Re: [leaf-user] Bering cd without shorewall

2002-08-12 Thread George Georgalis

On Mon, Aug 12, 2002 at 06:55:05PM -0600, Abjin M H wrote:
Hi,

Is it possible to run Bering cd and iptables without shorewall. If possible in which 
file should I write iptables/nat
scripts.


if you put your firewall script in /etc/init.d/
and add a line like this
RCDLINKS='0,K31 1,K31 2,S29 3,S29 4,S29 5,S29 6,K20'
the rc*.d symlinks will be generated automatically
same with your network script, here's how I control 
the interfaces...

down () {
  # flush every address and take every link down, lo included
  d=`ip -o link show | cut -d: -f2`
  for i in $d ; do
    ip addr flush $i
    ip link set $i down
  done
}
up () {
  ip link set lo up
  ip link set eth0 up
  ip link set eth1 up
  ip link set eth2 up
  ip link set eth3 up
  ip addr add 127.0.0.1/8     label lo     dev lo
  ip addr add 11.22.33.44/27  label eth0   dev eth0 # ISP
  ip addr add 192.168.0.1/24  label eth1   dev eth1 # LAN
  ip addr add 10.0.0.1/8      label eth2   dev eth2 # DMZ
  ip addr add 10.0.0.2/8      label eth2:1 dev eth2 # an alias
  ip route add 0/0 via 11.22.33.1  table main
}
case $1 in
  start)
    down
    up
    ;;
  stop)
    down
    ;;
  restart)
    down
    up
    ;;
  *)
    # quote the usage string: an unquoted | is parsed as a pipe
    echo "Usage: $0 {start|stop|restart}"
    exit 1
esac


// George

-- 
GEORGE GEORGALIS, System Admin/Architectcell: 347-451-8229 
Security Services, Web, Mail,mailto:[EMAIL PROTECTED] 
File, Print, DB and DNS Servers.   http://www.galis.org/george 



---
This sf.net email is sponsored by: Dice - The leading online job board
for high-tech professionals. Search and apply for tech jobs today!
http://seeker.dice.com/seeker.epl?rel_code=31

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
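As an added illustration of the RCDLINKS convention described above (this is not LEAF's own installer code): a POSIX sh function that generates the rc*.d symlinks such a line describes, run against a scratch tree so you can confirm which runlevels will start and stop a firewall script before trusting it at boot. The function names and the root-directory argument are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not LEAF's own installer code: create the rc<N>.d symlinks
# that a Bering-style RCDLINKS line describes.  Each token is
# "<runlevel>,<S|K><NN>"; the link is rc<runlevel>.d/<S|K><NN><script>
# pointing at ../init.d/<script>.  Function names and the root-directory
# argument (so it can run against a scratch tree) are this example's own.

# Usage: make_rcd_links ROOT SCRIPT 'RCDLINKS value'
make_rcd_links() {
    root=$1; script=$2; links=$3

    [ -f "$root/etc/init.d/$script" ] || {
        echo "make_rcd_links: $root/etc/init.d/$script not found" >&2
        return 1
    }

    for tok in $links; do
        level=${tok%%,*}
        link=${tok#*,}
        # Validate each token before touching the tree: one runlevel
        # character and an S/K marker with a two-digit sequence number.
        case "$level" in
            [0-6S]) ;;
            *) echo "make_rcd_links: bad runlevel in '$tok'" >&2; return 1 ;;
        esac
        case "$link" in
            [SK][0-9][0-9]) ;;
            *) echo "make_rcd_links: bad link in '$tok'" >&2; return 1 ;;
        esac
        dir=$root/etc/rc$level.d
        mkdir -p "$dir"
        # Drop any stale S/K link for this script at this runlevel so a
        # changed sequence number does not leave two links behind.
        for old in "$dir"/[SK][0-9][0-9]"$script"; do
            [ -L "$old" ] && rm -f "$old"
        done
        ln -s "../init.d/$script" "$dir/$link$script"
    done
}

# Report the runlevels in which SCRIPT is started (has an S link), one per
# line: a quick way to confirm a firewall script really runs at boot.
start_levels() {
    root=$1; script=$2
    for d in "$root"/etc/rc[0-6S].d; do
        [ -d "$d" ] || continue
        for l in "$d"/S[0-9][0-9]"$script"; do
            [ -L "$l" ] || continue
            lvl=${d##*/rc}
            printf '%s\n' "${lvl%.d}"
        done
    done
    return 0
}
```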



Re: [leaf-user] Bering - internet disappears, clues for newbie

2002-07-29 Thread George Georgalis

On Sun, Jul 28, 2002 at 07:46:55PM -0700, Tom Eastep wrote:
On Sun, 28 Jul 2002, George Georgalis wrote:

 
 Do you mean if you reboot it, it works again? Can you dump 
 ipchains -t nat -vnL 
 and
 ipchains -vnL
 
 to the list? Post again if you have trouble with this...
 

George -- the poster is running Bering so dumping ipchains isn't 
relevant.

Yes, well I meant iptables,
iptables -t nat -vnL > zz
iptables -vnL >> zz


Also, it is unlikely that his iptables configuration is spontaneously 
changing itself after it has been running for a while

But it sounds like it's not keeping up with his DHCP lease so I wanted
to see how the rules are.

// George





Re: [leaf-user] Bering - internet disappears, clues for newbie

2002-07-29 Thread George Georgalis

On Sun, Jul 28, 2002 at 11:03:08PM -0400, lbilyeu wrote:
 Can you dump
 ipchains -t nat -vnL
 and
 ipchains -vnL

#
ipchains: not found

Bering1.0 rc3, after a random time period, the internet disappears from 
eth0.
I have to reboot Bering and
power-cycle the cable modem as well.


Yes, per my other response the command should be iptables...

iptables -t nat -vnL > zz
iptables -vnL >> zz

add this too...
ip addr >> zz

Then send/copy the zz file over to the list. I'm thinking your DHCP
lease is changing faster than your firewall rules. It would probably work
fine to turn on anti-spoofing and masq everything from the LAN net to
0/0.

# Turn on reverse path filtering
# Since we don't have any asymmetric routing, we can simply turn on
# anti-spoofing for all interfaces.
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f; done

# masquerade the LAN net out the upstream link (eth0 is the LAN side here, ppp0 the ISP)
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o ppp0 -j MASQUERADE
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -m state --state NEW -j ACCEPT


pump -s  gives me addresses outside of RFC1918 (65.34.x.x), so I don't 
think that is the problem.
The Renewal/expiration for my DHCP lease is for tomorrow.

What logs/dumps should I be examining for Bering rc3 diagnosis?

I haven't looked at pump logs in a while, but I suspect it's changing
the IP when you lose functionality.

// George


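An added example, not George's script and not Bering or Shorewall code: a minimal masquerading rule set for the situation suspected above, a DHCP lease changing under the firewall. MASQUERADE always uses the outgoing interface's current address, so a renewal does not strand the NAT rule the way a fixed SNAT target would; the rules are emitted as text so they can be reviewed without root. Interface names (LAN eth1, WAN eth0) and the LAN net are assumed parameters.

```shell
#!/bin/sh
# Added example, not George's script and not part of Bering or Shorewall:
# a minimal masquerading firewall for a two-interface box whose external
# address comes from DHCP.  The NAT rule uses MASQUERADE, which takes the
# outgoing interface's current address, so a lease renewal that changes the
# address does not leave the rules pointing at a stale one (an explicit
# SNAT --to-source would).  Interface names and the LAN net are parameters;
# the defaults (LAN eth1, WAN eth0, 192.168.0.0/24) are assumptions.

# Print the rule set instead of running it, so it can be reviewed or
# checked without root.  Usage: fw_rules LAN_IF WAN_IF LAN_NET
fw_rules() {
    lan=${1:-eth1}; wan=${2:-eth0}; lannet=${3:-192.168.0.0/24}
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $lan -s $lannet -j ACCEPT
iptables -A INPUT -i $wan -p udp --sport 67 --dport 68 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $lan -o $wan -s $lannet -m state --state NEW -j ACCEPT
iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP "
iptables -t nat -A POSTROUTING -s $lannet -o $wan -j MASQUERADE
EOF
}

# Reverse-path filtering on every interface (no asymmetric routing here).
rp_filter_on() {
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        [ -w "$f" ] && echo 1 > "$f"
    done
    return 0
}

# Apply for real: needs root, enables forwarding, then feeds the rules to sh.
fw_apply() {
    [ "$(id -u)" -eq 0 ] || { echo "fw_apply: run as root" >&2; return 1; }
    rp_filter_on
    echo 1 > /proc/sys/net/ipv4/ip_forward
    fw_rules "$@" | sh -e
}

# Pre-flight check that runs without root: every emitted line must be an
# iptables call, the set must masquerade, and it must not pin the external
# address with --to-source (that is what breaks when the lease changes).
fw_check() {
    rules=$(fw_rules "$@")
    echo "$rules" | grep -v '^iptables ' >/dev/null && return 1
    echo "$rules" | grep -q -- '--to-source' && return 1
    echo "$rules" | grep -q 'MASQUERADE'
}
```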


Re: [leaf-user] Using ifconfig?

2002-07-29 Thread George Georgalis

Try these... (the default is 'show')
ip addr
ip route
ip link
ip help
ip addr help
etc... I know the help is not easy, but it's all there

I bring up my interfaces something like this...

# first bring everything down...
d=`ip -o link show | cut -d: -f2`
for i in $d ; do
ip addr flush $i
ip link set $i down
done

# then bring up each interface like so...
ip link set lo up
ip link set eth0 up
ip addr add 127.0.0.1/8 label lo dev lo
ip addr add 192.168.0.1/24  label eth0  dev eth0
ip route add 0/0 via 12.34.56.78 table main # use your GW

Not sure how to ppp/chat with the ip command.

// George

On Mon, Jul 29, 2002 at 04:18:51PM +0200, Erich Titl wrote:
Craig

IIRC Dachstein by default does not have ifconfig but the iproute2 command 
suite, e.g. you have to use ip.
There is a ifconfig.lrp module at 
http://leaf.sourceforge.net/devel/cstein/Packages/ifconfig.htm

HTH

Erich

At 16:04 29.07.2002, you wrote:
Hi everyone,
How do I, or I should say, WHERE do I run the ifconfig command from???
I've tried just logging in to Dachstein, and changing to the sbin
directory and nothing works. Hmmph, I'm stumped! Thank you, have a great
week.

Craig





THINK
Püntenstrasse 39
8143 Stallikon
mailto:[EMAIL PROTECTED]
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024  8D8A B7D4 FF9D 05B8 0A16








Re: [leaf-user] hwclock error?

2002-07-12 Thread George Georgalis

On Fri, Jul 12, 2002 at 09:30:30AM +0100, [EMAIL PROTECTED] wrote:
The command is just

date hhnn[mmdd][]

where n = minutes

can't remember whether it's ddmm or mmdd I'm  guessing mmdd


# date 09450007122002
date: invalid date `09450007122002'

also tried 
# date 094500071202
# date 094500
# date 0945

no go. The busybox home page was not much help either.

// George


TTFN

Antony Briggs

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of George
Georgalis
Sent: 12 July 2002 01:12
To: [EMAIL PROTECTED]
Subject: [leaf-user] hwclock error?


I tried to set the clock today, but I get this error, I must be looking
at the wrong man page.  Can't find any more doc. How does the syntax
belong? (Bering_rc2, soon to be rc3)
(also tried  hwclock --set --date=1026432127)


# hwclock --set --date='07/11/02 19:59:49'
date: invalid option -- -
BusyBox v0.60.2 (2002.04.04-20:23+) multi-call binary

Usage: date [OPTION]... [+FORMAT]

The date command issued by hwclock returned unexpected results.
The command was:
  date --date=07/11/02 19:59:49 +seconds-into-epoch=%s
The response was:
  
No usable set-to time.  Cannot set clock.



Thanks,
// George





Re: [leaf-user] hwclock error?

2002-07-12 Thread George Georgalis

On Fri, Jul 12, 2002 at 09:17:52AM -0500, Charles Steinkuehler wrote:
 # date 09450007122002
 date: invalid date `09450007122002'

 also tried
 # date 094500071202
 # date 094500
 # date 0945

 no go. The busybox home page was not much help either.

I'm not sure the minimal busybox date command can be used by the hwclock
command.  The normal procedure is to set the system clock using date,
rdate, ntpclient, or whatever, then copy the system time to the CMOS
clock with the hwclock command.  Something like:

tempest: -root-
# rdate time-A.timefreq.bldrdoc.gov
Fri Jul 12 09:07:44 2002

tempest: -root-
# hwclock --systohc --utc

Yes, I routinely use rdate, and there appears to be systohc in the 
shutdown/startup scripts.

I just found date and hwclock and it seemed like the way on lrp.
Thanks for pointing out rdate.

// George






[leaf-user] can't login

2002-07-12 Thread George Georgalis

Hi,

I've been making .lrp's touching rsyncing dding calling remote hands to
swap floppies and reboot *all* day, so please forgive me if I've missed
something obvious.

There doesn't seem to be any /bin/sh in Bering rc3? 
Should /etc/passwd read /bin/tinylogin for root???

Okay, I see there is a /bin/sh in the running filesystem... is it from
initrd.lrp?

but when trying to login with ssh I get this in the logs:

Jul 12 21:20:01 firewall sshd[10380]: Accepted publickey for root from 192.168.2.36 port 58543 ssh2
Jul 12 21:20:02 firewall sshd[10380]: syslogin_perform_logout: logout() returned an error

and this from my remote prompt:

# ssh  fw01.local
login: No such file or directory
Connection to fw01.local closed.


These are the files in my sshd.lrp

# find | sort
.
./etc
./etc/init.d
./etc/init.d/sshd
./etc/ssh
./etc/ssh/sshd_config
./etc/ssh/ssh_host_dsa_key
./etc/ssh/ssh_host_dsa_key.pub
./root
./root/.ssh
./root/.ssh/authorized_keys2
./usr
./usr/bin
./usr/bin/scp
./usr/sbin
./usr/sbin/sshd
./var
./var/lib
./var/lib/lrpkg
./var/lib/lrpkg/sshd.conf
./var/lib/lrpkg/sshd.help
./var/lib/lrpkg/sshd.list
./var/lib/lrpkg/sshd.version

and these are the packages I'm using
etc.lrp ldlinux.sys  linux  log.lrp  root.lrp  syslinux.cfg  tc.lrp
initrd.lrp  libz.lrp local.lrp  modules.lrp  sshd.lrp  syslinux.dpy  weblet.lrp

my syslinux.cfg:

display syslinux.dpy
timeout 0
default linux initrd=initrd.lrp init=/linuxrc root=/dev/ram0 log_size=20M boot=/dev/fd0u1680:msdos PKGPATH=/dev/fd0u1680 LRP=root,etc,local,modules,weblet,libz,sshd,tc


humm, log.lrp is missing from my PKGPATH? Could this be causing the
problem? How?  It doesn't seem to be in the rc3 syslinux.dpy image
either, yet it does work, even on mine.

Ideas? What file is missing? How is Bering built anyway? 
 
Thanks,
// George




[leaf-user] setting up networking...

2002-07-10 Thread George Georgalis

Bering rc2

This is the general procedure I use to bring up networking...  I
understand there is a way to bring up an interface to listen to an
entire subnet, not just an address. Can someone help me with the ip
syntax?

Thanks,
// George



down () {
# flush every address and take every link down, lo included
d=`ip -o link show | cut -d: -f2`
for i in $d ; do
ip addr flush $i
ip link set $i down
done
}

up () {
ip link set lo up
ip link set eth0 up
ip link set eth1 up
ip addr add 127.0.0.1/8     label lo     dev lo
ip addr add 192.168.2.66/24 label eth0   dev eth0
ip addr add 10.1.1.1/8      label eth1   dev eth1
ip route add 127/8 via 127.0.0.1   table main
}

case $1 in
  start)
down
up
;;

  stop)
down
;;

  restart)
down
up
;;

  *)
# quote the usage string: an unquoted | is parsed as a pipe
echo "Usage: /etc/init.d/network.sh {start|stop|restart}"
exit 1
esac
exit 0





Re: [leaf-user] setting up networking...

2002-07-10 Thread George Georgalis

On Wed, Jul 10, 2002 at 07:30:39PM -0700, Tom Eastep wrote:


--On Wednesday, July 10, 2002 21:13:53 -0500 guitarlynn 
[EMAIL PROTECTED] wrote:

 On Wednesday 10 July 2002 20:52, George Georgalis wrote:
 Interesting, but not what I had in mind. I'm using nat for a dmz and
 rather than bring up an each available ip as an alias, I thought
 there was a way to bring up the subnet and let iptables take over
 from there.

 You can set an interface as an entire subnet w/o alias'ing. Your
 interface must have at least one set address for routing to work.
 You seem to be looking at something more along the lines of
 WAN routing.

He may be referring to the MIRROR target -- that code must still be in 
Patch-O-Matic since my 1.2.6a iptables doesn't mention it under man 
iptables. AFAICT though, the MIRROR target only takes care of the NAT 
table stuff -- it doesn't make your external NIC magically start responding 
for an entire subnet.

I think Lynn described exactly what I'm looking for, set up an interface
as an entire subnet and an address in that net for routing. I don't mind
specifying each ip in iptables rules (I'm generating the tables from a
db), but I would like to avoid an alias for each internet ip. Not sure
of the syntax though.

// George






Re: [leaf-user] DNS problem

2002-07-05 Thread George Georgalis

On Thu, Jul 04, 2002 at 08:45:32PM -0700, Alan Silvester wrote:
Hi

I've got my Bering firewall working, but there's a small problem with
DNS lookups.  My ISP's mail and news servers are shawmail and
shawnews.  When I ping these from the firewall, they are resolved to
shawmail.cg.shawcable.net and shawnews.ok.shawcable.net.  However, if I
ping shawmail / shawnews from a LAN computer, I get an unknown host
error (pinging the fqdn works).  How do I get this to work?  I'm running
tinydns (private only) and dnscache on the firewall.


Take a look at your /etc/resolv.conf on the firewall, my guess is you
are using dhcp and the isp is adding search/domain lines along with
the nameservers. Just copy over that file if they are unix boxes on
your lan; if they are windows, I think there is a dialog under network
settings for the info.

// George




[leaf-user] Re: [Leaf-devel] problem with bering host lookups

2002-07-05 Thread George Georgalis

On Thu, Jul 04, 2002 at 10:39:24AM -0700, Ray Olszewski wrote:
As far as I recall -- though Jacques is really the one to answer here -- 
Bering uses the same resolver calls as any standard Linux distro. But if 
you want to try to address the problem at that level, I do suggest you wait 
for Jacques to reply.

I don't really know the low level stuff, just want a user program I can
run. I normally run dig or dnsq/dnsqr or host, but there's no room for
those. What is being used.

But I suspect a more conventional configuration error of some sort. In 
responding before, I had assumed that the LEAF router was supposed to be 
resolving through an external DNS server. You refer here to the LAN 
resolver, though, which suggests that you want it to use a host on one of 
the internal interfaces.

So, if you want to explore this possibility ...

1. What resolver address(es) is the LEAF router trying to use?


DOH! Isn't that what friends are for... resolv.conf listed an internet
resolver. The box has been disconnected from its gateway and my remote
hands are presently unavailable. Explains everything.

Thanks,
// George




Re: [leaf-user] problem with bering host lookups

2002-07-05 Thread George Georgalis

On Thu, Jul 04, 2002 at 02:05:21PM -0500, guitarlynn wrote:
On Thursday 04 July 2002 11:35, George Georgalis wrote:

 ping galis.org just hangs. not sure how else to look up a name, am
  I missing a package? What could be wrong? It does ping ip
  addresses.

The ping works here, so it is safe to say that you are attempting global
DNS and likely to a DMZ DNS server behind your router/firewall from
what I can assume from different pieces of different posts. Are you 
attempting to resolve from this local DNS server or an ISP-based one??/

Yes, the dns cache/server is on a LAN host using another
firewall/gateway.  The problem turns out to have been an incorrect
resolv.conf that I thought I checked, err umm, thought I checked
*first*.


 3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
 link/ether 00:a0:cc:5a:b6:12 brd ff:ff:ff:ff:ff:ff
 inet 192.168.9.66/24 scope global eth0

Hmmm, normally you use eth0 for your ISP connection, not the masq'ed LAN
connection. Do the proper packages know that eth2 is your WAN connection
and not eth0? There are several packages that assume that eth0 is
the WAN connection.

Some time back I learned to bring up secure networks first then
insecure. dhcp can't figure this out so if I'm not on static ISP put the
internet on eth0. I don't think it makes much difference actually, as
long as programs are configured right. I haven't had any other problems
anyway.

 4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
 link/ether 00:a0:cc:d9:21:e0 brd ff:ff:ff:ff:ff:ff
 inet 10.1.1.1/8 scope global eth1
 inet 10.0.0.1/8 scope global secondary eth1:1
 inet 10.0.0.2/8 scope global secondary eth1:2
 inet 10.0.0.3/8 scope global secondary eth1:3
 inet 10.0.0.4/8 scope global secondary eth1:4

OK, this is a DMZ, right? It seems strange that you have a need to alias
interfaces unless you are running multiple web-, ftp-, etc... servers in
DMZ. In any case this is still a rather in-eloquent solution and a
possible source of problems.

yeah, just an artifact of my stock networking scripts. When I set up
apache DMZ vhosts, I like to have them on different IPs, so even if they
are on the same computer now, moving them to another computer will be
easy.

 5: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
 link/ether 00:a0:cc:5b:1c:37 brd ff:ff:ff:ff:ff:ff
 inet 62.81.93.66/26 scope global eth2

OK, this appears to be the default WAN connection. See note with eth0.


 6: eth3: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
 link/ether 00:40:05:41:9d:1d brd ff:ff:ff:ff:ff:ff
 inet 201.13.105.34/27 scope global eth3

This appears to be a secondary WAN connection. I hope you have set up 
static routing for this interface/traffic. What exactly are you doing
with this interface???

In the short term, we are changing ISPs and this box will be catching
both of them for a spell. I might find an excuse to try iproute2 load
balancing. but we won't need it, and the original isp will go away, with
the big plus of then being able to fit a video card in this box X-)

 201.13.105.32/27 dev eth3  proto kernel  scope link  src 201.13.105.34
 62.81.93.64/26 dev eth2  proto kernel  scope link  src 62.81.93.66
 192.168.9.0/24 dev eth0  proto kernel  scope link  src 192.168.9.66
 10.0.0.0/8 dev eth1  proto kernel  scope link  src 10.1.1.1
 127.0.0.0/8 via 127.0.0.1 dev lo
 default via 62.81.93.65 dev eth2

What a routing table!!! I believe you might want to drop one or two
interfaces and get the name-resolution problem fixed before attempting
this complicated of a setup. I will not assume what error you have made
w/o knowing exactly what you have done to attempt this configuration.
I would guess that something is wrong due to using two external
interfaces and the configuration required to do this, OR no route/rules
for the information to get back to (whatever segment your using) from
the DMZ DNS server. This setup leaves us guessing at tons of possible
mis-configuration.

Sorry, I guess an 'internet' resolver got put in resolv.conf while I
was making this image on another network. Since somebody unplugged the
gateway connection, it just wasn't getting a response... even though I
thought it was looking at the LAN resolver.

Thanks for all the help! :-)

// George




Re: [leaf-user] DNS problem

2002-07-05 Thread George Georgalis

On Fri, Jul 05, 2002 at 12:41:57AM -0400, George Georgalis wrote:
On Thu, Jul 04, 2002 at 08:45:32PM -0700, Alan Silvester wrote:
Hi

I've got my Bering firewall working, but there's a small problem with
DNS lookups.  My ISP's mail and news servers are shawmail and
shawnews.  When I ping these from the firewall, they are resolved to
shawmail.cg.shawcable.net and shawnews.ok.shawcable.net.  However, if I
ping shawmail / shawnews from a LAN computer, I get an unknown host
error (pinging the fqdn works).  How do I get this to work?  I'm running
tinydns (private only) and dnscache on the firewall.


Take a look at your /etc/resolv.conf on the firewall, my guess is you
are using dhcp and the isp is adding search/domain lines along with
the nameservers. Just copy over that file if they are unix boxes on
your lan; if they are windows, I think there is a dialog under network
settings for the info.

I forgot to mention, if you are running dhcp, you could add this to your
/etc/dhcpd.conf

option domain-name ok.shawcable.net cg.shawcable.net;

Then dhcp will take care of updating the resolv.conf/win equivalent
files.  I would recommend just using the full path though.

// George





[leaf-user] Re: [Leaf-devel] lrp partition size...

2002-07-05 Thread George Georgalis

Cool, thanks.

// George

On Thu, Jul 04, 2002 at 08:14:27PM +0200, Manfred Schuler wrote:
Hi George,

you can change the size of the file systems by adding
   syst_size=xM
   log_size=xM
   tmp_size=xM
to your syslinux.cfg to change the size of /, /var/log or /tmp to x MB.

Manfred

George Georgalis schrieb:
 
 Just subscribed to this list... but I have been browsing the archives.
 
 I'm working on an lrp image, and I clearly don't have the partitioning
 down right.
 
 # df -h
 Filesystem            Size  Used Available Use% Mounted on
 /dev/root             6.0M  3.4M      2.6M  57% /
 tmpfs                30.7M     0     30.7M   0% /tmp
 tmpfs                 2.0M  2.0M         0 100% /var/log
 
 How does one go about changing them? This is a Bering distro.
 
 Also I noticed the new ssh looks like it can be compiled without zlib,
 saving ~24k.  Anyone more experienced putting that together?
 
 // George
 

-- 
Manfred Schuler
Beerenweg 4
31275 Lehrte
Tel.: (0 51 75) 66 54
Fax:  (07 21) 1 51 22 22 17
E_Mail: mailto:[EMAIL PROTECTED]





[leaf-user] Re: [Leaf-devel] problem with bering host lookups

2002-07-04 Thread George Georgalis

On Thu, Jul 04, 2002 at 07:36:29AM -0700, Ray Olszewski wrote:
At 08:26 AM 7/4/02 -0400, George Georgalis wrote:
I just remembered, my bering distro won't do hostname lookups.

resolv.conf is okay
hosts.allow/deny are okay
the route is okay


How do you know all of these are okay? In particular, have you confirmed 
that you can ping the IP addresses of the resolvers listed in resolv.conf? 
You should confirm that, at least, before looking to more complicated answers.

I know they are okay, because I pretty much know what I'm doing. I'm
new to LRP not Linux. I can ping the LAN resolver, and it does work. I
forgot to mention, I've also checked the iptables rules and they are
okay, verified by no messages in the log.

I also tried adding these to both the lrp and the LAN resolver.

# iptables -I INPUT -p udp --dport 53 -j ACCEPT
# iptables -I INPUT -p udp --dport 53 -j LOG --log-prefix DNS-in 

The LAN resolver logs other host lookups but not the lrp. Likewise, the
lrp logs when I dig it, but no log when I try to ping a hostname, I can
ping the resolver by ip.

ping galis.org just hangs. not sure how else to look up a name, am I
missing a package? What could be wrong? It does ping ip addresses.


If your system passes the above test, try posting the usual diagnostics.

I didn't assign a broadcast address when I brought up the interfaces,
could that be a problem?

Bering V1.0-rc2
Linux fw01 2.4.18 #1 Sun Apr 21 12:50:34 CEST 2002 i586 unknown
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue 
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop 
link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:a0:cc:5a:b6:12 brd ff:ff:ff:ff:ff:ff
inet 192.168.9.66/24 scope global eth0
4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:a0:cc:d9:21:e0 brd ff:ff:ff:ff:ff:ff
inet 10.1.1.1/8 scope global eth1
inet 10.0.0.1/8 scope global secondary eth1:1
inet 10.0.0.2/8 scope global secondary eth1:2
inet 10.0.0.3/8 scope global secondary eth1:3
inet 10.0.0.4/8 scope global secondary eth1:4
5: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:a0:cc:5b:1c:37 brd ff:ff:ff:ff:ff:ff
inet 62.81.93.66/26 scope global eth2
6: eth3: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:40:05:41:9d:1d brd ff:ff:ff:ff:ff:ff
inet 201.13.105.34/27 scope global eth3
201.13.105.32/27 dev eth3  proto kernel  scope link  src 201.13.105.34 
62.81.93.64/26 dev eth2  proto kernel  scope link  src 62.81.93.66 
192.168.9.0/24 dev eth0  proto kernel  scope link  src 192.168.9.66 
10.0.0.0/8 dev eth1  proto kernel  scope link  src 10.1.1.1 
127.0.0.0/8 via 127.0.0.1 dev lo 
default via 62.81.93.65 dev eth2 


Finally, this sort of question belongs on leaf-user, NOT leaf-devel. I've 
moved it in my reply.

Okay by me. I thought I had a development issue. My guess is I've
stripped something that's required for name resolution. So I ask, what
is used for host lookups (the udp/53 call) on lrp?

// George

