[leaf-user] 2.9.8 network interfaces

2002-05-28 Thread Nachman Yaakov Ziskind

... put together the 2.9.8 distribution from LRP, and I'm stuck here:

Although I have two 'identical' (in the same way that snowflakes are identical)
3com cards, and they appear to be properly configured:

eth0  Link encap:Ethernet  HWaddr 00:10:5A:E1:E3:8B
  inet addr:10.1.1.202  Bcast:10.1.1.255  Mask:255.255.255.0
  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
  RX packets:12362 errors:0 dropped:0 overruns:0 frame:0
  TX packets:1639 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:100
  Interrupt:10 Base address:0xe800

eth1  Link encap:Ethernet  HWaddr 00:A0:24:57:55:BE
  inet addr:10.1.1.203  Bcast:10.1.1.255  Mask:255.255.255.0
  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
  RX packets:1474 errors:0 dropped:0 overruns:0 frame:0
  TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:100
  Interrupt:12 Base address:0xec00

apparently the second interface is not being used (I'm at a loss to explain the
small number of RX/TX packets. I cannot, by any activity, increment these
stats). I base this on:

1) Unplugging the second card still lets both ip #'s respond to pings;

2) Unplugging the first card stops both addresses from pinging; and

3) This datum from another box on the network, that I'm pinging from:

quack (10.1.1.202) at 0:10:5a:e1:e3:8b (802.3)
linux2 (10.1.1.203) at 0:10:5a:e1:e3:8b (802.3)

Both cards have link lights. Some data:

quack# uname -a
Linux quack 2.2.16 #1 Sun Jul 16 18:29:35 EDT 2000 i386 unknown

quack# ip addr show
1: lo:  mtu 3924 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
2: brg0:  mtu 1500 qdisc noop
link/ether fe:fd:03:bb:63:33 brd ff:ff:ff:ff:ff:ff
3: eth0:  mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:10:5a:e1:e3:8b brd ff:ff:ff:ff:ff:ff
inet 10.1.1.202/24 brd 10.1.1.255 scope global eth0
4: eth1:  mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:a0:24:57:55:be brd ff:ff:ff:ff:ff:ff
inet 10.1.1.203/24 brd 10.1.1.255 scope global eth1

quack# ip route show
10.1.1.0/24 dev eth0  proto kernel  scope link  src 10.1.1.202
10.1.1.0/24 dev eth1  proto kernel  scope link  src 10.1.1.203
default via 10.1.1.248 dev eth0  metric 1

quack# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.1.1.0        0.0.0.0         255.255.255.0   U         0 0          0 eth0
10.1.1.0        0.0.0.0         255.255.255.0   U         0 0          0 eth1
0.0.0.0         10.1.1.248      0.0.0.0         UG        0 0          0 eth0

quack# lsmod
Module                  Pages    Used by
3c59x                   17988    2

from /etc/network.conf:

[...]
IF0_IFNAME=eth0
IF0_IPADDR=10.1.1.202
IF0_NETMASK=255.255.255.0
IF0_BROADCAST=10.1.1.255
IF0_IP_SPOOF=YES

IF1_IFNAME=eth1
IF1_IPADDR=10.1.1.203
IF1_NETMASK=255.255.255.0
IF1_BROADCAST=10.1.1.255
IF1_IP_SPOOF=YES
[...]

(would posting more of this be useful?)

Any suggestions, etc. would be appreciated.

(trivia q: is there any way to ping by MAC address?)

Thanks!

NYZ

-- 
_____________
Nachman Yaakov Ziskind, EA, LLM [EMAIL PROTECTED]
Attorney and Counselor-at-Law   http://yankel.com
Economic Group Pension Services http://egps.com
Actuaries and Employee Benefit Consultants

___

Don't miss the 2002 Sprint PCS Application Developer's Conference
August 25-28 in Las Vegas -- http://devcon.sprintpcs.com/adp/index.cfm


leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html



Re: [leaf-user] 2.9.8 network interfaces

2002-05-31 Thread Nachman Yaakov Ziskind

Ray Olszewski wrote (on Tue, May 28, 2002 at 12:15:09PM -0700):
| You will need to make some allowances in reading this response (and 
| probably any others you get here), since LRP 2.9.8 is pretty much ancient 
| history to most active LEAF users. (In fact, I didn't even remember that 
| 2.9.8 included the "ip" command.)
| 
| Both interfaces are shown as having addresses on the same private-address 
| network. That's odd and it suggests a fundamental error in your physical 
| setup. Perhaps you can tell us what the physical setup is and what networks 
| the internal and external interfaces are *supposed* to be connected to? I 
| see that you specified adjacent addresses by hand in /etc/network.conf, but 
| that doesn't tell us what the underlying physical setup is (or perhaps we 
| need to know *why* you want two interfaces connected to the same LAN and 
| network).

I picked consecutive ip addresses for convenience. This is my setup:

Lan -> LRP -> DSL Router -> DSL Provider & 'the cloud'.

I'm not sure why the two interfaces cannot be on the same subnet, but I changed it
to clarify matters:

IF0_IFNAME=eth0
IF0_IPADDR=10.1.1.202
IF0_NETMASK=255.255.255.0
IF0_BROADCAST=10.1.1.255
IF0_IP_SPOOF=YES

IF1_IFNAME=eth1
IF1_IPADDR=10.1.2.203
IF1_NETMASK=255.255.255.0
IF1_BROADCAST=10.1.2.255
IF1_IP_SPOOF=YES

NET0_NETADDR=10.1.1.0
NET0_NETMASK=$IF1_NETMASK
NET0_GATEWAY_IF=$IF1_IFNAME
#NET0_GATEWAY_IP=10.1.2.248
NET0_IPMASQ=YES
NET0_IPMASQ_IF=$IF0_IFNAME

GW0_IPADDR=10.1.2.248
GW0_IFNAME=$IF1_NAME
GW0_METRIC=1

route add 10.1.2.248 eth1   # from the network_direct file

(where 10.1.2.248 is the address of the DSL router).

shemesh# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.1.2.248      0.0.0.0         255.255.255.255 UH        0 0          0 eth1
10.1.1.0        0.0.0.0         255.255.255.0   U         0 0          0 eth0
10.1.2.0        0.0.0.0         255.255.255.0   U         0 0          0 eth1
0.0.0.0         10.1.2.248      0.0.0.0         UG        0 0          0 eth1

This seems to work a little better; I can ping into the box and telnet from
both ends. But I cannot go *through* the box; i.e. I cannot telnet into the DSL
router from the LAN. This is where I am stuck.

| The second interface is not being used because there is no reason local to 
| the router to use it; the routing table has identical entries for the two 
| interfaces, and eth0 comes first. I'm a wee bit surprised that this affects 
| the arp responses as well as higher level ones, though ... unless the 
| pinging machine itself has a fairly unusual routing table.

But the outside world does not ask the kernel which internal interface to use;
it just supplies it with an IP address. This address was supplied - already, at
boot time - to the dormant card. Are you telling me that Linux 'revokes' the IP
address assignment dynamically? This would be a way cool feature. But if it
does, why does ifconfig still show the assignment to eth1?

| Even if you disconnect the first card from the LAN, the routing table still 
| believes it to be the route to the LAN, so it tries to use it (and fails) 
| to respond to pings.
| 
| The small number of RX packets are easy to understand; something else on 
| the LAN tried to connect to that IP address. (What? Beats me; I don't know 
| anything about your LAN. Probably the pings and the related arp queries.) 
| The small number of TX packets are a bit tougher to understand. If you 
| were using DHCP, I'd guess they were connected with getting a lease, but as 
| it is, I've no idea what they are.
| 
| There is no way to "ping" a MAC address directly; ping is a network-layer 
| (IP) protocol, not a link-layer (Ethernet or equivalent) one. I can't think 
| of a link-layer equivalent, either, offhand ... unless maybe this 
| capability is included in a network monitoring package like ethereal? (Does 
| anyone know?)
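Ray's point that the router has "no reason local to the router" to use eth1 follows directly from the routing table the original post shows: both /24 entries are equally specific, so whichever comes first is used for every LAN destination, and the default route also names eth0. (The arp listing on the pinging host showing the eth0 MAC for both addresses is consistent with Linux's default ARP behaviour of answering for any locally configured address on whichever interface the request arrives.) The following Python example is added here for illustration; it is not code from the thread or from LRP/LEAF. It parses `ip route show` output in the format the post uses and performs a longest-prefix lookup with the tie-break Ray describes (first listed entry wins); that tie-break is an assumption used to model his explanation, not a claim about every kernel version. The renumbered table is rewritten from the follow-up's `netstat -rn` output into `ip route` syntax.

```python
import ipaddress

# Routing table exactly as `ip route show` printed it in the original post:
# two equally specific routes to 10.1.1.0/24, one per interface.
ORIGINAL_TABLE = """\
10.1.1.0/24 dev eth0  proto kernel  scope link  src 10.1.1.202
10.1.1.0/24 dev eth1  proto kernel  scope link  src 10.1.1.203
default via 10.1.1.248 dev eth0  metric 1
"""

# The renumbered setup from the follow-up (eth1 moved to 10.1.2.0/24),
# rewritten from the netstat -rn listing into `ip route` syntax.
RENUMBERED_TABLE = """\
10.1.2.248 dev eth1  scope link
10.1.1.0/24 dev eth0  proto kernel  scope link  src 10.1.1.202
10.1.2.0/24 dev eth1  proto kernel  scope link  src 10.1.2.203
default via 10.1.2.248 dev eth1
"""


def parse_routes(text):
    """Turn `ip route show` lines into dicts; a bare host address becomes a /32."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        routes.append({
            "prefix": ipaddress.ip_network(dest, strict=False),
            "dev": fields[fields.index("dev") + 1],
            "via": fields[fields.index("via") + 1] if "via" in fields else None,
            "metric": int(fields[fields.index("metric") + 1]) if "metric" in fields else 0,
        })
    return routes


def matching_routes(routes, dst):
    """Every route whose prefix contains dst, in table order."""
    addr = ipaddress.ip_address(dst)
    return [r for r in routes if addr in r["prefix"]]


def select_route(routes, dst):
    """Longest prefix wins; among equal prefixes the lower metric wins; among
    equal metrics the entry listed first wins (assumption modelling the
    behaviour described in the thread)."""
    best = None
    for r in matching_routes(routes, dst):
        if best is None:
            best = r
            continue
        longer = r["prefix"].prefixlen > best["prefix"].prefixlen
        same_len_cheaper = (r["prefix"].prefixlen == best["prefix"].prefixlen
                            and r["metric"] < best["metric"])
        if longer or same_len_cheaper:
            best = r
    return best


def egress_interface(table_text, dst):
    """Interface the router would send a packet for dst out of, or None."""
    route = select_route(parse_routes(table_text), dst)
    return route["dev"] if route else None


if __name__ == "__main__":
    for dst in ("10.1.1.50", "8.8.8.8"):
        print("original:", dst, "->", egress_interface(ORIGINAL_TABLE, dst))
    for dst in ("10.1.2.248", "10.1.1.5", "8.8.8.8"):
        print("renumbered:", dst, "->", egress_interface(RENUMBERED_TABLE, dst))
```

With the original table every destination, LAN or Internet, resolves to eth0, which is why eth1's counters never move; once eth1 is on its own subnet the lookup has a reason to pick it.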

Re: [leaf-user] 2.9.8 network interfaces

2002-06-01 Thread Nachman Yaakov Ziskind

Mike Noyes wrote (on Fri, May 31, 2002 at 05:26:22PM -0700):
| On Fri, 2002-05-31 at 16:47, Nachman Yaakov Ziskind wrote:
| > Ray Olszewski wrote (on Tue, May 28, 2002 at 12:15:09PM -0700):
| > | You will need to make some allowances in reading this response (and 
| > | probably any others you get here), since LRP 2.9.8 is pretty much ancient
| > | history to most active LEAF users. (In fact, I didn't even remember that 
| > | 2.9.8 included the "ip" command.)
| 
| Nachman,
| Listen to Ray's advice above. LRP 2.9.8 is over 1 1/2 years old. It has
| security problems that newer LEAF releases/branches have addressed. If
| you still insist on using LRP 2.9.8, we'll help you, but be aware of the
| security risk.

Ok, I'm willing to switch before I invest any more of my time (and the lists!)
in the project, but which release should I use? All I need are the basics:

IP Masq (many to one)
Static IP address translation (one to one)
Some port forwarding
Basic firewall features

... with an emphasis on simplicity. :-)

Thanks in advance for your recommendation ...




[leaf-user] Modules backup in Dachstein 1.0.2

2002-06-02 Thread Nachman Yaakov Ziskind

| Nachman,
| There are two LEAF releases/branches that fit your needs. Dachstein
| 1.0.2 is one and Bering 1.0-rc2 is the other.

Ok, I bit the bullet and d/loaded Dachstein 1.0.2. I feel like I'm back at
square one again. :-(

My two 3coms, which worked flawlessly in 2.9.8, refused to load - four
unresolved symbol errors. (I found out later that the problem was caused by not
loading pciscan). So, I figured that I would grab 3c59x.o from the 2.9.8
system. However, I kept getting the identical errors. Further, my drivers kept
getting overwritten with the distro drivers.

Some more head scratching made me realize that the modules were not being
backed up, when I selected "Everything." They also were not getting backed up
when I selected them alone: "Unable to mount backup device". I finally figured
out that the fact that 'modules' appeared twice (5 and 6) on the backup menu
was a Bad Thing(tm). 

After some more poking and prodding, I found out that backup stuff lived in
/var/lib/lrpkg. A file called 'backdisk' contains lines for each item on the
menu, and lo and behold! - modules appears twice. Remove one line, and the
modules get written to disk. (That's when I found out the old 3com driver was
even worse).

But when I rebooted, the double menu item was back, with the concomitant backup
disability. That's when I noticed that /var/lib/lrpkg/root.exclude.list had
backdisk listed. I assumed that when I removed that exclusion, all would be
well. I assumed wrong. :-)

So, how do I fix the backup problem?




Re: [leaf-user] Modules backup in Dachstein 1.0.2

2002-06-02 Thread Nachman Yaakov Ziskind

Nachman Yaakov Ziskind wrote (on Sun, Jun 02, 2002 at 03:38:56PM -0400):
| 
| After some more poking and prodding, I found out that backup stuff lived in
| /var/lib/lrpkg. A file called 'backdisk' contains lines for each item on the
| menu, and lo and behold! - modules appears twice. Remove one line, and the
| modules get written to disk. (That's when I found out the old 3com driver was
| even worse).
| 
| But, when I rebooted, the double menu item, with the concomitant backup
| disability. That's when I noticed that /var/lib/lrpkg/root.exclude.list had
| backdisk listed. I assumed that when I removed that exclusion, all would be
| well. I assumed wrong. :-)
| 
| So, how do I fix the backup problem?

Never mind!  I had left an extra comma in syslinux.cfg. Duh. 

Now, here's where I'm stuck: attempts to ping to the external interface yield a
Type 3 error. But I haven't configured any firewall rules yet. Does it come out
of the box blocking everything?




[leaf-user] Combining NAT with PAT

2002-06-06 Thread Nachman Yaakov Ziskind

I'd like to combine NAT with PAT in Dachstein 1.0.2; e.g. to have private
addresses on 10.1.1 to PAT to a single public IP number, except for 10.1.1.[1-
5], which should each NAT to a (separate and distinct) public IP address. 

I've looked through the FAQ's, the sample network.conf/ipfilter.conf & and the
HOWTO's for ipchains and masquerading, and reached a point of MEGO. Can anyone
point me in the right direction? Thanks.

Some stuff:

# uname -a
Linux kochav 2.2.19-3-LEAF #1 Sat Dec 1 12:15:05 CST 2001 i386 unknown

# ip addr show
1: lo:  mtu 3924 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope global lo
2: eth0:  mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:10:5a:e1:e3:8b brd ff:ff:ff:ff:ff:ff
inet 10.1.2.203/24 brd 10.1.2.255 scope global eth0
3: eth1:  mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:a0:24:57:55:be brd ff:ff:ff:ff:ff:ff
inet 10.1.1.202/24 brd 10.1.1.255 scope global eth1

# ip route show
10.1.1.0/24 dev eth1  proto kernel  scope link  src 10.1.1.202
10.1.2.0/24 dev eth0  proto kernel  scope link  src 10.1.2.203
default via 10.1.2.248 dev eth0




Re: [leaf-user] Combining NAT with PAT

2002-06-06 Thread Nachman Yaakov Ziskind

Omar D. Samuels wrote (on Thu, Jun 06, 2002 at 04:36:46PM -0500):
| One learns something new everyday... does PAT stand for Private Address
| Translation?

NAT = Network Address Translation (one to one).
PAT = Port Address Translation (one to many).

| Is it different from NAR (Network Address Retention)?

Dunno. :-)

| Okay, just wanting to learn.  Thanks.





[leaf-user] Zeroing out ipchains

2002-06-06 Thread Nachman Yaakov Ziskind

Say, how come I can't zero out the ipchains counters?

# ipchains -nvL
Chain input (policy ACCEPT: 15420 packets, 3599705 bytes):
Chain forward (policy ACCEPT: 178 packets, 13155 bytes):
Chain output (policy ACCEPT: 8343 packets, 3177138 bytes):

# ipchains --zero

# ipchains -nvL
Chain input (policy ACCEPT: 15491 packets, 3602979 bytes):
Chain forward (policy ACCEPT: 193 packets, 14154 bytes):
Chain output (policy ACCEPT: 8389 packets, 3179717 bytes):

# ipchains -V
ipchains 1.3.10, 1-Sep-2000




Re: [leaf-user] Combining NAT with PAT

2002-06-06 Thread Nachman Yaakov Ziskind

Omar D. Samuels wrote (on Thu, Jun 06, 2002 at 05:09:49PM -0500):
| What do you mean, I still don't understand.
| 
| > | One learns something new everyday... does PAT stand for Private Address
| > | Translation?
| >
| > NAT = Network Address Translation (one to one).
| > PAT = Port Address Translation (one to many).
| >
| > | Is it different from NAR (Network Address Retention)?
| >
| > Dunno. :-)

In NAT, the router essentially changes the source IP number to some other
(presumably better :-) one, and makes no other changes. So, your network
address is hidden, but you still need one public IP address for every host on
your network. 

In PAT, the router changes the port number as well (to some random port
number), and keeps track of a table consisting of: the original source IP
number, and the port coded to the packet. The point is that the router can
inspect the reply packet, check the table, and send it off to the machine that
sent the source packet because it knows the port it arrived on. So, many hosts
can use the same IP number.

Both NAT and PAT have their uses; we use both here.

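The NAT/PAT distinction drawn above (one-to-one address rewriting versus many-to-one rewriting keyed on a translated source port) can be made concrete with a small translation-table model. The following Python example is added for illustration; it is not code from the thread or from Dachstein/Shorewall. It uses the private hosts and public addresses from the NAT file quoted later in this thread, and the router's own public address 64.49.72.186 as the PAT address; packets are constructed dicts. Static NAT is consulted before PAT, which matches the ordering Tom Eastep describes further down the thread. The 198.51.100.7 remote host is a constructed documentation address.

```python
import itertools

# Private -> public one-to-one mappings, taken from the NAT file in the thread.
STATIC_NAT = {
    "10.1.1.1":   "216.236.142.81",
    "10.1.1.252": "216.236.142.82",
    "10.1.1.253": "216.236.142.83",
    "10.1.1.254": "216.236.142.84",
    "10.1.1.63":  "216.236.142.85",
}
ROUTER_PUBLIC_IP = "64.49.72.186"   # the router's external address in the thread


class StaticNat:
    """One-to-one NAT: only the address changes, ports are left alone."""
    def __init__(self, mapping):
        self.out = dict(mapping)
        self.back = {pub: priv for priv, pub in mapping.items()}

    def outbound(self, pkt):
        pub = self.out.get(pkt["src"])
        return None if pub is None else {**pkt, "src": pub}

    def inbound(self, pkt):
        priv = self.back.get(pkt["dst"])
        return None if priv is None else {**pkt, "dst": priv}


class Pat:
    """Port address translation: many private hosts share one public address.
    The translated source port is the key used to steer replies back."""
    def __init__(self, public_ip, first_port=1024):
        self.public_ip = public_ip
        self.next_port = itertools.count(first_port)
        self.table = {}      # public port -> (private src, private sport)
        self.by_flow = {}    # (private src, private sport) -> public port

    def outbound(self, pkt):
        flow = (pkt["src"], pkt["sport"])
        port = self.by_flow.get(flow)
        if port is None:                      # first packet of this flow
            port = next(self.next_port)
            self.by_flow[flow] = port
            self.table[port] = flow
        return {**pkt, "src": self.public_ip, "sport": port}

    def inbound(self, pkt):
        flow = self.table.get(pkt["dport"])
        if pkt["dst"] != self.public_ip or flow is None:
            return None                       # no state for it: unsolicited, dropped
        src, sport = flow
        return {**pkt, "dst": src, "dport": sport}


class Router:
    """Static NAT entries are tried first; everything else is PAT'ed."""
    def __init__(self, static_map, public_ip):
        self.nat = StaticNat(static_map)
        self.pat = Pat(public_ip)

    def lan_to_net(self, pkt):
        return self.nat.outbound(pkt) or self.pat.outbound(pkt)

    def net_to_lan(self, pkt):
        return self.nat.inbound(pkt) or self.pat.inbound(pkt)


if __name__ == "__main__":
    r = Router(STATIC_NAT, ROUTER_PUBLIC_IP)
    web = {"dst": "198.51.100.7", "dport": 80}
    print(r.lan_to_net({"src": "10.1.1.1", "sport": 40000, **web}))    # static NAT
    a = r.lan_to_net({"src": "10.1.1.50", "sport": 40000, **web})      # PAT
    b = r.lan_to_net({"src": "10.1.1.51", "sport": 40000, **web})      # PAT, same sport
    print(a, b)
    print(r.net_to_lan({"src": "198.51.100.7", "sport": 80,
                        "dst": ROUTER_PUBLIC_IP, "dport": a["sport"]}))
```

Two LAN hosts using the same source port collide only in the private view; after PAT they are distinguishable by the port the router handed out, and a reply to a port with no table entry has nowhere to go and is discarded.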



Re: [leaf-user] Using HOSTS file

2002-06-07 Thread Nachman Yaakov Ziskind

Ray Olszewski wrote (on Thu, Jun 06, 2002 at 11:38:09PM -0700):
| One low-tech solution that should work, BTW, is to add the hostname/IP 
| address pair to the hosts file on each workstation (/etc/hosts for Linux 
| workstations; I don't know the WinXX analog, though I do know there is 
| one).  

For windows 9x: \windows\hosts
For NT, 2000, XP: \winnt\system32\drivers\etc\hosts

Format is the same as /etc/hosts.




Re: [leaf-user] Combining NAT with PAT

2002-06-07 Thread Nachman Yaakov Ziskind

| > In NAT, the router essentially changes the source IP number to some other
| > (presumably better :-) one, and makes no other changes. So, your network
| > address is hidden, but you still need one public IP address for every host 
| > on your network. 

| > In PAT, the router changes the port number as well (to some random port
| > number), and keeps track of a table consisting of: the original source IP
| > number, and the port coded to the packet. The point is that the router can
| > inspect the reply packet, check the table, and send it off to the machine 
| > that sent the source packet because it knows the port it arrived on. So,
| >  many hosts can use the same IP number.
| > 
| > Both NAT and PAT have their uses; we use both here.
| 
| As I understand it, netfilter (iptables) can do what you want, although
| the terminology and approach may be unfamiliar. Start here:
| http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO.html
| 
| The Bering branch of LEAF uses a 2.4 kernel with netfilter. Dachstein
| still uses a 2.2 kernel.
| 
| -Richard

*Groan* another distribution? My third. Okay.

Another question for the list: can Linux cum Dachstein a) alias the eth0
(external) interface to multiple ip numbers (in SCO unix we use 'ifconfig
alias', and b) pass along somehow (to ipchains or whatever) which ip number the
packet arrived with? If so, I suppose I could use ipchains to REDIRECT to a
local port, and then portfw to push it to the right machine. Well.

NYZ




[leaf-user] Bering Firewall guidance

2002-06-10 Thread Nachman Yaakov Ziskind

... I need some basic pointers here. Specifically, I flushed all the rules
(iptables -F) and changed the policy of all the builtins to ACCEPT:

# iptables -nL|more
Chain INPUT (policy ACCEPT)
target prot opt source   destination

Chain FORWARD (policy ACCEPT)
target prot opt source   destination

Chain OUTPUT (policy ACCEPT)
target prot opt source   destination

Chain all2all (0 references)
target prot opt source   destination

Chain common (0 references)
target prot opt source   destination

Chain fw2loc (0 references)
target prot opt source   destination

Chain fw2net (0 references)
target prot opt source   destination

Chain icmpdef (0 references)
target prot opt source   destination

Chain loc2fw (0 references)
target prot opt source   destination

Chain loc2net (0 references)
target prot opt source   destination

Chain logdrop (0 references)
target prot opt source   destination

Chain net2all (0 references)
target prot opt source   destination

Chain net2fw (0 references)
target prot opt source   destination

Chain reject (0 references)
target prot opt source   destination

Chain rfc1918 (0 references)
target prot opt source   destination

Chain shorewall (0 references)
target prot opt source   destination

The box should be wide open now.

So, why I can I not ping out eth0?

# ping 10.1.2.248
PING 10.1.2.248 (10.1.2.248): 56 data bytes

# tail syslog

Jun 10 22:50:03 yoreach kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT=
MAC=00:10:5a:e1:e3:8b:00:20:6f:05:f9:6d:08:00 SRC=10.1.2.248 DST=10.1.2.203
LEN=44 TOS=0x00 PREC=0x00 TTL=60 ID=5663 PROTO=TCP SPT=23 DPT=1025 WINDOW=4096
RES=0x00 ACK SYN URGP=0

So, what am I missing?

# uname -a
Linux yoreach 2.4.18 #1 Sun Apr 21 12:50:34 CEST 2002 i686 unknown

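The syslog line in this post already contains the answer to "what am I missing": Shorewall's rfc1918 chain dropped a packet arriving on eth0 from 10.1.2.248, the DSL router, and the flags ACK SYN mark it as the reply to a connection 10.1.2.203 opened to port 23. Reading those fields by hand is error-prone, so the following Python example, added here and not part of the post or of Shorewall, parses Shorewall's netfilter log format into a dictionary and flags the two things a practitioner checks first: whether the dropped packet has a private source on the net-side interface, and whether it is a reply to outbound traffic (SYN+ACK). The first sample line is the post's own log entry re-joined onto one line as syslog writes it; the second is a constructed net2all drop of an unsolicited inbound SYN so that the summary has a contrasting entry.

```python
import ipaddress
import re

# Constructed sample: line 1 is the post's log entry re-joined onto one line,
# line 2 is an invented net2all drop (198.51.100.9 is a documentation address).
SAMPLE_LOG = """\
Jun 10 22:50:03 yoreach kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC=00:10:5a:e1:e3:8b:00:20:6f:05:f9:6d:08:00 SRC=10.1.2.248 DST=10.1.2.203 LEN=44 TOS=0x00 PREC=0x00 TTL=60 ID=5663 PROTO=TCP SPT=23 DPT=1025 WINDOW=4096 RES=0x00 ACK SYN URGP=0
Jun 10 22:51:10 yoreach kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:10:5a:e1:e3:8b:00:20:6f:05:f9:6d:08:00 SRC=198.51.100.9 DST=10.1.2.203 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=51234 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
"""

HEADER = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<rest>.*)$"
)
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_line(line):
    """Split one Shorewall log line into a dict; returns None for other lines."""
    m = HEADER.match(line)
    if not m:
        return None
    entry = {k: m.group(k) for k in ("ts", "host", "chain", "action")}
    flags = set()
    for token in m.group("rest").split():
        if "=" in token:
            key, _, value = token.partition("=")
            entry[key] = value            # "OUT=" yields an empty string
        elif token in TCP_FLAGS:          # bare tokens are TCP flags
            flags.add(token)
    entry["flags"] = flags
    for key in ("SPT", "DPT", "LEN", "TTL"):
        if key in entry:
            entry[key] = int(entry[key])
    return entry


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def is_reply(entry):
    """SYN+ACK from the remote side: the remote end is answering a connection
    opened from our side, so the drop breaks an outbound session."""
    return {"SYN", "ACK"} <= entry["flags"]


def explain(entry):
    """One-line summary with the checks that matter for this kind of drop."""
    verdict = (f'{entry["chain"]} {entry["action"]} on {entry["IN"]}: '
               f'{entry["SRC"]}:{entry["SPT"]} -> {entry["DST"]}:{entry["DPT"]} '
               f'{entry["PROTO"]}')
    notes = []
    if entry["chain"] == "rfc1918" and ipaddress.ip_address(entry["SRC"]).is_private:
        notes.append("private source address on the net-side interface")
    if is_reply(entry):
        notes.append(f'reply to an outbound connection from {entry["DST"]}:{entry["DPT"]}')
    return verdict + (" (" + "; ".join(notes) + ")" if notes else "")


if __name__ == "__main__":
    for entry in parse_log(SAMPLE_LOG):
        print(explain(entry))
```

For the post's line this prints that the drop is a private-sourced reply to a connection from 10.1.2.203:1025, i.e. the upstream gateway itself sits on an RFC 1918 address, which is exactly the case Shorewall's RFC 1918 filtering on the net interface is written to reject.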



[leaf-user] MASQ/NAT problem in Shorewall

2002-06-18 Thread Nachman Yaakov Ziskind

Using Bering:
Linux yoreach 2.4.18 #1 Sun Apr 21 12:50:34 CEST 2002 i686 unknown

with Shorewall 1.2.12. I'm MASQ'ing the local net to the outside, except for a
few servers which are using Static NAT.

Zones:

net Net Internet
loc Local   Local networks

Ifaces:

net   eth0   detect   routefilter
loc   eth1   detect   routestopped

All my policies are set to ACCEPT, for testing purposes. My RULES file is
unmodified. So the firewall is wide open, right?

Problem: from my MASQ'ed boxes, I can see the whole 'NET - except for the
Static NAT boxes. But I can see the Static NAT boxes from the outside. Also,
the Static NAT boxes can see each other (even using the public IP addresses).

It is not a DNS problem, as using the public IP addresses is no better (the
private IP addresses work fine). 

I'm stumped. How do I troubleshoot this?

[I noticed these errors in syslog:

Jun 18 21:24:18 yoreach kernel: eth0: Transmit error, Tx status register 82.
Jun 18 21:24:18 yoreach kernel: Probably a duplex mismatch.  See
Documentation/networking/vortex.txt
Jun 18 21:24:18 yoreach kernel:   Flags; bus-master 1, dirty 249226(10) current
249226(10)
Jun 18 21:24:18 yoreach kernel:   Transmit list  vs. c3fed480.
Jun 18 21:24:18 yoreach kernel:   0: @c3fed200  length 8226 status 00010226

related?]





Re: [leaf-user] MASQ/NAT problem in Shorewall

2002-06-23 Thread Nachman Yaakov Ziskind

Tom Eastep wrote (on Wed, Jun 19, 2002 at 05:55:04AM -0700):
| On Wed, 19 Jun 2002, Nachman Yaakov Ziskind wrote:
| 
| > Tom Eastep wrote (on Tue, Jun 18, 2002 at 07:53:08PM -0700):
| > | On Tue, 18 Jun 2002, Nachman Yaakov Ziskind wrote:
| > | 
| > | > Using Bering:
| > | > Linux yoreach 2.4.18 #1 Sun Apr 21 12:50:34 CEST 2002 i686 unknown
| > | >
| > | > with Shorewall 1.2.12. I'm MASQ'ing the local net to the outside,
| > | > except for a few servers which are using Static NAT.
| > | > 
| > | > Zones:
| > | > 
| > | > net Net Internet
| > | > loc Local   Local networks
| > | > 
| > | > Ifaces:
| > | > 
| > | > net   eth0   detect   routefilter
| > | > loc   eth1   detect   routestopped
| > | >
| > | 
| > | Given that you are having a problem involving NAT and MASQ, it would be 
| > | helpful if you posted the contents of those files.
| > 
| > Okay:
| > 
| > MASQ:
| > 
| > eth0   10.1.1.0/24   !10.1.1.252,10.1.1.253,10.1.1.254,10.1.1.63
| >
| 
| While it's ok to exclude the static NAT addresses, it is not necessary. 
| The static NAT rules get applied before the MASQ rule. Also, since you 
| have static external IPs, you should probably use SNAT (i.e., list the 
| external IP address that you want to SNAT through).
|  
| > NAT:
| > 216.236.142.81   eth0   10.1.1.1
| > 216.236.142.82   eth0   10.1.1.252
| > 216.236.142.83   eth0   10.1.1.253
| > 216.236.142.84   eth0   10.1.1.254
| > 216.236.142.85   eth0   10.1.1.63
| 
| Ok.
| 
| > 
| > | > All my policies are set to ACCEPT, for testing purposes. My RULES file 
| > | > is unmodified. So the firewall is wide open, right?
| > | 
| > | Yes, plus you don't have to look at any helpful diagnostic messages that 
| > | way.
| > 
| > I'm ignorant enough not to know if this is sarcasm. Seriously, shouldn't I
| > start with the firewall in a minimalist configuration - to make sure
| >  everything else works - and then build from there? Isn't it better to 
| > troubleshoot one piece at a time, rather than try to debug everything at 
| > once and just get frustrated?
| 
| With only static NAT and MASQ, opening up the firewall as you have done is 
| fine. In general, I prefer to start with the firewall closed so that I 
| open only as much as is necessary and no more.
| 
| > | > Problem: from my MASQ'ed boxes, I can see the whole 'NET - except for 
| > | > the Static NAT boxes. But I can see the Static NAT boxes from the 
| > | >outside. Also, the Static NAT boxes can see each other (even using the  
| > | > public IP addresses).
| > | >
| > 
| > | Without knowing what your configuration looks like (including IP 
| > | addresses, subnetting and routing), it's hard to know what's wrong.

| > Inside: 10.1.1.0/24, of which the above named hosts are assigned public IP
| > addresses, the rest use PAT. Outside: 216.236.142.80/240 are the public 
| > IP's the router is assigned a public IP on another subnet 
| > (64.49.72.186/30), and the default gateway is .185 on the same subnet.
| > 
| > | > It is not a DNS problem, as using the public IP addresses is no better
| > | > (the private IP addresses work fine). 
| > | > I'm stumped. How do I troubleshoot this?
| > | 
| > | First please tell us what your configuration really looks like then tell
| > | us which computers can communicate with which other computers and which
| > | can't using which addresses (remember, computers can't SEE each other --
| > | they can only communicate with one another).

| > Okay, the outside can communicate (i.e., pull up web pages) on the Static 
| > NAT addresses above. The Static NAT machines themselves can communicate 
| > with each other and the outside world.
| 
| Are you sure that they can communicate with each other? Are you just using 
| 'ping'? If you are just using 'ping', it is the firewall that is 
| responding to ping, not the NAT machine. There is nothing in your 
| configuration that would let these systems communicate using their 
| external IP addresses. 

Really?? The firewall does not pass along the ICMP packets to the destination
host? I'm wondering why this would be. It certainly lessens the value of the
ping utility ("Ok, host x is up. Unless it's not.")


| > But the MASQ'ed machines cannot use the public IP
| > addresses (they *can* address the Static NAT machines by their RFC 1918
| > addresses), although they can access other part of the Internet. I *think*
| > they  can ping the public IP's, although I didn't have enough time t

Re: [leaf-user] MASQ/NAT problem in Shorewall

2002-06-23 Thread Nachman Yaakov Ziskind

Tom Eastep wrote (on Sun, Jun 23, 2002 at 05:48:16PM -0700):
| On Sun, 23 Jun 2002, Nachman Yaakov Ziskind wrote:
| 
| > 
| > [I have no clue what Bind 9 views is, or how to set it up. But I suspect
| > it involves doing things through DNS. I further suspect it will be like
| > pulling teeth with every w/s pointing to my ISP's DNS servers. I suppose
| > I *could* just load a hosts file on every workstation. Ouch.]
| >
| 
| Now who is being sarcastic? 

Not I, Brother Tom. :-)

| It is possible to run a DNS server that only serves your local hosts. If
| you are using DHCP to configure your local hosts, changing the DNS servers
| is trivial.  It sounds like you are configuring your hosts statically
| though; in that case, requests from your local network that are addressed
| to your ISP's servers can be transparently redirected to this local DNS
| server so that you don't have to change your local host's configuration.
| Setting up the redirection involves adding two Shorewall rules.

This sounds like more work than I'd like to do (right now); maybe later.

Actually, I have two local DNS servers, one running NT and the other SCO Unix
(for extra credit, guess which DNS server crashes three times a day :-)

Eventually, I'll train the clients to query the local servers, as soon as I'm
convinced that the situation is stable.

| In either case, you would have to learn how to set up a DNS server.

Been there, done that. Got the tee shirt.

| Network administration is more than inserting a CD and clicking a couple
| of Yes/No boxes. To do it right, you actually have to learn something. 
| 
| Sorry

With six years of Unix admin under my belt, and having just programmed a Cisco
Pix 506 (to do essentially what Bering will do, someone wants the Pix back :-()
I take gentle umbrage at your last.

:-)

Thanks for your help to date.


In another post you mentioned, 

"Groan -- you mentioned at the outset that you are running Shorewall 1.2.12
yet I referred you to the 1.3.x FAQ. My bad... The syntax for 1.2.x is
different."

but didn't supply the syntax. Having read both the (1.2) documentation and the
(1.3) FAQ, and being somewhat bleary-eyed, I was wondering if you could post
the correct syntax.

Thanks!

NYZ

-- 
_
Nachman Yaakov Ziskind, EA, LLM [EMAIL PROTECTED]
Attorney and Counselor-at-Law   http://yankel.com
Economic Group Pension Services http://egps.com
Actuaries and Employee Benefit Consultants


---
Sponsored by:
ThinkGeek at http://www.ThinkGeek.com/

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html



[leaf-user] How to fix a duplex mismatch?

2002-06-24 Thread Nachman Yaakov Ziskind

Bering firewall, 1.0rc2:
Linux yoreach 2.4.18 #1 Sun Apr 21 12:50:34 CEST 2002 i686 unknown

My logs are filling up with entries like:

Jun 24 17:14:00 yoreach kernel: eth0: Transmit error, Tx status register 82.
Jun 24 17:14:00 yoreach kernel: Probably a duplex mismatch.  See Documentation/networking/vortex.txt
Jun 24 17:14:00 yoreach kernel:   Flags; bus-master 1, dirty 579(3) current 579(3)
Jun 24 17:14:00 yoreach kernel:   Transmit list  vs. c3da62c0.
Jun 24 17:14:00 yoreach kernel:   0: @c3da6200  length 820f status 0001020f

etc., etc. ad nauseam.

I did a web search and found:

http://www.scyld.com/network/vortex.html

which told me that a host on the network was incorrectly transmitting full-
duplex (and, by implication, that my network interface is set to half-duplex).
But, I am confused.

Eth0 is connected, I'm told (by my ISP, who may be the least reliable source on
this subject!), to one other machine, a router in the basement. Since internet
access appears to work reasonably well, should I change anything? Persuade my
ISP to change something (ha ha)?

I assume that the place to change things would be in the module line in
/etc/modules?

Now, I can live with the error messages, but, my logs are filling up.
Apparently, Bering creates a temporary filesystem in Ramdisk to hold the logs
(good), allots it 2 meg (ok, I guess) and shuts logging down when /var/log
exceeds capacity (bad). So, how do I:

1) Stop these messages from being logged; or

2) tell syslogd/klogd to wrap around or do something useful when the logs fill
up; or

3) increase the size of the logging filesystem?

I'd like to increase the amount of ram in play (anyway) as I have a lot on this
machine (it was a hand me down :-)




[leaf-user] 3 Bering problems

2002-07-03 Thread Nachman Yaakov Ziskind


Using Bering 1.0rc2:

Linux yoreach 2.4.18 #1 Sun Apr 21 12:50:34 CEST 2002 i686 unknown

with Shorewall 1.2.12. I'm MASQ'ing the local net to the outside, except for a
few servers which are using Static NAT. Inside zone is 10.1.1.x, outside is
216.236.142.80/29. 

Zones:

net Net Internet
loc Local   Local networks

Ifaces:

net  eth0  detect  routefilter,norfc1918
loc  eth1  detect  routestopped

hosts:unmodified

policy:   everything ACCEPT

Rules:

ACCEPT  loc  loc:10.1.1.1    tcp  smtp  -  216.236.142.81:10.1.1.200
ACCEPT  loc  loc:10.1.1.252  tcp  www   -  216.236.142.82:10.1.1.200
ACCEPT  loc  loc:10.1.1.253  tcp  www   -  216.236.142.83:10.1.1.200
ACCEPT  loc  loc:10.1.1.254  tcp  www   -  216.236.142.84:10.1.1.200
(the above four rules put in per Tom Eastep in order to allow inside boxes to 
use the NAT'ed servers)

REJECT  net loc tcp 1433
REJECT  net loc udp 137
REJECT  net loc udp 138
REJECT  net loc udp 139

(the rest as in the original)

NAT:
eth0  10.1.1.0/24!10.1.1.252,10.1.1.253,10.1.1.254,10.1.1.63,10.1.1.1

I have three problems (should I post them separately?)

1) Incoming connections to the servers are identified as coming from the
router, not the original IP address. This makes life difficult for several
reasons. How do I address this?


2) FTP connections do not work. That is, web based ftp does not work, but
command line seems to be fine. This mystifies me as I thought ftp encapsulated
in the browser would stress the router less(?)

Nothing in messages, but this in `shorewall status`:
tcp  6 431875 ESTABLISHED src=216.194.21.212 dst=216.236.142.81 sport=1656 dport=21 src=10.1.1.1 dst=216.194.21.212 sport=21 dport=1656 [ASSURED] use=1

On the server side:
Jul  3 21:33:57 egps ftpd[28601]: FTP LOGIN FROM as5300-6.216-194-21-212.nyc.ny.metconnect.net [216.194.21.212], awacs

So I assume a connection has been established, and it just sits there.

after breaking out:
Jul  3 21:39:35 egps ftpd[28601]: FTP session closed

I have loaded:
ip_conntrack_ftp / ip_conntrack_irc / ip_nat_ftp / ip_nat_irc

3) I'm getting LOTS of duplex errors, like this:

Jun 18 21:24:18 yoreach kernel: eth0: Transmit error, Tx status register 82.
Jun 18 21:24:18 yoreach kernel: Probably a duplex mismatch.  See Documentation/networking/vortex.txt
Jun 18 21:24:18 yoreach kernel:   Flags; bus-master 1, dirty 249226(10) current 249226(10)
Jun 18 21:24:18 yoreach kernel:   Transmit list  vs. c3fed480.
Jun 18 21:24:18 yoreach kernel:   0: @c3fed200  length 8226 status 00010226

I don't care about the errors, but how to keep them from filling up the logs?

What other info do I need to provide to diagnose these three problems?

Thanks in advance.



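The `shorewall status` line in the post above is a 2.4-kernel ip_conntrack entry, and reading it answers half of problem 2: the original tuple (client -> 216.236.142.81:21) and the reply tuple (10.1.1.1:21 -> client) differ in the destination, so the static NAT of the FTP control connection is working and that is why the server logs a login. What the entry cannot show is whether the ftp helper has created an expectation for the data connection. The parser below is an added example written for this page, not Bering or Shorewall code; it takes the posted line plus three constructed entries (192.0.2.x are documentation addresses standing in for the firewall's external address and remote hosts), classifies each as DNAT, SNAT or untranslated by comparing the two tuples, and flags NATed FTP control connections as the ones that need ip_conntrack_ftp/ip_nat_ftp to be tracking them.

```python
import re

# Constructed sample lines in the /proc/net/ip_conntrack format that
# `shorewall status` prints on a 2.4 kernel.  The first is the entry from
# the post above; the other three are made up for this example.
SAMPLE = [
    "tcp      6 431875 ESTABLISHED src=216.194.21.212 dst=216.236.142.81 sport=1656 dport=21 "
    "src=10.1.1.1 dst=216.194.21.212 sport=21 dport=1656 [ASSURED] use=1",
    "tcp      6 299 ESTABLISHED src=10.1.1.50 dst=192.0.2.7 sport=3321 dport=80 "
    "src=192.0.2.7 dst=192.0.2.10 sport=80 dport=3321 [ASSURED] use=1",
    "udp      17 27 src=10.1.1.50 dst=192.0.2.53 sport=1025 dport=53 "
    "src=192.0.2.53 dst=192.0.2.10 sport=53 dport=1025 use=1",
    "tcp      6 431999 ESTABLISHED src=10.1.1.5 dst=10.1.1.1 sport=1040 dport=25 "
    "src=10.1.1.1 dst=10.1.1.5 sport=25 dport=1040 [ASSURED] use=1",
]

KV = re.compile(r"^(\w+)=(\S+)$")
TUPLE_KEYS = ("src", "dst", "sport", "dport")


def parse_conntrack(line):
    """Split one ip_conntrack line into proto, timeout, TCP state, flags and the
    two address tuples: `orig` (the packet as the firewall first saw it) and
    `reply` (the direction answers are expected from, i.e. after NAT)."""
    tokens = line.split()
    entry = {"proto": tokens[0], "protonum": int(tokens[1]),
             "timeout": int(tokens[2]), "state": None, "flags": [],
             "orig": {}, "reply": {}}
    current = entry["orig"]
    for tok in tokens[3:]:
        m = KV.match(tok)
        if m:
            key, val = m.groups()
            if key in TUPLE_KEYS:
                if key in current:            # a second src= starts the reply tuple
                    current = entry["reply"]
                current[key] = int(val) if key.endswith("port") else val
            elif key == "use":
                entry["use"] = int(val)
        elif tok.startswith("[") and tok.endswith("]"):
            entry["flags"].append(tok[1:-1])  # ASSURED, UNREPLIED
        elif entry["state"] is None:
            entry["state"] = tok              # TCP state word; UDP lines have none
    return entry


def nat_kind(entry):
    """A destination that differs from the reply source is DNAT (static NAT or
    port forwarding); a source that differs from the reply destination is SNAT
    (masquerading).  Both can apply to one connection."""
    o, r = entry["orig"], entry["reply"]
    kinds = []
    if (o["dst"], o["dport"]) != (r["src"], r["sport"]):
        kinds.append("DNAT")
    if (o["src"], o["sport"]) != (r["dst"], r["dport"]):
        kinds.append("SNAT")
    return "+".join(kinds) or "none"


def needs_ftp_helper(entry):
    """A NATed FTP control connection only gets working PASV/PORT data
    connections if ip_conntrack_ftp/ip_nat_ftp are tracking it."""
    return (entry["proto"] == "tcp"
            and 21 in (entry["orig"]["dport"], entry["reply"]["sport"])
            and nat_kind(entry) != "none")


def report(lines):
    rows = []
    for line in lines:
        e = parse_conntrack(line)
        o, r = e["orig"], e["reply"]
        rows.append((e["proto"], e["state"] or "-", nat_kind(e), needs_ftp_helper(e),
                     f"{o['src']}:{o['sport']}->{o['dst']}:{o['dport']}",
                     f"reply {r['src']}:{r['sport']}->{r['dst']}:{r['dport']}"))
    return rows


if __name__ == "__main__":
    for row in report(SAMPLE):
        print(*row)
```

Run it against `shorewall status` output (or `cat /proc/net/ip_conntrack`) to see at a glance which flows are translated in which direction; a PASV data connection that is working shows up as a second DNAT entry to the server's port 21 peer, while a missing helper leaves only the control connection.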

Re: [leaf-user] problem with bering host lookups

2002-07-04 Thread Nachman Yaakov Ziskind

guitarlynn wrote (on Thu, Jul 04, 2002 at 02:05:21PM -0500):

| > Okay by me. I thought I had a development issue. My guess is I've
| > stripped something that's required for name resolution. So I ask,
| > what is used for host lookups (the udp/53 call) on lrp?
| 
| Probably not a development issue, noone else has had problems with
| DNS problems unless it has been a mis-configuration issue. I would 
| find it safe to assume that in this case as well. udp/53 is correct. if
| the routing and netfilter rules will allow the traffic to and from the 
| proper subnets. By chance, you are not attempting to connect to a
| DMZ server from a Masq'ed subnet using an external ip address???
| This will not work due to ip spoofing rules, you will need to use the 
| private-DMZ addressing to connect from a Masq'ed subnet instead.

Don't forget that *sometimes* (large packets?) DNS uses TCP instead of UDP.
 


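The point made in the reply above matters for firewall rules: a resolver sends its query over udp/53, but when the answer does not fit in a 512-byte UDP datagram the server sets the TC (truncated) bit and the resolver repeats the query over tcp/53, so a rule set that only opens UDP 53 breaks exactly those lookups. The code below is an added example, not part of Bering or any LEAF package; it builds a minimal query, checks the header of a (constructed) truncated and a complete reply, and shows the 2-byte length framing DNS uses on TCP. The example name `egps.com` is taken from the poster's signature; the replies carry no resource records because only the header matters for the check.

```python
import struct

FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080


def encode_name(name):
    """DNS wire-format name: length-prefixed labels ended by a zero byte."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split(".") if label)
    return out + b"\x00"


def build_query(qname, qtype=1, txid=0x1234):
    """Minimal recursive query (QTYPE 1 = A, QCLASS 1 = IN)."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rd": bool(flags & FLAG_RD), "ra": bool(flags & FLAG_RA),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def needs_tcp_retry(udp_response):
    """RFC 1035: a response with TC set was cut at 512 bytes; the resolver must
    repeat the same query over TCP, so tcp/53 has to pass the firewall too."""
    h = parse_header(udp_response)
    return h["qr"] and h["tc"]


def tcp_frame(msg):
    """Over TCP every message is prefixed with its 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(stream):
    """Split a TCP byte stream back into messages; a trailing partial message
    (not fully received yet) is left out rather than mis-parsed."""
    msgs, pos = [], 0
    while pos + 2 <= len(stream):
        (length,) = struct.unpack("!H", stream[pos:pos + 2])
        if pos + 2 + length > len(stream):
            break
        msgs.append(stream[pos + 2:pos + 2 + length])
        pos += 2 + length
    return msgs


# Constructed replies for the example: same question section as the query,
# no records appended (only the header matters for the TC check).
QUERY = build_query("egps.com")
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_TC,
                              1, 0, 0, 0) + QUERY[12:]
COMPLETE_REPLY = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA,
                             1, 0, 0, 0) + QUERY[12:]

if __name__ == "__main__":
    print("retry over tcp:", needs_tcp_retry(TRUNCATED_REPLY), needs_tcp_retry(COMPLETE_REPLY))
    stream = tcp_frame(QUERY) + tcp_frame(COMPLETE_REPLY)
    print("tcp stream splits into", len(tcp_unframe(stream)), "messages")
```

The same TC check is what `dig` reports as the `tc` flag before it silently retries over TCP; if a lookup works with `dig +notcp` and fails without it, the firewall is the place to look.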

[leaf-user] Still can't FTP

2002-08-02 Thread Nachman Yaakov Ziskind

Running Bering V1.0-rc2, I am unable to access the internal FTP servers with
passive FTP. I can use command-line FTP, so I am puzzled. 

Some details: 
___
/etc/shorewall/ifaces:

#ZONE   INTERFACE   BROADCAST   OPTIONS
net  eth0  detect  routefilter,norfc1918
loc  eth1  detect  routestopped,multi

/etc/shorewall/rules:

ACCEPT  loc:10.1.1.0/24  loc:10.1.1.1    tcp  smtp       -  216.236.142.81:10.1.1.1
ACCEPT  loc:10.1.1.0/24  loc:10.1.1.252  tcp  www,https  -  216.236.142.82:10.1.1.1
ACCEPT  loc:10.1.1.0/24  loc:10.1.1.253  tcp  www,https  -  216.236.142.83:10.1.1.1
ACCEPT  loc:10.1.1.0/24  loc:10.1.1.254  tcp  www,https  -  216.236.142.84:10.1.1.1
ACCEPT  loc:10.1.1.0/24  loc:10.1.1.63   tcp  ftp        -  216.236.142.85:10.1.1.1

ACCEPT  net  loc:10.1.1.1   tcp smtp,22,2023,ftp
ACCEPT  net  loc:10.1.1.252 tcp www,https
ACCEPT  net  loc:10.1.1.253 tcp www,https
ACCEPT  net  loc:10.1.1.254 tcp www,https
ACCEPT  net  loc:10.1.1.63  tcp ftp
ACCEPT  net  fw tcp 80
ACCEPT  net  loc:10.1.1.1   tcp pop-3


/etc/shorewall/policy:

#SOURCE DESTINATION POLICY  LOG LEVEL
loc net ACCEPT
loc fw  ACCEPT
fw  loc ACCEPT
loc loc ACCEPT
net all REJECT  info
all all REJECT  info

/etc/shorewall/nat:
#EXTERNAL   INTERFACE   INTERNALALL INTERFACES  LOCAL
216.236.142.81  eth0  10.1.1.1
216.236.142.82  eth0  10.1.1.252
216.236.142.83  eth0  10.1.1.253
216.236.142.84  eth0  10.1.1.254
216.236.142.85  eth0  10.1.1.63


/etc/shorewall/masq
eth0  10.1.1.0/24!10.1.1.252,10.1.1.253,10.1.1.254,10.1.1.1,10.1.1.63

# lsmod
Module            Pages  Used by
ip_nat_ftp         2672  0 (unused)
ip_conntrack_ftp   2848  0 (unused)
3c59x             24504  2

---

Now that (at the suggestion of various list members, including Mr. Eastep) I've
changed the firewall posture from 'relaxed' to 'aggressive', I get hundreds of
hits every day - but nothing when I ftp. So, I assume that the firewall is
*not* blocking the data connection. (There *is* a incoming connection to port
21 shown, e.g., on the weblet, but no other connection.)

Earlier suggestions that there might be a server-side problem are belied by the
fact that two separate servers, one running Unix and the other NT, both ran
properly with both the DSL router and the Cisco PIX that supplanted it. So, I
am missing something. But what?

BTW, I tried replacing ip_conntrack_ftp.o and ip_nat_ftp.o with newer versions
from:

http://leaf.sourceforge.net/devel/jnilo/bering/latest/modules/net/ipv4/netfilter/

and got only panics for my trouble. :-(




[leaf-user] Re: Still can't FTP

2002-08-03 Thread Nachman Yaakov Ziskind

Tom Eastep wrote (on Fri, Aug 02, 2002 at 05:25:08PM -0700):
| On Fri, 2 Aug 2002, Nachman Yaakov Ziskind wrote:
| 
| > Running Bering V1.0-rc2, I am unable to access the internal FTP servers 
| > with passive FTP. I can use command-line FTP, so I am puzzled. 
| > 
| 
| Has anyone on the list gotten a NATed ftp server to work in passive mode?  
| I have corresponded with other Shorewall users that run a monolithic
| 2.4.18 kernel (like Bering) who are having FTP problems.

You mean it's not just me? :-)

| Nachman: What does "grep _ftp /proc/ksyms" show?

c4812920 ip_ftp_lock[ip_conntrack_ftp]
c4812924 ip_conntrack_ftp   [ip_conntrack_ftp]

either with or without a connection attempted. 

NYZ



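The two FTP posts above describe the classic passive-mode-through-static-NAT failure: the server behind 216.236.142.85 answers PASV with its own address, 10.1.1.63, and a port it has just opened. An outside client that obeys that reply tries to connect to an RFC 1918 address and hangs, which matches the symptom (port 21 connection shown, nothing else, session closed on timeout) and explains why the `lsmod` output showing ip_nat_ftp and ip_conntrack_ftp as "(unused)" is the thing to chase. The code below is an added example for this page, not kernel or Shorewall code; it models the two jobs the helper pair does on the control channel: rewriting the advertised address in the 227 reply (which changes the payload length, so TCP sequence numbers must be adjusted) and registering an expectation so the client's data connection to the public address is accepted as related and DNATed to the server. The sample replies are constructed; 10.1.1.63 and 216.236.142.85 are the server's addresses from the posted nat table. It also handles the EPSV form (229 reply), which carries no address and therefore only needs the expectation.

```python
import ipaddress
import re

# Constructed control-channel replies from an FTP server at 10.1.1.63 behind
# static NAT to 216.236.142.85 (addresses from the nat table posted above).
SERVER_REPLY = "227 Entering Passive Mode (10,1,1,63,19,137)"
EPSV_REPLY = "229 Entering Extended Passive Mode (|||5001|)"

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")


def parse_passive_reply(line):
    """(address, port) from a 227 PASV reply; (None, port) from a 229 EPSV
    reply, which carries no address (the client reuses the control peer)."""
    m = PASV_RE.match(line)
    if m:
        a, b, c, d, p_hi, p_lo = map(int, m.groups())
        return f"{a}.{b}.{c}.{d}", p_hi * 256 + p_lo
    m = EPSV_RE.match(line)
    if m:
        return None, int(m.group(1))
    raise ValueError("not a passive-mode reply: " + line)


def without_helper(line):
    """What an outside client does if nothing rewrites the reply: it connects
    to whatever address the server advertised.  For a static-NAT server that
    is its RFC 1918 address, unroutable from the Internet, so the data
    connection never arrives and the session hangs until it times out."""
    addr, port = parse_passive_reply(line)
    reachable = addr is None or not ipaddress.ip_address(addr).is_private
    return {"connects_to": (addr, port), "reachable_from_internet": reachable}


def with_helper(line, private_ip, public_ip):
    """Model of what ip_nat_ftp + ip_conntrack_ftp do for the reply: swap the
    private address for the public one in the payload (tracking the length
    change, which the NAT helper must compensate in TCP sequence numbers) and
    create an expectation: accept the inbound connection to public_ip:port as
    RELATED and DNAT it to private_ip:port."""
    addr, port = parse_passive_reply(line)
    if addr == private_ip:
        new_line = line.replace(",".join(addr.split(".")),
                                ",".join(public_ip.split(".")), 1)
    else:
        new_line = line              # EPSV, or some other address: nothing to rewrite
    expectation = {"accept": (public_ip, port),
                   "dnat_to": (private_ip, port),
                   "seq_delta": len(new_line) - len(line)}
    return new_line, expectation


if __name__ == "__main__":
    print("no helper :", without_helper(SERVER_REPLY))
    print("with helper:", with_helper(SERVER_REPLY, "10.1.1.63", "216.236.142.85"))
    print("EPSV      :", with_helper(EPSV_REPLY, "10.1.1.63", "216.236.142.85"))
```

A quick way to confirm which case you are in on a live box is `ftp -v` against the public address from outside: if the 227 reply still shows the 10.x address, the helper is not touching the connection; if it shows the public address but the data connection is still refused, the expectation (or a rule blocking RELATED traffic) is the problem.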

[leaf-user] Annoying duplex errors

2002-08-12 Thread Nachman Yaakov Ziskind

[Bering rc2] 

... getting lots of errors in both syslog and kern.log:

Aug 12 11:21:21 yoreach kernel: eth0: Transmit error, Tx status register 82.
Aug 12 11:21:21 yoreach kernel: Probably a duplex mismatch.  See Documentation/networking/vortex.txt
Aug 12 11:21:21 yoreach kernel:   Flags; bus-master 1, dirty 3351435(11) current 3351435(11)
Aug 12 11:21:21 yoreach kernel:   Transmit list  vs. c3bf14c0.
Aug 12 11:21:21 yoreach kernel:   0: @c3bf1200  length 8036 status 00010036
Aug 12 11:21:21 yoreach kernel:   1: @c3bf1240  length 8036 status 00010036

etc., etc. filling up the logs. 

I've read the vortex page, and I think that those packets are spurious; since
the firewall works quite well, thank you, changing the duplex mode of my
network card seems not to be in order.

But the messages are quite a bother, and they exhaust the log filesystem.

Is there any way to suppress these error messages, short of turning off logging
altogether?

NYZ




Re: [leaf-user] Annoying duplex errors

2002-08-12 Thread Nachman Yaakov Ziskind

Luis.F.Correia wrote (on Mon, Aug 12, 2002 at 04:31:12PM +0100):
| Well... you could also try using another NIC driver for your board.
| 
| I guess that the 'vortex' series loosely identifies a 3Com card.
| 
| There are a large number of cards that work with that driver. I also
| recall that Donald Becker wrote drivers for those cards.
| 
| Try other drivers and if all still goes wrong, you could also try
| another NIC...

But it's not the NIC or the drivers; they all work splendidly. 

I just want to suppress those error messages ...

| [Bering rc2] 
| 
| ... getting lots of errors in both syslog and kern.log:
| 
| Aug 12 11:21:21 yoreach kernel: eth0: Transmit error, Tx status register 82.
| Aug 12 11:21:21 yoreach kernel: Probably a duplex mismatch.  See
|  Documentation/networking/vortex.txt
| Aug 12 11:21:21 yoreach kernel:   Flags; bus-master 1, dirty 3351435(11)
|  current 3351435(11)
| Aug 12 11:21:21 yoreach kernel:   Transmit list  vs. c3bf14c0.
| Aug 12 11:21:21 yoreach kernel:   0: @c3bf1200  length 8036 status
| 00010036
| Aug 12 11:21:21 yoreach kernel:   1: @c3bf1240  length 8036 status
| 00010036
| 
| etc., etc. filling up the logs. 
| 
| I've read the vortex page, and I think that those packets are spurious;
| since the firewall works quite well, thank you, changing the duplex mode of
| my network card seems not to be in order.
| 
| But the messages are quite a bother, and they exhaust the log filesystem.
| 
| Is there any way to suppress these error messages, short of turning off
| logging altogether?
| 
| NYZ




Re: [leaf-user] Annoying duplex errors

2002-08-12 Thread Nachman Yaakov Ziskind

Luis.F.Correia wrote (on Mon, Aug 12, 2002 at 05:19:08PM +0100):
| My friend, if you are receiving odd kernel errors, it is either a 
| faulty NIC or a puzzled driver.

Or an unhappy router on the other end. Or other faulty hosts on the (outside)
subnet - both things I cannot control.

| I know that 'cause I once had the same problem.
| 
| You know, most of us use rather old NIC's gathered from old PC's.
| At least I do. If you got that card from one of these old doorstop
| computers, who can assure you that it has no problems?

I bought two brand new 3com's for this project.

| Or it could be a faulty cable, or a problem on your HUB/Switch port.

I have one cable, leading to the ISP. Swapping the cable helps not. 

Look at the docs: 

"0x82 
 Out of window collision. This typically occurs when *some other*
 (emphasis added) Ethernet host is incorrectly set to full duplex 
 on a half duplex network. "

 "Both of these errors are the result of network errors that should 
 be corrected. They do not represent driver malfunction."

So, I suspect that the problem is on the other end of the wire. [Therefore]
changing my end will accomplish nothing except breaking what I already have 
in place. I suppose I could open a dialogue to my brain-dead ISP (but, I repeat
myself) and get nowhere, but why?

I'd just like to get rid of the messages. I suppose I could try my hand at re-
writing the driver, but ...

| When transmit errors occour on LAN, it means that there ARE hardware 
| problems.

But not on my machine, I suspect.

| I can understand that since everything works quite well on your 
| internal net and all connections to the internet, your wish is to 
| have those messages removed.

| But removing the messages 'per se' does not solve your problem.

Why not? The messages are precisely the problem. Removing the messages would
solve the problem nicely.

"if it ain't broke, don't fix it."

| Please explain us more about your setup.

Sure: internal LAN talks to one NIC on the router; the other NIC talks to the
ISP which routes for the internet. 

| Luis.F.Correia wrote (on Mon, Aug 12, 2002 at 04:31:12PM +0100):
| | Well... you could also try using another NIC driver for your board.
| | 
| | I guess that the 'vortex' series loosely identifies a 3Com card.
| | 
| | There are a large number of cards that work with that driver. I also 
| | recall that Donald Becker wrote drivers for those cards.
| | 
| | Try other drivers and if all still goes wrong, you could also try 
| | another NIC...
| 
| But it's not the NIC or the drivers; they all work splendidly. 
| 
| I just want to suppress those error messages ...
| 
| | [Bering rc2]
| | 
| | ... getting lots of errors in both syslog and kern.log:
| | 
| | Aug 12 11:21:21 yoreach kernel: eth0: Transmit error, Tx status register 82.
| | Aug 12 11:21:21 yoreach kernel: Probably a duplex mismatch.  See
| |  Documentation/networking/vortex.txt
| | Aug 12 11:21:21 yoreach kernel:   Flags; bus-master 1, dirty 3351435(11)
| |  current 3351435(11)
| | Aug 12 11:21:21 yoreach kernel:   Transmit list  vs. c3bf14c0.
| | Aug 12 11:21:21 yoreach kernel:   0: @c3bf1200  length 8036 status
| | 00010036
| | Aug 12 11:21:21 yoreach kernel:   1: @c3bf1240  length 8036 status
| | 00010036
| | 
| | etc., etc. filling up the logs.
| | 
| | I've read the vortex page, and I think that those packets are 
| | spurious; since the firewall works quite well, thank you, changing the 
| | duplex mode of my network card seems not to be in order.
| | 
| | But the messages are quite a bother, and they exhaust the log 
| | filesystem.
| | 
| | Is there any way to suppress these error messages, short of turning off 
| | logging altogether?




Re: [leaf-user] Bering cd without shorewall

2002-08-13 Thread Nachman Yaakov Ziskind

Jeff Newmiller wrote (on Tue, Aug 13, 2002 at 01:09:52AM -0700):
| On Mon, 12 Aug 2002, Tom Eastep wrote:
| 
| > On Mon, 12 Aug 2002, Cass Tolken wrote:
| > 
| > > I suppose you can take out "shorwall" (note no "e") from the LRP=... in
| > > the syslinux.cfg file and then create your own package with your own
| > > scripts.  But I'd have to ask why?
| > 
| > I wanted to ask the same question but then I'm a bit biased :-)
| 
| I don't recommend removing Shorewall, but it is larger than a very simple
| direct-scripted iptables configuration file would be, and given how some
| people are about disk space, there could be a compelling need.

Couldn't run Shorewall (on a separate box, say), scarf the resulting iptables
commands that result, and implement them directly on the production machine?

NYZ




Re: [leaf-user] Annoying duplex errors

2002-08-13 Thread Nachman Yaakov Ziskind

Charles Steinkuehler wrote (on Mon, Aug 12, 2002 at 02:41:25PM -0500):
| > Ok, I'm game. I can look at my nic card lights to know if I'm at 10 or
| 100, but
| > how do I figure out if I'm half duplex or full duplex? I'm running
| Bering rc-2
| > with 3c59x.o.
| 
| It depends...check the logs for driver messages, and look for a
| low-level diagnostic utility for your NIC driver.  If you using Dan
| Becker's NIC drivers, you can find several utility programs here:
| http://www.scyld.com/diag/
| 
| You probably want mii-diag and vortex-diag...
| 
| NOTE:  This will tell you if you're half or full duplex ON YOUR END, but
| not necessarily what you're attached to (the only info you'll get about
| the far end is from auto-negotiation messages, if the far end supports
| it, and even that could be mis-leading or wrong, since a lot of early
| hardware didn't do auto-negotiation properly).  If your ISP's hardware
| does not properly support auto-negotiation (highly likely, given your
| description of the troubles you're having), you will have to find out
| from them what you're hooked to, or make an educated guess by forcing
| half and full duplex on your end, and seeing what sorts of errors crop
| up.

Ok, the ISP said 10mbps full duplex. I grabbed mii-diag and vortex-diag and 
ran them. Forcing it there does not resolve the errors. Neither did setting it
to half-duplex. Setting to 100mbps just made things worse. :-(

SO, I guess I'll have to live with the error messages ...



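The thread above ends with the messages still coming and a 2 MB RAM-disk log area that fills up, after which Bering stops logging, which is the real operational risk: a flood of one harmless kernel complaint blinds the box to everything else it would have logged (including the firewall's own REJECT entries). The code below is an added example for this page, not part of Bering, syslogd or klogd, and it does not change anything on the firewall; it shows the two options the original post asked about applied to a log stream offline: dropping messages that match a pattern outright, and collapsing repeats of the same message template (counters, ring indices and hex addresses masked) into one record with a count and a first/last timestamp, the way a per-template "last message repeated N times" would. The sample lines are constructed from the block posted above, with the addresses and counters made up, plus one unrelated sshd line to show that non-kernel entries pass through untouched.

```python
import re

SYSLOG_RE = re.compile(r"^([A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (\S+) kernel: (.*)$")
# counters, ring indices, 8-digit hex addresses/status words -> '#'
NUMERIC_RE = re.compile(r"0x[0-9a-fA-F]+|\b[0-9a-f]{6,8}\b|\d+")


def signature(msg):
    """Template of a kernel message with all varying numbers masked, so every
    instance of the same complaint collapses into one bucket."""
    return NUMERIC_RE.sub("#", msg).strip()


def summarize(lines, drop=()):
    """Collapse repeated kernel messages into one record per (host, template)
    with first/last timestamp and a count.  `drop` holds regexes for messages
    to discard outright.  Non-kernel lines are returned unchanged."""
    drop_res = [re.compile(p) for p in drop]
    buckets, order, passthrough = {}, [], []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            passthrough.append(line)
            continue
        ts, host, msg = m.groups()
        if any(r.search(msg) for r in drop_res):
            continue
        key = (host, signature(msg))
        b = buckets.get(key)
        if b is None:
            b = buckets[key] = {"host": host, "first": ts, "last": ts,
                                "count": 0, "example": msg}
            order.append(key)
        b["last"] = ts
        b["count"] += 1
    return [buckets[k] for k in order], passthrough


def render(summary):
    return [f"{b['first']} .. {b['last']} {b['host']} kernel: [x{b['count']}] {b['example']}"
            for b in summary]


def burst(ts, n):
    """One constructed 3c59x burst modelled on the posted block (addresses made up)."""
    return [
        f"{ts} yoreach kernel: eth0: Transmit error, Tx status register 82.",
        f"{ts} yoreach kernel: Probably a duplex mismatch.  See Documentation/networking/vortex.txt",
        f"{ts} yoreach kernel:   Flags; bus-master 1, dirty {n}(11) current {n}(11)",
        f"{ts} yoreach kernel:   Transmit list c3bf1200 vs. c3bf14c0.",
        f"{ts} yoreach kernel:   0: @c3bf1200  length 8036 status 00010036",
    ]


SAMPLE = (burst("Aug 12 11:21:21", 3351435)
          + ["Aug 12 11:21:30 yoreach sshd[212]: Accepted publickey for root from 10.1.1.5"]
          + burst("Aug 12 11:21:44", 3351502)
          + burst("Aug 12 11:22:09", 3351570))

# Patterns matching the five lines of a 3c59x duplex-mismatch burst and nothing else.
VORTEX_DROP = [r"Tx status register", r"duplex mismatch",
               r"^\s*(Flags;|Transmit list|\d+: @)"]

if __name__ == "__main__":
    summary, rest = summarize(SAMPLE)
    for line in render(summary) + rest:
        print(line)
```

Whichever route you take on the box itself, keep the first occurrence and a count rather than dropping the template blind: the same Tx error surfacing at a different rate, or on eth1 instead of eth0, is information you want, and a pattern that silently discards everything from the driver will also hide the day the card really does fail.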

Re: [leaf-user] LEAF -vs- Cisco...what's YOUR opinion?

2002-08-21 Thread Nachman Yaakov Ziskind

Craig wrote (on Wed, Aug 21, 2002 at 12:28:01PM -0700):
| Hi folks,
| I read the article in last month's Linux Journal about LEAF -vs- Cisco
| but unfortunately, I don't think they came to any real conclusions. I
| was particularly interested because I would like to use LEAF (Bering in
| particular) at my company (and I was hoping the article would provide
| some credible statistics)...but I'm afraid management will sneer and
| "poo-poo" my decision to implement it. I think they feel, like I'm sure
| other businesses feel, that because they've heard their competitor Brand
| X uses a Cisco router (oooh, ahhh), that it MUST be the smart thing to
| do. So, I thought I would ask so many of you who probably know both of
| these products like the "back of your hand", and probably use them on a
| daily basis. So...how DOES Linux/LEAF compare to Cisco? Do you think
| that Linux/LEAF can handle most business scenarios? I know Charles says
| that he uses Dachstein at his businesses. What do you think are its
| limitations? Other comments? Thank you as always.
| 
| Craig

I've used both PIX 506 and Bering for the same purpose. Cisco costs a little
more (1,000 - 1,500) but the main difference is power vs. configurability.
Cisco has a nice, polished CLI - still a steep learning curve. But there are
somethings it just will not do (in my case, Static NAT port forwarding), and
then you are SOL. Linux, on the other hand, lets you do whatever you want to,
but the learning curve is steeper still for a newbie. Support is better on the
Cisco side, but Linux has the power of the internet.

If you have a gearhead in your shop, Linux is a clear win. Otherwise, buy both
- very much not a waste of money. If Linux wins, you can always find something
for Cisco to do. If Cisco wins, well a good Linux box can always do something
else. And it doesn't hurt to have two firewalls, right?





[leaf-user] VPN Suggestions?

2004-03-16 Thread Nachman Yaakov Ziskind
I'd like to implement a VPN at work (seems to be the in thing to do); I don't
really so much want encryption (but I'll take it :-) as better user
authentication (right now, I use TCP Wrappers and firewall rules to keep out
undesirables; this is becoming more and more unworkable as folks wish to
connect  with dynamic IP addresses). Right now, I have Bering V1.0-RC2 running
off a floppy (love that firewall!) and a Mandrake box on the interior.

Primary criterion: ease of setup on the admin's part. :-)

Any suggestions would be appreciated.

Thanks!

-- 
_________
Nachman Yaakov Ziskind, EA, LLM [EMAIL PROTECTED]
Attorney and Counselor-at-Law   http://ziskind.us
Economic Group Pension Services http://egps.com
Actuaries and Employee Benefit Consultants




Re: [leaf-user] VPN Suggestions?

2004-03-17 Thread Nachman Yaakov Ziskind
> -Original Message-
> 
> I'd like to implement a VPN at work (seems to be the in thing to do); I don't
> really so much want encryption (but I'll take it :-) as better user
> authentication (right now, I use TCP Wrappers and firewall rules to keep out
> undesirables; this is becoming more and more unworkable as folks wish to
> connect  with dynamic IP addresses). Right now, I have Bering V1.0-RC2 
> running off a floppy (love that firewall!) and a Mandrake box on the 
> interior.
> 
> Primary criterion: ease of setup on the admin's part. :-)
> 
> Any suggestions would be appreciated.
> 
> Thanks!

Jorn Eriksen wrote (on Wed, Mar 17, 2004 at 12:15:47PM +0100):
> Norman,
> 
> I've used PPTP for quite some time.  It's very stable!  The best thing is 
> that it do not require ANY software on W2K / XP machines...
> 
> Have a look here for details:
> http://leaf.sourceforge.net/devel/jnilo/bering/latest/packages/pppd/

Thanks, Jorn. But I am now confused - there was very little documentation
there. And, from Googling, I see that pppd is supposed to transmit datagrams
over serial links - and I'm not sure how that fits in to a VPN over broadband
ethernet, or how pppd relates to pptp. 

Can you point me to some documentation?

Thanks!



[leaf-user] Bering uClibc docs

2007-10-16 Thread Nachman Yaakov Ziskind
The docs I downloaded (500+ separate web pages) indicate that there's a
.pdf flat file out there, but the link just brings back to where I
started. 

Anyone know where the .pdf (or a flat file .html) lives?

Thanks!

