Re: [leaf-user] Bering-uClibc 2.1.3 ProxyARP and DMZ settings again

2004-07-23 Thread [EMAIL PROTECTED]

Please help!!
I really need some input here.
Thanks.
Andrew




---

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html


[leaf-user] Bering uC 2.2b5 bug? shorewall: handling of two 'blacklist'ed interfaces

2004-07-23 Thread freeman groups
Playing around with 2.2b5 I gave it my usual setup which includes having 
two interfaces flagged as blacklist-respecting (via 
/etc/shorewall/interfaces) even though I don't have any entries in the 
blacklist file.

Thus, upon shorewall's startup it gives this error message (middle line):
Adding Common Rules
Processing /etc/shorewall/initdone ...
local: 8: eth1:0.0.0.0/0: bad variable name
Setting up Blacklisting...
   Blacklisting enabled on eth0:0.0.0.0/0

I ultimately verified this with the 'virgin' floppy image of 2.2b5.
FWIW, if one or the other of the two interfaces in 
/etc/shorewall/interfaces is given the 'blacklist' flag then all is 
well, the problem only arises if both are flagged.

Thanks for LEAF!
scott; canada
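An added illustration of the shell pitfall that produces a message of the form `local: N: eth1:0.0.0.0/0: bad variable name` and then carries on with only the first interface, which is consistent with the log above showing blacklisting enabled on eth0 alone. This is example code, not Shorewall's; that 2.2b5 contained exactly this construct is an assumption drawn from the symptom. The check is written as a plain function so it behaves the same in every sh: bash's own `local` treats `name="$@"` as an assignment and does not split it, whereas dash and busybox ash (the shell on Bering-uClibc) do.

```shell
#!/bin/sh
# Added example, not Shorewall code. It models what dash/ash `local` does
# with its argument list, to show why list="$@" breaks with two interfaces
# while list="$*" does not. Interface words are the ones from the log.

# Valid shell variable name: letter or underscore, then letters, digits, underscores.
is_valid_name() {
    case $1 in
        ''|[0-9]*|*[!A-Za-z0-9_]*) return 1 ;;
    esac
    return 0
}

# Model of `local`'s argument handling: every word must be NAME or
# NAME=VALUE; each offending word is reported on stderr and counted.
model_local() {
    bad=0
    for w in "$@"; do
        if ! is_valid_name "${w%%=*}"; then
            echo "local: $w: bad variable name" >&2
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Buggy form: "$@" yields one word per interface, so `local` receives
# list=eth0:0.0.0.0/0 and a bare eth1:0.0.0.0/0, rejects the latter, and
# the caller continues with a single interface (blacklisting on eth0 only).
buggy_local() {
    model_local list="$@"
}

# Fixed form: "$*" always yields one word, joined by the first IFS character.
fixed_local() {
    model_local list="$*"
}

# Usage: one flagged interface passes either way; two expose the bug.
buggy_local eth0:0.0.0.0/0 && echo "buggy form, one interface: ok"
buggy_local eth0:0.0.0.0/0 eth1:0.0.0.0/0 || echo "buggy form, two interfaces: $? bad word(s)"
fixed_local eth0:0.0.0.0/0 eth1:0.0.0.0/0 && echo "fixed form, two interfaces: ok"
```

The practical point for a firewall is that the error is not fatal: the script keeps going and the second interface silently loses its blacklist handling, so a startup log that names only one interface is the thing to look for.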




RE: [leaf-user] Bering-uClibc 2.1.3 ProxyARP and DMZ settings again

2004-07-23 Thread Robert K Coffman Jr - Info From Data Corporation
I set up one Bering 1.2 router with Proxyarp.

I don't recall needing to add the IP addresses to the external interface.  I
just had to specify them in the proxyarp file.  For the interface addressing
I believe I followed Tom Eastep's recommendations.  The client I built this
for is dragging its feet on implementation so I can't get to it right now to
send you the config, but I'll ask them to put it up this afternoon so I can
take a look.

From what I can tell, Proxyarp is what you want.

- Bob Coffman

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, July 22, 2004 9:59 AM
To: [EMAIL PROTECTED]
Subject: [leaf-user] Bering-uClibc 2.1.3 ProxyARP and DMZ settings again



This is round two since I didn't get any responses last time.  I know you
guys are busy but if you could just look through what I have so that I know
I set up my firewall correctly.  I really appreciate it.
Thanks in advance.

I am a complete newbie to Linux and firewalling.  I have only known Windows
operating systems up until now, so bear with me please.

I have recently got my LAN working with LEAF but I am now having trouble
setting up my DMZ.
I have five (cable modem) static IPs: 24.227.166.194 thru 24.227.166.198.
My default gateway is 24.227.166.193 with a netmask of 255.255.255.248.
In this setup, 2 of my IPs won't be used.
I have the cable modem going into eth0 of the Bering-uClibc 2.1.3 machine.
I have eth1 going to a wireless router/switch which serves my LAN.
Then I have eth2 (trying to set up a DMZ) which goes to a switch which goes
to a web server (24.227.166.197) {you can go there now if you want [not much
to see yet], I think it is working now} and a media server {this server is
down right now by choice} (24.227.166.198).  Both run MS Server 2003
Enterprise Edition.
Both servers need their own port 80.  I was reading Eastep's Shorewall setup
for proxy ARP and was trying to duplicate that but am having trouble.

I am curious to know if you think Proxy ARP is the best way to go for my
setup?  Safety and security?  My setup is at home but I am running this for
commercial use, so it has to be up and online as much as possible.

As I was writing this email I think I got proxy ARP working on my LEAF.
That's the second time that's happened to me.
But if you could, check my settings to see if everything looks right
(blocking and forwarding).

Here are my current settings:

In network Configuration: Interfaces File I have:

auto eth0
iface eth0 inet static
address 24.227.166.194
netmask 255.255.255.248
broadcast 24.227.166.255
gateway 24.227.166.193
up ip addr add 24.227.166.195/29 brd 24.227.166.255 dev eth0 label eth0:1
up ip addr add 24.227.166.196/29 brd 24.227.166.255 dev eth0 label eth0:2
#up ip addr add 24.227.166.197/29 brd 24.227.166.255 dev eth0 label eth0:3
#up ip addr add 24.227.166.198/29 brd 24.227.166.255 dev eth0 label eth0:4

If you notice here, I wasn't completely sure what to do, but this is how it
reads right now.
Like I said before these are my 5 static IPs.  I am not trying to use *.195
and *.196.  I just added them to this file in case I need them later (maybe
DNAT, port forwarding) and it is interesting to watch their activity on the
weblet log.
I want to use *.197 and *.198 as my two DMZ addresses.  After reading Tom
Eastep's Shorewall setup guide (for multiple IP addresses) I remarked the
lines because he said not to add them (ProxyARP addresses) to my interfaces
file.  I guess this is what he meant, however I am not sure if it was or not.


Then further down on Step 2 (Configure internal interface) I have:
auto eth1
iface eth1 inet static
address 192.168.1.254
netmask 255.255.255.0
broadcast 192.168.1.255

Then further down on Step 3 (Configure DMZ) I have:
auto eth2
iface eth2 inet static
address 192.168.2.254
netmask 255.255.255.0
broadcast 192.168.2.255


Then on Network configuration - resolv.conf I have my DNS nameservers
entered (given to me by my cable modem ISP).
nameserver 24.93.40.62
nameserver 24.93.40.63

Then in Packages Configuration: Shorewall I have:

I made no changes to PARAMS file

I changed Zones file to read:
#Zone   Display   Comments
net     Net       Internet
loc     Local     Local Networks
dmz     DMZ       Demilitarized zone
#last Line

In Interfaces file it reads:
#zone   Interface   broadcast   options
net     eth0        detect      dhcp,routefilter,norfc1918
loc     eth1        detect
dmz     eth2        detect
#last Line

I made no changes to Hosts file

In Policy file it reads:
#source   dest   policy   log   limit:burst
loc       net    accept
net       all    drop     ulog

all       all    reject   ulog
#last line

In Rules it reads:
#Action   source   dest   proto   dest port   source port   original dest
accept    ne
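An added sanity check for a ProxyARP/DMZ layout like the one quoted above; it is example code, not part of LEAF or Shorewall. It recomputes the broadcast address for the /29 from the address and netmask, confirms each proxy ARP address is a host address inside the block and not the upstream gateway, and flags any address that is both assigned to eth0 (the `up ip addr add ... label` lines) and listed for proxy ARP, which is the overlap Eastep's guide warns against. The addresses in the usage call are the ones the post gives; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not LEAF/Shorewall code: sanity-check an external /29,
# the addresses labelled onto eth0, and the addresses meant for proxy ARP.
# POSIX sh arithmetic only, so it runs on a Bering-class busybox shell.

# Dotted quad -> 32-bit integer.
ip2int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Broadcast address of the subnet containing address $1 under netmask $2.
broadcast_for() {
    bf_addr=$(ip2int "$1")
    bf_mask=$(ip2int "$2")
    int2ip $(( (bf_addr & bf_mask) | (~bf_mask & 4294967295) ))
}

# check_setup EXT_ADDR NETMASK STATED_BROADCAST GATEWAY "ETH0 ADDRS" "PROXYARP ADDRS"
# Prints one line per finding and returns the number of findings (0 = clean).
check_setup() {
    ext=$1; nm=$2; stated=$3; gw=$4; eth0_addrs=$5; parp=$6
    findings=0
    want=$(broadcast_for "$ext" "$nm")
    if [ "$want" != "$stated" ]; then
        echo "broadcast $stated is wrong for $ext/$nm; the block's broadcast is $want"
        findings=$((findings + 1))
    fi
    net_i=$(( $(ip2int "$ext") & $(ip2int "$nm") ))
    bc_i=$(ip2int "$want")
    for a in $parp; do
        a_i=$(ip2int "$a")
        if [ "$a_i" -le "$net_i" ] || [ "$a_i" -ge "$bc_i" ]; then
            echo "proxy ARP address $a is not a host address inside the block"
            findings=$((findings + 1))
        fi
        if [ "$a" = "$gw" ]; then
            echo "proxy ARP address $a is the upstream gateway"
            findings=$((findings + 1))
        fi
        for e in $eth0_addrs; do
            if [ "$e" = "$a" ]; then
                echo "$a is assigned to eth0 and also proxy ARPed; remove it from interfaces"
                findings=$((findings + 1))
            fi
        done
    done
    return "$findings"
}

# Usage: the poster's layout. eth0 carries .194 plus the .195/.196 labels;
# .197/.198 are commented out there and intended for proxy ARP to the DMZ.
check_setup 24.227.166.194 255.255.255.248 24.227.166.255 24.227.166.193 \
    "24.227.166.194 24.227.166.195 24.227.166.196" \
    "24.227.166.197 24.227.166.198" || echo "$? finding(s)"
```

On the quoted configuration the check reports one finding: with a 255.255.255.248 mask the broadcast for 24.227.166.194 is 24.227.166.199, not 24.227.166.255. The proxy ARP addresses themselves pass, because the .197/.198 label lines were commented out of the interfaces file.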

[leaf-user] Does dropbear support port forwarding?

2004-07-23 Thread John Desmond
I've replaced my Bering/sshd firewall with a Bering
uClibc/dropbear combo and I don't seem to be able to
make tunnels like I used to from an outside location
using PuTTY. (For instance, I used to connect with
Windows/PuTTY to my firewall and open a shell while
forwarding a local port. Then I could connect local
port xyz on my work desktop to port 22 on my home
desktop through the firewall and open a shell there.
And then on to my SL-5500 which is connected and left
running. All great fun. I often demo these abilities
to amazed engineers in the office whose only computer
experience is MS Office on MS Windows)

Now, I can open the shell but the tunnel doesn't seem
to happen. If I try to use it, the original session
crashes.

The man page for the full-up version of dropbear
indicates that forwarding ports is the default
behavior and a switch is used to disable it. But when
Bering-uClibc 2.01 was introduced, dropbear port
forwarding evidently only "partly" worked.

Has anyone successfully used dropbear 0.41 for port
forwarding?
Is there a diagnostic that will show the forwarding is
active?
netstat -a shows the server listening and the
established connection but would a forwarded port show
up there?

-John
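An added example, not from the thread, addressing the question of whether a forwarded port would show up in `netstat -a` on the firewall. It rests on one fact about SSH port forwarding: for a local forward (PuTTY's "local" forwarded port, `ssh -L` style) the listening socket is opened by the ssh client on the user's own machine, so the server side shows only an outbound connection from the SSH daemon to the forward target, and only while the tunnel is actually carrying a connection. The snapshot below is constructed; the peer addresses and the forward port 5022 are made up, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: read a netstat snapshot to see where
# a local SSH forward is visible. Constructed data; only the firewall's own
# address (24.227.166.194) comes from the thread.

# Constructed `netstat -an` output as seen on the firewall while a remote
# PuTTY user is logged in and is using a forward to port 22 on an inside host.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 24.227.166.194:22       203.0.113.7:51622       ESTABLISHED
tcp        0      0 192.168.1.254:40512     192.168.1.10:22         ESTABLISHED'

# listeners_on PORT: local addresses that LISTEN on PORT.
listeners_on() {
    printf '%s\n' "$SAMPLE_NETSTAT" |
        awk -v p="$1" '$6 == "LISTEN" && $4 ~ (":" p "$") { print $4 }'
}

# forwards_to HOST:PORT: number of ESTABLISHED connections whose foreign
# side is the forward target; this is the only trace a local forward
# leaves on the SSH server.
forwards_to() {
    printf '%s\n' "$SAMPLE_NETSTAT" |
        awk -v t="$1" '$6 == "ESTABLISHED" && $5 == t { n++ } END { print n + 0 }'
}

# forward_state FORWARD_PORT TARGET: one word summarising what the snapshot shows.
forward_state() {
    if [ -n "$(listeners_on "$1")" ]; then
        echo "listener-here"          # a server-side listener: a remote forward or another service
    elif [ "$(forwards_to "$2")" -gt 0 ]; then
        echo "outbound-to-target"     # a local forward currently carrying traffic
    else
        echo "not-visible"            # idle local forward: nothing to see on the server
    fi
}

# Usage: forward port 5022 (constructed) to the home desktop's port 22.
forward_state 5022 192.168.1.10:22
```

So on the firewall a working local forward never appears as a listener; the check that answers the question is the outbound connection toward the target, and an idle tunnel shows nothing at all.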





Re: [leaf-user] Does dropbear support port forwarding?

2004-07-23 Thread John Desmond
Ooops! I meant to say that I have already added a rule
to shorewall to allow port 22 connections from fw to
loc.
-John

--- John Desmond <[EMAIL PROTECTED]> wrote:
> I've replaced my Bering/sshd firewall with a Bering
> uClibc/dropbear combo and I don't seem to be able to
> make tunnels like I used to from an outside location
> using PuTTY. (For instance, I used to connect with
> Windows/PuTTY to my firewall and open a shell while
> forwarding a local port. Then I could connect local
> port xyz on my work desktop to port 22 on my home
> desktop through the firewall and open a shell there.
> And then on to my SL-5500 which is connected and
> left
> running. All great fun. I often demo these abilities
> to amazed engineers in the office whose only
> computer
> experience is MS Office on MS Windows)
> 
> Now, I can open the shell but the tunnel doesn't
> seem
> to happen. If I try to use it, the original session
> crashes.
> 
> The man page for the full-up version of dropbear
> indicates that forwarding ports is the default
> behavior and a switch is used to disable it. But
> when
> Bering-uClibc 2.01 was introduced, dropbear port
> forwarding evidently only "partly" worked.
> 
> Has anyone successfully used dropbear 0.41 for port
> forwarding?
> Is there a diagnostic that will show the forwarding
> is
> active?
> netstat -a shows the server listening and the
> established connection but would a forwarded port
> show
> up there?
> 
> -John
> 





Re: [leaf-user] Does dropbear support port forwarding?

2004-07-23 Thread M Lu
Sorry that I cannot help but FYI I also got trouble with port-forwarding
with dropbear. I used it to Remote-Terminal to Win2K server and IIRC I could
go into the login screen but then things stopped. Switching back to SSHD and
everything worked. However it was about half a year ago and later versions
of dropbear may fix that.

M Lu.


- Original Message - 
From: "John Desmond" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, July 23, 2004 2:46 PM
Subject: Re: [leaf-user] Does dropbear support port forwarding?


> Ooops! I meant to say that I have already added a rule
> to shorewall to allow port 22 connections from fw to
> loc.
> -John
>
> --- John Desmond <[EMAIL PROTECTED]> wrote:
> > I've replaced my Bering/sshd firewall with a Bering
> > uClibc/dropbear combo and I don't seem to be able to
> > make tunnels like I used to from an outside location
> > using PuTTY. (For instance, I used to connect with
> > Windows/PuTTY to my firewall and open a shell while
> > forwarding a local port. Then I could connect local
> > port xyz on my work desktop to port 22 on my home
> > desktop through the firewall and open a shell there.
> > And then on to my SL-5500 which is connected and
> > left
> > running. All great fun. I often demo these abilities
> > to amazed engineers in the office whose only
> > computer
> > experience is MS Office on MS Windows)
> >
> > Now, I can open the shell but the tunnel doesn't
> > seem
> > to happen. If I try to use it, the original session
> > crashes.
> >
> > The man page for the full-up version of dropbear
> > indicates that forwarding ports is the default
> > behavior and a switch is used to disable it. But
> > when
> > Bering-uClibc 2.01 was introduced, dropbear port
> > forwarding evidently only "partly" worked.
> >
> > Has anyone successfully used dropbear 0.41 for port
> > forwarding?
> > Is there a diagnostic that will show the forwarding
> > is
> > active?
> > netstat -a shows the server listening and the
> > established connection but would a forwarded port
> > show
> > up there?
> >
> > -John




Re: [leaf-user] Bering uC 2.2b5 bug? shorewall: handling of two 'blacklist'ed interfaces

2004-07-23 Thread Tom Eastep
freeman groups wrote:
> Playing around with 2.2b5 I gave it my usual setup which includes having
> two interfaces flagged as blacklist-respecting (via
> /etc/shorewall/interfaces) even though I don't have any entries in the
> blacklist file.
>
> Thus, upon shorewall's startup it gives this error message (middle line):
> Adding Common Rules
> Processing /etc/shorewall/initdone ...
> local: 8: eth1:0.0.0.0/0: bad variable name

See http://shorewall.net/troubleshoot.htm under "shorewall start and
shorewall restart Errors"

> Setting up Blacklisting...
>    Blacklisting enabled on eth0:0.0.0.0/0

-Tom
--
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
