Re: [leaf-user] DNAT vs. Proxy Arp DMZ ???
Michael D Schleif wrote:
> This is the problem:
>
> [1] As desired, tcp 3389 is forwarded (DNAT) from the Bering-uClibc/shorewall box to a server on the local LAN, when using the firewall's external interface.
>
> [2] When using a DMZ address, tcp 3389 is also forwarded to that server on the local LAN, and NOT the desired DMZ host.
>
> [3] The desired result is tcp 3389 to DMZ host when DMZ host is specified; and forwarded to local LAN when firewall external address is specified.
>
> I think that I know what is going on here; but, I do NOT know what is the proper configuration.
>
> What is the correct configuration for this?
>
> What do you think?

I think that you need to specify the firewall's external IP address in the ORIGINAL DEST column of your DNAT rule for tcp port 3389.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
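
The suggestion above, as an added example that is not part of the original thread and is not Shorewall's own tooling: a constructed rules file with the broad DNAT rule beside the one scoped by ORIGINAL DEST, and a small audit function that flags DNAT rules leaving that column empty. The zone names net/loc/dmz, the ACCEPT rule for the DMZ host and every address are assumptions chosen for illustration.

```shell
#!/bin/sh
# Constructed sample of a Shorewall "rules" file for a firewall with a
# proxy-ARP DMZ. All addresses are placeholders (192.0.2.0/24 is a
# documentation range): 192.0.2.1 = firewall external IP,
# 192.0.2.10 = DMZ host, 192.168.1.5 = LAN server.
sample_rules() {
cat <<'EOF'
#ACTION  SOURCE  DEST             PROTO  DEST PORT  SOURCE PORT  ORIGINAL DEST
# Broad: no ORIGINAL DEST, so tcp 3389 addressed to the DMZ host is caught too
DNAT     net     loc:192.168.1.5  tcp    3389
# Scoped: only connections addressed to the firewall itself are forwarded
DNAT     net     loc:192.168.1.5  tcp    3389       -            192.0.2.1
# The proxy-ARP DMZ host keeps its own address, so it gets a plain ACCEPT
ACCEPT   net     dmz:192.0.2.10   tcp    3389
EOF
}

# Read a rules file on stdin and print "line-number: rule" for every DNAT
# rule whose ORIGINAL DEST column (field 7) is missing or "-".
dnat_without_origdest() {
    awk '
        { sub(/#.*/, "") }      # drop whole-line and trailing comments
        NF == 0 { next }        # nothing left on this line
        $1 ~ /^DNAT/ && (NF < 7 || $7 == "-") {
            printf "%d: %s %s %s %s %s\n", NR, $1, $2, $3, $4, $5
        }'
}

# Audit the constructed sample; only the broad rule is reported.
sample_rules | dnat_without_origdest
```

On a real firewall the function would be fed the rules file itself, for example `dnat_without_origdest < /etc/shorewall/rules`.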
[leaf-user] Building and Using QEMU
Eric & Arne:

I finally got both QEMU and VDE built and fired up a generic LEAF Router in QEMU. It seems very fast!

I could not find how to add Ethernet ports in the man page and html docs. The only place I could find it was using qemu -h. Apparently, the man page and HTML haven't been updated in a while.

I haven't begun using VDE yet. Once I get the VMs running I'll tackle that.

Thanks for the help getting QEMU built. The CVS source is the key if you want to use the accelerator. Building it was more complicated than it needed to be, though, mostly because of the instructions on the QEMU web site. They assume you're using the CVS tree, but the download source doesn't match. The directions in the CVS tree assume too much also.

Anyway, I've spent the last few days trying to get a QEMU virtual IDE disk to boot. It's easy enough to create, but two glaring problems pop right up.

1) It cannot be mounted with fstype msdos as with the LEAF floppy images, and
2) It will not boot. It hangs at the initial startup with Booting from Hard Disk message.

I've posted a query on the QEMU users forum, but no one is answering. I can't afford to spend more time on that right now so I'm proceeding with a 2-floppy setup in QEMU.

You can view the article here: http://m2.dad-answers.com/qemu-forum/viewtopic.php?t=596

If anyone has any suggestions for this problem I'm all ears.

--Cal Webster
[leaf-user] Bering-uClibc Docs and IPSEC: FreeSwan or OpenSwan?
To the list:

I need to get local copies of all the documentation for Bering-uClibc and all its packages, especially for OpenSwan which is what's contained in the Bering-uClibc IPSEC package (ipsec.lrp).

First, I cannot find a complete documentation package in any form for Bering-uClibc. There is a link to a PDF file supposedly containing the LEAF Guide Collection, but it is dead. I'd really like to get the HTML version, but a comprehensive PDF would be okay.

Second, the IPSEC documentation on the Shorewall site all refers to FreeSwan which does not match the contents of ipsec.lrp. So, I figured I'd just download it from the OpenSwan site. No such luck! All the documentation is contained in the distribution files, which means you have to build the source to get it.

I've been going round-and-round trying to get some documentation pertaining to installation, configuration, and use of the IPSEC implementation in Bering-uClibc.

It sure would be nice to have all the docs in one place. Would it be possible for whomever is building the packages to build the documentation to go with them and provide a link next to or below the main package?

Is there somewhere I'm not looking to download the LEAF and Bering-uClibc docs? This is getting to be frustrating.

--Cal Webster
Re: [leaf-user] Bering-uClibc Docs and IPSEC: FreeSwan or OpenSwan?
Calvin Webster wrote:
> Second, the IPSEC documentation on the Shorewall site all refers to FreeSwan which does not match the contents of ipsec.lrp.

The proliferation of Swan species has been an absurd spectacle to observe to be sure but from the point of view of Shorewall, there are only two kinds of IPSEC:

A) Kernel 2.4 using *Swan.
B) Kernel 2.6 using any configuration manager/IKE daemon combination. This includes 2.4 systems running the backported 2.6 Native IPSEC code.

Given that Bering* only runs on the 2.4 kernel and to my knowledge does not include the backport of the Kernel 2.6 Native IPSEC code, you want the Kernel 2.4 docs (http://shorewall.net/IPSEC.htm) regardless of what color your Swans are.

-Tom
Re: [leaf-user] Bering-uClibc Docs and IPSEC: FreeSwan or OpenSwan?
On Fri, 2005-04-29 at 13:16, Tom Eastep wrote:
> Calvin Webster wrote:
> > Second, the IPSEC documentation on the Shorewall site all refers to FreeSwan which does not match the contents of ipsec.lrp.
> ...
> Given that Bering* only runs on the 2.4 kernel and to my knowledge does not include the backport of the Kernel 2.6 Native IPSEC code, you want the Kernel 2.4 docs (http://shorewall.net/IPSEC.htm) regardless of what color your Swans are.
>
> -Tom

Thanks Tom. I've been referencing that page already. It's great for the configuration items. What about initial IPSEC setup, though (i.e. generating keys, etc.). That's supposed to be in the *Swan docs that are missing.

What is everyone else using? Am I the only one trying to survive on pre-built packages?
Re: [leaf-user] Bering-uClibc Docs and IPSEC: FreeSwan or OpenSwan?
Calvin Webster wrote:
> Thanks Tom. I've been referencing that page already. It's great for the configuration items. What about initial IPSEC setup, though (i.e. generating keys, etc.). That's supposed to be in the *Swan docs that are missing.
>
> What is everyone else using? Am I the only one trying to survive on pre-built packages?

Can't answer that, I'm afraid -- I haven't run *Swan in years.

-Tom
Re: [leaf-user] Bering-uClibc Docs and IPSEC: FreeSwan or OpenSwan?
Calvin Webster wrote:
> -Tom/
> Can I ask what you are using for IPSEC, then? It might be better for me than flying blind.

I'm using the 2.6 kernel under Debian/Sarge with ipsec-tools/racoon -- not an option with Bering.

-Tom
RE: [leaf-user] Bering-uClibc Docs and IPSEC: FreeSwan or OpenSwan?
> > Given that Bering* only runs on the 2.4 kernel and to my knowledge does not include the backport of the Kernel 2.6 Native IPSEC code, you want the Kernel 2.4 docs (http://shorewall.net/IPSEC.htm) regardless of what color your Swans are.
> >
> > -Tom
>
> Thanks Tom. I've been referencing that page already. It's great for the configuration items. What about initial IPSEC setup, though (i.e. generating keys, etc.). That's supposed to be in the *Swan docs that are missing.
>
> What is everyone else using? Am I the only one trying to survive on pre-built packages?

http://leaf.sourceforge.net/doc/guide/buipsec.html

Jacques's documentation is still relevant and nice :). Bering-uClibC is basically bering that's more up to date with a smaller compiler.

P
Re: [leaf-user] Building and Using QEMU
On Fri, 2005-04-29 at 12:24 -0400, Calvin Webster wrote:
> Eric & Arne:

Hi Calvin!

> I haven't begun using VDE yet. Once I get the VMs running I'll tackle that.

i use the following script to start 2 vde-switches (actually hubs) and load the kqemu module... Of course you can use more switches if you like, just add them like the others and don't forget to pass the control socket as argument to qemu.

    #! /bin/sh
    # must run as root: creates tap devices and loads a kernel module
    if [ "$(id -u)" -ne 0 ] ; then
        echo you need to be root
        exit 1
    fi
    # stop any switches left over from an earlier run
    killall vde_switch
    #start vde_switch
    vde_switch -sock /tmp/vde0.ctl -hub -tap tap0 -daemon
    chmod 777 /tmp/vde0.ctl
    vde_switch -sock /tmp/vde1.ctl -hub -tap tap1 -daemon
    chmod 777 /tmp/vde1.ctl
    # load the QEMU accelerator module
    modprobe kqemu

the qemu instance can be started like this:

    vdeq qemu -sock /tmp/vde0.ctl,/tmp/vde1.ctl -fda Bering-uClibc_2.2.2_img_bering-uclibc-1680.bin

(should be one line...).

you can assign ip addresses on the host system to tap0/tap1/tapN via ifconfig tap0 address, or just use tcpdump to see what is going on in your virtual network (that's why i use the -hub option to be able to see it).

> Thanks for the help getting QEMU built. The CVS source is the key if you want to use the accelerator. Building it was more complicated than it needed to be, though, mostly because of the instructions on the QEMU web site. They assume you're using the CVS tree, but the download source doesn't match. The directions in the CVS tree assume too much also.

now that qemu 0.7 is out, things are a lot easier (no more cvs needed)..

> Anyway, I've spent the last few days trying to get a QEMU virtual IDE disk to boot. It's easy enough to create, but two glaring problems pop right up.
>
> 1) It cannot be mounted with fstype msdos as with the LEAF floppy images, and
> 2) It will not boot. It hangs at the initial startup with Booting from Hard Disk message.
>
> I've posted a query on the QEMU users forum, but no one is answering. I can't afford to spend more time on that right now so I'm proceeding with a 2-floppy setup in QEMU.
>
> You can view the article here:

i ran into the same problems, too while trying to create the disk with linux. I have it running now, but had to use a (real) dos boot floppy to get it work... I created an empty hd image (64M) which is already syslinuxed, you can get it from: http://www.ucbering.de

you can mount it like:

    mount -o loop,offset=32256 leaf.img /mnt -t msdos

and copy the leaf files that you want (don't forget to use a initrd capable of harddisks for it).

Another option would be to use the bering-uclibc iso image for booting as cdrom (and if not, use it for getting the packages...).

Hope that helps,

--arne

> If anyone has any suggestions for this problem I'm all ears.
>
> --Cal Webster

--
Arne Bernin [EMAIL PROTECTED]
RE: [leaf-user] Bering-uClibc Docs and IPSEC: FreeSwan or OpenSwan?
On Fri, 2005-04-29 at 14:06, Peter Mueller wrote:
> > > Given that Bering* only runs on the 2.4 kernel and to my knowledge does not include the backport of the Kernel 2.6 Native IPSEC code, you want the Kernel 2.4 docs (http://shorewall.net/IPSEC.htm) regardless of what color your Swans are.
> > >
> > > -Tom
> >
> > Thanks Tom. I've been referencing that page already. It's great for the configuration items. What about initial IPSEC setup, though (i.e. generating keys, etc.). That's supposed to be in the *Swan docs that are missing.
> >
> > What is everyone else using? Am I the only one trying to survive on pre-built packages?
>
> http://leaf.sourceforge.net/doc/guide/buipsec.html
>
> Jacques's documentation is still relevant and nice :). Bering-uClibC is basically bering that's more up to date with a smaller compiler.
>
> P

Thank you Peter! I keep forgetting about going back to the Bering docs. Even though often I have to extrapolate for Bering-uClibc, it's better than no docs.

You should see my desktop right now. I've got 4 Firefox browsers with 8 or more tabs in each, along with several terminal windows for mounted LEAF images, running QEMU sessions, gedit, mail and whatnot. It would sure be nice to have a single source for the docs, since there are so many of them.
Re: [leaf-user] Building and Using QEMU
On Fri, 2005-04-29 at 14:09, Arne Bernin wrote:
> On Fri, 2005-04-29 at 12:24 -0400, Calvin Webster wrote:
> > Eric & Arne:
>
> Hi Calvin!
>
> > I haven't begun using VDE yet. Once I get the VMs running I'll tackle that.
>
> i use the following script to start 2 vde-switches (actually hubs) and load the kqemu module... Of course you can use more switches if you like, just add them like the others and don't forget to pass the control socket as argument to qemu.

Thanks! I'll try that when I get more than one LEAF router up and running.

> > Thanks for the help getting QEMU built. The CVS source is the key if you want to use the accelerator. Building it was more complicated than it needed to be, though, mostly because of the instructions on the QEMU web site. They assume you're using the CVS tree, but the download source doesn't match. The directions in the CVS tree assume too much also.
>
> now that qemu 0.7 is out, things are a lot easier (no more cvs needed)..

That's good.

> > Anyway, I've spent the last few days trying to get a QEMU virtual IDE disk to boot. It's easy enough to create, but two glaring problems pop right up.
> >
> > 1) It cannot be mounted with fstype msdos as with the LEAF floppy images, and
> > 2) It will not boot. It hangs at the initial startup with Booting from Hard Disk message.
> >
> > I've posted a query on the QEMU users forum, but no one is answering. I can't afford to spend more time on that right now so I'm proceeding with a 2-floppy setup in QEMU.
> >
> > You can view the article here:
>
> i ran into the same problems, too while trying to create the disk with linux. I have it running now, but had to use a (real) dos boot floppy to get it work... I created an empty hd image (64M) which is already syslinuxed, you can get it from: http://www.ucbering.de
>
> you can mount it like:
>
>     mount -o loop,offset=32256 leaf.img /mnt -t msdos
>
> and copy the leaf files that you want (don't forget to use a initrd capable of harddisks for it).
>
> Another option would be to use the bering-uclibc iso image for booting as cdrom (and if not, use it for getting the packages...).
>
> Hope that helps,
>
> --arne

I got your image and used it - now I can boot. I just used the LEAF initrd.lrp from the diskette and it works okay. However, I still need to be able to create one that will boot and I'd like to be able to do it without Bill Gates' help. Everything I'm doing needs to be repeatable and documented. Someone had to be able to do it from Linux at some point since the docs claim it can be done.

Actually, the offset you used to mount your image allowed me to mount the image that I had created. I was not trying to mount from an offset before. How did you arrive at that offset number?

The first times that I ran syslinux -o from within my Linux shell I was using the unit value from fdisk to get past cyl 0 (516096). It was failing complaining that it didn't look like a valid FAT filesystem. Now, using the 32256 offset, I no longer get any errors, appearing to succeed. However, it still won't boot.

Actually I have tried running syslinux several different ways without success, with both the original RHL9 stock version and the newest ver 3.07-1. The only way I got no errors was to boot into QEMU. I copied syslinux to a Win95 boot diskette and booted the RHL9 CD into rescue mode with the Win95 diskette as a fd1, and the LEAF hard disk as hda then ran it from there.

Am I going to have to download a windows exe to the Win95 rescue diskette and boot it into QEMU with the hard disk image? I assume that's what you did.

This is going to bug me, you know. I won't be able to let it go until I figure out why it's not working.

--Cal
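
An added example, not part of the original thread, showing where the two offsets discussed above come from: 32256 is 63 sectors of 512 bytes, the start of the first partition in a classic DOS layout, while 516096 is 1008 sectors (for example 16 heads x 63 sectors), one whole cylinder. The functions below read the start sector from the MBR partition table of a raw image; the function names and the constructed one-sector sample image are assumptions made for the demonstration.

```shell
#!/bin/sh
# Print the byte offset of primary partition N (1-4) of a raw disk image,
# read from the MBR partition table. Usage: part_offset IMAGE [N]
part_offset() {
    img=$1
    n=${2:-1}
    # A valid MBR ends with the signature bytes 0x55 0xAA at 510-511.
    sig=$(od -An -tx1 -j510 -N2 "$img" | tr -d ' \n')
    [ "$sig" = "55aa" ] || { echo "no MBR signature in $img" >&2; return 1; }
    # Entry N starts at 446 + 16*(N-1); the start sector (LBA) is the
    # 4-byte little-endian value at offset 8 inside the entry.
    pos=$(( 446 + 16 * (n - 1) + 8 ))
    set -- $(od -An -tu1 -j"$pos" -N4 "$img")
    lba=$(( $1 + ($2 << 8) + ($3 << 16) + ($4 << 24) ))
    [ "$lba" -gt 0 ] || { echo "partition $n is empty" >&2; return 1; }
    echo $(( lba * 512 ))
}

# Build a constructed 512-byte MBR with one FAT16 partition starting at
# sector 63 (sample data, not the image from the thread).
make_sample_mbr() {
    out=$1
    dd if=/dev/zero of="$out" bs=512 count=1 2>/dev/null
    # partition type 0x06 at byte 450 (446 + 4)
    printf '\006' | dd of="$out" bs=1 seek=450 conv=notrunc 2>/dev/null
    # start LBA 63 (octal 077) at byte 454; the upper three bytes stay zero
    printf '\077' | dd of="$out" bs=1 seek=454 conv=notrunc 2>/dev/null
    # boot signature 0x55 0xAA at byte 510
    printf '\125\252' | dd of="$out" bs=1 seek=510 conv=notrunc 2>/dev/null
}

# Demonstration on the constructed image: print the mount command that
# matches the partition table.
demo_img=$(mktemp)
make_sample_mbr "$demo_img"
echo "mount -o loop,offset=$(part_offset "$demo_img" 1) leaf.img /mnt -t msdos"
rm -f "$demo_img"
```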
Re: [leaf-user] Building and Using QEMU
Calvin,

> Am I going to have to download a windows exe to the Win95 rescue diskette and boot it into QEMU with the hard disk image? I assume that's what you did.
>
> This is going to bug me, you know. I won't be able to let it go until I figure out why it's not working.

The hdimage from Arne is already syslinuxed, so that shouldn't be the problem. You need to use the initrd_ide.lrp (rename to initrd.lrp), which contains the ide modules and edit syslinux.cfg and leaf.cfg to use the right bootdevice.

Eric
Re: [leaf-user] Building and Using QEMU
On Fri, 2005-04-29 at 16:08, Eric Spakman wrote:
> Calvin,
>
> > Am I going to have to download a windows exe to the Win95 rescue diskette and boot it into QEMU with the hard disk image? I assume that's what you did.
> >
> > This is going to bug me, you know. I won't be able to let it go until I figure out why it's not working.
>
> The hdimage from Arne is already syslinuxed, so that shouldn't be the problem. You need to use the initrd_ide.lrp (rename to initrd.lrp), which contains the ide modules and edit syslinux.cfg and leaf.cfg to use the right bootdevice.
>
> Eric

You're right of course, I've already booted a LEAF router in Arne's pre-made ide image. I didn't know about the initrd_ide.lrp so I followed one of the guides to add the ide modules. I used the original initrd.lrp, but manually added the ide-core.o ide-disk.o and ide-detect.o modules and updated the config.

What I was talking about above was being able to produce a bootable ide image without having to depend upon a pre-built one. I'd much prefer to be able to do everything in Linux. As I indicated, everything I'm doing here must be capable of being duplicated for local configuration management.

Thanks!

--Cal Webster