Re: [leaf-user] Netflow type output from leaf-bering machine

2006-05-09 Thread Jaime Nebrera
  Hi Ad,

> I've done some search and have found a bunch of information about collecting
> netflows from cisco etc etc.
> What I'm after is there any application that would have my leaf bering
> machine OUTPUT netflow information. So I can collect the flows from my leaf
> router in another application. As I have replaced my old beat up cisco with
> a nice new bering-uclibc machine :)

  We have been using nprobe from ntop.org (yes, you have to pay for it
even when GPL, but it is a great way to support its development and is not
that expensive) for about a couple of years in production environments
using embedded systems without a hitch. I definitely recommend that one.
fprobe is also OK, as are many others, but nprobe was designed from the
beginning for embedded systems and we like that.

  For the collector IMHO the situation is a bit worse as there is no
real option capable of doing advanced stuff. Yes, plenty of RRD stuff
but nothing else. We even developed our own commercial collector just
because of this :)

  Regards

-- 
Jaime Nebrera - [EMAIL PROTECTED]
Consultor TI - ENEO Tecnologia SL
Pol. PISA - C/ Manufactura 6, P1, 3B
Mairena del Aljarafe - 41927 - Sevilla
Telf.- 955 60 11 60 / 619 04 55 18




leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/


[leaf-user] [OT] VRRP on dedicated interface

2005-12-02 Thread Jaime Nebrera
  Hi all,

  A bit off-topic question: do you know if it is possible to send VRRP
syncing messages through a different, dedicated interface than the real
interface the VIP is attached to?

  We use keepalived and don't want to flood the internal network with VRRP
messages.

  Thanks and sorry for the OT.

-- 
Jaime Nebrera - [EMAIL PROTECTED]
Consultor TI - ENEO Tecnologia SL
Pol. PISA - C/ Manufactura 6, P1, 3B
Mairena del Aljarafe - 41927 - Sevilla
Telf.- 955 60 11 60 / 619 04 55 18





Re: [leaf-user] Bering uClibc HA

2005-11-10 Thread Jaime Nebrera
  Hi Markus,

> can you give me some hints for a firewall/gateway HA solution based on
> two Bering uClibc 2.3 boxes. I've seen keepalived.lrp, but for
> connection state synchronisation I need also ct_sync kernel module from
> netfilter-ha project. Can I get somewhere this kernel module for Bering
> uClibc 2.3? Has somebody a howto for a Bering uClibc HA solution?

  ct_sync is really a mess; I don't know many people who use it.

-- 
Jaime Nebrera - [EMAIL PROTECTED]
Consultor TI - ENEO Tecnologia SL
Telf.- 619 04 55 18





[leaf-user] High End QoS

2005-10-27 Thread Jaime Nebrera
  Hi all,

  I write to this list as it's full of networking experts.

  A client asked if it was possible to replace a very expensive QoS
appliance with a Linux box to make QoS on a big network. Sustained
traffic is around 400Mbps and they need around 1000 QoS classes.

  Some thoughts on this:

  1) Of course we will purchase the fastest box we can find around, dual
xeon and such.

  2) As the system runs as a bridge we are kind of scared to use 2.6
kernel as it seems quite unstable in that mode.

  3) Instead of using standard QoS classification (linear) we were
thinking about using the classify target in shorewall and using all its zone
decision tree power. That way, we still have all those classes, but they are
not read linearly; some logic is applied in the tree.

  4) As this box ideally would include a netflow probe, we were thinking
about using pf_ring kernel patch. Any experience in the list using this
patch with a system that is both a probe and QoS?

  5) We were thinking about using hipac, but we don't know if it supports
the classify target. Do you know if it does?

  Any ideas will be REALLY appreciated.

  Thanks in advance. Regards.

-- 
Jaime Nebrera - [EMAIL PROTECTED]
Consultor TI - ENEO Tecnologia SL
Telf.- 619 04 55 18





Re: [leaf-user] LEAF Project QBox Launched

2005-10-25 Thread Jaime Nebrera
  Hi Ron,

> We are now launching a new product (open source - free - GPL) called
> QBox. Qbox is a plug and play network appliance for traffic shaping
> and uses LEAF as its build and (for now) the PC Engines WRAP board as
> the hardware.
>
> If anyone would like to check out the website and tell me what you
> think I would really appreciate it. My goal here is to try and give
> something back to the open source community.

  Where is it?

-- 
Jaime Nebrera - [EMAIL PROTECTED]
Consultor TI - ENEO Tecnologia SL
Telf.- 619 04 55 18





Re: [leaf-user] Wanted: easy way to see load over time

2005-07-28 Thread Jaime Nebrera
  Hi,

> A very effective but not so easy way to see exactly what sort of traffic
> your router has been moving, is to install a NetFlow probe on your
> router. It will forward flows to a NetFlow collector, permitting further
> analysis and graphing on the traffic. You would then be able to
> categorize the traffic (for example http/ftp/mail/p2p/other for in/out,
> by host/subnet, period of time) quite precisely.
>
> Some pointers:
> * A NetFlow probe that runs on Bering-uClibc: fprobe-ulog (I compiled it
> successfully but no extensive tests done) [1]

  We are currently using nprobe without any problem in various
production environments in the Lince branch.

> * A NetFlow collector / processor: NfDump [2]

  There are plenty of those.

> * A NetFlow web-based reporting engine: NfSen [3]

  We have developed our own (proprietary) as none of the open source
alternatives had the features we needed. You can see some screens at:

http://www.eneotecnologia.com/mambo/ => Software => Eneo Flow => View
screen

  Hope it helps.

-- 
Jaime Nebrera - [EMAIL PROTECTED]
Consultor TI - ENEO Tecnologia SL
Telf.- 95 455 40 62 - 619 04 55 18





RE: [leaf-user] multiple static ip address router/firewall

2005-07-14 Thread Jaime Nebrera
On Thu, 14-07-2005 at 11:18 -0500, Andrew Nance wrote:
> It is hard to estimate but somewhere around 750 Kbps to 1.5 Mbps total
> bandwidth.

  From the graph, you see the WRAP box is capable of sustaining around 4Mbps
for 50 firewall rules (1500 PPS and 350 bytes/packet). I think you could
live with it :)

-- 
Jaime Nebrera - [EMAIL PROTECTED]
Consultor TI - ENEO Tecnologia SL
Telf.- 95 455 40 62 - 619 04 55 18





[leaf-user] Firewall performance graph

2005-07-11 Thread Jaime Nebrera
  Hi all,

  For all people just testing firewall performance.

  We are in the process of publishing some graphs regarding firewall
performance (mainly in low end hardware). We have compared mainly Linux
(2.4.30 and 2.6.11) and FreeBSD (m0n0wall) on a Geode 266, Via 533 and
Via 1Ghz all with Realtek 8139 ethernets.

  You can see the first results in:

http://www.eneotecnologia.com/archivos/Firewall_512.png

  Some comments on the experiment:

  1) We tested this with a much better box (P4 3Ghz, PCIE, Marvel
chipset), but currently we don't have access to it. It supported more
than 10,000 consecutive rules for 1,200 pps, but we had to give this
hardware to our client and can't test any more.

  2) We have to make the same tests with 1500 byte and 64 byte
packets.

  3) Traffic was generated from a few PCs (sorry, we couldn't create more
traffic at the moment) using hping2. Traffic was UDP to port 80.

  4) The rules value means the number of non-matching rules before the matching
rule.

  Some comments on results:

  A) We are unable to determine if we are using NAPI or not on these
boxes. We tested 2.4.23 too with the same results. After some reading,
we discovered the driver needs to support NAPI too, but after finding
what seems a valid one (ftp://ftp.ovh.net/made-in-ovh/kernel/) we don't
get better results (neither for 2.4.30 nor 2.6.11). We need some help to
see if we are really using NAPI on these boxes.

  B) Linux 2.6.11 and 2.4.30 show more or less the same behavior (?)

  C) All Linux versions seem to hit a wall around 800 rules. This is a known
limit in the current iptables / netfilter design (see Hi-PAC and others).
With the better box this wall was much further away. Also, this limit
is quite similar with different CPUs (Geode 266, Via 533, Via 1Ghz) and
is shared on all boxes that use Realtek chipsets (we are about to test it
with a P4 2.1Ghz Realtek). Maybe a problem of the driver? Maybe the lack
of NAPI even when it is supposed to be used?

  D) FreeBSD (actually I don't know what BSD m0n0wall uses) is much more
linear and predictable in its behavior, standing up to higher loads.

  What do you think? Any comments? Any help?

  Hope it helps. Regards.

-- 
Jaime Nebrera - [EMAIL PROTECTED]
Consultor TI - ENEO Tecnologia SL
Telf.- 95 455 40 62 - 619 04 55 18





RE: [leaf-user] lets talk about something--anything!

2005-06-30 Thread Jaime Nebrera
  Hi James and others,

> One tricky thing I've found as a Windows & LEAF user is the wall of
> choice when it comes to picking which Linux distro to add to my WinXP
> machine for the purpose of building for LEAF.

  Well, we are developing a new branch for Lince based on GNAP (Gentoo
Network Appliances). They provide quite a lot of info regarding a build
environment (of course not just a Live CD :))

> Would it be feasible to create another LEAF branch but one for running
> buildtool and creating the disk image, not for actually being a
> firewall/router device? A bootable CD perhaps. Or a USB mass storage
> device. That would be perfect. A Bering-uClibc compile environment on a
> USB data key.

  Sure, as others have commented, the main problem is lack of time. In
our case we have decided to depart completely from Debian as all our
systems run Gentoo and we need to have a virtual machine just to keep
compiling for Lince :)

> And speaking of idiot images for CF/HDDs. If it's not possible to have a
> generic image because of the many different hardware configurations out
> there, would it not be possible to create an installer? Full blown
> distros have them. Maybe we then just hit the problem of if you need
> that sort of support why not just buy a home cable/DSL router and be
> done. :\

  Well, the first Lince version was more or less that without the
installer. You had it all in an iso image and it was quite easy to install (we
even made it bootable, you just needed to choose where to write the
image :))

  In our case, we didn't invest any time on hardware detection as all our
boxes are pretty much the same.

  So we are about to release the new version of Lince, but before that we
have to solve a problem we have encountered with NAPI support on Realtek
chipsets. It seems Realtek doesn't use NAPI on 2.4 but we have found a
patch that includes that functionality. The problem is, after some
testing we don't see any difference with / without NAPI and we don't know
if the patch is wrong or we are doing something wrong and are not
activating this feature. Any help on that will accelerate the public
day :)

  Questions:

  * How do we know if NAPI is being used?
  * Is this patch working for anybody?
  * Will upgrading to kernel 2.6 solve this NAPI problem on realteks?

  Very thankful in advance. Regards

PS.- Realtek NAPI Patch ftp://ftp.ovh.net/made-in-ovh/kernel/

-- 
Jaime Nebrera - [EMAIL PROTECTED]
Consultor TI - ENEO Tecnologia SL
Telf.- 95 455 40 62 - 619 04 55 18





[leaf-user] Lince future (was lets talk about something--anything!)

2005-06-28 Thread Jaime Nebrera
  Hi all,

  As main coordinator of the Lince project (Juan Jesus is its main
developer) I want to comment on the future of Lince as it has been mentioned
in this list lately.

  Some of the features some people are asking about in the list (mainly
easy, durable updates and flexibility) have been incorporated in
Lince, but this release has not been made public. The reason? In this
time our company has gone through a major redo and it has been very hard to explain
to our business angels that it was a good idea to release to the public
something we have done and are charging our clients for :)

  In this time we have been mainly busy discussing this, and at the end
we have reached an agreement. Most probably we will release to the
public old releases and keep current ones to our paid customers. We are
planning on a new public release in about a week or so.

  So what's new in Lince?

  1) As said when Lince was born, we keep to the idea of including more
software than standard leaf. The reason is we use Compact Flash as
storage system and these days 128MB is really cheap. So some decisions
and features are not very polished, we could reduce space a bit more,
but frankly, we don't care, we have plenty of space to use :) Currently we
are migrating Lince from a Leaf based glibc distro to a GNAP uClibc
based distro (Gentoo), so this public release might be one of the last
to be done based on Debian.

  2) Even when we think of Lince as a whole (firmware) sometimes we have
needed to include extra packages, that's why it is still compatible with old
lrp style packages (now supports cloop, cramfs and lrp packages).

  3) We have developed our own proprietary Management App in JAVA called
MarteGUI. Currently it manages all aspects of Lince. Still, it's possible
to use Lince without this management app (actually, that's what we
release to the public). This app is done in such a way that we don't need
to modify the core system. We pack Lince and this app in some hardware
appliances that we sell to our clients (as a box or as a managed
service). You can see pictures of the boxes and software in
www.eneotecnologia.com/mambo/ - Hardware / Software. BTW, the app is in
English too and we are seeking resellers :)

  4) Lince (core) currently has the following features:

  * Standard and bridged system
  * Advanced firewall (Shorewall 2.4)
  * QoS
  * NetFlow Probe
  * Automatic update (via http)
  * Web proxy and filtering
  * Web user auth (LDAP, MSAD)
  * High availability (VRRP and STP)
  * Load Balancing (IPVS)
  * IPSec VPN

  All of them are managed from the GUI but can be managed without it.

  We are releasing this to the public again as a way to foster
development around Lince. If we have success on this and some people
step forward and give us a hand, we will continue releasing Lince to the
public. We could even pay for this help for long term contributors with
our software :) If not, well, we will need to discuss this topic again
with the investors :(

  5) We are currently working on:

  * Snort Inline integration
  * IPVS synchronization between different load balancers

  As said, we intend to stay using Debian for a short time, just until
we get GNAP working properly. That means porting to 2.6 and many others,
but this needs a different email :)

  What do you think? Good enough to increase the emails in the
list? :)

  Regards

-- 
Jaime Nebrera - [EMAIL PROTECTED]
Consultor TI - ENEO Tecnologia SL
Telf.- 95 455 40 62 - 619 04 55 18





Re: [leaf-user] Lince future (was lets talk about something--anything!)

2005-06-28 Thread Jaime Nebrera
  Hi Paul,

> Do you have a strategy for doing this while remaining compliant with the
> terms of the software you have licensed (the GPL)?

  Yes, we have been very careful on that. Actually all of the code in
the core system (what you know as Lince) is under GPL, LGPL, BSD
except antivirus (if used). We have done some improvements to some of
the GPL apps used but they are in the core too as GPL (of course).

  MarteGUI is just a manager that connects to a system, downloads a
config database, parses new configuration files, copies them to the
system and restarts services as needed. In essence, it mimics the
commands the admin executes. That way we don't have problems with GPL.

> Netgear and linksys are two very profitable organizations who produce
> GPL derived router products and release the source code and development
> kits for their GPL based products.

  Actually we are thinking of using their hardware to port our software
solution. BTW, we have done the same with a Crossbeam X40 system :)

  Regards

-- 
Jaime Nebrera - [EMAIL PROTECTED]
Consultor TI - ENEO Tecnologia SL
Telf.- 95 455 40 62 - 619 04 55 18





Re: [leaf-user] Strange problem, please help

2005-05-30 Thread Jaime Nebrera
  Hi,

> I don't know, but i would assume that you should ask this question on
> the kernel bridge list (You find it under
> http://bridge.sourceforge.net/), the people on this List have deep
> knowledge on the linux networking/driver subsystems.

  Just done that :) I needed to wait for acceptance in the list.

> > 2) Can such a beast sustain 8 ethernet as a single bridge? Bear in
> > mind they dont have gigabit traffic, they just use gigabit ethernets :)
> > Whats the limit for a linux bridge?
>
> see above... But i doubt you can run this under full speed on all
> interfaces (or better the pci-express ones)...

  Sure, I don't expect full speed. Actually, the box is overdimensioned
on the ethernet side. Think more of a 20Mbps margin for WAN to LAN
traffic and some peaks of around 100Mbps for local ethernets.

  Thanks

-- 
Jaime Nebrera - [EMAIL PROTECTED]
Consultor TI - ENEO Tecnologia SL
Telf.- 95 455 40 62 - 619 04 55 18





RE: [leaf-user] Firewall failover

2005-05-27 Thread Jaime Nebrera
  Hi,

> http://svn.netfilter.org/cgi-bin/viewcvs.cgi/trunk/netfilter-ha/
>
> You want ct_sync, or connection tracking synchronization.  I am not sure what
> its status really is, but I think it is in 'testing' or 'works for me'.

  Yep, all of you agreed on this solution. It seems active now, it
would be just a matter of investigating it a bit more.

  Thanks !!

-- 
Jaime Nebrera - [EMAIL PROTECTED]
Consultor TI - ENEO Tecnologia SL
Telf.- 95 455 40 62 - 619 04 55 18





[leaf-user] Realtek NAPI

2005-05-27 Thread Jaime Nebrera
  Hi all,

  We are experimenting with a patched Realtek driver with NAPI support
under 2.4.26
(http://www.uwsg.iu.edu/hypermail/linux/net/0312.0/0002.html) and think
the system now uses this driver but don't know how to verify so. Is there
any way to verify NAPI is being used? Does the driver need some
configuration on loading to activate this?

  Thanks

-- 
Jaime Nebrera - [EMAIL PROTECTED]
Consultor TI - ENEO Tecnologia SL
Telf.- 95 455 40 62 - 619 04 55 18





[leaf-user] Strange problem, please help

2005-05-27 Thread Jaime Nebrera
  Hi all,

  We are experiencing a very strange problem and would like some help.
We have a Leaf based box (actually a Lince box, kernel 2.4.26) running as
a bridge with 8 gigabit ethernets, PIV 3Ghz, 2GB RAM. 4 of them share
the same PCI Express and the other 4 a different PCI bus. We have NAPI
enabled on all ethernets and IRQ moderation enabled (dynamic).

  Some ASCII art before proceeding.

   Router 1          Router 2
      |                  |
      +----- Switch -----+
               |
               |
            Firewall

  Both routers use HSRP from Cisco to share information about who is
alive. This app uses multicast UDP packets to 224.0.0.1 address, port
1985.

  The problem is, after a while (1 or 2 minutes) the CPU reaches 100%
(0.99 load, 99% System) with the process ksoftirqd_CPU0 reaching 99%.
Using iptraf we discover ethernets 4 to 7 (the ones that share the PCI
bus) are at full speed. The traffic is on port 1985 and comes from the 2
virtual IPs of the redundant routers. It seems they enter an infinite
loop and completely kill the system. BTW, the only used ethernets are 0
and 1, both on the PCI-X bus, and eth2 and eth3 seem unaffected (no
traffic). Bear in mind, real traffic on eth0 and eth1 doesn't surpass
1Mbps. Also, no service is provided at this point, not even firewalling.

  The problem appears with and without STP activated and we have
verified there is not a loop in the network.

  If we disable ethernets from 4 to 7 (ip link set ethx down) the
problem seems to disappear, but we are not sure as we didn't want to
disturb the client more time (actually, for 15 minutes the problem didn't
appear, while the other way it appeared in much less than 5 minutes). In
this case, even activating things like a Netflow probe on eth0 doesn't
disturb the system at all.

  The same problem seems to appear with a Via 1Ghz box with 4 Realtek
ethernets and around 4Mbps of traffic (this system was placed under
heavier load, and as the problem appeared, we tested with the big one).
When the problem appeared this box was so slow we could not even make an
ssh session so we don't know if this is the same problem (but bet it is).

  So, some questions:

  1) Is this related to running as a bridge? Would this problem
disappear if we used a pseudo bridge (proxy ARP)?

  2) Can such a beast sustain 8 ethernets as a single bridge? Bear in
mind they don't have gigabit traffic, they just use gigabit ethernets :)
What's the limit for a Linux bridge?

  3) As this traffic is only needed on both routers but doesn't need to
pass through the firewall, will dropping it on eth0 solve the problem?
(That way there is no way the packets enter into other ethernet ports.)
What would happen with other multicast based apps? Would they need to be
dropped too?

  Very thankful in advance. Regards.

-- 
Jaime Nebrera - [EMAIL PROTECTED]
Consultor TI - ENEO Tecnologia SL
Telf.- 95 455 40 62 - 619 04 55 18
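The symptom described in the post above (four bridge ports receiving at full speed, almost all of it multicast, while eth0/eth1 carry under 1 Mbps) can be confirmed from two readings of /proc/net/dev without iptraf. This is an added example, not code from the original post or from Lince; the two snapshots are constructed sample data, and the 50 Mbps / 90% multicast thresholds are assumptions.

```python
"""Spot a multicast flood on bridge ports from two /proc/net/dev snapshots.

/proc/net/dev is the kernel's per-interface counter table. After "iface:" the
receive columns are: bytes packets errs drop fifo frame compressed multicast.
The snapshots below are CONSTRUCTED sample data (not measurements): eth4/eth5
gain 62.5 MB of pure multicast in 5 s, eth0/eth1 gain a few hundred KB.
"""

INTERVAL = 5.0  # seconds between the two constructed snapshots (assumption)

SNAP_T0 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
  eth0: 1200000    4000    0    0    0     0          0        10  900000    3500    0    0    0     0       0          0
  eth1:  800000    3000    0    0    0     0          0         5  700000    2900    0    0    0     0       0          0
  eth4:  100000     900    0    0    0     0          0       900   50000     400    0    0    0     0       0          0
  eth5:  100000     900    0    0    0     0          0       900   50000     400    0    0    0     0       0          0
"""

SNAP_T1 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
  eth0: 1700000    5600    0    0    0     0          0        12 1300000    4900    0    0    0     0       0          0
  eth1: 1100000    4100    0    0    0     0          0         6  950000    3900    0    0    0     0       0          0
  eth4: 62600000 1000900    0    0    0     0          0   1000900   50000     400    0    0    0     0       0          0
  eth5: 62600000 1000900    0    0    0     0          0   1000900   50000     400    0    0    0     0       0          0
"""


def parse_proc_net_dev(text):
    """Return {iface: {rx_bytes, rx_packets, rx_multicast}} from /proc/net/dev text."""
    stats = {}
    for line in text.splitlines():
        if "|" in line or ":" not in line:
            continue  # the two header lines carry '|' and no 'iface:' prefix
        iface, rest = line.split(":", 1)
        fields = rest.split()
        stats[iface.strip()] = {
            "rx_bytes": int(fields[0]),
            "rx_packets": int(fields[1]),
            "rx_multicast": int(fields[7]),
        }
    return stats


def _delta(before, after):
    """Counter difference, correcting for the 32-bit wrap of 2.4-era counters."""
    d = after - before
    return d + 2**32 if d < 0 else d


def receive_rates(t0, t1, interval):
    """Per-interface receive rate (Mbit/s, packets/s) and multicast share."""
    rates = {}
    for iface in t0.keys() & t1.keys():
        d_bytes = _delta(t0[iface]["rx_bytes"], t1[iface]["rx_bytes"])
        d_pkts = _delta(t0[iface]["rx_packets"], t1[iface]["rx_packets"])
        d_mcast = _delta(t0[iface]["rx_multicast"], t1[iface]["rx_multicast"])
        rates[iface] = {
            "rx_mbps": d_bytes * 8 / interval / 1e6,
            "rx_pps": d_pkts / interval,
            "mcast_share": d_mcast / d_pkts if d_pkts else 0.0,
        }
    return rates


def flag_floods(rates, mbps_threshold=50.0, mcast_threshold=0.9):
    """Interfaces that match the post's pattern: near line rate and almost all multicast."""
    return sorted(
        iface for iface, r in rates.items()
        if r["rx_mbps"] >= mbps_threshold and r["mcast_share"] >= mcast_threshold
    )


def main():
    rates = receive_rates(parse_proc_net_dev(SNAP_T0), parse_proc_net_dev(SNAP_T1), INTERVAL)
    for iface in sorted(rates):
        r = rates[iface]
        print(f"{iface}: {r['rx_mbps']:8.2f} Mbit/s {r['rx_pps']:10.0f} pps "
              f"multicast {r['mcast_share']:.0%}")
    print("flooded interfaces:", flag_floods(rates))


if __name__ == "__main__":
    main()
```

On a live box the same functions work on `open("/proc/net/dev").read()` taken twice, INTERVAL seconds apart; the multicast share separates an HSRP-style hello storm from plain bulk traffic.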





[leaf-user] Firewall failover

2005-05-25 Thread Jaime Nebrera
  Hi all,

  We are investigating on firewall failover design. I have searched the
net and found that projects like LVS have it mostly solved for their
side but that netfilter lacks it.

  Of course, a simple failover of the firewall is available using things
like VRRP (KeepAlive software) but without state synchronization, and
that is precisely the part we need to investigate.

  Is this issue solved in netfilter? How? Any ideas? Does it work with
kernel 2.4?

  Bear in mind I'm not talking about ISP redundancy but the firewall
itself, if possible set as an active/active failover solution.

  Thanks in advance. Regards.

-- 
Jaime Nebrera - [EMAIL PROTECTED]
Consultor TI - ENEO Tecnologia SL
Telf.- 95 455 40 62 - 619 04 55 18





[leaf-user] ksoftirqd_CPU0 extreme CPU usage

2005-05-10 Thread Jaime Nebrera
  Hi all,

  We are experiencing severe CPU usage in a Leaf based system. Using top
we see ksoftirqd_CPU0 is using a lot of CPU (around 50%). The CPU as a
whole is at 95%. Any clue what this process is for? Is it possible to
disable it?

  Searching in google I have found there was a bug in the kernel. Do you
know since what version this bug has been solved in the standard kernel?
Also, I have seen it's possible to disable HIL in the kernel as it's a
headless system.

  Please, it's quite urgent. As always, VERY thankful in advance.

  BTW, the box is a Via Eden 1Ghz with 256MB RAM

  Regards






[leaf-user] ksoftirqd_CPU0 extreme CPU usage and latency

2005-05-10 Thread Jaime Nebrera
  Hi all,

  We are experiencing severe CPU usage in a Leaf based system. Using top
we see ksoftirqd_CPU0 is using a lot of CPU (around 50%) while the
system tops almost 95%. Any clue what this process is for? Is it
possible to disable it?

  Searching in google I have found there was a bug in the kernel. Do you
know since what version this bug has been solved in the standard kernel?
Also, I have seen it's possible to disable HIL in the kernel as it's a
headless system.

  Please, it's quite urgent. As always, VERY thankful in advance.

  BTW, the box is a Via Eden 1Ghz with 256MB RAM and Realtek chipsets

  Regards

-- 
Jaime Nebrera - [EMAIL PROTECTED]
Consultor TI - ENEO Tecnologia SL
Telf.- 95 455 40 62 - 619 04 55 18





[leaf-user] Some stupid question (IPSec VPN)

2005-03-11 Thread Jaime Nebrera
  Hi all,

  Just a fast stupid question.

  I want to create a lot (~20) LAN to LAN tunnels using OpenSwan. Do I
need an ipsec device for each one? From memory, default kernel comes
with 4 of such devices, do you need to recompile to get more?

  Also, on this same machine I want to establish a Roadwarrior - LAN
scenario with around 10 users. Again, do I need an ipsec device for each
one?

  Very thankful in advance.

PS.- Yes, I know I should ask in OpenSwan list, but I'm already
subscribed to a lot of lists and don't want to subscribe to a new one
just for one question :)

-- 
Jaime Nebrera - [EMAIL PROTECTED]





[leaf-user] Updated Kernel with IPSec and grsecurity

2004-01-16 Thread Jaime Nebrera Herrera
  Hi all,

  We are trying to compile a more recent kernel (say 2.4.22 or afterwards)
with support for both FreeSWAN AND grsecurity without luck.

  At this moment we are using the stock 2.4.22 kernel with the last 1.99 FreeSwan
available and 1.9.13 grsecurity, but no way, we can't get it to compile using
a gcc 3.2 compiler (Gentoo 1.4 system)

  Anybody has done this? Any clue?

  Thanks in advance. Regards.

-- 
Jaime Nebrera - [EMAIL PROTECTED]





Re: [leaf-user] LEAF on compact flash

2003-10-30 Thread Jaime Nebrera Herrera
  Hi John,

  Does anyone have LEAF images that can be 'dd' onto a CF card? What size
 ones are needed ?

  Lince is just a branch of Bering that makes it easier to install it on 
devices bigger than a floppy. In our case we developed it precisely to run 
on a CF. You just need to install Quagga.

  Just follow the installer and it should install on a CF. We are working on a 
much improved release, based on cramfs and with some updates applied (newer 
kernel and so on). Actually we have it ready, we have just not made it public 
while waiting for the GUI to be ready for real usage (testing it right now).

  As always the core system will be GPL and available on SF, but the GUI will 
be closed source. The core can work without the GUI as always.

  So our next steps regarding Lince will be:

  1) Finish GUI tests (almost done)
  2) Release image and GUI for paying customers
  3) Sell preinstalled Lince (with or without GUI) boxes based on embedded 
systems.
  4) A bit later release the GPL Lince core on SF (you can pay for the GUI later on if 
you want to)
  5) Give VAR members of this list the chance to buy OEM and branded versions 
of the GUI and the box.

  So for those of you that want to be on a completely GPL side, you will always 
have the choice to go to SF and download it. We will give part of our sales 
to the members of the Leaf team to contribute to the development of the GPL 
core (besides contributing code ourselves).

  You can see a screenshot of the GUI here:

http://www.eneotecnologia.com/pantallazolince.png

  You can see pictures of the box here:

http://www.eneotecnologia.com/soho_fotos.html

  Sorry, there is no more information on the website as we are just preparing 
to start this process.

  Regards

-- 
Jaime Nebrera - [EMAIL PROTECTED]





Re: [leaf-user] Safe transparent proxying via DS1.02 and Squid

2003-07-02 Thread Jaime Nebrera Herrera
  Hi again,

 I notified my ISP soon as I realized that my bandwidth is maxed out and
 my private net has nothing to do with it.

  This just confirms my previous post.

 What is physically evident is that, during my tests, my external
 device kept on blinking like mad. Issuing an 'ifconfig' command shows that RX and
 TX packets of the external device kept on incrementing while the internal
 RX/TX isn't moving at all. This shows that unwanted packets are simply
 flowing into the box then back out again (perhaps to the spam
 target/s), without touching my private net.

  Exactly, this also confirms that the webmail system is not affected at all. 
You have an OPEN RELAY proxy. The abuser just asks for a page (incoming traffic 
on your external interface), the proxy accepts and connects to it (outgoing 
traffic on the outside interface). The internal interface is not touched at 
all :)

 Then my ISP forwarded me this:
 [...]

  PLEASE shut down this abusive user.
 
  This user has open proxies running on port 80. The proxycheck program
  clearly shows the open proxy port:
   [EMAIL PROTECTED] pck XXX.XXX.XXX.XXX
   To check: hosts=1, proto:ports=63, host:proto:ports=63
   XXX.XXX.XXX.XXX:hc:80: HTTP request successeful (200)
   XXX.XXX.XXX.XXX hc:80 open
   NumOpen=1(1) NRead=119 Time=23

  Your ISP has detected the open relay proxy :)

 At present I'm scouring the net for info on how to go about with this.
 This is really embarrassing as I had no idea that having an open proxy
 server is a no-no. (http://theproxyconnection.com/openproxy.html)

  Please, understand a reverse proxy is not the same as an open relay proxy. 
A reverse proxy is just a proxy that acts as a web server, listening on port 
80. The difference is it only accepts URLs behind the proxy. An open relay 
proxy is configured exactly the same BUT accepts any URL.

 But it is my requirement to allow EVERYBODY to be able to access
 my web server in the private net.

  A reverse proxy will do this.

 Perhaps some more squid howto is the answer. But further tips on
 tightening a firewall is also very much welcome (TIA).

  Regards.

-- 
Jaime Nebrera - [EMAIL PROTECTED]





Re: [leaf-user] Safe transparent proxying via DS1.02 and Squid

2003-07-02 Thread Jaime Nebrera Herrera
  Hi,

 I needed to perform transparent proxying wherein
 web clients
 from both public and private net can access my
 internal web
 site.

  Why do you need the transparent proxy? Do you need a reverse proxy to speed 
up web access (local cache), do you need load balancing, do you need extra 
protection?

 Now my problem is that, the setup ended getting
 abused
 as it was used to send spam all over. 

  Do you run some kind of webmail? If the problem is spam related, most 
probably your users are using your webmail system to send spam. In that case, 
a proxy won't help you at all. You have to educate your users, impose some 
restrictions (like the number of emails a day a user can send) or improve your 
user selection. Still, nothing to do with the proxy.

  But I believe most probably you have been banned because of an open proxy. 
In this case, your proxy does its work even with URLs that you don't control 
and this is bad. You have to configure the proxy to allow requests only for 
those domains you control and that are BEHIND the reverse proxy.

 My IP got black listed on some sites and so on. An exact explanation of
 what happened is found here:
 http://www.fr2.cyberabuse.org/?page=abuse-proxy

  Reading this page clarifies ALL. Now my guess was right. You have not been 
banned because of spam but because you have an OPEN RELAY proxy. Configure it 
properly.

  For local users I don't recall right now if SQUID allows for different 
behaviour on different interfaces. If yes, configure it properly; if not, try 
to run two instances of squid or use a different box.

 My question now is, how do I get this requirement properly
 set? I needed to do transparent proxying at port 80
 and at the same time, avoid getting abused. Any hints on
 proper firewalling techniques, etc, on this matter is greatly
 appreciated.

  If you need further professional assistance with this part we can help you. 
Just email me privately.

  Regards

-- 
Jaime Nebrera - [EMAIL PROTECTED]





Re: [leaf-user] Safe transparent proxying via DS1.02 and Squid

2003-07-02 Thread Jaime Nebrera Herrera
  Hi again,

  Why do you need the transparent proxy? Do you need a 
  reverse proxy to speed up web access (local cache), do 
  you need load balancing, do you need extra protection?

 Yes, I'm using it as a reverse proxy.

  Yes, but why? There are better solutions depending on what you want to 
achieve.

-- 
Jaime Nebrera - [EMAIL PROTECTED]





[leaf-user] Windows VPN newbie

2003-06-20 Thread Jaime Nebrera Herrera
  Hi all,

  I want to establish a net to net VPN using Bering as a gateway. On both ends 
there will be windows machines :(

  They want to see both nets as a whole, with all computers (remember windows) 
showing in the explorer, so they can access a shared hard disk from both 
sites.

  I want to do this the easiest and cheapest way. Options I am considering:

  1) If possible use only one PC on each end. I don't know if they have a WNT 
or W2000 server that could act as a WINS server, but adding a linux (or a 
couple of them) just for WINS is not desirable unless there is no other way 
(higher price and complexity).

  2) How bad is it for security adding WINS (samba) in the gateway?

  3) Even better, is it really necessary to have a WINS service? I know that for 
IP services (http, ftp) there is no need for it, but the user just wants to 
see the whole as if there was no separation in the middle :)

  4) Which option is better, PPTP or FreeSWAN? Remember, both in the 
gateway/firewall. Do I need WINS if I use PPTP?

  I know these are very basic questions, is there any good online documentation 
about these topics?

  Very thankful in advance. Regards.

-- 
Jaime Nebrera - [EMAIL PROTECTED]





Re: [leaf-user] System for 500 users and 20MB download

2003-02-05 Thread Jaime Nebrera Herrera
  Hi,

 You don't say what this router is going to do.

  OK, more detailed this time. I don't have the exact specifications but will 
try to explain it the best I can.

  First of all, I have very little information yet. A friend of ours that is helping 
organize a local Computer Party asked us if we wanted to cooperate by 
placing a Lince system in it. They are just designing the infrastructure and 
for us being in such a party would mean a lot of publicity and a real hard 
test for our little system.

  This system will manage the Internet access of around 500 users and servers 
in a Computer Party. Other servers will provide the needed services (FTP, 
DHCP, Quake,...) This system just needs to be the last frontier.

  This system has 3 Realtek ethernet interfaces. One will go to the WAN link 
(20MB) and the other two I don't know yet. The servers won't provide access 
from the Internet, so I don't know if they will need a DMZ.

  The system will do firewalling to the outside and HTB (or CBQ if too hard for 
the CPU) based QoS. All the inside computers will have a real public IP so NAT 
won't be needed. Just that.

  Inside we will have very expensive and intelligent equipment from Cisco 
(don't know the models yet). I guess all internal 100MB traffic will be 
managed by them. So the LEAF system only needs to manage the internet 
bandwidth.

  A little ASCII art :)

   INTERNET
 |
 | 20 MB
 |
 LEAF
 |   |
  DMZ---   | 100 MB
 |
 |
  Cisco (s)
  | | | | | | | | |
  | | | | | | | | |
   100 MB
   Internal servers and clients


 Do you want 500 users to have simultaneous Internet access? 

  Yes

 With Nat? 

  No

 DCHP?

  No

 With two cards, 2 Lans?

  The board has 3 ethernets, but I don't know the exact configuration yet (with 
DMZ or two internal). I guess that placing both as internal will force the 
system to manage a 100MB stream and this will surely blow it to pieces. So 
either DMZ or just leave the third interface unused.

 On a single T1?

  It will be a single connection, don't know the type yet.

 Are you going to chain together 50 to 100 hubs?

  I guess they are going to chain together SWITCHES and use real Cisco 
routers.

 A Via 533 is not going to service 100MBS total bandwidth.

  I saw that. That is why the system is just on the border to manage only 
20MB. All internal traffic will be managed by dedicated equipment from Cisco.

 And this sounds like downtown collision city.

  All the infrastructure will be switched.

  We have other options. We could use the same system but with 2x Intel 
Ethernet 10/100 and 1x Intel 10/100/1000, we could use one with 512 MB RAM or 
we could upgrade the CPU to a VIA C3 800. I just want to know if the other box 
will be enough.

  Thanks in advance. Regards.

-- 
Jaime Nebrera - [EMAIL PROTECTED]






Re: [leaf-user] Future development

2003-01-21 Thread Jaime Nebrera Herrera
  Hi,

 I've come to the conclusion that LEAF will most likely come very close.
 Still:

 - Are there any plans on porting LEAF to the 2.4 series of kernels and most
 importantly, are there any plans on replacing ipchains with iptables?

  Done, Bering is the 2.4 kernel branch of LEAF

-- 
Jaime Nebrera Herrera
[EMAIL PROTECTED]





[leaf-user] WISP and Atmel AT76C503A

2002-12-13 Thread Jaime Nebrera Herrera
  Hi all,

  A quick and easy question, does WISP support Atmel AT76C503A based USB 
wireless devices?

  We are preparing an offer based on that board. If it's not directly 
supported but could be integrated (the tools and code are there), and if the 
offer is approved, we could donate or pay for such a feature.

  Thanks in advance. Regards.

-- 
Jaime Nebrera Herrera
[EMAIL PROTECTED]





Re: [leaf-user] easy traffic shaping?

2002-12-03 Thread Jaime Nebrera Herrera
  Hi Bryan,

  Lince will do this quite easily (with htbinit). The problem is JJ, the main 
(and only) developer, has the flu and didn't get to update it from Bering 
1.0 stable. I guess this week Lince 1.0 Stable will be in the download area :)

 Finally upgraded my old Eiger box to Bering.  I wanted to try some
 traffic shaping, but I'm a bit intimidated by tc.lrp and all the
 shorewall stuff surrounding it.  Basically all I want to do is limit my
 web traffic so that it cannot use more than 3/4 of my bandwidth.  Anyone
 know an easy way to work this or have simple examples?

 Shapecfg seems to have gone the way of the VMS bird.  Gack, I'm dating
 myself here, aren't I?

-- 
Jaime Nebrera Herrera
[EMAIL PROTECTED]





Re: [leaf-user] QMail email gateway

2002-11-20 Thread Jaime Nebrera Herrera
  Hi there:

 smtp without disk?

  Yep

 hum ... what if your LEAF dies when the queue is not empty??
 you end up loosing mail!

  Not really. OK, I will try to explain myself. I'm not talking about a real 
smtp server but an SMTP proxy. The proxy listens on port 25 for a connection 
and passes it to an internal real SMTP server WITHOUT acknowledging the origin 
server. When the inside server receives the email, and says everything is OK, 
the proxy tells the origin server that it was OK.

  So if during the process the power goes down, as you have not acknowledged 
the message yet, the origin server has not deleted it from its HD and will try 
again.

  We have tested it and promise it works wonders. Actually it was quite hard 
to find the solution as only 1 piece of software really acted as a proxy.

  The beauty is, you can process the email in the proxy and scan it for 
viruses or antirelay or in the future antispam.

  Please, just be calm, we are in the middle of a big project for our company 
and we haven't found time to upload the iso now that we have our CVS ready 
(that was just a few days ago). Also we are considering releasing just with 
stable 1.0 instead of 1.0rc3 with some bugfixes that we are using. It's just 
that we are very high on the todo list.

 I believe there are 2 answers to the problem:
 without disk:
 * you should be able to add a  DNAT line in Shorewall to forward all
 traffic from the Internet to
 the FW:25 to your Mail server:25 inside the firewall ...  and configure
 NATing to allow your Mailserver
 to send mail out ( or to your ISP mail relay)

  Of course this solution is viable, but doesn't allow for processing in the 
firewall. Let's say you have an inside E2000 server (ugghhh) and want to 
protect it from relaying email or viruses, now you have this choice.

 with disk:
 * you can mount /dev/hdaX /var/qmail/queue in /etc/init.d/qmail start ( and
 umount it in stop )
 to keep your queue on disk.
 The trick is to modify the /var/lib/lrp/qmail.list and qmail.exclude.list
 in qmail.list replace var/qmail/queue/lock by  var/qmail/queue (you need to
 create the mount point )
 and add var/qmail/queue/* in exclude.list
 when performing the installation the first time, you'll have to get all the
 files  [ the one created dynamically
 and the lock directory ] from /var/qmail/queue to the Hard Disk

  Surely this is another option, but most of the time if the traffic 
is moderate you will be able to get by with our solution without moving parts 
:)

  Regards.

-- 
Jaime Nebrera Herrera
[EMAIL PROTECTED]
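The deferred-acknowledgement behaviour described in this post, as an added Python model (not emailrelay's code and not part of the original mail): the diskless proxy keeps no queue of its own, relays each SMTP command to the inside server, hands the origin server exactly the reply the inside server gave, and answers with a 4xx temporary failure if the inside server dies before it has stored the message, so the origin server keeps the message and retries. Server names, addresses and the sample message are constructed.

```python
"""Model of a cut-through (queue-less) SMTP proxy on a firewall.

The proxy never says "250" on its own: the origin server is acknowledged
only with the reply the inside SMTP server produced after the final ".".
Hypothetical demonstration code, not emailrelay.
"""
from typing import List, Optional, Tuple


class InsideServer:
    """Constructed stand-in for the real SMTP server behind the firewall."""

    def __init__(self, crash_before_store: bool = False) -> None:
        self.crash_before_store = crash_before_store   # simulate power loss
        self.in_data = False
        self.body: List[str] = []
        self.stored: List[str] = []      # messages safely on the inside disk
        self.dead = False

    def send(self, line: str) -> Optional[str]:
        """Reply to one line from the proxy.

        Returns None for body lines (SMTP gives no per-line reply) and
        raises ConnectionError once the server has gone away.
        """
        if self.dead:
            raise ConnectionError("inside server went away")
        if self.in_data:
            if line != ".":
                self.body.append(line)
                return None
            self.in_data = False
            if self.crash_before_store:
                # Power goes down before the message reaches the disk.
                self.dead = True
                raise ConnectionError("inside server went away")
            self.stored.append("\n".join(self.body))
            self.body = []
            return "250 2.0.0 OK: queued"
        verb = line.split(" ", 1)[0].upper()
        if verb == "DATA":
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        if verb in ("HELO", "EHLO", "MAIL", "RCPT", "RSET", "NOOP"):
            return "250 2.0.0 OK"
        return "500 5.5.1 Command unrecognized"


class SmtpProxy:
    """Diskless proxy on the firewall: forwards, never stores."""

    def __init__(self, inside: InsideServer) -> None:
        self.inside = inside

    def handle(self, line: str) -> Optional[str]:
        """Relay one line from the origin server and return the inside
        server's reply verbatim.  If the inside server is gone, answer with
        a 4xx temporary failure so the origin server keeps the message."""
        try:
            return self.inside.send(line)
        except ConnectionError:
            return "451 4.3.0 Requested action aborted: try again later"


def deliver(message: List[str], proxy: SmtpProxy) -> Tuple[bool, List[Tuple[str, str]]]:
    """Origin server side: one SMTP session through the proxy.

    Returns (delivered, transcript).  'delivered' is True only when the
    final "." was answered with 250, i.e. only then may the origin server
    remove the message from its own queue.
    """
    session = ["HELO origin.example", "MAIL FROM:<alice@origin.example>",
               "RCPT TO:<bob@inside.example>", "DATA"] + message + [".", "QUIT"]
    transcript: List[Tuple[str, str]] = []
    delivered = False
    for line in session:
        reply = proxy.handle(line)
        if reply is not None:
            transcript.append((line, reply))
        if line == ".":
            delivered = reply is not None and reply.startswith("250")
            if not delivered:
                break          # message stays queued at the origin; retry later
        elif reply is not None and not reply.startswith(("2", "3")):
            break              # permanent or temporary error before DATA
    return delivered, transcript


if __name__ == "__main__":
    msg = ["Subject: test", "", "hello"]           # constructed sample message
    crashed = InsideServer(crash_before_store=True)
    ok, log = deliver(msg, SmtpProxy(crashed))
    print("first attempt delivered:", ok, "stored inside:", crashed.stored)
    healthy = InsideServer()
    ok, log = deliver(msg, SmtpProxy(healthy))
    print("retry delivered:", ok, "stored inside:", len(healthy.stored))
```

The first attempt ends with a 451 instead of a 250, so nothing is lost even though the proxy kept no copy; the retry against a healthy inside server completes normally.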





Re: [leaf-user] QMail email gateway

2002-11-20 Thread Jaime Nebrera Herrera
  Hi Brad,

 Jamie,

  Well, if I recall right, Jamie is a girl's name and Jaime is a guy's name 
:) Don't worry, I spent a whole year in California trying to explain the 
difference :P

 Can you tell us what SMTP proxy you used?  A URL would be
 excellent.  Thank you.

  OK, I will spoil the surprise, it's emailrelay 
(http://emailrelay.sourceforge.net) but PLEASE don't jump into it and try to 
implement it by yourselves as we have already done so, just give us some days 
to prepare the iso and upload it.

  Regards

-- 
Jaime Nebrera Herrera
[EMAIL PROTECTED]





Re: [leaf-user] QMail email gateway

2002-11-19 Thread Jaime Nebrera Herrera
  Hi,

 I would like to use the qmail.lrp package for Bering in a firewall/gateway
 capacity only to shuffle mail from my internal mail server out and deliver
 external mail to the mail server.  I was wondering if the current package
 as-is is sufficient and what configuration changes might be needed?  Any
 help or point in the right direction would be appreciated.

  Or you could just wait a bit until Lince is released. We have found a great 
alternative for smtp without needing a hard disk, if you have a real smtp 
server inside (your own) and outside (your isp).

  Mike has just created our cvs area so we will upload the iso in just a few 
days as soon as we get ourselves used to the sourceforge way of doing things.

  Regards.

-- 
Jaime Nebrera Herrera
[EMAIL PROTECTED]





Re: [leaf-user] Leaf LINCE

2002-11-16 Thread Jaime Nebrera Herrera
  Hi,

 Great! The WP'ed SST dom would also be a great option (or CD-ROM).
 I'll love to check it out!

  Yes, could you give me the link for that DOM?

 Out of curiosity, do you really feel the http/smtp/pop proxy should
 be on the firewall? I understand many people would love this option,
 but to many people (especially for enterprise installations) this would
 seem to be akin to sending invitations to hackers by filtering on the
 firewall.

  Yes indeed. We put all those components on the Compact Flash or Hard Disk, 
then it is your choice what you want / need to activate but all will be ready to 
go. In a small company you might end up activating all of them, in an 
enterprise level company you might end up not activating any extra because 
you already have them on other / better hardware. 

  Say the http load balancer. If you need such a feature you surely won't 
activate anything but that, getting a cheap HTTP Alteon equivalent, but if 
you are a big company with lots of bucks you would already have an Alteon or 
Cisco or whatever.

  I don't think Linux (Leaf) can compete with such hardware, but they lack the 
flexibility. So we give you the Swiss army knife firewall :) You have 
plenty of features on it, and you decide which ones to use.

 I'm sure many of us would contribute when and if we have the time!

  I know, it's just we had a very sad experience with our LUG. Leaf is already 
a quite active development community.

Things we are planning to add in the near future:
 
1) Bridge functionality. Yes, this is done with Bering but we have
  never done it, need to learn how to do it.
2) Proxy ARP - the same

 There are many of us using both of these options. The proxy-arp is
 easy to test if you don't mind opening the server to the internet less
 securely IMHO. The bridge option simply uses the box as a hub. It
 can be used to tie together tp-10/100, bnc, fiber, etc..., however
 tp-to-tp testing would be adequate.

3) HTTP load balancer.- We are just waiting for somebody to pay us
  to do this :)
4) SNORT, inline SNORT, high availability (heartbeat), 

 David D/Oxygen has a snort package available, though I have
 not used it personally.

  We have a volunteer that is working on this side. We might end up with a 
snort sensor or as another option with hogwash to make an inline IDS capable 
of dropping packets based on IDS signatures (only way to protect an 
exploitable server).

 Many of us are doing this, in various degrees. Best of luck to
 succeeding in your project, I hope to someday do the same
 successfully!

  Yes I know, it's the beauty of OS. We all try to compete in the same business 
but at the same time need to collaborate :) Here in Spain Barahona, one of the 
OS evangelists, gives a little talk just on that and it is really incredible. 
Also, it is quite easier to get real knowledge because you end up knowing how 
the guts of it go.

  Regards

-- 
Jaime Nebrera Herrera
[EMAIL PROTECTED]





Re: [leaf-user] Leaf LINCE

2002-11-15 Thread Jaime Nebrera Herrera
  Hi Sebastiano,

 am I wrong or somebody recently wrote about a future Leaf branch called
 LINCE?
 Can anybody give more details?
 I'm so curious

  I'm the Project Manager of the LINCE release. We are just waiting to solve a 
couple of problems with our CVS area to upload the iso image.

  LINCE is just a Bering distribution on steroids oriented to a Compact Flash 
(or Hard Disk) system. Bering is just wonderful but it lacks some features a 
professional firewall might need. BTW, it is based on glibc 2.2.

  For example we have done already:

  1) Easy installation of Bering or LINCE from a CD installer (it's provided 
as an iso image). All Bering packages in a convenient place (the iso). 
  2) Most popular ethernet adapters loaded by default
  3) HTB QoS through htbinit
  4) SQUID 2.4Stable6 configured to run in memory
  5) SMTP Proxy for Antivirus (FPROT done), antirelay or antispam (this one 
not done yet)
  6) POP3 transparent proxy for antivirus (FPROT)
  7) Web content filter (IP, URL, words, MIME, PICS)
  8) IPSec with FreeSWAN

  We don't know if all this will be released at the first moment, or just in 
future releases (first we need to try to sell them to other people :))) but 
they will come, especially if this community helps us getting some of that 
functionality done.

  All this is already there (except IPSec, which we are working on now) and runs without 
the need for a hard disk. The project idea is to make a professional firewall 
with open software. All these features are not activated by default (don't 
activate anything you don't need) but they are installed on the Compact Flash 
for rapid deployment.

  Things we are planning to add in the near future:

  1) Bridge functionality. Yes, this is done with Bering but we have never 
done it, need to learn how to do it.
  2) Proxy ARP - the same
  3) HTTP load balancer.- We are just waiting for somebody to pay us to do 
this :)
  4) SNORT, inline SNORT, high availability (heartbeat), 

  I think it's just a great project, so keep in touch !! If you want to see 
more details of the project in Spanish you can go to:

http://www.eneotecnologia.com/proyectos_lince.html

  We plan to live from improving this platform (somebody will pay us to add 
some functionality), giving support, selling preassembled systems (you can 
see great pictures of the box at 
http://www.eneotecnologia.com/soho_fotos.html) and so on, well you get the 
point.

  That's all folks ! :) Regards.

BTW, we have to update to 1.0stable. Great job guys :) We were just using rc3 
with bugs solved.

-- 
Jaime Nebrera Herrera
[EMAIL PROTECTED]





Re: [leaf-user] Leaf LINCE

2002-11-15 Thread Jaime Nebrera Herrera
  Hi,

  After reading this, I'm a bit confused.  Is it a commercial or opensource
 product?

  It's a commercial quality opensourced project. That is, we want to mimic the 
best functionality around but keep it as opensource as possible. Of course, 
some parts of it are closed source, the antivirus, but the hook to the 
antivirus engine is opensource.

  The difference is we plan to provide support and sell it already installed 
on great hardware. Also, we plan to make custom developments, say you want 
us to add HTTP load balancing with session control. We need to devote 
company resources to such a task and will charge you for that, but then 
provide it for free to the community.

  Of course, not everything is money. As part of our contribution to the great Leaf 
project we will provide quite a bit of functionality already in the first 
image. We have made an easy Bering (or Lince) installer, we have added 
htbinit for QoS, we provide those lurky modifications you need to install it 
right away on a hard disk, and so on. As we hope this will catch some 
attention on this list, and as new features are developed by the community we 
will release more code ourselves.

  Also, if our business model succeeds, we plan to donate money and 
resources to this great community. Say hosting space, hardware, $$$, 
whatever. This way we will just thank in a clear way those efforts done in 
Leaf.

  If you know coyotelinux, this is more or less the same stuff but with a big 
difference, we won't restrict the downloading. Once a feature has been 
developed and paid for (say in money, say in other functionality) we will 
release more code into the public sourceforge area. FE, we might be 
interested in zebra integration. We could do it ourselves, or somebody could 
provide it (I don't care if that coder is getting paid or not for his job). 
In exchange we will release a new feature, and so on.

  So if the community really involves itself in developing and testing we 
will provide much more code than if they just wait and wait. We have already 
devoted a 3 month period of coding from my partner and friend. He has 
implemented all the points I said in a prior email, we are just eager to make 
them public as this project evolves, but don't expect us to make ALL public 
the first time. We had such an experience with our local LUG and it was really 
frustrating to see a 0 code contribution when you gave them quite a bit of 
resources.

  Thanks in advance.

-- 
Jaime Nebrera Herrera
[EMAIL PROTECTED]





Re: [leaf-user] bandwidth management.

2002-11-11 Thread Jaime Nebrera Herrera
  Hi,

 Has anyone used htbinit.lrp? I've downloaded and it gives a script error
 when executed. Google search gave me a Chinese/Korean site that had this.

  We expect to upload a new Leaf branch called LINCE with htbinit support and 
easy installation in HD or Compact Flash very soon.

 I'm looking at setting up a LEAF Bering box as a bridge between my LAN and
 my existing CISCO PIX VPN/FW router. I want to use LEAF as a bandwidth
 manager alone. Reason for bridge is ease of plugging in and out this box in
 case something does not work too well during trials without reconfiguring
 the network.

  Well if you could provide us with the details of how you make it work, it would 
be great !!!

-- 
Jaime Nebrera Herrera
[EMAIL PROTECTED]





[leaf-user] Sharing Internet access privately

2002-11-10 Thread Jaime Nebrera Herrera
  Hi all,

  We are planning to use LEAF Bering to provide shared Internet access to a 
whole home area. The Internet access will be provided by a 4Mb radio frequency 
access to SKN. Internally, all the users will use wireless devices to access 
a wireless bridge, then the firewall, then the Internet. All users will have a 
public IP, all in the same IP range.

  OK, this is quite easy to set up, and it's already done (with QoS too). The 
problem comes when we want to do it in a more private way. I don't know yet 
how the wireless access point behaves as we have been contracted just for the 
firewall side, but if we can, we would like to protect users from each other 
even if that device does it too. The main reason is we don't know yet if the 
wireless device is capable of routing a packet from one user to the other user 
or it has to go through the firewall.

  In the second case it is quite easy, as we would just set up the corresponding 
firewall rules to separate the different users. The problem comes if this 
device has more intelligence and tries to send the packet by itself.

  It is more or less the same situation cable providers have, but in wireless. We 
have tried to assign a 255.255.255.255 netmask but it doesn't work (funny, with 
ppp it does work).

  Any ideas? Please remember to use the fewest IPs possible as we have to 
pay for them :( The first choice was to provide by DHCP pairs of IPs that with 
the correct mask make a 2 computer network, but this uses a lot of IPs and 
forces us to set up the firewall with a lot of virtual IPs on the internal 
interface. Any other idea?

  Thanks in advance.

-- 
Jaime Nebrera Herrera
[EMAIL PROTECTED]

