[leaf-user] Bering uClibc - Adding static routes to local Shorewall zone
Hi All,

I am configuring the Bering uClibc3.0.1 firewall for the first time and can't figure out where I should add definitions for the static routes on my internal network. If I manually add the routes and then restart shorewall then the routed subnets are added to the local zone and everything works the way I want it to but of course the routes do not persist through a reboot. I tried putting the route add commands in the shorewall init script which adds the routes OK but shorewall does not add the extra subnets to the local zone on boot up unless I manually do a shorewall restart.

Is there another configuration file that I should be putting the route definitions in so that they are established before shorewall starts? It looks like I could mess with the shorewall zone and hosts files to get around this problem but having the routes in place before shorewall starts would seem to be a better way to go.

Is there any documentation for more complex Bering configurations?

Thanks for any help.

Dave

Shorewall zones file

    fw      firewall
    net     ipv4
    loc     ipv4
    dmz     ipv4

Shorewall interfaces file

    net     eth0    detect  tcpflags,routefilter,norfc1918,nosmurfs
    loc     eth1    detect  tcpflags,detectnets,dhcp,nosmurfs
    dmz     eth2    detect

Shorewall init file

    ip route add 192.168.52.0/24 via 172.22.255.231
    ip route add 192.168.54.0/24 via 172.22.255.231
    ip route add 192.168.55.0/24 via 172.22.255.231
    ip route add 192.168.56.0/24 via 172.22.255.231
    ip route add 192.168.57.0/24 via 172.22.255.231
    ip route add 192.168.58.0/24 via 172.22.255.231

Shorewall hosts file is empty

leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/
Re: [leaf-user] Bering uClibc - Adding static routes to local Shorewall zone
Hi Corey,

Thanks for putting me on the right track with the Debian documentation. Your example won't work with the current Bering distro though as the route command is not included. Using the iproute syntax though worked for me.

    up ip route add 192.168.52.0/24 via 172.22.255.231
    down ip route del 192.168.52.0/24 via 172.22.255.231

Dave

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Corey Betka
Sent: Thursday, April 05, 2007 7:29 PM
To: leaf-user@lists.sourceforge.net
Subject: Re: [leaf-user] Bering uClibc - Adding static routes to local Shorewall zone

On Thu, 5 Apr 2007, Dillabough, Dave wrote:

> Is there any documentation for more complex Bering configurations?

Bering essentially uses Debian style network configs, so the docs from them are quite helpful:
http://www.debian.org/doc/manuals/reference/ch-gateway.en.html

For example:

    iface eth0 inet static
        address 192.168.0.111
        netmask 255.255.255.0
        gateway 192.168.0.1
        up route add -net 10.0.0.0 netmask 255.0.0.0 gw 192.168.0.2 dev $IFACE
        down route del -net 10.0.0.0 netmask 255.0.0.0 gw 192.168.0.2 dev $IFACE

--
Corey Betka
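The behaviour described in this thread (the loc zone only picks up the routed subnets if the routes already exist when Shorewall starts) can be checked before Shorewall is started. The script below is an added example, not code from the thread or from the LEAF or Shorewall projects; it compares `ip route show` text against the six subnets and the gateway from the original post. The eth1 binding of the gateway, the function names and the sample routing table are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight check to run before Shorewall
# starts, so the loc zone is never built from an incomplete routing table.

# Subnets and gateway are the ones listed in the original post.
EXPECTED_NETS="192.168.52.0/24 192.168.54.0/24 192.168.55.0/24
192.168.56.0/24 192.168.57.0/24 192.168.58.0/24"
GATEWAY="172.22.255.231"
# Assumption: the gateway is reached through eth1, the loc interface in the
# posted Shorewall interfaces file.
LOC_IFACE="eth1"

# route_present NET: reads `ip route show` text on stdin and succeeds only if
# NET is routed via $GATEWAY on $LOC_IFACE. Fields are compared as exact
# strings, so a route through another gateway or interface does not count.
route_present() {
    awk -v net="$1" -v gw="$GATEWAY" -v ifc="$LOC_IFACE" '
        $1 == net {
            via = ""; dev = ""
            for (k = 2; k < NF; k++) {
                if ($k == "via") via = $(k + 1)
                if ($k == "dev") dev = $(k + 1)
            }
            if (via == gw && dev == ifc) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# missing_routes TABLE: prints, space separated on one line, every expected
# subnet that TABLE does not route via the gateway on the loc interface.
missing_routes() {
    table=$1
    missing=""
    for net in $EXPECTED_NETS; do
        if ! printf '%s\n' "$table" | route_present "$net"; then
            missing="${missing:+$missing }$net"
        fi
    done
    printf '%s\n' "$missing"
}

# Constructed sample of `ip route show` output (not captured from a real box):
# two routes are correct, one uses the wrong interface, one uses the wrong
# gateway, and two are absent.
SAMPLE_TABLE='192.168.52.0/24 via 172.22.255.231 dev eth1
192.168.54.0/24 via 172.22.255.231 dev eth1
192.168.55.0/24 via 172.22.255.231 dev eth2
192.168.56.0/24 via 172.22.255.1 dev eth1
172.22.255.0/24 dev eth1  proto kernel  scope link  src 172.22.255.254
default via 203.0.113.1 dev eth0'

# Demo on the constructed sample.
echo "missing: $(missing_routes "$SAMPLE_TABLE")"
```

On the firewall, call `missing_routes "$(ip route show)"` ahead of Shorewall startup; any output means the loc zone would come up without those subnets.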
Re: [leaf-user] The old floppy question
Hi All,

Here is my opinion on the floppy question.

I have been using LEAF for firewalls ever since LRP 2.9.x. Over the years I have tried just about every way of booting the system: floppies, ZIP, LS120, HD, CD + floppy for config and CF. In all cases when a floppy or floppy like device (ZIP or LS120) was used I have had failures. The HD based systems have had much better reliability. I have just started using CF based systems so I don't have any history on reliability yet but I expect that this will be more reliable.

If you want reliability then floppies are not the way to go. Use a modern air bearing HD or use CF. Floppies are also fading away. I have not bought a machine for work in the last 3 years that has a floppy installed.

Why do I use LEAF at all?

You can buy a decent ready to go out of the box firewall that supports wireless, VPNs, web based config and runs an embedded Linux distro from Linksys for less than $50 now so what advantage does LEAF offer? I still use LEAF for firewalls because of the more complex things that I can do with it. Most of my configs will not even fit onto a floppy.

LEAF and the future.

I certainly have no objection to small or floppy based systems for those that want to use them unless doing so holds back the development of LEAF. It seems to me (from a non-developer's point of view) that a lot of effort is being expended trying to shoehorn the current system into a bootable system smaller than 1.6 MB. Splitting the distro into 2 streams has been mentioned. This could be a good solution if the resources are available to do it. Personally I would rather spend a little money on adding CF or USB boot capacity to a system.

LEAF is a great distro. The recent changes to Bering uClibc, especially the new backup procedures, are a huge step forward. I would hate to see LEAF fall behind due to a decision to support obsolete hardware.

So that's my opinion. Not a complaint, just another data point. I really appreciate all of the work that the LEAF team has put in.

Dave
Re: [leaf-user] The old floppy question
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kwon
Sent: Friday, July 20, 2007 2:10 AM
To: leaf-user@lists.sourceforge.net
Subject: Re: [leaf-user] The old floppy question

> My current LEAF box would not fit into a floppy - it is 3.1MB.

Just want to be clear, my current Leaf box won't fit into a floppy either. What I do is:

1. Download the leaf.iso image and burn to a CD
2. Create leaf.cfg into a floppy and boot from the CD
3. Save configuration (configdb.lrp) and backup modules (moddb.lrp) to floppy

This way I don't have to recreate my own CD.

One other reason why we experience many floppy failures is the fact that we are using /dev/fd0u1680 and not the standard /dev/fd0u1440. Can anyone who has more experience comment on this? Nowadays, my floppy only has three files; I can go back to the 1.44mb floppy format, with which I have not experienced any problem.

I use(d) the CD boot, 1.44 meg floppy save combo in several installations. Some LEAF boxes are in climate controlled machine rooms, some are on a table in a back room. The main failure I see is that the PC is unable to read the floppy on a reboot. Usually this is due to dust in the floppy drive. In most cases the floppy disk will read in another drive. Sometimes blowing the dust out of the old drive will make it work. This is a minor inconvenience if the PC is in the next room. It does mean that there is more down time than the users like. However if the PC is in a branch office in a small town far away with a minimum 2 day courier delivery and poor or no local PC repair support it can be a major problem.

The floppy vs. non floppy question for me gets down to time. Yes, it is nice to reuse an old box that in our disposable society would otherwise end up as landfill and yes it is nice that that box is "free" but this for me must be balanced against the time you have to spend phaffing around getting the system running and also keeping it running. My time is worth money and it is the one resource that I can't stretch any further. Older systems take more time to maintain, fans die, floppies die etc. Those PCs are designed for a disposable society.

I am currently working on the next generation of branch office routers for our organization. The platform is a VIA EPIA motherboard with CF boot in a 1U case with no fans and an external power supply. It is not a cheap way to go and it takes time to set up but it does give me the flexibility to do things that an off the shelf router won't and I'm hoping that it will be very reliable.

For a simple firewall/VPN solution for home users we use a Linksys firewall router. $50 and a 5 minute config and you are out the door and very few problems. If I did not need other capabilities in the branch offices I would use the same routers there.

At work for me LEAF fits into a mid range niche both for expense and for time spent. It allows me to do things that a cheap off the shelf box does not as long as I put in some extra time and buy reliable hardware for it to run on. To get the same reliability as an appliance it needs to be built on a reliable platform. This gives me what I want: a configurable appliance that I can install and forget about. If LEAF packages are not available to do what I want and would be a hassle to adapt then I move up to a Linux server. For a LEAF system to make sense for me it has to be less work than maintaining a server would in terms of time spent on maintenance and in reliability.

At home I use LEAF on an old PC with CD boot and a 1.44 floppy to save my config. A different balance here. I have accepted the less reliable system but it was cheap and I was usually available to fix any issues. I will be moving to a CF boot system here as well though, using a CF card that is too small for a camera and a $25 CF to IDE adapter.

Dave
Re: [leaf-user] The old floppy question
Some of the CF to IDE adapters have a write protect jumper that is easy to run out to a switch.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony
Sent: Friday, July 20, 2007 2:54 AM
Cc: leaf-user@lists.sourceforge.net
Subject: Re: [leaf-user] The old floppy question

This is actually my setup as well. I've been using the CD since it first came out way back when with Charles' distro (I think it was 1.02).

I think the ability to lock the floppy with the sliding tab is invaluable. Test, make and save the changes, lock the tab and you can leave it right in the drive. Power Failure? No problem, no action needed and forget worrying about someone injecting a rootkit or what have you into the system, no way to save it without physical access.

Other than SD cards, do any of the CF/USB sticks offer a write protect switch? If so, I haven't seen one.

Tony
Re: [leaf-user] Packages 3.x link broken
Works for me in Firefox now.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of KP Kirchdoerfer
Sent: Monday, July 23, 2007 1:55 PM
To: leaf-user@lists.sourceforge.net
Subject: Re: [leaf-user] Packages 3.x link broken

On Monday 23 July 2007 21:14:54 Christian Villa Real Lopes wrote:
> I have the same problem and tried to inform about it. It only happens if
> you are using a browser other than InternetExplorer (IE) - I'm using
> Firefox.

I hope that's fixed now.

kp
Re: [leaf-user] PCI Utilities Package (including lspci) for Bering-uClibc 3.x
When I run into a similar situation (trying to get new hardware/drivers working) I usually boot up a LiveCD version of Linux and see what it takes to make the hardware work. Once I know which drivers are needed and have verified that the hardware works etc. I can switch to Bering, check that the drivers exist and load the appropriate modules with a lot less futzing around.

-----Original Message-----
From: davidMbrooke [mailto:dmb.leaf-u...@ntlworld.com]
Sent: Wednesday, July 29, 2009 12:52 PM
To: leaf-user
Subject: [leaf-user] PCI Utilities Package (including lspci) for Bering-uClibc 3.x

Recently I have been trying to get an 802.11g PCI card working with Bering-uClibc and I found it difficult to work out whether I had the wrong drivers or whether the card was simply not recognized by my hardware. (It turned out to be the latter.)

On any other Linux distribution I would have used the "lspci" command but I could not find a version of this for Bering-uClibc. I therefore created a package myself from the sources at http://mj.ucw.cz/pciutils.html

The package is pciutils.lrp and it is available in my LEAF "devel" directory on SourceForge:
http://leaf.cvs.sourceforge.net/viewvc/leaf/devel/davidmbrooke/bin/packages/uclib-0.9/28/pciutils.lrp

Package pciutils.lrp includes the command "lspci" as well as "setpci". It is large (approx 213KB) and relies on libz.lrp (23KB) but it might be useful for debugging PCI problems. Most of the size is due to the data file (pci.ids.gz) so if you know which hardware you are expecting to find you could perhaps install a cut-down pci.ids.gz file.

I compiled the code against Bering-uClibc 3.1.10beta3 but I think it should work on any Bering-uClibc 3.x release. I have done some testing with "lspci" and it seems to work OK for me. I have *not* tested "setpci" at all.

For reference, I found lspci.lrp for older LEAF (non-uClibc) installations here: http://fritzfam.com/brad/leaftmp/ (mentioned in a 2002 posting to this mailing list).

davidMbrooke
Re: [leaf-user] Project Admin
I'm wondering how much of an issue it is to have a system that will fit on a floppy. I would think that being able to boot off of a USB drive or a CD/USB combo would be more pertinent today given as few machines even come with a floppy as standard equipment anymore. USB booting would eliminate the futzing around with non standard disk sizes and would be a lot more reliable as well.

I have been running some variant of LRP/LEAF since the 2.x days both at home and for various work related uses and the most common failure is mechanical i.e. drives or fans. I switched to booting off of CF cards and fanless power supplies a couple of years ago and am much closer to my goal of having a solid state appliance that I can install and ignore. Even buying the smallest CF cards available I still need only a small fraction of the card to boot LEAF.

The world has moved on from the floppy drive and I think trying to keep future versions of LEAF small enough to boot from a floppy is largely an artificial constraint now. If for some reason the use of a floppy is required then older versions of LEAF are still available.

-----Original Message-----
From: Erich Titl [mailto:erich.t...@think.ch]
Sent: Wednesday, August 05, 2009 6:41 AM
To: Robert K Coffman Jr. -Info From Data Corp.
Cc: leaf-user@lists.sourceforge.net
Subject: Re: [leaf-user] Project Admin

Hi

Robert K Coffman Jr. -Info From Data Corp. wrote:
>> Erich Titl (etitl) promoted to project admin, and Jeff Newmiller
>
> For those of us on the user list only, any comment on a 2.6 branch? :)

M 2.6 is a bit fatter than 2.4, it has more recent drivers and most of the development is there. I am not particularly hampered by the bigger footprint of 2.6 but it might go against one of the early goals, the floppy size. Also, I believe, maintaining two branches is quite a task for the core developers team, which is only worth the trouble if the need really exists.

> Congratulations Erich.

Thanks, have not found out what the real difference is.

cheers
erich
Re: [leaf-user] Project Admin
Hi Erich,

How much of an issue is having write protection? I can understand that it is better in theory but I can't think of a commercial firewall product (Cisco PIX, Linksys, DLink etc) that does not use flash and that has any sort of write protection.

If having boot from R/O media is an issue you could boot from CD and save to a floppy. You could also write protect CF media with a hardware hack to the cable.

With USB/CF systems I always keep a backup of the boot media. It's not as simple as a power cycle but I can always get back to a known state if I need to although this has yet to be an issue for me.

So from my perspective this would seem to be a non issue for most users and that for those few where it is an issue there are ways around it with some extra work.

Obviously I don't have your perspective on the issue and I may be in the minority here and while I don't need 2.6 features yet it does seem to me that there must be quite a lot of development work that goes into squeezing a working system onto a floppy. It would be a shame if this is being done to no purpose.

Does anyone on the list boot a system from floppy disk or save config files to floppy disk?

I will take a look at the 2.6 CVS.

Dave

-----Original Message-----
From: Erich Titl [mailto:erich.t...@think.ch]
Sent: Wednesday, August 05, 2009 2:40 PM
To: Dillabough, Dave
Cc: leaf-user@lists.sourceforge.net
Subject: Re: [leaf-user] Project Admin

Dave

Dillabough, Dave wrote:
> I'm wondering how much of an issue it is to have a system that will fit on a
> floppy. I would think that being able to boot off of a USB drive or a CD/USB
> combo would be more pertinent today given as few machines even come with a
> floppy as standard equipment anymore. USB booting would eliminate the
> futzing around with non standard disk sizes and would be a lot more reliable
> as well. I have been running some variant of LRP/LEAF since the 2.x days
> both at home and for various work related uses and the most common failure is
> mechanical i.e. drives or fans. I switched to booting off of CF cards and
> fanless power supplies a couple of years ago and am much closer to my goal of
> having a solid state appliance that I can install and ignore. Even buying
> the smallest CF cards available I still need only a small fraction of the
> card to boot LEAF. The world has moved on from the floppy drive and I think
> trying to keep future versions of LEAF small enough to boot from a floppy is
> largely an artificial constraint now. If for some reason the use of a floppy
> is required then older versions of LEAF are still available.

do not misinterpret me, I wrote an early HOWTO about using secure flash disks for leaf :-( and yes, I agree, I live easily with the flash memory world.

There are 2 main things that are different from a floppy

- size
- write protection

In my eyes, the write protection is the more important factor. There have been multiple attempts to solve this, amongst it unloading the device driver.

There has been an experimental 2.6 release on CVS which was hardly used by anyone, hey, this is an open source project, get your hands dirty.

cheers
Erich
Re: [leaf-user] Project Admin
Ken,

Is the fact that you can write protect the floppy a consideration (and do you do this) or is it just the convenience of having one around?

Dave

From: Ken Gentle [mailto:jkennethgen...@gmail.com]
Sent: Friday, August 07, 2009 8:51 AM
To: Dillabough, Dave
Cc: Erich Titl; leaf-user@lists.sourceforge.net
Subject: Re: [leaf-user] Project Admin

I still use floppies for config files. It is the easiest configuration for a software geek to mangle together - take a floppy off an old system, plug in the IDE cable and you're in business. My earliest LEAF systems (Dachstein and uClibc Bering) ran completely off of the floppy (on a 486DX w 16Mb of RAM).

I'm interested in the CF media or moving off old PC platforms to something like the Alix platform. But that is a lot of hardware/low level software learning curve.

Having said all that, I do boot my current systems from CD and just save configuration to floppy. I believe that would work nicely with a 2.6 kernel.

Ken

On Wed, Aug 5, 2009 at 18:39, Dillabough, Dave <dave.dillabo...@bcgeu.ca> wrote:

Hi Erich,

How much of an issue is having write protection? I can understand that it is better in theory but I can't think of a commercial firewall product (Cisco PIX, Linksys, DLink etc) that does not use flash and that has any sort of write protection.

If having boot from R/O media is an issue you could boot from CD and save to a floppy. You could also write protect CF media with a hardware hack to the cable.

With USB/CF systems I always keep a backup of the boot media. It's not as simple as a power cycle but I can always get back to a known state if I need to although this has yet to be an issue for me.

So from my perspective this would seem to be a non issue for most users and that for those few where it is an issue there are ways around it with some extra work.

Obviously I don't have your perspective on the issue and I may be in the minority here and while I don't need 2.6 features yet it does seem to me that there must be quite a lot of development work that goes into squeezing a working system onto a floppy. It would be a shame if this is being done to no purpose.

Does anyone on the list boot a system from floppy disk or save config files to floppy disk?

I will take a look at the 2.6 CVS.

Dave

-----Original Message-----
From: Erich Titl [mailto:erich.t...@think.ch]
Sent: Wednesday, August 05, 2009 2:40 PM
To: Dillabough, Dave
Cc: leaf-user@lists.sourceforge.net
Subject: Re: [leaf-user] Project Admin

Dave

Dillabough, Dave wrote:
> I'm wondering how much of an issue it is to have a system that will fit on a
> floppy. I would think that being able to boot off of a USB drive or a CD/USB
> combo would be more pertinent today given as few machines even come with a
> floppy as standard equipment anymore. USB booting would eliminate the
> futzing around with non standard disk sizes and would be a lot more reliable
> as well. I have been running some variant of LRP/LEAF since the 2.x days
> both at home and for various work related uses and the most common failure is
> mechanical i.e. drives or fans. I switched to booting off of CF cards and
> fanless power supplies a couple of years ago and am much closer to my goal of
> having a solid state appliance that I can install and ignore. Even buying
> the smallest CF cards available I still need only a small fraction of the
> card to boot LEAF. The world has moved on from the floppy drive and I think
> trying to keep future versions of LEAF small enough to boot from a floppy is
> largely an artificial constraint now. If for some reason the use of a floppy
> is required then older versions of LEAF are still available.

do not misinterpret me, I wrote an early HOWTO about using secure flash disks for leaf :-( and yes, I agree, I live easily with the flash memory world.

There are 2 main things that are different from a floppy

- size
- write protection

In my eyes, the write protection is the more important factor. There have been multiple attempts to solve this, amongst it unloading the device driver.

There has been an experimental 2.6 release on CVS which was hardly used by anyone, hey, this is an open source project, get your hands dirty.

cheers
Erich
Re: [leaf-user] Kernel crash with vlan on Bering 3.1 Kernel 2.4.34
Hi Erich,

It is working for me with 2.4.34 in one office and on my test LAN. I will be rolling it out in 12 other offices in the next month or so. Here is my configuration.

From /etc/interfaces

    # Step 2: configure internal interface
    auto eth1
    iface eth1 inet static
        address 192.168.101.254
        netmask 255.255.255.0
        broadcast 192.168.101.255
        vlan_raw_device eth1

    # Add VLANS
    auto eth1.5
    iface eth1.5 inet static
        address 192.168.201.254
        netmask 255.255.255.0
        broadcast 192.168.201.255
        vlan_raw_device eth1
        up echo 1 > /proc/sys/net/ipv4/conf/eth1.5/arp_filter
        up echo 2 > /proc/sys/net/ipv4/conf/eth1.5/arp_ignore
        up echo 1 > /proc/sys/net/ipv4/conf/eth1.5/rp_filter

ip addr shows

    4: eth1: mtu 1500 qdisc pfifo_fast qlen 1000
        link/ether 00:40:63:ef:c4:b1 brd ff:ff:ff:ff:ff:ff
        inet 192.168.101.254/24 brd 192.168.101.255 scope global eth1
    6: eth1.5: mtu 1500 qdisc noqueue
        link/ether 00:40:63:ef:c4:b1 brd ff:ff:ff:ff:ff:ff
        inet 192.168.201.254/24 brd 192.168.201.255 scope global eth1.5

The tagged VLAN is being used for public Internet access in a few meeting rooms and with a WiFi access point. I am using HP 2600 series switches to tie it all together.

The LEAF hardware is a VIA Mini-ITX EK1G which uses the via-rhine driver. I also have a couple of Intel boards in the system which use the eepro100 driver but I am only using VLANs on the via-rhine interface. The system has been in place for about 2 months without issues with light loading.

Let me know if you need any other details.

Dave

-----Original Message-----
From: Erich Titl [mailto:erich.t...@think.ch]
Sent: Wednesday, August 12, 2009 5:10 AM
To: leaf-user@lists.sourceforge.net
Subject: [leaf-user] Kernel crash with vlan on Bering 3.1 Kernel 2.4.34

Hi folks

has anyone successfully used vlan tagging on the above mentioned release.

I have the following set up on a WRAP with natsemi interfaces

    #
    # eth2 / Fixed IP
    #
    auto eth2
    iface eth2 inet static
        address 10.250.21.1
        netmask 255.255.255.0
    # end of generated interface file
    auto eth2.34
    iface eth2.34 inet static
        address 192.168.223.1
        netmask 255.255.255.0

So eth2 is untagged while eth2.34 is a tagged interface

it shows up like

    5: eth2: mtu 1500 qdisc pfifo_fast qlen 1000
        link/ether 00:0d:b9:00:80:42 brd ff:ff:ff:ff:ff:ff
        inet 10.250.21.1/24 scope global eth2
    6: ipsec0: mtu 0 qdisc noop qlen 10
        link/void
    7: ipsec1: mtu 0 qdisc noop qlen 10
        link/void
    8: ipsec2: mtu 0 qdisc noop qlen 10
        link/void
    9: ipsec3: mtu 0 qdisc noop qlen 10
        link/void
    10: eth2.34: mtu 1500 qdisc noqueue
        link/ether 00:0d:b9:00:80:42 brd ff:ff:ff:ff:ff:ff
        inet 192.168.223.1/24 scope global eth2.34

so basically it looks like the vlan tagging is enabled and working, but as soon as I try to use the eth2.34 interface, for example to ping a station on that vlan like 192.168.223.11 the kernel panics with a NULL pointer dereference.

    STYX# ping 192.168.223.11
    PING 192.168.223.11 (192.168.223.11): 56 data bytes
    Unable to handle kernel NULL pointer dereference at virtual address 003c
    *pgd =0 *pmd =0
    Oops:
    CPU:0
    EIP:0010:[]Not tainted
    EFLAGS: 00010206
    eax: ebx: 0022 ecx: c391af00 edx: c48c5af4
    esi: edi: 0081 ebp: 0040 esp: c0229f0c
    ds: 0018 es: 0018 ss: 0018
    Process swapper (pid: 0, stackpage=c0229000)
    Stack: c37bd81e c48c41b2 0022 c391af00 0081 0040 c01920c3 c391af00 c48c5af4 c345e000 c0226b28 c019215b c391af00 00036ca3 c0226bf0 c0226b28 00036ca3 0046 c0192242 c0226b28
    Call Trace:[] [] [] [] [] [] [] [] [] [] [] [] [] [] []
    Code: ff 70 3c e8 65 ff ff ff 89 c2 31 c0 85 d2 59 74 07 0f b7 c3
    <0>Kernel panic: Aiee, killing interrupt handler!
    In interrupt handler - not syncing

Thanks for pointers

Erich
Re: [leaf-user] Kernel crash with vlan on Bering 3.1 Kernel 2.4.34
I'm not using the vlan package only the 8021q module with a static config so that makes sense.

-----Original Message-----
From: Erich Titl [mailto:erich.t...@think.ch]
Sent: Wednesday, August 12, 2009 11:40 PM
To: Dillabough, Dave
Cc: leaf-user@lists.sourceforge.net
Subject: Re: [leaf-user] Kernel crash with vlan on Bering 3.1 Kernel 2.4.34

Hi Dave

Dillabough, Dave wrote:
> Hi Erich,
>
> It is working for me with 2.4.34 in one office and on my test LAN. I will be
> rolling it out in 12 other offices in the next month or so. Here is my
> configuration.
>
> From /etc/interfaces
>

Thanks for the info, after a few hours debugging the vlan driver I figured something out, it appears that the 8021q module conflicts with the vlan module, don't ask me why

Anyway after loading only 8021q the problem appears to be gone.

cheers
Erich
Re: [leaf-user] Adding wireless (WiFi) to Bering 3.1 uClibc box
There is no real need for another NIC in your router unless you want to subnet the WiFi. Just plug the WiFi AP into your existing LAN.

-----Original Message-----
From: Andrew Haninger [mailto:ahan...@mindspring.com]
Sent: Monday, April 26, 2010 8:41 PM
To: Brent Gardner
Cc: leaf-user@lists.sourceforge.net
Subject: Re: [leaf-user] Adding wireless (WiFi) to Bering 3.1 uClibc box

So it seems like I'm on the right track in general, which is mostly what I wanted to know. It doesn't sound like PCI wireless NICs are all that stable on Windows, let alone Linux 2.4, so it would be a crapshoot as to whether or not I'd end up with a useful card. Every so often, I entertain the idea of using a USB NIC, but then remember that I don't want the added hassle of a USB NIC.

On Mon, Apr 26, 2010 at 8:18 PM, Brent Gardner wrote:
> Another option would be to buy another wired NIC and a wireless AP
> supporting the wireless technology of your choice.
>
> Bridge the new wired NIC to your 'internal' NIC, connect the new NIC to
> a LAN (not WAN) port on the wireless AP, and you should be good to go.

This may be the most feasible and long-term option. More feasible since wired NIC drivers are pretty stable on Linux. Long term since PCI is heading the way of the floppy and I'd probably be able to reuse an external AP should I ever replace my LEAF system.

I'm also trying to avoid cards that require ndiswrapper which counts out about 80% of cards available on Newegg. Luckily, I've got plenty of spare wired NICs.

Thanks.

Andy
[leaf-user] Kernel module via-velocity.ko for 4.2beta1
Hi All,

I'm trying to do some testing on the 4.2beta1 release but am missing a kernel module needed for 1 of my network interfaces. Any idea where I would find the via-velocity.ko module for this release? I've tried unpacking the modules.tgz file but it is not in there.

Thanks for any pointers.

Dave
Re: [leaf-user] Backup Issue
I also see this when backing up 4.2.0 to a CF card on an IDE interface. In my case when I check the backup has actually completed. Hardware is VIA EPIA Sn and EK boards forced to PIO4 for the CF cards.

From: Robert K Coffman Jr. -Info From Data Corp. [bcoff...@infofromdata.com]
Sent: Tuesday, April 17, 2012 9:49 AM
To: leaf-user@lists.sourceforge.net
Subject: [leaf-user] Backup Issue

I'm having the following issue when trying to run configdb backup. Moddb backup works.

    Copying configdb.lrp Please wait: \Terminated

If I run from /bin/sh:

    with_storage /var/lib/lrpkg/mnt lrcfg.backup configdb

Same issue. I can mount the backup partition, write to it, etc. It is an IDE hard disk (vfat, /dev/sda1).

Any ideas as to what could cause this?

- Bob Coffman
[leaf-user] Booting from USB
Hi fellow LEAFers.

I am trying to run up a new router prototype using the current 4.2.1rc1 software as a first step in replacing my aging fleet of routers. My existing routers are used in branch offices in remote locations where IT help is usually not available so failures are dealt with by swapping in a new box using whatever local talent is available so the process must be very simple and non technical. The existing routers all use a CF card to boot from which makes swapping a router quite easy as the configuration moves with the CF card. I do not have monitors and keyboards on these systems. They are just black boxes that hang on the wall.

As most new motherboards do not have an IDE interface I am thinking of switching to use a USB flash drive to boot instead. I have run into a boot issue though and am not sure of the best way forward so I am looking for some advice.

The issue is that the routers also have 2 mirrored SATA hard drives in them. The hard drives and the USB drive are all recognized as SCSI (sdx) devices but not in a consistent way. For example the first hard drive as sda, the USB drive as sdb and the second hard drive as sdc. I could live with this and edit syslinux.cfg and leaf.cfg to point to sdb except that if a hard drive fails this order changes and I cannot reboot the router again without re-editing these files.

Is there a way around this? If I could get the USB drive to consistently show up as sda that would be fine. Is there a way to use some sort of alias or dynamic assignment? This was not an issue with the CF cards as they used the hdx interface which was static.

Thanks for any thoughts or ideas,

Dave
Re: [leaf-user] BuC 4.3 network woes
I ran into this issue when I switched to a LEAF version with a 2.6 based kernel and the only way that I found around it was to use a script to assign the interfaces in the way that I wanted them to be. I had tried varying load order of modules etc but never got it as solid as I wanted. If I remember the default assignment changed with releases as well.

This is even an issue on a 2 interface router if you want the ports assigned in a certain way. For example only 1 port is gigabit and you want it on the LAN. Worst of all on a multiple interface router if an interface fails the other interfaces are reordered on bootup.

I'm pretty sure I reassigned based on MAC address which works OK if all of your addresses are static. I'm travelling right now and can't check.

- Dave Dillabough

On 2012-10-02, at 10:01 PM, "Erich Titl" wrote:

> Hi Martin
>
> at 02.10.2012 14:14, Martin Hejl wrote:
>> Hi Erich,
>>
>>> I felt pretty sure, as I checked the set up more than once. But yes, you
>>> are right, pulling down the interface shows that indeed the ethernet
>>> numbering had nothing to do with the way I am used to.
>> Indeed - it was quite a surprise to me at the time too, since one
>> expects all kinds of issues when trying a new piece of hardware, but not
>> that the network ports are arranged as "eth1 eth3 eth2 eth0" on one
>> model (NSA 1040), and "eth2 eth3 eth0 eth1" on the other (NSA 1045)...
>>
>>> I do not trust in trial and error and feel like there must be a way to
>>> forcibly enumerate the interfaces. How did you solve the issue, as this
>>> is quite a showstopper.
>> We never really solved it - since the assignment to the network ports
>> didn't change with different versions of Linux (various versions of
>> Leaf, but we also tried RHEL once), we simply labeled the ports with
>> little stickers. It didn't look terribly professional, but it worked.
>
> I can imagine that it does, but what are the effects on, let's say, snmp
> statistics on the interfaces and the fact that I want to use the 1G
> interfaces on specific connections without rewiring the cabinet :-(
>
> This was, according to internet search, introduced in kernel 2.6 and
> Dell, running into the same wall has published something to address it,
> although only for _real_ distros. I am convinced that we need to address
> this issue, as IMHO this is even more important in a firewall scenario.
>
> http://linux.dell.com/files/whitepapers/consistent_network_device_naming_in_linux.pdf
>
> cheers
>
> Erich
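The MAC-based reassignment Dave describes, sketched as an added example that is not from the thread or the LEAF project: because Shorewall binds zones to interface names, a NIC that comes up under another port's name would pick up that port's policy. The map-file format, its path, the `pin`/`spare` temporary names and the MAC addresses used to exercise it are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the thread): pin interface names to MAC addresses.
#
# plan_renames SYSFS_NET MAPFILE
#   SYSFS_NET  directory laid out like /sys/class/net: one sub-directory per
#              interface, each holding an "address" file with the MAC
#   MAPFILE    hypothetical map file, lines of "<mac> <name>", '#' comments
#
# Prints ip(8) commands instead of running them, so the plan can be reviewed
# first. Apply it before networking and Shorewall start, for example:
#   plan_renames /sys/class/net /etc/ifnames.map | sh

plan_renames() {
    sysfs=$1
    map=$2
    n=0
    final=""
    for dir in "$sysfs"/*; do
        [ -r "$dir/address" ] || continue
        cur=${dir##*/}
        mac=$(tr 'A-F' 'a-f' < "$dir/address")
        # Name the map assigns to this MAC (empty if the MAC is not listed).
        want=$(awk -v m="$mac" \
            '$1 !~ /^#/ && tolower($1) == m { print $2; exit }' "$map")
        if [ -n "$want" ]; then
            [ "$want" = "$cur" ] && continue
            # Phase 1: park on a temporary name so swaps (eth0 <-> eth1)
            # never collide with a name that is still in use.
            tmp="pin$n"
            final="${final}ip link set dev $tmp name $want
"
        elif awk -v c="$cur" \
            '$1 !~ /^#/ && $2 == c { hit = 1 } END { exit !hit }' "$map"; then
            # Unlisted NIC sitting on a reserved name (for instance after the
            # kernel renumbered because a card failed): move it out of the
            # way so it cannot inherit another zone's firewall policy.
            tmp="spare$n"
        else
            continue
        fi
        n=$((n + 1))
        # Older kernels refuse to rename a link that is up.
        echo "ip link set dev $cur down"
        echo "ip link set dev $cur name $tmp"
    done
    # Phase 2: every target name is free now.
    printf '%s' "$final"
}
```

Interfaces are left down after renaming, so the normal interface configuration still has to bring them up.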
Re: [leaf-user] shorewall challenge
Have you tried looking in the Shorewall log to see what packets are being rejected?

-----Original Message-----
From: Boris [mailto:bo...@cation.de]
Sent: Monday, July 29, 2013 9:17 AM
To: leaf-user@lists.sourceforge.net
Subject: [leaf-user] shorewall challenge

Hej all,

I'm looking for help in a shorewall rule thing: There's a local software on 192.168.20.1 communicating on some ports with several hosts in the net, so the rules sound like

    ACCEPT loc:192.168.20.1 net:host1.theirdom.de 80,443
    ACCEPT loc:192.168.20.1 net:host2.theirdom.de 80,999

host1 is resolved to a different IP than host2. Because the communication still doesn't work, I was asking (at least three times) for the complete set of communications that have to be accepted and got new rules every time. Now, that it's beginning to hurt, they tell me I should accept traffic to all hosts *.theirdom.de. In fact, theirdom.de cannot be resolved.

So, what to do? Is it possible to work with a wildcard? The longer I think about it, it seems to be nonsense !!??

Regards,
Boris
Re: [leaf-user] 5.01 booting on WRAP SOLVED
I have also found this to be the case with 4.0 and later versions and switched to booting from USB as a long term solution. Finding compatible CF cards was very hit and miss. Even buying the same brand and model did not always guarantee compatibility. I tried various boot options and PIO modes but would still get occasional timeouts and errors.

- Dave Dillabough

On 2013-10-09, at 6:44 AM, "Erich Titl" wrote:

> Hi KP
>
> on 08.10.2013 19:57, KP Kirchdörfer wrote:
> ...
>>
>> I assume your findings may belong to 4.x as well - a bigger CF may always show
>> the pb's you've seen.
>
> It is not necessarily the size, but the speed that goes along. Typically
> bigger/newer CF's have higher throughput. For cheap implementations of
> the IO channels this may lead to problems.
>
> The new libata stack is more flexible than the old driver implementation
> and appears to be more vulnerable to such a situation. Luckily the
> developers have provided options to handle this.
>
> Yes, 4.x is affected too.
>
> ...
>>
>> What about improving this section, and/or add it to the 5.x User Guide? I'm
>> sure it will help other users.
>
> I can definitely give input, my Wiki experience is nonexistent though.
>
> cheers
>
> Erich
[leaf-user] GPT Disks
Hi All,

I want to use LEAF for a NAS box and the drives that I have are 3TB. I don't see parted or any other GPT utilities and am wondering if GPT formatted disks are supported by LEAF 5. I can always format the drives in another linux system and move them to the LEAF box but it would be nice to be able to do this natively.

Thanks,

Dave
Re: [leaf-user] How do you archive shorewall logs
A typical solution to extend flash life is to buffer to a RAM disk and write periodically to your flash storage. You should also flush to flash on shutdown. If you are that concerned with the integrity of the log data your system should also be on a UPS.

Dave Dillabough

> On Jan 20, 2016, at 12:34 PM, Sven Kirmess wrote:
>
>> On Wed, Jan 20, 2016 at 6:51 PM, Erich Titl wrote:
>>
>>
>> I see, you want reliable central logging not archiving logs.
>
> I'm looking for a solution to preserve the log files when my firewall
> reboots. I'm planning to use my APU2B4, with only a USB stick for storage.
> I can now either add storage to that system that survives being written to
> 24/7 or store the log files on a different system.
>
>
>> So you have a number of options
>
> That's why I'm asking the list. No point in reinventing the wheel if
> someone already found a perfect solution. But that's probably not the case.
> :-)
Re: [leaf-user] prevent Iot from the net
I would add logging so that you would know if anything was amiss. To test you could temporarily install a PC at the blocked address and see what happens. For more complete control as IoT devices proliferate I would add a separate zone and set up a VLAN for home automation etc.

-----Original Message-----
From: Victor McAllister [mailto:victo...@sonic.net]
Sent: Thursday, November 03, 2016 11:53 AM
To: Bering List
Subject: [leaf-user] prevent Iot from the net

I have a couple devices, such as a DVR, on the local net (loc) that I do not want to have access to the Internet. Remember the recent DDOS attacks that originated with Iot devices! I added this to shorewall rules.

    DROP loc:192.168.1.x,192.168.1.y net all

They get their time from the local time server so they have no reason to access the net. I have not tested this, but at least shorewall compiles and runs. Any comments?

Victor
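A way to act on the logging advice above, as an added example that is not from the thread: it assumes the DROP rule was given a log level (for instance `DROP:info` in the ACTION column) and that Shorewall's default `Shorewall:chain:disposition:` log prefix is in use. The device addresses, host name and log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): summarise what blocked devices tried
# to reach, from Shorewall's kernel log lines.
#
# summarize_drops LOGFILE IP...
#   LOGFILE  kernel/syslog file to read ("-" for stdin)
#   IP...    source addresses of the devices being watched
# Output: "<count> <src> <dst> <proto>/<dport>", busiest flow first.

summarize_drops() {
    log=$1
    shift
    awk -v watch="$*" '
        BEGIN {
            n = split(watch, w, " ")
            for (i = 1; i <= n; i++) want[w[i]] = 1
        }
        # Any chain, but only packets the firewall refused.
        /Shorewall:[^:]*:(DROP|REJECT):/ {
            src = dst = proto = dpt = ""
            for (i = 1; i <= NF; i++) {
                # Keep the first occurrence only: ICMP error packets repeat
                # SRC=/DST= for the embedded original header.
                if (src == "" && $i ~ /^SRC=/) src = substr($i, 5)
                else if (dst == "" && $i ~ /^DST=/) dst = substr($i, 5)
                else if (proto == "" && $i ~ /^PROTO=/) proto = substr($i, 7)
                else if (dpt == "" && $i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src in want)
                count[src " " dst " " proto "/" (dpt == "" ? "-" : dpt)]++
        }
        END { for (k in count) print count[k], k }
    ' "$log" | LC_ALL=C sort -k1,1nr -k2
}

# Constructed log lines: two watched devices (.50, .51), one other LAN host
# (.20), one inbound drop and one unrelated kernel message.
sample_log() {
    cat <<'EOF'
Nov  3 12:01:07 fw kernel: Shorewall:loc2net:DROP:IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4321 DF PROTO=TCP SPT=40112 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Nov  3 12:01:10 fw kernel: Shorewall:loc2net:DROP:IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4322 DF PROTO=TCP SPT=40112 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Nov  3 12:01:16 fw kernel: Shorewall:loc2net:DROP:IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4323 DF PROTO=TCP SPT=40112 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Nov  3 12:02:00 fw kernel: Shorewall:loc2net:DROP:IN=eth1 OUT=eth0 SRC=192.168.1.51 DST=198.51.100.9 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=77 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Nov  3 12:02:05 fw kernel: Shorewall:loc2net:DROP:IN=eth1 OUT=eth0 SRC=192.168.1.51 DST=192.0.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=78 DF PROTO=ICMP TYPE=8 CODE=0 ID=9 SEQ=1
Nov  3 12:03:00 fw kernel: Shorewall:loc2net:DROP:IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=90 DF PROTO=TCP SPT=50000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Nov  3 12:03:30 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.99 DST=198.51.100.1 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=5 PROTO=TCP SPT=55555 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Nov  3 12:04:00 fw kernel: eth1: link up
EOF
}
```

Running `sample_log | summarize_drops - 192.168.1.50 192.168.1.51` shows the blocked DVR-style device retrying HTTPS and the second device still asking an outside NTP server for time.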