[Leaf-user] My New Dachstein LRP

2002-03-08 Thread Lonnie Cumberland

Hello All,

I have been noticing some errors in my logs that look like:

Mar 8 00:33:44 a904j637 kernel: Packet log: input DENY eth0 PROTO=17
192.168.159.129:137 192.168.159.255:137 L=96 S=0x00 I=13824 F=0x
T=128 (#12)

but I have no machine 192.168.159.129 on my subnet and am only using
192.168.1.x

What does this mean?

Cheers,
Lonnie

-- 
 Lonnie Cumberland
 OutStep Technologies Incorporated
 EMAIL: [EMAIL PROTECTED]
  : [EMAIL PROTECTED]

 The Basis Express Virtual Office
   
 Data Backup and Recovery Services

 URL: http://www.basis-express.com

The Virtual Office without boundaries!!!





___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
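The log entry quoted in the message above uses the ipchains packet-log layout: chain, action, interface, protocol number, source, destination, then the L (length), S (TOS), I (IP id), F (fragment field), T (TTL) values and the rule number. The following Python sketch is an added example, not part of the original post: it parses such lines and notes sources that fall outside the 192.168.1.x LAN the poster describes. The first sample is the line from the post; the second is constructed, and the function names and service table are assumptions for illustration.

```python
import ipaddress
import re

# ipchains "Packet log" layout (Linux 2.2 kernels):
#   chain action iface PROTO=n src[:port] dst[:port] L= S= I= F= T= ... (#rule)
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))? "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9A-Fa-f]*) I=(?P<ipid>\d+) "
    r"F=(?P<frag>0x[0-9A-Fa-f]*) T=(?P<ttl>\d+)(?P<rest>.*)"
)
PROTOCOLS = {1: "icmp", 6: "tcp", 17: "udp", 47: "gre"}
# Ports that come up on this page (illustrative table, not exhaustive).
SERVICES = {53: "domain", 111: "sunrpc", 137: "netbios-ns", 138: "netbios-dgm",
            139: "netbios-ssn", 143: "imap", 443: "https", 445: "microsoft-ds",
            1723: "pptp", 2049: "nfs"}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Line from the post (re-joined), then one constructed line for contrast.
PAGE_LINE = ("Mar 8 00:33:44 a904j637 kernel: Packet log: input DENY eth0 PROTO=17 "
             "192.168.159.129:137 192.168.159.255:137 L=96 S=0x00 I=13824 F=0x "
             "T=128 (#12)")
CONSTRUCTED_LINE = ("Mar 8 00:41:02 a904j637 kernel: Packet log: input DENY eth0 "
                    "PROTO=6 192.168.1.12:3417 192.168.1.254:139 L=48 S=0x00 "
                    "I=4021 F=0x4000 T=128 SYN (#12)")


def parse_line(line):
    """Return the fields of one packet-log line as a dict, or None if it
    is not an ipchains packet-log line."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    try:
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
    except ValueError:
        return None
    rule = re.search(r"\(#(\d+)\)", m["rest"])
    to_port = lambda v: int(v) if v is not None else None
    return {
        "chain": m["chain"], "action": m["action"], "iface": m["iface"],
        "proto": int(m["proto"]),
        "src": src, "sport": to_port(m["sport"]),
        "dst": dst, "dport": to_port(m["dport"]),
        "length": int(m["length"]), "ttl": int(m["ttl"]),
        "frag": m["frag"],  # kept as text: the quoted line shows a cut-off "0x"
        "rule": int(rule.group(1)) if rule else None,
    }


def triage(entry, lan="192.168.1.0/24"):
    """Notes a defender would want next to a denied packet."""
    net = ipaddress.ip_network(lan)
    notes = []
    src = entry["src"]
    if any(src in n for n in RFC1918) and src not in net:
        notes.append(f"RFC 1918 source outside {lan}")
    if entry["dst"].packed[-1] == 255:
        notes.append("destination looks like a /24 broadcast")
    svc = SERVICES.get(entry["dport"])
    if svc:
        notes.append(f"service {svc}")
    return notes


def report(lines, lan="192.168.1.0/24"):
    """(src, dst, protocol name, notes) for every line that parses."""
    out = []
    for line in lines:
        e = parse_line(line)
        if e is not None:
            proto = PROTOCOLS.get(e["proto"], str(e["proto"]))
            out.append((str(e["src"]), str(e["dst"]), proto, triage(e, lan)))
    return out


if __name__ == "__main__":
    for row in report([PAGE_LINE, CONSTRUCTED_LINE]):
        print(row)
```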



[Leaf-user] New Dachstein Up and running, but

2002-03-05 Thread Lonnie Cumberland

Hello All,

Could someone please tell me what some of these connections are:

IP masquerading entries
prot   expire    source        destination      ports
udp    4:27.27   192.168.1.12  141.217.16.10    3464 -> 53 (61036)
udp    1:47.05   192.168.1.12  141.217.16.10    3452 -> 53 (61033)
udp    1:26.98   192.168.1.2   141.217.1.15     44155 -> 53 (61026)
tcp  224:13.85   192.168.1.2   141.217.17.10    143 -> 61670 (143)
udp    4:19.25   192.168.1.12  141.217.16.10    3463 -> 53 (61035)
tcp  232:44.85   192.168.1.12  216.136.226.118  3417 -> 5050 (61008)

The port 53 is DOMAINNAME, I think, and 143 is IMAP, right?

Those should be there I think, but what about the others?

Cheers,
Lonnie




Re: [Leaf-user] forwarding Protocal 47(gre) on Eigerstein LRP

2002-03-04 Thread Lonnie Cumberland

Thanks Scott,

I think that I will now proceed to upgrade my old EigerStein LRP to
the newer Dachstein one.

Could you please tell me about this EchoWall?

Thanks again for being a REAL help.
cheers,
Lonnie

 Lonnie, Boyd:

   Ah, serendipity. :) One email, two answers...

   To get a PPTP-based VPN client working from behind a
 LEAF/LRP disk, you need to do four things (none of which is
 to search the email archives, though that works too ;):

 1. Be sure to be using a VPN enabled kernel. Dachstein has
   this by default. Earlier stuff, including 2.9.8, doesn't.
   See Charles' page for the kernels. If you install a new
   one, *always* install with it the associated modules.

 2. Load the PPTP masq module: uncomment its line in /etc/modules,
   backup, reboot.

 3. Goof the firewall rules to allow protocol 47 and port 1723
   in.

 4. Use the ipfwd utility (ships by default) to forward the
   GRE (protocol 47) packets across the firewall.


   As you'd expect, steps 3 & 4 are done for you automagically
 using the echoWall package.
   Hope this helps!

 -Scott


 On Sun, 3 Mar 2002, Lonnie Cumberland wrote:

 Hello,

 Could you please tell me how to port forward this protocol 47 on
 my Eigerstein LRP box?

 I know how to forward regular ports coming in to a server behind
 the firewall, but I do not know about this protocol 47 (gre)

 Thanks,
 Lonnie





Re: [Leaf-user] forwarding Protocal 47(gre) on Eigerstein LRP

2002-03-04 Thread Lonnie Cumberland

Sorry for the dumb question Scott, but is Echowall an LRP package
that is either added to, or already on, the Dachstein CDROM?

Or, is it a complete separate LRP Firewall distro?

I guess that I have not been keeping up much since I have been using
the Eigerstein LRP version which was very easy to get set up for
masquerading and the like.

Thanks again,
Lonnie

 Lonnie:

   You can best find echoWall on freshmeat.net. The blurb
 there is fairly accurate. :)

 http://freshmeat.net/projects/echowall/

 cheers,
 Scott





[Leaf-user] My Mistake, but?

2002-03-04 Thread Lonnie Cumberland

Oops!!!

Sorry for the last email.

I just found out that Echowall is an LRP package that is added to
Dachstein. I guess that I will have to add it to the boot floppy when
I use the CDROM version.

Actually, I am wondering if it would be easy to put the Dachstein
CDROM LRP onto a small hard disk partition and have it boot from
there.

That is how I actually had the Eigerstein running and was very easy
to maintain.

Cheers,
Lonnie

 Lonnie:

   You can best find echoWall on freshmeat.net. The blurb
 there is fairly accurate. :)

 http://freshmeat.net/projects/echowall/

 cheers,
 Scott





Re: [Leaf-user] Samba across Eigerstein LRP

2002-02-22 Thread Lonnie Cumberland

Actually you are VERY right and I am now really looking into a VPN
solution.

Thanks for the advice.
Lonnie

 Yeech, you seem to want to broadcast all that NetBIOS stuff
 into the WAN connection that we're all spending years trying
 to block :(

 First, I will warn you  opening those ports on your firewall
 with any OS (particularly the Win9x/ME group) is pretty much
 like using a piece of cardboard to stop a tank. Opening up
 ssh/sftp or IPSec would be _highly_ recommended to doing NetBIOS.


 In fact, I am not sure that this would work at all w/o VPN
 because of the name resolution and MAC addressing. I wouldn't
 suggest WINS here at all, but you may come up with something
 possibly with a hosts or lmhosts file(s) on both computers. WINS
 addressing and DNS are similar, yet worlds apart in reality which
 makes me think that this would be very difficult to accomplish
 regardless of what you do to the firewall.

 In my experience, I would either do ftp w/address filtering (and
 permissions), VPN, or ssh/sftp with the emphasis on the latter
 two.
 --

 ~Lynn Avants
 aka Guitarlynn

 guitarlynn at users.sourceforge.net
 http://leaf.sourceforge.net

 If linux isn't the answer, you've probably got the wrong
 question!




[Leaf-user] Samba across Eigerstein LRP

2002-02-21 Thread Lonnie Cumberland

Hello All,

I have been having some trouble to be able to use Samba across my
LRP. Has anyone had luck with this?

I have port-forwarded netbios-ns, netbios-dgm, netbios-ssn ports on
tcp/udp 137,138,139 but still I cannot connect to my Samba server
which is on a Linux Redhat 7.2 box from outside the firewall.

I can connect while I am inside the firewall from my Windows ME
machine with no problems.

Is there some way to fix this?

Best Regards,
Lonnie







Re: [Leaf-user] Samba across Eigerstein LRP

2002-02-21 Thread Lonnie Cumberland

Hi Jonathan,

I think that it can be made into a WINS server by modifying a few of
the settings in the smb.conf file, but will I need to change my LRP
more?

I am running the Eigerstein LRP and have had VERY good luck in the
past with these masquerading firewalls that Charles has put together.

PS) Great Job Charles on the LRP!!!

cheers,
Lonnie


 Hi Lonnie,
   Since you already have a Samba server running, you can tell it
 to act as the WINS server also, which will allow Windows machines
 to see each other across subnets.  What kind of firewall is it?
 Do you use IP Masq?
   There is a bit of debate as to whether or not a WINS server is
 necessary, but it will make it work.
   - Jon




Re: [Leaf-user] Samba across Eigerstein LRP

2002-02-21 Thread Lonnie Cumberland

Hi Scott,

So you can now have Windows client connections from outside the LRP
to your Samba server inside the Firewall?

Is it working for you?

Also, what is on port 445? I do not know that one.

Cheers,
Lonnie

 Lonnie:
   Heya. Here's what I put into the SMB section of the
 echowall ruleset:

 #SMB#$IPCHAINS -A input -s 0/0 -d $IP_EXT/32 135 -p tcp -j ACCEPT
 #SMB#$IPCHAINS -A input -s 0/0 -d $IP_EXT/32 137:139 -p udp -j ACCEPT
 #SMB#$IPCHAINS -A input -s 0/0 -d $IP_EXT/32 139 -p tcp -j ACCEPT
 #SMB#$IPCHAINS -A input -s 0/0 -d $IP_EXT/32 445 -p tcp -j ACCEPT

   I'm not sure if all of them are needed for every
 SAMBA session, but I'd be hesitant to leave any out...

 cheers,
 Scott

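The rules quoted in the message above accept ports 135, 137:139 and 445 from any source (`-s 0/0`), which is the exposure warned about elsewhere in this thread. The following Python sketch is an added example, not echoWall's or any poster's code: it parses ipchains append rules of that shape and reports input-chain ACCEPT rules that open those ports to every address. Treating a `#SMB#`-tagged line as an enabled rule, the helper names, and the narrowed sample rule with its source address are assumptions for illustration.

```python
import re

# Ports opened by the quoted rules, with their usual service names.
EXPOSED = {135: "epmap", 137: "netbios-ns", 138: "netbios-dgm",
           139: "netbios-ssn", 445: "microsoft-ds"}
NAMES = {name: port for port, name in EXPOSED.items()}
ANY_SOURCE = {None, "0/0", "0.0.0.0/0", "0.0.0.0/0.0.0.0"}
SIMPLE_FLAGS = {"-A": "chain", "-p": "proto", "-j": "target"}
# Optional "#TAG#" prefix (assumed to mark a rule that gets switched on),
# then "$IPCHAINS" or a path ending in "ipchains", then the arguments.
RULE_RE = re.compile(
    r"^\s*(?:#\w+#)?\s*(?:\$IPCHAINS|\S*ipchains)\s+(?P<args>.*)$")

# The four rules as quoted in the post.
QUOTED_RULES = """\
#SMB#$IPCHAINS -A input -s 0/0 -d $IP_EXT/32 135 -p tcp -j ACCEPT
#SMB#$IPCHAINS -A input -s 0/0 -d $IP_EXT/32 137:139 -p udp -j ACCEPT
#SMB#$IPCHAINS -A input -s 0/0 -d $IP_EXT/32 139 -p tcp -j ACCEPT
#SMB#$IPCHAINS -A input -s 0/0 -d $IP_EXT/32 445 -p tcp -j ACCEPT
"""
# Constructed contrast: same port, one trusted peer (documentation address).
NARROWED_RULES = """\
$IPCHAINS -A input -s 198.51.100.20/32 -d $IP_EXT/32 139 -p tcp -j ACCEPT
"""


def parse_ports(spec):
    """'139' -> (139, 139); '137:139' -> (137, 139); open ends allowed."""
    lo, sep, hi = spec.partition(":")
    to_int = lambda p: NAMES[p] if p in NAMES else int(p)
    low = to_int(lo) if lo else 0
    high = to_int(hi) if hi else (65535 if sep else low)
    return low, high


def parse_rule(line):
    """Parse one ipchains rule line; None if it is not one or has a port
    name this sketch does not know. Negated (!) specs are not interpreted."""
    m = RULE_RE.match(line)
    if m is None:
        return None
    tok = m["args"].split()
    rule = {"chain": None, "src": None, "dst": None, "dports": None,
            "proto": None, "target": None}
    i = 0
    try:
        while i < len(tok):
            flag = tok[i]
            val = tok[i + 1] if i + 1 < len(tok) else None
            if flag in ("-s", "-d"):
                rule["src" if flag == "-s" else "dst"] = val
                i += 2
                # ipchains puts the port after the address as its own word.
                if i < len(tok) and not tok[i].startswith("-"):
                    if flag == "-d":
                        rule["dports"] = parse_ports(tok[i])
                    i += 1
            elif flag in SIMPLE_FLAGS:
                rule[SIMPLE_FLAGS[flag]] = val
                i += 2
            else:
                i += 1
    except ValueError:
        return None
    return rule


def audit(text):
    """(line number, protocol, exposed ports) for each input-chain ACCEPT
    rule that admits any source to a port in EXPOSED."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        rule = parse_rule(line)
        if not rule or rule["chain"] != "input" or rule["target"] != "ACCEPT":
            continue
        if rule["src"] not in ANY_SOURCE:
            continue
        # No port given means the rule covers every port.
        lo, hi = rule["dports"] or (0, 65535)
        hit = [p for p in sorted(EXPOSED) if lo <= p <= hi]
        if hit:
            findings.append((n, rule["proto"], hit))
    return findings


if __name__ == "__main__":
    for n, proto, ports in audit(QUOTED_RULES):
        names = ", ".join(f"{p}/{EXPOSED[p]}" for p in ports)
        print(f"rule {n}: {proto} open to any source: {names}")
```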



Re: [Leaf-user] Samba across Eigerstein LRP

2002-02-21 Thread Lonnie Cumberland

Hi Scott,

Where in the ipfilters.conf did you put these?

I could not locate a specific area that had already been set up for
SMB.

cheers,
Lonnie


 Lonnie:
   Heya. Here's what I put into the SMB section of the
 echowall ruleset:

 #SMB#$IPCHAINS -A input -s 0/0 -d $IP_EXT/32 135 -p tcp -j ACCEPT
 #SMB#$IPCHAINS -A input -s 0/0 -d $IP_EXT/32 137:139 -p udp -j ACCEPT
 #SMB#$IPCHAINS -A input -s 0/0 -d $IP_EXT/32 139 -p tcp -j ACCEPT
 #SMB#$IPCHAINS -A input -s 0/0 -d $IP_EXT/32 445 -p tcp -j ACCEPT

   I'm not sure if all of them are needed for every
 SAMBA session, but I'd be hesitant to leave any out...

 cheers,
 Scott




Re: [Leaf-user] Samba across Eigerstein LRP

2002-02-21 Thread Lonnie Cumberland

Well, no luck so far.

I added the rules to the bottom of my /etc/ipfilters.conf and
rebooted the LRP.

while trying to connect from an outside Linux machine I get:

smbclient -L www.outstep.com

but then get a connection timed out on 141.217.140.65:139

I have also added these in my port-forward section
-
# This is the Samba Netbios-ns
$IPMASQADM portfw -a -P tcp -L $EXTERN_IP netbios-ns -R 192.168.1.7 netbios-ns
$IPMASQADM portfw -a -P udp -L $EXTERN_IP netbios-ns -R 192.168.1.7 netbios-ns
echo Added Netbios-ns Port -- Samba Service

# This is the Samba Netbios-dgm
$IPMASQADM portfw -a -P tcp -L $EXTERN_IP netbios-dgm -R 192.168.1.7 netbios-dgm
$IPMASQADM portfw -a -P udp -L $EXTERN_IP netbios-dgm -R 192.168.1.7 netbios-dgm
echo Added Netbios-dgm Port -- Samba Service

# This is the Samba Netbios-ssn
$IPMASQADM portfw -a -P tcp -L $EXTERN_IP netbios-ssn -R 192.168.1.7 netbios-ssn
$IPMASQADM portfw -a -P udp -L $EXTERN_IP netbios-ssn -R 192.168.1.7 netbios-ssn
echo Added Netbios-ssn Port -- Samba Service


the 192.168.1.7 is my Linux Samba server that I can connect to from
the other machines currently behind the Firewall.

cheers,
Lonnie


 Lonnie:

   Hello! Yes, that's the idea. No, I've not tested
 it. Perhaps you can? Port-445 is Microsoft Domain Service,
 I believe. I saw it once in a tech-support document on
 their site.

 -Scott




[Leaf-user] VPN idea

2002-02-11 Thread Lonnie Cumberland

Hello All,

I had asked a question about mapping NFS through the firewall some
time ago and agree that it was not a good idea, but recently the idea
of setting up a VPN started to make sense to me regarding this
problem.

If I were to setup a VPN between 2 machines, the LRP I would guess and
the outside client, then the client on the VPN should act as though
it is really behind the firewall.

Wouldn't that then allow me to use NFS to connect to the client
machine from the server which is inside the real firewall protection?

cheers,
Lonnie

-- 
 Lonnie Cumberland
 OutStep Technologies Incorporated
 (313) 832-7366

 URL: http://www.outstep.com
 EMAIL: [EMAIL PROTECTED]
  : [EMAIL PROTECTED]







[Leaf-user] https port 443 problems

2002-02-09 Thread Lonnie Cumberland

Hello All,

I have gotten my Eigerstein LRP firewall up and running better these
days, but cannot seem to connect to my secure web server behind the
firewall even though port 443 is being forwarded through the LRP just
fine.

Does someone know what might be going on here and how I might be able
to fix it?

Thanks,
Lonnie




Re: [Leaf-user] https port 443 problems

2002-02-09 Thread Lonnie Cumberland

Hello,

Thanks all for the response to this email chain.

Well, you see I am just not getting any response when I try to
connect with a client outside of the LRP and the connection just
times-out.

and the rule that I have in place is:

$IPMASQADM portfw -a -P tcp -L $EXTERN_IP https -R 192.168.1.2 https

If I try to connect to https://192.168.1.2 from my client inside the
firewall at 192.168.1.12 then I can connect just fine.

It is only when I try to connect from a client outside the firewall
that everything seems to time-out.

I have also adjusted the VirtualHost settings for my Apache SSL
configuration which is running on Mandrake Linux 8.1.

Cheers,
Lonnie

 At 03:11 PM 2/9/02 -0500, Lonnie Cumberland wrote:
Hello All,

I have gotten my Eigerstein LRP firewall up and running better
these days, but cannot seem to connect to my secure web server
behind the firewall even though port 443 is being forwarded
through the LRP just fine.

Does someone know what might be going on here and how I might be
able to fix it?

 Well ... if they are being forwarded through the LEAF router,
 can we assume they are arriving at the https server? Or do you
 just mean that the LEAF router is *supposed* to be forwarding the
 port?

 If they are reaching the https server, what can you tell us about
 it? What OS? What https server software? What do its logs report
 about the attempted connection?

 And what does the browser tell you about the failures?  Surely
 you get more feedback from it than cannot seem to connect
 conveys to us.

 I've run SSL behind a NAT'ing firewall before (though I haven't
 done it in some time, and not here), so I know it can be done in
 principle. As usual, troubleshooting requires details.


 --
 Never tell me the odds! -- Han Solo
 Ray Olszewski
 Palo Alto, CA
 [EMAIL PROTECTED]
 





Re: [Leaf-user] multiple web DNS on LRP

2002-01-31 Thread Lonnie Cumberland

Hi There,

No actually I really think that it is an LRP problem because the IP
is being port-forwarded to the actual web server and thus the name
information is being lost.

From what I can tell about the Virtual hosting, if the Apache web
server resolves and redirects based upon the name then it should work.

My thoughts now are that maybe I need to install a web server onto my
LRP that can support virtual hosts.

cheers and thanks for the help,
Lonnie

 it sounds like you have an apache issue.
 try http://httpd.apache.org/docs/vhosts/index.html for
 help with virtual hosts with apache.
 HTH,
 brett

 --- Lonnie Cumberland [EMAIL PROTECTED] wrote:
 Hello All,

 How are you doing today? Good I hope.

 I have another small problem that I hope someone might have an
 answer for.

 The problem is this. I have 2 (real) DNS names that are pointing
 to the same (real) IP. I then have my LRP firewall and some servers
 behind it on a masquerade setup.

 From what I can find out, with Virtual hosting on my Apache
 webserver machine, I am supposed to be able to have 2 different DNS
 entries like www.test1.com and www.test2.com point to the same IP,
 1.2.3.4 and the web server will bring up the correct pages based
 upon the name that the user was trying to reach.

 Currently when a user comes to my IP, the LRP port-forwards to my
 masqd machine web server.

 How can I handle these 2 DNS entries with my LRP and still only
 have one IP?

 All help would be greatly appreciated.
 Lonnie



Re: [Leaf-user] multiple web DNS on LRP

2002-01-31 Thread Lonnie Cumberland

Thanks Lee for taking the time to explain this to me.

It clears up a lot of my confusion about the basic process.

Sorry if it was off-topic but I had originally thought that it had to
do with the LRP port-forwarding process.

Thanks again,
Lonnie








Re: [Leaf-user] Re: NFS mounting through Firewall

2002-01-30 Thread Lonnie Cumberland

Hello All,

While looking around on the net I came across this NFS via SSH that
you might be interested in taking a look at.

http://www.math.ualberta.ca/imaging/snfs/

Cheers,
Lonnie

 Would NFS tunneled through SSH be acceptable?

 dbc.


 On Tue, 29 Jan 2002, Lonnie Cumberland wrote:

 Hi Nicolas,

 I think that after much thought that I will opt to try to
 explain to them the security problems of using NFS over the
 firewall and try to use another solution instead.

 Thanks for all of the help to you and everyone on the list who
 always seems to try to answer most of my seemingly dumb
 questions.

 Cheers,
 Lonnie

  Hi Lonnie!
 
   Actually we are still a small company and this particular
   job is for some friends, a research group at the university who
   has recently had problems, who will not listen to reason
   about the problems of port-forwarding services like NFS.
   With that in mind, I told them that I would help get them as
   secure as possible given their specific requirements.
 
  Sorry, that's what I realized when I rethought about this (ie
  that it must have been something not internal to your
  company...).
 
  BTW, I hope these people are not in CS...
 
   Like many people in the academic arena, it will take getting
   hacked and attacked a few times before they realize that they
   should have listened to more well informed people in the
   past, like me, who has tried very hard to get them out of
   the current mentality of patch-work until the next
   problem.
 
  If these weren't your friends I would almost be tempted to
  suggest that you get this in writing that they prefer that
  solution over a more secure one (after being informed of the
  security implications)  (Some good ol' CUA...)
 
   So, being this, I will simply try to make the best out of
   what they have and will let get done.
 
  The problem seems to be that NFS doesn't seem to be very
  firewall friendly...
 
   These guys will learn with time I am sure.
 
  For their sake I hope so... (and before they get seriously
  hacked)
 
  After making some changes to the firewall and setting up the
  port-forwarding for sunrpc and nfs on udp packets, I am no
  longer getting an RPC time out but now just:
   mount: RPC: Unable to receive; errno = Connection refused
 
  This might seem like a dumb question (and sorry if you
  mentioned the answer to this one before, I couldn't find it)
  but were they communicating with each other before the
  firewall was installed?
 
  Anything in the logs?
 
  I haven't played with NFS recently but if I had that message
  I think I would check if I got the appropriate/relevant
  entries in hosts.allow & hosts.deny (ie lines for portmap,
  lockd, mountd, rquotad & statd).
 
  [The text at the following URL might be useful in getting this
  right:
  http://www.smartcomputing.com/editorial/article.asp?article=articles%2F2001%2Fs1206%2F48s06web%2F48s06web%2Easp]
 
  (Sorry, this might be too long for the mailing list, you'll
  probably have to cut & paste it...)
 
 
  on the client machine when I try to mount the directory.
 
  The client can been seen on the DNS as well as the server has
  the client IP in its hosts file.
 
  I assumed here that you meant the hosts files and not the
  hosts.allow  hosts.deny file, sorry if that was not the
  case...
 
 
  Any ideas from here?
 
 
  BTW, did you try opening the ports mentioned in the messages
  I posted? Apparently it's not easy getting them right but I do
  believe one of the messages actually mentioned a way of
  finding them out (rpcinfo -p or rpcinfo -p localhost)
 
  I did see a mention at the following URL
  http://www.io.com/help/linux/NFS-HOWTO-5.html (NFS and
  firewalls) that it might be possible to change the ports used
  by NFS to some specific ports but how this is done I
  unfortunately don't know (sorry...).
 
  Have a nice day & good luck!
 
  Nick
 
 



Re: [Leaf-user] NFS mounting through Firewall

2002-01-28 Thread Lonnie Cumberland

Hello Ray,

Actually because of the nature of our setup here, we have 2 machines
that need to allow for nfs mounting and although my personal thoughts
are that they too should be behind the firewall completely,
unfortunately I do not get the last word in this.

Opening port 2049 means that I have added this rule to the
ipfilter.conf file.

$IPMASQADM portfw -a -P udp -L $EXTERN_IP 2040 -R 192.168.1.16 2049

That is strange because the information that I was seeing from nmap
suggested that the nfs port was udp and on 2049 although I might be
wrong.

I actually do, from the client mount 1.2.3.4:/testdir /test
and after about 3 - 4 minutes I get:

mount: RPC: Timed out

does this help to clear things up?

Do I also need to open udp/tcp port 111?

Cheers,
Lonnie

 I haven't actually tried doing this, so I'm guessing a bit here
 (despite your fairly complete report this time) ... but the rpc
 portmapper will need to communicate to do the NFS mount. It
 listens on port 111 (TCP, I think). Your firewall probably blocks
 port 111 coming in and surely doesn't port-forward it to your
 inside NFS server.

 Then, I'm not sure what opened a udp port 2049 means, exactly.
 Since this is an outside machine coming in, you'll need both to
 open and to port-forward it.

 Finally, how long is a long time? If about 3 minutes, check
 once again for a DNS problem ... is the remote mount command
 using the right FQDN for your changed setup?

 Aside from that ... have you thought through the security
 implications of this setup? I haven't, but it feels risky to me.

 At 07:36 PM 1/28/02 -0500, Lonnie Cumberland wrote:
Hello All,

I have been trying, with no luck so far to mount a directory from
a machine that I have behind the Eigerstein LRP to a client
machine outside the firewall.

I have opened a udp port 2049 which is supposed to be for nfs,
but still I cannot seem to mount the server directory even though
I can mount the server directory to other machines that are also
inside the firewall.

When I issue the mount command on the external client it just
times out after a long time.

Does anyone have some idea?

I would give more specific details, but I am not getting any
information from the logs or on the command prompt.


 --
 Never tell me the odds!---
 Ray Olszewski-- Han Solo
 Palo Alto, CA
[EMAIL PROTECTED]
 


-- 
 Lonnie Cumberland
 OutStep Technologies Incorporated
 (313) 832-7366

 URL: http://www.outstep.com
 EMAIL: [EMAIL PROTECTED]
  : [EMAIL PROTECTED]







Re: [Leaf-user] NFS mounting through Firewall

2002-01-28 Thread Lonnie Cumberland

Thanks Ray,

If I can find a solution then I will post it so that others can see
what I had to do.

Thanks again,
Lonnie

 The NFS port is 2049. The rpc.portmapper port is 111, and it is
 involved in NFS mounts. I really don't know the details of how
 this should work through a firewall (unlike you, I *do* get the
 last word here, and we wouldn't even try this), but the "RPC"
 in your failure message is probably the failed Remote Procedure
 Call to the portmapper. (I assume the "1.2.3.4" part of what you
 posted is fake and you are using the correct real IP address.)

 I'm sorry I can't help you more specifically than this. You're
 probably going to have to experiment a bit to get this working
 right, and once you do, it may be worth your posting the details
 here, since I haven't ever seen this question posed before.

 At 08:39 PM 1/28/02 -0500, Lonnie Cumberland wrote:
Hello Ray,

Actually because of the nature of our setup here, we have 2
machines that need to allow for nfs mounting and although my
personal thoughts are that they too should be behind the
firewall completely,
unfortunately I do not get the last word in this.

Opening port 2049 means that I have added this rule to the
ipfilter.conf file.

$IPMASQADM portfw -a -P udp -L $EXTERN_IP 2040 -R 192.168.1.16
2049

That is strange because the information that I was seeing from
nmap suggested that the nfs port was udp and on 2049 although I
might be wrong.

I actually do, from the client mount 1.2.3.4:/testdir /test
and after about 3 - 4 minutes I get:

mount: RPC: Timed out

does this help to clear things up?

Do I also need to open udp/tcp port 111?

 [old stuff deleted]

 --
 Never tell me the odds!---
 Ray Olszewski-- Han Solo
 Palo Alto, CA
[EMAIL PROTECTED]
 


-- 
 Lonnie Cumberland
 OutStep Technologies Incorporated
 (313) 832-7366

 URL: http://www.outstep.com
 EMAIL: [EMAIL PROTECTED]
  : [EMAIL PROTECTED]







[Leaf-user] Re: NFS mounting through Firewall

2002-01-28 Thread Lonnie Cumberland

Hello Nicolas,

Actually we are still a small company and this particular job is for
some friends, a research group at the university who has recently had
problems, who will not listen to reason about the problems of
port-forwarding services like NFS. With that in mind, I told them that
I would help get them as secure as possible given their specific
requirements.

Like many people in the academic arena, it will take getting hacked
and attacked a few times before they realize that they should have
listened to more well informed people in the past, like me, who has
tried very hard to get them out of the current mentality of patchwork
until the next problem.

So, being this, I will simply try to make the best out of what they
have and will let get done.

Surprisingly, I have put in a few other eigerStein LRP firewalls
around here and those departments and groups completely, and I must
say easily, decided to go for the better protection schemes which I
had initially suggested.

These guys will learn with time I am sure.
Best Regards,
Cheers,
Lonnie

 Hello All,

   I have been trying, with no luck so far to mount a directory
   from a machine that I have behind the Eigerstein LRP to a
   client machine outside the firewall.

 Considering that, AFAIK, NFS has a very bad reputation
 security-wise I kinda think that this is a very bad idea (TM) (-;
 but if you still want to do it I think reading the following
 messages
 http://www.geocrawler.com/archives/3/90/1999/2/0/350356/ and
 http://www.esker.fr/itspublic/Documents/2804044B.htm might
 be useful to you.

 Apparently ( as far as I'm concerned fortunately) NFS doesn't
 appear to be very firewall friendly (It's apparently the port
 mapper which listens at port 111 tcp & udp (apparently, BTW, the
 name of this service is sunrpc/portmap) which hands out the port
 addresses which will be used...)

   I have opened a udp port 2049 which is supposed to be for nfs,
   but still I cannot seem to mount the server directory even
   though I can mount the server directory to other machines that
   are also inside the firewall.

 According to the list of well known port numbers
 (http://www.iana.org/assignments/port-numbers), and to the
 messages I posted the URL to previously you would have to open
 this in udp also (and as I believe Ray suggested probably to port
 forward them too...)

 BTW, I do believe that they are usually opened by default...

  Actually because of the nature of our setup here, we have 2
  machines that need to allow for nfs mounting and although my
  personal thoughts are that they too should be behind the
  firewall completely,
  unfortunately I do not get the last word in this.

 (-; (-; (-;

 If the President/CEO doesn't get the last word on this, who does?
 (I confess, I paid a visit to your website... (rackmounted
 servers/firewall, nice... (-; ). (-; (-; (-;

 Couldn't you establish a VPN tunnel between them instead,
 wouldn't that work better & be more secure?

  Opening port 2049 means that I have added this rule to the
  ipfilter.conf file.
 
  $IPMASQADM portfw -a -P udp -L $EXTERN_IP 2040 -R 192.168.1.16
  2049

 BTW, this is probably a typo that got there when you retyped that
 line but you've got port 2040 (instead of 2049) on the extern
 interface...

 If you do open these ports I would highly suggest that you open
 them only for the IP addresses of the other pc/server as some of
 these ports (especially 111) are regularly probed by people
 wanting to get into your pc...

 Good luck!

 Nicolas Riendeau

 PS: Please forgive my English as it is not my mother tongue.
 Thanks!


-- 
 Lonnie Cumberland
 OutStep Technologies Incorporated
 (313) 832-7366

 URL: http://www.outstep.com
 EMAIL: [EMAIL PROTECTED]
  : [EMAIL PROTECTED]







[Leaf-user] Re: NFS mounting through Firewall

2002-01-28 Thread Lonnie Cumberland

Hello Again

After making some changes to the firewall and setting up the port-
forwarding for sunrpc and nfs on udp packets, I am no longer getting
an RPC time out but now just:

mount: RPC: Unable to receive; errno = Connection refused

on the client machine when I try to mount the directory.

The client can be seen on the DNS as well as the server has the
client IP in its hosts file.

Any ideas from here?

Cheers,
Lonnie

 Hello All,

   I have been trying, with no luck so far to mount a directory
   from a machine that I have behind the Eigerstein LRP to a
   client machine outside the firewall.

 Considering that, AFAIK, NFS has a very bad reputation
 security-wise I kinda think that this is a very bad idea (TM) (-;
 but if you still want to do it I think reading the following
 messages
 http://www.geocrawler.com/archives/3/90/1999/2/0/350356/ and
 http://www.esker.fr/itspublic/Documents/2804044B.htm might
 be useful to you.

 Apparently ( as far as I'm concerned fortunately) NFS doesn't
 appear to be very firewall friendly (It's apparently the port
 mapper which listens at port 111 tcp & udp (apparently, BTW, the
 name of this service is sunrpc/portmap) which hands out the port
 addresses which will be used...)

   I have opened a udp port 2049 which is supposed to be for nfs,
   but still I cannot seem to mount the server directory even
   though I can mount the server directory to other machines that
   are also inside the firewall.

 According to the list of well known port numbers
 (http://www.iana.org/assignments/port-numbers), and to the
 messages I posted the URL to previously you would have to open
 this in udp also (and as I believe Ray suggested probably to port
 forward them too...)

 BTW, I do believe that they are usually opened by default...

  Actually because of the nature of our setup here, we have 2
  machines that need to allow for nfs mounting and although my
  personal thoughts are that they too should be behind the
  firewall completely,
  unfortunately I do not get the last word in this.

 (-; (-; (-;

 If the President/CEO doesn't get the last word on this, who does?
 (I confess, I paid a visit to your website... (rackmounted
 servers/firewall, nice... (-; ). (-; (-; (-;

 Couldn't you establish a VPN tunnel between them instead,
 wouldn't that work better & be more secure?

  Opening port 2049 means that I have added this rule to the
  ipfilter.conf file.
 
  $IPMASQADM portfw -a -P udp -L $EXTERN_IP 2040 -R 192.168.1.16
  2049

 BTW, this is probably a typo that got there when you retyped that
 line but you've got port 2040 (instead of 2049) on the extern
 interface...

 If you do open these ports I would highly suggest that you open
 them only for the IP addresses of the other pc/server as some of
 these ports (especially 111) are regularly probed by people
 wanting to get into your pc...

 Good luck!

 Nicolas Riendeau

 PS: Please forgive my English as it is not my mother tongue.
 Thanks!


-- 
 Lonnie Cumberland
 OutStep Technologies Incorporated
 (313) 832-7366

 URL: http://www.outstep.com
 EMAIL: [EMAIL PROTECTED]
  : [EMAIL PROTECTED]
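
An added example, not part of any message in this thread: a small checker that compares the `ipmasqadm portfw` rules quoted above with what the NFS server's portmapper has registered, since a client uses the port number the portmapper reports on the outside address. The `rpcinfo -p` listing, the mountd port 1024 and the second forward rule are constructed sample data; the function names are hypothetical.

```python
import re
from typing import NamedTuple

# Constructed sample of `rpcinfo -p` output on the inside NFS server.
# 111 and 2049 are the ports named in the thread; the mountd port (1024
# here) is made up, since the portmapper hands it out at start-up.
RPCINFO_SAMPLE = """\
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp   1024  mountd
    100005    1   tcp   1024  mountd
    100003    2   udp   2049  nfs
"""

# First rule: as posted in the thread (2040 on the outside).
# Second rule: constructed, in the same syntax, for the portmapper.
RULES_SAMPLE = """\
$IPMASQADM portfw -a -P udp -L $EXTERN_IP 2040 -R 192.168.1.16 2049
$IPMASQADM portfw -a -P udp -L $EXTERN_IP 111 -R 192.168.1.16 111
"""

RULE_RE = re.compile(
    r"portfw\s+-a\s+-P\s+(tcp|udp)\s+-L\s+\S+\s+(\d+)\s+-R\s+(\S+)\s+(\d+)")

class Forward(NamedTuple):
    proto: str
    ext_port: int
    host: str
    int_port: int

def parse_forwards(rules_text):
    """Extract every portfw rule, including one wrapped onto two lines."""
    return [Forward(m[1], int(m[2]), m[3], int(m[4]))
            for m in RULE_RE.finditer(rules_text)]

def parse_rpcinfo(text):
    """Return sorted unique (service, proto, port) rows, ignoring versions."""
    rows = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[0].isdigit():
            rows.add((fields[4], fields[2], int(fields[3])))
    return sorted(rows)

def check(rpcinfo_text, rules_text, server, protos=("udp",)):
    """List registered RPC services that the forwards do not cover.

    The -L (outside) port must equal the -R (inside) port, because the
    client reuses the number it got from the portmapper.
    """
    forwards = [f for f in parse_forwards(rules_text) if f.host == server]
    findings = []
    for service, proto, port in parse_rpcinfo(rpcinfo_text):
        if proto not in protos:
            continue
        hits = [f for f in forwards if f.proto == proto and f.int_port == port]
        if not hits:
            findings.append((service, proto, port, "missing"))
        elif all(f.ext_port != port for f in hits):
            findings.append((service, proto, port,
                             "outside port %d" % hits[0].ext_port))
    return findings

def exposed(rules_text):
    """Outside (proto, port) pairs the rules open to the external side."""
    return sorted({(f.proto, f.ext_port) for f in parse_forwards(rules_text)})

if __name__ == "__main__":
    for finding in check(RPCINFO_SAMPLE, RULES_SAMPLE, "192.168.1.16"):
        print("problem: %s/%s port %d: %s" % finding)
    for proto, port in exposed(RULES_SAMPLE):
        print("open to any source unless filtered: %s/%d" % (proto, port))
```

The `exposed()` list is the set of ports that, following the advice quoted above, should be reachable only from the addresses of the machines that need the mount.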







Re: [Leaf-user] NFS hanging up

2002-01-27 Thread Lonnie Cumberland

Thanks for the info,

the problem turned out to be the DNS, but it is all better now.

cheers,
Lonnie

 Lonnie --

 "it just seems to hang" is a bit too imprecise to make a good
 starting point. So I'll just take a wild shot at it -- might you
 have left in /etc/exports an entry for a hostname or IP address
 that is now unresolvable? If so, that would introduce a 3-minute
 delay at the point where you say the system hangs.

 More generally, do the Mandrake systems *ever* resume init'ing?
 Operationally, "ever" means wait about 5 minutes before deciding
 that they are completely blocked. Then see if a ^C will cause
 boot/init to resume.

 If you can get the boot/init sequence to complete, do the logs
 report anything interesting?

 Whatever is going on, your LEAF router is extremely unlikely to
 be involved (unless you need access to an off-LAN nameserver that
 you now cannot reach, or unless you were exporting to off-LAN
 hosts).

 At 11:18 PM 1/26/02 -0500, Lonnie Cumberland wrote:
Hello All,

I have just installed an EigerStein LRP firewall and it seems to
be working good, but

I have 6 machines which were NFS mounting and exporting various
directories before I put them behind the firewall so that they
could cross communicate. They worked just fine at that time with
the NFS.

I then put them behind the Eigerstein LRP firewall and changed all
of their /etc/hosts files to reflect the new IP's on each machine
and so that each machine could lookup the name of the other
machine from their hosts file.

The problem now is that when the NFS daemon is started on each
machine, it just seems to hang after reporting "Starting the
NFS daemon".

My OS on these machines is Linux Mandrake 8.1.

does anyone have any idea as to what is happening here and how I
might be able to fix it?

 --
 Never tell me the odds!---
 Ray Olszewski-- Han Solo
 Palo Alto, CA
[EMAIL PROTECTED]
 


-- 
 Lonnie Cumberland
 OutStep Technologies Incorporated
 (313) 832-7366

 URL: http://www.outstep.com
 EMAIL: [EMAIL PROTECTED]
  : [EMAIL PROTECTED]







[Leaf-user] FreeSCO firewall and Eigerstein LRP

2002-01-27 Thread Lonnie Cumberland

Hello All,

I came across another firewall called FreeSCO, not to be confused
with the OS, which is built from Linux as well and was wondering if
anyone had any experience with it?

Actually I was just trying to find out a comparison between it and
the Eigerstein LRP.

cheers,
Lonnie

-- 
 Lonnie Cumberland
 OutStep Technologies Incorporated
 (313) 832-7366

 URL: http://www.outstep.com
 EMAIL: [EMAIL PROTECTED]
  : [EMAIL PROTECTED]







Re: [Leaf-user] FreeSCO firewall and Eigerstein LRP

2002-01-27 Thread Lonnie Cumberland

Thanks for the info!!!

It was very helpful...

cheers,
Lonnie


 On Sunday 27 January 2002 19:34, Lonnie Cumberland wrote:
 Hello All,

 I came across another firewall called FreeSCO, not to be
 confused with the OS, which is built from Linux as well and was
 wondering if anyone had any experience with it?

 Actually I was just trying to find out a comparison between it
 and the Eigerstein LRP.


 For my IMHO, look at http://www.geocities.com/guitarlynn/lrp.html

 --

 ~Lynn Avants
 aka Guitarlynn

 guitarlynn at users.sourceforge.net
 http://leaf.sourceforge.net

 If linux isn't the answer, you've probably got the wrong
 question!


-- 
 Lonnie Cumberland
 OutStep Technologies Incorporated
 (313) 832-7366

 URL: http://www.outstep.com
 EMAIL: [EMAIL PROTECTED]
  : [EMAIL PROTECTED]







[Leaf-user] Secure Apache Server Question

2002-01-27 Thread Lonnie Cumberland

Hello All,

it seems that my firewall is now almost working the way that we want,
but we are having a little trouble getting the Apache SSL secure web
server to work even though we have set up a port forward for port 443
which is supposed to be for the secure connection I think.

Does anyone have any ideas?

The secured SSL Apache web server was working just fine before we
placed it behind the firewall, just to let you know.

Cheers,
Lonnie

-- 
 Lonnie Cumberland
 OutStep Technologies Incorporated
 (313) 832-7366

 URL: http://www.outstep.com
 EMAIL: [EMAIL PROTECTED]
  : [EMAIL PROTECTED]







[Leaf-user] NFS hanging up

2002-01-26 Thread Lonnie Cumberland

Hello All,

I have just installed an EigerStein LRP firewall and it seems to be
working good, but

I have 6 machines which were NFS mounting and exporting various
directories before I put them behind the firewall so that they could
cross communicate. They worked just fine at that time with the NFS.

I then put them behind the Eigerstein LRP firewall and changed all of
their /etc/hosts files to reflect the new IP's on each machine and so
that each machine could lookup the name of the other machine from
their hosts file.

The problem now is that when the NFS daemon is started on each
machine, it just seems to hang after reporting "Starting the NFS
daemon".

My OS on these machines is Linux Mandrake 8.1.

does anyone have any idea as to what is happening here and how I
might be able to fix it?

All help would be greatly appreciated,
Lonnie

-- 
 Lonnie Cumberland
 OutStep Technologies Incorporated
 (313) 832-7366

 URL: http://www.outstep.com
 EMAIL: [EMAIL PROTECTED]
  : [EMAIL PROTECTED]







Re: [Leaf-user] Proxy-ARP Script Problems

2001-09-17 Thread Lonnie Cumberland



Hello Charles,

I will be able to send you the "network.conf" and "ipfilter.conf" tomorrow.
As they are large, I will send them directly to you, ok.


Now then the test network that I had set up looked like this:


      INTERNET
          |  Gate (146.9.31.1)
          |  Class "C" (146.9.31.x)
          |
          |  146.9.31.19
       -------
       | LRP |
       -------
          |  146.9.31.19
          |
          |
          |  146.9.31.56
     ----------- (gate 146.9.31.1)
     | Test PC |
     -----------

With this basic setup I would have thought that I should be able to complete
the connection although it only seems to resolve the names if I try to run
Netscape. I can also PING from the LRP to the "Test PC" but I cannot PING
from the "Test PC" to anywhere.

cheers,
Lonnie



Charles Steinkuehler wrote:
 Please use reply-all to keep the leaf-user list in the thread...

   I had put the IP of the external machines in the DMZ_EXT_ADDRS, but on
   in the ethext_ROUTES.

   I will go and do that now.

   The only last problem seems to be as I have described in my last email
   to you.

   If I start up Netscape, for example, from a server in the DMZ and try to
   connect to a URL, www.yahoo.com for example, then it seems that netscape
   will resolve the address into its IP and then just say "connecting to
   x.x.x.x", but never actually connect.

   This same thing happens if I try to PING some address on the Internet to
   test my being able to connect to the server in the DMZ.

   any ideas as to why things are not connecting?

 Not without any more details...you are resolving names, which means you've
 got some sort of network connectivity (or cached data).  It could be
 something as simple as letting the arp caches timeout on your network (or
 manually flushing them), or there could be something wrong with your
 configuration (either in LRP, the systems you're trying to put in the DMZ,
 or both).  You need to provide details of exactly how things are configured,
 and exactly how you're testing.  Since you're trying to get DMZ systems
 running, in addition to the LRP configuration, we'll need information on how
 your DMZ system is configured as well.  See the troubleshooting HOWTO
 (available at my support page) for details on how to get the config
 information from your LRP system to a floppy.  Ideally, you can post the
 files online somewhere...if not, you can e-mail them directly to me.  If
 there's not too much data, you can send them as plain text through the
 leaf-user list, just copied into the body of the message.

 Charles Steinkuehler
 http://lrp.steinkuehler.net
 http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)






[Leaf-user] Proxy-ARP Script Problems

2001-09-15 Thread Lonnie Cumberland

Hello All,

I have been trying for a long time now to get the Proxy-ARP set up 
but I cannot seem to get the scripts to work. 

In every case, I can easily configure eth0 to talk to the outside 
world, but then I cannot talk to the DMZ

I have been using the EigerStein LRP and in the past have had no
troubles setting up the Masquerading firewall.

I have been trying to set up:

   With gate (146.9.31.1)

           INTERNET
              |
              | 146.9.31.19
           -------
           | LRP |
           -------
              | 146.9.31.19
              | (DMZ)
              |
   ---------- 146.9.31.x ----------
   |            |                 |
 Server       Server     ...    Server
  (38)         (18)                N

Could some one please send me some scripts that they have which are 
working?

I cannot seem to find the problem with mine.

Sincerely,
Lonnie

-- 
Lonnie Cumberland
OutStep Technologies Incorporated
TEL:(313) 832-7366

URL: http://www.outstep.com
EMAIL: [EMAIL PROTECTED]
 : [EMAIL PROTECTED]





[Leaf-user] Re: [Leaf-user] EigerStein DMZ v1.1 Proxy ARP installation

2001-07-12 Thread Lonnie Cumberland

Thanks everyone for the help and I will start trying to get things set
up with all of this great information.

The only last thing is that my current LRP installations are the
Eigerstein-Static versions that I have placed onto a small hard disk
on to the router so that I do not have to boot from a floppy.

Which version do I need to get that contains these scripts? Is this
the Eigerstein Beta or the CDROM version that I have heard about?

In any case, I want to also have it boot off of the small MSDOS hard
disk just like my old faithful masquerading firewall does so I presume
that I do not need any special re-compiled version, or do I?

Thanks for the help all,
Lonnie

 Actually I was also interested in only needing 2 ethernet cards
 as the scripts that I have seen seem to need 3.

 If all you want is the Proxy-arp DMZ, just ignore the internal
 network interface.  Of course, if you only have 2 NIC's
 installed, you'll have to change a few things (DMZ is setup for
 eth2 by default, which you don't have).

 Off the top of my head:
 Swap instances of eth1 & eth2 in network.conf (ie internal
 network=eth2, DMZ network=eth1)
 Remove eth2 from the IF_AUTO list, so the scripts don't try to
 automatically configure it
 Everything *should* work...

 Of course, you'll have some firewall rules masquerading your
 (non-existent) internal network on eth2 to the internet, but the
 rules don't hurt anything (except burning a few CPU cycles, which
 you should have plenty of, even with a 486).

 Holler if you run into trouble with the above changes, or still
 have problems once you've altered the DMZ for eth1.

 Charles Steinkuehler
 http://lrp.steinkuehler.net
 http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)




-- 
Lonnie Cumberland
President/CEO
OutStep Technologies Incorporated

TEL:(313) 832-7366
FAX:(313) 832-7366

URL: http://www.outstep.com

EMAIL: [EMAIL PROTECTED]
 : [EMAIL PROTECTED]

