Re: [leaf-user] RoadWarrior and RSA: What does leftid or rightid mean? conn example

2003-03-26 Thread Michael Leone

William Brinkman said:
> Thitiporn,
>
> I looked over my notes again and the configuration I
> used was left - road warrior, right - firewall with
> ipsec.

FreeS/WAN uses "left" as the local information (i.e., the settings for the
machine it's running on), and "right" as the remote machine's settings. (l
& r, get it? :-)

So, on your firewall, left = the firewall settings, right = roadwarrior's
settings.

But on your roadwarrior, left = the roadwarrior settings, right = the
firewall's settings.

Each is a mirror image of the other.

At least, that's my understanding of it. My Pix IPSec here at work is
broke, and so I can't connect my Bering to it, and haven't had a chance to
configure my laptop as a roadwarrior, and connect from off-site (i.e.,
away from home).

HTH

>
> conn vpn
>
>type=tunnel
>left=%any
>leftrsasigkey=
>.
>.
>.
>right=aaa.bbb.ccc.ddd
>[EMAIL PROTECTED]
>.
>.
>
>#There is no leftid in my working configuration
> file
>
> Perhaps this plus the other will help-
>
> R - Bill
>






leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html


Re: [leaf-user] More Bering IPSec questions ...

2003-02-10 Thread Michael Leone
Lynn Avants said:
> It would definitely be in your best interest to read the Shorewall
> Ipsec/VPN  page on http://www.shorewall.net . IPSec definitely won't
> work with Shorewall unless you configure shorewall correctly. Do not use

OK. Haven't gotten that far yet; was just following the Bering docs for
the moment. And the samples linked off the FreeS/WAN page for connecting
to a Pix didn't seem to match up with the simple (?) config I wanted, of
PSKs between my Bering and the Pix.

> the 509 package if you are not using certs, the 509 package probably
> will not work with PSK's. --

It won't? Shoot. I do want to move to using certs, both between my Pix and
for any remote clients to my Bering box that I may have in future. But at
the moment, I have PSKs to my Pix. I'd hate to have to redo all my configs
when I do move to certs.

Ah, well. I do still have all the keys and certs and all on my main Linux
box; I suppose it won't be too bad to move them again later. I'll load up
the ipsec instead of the ipsec509, and see where it takes me.

Thanks.


-- 
PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Member, LEAF Project AIM: MikeLeone
Public Key - 
Registered Linux user# 201348







RE: [leaf-user] Bering w/IPSec troubles - no fswcert command in Debian?

2003-02-10 Thread Michael Leone
I had replied privately, but I'll include the list (BTW, please don't send
me private copies of list mail; it just means twice the bandwidth, since I
will see the message on the list anyway).

S Mohan said:
> If you are using Win2K clients, Chad has put up a good chapter. It would

No, I am not using any Win2K clients, not at this time. For now, I want a
subnet-to-subnet IPSec tunnel, between my Bering 1.0 box and my Pix at
work.

Thanks for the info, tho - it will come in handy, since eventually I will
want remote Win2K clients to connect to my Bering box.




Re: [leaf-user] More Bering IPSec questions ...

2003-02-10 Thread Michael Leone

K.-P. Kirchdörfer said:
> Am Montag, 10. Februar 2003 06:19 schrieb Mike Leone:
>> OK; so I think I'm making progress ...
>>
>> Anyway, when ipsec starts, I get:
>>
>> # svi ipsec start
>> ipsec_setup: Starting FreeS/WAN IPsec 1.99...
>> ipsec_setup: Using /lib/modules/ipsec.o
>> ipsec_setup: WARNING: eth0 has route filtering turned on, KLIPS may
>> not work ipsec_setup:  (/proc/sys/net/ipv4/conf/eth0/rp_filter = ,
>> should be 0)
>>
>> However, I have changed /etc/network/options, and changed spoofprotect
>> to no. Doesn't that turn off route filtering?
>
> It's set in shorewall configuration (interfaces(?)).

I thought it might, but the Bering docs indicate otherwise - that the
easiest way is by changing /etc/network/options.

> If that's all the "real" tunnel config is missing, these are only the
> "general" settings for every tunnel you'll define.

Correct; the tunnel definition is missing. That's what I was asking about
- what do I need to put here to make the tunnel work properly with a Pix
using pre-shared keys. The examples I've found on the FreeS/WAN site are
confusing and contradictory.




RE: [leaf-user] Bering w/IPSec troubles - no fswcert command in Debian?

2003-02-10 Thread Michael Leone

S Mohan said:
> If you are using Win2K clients, Chad has put up a good chapter.

I am not using Win2K clients.

(Not yet, anyway. Eventually, but that's a bit far in the distance)

What I want is for my Bering 1.0 to make an IPSec connection to my Pix. No
Win2K involved, at this point in time.




Re: [leaf-user] How do I punch a dynamic hole thru firewall?

2002-09-11 Thread Michael Leone


Duke Ionescu said:
> [This was originally posted to the LRP mailing list, where I was spat
> upon :]

How is the old LRP list? Haven't seen that since the mass exodus of users
and developers. I tried searching thru it via the web archive once, and
all I found was spam. :-)

Is Dave Cinege still doing any development with LRP? I thought he wanted
to stick with that Butterfly project of his instead.

(sorry; I don't have an answer for your question :-)




Re: [leaf-user] Bering SSH set-up...SSH file???

2002-09-04 Thread Michael Leone


Craig said:
> Hi folks,
> I'll try to combine my responses to all of the suggestions. 1.) I'm
> using Bering_1.0-rc3 2.) sshd appears to be running, i.e., if I use the
> ps | grep sshd command I see 31509 root 892 S grep sshd, but if I ps ax
> I don't see any sshd referenced (but I can't see all of the messages
> either due to screen size).

If you don't see something like:

turgon@mail:~$ ps ax | grep sshd
  526 ?        S      0:17 /usr/sbin/sshd
29033 ?        S      0:00 /usr/sbin/sshd
29035 ?        S      0:00 /usr/sbin/sshd

... then sshd is *not* running.

Try "svi sshd restart". What happens?




Re: [leaf-user] Bering SSH set-up...SSH file???

2002-09-04 Thread Michael Leone


Craig said:
> Hi folks,
> If there's one thing that seems to be agreed on, it sounds like having
> SSH installed and set-up on your router makes it easier to supply the
> newsgroup with sometimes needed file(s) info by literally copying and
> pasting.

Mailing list, not newsgroup, but 

> Having said that, I'm trying to set-up SSH on Bering and have a
> couple of questions: Do I also need to use the ssh.lrp package or do I

No; the ssh.lrp package is to allow you to ssh out from the firewall to
other hosts. You don't need it to ssh into the firewall, nor to sftp files
off the firewall. For that, you need the sshd (and associated libz, etc).




Re: [leaf-user] Mailing logs from Bering

2002-09-01 Thread Michael Leone


Erich Titl said:
> Hi Michael
>
> Michael Leone wrote the following at 17:52 30.08.2002:
>
>
>>I could have them log to my home mail machine. Again, tho - why?
>
> You would need no mail process...

On where, the home machine? Sure I do - it's how I (and a couple others)
send mail. :-) It's already doing mail for me and a couple virtual
domains. On Bering, mail is not a continuously running process.




Re: [leaf-user] Mailing logs from Bering

2002-08-30 Thread Michael Leone


Julian Church said:
> Hi Michael

Hi!

> At 10:18 30/08/02 -0400, Michael Leone wrote:
>
>>Julian Church said:
>> > I think you're missing the "to" keyword.  The line in your script
>> should be:
>>
>>No, the "to" is unnecessary; mail will work without it. My problem was
>> that Shorewall was blocking SMTP traffic from the firewall out to other
>> hosts.
>
> Thanks for the clarification, and sorry for the misleading info.

Oh, no problem. Thanks for trying to help.




Re: [leaf-user] Mailing logs from Bering

2002-08-30 Thread Michael Leone


Craig said:
> Hi folks,
> One of the things I enjoy so much about this newsgroup is all of the
> information one gleans from some of you people! Having said that, could
> someone explain to me...why would you WANT to have your log files
> e-mailed to you??? What are you trying to really achieve (i.e., what are you
> looking for)??? Thank you, have a great weekend!

The same reason you look at any logs - spot suspicious activity, trends,
problems, etc. If I have them emailed to me, I can keep copies, print
them, use them as evidence of disallowed user activity, if need be, etc.
Why SSH in, and use an editor/pager, when they will come to you? Why
WOULDN'T you want them emailed to you? :-)




Re: [leaf-user] Mailing logs from Bering

2002-08-30 Thread Michael Leone


Julian Church said:
> Hi Michael

> So I think you're missing the "to" keyword.  The line in your script
> should be:
>
> mail -s $LOG to [EMAIL PROTECTED]



Re: [leaf-user] Mailing logs from Bering

2002-08-30 Thread Michael Leone


Brad Fritz said:

>> 192.168.100.20. Will I need a special Shorewall rule to allow SMTP out
>> from the fw to a host on the LAN?
>
> Yes.  One that allows from the firewall zone to the mail
> server, e.g.
>
>   ACCEPT   fw   loc:192.168.100.20  tcp smtp

Yes, that works. I thought it might be that, but didn't want to mess
around with it without checking first. Thanks, Brad.

Perhaps the next rc of Bering would have an option "Do you want logs
mailed to you", and if so, then add the mail line, and the shorewall rule.

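The gap this thread turns on, as an added example that is not part of the original messages or of Shorewall: a simplified first-match model of a rules file, run on the rules quoted in the thread with and without the rule Brad Fritz suggests. The `SERVICES` map, the function names and the 203.0.113.9 sample source are assumptions made for the illustration; zone policies are not modelled, so `None` means the connection is left to the policy.

```python
"""Added example: which rule, if any, decides a connection in a Shorewall-style rules file."""
import ipaddress

# Constructed stand-in for /etc/services, limited to the names used below.
SERVICES = {"ftp": 21, "ssh": 22, "smtp": 25, "domain": 53, "http": 80,
            "pop-3": 110, "imap2": 143}

# The rules quoted in the thread, with the columns separated.
RULES_BEFORE = """\
ACCEPT  fw   net                 tcp  53
ACCEPT  fw   net                 udp  53
# Accept SSH connections from the local network for administration
ACCEPT  loc  fw                  tcp  22
DNAT    net  loc:192.168.100.20  tcp  ssh,ftp,http,smtp,pop-3,imap2
ACCEPT  loc  fw                  udp  53
ACCEPT  loc  fw                  tcp  80
"""
# The same file with the rule suggested in the reply appended.
RULES_AFTER = RULES_BEFORE + "ACCEPT  fw   loc:192.168.100.20  tcp  smtp\n"


def _endpoint(spec):
    """'loc:192.168.100.20' -> ('loc', IPv4Network); 'fw' -> ('fw', None)."""
    zone, _, addr = spec.partition(":")
    return zone, (ipaddress.ip_network(addr, strict=False) if addr else None)


def _port_ranges(field):
    """'smtp,110,6000:6010' -> [(25, 25), (110, 110), (6000, 6010)]."""
    def num(tok):
        return int(tok) if tok.isdigit() else SERVICES[tok]

    out = []
    for item in field.split(","):
        low, _, high = item.partition(":")
        out.append((num(low), num(high) if high else num(low)))
    return out


def parse_rules(text):
    """Parse ACTION SOURCE DEST [PROTO [PORTS]] lines, skipping comments and blanks."""
    rules = []
    for raw in text.splitlines():
        cols = raw.split("#", 1)[0].split()
        if len(cols) < 3:
            continue
        rules.append({
            "text": " ".join(cols),
            "action": cols[0].upper(),
            "src": _endpoint(cols[1]),
            "dst": _endpoint(cols[2]),
            "proto": cols[3].lower() if len(cols) > 3 else "all",
            "ports": _port_ranges(cols[4]) if len(cols) > 4 and cols[4] != "-" else None,
        })
    return rules


def _side_matches(endpoint, zone, ip):
    rule_zone, net = endpoint
    if rule_zone != zone:
        return False
    return net is None or (ip is not None and ipaddress.ip_address(ip) in net)


def deciding_rule(rules_text, src_zone, src_ip, dst_zone, dst_ip, proto, port):
    """Return the first rule matching the connection, or None if none does.

    A DNAT rule is treated as matching the connection to its translated
    destination (zone:address), which is a simplification.
    """
    for rule in parse_rules(rules_text):
        if (_side_matches(rule["src"], src_zone, src_ip)
                and _side_matches(rule["dst"], dst_zone, dst_ip)
                and rule["proto"] in ("all", proto)
                and (rule["ports"] is None
                     or any(lo <= port <= hi for lo, hi in rule["ports"]))):
            return rule
    return None


if __name__ == "__main__":
    # SMTP from the firewall itself to the mail host on the LAN.
    flow = ("fw", None, "loc", "192.168.100.20", "tcp", SERVICES["smtp"])
    for label, text in (("before", RULES_BEFORE), ("after", RULES_AFTER)):
        rule = deciding_rule(text, *flow)
        print(label, "->", rule["text"] if rule else "no rule, zone policy applies")
```

The DNAT line covers SMTP arriving from `net`, and the `loc` to `fw` lines cover administration, but nothing in the original file names `fw` as the source of a connection into `loc`.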



RE: [leaf-user] Mailing logs from Bering

2002-08-30 Thread Michael Leone


Luis.F.Correia said:
> Have you checked shorewall configuration?
>
> You might need to add something there.

Well, I do have shorewall configured to let thru SMTP, from the outside:

/etc/shorewall/rules:

#
ACCEPT  fw   net  tcp  53
ACCEPT  fw   net  udp  53
#
# Accept SSH connections from the local network for administration
#
ACCEPT  loc  fw   tcp  22
DNAT    net  loc:192.168.100.20  tcp  ssh,ftp,http,smtp,pop-3,imap2

# Bering specific rules:
# allow loc to fw udp/53 for dnscache to work
# allow loc to fw tcp/80 for weblet to work
#
ACCEPT  loc  fw   udp  53
ACCEPT  loc  fw   tcp  80

I can send email out from other machines on the local LAN thru
192.168.100.20. Will I need a special Shorewall rule to allow SMTP out
from the fw to a host on the LAN?



>
> -Original Message-
> From: Michael Leone [mailto:[EMAIL PROTECTED]]
> Sent: Friday, August 30, 2002 2:05 PM
> To: [EMAIL PROTECTED]
> Subject: [leaf-user] Mailing logs from Bering
>
>
> I'm having trouble getting Bering 1.0-rc3 to mail me its logs every day.
> I used to have Dachstein email my logs every day, and so I'd thought I'd
> have Bering do the same. So I changed /etc/multicron-p's rotatelogs to
> look like this:
>
> rotatelogs () {
>
> case $prog in
> *-d ) LOGFILES=$lrp_LOGS_DAILY  ;;
> *-w ) LOGFILES=$lrp_LOGS_WEEKLY  ;;
> *-m ) LOGFILES=$lrp_LOGS_MONTHLY ;;
> * )   return 1 ;;
> esac
>
> cd /var/log
> for LOG in $LOGFILES; do
> if [ -f $LOG ]; then
> savelog -g adm -m 640 -u root -c
> ${lrp_LOGS_DEPTH:-4} $L
> mail -s $LOG [EMAIL PROTECTED]
>  fi
> done
>
> svi sysklogd reload
> }
>
> which worked on DS. However, it doesn't work on Bering. In fact, it
> doesn't even work from the command line:
>
> : -root-
> # mail -s "messages" [EMAIL PROTECTED]  nc: connect: Connection refused
> Error: Unknown response.
>   RSET
>   0:
> Aborting due to connection error
>   Killing child processes: 1327 19012
>
> /etc/lrp.conf has this:
>
> # Host SMTP server for the 'mail' command. If blank the host 'mail' is used.
> lrp_MAIL_SERVER="192.168.100.20"
>
> # Email address to use for notices and alerts. If blank alerts won't be sent.
> lrp_MAIL_ADMIN="[EMAIL PROTECTED]"
>
> But I see nothing in the logs on my mailserver (which is indeed at the
> above IP).
>
> Thoughts?
>



[leaf-user] Mailing logs from Bering

2002-08-30 Thread Michael Leone

I'm having trouble getting Bering 1.0-rc3 to mail me its logs every day. I
used to have Dachstein email my logs every day, and so I'd thought I'd have
Bering do the same. So I changed /etc/multicron-p's rotatelogs to look
like this:

rotatelogs () {

case $prog in
*-d ) LOGFILES=$lrp_LOGS_DAILY  ;;
*-w ) LOGFILES=$lrp_LOGS_WEEKLY  ;;
*-m ) LOGFILES=$lrp_LOGS_MONTHLY ;;
* )   return 1 ;;
esac

cd /var/log
for LOG in $LOGFILES; do
if [ -f $LOG ]; then
savelog -g adm -m 640 -u root -c
${lrp_LOGS_DEPTH:-4} $L
mail -s $LOG [EMAIL PROTECTED]



Re: [leaf-user] portforward with ipchains

2002-06-04 Thread Michael Leone




On 4 Jun 2002 at 7:36, T Burt wrote:

> 
> I prefer to use VNC tunneled thru an SSH connection to manage my
> remote windoze boxes.

Actually, TS is on the order of about a THOUSAND times faster than 
VNC, even without SSH. :-)

(a slight exaggeration; I do use VNC to control my Windows boxes, and 
there is no sane comparison - for speed - between RDP and VNC. Also, 
RDP is like getting a *separate* virtual console in Linux; it is not 
remote control, like VNC is. It can be, if you install it that way, 
but usually is meant as a whole VM session)

Security may be a different issue.





Re: [leaf-user] portforward with ipchains

2002-06-04 Thread Michael Leone




On 4 Jun 2002 at 6:49, Joe Copeland wrote:

> On Tue, 2002-06-04 at 06:37, Jaime Goncalves wrote:
> > Hi I'm trying to rdp into my win2k server behind my lrp box this is
> > the command to open the port on the lrp box from the command line 
> > "ipchains -A  forward -p tcp -s xxx.xxx.xxx.xxx 3389 -d
> > xxx.xxx.xxx.xxx 3389 -j ACCEPT" can any one see a problem with the
> > syntax
> 
> I'm not sure what rdp is, but I wouldn't limit my source port to 3389.
> It seems unlikely that your source port will always be 3389.

RDP is Remote Desktop Protocol, what MS uses for their Terminal 
Services. And indeed, opening only 3389 incoming will work; I just 
set up my Pix at work yesterday to allow access to our TS server, and 
I only needed to open TCP 3389. MS doesn't send via a random high 
port, like some unix services do, so specifying 3389 as a source port 
will probably be fine.

I'm told that there are also times when it will use TCP 1494, but I 
don't know that for a fact. I do know we're doing production work 
specifying 3389.








Re: [leaf-user] RE: Forgotten my password for DS (floppy) - UPDATE

2002-05-19 Thread Michael Leone

On Sun, 2002-05-19 at 18:00, Michael Leone wrote:
> 
> Time to try editing the etc.lrp, and then re-inserting it onto the
> diskette.

I edited out the root password from /etc/passwd, /etc/shadow, and
/etc/shadow-, and then recopied the newly made etc.lrp to my diskette.
(so there were no characters between the "::" after "root", in all 3
files). This worked, and allowed me to boot with no root password.

So, first thing, I decided to change the root password to something
else. So I issued a "passwd" command, and it said it was successfully
changed. However, when I log out, and log back in, root still has no
password.

I've checked; the floppy is not write-protected.

Thoughts, anyone?

-- 

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
PGP public key:
<http://www.mike-leone.com/~turgon/turgon-public-key.gpg>

Conform or be cast out.






Re: [leaf-user] RE: Forgotten my password for DS (floppy)

2002-05-19 Thread Michael Leone

On Sun, 2002-05-19 at 16:34, Ant Ken wrote:
> hello
> 
> i have had trouble like this before what i did was this
> get your boot floppy, or if your running from a hard disk, a copy of 
> syslinux.cfg
> edit it and change the time out value to something like 5
> the default is:
>   timeout 0
> 
> 
> this seemed to work on mine

Changed it to 20 (using vim on linux), and it made no difference; on
boot, it went right to "Loading". Never sat there and waited.

> good luck, and i hope you get your router back!!!

And, naturally, the backup diskette I made 6 months ago now doesn't
boot. :-(

Time to try editing the etc.lrp, and then re-inserting it onto the
diskette.



[leaf-user] Forgotten my password for DS (floppy)

2002-05-18 Thread Michael Leone

Now this is embarrassing ...

I just had to reboot my dachstein (floppy) router/firewall for the first
time in 108 days. And now I've forgotten my root password. :-(

I must have changed it, and forgotten what it was.

Ordinarily, I would do a "linux single" at the boot prompt. Except that
there's no boot prompt. :-) How can I get back into my system?



Re: [Leaf-user] Unbelievable

2002-04-21 Thread Michael Leone

On Sun, 2002-04-21 at 02:47, Greg Morgan wrote:
> [EMAIL PROTECTED] wrote:
> > 
> > http://www.theregus.com/content/4/24611.html
> > 
> > It is absolutely inconceivable to me, if true, that
> > that is not some kind of criminal offense.
> 
> Ahhh but you and I are honest people that work for a living.  Like maybe
> a handshake still seals the deal.  However, if your current business
> model is losing money, then you have to change licensing models, and
> switch to dot net.  

The company in question is not losing money, however. And even
profitable companies have to switch to the new licensing models, if they
wish to retain their current levels of ... I suppose support, and
pricing.

> > users.  I wonder if Japanese industrialists run XP.
> 
> China has adopted linux because the price of windows products eat
> too much of their GNP.

I thought they created their own distribution of Linux, because they
didn't trust that MS would not include NSA backdoors, other "phone
home"/"spy on user habits" features, etc.



Re: [Leaf-user] updated weblet

2002-04-19 Thread Michael Leone

On Fri, 2002-04-19 at 16:27, Charles Steinkuehler wrote:
> 
> Where does all the time go?

Minneapolis, home of Morris Day and the Time, of course.



(sorry, it's been a rough day)




Re: [Leaf-user] forwarding Protocal 47(gre) on Eigerstein LRP

2002-03-04 Thread Michael Leone

On Mon, 2002-03-04 at 18:32, Matt Schalit wrote:
> 
>  > EchoWall Firewall Package for LEAF/LRP
>  > Version 1.40
>  > 06 Jan 2002
>  > 
>  >
>  > EchoWall is a firewall configuration package, meant for
>  > LEAF/LRP Linux (kernel 2.2.x) systems acting as IP-masquerading
>  > firewall/routers. It was built and tested for both the ES2B and
>  > Dachstein releases.
> 
> 
>Here in the readme, you even say that it's for ES2B and DF.

No, only that those distros were used to test and develop. It doesn't
say exclusively.

I run Mandrake 8.1, but I can use RPMs that say they were built and
tested on RedHat 7.x.

-- 

Michael J. Leone  Registered Linux user #201348 
ICQ: 50453890 AIM: MikeLeone

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
PGP public key:





[Leaf-user] Testing

2002-02-18 Thread Michael Leone

Hi. Don't mind me; I'm only a test of new filtering rules.



Re: [Leaf-user] Problems accessing POP server behind DS floppy

2002-02-09 Thread Michael Leone

On Sat, 2002-02-09 at 15:41, Charles Steinkuehler wrote:

> >
> > SO, what is so different about port 110 (pop-3) that is causing DS to
> > block it, and not the other ports?
> 
> Make sure you're allowing port 110 requests through the firewall (with
> either EXTERN_TCP_PORTS or EXTERN_TCP_PORTn).  If you're using the port name
> instead of number, make sure the name you use is EXACTLY as it appears in
> /etc/services.

D'OH!

THAT'S what I was overlooking; thanks.

-- 

--
Michael J. Leone  Registered Linux user #201348 
ICQ: 50453890 AIM: MikeLeone

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
PGP public key:


"Sometimes your lack of sympathy gets hard to explain, 
 So on your mask of make-up you just paint a little parody of pain" 
 "When you were young", Del Amitri





[Leaf-user] Problems accessing POP server behind DS floppy

2002-02-09 Thread Michael Leone

I'm having a problem accessing my POP server that is behind my DS
(floppy) firewall. I have no problems accessing it locally, so it
appears that the POP3 software is working fine.

From network.conf:

###
# Port Forwarding
###
# Remember to open appropriate holes in the firewall rules, above

# Uncomment following for port-forwarded internal services.
# The following is an example of what should be put here.
# Tuples are as follows:
#   
#INTERN_SERVERS="tcp_${EXTERN_IP}_ftp_192.168.1.1_ftp 
tcp_${EXTERN_IP}_smtp_192.168.1.1_smtp"
EX_IP=216.158.26.254
IN_IP=192.168.100.20
INTERN_SERVERS="tcp_${EX_IP}_ftp_${IN_IP}_ftp
tcp_${EX_IP}_smtp_${IN_IP}_smtp tcp_${EX_IP}_110_${IN_IP}_110
tcp_${EX_IP}_ssh_${IN_IP}_ssh tcp_${EX_IP}_www_${IN_IP}_www"

(line above is wrapped)

Only the port 110 service doesn't work; all the other services listed in
the INTERN_SERVERS line work (i.e., ftp, smtp, www - all are accessible
thru the firewall)

The port forwarding seems to be OK:

prot localaddr       rediraddr       lport rport pcnt pref
TCP  216.158.26.254  192.168.100.20     22    22    4   10
TCP  216.158.26.254  192.168.100.20     24    22   10   10
TCP  216.158.26.254  192.168.100.20    143   143   10   10
TCP  216.158.26.254  192.168.100.20    110   110   10   10
TCP  216.158.26.254  192.168.100.20     80    80    3   10
TCP  216.158.26.254  192.168.100.20     21    21    8   10
TCP  216.158.26.254  192.168.100.20     25    25    5   10

But DS is still blocking port 110:

Feb  9 13:49:38 ellcrys kernel: Packet log: input DENY eth0 PROTO=6 216.136.172.21:16762 216.158.26.254:110 L=44 S=0x00 I=27402 F=0x4000 T=50 SYN (#46)
Feb  9 13:49:44 ellcrys kernel: Packet log: input DENY eth0 PROTO=6 216.136.172.21:16762 216.158.26.254:110 L=44 S=0x00 I=30646 F=0x4000 T=50 SYN (#46)
Feb  9 13:49:56 ellcrys kernel: Packet log: input DENY eth0 PROTO=6 216.136.172.21:16762 216.158.26.254:110 L=44 S=0x00 I=38424 F=0x4000 T=50 SYN (#46)
Feb  9 13:50:20 ellcrys kernel: Packet log: input DENY eth0 PROTO=6 216.136.172.21:16762 216.158.26.254:110 L=44 S=0x00 I=53383 F=0x4000 T=50 SYN (#46)

SO, what is so different about port 110 (pop-3) that is causing DS to
block it, and not the other ports?

-- 

--
Michael J. Leone  Registered Linux user #201348 
ICQ: 50453890 AIM: MikeLeone

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
PGP public key:


"Sometimes your lack of sympathy gets hard to explain, 
 So on your mask of make-up you just paint a little parody of pain" 
 "When you were young", Del Amitri
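
The mismatch diagnosed in this thread (a port that is forwarded but still dropped on the input chain) can be found mechanically by cross-checking the kernel packet log against the port-forward listing. The Python below is an added example, not part of the original posts or of LEAF; the function names are hypothetical, the listing and the first two log records are taken from the post above, and the port-139 record is constructed.

```python
import re
from collections import Counter

# ipchains "Packet log" record, in the format shown in the post.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) .*?\(#(?P<rule>\d+)\)"
)
STAMP_RE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")  # syslog timestamp
PROTO_NAMES = {"6": "TCP", "17": "UDP"}

# Port-forward listing rows from the post (columns re-spaced).
SAMPLE_PORTFW = """\
prot localaddr       rediraddr       lport rport pcnt pref
TCP  216.158.26.254  192.168.100.20     22    22    4   10
TCP  216.158.26.254  192.168.100.20    110   110   10   10
TCP  216.158.26.254  192.168.100.20     80    80    3   10
"""

# First two records are from the post, still wrapped the way the mail client
# left them; the last record (port 139 from 192.0.2.10) is constructed.
SAMPLE_LOG = """\
Feb  9 13:49:38 ellcrys kernel: Packet log: input DENY eth0 PROTO=6
216.136.172.21:16762 216.158.26.254:110 L=44 S=0x00 I=27402 F=0x4000
T=50 SYN (#46)
Feb  9 13:49:44 ellcrys kernel: Packet log: input DENY eth0 PROTO=6
216.136.172.21:16762 216.158.26.254:110 L=44 S=0x00 I=30646 F=0x4000
T=50 SYN (#46)
Feb  9 13:51:02 ellcrys kernel: Packet log: input DENY eth0 PROTO=6
192.0.2.10:40000 216.158.26.254:139 L=44 S=0x00 I=100 F=0x4000
T=50 SYN (#46)
"""

def unwrap(log_text):
    """Rejoin records that were wrapped: a new record starts with a timestamp."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        if STAMP_RE.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def parse_portfw(listing):
    """Return {(proto, local_ip, local_port): (redir_ip, redir_port)}."""
    table = {}
    for line in listing.splitlines():
        f = line.split()
        if len(f) < 5 or f[0].lower() == "prot":
            continue  # header or blank line
        proto, laddr, raddr, lport, rport = f[:5]
        table[(proto.upper(), laddr, int(lport))] = (raddr, int(rport))
    return table

def filtered_forwards(log_text, portfw_listing):
    """Count input-chain drops aimed at a port that is also port-forwarded."""
    table = parse_portfw(portfw_listing)
    hits = Counter()
    for rec in unwrap(log_text):
        m = LOG_RE.search(rec)
        if not m or m["chain"] != "input" or m["action"] not in ("DENY", "REJECT"):
            continue
        proto = PROTO_NAMES.get(m["proto"], m["proto"])
        key = (proto, m["dst"], int(m["dport"]))
        if key in table:  # forwarded, yet the filter dropped it
            hits[key + (int(m["rule"]),)] += 1
    return hits

if __name__ == "__main__":
    table = parse_portfw(SAMPLE_PORTFW)
    for (proto, ip, port, rule), n in filtered_forwards(SAMPLE_LOG, SAMPLE_PORTFW).items():
        raddr, rport = table[(proto, ip, port)]
        print(f"{proto} {ip}:{port} forwards to {raddr}:{rport}, "
              f"but input rule #{rule} dropped {n} packet(s)")
```

Any port this reports needs a matching entry in EXTERN_TCP_PORTS (or EXTERN_TCP_PORTn), as the reply in this thread points out; drops to ports that are not forwarded, such as the constructed port-139 record, are left out.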





Re: [Leaf-user] DCD & java ???

2002-02-03 Thread Michael Leone

On Sun, 2002-02-03 at 17:31, Mark Plowman wrote:
> I am still of the opinion that LEAF is a floppy based
> firewall/router/network connectivity "thing" and *not* an appliance
> server, but then I am still running Eigerstein from a floppy instead
> of Dachstein from a CD ("if it ain't broke, don't fix it")!

I run Dachstein from a floppy and no hard drive. DS has a better kernel,
and somewhat easier network scripts, etc. So yeah, you can run it in
exactly the same way as Eigerstein. I am. :-)

-- 

--
Michael J. Leone  Registered Linux user #201348 
ICQ: 50453890 AIM: MikeLeone

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
PGP public key:


"Sometimes your lack of sympathy gets hard to explain, 
 So on your mask of make-up you just paint a little parody of pain" 
 "When you were young", Del Amitri





[Leaf-user] psentry problems

2002-01-27 Thread Michael Leone

I'm trying to install psentry.lrp, from
http://leaf.sourceforge.net/devel/sminola/files/packages/, and I'm
having problems.

1. Before I go further, is this the latest psentry?
2. When I do a "lrpkg -i psentry", I get

# lrpkg -i psentry
Installing psentry... gunzip: Invalid gzip magic
Done.

And the installation doesn't fully complete - there are no configuration
options in lrcfg.

Thoughts? Suggestions?
-- 

--
Michael J. Leone  Registered Linux user #201348 
ICQ: 50453890 AIM: MikeLeone

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
PGP public key:


"Sometimes your lack of sympathy gets hard to explain, 
 So on your mask of make-up you just paint a little parody of pain" 
 "When you were young", Del Amitri





[Leaf-user] Dachstein (floppy) passing IPSec ...

2002-01-21 Thread Michael Leone

I'm using Dachstein (floppy). I'd like to use the Cisco Secure client,
on a Win98 station on my LAN, to connect to my Pix at work. I do NOT
want the Dachstein to be one end of the IPSec tunnel; only to pass the
IPSec traffic to my (NATed) workstation. (eventually, when I get the
3DES license for my Pix, I'll want the Dachstein to be an end-point. Not
yet, tho)

1. I'd need to load ip_masq_ipsec on Dachstein, yes?
2. I'd need to open port 50, and port-forward protocol 500? Are there
entries already in Dachstein (/etc/ipfilter.conf?) to do this already,
and just need to be uncommented?

-- 

--
Michael J. Leone  Registered Linux user #201348 
ICQ: 50453890 AIM: MikeLeone

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
PGP public key:


"Sometimes your lack of sympathy gets hard to explain, 
 So on your mask of make-up you just paint a little parody of pain" 
 "When you were young", Del Amitri





[Leaf-user] Junkbuster

2002-01-19 Thread Michael Leone

I know there used to be a junkbuster.lrp. I've searched the LEAF page at
sourceforge, but didn't see it, or a link to it.

-- 

--
Michael J. Leone  Registered Linux user #201348 
ICQ: 50453890 AIM: MikeLeone

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
PGP public key:


"Sometimes your lack of sympathy gets hard to explain, 
 So on your mask of make-up you just paint a little parody of pain" 
 "When you were young", Del Amitri





RE: [Leaf-user] Is this newbie even in the right ballpark with LEAF? (Summary)

2001-12-25 Thread Michael Leone

On Mon, 2001-12-24 at 15:52, Dan Schwartz wrote:

> 
> >although this is not a particularly main-stream
> >thing.  If you really want to burst to 155 MBits/sec, you'll probably need
> >some form of hardware acceleration (at least for a year or two, until the
> >5-6 GHz CPU's come out).
> 
> 
>   If I need more CPU horsepower, I'll use 21264 (Alpha) CPU's instead.

Not with LEAF; it's x86 only. 

-- 

--
Michael J. Leone  Registered Linux user #201348 
ICQ: 50453890 AIM: MikeLeone

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
PGP public key:


Foreman, roving paving crew, Dept. of Roads, Hades.





RE: [Leaf-user] PPPoP DachStein Firewall going to two disk

2001-12-23 Thread Michael Leone

On Sun, 2001-12-23 at 19:21, Kevin wrote:

> Charles - once I added the multi298.lrp and rebooted, the backup script is

The multi298.lrp? Why are you loading this? Eiger (and later versions)
have multi-floppy support built-in.

> the one from Eiger and the boot process does not show the lrp packages
> loading from the /dev/fd0u1680, it shows them on one line as in Eiger.
> 
> How can we have two floppy disk support with DachStein for us with no cdrom
> boot support?

I use 2 floppies w/Dachstein (not CD version), in a system w/no CD.

> Then I went to Ken's single PPPoP floppy image. Was able to get it to work,
> however I need ssh, oidentd and junkbuster on my router. The single floppy

I run ssh (must be on first floppy, for some reason), and oidentd, and a
few others from the second floppy.

-- 

--
Michael J. Leone  Registered Linux user #201348 
ICQ: 50453890 AIM: MikeLeone

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
PGP public key:


Foreman, roving paving crew, Dept. of Roads, Hades.





RE: [Leaf-user] Dachstein 1.0.2 with PPPoE

2001-12-17 Thread Michael Leone

On Mon, 2001-12-17 at 20:51, Ray Olszewski wrote:
>
> Cable never (that I know of) uses PPPoE, and not all DSL lines do (mine
> doesn't, for example). For them, a 486 should be able to handle T1 speeds
> (1.5 Mbps) easily.

It's not the line that dictates PPPOE; it's the ISP. I have Verizon as a
line provider, and my ISP does not use PPPOE. When I had Verizon as an
ISP (as well as line provider), I *did* have to use PPPOE. This is over
the same line; I just switched the Internet servicing from Verizon to
DCA.NET.

-- 

--
Michael J. Leone  Registered Linux user #201348 
ICQ: 50453890 AIM: MikeLeone

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
PGP public key:


Foreman, roving paving crew, Dept. of Roads, Hades.





RE: [Leaf-user] Dachstein 1.0.2 with PPPoE

2001-12-17 Thread Michael Leone

On Mon, 2001-12-17 at 20:09, Paul Rimmer wrote:
> This really surprises me.  I was under the impression that a 486/66 would be
> able to service a maxed out cable modem?  I happen to be using a 486/66 on a
> cable connection but will upgrade if it will help throughput.
> 
> Any comments on 486 vs Pentium servicing a cable or ADSL modem?

Sure. It's not the processor; it's the bus speed that is a limiting
factor. I use a P90 (with PCI bus) on a 640Kb ADSL line; I routinely
average 62KB (that equates to 620Kb) downloads.


-- 

--
Michael J. Leone  Registered Linux user #201348 
ICQ: 50453890 AIM: MikeLeone

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
PGP public key:


Foreman, roving paving crew, Dept. of Roads, Hades.





[Leaf-user] ESB2 and NetMeeting

2001-10-12 Thread Michael Leone

Hi. Trying to use NetMeeting, from behind an EigerSteinbeta2 firewall.

I loaded up the ip_masq_h232 module. Based on the FAQ at 
http://www.coritel.it/coritel/ip/sofia/nat/nat2/nat2.htm, I'm trying to
port-forward the traffic properly (looks like tcp port 1503 and 1720). 
But I'm getting this:

# ipmasqadm portfw -a -P tcp -L 165.247.16.137/1720 -R 192.168.100.40/1720
165.247.16.137/1720: Unknown host
portfw: illegal local address/port specified


165.247.16.137 being the public IP of the station trying to call me.
My workstation is 192.168.100.40.
ESB2 is 192.168.100.254.

The FAQ says (as an example): 

/usr/sbin/pmasqadm portfw -f
/usr/sbin/pmasqadm portfw -a -P tcp -L public_nat_ip/1720 -R private_host_ip/1720
/usr/sbin/pmasqadm portfw -a -P tcp -L public_nat_ip/1503 -R private_host_ip/1503

What am I doing wrong?

-- 

--
Michael J. Leone  Registered Linux user #201348 
ICQ: 50453890 AIM: MikeLeone

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
PGP public key:


Taking a mental stroll through the psychic park of pleasure.





Re: [Leaf-user] Re: Firewall testing

2001-06-27 Thread Michael Leone

> I tried scanning with it too, and it gave no open ports.
>
> However, i have SSH and www open. I have a feeling it either tried to scan
> 192.168.0.3, which is the IP on this computer, or my ISP's transparent web
> proxy servers..

Actually, according to my logs, it looked like they were trying to scan with
a SOURCE IP address of 192.168.0.x. ESB2, by default, blocks all incoming
traffic with a RFC 1918 address (i.e., private range like 192.168.x.x). So,
I *think* that whatever port they were trying to test got thrown out ANYWAY,
since the source IP was invalid, and they never got to even test the port
they were trying for.

Altho why they would spoof their IP address for a *test* scan ... I dunno.






Re: [Leaf-user] Firewall testing

2001-06-26 Thread Michael Leone

On 09 Jun 2001 08:55:01 -0400, Sean E. Covel wrote:
> To all,
> 
> This is an interesting new test site.  Uses IP Spoofing, so it does not
> set off portsentry (first test that DIDN'T)  It was also the first test
> ever to say I had ports open/visible.  I'm using EB2 LRP, and have been
> on it awhile.  I'm no expert, so could some of you experts take a look
> at the tests (there are 2) and tell me what you see?

This is the only scan I've ever taken (with EigerSteinBeta2) that told
me I have ports 135, 137, 138 and 139 open. And ESB2 by default closes
these ports. 

Also, it says port 21 (ftp), 80 (web) is open for me. This is true. Yet
somehow, the scan missed port 22 (SSH), and port 113 (ident), both of
which I am also running, and therefore should both show as open.

Also says some of the 'scare' ports - 27374, 31337, etc (the ports that
SubSeven, Back Orifice, and others use) - are visible, but not open.

Makes me wonder about this scan. It missed some blatant ones, and
reported on other ports that other scan sites did not.


-- 
 
--
Michael J. Leone  Registered Linux user #201348 
ICQ: 50453890
PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF

Psyche closed for renovations.






Re: [Leaf-user] ESB2 and IPSec question

2001-06-21 Thread Michael Leone

> Unless you're trying to get something to work and know kernel support for
> it is missing, you should be just fine with the floppy-only or IDE kernel.

Ah. Thanks.

>
> > 2. Are these kernels different from the ones here?
> > http://lrp.steinkuehler.net/files/kernels/2.2.16-1-VPNMasq/
>
> Yes.  The previous include KLIPS (Kernel Level IPSec) support, required
> for FreeS/WAN (running IPSec on your router/firewall).  The VPNMasq kernel
> includes support for masquerading IPSec (running IPSec on a machine on
> your internal network).

Ok; thanks for pointing that difference out. Perhaps I missed it, but it
might not be a bad idea to mention that on the IPSec page (the differences
between them, and what situations you would need each kernel for).
>
> > 3. Do I use the modules from the page above with a kernel from the IPSec
> > page?
>
> Use standard Eiger modules with the IPSec kernels.  Use the VPNMasq
> modules with the VPNMasq kernel.

O-Tay.

Always, Charles is DA MAN. :-)






[Leaf-user] ESB2 and IPSec question

2001-06-20 Thread Michael Leone

Hello

Using EigerSteinBeta2. I want to add IPSec support, to connect to a
Cisco Pix firewall. On Charles's IPSec page
(http://lrp.steinkuehler.net/Packages/ipsec1.5.htm#DOWNLOAD), there are
3 IPSec-enabled kernels listed.

1. I can figure out what a floppy-only, and an IDE-enabled kernel is.
But what's a "full Eiger"? What does it add, that the others don't?

2. Are these kernels different from the ones here?
http://lrp.steinkuehler.net/files/kernels/2.2.16-1-VPNMasq/

3. Do I use the modules from the page above with a kernel from the IPSec
page?


-- 
 
--
Michael J. Leone  Registered Linux user #201348 
ICQ: 50453890
PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF






RE: [Leaf-user] eiger2beta

2001-06-19 Thread Michael Leone

On 19 Jun 2001 21:29:42 -0500, Dan wrote:
> Image is here:
> 
> http://lrp.steinkuehler.net/DiskImages/Eiger/EigerStein2BETA.htm
> 

I believe there used to be an "Eiger" image, which came before (and is
different from) the EigerStein (and EigerStein2BETA) image. I think this
is what he's referring to.

-- 
 
--
Michael J. Leone  Registered Linux user #201348 
ICQ: 50453890
PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF






Re: [Leaf-user] LRP 2.9.8 (2.0.x) and sshd

2001-06-19 Thread Michael Leone

> If you want a direct link to the latest openssh lrp package, here it is:
> http://leaf.sourceforge.net/devel/jnilo/openssh.html

FYI ... the web page here says to save boot.lrp, after adding the libz.

On EigersteinBeta2, there is no boot.lrp (at least, mine doesn't have one).
Saving root.lrp did save that library.






Re: [Leaf-user] USB for legacy systems

2001-06-15 Thread Michael Leone

From: "Luis.F.Correia" <[EMAIL PROTECTED]>

> By using USB, they are trying to keep people from using Linux based
> routers, for which they normally do NOT make drivers. Also no support.

They may not have the expertise to write Linux drivers. Or (more likely)
they feel that 9 out of 10 of their prospective customers use Windows/Mac,
and so they concentrate their efforts on those OSes. "Majority wins"
thinking. Doubt that it's the deliberate effort to force customers off
Linux, as you suggest.

> Well, three times the price is obscene!!!

THAT'S the truth. Lucky for me, my DSL "modem" just uses a standard Ethernet
port.

> I still think you should opt for a Pentium based router with on board USB,
> if that's your choice!

I'd agree. A 2nd hand Pentium 75 level machine should be more than enough
for LRP, and should be relatively inexpensive enough. I have a Pentium 100,
and most of the time, it might as well be asleep - using my 640K DSL line
doesn't tax it at all, really.







Re: [Leaf-user] VPN pre-install question

2001-06-14 Thread Michael Leone

> One of my clients has just bought a Cisco PIX firewall and I will be
> attempting to set up a VPN connection to them. Do you know if the PIX
> firewall can accept an IPSEC connection from a dynamic IP address.
> I have read that FreeSWAN can, I know that Checkpoint and W2K can't.
> I don't want to spend too much time attempting the impossible.

I can tell you that, when I was testing my PIX, we dialed a laptop into a
local ISP (and got a dynamic IP), and used the Cisco IPSec software to
connect to our Pix with no problem.

When you configure the Pix, you will have (probably) an RFC 1918 address on
the internal interface (i.e., 192.168.1.x). You would then also assign a
DIFFERENT RFC 1918 address to the incoming IPSec connection (we used
172.16.x.x); the incoming IPSec is then assigned this 2nd address. The Pix
will automatically route between them.







Re: [Leaf-user] VPN pre-install question

2001-06-14 Thread Michael Leone

> CS>
> Your best bet is to wander over to the FreeS/WAN site.  They have
> configuration examples and interoperation details for most mainstream
> IPSec providers.  Look at the latest (1.9) documentation as well as the
> 1.5 stuff, as 99% of the details are the same between versions, and the
> more recent docs are more complete.
>
> The FreeS/WAN list archives should also contain lots of info on getting
> tunnels up with a Cisco peer.

OK, I'll do that. But will they have examples specifically tailored for LRP,
or LRP packages? Those I'd need to get from you, seeing as to how I'm not a
package developer myself, and I'd want to establish the connection from my
LRP box, not from any of the workstations on the LAN (which is how I presume
most of the FreeS/WAN example configurations detail). It's why I asked here.







[Leaf-user] VPN pre-install question

2001-06-14 Thread Michael Leone



Howdy all
 
I've set up my work firewall (a Cisco Pix) to 
support IPSec, for VPN use. Now, most of the employees will no doubt use Cisco's 
software to securely connect, from Windows.
 
Me, OTOH, want to do it via IPSec from my 
EigerStein2Beta. :-)
 
So ...
 
1. Anybody doing this yet?
2. I'm probably going to use the VPN-enabled 
kernels and supporting files from Charles's site. That's FreeS/Wan 1.5, I 
believe. Will there be a problem connecting, considering that I'm using MASQ at 
home? Or will it be a LAN-to-LAN connection, and therefore (relatively) 
transparent to me, the user?
 
Any docs that reference this particular kind of 
situation? I know Charles has a set of kernels, files and docs, but do they 
cover this situation?
 
Thanks!
 


[Leaf-user] "Your message to linux-router awaits moderator approval"

2001-06-12 Thread Michael Leone

Hmmm. Dave seems to have turned the LRP list into a moderated list. 
Or perhaps it's just me - I got some (what I considered to be) snide offlist email,
which he says was sent to everyone involved in the thread (about unsubscribing from 
the list).

Which, I may add, I never said I was doing, nor advocated others doing,
nor did myself. Merely said I was also going to subscribe to LEAF.

If he wants to make LRP a moderated list for all users, it's my opinion
he'll find out that he likes all the work that entails even less. And if
it's just me, as one who participated in the "unsubscribing" threads ...
hey, if Dave wants to play little dictatorial power games, that's just
fine by me. 

Anyway ... just thought I'd point this out, in case anybody didn't know yet.

Forwarded message:
> Your mail to 'linux-router' with the subject
> 
> Re: [LRP] Looking for consensus
> 
> Is being held until the list moderator can review it for approval.
> 
> The reason it is being held:
> 
> Post to moderated list
> 
> Either the message will get posted to the list, or you will receive
> notification of the moderator's decision.
> 
> 

-- 
 
--
Michael J. Leone  Registered Linux user #201348 
ICQ: 50453890
PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF

In Pennsylvania, it is illegal to sleep on top of a refrigerator outdoors.


