Re: [leaf-user] RFC1918 packets to NET
At 16:44 15.07.2004 +0300, [EMAIL PROTECTED] wrote:

> > I've noticed that when installing the default shorewall configuration of Bering-* there is no block of rfc1918 packets going out to NET. That is, a traceroute from LOC to any address not included in the LOCAL LAN but in the RFC1918 range will go out and traverse the net (default route).
>
> Are you tracing the external interface? You should see a masqueraded source address there.
>
> > Who is responsible for stopping these packets ???
>
> NAT

OK, I shall make this more clear ... I am referring to the Destination Address...

Suppose LOC=192.168.1.0/24, DMZ=NONE, NET IF=ppp0=62.12.1.1 (DYNAMIC). No other addresses are involved in this hypothetical configuration.

Suppose a user from the LOC LAN with address 192.168.1.4 pings or traceroutes to 10.0.1.1, which is not used in local or any other zone. 10.0.1.1 is DST.

If an observer in the net zone (the ISP) observes packets coming in from source address 62.12.1.1:

    tcpdump -i someif0 src host 62.12.1.1

she will see these ping or traceroute packets with the following characteristics:

    SRC=62.12.1.1 DST=10.0.1.1

Am I right or am I right ???

So we have a packet destined to private address space looking around the internet to contact address 10.0.1.1 (noise).

So let me repeat: who is responsible to stop or drop or kill this packet? The ISP or the firewall admin ???

Best Regards
Harry

---
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools! Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=4721alloc_id=10040op=click

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
[leaf-user] Dropbear and sshd in Bering_uClibc 2.1.3
HI AGAIN,

I am new to LEAF and have just got my Leaf system running. However, I have been reading about dropbear, dropbearkeys, and SSH and it seems as if these have to do with some sort of remote admin packages. Am I right? Is there some good beginner information you could point me to to read about these topics? Or could you tell me what they do and their benefits?

Thanks,
Andrew
RE: [leaf-user] RFC1918 packets to NET
Hi!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, July 16, 2004 7:06 AM
To: [EMAIL PROTECTED]
Subject: Re: [leaf-user] RFC1918 packets to NET

> At 16:44 15.07.2004 +0300, [EMAIL PROTECTED] wrote:
>
> > I've noticed that when installing the default shorewall configuration of Bering-* there is no block of rfc1918 packets going out to NET. That is, a traceroute from LOC to any address not included in the LOCAL LAN but in the RFC1918 range will go out and traverse the net (default route).

RFC1918 cannot be blocked by default, because some ISPs provide these addresses to their customers, so if we did block them Bering-uClibc would no longer work, and that would be our fault.

[snip]

> Suppose a user from the LOC LAN with address 192.168.1.4 pings or traceroutes to 10.0.1.1, which is not used in local or any other zone. 10.0.1.1 is DST.
>
> If an observer in the net zone (the ISP) observes packets coming in from source address 62.12.1.1:
>
>     tcpdump -i someif0 src host 62.12.1.1
>
> she will see these ping or traceroute packets with the following characteristics:
>
>     SRC=62.12.1.1 DST=10.0.1.1
>
> Am I right or am I right ???
>
> So we have a packet destined to private address space looking around the internet to contact address 10.0.1.1 (noise).
>
> So let me repeat: who is responsible to stop or drop or kill this packet? The ISP or the firewall admin ???

IMHO it is the firewall admin's responsibility.

Use 'norfc1918' in the interface that connects to the net in '/etc/shorewall/interfaces'.

Luis Correia
Bering uClibc Team Member
PGP Fingerprint: BC44 D7DA 5A17 F92A CA21 9ABE DFF0 3540 2322 21F6
Key Server: http://pgp.mit.edu
RE: [leaf-user] RFC1918 packets to NET
Hi!

> > I've noticed that when installing the default shorewall configuration of Bering-* there is no block of rfc1918 packets going out to NET. That is, a traceroute from LOC to any address not included in the LOCAL LAN but in the RFC1918 range will go out and traverse the net (default route).
>
> RFC1918 cannot be blocked by default, because some ISPs provide these addresses to their customers, so if we did block them Bering-uClibc would no longer work, and that would be our fault.
>
> [snip]
>
> > Suppose a user from the LOC LAN with address 192.168.1.4 pings or traceroutes to 10.0.1.1, which is not used in local or any other zone. 10.0.1.1 is DST.
> >
> > If an observer in the net zone (the ISP) observes packets coming in from source address 62.12.1.1:
> >
> >     tcpdump -i someif0 src host 62.12.1.1
> >
> > she will see these ping or traceroute packets with the following characteristics:
> >
> >     SRC=62.12.1.1 DST=10.0.1.1
> >
> > Am I right or am I right ???
> >
> > So we have a packet destined to private address space looking around the internet to contact address 10.0.1.1 (noise).
> >
> > So let me repeat: who is responsible to stop or drop or kill this packet? The ISP or the firewall admin ???
>
> IMHO it is the firewall admin's responsibility.
>
> Use 'norfc1918' in the interface that connects to the net in '/etc/shorewall/interfaces'.

NOPE

The norfc1918 option in the interfaces file is about packets that come IN from NET to the net interface. Not about packets that go out destined to rfc1918 address space and the net... At least it operates like that... I don't know if it was intended to operate both ways.

The funny thing that I saw with this experiment is that when I traceroute some rfc1918 address I get full legitimate responses from the ISP's routers out there.

I stopped them by typing a few lines to the rules file:

    [DROP]|[REJECT]    loc    net:192.168.0.0/16    all

etc.

Regards
Harry... Please consider me as a Fool.
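Harry's rules entry above drops loc-to-net traffic for 192.168.0.0/16 only, and the earlier message describes what the ISP-side observer sees with tcpdump. The following shell script is an added example, written for this page and not taken from the thread or from the Bering/Shorewall projects: it classifies the destination of each line of tcpdump output from the external interface and reports the ones that fall in any of the three RFC1918 ranges (10/8, 172.16/12, 192.168/16), which is more general than the single /16 in the rules. The sample lines are constructed to mimic the default "IP src > dst:" format of `tcpdump -tn`, using the hypothetical interface name and addresses from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): spot packets that leave the external
# interface with an RFC1918 destination, i.e. traffic the firewall admin should
# have dropped (DROP loc net:<rfc1918 range> in /etc/shorewall/rules) before the
# ISP ever sees it.

# is_rfc1918 <dotted-quad>: succeed if the address is in 10/8, 172.16/12 or 192.168/16
is_rfc1918() {
    IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
    case "$o1.$o2" in
        10.*)    return 0 ;;          # 10.0.0.0/8
        192.168) return 0 ;;          # 192.168.0.0/16
    esac
    if [ "$o1" = 172 ] && [ "$o2" -ge 16 ] && [ "$o2" -le 31 ]; then
        return 0                      # 172.16.0.0/12
    fi
    return 1
}

# private_destinations: read "tcpdump -tn" lines on stdin, print every RFC1918
# destination address (one per packet), ports stripped.
private_destinations() {
    awk '$1 == "IP" && $3 == ">" {
            dst = $4
            sub(/:$/, "", dst)                 # "10.0.1.1:" -> "10.0.1.1"
            n = split(dst, o, ".")
            if (n == 5)                        # "10.0.1.1.33434" -> drop the port
                dst = o[1] "." o[2] "." o[3] "." o[4]
            print dst
         }' | while read -r dst; do
        if is_rfc1918 "$dst"; then
            printf '%s\n' "$dst"
        fi
    done
}

# Constructed sample, as the ISP-side observer in the thread would see it with
# "tcpdump -tn -i someif0 src host 62.12.1.1": one ICMP echo, two traceroute UDP
# probes and one TCP SYN. Only the last one has a legitimate public destination.
SAMPLE='IP 62.12.1.1 > 10.0.1.1: ICMP echo request, id 1, seq 1, length 64
IP 62.12.1.1.40000 > 192.168.5.7.33434: UDP, length 32
IP 62.12.1.1.40001 > 172.20.1.1.33435: UDP, length 32
IP 62.12.1.1.51234 > 198.51.100.9.80: Flags [S], seq 1, win 64240, length 0'

# count_private_leaks: number of sample packets with an RFC1918 destination
count_private_leaks() {
    printf '%s\n' "$SAMPLE" | private_destinations | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE" | private_destinations
```

Run it on live data with `tcpdump -tn -i ppp0 src host <your external address> | private_destinations`; any output means a loc host is probing private space through the default route. Note Luis's caveat above before converting the finding into DROP rules: if the ISP hands out RFC1918 addresses on the external link, the ISP gateway itself must be excluded from the block.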
RE: [leaf-user] Using LEAF (Bering-uClibc) as a router (no shorewall)
Ben,

> I want to use LEAF as a simple router inside my internal networks. I don't need any firewalling or NAT.

If you have Bering-uClibc 2.1:
- delete all references to shorewall in syslinux.cfg

If you have Bering-uClibc 2.2:
- delete all references to shorewall in leaf.cfg

In both cases you may want to delete shorwall.lrp to save space.

Then you should have a system that comes up without any iptables rules and things like that. You now have to configure your interfaces in /etc/network/interfaces. You may want to enable ip_forward in /etc/network/options in order for the router to actually forward packets.

Don't forget to back up etc. ;)

Bye,
Frank
Re: [leaf-user] multiple port bridging/filtering
Erich Titl wrote:
> Charles
>
> interesting approach, do you do any mac based filtering?

Not at the moment...filtering is strictly based on IP (and on the interface a system is connected to).

--
Charles Steinkuehler
[EMAIL PROTECTED]
RE: [leaf-user] Using LEAF (Bering-uClibc) as a router (no shorewall)
The first thing that came to mind to do this was to change the following in the shorewall policy file:

    all    all    REJECT    ULOG

to

    all    all    ACCEPT

However this doesn't meet the requirement of getting rid of shorewall. Also, I don't know what the performance implications are of doing it this way versus eliminating Shorewall. Maybe someone can comment on that.

- Bob Coffman

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Ben Conrad
Sent: Thursday, July 15, 2004 5:59 PM
To: [EMAIL PROTECTED]
Subject: [leaf-user] Using LEAF (Bering-uClibc) as a router (no shorewall)

> Hello,
>
> I want to use LEAF as a simple router inside my internal networks. I don't need any firewalling or NAT. What is the best way to turn off all the Shorewall and IPTables configurations so that I can pass all traffic in/out of eth0 and eth1?
>
> I tried to rename /etc/rc2.d/S41shorewall and then backed up all the packages but on next boot the /etc/rc2.d/S41shorewall still exists!
>
> Thanks,
> Ben
Re: [leaf-user] multiple port bridging/filtering
Erich Titl wrote:
> Charles
>
> At 06:57 16.07.2004 -0500, Charles Steinkuehler wrote:
> > Erich Titl wrote:
> > > Charles
> > >
> > > interesting approach, do you do any mac based filtering?
> >
> > Not at the moment...filtering is strictly based on IP (and on the interface a system is connected to).
>
> Thanks, one more question though, IIRC you can only proxy arp a single address per interface.

Definitely not so -- you can have multiple entries in your proxyarp file for the same (pair of) interface(s) and you can also use the proxyarp option in /etc/shorewall/interfaces to use Proxy ARP on ALL hosts attached to an interface.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
[leaf-user] arm-linux Cross Debugger
Hello everyone,

I am cross compiling an arm program using arm-linux-gcc. Now I want to use a debugger to trace my program using arm-linux-gdb from an x86 machine. That is - cross debug an arm-linux program from a linux-i386 machine. I would also like to know where the simulator would be ??

My gdb's version is 5.3, and I built it like this:

for the first time
    ./configure --target=arm-linux
    make
    make install

I did not get the binaries of the gdb simulator and arm-cross-debugger. I tried like this now --- and like this also ---

for the second time
    ./configure --target=arm-linux --build=i686-pc-linux-gnu --prefix=/usr

--- for the third time
    ./configure --host=i686-pc-linux-gnu --target=arm-linux --prefix=/usr x --prefix=/usr

followed by make and make install.

But now I got the arm-linux-gdb, but an invocation problem. Could someone here tell me how to use arm-linux-run and arm-linux-gdb? When I use arm-linux-run hello, nothing happened. When I use arm-linux-gdb hello, entering the gdb environment, and type run, it flashes the message 'Try 'help target''. I need to set up the cross debugger and simulator in x86 for arm. Kindly give tips.

Any Help is Highly appreciated.

Thanks
Regards.
karthik bala guru
Re: [leaf-user] multiple port bridging/filtering
Tom

At 06:36 16.07.2004 -0700, you wrote:
> Erich Titl wrote:
> > Charles
> >
> > At 06:57 16.07.2004 -0500, Charles Steinkuehler wrote:
> > > Erich Titl wrote:
> > > > Charles
> > > >
> > > > interesting approach, do you do any mac based filtering?
> > >
> > > Not at the moment...filtering is strictly based on IP (and on the interface a system is connected to).
> >
> > Thanks, one more question though, IIRC you can only proxy arp a single address per interface.
>
> Definitely not so -- you can have multiple entries in your proxyarp file for the same (pair of) interface(s) and you can also use the proxyarp option in /etc/shorewall/interfaces to use Proxy ARP on ALL hosts attached to an interface.

Thanks, will go back to the drawing board

Erich

THINK
Püntenstrasse 39
8143 Stallikon
mailto:[EMAIL PROTECTED]
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16
Re: [leaf-user] arm-linux Cross Debugger
Just what does this have to do with LEAF? I think this is very off topic and as such is SPAM!!! As a guru you should have known this!

On Fri, 16 Jul 2004, karthik bala guru wrote:

> Date: Fri, 16 Jul 2004 06:52:03 -0700 (PDT)
> From: karthik bala guru [EMAIL PROTECTED]
> To: Robert K Coffman Jr - Info From Data Corporation [EMAIL PROTECTED], Ben Conrad [EMAIL PROTECTED], [EMAIL PROTECTED]
> Subject: [leaf-user] arm-linux Cross Debugger
>
> Hello everyone,
>
> I am cross compiling an arm program using arm-linux-gcc. Now I want to use a debugger to trace my program using arm-linux-gdb from an x86 machine. That is - cross debug an arm-linux program from a linux-i386 machine. I would also like to know where the simulator would be ??
>
> My gdb's version is 5.3, and I built it like this:
>
> for the first time
>     ./configure --target=arm-linux
>     make
>     make install
>
> I did not get the binaries of the gdb simulator and arm-cross-debugger. I tried like this now --- and like this also ---
>
> for the second time
>     ./configure --target=arm-linux --build=i686-pc-linux-gnu --prefix=/usr
>
> --- for the third time
>     ./configure --host=i686-pc-linux-gnu --target=arm-linux --prefix=/usr x --prefix=/usr
>
> followed by make and make install.
>
> But now I got the arm-linux-gdb, but an invocation problem. Could someone here tell me how to use arm-linux-run and arm-linux-gdb? When I use arm-linux-run hello, nothing happened. When I use arm-linux-gdb hello, entering the gdb environment, and type run, it flashes the message 'Try 'help target''. I need to set up the cross debugger and simulator in x86 for arm. Kindly give tips.
>
> Any Help is Highly appreciated.
>
> Thanks
> Regards.
> karthik bala guru

Larry Platzek
[EMAIL PROTECTED]
Re: [leaf-user] Using LEAF (Bering-uClibc) as a router (no shorewall)
Thanks all,

I removed shorewall from the syslinux.cfg and set ip_forward=yes. I set up a temporary route on my firewall to point to the network behind the LEAF router and it's working!

Ben

On Fri, 16 Jul 2004 12:17:42 +0200, Frank Dauer [EMAIL PROTECTED] wrote:
> Ben,
>
> > I want to use LEAF as a simple router inside my internal networks. I don't need any firewalling or NAT.
>
> If you have Bering-uClibc 2.1:
> - delete all references to shorewall in syslinux.cfg
>
> If you have Bering-uClibc 2.2:
> - delete all references to shorewall in leaf.cfg
>
> In both cases you may want to delete shorwall.lrp to save space.
>
> Then you should have a system that comes up without any iptables rules and things like that. You now have to configure your interfaces in /etc/network/interfaces. You may want to enable ip_forward in /etc/network/options in order for the router to actually forward packets.
>
> Don't forget to back up etc. ;)
>
> Bye,
> Frank
[leaf-user] Firewall error on Weblet
HI,

I am new to leaf and am running bering_uclibc 2.1.3. I have only just recently got my firewall up and running, protecting my local network using the default shorewall settings. However, in Weblet, I have a red light for Firewall under LEAF status and it says error. When I click on the red stop light it says, "You have 113 denied or rejected packets in your recent packet logs." The other two traffic lights are green (OK). When I look at my logs they have come in within 4 hours.

Should I be worried about this? Do others get this many hits on their IPs? By the way, I am running 3 public IPs on my LEAF. Only two of them are getting the traffic.

Let me know if you want to see the logs. Let me know which logs you would want: sorted by IP, Port, pretty log, or the regular one.

Thanks,
Andrew
[leaf-user] Bering 1.2 NAT-traversal?
Hello list:

In booting up Bering 1.2, one of the messages in auth.log is:

    Jul 16 13:07:15 firewall pluto[25864]: including NAT-Traversal patch (Version0.5a) [disabled]

How does one enable NAT traversal -- and is it right for what I want to do (pretty sure it is but thought I would ask the list)?

I am interested in allowing machines on a local internal net to connect into a distant VPN. These machines are behind a Bering FW running NAT -- basically masquerading or Port Address Translation. The local FW has a single static IP on the external interface (thru DSL). I am interested in running a road-warrior config on the distant firewall (also Bering 1.2) and connecting my client machine(s) through the local firewall.

I have tried an identical w2000 client IP security policy behind the local firewall and in front of it. The behind case doesn't work, but the in front does. Ascii art:

    (won't work)
    Win2kclient --- local FW (NAT/PAT) --- internet --- distant FW (NAT/PAT+IPSEC) --- distant net
                                              |
                                          win2kclient
                                          (will work)

Both win2000 clients are set up like the Bering user's guide, using ESP/MD5. I believe NAT traversal is specifically for ESP.

I looked on the Freeswan user's list and found some kind of info about a different error message -- not sure if I need a recompiled Bering kernel...? The other alternative seems to be client patches and/or extra VPN client s/w to enable NAT traversal, which I believe puts the original IP inside a UDP packet. Rather not have to do this for all machines (i.e. Windoze, Macs, linux). For anyone interested, the one for Win 2000 is located at http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/l2tpclient.asp

Any help appreciated.

TIA,
Rick.
[leaf-user] dns resolution - Dachstein
Hi all,

I'm having trouble getting a Mailman server (using Exim 3.35) to resolve names properly. It is situated in the DMZ (192.168.2.x) of a network using Dachstein CD102. I have an Exchange mail server in the internal network (192.168.1.x). I have tinyDNS running on the firewall. The internal TinyDNS zone file has an MX record that points to the Exchange server at 192.168.1.4. There is no public TinyDNS zone file.

While the server is pointed to the internal TinyDNS server on the firewall, telnetting to port 25 of the internal Exchange server fails as expected. However, this means email designated for internal users will also fail. This is not the desired result.

When I point the name resolver on the Mailman machine to various external name servers, mail gets delivered but to the external IP address of Dachstein which in turn gets forwarded to the Exchange server. That works just fine. However, when I try to do an apt-get update on the Mailman machine, name resolution fails.

I added the external IP address of our internal Exchange server to the 'hosts' file on the Mailman machine thinking that Exim will deliver mail to the external IP address. With the machine pointed to the internal name server, Mailman pings correctly to the external IP address. But email delivery fails due to the internal MX record on the internal name server which is pointed to the internal IP address of the Exchange server.

One solution would be to relocate the Exchange server into the DMZ where it should have been all along. But I would like to explore other options. Are there any other options I am overlooking?

~Doug
Re: [leaf-user] dns resolution - Dachstein
Doug Sampson wrote:
> Hi all,
>
> I'm having trouble getting a Mailman server (using Exim 3.35) to resolve names properly. It is situated in the DMZ (192.168.2.x) of a network using Dachstein CD102. I have an Exchange mail server in the internal network (192.168.1.x). I have tinyDNS running on the firewall. The internal TinyDNS zone file has an MX record that points to the Exchange server at 192.168.1.4. There is no public TinyDNS zone file.
>
> While the server is pointed to the internal TinyDNS server on the firewall, telnetting to port 25 of the internal Exchange server fails as expected. However, this means email designated for internal users will also fail. This is not the desired result.
>
> When I point the name resolver on the Mailman machine to various external name servers, mail gets delivered but to the external IP address of Dachstein which in turn gets forwarded to the Exchange server. That works just fine. However, when I try to do an apt-get update on the Mailman machine, name resolution fails.
>
> I added the external IP address of our internal Exchange server to the 'hosts' file on the Mailman machine thinking that Exim will deliver mail to the external IP address. With the machine pointed to the internal name server, Mailman pings correctly to the external IP address. But email delivery fails due to the internal MX record on the internal name server which is pointed to the internal IP address of the Exchange server.
>
> One solution would be to relocate the Exchange server into the DMZ where it should have been all along. But I would like to explore other options. Are there any other options I am overlooking?
>
> ~Doug

I could not get tinydns to answer for two internal networks.

My solution is:

    .private.network::localhost
    .1.168.192.in-addr.arpa::localhost
    =tworoute.private.network:192.168.1.254
    =localhost.private.network:192.168.1.1
    .dmz.network::localhost
    .2.168.192.in-addr.arpa::localhost
    =dmzbox.private.network:192.168.2.1

Notice that the DMZ box has an address in another network but its name is in the private.network. This works for me.
[leaf-user] Bug in processing leaf.cfg? (Bering 1.2)
Folks,

Back to the issue of getting daemontl.lrp to load. There was a previous thread on the list titled:

    [leaf-user] Bering 1.2 CD won't load daemontl.lrp

There, I was using a syslinux.cfg line and leaf.cfg as follows:

    default linux initrd=initrd.lrp init=/linuxrc rw root=/dev/ram0 LEAFCFG=/dev/fd0:msdos PKGPATH=/dev/fd0:msdos,/dev/cdrom:iso9660 syst_size=12M log_size=4M LRP=root,etc,local,modules,iptables,pump,keyboard,shorwall,ulogd,dnscache,ipsec,mawk,dhcpd

Leaf.cfg:

    # Example: LRP=$KCMD_LRP rsync
    LRP=$KCMD_LRP daemontl
    LRP=$KCMD_LRP weblet

Basically weblet will load but daemontl will not.

Now, swapping things around because I can do without dhcpd, I use:

    default linux initrd=initrd.lrp init=/linuxrc rw root=/dev/ram0 LEAFCFG=/dev/fd0:msdos PKGPATH=/dev/fd0:msdos,/dev/cdrom:iso9660 syst_size=12M log_size=4M LRP=root,etc,local,modules,iptables,pump,keyboard,shorwall,ulogd,dnscache,ipsec,mawk,daemontl

Leaf.cfg:

    # Example: LRP=$KCMD_LRP rsync
    LRP=$KCMD_LRP dhcpd
    LRP=$KCMD_LRP weblet

Now weblet still loads (daemontl loads fine) but dhcpd doesn't load. Is there a possible problem with the script or its handling?

Rick.
Re: [leaf-user] Bug in processing leaf.cfg? (Bering 1.2)
Tibbs, Richard wrote:
> Folks,
>
> Back to the issue of getting daemontl.lrp to load. There was a previous thread on the list titled:
>
>     [leaf-user] Bering 1.2 CD won't load daemontl.lrp
>
> There, I was using a syslinux.cfg line and leaf.cfg as follows:
>
>     default linux initrd=initrd.lrp init=/linuxrc rw root=/dev/ram0 LEAFCFG=/dev/fd0:msdos PKGPATH=/dev/fd0:msdos,/dev/cdrom:iso9660 syst_size=12M log_size=4M LRP=root,etc,local,modules,iptables,pump,keyboard,shorwall,ulogd,dnscache,ipsec,mawk,dhcpd
>
> Leaf.cfg:
>
>     # Example: LRP=$KCMD_LRP rsync
>     LRP=$KCMD_LRP daemontl
>     LRP=$KCMD_LRP weblet

Try the following instead:

    LRP=$KCMD_LRP rsync
    LRP=$LRP daemontl
    LRP=$LRP weblet

Note the removal of KCMD_ from all but the first LRP= line, so you don't over-write previous changes to the LRP environment variable, but append to it, which seems to be what you're trying to accomplish.

HTH,
--
Charles Steinkuehler
[EMAIL PROTECTED]
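To make the overwrite-versus-append difference in Charles's reply concrete, here is an added shell example. It is mine, not Bering's own leaf.cfg processing (which the thread does not show): it walks a leaf.cfg-style fragment the way a shell would, expanding $KCMD_LRP and $LRP on each LRP= line in turn, so the effective package list of Rick's original and Charles's corrected version can be compared, and it also lints for any later line that still assigns from $KCMD_LRP. It assumes the lines are quoted shell assignments and uses a constructed "root,etc,local" value for KCMD_LRP; whether Bering quotes these lines or how it separates package names is not shown on this page.

```shell
#!/bin/sh
# Added example (not Bering's own leaf.cfg processing): simulate how successive
# LRP= lines in leaf.cfg combine, and lint for lines that clobber the list.

# Constructed kernel command-line package list (the value Bering puts in KCMD_LRP).
KCMD="root,etc,local"

# The two variants from the thread, written as quoted shell assignments (assumption).
BROKEN_CFG='# Example: LRP="$KCMD_LRP rsync"
LRP="$KCMD_LRP daemontl"
LRP="$KCMD_LRP weblet"'

FIXED_CFG='LRP="$KCMD_LRP rsync"
LRP="$LRP daemontl"
LRP="$LRP weblet"'

# effective_lrp <kcmd_value>: read a cfg on stdin and print the final LRP value,
# expanding $KCMD_LRP and $LRP on each LRP= line in order; comment lines are skipped.
effective_lrp() {
    awk -v kcmd="$1" '
        /^[ \t]*#/ { next }
        /^[ \t]*LRP=/ {
            rhs = $0
            sub(/^[ \t]*LRP=/, "", rhs)
            gsub(/"/, "", rhs)
            gsub(/\$KCMD_LRP/, kcmd, rhs)   # kernel command-line list
            gsub(/\$LRP/, lrp, rhs)         # whatever earlier lines built up
            lrp = rhs
        }
        END { print lrp }'
}

# lint_lrp_lines: warn about every LRP= line after the first that still assigns
# from $KCMD_LRP (it discards what earlier lines added); exit 1 if any were found.
lint_lrp_lines() {
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]*LRP=/ {
            n++
            if (n > 1 && index($0, "$KCMD_LRP") > 0) {
                printf "line %d resets LRP from KCMD_LRP: %s\n", NR, $0
                bad++
            }
        }
        END { exit (bad > 0) }'
}

# Fixed-input helpers so the results can be checked.
broken_result() { printf '%s\n' "$BROKEN_CFG" | effective_lrp "$KCMD"; }
fixed_result()  { printf '%s\n' "$FIXED_CFG"  | effective_lrp "$KCMD"; }

# *_lint_status: echo 0 if the cfg is clean, 1 if it has clobbering lines
broken_lint_status() {
    if printf '%s\n' "$BROKEN_CFG" | lint_lrp_lines >/dev/null; then echo 0; else echo 1; fi
}
fixed_lint_status() {
    if printf '%s\n' "$FIXED_CFG" | lint_lrp_lines >/dev/null; then echo 0; else echo 1; fi
}

echo "broken: $(broken_result)"
echo "fixed:  $(fixed_result)"
printf '%s\n' "$BROKEN_CFG" | lint_lrp_lines || echo "broken cfg needs fixing"
```

With the original lines only "weblet" survives next to the kernel list, which is exactly Rick's symptom (the last LRP= line wins, and the "# Example:" line is a comment, so rsync is never added); with Charles's version all three packages accumulate.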
Re: [leaf-user] multiple port bridging/filtering
Erich Titl wrote:
> At 17:11 16.07.2004, Charles Steinkuehler wrote:
> > Erich Titl wrote:
> > > Charles
> > >
> > > At 06:57 16.07.2004 -0500, Charles Steinkuehler wrote:
> > > > Erich Titl wrote:
> > > > > Charles
> > > > >
> > > > > interesting approach, do you do any mac based filtering?
> > > >
> > > > Not at the moment...filtering is strictly based on IP (and on the interface a system is connected to).
> > >
> > > Thanks, one more question though, IIRC you can only proxy arp a single address per interface. Do you have single hosts on these interfaces? Because in my case we will have parts of the entire net being fed off the interfaces.
> >
> > Where did you get that idea?
>
> Probably dreamt it... :-(
>
> The way I understand proxy arp is that the interface which is the proxy replies to arp requests for the corresponding IP. So I have to enter all addresses of all the other interfaces to each of the interfaces for them to reply to arp requests?

Um...it's a lot simpler than I think you're trying to make it. In a nutshell:

If 'proxy-arp' is enabled for an interface and the kernel receives an arp request for an IP address that the kernel would route out a *DIFFERENT* interface than the arp request was received on, the kernel 'proxies' the arp request, or answers on behalf of the IP address which would otherwise be unreachable.

> Now here is my problem with this set up. Two of those separate subnets/branches have a radio interface and another disjunct branch of this net connects to either of them (actually it's a train moving back and forth between two stations). The train nets are of the overall net. I have no control on how the addresses have been assigned to the net and don't know if it is subnettable at all.

<snip detail>

I don't really understand exactly how your network is numbered. Suffice it to say if you have fairly static IP allotment (regardless of how haphazard and non-subnetted), you can use either proxy-arp or bridging to connect them (although the more jumbled the IP assignments, the more routing rules required to correctly build the kernel routing table).

If your IPs are fairly dynamic (more so than would be possible to track by hand configuration changes or a routing protocol), the use of bridging is probably more appropriate.

--
Charles Steinkuehler
[EMAIL PROTECTED]
Re: [leaf-user] multiple port bridging/filtering
Charles

At 23:10 16.07.2004, Charles Steinkuehler wrote:
> Erich Titl wrote:
> ...
>> The way I understand proxy arp is that the interface which is the proxy replies to arp requests for the corresponding IP. So I have to enter all addresses of all the other interfaces to each of the interfaces for them to reply to arp requests?
>
> Um...it's a lot simpler than I think you're trying to make it. In a nutshell:
>
> If 'proxy-arp' is enabled for an interface and the kernel receives an arp request for an IP address that the kernel would route out a *DIFFERENT* interface than the arp request was received on, the kernel 'proxies' the arp request, or answers on behalf of the IP address which would otherwise be unreachable.

Ah, that's the thing I missed. Of course that makes it a lot easier.

>> Now here is my problem with this set up. Two of those separate subnets/branches have a radio interface and another disjunct branch of this net connects to either of them (actually it's a train moving back and forth between two stations). The train nets are of the overall net. I have no control on how the addresses have been assigned to the net and don't know if it is subnettable at all.
>
> [snip detail]
>
> I don't really understand exactly how your network is numbered.

Most of it is fairly static, not necessarily contiguous; the thing I am uncertain about is the moving subnet(s) which may connect on multiple locations of the net.

> Suffice it to say if you have fairly static IP allotment (regardless of how haphazard and non-subnetted), you can use either proxy-arp or bridging to connect them (although the more jumbled the IP assignments, the more routing rules required to correctly build the kernel routing table).
>
> If your IPs are fairly dynamic (more so than would be possible to track by hand configuration changes or a routing protocol), the use of bridging is probably more appropriate.

That's what my gut feeling tells me, but your analysis helped a lot.

Thanks

Erich

THINK
Püntenstrasse 39
8143 Stallikon
mailto:[EMAIL PROTECTED]
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16
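The proxy-arp rule Charles states in this exchange (the kernel answers an ARP request only when the route for the requested address leaves by a different interface than the one the request arrived on) can be checked on paper with a small simulation. The following Python is an added example written for this archive; it is not code from the thread, from LEAF or from the Linux kernel. The routing table, interface names and the 192.168.1.0/24 allotment are constructed assumptions. It performs a longest-prefix-match lookup and then applies the rule, which also illustrates Charles's remark that a jumbled, non-subnetted assignment needs extra host routes before the kernel table is right.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed routing table for a router joining several segments of one
# non-subnetted /24 (an assumption for illustration; the thread gives no
# addresses). Each entry is (prefix, egress interface); the /32 host route
# stands for one host that physically sits on a "wrong" segment.
ROUTES: List[Tuple[str, str]] = [
    ("192.168.1.0/26",   "eth0"),
    ("192.168.1.64/26",  "eth1"),
    ("192.168.1.128/25", "eth2"),
    ("192.168.1.200/32", "eth0"),   # host route: .200 is actually on eth0
    ("0.0.0.0/0",        "eth2"),   # default route
]

# Interfaces with proxy-arp switched on (on Linux this is
# /proc/sys/net/ipv4/conf/<iface>/proxy_arp = 1).
PROXY_ARP_ENABLED = {"eth0", "eth1", "eth2"}


def lookup_route(dst: str, routes: List[Tuple[str, str]] = ROUTES) -> Optional[str]:
    """Longest-prefix match: egress interface for dst, or None if unroutable."""
    ip = ipaddress.ip_address(dst)
    best_iface, best_len = None, -1
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and net.prefixlen > best_len:
            best_iface, best_len = iface, net.prefixlen
    return best_iface


def kernel_answers_arp(target_ip: str, ingress_iface: str,
                       routes: List[Tuple[str, str]] = ROUTES,
                       proxy_enabled=PROXY_ARP_ENABLED) -> bool:
    """Apply the rule from the thread: the kernel proxies the ARP request only
    when proxy-arp is on for the ingress interface and the route for the
    target exits a *different* interface than the request came in on."""
    if ingress_iface not in proxy_enabled:
        return False
    egress = lookup_route(target_ip, routes)
    return egress is not None and egress != ingress_iface


def arp_decisions(requests: List[Tuple[str, str]]) -> Dict[Tuple[str, str], bool]:
    """Evaluate a batch of (target_ip, ingress_iface) ARP requests."""
    return {req: kernel_answers_arp(*req) for req in requests}


if __name__ == "__main__":
    for (ip, iface), answered in arp_decisions([
        ("192.168.1.70", "eth0"),    # target lives on eth1, asked on eth0 -> proxied
        ("192.168.1.10", "eth0"),    # target on eth0 itself -> no proxy reply
        ("192.168.1.200", "eth1"),   # /32 host route beats the /25 -> proxied toward eth0
        ("192.168.1.200", "eth0"),   # same host asked for on its own segment -> no proxy
    ]).items():
        print(f"ARP who-has {ip} on {iface}: route via {lookup_route(ip)}, "
              f"kernel answers: {answered}")
```

The last two requests are the point of the host route: without the /32, the kernel would believe 192.168.1.200 lives behind eth2 and would proxy for it on eth0, where the host really is, so a stale or missing route shows up as ARP answered from the wrong side.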
Re: [leaf-user] Upgrading uClibC 2.1.0 to 2.2.0b4 with HDD boot.
--
steve
[EMAIL PROTECTED]
[leaf-user] uClibC 2.1.0 2.2.0b5 with CF.
I have followed the directions listed below and have gotten the 2.1 version to boot fine off my CF (16mb)

http://leaf.sourceforge.net/doc/guide/buc-install.html
http://leaf.sourceforge.net/doc/guide/bucu-ide.html

but when I try to boot up with the 2.2 version I get a kernel panic. The last of which is:

  hda: attached ide-disk driver
  hda: task_no _data_intr: status=0x51 ( DriveReady SeeComplete Error )
  hda: task_no_data_intr: error=0x04 ( DriveStatusError )
  hda: 31360 sectors (16MB) w/1KiB Cache, CHS=490/2/32
  Partition check:
  hda: hda1
  hda: hda1
  VFS: Can't find a Minix or Minx V2 filesystem on device 03:00
  hda: hda1
  hda: hda1
  FAT: bogus logical sector siz 64543
  VFS: Can't find valid FAT filesystem on dev 0.:00
  hda: hda1
  hda: hda1
  VFS: Can't find a Minix or Minx V2 filesystem on device 03:00
  hda: hda1
  hda: hda1
  LINUXRC: Installing - BOOT_IMAGE=linux: BOOT_IMAGE=linux(nf!) - Finished
  cat: /var/lib/lrpkg/root.pn.lins: No such flie or directory
  ;; Can't open /var/lib/lrpkg/root.dev.own
  Kernel panic: Attemted to killinit!

I thought at first maybe I had a bad CF, but when I installed the 2.1 ver on it, it worked fine.

I did make the changes to both the syslinux.cfg and leaf.cfg as noted in the User's guide, changing /dev/fd0u1680:msdos to /dev/hda1:msdos

Thanks in advance

--
steve
[EMAIL PROTECTED]
RE: [leaf-user] dns resolution - Dachstein
> I could not get tinydns to answer for two internal networks. My solution is:
>
> .private.network::localhost
> .1.168.192.in-addr.arpa::localhost
> =tworoute.private.network:192.168.1.254
> =localhost.private.network:192.168.1.1
> .dmz.network::localhost
> .2.168.192.in-addr.arpa::localhost
> =dmzbox.private.network:192.168.2.1
>
> notice that the DMZ has an address in another network but its name is in the private.network. This works for me.

I made the changes similar to what you described above. Basically what I did was to add to the private file as follows:

.dmz.dawnsign.com::ns.dawnsign.com
.2.168.192.in-addr.arpa::ns.dawnsign.com
# mail exchanger
@dawnsign.com::mercury.dawnsign.com
=mercury.dawnsign.com:216.xxx.xxx.xxx
=myrouter.dawnsign.com:192.168.1.254

ns.dawnsign.com was already defined for the .dawnsign.com domain so there wasn't any need to define it within the .dmz.dawnsign.com domain.

It seems to have worked. Am I correct in my assumption that when a name resolution request comes in from any machine in the 192.168.2.x network, the request will be checked against the entries defined for the .dmz.dawnsign.com domain and not the .dawnsign.com domain?

~Doug
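Both data snippets in this message use the tinydns-data line types `.` (name server plus SOA), `=` (A plus PTR) and `@` (MX). Because tinydns expands these into several records each, it helps to see exactly what a given file produces before publishing it. The Python below is an added example written for this archive, not part of the message or of the djbdns/tinydns distribution; it implements the documented tinydns-data expansion rules for the common line types and runs them over the two snippets quoted above. Doug's redacted `216.xxx.xxx.xxx` is replaced by the documentation address 192.0.2.10 as an obvious placeholder. One check worth knowing: tinydns-data treats a server field without a dot (such as `localhost`) as a bare label and turns it into `localhost.ns.private.network`, whereas `ns.dawnsign.com`, which contains a dot, is used as written, which is consistent with Doug's note that it was already defined elsewhere.

```python
import ipaddress
from typing import List, Tuple

Record = Tuple[str, str, str]   # (RR type, owner name, rdata)

# Data lines quoted in the message above (the first correspondent's solution).
PAGE_DATA = """\
.private.network::localhost
.1.168.192.in-addr.arpa::localhost
=tworoute.private.network:192.168.1.254
=localhost.private.network:192.168.1.1
.dmz.network::localhost
.2.168.192.in-addr.arpa::localhost
=dmzbox.private.network:192.168.2.1
"""

# Doug's additions; the redacted 216.xxx.xxx.xxx address is replaced by the
# documentation address 192.0.2.10 as a placeholder (constructed, not real).
DAWNSIGN_DATA = """\
.dmz.dawnsign.com::ns.dawnsign.com
.2.168.192.in-addr.arpa::ns.dawnsign.com
# mail exchanger
@dawnsign.com::mercury.dawnsign.com
=mercury.dawnsign.com:192.0.2.10
=myrouter.dawnsign.com:192.168.1.254
"""


def _server_name(x: str, fqdn: str, infix: str) -> str:
    """tinydns-data naming rule for NS/MX targets: a name containing a dot is
    used as given; a bare label becomes <x>.<ns|mx>.<fqdn>; empty means 'a'."""
    x = x or "a"
    return x if "." in x else f"{x}.{infix}.{fqdn}"


def parse_tinydns_data(text: str) -> List[Record]:
    """Expand tinydns-data lines into the resource records they generate."""
    records: List[Record] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#-":            # comment or disabled line
            continue
        kind, fields = line[0], line[1:].split(":")
        fields += [""] * (6 - len(fields))         # pad optional fields
        fqdn, ip = fields[0], fields[1]
        if kind in ".&":                           # NS (and SOA for '.'), A for the server if ip given
            ns = _server_name(fields[2], fqdn, "ns")
            if kind == ".":
                records.append(("SOA", fqdn, ns))
            records.append(("NS", fqdn, ns))
            if ip:
                records.append(("A", ns, ip))
        elif kind in "=+":                         # A, plus the matching PTR for '='
            records.append(("A", fqdn, ip))
            if kind == "=":
                records.append(("PTR", ipaddress.ip_address(ip).reverse_pointer, fqdn))
        elif kind == "@":                          # MX, A for the exchanger if ip given
            mx = _server_name(fields[2], fqdn, "mx")
            records.append(("MX", fqdn, f"{fields[3] or '0'} {mx}"))
            if ip:
                records.append(("A", mx, ip))
        elif kind == "C":
            records.append(("CNAME", fqdn, ip))
        elif kind == "^":
            records.append(("PTR", fqdn, ip))
        elif kind == "'":
            records.append(("TXT", fqdn, ip))
        else:
            raise ValueError(f"unsupported tinydns-data line: {raw!r}")
    return records


def records_of_type(records: List[Record], rrtype: str) -> List[Record]:
    return [r for r in records if r[0] == rrtype]


if __name__ == "__main__":
    for rr in parse_tinydns_data(PAGE_DATA + DAWNSIGN_DATA):
        print("%-5s %-35s %s" % rr)
```

Running it shows why the first correspondent's layout works: the `=dmzbox.private.network:192.168.2.1` line yields a PTR in `2.168.192.in-addr.arpa`, a zone the `.2.168.192.in-addr.arpa::localhost` line declares, so the reverse lookup is answered even though the forward name lives under `private.network`.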
[leaf-user] dropbear 0.43 - security update
Today we received an update of dropbear to v 0.43 fixing potential security problems. The new lrp is in cvs:
http://cvs.sourceforge.net/viewcvs.py/leaf/bin/packages/uclibc-0.9/20/?sortby=date#dirlist

To update your dropbear version:

1) scp the new dropbear.lrp to your boot media's root.
2) on the router mount the media to /mnt
3) copy new dropbear.lrp to /mnt
4) install new dropbear.lrp with lrpkg -i from your root dir
5) If you changed the config edit it to fit your needs - the keys will be preserved.
6) run lrcfg and backup dropbear.

kp
[leaf-user] Firewall error on Weblet
Hi Andrew,

If you can send me your log file I can have a look to see what is being reported. Some of these may be harmless DNS or traceroute queries that can be dropped from logging.

Darcy Parker ([EMAIL PROTECTED])

> Message: 4
> From: [EMAIL PROTECTED] [EMAIL PROTECTED]
> Date: Fri, 16 Jul 2004 17:40:27 GMT
> To: [EMAIL PROTECTED]
> Subject: [leaf-user] Firewall error on Weblet
>
> HI,
>
> I am new to leaf and am running bering_uclibc 2.1.3. I have only just recently got my firewall up and running, protecting my local network using the default shorewall settings. However, in Weblet, I have a red light for Firewall under LEAF status and it says error. When I click on the red stop light it says, You have 113 denied or rejected packets in your recent packet logs. The other two traffic lights are green (OK). When I look at my logs they have come in the 4 hours. Should I be worried about this? Do others get this many hits on their IPs? By the way, I am running 3 public IPs on my LEAF. Only two of them are getting the traffic. Let me know if you want to see the logs. Let me know which logs you would want: sorted by IP, Port, pretty log, or the regular one.
>
> Thanks,
> Andrew
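Darcy's point is that a count of dropped packets (what Weblet's red light reports) says little until the drops are sorted by kind: late DNS replies and traceroute probes are routine noise, while the rest deserves a look. The Python below is an added example for this archive, not code from LEAF, Shorewall or Weblet. It parses kernel log lines in the form Shorewall's LOG rules emit (a `Shorewall:<chain>:<action>:` prefix followed by netfilter's key=value fields, an assumption about the format) and triages them with the two heuristics Darcy names. The log lines are constructed samples using documentation address ranges; they are not from any real router.

```python
import re
from collections import Counter
from typing import Dict, Optional, Tuple

# Constructed sample lines in the format Shorewall's LOG rules produce via the
# kernel (prefix "Shorewall:<chain>:<action>:" followed by netfilter fields).
# Addresses are from documentation ranges; nothing here is from a real router.
SAMPLE_LOG = """\
Jul 16 17:40:01 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.53 DST=203.0.113.10 LEN=120 TOS=0x00 PREC=0x00 TTL=55 ID=4321 PROTO=UDP SPT=53 DPT=32770 LEN=100
Jul 16 17:40:05 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=1 ID=1 PROTO=UDP SPT=40123 DPT=33436 LEN=20
Jul 16 17:40:09 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.99 DST=203.0.113.10 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=2222 DF PROTO=TCP SPT=4421 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 16 17:40:12 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.99 DST=203.0.113.11 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=2223 DF PROTO=TCP SPT=4422 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 16 17:40:20 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.53 DST=203.0.113.11 LEN=80 TOS=0x00 PREC=0x00 TTL=55 ID=4322 PROTO=UDP SPT=53 DPT=32771 LEN=60
Jul 16 17:40:25 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.8 DST=203.0.113.10 LEN=56 TOS=0x00 PREC=0x00 TTL=60 ID=7 PROTO=ICMP TYPE=11 CODE=0 [SRC=203.0.113.10 DST=198.51.100.200 LEN=40 TOS=0x00 PREC=0x00 TTL=1 ID=9 PROTO=UDP SPT=50001 DPT=33434 LEN=20 ]
"""

PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<action>[^:\s]+):")
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")
TRACEROUTE_PORTS = range(33434, 33535)    # classic UDP traceroute probe ports


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the netfilter fields of one Shorewall log line, or None."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    # ICMP error messages quote the offending packet in [...]; drop it so the
    # outer SRC/DST/PROTO are the ones we keep.
    body = line[m.end():].split(" [", 1)[0]
    fields = {"chain": m.group("chain"), "action": m.group("action")}
    for key, value in KV_RE.findall(body):
        fields.setdefault(key, value)
    return fields


def classify(f: Dict[str, str]) -> str:
    """Heuristic triage of one dropped packet into the two 'harmless' kinds
    named in the reply above; everything else is left for review."""
    proto = f.get("PROTO")
    if proto == "UDP" and f.get("SPT") == "53":
        return "late DNS reply"          # answer arrived after the state entry timed out
    if proto == "UDP" and int(f.get("DPT", "0")) in TRACEROUTE_PORTS:
        return "traceroute probe"
    if proto == "ICMP" and f.get("TYPE") == "11":
        return "ICMP time-exceeded (traceroute)"
    return "other (review)"


def summarize(log_text: str) -> Tuple[Counter, Counter]:
    """Count each category and the source addresses behind the 'review' ones."""
    by_category: Counter = Counter()
    review_sources: Counter = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        cat = classify(f)
        by_category[cat] += 1
        if cat == "other (review)":
            review_sources[f.get("SRC", "?")] += 1
    return by_category, review_sources


if __name__ == "__main__":
    cats, srcs = summarize(SAMPLE_LOG)
    for cat, n in cats.most_common():
        print(f"{n:4d}  {cat}")
    print("sources needing a look:", dict(srcs))
```

The split matters for the action Darcy suggests: the categories marked harmless are the candidates for rules that drop without logging, which brings the Weblet counter back to what is worth reading, while the remainder (here, one host probing TCP 135 and 445 on two of the public addresses) is what the log exists to show.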
Re: [leaf-user] uClibC 2.1.0 2.2.0b5 with CF.
Do you use the initrd_ide_cd.lrp from
http://cvs.sourceforge.net/viewcvs.py/leaf/bin/bering-uclibc/beta/

kp

On Saturday, 17 July 2004 00:55, steve wrote:
> I have followed the directions listed below and have gotten the 2.1 version to boot fine off my CF (16mb)
>
> http://leaf.sourceforge.net/doc/guide/buc-install.html
> http://leaf.sourceforge.net/doc/guide/bucu-ide.html
>
> but when I try to boot up with the 2.2 version I get a kernel panic. The last of which is:
>
> hda: attached ide-disk driver
> hda: task_no _data_intr: status=0x51 ( DriveReady SeeComplete Error )
> hda: task_no_data_intr: error=0x04 ( DriveStatusError )
> hda: 31360 sectors (16MB) w/1KiB Cache, CHS=490/2/32
> Partition check:
> hda: hda1
> hda: hda1
> VFS: Can't find a Minix or Minx V2 filesystem on device 03:00
> hda: hda1
> hda: hda1
> FAT: bogus logical sector siz 64543
> VFS: Can't find valid FAT filesystem on dev 0.:00
> hda: hda1
> hda: hda1
> VFS: Can't find a Minix or Minx V2 filesystem on device 03:00
> hda: hda1
> hda: hda1
> LINUXRC: Installing - BOOT_IMAGE=linux: BOOT_IMAGE=linux(nf!) - Finished
> cat: /var/lib/lrpkg/root.pn.lins: No such flie or directory
> ;; Can't open /var/lib/lrpkg/root.dev.own
> Kernel panic: Attemted to killinit!
>
> I thought at first maybe I had a bad CF, but when I installed the 2.1 ver on it, it worked fine.
>
> I did make the changes to both the syslinux.cfg and leaf.cfg as noted in the User's guide, changing /dev/fd0u1680:msdos to /dev/hda1:msdos
>
> Thanks in advance
Re: [leaf-user] Dropbear and sshd in Bering_uClibc 2.1.3
On Friday, 16 July 2004 08:53, [EMAIL PROTECTED] wrote:
> HI AGAIN,
>
> I am new to LEAF and have just got my Leaf system running. However, I have been reading about dropbear, dropbearkeys, and SSH and it seems as if these have to do with some sort of remote admin packages. Am I right?

It's about remotely administering your LEAF box - a secure remote shell and secure copy (scp) to/from your LEAF box.

> Is there some good beginner information you could point me to to read about these topics? Or could you tell me what they do and their benefits?

To start with dropbear on LEAF router read:
http://leaf.sourceforge.net/doc/guide/bucu-dropbear.html

For general information about ssh look at http://www.openssh.com/ or google for ssh.

kp
[leaf-user] Bering uClibC 2.1.3, Shorewall, and AIM
How does Shorewall handle AOL Instant Messenger? I have noticed that when my two daughters are both using AIM there is a lot of activity in the firewall log (it turns to red very quickly).

I found the following in an AIM FAQ:

> What can I do if I'm having trouble using Instant Messenger at work?
>
> If you're experiencing problems connecting to Instant Messenger from your office network, talk to your Network or System Administrator. Chances are you're behind a 'firewall,' and need to ask your System Administrator to open up port 5190 (this is Instant Messenger's 'default' port, which is like a secure door in your company's firewall).

Thanks.