Re: [leaf-user] Bering-uClibc 2.1.3 ProxyARP and DMZ settings again

2004-07-24 Thread Tom Eastep
Robert K Coffman Jr - Info From Data Corporation wrote:
> I set up one Bering 1.2 router with Proxyarp.
> I don't recall needing to add the IP addresses to the external interface.  I
> just had to specify them in the proxyarp file.  For the interface addressing
> I believe I followed Tom Eastep's recommendations.  The client I built this
> for is dragging its feet on implementation so I can't get to it right now to
> send you the config, but I'll ask them to put it up this afternoon so I can
> take a look.

Folks: There is a WARNING at http://shorewall.net/ProxyARP.htm not to 
add the address of the internal server to the firewall's external 
interface; I don't know how much clearer I can make this and I'm not 
going to sent confirming emails to everyone who gets it right.

-Tom
--
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]

---
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=4721&alloc_id=10040&op=click

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html


[leaf-user] uml networking problem solved; probably the ActionTek dsl modem

2004-07-24 Thread Eric House
Here's a summary I just posted to the uml developers list about the
solution to the uml networking problem I posted here this afternoon.
Since some of us are stuck with those modems I figure it's doubly
relevant -- and hope it helps.



This mail details the solution to a problem I had with UML networking.
My UML instance was able to ping any host on the LAN or internet, but
could only make TCP connections within the LAN.  On looking closer I
found that the initial packets were making it from the host to the
router and then to my cable modem but not reaching the internet
server.  I was unable to determine whether the cable modem was
dropping them (or why), or whether they were making it further.

Eventually I looked closely at the packets leaving the router, both
for (successful) telnet connections from non-UML hosts and for the
(doomed) attempt from the UML instance.  The only difference,
according to tcpdump running on the router, was that the
non-UML-sourced packets had only the S flag set while the UML-sourced
packets had three set: SWE.

The first hit when googling for "tcpdump SWE" is 

http://lists.debian.org/debian-user/2001/06/msg01577.html

a page that explains that some commercial firewalls block packets for
which TCP ECN is enabled.  And sure enough, the kernel that's part of
Debian's UML package has it enabled.  Once I turned it off using the
following command all was well.  I'm currently running apt-get to
bring the rootfs up to date.

sysctl -w net.ipv4.tcp_ecn=0

Of course I still don't know where the packets were getting blocked,
but my ActionTek DSL modem is the most likely suspect.

UML rocks!  Thanks!

--Eric House
-- 
**
* From the desktop of: Eric House, [EMAIL PROTECTED]*
*Crosswords 4.0.6 for PocketPC is out!:   *
**
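
The diagnosis above, comparing SYN flags in tcpdump output, can be automated. The following is an added example, not part of the original message: it reads tcpdump text lines in either the old (`SWE`) or current (`Flags [SEW]`) style and reports SYNs that never received a SYN-ACK, marking those that were ECN-setup SYNs (ECE and CWR both set, per RFC 3168). The function names, addresses and sample capture lines are constructed for illustration.

```python
import re

# Matches old-style ": SWE 1000:1000(0) ..." and new-style ": Flags [SEW], seq ..."
LINE = re.compile(
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"(?:Flags \[(?P<new>[SFPRUWE.]+)\]|(?P<old>[SFPRUWE.]+))(?P<rest>.*)")

def parse(line):
    """Return (flow, flag set, ack?) for a TCP line, or None if not parsable."""
    m = LINE.search(line)
    if not m:
        return None
    flags = set(m["new"] or m["old"])
    # New tcpdump shows ACK as "." in the flags; old tcpdump prints "ack N".
    ack = "." in flags or " ack " in m["rest"]
    flow = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
    return flow, flags, ack

def unanswered_syns(lines):
    """Map each flow whose SYN got no SYN-ACK to 'ecn' or 'plain'."""
    pending = {}
    for line in lines:
        parsed = parse(line)
        if parsed is None or "S" not in parsed[1]:
            continue
        (src, sport, dst, dport), flags, ack = parsed
        if ack:   # SYN-ACK: the opposite direction was answered
            pending.pop((dst, dport, src, sport), None)
        else:     # E = ECN-Echo, W = CWR; both set means ECN-setup SYN
            pending[(src, sport, dst, dport)] = (
                "ecn" if {"E", "W"} <= flags else "plain")
    return pending

# Constructed sample capture (documentation and private addresses).
SAMPLE = """\
20:01:10.100000 IP 192.168.1.20.40000 > 198.51.100.7.23: S 500:500(0) win 5840 <mss 1460>
20:01:10.150000 IP 198.51.100.7.23 > 192.168.1.20.40000: S 900:900(0) ack 501 win 5792 <mss 1460>
20:01:12.000000 IP 192.168.1.50.32770 > 198.51.100.7.23: SWE 1000:1000(0) win 5840 <mss 1460>
20:01:15.000000 IP 192.168.1.50.32770 > 198.51.100.7.23: SWE 1000:1000(0) win 5840 <mss 1460>
20:01:20.000000 IP 192.168.1.50.32771 > 192.168.1.1.23: Flags [SEW], seq 7, win 5840, length 0
20:01:20.001000 IP 192.168.1.1.23 > 192.168.1.50.32771: Flags [S.E], seq 9, ack 8, win 5792, length 0
""".splitlines()

if __name__ == "__main__":
    for flow, kind in unanswered_syns(SAMPLE).items():
        print(kind, "SYN unanswered:", flow)
```

A destination that answers plain SYNs but leaves only `ecn` entries pending is the pattern described in the message: something on the path is dropping ECN-setup SYNs.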




Re: [leaf-user] Bering-uClibc 2.1.3 ProxyARP and DMZ settings again

2004-07-24 Thread Tom Eastep
Tom Eastep wrote:

> Folks: There is a WARNING at http://shorewall.net/ProxyARP.htm not to 
> add the address of the internal server to the firewall's external 
> interface; I don't know how much clearer I can make this and I'm not 
> going to sent confirming emails to everyone who gets it right.

Groan -- make that "I'm not going to send a confirming email to everyone 
who gets it right"

-Tom
--
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
