Re: [leaf-user] RFC1918 packets to NET

[grharry]

 At 16:44 15.07.2004 +0300, [EMAIL PROTECTED] wrote:
 
 I 've noticed that when installing the default shorewall configuration of=
  Bering-*
 there is no block of rfc1918 packets going out to NET 
 That is traceroute from LOC of any address not included in LOCAL LAN but in=
  the RFC1918 range will go out and traverse the net( Default route ).
 
 Are you tracing the external interface? You should see a masqueraded source=
  address there.
 
 Who is responsible of stopping this packets ???
 
 NAT

OK I shall make this more clear ...
I am refering to Destination Address...

Supose 
LOC=192.168.1.0/24
DMZ=NONE
NET IF=ppp0=62.12.1.1 ( DYNAMIC )

No other addresses are involved in this hypothetical configuration.

Supose a user from LOC LAN  and address 192.168.1.4  pings or trace(s)route to  
10.0.1.1 which it is not used in local or any other zone ..

10.0.1.1 is DST

If an observer in the net zone  ( the ISP )  observes packets comming in from 
source address 62.12.1.1 
tcpdump -i someif0 src address 62.12.1.1

She will see these ping or traceroute packets with the following characteristics.

SRC=62.12.1.1  DST=10.0.1.1 

Am I right or am I right ???

So we have a packet destined to a private address space looking around the internet to 
contact address 10.0.1.1 ( noise ).


So let me repeat

Who is responsible to stop or drop or kill this packet ?
The ISP or The firewall admin ???

Best Regards

Harry



---
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=4721alloc_id=10040op=click

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html

[leaf-user] Dropbear and sshd in Bering_uClibc 2.1.3

[[EMAIL PROTECTED]]

HI AGAIN,

I am new to LEAF and have just got my Leaf system running.
However, I have been reading about dropbear, dropbearkeys, and SSH and it seems if 
these have to do with some sort of remote admin packages.  Am I right?  Is there some 
good beginer information you could point me to to read about these topics?  Or could 
you tell me what they do and their benefits?

Thanks,
Andrew


The best thing to hit the Internet in years - Juno SpeedBand!
Surf the Web up to FIVE TIMES FASTER!
Only $14.95/ month - visit www.juno.com to sign up today!


---
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=4721alloc_id=10040op=click

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html

RE: [leaf-user] RFC1918 packets to NET

[Luis.F.Correia]

Hi! 

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
 Sent: Friday, July 16, 2004 7:06 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [leaf-user] RFC1918 packets to NET
 
 
  At 16:44 15.07.2004 +0300, [EMAIL PROTECTED] wrote:
  
  I 've noticed that when installing the default shorewall 
 configuration of=
   Bering-*
  there is no block of rfc1918 packets going out to NET 
  That is traceroute from LOC of any address not included in 
 LOCAL LAN but in=
   the RFC1918 range will go out and traverse the net( 
 Default route ).

RFC1918 cannot be blocked by default, because some ISP's provide
these addresses to their customers, so, if we did block them
Bering-uClibc would no longer work, and that would be our fault.

[snip]

 
 Supose a user from LOC LAN  and address 192.168.1.4  pings or 
 trace(s)route to  10.0.1.1 which it is not used in local or 
 any other zone ..
 
 10.0.1.1 is DST
 
 If an observer in the net zone  ( the ISP )  observes packets 
 comming in from 
 source address 62.12.1.1 
 tcpdump -i someif0 src address 62.12.1.1
 
 She will see these ping or traceroute packets with the 
 following characteristics.
 
 SRC=62.12.1.1  DST=10.0.1.1 
 
 Am I right or am I right ???
 
 So we have a packet destined to a private address space 
 looking around the internet to contact address 10.0.1.1 ( noise ).
 
 
 So let me repeat
 
 Who is responsible to stop or drop or kill this packet ?
 The ISP or The firewall admin ???
 

IMHO it is the firewall admin's responsability.

Use 'norfc1918' in the interface that connects to the net in
'/etc/shorewall/interfaces'



Luis Correia   
Bering uClibc Team Member

PGP Fingerprint: BC44 D7DA 5A17 F92A CA21 9ABE DFF0 3540 2322 21F6 
Key Server: http://pgp.mit.edu


---
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=4721alloc_id=10040op=click

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html

RE: [leaf-user] RFC1918 packets to NET

[grharry]

 Hi!
 
  
   I 've noticed that when installing the default shorewall
  configuration of=
Bering-*
   there is no block of rfc1918 packets going out to NET 
   That is traceroute from LOC of any address not included in
  LOCAL LAN but in=
the RFC1918 range will go out and traverse the net(
  Default route ).
 
 RFC1918 cannot be blocked by default, because some ISP's provide
 these addresses to their customers, so, if we did block them
 Bering-uClibc would no longer work, and that would be our fault.
 
 [snip]
 
 
  Supose a user from LOC LAN  and address 192.168.1.4  pings or
  trace(s)route to  10.0.1.1 which it is not used in local or
  any other zone ..
 
  10.0.1.1 is DST
 
  If an observer in the net zone  ( the ISP )  observes packets
  comming in from
  source address 62.12.1.1
  tcpdump -i someif0 src address 62.12.1.1
 
  She will see these ping or traceroute packets with the
  following characteristics.
 
  SRC=62.12.1.1  DST=10.0.1.1
 
  Am I right or am I right ???
 
  So we have a packet destined to a private address space
  looking around the internet to contact address 10.0.1.1 ( noise ).
 
 
  So let me repeat
 
  Who is responsible to stop or drop or kill this packet ?
  The ISP or The firewall admin ???
 
 
 IMHO it is the firewall admin's responsability.
 
 Use 'norfc1918' in the interface that connects to the net in
 '/etc/shorewall/interfaces'

NOPE 

The norfc1918 option in the interfaces file is about packets that come IN from 
NET- to net interface .
Not about packets that go out destined to rfc1918 address space and the net...
At least it operates like that... I don't know if it was intended to operate both 
ways

The funny thing that I saw with this experiment is that when I traceroute some rfc1918 
address I get full legitimate responses from the ISP's routers out there.

I stoped them by typing a few lines to the rules file

[DROP]|[REJECT]loc net:192.168.0.0/16  all

etc

Regards

Harry...

Please consider me as a Fool.


 



---
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=4721alloc_id=10040op=click

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html

RE: [leaf-user] Using LEAF (Bering-uClibc) as a router (no shorewall)

[Frank Dauer]

Ben,

 I want to use LEAF as a simple router inside my internal 
 networks.  I don't need any firewalling or NAT.

if you have Bering-uClibc 2.1:

- delete all references to shorewall in syslinux.cfg

if you have Bering-uClibc 2.2:

- delete all references to shorewall in leaf.cfg

In both cases you may want to delete shorwall.lrp to save space.

then you should have a system that comes up without any iptables
rules and things like that.

You now have to configure your interfaces in /etc/network/interfaces.

You may want to enable ip_forward in /etc/network/options in order
for the router to acually forward packets.

Don't forget to back up etc. ;)

Bye,

Frank


---
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_idG21alloc_id040op=click

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html

Re: [leaf-user] multiple port bridging/filtering

[Charles Steinkuehler]

Erich Titl wrote:
Charles
interesting approach do you do any mac based filtering?
Not at the moment...filtering is strictly based on IP (and on the 
interface a system is connected to).

--
Charles Steinkuehler
[EMAIL PROTECTED]
---
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=4721alloc_id=10040op=click

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html

RE: [leaf-user] Using LEAF (Bering-uClibc) as a router (no shorewall)

[Robert K Coffman Jr - Info From Data Corporation]

The first thing that came to mind to do this was to change the following in
the shorewall policy file:

all all REJECT  ULOG

to

all all ACCEPT

However this doesn't meet the requirement of getting rid of shorewall.
Also, I don't know what the performance implications are of doing it this
way versus eliminating Shorewall.  Maybe someone can comment on that.


- Bob Coffman

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Ben Conrad
Sent: Thursday, July 15, 2004 5:59 PM
To: [EMAIL PROTECTED]
Subject: [leaf-user] Using LEAF (Bering-uClibc) as a router (no
shorewall)


Hello,

I want to use LEAF as a simple router inside my internal networks.  I
don't need any firewalling or NAT.

What is the best way to turn off all the Shorewall and IPTables
configurations so that I can pass all traffic in/out of eth0 and eth1?
 I tried to rename /etc/rc2.d/S41shorewall and then backed up all the
packages but on next boot the /etc/rc2.d/S41shorewall still exists!

Thanks,

Ben


---
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=4721alloc_id=10040op=click

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html




---
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=4721alloc_id=10040op=click

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html

Re: [leaf-user] multiple port bridging/filtering

[Tom Eastep]

Erich Titl wrote:
Charles
At 06:57 16.07.2004 -0500, Charles Steinkuehler wrote:
Erich Titl wrote:
Charles
interesting approach do you do any mac based filtering?
Not at the moment...filtering is strictly based on IP (and on the interface a system is connected to).

Thanks, one more question though, IIRC you can only proxy arp a single address per interface.
Definitely not so -- You can have multiple entries in your proxyarp file 
for the same (pair of) interface(s) and you can also use the proxyarp 
option in /etc/shorewall/interfaces to use Proxy ARP on ALL hosts 
attached to an interface.

-Tom
--
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]

---
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=4721alloc_id=10040op=click

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html

[leaf-user] arm-linux Cross Debugger

[karthik bala guru]

Hello everyone,

I am cross compiling a arm program using
arm-linux-gcc.
Now i want to use a debugger to trace my program using
arm-linux-gdb
from being in a x86 machine.

That is - cross debug arm-linux program from
linux-i386 machine.

i would also like to know where would the simulator be
??

My gdb's version is 5.3, and I built it like this:
 for the first time
./configure --target=arm-linux 
make
make install

I did not get the binaries of the gdb simulaor and
arm-cross-debugger.

I tried like this now ---
and like this also
--- for the second time
./configure --target=arm-linux
--build=i686-pc-linux-gnu --prefix=/usr  
--- for the third time 
./configure --host=i686-pc-linux-gnu
--target=arm-linux --prefix=/usr
x --prefix=/usr
 followed by make and make install

But now i got the arm-linux-gdb. but invokation
problem .

someone here tell me how to use arm-linux-run and
arm-linux-dgb?
When I use arm-linux-run hello, nothing happened.
When I use arm-linux-gdb hello, entering the gdb
environment, and type 
run, It flashes the message'Try 'help target'. 

I need to setup the Cross debugger and simulator in
x86 for arm. kindly give tips.

Any Help is Highly appreciated.
Thanks  Regards.
karthik bala guru



__
Do you Yahoo!?
Yahoo! Mail - 50x more storage than other providers!
http://promotions.yahoo.com/new_mail


---
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=4721alloc_id=10040op=click

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html

Re: [leaf-user] multiple port bridging/filtering

[Erich Titl]

Tom

At 06:36 16.07.2004 -0700, you wrote:
Erich Titl wrote:
Charles
At 06:57 16.07.2004 -0500, Charles Steinkuehler wrote:

Erich Titl wrote:

Charles
interesting approach do you do any mac based filtering?

Not at the moment...filtering is strictly based on IP (and on the interface a 
system is connected to).

Thanks, one more question though, IIRC you can only proxy arp a single address per 
interface.

Definitely not so -- You can have multiple entries in your proxyarp file for the same 
(pair of) interface(s) and you can also use the proxyarp option in 
/etc/shorewall/interfaces to use Proxy ARP on ALL hosts attached to an interface.

Thanks, will go back to the drawing board

Erich

THINK 
Püntenstrasse 39 
8143 Stallikon 
mailto:[EMAIL PROTECTED] 
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16




---
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_idG21alloc_id040op=click

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html

Re: [leaf-user] arm-linux Cross Debugger

[Larry Platzek]

Just what does this gave to do with LEAF?
I think this is very off topic and as such is SPAM!!!
As a guru you should have known this!
On Fri, 16 Jul 2004, karthik bala guru wrote:
Date: Fri, 16 Jul 2004 06:52:03 -0700 (PDT)
From: karthik bala guru [EMAIL PROTECTED]
To: Robert K Coffman Jr - Info From Data Corporation
[EMAIL PROTECTED], Ben Conrad [EMAIL PROTECTED],
[EMAIL PROTECTED]
Subject: [leaf-user] arm-linux Cross Debugger
Hello everyone,
I am cross compiling a arm program using
arm-linux-gcc.
Now i want to use a debugger to trace my program using
arm-linux-gdb
from being in a x86 machine.
That is - cross debug arm-linux program from
linux-i386 machine.
i would also like to know where would the simulator be
??
My gdb's version is 5.3, and I built it like this:
 for the first time
./configure --target=arm-linux
make
make install
I did not get the binaries of the gdb simulaor and
arm-cross-debugger.
I tried like this now ---
and like this also
--- for the second time
./configure --target=arm-linux
--build=i686-pc-linux-gnu --prefix=/usr
--- for the third time
./configure --host=i686-pc-linux-gnu
--target=arm-linux --prefix=/usr
x --prefix=/usr
followed by make and make install
But now i got the arm-linux-gdb. but invokation
problem .
someone here tell me how to use arm-linux-run and
arm-linux-dgb?
When I use arm-linux-run hello, nothing happened.
When I use arm-linux-gdb hello, entering the gdb
environment, and type
run, It flashes the message'Try 'help target'. 
I need to setup the Cross debugger and simulator in
x86 for arm. kindly give tips.
Any Help is Highly appreciated.
Thanks  Regards.
karthik bala guru

__
Do you Yahoo!?
Yahoo! Mail - 50x more storage than other providers!
http://promotions.yahoo.com/new_mail
---
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=4721alloc_id=10040op=click

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
Larry Platzek  [EMAIL PROTECTED]

---
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=4721alloc_id=10040op=click

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html

Re: [leaf-user] Using LEAF (Bering-uClibc) as a router (no shorewall)

[Ben Conrad]

Thanks all, 

I removed shorewall from the syslinux.cfg and set ip_forward=yes.  I
setup a temporary route on my firewall to point to the network behind
the LEAF router and it's working!

Ben

On Fri, 16 Jul 2004 12:17:42 +0200, Frank Dauer [EMAIL PROTECTED] wrote:
 Ben,
 
  I want to use LEAF as a simple router inside my internal
  networks.  I don't need any firewalling or NAT.
 
 if you have Bering-uClibc 2.1:
 
 - delete all references to shorewall in syslinux.cfg
 
 if you have Bering-uClibc 2.2:
 
 - delete all references to shorewall in leaf.cfg
 
 In both cases you may want to delete shorwall.lrp to save space.
 
 then you should have a system that comes up without any iptables
 rules and things like that.
 
 You now have to configure your interfaces in /etc/network/interfaces.
 
 You may want to enable ip_forward in /etc/network/options in order
 for the router to acually forward packets.
 
 Don't forget to back up etc. ;)
 
 Bye,
 
 Frank
 
 
 ---
 This SF.Net email is sponsored by BEA Weblogic Workshop
 FREE Java Enterprise J2EE developer tools!
 Get your free copy of BEA WebLogic Workshop 8.1 today.
 http://ads.osdn.com/?ad_idG21alloc_id040op=click
 
 
 
 leaf-user mailing list: [EMAIL PROTECTED]
 https://lists.sourceforge.net/lists/listinfo/leaf-user
 SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html



---
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_idG21alloc_id040op=click

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html

[leaf-user] Firewall error on Weblet

[[EMAIL PROTECTED]]

HI,

I am new to leaf and am running bering_uclibc 2.1.3.  Ihave only just recently got my 
firewall up and runnng, protecting my local network using the default shorewall 
settings. However,in Weblet, I have a red light for Firewall under LEAF status and it 
says error.  When I click on the red stop light it says, You have 113 denied or 
rejected packets in your recent packet logs.  The other two traffic light are green 
(OK).  When I look at my logs they have come in the 4 hours.  Should I be worried 
about this?  Do others get this many hits on there IP's?  By the way, I am running 3 
public ip's on my LEAF.  Only two of them are getting the traffic.  Let me know if you 
want to see the logs.  Let me know which logs you would want: sorted by IP, Port, 
pretty log, or the regular one.


Thank,
Andrew


The best thing to hit the Internet in years - Juno SpeedBand!
Surf the Web up to FIVE TIMES FASTER!
Only $14.95/ month - visit www.juno.com to sign up today!


---
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=4721alloc_id=10040op=click

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html

[leaf-user] Bering 1.2 NAT-traversal?

[Tibbs, Richard]

Hello list:
In booting up Bering 1.2, one of the messages in auth.log is:
Jul 16 13:07:15 firewall pluto[25864]:   including NAT-Traversal patch
(Version0.5a) [disabled]

How does one enable NAT traversal -- and is it right for what I want to
do (pretty sure it is but thought I would ask the list)?

I am interested in allowing machines on a local internal net connect
into a distant VPN. These machines are behind a Bering FW running NAT--
basically masquerading or Port Address translation. The local FW has a
single static IP on the external interface (thru DSL). 

I am interested in running a road-warrior config on the distant firewall
(also Bering 1.2) and connecting my client machine(s) through the local
firewall.
I have tried an identical w2000 client IP security policy behind the
local firewall and in front of it. The behind case doesn't work, but the
in front does. Ascii art:

(won't work)
Win2kclient --- local FW (NAT/PAT)-- internet -- distant FW
(NAT/PAT+IPSEC) --- distant net
   | win2kclient (will
work)  

Both win2000 clients are set up like the Bering user's guide, using
ESP/MD5.  I believe NAT traversal is specifically for ESP.

I looked on the Freeswan user's list and found  some kind of info about
a different error message -- not sure if I need a recompiled Bering
kernel...?

The other alternative seems to be client patches and/or extra VPN client
s/w to enable NAT traversal, which I believe puts the original IP inside
a UDP packet.  Rather not have to do this for all machines (i.e.
Windoze, Macs, linux).
For anyone interested, the one for Win 2000 is located at
http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/l2
tpclient.asp

Any help appreciated.

TIA,
Rick.


---
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_idG21alloc_id040op=click

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html

[leaf-user] dns resolution - Dachstein

[Doug Sampson]

Hi all,

I'm having trouble getting a Mailman server (using Exim 3.35) to resolve
names properly. It is situated in the DMZ (192.168.2.x) of a network using
Dachstein CD102. I have an Exchange mail server in the internal network
(192.168.1.x).

I have tinyDNS running on the firewall. The internal TinyDNS zone file has a
MX record that points to the Exchange server at 192.168.1.4. There is no
public TinyDNS zone file.

While the server is pointed to the internal TinyDNS server on the firewall,
telnetting to port 25 of the internal Exchange server fails as expected.
However, this means email designated for internal users will also fail. This
is not the desired result.

When I point the name resolver on the Mailman machine to various external
name servers, mail gets delivered but to the external IP address of
Dachstein which in turn gets forwarded to the Exchange server. That works
just fine. However, when I try to do an apt-get update on the Mailman
machine, name resolution fails.

I added the external IP address of our internal Exchange server to the
'hosts' file on the Mailman machine thinking that Exim will deliver mail to
the external IP address. With the machine pointed to the internal name
server, Mailman pings correctly to the external IP address. But email
delivery fails due to the internal MX record on the internal name server
which is pointed to the internal IP address of the Exchange server.

One solution would be to relocate the Exchange server into the DMZ where it
should have been all along. But I would like to explore other options. Are
there any other options I am overlooking?

~Doug


---
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=4721alloc_id=10040op=click

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html

Re: [leaf-user] dns resolution - Dachstein

[Victor McAllister]

Doug Sampson wrote:
Hi all,
I'm having trouble getting a Mailman server (using Exim 3.35) to resolve
names properly. It is situated in the DMZ (192.168.2.x) of a network using
Dachstein CD102. I have an Exchange mail server in the internal network
(192.168.1.x).
I have tinyDNS running on the firewall. The internal TinyDNS zone file has a
MX record that points to the Exchange server at 192.168.1.4. There is no
public TinyDNS zone file.
While the server is pointed to the internal TinyDNS server on the firewall,
telnetting to port 25 of the internal Exchange server fails as expected.
However, this means email designated for internal users will also fail. This
is not the desired result.
When I point the name resolver on the Mailman machine to various external
name servers, mail gets delivered but to the external IP address of
Dachstein which in turn gets forwarded to the Exchange server. That works
just fine. However, when I try to do an apt-get update on the Mailman
machine, name resolution fails.
I added the external IP address of our internal Exchange server to the
'hosts' file on the Mailman machine thinking that Exim will deliver mail to
the external IP address. With the machine pointed to the internal name
server, Mailman pings correctly to the external IP address. But email
delivery fails due to the internal MX record on the internal name server
which is pointed to the internal IP address of the Exchange server.
One solution would be to relocate the Exchange server into the DMZ where it
should have been all along. But I would like to explore other options. Are
there any other options I am overlooking?
~Doug
 

I could not get timydns to answer for two internal networks.  My 
solution is:

.private.network::localhost
.1.168.192.in-addr.arpa::localhost
=tworoute.private.network:192.168.1.254
=localhost.private.network:192.168.1.1
.dmz.network::localhost
.2.168.192.in-addr.arpa::localhost
=dmzbox.private.network:192.168.2.1
notice that the DMZ has a address in another network but it's name is in 
the private.network. This works for me.



---
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=4721alloc_id=10040op=click

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html

[leaf-user] Bug in processing leaf.cfg? (Bering 1.2)

[Tibbs, Richard]

Folks,
Back to the issue of getting daemontl.lrp to load. There was a previous
thread on the list titled:
 [leaf-user] Bering 1.2 CD won't load daemontl.lrp
There, I was using a syslinux.cfg line and leaf.cfg as follows:

default linux initrd=initrd.lrp init=/linuxrc rw root=/dev/ram0
LEAFCFG=/dev/fd0:msdos PKGPATH=/dev/fd0:msdos,/dev/cdrom:iso9660
syst_size=12M log_size=4M
LRP=root,etc,local,modules,iptables,pump,keyboard,shorwall,ulogd,dnscach
e,ipsec,mawk,dhcpd
Leaf.cfg:
# Example:
LRP=$KCMD_LRP rsync
LRP=$KCMD_LRP daemontl
LRP=$KCMD_LRP weblet

Basically weblet will load but daemontl will not.
Now, swapping things around because I can do without dhcpd, I use:

default linux initrd=initrd.lrp init=/linuxrc rw root=/dev/ram0
LEAFCFG=/dev/fd0:msdos PKGPATH=/dev/fd0:msdos,/dev/cdrom:iso9660
syst_size=12M log_size=4M
LRP=root,etc,local,modules,iptables,pump,keyboard,shorwall,ulogd,dnscach
e,ipsec,mawk,daemontl
Leaf.cfg:
# Example:
LRP=$KCMD_LRP rsync
LRP=$KCMD_LRP dhcpd
LRP=$KCMD_LRP weblet

Now weblet still loads (daemontl loads fine) but dhcpd doesn't load.
Is there a possible problem with the script or its handling?

Rick.


---
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_idG21alloc_id040op=click

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html

Re: [leaf-user] Bug in processing leaf.cfg? (Bering 1.2)

[Charles Steinkuehler]

Tibbs, Richard wrote:
Folks,
Back to the issue of getting daemontl.lrp to load. There was a previous
thread on the list titled:
 [leaf-user] Bering 1.2 CD won't load daemontl.lrp
There, I was using a syslinux.cfg line and leaf.cfg as follows:
default linux initrd=initrd.lrp init=/linuxrc rw root=/dev/ram0
LEAFCFG=/dev/fd0:msdos PKGPATH=/dev/fd0:msdos,/dev/cdrom:iso9660
syst_size=12M log_size=4M
LRP=root,etc,local,modules,iptables,pump,keyboard,shorwall,ulogd,dnscach
e,ipsec,mawk,dhcpd
Leaf.cfg:
# Example:
LRP=$KCMD_LRP rsync
LRP=$KCMD_LRP daemontl
LRP=$KCMD_LRP weblet
Try the following instead:
  LRP=$KCMD_LRP rsync
  LRP=$LRP daemontl
  LRP=$LRP weblet
Note the removal of KCMD_ from all but the first LRP= line, so you don't 
over-write previous changes to the LRP environment variable, but append 
to it, which seems to be what you're trying to accomplish.

HTH,
--
Charles Steinkuehler
[EMAIL PROTECTED]
---
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=4721alloc_id=10040op=click

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html

Re: [leaf-user] multiple port bridging/filtering

[Charles Steinkuehler]

Erich Titl wrote:
At 17:11 16.07.2004, Charles Steinkuehler wrote:
Erich Titl wrote:
Charles
At 06:57 16.07.2004 -0500, Charles Steinkuehler wrote:
Erich Titl wrote:
Charles
interesting approach do you do any mac based filtering?
Not at the moment...filtering is strictly based on IP (and on the 
interface a system is connected to).
Thanks, one more question though, IIRC you can only proxy arp a single 
address per interface. Do you have single hosts on these interfaces? 
Because in my case we will have parts of the entire net being fed off the 
interfaces.
Where did you get that idea?
Probably dreamt it... :-(
The way I understand proxy arp is that the interface which is the proxy 
replies to arp requests for the corresponding IP.
So I have to enter all addresses of all the other interfaces to each of the 
interfaces for them to reply to arp requests?
Um...it's a lot simpler than I think you're trying to make it.  In a 
nutshell:

If 'proxy-arp' is enabled for an interface and the kernel recieves an 
arp request for an IP address that the kernel would route out a 
*DIFFERENT* interface than the arp request was recieved on, the kernel 
'proxys' the arp request, or answers on behalf of the IP address which 
would otherwise be unreachable.

Now here is my problem with this set up. Two of those separate 
subnets/branches have a radio interface and another disjunct branch of this 
net connects to either of them (actually it's a train moving back and forth 
between two stations). The train nets are of the overall net. I have no 
control on how the addresses have been assigned to the net and don't know 
if it is subnettable at all.
snip detail
I don't really understand exactly how your network is numbered.
Suffice it to say if you have fairly static IP allotment (regardless of 
how haphazard and non-subnettted), you can use either proxy-arp or 
bridging to connect them (although the more jumbled the IP assignments, 
the more routing rules required to correctly build the kernel routing 
table).

If your IPs are fairly dynamic (more so than would be possible to track 
by hand configuration changes or a routing protocol), the use of 
bridging is probably more appropriate.

--
Charles Steinkuehler
[EMAIL PROTECTED]
---
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=4721alloc_id=10040op=click

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html

Re: [leaf-user] multiple port bridging/filtering

[Erich Titl]

Charles
At 23:10 16.07.2004, Charles Steinkuehler wrote:
Erich Titl wrote:
...
The way I understand proxy arp is that the interface which is the proxy 
replies to arp requests for the corresponding IP.
So I have to enter all addresses of all the other interfaces to each of 
the interfaces for them to reply to arp requests?
Um...it's a lot simpler than I think you're trying to make it.  In a nutshell:
If 'proxy-arp' is enabled for an interface and the kernel recieves an arp 
request for an IP address that the kernel would route out a *DIFFERENT* 
interface than the arp request was recieved on, the kernel 'proxys' the 
arp request, or answers on behalf of the IP address which would otherwise 
be unreachable.
Ah, that's the thing I missed Of course that maks it a lot easier

Now here is my problem with this set up. Two of those separate 
subnets/branches have a radio interface and another disjunct branch of 
this net connects to either of them (actually it's a train moving back 
and forth between two stations). The train nets are of the overall net. I 
have no control on how the addresses have been assigned to the net and 
don't know if it is subnettable at all.
snip detail
I don't really understand exactly how your network is numbered.
Most of it is fairly static, not necessarily contiguous, the thing I am 
uncertain about is the moving subnet(s) which may connect on multiple 
locations of the net.


Suffice it to say if you have fairly static IP allotment (regardless of 
how haphazard and non-subnettted), you can use either proxy-arp or 
bridging to connect them (although the more jumbled the IP assignments, 
the more routing rules required to correctly build the kernel routing table).

If your IPs are fairly dynamic (more so than would be possible to track by 
hand configuration changes or a routing protocol), the use of bridging is 
probably more appropriate.
That's what my gut feeling tells me, but your analysis helped a lot.
Thanks
Erich
THINK
Püntenstrasse 39
8143 Stallikon
mailto:[EMAIL PROTECTED]
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16

---
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_idG21alloc_id040op=click

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html

Re: [leaf-user] Upgrading uClibC 2.1.0 to 2.2.0b4 with HDD boot.

[steve]

-- 
steve [EMAIL PROTECTED]



---
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=4721alloc_id=10040op=click

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html

[leaf-user] uClibC 2.1.0 2.2.0b5 with CF.

[steve]

I have followed the directions listed below and have gotten
the 2.1 version to boot fine off my CF (16mb)

http://leaf.sourceforge.net/doc/guide/buc-install.html
http://leaf.sourceforge.net/doc/guide/bucu-ide.html

but wheb I try to boot up with the 2.2 version I get a kernal panic.
The last of which is:

hda: attached ide-disk driver
hda: task_no _data_intr: status=0x51 ( DriveReady SeeComplete Error )
hda: task_no_data_intr: error=0x04 ( DriveStatusError )
hda: 31360 sectors (16MB) w/1KiB Cache, CHS=490/2/32
Partition check:
 hda: hda1
 hda: hda1
VFS: Can't find a Minix or Minx V2 filesystem on device 03:00
 hda: hda1
 hda: hda1
FAT: bogus logical sector siz 64543
VFS: Can't find valid FAT filesystem on dev 0.:00
 hda: hda1
 hda: hda1
VFS: Can't find a Minix or Minx V2 filesystem on device 03:00
 hda: hda1
 hda: hda1

LINUXRC: Installing - BOOT_IMAGE=linux: BOOT_IMAGE=linux(nf!) - Finished
cat: /var/lib/lrpkg/root.pn.lins: No such flie or directory
;; Can't open  /var/lib/lrpkg/root.dev.own
Kernel panic:  Attemted to killinit!


I thought at first maybe I had a bad CF, but when I installed the 2.1
ver on it, it worked fine.

I did make the changes to both the syslinux.cfg and leaf.cfg as noted in
the User's guide, changing /dev/fd0u1680:msdos to /dev/hda1:msdos

Thanks in advance
-- 
steve [EMAIL PROTECTED]



---
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=4721alloc_id=10040op=click

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html

RE: [leaf-user] dns resolution - Dachstein

[Doug Sampson]

 I could not get timydns to answer for two internal networks.  My 
 solution is:
  
 .private.network::localhost
 .1.168.192.in-addr.arpa::localhost
 =tworoute.private.network:192.168.1.254
 =localhost.private.network:192.168.1.1
 
 .dmz.network::localhost
 .2.168.192.in-addr.arpa::localhost
 =dmzbox.private.network:192.168.2.1
 
 notice that the DMZ has a address in another network but it's 
 name is in the private.network. This works for me.
 

I made the changes similar to what you described above. Basically what I did
was to add to the private file as follows:

.dmz.dawnsign.com::ns.dawnsign.com
.2.168.192.in-addr.arpa::ns.dawnsign.com
# mail exchanger
@dawnsign.com::mercury.dawnsign.com
=mercury.dawnsign.com:216.xxx.xxx.xxx
=myrouter.dawnsign.com:192.168.1.254

ns.dawnsign.com was already defined for the .dawnsign.com domain so there
wasn't any need to define it within the .dmz.dawnsign.com domain.

It seems to have worked. Am I correct in my assumption that when a name
resolution request comes in from any machine in the 192.168.2.x network, the
request will be checked against the entries defined for the
.dmz.dawnsign.com domain and not the .dawnsign.com domain?

~Doug


---
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=4721alloc_id=10040op=click

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html

[leaf-user] dropbear 0.43 - security update

[K.-P. Kirchdörfer]

Today we received an update of dropbear to v 0.43 fixing potential security 
problems.

The new lrp is in cvs:
http://cvs.sourceforge.net/viewcvs.py/leaf/bin/packages/uclibc-0.9/20/?sortby=date#dirlist

To update your dropbear version:

1) scp the new dropbear.lrp to your boot media's root.
2) on the router mount the media to /mnt
3) copy new dropbear.lrp to /mnt
4) install new dropbear.lrp with lrpkg -i form your root dir
5) If you changed the config edit it to fit your needs - the keys will be 
preserved.
6) run lrcfg and backup dropbear. 

kp


---
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=4721alloc_id=10040op=click

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html

[leaf-user] Firewall error on Weblet

[Darcy Parker]

Hi Andrew,  If you can send me your log file I can have a look to see what
is being reported.  Some of these may be harmless DNS or traceroute queries
that can be dropped from logging.

Darcy Parker ([EMAIL PROTECTED])

Message: 4
From: [EMAIL PROTECTED] [EMAIL PROTECTED]
Date: Fri, 16 Jul 2004 17:40:27 GMT
To: [EMAIL PROTECTED]
Subject: [leaf-user] Firewall error on Weblet


HI,

I am new to leaf and am running bering_uclibc 2.1.3.  Ihave only just
recently got my firewall up and runnng, protecting my local network using
the default shorewall settings. However,in Weblet, I have a red light for
Firewall under LEAF status and it says error.  When I click on the red
stop light it says, You have 113 denied or rejected packets in your recent
packet logs.  The other two traffic light are green (OK).  When I look
at my logs they have come in the 4 hours.  Should I be
worried about this?  Do others get this many hits on there IP's?  By the
way, I am running 3 public ip's on my LEAF.  Only two of them are getting
the traffic.  Let me know if you want to see the logs.  Let me know which
logs you would want: sorted by IP, Port, pretty log, or the regular
one.


Thank,
Andrew




---
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=4721alloc_id=10040op=click

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html

Re: [leaf-user] uClibC 2.1.0 2.2.0b5 with CF.

[K.-P. Kirchdörfer]

Do you use the initrd_ide_cd.lrp from
http://cvs.sourceforge.net/viewcvs.py/leaf/bin/bering-uclibc/beta/

kp

Am Samstag, 17. Juli 2004 00:55 schrieb steve:
 I have followed the directions listed below and have gotten
 the 2.1 version to boot fine off my CF (16mb)

 http://leaf.sourceforge.net/doc/guide/buc-install.html
 http://leaf.sourceforge.net/doc/guide/bucu-ide.html

 but wheb I try to boot up with the 2.2 version I get a kernal panic.
 The last of which is:

 hda: attached ide-disk driver
 hda: task_no _data_intr: status=0x51 ( DriveReady SeeComplete Error )
 hda: task_no_data_intr: error=0x04 ( DriveStatusError )
 hda: 31360 sectors (16MB) w/1KiB Cache, CHS=490/2/32
 Partition check:
  hda: hda1
  hda: hda1
 VFS: Can't find a Minix or Minx V2 filesystem on device 03:00
  hda: hda1
  hda: hda1
 FAT: bogus logical sector siz 64543
 VFS: Can't find valid FAT filesystem on dev 0.:00
  hda: hda1
  hda: hda1
 VFS: Can't find a Minix or Minx V2 filesystem on device 03:00
  hda: hda1
  hda: hda1

 LINUXRC: Installing - BOOT_IMAGE=linux: BOOT_IMAGE=linux(nf!) - Finished
 cat: /var/lib/lrpkg/root.pn.lins: No such flie or directory
 ;; Can't open  /var/lib/lrpkg/root.dev.own
 Kernel panic:  Attemted to killinit!


 I thought at first maybe I had a bad CF, but when I installed the 2.1
 ver on it, it worked fine.

 I did make the changes to both the syslinux.cfg and leaf.cfg as noted in
 the User's guide, changing /dev/fd0u1680:msdos to /dev/hda1:msdos

 Thanks in advance


---
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=4721alloc_id=10040op=click

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html

Re: [leaf-user] Dropbear and sshd in Bering_uClibc 2.1.3

[K.-P. Kirchdörfer]

Am Freitag, 16. Juli 2004 08:53 schrieb [EMAIL PROTECTED]:
 HI AGAIN,

 I am new to LEAF and have just got my Leaf system running.
 However, I have been reading about dropbear, dropbearkeys, and SSH and it
 seems if these have to do with some sort of remote admin packages.  Am I
 right?  

It's about remote administrating your LEAF box - a secure remote shell and 
secure copy (scp) to/from your LEAF box.

 Is there some good beginer information you could point me to to 
 read about these topics?  Or could you tell me what they do and their
 benefits?

To start with dropbear on LEAF router read:
http://leaf.sourceforge.net/doc/guide/bucu-dropbear.html

For general information about ssh look at
http://www.openssh.com/

or google for ssh.

kp


---
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=4721alloc_id=10040op=click

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html

[leaf-user] Bering uClibC 2.1.3, Shorewall, and AIM

[mcartter]

How does Shorewall handle AOL Instant messenger?  I have noticed that when
my two daughters are both using AIM there is a lot of activity in the
firewall log (it turns to red very quickly).

I found the following in an AIM FAQ:

What can I do if I'm having trouble using Instant Messenger at work?

If you're experiencing problems connecting to Instant Messenger from your
office network, talk to your Network or System Administrator. Chances are
you're behind a 'firewall,' and need to ask your System Administrator to
open up port 5190 (this is Instant Messenger's 'default' port, which is
like a secure door in your company's firewall).

Thanks.






---
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=4721alloc_id=10040op=click

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html