[leaf-user] Bandwidth control

2013-02-12 Thread Doug Sampson
Hello LEAFers-

We are experiencing issues with bandwidth usage. Currently we are using three 
T-1 lines for a total of 4.5Mbits of bandwidth. We use Shorewall on our 4.3.1 
Bering uClibc system to prioritize packets as follows:


#
# Shorewall version 4 - Tcdevices File
#
# For information about entries in this file, type "man shorewall-tcdevices"
#
# See http://shorewall.net/traffic_shaping.htm for additional information.
#
###
#NUMBER:    IN-BANDWITH  OUT-BANDWIDTH  OPTIONS  REDIRECTED
#INTERFACE                                       INTERFACES
eth0        4400kbit     4200kbit


#
# Shorewall version 4 - Tcclasses File
#
# For information about entries in this file, type "man shorewall-tcclasses"
#
# See http://shorewall.net/traffic_shaping.htm for additional information.
#
###
#INTERFACE:CLASS  MARK  RATE:        CEIL         PRIORITY  OPTIONS
#                       DMAX:UMAX
eth0              1     full*56/100  full*9/10    1         tos-maximize-throughput
eth0              2     full*34/100  full         2         tos=0x68/0xfc,tos=0xb8/0xfc
eth0              3     full*2/100   full*20/100  3         tcp-ack,tos-minimize-delay
eth0              4     full*2/100   full*10/100  4
eth0              5     full*4/100   full         5         tcp-ack,tos-minimize-delay
eth0              6     full*2/100   full*9/10    6         default


#
# Shorewall version 4 - Tcrules File
#
# For information about entries in this file, type "man shorewall-tcrules"
#
# See http://shorewall.net/traffic_shaping.htm for additional information.
#
# For usage in selecting among multiple ISPs, see
# http://shorewall.net/MultiISP.html
#
# See http://shorewall.net/PacketMarking.html for a detailed description of
# the Netfilter/Shorewall packet marking mechanism.
###
#MARK  SOURCE            DEST       PROTO  DEST     SOURCE   USER  TEST  LENGTH  TOS  CONNB
#                                          PORT(S)  PORT(S)
#      following are for Sorenson nTouchVP sessions
1:P    192.168.1.160/28  0.0.0.0/0  all
#1:P   192.168.1.160/28  0.0.0.0/0  tcp    1720
#1:P   0.0.0.0/0
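As an added sanity check for a tcdevices/tcclasses layout like the one above (example code written for this page, not part of the post or of Shorewall), the following Python parses both files, resolves each `full*N/M` expression against the device's OUT-BANDWIDTH, and flags guaranteed rates that oversubscribe the link, ceilings outside the RATE..full range, and a missing or duplicated default class. The sample entries are constructed from the post; the unit table assumes Shorewall's convention that kbps/mbps are byte-based while kbit/mbit are bit-based.

```python
import re
from fractions import Fraction

# Constructed sample: the tcdevices/tcclasses entries from the post above,
# with whitespace restored (one device, six egress classes).
TCDEVICES = """\
#NUMBER:INTERFACE  IN-BANDWITH  OUT-BANDWIDTH  OPTIONS  REDIRECTED
eth0               4400kbit     4200kbit
"""

TCCLASSES = """\
#INTERFACE:CLASS  MARK  RATE         CEIL         PRIORITY  OPTIONS
eth0              1     full*56/100  full*9/10    1         tos-maximize-throughput
eth0              2     full*34/100  full         2         tos=0x68/0xfc,tos=0xb8/0xfc
eth0              3     full*2/100   full*20/100  3         tcp-ack,tos-minimize-delay
eth0              4     full*2/100   full*10/100  4         -
eth0              5     full*4/100   full         5         tcp-ack,tos-minimize-delay
eth0              6     full*2/100   full*9/10    6         default
"""

# Shorewall bandwidth units as kbit/s multipliers (assumption: kbps/mbps are
# kilo/mega BYTES per second, kbit/mbit are bits per second, as Shorewall documents).
UNITS_KBIT = {"kbit": 1, "mbit": 1000, "kbps": 8, "mbps": 8000}


def parse_bandwidth(text):
    """'4200kbit' -> Fraction(4200) kbit/s."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)(kbit|mbit|kbps|mbps)", text.strip().lower())
    if not m:
        raise ValueError(f"unparseable bandwidth: {text!r}")
    return Fraction(m.group(1)) * UNITS_KBIT[m.group(2)]


def resolve_rate(expr, full_kbit):
    """Resolve a RATE/CEIL column ('full', 'full*56/100', 'full/10', '500kbit')
    into kbit/s, where 'full' is the device's OUT-BANDWIDTH."""
    e = expr.strip().lower()
    if e.startswith("full"):
        m = re.fullmatch(r"full(?:\*(\d+))?(?:/(\d+))?", e)
        if not m:
            raise ValueError(f"unparseable rate expression: {expr!r}")
        return Fraction(full_kbit) * Fraction(int(m.group(1) or 1), int(m.group(2) or 1))
    return parse_bandwidth(e)


def _entries(text):
    """Yield whitespace-split columns of non-comment, non-empty lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()


def parse_tcdevices(text):
    """Map interface name -> OUT-BANDWIDTH in kbit/s (the base for 'full')."""
    devices = {}
    for cols in _entries(text):
        iface = cols[0].split(":")[-1]          # accept 'eth0' or '1:eth0'
        devices[iface] = parse_bandwidth(cols[2])
    return devices


def parse_tcclasses(text):
    """Return a list of class dicts holding the columns the audit needs."""
    classes = []
    for cols in _entries(text):
        options = set() if len(cols) < 6 or cols[5] == "-" else set(cols[5].split(","))
        classes.append({"interface": cols[0].split(":")[0], "mark": cols[1],
                        "rate": cols[2], "ceil": cols[3], "options": options})
    return classes


def audit(tcdevices, tcclasses):
    """Per device: guaranteed RATEs must not oversubscribe OUT-BANDWIDTH, each
    CEIL must lie between its RATE and full, and exactly one class must be the
    default.  Returns a list of finding strings (empty list = configuration OK)."""
    findings = []
    classes = parse_tcclasses(tcclasses)
    for iface, full in parse_tcdevices(tcdevices).items():
        mine = [c for c in classes if c["interface"] == iface]
        guaranteed = Fraction(0)
        for c in mine:
            rate, ceil = resolve_rate(c["rate"], full), resolve_rate(c["ceil"], full)
            guaranteed += rate
            if ceil > full:
                findings.append(f"{iface} mark {c['mark']}: CEIL {ceil} exceeds OUT-BANDWIDTH {full}")
            if rate > ceil:
                findings.append(f"{iface} mark {c['mark']}: RATE {rate} exceeds CEIL {ceil}")
        if guaranteed > full:
            findings.append(f"{iface}: guaranteed RATEs sum to {guaranteed} kbit > {full} kbit")
        if sum("default" in c["options"] for c in mine) != 1:
            findings.append(f"{iface}: exactly one class must carry the 'default' option")
    return findings


def guaranteed_total(tcdevices, tcclasses, iface):
    """Sum of the RATE column for one interface, in kbit/s."""
    full = parse_tcdevices(tcdevices)[iface]
    return sum((resolve_rate(c["rate"], full) for c in parse_tcclasses(tcclasses)
                if c["interface"] == iface), Fraction(0))


if __name__ == "__main__":
    for finding in audit(TCDEVICES, TCCLASSES) or ["OK: no findings"]:
        print(finding)
```

For the posted layout the six RATEs add up to exactly 100% of the 4200kbit OUT-BANDWIDTH, so the audit returns no findings; raising class 1 to full*60/100 makes it report the oversubscription.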

[leaf-user] Upgrading from 4.3.1 to 4.3.3

2013-02-01 Thread Doug Sampson
How does one upgrade from 4.3.1 to 4.3.3 on a system with Bering uClibc 
installed on /dev/sda1?

Here's what I think needs to be done.

I've downloaded the Bering-uClibc_4.3.3_i686_isolinux_vga.iso and opened it 
using a CD emulator. I can see that I can copy the following files to a share 
mounted as /dev/sda1:
*.lrp
*.lwp
*.tgz

Taking care NOT to overwrite leaf.cfg.

However I see that there is a syslinux folder on /dev/sda1 with the following 
files:

linux
syslinux.cfg
syslinux.dpy

On the ISO file in the ISOLINUX folder are the following files:

ISOLINUX.CFG
ISOLINUX.DPY
LINUX
BOOT.CAT
ISOLINUX.BIN

I am unsure how to handle these files. It looks like I can copy the first three 
files on the ISO and rename these similarly to the three files in the syslinux 
folder on /dev/sda1. I would like confirmation before I take this step. In 
addition, is further action needed for the BOOT.CAT and the ISOLINUX.BIN files?

~Doug

--
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_jan

leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/


[leaf-user] redirecting HTTPS

2012-12-19 Thread Doug Sampson
Hello LEAF-

I'm running BuC 4.3.1 and one of the Shorewall rules I have in there redirects 
(DNAT) www.example.com:7999 to web.example.com:80 
and it works great. However when I've done my shopping on that web site and 
check out my cart, I lose my connectivity to the web site simply because when I 
check out, the protocol switches from 80 to 443. My web browser complains that 
it's unable to connect via HTTPS.

Is there a workaround for this?

~Doug


Re: [leaf-user] scp?

2012-11-16 Thread Doug Sampson
> > > I hardcode this to SCP for Leaf.  Also disable "Lookup user groups"
> > > under Environment - SCP/Shell.
> >
> > How do you hardcode this?
> >
> 
> firewall# find / | grep scp
> /sys/module/x_tables/holders/xt_dscp
> /sys/module/xt_dscp
> /sys/module/xt_dscp/holders
> /sys/module/xt_dscp/initstate
> /sys/module/xt_dscp/refcnt
> /sys/module/xt_dscp/sections
> /sys/module/xt_dscp/sections/.note.gnu.build-id
> /sys/module/xt_dscp/sections/.text
> /sys/module/xt_dscp/sections/.exit.text
> /sys/module/xt_dscp/sections/.init.text
> /sys/module/xt_dscp/sections/.rodata.str1.4
> /sys/module/xt_dscp/sections/.data..read_mostly
> /sys/module/xt_dscp/sections/.gnu.linkonce.this_module
> /sys/module/xt_dscp/sections/.symtab
> /sys/module/xt_dscp/sections/.strtab
> /sys/module/xt_dscp/notes
> /sys/module/xt_dscp/notes/.note.gnu.build-id
> /usr/bin/scp
> /lib/modules/xt_dscp.ko
> /lib/xtables/libxt_dscp.so
> 
> firewall# ll /usr/bin | grep scp
> lrwxrwxrwx    1 root     root            21 Nov 15 17:39 scp -> ../sbin/dropbearmulti
> 
> firewall# ../sbin/dropbearmulti
> Dropbear multi-purpose version 2012.55
> Make a symlink pointing at this binary with one of the following names:
> 'dropbear' - the Dropbear server
> 'dropbearkey' - the key generator
> 'scp' - secure copy
> 
> firewall#
> 
> Does Leaf have its own SCP command? If so, what/where is it?
> 

I seem to have misconfigured the WinSCP setup for the scp connection to the BuC 
firewall. The scp connection is working fine now. I just had to choose to 
establish a SCP connection instead of a SFTP connection with fallback to SCP. 
Egads.

I also had to make sure that the shell points to /bin/sh as well.

~Doug



Re: [leaf-user] scp?

2012-11-16 Thread Doug Sampson
> > I hardcode this to SCP for Leaf.  Also disable "Lookup user groups"
> > under Environment - SCP/Shell.
> 
> How do you hardcode this?
> 

firewall# find / | grep scp
/sys/module/x_tables/holders/xt_dscp
/sys/module/xt_dscp
/sys/module/xt_dscp/holders
/sys/module/xt_dscp/initstate
/sys/module/xt_dscp/refcnt
/sys/module/xt_dscp/sections
/sys/module/xt_dscp/sections/.note.gnu.build-id
/sys/module/xt_dscp/sections/.text
/sys/module/xt_dscp/sections/.exit.text
/sys/module/xt_dscp/sections/.init.text
/sys/module/xt_dscp/sections/.rodata.str1.4
/sys/module/xt_dscp/sections/.data..read_mostly
/sys/module/xt_dscp/sections/.gnu.linkonce.this_module
/sys/module/xt_dscp/sections/.symtab
/sys/module/xt_dscp/sections/.strtab
/sys/module/xt_dscp/notes
/sys/module/xt_dscp/notes/.note.gnu.build-id
/usr/bin/scp
/lib/modules/xt_dscp.ko
/lib/xtables/libxt_dscp.so

firewall# ll /usr/bin | grep scp
lrwxrwxrwx    1 root     root            21 Nov 15 17:39 scp -> ../sbin/dropbearmulti

firewall# ../sbin/dropbearmulti
Dropbear multi-purpose version 2012.55
Make a symlink pointing at this binary with one of the following names:
'dropbear' - the Dropbear server
'dropbearkey' - the key generator
'scp' - secure copy

firewall#

Does Leaf have its own SCP command? If so, what/where is it?

~Doug



Re: [leaf-user] scp?

2012-11-16 Thread Doug Sampson
> I hardcode this to SCP for Leaf.  Also disable "Lookup user groups"
> under Environment - SCP/Shell.

How do you hardcode this?

~Doug
 




[leaf-user] scp?

2012-11-15 Thread Doug Sampson
Running version 4.3.1. of BuC. Apparently I cannot scp into the firewall. 
/var/log/auth.log reports successful login but then my WinSCP app hangs and 
times out.

I've got SFTP set up to fall back to SCP. Both the SFTP server and the SCP shell are 
set to /bin/sh.

This WinSCP configuration worked with the older 3.x version. Is there a tweak I 
need to implement for version 4.3.x?

Should I consider a different SCP app for Windows?

~Doug



Re: [leaf-user] Log Rotation BuC 4.3

2012-11-12 Thread Doug Sampson
> on 10.11.2012 17:03, KP Kirchdoerfer wrote:
> > Am 10.11.2012 03:10, schrieb Doug Sampson:
> >> I went looking for information on log rotation and came up dry:
> >>
> >> http://sourceforge.net/apps/mediawiki/leaf/index.php?title=Bering-
> uClibc_4.x_-_User_Guide_-_Basic_Configuration_-_Log_Files
> >>
> >> How is log rotation handled in BuC 4.3.x?
> >
> >
> > Hi;
> > agree, the link above is not very helpful.
> >
> > for simple things edit lrp.conf (choose 2 and 1 from the config
> interface).
> >
> > For more advanced settings use the syslog-ng documentation.
> 
> I have had a logrotat.lrp for a long time, I guess it goes back to
> Bering 1.2. It is not as complete as the real logrotate package, but
> performs pretty well. It does away with the logrotate code in
> multicron.d and does not rely on lrp.conf. It has been in production at
> my site for a number of years now. I left it with Eric W. those days and
> I guess it never made it into the mainstream. If anyone is interested,
> let me know.
> 

Nah, I think I'll stick with the basic log rotation functions found in 
lrp.conf. Thanks.

~Doug



[leaf-user] Log Rotation BuC 4.3

2012-11-09 Thread Doug Sampson
I went looking for information on log rotation and came up dry:

http://sourceforge.net/apps/mediawiki/leaf/index.php?title=Bering-uClibc_4.x_-_User_Guide_-_Basic_Configuration_-_Log_Files

How is log rotation handled in BuC 4.3.x?

~Doug


Re: [leaf-user] Upgrading from 4.3 to 4.3.1?

2012-11-09 Thread Doug Sampson
> Am 09.11.2012 19:16, schrieb Doug Sampson:
> > How does one upgrade a running BuC 4.3 system booting from /dev/sda1 to
> version 4.3.1? The change log indicates there were a few
> kernel(?)/packages upgrades. What's the easiest way to do an upgrade?
> 
> 
> The updated packages are:
> tc.lrp
> initrd.lrp
> root.lrp
> ulogd.lrp
> tor.lrp
> dnsmasq.lrp
> and one new package bbnameif.lrp
> 
> You can download these packages from the Packages page
> http://leaf.sourceforge.net/bering-
> uclibc/index.php?module=pagemaster&PAGE_user_op=view_page&PAGE_id=23&MMN_p
> osition=41:41
> 
> mount /dev/sda1 on your LEAF box
> save the packages you want to replace
> scp the packages from the download directory to /dev/sda1 on your LEAF box
> umount /dev/sda1 and reboot.

That was easy! Now running version 4.3.1.

Thanks! If only creating the ipt_ipp2p.ko were as easy as this one...

~Doug



[leaf-user] Upgrading from 4.3 to 4.3.1?

2012-11-09 Thread Doug Sampson
How does one upgrade a running BuC 4.3 system booting from /dev/sda1 to version 
4.3.1? The change log indicates there were a few kernel(?)/packages upgrades. 
What's the easiest way to do an upgrade?

~Doug



Re: [leaf-user] ipt_ipp2p.ko

2012-11-09 Thread Doug Sampson
> > I'm using version 4.3.1 of Bering uClibc and cannot locate the
> > ipt_ipp2p.ko module on the ISO image. Where can I find it?
> 
> I'm upgrading our firewall from version 3.1 to 4.3 and in the traffic
> shaping portion of Shorewall is a reference to the ipp2p:all function in
> tcrules. I would like to be able to carry over that rule to version 4.3.
> So that explains my request for the ipt_ipp2p.ko file.
> 
> Does anyone know where I can find it? Any pointers you could provide would
> be greatly appreciated!

So I located the source files at 
http://www.ipp2p.org/downloads/ipp2p-0.8.2.tar.gz but I'm not sure how to do a 
'make' as it appears a fully installed Linux system is needed in order to do a 
'make'. Would it be possible for one of you to build this? This module is for 
kernel version 2.4 and 2.6.

~Doug



Re: [leaf-user] ipt_ipp2p.ko

2012-11-09 Thread Doug Sampson
> I'm using version 4.3.1 of Bering uClibc and cannot locate the
> ipt_ipp2p.ko module on the ISO image. Where can I find it?

I'm upgrading our firewall from version 3.1 to 4.3 and in the traffic shaping 
portion of Shorewall is a reference to the ipp2p:all function in tcrules. I 
would like to be able to carry over that rule to version 4.3. So that explains 
my request for the ipt_ipp2p.ko file.

Does anyone know where I can find it? Any pointers you could provide would be 
greatly appreciated!

~Doug



[leaf-user] ipt_ipp2p.ko

2012-11-08 Thread Doug Sampson
I'm using version 4.3.1 of Bering uClibc and cannot locate the ipt_ipp2p.ko 
module on the ISO image. Where can I find it?

~Doug


[leaf-user] SIP proxy for version 3.1?

2012-11-02 Thread Doug Sampson
Hello-

I need to set up a SIP proxy with NAT on our current Bering uClibc firewall 
version 3.1. I see that there is a siproxd package for version 4.x but none for 
version 3.x. Does anyone know of a package that will allow us to masquerade SIP 
calls via the Bering firewall? Can the version 4.x package be used on version 
3.1 of the firewall?

~Doug


Re: [leaf-user] sending a mail from a script

2011-06-13 Thread Doug Sampson
> OK I'll try, I just found out there are multiple versions in my
> various
> deployed systems and as they don't have a version stamp I cannot
> know
> what you have.
 
I'm running Bering uClibc 3.1.


> My home system looks like the latest in Bering 4 and works indeed.
> One
> system at a remote location had a line starting with 'source' and
> this
> is a wrong keyword for that specific version of busybox. So if you
> have
> that version
> 

I appear not to have it.


> Anyway I tested with my home gateway and here is the first result
> 
> gatekeeper# mail -s foo -h 194.124.158.51 erich.t...@think.ch
> hostname: gatekeeper: Unknown host
> 
> Debugging shell scripts is pretty easy
> 
> gatekeeper# which mail
> /usr/sbin/mail
> gatekeeper# sh -x /usr/sbin/mail -s foo -h 194.124.158.51
> erich.t...@think.ch
> + prog=mail
> + OIFS=
> 
> + CR=
> + LF=
> 
> + MASTCONF=/etc/POSIXness.conf
> + [ -f /etc/POSIXness.conf ]
> + . /etc/POSIXness.conf
> + TIMEOUT=60
> + date +%s
> + ContentBoundry=11733--1307998981
> + ptx=/tmp/smtp.tx.11733
> + prx=/tmp/smtp.rx.11733
> + fdata=/tmp/smtp.data.11733
> + fbody=/tmp/smtp.body.11733
> + [ -e /tmp/smtp.rx.11733 ]
> + [ -e /tmp/smtp.tx.11733 ]
> + [ -e /tmp/smtp.data.11733 ]
> + [ -e /tmp/smtp.body.11733 ]
> + mknod /tmp/smtp.tx.11733 p
> + mknod /tmp/smtp.rx.11733 p
> + :
> + :
> + chmod 600 /tmp/smtp.tx.11733 /tmp/smtp.rx.11733
> /tmp/smtp.data.11733
> /tmp/smtp.body.11733
> + hostname -f
> hostname: gatekeeper: Unknown host
> 

<..snip..>

> 
> From foo...@mydomain.net  Mon Jun 13 23:35:01 2011
> Return-Path: 
> Received: from mydomain.net (gatekeeper.think.ch [194.124.158.99])
>   by luna.think.ch (8.14.3/8.14.3) with SMTP id p5DLZ0UL030723
>   for ; Mon, 13 Jun 2011 23:35:01 +0200
> Message-Id: <201106132135.p5dlz0ul030...@luna.think.ch>
> Date: Mon, 13 Jun 2011 21:34:54 +
> From: foo...@mydomain.net
> Subject: foobar
> To: erich.t...@think.ch
> X-Mailer: POSIXness Mail
> X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-
> 4.2.3
> (luna.think.ch [194.124.158.51]); Mon, 13 Jun 2011 23:35:01 +0200
> (CEST)
> 
> scoobly oobly doobab
> 

My mail script appears to function as expected. It outputs all the
correct values for each of the required variables and then awaits
additional input for the mail message body. The trouble is- I do not
know how to end it normally. In FreeBSD, I use a period as the first and
only character followed by a carriage return on a line in order to
complete the message body input. This doesn't appear to work the same
way in Bering. What is the Linux busybox mail equivalent?

Ah, never mind- I googled and found an entry using Ctrl + D as the mail
message body break. It now functions as expected.

Thanks.

~Doug



Re: [leaf-user] sending a mail from a script

2011-06-13 Thread Doug Sampson
> - source on line 6 is bogus, just comment it out and insert a `.`
> where it is used
> 
I'm not sure exactly which line is the sixth line you are referring
here. Is it the "CR='.' line? When counting lines, are the first three
commented lines at the beginning of the file counted? Empty lines also?

Please elaborate. I would love to use the mail command!

~Doug



Re: [leaf-user] OpenVPN running in DMZ using Bering uClibc 3.1

2011-03-29 Thread Doug Sampson
> -Original Message-
> From: Doug Sampson [mailto:do...@dawnsign.com]
> Sent: Tuesday, March 29, 2011 06:02 PM
> To: leaf-user@lists.sourceforge.net
> Subject: [leaf-user] OpenVPN running in DMZ using Bering uClibc
> 3.1
> 
> Hello,
> 
> I'm experimenting with a dd-wrt type wireless access point in a
> DMZ
> setting using a three NIC router. I do not want to expose the WAP
> to the
> Internet- thus it sits in the DMZ. The network is as follows;
> 
>    INTERNET
>       |
>       |
>    FIREWALL-DMZ <<<<<<<<<< WAP
>       | 10.8.2.x          10.8.2.5
>       |
>      LAN
>    10.8.1.x
> 
> I have been using OpenVPN successfully authenticating road
> warriors for
> years. They connect to the WAN card on the router. I used this
> documentation:
> 
> http://www.shorewall.net/3.0/OPENVPN.html
> 
> in configuring the firewall for OpenVPN access.
> 
> Now, the WAP has a fixed IP address in the DMZ zone and uses the
> firewall as the gateway to the Internet. I can connect to the
> Internet
> using a wireless client connected to the WAP in the DMZ zone.
> 
> I tried using the stock OpenVPN client configuration that worked
> well in
> the Internet behind the DMZ and it fails. I modified the
> /etc/shorewall/tunnels as follows:
> 
> #TYPE           ZONE    GATEWAY         GATEWAY
> #                                       ZONE
> openvpnserver   net     0.0.0.0/0
> openvpnserver   dmz     0.0.0.0/0
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
> 
> Reading the rest of the documentation, it appears there is
> nothing else
> I need to do. However, when I attempt to connect using OpenVPN
> from a
> wireless client with an IP address in the DMZ zone, I fail to
> connect. I
> get repeated error messages as follows:
> 
> Tue Mar 29 17:27:00 2011 TCP/UDP: Incoming packet rejected from
> 10.8.2.254:1194[2], expected peer address: 10.8.1.254:1194 (allow
> this
> incoming source address/port by removing --remote or adding --
> float)
> 
> I've restarted Shorewall after making the configuration change
> but not
> the system. What am I missing? There isn't any documentation
> showing a
> setup allowing OpenVPN connections from both the Internet and the
> DMZ.
> 
> Or is OpenVPN designed to handle one zone only?
> 

It turns out to be an OpenVPN issue. Once I hardcoded a static IP
address of the DMZ NIC of the firewall into the openvpn.conf file, I was
able to obtain a valid VPN IP address. However, I wasn't able to get
into the local network nor was I able to get out to the Internet.
Interestingly enough, I saw a CPU spike to 100% once the connection was
made. I'll bet this is a DNS/OpenVPN misconfiguration affecting clients
trying to access from the DMZ zone. I'll work some more on this tomorrow
morning.

~Doug



[leaf-user] OpenVPN running in DMZ using Bering uClibc 3.1

2011-03-29 Thread Doug Sampson
Hello,

I'm experimenting with a dd-wrt type wireless access point in a DMZ
setting using a three NIC router. I do not want to expose the WAP to the
Internet- thus it sits in the DMZ. The network is as follows;

   INTERNET
      |
      |
   FIREWALL-DMZ <<<<<<<<<< WAP
      | 10.8.2.x          10.8.2.5
      |
     LAN
   10.8.1.x

I have been using OpenVPN successfully authenticating road warriors for
years. They connect to the WAN card on the router. I used this
documentation:

http://www.shorewall.net/3.0/OPENVPN.html

in configuring the firewall for OpenVPN access.

Now, the WAP has a fixed IP address in the DMZ zone and uses the
firewall as the gateway to the Internet. I can connect to the Internet
using a wireless client connected to the WAP in the DMZ zone. 

I tried using the stock OpenVPN client configuration that worked well in
the Internet behind the DMZ and it fails. I modified the
/etc/shorewall/tunnels as follows:

#TYPE           ZONE    GATEWAY         GATEWAY
#                                       ZONE
openvpnserver   net     0.0.0.0/0
openvpnserver   dmz     0.0.0.0/0
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Reading the rest of the documentation, it appears there is nothing else
I need to do. However, when I attempt to connect using OpenVPN from a
wireless client with an IP address in the DMZ zone, I fail to connect. I
get repeated error messages as follows:

Tue Mar 29 17:27:00 2011 TCP/UDP: Incoming packet rejected from
10.8.2.254:1194[2], expected peer address: 10.8.1.254:1194 (allow this
incoming source address/port by removing --remote or adding --float)

I've restarted Shorewall after making the configuration change but not
the system. What am I missing? There isn't any documentation showing a
setup allowing OpenVPN connections from both the Internet and the DMZ.

Or is OpenVPN designed to handle one zone only?

~Doug



Re: [leaf-user] VPN name resolution?

2007-02-07 Thread Doug Sampson
> > I tested from home. Here's what happened when I input nslookup:
> > 
> > C:\Documents and Settings\Doug>nslookup
> > *** Can't find server name for address 10.8.0.1: No 
> response from server
> > *** Can't find server name for address 192.168.1.254: No 
> response from
> > server
> > *** Can't find server name for address 192.168.0.1: 
> Non-existent domain
> > *** Default servers are not available
> 
> Ok this shows that the servers cannot be reached.
> 
> > Default Server:  UnKnown
> > Address:  10.8.0.1
> > 
> > The ipconfig /all command for the TAP-32 adapter shows 
> correct values for
> > all DHCP options.
> > 
> > However, when I modified the DHCP option for dns server to 
> point at a
> > different name server (192.168.1.1) on the loc area, 
> nslookup immediately
> > worked!
> > 
> > It looks like the DNS server (dnsmasq) on the Bering firewall isn't
> > accessible from VPN clients. As mentioned in an earlier 
> mail, I've followed
> > instructions on the Bering web site for setting up the 
> openvpn config file
> > as well as changes to Shorewall. Do I need to add rules to 
> allow connections
> > on port 53 between VPN and FW in Shorewall rules?
> 
> I am not that familiar with dnsmasq. I am still using 
> dnscache. Have you
> verified the traffic on tunx to see it there is a request on port 53
> passed.

Yes.
 
> Does dnsmasq need to be told on which IP address it accepts requests.

# If you want dnsmasq to listen for DHCP and DNS requests only on
# specified interfaces (and the loopback) give the name of the
# interface (eg eth0) here.
# Repeat the line for more than one interface.
#interface=eth1
#interface=eth2
# Or you can specify which interface _not_ to listen on
#except-interface=
# Or which to listen on by address (remember to include 127.0.0.1 if
# you use this.)
#listen-address=
listen-address=192.168.1.254
listen-address=192.168.2.254
listen-address=10.8.0.1
listen-address=127.0.0.1

> Do you allow DNS requests on your tunnel?

Yes.

I've modified the Shorewall rules to allow connections on port 53 between
vpn and fw. Will test tonight and report back.

Thanks, Erich, for walking me through this.

~Doug



Re: [leaf-user] VPN name resolution?

2007-02-07 Thread Doug Sampson
> > > What do I need to do in order to get names resolved on all 
> > openVPN clients?
> > > The following are possibilities but I would like to gather 
> > feedback from you
> > > guys first.
> > 
> > Make your DNS server accessible from the VPN client.
> > 
> > - You push 2 dhcp options to the client, are they actually 
> registered?
> > - If so, are they honoured when you run nslookup?
> > - Does nslookup return anything meaningful?
> > 
> > If everything fails, the OpenVPN mailing list is full of very
> > knowledgeable people.
> > 
> I will test from home tonight and report back.

I tested from home. Here's what happened when I input nslookup:

C:\Documents and Settings\Doug>nslookup
*** Can't find server name for address 10.8.0.1: No response from server
*** Can't find server name for address 192.168.1.254: No response from
server
*** Can't find server name for address 192.168.0.1: Non-existent domain
*** Default servers are not available
Default Server:  UnKnown
Address:  10.8.0.1

The ipconfig /all command for the TAP-32 adapter shows correct values for
all DHCP options.

However, when I modified the DHCP option for dns server to point at a
different name server (192.168.1.1) on the loc area, nslookup immediately
worked!

It looks like the DNS server (dnsmasq) on the Bering firewall isn't
accessible from VPN clients. As mentioned in an earlier mail, I've followed
instructions on the Bering web site for setting up the openvpn config file
as well as changes to Shorewall. Do I need to add rules to allow connections
on port 53 between VPN and FW in Shorewall rules?

~Doug


Re: [leaf-user] VPN name resolution?

2007-02-06 Thread Doug Sampson
> > What do I need to do in order to get names resolved on all
> > openVPN clients?
> > The following are possibilities but I would like to gather
> > feedback from you
> > guys first.
> 
> Make your DNS server accessible from the VPN client.
> 
> - You push 2 dhcp options to the client, are they actually registered?
> - If so, are they honoured when you run nslookup?
> - Does nslookup return anything meaningful?
> 
> If everything fails, the OpenVPN mailing list is full of very
> knowledgeable people.
> 

I will test from home tonight and report back.

~Doug


[leaf-user] VPN name resolution?

2007-02-06 Thread Doug Sampson
I've been running OpenVPN on our Bering 2.4.2 firewall for some time now.
However, I have never been able to resolve FQDNs running as clients so I've
been using HOSTS files in place. I would like to see if I could get around
this limitation as this requires maintenance of these HOSTS files from time
to time. Our network uses a three interface model- loc, dmz, & net. The name
of the firewall is 'firewall'.

We support Windows and OS X clients. The Windows OpenVPN client 

Here's the openvpn.conf in condensed format:

server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/state/openvpn-ipp.txt
push "route 192.168.1.0 255.255.255.0"
route 192.168.1.0 255.255.255.0 firewall
push "dhcp-option DNS 10.8.0.1"
push "dhcp-option DNS 192.168.1.254"
push "dhcp-option WINS 192.168.1.1"
push "dhcp-option DOMAIN dawnsign.com"

I have dnsmasq running on 192.168.1.254 & 192.168.2.254.

I've confirmed that the Shorewall is configured as follows:

- Add a new zone to /etc/shorewall/zones:

  vpn VPN Remote Subnet

- Add the tun interface to /etc/shorewall/interfaces:

  vpn tun+

- You can either open the traffic between the vpn zone and the local net
completely by adding

  loc vpn ACCEPT 
  vpn loc ACCEPT

  to /etc/shorewall/policy - or just add the ports you want to open in
/etc/shorewall/rules.

- As a last step, add your vpn to the shorewall tunnel definitions
(/etc/shorewall/tunnels)

  openvpn  net 0.0.0.0/0
  openvpn:udp:1195 net 0.0.0.0/0



What do I need to do in order to get names resolved on all openVPN clients?
The following are possibilities but I would like to gather feedback from you
guys first.

1) Do I need to enable any of the following in openvpn.conf?
  ;push "redirect-gateway def1"   or

  ;push "redirect-gateway" 

2) do I need to modify the /etc/shorewall/rules to allow port 53 connections
between VPN and fw?

I'd appreciate any advice you may have for us.

~Doug 


Re: [leaf-user] Backing up to /dev/hda0

2006-11-06 Thread Doug Sampson
> > Something you might want to try is to rmmod the IDE modules 
> > and insmod 
> > them again - since they're unused according to lsmod, that 
> > should work 
> > (and who knows, you might be able to gain access to your hd 
> > that way again).
> > 
> > Just an idea - I have no clue if that will help or not.
> > 
> 
firewall# lsmod
Module  Size  Used byNot tainted
tun 2944   3
softdog 1360   1
ipt_physdev  580   0
ipt_recent  6608   5
ipt_ipp2p   5624   1
ipt_state272  30
ipt_helper   400   0 (unused)
ipt_conntrack692   0
ipt_REDIRECT 480   1
ipt_MASQUERADE  1024   2
ip_nat_irc  1704   0 (unused)
ip_nat_ftp  2152   0 (unused)
iptable_nat14452   3 [ipt_REDIRECT ipt_MASQUERADE ip_nat_irc
ip_nat_ftp]
ip_conntrack_irc2484   1
ip_conntrack_ftp3132   1
ip_conntrack   16516   2 [ipt_state ipt_helper ipt_conntrack
ipt_REDIRECT ipt_MASQUERADE ip_nat_irc ip_nat_ftp iptable_nat
ip_conntrack_irc ip_conntrack_ftp]
3c59x  23768   2
eepro100   16844   1
mii 1820   0 [eepro100]
crc32   2620   0 (unused)
isofs  15700   0
ide-detect   132   0 (unused)
ide-cd 26748   0
ide-disk   11308   0
ide-core   80476   0 [ide-detect ide-cd ide-disk]
cdrom  25344   0 [ide-cd]
firewall# insmod ide-disk
insmod: ide-disk.o: no module by that name found
firewall# insmod /lib/modules/ide-disk
insmod: ide-disk.o: no module by that name found
firewall# find / | grep ide-
/boot/lib/modules/ide-core.o
/boot/lib/modules/ide-disk.o
/boot/lib/modules/ide-detect.o
/boot/lib/modules/ide-cd.o
firewall# insmod /boot/lib/modules/ide-disk
insmod: ide-disk.o: no module by that name found
firewall# insmod /boot/lib/modules/ide-disk.o
Using /boot/lib/modules/ide-disk.o
insmod: A module named ide-disk already exists
firewall# rmmod /boot/lib/modules/ide-disk.o 
rmmod: /boot/lib/modules/ide-disk.o: No such file or directory
firewall# rmmod /boot/lib/modules/ide-disk  
rmmod: /boot/lib/modules/ide-disk: No such file or directory
firewall# find / | grep ide- 
/boot/lib/modules/ide-core.o
/boot/lib/modules/ide-disk.o
/boot/lib/modules/ide-detect.o
/boot/lib/modules/ide-cd.o
firewall# 

Can someone tell me whether this is normal behavior?

~Doug


Re: [leaf-user] Backing up to /dev/hda0

2006-11-02 Thread Doug Sampson
When doing 'mount /dev/hda1 /mnt', /var/log/syslog reveals the following:

Nov  2 12:08:06 firewall kernel: end_request: I/O error, dev 03:01 (hda),
sector 2
Nov  2 12:08:06 firewall kernel: MINIX-fs: unable to read superblock
Nov  2 12:08:06 firewall kernel: end_request: I/O error, dev 03:01 (hda),
sector 0
Nov  2 12:08:06 firewall kernel: FAT: unable to read boot sector
Nov  2 12:08:06 firewall kernel: end_request: I/O error, dev 03:01 (hda),
sector 64
Nov  2 12:08:06 firewall kernel: isofs_read_super: bread failed, dev=03:01,
iso_blknum=16, block=32

What do these mean?

~Doug


Re: [leaf-user] Backing up to /dev/hda0

2006-11-02 Thread Doug Sampson
> On Thursday, 2 November 2006 20:51, Doug Sampson wrote:
> > firewall# mount &dev/hda1 /mnt
> > /dev/root on / type tmpfs (rw)
> > /proc on /proc type proc (rw)
> > tmpfs on /tmp type tmpfs (rw)
> > tmpfs on /var/log type tmpfs (rw)
> > -sh: dev/hda1: Permission denied
> > [1] + Done                       mount
> > firewall#
> >
> > Permission denied???
> 
> If you provided a screenshot that's no surprise?
> 
> The command is 
> 
> mount /dev/hda1 /mnt
> 
> and  not
> 
> mount &dev/hda1 /mnt
> 

Sheesh!

firewall# mount /dev/hda1 /mnt
mount: Mounting /dev/hda1 on /mnt failed: Invalid argument
firewall# 

No luck. I'll keep on poking around.

~D


Re: [leaf-user] Backing up to /dev/hda0

2006-11-02 Thread Doug Sampson
> > firewall# more pkgpath.disks
> > /dev/hda1 msdos
> > firewall# mount -t msdos /dev/hda1 /mnt
> > mount: Mounting /dev/hda1 on /mnt failed: Invalid argument
> very odd. Does "mount &dev/hda1 /mnt" (without the "-t 
> msdos") give you 
> a different error message? Most likely not, but who knows.
> 

firewall# mount &dev/hda1 /mnt
/dev/root on / type tmpfs (rw)
/proc on /proc type proc (rw)
tmpfs on /tmp type tmpfs (rw)
tmpfs on /var/log type tmpfs (rw)
-sh: dev/hda1: Permission denied
[1] + Done   mount
firewall# 

Permission denied???

> Something you might want to try is to rmmod the IDE modules 
> and insmod 
> them again - since they're unused according to lsmod, that 
> should work 
> (and who knows, you might be able to gain access to your hd 
> that way again).
> 
> Just an idea - I have no clue if that will help or not.
> 

I'm reluctant to do this. Will consider this as a last resort.

> 
> P.S. You might want to make a backup of your router using scp before 
> playing around too much - so at least you won't lose any 
> configuration 
> changes you might have done since your last backup. For all I know, 
> trying to rmmod the IDE modules might lock up your system, 
> forcing you 
> to reboot.

Yep. Definitely.


Re: [leaf-user] Backing up to /dev/hda0

2006-11-02 Thread Doug Sampson
> You can check the bootup and package loading information in the
> /var/lib/lrpkg/backdisk (per package) and /var/lib/lrpkg/pkgpath.disks
> files.
> 
> Eric
> 

firewall# more backdisk
initrd=-t msdos /dev/hda1
root=-t msdos /dev/hda1
config=-t msdos /dev/hda1
etc=-t msdos /dev/hda1
local=-t msdos /dev/hda1
modules=-t msdos /dev/hda1
iptables=-t msdos /dev/hda1
keyboard=-t msdos /dev/hda1
shorwall=-t msdos /dev/hda1
ulogd=-t msdos /dev/hda1
dnsmasq=-t msdos /dev/hda1
dropbear=-t msdos /dev/hda1
easyrsa=-t msdos /dev/hda1
ntpdate=-t msdos /dev/hda1
mhttpd=-t msdos /dev/hda1
weblet=-t msdos /dev/hda1
webconf=-t msdos /dev/hda1
libm=-t msdos /dev/hda1
libsnmp=-t msdos /dev/hda1
netsnmpd=-t msdos /dev/hda1
liblzo=-t msdos /dev/hda1
libssl=-t msdos /dev/hda1
openssl=-t msdos /dev/hda1
libcrpto=-t msdos /dev/hda1
openvpnz=-t msdos /dev/hda1
firewall# more pkgpath.disks
/dev/hda1 msdos
firewall# mount -t msdos /dev/hda1 /mnt
mount: Mounting /dev/hda1 on /mnt failed: Invalid argument
firewall# cd /
firewall# ll
drwxr-xr-x2 root root 1180 Sep  4 11:37 bin
drwxr-xr-x4 root root   80 Mar  4  2006 boot
drwxr-xr-x2 root root   40 Mar  6  2006 cdrom
drwxr-xr-x4 root root 8660 Sep  4 11:37 dev
drwxr-xr-x   26 root root 1240 Sep  4 11:37 etc
drwxr-xr-x2 root root   40 Sep  4 11:37 initrd
drwxr-xr-x4 root root  440 Sep  4 11:37 lib
lrwxrwxrwx1 root root   26 Sep  4 11:37 linuxrc ->
var/lib/lrpkg/root.linuxrc
drwxr-xr-x3 root root   60 Oct 24 13:28 mnt
drwxr-xr-x2 root root   40 Sep  4 11:37 nfs
-rw---1 root root27013 Sep 20 14:41 openvpn.log
dr-xr-xr-x   42 root root0 Sep  4 11:37 proc
drwxr-xr-x2 root root   80 Sep 20 14:41 root
drwxr-xr-x2 root root  620 Sep  4 11:37 sbin
drwxrwxrwt3 root root   60 Nov  1 15:20 tmp
drwxr-xr-x8 root root  200 Oct 30  2004 usr
drwxr-xr-x   10 root root  220 Oct 30  2004 var
firewall# df
Filesystem   1k-blocks  Used Available Use% Mounted on
/dev/root98304  7976 90328   8% /
tmpfs   128620 0128620   0% /tmp
tmpfs32768  1228 31540   4% /var/log
firewall# 

/mnt exists. So what is going on?

~D


Re: [leaf-user] Backing up to /dev/hda0

2006-11-02 Thread Doug Sampson
> Hi Doug,
> 
> Try looking at /etc/syslinux.cfg.  It should give you a clue what device was
> used.
> 
> jerome


syslinux.cfg doesn't exist in /etc. I think that Bering boots from /dev/hda1
so syslinux.cfg wouldn't be in /etc in RAM...

There's something fishy going on and I don't quite understand what is going
on. It's possible that it has booted up from CDROM instead of from
/dev/hda1. How do I confirm this theory without disrupting our production
network? The weird thing is- our DNS records are still there so those must
not have come from CDROM... There's no disk in /dev/fd0u1680 either...

~D


Re: [leaf-user] Backing up to /dev/hda0

2006-11-02 Thread Doug Sampson
> Doug Sampson wrote:
> > firewall# lsmod
> ...
> > Module  Size  Used by
> > isofs  15700   0
> > ide-detect   132   0 (unused)
> > ide-cd 26748   0
> > ide-disk   11308   0
> > ide-core   80476   0 [ide-detect ide-cd ide-disk]
> > cdrom  25344   0 [ide-cd]
> > 
> > Seems to be loaded, no?
> > 
> 
> Loaded, but the "used by is 0" - that's weird.   Do you have 
> /dev/hda* 
> entries in /dev?  For example:
> 
> brw-rw 1 root disk 3, 0 2006-11-01 12:45 /dev/hda
> brw-rw 1 root disk 3, 1 2006-11-01 12:45 /dev/hda1
> brw-rw 1 root disk 3, 2 2006-11-01 12:45 /dev/hda2
> brw-rw 1 root disk 3, 3 2006-11-01 12:45 /dev/hda3
> 

firewall# cd /dev
firewall# ll *hda*
brw-rw1 root disk   3,   0 Sep  4 11:37 hda
brw-rw1 root disk   3,   1 Sep  4 11:37 hda1
brw-rw1 root disk   3,   2 Sep  4 11:37 hda2
brw-rw1 root disk   3,   3 Sep  4 11:37 hda3
brw-rw1 root disk   3,   4 Sep  4 11:37 hda4
brw-rw1 root disk   3,   5 Sep  4 11:37 hda5
brw-rw1 root disk   3,   6 Sep  4 11:37 hda6
brw-rw1 root disk   3,   7 Sep  4 11:37 hda7
brw-rw1 root disk   3,   8 Sep  4 11:37 hda8
firewall# 


Re: [leaf-user] Backing up to /dev/hda0

2006-11-01 Thread Doug Sampson
> Doug Sampson wrote:
> > This is dumb but here it goes...
> > 
> > Much earlier this year I set up a router using Bering
> > uClibc 2.3.1 booting
> > off /dev/hda1 instead of a floppy. It has worked flawlessly
> > since then.
> > 
> > I have since then made some changes to our DNS records and
> > I wanted to back
> > up these changes to /dev/hda1. I'm using dnsmasq so I went
> > to the backup
> > menu and tried backing up dnsmasq. It failed. Ok, so /dev/hda1 isn't
> > mounted. So I typed in the following and this is what I got:
> > 
> > firewall# mount -t msdos /dev/hda0 /mnt
> > mount: Mounting /dev/hda0 on /mnt failed: No such file or directory
> > firewall# mount -t msdos /dev/hda1 /mnt
> > mount: Mounting /dev/hda1 on /mnt failed: Invalid argument
> > firewall# mount -t msdos /dev/hda2 /mnt
> > mount: Mounting /dev/hda2 on /mnt failed: Invalid argument
> > firewall# df
> > Filesystem   1k-blocks  Used Available Use% Mounted on
> > /dev/root98304  7960 90344   8% /
> > tmpfs   128620 0128620   0% /tmp
> > tmpfs32768  1144 31624   3% /var/log
> > firewall# 
> 
> I've seen this when forgetting to load the ide drivers. Do 
> you have the 
> module for your IDE drive loaded? You can check with lsmod.
> 

firewall# lsmod
Module  Size  Used byNot tainted
tun 2944   3
softdog 1360   1
ipt_physdev  580   0
ipt_recent  6608   5
ipt_ipp2p   5624   1
ipt_state272  30
ipt_helper   400   0 (unused)
ipt_conntrack692   0
ipt_REDIRECT 480   1
ipt_MASQUERADE  1024   2
ip_nat_irc  1704   0 (unused)
ip_nat_ftp  2152   0 (unused)
iptable_nat14452   3 [ipt_REDIRECT ipt_MASQUERADE ip_nat_irc
ip_nat_ftp]
ip_conntrack_irc2484   1
ip_conntrack_ftp3132   1
ip_conntrack   16516   2 [ipt_state ipt_helper ipt_conntrack
ipt_REDIRECT ipt_MASQUERADE ip_nat_irc ip_nat_ftp iptable_nat
ip_conntrack_irc ip_conntrack_ftp]
3c59x  23768   2
eepro100   16844   1
mii 1820   0 [eepro100]
crc32   2620   0 (unused)
isofs  15700   0
ide-detect   132   0 (unused)
ide-cd 26748   0
ide-disk   11308   0
ide-core   80476   0 [ide-detect ide-cd ide-disk]
cdrom  25344   0 [ide-cd]

Seems to be loaded, no?

~D


[leaf-user] Backing up to /dev/hda0

2006-11-01 Thread Doug Sampson
This is dumb but here it goes...

Much earlier this year I set up a router using Bering uClibc 2.3.1 booting
off /dev/hda1 instead of a floppy. It has worked flawlessly since then.

I have since then made some changes to our DNS records and I wanted to back
up these changes to /dev/hda1. I'm using dnsmasq so I went to the backup
menu and tried backing up dnsmasq. It failed. Ok, so /dev/hda1 isn't
mounted. So I typed in the following and this is what I got:

firewall# mount -t msdos /dev/hda0 /mnt
mount: Mounting /dev/hda0 on /mnt failed: No such file or directory
firewall# mount -t msdos /dev/hda1 /mnt
mount: Mounting /dev/hda1 on /mnt failed: Invalid argument
firewall# mount -t msdos /dev/hda2 /mnt
mount: Mounting /dev/hda2 on /mnt failed: Invalid argument
firewall# df
Filesystem   1k-blocks  Used Available Use% Mounted on
/dev/root98304  7960 90344   8% /
tmpfs   128620 0128620   0% /tmp
tmpfs32768  1144 31624   3% /var/log
firewall# 

I know I partitioned /dev/hda1 and /dev/hdb1 when I set up this router early
this year using msdos as the filetype. I believe the partition size is no
more than 32 MB each.

I've looked into http://leaf.sourceforge.net/doc/bk02ch11s03.html and cannot
figure out what I'm doing wrong. I can reboot and get it working just fine.
Typing 'man mount' at the command prompt doesn't work.

I don't quite understand this- I do not use Linux regularly. Like I said,
this is quite dumb...

~Doug


RE: [leaf-user] Bering Shorewall rejecting packets via VPN?

2006-04-27 Thread Doug Sampson
> Doug Sampson wrote:
> > Hi all,
> > 
> > I'm seeing these messages in my logs:
> > 
> > <..snip..>
> > Apr 25 14:07:30 firewall Shorewall:all2all:REJECT: IN=tun0 OUT= MAC=
> > SRC=10.8.0.14 DST=192.168.1.254 LEN=89 TOS=18 PREC=0x00
> > TTL=255 ID=41848 CE
> > PROTO=UDP SPT=5353 DPT=53 LEN=69
> 
> This is vpn to fw traffic
> 
> ...
> 
> > 
> 
> 
> > 
> > Added to /etc/shorewall/policy
> > 
> >   loc   vpn ACCEPT
> >   vpn loc ACCEPT
> 
> and either here or in the rules it has to be allowed ...
> 
> ...
> 
> > 
> > 
> > What am I doing wrong?
> 
> :-)
> 
> cheers
> 
> Erich
>

That seems to be the trick. I'll look into this. Thanks for the response.

~D 



[leaf-user] Bering Shorewall rejecting packets via VPN?

2006-04-25 Thread Doug Sampson
Hi all,

I'm seeing these messages in my logs:

<..snip..>
Apr 25 14:07:30 firewall Shorewall:all2all:REJECT: IN=tun0 OUT= MAC=
SRC=10.8.0.14 DST=192.168.1.254 LEN=89 TOS=18 PREC=0x00 TTL=255 ID=41848 CE
PROTO=UDP SPT=5353 DPT=53 LEN=69 
Apr 25 14:07:44 firewall Shorewall:all2all:REJECT: IN=tun0 OUT= MAC=
SRC=10.8.0.14 DST=192.168.1.254 LEN=89 TOS=18 PREC=0x00 TTL=255 ID=41851 CE
PROTO=UDP SPT=5353 DPT=53 LEN=69 
Apr 25 14:07:44 firewall Shorewall:all2all:REJECT: IN=tun0 OUT= MAC=
SRC=10.8.0.14 DST=192.168.1.254 LEN=89 TOS=18 PREC=0x00 TTL=255 ID=41853 CE
PROTO=UDP SPT=5353 DPT=53 LEN=69 
Apr 25 14:07:44 firewall Shorewall:all2all:REJECT: IN=tun0 OUT= MAC=
SRC=10.8.0.14 DST=192.168.1.254 LEN=89 TOS=18 PREC=0x00 TTL=255 ID=41855 CE
PROTO=UDP SPT=5353 DPT=53 LEN=69 
Apr 25 14:07:44 firewall Shorewall:all2all:REJECT: IN=tun0 OUT= MAC=
SRC=10.8.0.14 DST=192.168.1.254 LEN=89 TOS=18 PREC=0x00 TTL=255 ID=41857 CE
PROTO=UDP SPT=5353 DPT=53 LEN=69 
Apr 25 14:07:44 firewall Shorewall:all2all:REJECT: IN=tun0 OUT= MAC=
SRC=10.8.0.14 DST=192.168.1.254 LEN=89 TOS=18 PREC=0x00 TTL=255 ID=41859 CE
PROTO=UDP SPT=5353 DPT=53 LEN=69 
Apr 25 14:07:44 firewall Shorewall:all2all:REJECT: IN=tun0 OUT= MAC=
SRC=10.8.0.14 DST=192.168.1.254 LEN=89 TOS=18 PREC=0x00 TTL=255 ID=41861 CE
PROTO=UDP SPT=5353 DPT=53 LEN=69 
<..snip..>

This occurs each time an OpenVPN client attempts to access the internal M$
Exchange server with his Mac Classic 8.2.1 Outlook running in Classic
Environment on his Mac OS X laptop. I've modified the /etc/hosts file so
that the internal mail server is referenced by its internal IP address- dhcp
options are not pushed to non-Windows clients (not without getting into the
nitty-gritty). I can ping the mail server via vpn with either the domain
name or the IP address.

I'm running Bering uClibc 2.4 RC2. What I've done to Shorewall:

I've added to /etc/shorewall/zones:

  vpn   VPN Remote Subnet

Added to /etc/shorewall/interfaces:

  vpn tun0

Added to /etc/shorewall/policy

  loc   vpn ACCEPT
  vpn loc ACCEPT

Added to /etc/shorewall/tunnels:

  openvpn   net 0.0.0.0/0
  openvpn:udp:1195  net 0.0.0.0/0

I've also added the following to /etc/shorewall/rules:

  #   VPN DNS Access to/from local/firewall DNS server
  ACCEPT  loc vpn tcp 53
  ACCEPT  loc vpn udp 53
  ACCEPT  vpn loc tcp 53
  ACCEPT  vpn loc udp 53
  ACCEPT  fw  vpn tcp 53
  ACCEPT  fw  vpn udp 53
  ACCEPT  vpn fw  tcp 53
  ACCEPT  vpn fw  udp 53
  #


Output of restarting Shorewall as follows:

firewall# /etc/init.d/shorewall restart
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Restarting Shorewall...
Initializing...
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Extended Multi-port Match: Not available
   Connection Tracking Match: Not available
   Packet Type Match: Available
   Policy Match: Not available
   Physdev Match: Not available
   IP range Match: Not available
   Recent Match: Available
   Owner Match: Not available
   Ipset Match: Not available
   ROUTE Target: Not available
   Extended MARK Target: Not available
   CONNMARK Target: Not available
   Connmark Match: Not available
   Raw Table: Not available
Determining Zones...
   Zones: net loc dmz vpn
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
   Net Zone: eth0:0.0.0.0/0
   Local Zone: eth1:0.0.0.0/0
   DMZ Zone: eth2:0.0.0.0/0
   VPN Zone: tun+:0.0.0.0/0
Processing /etc/shorewall/init ...
Pre-processing Actions...
   Pre-processing /usr/share/shorewall/action.DropSMB...
   Pre-processing /usr/share/shorewall/action.RejectSMB...
   Pre-processing /usr/share/shorewall/action.DropUPnP...
   Pre-processing /usr/share/shorewall/action.RejectAuth...
   Pre-processing /usr/share/shorewall/action.DropPing...
   Pre-processing /usr/share/shorewall/action.DropDNSrep...
   Pre-processing /usr/share/shorewall/action.AllowPing...
   Pre-processing /usr/share/shorewall/action.AllowFTP...
   Pre-processing /usr/share/shorewall/action.AllowDNS...
   Pre-processing /usr/share/shorewall/action.AllowSSH...
   Pre-processing /usr/share/shorewall/action.AllowWeb...
   Pre-processing /usr/share/shorewall/action.AllowSMB...
   Pre-processing /usr/share/shorewall/action.AllowAuth...
   Pre-processing /usr/share/shorewall/action.AllowSMTP...
   Pre-processing /usr/share/shorewall/action.AllowSubmission...
   Pre-processi
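
The REJECT lines above, and the question in the later "VPN name resolution?" thread about whether port 53 must be opened between the vpn and fw zones, come down to one point: a packet from tun0 to 192.168.1.254 is addressed to the firewall itself, so Shorewall treats it as vpn-to-fw traffic, and the loc/vpn policies never apply to it. The following Python script is an added example (not code from this thread and not Shorewall's own implementation): it parses log lines of the form shown above, maps them to zone pairs the way Shorewall does, and evaluates them against a small model of the policy and rules files. The interface-to-zone table and the firewall addresses are taken from the thread; the `all all REJECT` catch-all policy is assumed from the `all2all` chain name in the log, and the sample log lines are constructed.

```python
import re

# Interface-to-zone mapping as the Shorewall restart output in the thread lists it
# (Net eth0, Local eth1, DMZ eth2, VPN tun+).
INTERFACE_ZONES = {"eth0": "net", "eth1": "loc", "eth2": "dmz", "tun0": "vpn"}

# Addresses the firewall itself answers on (the dnsmasq listen-address lines in the
# later thread); packets to these belong to the 'fw' zone, whatever interface they use.
FIREWALL_ADDRS = {"192.168.1.254", "192.168.2.254", "10.8.0.1", "127.0.0.1"}

# Policies from the thread, plus the 'all all REJECT' catch-all that the 'all2all'
# chain name in the log implies (an assumption, not quoted configuration).
POLICIES = [("loc", "vpn", "ACCEPT"), ("vpn", "loc", "ACCEPT"), ("all", "all", "REJECT")]

# Rules: none at first, then the vpn->fw DNS entries the poster added.
RULES_BEFORE = []
RULES_AFTER = [("ACCEPT", "vpn", "fw", "udp", 53), ("ACCEPT", "vpn", "fw", "tcp", 53)]

# Constructed sample log, modelled on the REJECT lines quoted in the post,
# plus one unrelated syslog line to show the parser skipping it.
SAMPLE_LOG = """\
Apr 25 14:07:30 firewall Shorewall:all2all:REJECT: IN=tun0 OUT= MAC= SRC=10.8.0.14 DST=192.168.1.254 LEN=89 TOS=18 PREC=0x00 TTL=255 ID=41848 CE PROTO=UDP SPT=5353 DPT=53 LEN=69
Apr 25 14:07:44 firewall Shorewall:all2all:REJECT: IN=tun0 OUT= MAC= SRC=10.8.0.14 DST=192.168.1.254 LEN=89 TOS=18 PREC=0x00 TTL=255 ID=41851 CE PROTO=UDP SPT=5353 DPT=53 LEN=69
Apr 25 14:08:01 firewall dnsmasq[123]: started, cachesize 150
"""

LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<verdict>[A-Z]+):\s*(?P<rest>.*)$")


def parse_log_line(line):
    """Parse one Shorewall log line into a dict; return None for other syslog lines."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = {"chain": m.group("chain"), "verdict": m.group("verdict")}
    # netfilter prints KEY=VALUE pairs; bare flags such as CE or DF carry no '='.
    # LEN occurs twice (IP total length, then UDP length); the later one wins.
    for key, value in re.findall(r"(\w+)=(\S*)", m.group("rest")):
        rec[key] = value
    return rec


def zones_for(rec):
    """Source and destination zone of a parsed packet, the way Shorewall sees it:
    traffic addressed to the firewall's own IPs is zone 'fw' whatever interface it
    arrived on; everything else takes the zone of its interface."""
    if not rec.get("IN"):
        src_zone = "fw"
    else:
        src_zone = INTERFACE_ZONES.get(rec["IN"], "unknown")
    if rec.get("DST") in FIREWALL_ADDRS:
        dst_zone = "fw"
    else:
        dst_zone = INTERFACE_ZONES.get(rec.get("OUT", ""), "unknown")
    return src_zone, dst_zone


def evaluate(src_zone, dst_zone, proto, dport, rules, policies):
    """First matching rules entry wins; otherwise the first matching policy
    ('all' is a wildcard), whose chain Shorewall names SRC2DST, e.g. all2all."""
    for action, rs, rd, rproto, rport in rules:
        if (rs, rd, rproto, rport) == (src_zone, dst_zone, proto, dport):
            return action, f"rule {action} {rs} {rd} {rproto} {rport}"
    for ps, pd, action in policies:
        if ps in (src_zone, "all") and pd in (dst_zone, "all"):
            return action, f"policy {ps}2{pd}"
    return "REJECT", "no policy matched"


def explain(log_text, rules, policies):
    """For every Shorewall line in log_text, report the zone pair and the verdict
    the given rules/policies give it, as (src, zones, service, verdict, why)."""
    report = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        src_zone, dst_zone = zones_for(rec)
        proto, dport = rec.get("PROTO", "").lower(), int(rec.get("DPT", "0"))
        verdict, why = evaluate(src_zone, dst_zone, proto, dport, rules, policies)
        report.append((rec["SRC"], f"{src_zone}->{dst_zone}", f"{proto}/{dport}", verdict, why))
    return report


if __name__ == "__main__":
    for label, rules in (("without DNS rules", RULES_BEFORE), ("with DNS rules", RULES_AFTER)):
        print(label)
        for row in explain(SAMPLE_LOG, rules, POLICIES):
            print("  ", row)
```

Run without arguments it prints each logged packet twice: first classified as `vpn->fw udp/53` and rejected by `policy all2all`, then accepted by the `ACCEPT vpn fw udp 53` rule. The `loc vpn ACCEPT` / `vpn loc ACCEPT` policies never enter into it, which is why opening loc/vpn traffic alone leaves the firewall's own resolver unreachable from the tunnel.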

[leaf-user] dropbear

2006-03-17 Thread Doug Sampson
How do I force use of public key authentication using dropbear? I can do
this with OpenSSH but can't find any examples of dropbear config files
anywhere on the 'net... Currently using Bering uClibc 2.4 beta.

~Doug


---
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642

leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/


RE: [leaf-user] Multiple OpenVPN configs?

2006-03-17 Thread Doug Sampson


> Doug Sampson wrote:
> > Can one run a TUN and a TAP connection using OpenVPN on
> > Bering uClibc
> > firewall successfully at the same time using different
> > ports- i.e. 1194 for
> > TUN and 1195 for TAP?
> 
> Yes, you can run multiple openvpn instances. Unless you really need
> bridging I would stick with routing.
> 
> cheers
> 
> Erich
>

We figured out how to do SSH tunneling. Smiles all around here. Now there's
no need for bridging at this point.

~D



[leaf-user] Multiple OpenVPN configs?

2006-03-15 Thread Doug Sampson
Can one run a TUN and a TAP connection using OpenVPN on Bering uClibc
firewall successfully at the same time using different ports- i.e. 1194 for
TUN and 1195 for TAP?

Currently the tunneling is functioning as expected. I am using a three
interface network using NET, LOC, and DMZ. Am using a proxy-arped server in
the DMZ. I see from the docs that a bridge needs to be established in
/etc/network/interfaces and I am unsure as to how I can successfully
implement a bridge on top of the OpenVPN tunnel. Do I need to replace LOC
with br0 in the Shorewall config files and rewrite the rules for the new br0
interface? I referred to this link:
http://www.shorewall.net/OPENVPN.html#Bridge. However, it appears this link
assumes that only a tap connection is used. This link
http://www.shorewall.net/myfiles.htm appears to contain information about a
tun connection only- along with a PPTP connection (if I understand
correctly).

Any pointers?

~Doug


 Doug Sampson
 Information Technology
 Dawn Sign Press
 dougs (at) dawnsign dot com



RE: [leaf-user] Recommended defense against dictionary attacks on ssh?

2006-03-07 Thread Doug Sampson
> On Sunday 05 March 2006 08:17, Tom Eastep wrote:
> > Doug Sampson wrote:
> > >> b) Use the 'Limit' Shorewall action to shut off ssh
> > >> connection requests
> > >> from persistent unsuccessful clients (see
> > >> http://www.shorewall.net/PortKnocking.html).
> > >
> > > How does one enable "Recent Match" support in the Bering
> > > uClibc kernel?
> > >
> > > I've tried copying the ipt_RECENT.o module to
> > > /lib/modules and added
> > > ipt_RECENT to /etc/modules. Doesn't seem to take effect
> > > after rebooting.
> > >
> > > I *am* still a Linux newb.
> >
> > You also need ipt_recent.o
> 
> Or, as K.P. has pointed out, the module is 'ipt_recent.o', 
> not 'ipt_RECENT.o'.
> 

Problem solved- the file name was ipt_RECENT.O <<<<<<<<
Renamed to ipt_recent.o and 'shorewall show capabilities' now
indicates 'Recent Match' is available.

Thanks for your help- I think I have been pulling one too many
all-nighters!

~D



RE: [leaf-user] Recommended defense against dictionary attacks on ssh?

2006-03-05 Thread Doug Sampson
> b) Use the 'Limit' Shorewall action to shut off ssh 
> connection requests
> from persistent unsuccessful clients (see
> http://www.shorewall.net/PortKnocking.html).
> 
How does one enable "Recent Match" support in the Bering uClibc kernel?

I've tried copying the ipt_RECENT.o module to /lib/modules and added
ipt_RECENT to /etc/modules. Doesn't seem to take effect after rebooting.

I *am* still a Linux newb.

~Doug




RE: [leaf-user] proxy arp

2006-03-04 Thread Doug Sampson
Thanks for enlightening me. Even after 2-3 years of using *nix systems, I
learn new things every day.

I've added the outgoing rule for port 5999 and cvsup'ing now works.

~D

> -Original Message-
> From: Tom Eastep [mailto:[EMAIL PROTECTED]
> Sent: Friday, March 03, 2006 05:45 PM
> To: Doug Sampson
> Cc: 'leaf-user@lists.sourceforge.net'
> Subject: Re: [leaf-user] proxy arp
> 
> 
> Doug Sampson wrote:
> > I've got a server proxy-arped in a DMZ. I've specified this 
> machine's IP
> > address in the /etc/shorewall/proxyarp file. I've also 
> specified that the
> > dmz zone be masqueraded.
> 
> Why in the world would you masquerade a system that has a public IP
> address?
> 
> > There I would think it stands to reason that I
> > could cvsup the server to an external web site
> 
> Why does that stand to reason? Neither Proxy ARP nor Masquerading has
> anything to do with allowing or disallowing connections.
> 
> 
> > Mar 3 09:27:25 firewall Shorewall:all2all:REJECT: IN=eth2 OUT=eth0
> > MAC=00:50:04:62:d8:52:00:50:04:83:e0:47:08:00 SRC=216.70.250.3
> > DST=130.94.149.166 LEN=64 TOS=00 PREC=0x00 TTL=63 ID=102 DF 
> PROTO=TCP
> > SPT=50830 DPT=5999 SEQ=1850567826 ACK=0 WINDOW=65535 SYN URGP=0 
> 
> These packets are for TCP port 5999.
> 
> > Processing /etc/shorewall/rules...
> >Rule "ACCEPT fw net tcp 53" added.
> >Rule "ACCEPT fw net udp 53" added.
> >Rule "ACCEPT fw loc tcp 53" added.
> >Rule "ACCEPT fw loc udp 53" added.
> >Rule "ACCEPT fw dmz tcp 53" added.
> >Rule "ACCEPT fw dmz udp 53" added.
> >Rule "ACCEPT loc fw tcp 53" added.
> >Rule "ACCEPT loc fw udp 53" added.
> >Rule "ACCEPT dmz fw tcp 53" added.
> >Rule "ACCEPT dmz fw udp 53" added.
> >Rule "ACCEPT dmz loc:192.168.1.254 tcp 53" added.
> >Rule "ACCEPT dmz loc:192.168.1.254 udp 53" added.
> >Rule "ACCEPT loc fw tcp 22" added.
> >Rule "ACCEPT loc dmz tcp 22" added.
> >Rule "ACCEPT dmz net tcp 53" added.
> >Rule "ACCEPT dmz net udp 53" added.
> >Rule "ACCEPT net fw icmp 8" added.
> >Rule "ACCEPT loc fw icmp 8" added.
> >Rule "ACCEPT dmz fw icmp 8" added.
> >Rule "ACCEPT loc dmz icmp 8" added.
> >Rule "ACCEPT dmz loc icmp 8" added.
> >Rule "ACCEPT dmz net icmp 8" added.
> >Rule "ACCEPT fw net icmp" added.
> >Rule "ACCEPT fw loc icmp" added.
> >Rule "ACCEPT fw dmz icmp" added.
> >Rule "ACCEPT net dmz icmp 8" added.
> >Rule "ACCEPT net loc icmp 8" added.
> >Rule "DNAT:ULOG net loc:192.168.1.15 tcp 8080 www 
> 216.70.250.2" added.
> >Rule "DNAT net loc:192.168.1.149 tcp 52525" added.
> >Rule "DNAT net loc:192.168.1.149 udp 52525" added.
> >Rule "DNAT net loc:192.168.1.4 tcp smtp - 216.70.250.2" added.
> >Rule "DNAT:ULOG net loc:192.168.1.2 tcp www - 
> 216.70.250.2" added.
> >Rule "DNAT:ULOG net loc:192.168.1.2 tcp 443 - 
> 216.70.250.2" added.
> >Rule "DNAT net loc:192.168.1.4 tcp 8000 www 216.70.250.2" added.
> >Rule "ACCEPT loc fw udp 67,68" added.
> >Rule "ACCEPT:ULOG loc fw tcp 80,8080" added.
> >Rule "ACCEPT dmz net tcp 80" added.
> >Rule "ACCEPT dmz net tcp smtp" added.
> >Rule "ACCEPT dmz loc tcp smtp" added.
> >Rule "ACCEPT fw net tcp smtp" added.
> >Rule "ACCEPT fw loc:192.168.1.4 tcp smtp" added.
> >Rule "ACCEPT fw net tcp time" added.
> >Rule "ACCEPT fw net udp ntp" added.
> >Rule "ACCEPT loc fw udp ntp" added.
> >Rule "REJECT:ULOG loc net udp 1025:1031" added.
> >Rule "REJECT:ULOG dmz net udp 1025:1031" added.
> >Rule "ACCEPT:ULOG dmz net tcp 1024: 20" added.
> >Rule "REJECT:ULOG fw net udp 1025:1031" added.
> 
> There was no rule for port 5999.
> 
> > Processing /etc/shorewall/policy...
> >Policy REJECT for fw to net using chain all2all
> >Policy REJECT for fw to loc using chain all2all
> >Policy REJECT for fw to dmz using chain all2all
> >   Enabled SYN flood protection
> >Policy DROP for net to fw

[leaf-user] proxy arp

2006-03-03 Thread Doug Sampson
   Rule "REJECT - - udp 135" added.
   Rule "REJECT - - udp 137:139" added.
   Rule "REJECT - - udp 445" added.
   Rule "REJECT - - tcp 135" added.
   Rule "REJECT - - tcp 139" added.
   Rule "REJECT - - tcp 445" added.
Processing /etc/shorewall/policy...
   Policy REJECT for fw to net using chain all2all
   Policy REJECT for fw to loc using chain all2all
   Policy REJECT for fw to dmz using chain all2all
  Enabled SYN flood protection
   Policy DROP for net to fw using chain net2all
  Enabled SYN flood protection
   Policy DROP for net to loc using chain net2all
  Enabled SYN flood protection
   Policy DROP for net to dmz using chain net2all
   Policy REJECT for loc to fw using chain all2all
   Policy ACCEPT for loc to net using chain loc2net
   Policy REJECT for loc to dmz using chain all2all
   Policy REJECT for dmz to fw using chain all2all
   Policy REJECT for dmz to net using chain all2all
   Policy REJECT for dmz to loc using chain all2all
Masqueraded Networks and Hosts:
   To 0.0.0.0/0 (all) from 192.168.1.0/24 through eth0
   To 0.0.0.0/0 (all) from 192.168.2.0/24 through eth0
   To 0.0.0.0/0 (all) from 216.70.250.0/28 through eth0
Processing /etc/shorewall/tos...
Processing /etc/shorewall/ecn...
Setting up Traffic Control Rules...
   TC Rule "1:P 0.0.0.0/0 0.0.0.0/0 tcp 1720   " added
   TC Rule "1:P 0.0.0.0/0 0.0.0.0/0 tcp 15328:15338   " added
   TC Rule "1:P 0.0.0.0/0 0.0.0.0/0 udp 15328:15338   " added
   TC Rule "1:P 0.0.0.0/0 0.0.0.0/0 tcp 5190,5222,5298   " added
   TC Rule "1:P 0.0.0.0/0 0.0.0.0/0 udp 5060,5190,5220,5297,5298,5353,5678
" added
   TC Rule "1:P 0.0.0.0/0 0.0.0.0/0 udp 16384:16403   " added
   TC Rule "2:P 0.0.0.0/0 0.0.0.0/0 tcp 25   " added
   TC Rule "2:P 0.0.0.0/0 0.0.0.0/0 tcp 22   " added
   TC Rule "2:P 0.0.0.0/0 0.0.0.0/0 tcp 21   " added
   TC Rule "2:P 0.0.0.0/0 0.0.0.0/0 icmp echo-request   " added
   TC Rule "2:P 0.0.0.0/0 0.0.0.0/0 icmp echo-reply   " added
   TC Rule "3:P 0.0.0.0/0 0.0.0.0/0 all" added
   TC Rule "4:P 0.0.0.0/0 0.0.0.0/0 ipp2p" added
   TC Rule "4:P 0.0.0.0/0 0.0.0.0/0 tcp 52525   " added
   TC Rule "4:P 0.0.0.0/0 0.0.0.0/0 udp 52525   " added
Activating Rules...
Processing /etc/shorewall/start ...
Processing /etc/shorewall/start.d/weblet_start ...
Shorewall Restarted
Processing /etc/shorewall/started ...
firewall# 

Can I masquerade a proxy-arped server in a dmz?

I've googled around and also checked the Shorewall web site to no avail...
Something tells me I am not getting the big picture of proxy-arping...

~Doug





RE: [leaf-user] ipp2p

2006-03-03 Thread Doug Sampson
It's working beautifully!

However, a user is using a noncommon port for p2p sharing- namely the TCP
52525 port. He claims that common BT ports are blocked by some BT users. I
assume I should include that port in a lower priority TC class on top of
ipp2p?

Thanks for the assistance, Eric!

~D

> -Original Message-
> From: Eric Spakman [mailto:[EMAIL PROTECTED]
> Sent: Monday, February 20, 2006 11:43 PM
> To: Doug Sampson
> Cc: 'leaf-user@lists.sourceforge.net'
> Subject: Re: [leaf-user] ipp2p
> 
> 
> Hello Doug,
> 
> Support for ipp2p isn't compiled into Bering-uClibc-2.3.x, but it's
> available for Bering-uClibc-2.4beta. What you could do is upgrade the
> packages that are needed for kernel 2.4.32, which can be found at
> http://cvs.sourceforge.net/viewcvs.py/leaf/bin/packages/uclibc
> -0.9/20/2.4.32/
> :
> 
> initrd_*.lrp (if you use an initrd with included boot modules)
> iptables.lrp (compiled against 2.4.32, with included ipp2p module)
> modules.lrp (2.4.32 modules with included ipp2p kernel module, add the
> extra modules you need from the 2.4.32 tarball)
> linux-2.4.3-upx (rename to linux)
> 
> This would be enough to upgrade your setup to kernel 2.4.32 
> and have ipp2p
> support.
> 
> For traffic shaping you can find a document describing a setup for
> Bering-uClibc with shorewall 2.4.x at:
> http://www.ucbering.de/?Projects:traffic_control_for_shorewall
> 
> Or, optionally, you can also update to shorewall 3.0.x
> (http://cvs.sourceforge.net/viewcvs.py/leaf/bin/packages/uclibc-0.9/20/testing/)
> where traffic control is included.
> 
> Eric

> Is support for IPP2P traffic shaping already compiled/built into the
> default Bering uClibc 2.3x setup as well as the default Shorewall setup
> contained within the Bering setup? I would like to classify P2P traffic as
>  low-priority and saw that IPP2P is being offered as one of the protocols
> in /etc/shorewall/tcrules but it warned that support for IPP2P must be
> supported in the kernel and iptables.
>
> ~Doug
>
>





RE: [leaf-user] ipp2p

2006-02-21 Thread Doug Sampson
Thanks for the info, Eric. I am going to try replacing the existing modules
and test Shorewall's traffic shaping feature. Video isn't implemented
heavily around here just yet. And I do know the exact ports used in our
video apps which makes it easier for me to implement queuing properly.

Any idea when Bering uClibc 2.4 will be released?

~Doug

> -Original Message-
> From: Eric Spakman [mailto:[EMAIL PROTECTED]
> Sent: Monday, February 20, 2006 11:43 PM
> To: Doug Sampson
> Cc: 'leaf-user@lists.sourceforge.net'
> Subject: Re: [leaf-user] ipp2p
> 
> 
> Hello Doug,
> 
> Support for ipp2p isn't compiled into Bering-uClibc-2.3.x, but it's
> available for Bering-uClibc-2.4beta. What you could do is upgrade the
> packages that are needed for kernel 2.4.32, which can be found at
> http://cvs.sourceforge.net/viewcvs.py/leaf/bin/packages/uclibc
> -0.9/20/2.4.32/
> :
> 
> initrd_*.lrp (if you use an initrd with included boot modules)
> iptables.lrp (compiled against 2.4.32, with included ipp2p module)
> modules.lrp (2.4.32 modules with included ipp2p kernel module, add the
> extra modules you need from the 2.4.32 tarball)
> linux-2.4.3-upx (rename to linux)
> 
> This would be enough to upgrade your setup to kernel 2.4.32 
> and have ipp2p
> support.
> 
> For traffic shaping you can find a document describing a setup for
> Bering-uClibc with shorewall 2.4.x at:
> http://www.ucbering.de/?Projects:traffic_control_for_shorewall
> 
> Or, optionally, you can also update to shorewall 3.0.x
> (http://cvs.sourceforge.net/viewcvs.py/leaf/bin/packages/uclibc-0.9/20/testing/)
> where traffic control is included.
> 
> Eric

> Is support for IPP2P traffic shaping already compiled/built into the
> default Bering uClibc 2.3x setup as well as the default Shorewall setup
> contained within the Bering setup? I would like to classify P2P traffic as
>  low-priority and saw that IPP2P is being offered as one of the protocols
> in /etc/shorewall/tcrules but it warned that support for IPP2P must be
> supported in the kernel and iptables.
>
> ~Doug
>
>





RE: [leaf-user] traffic shaping - video

2006-02-21 Thread Doug Sampson
I've since then discovered qbox.lrp on Sourceforge. It appears to be version
1.1. Would that work with the existing Bering uClibc distro?

Also, I did not see anything regarding ipp2p.

~Doug

> -Original Message-
> From: Ron Senykoff [mailto:[EMAIL PROTECTED]
> Sent: Monday, February 20, 2006 07:00 PM
> To: Doug Sampson
> Cc: leaf-user@lists.sourceforge.net
> Subject: Re: [leaf-user] traffic shaping - video
> 
> 
> > I would like to prioritize traffic using Shorewall running 
> Bering uClibc
> > 2.3x as follows:
> >
> > 1) video-conferencing
> > 2) normal traffic
> > 3) P2P sharing
> 
> Doug,
> 
> I think you may have better luck discussing this with the lartc.org
> people. I'm familiar with traffic shaping but have not utilized
> shorewall's 'interface' to the traffic control modules.
> 
> If you know that you will never run the risk of having someone soak
> your link with video, then straight priority queueing could work OK.
> However, it's more common to use some other shaping algorithms (HTB or
> CBQ, HTB being easier) with priority added for who gets to borrow
> additional bandwidth first.
> 
> As a shameless plug, I do have a solution using leaf for 
> quality of service.
> http://www.cs.luc.edu/projects/comp412/q-box/
> 
> It should be able to handle upwards of 40Mbps of traffic. For Video I
> usually just specify the IP addresses of our video units rather than
> try to match the wide range of ports used by h.323.
> 
> You can email me off list if you have any questions about my project.
> 
> HTH,
> -Ron
> 




[leaf-user] traffic shaping - video

2006-02-20 Thread Doug Sampson
This is somewhat related to the other post I posted earlier today.

I would like to prioritize traffic using Shorewall running Bering uClibc
2.3x as follows:

1) video-conferencing
2) normal traffic
3) P2P sharing

We are a publishing company specializing in American Sign Language and Deaf
culture products. Thus we utilize video cams as our means of communication
with our authors and customers. Thus I must prioritize video packets in
order to ensure timely delivery of video packets. However, my familiarity
isn't great with TCP/IP prioritization schemes and I suspect this is the place
to ask.

Looking at the default tcclasses file:

#INTERFACE  MARK  RATE       CEIL       PRIORITY  OPTIONS
ppp0        1     full       full       1         tcp-ack,tos-minimize-delay
ppp0        2     9*full/10  9*full/10  2         default
ppp0        3     8*full/10  8*full/10  2

...and the default tcrules file:

#MARK  SOURCE     DEST       PROTO  PORT(S)       CLIENT   USER
#                                                 PORT(S)
1:P    0.0.0.0/0  0.0.0.0/0  icmp   echo-request
1:P    0.0.0.0/0  0.0.0.0/0  icmp   echo-reply
# mark traffic which should have a lower priority with a 3:
# mldonkey
3      0.0.0.0/0  0.0.0.0/0  udp    -             4666

Does the #1 rule in tcrules satisfy the requirement for prioritizing video
packets? Or do I have to create new rules pointing to appropriate ports used
in video communications?

~Doug
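A sanity check for tcclasses files like the one quoted above, written as an added example (not Shorewall or LEAF code): it evaluates the RATE and CEIL expressions ('full', '9*full/10', 'full*56/100', plain 'kbit' values) against the OUT-BANDWIDTH that tcdevices gives the interface and flags class guarantees that an HTB queue cannot honour, plus a missing or duplicated 'default' class, which Shorewall requires exactly once per interface. The two sample files are constructed; the first is modelled on the distribution default quoted in the thread.

```python
"""Sanity checker for a Shorewall tcclasses file (added example, not Shorewall
or LEAF code).  It evaluates the RATE/CEIL expressions quoted in the thread
('full', '9*full/10', ...) against the OUT-BANDWIDTH that tcdevices declares
and flags guarantees an HTB queue cannot honour.  Samples are constructed."""
import re
from collections import namedtuple

UNIT_TO_KBIT = {"bit": 0.001, "kbit": 1.0, "mbit": 1000.0}
TcClass = namedtuple("TcClass", "interface mark rate ceil priority options")


def parse_bandwidth(text: str) -> float:
    """Convert a tc-style bandwidth such as '4400kbit' or '2mbit' to kbit/s."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)(bit|kbit|mbit)", text.strip().lower())
    if not m:
        raise ValueError(f"unsupported bandwidth {text!r}")
    return float(m.group(1)) * UNIT_TO_KBIT[m.group(2)]


def eval_rate(expr: str, full: float) -> float:
    """Evaluate a RATE/CEIL expression ('full', 'full*56/100', '9*full/10',
    '500kbit') left to right; `full` is the device bandwidth in kbit/s."""
    tokens = re.split(r"([*/])", expr.strip())

    def term(tok: str) -> float:
        tok = tok.strip().lower()
        if tok == "full":
            return full
        if re.fullmatch(r"\d+(?:\.\d+)?", tok):
            return float(tok)
        return parse_bandwidth(tok)

    value = term(tokens[0])
    for op, tok in zip(tokens[1::2], tokens[2::2]):
        value = value * term(tok) if op == "*" else value / term(tok)
    return value


def parse_tcclasses(text: str) -> list:
    """Parse the INTERFACE MARK RATE CEIL PRIORITY [OPTIONS] columns."""
    classes = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        cols = line.split()
        if len(cols) < 5:
            raise ValueError(f"too few columns in tcclasses line {raw!r}")
        opts = set(cols[5].split(",")) if len(cols) > 5 else set()
        classes.append(TcClass(cols[0], int(cols[1]), cols[2], cols[3],
                               int(cols[4]), opts))
    return classes


def check_device(full: float, classes: list) -> list:
    """Return the problems found in one device's classes (empty = clean)."""
    problems, total = [], 0.0
    for c in classes:
        rate, ceil = eval_rate(c.rate, full), eval_rate(c.ceil, full)
        total += rate
        if ceil < rate:
            problems.append(f"class {c.mark}: CEIL {ceil:.0f}kbit is below RATE {rate:.0f}kbit")
        if ceil > full:
            problems.append(f"class {c.mark}: CEIL {ceil:.0f}kbit exceeds the {full:.0f}kbit device")
    if total > full:   # HTB can only guarantee rates whose sum fits on the link
        problems.append(f"guaranteed RATEs sum to {total:.0f}kbit on a {full:.0f}kbit device")
    marks = [c.mark for c in classes]
    if len(set(marks)) != len(marks):
        problems.append("duplicate MARK values")
    defaults = sum("default" in c.options for c in classes)
    if defaults != 1:   # Shorewall requires exactly one default class per interface
        problems.append(f"expected exactly one 'default' class, found {defaults}")
    return problems


def audit(bandwidths: dict, tcclasses_text: str) -> dict:
    """bandwidths maps interface -> tcdevices OUT-BANDWIDTH; returns problems per interface."""
    by_iface = {}
    for c in parse_tcclasses(tcclasses_text):
        by_iface.setdefault(c.interface, []).append(c)
    return {iface: (check_device(parse_bandwidth(bandwidths[iface]), classes)
                    if iface in bandwidths else [f"no tcdevices entry for {iface}"])
            for iface, classes in by_iface.items()}


# Constructed sample modelled on the distribution default quoted in the thread:
# the guaranteed rates add up to 2.7 x the link, which HTB cannot honour.
DEFAULT_TCCLASSES = """\
#INTERFACE MARK RATE      CEIL      PRIORITY OPTIONS
ppp0       1    full      full      1        tcp-ack,tos-minimize-delay
ppp0       2    9*full/10 9*full/10 2        default
ppp0       3    8*full/10 8*full/10 2
"""

# Constructed sample whose guarantees exactly fill the link.
BALANCED_TCCLASSES = """\
eth0 1 full*50/100 full*9/10   1 tos-minimize-delay
eth0 2 full*30/100 full        2
eth0 3 full*20/100 full*20/100 3 default
"""
```

Running `audit({"ppp0": "1500kbit"}, DEFAULT_TCCLASSES)` reports the over-committed guarantees, while the balanced sample comes back clean.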




[leaf-user] ipp2p

2006-02-20 Thread Doug Sampson
Is support for IPP2P traffic shaping already compiled/built into the default
Bering uClibc 2.3x setup as well as the default Shorewall setup contained
within the Bering setup? I would like to classify P2P traffic as
low-priority and saw that IPP2P is being offered as one of the protocols in
/etc/shorewall/tcrules but it warned that support for IPP2P must be
supported in the kernel and iptables.

~Doug





RE: [leaf-user] DMZ --> LAN?

2006-01-06 Thread Doug Sampson
> Note: Two messages below quote for reference.
> 
> While you could make this work, it is far outside best practices
> from an Exchange perspective.  However even if this did work I don't
> think it will go very far in making Exchange any more secure.  A proper
> way to achieve this would be to build an Outlook Web Access (OWA)
> frontend system and place it in your DMZ and only open the ports it
> requires to talk to the backend. You would keep the Exchange server
> itself on your internal network.  
> 
> Also while you are at it you might want to consider moving to a more
> recent version of Exchange, as 5.5 is somewhat of a relic these days.
> 
> In reference to what Charles said with putting an SMTP smart 
> host in the
> DMZ, this is a very good idea.  I have something similar configured
> using Qmail-LDAP so that it can interface with Active 
> Directory to check
> validity of emails addresses before accepting them and it works
> exceptionally well.
> 
> R.

Considering how complex the MS domain functions play out, I'd agree that
it'd be less troublesome to use a smtp proxy in the DMZ and forward packets
through it to the Exchange box.

Would the following statement in /etc/network.conf enable me to punch a hole
from the DMZ to the LAN?:

INTERN_SERVER6="tcp 192.168.2.xxx smtp 192.168.1.xxx smtp"

whereas 192.168.2.xxx refers to the smtp proxy and 192.168.1.xxx is the
Exchange box assuming the DMZ IP address range is 192.168.2.0/24 and the LAN
IP address range is 192.168.1.0/24.

Currently the DMZ is set as a private DMZ switch. Is there any advantage to
changing the DMZ switch to something other than private under the
circumstances regarding the smtp proxy?

Any advice/tips would be greatly appreciated!

~Doug


> 
> -Original Message-
> From: Doug Sampson
> Sent: Friday, January 06, 2006 1:41 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [leaf-user] DMZ --> LAN?
> 
> It is both an Exchange 5.5 box and an OWA- all in one box. 
> I've opened a
> hole on the external interface to allow webmail connections 
> for webmail
> users. I am not comfortable with allowing connections into 
> the LAN- thus
> the
> reason why I want to move it to the DMZ.
> 
> When I boot up in the DMZ, it complains of not finding a domain
> controller.
> It is a member of our domain but is not a domain controller.
> 
> HTH.
> 
> ~D
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Charles
> Steinkuehler
> Sent: Friday, January 06, 2006 3:23 PM
> To: Doug Sampson
> Cc: leaf-user@lists.sourceforge.net
> Subject: Re: [leaf-user] DMZ --> LAN?
> 
> Unless someone with exchange experience chimes in (I've stayed as far
> away
> from exchange as I can), you'll probably need to ask your 
> question on a
> more
> MS centric list and/or search google/MSDN for information on putting a
> firewall between your exchange server and clients.
> 
> NOTE:  If you're moving the exchange box to the DMZ mainly because of
> concerns that it might get hacked, an alternative would be to install
> an
> SMTP server in the DMZ that simply forwards mail to the exchange box
> sitting
> on the internal LAN, shielding it from the 'raw' internet in the
> process.
> 




RE: [leaf-user] DMZ --> LAN?

2006-01-06 Thread Doug Sampson
> Well, your problem is you're using exchange...
> 
> You can fairly easily put a firewall between the exchange box and the
> internet, because all the involved protocols are standards 
> based and well
> documented.
> 
> Microsoft networking, however, (including high-port traffic 
> you mention,
> above) gets very upset if all parties are not in the same 
> broadcast domain
> (MS Motto:  What's a router?!?).  This makes life with 
> subnetted networks
> and routers tricky at best, and frequently downright 
> impossible (at least
> without paying big $$$ for lots of MS server licenses).
> 
> Unless someone with exchange experience chimes in (I've 
> stayed as far away
> from exchange as I can), you'll probably need to ask your 
> question on a more
> MS centric list and/or search google/MSDN for information on putting a
> firewall between your exchange server and clients.

I've located such information. However, I need to know where I can punch
holes between the DMZ and the LAN. Do I do that in the /etc/network config
file?

> 
> NOTE:  If you're moving the exchange box to the DMZ mainly because of
> concerns that it might get hacked, an alternative would be 
> to install an
> SMTP server in the DMZ that simply forwards mail to the 
> exchange box sitting
> on the internal LAN, shielding it from the 'raw' internet in 
> the process.

I've thought about doing that. I installed a smtp proxy in the DMZ but I
found I could not forward smtp packets from the DMZ to the LAN using
Dachstein. I may be missing something here but I cannot find documentation
on the 'Net where I can open ports between the DMZ and the LAN.

~Doug




[leaf-user] DMZ --> LAN?

2006-01-06 Thread Doug Sampson
Hi all,

I'm still running the latest version of Dachstein CD. I want to move our
Exchange box to the DMZ from the LAN and have clients connect to it from the
LAN. However, the Exchange box needs to connect to our domain controllers in
the LAN for user authentication. I need to poke holes at port 136 through
139. Where do I make these holes?

I see that clients use ports above 1024 to make initial connections and that
the Exchange box opens ports above 1024 in response to the clients'
connection requests. Do I need to open holes for these? I believe I do not
need to do these because the connection coming from the Exchange box is in
response to the clients' connections so these would not be rejected by the
Dachstein router if that is how I understand it.

Someday I will upgrade to Bering uClibc but for now I need to solve this
issue.

~Doug




RE: [leaf-user] SCP/SFTP

2005-12-22 Thread Doug Sampson
Oh, and I should add that I am using dropbear.

~Doug

> 
> I'm building a stock Bering uClibc 2.3.1 router and am trying 
> to connect
> using WinSCP 3.7.6 from the internal network. I keep getting 
> a time-out.
> Error message says "Server refused to start a shell/command". I can
> successfully access using ssh. What do I need to get a shell 
> running on
> Bering? I would like to copy files to/from Bering.
> 
> ~Doug
> 




[leaf-user] SCP/SFTP

2005-12-22 Thread Doug Sampson
I'm building a stock Bering uClibc 2.3.1 router and am trying to connect
using WinSCP 3.7.6 from the internal network. I keep getting a time-out.
Error message says "Server refused to start a shell/command". I can
successfully access using ssh. What do I need to get a shell running on
Bering? I would like to copy files to/from Bering.

~Doug





RE: [leaf-user] dns resolution - Dachstein

2004-07-16 Thread Doug Sampson
> I could not get tinydns to answer for two internal networks.  My 
> solution is:
>  
> .private.network::localhost
> .1.168.192.in-addr.arpa::localhost
> =tworoute.private.network:192.168.1.254
> =localhost.private.network:192.168.1.1
> 
> .dmz.network::localhost
> .2.168.192.in-addr.arpa::localhost
> =dmzbox.private.network:192.168.2.1
> 
> notice that the DMZ has an address in another network but its 
> name is in the private.network. This works for me.
> 

I made the changes similar to what you described above. Basically what I did
was to add to the private file as follows:

.dmz.dawnsign.com::ns.dawnsign.com
.2.168.192.in-addr.arpa::ns.dawnsign.com
# mail exchanger
@dawnsign.com::mercury.dawnsign.com
=mercury.dawnsign.com:216.xxx.xxx.xxx
=myrouter.dawnsign.com:192.168.1.254

ns.dawnsign.com was already defined for the .dawnsign.com domain so there
wasn't any need to define it within the .dmz.dawnsign.com domain.

It seems to have worked. Am I correct in my assumption that when a name
resolution request comes in from any machine in the 192.168.2.x network, the
request will be checked against the entries defined for the
.dmz.dawnsign.com domain and not the .dawnsign.com domain?

~Doug




[leaf-user] dns resolution - Dachstein

2004-07-16 Thread Doug Sampson
Hi all,

I'm having trouble getting a Mailman server (using Exim 3.35) to resolve
names properly. It is situated in the DMZ (192.168.2.x) of a network using
Dachstein CD102. I have an Exchange mail server in the internal network
(192.168.1.x).

I have tinyDNS running on the firewall. The internal TinyDNS zone file has a
MX record that points to the Exchange server at 192.168.1.4. There is no
public TinyDNS zone file.

While the server is pointed to the internal TinyDNS server on the firewall,
telnetting to port 25 of the internal Exchange server fails as expected.
However, this means email designated for internal users will also fail. This
is not the desired result.

When I point the name resolver on the Mailman machine to various external
name servers, mail gets delivered but to the external IP address of
Dachstein which in turn gets forwarded to the Exchange server. That works
just fine. However, when I try to do an apt-get update on the Mailman
machine, name resolution fails.

I added the external IP address of our internal Exchange server to the
'hosts' file on the Mailman machine thinking that Exim will deliver mail to
the external IP address. With the machine pointed to the internal name
server, Mailman pings correctly to the external IP address. But email
delivery fails due to the internal MX record on the internal name server
which is pointed to the internal IP address of the Exchange server.

One solution would be to relocate the Exchange server into the DMZ where it
should have been all along. But I would like to explore other options. Are
there any other options I am overlooking?

~Doug



RE: [leaf-user] Bind multiple IP addresses?

2004-07-09 Thread Doug Sampson
> Use eth0_IP_EXTRA_ADDRS="ip.ad.dr.es" in network.conf to add 
> additional public IP's to the router's external interface.
> 
> Once you have the new IP(s) assigned, you can then allow 
> inbound port 80 traffic through the firewall and port-forward that traffic
> to an internal machine.
> 
> When finished, you should have added something like the 
> following three lines to your network.conf file (IP addresses adjusted for
> your actual network, of course):
> 
> eth0_IP_EXTRA_ADDRS="1.2.3.4"
> EXTERN_TCP_PORT0="0/0 www 1.2.3.4"
> INTERN_SERVER0="tcp 1.2.3.4 www 192.168.1.123"
> 
> NOTE: The EXTERN_TCP_PORT0 and INTERN_SERVER0 settings are indexed 
> lists, which means the suffix (0 in the above example) has to 
> start at zero and there can be no missing numbers (ie:
>INTERN_SERVER0=...
>INTERN_SERVER1=...
>INTERN_SERVER2=...
>...
> If you already have some of these rules defined, you'll need 
> to adjust the index accordingly.

Charles,

I tried what you suggested. It works as advertised. Many thanks!

~Doug



[leaf-user] Bind multiple IP addresses?

2004-07-07 Thread Doug Sampson
Can I bind more than one public IP address to an external interface in
Dachstein 1.02CD? If so, how? I've googled around to no avail. If not, is
there another app that does this? Bering?

The reason for this is I wish to port-forward packets to another web server
that is behind the firewall. Port 80 is already used by this one web server.
I do not wish to force users to add the port designation at the end of the
URL in order to reach the second web server. So I got around to thinking
that if I could bind a different public IP address to the external
interface, then add a rule to the firewall stating that if someone comes
knocking at this IP address at port 80 to please forward the packets to the
second web server.

I'm fully aware that I could establish port-forwarding at the ISP's name
server redirecting http packets to a different port- say 8000- which could
be redirected to port 80 of the second web server. I just would like to see
if I can avoid paying extra bucks for the port-forwarding feature. I happen
to have a few unused public IP addresses left.

Is that possible?

~Doug



RE: [leaf-user] Types of DMZ - Dachstein

2003-10-13 Thread Doug Sampson
> DMZ=PROXY
> This setting uses proxy-arp to separate your DMZ systems from the "raw" 
> upstream connection.  The main benefit to using proxy-arp is your DMZ 
> systems can have REAL PUBLIC IP's.  The main drawback is it's kind of 
> complex to get the networking and firewall rules setup correctly, but 
> that's now pretty easy since I folded support into the main Dachstein 
> scripts for this sort of setup.



> I suggest using proxy-arp DMZ's if at all possible on both ends 
> (assuming you have multiple IP's you can allocate to DMZ systems).
> 
> Note there are a few tricks to setting up a proxy-arp DMZ 
> (mainly in how 
> you setup routing, and an understanding of the arp protocol and arp 
> cache timeouts), so don't be afraid to ask for help with the 
> config file 
> details if you decide to setup this sort of DMZ.
> 
> -- 

Very useful information, Charles. Although I don't quite get what proxy-arp
really does and how it differs from, say, a strictly public DMZ. Perhaps a
short explanation here will help set my mind straight. I am confused
especially by the statement regarding separating the DMZ systems from the
"raw" upstream connection. What is the benefit in that?

Unfortunately, we are constrained by very limited IP address range at work
so I believe we will be forced to use private DMZ. Since I use Cox as my ISP
at home, I only get one IP address and it's of the dynamic variety! So,
again, it looks like selecting private DMZ is the way to go at home.

Thanks for the write-up.

~Doug



[leaf-user] Types of DMZ - Dachstein

2003-10-13 Thread Doug Sampson
I'm using Dachstein CD 1.02 which works well in its present state. I would
like to add a DMZ using a second ethernet card. I see in the network.conf
file there are various types of DMZ- YES, PROXY, NAT, PRIVATE, and NO. I do
not know what a PROXY DMZ does nor do I know the purpose of a private DMZ.
Could someone explain what these are and under what conditions they may be
used?

Since I am using Dachstein here at home and also at work, there are two
scenarios that I am contemplating using the DMZes. At home, I wish to add a
video-conferencing solution which requires it be placed in a DMZ. Failing
that DMZ requirement, it needs to have inbound ports turned on:

Port 1720 (TCP)
Ports 15328-15333 (TCP & UDP)

and outbound ports turned on:

Ports 1024-65535 (TCP & UDP)
Port 389 (LDAP)
Port 80 (HTTP)

What is the optimal solution for this scenario?

The second scenario (at work) calls for a web server, a virus mail scanner,
and a http proxy (squid) to be located in the DMZ. Which type of DMZ should
be used for this? I would think a PRIVATE DMZ would be used but again I am
not familiar with the various types of DMZes.

I look forward to a positive reply.

~Doug




RE: [leaf-user] Trouble with MaraDNS

2003-07-28 Thread Doug Sampson
Thanks for the update. I will update today and report back.

~Doug

> I have updated maradns.lrp to the latest 1.0.18 stable release.
> It's here:
> http://leaf.sourceforge.net/devel/jnilo/testing/maradns.lrp
> Check if that solve your pb and report the result.
> Jacques



[leaf-user] Trouble with MaraDNS

2003-07-25 Thread Doug Sampson
I'm running maradns.lrp with my DCD102 router. I'm seeing freezes with the
MaraDNS service almost daily and have to restart it. The maradns.log shows
compression errors as follows:

Timestamp: 1058923607  Log: All RRs have been loaded
Timestamp: 1059003929 Compression error:
Timestamp: 1059056223  Log: Root directory changed
 Log: Binding to address 192.168.1.254 192.168.2.254
Timestamp: 1059056223  Log: Socket opened on UDP port 53
Timestamp: 1059056223  Log: Root privledges dropped
Timestamp: 1059056223  Log: All RRs have been loaded

Does anyone know what that means? I'm vaguely aware it has to do with the
maradns config file but I'm unsure as to where to look. I've set it to
resolve with root servers. Would it be better if I set it so that it
resolves with another dns server upstream instead of root servers? I'd be
happy to send the config file(s) if these are needed.

I had tinydns running fine for 2 years prior to switching to maradns and I
will return to tinydns if this isn't resolved to my satisfaction. I've
dropped an email two days ago to the maradns list and have yet to hear from
them.

~Doug


RE: [leaf-user] DCD 102 & MaraDNS

2003-06-19 Thread Doug Sampson
> 
> I want to be sure I understand this name resolution process 
> while running
> dnscache and tinydns. When loaded, dnscache looks for any 
> name resolution
> queries and, when caught, resolves these by checking the 
> content of the
> tinydns private or public zone files depending on the origin 
> of the name
> resolution query. Is that correct?
> 
> How does MaraDNS function under Dachstein? dnscache isn't 
> running under the
> maradns configuration.
> 

Found the problem- in the mararc config file, maradns bound itself to IP
address 192.168.1.254 but I had set the router's DNS resolver address as
127.0.0.1. Once I reset the DNS resolver address for the router to
192.168.1.254, I was able to ping internal and external hosts from the
router. Lesson learned.

As a side note, the webmaster of www.dawnsign.com confirmed that it isn't
set to respond to pings. Seems it's quite common among web hosting servers
not to respond to pings in an effort to reduce traffic. Ummm.

On to the next problem!

~Doug



FW: [leaf-user] DCD 102 & MaraDNS

2003-06-19 Thread Doug Sampson
Forgot to include the LEAF list in my earlier reply below to Charles...

~Doug

-Original Message-
From: Doug Sampson 
Sent: Thursday, June 19, 2003 3:56 PM
To: 'Charles Steinkuehler'
Subject: RE: [leaf-user] DCD 102 & MaraDNS


Charles,

Thanks for your reply. Replies inline below.

> > Now, when I ping www.dawnsign.com I see that my request 
> resolves to an IP
> > address of 207.158.59.34 but then it drops dead announcing 
> it is unable to
> > reach the host. The same thing occurs if I try to ping 
> www.dawnsignpress.com
> > which is under our control as well. We use easyDNS to 
> manage our external
> > domain names and hosts records. When I attempt to ping 
> internal hosts from
> > the DCD router, it does not resolve- instead it announces 
> the internal host
> > as an unknown host. However, when I ping internal hosts 
> from an client
> > inside the internal network, it resolves correctly.
> > 
> > I had hoped that the router would use its own zone file but 
> I might not be
> > thinking correctly. At least MaraDNS appears to behave 
> differently from
> > tinyDNS which had its internal and external zone files.
> > 
> > If anyone could enlighten me on this subject, I would be grateful.
> > Especially if there is a method where the router could 
> resolve its own
> > queries for internal hosts. I also apologize for this lengthy post.
> 
> I'm not familiar with MaraDNS, but I can think of at least 
> two possible 
> problems you could be having.  The first is the DNS configuration of 
> your router.  You need to make sure the router is setup to 
> use itself as 
> a DNS server if you're running a name server on the router.  It's 
> possible your internal systems are properly querying the 
> router for DNS 
> info, while your router is still querying your ISP, which may (but 
> probably does not) have correct DNS info for your local domain.

I've set up the dns server address as 127.0.0.1. Is that correct? 

> 
> The other potential problem is hinted at by your indication that 
> www.dawsign.com resolves to 207.158.59.34 (a public IP).  If you're 
> port-forwarding from your routers external IP (purely 
> speculation on my 
> part), or otherwise doing some form of NAT, masquerading, or other 
> manipulation of the IP address portion of traffic between the system 
> running your website and the internet in general, you 
> typically have to 
> present different IP's to querying hosts, depending on where they are 
> located.  For instance, your internal systems and the firewall should 
> probably access the internal (and likely private IP) address 
> of your web 
> server.  Systems on the internet in general (ie connecting via your 
> upstream link) should be given the public IP of your firewall.  The 
> interaction with firewall rules you may (or may not) have in 
> place gives 
> three major "zones": the external internet, your internal network(s), 
> and the firewall itself.  A problem with the IP address presented by 
> DNS, particulars of your port-forwarding/NAT/MASQ/etc setup, and IP 
> Chains rules currently in place all affect whether everything works 
> properly from each of the three major "zones".
> 
> Since you didn't provide anything but the MaraDNS setup 
> (which I'm not 
> familiar with, so pretty much skipped over), I can't help with more 
> specifics.  If the above isn't enough to help you figure out whats 
> causing the problem (assuming it's not fundamentally a 
> MaraDNS problem), 
> please post the complete output of "net ipfilter list", along 
> with the 
> exact ping results from both your firewall and an internal system.  A 
> general overview, discussing how you're trying to setup 
> access to your 
> public webserver would help as well.
> 

Correction:

I'm using a DMZ in this network schematic as follows:

Internet <---> DCD router <---> internal network
                   ^
                   |
                   v
                  DMZ

Am using NAT and using modules to masquerade various services.


Here's the output of the "net ipfilter list" command:

Chain input (policy DENY: 0 packets, 0 bytes):
 pkts bytes target prot opttosa tosx  ifname mark   outsize
sourcedestination   ports
0 0 DENY   icmp l- 0xFF 0x00  *
0.0.0.0/00.0.0.0/0 5 ->   *
0 0 DENY   icmp l- 0xFF 0x00  *
0.0.0.0/00.0.0.0/0 13 ->   *
0 0 DENY   icmp l- 0xFF 0x00  *
0.0.0.0/00.0.0.0/0 14 ->   *
0 0 DENY   al

[leaf-user] DCD 102 & MaraDNS

2003-06-18 Thread Doug Sampson
I finally got around to replacing TinyDNS with MaraDNS. The clients are able
to resolve names but the router itself isn't able to resolve two names- or
at least it does but then isn't able to ping these two addresses
successfully.

Network schematic:

Internet <---> DCD router <---> internal network


Here's what I did:

took out references to dnscache and tinydns and replaced these with maradns-
pointing to the .lrp package on the floppy.
updated the mararc file with what I believe to be appropriate changes.
Content of mararc file as follows:

# Example mararc file (unabridged version)
hide_disclaimer = "yes"
# The various zones we support

# We must initialize the csv1 hash, or MaraDNS will be unable to
# load any zone files
csv1 = {}

# This is just to show the format of the file
# csv1["example.com."] = "db.example.com"
csv1["dawnsign.com."] = "db.dawnsign.com"

# The address this DNS server runs on.  If you want to bind
# to all addresses a given machine has, use "0.0.0.0".
#bind_address = "192.168.1.254"
bind_address = "0.0.0.0"

# The directory with all of the zone files
chroot_dir = "/etc/maradns"

# The numeric UID MaraDNS will run as
# Bering: use dnscache uid
maradns_uid = 1001

# The (optional) numeric GID MaraDNS will run as
maradns_gid = 100

# The maximum number of threads (or processes, with the zone server)
# MaraDNS is allowed to run
maxprocs = 96

# It is possible to specify a different maximum number of processes that
# the zone server can run.  If this is not set, the maximum number of
# processes that the zone server can have defaults to the 'maxprocs' value
# above
# max_tcp_procs = 64

# Normally, MaraDNS has some MaraDNS-specific features, such as DDIP
# synthesizing, a special DNS query ("erre-con-erre-cigarro.maradns.org."
# with a TXT query returns the version of MaraDNS that a server is
# running), unique handling of multiple QDCOUNTs, etc.  Some people
# might not like these features, so I have added a switch that lets
# a sys admin disable all these features.  Just give "no_fingerprint"
# a value of one here, and MaraDNS should be more or less
# indistinguishable from a tinydns server.
no_fingerprint = 0

# Normally, MaraDNS only returns A and MX records when given a
# QTYPE=* (all RR types) query.  Changing the value of default_rrany_set
# to 15 causes MaraDNS to also return the NS and SOA records, which
# some registars require.  The default value of this is 3
default_rrany_set = 3

# These constants limit the number of records we will display, in order
# to help keep packets 512 bytes or smaller.  This, combined with round_robin
# record rotation, help to use DNS as a crude load-balancer.

# The maximum number of records to display in a chain of records (list
# of records) for a given host name
max_chain = 8
# The maximum number of records to display in a list of records in the
# additional section of a query.  If this is any value besides one,
# round robin rotation is disabled (due to limitations in the current
# data structure MaraDNS uses)
max_ar_chain = 1
# The maximum number of records to show total for a given question
max_total = 20

# The number of messages we log to stdout
# 0: No messages except for fatal parsing errors and the legal disclaimer
# 1: Only startup messages logged (default)
# 2: Error queries logged
# 3: All queries logged (but not very verbosely right now)
verbose_level = 2

# Initialize the IP aliases, which are used by the list of root name servers,
# the ACL for zone transfers, and the ACL of who gets to perform recursive
# queries
ipv4_alias = {}

# Various sets of root name servers
# Note: Netmasks can exist, but are ignored when specifying root name server

# ICANN: the most common and most controversial root name server
# http://www.icann.org
ipv4_alias["icann"] =
"198.41.0.4,128.9.0.107,192.33.4.12,128.8.10.90,192.203.23 

# OSRC: http://www.open-rsc.org/
ipv4_alias["osrc"] =
"199.166.24.1,205.189.73.102,199.166.24.3,207.126.103.16,19 

# AlterNIC: http://www.alternic.org/
ipv4_alias["alternic"] =
"160.79.129.192,24.6.78.12,160.79.133.70,65.15.8.202,21 

# OpenNIC: http://www.opennic.unrated.net/
ipv4_alias["opennic"] =
"131.161.247.226,209.151.84.102,64.247.218.140,64.247.21 

# Pacific Root: http://www.pacificroot.com/
# Disabled because Pacific Root no longer runs traditional style root
# servers
#ipv4_alias["pacificroot"] =
"204.107.129.2,208.179.42.162,12.28.140.20,204.107. 

# IRSC: http://www.irsc.ah.net/
# This group was terminated January 2002
#ipv4_alias["irsc"] =
"203.21.205.2,203.21.205.3,212.234.36.20,212.234.36.19,207 

# TINC: http://www.tinc-org.com/
# On 2002/11/15, the tinc domain was owned by a domain squatter
# The only working server on this list is 145.89.234.7
#ipv4_alias["tinc"] =
"64.6.65.10,208.128.113.35,212.172.21.254,207.112.147.14,1 

# Super Root: http://www.superroot.org/
# They no longer use a traditional list of root servers
#ipv4_alias["superroot"] =
"199.5.157.128,199.166.24.12,199.166.28.10,5.189.73.1 

[leaf-user] DMZ issues

2003-03-21 Thread Doug Sampson
Hi all,

running Dachstein 102CD using extended firewall scripts.

Am now planning on moving a very hardened Exchange box from the internal
network to the DMZ. It has a web interface.

What I need to ensure is the following:
1) clients from internal network can access their mailboxes on the Exchange
box in the DMZ.
2) allow external clients to access web interface of the Exchange box from
Internet.

I've set the DMZ type to PRIVATE and assigned a different private network
number (192.168.2.x) to it.


###
# DMZ setup (optional)

###
# Whether you want a DMZ or not (YES, PROXY, NAT, PRIVATE, NO)
DMZ_SWITCH=PRIVATE
DMZ_IF="eth2"
DMZ_NET=192.168.2.0/24


Set up port forwarding as follows:

# PRIVATE DMZ switches

###
# Services port-forwarded to the DMZ network
# Indexed list: "Protocol LocalIP LocalPort RemoteIP [ RemotePort ]"
DMZ_SERVER0="tcp $EXTERN_IP smtp 192.168.2.4 smtp"
DMZ_SERVER1="tcp $EXTERN_IP 8080 192.168.2.15 www"
DMZ_SERVER2="tcp $EXTERN_IP 8000 192.168.2.4 www"
DMZ_SERVER3="tcp $EXTERN_IP www 192.168.2.2 www"
# Indexed list: numbering must be contiguous, so the 443 rule is entry 4;
# a second DMZ_SERVER3 would replace the www rule above.
DMZ_SERVER4="tcp $EXTERN_IP 443 192.168.2.2 443"

Before I move the Exchange box, I decided to test the existing NETWORK.CONF
file by placing a laptop in the DMZ and assigning 192.168.2.4 to it. I can
ping it from the internal network but I am finding that I cannot ping
192.168.1.1 or anything in the 192.168.1.1/24 network from 192.168.2.4. Is
that normal behavior?

Would Outlook clients in the internal network be able to access the Exchange
box inside the DMZ in the normal manner as if it was inside the internal
network? Do hosts in the DMZ have access to the private DNS records that
are available to the internal network hosts? Do I need to establish DNS
records on the public dns server for any of the hosts in the DMZ in order
for the internal network hosts to be able to reach DMZ hosts?

~Doug
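
Charles's note on indexed lists (in the "Bind multiple IP addresses?" thread above) and the DMZ_SERVER list in this post are the reason for this added check, which is not Dachstein's own code: a POSIX shell lint that reads a network.conf fragment from stdin and reports a repeated index, the first missing index, and an entry with the wrong number of fields. The sample configuration is constructed for the example, and its defects (a duplicated DMZ_SERVER3, a missing INTERN_SERVER2, a short INTERN_SERVER1) are deliberate.

```shell
#!/bin/sh
# Added example, not part of Dachstein: lint the indexed lists in a
# network.conf fragment. INTERN_SERVERn, EXTERN_TCP_PORTn and DMZ_SERVERn
# must start at 0 with no missing numbers: a gap means the firewall scripts
# never read the entries after it, and a repeated index means the later
# line silently replaces the earlier rule.

# Constructed sample with three defects: DMZ_SERVER3 is defined twice (the
# 443 rule replaces the www rule), INTERN_SERVER2 is missing (so
# INTERN_SERVER3 is never read) and INTERN_SERVER1 has no RemoteIP field.
SAMPLE_CONF='
EXTERN_IP="1.2.3.4"
DMZ_SERVER0="tcp $EXTERN_IP smtp 192.168.2.4 smtp"
DMZ_SERVER1="tcp $EXTERN_IP 8080 192.168.2.15 www"
DMZ_SERVER2="tcp $EXTERN_IP 8000 192.168.2.4 www"
DMZ_SERVER3="tcp $EXTERN_IP www 192.168.2.2 www"
DMZ_SERVER3="tcp $EXTERN_IP 443 192.168.2.2 443"
INTERN_SERVER0="tcp 1.2.3.4 www 192.168.1.123"
INTERN_SERVER1="tcp 1.2.3.4 smtp"
INTERN_SERVER3="tcp 1.2.3.4 443 192.168.1.123"
'

# check_indexed_list PREFIX   (config text on stdin)
# Prints one line per problem found for PREFIX, nothing when the list is clean.
check_indexed_list() {
    prefix=$1
    conf=$(cat)

    # Indices in file order, taken from lines of the form PREFIX<n>=...
    indices=$(printf '%s\n' "$conf" | sed -n "s/^${prefix}\([0-9][0-9]*\)=.*/\1/p")

    # 1. A repeated index: the shell keeps only the last assignment.
    seen=""
    for i in $indices; do
        case " $seen " in
            *" $i "*) echo "duplicate index: ${prefix}${i} (later line replaces the earlier rule)" ;;
        esac
        seen="$seen $i"
    done

    # 2. A gap: only the first missing index matters, nothing above it is read.
    max=-1
    for i in $seen; do
        if [ "$i" -gt "$max" ]; then max=$i; fi
    done
    n=0
    while [ "$n" -le "$max" ]; do
        case " $seen " in
            *" $n "*) ;;
            *) echo "gap: ${prefix}${n} missing (entries above it are ignored)"; break ;;
        esac
        n=$((n + 1))
    done

    # 3. Field count: "Protocol LocalIP LocalPort RemoteIP [ RemotePort ]"
    #    gives four or five words; $EXTERN_IP is counted unexpanded.
    printf '%s\n' "$conf" \
      | sed -n "s/^\(${prefix}[0-9][0-9]*\)=\"\(.*\)\"[[:space:]]*$/\1 \2/p" \
      | while read -r name value; do
            set -f                # no globbing while splitting the value
            set -- $value
            if [ $# -lt 4 ] || [ $# -gt 5 ]; then
                echo "bad field count ($#) in $name: $value"
            fi
        done
}

# Stand-alone run: report on each list in the constructed sample.
for list in DMZ_SERVER INTERN_SERVER EXTERN_TCP_PORT; do
    echo "== $list"
    printf '%s\n' "$SAMPLE_CONF" | check_indexed_list "$list"
done
```

Run it against a real network.conf with `check_indexed_list DMZ_SERVER < network.conf`; an empty report for each prefix means the list is contiguous and every entry has the expected shape.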



[leaf-user] Backup

2003-03-18 Thread Doug Sampson
If I modify index.htm in the /var/sh-www directory, which of the packages in
the backup menu do I choose to make a backup? The weblet package? I'm using
DCD 1.0.2.

~Doug



[leaf-user] port open for Exchange?

2003-03-17 Thread Doug Sampson
I need to reconfigure our Dachstein 1.0.2 router to interoperate with our
Outlook Web Access (OWA) which is the web interface for our Exchange 5.5
box. The Exchange box is in our internal network and initially accepts
incoming http requests at port 80 but redirects them over to port 443 for SSL
encryption.

The question I have is- do I need to open port 443 on the router in order to
pass packets onto the Exchange box? What I am thinking is since we've
enabled NAT on the router, would the Exchange box commence packet exchange
at port 443 from the internal network thus enabling connection via NAT with
the external client?

~Doug



RE: [leaf-user] Dachstein Port Forwarding

2003-03-08 Thread Doug Sampson
Hi all,

I am back from vacation!

This morning I attempted to remove M$ Proxy Server from the Exchange box and
reconfigure TCP/IP settings. The Exchange box is now fully functioning
behind the Dachstein router as originally intended. 

Note: the box had to be rebooted for the gateway address change to take
effect. Not necessary for a name server change.

Next project- spam/virus filtering system that sits between the router and
the Exchange box.

Thanks to all who assisted.

~Doug

> > But ... the ONLY change we are suggesting you make is to 
> the Exchange 
> > server's default gateway. Does that *really* require a reboot 
> > on Windows? 
> > (I know the old joke about "You have moved your mouse - press 
> > any key to 
> > reboot", but surely Microsoft has made networking 
> > reconfiguration a bit 
> > more sane by now). OR does the proxy server require that it 
> > be the default 
> > gateway to function (if so, in what sense does it proxy)?
> 
> Yep, Win NT still requires a reboot for most configuration 
> changes. Yes, we
> are still using Win NT- haven't seen the need to upgrade. See 
> below for
> further info.
> 
> > 
> > In principle, this approach should work just fine for not 
> > dropping mail. 
> > But remember to do it far enough in advance so that the 
> > change propagates 
> > to cached records elsewhere. And consider if the Exchange 
> > server itself 
> > requires any special reconfiguration. The added MX record 
> > should point to 
> > an FQN that is externally resolvable to the router's IP address.
> > 
> > A quick check of your MX records says that you already have 
> > external MX 
> > backups:
> > 
> >  [EMAIL PROTECTED]:~$ host -t MX dawnsign.com
> >  dawnsign.comMX  20 smtp.easydns.com
> >  dawnsign.comMX  30 smtp2.easydns.com
> >  dawnsign.comMX  0 mercury.dawnsign.com
> >  dawnsign.comMX  10 mail.dawnsign.com
> > 
> > Both the 0 and 10 entries point to your proxy-server IP 
> > address. But if the 
> > 20 and 30 entries are functional, they should protect you 
> > against e-mail 
> > loss during your test phase.
>  
> Noted.
> 
> > But before you go on with this ... why do you need this 
> > Exchange server to 
> > be reachable both via the old proxy server and via the new 
> Dachstein 
> > router? Is it just a transition issue, or is there something more 
> > fundamental that requires this duplication? Why not handle 
> everything 
> > through suitable MX entries that get all mail to a single 
> IP address?
> > 
> 
> It's a transition issue. The proxy server and the Exchange 
> box is the same
> box! Due to cash flow restrictions, it was decided to combine 
> proxying and
> email functions in one box. Since then I've experienced random and
> intermittent crashes with the Winsock proxy service which I 
> was unable to
> resolve. I was advised to upgrade to ISA which I totally nixed.
> 
> I have to change the proxy server setting on all client 
> browsers to point to
> a Squid server which uses the Dachstein router as its 
> gateway. Then remove
> the Proxy Server software (and the second NIC) and change the 
> IP settings on
> the Exchange box before I can use it as originally intended. 
> Not a change
> easily performed.
> 
> Since I will be going on vacation next week, I've tabled this until my
> return. I'll report back in once the switch-over has been attempted.
> 
> Thanks for all your help.
> 
> ~Doug
> 
> 



leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html


RE: [leaf-user] Dachstein Port Forwarding

2003-02-14 Thread Doug Sampson
> 
> But ... the ONLY change we are suggesting you make is to the Exchange 
> server's default gateway. Does that *really* require a reboot 
> on Windows? 
> (I know the old joke about "You have moved your mouse - press 
> any key to 
> reboot", but surely Microsoft has made networking 
> reconfiguration a bit 
> more sane by now). OR does the proxy server require that it 
> be the default 
> gateway to function (if so, in what sense does it proxy)?

Yep, Win NT still requires a reboot for most configuration changes. Yes, we
are still using Win NT- haven't seen the need to upgrade. See below for
further info.

> 
> In principle, this approach should work just fine for not 
> dropping mail. 
> But remember to do it far enough in advance so that the 
> change propagates 
> to cached records elsewhere. And consider if the Exchange 
> server itself 
> requires any special reconfiguration. The added MX record 
> should point to 
> an FQN that is externally resolvable to the router's IP address.
> 
> A quick check of your MX records says that you already have 
> external MX 
> backups:
> 
>  autovcr@waverly:~$ host -t MX dawnsign.com
>  dawnsign.comMX  20 smtp.easydns.com
>  dawnsign.comMX  30 smtp2.easydns.com
>  dawnsign.comMX  0 mercury.dawnsign.com
>  dawnsign.comMX  10 mail.dawnsign.com
> 
> Both the 0 and 10 entries point to your proxy-server IP 
> address. But if the 
> 20 and 30 entries are functional, they should protect you 
> against e-mail 
> loss during your test phase.
 
Noted.

> But before you go on with this ... why do you need this 
> Exchange server to 
> be reachable both via the old proxy server and via the new Dachstein 
> router? Is it just a transition issue, or is there something more 
> fundamental that requires this duplication? Why not handle everything 
> through suitable MX entries that get all mail to a single IP address?
> 

It's a transition issue. The proxy server and the Exchange box is the same
box! Due to cash flow restrictions, it was decided to combine proxying and
email functions in one box. Since then I've experienced random and
intermittent crashes with the Winsock proxy service which I was unable to
resolve. I was advised to upgrade to ISA which I totally nixed.

I have to change the proxy server setting on all client browsers to point to
a Squid server which uses the Dachstein router as its gateway. Then remove
the Proxy Server software (and the second NIC) and change the IP settings on
the Exchange box before I can use it as originally intended. Not a change
easily performed.

Since I will be going on vacation next week, I've tabled this until my
return. I'll report back in once the switch-over has been attempted.

Thanks for all your help.

~Doug
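
The MX fallback Doug asks about (and Ray's reply above confirms) can be checked on paper before touching the zone. The following is an added example, not code from the LEAF list or from Dachstein: it takes the four dawnsign.com MX records exactly as `host -t MX` printed them in the thread, orders them the way a sending MTA does (lowest preference first, equal preferences in random order), and walks the list until one exchange's address accepts SMTP. The A records, the placeholder easydns addresses (192.0.2.x) and the new name `dachstein.dawnsign.com` for the router are constructed assumptions; the only fact taken from the page is that both the 0 and 10 entries resolve to the proxy-server address.

```python
"""Model of how a sending MTA walks a domain's MX records.

Added example, not from the LEAF list or Dachstein. MX_RECORDS are the four
dawnsign.com entries quoted in the thread; A_RECORDS and the 'accepting'
sets passed to simulate_delivery() are constructed for the illustration.
"""
import random
from typing import Dict, Iterable, List, Optional, Tuple

# (preference, exchange) as returned by `host -t MX dawnsign.com` in the thread
MX_RECORDS: List[Tuple[int, str]] = [
    (20, "smtp.easydns.com"),
    (30, "smtp2.easydns.com"),
    (0, "mercury.dawnsign.com"),
    (10, "mail.dawnsign.com"),
]

# Constructed A records: the two in-house names point at the proxy server
# (as Ray observed); the router name and the easydns addresses are assumptions.
A_RECORDS: Dict[str, str] = {
    "mercury.dawnsign.com": "216.70.236.235",
    "mail.dawnsign.com": "216.70.236.235",
    "dachstein.dawnsign.com": "216.70.236.236",   # hypothetical name for the Dachstein router
    "smtp.easydns.com": "192.0.2.10",             # placeholder, not the real address
    "smtp2.easydns.com": "192.0.2.11",            # placeholder, not the real address
}


def delivery_order(records: Iterable[Tuple[int, str]],
                   rng: Optional[random.Random] = None) -> List[str]:
    """Order exchanges as a sender tries them: lowest preference first,
    exchanges with equal preference in random order (RFC 5321, section 5.1)."""
    rng = rng or random.Random(0)
    by_pref: Dict[int, List[str]] = {}
    for pref, host in records:
        by_pref.setdefault(pref, []).append(host)
    ordered: List[str] = []
    for pref in sorted(by_pref):
        group = list(by_pref[pref])
        rng.shuffle(group)
        ordered.extend(group)
    return ordered


def simulate_delivery(records: Iterable[Tuple[int, str]],
                      a_records: Dict[str, str],
                      accepting_ips: Iterable[str]) -> Optional[str]:
    """Return the first exchange whose address accepts SMTP connections.
    None means every exchange refused: the sender queues and retries,
    so mail is delayed rather than lost."""
    accepting = set(accepting_ips)
    for host in delivery_order(records):
        if a_records.get(host) in accepting:
            return host
    return None


def plan_with_router_mx(records: Iterable[Tuple[int, str]],
                        router_name: str, pref: int) -> List[Tuple[int, str]]:
    """The transition trick from the thread: add an MX for the router at a
    different preference and leave the original entries in place."""
    return list(records) + [(pref, router_name)]


if __name__ == "__main__":
    print("try order today:", delivery_order(MX_RECORDS))
    plan = plan_with_router_mx(MX_RECORDS, "dachstein.dawnsign.com", 5)
    print("proxy down, router up:",
          simulate_delivery(plan, A_RECORDS, {"216.70.236.236", "192.0.2.10", "192.0.2.11"}))
```

Two things the model makes visible that the prose only implies: the new record only helps if its preference sits after the entries that still work (0 and 10 here) and before the off-site backups (20 and 30), and nothing in the MX mechanism waits for caches, so the TTL on the zone should be lowered well before the cut-over, as Ray says.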





RE: [leaf-user] Dachstein Port Forwarding

2003-02-11 Thread Doug Sampson
Ray/Charles,

I was afraid you'd both still point to the TCP/IP settings of the Exchange
box as the cause for the failure. I had thought that scanning a range of
ports was to check if it was open. But it looks like my assumption was
wrong. It checks for responses and obviously the scanner isn't getting a
proper response from port 25. What layer does the scanning work on? Layer 3
or higher (especially the application layer?) of the OSI model?

Since this Exchange box is active, I cannot change the IP settings until
after hours. I also would need to change the MX record settings on our
external DNS server. I wonder if there's a neat trick one can do to ensure
no loss of email during this phase? For example, I could create a new MX
record for the Dachstein router leaving the original MX record in place but
assigning a different priority to the new MX record. When external mail
server checks for MX records, they would attempt to contact our mail server
with the first MX setting and failing that, check the next MX record and
find the mail server active at that MX record. Does this make sense? Is this
do-able? Should the MX record contain the name of the router port-forwarding
the mail to the Exchange box instead of the name of the Exchange box?

Thanks for all of your help!

~Doug

> I agree with Ray that the place to look now is your Exchange 
> machine's 
> network configuration.  Please understand that just because 
> GRC reports 
> your port 25 as "stealth" doesn't mean the packets are being 
> firewalled. 
>   What it means is that the GRC system sent out a TCP packet 
> to port 25 
> at your IP and didn't get a response back.  From the firewall 
> information it looks like the packets are passing through 
> your Dachstein 
> firewall, which means either you've got port-forwarding setup to the 
> wrong IP, the exchange server isn't really running, or the exchange 
> server is incorrectly sending back the reply packets (ie 
> sending them to 
> the proxy-server instead of the Dachstein router).
> 
> Make sure the exchange server is using Dachstein as it's default 
> gateway, and I think everything will begin working.  If you 
> continue to 
> have problems, post the network configuration ("ipconfig /all" 
> and "route 
> print") from the Exchange box for debugging.
> 
> -- 
> Charles Steinkuehler
> [EMAIL PROTECTED]
> 
> 





RE: [leaf-user] Dachstein Port Forwarding

2003-02-10 Thread Doug Sampson
Ray,

> But with all of that, I cannot connect (using telnet) to your 
> mail server 
> from here (though I can ping you and connect to the Web server).

You couldn't- all attempts to port 23 are blocked.

> 
> So ... how thoroughly have you checked the Exchange server for 
> configuration problems? Is the Dachstein router its default 
> gateway (and 
> not the proxy server at 216.70.236.235)? Does Exchange do any 
> authentication (such as auth) of a sort that might work with 
> the proxy 
> server but not an ordinary port-forwarding router? I hesitate 
> to go down 
> this road very far, since I suspect you know more about 
> Windows sysadmin 
> issues than I do, but I would encourage you to spend some 
> time thinking 
> about possible problems with Exchange or the server it runs on.
 
No, I haven't configured the Exchange server for use with the Dachstein
router. I assumed that since the firewall had an internal address that the
Exchange server would accept connections from it. Currently Exchange is
configured to accept unauthenticated connections.

> Is the Dachstein router replacing a prior router of some 
> sort? Or is this a 
> new connection (that is, did everything previously use the 
> proxy server at 
> 216.70.236.235)?
 
No, Dachstein isn't replacing anything that used to exist at that address. I
am still running a Proxy Server 2.0 at that address and it shows port 25 and
80 being open. Running a port scanner from outside the network against the
Dachstein router shows only port 80 (and 22) as being open. You can try
scanning against 216.70.236.236 (Dachstein) and see for yourself. Try the
same scan against 216.70.236.235 (the Proxy Server) and you will notice that
ports 25 and 80 are open.

All evidence points to the Dachstein router. Ray, I understand what you're
saying about the firewall being correctly configured- it does seem like it
is. But the port scanner isn't reporting port 25 as being open.

~Doug





RE: [leaf-user] Dachstein Port Forwarding

2003-02-10 Thread Doug Sampson
> OK, are several things that could be going wrong, besides 
> mis-configuration (it looks like you've got everything setup 
> properly, 
> but I can't tell for sure without the full output of "net 
> ipfilter list").
> 
> 1) Your ISP is blocking port 25.  This is fairly common, and is 
> typically encountered along with blocking of port 80.  To test this, 
> keep the EXTERN_TCP_PORTS setting above, but comment out the 
> INTERN_SERVERS port-forwarding setting.  This will let 
> packets through 
> your firewall, but they will have nowhere to go (no listening 
> service or 
> port-forward), so the firewall will send out a TCP reset packet.  GRC 
> should show this as a "closed" port, rather than "open" or "stealth". 
> You can also try a normal traceroute to your box, then a traceroute 
> using TCP port 25 packets, to see if your ISP is filtering 
> traffic (Note 
> you have to do this from *OUTSIDE* your ISP's network).

Definitely not blocked by my ISP- we have a Proxy Server 2.0 router running
on another machine at address 216.70.236.235 subnet mask 255.255.255.248 and
it's receiving packets destined for the Exchange box. We've had this setup
for at least 4 years now. So I'm ruling out SMTP blocking.

> 
> 2) Your firewall is actually mis-configured, and your 
> firewall rules or 
> port-forwarding setup is preventing packets from getting to your mail 
> server, even though your network.conf settings look OK.  Send 
> the output 
> of "net ipfilter list" so we can verify your setup and/or 
> trace packets 
> as they make their way through your network (with ipchains packet 
> counts/logging, tcpdump, or some other means).

Here's the net ipfilter list:

Chain input (policy DENY: 0 packets, 0 bytes):
 pkts bytes target prot opt tosa tosx ifname mark outsize source            destination      ports
    0     0 DENY   icmp l-  0xFF 0x00 *                   0.0.0.0/0         0.0.0.0/0        5 ->   *
    0     0 DENY   icmp l-  0xFF 0x00 *                   0.0.0.0/0         0.0.0.0/0        13 ->  *
    0     0 DENY   icmp l-  0xFF 0x00 *                   0.0.0.0/0         0.0.0.0/0        14 ->  *
    0     0 DENY   all  l-  0xFF 0x00 eth0                0.0.0.0           0.0.0.0/0        n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0                255.255.255.255   0.0.0.0/0        n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0                127.0.0.0/8       0.0.0.0/0        n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0                224.0.0.0/4       0.0.0.0/0        n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0                10.0.0.0/8        0.0.0.0/0        n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0                172.16.0.0/12     0.0.0.0/0        n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0                192.168.0.0/16    0.0.0.0/0        n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0                0.0.0.0/8         0.0.0.0/0        n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0                128.0.0.0/16      0.0.0.0/0        n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0                191.255.0.0/16    0.0.0.0/0        n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0                192.0.0.0/24      0.0.0.0/0        n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0                223.255.255.0/24  0.0.0.0/0        n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0                240.0.0.0/4       0.0.0.0/0        n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0                192.168.1.0/24    0.0.0.0/0        n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0                216.70.236.236    0.0.0.0/0        n/a
    0     0 REJECT all  l-  0xFF 0x00 eth0                0.0.0.0/0         127.0.0.0/8      n/a
    0     0 REJECT all  l-  0xFF 0x00 eth0                0.0.0.0/0         192.168.1.0/24   n/a
    0     0 REJECT tcp  --  0xFF 0x00 eth0                0.0.0.0/0         0.0.0.0/0        * ->   137
   20   800 REJECT tcp  --  0xFF 0x00 eth0                0.0.0.0/0         0.0.0.0/0        * ->   135
   53  4134 REJECT udp  --  0xFF 0x00 eth0                0.0.0.0/0         0.0.0.0/0        * ->   137
    0     0 REJECT udp  --  0xFF 0x00 eth0                0.0.0.0/0         0.0.0.0/0        * ->   135
   20   800 REJECT tcp  --  0xFF 0x00 eth0                0.0.0.0/0         0.0.0.0/0        * ->   138:139
    0     0 REJECT udp  --  0xFF 0x00 eth0                0.0.0.0/0         0.0.0.0/0        * ->   138
    0     0 REJECT udp  --  0xFF 0x00 eth0                0.0.0.0/0         0.0.0.0/0        137:138 -> *
    0     0 REJECT udp  --  0xFF 0x00 eth0                0.0.0.0/0         0.0.0.0/0        135 ->  *
    0     0 REJECT tcp  --  0xFF 0x00 eth0                0.0.0.0/0         0.0.0.0/0        137:139 -> *
    0     0 REJECT tcp  --  0xFF 0x00 eth0                0.0.0.0/0         0.0.0.0/0        135 ->  *
    0     0 ACCEPT tcp  --  0xFF 0x00 eth0                xxx.xxx.0.0/16    0.0.0.0/0        *    <-- source edited out

[leaf-user] Dachstein Port Forwarding

2003-02-10 Thread Doug Sampson
I want to port forward any packets sent to port 25 on the external interface
to an internal email server but I seem to be having trouble doing so. I've
made the necessary changes to the network config file but the changes aren't
taking hold. I've rebooted the server twice to no avail (I'm a M$ techie :) ).

Here's the network config file condensed:



# ICMP types to open
# Space separated list: proto_destIP/mask_port#NOMASQ_DEST="tcp_0/0_ssh"
# Indexed list: "SrcAddr/Mask type [ DestAddr[/DestMask] ]"
#EXTERN_ICMP_PORT0="0/0 : 1.1.1.12"

## UDP Services open to outside world
# Space separated list: srcip/mask_dstport
# NOTE: bootpc port is used for dhcp client
#EXTERN_UDP_PORTS="0/0_domain 0/0_bootpc"

# -or-
# Indexed list: "SrcAddr/Mask port [ DestAddr[/DestMask] ]"
#EXTERN_UDP_PORT0="0/0 domain"
#EXTERN_UDP_PORT1="5.6.7.8 500 1.1.1.12"

# TCP services open to outside world
# Space separated list: srcip/mask_dstport
EXTERN_TCP_PORTS="xxx.xxx.0.0/16_ssh 0/0_www 0/0_8080 0/0_25"   # <-- edited to hide actual addrs

# -or-
# Indexed list: "SrcAddr/Mask port [ DestAddr[/DestMask] ]"
#EXTERN_TCP_PORT0="5.6.7.8 domain 1.1.1.12"
#EXTERN_TCP_PORT1="0/0 www"




###
# Port Forwarding

###
# Remember to open appropriate holes in the firewall rules, above

# Uncomment following for port-forwarded internal services.
# The following is an example of what should be put here.
# Tuples are as follows:
#   
INTERN_SERVERS="tcp_${EXTERN_IP}_smtp_192.168.1.4_smtp
tcp_${EXTERN_IP}_8080_192.168.1.15_www"

# These lines use the primary external IP address...if you need to port-forward
# an aliased IP address, use the INTERN_SERVERS setting above
#INTERN_FTP_SERVER=192.168.1.1  # Internal FTP server to make available
#INTERN_WWW_SERVER=192.168.1.1  # Internal WWW server to make available
#INTERN_SMTP_SERVER=192.168.1.1 # Internal SMTP server to make available
#INTERN_POP3_SERVER=192.168.1.1 # Internal POP3 server to make available
#INTERN_IMAP_SERVER=192.168.1.1 # Internal IMAP server to make available
#INTERN_SSH_SERVER=192.168.1.1  # Internal SSH server to make available
#EXTERN_SSH_PORT=24 # External port to use for internal SSH access

# Advanced settings: parameters passed directly to portfw and autofw
# Indexed list: ""
#INTERN_SERVER0="-a -P PROTO -L LADDR LPORT -R RADDR RPORT [-p PREF]"
#INTERN_SERVER1=""
# Indexed list: ""
#INTERN_AUTOFW0="-A -r tcp 2 20050 -h 192.168.1.1"
#INTERN_AUTOFW1=""



Running the Port Probe function at www.grc.com reveals port 25 to be in
stealth mode which under any other circumstances would be great but not
under the current circumstance! The same probe shows port 80 to be open
which is what I intended. The IP address for our email server is
192.168.1.4. It's an Exchange box with ports SMTP, POP3, and IMAP opened.

Currently running Dachstein CD 1.0.2.

~Doug
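
The two network.conf variables in the post use a compact tuple syntax (`srcip/mask_dstport` for holes, `proto_extIP_extPort_intIP_intPort` for forwards), and the comment in the file warns that a forward without a matching hole does nothing. The following is an added example, not part of Dachstein or the LEAF scripts: it parses both variables from the post, expands the service names the way `/etc/services` would, returns the `ipmasqadm portfw -a -P PROTO -L LADDR LPORT -R RADDR RPORT` commands the tuples imply (the form shown in the config's own "Advanced settings" comment) together with an approximation of the corresponding ipchains input rules, and reports forwards with no hole. The ipchains rule text is an illustration of the intent rather than the exact rule Dachstein generates, and the external address is the one from the thread. Nothing is executed; the commands are returned as strings so the check can be run on any machine.

```python
"""Parse Dachstein network.conf port-forwarding settings and check them.

Added example, not part of Dachstein/LEAF. Parses EXTERN_TCP_PORTS and
INTERN_SERVERS as quoted in the post and returns the commands they imply.
The ipchains rule form is an approximation, not Dachstein's exact rule.
"""
from typing import Dict, List, NamedTuple, Tuple

# Minimal service table; a real box would consult /etc/services.
SERVICES: Dict[str, int] = {"ssh": 22, "smtp": 25, "www": 80, "http": 80,
                            "pop3": 110, "imap": 143}

EXTERN_IP = "216.70.236.236"   # the Dachstein router's address in the thread


class Forward(NamedTuple):
    proto: str
    ext_ip: str
    ext_port: int
    int_ip: str
    int_port: int


def port_number(name: str) -> int:
    """'25' -> 25, 'smtp' -> 25; unknown names raise KeyError on purpose."""
    return int(name) if name.isdigit() else SERVICES[name]


def parse_extern_ports(value: str) -> List[Tuple[str, int]]:
    """EXTERN_TCP_PORTS items 'srcip/mask_dstport' -> [(src_cidr, port)]."""
    holes = []
    for item in value.split():
        src, port = item.rsplit("_", 1)
        holes.append((src, port_number(port)))
    return holes


def parse_intern_servers(value: str, extern_ip: str = EXTERN_IP) -> List[Forward]:
    """INTERN_SERVERS tuples 'proto_extIP_extPort_intIP_intPort' -> [Forward]."""
    forwards = []
    for item in value.split():
        item = item.replace("${EXTERN_IP}", extern_ip)   # shell expansion, done by hand
        proto, ext_ip, ext_port, int_ip, int_port = item.split("_")
        forwards.append(Forward(proto, ext_ip, port_number(ext_port),
                                int_ip, port_number(int_port)))
    return forwards


def portfw_commands(forwards: List[Forward]) -> List[str]:
    """The ipmasqadm form from the config's 'Advanced settings' comment."""
    return ["ipmasqadm portfw -a -P %s -L %s %d -R %s %d" % f for f in forwards]


def hole_commands(holes: List[Tuple[str, int]], ext_ip: str = EXTERN_IP) -> List[str]:
    """Approximate input-chain ACCEPT rules for each hole (illustrative form)."""
    return ["ipchains -A input -p tcp -s %s -d %s %d -j ACCEPT" % (src, ext_ip, port)
            for src, port in holes]


def missing_holes(forwards: List[Forward], holes: List[Tuple[str, int]]) -> List[Forward]:
    """Forwards whose external port no EXTERN_TCP_PORTS entry opens: the
    'remember to open appropriate holes' case from the config comment."""
    open_ports = {port for _, port in holes}
    return [f for f in forwards if f.ext_port not in open_ports]


if __name__ == "__main__":
    holes = parse_extern_ports("xxx.xxx.0.0/16_ssh 0/0_www 0/0_8080 0/0_25")
    fwds = parse_intern_servers("tcp_${EXTERN_IP}_smtp_192.168.1.4_smtp "
                                "tcp_${EXTERN_IP}_8080_192.168.1.15_www")
    for cmd in hole_commands(holes) + portfw_commands(fwds):
        print(cmd)
    print("forwards without a hole:", missing_holes(fwds, holes))
```

For the settings in the post the check comes back empty: both forwards (25 and 8080) have a `0/0` hole, which is consistent with the later diagnosis that the firewall was passing the packets and the problem lay on the Exchange box. On the router itself the installed forwards are listed with `ipmasqadm portfw -l`, which is the table these tuples populate.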





RE: [leaf-user] Dachstein firewall monitor

2002-12-10 Thread Doug Sampson
Sheesh, it *was* an issue with my browser! I run Opera and recently replaced
my PC with a faster one. Needless to say, I neglected to install Java at the
time I reinstalled Opera. Pure stupidity on my part!

Thanks to all who replied.

~Doug

> -Original Message-
> From: Martin Hejl [mailto:[EMAIL PROTECTED]]
> Sent: Monday, December 09, 2002 11:15 AM
> To: '[EMAIL PROTECTED]'
> Subject: Re: [leaf-user] Dachstein firewall monitor
> 
> 
> Wrigglesworth, Colin wrote:
> > Do you really mean it was working now has stopped? I 
> haven't seen it work
> > yet on my Dachstein CD 1.0.2 so would be interested to know 
> if you have had
> > it working. I thought my problem was Java related but maybe not.
> 
> well, I've seen it working on plenty of Dachtstein boxes (and the odd 
> Matterhorn box as well) - so as far as I can tell, it _does_ 
> work. And I 
> guess Charles would have removed it from Dachstein, if it 
> didn't work at 
> all.
> 
> Since Weblet ran "out of the box" on the images I tried, I 
> tend to agree 
> with you that it indeed is a Java related problem on your 
> browser - but 
> lacking any info what it is (or isn't) doing, I could only 
> speculate on 
> what's happening.
> 
> The short version is, if the applet loads, but displays "No 
> data", it's 
> likely a problem with your setup on Dachstein (the most common being 
> settings in hosts.allow/hosts.deny and the firewall settings - check 
> http://leaf.sourceforge.net/devel/hejl/troubleshooting.html for more 
> info about troubleshooting that part).
> 
> If you don't even see the applet starting (but rather some message 
> about getting a plugin, or simply a gray window), it's likely 
> an issue 
> with the browser. The easiest to check that would be to go to a page 
> that loads a java applet (for example, on
> http://java.sun.com/docs/books/tutorial/applet/overview/componentMethods.html
> - there should be a small applet near the bottom of the page)
> and see if it works there (if it does but the status monitor of weblet 
> still doesn't work, please let me know - you might be the first to come 
> across a new bug...)
> 
> I hope that helps.
> 
> Martin







[leaf-user] Dachstein firewall monitor

2002-12-06 Thread Doug Sampson
The firewall monitor running on top of the weblet has stopped functioning.
It does not display anything in the window when I double-click on the
firewall monitor link in the weblet page.

I've issued a "killall -HUP inetd" to no avail. I would rather not restart
the router if at all. What else can I do to re-enable the firewall monitor
to start working?

I am running Dachstein CD 1.0.2.

~Doug





Re: [leaf-user] Disable logging?

2002-12-04 Thread Doug Sampson
What protocol does PROTO=2 refer to?

Example:

Dec 4 16:23:40 CX269409-C kernel: Packet log: input DENY eth0 PROTO=2
192.168.100.1:65535 224.0.0.1:65535 L=28 S=0xC0 I=0 F=0x T=1 (#12)

Thanks for the reply.

~Doug

>
> Use the "SILENT_DENY" parameter in network.conf.  If you need more
> flexability than this proivdes, you can add custom deny statements in
> /etc/ipchains.input
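
The `PROTO=` field in an ipchains "Packet log:" line is the IP protocol number from the IANA list, so `PROTO=2` is IGMP; the quoted line is a membership query from the cable-side gateway to the all-hosts multicast group 224.0.0.1, and the `65535` "ports" are what ipchains prints for protocols that have none. The following is an added example, not from Dachstein or the LEAF list: a parser for these log lines that decodes the protocol number and the trailing rule index, plus a tally of the noisiest (source, protocol, destination) triples, which is the information needed to decide what to put in `SILENT_DENY` instead of switching logging off. The first sample line is the one quoted above; the two others are constructed.

```python
"""Decode ipchains 'Packet log:' lines and tally the noisy ones.

Added example, not from Dachstein or the LEAF list. SAMPLE_LOG[0] is the
line quoted in the post; the other lines are constructed. Protocol numbers
are the IANA assigned numbers, which is what ipchains prints in PROTO=.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

IP_PROTOCOLS: Dict[int, str] = {1: "icmp", 2: "igmp", 6: "tcp", 17: "udp",
                                47: "gre", 50: "esp", 51: "ah"}

# Field order as the 2.2 kernel prints it; F= may be bare "0x" as in the post.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<ifname>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=0x(?P<tos>[0-9A-Fa-f]+) I=(?P<id>\d+) F=0x(?P<frag>[0-9A-Fa-f]*) "
    r"T=(?P<ttl>\d+)(?: \(#(?P<rule>\d+)\))?"
)

SAMPLE_LOG: List[str] = [
    # the line quoted in the post
    "Dec 4 16:23:40 CX269409-C kernel: Packet log: input DENY eth0 PROTO=2 "
    "192.168.100.1:65535 224.0.0.1:65535 L=28 S=0xC0 I=0 F=0x T=1 (#12)",
    # constructed: NetBIOS name-service noise and an RPC probe, both rejected
    "Dec 4 16:24:01 CX269409-C kernel: Packet log: input REJECT eth0 PROTO=17 "
    "10.0.0.5:137 216.70.236.236:137 L=78 S=0x00 I=4321 F=0x0000 T=115 (#23)",
    "Dec 4 16:24:02 CX269409-C kernel: Packet log: input REJECT eth0 PROTO=6 "
    "203.0.113.9:3456 216.70.236.236:135 L=48 S=0x00 I=8765 F=0x4000 T=112 (#20)",
]


def parse_packet_log(line: str) -> Optional[Dict[str, object]]:
    """Return the decoded fields of one log line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    proto_num = int(d["proto"])
    rec: Dict[str, object] = {
        "chain": d["chain"], "action": d["action"], "ifname": d["ifname"],
        "proto_num": proto_num, "proto": IP_PROTOCOLS.get(proto_num, "ip-%d" % proto_num),
        "src": d["src"], "dst": d["dst"], "len": int(d["len"]), "ttl": int(d["ttl"]),
        "rule": int(d["rule"]) if d["rule"] else None,   # index of the matching rule
    }
    # ipchains prints 65535 in the port positions for protocols without ports
    if rec["proto"] in ("tcp", "udp"):
        rec["sport"], rec["dport"] = int(d["sport"]), int(d["dport"])
    else:
        rec["sport"] = rec["dport"] = None
    return rec


def noisy_sources(lines: List[str], top: int = 3) -> List[Tuple[Tuple[str, str, str], int]]:
    """(src, proto, dst) triples that dominate the log, most frequent first:
    candidates for a silent-deny rule rather than for disabling logging."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_packet_log(line)
        if rec:
            counts[(rec["src"], rec["proto"], rec["dst"])] += 1
    return counts.most_common(top)


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(parse_packet_log(line))
    print(noisy_sources(SAMPLE_LOG))
```

Run against a real `/var/log/messages` the tally tells you which source to silence. For the quoted line that is the 192.168.100.1 IGMP query, which is harmless link-local chatter (TTL 1, destination 224.0.0.1) and a reasonable candidate for a deny rule without logging.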






[leaf-user] Disable logging?

2002-12-04 Thread Doug Sampson
How does one go about disabling logging for a particular IP address in a
Dachstein CD 1.0.2 setup? My logs are filling up quickly...

~Doug






RE: [Leaf-user] DCD Port forwarding not working

2002-03-13 Thread Doug Sampson

I am completely embarrassed 'cause the web server was missing a gateway
address!

Actually, it makes quite a lot of sense when you think about why I was able to
browse from within the internal network as opposed to from the 'Net.  The web
server knew what address to pass back the requested packets.  But when it came
to serving the packets to the 'Net, it didn't have a clue where to deliver it.
So the browsers on the external network timed out waiting for the packets.

Twenty lashes are in order!

Thanks to those who tried to help me!

Doug "Red as a Beet" Sampson

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of
> Ray Olszewski
> Sent: Wednesday, March 13, 2002 3:49 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Leaf-user] DCD Port forwarding not working
>
>
> At 05:14 PM 3/13/02 -0600, guitarlynn wrote:
> >On Wednesday 13 March 2002 12:45, Doug Sampson wrote:
> >
> >> I still can't access the web server via
> >> http://www.cybersampson.com!!! #$%#!&
> >
> >It works now from my house!
>
>
> And from mine as well. But it didn't before when I tried, so
> you did fix
> something, Doug. What?
>
> --
> "Never tell me the odds!"---
> Ray Olszewski-- Han Solo
> Palo Alto, CA  [EMAIL PROTECTED]
> 
>
>



___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
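
The failure Doug found here (a web server with no default gateway) is the same one Charles describes in the February 2003 thread above, where a forwarded port probes as "stealth" even though the firewall forwards the packets: the server answers, but the answer never comes back through the Dachstein NAT table. The following is an added example, not code from the LEAF list or from Dachstein, that models the path of a single probe SYN through an ipmasqadm-style port forward and classifies the outcome the way GRC's probe reports it. The addresses are the ones in the 2003 thread (216.70.236.236 router, 216.70.236.235 proxy server, 192.168.1.4 Exchange); the LAN addresses of the two gateways, the prober's address and the list of listening ports are assumptions. The proxy server is modelled as a separate masquerading box; the thread later reveals it shares a machine with Exchange, which changes nothing about the outcome, since either way the reply leaves with an address the prober is not expecting.

```python
"""Why a port-forwarded service probes as 'stealth' when the server replies
through the wrong (or no) default gateway.

Added example, not from the LEAF list or Dachstein. The hosts are tiny models,
not real network code; see the lead-in for which addresses are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

ROUTER_EXT, ROUTER_INT = "216.70.236.236", "192.168.1.1"   # Dachstein; LAN address assumed
PROXY_EXT, PROXY_INT = "216.70.236.235", "192.168.1.2"     # Proxy Server 2.0; LAN address assumed
EXCHANGE = "192.168.1.4"
PROBER = "198.51.100.7"                                    # constructed address of the prober


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


@dataclass
class NatBox:
    """A router doing ipchains masquerading plus ipmasqadm-style port forwards."""
    ext_ip: str
    forwards: Dict[int, Tuple[str, int]]                      # ext port -> (LAN ip, LAN port)
    table: Dict[Tuple[str, int, str, int], Tuple[str, int]] = field(default_factory=dict)

    def inbound(self, p: Packet) -> Packet:
        """SYN on the external interface: DNAT it, or answer RST if no forward exists."""
        if p.dport not in self.forwards:
            return Packet(self.ext_ip, p.dport, p.src, p.sport, "RST")
        lan_ip, lan_port = self.forwards[p.dport]
        self.table[(lan_ip, lan_port, p.src, p.sport)] = (self.ext_ip, p.dport)
        return Packet(p.src, p.sport, lan_ip, lan_port, p.flags)

    def outbound(self, p: Packet) -> Packet:
        """Reply leaving through this box: reverse the DNAT if this box created it,
        otherwise plain masquerading rewrites the source to this box's own address."""
        key = (p.src, p.sport, p.dst, p.dport)
        if key in self.table:
            ext_ip, ext_port = self.table[key]
            return Packet(ext_ip, ext_port, p.dst, p.dport, p.flags)
        return Packet(self.ext_ip, p.sport, p.dst, p.dport, p.flags)


@dataclass
class Host:
    ip: str
    listening: Set[int]
    gateway: Optional[str]          # LAN address of the default gateway, or None

    def answer(self, p: Packet) -> Packet:
        flags = "SYN-ACK" if p.dport in self.listening else "RST"
        return Packet(self.ip, p.dport, p.src, p.sport, flags)


def probe(port: int, router: NatBox, host: Host, lan: Dict[str, NatBox]) -> str:
    """What an external port probe reports for router.ext_ip:port."""
    syn = Packet(PROBER, 40000, router.ext_ip, port, "SYN")
    inside = router.inbound(syn)
    if inside.flags == "RST":
        return "closed"                 # the firewall itself reset the connection
    if inside.dst != host.ip:
        return "stealth"                # forwarded to an address nobody answers on
    reply = host.answer(inside)
    if host.gateway is None or host.gateway not in lan:
        return "stealth"                # no route back to the prober; reply stays on the LAN
    out = lan[host.gateway].outbound(reply)
    if (out.src, out.sport) != (router.ext_ip, port):
        return "stealth"                # reply carries another public address; prober ignores it
    return "open" if out.flags == "SYN-ACK" else "closed"


def scenarios() -> Dict[str, str]:
    """The cases discussed in the two threads, each probed on port 25."""
    results: Dict[str, str] = {}

    def run(label: str, forwards: Dict[int, Tuple[str, int]], host: Host) -> None:
        router = NatBox(ROUTER_EXT, forwards)
        proxy = NatBox(PROXY_EXT, {})
        results[label] = probe(25, router, host, {ROUTER_INT: router, PROXY_INT: proxy})

    fw = {25: (EXCHANGE, 25)}
    run("exchange gateway = Dachstein", fw, Host(EXCHANGE, {25, 110, 143}, ROUTER_INT))
    run("exchange gateway = proxy server", fw, Host(EXCHANGE, {25, 110, 143}, PROXY_INT))
    run("exchange has no default gateway", fw, Host(EXCHANGE, {25, 110, 143}, None))
    run("forward points at an unused LAN address", {25: ("192.168.1.99", 25)},
        Host(EXCHANGE, {25}, ROUTER_INT))
    run("SMTP service not running", fw, Host(EXCHANGE, {110, 143}, ROUTER_INT))
    run("hole open, no forward", {}, Host(EXCHANGE, {25}, ROUTER_INT))
    return results


if __name__ == "__main__":
    for label, verdict in scenarios().items():
        print(f"{label:42s} -> {verdict}")
```

The three verdicts map onto the diagnosis in the threads: "closed" means something on the public address sent a RST (the firewall with the forward commented out, or a forwarded host with nothing listening), "open" needs the SYN-ACK to come back through the same NAT table that rewrote the SYN, and everything else (wrong gateway, no gateway, forward to an empty address) looks identical from outside, which is why a "stealth" result alone cannot tell the firewall apart from the server behind it.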



RE: [Leaf-user] DCD Port forwarding not working

2002-03-13 Thread Doug Sampson

> If I understand the setup right, you are referring here to 
> hosts.allow and
> hosts.deny on the LEAF router. But the actual Web server runs 
> on a different
> host, on its port 80, and gets (or is supposed to get, once everything
> works) traffic forwarded from port 8080 on the LEAF router's 
> external interface.
> 
> If I have all of that right, then the entries you describe 
> will have no
> effect on this problem. Only the port-forwarding code in the kernel is
> involved on the LEAF router, and that makes no use fo these 
> files, which are
> used by inetd (and a few other server processes).
> 
> If I have any of my assumptions wrong, then please clarify 
> appropriately.

No, you've got it right.  Ok, ruling out one thing then...

I still can't access the web server via http://www.cybersampson.com!!!
#$%#!&

I'm beginning to think it's the web server that is denying access.  I'm
thinking that the web server does accept requests from the private network
but is *somehow* denying requests that pass through the DCD router.  Would
that be possible even though the forwarded packets are now inside the
private network?  I do not know enough about TCP/IP packet structure to be
able to answer this question adequately.

Can someone verify or debunk this?

~Doug




RE: [Leaf-user] DCD Port forwarding not working

2002-03-12 Thread Doug Sampson

I just thought of something else.  If there wasn't any entry in the
/etc/hosts.allow file for web access (i.e., in.www:ALL; in:8080:ALL), would
this stop any incoming traffic from coming in?  I am using the default
/etc/hosts.deny file (ALL:PARANOID; ALL:ALL in that order).

Does this shed any light on my situation?

In any case, I've modified the /etc/network.conf file per Lynn's suggestion
and will check from work tomorrow.

~Doug

>
> Change the line:
>
> # Set EXTERN_IP to "DYNAMIC" if you need the rules to read
> the IP from
> the
> # interface, but you arn't using DHCP (ie PPPoE and dialup users)
> #EXTERN_IP=DYNAMIC
>
> To read "EXTERN_IP=NO"
> I belive the dynamic option is not needed for typical cablemodem
> connections, but then again, it may not matter since "eth0" is listed
> as the external interface.
>
> The original stated problem and fix is likely the error in the port
> forwarding anyway.
> --
>
> ~Lynn Avants
> aka Guitarlynn
>
> guitarlynn at users.sourceforge.net
> http://leaf.sourceforge.net
>
> If linux isn't the answer, you've probably got the wrong question!
>
>






RE: [Leaf-user] DCD Port forwarding not working

2002-03-12 Thread Doug Sampson

> I don't know exactly how eth0 is supposed to come up and be 
> configured when running PPPoE, which is what I am assuming 
> you're using with this config. If you're not running PPPoE, you need
> to fix the general config before it will work.
> 
Am running dhclient on eth0 that is connected 7/24 to cable (Cox).

Will make the changes when I get home tonight and report back.  Thanks for
the follow-up.

~Doug




RE: [Leaf-user] DCD Port forwarding not working

2002-03-11 Thread Doug Sampson

Yes, that would be a big help!  I'm extremely frustrated by the fact there
doesn't seem to be a hole opened at port 8080...  Or is it there and I didn't
see it?

Here's the content of network.conf:

##
#
# Extended firewall configuration scripts
# By Charles Steinkuehler
# Version 1.3.2
# September 29, 2001
##
#
# Brief instructions for this file
##
#
#
# VERBOSE=(YES/NO)  Default: Yes
# Be verbose about settings.
#
# MAX_LOOP=(int)Default: 10
# Maximum number of incrementable entries to search for.
# IE: If you create a DNS7=, and MAX_LOOP=7, it will not be reached.
# (DNS0 - DNS7 == 8 entries)
# Setting this value too high will decrease the speed of the configuration
# system.
#
# IPFWDING_KERNEL=(YES/NO/FILTER_ON)Default: NO
# Enable IP forwarding in the kernel.  FILTER_ON means forwarding will
# only happen when IP filtering rules are loaded
#
# IPALWAYSDEFRAG_KERNEL=(YES/NO)Default: NO
# Enable IP Global defragmentation in the kernel.
#
# **WARNING** - If this was turned on everywhere in a network of routers,
# it can result in TCP connections failing and TCP connection resets.
#
# ONLY turn this on if the box is a firewall or the single point of
# entry for a network, or an endpoint for port forwarding or a load
# balancer for a WWW server farm.  DO NOT turn this on if the box is a
# conventional router as it breaks the TCP/IP RFCes.  This option is
# needed when using IP NAT, IP masquerading, IP autofw, IP portfw,
# transparent proxying or other kernel operations that intercept a
# packet flow and redirect it.
#
# It is a useful tool when using a packet filtering router to protect
# directly attached ethernet networks of servers as it stops fragment
# attacks on the servers in behind the router. Another use is packet
# filtering router to protect dial-in Internet users on NASes
# (Portmasters, TC racks etc) from various SMB and fragment attacks
# and to redirect all WWW connections into a WWW proxy-caching server.
#
# CONFIG_HOSTNAME=(YES/NO)  Default: NO
# Create /etc/hostname file using HOSTNAME entry.
# Any current hostname file will be **OVERWRITTEN**
#
# CONFIG_HOSTSFILE=(YES/NO) Default: NO
# Create /etc/hosts file using HOSTSx entries.
# Any current hosts file will be **OVERWRITTEN**
#
# CONFIG_DNS=(YES/NO)   Default: NO
# Create /etc/resolv.conf file using DOMAINS and DNSx entries.
# Any current resolv.conf file will be **OVERWRITTEN**
#
# IF_LIST   Default: "$IF_AUTO"
# A space separated list of interfaces that can be ACTIVE on this machine
# This controls which interfaces can be brought up and down manually.
#
# IF_AUTO   Default: "eth0"
# A space separated list of interfaces that get started on boot. Tunneling
# interfaces like CIPE should be after the raw  interfaces they depend on.
# The interfaces are started in the order they occur on the list, and are
# shutdown in the reverse order of IF_LIST.
#
# IPFILTER_SWITCH=(none|router|firewall)Default: "none"
# Selects the basic IP filtering/firewalling setup of the router.  "None"
# is used for a straight through router, "router" for a filtering router with
# IP spoof protection and Martian protection and "firewall" for a basic IP
# masquerading/NAT firewall.  The basic filter types are provided in
# /etc/ipfilter.conf.  If you want more than what is provided read the man
# pages for ipchains or ipfwadm and BE CAREFUL when you edit this!
#
##
#
# General Settings
##
#

VERBOSE=YES
MAX_LOOP=10

IPFWDING_KERNEL=FILTER_ON

IPALWAYSDEFRAG_KERNEL=YES

CONFIG_HOSTNAME=YES

CONFIG_HOSTSFILE=NO

CONFIG_DNS=NO

##
#
# Interfaces
##
#

# Start pppd PPP interfaces first as pppd's use of DNS can delay startup.
#
# Interfaces to start on boot go here - ie "ppp0 eth0"
# Do NOT include interfaces configured by dhcp!
IF_AUTO="eth1"

# List of all configured interfaces, manual start and boot start
IF_LIST="$IF_AUTO"

# Accept ICMP Redirects on ALL interfaces, also depends on /proc
# per interface IP forwarding flag. - YES/NO
ALLIF_ACCEPT_REDIRECTS=NO

# Need these both for interfaces run by daemons - ie PPP, CIPE, some
# WAN interfaces
# IP spoofing protection by default for interfaces - YES/NO
DEF_IP_SPOOF=YES
# Kernel logging of spoofed packets by default for interfaces - YES/NO
DEF_IP_KRNL_LOGMARTIANS=YES

# Bridge Setup - Global stuff
#
# Enable bridging - YES/NO
BR

RE: [Leaf-user] DCD Port forwarding not working

2002-03-10 Thread Doug Sampson

> > I would be happier knowing what it says rather than what it
> > "essentially"
> > says. Also what "it" is (what browser is reporting the
> > error). From here,
> > Netscape (on Win95) gets the right translated address from
> > DynDNS, but times
> > out with its standard "The server is not responding ..." message.
> >
>
> Noted.
>
Currently I'm behind the firewall instead of out on the 'Net so am unable to
replicate the exact error message.  I will be able to find out when I head off
to work tomorrow.  But what you're showing on your end is very much similar to
what I'm seeing.  I currently use Opera 6.01 as my browser.  So my error
messages may be different from those shown on IE or Nutscrape.  If my memory
serves me correctly, it goes like this, "Connection request refused".

Thanks!

~Doug








RE: [Leaf-user] DCD Port forwarding not working

2002-03-10 Thread Doug Sampson

> I would be happier knowing what it says rather than what it
> "essentially"
> says. Also what "it" is (what browser is reporting the
> error). From here,
> Netscape (on Win95) gets the right translated address from
> DynDNS, but times
> out with its standard "The server is not responding ..." message.
>

Noted.

> >Here is the data for analysis:
>
> Where in the config file are you setting up the port
> forwarding? If I look
> at the section on port forwarding, all I see is a
> commented-out line to
> specify the port-forwarding link:
>
> >#INTERN_SERVERS="tcp_${EXTERN_IP}_8080_192.168.1.200_80"
>
> (You do uncomment the line to identify the internal WWW
> server, but that
> doesn't include any port-8080 information.)
>
> >INTERN_WWW_SERVER=192.168.1.200 # Internal WWW server to make
> >available

I've been trying out various ways to make port-forwarding work. Thus the
reason why you see so many commented out lines.

>
> You might want to check if the port-forwarding rule you
> desire is actually
> in place. I always forget this command, but I think it is --
>
> ipmasqadm mfw -L -n

Here it is.

# ipmasqadm mfw -L -n
fwmark   rediraddr   rport  pcnt  pref


Looks like there isn't any port-forwarding rules in place?  What do I need to
do then?  Would uncommenting the "INTERN_SERVERS" line listed above open port
8080 for forwarding to port 80 on 192.168.1.200?

~Doug




___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user



[Leaf-user] DCD Port forwarding not working

2002-03-09 Thread Doug Sampson

Hi all,

I'm still having a problem with port forwarding packets to the internal web
server...  I am on a Cox network that supposedly blocks packets coming inward
via port 80.  I've set up an account with DynDNS that forwards packets
directed at http://www.cybersampson.com to http://www2.cybersampson.com:8080.
I am getting an error message that essentially says "connection request
refused".

Here is the data for analysis:

Running DCD 1.02 on a system with 2 NICs.

NETWORK.CONF



# Traffic to completely ignore...define here to prevent filling your logs
# Space separated list: protocol_srcip[/mask][_dstport]
#SILENT_DENY="udp_207.235.84.1_route udp_207.235.84.0/24_37"
SILENT_DENY="udp_10.8.238.1_68 tcp_10.8.238.1_68 icmp_192.168.100.1_65535"

# Extra rule scripts added by Charles Steinkuehler to more easily support
# non-standard extensions of the pre-configured ipchains rules
IPCH_IN=/etc/ipchains.input
IPCH_FWD=/etc/ipchains.forward
IPCH_OUT=/etc/ipchains.output

# ICMP types to open
# Indexed list: "SrcAddr/Mask type [ DestAddr[/DestMask] ]"
#EXTERN_ICMP_PORT0="0/0 : 1.1.1.12"

## UDP Services open to outside world
# Space separated list: srcip/mask_dstport
# NOTE: bootpc port is used for dhcp client
# EXTERN_UDP_PORTS="0/0_domain 0/0_bootpc"
EXTERN_UDP_PORTS="0/0_bootpc"

# -or-
# Indexed list: "SrcAddr/Mask port [ DestAddr[/DestMask] ]"
#EXTERN_UDP_PORT0="0/0 domain"
#EXTERN_UDP_PORT1="5.6.7.8 500 1.1.1.12"

# TCP services open to outside world
# Space separated list: srcip/mask_dstport
#EXTERN_TCP_PORTS="216.70.236.234/29_ssh 0/0_www 0/0_1023 0/0_8080"

# -or-
# Indexed list: "SrcAddr/Mask port [ DestAddr[/DestMask] ]"
#EXTERN_TCP_PORT0="5.6.7.8 domain 1.1.1.12"
#EXTERN_TCP_PORT1="0/0 www"
EXTERN_TCP_PORT0="216.70.236.236/29 ssh"
EXTERN_TCP_PORT1="0/0 www"
EXTERN_TCP_PORT2="0/0 8080"
#EXTERN_TCP_PORT3="0/0 8080"

# Generic Services open to outside world
# Space separated list: protocol_srcip/mask_dstport
#EXTERN_PORTS="50_5.6.7.8 51_5.6.7.8"

# -or-
# Indexed list: "Protocol SrcAddr/Mask [ DestAddr[/DestMask] ]"
#EXTERN_PROTO0="50 5.6.7.8/32"
#EXTERN_PROTO1="51 5.6.7.8/32"
#EXTERN_PROTO0="8080 0/0 192.168.1.1/32"

##
#
# Port Forwarding
##
#
# Remember to open appropriate holes in the firewall rules, above

# Uncomment following for port-forwarded internal services.
# The following is an example of what should be put here.
# Tuples are as follows:
#   
#INTERN_SERVERS="tcp_${EXTERN_IP}_ftp_192.168.1.200_ftp
tcp_${EXTERN_IP}_smtp_19
#INTERN_SERVERS="tcp_${EXTERN_IP}_8080_192.168.1.200_80"

# These lines use the primary external IP address...if you need to port-forward
# an aliased IP address, use the INTERN_SERVERS setting above
#INTERN_FTP_SERVER=192.168.1.200    # Internal FTP server to make available
INTERN_WWW_SERVER=192.168.1.200     # Internal WWW server to make available
#INTERN_SMTP_SERVER=192.168.1.200   # Internal SMTP server to make available
#INTERN_POP3_SERVER=192.168.1.200   # Internal POP3 server to make available
#INTERN_IMAP_SERVER=192.168.1.200   # Internal IMAP server to make available
#INTERN_SSH_SERVER=192.168.1.200    # Internal SSH server to make available
#EXTERN_SSH_PORT=24                 # External port to use for internal SSH

# Advanced settings: parameters passed directly to portfw and autofw
# Indexed list: ""
#INTERN_SERVER0="-a -P PROTO -L LADDR LPORT -R RADDR RPORT [-p PREF]"
INTERN_SERVER0="tcp ${EXTERN_IP} 8080 192.168.1.200 80"
# Indexed list: ""
#INTERN_AUTOFW0="-A -r tcp 2 20050 -h 192.168.1.1"
#INTERN_AUTOFW0="-A -r tcp 8080 -h 192.168.1.200"

##
#
# DMZ setup (optional)
##
#
# Whether you want a DMZ or not (YES, PROXY, NAT, PRIVATE, NO)
DMZ_SWITCH=NO
DMZ_IF="eth2"
DMZ_NET=192.168.2.0/24

# DMZ switches for all flavors except PRIVATE




# netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
68.7.204.0      0.0.0.0         255.255.252.0   U         0 0          0 eth0
0.0.0.0         68.7.204.1      0.0.0.0         UG        0 0          0 eth0

# netstat -nre
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
68.7.204.0      0.0.0.0         255.255.252.0   U     0      0        0 eth0
0.0.0.0         68.7.204.1      0.0.0.0         UG    0      0        0 eth0

# ip addr show
1: lo:  mtu 3924 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope global lo
2: ipsec0:  mtu 0 qdisc noop qlen 10

[Leaf-user] DCD port forwarding [second attempt]

2002-02-13 Thread Doug Sampson

I'm trying again as I haven't heard back from any of you since last night.
Please forgive me if this is annoying to you.  I'd like to fix this
port-forwarding issue I'm having right now.  Thanks for your patience!

~Doug


[Leaf-user] DCD RAMLOG

2002-02-12 Thread Doug Sampson

I have a Pentium 166 MHz router that has 82 MB RAM running DCD 102.  It seems
to me that the default ramlog configuration was designed for machines with
smaller amount of RAM.

Here is what I've done to my router:

#/ETC/RAMDISK.CONF:
# [-c | -l filename] [-nXX] [-iXX] /dev/name [blocks]
dev/ram1 8192


# /etc/fstab: static file system information.
#
#
proc        /proc       proc    noauto      0   0
/dev/ram0   /           minix   rw,noauto   1   1
/dev/ram1   /var/log    minix   defaults    1   2


# free
        total:    used:    free:  shared: buffers:  cached:
Mem:  81174528 21143552 60030976  6213632  8908800  4788224
Swap:        0        0        0
MemTotal:     79272 kB
MemFree:      58624 kB
MemShared:     6068 kB
Buffers:       8700 kB
Cached:        4676 kB
SwapTotal:        0 kB
SwapFree:         0 kB


What can I do to optimize the use of available RAM on this router?

~Doug




[Leaf-user] DCD port forwarding

2002-02-12 Thread Doug Sampson

I'm having trouble port forwarding on a DCD 102 router.  Standard
public/private network set-up with a web server behind the router.  Since I'm
on a Cox network, I cannot run a web server using port 80 as it's being
blocked by Cox.  So I've resorted to using port 8080 in the past which has
worked out rather well.  However, since switching to Dachstein, I've never
been able to get web site requests redirected to the web server via port 8080.

Here's my configuration files:

# ip addr
1: lo:  mtu 3924 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope global lo
2: ipsec0:  mtu 0 qdisc noop qlen 10
link/ipip
3: ipsec1:  mtu 0 qdisc noop qlen 10
link/ipip
4: ipsec2:  mtu 0 qdisc noop qlen 10
link/ipip
5: ipsec3:  mtu 0 qdisc noop qlen 10
link/ipip
6: brg0:  mtu 1500 qdisc noop
link/ether fe:fd:09:00:3f:ff brd ff:ff:ff:ff:ff:ff
7: eth0:  mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:40:f4:2a:f3:d4 brd ff:ff:ff:ff:ff:ff
inet 68.7.207.39/22 brd 68.7.207.255 scope global eth0
8: eth1:  mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:60:97:78:8c:16 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.254/24 brd 192.168.1.255 scope global eth1

# ip route
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.254
68.7.204.0/22 dev eth0  proto kernel  scope link  src 68.7.207.39
default via 68.7.204.1 dev eth0

# netstat -i
Kernel Interface table
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR   TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0   1500   0   65630      0      0      0    9840      0      0      0 BMRU
eth1   1500   0   16628      3      0      0   18807      0      0      0 BMRU
lo     3924   0       7      0      0      0       7      0      0      0 LRU


# network.conf
# ICMP types to open
# Indexed list: "SrcAddr/Mask type [ DestAddr[/DestMask] ]"
#EXTERN_ICMP_PORT0="0/0 : 1.1.1.12"

## UDP Services open to outside world
# Space separated list: srcip/mask_dstport
# NOTE: bootpc port is used for dhcp client
# EXTERN_UDP_PORTS="0/0_domain 0/0_bootpc"
EXTERN_UDP_PORTS="0/0_domain"

# -or-
# Indexed list: "SrcAddr/Mask port [ DestAddr[/DestMask] ]"
#EXTERN_UDP_PORT0="0/0 domain"
#EXTERN_UDP_PORT1="5.6.7.8 500 1.1.1.12"

# TCP services open to outside world
# Space separated list: srcip/mask_dstport
EXTERN_TCP_PORTS="216.70.236.234/29_ssh 0/0_www 0/0_1023 0/0_8080"

# -or-
# Indexed list: "SrcAddr/Mask port [ DestAddr[/DestMask] ]"
#EXTERN_TCP_PORT0="5.6.7.8 domain 1.1.1.12"
#EXTERN_TCP_PORT1="0/0 www"
#EXTERN_TCP_PORT0="216.70.236.234/29 ssh"
#EXTERN_TCP_PORT1="0/0 www"
#EXTERN_TCP_PORT2="0/0 1023"
#EXTERN_TCP_PORT3="0/0 8080"

# Generic Services open to outside world
# Space separated list: protocol_srcip/mask_dstport
#EXTERN_PORTS="50_5.6.7.8 51_5.6.7.8"

# -or-
# Indexed list: "Protocol SrcAddr/Mask [ DestAddr[/DestMask] ]"
#EXTERN_PROTO0="50 5.6.7.8/32"
#EXTERN_PROTO1="51 5.6.7.8/32"
#EXTERN_PROTO0="8080 0/0 192.168.1.1/32"

##
#
# Internal Interface
##
#
# Comment 3 settings below for no internal network (DMZ only configuration)
INTERN_IF="eth1"# Internal Interface
INTERN_NET=192.168.1.0/24   # One (or more) Internal network(s)
INTERN_IP=192.168.1.254 # IP number of Internal Interface
# (to allow forwarding to external IP)
MASQ_SWITCH=YES # Masquerade internal network to outside
# world - YES/NO

# These services are not masqueraded from int to ext/DMZ, preventing access
# Space separated list: proto_destIP/mask_port
#NOMASQ_DEST="tcp_0/0_ssh"

# Override for above...only the listed dest IP's can be accessed
# Space separated list: proto_destIP/mask_port
#NOMASQ_DEST_BYPASS="tcp_10.0.0.1_ssh"

##
#
# Port Forwarding
##
#
# Remember to open appropriate holes in the firewall rules, above

# Uncomment following for port-forwarded internal services.
# The following is an example of what should be put here.
# Tuples are as follows:
#   
#INTERN_SERVERS="tcp_${EXTERN_IP}_ftp_192.168.1.1_ftp
tcp_${EXTERN_IP}_smtp_192.
INTERN_SERVERS="tcp_${EXTERN_IP}_8080_192.168.1.1_8080"

# These lines use the primary external IP address...if you need to port-forward
# an aliased IP address, use the INTERN_SERVERS setting above
#INTERN_FTP_SERVER=192.168.1.1   # Internal FTP server to make available
INTERN_WWW_SERVER=192.168.1.1   # Internal WWW server to make available
#INTERN_SMTP_SERVER=192.168.1.1 # Internal SMTP server to make available
#INTERN_POP3_SERVER=192.168.1.1 # Internal POP3 server to make available
#INTERN_IMAP_SERVER=192.168.1.1  # Internal IMAP server to make available
#INTERN_SSH_SERVER=192.168.1.1   # I
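The INTERN_SERVERS tuples in this post and in the March 2002 "DCD Port forwarding not working" post above share one format, and the network.conf comment "Remember to open appropriate holes in the firewall rules, above" is the check that is easiest to miss. The shell script below is an added example, not DCD's own code: it turns a tuple into the "ipmasqadm portfw -a -P ... -L ... -R ..." command whose argument layout the INTERN_SERVER0 comment line shows, and warns when EXTERN_TCP_PORTS opens no hole for the external port. It assumes the tuple layout proto_extIP_extport_intIP_intport (read off the commented examples), the 68.7.207.39 external address from the posted "ip addr", and that DCD's tuples end up in the portfw table. That last point matters for the "ipmasqadm mfw -L -n" output in the reply above: mfw is the mark-forwarding table, and its columns (fwmark, rediraddr, rport) are not the portfw table, which "ipmasqadm portfw -l -n" lists.

```sh
#!/bin/sh
# Added example, not DCD's own code: render Dachstein-style INTERN_SERVERS
# tuples as "ipmasqadm portfw" commands and warn when EXTERN_TCP_PORTS has
# no hole for the external port. Assumed tuple layout (from the commented
# examples in network.conf):
#   proto_externalIP_externalPort_internalIP_internalPort
# Nothing here touches the live firewall; it only prints commands.

EXTERN_IP=68.7.207.39      # eth0 address from the posted "ip addr"

# Service names used in the posts, mapped to numbers (assumed subset of
# /etc/services); anything else is passed through unchanged.
port_number() {
    case "$1" in
        www|http) echo 80 ;;
        ssh)      echo 22 ;;
        ftp)      echo 21 ;;
        smtp)     echo 25 ;;
        *)        echo "$1" ;;
    esac
}

# render_portfw TUPLE: print the portfw command for one tuple.
# Returns 1 when the tuple does not split into exactly five fields.
render_portfw() {
    oldifs=$IFS; IFS=_; set -- $1; IFS=$oldifs
    [ $# -eq 5 ] || return 1
    printf 'ipmasqadm portfw -a -P %s -L %s %s -R %s %s\n' \
        "$1" "$2" "$(port_number "$3")" "$4" "$(port_number "$5")"
}

# hole_open PORT ENTRY...: 0 if any srcip/mask_dstport entry opens PORT.
hole_open() {
    want=$(port_number "$1"); shift
    for entry in "$@"; do
        [ "$(port_number "${entry##*_}")" = "$want" ] && return 0
    done
    return 1
}

# check_forward TUPLE "EXTERN_TCP_PORTS": print the command; return 2 for a
# malformed tuple, 1 when the external port has no hole, 0 when both pass.
check_forward() {
    tuple=$1; holes=$2
    cmd=$(render_portfw "$tuple") || { echo "malformed tuple: $tuple" >&2; return 2; }
    echo "$cmd"
    oldifs=$IFS; IFS=_; set -- $tuple; IFS=$oldifs
    hole_open "$3" $holes && return 0
    echo "warning: no EXTERN_TCP_PORTS entry opens port $3; the forward never sees traffic" >&2
    return 1
}

# Usage with values from the posts (EXTERN_TCP_PORTS from the February config).
EXTERN_TCP_PORTS="216.70.236.234/29_ssh 0/0_www 0/0_1023 0/0_8080"
check_forward "tcp_${EXTERN_IP}_8080_192.168.1.200_80" "$EXTERN_TCP_PORTS"
check_forward "tcp_${EXTERN_IP}_8080_192.168.1.200_80" "0/0_www" || echo "  (exit status $?)"
# A space-separated value, like the INTERN_SERVER0 line in the March config,
# is not a tuple at all (INTERN_SERVER0's own comment line shows the raw
# "-a -P PROTO -L LADDR LPORT -R RADDR RPORT" argument form instead):
check_forward "tcp ${EXTERN_IP} 8080 192.168.1.200 80" "$EXTERN_TCP_PORTS" || echo "  (exit status $?)"
```

The script only reasons about the firewall side. Whether the forward works end to end also depends on the internal host listening on the internal port named in the tuple (8080 on 192.168.1.1 in this post's INTERN_SERVERS line, 80 on 192.168.1.200 in the March post).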

[Leaf-user] NIC card switching

2002-02-12 Thread Doug Sampson

I have a 3C509b and a RTL8139 PCI card in my router.  The rtl8139 is assigned
eth0 while 3c509b is assigned eth1.  The router runs DCD 102.

The rtl8139 is a 10/100 PCI card and thus I would like to use as the internal
card instead of as the external card.  The external card connects to a cable
modem.

I've identified two possibilities for switching these two cards around as
follows:
1) rearrange the order in which the NICs are listed in the /etc/modules file.
2) identify eth1 as the external card in /etc/network.conf and allow dlclient
to retrieve an ip address for eth0.

What's the best way to switch so that the rtl8139 card is assigned as eth1 and
the 3c509b is eth0?

~Doug




RE: [Leaf-user] silent_deny not working

2002-02-12 Thread Doug Sampson

> > # cat /etc/ipchains.input
> >  $IPCH -I input -j DENY -p all -s 0/0 -d 255.255.255.255 -i
> $EXTERN_IF
> >
> > Exactly what does the ipchain statement say?  Exactly what
> does it deny?
> > Obviously I'm not at all familiar with ipchaining...  and I
> want to understand
> > it fully before I implement it...
>
> $IPCH -- /etc/ipfilter.conf:
> IPCH="/sbin/ipchains --no-warnings"
> -d 255.255.255.255-- destination address
> -i $EXTERN_IF -- interface via which a packet is received
> -I input  -- Insert one or more rules in the
> selected chain as the given
> rule number
> -j DENY   -- what to do if the packet
> matches this rule
> -p all-- protocol  of the rule or of
> the packet to check
> -s 0/0-- Source specification
>
> I struggled with this for sometime last December, after being dragged
> into attbi.com.  Since it is possible that that source ip can
> change and
> that I have never found any reason to _log_ packets broadcast to the
> entire universe (e.g., -d 255.255.255.255); therefore, I conclude that
> such packets deserve anonymity in that great bit bucket somewhere near
> /dev/null . . .
>

How is this implemented in DCD 102?  In the network.conf file?  I understand
that I can type the ipchain command at the command prompt.  However that is
good only until it is rebooted and I'd like to make that a permanent solution.

~Doug




RE: [Leaf-user] silent_deny not working

2002-02-12 Thread Doug Sampson

>
> # SILENT_DENY="ProtoNumber_SourceAddress/Netmask_DestinationPort"
> Try:  SILENT_DENY="udp_10.8.238.1_68"
>-or-
>SILENT_DENY="17_10.8.238.1_68"
>-or  drop the destination port altogether-
>SILENT_DENY="all_10.8.238.1"
>
> The last field is the destination port rather than the
> sender's port and
> you don't have to designate it at all if you don't want to.

Ah, the destination port instead of the source port!  I tried using 68 as the
destination port and now the logs have stopped filling up with entries from
Cox's DHCP server!

>
> Hope this helps,

Yup, sure does!

Thanks!

~Doug
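The reply above settles the SILENT_DENY field order: the last field is the destination port, which is why "udp_10.8.238.1_67" left the log filling up while "udp_10.8.238.1_68" stopped it. The shell script below is an added example, not DCD's code, that makes this checkable: it parses an ipchains "Packet log:" line into protocol, source and destination, tests a tuple against it, and prints the non-logging ipchains DENY rule a tuple stands for. It assumes the tuple layout proto_srcaddr[_dstport] from the reply, the IPCH value quoted from ipfilter.conf in the other reply in this thread, eth0 as EXTERN_IF (the interface in the log line), and compares the source address exactly (a mask on it is ignored, since the post uses a single host). The sample log line is constructed from the one in the original post.

```sh
#!/bin/sh
# Added example, not DCD's own code: render a SILENT_DENY tuple as the
# ipchains rule it stands for, and test a tuple against a kernel packet-log
# line so that the source-port/destination-port mix-up is visible.
# Assumed tuple layout, from the reply:
#   protoNameOrNumber_sourceAddress[/mask][_destinationPort]
# The mask on the source address is ignored here. IPCH and EXTERN_IF are
# the values quoted from ipfilter.conf and the log line.

IPCH="/sbin/ipchains --no-warnings"
EXTERN_IF=eth0

proto_number() {            # names the posts use; numbers pass through
    case "$1" in tcp) echo 6 ;; udp) echo 17 ;; icmp) echo 1 ;; *) echo "$1" ;; esac
}

# render_silent_deny TUPLE: the non-logging DENY rule (no -l flag, so the
# packet never reaches the log). Returns 1 for a wrong field count.
render_silent_deny() {
    oldifs=$IFS; IFS=_; set -- $1; IFS=$oldifs
    case $# in
        2) printf '%s -I input -j DENY -p %s -s %s -i %s\n' \
               "$IPCH" "$1" "$2" "$EXTERN_IF" ;;
        3) printf '%s -I input -j DENY -p %s -s %s -d 0/0 %s -i %s\n' \
               "$IPCH" "$1" "$2" "$3" "$EXTERN_IF" ;;
        *) return 1 ;;
    esac
}

# parse_packet_log LINE: print "proto srcip srcport dstip dstport" from an
# ipchains "Packet log:" line; returns 1 if no PROTO= field is present.
parse_packet_log() {
    set -- $1
    while [ $# -gt 2 ]; do
        case $1 in
            PROTO=*) echo "${1#PROTO=} ${2%:*} ${2##*:} ${3%:*} ${3##*:}"; return 0 ;;
        esac
        shift
    done
    return 1
}

# tuple_matches_log TUPLE LINE: 0 if the tuple would have matched the logged
# packet. The tuple's third field is compared with the packet's DESTINATION
# port, which is what the "-d 0/0 PORT" part of the rule matches.
tuple_matches_log() {
    pkt=$(parse_packet_log "$2") || return 2
    set -- "$1" $pkt           # tuple proto srcip srcport dstip dstport
    lproto=$2; lsrc=$3; ldport=$6
    oldifs=$IFS; IFS=_; set -- $1; IFS=$oldifs
    [ "$1" = all ] || [ "$(proto_number "$1")" = "$lproto" ] || return 1
    [ "${2%%/*}" = "$lsrc" ] || return 1
    [ -z "${3:-}" ] || [ "$3" = "$ldport" ] || return 1
    return 0
}

# Constructed from the log line in the original post (syslog prefix dropped).
LOG='Packet log: input DENY eth0 PROTO=17 10.8.238.1:67 255.255.255.255:68 L=328 S=0x00 I=30881 F=0x0000 T=255 (#10)'
for t in udp_10.8.238.1_67 udp_10.8.238.1_68 17_10.8.238.1_68 all_10.8.238.1; do
    if tuple_matches_log "$t" "$LOG"; then echo "$t: matches"; else echo "$t: does NOT match (67 is the source port)"; fi
done
render_silent_deny udp_10.8.238.1_68
```

The loop reports that only the "_67" tuple misses the logged packet. For the hand-written broadcast rule from the other reply ("-d 255.255.255.255 -i $EXTERN_IF"), the network.conf posted in the March 2002 message above shows where DCD picks such extra rules up: IPCH_IN=/etc/ipchains.input, alongside IPCH_FWD and IPCH_OUT.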




RE: [Leaf-user] silent_deny not working

2002-02-12 Thread Doug Sampson

>
> I maintain that this is the cleanest solution:
>
>   
>

I've copied your proposed solution here for reference.

# cat /etc/ipchains.input
 $IPCH -I input -j DENY -p all -s 0/0 -d 255.255.255.255 -i $EXTERN_IF


Exactly what does the ipchain statement say?  Exactly what does it deny?
Obviously I'm not at all familiar with ipchaining...  and I want to understand
it fully before I implement it...

~Doug




[Leaf-user] silent_deny not working

2002-02-12 Thread Doug Sampson

Awhile ago was a post to this newsgroup about repeat entries in the message
logs by a DHCP server as follows:

Feb 12 16:18:00 CX269409-C kernel: Packet log: input DENY eth0 PROTO=17
10.8.238.1:67 255.255.255.255:68 L=328 S=0x00 I=30881 F=0x T=255 (#10)

I'm on a Cox Communication network and this looks like a DHCP server sending
out broadcast packets.  The post earlier said to put udp_10.8.238.1_67 after
the SILENT_DENY variable in network.conf as follows:

SILENT_DENY="udp_10.8.238.1_67"

Even with that in, the logs are still filling up.  After 30 minutes the logs
show approximately 2,500 of these!

Am running DCD 102.  What am I missing?

~Doug




RE: [Leaf-user] SSH access error

2002-02-12 Thread Doug Sampson

I noticed two entries for sshd in the back up menu of LRCFG.  I changed the
first entry's backup destination back to /dev/cdrom leaving the other entry
pointing to the dev/fd0u1680 as its backup destination.  Upon rebooting, sshd
loaded correctly and now I am able to ssh in from my Windoze machine!

I did not have to add an entry in the hosts.allow file as Guitarlynn
suggested.  I did not regenerate the keys- I merely used the ones that were
originally generated.  This means that root.lrp does not have to be backed up
after the keys are generated- only the local configuration file of the
sshd.lrp.

Now that I have conquered the ssh thing (hurrah for this newb!), on to the
silent_deny issue!  Which will be in the next post from me!

~Doug


> >
> > I have /usr/sbin/sshd in my ps ax, so as I thought, you are _not_
> > loading the package. Check the "lrpkg.cfg" file on your floppy.
> > The "lrpkg.cfg" file overrides the "LRP=" line in "syslinux.cfg".
> > You will also need to add this line to /etc/hosts.allow:
> > sshd: 192.168.1 127.
>
> I already have the config file listed in the lrpkg.cfg file.
> However I had
> appended ":R" to it- i.e. sshd:R.  I took the :R parameter
> out and rebooted.
> Upon rebooting it reports as follows:
>
> sshd  dev/cdrom dev/fd0u1680 (nf!)
>
> I don't understand why I have to specify sshd: 192.168.1.xxx in the
> /etc/hosts.allow file when it contains ALL:
> 192.168.1.0/255.255.255.0?  This
> line exists in DCD's default hosts.allow file.
>
> >
> > > Am backing up sshd.lrp partially as described in Steinkuehler's
> > > README.txt documentation on the LRP-CD.  Do I need to back up the
> > > root.lrp as well as the sshd.lrp each time a new key is generated?
> >
> > I didn't have any luck with that, but I am also running a
> stand-alone
> > cd, so I can't say for sure. I always backup both to make sure,
> > someone else might shed better light on this for me.
>
> Looks like I have to regenerate the keys and back up root.lrp
> as well as
> sshd.lrp, eh?
>
> ~Doug
>
>
>
> ___
> Leaf-user mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/leaf-user
>




RE: [Leaf-user] SSH access error

2002-02-12 Thread Doug Sampson

>
> I have /usr/sbin/sshd in my ps ax, so as I thought, you are _not_
> loading the package. Check the "lrpkg.cfg" file on your floppy.
> The "lrpkg.cfg" file overrides the "LRP=" line in "syslinux.cfg".
> You will also need to add this line to /etc/hosts.allow:
>   sshd: 192.168.1 127.

I already have the config file listed in the lrpkg.cfg file.  However I had
appended ":R" to it- i.e. sshd:R.  I took the :R parameter out and rebooted.
Upon rebooting it reports as follows:

sshd  dev/cdrom dev/fd0u1680 (nf!)

I don't understand why I have to specify sshd: 192.168.1.xxx in the
/etc/hosts.allow file when it contains ALL: 192.168.1.0/255.255.255.0?  This
line exists in DCD's default hosts.allow file.

>
> > Am backing up sshd.lrp partially as described in Steinkuehler's
> > README.txt documentation on the LRP-CD.  Do I need to back up the
> > root.lrp as well as the sshd.lrp each time a new key is generated?
>
> I didn't have any luck with that, but I am also running a stand-alone
> cd, so I can't say for sure. I always backup both to make sure,
> someone else might shed better light on this for me.

Looks like I have to regenerate the keys and back up root.lrp as well as
sshd.lrp, eh?

~Doug
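The hosts.allow question above is a pattern-matching question: does "ALL: 192.168.1.0/255.255.255.0" already admit sshd from the LAN, and what does the suggested "sshd: 192.168.1 127." line add? The shell script below is an added example, not from the posts and not tcp_wrappers' own code; it models the client-pattern rules of hosts_access(5) (net/mask, a prefix ending in a dot, ALL, or an exact address) and runs them over constructed hosts.allow content made from the two lines quoted in this thread. Hostnames, EXCEPT, wildcards and hosts.deny are left out.

```sh
#!/bin/sh
# Added example, not from the posts and not tcp_wrappers' own code: a small
# model of /etc/hosts.allow matching, following the client-pattern rules in
# hosts_access(5): "net/mask", a prefix ending in ".", "ALL", or an exact
# address. Hostnames, EXCEPT, wildcards and hosts.deny are left out, so this
# answers only "does some hosts.allow line grant DAEMON to ADDR".

# ip_to_int A.B.C.D: the address as a decimal integer
ip_to_int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# client_matches PATTERN ADDR: 0 if one client pattern covers ADDR
client_matches() {
    case $1 in
        */*)   net=$(ip_to_int "${1%%/*}"); mask=$(ip_to_int "${1##*/}")
               [ $(( $(ip_to_int "$2") & mask )) -eq $(( net & mask )) ] ;;
        *.)    case $2 in "$1"*) return 0 ;; *) return 1 ;; esac ;;
        ALL)   return 0 ;;
        *)     [ "$1" = "$2" ] ;;   # no trailing dot: must match exactly
    esac
}

# allowed_by_hosts_allow DAEMON ADDR CONTENT: 0 if a "daemon_list : client_list"
# line in CONTENT names DAEMON (or ALL) and one of its clients covers ADDR
allowed_by_hosts_allow() {
    daemon=$1; addr=$2
    while IFS= read -r line; do
        line=${line%%#*}
        case $line in *:*) ;; *) continue ;; esac
        daemons=$(printf %s "${line%%:*}" | tr , ' ')
        clients=$(printf %s "${line#*:}" | tr , ' ')
        for d in $daemons; do
            [ "$d" = ALL ] || [ "$d" = "$daemon" ] || continue
            for c in $clients; do
                client_matches "$c" "$addr" && return 0
            done
        done
    done <<EOF
$3
EOF
    return 1
}

# DCD's default line, as quoted in the post, and the suggested sshd line
# (constructed file contents for this example).
DEFAULT_ALLOW='ALL: 192.168.1.0/255.255.255.0'
SUGGESTED_LINE='sshd: 192.168.1 127.'

for addr in 192.168.1.5 127.0.0.1 68.7.207.40; do
    if allowed_by_hosts_allow sshd "$addr" "$DEFAULT_ALLOW"; then
        echo "sshd from $addr: granted by the default ALL line"
    else
        echo "sshd from $addr: not granted by the default ALL line"
    fi
done
```

Run as is, the default line grants sshd from 192.168.1.5 (ALL covers every daemon, so no sshd-specific line is needed for the LAN) and not from 127.0.0.1 or the outside address. The suggested line adds loopback through the "127." prefix; its "192.168.1" entry has no trailing dot, so under hosts_access(5) it is an exact address string and covers no host on that network. Separately, PuTTY's "connection refused" is a TCP reset, which means nothing was listening on the port; tcp_wrappers can only reject after the connection has been accepted, so the missing sshd in the ps output is the place to look, which is where this thread ended up.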




[Leaf-user] SSH access error

2002-02-12 Thread Doug Sampson

I guess I should say that I am quite familiar with SSH in general.

I am unsure whether I should copy the public key from the sshd server to the
client.  Or whether I should enable SSH1 or SSH2 authentication on the client
machine.

I worked on an Eigerstein set-up in the past and it was relatively simple to
set up SSH on that machine.  I did not copy the key over to the client machine
nor did I make any changes to the client configuration.  Unfortunately it
isn't so simple with this Dachstein CD set-up...  But then I've only set up
SSH once before.

Any pointers or tips would be greatly appreciated.

~Doug


[Leaf-user] SSH access error

2002-02-12 Thread Doug Sampson

Running DCD 102 booting off a floppy using openssh 3.0p1.

When I attempt to ssh into the DCD router from the local network using the
latest puTTY client, I receive the following error message:

Network error: connection refused.

The hosts.allow file allows access from the local network as follows:

ALL: 192.168.1.0/255.255.255.0

ps aux shows the following:

  PID  Uid      Stat Command
    1 root     S    init
    2 root     S    [kflushd]
    3 root     S    [kupdate]
    4 root     S    [kswapd]
    5 root     S    [keventd]
    6 root     S    [mdrecoveryd]
 1086 root     S    /usr/sbin/dhclient eth0
 1275 root     S    /sbin/syslogd -m 240
 1277 root     S    /sbin/klogd
 1281 root     S    /usr/sbin/inetd
 1285 root     S    /usr/sbin/watchdog
 1288 root     S    /usr/sbin/cron
 1309 tinydns  S    /usr/bin/tinydns
 1334 dnscache S    /usr/bin/dnscache
 1335 root     S    -sh
 1336 root     S    /sbin/getty 38400 tty2
 2331 sh-httpd S    sh /usr/sbin/sh-httpd
 2367 sh-httpd S    sh /var/sh-www/cgi-bin/viewsys
 2368 sh-httpd S    sleep 1
 2369 sh-httpd S    cat
 2370 sh-httpd S    sh /var/sh-www/cgi-bin/viewsys
 2447 sh-httpd R    ps aux

I don't see any entry for the sshd daemon.

I followed the instructions in the DCD documentation for generating the keys
and made a partial backup.  But no dice.

What am I missing here?

~Doug







[Leaf-user] Extended scripts to DachStein CD-3?

2001-11-01 Thread Doug Sampson

I have DachStein CD RC-3 up and running.  However, it's set for only 2 NICs.
I'd like to add a third NIC for a DMZ.  Could the extended script from the
Eigerstein/Materhorn releases be successfully applied to the DachStein CD
setup?  Any caveats or gotchas?

I seem to recall something on this list related to the extended script being
applied to the DachStein CD version but it has been a while ago.

~Doug


_|_|_|_| Doug Sampson
_|_|_|_| Director of Information Technology
_|_|_|_| Dawn Sign Press
_|_|_|_| dougs (at) dawnsign.com



[Leaf-user] Squid for Dachstein/E2B?

2001-10-25 Thread Doug Sampson

Is there a squid.lrp for the Dachstein release or the Eigerstein2Beta
release?  I see there is one for Oxygen but using Oxygen is way over my head
as I'm a Linux newbie.

I have 30 users in this company and we're using a Pentium/90 with 32 MB of
RAM.  Will this be adequate to support this number of users using Squid as a
web proxy?

~Doug

_|_|_|_| Doug Sampson
_|_|_|_| Director of Information Technology
_|_|_|_| Dawn Sign Press
_|_|_|_| dougs (at) dawnsign.com

