Re: [Leaf-user] How to adjust the fw rules to access my ADSL modem

2001-04-20 Thread George Metz

On Sat, 21 Apr 2001, Eyal Lebedinsky wrote:

> The alcatel "speed touch" has a web server on 10.0.0.138. I can do:
>   ifconfig eth0 10.0.0.1 netmask 255.255.255.0
> and then ping it (from the leaf machine). However I cannot do it
> from any other machine on my internal network.
>
> I assume the firewall rules stop the access (the 10.* range is not
> forwarded).
>
> I want to allow explicit access to 10.0.0.138 (and nothing else) and
> still deny any incoming connections.
>
> Anyone done that?

I haven't done that myself, no. However, it should be just a matter of
adding an ACCEPT rule from 10.0.0.138/32 at the beginning of the IPChains
filter list. That should take care of the issue, yet still leave the
default Martian rules in place.

As for syntax, that I'm not too sure on since I'm weak on IPChains.

--
George Metz
Commercial Routing Engineer
[EMAIL PROTECTED]

"We know what deterrence was with 'mutually assured destruction' during
the Cold War. But what is deterrence in information warfare?" -- Brigadier
General Douglas Richardson, USAF, Commander - Space Warfare Center


___
Leaf-user mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-user



Re: [Leaf-user] wanted: lrp with 2.43 and patched iptables

2001-05-04 Thread George Metz

On Fri, 4 May 2001, Mike Noyes wrote:

> George compiled a 2.4.3 kernel with the patch. You can get it at the url
> below. Note: this is still in testing, and is NOT to be considered
> production ready.

Correct. I'm working on getting a 2.4.4 kernel up and running, but I'm
getting issues with autoconf.h for some reason. It's starting to annoy me,
since I've had the issues before, and I was never quite sure what solved
it.

> http://leaf.sourceforge.net/devel/wolfstar/

Please note that the kernel tarball is up to date, but the disk images are
not. That is, the disk images do not have the patched kernel on them, and
you should download the kernel tarball and replace the file "linux" on the
floppy with "kernel.upx" from the kernel tarball.

> >I just configured a pix firewall worth 5000$ and it seems to me that
> >such a disk could do the same.
>
> We're working on it. :)

Aye, we are. Would be nice if we had a free floppy-bootable device that
worked on hardware totalling about $50 that could do the same job as a
Cisco Pix firewall costing a hundred times as much. =)

--
George Metz
Commercial Routing Engineer
[EMAIL PROTECTED]




Re: [Leaf-user] Martians: please, help track this one down ???

2001-10-30 Thread George Metz

On Tue, 30 Oct 2001, Michael D. Schleif wrote:

> > now for the header
> >
> > >   ll header: ff ff ff ff ff ff 00 30 c1 d8 b6 80 08 06
>
> Found it!
>
> Eradicated it!
>
> Thank you, all for quick response . . .

Out of curiosity, what's the manufacturer on that NIC card? I did a search
for the first three at standards.ieee.org and it came up blank, so I'd be
interested in knowing if you've got the info available and easily to hand.

--
George Metz
Commercial Routing Engineer
[EMAIL PROTECTED]




Re: [Leaf-user] Martians: please, help track this one down ???

2001-10-30 Thread George Metz

On Tue, 30 Oct 2001, Michael D. Schleif wrote:

> Yes -- it turns out that mac's beginning with:
>
>   00 30 c1 d8
>
> at least in this case (3 specimens), are HP switches.

Cool, thanks.

--
George Metz
Commercial Routing Engineer
[EMAIL PROTECTED]




Re: [Leaf-user] Martians: please, help track this one down ???

2001-10-30 Thread George Metz

On Tue, 30 Oct 2001, Simon Bolduc wrote:

> Doing a search on http://standards.ieee.org/regauth/oui/index.shtml for just
> the first 3 hex parts of the MAC indicated that it belongs to HP -

Ah! There's the issue. Yeah, put it in with spaces. Never mind, I'm stupid
today. =)

--
George Metz
Commercial Routing Engineer
[EMAIL PROTECTED]




RE: [Leaf-user] Problem with 3c59x.o on Dachstein disk

2002-03-07 Thread George Metz

On Wed, 6 Mar 2002, Boyd Kelly wrote:

> A quick look at the modules for dachstein, oxygen and lrp 2.9.8 don't
> have any 3c90x module available.  I remember finding one somewhere, but
> found that the 3c59x works.  Why does 3com have such a confusing
> numbering system for their products anyways?  905; 509; 59x?.
>
> Cheers and have a good one.
>
> BK

Having just installed Potato 2.2R5 on my workstation, I can say that the
2.2.19 kernels SHOULD support the 905C NICs with the 3c59x.o module. ALL
versions of 2.4.x after around -test7 have been changed so that the 3c59x
will work with it.

Personally, I think that the driver will work fine and the error is
somewhere else. Prior to the fixes to the 3c59x.o driver, it would load
with a 905C, was able to receive packets just fine, and was totally and
completely unable to respond.

Sounds to me like the module isn't the right one for the kernel you've got
running, actually.

--
George Metz
Commercial Routing Engineer
[EMAIL PROTECTED]




Re: [Leaf-user] openssh security hole

2002-03-07 Thread George Metz

On Thu, 7 Mar 2002, Joey Officer wrote:

> I don't know how much this affects LRP/Leaf distributions, but I thought
> that I would at least make mention of it here.  There is a root hole in
> OpenSSH, you can read about it here
>
> http://www.pine.nl/advisories/pine-cert-20020301.txt
>
> I am not sure if the SSH implementations being used by the current LRP
> distros are affected, but I figured it would at least be worth a read.  Also
> check out slashdot.org for more discussion on this.
>
> http://slashdot.org/article.pl?sid=02/03/07/1617211&mode=thread&tid=128

Note that at present, this is a local root hole, with a possibility for it
to be a remote root exploit - think they're still digging on that.

--
George Metz
Commercial Routing Engineer
[EMAIL PROTECTED]




Re: [Leaf-user] OSPF on LEAF?

2002-03-12 Thread George Metz

On Sat, 9 Mar 2002, Andy McLeod wrote:

> Does anyone have any experience of using OSPF on leaf (e.g. with gated or
> zebra) that they would care to share? I am trying to establish a multihomed
> service at my colo facility and the provider is offering OSPF to manage my
> connections to his two routers. He then manages outbound with BGP4.
>
> I am currently planning to use Bering/Shorewall but (a) don't know how this
> would "fit" with OSPF and (b) would love to hear of similar experiences with
> any LEAF release.

Well, since it's been sitting for 3 days without a reply, I'll take a
quick stab at it.

Frankly, OSPF scares me on Ciscos, and they're at least sorta designed for
it. =)

I don't know too much about OSPF in general, but if you do, then from what
I've been told the Zebra implementation is pretty easy for OSPF. I
personally would rather use default route/weighted route methods rather
than OSPF unless there's a pressing need to do so - such as the two
routers mentioned happen to be in totally different locations
topography-wise. Even then, it could be sticky.

Not much help at all, I know, but at least a "we don't know" is better
than no comment.

--
George Metz
Commercial Routing Engineer
[EMAIL PROTECTED]




RE: [Leaf-user] routing more than 1 hop

2002-03-12 Thread George Metz

Wow. I got a headache trying to follow all of those routes. Truly
complicated stuff. Let's dig in!


>  Site 1:  10.10.1.0
>  eth0 10.10.1.40/24
>  eth1 192.168.1.254/24
>
>  Destination  MaskGatewayDev
>  0.0.0.0  0.0.0.0 10.10.1.254eth0  (to internet)
>  10.10.1.0255.255.255.0   10.10.1.40 eth0  (wired interface)
>  10.10.12.0   255.255.255.0   192.168.1.253  eth1  (wireless to site 2)
>  10.10.13.0   255.255.255.0   192.168.1.253  eth1  (wireless to site 2)
>  192.168.1.0  255.255.255.0   192.168.1.254  eth1  (wireless interface)
>  192.168.2.0  255.255.255.0   192.168.1.253  eth1  (wireless to site 2)

As a side note here, you can do some trimming down of routes pretty
thoroughly. For example, the 10.10.12.x and 10.10.13.x can be condensed
into 10.10.12.0 255.255.254.0 with a gateway of 192.168.1.253. Remember,
the router only needs to know how to send to the next hop on the path;
the next hop's job is to determine what to do with it. This is the same
reasoning behind what Matt said regarding using a 0.0.0.0 gateway. With
the subnet you're worried about, there should be some hop in there between
the site's individual router and that destination net that will examine
the destination traffic and send it correctly. Sending stuff straight out
the default gateway should work just fine as long as there's something
between you and the Internet that can catch the traffic and redirect it
(locally).

In the one I pointed out, Site 2 is going to be doing all the work to
determine where the IPs in those two /24s are going to be going. All Site
1 needs to know is how to get it to site two. If whatever has the
10.10.1.254 IP has routes for public IPs that are NOT destined for the
general internet (and any devices it sends to also have those routes)
shoving it out default gateway works.

Now, you stated that the problem seems to be coming from trying to reach
Site 3 from Site 1, yes?

Site 1 sends traffic from - for example - 10.10.1.8 to a host on Site 3 at
10.10.13.20. Assuming 10.10.1.40 is Default Gateway for all hosts on
10.10.1.0/24 except for the 254 host.

10.10.1.8 -> 10.10.1.40 -> 192.168.1.253 -> 10.10.12.253 -> 192.168.2.253
-> 10.10.13.20.

Response would be:

10.10.13.20 -> 10.10.13.254 -> 192.168.2.254 -> 10.10.12.254 ->
192.168.1.254 -> 10.10.1.8


Site 3 appears to be the problem, though without knowing for sure what the
firewalling is doing there I can't say that the firewalling or the routing
is actually the issue here. Check to make sure IP Forwarding is turned on
as was suggested, and if it is, try adding a specific route for
10.10.1.0/24 pointing to 192.168.1.254 on Site 3. There's no real reason
why it SHOULD work, but stranger things have happened before. The default
routes you're using in the later sites should do the job, and indeed do up
until Site 3. It's possible that somewhere, somehow something got altered
by accident routing wise, but it SHOULD show up in the routing tables
(something like a 10.10.13.0 255.255.0.0 would REALLY confuse the
routing...) in at least some form.

This is an interesting problem (for me, at any rate, probably very
frustrating to you) so I'll bang my head on it for a bit and see if I come
up with anything interesting.

--
George Metz
Commercial Routing Engineer
[EMAIL PROTECTED]

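An added example (not from the post or the LEAF project) that models the longest-prefix-match logic behind the advice above: Site 1's table is the one quoted in the post; the /23 condensation, the probe addresses and the Site 3 table (assumed interfaces 10.10.13.254/24 on eth0 and 192.168.2.254/24 on eth1 with a default route back to 192.168.2.253) are assumptions, as is the mis-typed 10.10.13.0 255.255.0.0 route used to show why it would confuse the return path.

```python
# Added example: longest-prefix-match model of the routing tables in the post.
# Site 1's table is copied from the post; Site 3's table is a constructed
# guess consistent with the reply path, not something the post states.
import ipaddress


def make_table(rows):
    """Build a routing table from (destination, netmask, gateway, dev) rows,
    the same four columns as the table quoted in the post. A gateway of
    0.0.0.0 means the destination is directly connected on that device."""
    table = []
    for dest, mask, gw, dev in rows:
        # strict=False masks off host bits, which is what the kernel does with
        # a mis-typed netmask such as 10.10.13.0 255.255.0.0 (-> 10.10.0.0/16).
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        table.append((net, gw, dev))
    return table


def lookup(table, dst):
    """Return (gateway, dev) of the most specific route matching dst,
    or None when no route (not even a default) covers it."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, dev in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    return None if best is None else (best[1], best[2])


# Site 1, exactly as listed in the post.
SITE1 = make_table([
    ("0.0.0.0",     "0.0.0.0",       "10.10.1.254",   "eth0"),
    ("10.10.1.0",   "255.255.255.0", "10.10.1.40",    "eth0"),
    ("10.10.12.0",  "255.255.255.0", "192.168.1.253", "eth1"),
    ("10.10.13.0",  "255.255.255.0", "192.168.1.253", "eth1"),
    ("192.168.1.0", "255.255.255.0", "192.168.1.254", "eth1"),
    ("192.168.2.0", "255.255.255.0", "192.168.1.253", "eth1"),
])

# Site 1 with the two /24s condensed into one /23, as the reply suggests.
SITE1_CONDENSED = make_table([
    ("0.0.0.0",     "0.0.0.0",       "10.10.1.254",   "eth0"),
    ("10.10.1.0",   "255.255.255.0", "10.10.1.40",    "eth0"),
    ("10.10.12.0",  "255.255.254.0", "192.168.1.253", "eth1"),
    ("192.168.1.0", "255.255.255.0", "192.168.1.254", "eth1"),
    ("192.168.2.0", "255.255.255.0", "192.168.1.253", "eth1"),
])

# Constructed probe addresses: inside each /24, at the /23 edge, just past it,
# a local host, a wireless-side address and a public address.
PROBES = ["10.10.12.1", "10.10.12.254", "10.10.13.20", "10.10.13.254",
          "10.10.14.1", "10.10.1.8", "192.168.2.253", "203.0.113.9"]


def condensing_is_safe(original, condensed, probes):
    """True if every probe address gets the same next hop from both tables."""
    return all(lookup(original, p) == lookup(condensed, p) for p in probes)


# Constructed Site 3 router (assumption): 10.10.13.254/24 on eth0,
# 192.168.2.254/24 on eth1, default route back toward Site 2.
SITE3 = make_table([
    ("0.0.0.0",     "0.0.0.0",       "192.168.2.253", "eth1"),
    ("10.10.13.0",  "255.255.255.0", "0.0.0.0",       "eth0"),
    ("192.168.2.0", "255.255.255.0", "0.0.0.0",       "eth1"),
])

# The accidental "10.10.13.0 255.255.0.0" route the reply warns about: it
# becomes 10.10.0.0/16 and swallows Site 1's 10.10.1.0/24, so replies to
# Site 1 hosts are treated as directly connected and never leave Site 3.
SITE3_TYPO = make_table([
    ("0.0.0.0",     "0.0.0.0",       "192.168.2.253", "eth1"),
    ("10.10.13.0",  "255.255.0.0",   "0.0.0.0",       "eth0"),
    ("192.168.2.0", "255.255.255.0", "0.0.0.0",       "eth1"),
])


def reply_next_hop(table, src="10.10.1.8"):
    """Where Site 3's router would send the reply to the Site 1 host src."""
    return lookup(table, src)


if __name__ == "__main__":
    print("Site 1 -> 10.10.13.20:", lookup(SITE1, "10.10.13.20"))
    print("condensing safe:", condensing_is_safe(SITE1, SITE1_CONDENSED, PROBES))
    print("Site 3 reply to 10.10.1.8:", reply_next_hop(SITE3))
    print("with typo route:", reply_next_hop(SITE3_TYPO))
```

Run it with a real `route -n` dump pasted into `make_table` to check whether a route you are about to condense changes any next hop before you touch the live table.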



Re: [Leaf-user] Looking for alternate 3c59x module for 3c905c

2002-03-16 Thread George Metz

On Fri, 15 Mar 2002, Simon Bolduc wrote:

> I've found that using older NICs is generally your best bet if using a
> consumer DSL or Cable connection.  You'll probably never saturate the 10
> Mb/s offered by them and you can avoid all the potential Driver related
> pitfalls (different chipset revisions etc).  At home I'm using 2 old 10 Mb
> NICs that have ports for AUX, BNC, and Cat 5 - and they work wonderfully.
> Unfortunately I've never seen a version of the 3c905 driver from 3com that
> was compiled for LEAF/LRP...

Bering most likely includes it, as I'm posting this from my Windows box to
my server through a 905C. Whether the CX is enough functionally different
that the 2.4 Series 3c59x won't work either is another matter. What I DO
know is that prior to 2.4.1, none of the 3c905C cards were supported by
the 3c59x, and I almost had a conniption fit when I realized that the new
card I had with my brand new system didn't want to run under Linux.

I thought that the 3c59x module was backported from 2.4.x to 2.2.19 and
later, but I can't say for sure.

--
George Metz
Commercial Routing Engineer
[EMAIL PROTECTED]




RE: [Leaf-user] LRP behind Cisco Router, FTP?, DMZ?

2002-03-16 Thread George Metz

On Thu, 14 Mar 2002, Luis.F.Correia wrote:

> I guess you can't do a double NAT.
>
> I've also tried that to no avail...
>
> You must try to get them to configure the Cisco 1720
> as Bridge with at least one public IP on your side.
>
> Then you can use LEAF to do the rest of the job.

Won't happen, not in a million years.

There's dozens of reasons why it won't, but for the most part it boils
down to the fact that they own the Cisco, and if they change that over to
a bridge-mode (not even sure if you CAN do that with a 1720; probably can,
but it'd be messy) then they have absolutely no way to access the router
remotely. This means that they'd have to rely on the end user (someone who
freely admits he doesn't know everything) or a consultant (who REFUSES to
admit that he really knows nothing) for spotty diagnostics. And for that
matter, the end user or consultant would have to console into the 1720 to
get the info needed, which is not precisely easy to do either.

It IS possible to get them to cut a /30 out for use between the Cisco and
the E2B box; whether they'll do it is another story. For the most part,
they probably will but the IPs will incur another charge.

Onward to the problem!

> I have tried to configure the LRP box directly to WWW using the fixed
> address provided to me. I was told it wouldn't work by my ISP (and it
> doesn't) - not sure why??  Assumed FTP won't work because of NAT done by
> the Cisco router.  Any suggestions?

I'm going to take a guess here, as I really can't say for sure. Login to
the LEAF box, and exit to a command prompt. then run 'lsmod' and it should
tell you which modules are loaded. Look and see if there's an entry in the
list that says "ip_masq_ftp" or something to that effect. If there is,
then I'm at a loss. FTP was always a particularly difficult service to
implement on 2.2 series kernels behind NAT, and I never delved into it
specifically.

Also, you don't state whether or not you're trying to set up FTP so that
other people can access FTP from your site, or whether or not you're
having issues reaching FTP sites on the internet. The distinction is
pretty important there. =)

> I would like to add a DMZ and (possibly later VPN) off the LRP
> box.  Winstar said they will reconfigure the Cisco router if I ask them
> (not sure what to ask them though).  Not sure where to start.  Any
> suggestions on setup options?

Most likely what you would be asking them to do is forward a port for FTP
from the Cisco's external IP to the LRP's external IP. (You may in fact
need to do this to solve the first problem as well.) You can then add a
third Network card to the LEAF machine for the DMZ, and set that part up
as you normally would. (Check the FAQs on the LEAF site.)

> Sorry if my terminology/explanation is poor - my occupation has nothing to
> do with computers and I learn by reading only.

Believe me, after having worked support for high-speed internet for two
years, the very fact that you know there's stuff you don't know puts you
ahead of the curve. =)

--
George Metz
Commercial Routing Engineer
[EMAIL PROTECTED]




Re: [leaf-user] 3C905CX Network Card

2005-06-30 Thread George Metz

Your problem is that the 3c905C series cards use the 3c59x.o module, not 
the 3c90x.o one. I've no idea why the architecture was changed that 
drastically with only a single letter to mark the difference, but it 
does, and I used a 905C as a main ethernet card for 3 years on the 3c59x 
module so you shouldn't have any problems with a 3c905CX on that one either.


George

James F wrote:

Yes, ICMP is allowed. When we put 3c905b-tx cards in,
we are able to pass traffic. It's only on that model
that we are having trouble.

--- Robert K Coffman Jr - Info From Data Corporation
<[EMAIL PROTECTED]> wrote:

Did you allow ICMP traffic to originate from your
firewall?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of James F
Sent: Thursday, June 30, 2005 12:00 PM
To: leaf-user@lists.sourceforge.net
Subject: [leaf-user] 3C905CX Network Card


Using these cards with the 3c90 module, the cards are
being detected and come up with no errors. The problem
is that no traffic is coming back across these cards.
When I ping from the LEAF machine and sniff the
traffic, I see arp request being sent by the leaf box
and answered by the other machine. But no icmp packets
are being sent. Any ideas?

Thanks






Re: [leaf-user] multiple static ip address router/firewall

2005-07-13 Thread George Metz

None of the over-the-counter router-in-a-boxes are going to be able to 
handle multiple static IPs, with the possible exception of a Linksys 
that's had its firmware replaced with a Linux-based one from the 
hardware hacking groups.


An entry level Cisco is hideously expensive; I found two on Pricewatch 
for $389 USD from a retailer with truly bad reviews. Last time I looked 
for one (which, admittedly, was a couple of years ago) the same model 
was going for $1500 USD refurbished.


I adore Cisco equipment and the IOS, but it is way too pricey if you're 
not running a major site - and even then, it's questionable. You're 
going to be far better off with Bering uClibc and any kind of hardware 
than you are spending the money a Cisco will cost, especially since most 
of them you'll need to buy a second ethernet card for your external 
interface and actually get a license for IOS.


George


Andrew Nance wrote:

Hi group,
I have been using Bering uClibc for a couple of years now.  It has been rock
solid and great.  My thanks go out to everyone.
I currently use my leaf box with 5 static ip's without any major problems.

But my question to you guys and gals is do you know of an over the counter
firewall/router (like Linksys, D-Link, or Netgear) that can route multiple
public static IP's for a single cable or dsl connection?
If there are no "cheaper" solutions, what would an entry level cisco model
be? 
How would these solutions compare price wise to a WRAP running uClibc?



Thanks in advance,
Andrew





Re: [leaf-user] multiple static ip address router/firewall

2005-07-13 Thread George Metz

Honestly, I'm not up on the specs for the WRAP or Soekris boards, but 
I'd be fairly surprised if they wouldn't serve admirably. I'm currently 
using, of all things, a Microsoft wireless router that normally just 
serves as my AP point (we just moved, and I have to rebuild my LEAF box 
now that I have a connection the old ISA 3Com cards would throttle) and 
I've had a radio stream, 2 connections to World of Warcraft, and about 5 
threads downloading large files without a real problem. Given that the 
thing is probably the most underpowered router-in-a-box I've seen, just 
about anything should work fine for you.


Andrew Nance wrote:

Thanks George,

That's what I was afraid of.  It looks like my options now are to build (or
buy cheap dell ($300 w/ no OS)) computer to handle firewall/routing or go
with the wrap or soekris.
I plan on having multiple video streams going through this router/firewall
nearly 24/7. (i.e. Lots of bandwidth, very few connections) Do you think I
need the extra cpu of a regular computer or will the wrap be able to handle
it?

Thanks,
Andrew


[leaf-user] SF Site down?

2005-09-10 Thread George Metz

Getting the following as a text line when I try and load either 
www.leaf-project.org or leaf.sourceforge.net:


Unable to load database indicated by configuration file.

No errors, just that one line.

Incidentally, whatever's going on, it's been going on long enough that 
the 4th unique result from Google, which is www.leaf-project.org, is 
actually using that as its cache file.


So, does anyone have an idea of what's happening with it?

George




Re: [leaf-user] SF Site down?

2005-09-10 Thread George Metz

Thanks Mike, that would explain it.

George

Mike Noyes wrote:

On Sat, 2005-09-10 at 13:49, George Metz wrote:

Getting the following as a text line when I try and load either 
www.leaf-project.org or leaf.sourceforge.net:


Unable to load database indicated by configuration file.

No errors, just that one line.

Incidentally, whatever's going on, it's been going on long enough that 
the 4th unique result from Google, which is www.leaf-project.org, is 
actually using that as its cache file.


So, does anyone have an idea of what's happening with it?



Everyone,
The SF project database server is overloaded. Hardware is on order.

SF Site Status:
https://sourceforge.net/docman/display_doc.php?group_id=1&docid=2352
( 2005-08-08 10:53:31 - Project Database Service  )   MySQL
database performance has been stabilized as of 2005-08-04.
Additional hardware is expected to be deployed in 2-3 weeks
time. We are continuing to monitor and tune performance in the
mean time. Additional service improvements expected once
additional hardware deployment is completed.

( 2005-06-17 06:24:57 - Project Database Service  )
SourceForge.net staff are aware of ongoing increases in volume
to the project MySQL service. Plans are under way to double
hardware capacity of the project MySQL service; upgrades will be
scheduled and announced here (including any downtime notices).
Projects are encouraged to transition to use of the mysql-LETTER
hostname (replacing LETTER with the first letter of the project
UNIX name), as covered in the Project Web, Shell and Database
Services documentation.






[leaf-user] CRC32.o and Tulip in Bering uClibC

2005-09-14 Thread George Metz

Might I make a suggestion here?

There should be some form of documentation, either in the installation 
doc or on the /etc/modules file, stating that tulip.o for Bering uClibC 
has dependencies within crc32.o. I spent a profitable couple of hours 
banging my head on that issue with 2.3 rc1, eventually rolling to 2.2.3 
to see if that would fix it. It finally dawned on me that the 
'unresolved symbol: crc32_le' message I was getting might actually be 
fixed by adding in crc32.


Just a thought, and I'm not even sure if you guys were aware that this 
was a problem. I'd see if I could submit a corrected /etc/modules file 
that points this out, but I don't have a Linux box up and running yet 
after my latest move, and CVS is a bit beyond my ability to comprehend 
at 3:45am. =)


George




Re: [leaf-user] CRC32.o and Tulip in Bering uClibC

2005-09-14 Thread George Metz

That's odd.

I actually used that page, but it didn't supply the crc32.o without 
being manually told to use it. I double-checked lsmod and tulip is the 
only thing relying on it.


Looks like, checking the modules.dep, that the change occurred between 
2.4.20 from release 2.0 and 2.4.26 from 2.2.0.


Just a heads-up!

George

[EMAIL PROTECTED] wrote:
> Hello George,
>
>> Might I make a suggestion here?
>>
>> There should be some form of documentation, either in the installation
>> doc or on the /etc/modules file, stating that tulip.o for Bering uClibC has
>> dependencies within crc32.o. I spent a profitable couple of hours banging
>> my head on that issue with 2.3 rc1, eventually rolling to 2.2.3 to see if
>> that would fix it. It finally dawned on me that the 'unresolved symbol:
>> crc32_le' message I was getting might actually be fixed by adding in
>> crc32.
>>
>> Just a thought, and I'm not even sure if you guys were aware that this
>> was a problem. I'd see if I could submit a corrected /etc/modules file that
>> points this out, but I don't have a linux box up and running yet after my
>> latest move, and cvs is a bit beyond my ability to comprehend at 3:45am.
>> =)
>
> It's no problem to add that info to the /etc/modules file and we weren't
> aware of the (new?) dependency. But there are numerous other modules, not
> part of the standard modules.lrp package, that depend on other modules and
> we can't list them all. The best advice is to always look at the
> modules.dep file in the modules tarball. I'm not sure if the dependency
> file is mentioned in the documentation, but if it isn't I will add a note.
>
> You can also use the "Build modules online" link, mentioned on the LEAF
> homepage (links to: http://www.ucbering.de/cgi-bin/modules.cgi). By using
> that tool all dependencies are automatically fulfilled.
>
> Eric
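Eric's advice to read modules.dep instead of guessing is easy to automate: walk the dependency list for the modules you want and emit them in an order that puts each dependency (crc32 here) before the module that needs it, which is exactly what /etc/modules has to contain. This is an added example, not Bering's own tooling or anything posted in the thread; the modules.dep text and the /lib/modules/2.4.26/... paths in it are constructed placeholders in the usual 2.4 layout, not the contents of the real tarball.

```bash
#!/bin/bash
# Added example (not from the thread or the Bering project): derive the load
# order for /etc/modules from a 2.4-style modules.dep so that dependencies
# such as crc32 are listed before the module that needs them (tulip here).
# Constructed sample; paths are placeholders, not the real tarball contents.
SAMPLE_MODULES_DEP='/lib/modules/2.4.26/kernel/lib/crc32.o:
/lib/modules/2.4.26/kernel/drivers/net/tulip/tulip.o: /lib/modules/2.4.26/kernel/lib/crc32.o
/lib/modules/2.4.26/kernel/drivers/net/3c59x.o:
/lib/modules/2.4.26/kernel/net/ipv4/netfilter/ip_conntrack.o:
/lib/modules/2.4.26/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o: \
        /lib/modules/2.4.26/kernel/net/ipv4/netfilter/ip_conntrack.o
/lib/modules/2.4.26/kernel/net/ipv4/netfilter/ip_nat_ftp.o: \
        /lib/modules/2.4.26/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o \
        /lib/modules/2.4.26/kernel/net/ipv4/netfilter/ip_conntrack.o'

module_load_order() {
    # module_load_order MODULES_DEP_TEXT module...
    # Prints the requested modules with their dependencies first, each name
    # once; returns non-zero if a module is not listed in modules.dep.
    local deptext="$1"; shift
    printf '%s\n' "$deptext" | awk -v targets="$*" '
        function basename(p,    a, n) { n = split(p, a, "/"); sub(/\.o$/, "", a[n]); return a[n] }
        function visit(m,    n, a, i) {
            if (m in done) return
            if (!(m in deps)) { print "module_load_order: " m " not in modules.dep" > "/dev/stderr"; exit 1 }
            n = split(deps[m], a, " ")
            for (i = 1; i <= n; i++) visit(a[i])   # dependencies before the module itself
            done[m] = 1
            print m
        }
        {
            line = $0
            while (sub(/[ \t]*\\$/, "", line)) {   # join backslash-continued lines
                if ((getline nxt) <= 0) break
                line = line " " nxt
            }
            if (line ~ /^[ \t]*$/) next
            split(line, parts, ":")                 # "<module path>: <dep path> <dep path> ..."
            mod = basename(parts[1])
            n = split(parts[2], d, /[ \t]+/)
            deps[mod] = ""
            for (i = 1; i <= n; i++) if (d[i] != "") deps[mod] = deps[mod] " " basename(d[i])
        }
        END {
            n = split(targets, t, " ")
            for (i = 1; i <= n; i++) visit(t[i])
        }'
}

# Example run: the order to put in /etc/modules for a tulip-based box
module_load_order "$SAMPLE_MODULES_DEP" tulip 3c59x
```

On a real box, feed it the modules.dep from the modules tarball and the names from your current /etc/modules; anything it prints that your /etc/modules lacks is a missing dependency of the 'unresolved symbol' kind described above.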







Re: [leaf-user] CRC32.o and Tulip in Bering uClibC

2005-09-16 Thread George Metz

Ah-HAH!

That would explain it. I did that mostly because it looked like, when I 
was actually doing it the other way, that I'd have to add in all the 
conntrack modules and such, and I'm too lazy to do that. :)


Thanks for a truly excellent CGI script that I dearly enjoy. :)

George

Arne Bernin wrote:
> On Wed, 2005-09-14 at 23:59 -0400, George Metz wrote:
> Hi George!
>
>> That's odd.
>>
>> I actually used that page, but it didn't supply the crc32.o without
>> being manually told to use it. I doublechecked lsmod and tulip is the
>> only thing relying on it.
>
> I suppose you used your old modules file as base for the modules
> generator cgi. In this case, the dependencies are not checked.
> I will fix ASAP.
>
> --arne






Re: [leaf-user] 3Com driver

2006-01-23 Thread George Metz
I can confirm 100% that the 3c59x.o module works with the 3c905C 3Com 
NIC. Said module and NIC are in use as I type this on eth0 on my Bering box.


George

[EMAIL PROTECTED] wrote:
> Eric,
>
> The modules tarball for the kernel 2.4.31 does not include 3c905c. It
> includes 3c501, 503, 505, 507, 509, 515 and 59x. I have however seen some
> sites that mention that the 3c59x supports 3c905c.
>
> Can you kindly confirm that the 3c59x.o is the driver to support 3c905c
> adapter.
>
> Thanks.
>
> Sherif









Re: [leaf-user] Fwd: Cable Modem speeds with Bering-uClibc

2007-02-25 Thread George Metz


Andrew Haninger wrote:
> I don't think I explained the "different IP" well enough. I get
> assigned an IP from a completely different range and also a different
> gateway:
> 
> Slow LEAF box:
> 
> 71.72.x.x/22 dev eth0  proto kernel  scope link  src 71.72.x.x
> default via 71.72.96.1 dev eth0
> 
> 
> Fast WinXP box:
> 
> (From Network Connection Details)
> IP Address: 75.185.x.x
> Subnet Mask: 255.255.252.0
> Default Gateway: 75.185.24.1
> DHCP Server: 65.24.6.194 (How do I get this on LEAF?)
> 
> So the actual network that I'm connecting to is, to me, vastly
> different. It could be that my router is connecting to a very busy or
> poorly-configured network link and my laptop is connecting to a
> less-busy or correctly-configured network.

This is, in fact, irrelevant, just to put your mind at ease. Most cable 
providers take a massive pool of IPs and toss them out there for a 
common pool of DHCP servers. I work for a cable provider in their tech 
support department, and I also live in their territory. If I were to 
take my PC from Connecticut, where I live, and move to central Jersey, 
odds are good that I'd get the exact same IP address, but my speeds 
would be drastically different (because NJ tends to be overcrowded, 
where CT is not). Regardless of which IP address you have, you're still 
going thru the same physical network structure, and the physical 
structure is where the delays are.

This is almost certainly an issue of half vs. full duplex. The only 
reason a hub would cause a problem is if you were using a hub to connect 
the router and the cablemodem. If the cablemodem is directly connected 
to the LEAF box, you should have no collisions at all showing up, 
because the SB4200 is usually capable of 100BaseTX Full Duplex.

Speaking of which, check your provider's top available speeds. More and 
more cable providers are realizing that going to rates higher than 10 
Mbit/sec max gives them a significant advantage over DSL without causing 
much in the way of additional traffic. If you're with one of the 
providers doing 10-15 Mbit/sec, you'll probably want to get rid of the 
venerable old 3c509B and upgrade to something with a 100BaseTX ethernet 
port and PCI slots to run them from. When I moved to my employer's 
territory, I had to do the same thing because my 509Bs wouldn't give me 
the full 10Mbit, and they've since upgraded to 15Mbit. An upgrade to a 
more modern, autosensing card would also solve the issue of collisions 
and duplex mismatches.





Re: [leaf-user] Cable Modem speeds with Bering-uClibc

2007-02-26 Thread George Metz
Andrew Haninger wrote:
> I half understand duplex (don't bother explaining it - I'll look it up
> for myself) but I don't understand how duplex could be negotiated
> improperly?

Any number of things could cause that. My concern is, sometimes 
Motorolas don't handle forced duplex settings well, and sometimes 
half-duplex will make things problematic to begin with.

Example: I have an SB5120. I was testing my father's rather old Wireless 
B Linksys router because he was getting constant network drops on his 
DSL. I hooked it up, and it ran okay, but I saw some of the same drops. 
Upgraded the firmware to the latest and greatest, and suddenly there's a 
dropdown to configure it for 10 or 100, full or half, but no autodetect. 
So, since my downstream is 30Mbit/sec, I set it to 100 Full... and it 
started running like a slug. 100 Half didn't help any either.

So I hooked up my PC to the modem direct, and discovered that the SB5120 
doesn't like forced duplex modes. 100 Full and Half ran like a slug, but 
autodetect would configure for 100 full and it ran like a champ. So, 
it's possible that you've got a similar problem. The difficulty in 
determining that is that it could just be the firmware on my modem that 
caused that, and every cable provider does their own firmware releases.

You can always try connecting the laptop and forcing 10 full and 10 half 
to see if the performance is similar to what you're getting out of the 
LEAF box. If you are, then the problem is that the modem doesn't like 
the forced settings. If not, then it's probably something on either the 
cards or the motherboard.

Out of curiosity, have you tried switching which card is connected 
where? In other words, Eth0 internal and Eth1 external?

> For what it's worth, I've acquired a replacement box that has PCI
> slots in it and I'll set up my LEAF box with 3c905's (10/100) which
> should (hopefully) solve the problem.

Probably will. I myself had switched over to 3c905Cs when I finally got 
rid of the 486 system.

George



Re: [leaf-user] Ok, the Cable Modem discussion has me concerned...

2007-02-26 Thread George Metz
Ken Gentle wrote:
> 4: eth1: mtu 1500 qdisc pfifo_fast qlen 1000
>     link/ether 00:0c:41:e9:34:dd brd ff:ff:ff:ff:ff:ff
>     RX: bytes    packets   errors    dropped  overrun   mcast
>     1152457833   11965659  79        0        0         0
>     TX: bytes    packets   errors    dropped  carrier   collsns
>     0            0         11399780  0        11399778  0
>
> Concerning me is the number of errors on eth1 - I'm wondering if I 
> have similar duplex problems as Bob had.

Nope, that's not a duplex issue. If it were, you'd be getting overruns 
and collisions.

What we've got here is, probably, a bad NIC, bad wire, or bad port on 
the hub, or a bad hub in general. Notice that you've got zero transmit 
packets, but nearly as many transmit errors as you do receive packets. 
I'd try changing the cat 5 and the card, if you've got a spare; probably 
not the hub, or if it is then it's probably just the port itself, so try 
a different port too.

George Metz
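The rule of thumb in the reply above (collisions and overruns point at a speed/duplex problem; zero transmitted packets next to a pile of transmit and carrier errors point at a dead NIC, cable or port) written out as a check over `ip -s link` output. This is an added example, not code from the thread; the first sample is constructed from the counters quoted above with a placeholder MAC from the documentation range, and the other two are made up for comparison.

```bash
#!/bin/bash
# Added example (not from the thread): classify one interface's counters from
#   ip -s link show dev eth1
# the way the reply above does. All three samples are constructed.

# Constructed from the numbers quoted in the thread; placeholder MAC address
SAMPLE_LINK_FAULT='4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:00:5e:00:53:01 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    1152457833 11965659 79      0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    0          0        11399780 0      11399778 0'

# Constructed: a healthy link
SAMPLE_CLEAN='3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:00:5e:00:53:02 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    98765432   123456   0       0       0       12
    TX: bytes  packets  errors  dropped carrier collsns
    87654321   112233   0       0       0       0'

# Constructed: the half/full duplex mismatch signature (collisions, overruns)
SAMPLE_DUPLEX='2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:00:5e:00:53:03 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    55555555   60000    40      0       17      0
    TX: bytes  packets  errors  dropped carrier collsns
    44444444   58000    310     0       0       9120'

link_verdict() {
    # $1: text of `ip -s link show dev X` for one interface.
    # Prints: clean | duplex-mismatch-suspected | link-fault-suspected | errors-present
    printf '%s\n' "$1" | awk '
        /RX: bytes/ { getline; rxp = $2; rxe = $3; rxo = $5; next }
        /TX: bytes/ { getline; txp = $2; txe = $3; txc = $5; txcol = $6; next }
        END {
            if (txcol + 0 > 0 || rxo + 0 > 0)
                print "duplex-mismatch-suspected"   # collisions/overruns: check speed/duplex on both ends
            else if (txp + 0 == 0 && (txe + 0 > 0 || txc + 0 > 0))
                print "link-fault-suspected"        # nothing ever left the wire: NIC, cable or hub/switch port
            else if (rxe + 0 > 0 || txe + 0 > 0)
                print "errors-present"              # some errors, but no clear signature
            else
                print "clean"
        }'
}

# Example run
link_verdict "$SAMPLE_LINK_FAULT"
```

The thresholds are deliberately crude (any collision or overrun at all); on a busy half-duplex hub a handful of collisions is normal, so compare the counters against the packet totals before swapping hardware.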



Re: [leaf-user] Cable Modem speeds with Bering-uClibc

2007-02-27 Thread George Metz


Andrew Haninger wrote:
> On 2/26/07, George Metz <[EMAIL PROTECTED]> wrote:
>> Any number of things could cause that. My concern is, sometimes
>> Motorolas don't handle forced duplex settings well, and sometimes
>> half-duplex will make things problematic to begin with.

> Okay, more of my confusion: Why would setting the duplex on the card
> with the 3Com software be any different from setting it with ethtool?
> Is setting it on the card "cleaner"?

Nope, just me not making myself very clear. :)

Motorola modems seem to, occasionally, have an issue with a connection 
that can't autodetect on the other end. In the example I gave, if I let 
my PC autodetect, it comes up at 100BaseTX full duplex, and everything 
works great. If I force settings to 100BaseTX full duplex, and don't let 
the modem autonegotiate with the PC, it runs like a slug in molasses, 
traveling uphill.

> It has solved the problem, pretty much. Speeds are much, much better and:
> 
> No errors!
> Thanks, everyone! (Sorry for being a pain in the ass.)

Excellent, and no worries, glad you've got good speeds going on. :)

George



Re: [leaf-user] Any experience with eMTA Cable Modems and Bering uClibc?

2007-04-18 Thread George Metz
FYI, this may be something that Comcast doesn't do, but we (Cablevision) 
actually segregate the bandwidth used for the VoIP services completely 
from that of the internet connection, and it was my understanding that 
that is standard practice within the industry. Forex, our service flows 
have individual listings for carrier signal and for the actual phone 
conversation, in addition to the rate shaping being done for the net 
connection.

As far as the NAT/Firewall aspects of the Motorola goes, to my 
knowledge, Comcast never uses them. At least, they didn't when I lived 
in their territory. It's an available option in the modems, but 99% of 
the time cable companies don't want to use them, preferring 1 PC to 1 
Modem connection. We're actually implementing a static IP service in the 
next couple of months, something that the Motorola can also handle, and 
our solution involves a Cisco router instead.

Also, if your co-worker is getting drop-outs on calls, he probably has 
other issues. I've held an hour-long conversation with no hiccups before 
while downloading at 28 Mbit/sec the entire time.

George Metz

Ken Gentle wrote:
> Thanks, Charles.  Comcast Tech support said I could keep my current 
> Surfboard for data and use theirs for the voice.  I thought that was 
> redundant, but I see your point.  One of my co-workers has voice and 
> data on the same modem and he'll occasionally drop out on our phone 
> conversations - it is really annoying.
> 
> Just what I need - another electronic device to plug in... ;-)
> 
> As usual, you've been a big help, Charles.  Sounds like separate 
> modems for voice/data is the way to go.
> 
>  Ken
> 
> At 16:45 2007-04-16, Charles Steinkuehler wrote:
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA1
>>
>> Ken Gentle wrote:
>>> I'm trying to figure out if adding Comcast's Digital Voice service,
>>> which requires me to lease an eMTA modem from them, is going to cause
>>> me any problems with my current network setup.
>>>
>>> Comcast will supply either an Arris Touchstone or Motorola
>>> Surfboard/Voice modem, with battery backup.  My research on the
>>> Motorola finds that there is a firewall and NAT on the modem (which I
>>> don't want).  I can't find anything similar about the Arris Touchstone.
>>>
>>> Does anyone have any experience with either of these modems and 
>> Bering uClibc?
>>
>> I have two Arris Touchstone modems for digital voice on Cox cable-modem
>> service (one for business phone, one for residential), but neither is
>> hooked to my firewall (which is hooked to a third modem).
>>
>> When I setup my business-class network service with digital voice, the
>> Cox folks brought me a new Arris modem for voice, but told me to keep
>> the existing cable modem for data.  I was told there can be issues with
>> traffic prioritization within a single modem if it's running both data
>> and voice (ie: if your local computer starts spewing garbage full-speed
>> out to the 'net, your phone might stop working).  I'm not sure how
>> seriously to take this, but that's what the installer said.
>>
>> You might ask and see if you can just keep your existing modem for data
>> when they install your new voice service.  If you're nice to the
>> installer, (s)he'll probably even provide the required splitter and coax
>> patch cables.  If you're *REALLY* nice, you might be able to get them to
>> put their demark on your backboard in the wiring closet, instead of
>> hanging off the side of your house somewhere. :)
>>
>> - --
>> Charles Steinkuehler
>> [EMAIL PROTECTED]
>> -BEGIN PGP SIGNATURE-
>> Version: GnuPG v1.4.0 (MingW32)
>> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>>
>> iD8DBQFGI+B5LywbqEHdNFwRAgo0AJwPbRzE6QjZah8aCXrw7y4+KMf9AACg9u41
>> VKR3Lb+2REOQ9KFncxPbd+4=
>> =RpM7
>> -END PGP SIGNATURE-
>>

[leaf-user] Compression Format for initrd.lrp?

2003-07-20 Thread George Metz
Hey gang,

Well, after recently moving, my old firewall system decided that the 
floppy controller on the motherboard didn't want to actually read disks 
anymore. Or certainly not WRITE them.

So, I went ahead and used an older (but still newer than the old router) 
system, a P3-500 with a 64-meg DIMM, to throw together a new system. 
Right now, I'm trying to get things set up with an upgrade - since I had 
to move from DSL with Static IP to Cablemodem with DHCP - to Bering, and 
I'd like to do it on CD-ROM. And the easiest way for me to make the 
infamously-missing initrd.cdrom file myself would be to extract initrd 
on my workstation, make the changes, and close it back up. 
Unfortunately, things seem to choke when I try that. Winzip, itself, 
certainly doesn't think it's a tarball that's been gzipped, and neither 
does Winrar. Since the hard drive that had my Linux install on it just 
died (literally; happened about two hours ago) that's not really an 
option for me either.

So could anyone give me a pointer on whether or not what I'm trying to 
do is even possible? Or am I going to have to go at this the hard way - 
setting up a boot image on floppy and borrowing a computer?

Thanks!

George Metz



---
This SF.net email is sponsored by: VM Ware
With VMware you can run multiple operating systems on a single machine.
WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines at the
same time. Free trial click here: http://www.vmware.com/wl/offer/345/0

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html


Re: [leaf-user] Compression Format for initrd.lrp?

2003-07-20 Thread George Metz
Jeff Newmiller wrote:
> On Sun, 20 Jul 2003, George Metz wrote:
>
>> I'd like to do it on CD-ROM. And the easiest way for me to make the 
>> infamously-missing initrd.cdrom file myself would be to extract initrd 
>> on my workstation, make the changes, and close it back up. 
>> Unfortunately, things seem to choke when I try that. Winzip, itself, 
>> certainly doesn't think it's a tarball that's been gzipped, and neither 
>> does Winrar.
>
> Thank goodness. ;)
>
> That's because it isn't a tarball.  It is a gzipped minix filesystem
> image.

Well that would explain that. :)

>> Or am I going to have to go at this the hard way - 
>> setting up a boot image on floppy and borrowing a computer?
>
> Not sure I understand why you need to borrow a computer... you obviously
> have one capable of burning a CDR.  As long as it also has a floppy drive,
> you should be able to use that.

The floppy would be the key issue. I was having some fairly serious 
issues - repeatedly - with getting any of the floppies I made to boot. 
Or if they would boot, they wouldn't back up packages without I/O 
errors. I tried every floppy drive I had, too.

I did manage to get it set up, though. I'm guessing that the floppies 
don't take kindly to Win2K doing file operations on the superformatted 
images, so I basically ran the win32 binary and didn't bother clearing 
space first. That allowed me to reboot, edit packages, and save them, 
then just used Winimage to read the drive into an image file. Little 
convoluted, but it works.

Thanks for the info!

George

Thanks for the info!

George
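Jeff's point above, that initrd.lrp is a gzipped Minix filesystem image and not a tarball, is the kind of thing an archiver guesses wrong from the file name. The check below identifies such an image from its magic bytes instead, looking inside the gzip layer. It is an added example, not code from the thread or from LEAF; the magic values and offsets are the standard ones for gzip, POSIX tar and the Minix superblock, not something the page states, and the test fixture is a constructed zero-filled file carrying only the Minix magic.

```bash
#!/bin/bash
# Added example (not from the thread): identify an initrd-style image by its
# magic bytes rather than its extension. Standard magic values (not from the
# page): gzip = 1f 8b at offset 0; POSIX tar = "ustar" at offset 257; Minix
# superblock at offset 1024, 16-bit little-endian magic at offset 1040:
# 0x137f / 0x138f (v1), 0x2468 / 0x2478 (v2).

bytes_at() {  # bytes_at FILE OFFSET COUNT -> those bytes as lowercase hex, no spaces
    od -An -tx1 -j "$2" -N "$3" "$1" 2>/dev/null | tr -d ' \n'
}

image_kind() {  # image_kind FILE -> gzip(<inner kind>) | minix-fs(v1|v2) | tar | unknown
    local f="$1" tmp magic
    if [ "$(bytes_at "$f" 0 2)" = "1f8b" ]; then
        tmp=$(mktemp) || return 1
        if gzip -dc "$f" > "$tmp" 2>/dev/null; then
            echo "gzip($(image_kind "$tmp"))"   # classify the decompressed payload
        else
            echo "gzip(corrupt)"
        fi
        rm -f "$tmp"
        return 0
    fi
    if [ "$(bytes_at "$f" 257 5)" = "7573746172" ]; then   # "ustar"
        echo tar
        return 0
    fi
    magic=$(bytes_at "$f" 1040 2)
    case "$magic" in
        7f13|8f13) echo "minix-fs(v1)" ;;
        6824|7824) echo "minix-fs(v2)" ;;
        *)         echo unknown ;;
    esac
}

# Constructed fixture: 2 KiB of zeros plus the Minix v1 magic at offset 1040.
# Enough to exercise the check; it is not a mountable filesystem.
make_fake_minix_image() {  # make_fake_minix_image PATH
    head -c 2048 /dev/zero > "$1"
    printf '\177\023' | dd of="$1" bs=1 seek=1040 conv=notrunc 2>/dev/null
}
```

Once the kind is known, the right tool follows: a gzip(minix-fs(v1)) result means `gunzip` the file and then loop-mount the image with `-t minix` on a Linux box, which is what the Windows archivers could not do.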





Re: [leaf-user] Now On-Line but big trouble...

2003-07-20 Thread George Metz


Michelle Konzack wrote:
> No I have not...
>
> because I currently have no running SLINK system (HD crash)
> and can not build new LRP 2.9.4 packages...

You could try the Windows port of it, WinDump. It runs on 
Win9x/ME/NT/2K/XP, and only requires a (freely available) single file 
in addition to itself.

http://windump.polito.it/





Re: [leaf-user] Now On-Line but big trouble...

2003-07-24 Thread George Metz
As a start, I'd like to say, please take the politics off this list. 
Matt did. You can too. Furthermore:

> I was working for the French government and I have very good access to some
> non-public information... The Europeans had scanned by satellite the
> Near East (from Syria to Iran) for radioactivity...
>
> There is nothing !!!

Then their scans didn't work. Iran has nuke power plants and uranium 
mines in their own territory. There was a rather large nuclear energy 
facility in Tuwaitha. One that looters hit, and that people are 
getting radiation poisoning from.

Please, if you're going to fling attacks, do so with credible 
information at a minimum. And most importantly, please stay on topic.

> So Boy-George W.B. likes to play war games for nothing but economy...
> He is a terrorist, a killer and a thief.

And I, too, am done with this thread. For any number of reasons. If 
you'd like them, forward this statement to me privately and I'll be 
happy to explain off-list.







Re: [leaf-user] interfaces / shorewall assist please

2003-07-26 Thread George Metz


Steve Wright wrote:

Bit of a red herring here; just want to make sure that he doesn't need 
to spend time chasing down a ghost...

>> lsmod output:
>> Module                  Pages    Used by
>> 3c589_cs                8580     0 (unused)
>
> I can see no module here that looks like an ethernet driver.  Either you
> have the driver (for your ethernet chipset) built in to the kernel, or 
> it is not loaded.
>
> What is the ethernet chipset for eth0 ?  Try to insmod the module for it 
> and see what happens.

3c589_cs is the Ethernet module there. It's a 3Com NIC; all of their 
cards which use their own chipsets have modules that start with "3c" 
as a designator.

George Metz





Re: [leaf-user] followup to interfaces / shorewall assist

2003-07-27 Thread George Metz
Steve Wright wrote:
> I know Linux and WISP-DIST, but I am not familiar with Bering, per se.
>
> Try these things ;
>
> boot Bering, and see if pump is running on eth0.  It should not be.
>
> Start from scratch, with a perfectly clean image and have another go.
>
> Write a little script that restarts the network - basically what 
> you are doing now, but automatically.

For that matter, removing pump entirely from the list of packages to 
be loaded would be indicated. PPP has its own method to assign an IP 
address to the connecting device, and with eth0 being the only 
Ethernet interface, and the internal at that, then pump doesn't need 
to be on the disk.





Re: [leaf-user] VPN security issue? Slightly O/T...

2003-07-29 Thread George Metz
Craig Caughlin wrote:
> Hi Eric,
> Thanks for the response. I think I'm like Alex, I don't quite understand
> what you mean when you say "Then the entire Internet gets access to the
> other side of your VPN without having to compromise your system." Could
> you explain that a little bit? Thank you.

It's fairly straightforward. Let's say you've got a machine on the 
internet with nothing between you and the 'net. You're running with a 
public IP (I'm gonna use a private, so just pretend) of 172.16.8.1 on 
your machine, and you're connected to a VPN. Routing is also turned on 
on this particular machine.

I'm a bit rusty on my Linux routing statements, but on a Cisco, the 
way you'd do it is:

ip route 0.0.0.0 0.0.0.0 172.16.8.1
ip route 172.16.8.1 255.255.255.255 192.168.1.1

Where the 192.168 address is the far side of your WAN connection. This 
provides a route to your machine, and tells the Cisco to send ALL 
traffic to your machine for routing. After that it's a fairly 
straightforward issue to run an ICMP scan with a relatively low 
timeout setting on the 10/8, 172.16/12, and 192.168/16 IP blocks until 
you find a valid IP, then work on that area of the block and play with 
someone's corporate LAN.

So yeah, this can be a really, REALLY big security hole.

Just one thing; if you can browse while connected to a VPN, make 
CERTAIN that you're not browsing THROUGH the VPN before you go getting 
all panicky. It's certainly a strong likelihood, and AFAIK there's 
relatively little chance of the hole you're referring to from 
happening. (IOW, browsing on your public connection while connected 
via VPN.)

George Metz
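The precondition for the scenario above is a VPN client host that has routing turned on and a private network reachable through its tunnel; that is a condition you can test for on the client itself. The check below does that from the kernel's forwarding flag and the routing table. It is an added example, not code from the thread; the route listings are constructed, and treating tun/tap/ppp/ipsec interface names as "the tunnel" is an assumption about naming, not something the post states.

```bash
#!/bin/bash
# Added example (not from the thread): flag a VPN client host that forwards
# packets and has private (RFC 1918) networks reachable through a tunnel
# interface, i.e. one a route pointed at it from the public side would turn
# into a gateway into the VPN. On a real host:
#   vpn_gateway_risk "$(sysctl -n net.ipv4.ip_forward)" "$(ip route show)"
# Tunnel interface naming (tun/tap/ppp/ipsec) is an assumption.

# Constructed: VPN up, 192.168.1.0/24 and the tunnel transit net reached via tun0
SAMPLE_ROUTES_EXPOSED='default via 172.16.8.254 dev eth0
172.16.8.0/24 dev eth0 proto kernel scope link src 172.16.8.1
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 via 10.8.0.1 dev tun0'

# Constructed: same host with the VPN down
SAMPLE_ROUTES_LOCAL='default via 172.16.8.254 dev eth0
172.16.8.0/24 dev eth0 proto kernel scope link src 172.16.8.1'

vpn_gateway_risk() {
    # $1: value of net.ipv4.ip_forward (0 or 1); $2: `ip route show` output.
    # Prints a verdict; returns 1 when the host could relay into the VPN.
    local fwd="$1" routes="$2" hits
    if [ "$fwd" != "1" ]; then
        echo "ok: ip_forward is off, host cannot relay into the VPN"
        return 0
    fi
    # RFC 1918 destinations whose route leaves through a tunnel-type interface
    hits=$(printf '%s\n' "$routes" | awk '
        $1 ~ /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)[0-9.]*\/[0-9]+$/ {
            for (i = 1; i < NF; i++)
                if ($i == "dev" && $(i + 1) ~ /^(tun|tap|ppp|ipsec)/) print $1
        }' | tr '\n' ' ')
    if [ -n "$hits" ]; then
        echo "risk: ip_forward is on and private networks are routed via a tunnel: $hits"
        return 1
    fi
    echo "ok: ip_forward is on but no private network is routed through a tunnel"
    return 0
}

# Example run
vpn_gateway_risk 1 "$SAMPLE_ROUTES_EXPOSED"
```

The fix on the client side is the obvious one: leave ip_forward off on a VPN client, and where forwarding is genuinely needed (a LEAF box doing site-to-site), have the firewall's FORWARD policy drop anything arriving on the public interface that is destined for the tunnel.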





Re: RE: [leaf-user] VPN security issue? Slightly O/T...

2003-07-29 Thread George Metz
Two addendum points:

1. A LOT of ISPs use RFC1918 address space as connector IPs on their 
own network. It conserves IP addresses that they can sell/lease to 
customers, and overall it works well. This means that if your ISP is 
doing this, and your VPN is on a different block, AND the ISP routers 
somehow became aware of the block you're routing to (bit of a stretch, 
I know, on that last), then you end up serving as a gateway. More 
likely, traffic just dead-ends in your ISP, possibly at one of their 
routers.

2. Lots of folks use cablemodems as their internet access. Those that 
do rarely think about security from their friendly neighborhood fellow 
cablemodem users. That would be, at minimum, 252 users who could access 
your system and invade the VPN Network. Including Little Jimmy, who's 
now 13 and thinks cracking corporate networks is way l33t. More likely, 
it includes everyone in your town, and all of little Jimmy's l33t 
friends. All because a cablemodem network is like one big LAN. I get at 
least 50 hits a day on Netbios ports just from people who have no clue 
that their computer is a sitting target, and is actively looking to 
compromise itself for you.

That's the real threat. Granted, maybe not the entire net, but a far 
larger portion than you'd like to think is healthy.

George Metz

- Original Message -
From: Eric B Kiser <[EMAIL PROTECTED]>
Date: Tuesday, July 29, 2003 7:42 pm
Subject: RE: [leaf-user] VPN security issue? Slightly O/T...

> Alex,
> 
> Most modern IPsec clients have better security than they used to.
> There was a time that if your company was using public addresses internally
> ...and a remote client had a VPN connection across the Internet ...and said
> remote client also was inadvertently configured to route traffic from
> the internet across the VPN ...and someone knew enough to target you.
> 
> It was (and still is) possible to get into the company network that way.
> I realize that the chances of this happening are extremely remote. I
> have, however, witnessed this very thing while working for Ascend
> communications. Thankfully FreeS/WAN is a much better product and
> public addresses are not as commonly used internally as they once were.
> 
> Assuming that you are using private addressing internally and assuming
> that your ISP is filtering the RFC 1918 addresses, then yes the next-hop
> "should" be the extent of the threat. This threat, however, can be
> mitigated by good fire-walling practices.
> 
> Best Regards,
> 
> Eric "In the grip of paranoia." Kiser
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [leaf-user-
> > [EMAIL PROTECTED] On Behalf Of Lynn Avants
> > Sent: Tuesday, July 29, 2003 6:38 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: [leaf-user] VPN security issue? Slightly O/T...
> > 
> > On Tuesday 29 July 2003 04:53 pm, Alex Rhomberg wrote:
> > > > It's fairly straightforward. Let's say you've got a machine on the
> > > > internet with nothing between you and the 'net. You're running with a
> > > > public IP (I'm gonna use a private, so just pretend) of 172.16.8.1 on
> > > > your machine, and you're connected to a VPN. Routing is also turned on
> > > > on this particular machine.
> > >
> > > I still don't get it: Let's say I have the setup you described, with
> > > 192.168.1.0/24 being my VPN. You're sitting on the other side of the
> > > Internet, say 10 hops away. How can you send a packet to 192.168.1.1? Is
> > > there a standard tunneling method that is always activated? The 10 hops
> > > on the way would all drop a packet sent to 192.168.1.1.
> > >
> > > Wouldn't the cryptic commands you described only work on my next hop,
> > > i.e. the ISPs router? This would reduce the number of people who can get
> > > at my VPN quite significantly (ISP admins instead of "whole Internet")
> > 
> > The private addressing sent via the tunnel is encapsulated and encrypted
> > under the public ip address of the VPN gateway. Nothing outside of the VPN
> > gateways (ie... internet) would have any idea that any private addressing is
> > attached to these packets.
> > 
> > To further the earlier question of using both VPN and internet access at
> > the same time. you can't run a VPN w/o internet access can you? :)
> > In all cases, the proper routing is needed for *any* VPN to work properly.
> > Improper routing is the secu

Re: [leaf-user] DHCP client

2003-08-02 Thread George Metz
To clarify, however...

Bering is indeed set up to use pump.lrp by default, and it works 
extremely well. HOWEVER, since Bering is set up so that you can use 
DHCP, PPP, or PPPoE with the default image, pump.lrp is NOT loaded by 
default in syslinux.cfg.

So, if you open up syslinux.cfg and add pump to the LRP= statement, 
you should have no issues getting your Bering box to grab an IP from 
your provider for eth0.

George

M Lu wrote:
Bering uses pump.lrp by default.



From: Alexander Borghgraef <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: [leaf-user] DHCP client
Date: Sat, 2 Aug 2003 11:08:48 +0200 (CEST)
Ok, I finally got the via-rhine driver installed, but now I can't get the
dhcp client running (I've got a cable modem internet connection). After
some browsing through the docs I noticed dhclient.lrp is not included as
standard in Bering, which seems strange since the default network setup
is eth0 dhcp, eth1 fixed IP. Dhcpd.lrp is included though. Do I need the
dhclient package, or am I missing something? Also, are there any remote
login tools included in the standard boot disk?

--
Alex Borghgraef




leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html









Re: [leaf-user] DHCP client

2003-08-04 Thread George Metz
Um.

Okay, color me stupid.

For some reason, I mixed up pump and DHCPd. DHCPd is 
not loaded in there by default, but is on the disk.

Sorry for confusing you...

George Metz

Luis.F.Correia wrote:
If you are using Bering, then type 'ip addr'.




-Original Message-
From: Alexander Borghgraef [mailto:[EMAIL PROTECTED] 
Sent: Monday, August 04, 2003 9:23 AM
To: George Metz
Cc: [EMAIL PROTECTED]
Subject: Re: [leaf-user] DHCP client

On Sat, 2 Aug 2003, George Metz wrote:

> To clarify, however...
>
> Bering is indeed setup to use pump.lrp by default, and it works
> extremely well. HOWEVER, since Bering is set up so that you can use
> DHCP, PPP, or PPPoE with the default image, pump.lrp is NOT loaded by
> default in syslinux.cfg.

Hmm... Strange, it was in my syslinux.cfg, and I didn't do it myself.
Anyway, when I run ps I see pump -i eth0 running, but when I try to
ping either google or my proxy, I get nothing. I don't know yet if I
don't get an IP, or if the problem lies with contacting the DNS.
How can I check if I've been granted an IP address? Ifconfig doesn't
seem to be part of the LEAF distro, and I don't know what else checks
it.
--
Alex









Re: [leaf-user] Routing 192.168.231.255

2003-08-08 Thread George Metz
- Original Message -
From: Ray Olszewski <[EMAIL PROTECTED]>
Date: Wednesday, August 6, 2003 10:13 am
Subject: Re: [leaf-user] Routing 192.168.231.255

> As an aside, from time to time people post questions here about whether
> blocked packets from/to ports 137/139 are attacks. I usually reply
> suggesting that they are more likely to be a "leaky router" on the ISP's
> "LAN" than a deliberate attack. This problem is (I think) an example of
> just such a misconfigured router.

These days, though, it's more likely to be annoying maliciousness, 
rather than an outright attack. If you're on a cable network, you're 
likely to see a LOT of incoming stuff from all over the 'net with 
destination ports for 138/139 and 135. These - especially the 135s - 
tend to be the now-pervasive Windows Messenger Service popups that a 
lot of folks are getting. Any of those ports will work though, and if 
you're doing any sharing of Windows drives on your LAN, you really want 
to have those blocked.

I'd recommend you check your external IP though before blocking RFC1918 
addresses wholesale; your provider may be using them as a WAN IP 
between you and them and doing further NAT or PAT on their side.
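The "lots of 135/138/139 hits" observation above is easy to check against your own logs. The following is an added example, not code from the list or from LEAF/Shorewall: it parses the KEY=VALUE part of netfilter LOG lines (the format Shorewall writes to syslog), tallies drops aimed at ports 135 and 137-139, and reports whether each source sat on the same provider subnet as the WAN interface (a neighbour or "leaky router") or came from elsewhere. It also carries the caveat about checking whether the WAN address is itself RFC1918 before dropping those ranges wholesale. The log lines and the WAN address 24.0.113.10/22 are constructed for the example.

```python
"""Tally of blocked Windows-service traffic in Shorewall/netfilter logs.

Added example, not code from the list thread or from LEAF/Shorewall.
The sample log lines and the WAN address 24.0.113.10/22 are constructed.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, Optional, Tuple

WINDOWS_PORTS = {135: "msrpc", 137: "netbios-ns",
                 138: "netbios-dgm", 139: "netbios-ssn"}

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# After the log prefix, netfilter LOG lines are a run of KEY=VALUE tokens
# (flags such as DF or SYN have no '=' and are ignored by this pattern).
_KV = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed sample: five drops on Windows ports, one unrelated port-80 probe.
SAMPLE_LOG = """\
Aug  8 10:13:22 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=24.0.112.7 DST=24.0.113.10 PROTO=UDP SPT=137 DPT=137 LEN=58
Aug  8 10:13:25 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=24.0.112.7 DST=24.0.113.10 PROTO=UDP SPT=137 DPT=137 LEN=58
Aug  8 10:14:01 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.99 DST=24.0.113.10 PROTO=TCP SPT=3456 DPT=135 WINDOW=16384 SYN
Aug  8 10:14:30 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.5 DST=24.0.113.10 PROTO=UDP SPT=1026 DPT=135 LEN=800
Aug  8 10:15:02 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=24.0.115.200 DST=24.0.113.10 PROTO=TCP SPT=4001 DPT=139 SYN
Aug  8 10:15:40 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.99 DST=24.0.113.10 PROTO=TCP SPT=3457 DPT=80 SYN
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the KEY=VALUE fields of one log line, or None if it is not a LOG line."""
    fields = dict(_KV.findall(line))
    if "SRC" not in fields or "DPT" not in fields:
        return None
    return fields


def wan_is_rfc1918(wan_cidr: str) -> bool:
    """True if the WAN address is private: the provider is NATing you, so
    dropping RFC1918 sources wholesale would cut off your own next hop."""
    ip = ipaddress.ip_interface(wan_cidr).ip
    return any(ip in net for net in RFC1918)


def tally(log_text: str, wan_cidr: str) -> Tuple[Counter, Counter]:
    """Count Windows-port drops by destination port and by where the source
    sat relative to the WAN subnet ("provider-subnet" or "elsewhere")."""
    wan_net = ipaddress.ip_interface(wan_cidr).network
    by_port: Counter = Counter()
    by_origin: Counter = Counter()
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        dpt = int(fields["DPT"])
        if dpt not in WINDOWS_PORTS:
            continue  # only the NetBIOS/RPC noise discussed above
        by_port[dpt] += 1
        src = ipaddress.ip_address(fields["SRC"])
        by_origin["provider-subnet" if src in wan_net else "elsewhere"] += 1
    return by_port, by_origin


if __name__ == "__main__":
    ports, origins = tally(SAMPLE_LOG, "24.0.113.10/22")
    for port, count in sorted(ports.items()):
        print(f"dpt {port} ({WINDOWS_PORTS[port]}): {count} dropped")
    print(dict(origins))
    print("WAN is RFC1918:", wan_is_rfc1918("24.0.113.10/22"))
```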





Re: [leaf-user] OT - How many users will a T1 line service?

2003-08-31 Thread George Metz
From experience on the far end of the line, a T-1 can hold anywhere 
from 2 to 1000 users simultaneously. If this setup is mostly web 
browsing for research purposes - for example, a school library - where 
they either won't want to or won't be able to run their own programs 
on it, then a frac T-1 should do okay. If you've got more than 50 
users though, I wouldn't go much below 512k.

Also, consider Frame Relay. It's often cheaper, and can be set up so 
that you have, say, 768k most of the time, with a "burst" capability 
up to full T-1 levels. It also allows you to go with a good many more 
ISPs.

Note that this is conditional on the number of simultaneous users - or 
more to the point, the number of available workstations. And below a 
certain speed rate, people are going to grumble about slow speeds no 
matter how many folks are using it. Also, I've seen full T-1s range in 
price from as little as $300 per month to as much as (or more than) 
$1000 per month, exclusive of any equipment charges - T-1 routers are 
expensive! Make SURE that, if it looks like you're getting a good 
deal, the price of the service INCLUDES the price of the local loop; 
that $250 T-1 deal might be pretty crappy if your site is 5 miles out 
from the CO and you've got to pay for the charges yourself.

Steven had a point as well; if you're doing e-mail, limit attachments 
- I prefer 10 megs, to allow larger PDFs and MS Bloatware application 
files through - right off the bat. Set up a transparent caching 
webserver, probably (to tie it in) in a LEAF DMZ, with the bulk of 
users on an inside network to get a solid firewall going. If you're 
doing your own e-mail, set it up so that the e-mail server is also on 
the DMZ, and make sure that you've got it set up to scan for virii. 
This will also allow you to set up something like SpamAssassin. After 
that, I strongly recommend IMAP rather than POP; even on a local 
network, you'll get a much easier time of the bandwidth usage. If 
someone else is hosting for you, request IMAP specifically, then block 
POP. Someone downloading a fistful of SoBig e-mails is one surefire 
way to clog up even a T-1 line.

Craig Caughlin wrote:
Hi folks,
I'm working on a little project with a school district, and I'm
wondering if anyone has an idea (or firsthand experience) how many users
that you might "reasonably" expect either a full T1 line or fractional
T1 line to provide internet service for??? I need to do some "financial
planning" and I'm trying to factor in how much our internet access is
going to cost :-)
Thank you,
Craig






Re: [leaf-user] WAP

2003-09-06 Thread George Metz
I would strongly recommend that if you do this, you either:

1. Get a router-in-a-box with a WAP on it, instead of just a WAP.

2. Put the WAP on a DMZ from a third NIC.

3. Both of the above - can't be too careful.

Wireless, even running WEP encryption, can be a serious security flaw 
in any network. Anyone in your neighborhood is going to be able to 
access it one way or another, either by directional antenna or by 
taking a laptop and sitting outside your house. Apartments are even worse.

If you're going to be using wireless basically as a method to sit 
outside on a nice day and use a laptop to browse the net, then putting 
the WAP on a DMZ with rules in shorewall to prevent it from accessing 
the wired LAN is probably a good idea. For extra security, sticking it 
behind a Router/WAP combo that's actually doing NAT masquerading from 
the DMZ isn't a bad idea either, as long as the shorewall rules are in 
place as well.

For a good deal, check Best Buy if you have one in your area. I 
managed to get the Microsoft MN-500 Wireless router/4 port switch 
combo for $30 because someone had opened it and returned it - it was 
fully functional. (Oddly enough though, in routing mode, you can't 
play Asheron's Call - one of Microsoft's games - from more than one 
client at a time. I'm assuming this would be an issue as a router for 
any online games that use multiple UDP connections. Bering 1.2 and 
Shorewall handle it out of the box, as it were.)

George Metz

C. Dummy wrote:
Hi.
I just came back to the mailing list after a while. I'm running Bering 1.2 
with a dsl modem and then a switch with 4 computers on static internal ip's. 
I'd like to add a wireless access point. What is the best way to do that? 
Plug in a wap to the switch which is behind Bering? Can they exist together, 
Bering, switch and WAP? Or Bering, switch and wireless router? Most of the 
WAP's come with a router; should I buy one with a router built in or 
without? Is this the way to go, running a WAP from the switch? I want my 
wired connections to be the main structure; I'll use the WAP only from time 
to time. Sorry if all this sounds stupid but I have never had any 
experience with wireless connections.
Andrey







Re: [leaf-user] D-Link 520+ Bering 1.2 problem with acx100_pci.o

2003-09-06 Thread George Metz
If you didn't compile the module with the kernel that Bering uses 
running, or with links pointing to the Bering kernel's config and 
source directories, you will not be able to successfully get the 
module to work.

Sebastian A. Aresca wrote:

Hi, I bought a D-Link 520+ and I am trying to make it work under 
Bering 1.2 kernel 2.4.20.
I compiled it but can't make the acx100_pci.o module work.
I think the problem is with the bin files. The acx howto says to get
those files from Windows but I don't have it.

Thanks in advance.
 
Sebastian A. Aresca







Re: [leaf-user] WAP

2003-09-07 Thread George Metz
Just as a note, my primary reasoning for thinking to put NAT behind 
NAT - and it wouldn't be an issue, BTW, since many ISP/MSP/MSSP 
companies, including the one I work for, provide RFC1918 address space 
for the WAN side and run NAT behind it on the LAN side, because it's 
all going out a managed Firewall - is because you could then have a 
hub in between the WAP and your Bering box to connect into to run 
Ethereal through to find out what kind of traffic is passing over your 
WAP link. Furthermore, it would also mean that you can actually access 
the WAP - something not easily done, if at all, in Bridging mode - if 
you needed to change the Wireless keys out for some reason, or do some 
sort of other configuration work on the device.

I like having lots of powerful options, even if I'm unlikely to use 
them much.

George

C. Dummy wrote:
My WAP might stand right on the bering box so that's no problem. Looks 
like a third nic is the easiest resolution. I don't know much about squid 
proxy, and viz sshd (probably requires multiple floppies or cd), not yet at 
least. I just need the WAP for simple browsing of the internet on the laptop. 
Thanks for all the help. I'll have to read the user's guide about the third 
nic, DMZ and different ip subnets on the same LAN. I hope there are some 
examples. 
Thank you.
Andrey

Steve Wright wrote:

On Sun, 2003-09-07 at 15:24, M Lu wrote:

> I am not familiar with the 'scope' thing, but I am sure you do not need 
> the router, you need only the access point if you connect your WAP to 
> a separate NIC in the Bering router. I disable the router function in 
> my D-Link 713P.

Yes, you can use a separate NIC, but then the AP must be next to the
Bering Router, or run a new long cable.  This is inconvenient, and is
not required, unless the AP *is* right next to the Bering Box.
These are scopes:

10/8
172.16.1/24
192.168.0.0/24

You may run multiple scopes on one subnet (network cable/switch/NIC) and
add rules about who may talk to who.
It can be complicated at first, but it is very powerful, and much easier
than heaps of iptables entries.

/steve




Re: [leaf-user] SpeedStream R1483 + bridging

2003-09-13 Thread George Metz
RFC1483 is simply a means - that is as far as you're concerned, 
completely and totally transparent - for encapsulating IP traffic for 
transport over an ATM circuit. The DSL Modem handles all of this, and 
it has absolutely zilch to do with your IP address or even with 
anything that actually touches your location.

Quickie Lesson on DSL setups:

DSL, or Digital Subscriber Line, is a last-mile technology. Oddly 
enough T-1 lines in the US use a very similar, but more robust, 
technology in many cases. The actual DSL part, and the only thing the 
DSL modem does, is function the same as a network card but for DSL 
instead of Ethernet. The actual DSL part is only between points A and 
B, usually Customer Premises and Telco Central Office.

RFC1483 only comes in because most DSL providers use ATM circuits to 
connect from the hundreds of Central Offices where their equipment 
resides back to either their own internet connections, or to an ATM 
circuit for the ISP that you ordered service to.

Note, both the ATM and the DSL portions of this setup are entirely 
done transparently; you'll never see or have to deal with anything 
other than "Is my line up".

The Speedstream 5660 is a DSL bridge, meaning it takes anything that 
it receives on one port and passes it to the other port. It's 
completely transparent. In fact, it's really just a glorified 
DSL-to-Ethernet converter. It has absolutely no routing functions, and 
if it has an IP address at all - which I highly doubt - then you 
wouldn't be able to access it as it's set up for Technician access 
only, and therefore probably on the WAN side. It is NOT your WAN IP 
address, that gets passed to the WAN side of your Bering box.

To make an already long story short, you got told a bunch of 
information that you didn't need to know and got confused. RFC1483 has 
nothing to do with what you're looking at, and is totally transparent, 
and the Speedstream is only a bridge, which is also totally 
transparent. PPPoE is simply a means to assign an IP address to a host 
dynamically, as well as enabling certain bandwidth controls on the ISP 
side. DHCP serves the same function IP-wise, as does a static IP address.

I recommend calling your ISP and asking them how you will be assigned 
an IP Address; that should tell you all you'll need to know to get it 
set up and running.

George - who spent far too much time fixing DSL at one point. :)

Lars Karlslund wrote:

Hi,

I want to do a setup with my Bering box on a site in Spain, which has
the following characteristics:
- The line is running RFC1483 LCC encapsulation with a fixed IP-address
- The router is a SpeedStream 5660
I thought the line ran PPPoE with authentication, but it seems it runs
RFC1483 (is that a variant of PPPoE or is that just a synonym?)
The setup can be configured so far that the SpeedStream acts as a bridge
and does the RFC1483 encapsulation to the ADSL line. The SpeedStream's
WAN port then has the external IP address. But I need my Bering box to
have that address - but two units can't share the same address?
Pointers would be appreciated.





Re: [leaf-user] Dachstein, 2 internal nets routing

2003-09-27 Thread George Metz
Negative, 192.168.0/23 will route 192.168.0.0/24 and 192.168.1.0/24 
but ignore 192.168.2.0/24. You'd need to do a /22 to do aggregate 
routing with the specified /24s, and at that you'd have two /24s 
floating in limbo.

Victor McAllister wrote:
Dachstein will not route between interfaces unless you tell it to do so.
To masquerade both  networks
INERN_NET=192.168.0/23 should cover both networks.
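The aggregation point above can be checked mechanically. The following is an added example, not code from the thread or from Dachstein: it finds the smallest single prefix covering a list of internal networks, reports which ones a candidate aggregate such as 192.168.0.0/23 misses, and lists the /24s that a wider aggregate routes or masquerades without anyone using them. The two internal networks it assumes (192.168.0.0/24 and 192.168.2.0/24) are chosen to match the reply above; the functions work for any list of IPv4 networks.

```python
"""Aggregate-prefix check for the masquerade setting discussed above.

Added example, not code from the thread or from Dachstein.  The internal
networks below are an assumption consistent with George's reply.
"""
import ipaddress
from typing import Iterable, List, Tuple

Net = ipaddress.IPv4Network

# Assumed internal networks: with these, a /23 misses 192.168.2.0/24 and
# the /22 needed to cover both leaves two /24s unused.
INTERNAL_NETS = ["192.168.0.0/24", "192.168.2.0/24"]


def _nets(specs: Iterable[str]) -> List[Net]:
    return [ipaddress.ip_network(s, strict=False) for s in specs]


def smallest_covering_prefix(specs: Iterable[str]) -> Net:
    """Smallest single prefix that contains every listed network.

    Start from the first network and widen it one bit at a time until all
    the others are subnets of it; this is the only aggregate that can stand
    in for the whole list in a single route or masquerade entry.
    """
    nets = _nets(specs)
    if not nets:
        raise ValueError("need at least one network")
    cover = nets[0]
    while not all(n.subnet_of(cover) for n in nets):
        cover = cover.supernet(prefixlen_diff=1)  # /24 -> /23 -> /22 ...
    return cover


def coverage_report(specs: Iterable[str], aggregate: str) -> Tuple[List[str], List[str]]:
    """Split the listed networks into (covered, missed) by a candidate aggregate."""
    agg = ipaddress.ip_network(aggregate, strict=False)
    covered: List[str] = []
    missed: List[str] = []
    for net in _nets(specs):
        (covered if net.subnet_of(agg) else missed).append(str(net))
    return covered, missed


def limbo_subnets(specs: Iterable[str], aggregate: str, prefix: int = 24) -> List[str]:
    """The /prefix subnets inside the aggregate that were NOT in the list:
    address space the aggregate routes or masquerades with nobody using it."""
    agg = ipaddress.ip_network(aggregate, strict=False)
    asked = {str(n) for n in _nets(specs)}
    return [str(s) for s in agg.subnets(new_prefix=prefix) if str(s) not in asked]


if __name__ == "__main__":
    print("covered/missed by /23:", coverage_report(INTERNAL_NETS, "192.168.0.0/23"))
    best = smallest_covering_prefix(INTERNAL_NETS)
    print("smallest aggregate:", best)
    print("unused /24s it drags in:", limbo_subnets(INTERNAL_NETS, str(best)))
```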




Re: [leaf-user] DSL troubleshooting.....

2003-11-25 Thread George Metz
This cannot be a DNS issue. It's like saying, every time a plane flies 
over my house, the subway train that runs underneath it gets derailed.

DSL modem sync is a Layer 2 function, whereas DNS is a Layer 7(?) 
function. (I'm talking about the OSI Layer Model. Layer 2 is Data Link, 
Layer 7 is application, though I'm too tired to place DNS accurately, so 
it might be in the 4-6 range.) More than likely, there's something 
screwy with your DSL modem and a request on port 80 is causing it to 
keel over. I would contact your DSL provider and request that they have 
the line tested - you'll need to be on hand for that - and if that 
doesn't turn anything up, see if they'll send you a replacement modem. 
Explain everything in detail to them when you call.

If you want to verify that it isn't your Bering box before you call, 
just run the ethernet cable straight from the modem to your workstation, 
set whatever needs to be set for getting an IP address, and try 
accessing a website and see if it does the same thing.

George

John Mullan wrote:
Can anyone give me hints about what to look for?

My DSL modem (apparently) loses sync when I try to access an external web
site.  After it syncs back up, and I try again, I lose sync again.  Ping
works the same way except if I try to ping an IP rather than URL.
Now this would seem to me to be a DNS problem.  But can this be with my
internal DNS or ISP's DNS ???  Could it be either?
HISTORY:  This is my home/personal network.  I have Bering/Shorewall and it
has been working up until yesterday.  I have not made any changes in the
last couple of days.  I have a Win2K server (192.168.1.128) inside and it
is the primary DNS of the internal network.  Bering box (192.168.1.254) is
secondary DNS (DNSCache).  IE; Win2K will forward unresolved addresses to
it (obvious!?!).
Ideas please..

John (www.mullan.ca)








Re: [leaf-user] firewall or just router

2003-12-14 Thread George Metz
Couple of things on this. Interspersed where relevant.

Brian Kolaci wrote:
> Hi,
> 
> I'm looking to setup a box mainly as a routing decision maker.
> I'll have 2 DSL lines, a primary and backup (to 2 different ISP's).  I'd
> like traffic to go out the primary (faster and static IP's) when its up
> and have it automatically failover to the second DSL router when the first
> dies.  I have a LAN -> watchguard -> linux box -> 2 DSL connections.

Careful with the Watchguards. They have a nasty tendency to stop working 
right around the time they run out of ports to masq to. So if you've 
got a lot of clients behind the Watchguard, it can be a real pain in the 
posterior.

> Actually, the linux box and the 2 DSL lines are on the same physical
> network.  I'd setup the linux box with static routes to force pings
> through each of the DSL lines and when it notices one line down to force
> the default route through the backup.

Okay, sounds good so far...

> The trick I'm finding is getting it to forward packets from the watchguard
> back out the same interface to one of the DSL lines.  I can't seem to get
> it to work like a router when there's only a single ethernet interface.

Have you tried setting up subinterfaces? (eth0:0 and eth0:1) That might 
work better, as you can assign different IP and gateway data to the same 
physical controller, and would make things overall less cranky.

> I'm looking to make a transparent failover (and recovery) between the
> DSL lines.  The watchguard can only take a single IP address for its
> default internet connection.

There is some data out there on this, but it's been a while (I think) 
since anyone's done it. It IS possible, though.





Re: [leaf-user] CABLE + WIFI + IPSEC + WINDOWS + BERING = ???

2003-12-18 Thread George Metz
The problem with this approach is that WEP, the security protocol that 
most Wireless points use, is fairly weak and relatively easily broken. 
If you want to ensure that only authorized users can get in, you kind of 
want to use both WEP (Wired Equivalent Protocol, even though it's not... 
:) ) and something like IPSec for authenticated access to the WAN. 
Otherwise, someone who really wants to can eventually sniff and break 
the encryption, and use your pipe for anything they want.

As a note, if the intended home environment happens to have metal siding 
of any type, this can REALLY kill your ability to use WiFi out in your 
yard. On the other hand, it makes it really difficult for someone to 
pick up your WiFi signal from across the street, as well. Old wiring and 
proximity to a microwave transmission tower can also have all sorts of 
interesting effects.

Remember, if you want to get it set up quick and dirty, set up the DMZ, 
don't worry about the IPSec for now and just go with the built-in 
encryption, and just get her online with a strong caution that anyone 
can drive down the street with a laptop and pick up anything she sends 
across it, so don't send credit cards or other financial data over the 
line. Then, when you've got time, go back and research, then implement 
the IPSec tunnel. WEP should be enough to fend off the simply curious 
for the time being, though turning off the WAP when she's not going to 
be using it might not be a bad idea. (Trips, busy weeks at work, etc.)

George

[EMAIL PROTECTED] wrote:
I have done something similar but not using a DMZ.   I simply added a second
Private network for the WiFi network using a normal NIC and a Separate
Wireless Access Point.   Simply don't add any rules that will allow the two
networks to interact into your shorewall rules and you have 2 independent,
isolated internal networks both of which have internet access through your
firewall.   The WiFi equipment we used had the capability to encrypt it's
own communications which we implemented to ensure that other laptops could
not be connected to the wireless network and use our satellite connection
without permission.   All of our gear was from Alloy.
Andrew Gray

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Sean E. Covel
Sent: Tuesday, 16 Dec 2003 06:19
To: [EMAIL PROTECTED]
Cc: Leaf User List
Subject: Re: [leaf-user] CABLE + WIFI + IPSEC + WINDOWS + BERING = ???
Julian,

On Mon, 2003-12-15 at 11:32, Julian Church wrote:

Hi Sean

On Mon, 15 Dec 2003 10:02:35 -0500, Sean E. Covel <[EMAIL PROTECTED]>
wrote:

Here is what I am proposing to do:

Cable Modem -> Bering --> (Private Network) Current PC (Windows XP)
                  |
                  ---> DMZ --> WAP --> Laptop (Windows XP)
The question is, of course, how to secure the WIFI and Laptop.  I was
hoping that the Laptop could establish an IPSEC connection through the
WAP to Bering.
Strange!

That's exactly what I'm planning at home, except there are two laptops,
both running Mac OS X (which has an IPSEC client built in.
As far as I've determined by searching the internet, as long as your
access point is set up as a transparent bridge, the IPSEC traffic will
pass straight through.
cheers

Julian




Since this needs to be up-and-running quickly, and I'm doing it in my
spare time, I wanted to go the path of least resistance.  How soon till
you implement?  I was hoping to learn from someone else's mistakes ;-).
Don't want to be the trailblazer on this one.  It just sounds too easy.
Anyone actually done it?  Even with 802.11a/b/g?


---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html







Re: [leaf-user] CABLE + WIFI + IPSEC + WINDOWS + BERING = ???

2003-12-19 Thread George Metz
Yeah, I know. I was more replying to someone else saying that WEP was 
enough. It's clearly not.

The actual Access Point SHOULD work exactly like a standard ethernet 
bridge/hub, so it should pass through the IPSec without issue. My 
suggestion was more in the nature of "here's how you get it up quickly 
if you can't locate the information you're looking for."

It's infinitely better to do it right the first time, but when you're in 
a time crunch with folks who don't understand why you have to jump 
through hoops, life gets a bit more difficult. :)

Sean E. Covel wrote:
George,

My original message included IPSEC.  I guess my biggest concern is: Can
IPSEC from a windows machine pass through the WAP and end at the Bering
box.  This would require a few things:  The WAP passing IPSEC.  The MS
Box using IPSEC.  Bering able to understand whatever it is that
Microsoft "embraced and extended" when they wrote "their" implementation
of IPSEC.  I was hoping someone had done this and would point out all
the potholes in the road.
I read in detail about the WEP flaws.  15 min. to break RC4 encryption
because their implementation is so flawed, and no infrastructure to
change keys when they have been compromised.  That's why IPSEC is so
important.
Sean

On Thu, 2003-12-18 at 12:19, George Metz wrote:

The problem with this approach is that WEP, the security protocol that 
most Wireless points use, is fairly weak and relatively easily broken. 
If you want to ensure that only authorized users can get in, you kind of 
want to use both WEP (Wired Equivalent Protocol, even though it's not... 
:) ) and something like IPSec for authenticated access to the WAN. 
Otherwise, someone who really wants to can eventually sniff and break 
the encryption, and use your pipe for anything they want.

As a note, if the intended home environment happens to have metal siding 
of any type, this can REALLY kill your ability to use WiFi out in your 
yard. On the other hand, it makes it really difficult for someone to 
pick up your WiFi signal from across the street, as well. Old wiring and 
proximity to a microwave transmission tower can also have all sorts of 
interesting effects.

Remember, if you want to get it set up quick and dirty, set up the DMZ, 
don't worry about the IPSec for now and just go with the built-in 
encryption, and just get her online with a strong caution that anyone 
can drive down the street with a laptop and pick up anything she sends 
across it, so don't send credit cards or other financial data over the 
line. Then, when you've got time, go back and research, then implement 
the IPSec tunnel. WEP should be enough to fend off the simply curious 
for the time being, though turning off the WAP when she's not going to 
be using it might not be a bad idea. (Trips, busy weeks at work, etc.)



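As an added sketch of the layout Andrew describes above (the access point on its own interface and its own Shorewall zone, with nothing permitting that zone to reach the wired LAN), plus the two rules the IPSec-to-Bering idea in George's reply needs, here is a Shorewall 1.4-era configuration. It is not from the thread or from the LEAF project: the zone name `wifi`, the interface `eth2` for the access point, and the exact column layouts are assumptions, and the IPSec side on Bering itself (`ipsec.conf`, keys or certificates) is not shown.

```text
# /etc/shorewall/zones        ZONE   DISPLAY   COMMENTS
net     Net       Internet (cable modem)
loc     Local     Wired LAN
wifi    WiFi      Wireless segment behind the access point

# /etc/shorewall/interfaces   ZONE   INTERFACE  BROADCAST  OPTIONS
net     eth0      detect     dhcp,routefilter,norfc1918
loc     eth1      detect
wifi    eth2      detect

# /etc/shorewall/masq         INTERFACE  SUBNET
eth0    eth1
eth0    eth2

# /etc/shorewall/policy       SOURCE  DEST  POLICY  LOG LEVEL
loc     net     ACCEPT
wifi    net     ACCEPT
loc     wifi    REJECT    info
wifi    loc     REJECT    info
net     all     DROP      info
all     all     REJECT    info

# /etc/shorewall/rules        ACTION  SOURCE  DEST  PROTO  DEST PORT(S)
# Admin access to the firewall from the wired LAN only.
ACCEPT  loc     fw      tcp     22
# IKE (UDP 500) and ESP (protocol 50) from the wireless segment to the
# firewall itself, so a laptop can bring up IPSec to Bering through the
# (bridging) access point. Everything else from wifi to fw is rejected.
ACCEPT  wifi    fw      udp     500
ACCEPT  wifi    fw      50
```

The two `loc`/`wifi` REJECT lines are redundant given the closing `all all REJECT`, but spelling them out makes the isolation visible in `shorewall check` output and keeps it in place if someone later adds a broader policy. Nothing here makes WEP stronger; the wireless segment is simply treated as untrusted, so the only traffic it may send to the firewall itself is IKE and ESP, and anything from the laptop to the wired LAN has to arrive inside the tunnel.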


Re: [leaf-user] CABLE + WIFI + IPSEC + WINDOWS + BERING = ???

2003-12-19 Thread George Metz
Mike,

Not really. Actually, I'd PROBABLY consider using that as an additional 
step, except that IIRC IPSec will handle all the auth. All this is 
really doing is preventing unauthorized users from using your net 
connection, whereas IPSec is actually establishing a tunnel, allowing 
you to send all of your data between the LEAF box and the client in an 
encrypted form.

The real difference is that NoCat is designed to allow folks to login 
and use the hotspot - making it great for a community project where you 
only want to charge a small upkeep fee or only let community residents 
access it (like, say, wireless for an apartment complex). You're still 
going to be sending all of your data in the clear or only using WEP 
encryption though. Which means that anyone with a little free time on 
their hands and a few handy tools is going to be able to pick up 
everything you're sending to the WAP in the first place.

George

Mike Noyes wrote:

On Fri, 2003-12-19 at 10:16, Mike Noyes wrote:

On Fri, 2003-12-19 at 09:24, George Metz wrote:

Yeah, I know. I was more replying to someone else saying that WEP was 
enough. It's clearly not.
George,
Is NoCatAuth/NoCatSplash an acceptable solution to wireless security?
   NoCat
   http://nocat.net/
   
   BTW, do we have a package for this yet?


Additional link:

NoCatSplash
http://nocat.net/wiki/index.cgi?NoCatSplash






Re: [leaf-user] ICSA certification

2004-03-02 Thread George Metz
If I recall correctly, this was looked at in the past and the cost was 
prohibitive, to say the least. A quick poke around on Google isn't 
turning up an amount, but I remember it being significantly more than 
was worth the effort.

Not to mention that ICSA Certification is designed for commercial 
firewall products. That will drive the cost up even more.

Jaime Nebrera Herrera wrote:
  Hi all,

  Does anybody know how much ICSA certification for firewalls can cost? We might 
be interested in certifying a Leaf based firewall and need a gross estimate 
of the money needed :)

  Thanks in advance







Re: [leaf-user] Bering-uClibc Weblet

2004-03-13 Thread George Metz
It depends on which of the three traffic light graphics is red. If it's 
the Firewall light, this means there is probably a bunch of traffic that 
your firewall has rejected.

If you want to see the traffic that is being dropped, click on the 
"shorewall.log" link on the page that tells you there's an error.

I'll warn you, unless you have some experience in reading logs, a lot of 
it is going to look like gibberish. With a little research though, you 
shouldn't have too many problems deciphering it.

Basically, the error is to inform you that you're getting a lot of 
invalid traffic. Depending on your connection type, that could be fairly 
common (cablemodem in an area with a lot of customers) or relatively 
rare (DSL on occasion).

If the Red light/error is for Memory or RamDisk, you're having issues 
with the amount of memory in your LEAF box, and should probably look at 
getting another stick of memory if possible.

joah moat wrote:
I was just wondering if anyone can tell me why I get an "error" (red 
light) when I access weblet.  I cannot find any good documentation for 
weblet.  Is there another tool I can use other than weblet to monitor my 
firewall?










Re: [leaf-user] Playing games through Dachstein

2004-03-19 Thread George Metz
If this is a roleplaying game like Everquest, Asheron's Call, Dark Age 
of Camelot, Horizons, etc. then most likely no configuration will need 
to be done. Most of the massively-multiplayer RPGs out there work on a 
single outbound UDP connection, with multiple inbound UDP connections in 
response. Dachstein and Bering (and even the original, outdated LRP) all 
operate using "loose UDP", meaning that if an outbound UDP connection 
passes through the firewall, and a half-dozen inbound UDP connections 
come back from the same server on nearby ports, it passes them on to the 
originating client.

If the game is Asheron's Call, by any chance, I can confirm that Bering, 
at least, will work out of the box, and I'm reasonably sure that 
Dachstein will as well.

Everquest might be cranky about it - the official website mentions 
setting ZoneAlarm's security setting to Low, which is abysmal practice. 
Dark Age of Camelot is all TCP outbound connections, so there should be 
no issues. Same for Ultima Online. Horizons should work fine out of the 
box. Star Wars Galaxies initiates all the traffic outbound, and none 
inbound, so should be fine. At least Star Wars and Horizons, and 
probably Everquest, want ICMP turned on, though I would try it first 
without it if you have it turned off already.

If it's NOT a Massively Multiplayer RPG, then yes, we definitely need to 
know the game involved at a minimum. Most of the information above - 
except for Asheron's Call - comes from searching on Google for "[Game 
Name] Ports Firewall" without the quotes.



Arnold Wiegert wrote:
Hi,

two of my sons, one at home with his machine behind a Dachstein 
firewall, the other on the other side of the firewall, somewhere on the 
net, want to play a role playing game over the internet.

I've run the firewall for some time, but am still a newbie in many 
respects.

I'm looking for a way to let them play, while keeping up the firewall, 
but am not at all sure how to do it.

Any suggestions would be most welcome and if I need to provide more 
specifics, please let me know. At this point I'm not sure what might or 
might not be relevant :-(

Arnold









Re: [leaf-user] Linux magazine LEAF versus CISCO article?

2004-03-27 Thread George Metz
Looks like Issue 100 (August 2002) of Linux Journal. I'm having a bit of 
difficulty actually pulling it up on their website, however. That might 
be just a slow load... ah, there we go. Just give it a little bit and it 
will come up just fine.

And frankly, having worked with both LEAF (specifically, Bering + 
Shorewall) and Cisco PIXes, a LEAF box is far more powerful, flexible, 
and rugged. Not to mention being cheaper.

Here's a link to the article:

http://linuxjournal.com/article.php?sid=5826

Craig Caughlin wrote:
Hi folks,
Management wants to buy a CISCO PIX firewall because they have no confidence
in a "free" firewall product. I've told them to reconsider and thought it
would help if I could find that article in Linux magazine that compared the
two...but I can't find which month/year it was. Does anyone know which month
and year that was??? Thank you.
Craig







Re: [leaf-user] Linux magazine LEAF versus CISCO article?

2004-03-27 Thread George Metz
To follow up, note that this article is hideously and severely out of 
date; it's still using IPChains, references the old LRP, mentions the 
"Idiot Images", and a few other issues.

You may want to stress that in comparison, but also realize that this is 
comparing the LRP to a Cisco Router, NOT a LEAF Project image to a Cisco 
PIX firewall. PIXen are a totally different animal than a Cisco router - 
not least of which is because their IOS is less capable and flexible - 
and the simple change to the 2.4 Kernel and introduction of Shorewall 
and IPTables completely changes the way LEAF handles stuff compared to LRP.

George Metz wrote:

Looks like Issue 100 (August 2002) of Linux Journal. I'm having a bit of 
difficulty actually pulling it up on their website, however. That might 
be just a slow load... ah, there we go. Just give it a little bit and it 
will come up just fine.

And frankly, having worked with both LEAF (specifically, Bering + 
Shorewall) and Cisco PIXes, a LEAF box is far more powerful, flexible, 
and rugged. Not to mention being cheaper.

Here's a link to the article:

http://linuxjournal.com/article.php?sid=5826

Craig Caughlin wrote:

Hi folks,
Management wants to buy a CISCO PIX firewall because they have no 
confidence
in a "free" firewall product. I've told them to reconsider and thought it
would help if I could find that article in Linux magazine that 
compared the
two...but I can't find which month/year it was. Does anyone know which 
month
and year that was??? Thank you.

Craig









Re: [leaf-user] ISP and DNS issues

2004-03-31 Thread George Metz
Honestly, you should probably NOT be using the root servers. They're in 
general designed to provide updates to other DNS servers on the net, and 
in the case of on-network resources that may not have a publicly 
routable IP address, going to the root server is going to give you an IP 
address that you wouldn't be able to reach anyhow due to the way NAT 
works. Additionally, the root servers don't necessarily know of 
variations that allow you to access servers on your ISP's network that 
are set up in an area you can get to easily.

All in all, you're just probably going to run into more problems using 
those root servers than you ever would by using your ISP's designated 
DNS server.

John Wittenberg wrote:

Thank you all for your valuable time.

Well, I managed to get things working despite my ISP.  I changed 
dnscache to forward my ISPs DNS instead of using the root servers, per 
http://leaf.sourceforge.net/devel/jnilo/dnscache3.html#AEN113.  Now I'm 
able to resolve my mail server, mail.bllvwa.cablespeed.com correctly.  
When I had tried to ping the mail server from XP and failed, this was 
the error message :  Ping request could not find host 
mail.bllvwa.cablespeed.com. Please check the name and try again.

At the moment I'll probably leave well enough alone, but what real 
problems am I going to have by not using the root name servers and 
sticking with the ISP name servers?  As this exercise shows, one benefit 
could be that no matter how bad my ISP messes up the name records, I'll 
always be able to find it.

Thanks again,

John

(Snipped Excess)



Re: [leaf-user] trouble accessing firewall

2004-04-07 Thread George Metz
Step 1: Doublecheck your cable. Try swapping the cable on eth1 for the 
cable on eth0, and vice versa, and see if the lights follow the cables. 
If they do (eth0 dark, eth1 lit) then replace the bad cable.

That's the only thing that leaps to mind, probably because I had the 
same problem with my own 3c509Bs. They're wonderfully solid cards, 
though. Been using mine for four years now.

Dave Rose wrote:

I am standing up a bering firewall and have made it through the 3c509
troubleshooting phase, or so I thought. I am unable to ping the internal
side of the firewall from my other computers.
My hardware
-
486DX4 100Mhz
PCI video card
20MB RAM
Floppy disk
3c509B-TP (I have two of these cards installed in the ISA bus)
Hardware configuration
---
NO Hard drive (controller disabled in BIOS)
NO comm/parallel ports (disabled in BIOS)
Set the 3c509-TP cards to IRQ7,5 and IO addresses of 0x300,0x280 and
disabled the ISA plug and play feature and successfully ran the 3COM
diagnostics function on each card)
Software configuration

1.) downloaded the bering 1.2 software (Windows utility to make the boot
floppy- Bering_1.2_img_bering-1680.exe from
http://download.sourceforge.net/leaf/)
2) downloaded the bering 1.2 modules (Bering_1.2_modules_2.4.20.tar.gz from
http://download.sourceforge.net/leaf/)
3) I booted the floppy I made in the first step and added the 3c509.o
ethernet card driver to /lib/modules
4.) I modified /etc/modules to add the line

3c509

5) I pretty much left /etc/network/interfaces to the default settings since
they are set up initially for the configuration that I am looking for
The problem

Although the system recognizes both cards (IRQs and IO addresses) at
startup, the eth1 interface fails to activate, light up the led on the hub
and can not be pinged from my other workstation on the internal lan. Any
ideas how to proceed would be much appreciated.
Thanks
Dave






Re: [leaf-user] trouble accessing firewall

2004-04-08 Thread George Metz
Really wouldn't matter, just yet, that ping isn't enabled. If he has no 
link light from the LEAF box on his switch/hub, and no light on the 
networking card, then there's an issue that's lower than Layer 3 (IP), 
and probably an issue at Layer 1 (Physical).

After he figures out the reason he doesn't have link, then yeah, the 
firewall issue with ICMP comes into play. :)

Henning Jebsen wrote:

Did you allow pinging to/from the firewall ?
You have to switch it on explicitly in recent versions:
http://www.shorewall.net/ping.html

Greetings !







Re: [leaf-user] Is my NIC the bottleneck?

2004-04-15 Thread George Metz
You shouldn't be, because you were right that there's a bottleneck, you 
just missed what the bottleneck is.

A 768k T-1 or Cablemodem line is going to give you around 
90-95Kbytes/sec on a download, whereas your DSL is only turning out 
around 70Kbytes/sec. The reason for this is pretty straightforward: DSL 
uses ATM connections between the Central Office DSLAM and the ISP's 
router. Since ATM only works in packets 53 bytes large, a packet of 1500 
bytes gets chopped up into a bunch of other packets, each with its own 
control and error markers, and doesn't actually get reassembled until it 
arrives at the DSL modem. It's worse, too, if you've got PPPoE, as that 
adds in its own overhead.

The net result is, if you've got a DSL line of speed X, and a Cable line 
of speed X, then as long as the cable line isn't on an overloaded cable 
node, the cable line will be faster, because it doesn't have to convert 
to a half-dozen different Layer 2/3 Protocols along the way.

Oh, and yes, some DSL modems do have firewall/NAT routers built in these 
days, but they tend not to work too well for gaming applications.

George

Peter Nosko wrote:
pn] Thanks, all.  I'm ashamed that I was unable to do
that math myself.
--- [EMAIL PROTECTED] wrote:

Do you run your DSL modem as a modem only, or does
it do DHCP, DNS and firewall as well?


pn] Not sure what you mean (do DSL modems do all
that?).  My LEAF boxes do the DHCP, DNS and firewall
(and good 'ole routing).
pn] Hey Charles, E2B is still solid.  ;)

=

-
Peter Nosko ([EMAIL PROTECTED])
This is a good place for a tagline.




Re: [leaf-user] shorewall policy question (lots of hits from fw to loc)

2004-04-15 Thread George Metz
The first thing I'd be doing here is NOT asking how to allow these 
packets to pass, but trying to figure out why they're being sent in the 
first place.

If you're using a default Bering install without monkeying with the 
Bering settings, and you're using DHCP, then your gateway should be 
192.168.1.254, and 192.168.1.1 would be a machine on your LAN.

Either way, if you're getting a flood of ICMP packets from anywhere to 
anywhere, it's questionable. I don't know of anything that would 
generate ICMP from a Bering box to anything without user input, at least 
in the basic setup, so a little forensics work would be in order to find 
out what's really going on.

Given the number of worms and virii out there that use ICMP sweeps to 
find vulnerable systems, I'd be hesitant to allow ICMP of any kind. It 
technically breaks RFC standards, but I don't know of anything that it 
actually causes a problem with by doing.

Matt wrote:

hi, i'm new to bering-uclibc and shorewall (but have used lrp and
dachstein).
I'm getting hundreds of icmp "hits" showing up in the shorewall log
between my bering box and one of my local machines.  here's an example:
Jan 1 00:00:00 unity Shorewall:all2all:REJECT: IN= OUT=eth0 MAC=
SRC=192.168.1.1 DST=192.168.1.5 LEN=83 TOS=00 PREC=0x00 TTL=64 ID=29297
PROTO=ICMP TYPE=3 CODE=0
eth0 is my lan interface (192.168.1.1), and ppp0 is the net interface (dialup).  I
think that a solution would be to add the following line to the
shorewall policy, but i have some questions on it...
fw loc ACCEPT
this seems like a very "normal" thing to do, so why is it not set in the
default config?  are there any reasons to not accept these connections
(other than local attacks on the firewall)?
thanks,
-matt






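Both the weblet thread above (where George warns that shorewall.log looks like gibberish at first) and Matt's question here come down to reading the same kind of line. The following Python is an added example, not code from the thread, from weblet or from Shorewall: it parses the netfilter key=value fields behind the `Shorewall:<chain>:<disposition>:` prefix, works out from the empty `IN=` or `OUT=` field whether the firewall generated, received or forwarded the packet, decodes ICMP type and code, and counts repeats. The log text is constructed for the example, modelled on the one line Matt posted; the extra lines and the addresses other than Matt's 192.168.1.x are invented (documentation ranges).

```python
import re
from collections import Counter

# Constructed sample log, modelled on the single line Matt posted; the
# hostname is his, the extra net2all lines and their addresses are invented.
SAMPLE_LOG = """\
Jan  1 00:00:00 unity Shorewall:all2all:REJECT: IN= OUT=eth0 MAC= SRC=192.168.1.1 DST=192.168.1.5 LEN=83 TOS=00 PREC=0x00 TTL=64 ID=29297 PROTO=ICMP TYPE=3 CODE=0
Jan  1 00:00:01 unity Shorewall:all2all:REJECT: IN= OUT=eth0 MAC= SRC=192.168.1.1 DST=192.168.1.5 LEN=83 TOS=00 PREC=0x00 TTL=64 ID=29298 PROTO=ICMP TYPE=3 CODE=0
Jan  1 00:00:05 unity Shorewall:net2all:DROP: IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.20 LEN=48 TOS=00 PREC=0x00 TTL=113 ID=1024 DF PROTO=TCP SPT=3456 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Jan  1 00:00:09 unity Shorewall:net2all:DROP: IN=ppp0 OUT= MAC= SRC=203.0.113.9 DST=198.51.100.20 LEN=28 TOS=00 PREC=0x00 TTL=240 ID=0 PROTO=ICMP TYPE=8 CODE=0
"""

# Shorewall's log prefix is "Shorewall:<chain>:<disposition>:", followed by the
# kernel's own key=value fields for the packet.
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<action>[A-Z]+):\s*(?P<fields>.*)$")

ICMP_TYPES = {0: "echo reply", 3: "destination unreachable", 5: "redirect",
              8: "echo request", 11: "time exceeded"}
UNREACH_CODES = {0: "net unreachable", 1: "host unreachable", 3: "port unreachable",
                 4: "fragmentation needed", 13: "administratively prohibited"}


def parse_line(line):
    """Turn one shorewall.log line into a dict, or None if it is not a Shorewall entry."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "action": m.group("action"), "flags": []}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec[key] = val
        else:
            rec["flags"].append(tok)  # bare tokens such as DF, SYN, ACK
    # Empty IN= means the firewall itself generated the packet (OUTPUT chain);
    # empty OUT= means it was addressed to the firewall (INPUT); both set is FORWARD.
    if rec.get("IN", "") == "":
        rec["path"] = "fw-out"
    elif rec.get("OUT", "") == "":
        rec["path"] = "fw-in"
    else:
        rec["path"] = "forward"
    return rec


def describe_proto(rec):
    """Readable protocol summary, decoding ICMP type/code where present."""
    proto = rec.get("PROTO", "?")
    if proto == "ICMP":
        icmp_type = int(rec.get("TYPE", -1))
        icmp_code = int(rec.get("CODE", -1))
        name = ICMP_TYPES.get(icmp_type, "type %d" % icmp_type)
        if icmp_type == 3:
            name += " (%s)" % UNREACH_CODES.get(icmp_code, "code %d" % icmp_code)
        return "ICMP " + name
    if proto in ("TCP", "UDP"):
        return "%s dport %s" % (proto, rec.get("DPT", "?"))
    return proto


def summarize(log_text):
    """Count entries by (chain, action, path, src, dst, protocol), most frequent first."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["chain"], rec["action"], rec["path"],
               rec.get("SRC", "?"), rec.get("DST", "?"), describe_proto(rec))
        counts[key] += 1
    return counts.most_common()


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG):
        print("%4d  %s" % (n, "  ".join(key)))
```

Run over Matt's line this reports `all2all REJECT fw-out 192.168.1.1 192.168.1.5 ICMP destination unreachable (net unreachable)`, so the firewall itself is the sender and 192.168.1.5 the receiver. Type 3 code 0 is what a Linux router emits when it has no route for a packet it was asked to forward (for example while a dialup `ppp0` is down), so the first place to look is what 192.168.1.5 was trying to reach at the time; whether that is actually Matt's cause is a guess from one line, not a diagnosis.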


Re: [leaf-user] Re: BGP

2004-04-24 Thread George Metz
This is not entirely correct. There is, in fact, an RFC1918 equivalent 
for AS routing numbers, for one. Of course, a private AS should only 
really be used if you're multihoming to two different gateways on the 
same provider network.

Additionally, ARIN only requires that you have a unique routing policy 
that differs from that of your border gateway peers or that you are 
multi-homed, in the sense that you are connected to two or more upstream 
providers - one provider with two gateway locations can be handled, if 
necessary, by a Private AS.

Most likely, the connection size limitation is enforced either by an LIR 
providing the number, or (possibly) the nation's laws, though that would 
be a stretch. RIPE itself only requires that you have your own, 
independently owned address space, that your routing policy is 
consistent and unique in comparison to your peers, that you can't use a 
private ASN, and that you are multi-homed. If you're having issues with 
bandwidth limitations preventing you from getting an AS, bypass the LIR 
and go straight to RIPE (or ARIN, in the States) for it.

Oh, and from experience, Michelle, if you're setting that system up on 
BGP for redundancy purposes, make damned sure that if all the fibre is 
going to the same site that they do not pass through the same locations 
on their way to the upstream providers. It really stinks when your 
redundant connections all die at once because of a power loss at the 
central office.

Michelle Konzack wrote:
On 2004-04-22 23:01:21, William Burns wrote:

I was thinking of building a BGP aware router (W/ only ethernet 
interfaces) and having it communicate w/ the 2 ISPs through the existing 
cisco routers.
I've been told that BGP routers can't do that and that I need a single 
BGP aware router w/ 2 v.35 interfaces on it.
Is that true?
If so, where do I get V.35 interfaces for use w/ LEAF?

I've got 2 T1s w/ two different ISPs (hence the desire to use BGP)
I already have two dinky cisco routers w/ v.35 interfaces.


If you have only two T1's you will never get your AS-Number for 
BGP-Routing. I am planning to do this in Morocco with 4 BGP-4 Routers
(Do not know whether Debian or CISCO) but with much more the OC3's

The minimum is an E3 (34 MBit) in Europe or T3 (45 MBit) in the USA

It is new for me too and I have to learn many things about this.. =8O

Greetings
Michelle




Re: [leaf-user] Re: [leaf-devel] ANN: Bering-uClibc 2.2 beta2

2004-05-11 Thread George Metz
Because not everyone uses Linux on anything but their LEAF box. Heck, I 
DO use Linux, and when I do an upgrade it's usually with WinImage.

K.-P. Kirchdörfer wrote:
Am Dienstag, 11. Mai 2004 20:04 schrieb Marko Nurmenniemi:

K.-P. Kirchdörfer wrote:

Due to new linuxrc "backupdisk" is broken and has been removed.
With scp and dd support it shouldn't be a problem though - will anyone
miss this feature?
I will miss it.


Noted. thx for feedback.


Keep it simple for the common people.
Menu option needs no learning and floppies do break from time to time...


If you build your floppy from baseimage with dd, what's the problem to dd 
your configured floppy back onto your /home - where it will be safer than on 
a second floppy, and backed up?

But if there is demand, we will try to find a solution.

kp



Re: [leaf-user] Dachstein as border_router? (public ip addresses etc)

2004-04-26 Thread George Metz
Don't know about shorewall (which you would have to configure to allow 
VPN traffic to pass through to that specific IP address), but what you 
basically want it to do is substitute for a traditional router. 
Effectively, you'd simply have to turn off NAT and let DNS and the 
public IP addresses do the rest.

I'd probably use Bering or Bering-uClibC instead of Dachstein, which I 
don't think is actively developed any longer. (Charles, please hit me 
with the correction-bat if that's wrong.)

Configuring Shorewall, on the other hand, is pretty straightforward; all 
you need to do is forward the ports you want to hit each device to the 
respective devices, and deny all (probably both ways - loc to net and 
net to loc) on everything else.

Going from memory, the commands would be:

ACCEPT  net  loc:addrPUBB  TCP/UDP*  PortNum

* Whichever protocol is correct.

That would be VPN. If addrPUBC is a Web and FTP server, and addrPUBD is 
a mailserver, then you'd do:

ACCEPT  net  loc:addrPUBC  TCP  http
ACCEPT  net  loc:addrPUBC  TCP  https
ACCEPT  net  loc:addrPUBC  TCP  ftp
ACCEPT  net  loc:addrPUBC  TCP  ftp-data
ACCEPT  net  loc:addrPUBD  TCP  smtp

(Again, please correct me if I've flubbed this.)

The routing itself, any variant of LEAF is going to be able to 
accomplish with ease, as it will be straight vanilla routing without 
even a need for connection tracking, because there's no NAT type stuff 
going on. Shorewall shouldn't be too tough, either, as long as you know 
what needs access where.

Craig Johnson wrote:
Wondering if I can get some help?

I have a static public IP from ISP for an ADSL account (call it
addrISP). We also have our own public IP range. I want to set up a LEAF
box (eg dachstein), which holds the addrISP on one NIC, and one of our
public IP addresses on another NIC. Then it will route all traffic
through to other servers on the public IP addresses. Also there is an
internal network behind one of the other public IP addresses, with a
VPN server attached.
So, two questions:

* what is the best way/distro to set up a LEAF box as this kind of border
router? (I noticed references to border_router options on the dachstein
network.conf documentation page, but haven't been able to find any
substantial documentation about setting one up.)
* how do I also set up the LEAF box so that it can receive VPN server
requests on its IP address (addrISP), but forward those requests to be
served by another firewall server connected to the internal lan?
Diagrammatically, I guess I want something like:

            [Internet]
                |
          eth0 (addrISP)
                |
             LEAF Box
                |
          eth1 (addrPUBA)
                |
     -----------------------------
     |            |             |
 (addrPUBB)   (addrPUBC)   (addrPUBD)
  Server 1     Server 2     Server 3
 (VPN etc)
 (addrPRIVA)
     |
 internal network

Thanks!

Craig

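Written out as complete Shorewall files, the rule set George sketches in his reply looks like the following. This is an added example, not code from the original thread or from the LEAF or Shorewall projects. It assumes the Shorewall 2.x file layout, that eth0 holds addrISP and eth1 holds addrPUBA with the servers on the routed public range behind it, and that addrPUBB, addrPUBC and addrPUBD are placeholders for real addresses. It also assumes the VPN on Server 1 is IPsec (ESP plus UDP 500); for PPTP the two VPN lines would be TCP 1723 plus protocol 47 (GRE). Because the policy denies both directions, the outbound traffic the servers themselves need (DNS lookups and outbound SMTP are shown) has to be opened explicitly as well.

```conf
# ---- /etc/shorewall/zones ----
#ZONE   DISPLAY   COMMENTS
net     Net       Internet side (eth0, addrISP)
loc     Local     routed public range (eth1, addrPUBA and the servers)

# ---- /etc/shorewall/interfaces ----
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      norfc1918,tcpflags
loc     eth1        detect      tcpflags

# ---- /etc/shorewall/masq ----
# Deliberately left empty: the public addresses are routed, not translated.

# ---- /etc/shorewall/policy ----
# Default-deny in both directions; everything permitted is listed in rules.
#SOURCE   DEST   POLICY   LOG LEVEL
loc       net    DROP     info
net       loc    DROP     info
net       all    DROP     info
all       all    REJECT   info

# ---- /etc/shorewall/rules ----
# Replies to accepted connections are matched by connection tracking,
# so only the initiating direction needs a rule.
#ACTION   SOURCE         DEST            PROTO   DEST PORT(S)
# Server 1 (addrPUBB): VPN endpoint, assumed IPsec (IKE on UDP 500, ESP = proto 50)
ACCEPT    net            loc:addrPUBB    udp     500
ACCEPT    net            loc:addrPUBB    50
# Server 2 (addrPUBC): web and FTP. The ftp-data connection is tracked
# as RELATED by the ip_conntrack_ftp helper, so no separate port-20 rule.
ACCEPT    net            loc:addrPUBC    tcp     http,https
ACCEPT    net            loc:addrPUBC    tcp     ftp
# Server 3 (addrPUBD): mail
ACCEPT    net            loc:addrPUBD    tcp     smtp
# Outbound from the public range, opened explicitly because loc->net is DROP
ACCEPT    loc            net             udp     domain
ACCEPT    loc            net             tcp     domain
ACCEPT    loc:addrPUBD   net             tcp     smtp
```

Run shorewall check to validate the files before loading them. If the VPN clients must connect to addrISP itself rather than to addrPUBB (Craig's second question), the two VPN lines become DNAT rules instead of ACCEPT; that is the one place this otherwise NAT-free setup would still translate addresses.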


Re: [leaf-user] LEAF article

2004-04-30 Thread George Metz
Couple of things to let you know about:

Jim Hubbard wrote:

1. What sort of throughput, for instance, could LEAF-Bering theoretically
provide on a Pentium 100 system with edo ram and with 10/100 nics, cables,
and switch, assuming that all other systems connected have unlimited speed?

Check the archives; sometime in the last month or so someone ran some 
throughput tests (or posted old test results from somewhere, not sure 
which) that might give you an idea on this.

2. How does the throughput of a LEAF-Bering system running on hardware X
compare to Cisco switch X?

Different animals; LEAF does routing, firewalling, and DMZ. Switches - 
even Cisco switches, aren't designed to do that. You're generally still 
going to need a switch behind a LEAF box, unless you're going into the 
realms of quad-port NICs and other specialized hardware. What a switch 
will do is allow you to define virtual LANs and prevent unnecessary data 
spewing all over your networks, as well as provide some rudimentary 
filtering based on MAC and IP. A Cisco router is where all the 
firewalling would be done, and on a price/performance ratio - or even on 
a performance ratio - a $200 LEAF box will be way overpowered and blow 
the doors off of most Cisco routers.

3. How does LEAF-Bering compare, overall, to a Cisco switch?

Same as above.

4. What hardware do you run LEAF-Bering on, and what sort of performance do
you get from it?

For me, P3-500, 64MB memory, floppy for configs plus CD boot. And I've 
got WAY more horsepower than I need for the four systems (two 
wireless-connected computers and two ethernet connected) hooked up to 
it. I'm on 3Mbit down, 256k up cablemodem, and I routinely max my line 
out for several hours at a clip without issue - I have actually seen 
3.13 Mbit/sec out of it for about 3 minutes before it drops back down to 
3.01 or so, which I tend to think was just a good minute on my 
cablemodem. With 10Mbit 3Com NICs, I believe there's a practical limit 
of around 5Mbit/sec, but very few people - even in the business world - 
are going to be using 10Mbit NICs with a pipe bigger than 5 Mbit/sec for 
their uplink.





Re: [leaf-user] CISCO 1600 Router Replacment

2004-08-12 Thread George Metz
Chris Lee wrote:
As I don't know how to config CISCO, I use Getif to peek the config via
SNMP.
For Interface, it show:
descr.  ip address
Ethernet0   10.0.108.254/255.255.255.0
203.198.77.78/255.255.240
Ethernet1   172.23.76.154/255.255.255.252
Tunnel5 192.168.79.94/255.255.255.252
I think Ethernet1 is the WAN IP address?? And don't know what is Tunnel5?

Woopsie. Tunnel5 is your default gateway interface. It's either an IPSec 
or PPTP tunnel from your location back to your ISP, and that means a 
couple of things:

1. Your ISP is likely to get grouchy if they don't own the system 
connecting to them via the tunnel;

2. You'll need the information your ISP is using to form the tunnel, 
obtainable probably from the ISP only, especially if you're not familiar 
with configuring a Cisco.

First I want leaf to perform as a normal NAT router for a range of internet ip
addresses
Then, I want to setup SNMP to collect networking performance per ip
Finally, setup QOS for each ip.
Is it possible?

It is, but is there any reason that it HAS to replace the Cisco? LEAF 
would work quite well sitting right behind the Cisco, and while it might 
be a bit redundant, at least you wouldn't have to worry about your ISP 
wanting access to your firewall - something nearly guaranteed to mess it up.

You might get lucky and have a good ISP who would be willing to work 
with you on the subject, so it can't hurt to ask them - you'd need to 
get all the tunnel info anyhow - but from personal experience, most 
commercial internet companies are really leery of letting their 
customers control whatever the inbound side of the line is connected to, 
simply because it makes their lives far harder.



[leaf-user] Zoom CableModem Model 5001 Support?

2004-09-22 Thread George Metz
Anyone know if there's an already-compiled module out there for Bering 
or Bering uClibC for the Zoom Model 5001 PCI cablemodem? There's a 
reference driver up on their website that's distributed under the GPL; 
I'm just wondering if anyone's grabbed it.

I'm looking to buy a new cablemodem, and not only is this the cheapest 
option, but it'll save space on the plugs, power consumption for the 
same, and eliminate one more bit of flashing-LED equipment from the rack.
