Re: [leaf-user] Shorewall log interpretation
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jim Ford wrote:
> Any tips regarding spotting genuine attacks on a Bering UClib box, rather than 'noise'? Are there any 'dead giveaway' ports or IP addresses?
>
> Jim Ford

Jim,

That's hard to answer because the pattern changes over time. What I have noticed is an IP address range scan. An attacker will look for, say, port 21 being open on any IP address in, say, the 10.1.1.0 network. There may be a new security risk for an ftp daemon. The attacker is searching for any ftp services with that vulnerability. If the attacker finds an IP address with the desired service open, then the service on the port may be tested for the known issue. If found, then the attack may begin. The kind of attack depends on the way the exploit has to be executed.

Note that your ISP may be scanning selected ports, so a single port test may not be an attack at all. Your ISP may need to resolve performance problems based on a service that someone is running. Hence, they would range scan all of their IP addresses looking for an open service.

If someone is interested in your box, then you might see your logs full of input DENY messages for most of the common ports with services. Typically the ports are opened in sequential order and they are opened by the same source IP address. nmap is a tool used for these kinds of tests. There's a nice article that explains how nmap is used in the current Linux Pro Magazine http://www.linux-magazine.com/issue/62 . The same information is found on the site used to maintain nmap http://www.insecure.org/ . Once again this may not be an attack, but it is nice to know that all the doors are locked.

Based on this, you have to watch your logs and get a feel for the current activity to find the dead giveaway ports. A serious attacker will spoof the source IP address used in the scan or actual attack. So you won't find any joy there either.
Greg
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFDmSl9xyxe5L6mr7IRApnaAJ987V59OGMJB9YuckFHWSk2Jmi8GQCeLSZs
/m+ElBydKvytbR9aPLZ8IIA=
=U3Jp
-----END PGP SIGNATURE-----

---
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files for problems? Stop! Download the new AJAX search engine that makes searching your log files as easy as surfing the web. DOWNLOAD SPLUNK! http://ads.osdn.com/?ad_id=7637alloc_id=16865op=click
leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/
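An added example, not part of Greg's reply and not a Shorewall tool: a small POSIX sh/awk script that looks for the pattern Greg describes (one source address dropped on many different ports, as opposed to the same port probed repeatedly) in Shorewall kernel-log lines. The log lines are constructed for the example with documentation addresses; the function name scan_sources and the default threshold of five ports are the example's own choices.

```sh
#!/bin/sh
# Added example, not from the thread: report source addresses that were
# dropped on many distinct destination ports in Shorewall log lines.

# Constructed sample log lines (documentation addresses, not real hosts):
# one source sweeps six ports, one source retries port 21 only, one sends
# a single UDP probe.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
Dec  9 10:01:01 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=40 TTL=50 ID=1 PROTO=TCP SPT=44001 DPT=21 WINDOW=1024 SYN URGP=0
Dec  9 10:01:02 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=40 TTL=50 ID=2 PROTO=TCP SPT=44002 DPT=22 WINDOW=1024 SYN URGP=0
Dec  9 10:01:02 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=40 TTL=50 ID=3 PROTO=TCP SPT=44003 DPT=23 WINDOW=1024 SYN URGP=0
Dec  9 10:01:03 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=40 TTL=50 ID=4 PROTO=TCP SPT=44004 DPT=25 WINDOW=1024 SYN URGP=0
Dec  9 10:01:03 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=40 TTL=50 ID=5 PROTO=TCP SPT=44005 DPT=80 WINDOW=1024 SYN URGP=0
Dec  9 10:01:04 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=40 TTL=50 ID=6 PROTO=TCP SPT=44006 DPT=110 WINDOW=1024 SYN URGP=0
Dec  9 10:05:00 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.2 LEN=40 TTL=61 ID=7 PROTO=TCP SPT=51000 DPT=21 WINDOW=5840 SYN URGP=0
Dec  9 10:05:30 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.2 LEN=40 TTL=61 ID=8 PROTO=TCP SPT=51001 DPT=21 WINDOW=5840 SYN URGP=0
Dec  9 10:06:00 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.2 LEN=78 TTL=120 ID=9 PROTO=UDP SPT=137 DPT=137 LEN=58
EOF

# scan_sources LOGFILE [MIN_PORTS]
# Prints "SRC distinct_ports lowest-highest" for each source dropped on at
# least MIN_PORTS (default 5) distinct destination ports. Repeats of the same
# port from the same source count once, so a single-port check is not reported.
scan_sources() {
  awk -v min="${2:-5}" '
    /Shorewall:/ && /DPT=/ {
      src = ""; dpt = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/) src = substr($i, 5)
        if ($i ~ /^DPT=/) dpt = substr($i, 5) + 0
      }
      if (src == "" || dpt == "") next
      key = src SUBSEP dpt
      if (key in seen) next
      seen[key] = 1
      n[src]++
      if (!(src in lo) || dpt < lo[src]) lo[src] = dpt
      if (!(src in hi) || dpt > hi[src]) hi[src] = dpt
    }
    END {
      for (s in n)
        if (n[s] >= min) print s, n[s], lo[s] "-" hi[s]
    }
  ' "$1" | sort
}

# With the default threshold only the port sweep is reported.
scan_sources "$SAMPLE_LOG"
```

Run it against the file the Bering box logs kernel messages to instead of the sample. A source reported with many ports in a short window is the range scan Greg describes; a source that appears with one port, even repeatedly, is the single-port check that may well be the ISP. Greg's last caveat applies to the SRC field too: it is whatever the sender put in the packet.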
Re: [leaf-user] Setting a Leaf machine with the lot (including fries)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Adam Niedzwiedzki wrote:
> Hi all,
> I'm about to jump head first into a little project but I think I need to ask the pros first. I'm setting up a Bering uClibc machine, but I'm not 100% sure it can do it all. I wish to set up zebra (as I just got my AS number and a /24 approved) on the external interface, I have my DMZ that I wish to just have shorewall set up as a bridge, and then I have my internal network which I wish to NAT with shorewall as the firewall.

The first step I would take is to make sure that your hardware and Bering uClibc are squared away. Put the three NICs in the PC that it sounds like you want to use.

> Is it possible to run all of the above on the one machine?

Remember that a 486 is a kick-butt router in Leaf world.

> I know shorewall can handle the bridge/nat stuff, but will zebra play in this mix?

I plead ignorance on the Zebra front. However, I believe a Leaf box will still handle the NAT/DMZ and Zebra just because Leaf runs in memory, etc. There are some interesting links that google found for starters.

http://lists.debian.org/debian-isp/2003/06/msg00186.html
http://www.lathspell.de/linux/uml/
http://www.zebra.org/what.html

I hope this helps,
Greg
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFCddBWxyxe5L6mr7IRAqrCAKCgTOfhBnrKmiX9iV5mPezcHa8lsACeIDgN
y/e0APB8B4EethhhcXALCmk=
=NAUi
-----END PGP SIGNATURE-----
Re: [leaf-user] Required EZ-IPUpdate Client Upgrade Notice
I suppose there's some more good news on this topic? I had sent a followup email to dyndns thanking them for their help with confirming Jacques' package. Vivien sent the response below.

It is not critical that this change be made right away. For one thing, some analysis will have to be done to see if the change would cause problems with other services that ez-ipupdate supports. Moreover, it requires registration and other overhead that may not add much value to the change. I wonder then, if a person would also have to register the ez-ipupdate client modification with all the other services that ez-ipupdate supports?

http://leaf.sourceforge.net/devel/jnilo/ezipupd.html
http://leaf.sourceforge.net/devel/jnilo/ezipupd1.html#AEN6

Greg Morgan

> Thanks. One little thing: if you haven't (I didn't make this clear), can you ask Jacques to change the user agent to something unique (http://www.dyndns.org/developers/ has some guidelines he should look at) that identifies the leaf project so we don't run into this situation again next time someone abuses the ez-ipupdate user agent? If he has any questions about this, tell him to email [EMAIL PROTECTED] and put Attn: Vivien M. in the subject line so I look at it.
>
> Vivien

Reginald R. Richardson wrote:
> Hi Greg, thanks for your alertness. I'm using dyndns and ez-ipupdate for a few years now, and the service is so darn good, I never had problems; I don't even take note of their website. After seeing your e-mail, I trance over to their website, and saw the whole big confusion what's happening over there with the linksys equipment. I immediately downloaded the new version, so me and my 20 clients are all happy now, else what would have been a bacchanal in the next few days, when they had shut us out.
>
> Jacques, once again, thanks for your prompt reply, you have never failed me/us when a new update of a product is needed in .lrp format.
>
> regards
> reggie
>
> > Jacques, Problem solved. I received confirmation from dyndns.org tech support that your package update is working as intended. They also went on to say,
> >
> > ... the version of ez-ipupdate you're using now identifies itself differently from the Linksys version, so you should not have any problems. Note that your account was never dirty or anything like that: the fact that you got this email is simply the result of people embedding clients into things (Linksys, as we discovered the hard way, is not the only company to have done this) and not changing how these clients identify themselves, so we simply have no way to tell the problematic Linksys client apart from other, most likely perfectly acceptable, configurations of ez-ipupdate.
> >
> > Thanks again,
> > Greg Morgan
[leaf-user] Required EZ-IPUpdate Client Upgrade Notice
Has anyone else received an ez-ipupdate client upgrade request from dyndns.org? Most of the message carried on about problems with the Linksys WRT54G router. In a small little paragraph in both the email message and the web page below it talks about version 3.0.11b8 of ez-ipupdate being required. The current Leaf package is at 3.0.11b7, found here http://leaf.sourceforge.net/devel/jnilo/. Interesting! Linksys is causing all the problems.

I was sent the notice on 12/5/2003 at 17:03. The message goes on to say "Due to the problems caused by earlier versions of this router, we will be blocking all access by them to our systems on or after Monday, December 8th, 2003." I am disappointed that dyndns.org isn't providing more time to solve this problem.

I haven't established a compile environment for LEAF. Would someone please create a new ezipupd.lrp package with version 3.0.11b8 found here http://www.gusnet.cx:8080/proj/ez-ipupdate/dist/ez-ipupdate-3.0.11b8.tar.gz ?

Thanks,
Greg Morgan

http://www.dyndns.org/news/releases/archives/2003/11/288.html
> ... Conclusions ...
> ...This block will also impact a small number of customers running Angus Mackay's ez-ipupdate client, version 3.0.11b7 - if you are running that client, you should download and install the latest version (3.0.11b8) from the author's site, as that version will not be impacted.
Re: [leaf-user] Required EZ-IPUpdate Client Upgrade Notice
Jacques Nilo wrote:
> On Saturday 6 December 2003 09:37, Greg Morgan wrote:
> Updated. http://leaf.sourceforge.net/devel/jnilo/packages/ezipupd.lrp
> Jacques

Thanks for your quick response Jacques.

If anyone else has to update to this version, perform the following steps. It works because there are no structural changes to the configuration file.

# Mount your floppy.
mount -t msdos /dev/fd0 /mnt
# Back up your current settings.
cp /etc/ez-ipupd.conf /mnt
# Unmount the diskette.
umount /mnt
# Copy the new package to your diskette using your favorite technique.
# Mount your floppy.
mount -t msdos /dev/fd0 /mnt
# Install the new package from the diskette.
cd /mnt
lrpkg -i ezipupd
# Put your settings back in /etc.
cp /mnt/ez-ipupd.conf /etc
# Unmount the diskette.
umount /mnt
# Use lrcfg and follow the menu prompts to back up the new lrp package.
lrcfg

Thanks again, Jacques
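An added example that wraps the steps above into one shell function; it is not Jacques' package or LEAF's own tooling. It backs up the config, runs whatever install command it is given, and puts the saved file back only if the install overwrote it, verifying the result with cmp. The install command is a parameter so the function can be exercised with a constructed fake installer; on a Bering box, with the floppy mounted, the call would be `upgrade_keep_conf /etc/ez-ipupd.conf /mnt lrpkg -i ezipupd`.

```sh
#!/bin/sh
# Added example, not from the thread: the backup/install/restore sequence
# as one function, with the checks that make it safe to repeat.

# upgrade_keep_conf CONF BACKUP_DIR INSTALL_CMD...
#   1. copy CONF into BACKUP_DIR (refuses to run if CONF is missing)
#   2. run INSTALL_CMD (the package install, which may overwrite CONF)
#   3. copy the saved file back only if the install changed or removed CONF
# Returns 0 on success, 1 if the config was missing, 2 if the install
# failed (config left untouched), 3 if the restored file does not match.
upgrade_keep_conf() {
  conf=$1; bak=$2; shift 2
  [ -f "$conf" ] || { echo "no config at $conf" >&2; return 1; }
  cp "$conf" "$bak/" || return 1
  saved="$bak/$(basename "$conf")"
  "$@" || { echo "install failed, saved copy kept at $saved" >&2; return 2; }
  if [ ! -f "$conf" ] || ! cmp -s "$conf" "$saved"; then
    cp "$saved" "$conf"
  fi
  cmp -s "$conf" "$saved" || return 3
  return 0
}

# Constructed demonstration: a throw-away config, a directory standing in
# for the mounted floppy, and a fake installer that clobbers the config
# with the package's shipped default, as a real install might.
DEMO=$(mktemp -d)
printf 'host=example.invalid\nuser=me\n' >"$DEMO/ez-ipupd.conf"
mkdir "$DEMO/floppy"
fake_install() { printf '# default config shipped with package\n' >"$DEMO/ez-ipupd.conf"; }
# Usage: upgrade_keep_conf "$DEMO/ez-ipupd.conf" "$DEMO/floppy" fake_install
```

The return codes are distinct on purpose: a failed install must not trigger the restore step, because the old package and the old config are then still the consistent pair on the box.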
Re: [leaf-user] Required EZ-IPUpdate Client Upgrade Notice
Jacques,

Problem solved. I received confirmation from dyndns.org tech support that your package update is working as intended. They also went on to say,

> ... the version of ez-ipupdate you're using now identifies itself differently from the Linksys version, so you should not have any problems. Note that your account was never dirty or anything like that: the fact that you got this email is simply the result of people embedding clients into things (Linksys, as we discovered the hard way, is not the only company to have done this) and not changing how these clients identify themselves, so we simply have no way to tell the problematic Linksys client apart from other, most likely perfectly acceptable, configurations of ez-ipupdate.

Thanks again,
Greg Morgan
[leaf-user] Re: leaf-user digest, Vol 1 #1693 - 4 msgs
[EMAIL PROTECTED] wrote:
> From: Markus Koelle [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Date: Sun, 30 Mar 2003 09:03:45 +0200
> Subject: [leaf-user] timezone in uClibc-Bering 1.1
>
> I need correct CET and CEST (summer time) on my Bering-uClibc 1.1 router. What is the correct value of /etc/TZ for CET and CEST?
> Regards
> Markus

Markus,

Try http://lrp.steinkuehler.net/files/kernels/zoneinfo/. I would think that you could use these time zone files on Bering too. KP has a timezone package located at http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/leaf/devel/kapeka/packages/tz.lrp.

Greg Morgan
Re: [leaf-user] Problem adding internal networks in Dachstein
Pär Johansson wrote:
> Hi
> I'm running Dachstein CD 1.0.1 on a 166 Pentium with 32 MB RAM and it's been working great. I have some VPN tunnels using IPsec and TinyDNS running. But now I want to add three more internal networks. I added the cards and the modules, no problem, eth3 reports a transceiver problem but I guess that is because it's not hooked up to any network. Then I added this to network.conf:

Right above your ethx_xxx variables you missed setting the IF_AUTO variable. Like so:

# Start pppd PPP interfaces first as pppd's use of DNS can delay startup.
#
# Interfaces to start on boot go here - ie ppp0 eth0
# Do NOT include interfaces configured by dhcp!
IF_AUTO="eth1 eth2 eth3"

Notes earlier in the file say this:

# IF_AUTO Default: eth0
# A space separated list of interfaces that get started on boot. Tunneling
# interfaces like CIPE should be after the raw interfaces they depend on.
# The interfaces are started in the order they occur on the list, and are
# shutdown in the reverse order of IF_LIST.

> eth2_IPADDR=192.168.20.254
> eth2_MASKLEN=24
> eth2_BROADCAST=+
> eth2_ROUTES=
> eth2_IP_SPOOF=YES
> eth2_IP_KRNL_LOGMARTIANS=YES
> eth2_IP_SHARED_MEDIA=NO
> eth2_BRIDGE=NO
> eth2_PROXY_ARP=NO
> eth2_FAIRQ=NO
> snip

Regards,
Greg Morgan
Re: [leaf-user] wisp-dist - running mail from POSIXness script fromcron not working
Jeff Rhue wrote:
> I am trying to have the mail procedure in the POSIXness script send me an email via cron. If I run mail from the command shell or directly from a script it works fine, but when it is run in a script that is run by cron it does not. I can see the mail processes using 'ps' but no mail is ever sent. Any ideas on this?
> J.

Jeff,

You were the person that finally helped me document all files for making email work from cron. This question comes up every once in a while. It came up for me around July of 2002. I had to set up a remote LEAF box and wanted to see the logs from the firewall. So with the scripts documented by
http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/*checkout*/leaf/devel/dr_kludge/email/00readme.txt?rev=HEADcontent-type=text/plain
you can solve your cron email problem, send your IP address to yourself in email, or email your firewall logs. The modifications support sending the logs and IP address to several system admins, if you need the functionality. The other files are at:

http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/*checkout*/leaf/devel/dr_kludge/email/POSIXness.conf?rev=HEADcontent-type=text/plain
http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/*checkout*/leaf/devel/dr_kludge/email/POSIXness.mail?rev=HEADcontent-type=text/plain
http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/*checkout*/leaf/devel/dr_kludge/email/dhclient-exit-hooks?rev=HEADcontent-type=text/plain
http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/*checkout*/leaf/devel/dr_kludge/email/ipmail?rev=HEADcontent-type=text/plain
http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/*checkout*/leaf/devel/dr_kludge/email/lrp.conf?rev=HEADcontent-type=text/plain
http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/*checkout*/leaf/devel/dr_kludge/email/multicron-d?rev=HEADcontent-type=text/plain

I wrote this information up yesterday. I reviewed it tonight. However, there still may be some rough edges. Please let me know if you need any more assistance or where the document needs clarification.

I hope this helps,
Greg Morgan
[leaf-user] Gigabit Router/Switch
The local computer store has some gigabit ethernet cards on sale. I was wondering if I could buy, say, three of these cards and create a high speed gigabit switch with either Dachstein or Bering? If I take the bottom range of the static list of IP addresses reserved for servers in the LEAF world, i.e. 192.168.1.200, 192.168.1.201, and 192.168.1.202, then I think I would be able to make the gigabit router/switch.

This is a new area for me so I'd like any pointers people can provide me. One area that looks like I should try is bridging http://bridge.sourceforge.net/docs/bridge.html. But where would proxy arp come into play?

I am looking through the Dachstein network.conf file and http://leaf.sourceforge.net/devel/cstein/files/packages/network.txt.

IPFILTER_SWITCH=router

IPFWDING_KERNEL = NO
It sounds like this should be turned off.

IPALWAYSDEFRAG_KERNEL = NO

Thanks,
Greg Morgan
Re: AW: [leaf-user] Public key authentication and root
Alex Rhomberg wrote:
> snip
> On our LEAF boxen, we allow direct root login, but only using pubkey auth. I move the public key file to a central location with the sshd_config lines
>
> PermitRootLogin yes
> AuthorizedKeysFile /etc/ssh/pubkeys/%u.pub
> PasswordAuthentication no
>
> Then I concatenate the public keys of all persons that are allowed access to the fw in /etc/ssh/pubkeys/root.pub
> This way, I don't have to share secret information (the root pw)
> - Alex

Alex,

Thanks for your insight. Yep. I had a lot of bad ideas trying to get to the answer. For as good as google is, I was amazed that it did not find something. But then I should have read the man page instead of relying completely on google!

Thanks,
Greg Morgan
RE: [leaf-user] Dachstein Config, HW Issue or Comcast Download Cap?Approx 2MB dl Limit
Todd Pearsall wrote:
> Tonight I'll:
> 1) test the memory

Try http://www.memtest86.com/ for testing memory. There is both a diskette and a cd-rom test program. Just put it on a disk and reboot.

> 2) try an alternate driver for the Linksys NICs
> 3) try different NICs

Greg Morgan
Re: [leaf-user] Bering DMZ set-up questions
Tom Eastep wrote:
> --On Saturday, January 11, 2003 05:21:22 PM -0800 Craig Caughlin [EMAIL PROTECTED] wrote:
>
> > Hi folks! I have carefully read Tom's Shorewall guide, but have a couple of questions. First, when you set up a DMZ with Bering / Shorewall, are boxes within the DMZ completely unprotected in that they have no ipchain rules, etc. that protect them (even if to only a small degree)...or are boxes in the DMZ pretty much completely open to attack?

I believe you have been pointed to some good documentation to answer your question. One thing I have done in practice is to use double protection. I use a DMZ to shield public and private parts of a network using the firewall. The DMZ can route traffic to a particular server. Since I use Red Hat Linux quite a bit, I also use the Red Hat firewall on individual machines in the DMZ. For example, if the server's sole purpose is to be a Secure Shell server, then I only allow that port open on that server in the DMZ. It helps protect you should you make a mistake elsewhere.

I learned how important this is from reading defacements on attrition.org and alldas.de. I am not even sure if the defacement archives are around anymore. What caught my eye was the number of servers that were compromised because, say, samba, mysql or some other less secure service was available on the machine to the hostile Internet. Here's an example of what I am talking about http://www.redhat.com/docs/manuals/linux/RHL-8.0-Manual/custom-guide/ch-basic-firewall.html as far as using a firewall on the server. You can use this technique with other distributions, firewalls, or other operating systems too.

I hope this idea helps. Do what makes your level of paranoia feel comfortable. ;-)

Greg Morgan

> Please CAREFULLY read the material referenced below -- this question is answered.
>
> > Second, I noticed that Tom has made a three-interfaces.tgz file that (apparently) has all of the necessary files / modifications within it. Is that really all I need to do to set up a basic DMZ?, i.e. copy the files within the .tgz package over to Bering and backup?...that sort of thing? Thank you, have a great weekend!
>
> Craig,
>
> For a basic DMZ setup, you should be looking at http://www.shorewall.net/three-interface.htm. The Shorewall Setup Guide (http://www.shorewall.net/shorewall_setup_guide.htm) is for users with multiple public IP addresses or those who really want to understand what's going on and who don't want to use the sample configurations. This is hopefully made clear at http://www.shorewall.net/shorewall_quickstart_guide.htm.
>
> -Tom
> --
> Tom Eastep      \ Shorewall - iptables made easy
> Shoreline,       \ http://shorewall.sf.net
> Washington USA    \ [EMAIL PROTECTED]
[leaf-user] Public key authentication and root
I have used public key authentication before as described by http://the.earth.li/~sgtatham/putty/0.53b/htmldoc/Chapter8.html#8. The user's passwords were never enabled on the host. A public key part of public/private key had to be supplied by each user desiring access to the host.

What bothers me is that root has to have a password. All the other users are using public key authentication, but poor old root is just hanging out in the breeze. I could not find a way to turn on public key authentication for root. I played with /etc/securetty. I wanted to disable remote access by root but allow another user to use a public key to access the server, then su to root. One problem arises if I disable root's password: then the console of the server is useless. At times a person still has to log on at the server as root, but public key authentication is not available there.

My google searches produced RFCs, etc., but nothing meaningful. Has anyone tried this? Is there too much paranoia here? Should I just be happy that the whole session for root is encrypted? Or has someone done this, but I am approaching it in the wrong manner? Any thoughts or pointers would be appreciated.

Greg Morgan
Re: [leaf-user] Public key authentication and root
Brad Fritz wrote:
> Greg,
>
> On Mon, 13 Jan 2003 17:45:09 MST Greg Morgan wrote:
> > I have used Public key authentication before as described by http://the.earth.li/~sgtatham/putty/0.53b/htmldoc/Chapter8.html#8. The user's passwords were never enabled on the host.
> snip
> > A public key part of public/private key had to be supplied by each user desiring access to the host.

hhhummm I guess that was not written well. Yep, first the user configures the public key in $HOME/.ssh/authorized_keys on the server they will connect to (i.e. "public key...supplied by each user desiring access..."). ssh/OpenSSH asks the user to prove themselves with their private key stored on the client computer.

> You mean private key, right? The user signs a challenge with her private key and the host authenticates it using her public key (stored in $HOME/.ssh/authorized_keys for OpenSSH).
> snip
> If by remote you mean ssh, you can do that with OpenSSH and the PermitRootLogin option (man sshd_config for details). You can also control whether password authentication is allowed with the PasswordAuthentication option.
> snip
> I think the most popular approach is to disable root access in ssh and any other remote access programs you run (telnet, ftp, vnc, etc). If you really want to disable root console access via passwords, you probably can via PAM on a full *nix distro or *possibly* by setting the root password to an asterisk. The /etc/shadow approach seems pretty drastic to me for most situations. In many installs console access equates to physical access and at that point there's not much you can do to stop a determined attacker. You might also be able to affect root logins via grsecurity (or other) ACL systems too, but I haven't done enough research to know for sure.
>
> Anyhow, that's my two cents.
>
> --Brad

Brad,

Thanks for your answer. It was a very valuable two cents. :-) With your patience you pieced together what I was struggling to find. PermitRootLogin was what I was searching for. I was stuck on /etc/securetty and how it is related to SSH/OpenSSH. Again, thanks for the helping hand up.

Greg Morgan
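An added example, not from either of the public-key threads on this page and not OpenSSH's own tooling: a POSIX sh/awk audit that reads an sshd_config the way sshd does (keywords are case-insensitive, comments are skipped, the first occurrence of a keyword wins) and reports whether root can still log in with a password, which is the combination of PermitRootLogin and PasswordAuthentication that Brad and Alex discuss. Two sshd_config files are constructed inline; the hardened one carries the three lines from Alex Rhomberg's reply earlier on this page. The function names sshd_setting and audit_sshd are the example's own.

```sh
#!/bin/sh
# Added example, not from the thread and not OpenSSH's own tooling:
# resolve sshd_config keywords the way sshd does and flag root-with-password.

# sshd_setting FILE KEYWORD
# Prints the effective value of KEYWORD: keywords are case-insensitive,
# comment and blank lines are skipped, the FIRST occurrence wins (sshd
# ignores later duplicates), and parsing stops at a Match line because
# values inside a Match block are conditional. Prints nothing if unset.
sshd_setting() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[ \t]*(#|$)/ { next }
    {
      k = tolower($1)
      if (k == "match") exit
      if (k == key) {
        sub(/^[ \t]*[^ \t]+[ \t]+/, "")   # drop the keyword, keep the value(s)
        print
        exit
      }
    }
  ' "$1"
}

# audit_sshd FILE
# One finding per line. Returns 1 when root can log in with a password.
audit_sshd() {
  f=$1; rc=0
  prl=$(sshd_setting "$f" PermitRootLogin)
  pa=$(sshd_setting "$f" PasswordAuthentication)
  akf=$(sshd_setting "$f" AuthorizedKeysFile)
  if [ -z "$prl" ]; then
    echo "WARN: PermitRootLogin not set; the compiled-in default applies"; prl=unset
  fi
  if [ -z "$pa" ]; then
    echo "WARN: PasswordAuthentication not set; the compiled-in default applies"; pa=unset
  fi
  case "$prl" in
    no) echo "OK: root cannot log in over ssh (PermitRootLogin no)" ;;
    without-password|prohibit-password)
      echo "OK: root limited to key-based login (PermitRootLogin $prl)" ;;
    *)
      if [ "$pa" = no ]; then
        echo "OK: root allowed, but only with a key (PasswordAuthentication no)"
      else
        echo "WARN: root can log in with a password (PermitRootLogin $prl, PasswordAuthentication $pa)"
        rc=1
      fi ;;
  esac
  if [ -n "$akf" ]; then echo "INFO: authorized keys read from $akf"; fi
  return $rc
}

# Constructed sshd_config files for the demonstration.
WEAK=$(mktemp)
cat >"$WEAK" <<'EOF'
# Password logins left on; the later "no" is ignored because sshd keeps
# the first value it reads.
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no
EOF

HARDENED=$(mktemp)
cat >"$HARDENED" <<'EOF'
# The three lines from Alex's reply (keyword case does not matter); the
# Match block's value applies only to the matching user, so it is ignored.
permitrootlogin yes
AuthorizedKeysFile /etc/ssh/pubkeys/%u.pub
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
EOF
# Usage: audit_sshd "$WEAK"; audit_sshd "$HARDENED"
```

When no PermitRootLogin or PasswordAuthentication line is present the script says so rather than guessing, because the compiled-in default has changed between OpenSSH releases. On releases that have it, `sshd -T` prints the effective configuration and is the authoritative check. `PermitRootLogin without-password` (spelled `prohibit-password` in newer releases) gives the same key-only root login as Alex's combination while also surviving a later `PasswordAuthentication yes` for other users.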
Re: [leaf-user] Drivers for 3C509B
Brad Fritz wrote:
> On Fri, 10 Jan 2003 19:37:25 GMT jtpian0 wrote:
> > I posted a few weeks ago about a problem I was having getting Bering to recognize my NICs. I was using the wrong module! (stupid me..) Anyway, I loaded the 3c509.o module from Jacques' site using the 2.4.20 version and am still having trouble. Are there any other needed modules? Both NICs are ISA and I've configured them using the DOS config program from 3Com. Is there anything I'm missing? When I try to insmod I am getting an error message.
>
> Are you running a 2.4.20 kernel? I think the stock Bering stable image still uses 2.4.18. If you have 2.4.18, you need the 2.4.18 3c905.o module. (uname -a will tell you what kernel version you have if you don't know.)

I think Brad makes a good point jtpian0. I just put Bering stable on a floppy and it is using the 2.4.18 kernel. If the 2.4.18 3c509.o module still does not work, try the ne.o module. Most ISA cards were NE2000 compatible because Novell was the dominant network player at the time of the ISA bus. I seem to recall that I only used ne.o on either of the Linksys or Netgear ISA cards that I used several years ago.

http://leaf.sourceforge.net/devel/jnilo/bering/latest/modules/2.4.18/kernel/drivers/net/ne.o

Greg Morgan
Re: [leaf-user] Mail Questions
Gary St wrote:
> Hello Everyone. I'm using Eigerstein 2.2.16 and when I try to send mail with command:
> mail -s test [EMAIL PROTECTED] somefile
> I get back:
> Error: Unknown response.
> RSET
> 0: Aborting due to connection error
> Killing child processes: 2736 2739
> with nothing in the logs. Any ideas why this is happening.

There is one of two problems. The first is that you need an updated POSIXness mail file. Once that script is in place, then you need to have the settings configured correctly. Otherwise, I recall that you will receive the same error type. Look on this page under grep in the table for instructions.
http://lrp.steinkuehler.net/files/packages/Utilities
The POSIXness file is here.
http://lrp.steinkuehler.net/files/packages/Utilities/grep

I just retired an Eigerstein system after 18 months of uptime in December 2002. The floppy died on reboot after a power outage. I'd highly recommend upgrading to Dachstein floppy or CD. As the utilities page points out, the updated POSIXness script is already included in the newer releases.

Greg Morgan
Re: [leaf-user] qmail.lrp
PASI RAUHANIEMI wrote:

> When starting Qmail my logs are filling with:
>
>   @40003e15f63d11f54464 alert: cannot start: unable to open mutex
>
> What's that error?

OK, so I had to look up mutex. mutex = semaphore = lock file. Dictionary.com reports:

  A mutual exclusion object that allows multiple threads to synchronise access to a shared resource. A mutex has two states: locked and unlocked. Once a mutex has been locked by a thread, other threads attempting to lock it will block. When the locking thread unlocks (releases) the mutex, one of the blocked threads will acquire (lock) it and proceed. If multiple threads or tasks are blocked on a locked mutex object, the one to take it and proceed when it becomes available is determined by some type of scheduling algorithm. For example, in a priority based system, the highest priority blocked task will acquire the mutex and proceed. Another common set-up is to put blocked tasks on a first-in-first-out queue.

Many services use lock files to make sure that once a process has been started another one is not started. I have no experience with Qmail. I can offer what I found in google. Perhaps there is a problem with the leaf implementation of qmail?

http://www.ornl.gov/cts/archives/mailing-lists/qmail/2000/03/msg00355.html
snip

  [root@saturnin smtp]# ls -l /var/qmail/queue/lock
  total 1
  -rw-------   1 qmails   qmail        0 May 13  1999 sendmutex
  -rw-r--r--   1 qmailr   qmail     1024 Mar  8 14:57 tcpto
  prw--w--w-   1 qmails   qmail        0 Mar  8 14:57 trigger

  However, you need to recompile qmail with changed uids. No exception. qmail-send is running under a uid of qmails; it must be able to open the sendmutex file above...
snip

http://www.vmlinuz.ca/archives/mdkqmail/2002-11/msg00033.html
snip

  Does /var/qmail/queue exist?

  @40003dd80fb10c88e684 alert: cannot start: unable to open mutex
  @40003dd80fb20e549634 alert: cannot start: unable to open mutex
  @40003dd80fb3131f7454 alert: cannot start: unable to open mutex
  @40003dd80fb4118dbc7c alert: cannot start: unable to open mutex

  I am assuming here that your queue directory doesn't exist. The only thing about mutex that I see there is a file /var/qmail/queue/lock/sendmutex. Does that file exist?
snip

OK, please do the following on your leaf box and report back to the list:

What leaf distro are you using?
What version of qmail are you using?

  cd /var/qmail
  ls -l

What are the results?

  cd /var/qmail/queue/lock
  ls -l

What are the results?

I am speculating that there is either:
 - a problem with the package implementation, i.e. the correct directories--queue, lock--do not exist, etc.
 - a possible problem with a backup of the package
 - based on the above googling, the package was compiled on one library and is being run on another leaf distro with other C libraries
 - the user ids and group ids don't match what is compiled in the leaf qmail package.

I hope this starts you toward a resolution of your problem.

Greg Morgan
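An added example, not code from the thread, that runs the checks Greg asks for in one go: it walks the layout quoted above (/var/qmail/queue/lock/sendmutex) and reports which of the speculated causes applies (missing queue or lock directory, missing mutex file, mode bits that stop the owner opening it, or a uid that does not match the one qmail-send runs as). The temp-dir layout it builds for the demo is constructed here; the uid value is an assumption the caller supplies.

```python
import os
import stat
import tempfile

# Layout taken from the ls -l listing quoted in this thread: qmail-send runs as
# the qmails uid and must be able to open /var/qmail/queue/lock/sendmutex.
QUEUE_DIR = "queue"
LOCK_DIR = "lock"
MUTEX_FILE = "sendmutex"


def check_qmail_queue(root="/var/qmail", send_uid=None):
    """Return a list of problems that would make qmail-send report
    'unable to open mutex'; an empty list means the layout looks sane.

    send_uid is the numeric uid qmail-send runs as (qmails on a stock
    install); None skips the ownership check.
    """
    problems = []
    queue = os.path.join(root, QUEUE_DIR)
    lock = os.path.join(queue, LOCK_DIR)
    mutex = os.path.join(lock, MUTEX_FILE)

    # Each check depends on the previous one, so stop at the first missing piece.
    if not os.path.isdir(queue):
        return [f"queue directory missing: {queue}"]
    if not os.path.isdir(lock):
        return [f"lock directory missing: {lock}"]
    if not os.path.isfile(mutex):
        return [f"mutex file missing: {mutex}"]

    st = os.stat(mutex)
    mode = stat.S_IMODE(st.st_mode)
    # qmail-send opens the mutex for writing; the quoted listing shows 0600 (-rw-------).
    if not (mode & stat.S_IRUSR and mode & stat.S_IWUSR):
        problems.append(f"{mutex}: owner cannot read/write it (mode {oct(mode)})")
    if send_uid is not None and st.st_uid != send_uid:
        problems.append(
            f"{mutex}: owned by uid {st.st_uid} but qmail-send runs as uid {send_uid}")
    return problems


def current_uid():
    """Uid of the running process; stands in for qmails in the demo (POSIX only)."""
    return os.getuid()


def make_sample_layout(with_queue=True, with_lock=True, with_mutex=True, mode=0o600):
    """Build a constructed /var/qmail look-alike under a temp dir and return its root."""
    root = tempfile.mkdtemp(prefix="qmail-demo-")
    queue = os.path.join(root, QUEUE_DIR)
    lock = os.path.join(queue, LOCK_DIR)
    if with_queue:
        os.mkdir(queue)
        if with_lock:
            os.mkdir(lock)
            if with_mutex:
                mutex = os.path.join(lock, MUTEX_FILE)
                open(mutex, "w").close()
                os.chmod(mutex, mode)
    return root


if __name__ == "__main__":
    # Demo on constructed layouts: one complete, one missing the lock directory.
    for root in (make_sample_layout(), make_sample_layout(with_lock=False)):
        print(root, check_qmail_queue(root, send_uid=current_uid()) or "looks sane")
```

On a real box run check_qmail_queue("/var/qmail", send_uid=<uid of qmails>) as root, since the queue directories are not world-readable.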
Re: [leaf-user] Re: possible GPLed e1000 module source (was: Intel PRO/1000 (e1000) module...)
Stefan Engel wrote:

> Because these drivers are fairly old, I didn't try the ones from these distros.

Depending on the libraries compiled with the drivers of your various distributions, my idea of borrowing the driver from one of them and using it on Bering might not have worked.

> Instead I used the e1000 driver module (v4.3.15) mailed to me by Jacques Nilo (Thanks). If anyone needs this driver too, please drop me an email. Because this driver is now available under GPLv2 and can also be found in upcoming kernel releases, maybe the module will also be available in the next Bering release candidate.

Hopefully Jacques will place it in his development area for download.

> BTW, according to the sources/diffs of kernel-2.4.20-rc1, the e1000 driver v4.4.12 is included there, an even newer version than the one on sourceforge.

This concurs with an email Intel sent back to me. The sourceforge site was put up as an announcement. Development on the e1000 driver is handled on the NetDev mail list ([EMAIL PROTECTED]) or through this Intel address ([EMAIL PROTECTED]).

<Snicker> The scyld.com site updated their website with this at http://www.scyld.com/network/#gigabit:

  # Intel Pro/1000 Gigabit. Contact Intel directly for the Linux driver for their gigabit card. They have an e1000 driver distributed under license terms that have changed over time.

Greg Morgan
Re: [leaf-user] Need help getting Intel PRO/100 S Desktop Adapter recognized.
[EMAIL PROTECTED] wrote:

> The PCI bus is scanned properly under RedHat 7.2 and works fine. I don't think that is it. In fact the dmesg output looks ok to me and is almost the same under redhat and bering rc4, except for the PCI stuff that is. I have disabled the realtek card.

OK, I have a wild idea based on a troubling experience I had two weeks ago. Oracle has just created bug 2652798 on their Oracle Lite product. I had two identical servers at work. One had more memory than the other. The Compaq server with less memory displayed the Mobile Server webtogo site in Oracle Lite properly. The production server with over 1405MB would not serve the webtogo site up. Apache just hung on the page. Go figure! I lost a week on the project until I took some memory out. :-(

I don't have time to try it now, plus I'd have to try the Bering distribution, but my ECS board below has sockets for both PC133 and PC2100 memory. PC2100 memory is faster, and perhaps requires a different bus architecturally in the kernel. (That was the best speed increase in a computer that I have seen in a while when I switched from PC133 to PC2100 on this motherboard. YaDa YaDA.) So my proposal is to try and boot Bering on this motherboard, presuming it would fail to recognize the Ethernet cards. Switch back to PC133 and boot Bering again, presuming it would recognize the Ethernet cards. If this proves to be true, then perhaps there are kernel options to recognize PC2100 and the newer PC2700 memory. Perhaps Red Hat has compiled them into the kernel? Perhaps Bering would have to compile them in? (H PC2700 memory bus speeds at 333MHz. What a concept!?)

> On Fri, 01 Nov 2002 20:39:16 -0700 Greg Morgan [EMAIL PROTECTED] wrote:
>
> > Jeff Greer wrote:
> >
> > > It would appear to be a CPU issue. I am running an AMD 1700+ with 128MB DDR 2100 RAM.
> >
> > For what it's worth, many of these boards have lots of on-board extras. My Elitegroup ECS K7S5A, which sounds like yours, has both a Realtek ethernet and AMR devices onboard. I disabled them. Ummm...I go for cheap any more on components, which the ECS falls under. So far I've had no problems. Any chance the PCI bus is bad on the motherboard?
> >
> > Greg Morgan
Re: [leaf-user] Intel PRO/1000 (e1000) module for Bering?
OK, I received a response from Intel support services, to which I am blind copying my response. Here's a summary of what has happened. Essentially, the http://www.scyld.com/network/ site has provided us with a red herring complete with a shrubbery. This is no longer a correct statement, though it was correct at one time:

  * Contact Intel directly for the Linux driver for their gigabit card. They have a non-GPL driver. Because of the license conflict this driver may not be pre-linked or pre-patched into the Linux kernel.

The scyld gigabit page needs to be updated based on the following paragraph.

At one time the Intel e1000 drivers were FreeBSD licensed and could not be included in a Linux kernel because of the GPL license. e1000 code is now licensed under GPLv2. Though he did not say, the Source Forge site Brad found is probably where they run the e1000 project from now. Moreover, the code is in the 2.4.20 kernel and many of the 2.5 kernels. It was recommended that the 2.4.20-rc1 kernel be used for a driver. This version will look almost like the next release of the driver. In tribute to Halloween, there were some scary bugs in the prior versions of the driver. So this driver can be compiled for 2.4 and 2.2 kernels and made available for download for LEAF floppy distributions or included on a LEAF CD distribution.

Greg Morgan
Re: [leaf-user] Need help getting Intel PRO/100 S Desktop Adapter recognized.
Jeff Greer wrote:

> It would appear to be a CPU issue. I am running an AMD 1700+ with 128MB DDR 2100 RAM.

For what it's worth, many of these boards have lots of on-board extras. My Elitegroup ECS K7S5A, which sounds like yours, has both a Realtek ethernet and AMR devices onboard. I disabled them. Ummm...I go for cheap any more on components, which the ECS falls under. So far I've had no problems. Any chance the PCI bus is bad on the motherboard?

Greg Morgan
Re: [leaf-user] Intel PRO/1000 (e1000) module for Bering?
Dear Intel,

I am one of many volunteers on the http://leaf.sourceforge.net project. LEAF stands for Linux Embedded Appliance Firewall. This project is a micro linux distribution. The aim is to create a firewall out of old Intel hardware such as Pentium 100s and the like. In a way, it is a kind of Recycle, Reduce and Reuse way of avoiding sending old PCs into a landfill somewhere. Incidentally, the firewall primarily boots off a write protected floppy diskette and runs solid state in memory, making it a very secure firewall/router.

However, the list has several people using newer equipment. They are using faster PCs with Intel Pro/1000 cards to function as company backbone routers. This is a smart strategy because it saves the cost of high dollar Cisco equipment and training. For the retail cost of several, say, Intel Pro/1000 MT Desktop Adapters and an older Intel PIII system, a LEAF user can have a high speed router for around $280US.

I know that Intel has written their own Linux drivers for the gigabit series of cards. I know that the driver cannot be included in the kernel because of licensing concerns. However, can the LEAF project compile the e1000 driver into a binary module and redistribute it with the various LEAF firewalls? There's lots of micronization going on in the project to fit a distribution onto one 1680K formatted diskette. Essentially, a developer on the project would download the e1000 software from your website. Then compile the driver for the stripped down LEAF environment on one of their development boxes. Only the e1000.o module would be uploaded to the LEAF site and provided as part of a disk image, or a separate download file.

Also, may I post your answer to the list? Or will I need to summarize the answer and post it? I plan to post this initial letter to the list as part of answering Stefan Engel's question. I have included Stefan Engel's message as a sample e1000 question that was just posted to the user mailing list. Mailing list information can be found here:
http://leaf.sourceforge.net/mod.php?mod=userpage&menu=12&page_id=5

Finally, I received your email address from a support question I posed to Intel some time ago.

Thank you,
Greg Morgan

Stefan Engel wrote:

> Hello, I am having a little problem setting up a new machine (Dell PowerEdge 1650) with Intel PRO/1000 Dual on board and Intel PRO/100 Dual as separate PCI card. I am trying to install Bering 1.0 rc4. I have been successful in setting up the Intel PRO/100 Dual NIC (eepro100) but cannot find any module for the Intel PRO/1000 Dual (e1000). RedHat 8.0 is booting fine on this machine (from install CDs) and all NICs are recognized here. And that's how I found out about the missing e1000 module. Is there anybody out there who has the e1000.o module for Bering 1.0 rc4 already built? Or do I have to do it on my own? I already have the sources from the Intel WebSite but no Debian distro at our company (currently only RedHat 7.3/8.0 for testing and SuSE 7.3)?
>
> Thanks in advance, Stefan
Re: [leaf-user] Intel PRO/1000 (e1000) module for Bering?
Stefan Engel wrote:

> snip
> Is there anybody out there who has the e1000.o module for Bering 1.0 rc4 already built? Or do I have to do it on my own?

You may have to compile your own. I believe there are three problems here. Not all the developers have access to Intel Pro/1000 cards to test the compiled driver. Some have them but don't have a compile environment yet. Finally, as I just posted in another message on this thread, a software license question needs to be resolved about distribution of the compiled module.

Since you have the module from Red Hat 7.3 or 8.0, you may want to put the e1000.o module in your Bering module directory. Then load the driver as you would normally do with this distribution. The module is written to compile from 2.2.1x all the way to 2.4.x. If this is successful, please report back to the list. By the way, some parts of the world can get the gigabit cards in the evaluation program found here: http://inteleval.ententeweb.com/store.asp.

> I already have the sources from the Intel WebSite but no Debian distro at our company (currently only RedHat 7.3/8.0 for testing and SuSE 7.3)?

I hope this helps,
Greg Morgan
Re: [leaf-user] dhclient to dhcp server handshaking
John Wittenberg wrote:

> snip
> Oct 30 19:06:36 firewall dhcpd:
> Oct 30 19:06:36 firewall dhcpd: No subnet declaration for eth1 (0.0.0.0).

John, here's the clue to some of your problems. If you are using dhcp for your internal clients you need to fix this error, i.e. 0.0.0.0. This message occurs when your Ethernet drivers are not correctly loaded or you have changed your private LAN address range. Use Package Settings > dhcpd > dhcpd daemon config from the lrcfg configuration program, if your ISP or cable modem required you to change from the Dachstein default IP address range. If you are configuring static addresses on all your LAN clients this will not be an issue.

> Oct 30 19:06:36 firewall dhcpd: Please write a subnet declaration in your dhcpd.conf file for the
> Oct 30 19:06:36 firewall dhcpd: network segment to which interface eth1 is attached.
> Oct 30 19:06:36 firewall dhcpd: exiting.
> snip
[leaf-user] Re: possible GPLed e1000 module source (was: Intel PRO/1000 (e1000) module...)
Brad Fritz wrote:

> On Thu, 31 Oct 2002 20:29:47 MST Greg Morgan wrote:
>
> > Stefan Engel wrote:
> >
> > > snip
> > > Is there anybody out there who has the e1000.o module for Bering 1.0 rc4 already built? Or do I have to do it on my own?
> >
> > Finally, as I just posted in another message on this thread, a software license question needs to be resolved about distribution of the compiled module.
>
> Looks like the source at http://sourceforge.net/projects/e1000/ is GPLed. The LICENSE file in e1000-4.3.15.tar.gz says so anyhow:
>
>   brad@lab:~$ head -n5 /tmp/e1000-4.3.15/LICENSE
>   This software program is licensed subject to the GNU General Public License
>   (GPL). Version 2, June 1991, available at
>   http://www.fsf.org/copyleft/gpl.html
>
> There is a GPL license header in all the source files as well.

Oh. I was looking at ftp://aiedownload.intel.com/df-support/2897/ENG/e1000.txt.

  This driver is only supported as a loadable module at this time. Intel is not supplying patches against the kernel source to allow for static linking of the driver. For questions related to hardware requirements, refer to the documentation supplied with your Intel PRO/1000 adapter. All hardware requirements listed apply to use with Linux.

In times past I looked at the work Donald Becker did on gigabit cards. The scyld.com site always said to find your e1000 driver at Intel.com because Intel had written it. http://www.scyld.com/network/index.html#gigabit

  * Contact Intel directly for the Linux driver for their gigabit card. They have a non-GPL driver. Because of the license conflict this driver may not be pre-linked or pre-patched into the Linux kernel.

> Disclaimer: IANAL and I may be overlooking licensing and distribution issues here.

No, I think you have found a new source of GPLed e1000 drivers.

Greg Morgan
Re: [leaf-user] dhclient to dhcp server handshaking
Hey John,

I am sorry that I missed this earlier. You said that this was the boot log with just one NIC. Please repost your boot log once you have both NICs installed. Not having a second NIC would cause this failure too. And it still looks like I've not put you any closer to an answer then.

Greg Morgan wrote:

> John Wittenberg wrote:
>
> > snip
> > Oct 30 19:06:36 firewall dhcpd:
> > Oct 30 19:06:36 firewall dhcpd: No subnet declaration for eth1 (0.0.0.0).
>
> John, here's the clue to some of your problems. If you are using dhcp for your internal clients you need to fix this error, i.e. 0.0.0.0. This message occurs when your Ethernet drivers are not correctly loaded or you have changed your private LAN address range. Use Package Settings > dhcpd > dhcpd daemon config from the lrcfg configuration program, if your ISP or cable modem required you to change from the Dachstein default IP address range. If you are configuring static addresses on all your LAN clients this will not be an issue.
>
> > Oct 30 19:06:36 firewall dhcpd: Please write a subnet declaration in your dhcpd.conf file for the
> > Oct 30 19:06:36 firewall dhcpd: network segment to which interface eth1 is attached.
> > Oct 30 19:06:36 firewall dhcpd: exiting.
> > snip
Re: [leaf-user] dhclient to dhcp server handshaking
John,

Based on these links that google coughed up, I'd try creating a new diskette and reconfiguring your router. Please look at the last link especially. Part of the reply message is quoted below. When a person questions the software integrity on a LEAF diskette distribution, it could be a failing floppy. The other option, as noted below, is that the network card is bad.

I hope this angle helps,
Greg Morgan

dhrelay
http://www.isc.org/ml-archives/dhcp-server/2000/11/msg00175.html
http://www.isc.org/ml-archives/dhcp-server/2000/11/msg00225.html

dhclient
http://www.isc.org/ml-archives/dhcp-server/2000/05/msg00275.html
http://www.isc.org/ml-archives/dhcp-server/2000/05/msg00276.html

  This means that the client mentioned afterwards is sending more bytes than it says it's sending, which indicates a bug in its IP stack. So I'd be very suspicious of the software running on that client, although this particular problem doesn't actually do any harm.

  > if it does not work, then i have a message like this:
  > May 13 19:11:46 grey dhcpd: ip length 328 disagrees with bytes received 332.
  > May 13 19:11:46 grey dhcpd: accepting packet with data after udp payload.
  > May 13 19:11:46 grey dhcpd: Client option option-100 (47) larger than buffer.

  This means that the packet's corrupt for some reason. Maybe the network card in the device is bad, or maybe the software running on it is.
Re: [leaf-user] dhclient to dhcp server handshaking
John Wittenberg wrote:

> Oct 30 19:06:51 firewall kernel: Packet log: input DENY eth0 PROTO=2 192.168.100.1:65535 224.0.0.1:65535 L=28 S=0xC0 I=0 F=0x T=1 (#10)

I guess I am wanting to beat this dead horse a few more times. ;-) After you get your other issues squared away, you can remove this broadcast message by using the SILENT_DENY variable in the /etc/network.conf file. That is lrcfg menu Network settings > Network configuration. I used to get these irritating 224.0.0.1 broadcast messages all the time on the old @home network. The silent deny is a very effective way of removing them.

Greg Morgan
Re: [leaf-user] How to deal with P2P-apps? [was; What's this guy trying?]
Ray Olszewski wrote:

> At 08:06 AM 10/29/02 +0100, Jon Clausen wrote:
>
> > I'm not at all sure but I suspect there might be *some* connection between the hordes of denied icmp-messages discussed before (see quote below), and the fact that one of the kids on the lan is running Morpheus (a P2P filesharing app). Now, why morpheus on the lan should result in incoming martian icmp messages on eth0, I haven't any idea...(?) BUT
>
> Me either, except to note that P2P services make a lot of connections to and from poorly configured systems. If your ISP uses private address
> snip

or poorly written software--Morpheus, Kazaa. My solution was to format the MS Windows PC and reinstall. You can read my experience here:
http://www.mail-archive.com/leaf-user;lists.sourceforge.net/msg09299.html
Look at the darnit link, which takes a while to load.
http://209.68.48.119/inetexplorer/Darnit.htm#Kazaa

I realize that this does not answer anything about how to bandwidth throttle, or blocking the ports Kazaa uses, but it will solve all of your problems. Those are the least of your worries after you understand all the spyware that it installs on your MS Windows PC. I have since found out that they also use your PC for distributed processing without your known consent. The symptom was you would type in another web URL or other information in a text field. After a bit you'd finally see what you typed. Their software finally woke up and said, oh let me give you back your processor for just a bit. Perhaps this has some connection to the ICMP messages.

Some time later I had a friend's son call me. The boy couldn't use IE for a game. Morpheus had so screwed up the machine that when I went to the control panel to perform the add/remove software function, the control panel applet gpfed. I was trying to follow the instructions here:
http://and.doxdesk.com/parasite/DownloadWare.html
The PC even gpfed when I brought up file explorer. They are looking for their Compaq recovery CD now. His sister sheepishly grinned when I explained the problem. Hey but, This software Rocks!

Good Luck!
Greg Morgan
[leaf-user] eth0: Too much work in interrupt
FYI, I unknowingly performed my own Denial of Service attack. :-[

I was receiving a series of

  eth0: Too much work in interrupt, status ec01.

and finally followed by

  NETDEV WATCHDOG: eth0: transmit timed out
  eth0: transmit timed out, tx_status 00 status e000

Links like the one below from google did not provide much information. Some of the google links go back to 1998, when some of the Ethernet drivers were still maturing.

I lost a switch. This is the second SMC eight port switch that I've seen go bad--it will be my last. The older switches had either an MDI switch or a special crossover port to control crossover connections. Most of the new switches out there are auto crossover detecting on all ports. I _finally_ replaced the SMC with a Netgear switch. (Blush..I took the Hawking eight port switch back thinking it was bad.) I have two cable runs from one switch location to the other. The design is that one of the two cable runs should remain unplugged from the other switch. The second cable lets me play with the LEAF box or throw it up in the closet after the configuration has stabilized. I mistakenly plugged the second cable into both switches. All of a sudden I had "eth0: Too much work in interrupt, status ." being displayed on all my Linux boxes including the Dachstein-CD box. The MS Windows PCs just hung there or I would receive a "No domain server available" at the MS Windows network login. I thought the new switch was bad at first but did not realize that the samba server, Redhat 7.3, was wrapped around the axle trying to handle all the interrupts being generated from two routes to each switch. Normally, in the MDI/crossover-button-next-to-a-port and only-one-crossover-jack-available days of networking hardware, you wouldn't have received a link light on the second connection. Only one connection would have succeeded. However, both connections were successful on the new auto crossover switch.

So for all of you that find this via a google search in the future, look at mis-connected switches/network hardware. That may just be one possibility. I wonder if a router with two NICs plugged into the same switch would produce the same result? You'd also probably have to have two IP addresses on the same segment, etc.

I sheepishly say, I hope this helps, knowing I am probably the only person willing to admit my bone mistake for others to find it in google. Hee! Hee! Maybe that's why you can't find much on this topic in google! :-(*)

Greg Morgan

--
http://www.linuxmanagers.org/pipermail/linuxmanagers/2002-July/000611.html

  Does anybody know why this error is generated on a Redhat 7.0 server? It is a very high traffic server, but I'd like to understand a little more about what's going on here before I try to 'tune it away'. Also, which parameters control this, and what can I do about this?

    'eth0: Too much work in interrupt, status ec01.'

  I've done a google search for it, to no avail. There are plenty of people with the same problem, but no concrete answers. Any help is appreciated.

  --
  Brian K. Jones
  System Administrator
  Dept. of Computer Science, Princeton University
  [EMAIL PROTECTED]
  Voice: (609) 258-6080
Re: [leaf-user] Bering /var/log
Godfried Duodu and Brad Fritz wrote:

> On Mon, 26 Aug 2002 18:04:14 EST Godfried Duodu wrote:
>
> > When I have Bering running for a couple of hours /var/log size fills up and is uncompressed and error messages begin showing up on the screen. I have changed my log_size to 4M and I am still getting the same messages. Anyone noticed that?

Godfried, several entries from your messages log file would really help the list help you troubleshoot this.

> If you are getting 4MB of log messages in a couple hours, I would suggest tracking down the root cause of the log messages. Based on what you find, there might be a problem that needs to be fixed or an event that you may want to silently ignore.

I concur with Brad here. Bumping up the log file size is not the answer. In my experience I had two problems. In the old excite@home network, there was a broadcast packet sent out on 224.0.0.1--I think--every three minutes. I had to remove the logging of this deny message. Otherwise, my /var partition filled up. Likewise, the new cox.net network that I now live on has lots of activity to deny and not log. I don't know what it is and don't really care. I just turn off the logging.

> Have you checked which files are the biggest ( ls -l /var/log ) and looked at them ( cat /var/log/big_file ) to see what messages are causing the logs to grow so large?
>
> --Brad

If you are unaccustomed to reading the log files or need some help, please post some of the entries from your messages file in /var/log.

I hope this helps,
Greg Morgan
Re: [leaf-user] Unknown traffic on firewall
Manfred Schuler wrote: Hi all, in the last few weeks I discovered some unknown traffic on my firewall. I inserted a rule to log all traffic on the input and output chains and found that the incoming packet is neither rejected nor denied, but answered by the firewall. I am using a stock eigerstein2beta firewall with no port redirection and no additional ports opened. What I don't understand is why the packets are not denied and who is responding to this packets. snip Manfred, I've never seen these ports before, but hey with 65K available port numbers, there are all kinds of services available. ;-) I was curious so I spent some time looking into your question. I may or may not have answered the question for you, but I guess it did give me a chance to get up on the soap box. :- (evil grin) A port is also called a service. The services are defined in /etc/services. A protocol, plus, a port number, and an ip address equals a socket that an application uses to talk to another application. All this information is supplied in case you didn't know this. I'd say that you didn't realize that you are running some sort of peer to peer file sharing service, or you are running one and didn't know the mechanics of how it works. Perhaps you are running Kazaa? Aug 18 13:24:08 tunix kernel: Packet log: input - ppp0 PROTO=6 213.168.220.62:2605 80.134.34.59:1214 L=48 S=0x00 I=29010 F=0x4000 T=114 SYN (#1) This is the first line you supplied from your log. 80.134.34.59 appears to be your current ip address supplied by your ISP. 1214 is the port number used by the application i.e. 80.134.34.59:1214. Notice too that this entry is from the input chain. google.com coughed up this with port showing Kazaa. 
http://www.ec11.dial.pipex.com/port-num1.shtml#1200 1214 Kazaa Morpheus or KaZaA peer to peer music/file sharing Aug 18 13:24:08 tunix kernel: Packet log: output - ppp0 PROTO=6 80.134.34.59:1214 213.168.220.62:2605 L=40 S=0x00 I=14602 F=0x T=255 (#1) This is the second line you supplied from your log. It is an output chain entry. Your firewall is responding back to ip address 213.168.220.62 and port 2605. The firewall is doing its job as NAT--network address translation. It translates the internal network address of your client PC to the firewall's IP address. There are a number of services that use ports 2600 through 2606. The name networksciences.net came up on one of the services list again supplied by google. If you look at the information I copied from their web site below, networksciences.net appears to supply tools to simplify the task a building a client sever application. I may be speculating wildly here, but perhaps Morpheus uses this tool in their application? seanecovel at attbi dot com supplied this sometime ago in the thread Re: [leaf-user] Blocking protocols at certain times http://documents.iss.net/whitepapers/X-Force_P2P.pdf I found it an interesting read. The angle of the document is how as a network admin do I reduce the risk of all these file and instant messaging systems? The issue in a business is one of trust. Do you really trust that these applications won't become a trojan, etc. The question for you as an individual is, if you are running Morpheus, do you want it serving data all the time? peer to peer applications still have a server component to them. If someone finds an exploitable hole in morpheus they can gain access to your client. This is why web servers are always being patched. Known holes must be patched or the web service will be owned by someone else. Please just be aware of the issues. You could become overly paranoid and not use any application. 
I think one of the most alarming concepts is how companies like Microsoft feel it is their right or duty to know about you. I'm not sure I'd trust AOL any more on this one. MS Windows Media Player is supposed to send data about your media playing habits to a web site. How are you going to block that, if they are using port 80 that all web servers use? The firewall does not always block all ports. Some ports are used for other services and should be allowed out. I bring this up because the 260x port range appears to have some other useful ports.

Here's the batch file I run on Windows ME every once in a while to clear the MS media database, which includes the number of times you have played a song. The location is in a slightly different place on MS Windows 2000 and MS Windows XP.

@echo off
rem http://www.w2knews.com/index.cfm?id=352
rem kill wmp database
cd C:\WINDOWS\All Users\Application Data\Microsoft\Media Index
attrib -r *.*
del WMPLIBrary*.*

I hope this helps,
Greg

P.S. here's the other port info and stuff on Network Sciences.
http://www.mit.edu/afs/athena/system/rhlinux/config/9.1.10/etc/services

# Ports numbered 2600 through 2606 are used by the zebra package without
# being registered.  The primary names are the registered names, and the
# unregistered names used by zebra are
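The reading Greg does by hand above (which chain, which local port, who answered) can be done over a whole log. This is an added example, not code from the thread or from LEAF: it parses ipchains "Packet log:" lines in the format Manfred posted and reports local TCP ports that both received an inbound SYN and sent a reply, which is exactly the "answered, not denied" pattern he noticed. The two sample lines are the ones quoted in the thread; the third line and the small service table are constructed.

```python
"""Parse ipchains 'Packet log:' lines and find local ports that answer inbound SYNs."""
import re
from collections import defaultdict

# Syslog prefix, then the ipchains fields: chain target iface PROTO= src:port dst:port L= S= I= F= T=
PACKET_LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: Packet log: "
    r"(?P<chain>input|output|forward) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>\S+) I=(?P<ipid>\d+) F=(?P<frag>\S+) T=(?P<ttl>\d+)"
    r"(?P<tail>.*)$"
)

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Constructed excerpt in /etc/services style; 1214 is the entry the thread found for Kazaa.
SERVICE_NAMES = {21: "ftp", 22: "ssh", 25: "smtp", 53: "domain", 80: "www", 1214: "kazaa"}


def parse_packet_log(line):
    """Return a dict of fields for one ipchains log line, or None if it is not one."""
    m = PACKET_LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ipid", "ttl"):
        rec[key] = int(rec[key])
    rec["proto_name"] = PROTO_NAMES.get(rec["proto"], str(rec["proto"]))
    rec["syn"] = "SYN" in rec["tail"].split()   # TCP flag list follows the T= field
    return rec


def describe(rec, local_ip):
    """Say which local port a packet touches and in which direction, relative to local_ip."""
    if rec["chain"] == "input" and rec["dst"] == local_ip:
        port, peer = rec["dport"], f"{rec['src']}:{rec['sport']}"
        direction = "inbound SYN" if rec["syn"] else "inbound"
    elif rec["chain"] == "output" and rec["src"] == local_ip:
        port, peer = rec["sport"], f"{rec['dst']}:{rec['dport']}"
        direction = "outbound reply"
    else:
        return None
    return {"direction": direction, "local_port": port,
            "service": SERVICE_NAMES.get(port, "unknown"), "peer": peer}


def answered_ports(lines, local_ip):
    """Local TCP ports that got an inbound SYN *and* sent something back.

    Such a port is listening (or NAT-forwarded to an inside host) whether or not a
    rule was written to open it; a port that only shows inbound SYNs is being probed.
    """
    seen = defaultdict(set)
    for line in lines:
        rec = parse_packet_log(line)
        if rec is None or rec["proto_name"] != "tcp":
            continue
        d = describe(rec, local_ip)
        if d:
            seen[d["local_port"]].add(d["direction"])
    return {p for p, dirs in seen.items() if {"inbound SYN", "outbound reply"} <= dirs}


SAMPLE_LOG = [  # the two lines quoted in the thread, plus one constructed denied probe
    "Aug 18 13:24:08 tunix kernel: Packet log: input - ppp0 PROTO=6 213.168.220.62:2605 80.134.34.59:1214 L=48 S=0x00 I=29010 F=0x4000 T=114 SYN (#1)",
    "Aug 18 13:24:08 tunix kernel: Packet log: output - ppp0 PROTO=6 80.134.34.59:1214 213.168.220.62:2605 L=40 S=0x00 I=14602 F=0x T=255 (#1)",
    "Aug 18 13:25:10 tunix kernel: Packet log: input DENY ppp0 PROTO=6 198.51.100.7:3344 80.134.34.59:21 L=48 S=0x00 I=1 F=0x4000 T=64 SYN (#5)",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(describe(parse_packet_log(entry), "80.134.34.59"))
    print("answering ports:", answered_ports(SAMPLE_LOG, "80.134.34.59"))
```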
Re: [leaf-user] WISP-DIST hostap_plx issues
Zachariah Mully wrote:

Disclaimer: I don't own any wireless equipment, but it looked like an interesting problem. Several things that I noticed while googling. These may or may not help. You may experience different issues while using this card on the WISP box, Red Hat box, and work W2K box.

> Hello all-
> I am having a strange issue with my Prism 2.5 card (USR 2445)...
> Unfortunately my WISP box is sufficiently fubar'ed that it really didn't
> provide much good diagnostic information, so I threw it into my RH7.3 box
> and got the following:
>
> hermes.c: 16 Jan 2002 David Gibson [EMAIL PROTECTED]

1.) Date of the driver and version. There was this long thread at http://lists.samba.org/pipermail/wireless/2002-April/004045.html with David Gibson. There were problems with version 11 of their driver dated 5 Apr 2002. You have version .09b.

> orinoco.c 0.09b (David Gibson [EMAIL PROTECTED] and others)
> orinoco_plx.c 0.09b (Daniel Barlow [EMAIL PROTECTED])
> orinoco_plx: CIS: 5201:CA03:5600:F800:85FF:C817:2A04:8A67:7C5A:CE08:7EFF:801D:A505:C603:E567:C85A:
> orinoco_plx: Local Interrupt already enabled

2.) See the very bottom of the message. Perhaps a hardware conflict?

> Detected Orinoco/Prism2 PLX device at 00:0d.0 irq:9, io addr:0xf080
> eth1: Station identity 001f:0009:0001:0004
> eth1: Looks like an Intersil firmware version 1.04
> eth1: Ad-hoc demo mode supported
> eth1: IEEE standard IBSS ad-hoc mode supported
> eth1: WEP supported, 104-bit key
> eth1: MAC address 00:90:D1:06:19:A7
> eth1: Station name Prism I
> eth1: ready
> eth1: Channel out of range (0)!
> eth1: Channel out of range (0)!

Possible module parameter? http://www.seattlewireless.net/index.cgi/DlinkCardComments?action=edit

options orinoco_cs ignore_cis_vcc=1

On Red Hat people reported this to solve the problem, but still have errors in their logs.

> hermes @ 0xf080: Timeout waiting for card to reset (reg=0x8000)!
> eth1: orinoco_reset failed in orinoco_plx_open()
> eth0: Bus master arbitration failure, status 88f3.
http://www.uwsg.iu.edu/hypermail/linux/net/9511.1/0031.html

Seems you have a hardware conflict with two PCI cards. You may need to look into the BIOS settings for PCI hardware.
http://www.geocrawler.com/archives/3/82/1997/4/0/262565/

The MS Windows 2000 eXPerience may not provide you with any other clues, but more headaches.
http://www.seattlewireless.net/index.cgi/DlinkCardComments?action=edit

> I had issues with the drivers for Win2K on the CD but the ones on the
> website worked just fine.

Did you try using a different laptop with Win2k? Perhaps hardware conflicts are a good starting place on your Redhat box?

Hope this helps,
Greg Morgan
Re: [leaf-user] DCD: swap_free: Trying to free nonexistent swap-page ???
Michael D. Schleif wrote:
> One of our DCD installations has been exhibiting strange behaviour
> lately. This message comes through syslogd irregularly, often twice an
> hour or every couple hours:
>
> Aug 3 11:45:01 redtrout kernel: swap_duplicate: entry 1000, nonexistent swap file
> Aug 3 11:45:01 redtrout kernel: swap_free: Trying to free nonexistent swap-page
> [snip]
> Anybody know what this means? How to deal with it? What do you think?

Interesting questions. I googled a bit. I came across the patch code for 2.4 at http://linux.bkbits.net:[EMAIL PROTECTED]?[EMAIL PROTECTED]. If you look for bad_nofile, that is the goto label for the

printk("swap_free: Trying to free nonexistent swap-page\n");

code you are seeing. I am speculating wildly here with a little bit of experience. LEAF runs on RAM. Perhaps bad RAM is being used where the swapfile is. The message comes and goes because of load demanding more swap. Hence the message every so often. The message may come during the _swap_free() function call as the load is reduced on the LEAF system.

You could try http://www.memtest86.com/. I used this on two different systems at a site. One had a bad piece of memory while the other had a bad CPU/motherboard--I think test 10 or 11. I put in a new motherboard and the existing memory worked OK. I am wondering if this site was hit by a surge at some point. People have given feedback on slashdot that the tool works great to verify overclocked systems. ;-) Anyhow, you might give memtest a shot and see if that answers the question.

Greg Morgan
Re: [leaf-user] problem portforwarding with DCD 1.02
Robin [EMAIL PROTECTED] wrote:
> well this is one long e-mail.. :D
> Ok i did everything it says in yer e-mail. the forward shows up in my
> firewall rules (yes i run weblet as well) AND IT WORKS.. many thanks to
> all you guyz who were helping me out here. Now i can also figure out how
> to run my ftp-servers as well. Anyways.. many thanks.
> Robin
> [snip]

You're welcome,
Greg Morgan
Re: [leaf-user] problem portforwarding with DCD 1.02
...it an executable file. By the way, you do not need to change these. That was not the intent of what I was trying to get you to do. If you use "dot space filename", it is a Bash/ash shortcut to pull in the information contained in the file. Please try this. Note that I have put three spaces between the dot and the filename for clarity.

.   /etc/network.conf

Now you have all the environment variables available to you from /etc/network.conf. Just use the echo command to see what is in one of the variables.

echo $EXTERN_IP

I hope this helps,
Greg Morgan

Here's the rest of the post.

> ## UDP Services open to outside world
> # Space seperated list: srcip/mask_dstport
> # NOTE: bootpc port is used for dhcp client
> EXTERN_UDP_PORTS="0/0_domain 0/0_bootpc"
> #EXTERN UDP PORTS="0/0_411"
> #EXTERN UDP PORTS="0/0_412"
> # -or-
> # Indexed list: SrcAddr/Mask port [ DestAddr[/DestMask] ]
> #EXTERN_UDP_PORT0="0/0 domain"
> #EXTERN_UDP_PORT1="5.6.7.8 500 1.1.1.12"
> EXTERN_UDP_PORT2="0/0 411 192.168.0.2"
> EXTERN_UDP_PORT#="0/0 412 192.168.0.2"
>
> # TCP services open to outside world
> # Space seperated list: srcip/mask_dstport
> EXTERN_TCP_PORTS="0/0_411"
> EXTERN TCP PORTS="0/0_412"
> # -or-
> # Indexed list: SrcAddr/Mask port [ DestAddr[/DestMask] ]
> #EXTERN_TCP_PORT0="5.6.7.8 domain 1.1.1.12"
> #EXTERN_TCP_PORT1="0/0 www"
> #EXTERN_TCP_PORT2="0/0 411 192.168.0.2"
> #EXTERN_TCP_PORT3="0/0 412 192.168.0.2"
>
> I've uncommented both ways to forward, now the first manner is commented,
> but i've got the uncommented also. Please tell me what to type here
> exactly. it still doesn't work here. Hope u can help me out here further.
>
> other question. I ssh into my router from within my internal network,
> when i do ./etc/network.conf it says permission denied.. how come.. i'm
> root right? anyways i hope u can help me out further..
> thanks in advance,
> Robin
>
> - Original Message -
> From: Greg Morgan [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]; Robin [EMAIL PROTECTED]; Joey Officer [EMAIL PROTECTED]
> Sent: Sunday, June 23, 2002 10:54 AM
> Subject: RE: [leaf-user] problem portforwarding with DCD 1.02
RE: [leaf-user] problem portforwarding with DCD 1.02
Joey Officer [EMAIL PROTECTED] wrote:
and Robin [EMAIL PROTECTED] wrote:

DCD is written in such a way that it does not matter if you have a dynamic address or a static address. You can get to both via EXTERN_IP. Type these two commands in a file or execute them at the DCD command prompt to get your current IP address.

. /etc/network.conf
echo $EXTERN_IP

That should answer the first part of the FAQ. Write a letter to them and tell 'em that sucks. But what do you expect from vbscript?

http://www.neo-modus.com/?page=Help
> Q: I have a NATing router and would like to set Direct Connect up for
> active mode. What ports does it use?
> A: By default, Direct Connect uses port 412 for TCP and UDP data. This can
> be changed in the Direct Connect settings. To make Direct Connect work
> properly with your NATing router, you must enter your router's WAN IP
> address in Direct Connect's "Force Direct Connect to report this IP
> address" text box, and check the associated check box.

To answer the second part of their FAQ, please look at both EXTERN_UDP_PORTS and EXTERN_TCP_PORTS as found in /etc/network.conf. This is what Joey is pointing you to. This is where you would set up your port forwarding on 412.

Some other people have written scripts to support dynamic IPs that work with many of these dynamic IP servers. That will help if you want to get into hubs someday.

> Q: I want to run a Direct Connect(TM) Hub, but my IP address changes every
> time I sign online. What can I do?
> A: You will need to use a service like Dynip.

Your fun is just beginning. I hope this helps you get going.

Greg Morgan.

> Date: Sat, 22 Jun 2002 12:18:29 -0500
>
> One way that I think you can do it, is to assign a range of numbers, (I
> think) by only specifying some of the ip address. Like so (someone correct
> me if I'm wrong here)
>
> EXTERN_PROTO0=xxx 0.0.0.0/32
>
> I think that something like that would leave port xxx open to the world.
> Another way to do it, regardless of IP, is to leave a specific port
> completely open under the ipforwarding rule set. I'm not really up on
> that, but I could check on it and get back to you... I'll see what I can
> find and let you know something.
>
> Joey
>
> -----Original Message-----
> From: Robin [mailto:[EMAIL PROTECTED]]
> Sent: Friday, June 21, 2002 5:20 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [leaf-user] problem portforwarding with DCD 1.02
>
> Well i don't think u understand my problem quite.. The ip number of my
> DCD BOX is dynamically assigned through PPPoE. Now i need to know the
> variable that is used in the network.conf script for my current ip
> number (as it changes @least every 72 hrs). With this variable i can then
> open or portforward any port i want. i read something bout the variable
> ${DYNAMIC_IP} but that didn't work, so i have to do something wrong
> here. please help me out.
>
> Robin
>
> - Original Message -
> From: Joey Officer [EMAIL PROTECTED]
> To: Robin [EMAIL PROTECTED]
> Cc: LRP Support [EMAIL PROTECTED]
> Sent: Friday, June 21, 2002 4:08 PM
> Subject: RE: [leaf-user] problem portforwarding with DCD 1.02
>
> Well.. the way I do it is that my outside machines, although they are
> dhcp based, I leave the machines up, so the ip's never change (or very
> rarely) and in those cases I'm just stuck out. BUT ... in the case where
> the box loses its IP address, and regains a new one, you could just have
> someone on the local network of the other box connect to the weblet and
> review the ip addresses. It's a manual fix, but doing it this way would
> be more secure than if you opened the port completely. But it's your
> call...
>
> Joey
>
> -----Original Message-----
> From: Robin [mailto:[EMAIL PROTECTED]]
> Sent: Friday, June 21, 2002 2:35 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [leaf-user] problem portforwarding with DCD 1.02
>
> ok guyz ty for the quick reaction. But i don't have a static ip address.
> I have a dynamic one. What is the standard variable called in which DCD
> saves my EXTERNAL ip number, so i can fill that in instead.
> And i also can't specify a single ip address from the internet that
> should have access.. every ip address needs to be able to access my
> computer. please help me out,
>
> Thanks,
> robin
>
> - Original Message -
> From: Joey Officer [EMAIL PROTECTED]
> To: Robin [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Sent: Friday, June 21, 2002 3:17 AM
> Subject: RE: [leaf-user] problem portforwarding with DCD 1.02
>
> There is an option within the network.conf file that would look similar to
>
> EXTERN_UDP_PORTS=ip.ad.dr.es/32_xxx
>
> Where ip.ad.dr.es is the ip address of the other machine, and the xxx is
> the port number you want to add, then there is also the protocol that
> you want to add, which is done similar to the following...
>
> EXTERN_PROTO0=xxx ip.ad.dr.es/32
>
> Again where PROTO(0) is a list of numbers (ie 1,2,3,4,5) and xxx is the
> tcp/ip port that you want to open..
>
> HTH
> Joey
> Advocate in Action!
>
> -----Original
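Two of the lines Robin posted are not shell assignments at all ("EXTERN TCP PORTS=..." with spaces, and "EXTERN_UDP_PORT#=..." with a "#"), so sourcing the file with ". /etc/network.conf" silently never sets them. The checker below is an added example, not part of DCD: it walks a network.conf excerpt, accepts only the two list forms documented in the file's own comments (space-separated "srcip/mask_dstport" and indexed "SrcAddr/Mask port [DestAddr]"), and reports lines the shell would not treat as an assignment. The sample excerpt is constructed to mirror the config in the thread, including its two mistakes.

```python
"""Sanity-check the EXTERN_*_PORT* lines of a DCD /etc/network.conf before sourcing it."""
import re

# A line the shell would treat as an assignment: NAME=value or NAME="value with spaces".
ASSIGN_RE = re.compile(r'^(?P<key>[A-Za-z_][A-Za-z0-9_]*)=(?P<val>"[^"]*"|\S*)$')
LIST_KEY_RE = re.compile(r"^EXTERN_(?P<proto>TCP|UDP)_PORTS$")                # space separated list
INDEXED_KEY_RE = re.compile(r"^EXTERN_(?P<proto>TCP|UDP)_PORT(?P<idx>\d+)$")  # indexed form
SERVICE_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def valid_cidr(text):
    """Accept ipchains-style addr/mask: 0/0, 5.6.7.8/32, or a bare address like 192.168.0.2."""
    addr, _, mask = text.partition("/")
    octets = addr.split(".")
    if not 1 <= len(octets) <= 4:
        return False
    if not all(o.isdigit() and int(o) <= 255 for o in octets):
        return False
    return mask == "" or (mask.isdigit() and int(mask) <= 32)


def valid_port(text):
    """A numeric port or a service name as found in /etc/services (domain, bootpc, www)."""
    if text.isdigit():
        return 0 < int(text) <= 65535
    return bool(SERVICE_NAME_RE.match(text))


def check_network_conf(lines):
    """Return (rules, errors); each rule is (proto, src, port, dest) with dest None if absent."""
    rules, errors = [], []
    for lineno, raw in enumerate(lines, 1):
        line = re.sub(r"\s+#.*$", "", raw).strip()   # drop a trailing comment
        if not line or line.startswith("#"):
            continue
        m = ASSIGN_RE.match(line)
        if m is None:
            # "EXTERN TCP PORTS=..." or "EXTERN_UDP_PORT#=...": the shell would try to run
            # these as commands, so the variable is never set and no port gets opened.
            errors.append(f"line {lineno}: not a shell assignment: {line}")
            continue
        key, val = m["key"], m["val"].strip('"')
        lk, ik = LIST_KEY_RE.match(key), INDEXED_KEY_RE.match(key)
        if lk:
            for item in val.split():
                src, sep, port = item.rpartition("_")
                if not sep or not valid_cidr(src) or not valid_port(port):
                    errors.append(f"line {lineno}: bad srcip/mask_dstport item {item!r}")
                else:
                    rules.append((lk["proto"].lower(), src, port, None))
        elif ik:
            parts = val.split()
            ok = len(parts) in (2, 3) and valid_cidr(parts[0]) and valid_port(parts[1])
            if ok and len(parts) == 3:
                ok = valid_cidr(parts[2])
            if not ok:
                errors.append(f"line {lineno}: bad 'SrcAddr/Mask port [DestAddr]' value {val!r}")
            else:
                rules.append((ik["proto"].lower(), parts[0], parts[1],
                              parts[2] if len(parts) == 3 else None))
        elif key.startswith("EXTERN_") and "PORT" in key:
            errors.append(f"line {lineno}: unrecognised variable {key}")
    return rules, errors


# Constructed excerpt modelled on the config quoted in the thread, including its two mistakes.
SAMPLE_CONF = """\
## UDP Services open to outside world
EXTERN_UDP_PORTS="0/0_domain 0/0_bootpc"
EXTERN UDP PORTS="0/0_412"
EXTERN_UDP_PORT2="0/0 411 192.168.0.2"
EXTERN_UDP_PORT#="0/0 412 192.168.0.2"
# TCP services open to outside world
EXTERN_TCP_PORTS="0/0_411"   # Direct Connect defaults to 412
#EXTERN_TCP_PORT3="0/0 412 192.168.0.2"
EXTERN_TCP_PORT3="0/0 412 192.168.0.2"
""".splitlines()

if __name__ == "__main__":
    found, problems = check_network_conf(SAMPLE_CONF)
    for r in found:
        print("open:", r)
    for e in problems:
        print("ERROR:", e)
```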
Re: [leaf-user] Mail function on bering
[EMAIL PROTECTED] wrote:
> [snip]
> > telnet isp.com 25
>
> Response from that telnet:
> telnet smtp.kolumbus.fi 25

vestmvesa,

I think you were following the mail instructions too literally at this point.

> When I try
> mail -s test [EMAIL PROTECTED] < /var/log/messages

Use smtp.kolumbus.fi in step two of the post while editing /etc/POSIXness.conf. smtp.myisp.com was just meant to be a sample smtp server name. From your telnet session you have connectivity. It appears that fep06-app is a server name if you need to use this to edit MAIL_DOMAIN, i.e. replace iFoundOne.smtp.myisp.com with fep06-app.smtp.kolumbus.fi. However, I'd try smtp.kolumbus.fi in both the MAIL_SERVER and MAIL_DOMAIN variables first. Once these are configured, change

When I try
mail -s test [EMAIL PROTECTED] < /var/log/messages

to

mail -s test [EMAIL PROTECTED] < /var/log/messages

Here again you have to use your real email address in both the mail test command and the /etc/lrp.conf setting. I hope this clears up what I tried to write down so quickly.

Greg Morgan

> 220 fep06-app.kolumbus.fi ESMTP server ready Tue, 18 Jun 2002 20:50:33 +0300
>
> And the exact error message to that mail command is:
> nc: connect: Connection refused
> Error: Unknown response.
> RSET
> 0: Aborting due to connection error
> Killing child processes: 24559 30653
>
> > ... and see what response you get. You might also want to check the MX
> > record for host isp.com to see if it redirects to a different FQN (I'd
> > check this myself if you hadn't made that impossible by choosing to
> > conceal information behind the obviously fake [EMAIL PROTECTED]).
> >
> > At 01:24 PM 6/18/02 +0100, Vesa Vestman wrote:
> > > Hi all
> > > I'm using Bering v.1.0-rc2 and having problems getting mail to work.
> > > I've checked things that this post tells:
> > > http://www.mail-archive.com/leaf-user@lists.sourceforge.net/msg06764.html
> > > and opened port for mail to work but no luck. When I try
> > > mail -s test [EMAIL PROTECTED] < /var/log/messages
> > > Error what it gives: Connection refused.
> > > Does my ISP need some authentication to send email or what might be the
> > > problem? I've fought with this for a long time now and I'm really lost..
> > > I'd really appreciate any help!
> >
> > --
> > Ray Olszewski
> > Palo Alto, California, USA
Re: [leaf-user] Bering, non-root crontab and more...
Jon Clausen [EMAIL PROTECTED] wrote:
> [snip]
> resulting QUERY_STRING, and echo back to a new page. This all works pretty
> much as I want it, even if my sed scripts *are* a bit clunky...
>
> Next step will be to have that data written to a file instead of just out
> to a page. Now, since this whole thing is meant to be time-centric (run
> at specified times) the logical thing to do is have the cgi-script write
> to a crontab, with the appropriate format. For a number of reasons, I'm
> not very comfortable with the idea of letting my own scripts modify
> root's crontab, one of the more obvious being that my scripts would have
> to run with root-privs to do that.

Take it one step at a time. I'd make a backup of the files you will be modifying. Experiment with what you want to do as root, then worry about the uid thing. It is not like you're going to have to spend hours reinstalling a full distro. Just hit reset if things go really bad. ;-)

> I'm beginning to think that I should probably add a uid to handle all
> this crap, instead of letting it run as sh-httpd, but either way I'd like
> to get some clarification on a couple of issues:
>
> 1) How does cron handle itself on Bering? I.e. will it find and execute
> a user-crontab by itself?

cron on Dachstein/Bering plays into your game plan. You do not have to use crontab -e to edit the file. Here's /etc/crontab. Look at the run-parts command. ls -l cr* under /etc. It looks like you throw the file you want executed into a directory. run-parts runs all the stuff in the directory.

# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file.
# This file also has a username field, that none of the other crontabs do.
# SHELL=/bin/sh
# PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
42 6    * * *   root    run-parts --report /etc/cron.daily
47 6    * * 7   root    run-parts --report /etc/cron.weekly
52 6    1 * *   root    run-parts --report /etc/cron.monthly

> 2) Any tricks/hints/pointers on how to actually write to a file? Or
> rather *modifying* a file that is already there (i.e. changing some of
> the fields in a crontab line from f.x. "30 6 * * *" to "00 7 * * *")

Since you mention that your knowledge of sed is growing, that would be your tool here. Look at the \( and \). You have up to nine of them to replay values with \1 to \9, etc. I call these dog teeth because I imagine the character art to be dog fangs and you are taking a bite out of the line--YMMV here. Also consider first of line in sed. This is the ^. You may need the any-character too, that is ., the period. The idea is to hold the parts of the line in multiple occurrences of \( \). Replace the parts of the line that change with your new values and replay the static values with \1. I leave you plenty of research room here. In some of my work I use what I call search tokens, PLACE_STEP_MOTOR_VALUE_HERE, for example. It makes an easy target in sed. You will have to experiment in the crontab line in how to apply this.

> 3) Are there any good candidates (scripts/routines) already present in
> Bering/packages, that I can use as starting point for 2) ?

I think just pick a cgi page to modify. You would want some sort of confirmation page to print in weblet. Paint the page with the normal echos. Then echo "string" > desired_file_name if it is a whole file. Otherwise, sed a line with your new value. Perhaps checkmem is an example. Think of how to use the level variable. Think of the above case statement and below case statement.

> I must admit that I haven't done a great lot of research on this, before
> asking. But, as usual, what I'm asking is more on the order of 'where to
> look for docs on this' or 'advice/considerations, please?'
> rather than 'tell me what to write where', so I hope it's o.k...

I hope I complied with your wishes. I used the sed manual pages, and Unix in a Nutshell to learn more about pattern matching in sed. They call pattern matching Regular Expressions.

> Man, this just keeps growing... but it's *fun*!
> (Next thing you know, I'm gonna want to have the ability to specify
> different runtimes, for different days of the week ;)
>
> Oh yeah, one other thing; Setting the time to open/close is all very
> nice, but I'd like to be able to specify a *duration* of the 'sunrise'
> as well...

Ummm. I don't know. Have a scheduled job to start? Pass a parameter into the job, i.e. sunrise 20. Do stuff to turn the motor on. After all motor control is done call sleep with the value, i.e. sleep $1. Then do more motor control to close blinds or whatever?

> There are ~576 'steps' of the stepper motor from extreme-open to
> extreme-closed. Any idea how to distribute x steps per minute...?
>
> TIA
> Jon Clausen

Have fun exploring,
Greg Morgan
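The "hold the parts of the line in \( \) and replay the static ones" idea from the thread, carried out as an added example (not from the thread and not a Bering script) in Python, which uses named regex groups where sed uses \1..\9. It validates the five time fields against cron's ranges before writing, so a CGI-driven edit cannot turn a working job line into one cron rejects, and it touches only the job whose command contains a chosen token (Greg's "search token"). The crontab sample is constructed: the header and daily job come from the thread, the blinds job and its path are hypothetical.

```python
"""Rewrite the time fields of one job in a system crontab, leaving everything else intact."""
import re

# min hour dom mon dow, then the rest (user field and command in /etc/crontab).
CRON_LINE_RE = re.compile(
    r"^(?P<min>\S+)\s+(?P<hour>\S+)\s+(?P<dom>\S+)\s+(?P<mon>\S+)\s+(?P<dow>\S+)\s+(?P<rest>.+)$"
)
RANGES = {"min": (0, 59), "hour": (0, 23), "dom": (1, 31), "mon": (1, 12), "dow": (0, 7)}


def field_ok(name, value):
    """Accept '*', a number in range, or comma lists, ranges (a-b) and steps (/n) of those."""
    lo, hi = RANGES[name]
    for part in value.split(","):
        base, _, step = part.partition("/")
        if step and not step.isdigit():
            return False
        if base == "*":
            continue
        a, _, b = base.partition("-")
        for n in ((a, b) if b else (a,)):
            if not n.isdigit() or not lo <= int(n) <= hi:
                return False
    return True


def is_job_line(line):
    """True for a real job line; comments, blank lines and VAR=value lines are not jobs."""
    s = line.strip()
    if not s or s.startswith("#") or CRON_LINE_RE.match(s) is None:
        return False
    return "=" not in s.split()[0]


def set_time(line, minute, hour):
    """Return the job line with minute and hour replaced; dom/mon/dow/user/command are replayed."""
    if not is_job_line(line):
        raise ValueError(f"not a job line: {line!r}")
    if not (field_ok("min", str(minute)) and field_ok("hour", str(hour))):
        raise ValueError(f"minute/hour out of range: {minute} {hour}")
    m = CRON_LINE_RE.match(line.strip())
    return f"{minute:02d} {hour} {m['dom']} {m['mon']} {m['dow']} {m['rest']}"


def rewrite_job(crontab_lines, command_token, minute, hour):
    """Change only the job(s) whose command contains command_token; return (lines, changed)."""
    out, changed = [], 0
    for line in crontab_lines:
        if is_job_line(line) and command_token in CRON_LINE_RE.match(line.strip())["rest"]:
            line = set_time(line, minute, hour)
            changed += 1
        out.append(line)
    return out, changed


# Constructed sample: the /etc/crontab header and daily job quoted in the thread, plus a
# hypothetical blinds job whose "30 6 * * *" is the value the question wants turned into "00 7 * * *".
SAMPLE_CRONTAB = """\
# /etc/crontab: system-wide crontab
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
42 6 * * * root run-parts --report /etc/cron.daily
30 6 * * * root /usr/local/bin/blinds open 20
""".splitlines()

if __name__ == "__main__":
    new_lines, n = rewrite_job(SAMPLE_CRONTAB, "blinds open", 0, 7)
    print("\n".join(new_lines))
    print(f"({n} job changed)")
```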
Re: [leaf-user] Is there a way to auto email log files question -- was Need Help Debugging Firewall Rules
Vintage [EMAIL PROTECTED] wrote:
> [snip]
> Now, to change the subject, I was going through the archives and saw that
> you also had comments on the mailonerr utility. I also read the following
> thread and got to Greg Morgan's mini-HOWTO on mail. I get lost at his
> point 7 and from there it seems like he is trying to keep track of his
> dynamic ip address rather than have his log emailed to him.

I have since gone on and have both my IP address and logs mailed to me. These scripts may be useful to others. To amuse myself, I have been making the scripts easy to configure. For example, you can configure the subject line, send logs or your IP address to multiple email addresses, specify a from user versus [EMAIL PROTECTED], and turn log mailing or IP mailing on and off independently of each other. I don't have it all documented or packaged yet, but if you want the scripts, I can send them to you.

Regardless, there is a bug fix in the POSIXness.mail file that has to be installed in your root package. (I am wondering if Charles Steinkuehler resorted to su to work around the bug?) Essentially, a sending email user id is missing when you execute any kind of SMTP email script from the system startup scripts or multicron. I know Dachstein and Bering are affected by this problem. I have not pried open Oxygen, Packet Filter, or WRP yet, so I don't know if they are affected by the same problem. I believe K P Kirchdorfer spotted the problem and offered a solution. Mailing your logs will not work from multicron, etc. without either the POSIXness.mail fix or the su command installed on your system. That is what step seven is all about. Since I wrote that original email I have a deeper understanding of the problem.
Hope this clarifies the step,
Greg Morgan
[leaf-user] Re: rdate
Eric Wolzak and Brad Fritz wrote:
> [snip]
> > I also updated my /etc/localtime file so that my clock would read my
> > local time.
>
> That would be the solution but what did you put there ;=)
> try date; if you've got your localtime, then everything is ok.
> You should get the zoneinfo file from a linux distro, corresponding to
> your timezone. Copy this about 1Kb large file to e.g. /usr/share/zoneinfo.

It looks like this problem has been solved. I just wanted to point out some time resources. Charles has conveniently located these /usr/share/zoneinfo files at http://lrp.steinkuehler.net/files/kernels/zoneinfo/. There is also a tz.lrp package. This site will help you pick US zones: http://www.time.gov/. I found these links illuminating: http://www.time.gov/exhibits.html. If you have Windows clients that you want to sync to your firewall, you can use http://www.oneguycoding.com/automachron/ in your systray. External time server lists can be found at
http://www.eecis.udel.edu/~mills/ntp/servers.htm
http://www.eecis.udel.edu/~mills/ntp/clock1.htm
http://www.eecis.udel.edu/~mills/ntp/clock2.htm

> > I just fixed my date this weekend. I used just a file out of
> > /usr/share/zoneinfo (I had access to a Linux box). Arizona doesn't do
> > daylight saving time. So I copied MST7MDT to /etc/localtime.
>
> This technique saves some space especially for floppy users. All you have
> to do is then backup etc.lrp. make /etc/localtime a symbolic link to
> /usr/share/zoneinfo. now date will no longer show 16:21 UTC but 9:21
> whatsyourtimezone. The logging is also in localtime. don't forget to
> backup root and etc.
>
> > I noticed my logs seem to be using UTC for the time stamp. Do you have
> > any information that would allow me to use my local time for logging?
>
> As Jeff Newmiller pointed out a restart of logging is required.
>
> > Having to subtract 7 hours every time I want to analyze my log file is
> > getting to be a drag.
>
> The default version of the file provided in /etc/localtime may have been
> GMT+0.
> This is correct
> regards
> Eric Wolzak
> member of the bering crew.

I hope this helps,
Greg Morgan
Re: [leaf-user] ssh to host behind firewall: connect direct or through router?
Eric House [EMAIL PROTECTED] wrote:
> There seem to be two ways to allow ssh access from outside the firewall
> to a host inside:
> 1. forward some port on the fw to the host;
> 2. connect directly to sshd on the fw and use the -Lport:host:port flag
> to forward an additional connection to the host.
>
> Is there agreement on which method is better (where better means more
> secure, I guess)?

To answer the security question, I believe you have to look at how often you are able to get a bug fix on each host. For example, if you are using the port forward method in #1 above, that would depend on the host you are forwarding to. I know Redhat had a security fix for the last ssh vulnerability right away. The same goes for method #2 above. Jacques Nilo had a ssh package for all the LEAF firewalls. So if the timeliness of the patches is the same, it depends on how quickly you apply the patches as to which method is more secure.

> The fw and host are at home. Most of the time I'm connecting from
> outside I'm either at work and want to xhost some app, or I want to
> transfer a bunch of files. Occasionally I need to tweak the router, so
> picking #1 above wouldn't remove the need to have sshd on the router's
> floppy.

This may then depend on style in your case. If you are more comfortable port forwarding, method #1, then use it. If you want to stop at the firewall first and then jump off to somewhere else on your home network, then pick method #2 above. Perhaps there's another task that you would want to do in the future that would affect your decision. For now it does not seem to matter which method you use in your case. However, it appears that your ssh tasks are geared toward your internal machine--xhosting and scp files--versus firewall maintenance.

> Connections are always from machines that have keys in the router's (and
> inside host's) .ssh/authorized_keys files. Password login is disabled.
> I'm running Bering RC2.
> Thanks,
> --Eric

Hope this helps,
Greg Morgan
Re: [leaf-user] Is there a way to auto email log files
# gpm I only needed one email address.
# gpm mail -s "Internet IP address" [EMAIL PROTECTED] < $prefix.msg
# rm $prefix*
#
# written by
# vette66 (chuck)
# http://www.vette66.com

I hope this helps,
Greg Morgan

- Original Message -
From: Greg Morgan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; chuck [EMAIL PROTECTED]; Dragon Wood [EMAIL PROTECTED]
Sent: Friday, May 17, 2002 3:32 PM
Subject: Re: Re: [leaf-user] Is there a way to auto email log files
Re: [leaf-user] Is there a way to auto email log files
Brad Fritz wrote:
> snip
> > My goal is to mail the dynamic IP address to another client. The client needs to ssh to back up files on a LEAF protected network.
>
> It seems like you should be able to use the dhclient hooks and the mail command to do exactly what you want. I've never played with the hooks though, so I'm afraid I can't be much help there.

Brilliant idea, Brad. I looked at those scripts before and my eyes glazed over. Now they have some meaning in light of this email discussion, especially the dhclient-exit-hooks script. Thanks for all your help.

Greg Morgan

> Hope that helps a little. Sorry for the lack of specifics.
>
> --Brad
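As an added example, not code from the thread or from any LEAF package, here is the kind of /etc/dhclient-exit-hooks fragment Brad's suggestion points at. dhclient-script sources this file after each lease event and exports $reason, $new_ip_address and $old_ip_address; the recipient address, the state file path and the availability of a working mail command (the same requirement mailstats.lrp has) are assumptions. It sends mail only when the address really changes, so a RENEW of the same lease produces no traffic.

```shell
# Added example, not part of any LEAF package: /etc/dhclient-exit-hooks
# fragment that mails the WAN address when a lease changes it.
# dhclient-script sources this file and exports $reason, $new_ip_address
# and $old_ip_address. MAILTO, STATE_FILE and the `mail` command are assumptions.

MAILTO="${MAILTO:-backup-client@example.invalid}"   # assumed recipient
STATE_FILE="${STATE_FILE:-/var/run/last_wan_ip}"     # assumed path
MAILER="${MAILER:-mail}"                             # overridable for testing

# ip_changed REASON NEW OLD -> success only when a notification is warranted:
# the event handed us an address and it differs from the one we had.
ip_changed() {
    case "$1" in
        BOUND|RENEW|REBIND|REBOOT) ;;
        *) return 1 ;;     # EXPIRE, FAIL, RELEASE, ... carry no new address
    esac
    [ -n "$2" ] || return 1
    [ "$2" != "$3" ]
}

# build_report HOST NEW OLD -> mail body on stdout (address only, no secrets)
build_report() {
    printf 'host: %s\nnew address: %s\nold address: %s\n' "$1" "$2" "${3:-none}"
}

# notify_if_changed -> reads dhclient's variables, sends the mail and records
# the address it announced so a repeated BOUND for the same lease stays quiet.
notify_if_changed() {
    last=""
    [ -r "$STATE_FILE" ] && read -r last < "$STATE_FILE"
    prev="${old_ip_address:-$last}"
    if ip_changed "${reason:-}" "${new_ip_address:-}" "$prev"; then
        build_report "$(hostname)" "$new_ip_address" "$prev" \
            | $MAILER -s "WAN address changed: $new_ip_address" "$MAILTO"
        printf '%s\n' "$new_ip_address" > "$STATE_FILE"
    fi
}

# When sourced by dhclient-script, $reason is set; do nothing otherwise.
if [ -n "${reason:-}" ]; then
    notify_if_changed
fi
```

The body carries nothing but the address. The key that lets the backup client log in stays on that client, and the client should still verify the router's ssh host key when it connects, because a mail in transit is easy to read or to forge.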
Re: [leaf-user] [OT] Weblet abuse
Jon Clausen [EMAIL PROTECTED] wrote:
> Subject: [leaf-user] [OT] Weblet abuse
> snip

LOL... Wives or girlfriends still can't figure out why this stuff is so amusing. Sounds like an interesting project.

> So what I'm asking now is this: Is anyone aware of any way to have an input field on a page served by the weblet...? It just occurred to me that I might get away with setting up a 'settime' script in cgi-bin that could get the value from the address line in the browser... something like: http://blinder/cgi-bin/settime?06:30 -but a 'real' input field on the page *would* be nicer... I realize that the weblet is really only meant to be a passive thingy, but I

If you can still find a copy of The CGI Book, published by New Riders in 1995 by author Bill Weinman at http://bw.org/, then you will find many sh script examples for handling CGI data. The samples used to be on his web site. I think he had a crash and has not restored the files yet -- http://bw.org/email/. I couldn't find any restrictions on posting the code, but I think you would want to talk to the author.

It is not that it cannot be done, but sh, bash, or ash shell scripts have a difficult time processing the query string returned from HTML form GET or POST methods. In order to do your task in weblet with ash you will need to know a little about CGI and HTML conventions (that book is a perfect, well-written introduction to this issue): what variables a POST or GET method would return to your script, and how to handle regular expressions to process the QUERY_STRING variable, or stdin, with sed. Since you are compiling in C already, a C program or other scripting language could do the same thing depending on the space you have available. Essentially, the language of choice would have to process QUERY_STRING=settime1=06%3A30&settime2=09%3A30, using an example similar to your http://blinder/cgi-bin/settime?06:30 example. This is the wicked little string you get to parse in CGI. I did get weblet to produce this string, by the way.

The last issue is that you would have to include your (ash/C executable/other script) file in the weblet.lrp package. You would need to add the new scripts in the /var/lib/lrpkg/weblet.list file. You will also need to look at file permissions, ownership, and the placement of your files in the /var/sh-www weblet world. Finally, back up weblet. There are some other docs in the FAQ, and David Douthitt has a developer's guide that will help on the packaging issues.

> thought I might as well ask anyway... In case somebody had already made something that might be adapted... TIA for any thoughts/ideas
> Jon Clausen

Hope this helps.
Greg Morgan
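Added example, not part of weblet or of Bill Weinman's samples: the parsing Greg describes, done in plain sh/ash. The web server exports QUERY_STRING to the CGI program by convention (a POST body arrives on stdin with CONTENT_LENGTH instead and is not handled here); the function names, the settime1 field and the strict HH:MM check are my own choices. The check is the point: a value lifted from the address bar is attacker-controlled, so it is whitelisted by shape before any command such as date sees it.

```shell
#!/bin/sh
# Added example for the weblet discussion, not weblet's own code: parse the
# CGI QUERY_STRING in plain sh/ash and accept a time only after strict
# validation. Names (urldecode, query_get, handle_settime, the settime1
# field) are assumptions for illustration; the only convention relied on is
# that the web server exports QUERY_STRING to the CGI program.

# urldecode STRING -> decoded string on stdout ('+' is a space, %XX a byte).
# Pure POSIX sh: each %XX becomes an octal escape handed to printf.
# Trailing newlines (%0A) are dropped by the $( ) captures; harmless here.
urldecode() {
    s=$(printf '%s' "$1" | tr '+' ' ')
    out=""
    while [ -n "$s" ]; do
        case "$s" in
            %[0-9A-Fa-f][0-9A-Fa-f]*)
                hex=${s%"${s#???}"}           # first three characters: %XX
                oct=$(printf '%03o' $(( 0x${hex#%} )))
                out="$out$(printf "\\$oct")"
                s=${s#???}
                ;;
            *)
                out="$out${s%"${s#?}"}"       # copy one ordinary character
                s=${s#?}
                ;;
        esac
    done
    printf '%s' "$out"
}

# query_get NAME QUERY -> decoded value of the first NAME=... pair, or fail.
# Pairs are separated by '&'; globbing is switched off while splitting so a
# value such as '*' cannot expand into file names.
query_get() {
    name=$1
    old_ifs=$IFS
    set -f
    IFS='&'
    for pair in $2; do
        case "$pair" in
            "$name="*)
                IFS=$old_ifs; set +f
                urldecode "${pair#*=}"
                return 0
                ;;
        esac
    done
    IFS=$old_ifs; set +f
    return 1
}

# valid_hhmm VALUE -> success only for exactly HH:MM in 00:00..23:59.
# Whitelisting the shape is what keeps ';', '`', '$(' and friends away from
# whatever command (date, a cron entry) eventually consumes the value.
valid_hhmm() {
    case "$1" in
        [01][0-9]:[0-5][0-9]|2[0-3]:[0-5][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# handle_settime QUERY -> prints the validated time from settime1, or fails
# (the caller answers "400 Bad Request" in that case instead of acting).
handle_settime() {
    t=$(query_get settime1 "$1") || return 1
    valid_hhmm "$t" || return 1
    printf '%s' "$t"
}
```

In the CGI script itself the call would be t=$(handle_settime "$QUERY_STRING") || { echo "Status: 400 Bad Request"; echo; exit 0; }, and only "$t" is passed on afterwards; the raw QUERY_STRING never reaches another command.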
Re: [leaf-user] Restricting SMTP, IMAP and POP traffic
Enchufa2.com [EMAIL PROTECTED] wrote:

Let me step out on a limb. I am just looking into the idea of using a private DMZ for a backup server. One LEAF box's protected server would send files to another LEAF box's port-forwarded server via SSH. From my reading, I get the feeling that some of the ipchains rules Ray described are covered in the extended scripts available for Eigerstein Beta 2. I am too new in the learning curve to fully describe the configuration yet. The extended scripts are the default scripts in Dachstein. The scripts are available to EB2 as an add-on package. Moreover, there are some hook files that may be useful in adding the specialized rules Ray talked about, if the extended scripts do not provide support by default.

What I am thinking is that the extended scripts would help with adding a private network DMZ. See your modified diagram below. If your company can spring for the cost of one more network card in your LEAF box, then you would put all your servers on the DMZ. This would also offer your network more protection if one of your servers is compromised. A reverse masquerade rule is set for the servers in the extended scripts. You could block all the services Ray talked about and restrict them to 172.16.8.2. This would restrict the services to your internal servers on the DMZ because of the built-in rules. Please see the ADVANCED FIREWALL CONFIGURATION section of the network.txt documentation file.

Hopefully, I helped and not hindered here.

Greg Morgan

> This is a commented diagram of the current setup:
>
>   Internet Gateway 216.72.129.xxx
>           |
>           |  LMMDS wireless link to ISP network
>           |
>   ISP router at building 172.16.8.1, subnet mask 255.255.255.0
>           |
>   LRP: Eigerstein Beta 2
>     eth0: 172.16.8.2     Router offers: NAT for the LAN, portfw to internal
>                          servers, SSH access from the outside
>     eth1: 192.168.0.1
>     eth2: 192.168.0.2    3 internal servers network/DMZ moved here.
>           |
>   Internal network 192.168.0.0/24
>           |
>        hub/switch
>           |
>   3 internal servers and several workstations:
>     - Services offered by the servers:
>         to the inside: proxy/cache (Squid), Socks5 proxy, authentication, DHCP, SMTP, IMAP, DNS
>         to the outside: www
>     - All servers and workstations use 192.168.0.1 as default gateway
>     - Servers' IP config is manual
>     - Workstations get IP config via DHCP
>     - Addresses: 192.168.0.2, 192.168.0.3, ... 192.168.0.252, 192.168.0.253
[leaf-user] Re: leaf-user digest, Vol 1 #873 - 6 msgs
Michael D. Schleif [EMAIL PROTECTED] wrote:
> Is there some meaning to getting 27,000 of these in five (5) minutes yesterday?
>
>   Packet log: input DENY wan1 PROTO=17 207.112.196.241:48785 x.y.z.157:7 L=1494 S=0x00 I=37458 F=0x T=126 (#48)
>
> Obviously, it's probably not a good thing; but, I'm trying to figure out what they may have been trying to do . . .

Port 7 is the echo service. If open, it can be used to help determine the type of OS the attacker is up against. This is certainly not an nmap scan. I don't know of any vulnerabilities except denial of service.

If your logging partition, /var, is in the same directory as /root, swap, /etc, and /home, i.e. just one massive Linux partition, then your var directory could fill up and clobber your firewall. One of the best things that DCD did was to put var in another partition. In the switch over from @home to @cox my /var partition filled up. @home used static IPs coupled with long DHCP requests to retrieve them. @cox uses DHCP and broadcasts on 255.255.255.255. The separate var partition protected me here. All of a sudden my /var partition was full because it was logging all the DHCP requests on the network. The firewall stayed up, however. The book Maximum Linux Security says that partitioning is one of the first steps of securing your system. The author spends almost all of chapter three describing partitioning. He also laments that most of the major distros do not spend enough time talking about the issue because it requires difficult choices.

So there's one idea of what could have happened. I wonder if it was a DDoS attack? Were all the IP addresses the same?

Greg Morgan
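Added example, not from the thread: a small triage pass over ipchains "input DENY" lines of the shape Michael quoted, answering Greg's two questions (same source? one port or many?) for each source address. The log lines below are constructed with documentation addresses, the thresholds are arbitrary parameters, and on a real box the input would come from the kernel log (the path is a local matter and not assumed here). One caveat is a fact of UDP rather than of this script: the source address of a flood is whatever the sender wrote into the packet, so a single source in the log is a hint, not an identity.

```shell
#!/bin/sh
# Added example, not from the thread: triage ipchains "input DENY" log lines
# by source address. Lines have the shape quoted above:
#   Packet log: input DENY wan1 PROTO=17 SRC:SPORT DST:DPORT L=... (#rule)
# deny_summary prints one line per source: SRC DISTINCT_DPORTS PACKETS VERDICT

# deny_summary [FLOOD_PKTS] [SCAN_PORTS]  (log on stdin)
#   flood: one destination port hit at least FLOOD_PKTS times from one source
#   scan : at least SCAN_PORTS distinct destination ports from one source
#   noise: everything else
# Output is sorted by source so the result is stable for scripting.
deny_summary() {
    awk -v flood="${1:-1000}" -v scan="${2:-10}" '
    /Packet log: input DENY/ {
        for (i = 1; i <= NF; i++) if ($i ~ /^PROTO=/) { p = i; break }
        split($(p + 1), s, ":"); split($(p + 2), d, ":")
        src = s[1]; dport = d[2]
        pkts[src]++
        if (!((src, dport) in seen)) { seen[src, dport] = 1; ports[src]++ }
        hits[src, dport]++
        if (hits[src, dport] > top[src]) top[src] = hits[src, dport]
    }
    END {
        for (src in pkts) {
            verdict = "noise"
            if (top[src] >= flood) verdict = "flood"
            else if (ports[src] >= scan) verdict = "scan"
            printf "%s %d %d %s\n", src, ports[src], pkts[src], verdict
        }
    }' | sort
}

# make_sample -> constructed log lines (documentation addresses, not real
# traffic): 5 UDP echo packets from one host, a 12-port TCP sweep from a
# second host, one stray packet from a third.
make_sample() {
    i=0
    while [ "$i" -lt 5 ]; do
        printf 'Packet log: input DENY wan1 PROTO=17 198.51.100.7:48785 203.0.113.157:7 L=1494 S=0x00 I=%d F=0x0000 T=126 (#48)\n' $((37458 + i))
        i=$((i + 1))
    done
    i=0
    while [ "$i" -lt 12 ]; do
        printf 'Packet log: input DENY wan1 PROTO=6 198.51.100.9:40001 203.0.113.157:%d L=60 S=0x00 I=%d F=0x4000 T=50 (#48)\n' $((20 + i)) $((100 + i))
        i=$((i + 1))
    done
    printf 'Packet log: input DENY wan1 PROTO=6 192.0.2.5:5000 203.0.113.157:80 L=60 S=0x00 I=1 F=0x4000 T=60 (#48)\n'
}

# verdict_for SRC [FLOOD_PKTS] [SCAN_PORTS]  (log on stdin) -> the verdict word
verdict_for() {
    deny_summary "$2" "$3" | awk -v s="$1" '$1 == s { print $4 }'
}
```

With the constructed sample, make_sample | deny_summary 5 10 reports the echo sender as a flood, the sweeping host as a scan and the stray packet as noise. Against a real log, the same per-source line also shows whether a burst like Michael's 27,000 packets came from one address or many, which is what separates a flood from a spoofed or distributed one.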
Re: [leaf-user] Module finder??
Kim Oppalfens [EMAIL PROTECTED] wrote:
> Hi all,
> Just wondering if a module finder service exists? Supposedly I have some sort of NIC which doesn't come with a Linux module, and the website of the manufacturer doesn't mention anything about Linux either. How would I go about finding the correct module? Does a list or search engine for such a thing exist? Or would I do what I usually do in Linux trouble and ask this or some other list?

Or learn how to cheat and use other Linux distributions' documentation. ;-)
http://www.redhat.com/docs/manuals/linux/RHL-7.2-Manual/ref-guide/s1-modules-ethernet.html

A good source of network driver information is located at http://www.scyld.com/network/. Other packages are being arranged by Pattrick Noyes on the LEAF site. But no module locator function exists as far as I know.

Greg Morgan

> PS: It is just a hypothetical question, I am thinking about doing a presentation about LEAF installation at work, and would like to find a nice solution for this problem. (Since I think it is the most difficult part in the installation if you don't have one of the standard modules included in most branches.)
> Kim Oppalfens
> MCT
> AZLAN -- Training
Re: [leaf-user] Bering v1.0-rc2 with diskonchip?
Darren Martz [EMAIL PROTECTED] wrote:
> snip
> I'm at a disadvantage here, my background is Windows development.

A lot of us started as Windows only. No biggie. It will expand your background.

> I'm also trying to locate an Ethernet driver for an i82557 chip. I may be on my own with the net driver,

Here are two links from the Intel site. But I'd try the eepro100.o driver first. I get the impression from the Intel site that this is just another version of the pro100 series of cards. I am using the eepro100 on my i82555-chipped cards with no problems. One is an old epro100B and the other is Intel's newer In Business 10/100 card. They look a little different, but work the same with the eepro100.o driver. You will also have to uncomment the pci-scan.o driver too. The pci-scan driver has to be first in the modules.conf file, before PCI-style adapters. Further information on the Linux driver can be found at http://www.scyld.com/network/eepro100.html. (This driver will work with the 10 Mbps PCI Pro-Plus boards that use the i82557 chip.) This driver is available on all LEAF distros.

http://www.intel.com/support/network/sb/1013651991539069-prd38.htm
which redirects you to
http://support.intel.com/support/network/adapter/pro100/21397.htm

> snip
> Darren

Hope this helps,
Greg
[Leaf-user] ipmail config
Has anyone configured the ipmail.lrp package? Most of the list archives were about the release of ipmail. I am using kp's Dachstein 1.0.2.1 glibc-2.1.3 CD release.

1.) I added both ifconfig.lrp and ipmail.lrp, in the order listed, to the lrpkg.cfg file on the floppy. Hence, I am booting from the CD with the configuration saved on the floppy.
2.) I edited /usr/sbin/ipmail from lrcfg. Both MAILTO and MAILFROM were set.
3.) Performed a full backup of the ipmail package.
4.) Followed the instructions in ipmail to edit /etc/lrp.conf. Uncommented and set both lrp_MAIL_SERVER and lrp_MAIL_ADMIN.
5.) Performed a full backup on the etc package to capture the lrp.conf changes.
6.) Rebooted.

I started to receive error messages that I have not seen on a DCD release. I saw

    Aborting due to timeout
    Killing child processes:
    : Terminated
    : Terminated

I edited the /usr/sbin/ipmail script and put some echos in the while loop. I set the time down to 5 seconds. I started the script and made sure no other versions were running. The script had process 6017. I received two of the "Aborting..." messages above. The terminated processes were 6035, 6038, 6164, and 6167, i.e. not the original process. Next I saw the script start looping every five seconds while showing my echos. (I caused it to loop just to see if ipmail was working.)

The desire is to email a dynamic IP from DCD to another system. The target system would pick up the email at an ISP. A script on the target system would then SCP backups to the originating DCD system. The DCD system would port forward to a server with a large hard drive on a DMZ.

I know I have to be missing something. I don't see where I would put an SMTP user and password for the ISP in the configuration files. I would think that ipmail would have to use the SMTP user and password of the cable modem user to email the dynamically assigned IP address. More importantly, is what I am trying to do out of the question?

Greg Morgan
Re: [Leaf-user] Unbelievable
[EMAIL PROTECTED] wrote:
> http://www.theregus.com/content/4/24611.html
>
> It is absolutely inconceivable to me, if true, that that is not some kind of criminal offense.

Ahhh, but you and I are honest people that work for a living. Like maybe a handshake still seals the deal. However, if your current business model is losing money, then you have to change licensing models and switch to dot net. Nothing is out of the question to remain a favorite of Wall Street.

> To build in to an O/S release to automatically fetch files without your explicit knowledge and permission, and even to fetch them from a company which is renowned for security holes, even if the intent is benign (hah!).

I think this is one of their milder excursions. See below for more. Think of all that they can do with dot net.

> If true, I am enraged and astounded that the American public is not enraged. I wonder how this affects corporate

We come home and just want to click a button on the microwave, TV, DVD, or PC.

> users. I wonder if Japanese industrialists run XP.

China has adopted Linux because the price of Windows products eats too much of their GNP.

> I wonder if Dell would be jointly criminally liable. How could this not be front-page news with info on how to cripple this 'feature'? What is wrong with us? I actually hope this story is a hoax. Is The Register reliable?

The story is true; there are many more just like it. Take a look at the introductory article from http://www.w2knews.com/index.cfm?id=352. They are counting each time you play a file in Windows Media Player. The story said that MS claims that the data is firewalled right now. Use this handy script on startup or shutdown. It is for ME/98. There is a similar location in NT/2000.

    @echo off
    Rem kill wmp database
    cd C:\WINDOWS\All Users\Application Data\Microsoft\Media Index
    attrib -r *.*
    del WMPLIBrary*.*

Also note that they have a globally unique id to let web sites track you in Windows Media Player. It can be turned off, however.

> No wonder they have such disdain for the govt. and the law. They want to BE the govt. and the law.

$29 billion in cash helps. Here's how to refuse the mark of the beast: http://www.theregister.co.uk/content/4/24668.html

Read how MS killed DRDos in Fyodor's bio. Fyodor designed nmap, the port scanning tool. http://www.insecure.org/myworld.html

So now let me direct this back more toward the intent of the mailing list. For a long time I've used a variety of operating systems: HP 3000, IBM, Windows, Unix and now Linux. So I am not a bigot or trying to start a flame war. I'll still use whatever makes the most sense for the job. That's what an analyst has to do. It is hard to read through all the marketing crap, however. If you disagree with policies of where Microsoft wants to tell you where to go, then refuse to follow. So here's what I plan to do. Windows ME is the end of the road for my house. I am getting ready to dual boot the Windows PCs with Linux. I still have to bring the wife and kids along. The problem of browsing MS-tool-oriented sites using Linux browsers has been solved by the CrossOver Plugin found at http://www.codeweavers.com/home/. If I have to learn more about Windows, I'll do it at work. If I have to certify, I'll choose some other course than Microsoft, such as Zair, Oracle, and Cisco. I find working with Unix/Linux more interesting than MS, and I have used both for a long time. If you are truly interested in freedom as opposed to the picture that MS paints, then do what you can for a project like LEAF. I've learned a lot of interesting things by reading the LEAF mailing list. Work on mini howtos in any available time you have. Encourage people just beginning and struggling to use LEAF, etc. In order to retain your online freedom, there still has to be a choice.

Greg Morgan
Re: [Leaf-user] Changes for new Dachstein release
It is a simple request. Would you please provide both /mnt/floppy and /mnt/cdrom mounting points?

Thanks,
Greg
Re: [Leaf-user] Changes for new Dachstein release
Charles Steinkuehler wrote:
> > > - Alter weblet disk-checking script to ignore CD-ROM (always 100% full)
> >
> > I am not following the weblet CD-ROM issue. I am running weblet 1.2.0 off of DCD 1.0.2. I've clicked all around on the weblet web pages and I do not see where the CD-ROM is reported at all.
>
> If you mount the CD-ROM, the weblet disk-check script will report an error. This only occurs when the CD-ROM is actually mounted (i.e. it shows up in the output of df). The disk monitoring script should probably be modified to ignore read-only media.

Ahh. I see the problem now after I mounted the cdrom. I didn't save the original file to do a diff on it, but a weblet checkdisk solution is listed below. I am not posting all of it because my message would get bounced because of HTML content. I simply added a case statement and ignored all lines that are not /dev/ram?. Four lines of comments explain my rationale in the code below.

I hope this helps,
Greg Morgan

    for line in `df | grep /dev/` ; do
        # Look at the grepped line returned from df.
        # We are only concerned about shortage of space on the ram drives.
        # All other mounted media is presumed to be some sort of boot media.
        # The default case statement will ignore it, especially cdroms.
        case $line in
            *ram*)
                IFS=$OIFS
                set -- $line
                DEV=${1#/dev/}
                used=${5%\%}
                used=${used:-100}
                free=${4:-0}
                pcnt=$(( ${free} * 100 / ${2:-1} ))
                eval WRN_PCNT=\$WRN_DISK_${DEV}_PCNT
                eval WRN_K=\$WRN_DISK_${DEV}_K
                eval ERR_PCNT=\$ERR_DISK_${DEV}_PCNT
                eval ERR_K=\$ERR_DISK_${DEV}_K
                WRN_PCNT=${WRN_PCNT:-$WRN_DISK_PCNT}
                WRN_K=${WRN_K:-$WRN_DISK_K}
                ERR_PCNT=${ERR_PCNT:-$ERR_DISK_PCNT}
                ERR_K=${ERR_K:-$ERR_DISK_K}
                [ $pcnt -le ${WRN_PCNT} ] && setwarn
                [ $free -le ${WRN_K} ] && setwarn
                [ $pcnt -le ${ERR_PCNT} ] && seterror
                [ $free -le ${ERR_K} ] && seterror
                ;;
            *)
                continue
                ;;
        esac
    done
Re: [Leaf-user] long delayed ssh messages
Mike Sussman [EMAIL PROTECTED] wrote:
> snip
> I have observed a strange message and I hope one of you can shed some light on it. Last night I logged into my university shell account using ssh. I did some work and logged out. This afternoon (maybe 18 hours later) I received the following message:
>
>   Read from remote host euler.math.pitt.edu: Connection reset by peer
>
> The message appears to be saying that euler.math.pitt.edu sent me a message this afternoon and that my computer recognized it as related to last night's ssh session. If that interpretation is true, HOW DID THE MESSAGE GET THROUGH THE DACHSTEIN FIREWALL? I have no ports opened.

Sometimes *nix systems keep track of your last logon and report it back to you, but this may not be the case here. Second, I think this is the university's ssh daemon talking to you and nothing is coming through your firewall. I think your connection worked 18 hours ago and now you are having problems. I searched Google and came across this message. It hints that you may have a configuration problem, or the University may be having a problem. The URL is here, and a copy of the message. I'd replace PuTTY with your ssh client and Red Hat with the university's ssh server when you read the message.

http://www.tek-tips.com/gviewthread.cfm/lev2/3/lev3/20/pid/54/qid/197750

    dpjc (Visitor) Mar 8, 2002
    I tried to use PuTTY to make a ssh connection to a redhat 7.2 server running the sshd daemon (by installing openssh-server2.9p2). But instead of getting connected, it keeps giving me this error:
        Network error: connection reset by peer
    I have been looking for the solution for almost a day through numerous sites and still can't find the solution. Is anybody out there who can help?

    ifincham (IS/IT--Manageme) Mar 8, 2002
    Hi,
    First suspect would be the RH 7.2 firewall. Did you allow port 22 (ssh) through? Unless you know you disabled that or configured it already, then 'lokkit' is often one of the reasons people can't connect to a RH7.x machine out of the box.
    You can admin lokkit via:
        # /usr/sbin/lokkit
    ... simplest is to set your LAN interface as trusted.
    Then restart the network:
        # /etc/rc.d/init.d/network restart
    Otherwise, see the openssh chapter of the RH Customisation guide -- http://www.redhat.com/docs/manuals/linux/RHL-7.2-Manual/custom-guide/openssh.html
    When you have the basics working see also -- http://www.redhat.com/docs/manuals/linux/RHL-7.2-Manual/ref-guide/s1-ssh-requiring.html
    Hope this helps

    aixmurderer (IS/IT--Manageme) Mar 8, 2002
    For a client I have taken to SecureNetterm as my preferred ssh client, found it pretty robust with lots of extras built-in. One nice feature is the ability to generate private and public keys, doing away with the need for passphrase authentication when connecting. As for setting up SSH (OpenSSH) on a mix of Sun, AIX and Linux, the info out there was pretty sparse. I ended up buying the O'Reilly SSH book, a bit pricey, but excellent. The connection reset by peer may be that your sshd daemon isn't running; do a ps -ef | grep sshd and see if it's up. But then it may be a firewall/router issue as well, as ifincham said.
    IBM Certified Specialist - MQSeries

    dpjc (Visitor) Mar 10, 2002
    Thanks guys. It is the firewall setting which blocks the SSH port. Now it works. Thanks, ifincham & aixmurderer.

> I have set ssh on the firewall to listen only to the internal net. I have no kernel modules to pass packets. I have no services (except the internal ssh) running on the firewall. I must be misinterpreting something. Please educate me.
> --
> Mike Sussman [EMAIL PROTECTED]

I hope this helps,
Greg Morgan
Re: [Leaf-user] Changes for new Dachstein release
            )
                echo "Content-type: image/gif"
                echo "Expires: Thu, 7 Mar 1968 00:00:00 GMT"
                echo
                cat ../images/${level}.gif
                ;;
            *)
                echo "Status: 400 Bad Request"
                echo
                ;;
        esac
        ;;
    *)
        echo "Content-type: text/html"
        echo "Status: 400 Bad Request"
        echo
        echo "<HTML><HEAD><TITLE>ERROR</TITLE></HEAD>"
        echo "<BODY BGCOLOR=\"#cc\"><H2>400 Bad Request</H2>"
        echo "Unknown response format: $1"
        count=1
        while [ ${count} -le 5 ] ; do
            echo "<!-- Padding to override IE 'friendly error pages' -->"
            echo "<!-- Response must be longer than 0x200 bytes -->"
            count=$(( $count + 1 ))
        done
        echo "</BODY></HTML>"
        exit 1
        ;;
    esac

Greg Morgan
Re: [Leaf-user] long delayed ssh messages
I have one other _speculation_ based on all the other urls explaining what Network Error: The reason the University could get a message through your firewall is that your session did not or the server did not cleanly disconnect you the other night. Finally either the sys admin or the sshd daemon on the University computer disconnected you. Hence the Network Error: Connection Reset By Peer. Greg Mike Sussman wrote: Thanks, Greg, for the comments, but I still wonder how the University's computer managed to get a message to my computer through my Dachstein firewall. (My original ssh session worked fine. It was only 18 hours later that I got the Connection reset by peer message.) If the University can get to my computer, who else can? And how do I stop it? On Friday 12 April 2002 08:56 pm, you wrote: ummm...a little more research points to a problem on the university site. http://support.pinehurst.net/netscape/network_error.html Why do I get Network Error: Connection Reset By Peer? --- - Question: When I try to download something from a particular site, I receive a message that the connection was reset by peer. How do I resolve this? Answer: A connection reset by peer message means that the site you are connected to has reset the connection. This is usually caused by a high amount of traffic on the site, but may be caused by a server error as well. You will need to contact the site administrator or webmaster and inform them of this error message if it persists. Usually waiting a short amount of time and trying to access that site again is all it takes to get through to it. Greg Morgan wrote: Mike Sussman [EMAIL PROTECTED] wrote: snip I have observed a strange message and I hope one of you can shed some light on it. Last night I logged into my university shell account using ssh. I did some work and logged out. 
This afternoon (maybe 18 hours later) I received the following message: Read from remote host euler.math.pitt.edu: Connection reset by peer The message appears to be saying that euler.math.pitt.edu sent me a message this afternoon and that my computer recognized it as related to last night's ssh session. If that interpretation is true, HOW DID THE MESSAGE GET THROUGH THE DACHSTEIN FIREWALL? I have no ports opened. Sometimes *nix systems keep track of your last logon and report it back to you but this may not be the case here. Second I think this is the university's ssh daemon talking to you and nothing is coming through your firewall. I think your connection worked 18 hours ago and now you are having problems. I searched google and came across this message. It hints that you may have a configuration problem, or the University may be having a problem. The url is here and a copy of the message. I'd replace putty with your ssh client and Redhat with the university's ssh server when you read the message. http://www.tek-tips.com/gviewthread.cfm/lev2/3/lev3/20/pid/54/qid/197750 dpjc (Visitor) Mar 8, 2002 I tried to use PuTTY to make a ssh connection to a redhat 7.2 server running sshd daemon (by installing openssh-server2.9p2). But instead of getting connected, it keeps giving me this error: Network error: connection reset by peer I have been looking for the solution for almost a day through numerous sites and still can't find the solution. Is anybody out there who can help? ifincham (IS/IT--Manageme) Mar 8, 2002 Hi, First suspect would be the RH 7.2 firewall. Did you allow port 22 (ssh) through? Unless you know you disabled that or configured it already then 'lokkit' is often one of the reasons people can't connect to a RH7.x machine out of the box. You can admin lokkit via: # /usr/sbin/lokkit ... simplest is to set your lan interface as trusted.
Then restart the network: # /etc/rc.d/init.d/network restart Otherwise, see the openssh chapter of the RH Customisation guide -- http://www.redhat.com/docs/manuals/linux/RHL-7.2-Manual/custom-guide/openssh.html When you have the basics working see also -- http://www.redhat.com/docs/manuals/linux/RHL-7.2-Manual/ref-guide/s1-ssh-requiring.html Hope this helps aixmurderer (IS/IT--Manageme) Mar 8, 2002 For a client I have taken to SecureNetterm as my preferred ssh client, found it pretty robust with lots of extras built-in. One nice feature is the ability to generate private and public keys, doing away with the need for passphrase authentication when connecting. As for setting up SSH (openSSH) on a mix of Sun, AIX and Linux, the info out there was pretty sparse. I ended up buying the O'Reilly SSH book, a bit pricey, but excellent. The connection reset by peer may be that your sshd
Re: [Leaf-user] Changes for new Dachstein release
Charles Steinkuehler [EMAIL PROTECTED] wrote: It looks like it's getting to be time for a new Dachstein release. There are a number of minor bugs to fix in the system scripts, and (more importantly) security updates to some of the packages on the CD (SNMP and libz). My current ToDo list consists of the following. Please post if you think something else should be added to this list, or are willing to try your hand at implementing some of the listed changes.
-- TODO --
- Support multiple mount points in space-check multicron script (currently, only the root partition is checked)
- Fix ping check e-mail functionality
- Fix package not found bug in /linuxrc (duplicates appear in package list if a package is not found)
- Fix updatetime() in /etc/multicron-p
- Fix mount.back dev = POSIXness bug
- Add example lrpkg.cfg to CD Contents
- Add example pkgpath.cfg to CD Contents
- Alter weblet disk-checking script to ignore CD-ROM (always 100% full)
I am not following the weblet CD-ROM issue. I am running weblet 1.2.0 off of DCD 1.0.2. I've clicked all around on the weblet web pages and I do not see where the CD-ROM is reported at all.
Package updates: libz snmp
There are newer versions of the ssh packages available, as well...
Re: [Leaf-user] can I run simple Samba server on a LEAF machine? or something similar,
Michael D. Schleif [EMAIL PROTECTED] wrote: Consider this: http://lrp.steinkuehler.net/files/diskimages/dachstein-CD/CD-Contents/ http://lrp.steinkuehler.net/files/diskimages/dachstein-CD/CD-Contents/nmbd-207.lrp Short answer: Not on LEAF. Unfortunately the LEAF package provides just half of the SAMBA package. See the section of the on-line O'Reilly book Using Samba copied below. The nmb package is the half that you are not looking for. The LEAF nmb package is provided to allow wins resolution across a VPN for, say, two different offices. To serve files, etc. you need the smb, or Server Message Block daemon. A pentium 166 mhz machine will do. It is advisable to run Samba on another server versus your firewall. Throw lots of memory at it--I started with just 128M. Redhat, Suse, and other distributions have a swat configuration tool to help with your setup. www.samba.org has lots of information. Here's more information on the O'Reilly book. http://www.oreilly.com/catalog/samba/index.html http://www.oreilly.com/catalog/samba/chapter/book/ch01_05.html smbd The smbd daemon is responsible for managing the shared resources between the Samba server machine and its clients. It provides file, print, and browser services to SMB clients across one or more networks. smbd handles all notifications between the Samba server and the network clients. In addition, it is responsible for user authentication, resource locking, and data sharing through the SMB protocol. nmbd The nmbd daemon is a simple nameserver that mimics the WINS and NetBIOS name server functionality, as you might expect to encounter with the LAN Manager package. This daemon listens for nameserver requests and provides the appropriate information when called upon. It also provides browse lists for the Network Neighborhood and participates in browsing elections. Of course, depending on what you need to do . . . HTH Gary Dodge wrote: can I run simple Samba server on a LEAF machine?
or something similar, I need just a simple file share or server, no passwords or security. and to handle a 120 or 160 gig ide drive thanks for any ideas out there I hope this clarifies what you are trying to do. Greg Morgan
Re: [Leaf-user] ssh firewall revisited
Henning, Brian [EMAIL PROTECTED] wrote: Hello- I continue to have problems connecting to the webserver on my LAN. Here is my configuration using putty. Can anyone see what I am doing wrong? I thought I was following the directions. Thanks, brian
putty at work: Source port: 3005 Destination: LEAF ip:80
Local web browser at work: http://localhost:3005/
setup at home: Leaf/echowall - port forward ssh | | | w2k/apache - port 80
I think you are doing a great job and heading in the right direction. It appears that you have all the mechanics setup correctly. You have putty on your work computer. If you are using plink, then it appears that you are using a command similar to plink -L 3005:myLEAFipAddress:80 myuser@myW2kboxIPorName Now let's address the LEAF or W2K problems. 1.) If you have configured LEAF to port forward port 22 to the W2K box, then the W2K box needs to have a SSH server on it. In this configuration LEAF is not using SSH at all. LEAF just redirects the traffic to another server. I know the putty site does not have a SSH daemon, nor intends to create one. If this is your configuration, you need a SSH daemon on the W2K box to receive the port 22 forwards from your LEAF firewall. Perhaps someone else knows of a SSH daemon for Windows. 2.) If you are running SSH on your LEAF firewall, then the connection stops at the firewall i.e. -L 3005:myLEAFipAddress:80 is trying to talk to weblet. In this case it appears like you are mixing port forwarding and server processes. I do not know if there is a way to have the SSH daemon send the decrypted traffic to the W2K box from the firewall. If solutions cannot be found to either of these configurations, then ipsec sounds like an alternative. I cannot address that solution at this time. Can anyone else add comments to Brian's configuration issues? Greg Morgan
Re: [Leaf-user] Celeron/Pentium vs Duron/Athlon
Scott C. Best wrote: You could start a religious war here. :) THG does a fairly good job of reporting about which systems are currently the top-dog at a given price target. I'd agree that AMD holds the lead here. However, THG also overclocks whatever they can get their hands on, to see whose system has more game left in it. In this category, Intel's P4 is out in front (though you'd pay more for it). Yeah I should be careful. I really don't mean to start a religious war. I used to buy only Intel processors. That comes from my days with early 80286 clones. AMD had some problems. Actually I was an Intel bigot for many years. Now at this day and age--and I speak for myself--I don't think the hardware much matters anymore. 500mhz is good enough, 1000mhz is just right for games even with a bad video card. The trouble is that it is hard to see the difference after your hardware is at a certain level of performance. For example I blew some money on DDR memory, and I don't know how much it matters for a Windows desktop. I'll soon be dual booting this machine with Linux and maybe I might get excited!? LOL...I think I was more impressed with game texture map improvements generated by my recent video card purchase, than the kids were. In this day and age I buy for price and not name brands. Since I am buying for price, since Intel has desupported socket7 hardware and the lowend desktop, and since AMD and others can create a chip set for a motherboard, I find that I have wound up with AMD hardware. I really don't worry about running hardware benchmarks on my own equipment because there's not a lot I worry about in tweaking hardware. In most cases, the general all around performance is good. I'll only really get excited if they can ever improve the bus speed because that's where the real problems lie these days. That's where I feel it is all commodity junk. If an Intel chip was on sale, I'd buy it. For the home market buy what you can afford and you'd do just fine.
I think Dan Gilleece had some insightful comments on the subject too. I hope this helps, Greg
Re: [Leaf-user] Celeron/Pentium vs Duron/Athlon
Michael E.T. Parker [EMAIL PROTECTED] wrote: Thanks for all the replies to '.. speed and workload'. I have another question. Is there a significant performance penalty when using a Celeron or Duron processor vs an Athlon or Pentium? Not just in speed but in the ability to process. This is a really broad question. It all depends on what you want to do. I read a performance review on www.tomshardware.com. I don't recall the link but the data is almost a year old. It influenced how I look at hardware now. Tom showed how at around 800 mhz to 1000 mhz all the processors were about the same in the video game arena and office applications. An 800 mhz processor bottlenecked at the same point the 1000 mhz did. They choke on graphics throughput. His conclusion was to spend your money on the best graphics card you can get and that you only need an 800mhz processor. At these speeds it is really hard to see the difference anymore. For example my 500mhz K6-2 AMD Samba server is fast enough. I have a 300A mhz celeron on the shelf that would serve up files equally well. More memory on a file server for caching helps more than cpu speed. Tom's Hardware has made other comparisons. He has found Durons and Athlons outperform Intel chips. I get the picture that the food chain looks like celeron, pentium, duron, athlon...this is a generalization. The other problem when looking at speed is that Intel uses this as a marketing tool. AMD chips perform better at lower speeds suggesting that the ability to process is held by AMD chips. Closer to home to LEAF, I'd worry more about bus speeds. Remember a 486 is good enough for LEAF. But a pentium, etc perform better because the system runs at a 66mhz bus speed. When I got my first 166mhz pentium, I realized that multimedia began to work because the bus speed could support video and sound. Likewise, your throughput for network performance will be better on a celeron/pentium/duron/athlon than a 486 because of the improved bus speed. I hope this helps.
I shot broad because you had a broad question. If you hang out on http://www.tomshardware.com or similar sites you'll get a feel for these issues. As you read a hardware site you may get a better answer for the specific ideas you are looking for. LOL to me it is all junk anymore. Especially when I purchased a mainboard and 1000mhz processor for $99US several months ago. Greg Morgan
Re: [Leaf-user] ssh firewall
to perform peer tasks, then you will want to investigate CIPE. CIPE specializes in the tunneling that SSH does and sometimes has problems doing http://sites.inka.de/~bigred/devel/tcp-tcp.html. The main CIPE site is at http://sites.inka.de/~bigred/devel/cipe.html. I hope this helps. I had fun exploring it for you and others that may need this technique. I have not had the need to do this yet but it was interesting exploring it. Regards, Greg Morgan This information may be helpful even though it talks about using the putty client and not plink. http://www.chiark.greenend.org.uk/~sgtatham/putty/0.52/puttydoc.txt 3.5 Using port forwarding in SSH The SSH protocol has the ability to forward arbitrary network connections over your encrypted SSH connection, to avoid the network traffic being sent in clear. For example, you could use this to connect from your home computer to a POP-3 server on a remote machine without your POP-3 password being visible to network sniffers. In order to use port forwarding to connect from your local machine to a port on a remote server, you need to: - Choose a port number on your local machine where PuTTY should listen for incoming connections. There are likely to be plenty of unused port numbers above 3000. - Now, before you start your SSH connection, go to the Tunnels panel (see section 4.17.2). Make sure the `Local' radio button is set. Enter the local port number into the `Source port' box. Enter the destination host name and port number into the `Destination' box, separated by a colon (for example, `popserver.example.com:110' to connect to a POP-3 server). - Now click the `Add' button. The details of your port forwarding should appear in the list box. Now start your session and log in. (Port forwarding will not be enabled until after you have logged in; otherwise it would be easy to perform completely anonymous network attacks, and gain access to anyone's virtual private network). 
To check that PuTTY has set up the port forwarding correctly, you can look at the PuTTY Event Log (see section 3.1.3.1). It should say something like this: 2001-12-05 17:22:10 Local port 3110 forwarding to popserver.example.com:110 Now if you connect to the source port number on your local PC, you should find that it answers you exactly as if it were the service running on the destination machine. So in this example, you could then configure an e-mail client to use `localhost:3110' as a POP-3 server instead of `popserver.example.com:110'. (Of course, the forwarding will stop happening when your PuTTY session closes down.) You can also forward ports in the other direction: arrange for a particular port number on the _server_ machine to be forwarded back to your PC as a connection to a service on your PC or near it. To do this, just select the `Remote' radio button instead of the `Local' one. The `Source port' box will now specify a port number on the _server_ (note that most servers will not allow you to use port numbers under 1024 for this purpose). The source port for a forwarded connection usually does not accept connections from any machine except the SSH client or server machine itself (for local and remote forwardings respectively). There are controls in the Tunnels panel to change this: - The `Local ports accept connections from other hosts' option allows you to set up local-to-remote port forwardings in such a way that machines other than your client PC can connect to the forwarded port. - The `Remote ports do the same' option does the same thing for remote-to-local port forwardings (so that machines other than the SSH server machine can connect to the forwarded port.) Note that this feature is only available in the SSH 2 protocol, and not all SSH 2 servers support it (OpenSSH 3.0 does not, for example). This might seem like a silly question but, here it goes anyway.
Is it possible to tunnel http through ssh on port 22 and access a website from outside the local network? Absolutely! Run something like the following on your local system (use cygwin on a windows box) ssh -L 80:remote IP or domain:80 remote system -l remote-user-name This will connect your local port 80 to port 80 on remote IP or domain via an ssh connection to remote system. To access the remote website, just go to http://localhost , or http://127.0.0.1 Charles Steinkuehler http://lrp.steinkuehler.net http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
Re: [Leaf-user] Martians!! Tracking them!!!
Sergio Morilla [EMAIL PROTECTED] wrote: snip It is an IPX NCP packet with destination port SAP (Service Advertising Protocol) I do have an IPX network. But these messages appeared a couple of days ago. Excuse my ignorance but how does an IPX packet get handled and logged in LRP (DCD 1.02) as a TCP packet??? snip Sergio, I can venture a guess. Novell like a lot of other people is seeing that it helps if you use open standards. Somewhere after Novell 5.1 or thereabouts Novell lets a person replace the IPX protocol with IPX encapsulated in TCP/IP. If this is the answer to the IPX packet on LRP, has someone on your IPX network begun the move to TCP for your Novell network? I hope this helps, Greg
Re: [Leaf-user] Sudo in Cgi
[EMAIL PROTECTED] wrote: I don't know what the big deal is. Someone wrote to the list about root access from Apache cgi. I responded with a Reply with History from Lotus Notes (sorry that's what my company uses). My email was rejected by the moderator. snip I believe sourceforge has some restrictions on things that can be posted and it has nothing to do with the Leaf mailing lists. I tried to post a dos .bat file to the development list once and sourceforge didn't like that either. sigh...I am sure it has to do with security somehow. Greg
Re: [Leaf-user] embedded NICs / rack server
Merrick Munday wrote: Also, I think Donald Becker has drivers for the GBit Intel cards, and his drivers are almost always easy to compile and usually work quite well... Actually, Donald Becker's page at http://www.scyld.com/network/ says: Contact Intel directly for the Linux driver for their gigabit card. They have a non-GPL driver. Because of the license conflict this driver may not be pre-linked or pre-patched into the Linux kernel. See below. I had no trouble compiling the driver for Redhat 7.1. I am at Redhat Kernel 2.4.3 and SGI XFS file system. The warning below doesn't support anything past kernel 2.2.16. Although a new driver just released 2/13/2002 now supports Linux* kernels 2.2.x through 2.2.20 and 2.4.x kernels through 2.4.16 http://downloadfinder.intel.com/scripts-df/Detail_Desc.asp?ProductID=749&DwnldID=2897. I use this box as a Samba server. I am playing with a dedicated 1gbit line from server to one client. All the kids games are loaded on the samba server and they pull them over the net. 100 mbit is ok 1000 gbit is better. The 13 year old can burn cds over 100 at 4x. It is an old hp burner. I haven't finished the speed tests yet to see how fast the 1gbit card can support. Naturally this playland is protected by a LEAF firewall. From where I sit this is not a positive sign, does this mean I should avoid PRO/1000 cards and/or embedded 82544 chips? Becker is only saying that this is not a GPLed driver. You may have challenges getting the driver compiled for leaf however. Moreover, I don't know if it could be precompiled and distributed as a binary with a leaf distro. If this is a router for an internal segment of a LAN, then the more speed the better. If this is a firewall attached to a cable modem or dsl line, then save your money and use the 10/100 cards. The cable modem cannot saturate a 10 mbit card. You can evaluate some Intel products. There are also 32bit and 64bit 1gbit cards in the eval program.
You are only supposed to be able to buy one adapter in a year. How to save money: http://inteleval.ententeweb.com/product_detail.asp?item=PWLA8390T. Use two different email accounts, two different credit card numbers, and one network crossover cable, then you too can have a--turn head and cough--cheaper 1gbit link. ;-) You will need to use netscape with two different profiles for the cookies Intel records. Greg
From the Intel cd-rom readme /mnt/cdrom/PRO1000/info/p1000.htm
Linux
This file describes the PRO/1000 driver for the Linux operating system. This package includes the source code for a Linux driver for the Intel PRO/1000 Server Adapter. This driver is known to build properly on 2.2.0 and newer Linux kernels. Most testing by Intel has been performed on the Linux 2.2.14 kernel on PCs with Intel processors. Kernels prior to 2.2.0 and beyond 2.2.16 are not officially supported. The PRO/1000 driver is only supported as a loadable module at this time. Intel is not supplying patches against the kernel source to allow for static linking of the driver. Please refer to the documentation supplied with your PRO/1000 adapter to answer any questions related to hardware requirements. All hardware requirements listed apply to use with Linux.
Building and Installation
Note: For the build to work properly it is important that the currently running kernel match the version and configuration of the installed kernel sources (and the header files in /usr/include/linux)
1) Enter the src directory ('cd src'). The rest of the build process should be run from here.
2) Run 'make' to build the driver as a loadable module.
3) Test the loading of the driver by running 'insmod e1000.o'.
4) Run 'make install' to install the e1000.o binary. The binary will be installed as: /lib/modules/[KERNEL_VERSION]/net/e1000.o
Basic Configuration
Once the driver has been installed it can be loaded by running 'modprobe e1000'. This will create a new Ethernet interface. For example, if no other Ethernet drivers are loaded the PRO/1000 will be called eth0. The interface can be activated and assigned an IP address by running: `ifconfig ethX yyy.yyy.yyy.yyy' where ethX is the Ethernet device and yyy.yyy.yyy.yyy is the IP address. ...
Re: [Leaf-user] Dachstein CD, problem with connecting from DMZ to internal
Kjetil Næss wrote: Hi all, I've spent too many hours trying to solve a problem I now hope some kind person can help me with. I'm using the latest Dachstein CD version, 3 network cards as follows
eth0=external (ip's 212.125.237.178, 180, 181,182)
eth1=internal (ip's 192.168.1.0/24)
eth2=DMZ (ip's 192.168.2.0/24)
I want to allow a machine in the DMZ to connect to a specific machine in the internal net on a specific port, ie. Kjetil this idea violates the whole idea of using a DMZ. eth1, your internal net should connect to both eth0, the external and eth2 the DMZ. However, eth2 should never connect to the internal net. The DMZ routing is designed to do this...on purpose. If a server on your DMZ net is compromised and it has access to your internal net, then your internal net is at risk. The DMZ leverages the router to serve both your protected internal net that is being protected from the big bad Internet, and the router allows you to host servers that are at risk on the Internet--the DMZ. It would be advisable for you to rethink your strategy. Perhaps you could describe it in more detail and others could help you enable your goals safely. I hope this helps, Greg Morgan machine 192.168.2.2 wants to connect to 192.168.1.250 on port 4711. I have no problem going from internal to external, or from internal to dmz (can connect to web-server on dmz). All attempts to have the machine in the dmz connect to the internal one fail. Some have mentioned to me that this will not be possible/allowed. True? At the moment, DMZ_SWITCH=PRIVATE. I've tried with YES/PROXY (what's the difference between these three?). I've also tried setting up rules for accepting traffic between these two machines to no avail. Telnet from 192.168.2.2 to 192.168.1.250 4711 fails, and nothing appears in the log. Could it be a routing problem? I've set default gateway on 192.168.2.2 to 192.168.2.254 which is the ip of eth2. Please help if you can.
Kjetil Næss snip html..you only need to send text
Re: [Leaf-user] Dachstein CD, problem with connecting from DMZ to internal
I think I've seen Charles S recommend putting your db server on another ethernet card as one option. The db server can be on the DMZ, but nothing will route to it from the Internet because you would not port forward to it. You would maybe put a ssh connection to it for secure maintenance. The web server would talk to the db server through normal tcp/ip traffic on the same net. You can minimize your web security issues by not loading in modules that you do not use. For instance if your CGI script is in perl do not load PHP modules, etc. Can anyone else on the list give Kjetil a more concrete answer? Greg Kjetil Næss wrote: What I want to do is to have a web-server in the DMZ. This web-server has a special cgi-script which I've written. It connects to another server which will receive all parameters from the cgi-script, do some database operation and then return a new dynamic html-page back through the cgi-script to the web-server. If there is no way to (ie. I should not be able to) connect dmz to internal does this mean I'll have to put this web-server in the internal net and expose it to the external net through the INTERN_WWW_SERVER? Is that safe enough/more safe? Kjetil -Original Message- From: Greg Morgan [mailto:[EMAIL PROTECTED]] Sent: 3. januar 2002 10:15 To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: Re: [Leaf-user] Dachstein CD, problem with connecting from DMZ to internal Kjetil Næss wrote: Hi all, I've spent too many hours trying to solve a problem I now hope some kind person can help me with. I'm using the latest Dachstein CD version, 3 network cards as follows
eth0=external (ip's 212.125.237.178, 180, 181,182)
eth1=internal (ip's 192.168.1.0/24)
eth2=DMZ (ip's 192.168.2.0/24)
I want to allow a machine in the DMZ to connect to a specific machine in the internal net on a specific port, ie. Kjetil this idea violates the whole idea of using a DMZ. eth1, your internal net should connect to both eth0, the external and eth2 the DMZ.
However, eth2 should never connect to the internal net. The DMZ routing is designed to do this...on purpose. If a server on your DMZ net is compromised and it has access to your internal net, then your internal net is at risk. The DMZ leverages the router to serve both your protected internal net that is being protected from the big bad Internet, and the router allows you to host servers that are at risk on the Internet--the DMZ. It would be advisable for you to rethink your strategy. Perhaps you could describe it in more detail and others could help you enable your goals safely. I hope this helps, Greg Morgan machine 192.168.2.2 wants to connect to 192.168.1.250 on port 4711. I have no problem going from internal to external, or from internal to dmz (can connect to web-server on dmz). All attempts to have the machine in the dmz connect to the internal one fail. Some have mentioned to me that this will not be possible/allowed. True? At the moment, DMZ_SWITCH=PRIVATE. I've tried with YES/PROXY (what's the difference between these three?). I've also tried setting up rules for accepting traffic between these two machines to no avail. Telnet from 192.168.2.2 to 192.168.1.250 4711 fails, and nothing appears in the log. Could it be a routing problem? I've set default gateway on 192.168.2.2 to 192.168.2.254 which is the ip of eth2. Please help if you can. Kjetil Næss snip html..you only need to send text
Re: [Leaf-user] dachstein cd 1.0.2: modules are unavailable
Peter Jay Salzman [EMAIL PROTECTED] wrote: complete LRP newbie here. i'm trying to set up dachstein cd 1.0.2. reading the comments in /etc/modules, it looks like cdrom:/lib/modules is supposed to be mounted on /lib/modules in the ramdisk. Dachstein takes care of this for you so there must be some other problem.
1.) Uncomment the Ethernet modules you need. Many of the newer PCI based ethernet modules require a pci-scan module. Uncomment the supporting modules too!
2.) Next hurdle is the new way of thinking with a LEAF distribution. The whole OS is all contained in memory. So even though you saved your changes, they will not survive a reboot. But on the flip side that's great because if there is a problem a person just reboots. What this means to you is that you may not be using the backup menu to save the changes you just made to the modules file. Please use lrcfg--you boot into it as root--and select the b option for Back-up. Use d modules and t modules to set the destination and type of backup respectively. d should be floppy and t should be partial. You will use this technique later when you master the modules and start configuring other packages.
3.) Make sure you have some sort of configuration option on your floppy. I can boot from a cdrom so I only have a lrpkg.cfg file containing the single line without quotes of etc,local,modules,ramlog,dhclient,dnscache,dhcpd,weblet,lncurses,vim. This is a good newbie configuration.
4.) reboot
5.) See if you have ethernet connectivity. If so continue on configuring the rest of the modules.
6.) Report back and let us know if you have success.
7.) Most of all give yourself patience. It is worth the wait to get your feet wet with a leaf distro. LOL we were all newbies once except people like Ray O., Charles S., and Dave Douthitt. They just know.
that's not happening. as a result, none of the modules i specify in /etc/modules are loading. can someone help me out here?
with the /dev/cdrom improvements of 1.0.2, it seems like this sort of thing should be working out of the box rather than try to hack it to work. pete
Re: [Leaf-user] dachstein cd 1.0.2: modules are unavailable
Peter Jay Salzman wrote: snip one question -- i grok the concept of the filesystem going away unless it's backed up to floppy. what i don't grok so much is the concept of partial backups. the readme file on the cd is confusing. what i'd LIKE to think is that anything i modify will be packaged up in its own etc.lrp file on the floppy and untarred over the /etc generated by the cd version of etc.lrp. however, the one thing i did manage to gather from the readme file is that it's not quite this simple. can you tell me a little bit about how partial backups work? snip For the etc.lrp I choose full backup. Partial backups have just been introduced with the CD release. I have not hacked a package but this is my conceptual idea of what Charles has just done. Before, a full backup of the package was required. With the current version the boot scripts have been modified to read the binary stuff and the config separately. A partial backup puts all the config stuff on a floppy. It overrides the config stuff that is on the cdrom package. The cdrom package is loaded then your config file is loaded. You will notice this one day as you see linuxrc do its magic. If you are still uncomfortable with this idea of partials, start using full backups and at a later point when things work migrate to partials. The whole point of either option is to save room on small footprint disks like floppies. LEAF distros are studies in micro engineering. I am excited about the CDrom versions because I lose lots of 168K formatted to Arizona dust bunnies. The normal 144k format seems to be more dust resistant. Some time in 2002 I want to burn a CD with all my changes. My config doesn't change that much. (LOL the wife and kids hate it when I play.) The floppy would be there for just a placeholder so that dachstein can boot. Finally, I take my floppy and copy it all to a directory on the windows/samba server. It is after all an msdos formatted disk.
If you lose a floppy just make a new one off the windows directory and you're back in business. I hope this helps, Greg Morgan
Re: [Leaf-user] dachstein cd 1.0.2: modules are unavailable
One more idea is to use some of the other documentation. Take a look at http://nw-hoosier.dyndns.org/rlohman/linux/firewall/index.html. Don't forget to wander around leaf.sourceforge.net.
[Leaf-user] Re: Passive FTP Working fine with Dachstein 1.0.1
Charles Steinkuehler wrote:

> [snip]
> > #FTP Server
> > #INTERN_SERVER2="-a -P tcp -L $EXTERN_IP 21 -R 192.168.1.2 21"
> > #INTERN_SERVER3="-a -P tcp -L $EXTERN_IP 21000 -R 192.168.1.2 21000"
>
> The scripts stop at the first missing number, and they start counting from zero, so without INTERN_SERVER0 and INTERN_SERVER1 defined, the rest of your server settings will be ignored. This is kind of a pain, and an artifact of the broken sort command on earlier systems... If anyone wants a project, you could work on adapting the walklist function to support missing numbers and send me the code...

Right now I don't see how to avoid the problem unless you impose some sort of maximum variable count. The walk_list condition is designed to stop via

    while eval ITEM=\$$BASENAME$x
          [ "$ITEM" != "" ]
    do

I grepped walk_list in /etc and found 10 instances in both ipfilter.conf and network.conf. Suppose you set a max list variable size to 20. I might lose a few picoseconds off my life, but how long will that take lrp to boot for each call to walk_list configured with a max list variable this big? Wouldn't 20 more than cover all the lists that LRP uses?

I ripped this idea off from esb2 and modified it for a project I am working on. I whacked out a section of code and then modified the script to make widgets, not Oracle instance directories.

    cat ./walk
    #!/bin/bash
    # Ident: walk
    # Define the number of widgets you are going to
    # create.  This should equal the number of widgetsX
    # variables you have uncommented.  This is for all you
    # performance freaks.  The loop examines which variable
    # exists before using it.
    max_widgets=8
    # Define the widgets variables.  See max_widgets.
    # my_widget0=VULTURES
    my_widget1=BALOO
    my_widget2=MOWGLI
    # my_widget3=KAA
    # my_widget4=HATHI
    # my_widget5=BAGHEERA
    my_widget6=KING
    my_widget7=LOUIE
    # ad nauseam
    # Now make the widgets
    # Starting widget variable number.
    widgets_list=0
    while [ ${widgets_list} -lt ${max_widgets} ]
    do
        # See if the $my_widgetX variable exists
        eval current_widget=\$my_widget${widgets_list}
        if [ "${current_widget}" != "" ]
        then
            # Now make the widget.
            echo "widget produced = ${current_widget}"
        fi
        # Next widget please.
        widgets_list=$((${widgets_list} + 1 ))
    done
    # Done creating widgets.

Here's the output

    ./walk
    widget produced = BALOO
    widget produced = MOWGLI
    widget produced = KING
    widget produced = LOUIE

Here's the walk_list function

    cat walk_list
    ###
    # General utilities to process lists of environment variables
    ###

    # A function to walk a list of environment variables
    # To use, define a series of BASENAMEx lines in network.conf
    # where x is an integer number
    # $1 = List Basename
    # $2 = Initial integer suffix (usually 0 or 1)
    # $3 = Procedure to call
    # $4+= Parameters to pass to procedure
    # NOTE: Called procedure can reference local walk_list variables, like x or y
    walk_list () {
        # x = Variable index, y = count of processed variables
        local BASENAME=$1 x=$2 PROCEDURE=$3 ITEM= y=0
        shift 3
        while eval ITEM=\$$BASENAME$x
              [ "$ITEM" != "" ]
        do
            y=$(($y + 1))
            # 'Call' the procedure, passing the variable to process and any args
            eval $PROCEDURE $BASENAME$x $*
            x=$(($x + 1))
        done
        WALK_COUNT=$y
    }

Greg
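A gap-tolerant walk_list along the lines sketched above, shown beside the original stopping rule so the difference is visible on the poster's config. This is an added example, not code from the Dachstein scripts; WALK_MAX, the INTERN_SERVER2/3 sample values and the record_server stand-in procedure are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not Dachstein's own network.conf code: a walk_list
# variant that scans BASENAMEx up to a fixed maximum index, so a gap
# such as an undefined INTERN_SERVER0/1 no longer hides 2 and 3.

# Highest index walk_list_gapped examines. Assumed value, not a LEAF
# setting; the message above suggests 20 covers every LRP list.
WALK_MAX=20

# walk_list_strict BASENAME START PROCEDURE [ARGS...]
# The original stopping rule: quit at the first unset variable.
walk_list_strict () {
    local BASENAME=$1 x=$2 PROCEDURE=$3 ITEM= y=0
    shift 3
    while eval ITEM=\$$BASENAME$x
          [ "$ITEM" != "" ]
    do
        y=$(($y + 1))
        eval $PROCEDURE $BASENAME$x "$@"
        x=$(($x + 1))
    done
    WALK_COUNT=$y
}

# walk_list_gapped BASENAME START PROCEDURE [ARGS...]
# Same calling convention, but every index from START to WALK_MAX is
# examined and unset ones are skipped. WALK_COUNT is the number processed.
walk_list_gapped () {
    local BASENAME=$1 x=$2 PROCEDURE=$3 ITEM= y=0
    shift 3
    while [ "$x" -le "$WALK_MAX" ]
    do
        eval ITEM=\$$BASENAME$x
        if [ "$ITEM" != "" ]
        then
            y=$(($y + 1))
            eval $PROCEDURE $BASENAME$x "$@"
        fi
        x=$(($x + 1))
    done
    WALK_COUNT=$y
}

# Constructed sample config mirroring the poster's: INTERN_SERVER0/1 are
# left undefined, only the FTP forwards exist. 192.0.2.1 stands in for $EXTERN_IP.
INTERN_SERVER2="-a -P tcp -L 192.0.2.1 21 -R 192.168.1.2 21"
INTERN_SERVER3="-a -P tcp -L 192.0.2.1 21000 -R 192.168.1.2 21000"

# Stand-in procedure: ipfilter.conf would issue the port-forward command
# here; this one only records which variable names were visited.
SEEN=""
record_server () {
    SEEN="${SEEN:+$SEEN }$1"
}

# Walk the sample config the original way; prints "<count>" (0: stops at INTERN_SERVER0).
servers_strict () {
    SEEN=""
    walk_list_strict INTERN_SERVER 0 record_server
    echo "$WALK_COUNT${SEEN:+ $SEEN}"
}

# Walk it the gap-tolerant way; prints "<count> <names visited in index order>".
servers_gapped () {
    SEEN=""
    walk_list_gapped INTERN_SERVER 0 record_server
    echo "$WALK_COUNT${SEEN:+ $SEEN}"
}

echo "strict: $(servers_strict)  gapped: $(servers_gapped)"
```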
[Leaf-user] Small Linux to the xbox rescue and ports used
Here's an interesting site http://www.xboxgw.com/index.html. They have used a bootdisk to enable xbox devices to play network games over the internet. So if Santa brings an xbox there is hope to network the thing before billg does sometime in 2002. The most important thing to know for this list is what ports to open up on a lrp/leaf firewall.

Greg

http://www.xboxgw.com/xboxgw_faq-v101.html

Q: Does it work behind NAT?
A: Yes. Even with NAT on both the client and server sides.

Q: What ports do I need to configure for NAT/FIREWALL?
A: Inbound: TCP port 7601 (Only required for server mode)
A: Inbound: UDP port 7602 (Required for client and server)
A: Outbound: TCP port 7601 (Only required for client mode)
A: Outbound: UDP port 7602 (Required for client and server)
Re: [Leaf-user] Loading Net Drivers and packages in DS 1.0.1
Bob Smith wrote:

> Thank Greg,
>
> But that didn't help. I knew about lsmod, my problem was that ifconfig was missing. I have since found ifconfig.lrp. I had been doing a partial backup of modules.lrp. I tried a full backup, and now the drivers are attempting to load, but I still get the insmod errors:
>
>     INSMOD: not an ELF file
>     INSMOD: Could not load the module: No such file or directory
>
> That seems to tell me that they do not like the way the files have been created, like they were compiled with the wrong libraries. I doubt that is the case, since 8390 and ne are likely to be heavily used by others. Is there an additional package I should load before the modules?

I agree with your assessment. Could a defective CD burn, defective media, or an original ISO damaged in the download be causing these problems? Can you try a fresh download and burn?

> Here is my syslinux.cfg:
>
>     display syslinux.dpy
>     timeout 0
>     default linux
>     append=load_ramdisk=1 initrd=root.lrp initrd_archive=minix ramdisk_size=8192 root=/dev/ram0 boot=/dev/fd0u1680,msdos PKGPATH=/dev/hda:iso9660 LRP=etc,ramlog,local,ifconfig,modules,dhclient,dhcpd,dnscache,weblet,dhttpd, dhis,web
>
> This is from my boot floppy, and it seems that it ignores the additions to the LRP line. Any suggestions on that one?

LRP is the next line after PKGPATH without a blank line? LRP is all on one line without a hard return? I recall reading about a limit on the LRP= line length. If you shorten the list, do all the packages load? I don't know about dhttp, dhis, and web. Could they be conflicting with weblet, especially dhttp? Some packages have dependencies. Are they loaded in the correct order?

> Cheers
>
> ----- Original Message -----
> From: Greg Morgan [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]; Bob Smith [EMAIL PROTECTED]
> Sent: Wednesday, November 28, 2001 12:37 AM
> Subject: Re: [Leaf-user] Loading Net Drivers in DS 1.0.1
>
> Bob Smith wrote:
> > Hi,
> > I have been testing DS on a new box (floppy boot), I have been working with LRP for about 1.5 years.
> > I edited the Modules file, did a partial backup of the modules package. I know the edits are working, since the masq drivers that I selected are all working.
> > When I mount the CD, copy the file locally (/lib/modules/2.2.19 - which seems to be the path it wants the files in), and try to manually load the modules, I get:
> >
> >     INSMOD: not an ELF file
> >     INSMOD: Could not load the module: No such file or directory
> >
> > dmesg does not show any errors, and the only network interface that I see loaded is brg0.
> > What command is used to display my adapter settings, as ifconfig tells me the file is not found?
>
> lsmod is the command to show what modules have been loaded to support the kernel. insmod, rmmod and lsmod are your module commands.
>
> > The drivers that I am trying to load are 8930, ne, pci-scan, and rtl8139. I check the modules.conf file, and the default paths and loadlines are there to load the cd and change directories, I have even tried to specify the path to the drivers eg. /net/ne
>
> hmmm I once tried to set up an esb2 box with two different adapters. I presume that is what you are doing here with the list of modules that you provided. After being cheap I bought another card to match one of the two so that they were both the same kind. Finally the modules loaded for the Ethernet adapters. I am on rc3. I tried lsmoding the modules you listed and they worked ok--not that it counts because of the different images. If you can load two different ethernet cards ok, I really think the hint may be in the order your /etc/modules loads the drivers.
>
> If you look on your cd in /lib/modules for modules.dep it lists the module dependencies. 8390.o has to be loaded before ne.o and pci-scan.o must be loaded before rtl8139.o. You may want to list the eth0 modules before the eth1 modules in the /etc/modules file since it looks like you are trying to use two dissimilar cards. A program reads /etc/modules and loads the modules in the order that you have them listed in the file. Backup and reboot.
>
> > ! mount iso9660 /dev/hda
> > ! dir /lib/modules/net
>
> I think these are just directives to the module loader program. They won't work at the command prompt.
>
> > These do not seem to be working. Any help would be appreciated.
> > Cheers
> > [snipped html formatting]
>
> I hope this helped,
> Greg
Re: [Leaf-user] Loading Net Drivers in DS 1.0.1
Bob Smith wrote:

> Hi,
> I have been testing DS on a new box (floppy boot), I have been working with LRP for about 1.5 years.
> I edited the Modules file, did a partial backup of the modules package. I know the edits are working, since the masq drivers that I selected are all working.
> When I mount the CD, copy the file locally (/lib/modules/2.2.19 - which seems to be the path it wants the files in), and try to manually load the modules, I get:
>
>     INSMOD: not an ELF file
>     INSMOD: Could not load the module: No such file or directory
>
> dmesg does not show any errors, and the only network interface that I see loaded is brg0.
> What command is used to display my adapter settings, as ifconfig tells me the file is not found?

lsmod is the command to show what modules have been loaded to support the kernel. insmod, rmmod and lsmod are your module commands.

> The drivers that I am trying to load are 8930, ne, pci-scan, and rtl8139. I check the modules.conf file, and the default paths and loadlines are there to load the cd and change directories, I have even tried to specify the path to the drivers eg. /net/ne

hmmm I once tried to set up an esb2 box with two different adapters. I presume that is what you are doing here with the list of modules that you provided. After being cheap I bought another card to match one of the two so that they were both the same kind. Finally the modules loaded for the Ethernet adapters. I am on rc3. I tried lsmoding the modules you listed and they worked ok--not that it counts because of the different images. If you can load two different ethernet cards ok, I really think the hint may be in the order your /etc/modules loads the drivers.

If you look on your cd in /lib/modules for modules.dep it lists the module dependencies. 8390.o has to be loaded before ne.o and pci-scan.o must be loaded before rtl8139.o. You may want to list the eth0 modules before the eth1 modules in the /etc/modules file since it looks like you are trying to use two dissimilar cards. A program reads /etc/modules and loads the modules in the order that you have them listed in the file. Backup and reboot.

> ! mount iso9660 /dev/hda
> ! dir /lib/modules/net

I think these are just directives to the module loader program. They won't work at the command prompt.

> These do not seem to be working. Any help would be appreciated.
> Cheers
> [snipped html formatting]

I hope this helped,
Greg
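The ordering rule given in both of the messages above (8390 before ne, pci-scan before rtl8139, as recorded in modules.dep) can be checked before the backup-and-reboot step. This is an added example, not part of Dachstein or modutils; the modules.dep excerpt, its paths and the function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of Dachstein or modutils: verify that the order
# of /etc/modules satisfies the dependencies listed in modules.dep, so a
# module is never listed before the module it needs.

# Constructed modules.dep excerpt in the "module: dependency ..." layout
# depmod writes for 2.2 kernels. Paths are assumed, not copied from a CD.
MODULES_DEP='/lib/modules/2.2.19/net/8390.o:
/lib/modules/2.2.19/net/ne.o:  /lib/modules/2.2.19/net/8390.o
/lib/modules/2.2.19/net/pci-scan.o:
/lib/modules/2.2.19/net/rtl8139.o:  /lib/modules/2.2.19/net/pci-scan.o'

# Reduce a modules.dep path to the bare module name: .../net/8390.o -> 8390
modname () {
    n=${1##*/}
    echo "${n%.o}"
}

# deps_of MODULE: print the module names MODULE depends on, one per line.
deps_of () {
    printf '%s\n' "$MODULES_DEP" | while IFS= read -r line
    do
        case "$line" in
            */"$1".o:*)
                for d in ${line#*:}
                do
                    modname "$d"
                done
                ;;
        esac
    done
}

# check_module_order "MOD1 MOD2 ...": modules in the order /etc/modules
# lists them (the real file has one per line). Returns 0 when every
# dependency is listed before the module that needs it; otherwise prints
# the first offender and returns 1.
check_module_order () {
    loaded=" "
    for m in $1
    do
        for d in $(deps_of "$m")
        do
            case "$loaded" in
                *" $d "*) ;;
                *) echo "$m needs $d loaded first"; return 1 ;;
            esac
        done
        loaded="$loaded$m "
    done
    return 0
}

# The order the message recommends passes; a swapped pair is reported.
check_module_order "8390 ne pci-scan rtl8139" && echo "order OK"
check_module_order "ne 8390 pci-scan rtl8139" || echo "fix /etc/modules"
```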
[Leaf-user] Re: Dachstein-CD-rc3 available
Thanks for the response.

Patrick Benson wrote:

> Greg Morgan wrote:
> > I ran nmap against the firewall. It was from the internal net against the external interface so I don't know if this counts? I saw these ports open. Shouldn't these be closed or am I being fooled by the firewall and these are really on the inside?:
> >
> >     (The 1520 ports scanned but not shown below are in state: closed)
> >     Port       State       Service
> >     53/tcp     open        domain
> >     80/tcp     open        http
> >     1023/tcp   open        unknown
>
> The main structure of the firewall is designed to prevent packets from entering on to your external interface from ip's on the outside, trying to initialize connections from their end and to penetrate your system without your consent. What you're trying to do with nmap is to peek from the inside and you will usually get ports that are listed as open but only from the inside part of your network. If you scan them from outside then they will be listed as closed, since the firewall is shielding them from that end. Rick Onanian has a security list with sites that use nmap, nessus, etc., try Secure Design or Vulnerabilities.org: http://leaf.sourceforge.net/devel/thc/#Security
>
>     dnscache                    - 53/tcp    open  domain
>     weblet                      - 80/tcp    open  http
>     bandwidth monitor (weblet)  - 1023/tcp  open  unknown
>
> Closed on the outside but open on the inside (but weblet can be configured to be seen on the outside but it's not, by default)...
>
> --
> Patrick Benson
> Stockholm, Sweden
[Leaf-user] Re: Dachstein-CD-rc3 available
Charles Steinkuehler [EMAIL PROTECTED] wrote:

> The third release-candidate version of Dachstein-CD is now available.
> [snip]

I believe you have fixed many problems and it has come a long way. Thanks.

I have two questions about rc3.

I am looking at the eth1_broadcast setting. In eb2 there was an ip number here for the network, i.e. x.x.x.255. I see eth1_broadcast=+. This must be some sort of shorthand that I am not familiar with.

I ran nmap against the firewall. It was from the internal net against the external interface so I don't know if this counts? I saw these ports open. Shouldn't these be closed or am I being fooled by the firewall and these are really on the inside?:

    (The 1520 ports scanned but not shown below are in state: closed)
    Port       State       Service
    53/tcp     open        domain
    80/tcp     open        http
    1023/tcp   open        unknown

    Nmap run completed -- 1 IP address (1 host up) scanned in 5 seconds

Greg
[Leaf-user] RE: Dachstein-CD-rc2 available
Binh Do and Michael D. Schleif wrote:

> Binh Do wrote:
> > Hi Charles,
> > I would like to try the CD version so I burnt the ISO file (rc1 I think) but I cannot go to the login prompt. It stops in the middle asking something about Run Level. I tried on two machines and got same result. Those machines are running other OSes and have hard disks.

I received the Run Level prompt on the first Dachstein-CD release. I cannot remember if it was my network card driver or the hardware configuration. But here's a clue: hard disks. The linux kernel will detect all ide drives. I presume you have hda, a C: drive, that is primary master on ide channel one for your hard drive, and hdc, a D: drive, that is a primary master on ide channel two for your cdrom, in both of the machines you tried this on. I did the same on one of the Windows boxes I have--no luck.

Dachstein keeps with the LEAF/LRP reboot security philosophy. This idea is to have write protected disks and minimize having hard drives that could be compromised. If you have an issue with the firewall you reboot from the readonly media and the ram drive is reimaged with a fresh OS. Hence, the Dachstein-CD configuration presumes that you have one or two floppies and your CD drive as the first primary on your first IDE channel, hda or C:, i.e. minimal hardware in your LEAF box. I finally tested the CD on my LEAF box that has two floppies and an hda cdrom drive. It worked properly.

If this doesn't help, Michael is pointing you to BIOS and boot configuration issues that you will have to solve. Charles has a write up in the readme.txt file.

> > Should I change anything on the CD before writing?
>
> Place a formatted, empty floppy in the floppy drive and reboot. Does this make a difference?
>
> --
> Best Regards,
> mds
> mds resource
> 888.250.3987

Hope this helps,
Greg
Re: [Leaf-user] Firewall testing
You have nothing to fear about grc.com. If anything Steve Gibson wants to protect your privacy. He even goes as far as mailing a confirmation email to you that you have to reply to. Once you reply, you are queued for a scan. grc.com is an interesting site. The dude is into writing most everything in assembler. He seems pretty picky and maybe his work is more accurate. I keep meaning to scan my firewall with nmap. nmap will look at the signature of your TCP stack and take a guess at your OS.

Greg

Glenn A. Thompson wrote:

> Hey,
> I'm a newbie also. I have a question. Doesn't using these testing sites say; hey, here I am come and get me? I mean are they really to be trusted? I know it's nice to know how secure you are but I'm afraid to use them.
> Glenn
>
> Dan wrote:
> > ~~ D I S C L A I M E R ~~
> > I am a newb to this, but I am using the same system you guys are. My response here is a guess to see if my thinking is correct. Please don't confuse it with the well-informed input I hope it will draw :)
> > ~~
> >
> > My first guess: In looking thru my own filter rules, I notice the following:
> >
> >       0     0 REJECT  tcp  --  0xFF 0x00  eth0  0.0.0.0/0  0.0.0.0/0  * -> 137
> >       0     0 REJECT  tcp  --  0xFF 0x00  eth0  0.0.0.0/0  0.0.0.0/0  * -> 135
> >     257 20046 REJECT  udp  --  0xFF 0x00  eth0  0.0.0.0/0  0.0.0.0/0  * -> 137
> >       0     0 REJECT  udp  --  0xFF 0x00  eth0  0.0.0.0/0  0.0.0.0/0  * -> 135
> >       0     0 REJECT  tcp  --  0xFF 0x00  eth0  0.0.0.0/0  0.0.0.0/0  * -> 138:139
> >     146 34019 REJECT  udp  --  0xFF 0x00  eth0  0.0.0.0/0  0.0.0.0/0  * -> 138
> >
> > ... and so forth.
> >
> > My _guess_ is that the default config rejects these packets, which sends back a message to the probing machine that allows it to determine that the port in fact exists and is responding. If the probe app is dumb it will report ANY reply as vulnerable. Most other filters in E2B seem to use DENY, but if I am correct, there are some comments in the E2B scripts related to Windows doing braindead things --- this may be part of the cure for that, as these are Windows default networking ports.
> >
> > As far as the 1080, that's SOCKS --- I don't know why it is showing for all of us (myself included). I am definitely NOT running any such proxy here. Port 3128 is not one I can find any info on.
> >
> > My last guess is this: the probe app is a POS, and not to be trusted.
> >
> > Dan
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robert Chambers
> > Sent: Tuesday, June 26, 2001 11:35 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: [Leaf-user] Firewall testing
> >
> > I have also tried this site, and the same for me: open ports 135, 137, 138, 139 and visible ports 1080, 3128. I am also running Eigerstien2beta. When I test my system with Steve Gibson's site grc.com it says that I am a hard target and all ports that are tested are in stealth mode.
> >
> > Robert Chambers
> >
> > Michael Leone wrote:
> > > On 09 Jun 2001 08:55:01 -0400, Sean E. Covel wrote:
> > > > To all,
> > > > This is an interesting new test site. Uses IP Spoofing, so it does not set off portsentry (first test that DIDN'T). It was also the first test ever to say I had ports open/visible. I'm using EB2 LRP, and have been on it awhile. I'm no expert, so could some of you experts take a look at the tests (there are 2) and tell me what you see?
> > >
> > > This is the only scan I've ever taken (with EigerSteinBeta2) that told me I have ports 135, 137, 138 and 139 open. And ESB2 by default closes these ports. Also, it says port 21 (ftp), 80 (web) is open for me. This is true. Yet somehow, the scan missed port 22 (SSH), and port 113 (ident), both of which I am also running, and therefore should both show as open. Also says some of the 'scare' ports - 27374, 31337, etc (the ports that SubSeven, Back Orifice, and others use) - are visible, but not open.
> > >
> > > Makes me wonder about this scan. It missed some blatant ones, and reported on other ports that other scan sites did not.
> > >
> > > --
> > > Michael J. Leone   Registered Linux user #201348   mailto:[EMAIL PROTECTED]   ICQ: 50453890
> > > PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
> > > Pysche closed for renovations.
Re: [Leaf-user] test_20010527 no space left on device
Victor McAllister wrote:

> I have been playing with Etienne.Charlier ESB2 test_20010527 pppoe image. I thought I would try this image for a friend's pppoe router. I have a ram drive of 6 megs with a total of 24 megs of ram. Several times I got a message no space left on device. I am not connected to the Internet so no logs

But what if something on the LAN is logging, or perhaps the programs on the image are logging because you are not connected to the Internet? Why don't you look periodically before you run out of space?

> are filling up. When I use the lrcfg backup program and then try to copy a file to /tmp is one way I get the No space left on device. df also reports 0% available and 100% used on /dev/ram0. I really like the editor, the 2.2.19, the compressed kernel and other neat things - I have managed to fill up the ramdrive several times in different ways - that makes me think there is a bug in there somewhere. Anyone else played with this and found similar problems or is it cockpit problems?

Greg
Re: [Leaf-user] LEAF (LRP)
How about a second floppy drive for $15 to $25? I have two in my firewall just for ease of use. You would have to set your syslinux package path variable so that LEAF can find the modules on the second drive. From the optional section of http://lrp.steinkuehler.net/files/diskimages/eiger/EigerStein.readme

You could use a path of PKGPATH=/dev/fd0u1440,/dev/fd1u1440 if you are having problems with large format floppies.

    OPTIONAL:
    [snip]
    Use two floppies for more space:
    You can hook a second 3 1/2 floppy drive up for more storage. Edit syslinux.cfg on your boot disk and add the second floppy drive to the PKGPATH variable (ie PKGPATH=/dev/fd0u1680,/dev/fd1u1440). Put your new packages on the second floppy, and add the package names to the LRP variable in syslinux.cfg (ie LRP=etc,log,local,modules,newpkg) to load them automatically.
    [snip]

Greg

NOC wrote:

> Well, I hate to say it... but the daemons have just gotten too big to keep updated with a floppy based router. There is NO way I can get the basics on a single floppy (sshd, telnet, psentry) and have the thing boot. My drive just doesn't like the larger floppies. The only sshd, for instance, that I can get to fit is 1.2.26 or something like that. I can't leave my network open by using a daemon that may have a security hole. So, am I forced, with the masses, to get a hardware router? I find it hard to believe that they could be any more secure
>
> Thanks for your input!
> Chris Kulish