Re: [leaf-user] dns or rule problem?????
Hello Andrew, you wrote:

> I'm running Bering-uClibc 2.1.3. I have 5 static IPs coming in from my ISP (eth0). 4 of them are proxyARPed to the DMZ (eth2). The last IP is serving my local network (eth1). My DMZ is basically web servers with port 80 open. Outside my network, people can see my servers just fine, but from my local network I can't access my websites even using their public IPs. Do you have any recommendations for allowing me to access my DMZ websites from my local network computers? Security to and from my local network to and from the DMZ is also a high priority. I am a novice at this, so please be kind. I have not made many changes to the settings on the firewall box. I don't know if it matters but I am using my ISP's DNS service. Let me know if you need more info.
>
> Thanks, Andrew

It seems that this is a routing/firewall problem. Your static IPs, if coming from the outside, are routed to a DMZ server. If coming from your internal network they end at your external interface. If they reach your server, then your firewall restricts their answers (from dmz to local).

You have to set a rule allowing a machine on your local network to access the machine on the dmz and back! In that case use something like this in the shorewall rules file:

    ACCEPT loc dmz tcp 80

Or if you only want a special machine to be allowed to go to the dmz, use something like:

    ACCEPT loc:192.168.1.10 dmz tcp 80

Hope this helps. I assume that the syntax is correct, since I still use an old Bering ;)

regards
Eric Wolzak

leaf-user mailing list: leaf-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/leaf-user Support Request -- http://leaf-project.org/
Re: [leaf-user] Bering 1.2 CD won't load daemontl.lrp
Hello Richard,

Are you sure that dnscache is really running over daemontools? You should set up the /service directory as stated on the cr.yp.to page, so multilog can use the settings there. I didn't try it myself on Bering (only in Debian); you should have processes with supervise, .log and the running process.

Regards
Eric Wolzak
member of the Bering Crew

> I am attempting to boot *everything* from Bering 1.2 CD, rather than using CD plus helper floppy. This is to teach a class in the fall using Bering and distribute only CDs to the students. I am including so many lrps -- ipsec, daemontl, etc. -- that I am over the 254 char line limit on syslinux.cfg. So, I transition to using leaf.cfg to load the extra modules, i.e. changed the LEAFCFG as follows in syslinux.cfg:
>
>     display syslinux.dpy
>     timeout 0
>     default linux initrd=initrd.lrp init=/linuxrc rw root=/dev/ram0 LEAFCFG=/dev/cdrom:iso9660 PKGPATH=/dev/fd0:msdos,/dev/cdrom:iso9660 syst_size=12M log_size=4M LRP=root,etc,local,modules,iptables,pump,keyboard,shorwall,ulogd,dnscache,ipsec,mawk,dhcpd
>
> I have the above syslinux.cfg and the following leaf.cfg files injected into bootdisk.bin using winimage. I save the bootdisk.bin file with winimage, and burn a CD. The CD boots fine, and all other functions from the syslinux.cfg LRP= load, plus weblet from leaf.cfg. But I get no daemontl to log dns. (/etc/dnscache/env/QUERYLOG is set to YES)
>
> The verbose flag in leaf.cfg seems to put no additional lines in any file in /var/log... Curiously (but harmlessly) no initrd in the packages menu of lrcfg, although I can see initrd loading when the machine boots up. What could be wrong?
>
> TIA Rick.
>
>     # This file is parsed as a shell script
>     # Kernel command line parameters are available as KCMD_variable
>     # ie: KCMD_LRP contains the LRP= portion of the kernel command line
>     # NOTE: For kernel command line settings that do not include an equals
>     # sign (ie: rw or similar), the variable is set to itself, allowing
>     # for easy testing (ie: KCMD_rw=rw).
>     # LRP and PKGPATH variables now support whitespace (space, tab, newline)
>     # as well as commas for separators.
>
>     # Uncomment for more verbose execution.
>     VERBOSE=1
>
>     # Other variables you might want to set in this file include:
>     #   LRP        Packages to load
>     #   PKGPATH    Device(s) to load packages from
>     #   syst_size  Size of root ramdisk
>     #   tmp_size   Size of /tmp ramdisk
>     #   log_size   Size of /var/log ramdisk
>     # Example:
>     LRP=$KCMD_LRP rsync
>     LRP=$KCMD_LRP daemontl
>     LRP=$KCMD_LRP weblet
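The leaf.cfg header quoted above says the file is parsed as a shell script and that LRP accepts commas or whitespace as separators. The script below is an added example, not code from Rick's or Eric's mail or from the Bering project: it evaluates a constructed leaf.cfg fragment the way a shell would and reports which packages end up in LRP, so one can check a fragment before burning it to a CD. It assumes only that KCMD_LRP holds the kernel command line's LRP= value, as the header states; the fragments, the KERNEL_LRP value and the helper names (leafcfg_lrp, lrp_has, lrp_missing) are my own.

```shell
#!/bin/sh
# Added example: evaluate a leaf.cfg fragment as a shell script and show the
# resulting LRP package list.  KCMD_LRP stands in for the LRP= part of the
# kernel command line (the name leaf.cfg's own comments use).

# Evaluate a leaf.cfg fragment with a given KCMD_LRP and print the final LRP.
# $1 = kernel command line LRP value, $2 = leaf.cfg text.
leafcfg_lrp() {
    KCMD_LRP=$1
    LRP=$KCMD_LRP
    eval "$2"
    printf '%s\n' "$LRP"
}

# Report whether package $2 is named in the LRP value $1 (comma or space
# separated, as the header allows).
lrp_has() {
    printf '%s' "$1" | tr ',' ' ' | tr -s ' ' '\n' | grep -qx "$2"
}

# Print the packages from wish list $1 that are absent from the final LRP
# value $2, one per line; prints nothing when all of them are present.
lrp_missing() {
    for pkg in $(printf '%s' "$1" | tr ',' ' '); do
        lrp_has "$2" "$pkg" || printf '%s\n' "$pkg"
    done
}

# Constructed fragment (quoting is an assumption): every line sets LRP from
# KCMD_LRP again, so each assignment replaces the one before it and only the
# last package survives.
OVERWRITE_CFG='
LRP="$KCMD_LRP rsync"
LRP="$KCMD_LRP daemontl"
LRP="$KCMD_LRP weblet"
'

# Same packages, accumulated: every line extends the current LRP value.
APPEND_CFG='
LRP="$LRP rsync"
LRP="$LRP daemontl"
LRP="$LRP weblet"
'

# Constructed stand-in for the LRP= list of a syslinux.cfg kernel line.
KERNEL_LRP=root,etc,local,modules,iptables,pump,keyboard,shorwall,ulogd,dnscache,ipsec,mawk,dhcpd

echo "overwrite form -> $(leafcfg_lrp "$KERNEL_LRP" "$OVERWRITE_CFG")"
echo "append form    -> $(leafcfg_lrp "$KERNEL_LRP" "$APPEND_CFG")"
echo "not loaded by the overwrite form:"
lrp_missing 'rsync daemontl weblet' "$(leafcfg_lrp "$KERNEL_LRP" "$OVERWRITE_CFG")"
```

Run it as `sh leafcfg-check.sh`; the overwrite form lists only weblet beyond the kernel line's packages, the append form lists all three.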
Re: [leaf-user] Bering 1.2 backup destination problem
Hello Charles, Richard.

The strange thing on Bering is that /dev/fd0 is changed depending on the boot device or the last device used. The first time you use fd0 after boot it is a fd0u1680 device. If you back up a file to a fd0u1440 and use /dev/fd0 next time, it is a 1440. So I wouldn't use /dev/fd0 but fd0u1440 or fd0u1680, to be sure about the format.

Regards
Eric Wolzak
member of the Bering Crew

> Take out Bering boot floppy, insert a 1440kb floppy. lrcfg, b) backup a package. Then for each package (etc, shorwall, etc.) I change the destination to fd0, msdos by typing d 3 (for etc) and selecting the appropriate options, then b 3. This works for the first package backed up -- but upon backing up a second package, i.e. d 5 (select fd0), then b 5, results in the message "can't mount backup device". I have tried to umount the floppy, but it is not mounted (getting out of lrcfg, then going back into lrcfg). Forever, any further backups to fd0 fail with the above message until reboot from the Bering (fd0u1680) floppy. Any idea what to do? I can reboot between each package, but it is a bit tedious.

> I suspect you're having consistency problems going between 1680K and 1440K disks. Note that /dev/fd0 *should* be 1440K, but I believe the default Bering floppy backup target is actually /dev/fd0u1680, which is a 1680K formatted disk. I suggest adding a 1440K backup target by running the following at the command line:
>
>     echo /dev/fd0u1440 >> /var/lib/lrpkg/pkgpath.disks
>
> Then you can change the backup target for all packages (d e) to the 1440K disk (probably choice #3). You can also try backing up everything at once (b e), but I prefer to do backups one at a time.
>
> Note: You can also just copy the LRPs from one disk to another:
>
>     # mount bering 1680 disk
>     mount -t msdos /dev/fd0u1680 /mnt
>     # copy files to /tmp
>     cp /mnt/*.lrp /tmp
>     # unmount disk
>     umount /mnt
>     # mount 1440K disk
>     mount -t msdos /dev/fd0u1440 /mnt
>     # copy files from /tmp
>     cp /tmp/*.lrp /mnt
>     # unmount disk
>     umount /mnt
>
> HTH...
>
> --
> Charles Steinkuehler [EMAIL PROTECTED]
Re: [leaf-user] looking for Bering 1.2 and 2.1 kernel .config files
Hello Newton,

The kernel config for Bering 1.2 is at http://leaf.sourceforge.net/devel/jnilo/bering/latest/development/kernel/Bering-2.4.20.config

Regards
Eric Wolzak
member of the Bering Crew

> Greetings,
>
> The .config files used to be with the development files in the previous version of LRP/Bering, e.g. rc3. Where can I locate the Linux kernel .config files for 1.2 and 2.1? Thanks.
>
> Newton
Re: [leaf-user] Bering still active?
To: [EMAIL PROTECTED]
From: [EMAIL PROTECTED]
Subject: [leaf-user] Bering still active?
Date sent: Mon, 29 Mar 2004 12:39:51 +0100

Hello Gustav, list

It is. As a matter of fact, I was (am) occupied a lot with a new job, so there wasn't time for a new release. Still working on Bering though.

Regards
Eric Wolzak
member of the Bering Crew

> Hi,
>
> I'm new to the list, and soon to become new to Bering. So please bear with me. I've read quite a lot about the Bering distro, including its installation documentation. Looks like Bering could match my needs. What makes me wonder is that the latest release of Bering dates to May 2003 (unless I've missed something), which is almost ten months ago. So:
>
> - Is Bering still alive and active?
> -- or --
> - Is Bering being phased out for what?
>
> Gus
Re: [leaf-user] Does anyone know a PPPoE server for Bering?
> Does anyone know a PPPoE server for Bering?

Hello Miquel,

If you only want to be able to connect with a limited number of connections, you can use the standard pppoe and pppd.lrp that come with Bering. The only thing you have to do is make some changes to the pppoe options. I described this method to the mailing list; look at http://www.mail-archive.com/[EMAIL PROTECTED]/msg06510.html

Good luck, and please report back your experiences.

Eric Wolzak
member of the Bering Crew
(Fwd) Re: [leaf-user] Problems loading D-link de650
Sorry, forgot list

On 3 Feb 2004 at 13:02, Henning Jebsen wrote:

> (Bering 1.0 stable, Kernel 2.4.18)
>
> Hi folks,
>
> my second problem is to load this PCMCIA card. I already did some search. Afaik the needed modules are 8390.o and pcnet_cs.o. 8390.o loads fine... (no error at least ;-)) pcnet_cs reports:
>
>     insmod: unresolved symbol register_pccard_driver
>     insmod: unresolved symbol unregister_pccard_driver
>
> My pcmcia.lrp is not yet configured! I think I don't need to, unless the card is not recognised correctly... I tried to use the ne2000 modules, providing an IO port. Did not work. The card itself works properly under Suse 7.1 and winME. To me it seems pcnet_cs is missing a certain module...

Hello Henning,

pcnet_cs depends on pcmcia_core.o, ds.o and 8390.o; please try these modules. This information is from the modules.dep file (not tested).

Regards
Eric Wolzak
member of the Bering Crew.
Re: [leaf-user] Future of Bering and Bering-uClibc?
Hello Timothy, list

[EMAIL PROTECTED] wrote on 01/29/2004 08:00:09 AM:

> I have been using Bering quite successfully for some time now, but I'm at a spot where it would be good to evaluate a change to uClibc. I haven't seen any discussion regarding development on Bering. Of course, most of the development on uClibc has been to recompile existing Bering packages... :)

Either I miss your irony, or you had better reread the Changelog for Bering-uClibc: none of the entries mentions other packages than the ones from the base image, and I can assure you that recompiling packages has been a minor effort compared to the changes for the base image, the addition of IPv6 and gaining more space on the base image.

> From my (admittedly limited) research, it seemed that most of the messages regarding new items for Bering-uClibc were from people compiling (new) versions of software that already existed under traditional Bering. Maybe I am mistaken: I have not followed it that closely.
>
> I asked a similar question about 4 months ago. I was told to stick with Bering unless I needed the reduction in size that uClibc gave me. Seeing as I'm running on EPIAs with 128MB RAM and 32MB DOM, I really didn't. The only thing that has prompted my question is I have seen no real development on Bering since 1.2, and Bering-uClibc is readying its second or third release since then.

I am working on a web interface at the moment; due to professional (not LEAF related) changes, time is somewhat limited. (And the nice snow is distracting ;) )

The inherent problem of Bering is the library, which isn't maintained anymore. On the other hand, the uniformity of the old lib means that there are a whole bunch of packages available. One of the reasons the uClibc group did release new versions is that if the uClibc library is updated, the packages mostly must be recompiled. What I mean with this is that those changes deserve the name new release.

The interesting thing is that the IMHO most important improvement the uClibc guys made stays largely unnoted, namely the use of automatic package making. The necessity of recompiling with every new version of uClibc will hopefully change as soon as uClibc reaches version 1.0.

My plans with Bering are: updating to a new kernel version, thereby keeping as close to uClibc as possible; improvement of the installation and maintenance issue; working on a "change a setting only in one place" version. This will also be usable with uClibc. Recompiles of single packages were and are done, but didn't need a complete new release, so they weren't that obvious.

Hope to have answered your question with that.

Regards
Eric Wolzak
member of the Bering Crew

> I'm really not looking for anything specific. I just want something that is going to keep up with, e.g., bugfixes in the underlying packages and kernel. I'm not looking for any new features.
>
> Tim Massey
Re: [leaf-user] Qmail questions
Hello Kory,

Sorry, I haven't read the whole thread. But as I understand it, you have a mail server in the DMZ running on a LEAF box, called DMZ_BOX:

    DMZ = 192.168.10.0/24
    route will be
      192.168.10.0/24 via 192.168.10.x
      default via 192.168.10.254   (DMZ address on LEAFBOX)

and a LEAF router connected to internet and local, called LEAFBOX. Here you run dnscache listening on 192.168.1.254 and tinydns listening on localhost (127.0.0.1):

    Route
      192.168.10.0/24 via 192.168.10.254
      192.168.1.0/24 via 192.168.1.254
      default via external ip address

Now you have a problem, that the DMZ_BOX cannot resolve names.

1. Do you have dnscache running on your DMZ_BOX? If yes, then you have to use the forwardonly option and set it to yes, to use your nameserver on LEAFBOX; the address to forward to is 192.168.1.254. Otherwise, your DMZ_BOX will use the root servers to find the MX for kroffts.com; this will point you to your provider, they point hopefully to your external interface, and now you are trying to get an address from your external interface. This might get a problem with your shorewall rules.

Insert 192.168.1.254 in /etc/resolv.conf after opening the firewall rules to allow udp 53 from dmz to fw. Now it is possible to resolve anything that you can resolve from the local net.

regards
Eric Wolzak
member of the Bering Crew.
Re: [leaf-user] AVM Fritz!Card v2.x
Hello List,

for others that might be interested: AVM Fritz!Card version 2.x does work with Bering. Modules needed are:

    # modules needed for AVM-Fritz!Card v2.x ISDN
    slhc
    isdn
    hisax
    hisax_isac
    hisax_fcpcipnp
    # Thanks to Felix Theodor for trying this out

Regards
Eric Wolzak
member of the Bering Crew
(Fwd) Re: [leaf-user] AVM Fritz!Card v2.x
Sorry forgot the list.

--- Forwarded message follows ---
From: Eric Wolzak [EMAIL PROTECTED]
To: Felix Theodor [EMAIL PROTECTED]
Subject: Re: [leaf-user] AVM Fritz!Card v2.x
Date sent: Thu, 11 Dec 2003 19:16:36 +0100

Hello Felix,

First of all, you have to use the hisax_fcpcipnp.o: http://leaf.sourceforge.net/devel/jnilo/bering/latest/modules/2.4.20/kernel/drivers/isdn/hisax/hisax_fcpcipnp.o and probably also the hisax_isac.o. The hisax type number is probably 27. Sorry, I cannot try this, as I only used the old Fritz which is a completely different card. If you are successful please contact the list. If you still have trouble, append the output from the module loading.

Regards
Eric Wolzak
member of the Bering Crew

On 11 Dec 2003 at 16:33, Felix Theodor wrote:

> Dear Bering friends,
>
> last time I had to install Bering (kernel 2.4.20) on a computer with an AVM Fritz!Card. I myself also use an AVM Fritz!Card v1.0; it works without any problems. But with the Fritz!Card v2.x hisax doesn't find it. :( Can someone tell me what I can do? Thank you!
>
> Felix

--- End of forwarded message ---
Re: [leaf-user] AVM Fritz!Card v2.x
Hello Felix,

you probably misunderstood something. You will need the normal hisax, probably type=27, and additionally hisax_fcpcipnp. I just don't know in what order; also:

    slhc
    isdn
    hisax type=27
    hisax_fcpcipnp   # this is the special driver for the Fritz Card PCI PNP

If you get unresolved symbols now, please look which symbols those are. Those are indications that the order of the modules is wrong. You can do the following on the command line:

    # insmod slhc
    # insmod isdn
    # insmod hisax type=27
    # insmod hisax_fcpcipnp

At what stage do you get what unresolved symbols?

## Background about your card
Normally it is meant to be used with a CAPI interface; that is what large distros do. But with the hisax_fcpcipnp it is possible to use the older, and more basic, hisax interface. I only don't know the order; I even suspect that the special hisax_fcpcipnp should be first.
###

Good luck
Eric Wolzak

On 12 Dec 2003 at 9:15, Felix Theodor wrote:

> Hello Eric,
>
> I've loaded the modules but unfortunately both are not successful.
>
>     # Modules needed for ISDN
>     # Look for type, io and irq settings at help page of isdn.lrp documentation
>     slhc
>     isdn
>     hisax_fcpcipnp type=27 protocol=2
>
> I get insmod: unresolved symbol.
Re: [leaf-user] dmz possible within same physical network?
Hello Eric, you wrote:

> I'm setting up LEAF (Bering-uClibc 2.0) for a new condo with in-the-wall ethernet and lots of tech-savvy visitors, some of whom run virus hosts from Redmond. I want visitors to be able to plug their laptops into any jack in the wall, including jacks that may be used by members of the household. But I don't want to allow them the same privileges as known hosts, esp. access to other hosts on the LAN.

The problem you are describing isn't a special Bering problem. You can certainly have two different subnets on one physical LAN. You can give dynamic addresses with DHCP that are in one subnet for all unknown MACs and give addresses in another net for known MACs, or use static IPs in the trusted net.

1. The problem however is that if someone wants to be evil, he can just change the address or use tools to eavesdrop on the LAN. Now he has the possibility to imitate a MAC in the known network, if your services are MAC dependent.

2. Whether a strange machine on the LAN has access to one of the trusted hosts also depends on the configuration of the desktop host itself and less on the router.

So you have to make it impossible to read the data flow on the LAN; one way I could imagine is to encrypt all the traffic on this LAN with trusted desktop --- encrypted tunnel --- router . internet or other trusted host on the LAN. Whether this is doable depends on the number of trusted desktops, their OS, and might involve some kind of routing on the Soekris box.

Regards
Eric Wolzak (fan of crosswords and Palm OS ;) )
Bering Crew

> Basically, I want to offer DHCP leases on eth1, and if the MAC address is unknown to put it in an effective dmz that's only allowed access to the WAN via eth0. This would be trivial to do if I had an eth2, but there's only one jack at each location so I can't just add a new NIC. I'd also like to refuse connections to static IP addresses that happen to be in the right range so that folks have to go through dhcp. Is this possible using Bering?
>
> Any suggestions where to start reading on how to set it up? The hardware in this case is a Soekris box (boot medium is a CF card), so I'm not limited to a floppy-based distro; but I use Bering everywhere else and want to keep things compatible.
>
> Thanks,
> --Eric House
>
> -- From the desktop of: Eric House, [EMAIL PROTECTED]
> Crosswords 4.0 for PalmOS is out!: http://www.peak.org/~fixin/xwords
[leaf-user] (Fwd) IPSEC route question was: Problem with manual IP route commands in
Hello Simon,

I am not that experienced with IPsec, so I forward this to the list again.

--- Forwarded message follows ---
From: Simon Chalk [EMAIL PROTECTED]
To: Eric Wolzak [EMAIL PROTECTED]
Subject: RE: [leaf-user] Problem with manual IP route commands in Start file
Date sent: Wed, 10 Dec 2003 11:19:35 -

Hi Eric,

I have now discovered that the shorewall start file is not a good place to put my ip route add commands. I am adding a manual route through the ipsec0 interface and I think shorewall is loading before ipsec, so the ipsec device is not known at this stage. Do you know if there is any file that I can put my ip route commands in which is not loaded until after ipsec? Maybe there is an ipsec file that I can add to?

Regards,
Simon.

-----Original Message-----
From: Eric Wolzak [mailto:[EMAIL PROTECTED]]
Sent: 09 December 2003 20:27
To: Simon Chalk
Subject: Re: [leaf-user] Problem with manual IP route commands in Start file

Hello Simon,

the shorewall start is saved with the weblet.lrp.

regards
Eric Wolzak
member of the Bering Crew

> Hi All,
>
> I need to add some ip route commands. Please can you tell me where I can locate them. They need to be seen once my IPSEC gateway has loaded. I have actually put them in the Shorewall Start script, but I find that this file is deleted after a reboot, even though I saved the file to disk. I have version 1.4.5 running on Bering 1.2. So I essentially have two issues: where should I put ip route commands, and why does the Shorewall start file lose the commands I enter? This doesn't happen on the init file.
>
> Regards,
> Simon.

--- End of forwarded message ---
Re: [leaf-user] PPPoE without username and password
Hello Lasse,

are you sure your new provider does use PPPoE and not another method to connect? PPPoE without a user and a password is unusual. Another strange symptom is that your ISP doesn't answer any PADI, so you don't get a channel number. This is all on a level before any authentication, compression and so on starts. So possible causes are:

1. you don't need pppoe but for example pump (ask your provider)
2. you have a hardware problem
3. your provider has a hardware problem on the access concentrator
4. another I didn't think of
5. I made a mistake :)

To get more information, increase the debug level in the option file.

Regards
Eric Wolzak
member of the Bering Crew

> I have been using Bering 1.2 as a PPPoE ADSL router for some time, without any problems. I've just followed the PPPoE howto, filled in my username and password and all the other things the howto says; all worked perfectly. Then I switched from one ISP to another; they came up with a better offer, but with my new ISP I don't have to enter any username and password. It's the same modem, and the same everything besides the ISP. plog doesn't give anything; the only thing I get is in daemon.log:
>
>     Dec 9 13:20:54 firewall pppd[26716]: Plugin /usr/lib/pppd/pppoe.so loaded.
>     Dec 9 13:20:54 firewall pppd[26716]: PPPoE Plugin Initialized
>     Dec 9 13:20:54 firewall pppd[20072]: pppd 2.4.1 started by root, uid 0
>     Dec 9 13:20:54 firewall pppd[20072]: Sending PADI
>     Dec 9 13:55:00 firewall pppd[20072]: Connecting PPPoE socket: 00:00:00:00:00:00 0x807c260
>     Dec 9 13:55:00 firewall pppd[20072]: Couldn't get channel number: Transport endpoint is not connected
>     Dec 9 13:55:00 firewall pppd[20072]: Doing disconnect
>     Dec 9 13:55:30 firewall pppd[20072]: Sending PADI
>     Dec 9 14:29:36 firewall pppd[20072]: Connecting PPPoE socket: 00:00:00:00:00:00 0x807c260
>     Dec 9 14:29:36 firewall pppd[20072]: Couldn't get channel number: Transport endpoint is not connected
>     Dec 9 14:29:36 firewall pppd[20072]: Doing disconnect
>     Dec 9 14:30:06 firewall pppd[20072]: Sending PADI
>
> After 6-8 attempts pppd exits. Hope someone can help.
>
> best regards
> Lasse Jensen DK
Re: [leaf-user] Bering: time to hand on the torch ...
Jacques, List

I want to thank you for your great contribution to this project, and for your trust in me to carry on the project. I hope that I will be able to do it as well as you did. I also hope that we will be seeing you around in the near future.

All the best and thanks a lot, merci beaucoup
Eric Wolzak
Re: [leaf-user] Bering Dial in, problems with ppp - long
Hello Henning, you wrote:

On 28 Nov 2003 at 15:06, Henning Jebsen wrote:

> Hi Erik,
>
> > Nov 25 08:53:37 firewall pppd[7359]: No response to 3 echo-requests
> > Nov 25 08:53:37 firewall pppd[7359]: Serial link appears to be disconnected.
>
> Troy could try this one as parameter for pppd (man pppd):
>
>     lcp-echo-failure n
>         If this option is given, pppd will presume the peer to be dead if n LCP echo-requests are sent without receiving a valid LCP echo-reply. If this happens, pppd will terminate the connection. Use of this option requires a non-zero value for the lcp-echo-interval parameter. This option can be used to enable pppd to terminate after the physical connection has been broken (e.g., the modem has hung up) in situations where no hardware modem control lines are available.
>
>     lcp-echo-interval n
>         If this option is given, pppd will send an LCP echo-request frame to the peer every n seconds. Normally the peer should respond to the echo-request by sending an echo-reply. This option can be used with the lcp-echo-failure option to detect that the peer is no longer connected.

Those parameters are already set in the pppoe options file. The problem with his setup seems to be that the server, here the Bering box, starts sending the LCP echo requests and that those aren't answered within the lcp-echo-interval. After 3 tries exactly what you described happens, namely the server gets no response, supposes the line (connection) is dead and does a hangup. Unfortunately the whole pppd is stopped, also taking down the dialout part on ppp0.

Interesting is why:

1. the client doesn't answer the lcp-echo requests.
   a. They don't reach the client (firewall/route issue locally or on the client).
   b. The client answers but sends them over a wrong interface, or the outgoing answer is blocked (route/firewall). If the client is also a Bering box it could be that the external interface is declared as eth0 and not as ppp0, for example.
   c. The server is blocking the answers on the firewall (remember that now ppp1 is also an external interface).

Troy might set up the shorewall rules to log all incoming and blocked traffic, or clear the firewall for the test.

Regards
Eric Wolzak
member of the Bering Crew.
Re: [leaf-user] Bering Dial in, problems with ppp - long
Hello Matthew,

I hope that I can help you a bit.

1. The difference between Dachstein and Bering is that Dachstein uses rp-pppoe and Bering uses kernel pppoe.
2. You can set up a pppoe server without getty and so on, just by using pppoe.lrp and ppp.lrp. I set a test one up; how I did it: http://www.mail-archive.com/[EMAIL PROTECTED]/msg06510.html

Interesting is that you get a connection:

Nov 25 08:53:01 firewall pppd[8591]: pppd 2.4.1 started by LOGIN, uid 0
Nov 25 08:53:01 firewall pppd[8591]: using channel 25
Nov 25 08:53:01 firewall pppd[8591]: Using interface ppp1
Nov 25 08:53:01 firewall pppd[8591]: Connect: ppp1 -- /dev/ttyS0
Nov 25 08:53:04 firewall pppd[8591]: remote IP address 192.168.5.99
Nov 25 08:53:04 firewall pppd[8591]: Script /etc/ppp/ip-up started (pid 4309)
Nov 25 08:53:04 firewall pppd[8591]: Script /etc/ppp/ip-up finished (pid 4309), status = 0x100

After establishing the connection the pings aren't answered by the client:

Nov 25 08:53:37 firewall pppd[7359]: No response to 3 echo-requests
Nov 25 08:53:37 firewall pppd[7359]: Serial link appears to be disconnected.

and the server hangs up again, or better said pppd hangs up. It seems that the whole pppd gets a signal to go down:

Nov 25 08:53:37 firewall pppd[7359]: Couldn't increase MTU to 1500.
Nov 25 08:53:37 firewall pppd[7359]: Couldn't increase MRU to 1500
Nov 25 08:53:43 firewall pppd[7359]: Connection terminated.
Nov 25 08:53:43 firewall pppd[7359]: Connect time 561.8 minutes.

And so your dialout connection over ppp0 is also taken down. I don't know why this is done. I suppose this should be an option setting.

The other problem is why the dial-in client doesn't answer LCP requests.
1. Is this a route problem on the client?
2. Is the client running a firewall and doesn't answer pings?
3. ?

> Now the catch is that when the connection drops out (why it does it, I do not know) the external pppoe connection is then also torn down, and it has to reconnect and get a new address, which it does. I can only assume that it is something to do with the pppd setup interacting between the two ppp interfaces.

I suppose so too ;)

> I include my /etc/network/interfaces, /etc/ppp/peers/dialin, /etc/ppp/peers/adslprovider, /etc/ppp/options and /etc/options.ttyS0 files in the hope that someone can point out why this interaction is occurring. I have no options file. pppd is called from login.config as:
>   /AutoPPP/ - - /usr/sbin/pppd debug file /etc/ppp/options.ttyS0

Try it the way I described in the archived mail; please give feedback if this worked.

Regards
Eric Wolzak
member of the Bering crew

#
# original configuration files
#
# So as far as I can see the dial-in connection should not reference /etc/ppp/options
#

# /etc/network/interfaces -- configuration file for LEAF network
# J. Nilo, April 2002
#
# Loopback interface.
auto lo
iface lo inet loopback

auto ppp0
iface ppp0 inet ppp
    pre-up ip link set eth0 up
    provider adslprovider eth0

iface ppp1 inet ppp
    provider dialin

auto eth1
iface eth1 inet static
    address 192.168.5.254
    masklen 24
    broadcast 192.168.5.255

auto eth2
iface eth2 inet static
    address 203.a.b.c
    masklen 27
    broadcast 203.a.b.255
# ---End of File---

/etc/ppp/peers/dialin
debug
ms-dns 192.168.5.254
asyncmap 0
auth
crtscts
modem
noccp
-detach
+pap
-chap
+pap
require-pap
refuse-chap
proxyarp
lcp-echo-interval 300
lcp-echo-failure 4
noipx
# ---End of File---

/etc/ppp/peers/adslprovider
# Configuration file for PPP, using PPP over Ethernet
# to connect to a DSL provider.
plugin /usr/lib/pppd/pppoe.so
name [EMAIL PROTECTED]
pty pppoe -I eth0 -T 80 -m 1452
noipdefault
hide-password
lcp-echo-interval 20
lcp-echo-failure 3
# Override any connect script that may have been set in /etc/ppp/options.
connect /bin/true
noauth
persist
mtu 1492
# ---End of File---

/etc/ppp/options is empty

/etc/ppp/options.ttyS0
debug
-detach
auth
asyncmap 0
modem
crtscts
lock
noccp
+pap
require-pap
refuse-chap
proxyarp
lcp-echo-interval 300
lcp-echo-failure 10
ms-dns 192.168.5.254
netmask 255.255.255.0
192.168.5.254:192.168.5.99
# ---End of File---

> I appreciate Shorewall plays a part in this, but I have not yet seen one rejected packet in its logs, and it is set up to allow masq from 192.168.5.0/24 (which is my internal network), and this works, as well as a not-mentioned wlan setup using hostap that is working fine as well. Can anyone shed some light on this, otherwise I will have to go back to Dachstein, which worked very easily and was easy to set up. By far the most difficult thing in this setup is pppd; however the Debian-format /etc/network/interfaces file is an absolute mystery to me, never having used anything like it before.
> With many thanks,
> Matthew
Re: [leaf-user] sending Email from Bering 1.2
Hello Felix,

You've already got some answers; don't forget to open the firewall to connect to the net for mail. See the instructions at: http://leaf.sourceforge.net/doc/guide/bumail.html

Regards
Eric Wolzak
member of the Bering Crew

> Hi All,
> how can I let my Bering 1.2 send me an email, e.g. with the logs?
> Thanks
> Felix
Re: [leaf-user] Bering Citrix WinFrame?
Hello Craig,

The policy for a default firewall for outward connections is ACCEPT. So as long as the other side sends answers to your packets they will be accepted.

Regards
Eric Wolzak
member of the Bering Crew

> Hi folks,
> My wife has a computer that needs to access a server at her workplace running Citrix WinFrame. Does anyone know: will I have to open a port on Bering in order for the signal to pass through? I know Citrix runs on port 1494, but I'm not sure if I'll need to modify my Bering 1.2 firewall for success. Comments???
> Thank you,
> Craig
Re: [leaf-user] Re: ncurses5.lrp in Bering 1.2 (Ray Olszewski)
Hello Felix,

With your first problem (ncurses) I can't help you, but your second question is easy:
1. Call the lrcfg menu: # lrcfg
2. b for backup
3. The number of the isdn.lrp: xxx
4. Confirm that the space on your floppy is enough.
It can also be done in one call with different parameters, but this is easier.

BTW, for my information:
1. What ISDN card did you use?
2. Did you use the full hisax or the card-specific ones?

Regards
Eric Wolzak
Member of the Bering Crew

> Hello Ray,
> actually I just want to implement a small program that allows the user to easily change the provider information such as MSN, REMMSN, USER and PWD. So I started with...
>
>     #include <stdio.h>
>     #include <stdlib.h>
>     #include <curses.h>
>
>     int main(void)
>     {
>         initscr();   /* initialise curses */
>         endwin();
>         return 0;
>     }
>
> In Redhat there is no error. Just when I start it in Bering 1.2 with ncurses5.lrp I get that error message: Error opening terminal: Linux.
> I hope you or someone else can help me. Because now I just implemented it in usual text mode. My menu is now finished but I have another problem. How can I back up the isdn.lrp manually? I'm very thankful if someone can help me also with this problem.
> Thank you very much
> Felix
Re: [leaf-user] Now On-Line but big trouble...
Hello Michelle,

> I have disconnected all 5 switches from the router and it continues to log alone... So there is no problem with my network, which has been working for years... But what can make this traffic!!! Every 90-150 seconds I have around 5-12 packets TX and 2-4 packets RX.

So the request must come from the firewall. And this is probably a DNS issue, or you see the LCP echo / LCP echo-reply packets sent over the line.

You can look at what packets are sent by setting the pppd options to
    kdebug
    debug 7
Now everything sent out ppp0 will be logged; watch it with tail -f /var/log/messages or /var/log/syslog. You might see what kind of packets are going out and/or where they come from.

Regards
Eric Wolzak
member of the Bering Crew
Re: [leaf-user] Weblet Oddness.
Hello James, hello all,

You wrote:

> Well, after some badness with Microsoft ISA server, it got ditched and replaced with a Bering 1.2 box. We have a 3 interface setup: net, loc, dmz. In the dmz is our corporate web server. On the net interface is one of our external IP addresses. Both the dmz and the loc are SNAT'ed behind that address. Port 80 is DNAT'ed to the webserver, port 25 is DNAT'ed to the Exchange server in the local zone. External clients can see our website. But when clients on the loc zone browse to our website, all they see is the Bering weblet! Even if they browse direct to the external IP address, not the IP address for the loc adaptor. Do I have to set up another rule to redirect loc to our website?

Yes:
1) Move weblet to another port, otherwise they will always see weblet.
2) DNAT 80 from loc to the dmz webserver.

It is natural that they don't see your webserver on 192.168.1.254, and if you use your external interface then the packet is SNATted to the external IP and will never be DNATted after that.

Regards
Eric Wolzak
member of the Bering crew
Re: [leaf-user] How do I open individual ports?
Hello Mike,

If you use Bering, you should use the settings in shorewall. As the answer depends on your setup (masquerading, DNAT, etc.), I would suggest reading the shorewall manual, especially the section about zones, interfaces and rules: http://www.shorewall.net Documentation

If you use Dachstein, you have to change settings in the network configuration script, if I remember correctly. Link for this is: http://leaf.sf.net/devel/cstein/files/packages/network.txt

Regards
Eric Wolzak
member of the Bering crew

> This may seem like a dumb question but please bear in mind that I am very new to this. I am familiar with Cisco routers to a certain extent so... My question is how do I open individual ports? I'm sure it's easy but I need it spelled out for me.
Re: [leaf-user] VPN Setup
Hello Mike,

Could it be that your command line in syslinux.cfg is too long (exceeding the 255)? After boot, you can log in and with
    # cat /proc/cmdline
you should see the command line from syslinux.cfg that is recognised. If your packages aren't there, this could be the cause.

To avoid having a too long command line, you can put everything that is behind LRP= in a new file on the boot medium or packagepath, with the name lrpkg.cfg and as content everything behind LRP= in syslinux.cfg. In other words, the content of lrpkg.cfg will be viewed as if it was written in syslinux.cfg after LRP=.

Regards
Eric Wolzak
member of the Bering crew.

-----Original Message-----
From: Mike Koceja [EMAIL PROTECTED]
To: leaf [EMAIL PROTECTED]
Date: Thursday, 17 July 2003 05:00
Subject: [leaf-user] VPN Setup

> Hello,
> I actually sent an e-mail concerning this some time ago so I apologize for not replying to anyone who offered advice. I'm trying to get a VPN connection to my worksite to function through the Dachstein firewall. I downloaded the following files...
>     ifconfig.lrp
>     ipsec.lrp
>     ipsec509.lrp
>     mawk.lrp
> I added them to the LRP= part of the kernel command line in syslinux.cfg. There are no errors reported but my VPN connection still doesn't function, nor do they show up in the package configuration menu. On a side note I added sshd as well and that does show up and function. Any idea?
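As an added illustration of the check and the workaround above (this is not code from the thread), the following POSIX shell functions measure a kernel command line against the 255-character figure quoted in the message, pull the package list out of the LRP= token, and write it to an lrpkg.cfg. Two assumptions are mine: the limit value comes only from this message, and dropping the LRP= token from the kernel line is what makes the loader fall back to lrpkg.cfg (the page does not say so; check your linuxrc). The sample command line and package names are constructed for the example.

```shell
#!/bin/sh
# Added example: check a LEAF/Bering kernel command line for the length
# problem and move the LRP= package list into lrpkg.cfg.
# Assumption (from the message above): the loader sees at most 255 chars.
CMDLINE_LIMIT=255

# Print the value of the LRP= token (the package list) from a command line.
lrp_value() {
    printf ' %s\n' "$1" | sed -n 's/.*[[:space:]]LRP=\([^[:space:]]*\).*/\1/p'
}

# Print the command line with the LRP=... token removed.
# Assumption: with no LRP= present the loader reads lrpkg.cfg instead.
strip_lrp() {
    printf ' %s\n' "$1" | sed 's/[[:space:]]LRP=[^[:space:]]*//' | sed 's/^ //'
}

# Succeed (exit status 0) when the line exceeds the limit.
cmdline_too_long() {
    [ "${#1}" -gt "$CMDLINE_LIMIT" ]
}

# Write the package list to the lrpkg.cfg path given as $2 and print the
# shortened command line; refuses to act when there is no LRP= token.
make_lrpkg_cfg() {
    pkgs=$(lrp_value "$1")
    [ -n "$pkgs" ] || { echo "make_lrpkg_cfg: no LRP= token found" >&2; return 1; }
    printf '%s\n' "$pkgs" > "$2"
    strip_lrp "$1"
}

# On a running box: compare what syslinux actually handed to the kernel.
check_running_cmdline() {
    line=$(cat /proc/cmdline)
    if cmdline_too_long "$line"; then
        echo "WARNING: /proc/cmdline is ${#line} chars, over $CMDLINE_LIMIT; packages may be missing"
    else
        echo "cmdline length ${#line} ok"
    fi
}

# Constructed sample (package names are illustrative, not a real install).
SAMPLE_PKGS='root,etc,local,modules,iptables,shorwall,ppp,pppoe,dnscache,weblet,dhcpd,sshd,libz,libm,ifconfig,ipsec,ipsec509,mawk,ntpdate,ncurses5,isdn,hostap,wlan,pump,udhcpd,dropbear,openssl,libssl,libcrypt,tcpdump,snmpd,ulogd,extra1,extra2'
SAMPLE_CMDLINE="initrd=initrd.lrp init=/linuxrc rw root=/dev/ram0 boot=/dev/fd0u1680:msdos LRP=$SAMPLE_PKGS PKGPATH=/dev/fd0u1680 syst_size=8M log_size=2M"

# usage: sh thisfile --demo   (writes ./lrpkg.cfg from the sample line)
if [ "${1:-}" = "--demo" ]; then
    if cmdline_too_long "$SAMPLE_CMDLINE"; then
        echo "sample line is ${#SAMPLE_CMDLINE} chars; moving package list to lrpkg.cfg"
        make_lrpkg_cfg "$SAMPLE_CMDLINE" ./lrpkg.cfg
    fi
fi
```

Run check_running_cmdline on the box itself to see whether the kernel received the whole line; if the LRP= list is cut off there, the packages after the cut are the ones that never appear in the package menu.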
Re: [leaf-user] Now On-Line but big trouble...
Hello Michelle,

Don't mix up demand and idle: demand has something to do with connecting, idle with disconnecting. demand does function correctly, not dialing in until you do a ping or want to get a webpage and so on. demand does not affect dialing out again. idle xxx will hang up the modem after an inactivity interval of xxx seconds, so include idle in the ppp options.

Your question about the ppp router: with Bering and the Bering user guide and install guide, you should have a good working router on a floppy too (as with other variants). You only have to download a bin or an exe, each about 1.68 M, and probably the individual modules for your NIC. Feel free to mail if you have any questions.

Regards
Eric Wolzak
member of the Bering Crew

-----Original Message-----
From: Michelle Konzack [EMAIL PROTECTED]
To: leaf-user [EMAIL PROTECTED]
Date: Tuesday, 15 July 2003 00:39
Subject: [leaf-user] Now On-Line but big trouble...

> Hello,
> I am using the older LRP 2.9.4 and now after creating my router image for an analog modem it does not work correctly:
>
> Config:
>     eth0   NW 192.168.1.64   IP 192.168.1.65   BC 192.168.1.95   NM 255.255.255.224
>            IP-Masquerading active
>     ppp0   idle 300   demand
>
> Problem 1: Does not dial in on demand from the network. If I do a 'ping -c 1 www.bundesregierung.de' on the router it logs in and all is working fine, including the network... (I can write/send this message)
> Problem 2: The idle time is ignored!!! grrr!!! - quite expensive!
> Question 1: Does anyone have a working ppp-router and can give me a link to it? With a 33600 bps modem I can not surf very much and downloading the whole leaf mirror is not...
> Thanks
> Michelle
> --
> Registered Linux-User #280138 with the Linux Counter, http://counter.li.org.
> Michelle's Internet-Service, owner Michelle Konzack, wireless LAN provider
Re: [leaf-user] ntpdate, Bering 1.0 stable (german time zone ?)
Hello Hein,

As you can read from other messages in this thread, you have to distinguish between two causes:
1. ntpdate doesn't work at all. In that case the most probable cause is that you didn't set the shorewall rules as in the butime document.
2. ntpdate works, but your localtime on the router is UTC. If you want to change that on Bering, an easy way is to copy a local zoneinfo file to /etc/localtime. You can take that from any Linux distribution. I send you one as attachment off-list.

Regards
Eric Wolzak

-----Original Message-----
From: Hein Bauer [EMAIL PROTECTED]
To: Leaf-User [EMAIL PROTECTED]
Date: Thursday, 10 July 2003 08:01
Subject: [leaf-user] ntpdate, Bering 1.0 stable (german time zone ?)

> Dear list,
> the package ntpdate does not work correctly here. The time is 2 hours minus the actual time. ntpdate does connect to its given time-server (ntps2-2.wismar.de), but results in an incorrect time. I think my Bering box has a wrong timezone defined... /etc/localtime points to UTC; CEST did not work either. Any German ntpdate-users out there who could give me a hint ;-) ? On my other Linux boxes I use netdate instead of ntpdate. netdate gets the correct time... ntpdate doesn't. I think my problem belongs to definitions of time zones, but I am just guessing. Help me out please... ;-)
[leaf-user] Fw: some strange behavior
Forwarded to the list.

From: jed anderson [EMAIL PROTECTED]
To: Eric Wolzak [EMAIL PROTECTED]
Date: Wednesday, 9 July 2003 11:00
Subject: some strange behavior

> First of all... Hi... it has been a long time since we wrote each other... so... recently I am making some experiments with Bering... this is what I have:
> 1. download the new Bering 1.2
> 2. take INITRD.LRP and ROOT.LRP and upgrade to glibc_2.3.1 (with the procedure known to all in the forum)
> 3. configure Bering 1.2 to run from my HD (the modules thing and all the stuff) using the upgraded INITRD.LRP and ROOT.LRP
> But here comes the strange part... after copying all the files to run from the HD... everything works fine (hardware, kernel, even the print server configuration) except SHOREWALL in all flavors (1.3.x to 1.4.5); all the shorewalls that I tried were configured to run with two interfaces. After breaking my brain I discovered that when I use the old IPTABLES.lrp (1.2.7a) from Bering 1.1, SHOREWALL works perfectly.
> In summary: why, when I use a modified INITRD.LRP and ROOT.LRP, a two-interface Bering 1.2 with an IPTABLES.LRP (1.2.8), does shorewall not work... only when I replace IPTABLES.LRP with an old one from Bering 1.1 does it work like a charm. So what is wrong with iptables 1.2.8? ... I tried looking for something... but... no one seems to have the same predicament. Can you help me?
>
> P.S. the shorewall output looks like:
> --
> Processing /etc/shorewall/params ...
> Processing /etc/shorewall/shorewall.conf...
> Starting Shorewall...
> Initializing...
> Determining Zones...
> Zones: net loc
> Validating interfaces file...
> Validating hosts file...
> Validating Policy file...
> Determining Hosts in Zones...
> Net Zone: eth0:0.0.0.0/0
> Local Zone: eth1:0.0.0.0/0
> Processing /etc/shorewall/init ...
> Deleting user chains...
> Processing /etc/shorewall/stop ...
> Processing /etc/shorewall/stopped ...
> Signal 11
> Signal 11
> Signal 11
> Signal 11
> Signal 5
> Processing /etc/shorewall/stopped ...
> --
> Best regards
> Jed Anderson H.
Re: [leaf-user] Making DNSCache start before Shorewall
Hello James, you wrote:

> Hello all,
> I'm trying to make DNSCache start before shorewall. This is because I need DNS lookups in the shorewall rules file. I spoke to a friend of mine and we changed the RCDLINKS in the init.d files to the following:
>     DNSCache   RCDLINKS="2,S45 3,S45 6,K45"
>     Shorewall  RCDLINKS="2,S41 3,S41 6,K46"
> Before, shorewall had a lower value after 6,K. Is this the correct way to make DNSCache start first? Because it made no difference.

Almost correct ;) Runlevel 6 is however the runlevel used to stop the box. K is Kill and S is Start. So if you go to runlevel 2 (the normal operating mode) Shorewall is started at position 41 and dnscache at 45. Changing to:
    DNSCache   RCDLINKS="2,S41 3,S41 6,K45"
    Shorewall  RCDLINKS="2,S45 3,S45 6,K46"
lets dnscache start before shorewall.

But I am not sure if that will solve your problem, as shorewall will probably be necessary to allow your network to be used after it is started. This will also depend on your connection mode. If it would be possible to use an open connection to the external network during the startup of shorewall, you have a potential security risk.

> I'm loath to make any more changes in case I kill my box and have to start again :\
> The other suggestions I have to try are:
>     Change 6 to 7
>     Add Sleep 30 to the beginning of the shorewall init script.
> And I have no idea whether they would be fatal changes. Any advice?
> Thanks,
> James

Regards
Eric Wolzak
member of the Bering crew
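To make the runlevel arithmetic in the exchange above checkable rather than eyeballed, here is an added POSIX shell example (not from the thread) that parses RCDLINKS strings in the "runlevel,S|Kseq" form the message uses and reports which of two packages starts first in a given runlevel. The tie-break assumption is mine: equal sequence numbers fall back to the sort order of the link names, as /etc/rc<N>.d/ would give. The two RCDLINKS pairs are the ones quoted in the message.

```shell
#!/bin/sh
# Added example: resolve LEAF package start order from RCDLINKS strings.
# Format per token: <runlevel>,<S|K><sequence>, e.g. "2,S45 3,S45 6,K45".

# Print the S (start) sequence number of a package in a runlevel.
# Fails (status 1) when the package has no start link in that runlevel,
# which is the case for runlevel 6 (shutdown), where only K links live.
rcd_start_seq() {   # $1 = RCDLINKS string, $2 = runlevel
    for tok in $1; do
        case "$tok" in
            "$2",S*) printf '%s\n' "${tok#*,S}"; return 0 ;;
        esac
    done
    return 1
}

# Print the name of the package that starts first in a runlevel.
# Assumption: equal sequence numbers are ordered by link name, as the
# S<seq><name> links in /etc/rc<N>.d/ sort.
rcd_first() {   # $1=nameA $2=linksA $3=nameB $4=linksB $5=runlevel
    a=$(rcd_start_seq "$2" "$5") || { echo "$1 has no S link in runlevel $5" >&2; return 1; }
    b=$(rcd_start_seq "$4" "$5") || { echo "$3 has no S link in runlevel $5" >&2; return 1; }
    if [ "$a" -lt "$b" ]; then
        echo "$1"
    elif [ "$b" -lt "$a" ]; then
        echo "$3"
    else
        printf '%s\n%s\n' "$1" "$3" | sort | head -n 1
    fi
}

# The two configurations from the message: the one James tried, and the
# swapped one that actually starts dnscache before shorewall.
DNSCACHE_TRIED="2,S45 3,S45 6,K45"
SHOREWALL_TRIED="2,S41 3,S41 6,K46"
DNSCACHE_FIXED="2,S41 3,S41 6,K45"
SHOREWALL_FIXED="2,S45 3,S45 6,K46"

# usage: sh thisfile --demo
if [ "${1:-}" = "--demo" ]; then
    echo "tried: $(rcd_first dnscache "$DNSCACHE_TRIED" shorewall "$SHOREWALL_TRIED" 2) starts first in runlevel 2"
    echo "fixed: $(rcd_first dnscache "$DNSCACHE_FIXED" shorewall "$SHOREWALL_FIXED" 2) starts first in runlevel 2"
fi
```

The caveat in the reply still applies once the order is right: anything that starts before shorewall runs on an unfiltered box for those seconds, so the window between the two S links is the thing to keep small, not just correctly ordered.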
[leaf-user] Re: [leaf-user] Bering often doesn't connect at startup
[...] EchoReq id=0x1 magic=0x847ea138 00 00 00 00] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Jul 2 09:14:28 firewall pppd[5337]: sent [LCP EchoRep id=0x1 magic=0x77aa3ee9 68 6f 61 40]
Jul 2 09:14:38 firewall pppd[5337]: rcvd [LCP EchoReq id=0x2 magic=0x847ea138 00 00 00 00] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#
# then a lot of successful LCP pings are sent and received.
#

So your connection is set up to the route level. The problem will probably not be in the pppd or pppoe system.

Did you set the clampmss? Did you look at the connections you have after you put your router up? If you have lots of clients that start to game and request a server list, you've got thousands of connections and that might just fill the NAT list. After some time the traffic becomes less, and you can use the internet. The same might occur with filesharing. Also check http://192.168.1.254 from an internal machine and look for current connections. Ping an IP number from your firewall to see if it is a DNS problem. Check back for further advice.

My 2 eurocent ;)
Eric Wolzak
member of the Bering Crew
Re: [leaf-user] Re: Some questions about leaf PPPoE
Hello Raymond, Lynn, list,

I don't think the modem is a router; the internal modem address is probably only for maintenance. BTW, be careful: this is a private IP and might be blocked by shorewall if you try to do maintenance.

So if it is
    internal network -- LEAF --- normal ethernet --- Router --- pppoe --- Provider
you have a normal network firewall setup and don't need ppp/pppoe but probably pump, as Lynn stated; your external interface is eth0.

If it is
    internal -- LEAF --- PPPoE Modem --- PPPoE (modulated) --- Provider
you need pppd and pppoe, and in that case there is something wrong with your settings to identify: user name not corresponding to an entry in pap-secrets or chap-secrets. Your external interface is ppp0.

Part of your log file (time, date and firewall name removed for line length), with my comments marked #:

# before this there should have been a communication to establish an Access Concentrator and the offer to use channel 1
pppd[557]: using channel 1
# ok we use channel 1
pppd[557]: sent [LCP ConfReq id=0x1 magic 0x52cf66a9]
pppd[557]: rcvd [LCP ConfReq id=0xc3 mru 1492 auth chap MD5 magic 0x3d5cac04] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
# AC request to identify with chap
pppd[557]: sent [LCP ConfRej id=0xc3 auth chap MD5]
# identification by chap rejected by you
pppd[557]: rcvd [LCP ConfAck id=0x1 magic 0x52cf66a9] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
pppd[557]: rcvd [LCP ConfReq id=0xc4 mru 1492 auth pap magic 0x3d5cac04] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
# received request to identify yourself with pap
pppd[557]: sent [LCP ConfRej id=0xc4 auth pap]
# I don't identify with pap
pppd[557]: rcvd [LCP ConfReq id=0xc5 mru 1492 magic 0x3d5cac04] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
pppd[557]: sent [LCP ConfAck id=0xc5 mru 1492 magic 0x3d5cac04]
pppd[557]: sent [LCP EchoReq id=0x0 magic=0x52cf66a9]
# pinging the line
Jan 5 23:40:50 firewall pppd[557]: sent [IPCP ConfReq id=0x1 addr 0.0.0.0]
# please give me an IP
Jan 5 23:40:50 firewall pppd[557]: rcvd [LCP TermReq id=0xc6] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...
# your provider shuts the connection down, as you didn't identify yourself
Jan 5 23:40:50 firewall pppd[557]: sent [LCP TermAck id=0xc6]
# ok I understand
Jan 5 23:41:23 firewall pppd[557]: using channel 2
# in between there was another try to start up the basic connection, and the game starts anew

> On Saturday 28 June 2003 09:02 pm, PAGE,RAYMOND wrote:
> [...]
> eth0 is definitely connected to the modem, and ?trying? to talk to the modem. The modem has an IP of 192.168.7.1. The internal nic, eth1, is able to connect to internal boxes. Its IP is 192.168.0.1. I know it works because I can ssh to that IP from an internal machine. I don't believe that udhcpd (as opposed to the standard daemon because it's so much larger in size) is working properly for me; however I've statically assigned other boxes temporarily so it doesn't have to work right now and that shouldn't affect getting this to work.
>
> Lynn wrote:
> Ok, your DSL-modem/router is running as a NAT'ing router with DNS-cache on it. This changes your settings considerably, since this DSL-modem/router is also the machine authenticating your DSL connection (you had to set it up with username/password, correct?). With these assumptions on my part, you should NOT need a PPPoE client on the LEAF box and you will need a dhcp client such as pump/dhclient/udhcpcd/etc to get an IP from your DSL-modem/router. There may be some application problems due to running NAT twice (once at the DSL-modem/router and again at the Bering box), but that depends on whether you can set the DSL-modem/router to NOT NAT the IP address assigned to you. DNS-cache can be run on either the DSL-modem/router or on the Bering box (dnscache package); that is simply preference left to you.
>
> I'm attaching the output you requested, along with my syslinux.cfg, because I'm not sure if udhcpd should be called before or after pump and ppp/pppoe.

Eric Wolzak
member of the Bering crew
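The two pppd failures discussed in this thread and in the "Bering Dial in" thread above (a dial-in peer that stops answering LCP echo-requests, and a PPPoE client that sends LCP ConfRej for every auth proposal and is then cut off with a TermReq) leave distinct fingerprints in the pppd syslog output. The following is an added POSIX shell example, not code from either message, that reads pppd log lines on stdin and names the symptom; it serves both threads. The sample log lines are constructed from the fragments quoted in the two messages, not a real capture.

```shell
#!/bin/sh
# Added example: classify pppd syslog lines into the symptoms seen in the
# two threads above.  Read lines on stdin, print one line per symptom.
pppd_diagnose() {
    awk '
    # peer stopped answering LCP echo-requests (dial-in thread)
    /No response to [0-9]+ echo-requests/ { echo_fail = 1 }
    # this side sent ConfRej for the auth protocol the peer asked for
    # (PPPoE thread): pppd had no usable name/secret to offer
    /sent \[LCP ConfRej id=0x[0-9a-f]+ auth (pap|chap)/ { auth_rej = 1 }
    /sent \[IPCP ConfReq/ { ipcp = 1 }
    # peer tore the link down while we were still asking for an address
    /rcvd \[LCP TermReq/ && ipcp { term = 1 }
    END {
        n = 0
        if (echo_fail) { n++; print "ECHO_FAILURE: peer did not answer LCP echo-requests; check the return route and whether the firewall treats the ppp interface as external" }
        if (auth_rej)  { n++; print "AUTH_REJECTED_LOCALLY: we sent LCP ConfRej for auth; no matching name/secret for the peer in pap-secrets or chap-secrets" }
        if (term)      { n++; print "PEER_TERMINATED: peer sent LCP TermReq after our IPCP ConfReq; session closed before an address was assigned" }
        if (n == 0) print "NO_KNOWN_SYMPTOM"
    }'
}

# Constructed sample: dial-in peer goes silent (after the dial-in thread).
SAMPLE_DIALIN='Nov 25 08:53:04 firewall pppd[8591]: remote IP address 192.168.5.99
Nov 25 08:53:37 firewall pppd[7359]: No response to 3 echo-requests
Nov 25 08:53:37 firewall pppd[7359]: Serial link appears to be disconnected.'

# Constructed sample: PPPoE client with no matching secret (this thread).
SAMPLE_PPPOE='pppd[557]: rcvd [LCP ConfReq id=0xc3 mru 1492 auth chap MD5 magic 0x3d5cac04]
pppd[557]: sent [LCP ConfRej id=0xc3 auth chap MD5]
pppd[557]: rcvd [LCP ConfReq id=0xc4 mru 1492 auth pap magic 0x3d5cac04]
pppd[557]: sent [LCP ConfRej id=0xc4 auth pap]
pppd[557]: sent [IPCP ConfReq id=0x1 addr 0.0.0.0]
pppd[557]: rcvd [LCP TermReq id=0xc6]
pppd[557]: sent [LCP TermAck id=0xc6]'

# usage: pppd_diagnose < /var/log/messages   or   sh thisfile --demo
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_DIALIN" | pppd_diagnose
    printf '%s\n' "$SAMPLE_PPPOE" | pppd_diagnose
fi
```

Only the "sent [LCP ConfRej ... auth" lines are visible with pppd's plain debug option; as the follow-up below notes, the PPPoE discovery phase that precedes them needs the higher debug level to appear in the log at all.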
Re: [leaf-user] Because the list auto-rejects emails with attachments....here's my configs for everyone inline
Yes, suppose that WWWRaymond is your login and PAGESecret is your password; then you have to have in your pppoe option file
    name WWWRaymond
or
    user WWWRaymond
and in your pap-secrets file
    WWWRaymond * PAGESecret
Put those in quotes if you have any special characters in them.

-----Original Message-----
From: PAGE,RAYMOND [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Date: Sunday, 29 June 2003 16:02
Subject: [leaf-user] Because the list auto-rejects emails with attachments...here's my configs for everyone inline

> Eric,
> I'm not sure if this is what you were conveying, but do you think that I have an incorrect login/password in my pap/chap.secrets? Thanks for all the input, this helps a lot.

What I tried to tell you is:
1. debug was not set with debug 7, so the first part of the communication isn't in the log file.
2. There is something communicating with you in pppoe mode (probably your provider).
3. Your side rejected pap and chap authentication. This is mostly because you don't have a corresponding username-password pair.
4. If you had a corresponding user-password pair then your side would have tried to identify, and if the password was wrong you would have had a different termination.

If you don't find the cause here, then post me your ppp and pppd options.

-- original post deleted, see list for more details --
Re: [leaf-user] natsemi driver..
Hello Homer,
are you sure you got the correct modules? In my modules on a 2.4.20, pci_drv_register and pci_drv_unregister are not mentioned; in the modules on a 2.2.20 they are. Those are dependent on pci-scan. So please check if you have the correct module. If so, try installing pci-scan before.

Regards
Eric Wolzak
member of the bering crew.

-----Original Message-----
From: Homer Parker [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Date: Tuesday, 24 June 2003 20:43
Subject: [leaf-user] natsemi driver..

> Bering 1.2 in a Net4501 Soekris box.. Loading natsemi.o gives me:
>
>     # insmod natsemi
>     Using /lib/modules/natsemi.o
>     insmod: unresolved symbol pci_drv_unregister
>     insmod: unresolved symbol pci_drv_register
>
> Looking at modules.dep, it doesn't look like it relies on anything else..
>
> ---
> Homer Parker
> http://www.homershut.net
> telnet://bbs.homershut.net/
> ASCII Ribbon Campaign: No HTML/RTF in email, No Word docs in email, Respect for open standards
>
> "Bill Gates reports on security progress made and the challenges ahead."
> -- Microsoft's Homepage, on the day an SQL Server bug crippled large sections of the Internet.
Re: [leaf-user] Edit Bering Config files Offline
Hello Simon, David

> Hi David, I have managed to unzip the file to a temporary folder /temp on another Bering box using
>
>     mount -t msdos /dev/fd0u1680 /mnt
>     cd /mnt
>     tar -zxvf /temp/etc.lrp

    # all steps in one liners ;)
    mkdir /temp
    mount -t msdos /dev/fd0u1680 /mnt
    cp /mnt/etc.lrp /temp
    cd /temp
    tar -xzf etc.lrp
    # can be easier but more dangerous: don't leave etc.lrp in temp,
    # otherwise it will be packaged in the new etc.lrp
    rm etc.lrp
    # now edit your files
    cd .
    edit
    # if ready move back to temp
    cd /temp
    # tar all your files and the subdirectories to etc.tar
    tar -cf etc.tar *
    # zip the tar file, this will create etc.tar.gz
    gzip etc.tar
    # rename etc.tar.gz back
    mv etc.tar.gz etc.lrp
    # check the size for security reasons
    ls -l etc.lrp
    # and compare with the original and free disk space
    ls -l /mnt
    # if ok
    mv etc.lrp /mnt
    # clean up
    cd /
    rm /temp -rf
    umount /mnt
    # wait till everything is written back.
    # of course you can tar and zip as a one pipe process.

btw if you can edit etc.lrp from the boot disk, you also can edit the real files in etc.lrp ;) and back them up.

On Sun, 2003-06-08 at 17:21, Simon Chalk wrote:
> Is it possible to edit an lrp package on a Bering floppy on another machine.

yes see above.

> I have a problem on one machine where incorrect configuration has stopped access to the console. So I am unable to use LRCFG, since no console access is possible.

regards
Eric Wolzak
member of the bering crew
[leaf-user] Fw: comment/question about Bering, pppoe
Hello All,
does somebody know an option for pppd to specify the access concentrator? I didn't find one.

Regards
Eric Wolzak
member of the bering crew

-----Original Message-----
From: Rossen Antonov [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Date: Thursday, 5 June 2003 22:44
Subject: comment/question about Bering, pppoe

> Mr. Wolzak,
> I'm very keen on Bering. I would like to set it in a small LAN where I live. My ISP uses another big LAN and I'm connected to it directly via eth0, without a DSL device. The provider uses PPPoE. It has one Access Concentrator (PPPoE server) with four Service Names. In the default situation like that figured in the LEAF Bering user's guide there is no need to specify a Service Name when making a connection, but in my situation I need to connect exactly to one of those four Service Names. This is a result of
>
>     pppoe -A -I eth0
>
> executed under Knoppix on my machine where Bering is supposed to be. It shows the exact situation:
>
>     Access-Concentrator: hl-pppoe
>     Service-Name: int3
>     Service-Name: ok1
>     Service-Name: ok2
>     Service-Name: ok3
>     AC-Ethernet-Address: 00:08:c7:8a:ec:2b
>
> And then to connect I use this command:
>
>     pppd pty 'pppoe -I eth0 -S ok2' noipdefault defaultroute hide-password passive persist name antonov
>
> My comment is that if in Bering the Service Name can be set up, this should be described in the LEAF Bering user's guide. And my question is: is it possible in Bering to set up a Service Name? Thank you for reading my mail! I wish you all the best! Please, if you have a little time, reply to me with an answer on my question. Just yes or no is enough.
> --Rossen Antonov, Bulgaria, 20 years old.
Re: [leaf-user] kernel pppoe was Fw: comment/question about Bering, pppoe
Hello Ray,
thanks for your reaction. Your answer applies to the rp-pppoe package; here a pppoe application is sending its output to a pseudoterminal and then leading this over the ppp connection. With kernel mode, as I understand it, it is different: a pppd connection is translated by the pppoe plugin to a kernel-pppoe connection. The connection on pppoe level is done by the pppoe plugin. So the options -S and -A are not possible. It might be possible to use the name of the access-concentrator in the pap-secrets as server name; I cannot test this yet.

Regards
Eric Wolzak
member of the Bering Crew

-----Original Message-----
From: Ray Olszewski [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Date: Friday, 6 June 2003 00:28
Subject: Re: [leaf-user] Fw: comment/question about Bering, pppoe

> At 11:43 PM 6/5/2003 +0200, eric wolzak wrote:
> > Hello All
> > does somebody know an option for pppd to specify the access concentrator
> > I didn't find one
>
> Eric -- I don't have the answer, but I think you want to ask a different question. If I follow the discussion here -- http://www.roaringpenguin.com/slides/pppoe-slides.pdf -- correctly, the Access Concentrator gets identified by the pppoe wrapper to pppd via a device-discovery step (that looks analogous to dpclient asking "are there any DHCP servers out there who can give me an address?"), not by pppd itself.
>
> Or maybe I do have at least a candidate answer at that. The man page for pppoe (on Debian-Sid) lists the following options:
>
>     -S service_name
>            Specifies the desired service name. pppoe will only initiate sessions with access concentrators which can provide the specified service. In most cases, you should not specify this option. Use it only if you know that there are multiple access concentrators or know that you need a specific service name.
>
>     -C ac_name
>            Specifies the desired access concentrator name. pppoe will only initiate sessions with the specified access concentrator. In most cases, you should not specify this option. Use it only if you know that there are multiple access concentrators. If both the -S and -C options are specified, they must both match for pppoe to initiate a session.
>
> The pppoe discussed here is probably the RP package, but the docs are not completely clear on that part. Hope this is what you need. Good luck.
>
> [earlier, quoted message deleted]
Re: [leaf-user] kernel pppoe was Fw: comment/question about Bering, pppoe
Hello All,
kernel mode pppoe (the one that is used at bering) can be used to specify a certain access concentrator. My previous post with a proposition to change the etc/ppp/pap-secrets is not correct. The access concentrator is chosen as a first step; the authentication is used in a later stage.

So the correct solution is: in the pppoe options file /etc/ppp/peers/dsl-provider add the following line

    pppoe_ac_name <name of the access concentrator>

Example: if your access concentrator is AC_To then

    pppoe_ac_name AC_To

Now PADO from other access concentrators will be ignored. This is not necessary for everybody, only for those that have to specify a special AC. With the roaring penguin package this is equivalent to

    pppoe -S <name of the access concentrator>

By the way, with the standard pppoe.lrp package it is possible to create your own pppoe server. It was easier than it seems ;) I will post the howto in a few days.

Regards
Eric Wolzak
Re: [leaf-user] weblet extension version 2
Hi Ken.

> I tried this code as well and I think that you have to substitute /var/log/shorewall.log for /var/log/messages in the code that Eric provided. It didn't work for me until I made this change. Perhaps an older version of Bering or Dach used the messages file to log packets, hence the confusion. Please correct me if I'm wrong, Eric.
> Thanks, Ken

You are of course right, the log file should be the one the messages for shorewall are directed to. Bering 1.0 stable did the logging still in the /var/log/messages file (this was the version I used to debug the script.) I should make things more modular again ;) Thanks for your feedback.

Regards
Eric Wolzak
member of the bering crew.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tony
Sent: Saturday, May 31, 2003 3:33 PM
To: eric wolzak; Leaf-User
Cc: [EMAIL PROTECTED]
Subject: RE: [leaf-user] weblet extension version 2

> HI Eric and Jeff,
> Thanks Eric for the code, this is half of what I was looking for, Jeff gave the other half. If you use the proverb "Give a man a fish, he eats today. Teach a man to fish, he eats forever", you both gave me one of those lines and I appreciate it. But, I do have some questions about the code. I can get the portsort section to work (from a previous e-mail), but the ipsort section is giving me the headers, but no data under it. I have some observations, but should I move this discussion to the devel list? I don't want to clog up this list with any more messages than necessary. Please advise, and I can pick up with my observations.
> Thanks, Tony
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Behalf Of eric wolzak
> Sent: Saturday, May 31, 2003 12:26 PM
> To: Tony; Leaf-User
> Subject: Re: [leaf-user] weblet extension version 2
>
> > Hello Tony
> > Another variant is to change in the file viewhits the option ipsort to
> >
> >     ipsort)
> >         HEAD='<tr><td width=50> Hits </td><td>IP-Adress</td><td>&nbsp;</td></tr>'
> >         AUS=`grep DPT=$content /var/log/messages |\
> >         sed 's/.*SRC=\(.* \)DST.*$/<a href=viewhits?x_\1>\1<\/a><\/td><td><\/td><\/tr>/'| sort -n | uniq -c |sort -rn|\
> >         sed 's/^/<tr><td>/
> >         s/<a/<\/td><td><a/'`
> >         ;;
> >
> > This is a little bit slower but lets you click on each ip address that tried to connect to the certain port and shows the messages that it caused, including those to another port.
> >
> > Regards
> > Eric Wolzak
> > member of the bering crew
Re: [leaf-user] weblet/sed question
Hello Tony,
if I understand your mail correctly, you want the possibility to identify which machines are responsible for the logged traffic to a certain port.

> Good Evening all,
> I'm sorry to ask a question like this, but here goes. I want to expand weblet a little and would like some pointers. I'm currently running weblet 1.2 under Bering v1.1. I like the screens where you can view the hits by either port or sorted IP address. What I want to do is add the functionality of the IP address screen to the port screen. On the IP screen, the addresses are clickable to view the actual hits the IP was associated with. What I would like to do is have the ports be clickable to view a sorted list of IP addresses. So if I clicked port 53, I could get a listing of all the IP's who hit that port. I could then get the offending IP's without having to plow through the current IP list to see who hit what port. Did I describe that clearly enough? I viewed the code to see how the different pages are rendered and how the sub routines are called, but I don't really know sed. I'm not sure where to start.

You can make the following changes to weblet:

# edit /var/sh-www/cgi-bin/viewhits
change the following two subroutines:

    ipsort)
        ;;

to

    ipsort)
        HEAD='<tr><td width=50> Hits </td><td>IP-Adress</td><td>&nbsp;</td></tr>'
        AUS=`grep DPT=$content /var/log/messages |sed 's/.*SRC=/<\/td><td>/
        s/ .*$/<\/td><td><\/td><\/tr>/'| sort -n | uniq -c |sort -rn|\
        sed 's/^/<tr><td>/'`
        titel="hits on port $content"
        ;;

and

    portsort)
        ..
        ;;

to

    portsort)
        HEAD='<tr><td>hits</td><td>port</td><td>Service</td></tr>'
        AUS=` grep "Shorewall:.* DPT" /var/log/messages |\
        sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/'|\
        sort | uniq -c |sort -rn |\
        while read count port ; do
            printf "<tr><td>$count</td><td><a href=viewhits?ipsort_$port>$port</a></td><td>"
            grep "\\b$port\\b" /etc/services |sed /^#/d |cut -f 1 |uniq
            printf "</td></tr>"
        done `
        titel="Hits sorted by porttype"
        ;;

Then save viewhits and backup weblet. This should do the trick (at least it did it for me.)

If there are more people interested in this kind of information, I could implement some of those to weblet. Possible were for example also those ip numbers that are logged for many different ports -- scanners. Any comment is welcomed.

Regards
Eric Wolzak
member of the bering Crew
Re: [leaf-user] weblet extension version 2
Hello Tony
Another variant is to change in the file viewhits the option ipsort to

    ipsort)
        HEAD='<tr><td width=50> Hits </td><td>IP-Adress</td><td>&nbsp;</td></tr>'
        AUS=`grep DPT=$content /var/log/messages |\
        sed 's/.*SRC=\(.* \)DST.*$/<a href=viewhits?x_\1>\1<\/a><\/td><td><\/td><\/tr>/'| sort -n | uniq -c |sort -rn|\
        sed 's/^/<tr><td>/
        s/<a/<\/td><td><a/'`
        ;;

This is a little bit slower but lets you click on each ip address that tried to connect to the certain port and shows the messages that it caused, including those to another port.

Regards
Eric Wolzak
member of the bering crew
Re: [leaf-user] Router Stops
Hello David, All

> My router stops periodically and I can restart it by restarting Shorewall. Lynn has suggested it might be a memory problem. Any suggestions how I can monitor RAM usage? Commands built into Bering? Packages I can run?

1. The RAM usage can be viewed from the weblet.
2. Activate Spacecheck in the lrp settings file and you get an email as the disks fill (as long as your router isn't stopped yet ;))
3. But I don't think the RAM is the cause. Sorry, I didn't follow this thread before. What do you mean by "router stops"? I suppose you mean you cannot get connections to the internet anymore.

Restarting Shorewall does reinstall the firewall rules and detects some broadcasts, thereby setting a route. Only restarting shorewall doesn't delete files (and doesn't create more space on the filesystem, so why should the router function after the restart if it was a disk/ram problem?). It might however stop remaining unused connections and clear your table from outdated connections. The same should be done by taking your external interface down and up again.

I have seen a pseudo non-functional router after someone playing network games on the internal net and requesting for free gameservers just filled the tables (kind of unpurposed DOS ;)). Try using weblet to view the active connections, or the different shorewall commands. If you have too many active connections weblet will time out.

Regards
Eric Wolzak
member of the Bering Crew

> David Pitts
> IT Services Manager
> Reid Library
> University of Western Australia
> Telephone: (08) 9380 3492
> Fax: (08) 9380 1012
Re: [leaf-user] unusual firewall applications ( a little off-topic)
Hello Frank

> As I understand it, a firewall prevents computers from communicating undesirable communications. Poorly worded, perhaps, but I am sure it addresses the intent of firewalls.

This is partly true. The decision to accept a communication depends, at a firewall, on source/dest (ip), protocol (tcp etc) and port. This is of course a simplification. But the packet filter that is built in leaf doesn't look at the content of a message (so if a webserver is allowed to pass, it passes independent of whether this is scientific information or an advertisement for, uh, cars.) Content filtering is done by other programs (f.e. junkbuster, squid etc).

> I get lots of undesirable communications on my telephone. There seems to be a marketing industry devoted to using my phone number as a sales tool. I am sure everyone on the reflector can identify with this plague.

Now to your telephone. If you want to block certain protocols (fax f.e.), this is built in most telephones. If you want to block connections depending on their origin (src telephone number), this can be done only if the src-telnr is transmitted. In different countries this is done. In Germany this is done on a voluntary basis, so as soon as somebody wants to stay unrecognized he will block this feature. In that case you could blacklist notorious callers or reject all but a selected group of numbers. Programs like that are built in in almost any mobile telephone and home telephone switch. To filter on the content is almost impossible. It takes for you, with a higher intelligence than your computer, even some time to detect that the message the caller is telling you is not interesting for you. To build a speech recognition and interpretation is far beyond a lrp box ;)

> Getting to the point, has anyone ever considered building a firewall to prevent this abuse? A telephone firewall. Could something of this nature be implemented on an LRP box? A rhetorical question because I know it can be implemented. I would do that but don't know how. My lack of knowledge extends to the programming. I am pretty sure I can handle the hardware requirements.

What can be done in my opinion is filtering for special numbers or only allowing authorized callers, for example with a telephone login: after connecting to a box, they hear a message "please enter your telephone code". If they have that wrong, the connection is broken. But that would prevent any person with honest intention to contact you. A simpler method is using the display with the telephone number and your decision to take the phone. But all that demands that the calling number is transmitted, which isn't always true.

> The question is, does anyone know of any efforts to do this?

no

> My Dachstein firewall is on all the time, connected to my cable modem. It could just as well be handling telephone traffic on the same 24/7/365 basis.

And for a lot of other interesting applications: securing your home printserver, making coffee ;) but remember, lots of applications means drilling holes in your firewall. Anyhow, I like thought experiments :)

Regards
Eric Wolzak
member of the bering crew
Re: [leaf-user] A Couple Of Problems...
Hello Nick

> I'm using Bering 1.1 and overall think it's wonderful. There are just a couple of things that I'm having difficulty with:
> 1) I can't get Bering to send me emails. Every hour there's an entry in cron.log similar to the following:
>     MAIL (mailed 19 bytes of output but got status 0x0001 )

Sorry to see it is still there; this is due to a line I inserted in a debugging session and forgot to remove. Remove the line

    # echo $prog

in routine main() around line 33 in the multicron-p script.

> If I use the MAIL command from the command-line, I can get it to send a message, but never via cron.

Did you set

    lrp_SPACECHECK=YES
    lrp_SC_MAIL_LEVEL=2

in the settings? Cron will only send a message if the space is so limited that it had to go to step 2, deleting files. If this situation doesn't occur, you won't get mail :) If you want a mail every day, for example to get your log files mailed, make a script like you did by hand and insert it as a cron job. Remember to set the full path to executables!

> Incidentally I discovered that pointing it at an Exchange 5.5 server does not work, as the mail command appears to disagree with Exchange as to the correct sequence of an SMTP conversation...

(who is right ;))

> I've now re-pointed it at a Linux box, running Sendmail and all is well on that front. Any pointers that anyone could give me would be very much appreciated!
> Thanks
> Nick

Regards
Eric Wolzak
member of the Bering Crew
Re: [leaf-user] Connecting to dsl was adsl: can't set mru/mtu to 1500 (T-online)
Hello Henning

> Hi Folks,
> I got a great problem connecting to t-online. I got 2 running devices (eth0 eth1). When I issue
>     pon dsl-provider eth0
> SYSLOG tells me:
>     connecting ppp0 - eth0
> Shouldn't it be ppp0 - /dev/ttyp0 ? Then SYSLOG says:
>     cannot set MTU to 1500
>     cannot set MRU to 1500
> MTU and MRU should be set to 1452 because I use the default config file dsl-provider with the entry
>     pty pppoe -I eth0 -T 80 -m 1452
> What am I doing wrong? Any help is greatly appreciated!

For other readers: T-DSL is ADSL, named after the Telekom.

To connect with bering 1.0 you use the ppp and pppoe package. Assuming that your eth0 is connected to the external interface (dsl modem), change the settings to:

Package ppp, system wide ppp settings, /etc/ppp/options:

    asyncmap 0
    auth
    crtscts
    lock
    hide-password
    modem
    proxyarp
    lcp-echo-interval 30
    lcp-echo-failure 4
    noipx
    ...

Pap secrets:

    [EMAIL PROTECTED] * PASSWORD

Don't forget the @t-online.de part. If you use special symbols in Password, put it in quotes.

pppoe, dsl-provider:

    plugin /usr/lib/pppd/pppoe.so
    user [EMAIL PROTECTED]
    noipdefault
    defaultroute
    hide-password
    lcp-echo-interval 20
    lcp-echo-failure 3
    connect /bin/true
    noauth
    persist
    mtu 1492

shorewall masq:

    ppp0    eth1

shorewall interfaces:

    net    ppp0    -    -

shorewall config:

    CLAMPMSS=yes

basic setup, interfaces:

    auto ppp0
    iface ppp0 inet ppp
        pre-up ip link set eth0 up
        provider dsl-provider eth0

Attention: your external interface is ppp0, not eth0. To bring the connection up use

    ifup ppp0

Don't use pon (this tries to connect over a serial line). Down with

    ifdown ppp0

Hope I didn't forget anything. If you haven't a flat rate you should set the demand option. That's all. Ignore the message "cannot change mtu or mru setting to 1500"; they don't harm :)

Eric Wolzak
member of the bering Crew
Re: [leaf-user] newbie question.
Hello Troy

> Hello there. I have a quick newbie question here. I would just like to know the CLI command that I use to show the output below. I am assuming that it is some variation of "ip addr".

Almost correct ;)

    # ip -s link show

The -s option includes the statistics.

Eric Wolzak
member of the Bering Crew
Re: [leaf-user] Shorewall Web GUI
Hello Steve

> I know this question has probably been posted many times before, but I can't seem to find any solution out there. Does anyone know if there is a publicly available Web-based GUI for shorewall? If so, what's a good one to use?

I have an alpha weblet version that among others supports parts of shorewall rules, masq, zones and interfaces. But take care: this uses GET and the weblet has to run as root to change some of the settings. As we are trying to update the configuration database, the weblet will also be changed. So no guarantee ;)

http://leaf.sourceforge.net/devel/ericw/bering/weblet.lrp

Some information about the change of the setting in inetd you can find at my site
http://leaf.sourceforge.net/devel/ericw

Regards
Eric Wolzak
member of the bering Crew
Re: [leaf-user] Bering1.0-stable Problem with 2.4.20 on net4501
> Hi all,
> I'm getting the following kernel panic on my bering1.0_stable box with kernel 2.4.20. This is running on a Soekris net4501. Anyone else see this?

Hello Steve,
Kernel panic with the kernel is often a problem of a corrupt media, or corrupt download. From what kind of media are you booting?

>     Unable to handle kernel NULL pointer dereference at virtual address
>     Oops
>     CPU: 0
>     EIP: 0010:[] Not tainted
>     EFLAGS: 00010286
>     Process swapper (pid: 0, stackpage=c0241000)
>     Code: Bad EIP value.
>     Kernel panic: Aiee, killing interrupt handler!
>     In interrupt handler - not syncing

Eric Wolzak
member of the bering Crew
Re: [leaf-user] Bering, Diagnosing Weblet LRP status warnings
Hello Brian,
the actual number of packet logs is not that important. For example edonkey and programs like that make a lot of connection tries. Your summary shows that almost all connections came from 193.163.220.4 proxy-scanner.eris.dk. The interesting thing would be to see what kind of packets the ones from or to this ip are.

> I have the following message
>     Thu Feb 6 09:49:28 UTC 2003 firewall Firewall Status: error
>     You have 438 denied or rejected packets in your recent packet logs.
>     See the messages in the log files for details
>     Or check the hits sorted by port or by IP adress
> and when I look at the log file this is what it has (excerpt)
>     Feb 6 08:31:05 firewall kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:60:08:08:6d:f3:00:03:4b:ab:10:0e:08:00 SRC=144.134.250.37 DST=203.217.17.249 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=41523 DF PROTO=TCP SPT=1146 DPT=3511 WINDOW=8192 RES=0x00 SYN URGP=0

Taken apart this means: at Feb 6 08:31:05 the Shorewall chain net2all DROP dropped a packet coming from the eth0 interface (IN=eth0) that was meant for the firewall (OUT=) (info on eth0: MAC=00:60:08:08:6d:f3:00:03:4b:ab:10:0e:08:00). The source address of this packet was SRC=144.134.250.37 and the destination (DST=203.217.17.249) should have been your external ip at that moment. The protocol was TCP, the src port 1146 and the destination port 3511. Further packet information: length 48, type of service 00, time to live 120. The SYN bit was set, so it was a start of communication (LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=41523 DF PROTO=TCP SPT=1146 DPT=3511 WINDOW=8192 RES=0x00 SYN URGP=0).

You should read now some of the denied or dropped packets from the 193.163.220.4 host. It might seem that you have outgoing connections to this host that are blocked (IN= resp. OUT=), and if the ports are changing then it might be a scan, or that it is always the same port that tries to connect (for example with a configuration error).

>     hits  port  Service
>       42  1080
>       28  8080  webcache
>       28  6552
>       28    23  telnet
>
>     sorted by ip address
>     Hits  IP-Adress       Date
>      406  193.163.220.4   Feb 6
>        7  24.192.28.48    Feb 6
>        6  202.129.102.26  Feb 6
>        6  144.134.250.37  Feb 6
>        4  192.168.1.254   Feb 6
>        3  24.123.122.189  Feb 6
>        3  203.59.187.164  Feb 6
>        3  203.45.122.188  Feb 6
>
> what does it mean?? am i being attacked or is it something in shorewall that I have not configured properly?

good luck
Eric Wolzak
member of the bering crew
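The field-by-field reading of the Shorewall log line in this message and the portsort/ipsort grep/sed pipelines in the weblet/sed thread do the same job by hand; the following is an added Python example (not code from the weblet package or from any post in the thread) that parses the IN/OUT/SRC/DST/DPT fields, builds the hits-by-port and hits-by-source tables, and also lists sources that hit many different ports, the scanners mentioned in the weblet/sed thread. Only the first sample line is the one quoted above; the other log lines are constructed for the example.

```python
"""Summarise Shorewall packet-log lines the way the weblet viewhits page does.

Added example, not code from the weblet package or from any post in this
thread. It parses the key=value fields of a netfilter log line, builds the
hits-by-port and hits-by-source tables that the portsort/ipsort pipelines
produce with grep/sed/sort/uniq, and lists sources that hit many different
ports (the scanners mentioned in the weblet/sed thread).
"""
import re
from collections import Counter, defaultdict

# Sample log. The first line is the one quoted in the message above; all
# other lines are constructed for this example: one source probing several
# ports, a cron line the parser must skip, and one rejected outgoing packet.
SAMPLE_LOG = """\
Feb 6 08:31:05 firewall kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:60:08:08:6d:f3:00:03:4b:ab:10:0e:08:00 SRC=144.134.250.37 DST=203.217.17.249 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=41523 DF PROTO=TCP SPT=1146 DPT=3511 WINDOW=8192 RES=0x00 SYN URGP=0
Feb 6 08:32:10 firewall kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:60:08:08:6d:f3:00:03:4b:ab:10:0e:08:00 SRC=193.163.220.4 DST=203.217.17.249 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=1 DF PROTO=TCP SPT=3000 DPT=1080 WINDOW=8192 RES=0x00 SYN URGP=0
Feb 6 08:32:11 firewall kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:60:08:08:6d:f3:00:03:4b:ab:10:0e:08:00 SRC=193.163.220.4 DST=203.217.17.249 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=2 DF PROTO=TCP SPT=3001 DPT=8080 WINDOW=8192 RES=0x00 SYN URGP=0
Feb 6 08:32:12 firewall kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:60:08:08:6d:f3:00:03:4b:ab:10:0e:08:00 SRC=193.163.220.4 DST=203.217.17.249 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=3 DF PROTO=TCP SPT=3002 DPT=23 WINDOW=8192 RES=0x00 SYN URGP=0
Feb 6 08:32:13 firewall kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:60:08:08:6d:f3:00:03:4b:ab:10:0e:08:00 SRC=193.163.220.4 DST=203.217.17.249 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=4 DF PROTO=TCP SPT=3003 DPT=8080 WINDOW=8192 RES=0x00 SYN URGP=0
Feb 6 08:35:01 firewall /USR/SBIN/CRON[2952]: (root) CMD (/etc/multicron-p)
Feb 6 08:40:00 firewall kernel: Shorewall:all2net:REJECT:IN= OUT=eth0 SRC=203.217.17.249 DST=192.0.2.25 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=TCP SPT=32768 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# "Shorewall:<chain>:<action>:" is followed by netfilter's key=value fields.
LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<rest>.*)$")


def parse_line(line):
    """Return a dict for a Shorewall log line, or None for any other line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    entry = {"chain": m.group("chain"), "action": m.group("action"), "flags": []}
    for token in m.group("rest").split():
        if "=" in token:
            key, _, value = token.partition("=")
            entry[key] = value            # "OUT=" yields an empty string
        else:
            entry["flags"].append(token)  # DF, SYN, ACK ... carry no value
    return entry


def parse_log(text):
    """Parse every Shorewall line in a log excerpt, skipping all other lines."""
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def direction(entry):
    """Read the IN/OUT pair as the message above does: an empty OUT means the
    packet was addressed to the firewall itself, an empty IN that it left from
    the firewall; both set means it was being forwarded between interfaces."""
    if entry.get("IN") and not entry.get("OUT"):
        return "to the firewall itself"
    if entry.get("OUT") and not entry.get("IN"):
        return "from the firewall itself"
    return "forwarded %s -> %s" % (entry.get("IN"), entry.get("OUT"))


def hits_by_port(entries):
    """portsort equivalent: (count, DPT) pairs, most hits first."""
    counts = Counter(e["DPT"] for e in entries if "DPT" in e)
    return sorted(((n, p) for p, n in counts.items()),
                  key=lambda t: (-t[0], int(t[1])))


def hits_by_source(entries, port=None):
    """ipsort equivalent: (count, SRC) pairs, optionally for one DPT only."""
    counts = Counter(e["SRC"] for e in entries
                     if "SRC" in e and (port is None or e.get("DPT") == str(port)))
    return sorted(((n, ip) for ip, n in counts.items()),
                  key=lambda t: (-t[0], t[1]))


def scanners(entries, min_ports=3):
    """Sources whose logged packets hit at least min_ports distinct ports."""
    ports = defaultdict(set)
    for e in entries:
        if "SRC" in e and "DPT" in e:
            ports[e["SRC"]].add(int(e["DPT"]))
    return {ip: sorted(p) for ip, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    first = entries[0]
    print("%s %s %s: %s -> %s port %s, %s, flags %s" % (
        first["chain"], first["action"], first["PROTO"], first["SRC"],
        first["DST"], first["DPT"], direction(first), " ".join(first["flags"])))
    print("hits by port:  ", hits_by_port(entries))
    print("hits by source:", hits_by_source(entries))
    print("scanners:      ", scanners(entries))
```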
Re: [leaf-user] When my IP changes my DSL interface disconnects
> 08:58:38 firewall pppd[9920]: Couldn't increase MRU to 1500
> Jan 24 08:58:48 firewall pppd[9920]: Connection terminated.
> Jan 24 08:58:48 firewall pppd[9920]: Connect time 58.8 minutes.
> Jan 24 08:58:48 firewall pppd[9920]: Sent 4236 bytes, received 8209 bytes.
> Jan 24 08:58:48 firewall pppd[9920]: Doing disconnect
> Jan 24 08:59:18 firewall pppd[9920]: Sending PADI
> Jan 24 09:00:01 firewall /USR/SBIN/CRON[23934]: (root) CMD (/etc/keepalive_script)
> Jan 24 09:00:01 firewall /USR/SBIN/CRON[6709]: (root) CMD (`/etc/init.d/ntpdate start`)
> Jan 24 09:00:01 firewall /USR/SBIN/CRON[27318]: (root) CMD (/etc/multicron-p)
> Jan 24 04:00:06 firewall ntpdate[18431]: sendto(132.246.168.148): Network is unreachable

The default route is taken down with the ppp0 interface? The ppp0 should try to connect again.

> Jan 24 04:00:09 firewall last message repeated 3 times
> Jan 24 04:00:10 firewall ntpdate[18431]: no server suitable for synchronization found
> Jan 24 09:00:10 firewall /USR/SBIN/CRON[14147]: (root) MAIL (mailed 19 bytes of output but got status 0x0001 )
> Jan 24 09:10:01 firewall /USR/SBIN/CRON[19360]: (root) CMD (/etc/keepalive_script)
> Jan 24 09:15:01 firewall /USR/SBIN/CRON[2952]: (root) CMD (/etc/multicron-p)
> Jan 24 09:20:01 firewall /USR/SBIN/CRON[14049]: (root) CMD (/etc/keepalive_script)
> Jan 24 09:30:01 firewall /USR/SBIN/CRON[18832]: (root) CMD (/etc/keepalive_script)
> Jan 24 09:30:01 firewall /USR/SBIN/CRON[16748]: (root) CMD (/etc/multicron-p)

It is unclear why the pppd daemon is trying to connect now after more than 30 minutes. Did you cut something out of the logfiles?
> Jan 24 09:33:24 firewall pppd[9920]: Connecting PPPoE socket: 00:90:1a:40:44:2c eth0 0x807c2c8
> Jan 24 09:33:24 firewall pppd[9920]: Couldn't get channel number: Transport endpoint is not connected

This message means that there is a problem at a level before password exchange etc. occurs; it could be your modem or the provider endpoint.

> Jan 24 09:33:24 firewall pppd[9920]: Doing disconnect
> Jan 24 09:33:54 firewall pppd[9920]: Sending PADI

If this occurs more often you should check your pppoe options file in /etc/peers/dsl-provider. It should be something like:

    plugin /usr/lib/pppd/pppoe.so
    user *
    noipdefault
    defaultroute
    hide-password
    lcp-echo-interval 20
    lcp-echo-failure 3
    connect /bin/true
    noauth
    persist
    mtu 1492

Regards
Eric Wolzak
member of the bering crew
Re: [leaf-user] ipsec vs ipsec509
Hello Heriberto,

> Hi, I'm setting up a VPN connection with ipsec.lrp. I have also seen an ipsec509.lrp module. In few words, what is the main difference between ipsec.lrp and ipsec509.lrp?

The ipsec.lrp is the freeswan package. The ipsec509 is the same package patched for the use of certificates to identify.

Regards
Eric Wolzak
member of the bering Crew

> Regards
> Heriberto
[leaf-user] Mail Bug in multicron-p
Hello List.

I just discovered a bug in the /etc/multicron-p script in Bering Stable 1 (probably also in Bering-uClibc?). This bug is not critical, just annoying. In the /var/log/syslog file you could find:

    Jan 5 22:00:01 firewall /USR/SBIN/CRON[26546]: (root) MAIL (mailed 12 bytes of output but got status 0x0001 )

every 15 minutes. The mail is sent to root@ and has as content "multicron-p". The reason is the rest of a debugging session that was forgotten to remove (shame on me ;) ). Remove the line

    # echo $prog

in routine main() around line nr 33. Although from the logic nothing should have happened, the output was piped through the mailadmin function. If you have set your mail-admin you could have received mails with multicron-p as content. No Subject.

Sorry for the discomfort.

Regards
Eric Wolzak
member of the bering crew
Re: [leaf-user] adsl connection doesn't work
Hello mike.

> i've got a problem with bering 1.0-stable. i followed the PPPoE configuration in the user's guide to get my dsl connection to work and i'm at the same provider as the one who's written the user guide (t-dsl from t-online in germany).

That's me ;)

> but after configuring both the ppp and pppoe package, the ppp daemon is unable to establish a connection. here is what the debug from pppd says:

let's take a look.

> Jan 6 21:30:07 firewall pppd[4949]: Plugin /usr/lib/pppd/pppoe.so loaded.
> Jan 6 21:30:07 firewall pppd[4949]: PPPoE Plugin Initialized
> Jan 6 21:30:07 firewall pppd[4949]: pppd 2.4.1 started by root, uid 0
> Jan 6 21:30:07 firewall pppd[4949]: Sending PADI
> Jan 6 21:30:07 firewall pppd[4949]: HOST_UNIQ successful match
> Jan 6 21:30:08 firewall pppd[4949]: HOST_UNIQ successful match

you got a user setting and a corresponding pap

> Jan 6 21:30:08 firewall pppd[4949]: Got connection: 696
> Jan 6 21:30:08 firewall pppd[4949]: Connecting PPPoE socket: 00:90:1a:10:14:fa 9606 eth0 0x807c260
> Jan 6 21:30:08 firewall pppd[4949]: using channel 15
> Jan 6 21:30:08 firewall pppd[4949]: Using interface ppp0
> Jan 6 21:30:08 firewall pppd[4949]: Connect: ppp0 -- eth0

got a virtual ppp0

> Jan 6 21:30:08 firewall pppd[4949]: Couldn't increase MTU to 1500.
> Jan 6 21:30:08 firewall pppd[4949]: Couldn't increase MRU to 1500

never mind, just ignore. you send an mru 1492 request later, confirmed

> Jan 6 21:30:08 firewall pppd[4949]: sent [LCP ConfReq id=0x1 mru 1492 magic 0x3198d3b9]

here is the trouble .. you receive a config request: mru 1492 and authenticate with pap

> Jan 6 21:30:08 firewall pppd[4949]: rcvd [LCP ConfReq id=0xb2 mru 1492 auth pap magic 0x6061cca1] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

you send reject authentication with pap !!

> Jan 6 21:30:08 firewall pppd[4949]: sent [LCP ConfRej id=0xb2 auth pap]

do you have a correct pap user setting?
you receive confirmation mru 1492

> Jan 6 21:30:08 firewall pppd[4949]: rcvd [LCP ConfAck id=0x1 mru 1492 magic 0x3198d3b9] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> Jan 6 21:30:08 firewall pppd[4949]: rcvd [LCP ConfReq id=0xb3 mru 1492 magic 0x6061cca1] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> Jan 6 21:30:08 firewall pppd[4949]: sent [LCP ConfAck id=0xb3 mru 1492 magic 0x6061cca1]
> Jan 6 21:30:08 firewall pppd[4949]: sent [LCP EchoReq id=0x0 magic=0x3198d3b9]
> Jan 6 21:30:08 firewall pppd[4949]: sent [IPCP ConfReq id=0x1 addr 0.0.0.0]

As you didn't allow pap authentication the connection is brought down

> Jan 6 21:30:08 firewall pppd[4949]: rcvd [LCP TermReq id=0xb4] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ...

Cut the rest as this is normal disconnecting.

What is the output of

    grep -v ^# /etc/ppp/peers/dsl-providers

mine (with nined out user ident):

    plugin /usr/lib/pppd/pppoe.so
    user [EMAIL PROTECTED]
    noipdefault
    defaultroute
    hide-password
    lcp-echo-interval 20
    lcp-echo-failure 3
    connect /bin/true
    noauth
    persist
    mtu 1492

don't forget the @t-online.de in your user name

> does anybody know any solution to this problem ?

I hope this solved it. The package worked out of the box for pppoe t-dsl.

> thanks for any help

bitte schön ;)

> mike

Eric Wolzak
Re: [leaf-user] PPPoE and static IPs
Hello Stephen,

> Hi, I have a friend moving to Florida where he will connect to Sprint DSL service with static IP. At his old location he was connected to a provider with static IP via Bering 1.0rc2. Since Sprint DSL uses PPPoE, will he still need the PPPoE.lrp package even if static IPs are used?

He will still need the pppoe plugin and a configuration file (and pppoe.lrp isn't much more :) So the answer is yes. You might want to change the noipdefault setting.

regards
Eric Wolzak
member of the Bering Crew.
Re: [leaf-user] Configuring remote logging.
Hello Troy,

part of this is already answered by Jeff. Just one remark: I don't know if you used the correct rule in shorewall.

> I have also made a rule in shorewall to allow my windows box to talk to the firewall on port 514.

It is more the firewall talking to the windows box, so you should allow firewall to local udp port 514:

    ACCEPT  fw  loc  udp  514

you wrote:

> I'm attempting to configure remote logging on a LEAF Bering router and I am wondering if anyone can show me the proper way to go about it. This is what I have entered in the syslog.conf file. The syslog client is running on my windows box at 192.168.140.25 listening on port 514. It does not seem to be working and I just want to be sure if I have not misconfigured the router. Can anyone please show me the proper syntax for this. I have also made a rule in shorewall to allow my windows box to talk to the firewall on port 514. I am pretty sure I goofed on the settings on the syslog.conf. Thanks in advance.
> Troy
>
>     #
>     # Log everything remotely. The other machine must run syslog with '-r'.
>     # WARNING: Doing this is unsecure and can open you up to a DoS attack.
>     #
>     *.*;auth,authpriv.none @192.168.140.25:514.192.168.140.25:514
>     *.*;daemon.* @192.168.140.25:514.192.168.140.25:514
>     *.*.=info;*.=notice;*.=warn;\
>     auth,authpriv.none;\
>     cron,daemon.none;\
>     mail,news.none @192.168.140.25:514.192.168.140.25:514

Regards
Eric Wolzak
member of the Bering Crew
Re: [leaf-user] help with ISDN?
Hello Phillip,

some comments inline.

> Emailed the ISP what I saw, then talked to him. He was confused and couldn't get a terminal emulator to work to see for himself. So I said, Dude, the thing is not putting out login: Is there a chance auth is CHAP or PAP? Oh yeah, I think it is. (Jeez) Well, Chap or PAP? Uh, I'm not sure, maybe CHAP? (Jeez) Unencrypted secret? I dunno. (Jeez) So I turned on CHAP and got a couple dozen LCP exchanges.

just a short help, this may solve the pap/chap problem too :) The communication will be something like

    sent [LCP ConfReq id=0x1 asyncmap 0x0 magic 0xd7c7d0ab pcomp accomp]

your side sending ConfReq with id 0x1

    rcvd [LCP ConfReq id=0x8b asyncmap 0xa auth pap magic 0x2279e419 pcomp accomp]

As an answer you receive: authentication is pap

    sent [LCP ConfAck id=0x8b asyncmap 0xa auth pap magic 0x2279e419 pcomp accomp]

you confirmed (ConfAck) that you use pap, as an answer to request id=0x8b. Now notice if a connection at LCP level is established. If not, which requests are not confirmed (Acknowledged)?

After this the next step will be

    sent [PAP AuthReq id=0x1 user=user password=hidden]

and if you have luck :)

    rcvd [PAP AuthAck id=0x1 ]

Of course with chap things look like

    send [ CHAP .]

during the first stage you could already find some lcp pings

    sent [LCP EchoReq id=0x0 magic=0x83709a1d]

and the answers to this

    rcvd [LCP EchoRep id=0x0 magic=0x52791570]

if that is the case the hardware should be ok.

> Rejected me so now I'll read about CHAP. HOW can you run an ISP and not have someone on site or a quick phone call away who knows what they are doing? (off topic)

you can even run governments in that way ;)

I hope that this helps to find the cause of your problem

Regards
Eric Wolzak
member of the Bering Crew
Re: [leaf-user] partial backup bug in Bering RC3
Hello Brad,

you are right about the error. I would make a different change, to prevent problematic entries in the exclude list. Change:

    /^[xXeE]/{
    s/^[^ ]*[ ]*//
    w '$EXCLUDE'
    }' $LOCAL

to

    /^[xXeE]/{
    s/^[^ ]*[ ]*//
    w '$TMP_EXCLUDE'
    }' $LOCAL

Thanks
Eric Wolzak
member of the Bering Crew

> Eric wolzak
> I found what looks like a bug in Bering RC3's lrcfg.back.script that affects partial backups. That script calls mk_inc_part() for partial backups which populates the $INCLUDE and $EXCLUDE files based on the contents of the $LRPKG/$PACKAGE.local file for the package being backed up. After mk_inc_part() is run, line 172
>
>     sed 's/\/$//' $TMP_EXCLUDE $EXCLUDE
>
> runs and clobbers the initial $EXCLUDE from mk_inc_part(). I think line 172 should be:
>
>     sed 's/\/$//' $TMP_EXCLUDE $EXCLUDE
>                                ^^^
>
> Eric W or Jacques, can you confirm?
> --Brad
Re: [leaf-user] Bering VPN questions-School project
Hello Craig,

Why do you want to use a tunnel through your school net to the private Student net? By this method you protect the private student net against attacks from the school net, but open up the school net a little bit more to the outside world (it is more difficult to get into a tunnel from the outside than to leave a tunnel ;) ). I would think that it is safer to keep the school Lan apart from the Student Lan. Why don't you use a different setup:

    internet --- Bering Box 1 --- School Lan
    internet --- Bering Box 2 --- Private Student Lan

or even with a second network card in Box 1, as

    internet --- Bering Box 1 --- School Lan
                      |
               Private Student Lan

You could use your second Bering box for additional security or some other useful task. All three setups can be done with bering.

regards
Eric wolzak
member of the Bering Crew

> Hi folks,
> At our high school, we have some extra, public IP addresses. For a project, I want to set up 2 Bering boxes. I want to use our extra public IP addresses and have the internet traffic to these addresses flow through the first Bering box to the final Bering box which will service several boxes on a LAN. In between the two Bering boxes is the school LAN, which I (obviously) need to safeguard, so I'm thinking that I need to create a VPN between the two Bering boxes and have all traffic tunnel through??? The purpose is to set up boxes on the internal private student LAN that students can access from home, etc. by using the public IP addresses (We want them to experiment with creating web sites and experience, invariably, getting hacked, etc. while protecting the existing school LAN).
>
>     Internet - Bering Box 1 (School LAN) - Bering Box 2 - Private Student LAN
>
> 1.) This should be pretty easy to do with Bering, shouldn't it?
> 2.) Will the internal school LAN be effectively protected by creating a VPN between the two boxes?
> 3.) Any problems with my scenario that you can see? Comments, suggestions...???
> (I welcome ALL thoughts and suggestions)
> Thank you,
> Craig
Re: [leaf-user] Bering VPN questions-School project
Hello Tom,

of course you are right that it can be done safely, but I still have some second thoughts about potential hackers being behind the net I have to secure. In that case I have to defend my school net from both sides, especially if the students can execute programs on their net. Then they could attack the second bering Box to get access to the school net. If it was my school I would prefer to use a dmz for the student net and put my second Bering Box between the first and the school net. So I would have some logs about what is going on. ;)

Regards
Eric Wolzak

> Eric Wolzak wrote:
> > Hello Craig
> > Why do you want to use a tunnel through your school net to the private Student net? By this method you protect the private student net against attacks from the school net, but open up the school net a little bit more to the outside world (it is more difficult to get into a tunnel from the outside than to leave a tunnel ;) ). I would think that it is safer to keep the school Lan apart from the Student Lan. Why don't you use a different setup:
> >
> >     internet --- Bering Box 1 --- School Lan
> >     internet --- Bering Box 2 --- Private Student Lan
> >
> > or even with a second network card in Box 1, as
> >
> >     internet --- Bering Box 1 --- School Lan
> >                       |
> >                Private Student Lan
> >
> > You could use your second Bering box for additional security or some other useful task. All three setups can be done with bering.
>
> Another approach would be to use Craig's original topology but on Bering Box 2, make the School LAN a separate zone (nested in its 'net' zone). You can then make the student-school policy REJECT and the student-net policy ACCEPT.
>
> -Tom
> --
> Tom Eastep      \ Shorewall - iptables made easy
> AIM: tmeastep    \ http://www.shorewall.net
> ICQ: #60745924    \ [EMAIL PROTECTED]
Re: [leaf-user] Backup problems - partial backup in Bering
Hello Lars,

You wrote:

> Hello
> I am trying to set up and test a VPN network with Bering and Ipsec. For testing I am using VmWare (on W2000). VmWare can only read a 1,44MB disk and my plan was to strip down a disk and use Partial Backup and a CD-image. But I can not get Partial Backup working correctly. I am using Bering_1.0-rc3_img_bering_1680. I have removed all except: initrd root etc local modules shorwall
> I am doing a full Backup on initrd and trying to do Partial on the rest. The only changes I have done to the disk are adding the files for the CD (IDE) in /boot/... and removing some modules in /lib/modules
> I get the message for all packages I try to do a Partial Backup on:
>
>     WARNING - List of local configuration files not found! Defaulting to package files in /etc and /varlib/lrpkg
>
> I am also losing information e.g. settings for the interfaces after the backup. I have used the Partial Backup on Dachstein without problem and I can not find any information that helps me. Anyone who can help me?
> /Lars Emilsson

There is some help on partial backup at http://leaf.sourceforge.net/devel/jnilo/bubooting.html#AEN1168 but on reading it again I have to admit it could be a little bit clearer ;)

Partial Backup is a means of backing up that part of the package that changes (usually because you configured some settings). It cannot be the only backup. The idea, as you recognised correctly, is that the bulk program package is on one (for example read-only) medium and a smaller part, usually the configuration files, is written to a space-limited or slow (e.g. a floppy) medium. I will now describe how to perform this using a CD and a floppy. I use these devices because it is easier to read, but it can of course be done with other media as well.
Now what should happen at boot time: the package is loaded from CD and is installed (which means extracted to its definitive destination). At this moment the configuration is in the state you wrote the package to CD (usually a default setting). Now the partially backed up file is read from the floppy and the files are extracted to their destination, replacing the default values with your settings.

During backup the program has to know what files should be backed up. So it is possible to use a configuration file for each package to list what files are in the partial backup (a lot like the list for the full backup). This file is called packagename.local and contains lines with

    I /name_of_the_file     to include this file
    E/name_of_a_file        to exclude name_of_a_file

Always include I/var/lib/lrpkg/PACKAGENAME so at least packagename.local is backed up.

Now to your questions.

1. If this .local file is not found then the backup assumes that you want to back up the configuration files, hence all files belonging to this package and located in /etc and the /var/lib/lrpkg/thispackage files. This is for most situations a good selection. Note: this is not an error.

2. If at reboot the order in which the packages are loaded is not CD and after that floppy, you will overwrite the configured files with the ones from CD and all your settings are lost again. Read the chapter on partial backup and order of file loading at http://leaf.sourceforge.net/devel/jnilo/bubooting.html#AEN1168
Note: if I recall correctly the search order is slightly different from the Dachstein CD version.

Hope this helps
Eric Wolzak
member of the Bering Crew
Re: [leaf-user] PPPoE difficulty
Hello Scott,

Comments inline

> I'm trying out Bering for a remote office, mostly because I've been using (and loving!) Tom Eastep's Shorewall. This remote office has SBC Ameritech DSL, which uses PPPoE. I used a CoyoteLinux floppy, and everything worked fine. Using Bering, though, I fail to connect to the DSL.

I assume you use pppoe as described in the installation guide.

> I read this message in the archives:
> http://www.mail-archive.com/leaf-user@lists.sourceforge.net/msg07764.html
> which seems like my problem, as evidenced by these lines from the syslog:

The message Couldn't increase MTU or MRU to 1500 has no effect on your ability to connect. There seems to be a problem with the login sequence. Comments inline

> Sep 20 16:57:41 firewall pppd[12169]: Plugin /usr/lib/pppd/pppoe.so loaded.
> Sep 20 16:57:41 firewall pppd[12169]: PPPoE Plugin Initialized
> Sep 20 16:57:41 firewall pppd[30223]: pppd 2.4.1 started by root, uid 0

OK

> Sep 20 16:57:42 firewall pppd[30223]: Serial connection established.

This is a rather strange message for me. Try to comment out all pty *

> Sep 20 16:57:42 firewall pppd[30223]: Couldn't get channel number: Input/output error
> Sep 20 16:57:42 firewall pppd[30223]: ioctl(PPPIOCGFLAGS): Bad file descriptor
> Sep 20 16:57:42 firewall pppd[30223]: Exit.
> Sep 20 16:57:43 firewall pppd[17649]: Connection terminated.
> Sep 20 16:57:43 firewall pppd[17649]: Doing disconnect

Now your computer tries again.
> Sep 20 16:58:13 firewall pppd[17649]: Sending PADI
> Sep 20 16:58:13 firewall pppd[17649]: HOST_UNIQ successful match

User name in options and pap-secrets match

> Sep 20 16:58:13 firewall pppd[17649]: HOST_UNIQ successful match
> Sep 20 16:58:13 firewall pppd[17649]: Got connection: 1614
> Sep 20 16:58:13 firewall pppd[17649]: Connecting PPPoE socket: 00:10:67:00:1c:25 1416 eth0 0x807c260
> Sep 20 16:58:13 firewall pppd[17649]: using channel 2
> Sep 20 16:58:13 firewall pppd[17649]: Using interface ppp0
> Sep 20 16:58:13 firewall pppd[17649]: Connect: ppp0 -- eth0
> Sep 20 16:58:13 firewall pppd[17649]: Couldn't increase MTU to 1500.
> Sep 20 16:58:13 firewall pppd[17649]: Couldn't increase MRU to 1500
> Sep 20 16:58:13 firewall pppd[17649]: Couldn't increase MRU to 1500

Until here everything seems ok

> Sep 20 16:58:13 firewall pppd[17649]: LCP terminated by peer

Now your provider cut the connection.

> Sep 20 16:58:13 firewall pppd[17649]: Couldn't increase MTU to 1500.
> Sep 20 16:58:13 firewall pppd[17649]: Couldn't increase MRU to 1500
> Sep 20 16:58:16 firewall pppd[17649]: Connection terminated.
> Sep 20 16:58:16 firewall pppd[17649]: Doing disconnect
>
> I tried using all three of the pre-configured options in dsl-provider:
>
>     pty pppoe -I eth0 -T 80 -m 1452
>     pty pppoe -I eth0 -T 80
>     pty pppoe -I eth0 -T 80 -m 1412
>
> but none of these worked.

Comment them all out (it works here without all of them).

> Thanks in advance for any suggestions!

1. check your shorewall setting: ppp0 is the external interface (not eth0)

Add the line debug 7 in your dsl pppd options; now you will have additional messages, like (the messages are shortened to stay readable):

    sent [LCP ConfReq id=0x1 magic 0x32bx]
    rcvd [LCP ConfReq id=0xb3 mru 1492 auth pap magic 0xc04y] 00 ...
    sent [LCP ConfAck id=0xb3 mru 1492 auth pap magic 0xc04y]
    rcvd [LCP ConfAck id=0x1 magic 0x32bx] 00 00 00 .
    sent [LCP EchoReq id=0x0 magic=0x32x]

Now follows the authentication request

    sent [PAP AuthReq id=0x1 user=[EMAIL PROTECTED] password=hidden]
    rcvd [LCP EchoRep id=0x0 magic=0xc04yy] 00 00 00 00 00 00 00 00 00 00 00 00
    rcvd [PAP AuthAck id=0x1 ] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

OK your authentication is successful. Notice the change of the protocol: what follows now is the debate about what IP number you will get.

    sent [IPCP ConfReq id=0x1 addr 0.0.0.0]
    rcvd [IPCP ConfReq id=0xf3 addr 11.22.33.44] 00 00 00 00 00 00 00 00 00 00
    sent [IPCP ConfAck id=0xf3 addr 11.22.33.44]

OK you take this IP ;) Now the same happens for the peer's IP.

I hope this will help you to find the cause. Some frequent problems are:

1. including special characters in name and/or password and not putting the name and/or password in quotes ()
2. wrong external interface: eth0 and not ppp0 as it should be
3. automatic dialing of pppd to serial with a file in /etc/ppp, see manual.

Regards
Eric Wolzak
member of the bering crew
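An added Python example (not code from the list or from pppd) that applies the reading of pppd debug traces given in this reply, in the t-dsl reply and in the ISDN reply above: it parses the sent/rcvd frames and reports our ConfRej of the peer's auth option, a TermReq that arrives before authentication succeeded, a missing PPPoE channel, and any of our own ConfReqs that were never answered. The three traces are reconstructed from the logs quoted in those threads, with made-up magic numbers, user name and addresses.

```python
import re

# Frames pppd logs with "debug", e.g. "sent [LCP ConfReq id=0x1 mru 1492 ...]" or
# "rcvd [PAP AuthAck id=0x1 ] 00 00 00" (the trailing hex dump is ignored).
FRAME_RE = re.compile(
    r"pppd\[\d+\]: (?P<dir>sent|rcvd) \[(?P<proto>\w+) (?P<kind>\w+) "
    r"id=(?P<id>0x[0-9a-fA-F]+)\s*(?P<opts>[^\]]*)\]"
)


def parse_frame(line):
    """Return the frame in one pppd log line as a dict, or None for other lines."""
    m = FRAME_RE.search(line)
    if not m:
        return None
    return {"dir": m.group("dir"), "proto": m.group("proto"), "kind": m.group("kind"),
            "id": int(m.group("id"), 16), "opts": m.group("opts").strip()}


def diagnose(log_text):
    """Apply the checks made by hand in the threads and return (severity, message)
    findings; the final loop answers the 'which requests are not confirmed'
    question by listing our ConfReqs that got no ConfAck/ConfNak/ConfRej."""
    findings = []
    authenticated = False
    pending = {}  # (proto, id) of our ConfReqs the peer has not answered
    for line in log_text.splitlines():
        if "Couldn't increase MTU" in line or "Couldn't increase MRU" in line:
            continue  # harmless: pppd asks for 1500, the link settles on mru 1492
        if "Couldn't get channel number" in line:
            findings.append(("error", "no PPPoE channel: problem below PPP (modem, "
                             "cable, provider end) or a stray pty line in the peer file"))
            continue
        f = parse_frame(line)
        if f is None:
            continue
        key = (f["proto"], f["id"])
        if f["dir"] == "sent":
            if f["kind"] == "ConfReq":
                pending[key] = f["opts"]
            elif f["kind"] == "ConfRej" and "auth" in f["opts"]:
                findings.append(("error", "we rejected the peer's '%s' request: check "
                                 "the user option and the matching pap-secrets/"
                                 "chap-secrets entry" % f["opts"]))
        elif f["kind"] in ("ConfAck", "ConfNak", "ConfRej"):
            pending.pop(key, None)  # answered; after a Nak/Rej pppd sends a new ConfReq
        elif f["proto"] == "PAP" and f["kind"] == "AuthAck":
            authenticated = True
            findings.append(("ok", "PAP authentication accepted by the peer"))
        elif f["proto"] == "CHAP" and f["kind"] == "Success":
            authenticated = True
            findings.append(("ok", "CHAP authentication accepted by the peer"))
        elif f["proto"] == "LCP" and f["kind"] == "TermReq" and not authenticated:
            findings.append(("error", "peer terminated the link before authentication "
                             "completed"))
    for (proto, ident), opts in pending.items():
        findings.append(("warn", "our %s ConfReq id=0x%x (%s) was never answered"
                         % (proto, ident, opts)))
    return findings


# Reconstructed from the t-dsl trace above: the peer asks for PAP, we reject it.
TRACE_REJECTED = """\
Jan  6 21:30:08 firewall pppd[4949]: Couldn't increase MRU to 1500
Jan  6 21:30:08 firewall pppd[4949]: sent [LCP ConfReq id=0x1 mru 1492 magic 0x3198d3b9]
Jan  6 21:30:08 firewall pppd[4949]: rcvd [LCP ConfReq id=0xb2 mru 1492 auth pap magic 0x6061cca1] 00 00 00 00
Jan  6 21:30:08 firewall pppd[4949]: sent [LCP ConfRej id=0xb2 auth pap]
Jan  6 21:30:08 firewall pppd[4949]: rcvd [LCP ConfAck id=0x1 mru 1492 magic 0x3198d3b9] 00 00 00 00
Jan  6 21:30:08 firewall pppd[4949]: rcvd [LCP ConfReq id=0xb3 mru 1492 magic 0x6061cca1] 00 00 00 00
Jan  6 21:30:08 firewall pppd[4949]: sent [LCP ConfAck id=0xb3 mru 1492 magic 0x6061cca1]
Jan  6 21:30:08 firewall pppd[4949]: sent [IPCP ConfReq id=0x1 addr 0.0.0.0]
Jan  6 21:30:08 firewall pppd[4949]: rcvd [LCP TermReq id=0xb4] 00 00 00 00
"""

# Constructed healthy session in the shape of the debug 7 trace above; the magic
# numbers, user name and addresses are made up.
TRACE_OK = """\
Sep 20 17:02:00 firewall pppd[17649]: sent [LCP ConfReq id=0x1 mru 1492 magic 0x32b0]
Sep 20 17:02:00 firewall pppd[17649]: rcvd [LCP ConfReq id=0xb3 mru 1492 auth pap magic 0xc040] 00 00
Sep 20 17:02:00 firewall pppd[17649]: sent [LCP ConfAck id=0xb3 mru 1492 auth pap magic 0xc040]
Sep 20 17:02:00 firewall pppd[17649]: rcvd [LCP ConfAck id=0x1 mru 1492 magic 0x32b0] 00 00
Sep 20 17:02:00 firewall pppd[17649]: sent [PAP AuthReq id=0x1 user="someone@example-isp" password=hidden]
Sep 20 17:02:01 firewall pppd[17649]: rcvd [PAP AuthAck id=0x1 ] 00 00
Sep 20 17:02:01 firewall pppd[17649]: sent [IPCP ConfReq id=0x1 addr 0.0.0.0]
Sep 20 17:02:01 firewall pppd[17649]: rcvd [IPCP ConfNak id=0x1 addr 11.22.33.45] 00 00
Sep 20 17:02:01 firewall pppd[17649]: sent [IPCP ConfReq id=0x2 addr 11.22.33.45]
Sep 20 17:02:01 firewall pppd[17649]: rcvd [IPCP ConfAck id=0x2 addr 11.22.33.45] 00 00
"""

# From the "IP changes" thread above: the session dies before LCP even starts.
TRACE_NOCHANNEL = """\
Jan 24 09:33:24 firewall pppd[9920]: Connecting PPPoE socket: 00:90:1a:40:44:2c eth0 0x807c2c8
Jan 24 09:33:24 firewall pppd[9920]: Couldn't get channel number: Transport endpoint is not connected
"""
```

Running diagnose() over TRACE_REJECTED yields the auth ConfRej and the early TermReq as errors plus a warning that the IPCP ConfReq was never answered; TRACE_OK yields only the PAP "ok" finding.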
Re: [leaf-user] Bering-rc3: Weblet says Error for Firewall - yet Weblet says /var/log only used 6%
Hello Jay,

just to clarify things: the Error message in the firewall just indicates that the number of logged Firewall packets is greater than the Error warn level. You can set this in the weblet configuration file. The default settings are

    # Firewall thresholds: deny/reject messages
    WRN_FW=5
    ERR_FW=50

after 5 logged packets the status is warn, after 50 it is error. The log files are rotated once a day and after this the firewall is again in status ok. You can change these settings.

Whether you have to worry about a number of logged packets or not depends on the source and the kind of packets.

> I have, they are all looking at port 53

This could have several reasons; there was a thread for some time about using 53 for loadbalancing. It could also be a wrongly configured computer on the inside.

> > It says: '146 denied or rejected packets'
>
> Yes. but the firewall weblet says error after only 146. I've done port scans before and got this to say 3200 before the weblet said error.

The weblet error level is default 50. The reason you got different values after turning red is: the amount of logged packets is checked when you show the index page. Now if you let your browser stand at this screen, the next time the packets are counted is after the refresh time (oops there is none :( ) or if you press the refresh button on your browser. So if you are portscanning you got 1 packet = green. After some time you reload the page and now the number of packets is over the threshold of 50 (independent from how much; during portscanning there are a lot of packets showing up). I guess I have to include the refresh in the index page ;)

The space on /var/log is not tested yet and has got nothing to do with the firewall level; in the next version it will be checked in the diskspace.

> > BTW, if you are portscanning the firewall from outside, this is normal!
>
> I wasn't at the time, if i do a external portscan, it lasts alot longer (usually around the 3000 mark) before going to error status..
> Confused..
>
> ----- Original Message -----
> From: Luis.F.Correia [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Monday, September 16, 2002 6:07 PM
> Subject: RE: [leaf-user] Bering-rc3: Weblet says Error for Firewall - yet Weblet says /var/log only used 6%
>
> > You should check the /var/log/messages file. You'll find the offending packets. BTW, if you are portscanning the firewall from outside, this is normal! The firewall logs EVERY 'invalid' packet. As you can see from below, It says: '146 denied or rejected packets' That's it!
> >
> > -----Original Message-----
> > From: Jay Langford [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, September 16, 2002 6:49 AM
> > To: [EMAIL PROTECTED]
> > Subject: [leaf-user] Bering-rc3: Weblet says Error for Firewall - yet Weblet says /var/log only used 6%
> >
> > > Hi EveryOne! I've got the following setup: Bering-rc3, shorwall-1.3.7b, *Single Floppy Setup. On the following hardware: P166Mhz, 64MB RAM, 1.44MB Floppy, 64K ISDN Ext. Modem (Serial). I've just got the basic rules as per the setup in the installation guide.
> > >
> > > ** Weblet says the following re: Firewall
> > >
> > >     firewall Firewall Status: error
> > >     You have 146 denied or rejected packets in your recent packet logs.
> > >
> > > I've seen this cranked up as far as 3200 (Note: This was after a series of portscans to check the firewall)
> > >
> > > ** Weblet says the following about my RAM disk.
> > >
> > >     Filesystem  1k-blocks  Used  Available  Use%  Mounted on
> > >     /dev/root        6144  3256       2888   53%  /
> > >     tmpfs           15292     4      15288    0%  /tmp
> > >     tmpfs            2048   124       1924    6%  /var/log
> > >
> > > Does anyone know what i should be checking? or if i should be running over to the wall and unplugging the phone cord? Thanks!!
> > > ~Jay

Eric Wolzak
member of the bering crew
[leaf-user] Webbased configuration
Hallo Ed, Mohan, Erich, Lynn, Brad, Craig and Charles, thanks for your reactions on the Webbased configuration thread. If I may summarize the results:

- we need an optional webbased configuration package.
- this should be modular, so everybody takes the modules he needs; as a base there should be modules for the standard items.
- textbased configuration must still be possible.
- it doesn't have to fit on a floppy based firewall (although, if somebody has this option it would be fine ;) ).
- for a more secure connection, it could be useful to tunnel the webserver.

Requirements from my point of view:
- no major change to the distro necessary.
..
I hope I didn't cut off someone's opinion too much.

A webtool that allows all those requirements is webmin, but the perl package needs 8-9 MB unpacked. Does someone know a miniperl? And the webmin as tar.gz is about 30 MB. The last one can be cut, omitting alternative languages, alternative operating systems and unused servers, but I estimate it will still be about 10 MB. I tested webmin on a PII bering system and it runs acceptably. I don't know how well this functions on my 486 router (not enough ram :( ). Advantage of webmin: there are all kinds of modules. Adaptation is much easier than building from scratch. Disadvantage: memory and CPU.

Alternatively, use the same fields and write the engine in shell script or php using sh-httpd, or a small server (boa, thttpd). Advantage: probably less memory and cpu consuming. Disadvantage: we have to start from zero, and are on our own.
...
I think anyhow this should be a project for a group who wants to contribute.

Regards
Eric Wolzak
member of the Bering Crew.
Re: [leaf-user] telnet to LEAF bering box.
Hello Andrew, list

On Tue, 27 Aug 2002, Meng, Andrew wrote:
Hello, I want to administer the LEAF box using telnet. I have done:
1. In inetd.conf, uncomment in.telnetd.
2. In securetty, add ttyp0 and ttyp1.
But it still does not work (refused connection...). Can anyone shed any light on this?

The following is a part of a new Bering user guide page still under construction; if you ignore the XML, I hope it will help.

Remote Administration with Telnet

I don't want to start a discussion over the security aspects of telnet here. Be aware that telnet is much less secure than ssh, but especially for floppy users with a trusted internal network it might be interesting to use telnet nevertheless.

What do I need:
- in.telnetd.lrp
- lncurses.lrp
Both can be found in http://prdownloads.sourceforge.net/leaf/Oxygen_Mar.2001_pkg_packages.tar.gz of Oxygen. Copy both to the floppy disc and add them to the list of packages to load.

Open up the firewall for telnet from the localnet

Edit the shorewall rules and add:
    ACCEPT loc fw tcp 23

Edit /etc/inetd.conf and uncomment the line:
    telnet stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.telnetd

Allow root to use the virtual console: edit /etc/securetty and add:
    ttyp0
    ttyp1
For each ttypX you get a new console; it could be useful to limit this to one or two.

Back up root, etc and shorewall.

Regards
Eric Wolzak
member of the bering crew
[leaf-user] Re: [Leaf-devel] serial IP of null modem cable?
Hello Joey

I have an old laptop that is running Linux that I'd rather not invest in a PC NIC for, but I do have a null modem serial cable to connect to the LRP box. Is there a way to get an IP over the serial line, similar to using a modem I would think? Or is this something that has not been done? And to take it a step further, how difficult would it be to set up a modem to accept a connect within a Dachstein/LEAF environment?

Yes it is possible, depending on what you want to do:
1. Remote terminal: then you can use the serial line as a connection to a terminal, see http://www.tldp.org/HOWTO/Remote-Serial-Console-HOWTO/index.html. On Charles' pages there is also a howto (more compact ;) ).
2. You want a real IP to do some firewall testing, auditing etc. In that case you run a pppd server on one and a ppp client on the other (in reality these are the same programs :=) ). See http://www.thelinuxreview.com/howto/ppp/index.lxp?lxpwrap=c1768%2ehtm, one link from the PPP howto.

Just something I was thinking of this weekend...
Just something I answered on Monday ;)

Joey Officer
Sales Operations

Eric Wolzak
member of the Bering Crew.
(Fwd) Re: [leaf-user] Bering ipsec question
And one for the list.

Hello Abjin

The problem you have is due to the way the package system handles which files are included. The files are backed up with the package that describes them the most precisely.
1. If in one package list there is /etc/ppp and in the second /etc/ppp/options, then options is backed up in the second. This is correct in your specification.
2. If a file is listed in two different packages then it is NOT backed up. The reason for this is that the package system functions so: it creates a list of all files and deselects the files that are listed in another package's include list according to rule 1.

As your specifications are identical in both ipsec and ipsec509, they are not backed up (gives small files ;) ). If you remove etc/ipsec*, etc/ipsec.conf and etc/ipsec.secrets from one of the two then everything will back up. Now you get the package from cdrom.

Hi, I am trying to configure ipsec. After making changes to the ipsec.conf and ipsec.secrets files I made a backup of ipsec and ipsec509, but when I reboot the system both the .conf and .secrets files go back to the default and all the changes I have made are gone. Backup works fine for all the modules except ipsec and ipsec509.

This is my lrpkg.cnf file:
root:f,etc:f,local:f,modules:f,shorwall:f,ipsec:f,ipsec509:f,mawk,dhcpd:f,dnscache:f,weblet:f,tcpdump,libpcap,ifconfig

I have these entries in /var/lib/lrpkg/ipsec.local and /var/lib/lrpkg/ipsec509.local:
I etc/ipsec*
I etc/ipsec.conf
I etc/ipsec.secrets

Thanks
Abjin

Regards
Eric Wolzak
member of the bering crew

--- End of forwarded message ---
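A small model of the two rules above, added here as an example (it is not lrpkg's code; the "longest covering entry wins" reading of rule 1, the argument format and the package names are assumptions), to predict which package will back up a file and to reproduce Abjin's ipsec/ipsec509 collision:

```shell
#!/bin/sh
# Added example, not code from Bering or lrpkg: a small model of the two backup
# rules described above, to predict which package will back up a file.
# Each PACKAGE:ENTRIES argument is a package name and the comma-separated
# include entries of its .local file (the leading "I " dropped). This argument
# format and the "longest covering entry wins" reading of rule 1 are
# assumptions made for this example.
#
# Rule 1: the file goes to the package whose include entry describes it most
#         precisely (modelled as the longest entry that covers the file).
# Rule 2: if two packages are equally precise, neither backs it up.

lrpkg_backup_owner() {
    file=$1; shift
    best_len=0; best_pkg=''; tie=0
    for spec in "$@"; do
        pkg=${spec%%:*}
        entries=${spec#*:}
        pkg_len=0
        # split the entry list on commas; set -f stops the shell from expanding
        # globs such as etc/ipsec* against the current directory
        old_ifs=$IFS; IFS=','; set -f
        for entry in $entries; do
            IFS=$old_ifs
            # an entry covers the file when it matches it as a glob or exactly
            # (etc/ipsec* vs etc/ipsec.conf) or names a parent directory
            case "$file" in
                $entry|$entry/*) ;;
                *) continue ;;
            esac
            len=${#entry}
            if [ "$len" -gt "$pkg_len" ]; then pkg_len=$len; fi
        done
        IFS=$old_ifs; set +f
        if [ "$pkg_len" -eq 0 ]; then continue; fi   # package does not list the file
        if [ "$pkg_len" -gt "$best_len" ]; then
            best_len=$pkg_len; best_pkg=$pkg; tie=0  # new most precise package
        elif [ "$pkg_len" -eq "$best_len" ]; then
            tie=1                                    # rule 2: equally precise
        fi
    done
    if [ "$tie" -eq 1 ] || [ -z "$best_pkg" ]; then
        echo none
    else
        echo "$best_pkg"
    fi
}

# Abjin's case from the thread, as constructed sample input: both .local files
# carry the same three entries.
IPSEC_ENTRIES='etc/ipsec*,etc/ipsec.conf,etc/ipsec.secrets'
for f in etc/ipsec.conf etc/ipsec.secrets; do
    echo "$f, both packages listing it: $(lrpkg_backup_owner "$f" "ipsec:$IPSEC_ENTRIES" "ipsec509:$IPSEC_ENTRIES")"
    echo "$f, entries removed from ipsec509: $(lrpkg_backup_owner "$f" "ipsec:$IPSEC_ENTRIES" "ipsec509:")"
done
```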
Re: [leaf-user] No screen / Beep at startup
Hello, I don't want to connect a screen to my leaf firewall. Some time ago, I found a script or a command which produced 3 beeps when the firewall had finished booting up... Do you know that command / script? Thanks a lot. Blaise

Hello Blaise

I use beep.lrp (about 3 K); this is an lrp package originally from Oxygen. The binary beep can beep in different durations and frequencies. As I use it to signal interface up and down, it is possible to take for example an ascending frequency for one and a descending one for the other. This is the advantage over a simple echo of character 07, which only allows a different count of beeps.

In Bering a command after interface up/down is already implemented; you only have to take care that beep.lrp is loaded. To hear if your firewall is up, you could edit a file called /etc/shorewall/start; this is executed after shorewall is started. Insert
    beep -f 1200 -n -f 1800 -n -f 600
and you hear a melody. For composers there could be a complete shorewall song ;)

regards
eric wolzak
member of the bering crew
Re: [leaf-user] Backing up .lrp with Bering CD
Hello Craig,

In the backup menu the options provided directly are only the one you are booting or getting packages from. It is however no problem to back up to another medium. To back up for example package 3 to a floppy, do the following in the backup menu:

    d 3
    Set Backup Destination
    1) fd0u1680 msdos
    c) custom destination
    q) quit
    selection: c
    Device [fd0]:

Now you put in the device name without any /dev stuff before. To back up to a 1.44 MB floppy in drive 2 (/dev/fd1u1440):

    Device [fd0]: fd1u1440
    Filesystem : msdos

Now you will return to the backup menu with fd1u1440 as backup device. Something to improve is to take the new medium in the device into the choices (up to me ;) ).

PS: it could be interesting for you to do a partial backup, only writing the configuration files to disk.

Good Luck
Eric Wolzak
member of the bering crew

Hi folks, I notice that I don't have an option to back up packages to a floppy disk from the main menu with my Bering CD. Do I need to modify my isolinux.cfg file and somehow add a /dev/fd0 entry to allow for this, or is there something else I need to do? Below are my isolinux.cfg file entries. Thank you. Craig

    display syslinux.dpy
    timeout 0
    default linux initrd=initrd.lrp init=/linuxrc root=/dev/ram0 boot=/dev/cdrom:iso9660 PKGPATH=/dev/cdrom:iso9660
RE: [leaf-user] Backing up .lrp with Bering CD
Hi Craig, Francois, Jeff and list

To change a destination you have to specify for what package you want a different backup. So d followed by the name or the number of the package. To back up etc you have to put:
    Selection: d 3
Then you will have the destination available.

I mentioned in my previous post that a custom destination is not saved and so it doesn't show up the next time you want to change a destination. I have a fix for this that will be included in the next release: change /usr/bin/lrcfg.back in function SetDest(), line 132. Change

    qt mv $CONFF $CONFB
    sed "${PKGn}s:=.*\$:=-t $FS /dev/$DEV:" $CONFB > $CONFF
    qt rm $CONFB

to

    qt mv $CONFF $CONFB
    sed "${PKGn}s:=.*\$:=-t $FS /dev/$DEV:" $CONFB > $CONFF
    # remember a custom device/filesystem so it is offered next time
    if ! grep -q "$DEV $FS" $LRPKG/pkgpath.disks; then
        echo "$DEV $FS" >> $LRPKG/pkgpath.disks
    fi
    qt rm $CONFB

In text: if the backup device $FS is not yet in the pkgpath disks, then insert it. Back up root.lrp after this change.

Attention: this is only necessary to keep the custom destination also for the next package. Backing up does function already.

Regards
Eric Wolzak
member of the Bering team

Hi folks, I tried backing up .lrp packages from the main lrcfg menu by selecting option d, but unfortunately you get an "Unknown package!" error instead of being able to select your floppy drive. I then recreated another Bering CD with the package path statement in my isolinux.cfg file to look like
    PKGPATH=/dev/cdrom:iso9660,/dev/fd0:msdos
but that doesn't work either. Is there another way to enable your floppy drive as a backup destination option using a bootable CD??? Thank you...have a great week! Craig
Problem 1 3.6.lrp was Re: [leaf-user] How to update Shorewall on Bering
Hello Tom, Korry

I also noticed that the latest.lrp (shorewall 1.3.6) has a changed entry in shorewall.config that could cause problems:
    STATEDIR=/tmp/shorewall
This should probably be
    STATEDIR=/var/lib/shorewall
as it was before. (Tom, am I making a mistake here?)

I had to retry the 1.3.6 version just to be sure it wasn't me. The result is that Shorewall.lrp 1.3.6 will not work on Bering as it is. I searched the mail archives and saw where another user had the same issue some time back. There was speculation but I saw no solution in the thread. I am quite happy with 1.3.3 since I can now use the Dynamic Blacklisting to control my kids' late night surfing. Does the later version offer anything that I should have, such as improved security? Thanks again for a great package.

I absolutely agree with that!

Regards
Eric Wolzak
member of the bering crew
Re: [leaf-user] Sloooow Starting system log daemon: syslogd
Hello Craig, Ray, Jeff and list

Hi folks, whether I use my Bering floppy or my really cool, new bootable Bering CD (yeehaw!), I get this message on boot-up:
    Starting system log daemon: syslogd
and it seems to take a really long time to get beyond it. Is that normal for Bering??? I'd say it takes, maybe, 2 or 3 minutes to get beyond that. What do you think? Thanks!

It means the system has a problem with DNS resolution. DNS requests time out after 3 minutes. I forget now what DNS thingie syslog is doing on startup, but it is some sort of reverse lookup, possibly of the host's own IP address --- you can tell by checking your logs to see what is reported with an IP address instead of FQN. To eliminate the delay, fix the DNS problem. (I'm calling it DNS, but that's not really correct; it's a resolver problem, which can be fixed by a suitable /etc/hosts file as well as by getting DNS working.)

As Ray stated, this is in effect a timeout: the syslog tries to resolve the host name it is running on at startup. You probably have a non-official name for your firewall, so dnscache cannot resolve the name. As soon as you have a correct host entry in /etc/hosts the problem is solved. (The FQDN of your firewall is probably different from firewall.private.network, as is mine ;) )

Regards
Eric Wolzak
member of the bering crew
Re: [leaf-user] Cannot backup network configuration
Hi Abjin

Hi, I created a Bering CD and when I boot the CD after backing up all the configuration changes, I find that my network configuration is not getting saved during backup. I made changes to the network configuration several times, made a backup, and every time when I reboot the network files default to the initial file. These are the files that I load from lrpkg.cfg:
root,etc,local,modules,shorwall,openssl,mawk,ipsec,ipsec509,dhcpd,dnscache,weblet,tcpdump,libpcap

How did you back up, on a floppy? Probably yes. Are you sure that the backed up files are loaded during booting? To test if your etc.lrp is backed up correctly you should do the following:
    mount /dev/fd0u1680 /mnt
if you have a 1680 Kb floppy, or
    mount /dev/fd0u1440 /mnt
if you have a 1440 Kb (normal) floppy. Then
    cp /mnt/etc.lrp /
    cd /
    lrpkg -i etc.lrp
Now check the settings in interfaces etc. If they are now set to the correct value, you have a good backup but a problem with loading the correct package. If etc.lrp doesn't exist, you possibly tried to back up to the cdrom (look at the destination option).

Now look at the lrcfg backup menu after a new boot: what backup device is listed as the backup device for etc? If this is CD then the cdrom is loaded as the only one or as the last one. Did you specify the F or R options in syslinux.cfg? Look at http://leaf.sourceforge.net/devel/jnilo/bubooting.html in section 9.5.

Good Luck
regards
Eric Wolzak
member of the Bering Crew
Re: [leaf-user] isdn help needed
I have an old, never used ISDN modem, 3Com Impact IQ, for FREE. This gets me outa my ISP's router and I can use a Linux router and do my kinda VPN, firewall, dmz, etc. YEAH! But I don't know how.
1) This modem comes with Windows install floppies. Surely that doesn't mean it actually configures the modem?
2) The modem will connect to my serial port. Does that mean my external interface will be ttyS0? Or do I use ppp somehow and my interface is ppp0?
3) How do I connect? For my dialup connection I use wvdial. Are ISDN modems anything like the Hayes command set?
4) BIG Question. My linux is not configured for ISDN. But the ISDN Subsystem part of config seems to be about ISDN card drivers. Do I need to configure in ISDN?
5) The only help on the internet comes from Germany and seems to be about ISDN4.

This information is from ISDN4linux (ISDN for Linux). That is a program used, among others, on the Eigerstein and Bering floppy to control ISDN cards! The program is of no use for you if you use an external modem.

Regards
Eric Wolzak
member of the bering crew
Re: [leaf-user] Bering installation guide for additional modules
Hello Godfired

I have transferred my Bering-rc3 files to a hard disk and it boots up OK. I added more programs to syslinux.cfg but found out that not all were started, and that defeats the whole purpose of booting from the hard disk. Is there any other way to add more programs to syslinux.cfg?

What is the reason that they are not starting? Look at the bootup screen: if they are marked nf, that means they are not found, perhaps a typo. If they are just ignored, then your syslinux.cfg has too many characters. In the last case there is an easy workaround: create a file lrpkg.cfg on your boot media and copy into this file everything that is written after LRP=. So if you have
    LRP=root,etc,ppp..
the content of lrpkg.cfg is
    root,etc,ppp
After booting, all package devices are checked for this file.

regards
Eric Wolzak
member of the bering crew
Re: [leaf-user] Re: re sh-httpd perm Bug
Of course weblet is still doing something I consider wrong -- it's saying the firewall is in red light / ERROR mode just because it has 251 denied or rejected packets. Isn't this the whole point of a firewall, to deny and reject those packets? How is this an ERROR? At worst, it should be at yellow alert.

This depends on what you log and in what environment you are. On some of my internal boxes 251 would be a whole lot :)

You can change the settings for your individual system in
    3) Packages configuration
    Weblet
    2) LRP web page configuration

    # Warning/Error thresholds for the weblet utility
    # Disable checking of any value by setting it to -1
    # Firewall thresholds: deny/reject messages
    WRN_FW=5
    ERR_FW=50

WRN_FW is the number of logged packets after which the color changes to yellow; ERR_FW is the number of logged packets to change to red.

Dan Harkless
[EMAIL PROTECTED]
http://harkless.org/dan/

Eric Wolzak
member of the bering Crew
Re: [leaf-user] What are syslinux.cfg and/or lrpkg.cfg files ???
Hey Erich, I think I now understand (and agree with you) that the purpose of the lrpkg.cfg is to override the CD. But I have not seen ANY documentation on what should be included within it and why. If you know of some instructions, tutorial, etc. I would enjoy seeing it. Thank you.

lrpkg.cfg was created to override the CD or to be able to specify a longer configuration line. In the lrpkg.cfg you write everything you would have written in the syslinux.cfg after LRP=. You can read something about this file in http://leaf.sourceforge.net/devel/jnilo/bubooting.html; look at the booting from CDROM part.

Eric Wolzak
member of the bering Crew

Craig
[leaf-user] re sh-httpd perm Bug
Hello Dan, list

You wrote (answer at the end, sorry, copy and paste :) ):

Dan Harkless [EMAIL PROTECTED] writes:
In any case, doing a leaf-user archive search, it looks like one of the bugs I was going to report (sh-httpd should be in group 4 rather than 10, or it can't read log files after they get cycled) has already been discussed. Since the bug tracking isn't really used, though, it's not really possible to verify that this will be addressed in the successor to 1.0-rc3...

Actually, I just came across this page: http://leaf.sourceforge.net/article.php?sid=43&mode=nested&order=0 which explains that sh-httpd was intentionally changed to GID 10 (which it erroneously calls the wheels group, but that's wheel, singular) in 1.0-rc3 to get weblet to work with the grsecurity-patched kernel. So it would appear that my above-mentioned fix of putting the group back to 4 (adm) isn't valid.

I'm curious why not, though. That's how my copy of Bering is currently running (and I have rebooted since the change), and weblet appears to be working fine. What is it that wasn't working for the authors until the sh-httpd group was changed to wheel?

If it _is_ necessary for sh-httpd to be in wheel, either the log-cycling cron jobs (including the weblet-specific one) will need to be changed to use -g wheel, or they'll need to be changed to use -m 644 instead of -m 640. This would seem to be a reasonable change, as the default (empty) log files that come with Bering are indeed mode 644. They don't get changed to mode 640 until the log cyclers run, and this disjoint seems undesirable.

--
Dan Harkless
[EMAIL PROTECTED]
http://harkless.org/dan/
--

What doesn't function anymore if the group of sh-httpd is adm are parts of the viewsys page: the listing of the modules for example. This was the reason the wheel (not wheels, you are right ;) ) group was used. In the new release of weblet the modification to the cron job assigning the logfiles to -g wheel is already done.

Thanks for your feedback.
Eric Wolzak
member of the bering crew.
Re: [leaf-user] O.K. *how* do I put it? (cgi-question)
Hello Jon

Hi again. So my 'blinder' project is moving along. I got (almost) everything in working order. I still need to do a couple of things before I start cleaning up and move everything into the 'proper' FHS locations. But none of that is really all that complicated. There is one obstacle remaining, however, that I *am* going to need help with.

Using the weblet and some cgi-scripts I can now generate a crontab which includes the original content, and has some entries added that will call the programs to open/close my blinds at designated times. For a number of reasons I decided to generate this file in a temporary location, as opposed to trying to edit /etc/crontab on the fly. It works, and reliably generates the file as it should look. My problem at this stage is getting the generated file inserted into the system. Because of the (very sensible) fact that cgi-scripts may not write to crontab, and setting suid on the script doesn't work either, I'm kind of stumped on how to achieve this.

1. As you are not afraid of security problems you could solve this rather easily by changing the user running the sh-httpd to root. Change the
    www stream tcp nowait sh-httpd /usr/sbin/tcpd /usr/sbin/sh-httpd
to
    www stream tcp nowait root
and restart inetd.
2. Second possibility: create a cron job that looks for an alternative crontab at regular intervals and inserts this alternative one in the main crontab.
3. Make a small C script that reads your alternative file and writes it to crontab. This file can be owned by root, suid 4755. Execute this file from a special page or option in cgi-bin.

Questions: Is there a sensible way to let a cgi-script update crontab? Without opening ridiculous security issues, like hacking sh-httpd to let cgi execute outside of cgi-bin...

Does cron allow for 'sourcing' of additional files from /etc/crontab? (Like adding a
    . /path/to/sh-httpd/writeable/file
to /etc/crontab)

Look above.

Can I have cron look at a (different) crontab that is writeable by sh-httpd?

Yes, see above.

Most of the programming that I've already done is probably full of security issues, as it is, but I don't worry too much about that (yet), as the whole thing is well shielded from the Net. Even so, I'd rather avoid having to open up the system even further. If anyone is curious, there's a dummy version of the form that I built at http://bund.dk/~jon/blinder somewhere. And the function that's my problem is with the Commit Changes button... Never mind the colors/layout, though, I'm *not* a web-programmer ;-P I know this is borderline [OT], but I figure this list is my best bet at getting some useful tips on this. Sorry if I'm being a nuisance, but well...

TIA
Jon Clausen

regards
Eric Wolzak
member of the Bering crew.
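Option 2 from Eric's list, as an added example that is not code from the thread or from Bering: a root-run cron job merges the CGI-generated fragment into the system crontab only after validating every line, so the web server user needs neither root nor write access to /etc/crontab. The paths, the marker comments and the allowed program /usr/local/bin/blinds are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from Bering: option 2 above with a
# validation step. A root cron job runs merge_blinder_crontab at intervals; the
# CGI only writes the fragment file, so sh-httpd never needs root or write
# access to /etc/crontab. Paths, marker comments and the allowed program
# /usr/local/bin/blinds are assumptions made for this example.

BEGIN_MARK='# BEGIN blinder (managed block, do not edit)'
END_MARK='# END blinder'
ALLOWED_CMD='/usr/local/bin/blinds'    # the only program the fragment may schedule

# validate_fragment FILE: succeed only if every non-comment line is a system
# crontab entry (5 time fields, user, command) whose command is the allowed
# program with an optional "up"/"down" argument. Shell metacharacters such as
# ";" or "&&" do not match, so a CGI bug cannot smuggle in other commands.
validate_fragment() {
    frag=$1
    [ -f "$frag" ] || return 1
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;
        esac
        n=$((n + 1))
        printf '%s\n' "$line" | grep -Eq \
            "^([0-9*,/-]+[[:space:]]+){5}[a-z_][a-z0-9_-]*[[:space:]]+${ALLOWED_CMD}( (up|down))?[[:space:]]*$" \
            || return 1
    done < "$frag"
    [ "$n" -gt 0 ]
}

# merge_blinder_crontab MAIN FRAGMENT OUT: write MAIN to OUT with any earlier
# managed block removed and the validated FRAGMENT inserted between the
# markers, so repeated runs replace the block instead of duplicating it.
merge_blinder_crontab() {
    main=$1; frag=$2; out=$3
    validate_fragment "$frag" || return 1
    tmp=$(mktemp) || return 1
    awk -v b="$BEGIN_MARK" -v e="$END_MARK" '
        $0 == b { skip = 1; next }
        $0 == e { skip = 0; next }
        !skip   { print }
    ' "$main" > "$tmp"
    {
        cat "$tmp"
        printf '%s\n' "$BEGIN_MARK"
        grep -Ev '^[[:space:]]*(#|$)' "$frag"
        printf '%s\n' "$END_MARK"
    } > "$out"
    rm -f "$tmp"
}

# Constructed sample input: a minimal /etc/crontab, a fragment as the CGI
# would generate it, and a fragment that must be rejected.
demo_dir=$(mktemp -d)
cat > "$demo_dir/crontab" <<'EOF'
# /etc/crontab (constructed sample)
SHELL=/bin/sh
25 6 * * * root /usr/sbin/logrotate
EOF
cat > "$demo_dir/fragment" <<'EOF'
# generated by the blinder CGI
0 7 * * 1-5 root /usr/local/bin/blinds up
30 21 * * * root /usr/local/bin/blinds down
EOF
cat > "$demo_dir/bad_fragment" <<'EOF'
0 7 * * * root /usr/local/bin/blinds up; /bin/sh
EOF

merge_blinder_crontab "$demo_dir/crontab" "$demo_dir/fragment" "$demo_dir/crontab.new" \
    && cat "$demo_dir/crontab.new"
```

In production the cron entry would call merge_blinder_crontab with the real /etc/crontab as both MAIN and OUT (via a temporary file and an atomic rename), and the fragment directory would be the only place sh-httpd can write.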
Re: [leaf-user] modules needed for pppoe?
Hello Georg

Are these (Bering) modules necessary for pppoe?
ppp_async.o
AFAIK no.
ppp_deflate.o
Could be useful for decompressing.
AFAIK no.
ppp_mppe.o
They don't show up in lsmod.
Correct. They are not loaded in the standard setup.
That's nearly 70KB. Ka-ching!
Uncompressed that is :)

Regards
Eric Wolzak
member of the bering crew
Re: [leaf-user] PPP/PPPoE problems - continued
I assume you use PAP for pppoe? If so then you don't need the provider and ISP login script.

Here are my PPP/PPPoE scripts. Are the settings valid for a dynamically assigned ADSL connection?

Provider file:
    # ISP pppd options file
    # What follows is OK for Compuserve
    # noauth
    debug           # log transaction to /var/log/messages
    /dev/ttyS0      # (ttyS0=com1, ttyS1=com2, ...)
    115200          # baud rate
    modem
    crtscts         # use hardware flow control
    asyncmap 0
    defaultroute    # ppp becomes default route to the internet
    noipdefault
    lock            # don't let other processes besides PPP use the device
    connect "/usr/sbin/chat -v -f /etc/chatscripts/provider"

ISP Login script:
    # ISP login script
    # What follows is OK for Compuserve
    # Adjust to your taste
    ABORT BUSY
    ABORT 'NO CARRIER'
    ABORT VOICE
    ABORT 'NO DIALTONE'
    ABORT 'NO ANSWER'
    '' ATZ
    # ISP telephone number: 124567890
    OK ATDT1234567890
    # CONNECT ''
    Name: CIS
    # With compuserve your_login_account=12345,6789
    ID: your_login_account/go:pppconnect
    Password: your_password

PPP Options file:

Options OK.

    # /etc/ppp/options
    asyncmap 0
    auth
    crtscts
    lock
    hide-password
    modem
    proxyarp
    lcp-echo-interval 30
    lcp-echo-failure 4
    noipx

There is no entry in the CHAP file, but the PAP file contains my username and password.

Here's my config file for PPPoE:

Here there is something different.

    # Configuration file for PPP, using PPP over Ethernet
    # to connect to a DSL provider.
    #
    plugin /usr/lib/pppd/pppoe.so
    #
    # MUST CHANGE: Uncomment the following line, replacing the [EMAIL PROTECTED]
    # by the DSL user name given to you by your DSL provider.
    # (There should be a matching entry in /etc/ppp/pap-secrets with the password.)
    name [EMAIL PROTECTED]
    # Use the pppoe program to send the ppp packets over the Ethernet link
    # This line should work fine if this computer is the only one accessing
    # the Internet through this DSL connection. This is the right line to use
    # for most people.
    pty "pppoe -I eth0 -T 80 -m 1452"

Despite the previous comment this can be left commented out.

    # If the computer connected to the Internet using pppoe is not being used
    # by other computers as a gateway to the Internet, you can try the following
    # line instead, for a small gain in speed:
    #pty "pppoe -I eth0 -T 80"
    # An even more conservative version of the previous line, if things
    # don't work using -m 1452...
    #pty "pppoe -I eth0 -T 80 -m 1412"
    # The following two options should work fine for most DSL users.
    # Assumes that your IP address is allocated dynamically
    # by your DSL provider...
    noipdefault
    # Comment out if you already have the correct default route installed
    defaultroute
    ##
    # Section 2
    #
    # Uncomment if your DSL provider charges by minute connected
    # and you want to use demand-dialing.
    #
    # Disconnect after 300 seconds (5 minutes) of idle time.
    #demand
    #idle 300
    ##
    # Section 3
    #
    # You shouldn't need to change these options...
    hide-password
    lcp-echo-interval 20
    lcp-echo-failure 3
    # Override any connect script that may have been set in /etc/ppp/options.
    connect /bin/true
    noauth
    persist
    mtu 1492

Anyone spot anything wrong here, that would cause my connection to fall over every so often and not get up?

See above, although I am not sure if this is the reason. If it doesn't work try the debug option.

Thanks, Adam.

Regards
Eric Wolzak
Re: [Leaf-devel] Re: [leaf-user] To Bering users: help us to release 1.0
Hello Charles, KP and list

Another point is the handling of /lib/modules. Charles' approach in Dachstein-CD has been an intelligent /etc/modules and load process, with mount/umount commands and CD capability. Eric creates a link and holds the CD mount in /cdmnt. Couldn't decide which way is better... Any feedback from the list on this issue?

I'd just like to point out that the mount/umount commands I provided when processing /etc/modules were intentionally made general purpose enough to support devices *OTHER* than the CD (i.e. hard-disk, flash-disk, etc), and even the possibility of loading modules from multiple devices. I can't comment on Eric's solution, since I'm not familiar with it, but I'd vote for whichever allows the most flexible run-time configuration (even if it's not my solution :-), as long as there are no big space problems (the extra code to process mount commands in /etc/modules was pretty small... I don't know about Eric's solution).

Sorry Charles, I have to look at your code. My idea was to mount the CD or whatever device the modules are on. At boot time a symbolic link is created from /lib/modules/kernelversion to the modules directory on the mounted device. That way programs that load modules dynamically (pcmcia) can find the modules too. Is it possible to create, for example, a script insmod that mounts the device, does the real insmod and unmounts the device again? I wanted to keep the modules that are not used out of memory (saves space). My actual script only loads from CD, but that could and will be changed to mount the device that has got the /modules directory. But I am always in for good (better) ideas.

Regards
Eric Wolzak
member of the bering crew
Re: [leaf-user] Re: Problem with userguide
On Monday 3 June 2002 13:30, J.L. Blom wrote:

Dear sir,

In your latest userguide you wrote for the setup using 2 floppies a syslinux.cfg which doesn't work in my system. The problem is the fact that it looks like you use a CR in line 3:

display syslinux.dpy
timeout 0
default linux initrd=initrd.lrp init=/linuxrc root=/dev/ram0 boot=/dev/fd0u1680:msdos diskwait=yes PKGPATH=/dev/fd0u1680 LRP=root,etc,local,modules,pump,keyboard,shorwall,dnscache,sshd,ipsec,weblet

Another problem I have is that when using the harddrive as disk to download extra packages (I use fetchmail and qmail a.o. on my firewall). This works well, but when I try to backup the packages lrcfg can only look at the directory /mnt where the floppy disk is mounted. I hope you can help me out.

Mount your hard disk at another point (e.g. /disk). Why don't you use

PKGPATH=/dev/fd0u1680:msdos,/dev/hda1:msdos

I assume that your harddisk is hda1; then your packages will be loaded automatically from the harddisk. In that case both options, harddisk and floppy, will be presented to choose from for a backup. PS: with backups the mounting point is /var/lib/lrpkg/mnt.

As I like the Bering firewall extremely well, as it is the only one working with IP-tables. It is regularly checked by a security investigator from IBM who assures me that the firewall is completely closed. Moreover, I use it on an old Pentium system where the longest run was 2 months (I restart regularly to update the firewall) without any problem. I previously used Windows (!!) with Winroute which crashed approx. once a week (the system was only used as a firewall mailserver!).

Good to hear :)

Sincerely yours
J.L. Blom
[EMAIL PROTECTED]

Greetings to the Netherlands.
Eric Wolzak
member of the bering crew.
Re: [leaf-user] bering weblet
Hi Kim, hi all,

I am playing around with the weblet found in bering, and noticed that the firewall rules are displayed by displaying a firewall file in /var/sh-www/data. Now I wonder which process is responsible for putting that file there?

This is done by /etc/shorewall/start. This file is called by shorewall after the firewall is up.

I want to make some minor adjustments like adding line numbers. I am also troubleshooting a little because the values for packets/bytes look extremely low; most of them stay just 0.

The reason I used this setup was that weblet runs as a non-privileged user and an iptables command can only be issued as root. A variant to let a suid script do it should also be possible. As the firewall doesn't change automatically (unless you use other than the standard scripts), to see the rules this is sufficient. To see the statistics it is of course not that good ;)

Regards
Eric Wolzak
member of the bering crew
Re: [leaf-user] rdate
Hello Joe, List, you wrote

Thanks for the tip about adjusting the lrp.conf to automatically run rdate. This is a very nice feature of bering and it works quite well. I also updated my /etc/localtime file so that my clock would read my local time.

That would be the solution, but what did you put there ;=) Try date: if you've got your local time, then everything is ok. You should get the zoneinfo file from a linux distro, corresponding to your timezone. Copy this about 1Kb large file to e.g. /usr/share/zoneinfo. Make /etc/localtime a symbolic link to /usr/share/zoneinfo. Now date will no longer show 16:21 UTC but 9:21 whatsyourtimezone. The logging is also in localtime. Don't forget to backup root and etc.

I noticed my logs seem to be using UTC for the time stamp. Do you have any information that would allow me to use my local time for logging? Having to subtract 7 hours every time I want to analyze my log file is getting to be a drag.

This is correct.

regards
Eric Wolzak
member of the bering crew.
Re: [leaf-user] rdate
Is there any way to add something to the Bering leaf distribution that will allow the firewall machine to keep proper time?

In: system configuration - master lrp settings - /etc/lrp.conf you will find

# Server that will be contacted via 'rdate' for the time service daily.
# Turning this on also updates the CMOS clock
lrp_DATE_SERVER=put here your public timeserver

Backup etc.lrp. That should be all.

Regards
Eric Wolzak
member of the bering crew.

I use rdate along with cron to keep my other machines in sync with timeservers, but I'm unsure about how to do this with Bering.

-- Joe
Re: [leaf-user] ISDN with 16 lines/modems possible with Bering ?
Hello Francois,

Hi folks and gurus! I have started Bering this week on PPPoE / WANADOO / France Telecom with success! .. But my question is other today: one of my friends wants to have 15/20 ISDN lines/modems to connect external employees to his company's mail server. This server has no other access, no Internet or WAN. CISCO has a router to do that, but is it possible to do with Bering?

I didn't try it out yet, as you have of course some hardware problems: most ISDN cards only allow at most two connections, so you will run out of PCI/ISA slots and interrupts. I used for the ISDN connection the following program: isdn4linux, www.isdn4linux.de. The FAQ is rather extensive; of special interest will be http://www.isdn4linux.de/faq/i4lfaq-5.html#ss5.14 and a few links from this question: http://www.isdn4linux.de/faq/i4lfaq-6.html#config_manycards We limited the number of utilities in the isdn.lrp for reasons of size; if you have a problem please feel free to ask again. Please, if you succeed in accomplishing this task, report back too :)

Eric Wolzak
member of the Bering Crew

Best Regards.
Francois BERGERET
France
[EMAIL PROTECTED]
Re: [leaf-user] Specifying directories in lrpkg.cfg
Hello Kim, all, you wrote

Hi all, I just created my first bering cd and it works like a charm.

Great :=)

Still have a question though: I would like to add quite a few packages to the cd and organize them in subdirectories, so I was wondering if I could specify subdirectories in lrpkg.cfg. In other words, would

root:f,etc:f,modules:f,local:f,subdir/tools/dns-utils:f

work??

Yes and no (more no ;) ). The pkg would be loaded, as this is done by gzip and tar; these programs get the complete path and file name. As long as you don't want to do any configuration or backup it should be ok, but not advisable. The problem however is that you won't find a configuration menu nor the possibility to save your files! The path and file name are stored together as the package name. To show the configuration menu, the directory /var/lib/lrpkg is searched for files with the name <package name>.conf; this is not found as your conf file is named dns-utils.conf and not subdir/tools/dns-utils.conf. At the backup, the backup program tries to find the file subdir/tools/dns-utils.list (which doesn't exist), and the next problem shows up as soon as the program tries to create /tmp/subdir/tools/dns-utils.lrp, which also fails. If there are more people interested in getting this fixed, it could be done, but it would require some rewriting in the backup program and in the initrd (linuxrc), possibly breaking compatibility with other leaf versions.

Regards
Eric Wolzak
member of the Bering Crew

___ Hundreds of nodes, one monster rendering program. Now thats a super model! Visit http://clustering.foundries.sf.net/ leaf-user mailing list: [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
Re: [leaf-user] Bering and MAC match support
Hello Dragon

I am using Bering with Shorewall 1.2.12. I can't seem to use a rule to filter by MAC address. Does the Bering kernel include CONFIG_IP_NF_MATCH_MAC support? Thanks.

Yes, it is included as modular, so you have to load the appropriate modules before it works. You can do that automatically in /etc/shorewall/start or by adding the module to /etc/modules. Get the modules from the modules.tar.gz file in the download area. I think that you need net/ipv4/netfilter/ipt_mac.o. I am not sure if there are some more dependencies, so you would eventually need to load some more modules.

Eric Wolzak
member of the bering crew.

___ Have big pipes? SourceForge.net is looking for download mirrors. We supply the hardware. You get the recognition. Email Us: [EMAIL PROTECTED] leaf-user mailing list: [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
Re: [leaf-user] multiple routing tables
Hello David

I would like to be able to create multiple routing tables for a box with two interfaces for internet access and one for LAN. I am using Dachstein v.1.0.2-1680. Internet interfaces: eth0, eth2. LAN: eth1. I want to make sure that traffic originating from eth0 will go back out eth0 instead of eth2. So to start creating the first routing table I type:

ip rule add from 208.180.95.aaa lookup 1

but it gives me an error: RTNETLINK answer:Invalid argument.

I think you made an error in the syntax. Use table, not lookup 1:

ip rule add from 208.180.95.aaa table 1

ip rule show will give you:

32765: from 208.180.95.aaa lookup x

This is what caused the error.

If I do an ip addr, all NICs are listed with IP addresses. I can ping the internet all day long. I have read the IP howto, but I am not quite getting something. Can someone give me some clues??

(Did you read the advanced routing howto?)

thanks, David

Hope this will help you
Eric Wolzak
Member of the bering crew
http://leaf.sf.net/devel/ericw
http://leaf.sf.net/devel/jnilo/bering
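What the rule in the reply above buys you is easier to see in a model than on a live box. The following is an added example (not code from the thread, from Dachstein or from iproute2) that simulates the policy-routing lookup: rules are walked by priority, the first rule whose "from" selector matches the source address sends the lookup to its table, and a table with no route for the destination is skipped so the walk continues with the next rule; inside a table the longest matching prefix wins. It goes one step beyond the thread by also showing the pitfall of a per-source table that holds only a default route. All addresses are constructed from documentation ranges; the table-1 route is assumed to have been added with "ip route add default ... table 1".

```python
"""Simulation of Linux policy routing (added example; not code from the
thread, Dachstein or iproute2).  It models what "ip rule add from <addr>
table 1" changes: rules are walked in priority order, the first rule whose
"from" selector matches sends the lookup to its table, and a table with no
route for the destination is skipped so the walk continues with the next
rule.  Inside a table the longest matching prefix wins.  All addresses are
constructed from documentation ranges, not the thread's real ones.
"""
from ipaddress import ip_address, ip_network

# Constructed layout: two uplinks (eth0, eth2) and a LAN (eth1).
ETH0_ADDR = ip_address("198.51.100.10")
LAN = ip_network("192.168.1.0/24")

# Routes are (prefix, via, dev).  The main table's default route points
# at eth2, which is why replies sourced from eth0 leave the wrong uplink.
MAIN_TABLE = [
    (ip_network("198.51.100.0/24"), None, "eth0"),
    (ip_network("203.0.113.0/24"), None, "eth2"),
    (LAN, None, "eth1"),
    (ip_network("0.0.0.0/0"), ip_address("203.0.113.1"), "eth2"),
]
# Assumed to come from "ip route add default via 198.51.100.1 dev eth0 table 1".
TABLE_1 = [(ip_network("0.0.0.0/0"), ip_address("198.51.100.1"), "eth0")]

# Rules are (priority, from-selector or None, table name).
RULES_PLAIN = [(32766, None, "main")]
# "ip rule add from 198.51.100.10 table 1" lands just above main at 32765.
RULES_POLICY = [(32765, ip_network("198.51.100.10/32"), "1"),
                (32766, None, "main")]
TABLES = {"main": MAIN_TABLE, "1": TABLE_1}
# Table 1 with the LAN route copied in as well (see the pitfall below).
TABLES_FIXED = {"main": MAIN_TABLE, "1": [(LAN, None, "eth1")] + TABLE_1}


def lookup_table(table, dst):
    """Longest-prefix match inside one table; None when nothing matches."""
    best = None
    for prefix, via, dev in table:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, via, dev)
    return best


def route(rules, tables, src, dst):
    """Return (table, dev, via) for a packet, walking rules by priority."""
    for prio, selector, name in sorted(rules, key=lambda r: r[0]):
        if selector is not None and src not in selector:
            continue
        hit = lookup_table(tables[name], dst)
        if hit is not None:        # a table without a matching route falls through
            return name, hit[2], hit[1]
    return None


if __name__ == "__main__":
    internet = ip_address("192.0.2.7")
    lan_host = ip_address("192.168.1.5")
    print("no rule  :", route(RULES_PLAIN, TABLES, ETH0_ADDR, internet))
    print("with rule:", route(RULES_POLICY, TABLES, ETH0_ADDR, internet))
    # Pitfall: table 1 holds only a default route, so traffic from eth0's
    # address to the LAN is also sent out of the uplink.
    print("to LAN   :", route(RULES_POLICY, TABLES, ETH0_ADDR, lan_host))
    print("fixed    :", route(RULES_POLICY, TABLES_FIXED, ETH0_ADDR, lan_host))
```

The last two lines are the part worth keeping in mind when copying the one-line fix from the reply: once a source address is steered into its own table, that table needs the connected and LAN routes too, or the matching rule must be ordered so that local destinations are resolved first.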
Re: [leaf-user] Bering bootable cd (Help)
Hello Kim

I am trying to create a bering bootable cd, but can't quite get it to work. I must admit that I created my own kernel, which probably doesn't make life easier. I created the initrd.lrp myself and have done everything in the users manual to create the cd. So far I managed to get the cd to boot, but I am still having two problems. When loading the ide-probe-mod module I get a message stating that ide0 ide1 are already busy and that probe is as a result skipped. (This could be because I compiled quite some IDE stuff into the kernel.)

Try to remove or uncomment the modules.

Btw the new kernel was necessary to boot from a flash module from Apacer, which is an IDE drive. At the end of /boot/etc/modules isofs.o is trying to load. I said trying, because it is failing, stating insmod: init_modules isofs.o device or resource busy

Did you use your own created modules, or did you download the modules? (In that case you could have a problem due to the fact that the modules on the bering site are from a patched kernel.)

Afterwards I get the tempfs linuxrc Installing packages: (all my packages are the (nf!) or not found. I get a kernel panic stating that I tried to kill init.

It seems that your cdrom is not recognized; that is the reason the packages are not found.

If I use all the same .lrp files/kernel on the flash module everything runs fine, except for the above mentioned ide-probe isofs problem, which isn't a real concern when booting from the module.

I expect that you included the flash rom IDE support in the kernel itself. After you boot from the ide-rom, can you mount the cdrom, or at least try to insmod the modules from boot/lib one by one and try to mount the cdrom then. Perhaps a conflict between the IDE driver for the cdrom and the disk (master/slave conflict?). Hope I have given you a few hints where you might look for a solution.

Any help greatly appreciated.
Kim

Regards to all
Eric Wolzak
Member of the Bering Crew
http://leaf.sf.net/devel/jnilo/bering
http://leaf.sf.net/devel/ericw
[Leaf-user] Re: bering port forwarding?
Hello Joe

If I understand your drawing correctly you want to forward the request on your external address 207.5.x.y for port 80 (www) to the computer in the internal net with the IP number 192.168.1.200.

In general: the information about port forwarding you can find on the shorewall page, www.shorewall.net, in this case under documentation, rules. Apart from the discussion whether it isn't better to put your webserver in a DMZ ;) you can accomplish this by adding a rule to shorewall rules:

ACCEPT net loc:192.168.1.200 tcp www - 207.5.xx.yy

or if you have an external dynamic address

ACCEPT net loc:192.168.1.200 tcp www - all

Restart shorewall / or reload rules and you should be up. Attention: you can not try it out from the local net by typing in your external address in a browser.

Hello, I recently upgraded my version of LEAF to the current Bering release. I have an internal web server (configured with a static ip). I cannot seem to find any documentation on how to port-forward port 80 to my internal web server. Can you point me anywhere that can help me? Or do you have any suggestions? Your help would be much appreciated. Thanks- Joe [EMAIL PROTECTED]

Eric Wolzak
member of the Bering crew

___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
Re: [Leaf-user] Routing Problem with Dachstien CD and ISDN
Hello Andrew, you wrote.

I have not done much with the dachstein-CD version, but I possibly found a cause. I don't have a dachstein running (using Bering :) ). The main difference between your eigerstein and your dachstein setup seems to be the route.

eigerstein: 139.130.0.0/16 dev ippp0 proto kernel scope link src 139.130.195.30
dachstein: 139.130.195.1 dev ippp0 proto kernel scope link src 139.130.195.30

The interface ippp0 is in eigerstein probably declared as 139.130.0.0/16, so will be the firewall rules connected to this interface. In the dachstein version your firewall rules might be so that the ippp0 is only 139.130.195.1; check that. From the route itself you should be able to route through ippp0 as the default route is directed in this direction. The ippp0_MASKLEN is not set:

eval local MASKLEN=\${$1_MASKLEN:-}

IMHO if you set ippp0_MASKLEN=16 then you should get the same setup as before.

Eric Wolzak
member of the Bering crew

--- original message ---

I have configured a Dachstein CD firewall which I am using at home with a dialup system and it works very well, and now have several deployed around Australia on remote sites for the company I work for. The latter of these units are connected by modem to Bigpond Direct and have proven themselves to be very reliable. My problem occurs when I updated the main office firewall to Dachstein CD. This firewall currently is running Eigerstein with 2 ISDN channels and working very reliably, but I wanted to upgrade to take advantage of the latest security features and additions. On the Eigerstein version, the routes are:

# ip route
203.47.153.64/26 dev eth1 proto kernel scope link src 203.47.153.65
192.168.45.0/24 dev eth0 proto kernel scope link src 192.168.45.1
139.130.0.0/16 dev ippp0 proto kernel scope link src 139.130.195.30
default dev ippp0 scope link

This has been working well.

To get ISDN support for the Dachstein CD version, I found the files where the devices are created and added the appropriate text to the files /var/lib/lrpkg/root.dev.mk, /var/lib/lrpkg/root.dev.mod and /var/lib/lrpkg/root.dev.own, copying the exact text to each file that had been used in the Eigerstein version I am currently running. The interface devices were created in /dev and all appear to run correctly except for the routing when the firewall starts. The routes on this machine are:

# ip route
139.130.195.1 dev ippp0 proto kernel scope link src 139.130.195.30
203.47.153.64/26 dev eth1 proto kernel scope link src 203.47.153.65
192.168.45.0/24 dev eth0 proto kernel scope link src 192.168.45.1
default dev ippp0 scope link

The address 139.130.195.1 is the peer address of the box when connected to the Bigpond Direct point of presence. The additions to the network.conf shown below were typed in exactly as they were in the previous version, so this may be part of the problem if some of the functions act differently in the Dachstein CD version. The firewall, when tested, dialled and connected both channels in multilink configuration to the ISP but is only able to access IP addresses in the 139.130.0.0/16 address range. These are only within our ISP's internal network and therefore do not allow access to the internet at large. Any assistance would be greatly appreciated as I have been tearing my hair out for the last three weeks in my attempt to find the problem myself.

Interfaces:

# Interfaces to start on boot go here - ie ppp0 eth0
# Do NOT include interfaces configured by dhcp!
IF_AUTO="ippp0 eth0 eth1"
# List of all configured interfaces, manual start and boot start
IF_LIST=$IF_AUTO

Device settings:

###
# ISDN Link - the isdn.lrp is required for this to work. (External Interface)
###
ippp0_IPADDR=139.130.195.30 # My IP Address, only set if not dynamic.
ippp0_PTPADDR=139.130.195.1 # Their IP Address, again only if not dynamic.
ippp0_MYMSN=38049800 # My telephone Number
ippp0_REMMSN=30073300 # Their telephone number (The ISP)
ippp0_IP_SPOOF=YES
ippp0_IP_KRNL_LOGMARTIANS=NO
# Simple QOS support, Options are same as ethernet above.
ippp0_FAIRQ=YES
ippp0_TXQLEN=64
ippp0_BNDWIDTH=64kbit # Device Bandwidth
ippp0_HNHL=3 # Queue Handle - must be unique
ippp0_IABURST=25 # Interactive Burst
ippp0_IARATE=30Kbit # Interactive Rate
ippp0_PXMTU=1500 # Physical MTU - includes Link Layer Header
ippp1_IPADDR=139.130.195.30 # My IP Address, only set if not dynamic.
ippp1_PTPADDR=139.130.195.1 # Their IP Address, again only if not dynamic.
ippp1_MYMSN=38049800 # My telephone Number
ippp1_REMMSN=30073300 # Their telephone number (The ISP
Re: [Leaf-user] Making Disk Images
Under Linux use

dd if=/dev/fd0u1680 of=yourfilename

or if you have a 1440 disk

dd if=/dev/fd0 of=yourfilename

Under Windows you can use for example winimage (http://www.winimage.com) to create a binary image from your disk or to write a disk from your image. With this program you can even create a self-installing exe file.

Hello again, I would be very interested in making disk images of my modified LEAF versions. I would like to do this for Linux images and perhaps a windows installer as well. Can anyone point me in the right direction? What tools are available to do so? Thanks, Jason Massey

Eric Wolzak
member of the Bering crew
http://leaf.sf.net/devel/jnilo/bering
Re: [Leaf-user] rdate, udp and Bering
Hello Stephen, Michael

Stephen Lee wrote: On Thu, 2002-03-28 at 12:56, Michael D. Schleif wrote:

Thanks. I installed xntpd.lrp and pointed it to one of the public ntp servers. The problem is that my hardware clock is so far off that it's going to take ntpd a long time to synchronize the local time to the remote ntp server time. I would normally use rdate to do a quick fix, but in this case rdate doesn't work with tock.usno.navy.mil. It, like all of the other rdate servers tried, only accepts udp queries. I suppose if all else fails I could manually set the time with 'date' and 'hwclock'.

Try this: rdate -s ntp0.cornell.edu

I get rdate: ntp0.cornell.edu: Connection refused on Bering boxes, but it works on Eigerstein2b boxes. Could there be some firewall setting causing this problem?

As Tom already stated, it is. rdate uses port 37 and this is denied by default. Change shorewall settings: 1) params FW_TCP_OUT_PORTS=53,37 and restart shorewall (don't forget to backup).

I do not know which `rdate' is in Bering. Dachstein, &c. uses busybox rdate.

Bering also uses Busybox v0.60.2 rdate.

Regarding firewalled ports, have you checked these? ntp 123/tcp Network Time Protocol, ntp 123/udp Network Time Protocol

With me rdate ntp0.cornell.edu functions after the modification I indicated above. The connection refused comes from your own router, not from the timeserver. PS: you are talking about using rdate from the router, not from a linux machine in the internal network? The parameter I talked about before is firewall --- timeserver; otherwise the firewall should not be blocking.

Regards
Eric Wolzak
member of the bering crew ;)
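The reply above rests on one fact: rdate speaks the RFC 868 "time" protocol on TCP port 37, which is why the outbound port has to be opened on the router. As an added example (not code from the thread, from Bering or from busybox rdate) here is a minimal client and decoder for that protocol: the server sends a 4-byte big-endian count of seconds since 1900-01-01 UTC and closes, and the client converts it to a Unix timestamp and computes the skew against the local clock. The sample reply is constructed, not captured from a real server.

```python
"""RFC 868 "time" protocol client and decoder (added example; not code from
the thread, Bering or busybox rdate).  rdate talks to TCP port 37: the
server sends a 32-bit big-endian count of seconds since 1900-01-01 00:00 UTC
and closes.  SAMPLE_REPLY is constructed, not captured from a real server.
"""
import socket
import struct
from datetime import datetime, timezone

SECONDS_1900_TO_1970 = 2208988800        # offset between the two epochs
WRAP_YEAR_2036 = 2 ** 32                 # the 32-bit field wraps in Feb 2036

# Constructed reply encoding 2002-03-28 12:56:00 UTC (Unix 1017320160).
SAMPLE_REPLY = struct.pack("!I", 1017320160 + SECONDS_1900_TO_1970)


def decode_time_reply(payload):
    """Convert a 4-byte RFC 868 reply to a Unix timestamp."""
    if len(payload) != 4:
        raise ValueError("time protocol reply must be 4 bytes, got %d"
                         % len(payload))
    (since_1900,) = struct.unpack("!I", payload)
    if since_1900 < SECONDS_1900_TO_1970:
        raise ValueError("reply predates the Unix epoch (wrapped counter?)")
    return since_1900 - SECONDS_1900_TO_1970


def query_time_server(host, port=37, timeout=5.0):
    """Connect to host:port, read the reply, return a Unix timestamp.

    A 'Connection refused' here can come from a firewall on the path
    (the thread's case) as well as from the server itself."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        data = b""
        while len(data) < 4:             # the reply may arrive in pieces
            chunk = sock.recv(4 - len(data))
            if not chunk:
                break
            data += chunk
    return decode_time_reply(data)


def skew_seconds(remote_unix, local_unix):
    """Positive when the local clock is behind the server."""
    return remote_unix - local_unix


def as_utc(unix):
    """Render a Unix timestamp as an aware UTC datetime."""
    return datetime.fromtimestamp(unix, timezone.utc)


if __name__ == "__main__":
    ts = decode_time_reply(SAMPLE_REPLY)
    print("server says", as_utc(ts).isoformat())
    # A local clock seven hours behind, as in the log-analysis complaint.
    print("skew", skew_seconds(ts, ts - 7 * 3600), "seconds")
```

The function query_time_server is the only network-touching part and is not exercised by the sample; everything else can be checked offline against SAMPLE_REPLY.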
[Leaf-user] Documentation ISDN on Bering
Hello everybody

We have another chapter for our Bering User Guide ready. This describes the use of bering to make a ppp connection with the help of a passive ISDN card. You can find it at http://leaf.sourceforge.net/devel/jnilo/busers04.html Any comments and additions are welcome.

Jacques and Eric
the Bering crew :)
Re: [Leaf-user] Bering with SSH and TinyDNS
Hello Stephen, you wrote

Has anyone managed to make a 1.68M Bering floppy image with SSH and TinyDNS? This was possible under Eigerstein.

It will be very hard. sshd.lrp is about 312K. You can try to remove those modules and packages you do not need. http://leaf.sourceforge.net/devel/jnilo/leaffw01.html#AEN197 tc, ppp, pppoe, keyboard, bridge, dhcpd, pump are potential candidates + remove whatever is unnecessary in /lib/modules.

2nd solution (if you only have a single floppy drive): Make 2 copies of the same Bering floppy. On the first one just keep the following 4 files: syslinux.cfg and dpy, linux, initrd.lrp. Edit the syslinux and add diskwait=yes after PKGPATH=/dev/fd0u1680. On the second one (same format!) just keep whatever other packages you need. You will just keep the *.lrp files here. You have 800K left from the previous operation! You will keep this second diskette in the floppy drive if you need to backup. You generally never need to backup initrd.lrp.

Thanks. Unfortunately most of my routers are only accessible via remote connection, so 2 floppy booting is out of the question.

Alternatively, a rather cheap alternative solution is the use of a second floppy drive. I use this setup with remote access for a bering.

How safe would it be to run a telnet daemon on Bering but only listen on the internal net where a linux box (running ssh) can access it?

(A windows box can too, using e.g. teraterm ssh.) Be careful, this is going to originate a rather religious thread; some on this list like telnet, some don't ;) I would say it depends on how safe your internal network is. If there are more people on your network and you don't trust them completely, it is kind of a risk, as passwords are rather easy to catch. And somebody logging into your router with root permission is kind of scary. They could easily change your firewall etc.

Eric Wolzak
---Bering
Re: [Leaf-user] Switching off LCD backlight on laptop
Hello Christian

Hello, I'm using Bering (great package!) on a Hewlett-Packard Omnibook 3000 I have dedicated to protect my home network. Almost everything is working smoothly except three points:

- I have to start by hand dnscache (/etc/init.d/dnscache start) and I don't know why. No error message in logs, and the link in /etc/rc2.d is present.

- I'm confused with PPP and PPPoE. In fact I want PPPoE to start at boot time but this is PPP (chap) which starts and fails miserably and PPPoE is not launched.

You have to switch off ppp at boot time: leave the file no_ppp_at_boot in /etc/ppp. Change the external interface to ppp0. Uncomment the following lines in interfaces:

# Option 1.3: PPP/PPPOE (modem connected to eth0)
auto ppp0
iface ppp0 inet ppp
    pre-up ip link set eth0 up
    provider dsl-provider

(eth0 is now ppp0.) The pppoe interface will be started at boot time. More precisely (I hope) you can read this in: http://leaf.sourceforge.net/devel/jnilo/busers03.html

- How to switch off the backlight of the LCD screen when the laptop is left unattended for a while? I've set up the BIOS to switch off the screen after 5 minutes. That works, the screen is blanked but the backlight remains on... I know that this light can be switched off, because under KDE/Mandrake with the same laptop it works, but how? It is out of the question to put KDE on Bering :-)

Sorry, cannot help you there; you could look at the source code of the function, this is probably a message to send to a port. But isn't switching the screen off an alternative, FN-F7 (at least on a thinkpad)?

Thanks for your help. And again, this Bering package is really great, all of that on a floppy!

Merci :=)

Christian - Grenoble

Success
Eric Wolzak
Bering
http://leaf.sf.net/devel/jnilo
http://leaf.sf.net/devel/ericw
Re: [Leaf-user] ipchains ?
Hello Antken

I am just messing about on a spare machine with the Dachstein floppy image; I forget which version it is. Anyway, I am struggling with ipchains and how to use it on the command line. So far I know how to list the rules in the chains and how to flush them.

Depending on your setup (masquerading or not), make the first line an accept all, or if you are masquerading e.g.

# ipchains -P forward DENY
# ipchains -A forward -i ppp0 -j MASQ
# echo 1 > /proc/sys/net/ipv4/ip_forward

from the guide below (I use iptables, so I cannot check the rules).

My first question is: how can I change the rules in the current chains to let all traffic in and out? (I know this is dangerous but I am just messing on a test machine.)

Second question: does anyone know of a getting started with ipchains for dummies type guide?

I think this is a rather good start: http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO.html And if you cannot get enough or want to know something about iptables, look at (same author) http://netfilter.samba.org/unreliable-guides/

Third question: how would I go about letting a particular port both in and out, for example port ?

For each part of the firewall, input, forward and output, this rule should have the port specified and allowed. But remember the firewall script is not like routing: it is not the rule that is the most accurate that determines what is done with your packet, but the first rule that matches. So it does not only depend on which rule but also on where it is placed.

Thanks in advance to anyone that replies to this, antken

Sorry that I didn't give you the exact syntax, but I use iptables and making a small mistake would give you more trouble than looking the rule up yourself.

Greetings
Eric Wolzak
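The ordering point in the reply above (first match wins, not the most specific rule) is easy to get wrong and easy to demonstrate. The following is an added example, not code from the thread or from ipchains: a tiny first-match evaluator for a chain, run over two orderings of the same two rules, plus a helper that opens one port in the input, forward and output chains the way the reply describes, inserting at the head so the rule lands before any catch-all DENY. Rules, chains and packets are constructed.

```python
"""First-match evaluation of a packet-filter chain (added example; not code
from the thread or from ipchains).  ipchains walks a chain top to bottom
and the first rule that matches decides; a packet that matches nothing gets
the chain policy.  Rules, chains and packets below are constructed.
"""
from ipaddress import ip_address, ip_network


class Rule:
    """One chain entry; a field left as None matches anything."""

    def __init__(self, target, proto=None, src=None, dport=None, iface=None):
        self.target = target
        self.proto = proto
        self.src = ip_network(src) if src else None
        self.dport = dport
        self.iface = iface

    def matches(self, pkt):
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if self.src is not None and ip_address(pkt["src"]) not in self.src:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        if self.iface is not None and pkt["iface"] != self.iface:
            return False
        return True


def evaluate(chain, policy, pkt):
    """Return (verdict, index of the deciding rule, or None for the policy)."""
    for idx, rule in enumerate(chain):
        if rule.matches(pkt):
            return rule.target, idx
    return policy, None


def build_firewall():
    """Three chains, each ending in a catch-all DENY (a typical last rule)."""
    return {name: [Rule("DENY")] for name in ("input", "forward", "output")}


def open_port(chains, proto, port, at_head=True):
    """Allow one port in every built-in chain, as the reply above describes.

    at_head=True puts the ACCEPT before the catch-all DENY; appending it
    instead leaves it behind the DENY, where it is never reached."""
    for name in ("input", "forward", "output"):
        rule = Rule("ACCEPT", proto=proto, dport=port)
        if at_head:
            chains[name].insert(0, rule)
        else:
            chains[name].append(rule)
    return chains


# Constructed packets.
TELNET_FROM_LAN = {"proto": "tcp", "src": "192.168.1.5", "dport": 23, "iface": "eth1"}
HTTP_FROM_OUTSIDE = {"proto": "tcp", "src": "203.0.113.9", "dport": 80, "iface": "ppp0"}

# The same two rules in two orders: the broad LAN ACCEPT and a telnet DENY.
SPECIFIC_FIRST = [Rule("DENY", proto="tcp", dport=23), Rule("ACCEPT", src="192.168.1.0/24")]
BROAD_FIRST = [Rule("ACCEPT", src="192.168.1.0/24"), Rule("DENY", proto="tcp", dport=23)]


if __name__ == "__main__":
    print("specific first:", evaluate(SPECIFIC_FIRST, "DENY", TELNET_FROM_LAN))
    print("broad first   :", evaluate(BROAD_FIRST, "DENY", TELNET_FROM_LAN))
    fw = open_port(build_firewall(), "tcp", 80)
    print("port 80 in/out:", evaluate(fw["input"], "DENY", HTTP_FROM_OUTSIDE),
          evaluate(fw["output"], "DENY", HTTP_FROM_OUTSIDE))
```

With the telnet DENY listed first the LAN packet is denied at index 0; with the broad ACCEPT first the same packet is accepted at index 0 and the DENY below it is never consulted, which is exactly the "where is it placed" point.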
Re: [Leaf-user] Static routes in Bering
Hi Paul

Hi all, just a quick question: how can I set routes in Bering? I can't seem to find it in the documentation anywhere. I know how to set them using iproute2 but don't know how to save them so they are there on a reboot. In Dachstein it's by adding the ROUTE= command to each interface in network.conf; is there a similar way in Bering?

The routes to the devices you have declared are set automatically by shorewall; for extra routes you can add, after each interface, up followed by the iproute command. I give an example to add route 192.168.3.0/24 and an extra address 192.168.3.245 to eth2. Edit interfaces:

(...)
auto eth2
iface eth2 inet static
    address 192.168.2.254
    masklen 24
    broadcast 192.168.2.255
    # until here normal setup; the following commands are executed
    # as the device comes up
    up ip addr add 192.168.3.245 dev eth2
    up ip route add 192.168.3.0/24 dev eth2
(...)

Backup etc.

Greetings
Eric Wolzak (the bering crew)
http://leaf.sf.net/devel/ericw
http://leaf.sf.net/devel/jnilo

Thanks in advance, Paul
Re: [Leaf-user] bering v1.0-rc1: 8139cp.o: undefined mii_ethtool_sset symbol
Hello Doug, others,

I've downloaded and created a boot floppy with Bering v1.0-rc1. I've got a nic with a RealTek 8139 chip, so I copied and installed the http://leaf.sourceforge.net/devel/jnilo/bering/latest/modules/drivers/net/8139cp.o driver. When booting, it gives me 4 undefined symbols, the first of which is mii_ethtool_sset (the others start with mii_ too). Which module do I need to install to satisfy the linker? I can run Dachstein with the rtl8139.o and pci_scan.o modules with no problems.

This is correct: you need the mii.o before the rtl8139.o and rtl8139too.o, i.e. in /etc/modules:

mii
rtl8139

This is a change with respect to the previous 2.2 kernel versions.

Thanx, Doug.

Eric Wolzak
http://leaf.sf.net/devel/ericw
http://leaf.sf.net/devel/jnilo/bering
[Leaf-user] Bering pppoe guide
Hello all

In our series of cookbooks ;) now officially named user guides for the bering distribution, we have released another section. This describes the connection to a DSL on a PPPoE basis. The difference with the other pppoe versions is the use of the kernel based pppoe module. The url is http://leaf.sourceforge.net/devel/jnilo/busers03.html and the url for the whole book is http://leaf.sourceforge.net/devel/jnilo/busers.html We hope you enjoy it; any reactions are welcome.

the bering crew
Jacques
Eric