Re: [leaf-user] dns or rule problem?????

2006-04-01 Thread Eric Wolzak
Hello Andrew, you wrote

 I'm running Bering u-Clibc 2.1.3
 I have 5 static IPs coming in from my ISP. (eth 0)
 4 of them are proxyARPed to the DMZ. (eth 2)
 The last IP is serving my local network. (eth 1)
 My dmz is basically web servers with port 80 open.
 Outside my network, people can see my servers just fine, but from my
 local network I can't access my websites even using their public IPs.
 Do you have any recommendations for allowing me to access my dmz
 websites from my local network computers?  Security to and from my
 local network to and from the dmz is also a high priority.
 I am a novice at this, so please be kind.  I have not made many
 changes to the settings on the firewall box.
 I don't know if it matters but I am using my ISP's dns service.
 Let me know if you need more info.

 Thanks,
 Andrew

It seems that this is a routing/firewall problem.
Your static IPs, if coming from the outside, are routed to a DMZ server.
If coming from your internal network they end at your external interface.
If they reach your server, then your firewall restricts their answers (from dmz
to local).
You have to set a rule allowing a machine on your local network to access the
machine on the dmz and back!
In that case use something like this in the shorewall rules file:
ACCEPT  loc   dmz   tcp 80

Or if you only want a special machine to be allowed to go to the dmz use
something like.

ACCEPT  loc:192.168.1.10 dmz tcp 80

Hope this helps
I assume that the syntax is correct so, I still use an old Bering  ;)

regards

Eric Wolzak





leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/


Re: [leaf-user] Bering 1.2 CD won't load daemontl.lrp

2004-07-12 Thread Eric Wolzak
Hello Richard 

Are you sure that dnscache is really running over daemontools?
You should set up the /service directory as stated in the cr.yp.to page,
so multilog can use the settings there.
Didn't try it myself on Bering (only in Debian).
You should have processes with supervise .log
and the running process.

Regards
eric Wolzak
member of the Bering Crew




 I am attempting to boot *everything* from Bering 1.2 CD, rather than
 using CD plus helper floppy. This is to teach a class in the fall using
 Bering and distribute only CDs to the students. I am including so many
 lrps -- ipsec, daemontl, etc -- that I am over the 254 char line limit
 on syslinux.cfg. So, I transition to using leaf.cfg to load the extra
 modules i.e. changed the LEAFCFG as follows in syslinux.cfg:
 
 display syslinux.dpy
 timeout 0
 default linux initrd=initrd.lrp init=/linuxrc rw root=/dev/ram0
 LEAFCFG=/dev/cdrom:iso9660 PKGPATH=/dev/fd0:msdos,/dev/cdrom:iso9660
 syst_size=12M log_size=4M
 LRP=root,etc,local,modules,iptables,pump,keyboard,shorwall,ulogd,dnscache,ipsec,mawk,dhcpd
 
 I have the above syslinux.cfg and following leaf.cfg files injected into
 bootdisk.bin using winimage. I save the bootdisk.bin file with winimage,
 and burn a CD. 
 
 The CD boots fine, and all other functions from the syslinux.cfg LRP=
 load, plus weblet from leaf.cfg. But I get no daemontl to log dns.
 (/etc/dnscache/env/QUERYLOG is set to YES) The verbose flag in leaf.cfg
 seems to put no additional lines in any file in /var/log...
 
 Curiously, (but harmlessly) no initrd in the packages menu of lrcfg,
 although I can see initrd loading when the machine boots up.
 
 What could be wrong?
 
 TIA
 Rick.
 
 # This file is parsed as a shell script
 # Kernel command line parameters are available as KCMD_variable
 # ie: KCMD_LRP contains the LRP= portion of the kernel command line
 # NOTE: For kernel command line settings that do not include an equals
 # sign (ie: rw or similar), the variable is set to itself, allowing
 # for easy testing (ie: KCMD_rw=rw).
 
 # LRP and PKGPATH variables now support whitespace (space, tab, newline)
 # as well as commas for separators.
 
 # Uncomment for more verbose execution.
 VERBOSE=1
 
 # Other variables you might want to set in this file include:
 # LRP         Packages to load
 # PKGPATH     Device(s) to load packages from
 # syst_size   Size of root ramdisk
 # tmp_size    Size of /tmp ramdisk
 # log_size    Size of /var/log ramdisk
 
 # Example:
 LRP="$KCMD_LRP rsync"
 LRP="$KCMD_LRP daemontl"
 LRP="$KCMD_LRP weblet"
 
 






Re: [leaf-user] Bering 1.2 backup destination problem

2004-05-30 Thread Eric Wolzak
Hello Charles, Richard. 
The strange thing on Bering is that the /dev/fd0 is changed depending on the 
boot device or the last device used.
The first time you use fd0 after boot it is a fd01680 device.
If you backup a file to a fd01440 and use /dev/fd0 next time, it is a 1440.
So I wouldn't use /dev/fd0 but fd01440 or fd01680, to be sure about the 
format.

Regards

Eric Wolzak
member of the Bering Crew

  
  Take out Bering boot floppy, insert a 1440kb floppy.
  lrcfg
  b) backup a package
  Then for each package etc, shorwall, etc. I change the destination to
  fd0, msdos by typing 
  d 3 (for etc) and selecting the appropriate options, then
  b 3  
  
  This works for the first package backed up -- but upon backing up a
  second package
  i.e. d 5  (select fd0)
  Then b 5  results in the message cant mount backup device.  
  
  I have tried to umount the floppy, but it is not mounted (getting out of
  lrcfg, then going back into lrcfg).
  Forever, any further backups to fd0 fail with the above message until
  reboot from the Bering (fd0u1680) floppy. 
  
  Any idea what to do?  I can reboot between each package, but it is a bit
  tedious.
 
 I suspect you're having consistency problems going between 1680K and 
 1440K disks.  Note that /dev/fd0 *should* be 1440K, but I believe the 
 default bering floppy backup target is actually /dev/fd0u1680, which is 
 a 1680K formatted disk.
 
 I suggest adding a 1440K backup target by running the following at the 
 command line:
 
echo /dev/fd0u1440 >> /var/lib/lrpkg/pkgpath.disks
 
 Then you can change the backup target for all packages (d e) to the 
 1440K disk (probably choice #3).  You can also try backing up everything 
 at once (b e), but I prefer to do backups one at a time.
 
 Note:  You can also just copy the LRP's from one disk to another:
 
# mount bering 1680 disk
mount -t msdos /dev/fd0u1680 /mnt
 
# copy files to /tmp
cp /mnt/*.lrp /tmp
 
# unmount disk
umount /mnt
 
# mount 1440K disk
mount -t msdos /dev/fd0u1440 /mnt
 
# copy files from /tmp
cp /tmp/*.lrp /mnt
 
# unmount disk
umount /mnt
 
 HTH...
 
 -- 
 Charles Steinkuehler
 [EMAIL PROTECTED]
 
 
 






Re: [leaf-user] looking for Bering 1.2 and 2.1 kernel .config files

2004-04-17 Thread Eric Wolzak
Hello Newton 

The kernel config for Bering 1.2 is at
http://leaf.sourceforge.net/devel/jnilo/bering/latest/development/kernel/Bering-2.4.20.config


Regards

Eric Wolzak
member of the bering crew

 Greetings,
 
 The .config files used to be with the development
 files in the previous version of LRP/Bering e.g. rc3.
 Where can I locate the linux kernel .config files for
 1.2 and 2.1 ?
 
 Thanks.
 
 Newton
 
 
 
   
   






Re: [leaf-user] Bering still active?

2004-03-29 Thread Eric Wolzak
To: [EMAIL PROTECTED]
From: [EMAIL PROTECTED]
Subject: [leaf-user] Bering still active?
Date sent: Mon, 29 Mar 2004 12:39:51 +0100


Hello Gustav, list

It is. As a matter of fact, I was (am) occupied a lot with a new job, so there 
wasn't time for a new release. 
Still working on Bering though.

Regards
Eric Wolzak
member of the bering Crew

 
 
 
 
 Hi,
 
 I'm new to the list, and soon to become new to Bering. So please bear with
 me.
 
 I've read quite a lot about the Bering distro, including its installation
 documentation. Looks like Bering could match my needs.
 
 What makes me wonder is that the latest release of Bering dates to May 2003
 (unless I've missed something), which is almost ten months ago.
 
 
 So:
 
 - Is Bering still alive and active?
 
 -- or --
 
 - Is Bering being phased out for what?
 
 
 
 
 
 Gus
 
 
 
 






Re: [leaf-user] Does anyone knows a PPoE server for bering ?

2004-03-26 Thread Eric Wolzak

 Does anyone knows a PPPoE server for bering ?

Hello Miquel, if you only want to be able to connect with a limited number of 
connections, you can use the standard pppoe and pppd.lrp that come with 
Bering.
The only thing you have to do is make some changes to the pppoe options. 
I described this method to the mailing list; look at 
http://www.mail-archive.com/[EMAIL PROTECTED]/msg06510.html

Good luck and please report  back your experiences 



Eric Wolzak
member of the bering Crew




(Fwd) Re: [leaf-user] Problems loading D-link de650

2004-02-03 Thread Eric Wolzak
Sorry, forgot list

On 3 Feb 2004 at 13:02, Henning Jebsen wrote:

 (Bering 1.0 stable, Kernel 2.4.18)
 Hi folks,
 my second problem is to load this PCMCIA Card
 
 I already did some search. Afaik the needed modules are
 8390.o
 pcnet_cs.o
 
 8390.o loads fine...(no error at least ;-))
 
 pcnet_cs reports:
 insmod: unresolved symbol register_pccard_driver
 insmod: unresolved symbol unregister_pccard_driver
 
 My pcmcia.lrp is not yet configured! I think I don't
 need to, unless the card is not recognised correctly...
 
 I tried to use the ne2000-modules, providing 
 an IO port. Did not work. 
 
 The card itself works properly under Suse 7.1 and 
 winME.
 
 To me it seems, pcnet_cs is missing a certain module...

Hello Henning 

pcnet_cs depends on 
pcmcia_core.o
ds.o 
and 
8390.o

Please try these modules.
This information is from the modules.dep file (not tested).

Regards

Eric Wolzak
member of the bering crew.







Re: [leaf-user] Future of Bering and Bering-uClibc?

2004-01-30 Thread Eric Wolzak
Hello Timothy, list

 [EMAIL PROTECTED] wrote on 01/29/2004 08:00:09 AM:
 
I have been using Bering quite successfully for some time now, but I'm
at a spot where it would be good to evaluate a change to uClibc.  I
haven't seen any discussion regarding development on Bering.  Of course,
most of the development on uClibc has been to recompile existing Bering
packages...  :)
  
   Either I miss your irony, or you better reread the Changelog for
   Bering-uClibc - none of the entries mentions other packages than the one
   from the base image, and I can assure that recompiling packages has been a
   minor effort compared to the changes for base image, addition of ipv6 and
   gaining more space on the base image.
 
  From my (admittedly limited) research, it seemed that most of the 
 messages regarding new items for Bering-uClibc were from people 
 compiling (new) versions of software that already existed under 
 traditional Bering.  Maybe I am mistaken:  I have not followed it that 
 closely.
 
 I asked a similar question about 4 months ago.  I was told to stick with 
 Bering unless I needed the reduction in size that uClibc gave me.  
 Seeing as I'm running on EPIA's with 128MB RAM and 32MB DOM, I really 
 didn't.  The only thing that has prompted my question is I have seen no 
 real development on Bering since 1.2, and Bering uClibc is readying its 
 second or third release since then.

I am working on a web interface at the moment; due to professional (not LEAF 
related) changes, time is somewhat limited (and the nice snow is distracting 
;) ). 
The inherent problem of Bering is the library, which isn't maintained anymore. 
On the other hand, the uniformity of the old lib means that there are a 
whole bunch of packages available.
One of the reasons the uclibc group did release new versions is that if the 
uclibc library is updated, the packages mostly must be recompiled. What I mean 
with this is that those changes deserve the name new release. 
The interesting thing is that the IMHO most important improvement the uclibc guys 
made stays largely unnoted, namely the use of automatic package making. 

The necessity of recompiling with every new version of uclibc will hopefully 
change as soon as uclibc reaches version 1.0. 

My plans with Bering are: updating to a new kernel version, thereby keeping as 
close to uclibc as possible. 
Improvement of the installation and maintenance issue. 
Working on a "change a setting only in one place" version. This will also be 
usable with uclibc.
Recompiles of single packages were and are done, but didn't need a complete new 
release, so they weren't that obvious.

Hope to have answered your question with that. 

Regards
Eric Wolzak
member of the bering Crew

 
 I'm really not looking for anything specific.  I just want something 
 that is going to keep up with, e.g., bugfixes in the underlying packages 
 and kernel.  I'm not looking for any new features.
 
 Tim Massey
 





Re: [leaf-user] Qmail questions

2003-12-28 Thread Eric Wolzak
Hello Kory,

Sorry, I haven't read the whole thread.
But as I understand, you have a mail server in the DMZ
running on a LEAF box,
called DMZ_BOX.
DMZ = 192.168.10.0/24
route will be 192.168.10.0/24 via 192.168.10.x
default via 192.168.10.254 (DMZ address on LEAFBOX)


And a LEAF router connected to the internet and local.
Here you run dnscache listening on 192.168.1.254
and tinydns listening on localhost (127.0.0.1),
called LEAFBOX.
Route 192.168.10.0/24 via 192.168.10.254
192.168.1.0/24 via 192.168.1.254
default via external IP address


Now you have a problem: the DMZ_BOX cannot resolve names.
1. Do you have dnscache running on your DMZ_BOX?
If yes, then you have to use the forwardonly option and set it to yes, to use 
your nameserver on LEAFBOX. 
The address to forward to is 192.168.1.254. 
Otherwise, your DMZ_BOX will use the root servers to find the MX for 
kroffts.com; this will point you to your provider, they point hopefully to 
your external interface, and now you are trying to get an address from your 
external interface.
This might get a problem with your shorewall rules.
Insert 192.168.1.254 in /etc/resolv.conf.

After opening the firewall rules to allow udp 53 from dmz to fw, 
it is now possible to resolve anything that you can resolve from the local net.

regards

Eric Wolzak
member of the bering crew.
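
The forward-only setup from the reply above, written out as an added example (not part of the original post and not LEAF project code). It assumes the stock djbdns directory layout (`env/`, `root/servers/@`, `root/ip/`) under a directory passed as an argument; the function names and the `root/ip` client-prefix step on LEAFBOX are this example's own, and the demo runs against a scratch directory.

```sh
#!/bin/sh
# Added example. Assumes the stock djbdns layout under the directory given
# as $1 (the page shows the dnscache directory as /etc/dnscache).

# Accept only a dotted-quad IPv4 address.
is_ipv4() {
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# DMZ_BOX: hand every query to one cache instead of walking the root servers.
set_forward_only() {            # $1 = dnscache dir, $2 = forwarder address
    is_ipv4 "$2" || { echo "bad forwarder address: $2" >&2; return 1; }
    [ -d "$1/env" ] && [ -d "$1/root/servers" ] ||
        { echo "not a dnscache directory: $1" >&2; return 1; }
    echo 1 > "$1/env/FORWARDONLY"       # dnscache only checks that this is set
    echo "$2" > "$1/root/servers/@"     # "@" now lists forwarders, not root servers
}

# LEAFBOX: dnscache drops queries from clients whose address has no matching
# prefix file under root/ip, so the DMZ network has to be listed there.
allow_clients() {               # $1 = dnscache dir, $2 = prefix, e.g. 192.168.10
    case "$2" in
        ""|*[!0-9.]*|.*|*.|*..*) echo "bad prefix: $2" >&2; return 1 ;;
    esac
    [ -d "$1/root/ip" ] || { echo "not a dnscache directory: $1" >&2; return 1; }
    touch "$1/root/ip/$2"
}

# Report how a dnscache directory is currently set up.
forward_status() {              # $1 = dnscache dir
    if [ -s "$1/env/FORWARDONLY" ]; then
        echo "forward-only via $(tr '\n' ' ' < "$1/root/servers/@" | sed 's/ *$//')"
    else
        echo "recursive from the root servers"
    fi
}

demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/dmz_box/env" "$d/dmz_box/root/servers" "$d/leafbox/root/ip"
    forward_status "$d/dmz_box"
    set_forward_only "$d/dmz_box" 192.168.1.254   # LEAFBOX cache address from the post
    allow_clients "$d/leafbox" 192.168.10         # DMZ = 192.168.10.0/24 from the post
    forward_status "$d/dmz_box"
    ls "$d/leafbox/root/ip"
    rm -rf "$d"
}
demo

# Matching Shorewall rule on LEAFBOX (zone names as used in the post):
#   ACCEPT  dmz  fw  udp  53
# The post names udp 53 only; DNS retries truncated answers over tcp 53.
# dnscache has to be restarted on both boxes before the changes take effect.
```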






Re: [leaf-user] AVM Fritz!Card v2.x

2003-12-15 Thread Eric Wolzak
Hello List 

for others that might be interested 

AVM Fritzcard version 2.x does work with Bering.

Modules needed are:

#modules need for AVM-Fritz!Card v2.x ISDN
slhc
isdn
hisax
hisax_isac
hisax_fcpcipnp 
#

Thanks to Felix Theodor for trying this out

Regards

Eric Wolzak
member of the Bering Crew




(Fwd) Re: [leaf-user] AVM Fritz!Card v2.x

2003-12-12 Thread Eric Wolzak
Sorry forgot the list. 


--- Forwarded message follows ---
From: Eric Wolzak [EMAIL PROTECTED]
To: Felix Theodor [EMAIL PROTECTED]
Subject: Re: [leaf-user] AVM Fritz!Card v2.x
Date sent: Thu, 11 Dec 2003 19:16:36 +0100

Hello Felix 

First of all, you have to use the hisax.fcpcipnp.o
http://leaf.sourceforge.net/devel/jnilo/bering/latest/modules/2.4.20/kernel/drivers/isdn/hisax/hisax_fcpcipnp.o 
and probably also the hisax.isac.o 

The hisax type number is probably 27 
Sorry, I cannot try this, as I only used the old Fritz, which is a 
completely different card.

If you are successful please contact the list.
If you still have trouble append the output from the module loading.

Regards
eric Wolzak
member of the bering crew


On 11 Dec 2003 at 16:33, Felix Theodor wrote:

 Dear Bering friends,
 
 last time I have to Install Bering(kernel 2.4.20) on a
 computer with an AVM Fritz!Card. Myself, I also use an AVM
 Fritz!Card v1.0; it works without any problems. But
 with the Fritz!Card v2.x hisax doesn't find it. :( 
 Can someone tell me what I can do?
 
 Thank you!
 
 Felix

--- End of forwarded message ---




Re: [leaf-user] AVM Fritz!Card v2.x

2003-12-12 Thread Eric Wolzak
Hello Felix, you probably misunderstood something.

You will need the normal hisax, probably type=27, and 
additionally hisax_fcpcipnp.
I just don't know in what order als

slhc
isdn
hisax type=27
hisax_fcpcipnp # this is the special driver for the Fritz Card PCI  PNP .

If you get unresolved symbols now,
please look which symbols they are.
Those are indications that the order of the modules is wrong. 
You can do the following 
on the command line:

# insmod slhc
# insmod isdn
# insmod hisax type=27
# insmod hisax_fcpcipnp  

At what stage do you get which unresolved symbols?


##
Background about your card: normally it is meant to be used with a CAPI 
interface; that is what large distros do.
But with the hisax_fcpcipnp it is possible to use the older, and more basic 
hisax interface. 
I only don't know the order; I even suspect that the special hisax_fcpcipnp 
should be first.

###

Good luck
Eric Wolzak



On 12 Dec 2003 at 9:15, Felix Theodor wrote:

 Hello Eric,
 
 I've loaded the modules but unfortunately both were not
 successful. 
 
 # Modules needed for ISDN
 # Look for type, io and irq settings at help page of isdn.lrp documentation
 slhc
 isdn
 hisax_fcpcipnp type=27 protocol=2
 
 I get insmod: unresolved symbol .
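
An added example (not from the original posts and not LEAF code) for the two threads on this page where `insmod` reports unresolved symbols: it reads a 2.4-style `modules.dep`, the file cited in the D-Link reply, and prints the order in which a module and its prerequisites have to be loaded. The function names and the sample `modules.dep` and `/proc/modules` contents are constructed for illustration; only the `pcnet_cs` prerequisites mirror what the page states.

```sh
#!/bin/sh
# Added example: work out an insmod order from modules.dep instead of guessing.

# Print MODULE and everything it depends on, prerequisites first.
load_order() {                  # $1 = modules.dep, $2 = module name without ".o"
    awk -v target="$2" '
    function base(p) { sub(/.*\//, "", p); sub(/\.o$/, "", p); return p }
    function visit(m,    n, i, list) {
        if (state[m] == "done") return
        if (state[m] == "open") { loop = m; return }
        state[m] = "open"
        n = split(deps[m], list, " ")
        for (i = 1; i <= n; i++) visit(list[i])
        state[m] = "done"
        order = order (order == "" ? "" : " ") m
    }
    {
        more = sub(/\\[ \t]*$/, "")     # an entry may continue after a trailing backslash
        entry = entry " " $0
        if (more) next
        n = split(entry, f, " "); entry = ""
        if (n == 0) next
        sub(/:$/, "", f[1]); name = base(f[1]); known[name] = 1
        for (i = 2; i <= n; i++) deps[name] = deps[name] " " base(f[i])
    }
    END {
        if (!(target in known)) { print "not in modules.dep: " target > "/dev/stderr"; exit 2 }
        visit(target)
        if (loop != "") { print "dependency loop at " loop > "/dev/stderr"; exit 1 }
        print order
    }' "$1"
}

# Turn the order into insmod commands, skipping modules that are already
# loaded according to a file in /proc/modules format (optional $3).
insmod_plan() {
    order=$(load_order "$1" "$2") || return $?
    for m in $order; do
        if [ -n "${3:-}" ] && grep -q "^$m " "$3"; then continue; fi
        echo "insmod $m"
    done
}

# Constructed sample data. The pcnet_cs entry lists the three prerequisites
# named in the D-Link reply; the ds entry and all paths are made up for the demo.
sample_modules_dep() {
    cat <<'EOF'
/lib/modules/2.4.x/pcmcia/pcnet_cs.o: /lib/modules/2.4.x/pcmcia/pcmcia_core.o \
    /lib/modules/2.4.x/pcmcia/ds.o \
    /lib/modules/2.4.x/net/8390.o

/lib/modules/2.4.x/pcmcia/ds.o: /lib/modules/2.4.x/pcmcia/pcmcia_core.o

/lib/modules/2.4.x/pcmcia/pcmcia_core.o:

/lib/modules/2.4.x/net/8390.o:
EOF
}

demo() {
    dep=$(mktemp) && proc=$(mktemp) || return 1
    sample_modules_dep > "$dep"
    echo "8390 6752 0 (unused)" > "$proc"   # constructed: 8390 is already loaded
    load_order "$dep" pcnet_cs
    insmod_plan "$dep" pcnet_cs "$proc"
    rm -f "$dep" "$proc"
}
demo
```

Run against the box's own `modules.dep` and `/proc/modules`, the same two functions settle the hisax ordering question from this thread.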





Re: [leaf-user] dmz possible within same physical network?

2003-12-12 Thread Eric Wolzak
Hello Eric, 
you wrote
 I'm setting up LEAF (Bering uClib 2.0) for a new condo with
 in-the-wall ethernet and lots of tech-savvy visitors some of whom run
 virus hosts from Redmond.  I want visitors to be able to plug their
 laptops into any jack in the wall, including jacks that may be used by
 members of the household.  But I don't want to allow them the same
 privileges as known hosts, esp. access to other hosts on the LAN.

The problem you are describing isn't a special Bering problem.
You can certainly have two different subnets on one physical LAN.
You can give dynamic addresses with DHCP that are in one subnet for all 
unknown MACs and give addresses in another net for known MACs, or use static 
IPs in the trusted net.
1. The problem, however, is that if someone wants to be evil, he can just change 
the address or use tools to eavesdrop on the LAN. Now he has the possibility to 
imitate a MAC in the known network, if your services are MAC dependent.
2. Whether a strange machine on the LAN has access to one of the trusted hosts 
also depends on the configuration of the desktop host itself and less on the 
router. 
So you have to make it impossible to read the dataflow on the LAN.
One way I could imagine is to encrypt all the traffic on this LAN with 
trusted desktop --- encrypted tunnel --- router . internet or other 
trusted host on the LAN.
Whether this is doable depends on the number of trusted desktops and their OS, and 
might involve some kind of routing on the Soekris box.

Regards 
Eric Wolzak
(fan of crosswords and palm OS ;)  )
Bering Crew


 
 Basically, I want to offer DHCP leases on eth1, and if the MAC address
 is unknown to put it in an effective dmz that's only allowed access to
 the WAN via eth0.  This would be trivial to do if I had an eth2, but
 there's only one jack at each location so I can't just add a new NIC.
 
 I'd also like to refuse connections to static IP addresses that happen
 to be in the right range so that folks have to go through dhcp.
 
 Is this possible using Bering?  Any suggestions where to start reading
 on how to set it up?  The hardware in this case is a Soekris box (boot
 medium is a CF card), so I'm not limited to a floppy-based distro; but
 I use Bering everywhere else and want to keep things compatible.
 
 Thanks,
 
 --Eric House
 -- 
 **
 * From the desktop of: Eric House, [EMAIL PROTECTED]*
 *Crosswords 4.0 for PalmOS is out!: http://www.peak.org/~fixin/xwords  *
 **





[leaf-user] (Fwd) IPSEC route question war : Problem with manual IP route commands in

2003-12-10 Thread Eric Wolzak
Hello Simon, I am not that experienced with ipsec, so I forward this to the 
list again 

--- Forwarded message follows ---
From: Simon Chalk [EMAIL PROTECTED]
To: Eric Wolzak [EMAIL PROTECTED]
Subject: RE: [leaf-user] Problem with manual IP route commands in Start file
Date sent: Wed, 10 Dec 2003 11:19:35 -

Hi Eric,

I have now discovered that the shorewall start file is not a good place to
put my ip route add commands. I am adding a manual route through the ipsec0
interface and I think shorewall is loading before ipsec, so the ipsec device
is not known at this stage.

Do you know if there is any file that I can put my ip route commands, which
is not loaded until after ipsec. Maybe there is an ipsec file that I can add
to?

Regards,

Simon.

-Original Message-
From: Eric Wolzak [mailto:[EMAIL PROTECTED]
Sent: 09 December 2003 20:27
To: Simon Chalk
Subject: Re: [leaf-user] Problem with manual IP route commands in Start
file


Hello Simon

the shorewall start is saved with the weblet.lrp

regards
Eric Wolzak
member of the bering crew

 Hi All,

 I need to add some ip route commands. Please can you tell me where I can
 locate them. They need to be seen once my IPSEC gateway has loaded. I have
 actually put them in the Shorewall Start script, but I find that this file
 is deleted after a reboot, even though I saved the file to disk. I have
 version 1.4.5 running on Bering 1.2

 So I essentially have two issues. Where should I put ip route commands,
 and why does the Shorewall start file lose the commands I enter, this
 doesn't happen on the init file.

 Regards,

 Simon.

--- End of forwarded message ---




Re: [leaf-user] PPPoE without username and password

2003-12-09 Thread Eric Wolzak
Hello Lasse

Are you sure your new provider does use pppoe and not another method to
connect?
pppoe without a user and a password is unusual.
Another strange symptom is that your ISP doesn't answer any
PADI, so you don't get a channel number.
This is all on a level before any authentication, compression and so on starts.

So possible causes are
1. you don't need pppoe but for example pump (ask your provider)
2. you have a hardware problem
3. your provider has a hardware problem on the access concentrator
4. another, I didn't think of
5. I made a mistake :)

To get more information, increase the debug level in the option file.

Regards
Eric Wolzak
member of the bering crew


 I have been using Bering1.2 as a PPPoE ADSL router for
 some time, without any problems.
 I've just followed the PPPoE howto, filled in my
 username and password and all the other things
 the howto says, all worked perfect,
 then I switched from one ISP to another, they come up
 with a better offer
 but with my new ISP I don't have to enter any username
 and password
 it's the same modem, and the same everything besides
 the ISP

 plog don't give anything, the only thing I get is in
 deamon.log

 Dec 9 13:20:54 firewall pppd[26716]: Plugin /usr/lib/pppd/pppoe.so loaded.
 Dec 9 13:20:54 firewall pppd[26716]: PPPoE Plugin Initialized
 Dec 9 13:20:54 firewall pppd[20072]: pppd 2.4.1 started by root, uid 0
 Dec 9 13:20:54 firewall pppd[20072]: Sending PADI
 Dec 9 13:55:00 firewall pppd[20072]: Connecting PPPoE socket: 00:00:00:00:00:00  0x807c260
 Dec 9 13:55:00 firewall pppd[20072]: Couldn't get channel number: Transport endpoint is not connected
 Dec 9 13:55:00 firewall pppd[20072]: Doing disconnect
 Dec 9 13:55:30 firewall pppd[20072]: Sending PADI
 Dec 9 14:29:36 firewall pppd[20072]: Connecting PPPoE socket: 00:00:00:00:00:00  0x807c260
 Dec 9 14:29:36 firewall pppd[20072]: Couldn't get channel number: Transport endpoint is not connected
 Dec 9 14:29:36 firewall pppd[20072]: Doing disconnect
 Dec 9 14:30:06 firewall pppd[20072]: Sending PADI

 after 6-8 attempts pppd exits

 hope someone can help
 best regards Lasse Jensen DK







Re: [leaf-user] Bering: time to hand on the torch ...

2003-12-09 Thread Eric Wolzak
Jacques, List

I want to thank you for your great contribution to this project, and for your 
trust in me to carry on the project.
I hope that I will be able to do it as well as you did.
I also hope that we will be seeing you around in the near future.


All the best  and thanks a lot
merci beaucoup 
Eric Wolzak





Re: [leaf-user] Bering Dial in, problems with ppp - long

2003-11-28 Thread Eric Wolzak
Hello Henning, you wrote

On 28 Nov 2003 at 15:06, Henning Jebsen wrote:

 Hi Erik
 Nov 25 08:53:37 firewall pppd[7359]: No response to 3 echo-requests
 Nov 25 08:53:37 firewall pppd[7359]: Serial link appears to be disconnected.


 Troy could try this one as parameter for pppd:

 man pppd

 lcp-echo-failure n
 If this option is given, pppd will presume the peer to be dead if n LCP
 echo-requests are sent without receiving a valid LCP echo-reply. If this
 happens, pppd will terminate the connection. Use of this option requires a non-zero
 value for the lcp-echo-interval parameter. This option can be used to enable
 pppd to terminate after the physical connection has been broken (e.g., the modem has
 hung up) in situations where no hardware modem control lines are available.

 lcp-echo-interval n
 If this option is given, pppd will send an LCP echo-request frame to the peer every
 n seconds. Normally the peer should respond to the echo-request by sending an
 echo-reply. This option can be used with the lcp-echo-failure option to detect that
 the peer is no longer connected.

Those parameters are already set in the pppoe options file.
The problem with his setup seems to be that the server (here the Bering box)
starts sending the LCP echo-requests and that those aren't answered within
the lcp-echo-interval. After 3 tries, exactly what you described happens:
the server gets no response, supposes the line (connection) is dead,
and does a hangup.
Unfortunately the whole pppd is stopped, also taking down the dialout part on
ppp0.

The interesting question is why
1. the client doesn't answer the LCP echo-requests.
 a. They don't reach the client (firewall/route issue locally or on the
    client).
 b. The client answers but sends them over a wrong interface, or the outgoing
    answer is blocked (route/firewall).
    If the client is also a Bering box it could be that the external interface is
    declared as eth0 and not as ppp0, for example.
 c. The server is blocking the answers on the firewall
    (remember that now the ppp1 is also an external interface).

Troy might set up the shorewall rules to log all incoming and blocked traffic,
or clear the firewall for the test.

Regards

Eric Wolzak
member of the Bering Crew.




Re: [leaf-user] Bering Dial in, problems with ppp - long

2003-11-27 Thread Eric Wolzak
Hello Matthew, 
I hope that I can help you a bit. 

1. The difference between Dachstein and Bering is that Dachstein uses rp-pppoe
and Bering uses kernel pppoe.
2. You can set up a pppoe server without getty and so on, just by using the
pppoe.lrp and ppp.lrp.
I set a test one up. How I did it:
http://www.mail-archive.com/[EMAIL PROTECTED]/msg06510.html

Interesting is that you get a connection 
 
 Nov 25 08:53:01 firewall pppd[8591]: pppd 2.4.1 started by LOGIN, uid 0
 Nov 25 08:53:01 firewall pppd[8591]: using channel 25
 Nov 25 08:53:01 firewall pppd[8591]: Using interface ppp1
 Nov 25 08:53:01 firewall pppd[8591]: Connect: ppp1 -- /dev/ttyS0

 Nov 25 08:53:04 firewall pppd[8591]: remote IP address 192.168.5.99
 Nov 25 08:53:04 firewall pppd[8591]: Script /etc/ppp/ip-up started (pid
 4309)
 Nov 25 08:53:04 firewall pppd[8591]: Script /etc/ppp/ip-up finished (pid
 4309), status = 0x100

After establishing the connection the pings aren't answered by the client..

 Nov 25 08:53:37 firewall pppd[7359]: No response to 3 echo-requests
 Nov 25 08:53:37 firewall pppd[7359]: Serial link appears to be disconnected.

and the server hangs up again, or better said pppd hangs up.
It seems that the whole pppd gets a signal to go down.


 Nov 25 08:53:37 firewall pppd[7359]: Couldn't increase MTU to 1500.
 Nov 25 08:53:37 firewall pppd[7359]: Couldn't increase MRU to 1500
 Nov 25 08:53:43 firewall pppd[7359]: Connection terminated.
 Nov 25 08:53:43 firewall pppd[7359]: Connect time 561.8 minutes.

And so your dialout connection over ppp0 is also taken down. 
I don't know why this is done.
I suppose this should be an option setting. 

The other problem is why the dial-in client doesn't answer LCP requests.
1. Is this a route problem on the client?

2. Is the client running a firewall and doesn't answer pings?

3. ?

 Now the catch is that when the connection drops out (why it does it, I do
 not know why) the external pppoe connection is then also torn down, and it
 has to reconnect and get a new address, which it does. I can only assume
 that it is something to do with the pppd setup interacting between the two
 ppp interfaces.
I suppose so too ;)

 I include my /etc/network/interfaces, and /etc/ppp/peers/dialin,
 /etc/ppp/peers/adslprovider, and /etc/ppp/options and /etc/options.ttyS0
 files in the hope that someone can point out why this interaction is
 occurring. I have no options file.
 
 pppd is called from login.config as:
 
 /AutoPPP/ - - /usr/sbin/pppd debug file /etc/ppp/options.ttyS0
Try it the way I described in the archived mail.
Please give feedback if this worked.

Regards
Eric Wolzak
member of the Bering crew




#
#  original configuration files
#
#
#

 So as far as I can see the dial in connection should not reference
 /etc/ppp/options
 
 # /etc/network/interfaces -- configuration file for LEAF network
 # J. Nilo, April 2002
 #
 # Loopback interface.
 auto lo
 iface lo inet loopback
 
 auto ppp0
 iface ppp0 inet ppp
 pre-up ip link set eth0 up
 provider adslprovider eth0
 
 iface ppp1 inet ppp
 provider dialin
 
 auto eth1
 iface eth1 inet static
 address 192.168.5.254
 masklen 24
 broadcast 192.168.5.255
 
 auto eth2
 iface eth2 inet static
 address 203.a.b.c
 masklen 27
 broadcast 203.a.b.255
 # ---End of File---
 
 
 /etc/ppp/peers/dialin
 
 debug
 ms-dns 192.168.5.254
 asyncmap 0
 auth
 crtscts
 modem
 noccp
 -detach
 +pap
 -chap
 +pap
 require-pap
 refuse-chap
 proxyarp
 lcp-echo-interval 300
 lcp-echo-failure 4
 noipx
 # ---End of File---
 
 
 /etc/ppp/peers/adslprovider
 
 # Configuration file for PPP, using PPP over Ethernet
 # to connect to a DSL provider.
 plugin /usr/lib/pppd/pppoe.so
 name [EMAIL PROTECTED]
 pty pppoe -I eth0 -T 80 -m 1452
 noipdefault
 hide-password
 lcp-echo-interval 20
 lcp-echo-failure 3
 # Override any connect script that may have been set in /etc/ppp/options.
 connect /bin/true
 noauth
 persist
 mtu 1492
 # ---End of File---
 
 /etc/ppp/options is empty
 
 /etc/ppp/options.ttyS0
 
 debug
 -detach
 auth
 asyncmap 0
 modem
 crtscts
 lock
 noccp
 +pap
 require-pap
 refuse-chap
 proxyarp
 lcp-echo-interval 300
 lcp-echo-failure 10
 ms-dns 192.168.5.254
 netmask 255.255.255.0
 192.168.5.254:192.168.5.99
 # ---End of File---
 
 I appreciate Shorewall plays a part in this, but I have not yet seen one
 rejected packet in its logs, and it is setup to allow masq from
 192.168.5.0/24 (which is my internal network) and this works as well as a
 non mentioned wlan setup using hostap that is working fine as well.
 
 Can anyone shed some light on this? Otherwise I will have to go back to
 Dachstein, which worked very easily and was easy to set up. By far the most
 difficult thing in this setup is pppd; however, the Debian format
 /etc/network/interfaces file is an absolute mystery to me, never having used
 anything like it before.
 
 With many thanks,
 Matthew

Re: [leaf-user] sending Email from Bering 1.2

2003-10-17 Thread Eric Wolzak
Hello Felix

You've already got some answers; don't forget to open the firewall to connect
to the net for mail.

See the instructions at:

http://leaf.sourceforge.net/doc/guide/bumail.html

Regards 
Eric Wolzak
member of the bering Crew


 Hi All,
 
 How can I let my Bering 1.2 send me an email, e.g. with
 the logs?
 
 
 Thanks
 
 Felix





Re: [leaf-user] Bering Citrix WinFrame?

2003-10-16 Thread Eric Wolzak
Hello Craig 
The policy for a default firewall for outward connections is ACCEPT.
So  as long as the other side sends answers to your packets they will be 
accepted. 

Regards 
Eric Wolzak 
member of the bering Crew


 Hi folks, 
 My wife has a computer that needs to access a server at her workplace
 running Citrix WinFrame. Does anyone know: will I have to open a port on
 Bering in order for the signal to pass through? I know Citrix runs on port
 1494, but I'm not sure if I'll need to modify my Bering 1.2 firewall for
 success. Comments???
 
 Thank you,
 Craig
 
 





Re: [leaf-user] Re: ncurses5.lrp in Bering 1.2 (Ray Olszewski)

2003-10-10 Thread Eric Wolzak
Hello Felix

With your first problem (ncurses) I can't help you, but your second question is
easy:
1. Call the lrcfg menu
# lrcfg
2. b for backup
b
3. The number of the isdn.lrp
xxx
4. Confirm that the space on your floppy is enough.

It can also be done in 1 call with different parameters, but this is easier.

BTW, for my information:
1. What ISDN card did you use?
2. Did you use the full hisax or the card-specific ones?

Regards

Eric Wolzak
Member of the Bering Crew



 Hello Ray,

 actually I just want to implement a small program
 that allows the user to easily change the provider
 information such as MSN, REMMSN, USER and PWD.

 So I started with...

 #include <stdio.h>
 #include <stdlib.h>
 #include <curses.h>

 int main()
 {
     initscr();    /* initialize curses */
     endwin();     /* restore the terminal */

     return 0;
 }

 In Redhat there is no error. Just when I start it in
 Bering 1.2 with ncurses5.lrp I get that error message:

 Error opening terminal: Linux.

 I hope you or someone else can help me.

 Because now I just implemented it with usual text
 mode.
 My menu is now finished but I have another problem.

 How can I backup the isdn.lrp manually?
 I'm very thankful if someone can help me also with
 this problem.

 Thank you very much

 Felix




Re: [leaf-user] Now On-Line but big trouble...

2003-07-21 Thread eric wolzak
Hello Michelle


I have disconnected all 5 Switches from the router and it continue to
log alone... So there is no problem with my Network which is working
for years...

But what can make this traffic !!!

All 90-150 seconds I have around 5-12 packages TX and 2-4 packages RX

So the request must come from the firewall.
And this is probably a DNS issue, or you see the LCP echo / LCP
echo-reply packets sent over the line.
You can look at what packages are sent by setting the pppd options to
kdebug
debug 7
Now everything sent out ppp0 will be logged, by tail -f /var/log/messages
or /var/log/syslog
You might see what kind of packages are going out and/or where they come
from.

Regards
Eric Wolzak
member of the Bering Crew





Re: [leaf-user] Weblet Oddness.

2003-07-18 Thread eric wolzak
Hello James
Hello all,

You wrote : 
Well, after some badness with Microsoft ISA server, it got ditched and
replaced with a Bering 1.2 box.
We have a 3 interface setup, net, loc & dmz.

In the dmz is our corporate web server. On the net interface is one of
our external IP addresses.
Both the dmz and the loc are SNAT'ed behind that address.
Port 80 is DNAT'ed to the webserver, Port 25 is DNAT'ed to the Exchange
server in the local zone.
External clients can see our website.
But when clients on the loc zone browse to our website, all they see is
the Bering weblet!

Even if they browse direct to the external IP address, not the IP
address for the loc adaptor.

Do I have to set up a another rule to redirect loc to our website?

Yes
1) Move weblet to another port, otherwise they will always see weblet.
2) DNAT 80 from loc to dmz webserver.

It is natural that they don't see your webserver on 192.168.1.254,
and if you use your external interface then the packet is snatted to the
external IP and will never be dnatted after that.

Regards
Eric Wolzak
member of the bering crew







Re: [leaf-user] How do I open individual ports?

2003-07-18 Thread eric wolzak
Hello Mike,

If you use Bering, you should use the settings in shorewall.
As the answer depends on your setup (masquerading, DNAT, etc.),
I would suggest reading the shorewall manual, especially the sections about
zones,
interfaces
and rules:
http://www.shorewall.net (Documentation)

If you use Dachstein, you have to change settings in the network
configuration script,
if I remember correctly.
The link for this is:
http://leaf.sf.net/devel/cstein/files/packages/network.txt

Regards
Eric Wolzak
member of the Bering crew


This may seem like a dumb question but please bear in
mind that I am very new to this. I am familiar with
cisco routers to a certain extent so...

My question is how do I open individual ports? I'm
sure it's easy but I need it spelled out for me.








Re: [leaf-user] VPN Setup

2003-07-17 Thread eric wolzak
Hello Mike
Could it be that your commandline in syslinux.cfg is too long (exceeding
the 255)?
After boot, you can log in and with
# cat /proc/cmdline
you should see the commandline from syslinux.cfg that is recognised. If
your packages aren't there, this could be the cause.

To avoid having a too long commandline, you can put everything that is
behind LRP in a new file on the boot medium
or packagepath,
with the name
lrpkg.cfg

and as content everything behind LRP= in syslinux.cfg.
In other words, the content from lrpkg.cfg will be viewed as if it was
written in syslinux.cfg after LRP=.

Regards
Eric Wolzak
member of the bering crew.

-Original Message-
From: Mike Koceja [EMAIL PROTECTED]
To: leaf [EMAIL PROTECTED]
Date: Thursday, 17 July 2003 05:00
Subject: [leaf-user] VPN Setup


Hello,

I actually sent an E-MAIL concerning this some time ago
so I apologize for not replying to anyone who offered
advice.

I'm trying to get a VPN connection to my worksite to
function through the Dachstein Firewall. I downloaded
the following files...

ifconfig.lrp
ipsec.lrp
ipsec509.lrp
mawk.lrp

I added them to the LRP= part of the kernel command
line in syslinux.cfg. There are no errors reported but
my VPN connection still doesn't function nor do they
show up in the package configuration menu.

On a side note I added sshd as well and that does show
up and function. Any idea
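
A way to run the check described in this message offline, as an added example that is not part of the original thread: it cuts a command line at the 255-character limit named above, lists which LRP= packages no longer arrive intact, and splits the line into a shorter append line plus lrpkg.cfg content. The function names, the kernel arguments and the pkgNN package names are constructed for the example.

```shell
#!/bin/sh
# Added example. LIMIT is the length named in the thread; the kernel arguments
# and the pkgNN names are constructed sample values, assumed free of glob characters.
LIMIT=255
KARGS='load_ramdisk=1 initrd=root.lrp initrd_archive=minix ramdisk_size=6144 root=/dev/ram0 boot=/dev/fd0u1680:msdos PKGPATH=/dev/fd0u1680'

# sample_cmdline: a constructed append line that ends with the packages from the thread.
sample_cmdline() {
    pkgs=
    for n in 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20; do
        pkgs="${pkgs}pkg$n,"
    done
    printf '%s LRP=%ssshd,ifconfig,ipsec,ipsec509,mawk\n' "$KARGS" "$pkgs"
}

# lrp_list CMDLINE: print the packages named in the LRP= argument, one per line.
lrp_list() {
    for arg in $1; do
        case $arg in
            LRP=*) printf '%s\n' "${arg#LRP=}" | tr ',' '\n' ;;
        esac
    done
}

# seen_by_kernel CMDLINE [LIMIT]: what is left when the line is cut at LIMIT characters.
seen_by_kernel() {
    printf '%s' "$1" | cut -c1-"${2:-$LIMIT}"
}

# missing_packages CONFIGURED SEEN: packages in CONFIGURED's LRP= list that do not
# appear as a complete name in SEEN's LRP= list (a cut-off name counts as missing).
missing_packages() {
    _seen=$(lrp_list "$2")
    lrp_list "$1" | while read -r pkg; do
        printf '%s\n' "$_seen" | grep -qxF -- "$pkg" || printf '%s\n' "$pkg"
    done
}

# lrpkg_cfg_content CMDLINE: everything behind LRP=, i.e. the content for lrpkg.cfg.
lrpkg_cfg_content() {
    for arg in $1; do
        case $arg in
            LRP=*) printf '%s\n' "${arg#LRP=}" ;;
        esac
    done
}

# stripped_cmdline CMDLINE: the same line with the LRP= argument taken out.
stripped_cmdline() {
    out=
    for arg in $1; do
        case $arg in
            LRP=*) ;;
            *) out="${out:+$out }$arg" ;;
        esac
    done
    printf '%s\n' "$out"
}

cfg=$(sample_cmdline)
printf 'length: %s (limit %s)\n' "${#cfg}" "$LIMIT"
printf 'lost after truncation: %s\n' "$(missing_packages "$cfg" "$(seen_by_kernel "$cfg")" | tr '\n' ' ')"
printf 'shortened append line: %s\n' "$(stripped_cmdline "$cfg")"
printf 'lrpkg.cfg content:     %s\n' "$(lrpkg_cfg_content "$cfg")"
```

On the router itself, pass the output of `cat /proc/cmdline` as the second argument to `missing_packages` instead of the simulated truncation.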



Re: [leaf-user] Now On-Line but big trouble...

2003-07-17 Thread eric wolzak
Hello Michelle

Don't mix up
demand, which has something to do with connecting, and
idle, which has to do with disconnecting.

demand does function correctly, not dialing in until you do a ping or want
to get a webpage and so on.
demand does not affect dial out again.

idle xxx will hang up the modem after an inactivity interval of xxx seconds,
so include idle in the ppp options.

Your question about the ppp router:
with Bering and the Bering user guide and install guide, you should have a good
working router on a floppy too
(as with other variants). You only have to download a bin or an exe, each
about 1,68 M, and probably the individual modules for your NIC.
Feel free to mail if you have any questions.

Regards

Eric Wolzak
member of the Bering Crew


-Original Message-
From: Michelle Konzack [EMAIL PROTECTED]
To: leaf-user [EMAIL PROTECTED]
Date: Tuesday, 15 July 2003 00:39
Subject: [leaf-user] Now On-Line but big trouble...


Hello,

I am using the older LRP 2.9.4 and now after creating my Router
image for an analog modem it does not work correctly:

Config:

eth0    NW  192.168.1.64
        IP  192.168.1.65
        BC  192.168.1.95
        NM  255.255.255.224
        IP-Masquerading active

ppp0    idle    300
        demand


Problem 1:  Does not dial in on demand from network.
            If I do a 'ping -c 1 www.bundesregierung.de' on the
            router it logs in and all is working fine, including
            the network... (I can write/send this message)

Problem 2:  The idle time is ignored !!! grrr !!! - quite expensive !

Question 1: Does anyone have a working ppp-router and can give me a
            link to it ? With a 33600 BpS Modem I can not surf
            very much and downloading the whole leaf mirror is not...

Thanks
Michelle

--
Registered Linux-User #280138 with the Linux Counter,
http://counter.li.org.
Michelle's Internet-Service, Inh. Michelle Konzack
FunkLAN-Providerin





Re: [leaf-user] ntpdate, Bering 1.0 stable (german time zone ?)

2003-07-10 Thread eric wolzak
Hello Hein

As you can read from other messages in this thread, you have to distinguish
between two causes:
1. ntpdate doesn't work at all.
   In that case the most probable cause is that you didn't set the
   shorewall rules as in the butime document.
2. ntpdate works, but your localtime on the router is UTC.
   If you want to change that on Bering, an easy way is to copy a local
   zoneinfo file to /etc/localtime.
   You can take that from every Linux distribution.
   I send you one as an attachment offlist.

Regards

Eric Wolzak

-Original Message-
From: Hein Bauer [EMAIL PROTECTED]
To: Leaf-User [EMAIL PROTECTED]
Date: Thursday, 10 July 2003 08:01
Subject: [leaf-user] ntpdate, Bering 1.0 stable (german time zone ?)


Dear list,
the package ntpdate does not work correctly here.
The time is 2 hours minus actual time. ntpdate does
connect to its given time-server (ntps2-2.wismar.de),
but results in an incorrect time.
I think my Beringbox has a wrong timezone defined...
/etc/localtime points to UTC, CEST did not work either,

Any German ntpdate users out there who could give
me a hint ;-) ?

On my other Linux boxes I use netdate instead of ntpdate.
netdate gets the correct time... ntpdate doesn't

I think my problem belongs to definitions of time zones,
but I am just guessing.

help me out please ... ;-)









[leaf-user] Fw: some strange behavior

2003-07-09 Thread eric wolzak
Forwarded to the list



From: jed anderson [EMAIL PROTECTED]
To: Eric Wolzak [EMAIL PROTECTED]
Date: Wednesday, 9 July 2003 11:00
Subject: some strange behavior



First of all ... HI .. a long time has passed since we wrote to each other ... so
... recently I am making some experiments with Bering ... this is what I
have:

1º- download the new Bering 1.2
2º- take INITRD.LRP and ROOT.LRP and upgrade to glibc_2.3.1 (with the
procedure known to all in the forum)
3º- configure Bering 1.2 to run from my HD (the modules thing and all the
stuff) using the upgraded INITRD.LRP and ROOT.LRP

but here comes the strange part...
After copying all the files to run from the HD, everything works fine
(hardware, kernel, even the print server configuration) except SHOREWALL in
all flavors (1.3.x to 1.4.5); all the shorewall versions that I tried were pretty
configured to run with two interfaces.
 After breaking my brain I discovered that when I use the old IPTABLES.lrp
(1.2.7a) from Bering 1.1, SHOREWALL works perfectly.
 In summary: why, when I use a modified INITRD.LRP and ROOT.LRP and a
pretty two-interface Bering 1.2 with an IPTABLES.LRP (1.2.8), does shorewall not
work ... only when I replace IPTABLES.LRP with an old one from Bering 1.1 does it
work like a charm.

 So what is wrong with Iptables 1.2.8? ... I tried looking for
something ... but ... no one seems to have the same predicament


Can you help me?
P.S.
the shorewall output looks like:

--
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Starting Shorewall...
Initializing...
Determining Zones...
   Zones: net loc
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
   Net Zone: eth0:0.0.0.0/0
   Local Zone: eth1:0.0.0.0/0
Processing /etc/shorewall/init ...
Deleting user chains...
Processing /etc/shorewall/stop ...
Processing /etc/shorewall/stopped ...
Signal 11
Signal 11
Signal 11
Signal 11
Signal 5
Processing /etc/shorewall/stopped ...
--




Best regards
Jed Anderson H.







Re: [leaf-user] Making DNSCache start before Shorewall

2003-07-09 Thread eric wolzak
Hello James

you wrote

Hello all,

I'm trying to make DNSCache start before shorewall.
This is because I need DNS lookups in the shorewall rules file.
I spoke to a friend of mine and we changed the RCDLINKS in the init.d
files to the following

DNSCache
RCDLINKS=2,S45 3,S45 6,K45

Shorewall
RCDLINKS=2,S41 3,S41 6,K46

Before, shorewall had a lower value after 6,K

Is this the correct way to make DNSCache start first? Because it made no
difference.

Almost correct ;)
Runlevel 6 is however the runlevel used to stop the box.
K is Kill and S is Start.
So if you go to runlevel 2 (the normal operating mode) Shorewall is
started at position 41 and dnscache at 45.
Changing
to:
DNSCache
RCDLINKS=2,S41 3,S41 6,K45

Shorewall
RCDLINKS=2,S45 3,S45 6,K46

lets dnscache start before shorewall.
But I am not sure if that will solve your problem, as shorewall will probably
be necessary to
allow your network to be used after it is started.
This will also depend on your connection mode.
If it would be possible to use an open connection to the external network
during the startup of shorewall, you have a potential security risk.



I'm loath to make any more changes in case I kill my box and have to
start again :\

The other suggestions I have to try are:
Change 6 to 7
Add Sleep 30 to the beginning of the shorewall init script.

And I have no idea whether they would be fatal changes.
Any advice?

Thanks,

James


Regards
Eric Wolzak
member of the bering crew
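
The start-order rule discussed in this message, as an added example that is not part of the original thread: it turns RCDLINKS values into rc link names and sorts them, assuming the links of a runlevel are run in sorted name order as in a SysV-style rc directory, then lists what starts before the firewall. The helper names and the `<service> <RCDLINKS value>` input layout are assumptions made for the example; the values are the two configurations quoted above.

```shell
#!/bin/sh
# Added example. Input lines have the constructed layout
#   <service> <RCDLINKS value>
# using the RCDLINKS values quoted in the thread.

# The configuration James tried, and the one suggested in the reply.
james_config() {
    printf '%s\n' 'dnscache 2,S45 3,S45 6,K45' 'shorewall 2,S41 3,S41 6,K46'
}
eric_config() {
    printf '%s\n' 'dnscache 2,S41 3,S41 6,K45' 'shorewall 2,S45 3,S45 6,K46'
}

# links_for LEVEL: print the link name (S41dnscache, K46shorewall, ...) each
# service gets in runlevel LEVEL, sorted the way the links would be run.
links_for() {
    level=$1
    while read -r svc entries; do
        for entry in $entries; do
            case $entry in
                "$level",[SK][0-9][0-9]) printf '%s%s\n' "${entry#*,}" "$svc" ;;
            esac
        done
    done | LC_ALL=C sort
}

# start_order LEVEL: service names in the order their S (start) links run.
# K (kill) links are ignored, so a runlevel with only K entries starts nothing.
start_order() {
    links_for "$1" | sed -n 's/^S[0-9][0-9]//p'
}

# started_before SERVICE LEVEL: services that are already running when
# SERVICE starts. For SERVICE=shorewall this is everything that comes up
# before the packet filter is in place.
started_before() {
    start_order "$2" | sed "/^$1\$/,\$d"
}

for cfg in james_config eric_config; do
    printf '%s, runlevel 2 start order: %s\n' "$cfg" "$($cfg | start_order 2 | tr '\n' ' ')"
    printf '%s, started before shorewall: %s\n' "$cfg" "$($cfg | started_before shorewall 2 | tr '\n' ' ')"
done
```

Changing only the `6,K` entries leaves the runlevel 2 order untouched, which is why the first attempt made no difference.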






[leaf-user] Re: [leaf-user] Bering often doesn´t connect at startup

2003-07-02 Thread eric wolzak
 EchoReq id=0x1
magic=0x847ea138 00 00 00 00] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00
Jul  2 09:14:28 firewall pppd[5337]: sent [LCP EchoRep id=0x1
magic=0x77aa3ee9 68 6f 61 40]
Jul  2 09:14:38 firewall pppd[5337]: rcvd [LCP EchoReq id=0x2
magic=0x847ea138 00 00 00 00] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00
#
# then a lot of successful LCP pings are sent and received.
#
So your connection is set up to the route level.
The problem will probably not be in the pppd or pppoe system.
Did you set the clampmss?

Did you look at the connections you have after you put your router up?
If you have lots of clients that start to game and request a server list,
you've got thousands of connections and that might just fill the nat-list.
After some time the traffic becomes less, and you can use the internet.
The same might occur with filesharing.

Also
check http://192.168.1.254 from an internal machine, look for current
connections.
Ping an IP number from your firewall to see if it is a DNS problem.
Check back for further advice.

my 2 eurocent ;)

Eric Wolzak
member of the Bering Crew







Re: [leaf-user] Re: Some questions about leaf PPPoE

2003-06-29 Thread eric wolzak
Hello Raymond, Lynn, list
Hello Lynn, Raymond, I don't think the modem is a router; the internal
modem address is probably only for maintenance.
BTW, be careful: this is a private IP and might be blocked by
shorewall if you try to do maintenance.

So if it is  internal network -- LEAF --- normal ethernet Router --- pppoe --- Provider
you have a normal network firewall setup and don't need ppp pppoe but
probably pump, as Lynn stated.
Your external interface is eth0.

If it is  internal -- LEAF --- PPPOE Modem PPPOE (modulated) -- Provider
you need pppd and pppoe, and in that case there is something wrong with
your settings to identify:
user name not corresponding to entry in pap.secrets or chap.secrets.
Your external interface is ppp0.

Part of your log file (time, date and firewall name removed for line length)
# my comments #

Before this there should have been a communication to establish an Access
Concentrator and the offer to use channel 1
: using channel 1# ok we use channel 1 #
 pppd[557]: sent [LCP ConfReq id=0x1 magic 0x52cf66a9]
 pppd[557]: rcvd [LCP ConfReq id=0xc3 mru 1492 auth chap MD5 magic
0x3d5cac04] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   # AC
request to identify with chap  #
 pppd[557]: sent [LCP ConfRej id=0xc3 auth chap MD5]  # Identification by
chap from you rejected #
pppd[557]: rcvd [LCP ConfAck id=0x1 magic 0x52cf66a9] 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 pppd[557]: rcvd [LCP ConfReq id=0xc4 mru 1492 auth pap magic
0x3d5cac04] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
# received request to identify yourself with pap #
pppd[557]: sent [LCP ConfRej id=0xc4 auth pap]   # I don't identify with
pap #
pppd[557]: rcvd [LCP ConfReq id=0xc5 mru 1492 magic 0x3d5cac04] 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
pppd[557]: sent [LCP ConfAck id=0xc5 mru 1492 magic 0x3d5cac04]
pppd[557]: sent [LCP EchoReq id=0x0 magic=0x52cf66a9]  # pinging the line
Jan  5 23:40:50 firewall pppd[557]: sent [IPCP ConfReq id=0x1 addr
0.0.0.0]  # please give me an IP  #
Jan  5 23:40:50 firewall pppd[557]: rcvd [LCP TermReq id=0xc6] 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 ... # your provider shuts the connection down, as you didn't
identify yourself #
Jan  5 23:40:50 firewall pppd[557]: sent [LCP TermAck id=0xc6]   # ok I
understand #
Jan  5 23:41:23 firewall pppd[557]: using channel 2  # in between there was
another try to start up the basic connection and the game starts anew #


On Saturday 28 June 2003 09:02 pm, PAGE,RAYMOND wrote:
[...]
 eth0 is definitely connected to the modem, and ?trying? to talk to
 the modem.  The modem has an IP of 192.168.7.1.  The internal nic,
 eth1, is able to connect to internal boxes.  It's ip is
 192.168.0.1.  I know it works because I can ssh to that IP from an
 internal machine.  I don't believe that udhcpd(as opposed to the
 standard daemon because it's so much larger in size) is working
 properly for me, however I've statically assigned other boxes
 temporarily so it doesn't have to work right now and that
 shouldn't affect getting this to work.

Lynn wrote:

Ok, your DSL-modem/router is running as a NAT'ing router with
DNS-cache on it. This changes your settings considerably,
since this DSL-modem/router is also the machine authenticating
your DSL connection (you had to set it up with username/password,
correct?).

With these assumptions on my part, you should NOT need a PPPoE client
on the LEAF box and you will need a dhcp client such as pump/dhclient/
udhcpcd/etc to get an ip from your DSL-modem/router. There may be
some application problems due to running NAT twice (once at the
DSL-modem/router and again at the Bering box), but that depends on
whether you can set the DSL-modem/router to NOT NAT the ip address
assigned to you. DNS-cache can be run on either the DSL-modem/router
or on the Bering box (dnscache package), that is simply preference
left to you.

 I'm attaching the output you requested, along with my
 syslinux.cfg, because I'm not sure if udhcpd should be called
 before or after pump and ppp/pppoe.

Eric Wolzak
member of  the bering crew





Re: [leaf-user] Because the list auto-rejects emails with attachments....here's my configs for everyone inline

2003-06-29 Thread eric wolzak
Yes
suppose that WWWRaymond is your login and PAGESecret is your password
then you have to have in your pppoe option file
a
name WWWRaymond  or
user  WWWRaymond

and in your pap-secrets file
WWWRaymond  *  PAGESecret

put those in quotes if you have any special characters in them


-Original Message-
From: PAGE,RAYMOND [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Date: Sunday, 29 June 2003 16:02
Subject: [leaf-user] Because the list auto-rejects emails with
attachments....here's my configs for everyone inline


Eric, I'm not sure if this is what you were conveying, but do you
think that I have an incorrect login/password in my
pap/chap.secrets?  Thanks for all the input, this helps a lot.

What I tried to tell you is
1. debug was not set with debug 7 so the first part of the communication
isn't in the log file
2. There is something communicating with you in pppoe mode. ( probably
your provider)
3. your side rejected pap and chap authentication. this is mostly because
you don't have a corresponding username-password pair.
4. If you had a corresponding user-password name then your side would have
tried to identify, and if the password was wrong, you would have had a
different termination.

if you don't find the cause here, then post me your ppp and pppd options


original post deleted see list for more details--
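
The reading of the pppd debug log given in this reply and in the earlier one (points 3 and 4 above), written out as a check. This is an added example, not part of the original posts: the function names and verdict labels are assumptions, the first sample is the log quoted earlier with timestamps and hex padding left out, and the second sample is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): classify a pppd debug log by how
# authentication went. Reads pppd log lines on stdin, prints one summary line.

diagnose_pppd_log() {
    awk '
    # Our side refuses the authentication method the peer asked for.
    /sent \[LCP ConfRej .*auth chap/ { rej_chap = 1 }
    /sent \[LCP ConfRej .*auth pap/  { rej_pap = 1 }
    # Our side actually offered credentials.
    /sent \[(PAP AuthReq|CHAP Response)/ { tried = 1 }
    # The peer answered the credentials we offered.
    /rcvd \[(PAP AuthNak|CHAP Failure)/ { refused = 1 }
    /rcvd \[(PAP AuthAck|CHAP Success)/ { accepted = 1 }
    # The peer tore the link down.
    /rcvd \[LCP TermReq/ { peer_term = 1 }
    END {
        list = "none"
        if (rej_chap && rej_pap) list = "chap,pap"
        else if (rej_chap) list = "chap"
        else if (rej_pap) list = "pap"

        if (accepted) verdict = "AUTH_OK"
        else if (refused) verdict = "PEER_REFUSED_CREDENTIALS"
        else if (!tried && list != "none") verdict = "LOCAL_REJECTED_AUTH"
        else verdict = "INCONCLUSIVE"

        printf "verdict=%s rejected=%s peer_terminated=%s\n", \
            verdict, list, (peer_term ? "yes" : "no")
    }'
}

# Sample 1: the exchange quoted in the thread (hex padding omitted).
sample_rejected() {
    cat <<'EOF'
pppd[557]: sent [LCP ConfReq id=0x1 magic 0x52cf66a9]
pppd[557]: rcvd [LCP ConfReq id=0xc3 mru 1492 auth chap MD5 magic 0x3d5cac04]
pppd[557]: sent [LCP ConfRej id=0xc3 auth chap MD5]
pppd[557]: rcvd [LCP ConfAck id=0x1 magic 0x52cf66a9]
pppd[557]: rcvd [LCP ConfReq id=0xc4 mru 1492 auth pap magic 0x3d5cac04]
pppd[557]: sent [LCP ConfRej id=0xc4 auth pap]
pppd[557]: rcvd [LCP ConfReq id=0xc5 mru 1492 magic 0x3d5cac04]
pppd[557]: sent [LCP ConfAck id=0xc5 mru 1492 magic 0x3d5cac04]
pppd[557]: sent [IPCP ConfReq id=0x1 addr 0.0.0.0]
pppd[557]: rcvd [LCP TermReq id=0xc6]
pppd[557]: sent [LCP TermAck id=0xc6]
EOF
}

# Sample 2 (constructed): a secrets entry exists, but the password is wrong.
sample_bad_password() {
    cat <<'EOF'
pppd[557]: rcvd [LCP ConfReq id=0xc3 mru 1492 auth pap magic 0x3d5cac04]
pppd[557]: sent [LCP ConfAck id=0xc3 mru 1492 auth pap magic 0x3d5cac04]
pppd[557]: sent [PAP AuthReq id=0x1 user="WWWRaymond" password=<hidden>]
pppd[557]: rcvd [PAP AuthNak id=0x1 "Login incorrect"]
pppd[557]: rcvd [LCP TermReq id=0xc4]
EOF
}

echo "quoted log:     $(sample_rejected | diagnose_pppd_log)"
echo "wrong password: $(sample_bad_password | diagnose_pppd_log)"
```

LOCAL_REJECTED_AUTH is the case described in point 3; PEER_REFUSED_CREDENTIALS is the "different termination" of point 4.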






Re: [leaf-user] natsemi driver..

2003-06-24 Thread eric wolzak
Hello Homer,

are you sure you got the correct modules?
in my modules on a 2.4.20  pci_drv_register and pci_drv_unregister are not
mentioned.
in the modules on a 2.2.20 they are.   those are dependent on pci-scan.
So please check if you have the correct module. If so try installing
pci-scan before.

Regards
Eric Wolzak
member of  the bering crew.

-Original Message-
From: Homer Parker [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Date: Tuesday, 24 June 2003 20:43
Subject: [leaf-user] natsemi driver..


 Bering 1.2 in a Net4501 Soekris box.. Loading natsemi.o gives me:

# insmod natsemi
Using /lib/modules/natsemi.o
insmod: unresolved symbol pci_drv_unregister
insmod: unresolved symbol pci_drv_register

 Looking at modules.dep, it doesn't look like it relies on anything else..

---
Homer Parker  /\ ASCII Ribbon Campaign
  \ / No HTML/RTF in email
http://www.homershut.net   x  No Word docs in email
telnet://bbs.homershut.net/ \ Respect for open standards

Bill Gates reports on security progress made and the challenges ahead.
-- Microsoft's Homepage, on the day an SQL Server bug crippled large
   sections of the Internet.









Re: [leaf-user] Edit Bering Config files Offline

2003-06-08 Thread eric wolzak
Hello Simon, David

Hi David,

I have managed to unzip the file to a temporary folder /temp on another
Bering box using

mount -t msdos /dev/fd0u1680 /mnt
cd /mnt
tar -zxvf /temp/etc.lrp

# all steps in one liners ;)
mkdir /temp
mount -t msdos /dev/fd0u1680  /mnt
cp /mnt/etc.lrp  /temp
cd /temp
tar -xzf  etc.lrp
rm etc.lrp
# can be easier but more dangerous. Don't leave etc.lrp in temp, otherwise it
# will be packaged in the new etc.lrp

#now edit your files
cd .
edit 

#if ready  move back to temp
cd /temp
#tar all your files and the subdirectories to etc.tar
tar -cf etc.tar  *
# zip the tar file this will create etc.tar.gz
gzip etc.tar
# rename etc.tar.gz back
mv etc.tar.gz  etc.lrp
# check the size for security reasons
ls -l etc.lrp
# and compare with the original and free disk space
ls -l /mnt
# if ok
mv etc.lrp /mnt
# clean up
cd /
rm -rf /temp
umount /mnt
# wait till everything is written back.
# of course you can tar and zip as a one pipe process.

btw if you can edit etc.lrp from the boot disk, you also can edit the real
files in etc.lrp ;)
and back them up.


On Sun, 2003-06-08 at 17:21, Simon Chalk wrote:
 Is it possible to edit an lrp package on a Bering floppy on another
machine.

yes see above.


 I have a problem on one machine where incorrect configuration has stopped
 access to the console. So I am unable to use LRCFG, since no console
access
 is possible.

regards
Eric Wolzak
member of the bering crew





[leaf-user] Fw: comment/question about Bering, pppoe

2003-06-06 Thread eric wolzak
Hello All
does somebody know an option for pppd to specify the access concentrator
I didn't find one

Regards
Eric Wolzak
member of the bering crew

-Original Message-
From: Rossen Antonov [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Date: Thursday, 5 June 2003 22:44
Subject: comment/question about Bering, pppoe


Mr. Wolzak,
I'm very keen on Bering. I would like to set it in a small LAN where I
live.
My ISP uses another big LAN and I'm connected to it  directly via eth0,
without a DSL device.

The provider uses PPPoE. It has one Access Concentrator (PPPoE server) with
four Service Names. In default situation like that figured in LEAF Bering
user's guide there is no need to specify a Service Name when making a
connection, but in my situation I need to connect exactly to one of those
four Service Names.

This is a result of pppoe -A -I eth0 executed under Knoppix on my machine
where Bering is supposed to be. It shows the exact situation:

Access-Concentrator: hl-pppoe
   Service-Name: int3
   Service-Name: ok1
   Service-Name: ok2
   Service-Name: ok3
AC-Ethernet-Address: 00:08:c7:8a:ec:2b
--

And then to connect I use this command:

pppd pty 'pppoe -I eth0 -S ok2' noipdefault defaultroute hide-password
passive persist name antonov

My comment is that if in Bering the Service Name can be set up this should
be described in LEAF Bering user's guide. And my question is: is it possible
in Bering to set up a Service Name?

Thank you for reading my mail!
I wish you all the best!
Please, if you have a little time reply to me with an answer on my question.
Just yes or no is enough.

--Rossen Antonov, Bulgaria, 20 years old.







Re: [leaf-user] kernel pppoe was Fw: comment/question about Bering, pppoe

2003-06-06 Thread eric wolzak
Hello Ray, thanks for your reaction
your answer applies to the rp-pppoe package,
here a pppoe application is sending its output to a pseudoterminal and then
leading this over the ppp connection.

With kernel mode as I understand it, it is different.
a pppd connection  is translated by the pppoe plugin to a kernel-pppoe
connection.
The connection on pppoe level is done by the pppoe plugin.
So the option -S and -A are not possible.
It might be possible to use the name of the access-concentrator in the
pap-secrets as server name, I cannot test this yet.

Regards
Eric Wolzak
member of the Bering Crew

-Original Message-
From: Ray Olszewski [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Date: Friday, 6 June 2003 00:28
Subject: Re: [leaf-user] Fw: comment/question about Bering, pppoe


At 11:43 PM 6/5/2003 +0200, eric wolzak wrote:
Hello All
does somebody know an option for pppd to specify the access concentrator
I didn't find one

Eric -- I don't have the answer, but I think you want to ask a different
question. If I follow the discussion here --

 http://www.roaringpenguin.com/slides/pppoe-slides.pdf

-- correctly, the Access Concentrator gets identified by the pppoe
wrapper to pppd via a device-discovery step (that looks analogous to
dpclient asking are there any DHCP servers out there who can give me an
address?), not by pppd itself.

Or maybe I do have at least a candidate answer at that. The man page for
pppoe (on Debian-Sid) lists the following options:

-S service_name
   Specifies the desired service name.  pppoe will only initiate
   sessions with access concentrators which can provide the specified
   service.  In most cases, you should not specify this option.  Use it
   only if you know that there are multiple access concentrators or know
   that you need a specific service name.

-C ac_name
   Specifies the desired access concentrator name.  pppoe will only
   initiate sessions with the specified access concentrator.  In most
   cases, you should not specify this option.  Use it only if you know
   that there are multiple access concentrators.  If both the -S and -C
   options are specified, they must both match for pppoe to initiate a
   session.

The pppoe discussed here is probably the RP package, but the docs are not
completely clear on that part.

Hope this is what you need. Good luck.

[earlier, quoted message deleted]







Re: [leaf-user] kernel pppoe was Fw: comment/question about Bering, pppoe

2003-06-06 Thread eric wolzak
Hello All
kernel mode pppoe  ( the one that is used at bering )
can be used to specify a certain access concentrator.

my previous post with a proposition to change the etc/ppp/pap-secrets  is
not correct.
The access concentrator is chosen as a first step  the authentication is
used in a later stage.

So the correct solution is :

in the pppoe options :  /etc/ppp/peers/dsl-provider
add the following line

pppoe_ac_name name of the accessconcentrator

example if your accessconcentrator is AC_To then
pppoe_ac_name AC_To

Now  PADO from other accessconcentrators will be ignored.
This is not necessary for everybody, only for those that have to specify a
special AC
with the roaring penguin package this is equivalent to pppoe -S name of the
accessconcentrator

-
By the way.
with the standard pppoe.lrp package it is possible to create your own pppoe
server.
it was easier as it seems ;)

I will post the howto in a few days.

Regards
Eric Wolzak






Re: [leaf-user] weblet extension version 2

2003-06-03 Thread eric wolzak
Hi Ken.


I tried this code as well and I think that you have to substitute
/var/log/shorewall.log for /var/log/messages in the code that Eric provided.
It didn't work for me until I made this change.  Perhaps an older version of
Bering or Dach used the messages file to log packets, hence the confusion.
Please correct me if I'm wrong, Eric.

Thanks,
Ken

You are of course right , the log file should be the one the messages for
shorewall are directed to.
Bering 1.0 stable did the logging still in the /var/log/messages file  (
this was the version I used to debug the script.)
I should make things more modular again ;)

Thanks for your feedback.
 -Original Message-

 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Tony
 Sent: Saturday, May 31, 2003 3:33 PM
 To: eric wolzak; Leaf-User
 Cc: [EMAIL PROTECTED]
 Subject: RE: [leaf-user] weblet extension version 2


 HI Eric and Jeff,

 Thanks Eric for the code, this is half of what I was looking
 for, Jeff gave the other half.  If you use the proverb:

 Give a man a fish, he eats today
 Teach a man to fish, he eats forever

 you both gave me one of those lines and I appreciate it.

 But, I do have some questions about the code, I can get the
 portsort section to work (from a previous e-mail, but the
 ipsort section is giving me the headers, but no data under it.

 I have some observations, but should I move this discussion
 to the devel list?  I don't want to clog up this list with
 any more messages than necessary.

 Please advise, and I can pick up with my observations.

 Thanks,

 Tony



  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] Behalf Of
 eric wolzak
  Sent: Saturday, May 31, 2003 12:26 PM
  To: Tony; Leaf-User
  Subject: Re: [leaf-user] weblet extension version 2
 
 
  Hello Tony
 
 
  Another variant is to change in the file viewhits the
 option ipsort to
  -
  ipsort)
  HEAD='<tr><td width=50> Hits </td><td>IP-Adress</td><td>&nbsp;</td></tr>'
 
  AUS=`grep "DPT=$content" /var/log/messages |\
  sed 's/.*SRC=\(.* \)DST.*$/<a href=viewhits?x_\1>\1<\/a><\/td><td><\/td><\/tr>/' |
  sort -n | uniq -c | sort -rn |\
  sed 's/^/<tr><td>/
  s/<a/<\/td><td><a/'`
  ;;
  ---
  this is a little bit slower but let you click on each ip
 address that
  tried to connect to the certain port and  shows the
 messages that it
  caused, including those to another port
 
  Regards
  Eric Wolzak
  member of the bering crew
 


Regards Eric Wolzak
member of the bering crew.






Re: [leaf-user] weblet/sed question

2003-06-01 Thread eric wolzak
Hello Tony,  if I understand your mail correctly, you want the possibility to
identify which machines are responsible for the logged traffic to a certain
port.

Good Evening all,

I'm sorry to ask a question like this, but here goes.  I want to expand
weblet a little and would like some pointers.  I'm currently running weblet
1.2 under Bering v1.1.  I like the screens where you can view the hits by
either port or sorted IP address.  What I want to do is, add the
functionality of the IP address screen to the port screen.

On the IP screen, the addresses are clickable to view the actual hits the
IP
was associated with.  What I would like to do is have the ports be
clickable
to view a sorted list of IP addresses.  So if I clicked port 53, I could
get
a listing of all the IP's who hit that port.  I could then get the
offending
IP's without having to plow through the current IP list to see who hit what
port.

Did I describe that clearly enough?  I viewed the code to see how the
different pages are rendered and how the sub routines are called, but I
don't really know sed.  I'm not sure where to start.

You can make the following changes to weblet

# edit /var/sh-www/cgi-bin/viewhits
change the following two subroutines:
--
ipsort)
;;
---
to

ipsort)
HEAD='<tr><td width=50> Hits </td><td>IP-Adress</td><td>&nbsp;</td></tr>'
AUS=`grep "DPT=$content" /var/log/messages | sed 's/.*SRC=/<\/td><td>/
s/ .*$/<\/td><td><\/td><\/tr>/' | sort -n | uniq -c | sort -rn |\
sed 's/^/<tr><td>/'`
titel="hits on port $content"
;;

and
portsort)
..
;;
to
-
portsort)
HEAD='<tr><td>hits</td><td>port</td><td>Service</td></tr>'
AUS=`grep "Shorewall:.* DPT" /var/log/messages |\
sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' |\
   sort | uniq -c | sort -rn |\
   while read count port ; do
   printf "<tr><td>$count</td><td><a href=viewhits?ipsort_$port>$port</a></td><td>"
   grep "\\b$port\\b" /etc/services | sed /^#/d | cut -f 1 | uniq
   printf "</td></tr>"
  done `
titel="Hits sorted by porttype"
;;

Then save viewhits and backup weblet.

this should do the trick ( at least it did it for me.)
If there are more people interested in this kind of information, I could
implement some of those in weblet.
Also possible would be, for example, those IP numbers that are logged for many
different ports -- scanners.

Any comment is welcomed

Regards
Eric Wolzak
member of the bering Crew
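
The per-port source count and the "logged for many different ports" scanner list mentioned in this post, as an added example in shell that is not part of the thread and not weblet code. The log lines are constructed and the function names are assumptions. The port is checked to be a number before use, because in viewhits it arrives from the URL, and it is matched as a whole DPT= field so that port 80 does not also count 8080.

```shell
#!/bin/sh
# Added example (not weblet code): summarise Shorewall log lines read on stdin.

# Accept only a decimal port (1-65535); anything else is refused before it
# gets near grep, sed or awk.
valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# hits_by_source PORT: prints "count source-ip" for that exact port,
# highest count first.
hits_by_source() {
    valid_port "$1" || return 1
    awk -v port="$1" '
    /Shorewall:/ {
        src = ""; hit = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i == ("DPT=" port)) hit = 1
        }
        if (hit && src != "") n[src]++
    }
    END { for (s in n) print n[s], s }' | LC_ALL=C sort -k1,1nr -k2,2
}

# scanners MIN: prints "source-ip distinct-ports" for every source logged
# against at least MIN different destination ports.
scanners() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    awk -v min="$1" '
    /Shorewall:/ {
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src != "" && dpt != "" && !((src, dpt) in seen)) {
            seen[src, dpt] = 1
            ports[src]++
        }
    }
    END { for (s in ports) if (ports[s] >= min + 0) print s, ports[s] }' |
        LC_ALL=C sort
}

# Constructed sample log (documentation address ranges only).
sample_fw_log() {
    cat <<'EOF'
Jun  1 10:00:01 firewall kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 LEN=48 PROTO=TCP SPT=4021 DPT=445
Jun  1 10:00:02 firewall kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 LEN=48 PROTO=TCP SPT=4022 DPT=445
Jun  1 10:00:03 firewall kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 LEN=48 PROTO=TCP SPT=4023 DPT=135
Jun  1 10:00:04 firewall kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 LEN=48 PROTO=TCP SPT=4024 DPT=139
Jun  1 10:00:05 firewall kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 LEN=48 PROTO=TCP SPT=4025 DPT=1433
Jun  1 10:02:00 firewall kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 LEN=48 PROTO=TCP SPT=1301 DPT=445
Jun  1 10:03:00 firewall kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=192.0.2.9 DST=192.0.2.1 LEN=60 PROTO=TCP SPT=2200 DPT=8080
Jun  1 10:03:05 firewall kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=192.0.2.9 DST=192.0.2.1 LEN=60 PROTO=TCP SPT=2201 DPT=80
Jun  1 10:04:00 firewall pppd[557]: using channel 1
EOF
}

echo "hits on port 445:"; sample_fw_log | hits_by_source 445
echo "sources seen on 3 or more ports:"; sample_fw_log | scanners 3
```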





Re: [leaf-user] weblet extension version 2

2003-06-01 Thread eric wolzak
Hello Tony


Another variant is to change in the file viewhits the option ipsort to
-
ipsort)
HEAD='<tr><td width=50> Hits </td><td>IP-Adress</td><td>&nbsp;</td></tr>'

AUS=`grep "DPT=$content" /var/log/messages |\
sed 's/.*SRC=\(.* \)DST.*$/<a href=viewhits?x_\1>\1<\/a><\/td><td><\/td><\/tr>/' |
sort -n | uniq -c | sort -rn |\
sed 's/^/<tr><td>/
s/<a/<\/td><td><a/'`
;;
---
this is a little bit slower but lets you click on each ip address that tried
to connect to the certain port and shows the messages that it caused,
including those to another port

Regards
Eric Wolzak
member of the bering crew






Re: [leaf-user] Router Stops

2003-05-27 Thread eric wolzak
Hello David, All

My router stops periodically and I can restart it by restarting Shorewall.
Lynn has suggested it might be a memory problem.  Any suggestions how I can
monitor RAM usage?  Commands built into Bering?  Packages I can run?

1. The RAM usage can be viewed from the weblet.
2. activate Spacecheck in lrp settings file and you get an email as the
disks fill ( as long as your router isn't stopped yet ;))

3. But I don't think the RAM is the cause, sorry I didn't follow this
thread before,
What do you mean by router stops. I suppose you mean, you cannot get
connections to the internet anymore.
Restarting Shorewall does reinstall the firewall rules. and detects some
broadcasts thereby setting a route
Only restarting shorewall doesn't delete files. ( and doesn't create more
space on the Filesystem so why should the router function after the restart
if it was a disk ram problem )
It might however stop remaining unused connections and clear your table
from outdated connections
The same should be done by taking your external interface down and up
again.
I have seen a pseudo non-functional router after someone playing network
games on the internal net and requesting for free gameserver. just filled the
tables. ( kind of unpurposed DOS ;) )
Try using weblet to view the active connections or with the different
shorewall commands
If you have too many active connections weblet will time out.

Regards
Eric Wolzak
member of the Bering Crew


David Pitts
IT Services Manager
Reid Library
University of Western Australia

Telephone:   (08) 9380 3492 Fax:  (08) 9380 1012







Re: [leaf-user] unusual firewall applications ( a little off-topic)

2003-03-08 Thread Eric Wolzak
Hello Frank

 As I understand it, a firewall prevents computers from communicating
 undesirable communications.  Poorly worded, perhaps, but I am sure it
 addresses the intent of firewalls.
This is partly true, the decision to accept a communication depends
at a firewall on source/dest (ip), Protocol ( tcp etc) and port
This is of course a simplification.
But the package filter that is built into leaf doesn't look at the content
of a message.
(so if a webserver is allowed to pass, it passes independently of whether this is
scientific information or an advertisement for uh cars.)
Content filtering is done by other programs, (f.e. junkbuster, squid
etc).

 I get lots of undesirable communications on my telephone.  There seems
 to be a marketing industry devoted to using my phone number as a sales
 tool.  I am sure everyone on the reflector can identify with this
 plague. 

Now to your telephone,
If you want to block certain protocols (fax f.e) this is built into most
telephones.
 if you want to block connections depending on their origin ( src
telephonenumber ) this can be done only if the src-telnr is
transmitted. In different countries this is done. In Germany this is
done on a voluntary base, so as soon as somebody wants to stay
unrecognized he will block this feature.
In that case you could blacklist notorious callers or reject all but a
selected group of numbers.
Programs like that are built into almost any mobile telephone and
home telephone switch.
To filter on the content is almost impossible
It takes for you, with a higher intelligence than your computer, even
some time to detect that the message the caller is telling you is not
interesting for you.
To build a speech recognition and interpretation is far beyond a lrp
box ;)

 Getting to the point, has anyone ever considered building a firewall to
 prevent this abuse?  A telephone firewall.  Could something of this
 nature be implemented on an LRP box?  A rhetorical question because I
 know it can be implemented. I would do that but don't know how. My lack
 of knowledge extends to the programming.  I am pretty sure I can handle
 the hardware requirements.
What can be done in my opinion is filtering for special numbers or
only allowing authorized callers, for example with a telephone login
After connecting to a box, they hear a message please enter your
telephone code.
If they have that wrong, the connection is broken
But that would prevent any person with honest intention to contact
you.
A simpler method is using the display with the telephone number and
your decision to take the phone.
But all that demands that the calling number is transmitted, which
isn't always true.

 
 The question is, does anyone know of any efforts to do this?
no 
 
 My Dachstein firewall is on all the time, connected to my cable modem.
 It could just as well be handling telephone traffic on the same 24/7/365
 basis.
And for a lot of other interesting applications,
securing your home
printserver
making coffee ; )
but remember lots of applications means drilling holes in your
firewall.

Anyhow, I like thought experiments :)

Regards
Eric Wolzak
member of the bering crew




Re: [leaf-user] A Couple Of Problems...

2003-03-07 Thread Eric Wolzak
Hello Nick

 
 I'm using Bering 1.1 and overall think it's wonderful. There are
 just a couple of things that I'm having difficulty with:
 
 1) I can't get Bering to send me emails. Every hour there's an
entry in cron.log similar to the following:
 
MAIL (mailed 19 bytes of output but got status 0x0001 )
sorry to see it is still there, this is due to a line I inserted in a
debugging session and forgot to remove.

Remove the line:
# echo $prog 
in routine main()  around linenr 33.
in the multicron-p script


If I use the MAIL command from the command-line, I can get it
to send a message, but never via cron.
Did you set the
lrp_SPACECHECK=YES
lrp_SC_MAIL_LEVEL=2
in this settings
Cron will only send a message if the Space is so limited that it had to 
go to step 2 deleting files.
If this situation doesn't occur, you won't get mail :) 

If you want a mail every day, for example get your log files mailed
make a script like you did by hand and insert it as a cron job.
Remember to set the full path to executables !
 
Incidentally I discovered that pointing it at an Exchange 5.5
server does not work, as the mail command appears to disagree
with Exchange as to the correct sequence of an SMTP conversation...

(who is right ;) ) 
 
I've now re-pointed it at a Linux box, running Sendmail and all
is well on that front.
 Any pointers that anyone could give me would be very much
 appreciated!
 
 Thanks
 
 Nick

Regards
Eric Wolzak
member of the Bering Crew




Re: [leaf-user] Connecting to dsl was adsl: can't set mru/mtu to 1500 (T-online)

2003-02-25 Thread Eric Wolzak
Hello Henning 


 Hi Folks,
 I got a great problem connecting to t-online. I got 2 running
 devices(eth0  eth1)
 When I issue pon dsl-provider eth0, SYSLOG tells me:
 connecting ppp0 - eth0
 Shouldn't it be ppp0 - /dev/ttyp0 ?
 Then SYSLOG says:
 cannot set MTU to 1500
 cannot set MRU to 1500
 MTU and MRU should be set to 1452 because I use the
 default config file dsl-provider with the entry
 pty pppoe -I eth0 -T 80 -m 1452
 
 What am I doing wrong ?
 Any help is greatly appreciated !

For other readers T-DSL is ADSL named after the Telekom
To connect with bering 1.0 you use the ppp and pppoe package 
Assuming that your eth0 is connected to the external interface - dsl modem

Change the settings to 
Package  ppp


System wide ppp settings

# /etc/ppp/options
asyncmap 0
auth
crtscts
lock
hide-password
modem
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
noipx
...
Pap secret
[EMAIL PROTECTED] * PASSWORD
don't forget the @t-online.de part   
if you use special symbols in Password put it in Quotes 
--
pppoe
1 dsl provider

plugin /usr/lib/pppd/pppoe.so
user [EMAIL PROTECTED]
noipdefault
defaultroute
hide-password
lcp-echo-interval 20
lcp-echo-failure 3
connect /bin/true
noauth
persist
mtu 1492

--
shorewall 

masq

ppp0   eth1 

---
shorewall interfaces
net  ppp0 -   -
--

shorewall config
CLAMPMSS=yes

basic setup interfaces
auto ppp0
iface ppp0 inet ppp
pre-up ip link set eth0 up
provider dsl-provider eth0



Attention your external interface is ppp0 not eth0
To bring the connection up 
use  
ifup ppp0 

don't use pon ( this tries to connect over a serial line)

down with
ifdown ppp0

hope I didn't forget anything.
if you haven't a flat rate you should set the demand option.
that's all
ignore the message cannot change mtu or mru setting to 1500, they don't harm :)

Eric Wolzak
member of the bering Crew




Re: [leaf-user] newbie question.

2003-02-20 Thread Eric Wolzak
Hello Troy 
 Hello there. I have a quick newbie question here. I would just like to know
 the 
 CLI Command that I use to show the output below. I am assuming that it is
 some variation of 
 Ip addr . 
almost correct ;)

#ip -s link show

the -s option includes the statistics


Eric Wolzak
member of the Bering Crew





Re: [leaf-user] Shorewall Web GUI

2003-02-20 Thread Eric Wolzak
Hello Steve 


 I know this question has probably been posted many times before, but I can't
 seem to find any solution out there.
 
 Does anyone know if there is a publicly available Web-based GUI for
 shorewall?  If so, what's a good one to use?

I have an alpha weblet version that, among others, supports parts of
Shorewall:
rules, masq, zones and interfaces.
But take care: this uses GET, and the weblet has to run as root to
change some of the settings.

As we are trying to update the configuration database, the weblet will
also be changed, so no guarantee ;)

http://leaf.sourceforge.net/devel/ericw/bering/weblet.lrp
You can find some information about the change of the setting in inetd
at my site
http://leaf.sourceforge.net/devel/ericw

Regards
Eric Wolzak
member of the bering Crew






Re: [leaf-user] Bering1.0-stable Problem with 2.4.20 on net4501

2003-02-10 Thread Eric Wolzak
 Hi all,
  
 
 I'm getting the following kernel panic on my bering1.0_stable box with
 kernel 2.4.20   This is running on a Soekris net4501 .  Anyone else see
 this?
Hello Steve, a kernel panic with the kernel is often a problem of
corrupt media or a corrupt download.

From what kind of media are you booting?

 Unable to handle kernel NULL pointer dereference at virtual address
  printing eip:  *pde = 
 
 Oops: 
 CPU:0
 EIP:0010:[]Not tainted
 EFLAGS: 00010286
 Code:  Bad EIP value.
 0Kernel panic: Aiee, killing interrupt handler!
 In interrupt handler - not syncing

Eric Wolzak
member of the bering Crew





Re: [leaf-user] Bering, Diagnosing Weblet LRP status warnings

2003-02-05 Thread Eric Wolzak
Hello Brian 

The actual number of packet logs is not that important.
For example, eDonkey and programs like that make a lot of connection
tries.
Your summary shows that almost all connections came from
193.163.220.4  proxy-scanner.eris.dk

The interesting thing would be to see what kind of packages
the ones from or to this IP are.
 I have the following message
 
 Thu Feb 6 09:49:28 UTC 2003
 
 firewall Firewall Status: error
 
 You have 438 denied or rejected packets in your recent packet logs.
 
 See the messages in the log files for details
 Or check the hits sorted by port or by IP adress
 
 
 and when  I look at the log file this is what it has (excerpt)

 Feb 6 08:31:05 firewall kernel: Shorewall:net2all:DROP:IN=eth0 OUT= 
 MAC=00:60:08:08:6d:f3:00:03:4b:ab:10:0e:08:00 SRC=144.134.250.37 
 DST=203.217.17.249 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=41523 DF PROTO=TCP 
 SPT=1146 DPT=3511 WINDOW=8192 RES=0x00 SYN URGP=0
Taken apart, this means:

At Feb 6 08:31:05 the Shorewall chain net2all (DROP) dropped a
package coming from the eth0 interface (IN=eth0) that was meant
for the firewall (OUT=)
(info on eth0 MAC=00:60:08:08:6d:f3:00:03:4b:ab:10:0e:08:00).
The source address of this package was SRC=144.134.250.37
and the destination (DST=203.217.17.249), which should have been
your external IP at that moment. The protocol was TCP, the source port
1146 and the destination port 3511.
Further package information: length 48, type of service 00,
time to live 120. The SYN bit was set, so it was a start of
communication
( LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=41523 DF
PROTO=TCP
 SPT=1146 DPT=3511 WINDOW=8192 RES=0x00 SYN URGP=0 )

You should now read some of the denied or dropped packages from
the 193.163.220.4 host. It might seem that you have outgoing
connections to this host that are blocked (IN= resp. OUT=), and if the
ports are changing (then it might be a scan) or if it is always the
same port that tries to connect (for example with a configuration
error).

 hits port Service
 42 1080
 28 8080 webcache
 28 6552
 28 23 telnet
 
 
 sorted by ip address
 
 Hits IP-Adress Date
 406  193.163.220.4 Feb 6
 7  24.192.28.48 Feb 6
 6  202.129.102.26 Feb 6
 6  144.134.250.37 Feb 6
 4  192.168.1.254 Feb 6
 3  24.123.122.189 Feb 6
 3  203.59.187.164 Feb 6
 3  203.45.122.188 Feb 6
 
 What does it mean?? Am I being attacked, or is it something in Shorewall that
 I have not configured properly?
 
good luck
Eric Wolzak
member of the bering crew 
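
The field-by-field reading and the scan-versus-same-port check described in the message above, as an added Python example that is not part of the original thread. The first sample line is the log entry quoted above; the other lines are constructed, and the all2all chain, the eth1 interface, the 192.168.1.1 destination and the three-port threshold are assumptions.

```python
import re
from collections import defaultdict

# Line 1 is the entry quoted in the message (wrapped lines rejoined).
# All other lines are CONSTRUCTED for this example: the source addresses and
# destination ports come from the summary tables in the message; the chain
# all2all, interface eth1 and destination 192.168.1.1 are assumed.
SAMPLE_LOG = """\
Feb 6 08:31:05 firewall kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:60:08:08:6d:f3:00:03:4b:ab:10:0e:08:00 SRC=144.134.250.37 DST=203.217.17.249 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=41523 DF PROTO=TCP SPT=1146 DPT=3511 WINDOW=8192 RES=0x00 SYN URGP=0
Feb 6 08:40:11 firewall kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=193.163.220.4 DST=203.217.17.249 LEN=60 TTL=52 ID=101 DF PROTO=TCP SPT=40001 DPT=1080 WINDOW=5840 SYN URGP=0
Feb 6 08:40:12 firewall kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=193.163.220.4 DST=203.217.17.249 LEN=60 TTL=52 ID=102 DF PROTO=TCP SPT=40002 DPT=8080 WINDOW=5840 SYN URGP=0
Feb 6 08:40:13 firewall kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=193.163.220.4 DST=203.217.17.249 LEN=60 TTL=52 ID=103 DF PROTO=TCP SPT=40003 DPT=6552 WINDOW=5840 SYN URGP=0
Feb 6 08:40:14 firewall kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=193.163.220.4 DST=203.217.17.249 LEN=60 TTL=52 ID=104 DF PROTO=TCP SPT=40004 DPT=23 WINDOW=5840 SYN URGP=0
Feb 6 08:50:00 firewall kernel: Shorewall:all2all:REJECT:IN=eth1 OUT= SRC=192.168.1.254 DST=192.168.1.1 LEN=78 TTL=128 ID=7 PROTO=UDP SPT=137 DPT=137
Feb 6 08:51:00 firewall kernel: Shorewall:all2all:REJECT:IN=eth1 OUT= SRC=192.168.1.254 DST=192.168.1.1 LEN=78 TTL=128 ID=8 PROTO=UDP SPT=137 DPT=137
Feb 6 08:52:00 firewall kernel: Shorewall:all2all:REJECT:IN=eth1 OUT= SRC=192.168.1.254 DST=192.168.1.1 LEN=78 TTL=128 ID=9 PROTO=UDP SPT=137 DPT=137
"""

# "Shorewall:<chain>:<action>:" followed by the netfilter KEY=VALUE fields.
LINE_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<action>[^:\s]+):(?P<body>.*)$")


def parse_line(line):
    """Split one Shorewall log line into chain, action, fields and flags."""
    m = LINE_RE.search(line)
    if not m:
        return None                      # not a Shorewall packet log line
    fields, flags = {}, []
    for tok in m.group("body").split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            fields[key] = val            # "OUT=" yields an empty value
        else:
            flags.append(tok)            # bare words such as DF or SYN
    return {"chain": m.group("chain"), "action": m.group("action"),
            "fields": fields, "flags": flags}


def direction(rec):
    """IN= set and OUT= empty: addressed to the firewall itself, and so on."""
    has_in = bool(rec["fields"].get("IN"))
    has_out = bool(rec["fields"].get("OUT"))
    if has_in and has_out:
        return "forwarded"
    if has_in:
        return "to-firewall"
    if has_out:
        return "from-firewall"
    return "unknown"


def summarize_by_source(records, scan_ports=3):
    """Per source address: hit count, destination ports and a rough verdict.

    Changing ports suggest a scan; the same port over and over suggests one
    service retrying (for example a configuration error).
    """
    seen = defaultdict(list)
    for rec in records:
        f = rec["fields"]
        if "SRC" in f and "DPT" in f:
            seen[f["SRC"]].append(int(f["DPT"]))
    summary = {}
    for src, dpts in seen.items():
        distinct = sorted(set(dpts))
        if len(distinct) >= scan_ports:
            verdict = "changing-ports"
        elif len(dpts) > 1 and len(distinct) == 1:
            verdict = "same-port"
        else:
            verdict = "too-few-hits"
        summary[src] = {"hits": len(dpts), "ports": distinct, "verdict": verdict}
    return summary


RECORDS = [r for r in map(parse_line, SAMPLE_LOG.splitlines()) if r]

if __name__ == "__main__":
    for src, info in sorted(summarize_by_source(RECORDS).items(),
                            key=lambda kv: -kv[1]["hits"]):
        print(f"{info['hits']:4d}  {src:16s} {info['verdict']:15s} {info['ports']}")
```
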






Re: [leaf-user] When my IP changes my DSL interface disconnects

2003-01-26 Thread Eric Wolzak
 08:58:38 firewall pppd[9920]: Couldn't increase MRU to 1500
Jan 24 08:58:48 firewall pppd[9920]: Connection terminated.
Jan 24 08:58:48 firewall pppd[9920]: Connect time 58.8 minutes.
Jan 24 08:58:48 firewall pppd[9920]: Sent 4236 bytes, received 8209 bytes.
Jan 24 08:58:48 firewall pppd[9920]: Doing disconnect
Jan 24 08:59:18 firewall pppd[9920]: Sending PADI
-
Jan 24 09:00:01 firewall /USR/SBIN/CRON[23934]: (root) CMD 
(/etc/keepalive_script)
Jan 24 09:00:01 firewall /USR/SBIN/CRON[6709]: (root) CMD 
(`/etc/init.d/ntpdate start`)
Jan 24 09:00:01 firewall /USR/SBIN/CRON[27318]: (root) CMD
(/etc/multicron-p)
Jan 24 04:00:06 firewall ntpdate[18431]: sendto(132.246.168.148): Network is
unreachable

The default route is taken down with the ppp0 interface?
The ppp0 should try to connect again.

Jan 24 04:00:09 firewall last message repeated 3 times
Jan 24 04:00:10 firewall ntpdate[18431]: no server suitable for 
synchronization found
Jan 24 09:00:10 firewall /USR/SBIN/CRON[14147]: (root) MAIL (mailed 19 bytes
of output but got status 0x0001 )
Jan 24 09:10:01 firewall /USR/SBIN/CRON[19360]: (root) CMD 
(/etc/keepalive_script)
Jan 24 09:15:01 firewall /USR/SBIN/CRON[2952]: (root) CMD (/etc/multicron-p)
Jan 24 09:20:01 firewall /USR/SBIN/CRON[14049]: (root) CMD 
(/etc/keepalive_script)
Jan 24 09:30:01 firewall /USR/SBIN/CRON[18832]: (root) CMD 
(/etc/keepalive_script)
Jan 24 09:30:01 firewall /USR/SBIN/CRON[16748]: (root) CMD
(/etc/multicron-p)

It is unclear why the pppd daemon is trying to connect now, after more than 30
minutes. Did you cut something out of the log files?

Jan 24 09:33:24 firewall pppd[9920]: Connecting PPPoE socket: 
00:90:1a:40:44:2c  eth0 0x807c2c8
Jan 24 09:33:24 firewall pppd[9920]: Couldn't get channel number: Transport 
endpoint is not connected

This message means that there is a problem at a level before password exchange
etc. occurs.
It could be your modem or the provider endpoint.

Jan 24 09:33:24 firewall pppd[9920]: Doing disconnect
Jan 24 09:33:54 firewall pppd[9920]: Sending PADI

If this occurs more often you should check your pppoe options file in
/etc/peers/dsl-provider

It should be something like:

plugin /usr/lib/pppd/pppoe.so
user *
noipdefault
defaultroute
hide-password
lcp-echo-interval 20
lcp-echo-failure 3
connect /bin/true
noauth
persist
mtu 1492


Regards  
Eric Wolzak
member of the bering crew





Re: [leaf-user] ipsec vs ipsec509

2003-01-16 Thread Eric Wolzak
Hello Heriberto

 Hi

 I'm setting up a VPN connection with ipsec.lrp. I have also seen an ipsec509.lrp
 module. In a few words, what is the main difference between ipsec.lrp and
 ipsec509.lrp?
The ipsec.lrp is the freeswan package.
The ipsec509 is the same package patched for the use of
certificates to identify.

Regards
Eric Wolzak
member of the bering Crew






 Regards
 Heriberto









[leaf-user] Mail Bug in multicron-p

2003-01-06 Thread Eric Wolzak
Hello List.

I just discovered a bug in the /etc/multicron-p script 
in Bering  Stable 1   (probably also in Bering-uClibc ? )

This bug  is not critical, just annoying.

In the /var/log/syslog file you could find :

Jan  5 22:00:01 firewall /USR/SBIN/CRON[26546]: (root) MAIL 
(mailed 12 bytes of output but got status 0x0001 )
every 15 minutes. 

The mail is sent to root@ and has multicron-p as its content.

The reason is a leftover from a debugging session that was forgotten to
be removed (shame on me ;) ).

Remove the line:
# echo $prog
in routine main(), around line number 33.

Although, from the logic, nothing should have happened, the output
was piped through the mailadmin function.

If you have set your mail-admin you could have received mails with
multicron-p as content. No subject.

Sorry for the discomfort 

Regards 
Eric Wolzak
member of the bering crew






Re: [leaf-user] adsl connection doesn't work

2003-01-06 Thread Eric Wolzak
Hello mike.

 I've got a problem with Bering 1.0-stable.
 I followed the PPPoE configuration in the user's guide to get my DSL
 connection to work, and I'm at the same provider as the one who has written the
 user guide (T-DSL from T-Online in Germany).
That's me ;)
 But after configuring both the ppp and pppoe packages, the ppp daemon is
 unable to establish a connection.
 Here is what the debug from pppd says:
Let's take a look.

 Jan 6 21:30:07 firewall pppd[4949]: Plugin /usr/lib/pppd/pppoe.so loaded.
 Jan 6 21:30:07 firewall pppd[4949]: PPPoE Plugin Initialized
 Jan 6 21:30:07 firewall pppd[4949]: pppd 2.4.1 started by root, uid 0
 Jan 6 21:30:07 firewall pppd[4949]: Sending PADI
 Jan 6 21:30:07 firewall pppd[4949]: HOST_UNIQ successful match
 Jan 6 21:30:08 firewall pppd[4949]: HOST_UNIQ successful match
You got a user setting and a corresponding pap.
 Jan 6 21:30:08 firewall pppd[4949]: Got connection: 696
 Jan 6 21:30:08 firewall pppd[4949]: Connecting PPPoE socket:
 00:90:1a:10:14:fa 9606 eth0 0x807c260
 Jan 6 21:30:08 firewall pppd[4949]: using channel 15
 Jan 6 21:30:08 firewall pppd[4949]: Using interface ppp0
 Jan 6 21:30:08 firewall pppd[4949]: Connect: ppp0 -- eth0
got a virtual ppp0

 Jan 6 21:30:08 firewall pppd[4949]: Couldn't increase MTU to 1500.
 Jan 6 21:30:08 firewall pppd[4949]: Couldn't increase MRU to 1500
Never mind, just ignore.

You send an mru 1492 request, later confirmed.
 Jan 6 21:30:08 firewall pppd[4949]: sent [LCP ConfReq id=0x1 mru 1492
 magic 0x3198d3b9]

Here is the trouble ...

You receive a config request: mru 1492 and authenticate with pap.
 Jan 6 21:30:08 firewall pppd[4949]: rcvd [LCP ConfReq id=0xb2 mru 1492
 auth pap magic 0x6061cca1] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 00 00 00 00 00

You send a reject of authentication with pap!!
 Jan 6 21:30:08 firewall pppd[4949]: sent [LCP ConfRej id=0xb2 auth pap]

Do you have a correct pap user setting?


You receive confirmation of mru 1492.
 Jan 6 21:30:08 firewall pppd[4949]: rcvd [LCP ConfAck id=0x1 mru 1492
 magic 0x3198d3b9] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 00 00 00 00 00
 Jan 6 21:30:08 firewall pppd[4949]: rcvd [LCP ConfReq id=0xb3 mru 1492
 magic 0x6061cca1] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 00 00 00 00 00
 Jan 6 21:30:08 firewall pppd[4949]: sent [LCP ConfAck id=0xb3 mru 1492
 magic 0x6061cca1]
 Jan 6 21:30:08 firewall pppd[4949]: sent [LCP EchoReq id=0x0
 magic=0x3198d3b9]
 Jan 6 21:30:08 firewall pppd[4949]: sent [IPCP ConfReq id=0x1 addr
 0.0.0.0]

As you didn't allow pap authentication, the connection is brought down.
 Jan 6 21:30:08 firewall pppd[4949]: rcvd [LCP TermReq id=0xb4] 00 00 00 00
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 00 00 00 ...

I cut the rest, as this is normal disconnecting.

What is the output of grep -v ^# /etc/ppp/peers/dsl-providers ?
Mine (with nined out user ident):
--
plugin /usr/lib/pppd/pppoe.so
user [EMAIL PROTECTED]
noipdefault
defaultroute
hide-password
lcp-echo-interval 20
lcp-echo-failure 3
connect /bin/true
noauth
persist
mtu 1492
-
Don't forget the @t-online.de in your user name.

 does anybody know any solution to this problem ?
I hope this solved it.
The package worked out of the box for pppoe t-dsl


 thanks for any help
You're welcome ;)

 mike

Eric Wolzak






Re: [leaf-user] PPPoE and static IPs

2002-11-03 Thread Eric Wolzak
Hello Stephen

 Hi, 
 
 I have a friend moving to Florida where he will connect to Sprint DSL
 service with static IP. At his old location he was connected to a
 provider with static IP via Bering 1.0rc2. Since Sprint DSL uses PPPoE,
 will he still need the PPPoE.lrp package even if static IPs are used?
He will still need the pppoe plugin and a configuration file (and
pppoe.lrp isn't much more :) ). So the answer is yes.
You might want to change the noipdefault setting.

regards 
Eric Wolzak
member of the Bering Crew.





Re: [leaf-user] Configuring remote logging.

2002-10-22 Thread Eric Wolzak
Hello Troy, part of this is already answered by Jeff.
Just one remark: I don't know if you used the correct rule in Shorewall.
 I have also made a rule in shorewall to allow my windows box to 
talk to the firewall on port 514.

It is more the firewall talking to the Windows box.

So you should allow
firewall to local udp port 514
ACCEPT  fw  loc  udp  514

You wrote:
 I'm attempting to configure remote logging on a LEAF Bering
 router and I am wondering if anyone can show me the proper way to go about
 it.
   This is what I have entered in the syslog.conf file. The
 syslog client is running on my windows box at 192.168.140.25 listening on
 port 514. 
   It does not seem to be working and I just want to be sure if
 I have not misconfigured the router. Can anyone please show me the proper 
   syntax for this. I have also made a rule in shorewall to
 allow my windows box to talk to the firewall on port 514. I am pretty sure I
 goofed 
   on the settings on the syslog.conf. Thanks in advance. Troy
 
   #
   # Log everything remotely. The other machine must run syslog
 with '-r'.
   # WARNING: Doing this is unsecure and can open you up to a
 DoS attack.
   #
 
   *.*;auth,authpriv.none
 @192.168.140.25:514.192.168.140.25:514
   *.*;daemon.*
 @192.168.140.25:514.192.168.140.25:514
   *.*.=info;*.=notice;*.=warn;\
   auth,authpriv.none;\
   cron,daemon.none;\
   mail,news.none
 @192.168.140.25:514.192.168.140.25:514
 
Regards 
Eric Wolzak
member of the Bering Crew





Re: [leaf-user] help with ISDN?

2002-10-22 Thread Eric Wolzak
Hello Phillip 
some comments inline.
 
 Emailed the ISP what I saw, then talked to him.
 He was confused and couldn't get a terminal emulator to work
 to see for himself.
 
 So I said, Dude, the thing is not putting out  login:
 Is there a chance auth is CHAP or PAP?
 Oh yeah, I think it is.  ( Jeez)
 Well, Chap or PAP?
 Uh, I'm not sure, maybe CHAP? (Jeez)
 Unencrypted secret?
 I dunno.  (Jeez )
 
 So I turned on CHAP and got a couple dozen LCP exchanges.
Just a short help; this may solve the pap/chap problem too :)

The communication will be something like:
sent [LCP ConfReq id=0x1 asyncmap 0x0 magic 0xd7c7d0ab 
pcomp accomp]
Your side sending ConfReq with id 0x1.

rcvd [LCP ConfReq id=0x8b asyncmap 0xa auth pap 
magic 0x2279e419 pcomp accomp]
As an answer you receive: authentication is pap.

sent [LCP ConfAck id=0x8b asyncmap 0xa auth pap 
magic 0x2279e419 pcomp accomp]
You confirmed (ConfAck) that you use pap, as an answer to request
id=0x8b.

Now notice whether a connection at LCP level is established. If not, which
requests are not confirmed (acknowledged)?

After this the next step will be
sent [PAP AuthReq id=0x1 user=user password=hidden]

and if you have luck :)
rcvd [PAP AuthAck id=0x1 ]

Of course with chap things look like  send [ CHAP .]

During the first stage you could already find some lcp pings
sent [LCP EchoReq id=0x0  magic=0x83709a1d]
and the answers to this
rcvd [LCP EchoRep id=0x0 magic=0x52791570] 

If that is the case the hardware should be ok.

 Rejected me so now I'll read about CHAP.
 
 HOW can you run an ISP and not have someone on site or a quick
 phone call away who knows what they are doing?
(off topic) You can even run governments in that way ;)

I hope that this helps to find the cause of your problem.

Regards
Eric Wolzak
member of the Bering Crew
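
The LCP exchanges walked through in the ADSL message (the ConfRej of auth pap) and in the ISDN message above, as an added Python example that is not part of the original thread: it pairs each ConfReq from the peer with the reply that was sent and reports how the session ended. The two sample sessions are the log lines from those messages with wrapped lines rejoined and the syslog prefix and padding bytes dropped; the function names and verdict strings are hypothetical.

```python
import re

# Session from the ADSL message (wrapped lines rejoined, syslog prefix and
# trailing padding bytes dropped).
FAILED_SESSION = """\
sent [LCP ConfReq id=0x1 mru 1492 magic 0x3198d3b9]
rcvd [LCP ConfReq id=0xb2 mru 1492 auth pap magic 0x6061cca1]
sent [LCP ConfRej id=0xb2 auth pap]
rcvd [LCP ConfAck id=0x1 mru 1492 magic 0x3198d3b9]
rcvd [LCP ConfReq id=0xb3 mru 1492 magic 0x6061cca1]
sent [LCP ConfAck id=0xb3 mru 1492 magic 0x6061cca1]
sent [LCP EchoReq id=0x0 magic=0x3198d3b9]
sent [IPCP ConfReq id=0x1 addr 0.0.0.0]
rcvd [LCP TermReq id=0xb4]
"""

# Session from the ISDN message (wrapped lines rejoined).
OK_SESSION = """\
sent [LCP ConfReq id=0x1 asyncmap 0x0 magic 0xd7c7d0ab pcomp accomp]
rcvd [LCP ConfReq id=0x8b asyncmap 0xa auth pap magic 0x2279e419 pcomp accomp]
sent [LCP ConfAck id=0x8b asyncmap 0xa auth pap magic 0x2279e419 pcomp accomp]
sent [PAP AuthReq id=0x1 user=user password=hidden]
rcvd [PAP AuthAck id=0x1 ]
"""

# direction, protocol, code, id, then the option text up to the closing "]".
EVENT_RE = re.compile(r"\b(sent|rcvd) \[(\w+) (\w+) id=(0x[0-9a-fA-F]+)([^\]]*)\]")
# Options that carry one value in the lines shown on this page.
TAKES_VALUE = {"mru", "magic", "asyncmap", "auth", "addr"}


def parse_options(text):
    """Turn 'mru 1492 auth pap pcomp' into {'mru': '1492', 'auth': 'pap', 'pcomp': True}."""
    toks, opts, i = text.split(), {}, 0
    while i < len(toks):
        if toks[i] in TAKES_VALUE and i + 1 < len(toks):
            opts[toks[i]] = toks[i + 1]
            i += 2
        else:
            opts[toks[i]] = True
            i += 1
    return opts


def parse_events(log_text):
    """Extract every 'sent [...]' / 'rcvd [...]' packet line from pppd debug output."""
    return [{"dir": d, "proto": p, "code": c, "id": i, "opts": parse_options(o)}
            for d, p, c, i, o in EVENT_RE.findall(log_text)]


def diagnose(log_text):
    """Follow the negotiation and say where it stopped."""
    res = {"peer_auth": None, "auth_reply": None, "rejected": [],
           "peer_terminated": False, "authenticated": False}
    pending = {}                         # id -> options the peer asked for
    for ev in parse_events(log_text):
        if ev["proto"] == "LCP" and ev["dir"] == "rcvd" and ev["code"] == "ConfReq":
            pending[ev["id"]] = ev["opts"]
            if "auth" in ev["opts"]:
                res["peer_auth"] = ev["opts"]["auth"]
        elif (ev["proto"] == "LCP" and ev["dir"] == "sent"
              and ev["code"] in ("ConfAck", "ConfRej", "ConfNak")):
            asked = pending.pop(ev["id"], {})
            if ev["code"] == "ConfRej":
                res["rejected"] += sorted(ev["opts"])
            if "auth" in asked:          # our answer to the peer's auth demand
                res["auth_reply"] = ev["code"]
        elif ev["proto"] == "LCP" and ev["dir"] == "rcvd" and ev["code"] == "TermReq":
            res["peer_terminated"] = True
        elif ev["proto"] == "PAP" and ev["dir"] == "rcvd" and ev["code"] == "AuthAck":
            res["authenticated"] = True
    if res["authenticated"]:
        res["verdict"] = "authenticated"
    elif res["auth_reply"] == "ConfRej" and res["peer_terminated"]:
        # Peer asked for auth, the local pppd refused, peer closed the link:
        # check the user setting and the matching secrets entry.
        res["verdict"] = "auth-rejected-locally"
    elif res["peer_terminated"]:
        res["verdict"] = "terminated-by-peer"
    else:
        res["verdict"] = "incomplete"
    return res


if __name__ == "__main__":
    for name, text in (("ADSL", FAILED_SESSION), ("ISDN", OK_SESSION)):
        print(name, diagnose(text))
```
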





Re: [leaf-user] partial backup bug in Bering RC3

2002-10-09 Thread Eric Wolzak

Hello Brad,
you are right about the error. I would make a different change, to
prevent problematic entries in the exclude list.
Change:

/^[xXeE]/{
s/^[^   ]*[ ]*//
w '$EXCLUDE'
}' $LOCAL

to 

/^[xXeE]/{
s/^[^   ]*[ ]*//
w '$TMP_EXCLUDE'
}' $LOCAL

 
Thanks 
Eric Wolzak 
member of the Bering Crew 

Eric wolzak 


 I found what looks like a bug in Bering RC3's lrcfg.back.script
 that affects partial backups.  That script calls mk_inc_part()
 for partial backups which populates the $INCLUDE and $EXCLUDE
 files based on the contents of the $LRPKG/$PACKAGE.local file
 for the package being backed up.
 
 After mk_inc_part() is run, line 172
 
   sed 's/\/$//' $TMP_EXCLUDE > $EXCLUDE
 
 runs and clobbers the initial $EXCLUDE from mk_inc_part().
 I think line 172 should be:
 
   sed 's/\/$//' $TMP_EXCLUDE >> $EXCLUDE
                              ^^
 Eric W or Jacques, can you confirm?
 
 --Brad
 
 
 



Re: [leaf-user] Bering VPN questions-School project

2002-10-03 Thread Eric Wolzak

Hello Craig 

Why do you want to use a tunnel through your school net to the
private student net?
By this method you protect the private student net against attacks
from the school net, but it opens up the school net a little bit more to the
outside world
(it is more difficult to get into a tunnel from the outside than to leave
a tunnel ;) ).
I would think that it is safer to keep the school LAN apart from the
student LAN.

Why don't you use a different setup?

internet ---Bering Box 1 --school Lan
internet -- Bering Box 2 --- --Private Student Lan

or even with a second network card in Box 1 as
internet Beringbox . School Lan
  ^
  1
Private Student lan 
You could use your second Bering box for additional security or
some other useful task.


All three setups can be done with Bering.
regards 

Eric wolzak

member of the Bering Crew

 Hi folks,
 At our high school, we have some extra, public IP addresses. For a
 project, I want to set up 2 Bering boxes. I want to use our extra public
 IP addresses and have the internet traffic to these addresses flow
 through the first Bering box to the final Bering box which will service
 several boxes on a LAN. In between the two Bering boxes is the school
 LAN, which I (obviously) need to safeguard, so I'm thinking that I need
 to create a VPN between the two Bering boxes and have all traffic
 tunnel through??? The purpose is to set up boxes on the internal
 private student LAN that students can access from home, etc. by using
 the public IP addresses (We want them to experiment with creating web
 sites and experience, invariably, getting hacked, etc. while
 protecting the existing school LAN).
 
 Internet-Bering Box 1(School LAN)-Bering Box 2-Private
 Student LAN
 
 1.) This should be pretty easy to do with Bering, shouldn't it?
 2.) Will the internal school LAN be effectively protected by creating a
 VPN between the two boxes?
 3.) Any problems with my scenario that you can see? Comments,
 suggestions...??? (I welcome ALL thoughts and suggestions)
 
 Thank you,
 Craig






Re: [leaf-user] Bering VPN questions-School project

2002-10-03 Thread Eric Wolzak

Hello Tom, of course you are right that it can be done safely, but I
still have some second thoughts about potential hackers being
behind the net I have to secure. In that case I have to defend my
school net from both sides,
especially if the students can execute programs on their net.
Then they could attack the second Bering box to get access to the
school net.

If it was my school I would prefer to use a DMZ for the student net
and put my second Bering box between the first and the school net.
So I would have some logs about what is going on. ;)

Regards Eric Wolzak
 
 
 Another approach would be to use Craig's original topology but on Bering 
 Box 2, make the School LAN a separate zone (nested in its 'net' zone). You 
 can then make the student-school policy REJECT and the student-net 
 policy ACCEPT.
 
 -Tom
 -- 
 Tom Eastep\ Shorewall - iptables made easy
 AIM: tmeastep  \ http://www.shorewall.net
 ICQ: #60745924  \ [EMAIL PROTECTED]
 







Re: [leaf-user] Backup problems - partial backup in Bering

2002-10-01 Thread Eric Wolzak

Hello Lars 

You wrote : 

 Hello
 I am trying to set up and testing a VPN-network with Bering and Ipsec. For
 testing I am using VmWare (on W2000). VmWare can only read 1,44MB disk and
 my plan was to strip down a disk and use Partial Backup and a CD-image.
 
 But I can not get Partial Backup working correct.
 I am using Bering_1.0-rc3_img_bering_1680
 I have removed all except:
   initrd
   root
   etc
   local
   modules
   shorwall
 
 I am doing a full Backup on initrd and trying to do Partial on the rest.
 
 The only changes I have done to the disk are adding the files for the CD
 (IDE) in /boot/... and removing some modules in /lib/modules
 
 I get the message for all package I try to do a Partial Backup:
 
 WARNING - List of local configuration files not found!
   Defaulting to package files in /etc and /varlib/lrpkg
 
 I am also losing information e.g. settings for the interfaces after the
 backup.
 
 I have used the Partial Backup on Dachstein without problem and I can not
 find any information that helps me.
 
 Anyone who can help me?
 
 /Lars Emilsson
 
There is some help on partial backup at
http://leaf.sourceforge.net/devel/jnilo/bubooting.html#AEN1168
but on reading it again I have to admit it could be a little bit clearer
;)

Partial backup is a means of backing up that part of the package that
changes (usually because you configured some settings).
It cannot be the only backup.
The idea, as you recognised correctly, is that the bulk program
package is on one (for example a read-only) medium and a smaller
part, usually the configuration files, is written to a space-limited or
slow (e.g. a floppy) medium.
I will now describe how to perform this using a CD and a floppy.
I use these devices because it is easier to read, but it can of course be
done with other media as well.

Now what should happen at boot time:
The package is loaded from CD and is installed (which means
extracted to its definitive destination). At this moment the configuration
is in the state in which you wrote the package to CD (usually a default setting).
Now the partially backed up file is read from the floppy and the
files are extracted to their destination, replacing the default values
with your settings.

During backup the program has to know what files should be
backed up. So it is possible to use a configuration file for each
package to list what files are in the partial backup (a lot like the list
for the full backup).
This file is called packagename.local and contains lines with
I /nameof the files  to include this file 
and
E/name_of_a_file to exclude name_of_a_file
Always include
I/var/lib/lrpkg/PACKAGENAME so at least packagename.local is
backed up.

Now to your questions.
1. If this .local file is not found, then the backup assumes that you want
to back up the configuration files, hence all files belonging to this
package and located in /etc, and the /var/lib/lrpkg/thispackage files.
This is for most situations a good selection.
Note: this is not an error.

2. If at reboot the order in which the packages are loaded is not CD
and after that floppy, you will overwrite the configured files with the
ones from CD and all your settings are lost again.
Read the chapter on partial backup and order of file loading at

http://leaf.sourceforge.net/devel/jnilo/bubooting.html#AEN1168

Note: if I recall correctly, the search order is slightly different from the
Dachstein CD version.


Hope this helps 

Eric Wolzak
member of the Bering Crew 






Re: [leaf-user] PPPoE difficulty

2002-09-20 Thread Eric Wolzak

Hello Scott
Comments inline 

 I'm trying out Bering for a remote office, mostly because I've been using (and 
 loving!) Tom Eastep's Shorewall.
 
 This remote office has SBC Ameritech DSL, which uses PPPoE.  I used a 
 CoyoteLinux floppy, and everything worked fine.  Using Bering, though, I fail 
 to connect to the DSL.
I assume you use the pppoe like described in the installation guide
 I read this message in the archives:
 http://www.mail-archive.com/leaf-user@lists.sourceforge.net/msg07764.html
 which seems like my problem, as evidenced by these lines from the syslog:
The message Couldn't increase MTU or MRU to 1500 has no
effect on your ability to connect.
There seems to be a problem with the login sequence.
Comments inline
 
 Sep 20 16:57:41 firewall pppd[12169]: Plugin /usr/lib/pppd/pppoe.so loaded.
 Sep 20 16:57:41 firewall pppd[12169]: PPPoE Plugin Initialized
 Sep 20 16:57:41 firewall pppd[30223]: pppd 2.4.1 started by root, uid 0
OK
 Sep 20 16:57:42 firewall pppd[30223]: Serial connection established.
This is a rather strange message for me.
Try to comment out all pty *
 Sep 20 16:57:42 firewall pppd[30223]: Couldn't get channel number: 
 Input/output error
 Sep 20 16:57:42 firewall pppd[30223]: ioctl(PPPIOCGFLAGS): Bad file descriptor
 Sep 20 16:57:42 firewall pppd[30223]: Exit.
 Sep 20 16:57:43 firewall pppd[17649]: Connection terminated.
 Sep 20 16:57:43 firewall pppd[17649]: Doing disconnect

Now  your computer tries again.

 Sep 20 16:58:13 firewall pppd[17649]: Sending PADI
 Sep 20 16:58:13 firewall pppd[17649]: HOST_UNIQ successful match 

User name in options and pap-secrets match

 Sep 20 16:58:13 firewall pppd[17649]: HOST_UNIQ successful match 
 Sep 20 16:58:13 firewall pppd[17649]: Got connection: 1614
 Sep 20 16:58:13 firewall pppd[17649]: Connecting PPPoE socket: 00:10:67:00:1c:25 1416 eth0 0x807c260
 Sep 20 16:58:13 firewall pppd[17649]: using channel 2
 Sep 20 16:58:13 firewall pppd[17649]: Using interface ppp0
 Sep 20 16:58:13 firewall pppd[17649]: Connect: ppp0 -- eth0
 Sep 20 16:58:13 firewall pppd[17649]: Couldn't increase MTU to 1500.
 Sep 20 16:58:13 firewall pppd[17649]: Couldn't increase MRU to 1500
 Sep 20 16:58:13 firewall pppd[17649]: Couldn't increase MRU to 1500

Until here everything seems ok 

 Sep 20 16:58:13 firewall pppd[17649]: LCP terminated by peer

Now your provider cut the connection.

 Sep 20 16:58:13 firewall pppd[17649]: Couldn't increase MTU to 1500.
 Sep 20 16:58:13 firewall pppd[17649]: Couldn't increase MRU to 1500
 Sep 20 16:58:16 firewall pppd[17649]: Connection terminated.
 Sep 20 16:58:16 firewall pppd[17649]: Doing disconnect
 
 I tried using all three of the pre-configured options in dsl-provider:
 pty pppoe -I eth0 -T 80 -m 1452
 pty pppoe -I eth0 -T 80
 pty pppoe -I eth0 -T 80 -m 1412
 but none of these worked.
comment them all out. (it works here without all of them)
 Thanks in advance for any suggestions!

1. Check your shorewall setting: ppp0 is the external interface (not eth0).

Add the line debug 7 in your dsl pppd options.

Now you will have additional messages, like the following.
The messages are shortened to stay readable.
 
 sent [LCP ConfReq id=0x1 magic 0x32bx]
 rcvd [LCP ConfReq id=0xb3 mru 1492 auth pap magic 0xc04y] 00 ...
 sent [LCP ConfAck id=0xb3 mru 1492 auth pap magic 0xc04y]
 rcvd [LCP ConfAck id=0x1 magic 0x32bx] 00 00 00 .
 
 sent [LCP EchoReq id=0x0 magic=0x32x]

Now follows the authentication request 

 sent [PAP AuthReq id=0x1 user=[EMAIL PROTECTED] password=hidden]
 rcvd [LCP EchoRep id=0x0 magic=0xc04yy] 00 00 00 00 00 00 00 00 00 00 00 00
 rcvd [PAP AuthAck id=0x1 ] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
 
--- OK, your authentication is successful; notice the change of the 
protocol.
What follows now is the debate about what ip number you will get. 

 sent [IPCP ConfReq id=0x1 addr 0.0.0.0]
 rcvd [IPCP ConfReq id=0xf3 addr 11.22.33.44] 00 00 00 00 00 00 00 00 00 00
 sent [IPCP ConfAck id=0xf3 addr 11.22.33.44]

OK you take this IP ;) 
Now the same happens for the peer's IP.

I hope this will help you to find the cause.

Some frequent problems are:
1. Including special characters in name and/or password and not 
putting the name and/or password in quotes ("")

2. Wrong external interface: eth0 and not ppp0 as it should be

3. Automatic dialing of pppd to serial with a file in /etc/ppp, see 
manual.

Regards Eric Wolzak
member of the bering crew
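
The walk-through above (discovery, LCP, PAP, IPCP) as a small log classifier, plus a redaction step for pppd debug output before it is posted to a public list. This is an added example, not part of the original message or of Bering; the function names and both sample logs are constructed for illustration.

```shell
#!/bin/sh
# Added example: report how far a pppd PPPoE session got, and strip
# credentials from pppd debug output before sharing it.

# pppd_last_phase: reads pppd log lines on stdin, prints "<phase> <verdict>"
# for the last connection attempt found in the input.
#   phase:   none | discovery | link | lcp | auth | ipcp
#   verdict: incomplete | peer-terminated | auth-rejected | up
pppd_last_phase() {
    phase=none
    verdict=incomplete
    while IFS= read -r line; do
        case $line in
            *"Sending PADI"*)           phase=discovery; verdict=incomplete ;;
            *"Connect: ppp"*)           phase=link ;;
            *"rcvd [LCP ConfAck"*)      phase=lcp ;;
            *"rcvd [PAP AuthAck"*)      phase=auth ;;
            *"rcvd [PAP AuthNak"*)      verdict=auth-rejected ;;
            *"[IPCP "*)                 phase=ipcp ;;
            *"remote IP address"*)      phase=ipcp; verdict=up ;;
            *"LCP terminated by peer"*) verdict=peer-terminated ;;
        esac
    done
    echo "$phase $verdict"
}

# redact_pap: hide the PAP user name (and the password, if pppd was told
# to show it) in debug output read from stdin.
redact_pap() {
    sed -e 's/user="[^"]*"/user="<redacted>"/' \
        -e 's/password="[^"]*"/password=<redacted>/'
}

# Constructed sample 1: syslog lines in the form quoted in the message
# (no debug option set, so LCP/PAP/IPCP packets are not visible).
sample_syslog() {
    cat <<'EOF'
Sep 20 16:58:13 firewall pppd[17649]: Sending PADI
Sep 20 16:58:13 firewall pppd[17649]: Got connection: 1614
Sep 20 16:58:13 firewall pppd[17649]: Connect: ppp0 -- eth0
Sep 20 16:58:13 firewall pppd[17649]: Couldn't increase MTU to 1500.
Sep 20 16:58:13 firewall pppd[17649]: LCP terminated by peer
Sep 20 16:58:16 firewall pppd[17649]: Connection terminated.
EOF
}

# Constructed sample 2: a session with debug output that completes.
sample_debug() {
    cat <<'EOF'
sent [LCP ConfReq id=0x1 <magic 0x32b0>]
rcvd [LCP ConfAck id=0x1 <magic 0x32b0>]
sent [PAP AuthReq id=0x1 user="user@isp.example" password=<hidden>]
rcvd [PAP AuthAck id=0x1 ""]
sent [IPCP ConfReq id=0x1 <addr 0.0.0.0>]
rcvd [IPCP ConfReq id=0xf3 <addr 192.0.2.1>]
sent [IPCP ConfAck id=0xf3 <addr 192.0.2.1>]
local  IP address 192.0.2.44
remote IP address 192.0.2.1
EOF
}

echo "syslog only: $(sample_syslog | pppd_last_phase)"
echo "with debug : $(sample_debug | pppd_last_phase)"
sample_debug | redact_pap | grep 'PAP AuthReq'
```

A result of "link peer-terminated" means the peer closed the link before any authentication was visible, which is the point at which the debug option becomes useful.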





Re: [leaf-user] Bering-rc3: Weblet says Error for Firewall - yet Weblet says /var/log only used 6%

2002-09-18 Thread Eric Wolzak

Hello Jay, just to clarify things: the Error message in the firewall just 
indicates that the number of logged Firewall packets is greater than 
the Error warn level.
You can set this in the weblet configuration file.
The default settings are:
<screen>
# Firewall thresholds: deny/reject messages
WRN_FW=5
ERR_FW=50
</screen>
After 5 logged packets the status is warn, after 50 it is error.
The log files are rotated once a day and after this the firewall is 
again in status ok. 
You can change these settings.

If you have to worry about a number of logged packets or not 
depends on the source and the kind of packets.

 I have, they are all looking at port 53 
This could have several reasons; there was a thread for some time 
about using 53 for load balancing.  
It could also be a wrongly configured computer on the inside.
 
  It says: '146 denied or rejected packets'
 Yes. but the firewall weblet says error after only 146. I've done port scans
 before and got this to say 3200 before the weblet said error.
 
The weblet error level is 50 by default. 
The reason you got different values after turning red is:
The amount of logged packets is checked when you show the index page. 
Now if you let your browser stand at this screen, the next time the 
packets are counted is after the refresh time (oops, there is none :() 
or if you press the refresh button on your browser.
So if you are portscanning you got 1 packet = green.
After some time you reload the page and now the number of 
packets is over the threshold of 50 (independent of by how much).
(During portscanning there are a lot of packets showing up.)
I guess I have to include the refresh in the index page ;)
The space on /var/log is not tested yet and has got nothing to do 
with the firewall level; in the next version it will be checked in the 
diskspace. 


  BTW, if you are portscanning the firewall from outside, this is normal!
 I wasn't at the time, if i do a external portscan, it lasts alot longer
 (usually around the 3000 mark) before going to error status..
 
 Confused..
 
 
 - Original Message -
 From: Luis.F.Correia [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Monday, September 16, 2002 6:07 PM
 Subject: RE: [leaf-user] Bering-rc3: Weblet says Error for Firewall - yet
 Weblet says /var/log only used 6%
 
 
  You should check the /var/log/messages file
 
  You'll find the offending packets.
 
  BTW, if you are portscanning the firewall from outside, this is normal!
  The firewall logs EVERY 'invalid' packet. As you can see from below,
  It says: '146 denied or rejected packets'
 
  That's it!
 
  -Original Message-
  From: Jay Langford [mailto:[EMAIL PROTECTED]]
  Sent: Monday, September 16, 2002 6:49 AM
  To: [EMAIL PROTECTED]
  Subject: [leaf-user] Bering-rc3: Weblet says Error for Firewall - yet
 Weblet
  says /var/log only used 6%
 
 
  Hi EveryOne!
 
  I've got the following setup:
  Bering-rc3
  shorwall-1.3.7b
  *Single Floppy Setup
 
  On the following hardware:
  P166Mhz
  64MB RAM
  1.44MB Floppy
  64K ISDN Ext. Modem (Serial)
 
  I've just got the basic rules as per the setup in the installation guide
 
 
  ** Weblet says the following re: Firewall
  
  firewall Firewall Status: error
  You have 146 denied or rejected packets in your recent packet logs.
  
   I've seen this cranked up as far as 3200 (Note: This was after a
   series of
  portscans to check the firewall)
 
 
  ** Weblet says the following about my RAM disk.
  ---
  Filesystem   1k-blocks  Used Available Use% Mounted on
  /dev/root         6144  3256      2888  53% /
  tmpfs            15292     4     15288   0% /tmp
  tmpfs             2048   124      1924   6% /var/log
  --
 
  Does anyone know what i should be checking? or if i should be running over
  to the wall and unplugging the phone cord?
 
  Thanks!!
 
  ~Jay
 
Eric Wolzak
member of the bering crew





[leaf-user] Webbased configuration

2002-08-28 Thread Eric Wolzak

Hello Ed, Mohan, Erich, Lynn, Brad, Craig and Charles, for your 
reactions on the web-based configuration thread.

If I may summarize the results 
we need an optional webbased configuration package. 

This should be modular, so everybody takes the modules he needs
as a base there should be modules for the standard items .

Text-based configuration must still be possible. 

It doesn't have to fit on a floppy based firewall (although, if 
somebody has this option it would be fine ;) ).

For a more secure connection, it could be useful to tunnel the 
webserver.

Requirements from my point of view:
- no major change to the distro necessary.  
..

I hope I didn't cut off someone's opinion too much.

A webtool that allows all those requirements is 
webmin, but the perl package needs 8-9 Mb unpacked
(does someone know a miniperl?)
 and the webmin as tar.gz is about 30 Mb.
The last one can be cut, omitting alternative 
languages, alternative operating systems and not 
used servers, but I estimate it will still be 
about 10 Mb  
I tested webmin on a pII bering system and it runs 
acceptable. I don't know how well this functions 
on my 486er router. (not enough ram :( )

Advantage of webmin, there are all kinds of 
modules. Adaption is much easier than building 
from scratch. 

Disadvantage memory and CPU.

Alternatively, use the same fields and write the 
engine in shell.script or php using sh-httpd. or a 
small server (boa, thttpd)

Advantage probably, less memory and cpu consuming.

Disadvantage we have to start from zero, and are 
on our own.

...
I think any how, this should be a project for a group, who wants to 
contribute. 


Regards
Eric Wolzak
member of the Bering Crew.

 





Re: [leaf-user] telnet to LEAF bering box.

2002-08-27 Thread Eric Wolzak

Hello Andrew, list 
 On Tue, 27 Aug 2002, Meng, Andrew wrote:
 
  Hello,
  
  I want to administrator LEAF box using telnet, I have done:
  
  1 In inetd.conf, uncomment in.telnetd.
  2 In securetty, add ttyp0 and ttyp1
  
  But it still does not work(refused connection...), can anyone shed any light
  on this?
 
the following is a part of a new bering user guide page still under 
construction, if you ignore the xml , I hope it will help 

<sect2><title>Remote Administration with Telnet</title>
<para>I don't want to start a discussion over the security aspects of 
telnet here. Be aware that telnet is much less secure than ssh, but 
especially for floppy users with a trusted internal network it might be 
interesting to use telnet nevertheless.
</para><para>
What do I need:
<itemizedlist>

in.telnetd.lrp
lncurses.lrp
</itemizedlist>
both can be found on the 
<ulink>http://prdownloads.sourceforge.net/leaf/Oxygen_Mar.2001_pkg_packages.tar.gz</ulink> of oxygen.
copy both to the floppy disc and add them to the list of packages to 
load.
<title>open up the firewall for telnet from the localnet</title>
edit shorewall rules
Add:
<screen>
ACCEPT  loc fw  tcp 23
</screen>
edit /etc/inetd.conf
uncomment the line:
<screen>
telnet  stream  tcp nowait  root    /usr/sbin/tcpd /usr/sbin/in.telnetd
</screen>
allow root to use the virtual console
edit /etc/securetty
add:
<screen>
ttyp0
ttyp1
</screen>
for each ttypX you get a new console, it could be useful to limit this 
to one or two.
backup root, etc and shorewall.

</para></sect2>

<greetings ;)>
Regards
</greetings ;)>

Eric Wolzak 
member of the bering crew
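
A check that the three files edited in the guide section above expose telnet no further than the guide intends: only from the loc zone, and with root login on at most two pseudo-terminals. This is an added example, not part of the original message or of Bering; the function names and the sample files are constructed, and the rule format is the zone/port column layout shown in the message.

```shell
#!/bin/sh
# Added example: audit telnet exposure on a Shorewall-based firewall.

# telnet_audit RULES INETD_CONF SECURETTY
# Prints one finding per line; nothing is printed when telnet is disabled
# and no rule or tty entry widens access.
telnet_audit() {
    rules=$1; inetd=$2; securetty=$3

    # 1. Is the telnet line in inetd.conf active (not commented out)?
    if grep -Eq '^[[:space:]]*telnet[[:space:]]' "$inetd"; then
        echo "inetd: in.telnetd is enabled"
    fi

    # 2. Any ACCEPT rule for tcp 23 to the firewall from a zone other
    #    than loc (loc or loc:<address> is what the guide describes)?
    awk '$1 == "ACCEPT" && $3 == "fw" && $4 == "tcp" &&
         ($5 == "23" || $5 == "telnet") &&
         $2 != "loc" && $2 !~ /^loc:/ {
             print "rules: telnet to the firewall allowed from zone " $2
         }' "$rules"

    # 3. How many pseudo-terminals accept a root login?
    n=$(grep -Ec '^ttyp[0-9]+$' "$securetty" || true)
    if [ "$n" -gt 2 ]; then
        echo "securetty: root login allowed on $n pseudo-terminals"
    fi
}

# write_sample DIR exposed|as-described : constructed configuration files.
write_sample() {
    dir=$1
    printf 'telnet\tstream\ttcp\tnowait\troot\t/usr/sbin/tcpd\t/usr/sbin/in.telnetd\n' \
        > "$dir/inetd.conf"
    if [ "$2" = exposed ]; then
        printf 'ACCEPT loc fw tcp 23\nACCEPT net fw tcp 23\n' > "$dir/rules"
        printf 'tty1\nttyp0\nttyp1\nttyp2\nttyp3\n' > "$dir/securetty"
    else
        printf 'ACCEPT loc fw tcp 23\n' > "$dir/rules"
        printf 'tty1\nttyp0\nttyp1\n' > "$dir/securetty"
    fi
}

demo=$(mktemp -d)
write_sample "$demo" exposed
telnet_audit "$demo/rules" "$demo/inetd.conf" "$demo/securetty"
rm -rf "$demo"
```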





[leaf-user] Re: [Leaf-devel] serial IP of null modem cable?

2002-08-26 Thread Eric Wolzak

Hello Joey 



http://www.thelinuxreview.com/howto/ppp/index.lxp?lxpwrap=c1768%2ehtm


 I have an old laptop that is running Linux that I'd rather not invest in a
 pc-nic for it, but I do have a null modem serial cable to connect to the LRP
 box.  Is there a way to get an IP over the serial line.  Similar to using a
 modem I would think?  Or is this something that has not been done.  And to
 take it a step further, how difficult would it be to setup a modem to accept
 a connect within a Dachstein/LEAF enviroment.

Yes it is possible, depending on what you want to do.
1. Remote terminal: then you can use the serial line as connection to a 
terminal 
http://www.tldp.org/HOWTO/Remote-Serial-Console-HOWTO/index.html
On Charles' pages there is also a howto ( more compact ;) )

2. You want a real ip to do some firewall testing, auditing etc.; in that 
case you run a pppd server on one and a ppp client on the other ( in 
reality these are the same programs :=)

http://www.thelinuxreview.com/howto/ppp/index.lxp?lxpwrap=c1768%2ehtm

one link from the ppp howto.


 Just something I was thinking of this weekend...
Just something I answered on monday ;) 

 
 Joey Officer
 Sales  Operations

Eric Wolzak
member of the Bering Crew.





(Fwd) Re: [leaf-user] Bering ipsec question

2002-08-25 Thread Eric Wolzak

And one for the list.

Hello Abjin
The problem you have is due to the way the package system handles 
which files are included. 
The files are backed up with the package that describes them the most 
precisely. 

1- If in one package list there is /etc/ppp
and in the second /etc/ppp/options, then options is backed up in the 
second.
This is correct in your specification. 

2- If a file is listed in two different packages then it is NOT backed up.

The reason for this is that the package system functions like this:
It creates a list of all files and deselects the files that are listed in 
another package's include list according to rule 1.
As your specifications are identical in both ipsec and ipsec509 they 
are not backed up ( gives small files ;) ) 

If you remove etc/ipsec* etc/ipsec.conf and etc/ipsec.secrets from 
one of the two then everything will backup.
Now you get the package from cdrom.


 Hi,
 
 I am trying to configure ipsec. After making changes to the ipsec.conf and 
ipsec.secrets files I made a backup of ipsec
 and ipsec509, but when I reboot the system both .conf and .secrets files go back to 
the default page and all the changes
 I have made is gone. Backup works fine for all the modules except ipsec  ipsec509.
 This is my lrpkg.cnf file
 
root:f,etc:f,local:f,modules:f,shorwall:f,ipsec:f,ipsec509:f,mawk,dhcpd:f,dnscache:f,weblet:f,tcpdump,libpcap,ifconfig
 
 I have these entries in /var/lib/lrpkg/ipsec.local and /var/lib/lrpkg/ipsec509.local
 
 I etc/ipsec*
 I etc/ipsec.conf
 I etc/ipsec.secrets
 
 Thanks
 Abjin
Regards
Eric Wolzak
member of the bering crew

--- End of forwarded message ---
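
The two rules described above, modelled as a check that says which package would back up a given file. This is an added example and not Bering's lrcfg code: it assumes "most precise" means the longest matching include entry, and the function names and sample include lists are constructed (the ipsec entries are the ones quoted in the message).

```shell
#!/bin/sh
# Added example: which package backs up a file, under the two rules above.

# match_len FILE < include-list
# Prints the length of the most precise "I <pattern>" entry matching FILE
# (the pattern itself, or anything below it), or 0 if none matches.
match_len() {
    max=0
    while read -r kind pat; do
        [ "$kind" = I ] || continue
        case $1 in
            $pat|$pat/*)
                if [ "${#pat}" -gt "$max" ]; then max=${#pat}; fi ;;
        esac
    done
    echo "$max"
}

# owner_of FILE DIR
# DIR holds one <package>.local include list per package.
# Rule 1: the package with the most precise entry wins.
# Rule 2: if two packages describe the file equally precisely, nobody
#         backs it up ("none").
owner_of() (
    file=$1; dir=$2; best=0; owner=none
    for f in "$dir"/*.local; do
        pkg=$(basename "$f" .local)
        len=$(match_len "$file" < "$f")
        if [ "$len" -gt "$best" ]; then
            best=$len; owner=$pkg
        elif [ "$len" -gt 0 ] && [ "$len" -eq "$best" ]; then
            owner=none
        fi
    done
    echo "$owner"
)

# Constructed include lists: ipsec and ipsec509 are identical, as in the
# configuration quoted in the message.
make_sample_lists() {
    d=$(mktemp -d)
    printf 'I etc\n' > "$d/etc.local"
    printf 'I etc/ppp/options\n' > "$d/ppp.local"
    printf 'I etc/ipsec*\nI etc/ipsec.conf\nI etc/ipsec.secrets\n' > "$d/ipsec.local"
    cp "$d/ipsec.local" "$d/ipsec509.local"
    echo "$d"
}

lists=$(make_sample_lists)
for path in etc/hosts etc/ppp/options etc/ipsec.conf etc/ipsec.secrets; do
    echo "$path -> $(owner_of "$path" "$lists")"
done
rm -rf "$lists"
```

Emptying one of the two identical lists makes the remaining package the owner again, which is the fix proposed in the message.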





Re: [leaf-user] No screen / Beep at startup

2002-08-22 Thread Eric Wolzak

 Hello,
 
 I don't want to connect a screen to my leaf firewall.
 
 Some time ago, I found a script or a command which produced 3 beeps when the
 firewall had finished to boot up...
 
 Do you know that command / script ?
 
 Thanks a lot.
 
 Blaise

Hello Blaise 
I use beep.lrp, about 3 K; this is an lrp package originally from oxygen.
The binary beep can beep in different duration and frequency. 
As I use it to signal interface up and down, it is possible to take for 
example for one the ascending frequency, for the other the descending.
This is the advantage over a simple echo character 07 that only allows 
a different count of beeps.

In bering a command after interface up/down is already implemented; 
you only have to take care that beep.lrp is loaded. 


To hear if your firewall is up, you could edit a file called 
/etc/shorewall/start; this is executed after shorewall is started.
Insert 
beep -f 1200 -n -f 1800 -n -f 600  
and you hear a melody. 
For composers there could be a complete shorewall song ;) 

regards 
eric wolzak
member of the bering crew
 



Re: [leaf-user] Backing up .lrp with Bering CD

2002-08-19 Thread Eric Wolzak

Hello Craig, in the backup menu the options provided directly are only 
the ones you are booting or getting packages from.
It is however no problem to backup to another medium.
 To backup for example package 3 to a floppy do the following
in the backup menu

d 3
   Set Backup Destination

   1) fd0u1680 msdos
   
  c) custom destination
  q) quit

selection:  c  

Device [fd0]: 
Now you put in the device name without any /dev stuff before it.
To backup to a 1,44 floppy in drive 2  ( /dev/fd1u1440)
Device [fd0]: fd1u1440
Filesystem : msdos

Now you will return to the backup menu with fd1u1440 as backup device.
Something to improve is to take the new medium into the devices to choose from ( 
up to me ;) ) 

PS it could be interesting for you to do a partial backup, only write the 
configuration files to disk 
Good Luck

Eric Wolzak
member of the bering crew 

 Hi folks,
 I notice that I don't have an option to back up packages to a floppy
 disk from the main menu with my Bering CD. Do I need to modify my
 isolinux.cfg file and somehow add a /dev/fd0 entry to allow for this or
 is there something else I need to do? Below is my isolinux.cfg file
 entries. Thank you.
 
 Craig
 
 display syslinux.dpy
 timeout 0
 default linux initrd=initrd.lrp init=/linuxrc root=/dev/ram0
 boot=/dev/cdrom:iso9660 PKGPATH=/dev/cdrom:iso9660
 
 
 
 



RE: [leaf-user] Backing up .lrp with Bering CD

2002-08-19 Thread Eric Wolzak


Hi Craig, Francois, Jeff and list
 
To change a destination you have to specify for what package you want 
a different backup. 
So d followed by the name or the number of the package.
To backup etc you have to put:

Selection d 3

Then you will have the destination available.
I mentioned in my previous post that a custom destination is not saved 
and so it doesn't show up the next time you want to change a 
destination. 
I have a fix for this that will be included in the next release.

change  
/usr/bin/lrcfg.back 
in function SetDest() 
line 132: change  
qt mv $CONFF $CONFB
sed "${PKGn}s:=.*\$:=-t $FS /dev/$DEV:" $CONFB > $CONFF
qt rm $CONFB
---
to 
qt mv $CONFF $CONFB
sed "${PKGn}s:=.*\$:=-t $FS /dev/$DEV:" $CONFB > $CONFF
# remember a custom destination so that it is offered the next time
if ! grep -q "$DEV $FS" $LRPKG/pkgpath.disks; then
    echo "$DEV $FS" >> $LRPKG/pkgpath.disks
fi
qt rm $CONFB

In text: if the backup device $FS is not yet in the pkgpath disk then 
insert it.

Backup root.lrp after this change.

Attention: this is only necessary to keep the custom destination also for 
the next package.  Backing up does function already.

Regards 
Eric Wolzak
member of the Bering team



 Hi folks,
 I tried backing up .lrp packages from the main lrcfg menu by selecting
 option d, but unfortunately you get an Unknown package! error
 instead of being able to select your floppy drive. I then recreated
 another Bering CD with the package path statement in my isolinux.cfg
 file to look like- PKGPATH=/dev/cdrom:iso9660,/dev/fd0:msdos but that
 doesn't work either. Is there another way to enable your floppy drive as
 a backup destination option using a bootable CD??? Thank you...have a
 great week!
 
 Craig
 
 
 
 



Problem 1 3.6.lrp was Re: [leaf-user] How to update Shorewall on Bering

2002-08-16 Thread Eric Wolzak

Hello Tom, Korry  
I also noticed that the latest.lrp (shorewall 1.3.6) has a changed entry in 
shorewall.config that could cause problems, 
STATEDIR=/tmp/shorewall
this should probably be
STATEDIR=/var/lib/shorewall as it was before. (Tom, am I making a 
mistake here? )

 had to 
 retry the 1.3.6 version just to be sure it wasn't me. The result is that 
 Shorwall.lrp 1.3.6 will not work on Bering as it is. I searched the mail 


 archives and saw where another user had the same issue some time back. 
 There was speculation but I saw no solution in the thread. I am quite 
 happy with 1.3.3 since I can now use the Dynamic Blacklisting to control
 my kids late night surfing. Does the later version offer anything that I
 should have such as improved security?
 
 Thanks again for a great package.

I absolutely  agree with that !  

Regards Eric Wolzak
member of the bering crew
 







Re: [leaf-user] Sloooow Starting system log daemon: syslogd

2002-08-15 Thread Eric Wolzak

Hello  Craig, Ray, jeff and list 

 Hi folks,
 Whether I use my Bering floppy or my really cool, new bootable Bering CD
 (yeehaw!), I get this message on boot-up- Starting system log daemon:
 syslogd and it seems to take a really long time to get beyond it. Is
 that normal for Bering??? I'd say it takes, maybe, 2 or 3 minutes to
 get beyond that. What do you think? Thanks!
 
 It means the system has a problem with DNS resolution. DNS requests time 
 out after 3 minutes. I forget now what DNS thingie syslog is doing on 
 startup, but it is some sort of reverse lookup, possibly of the host's own 
 IP address --- you can tell by checking your logs to see what is reported 
 with an IP address instead of FQN.
 
 To eliminate the delay, fix the DNS problem. (I'm calling it DNS, but 
 that's not really correct; it's a resolver problem, which can be fixed by a 
 suitable /etc/hosts file as well as by getting DNS working.)
As Ray stated:
This is in effect a timeout; the syslog tries to resolve the host name it is 
running on at startup. You probably have a non-official name for your 
firewall, so dnscache cannot resolve the name.
As soon as you have a correct host entry in /etc/hosts the problem is 
solved.  ( the fqdn of your firewall is probably different from 
firewall.private.network , as is mine ;) )
 
Regards 
Eric Wolzak
member of the bering crew





Re: [leaf-user] Cannot backup network configuration

2002-08-11 Thread Eric Wolzak


Hi Abjin
 
 Hi,
 
 I created a Bering cd and when I boot the cd after backing up all the 
configuration changes, I find that my network
 configuration is not getting saved during backup. I made changes to network 
configuration several time, made backup and
 every time when I reboot the network files default to the initial file. These are 
the files that I load from lrpkg.cfg.
 
root,etc,local,modules,shorwall,openssl,mawk,ipsec,ipsec509,dhcpd,dnscache,weblet,tcpdump,libpcap

How did you backup, on a floppy ? probably yes, are you sure that the 
backed up files are loaded during booting. 

To test if your etc.lrp is backed up correctly you should do the following:

mount /dev/fd0u1680  /mnt if you have a 1680 Kb floppy or
mount /dev/fd0u1440 /mnt if you have a 1440 Kb (normal) floppy

then 
cp /mnt/etc.lrp   /
cd  /
lrpkg -i etc.lrp 

now check the settings in interface etc. If they are now set to the correct 
value,  you have a good backup, but a problem with loading the correct 
package.
If etc.lrp doesn't exist, you possibly tried to backup to the cdrom ( look 
at the destination option.)

Now look at the lrcfg backup menu 
after a new boot: what backup device is listed as the backup device for 
etc? 
If this is CD then the cdrom is loaded as the only one or as the last one.
Did you specify the F or R options in syslinux.cfg? 
Look at 
http://leaf.sourceforge.net/devel/jnilo/bubooting.html
in the section 9.5

Good Luck
regards

Eric Wolzak 
member of the Bering Crew







Re: [leaf-user] isdn help needed

2002-08-02 Thread Eric Wolzak

 I have an old, never used ISDN modem, 3Com Impact IQ, for FREE.
 This gets me outa my ISP's router and I can use a Linux router and
 do my kinda VPN, firewall, dmz, etc.  YEAH!
 
 But I don't know how.
 
 1)  This modem comes with Windows install floppies.
  Surely that doesn't mean it actually configures the modem?
 
 2)  The modem will connect to my serial port
  Does that mean my external interface will be  ttyS0?
  Or do I use ppp somehow and my interface is ppp0?
 
 3) How do I connect?  For my dialup connection I use wvdial.
Are ISDN modems anything like Hayes command set?

 
 4)  BIG Question.   My linux is not configured for ISDN.
  But the ISDN Subsystem part of config seem to be about
   ISDN card drivers.
  Do I need to configure in ISDN?
 
 5)  the only help on the internet comes from Germany and seems to be
   about ISDN4.  
This information is about ISDN4linux ( isdn for linux).
That is a program used among others on the eigerstein and Bering floppy to control 
ISDN cards! 
The program is of no use for you if you use an external modem.

Regards Eric Wolzak
member of the bering crew





Re: [leaf-user] Bering installation guide for additional modules

2002-07-31 Thread Eric Wolzak

Hello Godfired 

 I have transferred my Bering-rc3 files to a hard disk and boots up ok.  I added  
more programs to syslinux.cfg but found out that not all were started
 and that defeats the whole purpose of booting from the hard disk. 
 Is there any other way to add more programs tp syslinux.cfg?
What is the reason that they are not starting? 
Look at the bootup screen: if they are marked nf, that means they are not found, 
perhaps a typo.
If they are just ignored, then your syslinux.cfg has too many characters.
In the last case there is an easy workaround.
Create a file lrpkg.cfg on your boot media. 
Copy into this file everything that is written after LRP=
so if you have  LRP=root,etc,ppp..
the content of lrpkg.cfg is
root,etc,ppp

After booting, all package devices are checked for this file.

regards
Eric Wolzak 
member of the bering crew

 
 
 



Re: [leaf-user] Re: re sh-httpd perm Bug

2002-07-30 Thread Eric Wolzak

 Of course weblet is still doing something I consider wrong -- it's saying
 the firewall is in red light / ERROR mode just because it has 251 denied
 or rejected packets.  Isn't this the whole point of a firewall, to deny and
 reject those packets?  How is this an ERROR?  At worst, it should be at
 yellow alert.
This depends on what you log and in what environment you are.
On some of my internal boxes 251 would be a whole lot :) 

You can change the settings for your individual system in 
3) Packages configuration  
Weblet

2) LRP web page configuration


# Warning/Error thresholds for the weblet utility
# Disable checking of any value by setting it to -1

# Firewall thresholds: deny/reject messages
WRN_FW=5
ERR_FW=50

WRN_FW is the number of logged packets after which the color 
changes to yellow

ERR_FW is the number of logged packets to change to red


 Dan Harkless
 [EMAIL PROTECTED]
 http://harkless.org/dan/
 
Eric Wolzak
member of the bering Crew
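
The WRN_FW/ERR_FW thresholds from this message and from the 2002-09-18 reply further up, applied to a log, together with a per-source and per-port breakdown, since whether a count matters depends on the source and kind of packets. This is an added example, not weblet's own code: the "greater than" comparison follows the wording of the earlier reply, the Shorewall:chain:DROP/REJECT log prefix is assumed, and the log lines are constructed.

```shell
#!/bin/sh
# Added example: weblet-style firewall status plus a breakdown of what
# was actually denied.

# Default thresholds as quoted in the message; -1 disables a check.
WRN_FW=5
ERR_FW=50

# Assumed log prefix written by Shorewall for denied/rejected packets.
FW_RE='Shorewall:[^:]*:(DROP|REJECT):'

# fw_count: number of denied/rejected packets in the log on stdin.
fw_count() { grep -Ec "$FW_RE" || true; }

# fw_status COUNT -> ok | warn | error
fw_status() {
    n=$1
    if [ "$ERR_FW" -ge 0 ] && [ "$n" -gt "$ERR_FW" ]; then
        echo error
    elif [ "$WRN_FW" -ge 0 ] && [ "$n" -gt "$WRN_FW" ]; then
        echo warn
    else
        echo ok
    fi
}

# fw_top: "count source proto/port" per line, most frequent first.
fw_top() {
    grep -E "$FW_RE" | awk '{
        src = dpt = proto = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            else if ($i ~ /^PROTO=/) proto = substr($i, 7)
        }
        hits[src " " proto "/" dpt]++
    } END { for (k in hits) print hits[k], k }' | sort -k1,1nr -k2,2
}

# Constructed log: an inside host repeatedly rejected on port 53, one
# outside probe, and one line that is not a firewall message.
sample_log() {
    i=0
    while [ "$i" -lt 6 ]; do
        echo "Sep 16 06:4$i:01 firewall kernel: Shorewall:loc2net:REJECT:IN=eth1 OUT=ppp0 SRC=192.168.1.20 DST=203.0.113.53 LEN=60 PROTO=UDP SPT=103$i DPT=53 LEN=40"
        i=$((i + 1))
    done
    echo "Sep 16 06:47:12 firewall kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= SRC=198.51.100.7 DST=192.0.2.44 LEN=60 PROTO=TCP SPT=40000 DPT=23"
    echo "Sep 16 06:50:00 firewall pppd[17649]: Connect: ppp0 -- eth0"
}

count=$(sample_log | fw_count)
echo "status: $(fw_status "$count") ($count denied or rejected packets)"
sample_log | fw_top
```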



Re: [leaf-user] What are syslinux.cfg and/or lrpkg.cfg files ???

2002-07-30 Thread Eric Wolzak


 Hey Erich,
 I think I now understand (and agree with you) that the purpose of the
 lrpkg.cfg is to override the CD. But I have not seen ANY documentation
 on what should be included within it and why. If you know of some
 instructions, tutorial, etc. I would enjoy seeing it. Thank you.

lrpkg.cfg was created to override the CD or to be able to specify a 
longer configuration line. 
In lrpkg.cfg you write everything you would have written in 
syslinux.cfg after LRP=

You can read something about this file in 
http://leaf.sourceforge.net/devel/jnilo/bubooting.html

Look at the booting from CDRom part.


Eric Wolzak
member of the bering Crew
 
 Craig
 
 
 
 







[leaf-user] re sh-httpd perm Bug

2002-07-29 Thread Eric Wolzak

Hello Dan, list

you wrote:  (Answer at the end , sorry (Copy and paste :) )

Dan Harkless [EMAIL PROTECTED] writes:
 In any case, doing a leaf-user archive search, it looks like one of the
 bugs I was going to report (sh-httpd should be in group 4 rather than 10,
 or it can't read log files after they get cycled) has already been
 discussed. Since the bug tracking isn't really used, though, it's not
 really possible to verify that this will be addressed in the successor to
 1.0-rc3...

Actually, I just came across this page:

http://leaf.sourceforge.net/article.php?sid=43mode=nestedorder=0

which explains that sh-httpd was intentionally changed to GID 10 (which it
erroneously calls the wheels group, but that's wheel, singular) in 1.0-rc3
to get weblet to work with the grsecurity-patched kernel.

So it would appear that my above-mentioned fix of putting the group back to
4 (adm) isn't valid.  I'm curious why not, though.  That's how my copy of
Bering is currently running (and I have rebooted since the change), and
weblet appears to be working fine.  What is it that wasn't working for the
authors until the sh-httpd group was changed to wheel?

If it _is_ necessary for sh-httpd to be in wheel, either the log-cycling
cron jobs (including the weblet-specific one) will need to be changed to
use -g wheel, or they'll need to be changed to use -m 644 instead of -m
640.  This would seem to be a reasonable change, as the default (empty) log
files that come with Bering are indeed mode 644.  They don't get changed to
mode 640 until the log cyclers run, and this disjoint seems undesirable.

--
Dan Harkless
[EMAIL PROTECTED]
http://harkless.org/dan/

--
What doesn't function anymore if the group of sh-httpd is adm are parts of the
viewsys page: the listing of the modules, for example.
This was the reason the wheel (not wheels, you are right ;)) group was used.
In the new release of weblet the modification to the cron job assigning the
logfiles to -g wheel is already done.

Thanks for your feedback.

Eric Wolzak 
member of the bering crew.





Re: [leaf-user] O.K. *how* do I put it? (cgi-question)

2002-06-15 Thread Eric Wolzak


Hello Jon
 Hi again
 
 So my 'blinder' project is moving along. I got (almost) everything in
 working order. I still need to do a couple of things before I start
 cleaning up, and move everything into the 'proper' fhs-locations. But
 none of that is really all that complicated.
 There is one obstacle remaining, however, that I *am* going to need help
 with.
 
 Using the weblet and some cgi-scripts I can now generate a crontab which
 includes the original content, and has some entries added that will call
 the programs to open/close my blinds at designated times.
 
 For a number of reasons I decided to generate this file in a temporary
 location, as opposed to try and edit /etc/crontab on the fly. It works,
 and reliably generates the file as it should look.
 
 My problem at this stage is getting the generated file inserted into the
 system. Because of the (very sensible) fact that cgi-scripts may not
 write to crontab, and setting suid on the script doesn't work either,
 I'm kind of stumped on how to achieve this.
1. As you are not afraid of security problems you could solve this rather easily by 
changing the user running the sh-httpd to root.
Change the   
www stream  tcp nowait  sh-httpd /usr/sbin/tcpd  /usr/sbin/sh-httpd 
to 
www stream tcp nowait root 
and restart inetd.

2. Second possibility: create a cron job that looks for an alternative crontab at 
regular intervals and inserts this alternative one in the main crontab.

3. Make a small c-script that reads your alternative file and writes it to crontab.
This file can be owned by root, suid 4755.
Execute this file from a special page or option in cgi-bin.
 ..
 Questions:
 Is there a sensible way to let a cgi-script update crontab? Without
 opening ridiculous security issues, like hacking sh-httpd to let cgi
 execute outside of cgi-bin...
 

 Does cron allow for 'sourcing' of additional files from /etc/crontab?
 (Like adding a: . /path/to/sh-httpd/writeable/file to /etc/crontab)
look above
 
 Can I have cron look at a (different) crontab that is writeable by 
 sh-httpd?
yes see above
 Most of the programming that I've already done is probably full of
 security issues, as it is, but I don't worry too much about that (yet), as the
 whole thing is well shielded from the Net. Even so, I'd rather avoid
 having to open up the system even further.
 
 If anyone is curious, there's a dummy version of the form that I built
 at http://bund.dk/~jon/blinder somewhere. And the function that's my
 problem is with the Commit Changes-button... Never mind the colors/layout,
 though, I'm *not* a web-programmer ;-P
 
 I know this is borderline [OT], but I figure this list is my best bet at
 getting some useful tips on this. Sorry if I'm being a nuisance, but
 well...
 
 TIA
 
 Jon Clausen
regards

Eric Wolzak
member of the Bering crew.
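
The second possibility in the reply above (a root cron job that picks up a file written by the CGI user), shown as an added example that is not part of the original thread. It treats the staged file as data rather than as crontab text: the CGI is assumed to write lines of the form `HH:MM open|close`, and the paths, the blinds program name and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread or from LEAF/Bering.
# Root-side merge of a schedule written by the unprivileged web user.
# Assumption: the CGI writes lines "HH:MM open" or "HH:MM close".
# The web user never supplies command text; root renders the cron lines.

BLINDS_CMD=/usr/local/bin/blinds   # hypothetical program name
RUN_AS=root                        # user field for /etc/crontab entries
MAX_LINES=32                       # upper bound on accepted entries

# is_num VALUE MAX -> 0 if VALUE is one or two decimal digits and <= MAX
is_num() {
    case $1 in
        [0-9]|[0-9][0-9]) ;;
        *) return 1 ;;
    esac
    n=${1#0}                       # drop one leading zero (08 -> 8)
    [ -n "$n" ] || n=0
    [ "$n" -le "$2" ]
}

# render_entries FILE
# Prints one crontab line per valid schedule line.
# Returns non-zero as soon as any line is not exactly "HH:MM open|close".
render_entries() {
    count=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        count=$((count + 1))
        [ "$count" -le "$MAX_LINES" ] || return 1
        time=${line%% *}
        action=${line#* }
        case $time in *:*) ;; *) return 1 ;; esac
        hh=${time%%:*}
        mm=${time#*:}
        is_num "$hh" 23 || return 1
        is_num "$mm" 59 || return 1
        case $action in
            open|close) ;;
            *) return 1 ;;         # rejects "open; rm ...", paths, etc.
        esac
        printf '%s %s * * * %s %s %s\n' \
            "$mm" "$hh" "$RUN_AS" "$BLINDS_CMD" "$action"
    done < "$1"
    return 0
}

# merge_crontab BASE STAGED OUT
#   BASE    root-owned crontab without the blinds entries
#   STAGED  file written by the CGI user (untrusted)
#   OUT     crontab to install, e.g. /etc/crontab
# OUT is replaced only when every staged line validates.
merge_crontab() {
    base=$1 staged=$2 out=$3
    # Plain files only; the content is validated below in any case.
    [ -f "$staged" ] && [ ! -L "$staged" ] || return 1
    entries=$(render_entries "$staged") || return 1
    tmp=$out.new.$$                # same directory, so mv is a rename
    {
        cat "$base" &&
        printf '# --- blinds schedule (generated) ---\n' &&
        printf '%s\n' "$entries"
    } > "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 644 "$tmp" && mv "$tmp" "$out"
}

# Called with three paths (from root's cron job) it performs one merge;
# without arguments it only defines the functions.
if [ $# -eq 3 ]; then
    merge_crontab "$1" "$2" "$3"
fi
```

Because sh-httpd can only write the schedule file, a bad or hostile line leaves the installed crontab as it was, and sh-httpd keeps running as its unprivileged user.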


___

Don't miss the 2002 Sprint PCS Application Developer's Conference
August 25-28 in Las Vegas - 
http://devcon.sprintpcs.com/adp/index.cfm?source=osdntextlink


leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html



Re: [leaf-user] modules needed for pppoe?

2002-06-07 Thread Eric Wolzak

Hello Georg

 Are these (Bering) modules necessary for pppoe?
 
 ppp_async.o
AFAIK no
 ppp_deflate.o
could be useful by decompressing
AFAIK no
 ppp_mppe.o

 
 They don't show up in lsmod.
Correct
They are not loaded in the standard setup .
 That's nearly 70KB.  Ka-ching!
uncompressed that is :) 

Regards Eric Wolzak
member of the bering crew




Re: [leaf-user] PPP/PPPoE problems - continued

2002-06-07 Thread Eric Wolzak

I assume you use pap for pppoe : ? 
if so then you don't need provider, isp login script 


 Here are my PPP/PPPoE scripts. Are the settings valid for a dynamically 
 assigned aDSL connection?
 
 Provider file:
 
 # ISP pppd options file
 # What follows is OK for Compuserve
 #
 noauth
 debug   # log transaction to /var/log/messages
 /dev/ttyS0  # (ttyS0=com1, ttyS1=com2, ...)
 115200  # baud  rate
 modem
 crtscts # use hardware flow control
 asyncmap 0
 defaultroute # ppp becomes default route to the internet
 noipdefault
 lock # don't let other processes besides PPP use the device
 connect /usr/sbin/chat -v -f /etc/chatscripts/provider
 
 ISP Login script:
 
 # ISP login script
 # What follows is OK for Compuserve
 # Adjust to your taste
 ABORT BUSY
 ABORT NO CARRIER
 ABORT VOICE
 ABORT NO DIALTONE
 ABORT NO ANSWER
  ATZ
 # ISP telephone number: 124567890
 OK ATDT1234567890#
 CONNECT ''
 Name: CIS
 # With compuserve your_login_account=12345,6789
 ID: your_login_account/go:pppconnect
 Password: your_password
 PPP
 
 Options file:

Options OK

 
 # /etc/ppp/options
 asyncmap 0
 auth
 crtscts
 lock
 hide-password
 modem
 proxyarp
 lcp-echo-interval 30
 lcp-echo-failure 4
 noipx
 
 There is no entry in the CHAP file, but the PAP file contains my username and 
 password.
 
 Here's my config file for PPPoE:
 
-
Here there is something different . 



 # Configuration file for PPP, using PPP over Ethernet
 # to connect to a DSL provider.
 #
 plugin /usr/lib/pppd/pppoe.so
 
 # MUST CHANGE: Uncomment the following line, replacing the [EMAIL PROTECTED]
 # by the DSL user name given to your by your DSL provider.
 # (There should be a matching entry in /etc/ppp/pap-secrets with the password.)
 name [EMAIL PROTECTED]
 
 # Use the pppoe program to send the ppp packets over the Ethernet link
 # This line should work fine if this computer is the only one accessing
 # the Internet through this DSL connection. This is the right line to use
 # for most people.
 pty pppoe -I eth0 -T 80 -m 1452

despite the previous comment this can be left commented out 
 
 # If the computer connected to the Internet using pppoe is not being used
 # by other computers as a gateway to the Internet, you can try the following
 # line instead, for a small gain in speed:
 #pty pppoe -I eth0 -T 80
 
 # An even more conservative version of the previous line, if things
 # don't work using -m 1452...
 #pty pppoe -I eth0 -T 80 -m 1412
 
 
 # The following two options should work fine for most DSL users.
 
 # Assumes that your IP address is allocated dynamically
 # by your DSL provider...
 noipdefault
 # Comment out if you already have the correct default route installed
 defaultroute
 ##
 # Section 2
 #
 # Uncomment if your DSL provider charges by minute connected
 # and you want to use demand-dialing.
 #
 # Disconnect after 300 seconds (5 minutes) of idle time.
 
 #demand
 #idle 300
 
 ##
 # Section 3
 #
 # You shouldn't need to change these options...
 
 hide-password
 lcp-echo-interval 20
 lcp-echo-failure 3
 # Override any connect script that may have been set in /etc/ppp/options.
 connect /bin/true
 noauth
 persist
 mtu 1492
 
 Anyone spot anything wrong here, that would cause my connection to fall over 
 every so often and not get up?
 
See above, although I am not sure if this is the reason. 
If it doesn't work try the debug option. 
 Thanks,
 
 Adam.
 
Regards Eric Wolzak




Re: [Leaf-devel] Re: [leaf-user] To Bering users: help us to release 1.0

2002-06-03 Thread Eric Wolzak

Hello Charles , KP and list
   Another point is the handling of /lib/modules.
   Charles' approach in Dachstein-CD has been an intelligent /etc/modules and
   load process - with mount/umount commands and cd capability. Eric creates a
   link and holds the CD mount in /cdmnt. Couldn't decide which way is
   better...
 
  Any feedback from the list on this issue ?
 
 I'd just like to point out that the mount/umount commands I provided when
 processing /etc/modules were intentionally made general purpose enough to
 support devices *OTHER* than the CD (ie hard-disk, flash-disk, etc), and
 even the possibility of loading modules from multiple devices.
 
 I can't comment on Eric's solution, since I'm not familiar with it, but I'd
 vote for whichever allows the most flexible run-time configuration (even if
 it's not my solution :-), as long as there are no big space problems (the
 extra code to process mount commands in /etc/modules was pretty small...I
 don't know about Eric's solution).
Sorry Charles, I have to look at your code. My idea was to mount the CD or whatever 
device the modules are on. 
At boot time a symbolic link is created from /lib/modules/kernelversion to the 
modules directory on the mounted device. 
That way programs that load modules dynamically (pcmcia) can find the modules 
too. 
Is it possible to create, for example, a script insmod that mounts the device, does the 
real insmod and unmounts the device again? 
I wanted to keep the modules that are not used out of the memory. (saves space)
My actual script only loads from cd but that could and will be changed to mount the 
device that has got the /modules directory. 
But I am always in for good (better) ideas. 

Regards Eric Wolzak
member of the bering crew




Re: [leaf-user] Re: Problem with userguide

2002-06-03 Thread Eric Wolzak


 On Monday 3 June 2002 13:30, J.L. Blom wrote:
  Dear sir,
  In your latest userguide you wrote for the setup using 2 floppies a
  syslinux.cfg which doesn't work in my system.
 
  The problem is the fact that it looks like you use a CR in line 3:
 
  display syslinux.dpy
  timeout 0
  default linux initrd=initrd.lrp init=/linuxrc root=/dev/ram0
  boot=/dev/fd0u1680:msdos diskwait=yes PKGPATH=/dev/fd0u1680
  LRP=root,etc,local,modules,pump,keyboard,shorwall,dnscache,sshd,ipsec,weblet


  Another problem I have is that when using the harddrive as disk to download
  extra packages (I use fetchmail and qmail a.o. on my firewall). This works
  well but when I try to backup the packages lrcfg can only look at the
  directory /mnt where the floppy disk is mounted. I hope you can help me out
 mount your hard disk at another point (e.g. /disk )
Why don't you use the PKGPATH=/dev/fd0u1680:msdos, /dev/hda1:msdos
I assume that your harddisk is hda1  then your packages will be loaded automatically
from the harddisk.
In that case both options harddisk and floppy will be presented to choose for a backup.
ps with backups the mounting point is /var/lib/lrpkg/mnt
  as I like the Bering firewall extremely well as it is the only one working
  with IP-tables. It is regularly checked by a security investigator from IBM
  who assures me that the firewall is completely closed. Moreover, I use it
  on an old Pentium system where the longest run was 2 months (I restart
  regularly to update the firewall) without any problem. I previously used
  Windows (!!) with Winroute which crashed approx. once a week (the system
  was only used as a firewall mailserver!).
good to hear :)
  Sincerely yours
 
  J.L. Blom
  [EMAIL PROTECTED]

Greetings to the Netherlands.


Eric Wolzak
member of the bering crew.




Re: [leaf-user] bering weblet

2002-06-02 Thread Eric Wolzak

Hi Kim

 hi all,
 
 I am playing around with the weblet found in bering, and noticed that the 
 firewall rules are
 displayed by displaying a firewall file in /var/sh-www/data. Now I wonder 
 which process is responsible
This is done by /etc/shorewall/start.
This file is called by shorewall after the firewall is up.
 for putting that file there? I want to make some minor adjustments like 
 adding linenumbers.
 
 I am also troubleshooting a little because the values for packets  bytes 
 look extremely low, most of them stay
 just 0.
The reason I used this setup was that weblet runs as a non privileged 
user and an iptables command can only be issued as root.
A variant to let a suid script do it should also be possible.
As the firewall doesn't change automatically (unless you use other than 
the standard scripts), to see the rules this is sufficient. To see the 
statistics it is of course not that good ;) 

Regards

Eric Wolzak
member of the bering crew




Re: [leaf-user] rdate

2002-05-29 Thread Eric Wolzak

Hello Joe, List 
you wrote
 Thanks for the tip about adjusting the lrp.conf to automatically run
 rdate.  This is a very nice feature of bering and it works quite well.
 
 I also updated my /etc/localtime file so that my clock would read my
 local time.
 
That would be the solution but what did you put there ;=)
Try date: if you've got your localtime, then everything is ok.
You should get the zoneinfo file from a linux distro, corresponding to your timezone.
Copy this about 1Kb large file to e.g. /usr/share/zoneinfo.
Make /etc/localtime a symbolic link to /usr/share/zoneinfo.
Now date will no longer show 16:21 UTC but 9:21 whatsyourtimezone.
The logging is also in localtime. 
Don't forget to backup root and etc.

 I noticed my logs seem to be using UTC for the time stamp.  Do you have
 any information that would allow me to use my local time for logging? 
 Having to subtract 7 hours every time I want to analyze my log file is
 getting to be a drag.
 
This is correct

regards 
Eric Wolzak

member of the bering crew.




Re: [leaf-user] rdate

2002-05-26 Thread Eric Wolzak

 Is there any way to add something to the Bering leaf distribution that
 will allow the firewall machine to keep proper time?
in:

system configuration -
master lrp settings -
/etc/lrp.conf

you will find 

# Server that will be contacted via 'rdate' for the time service daily.
# Turning this on also updates the CMOS clock
lrp_DATE_SERVER=put here your public timeserver

backup etc.lrp 

that should be all

Regards 
Eric Wolzak
member of the bering crew.
 
 I use rdate along with cron to keep my other machines in sync with
 timeservers, but I'm unsure about how to do this with Bering.
 
 -- Joe
 
 
 






Re: [leaf-user] ISDN with 16 lines/modems possible with Bering ?

2002-05-21 Thread Eric Wolzak

Hello Francois, 

 Hi folks and gurus !

 I have started Bering this week on PPPoE / WANADOO /
 France Telecom with success !
..
 But, my question is other today :
 One of my friends want to have 15/20 ISDN lines/modems to connect 
 externals employees to his company's mail server.
 This server have not other access, no Internet or WAN.
 
 CISCO has a router to do that, but, is it possible to do with Bering ?
I didn't try it out yet, as you have of course some hardware 
problems: most isdn cards only allow at most two connections, so 
you will run out of pci/isa slots and interrupts.
I used for the isdn connection the following program:
isdn4linux 
www.isdn4linux.de
The faq is rather extensive; 
of special interest will be:
http://www.isdn4linux.de/faq/i4lfaq-5.html#ss5.14
and a few links from this question.

http://www.isdn4linux.de/faq/i4lfaq-6.html#config_manycards

we limited the number of utilities in the isdn.lrp for reason of size, if 
you have a problem please feel free to ask again.
Please if you succeed in accomplishing this task report back too :)

Eric Wolzak
member of the Bering Crew


 Best Regards.
 Francois BERGERET 
 
 France
 
 [EMAIL PROTECTED]
 
 






Re: [leaf-user] Specifying directories in lrpkg.cfg

2002-05-17 Thread Eric Wolzak

Hello Kim, all

you wrote 
 
 Hi all,
 
 I just created my first bering cd and it works like a charm.
great :=)
 
 Still have a question though, I would like to add quite a few packages
 To the cd and organize them in subdirectories, so I was wondering if I could
 specify
 Subdirectories in lrpkg.cfg.
 
 In other words would
 
 root:f,etc:f,modules:f,local:f,subdir/tools/dns-utils:f
 
 Work??
Yes and no.  (more no ;) )
The pkg would be loaded, as this is done by gzip and tar; these 
programs get the complete path and file name.
As long as you don't want to do any configuration or backup, it 
should be ok but not advisable.

The problem however is that you won't find a configuration menu 
nor the possibility to save your files!

The path and file name are stored together as the package name.
To show the configuration menu:
The directory /var/lib/lrpkg is searched for files with the name 
package name.conf; this is not found as your conf file is named 
dns-utils.conf and not subdir/tools/dns-utils.conf

At the backup:
the backup program tries to find the file subdir/tools/dns-utils.list 
(which doesn't exist) and the next problem shows up as 
soon as the program tries to create /tmp/subdir/tools/dns-utils.lrp 
which also fails.

If there are more people interested in getting this fixed, it could be 
done, but would require some rewriting in the backup program 
and in the initrd (linuxrc), possibly breaking compatibility with other 
leaf versions.

Regards 

Eric Wolzak
member of the Bering Crew

___

Hundreds of nodes, one monster rendering program.
Now that's a super model! Visit http://clustering.foundries.sf.net/


leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html



Re: [leaf-user] Bering and MAC match support

2002-05-14 Thread Eric Wolzak

Hello Dragon

 I am using Bering with Shorewall 1.2.12. I can't seem
 to use a rule to filter by MAC address. Does the
 Bering kernel include CONFIG_IP_NF_MATCH_MAC support? Thanks.
 
Yes it is included as modular, so you have to load the appropriate 
modules before it works, you can do that automatically in 
/etc/shorewall/start  or by adding the module to /etc/modules


Get the modules from the modules.tar.gz file in the download area
I think that you need the net/ipv4/netfilter/ipt_mac.o 
I am not sure if there are some more dependencies, so you would 
eventually need to load some more modules. 

Eric Wolzak
member of the bering crew.

___

Have big pipes? SourceForge.net is looking for download mirrors. We supply
the hardware. You get the recognition. Email Us: [EMAIL PROTECTED]


leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html



Re: [leaf-user] multiple routing tables

2002-05-06 Thread Eric Wolzak


Hello David 

 I would like to be able to create multiple routing tables for a box with two
 interfaces for internet access and one for LAN.  I am using Dachstein
 v.1.0.2-1680.  Internet interfaces - eth0, eth2.  LAN - eth1.  I want to
 make sure that traffic originating from eth0 will go back out eth0 instead
 of eth2.  So to start creating the first routing table I type :
 ip rule add from 208.180.95.aaa lookup 1, but it gives me an error
 RTNETLINK answer:Invalid argument.

I think you made an error in the syntax. 
use table not lookup 1

ip rule add from 208.180.95.aaa table 1 

ip rule show will give you:
 32765:  from 208.180.95.aaa lookup x
this is what caused the error 

 If I do a ip addr all NICs are listed with IP addresses.  I can ping the
 internet all day long.
 I have read the IP how to, but I am not quite getting something.  Can
 someone give me some clues??
(did you read the advanced routing howto ? )
 thanks,
 David
Hope this will help you 

Eric Wolzak
Member of the bering crew 

http://leaf.sf.net/devel/ericw 
http://leaf.sf.net/devel/jnilo/bering 
 






Re: [leaf-user] Bering bootable cd (Help)

2002-05-02 Thread Eric Wolzak

Hello Kim

 I am trying to create a bering bootable cd, but can't quite get it to work.
 
 I must admit that I created my own kernel which probably doesn't make life 
 easier.
 I created the initrd.lrp myself and have done everything in the users 
 manual to create the cd.
 So far, I managed to get the cd to boot, but I am still having two problems.
 
 When loading the ide-probe-mod module I get a message stating that ide0  
 ide1 are already
 busy  that probe is as a result skipped. (this could be because I compiled 
 quite some idestuff in the kernel)
Try to remove or uncomment the modules. 

 Btw the new kernel was necessary to boot from flashmodule from apacer which 
 is an idedrive.
 
 At the end of /boot/etc/modules isofs.o is trying to load. I said trying, 
 because it is failing stating
 insmod: init_modules isofs.o device or resource busy
Did you use your own created modules, or did you download the 
modules (in that case you could have a problem due to the fact 
that the modules on the bering site are from a patched kernel)?
 Afterwards I get the tempfs  linuxrc 
 Installing packages : (all my packages are the (nf!) or not found  I get a 
 kernel panic stating that I tried to kill init.
It seems that your cdrom is not recognized; for that reason the 
packages are not found.
 If I use all the same .lrp files  kernel on the flash module everything 
 runs fine except for the above mentioned ide-probe  isofs problem.
 Which isn't a real concern when booting from the module.
I expect that you included  the flash rom ide support in the kernel 
itself.  After you boot from the ide-rom, can you mount the  cdrom  
or at least try to insmod the modules from boot/lib one by one 
and   try to mount the cdrom then.
Perhaps a conflict between the ide driver for the cdrom and the 
disk (Master slave conflict?) 
Hope I have given you a few hints where you might look for a 
solution. 

 Any help greatly appreciated.
 
 Kim

regards to all
Eric Wolzak
Member of the Bering Crew 

http://leaf.sf.net/devel/jnilo/bering
http://leaf.sf.net/devel/ericw




[Leaf-user] Re: bering port forwarding?

2002-04-24 Thread Eric Wolzak

Hello Joe

If I understand your drawing correctly you want to forward the 
request on your external address 207.5.x.y for port 80 (www) to the 
computer in the internal net with the ip number 192.168.1.200

In general : 
The information about portforwarding, you can find on the shorewall 
page  :www.shorewall.net
in this case under: documentation rules

Apart from the discussion if it isn't better to put your webserver in a 
dmz ;)   you can accomplish this by

Adding a rule to shorewall -rules

ACCEPT net loc:192.168.1.200 tcp www  -  207.5.xx.yy 

or if you have an external dynamic address

ACCEPT net loc:192.168.1.200 tcp www  -  all

Restart shorewall / or reload rules and you should be up.
Attention: you can not try it out from the local net by typing in your 
external address in a browser.
 Hello,
 I recently upgraded my version of LEAF to the current Bering release. I
 have an internal web server (configured with a static ip). I cannot seem
 to find any documentation on how to port-forward port 80 to my internal
 web server. Can you point me any where that can help me? Or do you have
 any suggestions? Your help would be much appreciated.
 
 Thanks- Joe
 [EMAIL PROTECTED]
 
Eric Wolzak
member of the Bering crew 



___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user



Re: [Leaf-user] Routing Problem with Dachstien CD and ISDN

2002-04-16 Thread Eric Wolzak

Hello  Andrew,  you wrote.

I have not done much with the dachstein -CD version, but I possibly 
found a cause.
I don't have a dachstein running ( using Bering :) )
The main difference between your eigerstein and your dachstein 
setup seems to be the route.
eigerstein
 139.130.0.0/16 dev ippp0  proto kernel  scope link  src 139.130.195.30

dachstein
 139.130.195.1 dev ippp0  proto kernel  scope link  src 139.130.195.30

The interface ippp0 is in eigerstein probably declared as 
139.130.0.0/16 so will be the firewall rules connected to this 
interface

In the dachstein version your firewall rules might be so that the 
ippp0 is only 139.130.195.1
check that.
From the route itself you should be able to route through ippp0 as 
the default route is directed in this direction.

The ippp0_MASKLEN is not set 
   eval local MASKLEN=\${$1_MASKLEN:-}
IMHO if you set ippp0_MASKLEN=16 then you should get the 
same setup as before


Eric Wolzak 
member of the Bering crew

---original message -

 I have configured a Dachstein CD firewall which I am using at home with a
 dialup system and it works very well and now have several deployed around
 Australia on remote sites for the company I work for.   The latter of these
 units are connected by modem to Bigpond Direct and have proven themselves to
 be very reliable.   My problem occurs when I updated the main office firewall
 to Dachstein CD.   This firewall currently is running Eigerstein with 2 ISDN
 channels and working very reliably but I wanted to upgrade to take advantage
 of the latest security features and additions.
 
 On the Eigerstein version, the routes are:
 
 # ip route
 203.47.153.64/26 dev eth1  proto kernel  scope link  src 203.47.153.65
 192.168.45.0/24 dev eth0  proto kernel  scope link  src 192.168.45.1
 139.130.0.0/16 dev ippp0  proto kernel  scope link  src 139.130.195.30
 default dev ippp0  scope link
 
 This has been working well. To get ISDN support for the DACHSTEIN CD
 version, I found the files where the devices are created and added the
 appropriate text to the files, /var/lib/lrpkg/root.dev.mk
 /var/lib/lrpkg/root.dev.mod and /var/lib/lrpkg/root.dev.own, copying the
 exact text to each file that had been used in the Eigerstein version I am
 currently running. The interface devices were created in /dev and all appear
 to run correctly except for the routing when the firewall starts. The routes
 on this machine are:
 
 # ip route
 139.130.195.1 dev ippp0  proto kernel  scope link  src 139.130.195.30
 203.47.153.64/26 dev eth1  proto kernel  scope link  src 203.47.153.65
 192.168.45.0/24 dev eth0  proto kernel  scope link  src 192.168.45.1
 default dev ippp0  scope link
 
 The address 139.130.195.1 is the peer address of the box when connected to
 the Bigpond Direct point of presence. The additions to the network.conf
 shown below were typed in exactly as they were in the previous version, so
 this may be part of the problem if some of the functions act differently in
 the DACHSTEIN CD version. The firewall, when tested, dialled and connected
 both channels in multilink configuration to the ISP but is only able to
 access ip addresses in the 139.130.0.0/16 address range. These are only
 within our ISP's internal network and therefore do not allow access to the
 internet at large.
 
 Any assistance would be greatly appreciated as I have been tearing my hair
 out for the last three weeks in my attempt to find the problem myself.
 
 Interfaces:
 # Interfaces to start on boot go here - ie ppp0 eth0
 # Do NOT include interfaces configured by dhcp!
 IF_AUTO="ippp0 eth0 eth1"
 
 # List of all configured interfaces, manual start and boot start
 IF_LIST=$IF_AUTO
 
 Device settings:
 
 ###
 # ISDN Link - the isdn.lrp is required for this to work. (External Interface)
 
 ###
 ippp0_IPADDR=139.130.195.30   # My IP Address, only set if not dynamic.
 ippp0_PTPADDR=139.130.195.1   # Their IP Address, again only if not dynamic.
 ippp0_MYMSN=38049800  # My telephone Number
 ippp0_REMMSN=30073300 # Their telephone number (The ISP)
 ippp0_IP_SPOOF=YES
 ippp0_IP_KRNL_LOGMARTIANS=NO
 # Simple QOS support, Options are same as ethernet above.
 ippp0_FAIRQ=YES
 ippp0_TXQLEN=64
 ippp0_BNDWIDTH=64kbit # Device Bandwidth
 ippp0_HNHL=3  # Queue Handle - must be unique
 ippp0_IABURST=25  # Interactive Burst
 ippp0_IARATE=30Kbit   # Interactive Rate
 ippp0_PXMTU=1500  # Physical MTU - includes Link Layer Header
 
 ippp1_IPADDR=139.130.195.30   # My IP Address, only set if not dynamic.
 ippp1_PTPADDR=139.130.195.1   # Their IP Address, again only if not dynamic.
 ippp1_MYMSN=38049800  # My telephone Number
 ippp1_REMMSN=30073300 # Their telephone number (The ISP

Re: [Leaf-user] Making Disk Images

2002-04-12 Thread Eric Wolzak

Under Linux use 

dd if=/dev/fd0u1680 of=yourfilename 
or if you have a 1440 disk
dd if=/dev/fd0  of=yourfilename

Under Windows you can use, for example, WinImage

http://www.winimage.com
to create a binary image from your disk or to write a disk from your
image.
With this program you can even create a self-installing exe file.

 Hello again,
 
 I would be very interested in making disk images of my modified LEAF 
 versions. I would like to do this for Linux images and perhaps a windows 
 installer as well. Can anyone point me in the right direction? What tools 
 are available to do so?
 
 Thanks,
 
 Jason Massey
 
Eric Wolzak

member of the Bering crew

http://leaf.sf.net/devel/jnilo/bering





Re: [Leaf-user] rdate, udp and Bering

2002-03-28 Thread Eric Wolzak

Hello Stephen, Michael 
 
 Stephen Lee wrote:
  
  On Thu, 2002-03-28 at 12:56, Michael D. Schleif wrote:

Thanks. I installed xntpd.lrp and pointed it to one of the public ntp
servers. The problem is that my hardware clock is so far off that it's
going to take ntpd a long time to synchronize the local time to the
remote ntp server time. I would normally use rdate to do a quick fix but
in this case rdate doesn't work with tock.usno.navy.mil. It, like all of
the other rdate servers tried, only accepts udp queries. I suppose if
all else fails I could manually set the time with 'date' and 'hwclock'.
  
   Try this:
  
 rdate -s ntp0.cornell.edu
  
  
  I get rdate: ntp0.cornell.edu: Connection refused on Bering boxes but
  it works on Eigerstein2b boxes. Could there be some firewall setting
  causing this problem?
As Tom already stated, it is.
rdate uses port 37 and this is denied by default.
Change the shorewall settings:
1) params

FW_TCP_OUT_PORTS=53,37
and restart shorewall (don't forget to backup).
 I do not know which `rdate' is in Bering.  Dachstein, c. uses busybox
 rdate.
Bering also uses Busybox v0.60.2 rdate.

 Regarding firewalled ports, have you checked these?
 
   ntp 123/tcp   Network Time Protocol
   ntp 123/udp   Network Time Protocol
 
With me rdate ntp0.cornell.edu functions after the modification I
indicated above.
The "Connection refused" comes from your own router, not from the
timeserver.

PS: you are talking about using rdate from the router, not from a
Linux machine in the internal network?
The parameter I talked about before is firewall --- timeserver.
Otherwise the firewall should not be blocking.

Regards

Eric Wolzak

member of the bering crew ;) 





[Leaf-user] Documentation ISDN on Bering

2002-03-26 Thread Eric Wolzak

Hello everybody

We have another chapter for our Bering User Guide ready.
This describes the use of Bering to make a ppp connection with the
help of a passive ISDN card.
You can find it at
http://leaf.sourceforge.net/devel/jnilo/busers04.html

Any comments and additions are welcome.

Jacques and Eric

the Bering crew :) 





Re: [Leaf-user] Bering with SSH and TinyDNS

2002-03-25 Thread Eric Wolzak

Hello Stephen

You wrote
   Has anyone managed to make a 1.68M Bering floppy image with SSH and
   TinyDNS? This was possible under Eigerstein.
  It will be very hard.
  sshd.lrp is about 312K
  You can try to remove those modules and packages you do not need.
  http://leaf.sourceforge.net/devel/jnilo/leaffw01.html#AEN197
  tc ppp pppoe keyboard bridge dhcpd pump are potential candidates
  + remove whatever is unnecessary in /lib/modules
  
  2nd solution (if you only have a single floppy drive)
  
  Make 2 copies of the same Bering floppy
  
  On the first one just keep the following 4 files:
  syslinux.cfg and dpy, linux, initrd.lrp
  edit the syslinux and add diskwait=yes after PKGPATH=/dev/fd0u1680
  
  On the second one (same format !) just keep whatever other packages you need.
  You will just keep the *.lrp files here
  You have 800K left from the previous operation !
  You will keep this second diskette in the floppy drive if you need to backup.
  You generally never need to backup initrd.lrp
 
 Thanks. Unfortunately most of my routers are only accessible via remote
 connection so 2 floppy booting is out of the question. Alternatively,
A rather cheap alternative solution is the use of a second floppy
drive. I use this setup with remote access for a Bering.

 how safe would it be to run a telnet daemon on Bering but only listen on
 the internal net where a linux box (running ssh) can access it? 
(A Windows box can too, using f.e. teraterm ssh.)
Be careful, this is going to originate a rather religious thread; some
on this list like telnet, some don't ;)

I would say it depends on how safe your internal network is.
If there are more people on your network and you don't trust them
completely, it is kind of a risk, as passwords are rather easy to
catch. And somebody logging into your router with root permission
is kind of scary. They could easily change your firewall etc.

Eric Wolzak

---Bering 






Re: [Leaf-user] Switching off LCD backlight on laptop

2002-03-23 Thread Eric Wolzak

Hello Christian
 Hello,
 
 I'm using Bering (great package !) on a Hewlett-Packard Omnibook 3000 I have
 dedicated to protect my home network.
 Almost everything is working smoothly except three points:
 
 - I have to start by-hand dnscache  (/etc/init.d/dnscache start) and I don't
 know why. No error message in logs, and the link in /etc/rc2.d is present.

 - I'm confused with PPP and PPPoE.
 In fact I want PPPoE to start at boot time but this is PPP (chap) which
 starts and fails miserably and PPPoE is not launched.
You have to switch off ppp at boot time. Leave the file
no_ppp_at _boot in /etc/ppp.
Change the external interface to ppp0: uncomment the following
lines in interface
# Option 1.3: PPP/PPPOE (modem connected to eth0)
auto ppp0
iface ppp0 inet ppp
        pre-up ip link set eth0 up
        provider dsl-provider eth0

Now ppp0, the pppoe interface, will be started at boot time.

More precisely (I hope) you can read this in:
http://leaf.sourceforge.net/devel/jnilo/busers03.html
 - How to switch off the backlight of the LCD screen when the laptop is left
 unattended for a while?
 I've set up the BIOS to switch off the screen after 5 minutes. That works,
 the screen is blanked but the backlight remains on...
 I know that this light can be switched off, because under KDE/Mandrake with
 the same laptop it works, but how? This is out of the question to put KDE on
 Bering :-)
Sorry, cannot help you there. You could look at the source code of
the function; this is probably a message to send to a port.
But isn't switching the screen off an alternative? FN-F7 (at least
on a ThinkPad)
 
 Thanks for your help.
 
 And again, this Bering package is really great, all of that on a floppy
 !
Merci :=)
 
 Christian - Grenoble
success

Eric Wolzak

Bering
http://leaf.sf.net/devel/jnilo
http://leaf.sf.net/devel/ericw






Re: [Leaf-user] ipchains ?

2002-03-23 Thread Eric Wolzak

Hello Antken
 i am just messing about on a spare machine with the Dachstein floppy image, 
 i forget which version it is anyway
 i am struggling with ipchains and how to use it on the command line
 so far i know how to list the rules in the chains and how to flush them

Depending on your setup (masquerading or not)
Make the first line an accept all or, if you are masquerading, f.e.
# ipchains -P forward DENY
# ipchains -A forward -i ppp0 -j MASQ
# echo 1 > /proc/sys/net/ipv4/ip_forward

from the guide below
(I use iptables, so I cannot check the rules)

 my first question is:
 how can i change the rules in the current chains to let all traffic in and 
 out ? ( i know this is dangerous but i am just messing on a test machine )
 
 second question:
 does any one know of a getting started with ipchains for dummies type guide ?

I think this is a rather good start.
http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO.html
And if you cannot get enough or want to know something about 
iptables look at  ( same author) 
http://netfilter.samba.org/unreliable-guides/
 
 third question:
 how would i go about  letting a particular port both in and out, for 
 example port  ?
For each part of the firewall (input, forward and output)
this rule should have the port specified and allowed.
But remember, the firewall script is not like routing:
it is not the rule that is the most accurate that determines what is
done with your package but the first rule that matches.
So it does not only depend on which rule but also on where it is
placed.
 thanks in advance to any one that replies to this
 antken
Sorry that I didn't give you the exact syntax, but I use iptables and
making a small mistake would give you more trouble than looking
the rule up yourself.

Greetings Eric Wolzak
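
The point about rule order made in the reply above, as an added example that is not part of the original post: a small Python model (not ipchains itself) in which a firewall chain is decided by the first matching rule while a routing lookup is decided by the longest matching prefix. The rules, addresses, device names and port 8080 are constructed for illustration.

```python
# Constructed model (not ipchains itself): first-match chain vs longest-prefix route.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src: str              # source network, CIDR
    dport: Optional[int]  # destination port; None matches any port
    target: str           # "ACCEPT" or "DENY"

    def matches(self, src_ip, dport):
        in_net = ip_address(src_ip) in ip_network(self.src)
        return in_net and (self.dport is None or self.dport == dport)


def chain_verdict(chain, policy, src_ip, dport):
    """Walk the chain top to bottom; the first matching rule decides."""
    for index, rule in enumerate(chain):
        if rule.matches(src_ip, dport):
            return rule.target, index
    return policy, None  # nothing matched, so the chain policy applies


def route_lookup(table, dst_ip):
    """Routing ignores order: the longest matching prefix wins."""
    hits = [(ip_network(net), dev) for net, dev in table
            if ip_address(dst_ip) in ip_network(net)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def shadowed_rules(chain):
    """Return (later, earlier) index pairs where the later rule can never fire."""
    found = []
    for i, later in enumerate(chain):
        for j, earlier in enumerate(chain[:i]):
            same_net = ip_network(later.src).subnet_of(ip_network(earlier.src))
            same_port = earlier.dport is None or earlier.dport == later.dport
            if same_net and same_port:
                found.append((i, j))
                break
    return found


# Constructed data: port 8080 and all addresses are placeholders.
BROAD_FIRST = [Rule("192.168.1.0/24", None, "DENY"),
               Rule("192.168.1.10/32", 8080, "ACCEPT")]
SPECIFIC_FIRST = list(reversed(BROAD_FIRST))
ROUTES = [("0.0.0.0/0", "ppp0"), ("192.168.1.0/24", "eth0")]

if __name__ == "__main__":
    for name, chain in (("broad first", BROAD_FIRST), ("specific first", SPECIFIC_FIRST)):
        print(name, chain_verdict(chain, "DENY", "192.168.1.10", 8080), shadowed_rules(chain))
    print("route:", route_lookup(ROUTES, "192.168.1.10"))
```

With the broad DENY placed first, the host-specific ACCEPT is reported as shadowed and never decides a packet; the routing table gives the same answer in either order.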





Re: [Leaf-user] Static routes in Bering

2002-03-22 Thread Eric Wolzak

Hi Paul

 Hi all,
 Just a quick question,
 how can I set routes in Bering? I can't seem to find it in the documentation
 anywhere.
 I know how to set them using iproute2 but don't know how to save them so
 they are there on a reboot.
 In Dachstein, it's by adding the ROUTE= command to each interface in Network
 conf is there a similar way in Bering?
The routes to the devices you have declared are set automatically
by shorewall; for extra routes you can add, after each interface,
"up" followed by the iproute command.
I give an example to add

route 192.168.3.0/24 and an extra address 192.168.3.245 to eth2
edit interfaces
()
auto eth2
iface eth2 inet static
        address 192.168.2.254
        masklen 24
        broadcast 192.168.2.255
# Up to here is the normal setup; the following commands are executed
# as the device comes up
        up ip addr add 192.168.3.245 dev eth2
        up ip route add 192.168.3.0/24 dev eth2
()


backup etc.

Greetings 
 
Eric Wolzak
(the bering crew)

http://leaf.sf.net/devel/ericw
http://leaf.sf.net/devel/jnilo




 Thanks in advance,
 
 Paul
 
 







Re: [Leaf-user] bering v1.0-rc1: 8139cp.o: undefined mii_ethtool_sset symbol

2002-03-21 Thread Eric Wolzak

Hello Doug others,

 I've downloaded and created a boot floppy with Bering v1.0-rc1.  I've got a nic with
 a RealTek 8139 chip, so I copied and installed the
 http://leaf.sourceforge.net/devel/jnilo/bering/latest/modules/drivers/net/8139cp.o
 driver.  When booting, it gives me 4 undefined symbols, the first of which
 is mii_ethtool_sset (the others start with mii_ too).
 
 Which module do I need to install to satisfy the linker?  I can run Dachstein with
 the rtl8139.o and pci_scan.o modules with no problems.
 
This is correct: you need the mii.o before the rtl8139.o and
rtl8139too.o

mii
rtl8139

in /etc/modules.

This is a change with respect to the previous 2.2 kernel versions.
 Thanx, Doug.
 
Eric Wolzak

http://leaf.sf.net/devel/ericw
http://leaf.sf.net/devel/jnilo/bering





[Leaf-user] Bering pppoe guide

2002-03-21 Thread Eric Wolzak

Hello all

In our series of cookbooks ;) now officially named user guides for
the Bering distribution, we have released another section.
This describes the connection to a DSL on a PPPoE basis.
The difference with the other pppoe versions is the use of the kernel
based pppoe module.

The url is http://leaf.sourceforge.net/devel/jnilo/busers03.html


The url for the whole book is
http://leaf.sourceforge.net/devel/jnilo/busers.html

We hope you enjoy it.
Any reactions are welcome.

the bering crew
Jacques  Eric 




