Re: [leaf-user] A couple of odd behavior issues???

2005-02-21 Thread Mike Leone
Luis.F.Correia wrote:
>  
> Hi!
> 
> answer to question 1
> 
>> -Original Message-
>> From: Craig Caughlin [mailto:[EMAIL PROTECTED] 
>> Sent: Thursday, February 17, 2005 3:04 AM
>> To: LEAF
>> Subject: [leaf-user] A couple of odd behavior issues???
>> 
>> Hi folks,
>> I'm having a little seemingly odd behavior maybe someone can 
>> help me with.
>> 
>> 1.) If I "ps ax | grep eth", I only see eth0, there's no 
>> eth1. I should see
>> both, shouldn't I? I'm using the dnsmasq.lrp package and its 
> 
> if you are using ADSL, then your network device is ppp0

Not always correct. If your ADSL connection uses PPPOE, then you would
be correct. However, I have an ADSL connection that does not use PPPOE,
so I have 2 eth interfaces.




leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html


Re: [leaf-user] howto_restart/reload modules

2003-03-23 Thread Mike Leone
Jeff Newmiller ([EMAIL PROTECTED]) had this to say on 03/23/03 at 16:56: 
> > 
> > Can I get help on this in this forum?
> 
> This is an odd question...

I think he meant it as "Should I ask this here, or on the Shorewall list?".
At least, I hope that's what he meant.





Re: [leaf-user] Dachstein Port Forwarding

2003-02-14 Thread Mike Leone
Doug Sampson ([EMAIL PROTECTED]) had this to say on 02/14/03 at 15:07: 
> > 
> > But ... the ONLY change we are suggesting you make is to the Exchange 
> > server's default gateway. Does that *really* require a reboot 
> > on Windows? 
> > (I know the old joke about "You have moved your mouse - press 
> > any key to 
> > reboot", but surely Microsoft has make networking 
> > reconfiguration a bit 
> > more sane by now). OR does the proxy server require that it 
> > be the default 
> > gateway to function (if so, in what sense does it proxy)?
> 
> Yep, Win NT still requires a reboot for most configuration changes. Yes, we
> are still using Win NT- haven't seen the need to upgrade. See below for
> further info.

I've changed IP addresses in NT, w/o rebooting. Don't recall if that
included a gateway address change, tho. If you're up-to-date with SPs, *and*
that post-SP6 rollup, you should be able to make that change without
rebooting (I think).







Re: [leaf-user] More Bering IPSec questions ...

2003-02-10 Thread Mike Leone
Lynn Avants ([EMAIL PROTECTED]) had this to say on 02/10/03 at 22:05: 
> On Monday 10 February 2003 06:31 pm, Mike Leone wrote:
> > Hopefully, we'll find out soon. I followed the Shorewall VPN document to
> > the letter, and now will be trying to verify my ipsecrets.conf entries.
> >
> > (left is me, right is them - do I have that right? If so, I have all the
> > entries, except for that rightnexthop .. is that the gateway entry for the
> > other subnet?)
> 
> rightnexthop would be the ISP's router(gateway) for the 'other' network.
> The external interface on the router's themselves are 'right'/'left'.

That's about what I thought ... I'll have to check what the office Pix uses
as a gateway. I do have the external IPs of both subnets. 

Thanks; I'll post back the results, perhaps tomorrow.






Re: [leaf-user] More Bering IPSec questions ...

2003-02-10 Thread Mike Leone
Lynn Avants ([EMAIL PROTECTED]) had this to say on 02/10/03 at 19:17: 
> On Monday 10 February 2003 10:58 am, Charles Steinkuehler wrote:
> 
> > I am unaware of any issue that would prevent you from continuing to use
> > PSKs after switching to the 509 version of FreeS/WAN.  As far as I know,
> > PSKs work identically between the "plain" and x.509 patched versions.
> 
> That might be, I thought the packages (after 1.91 anyway) would bomb out
> on initiation if the certs weren't loaded (or there) on the x509 package. In 

Actually, I have the certs already, and they seem to be loading (which
doesn't mean that they *work*, of course :-) And if not, almost certainly my
error creating/configuring the certs). 

I think that if they load without error, I can then use PSKs instead of the
certs, if I choose. Or use both, perhaps, depending on the tunnel config.

> any case, it would be one less layer of possible problems until it tries to
> authenticate using PSK.

Hopefully, we'll find out soon. I followed the Shorewall VPN document to the
letter, and now will be trying to verify my ipsecrets.conf entries.

(left is me, right is them - do I have that right? If so, I have all the
entries, except for that rightnexthop .. is that the gateway entry for the
other subnet?)






[leaf-user] More Bering IPSec questions ...

2003-02-09 Thread Mike Leone
OK; so I think I'm making progress ...

Anyway, when ipsec starts, I get:

# svi ipsec start
ipsec_setup: Starting FreeS/WAN IPsec 1.99...
ipsec_setup: Using /lib/modules/ipsec.o
ipsec_setup: WARNING: eth0 has route filtering turned on, KLIPS may not work
ipsec_setup:  (/proc/sys/net/ipv4/conf/eth0/rp_filter = , should be 0)

However, I have changed /etc/network/options, and changed spoofprotect to
no. Doesn't that turn off route filtering?

Also, Shorewall complains that the gw zone is empty. The zones file looks
like:

gw  ipsec0  IPSec

with a tunnels file of:

# TYPE  ZONE    GATEWAY         GATEWAY ZONE
#
ipsec   net     146.145.122.19  gw

That's the public IP of my office's PIX firewall.

Did I miss something?

my /var/log/auth.log:

Feb 9 23:53:18 ellcrys ipsec__plutorun: Starting Pluto subsystem...
Feb 9 23:53:18 ellcrys pluto[29637]: Starting Pluto (FreeS/WAN Version 1.99)
Feb 9 23:53:18 ellcrys pluto[29637]: including X.509 patch (Version 0.9.15)
Feb 9 23:53:18 ellcrys pluto[29637]: Changing to directory '/etc/ipsec.d/cacerts'
Feb 9 23:53:18 ellcrys pluto[29637]: loaded cacert file 'cacert.pem' (1623 bytes)
Feb 9 23:53:18 ellcrys pluto[29637]: Changing to directory '/etc/ipsec.d/crls'
Feb 9 23:53:18 ellcrys pluto[29637]: loaded crl file 'crl.pem' (686 bytes)
Feb 9 23:53:18 ellcrys pluto[29637]: loaded my default X.509 cert file 
'/etc/x509cert.der' (1203 bytes)
Feb 9 23:54:13 ellcrys pluto[29637]: listening for IKE messages
Feb 9 23:54:13 ellcrys pluto[29637]: adding interface ipsec0/eth0 216.158.26.254
Feb 9 23:54:13 ellcrys pluto[29637]: loading secrets from "/etc/ipsec.secrets"
Feb 9 23:54:13 ellcrys pluto[29637]: loaded private key file 
'/etc/ipsec.d/private/IPSecServerKey.pem' (1751 bytes)
 
 
It seems that I'm waiting for incoming IPSec connections. Which is cool, and
which I will eventually want. But right now, I want to establish the IPSec
tunnel from me (216.158.26.254) to my Pix (146.145.122.19), using preshared
keys.

ipsec.secrets:

%any 146.145.122.19: PSK "-my-preshared-key"

: RSA   IPSecServerKey.pem  -my-passphrase-

ipsec.conf:

config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces=%defaultroute
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        # Use auto= parameters in conn descriptions to control startup actions.
        plutoload=%search
        plutostart=%search
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes

---
I have no idea what else to put into this file; I've seen so many
differently configured samples, that I'm just lost at this point. :-)

Clues appreciated.
 
 
  




Re: [leaf-user] Bering w/IPSec troubles - no fswcert command in Debian?

2003-02-09 Thread Mike Leone
S Mohan ([EMAIL PROTECTED]) had this to say on 02/09/03 at 21:18: 
> You do not need fswcert for Freeswan 1.96 upwards. In the ipsec.secrets
> file, you can give the name of the pem file itself. Freeswan will
> "automagically" discover the format of the key and extract it at
> startup. 

Good to know. :-) Meanwhile, I did find a copy of the fswcert program in an
old downloads directory.

> Your ipsec gateway's certificate should be stored in the
> /etc/ipsec.d/private directory (in either der or pem format) and be
> referenced in ipsec.secrets by filename with an optional passphrase as
> under:
> 
> : RSA  
> 
> The : RSA must start at the left margin. The file MUST have no more than
> 700 permissions and be owned by root to be secure.
> 
> It works. I've tried this.

I will try that, thanks.

The example /etc/ipsec.secrets file has a format like this:

: RSA   {
# -- Create your own RSA key with "ipsec rsasigkey"
}

Should I just include the filename and passphrase starting at the point of
that hash mark?

I'm trying to start small, and just connect to the Pix at work. Ideally, I'd
like a subnet-to-subnet connection (we use pre-shared keys, 3DES-level), so
that the office will be transparently available to me, regardless of what
machine I am using on my home LAN (Win2K, Linux, etc).

Later, I'll see if I can do it via certs.

Then work the other way, and connect from work to home LAN, using certs.

That's the game plan, anyway. :-)
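As an added example (not code from either post, nor from FreeS/WAN): a parser for the ipsec.secrets forms shown in this thread and the previous one (the `%any <ip>: PSK "..."` line, `: RSA <keyfile> <passphrase>`, and the `: RSA { ... }` block from the stock example file), which also flags a ':' entry that does not start at the left margin, plus a check of the owner/permission advice quoted above. The sample contents, the `write_sample` helper and the `expect_uid` parameter are constructed so the check runs offline as a non-root user.

```python
import os
import re
import stat
import tempfile

# Constructed ipsec.secrets contents in the two forms the posts show:
# a PSK entry with selectors, and ": RSA <keyfile> <passphrase>".
SAMPLE_SECRETS = """\
# constructed example, not a real secret
%any 146.145.122.19: PSK "-my-preshared-key"

: RSA   IPSecServerKey.pem  -my-passphrase-
"""
# The ": RSA { ... }" block form from the stock example file.
SAMPLE_INLINE = ': RSA   {\n# -- Create your own RSA key with "ipsec rsasigkey"\n}\n'

ENTRY_RE = re.compile(r'^(?P<selectors>[^:#]*):\s*(?P<kind>PSK|RSA)\s+(?P<rest>.*)$')

def parse_secrets(text):
    """Return (entries, problems): selectors and kind per entry, and for RSA
    whether the key is an inline {...} block or a key file name."""
    entries, problems = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = ENTRY_RE.match(stripped)
        if not m:
            continue            # inside an inline block, or a '}' line
        if raw[0].isspace():    # FreeS/WAN wants ':' entries at column 1
            problems.append(f"line {no}: ':' entry must start at column 1")
        e = {"line": no, "selectors": m["selectors"].split(), "kind": m["kind"]}
        if m["kind"] == "RSA":
            words = m["rest"].split()
            e["form"] = "inline" if words[0] == "{" else "file"
            if e["form"] == "file":
                e["keyfile"] = words[0]
                e["passphrase"] = words[1] if len(words) > 1 else None
        entries.append(e)
    return entries, problems

def check_secret_file(path, expect_uid=0):
    """Findings against the thread's advice: owned by root (uid 0 unless
    overridden for testing) and no group/other permission bits."""
    st = os.stat(path)
    findings = []
    if st.st_uid != expect_uid:
        findings.append(f"owner uid {st.st_uid}, expected {expect_uid}")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {stat.S_IMODE(st.st_mode):04o} readable beyond owner")
    return findings

def write_sample(text, mode):
    """Constructed helper: write text to a fresh temp file with the given
    mode and return (path, owner uid) so the check can run offline."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "w") as f:
        f.write(text)
    os.chmod(path, mode)
    return path, os.stat(path).st_uid
```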





[leaf-user] Bering w/IPSec troubles - no fswcert command in Debian?

2003-02-09 Thread Mike Leone
I'm trying to set up my Bering 1.0-stable installation to use IPSec
(eventually, I want to do IPSec passthru to my office's Pix firewall, but I
might also want to use IPSec to connect into my LAN from the outside). 

I'm following http://leaf.sourceforge.net/devel/jnilo/buipsec.html, creating
the certs on my Debian testing machine. However, the directions call for
using the "fswcert" utility from the FreeS/WAN package (I assume that's
where it's from; the docs don't say, but that's what my Googling has turned
up) to extract out the private key of the server. Apparently, Debian does
not include this utility anymore (although I'm unclear why).

Anyway, how can I extract out the private server key, without using the
fswcert utility? I have the CA cert, server cert, and client cert already
created.






Re: [leaf-user] Trouble getting to the Web (2nd time)

2003-01-24 Thread Mike Leone
Jay Langford ([EMAIL PROTECTED]) had this to say on 01/24/03 at 00:44: 
> 
> I think this is the problem
> 
> >>LRP=root,dhcpd,etc,local,modules,iptables,shorwall,dnscache,weblet
> 
> Not enough packages there by the look of it.., You said you have a DSL
> modem.. you should use the PPPOE package to get online...

PPPOE is *not* automatically required for DSL; only if your provider uses it
do you need it. For example, my ISP does not, so I don't need or use PPPOE for
my DSL.





Re: [leaf-user] ICQ direct connection

2002-11-14 Thread Mike Leone
Vaclav Bouse ([EMAIL PROTECTED]) wrote this on 11 13, 02 at 15:04: 
> But the biggest problem with Bering is that it's impossible to use ssh
> (too big, and the smaller one from Dachstein needs some libraries) and telnet

Works fine for me. But then, I use 2 floppy drives, and store ssh on the 2nd
one.

-- 
PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Member, LEAF Project AIM: MikeLeone
Public Key - 
Registered Linux user# 201348






Re: [Leaf-user] AOL vpn restricted??

2002-03-12 Thread Mike Leone

> We have a user trying to use our VPN (ipsec)
> thru a dialup AOL account and it doesn't work.
> 
> Does anyone know for sure if AOL filters ipsec,
> protocol 50 & 51,  udp port 500 ??

Empirically, I'm gonna say yes. Which means I had the same problems as you - using AOL 
v6, I could not complete an IPSec connection to my Cisco Pix firewall. 

Dial with a normal (i.e., non-AOL) ISP (a standard PPP connection) ... IPSec connects 
just fine.

I believe Comcast was talking about doing the same - filtering out IPSec connections, 
even those initiated by their customers - since they seem to think that you should 
pay more for a business style connection, if you wish to work from home .. or even 
make *any* kind of IPSec connection, work-related or not.



___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user



Re: [Leaf-user] Help with demand dial on Dachstein

2002-02-19 Thread Mike Leone


- Original Message - 
From: "Matt Schalit" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, February 19, 2002 12:39 PM
Subject: Re: [Leaf-user] Help with demand dial on Dachstein


> Mike Leone wrote:
> > 
> > > This FAQ and many others need to be updated. The lrp.c0wz.com site is no
> > > longer maintained. There are mirrors of its content at:
> > 
> > Really? Rick called it quits with LRP/LEAF? How sad.
> 
> 
>   I thought we were all happy that Rick found a job that
> keeps him so busy.  I didn't hear that he "quit" so to 
> speak.  (Though he left awful quiet like :-)

Well, he's not maintaining his site anymore. Stopped providing ongoing support and 
resources, even if he didn't quit being a user.

I wondered where he was; I remember his posts about being out of work; guess I missed 
the one about finding new work.

Oh, well - good luck to you, Rick, if you're listening. :-)







Re: [Leaf-user] Help with demand dial on Dachstein

2002-02-19 Thread Mike Leone

> This FAQ and many others need to be updated. The lrp.c0wz.com site is no 
> longer maintained. There are mirrors of its content at:

Really? Rick called it quits with LRP/LEAF? How sad.







Re: [Leaf-user] VPN horsepower

2002-02-01 Thread Mike Leone

Think it would depend more on the number of simultaneous connections, and the amount 
of traffic.

My Cisco Pix 515 firewall has a Pentium 200, 32M of RAM in it. I've had a couple of 
simultaneous connections on it with no problems.

- Original Message - 
From: "Christopher Holmes" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, February 01, 2002 1:20 PM
Subject: [Leaf-user] VPN horsepower


> Forgot to ask in my last post...
> 
> Is a Pentium 90 beefy enough to handle the encryption on a VPN?  We've
> got about 200K DSL connection.
> 
> Chris
> 
> 
> 
> 





Re: [Leaf-user] tcp ports 445 & 524 ???

2002-01-09 Thread Mike Leone

> Jan  8 17:12:31 trout kernel: Packet log: input DENY eth0 PROTO=6
> a.b.c.157:63882 x.y.z.86:524 L=48 S=0x00 I=15350 F=0x4000 T=112 SYN
> (#45)
>
> Jan  8 17:12:55 trout kernel: Packet log: input DENY eth0 PROTO=6
> a.b.c.157:63884 x.y.z.86:445 L=48 S=0x00 I=15570 F=0x4000 T=112 SYN
> (#45)
>
> Coincidentally, around these same times -- *no* direct correlation, yet
> -- we were doing testing, trying to get windoze networking working
> across the ipsec gateways, also established between these same two
> firewalls.
>
> However, a.b.c and x.y.z are the un-encrypted, external addresses of
> these firewalls.
>
>  doesn't really answer the
> questions about what is happening here.

Isn't port 445 the port that Win2K uses for non-NetBIOS communication? The
port it uses if you disable NetBIOS over TCP/IP.
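
Added here as an example (not code from the thread): a parser for the ipchains "Packet log" lines quoted above, with a filter that keeps only denied TCP SYNs to the two ports asked about, 445 and 524, and a per-source summary. The sample lines are constructed (the first two are the quoted ones un-wrapped onto single lines, the last two are made up), and the field layout in the regex is inferred from those quoted lines.

```python
import re
from collections import Counter

# Constructed sample in the ipchains "Packet log" format quoted in the post.
# Lines 1-2 are the quoted ones, un-wrapped; lines 3-4 are made up (a UDP 137
# packet and an accepted SYN) to show what the filter ignores.
SAMPLE_LOG = """\
Jan  8 17:12:31 trout kernel: Packet log: input DENY eth0 PROTO=6 a.b.c.157:63882 x.y.z.86:524 L=48 S=0x00 I=15350 F=0x4000 T=112 SYN (#45)
Jan  8 17:12:55 trout kernel: Packet log: input DENY eth0 PROTO=6 a.b.c.157:63884 x.y.z.86:445 L=48 S=0x00 I=15570 F=0x4000 T=112 SYN (#45)
Jan  8 17:13:02 trout kernel: Packet log: input DENY eth0 PROTO=17 a.b.c.157:137 x.y.z.86:137 L=78 S=0x00 I=15571 F=0x0000 T=112 (#45)
Jan  8 17:13:10 trout kernel: Packet log: input ACCEPT eth0 PROTO=6 a.b.c.157:63890 x.y.z.86:445 L=48 S=0x00 I=15600 F=0x4000 T=112 SYN (#12)
"""

# Field layout inferred from the quoted lines (assumption: other flag words
# a real log may carry are not covered by this pattern).
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: Packet log: "
    r"(?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>\S+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x[0-9a-fA-F]+ I=\d+ F=0x[0-9a-fA-F]+ T=\d+"
    r"(?: (?P<flags>SYN))? \(#(?P<rule>\d+)\)$"
)

# 445 is SMB over TCP without NetBIOS (what the reply describes); 524 is the
# other port the poster saw denied.
WATCH_PORTS = {445, 524}

def parse_packet_log(line):
    """Return the fields of one ipchains log line as a dict, or None if the
    line is not in that format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "rule"):
        rec[key] = int(rec[key])
    rec["syn"] = rec.pop("flags") == "SYN"
    return rec

def denied_syn_to_watched_ports(lines, watch_ports=WATCH_PORTS):
    """Keep only DENY'd TCP connection attempts (SYN) to the watched ports;
    accepted packets and non-TCP noise are dropped."""
    hits = []
    for line in lines:
        rec = parse_packet_log(line)
        if rec and rec["target"] == "DENY" and rec["proto"] == 6 \
                and rec["syn"] and rec["dport"] in watch_ports:
            hits.append(rec)
    return hits

def probe_summary(lines, watch_ports=WATCH_PORTS):
    """Count hits per (source address, destination port)."""
    return Counter((r["src"], r["dport"])
                   for r in denied_syn_to_watched_ports(lines, watch_ports))

if __name__ == "__main__":
    for (src, port), n in probe_summary(SAMPLE_LOG.splitlines()).items():
        print(f"{src} -> tcp/{port}: {n} denied SYN")
```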








Re: [Leaf-user] loading PCMCIA modules; PCI vs ISA

2002-01-04 Thread Mike Leone

> > The problem is that the bridge chips don't handle ISA
> > interrupts too well: Basically, the 4:1 clock speed difference
> > causes each ISA interrupt to cause 4 interrupts on the PCI
> > bus. OUCH!
>
> Could you clarify this a little?  Could you explain *why* it generates
> 4 interrupts?  I *do* understand that 4 x 8 = 32, but this is the
> first time I have heard this story about 4 PCI interrupts for each ISA
> interrupt.  I just can't see *why*?

I can see where the time needed to process an ISA interrupt is 4x the
time needed to process an equivalent PCI interrupt (since ISA is so much
slower), but why would the PCI bridge controller issue *4* interrupts every
time it saw 1 ISA interrupt coming? Wouldn't that be ridiculously
repetitive - issuing the same interrupt 4 times? I can see where the PCI
device could have had 4 interrupts serviced in the time it takes an ISA to
process one.







[Leaf-user] Charles makes it into Linux Journal!

2001-12-12 Thread Mike Leone

Among others here on this list  ...

I have created a single-diskette distribution that installs the base
configuration of a VPN firewall based on the Linux Router Project (LRP,
www.linuxrouter.org), a compact Linux distribution that can fit on a single,
bootable floppy diskette. The distribution here is essentially Charles
Steinkuehler's Eiger disk image with Steinkuehler's IPSec-enabled kernel and
LRP IPSec package. Firewalling is carried out through Linux ipchains. This
particular version is based on the 2.2.16 kernel of Linux. This distribution
is called DUCLING (Diskette- based Ultra Compact Linux IPSec Network
Gateway). Compact Linux distributions have a twisted history. LRP
technically refers to Dave Cinege's compact distribution. There are many
variants around, including Charles Steinkuehler's distribution (EigerStein)
of Matthew Grant's defunct Eiger version (lrp1.steinkuehler.net). Another
such distribution is David Douthitt's Oxygen
(leaf.sourceforge.net/content.php?menu=900&page_id=1). Also, there is LEAF
(Linux Embedded Appliance Firewall), a developer's umbrella that tries to
coordinate releases and documentation, sort of like a one-stop shop for
compact Linux distributions (leaf.sourceforge.net). I use the term LRP to
refer to the compact Linux distribution presented here, even though some may
consider this terminology incorrect.

http://www.linuxjournal.com/article.php?sid=4772

By Duncan Napier

--
Goodbye youth, goodbye dreams,
The good times and the friends I used to know.
Goodbye freedom, hello fear,
A brave new world has suddenly appeared.
  "Salvation Road", The Kinks





Re: [Leaf-user] DNS flood?

2001-10-26 Thread Mike Leone

> I've checked, double checked, and triple checked this a number of times -
> the culprit is ads.x10.com.  Every time I see this ad, I check my lrp.
> Consistently, this is the onlysite for me that causes this DNS flood in my
> logs.  Unfortunately, this ad site is attaching to more and more web sites
> including yahoo and my local small town newspaper site!

Try putting "ads.x10.com 127.0.0.1" in your hosts file. Should stop them
from popping up, I think.



