Re: [leaf-user] Moving from Dachstein to Bering
Try:

    DNAT    net    loc:192.168.1.200:22    tcp    333

On Tue, Mar 02, 2004 at 03:18:38PM -0600, Karl Schmidt wrote:

> I've just moved a firewall from Dachstein to Bering and have everything working except one thing. Before there was a set up where if I would:
>
>     ssh -P333 firewall.domain.com
>
> The firewall would pass that on to a private server using port 22. Thus, if you wanted to ssh to the firewall you would just:
>
>     ssh firewall.domain.com
>
> and if I wanted to ssh to the internal server I would add -p333 to the command string.
>
> Rules:
>
>     ACCEPT    fw     loc                  tcp    37
>     DNAT      net    loc:192.168.1.200    tcp    333    22
>     DNAT      net    loc:192.168.1.200    tcp    smtp
>
> Policy:
>
>     loc    net    ACCEPT
>     # If you want open access to the Internet from your Firewall
>     # remove the comment from the following line.
>     fw     net    ACCEPT
>     #net   fw     ACCEPT    ULOG
>     net    all    DROP      ULOG
>     all    all    REJECT    ULOG
>
> --
> Karl Schmidt                  EMail [EMAIL PROTECTED]
> Transtronics, Inc.            WEB   http://xtronics.com
> 3209 West 9th Street          Ph    (785) 841-3089
> Lawrence, KS 66049            FAX   (785) 841-0434
>
> He's about a quarter turn past hand tight.

--
Lee Kimber
Techworld Technical Writer
http://www.techworld.com/
Tel: (206) 632 7649
Track what Linux users are saying about Microsoft
http://www.kimberconsulting.com/linux_news.htm

---
SF.Net is sponsored by: Speed Start Your Linux Apps Now. Build and deploy apps & Web services for Linux with a free DVD software kit from IBM. Click Now! http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
Re: [leaf-user] Tinydns to block adware/spyware
Thanks, Michael, to you and to Roberto. This is clearly the way I have to go to achieve this.

On Wed, Feb 25, 2004 at 12:27:35PM -0600, Michael D Schleif wrote:

> * Lee Kimber [EMAIL PROTECTED] [2004:02:25:09:21:18-0800] scribed:
>
> > Has anyone tried using tinydns to block HTTP requests to ad-tracking sites, adware, and spyware?
> >
> > I had a play at using tinydns's private zone file to block domain names from a list of known trackers I have (I currently keep this list in /etc/hosts on various machines). I couldn't get it to work because (I think) I couldn't get tinydns to consider itself authoritative for these domains in terms of DNS requests from my network clients.
> >
> > So, for example, I tried adding entries like this to the private zones file:
> >
> >     =www2.doubleclick.com:127.0.0.1
> >
> > That didn't stop tinydns resolving the name correctly so I trawled around and found DJB saying that you need to set up your DNS server as a SOA for other domains. That's where it gets a whole lot more complex! I did try:
> >
> >     .doubleclick.com::localhost
> >     =www2.doubleclick.com:127.0.0.1
> >
> > but that didn't work either. Anyone had a go at this?
>
> <snip />
>
> Is this what you want?
>
> http://cr.yp.to/djbdns/dot-local.html
>
> hth
>
> --
> Best Regards,
>
> mds
> mds resource
> 877.596.8237
> -
> Dare to fix things before they break . . .
> -
> Our capacity for understanding is inversely proportional to how much we think we know. The more I know, the more I know I don't know . . .

--
Lee Kimber
Techworld Technical Writer
http://www.techworld.com/
Tel: (206) 632 7649
Track what Linux users are saying about Microsoft
http://www.kimberconsulting.com/linux_news.htm
[leaf-user] Tinydns to block adware/spyware
Has anyone tried using tinydns to block HTTP requests to ad-tracking sites, adware, and spyware?

I had a play at using tinydns's private zone file to block domain names from a list of known trackers I have (I currently keep this list in /etc/hosts on various machines). I couldn't get it to work because (I think) I couldn't get tinydns to consider itself authoritative for these domains in terms of DNS requests from my network clients.

So, for example, I tried adding entries like this to the private zones file:

    =www2.doubleclick.com:127.0.0.1

That didn't stop tinydns resolving the name correctly so I trawled around and found DJB saying that you need to set up your DNS server as a SOA for other domains. That's where it gets a whole lot more complex! I did try:

    .doubleclick.com::localhost
    =www2.doubleclick.com:127.0.0.1

but that didn't work either. Anyone had a go at this?

I'm happy to share my hosts file with anyone that wants it but it needs editing as it blocks a range of sites that some folks might not be bothered about.

--
Lee Kimber
Track what Linux users are saying about Microsoft
http://www.kimberconsulting.com/linux_news.htm
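The two missing pieces in the thread above are (a) a "." line per blocked zone so tinydns holds an SOA and NS record for it and therefore answers authoritatively, and (b) telling dnscache to send queries for those zones to tinydns rather than to the public root servers, which is what the dot-local page linked in the reply does for a ".local" zone via a file under dnscache's servers/ directory. The script below is an added example of both steps applied to a whole hosts-style block list; it is my code, not the poster's and not part of djbdns or LEAF. Assumptions, labelled as such: the list is in /etc/hosts layout, SINK is the address blocked names should resolve to, TINYDNS_IP is where dnscache should forward those zones, and a "zone" is taken to be the last two labels of a host name (a crude heuristic that misfires on multi-label registries such as .co.uk).

```shell
#!/bin/sh
# hosts2tinydns: block-list to tinydns "data" lines plus dnscache "servers/" files.
# Added example; not from the thread, djbdns or LEAF. All names below are assumptions.

SINK=127.0.0.1            # what blocked names resolve to (assumed)
TINYDNS_IP=192.168.1.1    # the tinydns that dnscache should ask for blocked zones (assumed)

# Constructed sample list in /etc/hosts layout; not a real tracker list.
BLOCKLIST='# tracker list (constructed sample)
127.0.0.1 www2.doubleclick.com
127.0.0.1 ad.doubleclick.com
0.0.0.0   tracker.example.net
127.0.0.1 localhost
'

# hosts2tinydns LIST: print tinydns data lines. The first field of each hosts
# line is ignored; SINK is used instead. For every zone a "." line makes
# tinydns-data emit an SOA and an NS record (a.ns.ZONE -> SINK), so tinydns
# becomes authoritative for the zone; each host then gets a "+" A record.
hosts2tinydns() {
    printf '%s' "$1" | awk -v sink="$SINK" '
        /^[ \t]*#/ || NF < 2 { next }          # comments and blank lines
        {
            for (i = 2; i <= NF; i++) {
                host = tolower($i)
                if (host == "localhost") continue   # never sinkhole localhost
                n = split(host, lab, "[.]")
                if (n < 2) continue
                zone = lab[n-1] "." lab[n]          # last-two-labels heuristic (assumption)
                if (!(zone in seen)) {
                    seen[zone] = 1
                    print "." zone ":" sink ":a"    # SOA + NS for the zone
                }
                print "+" host ":" sink             # A record for the host
            }
        }'
}

# zones_of LIST: the zone names from the "." lines, one per line.
zones_of() {
    hosts2tinydns "$1" | sed -n 's/^\.\([^:]*\):.*/\1/p'
}

# write_dnscache_servers ROOT IP: for each zone read from stdin, write
# ROOT/servers/ZONE containing IP so dnscache forwards that zone to tinydns.
# ROOT is dnscache's root directory (e.g. /etc/dnscache/root on LEAF or
# /service/dnscache/root on a stock djbdns install; which one is an assumption).
write_dnscache_servers() {
    root=$1
    ip=$2
    mkdir -p "$root/servers"
    while read -r zone; do
        [ -n "$zone" ] || continue
        printf '%s\n' "$ip" > "$root/servers/$zone"
    done
}

# Print the data lines for the sample list. To produce the dnscache side:
#   zones_of "$BLOCKLIST" | write_dnscache_servers /etc/dnscache/root "$TINYDNS_IP"
hosts2tinydns "$BLOCKLIST"
```

After appending the printed lines to tinydns's data file and running make in that directory, dnscache needs a restart (or its servers/ files re-read) before clients see the sinkholed answers; the "." line is what turns the earlier "=" entries from ignored data into an authoritative answer.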
Re: [leaf-user] Re: Print Server on Bering 1.2
Can you send us the complete 15 lines of error message? And also the output of lsmod and dmesg? Eg log in as root and type:

    lsmod > /root/godfriedlp.txt

followed by

    dmesg >> /root/godfriedlp.txt

The print server document was written around two Bering 1.1 machines so I can't claim to have seen what the 1.2 kernel and modules output when they load.

At 06:33 PM 6/23/03 -0500, you wrote:

> I do have parport and parport_pc modules loading prior to lp as stated in the doc.
>
> Jeff Newmiller [EMAIL PROTECTED] 6/23/03 5:57:01 PM
>
> On Mon, 23 Jun 2003, Godfried Duodu wrote:
>
> > Loading the lp module produces about 15 lines of unresolved symbols as shown below:
> >
> >     insmod lp
> >     using /lib/modules/lp.o
> >     insmod: unresolved symbol mod_use_count_
> >     insmod: unresolved symbol kfree_R801a0af7
> >     insmod: unresolved symbol register_chrdev_RD43c9af4
> >     etc...
> >
> > Any suggestions to help with setting up Bering 1.2 as a print server.
>
> When one module depends on another, you can usually find out about this by looking in the modules.dep file that came with the compiled modules you are looking at. In this case, lp.o depends on parport.o.
>
> ---
> Jeff Newmiller                        The     .....       .....  Go Live...
> DCN:[EMAIL PROTECTED]                 Basics: ##.#.       ##.#.  Live Go...
>                                       Live:   OO#.. Dead: OO#..  Playing
> Research Engineer (Solar/Batteries            O.O#.       #.O#.  with
> /Software/Embedded Controllers)               .OO#.       .OO#.  rocks...2k
[leaf-user] File downloads using weblet
Hi,

I've been tinkering with a weblet cgi script to download logs that I'm keeping on a spare hdd in one of my Bering systems. I've put an ash shell script in /var/sh-www/cgi-bin/. I'm close... oh so close... but not quite there!

The problem is that the shell script does deliver the file I want but never names it correctly. The script always names the file with the same name as the shell script. Eg, the script is a file called filetest. The file to download is /mnt/hdd/logs.tar.gz

When I use any browser (Mozilla on Linux or IE on Windows) to hit http://firewall/cgi-bin/filetest, I get a dialog box prompting me to save the file as filetest. If I save it and open it up, it contains the contents of logs.tar.gz - a gzipped tar.

The contents of the shell script are:

    #!/bin/sh
    # Header values are quoted: left unquoted, the ';' in the
    # Content-Disposition line ends the echo command and the shell
    # treats "filename=logs.tar.gz" as a variable assignment, so the
    # browser never receives the filename.
    echo "Pragma: no-cache"
    echo "Expires: 0"
    echo "Content-Type: application/force-download"
    echo "Content-Type: application/download"
    echo "Content-Type: application/octet-stream"
    echo "Content-Disposition: attachment; filename=logs.tar.gz"
    echo "Content-Transfer-Encoding: binary"
    # empty line ends the header block; the file body follows
    echo
    cat /mnt/hdd/logs.tar.gz

/etc/sh-httpd.mime contains:

    htm   text/html
    html  text/html
    txt   text/plain
    css   text/css
    gif   image/gif
    jpg   image/jpeg
    jpeg  image/jpeg
    tif   image/tiff
    tiff  image/tiff
    png   image/png
    lrp   application/octet-stream
    gz    encoding/x-gzip
    tgz   encoding/x-gzip

I *think* the problem may be to do with mime types because Mozilla prompts to download a file of type text/plain - the default filetype for Bering weblet, even though the shell script is stating Content-Type: application/octet-stream. I don't know. Somehow it feels as though I'm almost there.

Am I missing something simple here?

Thanks!
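As an added example (my code, not the poster's script and not part of weblet or sh-httpd), this is how I would write a log-download CGI for a firewall: one Content-Type rather than three, every header line terminated with CRLF as HTTP expects, a Content-Length so the client knows when the body ends, and the requested name checked against a fixed directory before anything is read. The directory (LOGDIR, default /mnt/hdd as in the post), the hypothetical `file=` query parameter and the use of a CGI `Status:` header are all assumptions; whether sh-httpd passes these headers through untouched must be checked against its source, the script itself does not depend on the server.

```shell
#!/bin/sh
# Download CGI with a single Content-Type, CRLF headers and a path check.
# Added example, not from the thread; LOGDIR and the file= parameter are assumptions.

LOGDIR=${LOGDIR:-/mnt/hdd}
CR=$(printf '\r')

# safe_path NAME: accept only a bare file name (no '/', no '..', no leading
# dot) that exists under LOGDIR; print the full path, or fail with status 1.
safe_path() {
    name=$1
    case "$name" in
        ''|*/*|*..*|.*) return 1 ;;
    esac
    [ -f "$LOGDIR/$name" ] || return 1
    printf '%s\n' "$LOGDIR/$name"
}

# cgi_headers PATH: the header block for one file. Exactly one Content-Type,
# each line ending in CRLF, a blank CRLF line closing the block.
cgi_headers() {
    path=$1
    size=$(wc -c < "$path" | tr -d ' ')
    printf 'Content-Type: application/octet-stream%s\n' "$CR"
    printf 'Content-Disposition: attachment; filename="%s"%s\n' "$(basename "$path")" "$CR"
    printf 'Content-Length: %s%s\n' "$size" "$CR"
    printf 'Pragma: no-cache%s\n' "$CR"
    printf '%s\n' "$CR"
}

# send_file NAME: validate, then headers followed by the raw file bytes.
# On a bad name answer 404 via the CGI Status: header (assumed to be honoured).
send_file() {
    path=$(safe_path "$1") || {
        printf 'Status: 404 Not Found%s\nContent-Type: text/plain%s\n%s\nno such file\n' "$CR" "$CR" "$CR"
        return 1
    }
    cgi_headers "$path"
    cat "$path"
}

# Entry point under the web server: take file=NAME from QUERY_STRING and
# ignore any further parameters (hypothetical interface, not sh-httpd's).
name=${QUERY_STRING#file=}
name=${name%%&*}
if [ -n "$name" ]; then
    send_file "$name"
fi
```

With this layout a request for cgi-bin/filetest?file=logs.tar.gz yields the attachment name from the header, while file=../etc/passwd or a name with a slash gets a 404 and never touches the filesystem beyond the existence test.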
Re: [leaf-user] Documentation link on LEAF site not working
Funny! I had the print version open on the desk in front of me as I read your mail. Superb book. Great knowledge and great, from-the-trenches humour.

At 08:26 PM 6/10/03 -0700, Peter Nosko wrote:

> pn] From http://leaf.sourceforge.net, I clicked Web Links under the main menu, then Linux Documentation, then the The Linux Network Administrator's Guide, Second Edition link. It isn't working.
>
> pn] Has anyone seen this before? I just found out about it.
>
> http://www.icon.co.za/~psheer/book/index.html.gz
>
> =====
> Peter Nosko ([EMAIL PROTECTED])
> This is a good place for a tagline.
RE: [leaf-user] Bering and processor temperature
At 10:46 AM 3/10/2003, Luis.F.Correia wrote:

> Hi!
>
> AFAIK, a P200 needs both heatsink & fan.
>
> Besides processor temperature, what did you change in your setup? Are you running VPN on 1.1? Any extra services, or was it a plain ole upgrade?
>
> If nothing has really changed, then there is no real answer to your problem...

I didn't add anything, though I can see that the release has ulogd.lrp added to it. Ipsec is on it too but is not yet configured. Mmmm, could that be it? There are no extra services.

I've started a second build of it and this is running much cooler so far. I'm bringing it to the same state as the original router step by step while checking the temperature between each step. Hopefully this will highlight where the temperature increase starts. It seems to run a little warmer once it has ipsec and mawk on it and before ipsec is configured, though nothing like as hot as the first one.

I'll let you know if I find the answer!
Re: [leaf-user] Bering and processor temperature
> How do the load averages[1] compare on the hot vs. cool setups? If the load average is significantly higher on the hot configuration, you could grab a copy of top.lrp[2] and see which processes are responsible for the increased load average. Running top will itself increase load average (and likely cpu temp), so be sure to account for that increase when measuring temp with top running.
>
> It seems unlikely, but I suppose changes between the 2.4.18 (Bering 1.0) and 2.4.20 (Bering 1.1) kernels could also be responsible for increased load on the CPU.
>
> Good luck!
>
> --Brad
>
> [1] Use the uptime command or cat /proc/loadavg.
>
> [2] There are versions at http://leaf.sourceforge.net/devel/khadley/packages.html and http://www.monkeynoodle.org/lrp/lrp/packages/ . top may require a package that provides libncurses, e.g. libncurs.lrp, which in turn may require a copy of the terminfo data file for your desired terminal.

Great - I didn't know you could do that on a Bering box. I will do it and let you know.

Lee
[leaf-user] Bering and processor temperature
Has anyone noticed that their processor runs hotter under Bering 1.1?

I have a P200 motherboard loaded with NICs by my desk that I use for testing and the processor heatsink runs considerably hotter under Bering 1.1 than under Bering 1.0. It has no fan so my rough temperature gauge is that I could touch it comfortably for extended periods of time (a useful finger warmer after a winter motorbike ride!) under Bering 1.0 but it's too hot to do so under Bering 1.1.

Same configuration and NICs in both versions. Same low network traffic on both...

I've noticed that it runs hotter during boot under both distros but then cools down after the boot process is complete in Bering 1.1.

Just an idle inquiry really but I'd be interested to know if it does signify anything!

Lee
Re: [leaf-user] Floppy Image Problems
At 02:51 AM 12/1/2002 -0500, you wrote:

> I have downloaded the v1.0 stable windows executable file and ran it on a windows machine to format and copy the necessary LRP packages to a floppy disk. When I boot on the disk for the first time, everything is fine; however once I have added a few new modules (*.o files in /boot/lib/modules) and backed up my initrd.lrp package, I see read errors when writing the new lrp image to the disk. If anyone can help me out here I'd be grateful. So far, this has happened with 7 diskettes and I'm beginning to doubt the fact it's the disks that are the problem as the diskettes have worked fine in the past.
>
> Thanks for any help on the matter!
>
> Chris

If the error is something like "Could not mount device" then your disk is still mounted from when you added the new modules and you need to unmount it first. (You'll have to reboot and start again once this has happened, I think.)

If the backup seems to go OK with some packages and then starts producing errors along the lines of "Could not save..." (or similar), then it is because your disk is full. You can hopefully avoid this by removing unneeded modules before backing up. Look for modules that are in /lib/modules but which are commented out in /etc/modules and remove them from /lib/modules.
Re: [leaf-user] wireless problems
Are you able to manually assign wireless config to that device?

What follows works for an Aironet PCI card in a Bering box. I don't get that /proc/net/dev/wlan0 device in my Bering box so you will need to change this to even try it. My card is located as:

    /proc/driver/aironet/eth1

So the following works for the above device in the above location. It may work for your wlan0 device but it might not.

Having located the device in /proc you can try assigning individual settings using this format:

    echo SSID > /proc/driver/aironet/eth1/SSID

and repeat for: NodeName, Mode, WEP and optionally I think DataRates

If these don't barf, you should get connectivity when you set network configs.

Iwconfig does work for me so I script this lot in my Bering box with this script in /etc/init.d/

    #!/bin/sh
    #
    # wireless.sh: configures wireless iface
    #
    RCDLINKS=2,S30

    iwconfig eth1 essid WLAN
    iwconfig eth1 mode Ad-Hoc
    iwconfig eth1 nick Bering
    iwconfig eth1 power off
    iwconfig eth1 key off
    echo
    iwconfig eth1

If iwconfig is not working for you might work around by replacing the iwconfig eth1 essid WLAN in the above scripts lines with:

    echo SSID > /proc/driver/aironet/eth1/SSID

etc, but with the path changed for whatever works with your card.

The RCDLINKS line fires the script before the network config scripts fire.

Hope this helps.

At 10:32 AM 11/22/2002 -0600, [EMAIL PROTECTED] wrote:

> I'm kinda struggling here to get going. I got a DLink DWL 520 802.11b card and the hostap_pci.o modules likes it. It gives me a wlan0 in /proc/net/dev. I could even assign, ip addr add, an address to it. but iwconfig wlan0 gives me no wireless extensions. ( wisp scripts indicate this means not in wireless mode) and iwconfig wlan0 --any command-- gives me SIOCS : Invalid argument errors.
>
> I feel that I am missing something, something in kernel or an incompatible library. I did not load the prism2.o module, I thought hostap would do all.
>
> Just need a little help getting started if anyone has ideas. Thanks.
[leaf-user] IPsec troubleshooting pointers
Hi,

I'm trying to create a host subnet connection from an XP box to a subnet behind a Bering V1 rc4 NAT firewall. When the XP client pings an interface on the firewalled subnet, it returns one "Negotiating IP security" response followed by "Request timed out" for its other ping packets. Judging from /var/log/auth.log, the problem occurs after IPsec SA is established. I'm out of ideas to troubleshoot for what that problem might be.

In producing ipsec barf, there is clearly a problem with there being no md5sum on the system, but shouldn't that be part of ipsec.lrp if it is required for operation?

Grateful for any ideas. auth.log, ipsec start up and ipsec barf are below.

Thanks!

Lee

IPsec Windows XP to Bering/FreeS/WAN connection failures

What auth.log shows when I attempt to connect:

    Nov 16 23:02:37 beringfirewall ipsec__plutorun: Starting Pluto subsystem...
    Nov 16 23:02:37 beringfirewall pluto[7363]: Starting Pluto (FreeS/WAN Version 1.98b)
    Nov 16 23:02:38 beringfirewall pluto[7363]: added connection description "w2k-road-warriors"
    Nov 16 23:02:38 beringfirewall pluto[7363]: listening for IKE messages
    Nov 16 23:02:38 beringfirewall pluto[7363]: adding interface ipsec0/eth0 192.168.2.253
    Nov 16 23:02:38 beringfirewall pluto[7363]: loading secrets from "/etc/ipsec.secrets"
    Nov 16 23:03:50 beringfirewall pluto[7363]: packet from 192.168.2.1:500: ignoring Vendor ID payload
    Nov 16 23:03:50 beringfirewall pluto[7363]: "w2k-road-warriors"[1] 192.168.2.1 #1: responding to Main Mode from unknown peer 192.168.2.1
    Nov 16 23:03:50 beringfirewall pluto[7363]: "w2k-road-warriors"[1] 192.168.2.1 #1: sent MR3, ISAKMP SA established
    Nov 16 23:03:51 beringfirewall pluto[7363]: "w2k-road-warriors"[1] 192.168.2.1 #2: responding to Quick Mode
    Nov 16 23:03:51 beringfirewall pluto[7363]: "w2k-road-warriors"[1] 192.168.2.1 #2: IPsec SA established

then it pauses until eventually...

    Nov 16 23:04:54 beringfirewall pluto[7363]: "w2k-road-warriors"[1] 192.168.2.1 #1: ignoring Delete SA payload
    Nov 16 23:04:54 beringfirewall pluto[7363]: "w2k-road-warriors"[1] 192.168.2.1 #1: received and ignored informational message

IPsec start up

    # /etc/init.d/ipsec start
    ipsec_setup: Starting FreeS/WAN IPsec 1.98b...
    ipsec_setup: Using /lib/modules/ipsec.o
    ipsec_setup: WARNING: eth0 has route filtering turned on, KLIPS may not work
    ipsec_setup:  (/proc/sys/net/ipv4/conf/eth0/rp_filter = `1', should be 0)

ipsec barf

    beringfirewall
    Sat Nov 16 23:12:05 UTC 2002
    + _ version
    + ipsec --version
    Linux FreeS/WAN 1.98b
    See `ipsec --copyright' for copyright information.
    + _ proc/version
    + cat /proc/version
    Linux version 2.4.18 (root@samsung) (gcc version 2.95.4 20011002 (Debian prerelease)) #6 Sun Oct 20 15:06:22 CEST 2002
    + _ proc/net/ipsec_eroute
    + sort +3 /proc/net/ipsec_eroute
    sort: +3: No such file or directory
    + cat /proc/net/ipsec_eroute
    0 192.168.3.0/24 -> 192.168.2.1/32 => [EMAIL PROTECTED]
    + _ ip/route
    + ip route
    192.168.2.1 via 192.168.2.1 dev ipsec0
    192.168.3.0/24 dev eth1 proto kernel scope link src 192.168.3.254
    192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.253
    192.168.2.0/24 dev ipsec0 proto kernel scope link src 192.168.2.253
    default via 192.168.2.254 dev eth0
    + _ proc/net/ipsec_spi
    + cat /proc/net/ipsec_spi
    [EMAIL PROTECTED] IPIP: dir=out src=192.168.2.253 life(c,s,h)=addtime(495,0,0)
    [EMAIL PROTECTED] IPIP: dir=in src=192.168.2.1 life(c,s,h)=addtime(495,0,0)
    [EMAIL PROTECTED] ESP_3DES_HMAC_MD5: dir=out src=192.168.2.253 iv_bits=64bits iv=0x9ce1a78a77432e41 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(495,0,0)
    [EMAIL PROTECTED] ESP_3DES_HMAC_MD5: dir=in src=192.168.2.1 iv_bits=64bits iv=0xbd540ccc4e86f6d7 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(495,0,0)
    + _ proc/net/ipsec_spigrp
    + cat /proc/net/ipsec_spigrp
    [EMAIL PROTECTED] [EMAIL PROTECTED]
    [EMAIL PROTECTED] [EMAIL PROTECTED]
    + _ proc/net/ipsec_tncfg
    + cat /proc/net/ipsec_tncfg
    ipsec0 -> eth0 mtu=16260(1500) -> 1500
    ipsec1 -> NULL mtu=0(0) -> 0
    ipsec2 -> NULL mtu=0(0) -> 0
    ipsec3 -> NULL mtu=0(0) -> 0
    + _ proc/net/pf_key
    + cat /proc/net/pf_key
    sock pid socket next prev e n p sndbf Flags Type St
    c1fb93f0 7363 c118d75000 0 0 2 65535 3 1
    + _ proc/net/pf_key-star
    + cd /proc/net
    + egrep '^' pf_key_registered pf_key_supported
    pf_key_registered:satype socket pid sk
    pf_key_registered: 2 c118d750 7363 c1fb93f0
    pf_key_registered: 3 c118d750 7363 c1fb93f0
    pf_key_registered: 9 c118d750 7363 c1fb93f0
    pf_key_registered:10 c118d750 7363 c1fb93f0
    pf_key_supported:satype exttype alg_id ivlen minbits maxbits
    pf_key_supported: 2 14 3 0 160 160
    pf_key_supported: 2 14 2
Re: [leaf-user] IPsec troubleshooting pointers
> Likely this is an incorrect option set up on the WinXP client. The Bering Users manual ( http://leaf.sourceforge.net/devel/jnilo/buipsec.html#AEN1436 ) has instructions for Win2K, if they help. Possibly Chad Carr or someone else that has connected with WinXP could help here.

Yeah, I have been through it pretty thoroughly (and I did find config mistakes that I'd made ;-)).

> > What auth.log shows when I attempt to connect:
> >
> >     Nov 16 23:02:37 beringfirewall ipsec__plutorun: Starting Pluto subsystem...
> >     Nov 16 23:02:37 beringfirewall pluto[7363]: Starting Pluto (FreeS/WAN Version 1.98b)
> >     Nov 16 23:02:38 beringfirewall pluto[7363]: added connection description "w2k-road-warriors"
> >     Nov 16 23:02:38 beringfirewall pluto[7363]: listening for IKE messages
> >     Nov 16 23:02:38 beringfirewall pluto[7363]: adding interface ipsec0/eth0 192.168.2.253
> >     Nov 16 23:02:38 beringfirewall pluto[7363]: loading secrets from "/etc/ipsec.secrets"
> >     Nov 16 23:03:50 beringfirewall pluto[7363]: packet from 192.168.2.1:500: ignoring Vendor ID payload
> >     Nov 16 23:03:50 beringfirewall pluto[7363]: "w2k-road-warriors"[1] 192.168.2.1 #1: responding to Main Mode from unknown peer 192.168.2.1
> >     Nov 16 23:03:50 beringfirewall pluto[7363]: "w2k-road-warriors"[1] 192.168.2.1 #1: sent MR3, ISAKMP SA established
> >     Nov 16 23:03:51 beringfirewall pluto[7363]: "w2k-road-warriors"[1] 192.168.2.1 #2: responding to Quick Mode
> >     Nov 16 23:03:51 beringfirewall pluto[7363]: "w2k-road-warriors"[1] 192.168.2.1 #2: IPsec SA established
>
> Hmm it appears to be extremely strange to be connecting to rfc1918 class address via the internet (or even having Shorewall accept anything from this address). Could we get some more information on the WAN link?

This is a wireless link running from my main router - a Dachstein box - to a subnet that is hanging off this new Bering box. So the Bering router is on one of the subnets of the Dachstein box (192.168.2.0/24). This link and both routers work great.

The XP box is a laptop that is also on the 192.168.2.0/24 subnet and is able to ssh into boxes hanging off either of the routers. Shorewall is set to ignore RFC1918 on the Bering box in the Shorewall interface set up. (Shorewall is not running on the Dachstein box.)

> > IPsec start up
> >
> >     # /etc/init.d/ipsec start
> >     ipsec_setup: Starting FreeS/WAN IPsec 1.98b...
> >     ipsec_setup: Using /lib/modules/ipsec.o
> >     ipsec_setup: WARNING: eth0 has route filtering turned on, KLIPS may not work
> >     ipsec_setup:  (/proc/sys/net/ipv4/conf/eth0/rp_filter = `1', should be 0)
>
> This is a problem. I believe you will have to change this option. This is noted in the Bering User Manual:
>
> Quote: You must not turn on route filtering for any interfaces involved in ipsec. The Bering recommended way to turn this off is to use the /etc/network/options file and change the spoofprotect parameter to no

Yeah, I have done that. The messages you are seeing are occurring despite the spoofprotect option being set to no. IIRC, IPsec seems to return this message regardless.

> >     + ip route
> >     192.168.2.1 via 192.168.2.1 dev ipsec0
> >     192.168.3.0/24 dev eth1 proto kernel scope link src 192.168.3.254
> >     192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.253
> >     192.168.2.0/24 dev ipsec0 proto kernel scope link src 192.168.2.253
> >     default via 192.168.2.254 dev eth0
>
> This appears to be a very unclear test system. Using a 10./8 on the WAN would clarify a lot between WAN and LAN networks. Using the same net block addressing makes it much harder to see what is exactly going on.

I'm sitting behind DSL that is NATted by the ISP. My Dachstein router breaks that up into a bunch of 192.168.x.x/24 subnets, all of which work fine. One of the subnets is 192.168.2.0/24, on which the Bering box sits. The Bering box hides a single 192.168.3.0/24 subnet. Boxes on that subnet are able to reach the Internet fine using the Bering box as their first hop, then the Dachstein box and then whatever my ISP has imposed.

I run it like this because the servers can't be near the main DSL router for space and noise reasons. They sit on the 192.168.3.0/24 subnet hosts in a different room.

> >     # How persistent to be in (re)keying negotiations (0 means very).
> >     keyingtries=0
> >     # RSA authentication with keys from DNS.
> >     # authby=rsasig
> >     # leftrsasigkey=%dns
> >     # rightrsasigkey=%dns
> >     # Following added by Lee just as above 3 commented by Lee
> >     authby=secret
> >     left=192.168.2.253
> >     leftsubnet=192.168.3.0/24
> >     leftfirewall=yes
> >     pfs=yes
> >     auto=add
>
> Get rid of the leftfirewall=yes entry, it will not allow a reconnection if a tunnel drops w/o a reboot. It will not be needed if Shorewall is configured correctly for ipsec.

Thanks, I didn't know that and will try it.

> >     + sed -n 210,$p /var/log/syslog
> >     + egrep -i ipsec|klips|pluto
> >     + cat
> >     Nov 16 23:02:36 beringfirewall ipsec_setup: Starting FreeS/WAN IPsec 1.98b...
> >     Nov 16
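Two checks I would script for the situation in this thread, added here as an example that is not from the posts, from FreeS/WAN or from LEAF: a reader of the pluto log that says, per peer, whether phase 1 (ISAKMP SA) and phase 2 (IPsec SA) completed and whether the peer then sent a Delete SA, which is exactly the pattern in the auth.log excerpt above (tunnel up, then torn down by the client a minute later); and a check of rp_filter on the interfaces IPsec uses, since ipsec_setup's warning and the Bering manual quote both say it must be 0. The log lines are the ones from the thread; `rp_filter_check` takes the conf directory as an argument so it can be pointed at a constructed copy instead of /proc.

```shell
#!/bin/sh
# IPsec triage helpers: pluto log summary and rp_filter check.
# Added example; not from the thread, FreeS/WAN or LEAF.

# Sample lines copied from the auth.log excerpt in this thread.
PLUTO_LOG='Nov 16 23:03:50 beringfirewall pluto[7363]: "w2k-road-warriors"[1] 192.168.2.1 #1: responding to Main Mode from unknown peer 192.168.2.1
Nov 16 23:03:50 beringfirewall pluto[7363]: "w2k-road-warriors"[1] 192.168.2.1 #1: sent MR3, ISAKMP SA established
Nov 16 23:03:51 beringfirewall pluto[7363]: "w2k-road-warriors"[1] 192.168.2.1 #2: responding to Quick Mode
Nov 16 23:03:51 beringfirewall pluto[7363]: "w2k-road-warriors"[1] 192.168.2.1 #2: IPsec SA established
Nov 16 23:04:54 beringfirewall pluto[7363]: "w2k-road-warriors"[1] 192.168.2.1 #1: ignoring Delete SA payload'

# pluto_status CONN LOG: one line per peer of connection CONN, saying whether
# phase 1 and phase 2 established and whether the peer later sent a Delete SA.
# The field after "pluto[pid]:" is "conn"[instance]; the next one is the peer.
pluto_status() {
    printf '%s\n' "$2" | awk -v conn="$1" '
        $0 !~ /pluto\[/ { next }
        {
            for (i = 1; i <= NF; i++) if ($i ~ /^pluto\[/) break
            c = $(i + 1)
            gsub(/"/, "", c)          # strip the quotes pluto puts round the name
            sub(/\[.*/, "", c)        # drop the [instance] suffix
            if (c != conn) next
            peer = $(i + 2)
            peers[peer] = 1
            if ($0 ~ /ISAKMP SA established/) p1[peer] = 1
            if ($0 ~ /IPsec SA established/)  p2[peer] = 1
            if ($0 ~ /Delete SA/)             del[peer] = 1
        }
        END {
            for (peer in peers)
                printf "%s phase1=%s phase2=%s delete_from_peer=%s\n", peer,
                       (peer in p1) ? "yes" : "no",
                       (peer in p2) ? "yes" : "no",
                       (peer in del) ? "yes" : "no"
        }' | sort
}

# rp_filter_check DIR IFACE...: print every interface under DIR (normally
# /proc/sys/net/ipv4/conf) whose rp_filter is not 0; return 1 if any was found.
# Interfaces with no rp_filter file (e.g. a missing ipsec0) are skipped.
rp_filter_check() {
    dir=$1
    shift
    bad=0
    for ifc in "$@"; do
        f="$dir/$ifc/rp_filter"
        [ -r "$f" ] || continue
        val=$(cat "$f")
        if [ "$val" != 0 ]; then
            echo "$ifc rp_filter=$val"
            bad=1
        fi
    done
    return $bad
}

# Stand-alone run: summarise the sample log, then check the live box.
pluto_status w2k-road-warriors "$PLUTO_LOG"
rp_filter_check /proc/sys/net/ipv4/conf eth0 eth1 \
    || echo "route filtering is on; the Bering manual wants it off on IPsec interfaces (spoofprotect=no in /etc/network/options)"
```

On the thread's log the summary reads `192.168.2.1 phase1=yes phase2=yes delete_from_peer=yes`, which narrows the search to what happens after the SA is up (policy on the client, or traffic not matching the selectors) rather than to IKE itself. Run `pluto_status` against `/var/log/auth.log` with the connection name from ipsec.conf, and `rp_filter_check` against the real conf directory after changing spoofprotect, to confirm the setting actually took.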
Re: [leaf-user] WISP partition questions
At 12:15 PM 11/3/2002 +0200, Vladimir I. wrote:

> > The card is set up and has a non-conflicting IRQ but WISP is not finding it on boot.
>
> Edit /etc/modules and uncomment ne there:
>
>     #ne io=0x300,0x350
>
> Change the IO port to the one you use. You may also need to specify IRQ, like
>
>     ne io=0x200 irq=5

Oh right. As with other LEAFs. What I meant is, is there a route to this via the menu system?
[leaf-user] WISP partition questions
I've just started to play with WISP on a compact flash card. I've created a bootable WISP CF card but the process brought unexpected torment. It has left me with a few questions. ;-)

Environment:

- 32Mb CF card in Silicon Kit IDE to CF adapter
- BIOS using CHS to see the CF card

Torment:

The CF card came out of a PocketPC and had files on it that I could see if I booted the WISP hardware using a DOS floppy. In other words, it had a working partition on it. I found it impossible to create two partitions on this card using fdisk on a Win98 disk or using Partition Magic 6.0 or 7.0. After I'd fdisked, all three tools misreported the CF as having about 15Mb of free space after the first partition - even if the partition was 27Mb! When I ran syslinux.com -s c: against this card, I got no error but the system would hang on boot.

In the end I formatted the card in a friend's PocketPC and then found it possible to copy the WISP files to it from the .zip file on the WISP downloads page at: http://sourceforge.net/project/showfiles.php?group_id=13751

I then made the CF bootable by booting a floppy and running syslinux -s c: against the CF card. Great! WISP now boots. But I'd like to create a second partition for WISP's read/write files...

Now I'm looking at shoving an ancient Antec Descartes CF card reader/writer in a separate Linux box so I'm wondering if people have successfully partitioned and formatted the CF card for WISP using straightforward Linux fdisk and fdformat? Also, is the second partition to be DOS or minix or does it not matter?

I've got an 8MB CF card so in theory I can dd the wisp-dist_2348_img_wdist.bin file on the LEAF downloads page. But... I can get this binary to yield its .img content. I've made it executable but executing it doesn't do anything. Is this a MacBinary? I'll bet I'm missing something else so I'm looking for a clue!

I'll also be trying to work out how to get a RTL8019AS driver on to the CF but I reckon I'll be able to work that out on my own.

I'm willing to contribute back to the WISP documentation of course.

Thanks...

Lee
Re: [leaf-user] WISP partition questions
Wait, this *is* an image. In other words, it's already extracted and ready to be dd'ed. :-)

Ho ho! That caught me out nicely! ;-)

I'll also be trying to work out how to get a RTL8019AS driver on to the CF but I reckon I'll be able to work that out on my own.

What is the usual Linux driver for it? ne2k-pci?

This is an ISA card so I'm guessing it is ne. The card is set up and has a non-conflicting IRQ but WISP is not finding it on boot.

--
Best Regards,
Vladimir
Systems Engineer (RHCE)
[leaf-user] Anyone tried USR2415 card in Dachstein?
Hi,

Wondered if anyone has tried the US Robotics 2415 combined PCI adapter and 802.11b PC Card in a Dachstein box? A post on Seattlewireless says this Prism 2.5 chipset card works with the deprecated wvlan_cs driver so I'm wondering if this will work on Dachstein, where there only seems to be a wavelan.o module. See:
http://lrp.steinkuehler.net/files/diskimages/dachstein-CD/CD-Contents/lib/modules/net/

Manufacturer's page is:
http://www.usrobotics.com/products/networking/wireless-product.asp?sku=USR2415

I'm seeing a $76 price on it - prior to $30 mail in rebate - at:
http://www.ecost.com/ecost/shop/detail.asp?dpno=975350

Thanks!

Lee
Re: [leaf-user] Port Forwarding
What you need is in the /etc/network.conf file, which you can edit from the lrcfg menu by going to Network Settings and then Network Configuration. IIRC you need to do two things:

1. open the firewall to port 113 in the section that begins:
# IP Filter setup - can pull in settings from above

2. create a port forwarding rule in the section that begins:
# Port Forwarding

There are plenty of examples of what to do in both sections. Yell if you can't figure it out from the examples.

At 10:40 PM 5/29/2002 -0700, Jonathan Berglund wrote:
I'm using the Dachstein floppy distribution and I need to setup port forwarding to one of my lan workstations. My router is at 192.168.1.254, while my workstation I'm trying to forward to is 192.168.1.1. There are a number of ports for different programs I need to direct, but the one I'm trying to do now is the identd port (port 113) to connect to DALnet over IRC. I don't know if there is support for port forwarding already, or if I need to download a package. Can anyone help?

Thanks in advance for the help!

- Jon
RE: [leaf-user] How to use ipchains.forward
At 11:19 PM 5/19/2002 -0700, MLU wrote:
Here is the only command I have in my /etc/ipchains.forward (credited to Charles Steinkuehler) to route between 192.168.9.x and 192.168.3.x internal subnets

$IPCH -A forward -j ACCEPT -s 192.168.9.0/24 -d 192.168.3.0/24 -b

That solved it. Thanks.

Lee
[leaf-user] How to use ipchains.forward
Hi,

I've not been able to find what I think is an efficient solution to my problem so I'm wondering if anyone knows of documentation on this.

I've got a four NIC Dachstein box with one NIC connected to the Internet and the other three NICs all set up on 192.168.x.0/24 subnets. To make the box route between these subnets I know I need to add a rule or rules to /etc/ipchains.forward. (I've added the subnets to INTERN_NET in /etc/network.conf). So I've tried to get my head around ipchains and come up with the following ruleset for /etc/ipchains.forward

ipchains -A forward -p all -s 192.168.0.0/16 0:65535 -d 192.168.0.0/16 0:65535 -i eth1
ipchains -A forward -p all -s 192.168.0.0/16 0:65535 -d 192.168.0.0/16 0:65535 -i eth2
ipchains -A forward -p all -s 192.168.0.0/16 0:65535 -d 192.168.0.0/16 0:65535 -i eth3

Anyone know of a more efficient (i.e. troubleshootable) way of writing this set of rules? I'm way beyond my comfort level with ipchains as you can probably tell ;-)

Thanks

Lee
Re: [Leaf-user] Bering v1.0-rc1 available
At 11:35 PM 3/19/2002 +0100, Jacques Nilo wrote:
I haven't been able to test whether my system actually works yet due to a long-standing inability to get modem dial up working on Bering (and Dachstein) ;-) Roll on that Bering dial up cookbook!

Here you are:
http://leaf.sourceforge.net/devel/jnilo/busers01.html

Jacques

Excellent! Thanks Jacques, I will be on to that tonight.

Lee
[Leaf-user] Draft CIPE on LRP how-to
This should be my last act of arrogance in 2001 ;-)

I've drafted this how-to on how to get Sandro Minola's ciped-1 package working on LRP (Dachstein). It's arrogant because I haven't been able to get cipe working myself yet! But I think I'm pretty close and the How-to includes some troubleshooting that should help others.

If anyone interested in cipe could have a look at it and tell me if there are any obvious errors, I will update it and make it available. Once I've got cipe working, I'm going to turn my attention to IPsec and will write that up as it goes along if there is a demand.

Happy New Year everyone and thanks to Charles, Sandro and the many others who work so hard to make this stuff available.

Lee

CIPE on LRP how-to

-Getting and installing the software-

Grab the latest ciped-1 package from Sandro Minola's package archive at:
http://leaf.sourceforge.net/devel/sminola/files/packages

Save it to your LRP floppy and tell LRP to call it on boot by editing either syslinux.cfg (if you boot LRP from a floppy) or the lrpkg.cfg (if you boot from a floppy or a CD) file. Edit it by adding ciped-1 to the end of the line that starts LRP=

-Configuring cipe on LRP-

Boot the system and make sure that cipe is being loaded. If it is, you should see error messages in the boot display that show that cipe is unable to load the cipe modules using the parameter my.hostname.here and peer.hostname.here. This is a good sign. It means that the ciped-1 package has dumped the cipecb module in the /lib/modules directory and the options files into the /etc/cipe directory.

The two options files in the /etc/cipe directory are used to configure two cipe tunnels. We only need to configure one tunnel. (Is that right?)

We're going to assume that you want to use cipe to link two subnets, each of which is attached to eth1 of each of your LRP firewalls. Firewall 1's eth1 subnet is 192.168.1.0/24 and Firewall 2's eth1 subnet is 192.168.2.0/24.
The network looks like this: (clean up ASCIIgram!)

192.168.1.254 eth1 ---+------------+                                              +------------+--- eth1 192.168.2.254
                      | Firewall 1 | eth0 111.22.333.4 --WAN-- 111.22.333.55 eth0 | Firewall 2 |
192.168.1.253 cipcb0 -+------------+                                              +------------+--- cipcb0 192.168.2.253

You tell cipe this information either by using LRP's lrcfg menu system and going to Packages | CIPE | Options or by using vi to edit the options files in each firewall's /etc/cipe directory.

On Firewall 1 /etc/cipe/options.cipcb0 should look like this:

# the peer's IP address
ptpaddr 192.168.2.253
# our CIPE device's IP address
ipaddr 192.168.1.253
# my UDP address. Note: if you set port 0 here, the system will pick
# one and tell it to you via the ip-up script. Same holds for IP 0.0.0.0.
me 111.22.333.4:9990
# ...and the UDP address we connect to. Of course no wildcards here.
peer 111.22.333.55:9990
# The static key. Keep this file secret!
# The key is 128 bits in hexadecimal notation.
key 3248fd20adf9c00ccf9ecc2393bbb3e4

On Firewall 2 /etc/cipe/options.cipcb0 should look like this:

# the peer's IP address
ptpaddr 192.168.1.253
# our CIPE device's IP address
ipaddr 192.168.2.253
# my UDP address. Note: if you set port 0 here, the system will pick
# one and tell it to you via the ip-up script. Same holds for IP 0.0.0.0.
me 111.22.333.55:9990
# ...and the UDP address we connect to. Of course no wildcards here.
peer 111.22.333.4:9990
# The static key. Keep this file secret!
# The key is 128 bits in hexadecimal notation.
key 3248fd20adf9c00ccf9ecc2393bbb3e4

Save your edits. Do a *full* backup of the ciped-1 package to floppy and reboot.

Note: that if you do a *partial* backup of a package that you are loading from a floppy then you will lose the modules from your /lib/modules directory and cipe will not work.

When the machines come back up, watch the boot messages for any signs of problems. If there are none, test that you have got it right so far.
At the command line issue the command:

ip add

on each firewall to see if your cipcb module has loaded and picked up the IP address you want to bind to it. On Firewall 2 in our example network you should see an entry similar to the one below (though you will probably have a lower index number than 9 ;-)):

9: cipcb0: <POINTOPOINT,NOARP,NOTRAILERS,UP> mtu 1442 qdisc pfifo_fast qlen 100
    link/ipip 00:00:5e:83:62:00 peer 00:00:00:00:00:00
    inet 192.168.2.253 peer 192.168.1.253/32 scope global cipcb0

Ping the IP address to see if it is listening and responds.

p75firewall: -root- # ping 192.168.2.253
PING 192.168.2.253 (192.168.2.253): 56 data bytes
64 bytes from 192.168.2.253: icmp_seq=0 ttl=255 time=3.2 ms
64 bytes from 192.168.2.253: icmp_seq=1 ttl=255 time=1.3 ms

Now check that the ciped-1 package correctly loaded the route
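A consistency check for the pair of options.cipcb0 files described above, added here as an example and not part of the original post or of the ciped-1 package: it parses both files and verifies that each side's ptpaddr and peer mirror the other side's ipaddr and me and that both carry the same 128-bit hex key, the mismatches that otherwise only show up as a tunnel that passes nothing. The sample files, WAN addresses and key are constructed, not the ones in the post.

```python
import ipaddress
import re
# Constructed sample options files for the two firewalls (hypothetical
# documentation-range WAN addresses and a made-up key, not the post's values).
FIREWALL1_OPTIONS = """\
ptpaddr 192.168.2.253
ipaddr 192.168.1.253
me 192.0.2.4:9990
peer 198.51.100.55:9990
key 00112233445566778899aabbccddeeff
"""
FIREWALL2_OPTIONS = """\
ptpaddr 192.168.1.253
ipaddr 192.168.2.253
me 198.51.100.55:9990
peer 192.0.2.4:9990
key 00112233445566778899aabbccddeeff
"""
REQUIRED = ("ptpaddr", "ipaddr", "me", "peer", "key")

def parse_options(text):
    """Parse a cipe options file: 'name value' per line, '#' starts a comment."""
    opts = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if parts:
            opts[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return opts

def check_pair(text_a, text_b):
    """Cross-check two peers' options files; returns the list of problems found."""
    a, b = parse_options(text_a), parse_options(text_b)
    sides = (("firewall1", a), ("firewall2", b))
    problems = [f"{n}: missing {f}" for n, o in sides for f in REQUIRED if f not in o]
    if problems:
        return problems
    for name, opts in sides:
        if not re.fullmatch(r"[0-9a-fA-F]{32}", opts["key"]):
            problems.append(f"{name}: key is not 128 bits of hex")
        try:  # 'me' and 'peer' must be a valid IP address and a numeric UDP port
            for host, _, port in (opts[k].rpartition(":") for k in ("me", "peer")):
                ipaddress.ip_address(host), int(port)
        except ValueError:
            problems.append(f"{name}: me/peer must be address:port")
    # Each side's view of the other must mirror its own settings, and keys must match
    checks = (("ptpaddr/ipaddr", a["ptpaddr"] == b["ipaddr"] and b["ptpaddr"] == a["ipaddr"]),
              ("peer/me", a["peer"] == b["me"] and b["peer"] == a["me"]),
              ("key", a["key"] == b["key"]))
    problems += [f"{what} does not match between peers" for what, ok in checks if not ok]
    return problems
```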
[Leaf-user] Cipe modules not found
Hi,

Do any of you CIPE on LRP experts know how to fix this one? I have added S. Minola's ciped-1 package to my Dachstein boxes. These boxes are booting from a floppy then picking packages from the CD, except that the ciped-1 package is on the floppy. Do I need to manually move cipe modules around on the system? I ask because I am seeing the following among the boot messages:

Starting additional networking services:.
insmod: /lib/modules/2.2.19-3-LEAF-RAID: No such file or directory
insmod: cipcb.o: no module by that name found
Starting ciped-cb on cipcb0 using /etc/cipe/options.cipcb0
ciped-cb: not found
pid []
Starting ciped-cb on cipcb1 using /etc/cipe/options.cipcb1
ciped-cb: not found
pid []
dnscache queries allowed from 192.168...

In one box there is a cipcb.o module in /lib/modules and in the other box there isn't (only the network card modules) but it doesn't matter because I get the same error message on both boxes.

I'm willing (indeed eager) to write a CIPE on Dachstein faq in return as I get my systems up!

Thanks

Lee
[Leaf-user] Can't save etc.lrp - modules don't load
Hi there,

I'm booting Dachstein from a floppy which then reads packages from the latest Dachstein CD. The problem I'm experiencing is, I think, that the changes I am trying to make to /etc/modules are not being saved on to the floppy. I'm not entirely sure I've understood the config process for a Dachstein floppy and CD combination so I've set out my assumptions below in case I've got the concept wrong...

If I understand it correctly, I need to modify /etc/modules to remove the comments from the modules that I need and then save the file - as one would with E2B. I then need to back up the /etc system on to the floppy so that the modified etc.lrp gets loaded on boot. So that is what I am doing. I am seeing a back up menu item for:

2) etc Full fd0 msdos

and I am issuing b 2 to back this system up to the floppy. There's then a green write light on the floppy and all looks well.

When the system boots I see what I think is a sign that the floppy version of etc.lrp is being read, ie:

Linuxrc: Installing etc: /dev/cdrom /dev/fd0

but I don't see any signs that the uncommented modules are being loaded. The only clues I see to what is happening are a series of

SIOCGIFFLAGS: Operation not supported by device exiting

errors. These come after the message that invites contributions to dhcp code development. When the system tries to start the two interfaces in this box, it says it can't find them.

The problem is not restricted to NIC modules. If I uncomment kernel helper modules that are commented out by default in the /etc/module file - such as pptp support - and save and back up the file, I note that there is no sign this module loaded, although the modules that are uncommented on the CD do load.

I've tried manually loading the etc.lrp package using lrpkg -i etc and can see that etc.lrp loads but when I go back into the lrcfg menu system and then into Package Settings - Modules - Modules, I see that the lines I had uncommented are still commented.
I got on fine with E2B so I suspect the problem is that I have misunderstood part of the back up process for a floppy-booted Dachstein CD. Anyone know what I am doing wrong? Any help would be greatly appreciated!

Thanks

Lee