Re: [leaf-user] Project Admin
While the LEAF project goals may not include the word floppy, and even taking into account the LRP history, there are a lot of posts in the archives discussing the need/perceived requirement to keep the Bering (and Bering uClibc) minimal runnable configuration small enough to fit on a floppy (maybe a non-standard 1.6Mb, but still on a floppy). My question, Is a LEAF distribution required to fit on and boot from a 1.44Mb floppy? was more rhetorical in nature, intended to spur discussion to get the real requirements figured out. Ken On Mon, Aug 10, 2009 at 04:18, Gordon Bos gor...@q-ry.nl wrote: Mike Noyes wrote: -snip- Is a LEAF distribution required to fit on and boot from a 1.44Mb floppy? Ken, No. See: Project Goals Maintain as small a footprint as possible for release/branch target installations. Ken, Just to clarify, the LEAF project description and goals haven't had the word floppy in them for years. I'm guessing that would be an honoust mistaken from anyone that remembers the abandoned Linux Router Project. With LEAF having adopted so much from that earlier project it can be hard to tell the difference at first glance. The concept of having read-only media to boot from has, in my opinion, not lost its validity. The thought of being able to reboot and loose anything a hacker has changed, is very assuring. Obviously you'll still need to plug the leak that the hacker discovered, but at least you have no immediate worry about others discovering the hackers backdoor. I realize that none of the commercial products appear to be using this concept, but their solution is to reset to factory defaults. In essence that is no different, but it offers a lot less flexibility towards the people operating it. I do not use LEAF out of cheapness, I use it because I think I can do a better job than those commercial products. Gordon -- Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day trial. Simplify your report design, integration and deployment - and focus on what you do best, core application coding. Discover what's new with Crystal Reports now. http://p.sf.net/sfu/bobj-july leaf-user mailing list: leaf-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/leaf-user Support Request -- http://leaf-project.org/ -- Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day trial. Simplify your report design, integration and deployment - and focus on what you do best, core application coding. Discover what's new with Crystal Reports now. http://p.sf.net/sfu/bobj-july leaf-user mailing list: leaf-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/leaf-user Support Request -- http://leaf-project.org/
Re: [leaf-user] Project Admin
On Fri, Aug 7, 2009 at 17:12, Ken Gentle wrote: Write protecting the Floppy is a feature I value (I routinely use it). I would not change firewalls just because I couldn't use a floppy for the configuration. I use uClibc Bering to protect my business and home networks; The write-protect is a little bit of extra reassurance that I can get back to exactly the configuration I had if a compromise of either network occurred. I've never needed to do so. However, I think we're off topic - the real requirement question is this: Is a LEAF distribution required to fit on and boot from a 1.44Mb floppy? My personal opinion is that booting from CD is great. However, I haven't tried to put LEAF distros in teeny, tiny, minimal hardware architectures. LEAF has always been a very small distribution and should continue with that goal. What is the smallest non-disk media in use these days? 2Mb? 4Mb? Find that number and set that as the max size for a LEAF distro. FWIW Ken On Fri, Aug 7, 2009 at 12:35, Dillabough, Dave dave.dillabo...@bcgeu.cawrote: Ken, Is the fact that you can write protect the floppy a consideration (and do you do this) or is it just the convenience of having one around Dave -- *From:* Ken Gentle [mailto:jkennethgen...@gmail.com] *Sent:* Friday, August 07, 2009 8:51 AM *To:* Dillabough, Dave *Cc:* Erich Titl; leaf-user@lists.sourceforge.net *Subject:* Re: [leaf-user] Project Admin I still use floppies for config files. It is the easiest configuration for a software geek to mangle together - take a floppy off an old system, plug in the IDE cable and you're in business. My earliest LEAF systems (Dachstein and uClibc Bering) ran completely off of the floppy (on a 486DX w 16Mb of RAM) I'm interested in the CF media or moving off old PC platforms to something like the Alix platform. But that is a lot of hardware/low level software learning curve. Having said all that, I do boot my current systems from CD and just save configuration to floppy. I believe that would work nicely with a 2.6 kernel. Ken On Wed, Aug 5, 2009 at 18:39, Dillabough, Dave dave.dillabo...@bcgeu.ca wrote: Hi Erich, How much of an issue is having write protection? I can understand that it is better in theory but I can't think of a commercial firewall product (Cisco PIX, Linksys, DLink etc) that does not use flash and that has any sort of write protection. If having boot from R/O media is an issue you could boot from CD and save to a floppy. You could also write protect CF media with a hardware hack to the cable. With USB/CF systems I always keep a backup of the boot media. It's not as simple as a power cycle but I can always get back to a known state if I need to although this has yet to be an issue for me. So from my perspective this would seem to be a non issue for most users and that for those few where it is an issue there are ways around it with some extra work. Obviously I don't have your perspective on the issue and I may be in the minority here and while I don't need 2.6 features yet it does seem to me that there must be quite a lot of development work that goes into squeezing a working system onto a floppy. It would be a shame if this is being done to no purpose. Does anyone on the list boot a system from floppy disk or save config files to floppy disk? I will take a look at the 2.6 CVS. Dave -Original Message- From: Erich Titl [mailto:erich.t...@think.ch] Sent: Wednesday, August 05, 2009 2:40 PM To: Dillabough, Dave Cc: leaf-user@lists.sourceforge.net Subject: Re: [leaf-user] Project Admin Dave Dillabough, Dave wrote: I'm wondering how much of an issue it is to have a system that will fit on a floppy. I would think that being able to boot off of a USB drive or a CD/USB combo would be more pertinent today given as few machines even come with a floppy as standard equipment anymore. USB booting would eliminate the futzing around with non standard disk sizes and would be a lot more reliable and as well. I have been running some variant of LRP/LEAF since the 2.x days both at home and for various work related uses and the most common failure is mechanical i.e. drives or fans. I switched to booting off of CF cards and fanless power supplies a couple of years ago and am much closer to my goal of having a solid state appliance that I can install and ignore. Even buying the smallest CF cards available I still need only a small fraction of the card to boot LEAF. The world has moved on from the floppy drive and I think trying to keep future versions of LEAF small enough to boot from a floppy is l argely an artificial constraint now. If for some reason the use of a floppy is required then older versions of LEAF are still available
Re: [leaf-user] Project Admin
On Fri, Aug 7, 2009 at 11:51, Ken Gentle wrote: I still use floppies for config files. It is the easiest configuration for a software geek to mangle together - take a floppy off an old system, plug in the IDE cable and you're in business. My earliest LEAF systems (Dachstein and uClibc Bering) ran completely off of the floppy (on a 486DX w 16Mb of RAM) I'm interested in the CF media or moving off old PC platforms to something like the Alix platform. But that is a lot of hardware/low level software learning curve. Having said all that, I do boot my current systems from CD and just save configuration to floppy. I believe that would work nicely with a 2.6 kernel. Ken On Wed, Aug 5, 2009 at 18:39, Dillabough, Dave dave.dillabo...@bcgeu.cawrote: Hi Erich, How much of an issue is having write protection? I can understand that it is better in theory but I can't think of a commercial firewall product (Cisco PIX, Linksys, DLink etc) that does not use flash and that has any sort of write protection. If having boot from R/O media is an issue you could boot from CD and save to a floppy. You could also write protect CF media with a hardware hack to the cable. With USB/CF systems I always keep a backup of the boot media. It's not as simple as a power cycle but I can always get back to a known state if I need to although this has yet to be an issue for me. So from my perspective this would seem to be a non issue for most users and that for those few where it is an issue there are ways around it with some extra work. Obviously I don't have your perspective on the issue and I may be in the minority here and while I don't need 2.6 features yet it does seem to me that there must be quite a lot of development work that goes into squeezing a working system onto a floppy. It would be a shame if this is being done to no purpose. Does anyone on the list boot a system from floppy disk or save config files to floppy disk? I will take a look at the 2.6 CVS. Dave -Original Message- From: Erich Titl [mailto:erich.t...@think.ch] Sent: Wednesday, August 05, 2009 2:40 PM To: Dillabough, Dave Cc: leaf-user@lists.sourceforge.net Subject: Re: [leaf-user] Project Admin Dave Dillabough, Dave wrote: I'm wondering how much of an issue it is to have a system that will fit on a floppy. I would think that being able to boot off of a USB drive or a CD/USB combo would be more pertinent today given as few machines even come with a floppy as standard equipment anymore. USB booting would eliminate the futzing around with non standard disk sizes and would be a lot more reliable and as well. I have been running some variant of LRP/LEAF since the 2.x days both at home and for various work related uses and the most common failure is mechanical i.e. drives or fans. I switched to booting off of CF cards and fanless power supplies a couple of years ago and am much closer to my goal of having a solid state appliance that I can install and ignore. Even buying the smallest CF cards available I still need only a small fraction of the card to boot LEAF. The world has moved on from the floppy drive and I think trying to keep future versions of LEAF small enough to boot from a floppy is l argely an artificial constraint now. If for some reason the use of a floppy is required then older versions of LEAF are still available. do not misinterpret me, I wrote an early HOWTO about using secure flash disks for leaf :-( and yes, I agree, I live easily with the flash memory world. There are 2 main things that are different from a floppy - size - write protection In my eyes, the write protection is the more important factor. There have been multiple attempts to solve this, amongst it unloading the device driver. There has been a experimental 2.6 release on CVS which was hardly used by anyone, hey, this is an open source project, get your hands dirty. cheers Erich -- Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day trial. Simplify your report design, integration and deployment - and focus on what you do best, core application coding. Discover what's new with Crystal Reports now. http://p.sf.net/sfu/bobj-july leaf-user mailing list: leaf-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/leaf-user Support Request -- http://leaf-project.org/ -- Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day trial. Simplify your report design, integration and deployment - and focus on what you do best, core application coding. Discover what's new with Crystal Reports now. http://p.sf.net/sfu/bobj-july
Re: [leaf-user] Upgrading to new version 3.1.1
Thank you for your response. The problem was the protocol that WinSCP used when attempting to connect. The connection was refused when using SFTP but was successful when using SCP. Apparently the LEAF system wasn't set up to use SFTP and couldn't complete the connection. Thanks Ken Luis.F.Correia wrote: Hi Ken, -Original Message- From: Ken M [mailto:ke...@wi.rr.com] Sent: Wednesday, March 04, 2009 12:35 AM To: leaf-user@lists.sourceforge.net Subject: [leaf-user] Upgrading to new version 3.1.1 I am running Bering 3.0 from a CF card on an IDE to CF adapter. It has run flawlessly but I was interested in moving up to the latest rev. When I decided to update to the latest version I kept my syslinux.cfg file my leaf.cfg file my configdb.lrp file and my moddb.lrp file from my working 3.O system. I loaded a new CF with the new kernel and LRP files as well as the new *.SER files and the config files from my working system. Everything works but I can not log in remotely to the LEAF box using WinSCP. It connects originally but disconnects after the root password is entered. It could be a problem with WinSCP itself but I am able to log in to the router when the original 3.0 system is booted. The problem is certainly a cached credential for r...@your_system. With a new installation, a new SSH key is generated. Delete that key from where WinSCP keeps it, and you'll ne fine. Luis Correia Bering uClibc team member No virus found in this incoming message. Checked by AVG - www.avg.com Version: 8.0.237 / Virus Database: 270.11.7/1983 - Release Date: 03/04/09 07:41:00 -- Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA -OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise -Strategies to boost innovation and cut costs with open source participation -Receive a $600 discount off the registration fee with the source code: SFAD http://p.sf.net/sfu/XcvMzF8H leaf-user mailing list: leaf-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/leaf-user Support Request -- http://leaf-project.org/
Re: [leaf-user] Upgrading to new version 3.1.1
Thanks I assume then that I can safely remove these files from my boot disk without causing problems. I only connect using the local console or via SSC or SCP from my local network. Thanks Ken Martin Hejl wrote: Hi Ken, What are the *.ser files for and how do they fit into the picture? They weren't in the original 3.0 system. They contain the config for setups that use a serial console - they were introduced with Bering uClibc 3.1 RC1 to make life easier for those of us who run Bering uClibc on a box without a video card (in such a case, simply rename syslinux.ser to syslinux.cfg, and configdb.ser to configdb.lrp and the default image will work on a box that has only a serial console). Martin -- Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA -OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise -Strategies to boost innovation and cut costs with open source participation -Receive a $600 discount off the registration fee with the source code: SFAD http://p.sf.net/sfu/XcvMzF8H leaf-user mailing list: leaf-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/leaf-user Support Request -- http://leaf-project.org/ No virus found in this incoming message. Checked by AVG - www.avg.com Version: 8.0.237 / Virus Database: 270.11.7/1983 - Release Date: 03/04/09 07:41:00 -- Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA -OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise -Strategies to boost innovation and cut costs with open source participation -Receive a $600 discount off the registration fee with the source code: SFAD http://p.sf.net/sfu/XcvMzF8H leaf-user mailing list: leaf-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/leaf-user Support Request -- http://leaf-project.org/
[leaf-user] Upgrading to new version 3.1.1
I am running Bering 3.0 from a CF card on an IDE to CF adapter. It has run flawlessly but I was interested in moving up to the latest rev. When I decided to update to the latest version I kept my syslinux.cfg file my leaf.cfg file my configdb.lrp file and my moddb.lrp file from my working 3.O system. I loaded a new CF with the new kernel and LRP files as well as the new *.SER files and the config files from my working system. Everything works but I can not log in remotely to the LEAF box using WinSCP. It connects originally but disconnects after the root password is entered. It could be a problem with WinSCP itself but I am able to log in to the router when the original 3.0 system is booted. My questions are. Should I be able use the *db.lrp flies from LEAF Bering 3.0 with the 3.1.1 version? Do I need to update modules? I use tulip and via-rhine nic modules with crc32, mii and the standard modules that come with the distribution package. What are the *.ser files for and how do they fit into the picture? They weren't in the original 3.0 system. Hopefully the answers will help me get my remote login back the router is running in an old electrical cabinet in the basement and is not easily accessible so the remote administration is a great help. Thanks for your help. It works but I use WinSCP to update my addon hosts file and would like to be able to continue to use it so I have reverted to my original 3.0 install. Ken -- Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA -OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise -Strategies to boost innovation and cut costs with open source participation -Receive a $600 discount off the registration fee with the source code: SFAD http://p.sf.net/sfu/XcvMzF8H leaf-user mailing list: leaf-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/leaf-user Support Request -- http://leaf-project.org/
Re: [leaf-user] Bering uClibc 3.1.1-beta1 package/binary for 'cutter'?
I'm sorry if this ends up duplicated on the list - I posted it yesterday and haven't seen it show up. On Tue, Dec 2, 2008 at 13:21, Ken Gentle [EMAIL PROTECTED] wrote: Hello! Thanks again to everyone who makes Bering uClibc such a great package! I'm running Bering uClibc 3.1.1-beta1 (kernel 2.4.34) I'm looking for a way to drop established connections and came across the following thread in the Shorewall group (comp.security.shorewall) http://article.gmane.org/gmane.comp.security.shorewall/2543 -- Dropping established connections In this response http://article.gmane.org/gmane.comp.security.shorewall/2567 cutter is pointed out as forcing established connections to drop (http://www.lowth.com/cutter/) Does anyone have a binary or LEAF/Bering uClibc package for this small program? Alternatively, does anyone know of another way to force connections to a particular IP to be dropped (without a reboot?) The specific problem is dropping new requests and dropping established connections to an Xbox-360 at a particular time. I'm currently using a cron job with a one-line script shorewall drop internal-ip, but that doesn't force existing connections to be dropped. Thanks! Ken - This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100url=/ leaf-user mailing list: leaf-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/leaf-user Support Request -- http://leaf-project.org/
[leaf-user] Bering uClibc 3.1.1-beta1 package/binary for 'cutter'?
Hello! Thanks again to everyone who makes Bering uClibc such a great package! I'm running Bering uClibc 3.1.1-beta1 (kernel 2.4.34) I'm looking for a way to drop established connections and came across the following thread in the Shorewall group (comp.security.shorewall) http://article.gmane.org/gmane.comp.security.shorewall/2543 -- Dropping established connections In this response http://article.gmane.org/gmane.comp.security.shorewall/2567 cutter is pointed out as forcing established connections to drop (http://www.lowth.com/cutter/) Does anyone have a binary or LEAF/Bering uClibc package for this small program? Alternatively, does anyone know of another way to force connections to a particular IP to be dropped (without a reboot?) The specific problem is dropping new requests and dropping established connections to an Xbox-360 at a particular time. I'm currently using a cron job with a one-line script shorewall drop internal-ip, but that doesn't force existing connections to be dropped. Thanks! Ken - This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100url=/ leaf-user mailing list: leaf-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/leaf-user Support Request -- http://leaf-project.org/
Re: [leaf-user] ezipupd question
This is based on sparse notes and faulty memory of what I did about a year ago. Please feel free to correct mistakes/suggest better idioms or current best practices for these steps. Ken How to get ezipupd running for DynDNS on Bering uClibc 3.x: 1) Added ezipupd to the LRP variable in leaf.cfg. On startup, this loads the ezipupd module and creates the startup file in /etc/init.d/ez-ipupd 2) After booting with the change above, use lrcfg to edit ez-ipupd.conf (Packages Config:ezipupd:ez-ipupdate configuration): Here's mine with names changed to protect the, uh, poster: service-type=dyndns-custom user=dyndns-username:dyndns-password interface=eth0 host=mybusiness.com,mybusiness.org,personal.com,personal.org,personal.net # 21 days: 21*24*60*60 seconds max-interval=1814400 cache-file=/var/run/ez-ipupdate.cache pid-file=/var/run/ez-ipupdate.pid daemon 21 days is completely arbitrary. 3) Change Shorewall rules to allow outbound from FW to DynDNS: # # 2007-06-09 JKG # DynDns address changed (apparently some time ago) to .96, # so we'll open it up enough to use a range of DynDns addresses. # # 2007-02-02 JKG # Allow the fw to update DynDNS with our ip address. # Name:members.dyndns.org # Address: 63.208.196.95-62.208.196.100 # HTTP/ACCEPT $FWnet:63.208.196.95-63.208.196.100 4) Reboot or update Shorewall and start ez-ipupd: # shorewall refresh # /etc/init.d/ez-ipupd start - This SF.net email is sponsored by: Microsoft Defy all challenges. Microsoft(R) Visual Studio 2008. http://clk.atdmt.com/MRT/go/vse012070mrt/direct/01/ leaf-user mailing list: leaf-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/leaf-user Support Request -- http://leaf-project.org/
Re: [leaf-user] ezipupd question
ez-ipudate works just fine...
I have it configured as a daemon, the current default IIRC. The only
trick was adjusting my Shorewall rules to allow outgoing connections to
the DynDNS servers.
I can post more detail if that would be helpful
On Jan 21, 2008 12:54 AM, Victor McAllister [EMAIL PROTECTED] wrote:
Last week I set up a uClibc 3.1b3 for a friend using dhcpcd to configure
eth0.
Now I want to assign a dns name to the box.
I haven't run ezipupd recently - explanation is here.
http://leaf.sourceforge.net/doc/bucu-ezipupd.html
Does this script go in /etc/interfaces where I define eth0?
reload_all() {
/sbin/shorewall restart
echo Starting ez-ipupd from dhclient ...
/etc/init.d/ez-ipupd start
}
Anyone know if ezipupd still works for dyndns.com?
-
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse012070mrt/direct/01/
leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/
--
J. Kenneth Gentle (Ken)
Gentle Software LLC
Phone: 484.371.8137
Mobile: 302.547.7151
Email: [EMAIL PROTECTED]
Email: [EMAIL PROTECTED]
www.gentlesoftware.com
-
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse012070mrt/direct/01/
leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/
Re: [leaf-user] Help diagnosing heartbeat errors, please!
Just a follow up on this issue: I replaced the hubs with switches (FS108 FS105) and haven't seen an error yet - a little over two days of running, but with a lot of LAN and LAN to NET traffic. Thanks! Ken On Dec 14, 2007 10:06 PM, Bob Gregory [EMAIL PROTECTED] wrote: -Original Message- From: [EMAIL PROTECTED] [mailto:leaf-user- [EMAIL PROTECTED] On Behalf Of Bob Coffman - Info From Data Corp. Sent: Friday, December 14, 2007 11:23 AM To: 'LEAF User' Subject: Re: [leaf-user] Help diagnosing heartbeat errors, please! FS108 8 port SWITCH for less than a UPS would cost Yes do that. In fact, if its not too much bother, I personally would get rid of the other hub too, but if it remains where it is there should be no problems. How would I track down a bad NIC? Swap the cable, and connect a switch on ETH1 temporarily. Reboot Bering to reset the stats on the card (or do it through software if you can) and use the connection for a while to see what you get. With the number of errors you are getting it should be obvious fairly quickly. I'll second that. Better to get rid of all the old hubs. An FS108 is about USD 40 and the FS105 is ~ USD 25. Cheers, -Bob - SF.Net email is sponsored by: Check out the new SourceForge.net Marketplace. It's the best place to buy or sell services for just about anything Open Source. http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace leaf-user mailing list: leaf-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/leaf-user Support Request -- http://leaf-project.org/ -- J. Kenneth Gentle (Ken) Gentle Software LLC Phone: 484.371.8137 Mobile: 302.547.7151 Email: [EMAIL PROTECTED] Email: [EMAIL PROTECTED] www.gentlesoftware.com - This SF.net email is sponsored by: Microsoft Defy all challenges. Microsoft(R) Visual Studio 2005. http://clk.atdmt.com/MRT/go/vse012070mrt/direct/01/ leaf-user mailing list: leaf-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/leaf-user Support Request -- http://leaf-project.org/
[leaf-user] Help diagnosing heartbeat errors, please!
I've been experiencing some sporadic slowness (perceived, no hard measurement) on my local Lan subnet. When I started looking into it I found a lot of errors on my eth1, the lan subnet in question: # ip -s link show eth1 4: eth1: BROADCAST,MULTICAST,UP mtu 1500 qdisc pfifo_fast qlen 1000 link/ether 00:0c:41:e9:34:dd brd ff:ff:ff:ff:ff:ff RX: bytes packets errors dropped overrun mcast 579054358 3829354 0 0 0 0 TX: bytes packets errors dropped carrier collsns 0 03643158 0 3643158 0 # ip -s -s link show eth1 4: eth1: BROADCAST,MULTICAST,UP mtu 1500 qdisc pfifo_fast qlen 1000 link/ether 00:0c:41:e9:34:dd brd ff:ff:ff:ff:ff:ff RX: bytes packets errors dropped overrun mcast 579095638 3829655 0 0 0 0 RX errors: length crc frame fifomissed 00 0 0 0 TX: bytes packets errors dropped carrier collsns 0 03643405 0 3643405 0 TX errors: aborted fifowindow heartbeat 00 0 3619749 I believe I've tracked the problem to a misconfiguration of hardware, but would like a sanity check before I start rebuilding my network. Here's the diagram in classic ASCII art: +-+ | | Motorola Surfboard Cable Modem | | (dynamic IP from Comcast) +-+ | | eth0: +-+ | | Bering uClibc/Shorewall +-+ eth1: | | eth2: | | | +- DMZ (Website) | +-+ | | NETGear DS108 10/100 +-+ 8 port HUB Business||| | Computers -+|| | Printer --+|++ NetGear SC101 ---+|| Linksys Etherfast 10/100 ++ 5 port SWITCH | | +--+ +--- XBox 360 (with XBox LIVE) | +-+ NetGear DS104 | | 4 port HUB +-+ | | | | Home Computer -+ | Spouse's Work Lap Top --+ (Occasionally) If the ASCII art gets mangled, the important detail is this: firewall/router(eth1:)---DS108 HUB--EtherFast 10/100 SWITCH--DS104 HUB My theory is that the problem lies in having the Linksys SWITCH between the two NetGear HUBs. I only recently (hangs head) learned the real difference between HUBs and SWITCHes. The Linksys SWITCH only talks full duplex upstream; My understanding of the NETGear doc says that it only talks half duplex. So while my network is functioning, I'm losing half the packets at the SWITCH - HUB connection, and that is the cause of the heartbeat errors I'm seeing. While on the diagram it looks easy enough to reconfigure in order to put the SWITCH directly connected to eth1: with the two NETGear HUBS connected to the switch firewall/router(eth1:)--EtherFast 10/100 SWITCH--(DS108 and DS104 in separate SWITCH ports) Physically, that means some movement of gear between floors and likely purchasing another UPS (moving cable modem, firewall and probably the SC101). Alternatively, I could replace the DS108 HUB with an FS108 8 port SWITCH for less than a UPS would cost. Here's the sanity check: Does the HUB/SWITCH misconfiguration theory fit with the errors reported? Or is it really more likely a bad NIC somewhere? How would I track down a bad NIC? Thanks in advance! Ken PS: LEAF, Bering uClibc and Shorewall are just an unbeatable combination! Thanks to everyone who make it possible. Details on the firewall follow: LEAF CONFIG DETAILS: Pentium 2, 100Mhz, 168Mb RAM Bering uClibc, v3.0.1 3 Linksys Etherfast 10/100 NICs Fairly standard 3 card setup, Local Lan with DMZ # uname -a Linux 2.4.33 #1 Sun Jan 14 12:15:07 CET 2007 i686 unknown # ip addr show 1: lo: LOOPBACK,UP mtu 16436 qdisc noqueue link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo 2: dummy0: BROADCAST,NOARP mtu 1500 qdisc noop link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff 3: eth0: BROADCAST,MULTICAST,NOTRAILERS,UP mtu 1500 qdisc pfifo_fast qlen 1000 link/ether 00:0c:41:ec:40:78 brd ff:ff:ff:ff:ff:ff inet 69.253.57.107/21 brd 255.255.255.255 scope global eth0 4: eth1: BROADCAST,MULTICAST,UP mtu 1500 qdisc pfifo_fast qlen 1000 link/ether 00:0c:41:e9:34:dd brd ff:ff:ff:ff:ff:ff inet 192.168.225.254/24 brd 192.168.225.255 scope global eth1 5: eth2: BROADCAST,MULTICAST,UP mtu 1500 qdisc pfifo_fast qlen 1000 link
[leaf-user] leaf.cfg modules not all loading (NF!)
I am using Bering uclibc 3.02 booting from an IDE CF card. The system boots normally except that the last two modules in the LRP= list don't load. depending on which modules are last I get a not found error (NF!) on the first of the modules that don't load. I have found references to a line length limitation in the syslinux.cfg file that can cause this problem but no mention of this for leaf.cfg. The overall length of the line in which he LRP variable is declared was 100 characters including the LRP= and all punctuation and spaces. I did try splitting the line using a line feed but without success. I am using the editor in the LEAF package to make changes to leaf.cfg. Is there a limit to the length of the LRP variable in the leaf.cfg and if so can the lrpkg.cfg file be used to load packages? I will look into trying that next while waiting for an answer. Thank you for your time Ken - This SF.net email is sponsored by: Microsoft Defy all challenges. Microsoft(R) Visual Studio 2005. http://clk.atdmt.com/MRT/go/vse012070mrt/direct/01/ leaf-user mailing list: leaf-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/leaf-user Support Request -- http://leaf-project.org/
Re: [leaf-user] leaf.cfg modules not all loading (NF!)
Thanks Martin, I found the problem and the cause. I was backing up a working system so that I would be able to recover it as quickly as possible in case of a failure of the CF or IDE adapter. The way I was doing this was to mount the working boot disk and copy all files except ldlinux.sys over the network to a windows system. I then burned them to a CD with Nero and copied the files from the CD to the second CF in another machine that had a CD rom installed. After I had copied the files to the new CF I booted it and found that the system wasn't loading properly. The reason that I found was that every line in the leaf.cfg file had a period appended to it which caused several problems when rebooting the system. Once the periods were removed the system booted normally again. This may have been caused by the windows system or the transfer to the CD I don't know yet. I need to experiment with the system to find out where in the process the periods appeared. Thanks Ken Martin Hejl wrote: Hi Ken, I am using Bering uclibc 3.02 booting from an IDE CF card. The system boots normally except that the last two modules in the LRP= list don't load. depending on which modules are last I get a not found error (NF!) on the first of the modules that don't load. Please post your leaf.cfg file (in-line - posting it as an attachment will not work on this list). A length of 100 characters should not be an issue (on my setup, it is 202 characters long), so I guess there's something else causing the issue. Martin - This SF.net email is sponsored by: Microsoft Defy all challenges. Microsoft(R) Visual Studio 2005. http://clk.atdmt.com/MRT/go/vse012070mrt/direct/01/ leaf-user mailing list: leaf-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/leaf-user Support Request -- http://leaf-project.org/ - This SF.net email is sponsored by: Microsoft Defy all challenges. Microsoft(R) Visual Studio 2005. http://clk.atdmt.com/MRT/go/vse012070mrt/direct/01/ leaf-user mailing list: leaf-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/leaf-user Support Request -- http://leaf-project.org/
Re: [leaf-user] leaf.cfg modules not all loading (NF!)
Ok. After doing some research it appears that windows/dos line feeds were added to both leaf.cfg and syslinux.cfg when the files were uploaded from the router to the windows system. The program used for this was winscp400. I was able to remove them with a windows editor called edit pad lite that has a feature that allows the file to be converted from windows cr/lf to Unix lf only. The files were only uploaded never edited on the windows system so I don't see how the files got changed. So this is something I will be aware of in the future Ken Martin Hejl wrote: Hi Ken, I found the problem and the cause. I'm glad you found the problem. The reason that I found was that every line in the leaf.cfg file had a period appended to it which caused several problems when rebooting the system. Once the periods were removed the system booted normally again. This may have been caused by the windows system or the transfer to the CD I don't know yet. I need to experiment with the system to find out where in the process the periods appeared. I've never seen this kind of thing happen on any of the systems I'm in charge of - but since it's now documented in the list archives, it may help other people who might run into the same thing in the future. Thanks for reporting back the results of your troubleshooting. Martin - This SF.net email is sponsored by: Microsoft Defy all challenges. Microsoft(R) Visual Studio 2005. http://clk.atdmt.com/MRT/go/vse012070mrt/direct/01/ leaf-user mailing list: leaf-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/leaf-user Support Request -- http://leaf-project.org/ - This SF.net email is sponsored by: Microsoft Defy all challenges. Microsoft(R) Visual Studio 2005. http://clk.atdmt.com/MRT/go/vse012070mrt/direct/01/ leaf-user mailing list: leaf-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/leaf-user Support Request -- http://leaf-project.org/
Re: [leaf-user] Any experience with eMTA Cable Modems and Bering uClibc?
Thanks, Charles. Comcast Tech support said I could keep my current Surfboard for data and use theirs for the voice. I thought that was redundant, but I see your point. One of my co-workers has voice and data on the same modem and he'll occasionally drop out on our phone conversations - it is really annoying. Just what I need - another electronic device to plug in... ;-) As usual, you've been a big help, Charles. Sounds like separate modems for voice/data is the way to go. Ken At 16:45 2007-04-16, Charles Steinkuehler wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Ken Gentle wrote: I'm trying to figure out if adding Comcast's Digital Voice service, which requires me to lease an eMTA modem from them, is going to cause me any problems with my current network setup. Comcast will supply either an Arris Touchstone or Motorola Surfboard/Voice modem, with battery backup. My research on the Motorola finds that there is a firewall and NAT on the modem (which I don't want). I can't find anything similar about the Arris Touchstone. Does anyone have any experience with either of these modems and Bering uClibc? I have two Arris Touchstone modems for digital voice on Cox cable-modem service (one for business phone, one for residential), but neither is hooked to my firewall (which is hooked to a third modem). When I setup my business-class network service with digital voice, the Cox folks brought me a new Arris modem for voice, but told me to keep the existing cable modem for data. I was told there can be issues with traffic prioritization within a single modem if it's running both data and voice (ie: if your local computer starts spewing garbage full-speed out to the 'net, your phone might stop working). I'm not sure how seriously to take this, but that's what the installer said. You might ask and see if you can just keep your existing modem for data when they install your new voice service. If you're nice to the installer, (s)he'll probably even provide the required splitter and coax patch cables. If you're *REALLY* nice, you might be able to get them to put their demark on your backboard in the wiring closet, instead of hanging off the side of your house somewhere. :) - -- Charles Steinkuehler [EMAIL PROTECTED] -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.0 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGI+B5LywbqEHdNFwRAgo0AJwPbRzE6QjZah8aCXrw7y4+KMf9AACg9u41 VKR3Lb+2REOQ9KFncxPbd+4= =RpM7 -END PGP SIGNATURE- - This SF.net email is sponsored by DB2 Express Download DB2 Express C - the FREE version of DB2 express and take control of your XML. No limits. Just data. Click to get it now. http://sourceforge.net/powerbar/db2/ leaf-user mailing list: leaf-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/leaf-user Support Request -- http://leaf-project.org/ - This SF.net email is sponsored by DB2 Express Download DB2 Express C - the FREE version of DB2 express and take control of your XML. No limits. Just data. Click to get it now. http://sourceforge.net/powerbar/db2/ leaf-user mailing list: leaf-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/leaf-user Support Request -- http://leaf-project.org/
[leaf-user] Any experience with eMTA Cable Modems and Bering uClibc?
I'm trying to figure out if adding Comcast's Digital Voice service, which requires me to lease an eMTA modem from them, is going to cause me any problems with my current network setup. Comcast will supply either an Arris Touchstone or Motorola Surfboard/Voice modem, with battery backup. My research on the Motorola finds that there is a firewall and NAT on the modem (which I don't want). I can't find anything similar about the Arris Touchstone. Does anyone have any experience with either of these modems and Bering uClibc? TIA Ken - This SF.net email is sponsored by DB2 Express Download DB2 Express C - the FREE version of DB2 express and take control of your XML. No limits. Just data. Click to get it now. http://sourceforge.net/powerbar/db2/ leaf-user mailing list: leaf-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/leaf-user Support Request -- http://leaf-project.org/
[leaf-user] Ok, the Cable Modem discussion has me concerned...
After reading the thread, I checked my Bering uClib 3.0.1 (latest and greatest ISO) and discovered the following using ip -s link: 3: eth0: BROADCAST,MULTICAST,NOTRAILERS,UP mtu 1500 qdisc pfifo_fast qlen 1000 link/ether 00:0c:41:ec:40:78 brd ff:ff:ff:ff:ff:ff RX: bytes packets errors dropped overrun mcast 2724718608 42870003 0 0 0 0 TX: bytes packets errors dropped carrier collsns 441074316 4000179 2 0 2 0 4: eth1: BROADCAST,MULTICAST,UP mtu 1500 qdisc pfifo_fast qlen 1000 link/ether 00:0c:41:e9:34:dd brd ff:ff:ff:ff:ff:ff RX: bytes packets errors dropped overrun mcast 1152457833 11965659 79 0 0 0 TX: bytes packets errors dropped carrier collsns 0 011399780 0 11399778 0 5: eth2: BROADCAST,MULTICAST,UP mtu 1500 qdisc pfifo_fast qlen 1000 link/ether 00:0c:41:e9:36:79 brd ff:ff:ff:ff:ff:ff RX: bytes packets errors dropped overrun mcast 6273713538700 0 0 0 TX: bytes packets errors dropped carrier collsns 97303534 772500 0 0 0 I am connected to my ISP via a Motorola Surfboard SB4100 then to my LEAF box which has three LinkSys LNE100TX ver 5.1 cards. eth0: is the FW, as usual eth1: is the private LAN -- connected to a NETGEAR dual speead DS108 10/100 hub eth2: is the DMZ Concerning me is the number of errors on eth1 - I'm wondering if I have similar duplex problems as Bob had. ethtool shows me nothing about my cards, for some reason. I have had intermittent bizarre behavior on the network (that I've been blaming on Comcast). Do I have a problem here? Performance improvements would be a big hit with my users. Ken - Take Surveys. Earn Cash. Influence the Future of IT Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT business topics through brief surveys-and earn cash http://www.techsay.com/default.php?page=join.phpp=sourceforgeCID=DEVDEV leaf-user mailing list: leaf-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/leaf-user Support Request -- http://leaf-project.org/
Re: [leaf-user] Ok, the Cable Modem discussion has me concerned...
Just what a Software geek loves to hear - its a hardware problem. ;-) Oh, wait a minute, its *my* hardware problem! *PANIC* =-O Luckily, I do have some diagnostic equipment for the CAT 5... and plug pray for the hub ports. Thanks, George. BTW, is there a RTFM of the ip -s link output somewhere? The google for man ip wasn't particularly helpful... At 15:45 2007-02-26, George Metz wrote: Ken Gentle wrote: snip! 4: eth1: BROADCAST,MULTICAST,UP mtu 1500 qdisc pfifo_fast qlen 1000 link/ether 00:0c:41:e9:34:dd brd ff:ff:ff:ff:ff:ff RX: bytes packets errors dropped overrun mcast 1152457833 11965659 79 0 0 0 TX: bytes packets errors dropped carrier collsns 0 011399780 0 11399778 0 snip! Concerning me is the number of errors on eth1 - I'm wondering if I have similar duplex problems as Bob had. Nope, that's not a duplex issue. If it were, you'd be getting overruns and collisions. What we've got here is, probably, a bad NIC, bad wire, or bad port on the hub, or a bad hub in general. Notice that you've got zero transmit packets, but nearly as many transmit errors as you do receive packets. I'd try changing the cat 5 and the card, if you've got a spare; probably not the hub, or if it is then it's probably just the port itself, so try a different port too. George Metz - Take Surveys. Earn Cash. Influence the Future of IT Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT business topics through brief surveys-and earn cash http://www.techsay.com/default.php?page=join.phpp=sourceforgeCID=DEVDEV leaf-user mailing list: leaf-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/leaf-user Support Request -- http://leaf-project.org/ - Take Surveys. Earn Cash. Influence the Future of IT Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT business topics through brief surveys-and earn cash http://www.techsay.com/default.php?page=join.phpp=sourceforgeCID=DEVDEV leaf-user mailing list: leaf-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/leaf-user Support Request -- http://leaf-project.org/
Re: [leaf-user] Re: Bering uClibc 2.3-rc1: ifup: Don't seem to have all the variables for eth0/inet
Thanks all for your suggestions - Kwon, I think you were closest to the problem originally, Eric and Larry's talking about dhcpcd and dnsmasq triggered the Aha!. Somebody (who shall remain nameless) removed dhcpcd (having read it dhcpd) from leaf.cfg, thinking that dnsmasq (which said someone has not used before) was handling dhcp. eth0 has all its variables now. Now if I can just get my kids off Runescape long enough to switch cables, I'll have a better-stronger-faster firewall in place. Add another one to the Stupid User Tricks list... Thanks again, all. Ken --- SF.Net email is sponsored by: Tame your development challenges with Apache's Geronimo App Server. Download it for free - -and be entered to win a 42 plasma tv or your very own Sony(tm)PSP. Click here to play: http://sourceforge.net/geronimo.php leaf-user mailing list: leaf-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/leaf-user Support Request -- http://leaf-project.org/
Re: [leaf-user] Bering uClibc 2.3-rc1: ifup: Don't seem to have all the variables for eth0/inet
At 03:33 2005-09-22, you wrote: Hello Ken, snip Looks ok, are you sure there is a driver loaded for eth0? (lsmod). Yep, tulip is loaded. You can try to make a fixed config (like you did for eth1) to check if the interface is brought up correctly. The address is supposed to be assigned dynamically by my ISP/Cable Modem (and works just fine on the old box with ancient network cards). I don't understand enough of the config here to assign the values. I guess I could assign it the DHCP value that the old firewall - but I'm afraid that if the MAC address changes (and it will) that the modem or my ISP will invalidate the DHCP lease. How should I configure it? Also take a look in the various logfiles (/var/log) to see some clues when you do an ifdown/ifup. Nothing in these files is useful -- some lines in messages saying that each of the cards was found, using the tulip driver, and what IRQs were found (11, 12 and 5) and some lines in debug on ifdown saying that tulip_stop_rxtx() failed on eth1 and eth2. Eric --- SF.Net email is sponsored by: Tame your development challenges with Apache's Geronimo App Server. Download it for free - -and be entered to win a 42 plasma tv or your very own Sony(tm)PSP. Click here to play: http://sourceforge.net/geronimo.php leaf-user mailing list: leaf-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/leaf-user Support Request -- http://leaf-project.org/ --- SF.Net email is sponsored by: Tame your development challenges with Apache's Geronimo App Server. Download it for free - -and be entered to win a 42 plasma tv or your very own Sony(tm)PSP. Click here to play: http://sourceforge.net/geronimo.php leaf-user mailing list: leaf-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/leaf-user Support Request -- http://leaf-project.org/
[leaf-user] Bering uClibc 2.3-rc1: ifup: Don't seem to have all the variables for eth0/inet
Hello all -- I must be overlooking something really simple here, but I just can't seem to find it. I'm upgrading my old 486 based Dachstein system to a PII based Bering uClibc and I want to ultimately add a DMZ (moving up from two cards to three). I've got three LinkSys EtherFast 10/100 pci cards in the box. I'm trying to get the simple LAN working, using a private subnet of 192.168.225. On startup (or on /etc/init.d/networking restart) I get the following message: Reconfiguring network interfaces: Nothing to flush. ifup: Don't seem to have all the variables for eth0/inet done. My interfaces file has the following: # Step 1: configure external interface # uncomment/adjust one of the following 4 options # Option 1.1 (default): eth0 / dynamic IP from pump/dhclient auto eth0 iface eth0 inet dhcp snip commented lines # Step 2: configure internal interface # Default: eth1 / fixed IP = 192.168.1.254 auto eth1 iface eth1 inet static address 192.168.225.254 netmask 255.255.255.0 broadcast 192.168.225.255 Would someone kindly point me at the FM to RT on this one, please? I'm stumped, Google wasn't of any help, and I think I followed the instructions correctly... TIA Ken --- SF.Net email is sponsored by: Tame your development challenges with Apache's Geronimo App Server. Download it for free - -and be entered to win a 42 plasma tv or your very own Sony(tm)PSP. Click here to play: http://sourceforge.net/geronimo.php leaf-user mailing list: leaf-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/leaf-user Support Request -- http://leaf-project.org/
[leaf-user] Dachstein Bin to ISO?
Guys, I know I've seen this on this list and in the documentation, but I can't seem to put my hands on it. I want to take the new Dachstein bin image and make an ISO cd out of it -- would some kind, benevolent soul please point me at the correct FM to RT? Thanks! (This old-timer's disease is really getting bad!) Ken --- SF email is sponsored by - The IT Product Guide Read honest candid reviews on hundreds of IT Products from real users. Discover which products truly live up to the hype. Start reading now. http://productguide.itmanagersjournal.com/ leaf-user mailing list: [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
[leaf-user] Firewall compromised-V2.0 uClibc-0. image Bering-uClibc_2.0_img_bering-uclibc-1680.exe
Hello All, Please be patient with me, I am new to the Linux world and I am not a security expert. I built a uClibc firewall version 2.0 Linux firewall kernel 2.4.20 from the image Bering-uClibc_2.0_img_bering-uclibc-1680.exe and I have been compromised. I have included a lot of information here because I need to know how the hackers compromised this machine and I want to give you as much information as you need to help me figure it how. For the most part this is a default configuration with no special services needed or running, I setup dropbear (default config) but have not removed the package yet. The Shorewall is set to accept all outbound traffic and paranoid ALL inbound, I have not changed anything in this configuration file. Please see Configuration and rules below for more detail and please let me know if you need any additional information. Thank you in advance to all that will help me. I am learning, and I am sure this is NOT an issue with the shorewall product but with my configuration. Please also remember who you are addressing (dope newbie/wannabie) so please if you could. :) Ken [EMAIL PROTECTED] Issue: ===-==-= = My shorewall has been compromised. I need to find out how they are compromising this machine repeatedly and what I need to do to stop it! The hackers have already used the shorewall box to spam others on the internet and god knows what else. I have a CISCO PIX 515 behind the shorewall firewall with eth0 set to 192.168.1.99. As far as I can tell it has not been compromised and I have not noticed any strange events internally on my home network (yet). (I am told the PIX cannot be configured for dhcp so I am using shorewall for this; unfortunately in my area I have a choice between Comcast and dialup). The version of uClibc I am using may need some patches but I am not sure about this as I downloaded this image and set it up less than a month ago, please let me know if there are any critical updates that I need to apply. I have read the installation/user guides and have read hundreds of man pages and I can only hope I did everything right. This clip is from my shorewall.log:0: Note the date on the first entry and the source IP. The problem is that the SRC is my IP and I do not have an IP 192.43.244.18 on my network. I have added 123.1.1.1 to my blacklist. Since this IP has been added to my blacklist it still shows up in my log and looks something like the log from DEC 20 below with Shorewall:blacklst:DROP:IN=eth0 OUT=eth1 SRC=123.1.1.1 DST=192.168.1.99. This is bad because this IP is eth0 to my CISCO PIX 515. Jan 1 00:00:00 firewall Shorewall:all2all:REJECT: IN= OUT=eth0 MAC= SRC=12.213.227.185 DST=192.43.244.18 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=4083 DPT=37 SEQ=3441321937 ACK=0 WINDOW=5840 SYN URGP=0 Dec 21 10:19:38 firewall Shorewall:logdrop:DROP: IN=eth0 OUT= MAC=00:a0:c9:68:18:28:00:01:5c:22:5d:42:08:00 SRC=123.1.1.1 DST=12.213.227.185 LEN=783 TOS=00 PREC=0x00 TTL=112 ID=28872 PROTO=UDP SPT=14833 DPT=1026 LEN=763 Dec 21 15:13:10 firewall Shorewall:net2all:DROP: IN=eth0 OUT= MAC=00:a0:c9:68:18:28:00:01:5c:22:5d:42:08:00 SRC=205.240.153.242 DST=12.213.227.185 LEN=60 TOS=00 PREC=0x00 TTL=49 ID=13109 DF PROTO=TCP SPT=1787 DPT=21 SEQ=3260295433 ACK=0 WINDOW=5840 SYN URGP=0 Also SRC IP 66.218.70.35 has seemingly exploited the uClibc firewall. The IP 192.168.1.99 is eth0 for my CISCO PIX 515. You can see shorewall start and then 66.218.70.35 (v4.vc.scd.yahoo.com [66.218.70.35]) is out eth1, looks bad to me. The hacker is using several boxes from yahoo IP's: v3.vc.scd.yahoo.com [66.218.70.45], v1.vc.scd.yahoo.com [66.218.70.32], v13.vc.scd.yahoo.com [66.218.70.34] Dec 20 14:59:16 firewall dhcpcd.exe: interface eth0 has been configured with new IP=12.213.227.185 Dec 20 14:59:23 firewall root: Shorewall Started Dec 20 15:41:06 firewall kernel: Shorewall:blacklst:DROP:IN=eth0 OUT=eth1 SRC=66.218.70.35 DST=192.168.1.99 LEN=44 TOS=0x00 PREC=0x00 TTL=51 ID=2091 DF PROTO=TCP SPT=5001 DPT=10468 WINDOW=65535 RES=0x00 ACK SYN URGP=0 Configuration: ===-==-= = The Shoewall box has two Intel Pro 100 NIC's. Eth0 to internet with dhcp, routefilter, blacklist, rfc1918 and dropunclean set to yes. I had set blacklist logging to 6 (informational) and then changed it to 4 (ergent) just to see if this would show different events in the log. Eth0 pulls dhcp IP 12.213.227.185 from Comcast. Eth1 is configured with default address 192.168.1.254. Incoming ICMP on port 8 set to DROP packets. Ident Port 113 set to DROP packets. Modules Loaded: ===-==-= = Modules: softdog 1476 1 ip_nat_irc 2176 0 (unused) ip_nat_ftp 2784 0 (unused) ip_conntrack_irc2880 1 ip_conntrack_ftp3648 1 eepro100
RE: [leaf-user] weblet extension version 2
Hi Tony, I tried this code as well and I think that you have to substitute /var/log/shorewall.log for /var/log/messages in the code that Eric provided. It didn't work for me until I made this change. Perhaps an older version of Bering or Dach used the messages file to log packets, hence the confusion. Please correct me if I'm wrong, Eric. Thanks, Ken -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Sent: Saturday, May 31, 2003 3:33 PM To: eric wolzak; Leaf-User Cc: [EMAIL PROTECTED] Subject: RE: [leaf-user] weblet extension version 2 HI Eric and Jeff, Thanks Eric for the code, this is half of what I was looking for, Jeff gave the other half. If you use the proverb: Give a man a fish, he eats today Teach a man to fish, he eats forever you both gave me one of those lines and I appreciate it. But, I do have some questions about the code, I can get the portsort section to work (from a previous e-mail, but the ipsort section is giving me the headers, but no data under it. I have some observations, but should I move this discussion to the devel list? I don't want to clog up this list with any more messages than necessary. Please advise, and I can pick up with my observations. Thanks, Tony -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of eric wolzak Sent: Saturday, May 31, 2003 12:26 PM To: Tony; Leaf-User Subject: Re: [leaf-user] weblet extension version 2 Hello Tony Another variant is to change in the file viewhits the option ipsort to - ipsort) HEAD='trtd width=50 Hits /tdtdIP-Adress/tdtdnbsp;/td/tr' AUS=`grep DPT=$content /var/log/messages |\ sed 's/.*SRC=\(.* \)DST.*$/a href=viewhits?x_\1\1\/a\/tdtd\/td\/tr/'| sort -n | uniq -c |sort -rn|\ sed 's/^/trtd/ s/a/\/tdtda/` ;; --- this is a little bit slower but let you click on each ip address that tried to connect to the certain port and shows the messages that it caused, including those to another port Regards Eric Wolzak member of the bering crew --- This SF.net email is sponsored by: eBay Get office equipment for less on eBay! http://adfarm.mediaplex.com/ad/ck/711-11697- 6916-5 -- -- leaf-user mailing list: [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/l eaf-user SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html --- This SF.net email is sponsored by: eBay Get office equipment for less on eBay! http://adfarm.mediaplex.com/ad/ck/711-11697-6916-5 leaf-user mailing list: [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
RE: [leaf-user] weblet extension version 2
No problem.
This actually got me playing around with this and I added one other thing
that I've wanted for a while: a link to whois for each IP address that gets
logged. I changed the following section:
hitssort)
HEAD='trtd
width=20%Hits/tdtdIP-Address/tdtdWhois/tdtdDate/t
AUS=`grep Shorewall: /var/log/shorewall.log |\
sed 's/\(.\{6\}\)\(.*SRC=\)\(.*\)\( DST=.*\)/\\/td\\td\\a
href=\viewhits?x_\3\\\3\\/a\\/td\\
\td\\a
href=\http:\/\/ws.arin.net\/cgi-bin\/whois.pl\?queryinput=\3\\Whois-\3\\
/a\\/td\\td\\
\1\\/td\\\/tr\'|\
sort |uniq -c | sort -rn |sed 's/^/\tr\\td\/'`
titel=Hits sorted by frequency and by ip address
;;
That's a lot of escapes. :)
Ken
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
eric wolzak
Sent: Monday, June 02, 2003 10:11 AM
To: Ken Marshall; 'Tony'; 'Leaf-User'
Cc: [EMAIL PROTECTED]
Subject: Re: [leaf-user] weblet extension version 2
Hi Ken.
I tried this code as well and I think that you have to
substitute /var/log/shorewall.log for /var/log/messages in
the code that Eric provided. It didn't work for me until I
made this change. Perhaps an older version of Bering or Dach
used the messages file to log packets, hence the confusion.
Please correct me if I'm wrong, Eric.
Thanks,
Ken
You are of course right , the log file should be the one the
messages for shorewall are directed to. Bering 1.0 stable did
the logging still in the /var/log/messages file ( this was
the version I used to debug the script.) I should make things
more modular again ;)
Thanks for your feedback.
---
This SF.net email is sponsored by: eBay
Get office equipment for less on eBay!
http://adfarm.mediaplex.com/ad/ck/711-11697-6916-5
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
RE: [leaf-user] Bering Ipsec and Shorewall rules
Hi Simon, I recently got my IPSec tunnel up and running using Bering 1.1. I had a few problems as well, but they were due to my not COMPLETELY following the instructions that Tom wrote. I made a couple of assumptions about the ipsec.conf file and my tunnel didn't work until I went back and read the docs again. I did not have to create any additional rule sets in Shorewall. The documents at http://shorewall.net/IPSEC.htm and http://jixen.tripod.com were extremely helpful and got the whole thing up and running once I followed the instructions to the letter. :-) My set up is a LAN-to-LAN tunnel using RSA keys. HTH -- Ken -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Simon Chalk Sent: Thursday, April 03, 2003 6:08 AM To: [EMAIL PROTECTED] Subject: [leaf-user] Bering Ipsec and Shorewall rules Please can someone confirm whether the Shorewall Tunnels file internally manages the UDP Port 500 and Protocols 50 and 51? Or do I need to create rules? I have created the tunnel files as per documentation on the Bering site and Shorewall. But I am currently unable to get ipsec working between two firewalls. I am assuming at this point that something is blocking the path. Regards, Simon. --- This SF.net email is sponsored by: ValueWeb: Dedicated Hosting for just $79/mo with 500 GB of bandwidth! No other company gives more support or power for your dedicated server http://click.atdmt.com/AFF/go/sdnxxaff00300020 aff/direct/01/ -- -- leaf-user mailing list: [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/l eaf-user SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html --- This SF.net email is sponsored by: ValueWeb: Dedicated Hosting for just $79/mo with 500 GB of bandwidth! No other company gives more support or power for your dedicated server http://click.atdmt.com/AFF/go/sdnxxaff00300020aff/direct/01/ leaf-user mailing list: [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
RE: [leaf-user] Eject Bering CD and console output
umount /dev/cdmnt I'm not sure why, but Bering automatically mounts the CD and leaves it mounted. Once you umount it you can eject it. Ken -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of M Lu Sent: Tuesday, March 25, 2003 2:25 PM To: [EMAIL PROTECTED] Subject: [leaf-user] Eject Bering CD and console output On the weekend I wanted to make a copy of my Bering CD for a friend but I cannot eject it by pusing the button on the CD drive. I am sure I do not it mounted at all. I used to be able to do that with Daschtein. Does anyone know why? Also while booting the router with Bering floppy, I would like to show him the output on console but cannot move back and forth with Shift-PageUp and Shift-PageDown like in Daschtein. Is it because of Bering or because of my keyboard? Thank you. M.Lu --- This SF.net email is sponsored by: The Definitive IT and Networking Event. Be There! NetWorld+Interop Las Vegas 2003 -- Register today! http://ads.sourceforge.net/cgi-bin/redirect.pl?keyn0001en -- -- leaf-user mailing list: [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/l eaf-user SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html --- This SF.net email is sponsored by: The Definitive IT and Networking Event. Be There! NetWorld+Interop Las Vegas 2003 -- Register today! http://ads.sourceforge.net/cgi-bin/redirect.pl?keyn0001en leaf-user mailing list: [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
[leaf-user] Adding Extra Static IP's on External Interface
Hello! Thanks to the help provided by Ray Olszewski it has become obvious that my secondary IP addresses on my external interface are not working properly. I have a static IP of 206.127.76.231/27 for my primary IP on my Dachstein box. I have also been assigned the block of 206.127.77.48/28 (14 useable IP's). They are being routed correctly by my ISP, but my Dach box does not reply to ping requests on that range of IP's. Here is the setup: # ip addr show 1: lo: LOOPBACK,UP mtu 3924 qdisc noqueue link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 brd 127.255.255.255 scope global lo 2: ipsec0: NOARP,UP mtu 16260 qdisc pfifo_fast qlen 10 link/ipip inet 206.127.76.231/27 brd 206.127.76.255 scope global ipsec0 3: ipsec1: NOARP mtu 0 qdisc noop qlen 10 link/ipip 4: ipsec2: NOARP mtu 0 qdisc noop qlen 10 link/ipip 5: ipsec3: NOARP mtu 0 qdisc noop qlen 10 link/ipip 6: brg0: BROADCAST,MULTICAST mtu 1500 qdisc noop link/ether fe:fd:0f:00:38:68 brd ff:ff:ff:ff:ff:ff 7: eth0: BROADCAST,MULTICAST,UP mtu 1500 qdisc pfifo_fast qlen 100 link/ether 00:01:02:26:05:1a brd ff:ff:ff:ff:ff:ff inet 206.127.76.231/27 brd 206.127.76.255 scope global eth0 inet 206.127.77.48/28 scope global eth0 8: eth1: BROADCAST,MULTICAST,UP mtu 1500 qdisc pfifo_fast qlen 100 link/ether 00:01:02:26:05:37 brd ff:ff:ff:ff:ff:ff inet 192.168.10.1/24 brd 192.168.10.255 scope global eth1 # netstat -nr Kernel IP routing table Destination Gateway Genmask Flags MSS Window irtt Iface 206.127.77.48 0.0.0.0 255.255.255.240 U 0 0 0 eth0 206.127.76.224 0.0.0.0 255.255.255.224 U 0 0 0 ipsec0 206.127.76.224 0.0.0.0 255.255.255.224 U 0 0 0 eth0 192.168.10.00.0.0.0 255.255.255.0 U 0 0 0 eth1 0.0.0.0 206.127.76.225 0.0.0.0 UG0 0 0 eth0 In the network.conf, I setup the additional range using: eth0_IPADDR=206.127.76.231 eth0_MASKLEN=27 eth0_BROADCAST=+ # Use this to set the default route if required - ONLY one to be set. # routed or gated could be used to set this so only use if not running these. eth0_DEFAULT_GW=206.127.76.225 # Secondary IP addresses/networks on same wire - add them here eth0_IP_EXTRA_ADDRS=206.127.77.48/28 The only thing that I can think of is that I haven't specified a broadcast address for the secondary network. Is there any way I can add that in the scripts? If not, could someone give me any help in getting it set up manually? Thanks for any help, Ken --- This SF.net email is sponsored by:Crypto Challenge is now open! Get cracking and register here for some mind boggling fun and the chance of winning an Apple iPod: http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0031en leaf-user mailing list: [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
RE: [leaf-user] Adding Extra Static IP's on External Interface
The reason I am trying to configure these additional IP's is so that our clients can connect to our internal workstations using pcAnywhere. I've got 6 people here who use pcAnywhere to support clients. We need to take control of the client workstations, so we configure our PCA Remote to Wait for a Connection. Then we have the client right-click on their PCA host and select Call Remote. This brings up a dialog asking for the IP of the remote to which they want to connect. I would like the client to be able to type in 206.127.77.50 which would then get port forwarded in to my machine (192.168.10.50). The only traffic I want to let through on those additional IP's is PCA traffic (TCP 5631 and UDP 5632). I don't think this qualifies as a DMZ setup because the machines I want to access are the same machines as my internal network. However, if it would work, I wouldn't mind putting another NIC in the Dach box and just connect it to my main switch. Do you think this is the best approach, or is there another solution? Thanks very much for your help Charles. Ken -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charles Steinkuehler Sent: Thursday, March 13, 2003 9:36 AM To: Ken Marshall Cc: [EMAIL PROTECTED] Subject: Re: [leaf-user] Adding Extra Static IP's on External Interface Ken Marshall wrote: Hello! Thanks to the help provided by Ray Olszewski it has become obvious that my secondary IP addresses on my external interface are not working properly. I have a static IP of 206.127.76.231/27 for my primary IP on my Dachstein box. I have also been assigned the block of 206.127.77.48/28 (14 useable IP's). They are being routed correctly by my ISP, but my Dach box does not reply to ping requests on that range of IP's. massive snippage The only thing that I can think of is that I haven't specified a broadcast address for the secondary network. Is there any way I can add that in the scripts? If not, could someone give me any help in getting it set up manually? First, let's back up a bit and try to clarify exactly what you're trying to setup. It sounds like you have a traditional setup with a block of IP's being routed to you by your ISP. With this sort of setup you would normally set up your firewall as a router, or choose a routed DMZ, rather than trying to add multiple IP's to your external interface, ie: ISP | -- 206.127.76.231 Ext. interface Dachstein Firewall/router Int. interface DMZ interface 192.168.0.254206.127.77.49 -- - || 192.168.0.0/24 206.127.77.48/28 NOTE: I arbitrarily picked 206.127.77.49 as the IP of the firewall on your DMZ network...you can assign IP's however you want. I suggest sticking with the above network architecture (or something similar) unless you have a good reason or requirement to do something different. If you need help getting this going, re-post to the list with whatever you don't understand about configuring a DMZ. Back to your origional question: If you want to add a broadcast address to extra IP ranges, you'll need to modify the if_up procedure, or do it manually (handy for testing). Look for the interface case statement in the if_up () procedure in /etc/network.conf, and modify it as follows: *) # default interface startup brg_iface $1 up $BRIDGE [ -n $IPADDR ] \ ip addr add $IPADDR/$MASKLEN $IFCFG_BROADCAST dev $1 for ADDR in $IP_EXTRA_ADDRS; do ip addr add $ADDR $IFCFG_BROADCAST dev $1 done The part you need to change is the line in the for ADDR in ... loop. Adding the $IFCFG_BROADCAST will use the broadcast specification from the main interface configuration variables. This will break if you have different networks and specify the exact broadcast address, but will work as expected if you use the shorthand + for the broadcast address. -- Charles Steinkuehler [EMAIL PROTECTED] --- This SF.net email is sponsored by:Crypto Challenge is now open! Get cracking and register here for some mind boggling fun and the chance of winning an Apple iPod: http://ads.sourceforge.net/cgi- bin/redirect.pl?thaw0031en -- -- leaf-user mailing list: [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/l eaf-user SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html --- This SF.net email is sponsored by:Crypto Challenge is now open! Get cracking and register here for some mind boggling fun and the chance of winning an Apple iPod: http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0031en
RE: [leaf-user] Adding Extra Static IP's on External Interface
Thanks to everyone who offered help on this. I decided to go ahead and try the Bering distribution and I got it to work after about 30 minutes of reading and configuring! Wow! I was pretty pleased with that. If anybody is interested in how the config stuff looks, send me an email and I'll mail back the config files. Thanks, Ken -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lynn Avants Sent: Thursday, March 13, 2003 2:12 PM To: [EMAIL PROTECTED] Subject: Re: [leaf-user] Adding Extra Static IP's on External Interface On Thursday 13 March 2003 11:45 am, Charles Steinkuehler wrote: OK, so you want port-forwarding on the router, rather than any sort of DMZ setup. You can probably get this to work, but the configuration details may require some experimentation. I know Dachstein can run with multiple networks on the same interface, as I have done that several times. I don't think you actually have two networks on your upstream link, but instead have one network with a block of IP's routed to you. This has the potential to confuse the equipment upstream if you assign the extra IP's directly to the external interface. Thanks Charles, I wasn't aware this was possible on different subnets because of the resulting netmask used w/o hardcoding everything and bypassing parts of the scripts. My concern is that the 206.127.76.231/27 and the block of 206.127.77.48/28 are not at all within the mask range of his ISP. If you change the outgoing netmask to accept both blocks, then your also accepting a ton of addresses that aren't yours. The normal way to do this would be to assign public IP's to the desired desktop systems, but this is not necessarily ideal from either a network topology (I'm assuming you have additional machines you do *NOT* which to connect to, and limited IP space), or a security standpoint. If you can get the external interface to respond to the ip's, then you could simply 1-to-1 proxy-arp or static-NAT them to the machines inside and filter out everything but the desired protocol(s). Using static-NAT would also allow the machines to participate as normal LAN machines as well. -- ~Lynn Avants Linux Embedded Appliance Firewall Developer http://leaf.sourceforge.net http://www.guitarlynn.homelinux.org:81 --- This SF.net email is sponsored by:Crypto Challenge is now open! Get cracking and register here for some mind boggling fun and the chance of winning an Apple iPod: http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0031en leaf-user mailing list: [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html --- This SF.net email is sponsored by:Crypto Challenge is now open! Get cracking and register here for some mind boggling fun and the chance of winning an Apple iPod: http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0031en leaf-user mailing list: [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
[leaf-user] Port Forwarding and pcAnywhere
the primary IP, I have to use the alternate variables. Thanks very much for any help offered. Ken --- This SF.net email is sponsored by:Crypto Challenge is now open! Get cracking and register here for some mind boggling fun and the chance of winning an Apple iPod: http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0031en leaf-user mailing list: [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
RE: [leaf-user] Port Forwarding and pcAnywhere
Sorry, I actually did read the SR FAQ... But that was in addition to about 10,000 other documents and my mind is not what it used to be. Anyway here is the info. As you can see on the extra addresses I have both 206.127.77.48/28 as well as each IP individually. I did that because I wasn't sure how to make sure that I got the network and broadcast addresses entered properly. # ip addr show 1: lo: LOOPBACK,UP mtu 3924 qdisc noqueue link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 brd 127.255.255.255 scope global lo 2: ipsec0: NOARP,UP mtu 16260 qdisc pfifo_fast qlen 10 link/ether 00:01:02:26:05:1a brd ff:ff:ff:ff:ff:ff inet 206.127.76.231/27 brd 206.127.76.255 scope global ipsec0 3: ipsec1: NOARP mtu 0 qdisc noop qlen 10 link/ipip 4: ipsec2: NOARP mtu 0 qdisc noop qlen 10 link/ipip 5: ipsec3: NOARP mtu 0 qdisc noop qlen 10 link/ipip 6: brg0: BROADCAST,MULTICAST mtu 1500 qdisc noop link/ether fe:fd:0f:00:38:68 brd ff:ff:ff:ff:ff:ff 7: eth0: BROADCAST,MULTICAST,UP mtu 1500 qdisc pfifo_fast qlen 100 link/ether 00:01:02:26:05:1a brd ff:ff:ff:ff:ff:ff inet 206.127.76.231/27 brd 206.127.76.255 scope global eth0 inet 206.127.77.48/28 scope global eth0 inet 206.127.77.50/32 scope global eth0 inet 206.127.77.51/32 scope global eth0 inet 206.127.77.52/32 scope global eth0 inet 206.127.77.53/32 scope global eth0 inet 206.127.77.54/32 scope global eth0 inet 206.127.77.55/32 scope global eth0 inet 206.127.77.56/32 scope global eth0 inet 206.127.77.57/32 scope global eth0 inet 206.127.77.58/32 scope global eth0 inet 206.127.77.59/32 scope global eth0 inet 206.127.77.60/32 scope global eth0 inet 206.127.77.61/32 scope global eth0 inet 206.127.77.62/32 scope global eth0 inet 206.127.77.49/32 scope global eth0 8: eth1: BROADCAST,MULTICAST,UP mtu 1500 qdisc pfifo_fast qlen 100 link/ether 00:01:02:26:05:37 brd ff:ff:ff:ff:ff:ff inet 192.168.10.1/24 brd 192.168.10.255 scope global eth1 # netstat -nr Kernel IP routing table Destination Gateway Genmask Flags MSS Window irtt Iface 206.127.77.48 0.0.0.0 255.255.255.240 U 0 0 0 eth0 206.127.76.224 0.0.0.0 255.255.255.224 U 0 0 0 eth0 206.127.76.224 0.0.0.0 255.255.255.224 U 0 0 0 ipsec0 192.168.10.00.0.0.0 255.255.255.0 U 0 0 0 eth1 0.0.0.0 206.127.76.225 0.0.0.0 UG0 0 0 eth0 Thanks, Ken -Original Message- From: Ray Olszewski [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 12, 2003 4:50 PM To: Ken Marshall; [EMAIL PROTECTED] Subject: RE: [leaf-user] Port Forwarding and pcAnywhere You didn't read the SR FAQ, did you? Please report the output of: ip addr show netstat -nr These will tell us what interfaces and routes are *actually* being set up on your Dach router, not what you are *trying* to set up (in the end, that is all that the config files tell us). If the extra-address interfaces do not show up, or there is a problem with routing back to them ... well, then we can try to help you figure out where you went wrong. But it's quickest to check the actual settings before starting out on a possible snipe hunt for config-file errors. One blue-sky thought ... I've never tried to set up one of these multi-address external interfaces where the extra addresses are on a different network than the primary address (and the default gateway). I wonder if packets going back out those interfaces can find the default gateway? (Charles, are you around??? How does that part work on Dach?) At 04:37 PM 3/12/2003 -0700, Ken Marshall wrote: Thank you for your reply Ray. You are correct in your assumptions. I have not tried to route the pcAnywhere stuff from my primary IP. That is a test that forgot about. :-) I also was stupid in thinking that if I tried to ping one of my secondary addresses from an internal computer that I would get a valid result. Obviously, that's not the case. I am taking your advice and going to look at the routing stuff to see why packets are not getting to my firewall. I think you're right about this not being a port forward issue. I saw the DNS stuff late yesterday afternoon and called my ISP about it. I know who owns the msdcomputers.com domain, so I called them too. My ISP said that the problem is that they have not updated their reverse lookup stuff, but would get it fixed soon. I don't think that is causing the problem though, because the packets get routed correctly when I've got my Windows Server 2003 box running. I've set up the following information about my external interface: eth0_IPADDR=206.127.76.231 eth0_MASKLEN=27 eth0_BROADCAST=+ # Use this to set the default route if required - ONLY one to be set. # routed or gated
RE: [leaf-user] Port Forwarding and pcAnywhere
Thank you for your reply Ray. You are correct in your assumptions. I have not tried to route the pcAnywhere stuff from my primary IP. That is a test that forgot about. :-) I also was stupid in thinking that if I tried to ping one of my secondary addresses from an internal computer that I would get a valid result. Obviously, that's not the case. I am taking your advice and going to look at the routing stuff to see why packets are not getting to my firewall. I think you're right about this not being a port forward issue. I saw the DNS stuff late yesterday afternoon and called my ISP about it. I know who owns the msdcomputers.com domain, so I called them too. My ISP said that the problem is that they have not updated their reverse lookup stuff, but would get it fixed soon. I don't think that is causing the problem though, because the packets get routed correctly when I've got my Windows Server 2003 box running. I've set up the following information about my external interface: eth0_IPADDR=206.127.76.231 eth0_MASKLEN=27 eth0_BROADCAST=+ # Use this to set the default route if required - ONLY one to be set. # routed or gated could be used to set this so only use if not running these. eth0_DEFAULT_GW=206.127.76.225 # Secondary IP addresses/networks on same wire - add them here eth0_IP_EXTRA_ADDRS=206.127.77.48/28 206.127.77.50 206.127.77.51 206.127.77.52 \ 206.127.77.53 206.127.77.54 206.127.77.55 206.127.77.56 206.127.77.57 \ 206.127.77.58 206.127.77.59 206.127.77.60 206.127.77.61 206.127.77.62 \ 206.127.77.49 # Additional routes for this interface, if any # Space seperated list: PREFIX[_more ip route options] #eth0_ROUTES=1.1.1.13 2.2.2.0/24_via_1.1.1.18 # IP spoofing protection on this interface - YES/NO eth0_IP_SPOOF=YES Is there more that I have to do for routing in Dach? Do I have to configure eth0_ROUTES to make this work properly? If so, could you please tell me what I should enter here? Thanks a lot for your help, Ray. I appreciate it. Ken -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ray Olszewski Sent: Wednesday, March 12, 2003 3:54 PM To: Ken Marshall; [EMAIL PROTECTED] Subject: Re: [leaf-user] Port Forwarding and pcAnywhere Ken -- Thanks for a good, clear posting of the details. Based on it, I have a couple of comments. First, it does not appear that you have tested pcAnywhere with your primary IP address (206.127.76.231). This assumes some significance when I note ... Second, I *can* ping your primary IP address ... but I cannot ping or traceroute to several of your alternate IP addresses (all the ones I tried). Here is example output for 206.127.77.53: [EMAIL PROTECTED]:~$ ping 206.127.77.53 PING 206.127.77.53 (206.127.77.53): 56 data bytes --- 206.127.77.53 ping statistics --- 5 packets transmitted, 0 packets received, 100% packet loss [EMAIL PROTECTED]:~$ traceroute 206.127.77.53 traceroute to 206.127.77.53 (206.127.77.53), 30 hops max, 38 byte packets 1 maxwell.comarre.lan (192.168.1.86) 2.003 ms 0.305 ms 0.285 ms 2 adsl-63-198-182-254.dsl.snfc21.pacbell.net (63.198.182.254) 13.246 ms 15.221 ms 19.922 ms 3 dist1-vlan60.snfc21.pbi.net (216.102.187.130) 20.473 ms 17.212 ms 16.250 ms 4 bb2-g8-1.snfc21.pbi.net (216.102.176.194) 16.526 ms 16.767 ms 16.486 ms 5 sl-gw11-sj-3-0.sprintlink.net (144.228.44.49) 18.256 ms 17.382 ms 23.385 ms 6 sl-bb20-sj-8-1.sprintlink.net (144.232.3.137) 16.782 ms 15.860 ms 16.231 ms 7 sl-bb20-tac-11-1.sprintlink.net (144.232.9.214) 34.775 ms 36.766 ms 36.675 ms 8 sl-bb20-sea-8-1.sprintlink.net (144.232.18.42) 109.899 ms 183.186 ms 218.496 ms 9 sl-gw13-sea-0-0-0.sprintlink.net (144.232.6.2) 36.727 ms 34.954 ms 36.678 ms 10 sl-mt-6-0.sprintlink.net (160.81.44.6) 52.743 ms sl-mt-5-0.sprintlink.net (160.81.44.10) 66.063 ms sl-mt-6-0.sprintlink.net (160.81.44.6) 50.737 ms 11 * * * (A traceroute to your primary address matches this one, except that it arrives at step 11.) I know you previously said you could ping these other addresses ... but I don't think you were specific as to where you tested this *from*. Can the host that is trying to make the pcAnywhere connection to one of these addresses ping and traceroute to it? In any case, before focusing too tightly on port-forwarding problems, I would make sure you haver routing working (look at the stuff in the SR FAQ that you didn't do for ways to check on the LEAF router's interfaces and routing table). Beyond that, another oddity ... if I do reverse lookups of two of the addresses, I find that the primary is associated with your domain, but one of the others is associated with a different domain: [EMAIL PROTECTED]:~$ host 206.127.77.55 Name: train4.msdcomputers.com Address: 206.127.77.55 [EMAIL PROTECTED]:~$ host 206.127.76.231
[leaf-user] LCD display
hi, this LCD display that you can wire up, it says winamp LCD at the bottom of charles' diagram, and in some descriptions i have seen. my question is this, when pluged into a windows box and when winamp is running what is it supposed to say or do? thanks antken --- This sf.net email is sponsored by: OSDN - Tired of that same old cell phone? Get a new here for FREE! https://www.inphonic.com/r.asp?r=sourceforge1refcode1=vs3390 leaf-user mailing list: [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
[leaf-user] help with boot loader recompilation
hello, i am currently playing with the syslinux bootloader code stuff ( the one by peter anvin ) and i was wondering how do i recompile it? thanks antken --- Sponsored by: ThinkGeek at http://www.ThinkGeek.com/ leaf-user mailing list: [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
[leaf-user] a more clean startup?
hi, i am currently building myself a new router, it consists of a small main board ( very lucy find ) with two ISA slots on it two ne2000 network cards and a nice new compact flash hard disk type thing. to make it look all nice and neat i would like to suppress most of the boot messages for example dhclient spews out a load of text that i would like to suppress how would i go about suppressing the less useful information and only displaying the more useful information like the ipaddress dhclient has obtained ? or if possible move the startup messages to another tty i dont mind message like starting syslog i just want to tidy it up a bit any one have any ideas?? thanks antken --- Sponsored by: ThinkGeek at http://www.ThinkGeek.com/ leaf-user mailing list: [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
[leaf-user] power down the hard disk after use
hi, for speed on one of my test routers i boot from a hard drive when it is finnished booting i would like to power it down so the box makes less noise and uses less power ( this is an absolute must in todays energy conscious society :-) ) could i put something in one of the init files so when it has read everything from harddisk it can just switch it off? does any one have any ideas? thanks antken ___ Don't miss the 2002 Sprint PCS Application Developer's Conference August 25-28 in Las Vegas -- http://devcon.sprintpcs.com/adp/index.cfm leaf-user mailing list: [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
[leaf-user] getting make and gcc on lrp
hi, how would i go about getting make and gcc and any other development tools on to lrp? is there a package avalible? antken email: [EMAIL PROTECTED] ___ Don't miss the 2002 Sprint PCS Application Developer's Conference August 25-28 in Las Vegas -- http://devcon.sprintpcs.com/adp/index.cfm leaf-user mailing list: [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
[leaf-user] RE: Forgotten my password for DS (floppy)
hello i have had trouble like this before what i did was this get your boot floppy, or if your running from a hard disk, a copy of syslinux.cfg edit it and change the time out value to something like 5 the default is: timeout 0 this seemed to work on mine caution dont edit the file in windows notepad, it messes it all up :-( good luck, and i hope you get your router back!!! antken ___ Hundreds of nodes, one monster rendering program. Now that's a super model! Visit http://clustering.foundries.sf.net/ leaf-user mailing list: [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
[leaf-user] Recommendations for 10/100 NICs?
OK, I want to upgrade my NICs, not only in my Dachstein box (thanks again Charles!), but also in a couple of servers (Compaq Proliant 1500s), for a total of 5 PCI 100 or 10/100 NICs. I don't want to spend more than I have to, but I'd like good quality cards. Searching the archives, I found recommendations for the following, with prices from Tom's Hardware/PriceGrabber * 3Com 3c905 $26.50 (3c905BTX) * Intel EtherExpress Pro 100$18.90 (PILA8460) * Netgear FA-310TX specifically $12.00 (but not other Netgear NICS) I currently have a couple of boxes using SMC 1255TX's, they seem to work OK, and can be had for $15.63. But I didn't find them mentioned much in the archive. So the question is, what is the most bang for the buck? Or are there other models I should consider as well? What else should I consider in making this selection? They all appear to be supported for LEAF/LRP. Thanks in advance... Ken = J. Kenneth Gentle (Ken)| Phone: (610) 255-0361 Gentle Software, LLC | Email: [EMAIL PROTECTED] = ___ Have big pipes? SourceForge.net is looking for download mirrors. We supply the hardware. You get the recognition. Email Us: [EMAIL PROTECTED] leaf-user mailing list: [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
Re: [leaf-user] OT: Stupid shell question
IIRC, you must have at least 'x' (execute, or 1) access to every directory in the path to access a specific file. To get a list of files in a directory, you must have 'x' access to all directories in the path, and 'r' (read, or 4) access to the directory you wish to list. I may have the octal wrong -- I use the symbols most often -- 4: read, 2: write, 1: execute? Ken At 02:16 AM 4/30/2002, [EMAIL PROTECTED] wrote: Aanhalen Peter Nosko [EMAIL PROTECTED]: Although I am not a real expert on the matter I think it has always been this way. I seem to remember something that the calculate access the entire path is being checked, and if you don't have access somewhere along the way that access is blocked. Kim pn] I'm trying to CD to a directory that has 755 permissions, and as world I'm denied permission. I see that the dir two levels above has 770. Changing it to 775 fixes it. Has it always been this way (...having a brain fart)? --- Peter Nosko leaf-user mailing list: [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html - This mail sent through Tiscali Webmail (http://webmail.tiscali.be) leaf-user mailing list: [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html = J. Kenneth Gentle (Ken)| Phone: (610) 255-0361 Gentle Software, LLC | Email: [EMAIL PROTECTED] = leaf-user mailing list: [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
[Leaf-user] mail server?
hello all, are there any mail server packages avalible for the lrp system? if you need it, i am running the Dachstein image. while i am on the subject of packages does the Dachstein image have a samba package avalible? i have noticed this issue on the recent lists but have deleted them by mistake - ooops! thanks in advance to any one that replys antken ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
RESOLVED: [Leaf-user] Problem with DachsteinCD 'bootdisk.bin'
Thanks everyone - as Charles' suggested earlier, I downloaded syslinux, rewrote the boot sector and the box now boots - won't read the CD rom media, but that's tonight's problem... I thought I'd replied to the list when I responded to Charles post, but I must have missed 'reply-to-all'... Charles is *THE* man... Ken At 11:12 AM 04/04/2002 -0500, Simon Bolduc wrote: I've had problems with various versions of syslinux and certain drives previously. Sometimes when using 2 virtually identical computers (same mobo, floppy drive, cpu and ram) one will boot and the other won't. Generally I just grab a few different versions of syslinux and rewrite the boot sector until it works. You can get Syslinux here: http://www.kernel.org/pub/linux/utils/boot/syslinux/ Or you could try booting solely from the CDR - if your BIOS supports that kinda thing. Makes boot up a lot faster. S From: Ken Gentle [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: [Leaf-user] Problem with DachsteinCD 'bootdisk.bin' Date: Wed, 03 Apr 2002 19:43:40 -0500 Hello again. After successfully getting DachsteinCD running on a 486DX/16Mb, I thought I'd try my luck on a bigger box, a P100/128Mb. However, I'm running into a problem with the boot floppy. On the 486, both the Dachstien 1.0.2 floppy distribution and the bootdisk.bin on a floppy from the DachsteinCD work like a charm. On the P100, the floppy distribution boots and goes about loading linux, etc. However, when I try to boot from the DachsteinCD bootdisk.bin floppy, syslinux reports 'boot failed' and nothing else happens. The only obvious difference that I see is that the Dachstein floppy distribution is 'syslinux 1.62 2001-04-24' but the CD distribution is 'syslinux 1.52 2001-02-07' Two questions: 1) Is this version difference a likely cause for the boot failure? 2) Would duplicating the floppy distribution boot disk and re-populating it with the packages and stuff from the CD distribution boot disk work? If not, how would I go about creating boot disk compatible with DachsteinCD but with the newer syslinux? A pointer to RTFM would be just fine... Thanks! Ken == J. Kenneth Gentle (Ken) | Phone: (610) 255-0361 FAX:(610) 255-0418 Gentle Software, LLC | Email: [EMAIL PROTECTED] == ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user _ MSN Photos is the easiest way to share and print your photos: http://photos.msn.com/support/worldwide.aspx == J. Kenneth Gentle (Ken) | Phone: (610)255-0361 FAX:(610)255-0418 Gentle Software, LLC | Email: [EMAIL PROTECTED] == ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
[Leaf-user] Problem with DachsteinCD 'bootdisk.bin'
Hello again. After successfully getting DachsteinCD running on a 486DX/16Mb, I thought I'd try my luck on a bigger box, a P100/128Mb. However, I'm running into a problem with the boot floppy. On the 486, both the Dachstien 1.0.2 floppy distribution and the bootdisk.bin on a floppy from the DachsteinCD work like a charm. On the P100, the floppy distribution boots and goes about loading linux, etc. However, when I try to boot from the DachsteinCD bootdisk.bin floppy, syslinux reports 'boot failed' and nothing else happens. The only obvious difference that I see is that the Dachstein floppy distribution is 'syslinux 1.62 2001-04-24' but the CD distribution is 'syslinux 1.52 2001-02-07' Two questions: 1) Is this version difference a likely cause for the boot failure? 2) Would duplicating the floppy distribution boot disk and re-populating it with the packages and stuff from the CD distribution boot disk work? If not, how would I go about creating boot disk compatible with DachsteinCD but with the newer syslinux? A pointer to RTFM would be just fine... Thanks! Ken == J. Kenneth Gentle (Ken) | Phone: (610) 255-0361 FAX:(610) 255-0418 Gentle Software, LLC | Email: [EMAIL PROTECTED] == ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
Re: [Leaf-user] libz on Dach-CD
I certainly have to defer to Charles and Michael - but if you want an example, here's how I did it, based on Charles instructions in the Dachstein CD notes. Feedback or suggestions for improvement of my setup are welcome! I have an ancient 486DX with a mere 16Mb of ram for my firewall, boot off a floppy, then read the CDROM for modules. I added the floppy drive to the PKGPATH in syslinux.cfg on the boot floppy, and libz.lrp to lrpkg.cfg as well, with the search order R (reverse search of PKGPATH, stop on first match). Here's the content of the files: # mount -t msdos /dev/fd0u1680 /mnt mount: /dev/fd0u1680 is write-protected, mounting read-only firewall: -root- # cat /mnt/syslinux.cfg display syslinux.dpy timeout 0 default linux append=load_ramdisk=1 initrd=root.lrp initrd_archive=minix ramdisk_size=12288 root=/dev/ram0 boot=/dev/fd0u1680,msdos PKGPATH=/dev/cdrom:iso9660,/dev/fd0u1680:msdos LRP=etc,ramlog,local,modules,dhclient,dhcpd,dnscache,weblet firewall: -root- # cat /mnt/lrpkg.cfg etc,ramlog,local,modules,dhclient,dhcpd,dnscache,weblet,ifconfig,mawk,ipsec,sshd,libz:R,tcpdump On boot, only the libz.lrp from the floppy is loaded. Now, if I can just figure out what kind of memory to put in this ancient box, I'll get enough to load bash... Ken At 04:35 PM 03/21/2002 -0600, [EMAIL PROTECTED] wrote: Hi All, Am I correct in assuming that Dachstein-CD will use the libz.lrp from the floppy if I copy it there, rather than the one burned onto the CD? I am also assuming J. Nilo's updated libz is suitable for this use -- is that the case? Thanks, Dan -- Optimum Networks, Inc. Small Business IT Services Serving Minneapolis/St. Paul Metro ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user == J. Kenneth Gentle (Ken) | Phone: (610) 255-0361 FAX:(610) 255-0418 Gentle Software, LLC | Email: [EMAIL PROTECTED] == ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
[Leaf-user] FAQ Clarification? LRP won't route to private range IP
Hello all! Kudos to the LEAF and LRP team, esp. Mr. Steinkuehler - once I actually understood the installation instructions (having misread one section about a dozen times), Dachstein came up and just worked! I have a question regarding ipchain rules that are enabled by default. The FAQ (sourceforge LEAF, sec06) on 'LRP won't route to a private IP Range' states: As your external NIC address falls in the 192.168.x.x range, comment out that one line # $IPCH -A $LIST -j DENY -p all -s 192.168.0.0/16 -d 0/0 -l $* save and exit the file. If my understanding is correct, commenting this line allows traffic from *ALL* Class C private networks, which makes me a bit nervous - I mean, I have to assume that the reason the rule is there is because there is a known risk to allowing these networks access! From a brief look through the ipchains documentation, it appears that it might be possible to allow a particular host on a net in while denying all others. Is this the case? Why couldn't one allow HTTP access to 192.168.100.1 but deny access to all other 192.168.0.0 subnets and protocols? The 192.168.100.1 is the address of my cable modem, and is physically attached to eth0 - http access to that address allows me to view parameters and configuration of the modem. Thanks! Ken == J. Kenneth Gentle (Ken) | Phone: (610)255-0361 FAX:(610)255-0418 Gentle Software, LLC | Email: [EMAIL PROTECTED] == ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
Re: [Leaf-user] FAQ Clarification? LRP won't route to private range IP
Thanks for the response, Charles. I did not mean to imply that the list had let an obvious security hole get propagated - I know my own understanding is limited and probably flawed, and I probably phrased the post poorly. Just to confirm my understanding: In order to allow HTTP access to 192.168.100.1, I do need to comment the explicit DENY rule, but there should not be a need to add an explicit ACCEPT rule for 192.168.100.1 allowing HTTP traffic. After disabling the DENY rule, the cable modem becomes, for all intents and purposes, just another web site on the web. Right? Is there a way, or any reason, to DENY everything *but* 192.168.100.1? A pointer to TFM to RTFM would be a appreciated! Thanks again... Ken At 09:05 AM 03/13/2002 -0600, Charles Steinkuehler wrote: I have a question regarding ipchain rules that are enabled by default. The FAQ (sourceforge LEAF, sec06) on 'LRP won't route to a private IP Range' states: As your external NIC address falls in the 192.168.x.x range, comment out that one line # $IPCH -A $LIST -j DENY -p all -s 192.168.0.0/16 -d 0/0 -l $* save and exit the file. If my understanding is correct, commenting this line allows traffic from *ALL* Class C private networks, which makes me a bit nervous - I mean, I have to assume that the reason the rule is there is because there is a known risk to allowing these networks access! Commenting the line mentioned does *NOT* allow all 192.168.x.x IP's into your system...while everyone can make mistakes, such an obvious security hole would not last long with as many sharp eyes as there are on this list. Remember, packets still have to go through the rest of the rule-chain, and you're not allowing the packets when you comment the rule, you're just not blindly denying them anymore. What commenting the above line essentially does, is treat the commented private IP range as just another IP on the internet. With the rule commented, you're at no higher risk from a private IP than from any other random IP on the internet at large... Charles Steinkuehler http://lrp.steinkuehler.net http://c0wz.steinkuehler.net (lrp.c0wz.com mirror) ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user == J. Kenneth Gentle (Ken) | Phone: (610)255-0361 FAX:(610)255-0418 Gentle Software, LLC | Email: [EMAIL PROTECTED] == ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
[Leaf-user] floppy to hard disk?
hello all, are there any how-to's that help you to get leaf from a floppy to a hard disk? if so what are the urls? thanks you for your time antken ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
[Leaf-user] a message to NTL customers in the uk
hello, if you use the NTL broadband in the UK you will have problems setting you router up, heres what you have to do: when a new network card ( ie your new router ) is switched on for the first time your cable box gives you an ip address of something like 10.xxx.xxx.xxx, via DHCP Because of the ip filters setup on the box you will not be able to immediately browse the web, you have to either install a version of linux with X and netscape on or install M$ windows then try and access the web you will be presented with the ntl account administration page. enter your account PID and password, login and click the add button. type a name in for your router ( any thing does not matter ( letters, numbers, - and _ only )) when you have done this either restart your network interface's or restart windows when you have done all that then you can start configuring your router to do what ever you want! if any one has any queries email me and just ask antken ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
Re: [Leaf-user] a few questions
hi, thanks for your reply with regards to question 2, i know my network cards are configured correctly because the dhcp server on my cable box gives me an ip address but i cannot go any where. its probably because when you plug a computer in to the cable box for the first time it gives you an ip address of some thing like 10.10.10.10 ( thats not the ip address i get, i am just using it as an example ) and changes my dns servers to something like 10.10.10.87 and 10.10.10.84 . then if you try and browse to any where ( ie www.yahoo.com ) it takes you to the configuration page and you have to add in the mac address of the card to the ISP's configuration, when you have done this the web page asks you to re-request your ip address. any way my point is that when my cable box gives out the ip address ( and every thing changes, every time ) i want the dhcp client to reconfigure the DNS, gateway, IP address, network, and subnet is this possible at the moment? if so, how? and i dont think the ipchains thing is letting everything through by default, if i type the command ipchains -v -L it gives me screen full's of rules and 99.9% if them have the word deny in them. i dont know where i got that command from, i am just cluching at straws at the moment. again i thank you, or any one that reply's, in advance antken At 15:45 02/03/02 -0600, you wrote: comments inline :) On Saturday 02 March 2002 14:00, Ant Ken wrote: 1. My cable connection gives out IP address, DNS, and gateways via dhcp, is there a way to make the system automatically update its gateway and DNS settings? Yep, using the dhcp client. This is default for Dachstein. If you need to login, send a certain client-name/identifier such as a MAC address or computername, further configuration will be needed. You don't say this is needed, so I'm assuming it doesn't. 2. if i set up my cable connection with static settings i cannot ping anything outside ( on the web ) how can i disable/re-configure ipchains to allow all traffic in all directions? ( i know this can be dangerous, but this is only temporary ) Sounds to me as if you network card(s) aren't configured. Check out the FAQ: http://sourceforge.net/docman/display_doc.php?docid=1418group_id=13751 other FAQ's explain the configuration of LEAF in detail. These docs are quite complete. Charles S's site will have any modules you might need if they are not on the disk itself. 3. and finally, how would i go about setting up ipchains to allow trafic from inside to outside on certain ports and ip addresses? This is setup for you automagically in Dachstein. You shouldn't need to change anything for this to happen if your hardware is setup properly. The following FAQ explains any information to help you get some useful information to us if the relevent FAQ's don't get you going. http://sourceforge.net/docman/display_doc.php?docid=1891group_id=13751 i am using the latest version of the dachstein image I hope this helps, -- ~Lynn Avants aka Guitarlynn guitarlynn at users.sourceforge.net http://leaf.sourceforge.net If linux isn't the answer, you've probably got the wrong question! antken email: [EMAIL PROTECTED] ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
[Leaf-user] router?
hello all, i am trying to setup a router that will share my cable internet connection with the rest of my house please could some one tell me how to do this, i under stand the bit upto getting the image on floppy ( i am not even sure i have the right one ) and putting two network cards in the box etc etc but i dont under stand the config files and the last time i tryed it ( about a year ago with LRP ) i failed i could not get the machines on the inside of the network to ping stuff on the out side of the network. and the lrp box kept saying something about a martian ip address. i am getting to know linux quite well now, so you dont have to explain things at a begginers level, and if i dont know it i will pick it up along the way. please please can some one help thank you all for your time antken ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
SSH issues - was RE: [Leaf-user] OpenSSH Solved
Sorry the advisory that I remembered seeing was this one not the one listed below but both seem to have some relevance. http://www.cert.org/advisories/CA-2001-35.html Ken -Original Message- From: Jeff Newmiller [mailto:[EMAIL PROTECTED]]On Behalf Of Jeff Newmiller Sent: Sunday, December 16, 2001 1:19 AM To: Ken Cc: Leaf User Support List Subject: Re: [Leaf-user] OpenSSH Solved - was Dachstien Documentation Idiosyncrasies On Sat, 15 Dec 2001, Ken wrote: [...] I find it interesting that OpenSSH works with Putty when they explicitly say on their website that they do NOT support OpenSSH unless Jacques Nilo's version of OpenSSH just degrades itself to use ssh v1 or v2 when attaching from Putty. It may be that we are not getting all the features of OpenSSh we think we are getting. Don't know, and in my case (closed internal network no ssh from external) I don't really care. It is more of a learning experience then a necessity for me. Still interested if the CIAC bulletin has caught anyone's attention to check if we have a security hole. The website is http://www.ciac.org/ciac/bulletins/m-026.shtml Well, a) you would have to be using multiple logins (which I think is true with weblet) b) an untrusted person would have to know or be able to set the password for that account. They rate it medium. For LEAF, I think it looks even less critical. I think it is more important to not use login access from outside your LAN at all anyway. If you want to come in from outside, use public-key access. The exact verbiage from the Putty website (could just be an out of date FAQ - hey, how often could that happen?) http://www.chiark.greenend.org.uk/~sgtatham/putty/faq.html#A .1.2 A.1.2 Does PuTTY support reading OpenSSH or ssh.com SSHv2 private key files? Not at present. OpenSSH and ssh.com have totally different formats for private key files, and neither one is particularly pleasant, so PuTTY has its own. We do plan to write a converter at some stage. Seems pretty clear to me. They don't support the file format for OpenSSH private key files. That would mean... don't try to create a v2 private key file using OpenSSH and transfer it to a Winbox and expect to be able to use it with Putty. Says nothing about compatibility with v1 private key files, or with on-the-wire public key exchanges. --- Jeff NewmillerThe . . Go Live... DCN:[EMAIL PROTECTED]Basics: ##.#. ##.#. Live Go... Live: OO#.. Dead: OO#.. Playing Research Engineer (Solar/BatteriesO.O#. #.O#. with /Software/Embedded Controllers) .OO#. .OO#. rocks...2k --- ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
[Leaf-user] Memory Warning Yellow too quick? - Clearer now
Sorry for wasting the bandwidth on this issue. I later realized that in three out of four refreshes of the webpage the light was green and the fourth one was yellow. Re-reading the included note helped to explain the reason for the yellow light. Possibly this could be specifically spelled out in the Note: for us newbies who don't know that This behavior is perfectly normal, and reflects the dynamic, multi-tasking nature of linux. means you gonna see yellow lights now and then. Also explaining exactly what the threshold is and if there is a way to set it to not be so sensitive. Not exactly sure what I would do if I saw a red light or at what point I might see a red light and/or what the implications would be. i.e. Am I running too many packages, is my memory going bad, did my log files fill up, is my ramdisk misallocated? Just some thoughts. Ken Message: 9 From: Ken [EMAIL PROTECTED] To: [EMAIL PROTECTED] Date: Sat, 15 Dec 2001 22:46:32 -0500 Subject: [Leaf-user] Memory Warning Yellow too quick? I guess I don't really know what the memory stoplight is trying to tell me but I have a strange occurrence in that they light is Yellow and when I click on it inside it is green 'ok' and shows the following: :: Memory Status :: Sat Dec 15 22:40:47 EST 2001 firewall Memory Status: ok Free Memory 38 % of your system memory is currently used. 9000 K bytes available 1472 K bytes free NOTE: You may notice changes in the memory status, especially if you are near one of the threshold levels, as memory is allocated and freed to run the web server. This behavior is perfectly normal, and reflects the dynamic, multi-tasking nature of linux. Details: total:used:free: shared: buffers: cached: Mem: 14729216 13438976 1290240 6791168 5836800 1871872 Swap:000 MemTotal: 14384 kB MemFree: 1260 kB MemShared: 6632 kB Buffers: 5700 kB Cached:1828 kB SwapTotal:0 kB SwapFree: 0 kB I think I have 16 M RAM but I forget right now what it is and I don't particularly want to reboot. Do I need to re-allocate something or change where I store things. Any hints or should I just not worry about it? By the way the light comes up green first then goes to yellow less than an hour after a reboot. Ken ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
