[leaf-user] RE: Bering1.0-stable Problem with 2.4.20 on net4501 (Steve Bihari)

2003-02-11 Thread Chad Carr
 Well who would of thunk ?!  
 
 Downgrading to 2.4.18-14 (stock RHAT 8.0 kernel) fixed it. 
 
 I feel so much better.

Man, are you sure you are using modules that _perfectly_ match the
kernel you are booting?  I am quite sure there is something about the
natsemi driver in particular that makes it intolerant to being used on
different kernels.  Maybe search back through the archives of this
list.  I am fairly certain that this subject is the first one I posted
to this list when I got my soekris.

-- 
---
Chad Carr [EMAIL PROTECTED]
---



---
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html



Re: [leaf-user] More Bering IPSec questions ...

2003-02-10 Thread Chad Carr
  However, I have changed /etc/network/options, and changed spoofprotect
  to no. Doesn't that turn off route filtering?
 
  It's set in shorewall configuration (interfaces(?)).
 
 I thought it might, but the Bering docs indicate otherwise - that the
 easiest way is by changing /etc/network/options.

Trust but verify.  There has been a new release of shorewall on bering
since I last touched or tested that doc.  It could be that it is
overriding the setting I recommended.  Also, I have found that it really
only matters in quite strange tunneling setups (like I was using at the
time).  It could pay to understand what reverse path filtering actually
does:

If the packet comes in from a given source ip address on an interface
that would not be used to send a packet to that address, the packet is
dropped if rp_filter is set on the interface OR if it is set on all
interfaces.

Example from Mobile IP:

A foreign agent receives traffic on an ipip tunnel interface (tunl0) for
delivery to a mobile node in his visitor list.  The source address is
someone on the internet (say, www.yahoo.com).  If he were to send a
packet to www.yahoo.com, it would be sent through eth0, his default
route.

rp_filter will drop this packet (in an excruciatingly silent manner)
because it was received on tunl0 (when de-tunneled), but traffic sent to
that host would be sent through eth0.  That is what rp_filter means.

In practice, with ipsec, if you are using the %defaultroute command in
ipsec.conf, you will probably not really need rp_filter disabled because
all traffic coming in on the ipsecN interface will also be routed back
out the same ipsec interface it came in on.

There you go.

-- 
---
Chad Carr [EMAIL PROTECTED]
---






[leaf-user] distribution for flash + 2.4.20 + iptables (no shorewall)

2003-01-29 Thread Chad Carr
On Tue, 28 Jan 2003 20:16:13 -0800
[EMAIL PROTECTED] wrote:

 Message: 3
 From: Peter Mueller [EMAIL PROTECTED]
 To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
 Date: Tue, 28 Jan 2003 18:35:03 -0800
 Subject: [leaf-user] distribution for flash + 2.4.20 + iptables (no shorewall)
 
 Hi gang,
 
 What would be the best distribution to use on a flash + 2.4.x system? 
 I like Bering, but I am going to be setting up linux routers with BGP
 so I don't want to experiment with learning shorewall on these
 systems.  Space is not an issue as I have 256-mb flash cards.
 

I have a make-driven system to customize the Bering floppies for a
bootable cf image.  It is not quite ready for prime-time, but email me
off list if you are interested and I will send it to get you started.

-- 
---
Chad Carr [EMAIL PROTECTED]
---





[leaf-user] [ leaf-Support Requests-675725 ] IPSEC error messages (SourceForge.net)

2003-01-28 Thread Chad Carr
 Initial Comment:
 I'm using the uclibc version of Bering (1.0.2) and am 
 attempting to use ipsec.  I've downloaded ipsec.o from 
 http://leaf.sourceforge.net/devel/jnilo/bering/latest/modules/2.4.18/kernel/net/ipsec
 and placed it into the /lib/modules directory.  I've modified /etc/modules to 
 load the module on startup.  When the system boots I 
 receive three errors as follows:
 /sbin/ipsec: /lib/ipsec/eroute : not found
 /sbin/ipsec: /lib/ipsec/spi : not found
 /sbin/ipsec: /lib/ipsec/tncfg : not found

snip 

--
 
 Comment By: Lynn Avants (guitarlynn)
 Date: 2003-01-27 17:07
 
 Message:
 Logged In: YES 
 user_id=176069
 
 Ipsec that you are using is compiled with glibc-2.0.7 instead
 of uClibc, thus the lib errors. You can use an ipsec package
 if one is available in the uClibc cvs area of the LEAF site or
 compile your own with uClibc. There are many script changes 
 to the ipsec package, so if you compile your own, you will 
 probably want to change out the old libs with the freshly
 compiled ones.
 
 ~Lynn Avants

If you wish to package ipsec or ipsec509 for uClibc bering, I have a
little development environment to do so that you might be interested in.
It is still a little hairier than I would like due to lack of time, but
contact me off list if you are interested.

-- 
---
Chad Carr [EMAIL PROTECTED]
---





Re: [leaf-user] Super-Freeswan and Bering user mode app compiler

2002-12-05 Thread Chad Carr
 Message: 6
 From: Mike North [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Date: Thu, 05 Dec 2002 00:24:12 +0200
 Subject: [leaf-user] Super-Freeswan and Bering user mode app compiler
 
 
 Hi,
 
 I sent a question about compiling Super-Freeswan user mode
 application for Bering into Freeswan mailing list. Then I found
 this LEAF mailing list and I think that this is better place
 for the question.

Good job sending it here.  I am working on it.  I have attempted to
apply the alg patches and tried to compile them.  Same errors as
yourself.  I am currently trying to come up with a better solution to
the problem than hacking the code to make it compile (as we did with the
x509 patch), since the maintenance problem is forever.


-- 
---
Chad Carr [EMAIL PROTECTED]
---





Re: [leaf-user] netfiltering in user space.

2002-12-03 Thread Chad Carr
 Message: 10
 From: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Date: Mon, 2 Dec 2002 09:31:59 -0600
 Subject: [leaf-user] netfiltering in user space.
 
 
 
 There is a lot of allusion to iptables allowing you to do some
 filtering in user space, but I can't seem to get started.
 Like how to specify the target and to reject, accept. etc.
 
 I DO NOT want a complex solution like Snort or a proxy, I just want
 to see certain packets, and make a simple decision.
 
 Can someone point me how to get started on this?

Under Debian I did apt-get install iptables-dev.  Then do man libipq to
get started.

The target will be QUEUE.  You must write a userspace program to receive
the packets, rules to direct the packets you desire to target QUEUE, and
finally, set the verdict on the packet to DROP or ACCEPT.

There is also a perl interface to libipq.  Depending on how far you need
to peek into the packet, it may not be suitable for production use.

I have some source code if you need it.  I don't have it right here but
can get it to you tomorrow.

-- 
---
Chad Carr [EMAIL PROTECTED]
---





[leaf-user] Re: leaf-user digest, Vol 1 #1391 - 8 msgs

2002-11-22 Thread Chad Carr
 
 I believe this is your problem.
 
 Yeah, that seemed the most obvious reason to me too but I have turned this 
 off both ways and it does not fix the problem. I do recall seeing a similar 
 message displayed with a subnet-to-subnet tunnel that I ran between two 
 Dachstein boxes and it did work, so I think this error message may be a 
 hangover from the way Shorewall enables the connection.

When you understand what the rp_filter option means, it becomes easier to say whether 
or not it will affect your setup.  In general, if you are using %defaultroute as the 
interface, it will likely not hurt if it is turned on.  This is because the rp_filter 
option tells the kernel _not_ to accept packets from a given source address on a given 
interface if it would not use that interface to send a packet back to that source 
address.  e.g. you have an interface directly connected to the 192.168.2.0/24 network, 
and receive a tunneled packet from an address on the 192.168.1.0/24 net.

If the option is turned off properly, you will not get the error message from 
freeswan.  Also, I just realized that I forgot to put backup and reboot after 
changing the /etc/network/options file.

If you are unable to get it working after that measure, follow this link to enable 
debugging on the Windows side.  There don't seem to be any more problems on the 
freeswan side. http://www.ntfaq.com/Articles/Index.cfm?ArticleID=15321

Thanks,
Chad Carr





Re: [leaf-user] X.509 certificates

2002-11-06 Thread Chad Carr
On Wed, 06 Nov 2002 12:18:12 -0800
[EMAIL PROTECTED] wrote:

 Message: 9
 From: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Date: Wed, 6 Nov 2002 14:19:13 -0600
 Subject: [leaf-user] X.509 certificates
 
 
 
 Anyone using X.509 ?

Yes.  Not in a production environment, but yes.

 I have some questions.
 
 Is it like RSA ,  a public and private key pair?

Yes, basically.  Generally, the public/private key pair is contained, along with the 
public key of the signing authority, in a package commonly called a certificate.

 Does the patch include a key generation utility?

The regular openssl utility is used for this.  There is no userspace material that 
comes with the X.509 patch.

 Does the patch build smoothly?

Yes.  A little trouble on glibc 2.0, but if you needed the patches, you can get them 
from me or Jacques.

 Are the keys inserted in ipsec.conf and ipsec.secrets?

Yes.  See

http://leaf.sourceforge.net/devel/jnilo/buipsec.html#AEN1466

for more details on this.

 Does the patch appear to be solid?

Yes.

 Is it gonna work with WinXP's ipsec client?

Yes.  That is one of the main reasons for using it rather than RSA keypairs.  There 
are others as well.

 Thanks.

HTH





Re: [leaf-user] ipsec and static nat problem

2002-10-01 Thread Chad Carr

On Tue, 1 Oct 2002 13:09:36 +0200
Tomaso Scarsi [EMAIL PROTECTED] wrote:

 
 anyone can help me?
 

Please post your ipsec.conf and ipsec.secrets files.  Also send the output
of ip addr and ip route.  We will get into barf if we have to. 

-- 

Chad Carr  [EMAIL PROTECTED]






Re: [leaf-user] trouble with ipip encapsulation tunnels (well, unexpected behavior, really)

2002-10-01 Thread Chad Carr

Thanks to everyone who helped me out with this, both on and off list.  I
am posting a follow-up since I finally got it worked out yesterday.

Here is a re-posting of the clarified version of the problem:

On Sun, 29 Sep 2002 14:05:44 -0700
Chad Carr [EMAIL PROTECTED] wrote:
 
 Thanks very much for your patience.  This diagram is trying to detail
 something that doesn't happen usually in nature, which is the existence
 of a mobile node on the wrong subnet, with two computers in
 cooperation(home agent and foreign agent) attempting to get packets to
 it.
 
 
 I'll try again:
 
   172.24.8.1/24                              172.24.20.1/22
   ________              ________              __________
  | switch |------------| router |------------|  switch  |
  |________|            |________|            |__________|
       |                                       |      |
   ____|_______                ________________|_     |______________
  |            |              |                  |    |              |
  | home agent |              |  foreign agent   |    |  mobile node |
  |____________|              |__________________|    |______________|
   172.24.8.99/24             172.24.20.104/22        172.24.8.24/24
 
 All links are CAT5 ethernet.  Home agent, foreign agent and mobile node
 are each separate, regular PC hosts with one NIC (eth0) and one IP
 address each.
 
 The titles home agent and foreign agent are simply relative to the
 mobile node.  The home agent catches packets destined for the mobile
 node (via proxy arp), tunnels them through the router to the foreign
 agent, who has agreed to detunnel them and deliver them (via the mobile
 node's known _hardware_ address) to the mobile node.  The mobile node
 really belongs on the same network as the home agent.  The foreign
 agent is not a bridge - it knows the ethernet address of the mobile node
 and has a host route to it that indicates that it is on the same link
 (see below).
 
 The IP-in-IP tunnel is between the home agent and the foreign agent.  I
 have verified that the packets routing between them are properly formed
 and have correct checksums in all the right places.
 
 I have verified that the foreign agent is receiving the tunneled packet
 on eth0 by logging all packets seen on PREROUTING and INPUT using the
 following rules:
 
 iptables -A PREROUTING -t mangle -j LOG
 iptables -A INPUT  -t mangle -j LOG
 
 I also see the de-tunneled packet arriving on tunl0 via the PREROUTING
 chain.  I have also added the following rule to track packets on the
 FORWARD chain, which is where I think the de-tunneled packet should go
 next.
 
 iptables -F FORWARD   -t mangle -j LOG
 
 I see nothing.  I am sorry I do not have the logs at home.  I can send
 them on Monday.  The following are reconstructions of the setup on the
 foreign agent to the best of my memory.
 
snip; for brevity
 
 The packet and byte count increment properly when packets are received. 
 The byte count increases by the size of the _inner_ packet.
 

Two things were eluding me, which I had tried independently, but not
together until yesterday.

1) Netfilter does not like receiving ip packets from interfaces that do
not have any ip address configured.  Although I had shown this...

 19: tunl0@NONE: NOARP mtu 1480 qdisc noop
 link/ipip 0.0.0.0 brd 0.0.0.0
 inet 172.24.8.104/32 scope global tunl0

as the output of ip addr, it was something that I was playing with at the
time, and apparently did not have set when I tried number 2 below.  It
shows the value of using make as a system integration tool, if simply for
repeatability purposes.  If I had been using make, I wouldn't have
overlooked setting the ip address of the device, ever!

2) Linux, by defaults set in Debian (and therefore Bering), does not like
receiving ip packets from a given source address on an interface that it
would not choose for sending to that address.  E.g. I was receiving
packets from the home agent on tunl0, but if I had to send to him, I would
have chosen eth0 to do so.  See routing table:

 172.24.8.24 dev eth0  scope link 
 172.24.20.0/22 dev eth0  proto kernel  scope link  src 172.24.20.104
 default via 172.24.20.1 dev eth0

If I were using the mobile ip concept called reverse tunneling, which
basically uses the source address to choose the tunnel device and gateway
for routing the outbound packets, I probably would not have seen this
problem.  In mobile ip, the default behavior is that outbound packets
(from the mobile node) are routed normally, while inbound packets (to the
mobile node) are routed in triangular fashion, through the home agent,
tunneled to the foreign agent, then detunneled and delivered on the last
hop by the foreign agent.  I was doing the default behavior, so packets
destined to the home agent would have chosen the default route on eth0 and
been delivered to the gateway, but tunneled packets coming from the home
agent were arriving on the tunl0 interface.

I had to set /proc/sys/net/ipv4/conf/*/rp_filter off by modifying
spoofprotect
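
The reverse-path check behind point 2 (and defined in general terms in the 2003-02-10 reply earlier on this page) can be modelled directly.  The following is an added illustration, not code from the list or from LEAF/Bering: the routing table is the foreign agent's as posted in this thread, while the packets, the sysctl values and the ipsec routes are constructed for the example.

```python
"""Model of the Linux 2.4 rp_filter decision for the foreign-agent setup in this thread.

Added illustration, not code from the list or from LEAF/Bering.  The routing table is
the foreign agent's as posted; the packets, sysctl values and the ipsec routes are
constructed for the example.
"""
import ipaddress

# `ip route sh` on the foreign agent, as posted in the thread:
#   172.24.8.24 dev eth0  scope link
#   172.24.20.0/22 dev eth0  proto kernel  scope link  src 172.24.20.104
#   default via 172.24.20.1 dev eth0
FOREIGN_AGENT_ROUTES = [
    ("172.24.8.24/32", "eth0"),
    ("172.24.20.0/22", "eth0"),
    ("0.0.0.0/0", "eth0"),
]

HOME_AGENT = "172.24.8.99"       # tunnelled packets arrive from here, on tunl0
SPOOFPROTECT_ON = {"all": 1}     # constructed: Debian spoofprotect=yes sets conf/all/rp_filter
SPOOFPROTECT_OFF = {"all": 0, "tunl0": 0}


def output_interface(dst, routes):
    """Longest-prefix match: the interface the kernel would choose to send to dst."""
    addr = ipaddress.ip_address(dst)
    best_net, best_dev = None, None
    for prefix, dev in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_dev = net, dev
    return best_dev


def rp_filter_verdict(src, in_dev, sysctl, routes):
    """Accept or drop a packet from src that arrived on in_dev.

    sysctl maps the /proc/sys/net/ipv4/conf/<name>/rp_filter entries to 0 or 1.
    As described in the thread, the check applies when rp_filter is set on the
    receiving interface OR on 'all'; the packet is then dropped if the reverse
    route for src would not leave through in_dev.  The drop produces no log
    line unless log_martians is also enabled, which is why it looks silent.
    """
    if not (sysctl.get("all", 0) or sysctl.get(in_dev, 0)):
        return "accept"
    return "accept" if output_interface(src, routes) == in_dev else "drop"


def scenarios():
    """Verdicts for the cases discussed in the thread, keyed by name."""
    # 1. As posted: a reply to the home agent would leave via eth0 (default route),
    #    but the de-tunnelled packet arrived on tunl0, so rp_filter drops it.
    silent_drop = rp_filter_verdict(HOME_AGENT, "tunl0", SPOOFPROTECT_ON, FOREIGN_AGENT_ROUTES)
    # 2. The fix used in the thread: spoofprotect off, rp_filter disabled.
    fixed = rp_filter_verdict(HOME_AGENT, "tunl0", SPOOFPROTECT_OFF, FOREIGN_AGENT_ROUTES)
    # 3. Reverse tunneling alternative: a host route to the home agent via tunl0
    #    makes the reverse path match, so rp_filter can stay on.
    reverse_routes = [("172.24.8.99/32", "tunl0")] + FOREIGN_AGENT_ROUTES
    reverse_tunnel = rp_filter_verdict(HOME_AGENT, "tunl0", SPOOFPROTECT_ON, reverse_routes)
    # 4. Ordinary LAN traffic on eth0 is unaffected.
    lan = rp_filter_verdict("172.24.20.1", "eth0", SPOOFPROTECT_ON, FOREIGN_AGENT_ROUTES)
    # 5. The ipsec/%defaultroute case from the 2003-02-10 reply: the remote subnet is
    #    routed via ipsec0 (constructed routes), so ingress on ipsec0 passes the check.
    ipsec_routes = [("192.168.1.0/24", "ipsec0"), ("0.0.0.0/0", "eth0")]
    ipsec_ok = rp_filter_verdict("192.168.1.5", "ipsec0", SPOOFPROTECT_ON, ipsec_routes)
    return {
        "silent_drop": silent_drop,
        "fixed": fixed,
        "reverse_tunnel": reverse_tunnel,
        "lan": lan,
        "ipsec_defaultroute": ipsec_ok,
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:20} {verdict}")
```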

Re: [leaf-user] trouble with ipip encapsulation tunnels (well, unexpected behavior, really)

2002-09-29 Thread Chad Carr

On Sun, 29 Sep 2002 12:37:42 -0700
Matthew Schalit [EMAIL PROTECTED] wrote:

 
 Hi Chad,
Hope things are working out.
 
I like your diagram, and then again I don't.
 But maybe it's just me, I don't know, but I can't
 understand it as much as I need to.  I admire your
 attempt, though, because it was properly spaced,
 readable, and darn good for what it was.

Thanks very much for your patience.  This diagram is trying to detail
something that doesn't happen usually in nature, which is the existence of
a mobile node on the wrong subnet, with two computers in cooperation
(home agent and foreign agent) attempting to get packets to it.


I'll try again:

  172.24.8.1/24                              172.24.20.1/22
  ________              ________              __________
 | switch |------------| router |------------|  switch  |
 |________|            |________|            |__________|
      |                                       |      |
  ____|_______                ________________|_     |______________
 |            |              |                  |    |              |
 | home agent |              |  foreign agent   |    |  mobile node |
 |____________|              |__________________|    |______________|
  172.24.8.99/24             172.24.20.104/22        172.24.8.24/24

All links are CAT5 ethernet.  Home agent, foreign agent and mobile node
are each separate, regular PC hosts with one NIC (eth0) and one IP address
each.

The titles home agent and foreign agent are simply relative to the
mobile node.  The home agent catches packets destined for the mobile
node (via proxy arp), tunnels them through the router to the foreign
agent, who has agreed to detunnel them and deliver them (via the mobile
node's known _hardware_ address) to the mobile node.  The mobile node
really belongs on the same network as the home agent.  The foreign agent
is not a bridge - it knows the ethernet address of the mobile node and has
a host route to it that indicates that it is on the same link (see below).

The IP-in-IP tunnel is between the home agent and the foreign agent.  I
have verified that the packets routing between them are properly formed
and have correct checksums in all the right places.

I have verified that the foreign agent is receiving the tunneled packet on
eth0 by logging all packets seen on PREROUTING and INPUT using the
following rules:

iptables -A PREROUTING -t mangle -j LOG
iptables -A INPUT  -t mangle -j LOG

I also see the de-tunneled packet arriving on tunl0 via the PREROUTING
chain.  I have also added the following rule to track packets on the
FORWARD chain, which is where I think the de-tunneled packet should go
next.

iptables -F FORWARD   -t mangle -j LOG

I see nothing.  I am sorry I do not have the logs at home.  I can send
them on Monday.  The following are reconstructions of the setup on the
foreign agent to the best of my memory.

ip addr sh on foreign agent:

1: lo: LOOPBACK,UP mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
2: eth0: BROADCAST,MULTICAST,UP mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:60:b0:45:f6:d8 brd ff:ff:ff:ff:ff:ff
inet 172.24.20.104/22 brd 172.24.23.255 scope global eth0
19: tunl0@NONE: NOARP mtu 1480 qdisc noop
link/ipip 0.0.0.0 brd 0.0.0.0
inet 172.24.8.104/32 scope global tunl0

ip route sh on foreign agent:

172.24.8.24 dev eth0  scope link 
172.24.20.0/22 dev eth0  proto kernel  scope link  src 172.24.20.104
default via 172.24.20.1 dev eth0

ip neigh sh on foreign agent

172.24.8.24 dev eth0 lladdr 00:00:0d:2f:0f:0b nud permanent
172.24.20.1 dev eth0 lladdr 00:d0:b7:1c:5a:90 nud reachable

ip -s tunnel sh on foreign agent

tunl0: ip/ip  remote any  local any  ttl inherit  nopmtudisc
RX: PacketsBytesErrors CsumErrs OutOfSeq Mcasts
5  580  0  000
TX: PacketsBytesErrors DeadLoop NoRoute  NoBufs
0  00  000

The packet and byte count increment properly when packets are received. 
The byte count increases by the size of the _inner_ packet.

Again, I appreciate your time and patience.  I hope these drawings and
material are a little clearer; it is by nature a bit of a weird setup.

I feel that I have sort of covered all of the bases on this one and still
have a disconnect.  My next step is to get inside the kernel itself and
try and figure out where the packets are getting dropped and why - sort of
an inside-out approach, I guess.

Thanks.

-- 

Chad Carr  [EMAIL PROTECTED]




[leaf-user] trouble with ipip encapsulation tunnels (well, unexpected behavior, really)

2002-09-26 Thread Chad Carr

Hello routing and tunneling guys and gals!  I have a tunneling quandry for
ye.

I am doing an implementation of mobile ip and have finally solidified all
of the protocol bits to implement a foreign agent, and have come to the
part where I need to accept ip-in-ip tunneled packets for a mobile node,
detunnel them, and deliver them to him.  I am using the kernel ipip.o
module for this, and have configured the tunnel as follows:

    __________                _____________   ___________
   |          |              |             | |           |
   |home agent|===(router)===|foreign agent|---|mobile node|
   |__________|              |_____________| |___________|


home agent ip    - 172.24.8.99
foreign agent ip - 172.24.20.104
mobile node ip   - 172.24.8.24 (on the foreign network)

I am not in control of the home agent, but I have verified with a sniffer
that he is sending me well-formed ip-in-ip packets for the mobile node,
plus he works with another foreign agent that I have, so he is not the
problem.

foreign agent configuration:

# bring up tunnel device
ip tunnel add mode ipip # (default tunnel tunl0; local *-remote *)

# add static arp table entry since mobile node can't reply
ip neigh add 172.24.8.24 lladdr 00:00:0d:2f:a0:b0 dev eth0 nud perm

# add static host route
ip route add 172.24.8.24 dev eth0


I have verified the following:

1) The packets are getting delivered to the foreign agent;
2) The packets are being accepted by tunl0 and processed;
3) They are the expected size (the size of the inner ip packet);
4) They are not being delivered anywhere outside the box.

I figure the following bits are true:

The foreign agent is holding a copy of the ip packet addressed to the
mobile node.  He may do one of the following:
  a) assume that the packet is for delivery on the local link, look up
     the ip in the arp table, and deliver it to the mobile node
  b) hit the routing table again and see the host route, see that it is
     directly connected, look up the ip in the arp table, and deliver it
     to the mobile node
  c) drop the packet

Obviously, given the way I have configured the box, I believe that b
should be what is happening.  However, it seems plain that c is the
option that has been chosen by the tunl0 device.

I am obviously missing something quite overt, so I thought that one of you
guys might be able to see what I can't.


-- 

Chad Carr  [EMAIL PROTECTED]






Re: [leaf-user] bering and x509

2002-09-17 Thread Chad Carr

On 17 Sep 2002 08:35:11 +0200
Ronny Aasen [EMAIL PROTECTED] wrote:

 
 Hello
 
 After spending yesterday messing with x509 certificates, 
 reading docs and howtos, I am at a dead end.
 
 I have made self signed certificates, 
 installed the ca and the host certificates on bering and vpn client, 
 and tweaked and tweaked ipsec.conf and secret files.
 
 I wonder if anyone has a working example of ipsec.conf and
 ipsec.secrets using x509 keys?
 
 The log states illegal certificate signature, but I have made the
 certificates by following the leaf bering user guide. Any clues?
 
 I use safenet softremote, and it works perfectly using shared secret.

Have you tried to connect two bering boxes using your configuration to
ensure that it is not the softremote itself?  Also, which side is saying
illegal signature?

-- 

Chad Carr  [EMAIL PROTECTED]






Re: [leaf-user] Re: Question: (user's guide) 12. Monitoring Bering through a terminal console

2002-09-11 Thread Chad Carr

On 11 Sep 2002 11:47:22 -0700
Stephen Lee [EMAIL PROTECTED] wrote:

 On Wed, 2002-09-11 at 11:16, Jacques Nilo wrote:
  On Wednesday 11 September 2002 15:09, David Shu wrote:
   Hi Jacques,
  
   Firstly thanks for the great work with the berings firewall.  Your
   documentation is second to none and I've found it very easy to get
   things working despite my limited knowledge and experience with
   *nix.
  
   I've just enabled my router/firewall to be serially accessed through
   a terminal console and all seems to be working fine till I edit
   files.  Some how, there seems to be a severe lag and refresh line
   going through the screen everytime I move down or up a line.  Is
   this a known bug?  Or have I possibly done something wrong.
  
   I've not changed anything from your recommended values (Serial Port
   1, baud 19200).  I'm using secureCRT with similar values to access
   the router (I tried TeraTerm with similar results).  Like I said
   before, there are no problems till I edit files (I've tried e3,
   e3vi, ae).  All other times everything is displaying well and
   smoothly..
  
   Any ideas?
  I understand that you only have that pb when using the editor (by the
  way e3, e3vi and ae are all linked to the same program ...)
  I am forwarding your mail to the leaf-user list for assistance on this
  matter since I never use a serial connection myself
  Any idea anyone ?
  Jacques
 
 I have the same refresh problem when communicating with the serial
 port to Bering 1.0rc2 via Minicom. It's a bear to edit anything with
 e3vi. There must be some com setting that can fix this problem...

If there was a way to fix it (which I doubt there is), it would be a
setting with e3.  It is just really slow because of the way it repaints
the screen.  vim has no problems.  There has to be some tradeoff with
size!

-- 

Chad Carr  [EMAIL PROTECTED]






Re: [leaf-user] (no subject)

2002-09-04 Thread Chad Carr

On Wed, 4 Sep 2002 13:59:39 -0700
Scott Ritchie [EMAIL PROTECTED] wrote:

 
 
 
 ---
 This sf.net email is sponsored by: OSDN - Tired of that same old
 cell phone?  Get a new here for FREE!
 https://www.inphonic.com/r.asp?r=sourceforge1refcode1=vs3390
 
 leaf-user mailing list: [EMAIL PROTECTED]
 https://lists.sourceforge.net/lists/listinfo/leaf-user
 SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html

Wow.  For once a no subject post where the contents really match the
subject line! ;-)


-- 

Chad Carr  [EMAIL PROTECTED]






Re: [leaf-user] ipsec509 packages configuration

2002-08-30 Thread Chad Carr

On 30 Aug 2002 11:34:12 +0200
Ronny Aasen [EMAIL PROTECTED] wrote:

 Is there any particular reason why I don't find an ipsec entry under the
 lrcfg package management when using ipsec509.lrp from this location?
 
 http://leaf.sourceforge.net/devel/jnilo/bering/update/freeswan-1.98b/
 
 I thought that ipsec509.lrp under bering doesn't require ipsec.lrp?

Well, there is definitely _something_ wrong with the x509 version of the
package, since all of the files in the var/lib/lrpkg dir have the name
ipsec.* instead of ipsec509.* (and because the x509 certificate file isn't
listed in the ipsec.list file, they will not get backed up properly; add
etc/x509cert.der), but I still think you should have a menu item for
ipsec alone.  I don't have a router currently set up to check it out,
unfortunately.

I think that this is not a release package, but I could be wrong.  It will
be fixed by the time it is released, I'm sure.  I am working on another
release, but it may have some additional patch goodies that are not
behaving under slink, so it is slow going.  It will also have bug fixes
for all of my silly ppp issues.

-- 

Chad Carr  [EMAIL PROTECTED]






Re: (Fwd) Re: [leaf-user] Bering ipsec question

2002-08-25 Thread Chad Carr

On Sun, 25 Aug 2002 13:03:46 +0200
Eric Wolzak [EMAIL PROTECTED] wrote:

 2- if a file is listed in two different packages then it is NOT backed
 up.
 
 the reason for this is that the package system functions so:
 It creates a list of all files and deselect the files that are listed in
 another packages include list according to rule 1.
 As your specifications are identical in both ipsec and ipsec509 they 
 are not backed up ( gives small files ;) ) 
 
 If you remove etc/ipsec* etc/ipsec.conf and etc/ipsec.secrets from 
 one of the two then everything will backup.
 Now you get the package from cdrom.

Yes.  Basically, your only problem is that you shouldn't load both. 
Unlike the Dachstein packages of the same name, each of the Bering
packages is stand alone.  You only need one.  (Perhaps we should have made
it consistent with Dachstein, but it is done this way nonetheless).

-- 

Chad Carr  [EMAIL PROTECTED]






Re: [leaf-user] Bering: ifconfig needed for manual ipsec tunnels?

2002-08-25 Thread Chad Carr

On Sun, 25 Aug 2002 23:17:23 +0200
Jacques Nilo [EMAIL PROTECTED] wrote:

 case $interfs in
 '') interfs=`ifconfig |
 awk '   /^ipsec/ { interf = $1 ; next }
 /^[^ \t]/ { interf = "" ; next }
 /^[ \t]*inet addr/ {
 sub(/:/, " ", $0)
 if (interf != "")
 print $3 "@" interf
  }' | tr '\n' ' '`
 ;;
 esac
 snip
 Chad: something to fix for the next release ?

Oops.  Will do.


-- 

Chad Carr  [EMAIL PROTECTED]






[leaf-user] Mobile IP for LEAF

2002-08-21 Thread Chad Carr

I'm gonna take a flyer here and guess that it was the lack of a subject header rather 
than lack of interest in the subject material that led people to delete my first 
unsolicited mail to the list in months.  I am such a bonehead sometimes!

Anyways, is anyone interested in Mobile IP for LEAF?  Does anyone know anything about 
Mobile IP?  I realize that these are incredibly general questions, but if you can just 
send me yes or no answers to these two questions, in order, we can continue with 
the thread.

-- 

Chad Carr  [EMAIL PROTECTED]






[leaf-user] (no subject)

2002-08-20 Thread Chad Carr

Okay, trolling here.  Anybody know anything (or want to know anything) about mobile ip 
HA/FA support for LEAF?


-- 

Chad Carr  [EMAIL PROTECTED]






Re: [leaf-user] More bering/ipsec questions

2002-08-19 Thread Chad Carr

On Mon, 19 Aug 2002 13:07:45 -0700 (PDT)
Tom Eastep [EMAIL PROTECTED] wrote:

 
 http://www.shorewall.net/IPSEC.htm.
 
 PLEASE folks -- at least _try_ to find this kind of thing on the
 Shorewall site before posting. 


Hey!  I have a crazy idea!  Why don't Lynn and I point to your site in our docs?



-- 

Chad Carr  [EMAIL PROTECTED]






Re: [leaf-user] Bering rc3 and ipsec problems

2002-08-15 Thread Chad Carr

On Wed, 14 Aug 2002 19:15:11 -0600
Jeff Lush [EMAIL PROTECTED] wrote:

 I have 3DES checked off on the appliance. Maybe this is the problem...

Did enabling 3DES work for you?  If not, send me the whole barf output offline and I 
will try to troubleshoot it.

-- 

Chad Carr  [EMAIL PROTECTED]






Re: [leaf-user] IPSec doesn't found public interface

2002-08-11 Thread Chad Carr

On Sun, 11 Aug 2002 13:47:20 +0200
Francois BERGERET [EMAIL PROTECTED] wrote:

 Hi Chad,
 
 Thanks to spend your time to help me (and others).
 
 I have understood that you have trieve a bug in the IPSec package,
 but I don't know how to correct it by myself, due to my lack of competence
 with Linux.
 
 I have tempted an idiot editing with ae without success, of course.
 
 How can I proceed ?
 
 Could you, please, correct this bug for me (and the community) and
 post the file to replace ?

Sorry about that.  Attached inline below.  Please excuse the bug.  It will be fixed in 
the next release.

 After this bug correction, how can I start correctly IPSec tunnels
 between my two boxes ? As described by Jacques Nilo's user manual ?

Yes.  The user's manual has a section on ipsec.  If you have additional questions, 
please post to the list.

http://leaf.sourceforge.net/devel/jnilo/buipsec.html

-- 

Chad Carr  [EMAIL PROTECTED]


# BEGIN /usr/lib/ipsec/_startklips #
#!/bin/sh
# KLIPS startup script
# Copyright (C) 1998, 1999, 2001, 2002  Henry Spencer.
# 
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
# for more details.
#
# RCSID $Id: _startklips,v 1.6.2.6 2002/06/21 05:05:01 mcr Exp $

me='ipsec _startklips'      # for messages

# KLIPS-related paths
sysflags=/proc/sys/net/ipsec
modules=/proc/modules
# full rp_filter path is $rpfilter1/interface/$rpfilter2
rpfilter1=/proc/sys/net/ipv4/conf
rpfilter2=rp_filter
ipsecversion=/proc/net/ipsec_version
moduleplace=/lib/modules/`uname -r`/kernel/net/ipsec
bareversion=`uname -r | sed -e 's/\([0-9]*\)\.\([0-9]*\)\.\([0-9-]*\).*/\1.\2.\3/'`
moduleinstplace=/lib/modules/$bareversion/kernel/net/ipsec
modulename=ipsec.o

info=/dev/null
log=daemon.error
for dummy
do
    case "$1" in
    --log)      log="$2" ; shift                ;;
    --info)     info="$2" ; shift               ;;
    --debug)    debug="$2" ; shift              ;;
    --omtu)     omtu="$2" ; shift               ;;
    --fragicmp) fragicmp="$2" ; shift           ;;
    --hidetos)  hidetos="$2" ; shift            ;;
    --default)  packetdefault="$2" ; shift      ;;
    --)         shift ; break                   ;;
    -*)         echo "$me: unknown option \`$1'" >&2 ; exit 2   ;;
    *)          break                           ;;
    esac
    shift
done



# some shell functions, to clarify the actual code

# set up a system flag based on a variable
# sysflag value shortname default flagname
sysflag() {
    case "$1" in
    '') v="$3"  ;;
    *)  v="$1"  ;;
    esac
    if test ! -f $sysflags/$4
    then
        if test " $v" != " $3"
        then
            echo "cannot do $2=$v, $sysflags/$4 does not exist"
            exit 1
        else
            return  # can't set, but it's the default anyway
        fi
    fi
    case "$v" in
    yes|no) ;;
    *)  echo "unknown (not yes/no) $2 value \`$1'"
        exit 1
        ;;
    esac
    case "$v" in
    yes)    echo 1 >$sysflags/$4    ;;
    no)     echo 0 >$sysflags/$4    ;;
    esac
}

# set up a Klips interface
klipsinterface() {
    # pull apart the interface spec
    # Bering
    #   virt=`expr $1 : '\([^=]*\)=.*'`
    #   phys=`expr $1 : '[^=]*=\(.*\)'`
    virt=`echo $1 | sed 's/=.*//g'`
    phys=`echo $1 | sed 's/[^=]*=//g'`
    # /Bering
    case "$virt" in
    ipsec[0-9]) ;;
    *)  echo "invalid interface \`$virt' in \`$1'" ; exit 1 ;;
    esac
    # figure out ifconfig for interface
    addr=
    #Bering
    #   eval `ifconfig $phys |
    #       awk '$1 == "inet" && $2 ~ /^addr:/ && $NF ~ /^Mask:/ {
    #           gsub(/:/, " ", $0)
    #           print "addr=" $3
    #           other = $5
    #           if ($4 == "Bcast")
    #               print "type=broadcast"
    #           else if ($4 == "P-t-P")
    #               print "type=pointopoint"
    eval `ip addr show $phys |
        awk '$1 == "inet" {
            print "addr=" $2
            other = $4
            if ($3 == "brd")
                print "type=broadcast"
            else if ($3 == "peer")
                print "type=pointopoint"
            else if (NF

Re: [leaf-user] problem with _startklips on [non ethernet] connections

2002-07-18 Thread Chad Carr

On 18 Jul 2002 15:18:09 +0200
Ronny Aasen [EMAIL PROTECTED] wrote:

 Hi again 
 
 I have setup a new bering box using isdn for external and 3com nic for
 internal. 
 
 on this box i get the same error as on a adsl box 
 
 **console output while trying to restart ipsec** 
 isdnvpn: -root- 
 # ipsec setup restart 
 ipsec_setup: Stopping FreeS/WAN IPsec... 
 ipsec_setup: stop ordered, but IPsec does not appear to be running! 
 ipsec_setup: doing cleanup anyway... 
 ipsec_setup: Starting FreeS/WAN IPsec 1.98b... 
 ipsec_setup: Using /lib/modules/ipsec.o 
 ipsec_setup: unable to determine address of `ippp0' 
 
 
 
 
 IANAC but i think some of the problem is in this passage in
 /lib/ipsec/_startklips.  
 
 eval `ip addr show $phys |
     awk '$1 == "inet" && $3 == "brd" {
         print "addr=" $2
         other = $4
         if ($3 == "brd")
             print "type=broadcast"
         else if ($3 == "peer")
             print "type=pointopoint"
         else if (NF == 5) {
             print "type="
             other = "" }
         else
             print "type=unknown"
         print "otheraddr=" other
 #       print "mask=" $NF
         gsub(/\//, " ", $0)
     }'`
 
 
 if test " $addr" = " "
 then
     echo "unable to determine address of \`$phys'"
     exit 1
 fi

You know, I finally see a problem with this script.  The meat of the script is not 
going to execute unless the first field is inet and the third field is brd.  Not 
going to work with ppp devices!

Welcome to the Bering testing team!

Try this:

=== BEGIN SCRIPT FRAGMENT ===
eval `ip addr show $phys |
    awk '$1 == "inet" {
        print "addr=" $2
        other = $4
        if ($3 == "brd")
            print "type=broadcast"
        else if ($3 == "peer")
            print "type=pointopoint"
        else if (NF == 5) {
            print "type="
            other = "" }
        else
            print "type=unknown"
        print "otheraddr=" other
#       print "mask=" $NF
        gsub(/\//, " ", $0)
    }'`
=== END SCRIPT FRAGMENT ===


 'ip addr show ippp0' on my system shows 
 
 # ip addr show ippp0
 8: ippp0: <POINTOPOINT,NOARP,DYNAMIC,UP> mtu 1500 qdisc pfifo_fast qlen 30
     link/ppp 
     inet 130.67.214.178 peer 130.67.213.128/16 scope global ippp0
                         ^^^^
See, your third field isn't 'brd'!  Duh!

 i have messed up my ipsec.lrp so often now i almost bought a zywall,
 luckily i got a hold of myself.

Don't give up the good fight yet, Ronny!


-- 

Chad Carr  [EMAIL PROTECTED]
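The failure diagnosed above, as an added example that is not code from the Bering ipsec package or from this thread: it runs both awk filters (the old `$3 == "brd"` one and the corrected `$1 == "inet"` one) over constructed `ip addr show` output for a broadcast interface, a point-to-point ippp0 and a bare-address lo, and returns what _startklips would end up with. The sample interface text, addresses and helper names are assumptions.

```shell
#!/bin/sh
# Added example, not Bering project code: compare the old and fixed
# _startklips address-detection filters on constructed "ip addr show" output.

# Constructed samples (RFC 5737 documentation addresses, made-up MAC),
# laid out like the ip(8) output quoted in the thread.
ETH0_SAMPLE='2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:00:5e:00:53:01 brd ff:ff:ff:ff:ff:ff
    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0'

IPPP0_SAMPLE='8: ippp0: <POINTOPOINT,NOARP,DYNAMIC,UP> mtu 1500 qdisc pfifo_fast qlen 30
    link/ppp
    inet 198.51.100.178 peer 203.0.113.128/16 scope global ippp0'

LO_SAMPLE='1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo'

# The two awk patterns under comparison: the one that only matches
# broadcast interfaces, and the fix that matches every inet line.
OLD_COND='$1 == "inet" && $3 == "brd"'
NEW_COND='$1 == "inet"'

# Action body shared by both patterns, same logic as the script fragment.
KLIPS_BODY='
    print "addr=" $2
    other = $4
    if ($3 == "brd")
        print "type=broadcast"
    else if ($3 == "peer")
        print "type=pointopoint"
    else if (NF == 5) {
        print "type="
        other = ""
    } else
        print "type=unknown"
    print "otheraddr=" other
'

# parse_iface COND SAMPLE: print the addr=/type=/otheraddr= lines the
# script would eval, or fail the way ipsec_setup does when nothing matches.
parse_iface() {
    _out=$(printf '%s\n' "$2" | awk "$1 { $KLIPS_BODY }")
    if [ -z "$_out" ]; then
        echo "unable to determine address" >&2
        return 1
    fi
    printf '%s\n' "$_out"
}

# iface_type COND SAMPLE: the detected type; empty when detection failed
# (and also for a bare address such as lo, which the script leaves as type=).
iface_type() {
    parse_iface "$1" "$2" 2>/dev/null | sed -n 's/^type=//p'
}

# iface_addr COND SAMPLE: the address with any /prefix removed;
# empty when detection failed.
iface_addr() {
    parse_iface "$1" "$2" 2>/dev/null | sed -n 's,^addr=\([^/]*\).*,\1,p'
}

# Stand-alone run: the old filter sees eth0 but never ippp0 or lo.
for cond in "$OLD_COND" "$NEW_COND"; do
    echo "filter [$cond]:"
    for s in "$ETH0_SAMPLE" "$IPPP0_SAMPLE" "$LO_SAMPLE"; do
        echo "  type='$(iface_type "$cond" "$s")' addr='$(iface_addr "$cond" "$s")'"
    done
done
```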






Re: [leaf-user] Bering 1.0-rc3 segmentation fault

2002-07-16 Thread Chad Carr

On Tue, 16 Jul 2002 19:38:34 -0700 (PDT)
Tom Eastep [EMAIL PROTECTED] wrote:

 On Tue, 16 Jul 2002, wing newton wrote:
 
  Greetings,
  
  I just brought up Bering 1.0-rc3 (latest) and it went
  into segmentation fault - caused by
  Shorewall/iptables. Any hints.
  
 
 Shorewall is a set of shell scripts -- I'd love to hear how a shell
 script can segfault

You weren't supposed to call _that_ shell builtin...

-- 

Chad Carr  [EMAIL PROTECTED]






Re: [leaf-user] Bering RC2 and additional routes to other private networks

2002-07-14 Thread Chad Carr

On Sat, 13 Jul 2002 23:11:56 -0700
Brock Nanson [EMAIL PROTECTED] wrote:

 I've been playing with an Orinoco access point tonight, attempting to
 add an additional private IP subnet to my Bering RC2 box.  The AP is
 essentially a router, allowing traffic from the wireless network of
 192.168.200.0 to pass to the 192.168.1.0 network which is my internal
 wired LAN as far as the Bering box is concerned.
 
 I've tweaked shorewall to allow traffic back and forth from this
 wireless network to my DMZ, internet etc.  It all seems to work, except
 that I am so far forced to manually add a route to Bering after boot to
 tell it where to look for the router to the wireless network.  Is this
 something that Shorewall should take care of, or do I need to enter this
 information somewhere else?  So far I haven't stumbled on any obvious
 places...

Okay, let me make sure I'm following you correctly.  If so, this is
identical to the setup I had back when we were testing ipsec on rc2.

You have a router, with one interface hooked up to a wired lan (let's say
for argument's sake 192.168.1.1) and another hooked via hub or crossover to
a wireless AP server network 192.168.200.0.  This interface is, again for
the sake of argument, 192.168.200.1.  The AP will also have an ip address,
but really unused except for management.

From there, if there is access to the internet, there would be another
interface hooked up to that, with an external ip address.  Or you could be
like me, where you just route everything to your wired lan and you have
another router on that network which handles your internet traffic.  In
order for the machines on the wired lan _not_ to each need a static route
to the wireless lan, this other router would need a static route back to
the wireless lan, using 192.168.1.1 as the gateway address for the
192.168.200.0/24 network.

As far as I know, and Mr. Eastep can correct me if I'm wrong, Shorewall
doesn't usually need to set up routes (and maybe can't?).  That is done by
the regular networking scripts when the interfaces are set up.  This
process is controlled by /etc/network/interfaces.  You will probably have
lines like:

auto eth0
iface eth0 inet static
address 192.168.1.1
netmask 255.255.255.0

auto eth1
iface eth1 inet static
address 192.168.200.1
netmask 255.255.255.0

These lines should set up routes like this:

# ip route
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.1
192.168.200.0/24 dev eth0  proto kernel  scope link  src 192.168.200.1

So, short answer, you shouldn't have to do anything, assuming my
incredibly verbosely stated assumptions are true!



-- 

Chad Carr  [EMAIL PROTECTED]






Re: [leaf-user] samba for bering based leaf box

2002-07-14 Thread Chad Carr

On 14 Jul 2002 17:09:20 +0200
Fabian Linzberger [EMAIL PROTECTED] wrote:

 Hi guys!
 
 I have already asked about the availability of a halfway recent samba
 package about a month ago. Unfortunately no one has answered my
 request... does this mean there is nothing out there? is anyone working
 on something like that?
 
 I am well aware that windows filesharing is not one of the standard
 things one is doing with a firewall/router, but a friend of mine has
 only a small home network and the other pcs are laptops with limited
 space, that his 40 gb ide-harddisk doesn't fit into. If someone can
 think of another solution to let him play his mp3s, please tell me ;)
 
 I am starting to get ready to dig into the developers documentation and
 work on my own samba package. are there any hints you have for my in
 that case? should i compile from scratch, or just try to find a suitable
 binary from debian pre potato (that i can't remember the name of right
 now - never saw toy story, sorry), that doesn't need glibc? Space
 constraints aren't that much an issue as it obviously needs a hard
 drive, that I already have configured as the booting device.
 
 Anyway, I am ready to do this, but would like to be sure that I don't
 have to repeat work that others have already completed. By the way, if
 you are interested in running samba on leaf too, tell me now and I might
 put in some effort to make something others can use as well.

I could see this being a good thing.  Probably the easiest way to get
going on packaging (at least for Bering) is to follow the instructions at
http://leaf.sourceforge.net/devel/jnilo/uml.html to make a virtual
pre-potato (slink) machine that will allow you to compile modern
software (preferably without security bugs) with a distinctly non-modern
glibc.  Generally, only the core components are included in LEAF packages,
i.e. not the docs and not even some less needed utilities (like swat, for
instance).

Sometimes you have to change things in modern software to get it to
compile under slink.  The compiler and find are your friends.

If you contribute the package back, make sure and write documentation for
it.  With Samba that could be a little open-ended (how far do you want to
get into it?), but even a basic doc is helpful.

 
-- 

Chad Carr  [EMAIL PROTECTED]






[leaf-user] Re: [Leaf-devel] is Bering GNU?

2002-07-13 Thread Chad Carr

On Sat, 13 Jul 2002 01:55:44 -0400
George Georgalis [EMAIL PROTECTED] wrote:

 In all sincerity, Bering is very cool. It could just be a lot better
 if it was more in the spirit of _encouraging_ open source development
 rather than barely qualifying, actually I bet if it was audited, it
 wouldn't pass.  If there are scripts to tar and gzip a lrp package,
 why aren't they part of a tools.tgz right beside package_src.tgz and
 compile_configs.tgz next to the Leaf_UML packages and extraction
 instructions for odd archives? I know asking for doc is a lot, but
 maintaining a file of command lines used to make the binaries from
 source would be an excellent first step.

http://www.franzdoodle.com/bering/dev.tgz

Here is the development environment I use to customize Bering for compact
flash.  If it is useful, I will contribute it to the project.  It is
incomplete, and lacking documentation (two of your pet peeves, I see), but
I am working hard at a day job in an economic downturn and the projects I
am involved in at work have been steered away from embedded linux since I
started on the project /excuse

It is only a framework, somewhat quick and dirty.  I will write a doc if
it looks useful to anyone at first glance.  I suspect, however, that it is
not that much different than what others might be using for their custom
projects.

I hope that this helps some.

-- 

Chad Carr  [EMAIL PROTECTED]






[leaf-user] Re: [Leaf-devel] is Bering GNU?

2002-07-13 Thread Chad Carr

On Sat, 13 Jul 2002 01:55:44 -0400
George Georgalis [EMAIL PROTECTED] wrote:

  Is Bering GNU?

That was pretty funny.  Was it what you expected?  I hope whatever you
wanted to get out of that post you got out of one of the respondents (or
more).  Feel free to post again if your questions haven't been answered. 
And, seriously, if you want to enhance or otherwise contribute to the
project, or even just monitor the list to help other users avoid getting
into the jams you got into (or help them get out in time for their
conferences ;-)), I think I speak for most of the folks on the list when I
say, go to it!  Open source projects are invariably best supported by
their users, especially the ones who have been through the more rough
paths.  I think that if you watch the leaf-user list for awhile, you'll
find that it is one of the best support lists out there.

-- 

Chad Carr  [EMAIL PROTECTED]






Re: [leaf-user] problem with _startklips on bering rc3

2002-07-12 Thread Chad Carr

On 12 Jul 2002 12:48:01 +0200
Ronny Aasen [EMAIL PROTECTED] wrote:

 Hello
 
 i have a a testing setup with ipsec between 3 linux bering firewalls and
 a zywall 10 router, all on static ip address i also have roadwarrior
 support from dhcp clients on isdn/modem line using windows 98/ssh
 sentinel and windows 2000/xp (with the aid of vpn.ebootis.de)
 
 my problem arises when i try to setup a lan-lan tunnel between my master
 vpn  bering firewall and a adsl gateway 
 
 {worklan}[Bering1 static 194.248.214.187]{NET}[Bering2 adsl
 dynamic 880.212.112.*]{homelan}
  
 I realise i can't get ipsec on startup since the adsl ppp0 isn't up yet.
 
 but running ipsec setup i expected the tunnel to come up
 
 ipsec_setup: Stopping FreeS/WAN IPsec...
 ipsec_setup: stop ordered, but IPsec does not appear to be running!
 ipsec_setup: doing cleanup anyway...
 ipsec_setup: Starting FreeS/WAN IPsec 1.97...
 ipsec_setup: Using /lib/modules/ipsec.o
 ipsec_setup: unable to determine address of `ppp0'

Is the above output the result of /etc/init.d/ipsec restart?

Can you post the output of ipsec barf?

Thanks.

-- 

Chad Carr  [EMAIL PROTECTED]






Re: [leaf-user] eth1:Tx timeout! Resetting card

2002-07-10 Thread Chad Carr

On Tue, 9 Jul 2002 21:15:23 -0700
Brock Nanson [EMAIL PROTECTED] wrote:

 The Lucent is NOT a PRISM2 card.  The orinoco_cs driver will work with
 many PRISM2 cards, but I think what this suggests is that the
 /etc/pcmcia/config file is being checked and the wrong card is found.  I
 don't know if that is causing your problem, but who knows ;-).  I had my
 configuration miss my card at first too, so I deleted all the extra
 entries from the file... didn't need the other stuff anyway as I won't
 be using other cards.  It eventually settled on using the right entry.

http://www.hpl.hp.com/personal/Jean_Tourrilhes/Linux/
http://www.hpl.hp.com/personal/Jean_Tourrilhes/Linux/Linux.Wireless.drivers.html#WavelanIEEE
-- 

Chad Carr  [EMAIL PROTECTED]






Re: [leaf-user] IPSEC Howto for LRP

2002-07-09 Thread Chad Carr
, but does NOT initiate a connection, it WAITS for initiation.
auto=start # This starts ipsec and initiates the connection.

With this in mind, you cannot have two machines attempt to initiate (start)
a connection; only one machine can be configured this way per connection.
With a Host-To-Subnet (Road Warrior) type connection, the Road Warrior would
be the machine that would initiate the connection. With a Subnet-To-Subnet
connection, normally NEITHER of the Gateway machines are set to initiate
the connection since both of them are normally on 24/7. Instead, when the
VPN tunnel is known to be down, one of the machines is manually used to
initiate the connection with the command "ipsec auto --up {connection-name}".
The connection names in the sample /etc/ipsec.conf used earlier would be
"roadwarrior" and "subnet-to-subnet".



12) TROUBLESHOOTING

The output of a few commands can be the best source of information if 
your VPN connection does not work.


The results of:                       Tell you:
---------------------------------------------------------------------------
ipsec barf                            Virtually everything about what is
                                      happening and what has happened with
                                      ipsec.
cat /var/log/auth.log                 Authentication success and failure
                                      messages.
ipsec look, route -n, and ifconfig    Shows a connected tunnel through
                                      interface ipsecX.
ipsec auto --status                   Shows the status of the connection.


Look for authentication failure or success with "ipsec barf" and/or the
/var/log/auth.log file. A failure in these files usually indicates that
port 500 and/or protocols 50 and 51 aren't making it through the firewall
or your authentication key is not set up properly. If the authentication
was successful, check "ipsec look", "ifconfig", and/or "route -n". You
should have an interface ipsec0 up with the external interface's ip
address and a route showing the remote subnet/host via the local default
gateway or your ISP. Failure at this point would indicate improper
ipsec.conf configuration or port 500 not allowing traffic. The contents
of /var/log/messages will show denied packets at the firewall; check for
any denied packets at port 500.

If these commands do not help you locate the problem, monitoring the
firewall activity will be the next source of information. Use the command
"ipchains --zero" and note the output that refers to port 500 and
protocols 50 and 51, or use a packet sniffer, while attempting to
initiate a VPN connection.



13) LINKS

   LINKS TO BE ENTERED HERE ###


# end of HowTo ###
-- 

~Lynn Avants
aka Guitarlynn

guitarlynn at users.sourceforge.net
http://leaf.sourceforge.net

If linux isn't the answer, you've probably got the wrong question!

___
Leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel



-- 

Chad Carr  [EMAIL PROTECTED]






Re: [leaf-user] Dachstein/Linux equivalent to ipconfig /all ???

2002-07-08 Thread Chad Carr

On Mon, 8 Jul 2002 06:25:55 -0700
Craig [EMAIL PROTECTED] wrote:

 Hi folks,
 Is there a Dachstein/Linux equivalent to Microsoft's ipconfig /all so I
 can see my complete info??? Do I have to be logged in as Root to execute
 it? Thank you.

ifconfig by itself on a command line will show you all the interfaces
that are up, plus some additional information that Microsoft doesn't think
it's safe for you to have, like the mtu of the device, etc.  Very strictly,
you don't need to be root to use it, but it is in /sbin usually, so you
might have to type the full path if you are not root.

-- 

Chad Carr  [EMAIL PROTECTED]






Re: [leaf-user] Web server question

2002-07-04 Thread Chad Carr


On Thu, 4 Jul 2002 15:08:38 -0500
guitarlynn [EMAIL PROTECTED] wrote:

 On Thursday 04 July 2002 14:58, Scott Ritchie wrote:
  Is there a httpd package for bering?  That is other than weblet. 
  Just need something very simple.
 
 Charles has thttpd packaged on his site, it should work fine with
 Bering. Weblet/sh-httpd is the smallest of the available ones and
 if it is larger than what you are wanting, you can strip the weblet
 html/cgi files and replace with what you would like to use instead.

I also have a mini_httpd package for Bering (by the same author -
http://www.acme.com/software/mini_httpd/) which can do ssl (by itself) if
you're interested.  It is not small, however, being statically compiled
against openssl.  It has not been documented, however.

-- 

Chad Carr  [EMAIL PROTECTED]






Re: [leaf-user] Re: ipsec error

2002-07-03 Thread Chad Carr

On Mon, 1 Jul 2002 22:24:11 -0500
guitarlynn [EMAIL PROTECTED] wrote:

 On Monday 01 July 2002 16:51, Abjin M H wrote:
  Thank you Charles. Now I am getting a different error
 
   Jul  1 14:30:38 babylon ipsec_setup: Starting FreeS/WAN IPsec 1.91...
   Jul  1 14:30:38 babylon ipsec_setup: KLIPS debug `all'
   Jul  1 14:30:39 babylon ipsec_setup: KLIPS ipsec0 on eth0 24.72.35.91/255.255.255.0 broadcast 24.72.35.255
   Jul  1 14:30:39 babylon ipsec_setup: WARNING: ipsec0 has route filtering turned on, KLIPS may not work
   Jul  1 14:30:39 babylon ipsec_setup:  (/proc/sys/net/ipv4/conf/ipsec0/rp_filter = `1', should be 0)
   Jul  1 14:30:39 babylon ipsec_setup: WARNING: eth0 has route filtering turned on, KLIPS may not work
   Jul  1 14:30:39 babylon ipsec_setup:  (/proc/sys/net/ipv4/conf/eth0/rp_filter = `1', should be 0)
   Jul  1 14:30:39 babylon ipsec_setup: ...FreeS/WAN IPsec started
 
 This can be safely ignored and should not affect operation.

Unfortunately, I have found this not to be the case with my configuration.
I see the above statement on many lists, but a few months ago when I was
doing heavy experimentation with freeswan, I found that I needed to unset
rp_filter on the interfaces involved.  I cannot tell you the specific
circumstances involved at the time, only that it was very definitely
needed.

-- 

Chad Carr  [EMAIL PROTECTED]






Re: [leaf-user] Bering-VPN-ipsec-x509 question

2002-05-28 Thread Chad Carr

On Mon, 27 May 2002 16:18:08 -0700
Scott Ritchie [EMAIL PROTECTED] wrote:

 Hey all,
 
   I'm trying to make x509 certificates on a RH7.3 system using the
 instructions in the Bering User's Guide.
  Everything looks good till i enter...
 openssl pkcs12 -export -inkey clientKey.pem -in clientCert.pem
 -certfile demoCA/cacert.pem -out clientCert.p12
 
 What i get back after entering the PEM pass phrase is
 
 Error loading certificate from input
 20254:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:662:Expecting: CERTIFICATE

Can you give us an 'ls -l' from your working directory?  I get this
error when I have somehow gone through the preceding steps and ended up
with an empty clientCert.pem (because of an error in a previous step).  I
just went through the steps line by line and came up with good results, so
if there are not errors in any of your previous steps, I will have to go
back to the drawing board.

Thanks,

-- 
--
Chad Carr[EMAIL PROTECTED]
--




Re: [leaf-user] Bering-VPN-ipsec-x509 question

2002-05-28 Thread Chad Carr

On Tue, 28 May 2002 10:12:31 -0700
Scott Ritchie [EMAIL PROTECTED] wrote:

 - Original Message -
  Can you give us an 'ls -l' from your working directory?  I get this
   error when I have somehow gone through the preceding steps and ended
  up with an empty clientCert.pem (because of an error in a previous
  step).  I just went through the steps line by line and came up with
  good results, so if there are not errors in any of your previous
  steps, I will have to go back to the drawing board.
 
 Thanks!,
   I'll try it again on a different machine (slackware).  Here's the dir
 listing...
 
 total 35
 -rw-r--r--1 root root0 May 27 16:02 clientCert.p12
 -rw-r--r--1 root root0 May 27 16:02 clientCert.pem
 -rw-r--r--1 root root 1751 May 27 16:02 clientKey.pem
 -rw-r--r--1 root root 1001 May 27 16:02 clientReq.pem
 -rw-r--r--1 root root  690 May 27 15:41 crl.pem
 drwx--4 root root 4096 May 27 15:52 demoCA
 -rw-r--r--1 root root 2490 May 27 15:48 ipsec.secrets
 -rw-r--r--1 root root 1692 May 27 15:45 serverCert.pem
 -rw-r--r--1 root root 1751 May 27 15:44 serverKey.pem
 -rw-r--r--1 root root 1058 May 27 15:44 serverReq.pem
 -rw-r--r--1 root root 1209 May 27 15:47 x509cert.der

As I thought, you have a clientCert.pem file with a zero byte count.  Try
running the command:

openssl ca -policy policy_anything -in clientReq.pem -days 1825 -out \
clientCert.pem -notext

again and send the output.  There may be something wrong with the
documentation or something.  Do you have an openssl.cnf file?

-- 
--
Chad Carr[EMAIL PROTECTED]
--




Re: [leaf-user] IPsec client for windows (free)

2002-05-21 Thread Chad Carr

On Tue, 21 May 2002 11:16:03 -0400 (ART)
Roberto Pereyra [EMAIL PROTECTED] wrote:

 
> Hi
>
> Does anyone know of an IPsec client for Windows
> (preferably free) that works with Bering?

Win2k ipsec client works reliably with Bering with preshared secrets and
x509 certificates.  Documentation is found at
http://leaf.sourceforge.net/devel/jnilo/buipsec.html

-- 
--
Chad Carr[EMAIL PROTECTED]
--





Re: [leaf-user] bering rc2 ipsec

2002-05-17 Thread Chad Carr

On Wed, 15 May 2002 13:58:09 -0500
Joey Officer [EMAIL PROTECTED] wrote:

> Coming a little late to the thread, but I was reading this message and
> had a question.  I also get the rp_filter=0 ... etc... but I never
> really needed to fix that.  I have since only made sure that the
> leftfirewall=yes option is set in ipsec.conf.  Has anyone seen a true
> need to try and fix that error?

Yes.  It is documented (tersely) at
http://leaf.sourceforge.net/devel/jnilo/buipsec.html#AEN1214

I couldn't get mine to work without it.

-- 
--
Chad Carr[EMAIL PROTECTED]
--




Re: [leaf-user] Loading packages on bering

2002-05-05 Thread Chad Carr

On Sun, 5 May 2002 08:11:25 -0700 (PDT)
Larry Platzek [EMAIL PROTECTED] wrote:

> You did not tell what version you are using; some already have a solution
> ready to work.
> The problem is the total line length of 256 characters. Sorry, I do not
> remember details at this time. This has been asked before.
> Give us the version and someone may give you the solution.

If you are using Bering or Dachstein, try putting the packages you want to
load, separated by commas, minus the extension, in lrpkg.cfg on your
floppy.


-- 
--
Chad Carr[EMAIL PROTECTED]
--




Re: [leaf-user] VPN-IPSEC and Road-Warrior setup error

2002-05-04 Thread Chad Carr

On Sat, 4 May 2002 00:49:44 -0700
MLU [EMAIL PROTECTED] wrote:

> Hi,
>
> After successful FreeS/WAN setup with 2 subnets using Dachstein CDs on
> both sides, I try to set up for the Road-Warrior on XP/W2K. I tried the
> steps for built-in IPSEC as Chad suggested
> (http://leaf.sourceforge.net/devel/jnilo/buipsec.html#AEN1227) but
> always got stuck at the step
>
> l) select the outbound traffic filter list, next (it said that a valid
> IP must be selected and I do not understand what IP it asks about)

Which dialog are you in when you encounter this condition?

Maybe I can help, then make the instructions clearer for others, if you
have the patience to work through Windows' (and my instructions')
inadequacies.

Thanks.

-- 
--
Chad Carr[EMAIL PROTECTED]
--




Re: [Leaf-user] VPN error, please help

2002-04-27 Thread Chad Carr

On Sat, 27 Apr 2002 14:12:14 -0500
Charles Steinkuehler [EMAIL PROTECTED] wrote:

> > 1. Do you know of any free client for Windows which works with
> > Free/SWAN?
>
> The newer windows systems have IPSec built-in, although configuring them
> to talk to a non-microsoft IPSec implementation can be quite a
> challenge.  Most of the reports I see on the FreeS/WAN mailing list seem
> to indicate the SSH Sentinel client is pretty good.  IIRC, there's a
> list of windows clients known to interoperate with FreeS/WAN in the
> FreeS/WAN docs...

I would hate for someone to have to go through the mess that I did
learning how to configure the Windows 2000 ipsec client, so take a look at

http://leaf.sourceforge.net/devel/jnilo/buipsec.html#AEN1227

Even though it's Windows, I'd be happy to support folks if they have
trouble with it.  I am not a general Windows guru, but I did learn the
ipsec and certificate management utilities pretty thoroughly.

Let me know how it goes,
Chad Carr

___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user



[Leaf-user] router memory needs

2002-04-27 Thread Chad Carr

I am putting perl on my compact flash router, and realize at this point
that the problem with putting huge numbers of packages on a LEAF boot disk
is not the space on the boot device (obviously on compact flash I have
more than enough) but the RAM needed to hold the tmpfs or ramdisk.  How
much memory does a router need to do its job?  I realize that this is a
totally open-ended question with as many answers as routers, but I need
some way to gauge my need.  The only reference point I have is my cisco
routers, which have between 4 and 8 MB flash images and between 32 and 40
MB of RAM.  Does cisco store its flash IOS image compressed?  How much of
it does it decompress to memory on boot?  What kind of compression do they
use and how large is the IOS image in memory?

I realize that you guys might not know the answers to this stuff off the
tops of your heads, but if you can point me in the right direction, I will
be greatly appreciative.  After all, what good is an 8 MB cf card and 64
MB of RAM if you don't fill it up completely?!?!

-- 
--
Chad Carr[EMAIL PROTECTED]
--





Re: [Leaf-user] cat /proc/interrupts

2002-04-26 Thread Chad Carr

On Thu, 25 Apr 2002 22:35:05 -0700 (PDT)
David Smead [EMAIL PROTECTED] wrote:

> Can anyone running Bering tell me what they see when executing the
> command: cat /proc/interrupts

Mine reads:

           CPU0
  0:      12582          XT-PIC  timer
  1:          0          XT-PIC  keyboard
  2:          0          XT-PIC  cascade
  4:        416          XT-PIC  serial
 10:          0          XT-PIC  eth0
 11:          3          XT-PIC  eth1
 14:       5687          XT-PIC  ide0
NMI:          0
ERR:          0

But I am running on a very trimmed down embedded box, so it's liable to
look much different than yours.

HTH,
Chad




Re: [Leaf-user] Bering - rtl8139 module

2002-04-26 Thread Chad Carr

On Fri, 26 Apr 2002 11:31:02 + (GMT)
Angel Martin Alganza [EMAIL PROTECTED] wrote:

> Hello,
>
> Is it possible to find the rtl8139.o module (RealTek NIC) already
> compiled for Bering rc2 (kernel 2.4.18)? I cannot find it at SF and
> haven't a box with such kernel to compile it myself.


Use the mii.o and 8139too.o modules in the modules tarball.  Put them in
/lib/modules.  Load them in /etc/modules in that order.

Mail if you have more questions.

Thanks,
Chad




Re: [Leaf-user] Dynamic VPN Gatewy..... Almost

2002-04-25 Thread Chad Carr

On Thu, 25 Apr 2002 08:54:02 -0700
Brock Nanson [EMAIL PROTECTED] wrote:

> If I recall correctly, ipsec.secrets will NOT allow a catch-all entry if
> you are using preshared secrets.  That's the reason you want to go to
> RSA keys if you have a dynamic end to the tunnel - they will allow this,
> if you set a name as Charles suggested.

You can have only one catch-all (and therefore one preshared secret) if you are using 
preshared secrets.  The identifier to use is %any in the ipsec.secrets file.  Like so:

%any 192.168.3.1: PSK "unsecure"

HTH
Chad




Re: [Leaf-user] VPN behind Dachstein

2002-04-25 Thread Chad Carr

On Thu, 25 Apr 2002 23:09:38 -0400
Morgan Reed [EMAIL PROTECTED] wrote:

> Scott,
>
> A quick follow-up question regarding allowing protocol 47 packets
> through, I attempted to manually set the IPCHAINS rules just to do a
> quick test, and this is what I got:
>
> firewall: -root-
> # ipchains -A input -s 0/0 -d 0/0 1723 -p tcp -l -j ACCEPT
>
> firewall: -root-
> # ipchains -A input -s 0/0 -d 0/0 1723 -p 47 -j ACCEPT
> ipchains: can only specify ports for icmp, tcp or udp
> Try `ipchains -h' or 'ipchains --help' for more information.

This ipchains rule should not specify port 1723.  Ports are not a part of
the GRE header, so they cannot be specified as targets for ipchains.  The
rule should read:

ipchains -A input -p 47 -j ACCEPT

To be absolutely minimal about it.  If no source or destination address is
given, the default is everything.

HTH,
Chad

p.s. take a look at http://www.protocols.com/pbook/tcpip3-1.htm and
http://www.protocols.com/pbook/tcpip.htm#TCP for more details on this.
This is pretty heavy stuff if you're not used to it, but it tells you what
is in the headers of the packets you are trying to filter.  It is
invaluable if you want to really know what you can do with ipchains.




Re: [Leaf-user] ip_masq_ipsec.o for bering

2002-04-24 Thread Chad Carr

On Wed, 24 Apr 2002 00:27:23 -0400
Eric B Kiser [EMAIL PROTECTED] wrote:

> damn... I have just been sitting here staring at my monitor while the
> reality of what I am trying to do has dawned on me. When Tom pointed me
> in the direction of the files ip_conntrack_ipsec.o and ip_nat_ipsec.o I
> began searching for them under the assumption that I would just load
> them like any other module. After reading your reply things suddenly
> came more into focus. If I understand this correctly, then what I am
> actually looking for is a patch that will make these options available
> for when I have to recompile the kernel. At which time, I can then
> select to either compile them as modules or to compile them directly
> into the kernel.
>
> Thanks Joey, for the offer of assistance. Any and all help would be
> graciously received. I am still a newbie here so if someone would be
> kind enough to either confirm or deny my assumptions about how to go
> about this I would appreciate it.

Your assumptions are correct.  As Tom said, the only ip_conntrack and
ip_nat (formerly ip_masq) modules available in the default kernel
sources are ftp and irc.  Any others will need to be applied to your
kernel sources as a patch (I believe Tom pointed you at the netfilter site
before), then configure your kernel to build those new options as modules
and build it.

http://www.netfilter.org/documentation/HOWTO//netfilter-extensions-HOWTO.txt

As far as I have seen, Bering does not include any non-standard netfilter
modules.  But, since Bering and Dachstein seem to be gaining some
popularity for ipsec-based systems, it never hurts to ask Jacques whether
he can patch his kernel with these.  Well, it won't hurt you anyways (eh,
Jacques!) ;-)

HTH,
Chad





Re: [Leaf-user] Compact Flash

2002-04-24 Thread Chad Carr

On Wed, 24 Apr 2002 10:17:22 -0400
Simon Bolduc [EMAIL PROTECTED] wrote:

> Don't most people log to ram?  Assuming this is the case with bering
> (which it should be as it is a floppy dist) moving over to CF shouldn't
> matter unless Paul decided to log to CF - and leave his CF mounted all
> the time (I don't think this would work - how would he ever back up a
> modification??).

Yes.  This is what I do.  Log to RAM and only back it up when you need to
do a postmortem.  I would not recommend running from CF.  The unique
thing about LEAF is that boot media is boot media, and the running system
functions the same no matter what type of bitholder you use to get the
stuff into RAM.

Thanks,
Chad Carr





Re: [Leaf-user] Bering on HD ??

2002-04-23 Thread Chad Carr

On Tue, 23 Apr 2002 17:04:14 +0200 (CEST)
[EMAIL PROTECTED] wrote:

> Quoting Przemyslaw Rudy [EMAIL PROTECTED]:
>
> I don't think bering has builtin support for ide so booting might be a
> problem. Unless /boot/lib/modules can help. But if I am not mistaken
> that won't allow you to put lrp packages on that disk since those
> modules are loaded after unpacking the lrp packages. Could be just
> mumbling here though.

This is the Makefile I use for making a Bering floppy img bootable on
compact flash (ignore the steps for serial boot messages if you don't need
them):

* Makefile inline *

#
# Makefile to build new soekris image from bering floppy image
#   *THIS WILL DESTROY WHATEVER IS ON YOUR CF CARD*
#   Instructions:  put this Makefile and a bering floppy image in a scratch
#   directory.  Get the modules you want to load before packages.  Change the
#   following vars to reflect your system:
#   BERING_IMAGE - the name of the floppy image
#   CF_DEV - the device name of your compact flash drive
#   BERING_BOOT_MOD_DIR - relative path to modules needed for package load
#   (for soekris, serial, ide-mod, ide-probe-mod, ide-disk)
#   BERING_OTHER_MOD_DIR - relative path to other modules you want to load
#   (for soekris, natsemi)
#
#   Recipe lines below must be indented with a tab, as make requires.


BERING_IMAGE=Bering_1.0-rc2_img_bering_1680_last.bin
CF_DEV=/dev/hde1
BERING_BOOT_MOD_DIR=bootmods
BERING_OTHER_MOD_DIR=othermods

.PHONY: bering

bering:
	# make mountpoint and mount floppy image
	mkdir -p mnt
	mount -t msdos $(BERING_IMAGE) mnt -o loop

	# make mountpoint, format fs and mount cf
	mkdir -p cf
	mkdosfs $(CF_DEV)
	mount -t msdos $(CF_DEV) cf

	# copy all the files from the floppy image to the cf
	cp mnt/* cf/

	# umount the filesystems
	umount mnt
	umount cf

	# run syslinux to make them bootable
	syslinux $(CF_DEV)

	# remount the cf so we can muck with it
	mount -t msdos $(CF_DEV) cf

	# get packages from hda1 and send messages to serial console
	# remove syslinux.dpy banner; it messes up serial console
	sed -e 's/fd0u1680/hda1/g' cf/syslinux.cfg > cf/syslinux.tmp
	grep -v syslinux.dpy cf/syslinux.tmp > cf/syslinux.cfg
	echo "append console=ttyS0,19200" >> cf/syslinux.cfg
	rm cf/syslinux.dpy

	# modify etc.lrp to allow serial console login from root
	mkdir -p scratch
	tar xzf cf/etc.lrp -C scratch
	sed -e 's/^\([12]:\)/#\1/g' \
	    -e 's/^#T1\(.*\)ttyS1/T0\1ttyS0/' scratch/etc/inittab \
	    > scratch/etc/inittab.tmp
	mv scratch/etc/inittab.tmp scratch/etc/inittab
	sed -e '/^tty[0-9]/d' scratch/etc/securetty > scratch/etc/securetty.tmp
	echo ttyS0 >> scratch/etc/securetty.tmp
	mv scratch/etc/securetty.tmp scratch/etc/securetty
	tar czf cf/etc.lrp -C scratch `ls scratch`

	# get boot modules into initrd.lrp
	gunzip -S .lrp cf/initrd.lrp
	mount -t minix cf/initrd mnt -o loop
	#cp $(BERING_BOOT_MOD_DIR)/serial.o mnt/boot/lib/modules
	cp $(BERING_BOOT_MOD_DIR)/ide-mod.o mnt/boot/lib/modules
	cp $(BERING_BOOT_MOD_DIR)/ide-disk.o mnt/boot/lib/modules
	cp $(BERING_BOOT_MOD_DIR)/ide-probe-mod.o mnt/boot/lib/modules
	#echo serial >> mnt/boot/etc/modules
	echo ide-mod >> mnt/boot/etc/modules
	echo ide-disk >> mnt/boot/etc/modules
	echo ide-probe-mod >> mnt/boot/etc/modules
	umount mnt
	gzip -S .lrp cf/initrd

	# unmount cf
	umount cf





Re: [Leaf-user] serial console access

2002-04-12 Thread Chad Carr

On Fri, 12 Apr 2002 08:40:01 -0500
Charles Steinkuehler [EMAIL PROTECTED] wrote:

> > > Bering doesn't have serial support compiled into the kernel.
>
> > Yes.  True.  I have used the posts at the beginning of this thread to
> > configure my serial-as-a-module kernel to boot, and I get (finally) a
> > login message, but no boot messages.
>
> > I just get the initial message which lets me know Linux is loading,
> > then nothing until the login prompt.  All I want to know is if there
> > is something I am missing to see this relevant stuff (even if it is
> > just a file to look at or a command to issue post-login)
>
> Without serial support compiled into the kernel, this is all you will
> get. To see kernel boot messages, you need to have serial support
> compiled into the kernel (ie not a module), and you also need to pass
> the kernel a console= parameter, telling it to send messages to the
> serial port.

Okay.  That's what I thought.  There is nothing I can do.  Either it is
compiled in or I don't get boot messages.  It's as simple as that.  I'm
sorry I dragged this out.

Thanks,
Chad




Re: [Leaf-user] serial console access

2002-04-11 Thread Chad Carr

On Thu, 4 Apr 2002 15:18:59 -0500
Eric B Kiser [EMAIL PROTECTED] wrote:

> _SUCCESS_
>
> The results as copied from my hyperterm window..
>
>   LEAF configuration menu
>
>   1 ) Network configuration
>   2 ) System configuration
>   3 ) Packages configuration
>   b) Back-up a package
>   c) Back-up your LEAF disk
>   h) Help
>   q) quit
>   ----------
> Selection:
>

The contents of this thread make a delightful howto, but I am wondering
when you say success what you really mean.  I can copy the same results as
you from my minicom window (i.e the boot happens and I can log in) but
there is one large thing missing: boot messages.  I see none.  Are you
seeing them?  Can you tell me how I can see them?  Aren't boot messages
important?  They probably aren't for a production box, I guess, but for
developers on headless boxes?  Maybe.  Is the boot information available
any other way in LEAF?

Of course it is successful not to have to use a custom compiled kernel on
your leaf box, because it makes it easier to stay up with the latest
version.  That is what i am going for.  But I think I need my boot
messages.  Please tell me if I am wrong or if there is something I can do
to not have to live without them.

Thanks in advance,
Chad Carr




Re: [Leaf-user] Adding to syslinux.cfg on DCD

2002-04-11 Thread Chad Carr

On Fri, 12 Apr 2002 00:04:42 -0400
Upnet Joe [EMAIL PROTECTED] wrote:

> I don't know how to do it with WinImage...
> this is what I did ( I have access to a RedHat Linux machine) so
>
> mount -t msdos bootdisk.bin -o loop /mnt/lrpmnt
> cd /mnt/lrpmnt
> vi syslinux.cfg

Have you tried mounting the iso image on loopback like so:

mount -t iso9660 dach.iso /mnt -o loop

then mounting the bootdisk image from the mounted iso image like this:

cd /mnt; mount -t msdos bootdisk.bin /some/other/mount/point -o loop

then modifying your files and umounting them in the opposite order?

Will that work?  I don't really know how iso filesystems work, but it
ought to.  I've done that _sort_ of thing before, but not with iso9660,
I'm afraid, so I don't know.

I don't really know how hard life is with a Windows machine, though.  I
have never had to do real work with them.

Chad





Re: [Leaf-user] tinydns: UID: readonly variable

2002-04-06 Thread Chad Carr

On Sat, 06 Apr 2002 16:21:23 -0800
Robert Williams [EMAIL PROTECTED] wrote:

> Hi all,
> I just added another computer to my network and decided to install
> tinydns instead of updating all of those host files. I am using DS CD
> 1.2. However tinydns doesn't seem to work. I am using it straight out
> of the box. The only changes I have made were to add entries to
> /etc/tinydns-private/root/data. I am sure I am missing something
> incredibly simple, but if you could point it out to me I would
> sincerely appreciate it.
>
> Thanks Robert
>
> firewall: /root # svi tinydns restart
> /etc/init.d/tinydns: UID: readonly variable

Are you using bash as your shell?  In ash, UID isn't a readonly variable. 
In bash, it is.  I had to use daemontls.lrp to start my dnscache on Bering
when I switched my shell to bash.  It may be the same problem you are
having.  The only other way I know to get UID to be set to something else
(which it needs to be to have any of the djb tools run as their proper
user instead of root) is to use su or something like it (envuidgid - part
of the bering daemontls.lrp package) to actually change the user before
the program is run.  The djb stuff expects the UID environment variable to
be set to the user it is supposed to run as.

Thanks,
Chad Carr




Re: [Leaf-user] bering - pump fails to obtain lease on boot

2002-04-06 Thread Chad Carr

On Sat, 6 Apr 2002 22:15:05 -0800
Brock Nanson [EMAIL PROTECTED] wrote:


> As a side note, how does one see the interface information in bering?
> I'm used to using ifconfig and netstat in eiger and feel hamstrung
> without them...

Can't help with the dynamic address stuff, but using iproute2 commands
will get you where you want to go without stringing any hams or the like.

ip addr

will get you most of what you used to see with ifconfig.

ip route

will get you a view of the routing table.

These commands are also quite powerful once you start to manipulate the
interfaces, routes, etc.  There is a good reference at
http://defiant.coinet.com/iproute2/ip-cref/

Hope that helps some,
Chad Carr




Re: [Leaf-user] Re: porting scripts from ifconfig and awk to iproute and sed

2002-03-26 Thread Chad Carr

* Charles Steinkuehler ([EMAIL PROTECTED]) wrote:
> > I am going to try to do this.  I think I am mostly done.  Any advice on
> > getting rid of the expr commands that are doing math?
>
> See the ash/bash man page.  You can do simple math with $(( )) expansion
> (add, sub, multiply, divide), although numbers are limited in range...ie:
>
> echo 2 + 2 = $(( 2 + 2 ))

Thanks.  I saw that in the man page just as I got your mail.  I have been
looking at more sh documentation.  It really doesn't pay to try to do these
things halfway, esp. with shell scripting.  Just more heartache.

The IFS/set solution you gave me works great, except for one unintended
consequence: it seems that every time I run test on a file path, it parses the
path elements into separate args.

Let me just tell you a little about some hilarious shell scripting antics,
because anyone who has done this before will laugh.  I solved the problem
above by capturing the value of IFS into a variable called oldIFS so I could
use it later, then adding my delimiter like so:

oldIFS=$IFS
IFS=$IFS/

I then proceeded to set IFS back to the old value after I got done, like so (thinking 
I had the problem licked):

IFS=oldIFS

Only to find that I still had my error.  Strangely, when I echo'ed the value of the 
path variable, it showed up like this:

 pr c/sys/net/ipv4/c nf/ipsec0/rp_fi ter

Whacky!

Of course, for any shell scripting newbies who might be reading this escapade
in the future from the archives, what I should have done is actually
dereference the variable in question, rather than set IFS to the sequence of
letters in the name of my variable!  Like this:

IFS=$oldIFS

Thanks, Charles.  I should be done in the next few days.

---
Chad Carr [EMAIL PROTECTED] 
---
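The IFS mishap described above, as an added example that is not part of the original post: the buggy `IFS=oldIFS` restore beside the correct `IFS=$oldIFS` one, plus the `test` word-splitting symptom with its quoted fix. The function names are my own; the path is the one from the post and the sample file is constructed by the script.

```shell
#!/bin/sh
# Added example (not from the original thread).  Runs under POSIX sh or bash.

# Constructed input: the rp_filter path that showed up garbled in the post.
RPF_PATH=/proc/sys/net/ipv4/conf/ipsec0/rp_filter

# Correct pattern: save IFS, split on '/', restore with $oldIFS.
# Echoes the number of path components (7 for RPF_PATH).
count_path_components() {
    p=$1
    oldIFS=$IFS
    set -f                 # no globbing while the fields are expanded unquoted
    IFS=/
    set -- ${p#/}          # drop the leading '/' so there is no empty first field
    IFS=$oldIFS
    set +f
    echo "$#"
}

# The mistake from the post: IFS=oldIFS (no '$') makes the six characters
# o, l, d, I, F and S the field separators, so an unquoted $p is split on
# every 'o' and 'l' in the path and echo prints the pieces joined by spaces.
buggy_restore_echo() {
    p=$1
    oldIFS=$IFS
    IFS=/
    set -- ${p#/}
    IFS=oldIFS             # BUG: assigns the literal string, not the saved value
    echo $p                # "/pr c/sys/net/ipv4/c nf/ipsec0/rp_fi ter"
    IFS=$oldIFS            # put it back so the rest of the script still works
}

# Same routine with the restore done right: the path comes back intact.
correct_restore_echo() {
    p=$1
    oldIFS=$IFS
    IFS=/
    set -- ${p#/}
    IFS=$oldIFS
    echo $p
}

# The other symptom from the post: with '/' added to IFS, an unquoted path
# argument to test is split into several words, so test errors out
# ("too many arguments") even though the file exists.  Returns 1 on that error.
file_test_with_slash_ifs() {
    oldIFS=$IFS
    IFS="$IFS/"
    if [ -f $1 ] 2>/dev/null; then rc=0; else rc=1; fi
    IFS=$oldIFS
    return $rc
}

# Quoting the expansion is the fix: word splitting never applies to "$1".
file_test_quoted() {
    oldIFS=$IFS
    IFS="$IFS/"
    if [ -f "$1" ]; then rc=0; else rc=1; fi
    IFS=$oldIFS
    return $rc
}

# Constructed sample file for the two test functions; removed on exit.
SAMPLE_FILE=$(mktemp)
trap 'rm -f "$SAMPLE_FILE"' EXIT

echo "components: $(count_path_components "$RPF_PATH")"
echo "buggy:      $(buggy_restore_echo "$RPF_PATH")"
echo "correct:    $(correct_restore_echo "$RPF_PATH")"
file_test_with_slash_ifs "$SAMPLE_FILE" && echo "unquoted test: ok" || echo "unquoted test: failed"
file_test_quoted "$SAMPLE_FILE" && echo "quoted test: ok" || echo "quoted test: failed"
```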




Re: [Leaf-user] Default editor in Bering

2002-03-19 Thread Chad Carr

* Stephen Lee ([EMAIL PROTECTED]) wrote:
> Hi,
>
> I would like to make vi the default editor in Bering. Under Dachstein I
> simply added export EDITOR=e3vi to /etc/profiles to get the vi mode.
> This doesn't seem to work in Bering. Is there another variable I need to
> set?

You may add the following lines (in addition to the one you described in
/etc/profile) to the top of the /bin/edit file:

. /etc/profile
EDITOR=${EDITOR:=/bin/e3}

Then delete the EDITOR=/bin/e3 line below.  You can then change the editor
whenever you want through the lrcfg menu by editing the /etc/profile file.  Or,
you can just change it in /bin/edit directly if it is a one-time proposition.

---
Chad Carr [EMAIL PROTECTED] 
---




Re: [Leaf-user] Default editor in Bering

2002-03-19 Thread Chad Carr

* Eric Wolzak ([EMAIL PROTECTED]) wrote:
> Hi Stephen, you wrote
>
> > Hi,
> >
> > I would like to make vi the default editor in Bering. Under Dachstein I
> > simply added export EDITOR=e3vi to /etc/profiles to get the vi mode.
> > This doesn't seem to work in Bering. Is there another variable I need to
> > set?
>
> The Editor is exactly the same but
> there is a default editor set in /bin/edit
> making the whole profile variable Editor not work ;)
>
> modify the file /bin/edit and comment the line
> # Set editor to use:
> EDITOR=/bin/e3
>
> out, set EDITOR in profile and it works.

I am laughing at myself.  I did not realize that /bin/edit already had sourced
/etc/profile.

---
Chad Carr [EMAIL PROTECTED] 
---




[Leaf-user] ipsec with x509 certs - no RSA public key known for peer

2002-03-18 Thread Chad Carr

I am close to getting Bering and Dachstein working together to provide an IPSec
gateway using x.509 certificates.  I am getting errors in the auth.log file (attached
inline) that say no RSA public key known for the DN of my win2k client.  What do I do
to solve this?  I have attached both the log and the instructions I used to get to
this point.

Thanks.  I am really close, I can feel it.

---
Chad Carr [EMAIL PROTECTED] 
---

==Contents of auth.log==

Feb  3 09:14:12 wlanfw Pluto[1901]: Starting Pluto (FreeS/WAN Version 1.91)
Feb  3 09:14:12 wlanfw Pluto[1901]:   including X.509 patch (Version 0.9.3)
Feb  3 09:14:12 wlanfw Pluto[1901]: Changing to directory '/etc/ipsec.d/cacerts'
Feb  3 09:14:12 wlanfw Pluto[1901]:   loaded cacert file 'RootCA.der' (1182 bytes)
Feb  3 09:14:12 wlanfw Pluto[1901]: Changing to directory '/etc/ipsec.d/crls'
Feb  3 09:14:12 wlanfw Pluto[1901]:   loaded crl file 'crl.pem' (698 bytes)
Feb  3 09:14:12 wlanfw Pluto[1901]:   loaded my X.509 cert file '/etc/x509cert.der' (1220 bytes)
Feb  3 09:14:15 wlanfw Pluto[1901]: added connection description w2k-road-warriors
Feb  3 09:14:15 wlanfw Pluto[1901]: listening for IKE messages
Feb  3 09:14:15 wlanfw Pluto[1901]: adding interface ipsec0/eth0 192.168.3.1
Feb  3 09:14:15 wlanfw Pluto[1901]: loading secrets from /etc/ipsec.secrets
Feb  3 09:15:58 wlanfw Pluto[1901]: packet from 192.168.3.10:500: ignoring Vendor ID payload
Feb  3 09:15:58 wlanfw Pluto[1901]: w2k-road-warriors #1: responding to Main Mode from unknown peer 192.168.3.10
Feb  3 09:15:59 wlanfw Pluto[1901]: w2k-road-warriors #1: Peer ID is ID_DER_ASN1_DN: 'C=US, ST=California, L=Orange, O=Win2000 Client, CN=Chad Carr, [EMAIL PROTECTED]'
Feb  3 09:15:59 wlanfw Pluto[1901]: w2k-road-warriors #1: Certificate is invalid
Feb  3 09:15:59 wlanfw Pluto[1901]: w2k-road-warriors #1: Invalid X.509 certificate
Feb  3 09:15:59 wlanfw Pluto[1901]: w2k-road-warriors #1: deleting connection w2k-road-warriors instance with peer 192.168.3.10
Feb  3 09:15:59 wlanfw Pluto[1901]: w2k-road-warriors #1: no RSA public key known for 'C=US, ST=California, L=Orange, O=Win2000 Client, CN=Chad Carr, [EMAIL PROTECTED]'
Feb  3 09:17:21 wlanfw Pluto[1901]: w2k-road-warriors #2: Peer ID is ID_DER_ASN1_DN: 'C=US, ST=California, L=Orange, O=Win2000 Client, CN=Chad Carr, [EMAIL PROTECTED]'
Feb  3 09:17:21 wlanfw Pluto[1901]: w2k-road-warriors #2: Certificate is invalid
Feb  3 09:17:21 wlanfw Pluto[1901]: w2k-road-warriors #2: Invalid X.509 certificate
Feb  3 09:17:21 wlanfw Pluto[1901]: w2k-road-warriors #2: no RSA public key known for 'C=US, ST=California, L=Orange, O=Win2000 Client, CN=Chad Carr, [EMAIL PROTECTED]'

==Instructions==

SECTION 4 - TURNING BERING INTO A CERTIFICATE AUTHORITY (BROKEN)

Using x.509 certificates - this doesn't quite work yet.  I will get this
document up to date when it works.

The outcome of this whole process:
root certificate authority certificate in /etc/ipsec.d/cacerts/RootCA.der
root CA certificate revocation list in /etc/ipsec.d/crls/crl.pem
binary gateway certificate in /etc/x509cert.der   ?
ascii private key for gateway in /etc/ipsec.secrets   ?
ascii gateway certificate in /etc/ipsec.d ?
ascii private key for gateway in /etc/ipsec.d/private ?

But we must start at the beginning, which is getting openssl onto your system.
I did this by doing apt-get install openssl on Debian Woody and then waiting
for it to install properly, but if you use Red Hat or one of the other
distributions out there, use your way instead.  I recommend going with the
package way whenever possible.  You will have to adjust the paths below to
correspond to where your distribution puts things.

If you have to install from source, so be it, but there are other better
documents for you to learn that from.  Try
http://www.bayour.com/LDAPv3-HOWTO.html#3.1.OpenSSL|outline.  If that doesn't
work, search for openssl howto on www.yahoo.com and see where life takes you.

We want our certificates to be longer than the default 1024 bits, and we want
them to last longer than the default 365 days, so we go into the
/etc/ssl/openssl.conf file and change default_bits to 2048 and default_days to
3650.  Do all of the rest of the operations in your ~/scratch directory.


1) Create a new Trusted Root CA on your compact flash

a) generate root certificate

i)  /usr/lib/ssl/misc/CA.sh -newca (choose a good passphrase)
ii) openssl x509 -in demoCA/cacert.pem -outform der -out \
/mnt/cf/etc/ipsec.d/cacerts/RootCA.der

b) generate a certificate revocation list

openssl ca -gencrl -out /mnt/cf/etc/ipsec.d/crls/crl.pem

2) Create and sign

Re: [Leaf-user] List Manager filters

2002-03-18 Thread Chad Carr

* Mike Noyes ([EMAIL PROTECTED]) wrote:
> Everyone,
> I'm filtering our leaf-user list on header Content-Type. The only two types
> that post without getting flagged for administrative action are:
> text/plain, and multipart/signed. Note: this means that posts with
> attachments will not reach our leaf-user list.

It seems fine to deny text/html since it can muddle people with normal MUAs
and no web browser installed, but what is the problem with attachments?  Isn't
it more convenient to read attachments if you feel like it than to have to wade
through a long inline attachments that _might_ have some salient text at the
end?  I don't know. I'm just asking.

---
Chad Carr [EMAIL PROTECTED] 
---




Re: [Leaf-user] Bering Cookbook

2002-03-17 Thread Chad Carr

* Jacques Nilo ([EMAIL PROTECTED]) wrote:
> Chad:
>
> A real thanks for your contribution. I think it will be really useful
> for users who have been requesting IPSEC support within Bering. May I include
> your mail content in a Bering cookbook documentation that will complement the
> user's guide and will gather
> contributions from Bering users describing specific configurations?

Of course.  I will spend the day getting them cleaned up properly and repost
them this evening.

---
Chad Carr [EMAIL PROTECTED] 
---




Re: [Leaf-user] Bering Kernel 2.4 IDE Support?

2002-03-17 Thread Chad Carr

* Jacques Nilo ([EMAIL PROTECTED]) wrote:
   Is there a Bering kernel with IDE support?
  I'm trying to set up Bering booting from HD
  and my current linux file does not support HD.
  
  Where can I get it??
 Standard Bering kernel supports IDE. You need to download 
 the 3 following modules from the module directory:
 ide-mod
 ide-disk
 ide-probe-mod
 
 and to load them in this order through the modules 
 package (there is a template for that in the modules 
 configuration file). Check the doc:
 http://leaf.sourceforge.net/devel/jnilo/leaffw04.html#AEN393

If you need to load the modules package itself from the hard drive, I found
that you have to add these lines to the /boot/etc/modules and the modules to
the /boot/lib/modules directory.  Is that not the case?

If you need to do this, you have to first uncompress and mount the initrd.lrp package

gunzip -S .lrp initrd.lrp
mount -t minix initrd /mnt -o loop

Then you can copy the files to /mnt/boot/lib/modules and make the changes to
/mnt/boot/etc/modules.  Then umount the image and recompress it.

umount /mnt
gzip -S .lrp -n initrd

Is there an easier way?  That is just how I got it to work.

---
Chad Carr [EMAIL PROTECTED] 
---




Re: [Leaf-user] Bering Kernel 2.4 IDE Support?

2002-03-17 Thread Chad Carr

* Jacques Nilo ([EMAIL PROTECTED]) wrote:
   and to load them in this order through the modules
   package (there is a template for that in the modules
   configuration file). Check the doc:
   http://leaf.sourceforge.net/devel/jnilo/leaffw04.html#AEN393
 
  If you need to load the modules package itself from the hard drive, I found
  that you have to add these lines to the /boot/etc/modules and the modules to
  the /boot/lib/modules directory.  Is that not the case?
 
 Yes it is. I think this is mentioned in the doc.

There is a README file in the /boot/etc directory.

  If you need to do this, you have to first uncompress and mount the initrd.lrp
 package
 
  gunzip -S .lrp initrd.lrp
  mount -t minix initrd /mnt -o loop
 
  Then you can copy the files to /mnt/boot/lib/modules and make the changes to
  /mnt/boot/etc/modules.  Then umount the image and recompress it.
 
  umount /mnt
  gzip -S .lrp -n initrd
 
  Is there an easier way?  That is just how I got it to work.
 
 There are basically two strategies if you want to boot Bering (or any LEAF
 variant) distro from a hard disk (be careful: you lose the security attached
 to a write-protected media):
 1/ You make a ***msdos*** partition on your hard disk, install syslinux on it
 and copy all the packages you need on the hard disk. Do not unpack anything. You
 modify syslinux.cfg to declare the new PKGPATH to hdx and you put your ide
 modules in /boot/lib/modules and save this in modules.lrp (do that on a floppy
 distro before copying initrd.lrp to the IDE disk).
 linux kernel and initrd.lrp will be loaded thanks to syslinux, the ide modules
 will be loaded then and after that the /linuxrc script will load the other
 packages from the hard disk. Bering will be run from a /tmpfs fs as with a
 floppy distro. Your IDE disk is just another boot media where your packages are
 stored.

This is definitely the preferred way, I have found.  The hardware I am using
precludes me from doing it the floppy way.  Otherwise it definitely would have
been easier to copy the modules to the floppy, boot on it, mount it once
booted, copy the modules to the /boot/lib/modules directory on the tmpfs, then
back up initrd.lrp using lrcfg.  Backing up modules.lrp doesn't back up
/boot/lib/modules, as far as I can see.

 2/ You make a linux ***ext2*** partition on your hard disk and ***unpack*** all
 the packages you need there. This is a more hackish approach where you get a
 quasi linux distro on your disk. Not really recommended and requires some
 knowledge of the program structure and some tuning too.

This is for the same type of people who wake up in the morning and beat
themselves in the head with a baseball bat.  They are probably better off with
a manually trimmed down debian image.

---
Chad Carr [EMAIL PROTECTED] 
---

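The unpack / edit / repack steps quoted and discussed in the two IDE-support replies above, scripted as an added example (it is not code from the posts or from the Bering project). It assumes 2.4-style module files named ide-mod.o, ide-disk.o and ide-probe-mod.o sitting in a local directory (hypothetical names), and the loop mount in add_ide_modules needs root and a kernel with minix support; the gzip/gunzip helpers and the idempotent modules-list edit run unprivileged. The untouched package is kept as NAME.lrp.orig so a bad edit can be backed out, and gzip -n makes the repacked bytes reproducible, so a rebuilt initrd.lrp can be compared against a known-good copy.

```shell
#!/bin/sh
# Added example, not code from the list posts: script the unpack / edit /
# repack steps for a LEAF .lrp package (a gzip-compressed minix image).
# Assumed names: IDE modules are 2.4-style files ide-mod.o, ide-disk.o,
# ide-probe-mod.o in a local directory (hypothetical); the loop mount
# needs root and a kernel with minix support.
set -eu

# Append each module name to a modules list unless it is already present,
# so re-running the script never duplicates entries. Usage: FILE MODULE...
ensure_module_lines() {
    file=$1; shift
    [ -f "$file" ] || : > "$file"
    for m in "$@"; do
        grep -qx -- "$m" "$file" || printf '%s\n' "$m" >> "$file"
    done
}

# Turn NAME.lrp into the raw image NAME, keeping NAME.lrp.orig as a
# fallback copy of the untouched package.
lrp_unpack() {
    pkg=$1
    cp -p "$pkg" "$pkg.orig"
    gunzip -S .lrp "$pkg"
}

# Recompress the raw image NAME into NAME.lrp. -n drops the embedded file
# name and timestamp, so the same contents always yield the same bytes
# (handy when comparing the package against a known-good copy).
lrp_repack() {
    gzip -S .lrp -n "$1"
}

# Whole procedure from the post, as root: unpack, loop-mount, copy the
# modules into /boot/lib/modules, list them in /boot/etc/modules, repack.
# Usage: add_ide_modules initrd.lrp /path/to/modules ide-mod ide-disk ide-probe-mod
add_ide_modules() {
    pkg=$1; moddir=$2; shift 2
    lrp_unpack "$pkg"
    img=${pkg%.lrp}
    mnt=$(mktemp -d)
    mount -t minix -o loop "$img" "$mnt"
    mkdir -p "$mnt/boot/lib/modules" "$mnt/boot/etc"
    for m in "$@"; do
        cp "$moddir/$m.o" "$mnt/boot/lib/modules/"
    done
    ensure_module_lines "$mnt/boot/etc/modules" "$@"
    umount "$mnt"
    rmdir "$mnt"
    lrp_repack "$img"
}
```

Run add_ide_modules from the directory holding initrd.lrp, then boot once from the rebuilt package with the .orig copy at hand; if the modules do not load in the order given, the .orig package puts you back where you started.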



Re: [Leaf-user] (no subject)

2002-03-12 Thread Chad Carr

On Mon, 11 Mar 2002 21:57:36 -0600
JamesSturdevant [EMAIL PROTECTED] wrote:

 I want to add an email service to this machine with a 500MB disk for 
 storage. I will be making packages for fetchmail and procmail to retrieve 
 the email from the ISP, but I need suggestions for smtp and pop3 services. 
 What programs would be best to use given the space issues of typical LEAF 
 systems?

Bering has packages for both fetchmail and qmail (a very secure and small smtp server) 
at http://leaf.sf.net/devel/jnilo.  It also seems he has included the pop3d daemon, so 
it is one-stop shopping!  (Beware: I haven't used the package myself, only seen it on 
this page.  I am just pointing you in A direction, not necessarily the CORRECT 
direction)

For qmail instructions, see Jacques Nilo's user manual, http://cr.yp.to, and 
http://www.lifewithqmail.org

-- 
---
Chad Carr [EMAIL PROTECTED]
---
