[leaf-user] Re: Using LEAF with a cable modem

2005-08-24 Thread John Desmond
kwon wrote:

 On 6/17/2005 23:54, John Desmond wrote:

 Thanks, everybody, for your advice. I got a nice note
 from roadrunner support, too. I'm going to go get
 cable tonight!
 John

 --- Kory Krofft [EMAIL PROTECTED] wrote:

 John,

 It should work fine with all of them. Just be sure
 to ask for an ethernet style modem not USB.
 I have been using LEAF with RoadRunner for 5 years
 with no problems.

 Kory Krofft

 Can you please post the differences in setting up your cable modem vs.
 DSL? Especially settings for ppp and pppoe?
 Thanks!
 Kwon

Kwon-
I stepped up my Bering uClibC from version 1.2 to
2.2.3 but essentially just needed to drop ppp and
pppoe from the load list, add dhcpcd.lrp, and make the
appropriate changes in the network interfaces file in
lrcfg (use option 1.3 instead of 1.1) Dnsmasq was new,
too... had been using dnscache.
Just pulled out the old installation manual and
stepped through it and it ran pretty much out of the
box. The only odd thing to look out for with that
version is that log.lrp is on the default image but
not in the default load list. Don't know if that was
intentional or something I mangled, but the weblet
sure isn't too happy with it!
-John




leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/


Re: [leaf-user] Using LEAF with a cable modem

2005-06-17 Thread John Desmond
Thanks, everybody, for your advice. I got a nice note
from roadrunner support, too. I'm going to go get
cable tonight!
John

--- Kory Krofft [EMAIL PROTECTED] wrote:

 John,
 
 It should work fine with all of them. Just be sure
 to ask for an 
 ethernet style modem not USB.
 I have been using LEAF with RoadRunner for 5 years
 with no problems.
 
 Kory Krofft
 




[leaf-user] Using LEAF with a cable modem

2005-06-16 Thread John Desmond
I've been using LEAF for several years on a DSL line
to Verizon in the Washington, DC area. I've retired
and moved to Plant City, Florida (near Tampa) and I'm
too far from the CO to get DSL. Cable looks like the
way to go. Four ISPs are available through the Bright
House cable provider: RoadRunner, EarthLink, Internet
Junction, and AOL. Has anyone had any experience in
getting LEAF to work with any of these cable broadband
providers?
-John





Re: [leaf-user] Netfilter logs have bad dates in them (apologies to Shorewall)

2004-07-28 Thread John Desmond
I figured out the same thing after finding a routine
for changing EST to UTC. The same odd dates show up in
logs all over the net as well as some that others have
posted to leaf-user, so I thought perhaps this is a
well-known thing.
Empty dates seem to translate to 1/1/70 00:00:00 UTC
and then get further translated to one's own TZ and
then into the logs they go.
-John

--- Erich Titl [EMAIL PROTECTED] wrote:
 Dec 31 19:00:00 for the date for REJECTS in the all2all chain.
 
 The puzzling thing is the time stamp, 5 hours off the 1st of January
 (probably UTC), somehow it looks like an empty date field converted
 somehow to east coast time
 
 A guess would be to ask around in the netfilter team.
 
 Erich




leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html


Re: [leaf-user] Netfilter logs have bad dates in them (apologies to Shorewall)

2004-07-28 Thread John Desmond

--- Erich Titl [EMAIL PROTECTED] wrote:

 John
 
 At 17:05 28.07.2004, John Desmond wrote:
 I figured out the same thing after finding a routine
 for changing EST to UTC. The same odd dates show up in
 logs all over the net as well as some that others have
 posted to leaf-user, so I thought perhaps this is a
 well-known thing.
 Empty dates seem to translate to 1/1/70 00:00:00 UTC
 and then get further translated to one's own TZ and
 then into the logs they go.
 
 Have you been able to pinpoint the problem, are
 these odd dates always related to iptables?
 cheers
 Erich

All log entries with bad dates are from iptables.
The following set from shorewall.log I got by issuing
the command cat /var/log/shorewall.log |grep REJECT.
They include all the lines that have bad dates. It
also includes some with good dates. The bad ones have
no MACs. The good ones do. That's the only difference
I can see. I've sent an inquiry to the netfilter mail
list.
-John
== 8 
Dec 31 19:00:00 firewall Shorewall:all2all:REJECT: IN=
OUT=eth1 MAC= SRC=192.168.1.254 DST=192.168.1.185
LEN=331 TOS=00 PREC=0x00 TTL=64 ID=39369 CE DF
PROTO=UDP SPT=67 DPT=68 LEN=311
Dec 31 19:00:00 firewall Shorewall:all2all:REJECT: IN=
OUT=eth1 MAC= SRC=192.168.1.254 DST=192.168.1.185
LEN=331 TOS=00 PREC=0x00 TTL=64 ID=61980 CE DF
PROTO=UDP SPT=67 DPT=68 LEN=311
Jul 28 15:11:29 firewall Shorewall:all2all:REJECT:
IN=eth1 OUT=
MAC=00:60:08:08:78:81:00:50:da:60:19:20:08:00 
SRC=192.168.1.167 DST=192.168.1.254 LEN=84 TOS=00
PREC=0x00 TTL=64 ID=33058 CE PROTO=ICMP TYPE=0 CODE=0
ID=47691 SEQ=0
Dec 31 19:00:00 firewall Shorewall:all2all:REJECT: IN=
OUT=eth1 MAC= SRC=192.168.1.254 DST=192.168.1.167
LEN=112 TOS=00 PREC=0x00 TTL=255 ID=64632 CE
PROTO=ICMP TYPE=3 CODE=1
Jul 28 15:11:30 firewall Shorewall:all2all:REJECT:
IN=eth1 OUT=
MAC=00:60:08:08:78:81:00:50:da:60:19:20:08:00 
SRC=192.168.1.167 DST=192.168.1.254 LEN=84 TOS=00
PREC=0x00 TTL=64 ID=33059 CE PROTO=ICMP TYPE=0 CODE=0
ID=47691 SEQ=256
Dec 31 19:00:00 firewall Shorewall:all2all:REJECT: IN=
OUT=eth1 MAC= SRC=192.168.1.254 DST=192.168.1.167
LEN=112 TOS=00 PREC=0x00 TTL=255 ID=41846 CE
PROTO=ICMP TYPE=3 CODE=1
Jul 28 15:11:31 firewall Shorewall:all2all:REJECT:
IN=eth1 OUT=
MAC=00:60:08:08:78:81:00:50:da:60:19:20:08:00 
SRC=192.168.1.167 DST=192.168.1.254 LEN=84 TOS=00
PREC=0x00 TTL=64 ID=33060 CE PROTO=ICMP TYPE=0 CODE=0
ID=47691 SEQ=512
Dec 31 19:00:00 firewall Shorewall:all2all:REJECT: IN=
OUT=eth1 MAC= SRC=192.168.1.254 DST=192.168.1.167
LEN=112 TOS=00 PREC=0x00 TTL=255 ID=50951 CE
PROTO=ICMP TYPE=3 CODE=1
Jul 28 15:11:32 firewall Shorewall:all2all:REJECT:
IN=eth1 OUT=
MAC=00:60:08:08:78:81:00:50:da:60:19:20:08:00 
SRC=192.168.1.167 DST=192.168.1.254 LEN=84 TOS=00
PREC=0x00 TTL=64 ID=33061 CE PROTO=ICMP TYPE=0 CODE=0
ID=47691 SEQ=768
Dec 31 19:00:00 firewall Shorewall:all2all:REJECT: IN=
OUT=eth1 MAC= SRC=192.168.1.254 DST=192.168.1.167
LEN=112 TOS=00 PREC=0x00 TTL=255 ID=17950 PROTO=ICMP
TYPE=3 CODE=1
Jul 28 15:11:33 firewall Shorewall:all2all:REJECT:
IN=eth1 OUT=
MAC=00:60:08:08:78:81:00:50:da:60:19:20:08:00 
SRC=192.168.1.167 DST=192.168.1.254 LEN=84 TOS=00
PREC=0x00 TTL=64 ID=33062 CE PROTO=ICMP TYPE=0 CODE=0
ID=47691 SEQ=1024
Dec 31 19:00:00 firewall Shorewall:all2all:REJECT: IN=
OUT=eth1 MAC= SRC=192.168.1.254 DST=192.168.1.167
LEN=112 TOS=00 PREC=0x00 TTL=255 ID=27414 PROTO=ICMP
TYPE=3 CODE=1
Jul 28 15:11:34 firewall Shorewall:all2all:REJECT:
IN=eth1 OUT=
MAC=00:60:08:08:78:81:00:50:da:60:19:20:08:00 
SRC=192.168.1.167 DST=192.168.1.254 LEN=84 TOS=00
PREC=0x00 TTL=64 ID=33063 CE PROTO=ICMP TYPE=0 CODE=0
ID=47691 SEQ=1280
Dec 31 19:00:00 firewall Shorewall:all2all:REJECT: IN=
OUT=eth1 MAC= SRC=192.168.1.254 DST=192.168.1.167
LEN=112 TOS=00 PREC=0x00 TTL=255 ID=59951 CE
PROTO=ICMP TYPE=3 CODE=1
Jul 28 15:11:35 firewall Shorewall:all2all:REJECT:
IN=eth1 OUT=
MAC=00:60:08:08:78:81:00:50:da:60:19:20:08:00 
SRC=192.168.1.167 DST=192.168.1.254 LEN=84 TOS=00
PREC=0x00 TTL=64 ID=33064 CE PROTO=ICMP TYPE=0 CODE=0
ID=47691 SEQ=1536
Dec 31 19:00:00 firewall Shorewall:all2all:REJECT: IN=
OUT=eth1 MAC= SRC=192.168.1.254 DST=192.168.1.167
LEN=112 TOS=00 PREC=0x00 TTL=255 ID=46897 CE
PROTO=ICMP TYPE=3 CODE=1
Dec 31 19:00:00 firewall Shorewall:all2all:REJECT: IN=
OUT=eth1 MAC= SRC=192.168.1.254 DST=192.168.1.185
LEN=331 TOS=00 PREC=0x00 TTL=64 ID=17791 DF PROTO=UDP
SPT=67 DPT=68 LEN=311
Dec 31 19:00:00 firewall Shorewall:all2all:REJECT: IN=
OUT=eth1 MAC= SRC=192.168.1.254 DST=192.168.1.185
LEN=331 TOS=00 PREC=0x00 TTL=64 ID=12037 DF PROTO=UDP
SPT=67 DPT=68 LEN=311
=
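The pattern discussed in this thread, checked mechanically; this is an added example, not part of any poster's message. It rejoins the mail-wrapped entries, flags every entry whose stamp equals Unix time 0 rendered at a fixed UTC offset, and records whether IN= and MAC= are empty. The -5 hour offset is taken from the thread (Dec 31 19:00:00 is five hours before Jan 1 00:00:00 UTC); the function names are hypothetical.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()
STAMP_RE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")

# Three entries copied from the excerpts posted in this thread, still wrapped
# the way the mail client wrapped them.
SAMPLE_LOG = """\
Dec 31 19:00:00 firewall Shorewall:all2all:REJECT: IN=
OUT=eth1 MAC= SRC=192.168.1.254 DST=192.168.1.185
LEN=331 TOS=00 PREC=0x00 TTL=64 ID=39369 CE DF
PROTO=UDP SPT=67 DPT=68 LEN=311
Jul 28 15:11:29 firewall Shorewall:all2all:REJECT:
IN=eth1 OUT=
MAC=00:60:08:08:78:81:00:50:da:60:19:20:08:00
SRC=192.168.1.167 DST=192.168.1.254 LEN=84 TOS=00
PREC=0x00 TTL=64 ID=33058 CE PROTO=ICMP TYPE=0 CODE=0
ID=47691 SEQ=0
Jul 27 11:50:56 firewall Shorewall:net2all:DROP:
IN=ppp0 OUT= MAC= SRC=219.150.118.21 DST=138.88.147.32
LEN=1147 TOS=00 PREC=0x00 TTL=107 ID=60031 CE
PROTO=UDP SPT=15008 DPT=1026 LEN=1127
"""


def unwrap(text):
    """Rejoin wrapped entries: a line without a syslog stamp continues the previous one."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if STAMP_RE.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries


def epoch_stamp(utc_offset_hours):
    """Syslog-style rendering of Unix time 0 in a fixed-offset timezone."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    t = datetime(1970, 1, 1, tzinfo=timezone.utc).astimezone(tz)
    return f"{MONTHS[t.month - 1]} {t.day:2d} {t:%H:%M:%S}"


def parse_entry(entry):
    """Split one netfilter log entry into stamp, log prefix and key=value fields."""
    stamp, rest = entry[:15], entry[16:]
    host, prefix, *tokens = rest.split()
    fields = {}
    for tok in tokens:
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields.setdefault(key, value)  # LEN and ID repeat; keep the first
    return {"stamp": stamp, "host": host, "prefix": prefix, "fields": fields}


def audit(text, utc_offset_hours):
    """One row per entry: is the stamp the epoch, and are IN= / MAC= empty?"""
    bad = epoch_stamp(utc_offset_hours)
    rows = []
    for entry in unwrap(text):
        if not STAMP_RE.match(entry):
            continue  # not a syslog line at all
        parsed = parse_entry(entry)
        fields = parsed["fields"]
        rows.append({
            "prefix": parsed["prefix"],
            "epoch_stamp": parsed["stamp"] == bad,
            "in_empty": fields.get("IN", "") == "",
            "mac_empty": fields.get("MAC", "") == "",
            "src": fields.get("SRC"),
            "dst": fields.get("DST"),
        })
    return rows


def tally(rows):
    """Count entries per (epoch_stamp, in_empty, mac_empty) combination."""
    return Counter((r["epoch_stamp"], r["in_empty"], r["mac_empty"]) for r in rows)


if __name__ == "__main__":
    for row in audit(SAMPLE_LOG, -5):
        print(row)
    print(tally(audit(SAMPLE_LOG, -5)))
```

In this sample the net2all entry arriving on ppp0 has an empty MAC= and a normal stamp, so of the two fields only the empty IN= lines up with the epoch stamp.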




[leaf-user] Shorewall logs have bad dates in them

2004-07-27 Thread John Desmond
Sorry if this has been covered before. It looks like a
real obvious problem, but I'm all Google-eyed from
looking for it and couldn't find anything on it.

I'm using Shorewall 2.0.2f and the logs always have
Dec 31 19:00:00 for the date for REJECTS in the
all2all chain.

Example log from today:

Jul 27 11:50:56 firewall Shorewall:net2all:DROP:
IN=ppp0 OUT= MAC= SRC=219.150.118.21 DST=138.88.147.32
LEN=1147 TOS=00 PREC=0x00 TTL=107 ID=60031 CE
PROTO=UDP SPT=15008 DPT=1026 LEN=1127
Dec 31 19:00:00 firewall Shorewall:all2all:REJECT: IN=
OUT=eth1 MAC= SRC=192.168.1.254 DST=192.168.1.185
LEN=331 TOS=00 PREC=0x00 TTL=64 ID=46672 CE DF
PROTO=UDP SPT=67 DPT=68 LEN=311
Dec 31 19:00:00 firewall Shorewall:all2all:REJECT: IN=
OUT=eth1 MAC= SRC=192.168.1.254 DST=192.168.1.185
LEN=331 TOS=00 PREC=0x00 TTL=64 ID=34851 CE DF
PROTO=UDP SPT=67 DPT=68 LEN=311
Jul 27 12:01:16 firewall Shorewall:net2all:DROP:
IN=ppp0 OUT= MAC= SRC=218.78.209.68 DST=138.88.147.32
LEN=1108 TOS=00 PREC=0x00 TTL=108 ID=48679 CE
PROTO=UDP SPT=18585 DPT=1026 LEN=1088

Have I misconfigured something?

-John





[leaf-user] Does dropbear support port forwarding?

2004-07-23 Thread John Desmond
I've replaced my Bering/sshd firewall with a Bering
uClibc/dropbear combo and I don't seem to be able to
make tunnels like I used to from an outside location
using PuTTY. (For instance, I used to connect with
Windows/PuTTY to my firewall and open a shell while
forwarding a local port. Then I could connect local
port xyz on my work desktop to port 22 on my home
desktop through the firewall and open a shell there.
And then on to my SL-5500 which is connected and left
running. All great fun. I often demo these abilities
to amazed engineers in the office whose only computer
experience is MS Office on MS Windows)

Now, I can open the shell but the tunnel doesn't seem
to happen. If I try to use it, the original session
crashes.

The man page for the full-up version of dropbear
indicates that forwarding ports is the default
behavior and a switch is used to disable it. But when
Bering-uClibc 2.01 was introduced, dropbear port
forwarding evidently only partly worked.

Has anyone successfully used dropbear 0.41 for port
forwarding?
Is there a diagnostic that will show the forwarding is
active?
netstat -a shows the server listening and the
established connection but would a forwarded port show
up there?

-John





Re: [leaf-user] Does dropbear support port forwarding?

2004-07-23 Thread John Desmond
Ooops! I meant to say that I have already added a rule
to shorewall to allow port 22 connections from fw to
loc.
-John

--- John Desmond [EMAIL PROTECTED] wrote:
 I've replaced my Bering/sshd firewall with a Bering
 uClibc/dropbear combo and I don't seem to be able to
 make tunnels like I used to from an outside location
 using PuTTY. (For instance, I used to connect with
 Windows/PuTTY to my firewall and open a shell while
 forwarding a local port. Then I could connect local
 port xyz on my work desktop to port 22 on my home
 desktop through the firewall and open a shell there.
 And then on to my SL-5500 which is connected and left
 running. All great fun. I often demo these abilities
 to amazed engineers in the office whose only computer
 experience is MS Office on MS Windows)
 
 Now, I can open the shell but the tunnel doesn't seem
 to happen. If I try to use it, the original session
 crashes.
 
 The man page for the full-up version of dropbear
 indicates that forwarding ports is the default
 behavior and a switch is used to disable it. But when
 Bering-uClibc 2.01 was introduced, dropbear port
 forwarding evidently only partly worked.
 
 Has anyone successfully used dropbear 0.41 for port
 forwarding?
 Is there a diagnostic that will show the forwarding is
 active?
 netstat -a shows the server listening and the
 established connection but would a forwarded port show
 up there?
 
 -John
 
 
 



RE: [leaf-user] Stumped trying to get Bering uClibc 2.2.0b4 interfaces to light up

2004-07-07 Thread John Desmond
OK, here's what I did wrong.

The User Guide shows how to insert info into
/etc/networks/interfaces for PPPoE. It shows all the
lines for auto, lo, ppp0 and eth1 all together. The
interfaces file has them separated out into Steps and
Options. Taking it all a little too literally, I stuck
all those interface lines together near the top of the
file, but also left in all the configuration lines
later in the file.

As a result, the interfaces had doubled lines in the
configuration. The boot was actually trying to tell me
that, too; but the warnings weren't dire enough to
ring any bells. No errors made it into any of the log
files.

After removing the duplicates, IP addresses were
assigned to the i/f's.

Thanks for your help with this.

By the way, the PPPoE interface info seems to have
eth0 and eth1 info swapped, like it's using eth1 for
the outside interface. Also, it uses the 'masklen'
keyword instead of 'netmask'. Is that a problem?

-John

--- Luis.F.Correia [EMAIL PROTECTED] wrote:
 Hi!
 
 They seem to be OK
 
 I'm just curious that you don't have _any_ errors on the
 logs...
 
 What does 'ip -s addr' show you?
 
 BTW, which exact 486 type is yours?
 
 Luis Correia
 Bering uClibc Team Member
 
 PGP Fingerprint: BC44 D7DA 5A17 F92A CA21 9ABE DFF0 3540 2322 21F6
 Key Server: http://pgp.mit.edu





[leaf-user] Stumped trying to get Bering uClibc 2.2.0b4 interfaces to light up

2004-07-05 Thread John Desmond
Friends-

I've stared at this problem for several hours now and
must admit I'm missing something very important but
can't see it.

I'm currently running Bering 1.0-rc3 on a 486 and have
run EigerStein and LRP previously, so I've got several
years of LEAF under my belt. I downloaded the stock
uClibc 2.2.0b4 and made some configuration changes to
bring up a PPPoE link with Verizon. I used my old
configuration changes as guidance as I stepped through
the Bering [& uClibc] Installation [& User] Guides.

Everything boots up except eth0 and eth1 appear not to
have TCP/IP bound to them and Shorewall spits and
hisses about interfaces.

The output of ping 127.0.0.1 is:
-
PING 127.0.0.1 (127.0.0.1): 56 data bytes
ping: sendto: Network is unreachable
-

The output of ip link show is:
-
1: lo: LOOPBACK mtu 16436 qdisc noop 
link/loopback 00:00:00:00:00:00 brd
00:00:00:00:00:00
2: dummy0: BROADCAST,NOARP mtu 1500 qdisc noop 
link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
3: eth0: BROADCAST,MULTICAST mtu 1500 qdisc noop
qlen 1000
link/ether 00:10:4b:00:64:c4 brd ff:ff:ff:ff:ff:ff
4: eth1: BROADCAST,MULTICAST mtu 1500 qdisc noop
qlen 1000
link/ether 00:60:08:08:78:81 brd ff:ff:ff:ff:ff:ff
-

Troubleshooting info follows.

The strings in 3c509.o say:
-
kernel_version=2.4.26
description=3Com Etherlink III (3c509, 3c509B) ISA/PnP
ethernet driver
-
so I seem to have the right compiled version of the
ethernet card driver.

syslinux.cfg is unchanged from stock.

leaf.cfg looks like this:
-
LRP=root config etc local modules iptables dhcpcd shorwall ulogd dnsmasq dropbear weblet ppp pppoe
PKGPATH=/dev/fd0u1680:msdos
syst_size=6M
log_size=2M
-

ls -l /lib/modules/3c509.o:
-
-rwxr-xr-x 1 root root 13632 Jul  3 10:21 3c509.o
-

3c509.o is the first and only uncommented entry in
/etc/modules until the PPPOE section, like in my
current working /etc/modules.

lsmod:
-
Module                  Size  Used by    Not tainted
softdog                 1508   1
ipt_state                336   2
ipt_helper               464   0 (unused)
ipt_conntrack            820   0
ipt_REDIRECT             544   0 (unused)
ipt_MASQUERADE          1056   0 (unused)
ip_nat_irc              2152   0 (unused)
ip_nat_ftp              2792   0 (unused)
iptable_nat            15716   2 [ipt_REDIRECT ipt_MASQUERADE ip_nat_irc ip_nat_ftp]
ip_conntrack_irc        2876   1
ip_conntrack_ftp        3484   1
ip_conntrack           18312   2 [ipt_state ipt_helper ipt_conntrack ipt_REDIRECT ipt_MASQUERADE ip_nat_irc ip_nat_ftp iptable_nat ip_conntrack_irc ip_conntrack_ftp]
pppoe                   6732   0 (unused)
pppox                    924   1 [pppoe]
ppp_synctty             4632   0 (unused)
ppp_generic            16204   0 [pppoe pppox ppp_synctty]
n_hdlc                  5792   0 (unused)
slhc                    4296   0 [ppp_generic]
3c509                   8240   0 (unused)
-

dmesg shows the two 3c509's getting IRQs (which IIRC
doesn't happen if 3c509.o isn't present):
-
Linux version 2.4.26 ([EMAIL PROTECTED]) (gcc version
2.95.3 20010315 (release)) #1 Sun Jun 6 11:44:34 CEST
2004
BIOS-provided physical RAM map:
 BIOS-88:  - 0009f000 (usable)
 BIOS-88: 0010 - 0100 (usable)
16MB LOWMEM available.
On node 0 totalpages: 4096
zone(0): 4096 pages.
zone(1): 0 pages.
zone(2): 0 pages.
DMI not present.
Kernel command line: BOOT_IMAGE=linux
initrd=initrd.lrp init=/linuxrc rw root=/dev/ram0
LEAFCFG=/dev/fd0u1680:msdos 
Initializing CPU#0
Console: colour VGA+ 80x25
Calibrating delay loop... 33.28 BogoMIPS
Memory: 14004k/16384k available (973k kernel code,
1992k reserved, 111k data, 64k init, 0k highmem)
Checking if this processor honours the WP bit even in
supervisor mode... Ok.
Dentry cache hash table entries: 2048 (order: 2, 16384
bytes)
Inode cache hash table entries: 1024 (order: 1, 8192
bytes)
Mount cache hash table entries: 512 (order: 0, 4096
bytes)
Buffer cache hash table entries: 1024 (order: 0, 4096
bytes)
Page-cache hash table entries: 4096 (order: 2, 16384
bytes)
CPU: After generic, caps: 0003 
 
CPU: Common caps: 0003 
 
CPU: Intel 486 DX/2 stepping 05
Checking 'hlt' instruction... OK.
POSIX conformance testing by UNIFIX
PCI: System does not support PCI
Linux NET4.0 for Linux 2.4
Based upon Swansea University Computer Society
NET3.039
Initializing RT netlink socket
Starting kswapd
pty: 256 Unix98 ptys configured
Serial driver version 5.05c (2001-07-08) with
MANY_PORTS SHARE_IRQ DETECT_IRQ SERIAL_PCI enabled
Real Time Clock Driver v1.10f
Floppy drive(s): fd0 is 1.44M, fd1 is 1.44M
FDC 0 is a post-1991 82077
RAMDISK driver initialized: 16 RAM disks of 4096K size
1024 blocksize
Initializing Cryptographic API
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP, IGMP
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured 

Fwd: Re: [leaf-user] PPPD and dynamic dns (pppoe)

2004-07-03 Thread John Desmond
Neglected to include
[EMAIL PROTECTED]

--- John Desmond [EMAIL PROTECTED] wrote:
 Date: Fri, 2 Jul 2004 10:05:53 -0700 (PDT)
 From: John Desmond [EMAIL PROTECTED]
 Subject: Re: [leaf-user] PPPD and dynamic dns
 (pppoe)
 To: Erich Titl [EMAIL PROTECTED]
 
 Erich-
 I think I had the same problem on an earlier version
 of LEAF. IIRC, I solved it with some hints from the
 ip-up example at /usr/share/doc/ppp-2.4.1/sample on
 Red Hat:
 -
 # The environment is cleared before executing this script
 # so the path must be reset
 #
 PATH=/usr/sbin:/sbin:/usr/bin:/bin
 export PATH
 -
 There were also some other relevant factoids to keep
 in mind, such as it runs with the ID of pppd and
 output is directed to /dev/null. Anyways, it gave me
 many hours of troubleshooting fun.
 It's probably the same with LEAF.
 -John
 
 --- Erich Titl [EMAIL PROTECTED] wrote:
  Hi everybody
 ...
  - Is there an easy way to detect a line down
  condition on the DSL end, e.g. does PPPD report this
  somewhere?
  
  I already tried to set a few scripts in ip_up.d
  ip_down.d to no avail yet.
 ...
  Erich
 
 
 





[leaf-user] Do I need to adjust my MTU?

2003-08-04 Thread John Desmond
I just noticed (I've been using LEAF for a couple of
years now) that the MTU for eth0 and eth1 is set at
1500 but the MTU for ppp0 is 1492. I'm told that's to
make room for an 8-byte pppoe header.

Is there any efficiency gain to matching the ethx MTUs
to the ppp0 MTU?

-John


1: lo:  mtu 16436 qdisc noqueue 
link/loopback 00:00:00:00:00:00 brd
00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: dummy0:  mtu 1500 qdisc noop 
link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
3: eth0:  mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:10:4b:00:64:c4 brd ff:ff:ff:ff:ff:ff
4: eth1:  mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:60:08:08:78:81 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.254/24 brd 192.168.1.255 scope
global eth1
5: ppp0:  mtu 1492 qdisc pfifo_fast qlen 3
link/ppp 
inet 138.88.95.206 peer 10.1.61.1/32 scope global
ppp0




[leaf-user] Need advice on wireless LAN segment

2003-02-20 Thread John Desmond
Folks-

I am currently using Bering to protect a simple home
LAN:

Internet
 |
ADSL
 |
Bering
 |
Hub
 | |
PCs
(2: 1 Win & 1 Lin)

I have to move my Linux machine into a room that has
no easy way to get Cat 5 to it. I'm thinking about
getting a couple of Linksys wireless ethernet bridges
and using their point-to-point capability to connect
the Linux box to the LAN and to disallow other (bad
boyz) to attach. [Or so the brochure would have me
believe.]
My first shot at it looks like this:

Internet
 |
ADSL
 |
Bering
 |
Hub --- WET11 . . . WET11 --- PC(Lin)
 |
PC
(Win)

Assuming this works, how can I encrypt all the traffic
across that link?

Is IPSec a reasonable solution here?

Does the LAN-attached WET11 need to be hung off the
Bering box instead of the hub? (The FreeS/WAN
documentation has about two sentences that apply to
this situation and it shows a gateway machine on the
LAN side.)

Would IPSec encrypt *all* the ethernet chatter on the
link (as, I guess, WEP does) or just that associated
with a particular session with another box on the LAN?

-John





[leaf-user] Mini-Qmail and dotted-decimal addressed email

2003-02-08 Thread John Desmond
I've been using mini-qmail on Bering (per Hendry D.
Lee:
http://sourceforge.net/tracker/index.php?func=detail&aid=586953&group_id=13751&atid=313751
) but recently discovered that mail addressed to me in
the form postmaster@[1.2.3.4] was being rejected. I
tested this because of what I read at anti-spam
Distributed Server Boycott List (http://dsbl.org/)
concerning their emails to admins of blacklisted
servers. They will only attempt to send mail addressed
as above. Other RBLs might be doing the same.

When mail is addressed to my domain (let's say
dork.face.name), mini-qmail on the firewall compares
the domain to the allowed delivery domains in
/var/qmail/control/rcpthosts. If it's in there,
mini-qmail will forward the mail to the main mail
server behind the firewall (server.dork.face.name).
Naturally, at least dork.face.name would be one of
the domains in rcpthosts.

When mini-qmail receives email addressed to the
firewall's external IP addie, it replaces the IP with
a domain name and forwards it to the mail server.
Unless otherwise specified, mini-qmail will replace
the IP with *its own* fully-qualified name (in my case
firewall.dork.face.name), which, of course, is not
going to be delivered on the firewall, so it gets
rejected.

The fix is to put dork.face.name into a new file
/var/qmail/control/localiphost. If this file exists,
mini-qmail will replace the IP addie with the
dork.face.name domain, compare the resulting address
with the list of domains in rcpthosts and, lo, there
is a match. The mail gets forwarded to the server.

Hope this helps if you're using mini-qmail and get
blacklisted :-)

-John
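The rewrite-then-check sequence described in the post above, as an added example that is not part of the original message and is not qmail's source: a simplified model that rewrites an IP-literal recipient and then checks the result against rcpthosts. The control file contents reuse the post's placeholder names; the `me` file holding the firewall's own name, the leading-dot wildcard handling, the constructed address 192.0.2.9 and all function names are assumptions of this sketch.

```python
import ipaddress

# Control directory before and after the fix from the post, as file name -> contents.
BEFORE = {
    "me": "firewall.dork.face.name\n",
    "rcpthosts": "dork.face.name\n",
}
AFTER = dict(BEFORE, localiphost="dork.face.name\n")

# The firewall's external address, using the post's placeholder 1.2.3.4.
LOCAL_IPS = {ipaddress.ip_address("1.2.3.4")}


def control_lines(files, name):
    """Non-blank lines of a control file, or an empty list if the file is absent."""
    return [ln.strip() for ln in files.get(name, "").splitlines() if ln.strip()]


def rewrite_ip_literal(rcpt, files, local_ips):
    """user@[a.b.c.d] becomes user@<localiphost, else me> when a.b.c.d is a local IP."""
    local, _, domain = rcpt.rpartition("@")
    if not (domain.startswith("[") and domain.endswith("]")):
        return rcpt
    try:
        ip = ipaddress.ip_address(domain[1:-1])
    except ValueError:
        return rcpt  # malformed literal: leave it for the rcpthosts check to reject
    if ip not in local_ips:
        return rcpt  # a literal for some other host is never rewritten
    # Without localiphost the replacement falls back to the host's own name.
    replacement = control_lines(files, "localiphost") or control_lines(files, "me")
    return f"{local}@{replacement[0]}"


def rcpt_decision(rcpt, files, local_ips):
    """Return (address after rewriting, whether rcpthosts accepts it)."""
    addr = rewrite_ip_literal(rcpt, files, local_ips)
    domain = addr.rpartition("@")[2].lower()
    for entry in control_lines(files, "rcpthosts"):
        entry = entry.lower()
        # Exact match, or a leading-dot entry matching any subdomain.
        if domain == entry or (entry.startswith(".") and domain.endswith(entry)):
            return addr, True
    return addr, False


if __name__ == "__main__":
    for label, files in (("before", BEFORE), ("after", AFTER)):
        for rcpt in ("postmaster@[1.2.3.4]", "postmaster@[192.0.2.9]",
                     "john@dork.face.name"):
            print(label, rcpt, "->", rcpt_decision(rcpt, files, LOCAL_IPS))
```

The literal for an address that is not the firewall's own stays unrewritten and fails the rcpthosts check in both configurations, so adding localiphost does not widen what the firewall will relay.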





Re: [leaf-user] ez-ipupdate dynamic DNS service providers

2003-01-04 Thread John Desmond
Greg-

I've been using DynDNS for several months without any
problems at all. I have a dynamic IP address. Setup
was easy. Use the custom DNS services for a one-time
start-up fee of $30.
http://support.dyndns.org/mydyndns/custom/howto/

It's been great fun having my own domain, my own
server and an infinite supply of email addresses! I'm
using qmail on the firewall to interface to the
server/workstation behind it and am growing more
confident of the setup every day. Let me know if you
need any help.

-John

--- Greg Morgan [EMAIL PROTECTED] wrote:
 I own my very own domain name.  I want to point it
 at my leaf box and 
 have a dynamic IP.  Can anyone provide feedback on
 their experiences 
 with any of the dynamic DNS service providers listed
 here?
 

http://leaf.sourceforge.net/devel/jnilo/ezipupd1.html
 
 Thanks,
 Greg Morgan
 
 
 




[leaf-user] Bering goes comatose for short periods.

2003-01-04 Thread John Desmond
I'm using Bering 1.0-rc3 - June 2002 with Verizon DSL.
I've noticed over the months that I would occasionally
lose connectivity and would have to reboot. Tonight I
waited it out and eventually got the connection
partially back. When I first noticed the problem, it
appeared that Bering had gone opaque again but I had
the time to investigate. We could not browse the web
from either of our computers behind the router. I can
ping between all the computers on the local net and to
Bering and back.

I can ping *some* Internet sites: www.yahoo.com is ok.
Can't ping www.ebay.com or www.50megs.com, but I can
now browse all three sites. (Bering came out of its
coma partially).

I started looking at the logs and noticed that some
entries are missing:
(packet logging edited out)
Dec 31 13:59:57 firewall -- MARK --
Dec 31 17:59:57 firewall -- MARK --
Jan 2 05:59:57 firewall -- MARK --
Jan 2 09:59:57 firewall -- MARK --
Jan 2 13:59:57 firewall -- MARK --
Jan 2 17:59:57 firewall -- MARK --
Jan 2 21:59:57 firewall -- MARK --
Jan 3 01:59:57 firewall -- MARK --
Jan 3 05:59:57 firewall -- MARK --
Jan 3 09:59:57 firewall -- MARK --
Jan 3 17:59:57 firewall -- MARK --
Jan 3 21:59:57 firewall -- MARK --
Jan 4 05:59:57 firewall -- MARK --
Jan 4 09:59:57 firewall -- MARK --
Jan 4 13:59:57 firewall -- MARK --
Jan 4 21:59:57 firewall -- MARK --

As you can see, some MARKs are missing. I saw that
the Jan 4 17:59:57 was missing but soon after I
started digging around, the system started logging
again with the 21:59:57 entry and started logging
packets again, too.

I've attached some data from the weblet which also
seems to be working OK. I haven't rebooted, so if
there's some diagnostic I can use, please let me know.

-John
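A gap check for the MARK lines in the message above, as an added example that is not part of the original post: it parses the syslog stamps, infers the mark interval from the smallest spacing, and lists each window in which expected marks are absent. The starting year 2002 is an assumption taken from the post date, since syslog stamps carry no year; the function names are hypothetical.

```python
from datetime import datetime, timedelta

# MARK lines exactly as posted in the message above.
MARK_LOG = """\
Dec 31 13:59:57 firewall -- MARK --
Dec 31 17:59:57 firewall -- MARK --
Jan 2 05:59:57 firewall -- MARK --
Jan 2 09:59:57 firewall -- MARK --
Jan 2 13:59:57 firewall -- MARK --
Jan 2 17:59:57 firewall -- MARK --
Jan 2 21:59:57 firewall -- MARK --
Jan 3 01:59:57 firewall -- MARK --
Jan 3 05:59:57 firewall -- MARK --
Jan 3 09:59:57 firewall -- MARK --
Jan 3 17:59:57 firewall -- MARK --
Jan 3 21:59:57 firewall -- MARK --
Jan 4 05:59:57 firewall -- MARK --
Jan 4 09:59:57 firewall -- MARK --
Jan 4 13:59:57 firewall -- MARK --
Jan 4 21:59:57 firewall -- MARK --
"""


def parse_marks(text, first_year):
    """Timestamps of the MARK lines, in file order.

    Syslog stamps have no year, so the year starts at first_year (assumed by
    the caller) and is advanced whenever the month number goes backwards.
    """
    marks, year, prev_month = [], first_year, None
    for line in text.splitlines():
        if "-- MARK --" not in line:
            continue
        stamp = " ".join(line.split()[:3])  # collapses the padding in "Jan  2"
        t = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        if prev_month is not None and t.month < prev_month:
            year += 1
            t = t.replace(year=year)
        prev_month = t.month
        marks.append(t)
    return marks


def silent_windows(marks, interval=None, slack=timedelta(minutes=5)):
    """Return (interval, windows); each window is (last_seen, next_seen, missing).

    interval defaults to the smallest spacing between consecutive marks.
    slack absorbs small timer drift so a slightly late mark is not a gap.
    """
    pairs = list(zip(marks, marks[1:]))
    if interval is None:
        interval = min(later - earlier for earlier, later in pairs)
    windows = []
    for earlier, later in pairs:
        missing = []
        expected = earlier + interval
        while expected + slack < later:
            missing.append(expected)
            expected += interval
        if missing:
            windows.append((earlier, later, missing))
    return interval, windows


if __name__ == "__main__":
    interval, windows = silent_windows(parse_marks(MARK_LOG, 2002))
    print("mark interval:", interval)
    for last_seen, next_seen, missing in windows:
        print(f"silent from {last_seen} to {next_seen}: {len(missing)} mark(s) missing")
```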

==
::Interfaces::

1: lo:  mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd
00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: dummy0:  mtu 1500 qdisc noop
link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
3: eth0:  mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:10:4b:00:64:c4 brd ff:ff:ff:ff:ff:ff
4: eth1:  mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:60:08:08:78:81 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.254/24 brd 192.168.1.255 scope
global eth1
5: ppp0:  mtu 1492 qdisc pfifo_fast qlen 3
link/ppp
inet 151.200.47.185 peer 10.1.32.1/32 scope global
ppp0

::Routes::

10.1.32.1 dev ppp0  proto kernel  scope link  src
151.200.47.185
192.168.1.0/24 dev eth1  proto kernel  scope link  src
192.168.1.254
default via 10.1.32.1 dev ppp0 

::Statistics::

1: lo:  mtu 16436 qdisc noqueue 
link/loopback 00:00:00:00:00:00 brd
00:00:00:00:00:00
RX: bytes  packets  errors  dropped overrun mcast
8184842115268   0   0   0   0
TX: bytes  packets  errors  dropped carrier
collsns
8184842115268   0   0   0   0
2: dummy0:  mtu 1500 qdisc noop
link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
RX: bytes  packets  errors  dropped overrun mcast
0  00   0   0   0
TX: bytes  packets  errors  dropped carrier
collsns
0  00   0   0   0
3: eth0:  mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:10:4b:00:64:c4 brd ff:ff:ff:ff:ff:ff
RX: bytes  packets  errors  dropped overrun mcast
2005329302 1816910  0   0   0   0 

TX: bytes  packets  errors  dropped carrier
collsns
146703239  1243293  0   0   0   70

4: eth1:  mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:60:08:08:78:81 brd ff:ff:ff:ff:ff:ff
RX: bytes  packets  errors  dropped overrun mcast
132329438  1023266  0   0   0   0
TX: bytes  packets  errors  dropped carrier
collsns
1971211362 1600843  0   0   0   159   

5: ppp0:  mtu 1492 qdisc pfifo_fast qlen 3
link/ppp 
RX: bytes  packets  errors  dropped overrun mcast
1958204569 1628681  0   0   0   0 

TX: bytes  packets  errors  dropped carrier
collsns
117379954  1055064  0   0   0   0 



::Masqueraded Connections::

tcp src=192.168.1.10 33651 dst=205.188.10.8 5190
--431992 sec. ESTABLISHED
tcp src=192.168.1.10 33653 dst=205.188.9.167 5190
--431977 sec. ESTABLISHED


::Other Connections::

tcp src=204.108.8.5 49488 dst=151.200.47.185 22
--59324 sec. ESTABLISHED
tcp src=192.168.1.10 35271 dst=192.168.1.254 22
--431858 sec. ESTABLISHED
tcp src=192.168.1.10 35275 dst=192.168.1.254 443
--431997 sec. ESTABLISHED

EXAMPLE OF A CONNECTION REPORT WHILE A FAILED PING IS
ONGOING:
icmp src=16 dst=208.185.127.167 dst=src=151.200.47.185
type=8 --1 sec. id=22583 [UNREPLIED]
src=208.185.127.167 dst=151.200.47.185 type=0 code=0
id=22583 use=1

::General System Info::

Uptime:  10:32pm  up 16 days, 16:34, load average:
0.59, 0.18, 0.05


Kernel:Linux firewall 2.4.18 #4 Sun Jun 9 09:46:15
CEST 2002 i486 unknown


Modules:
ip_nat_irc  2384   0 (unused)
ip_nat_ftp
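
An added example (not part of the original post): a shell and awk check that finds the missing MARK heartbeats in a syslog excerpt like the one earlier in this message. The function names, the 4-hour interval (read off the quoted timestamps) and the 365-day year rollover are assumptions.

```shell
#!/bin/sh
# Added example: report gaps in syslog "-- MARK --" heartbeat lines.

# Constructed sample: the MARK lines quoted in the message above.
sample_marks() {
    cat <<'EOF'
Dec 31 13:59:57 firewall -- MARK --
Dec 31 17:59:57 firewall -- MARK --
Jan 2 05:59:57 firewall -- MARK --
Jan 2 09:59:57 firewall -- MARK --
Jan 2 13:59:57 firewall -- MARK --
Jan 2 17:59:57 firewall -- MARK --
Jan 2 21:59:57 firewall -- MARK --
Jan 3 01:59:57 firewall -- MARK --
Jan 3 05:59:57 firewall -- MARK --
Jan 3 09:59:57 firewall -- MARK --
Jan 3 17:59:57 firewall -- MARK --
Jan 3 21:59:57 firewall -- MARK --
Jan 4 05:59:57 firewall -- MARK --
Jan 4 09:59:57 firewall -- MARK --
Jan 4 13:59:57 firewall -- MARK --
Jan 4 21:59:57 firewall -- MARK --
EOF
}

# mark_gaps INTERVAL_SECONDS   (log text on stdin)
# Prints one line per gap: "<last mark seen> -> <next mark seen> missing=<count>".
# Non-MARK lines (packet logs and so on) are ignored.
mark_gaps() {
    awk -v interval="$1" '
    BEGIN {
        # Day offset of each month in a 365-day year (assumption: leap days ignored).
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", names, " ")
        split("0 31 59 90 120 151 181 212 243 273 304 334", offs, " ")
        for (i = 1; i <= 12; i++) yday[names[i]] = offs[i]
        year_off = 0
        have_prev = 0
    }
    /-- MARK --/ {
        if (!($1 in yday)) next
        split($3, hms, ":")
        t = (yday[$1] + $2 - 1) * 86400 + hms[1] * 3600 + hms[2] * 60 + hms[3] + year_off
        # Syslog timestamps carry no year: a step backwards means Dec -> Jan.
        if (have_prev && t < prev) { year_off += 365 * 86400; t += 365 * 86400 }
        if (have_prev) {
            # Round to the nearest whole interval so a few seconds of drift is tolerated.
            missing = int((t - prev) / interval + 0.5) - 1
            if (missing > 0)
                printf "%s -> %s missing=%d\n", prev_ts, $1 " " $2 " " $3, missing
        }
        prev = t
        prev_ts = $1 " " $2 " " $3
        have_prev = 1
    }'
}

# Stand-alone run: 14400 s = the 4-hour spacing of the MARK lines above.
sample_marks | mark_gaps 14400
```

On a live box the same function can read the log directly, for example `mark_gaps 14400 < /var/log/messages`, with the interval matching the configured syslogd mark period.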

Re: [leaf-user] Mail Servers (was: Help!.... lrp_PING_HOSTS doesn't work why???)

2002-11-26 Thread John Desmond
Jacques-
I'm using rc3. What is the distinction between the
variable
lrp_MAIL_SERVER in lrp.conf and the variable
MAIL_SERVER in POSIXness.conf ?
I set them both to the same value but was wondering if
they are used in different ways or might conflict
somehow.
-John

 On Saturday 9 November 2002 08:08, Thitiporn
Pornpirunrak wrote:
You don't tell us which version of LEAF you are using
If you are using Bering rc4 my advice would be to
check the following 
chapters of the documentation:
http://leaf.sourceforge.net/devel/jnilo/bumail.html
http://leaf.sourceforge.net/devel/jnilo/bisystem.html#AEN842
Please note that these instructions are Bering
specific and only work with 
rc4.
Jacques

 Hi all,
  Today I try to set my bering box to alert me
when the connection from
 my firewall to router down. I found that in System
Configuration and
 Master LRP Setting has lrp_PING_HOSTS option and I
config them like
 this..
 
 ##
 # Host SMTP server for the 'mail' command. If blank
the host 'mail' is
 used.
 lrp_MAIL_SERVER=mail.mymail.com
 
 # Email address to use for notices and alerts. If
blank alerts won't be
 sent.
 lrp_MAIL_ADMIN=[EMAIL PROTECTED]
 
 # Server that will be contacted via 'rdate' for the
time service daily.
 # Turning this on also updates the CMOS clock
 lrp_DATE_SERVER=time.nuri.net
 
 # List of hosts to ping check. ADMIN will be sent
mail if any fail.
 lrp_PING_HOSTS=1.1.1.1
 ##
 
  I try to test my configuration by set
lrp_PING_HOSTS=1.1.1.1 that my
 firewall should send mail to me because my firewall
can't ping 1.1.1.1
 absolutely.
 However I try to send mail from my firewall to my
email
 manually by use mail command to make sure that my
firewall can connect to
 my email server like this 
 ##
 myfirewall: -root-
 # mail -s test [EMAIL PROTECTED]
 test
 ipsfw: -root-
 #
 ##
  When i check my email I found that that mail
was sent to me. So now I
 don't know that why my firewall don't send email to
me from lrp_PING_HOSTS
 option... Please help me.




Re: [LRP] [leaf-user] How to send mail on bering box without 'CTRL+D'

2002-11-25 Thread John Desmond
I've been using the following when all the info is in
the subject line:
echo | mail -ssubject user@host

The echo can also be used to put something in the body
of the message.
-John

  Hi all
   I am using Bering RC3 and heard that
 lrp_ping_hosts doesn't work and
  i want to write some script to ping my host and
 send mail if fail. I
  use mail command like
  mail -s Error to [EMAIL PROTECTED]
   I have to use CTRL+D to send that mail. I
 would like to know how to
  send them without CTRL+D. Anyone who know please
 tell me.
 
  Thank in Advance.
  Thitiporn.
 
 




[leaf-user] Switched from ES to Bering. NAT not working right

2002-08-04 Thread John Desmond

I hope you can help me. I've been using ESb4 and its
predecessors for about two years and decided it's time
to upgrade to a more modern LEAF. I downloaded Bering
V1.0-rc3 and documentation and made the suggested
changes for my particular situation: several
workstations behind LEAF, which is handling the pppoe
connection to the ISP through the ADSL modem. No port
forwarding going on. The pppoe link came up without a
hitch but packet forwarding is not working.

Symptoms:
1. I can ping the firewall from a workstation and can
browse the weblet (nice improvements there, BTW).
2. I can ping the workstations and external sites from
the firewall.
3. I *can't* ping (unreachable destination) external
sites by IP from the workstations through the
firewall. It also causes a reject in the logs. See
excerpt from logs below.
4. I *can't* ping (long delay and eventual unknown
host xxx) an external site by name. It also
causes a flurry of rejects in the logs as dnscache
tries to hit the root nameservers (which seems at odds
with #2, above). See excerpt from logs below.

Examples from logs.

In response to ping from workstation, through
firewall, to internet by IP:

Aug 4 15:15:48 firewall kernel:
Shorewall:FORWARD:REJECT:IN=eth1 OUT=ppp0
SRC=192.168.1.10 DST=64.58.76.223 LEN=84 TOS=0x00
PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0
ID=11272 SEQ=0

In response to ping from workstation, through
firewall, to internet by name:

Aug 4 15:17:31 firewall kernel:
Shorewall:OUTPUT:REJECT:IN= OUT=ppp0 SRC=138.88.131.90
DST=192.36.148.17 LEN=59 TOS=0x00 PREC=0x00 TTL=64
ID=60946 DF PROTO=UDP SPT=33411 DPT=53 LEN=39
Aug 4 15:17:31 firewall kernel:
Shorewall:OUTPUT:REJECT:IN= OUT=ppp0 SRC=138.88.131.90
DST=192.5.5.241 LEN=59 TOS=0x00 PREC=0x00 TTL=64
ID=53616 DF PROTO=UDP SPT=2809 DPT=53 LEN=39
... etc. ((many, many of these))

The only suspicious thing during bootup is a Shorewall
warning:

   Setting up Kernel Route Filtering...
  Warning: Cannot set route filtering on eth0

I went into /etc/shorewall/shorewall.conf and set
route filtering to Yes and that caused the warning
to go away. I also set clamp to MSS to Yes since the
documentation mentioned similar symptoms and that it
might be needed by braindead ISP using pppoe, which is
definitely my situation. Neither change helped the
main problem, though.

Following are some diagnostics that I hope will help.
Please let me know if there's something else I should
be looking for. Hope it doesn't wrap too badly; I'm
using Yahoo mail.

-John


=
Shorewall configuration data

-
/etc/shorewall/shorewall.conf: (most comments deleted)

##
#  /etc/shorewall/shorewall.conf V1.3 - Change the following variables to
##
FW=fw
SUBSYSLOCK=/var/run/shorwall
STATEDIR=/var/lib/shorewall
ALLOWRELATED=yes
MODULESDIR=
LOGRATE=
LOGBURST=
LOGUNCLEAN=info
LOGFILE=/var/log/messages
NAT_ENABLED=Yes
MANGLE_ENABLED=Yes
IP_FORWARDING=On
ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=No
TC_ENABLED=No
BLACKLIST_DISPOSITION=DROP
BLACKLIST_LOGLEVEL=
CLAMPMSS=No
ROUTE_FILTER=No
NAT_BEFORE_RULES=Yes

--
/etc/shorewall/zones

#ZONE   DISPLAY  COMMENTS
net     Net      Internet
loc     Local    Local networks


/etc/shorewall/interfaces
#ZONE   INTERFACE  BROADCAST  OPTIONS
#net    eth0       detect     dhcp,routefilter,norfc1918
net     eth0       detect     routefilter,norfc1918
loc     eth1       detect     routestopped

---
/etc/shorewall/rules

#ACTION  SOURCE  DEST  PROTO  DEST  SOURCE   ORIGINAL
#                             PORT  PORT(S)  DEST
# Accept DNS connections from the firewall to the network
#
ACCEPT   fw      net   tcp    53
ACCEPT   fw      net   udp    53
#
# Accept SSH connections from the local network for administration
#
ACCEPT   loc     fw    tcp    22

# Bering specific rules:
# allow loc to fw udp/53 for dnscache to work
# allow loc to fw tcp/80 for weblet to work
#
ACCEPT   loc     fw    udp    53
ACCEPT   loc     fw    tcp    80


/etc/shorewall/masq

#INTERFACE  SUBNET  ADDRESS
eth0        eth1




=
ESbeta4 versus Bering setup

OLD = ESbeta4 output
NEW = Bering v1.0-rc3 output

OLD ip route show

10.1.61.1 dev ppp0  proto kernel  scope link  src
138.88.7.20
192.168.1.0/24 dev eth1  proto kernel  scope link  src
192.168.1.254
default via 10.1.61.1 dev ppp0

NEW ip route show

10.1.61.1 dev ppp0  proto kernel  
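
An added example, not from the original post or the Shorewall project: the logged rejects name OUT=ppp0 while the posted interfaces and masq files list eth0, and this shell check flags that kind of mismatch. The function names, the sample files (constructed from the listings in the post) and the corrected variants are assumptions.

```shell
#!/bin/sh
# Added example: is the device that carries the default route known to Shorewall?

# Device of the default route; stdin is "ip route show" output.
default_route_dev() {
    awk '$1 == "default" { for (i = 2; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Zone that an interface belongs to; $1 = interface, stdin = interfaces file
# (columns: ZONE INTERFACE BROADCAST OPTIONS). Prints nothing if unlisted.
zone_of_iface() {
    awk -v want="$1" '/^[ \t]*#/ || NF < 2 { next } $2 == want { print $1; exit }'
}

# Succeeds if the masq file (columns: INTERFACE SUBNET ADDRESS) has a line
# for interface $1; stdin = masq file.
masq_has_iface() {
    awk -v want="$1" '/^[ \t]*#/ || NF < 2 { next } $1 == want { found = 1 } END { exit !found }'
}

# audit_wan_iface ROUTES_FILE INTERFACES_FILE MASQ_FILE
# Prints one finding per problem. Returns 0 if consistent, 1 on a mismatch,
# 2 if no default route is present.
audit_wan_iface() {
    wan=$(default_route_dev < "$1")
    if [ -z "$wan" ]; then
        echo "routes: no default route found"
        return 2
    fi
    findings=0
    zone=$(zone_of_iface "$wan" < "$2")
    if [ -z "$zone" ]; then
        echo "interfaces: $wan carries the default route but is in no zone"
        findings=1
    fi
    if ! masq_has_iface "$wan" < "$3"; then
        echo "masq: no entry masquerades traffic leaving via $wan"
        findings=1
    fi
    return $findings
}

# Constructed sample files: routes and Shorewall files as listed in the post,
# plus an assumed corrected pair (*.fixed) that names ppp0 instead of eth0.
write_sample() {
    cat > "$1/routes" <<'EOF'
10.1.61.1 dev ppp0  proto kernel  scope link  src 138.88.7.20
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.254
default via 10.1.61.1 dev ppp0
EOF
    cat > "$1/interfaces" <<'EOF'
#ZONE   INTERFACE  BROADCAST  OPTIONS
net     eth0       detect     routefilter,norfc1918
loc     eth1       detect     routestopped
EOF
    cat > "$1/masq" <<'EOF'
#INTERFACE  SUBNET  ADDRESS
eth0        eth1
EOF
    cat > "$1/interfaces.fixed" <<'EOF'
#ZONE   INTERFACE  BROADCAST  OPTIONS
net     ppp0       -          routefilter,norfc1918
loc     eth1       detect     routestopped
EOF
    cat > "$1/masq.fixed" <<'EOF'
#INTERFACE  SUBNET  ADDRESS
ppp0        eth1
EOF
}

# Stand-alone run against the posted configuration.
demo_dir=$(mktemp -d) && write_sample "$demo_dir"
audit_wan_iface "$demo_dir/routes" "$demo_dir/interfaces" "$demo_dir/masq" || :
rm -rf "$demo_dir"
```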

[leaf-user] Question about Dynamic DNS

2002-05-04 Thread John Desmond

I just got myself an account on dyndns.org and, as I
wait for the FQDN to waft through the world's DNS
servers, I thought I might ask how others have avoided
dyndns abuse. They say they'll block your name if
you automatically update their server with the same ip
you had last time. I noticed that when I reboot the
router I often receive the same ip as I had before. I
guess ez-ipupdate caches the ip, but that gets lost on
the reboot (ESBeta2). Has anyone developed some script
to compare the interface ip to an ip received from a
web-based ip checker before calling ez-ipupdate?
-John




Re: [Leaf-user] ssh firewall

2002-03-30 Thread John Desmond

Greg/Charles, that was a really good HOWTO you just
wrote. I wish you had done it a few days ago :-)
I spent the last few months puzzling out how to do
exactly what you just described. Just yesterday I
attained my 'holy grail' of networking which was to
click'n'drag files from my Windoze workstation at work
to my Linux workstation behind EigerStein2B4 at home.
I use Secure iXplorer (www.i-tree.org) on the Windoze
machine, which works well with the Putty programs.
It's a GUI front end for the Putty Secure Shell Copy
(PSCP) program.
If anyone needs to see details of the setup, drop me 
a line.
I guess I need a new holy grail now. (I already got
VNC working, too, but my upload speed at home is only
90KB which makes for really slow screen updates.) Any
suggestions for a new grail?
-John

--- Greg Morgan [EMAIL PROTECTED] wrote:
 Henning, Brian [EMAIL PROTECTED]
 wrote:
  
  hello-
  
  I am using echowall on dachstein LRP. I have a
 windows 2k pro machine that i
  can ssh into from the outside. i am also running
 an http server on my w2k
  machine. I am port forwarding ssh through my
 router/firewall.  My problem is
  I am not sure how to tunnel the http to the
 *outside world*. I am not sure
  if it is possible. Any thoughts or suggestions?
  
  thanks
  
  brian
  
 
 Charles gave you the answer to this before, but if
 you are coming from a
 windows world it may not make sense. I attached his
 original post at the
 end of this message.  Here's what I'll presume about
 you.  You are on a
 windows client at work or somewhere else connecting
 to your LEAF box. 
 As you described you have a Windows 2000 box with a
 web page you want to
 see.  There are a lot of things to keep straight in
 ones mind when you
 start playing with port forwarding and SSH.  In
 short, you are not
 trying to tunnel the http to the *outside world*
 but you tell your
 clients how to tunnel to the service.
 
 First off think of your LEAF box as just a patch
 cord.  You have taken a
 cord and plugged it into a receptacle named 22
 available to the rest of
 the world.  The other end of the cord has been
 plugged into 22 on your
 W2K box.  That's all port forwarding does in LEAF. 
 LEAF is completely
 out of the picture now.  All that it is is a pipe
 for data to flow
 over.  You have successfully done that as you
 describe above.
 
 Now let's talk about the magic of SSH.  SSH is one
 protocol.  It allows
 a person to setup an encrypted link between two
 computers.  Typically, a
 telnet like feature is used within the SSH suite to
 talk to another
 server and run commands on it.  A but there are
 a few more tricks up
 SSH's sleeve.  SSH allows you to build other pipes
 within the port 22
 pipe.  This is normally referred to as tunneling. 
 Within the port 22
 pipe you can create multiple tunnels.  For example I
 have both regular
 SSH and web tunneled to a windows machine.  I
 created these tunnels to
 try and explain what you'll need to do.  If I wanted
 to ftp through SSH,
 then you could add this too.  Name a protocol and
 try it.  You are
 really just redirecting a port that the protocol
 normally uses on your
 localhost to the desired port on your server.
 
 There are several SSH packages for Windows.  I'll
 describe putty.  You
 will need version 0.52. My prior version, 0.51, did
 not have the
 features to perform the tasks you're asking for. 
 (And yes I upgraded
 today to try it out. :)   ) 
 A.8.8 How do I pronounce PuTTY?
 Exactly like the normal word putty. Just like the
 stuff you put on
 window frames. (One of the reasons it's called PuTTY
 is because it makes
 Windows usable. :-)

http://www.chiark.greenend.org.uk/~sgtatham/putty/faq.html
 
 Download the executables from

http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html.
  You
 will want plink.exe especially.  plink is short for
 putty link.  You
 will want to setup your private key on the windows
 client computer that
 attaches to LEAF.
 
 plink.exe takes the SSH part and simplifies building
 tunnels within the
 port 22 pipe on a Windows PC.  I have a Samba Server
 on a Linux box that
 acts like your W2K box.  I used a windows PC with
 putty and plink to
 connect to it.  Here's the command I used where
 
  myLEAFipAddress is the address to LEAF
 performing port forwarding.
  myuser is the userid on the W2K box.
  myW2kboxIPorName is the ip or name of your W2k
 box.  You would need
 to add the name in c:\windows\host
  file for a server name to work.
 
  plink -L 80:myLEAFipAddress:80
 myuser@myW2kboxIPorName
 
 This establishes the tunnel.  I do not have a web
 server on my windows
 PC.  However, when I use 
 
   http://localhost/ 
 
 in the web browser, I see my what my Apache server
 is providing me.
 Remember port 80 is the default port used by
 browsers i.e.
 http://localhost/ is the same as
 http://localhost:80/.  SSH through
 plink is creating a tunnel to my local machine or a
 secure patch cord. 
 plink forwards whatever 

Re: [Leaf-user] ssh firewall

2002-03-30 Thread John Desmond

--- Matt Schalit [EMAIL PROTECTED] wrote:
 John Desmond wrote:
 Any
  suggestions for a new grail?
  -John

 1) QoS  (discussed recently, though)

The Q stands for 'Quality'. Since my ISP is Verizon, I
probably wouldn't notice any differences.

 2) multiple ISP load balancing

Two Verizons... three Verizons... O, the horror!

 3) debug.lrp that works on all LEAF distros

It's Linux... no need to debug!

 4) hardware protectable IDE Flash disk module

I took some flash pictures of the IDE disk and it
didn't hurt it, so I guess it's protected.

 
 Good Luck :)
 Matthew

Happy April Fool's!

And if you want to get some good ideas for a 'wired
house' go see Panic Room this weekend. I can't see
why, though, they didn't have a 'net connection and a
little LEAF in the corner! :-)

-John






Re: [Leaf-user] Bering user's guide (the cook book)

2002-03-20 Thread John Desmond


--- Jacques Nilo [EMAIL PROTECTED] wrote:
 Next contributions under preparation:
 3/ PPoE configuration (Eric)

I anxiously await! :-)





Re: [Leaf-user] An ssh attack against ESb2

2002-02-15 Thread John Desmond

Good idea. When I set this up, I was in my 'textbook'
phase. I could probably afford to get a little fancier
now.
-John

--- Simon Bolduc [EMAIL PROTECTED] wrote:
 Another thing you can do is to have SSH listen on a
 port other than 22.  I 
 moved mine up into the 2 range.  Most people
 scan only on well known 
 ports (FTP, WWW, SSH, SMTP, etc) so if they don't
 find anything they move 
 on, plenty of vulnerable systems out there, why
 waste time scanning one that 
 doesn't appear to be online, and if it is is
 probably well protected.
 
 S
 
 
 From: John Desmond [EMAIL PROTECTED]
 To: [EMAIL PROTECTED], LEAF User List
 [EMAIL PROTECTED]
 Subject: Re: [Leaf-user] An ssh attack against ESb2
 Date: Thu, 14 Feb 2002 12:24:36 -0800 (PST)
 
 Right you are. And I just tightened it up to only
 the
 one external location I really want to access it
 from.
 Too bad that newer OpenSSL is *so-o-o* big. I can't
 fit it.
 -John
 
 --- Glenn A. Thompson [EMAIL PROTECTED] wrote:
   hey:
  
   Jeff Newmiller wrote:
  
On Sun, 27 Jan 2002, John Desmond wrote:
   
 I just picked the following off my ESbeta2 a
 few
 minutes ago. It claims a crc32 compensation
   attack
 was made against it. It went on for about
 1/2
   hour. Is
 it significant that the source port changes
 with
   every
 connection attempt?
 I have sshd set up to receive connections
 from
   two
 external IPs (EXTERN_TCP_PORTS=0/0_ssh 2
   locations
  
   Doesn't 0/0_ssh mean that the whole world can
   connect to port 22 not just two
   hosts?
  
   Glenn
 
 



Re: [Leaf-user] An ssh attack against ESb2

2002-02-14 Thread John Desmond

Right you are. And I just tightened it up to only the
one external location I really want to access it from.
Too bad that newer OpenSSL is *so-o-o* big. I can't
fit it.
-John

--- Glenn A. Thompson [EMAIL PROTECTED] wrote:
 hey:
 
 Jeff Newmiller wrote:
 
  On Sun, 27 Jan 2002, John Desmond wrote:
 
   I just picked the following off my ESbeta2 a few
   minutes ago. It claims a crc32 compensation
 attack
   was made against it. It went on for about 1/2
 hour. Is
   it significant that the source port changes with
 every
   connection attempt?
   I have sshd set up to receive connections from
 two
   external IPs (EXTERN_TCP_PORTS=0/0_ssh 2
 locations
 
 Doesn't 0/0_ssh mean that the whole world can
 connect to port 22 not just two
 hosts?
 
 Glenn





Re: [Leaf-user] Geocrawler search not working?

2001-11-24 Thread John Desmond

Peter-
I also reported this several months ago. It looked
then like no message past about 11/15/2000 was
indexed. It removes a lot of the utility of having a
list if past info can't be searched. Like in
Memento, we have no memory! Fortunately, we have
Charles.  ;-D
-John

--- Peter Nosko [EMAIL PROTECTED] wrote:
 pn] I can't get a single match on words I'm picking
 out of recent messages, like dachstein.  I'm
 entering single words (without quotes) in the search
 field.  Would someone confirm this problem please?
 
 =
 
 -
 Peter Nosko ([EMAIL PROTECTED])
 This is a good place for a tagline.
 



Re: [Leaf-user] Help with getting weblet logs into weblet

2001-10-30 Thread John Desmond

--- Charles Steinkuehler [EMAIL PROTECTED]
wrote:
 
 Continuing, the reason you need ramdisk.lrp (or
 ramlog.lrp) is because
 otherwise there is no provision for creating and
 formatting additional
 ramdisks.  You could put mount entries in fstab, but
 without formatting them
 first, the ramdisks are pretty much useless.  There

I hate to appear to be perseverating on this, but I'm
having trouble understanding how ram0 gets created and
formatted, but an add-on package is required to format
the ram1.

My ES2 gives this in response to 'mount':

/dev/ram0 on / type minix (rw)
/proc on /proc type proc (rw)
/dev/ram1 on /var/log type minix (rw)

Is there a reference for installing linux to a
ramdrive, or for file systems at bootup that might
help?
-John




Re: [Leaf-user] Help with getting weblet logs into weblet

2001-10-29 Thread John Desmond


--- Michael D. Schleif [EMAIL PROTECTED] wrote:
 
 John Desmond wrote:
  
  --- Michael D. Schleif [EMAIL PROTECTED] wrote:
  
   John Desmond wrote:
  I must have a different version... no sh-log
 directory
  in the package. I think it's dynamic.
 
 Which version are you using?  I have v1.1.2.
 

@#$%%! It *was* in there! My Windoze-based archive
viewer-extracter ignores empty directories.

 
 I believe that (additional) ramdisks are created
 *after* root.lrp is
 unrolled; but, *before* anything goes into /var/log
 or /tmp.
 

But how does LRP know to install ramdisk.lrp and
execute the included bootup file before any of the
other .lrp's that depend on it? *I* didn't tell it to!

Which brings up another question that's been nagging
at me ever since I installed ramdisk.lrp to put
/var/log on its own: why do I need ramdisk.lrp,
anyway? The whole LRP-thing is operating out of a ram
drive! Can't a second ramdrive be specified in
/etc/fstab mounted at /var/log? Is it a different kind
of ramdrive? Anybody know?

-John






Re: [Leaf-user] Help with getting weblet logs into weblet

2001-10-28 Thread John Desmond

--- Michael D. Schleif [EMAIL PROTECTED] wrote:
 
 John Desmond wrote:
 
.. 
 (One of
  the commands buried in the scripts has a
 'preserve'
  option which I think is supposed to keep this from
  happening but it didn't seem to work)
  
...
  independently? Or can someone point out how to set
 up
  symlinks during the boot-up?
 
 Here's how I do it; but, bear in mind, this involves
 re-building
 weblet.lrp and ramlog.lrp.  I rebuild many LRP's and
 also rebuild the CD
 image so nothing is on my floppy, except those files
 required to boot
 (e.g., contents of bootdisk.bin.)


I'm a little embarrassed to admit that the only linux
system I have is the LRP. I administer the box and CM
my builds from a Windoze station.

 
 First, un-tar weblet.lrp into a temporary directory.
 
   cd temp/var
   rm -fr sh-log
   ln -s /var/log sh-log
 
 At this point, rebuild weblet.lrp from this tree.


Actually, I rebuild my .lrp's by setting up the system
the way I want, hacking the package .list files and
jiggling the handle. Your basic technique I can do as
long as I don't have to recompile something :)

I must have a different version... no sh-log directory
in the package. I think it's dynamic.

H. Important question: if I create a symlink and
use the LRP package backup, will it save the symlink
or the contents of the linked file? If the former,
this will work for me.
 
 I work on a full install Debian system; so, I have
 no idea how to do
 this on your Dachstein system; but, making these
 changes to your
 firewall and lrcfg/backup should also work.
 
 Next, un-tar ramlog.lrp (or, ramdisk.lrp should also
 work) into a
 temporary directory.  I'm not clear what to do if
 /var/log is *not* on
 its own ramdisk.
 
   cd temp/var/log
   rm sh-httpd.log (it's probably *not* there)
   sh-httpd.log
   chown 50:4 sh-httpd.log
   chmod 640 *

This looks like the opposite of what I was doing. I
had the file in /var/sh-log and the link in /var/log.

 
 At this point, rebuild ramlog.lrp from this tree.
 
 Also, as you surmised, you will need to edit
 /etc/cron.daily/multicron-d, modifying the call to
 savelog in the
 rotatelogs subroutine:
 
   savelog -p -c ${lrp_LOGS_DEPTH:-4} $LOG /dev/null
 
 Of course, etc.lrp requires backup/update for these
 changes to persist.
 
 What do you think?
 

I'm going to have to play with this some more. It
seems like putting the symlinks into weblet is the
best bet if they can be backed up.

You know, I just remembered why I dropped this in
confusion a few weeks back. I was uncertain when the
ramdisk gets created, and whether it would be there to
receive files from a package installation during
bootup. I was guessing that /etc/init.d/ramdisk
wouldn't be run until after all the packages were read
in; therefore, no ramdisk when weblet.lrp was read;
so, no place for my symlinks. I was thinking that
perhaps empty weblet logs and the links to them should
be created in one of the bootup scripts like the links
to 'ln' and 'grep', but that was such a dark forest, I
wasn't ready to go in it.

 
 P.S.  Charles, *why* isn't ``savelog -p'' the default
 in Dachstein-CD?  I
 cannot figure out any reason to force ownership of
 everything to
 root:adm, as this current configuration does:
 
   savelog -g adm -m 640 -u root -c
 ${lrp_LOGS_DEPTH:-4} $LOG /dev/null
 

I added the -p option back when I was experimenting
with it and it didn't seem to help.

 -- 
 
 Best Regards,
 
 mds

Thanks.
-John






[Leaf-user] Help with getting weblet logs into weblet

2001-10-26 Thread John Desmond

I've been messing with the weblet logs in
EigerSteinB2, trying to figure out how to get them to
show up in the weblet along with messages.log and the
others. There seem to be some interacting problems
with this, though.

If I move the weblet sh-log's into /var/log,
everything works peachy until the next log rotation,
at which point the ownership of the files revert to
root and the weblet can't access them anymore. (One of
the commands buried in the scripts has a 'preserve'
option which I think is supposed to keep this from
happening but it didn't seem to work)

I tried the reverse, leaving the sh-log's in
/var/sh-log but don't seem to be able to find a way to
get the weblet cgi to access the logs in the other
directory.

Check this out, though. I tried creating a set of
symbolic links in /var/log that don't rotate but point
to the /var/sh-log's and that actually worked great.
Except.. I lose all the symlinks on a reboot.

So, has anyone figured out how to do this
independently? Or can someone point out how to set up
symlinks during the boot-up?

Incidentally, the logs section of my weblet looks like
this now (note the new sh-httpd.log entry):

--- 8 ---
Log Files:

Current Archives All Description 

messages 0 1 2 3 All System Messages, including denied
packets 
syslog 0 1 2 3 All General log file - lots of info 
auth.log 0 1 2 3 All Who's logged in recently 
debug 0 1 2 3 All debugging information 
daemon.log 0 1 2 3 All daemon (server programs)
messages 
kern.log 0 1 2 3 All kernel messages 
ppp.log 0 1 2 3 All ppp log files 
pslave.log 0 1 2 3 All portslave log files 
user.log 0 1 2 3 All user log files 
sh-httpd.log 0 1 2 3 All http log files 
--- 8 ---

-John





[Leaf-user] Trouble with pscp==sshd on internal side only

2001-07-05 Thread John Desmond

I have sshd running stand-alone on EigerStein2BETA
PPPoE Image v.0.4. I'm using Putty pscp 0.51 to send
and receive files from an internal workstation and
from an external workstation. I normally have only RSA
authentication working with a passphrase for a special
login account, then I su to root to check status, etc.
No root logins. No password authentication. I also use
Putty ssh for access.

Recently I noticed that internal pscp access defaults
down to password authentication (I've temporarily
enabled it on to make it work for the examples below.)
External access still works with a passphrase. Also,
Putty ssh works from everywhere with a passphrase.

The network is simply the LRP NAT'ing several Windows
workstations in a home ethernet setup.

I assume I accidentally made a change in a config file
somewhere and didn't realize the impact. How can I
make the passphrase work again for pscp on the
internal network?

-John

 From the Internet:
==
C:\>pscp -ls [EMAIL PROTECTED]:/
Passphrase for key newbie-at-work:
drwxr-xr-x 16 root root  640 Jun 30 20:39 .
drwxr-xr-x 16 root root  640 Jun 30 20:39 ..
drwxr-xr-x  2 root root 1824 Jun 30 20:39 bin
..etc..
==

 From the internal network:
==
C:\WINDOWS>pscp -ls [EMAIL PROTECTED]:/
[EMAIL PROTECTED]'s password: passphrase doesn't
  work here
[EMAIL PROTECTED]'s password:
drwxr-xr-x 16 root root  640 Jun 30 20:39 .
drwxr-xr-x 16 root root  640 Jun 30 20:39 ..
drwxr-xr-x  2 root root 1824 Jun 30 20:39 bin
..etc..
==

 The ssh daemon config file:
==
# This is ssh server systemwide configuration file.

Port 22
ListenAddress 0.0.0.0
HostKey /etc/ssh/ssh_host_key
RandomSeed /etc/ssh/ssh_random_seed
ServerKeyBits 768
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin no
IgnoreRhosts yes
StrictModes yes
QuietMode no
X11Forwarding yes
X11DisplayOffset 10
FascistLogging no
PrintMotd no
KeepAlive yes
SyslogFacility DAEMON
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
UseLogin no
# CheckMail no
# PidFile /u/zappa/.ssh/pid
# AllowHosts
# DenyHosts lowsecurity.theirs.com *.evil.org evil.org
# Umask 022
# SilentDeny yes

 EOF 
==

 The hosts.allow file:
==

sshd: ALL
ALL: 192.168.1.0/255.255.255.0,www.xxx.yyy.zzz

 EOF 
==

Note: www.xxx.yyy.zzz is my firewall address at work.

