Re: [leaf-user] Netflow type output from leaf-bering machine
Hi Ad,

> I've done some searching and have found a bunch of information about collecting netflows from cisco etc etc. What I'm after is: is there any application that would have my leaf bering machine OUTPUT netflow information? So I can collect the flows from my leaf router in another application. As I have replaced my old beat up cisco with a nice new bering-uclibc machine :)

We have been using nprobe from ntop.org (yes, you have to pay for it even when GPL, but it is a great way to support its development and it is not that expensive) for about a couple of years in production environments using embedded systems without a hitch. I definitely recommend that one. fprobe is also ok, as many others are, but nprobe was designed from the beginning for embedded systems and we like that.

For the collector, IMHO the situation is a bit worse as there is no real option capable of doing advanced stuff. Yes, plenty of RRD stuff but nothing else. We even developed our own commercial collector just because of this :)

Regards
-- 
Jaime Nebrera - [EMAIL PROTECTED]
Consultor TI - ENEO Tecnologia SL
Pol. PISA - C/ Manufactura 6, P1, 3B
Mairena del Aljarafe - 41927 - Sevilla
Telf.- 955 60 11 60 / 619 04 55 18

leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/
[leaf-user] [OT] VRRP on dedicated interface
Hi all,

A bit off-topic question: do you know if it is possible to send VRRP syncing messages through a different dedicated interface than the real interface the VIP is attached to? We use keepalived and don't want to flood the internal network with VRRP messages.

Thanks and sorry for the OT.
-- 
Jaime Nebrera - [EMAIL PROTECTED]
Consultor TI - ENEO Tecnologia SL
Pol. PISA - C/ Manufactura 6, P1, 3B
Mairena del Aljarafe - 41927 - Sevilla
Telf.- 955 60 11 60 / 619 04 55 18
Re: [leaf-user] Bering uClibc HA
Hi Markus,

> Can you give me some hints for a firewall/gateway HA solution based on two Bering uClibc 2.3 boxes? I've seen keepalived.lrp, but for connection state synchronisation I also need the ct_sync kernel module from the netfilter-ha project. Can I get this kernel module somewhere for Bering uClibc 2.3? Has somebody a howto for a Bering uClibc HA solution?

ct_sync is really a mess; I don't know many people that use it.
-- 
Jaime Nebrera - [EMAIL PROTECTED]
Consultor TI - ENEO Tecnologia SL
Telf.- 619 04 55 18
[leaf-user] High End QoS
Hi all,

I write to this list as it is full of networking experts. A client asked if it was possible to replace a very expensive QoS appliance with a Linux box to do QoS on a big network. Sustained traffic is around 400Mbps and they need around 1000 QoS classes. Some thoughts on this:

1) Of course we will purchase the fastest box we can find around, dual Xeon and such.

2) As the system runs as a bridge we are kind of scared to use the 2.6 kernel as it seems quite unstable in that mode.

3) Instead of using standard QoS classification (linear) we were thinking about using the classify target in shorewall and using all its zone decision tree power. That way we still have all those classes, but they are not read linearly; some logic is applied in the tree.

4) As this box ideally would include a netflow probe, we were thinking about using the pf_ring kernel patch. Any experience in the list using this patch with a system that is both a probe and QoS?

5) We were thinking about using hipac, but we don't know if it supports the classify target. Do you know if it does?

Any ideas will be REALLY appreciated. Thanks in advance.

Regards.
-- 
Jaime Nebrera - [EMAIL PROTECTED]
Consultor TI - ENEO Tecnologia SL
Telf.- 619 04 55 18
Re: [leaf-user] LEAF Project QBox Launched
Hi Ron,

> We are now launching a new product (open source - free - GPL) called QBox. Qbox is a plug and play network appliance for traffic shaping and uses LEAF as its build and (for now) the PC Engines WRAP board as the hardware. If anyone would like to check out the website and tell me what you think I would really appreciate it. My goal here is to try and give something back to the open source community.

Where is it?
-- 
Jaime Nebrera - [EMAIL PROTECTED]
Consultor TI - ENEO Tecnologia SL
Telf.- 619 04 55 18
Re: [leaf-user] Wanted: easy way to see load over time
Hi,

> A very effective but not so easy way to see exactly what sort of traffic your router has been moving is to install a NetFlow probe on your router. It will forward flows to a NetFlow collector, permitting further analysis and graphing of the traffic. You would then be able to categorize the traffic (for example http/ftp/mail/p2p/other for in/out, by host/subnet, period of time) quite precisely. Some pointers:
>
> * A NetFlow probe that runs on Bering-uClibc: fprobe-ulog (I compiled it successfully but no extensive tests done) [1]

We are currently using nprobe without any problem in various production environments in the Lince branch.

> * A NetFlow collector / processor: NfDump [2]

There are plenty of those.

> * A NetFlow web-based reporting engine: NfSen [3]

We have developed our own (proprietary) as none of the open source alternatives had the features we needed. You can see some screens at: http://www.eneotecnologia.com/mambo/ -> Software -> Eneo Flow -> View screen

Hope it helps.
-- 
Jaime Nebrera - [EMAIL PROTECTED]
Consultor TI - ENEO Tecnologia SL
Telf.- 95 455 40 62 - 619 04 55 18
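The probe-to-collector pipeline this reply discusses, as an added example that is not part of the original post and is not code from nprobe, fprobe-ulog, NfDump or NfSen: a parser for the NetFlow v5 export format (the datagram format those probes emit to a collector), followed by the per-direction, per-application bucketing the quoted text describes. The 192.168.1.0/24 "local" network, the port-to-class table and the three-flow datagram are all constructed for the example.

```python
"""NetFlow v5 export parsing and traffic categorization.

Added example, not part of the original list post nor of any of the
probes or collectors it names. Parses a NetFlow v5 datagram as a probe
would emit it, then buckets the flows by application class and
direction. The sample datagram is constructed inline so this runs
offline.
"""
import ipaddress
import struct
from collections import defaultdict

# NetFlow v5 wire format (network byte order): 24-byte header, 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

# Assumption: a fixed port-to-class table is enough for the categories in the post.
PORT_CLASSES = {80: "http", 443: "http", 8080: "http", 20: "ftp", 21: "ftp",
                25: "mail", 110: "mail", 143: "mail", 993: "mail", 995: "mail",
                6881: "p2p", 6882: "p2p", 4662: "p2p"}

# Constructed: the network behind the router, used to decide flow direction.
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")


def parse_netflow_v5(datagram: bytes) -> list:
    """Return one dict per flow record; raise ValueError on a malformed packet."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, *_ = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        (src, dst, _nexthop, _inp, _out, pkts, octets, _first, _last,
         sport, dport, _pad, _flags, proto, _tos, *_rest) = V5_RECORD.unpack_from(
            datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({"src": str(ipaddress.IPv4Address(src)),
                      "dst": str(ipaddress.IPv4Address(dst)),
                      "sport": sport, "dport": dport, "proto": proto,
                      "packets": pkts, "bytes": octets})
    return flows


def classify(flow: dict) -> str:
    """Map a flow to http/ftp/mail/p2p/other by whichever port is well known."""
    for port in (flow["dport"], flow["sport"]):
        if port in PORT_CLASSES:
            return PORT_CLASSES[port]
    return "other"


def direction(flow: dict) -> str:
    """'out' when the source is inside LOCAL_NET, 'in' otherwise."""
    return "out" if ipaddress.ip_address(flow["src"]) in LOCAL_NET else "in"


def summarize(datagram: bytes) -> dict:
    """Bytes per (direction, class): the table a reporting engine would graph."""
    totals = defaultdict(int)
    for flow in parse_netflow_v5(datagram):
        totals[(direction(flow), classify(flow))] += flow["bytes"]
    return dict(totals)


def build_record(src, dst, sport, dport, proto, pkts, octets) -> bytes:
    """Constructed helper: encode one v5 record the way a probe would."""
    return V5_RECORD.pack(ipaddress.IPv4Address(src).packed,
                          ipaddress.IPv4Address(dst).packed, b"\0\0\0\0",
                          1, 2, pkts, octets, 1000, 2000, sport, dport,
                          0, 0x18, proto, 0, 0, 0, 24, 24, 0)


def sample_datagram() -> bytes:
    """Constructed sample export: three flows involving LAN hosts."""
    records = [
        build_record("192.168.1.10", "203.0.113.5", 40000, 80, 6, 12, 15000),    # out, http
        build_record("198.51.100.7", "192.168.1.10", 25, 41000, 6, 4, 2400),     # in, mail
        build_record("192.168.1.20", "203.0.113.9", 6881, 51413, 6, 30, 44000),  # out, p2p
    ]
    header = V5_HEADER.pack(5, len(records), 123456, 1700000000, 0, 1, 0, 0, 0)
    return header + b"".join(records)


if __name__ == "__main__":
    for (dirn, cls), nbytes in sorted(summarize(sample_datagram()).items()):
        print(f"{dirn:>3} {cls:<5} {nbytes} bytes")
```

The length check before the record loop matters on a real collector port: a truncated or forged datagram must be rejected rather than read past its end, and an unexpected version should be refused rather than decoded as v5.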
RE: [leaf-user] multiple static ip address router/firewall
On Thu, 14-07-2005 at 11:18 -0500, Andrew Nance wrote:

> It is hard to estimate but somewhere around 750 Kbps to 1.5 Mbps total bandwidth.

From the graph, you see the WRAP box is capable of sustaining around 4Mbps for 50 firewall rules (1500 PPS and 350 bytes/packet). I think you could live with it :)
-- 
Jaime Nebrera - [EMAIL PROTECTED]
Consultor TI - ENEO Tecnologia SL
Telf.- 95 455 40 62 - 619 04 55 18
[leaf-user] Firewall performance graph
Hi all,

For all people just testing firewall performance: we are in the process of publishing some graphs regarding firewall performance (mainly on low end hardware). We have compared mainly Linux (2.4.30 and 2.6.11) and FreeBSD (m0n0wall) on a Geode 266, Via 533 and Via 1Ghz, all with Realtek 8139 ethernets. You can see the first results in: http://www.eneotecnologia.com/archivos/Firewall_512.png

Some comments on the experiment:

1) We tested this with a much better box (P4 3Ghz, PCIe, Marvell chipset), but currently we don't have access to it. It supported more than 10,000 consecutive rules at 1,200 pps. But we had to give this hardware to our client and can't test any more.

2) We have to make the same tests with 1500 byte and 64 byte packets.

3) Traffic was generated from a few PCs (sorry, we couldn't create more traffic at the moment) using hping2. Traffic was UDP to port 80.

4) "Rules" means the number of non-matching rules before the matching rule.

Some comments on results:

A) We are unable to determine if we are using NAPI or not on these boxes. We tested 2.4.23 too with the same results. After some reading, we discovered the driver needs to support NAPI too, but after finding what seems a valid one (ftp://ftp.ovh.net/made-in-ovh/kernel/) we don't get better results (neither for 2.4.30 nor 2.6.11). We need some help to see if we are really using NAPI on these boxes.

B) Linux 2.6.11 and 2.4.30 show more or less the same behavior (?)

C) All Linux kernels seem to hit a wall around 800 rules. This is a known limit in the current iptables / netfilter design (see Hi-PAC and others). With the better box this wall was much further away. Also, this limit is quite similar with different CPUs (Geode 266, Via 533, Via 1Ghz) and is shared by all boxes that use Realtek chipsets (we are about to test it with a P4 2.1Ghz Realtek). Maybe a problem of the driver? Maybe the lack of NAPI even when supposed to be used?

D) FreeBSD (actually I don't know which BSD m0n0wall uses) is much more linear and predictable in its behavior, standing up to higher loads.

What do you think? Any comments? Any help?

Hope it helps. Regards.
-- 
Jaime Nebrera - [EMAIL PROTECTED]
Consultor TI - ENEO Tecnologia SL
Telf.- 95 455 40 62 - 619 04 55 18
RE: [leaf-user] lets talk about something--anything!
Hi James and others,

> One tricky thing I've found as a Windows LEAF user is the wall of choice when it comes to picking which Linux distro to add to my WinXP machine for the purpose of building for LEAF.

Well, we are developing a new branch for Lince based on GNAP (Gentoo Network Appliances). They provide pretty much info regarding a build environment (of course not just a Live CD :))

> Would it be feasible to create another LEAF branch but one for running buildtool and creating the disk image, not for actually being a firewall/router device? A bootable CD perhaps. Or a USB mass storage device. That would be perfect. A Bering-uClibc compile environment on a USB data key.

Sure. As others have commented, the main problem is lack of time. In our case we have decided to depart completely from Debian as all our systems run Gentoo and we need to have a virtual machine just to keep compiling for Lince :)

> And speaking of idiot images for CF/HDDs. If it's not possible to have a generic image because of the many different hardware configurations out there, would it not be possible to create an installer? Full blown distros have them. Maybe we then just hit the problem of if you need that sort of support why not just buy a home cable/DSL router and be done. :\

Well, the first Lince version was more or less that without the installer. You had it all in an ISO image and it was quite easy to install (we even made it bootable, you just needed to choose where to write the image :)). In our case, we didn't invest any time in hardware detection as all our boxes are pretty much the same.

So we are about to release the new version of Lince, but before that we have to solve a problem we have encountered with NAPI support on Realtek chipsets. It seems Realtek doesn't use NAPI on 2.4 but we have found a patch that includes that functionality. The problem is, after some testing we don't see any difference with / without NAPI and we don't know if the patch is wrong or we are doing something wrong and are not activating this feature. Any help on that will accelerate the public day :)

Questions:
* How do we know if NAPI is being used?
* Is this patch working for anybody?
* Will upgrading to kernel 2.6 solve this NAPI problem on Realteks?

Very thankful in advance. Regards

PS.- Realtek NAPI Patch ftp://ftp.ovh.net/made-in-ovh/kernel/
-- 
Jaime Nebrera - [EMAIL PROTECTED]
Consultor TI - ENEO Tecnologia SL
Telf.- 95 455 40 62 - 619 04 55 18
[leaf-user] Lince future (was lets talk about something--anything!)
Hi all,

As main coordinator of the Lince project (Juan Jesus is its main developer) I want to comment on the future of Lince as it has been mentioned in this list lately.

Some of the features some people are asking about in the list (mainly easy perdurable updates and flexibility) have been incorporated in Lince, but this release has not been made public. The reason? In this time our company has gone through a major redo and it has been very hard to explain to our business angels that it was a good idea to release to the public something we have done and are charging our clients for :) In this time we have been mainly busy discussing this, and at the end we have reached an agreement. Most probably we will release to the public old releases and keep current ones for our paid customers. We are planning on a new public release in about a week or so.

So what's new in Lince?

1) As said when Lince was born, we keep to the idea of including more software than standard LEAF. The reason is we use Compact Flash as the storage system and these days 128MB is really cheap. So some decisions and features are not very polished; we could reduce space a bit more, but frankly, we don't care, we have plenty of space to use :) Currently we are migrating Lince from a LEAF based glibc distro to a GNAP uClibc based distro (Gentoo), so this public release might be one of the last to be done based on Debian.

2) Even when we think of Lince as a whole (firmware), sometimes we have needed to include extra packages; that's why it is still compatible with old lrp style packages (it now supports cloop, cramfs and lrp packages).

3) We have developed our own proprietary management app in Java called MarteGUI. Currently it manages all aspects of Lince. Still, it is possible to use Lince without this management app (actually, that's what we release to the public). This app is done in such a way that we don't need to modify the core system. We pack Lince and this app in some hardware appliances that we sell to our clients (as a box or as a managed service). You can see pictures of the boxes and software in www.eneotecnologia.com/mambo/ - Hardware / Software. BTW, the app is in English too and we are seeking resellers :)

4) Lince (core) currently has the following features:
* Standard and bridged system
* Advanced firewall (Shorewall 2.4)
* QoS
* NetFlow probe
* Automatic update (via http)
* Web proxy and filtering
* Web user auth (LDAP, MSAD)
* High availability (VRRP and STP)
* Load balancing (IPVS)
* IPSec VPN

All of them are managed from the GUI but can be managed without it. We are releasing this to the public again as a way to foster development around Lince. If we have success on this and some people step forward and give us a hand, we will continue releasing Lince to the public. We could even pay long term contributors for this help with our software :) If not, well, we will need to discuss this topic again with the investors :(

5) We are currently working on:
* Snort Inline integration
* IPVS synchronization between different load balancers

As said, we intend to stay on Debian for a short time, just until we get GNAP working properly. That means porting to 2.6 and many others, but this needs a different email :)

What do you think? Good enough to increase the emails in the list? :

Regards
-- 
Jaime Nebrera - [EMAIL PROTECTED]
Consultor TI - ENEO Tecnologia SL
Telf.- 95 455 40 62 - 619 04 55 18
Re: [leaf-user] Lince future (was lets talk about something--anything!)
Hi Paul,

> Do you have a strategy for doing this while remaining compliant with the terms of the software you have licensed (the GPL)?

Yes, we have been very careful on that. Actually all of the code in the core system (what you know as Lince) is under GPL, LGPL or BSD except the antivirus (if used). We have done some improvements to some of the GPL apps used but they are in the core too as GPL (of course). MarteGUI is just a manager that connects to a system, downloads a config database, parses new configuration files, copies them to the system and restarts services as needed. In essence, it mimics the commands the admin executes. That way we don't have problems with the GPL.

> Netgear and Linksys are two very profitable organizations who produce GPL derived router products and release the source code and development kits for their GPL based products.

Actually we are thinking of using their hardware to port our software solution. BTW, we have done the same with a Crossbeam X40 system :)

Regards
-- 
Jaime Nebrera - [EMAIL PROTECTED]
Consultor TI - ENEO Tecnologia SL
Telf.- 95 455 40 62 - 619 04 55 18
Re: [leaf-user] Strange problem, please help
Hi,

> I don't know, but I would assume that you should ask this question on the kernel bridge list (you find it under http://bridge.sourceforge.net/); the people on this list have deep knowledge of the Linux networking/driver subsystems.

Just done that :) I needed to wait for acceptance in the list.

>> 2) Can such a beast sustain 8 ethernets as a single bridge? Bear in mind they don't have gigabit traffic, they just use gigabit ethernets :) What's the limit for a Linux bridge?
>
> see above... But I doubt you can run this at full speed on all interfaces (or better the pci-express ones)...

Sure, I don't expect full speed. Actually, the box is overdimensioned on the ethernet side. Think more in the 20Mbps margin for WAN to LAN traffic and some peaks of around 100Mbps for local ethernets.

Thanks
-- 
Jaime Nebrera - [EMAIL PROTECTED]
Consultor TI - ENEO Tecnologia SL
Telf.- 95 455 40 62 - 619 04 55 18
RE: [leaf-user] Firewall failover
Hi,

> http://svn.netfilter.org/cgi-bin/viewcvs.cgi/trunk/netfilter-ha/
>
> You want ct_sync, or connection tracking synchronization. I am not sure what its status really is, but I think it is in 'testing' or 'works for me'.

Yep, all of you agreed on this solution. It seems active now; it would be just a matter of investigating it a bit more.

Thanks!!
-- 
Jaime Nebrera - [EMAIL PROTECTED]
Consultor TI - ENEO Tecnologia SL
Telf.- 95 455 40 62 - 619 04 55 18
[leaf-user] Realtek NAPI
Hi all,

We are experimenting with a patched Realtek driver with NAPI support under 2.4.26 (http://www.uwsg.iu.edu/hypermail/linux/net/0312.0/0002.html) and think the system now uses this driver, but don't know how to verify so. Is there any way to verify NAPI is being used? Does the driver need some configuration on loading to activate this?

Thanks
-- 
Jaime Nebrera - [EMAIL PROTECTED]
Consultor TI - ENEO Tecnologia SL
Telf.- 95 455 40 62 - 619 04 55 18
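One practical check for the question asked here and in the earlier "lets talk about something" post (how to tell whether NAPI is in effect), as an added example that is not part of either post and not from the patched driver: NAPI masks the NIC's interrupt once it fires and polls the receive ring, so under load the number of packets handled per interrupt rises well above one, while a driver running in pure interrupt mode stays close to one packet per interrupt. The script diffs two snapshots of /proc/interrupts and /proc/net/dev and reports that ratio per interface. It assumes the IRQ line names the interface (true for drivers that register the IRQ with the device name); the snapshots embedded below are constructed, not real captures, and the 1.5 packets/interrupt threshold is a chosen heuristic.

```python
"""Heuristic NAPI check: received packets per NIC interrupt.

Added example, not part of the original list posts. Diffs two snapshots
of /proc/interrupts and /proc/net/dev. A ratio near one packet per
interrupt under load means every packet costs an interrupt (no polling
in effect); a ratio well above one means the driver is batching packets
per interrupt, which is what NAPI polling produces. Assumption: the IRQ
line in /proc/interrupts ends with the interface name. The snapshots
below are constructed.
"""
import sys
import time

IRQ_BEFORE = """           CPU0
 18:      100000   IO-APIC-level  eth0
 19:      200000   IO-APIC-level  eth1
NMI:           0
"""
IRQ_AFTER = """           CPU0
 18:      110000   IO-APIC-level  eth0
 19:      210000   IO-APIC-level  eth1
NMI:           0
"""
DEV_BEFORE = """Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    1000      10    0    0    0     0          0         0     1000      10    0    0    0     0       0          0
  eth0: 60000000  500000    0    0    0     0          0         0 30000000  250000    0    0    0     0       0          0
  eth1: 90000000  800000    0    0    0     0          0         0 40000000  300000    0    0    0     0       0          0
"""
DEV_AFTER = """Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    1000      10    0    0    0     0          0         0     1000      10    0    0    0     0       0          0
  eth0: 61000000  510500    0    0    0     0          0         0 30500000  255000    0    0    0     0       0          0
  eth1: 99000000  920000    0    0    0     0          0         0 44000000  330000    0    0    0     0       0          0
"""

NAPI_THRESHOLD = 1.5  # assumption: below this, interrupts are not being batched


def parse_interrupts(text: str) -> dict:
    """Map IRQ device name -> interrupt count summed over all CPU columns."""
    totals = {}
    for line in text.splitlines()[1:]:           # first line is the CPU header
        parts = line.split()
        if len(parts) < 3 or not parts[0].endswith(":"):
            continue
        counts = []
        for tok in parts[1:]:
            if not tok.isdigit():
                break                             # chip/type column reached
            counts.append(int(tok))
        totals[parts[-1]] = totals.get(parts[-1], 0) + sum(counts)
    return totals


def parse_net_dev(text: str) -> dict:
    """Map interface name -> received packet count (2nd receive column)."""
    rx = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        name, rest = line.split(":", 1)
        fields = rest.split()
        if len(fields) < 2 or not fields[1].isdigit():
            continue
        rx[name.strip()] = int(fields[1])
    return rx


def packets_per_interrupt(irq_before, irq_after, dev_before, dev_after) -> dict:
    """Received packets per interrupt, per interface, between the snapshots."""
    ratios = {}
    for ifname, pkts_after in dev_after.items():
        if ifname not in irq_before or ifname not in irq_after:
            continue                              # no IRQ line named after it
        d_irq = irq_after[ifname] - irq_before[ifname]
        if d_irq <= 0:
            continue                              # idle interface, nothing to judge
        ratios[ifname] = (pkts_after - dev_before.get(ifname, 0)) / d_irq
    return ratios


def judge(ratio: float) -> str:
    if ratio < NAPI_THRESHOLD:
        return "one interrupt per packet: NAPI polling not in effect"
    return "multiple packets per interrupt: polling is batching work"


def report(irq_before, irq_after, dev_before, dev_after) -> dict:
    r = packets_per_interrupt(parse_interrupts(irq_before), parse_interrupts(irq_after),
                              parse_net_dev(dev_before), parse_net_dev(dev_after))
    return {ifname: (round(ratio, 2), judge(ratio)) for ifname, ratio in r.items()}


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--live":
        # Real run: sample the two /proc files ten seconds apart while the box is loaded.
        snap = lambda: (open("/proc/interrupts").read(), open("/proc/net/dev").read())
        irq0, dev0 = snap()
        time.sleep(10)
        irq1, dev1 = snap()
        result = report(irq0, irq1, dev0, dev1)
    else:
        result = report(IRQ_BEFORE, IRQ_AFTER, DEV_BEFORE, DEV_AFTER)
    for ifname, (ratio, verdict) in sorted(result.items()):
        print(f"{ifname}: {ratio} packets/interrupt ({verdict})")
```

The measurement only means something while traffic is flowing: at idle, a NAPI driver also takes one interrupt per packet, so sample during the hping2 run, not before it.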
[leaf-user] Strange problem, please help
Hi all,

We are experiencing a very strange problem and would like some help. We have a LEAF based box (actually a Lince box, kernel 2.4.26) running as a bridge with 8 gigabit ethernets, P4 3Ghz, 2GB RAM. 4 of them share the same PCI Express bus and the other 4 a different PCI bus. We have NAPI enabled on all ethernets and IRQ moderation enabled (dynamic).

Some ASCII art before proceeding:

    Router 1      Router 2
       |             |
       ---- Switch ----
              |
          Firewall

Both routers use HSRP from Cisco to share information about who is alive. This app uses multicast UDP packets to the 224.0.0.1 address, port 1985.

The problem is, after a while (1 or 2 minutes) the CPU reaches 100% (0.99 load, 99% system) with the process ksoftirqd_CPU0 reaching 99%. Using iptraf we discover ethernets 4 to 7 (the ones that share the PCI bus) are at full speed. The traffic is on port 1985 and comes from the 2 virtual IPs of the redundant routers. It seems they enter an infinite loop and completely kill the system. BTW, the only used ethernets are 0 and 1, both on the PCI-X bus, and eth2 and eth3 seem unaffected (no traffic). Bear in mind, real traffic on eth0 and eth1 doesn't surpass 1Mbps. Also, no service is provided at this point, not even firewalling. The problem appears with and without STP activated and we have verified there is no loop in the network.

If we disable ethernets 4 to 7 (ip link set ethx down) the problem seems to disappear, but we are not sure as we didn't want to disturb the client more time (actually, for 15 minutes the problem didn't appear, while the other way it appeared in much less than 5 minutes). In this case, even activating things like a NetFlow probe on eth0 doesn't disturb the system at all.

The same problem seems to appear with a Via 1Ghz box with 4 Realtek ethernets and around 4Mbps of traffic (this system was placed under heavier load, and as the problem appeared, we tested with the big one). When the problem appeared this box was so slow we could not even make an ssh session so we don't know if this is the same problem (but bet it is).

So, some questions:

1) Is this related to running as a bridge? Would this problem disappear if we used a pseudo bridge (proxy ARP)?

2) Can such a beast sustain 8 ethernets as a single bridge? Bear in mind they don't have gigabit traffic, they just use gigabit ethernets :) What's the limit for a Linux bridge?

3) As this traffic is only needed on both routers but doesn't need to pass through the firewall, will dropping it on eth0 solve the problem? (That way there is no way the packets enter into other ethernet ports.) What would happen with other multicast based apps? Would they need to be dropped too?

Very thankful in advance. Regards.
-- 
Jaime Nebrera - [EMAIL PROTECTED]
Consultor TI - ENEO Tecnologia SL
Telf.- 95 455 40 62 - 619 04 55 18
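A way to see the symptom described in this post in numbers rather than by watching iptraf, as an added example that is not part of the original post: HSRP hellos (UDP to 224.0.0.1 port 1985) arrive at most a few times per second per router, so any bridge port on which they show up at hundreds or thousands per second is replicating them. The script reads a simplified per-interface packet log and flags the ports whose HSRP rate is far above hello cadence. The one-line-per-packet log format, the 50 packets/second threshold and the sample capture are all constructed for the example.

```python
"""Flag bridge ports carrying an HSRP multicast storm.

Added example, not part of the original list post. Reads a constructed
per-interface packet log (timestamp, interface, src:port > dst:port,
protocol; the format is invented for this example) and reports every
interface whose HSRP hello rate is far beyond the protocol's normal
cadence. HSRP routers send a hello every 3 seconds by default, so even
two routers give well under 1 packet/s per port; the 50 pps threshold
is a chosen value with a wide safety margin.
"""
from collections import defaultdict

HSRP_DST = "224.0.0.1"
HSRP_PORT = 1985
STORM_PPS = 50.0          # assumption: nothing near this rate is hello traffic


def parse_line(line: str) -> dict:
    """Split one constructed log line into its fields."""
    ts, iface, src, _arrow, dst, proto = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": float(ts), "iface": iface, "src": src.rsplit(":", 1)[0],
            "dst": dst_ip, "dport": int(dst_port), "proto": proto}


def is_hsrp(pkt: dict) -> bool:
    return (pkt["proto"] == "UDP" and pkt["dst"] == HSRP_DST
            and pkt["dport"] == HSRP_PORT)


def hsrp_rate_per_iface(log_text: str) -> dict:
    """{iface: HSRP packets per second} over the log's time span.

    A log shorter than one second is treated as a one-second window so a
    short burst is not inflated by dividing by a tiny span.
    """
    counts = defaultdict(int)
    t_min = t_max = None
    for line in log_text.splitlines():
        if not line.strip():
            continue
        pkt = parse_line(line)
        t_min = pkt["ts"] if t_min is None else min(t_min, pkt["ts"])
        t_max = pkt["ts"] if t_max is None else max(t_max, pkt["ts"])
        if is_hsrp(pkt):
            counts[pkt["iface"]] += 1
    span = max(t_max - t_min, 1.0) if t_min is not None else 1.0
    return {iface: n / span for iface, n in counts.items()}


def storm_ports(log_text: str) -> list:
    """Interfaces whose HSRP rate is at or above STORM_PPS, busiest first."""
    rates = hsrp_rate_per_iface(log_text)
    return sorted((i for i, r in rates.items() if r >= STORM_PPS),
                  key=lambda i: -rates[i])


def sample_log() -> str:
    """Constructed capture: two normal hellos on eth0, a storm on eth4/eth5."""
    lines = ["0.000 eth0 10.0.0.2:1985 > 224.0.0.1:1985 UDP",
             "0.100 eth0 10.0.0.3:1985 > 224.0.0.1:1985 UDP",
             "0.200 eth0 10.0.0.50:443 > 10.0.0.60:51000 TCP"]
    lines += [f"0.{i:03d} eth4 10.0.0.2:1985 > 224.0.0.1:1985 UDP" for i in range(300)]
    lines += [f"0.{i:03d} eth5 10.0.0.3:1985 > 224.0.0.1:1985 UDP" for i in range(200)]
    return "\n".join(lines)


if __name__ == "__main__":
    log = sample_log()
    for iface, rate in sorted(hsrp_rate_per_iface(log).items()):
        print(f"{iface}: {rate:.0f} HSRP pkt/s")
    print("storm on:", ", ".join(storm_ports(log)) or "none")
```

Once the offending ports are known, the same classifier (UDP, destination 224.0.0.1, port 1985) is the match you would use in an ebtables or iptables rule to keep the hellos on the segment where the routers need them, which is what question 3 in the post is asking about.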
[leaf-user] Firewall failover
Hi all,

We are investigating firewall failover design. I have searched the net and found that projects like LVS have it mostly solved for their side but that netfilter lacks it. Of course, a simple failover of the firewall is available using things like VRRP (KeepAlive software) but without state synchronization, and that is precisely the part we need to investigate. Is this issue solved in netfilter? How? Any ideas? Does it work with kernel 2.4? Bear in mind I'm not talking about ISP redundancy but the firewall itself, if possible set up as an active/active failover solution.

Thanks in advance. Regards.
-- 
Jaime Nebrera - [EMAIL PROTECTED]
Consultor TI - ENEO Tecnologia SL
Telf.- 95 455 40 62 - 619 04 55 18
[leaf-user] ksoftirqd_CPU0 extreme CPU usage
Hi all,

We are experiencing severe CPU usage in a LEAF based system. Using top we see ksoftirqd_CPU0 is using a lot of CPU (around 50%). The CPU as a whole is at 95%. Any clue what this process is for? Is it possible to disable it? Searching in Google I have found there was a bug in the kernel. Do you know since what version this bug has been solved in the standard kernel? Also, I have seen it is possible to disable HIL in the kernel as it is a headless system.

Please, it's quite urgent. As always, VERY thankful in advance.

BTW, the box is a Via Eden 1Ghz with 256MB RAM

Regards
[leaf-user] ksoftirqd_CPU0 extreme CPU usage and latency
Hi all,

We are experiencing severe CPU usage in a LEAF based system. Using top we see ksoftirqd_CPU0 is using a lot of CPU (around 50%) while the system tops almost 95%. Any clue what this process is for? Is it possible to disable it? Searching in Google I have found there was a bug in the kernel. Do you know since what version this bug has been solved in the standard kernel? Also, I have seen it is possible to disable HIL in the kernel as it is a headless system.

Please, it's quite urgent. As always, VERY thankful in advance.

BTW, the box is a Via Eden 1Ghz with 256MB RAM and Realtek chipsets

Regards
-- 
Jaime Nebrera - [EMAIL PROTECTED]
Consultor TI - ENEO Tecnologia SL
Telf.- 95 455 40 62 - 619 04 55 18
[leaf-user] Some stupid question (IPSec VPN)
Hi all,

Just a fast stupid question. I want to create a lot (~20) of LAN to LAN tunnels using OpenSwan. Do I need an ipsec device for each one? From memory, the default kernel comes with 4 of such devices; do you need to recompile to get more? Also, on this same machine I want to establish a roadwarrior - LAN scenario with around 10 users. Again, do I need an ipsec device for each one?

Very thankful in advance.

PS.- Yes, I know I should ask in the OpenSwan list, but I'm already subscribed to a lot of lists and don't want to subscribe to a new one just for one question :)
-- 
Jaime Nebrera - [EMAIL PROTECTED]
[leaf-user] Updated Kernel with IPSec and grsecurity
Hi all,

We are trying to compile a more recent kernel (say 2.4.22 or afterwards) with support for both FreeSWAN AND grsecurity without luck. At this moment we are using the stock 2.4.22 kernel with the last 1.99 FreeSwan available and 1.9.13 grsecurity, but no way, we can't get it to compile using a gcc 3.2 compiler (Gentoo 1.4 system). Has anybody done this? Any clue?

Thanks in advance. Regards.
-- 
Jaime Nebrera - [EMAIL PROTECTED]
Re: [leaf-user] LEAF on compact flash
Hi John,

> Does anyone have LEAF images that can be 'dd' onto a CF card? What size ones are needed?

Lince is just a branch of Bering that makes it easier to install it in devices bigger than a floppy. In our case we developed it precisely to run on a CF. You just need to install Quagga. Just follow the installer and it should install on a CF.

We are working on a quite improved release, based on cramfs and with some updates applied (newer kernel and so on). Actually we have it ready; we have just not made it public, waiting for the GUI to be ready for real usage (testing it right now). As always the core system will be GPL and available on SF, but the GUI will be closed source. The core can work without the GUI as always. So our next steps regarding Lince will be:

1) Finish GUI tests (almost done)
2) Release image and GUI for paying customers
3) Sell preinstalled Lince (with or without GUI) boxes based on embedded systems
4) A bit later release the GPL Lince core on SF (you can pay for the GUI later on if you want to)
5) Give VAR members of this list the chance to buy OEM and branded versions of the GUI and the box

So for those of you that want to be on a complete GPL side, you will always have the choice to go to SF and download it. We will give part of our sales to the members of the LEAF team to contribute to the development of the GPL core (besides contributing code ourselves).

You can see a screenshot of the GUI here: http://www.eneotecnologia.com/pantallazolince.png
You can see pictures of the box here: http://www.eneotecnologia.com/soho_fotos.html

Sorry, there is no more information on the website as we are just preparing to start this process.

Regards
-- 
Jaime Nebrera - [EMAIL PROTECTED]
Re: [leaf-user] Safe transparent proxying via DS1.02 and Squid
Hi again,

> I notified my ISP as soon as I realized that my bandwidth is maxed out and my private net has nothing to do with it.

This just confirms my previous post.

> What is physically evident is that, during my tests, my external device kept on blinking like mad. Issuing an 'ifconfig' command shows that RX and TX packets of the external device kept on incrementing while the internal RX/TX isn't moving at all. This shows that unwanted packets are simply flowing into the box then back out again (perhaps to the spam target/s), without touching my private net.

Exactly, this also confirms that the webmail system is not affected at all. You have an OPEN RELAY proxy. The abuser just asks for a page (incoming traffic on your external interface), the proxy accepts and connects to it (outgoing traffic on the outside interface). The internal interface is not touched at all :)

> Then my ISP forwarded me this:
>
> [...]
> > PLEASE shut down this abusive user. This user has open proxies running on port 80. The proxycheck program clearly shows the open proxy port:
> >
> > [EMAIL PROTECTED] pck XXX.XXX.XXX.XXX
> > To check: hosts=1, proto:ports=63, host:proto:ports=63
> > XXX.XXX.XXX.XXX:hc:80: HTTP request successeful (200)
> > XXX.XXX.XXX.XXX hc:80 open
> > NumOpen=1(1) NRead=119 Time=23

Your ISP has detected the open relay proxy :)

> At present I'm scouring the net for info on how to go about with this. This is really embarrassing as I had no idea that having an open proxy server is a no-no. (http://theproxyconnection.com/openproxy.html)

Please, understand a reverse proxy is not the same as an open relay proxy. A reverse proxy is just a proxy that acts as a web server, listening on port 80. The difference is it only accepts URLs behind the proxy. An open relay proxy is configured exactly the same BUT accepts any URL.

> But it is my requirement to allow EVERYBODY to be able to access my web server in the private net.

A reverse proxy will do this.

> Perhaps some more squid howto is the answer. But further tips on tightening a firewall are also very much welcome (TIA).

Regards.

-- Jaime Nebrera - [EMAIL PROTECTED]
Re: [leaf-user] Safe transparent proxying via DS1.02 and Squid
Hi,

> I needed to perform transparent proxying wherein web clients from both public and private net can access my internal web site.

Why do you need the transparent proxy? Do you need a reverse proxy to speed up web access (local cache), do you need load balancing, do you need extra protection?

> Now my problem is that the setup ended up getting abused as it was used to send spam all over.

Do you run some kind of webmail? If the problem is spam related, most probably your users are using your webmail system to send spam. In that case, a proxy won't help you at all. You have to educate your users, impose some restrictions (like the number of emails a day a user can send) or improve your user selection. Still, nothing to do with the proxy.

But I believe most probably you have been banned because of an open proxy. In this case, your proxy does its work even with URLs that you don't control and this is bad. You have to configure the proxy to allow petitions only for those domains you control and that are BEHIND the reverse proxy.

> My IP got black listed on some sites and so on. An exact explanation of what happened is found here: http://www.fr2.cyberabuse.org/?page=abuse-proxy

Reading this page clarifies ALL. Now my guess was right. You have not been banned because of spam but because you have an OPEN RELAY proxy. Configure it properly. For local users I don't recall right now if SQUID allowed for different behaviour on different interfaces. If yes, configure it properly; if not, try to run two instances of squid or use a different box.

> My question now is, how do I get this requirement properly set? I needed to do transparent proxying at port 80 and at the same time avoid getting abused. Any hints on proper firewalling techniques, etc, on this matter are greatly appreciated.

If you need further professional assistance with this part we can help you. Just email me privately.

Regards

-- Jaime Nebrera - [EMAIL PROTECTED]
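The two squid.conf fragments below are an added illustration of the distinction drawn in the two messages above (reverse proxy that serves only what is behind it, versus an accelerator that fetches any URL a client names). They are not configuration from the thread, from DS1.02 or from the LEAF/Lince packages; they use the Squid 2.4-era accelerator directives (httpd_accel_*) because that is the Squid generation the thread is about, and 192.0.2.10 and www.example.net are placeholders for the internal server and its public name. Each fragment is a complete alternative for one squid.conf; they are shown side by side for contrast.

```conf
# ===== squid.conf, WEAK: "transparent" accelerator that answers for any host =====
# Squid 2.4 syntax (assumed). Nothing restricts where a request may go, so any
# client on the Internet can ask for http://anything/ and Squid fetches it:
# this is the open relay proxy behaviour the ISP's probe reported as "open".
http_port 80
httpd_accel_host virtual            # destination taken from the request itself
httpd_accel_port 80
httpd_accel_with_proxy on           # also acts as an ordinary forward proxy
httpd_accel_uses_host_header on     # the client-supplied Host: header picks the target
acl all src 0.0.0.0/0.0.0.0
http_access allow all               # no destination restriction at all

# ===== squid.conf, HARDENED: reverse proxy for exactly one server behind it =====
http_port 80
httpd_accel_host 192.0.2.10         # placeholder: the internal web server only
httpd_accel_port 80
httpd_accel_single_host on          # every accelerated request goes to that host
httpd_accel_with_proxy off          # refuse proxy-style (full-URL) requests
httpd_accel_uses_host_header off    # do not route on the client-supplied Host:
acl all src 0.0.0.0/0.0.0.0
acl Safe_ports port 80
acl our_server dst 192.0.2.10/255.255.255.255
acl our_names dstdomain www.example.net example.net   # placeholder public names
http_access deny !Safe_ports
http_access allow our_server
http_access allow our_names
http_access deny all                # anything else is TCP_DENIED (403) and logged
```

The `http_access deny all` at the end is the part that matters even if one of the accelerator directives is later changed: a destination that is not the server behind the proxy is refused regardless of how the request was phrased. After `squid -k reconfigure`, a request for an outside URL through the box should show up in access.log as TCP_DENIED; the probe quoted earlier in the thread reported "HTTP request successeful (200)" precisely because the open variant answered such a request.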
Re: [leaf-user] Safe transparent proxying via DS1.02 and Squid
Hi again,

> > Why do you need the transparent proxy? Do you need a reverse proxy to speed up web access (local cache), do you need load balancing, do you need extra protection?
>
> Yes, I'm using it as a reverse proxy.

Yes, but why? There are better solutions depending on what you want to achieve.

-- Jaime Nebrera - [EMAIL PROTECTED]
[leaf-user] Windows VPN newbie
Hi all,

I want to establish a net-to-net VPN using Bering as a gateway. Both ends will have Windows machines :( They want to see both nets as a whole, with all computers (remember Windows) showing in the explorer, so they can access a shared hard disk from both sites. I want to do this the easiest and cheapest way. Options being considered:

1) If possible use only one PC on each end. I don't know if they have a WNT or W200 server that could act as a WINS server, but adding a Linux box (or a couple of them) just for WINS is not desirable unless there is no other way (higher price and complexity).
2) How bad is it for security adding WINS (samba) on the gateway?
3) Even better, is it really necessary to have a WINS service? I know that for IP services (http, ftp) there is no need for it, but the users just want to see the whole as if there was no separation in the middle :)
4) What option is better, PPTP or FreeSWAN? Remember, both on the gateway/firewall. Do I need WINS if I use PPTP?

I know these are very basic questions; is there any good online documentation about these topics?

Very thankful in advance. Regards.

-- Jaime Nebrera - [EMAIL PROTECTED]
Re: [leaf-user] System for 500 users and 20MB download
Hi,

> You don't say what this router is going to do.

OK, more detailed this time. I don't have the exact specifications but will try to explain it the best I can. First of all, I have very little information yet. A friend of ours that is helping organize a local Computer Party asked us if we wanted to cooperate by placing a Lince system in it. They are just designing the infrastructure, and for us being in such a party would mean a lot of publicity and a real hard test for our little system.

This system will manage the Internet access of around 500 users and servers in a Computer Party. Other servers will provide the needed services (FTP, DHCP, Quake, ...). This system just needs to be the last frontier. This system has 3 Realtek ethernet interfaces. One will go to the WAN link (20MB) and the other two I don't know yet. The servers won't provide access from the Internet, so I don't know if they will need a DMZ. The system will do firewalling to the outside and HTB (or CBQ if too hard for the CPU) based QoS. All the inside computers will have a real public IP so NAT won't be needed. Just that.

Inside we will have very expensive and intelligent equipment from Cisco (don't know the models yet). I guess all internal 100MB traffic will be managed by them. So the LEAF system only needs to manage the Internet bandwidth. A little ASCII art :)

        INTERNET
           |
           | 20 MB
           |
         LEAF --- DMZ
           |
           | 100 MB
           |
        Cisco(s)
      | | | | | | | | |
      | | | | | | | | |   100 MB
    Internal servers and clients

> Do you want 500 users to have simultaneous Internet access?

Yes

> With NAT?

No

> DHCP?

No

> With two cards, 2 LANs?

The board has 3 ethernets, but I don't know the exact configuration yet (with DMZ or two internal). I guess that placing both as internal will force the system to manage a 100MB stream and this will surely blow into pieces. So either DMZ or just leave the third interface unused.

> On a single T1?

It will be a single connection, don't know the type yet.

> Are you going to chain together 50 to 100 hubs?

I guess they are going to chain together SWITCHES and use real Cisco routers.

> A Via 533 is not going to service 100MBS total bandwidth.

I saw that. That is why the system is just at the border to manage only 20MB. All internal traffic will be managed by dedicated equipment from Cisco.

> And this sounds like downtown collision city.

All the infrastructure will be switched.

We have other options. We could use the same system but with 2x Intel Ethernet 10/100 and 1x Intel 10/100/1000, we could use one with 512 MB RAM or we could update the CPU to a VIA C3 800. I just want to know if the other box will be enough.

Thanks in advance. Regards.

-- Jaime Nebrera - [EMAIL PROTECTED]
Re: [leaf-user] Future development
Hi,

> I've come to the conclusion that LEAF will most likely come very close. Still:
>
> - Are there any plans on porting LEAF to the 2.4 series of kernels and, most importantly, are there any plans on replacing ipchains with iptables?

Done, Bering is the 2.4 kernel branch of LEAF

-- Jaime Nebrera Herrera [EMAIL PROTECTED]
[leaf-user] WISP and Atmel AT76C503A
Hi all,

A quick and easy question: does WISP support Atmel AT76C503A-based USB wireless devices? We are preparing an offer based on that board. If it's not directly supported but could be integrated (the tools and code are there), and the offer is approved, we could donate or pay for such a feature.

Thanks in advance. Regards.

-- Jaime Nebrera Herrera [EMAIL PROTECTED]
Re: [leaf-user] easy traffic shaping?
Hi Bryan,

Lince will do this quite easily (with htbinit). The problem is JJ, the main (and only) developer, is down with the flu and didn't get to update it from Bering 1.0 stable. I guess this week Lince 1.0 Stable will be in the download area :)

> Finally upgraded my old Eiger box to Bering. I wanted to try some traffic shaping, but I'm a bit intimidated by tc.lrp and all the shorewall stuff surrounding it. Basically all I want to do is limit my web traffic so that it cannot use more than 3/4 of my bandwidth. Anyone know an easy way to work this or have simple examples? Shapecfg seems to have gone the way of the VMS bird. Gack, I'm dating myself here, aren't I?

-- Jaime Nebrera Herrera [EMAIL PROTECTED]
Re: [leaf-user] QMail email gateway
Hi there:

> smtp without disk?

Yep

> hum ... what if your LEAF dies when the queue is not empty?? you end up losing mail!

Not really. OK, I will try to explain myself. I'm not talking about a real SMTP server but an SMTP proxy. The proxy listens on port 25 for a connection and passes it to an internal real SMTP server WITHOUT acknowledging the origin server. When the inside server receives the email and says everything is OK, the proxy tells the origin server that it was OK. So if during the process the power goes down, as you have not acknowledged the message yet, the origin server has not deleted it from its HD and will try again. We have tested it and promise it works wonders. Actually it was quite hard to find the solution as only 1 piece of software really acted as a proxy.

The beauty is, you can process the email in the proxy and scan it for viruses or antirelay or in the future antispam.

Please, just be calm, we are in the middle of a big project for our company and we haven't found time to upload the iso now that we have our CVS ready (that was just a few days ago). Also we are considering releasing just with stable 1.0 instead of 1.0rc3 with some bugfixes that we are using. It's just we are very high on the todo list.

> I believe there are 2 answers to the problem:
>
> without disk:
> * you should be able to add a DNAT line in Shorewall to forward all traffic from the Internet to the FW:25 to your Mail server:25 inside the firewall ... and configure NATing to allow your Mailserver to send mail out (or to your ISP mail relay)

Of course this solution is viable, but doesn't allow for processing in the firewall. Let's say you have an inside E2000 server (ugghhh) and want to protect it from relaying email or viruses, now you have this choice.

> with disk:
> * you can mount /dev/hdaX /var/qmail/queue in /etc/init.d/qmail start (and umount it in stop) to keep your queue on disk. The trick is to modify the /var/lib/lrp/qmail.list and qmail.exclude.list: in qmail.list replace var/qmail/queue/lock by var/qmail/queue (you need to create the mount point) and add var/qmail/queue/* in exclude.list. When performing the installation the first time, you'll have to get all the files [the ones created dynamically and the lock directory] from /var/qmail/queue to the Hard Disk.

Surely this is another option, but most of the time if the traffic is moderate you will be able to get by with our solution without moving parts :)

Regards.

-- Jaime Nebrera Herrera [EMAIL PROTECTED]
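The exchange described in the message above (the proxy never acknowledges a message until the inside server has) is easy to get wrong, so here is an added simulation of it. It is not emailrelay's code nor anything from the Lince packages: the origin MTA, the diskless proxy and the inside server are in-memory objects, the two messages are constructed test data, and the "antivirus" hook only looks for a constructed marker header. The contrast case, a diskless box that acknowledges first and relays later, is included to show exactly the mail loss the quoted objection worried about.

```python
"""Simulation of a store-less SMTP proxy versus a diskless store-and-forward relay.
Added example; the classes below are hypothetical, not emailrelay's API."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class InnerServer:
    """The real SMTP server behind the firewall; it has a disk-backed queue."""
    reachable: bool = True
    queue: List[bytes] = field(default_factory=list)

    def accept(self, message: bytes) -> str:
        if not self.reachable:
            raise ConnectionError("inner SMTP server unreachable")
        self.queue.append(message)
        return "250 2.0.0 OK: queued"


@dataclass
class OriginServer:
    """The sending MTA. SMTP reply semantics: it drops its own copy only on a
    2xx reply, keeps it for a retry on 4xx, and bounces it on 5xx."""
    outbox: List[bytes] = field(default_factory=list)
    delivered: List[bytes] = field(default_factory=list)
    bounced: List[bytes] = field(default_factory=list)

    def send_all(self, receiver) -> None:
        for message in list(self.outbox):
            reply = receiver.handle_message(message)
            if reply.startswith("2"):
                self.outbox.remove(message)
                self.delivered.append(message)
            elif reply.startswith("5"):
                self.outbox.remove(message)
                self.bounced.append(message)
            # 4xx: the message stays in outbox and is retried later


class SmtpProxy:
    """Diskless proxy: hands each message to the inner server and relays the
    inner server's verdict. It queues nothing itself, so a crash can only hit
    messages that nobody has acknowledged yet."""

    def __init__(self, inner: InnerServer,
                 scanner: Optional[Callable[[bytes], bool]] = None) -> None:
        self.inner = inner
        self.scanner = scanner  # hook for antivirus / anti-relay / anti-spam checks

    def handle_message(self, message: bytes) -> str:
        if self.scanner is not None and not self.scanner(message):
            return "550 5.7.1 message rejected by content filter"
        try:
            return self.inner.accept(message)  # 250 only after the inner 250
        except ConnectionError:
            # No ACK was given, so the origin keeps its copy and retries.
            return "451 4.3.0 inner server unavailable, try again later"


class DisklessStoreAndForward:
    """Contrast case: acknowledges first, relays later, queue only in RAM."""

    def __init__(self, inner: InnerServer) -> None:
        self.inner = inner
        self.ram_queue: List[bytes] = []

    def handle_message(self, message: bytes) -> str:
        self.ram_queue.append(message)
        return "250 2.0.0 OK: queued in RAM"   # origin now deletes its copy

    def power_loss(self) -> None:
        self.ram_queue.clear()                 # everything not yet relayed is gone


# Constructed test messages (not real mail).
CLEAN_MSG = b"From: a@example.org\r\nTo: b@example.net\r\n\r\nhello\r\n"
FLAGGED_MSG = b"From: a@example.org\r\nX-Constructed-Test: malware\r\n\r\nbad\r\n"


def looks_clean(message: bytes) -> bool:
    """Toy stand-in for the antivirus hook: reject our constructed marker."""
    return b"X-Constructed-Test: malware" not in message


def proxy_with_inner_down() -> dict:
    """Inner server unreachable: the proxy answers 451 and nothing is lost."""
    inner = InnerServer(reachable=False)
    origin = OriginServer(outbox=[CLEAN_MSG])
    origin.send_all(SmtpProxy(inner, looks_clean))
    return {"still_queued_at_origin": len(origin.outbox), "at_inner": len(inner.queue)}


def proxy_with_inner_up() -> dict:
    """Inner server up: clean mail is accepted, flagged mail is bounced at the edge."""
    inner = InnerServer()
    origin = OriginServer(outbox=[CLEAN_MSG, FLAGGED_MSG])
    origin.send_all(SmtpProxy(inner, looks_clean))
    return {"delivered": len(origin.delivered), "bounced": len(origin.bounced),
            "at_inner": len(inner.queue)}


def store_and_forward_crash() -> dict:
    """Diskless store-and-forward: a crash after the early 250 loses the mail."""
    inner = InnerServer()
    relay = DisklessStoreAndForward(inner)
    origin = OriginServer(outbox=[CLEAN_MSG])
    origin.send_all(relay)
    relay.power_loss()
    return {"origin_thinks_delivered": len(origin.delivered), "at_inner": len(inner.queue)}


if __name__ == "__main__":
    print(proxy_with_inner_down())
    print(proxy_with_inner_up())
    print(store_and_forward_crash())
```

The only state the proxy holds is the open connection pair, which is why it needs no disk: the 4xx path is what makes that safe, since a temporary failure code tells the origin to keep the message and try again rather than treating it as delivered. The 5xx path is where the antivirus or anti-relay processing the message mentions fits, rejecting at the edge before the inside server ever sees the mail.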
Re: [leaf-user] QMail email gateway
Hi Brad,

> Jamie,

Well, if I recall right, Jamie was a girl's name and Jaime is a guy's name :) Don't worry, I spent a whole year in California trying to explain the difference :P

> Can you tell us what SMTP proxy you used? A URL would be excellent. Thank you.

OK, I will exploit the surprise, it's emailrelay (http://emailrelay.sourceforge.net) but PLEASE don't jump into it and try to implement it by yourselves as we have already done so, just give us some days to prepare the iso and upload it.

Regards

-- Jaime Nebrera Herrera [EMAIL PROTECTED]
Re: [leaf-user] QMail email gateway
Hi,

> I would like to use the qmail.lrp package for Bering in a firewall/gateway capacity only to shuffle mail from my internal mail server out and deliver external mail to the mail server. I was wondering if the current package as-is is sufficient and what configuration changes might be needed? Any help or point in the right direction would be appreciated.

Or you could just wait a bit until Lince is released. We have found a great alternative for SMTP without needing a hard disk, if you have a real SMTP server inside (your own) and outside (your ISP). Mike has just created our CVS area so we will upload the iso in just a few days as soon as we get ourselves used to the SourceForge way of doing things.

Regards.

-- Jaime Nebrera Herrera [EMAIL PROTECTED]
Re: [leaf-user] Leaf LINCE
Hi,

> Great! The WP'ed SST dom would also be a great option (or CD-ROM). I'll love to check it out!

Yes, could you give me the link for that DOM?

> Out of curiosity, do you really feel the http/smtp/pop proxy should be on the firewall? I understand many people would love this option, but to many people (especially for enterprise installations) this would seem to be akin to sending invitations to hackers by filtering on the firewall.

Yes indeed. We put all those components in the Compact Flash or Hard Disk, then it is your choice what you want / need to activate, but all will be ready to go. In a small company you might end up activating all of them; in an enterprise-level company you might end up not activating any extra because you already have them in other / better hardware. Say the HTTP load balancer. If you need such a feature you surely won't activate anything but that, getting a cheap HTTP Alteon equivalent, but if you are a big company with lots of bucks you would already have an Alteon or Cisco or whatever. I don't think Linux (Leaf) can compete with such hardware, but they lack the flexibility. So we give you the Swiss army knife firewall :) You have plenty of features on it, and you decide which ones to use.

> I'm sure many of us would contribute when and if we have the time!

I know, it's just we had a very sad experience with our LUG. Leaf is already a quite active development community.

> > Things we are planning to add in the near future:
> > 1) Bridge functionality. Yes, this is done with Bering but we have never done it, need to learn how to do it.
> > 2) Proxy ARP - the same
>
> There are many of us using both of these options. The proxy-arp is easy to test if you don't mind opening the server to the internet less securely IMHO. The bridge option simply uses the box as a hub. It can be used to tie together tp-10/100, bnc, fiber, etc..., however tp-to-tp testing would be adequate.
>
> > 3) HTTP load balancer.- We are just awaiting somebody will pay us to do this :)
> > 4) SNORT, inline SNORT, high availability (heartbeat),
>
> David D/Oxygen has a snort package available, though I have not used it personally.

We have a volunteer that is working on this side. We might end up with a snort sensor or, as another option, with hogwash to make an inline IDS capable of dropping packets based on IDS signatures (the only way to protect an exploitable server).

> Many of us are doing this, in various degrees. Best of luck to succeeding in your project, I hope to someday do the same successfully!

Yes I know, it's the beauty of OS. We all try to compete in the same business but at the same time need to collaborate :) Here in Spain Barahona, one of the OS evangelists, gives a little talk on just that and it is really incredible. Also, it's quite easier to get real knowledge because you end up knowing how the guts of it go.

Regards

-- Jaime Nebrera Herrera [EMAIL PROTECTED]
Re: [leaf-user] Leaf LINCE
Hi Sebastiano,

> am I wrong or somebody recently wrote about a future Leaf branch called LINCE? Can anybody give more details? I'm so curious

I'm the Project Manager of the LINCE release. We are just waiting to solve a couple of problems with our CVS area to upload the iso image.

LINCE is just a Bering distribution on steroids oriented to a Compact Flash (or Hard Disk) system. Bering is just wonderful but it lacks some features a professional firewall might need. BTW, it's based on glibc 2.2.

For example we have done already:

1) Easy installation of Bering or LINCE from a CD installer (it's provided as an iso image). All Bering packages in a convenient place (the iso).
2) Most popular ethernet adapters loaded by default
3) HTB QoS through htbinit
4) SQUID 2.4Stable6 configured to run in memory
5) SMTP Proxy for Antivirus (FPROT done), antirelay or antispam (this one not done yet)
6) POP3 transparent proxy for antivirus (FPROT)
7) Web content filter (IP, URL, words, MIME, PICS)
8) IPSec with FreeSWAN

We don't know if all this will be released at the first moment, or just in future releases (first we need to try to sell them to other people :))) but they will come, specially if this community helps us getting some of that functionality done. All this is already there (except IPSec, which we are working on now) and runs without the need for a hard disk.

The project idea is to make a professional firewall with open software. All these features are not activated by default (don't activate anything you don't need) but they are installed in the Compact Flash for rapid deployment.

Things we are planning to add in the near future:

1) Bridge functionality. Yes, this is done with Bering but we have never done it, need to learn how to do it.
2) Proxy ARP - the same
3) HTTP load balancer.- We are just awaiting somebody will pay us to do this :)
4) SNORT, inline SNORT, high availability (heartbeat),

I think it's just a great project, so keep in touch !!

If you want to see more details of the project in Spanish you can go to: http://www.eneotecnologia.com/proyectos_lince.html

We plan to live from improving this platform (somebody will pay us to add some functionality), giving support, selling preassembled systems (you can see great pictures of the box at http://www.eneotecnologia.com/soho_fotos.html) and so on, well you get the point.

That's all folks ! :)

Regards.

BTW, we have to update to 1.0stable. Great job guys :) We were just using rc3 with bugs solved.

-- Jaime Nebrera Herrera [EMAIL PROTECTED]
Re: [leaf-user] Leaf LINCE
Hi,

> After reading this, I'm a bit confused. Is it a commercial or opensource product?

It's a commercial-quality opensourced project. That is, we want to mimic the best functionality around but keep it as opensource as possible. Of course, some parts of it are closed source, antivirus, but the hook to the antivirus engine is opensource.

The difference is we plan to provide support and sell it already installed in great hardware. Also, we plan to make custom development, say you want us to add HTTP load balancing with session control. We need to devote company resources to such a task and will charge you for that, but then provide it for free to the community.

Of course, not everything is money. As part of our contribution to the great Leaf project we will provide quite a bit of functionality already in the first image. We have made an easy Bering (or Lince) installer, we have added htbinit for QoS, we provide those lurky modifications you need to install it right away in a hard disk, and so on. As we hope this will catch some attention in this list, and as new features are developed by the community, we will release more code ourselves. Also, if our business model succeeds, we plan to donate money and resources to this great community. Say hosting space, hardware, $$$, whatever. This way we will just thank in a clear way those efforts done in Leaf.

If you know coyotelinux, it is more or less the same stuff but with a big difference: we won't restrict the downloading. Once a feature has been developed and paid for (say in money, say in other functionality) we will release more code into the public SourceForge area. FE, we might be interested in zebra integration. We could do it ourselves, or somebody could provide it (I don't care if that coder is getting paid or not for his job). In exchange we will release a new feature, and so on. So if the community really involves itself in developing and testing we will provide much more code than if they just wait and wait.

We have already devoted a 3 month period of coding from my partner and friend. He has implemented all the points I said in a prior email; we are just eager to make them public as this project evolves, but don't expect us to make ALL public the first time. We had such an experience with our local LUG and it was really frustrating to see a 0 code contribution when you gave them quite a bit of resources.

Thanks in advance.

-- Jaime Nebrera Herrera [EMAIL PROTECTED]
Re: [leaf-user] bandwidth management.
Hi,

> Has anyone used htbinit.lrp? I've downloaded it and it gives a script error when executed. Google search gave me a Chinese/Korean site that had this.

We expect to upload a new Leaf branch called LINCE with htbinit support and easy installation in HD or Compact Flash very soon.

> I'm looking at setting up a LEAF Bering box as a bridge between my LAN and my existing CISCO PIX VPN/FW router. I want to use LEAF as a bandwidth manager alone. Reason for bridge is ease of plugging in and out this box in case something does not work too well during trials without reconfiguring the network.

Well, if you could provide us with the details of how you make it work it would be great !!!

-- Jaime Nebrera Herrera [EMAIL PROTECTED]
[leaf-user] Sharing Internet access privatelly
Hi all,

We are planning to use LEAF Bering to provide shared Internet access to a whole home area. The Internet access will be provided by a 4Mb radiofrequency access to SKN. Internally, all the users will use wireless devices to access a wireless bridge, then the firewall, then the Internet. All users will have a public IP, all in the same IP range. OK, this is quite easy to set up, and it's already done (with QoS too).

The problem comes when we want to do it in a more private way. I don't know yet how the wireless access point behaves, as we have been contracted just for the firewall side, but if we can, we would like to protect users from each other even if that device does it too. The main reason is we don't know yet if the wireless device is capable of routing a packet from one user to the other user or it has to go through the firewall. In the second case it is quite easy, as we would just set up the corresponding firewall rules to separate the different users. The problem comes if this device has more intelligence and tries to send the packet by itself. It is more or less the same situation cable providers have, but in wireless.

We have tried to assign a 255.255.255.255 netmask but it doesn't work (funny, with ppp it does work). Any ideas? Please remember to use as few IPs as possible as we have to pay for them :( The first choice was to provide by DHCP pairs of IPs that with the correct mask make a 2-computer network, but this uses a lot of IPs and forces us to set up the firewall with a lot of virtual IPs on the internal interface. Any other idea?

Thanks in advance.

-- Jaime Nebrera Herrera [EMAIL PROTECTED]