Re: [leaf-user] Multiple ISP redundancy
> -----Original Message-----
> From: Trev Peterson [mailto:t...@advanced-reality.com]
> Sent: Tuesday, January 20, 2009 2:03 PM
> To: leaf-user
> Subject: [leaf-user] Multiple ISP redundancy
>
> Hello,
>
> I'm trying to see if there is a config guide / example / howto for setting up bering uclibc (2.4.2) for multiple ISP connections with auto-failover should one link go down. I've checked leaf and shorewall documentation but I don't have a clear picture on how this should be done. If anyone knows of a guide to do this please reply with a link.
>
> Any information on how shorewall 3.0.9 interaction between routing and the shorewall multiple providers feature is also sought. I am considering using quagga (zebra) or some custom bash scripts that alter the routing table directly but am not sure how this will affect shorewall (NAT, interface selection, etc). Should I go with a custom script I will make it available once it is tested.

[Bob Gregory] I've wondered about this too, off and on. If you figure it out please post back to the list.

Cheers,
-Bob
http://leaf-project.org/

--
This SF.net email is sponsored by: SourceForge Community
SourceForge wants to tell your story.
http://p.sf.net/sfu/sf-spreadtheword
leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/
Re: [leaf-user] remote WOL
Boris said:
> I need a user-usable (not shell) possibility to switch on a PC behind a leaf router in a remote LAN and I'm thinking of how to do.
>
> First idea was to create the magic packet by a protected webfrontend on a server in a different location but as far as I understand this magic packet is not routable to the target PC.
>
> So the next idea is to build a web frontend on the leaf box. I don't know yet about the capabilities of mhttpd. Is it possible (protection etc.)?
>
> Any more ideas? Is there perhaps already a solution for this topic?

Doing it via mhttpd seems like the best approach. Please post back when you get it working - I would also like this capability.

Regards,
Bob Gregory
Re: [leaf-user] [OT] Windows 2003 SBS behind leaf router
> Gordon writes:
>
> ...If you run Windows 2003 Server as a domain-controller for Windows XP or Vista workstations then the Windows 2003 server *has* to be the DNS server and possibly DHCP as well...

True, but the fact is that if you run Windows 2003 *SBS* (Small Business Server) *at all*, then it *must* be the primary domain controller for your one (and only) Windows domain. Otherwise it's not "SBS": you can't use SQL Server, Exchange, SharePoint, etc.

Running an SBS network behind a leaf/bering firewall is a great idea, and easy to do without changing the standard SBS configuration in any way.

~Bob
Re: [leaf-user] [OT] Windows 2003 SBS behind leaf router
Boris,

Apologies for top-posting, but I can't see how to respond piecemeal.

I run SBS2003 behind a LEAF bering firewall but my setup is different: Two NICs on the SBS server and the SBS manages an interior "Windoze" network (for example 192.168.0.0) to which it serves DHCPD, DNS - everything configured using the SBS wizards as if the upstream interface were connected directly to the public Internet. SBS works best when you use its wizards and don't tinker around with individual service configurations. Otherwise you really need to understand how things interoperate with AD, Remote Access, etc.

The SBS upstream interface is on a separate private network (192.168.1.0 for example) that is managed by the LEAF bering firewall (two NICs). The bering upstream is a public IP from my ISP. The bering box serves dhcpd and dns to the intermediate network. The SBS upstream has a static address on this network and the gateway and DNS point to the bering box. SBS is configured to forward all DNS queries not resolved internally to the bering box just as you might do to an ISP's DNS server if the bering firewall and intervening network weren't in the path.

There are a few internal linux servers and workstations on the .1 network (inside the bering firewall but outside of the SBS network) and various other things which don't affect the topology.

Yes, there are two layers of NAT for clients connecting to external sites from inside the SBS network. I've never had any problems resulting from this for over 5 years now. It's an office network which I designed and continue to manage and it has been extremely stable and trouble free.

The main benefit of this design is that both the LEAF bering firewall and the SBS 2003 begin life with very simple "stock" configurations. It is easy to tweak to get something like SBS "Remote Web Workplace" (a very useful feature, IMO) or Remote Access (RAS, a VPN server) working from the Internet by configuring DNAT rules (I use shorewall) for the various ports and protocols (all are documented and easily found). The SBS server need not be bogged down running advanced or third party firewall solutions and there is less exposure to various Micro$oft security risks.

The SBS environment (and M$ server stuff generally) has extensions and dependencies among DHCPD, AD, DNS, RAS. The best way I've found to avoid these pitfalls is to isolate the Windows environment.

[Internet]--firewall--["dmz" net]--SBS--[Windows net]

Hope this is helpful,
~Bob

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:leaf-user-[EMAIL PROTECTED] On Behalf Of Boris
> Sent: Thursday, September 04, 2008 1:25 PM
> To: leaf-user@lists.sourceforge.net
> Subject: [leaf-user] [OT] Windows 2003 SBS behind leaf router
>
> Hej all,
>
> I'm sorry to annoy you with that off-topic theme, but I'm quite sure there is somebody with the right knowledge on this list because the setup is quite common and I'm hoping strongly for help. Here's the story:
>
> I have a small network connected to the web with a Bering uClibc that works as dhcpd and of course dns server. Center of the network is a Windows 2003 SmallBusinessServer as domain-controller, file-, print-, and MSSQL-server. The network is slow and I get a lot of serious errors in the event-logs that seem to cause the bad performance:
>
> event-id 4004: The DNS server was unable to complete directory service enumeration of zone .. This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and repeat enumeration of the zone. The event data contains the error.
>
> event-id 4015: The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The event data contains the error.
>
> I agree my question is quite flat but it is simple: What should I look for and what can I do?
>
> My own brain puts out something like this:
>
> - I don't want to make the windows server dhcpd.
>
> - afaik Windows Active Directory needs the own DNS-Service, so it's impossible to deactivate it.
>
> - Could the problem be solved through building something like a dns-cascade (windows-server asks bering-box -> bering-box asks windows-server). How can I do something like this?
>
> Thanks a lot for your ideas!
>
> Boris
[...snip...]
Re: [leaf-user] ALIX board
> -----Original Message-----
> From: ... Martin Hejl ...
>
> Hi Erich,
>
> > > Pascal Dornier from PC Engines says he will prepare some DOS sample code - if someone wants to try to implement a watchdog for ALIX.
> >
> > I doubt this would help much, it might be better to port back the 2.6 code.
>
> Indeed it would, if somebody were willing to port the driver.
>
> But in all honesty, I don't see the need (which is why I won't volunteer for the job) - I don't recall the last time that a leaf box locked up hard
[...snip...]

Martin,

If the ALIX is like the (now obsolete) PC Engines WRAP, isn't a watchdog driver needed for software reboot? Otherwise, I recall the only way to restart one was to power cycle the box (not so handy for remote admin). My Wrap box has a watchdog so I can't confirm this but my recollection is that without the watchdog driver "reboot" == "halt".

-Bob
Re: [leaf-user] Need to block IP's from spamers...
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:leaf-user-[EMAIL PROTECTED] On Behalf Of Gordon Bos
> Sent: Wednesday, January 09, 2008 10:17 AM
> To: Michelle Konzack
> Cc: leaf-user
> Subject: Re: [leaf-user] Need to block IP's from spamers...
>
> You might want to look at another project: ASSP http://assp.sourceforge.net/
>
> This is a spam filter that blocks at the SMTP level, essentially catching the spammer in the act. Since it immediately drops the connection it also prevents the spammer from sending several emails at once. It even includes a tarpit function in case the spammer tries to reconnect and send additional spam. How cool is that?
>
> Gordon

I'll second that. I've used ASSP for years now and like it a lot. It is incredibly tweakable, which does make the learning curve a bit steep. As with LEAF, expect to invest time up front in exchange for minimal attention to ongoing maintenance.

I agree with Gordon that a filter that drops incoming connections in progress is what you need. ASSP does this. My server rejects over 90% of external incoming messages according to the stats. My volume of incoming connections is an order of magnitude lower (less than 4000 per day) but I'm running ASSP on an old 1 GHz Celeron (Centos 4) along with sendmail and dovecot (imap & pop). ASSP averages under 4% CPU utilization.

-Bob Gregory

> Michelle Konzack wrote:
> > Hello,
> >
> > I am running a 3.5 MBit SDSL from <http://www.nerim.net/> and have a @home Mailserver which is currently (since 2007-12-17) hit by daily several 100.000 spams (2-5 times 30-120 minutes) from over 2000 different IP's.
> >
> > My mailserver is rejecting this shit nearly perfect but the server has a System- and CPU-load of nearly 100% which make the IMAP server unusable and since the server does automated mailprocessing (40.000 per day) I hit a real problem.
> >
> > Now, since most senders (over 90%) have wrong reverse DNS I like to know, whether there is a possibility to block such connections on the router with iptables and helpers?
> >
> > Thanks, Greetings and nice Day
> > Michelle Konzack
> > Systemadministrator
> > Tamay Dogan Network
> > Debian GNU/Linux Consultant
..snip...
Re: [leaf-user] Help diagnosing heartbeat errors, please!
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:leaf-user-[EMAIL PROTECTED] On Behalf Of Bob Coffman - Info From Data Corp.
> Sent: Friday, December 14, 2007 11:23 AM
> To: 'LEAF User'
> Subject: Re: [leaf-user] Help diagnosing heartbeat errors, please!
>
> > FS108 8 port SWITCH for less than a UPS would cost
>
> Yes do that. In fact, if its not too much bother, I personally would get rid of the other hub too, but if it remains where it is there should be no problems.
>
> > How would I track down a bad NIC?
>
> Swap the cable, and connect a switch on ETH1 temporarily. Reboot Bering to reset the stats on the card (or do it through software if you can) and use the connection for a while to see what you get. With the number of errors you are getting it should be obvious fairly quickly.

I'll second that. Better to get rid of all the old hubs. An FS108 is about USD 40 and the FS105 is ~ USD 25.

Cheers,
-Bob
Re: [leaf-user] Maximum number of wifi connections
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:leaf-user-[EMAIL PROTECTED] On Behalf Of Stephen Lee
> Sent: Friday, December 07, 2007 4:00 PM
> To: Leaf-user
> Subject: [leaf-user] Maximum number of wifi connections
>
> Hi,
>
> I need to build a network that can handle roughly 850 802.11b wifi devices. Each device sends very little traffic ...

I'm curious to hear more... what's the application? And why is the "network" constrained to one AP?

-Bob Gregory
Re: [leaf-user] Automatic failover
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:leaf-user-[EMAIL PROTECTED] On Behalf Of Bob Coffman - Info From Data Corp.
> Sent: Monday, December 03, 2007 1:14 PM
> To: 'Leaf-User (E-mail)'
> Subject: [leaf-user] Automatic failover
>
> Are there instructions somewhere for a uClibc Leaf router to fail over its internet connection if the primary link goes down? Or can this be done with a couple of simple scripts?
>
> Thanks -
>
> Bob Coffman

I'm also interested in a solution like this.

Regards,
Bob Gregory
[leaf-user] can spoofprotect=yes explain a dhcp client problem?
Hello all,

After many frustrating hours I finally got my LEAF uClib3.0beta1 (an old 3 interface WRAP box) running again. It's a home router on a cable modem. It started failing to acquire an address on the upstream side via dhcp and I couldn't remember everything I'd changed in the last day or two. I changed spoofprotect in /etc/network/options from yes (the default on most boxen I've touched) to no and now it works fine. I was seeing messages in the log from dhcpd-bin about martians but I didn't copy them and they are lost. I'm groggy enough to be unsure whether that's all I changed to get it working and also wary of hosing this again to find out.

My questions are (1) is this a plausible cause, or is it more likely that I'm confused? (2) since I'm running shorewall and the upstream interface settings are dhcp,routefilter,nosmurfs,norfc1918,logmartians does it matter if spoofprotect=no in /etc/network/options?

Cheers,
-Bob
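An added example (not from the post above) for the next time those martian messages appear: a small script that summarises the kernel's "martian source" log lines per interface, so you can see whether the rejected packets are the upstream DHCP replies, and that reports the rp_filter setting which spoofprotect=yes in /etc/network/options turns on. The log lines in SAMPLE_LOG are constructed for illustration; only the kernel's message format ("martian source <dst> from <src>, on dev <if>") is real.

```shell
#!/bin/sh
# Added example: summarise kernel "martian source" lines and show rp_filter.
# SAMPLE_LOG is constructed; the message format is the Linux kernel's.
set -eu

SAMPLE_LOG='Nov  3 08:12:01 wrap kernel: martian source 255.255.255.255 from 10.20.0.1, on dev eth0
Nov  3 08:12:01 wrap kernel: ll header: ff:ff:ff:ff:ff:ff:00:11:22:33:44:55:08:00
Nov  3 08:12:05 wrap kernel: martian source 255.255.255.255 from 10.20.0.1, on dev eth0
Nov  3 08:12:05 wrap kernel: ll header: ff:ff:ff:ff:ff:ff:00:11:22:33:44:55:08:00
Nov  3 08:13:40 wrap kernel: martian source 192.168.1.1 from 192.168.1.99, on dev eth1
Nov  3 08:13:41 wrap udhcpc[412]: Sending discover...'

# Read syslog text on stdin; print one line per distinct martian tuple as
# "<dev> <src> <dst> <count>". A broadcast destination (255.255.255.255)
# from the ISP's DHCP server on the upstream interface is the DHCP reply
# case; anything else is worth a closer look as a real spoofing attempt.
summarise_martians() {
    sed -n 's/.*martian source \([^ ]*\) from \([^,]*\), on dev \([^ ]*\).*/\3 \2 \1/p' \
        | sort | uniq -c | awk '{ print $2, $3, $4, $1 }'
}

# Print the current rp_filter value for interface $1, or "n/a" when the
# sysctl cannot be read (not Linux, or no such interface). 1 is strict
# reverse-path filtering (what spoofprotect=yes sets on every interface);
# 0 means the kernel does no reverse-path check on that interface.
rp_filter_state() {
    f="/proc/sys/net/ipv4/conf/$1/rp_filter"
    if [ -r "$f" ]; then cat "$f"; else echo "n/a"; fi
}

# Demonstration on the constructed log.
printf '%s\n' "$SAMPLE_LOG" | summarise_martians
echo "rp_filter on eth0: $(rp_filter_state eth0)"
```

On a real box, feed it the kernel log instead of SAMPLE_LOG, e.g. `summarise_martians < /var/log/messages`.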
Re: [leaf-user] The old floppy question
> -----Original Message-----
> Sent: Wednesday, July 18, 2007 6:29 PM
> To: leaf-user@lists.sourceforge.net
> Subject: Re: [leaf-user] The old floppy question
>
> > Lets make a poll to find out how many of us are booting bering from a floppy and decide from there.
>
> I still favor & use Bering 1.2 floppies. I like the security of the write-protect slider. And part of the idea about Linux, and Bering firewalls in particular, is repurposing old hardware for a new & useful task. It's not so hard to find boxes of an appropriate horsepower for the task that came with floppies.

My production firewall boxen are still running off diskettes. The downside compared with a CF/IDE box I use for testing is (1) slower boot and (2) limited space for packages. But as long as the required packages fit on a diskette, this is just not an issue for a firewall that reboots maybe a couple of times a year.

I have access to a virtually unlimited supply of P3 desktops with diskette drives. These have plenty of horsepower for a firewall. My production setup has an identical spare sitting on top of the running firewall with a copy of the diskette in the drive and instructions to move the Ethernet cables and power cord to the spare should anything happen. There is no display, no keyboard, no mouse and the IDE disk is disconnected. The BIOS is configured to boot whenever power is restored. This provides a very high level of redundancy, essentially at no cost.

There are many other ways to achieve this. But this solution is so simple and straightforward to understand and implement that I can see no reason to change. I believe diskette based LEAF routers will live a long life because once you get one set up and configured there is rarely a good reason to mess with it unless something breaks or until the needs change.

Bottom line: "If it ain't broke, don't fix it".

Cheers,
-Bob
Re: [leaf-user] ftp server
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:leaf-user-[EMAIL PROTECTED] On Behalf Of C.Dummy
> Sent: Wednesday, June 13, 2007 9:22 AM
> To: leaf-user@lists.sourceforge.net
> Subject: [leaf-user] ftp server
>
> Hello. I'm running single floppy Bering-u 3.0 distro. I'm thinking about adding small HDD and setting up ftp server on Bering box. I'd like to have this server on demand so I can start or stop server any time I want. Can this be done? Are there any docs or guide about that? What server would be the best to do that? Tftpd, vsftpd? Thanks for great distro and help.
>
> Andrey
> [.snip.]

If the BUC is the fw/router I wouldn't run an FTP server or other services unrelated to that function. I would run an FTP server on some system inside the firewall (local or dmz network) and control it at the BUC. If you want to turn it off & on it would be simple to block/allow that FTP traffic at the firewall. Likewise to allow/deny FTP from/to specific hosts or networks.

Cheers,
-Bob
Re: [leaf-user] Problem with Writing Shorewall Rule from DMZ to DMZ?
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:leaf-user-[EMAIL PROTECTED] On Behalf Of Kwon
> Sent: Tuesday, April 17, 2007 5:41 AM
> To: leaf-user@lists.sourceforge.net
> Subject: Re: [leaf-user] Problem with Writing Shorewall Rule from DMZ to DMZ?
>
> > It's kind of hard to say exactly what rule you need without more info, but it looks like you're trying to talk to the mail server using the public IP of your firewall. If you want this to work, you'll have to craft a shorewall rule that allows DMZ -> firewall traffic on port 25, and you may have to craft some custom tweaks, as well (looping through the firewall and back to the same network is not usually done, and since I haven't personally done this, I can't tell you exactly what rule(s) you might need).
>
> You have described my problem precisely! Currently I have a rule:
>
> DNAT net dmz:192.168.73.76 tcp 25,80,110,143,443 - $IP_QC
>
> allow net traffic to the dmz. But this rule does not allow traffic from dmz -> firewall -> DNAT -> dmz?
>
> > I'd personally recommend you configure your asterisk box to talk to the private IP of the gentoo mail server directly, rather than try to relay traffic through the firewall, which is inefficient and may require custom tweaks.
>
> I am trying to do that at the moment; but the Trixbox/Asterisk box use sendmail, and the following rule in /etc/mail/sendmail.rc:
>
> define(`SMART_HOST',`192.168.73.76')
>
> may or may not work? I use Postfix mostly and not sure if the above works? I will ask in another mailing list.

That rule tells the sendmail on your Asterisk box to relay everything which is not local to 192.168.73.76. That should do what you want, as long as the MTA running on your mail server is configured to relay mail from any host on your internal network (a typical configuration).

For that change to have an effect, follow the instructions in the comments at the beginning of sendmail.rc. You need to compile sendmail.rc to generate sendmail.cf which is the configuration file used by the sendmail daemon. Sendmail.rc is the "source" file containing macros that are expanded by m4 to generate sendmail.cf. Then reload or restart your sendmail and send a test message somewhere.

-Bob Gregory
Re: [leaf-user] Bering uClibc 3.0-beta1 : is webconf / Backup Packages broken?
-----Original Message-----
From: Eric Spakman [mailto:[EMAIL PROTECTED]

> Hi Bob,
>
> > I've been testing & configuring BU2.x on a WRAP box for a couple of weeks and decided to start fresh with BU3.0. After a day of struggling I'm running again. The new backup works fine from a shell, but webconf Backup Packages is broken. That link now generates:
> >
> > bin/sh: /tmp/7e6c44ee011a.vars: 18: mount.back: not found Could not mount backup device.
> >
> > Should the webconf Backup script be working or did I break it somehow?
>
> That's a known error and it will hopefully be solved in the next beta. For the time being just use the shell backup.

Thanks, that's a relief. Thought I messed something up getting this to boot.

So far BU3.0 is good on the WRAP box. To get it up I extracted the 3.0 floppy image and copied everything to a dos formatted (and syslinuxed) CF card with a windoze box. Then I replaced the initrd.lrp with initrd_ide.lrp from the CD iso. Other steps included editing syslinux.cfg to use the serial console and the final step was extracting inittab from leaf.lrp, commenting out the usual gettys and uncommenting the serial getty and rebuilding leaf.lrp (using a linux box). It is bootable at that point and from there loading modules for the network devices and other necessary configuration can be done from the serial console on the WRAP box.

It seemed like a lot of bother but educational at any rate. If there's an easier way to get going on a WRAP box from scratch I'd like to hear about it.

Today I noticed "wrap1c.o" in the root of the modules archive. What is that? Something needed or useful to get BU on WRAP?

Cheers,
-Bob
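The inittab step described above (pull etc/inittab out of leaf.lrp, comment out the console gettys, enable the serial getty, rebuild the package) as a script. This is an added example, not code from the post or from the LEAF project; it relies on a .lrp being a gzipped tar of files relative to /, and rather than touching a real package it builds a constructed sample leaf.lrp with a small busybox-style inittab.

```shell
#!/bin/sh
# Added example: switch a leaf.lrp package to a serial console.
# A .lrp is a gzipped tar relative to /; we unpack, edit etc/inittab, repack.
# The inittab built below is constructed for illustration; its
# id:runlevels:action:process line format follows busybox init.
set -eu

# Build a constructed leaf.lrp under directory $1 and print its path.
make_sample_lrp() {
    dir=$1
    mkdir -p "$dir/src/etc"
    cat > "$dir/src/etc/inittab" <<'EOF'
::sysinit:/etc/init.d/rcS
tty1::respawn:/sbin/getty 38400 tty1
tty2::respawn:/sbin/getty 38400 tty2
#ttyS0::respawn:/sbin/getty -L 9600 ttyS0 vt100
#ttyS1::respawn:/sbin/getty -L 9600 ttyS1 vt100
::ctrlaltdel:/sbin/reboot
EOF
    tar -czf "$dir/leaf.lrp" -C "$dir/src" .
    rm -rf "$dir/src"
    echo "$dir/leaf.lrp"
}

# Print the ids of the gettys that are enabled in etc/inittab of package $1.
active_gettys() {
    tmp=$(mktemp -d)
    tar -xzf "$1" -C "$tmp"
    grep -E '^[^#][^:]*::respawn:.*getty' "$tmp/etc/inittab" | cut -d: -f1
    rm -rf "$tmp"
}

# Comment out the VGA console gettys (tty1, tty2, ...) in etc/inittab of
# package $1, enable the getty on serial line $2 (e.g. ttyS0) and rebuild
# the package in place, keeping the original as $1.orig. Refuses to guess a
# baud rate: if inittab has no (commented) entry for $2 it fails instead.
switch_to_serial_console() {
    lrp=$1; serial=$2
    tmp=$(mktemp -d)
    tar -xzf "$lrp" -C "$tmp"
    if ! grep -qE "^#?$serial:" "$tmp/etc/inittab"; then
        echo "etc/inittab has no getty entry for $serial; add one by hand" >&2
        rm -rf "$tmp"
        return 1
    fi
    sed -e 's|^tty[0-9]|#&|' -e "s|^#$serial:|$serial:|" \
        "$tmp/etc/inittab" > "$tmp/etc/inittab.new"
    mv "$tmp/etc/inittab.new" "$tmp/etc/inittab"
    cp "$lrp" "$lrp.orig"
    tar -czf "$lrp" -C "$tmp" .
    rm -rf "$tmp"
}

# Demonstration on the constructed package.
demo_dir=$(mktemp -d)
demo_lrp=$(make_sample_lrp "$demo_dir")
echo "gettys before: $(active_gettys "$demo_lrp" | tr '\n' ' ')"
switch_to_serial_console "$demo_lrp" ttyS0
echo "gettys after:  $(active_gettys "$demo_lrp" | tr '\n' ' ')"
rm -rf "$demo_dir"
```

For a real card, copy leaf.lrp off the CF card, run `switch_to_serial_console /path/to/leaf.lrp ttyS0` on the linux box, check `active_gettys` shows only the serial line, and copy it back.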
[leaf-user] Bering uClibc 3.0-beta1 : is webconf / Backup Packages broken?
I've been testing & configuring BU2.x on a WRAP box for a couple of weeks and decided to start fresh with BU3.0. After a day of struggling I'm running again. The new backup works fine from a shell, but webconf Backup Packages is broken. That link now generates:

bin/sh: /tmp/7e6c44ee011a.vars: 18: mount.back: not found
Could not mount backup device.

Should the webconf Backup script be working or did I break it somehow?

TIA for any clues,
-Bob