interfaces is configured, ppp.lrp and pppoe.lrp are loaded and
> configured, but pppd is not starting at boot.
> I have noticed that there is no /etc/init.d/ppp script (there was an
> /etc/init.d/ppp script in Bering 1.2); can it be a reason for pppd not
> starting?

No, that's definitely not the reason.

I assume there is something wrong with your account (name, password) - please 
double-check. 
And come back with output collected from syslog/messages, probably with debug 
enabled in /etc/ppp/options, if it still won't work.


kp




Re: [leaf-user] SNMPd using Dachstien netsnmpd.lrp

2004-04-26 Thread Charles Steinkuehler
NOTE: Restored leaf-user list cc:

wing newton wrote:

> Charles,
>
> Which version of Bering that you are using for this ?
> Bering 1.2 ?

Bering 1.2, with slightly customized init scripts to run off of CD-ROM 
(see the leaf-devel list archives if you're really interested in exactly 
what I changed...it doesn't affect package setup/configuration).

> Where is your snmp package for this ?

I'm running with the 'split' netsnmp packages from my Dachstein-CD release:
http://lrp.steinkuehler.net/files/diskimages/dachstein-CD/CD-Contents/netsnmpd.lrp
http://lrp.steinkuehler.net/files/diskimages/dachstein-CD/CD-Contents/netsnmpu.lrp

> Is there a snmp(mib) xml gateway available ?

???  I have no idea...I typically don't mess with the MIBs or use much 
in the way of XML.

--
Charles Steinkuehler
[EMAIL PROTECTED]


RE: [leaf-user] SNMPd using Dachstien netsnmpd.lrp

2004-04-26 Thread Joey Officer
Charles,

After using the test command, on the firewall itself, I receive the
following error:

firewall: -root-
# snmpwalk localhost public
snmpwalk: error in loading shared libraries
libsnmp-0.4.2.1.so: cannot open shared object file: No such file or
directory

lrpkg -l gives the following:

firewall: -root-
# lrpkg -l
Name     Version     Description
========-===========-==============================================
initrd   V1.2        LEAF Bering initial filesystem
root     V1.2        Core LEAF Bering package
etc      V1.2        LEAF Bering /etc files
local    V1.2        LEAF Bering local package
modules  V1.2        Define & contain your LEAF Bering modules
iptables 1.2.8       IP packet filter administration tools for 2.4.
pump     0.8.14-2    DHCP/BOOTP client from Redhat
keyboard 0.3         Define your keyboard settings
shorwall 1.4.2       Shoreline Firewall (Shorewall)
ulogd    1.0         The Netfilter Userspace Logging Daemon
dnscache 1.05a       A fast & secure proxy DNS server
weblet   1.2.0       LEAF status via a small web server
dhcpd    2.0pl5      DHCP server for automatic IP assignment
mawk     1.3.3
libz     1.1.4       zlib compression library. Needed for openssh
ssh      3.5p1 compiled OpenSSH ssh & scp programs.
sshd     3.5p1 compiled OpenSSH sshd daemon.
sftp     3.5p1 compiled OpenSSH sftp client & server programs.
netutils
tc       ss010824    tc from iproute2-2.4.7-now-SS010824.tar.gz & p
qos-htb  0.8.3       QoS HTB based - HTB.init Quality Of Service pa
wireless 25          Wireless tools by J. Tourrilhes
ntpdate  4.1.0-8     client for setting system time from NTP server
ntpsimpl 4.1.0-8     NTP v4 daemon for simple systems from Debian
libm     2.1.1
libdb    2.0.7-1
netsnmpd 4.2.3       SNMP agent which binds to a port, awaits reque
netsnmpu 4.2.1-1-CS  http://net-snmp.sourceforge.net

If there is an incompatibility somewhere, perhaps it will need to get
documented.  Also, I compared my snmpd.conf file to what you have, and did
not see any discrepancies.  When I perform a walk (without options) from
another workstation, all I get are the values from my previous post.

Joey

-Original Message-
From: Charles Steinkuehler [mailto:[EMAIL PROTECTED]
Sent: Monday, April 26, 2004 6:38 AM
To: Joey Officer
Cc: Dave Hunt; 'Leaf-User'
Subject: Re: [leaf-user] SNMPd using Dachstien netsnmpd.lrp


Joey Officer wrote:
> Dave,
>
> Thanks for this tip, I see the biggest difference between the command you
> supplied and the command I was using is the version of the SNMP
> implementation.  I was under the impression that the version was v2 so I
> apologize for assuming, and not trying earlier.  Fortunately, using your
> step, I do begin to see data, however there are a couple of things that
> concern me.  I'll post the data that I see:
>
> [EMAIL PROTECTED] harryk]$ snmpwalk -v 1 -c public -m
> /usr/share/snmp/mibs/UCD-SNMP-MIB.txt firewall
> 1.1.0 = "Linux firewall 2.4.20 #1 Sun May 11 18:53:34 CEST 2003 i586"


 From the firewall itself, try:
   snmpwalk localhost public

This same command (with localhost replaced with the actual IP or DNS
name of your firewall, ie: snmpwalk 192.168.1.1 public) should work on
any other system running net-snmpd, and typically returns *PAGES* of
information.

> I get basically the same thing when I remove the -m option.  At any rate, I
> see that I am at least able to pull information (some) however what I have
> noticed is that I do not see any statistical information.  From what I have
> read through the snmpd.conf and through the mailing list, I should be able
> to use it without any major modification to the snmpd.conf file.  So I guess
> my next question is, do I need to modify the snmpd.conf file in order to
> retrieve eth 0/1/2 data, cpu usage, mem usage, etc... or should it work in
> its default form?

I think some modifications to the configuration are required...at least
I always modify the config when bringing a new router online (it's been
long enough since I've done this, however, I don't remember exactly what
if anything needs to be changed for basic functionality).

Here's my current Bering snmpd configuration (with snmp community
changed to public), which works fine for reading interface stats,
processor load, etc. (warning: Lines will probably wrap, but you should
be able to figure out the proper format given the example config file):


###
#
# snmpd.conf:
#   An example configuration file for configuring the ucd-snmp snmpd agent.
#

###
#
# This file is intended to only be as a starting point.  Many more
# confi

Re: [leaf-user] SNMPd using Dachstien netsnmpd.lrp

2004-04-26 Thread Charles Steinkuehler
Joey Officer wrote:
> Charles,
>
> After using the test command, on the firewall itself, I receive the
> following error:
>
> firewall: -root-
> # snmpwalk localhost public
> snmpwalk: error in loading shared libraries
> libsnmp-0.4.2.1.so: cannot open shared object file: No such file or
> directory
>
> lrpkg -l gives the following:

> netsnmpd 4.2.3       SNMP agent which binds to a port, awaits
> netsnmpu 4.2.1-1-CS  http://net-snmp.sourceforge.net

It looks like you're using my netsnmpu, but not my netsnmpd.  Try using 
matching netsnmpd and netsnmpu packages and you'll probably have better 
results.  From my working system:

# lrpkg -l | grep snmp
netsnmpd 4.2.1-1-CS  http://net-snmp.sourceforge.net
netsnmpu 4.2.1-1-CS  http://net-snmp.sourceforge.net

--
Charles Steinkuehler
[EMAIL PROTECTED]


RE: [leaf-user] SNMPd using Dachstien netsnmpd.lrp

2004-04-26 Thread Joey Officer
Charles,

That did it.  Apparently I was indeed using the wrong snmpd package,
although I could've sworn I was using the correct package.  When running the
snmpwalk this time, I get good results.  Thanks for bearing with me through
this.  I will have to try and track down where I got the other file from.
Thanks again.

I'll post if I find any more problems, but I think this was the big step
that I kept fumbling with.

Joey

-Original Message-
From: Charles Steinkuehler [mailto:[EMAIL PROTECTED]
Sent: Monday, April 26, 2004 6:00 PM
To: Joey Officer
Cc: 'Leaf-User'
Subject: Re: [leaf-user] SNMPd using Dachstien netsnmpd.lrp


Joey Officer wrote:
> Charles,
>
> After using the test command, on the firewall itself, I receive the
> following error:
>
> firewall: -root-
> # snmpwalk localhost public
> snmpwalk: error in loading shared libraries
> libsnmp-0.4.2.1.so: cannot open shared object file: No such file or
> directory
>
> lrpkg -l gives the following:


> netsnmpd 4.2.3       SNMP agent which binds to a port, awaits
> netsnmpu 4.2.1-1-CS  http://net-snmp.sourceforge.net

It looks like you're using my netsnmpu, but not my netsnmpd.  Try using
matching netsnmpd and netsnmpu packages and you'll probably have better
results.  From my working system:

# lrpkg -l | grep snmp
netsnmpd 4.2.1-1-CS  http://net-snmp.sourceforge.net
netsnmpu 4.2.1-1-CS  http://net-snmp.sourceforge.net

--
Charles Steinkuehler
[EMAIL PROTECTED]





[leaf-user] ULOGD with mySQL support

2004-04-26 Thread AdStar
Hi there,

Umm I'm not too flash at the whole *nix side of things, so I thought I would
ask.

Has/Can anyone make up the ulogd.lrp package for me but include the mysql
stuff.
Seeing as Shorewall etc can output via ulogd I thought it would be nice to
have my firewall info going into mysql for me to then analyse later.

If not, maybe some people can point me in the right direction  and I'll give
it a go myself.

Cheers
Ad




[leaf-user] Dachstein as border_router? (public ip addresses etc)

2004-04-26 Thread Craig Johnson
Wondering if I can get some help?

I have a static public IP from ISP for an ADSL account (call it
addrISP). We also have our own public IP range. I want to set up a LEAF
box (eg dachstein), which holds the addrISP on one NIC, and one of our
public IP addresses on another NIC. Then it will route all traffic
through to other servers on the public IP addresses. Also there is an
internal network behind one of the other public IP addresses, with a
VPN server attached.

So, two questions:

* what is the best way/distro to set up a LEAF box as this kind of border
router? (I noticed references to border_router options on the dachstein
network.conf documentation page, but haven't been able to find any
substantial documentation about setting one up.)

* how do I also set up the LEAF box so that it can receive VPN server
requests on its IP address (addrISP), but forward those requests to be
served by another firewall server connected to the internal lan?

Diagrammatically, I guess I want something like:

                     [Internet]
                         |
                   eth0 (addrISP)
                         |
                     LEAF Box
                         |
                   eth1 (addrPUBA)
                         |
        -----------------------------------
        |                |                |
   (addrPUBB)       (addrPUBC)       (addrPUBD)
Server 1 (VPN etc)   Server 2         Server 3
   (addrPRIVA)
        |
 internal network


Thanks!

Craig




Re: [leaf-user] Dachstein as border_router? (public ip addresses etc)

2004-04-26 Thread George Metz
Don't know about shorewall (which you would have to configure to allow 
VPN traffic to pass through to that specific IP address), but what you 
basically want it to do is substitute for a traditional router. 
Effectively, you'd simply have to turn off NAT and let DNS and the 
public IP addresses do the rest.

I'd probably use Bering or Bering-uClibC instead of Dachstein, which I 
don't think is actively developed any longer. (Charles, please hit me 
with the correction-bat if that's wrong.)

Configuring Shorewall, on the other hand, is pretty straightforward; all 
you need to do is forward the ports you want to hit each device to the 
respective devices, and deny all (probably both ways - loc to net and 
net to loc) on everything else.

Going from memory, the commands would be:

ACCEPT	net	loc:addrPUBB	TCP/UDP*	PortNum

* Whichever protocol is correct.

That would be VPN. If addrPUBC is a Web and FTP server, and addrPUBD is 
a mailserver, then you'd do:

ACCEPT	net	loc:addrPUBC	TCP	http
ACCEPT	net	loc:addrPUBC	TCP	https
ACCEPT	net	loc:addrPUBC	TCP	ftp
ACCEPT	net	loc:addrPUBC	TCP	ftp-data
ACCEPT	net	loc:addrPUBD	TCP	smtp

(Again, please correct me if I've flubbed this.)

The routing itself, any variant of LEAF is going to be able to 
accomplish with ease, as it will be straight vanilla routing without 
even a need for connection tracking, because there's no NAT type stuff 
going on. Shorewall shouldn't be too tough, either, as long as you know 
what needs access where.

Craig Johnson wrote:
> Wondering if I can get some help?
>
> I have a static public IP from ISP for an ADSL account (call it
> addrISP). We also have our own public IP range. I want to set up a LEAF
> box (eg dachstein), which holds the addrISP on one NIC, and one of our
> public IP addresses on another NIC. Then it will route all traffic
> through to other servers on the public IP addresses. Also there is an
> internal network behind one of the other public IP addresses, with a
> VPN server attached.
>
> So, two questions:
>
> * what is the best way/distro to set up a LEAF box as this kind of border
> router? (I noticed references to border_router options on the dachstein
> network.conf documentation page, but haven't been able to find any
> substantial documentation about setting one up.)
>
> * how do I also set up the LEAF box so that it can receive VPN server
> requests on its IP address (addrISP), but forward those requests to be
> served by another firewall server connected to the internal lan?
>
> Diagrammatically, I guess I want something like:
>
>                      [Internet]
>                          |
>                    eth0 (addrISP)
>                          |
>                      LEAF Box
>                          |
>                    eth1 (addrPUBA)
>                          |
>         -----------------------------------
>         |                |                |
>    (addrPUBB)       (addrPUBC)       (addrPUBD)
> Server 1 (VPN etc)   Server 2         Server 3
>    (addrPRIVA)
>         |
>  internal network
>
> Thanks!
>
> Craig





Re: [leaf-user] Difficulty with Aliases

2004-04-26 Thread Stirling Westrup
On 21 Apr 2004 at 17:53, freeman wrote:

> I'm running Bering 1.2 Release.
> 
> I have created a large number of aliases within /etc/profile and they 
> mostly work. However some of them do not get recognized as valid in that
> when I enter a valid alias at the shell. For example:
>   m16
> I get the response:
>  m16: not found
> 
> However when I enter:
>  alias m16
> it tells me:
> alias m16=mount -t msdos /dev/fd0u1680 /mnt/16 ; cd /mnt/16
> 
> so it should work?!
> 
> I've sought on the net for info about aliases and found nothing 
> indicating a limitation on their number or collective size.

I had a similar problem recently and it turned out the alias was being 
invoked but the command it was running was issuing the 'not found' error. 
What happens if you type

mount -t msdos /dev/fd0u1680 /mnt/16 ; cd /mnt/16

at a shell prompt?

-- 
 Stirling Westrup  |  Use of the Internet by this poster
 [EMAIL PROTECTED]   |  is not to be construed as a tacit
   |  endorsement of Western Technological
   |  Civilization or its appurtenances.





Re: [leaf-user] Upgrade to uClibc

2004-04-26 Thread Stirling Westrup
On 23 Apr 2004 at 10:30, ALParada wrote:

> Hi Everyone,
> 
> A newbie question. I have been using Bering for about 6 months now and want to
> try uClibc. I was hoping to bring in all my lrp's and modules and basically
> reboot. Is this possible or do I need to start from scratch? I did read
> something about packages needing to be recompiled but not sure if this applies
> to Bering packages. My main reason in doing this is to use the openvpn
> package. I understand the Bering package may have some issues. Any suggestions
> or shortcuts will be appreciated.
> 
I did the Bering to uClibc upgrade about 6 months ago. I found the best thing 
to do was just to copy all of the files in /etc (and its subdirectories) 
from a running Bering to another machine and keep them for reference or print 
them out. Then you should replace everything with a clean version of 
Bering-uClibc, install any missing modules or packages, and configure it. With the 
saved files from the old Bering you'll find it a breeze to set up the new 
system in the same way. (But do it by using the old files as hints, they 
can't be used exactly as is.)

This technique had me with a new working system in just under an hour. (Of 
course, that made me ambitious and I installed all sorts of things that I 
hadn't been running before and it's taken some time to sort all of THAT out.)

-- 
 Stirling Westrup  |  Use of the Internet by this poster
 [EMAIL PROTECTED]   |  is not to be construed as a tacit
   |  endorsement of Western Technological
   |  Civilization or its appurtenances.


