Re: [leaf-user] SSH login takes 40 seconds

2004-11-18 Thread Doug Hite
I don't like the /etc/hosts solution either, but 
it's the one I use as well.

Doug


Date: Wed, 17 Nov 2004 08:18:51 +0100
From: Erich Titl [EMAIL PROTECTED]
To: cpu memhd [EMAIL PROTECTED]
CC: [EMAIL PROTECTED] 
Subject: Re: [leaf-user] SSH login takes 40 seconds

Hi

cpu memhd wrote:

Bering uClibc 2.2 - I got SSH working a few weeks ago. Now for some
reason it takes 40 seconds to display a console screen after I login. I
have read that this is likely a reverse DNS problem. But why should it
matter if I'm using private, 10.x.x.x IPs? Also, I don't recall making
any changes between the time SSH worked and now. Any ideas?
  

If you have a working DNS server then it should just return an NXDOMAIN 
and you should be fine. If not, sshd will try to reverse lookup your 
address and finally time out.

One possible solution is to include your management station in the 
/etc/hosts file (not that I specifically like this solution)

Erich
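Erich's explanation above comes down to one measurement: does the reverse lookup of the client address come back quickly (either a name or a prompt NXDOMAIN) or hang until it times out? The Python script below is an added example, not code from this thread or from OpenSSH. It times the same PTR lookup sshd performs, maps the result onto the explanation above, and applies the /etc/hosts workaround idempotently. The 10.0.0.5 address, the "mgmt-station" name and the 2-second "slow" threshold are assumptions.

```python
import socket
import time
from concurrent.futures import ThreadPoolExecutor
from concurrent.futures import TimeoutError as FutureTimeout


def timed_reverse_lookup(addr, timeout=5.0):
    """Run the PTR lookup sshd performs for a client address and time it.

    Returns (outcome, elapsed_seconds, detail); outcome is 'resolved',
    'nxdomain' (the resolver answered promptly that there is no name),
    'timeout' (no answer within `timeout`) or 'error'.
    gethostbyaddr() has no timeout of its own, so the call runs in a
    worker thread; a hung resolver would otherwise block this script
    exactly the way it blocks sshd.
    """
    start = time.monotonic()
    pool = ThreadPoolExecutor(max_workers=1)
    fut = pool.submit(socket.gethostbyaddr, addr)
    try:
        name, _aliases, _addrs = fut.result(timeout=timeout)
        return "resolved", time.monotonic() - start, name
    except FutureTimeout:
        return "timeout", time.monotonic() - start, "no answer from resolver"
    except socket.herror as exc:  # negative answer: no PTR record
        return "nxdomain", time.monotonic() - start, str(exc)
    except OSError as exc:  # malformed address and similar local failures
        return "error", time.monotonic() - start, str(exc)
    finally:
        pool.shutdown(wait=False)


def verdict(outcome, elapsed, slow_after=2.0):
    """Map the measurement onto the explanation given in the thread.
    `slow_after` (seconds) is an assumed threshold, not an sshd setting."""
    if outcome == "timeout" or elapsed >= slow_after:
        return ("slow or unanswered reverse lookup: sshd blocks on it at login; "
                "point the router at a resolver that answers for the private "
                "range, or add the client to /etc/hosts")
    if outcome == "nxdomain":
        return "fast NXDOMAIN: reverse DNS is not what is delaying the login"
    if outcome == "resolved":
        return "PTR found quickly: reverse DNS is not what is delaying the login"
    return "lookup failed outright: check that the address is valid"


def add_to_hosts(hosts_text, addr, hostname):
    """The /etc/hosts workaround from the thread, applied idempotently:
    add a static mapping for the management station unless the address
    is already listed (comments and blank lines are ignored)."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields and fields[0] == addr:
            return hosts_text
    if hosts_text and not hosts_text.endswith("\n"):
        hosts_text += "\n"
    return hosts_text + f"{addr}\t{hostname}\n"


if __name__ == "__main__":
    # Constructed example: a management station on a private 10.x.x.x address.
    client = "10.0.0.5"
    outcome, elapsed, detail = timed_reverse_lookup(client)
    print(f"{client}: {outcome} after {elapsed:.2f}s ({detail})")
    print(verdict(outcome, elapsed))
    print(add_to_hosts("127.0.0.1\tlocalhost\n", client, "mgmt-station"), end="")
```

Run it on the router (or any box using the router's resolver) with the management station's address; a result of "timeout" is the case Erich describes, and the generated /etc/hosts line is the workaround both he and Doug settle for.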





---
This SF.Net email is sponsored by: InterSystems CACHE
FREE OODBMS DOWNLOAD - A multidimensional database that combines
robust object and relational technologies, making it a perfect match
for Java, C++,COM, XML, ODBC and JDBC. www.intersystems.com/match8

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html


Re:[leaf-user] vpn capability router

2004-05-19 Thread Doug Hite
Well, yes that is usually the case - otherwise what would be the 
point of setting up a VPN.  As far as controlling what has access
to what in a LEAF / Shorewall / OpenVPN setup - if it is setup
correctly, you would use the Shorewall rules and policies to 
determine what access the vpn segments have to the fw
and to the loc network.  

Doug

 chiew yock sang [EMAIL PROTECTED] 05/19/04 04:14AM 

Are you trying to say that without VPN, the network segment wouldn't be able 
to ping another network segment?

thanks!

From: Doug Hite [EMAIL PROTECTED]
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Re:[leaf-user] vpn capability router
Date: Thu, 06 May 2004 08:04:48 -0500

Well, the most obvious way to tell it is working is that the network
subnets that are being connected can communicate with each other.
Say the local network segment on router A is 192.168.1.0, and on
router B is 192.168.2.0.  If after the VPN is up, and if the Shorewall
rules allow vpn to loc and loc to vpn access on both sides, then you
should be able to communicate (ping, etc) from one network segment
to another.


It's hard to do these setups in a vacuum.  The best way to do it is to
get a router working - duplicate that to a second router - different
external ip and network segment and confirm that works.  You may
need clients on the internal sides of these routers to confirm they
are working correctly.  Once all that is working - add the VPN stuff
to connect the 2 routers.

The clients can be any networked computer that connects to the
local subnet.  Windows, linux, whatever - it's used to represent
the clients that will actually be on the networks and using the
VPN link (that would be the point of a VPN after all).

Doug

  chiew yock sang [EMAIL PROTECTED] 05/06/04 04:29AM 
How to know the vpn router is working fine? Do I need to make the 2nd router
before I can determine the router is working fine? Do I need to configure
the client? and how?

Please help me. I'm quite new in leaf, but with your help, I have achieved a
lot.

Thanks for your help and looking forward for your reply






Re:[leaf-user] vpn capability router

2004-05-06 Thread Doug Hite
OpenVPN and IPSec are different VPN standards.  Their differences are
listed here - 

http://www.netheaven.com/TunnelTypes.html 

For ease of setup - when you have control of both ends, and speed of
setup is an issue - openvpn is what I would use.

As for wireless use - the docs in the Bering User manual go through 
using OpenVPN for use with a wireless network - but you can ignore
the 2nd half of that document if you are doing a router to router link,
and use the Shorewall docs for that piece.

For testing the VPN ... well, I'm doing it by testing the applications
that I have running through that link to the new subnet.  I guess
I could also sniff the wire using ethereal or something to see that the
traffic was encrypted.  The logs also show that the link is active, and
with the verbose level turned up - you can probably get all kinds of 
info in the log file.

Doug

 chiew yock sang [EMAIL PROTECTED] 05/05/04 10:48PM 
Can you tell me what is the difference between OpenVPN and IPSec? Is 
OpenVPN only meant for wireless clients?

How to know the VPN capability router is working? In other words, how to 
test it?

Thanks

P.S. I have set up a router and it is working now




Re:[leaf-user] vpn capability router

2004-05-05 Thread Doug Hite
If I were pressed on time, I would do this - 

Use Bering 1.2 stock.
Set up 1 router, and get it working.
add the ifconfig and openvpn packages as found here -
http://leaf.sourceforge.net/devel/jnilo/bering/latest/packages/
http://lrp.steinkuehler.net/Packages.htm 

add tun.o as found here -
http://download.sourceforge.net/leaf/Bering_1.2_modules_2.4.20.tar.gz

Set up openvpn using the instructions here and here -
http://leaf.sourceforge.net/doc/guide/buopenvpn.html 
http://www.shorewall.net/OPENVPN.html 

Duplicate to 2nd router, and adjust configuration.

I set up a test vpn using these steps in about an hour.  It's very easy if 
you have experience with LEAF.  

Things to watch out for -
1) Watch the size on the disk - you will need to remove unused packages
2) In setting up the VPN, use shorewall clear and get it working, then
reactivate the firewall and test again.
3) If you follow the shorewall steps exactly - the firewall will not have 
access to the vpn, so testing connection from the firewall to the remote
vpn may not be the best place to do it.  Use clients behind the
firewall, or open up access.

Doug

I'm currently studying, my lecturer asked me to do a router with VPN 
capability with floppy disk(s). I have tried for quite long and still 
haven't got the result. I don't know what has gone wrong.

Can anyone show me the proper way to start? I'm willing to start all over 
again to make sure I'm on the right track.

I'm just hoping I can finish this project on time.

Thanks.






[leaf-user] Re: Vonage and Bering

2004-03-13 Thread Doug Hite
Just to add to this discussion - I too am investigating this option. 
There has been some discussion of Vonage on the Shorewall mailing
lists - you can search them at shorewall.net - keyword vonage.  
Looks like users on that list have gotten it to work - and a listing 
of the rules can be found there.

Also you may want to check out 
http://www.voicepulse.com/default.aspx 

This is the other company I have heard mentioned on /.  Not as
much information on firewalls, but they use a different phone, 
so maybe it's more NAT friendly.  Not as much coverage though
if having a local number is wanted.  

I'm wondering if a 3 nic DMZ setup would be in order for a 
home deployment of this - where the only device in the DMZ
was the phone.  Might that reduce some of the security issues ?

Doug






[leaf-user] which VPN to use ?

2004-02-04 Thread Doug Hite
Hello all,

I have been using Bering (regular) very successfully for awhile here, 
and I will need to be setting up a VPN to connect our office in Texas 
with a newly opening office in Florida.  I will have full control over both
endpoints, and having interoperability between my VPN endpoints,
and other companies is not an issue, nor do I foresee it being an 
issue anytime soon.

Question: What would be the best VPN package to use ?
CIPE, IPSEC, something else ???  

Also - We are considering using IP Telephony to tie together the
phone systems.  The phone vendor recommends getting a 
managed VPN from some provider to ensure quality phone conversations,
I guess by maintaining and managing the bandwidth between the
endpoints ... but I am not sure.  If we opt for this option, does it take 
the place of the VPN, so that the provider is doing the VPN part ?  
Any interoperable issues with this setup with Bering ?

Any suggestions welcome.  Thanks.

Doug






[leaf-user] sshd taking too long ?

2003-03-31 Thread Doug Hite
Hello all -

I am trying to troubleshoot my Bering 1.0
router install with sshd (from http://leaf.sourceforge.net/devel/jnilo/ )  
The first time I try to connect with an ssh client
it takes anywhere from 25 to 50 seconds.  I can then 
immediately disconnect, and reconnect, and this time it does 
it almost immediately.  I can leave it disconnected for a few hours,
and then try again, and it will take 25 to 50 seconds to connect
again.  I have turned on the debugging - and have attached a 
sample of one of these long waits.  I also included an entry
that seems to be in the log about once per hour - where it
is regenerating the RSA key.  My working guess is that
the long wait happens with the first connection after a new 
key has generated.  Has anyone else had this problem ?  
I did look for an entry about reverse DNS lookup failing
in the AUTH log, and did not find anything like that.  Here
is the log section-

Mar 31 12:11:08 firewall sshd[30296]: Generating new 768 bit RSA key.
Mar 31 12:11:09 firewall sshd[30296]: RSA key generation complete.
Mar 31 13:24:25 firewall sshd[9276]: Connection from 192.168.3.50 port 1509
Mar 31 13:24:25 firewall sshd[30296]: debug1: Forked child 9276.
Mar 31 13:24:26 firewall sshd[9276]: debug1: Client protocol version 1.99; client software version 3.2.2 SSH Secure Shell for Windows
Mar 31 13:24:26 firewall sshd[9276]: debug1: no match: 3.2.2 SSH Secure Shell for Windows
Mar 31 13:24:26 firewall sshd[9276]: debug1: Enabling compatibility mode for protocol 2.0
Mar 31 13:24:26 firewall sshd[9276]: debug1: Local version string SSH-1.99-OpenSSH_3.5p1
Mar 31 13:24:26 firewall sshd[9276]: Failed none for root from 192.168.3.50 port 1509 ssh2
Mar 31 13:24:30 firewall sshd[9276]: Accepted password for root from 192.168.3.50 port 1509 ssh2
Mar 31 13:24:30 firewall sshd[9276]: debug1: monitor_child_preauth: root has been authenticated by privileged process
Mar 31 13:24:30 firewall sshd[9276]: debug1: newkeys: mode 0
Mar 31 13:24:30 firewall sshd[9276]: debug1: newkeys: mode 1
Mar 31 13:24:30 firewall sshd[9276]: debug1: Entering interactive session for SSH2.
Mar 31 13:24:30 firewall sshd[9276]: debug1: fd 3 setting O_NONBLOCK
Mar 31 13:24:30 firewall sshd[9276]: debug1: fd 5 setting O_NONBLOCK
Mar 31 13:24:30 firewall sshd[9276]: debug1: server_init_dispatch_20
Mar 31 13:24:30 firewall sshd[9276]: debug1: server_input_channel_open: ctype session rchan 0 win 1 max 512
Mar 31 13:24:30 firewall sshd[9276]: debug1: input_session_request
Mar 31 13:24:30 firewall sshd[9276]: debug1: channel 0: new [server-session]
Mar 31 13:24:30 firewall sshd[9276]: debug1: session_new: init
Mar 31 13:24:30 firewall sshd[9276]: debug1: session_new: session 0
Mar 31 13:24:30 firewall sshd[9276]: debug1: session_open: channel 0
Mar 31 13:24:30 firewall sshd[9276]: debug1: session_open: session 0: link with channel 0
Mar 31 13:24:30 firewall sshd[9276]: debug1: server_input_channel_open: confirm session
Mar 31 13:24:30 firewall sshd[9276]: debug1: server_input_channel_req: channel 0 request pty-req reply 0
Mar 31 13:24:30 firewall sshd[9276]: debug1: session_by_channel: session 0 channel 0
Mar 31 13:24:30 firewall sshd[9276]: debug1: session_input_channel_req: session 0 req pty-req
Mar 31 13:24:30 firewall sshd[9276]: debug1: Allocating pty.
Mar 31 13:24:30 firewall sshd[9276]: debug1: session_pty_req: session 0 alloc /dev/ttyp0
Mar 31 13:24:30 firewall sshd[9276]: debug1: server_input_channel_req: channel 0 request shell reply 1
Mar 31 13:24:30 firewall sshd[9276]: debug1: session_by_channel: session 0 channel 0
Mar 31 13:24:30 firewall sshd[9276]: debug1: session_input_channel_req: session 0 req shell
Mar 31 13:24:30 firewall sshd[9276]: debug1: fd 4 setting TCP_NODELAY
Mar 31 13:24:30 firewall sshd[9276]: debug1: channel 0: rfd 7 isatty
Mar 31 13:24:30 firewall sshd[9276]: debug1: fd 7 setting O_NONBLOCK
Mar 31 13:24:30 firewall sshd[15082]: debug1: Setting controlling tty using TIOCSCTTY.
Mar 31 13:24:30 firewall sshd[9276]: debug1: server_input_channel_req: channel 0 request window-change reply 0
Mar 31 13:24:30 firewall sshd[9276]: debug1: session_by_channel: session 0 channel 0
Mar 31 13:24:30 firewall sshd[9276]: debug1: session_input_channel_req: session 0 req window-change
Mar 31 13:24:58 firewall sshd[15082]: debug1: permanently_set_uid: 0/0
 
** notice the time is only a few seconds until that
last step - 28 seconds.  What is happening here ?
additional note : router is a Pentium 233 - 32 meg running from a 5 meg compact flash.
2 different ssh clients tested - they both seem to have the same wait issue.

Doug
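The log above already pins down where the wait sits: every step through the window-change request is stamped 13:24:30, and the very next line, permanently_set_uid, is stamped 13:24:58. The Python below is an added example, not code from this thread or from OpenSSH. It parses syslog-style sshd lines, measures the pause between consecutive events, and reports which phase of the login the longest pause falls in, which is the first question to answer before blaming DNS, key regeneration or the hardware. The sample is a subset of the lines posted above with wrapped lines rejoined; the timestamps are unchanged.

```python
import re
from datetime import datetime, timedelta

# Sample taken from the debug log posted above (subset, timestamps unchanged).
SAMPLE_LOG = """\
Mar 31 13:24:25 firewall sshd[9276]: Connection from 192.168.3.50 port 1509
Mar 31 13:24:26 firewall sshd[9276]: debug1: Local version string SSH-1.99-OpenSSH_3.5p1
Mar 31 13:24:26 firewall sshd[9276]: Failed none for root from 192.168.3.50 port 1509 ssh2
Mar 31 13:24:30 firewall sshd[9276]: Accepted password for root from 192.168.3.50 port 1509 ssh2
Mar 31 13:24:30 firewall sshd[9276]: debug1: Allocating pty.
Mar 31 13:24:30 firewall sshd[9276]: debug1: session_input_channel_req: session 0 req window-change
Mar 31 13:24:58 firewall sshd[15082]: debug1: permanently_set_uid: 0/0
"""

# Classic syslog prefix: "Mon DD HH:MM:SS host sshd[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)


def parse(text):
    """Turn sshd syslog lines into (timestamp, pid, message) tuples; skip other lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            events.append((ts, int(m.group("pid")), m.group("msg")))
    return events


def gaps(events):
    """Seconds elapsed between each consecutive pair of events."""
    out = []
    for (t0, _, m0), (t1, _, m1) in zip(events, events[1:]):
        delta = t1 - t0
        if delta < timedelta(0):
            delta += timedelta(days=1)  # syslog carries no year; assume a midnight wrap
        out.append((delta.total_seconds(), m0, m1))
    return out


def largest_gap(text):
    """(seconds, message before the pause, message after it), or None if < 2 events."""
    g = gaps(parse(text))
    return max(g, key=lambda item: item[0]) if g else None


def locate_pause(text):
    """Describe the longest pause and the login phase it falls in."""
    events = parse(text)
    g = gaps(events)
    if not g:
        return None
    idx = max(range(len(g)), key=lambda i: g[i][0])
    seconds, follows, precedes = g[idx]
    # Has the "Accepted ..." line already been logged when the pause starts?
    authenticated = any("Accepted" in e[2] for e in events[: idx + 1])
    return {
        "seconds": seconds,
        "follows": follows,
        "precedes": precedes,
        "phase": ("session setup after authentication" if authenticated
                  else "pre-authentication (key exchange / password entry)"),
    }


if __name__ == "__main__":
    r = locate_pause(SAMPLE_LOG)
    print(f"{r['seconds']:.0f}s pause, {r['phase']}")
    print(f"  after : {r['follows']}")
    print(f"  before: {r['precedes']}")
```

On the sample this reports a 28-second pause in session setup, after the password was accepted and the pty was allocated, so the client-side version exchange, authentication and the hourly RSA key regeneration are all ruled out as the cause; whatever the shell-startup path does between those two lines is where to look next.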








[leaf-user] moving from seawall to shorewall

2003-03-20 Thread Doug Hite
I am upgrading one of our work routers, and have a
few questions about shorewall setup in a multi-nic 
setup.  This router has one external interface (eth0),
and 3 internal nics (eth1-3).  The external nic is 
connected to an isdn router, and the internal nics
service the 3 internal lan segments we have.  This
router is the primary ip router for all the lan segments,
and is also used by the majority of the company for
outgoing internet access.

Questions - 1) For the 3 local nics, do I need just one 
loc in the zones file, or do I need loc1, loc2, ... ?  
The 3 internal segments need traffic to flow between 
them without restriction.
2) If I only have one loc, do I then add 3 entries in
the shorewall hosts file to map the interface to the
segment ?
3) Anyone have any examples of Multi-Local shorewall
setups ?

I am having some issues in this switchout - in particular
one of our Netware servers on our internal network will not 
communicate with other lan segments under my Bering
setup, but when I put the EigerStien/Seawall router
back - it works.  I suspect my Shorewall setup is not
quite right yet, so I want to check on the above 
before I start to gather better diagnostics.

Thanks -  Doug






Re: [leaf-user] CF boot problems

2003-01-21 Thread Doug Hite
Matt,
I have set up some systems using IDE-CF adapters, and
am amazed at what seems to trip me up in various 
configurations.  I had one motherboard that would not
boot the CF no matter what I did, until I found and updated
the bios (this was an older PII motherboard).  I currently
have a Pentium 100 system that boots with a 32 meg CF 
ok, but when I tried with a 6 meg, it will not do it.  I'm
still working on that one.  So, here are some things to
try - update the bios, try another CF, try fdisk /MBR to
see if redoing the dos master boot record on the CF 
does anything, try another motherboard, try the 
autodetect and use the settings it finds instead of AUTO...
Good luck.
Doug
==
I'm getting a whole lot of nothing when trying to boot my
new SanDisk 64MB CF using an ACS IDE-CF adapter.

I set the BIOS IDE detection to Auto/Auto, and I left the jumper
on the IDE-CF adapter in default position indicating it would be
Master.  It's installed on the Primary IDE cable.

The BIOS found the CF, detected as SDCFB-64.
That's all it said.

I booted to DOS-6.22, fdisk'd a primary partition of 12MB
and made it active and rebooted and formatted c: /s.

I can reboot to DOS-6.22 off the floppy and copy and move files back
and forth from C to A and back.

But it won't boot.  The computer hangs right after post, as if the MBR
said go to partition 1 and load the boot code which never happens.
No DOS6.22 message, nothing.

I spent hours trying syslinux and whatnot, to no avail.  If I can't get
it to boot DOS, I don't think linux is going to do it.

So what is it?  Just the CF?  I could buy a smaller one,
maybe just 16 MB and see what happens.  (6.22 fdisk sees
it as 60MB not 64).

Thanks for any ideas,
matt







[leaf-user] Current Source for DLink - DFE-570TX ???

2003-01-16 Thread Doug Hite
Does anybody have a current US source for the 
DLink - DFE-570TX 4 port Tulip based card ?  This
card doesn't seem to be made anymore, and the
inventory is drying up.  Anyone using any other
4 port cards with LEAF ?

Doug







Re: [leaf-user] maybe you LEAF guys/gals can help me with this

2002-11-07 Thread Doug Hite
http://www.e-smith.org

This is not as good a firewall solution, but it can do it, and
does a great job at the rest.  Personally, I use a combination
of LEAF as a firewall, and E-SMITH as back end server.

Setup is easy, about 10 questions, then the admin is via
a web based application.

Doug


I am looking for an ALL-IN-ONE solution similar to the software that is used
on the 3Com internet/server appliance that was discontinued or like the SUN
Cobalt Qube.
What I am looking for is a complete, easy to install solution that provides:

Firewall
Windows File Server
Email Server
FTP Server
Telnet/SSH Server
DHCP
DNS
And can be administrated from a web page on a local machine.

I have used Smoothwall and IPCop but these 2 dists are firewall specific.
I have been trying to use Debian and Red Hat to do all of this but the setup
is murder, and Webmin is very general.

Is there currently a project/dist that does this?
--
David Batey
Network Administration Manager
Ohio Valley Cable
812-471-7506







[leaf-user] Seawall to Shorewall in a dialup

2002-10-17 Thread Doug Hite
I am currently doing some tests of my new home
router, with the configuration previously in EigerSteinBeta
using Seawall to Bering using Shorewall.  This is a dial-up
router using ppp0 as the external interface.  In my old
router I had to include a line in the /etc/ppp/ip-up file
that ran seawall restart when my ip changed.  Using
Shorewall, I don't see any mention of needing to reset
the firewall when the ip changes.  Can someone confirm
that this is no longer needed in Shorewall ?

Thanks.

Doug







[leaf-user] help - need ipchain command to block a single ip

2002-10-11 Thread Doug Hite

Hello all,

I believe I'm currently being scanned on one of my 
LEAF routers (this one is still an EigerStien I think), 
all from a single ip.  It of course is filling
up my logs, and eventually stops my dhcpd server.
The log analyser at http://www.echogent.com/cgi-bin/fwlog.pl
from this packet 

Oct 10 20:48:57 isdnfirewall kernel: Packet log: remote DENY eth0 
PROTO=6 216.224.239.106:58047 209.251.232.19:135 L=44 S=0x00 
I=9912 F=0x4000 T=107 SYN (#9) 

gives this response

You're very likely under attack here.

I used to have the syntax to completely block a single
ip, but I seem to have lost it, and my searches have
come up empty.  Can someone give me the syntax to
block this offender ?  I don't mind only plugging it in at
the command line - this router gets rebooted only
every 6 months or so - by that time, the person
may have lost interest.

Doug







Re: [leaf-user] help - need ipchain command to block a singleip

2002-10-11 Thread Doug Hite

Thanks for the quick response Jeff.  Yes, it is very much a sequential
thing - I don't know what a scan would look like from the logs, but if I
had to guess what it would look like, this would be it.  Here is a very 
brief snippet -

Oct 11 06:56:02 isdnfirewall kernel: Packet log: remote DENY eth0 PROTO=6 
216.224.239.106:61694 209.251.232.18:135 L=44 S=0x00 I=12220 F=0x4000 T=107 SYN (#9) 
Oct 11 06:56:26 isdnfirewall kernel: Packet log: remote DENY eth0 PROTO=6 
216.224.239.106:61697 209.251.232.19:135 L=44 S=0x00 I=12476 F=0x4000 T=107 SYN (#9) 
Oct 11 06:56:29 isdnfirewall kernel: Packet log: remote DENY eth0 PROTO=6 
216.224.239.106:61697 209.251.232.19:135 L=44 S=0x00 I=12732 F=0x4000 T=107 SYN (#9) 
Oct 11 06:56:35 isdnfirewall kernel: Packet log: remote DENY eth0 PROTO=6 
216.224.239.106:61697 209.251.232.19:135 L=44 S=0x00 I=12988 F=0x4000 T=107 SYN (#9) 
Oct 11 06:56:47 isdnfirewall kernel: Packet log: remote DENY eth0 PROTO=6 
216.224.239.106:61697 209.251.232.19:135 L=44 S=0x00 I=13244 F=0x4000 T=107 SYN (#9) 
Oct 11 07:09:11 isdnfirewall kernel: Packet log: remote DENY eth0 PROTO=6 
216.224.239.106:61982 209.251.232.18:135 L=44 S=0x00 I=17084 F=0x4000 T=107 SYN (#9) 
Oct 11 07:09:14 isdnfirewall kernel: Packet log: remote DENY eth0 PROTO=6 
216.224.239.106:61982 209.251.232.18:135 L=44 S=0x00 I=17340 F=0x4000 T=107 SYN (#9) 
Oct 11 07:09:20 isdnfirewall kernel: Packet log: remote DENY eth0 PROTO=6 
216.224.239.106:61982 209.251.232.18:135 L=44 S=0x00 I=17596 F=0x4000 T=107 SYN (#9) 
Oct 11 07:09:32 isdnfirewall kernel: Packet log: remote DENY eth0 PROTO=6 
216.224.239.106:61982 209.251.232.18:135 L=44 S=0x00 I=17852 F=0x4000 T=107 SYN (#9) 
Oct 11 07:09:56 isdnfirewall kernel: Packet log: remote DENY eth0 PROTO=6 
216.224.239.106:61983 209.251.232.19:135 L=44 S=0x00 I=18108 F=0x4000 T=107 SYN (#9) 
Oct 11 07:09:59 isdnfirewall kernel: Packet log: remote DENY eth0 PROTO=6 
216.224.239.106:61983 209.251.232.19:135 L=44 S=0x00 I=18364 F=0x4000 T=107 SYN (#9) 
Oct 11 07:10:05 isdnfirewall kernel: Packet log: remote DENY eth0 PROTO=6 
216.224.239.106:61983 209.251.232.19:135 L=44 S=0x00 I=18620 F=0x4000 T=107 SYN (#9) 
Oct 11 07:10:17 isdnfirewall kernel: Packet log: remote DENY eth0 PROTO=6 
216.224.239.106:61983 209.251.232.19:135 L=44 S=0x00 I=18876 F=0x4000 T=107 SYN (#9) 
Oct 11 07:22:41 isdnfirewall kernel: Packet log: remote DENY eth0 PROTO=6 
216.224.239.106:62082 209.251.232.18:135 L=44 S=0x00 I=22460 F=0x4000 T=107 SYN (#9) 

The rule appears to have stopped this dead.  My logs can 
breathe easier for awhile.  Thanks again.  

Does anyone have any other procedures that they do 
when in this situation ?  I certainly will save this rule in my 
personal LEAF documents folder if it happens again.

Doug

 Jeff Newmiller [EMAIL PROTECTED] 10/11/02 10:51AM 
On Fri, 11 Oct 2002, Doug Hite wrote:

 Hello all,
 
 I believe I'm currently being scanned on one of my 
 LEAF routers (this one is still an EigerStien I think), 
 all from a single ip.  It of course is filling
 up my logs, and eventually stops my dhcpd server.
 The log analyser at http://www.echogent.com/cgi-bin/fwlog.pl 
 from this packet 
 
 Oct 10 20:48:57 isdnfirewall kernel: Packet log: remote DENY eth0 
 PROTO=6 216.224.239.106:58047 209.251.232.19:135 L=44 S=0x00 
 I=9912 F=0x4000 T=107 SYN (#9) 
 
 gives this response
 
 You're very likely under attack here.

This particular destination port is the Microsoft RPC (DCOM) service port.

On its own, even repeated, I wouldn't automatically conclude you are
under attack.  Someone might have mistakenly put your ip address in
someplace (typo), or you might be running software from inside your
firewall that is prompting the server to try to get some more information
from you (check netstat -Mlen for connections).  (I don't think your ISP
has your ip address correctly reverse dns mapped, so some servers might
try alternate methods of reverse mapping.)

If it is part of a sequence of destination ports, then you are more likely
under attack.

 I used to have the syntax to completely block a single
 ip, but I seem to have lost it, and my searches have
 come up empty.  Can someone give me the syntax to
 block this offender ?  I don't mind only plugging it in at
 the command line - this router gets rebooted only
 every 6 months or so - by that time, the person
 may have lost interest.

You need to insert a rule into the input chain for interface eth0 that
denies (drops) all packets arriving from ip 216.224.239.106, without
logging:

ipchains -I input -j DENY -i eth0 -s 216.224.239.106

---
Jeff NewmillerThe .   .  Go Live...
DCN:[EMAIL PROTECTED]Basics: ##.#.   ##.#.  Live Go...
  Live:   OO#.. Dead: OO#..  Playing
Research Engineer (Solar/BatteriesO.O#.   #.O#.  with
/Software/Embedded Controllers)   .OO
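
The triage Jeff describes, plus the drop rule, as an added example that is not from the thread or from LEAF: it parses ipchains "Packet log:" lines (the three 216.224.239.106 entries are the ones quoted above; the 192.0.2.77 port sweep is constructed), counts hits and distinct destination ports per source, applies the single-port-versus-port-sequence heuristic, and emits the ipchains command from the reply for anything above background noise.

```python
import re
from collections import defaultdict
# One ipchains "Packet log:" line as the 2.2 kernel on a LEAF router prints it.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) .*\(#(?P<rule>\d+)\)")

# Constructed sample: the 216.224.239.106 lines are quoted in the thread; the 192.0.2.77 sweep is made up (RFC 5737 space).
SAMPLE_LOG = """\
Oct 11 07:10:17 isdnfirewall kernel: Packet log: remote DENY eth0 PROTO=6 216.224.239.106:61983 209.251.232.19:135 L=44 S=0x00 I=18620 F=0x4000 T=107 SYN (#9)
Oct 11 07:10:17 isdnfirewall kernel: Packet log: remote DENY eth0 PROTO=6 216.224.239.106:61983 209.251.232.19:135 L=44 S=0x00 I=18876 F=0x4000 T=107 SYN (#9)
Oct 11 07:22:41 isdnfirewall kernel: Packet log: remote DENY eth0 PROTO=6 216.224.239.106:62082 209.251.232.18:135 L=44 S=0x00 I=22460 F=0x4000 T=107 SYN (#9)
Oct 11 07:30:02 isdnfirewall kernel: Packet log: remote DENY eth0 PROTO=6 192.0.2.77:40001 209.251.232.19:21 L=44 S=0x00 I=101 F=0x4000 T=52 SYN (#9)
Oct 11 07:30:02 isdnfirewall kernel: Packet log: remote DENY eth0 PROTO=6 192.0.2.77:40002 209.251.232.19:22 L=44 S=0x00 I=102 F=0x4000 T=52 SYN (#9)
Oct 11 07:30:03 isdnfirewall kernel: Packet log: remote DENY eth0 PROTO=6 192.0.2.77:40003 209.251.232.19:23 L=44 S=0x00 I=103 F=0x4000 T=52 SYN (#9)
"""

def summarize(log_text):
    """Per source IP: denied-packet count, distinct destination ports, inbound interface."""
    stats = defaultdict(lambda: {"hits": 0, "dports": set(), "iface": None})
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:  # not a packet-log line, or a format this parser does not know
            continue
        s = stats[m["src"]]
        s["hits"], s["iface"] = s["hits"] + 1, m["iface"]
        s["dports"].add(int(m["dport"]))
    return dict(stats)

def classify(entry, min_hits=3, sweep_ports=3):
    """Jeff's heuristic: many different destination ports from one source looks like a
    scan; the same port over and over may just be a typo'd address, so check first."""
    if len(entry["dports"]) >= sweep_ports:
        return "port-sweep"
    if entry["hits"] >= min_hits and len(entry["dports"]) == 1:
        return "repeated-single-port"
    return "background-noise"

def block_rule(src, iface):
    """The rule from the reply: silently drop everything from src arriving on iface."""
    return f"ipchains -I input -j DENY -i {iface} -s {src}"

def report(log_text):
    """(src, verdict, rule) per source, sorted; a rule is proposed only above noise level."""
    rows = []
    for src, e in sorted(summarize(log_text).items()):
        v = classify(e)
        rows.append((src, v, block_rule(src, e["iface"]) if v != "background-noise" else None))
    return rows
```

Run `report(SAMPLE_LOG)` to get one row per source; the repeated-single-port verdict is the one Jeff says to look into before blocking.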

[leaf-user] Re: compact flash backup ?

2002-09-18 Thread Doug Hite

Erich, do you have a website link for where this can be purchased ?

Doug

 [EMAIL PROTECTED] 09/17/02 01:08PM 
I have contacted SST for their DOM's. Their distributor here in Europe 
asks $25 for a 16 MB secure DOM _NEW_. 
You might consider that as an option.

Erich


RE: [leaf-user] samba for bering based leaf box

2002-07-15 Thread Doug Hite

I use e-smith for this - it is a stripped down linux server distribution.
http://www.e-smith.org
Of course it would require a second computer.  But it is very easy
to install and manage.

Doug

I have already asked about the availability of a halfway recent samba
package about a month ago. Unfortunately no one has answered my
request... does this mean there is nothing out there? is anyone working
on something like that?

I am well aware that windows filesharing is not one of the standard
things one is doing with a firewall/router, but a friend of mine has
only a small home network and the other PCs are laptops with limited
space, that his 40 GB IDE hard disk doesn't fit into. If someone can
think of another solution to let him play his mp3s, please tell me ;)


[Leaf-user] Re: looking for Linux distribution just for LAN DHCP server (1NIC)

2002-04-29 Thread Doug Hite

Not exactly what you are specifying, but it is what I use in this situation.  It
has dhcpd, and also Samba for file serving, an email server, webmail, and
the Apache web server.  Very, very easy to set up and administer.  But it
requires a hard drive.  For my money (and time) - this has been the best
server to put behind my LEAF firewall.  Mine at home is running on a 
Pentium 100 with 32-48 meg memory on a 2 gig hard drive.

http://www.e-smith.org

Doug

 Unfortunately, LEAF requires two NIC's because it is a full LAN/WAN router.
 I was wondering if there is a good distribution just as easy and small as
 LEAF that can just do DHCP serving over Ethernet?


[Leaf-user] Changes for new Dachstein release

2002-04-11 Thread Doug Hite

I'm not wanting this to get out of hand ... but ...
my wish list of programs to be included on the next DCD version includes

ez-ipupd.lrp

The newest version I think is at 

http://leaf.sourceforge.net/devel/jnilo/packages/ez-ipupd.lrp

Docs at

http://leaf.sourceforge.net/devel/jnilo/ezipupd.html 


[Leaf-user] Re : martians on internal network ???

2002-03-08 Thread Doug Hite

We see martians from users on our private network that are using 
dial up internet accounts on W2k computers, external of the 
normal way of getting to the internet (through our LEAF router).
Does anyone have a fix either on the W2k side or on the router
to stop the console logging of these ?  (without turning off 
martian logging completely)

Doug

==
We are seeing martians on internal networks on a regular basis.
Usually, it is traceable to users logging into AOL over our high speed
internet connections:

   172.128.0.0 - 172.191.255.255

Today, we saw one from United Airlines:
   205.174.16.0 - 205.174.23.255

[1] How does this happen?
[2] Why does this happen?
[3] Is this exploitable?


[Leaf-user] RE: ez-ipupdate

2001-12-19 Thread Doug Hite

 [EMAIL PROTECTED] 12/19/01 01:22PM 

I'm working on building an LRP for ez-ipupdate. I've also updated the
program to allow use of dyndns custom domains. I've made the executable
available for those who don't want to wait for me to finish getting the LRP
built :)

http://sort.net/ez-ipupdate.tgz 

Use system type dyndns-custom for custom dyndns domains

jd

Thank you very much !!!  This is very much needed.  Having the
custom dyndns domains working will be great.  Does anybody 
know if setting the backup MX address is working yet ?  

Doug


[Leaf-user] webcam for lrp information

2001-06-20 Thread Doug Hite

The packages for the LRP webcam can be downloaded at
http://www.penguincentral.com/webcam/ 

If I remember correctly, these packages were created for 2.9.3 
so the RCDLINKS was not set, but it is easy enough to fix.

They must use the old parallel port Connectix / Logitech
webcams (BW and 1st generation Color).  These are kinda
hard to find, but you can still get them on eBay.  Once you 
get your exposure setting correct, it will snap a picture at the 
configured interval, a jpg, and then ftp it to wherever you want.

Doug

ps.  Rick, can you put this link under your packages section ?
Thanks.
