RE: [leaf-user] Save Zebra config fails

2003-12-16 Thread Eric B Kiser
Wim,

Glad to be of service. Please let us know if you run into any other
snags.

Eric Kiser

 -Original Message-
 From: Wim Acke [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, December 16, 2003 3:37 PM
 To: Eric B Kiser; [EMAIL PROTECTED];
[EMAIL PROTECTED]
 Subject: RE: [leaf-user] Save Zebra config fails
 
 Eric and Eric,
 
 Thanks for your quick responses !
 I tried again today, and suddenly everything is working fine ?! Probably
 the problem was indeed caused by a full ram filesystem yesterday, since I
 was testing with lots of logging active at that time (which I switched off
 now...).  I didn't check with 'df' at that time.
 
 Thanks again for your replies.
 
 Best regards,
 
 Wim
 
 -Original Message-
 From: Eric B Kiser [mailto:[EMAIL PROTECTED]
 Sent: dinsdag 16 december 2003 5:01
 To: 'Wim Acke'; [EMAIL PROTECTED]
 Subject: RE: [leaf-user] Save Zebra config fails
 
 
 Hi Wim,
 
 The command you are using to back-up the configuration was built based on
 the idea of working with a standard distribution of either Linux or *BSD.
 Where the OS, applications, etc. are stored on a hard drive and are running
 in RAM. When making modifications to the configuration through the CLI you
 are modifying the running configuration in RAM and when you save those
 changes to startup the changes are saved to the *.conf files on the hard
 drive.
 
 LEAF distros work a little differently. When you boot from the floppy the
 OS, applications, etc. are uncompressed and written to a RAM drive and then
 your system starts up by loading what it needs into your remaining RAM.
 
 Having said that, on a box running Bering uClibc, when you modify the
 running configuration you are moding what is in RAM. When you save to
 startup you are moding what is stored in the RAM drive based on the config
 that is currently in RAM. This would only be read if you then stopped and
 restarted the service. If you then want the router to be able to reboot
 from the floppy you would need to backup /etc from the backup menu. This
 takes all of the changes made to files under /etc and writes them down to
 disk from the RAM drive.
 
 On the other hand, if you are saying that commands issued from the CLI are
 not successfully modifying the appropriate *.conf file in the RAM drive
 there is another problem. Before I open that can of worms please respond
 to the list and let us know if this solved your problem.
 
 Regards,
 Eric Kiser
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:leaf-user-
  [EMAIL PROTECTED] On Behalf Of Wim Acke
  Sent: Monday, December 15, 2003 4:20 PM
  To: [EMAIL PROTECTED]
  Subject: [leaf-user] Save Zebra config fails
 
  Hi,
 
  I'm experimenting with Bering uClibc and the Zebra package.
  When I try to save the ospfd configuration from the vty (with 'write' or
  'copy running-config startup-config'), I get the message Configuration
  save to /etc/zebra/ospfd.conf.  But when I check this file, it is still
  the default one, so it seems nothing is saved.
 
  Am I doing something wrong ?  Any suggestions ?
 
  Thanks,
 
  Wim
 
 
 
  leaf-user mailing list: [EMAIL PROTECTED]
  https://lists.sourceforge.net/lists/listinfo/leaf-user
  SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html





[leaf-user] RE: [leaf-devel] Bering: time to hand on the torch ...

2003-12-08 Thread Eric B Kiser
Jacques,

It is with great respect and appreciation that I say, thank you for all
of your hard work on behalf of the LEAF-Project. You will be missed.

Best regards,
Eric Kiser

 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:leaf-devel-
 [EMAIL PROTECTED] On Behalf Of Jacques Nilo
 Sent: Monday, December 08, 2003 4:30 PM
 To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
 Subject: [leaf-devel] Bering: time to hand on the torch ...
 
 Dear folks
 After quite some years spent working on LEAF, most of them dedicated to
 the Bering variant, I realise that the time I can spend on the project is
 diminishing every day. I have therefore decided to follow one of the many
 good principles from Eric Raymond's seminal paper (The cathedral and the
 Bazaar):
 
 When you lose interest in a program, your last duty to it is to hand it
 off to a competent successor.
 
 Eric Wolzak, my Bering fellow from the beginning in this project, will from
 now on take over the responsibility of pursuing the Bering project on his
 own.
 
 I am sure there are now many knowledgeable people around who will bring
 fresh ideas and energy. And the doc is still around :-)
 
 It has been a real pleasure to work with such a nice community
 
 Long life to the LEAF project !
 
 Cheers
 
 Jacques
 
 
 
 ___
 leaf-devel mailing list
 [EMAIL PROTECTED]
 https://lists.sourceforge.net/lists/listinfo/leaf-devel




RE: [leaf-user] VPN security issue? Slightly O/T...

2003-07-29 Thread Eric B Kiser
Well said, thanks George.

Eric

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:leaf-user-
 [EMAIL PROTECTED] On Behalf Of George Metz
 Sent: Tuesday, July 29, 2003 9:56 AM
 To: Craig Caughlin
 Cc: LEAF (LEAF)
 Subject: Re: [leaf-user] VPN security issue? Slightly O/T...
 
 Craig Caughlin wrote:
  Hi Eric,
  Thanks for the response. I think I'm like Alex, I don't quite understand
  what you mean when you say "Then the entire Internet gets access to the
  other side of your VPN without having to compromise your system." Could
  you explain that a little bit? Thank you.
 
 It's fairly straightforward. Let's say you've got a machine on the
 internet with nothing between you and the 'net. You're running with a
 public IP(I'm gonna use a private, so just pretend) of 172.16.8.1 on
 your machine, and you're connected to a VPN. Routing is also turned on
 on this particular machine.
 
 I'm a bit rusty on my Linux routing statements, but on a Cisco, the
 way you'd do it is:
 
 ip route 0.0.0.0 0.0.0.0 172.16.8.1
 ip route 172.16.8.1 255.255.255.255 192.168.1.1
 
 Where the 192.168 address is the far side of your WAN connection. This
 provides a route to your machine, and tells the cisco to send ALL
 traffic to your machine for routing. After that it's a fairly
 straightforward issue to run an ICMP scan with a relatively low
 timeout setting on the 10/8, 172.16/12, and 192.168/16 IP blocks until
 you find a valid IP, then work on that area of the block and play with
 someone's corporate LAN.
 
 So yeah, this can be a really, REALLY big security hole.
 
 Just one thing; if you can browse while connected to a VPN, make
 CERTAIN that you're not browsing THROUGH the VPN before you go getting
 all panicky. It's certainly a strong likelihood, and AFAIK there's
 relatively little chance of the hole you're referring to from
 happening. (IOW, browsing on your public connection while connected
 via VPN.)
 
 George Metz
 
 
 

RE: [leaf-user] VPN security issue? Slightly O/T...

2003-07-29 Thread Eric B Kiser
Alex,

Most modern IPsec clients have better security than they used to. There was
a time that if your company was using public addresses internally ...and
a remote client had a VPN connection across the Internet ...and said
remote client also was inadvertently configured to route traffic from
the internet across the VPN ...and someone knew enough to target you.

It was (and still is) possible to get into the company network that way.
I realize that the chances of this happening are extremely remote. I
have, however, witnessed this very thing while working for Ascend
communications. Thankfully FreeS/WAN is a much better product and public
addresses are not as commonly used internally as they once were.

Assuming that you are using private addressing internally and assuming
that your ISP is filtering the RFC 1918 addresses, then yes the next-hop
should be the extent of the threat. This threat, however, can be
mitigated by good fire-walling practices.

Best Regards,

Eric In the grip of paranoia. Kiser

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:leaf-user-
 [EMAIL PROTECTED] On Behalf Of Lynn Avants
 Sent: Tuesday, July 29, 2003 6:38 PM
 To: [EMAIL PROTECTED]
 Subject: Re: [leaf-user] VPN security issue? Slightly O/T...
 
 On Tuesday 29 July 2003 04:53 pm, Alex Rhomberg wrote:
   It's fairly straightforward. Let's say you've got a machine on the
   internet with nothing between you and the 'net. You're running with a
   public IP(I'm gonna use a private, so just pretend) of 172.16.8.1 on
   your machine, and you're connected to a VPN. Routing is also turned on
   on this particular machine.
 
  I still don't get it: Let's say I have the setup you described, with
  192.168.1.0/24 being my VPN. You're sitting on the other side of the
  Internet, say 10 hops away. How can you send a packet to 192.168.1.1? Is
  there a standard tunneling method that is always activated? The 10 hops
  on the way would all drop a packet sent to 192.168.1.1.
 
  Wouldn't the cryptic commands you described only work on my next hop,
  i.e. the ISPs router? This would reduce the number of people who can get
  at my VPN quite significantly (ISP admins instead of whole Internet)
 
 The private addressing sent via the tunnel is encapsulated and encrypted
 under the public ip address of the VPN gateway. Nothing outside of the VPN
 gateways (ie... internet) would have any idea that any private addressing
 is attached to these packets.
 
 To further the earlier question of using both VPN and internet access at
 the same time. you can't run a VPN w/o internet access can you? :)
 In all cases, the proper routing is needed for *any* VPN to work properly.
 Improper routing is the security risks that would be commonly found,
 though FreeS/WAN makes this setup extremely simple (built-in).
 --
 ~Lynn Avants
 Linux Embedded Appliance Firewall Developer
 http://leaf.sourceforge.net
 http://guitarlynn.homelinux.org:81
 
 

RE: [leaf-user] VPN security issue? Slightly O/T...

2003-07-28 Thread Eric B Kiser
It gets even worse if routing is turned ON. Then the entire Internet
gets access to the other side of your VPN without having to compromise
your system.

Regards,
Eric

-
Eric B Kiser, CISSP
VP of Information Technology
NetOps Training Solutions
-

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:leaf-user-
 [EMAIL PROTECTED] On Behalf Of Scott
 Sent: Monday, July 28, 2003 6:47 PM
 To: Craig Caughlin; LEAF (LEAF)
 Subject: Re: [leaf-user] VPN security issue? Slightly O/T...
 
 The only thing I can think of is if the given box's connection has been
 compromised, then the attacker would also have access to the systems on
 the other side of the VPN.
 
 
 
 - Original Message -
 From: Craig Caughlin [EMAIL PROTECTED]
 To: LEAF (LEAF) [EMAIL PROTECTED]
 Sent: Monday, July 28, 2003 3:35 PM
 Subject: [leaf-user] VPN security issue? Slightly O/T...
 
 
  Hi folks,
  I seem to remember a while back reading somewhere (likely either here at
  the newsgroup or perhaps a Microsoft security bulletin?) that it's a
  SIGNIFICANT security problem if you have an active VPN connection on a
  given box and can browse the internet at the same time. It was my
  understanding that either one is fine...but not both at the same time.
  Does this sound familiar to anyone? I also don't remember why it posed
  such a gaping security problem, per se. Comments???
 
  Thank you,
  Craig
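
A defensive check for the condition discussed in the VPN messages above (a VPN client that also has IP forwarding turned on), as an added example that is not from any poster in this thread. It parses the Linux /proc/net/route format and the ip_forward flag; the sample route tables, the tunnel-name prefixes and all function names are constructed assumptions.

```python
import ipaddress
from collections import namedtuple

# Assumption: interface-name prefixes treated as VPN tunnels (ipsec0 is the
# FreeS/WAN KLIPS device; the others are common tunnel device names).
TUNNEL_PREFIXES = ("ipsec", "tun", "tap", "ppp", "wg")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RTF_UP = 0x1

Route = namedtuple("Route", "iface net gateway")


def _addr(hexword):
    # /proc/net/route prints each address as a host-order hex word; on a
    # little-endian machine (assumed here) the bytes come out reversed.
    return ipaddress.IPv4Address(bytes.fromhex(hexword)[::-1])


def parse_routes(text):
    """Parse the text of /proc/net/route into Route tuples (up routes only)."""
    routes = []
    for line in text.strip().splitlines()[1:]:       # skip the header row
        f = line.split()
        if len(f) < 8 or not int(f[3], 16) & RTF_UP:
            continue
        prefix = bin(int(_addr(f[7]))).count("1")    # netmask -> prefix length
        net = ipaddress.IPv4Network((int(_addr(f[1])), prefix), strict=False)
        routes.append(Route(f[0], net, _addr(f[2])))
    return routes


def _is_tunnel(route):
    return route.iface.startswith(TUNNEL_PREFIXES)


def audit(ip_forward_text, route_text):
    """Return findings for one host from its ip_forward flag and route table."""
    routes = parse_routes(route_text)
    tunnel = [r for r in routes if _is_tunnel(r)]
    clear = [r for r in routes if not _is_tunnel(r) and r.iface != "lo"]
    forwarding = ip_forward_text.strip() == "1"
    return {
        "tunnel_ifaces": sorted({r.iface for r in tunnel}),
        # Default route leaves outside the tunnel while the VPN is up.
        "split_tunnel": bool(tunnel) and any(r.net.prefixlen == 0 for r in clear),
        # The kernel will route between the clear-side interface and the
        # tunnel unless a firewall FORWARD policy stops it.
        "transit_risk": forwarding and bool(tunnel) and bool(clear),
        # Tunnel destinations outside RFC 1918 space, which ISPs do not filter.
        "public_behind_tunnel": [
            str(r.net) for r in tunnel
            if r.net.prefixlen and not any(r.net.subnet_of(p) for p in RFC1918)
        ],
    }


HEADER = "Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT\n"

# Constructed sample: default route via eth0, two networks behind ipsec0
# (192.168.1.0/24 and 198.51.100.0/24, the latter standing in for public space).
SPLIT_TABLE = HEADER + """\
eth0   00000000 FE0810AC 0003 0 0 0 00000000 0 0 0
eth0   000810AC 00000000 0001 0 0 0 00FFFFFF 0 0 0
ipsec0 0001A8C0 00000000 0001 0 0 0 00FFFFFF 0 0 0
ipsec0 006433C6 00000000 0001 0 0 0 00FFFFFF 0 0 0
"""

# Constructed sample: everything, including the default route, uses the tunnel.
FULL_TABLE = HEADER + """\
ipsec0 00000000 00000000 0001 0 0 0 00000000 0 0 0
eth0   000810AC 00000000 0001 0 0 0 00FFFFFF 0 0 0
"""

if __name__ == "__main__":
    # On a live Linux host, pass the contents of /proc/sys/net/ipv4/ip_forward
    # and /proc/net/route instead of the constructed samples.
    for name, fwd, table in (("split+forwarding", "1\n", SPLIT_TABLE),
                             ("full tunnel", "0\n", FULL_TABLE)):
        print(name, audit(fwd, table))
```
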
 
 
 
 

RE: [leaf-user] Bering/Dachstien/writein on HD (was Is there a way to install Bering on HD)

2003-07-24 Thread Eric B Kiser
Dr. Tibbs,

Debian, RedHat, or any version of Linux or BSD would be perfectly fine
for what you are doing. In fact, as much as I would rather continue to
champion LEAF, for your situation it would probably be easier in the
long run for you to choose whatever OS is going to be most familiar to
you and your class. That way they do not have to learn the specifics of
configuring LEAF when what they are really trying to do is learn routing
protocols.

On the other hand, if you had a huge amount of time for development and
documentation (or some grad students to abuse) you could use User Mode
Linux with the latest Bering and Zebra to produce a virtual environment
that would allow each student to create multiple routing environments on
a single physical system and then connect the physical systems together
through multiple physical interfaces. Very sleek stuff!

If you do intend to continue with using LEAF then I would recommend
Bering. It has the greatest user base to provide you with answers to any
questions that you might have.

Also, here is a bit of zebra stuff that might help you make the
decision. There are actually three versions of Zebra:

ZebOS - A commercial version developed by IP Infusion which was founded
by Kunihiro Ishiguro, the original creator of the Zebra Routing Engine.
Their version is supposed to be exceptionally feature rich (such as MPLS
support) and stable enough for the most grueling of production
environments. As a learning institution this could be an avenue for you.
Check www.ipinfusion.com.

Zebra - This is the GPL version of the ZebOS software. Sometime ago
there was a split with ZebOS being developed primarily by IP Infusion
internal programmers and Zebra being developed by the Internet
community. The only real maintainer of Zebra is Kunihiro himself. Having
a profitable company to run, he is notoriously bad about putting out new
stable releases and in the past many good patches took for ever to be
accepted if they were not forgotten outright.

Zebra-PJ - So named by the Zebra mailing list since it has been
maintained by Paul Jakma. Over the last six months this version has
become the standard. It even just recently got its own Debian package
maintainer. It is also the version that is currently recommended on the
Zebra mailing list.

Having said all of this, my zebra.lrp packages are based on the standard
Zebra release NOT Zebra-PJ and I DO recommend using the latest
release of Zebra-PJ.

Hopefully, in the near future, work will allow me the time to get these
packages updated, however, that is at least three months out.

If you have any further questions please do not hesitate to ask.

Respectfully,
Eric

-
Eric B Kiser, CISSP
VP of Information Technology
NetOps Training Solutions
-

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:leaf-user-
 [EMAIL PROTECTED] On Behalf Of Dr. Richard W. Tibbs
 Sent: Thursday, July 24, 2003 10:39 AM
 To: [EMAIL PROTECTED]
 Subject: [leaf-user] Bering/Dachstien/writein on HD (was Is there a way
 to install Bering on HD)
 
 List,
 Thank you all for your advice.  Someone advised to simply install debian
 with such a generous hard drive.
 I thought the capabilities of the LEAF variants (having descended from
 LRP) made them attractive for router applications.
 If debian or Red Hat would do just as well, I may as well use that.
 My intentions, FWIW, are to teach a class in configuring BGP and OSPF
 using zebra.lrp.
 Are there any advantages/disadvantages to Bering as opposed to Dachstein
 or other distribs for this purpose?
 
 Thanks,
 Rick.
 
 
 

RE: [leaf-user] wisp-dist zebra ripd routing and multiple IP addresses per interface

2003-02-28 Thread Eric B Kiser
Hello J.

Use of the Zebra Routing Engine is not very widespread in the leaf
project (yet...).
The best place to pose this question would be the zebra mailing list.
Here is the link to subscribe. http://www.zebra.org/mailing.html

Best Regards,
Eric Kiser


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of wispdist
Sent: Wednesday, February 26, 2003 1:03 PM
To: Leaf-user
Subject: [leaf-user] wisp-dist zebra ripd routing and multiple IP
addresses per interface


I found that the zebra ripd only sends out routing info referencing the
source as the primary address / subnet on the interface it is running on.

Therefore, if you connect two routers running just the ripd and they are
connected to each other on a subnet that is a secondary subnet on both
interfaces, no routes will propagate.

In order for routes to propagate, both interfaces must have an IP address
that exists in the Primary subnet of the other interface.

Also, routes can propagate in only one direction if one interface is running
on the Primary address/subnet and the other on the Secondary.

Example:
Routers A and B are connected to each other via their eth0 interfaces.
router A :  eth0: 10.0.0.1/24, 172.16.0.1/24

router B:  eth0:  192.168.1.1/24, 10.0.0.2/24

Note that router B's Secondary IP address of 10.0.0.2/24 exists on the
subnet of the Primary IP address of 10.0.0.1/24 on Router A

Now, routes from router A will propagate to router B
But, routes from router B WILL NOT propagate to router A.

Now this is OK as long as router A is the downstream router supplying router
B and router B's default gateway is router A.  But routes will become
unreachable by some on the network if it is the other way around.

If anyone has found out anything additional or find an error in my analysis,
please respond.

J.
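
The behaviour reported in the post above, modelled as an added example (it is not Zebra's code and not part of the original post). It goes one step past the post by enumerating which choice of primary address on each router gives two-way propagation; the acceptance rule in hears() is the post's description taken as an assumption, and all function names are hypothetical.

```python
import ipaddress
from itertools import product


def iface(*cidrs):
    """Addresses configured on one interface; the first one is the primary."""
    return [ipaddress.ip_interface(c) for c in cidrs]


def hears(receiver, sender):
    """True if receiver accepts sender's RIP updates under the described rule.

    Assumed rule (from the post): updates are sourced from the sender's
    primary address, and the receiver only accepts a source that lies in one
    of the subnets configured on its own interface.
    """
    source = sender[0].ip
    return any(source in addr.network for addr in receiver)


def propagation(a, b):
    """Which direction(s) routes flow between routers a and b."""
    return {"a_to_b": hears(b, a), "b_to_a": hears(a, b)}


def primaries_that_fix(a, b):
    """Every (primary on a, primary on b) choice giving two-way propagation."""
    good = []
    for pa, pb in product(a, b):
        # Re-order each address list so the candidate becomes the primary.
        ra = [pa] + [x for x in a if x != pa]
        rb = [pb] + [x for x in b if x != pb]
        if all(propagation(ra, rb).values()):
            good.append((str(pa), str(pb)))
    return good


# The example from the post: eth0 on each router, primary address first.
ROUTER_A = iface("10.0.0.1/24", "172.16.0.1/24")
ROUTER_B = iface("192.168.1.1/24", "10.0.0.2/24")

# Constructed case for the first claim: the shared subnet is secondary on both.
ROUTER_C = iface("172.16.0.1/24", "10.0.0.1/24")
ROUTER_D = iface("192.168.1.1/24", "10.0.0.2/24")

if __name__ == "__main__":
    print("A/B as posted:      ", propagation(ROUTER_A, ROUTER_B))
    print("shared is secondary:", propagation(ROUTER_C, ROUTER_D))
    print("primaries that fix A/B:", primaries_that_fix(ROUTER_A, ROUTER_B))
```
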






RE: [leaf-user] Unable to run linuxuml Virtual Router

2002-12-05 Thread Eric B Kiser
Hi Derek,

This usually happens because you are using an incompatible version of UML
Utilities. Here is the site to get the version you need:
http://user-mode-linux.sourceforge.net/dl-sf.html. The trick here is to find
the version that works. Try to choose the one that has the date code that is
closest to the date code for the kernel patch that you are using.

If you are using kernel 2.4.18-45 try using uml_utilities_20020729.tar.bz2.
If this does not work for you then it will be a matter of testing different
UML utilities until you find the one that works for you.

Best of luck and let us know how it turns out.
Regards,
Eric Kiser



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Derek
Jennings
Sent: Wednesday, December 04, 2002 7:08 PM
To: [EMAIL PROTECTED]
Subject: [leaf-user] Unable to run linuxuml Virtual Router


Hi
It is probably me doing something idiotic, but I am having trouble running
Bering_1.0-stable_img_bering_1680.bin in the linuxuml-2.4.18-45 Virtual
environment.

I have followed Jacques Nilo's instructions, and can successfully create the
Bering_fs file system, but when I run my startuml script I get this output
in my xterm.

early stuff SNIPPED

RAMDISK driver initialized: 16 RAM disks of 4096K size 1024 blocksize
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP, IGMP
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 2048 bind 2048)
Linux IP multicast router 0.06 plus PIM-SM
ip_conntrack version 2.0 (256 buckets, 2048 max) - 312 bytes per conntrack
ip_tables: (C) 2000-2002 Netfilter core team
NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
Initializing software serial port version 1
mconsole (version 2) initialized on /home/leafuml/.uml/YEarYZ/mconsole
unable to open root_fs for validation
UML Audio Relay
Initializing stdio console driver
RAMDISK: Compressed image found at block 0
Freeing initrd memory: 401k freed
VFS: Mounted root (minix filesystem).
LINUXRC: Bering - Initrd - V1.0-stable
Mounting a 6M TMPFS filesystem...
LINUXRC: Could not mount the boot device. Can't install packages.
Kernel panic: Attempted to kill init!


My startuml script looks like :-
#!/bin/sh
./linuxuml-2.4.18-45 udb0=Bering_fs initrd=initrd.lrp root=/dev/ram0 init=/linuxrc \
 boot=/dev/udb0:minix PKGPATH=/dev/udb0 devfs=nomount LRP=root,etc,local,log,modules,shorwall

Any suggestions would be welcome.

derek







RE: [leaf-user] zebra ospf routing problem

2002-11-27 Thread Eric B Kiser
Hi Jay,

This question is probably best posed to the zebra mailing list. You can
register for that here: http://www.zebra.org/mailing.html.

You did not say what version of ospfd you are using but I would definitely
recommend getting at least the latest standard release, zebra-0.93b. If you
want to build your own package the tarball is located here:
ftp://ftp.zebra.org/pub/zebra/.

You can also try the most recent tarball put together by Paul Jakma. It
includes a whole bunch of patches that have yet to be accepted into the
standard zebra distribution. (They are notoriously slow about integrating
any new patches.) The only warning about this is apparently one of the
patches Paul uses breaks IPv6 in zebra. For IPv4 it seems to be well tested
and resolves a number of ospf problems. Once again, if you want to build
your own package you can find his tarball here:
http://people.ie.alphyra.com/~paulj/zebra/2002/.

As a note: The Paul Jakma release is more than likely what I am going to use
for my next set of packages specifically because of all the ospf bug fixes
that it has. The only reason that I have not moved to this already is I have
not had the time to verify whether the vanMaarseveen_patch actually breaks
anything with IPv6 or not. Last that I saw this is still speculative.

Or you can grab my package located at:
http://www.eric.kiser.com/download.htm. I would recommend using the one that
is listed under Zebra-0.93b *.lrp Packages  (zebra-0.93b-gv.0.05).
Compared to my most recent version, zebra-0.93b-gv.0.07, it is smaller and
it is only missing support for MPLS.

Best of luck and let us know what resolves the issue for you.
Regards,
Eric Kiser

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of wispdist
Sent: Wednesday, November 27, 2002 7:05 PM
To: Leaf-user
Subject: [leaf-user] zebra ospf routing problem


I am running wisp-dist release 2002-09-21(2348)

I have been running the ospfd with zebra and it seemed to start out working
fine.  However, over time one of the units will drop all learned routes and
all other routers on the system lose the learned routes from that router as
well.

usually if I restart zebra ( /etc/init.d/zebra restart) all routes come back
and propagate thru the network within 40 to 60 seconds.

Also, sometimes a single route will not propagate thru the network.

I have 7 routers in the network and when the ospf works it's great.   But I
have had to restart too many times now.

I have set the router-id manually on each unit to make sure there were no
duplicate router-id's.

Also, I have several IP addresses on each interface.

Anyone having any issues with this?  Or any ideas ?

--Jay




RE: [leaf-user] Bering and IPv6 (XS26)

2002-11-25 Thread Eric B Kiser
Hello Radim,

Since this is a new installation and you don't have to worry about
versioning issues across your network I recommend updating to Bering
1.0-stable. Other than that I would recommend checking iptables. Bering does
not have iptables support for ipv6 by default. Please keep us posted on your
progress.

Regards,
Eric

=
Eric B Kiser
Unemployed Engineer
eMail:  [EMAIL PROTECTED]
=

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Radim Novotny
Sent: Monday, November 25, 2002 6:25 AM
To: [EMAIL PROTECTED]
Subject: [leaf-user] Bering and IPv6 (XS26)


Hi all,

I tried to configure my Bering (1.0-rc1) to have IPv6 support.

There are my steps:
- insmod ipv6  (success)
- compile iptunnel, ping6, ifconfig, route, ip to support IPv6 (success)
- configure IPv6 tunnel as described on xs26.net Help page (success)
- ping6 outside the Bering (failure with error From ::1 Destination
  unreachable: Address unreachable)
- ping6 into Bering from outside world (failure with error From
  3ffe:80ef:100::: Destination unreachable: Address unreachable)

I have configured other IPv6 XS26 account on other Linux box (with RH7.1)
and it works perfectly there. I don't know, why my Bering box does not :-(((

I hope, all configured correctly, XS26 account is active.

Thanks,
Radim




RE: [leaf-user] Bering v1.0-stable released !

2002-11-14 Thread Eric B Kiser
Great job guys, thanks for all your hard work.

Most respectfully,
Eric Kiser

-Original Message-
From: [EMAIL PROTECTED]
[mailto:leaf-user-admin;lists.sourceforge.net]On Behalf Of Jacques Nilo
Sent: Thursday, November 14, 2002 5:53 PM
To: [EMAIL PROTECTED];
[EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: [leaf-user] Bering v1.0-stable released !


Finally, it's out. All the details are here:
http://leaf.sourceforge.net/article.php?sid=63

We will probably take a rest for a while :-)

Enjoy!

Jacques & Eric






RE: [leaf-user] network restart command

2002-10-15 Thread Eric B Kiser

Does this work for anyone else using Bering 1.0-rc3 or rc2. Periodically
this comes up on the list so I give it a try and I get the same response
from both:

#svi network restart
/etc/init.d/network: No such file or directory

Am I the only one seeing this?

Eric Kiser

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Troy Aden
Sent: Tuesday, October 15, 2002 3:40 PM
To: 'Charley King'; [EMAIL PROTECTED]
Subject: RE: [leaf-user] network restart command


svi networking restart should do it.


 -Original Message-
From:   Charley King [mailto:[EMAIL PROTECTED]]
Sent:   Tuesday, October 15, 2002 1:35 PM
To: [EMAIL PROTECTED]
Subject:[leaf-user] network restart command

I am using Bering 1.0-rc3 and was wondering if there was a command to
restart the interfaces like 'service network restart' or something. Or
do the interfaces update after the file has been saved?
Thanks

Charley King





RE: [leaf-user] network restart command

2002-10-15 Thread Eric B Kiser

Um...hmnh! Hows um 'bout that jive? You are 100% correct! Now I will adjourn
myself to someplace far away from computer-anything and issue prayer that
this thread will miraculously disappear. Yikes...that's just...damn!

Most humbly,
Eric Kiser

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Ray Olszewski
Sent: Tuesday, October 15, 2002 6:11 PM
To: Eric B Kiser; [EMAIL PROTECTED]
Subject: RE: [leaf-user] network restart command


Eric -- I don't use Bering myself, but I don't need to in order to point
out the problem.

You tried the command:

 #svi network restart
 /etc/init.d/network: No such file or directory

The prior message said to try the command:

 svi networking restart

networking != network

At 04:46 PM 10/15/02 -0400, Eric B Kiser wrote:
Does this work for anyone else using Bering 1.0-rc3 or rc2. Periodically
this comes up on the list so I give it a try and I get the same response
from both:

#svi network restart
/etc/init.d/network: No such file or directory

Am I the only one seeing this?

Eric Kiser

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Troy Aden
Sent: Tuesday, October 15, 2002 3:40 PM
To: 'Charley King'; [EMAIL PROTECTED]
Subject: RE: [leaf-user] network restart command


 svi networking restart should do it.


  -Original Message-
From:   Charley King [mailto:[EMAIL PROTECTED]]
Sent:   Tuesday, October 15, 2002 1:35 PM
To: [EMAIL PROTECTED]
Subject:[leaf-user] network restart command

I am using Bering 1.0-rc3 and was wondering if there was a command to
restart the interfaces like 'service network restart' or something. Or
do the interfaces update after the file has been saved?
Thanks

Charley King




--
---Never tell me the odds!
Ray Olszewski   -- Han Solo
Palo Alto, California, USA[EMAIL PROTECTED]




[leaf-user] RE: [leaf-devel] snort and nmap

2002-10-10 Thread Eric B Kiser

Thanks David,

I will keep my eyes open for them.

Regards,
Eric Kiser

-Original Message-
From: David Douthitt [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 09, 2002 9:52 PM
To: Eric B Kiser
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [leaf-devel] snort and nmap


On Wed, Oct 09, 2002 at 02:05:49PM -0400, Eric B Kiser wrote:

> I am looking for the most recent versions of nmap.lrp and snort.lrp. I
> checked the CVS packages repository and the only thing I found was an older
> version of nmap and no snort.

I'm the one who's probably responsible for those packages - and
responsible for them being so old.

I've not kept up development as I ought.  However, I'm planning to get
back into the game.  I recently configured a Pentium with Red Hat 6.x
and Oxygen dual boot; we'll see how it goes.

Also, the Oxygen/LEAF Resource CDROM contains all binaries and sources
and probably also the compile-time options in a patch and so forth.

These days, I've been working towards putting all source code into a
sort of ports tree like FreeBSD and Gentoo Linux; it becomes very
flexible.

I'll see if I can compile nmap and/or snort in coming days.







[leaf-user] snort and nmap

2002-10-09 Thread Eric B Kiser

Howdy Folks,

I am looking for the most recent versions of nmap.lrp and snort.lrp. I
checked the CVS packages repository and the only thing I found was an older
version of nmap and no snort.

Your guidance is appreciated...

Eric






RE: [leaf-user] (no subject)

2002-10-07 Thread Eric B Kiser

Howdy Johnnattanh,

The old LRP mailing lists are virtually unused. Just wanted to let you know
before you got your hopes up about getting a response from that arena.

After rereading your last message I had thought that you were referring to
*.lrp packages. My mistake. I am not familiar with the modules that you are
referring to. If you could point me in the direction that you found them I
would appreciate it.

Default routing on all of the LEAF distributions is statically configured.
However you can add packages that will give you the ability to use various
dynamic routing protocols.

I recommend using zebra.lrp packaged by David Douthitt. It is based on
zebra-0.92 and supports bgp, ospf, and rip. I have had problems running it
on the LEAF Bering distro but I know of people that have used it with the
LEAF Oxygen distro with great success.

It can be found here: http://www.leaf-project.org/devel/ddouthitt/packages/

EIGRP is a cisco specific protocol. The only way to play with this is to
play with cisco.

I am currently working on an updated version of the zebra package. The new
version is built around the original modular concept that zebra was built on
and you will be able to load the different protocol daemons as independent
packages. Meaning that if you want bgp you would load the bgpd.lrp and do
not have to give up precious space to protocols that you may not want or
need.

Hope this was helpful,
Eric Kiser




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Johnnattanh
23
Sent: Monday, October 07, 2002 10:54 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: [leaf-user] (no subject)




Hi everyone,
Again somebody can tell me how to manage the routing protocols in a LRP/LEAF
box. (RIP, OSPF, BGP, ISIS, maybe IGRP and EIGRP)
I think that the default routing protocol is RIP but only listen RIP advice
or also send routing RIP advice.
I saw some modules named like ospf.o and igrp.o, but how can configure them.
If somebody have some information about it please tell me.
Thank you in advance.
 Johnnattanh




[leaf-user] current ipsec

2002-10-02 Thread Eric B Kiser

Hi,

Can anyone point me in the direction of the most current ipsec.lrp's. For
the life of me I can't find them today.

Thanks in advance,
Eric Kiser






RE: [leaf-user] current ipsec

2002-10-02 Thread Eric B Kiser

Thanks for the many responses.

Regards,
Eric

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Stephen Lee
Sent: Wednesday, October 02, 2002 11:38 AM
To: Eric B Kiser
Cc: Leaf-user
Subject: Re: [leaf-user] current ipsec


On Wed, 2002-10-02 at 07:57, Eric B Kiser wrote:
> Hi,
>
> Can anyone point me in the direction of the most current ipsec.lrp's. For
> the life of me I can't find them today.


For Bering:
http://leaf.sourceforge.net/devel/jnilo/bering/latest/packages/

Stephen
 







RE: [leaf-user] OT: Won't boot if headless

2002-09-25 Thread Eric B Kiser

Ah, makes perfect sense now. Thanks, Larry.

Regards,
Eric

-Original Message-
From: Larry Platzek [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 25, 2002 11:12 AM
To: Eric B Kiser
Cc: [EMAIL PROTECTED]
Subject: RE: [leaf-user] OT: Won't boot if headless


Hi Eric,
In this context pcb means printed circuit board.
The board where the keyboard encoder chip is usually a 40 connection chip.
Some keyboards have a small pcb connected to the keyboard and the cable
coming from the computer.

I hope this helps.


Larry Platzek  [EMAIL PROTECTED]


On Wed, 25 Sep 2002, Eric B Kiser wrote:

 Date: Wed, 25 Sep 2002 10:38:56 -0400
 From: Eric B Kiser [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Subject: RE: [leaf-user] OT: Won't boot if headless

 Hi Sjaak,

 What is a pcb?

 Thanks,
 Eric

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]]On Behalf Of Sjaak
 Aarnoutse
 Sent: Wednesday, September 25, 2002 8:51 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [leaf-user] OT: Won't boot if headless


 A quick and dirty solution,

 Why don't you create your own emulator? Take the old keyboard apart, all
 you
 need from it is the tiny pcb inside it, remove the rest, wrap the pcb in
 tape, and voila,
 your home-built keyboard emulator is ready to go...

 Sjaak





   I suspect that the problem is hardwired and the only solution is to
   change the motherboard. (I see no BIOS settings that should affect
the
   keyboard.) But somebody prove me wrong, please.
 
  One solution would be to get one of those keyboard emulators. They're
  not cheap so maybe a used LEAF-compatible motherboard is the best bet.
  Have a look at these sites for some pricing on the emulators:
 
  http://www.blackbox.com  and search for Ghost emulators
  http://www.cadesigns.co.uk/dk1b.htm
 
  Stephen
 
 
 
 



RE: [leaf-user] (no subject)

2002-09-23 Thread Eric B Kiser


Howdy Johnnattanh,

The LRP mailing lists are virtually unused. Just wanted to let you know
before you got your hopes up about getting a response from that arena.

> Hello, My name is Johnnattanh
> My question is this if I want to my LRP/LEAF box advertise routing tables
> with certain protocol (RIP,OSPF,IS-IS,maybe IGRP or EIGRP)

I would recommend using zebra.lrp it is based on zebra-0.92 and supports
bgp, ospf, and rip. I have had problems running it on the LEAF Bering distro
but I know of people that have used it with the LEAF Oxygen distro with
great success.

EIGRP is a cisco specific protocol. The only way to play with this is to
play with cisco.

There is a sourceforge project that is currently working on IS-IS support
for zebra but apparently it is still rather buggy and is only available as a
patch or series of patches to the main zebra source.

IGRP is just plain old and doesn't really compare to any of the more modern
OSPF, IS-IS, EIGRP.

> I have seen some
> modules but, I only have to load them and that's it or I can configure them
> in some configuration file.

Yes, they must be configured. I would recommend joining the zebra mailing
list at zebra.org if you are going to work with it. One word of warning
though, the zebra mailing list can be caustic. There is usually nothing
warm, fuzzy, or even polite about it. Generally, though, if you show that
you have done your homework you can get the answers you need out of them.

> Thank you in advance for the help and thank you for this greatful project.
> Also someone knows where or if I can do a back to back connection between 2
> ISDN boxes or connect 2 LRP/LEAF running ISDN in a serial link (I mean
> without have a ISDN switch of the telco between the two boxes) or the LRP
> can be used like an NT1 or NT2.

Nope, you would have to have something in between. Tens of thousands of
dollars just for an emulator, IIRC.

Good luck,
Eric




RE: [leaf-user] file system problems.

2002-09-06 Thread Eric B Kiser

I just checked the help file for WinZip 8.0 and it states...

[snip]
TAR, Z, GZ, TAZ, and TGZ files are often found on Unix-based Internet sites.
TAR stands for “Tape ARchive”.  The TAR format does not provide compression;
it is used only to group files. GZ and Z files are gzip files.  GZ and Z
files cannot contain multiple files.  TAZ and TGZ files are TAR files
compressed in the gzip format.   Since almost all new archives are created
in Zip format, WinZip does not provide facilities to add to or create files
in these formats (however, all other WinZip functions are supported).
WinZip does not use external programs when working with files in these
formats.

Copyright © 1991-2000 by WinZip Computing, Inc.  All rights reserved.
[/snip]

Regards,
Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of S Mohan
Sent: Friday, September 06, 2002 12:58 AM
To: guitarlynn; [EMAIL PROTECTED]
Subject: RE: [leaf-user] file system problems.


Winzip reads tar but does not write tar. Saving is in zip format perforce.
If I'm wrong, please let me know.

Mohan

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of guitarlynn
Sent: 06 September 2002 09:42
To: [EMAIL PROTECTED]
Subject: Re: [leaf-user] file system problems.


On Thursday 05 September 2002 22:59, S Mohan wrote:
 In the recent past, we have seen a lot of mail on partition size and
 associated problems. I initially had problems with MSDOS 8.3 name
 format and had to go thro' renaming object files. If we take the
 netfilter objects, it is particularly difficult with the long names
 where the difference comes only beyond the 8th character.

Why not just tar the modules and stick the tar file on the floppy?
WinZIP supports tar, doesn't it?  ;-)
--

~Lynn Avants
aka Guitarlynn

guitarlynn at users.sourceforge.net
http://leaf.sourceforge.net

If linux isn't the answer, you've probably got the wrong question!





RE: [leaf-user] LEAF Newbie - Questions reguarding 4501 Bering install

2002-08-30 Thread Eric B Kiser

Hi Matt,

You mentioned that you had emBSD running on the 4501 previously. I have a
few questions for you.

What is your opinion of emBSD?

What made you decide to try out LEAF?

Do you have a comparative opinion? If so, what do you think?

Thanks,
Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Matt
Stockdale
Sent: Thursday, August 29, 2002 6:35 PM
To: [EMAIL PROTECTED]
Subject: Re: [leaf-user] LEAF Newbie - Questions reguarding 4501 Bering
install


As is usual, I got it working all of 15 seconds after I sent this out. Turns
out I shouldn't have fdisked it, just used mkdosfs /dev/hde

Matt

On Thu, Aug 29, 2002 at 06:09:36PM -0400, Matt Stockdale wrote:
 I've searched the archives to some extent, but I couldn't find anything
relevant.. If however, I missed something, please point me in the right
direction..

 I'm attempting to install Bering rc3 onto a CF card, which will go into my
soekris 4501. I'm using RedHat 7.2 running on my IBM thinkpad (which has a
CF adapter built into it) to place the files on the CF. However, the 4501
just refuses to boot it.

 I've followed the instructions at
http://www.franzdoodle.com/bering/net4501_cf.txt, and also the very similar
set at
http://www.mail-archive.com/leaf-cvs-commits@lists.sourceforge.net/msg00074.
html.

 I wasn't sure how the CF was supposed to be made bootable as listed in the
franzdoodle docs, there was no mention of running syslinux on the CF (which
I did anyways), and I even tried adding serial 0 19200 to the top of
syslinux.cfg, to see if it was even booting syslinux, which it doesn't
appear to be.

 the CF I'm using is a Transcend 32mb that worked fine w/ emBSD.

 I used linux fdisk to partition it w/ 1 partition, spanning the whole CF,
of type FAT16 (hde1), and made the partition bootable. I copied all the
files over from the floppy image, replaced the kernel w/ one I compiled
(2.4.19) w/ serial support and serial console support built in, copied over
the ide and natsemi modules, and edited added the ttyS0 getty to inittab and
securetty..

 Any idea where I can start troubleshooting?

 Thanks,
   Matt

 --
 ---
 Matt StockdaleSr. Network Engineer - logicworks.net
 [EMAIL PROTECTED]Dura lex, sed lex



--
---
Matt StockdaleSr. Network Engineer - logicworks.net
[EMAIL PROTECTED]Dura lex, sed lex





RE: [leaf-user] LEAF Newbie - Questions reguarding 4501 Bering install

2002-08-30 Thread Eric B Kiser

Thanks a lot for getting back so quickly. I certainly hope you stick it out
with us.

Your insight was appreciated,
Eric

-Original Message-
From: Matt Stockdale [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 30, 2002 10:35 AM
To: Eric B Kiser
Cc: [EMAIL PROTECTED]
Subject: Re: [leaf-user] LEAF Newbie - Questions reguarding 4501 Bering
install


I had to move away from emBSD because it has bugs when interacting w/ either
the 4501 or the natsemi ethernet onboard specifically. When I had a lot of
open connections through NAT (edonkey2000, winmx, etc), the ethernet would
just stop responding, and the box would eventually lock up. You could bring
it back by running a tcpdump on the interface (?!?!?! you could even tell it
to just capture a single packet. I don't know if it was flushing buffers or
something, but it did the trick). For the unit to be usable as a firewall, I
had to run tcpdumps once a minute, across all the interfaces, which impacted
performance pretty severely.

Also, I work for an ISP, and we've been forced to move all of our firewalls
to linux because OpenBSD fails so miserably under any sort of real load in
every version 3.0 release. (and older versions 2.7, 2.8, etc.  The only
version we've found to be stable is 2.9-CURRENT)

As far as LEAF goes, It's a little early for me to have much of an opinion,
but I have to say, except for the bugs, working w/ emBSD was so much better.
No mucking about w/ packages, it just ran w/ ufs right on the CF. SSH and
SCP by default.  It's not an entirely fair comparison, of course, because
LEAF needs to be able to have basic functionality on just a single floppy. I
mainly chose leaf because none of the other mini-linux distros that I could
fit on a 32mb CF card seemed very polished.

I'm going to continue to play w/ bering, I'm also toying w/ the idea of
getting a larger flash card (128,192, or 256Mb perhaps) and just doing a
normal redhat (or more likely debian, which has a far smaller minimum
footprint, although I never really liked it) and install to the CF, or, just
getting a Mini-ITX case and Mobo and using a regular hard drive.

Matt

On Fri, Aug 30, 2002 at 09:27:52AM -0400, Eric B Kiser wrote:
 Hi Matt,

 You mentioned that you had emBSD running on the 4501 previously. I have a
 few questions for you.

 What is your opinion of emBSD?

 What made you decide to try out LEAF?

 Do you have a comparative opinion? If so, what do you think?

 Thanks,
 Eric


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]]On Behalf Of Matt
 Stockdale
 Sent: Thursday, August 29, 2002 6:35 PM
 To: [EMAIL PROTECTED]
 Subject: Re: [leaf-user] LEAF Newbie - Questions reguarding 4501 Bering
 install


 As is usual, I got it working all of 15 seconds after I sent this out.
Turns
 out I shouldn't have fdisked it, just used mkdosfs /dev/hde

 Matt

 On Thu, Aug 29, 2002 at 06:09:36PM -0400, Matt Stockdale wrote:
  I've searched the archives to some extent, but I couldn't find anything
 relevant.. If however, I missed something, please point me in the right
 direction..
 
  I'm attempting to install Bering rc3 onto a CF card, which will go into
my
 soekris 4501. I'm using RedHat 7.2 running on my IBM thinkpad (which has a
 CF adapter built into it) to place the files on the CF. However, the 4501
 just refuses to boot it.
 
  I've followed the instructions at
 http://www.franzdoodle.com/bering/net4501_cf.txt, and also the very
similar
 set at

http://www.mail-archive.com/leaf-cvs-commits@lists.sourceforge.net/msg00074.
 html.
 
  I wasn't sure how the CF was supposed to be made bootable as listed in
the
 franzdoodle docs, there was no mention of running syslinux on the CF
(which
 I did anyways), and I even tried adding serial 0 19200 to the top of
 syslinux.cfg, to see if it was even booting syslinux, which it doesn't
 appear to be.
 
  the CF I'm using is a Transcend 32mb that worked fine w/ emBSD.
 
  I used linux fdisk to partition it w/ 1 partition, spanning the whole
CF,
 of type FAT16 (hde1), and made the partition bootable. I copied all the
 files over from the floppy image, replaced the kernel w/ one I compiled
 (2.4.19) w/ serial support and serial console support built in, copied
over
 the ide and natsemi modules, and edited added the ttyS0 getty to inittab
and
 securetty..
 
  Any idea where I can start troubleshooting?
 
  Thanks,
Matt
 
  --
  ---
  Matt StockdaleSr. Network Engineer - logicworks.net
  [EMAIL PROTECTED]Dura lex, sed lex
 
 

RE: [leaf-user] [off-topic]cf/sm cards/readers

2002-08-26 Thread Eric B Kiser

Thanks for the info, Mike. Not much of a comparison when my solution was 10x
that price.

Eric

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Mike Noyes
Sent: Friday, August 23, 2002 11:02 AM
To: [EMAIL PROTECTED]
Subject: RE: [leaf-user] [off-topic]cf/sm cards/readers


On Thu, 2002-08-22 at 21:40, Eric B Kiser wrote:
 Can anyone recommend where I can find prices better than this?

 Mike, is this price range within the bounds of what you originally had in
 mind when you were researching this previously?

Eric,
No. The SST ATA-Disk Module is less than $20 US.

ATA-Disk Module
http://www.sst.com/products/58sm_lm.html
ATA-Disk Chip Application Notes
http://www.sst.com/superflash/pdf/222.pdf
ATA-Disk Module Product Brief
http://www.sst.com/ata_disk/admbrief.pdf
ATA-Disk Module (Apacer)
http://www.apacer.com/product/flash/index_adc_adm.html

 Last question. Is write-protect on an ATA Flash PC Card a new thing?

It's a relatively new development. My understanding is, that CF PC Card
(PCMCIA) devices that support write protect don't run in true IDE mode.
The newer secure memory types may be supported as a bootable device.

CF 1.4 specifications.
http://www.compactflash.org/cfspc1_4.pdf

Note: we have links to flash disks and adapters in our web links section
of our web site.
http://leaf-project.org/links.php?menu=2

--
Mike Noyes [EMAIL PROTECTED]
http://sourceforge.net/users/mhnoyes/
http://leaf-project.org/






RE: [leaf-user] Recommended NICs?

2002-08-16 Thread Eric B Kiser

whoops, that was the original intent. Been gone for awhile and came back to
find over a thousand email in my inbox... starting to get a little fuzzy

Eric

-Original Message-
From: Cass Tolken [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 16, 2002 7:25 PM
To: Eric B Kiser
Subject: RE: [leaf-user] Recommended NICs?


Hi Eric,

Did you mean to reply to the LEAF list too?  You seem to have sent this
e-mail only to me ;-).

--- Eric B Kiser [EMAIL PROTECTED] wrote:
 I have also been using the FA311 cards and have never had a problem. They
 also require only one instance of the natsemi.o driver module, like the
 tulip. The natsemi.o module, however, is not part of the Bering default
 installation and would have to be added separately. The documentation is
 excellent and the process of adding it is painless.

 Good Luck,
 Eric




RE: [leaf-user] RE: Problem to get wisp working!

2002-07-05 Thread Eric B Kiser

Samuel,

Last time I checked the Soekris boxes were using National Semiconductor for
the Ethernet. You will need the natsemi.o module.

Eric

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Brock Nanson
Sent: Friday, July 05, 2002 12:30 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: [leaf-user] RE: Problem to get wisp working!


 Date: Thu, 04 Jul 2002 19:23:51 -0300
 From: Samuel Abreu de Paula [EMAIL PROTECTED]
 To:  [EMAIL PROTECTED]
 Subject: Re: [leaf-user] RE: Problem to get wisp working!

 Ok, it's /dev/sda1 here, cos i use a CF Reader(USB) to access
 the CF! For linux, the CF it's a emul like a scsi device! so
 the /dev/sda is my
 CF in Linux!

 Thankz... but i did the Wisp boot in my aaeon!
 The CF has to be CHS, not LBA, the format of the first
 partition must be
 FAT16  32mb (in my case), and i use the newer version of syslinux!

 =)

 Now, one more question, wisp use IPTABLES??? in a iptables -L
 show none
 rules!

Samuel,

Let me preface this by saying you are now further along with wisp than I
am.  After successfully booting it I spent literally 2 minutes poking
around the menus before pulling the plug until I can get access to an AP
for real testing.  So in the absence of any other replies I'll try my
best.  By the way, I'm glad to hear that wisp has joined sourceforge...
I had wondered initially why it wasn't there (here)!

Wisp is based on Bering if I understand correctly.  I think you can
access the 'old' bering menus from the new main menu.  I would (because
I use bering) tend to work from there.  I don't recall seeing shorewall
in the package, so I don't know what sort of firewalling is in effect.
My impression was that there were no firewall capabilities as
distributed.  I don't know if that means it runs with iptables or
ipchains... If you don't get an error with that command, I would assume
iptables are supported, but that no rules have been created (?).  I
would be curious to know if shorewall could just 'drop in' to wisp and
if so, why it isn't there already (unless I just missed it).

In another message you ask about 'Hermes' assigned as a nickname.  I
think that is set in wireless.opts which should be found through the
bering menu (pcmcia).  If the wireless tools are present, iwconfig could
be used at the command prompt to change this temporarily.  See the link
to the man page on Jacques Nilo's sourceforge site.

As for the onboard NIC in the soekris SBC, you will need the matching
module for the chipset.  Again this would likely be done by adding the
correct module(s) to /lib/modules and the corresponding entry(s) in
/etc/modules.  If you haven't already experimented with Bering, I'd
suggest you start there and get a feel for how it works before adding
the complexity of wisp.  My brief encounter with wisp suggested some
significant additions to bering!

Brock






RE: [leaf-user] Double Private Network / FreeS/WAN problem

2002-06-22 Thread Eric B Kiser

Not a problem Phil. It just so happened that I worked through this issue
just recently, with much help from Tom and others.

As for your original question Jon... I went back and read through and
couldn't find what LEAF distro you are using.

Regards,
Eric

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Jonathan
French
Sent: Friday, June 21, 2002 7:09 PM
To: [EMAIL PROTECTED]
Cc: Eric B Kiser; [EMAIL PROTECTED]
Subject: Re: [leaf-user] Double Private Network / FreeS/WAN problem



Hm, just for reference, my original problem was a machine behind a
masquerading firewall which was behind another masquerading firewall
(Charter cable).  Would NAT traversal work with that?
Thanks,
Jon

[EMAIL PROTECTED] wrote:

 Aha,  I stand corrected.
 SSH Sentinel and other IPSec clients for  Windows claim to have
 NAT traversal working, also the company that supplies
 IPSec to Cisco.

 At this time however, I believe NAT traversal is experimental or
 in development at FreeSWAN.

 I'll try to keep current.   Thanx.

 Eric B Kiser [EMAIL PROTECTED] on 06/21/2002 03:12:27 PM

 To:   Phillip Watts/austin/Nlynx@Nlynx
 cc:

 Subject:  RE: [leaf-user] Double Private Network / FreeS/WAN problem

 Whoa there,

 I am running a NAT'd client that connects via IPsec through my Bering
 Firewall everyday.

 NT4.0 box w/IPsec clnt  Bering doin NAT  Internet IPsec Server

 If you are running short term connection (establish tunnel, check mail,
 tear down tunnel) you do not even need to modify shorewall. For maintaining
 IPsec tunnels of longer duration Tom Eastep recommended adding these rules.

 ACCEPT net loc:local endpoint ip udp 500 - all
 ACCEPT net loc:local endpoint ip 50  -   - all

 The problem that I am aware of is establishing more than one tunnel
 through the NAT'd connection.

 Regards,
 Eric

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]]On Behalf Of
 [EMAIL PROTECTED]
 Sent: Friday, June 21, 2002 1:41 PM
 To: Jonathan French
 Cc: [EMAIL PROTECTED]
 Subject: Re: [leaf-user] Double Private Network / FreeS/WAN problem

 Without looking at this in any depth, it appears you are trying to
 ipsec from behind a NAT router and I don't believe that will work.
 Why will Charter not hand out a public address ?
 Maybe you should inquire.  Then you'd have to, if I'm right, not do nat
 on the Dlink.

 IPSec is, of course, they say, and are working on it,
 NATable, but it is really designed
 as a point to point tunnel, with subnets behind the endpoints.

 Jonathan French [EMAIL PROTECTED] on 06/21/2002 12:13:50 PM

 To:   [EMAIL PROTECTED]
 cc:(bcc: Phillip Watts/austin/Nlynx)

 Subject:  [leaf-user] Double Private Network / FreeS/WAN problem

 Howdy,

 I've been setting up a VPN.  One of my clients has a Charter Pipeline
 internet connection at home, and wants to communicate with the LEAF box
 at his work via FreeS/WAN.  I got him a D-Link firewall box to stick
 between his cable modem and his computer as an added layer of security.
 Then I had him do a traceroute to www.yahoo.com so I could get his
 nexthop information to configure /etc/ipsec.conf.  From this file, I
 noted:

 1  192.168.0.1  {d-link box}
 2  10.d.e.f     {Charter Pipeline gateway saving IP's!}
 3  24.205.g.h   {a real IP that can be pinged from the outside world}
 4  {and so forth to www.yahoo.com}

 So his network looks like:

 192.168.0.115  {internal machine address}
  |
  |
 192.168.0.1    {d-link internal address}
 10.a.b.c       {d-link external address}
  |
  |
 10.d.e.f       {Charter cable internal gateway}
 24.205.g.h     {Charter cable external gateway - pingable from outside}

 Charter Pipeline is apparently saving money by using IP masquerading
 themselves.  This leaves me with a problem defining right /
 rightnexthop / rightsubnet in /etc/ipsec.conf.  Any ideas?

 Thanks,
 Jon


RE: [leaf-user] Re: IPSec NAT

2002-06-18 Thread Eric B Kiser

Hi Jason,

Could you give a little more information about your setup and what it is
that you are trying to accomplish? Are you wanting to use the LEAF box to do
NAT and IPsec pass-through or something else? If you do just want
pass-through, then what is the nature of your tunnel? Up all day, used to
check mail at the company, business critical apps are surging across it
24/7.

I am sure that we can help out, we just need a little more information.

Regards,
Eric

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Jacques Nilo
Sent: Tuesday, June 18, 2002 4:46 PM
To: Jason Spence
Cc: [EMAIL PROTECTED]
Subject: [leaf-user] Re: IPSec NAT


 Can Bering 1.0-rc3 NAT IPSec?  I see ipt_ah and ipt_esp modules in the
 distribution, but I'm not sure how I would get them to start NATting
 my IPSec boxen...
I have never tried this. Someone more familiar with IPSEC on the leaf-user
list might be able to answer that question.
Jacques





RE: [leaf-user] Bering rc2 + ppp server : anyone done this?

2002-06-14 Thread Eric B Kiser

Jon,

Could you offer up a link on this to help me get started. It would be
greatly appreciated.

Eric

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Jonathan
French
Sent: Tuesday, June 11, 2002 2:16 PM
To: Matt Russell
Cc: [EMAIL PROTECTED]
Subject: Re: [leaf-user] Bering rc2 + ppp server : anyone done this?



Actually, the instructions for 2.9.4 aren't too far off - I used what I
had set up 2.9.4/2.9.8, and copied the ppp.lrp and mgetty.lrp directly
to Dachstein.  The only real change was using the larger Dachstein
kernel that had serial support compiled in.  You will probably need to
find new modules (ppp.o, slhc.o).  I'd try the old pppd and mgetty to
see if they work, and if not use the same scripts but replace the
compiled parts (pppd and mgetty) with Bering versions..  Or, they might
work - don't know.

Good Luck,
Jon French

Matt Russell wrote:

 Just as the subject says, wondering if anyone has successfully setup a
 PPP server (single line) with bering rc2. Anyone know of a how-to URL?
 The only thing I could find was instructions for LRP 2.9.4, whose
 packages obviously won't work with bering.

 thanks,
 matt





RE: [leaf-user] traffic load balancing (again) from a Dachstein box?

2002-06-14 Thread Eric B Kiser

Hi Alec,

There is no simple answer to the Load Balancing question. First you need to
tackle this...

http://www.leaf-project.org/pub/doc/howto/LRP-Load-Balancing-HOWTO.html

If you still have questions please submit them to the list.
Regards,
Eric

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Alec Miller
Sent: Friday, June 14, 2002 9:19 PM
To: [EMAIL PROTECTED]
Subject: [leaf-user] traffic load balancing (again) from a Dachstein
box?



I've got 2 Speakeasy DSL lines both on the same Subnet/Gateway. Are there
any FAQ/Quick links I can poke around at (that are up and running) that I
can use for attempting a traffic balancer from a Dachstein box?  OR should I
move to another release?

I've got a couple WWW servers I want to throw into my DMZ and I haven't
called SE yet to check if they will turn on their equipment for me to pull
this off.  I want to read up on this before I make any phone calls.

I saw a couple links posted previously in the list, but some of them seem to
be broken..


thanks





RE: [leaf-user] OT: Origins of Bering and Dachstein names

2002-05-22 Thread Eric B Kiser

Scott,

Would you be kind enough to give some more details on the nature of your
deployments or even write something for the testimonials section?

Regards,
/eric

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Scott Ecker
Sent: Wednesday, May 22, 2002 1:21 PM
To: LEAF-user
Subject: [leaf-user] OT: Origins of Bering and Dachstein names


Very OT...

It came up in conversation with some friends yesterday that we weren't clear
on the origin of the names for these two popular floppy/cd firewall
packages.  Maybe Charles and Jacques can fill us in on why they're called
Bering and Dachstein.  I can see -stein, but why Dach?  I'm probably missing
out on a principle of linguistics here.

BTW, I've been successfully deploying dachstein toasters all around the US.
I love it.

-Scott





[leaf-user] Gaming with Bering 1.0-rc2

2002-05-14 Thread Eric B Kiser

My son has been giving me a hard time since he has not been able to get his
Mech 4 fix ever since I set up my Bering box. Yes, I know that it is
supposed to be a terrible thing to open up a firewall for game play but a
balance must be realized.

By chance has anyone gone through the process of configuring Shorewall so
that you can play MechWarrior 4 on the Internet? I have been reading the
documentation and it states...

[/snip]

The following TCP ports must be open: 27999, 28805, 28806, 28807, 28808
The following UDP port must be open: 28800

and...

Connection                           Client configuration  Host configuration
Initial TCP Connection               47624 Outbound        47624 Inbound
Subsequent Inbound TCP Connections   2300-2400             2300-2400
Subsequent Outbound TCP Connections  2300-2400             2300-2400
Subsequent Inbound UDP Connections   2300-2400             2300-2400
Subsequent Outbound UDP Connections  2300-2400             2300-2400

[/end snip]

Unfortunately, the rule modifications that I have made have not worked. If
someone would be kind enough to recommend a set of rules for this, it would
be much appreciated.


Regards,
Eric





RE: [leaf-user] Testing IPsec pass-through

2002-05-03 Thread Eric B Kiser

Tom,

I am still a newbie here and I wanted to make sure that I understood what
you meant so here is where I am at on this.

What you suggested was this [1]:

ACCEPT net loc:local endpoint ip udp 500 - all
ACCEPT net loc:local endpoint ip 50  -   - all

I decided not to include the endpoint ip address because I wanted to be able
to use any machine on my local network. So... I did this [2]:

ACCEPT net loc udp 500
ACCEPT net loc 50  all

Following your suggestion of how I can identify the difference I used the
command shorewall show net2loc. Below was my process:

ReBOOT with Rule [1] in place.
make ipsec connection
break ipsec connection
run shorewall show net2loc
record results (see [1] below)

modify shorewall config to use Rule [2]
backup config
ReBOOT with Rule [2] in place
make ipsec connection
break ipsec connection
run shorewall show net2loc
record results (see [2] below)

results from [1] this connection was only up for a couple of minutes.

# shorewall show net2loc
Shorewall-1.2.8 Chain net2loc at firewall - Thu May  2 15:42:01 UTC 2002

Chain net2loc (1 references)
 pkts bytes target  prot opt in out source     destination
   27  4277 ACCEPT  all  --  *  *   0.0.0.0/0  0.0.0.0/0     state RELATED,ESTABLISHED
    0     0 ACCEPT  udp  --  *  *   0.0.0.0/0  192.168.1.10  state NEW udp dpt:500
188 ACCEPT  esp  --  *  *   0.0.0.0/0  192.168.1.10  state NEW
    0     0 net2all all  --  *  *   0.0.0.0/0  0.0.0.0/0

results from [2] this connection was up for 25 minutes.

# shorewall show net2loc
Shorewall-1.2.8 Chain net2loc at firewall - Thu May  2 16:12:20 UTC 2002

Chain net2loc (1 references)
 pkts bytes target  prot opt in out source     destination
 1331  156K ACCEPT  all  --  *  *   0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
    0     0 ACCEPT  udp  --  *  *   0.0.0.0/0  0.0.0.0/0  state NEW udp dpt:500
    0     0 ACCEPT  esp  --  *  *   0.0.0.0/0  0.0.0.0/0  state NEW
    0     0 net2all all  --  *  *   0.0.0.0/0  0.0.0.0/0

The only difference here is the esp (protocol: 50) packets that were
logged. Is this the difference that you were expecting me to find? I am not
in control of the other end. Would you typically expect that a rekeying
attempt would have been made in the 25 minutes that I had left the tunnel
up?

Thanks for your assistance thus far.

/Eric

-Original Message-
From: Tom Eastep [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 01, 2002 11:24 AM
To: Eric B Kiser
Cc: [EMAIL PROTECTED]
Subject: RE: [leaf-user] Testing IPsec pass-through


On Wed, 1 May 2002, Eric B Kiser wrote:

 Since installing Bering 1.0-rc1 the only thing that I have changed in my
 shorewall config is adding the lines below. My understanding is that this
 is not static since it is my single publicly routable address on one side
 and I have three workstations using 192.168.1.x on the other side. Is
 static NAT the same as a 1:1 mapping?


Yes -- in that case, I doubt that the rules that you posted have any
effect. Most people using IPSEC have found that they also need incoming
rules that forward UDP 500 and protocol 50 to the endpoint (as I
recommended in a previous post).  Without such rules, the tunnel will
eventually die during a re-keying attempt.

Look at the output of shorewall show net2loc -- I'm betting that the
packet counts for those rules are zero.

-Tom
--
Tom Eastep\ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ [EMAIL PROTECTED]






RE: [leaf-user] Testing IPsec pass-through

2002-05-03 Thread Eric B Kiser

Very interesting, Tom... Thanks for taking the time to get into more detail.

I have modified my rules back to your original suggestion, however, I still
have one question.

[snip]
In order for either of rules [2] to have been invoked, the ORIGINAL
destination IP would have had to have been in your local network; clearly
that is never going to be the case (my point from the last post). You may
as well remove the rules since they will never do anything.
[end snip]

These rules did do something. They made it possible for me to bring up the
tunnel. I understand the importance of doing it as per your example, I
changed my rules accordingly. If I understand you correctly, based on the
snip above, my rules shouldn't have worked at all?

Respectfully,
Eric

-Original Message-
From: Tom Eastep [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 03, 2002 9:44 AM
To: Eric B Kiser
Cc: [EMAIL PROTECTED]
Subject: RE: [leaf-user] Testing IPsec pass-through


On Fri, 3 May 2002, Eric B Kiser wrote:

 What you suggested was this [1]:

 ACCEPT net loc:local endpoint ip udp 500 - all
 ACCEPT net loc:local endpoint ip 50  -   - all

 I decided not to include the endpoint ip address because I wanted to be
 able to use any machine on my local network. So... I did this [2]:

 ACCEPT net loc udp 500
 ACCEPT net loc 50  all

 results from [1] this connection was only up for a couple of minutes.

 # shorewall show net2loc
 Shorewall-1.2.8 Chain net2loc at firewall - Thu May  2 15:42:01 UTC 2002

 Chain net2loc (1 references)
  pkts bytes target  prot opt in out source     destination
    27  4277 ACCEPT  all  --  *  *   0.0.0.0/0  0.0.0.0/0     state RELATED,ESTABLISHED
     0     0 ACCEPT  udp  --  *  *   0.0.0.0/0  192.168.1.10  state NEW udp dpt:500
 188 ACCEPT  esp  --  *  *   0.0.0.0/0  192.168.1.10  state NEW
     0     0 net2all all  --  *  *   0.0.0.0/0  0.0.0.0/0

 results from [2] this connection was up for 25 minutes.

 # shorewall show net2loc
 Shorewall-1.2.8 Chain net2loc at firewall - Thu May  2 16:12:20 UTC 2002

 Chain net2loc (1 references)
  pkts bytes target  prot opt in out source     destination
  1331  156K ACCEPT  all  --  *  *   0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
     0     0 ACCEPT  udp  --  *  *   0.0.0.0/0  0.0.0.0/0  state NEW udp dpt:500
     0     0 ACCEPT  esp  --  *  *   0.0.0.0/0  0.0.0.0/0  state NEW
     0     0 net2all all  --  *  *   0.0.0.0/0  0.0.0.0/0

 The only difference here is the esp (protocol: 50) packets that were
 logged. Is this the difference that you were expecting me to find? I am
 not in control of the other end. Would you typically expect that a rekeying
 attempt would have been made in the 25 minutes that I had left the tunnel
 up?


Depends on how you have set the re-key interval for the tunnel. Also,
remember that re-keying only involves the UDP connection. I no longer
have any IPSEC tunnels so I don't have immediate access to the docs to see
what the default interval is.

In order for either of rules [2] to have been invoked, the ORIGINAL
destination IP would have had to have been in your local network; clearly
that is never going to be the case (my point from the last post). You may
as well remove the rules since they will never do anything.

The basic problem is that IPSEC tunnels are quiet when there is no traffic
and the re-keying interval hasn't expired. In that time, the connection
tracking entries created when the local endpoint first sent packets to the
remote one will time out. Then, if a packet is received from the remote
end-point, the RELATED,ESTABLISHED rule (first Shorewall-generated rule in
both cases) won't match the incoming packet and the packet will be
rejected.

As long as the local endpoint speaks first after such a quiet time,
everything works -- otherwise, it may not.

By having rules [1], if the remote end sends a packet (either ESP or
UDP/500) and there is no matching connection-tracking entry, the
appropriate rule will:

a) Re-establish a connection tracking entry between the end-points for
that protocol[/port]; and
b) Route the packet to the appropriate local host.

If your tunnels are fairly busy when they are up and you have a short
re-key interval, you should be fine without any IPSEC-related rules. If
you leave these tunnels up overnight with no traffic, you will almost
certainly encounter problems.

-Tom
--
Tom Eastep\ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ [EMAIL PROTECTED]
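
The behaviour Tom describes in the message above, modelled as an added example (not part of the original thread, and not Netfilter or Shorewall code). It shows why the port-forward rules [1] rescue a tunnel after a quiet period while rules [2] never match. The addresses 203.0.113.1 and 198.51.100.7, the 600-second idle timeout and all class and function names are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")  # the "loc" zone used in the thread
LOCAL_ENDPOINT = "192.168.1.10"                     # local IPsec endpoint from the thread
PUBLIC_IP = "203.0.113.1"                           # constructed: firewall's external address
REMOTE = "198.51.100.7"                             # constructed: remote IPsec server
IDLE_TIMEOUT = 600                                  # assumed tracking-entry idle timeout (s)


@dataclass
class Rule:
    proto: str                        # "udp/500" or "esp"
    forward_to: Optional[str] = None  # set for rules [1]; None models rules [2]
    hits: int = 0                     # packet counter, as in "shorewall show net2loc"


class NatFirewall:
    def __init__(self, rules):
        self.rules = rules
        self.conntrack = {}           # (proto, remote_ip) -> (local_ip, last_seen)

    def _lookup(self, proto, remote, now):
        entry = self.conntrack.get((proto, remote))
        if entry and now - entry[1] > IDLE_TIMEOUT:
            del self.conntrack[(proto, remote)]   # timed out while the tunnel was quiet
            entry = None
        return entry

    def outbound(self, proto, local, remote, now):
        """A local host speaks first: masquerade it and (re)create the entry."""
        self.conntrack[(proto, remote)] = (local, now)
        return "MASQUERADED"

    def inbound(self, proto, remote, now):
        """The remote end sends a packet addressed to the firewall's public IP."""
        entry = self._lookup(proto, remote, now)
        if entry:                                  # RELATED,ESTABLISHED rule matches
            self.conntrack[(proto, remote)] = (entry[0], now)
            return f"ESTABLISHED -> {entry[0]}"
        for rule in self.rules:
            if rule.proto != proto:
                continue
            # Rules [1] rewrite the destination; rules [2] leave it as PUBLIC_IP.
            dst = rule.forward_to or PUBLIC_IP
            # net2loc only sees packets whose destination is in the local network.
            if ipaddress.ip_address(dst) in LOCAL_NET:
                rule.hits += 1
                self.conntrack[(proto, remote)] = (dst, now)
                return f"NEW -> {dst}"
        return "REJECTED"


def rules_1():
    return [Rule("udp/500", LOCAL_ENDPOINT), Rule("esp", LOCAL_ENDPOINT)]


def rules_2():
    return [Rule("udp/500"), Rule("esp")]


def quiet_night(rules, local_speaks_first=False):
    """Bring the tunnel up, leave it idle for eight hours, then let the remote end send."""
    fw = NatFirewall(rules)
    for proto in ("udp/500", "esp"):               # evening: local end starts the tunnel
        fw.outbound(proto, LOCAL_ENDPOINT, REMOTE, now=0)
        assert fw.inbound(proto, REMOTE, now=1).startswith("ESTABLISHED")
    morning = 8 * 3600
    if local_speaks_first:
        for proto in ("udp/500", "esp"):
            fw.outbound(proto, LOCAL_ENDPOINT, REMOTE, now=morning)
    verdicts = [fw.inbound(p, REMOTE, now=morning + 1) for p in ("udp/500", "esp")]
    return verdicts, [r.hits for r in rules]


if __name__ == "__main__":
    for name, rules in (("rules [1]", rules_1()), ("rules [2]", rules_2()), ("no rules", [])):
        print(name, quiet_night(rules))
    print("rules [2], local speaks first", quiet_night(rules_2(), local_speaks_first=True))
```

In this model rules [2] and an empty rule set give identical verdicts and zero counters, which matches the zero packet counts in the second listing.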




RE: [leaf-user] Testing IPsec pass-through

2002-05-03 Thread Eric B Kiser

Okie-dokie, here is my sanity check...

Establish IPsec connection  ...done
Tear down IPsec connection  ...done
Remove rules from config...done
save...done
backup  ...done
reboot  ...done
Establish IPsec connection  ...done ...what? ...it failed every other time!
urgh!

All has now been revealed... [sigh]. My misconception in this was based on
the belief that my rules actually were having an effect. This being due to
the fact that I was never able to bring the tunnel up prior to adding the
rules. In all fairness it had been quite a while since I had tried to
establish an ipsec connection through my Bering box and it now seems
entirely likely that there was something else in the path that was blocking
my connection. This something else seems to have been fixed thus I am now
able to make a connection without any trouble and without any extra rules. I
only tunnel in to check my mail and such then I take down the tunnel so in
all likelihood I would never even need Tom's extra rules. On the other hand
if I was attempting to maintain constant connectivity between my workstation
and the far end then I would possibly begin to see trouble because the rules
would not be in place to allow the other end to initiate a key exchange. I
realize that I am repeating things that Tom has already said, I just didn't
understand them before because I was /confused/.

Thanks Tom, your patience through this was much appreciated.

Regards,
Eric

-Original Message-
From: Tom Eastep [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 03, 2002 10:39 AM
To: Eric B Kiser
Cc: [EMAIL PROTECTED]
Subject: RE: [leaf-user] Testing IPsec pass-through


On Fri, 3 May 2002, Eric B Kiser wrote:

 Very interesting, Tom... Thanks for taking the time to get into more
 detail.

 I have modified my rules back to your original suggestion, however, I
 still have one question.

 [snip]
 In order for either of rules [2] to have been invoked, the ORIGINAL
 destination IP would have had to have been in your local network; clearly
 that is never going to be the case (my point from the last post). You may
 as well remove the rules since they will never do anything.
 [end snip]

 These rules did do something. They made it possible for me to bring up
 the tunnel. I understand the importance of doing it as per your example, I
 changed my rules accordingly. If I understand you correctly, based on the
 snip above, my rules shouldn't have worked at all?


No -- the two rules you added had NO EFFECT WHATSOEVER on the outcome.

-Tom
--
Tom Eastep\ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ [EMAIL PROTECTED]






RE: [leaf-user] Testing IPsec pass-through

2002-05-03 Thread Eric B Kiser

Good information, thanks for the insight.

/Eric

-Original Message-
From: Tom Eastep [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 03, 2002 11:04 AM
To: Eric B Kiser
Cc: [EMAIL PROTECTED]
Subject: RE: [leaf-user] Testing IPsec pass-through


On Fri, 3 May 2002, Tom Eastep wrote:

 
 No -- the two rules you added had NO EFFECT WHATSOEVER on the outcome. 
 

To clarify -- since the packet and bytes counts for those two rules were 
zero after your second test, the rules could not have had any possible 
effect.

One other thing -- be very careful when performing back-to-back tests 
using Netfilter-based firewalls. The connection-tracking entries for most 
protocols (TCP being the exception) live on after the connection has been 
terminated. If you establish a similar connection before these tracking 
entries have expired, the entries can be reused (this is especially true 
of protocols that do not make use of ports or that use the same port 
number for source and destination). This can lead you to believe that your 
latest set of rules worked when in fact it did not. A shorewall 
restart does not clear the tracking table (it can't because there is no
way for it to do so).

There has been a lot of grumbling on the Netfilter mailing list about 
the lack of a means for removing connection-tracking entries. Until that 
grumbling results in a change though, caution is advised.

-Tom
-- 
Tom Eastep\ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ [EMAIL PROTECTED]
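
Tom's two cautions above, turned into a check to run before trusting a back-to-back test: which ACCEPT rules have zero packet counts, and which tracking entries for the IPsec peer are still alive. This is an added example, not code from the thread or from Shorewall. The chain listing is the second one from the thread laid out one rule per line; the tracking-table lines, the peer address 198.51.100.7, the assumed /proc/net/ip_conntrack line layout and all function names are constructed for illustration.

```python
import re

# Second listing from the thread (the test with rules [2]), one rule per line.
CHAIN_SAMPLE = """\
Chain net2loc (1 references)
 pkts bytes target  prot opt in out source     destination
 1331  156K ACCEPT  all  --  *  *   0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
    0     0 ACCEPT  udp  --  *  *   0.0.0.0/0  0.0.0.0/0  state NEW udp dpt:500
    0     0 ACCEPT  esp  --  *  *   0.0.0.0/0  0.0.0.0/0  state NEW
    0     0 net2all all  --  *  *   0.0.0.0/0  0.0.0.0/0
"""

# Constructed tracking-table lines: name, protocol number, seconds left, then the tuples.
CONNTRACK_SAMPLE = """\
unknown  50 412 src=192.168.1.10 dst=198.51.100.7 src=198.51.100.7 dst=203.0.113.1 use=1
udp      17 95 src=192.168.1.10 dst=198.51.100.7 sport=500 dport=500 src=198.51.100.7 dst=203.0.113.1 sport=500 dport=500 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=192.168.1.11 dst=192.0.2.80 sport=1042 dport=80 src=192.0.2.80 dst=203.0.113.1 sport=80 dport=1042 [ASSURED] use=1
"""
PEER = "198.51.100.7"  # constructed address of the remote IPsec endpoint

_SUFFIX = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9}
_COUNTER = re.compile(r"(\d+)([KMG]?)")


def _count(token):
    """Convert an iptables counter such as '156K' to an integer (rounded by iptables)."""
    number, suffix = _COUNTER.fullmatch(token).groups()
    return int(number) * _SUFFIX[suffix]


def parse_chain(text):
    """Parse the rule lines of an 'iptables -L -n -v' style chain listing."""
    rules = []
    for line in text.splitlines():
        f = line.split()
        # Banner, 'Chain ...' and column-header lines do not start with two counters.
        if len(f) < 9 or not _COUNTER.fullmatch(f[0]) or not _COUNTER.fullmatch(f[1]):
            continue
        rules.append({"pkts": _count(f[0]), "bytes": _count(f[1]), "target": f[2],
                      "prot": f[3], "dst": f[8], "match": " ".join(f[9:])})
    return rules


def zero_hit_rules(rules):
    """ACCEPT rules that no packet has matched; they cannot have affected the test."""
    return [r for r in rules if r["target"] == "ACCEPT" and r["pkts"] == 0]


def parse_conntrack(text):
    """Parse tracking-table lines into protocol number, seconds left, addresses, ports."""
    entries = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or not f[1].isdigit() or not f[2].isdigit():
            continue
        entries.append({"proto": int(f[1]), "ttl": int(f[2]),
                        "addrs": set(re.findall(r"\b(?:src|dst)=(\S+)", line)),
                        "ports": set(re.findall(r"\b[sd]port=(\d+)", line))})
    return entries


def assess_retest(chain_text, conntrack_text, peer):
    """Report unused ACCEPT rules and IPsec entries for the peer left from earlier tests."""
    zero = zero_hit_rules(parse_chain(chain_text))
    stale = [e for e in parse_conntrack(conntrack_text)
             if peer in e["addrs"]
             and (e["proto"] == 50 or (e["proto"] == 17 and "500" in e["ports"]))]
    return {"zero_hit": [f'{r["prot"]} {r["match"]}'.strip() for r in zero],
            "stale": [(e["proto"], e["ttl"]) for e in stale],
            "wait_seconds": max((e["ttl"] for e in stale), default=0)}


if __name__ == "__main__":
    print(assess_retest(CHAIN_SAMPLE, CONNTRACK_SAMPLE, PEER))
```

A non-empty `stale` list means the next connection attempt may ride on an old tracking entry, so wait at least `wait_seconds` or reboot before judging a new rule set.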






RE: [leaf-user] Testing IPsec pass-through

2002-05-01 Thread Eric B Kiser

Tom, thanks for getting back to me so quickly yesterday.

I have success! I am using NAT and these rules...

ACCEPT  net loc udp 500
ACCEPT  net loc 50  all

Thanks for your help, works like a charm.
/Eric


-Original Message-
From: Tom Eastep [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 30, 2002 8:15 PM
To: Eric B Kiser
Cc: [EMAIL PROTECTED]
Subject: Re: [leaf-user] Testing IPsec pass-through


On Tue, 30 Apr 2002, Eric B Kiser wrote:

 I have finally gotten the opportunity to test this out...

 I added these lines to the bottom of /etc/shorewall/rules and I am still
 unable to connect to my IPsec endpoint on the other side of my Bering box.
 These are the only modifications from the default install of Bering.

 ACCEPT net loc udp 500
 ACCEPT loc net udp 500
 ACCEPT net loc 50,51   all
 ACCEPT loc net 50,51   all

 Did I miss something?
 Put these in the wrong place?
 um ...?

Three things:

a) If you are using NAT or Masquerade, you must use port forwarding rules
for net-loc.

b) In that case, you don't need to pass protocol 51 since ESP and NAT
don't mix.

c) The default Bering loc-net policy is ACCEPT so your loc-net rules are
just so much extra noise.

The port forward rules would look like:

ACCEPT net loc:local endpoint ip udp 500 - all
ACCEPT net loc:local endpoint ip 50  -   - all

-Tom
--
Tom Eastep\ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ [EMAIL PROTECTED]






RE: [leaf-user] Testing IPsec pass-through

2002-05-01 Thread Eric B Kiser

Since installing Bering 1.0-rc1 the only thing that I have changed in my
shorewall config is adding the lines below. My understanding is that this is
not static since it is my single publicly routable address on one side and I
have three workstations using 192.168.1.x on the other side. Is static NAT
the same as a 1:1 mapping?

/Eric


-Original Message-
From: Tom Eastep [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 01, 2002 10:55 AM
To: Eric B Kiser
Cc: [EMAIL PROTECTED]
Subject: RE: [leaf-user] Testing IPsec pass-through


On Wed, 1 May 2002, Eric B Kiser wrote:

 Tom, thanks for getting back to me so quickly yesterday.

 I have success! I am using NAT and these rules...

 ACCEPT  net loc udp 500
 ACCEPT  net loc 50  all

 Thanks for your help, works like a charm.
 /Eric


Eric,

You must be using static NAT then?

-Tom
--
Tom Eastep\ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ [EMAIL PROTECTED]






[leaf-user] kernel 2.4.xl modules for IPsec pass-through when using NAT and netfilter/iptables

2002-04-30 Thread Eric B Kiser

All,

This is a follow up message for the post originally titled - ip_masq_ipsec.o
for Bering.

After communicating with three different sources on the Netfilter mailing
list here are the results.  There are /no/ additional modules required.
Below is a brief of the messages exchanged...

[my post]
 Howdy All,

 I am using Linux with kernel 2.4.18 as a firewall that is doing NAT. I need
 to be able to make an IPSec connection _through_ this firewall to an IPSec
 server on the internet.

 I am told that I need to have the modules ip_conntrack_ipsec.o and
 ip_nat_ipsec.o for my Linux 2.4.18 Firewall to be able to NAT this
 connection. It was also mentioned that a Mr. Harald Welte may have posted
 these on the netfilter site.

 I have gone through the FAQ, browsed the HOWTO, and done some cursory
 searching of the mail archive with no helpful results. Any guidance on this
 would be greatly appreciated.

 Regards,
 Eric

[reply]
Who has told you about this?  The modules don't exist, at least not
provided by the netfilter/iptables project.

I also haven't heard that some 3rd party is providing those modules
--
Live long and prosper
- Harald Welte / [EMAIL PROTECTED]

[my post]
 Are there any required modifications, other than just /not/ restricting the
 required ports, to be able to pass IPsec traffic when using your Linux
 system as a router and performing NAT.

[response from Julian Gomez]
Nope. Let IKE + ESP/AH traffic through. That's it.

[interesting test results from Pavlos]
I did some tests last week and I found out that one VPN client behind the
gateway can connect with the vpn server but two not!
My vpn client uses IPSEC with udp protocol and 500 port, and protocol 50.
From ip_conntrack I saw that when 2 clients tried to connect to the VPN
server only the one had an established connection for protocol 50; the
second only had traffic for udp protocol and port 500.

PAvlos

Thanks to everybody for spurring me into this.

/Eric





[leaf-user] Testing IPsec pass-through

2002-04-30 Thread Eric B Kiser

I have finally gotten the opportunity to test this out...

I added these lines to the bottom /etc/shorewall/rules and I am still unable
to connect to my IPsec endpoint on the other side of my Bering box. These
are the only modifications from the default install of Bering.

ACCEPT  net loc udp 500
ACCEPT  loc net udp 500
ACCEPT  net loc 50,51   all
ACCEPT  loc net 50,51   all

Did I miss something?
Put these in the wrong place?
um ...?

Any help would be appreciated. Thanks in advance,
/Eric





[Leaf-user] RE: [Leaf-devel] Bering v1.0-rc2 available

2002-04-25 Thread Eric B Kiser

We got serial support in the kernel!!! All right!

Thanks Guys,
Eric



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Jacques Nilo
Sent: Thursday, April 25, 2002 9:06 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: shorewall-users
Subject: [Leaf-devel] Bering v1.0-rc2 available


This new release includes, among other things, ipsec and pptp support.
Also updated with latest 1.2.12 Shorewall and iptables 1.2.6a
The documentation has been considerably extended
Thanks to all the folks who helped us on this release !
The details are here:
http://leaf.sourceforge.net/article.php?sid=37

Jacques & Eric

http://leaf.sourceforge.net/devel/jnilo


___
Leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel





RE: [Leaf-user] ip_masq_ipsec.o for bering

2002-04-24 Thread Eric B Kiser

Thanks for Dachstein suggestion (and, yes, Charles is amazingly patient and
helpful) but I have to stick with Bering due to other requirements that I
have set on myself. Specifically, the desire to learn iptables. If I end up
having to figure out how to compile my own kernel then so it has to be. For
the moment, however, I will go to the source...

Mr. Nilo and Mr. Wolzak, how do you feel about including these patches into
the Bering distribution. If this is feasible then could we expect it in the
rc2 release?

Awaiting your response,
Eric

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Chad Carr
Sent: Wednesday, April 24, 2002 10:22 AM
To: Eric B Kiser
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [Leaf-user] ip_masq_ipsec.o for bering


On Wed, 24 Apr 2002 00:27:23 -0400
Eric B Kiser [EMAIL PROTECTED] wrote:

 damn... I have just been sitting here staring at my monitor while the
 reality of what I am trying to do has dawned on me. When Tom pointed me
 in the direction of the files ip_conntrack_ipsec.o and ip_nat_ipsec.o I
 began searching for them under the assumption that I would just load
 them like any other module. After reading your reply things suddenly
 came more into focus. If I understand this correctly, then what I am
 actually looking for is a patch that will make these options available
 for when I have to recompile the kernel. At which time, I can then
 select to either compile them as modules or to compile them directly
 into the kernel.

 Thanks Joey, for the offer of assistance. Any and all help would be
 graciously received. I am still a newbie here so if someone would be
 kind enough to either confirm or deny my assumptions about how to go
 about this I would appreciate it.

Your assumptions are correct.  As Tom said, the only ip_conntrack and
ip_nat (formerly ip_masq) modules available in the default kernel
sources are ftp and irc.  Any others will need to be applied to your
kernel sources as a patch (I believe Tom pointed you at the netfilter site
before), then configure your kernel to build those new options as modules
and build it.

http://www.netfilter.org/documentation/HOWTO//netfilter-extensions-HOWTO.txt

As far as I have seen, Bering does not include any non-standard netfilter
modules.  But, since Bering and Dachstein seem to be gaining some
popularity for ipsec-based systems, it never hurts to ask Jacques whether
he can patch his kernel with these.  Well, it won't hurt you anyways (eh,
Jacques!) ;-)

HTH,
Chad





[Leaf-user] ip_masq_ipsec.o for bering

2002-04-23 Thread Eric B Kiser

Hello All,

I need to be able to make an IPSec connection through my Bering 1.0-rc1
firewall. If I understand correctly I will need the ip_masq_ipsec.o module
to be able to do this. I have been unable to find the ip_masq_ipsec.o for
Bering. I have already searched through all of the files in the modules
section online and did not come across it. Is it already compiled in to the
kernel or is it somewhere else or have I just missed it?

Thanks in advance,

Eric





RE: [Leaf-user] Compact Flash

2002-04-23 Thread Eric B Kiser

Here are some more links that might help you out...

_Flash Memory_
www.pcengines.com/cflash.htm
--Compact Flash to IDE converter (Internal Interface)
www.abiatech.com/fb4617.htm
--Compact Flash to IDE converter (External Interface)
www.sandisk.com/main.htm
--I found their prices to be surprisingly reasonable.
www.flashmemory.com.au
--Memory and more
www.psism.com/psiiia.htm
--CF to IDE converter that mounts in an external drive bay for easy access.
Good Luck,
Eric





RE: [Leaf-user] ip_masq_ipsec.o for bering

2002-04-23 Thread Eric B Kiser

Joey,

Thanks for the quick reply. Here is what I am looking at...

[1] I have to use IPSec client software on an NT4.0 machine from inside my
network to make a connection to the company firewall/IPSec server to be able
to gain remote access into my company. Since we are unable to do both
pass-through and termination I am forced to set this box up to do
pass-through only.

[2] I am planning on setting up a second box inside my network to act as an
IPSec server so that I can connect to my lab while on the road.

I hope this helped to explain it a little better.

Regards,
Eric

-Original Message-
From: Joey Officer [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 23, 2002 4:54 PM
To: Eric B Kiser; [EMAIL PROTECTED]
Subject: RE: [Leaf-user] ip_masq_ipsec.o for bering


Are you sure that you need the ip_masq_ipsec.o file.  I think that this is
only needed if you have an internal ipsec server.  In my case I run the
ipsec server (I'm sure as does everyone else) on the actual gateway server /
leaf server...

Joey


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Eric B Kiser
Sent: Tuesday, April 23, 2002 3:27 PM
To: [EMAIL PROTECTED]
Subject: [Leaf-user] ip_masq_ipsec.o for bering

Hello All,

I need to be able to make an IPSec connection through my Bering 1.0-rc1
firewall. If I understand correctly I will need the ip_masq_ipsec.o module
to be able to do this. I have been unable to find the ip_masq_ipsec.o for
Bering. I have already searched through all of the files in the modules
section online and did not come across it. Is it already compiled in to the
kernel or is it somewhere else or have I just missed it?

Thanks in advance,

Eric





RE: [Leaf-user] ip_masq_ipsec.o for bering

2002-04-23 Thread Eric B Kiser

damn... I have just been sitting here staring at my monitor while the
reality of what I am trying to do has dawned on me. When Tom pointed me in
the direction of the files ip_conntrack_ipsec.o and ip_nat_ipsec.o I began
searching for them under the assumption that I would just load them like any
other module. After reading your reply things suddenly came more into focus.
If I understand this correctly, then what I am actually looking for is a
patch that will make these options available for when I have to recompile
the kernel. At which time, I can then select to either compile them as
modules or to compile them directly into the kernel.

Thanks Joey, for the offer of assistance. Any and all help would be
graciously received. I am still a newbie here so if someone would be kind
enough to either confirm or deny my assumptions about how to go about this I
would appreciate it.

Respectfully,
Eric


-Original Message-
From: joey officer [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 23, 2002 10:05 PM
To: Eric B Kiser
Cc: [EMAIL PROTECTED]
Subject: RE: [Leaf-user] ip_masq_ipsec.o for bering


ahh.. I think I understand now.. so you need to have the packets
passed through on the home machine so that you can make the connection
to work.  I understand now.

There was another post earlier that mentioned the naming difference
for the Bering ipsec.o files.  You might look there.  I'm not familiar
at all w/ Bering, but I'll be glad to assist you by looking as well,
and if necessary, maybe I or someone else can compile this for you.


joey

At Tuesday, 23 April 2002, Eric B Kiser [EMAIL PROTECTED] wrote:

Joey,

Thanks for the quick reply. Here is what I am looking at...

[1] I have to use IPSec client software on an NT4.0 machine from inside my
network to make a connection to the company firewall/IPSec server to be able
to gain remote access into my company. Since we are unable to do both
pass-through and termination I am forced to set this box up to do
pass-through only.

[2] I am planning on setting up a second box inside my network to act as an
IPSec server so that I can connect to my lab while on the road.

I hope this helped to explain it a little better.

Regards,
Eric

-Original Message-
From: Joey Officer [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 23, 2002 4:54 PM
To: Eric B Kiser; [EMAIL PROTECTED]
Subject: RE: [Leaf-user] ip_masq_ipsec.o for bering

Are you sure that you need the ip_masq_ipsec.o file.  I think that this is
only needed if you have an internal ipsec server.  In my case I run the
ipsec server (I'm sure as does everyone else) on the actual gateway server /
leaf server...

Joey

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Eric B Kiser
Sent: Tuesday, April 23, 2002 3:27 PM
To: [EMAIL PROTECTED]
Subject: [Leaf-user] ip_masq_ipsec.o for bering

Hello All,

I need to be able to make an IPSec connection through my Bering 1.0-rc1
firewall. If I understand correctly I will need the ip_masq_ipsec.o module
to be able to do this. I have been unable to find the ip_masq_ipsec.o for
Bering. I have already searched through all of the files in the modules
section online and did not come across it. Is it already compiled in to the
kernel or is it somewhere else or have I just missed it?

Thanks in advance,

Eric




RE: [Leaf-user] Floppy VPN (Dachstein based)

2002-04-16 Thread Eric B Kiser


Very interesting... thanks for the insight, Charles.

Eric

-Original Message-
From: Charles Steinkuehler [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 16, 2002 10:47 AM
To: Eric B Kiser; [EMAIL PROTECTED]
Subject: Re: [Leaf-user] Floppy VPN (Dachstein based)


 I have seen this mentioned before. Why is it that it can't do both pass
 through and termination. Is this specific to Dachstein or Linux or ???

The IPSec VPN limitation (a single machine can masquerade IPSec, or run
IPSec locally, but not both) is a limitation of the way IPSec masquerading
and KLIPS (Kernel Level IPSec...the kernel portion of the FreeS/WAN IPSec
implementation) are implemented in the kernel.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)






[Leaf-user] serial console access

2002-04-15 Thread Eric B Kiser

got called out of town so this response is a bit delayed...

[Joey-snip]
Not to sound impolite... but there is currently a HOW-TO already available,
linked below...  I know the excitement though of getting this particular
project working
[/snip]

Not impolite at all. The only reason that I suggested it is because there
are some _minor_ changes between the Dachstein HOW-TO and the one that would
need to be written for Bering. Such as the effect of not having serial
compiled in the kernel. I have, however, decided to wait until rc2 comes
out. If Jacques decides to include it in the kernel then it would make a
rewrite virtually pointless.

[Chad-snip]
I am wondering when you say success what you really mean. I can copy the
same results as you from my minicom window (i.e. the boot happens and I can
log in) but there is one large thing missing: boot messages.
[/snip]

Success, at this time, was to simply get access [1]. Having the serial
module compiled into the kernel, thus allowing the reception of the kernel
boot messages will be step two [2]. For me, step three [3] will be moving to
a serial accessible bios that will let me see the hardware post.

[Jacques-Snip]
Bering v1.0-rc1 does not have serial compiled in the kernel. This seems
necessary to have serial console access. I am considering to have serial
compiled in v1.0-rc2 for that reason. Any comment from the list on that
issue?
[/snip]

Based on the above statement Mr. Nilo is awaiting feedback from us to
determine whether the serial module will be compiled in. I would like to ask
that everyone who wants it to please be sure and hit the list with that
request so that the Bering team is aware of our interest. Here is mine...

Bering Team, please compile the serial module into the kernel for the rc2
release. It would be greatly appreciated.

Thanks to everyone for their work on this. Once again proving that the LEAF
project is greater than the sum of its parts.

Respectfully,
Eric





RE: [Leaf-user] Floppy VPN (Dachstein based)

2002-04-15 Thread Eric B Kiser

Charles,

I have seen this mentioned before. Why is it that it can't do both pass
through and termination. Is this specific to Dachstein or Linux or ???

Regards,
Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Charles
Steinkuehler
Sent: Thursday, April 11, 2002 5:58 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [Leaf-user] Floppy VPN (Dachstein based)


 I have a Dachstein box that does NAT and port forwarding for my network. I
 would now like to implement a VPN. I replaced the kernel with an IPSEC
 enabled one, and loaded the needed modules. I have the box able to boot
 and still NATing and port forwarding but get error messages. I do not have
 the exact messages, but would like to know if what I would like to do is
 possible. If it is I will post the exact messages.
 What I would like is for one LEAF  box to:

 NAT
 Port Forward
 Endpoint of a VPN tunnel

 Please advise if this is possible.

Yes, you can do what you want.  The only restraint on VPN's and
port-forwarding is the firewall cannot masquerade an internal VPN client (ie
running a VPN client on an internal system...sometimes called VPN
port-forwarding) at the same time the firewall is serving as a VPN gateway
(ie running VPN software on the firewall itself).

There are many folks running the standard NAT/masquerading firewall rules,
and port forwarding services (like web, dns, e-mail, &c), and using the
firewall as an IPSec VPN gateway.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)





RE: [Leaf-user] serial console access

2002-04-15 Thread Eric B Kiser

Jacques,

Ah, well, such is life... I was unaware of being able to use dmesg to get
the same information. I will experiment with this and see if it fits my
need.

Thanks for the quick reply,

Eric

-Original Message-
From: leaf [mailto:leaf]On Behalf Of Jacques Nilo
Sent: Monday, April 15, 2002 4:47 PM
To: Eric B Kiser
Cc: [EMAIL PROTECTED]
Subject: Re: [Leaf-user] serial console access


Eric B Kiser wrote:

 [Jacques-Snip]
 Bering v1.0-rc1 does not have serial compiled in the kernel. This seems
 necessary to have serial console access. I am considering to have serial
 compiled in v1.0-rc2 for that reason. Any comment from the list on that
 issue?
 [/snip]

 Based on the above statement Mr. Nilo is awaiting feedback from us to
 determine whether the serial module will be compiled in. I would like to ask
 that everyone who wants it to please be sure and hit the list with that
 request so that the Bering team is aware of our interest. Here is mine...

 Bering Team, please compile the serial module into the kernel for the rc2
 release. It would be greatly appreciated.

Eric:
I am afraid I am going to disappoint you. I have been thinking about
this issue and the only usage I see for serial built into the kernel is
the ability to see the kernel logging messages on your serial terminal.
Everything else can be done by putting the serial.o in /boot/lib/modules
Once logged in the kernel logging messages can then be seen with dmesg
Also you won't generally start directly with a console-only monitoring.
You will generally setup your floppy to configure it on a normal
machine and at the very end switch to console monitoring facility.
Finally the cost of serial on the kernel is 10K. Quite significant from
a floppy point of view.
Jacques





RE: [Leaf-user] serial console access

2002-04-04 Thread Eric B Kiser


heh! [grin/sigh]

The 'ol not found portion of that message seems devastatingly obvious to
me now. Thanks for being so polite in pointing that out.

I did as you suggested:

/sbin/getty -L ttyS0 9600 vt100

and after hanging for a couple of seconds I then got my prompt back. Before
I go any further this way I am going to follow up on the issues surrounding
serial.o and recheck my configuration.

Respectfully,
Eric



-Original Message-
From: Charles Steinkuehler [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 04, 2002 2:14 PM
To: Eric B Kiser; Jacques Nilo; [EMAIL PROTECTED]
Subject: Re: [Leaf-user] serial console access


 Charles,
 As you suggested I typed in the line below at a command prompt:

 T0:23:respawn:/sbin/getty -L ttyS0 9600 vt100

 ...and got this response:

 T0:23:respawn:/sbin/getty: not found

 I assume, that as we have discovered, this is being caused by the absence of
 serial support in the kernel. If not and I am missing something else please
 let me know.

Actually, you need to type:
/sbin/getty -L ttyS0 9600 vt100

The T0:23:respawn: is part of the init configuration, not part of the
getty command...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)






RE: [Leaf-user] serial console access

2002-04-04 Thread Eric B Kiser

_SUCCESS_

The results as copied from my hyperterm window..

  LEAF configuration menu


1 ) Network configuration

2 ) System configuration

3 ) Packages configuration

b) Back-up a package

c) Back-up your LEAF disk

h) Help
  q) quit
  --
--
Selection:


You guys have been incredibly helpful. Thanks to everyone. I have to leave
town now but when I get back I will write up a HOW-TO for others to follow.

Best Regards to All,

Eric Kiser






[Leaf-user] serial.lrp

2002-04-03 Thread Eric B Kiser


Howdy All,

I have been unable to locate the serial.lrp package. If some one could
please offer a pointer in the right direction it would be greatly
appreciated.

Thanks in advance,

Eric





[Leaf-user] serial console access

2002-04-03 Thread Eric B Kiser


After some discussion with Larry I am resubmitting this question to the list
with more information and a more fitting title.

_system_
Bering v1.0-rc1

_task_
I want to implement serial console access to my firewall.

_resources_
LRP-Serial-HOWTO written by Charles.

_questions_
Do I need to load the serial.o module?
If so, where is it located? (I was unable to locate it when I was searching
through the site.)
It was suggested that setserial would be useful for this. Where can I find
information on this?
If this has been on the list already, my search missed it.
Barring all of this is the LRP-Serial-HOWTO all that I will need?
or...
If no one has done this I will feel my way through it and report back what I
come up with.

Regards,
Eric





RE: [Leaf-user] serial.lrp

2002-04-03 Thread Eric B Kiser

Jeff,

Thanks for the reply. I have read the LRP-Serial-HOWTO written by Charles
and I have messed around with Serge's Packet Filter which asks, shortly
after boot time, whether you want to use your monitor and keyboard or the
serial port. Somehow, in amidst these two things and remembering various
emails that I had seen on the topic, I made the assumption that there
existed a magical serial.lrp that I would need for this purpose. I now
have that cleared up thanks to an off line conversation with Larry and have
reposted my original question with more information. Subject: serial console
access.

You have already answered one of my questions. Now I understand why I was
unable to find serial.o.

Thanks,
Eric

-Original Message-
From: Jeff Newmiller [mailto:[EMAIL PROTECTED]]On Behalf Of Jeff
Newmiller
Sent: Wednesday, April 03, 2002 6:21 PM
To: Eric B Kiser
Cc: [EMAIL PROTECTED]
Subject: Re: [Leaf-user] serial.lrp


On Wed, 3 Apr 2002, Eric B Kiser wrote:


 Howdy All,

 I have been unable to locate the serial.lrp package. If some one could
 please offer a pointer in the right direction it would be greatly
 appreciated.

I don't know what a serial.lrp package would contain.

You may be confused between packages and modules... modules are loadable
kernel drivers, while packages usually contain application
programs.  There is one package, modules.lrp, that you typically
customize for your system by putting appropriate modules in it.

Note that many (if not most) LEAF kernels have compiled-in serial support,
so the use of the loadable version of the driver (serial.o) is not very
common.

---
Jeff NewmillerThe .   .  Go Live...
DCN:[EMAIL PROTECTED]Basics: ##.#.   ##.#.  Live Go...
  Live:   OO#.. Dead: OO#..  Playing
Research Engineer (Solar/BatteriesO.O#.   #.O#.  with
/Software/Embedded Controllers)   .OO#.   .OO#.  rocks...2k
---






RE: [Leaf-user] serial console access

2002-04-03 Thread Eric B Kiser

Charles,

Thanks for the response. Here is where I am so far...

[1] modified /etc/inittab so that my serial terminal line looks like this:
T0:23:respawn:/sbin/getty -L ttyS0 9600 vt100
also, I did verify that the serial port is set for com1

[2] added ttyS0 as the first entry on the list in /etc/securetty

[3] backed up /etc

[4] rebooted

[5] didn't get anything on the terminal but I did start getting the message
below on my leaf box:

INIT: Id T0 respawning too fast: disabled for 5 minutes

The above message repeats itself about every 5 minutes... Any ideas as to
what this may mean would be appreciated.

Thanks,
Eric

-Original Message-
From: Charles Steinkuehler [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 03, 2002 9:13 PM
To: Eric B Kiser; [EMAIL PROTECTED]
Subject: Re: [Leaf-user] serial console access


 _system_
 Bering v1.0-rc1

 _task_
 I want to implement serial console access to my firewall.

 _resources_
 LRP-Serial-HOWTO written by Charles.

 _questions_
 Do I need to load the serial.o module?

Depends on your kernel.  Try adding the following to your kernel command
line (typically the syslinux append line):

console=ttyS0,9600n8

 If so, where is it located? (I was unable to locate it when I was searching
 through the site.)

It would be with the kernel modules...typically in the misc directory.

 It was suggested that setserial would be useful for this. Where can I find
 information on this?

One of the linux online man page or HOWTO sites.  You probably won't need
setserial if you're using a standard serial port, and have serial support
compiled into the kernel.  You can set baud rate and such with the kernel
command line switch, and by passing parameters to your getty program.

 If this has been on the list already, my search missed it.
 Barring all of this is the LRP-Serial-HOWTO all that I will need?
 or...
 If no one has done this I will feel my way through it and report back what I
 come up with.

My Serial HOWTO will get you started, but that was written for Materhorn,
and a 2.2 series kernel...there may be a few tweaks required for running
on Bering with a 2.4 kernel.  Keep us posted...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)






[Leaf-user] zebra.lrp based on zebra 0.92a

2002-04-03 Thread Eric B Kiser


Been searching through the site for the zebra.lrp package based on zebra
version 0.92a. I could swear that I remember an announcement on the leaf
home page that said that it was available. If anyone can provide a pointer I
would appreciate it.

Thanks in advance,

Eric





RE: [Leaf-user] Leaf Speed and workload

2002-03-26 Thread Eric B Kiser


Maybe this will help. I stole this snip from an email on the zebra mailing
list.

[begin_snip/]
this box is a PIII 733Mhz with 256M ram.

Detected 731.483 MHz processor.
Console: colour VGA+ 80x25
Calibrating delay loop... 1458.17 BogoMIPS
Memory: 255024k/262080k available (1286k kernel code, 6668k reserved, 458k
data, 312k init, 0k highmem)

Interfaces in use are as follows:

2 - Fore/Marconi LE155 OC3 ATM NICs
2 - NetGear GA620 Gigabit Ethernet NICs
1 - Intel Ethernet Pro 100 Fast Ethernet NIC

The box is running the 2.4.x kernel
[/end_snip]

The owner of the above box has maintained in the past that he has not seen
any throughput problems.

hope this helps,
Eric



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Charles
Steinkuehler
Sent: Tuesday, March 26, 2002 2:44 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [Leaf-user] Leaf Speed and workload


 For Charles S.  Could you please tell me (if you know) the cpu's cache
 size and the amount of memory in the Athlon machine.

Um...which athlon machine?  All my LEAF systems are currently running on
pretty dated Pentium-1 class systems.

 For everyone  Would a dual cpu system (AMD or Intel) increase the
 usability of a firewall/router box?

Probably, although you'll need to migrate to a system based on the 2.4
kernel to see much improvement in networking performance.  Most of the
networking code in 2.2 kernels isn't multi-processor aware/capable.

 How about when running Intruder detection or IPsec? Is it feasible to
 use a lrp box as a border gateway router, either internal or external?

It's quite feasible to use LRP/LEAF boxes as a border gateway
router...that's how most LEAF boxes are used.  For use as an internal
router, you'll have to decide if the performance is high enough for your
needs.  You'll need fast hardware to route multiple 100MBit ethernet
segments at full speed, and I'm not sure you could get wire-speed Giga-bit
ethernet even with fast hardware...at the least, you'll want fast/wide PCI,
and preferably multiple fast/wide PCI or PCI-X busses, if you're really
trying to route at Giga-bit speeds.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)


___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user





RE: SUMMARY?: [Leaf-user] newbie question (Bering/2.4/IDE)

2002-02-28 Thread Eric B Kiser

Good Work Man, keep up the fight.

I am currently still in the planning stages of doing my own strip down and
kernel recompile of Bering. I have been watching your mail exchanges and
your success has been an inspiration. Thanks for the follow up post.

Eric

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Adrian
Stovall
Sent: Wednesday, February 27, 2002 5:56 PM
To: 'Brad Fritz'; Adrian Stovall
Cc: LEAF (E-mail)
Subject: SUMMARY?: [Leaf-user] newbie question (Bering/2.4/IDE)


Whew! today was an adventure...I decided that I wanted to try to compile all
the modules that I need/use into my own 2.4 kernel (ide, eepro, pci, etc).

I grabbed the latest kernel source, put it on my old, rusty Pentium Pro
200/redhat 6.2 box, and followed the instructions in the readme (spent a
while updating gcc and other packages that were a bit out-of-date in my
distro).

I used the bering.config as my starting point, and started changing m's,
y's, and n's as appropriate and copied it as .config in the dir I untarred
the kernel stuff in.  I ran make oldconfig and make dep, made a bzImage,
copied it to the HD of my router as linux, etc...several hours and a few
passes of syslinux later, I managed to get 2.4 to boot from the HD without
having to include modules.lrp.  Next up is some more slimming...

I am a very happy man.  If I can get the perl package to load successfully,
I'll be a very happy man (and I'll work on getting a configuration utility
I've been writing in perl to go).

I want to thank everyone who responded...I may not follow everyone's advice,
but seeing the suggestions that people had made it easier for me to decide
what road to travel.  If I come up with any useful utilities, I'll be sure
to let everybody in on it.


-Original Message-
From: Brad Fritz [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 27, 2002 6:41 AM
To: Adrian Stovall
Cc: LEAF (E-mail)
Subject: Re: [Leaf-user] newbie question (Bering/2.4/IDE)



On Tue, 26 Feb 2002 14:48:09 CST Adrian wrote:

 Hi all...I had successfully finished a previous install with a 2.2.19-IDE
 kernel and run from a small IDE HD.

Cool.

 What I would like to do is repeat this with a 2.4 kernel (currently messing
 around with Bering Beta4...no probs running from floppy).  What do I need to
 do to make this run from a hard drive?

 I'm hoping for something other than compile a 2.4 kernel with IDE support
 enabled, but I'll try to if I have no choice (severe lack of experience
 with compiling a kernel on my own).

Compiling a 2.4 kernel with IDE support using Jacques' kernel
config [1] as a starting point shouldn't be too bad.  For an
alternative solution, read on...

 Is there a 2.4-IDE kernel out there?  Am I stupid, and there's some simple
 config option to make the Bering 2.4 kernel boot from my HD?

I recently setup Bering (beta 3) on a compact flash card plugged
into a CF-to-IDE adaptor.  I use the stock kernel with the
IDE modules loaded via the initrd image.  This isn't necessarily
easier than recompiling the kernel, but if you *really* want to
avoid re-compiling the kernel, the procedure below should work.

Disclaimer:
This is mostly from memory, so there may be a few mistakes.  I am
also assuming the hard disk is /dev/hdc and is temporarily
installed in a full-blown Linux system for installation of Bering.

  1. Format a partition of your HDD with an MS-DOS filesystem
 as described in Charles' LRP Hard Disk HOWTO [2] or with
 the Linux fdisk and mkfs.msdos commands [3].

  2. Mount a copy of the Bering image somewhere convenient:

   mount -o loop /tmp/bering-1680-b4.bin /mnt/disk/

  3. Uncompress a copy of the Bering initrd.lrp:

   gunzip -c < /mnt/disk/initrd.lrp > /tmp/initrd

  4. Mount the uncompressed ramdisk image:

   mount -o loop /tmp/initrd /mnt/initrd

  5. Copy the ide-disk.o, ide-mod.o, and ide-probe-mod.o modules
 from the ide directory of Jacques' modules directory [4] to
 the mounted initrd image:

   cp /tmp/ide-disk.o /tmp/ide-mod.o /tmp/ide-probe-mod.o \
  /mnt/initrd/boot/lib/modules/

  6. Add lines to boot/etc/modules of the initrd image to load
 the ide modules:

   echo ide-mod >> /mnt/initrd/boot/etc/modules
   echo ide-disk >> /mnt/initrd/boot/etc/modules
   echo ide-probe-mod >> /mnt/initrd/boot/etc/modules

  7. Unmount the initrd image:

   umount /mnt/initrd

  8. Mount the MS-DOS partition you created on the hard drive:

   mount /dev/hdc1 /mnt/newdisk

  9. Copy all files from the Bering image to the new disk:

   cp /mnt/disk/* /mnt/newdisk

 10. Replace the old initrd.lrp with the new one:

   gzip -9 < /tmp/initrd > /mnt/newdisk/initrd.lrp

 11. Edit syslinux.cfg on the new disk and change the fd0u1680
 references to hdc1.

 12. Unmount the hard drive:
   umount /mnt/newdisk

 13. Run syslinux on the hard drive partition:

   syslinux /dev/hdc1

 14. Cross your fingers and try to boot 
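
The file-level steps of the procedure above (3, 6, 10 and 11) as re-runnable shell functions; this is an added example, not part of the original post. The function names and the sample file contents are constructed for illustration, and the loop mounts, which need root, are left out.

```shell
#!/bin/sh
# Added example: the file edits from steps 3, 6, 10 and 11 as re-runnable functions.
# The loop mounts (steps 2, 4, 8) need root and are left out.

# Step 6: list each IDE module once, in the order given in the post.
add_ide_modules() {
    for m in ide-mod ide-disk ide-probe-mod; do
        grep -qx "$m" "$1" || echo "$m" >> "$1"
    done
}

# Step 11: replace the floppy device name; fail if any reference remains.
retarget_syslinux() {
    sed "s/fd0u1680/$2/g" "$1" > "$1.new" && mv "$1.new" "$1" || return 1
    ! grep -q fd0u1680 "$1"
}

# Step 3: decompress through stdin/stdout, leaving the source image untouched.
unpack_initrd() { gunzip -c < "$1" > "$2"; }

# Step 10: compress to a temporary name, test it, then replace the target.
repack_initrd() {
    gzip -9 < "$1" > "$2.tmp" && gzip -t < "$2.tmp" && mv "$2.tmp" "$2"
}

# Run the functions on constructed sample files in a scratch directory.
demo() {
    d=$(mktemp -d) || return 1
    printf 'constructed ramdisk bytes\n' > "$d/initrd"
    printf 'ide-mod\n' > "$d/modules"
    printf 'append boot=/dev/fd0u1680:msdos PKGPATH=/dev/fd0u1680\n' > "$d/syslinux.cfg"
    add_ide_modules "$d/modules" && add_ide_modules "$d/modules" &&
        retarget_syslinux "$d/syslinux.cfg" hdc1 &&
        repack_initrd "$d/initrd" "$d/initrd.lrp" &&
        unpack_initrd "$d/initrd.lrp" "$d/initrd.check" &&
        cmp -s "$d/initrd" "$d/initrd.check"
    rc=$?
    cat "$d/modules" "$d/syslinux.cfg"
    rm -rf "$d"
    return $rc
}

demo
```

Testing the compressed image before it replaces initrd.lrp keeps a truncated write from leaving the disk with an unbootable ramdisk.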

[Leaf-user] Having trouble finding what I am looking for...

2002-02-13 Thread Eric B Kiser

Hello LEAF List,

I have been keeping up with all of the lists for quite some time and have
been doing a considerable amount of research on the LEAF site, yet I am
either not finding what I am looking for or I am still shamelessly confused.
First, I will detail what I am trying to accomplish then I will attempt to
list my questions in some semblance of order. I am still a, relatively, new
user of Linux. Your patience is appreciated...

Below is the foundation that I need for my project:

2.4.x kernel
iproute2
iptables
ipv4 and ipv6
gnu zebra
openssh
frees/wan

On with the questions...

1) Is there currently a LEAF distro using the 2.4.x kernel and glibc 2.1.3?

2) I was looking at Bering until I realized that it was using glibc 2.0.x
and then I found that it also did not have all of the kernel features that I
wanted. I have not been able to find the page with that information again.
Could someone provide me with a pointer to that page?

3) If there is a distro that I want to use but want to replace the kernel
with my own is it as simple as compile kernel, apply patches, copy to disk
as linux?

4) David Douthitt had stated that the LRP patches were no longer needed in
some situations. It was my understanding that they were what made LRP what
it was and were the foundation of LEAF. If someone could explain this I
would greatly appreciate it.

5) Does the version of glibc on your machine have an effect when compiling
the kernel?

6) I have a computer that I have set aside as a development station. In the
Developing for LRP How-To, Debian Slink was recommended, however, I have
been unsuccessful in finding it. Also recommended was Red Hat 6.0. Are all
of the Red Hat 6.x versions able to be used for my purposes (glibc 2.1.3) or
is there a particular one that I should use (6.0 versus 6.2)?

I guess that is probably enough for now. I am sure that I will have more
later.

Thank you in advance and best regards.

Eric Kiser

