Re: [leaf-user] LEAF Print Server

2007-10-19 Thread Paul G Rogers
You may want to first confirm if the P2015 is capable of
running off a print server.  Some of the lower HP printers
require being hooked directly to a Windows PC in order for 

No, there are drivers for Linux.  I run my HP DeskJet 820Cse Winprinter
on Linux. He'd need the pnm2ppa package.  Getting them to run in LEAF
uClibc would be something else again.


Paul Rogers  ([EMAIL PROTECTED])
http://www.xprt.net/~pgrogers/
http://www.geocities.com/paulgrogers/
Rogers' Second Law: Everything you do communicates.
(I do not personally endorse any additions after this line. TANSTAAFL 
:-)




leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/


Re: [leaf-user] The old floppy question

2007-07-19 Thread Paul G Rogers
This may be prudent, but it may not be reality.  If you were worried 
about resiliency, would you be using old or repurposed hardware to 
begin with?

Because some people (owners, bosses, comptrollers, et al) pinch pennies. 
Cost reduction is the business mantra these days.  There's always some
old box around that's been amortized down to nothing that can do the job.
If you can do the job without spending money, vs. spending money to do
the same job, guess which they choose?

I agree that CF's or USB sticks are a better choice, 

If they are for you, feel free.  Why impose your preferences on everybody
else?

but the user base seems to be indicating that the floppy isn't dead yet.

Not around here.  Besides, NOBODY walks away with a diskette!  ;-) 
Thumbdrives seem to come with feet.

Paul Rogers  ([EMAIL PROTECTED])
http://www.xprt.net/~pgrogers/
http://www.geocities.com/paulgrogers/
Rogers' Second Law: Everything you do communicates.
(I do not personally endorse any additions after this line. TANSTAAFL 
:-)




Re: [leaf-user] The old floppy question

2007-07-19 Thread Paul G Rogers
main Hw decides to buy the farm. I have recently also salvaged a 5 1/2
floppy drive just in case I want to go really medieval on this...and yes
I have the floppies for a lifetime. I could always go to the
Pc-superstore

We also keep OLD hardware around, just in case.  There's never enough
budget to recopy all our old backups to new media, and our legal
department wouldn't even allow it.  We try hard to preserve our ability
to read any media we've ever used, even if we're not sure, but think
maybe someone might have, somewhere.

When NASA was planning its missions to Jupiter, it figured out it had
some useful data from old Voyager missions.  They found the tapes, nicely
cataloged.  But they were 7-track tapes.  Over the years ALL their
computers had been upgraded and replaced.  Call IBM!  Sorry, Sir, we
don't have any customers with maintenance contracts on 7-track tape
drives.  We don't know where you could read those tapes.  Have you tried
one of the computer museums?  Then MAKE us one!  Umm, we'll get back
to you, Sir.  Sir, we're sorry, we can find some old 9-track drives,
but we don't have any 7-track heads in any inventory.  We haven't made
any of those since the 50's.  Months later.  Umm, Sir?  Are you still
interested in a 7-track tape drive?  One of our people found one that had
fallen behind a rack.  We might be able to re-engineer one of the last
9-track drive models to use it.  Would you like an RPQ? (Request for
Price Quotation)  Sir, we have your RPQ available.  That would be
$1,000,000.  Would you like us to proceed?

Paul Rogers  ([EMAIL PROTECTED])
http://www.xprt.net/~pgrogers/
http://www.geocities.com/paulgrogers/
Rogers' Second Law: Everything you do communicates.
(I do not personally endorse any additions after this line. TANSTAAFL 
:-)




Re: [leaf-user] Seeking Samba v3 Pkg for BuCv3

2007-05-11 Thread Paul G Rogers
I'm setting up a FAT32 fileserver and thought that LEAF would make a 
nice tight base upon which to build that ... and I know LEAF quite 
well.

Pardon my asking but, why on Earth would anyone want Samba on a perimeter
firewall/router?!

Paul Rogers  ([EMAIL PROTECTED])
http://www.xprt.net/~pgrogers/
http://www.geocities.com/paulgrogers/
Rogers' Second Law: Everything you do communicates.
(I do not personally endorse any additions after this line. TANSTAAFL 
:-)




[leaf-user] Dropping a link

2007-03-19 Thread Paul G Rogers
I'm still using Bering-1.2--it doesn't seem to be broke.  ;-)  I've got
it running on a computer in a room that's typically closed and unheated. 
The problem I'm having is I'm getting a little forgetful in my
maturity.  Sometimes I forget to turn it off, and it hangs onto the
dial-up line for a long time.  (There are enough scanners and pingers out
there to keep pppd from dropping it for lack of activity most of the
time.)  Is there some way I can tell pppd to ignore external activity
when it times-out the link?  

I just added a line to /etc/cron.d/multicron to run /usr/bin/poff at
midnight--so at least it won't stay up all night, again.  Something
better I could do?

Paul Rogers  ([EMAIL PROTECTED])
http://www.xprt.net/~pgrogers/
http://www.geocities.com/paulgrogers/
Rogers' Second Law: Everything you do communicates.
(I do not personally endorse any additions after this line. TANSTAAFL 
:-)




Re: [leaf-user] connectivity

2007-02-23 Thread Paul G Rogers
But modem appears to be in sync, for all that time. I'll start next 
machine and see the log again.

Yeah, but that's on the other side, isn't it?  Between your DSL modem and
your provider?  

 How can I check this?
 If so, can you check if this is due to excessive traffic or some
 ethernet problem?

You might try running a netstat before and after.




Re: [leaf-user] Modules

2007-01-04 Thread Paul G Rogers
I was suspicious that it was smaller, and there were so many new
modules.

On second look, it wasn't so much smaller.  Why were some modules
selected for the tarball and others left out?

 VFS: Can't find a Minix or Minix V2 filesystem on device 08:01.

The last line looks a bit suspicious, it has nothing to do with the scsi
driver but something is not working properly.

No, it's right.  The drives aren't Minix filesystems.

I wonder where you found that stuff, the only place I know of with some
old cruft is the
http://leaf.cvs.sourceforge.net/leaf/src/bering-uclibc/configs/;
directory. But this directory can only be removed by the sourceforge
staff.
All sources (up to date) are in the
http://leaf.cvs.sourceforge.net/leaf/src/bering-uclibc/apps/; 
directory.

I was just looking under every rock that looked like it might hide
something interesting.  My suggestion would be README files in the first
few levels of directories identifying contents and pointers to
alternative locations for similar or updated content.

Yup, I was about to remove that option from the kernel config ;-)

No, I think that would be a mistake.  (Now I need to edit root.blk to add
SCSI CDROMs.)  The thing is, many of us don't buy into the Detroit
Paradigm of upgrading HW/SW vendors try to sell users on.  Faster isn't
necessarily better, especially when it comes bundled with the expensive
latest version of, umm, bloatware.  ;-)  When one has older hardware,
it may be necessary or desirable to use contemporaneous software.  It
can be very frustrating when it's all been dumped into the bit-bucket. 
I'm still using Bering-1.2 on my firewall.  It doesn't seem to be broke,
and I don't really want to suffer the outage for doing the upgrade. 
Something could happen.

 to miss clues.  But ya' know, in my entire career, error messages have
 NEVER been as helpful as they need to be and they've never gotten any
 better.

And that's been a while.  You might be amazed about the first computer I
programmed:
http://www.xprt.net/~pgrogers/Ibm1620.html


Paul Rogers  ([EMAIL PROTECTED])
http://www.xprt.net/~pgrogers/
http://www.geocities.com/paulgrogers/
Rogers' Second Law: Everything you do communicates.
(I do not personally endorse any additions after this line. TANSTAAFL 
:-)




Re: [leaf-user] Modules

2007-01-03 Thread Paul G Rogers
I will compile a 2.4.32 driver for you this evening (UTC), I hope that
one's working...

No need (Sorry, I'm 9hrs behind you, this might be too late).  I
recompiled this evening using your config file, and...  TADA!!!

Linux version 2.4.32 ([EMAIL PROTECTED]) (gcc version 3.3.3) #1 Sat Mar 4
21:00:13 CET 
...8...
Freeing unused kernel memory: 60k freed
Uniform Multi-Platform E-IDE driver Revision: 7.00beta4-2.4
ide: Assuming 50MHz system bus speed for PIO modes; override with
idebus=xx
ide2: ports already in use, skipping probe
SCSI subsystem driver Revision: 1.00
scsi0 : Adaptec AIC7XXX EISA/VLB/PCI SCSI HBA DRIVER, Rev 6.2.36
Adaptec 274X SCSI adapter
aic7770: Twin Channel, A SCSI Id=7, B SCSI Id=7, primary A, 4/253
SCBs

(scsi0:A:0): 10.000MB/s transfers (10.000MHz, offset 15)
  Vendor: SEAGATE   Model: ST51080N  Rev: 0943
  Type:   Direct-Access  ANSI SCSI revision: 02
(scsi0:A:4): 4.032MB/s transfers (4.032MHz, offset 15)
  Vendor: TOSHIBA   Model: CD-ROM XM-3401TA  Rev: 3593
  Type:   CD-ROM ANSI SCSI revision: 02
scsi0:A:0:0: Tagged Queuing enabled.  Depth 253
Attached scsi disk sda at scsi0, channel 0, id 0, lun 0
SCSI device sda: 2109840 512-byte hdwr sectors (1080 MB)
Partition check:
 sda: sda1 sda2  sda5 
eth0: 3c5x9 at 0x5000, BNC port, address  00 20 af 2c 8e 02, IRQ 9.
3c509.c:1.19 16Oct2002 [EMAIL PROTECTED]
http://www.scyld.com/network/3c509.html
eth0: Setting Rx mode to 1 addresses.
VFS: Can't find a Minix or Minix V2 filesystem on device 08:01.


Thanks for your help, Eric.  I was over the edge on this one.  I didn't
really expect this to work.

Paul Rogers  ([EMAIL PROTECTED])
http://www.xprt.net/~pgrogers/
http://www.geocities.com/paulgrogers/
Rogers' Second Law: Everything you do communicates.
(I do not personally endorse any additions after this line. TANSTAAFL 
:-)




Re: [leaf-user] Modules

2007-01-02 Thread Paul G Rogers
That shouldn't be a problem, you can just download a pristine 2.4.32 
kernel and unpack in a directory of choice. Do a make menuconfig, 
make dep and make modules. As long as you don't do a make install, it 
won't mess up your running system.
After that just replace the module. No need for an uClibc environment.

OK, I tried, but insmod gives me a couple screens of unresolved
references.  Here's what I did:

On my 2.4.31 system, root ran make clean.  Then as unprivileged paul
copied /usr/src/linux/* to a directory of my own, make mrproper, patched
with 2.4.32, ran make menuconfig  make dep bzImage modules.  Then I
copied drivers/scsi/aic7xx/aic7xxx.o to the floppy.  It was smaller.  But
there are a lot of other object files there too, e.g. aic7xxx_core.o,
etc.  Find didn't show me an aic7xxx.o object file elsewhere.  I don't
know what these other files are about, but the name aic7xxx_core.o is
suggestive.  It's too big to get on the boot floppy with everything else.

That led me to question whether the kernel EISA support was enabled,
since you _did_ say, But EISA and VL are obsoleted for at least 10
years.  So I tried to find the config file you said was on the CVS. 
You probably read about that already.  A long time later I found a link
buried in one of the development doc files that took me to CVS files for
2.4.24, and there seemed to be something for 2.4.26, but nothing for
2.4.32.  I even tried coming in from Sourceforge, and it was easier to
get to the CVS that route, but it eventually led me to apparently the
same places.

With no other clues I went back to the kernel files and read
drivers/scsi/aic7xxx/README.aic7xxx.  It said I could insmod with
options aic7xxx aic7xxx=probe_eisa_vl to toggle the switch if it wasn't
compiled on.  I've tried that and got the same no such device error.

Paul Rogers  ([EMAIL PROTECTED])
http://www.xprt.net/~pgrogers/
http://www.geocities.com/paulgrogers/
Rogers' Second Law: Everything you do communicates.
(I do not personally endorse any additions after this line. TANSTAAFL 
:-)




Re: [leaf-user] Modules

2006-12-31 Thread Paul G Rogers
Which eisa modules?
All 2.4.2 kernel modules can be found in the kernel 2.4.32 tarball:

Apologies, my bad.  I don't know what I was thinking--must have been
having another senior moment.  Of course, you can't have system bus,
e.g. EISA, support compiled as a module!

I was trying to access SCSI drives on this EISA box with an Adaptec 2742
 3COM 3C579. Loaded scsi_mod  sd_mod OK, but insmod of the I/F driver
produced:
insmod: init module: aic7xxx: No such device
So I thought maybe the EISA support was missing.  But it found 
initialized the NIC  eth0!  Funny thing is, aic7xxx works with a
trinux-derived boot disk I made and a 2.4.21 kernel.

Paul Rogers  ([EMAIL PROTECTED])
http://www.xprt.net/~pgrogers/
http://www.geocities.com/paulgrogers/
Rogers' Second Law: Everything you do communicates.
(I do not personally endorse any additions after this line. TANSTAAFL 
:-)




Re: [leaf-user] CD hangs at LINUXRC: Loaded Packages

2006-12-25 Thread Paul G Rogers
Take a look to your leaf.cfg
Probably it is in windows format (cr/lf) and not in unix format (lf 
only)

Last month I needed to build a boot floppy for another purpose.  I
shamelessly adapted Bering uClibc (Thanks guys, you made it a piece of
cake).  But realizing that others might need to edit the cfg file(s) from
a DOSish environment and put in CR/LF, my version of linuxrc copies the
cfg files to the RAM disk with tr and filters CR out.  Shouldn't Bering
do that also?  It's just one line.
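
The CR filter described in the post above, as an added example that is not part of the original message and is not LEAF's linuxrc. The file names, variable names and values are constructed; it shows why a CR/LF config breaks a script that sources it and that the tr copy removes the problem.

```shell
#!/bin/sh
# Added illustration, not LEAF's linuxrc. File names, variable names and
# values are constructed sample data.

# copy_cfg_stripped SRC DST
# Copy a config file, deleting every CR byte, so a file saved with DOS
# (CR/LF) line endings arrives with Unix (LF) endings.
copy_cfg_stripped() {
    tr -d '\r' < "$1" > "$2"
}

# has_cr FILE
# Succeed if FILE contains at least one CR byte.
has_cr() {
    [ -n "$(tr -cd '\r' < "$1")" ]
}

# read_cfg_var FILE NAME
# Source FILE in a subshell, the way a boot script reads its settings,
# and print the value NAME ends up with.
read_cfg_var() {
    ( . "$1" >/dev/null 2>&1; eval "printf '%s' \"\${$2}\"" )
}

demo() {
    dir=$(mktemp -d) || return 1
    # Constructed config as a DOS editor would save it: CR/LF on every line.
    printf 'PKGDEV=/dev/fd0\r\nPKGLIST="root etc"\r\n' > "$dir/sample.cfg"

    raw=$(read_cfg_var "$dir/sample.cfg" PKGDEV)
    copy_cfg_stripped "$dir/sample.cfg" "$dir/clean.cfg"
    clean=$(read_cfg_var "$dir/clean.cfg" PKGDEV)

    # The CR becomes the last character of the value, so the unfiltered
    # copy yields a device name one character longer that matches nothing.
    echo "unfiltered: ${#raw} chars, filtered: ${#clean} chars"
    if has_cr "$dir/clean.cfg"; then echo "CR still present"; fi
    rm -rf "$dir"
}

demo
```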




[leaf-user] Security and LEAF Bering UClibc

2005-08-03 Thread Paul G Rogers
I'm a Bering user, not a developer, but I too found the issues raised by
Troy and Richard relevant and interesting.  May I contribute some
thoughts, even if they are more psychological than technical?

Troy wished for apt-get functionality.  While I can understand the desire
for automating the process, I'm not so sure it's that great an idea when
it comes to security.  To me it's analogous to Americans' desire for a
simple little pill that will keep them thin and fit.  In both cases, it
seems to me the greater part of the value is in doing the work yourself.

It seems it would only exacerbate Richard's search for proof that would
reassure his boss.  If Bering were updated automagically, and one began
to rely on that, how long would it take for one to lose track of just
what the state of Bering's protections were?  Would you be more confident
or less?

I think I'm more on Martin's side.  

A considerable advantage of Bering, as opposed to a full-function Linux
distribution as a front-line defense, is the restriction on what is
there.  Supposing one did break-in and achieve a console prompt, there
are no compiler or tools there to assist one in going further and
penetrating the internal network.  That's not to say that it can't be
done without them, but that it's harder, rather than simpler as with a
full-featured distro, and probably beyond the capabilities of amateur
script-kiddies.

While watching the logs only reveals what was caught, and not what might
have been able to sneak through undetected (perhaps because it was
invited in by allowing some browser helper to install itself),
examining and perhaps reporting to the boss on all the attacks which were
detected and defeated does provide some measure of confidence.  It's
important to recognize that even with Bering functioning at the border,
an internal intrusion detector provides that final measure of confidence
that what, if anything, comes through will be detected.  Bering doesn't
relieve one of this responsibility.  And it is necessary on an internal
network of significant size to protect itself from internal as well as
external attacks.

Doing one's own maintenance and upgrades of Bering means one knows just
what's there, and gives one the opportunity to examine its README,
CHANGELOG, etc.  If there is a flaw there, it is that the
installer/sysadmin installing and maintaining Bering hasn't been
publicizing just what Bering is in fact doing, and NOT doing, to protect
the internal network.  Management should be made aware and up to date on
just what Bering is doing.

No, I think since it involves security, automating Bering maintenance
isn't necessarily a good idea for the network sponsors.


Paul Rogers  ([EMAIL PROTECTED])
http://www.xprt.net/~pgrogers/
http://www.geocities.com/paulgrogers/
Rogers' Second Law: Everything you do communicates.
(I do not personally endorse any additions after this line. TANSTAAFL 
:-)





[leaf-user] Re: leaf-user digest, Vol 1 #2438 - 8 msgs

2004-10-03 Thread Paul G Rogers
Subject: Re: [leaf-user] Weblet not rendering in Mozilla
From: Calvin Webster [EMAIL PROTECTED]
Looks like this time I'll have to find or build an RPM for the latest
Mozilla (or better, Firefox). I'll try a connection from my home office
RHL 7.3 machine running firefox too to see if that makes a difference.
If it's a problem with the Mozilla engine, it'll probably fail there too
since it's based on Mozilla.

Firefox's installer versions since 0.8 have problems installing on RHL8
and some other systems, there's a problem #618 with xpistub.  However,
0.8 w/o installer on RHL8 and 1.0PR on W95 both render the weblet.

Paul Rogers  ([EMAIL PROTECTED])
http://www.xprt.net/~pgrogers/
http://www.angelfire.com/or/paulrogers/
Rogers' Second Law: Everything you do communicates.
(I do not personally endorse any additions after this line. TANSTAAFL 
:-)




leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html


[leaf-user] Re: leaf-user digest, Vol 1 #2427 - 196 msgs

2004-09-23 Thread Paul G Rogers
Today's Topics:

   1. WINSCP dropbear and editing LEAF conf files (Victor McAllister)
   2. RE: WINSCP dropbear and editing LEAF conf files (David Pitts)
   3. Re: editing lrp files in windows (Christian HOSTELET)
...8...
  190. Re: Shorewall rfc1918 list (M Lu)
  191. Re: Shorewall rfc1918 list (Erich Titl)
  192. Re: Shorewall rfc1918 list (M Lu)
  193. Re: Shorewall rfc1918 list (Erich Titl)
  194. Re: Shorewall rfc1918 list (M Lu)
  195. Re: Shorewall rfc1918 list (Erich Titl)
  196. Re: Shorewall rfc1918 list (M Lu)


Fortunately my email client cut the message at 60K.  I hope this was a
one-time aberration.

Paul Rogers  ([EMAIL PROTECTED])
http://www.xprt.net/~pgrogers/
http://www.angelfire.com/or/paulrogers/
Rogers' Second Law: Everything you do communicates.
(I do not personally endorse any additions after this line. TANSTAAFL 
:-)





[leaf-user] Re: leaf-user digest, Vol 1 #2420 - 7 msgs

2004-09-23 Thread Paul G Rogers
On Thu, 23 Sep 2004 10:47:15 +0100 James Neave
[EMAIL PROTECTED] writes:
But simple to start with, a windows or platform independent application
that automates the download, assembly and initial configuration (meaning
the necessary steps from the installation docs) would greatly increase
the accessibility of LEAF for the likes of, well, me.

James.

It's that platform independent part that I anticipated would be
troublesome.  The developers must speak for themselves, but I've gotten
the impression that developers in the Linux community at large would
rather have a root canal than develop software for Windows.  The only
common language between them I can think of might be Java, which in the
Windows environment is sort of stuck in MSIE, for those versions which
provide Java support at all.  ;-)

Paul Rogers  ([EMAIL PROTECTED])
http://www.xprt.net/~pgrogers/
http://www.angelfire.com/or/paulrogers/
Rogers' Second Law: Everything you do communicates.
(I do not personally endorse any additions after this line. TANSTAAFL 
:-)






[leaf-user] Re: leaf-user digest, Vol 1 #2420 - 7 msgs

2004-09-19 Thread Paul G Rogers
From: Tom Eastep [EMAIL PROTECTED]

I experimented with a parameterized Shorewall configuration for a while.
What I found was that it made it easier for people to install Shorewall
initially, but the first time that they wanted to do something for which
there wasn't a parameter, they had to deal with a complete paradigm
shift. I concluded that it was better to force users to deal with real
Shorewall configuration from the outset.

Tom, I agree with that, but if parameterization simplifies initial
installation of the default Shorewall, that would be worthwhile.  I
suppose anybody who knows they need customized tables won't have any
problems with the paradigm shift.  You're still providing a simpler way
for the average user to get his LEAF firewall functioning.


I agree that the biggest problem with LEAF is that it is way too labor
intensive to install and maintain -- I've never been willing to spend
the extra time fiddling with my firewall that running LEAF requires.

What I don't agree with is the idea that since the whole thing can't be
simplified, none of it should be.  Simple setups, setting the chat
scripts, IP addresses, etc., could be simplified.

The bottom line is if users want/need a firewall, they will use one they
can use.  If LEAF developers insist the user has to know his/her way
around a dozen *nix configuration files, then those are the only users
who will gravitate to LEAF.  That's by far a minority of all the users
who want/need a firewall like LEAF.  It's not enough to provide the
documentation, for a first time user the documentation itself can be
daunting--it's written by the experts!  

From: K.-P. Kirchdörfer [EMAIL PROTECTED]
Preparing new package versions is improved with the move to make use 
of buildtool.

There are remaining issues to simplify remote maintenance - and 
upgrading to a newer version (incl. heavy stuff like kernel updates).
A solution may require a new packaging tool...

Any ideas how to make installation/configuration easier?

Firewall users are not so likely to be Linux users.  Most Linux distros
come with installable/installed firewalls, and workstations can be made
fairly secure in themselves.  A LEAF installation tool should either run
with whatever OS the user has and is seeking to protect, i.e. most likely
Windows, or it should include its own OS.  Do the developers want to
develop a Windows-based customization tool?  Now, one of LEAF's
attractions is running from a floppy, but even with a 1680KB floppy
there's little room left.  So if developers choose this route the initial
download would likely be two diskettes, one for the customization tool
and some packages, and one for the common code base to be customized. 
Certainly both are do-able, but trying to develop a useful customization
tool isn't easy.

From: K.-P. Kirchdörfer [EMAIL PROTECTED]
 boot non-standard floppies, so I had to make it boot with grub from
 an IDE drive shared with RHL and Win98--and then disable the IDE
 support once it connects. 

That sounds really complicated - I wonder why you just didn't buy a 
CD-ROM for next to nothing, I recently paid less than 1 US$ on ebay.

It was complicated--I had to get help to do it.  The box already has a
CD-ROM drive.  But this way I can still run lrconfig BEFORE I make a
connection and save the changes--not so easy with a CD!  ;-)


Depends on your needs  - Bering-uClibc provides a newer kernel, 
updated packages, ipv6 and some features more requested by users. If you
are not that paranoid, there is no need to upgrade.

But I would like to see some of those sorts of upgrades to Bering 1.2.


Paul Rogers  ([EMAIL PROTECTED])
http://www.xprt.net/~pgrogers/
http://www.angelfire.com/or/paulrogers/
Rogers' Second Law: Everything you do communicates.
(I do not personally endorse any additions after this line. TANSTAAFL 
:-)





[leaf-user] Re: leaf-user digest, Vol 1 #2419 - 6 msgs

2004-09-17 Thread Paul G Rogers
I'm still receiving them, and saving them against the day I need them,
but rarely reading them.

1. Our releases are pretty mature and stable, so less goes wrong on the 
code side. So there is less to ask about.

I think that's part of it.  People don't want 1/4 drills, they want
1/4 holes!  My Bering 1.2 seems to be protecting me.  Last work I did
was when I changed boxes and the new one didn't want to boot non-standard
floppies, so I had to make it boot with grub from an IDE drive shared
with RHL and Win98--and then disable the IDE support once it connects. 
When the uClibc version came out what I saw seemed to present me with the
option of doing nothing or hassling with another difficult installation
and customization?


2. There are a LOT of other router-scale Linux distros out there. We have
more competition.

From the user's point of view, most don't understand all the details of
firewalling, able to judge the benefits of Shorewall vs other approaches.
But what they do experience is the installation and customization
process.  I've always felt Bering should have easier ways to customize
all its parameters.  Granted grand schemes would be difficult to do and
keep everything small, but a parameterized variables file wouldn't be so
large.


3. Home NATing routers from Linksys, Netgear, D-Link, and the rest are more
competitive with home-built routers than they used to be. Plain routers are
dirt cheap, and even ones with 802.11g can be almost free (I just bought
one for about $US2, net after a $30 rebate) ... just try to get 802.11g (or
even b) working with Linux. Hah!

True.  I'm afraid any vulnerability, perhaps influenced by their race to
sell product as cheaply as possible, would spread like wildfire.  And
updates, such as when I went from Bering 1.0 to 1.2, means buying a new
box.


Paul Rogers  ([EMAIL PROTECTED])
http://www.xprt.net/~pgrogers/
http://www.angelfire.com/or/paulrogers/
Rogers' Second Law: Everything you do communicates.
(I do not personally endorse any additions after this line. TANSTAAFL 
:-)





[leaf-user] setserial for Bering 1.2

2004-05-14 Thread Paul G Rogers
Can anybody direct me to a version of setserial I can run on Bering 1.2? 
I'm trying to use a USR 3CP5610A.  These modems apparently have some
idiosyncrasies, e.g. insisting on being COM5, etc.  I looked on the site,
and some of the developers' pages, but didn't see one.

Paul Rogers  ([EMAIL PROTECTED])
http://www.xprt.net/~pgrogers/
http://www.angelfire.com/or/paulrogers/
Rogers' Second Law: Everything you do communicates.
(I do not personally endorse any additions after this line. TANSTAAFL 
:-)





[leaf-user] Bering/Grub on Compaq 2266

2004-05-10 Thread Paul G Rogers
I'm trying to port Bering 1.2 to a Compaq 2266.  It should be trivial,
but the BIOS refuses to recognize a 1680KB extended format floppy, so
syslinux won't boot it.

Now, one of my primary criteria for my firewalls is not to allow access
to permanent storage.  It has a 4GB HD, and the current configuration is:
hda0: Win98SE (for easier control of the PCI NIC & modem),
hda1: swap
hda2: RHL7.2 (to control grub, among other things),
hda3: LEAF/Bering.

I had hopes I could get the floppy-based Bering running from the HD
without even allowing IDE drivers in the system, tried that and got
Bering running with grub to the point that LINUXRC couldn't load the
packages, but now see in the documentation I need to add IDE drivers to
/boot/modules.

Darn.  So now my question is what can I do to prevent a hacker able to
penetrate Bering (which I believe hasn't yet been demonstrated) from
accessing the hard drive?  Unmount & remove /dev/hda3?  Unload & remove
the drivers from /boot/modules?  Something else?  (I realize this is only
a bit of sleight of hand, hiding something present, hoping it isn't
discovered.)

p.s. I thought maybe I could get grub to chainload syslinux:
    title LEAF/Bering via syslinux
    hide (hd0,0)
    unhide (hd0,3)
    makeactive
    rootnoverify (hd0,3)
    chainloader +1
but I haven't quite figured that out yet.  Has anybody gone this way?


Paul Rogers  ([EMAIL PROTECTED])
http://www.xprt.net/~pgrogers/
http://www.angelfire.com/or/paulrogers/
Rogers' Second Law: Everything you do communicates.
(I do not personally endorse any additions after this line. TANSTAAFL 
:-)





[leaf-user] Re: leaf-user digest, Vol 1 #2256 - 14 msgs

2004-04-28 Thread Paul G Rogers
From: waeos [EMAIL PROTECTED]
Subject: [leaf-user] Added host to DMZ; host sees anything; no one sees host (ping)

#EXTERNAL        INTERFACE  INTERNAL      ALL INTERFACES  LOCAL
212.202.143.196  etho       10.22.22.196  Yes

Shouldn't that be eth0?  zero, not oh.  Don't know if that typo might
contribute to your problem.

---
From: Robert K Coffman Jr - Info From Data Corporation 
Subject: RE: [leaf-user] Bering on a Compaq2266
One thing to try is take a 1.44MB floppy, run syslinux on it, and put a copy
of the kernel on there from the Bering disk.  Then boot with it - that
should tell you if it's a floppy drive problem or if the kernel has a problem
with your Cyrix chip... It will crash with no packages but at least you can
see if you get past the boot failed message.  If you succeed, throw another
floppy drive in there or boot from CD as someone suggested.


I'll give it a try.  I also need to check my Tom's RootBoot diskette and
see what size it is.

HP/Compaq tells me I have to go to one of their service centers for
anything like swapping the CPU with a classic Pentium, they won't tell me
what the missing silkscreen for the jumper settings would have shown. 
B**s!  Unfortunately the extended curved front bezel for this case
means the floppy drive has a big extended unload button, and its
attachment to the drive itself is different.  I'm beginning to see why
people curse Compaq.


Paul Rogers  ([EMAIL PROTECTED])
http://www.xprt.net/~pgrogers/
http://www.angelfire.com/or/paulrogers/
Rogers' Second Law: Everything you do communicates.
(I do not personally endorse any additions after this line. TANSTAAFL 
:-)





[leaf-user] Re: leaf-user digest, Vol 1 #2119 - 15 msgs

2003-12-24 Thread Paul G Rogers
From: Lynn Avants [EMAIL PROTECTED]
Subject: Re: [leaf-user] Bering with Shorewall compromised ?

I don't imagine a router would be much fun to compromise for the work you
would have to put in. It would be a lot more fun and far easier just to
hijack access to a client host through an IM channel on your favorite
messenger or exploit a server.

I just read a warning about Cisco routers in the trade press, but I
didn't pay any attention since my router is LEAF/Bering, or before that
FreeSCO.  Somebody must have found it profitable.  But I think you're
right--there are more script kiddies out there who can break a
client/server machine than a router.


Paul Rogers  ([EMAIL PROTECTED])
http://www.xprt.net/~pgrogers/
http://www.angelfire.com/or/paulrogers/
Rogers' Second Law: Everything you do communicates.
(I do not personally endorse any additions after this line. TANSTAAFL 
:-)





Re: [leaf-user] Bering with Shorewall compromised ?

2003-12-23 Thread Paul G Rogers
From: Lynn Avants [EMAIL PROTECTED]

To my knowledge, no LEAF box has ever been compromised.
If there have been any compromises, there has never been any
proof that indicated as such.
-- 
~Lynn Avants
Linux Embedded Appliance Firewall Developer

Thanks for a chuckle.  It reminds me of when I read about a CEO bragging,
"There has never been an undiscovered bug in our code."  That's not what
you're saying, of course.

Paul Rogers  ([EMAIL PROTECTED])
http://www.xprt.net/~pgrogers/
http://www.angelfire.com/or/paulrogers/
Rogers' Second Law: Everything you do communicates.
(I do not personally endorse any additions after this line. TANSTAAFL 
:-)





Re: [leaf-user] It would appear Bering needs this patch.

2003-12-03 Thread Paul G Rogers
From: Lynn Avants [EMAIL PROTECTED]
Subject: Re: [leaf-user] It would appear Bering needs this patch.

The only account (by default) is 'root', which means that LEAF-Bering isn't
(default) affected by this particular compromise unless you've added some
users that are allowed to login to the LEAF box. If they can login under 'root',
the compromise wouldn't need to be used.

I suppose you're right, I just get a little paranoid about getting
cracked.  No, I haven't created accounts, but I did put a password on
root once I noticed it wasn't asking for one.

Paul Rogers  ([EMAIL PROTECTED])
http://www.xprt.net/~pgrogers/
http://www.angelfire.com/or/paulrogers/
Rogers' Second Law: Everything you do communicates.
(I do not personally endorse any additions after this line. TANSTAAFL 
:-)





[leaf-user] It would appear Bering needs this patch.

2003-12-02 Thread Paul G Rogers
In case you didn't catch this.  (Granted, the idea of Bering is they
aren't supposed to get in so they could use it.)
---
Serious Linux Security Flaw Found
Tue Dec 2, 9:00 AM ET

/Robert McMillan, IDG News Service/

A serious vulnerability in the Linux 2.4 kernel has been discovered. The
flaw allows users on a Linux machine to gain unlimited access
privileges, according to a security advisory posted by developers of the
noncommercial Debian Linux distribution.

The bug affects versions of the Linux kernel prior to 2.4.23, and was
the method used during a recent attack on Debian's servers, according to
the advisory. In that attack four Linux servers that hosted Debian's bug
tracking system, mailing lists, and various Web pages were compromised.

The vulnerability can only be exploited by someone who has already been
given a user account on the Linux machine, and does not affect users of
every Linux system, said Linux creator Linus Torvalds in an e-mail
interview.

"It's a local-only compromise that you can't trigger from the outside,"
he said. "To most people, it would thus become serious only after you
had some account hacked into--the bug then allows elevation of
privileges."


Patching the Problem

The bug does not only affect Debian users, however. Any Linux user
running a version of the kernel prior to 2.4.23 should contact their
distribution provider to see whether a patch for the exploit has been
made available, Torvalds said.

The problem was discovered by Linux kernel developer Andrew Morton in
September, and was fixed in the 2.4.23 version of the kernel. Linux
distributors had been working to coordinate a release of a fix for the
problem, said Dave Wreski, chief executive officer with Guardian
Digital, the vendor of a secure Linux distribution.

"What all the hoopla is about is that Debian somehow let this patch
that's been available for a month or two slip and got bitten by it,"
said Wreski.

As of Monday, patches that corrected the kernel bug had been issued for
a number of Linux distributions, including Red Hat, Debian, and Mandrake
Linux.


Paul Rogers  ([EMAIL PROTECTED])
http://www.xprt.net/~pgrogers/
http://www.angelfire.com/or/paulrogers/
Rogers' Second Law: Everything you do communicates.
(I do not personally endorse any additions after this line. TANSTAAFL 
:-)





[leaf-user] Bering v1.0 pppd didn't poff after idle expired

2003-11-17 Thread Paul G Rogers
Too bad, there's another issue I noticed with pppd.  I haven't checked in
v1.2 yet, and I don't know if this is the right place to report it, but I
did notice another issue with pppd: it didn't always terminate the link
after the idle period expired.  If that wasn't fixed it's probably still
an issue.  It might be a Shorewall interaction, because I think I once
read somewhere that activity from the net zone could keep the timer alive
after the local zone had shutdown.

Paul Rogers  ([EMAIL PROTECTED])
http://www.xprt.net/~pgrogers/
http://www.angelfire.com/or/paulrogers/
Rogers' Second Law: Everything you do communicates.
(I do not personally endorse any additions after this line. TANSTAAFL 
:-)

On Sun, 16 Nov 2003 20:12:09 -0800
[EMAIL PROTECTED] writes:
Subject: Re: [leaf-user] Re: Bering 1.0 - 1.2 Upgrade (continues) 1/2
From: Lynn Avants [EMAIL PROTECTED]

Ok, I just looked far enough to see a PAP-failure authentication error on
every subsequent attempt to reconnect. I'm not a PPP expert, but I thought
this might narrow the possibilities.
-- 
~Lynn Avants
Linux Embedded Appliance Firewall Developer
http://leaf.sourceforge.net
http://guitarlynn.homelinux.org:81






[leaf-user] Re: leaf-user digest, Vol 1 #2053 - 12 msgs

2003-11-17 Thread Paul G Rogers
From: Luis.F.Correia [EMAIL PROTECTED]
Subject: RE: [leaf-user] Bering v1.0 pppd didn't poff after idle expired

Maybe you would want to look at the ppp-filter.lrp package.

Thanks for the reference.  I'll take a look at it.  I don't have much
room left on my floppy though.

When you set a ppp idle time, this package has the ability
to discard, for example, ICMP packets from that timer, thus
dropping the line when the timer expires.

I thought I remembered something like that mentioned somewhere.

Many providers keep pinging or scanning you, not intentionally,
and this behaviour keeps the line up. (and counting)

I'd say a lot of them are doing it intentionally. 


Paul Rogers  ([EMAIL PROTECTED])
http://www.xprt.net/~pgrogers/
http://www.angelfire.com/or/paulrogers/
Rogers' Second Law: Everything you do communicates.
(I do not personally endorse any additions after this line. TANSTAAFL 
:-)
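
The idle-timer behaviour discussed in this message, as an added example that is not part of the original posts: it replays one constructed packet timeline against three definitions of "activity" and reports when a 300-second idle timer would hang up. The timeline, the 300-second value and the function names are assumptions; pppd offers this kind of filtering through its `idle` and `active-filter` options when built with filter support, and whether ppp-filter.lrp relies on them is also an assumption.

```python
from collections import namedtuple

# t: seconds since the link came up; direction: "out" (LAN to net) or "in";
# proto: "tcp", "udp" or "icmp".
Packet = namedtuple("Packet", "t direction proto")


def any_packet(pkt):
    """No filter: every packet on the link resets the idle timer."""
    return True


def not_icmp(pkt):
    """Filter that keeps ICMP (pings) from counting as link activity."""
    return pkt.proto != "icmp"


def outbound_only(pkt):
    """Stricter filter: only traffic leaving the LAN counts as activity."""
    return pkt.direction == "out"


def hangup_time(packets, idle, is_activity, horizon):
    """Second at which the idle timer expires, or None if the link is
    still up when the observation window (`horizon`) ends."""
    last = 0  # time of the last packet that counted as activity
    for pkt in sorted(packets, key=lambda p: p.t):
        if pkt.t > horizon:
            break
        if pkt.t - last >= idle:
            return last + idle  # timer ran out before this packet arrived
        if is_activity(pkt):
            last = pkt.t
    expiry = last + idle
    return expiry if expiry <= horizon else None


def sample_timeline():
    """Constructed traffic: two minutes of browsing, then only noise."""
    pkts = []
    for t in range(0, 120, 10):                 # user traffic, last out at 110 s
        pkts.append(Packet(t, "out", "tcp"))
        pkts.append(Packet(t + 1, "in", "tcp"))
    pkts.append(Packet(400, "in", "tcp"))       # one unsolicited inbound probe
    pkts += [Packet(t, "in", "icmp")            # a ping from the net every minute
             for t in range(180, 3601, 60)]
    return pkts


if __name__ == "__main__":
    for name, rule in (("any packet", any_packet),
                       ("ignore ICMP", not_icmp),
                       ("outbound only", outbound_only)):
        when = hangup_time(sample_timeline(), 300, rule, 3600)
        print(f"{name:14s} -> {'still up after an hour' if when is None else f'hangs up at {when} s'}")
```

Ignoring ICMP alone still lets the single inbound TCP probe extend the call; only counting LAN-originated traffic ties the timer to what the local users are doing.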





[leaf-user] Re: Bering 1.0 - 1.2 Upgrade (continues) 1/2

2003-11-16 Thread Paul G Rogers
No, Lynn, as you can see this first attempt to connect succeeded, and I
was on for an hour.  Now, I agree that since I got kicked off when four
echoes failed there's strong suspicion that something was going on at the
ISP PoP.  But all the subsequent attempts to reconnect failed (using the
same configuration!) until I rebooted.  Now that also casts some
suspicion on the Bering firewall as well.  After all, if Bering fumbled
the echo replies it might think the ISP was not responding.  Bering
terminated the link.  I don't know the details of the protocol exchanges
shown in the logs well enough to tell what's going on, except that the
UID wasn't corrupted.  Thought one of the experts might spot something.

Nov 15 09:55:29 foxfire pppd[12823]: Starting link
Nov 15 09:55:58 foxfire pppd[12823]: Serial connection established.
Nov 15 09:55:58 foxfire pppd[12823]: using channel 1
Nov 15 09:55:58 foxfire pppd[12823]: Connect: ppp0 -- /dev/ttyS1
Nov 15 09:55:59 foxfire pppd[12823]: sent [LCP ConfReq id=0x1 mru 576
asyncmap 0x0 magic 0x8a6091e6 pcomp accomp]
Nov 15 09:55:59 foxfire pppd[12823]: rcvd [LCP ConfReq id=0x1  00 04 00
00 mru 1524 asyncmap 0xa auth pap pcomp accomp mrru 1524
endpoint [local:6d.61.78.2d.70.64.78]  17 04 6f 01]
Nov 15 09:55:59 foxfire pppd[12823]: sent [LCP ConfRej id=0x1  00 04 00
00 mrru 1524  17 04 6f 01]
Nov 15 09:55:59 foxfire pppd[12823]: rcvd [LCP ConfAck id=0x1 mru 576
asyncmap 0x0 magic 0x8a6091e6 pcomp accomp]
Nov 15 09:55:59 foxfire pppd[12823]: rcvd [LCP ConfReq id=0x2 mru 1524
asyncmap 0xa auth pap pcomp accomp endpoint
[local:6d.61.78.2d.70.64.78]]
Nov 15 09:55:59 foxfire pppd[12823]: sent [LCP ConfAck id=0x2 mru 1524
asyncmap 0xa auth pap pcomp accomp endpoint
[local:6d.61.78.2d.70.64.78]]
Nov 15 09:55:59 foxfire pppd[12823]: sent [LCP EchoReq id=0x0
magic=0x8a6091e6]
Nov 15 09:55:59 foxfire pppd[12823]: sent [PAP AuthReq id=0x1
user=[EMAIL PROTECTED] password=hidden]
Nov 15 09:55:59 foxfire pppd[12823]: rcvd [LCP EchoRep id=0x0 magic=0x0]
Nov 15 09:55:59 foxfire pppd[12823]: rcvd [PAP AuthAck id=0x1 ]
Nov 15 09:55:59 foxfire pppd[12823]: sent [IPCP ConfReq id=0x1 addr
0.0.0.0 compress VJ 0f 01]
Nov 15 09:55:59 foxfire pppd[12823]: rcvd [IPCP ConfReq id=0x1 compress
VJ 0f 01 addr 209.102.126.5]
Nov 15 09:55:59 foxfire pppd[12823]: sent [IPCP ConfAck id=0x1 compress
VJ 0f 01 addr 209.102.126.5]
Nov 15 09:55:59 foxfire pppd[12823]: rcvd [CCP ConfReq id=0x1  11 05 00
01 04]
Nov 15 09:55:59 foxfire pppd[12823]: sent [CCP ConfReq id=0x1]
Nov 15 09:55:59 foxfire pppd[12823]: sent [CCP ConfRej id=0x1  11 05 00
01 04]
Nov 15 09:55:59 foxfire pppd[12823]: rcvd [IPCP ConfNak id=0x1 addr
209.102.126.143]
Nov 15 09:55:59 foxfire pppd[12823]: sent [IPCP ConfReq id=0x2 addr
209.102.126.143 compress VJ 0f 01]
Nov 15 09:56:00 foxfire pppd[12823]: rcvd [CCP ConfRej id=0x1]
Nov 15 09:56:00 foxfire pppd[12823]: rcvd [CCP ConfReq id=0x2  11 06 00
01 01 03]
Nov 15 09:56:00 foxfire pppd[12823]: sent [CCP ConfReq id=0x2]
Nov 15 09:56:00 foxfire pppd[12823]: sent [CCP ConfRej id=0x2  11 06 00
01 01 03]
Nov 15 09:56:00 foxfire pppd[12823]: rcvd [IPCP ConfAck id=0x2 addr
209.102.126.143 compress VJ 0f 01]
Nov 15 09:56:00 foxfire pppd[12823]: Local IP address changed to
209.102.126.143
Nov 15 09:56:00 foxfire pppd[12823]: Remote IP address changed to
209.102.126.5
Nov 15 09:56:00 foxfire pppd[12823]: Cannot determine ethernet address
for proxy ARP
Nov 15 09:56:00 foxfire pppd[12823]: sent [IP data] 45 1b 00 40 b2 00 40
00 ...
Nov 15 09:56:00 foxfire pppd[12823]: Script /etc/ppp/ip-up started (pid
11853)
Nov 15 09:56:00 foxfire pppd[12823]: rcvd [CCP ConfRej id=0x2]
Nov 15 09:56:00 foxfire pppd[12823]: Script /etc/ppp/ip-up finished (pid
11853), status = 0x100


Paul Rogers  ([EMAIL PROTECTED])
http://www.xprt.net/~pgrogers/
http://www.angelfire.com/or/paulrogers/
Rogers' Second Law: Everything you do communicates.
(I do not personally endorse any additions after this line. TANSTAAFL 
:-)





[leaf-user] Re: Bering 1.0 -1.2 upgrade (continues) 2/2

2003-11-15 Thread Paul G Rogers
(Sorry, this client has size limitations and it just wouldn't put any
more in that message.)

==messages
Nov 15 09:48:58 foxfire syslogd 1.3-3#31.slink1: restart.
Nov 15 09:48:58 foxfire kernel: klogd 1.3-3#31.slink1, log source =
/proc/kmsg started.
Nov 15 09:48:58 foxfire kernel: No module symbols loaded.
Nov 15 09:48:58 foxfire kernel: BIOS-provided physical RAM map: 
Nov 15 09:48:58 foxfire kernel: 32MB LOWMEM available. 
Nov 15 09:48:58 foxfire kernel: Initializing CPU#0 
Nov 15 09:48:58 foxfire kernel: Memory: 30128k/32768k available (948k
kernel code, 2252k reserved, -1176k data, 64k init, 0k highmem) 
Nov 15 09:48:58 foxfire kernel: Dentry cache hash table entries: 4096
(order: 3, 32768 bytes) 
Nov 15 09:48:58 foxfire kernel: Inode cache hash table entries: 2048
(order: 2, 16384 bytes) 
Nov 15 09:48:58 foxfire kernel: Intel Pentium with F0 0F bug - workaround
enabled. 
Nov 15 09:48:58 foxfire kernel: Checking 'hlt' instruction... OK. 
Nov 15 09:48:58 foxfire kernel: PCI: PCI BIOS revision 2.10 entry at
0xfc1e0, last bus=0 
Nov 15 09:48:58 foxfire kernel: PCI: Using configuration type 1 
Nov 15 09:48:58 foxfire kernel: PCI: Probing PCI hardware 
Nov 15 09:48:58 foxfire kernel: Linux NET4.0 for Linux 2.4 
Nov 15 09:48:58 foxfire kernel: Based upon Swansea University Computer
Society NET3.039 
Nov 15 09:48:58 foxfire kernel: Serial driver version 5.05c (2001-07-08)
with MANY_PORTS SHARE_IRQ DETECT_IRQ SERIAL_PCI enabled 
Nov 15 09:48:58 foxfire kernel: ttyS00 at 0x03f8 (irq = 4) is a 16550A 
Nov 15 09:48:58 foxfire kernel: ttyS01 at 0x02f8 (irq = 3) is a 16550A 
Nov 15 09:48:58 foxfire kernel: Real Time Clock Driver v1.10e 
Nov 15 09:48:58 foxfire kernel: Software Watchdog Timer: 0.05, timer
margin: 60 sec 
Nov 15 09:48:58 foxfire kernel: Floppy drive(s): fd0 is 1.44M 
Nov 15 09:48:58 foxfire kernel: FDC 0 is an 8272A 
Nov 15 09:48:58 foxfire kernel: NET4: Linux TCP/IP 1.0 for NET4.0 
Nov 15 09:48:58 foxfire kernel: IP Protocols: ICMP, UDP, TCP, IGMP 
Nov 15 09:48:58 foxfire kernel: IP: routing cache hash table of 512
buckets, 4Kbytes 
Nov 15 09:48:58 foxfire kernel: TCP: Hash tables configured (established
2048 bind 2048) 
Nov 15 09:48:58 foxfire kernel: NET4: Unix domain sockets 1.0/SMP for
Linux NET4.0. 
Nov 15 09:48:58 foxfire kernel: RAMDISK: Compressed image found at block
0 
Nov 15 09:48:58 foxfire kernel: Freeing initrd memory: 401k freed 
Nov 15 09:48:58 foxfire kernel: Freeing unused kernel memory: 64k freed 
Nov 15 09:48:59 foxfire kernel: 3c509.c:1.19 16Oct2002 [EMAIL PROTECTED] 
Nov 15 09:48:59 foxfire kernel: http://www.scyld.com/network/3c509.html 
Nov 15 09:48:59 foxfire kernel: CSLIP: code copyright 1989 Regents of the
University of California 
Nov 15 09:49:00 foxfire kernel: PPP generic driver version 2.4.2 
Nov 15 09:49:19 foxfire root: Shorewall Started
Nov 15 09:55:30 foxfire chat[6080]: abort on (BUSY)
Nov 15 09:55:30 foxfire chat[6080]: abort on (NO CARRIER)
Nov 15 09:55:30 foxfire chat[6080]: abort on (VOICE)
Nov 15 09:55:30 foxfire chat[6080]: abort on (NO DIALTONE)
Nov 15 09:55:30 foxfire chat[6080]: abort on (NO ANSWER)
Nov 15 09:55:30 foxfire chat[6080]: send (ATF1E1U14N24L3^M)
Nov 15 09:55:30 foxfire chat[6080]: expect (OK)
Nov 15 09:55:30 foxfire chat[6080]: ATF1E1U14N24L3^M^M
Nov 15 09:55:30 foxfire chat[6080]: OK
Nov 15 09:55:30 foxfire chat[6080]:  -- got it 
Nov 15 09:55:30 foxfire chat[6080]: send (ATDT5036240558#^M)
Nov 15 09:55:31 foxfire chat[6080]: expect (CONNECT)
Nov 15 09:55:31 foxfire chat[6080]: ^M
Nov 15 09:55:58 foxfire chat[6080]: ATDT5036240558#^M^M
Nov 15 09:55:58 foxfire chat[6080]: CONNECT
Nov 15 09:55:58 foxfire chat[6080]:  -- got it 
Nov 15 09:55:58 foxfire chat[6080]: send (^M)
Nov 15 10:59:05 foxfire chat[8378]: abort on (BUSY)
Nov 15 10:59:05 foxfire chat[8378]: abort on (NO CARRIER)
Nov 15 10:59:05 foxfire chat[8378]: abort on (VOICE)
Nov 15 10:59:05 foxfire chat[8378]: abort on (NO DIALTONE)
Nov 15 10:59:05 foxfire chat[8378]: abort on (NO ANSWER)
Nov 15 10:59:05 foxfire chat[8378]: send (ATF1E1U14N24L3^M)
Nov 15 10:59:06 foxfire chat[8378]: expect (OK)
Nov 15 10:59:06 foxfire chat[8378]: ATF1E1U14N24L3^M^M
Nov 15 10:59:06 foxfire chat[8378]: OK
Nov 15 10:59:06 foxfire chat[8378]:  -- got it 
Nov 15 10:59:06 foxfire chat[8378]: send (ATDT5036240558#^M)
Nov 15 10:59:06 foxfire chat[8378]: expect (CONNECT)
Nov 15 10:59:06 foxfire chat[8378]: ^M
Nov 15 10:59:33 foxfire chat[8378]: ATDT5036240558#^M^M
Nov 15 10:59:33 foxfire chat[8378]: CONNECT
Nov 15 10:59:33 foxfire chat[8378]:  -- got it 
Nov 15 10:59:33 foxfire chat[8378]: send (^M)
Nov 15 10:59:37 foxfire chat[14573]: abort on (BUSY)
Nov 15 10:59:37 foxfire chat[14573]: abort on (NO CARRIER)
Nov 15 10:59:37 foxfire chat[14573]: abort on (VOICE)
Nov 15 10:59:37 foxfire chat[14573]: abort on (NO DIALTONE)
Nov 15 10:59:37 foxfire chat[14573]: abort on (NO ANSWER)
Nov 15 10:59:37 foxfire chat[14573]: send (ATF1E1U14N24L3^M)
Nov 15 10:59:38 foxfire chat[14573]: expect (OK)
Nov 15 10:59:38 foxfire 

[leaf-user] Re: Bering 1.0 - 1.2 Upgrade (continues) 1/2

2003-11-15 Thread Paul G Rogers
Thanks to Richard Doyle I think I finally identified the final
customizations that allowed me to connect to my Bering firewall, and then
it connected to the ISP.  Today I was on for an hour, then echo losses
shut it down.  I tried many times to reconnect using the browser client,
all failed.  I don't have access to the ISP's logs so I can match-up what
it thought was wrong.  But between 11:05-11:20 you'll see time gaps in
daemon.log where I continued to try, and Firebird just timed-out, so I
kept going back to the weblet to check on the logs, but none of those
connection attempts show up in the logs.  (Using demand ppp
connection.)  After a few minutes break I grabbed these files then
rebooted the firewall, and then everything worked again.

One would think if it were line problems one of the many reconnect
attempts would have gotten through.  And I notice in the daemon.log
sometimes ppp sent the AuthReq UID string once, twice, or 9 times!

Questions: 1) I'm wondering if something in the sign-on could have been
corrupted.  Any way to get more information about the causes of the
failures? 2) Why weren't the subsequent attempts to connect logged?

==Files:
==version:
Linux foxfire 2.4.20 #1 Sun May 11 18:53:34 CEST 2003 i586 unknown

==route:
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.254 

==address:
1: lo: LOOPBACK,UP mtu 16436 qdisc noqueue 
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: dummy0: BROADCAST,NOARP mtu 1500 qdisc noop 
link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
3: eth0: BROADCAST,MULTICAST,UP mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:60:97:22:82:7d brd ff:ff:ff:ff:ff:ff
inet 192.168.1.254/24 brd 192.168.1.255 scope global eth0

==daemon.log
Nov 15 09:49:03 foxfire pppd[12823]: pppd 2.4.1 started by root, uid 0
Nov 15 09:49:03 foxfire pppd[12823]: Using interface ppp0
Nov 15 09:49:03 foxfire pppd[12823]: Cannot determine ethernet address
for proxy ARP
Nov 15 09:49:03 foxfire pppd[12823]: local  IP address 10.64.64.64
Nov 15 09:49:03 foxfire pppd[12823]: remote IP address 10.112.112.112
Nov 15 09:49:05 foxfire init: Entering runlevel: 2
Nov 15 09:54:10 foxfire sh-httpd[1620]: connect from 192.168.1.102
Nov 15 09:54:10 foxfire sh-httpd[9614]: connect from 192.168.1.102
Nov 15 09:54:11 foxfire sh-httpd[19375]: connect from 192.168.1.102
Nov 15 09:54:13 foxfire sh-httpd[13767]: connect from 192.168.1.102
Nov 15 09:54:36 foxfire sh-httpd[23729]: connect from 192.168.1.102
Nov 15 09:54:38 foxfire sh-httpd[3937]: connect from 192.168.1.102
Nov 15 09:54:48 foxfire sh-httpd[25265]: connect from 192.168.1.102
Nov 15 09:54:51 foxfire sh-httpd[22749]: connect from 192.168.1.102
Nov 15 09:54:52 foxfire sh-httpd[17582]: connect from 192.168.1.102
Nov 15 09:55:23 foxfire sh-httpd[23642]: connect from 192.168.1.102
Nov 15 09:55:29 foxfire pppd[12823]: Starting link
Nov 15 09:55:58 foxfire pppd[12823]: Serial connection established.
Nov 15 09:55:58 foxfire pppd[12823]: using channel 1
Nov 15 09:55:58 foxfire pppd[12823]: Connect: ppp0 -- /dev/ttyS1
Nov 15 09:55:59 foxfire pppd[12823]: sent [LCP ConfReq id=0x1 mru 576
asyncmap 0x0 magic 0x8a6091e6 pcomp accomp]
Nov 15 09:55:59 foxfire pppd[12823]: rcvd [LCP ConfReq id=0x1  00 04 00
00 mru 1524 asyncmap 0xa auth pap pcomp accomp mrru 1524
endpoint [local:6d.61.78.2d.70.64.78]  17 04 6f 01]
Nov 15 09:55:59 foxfire pppd[12823]: sent [LCP ConfRej id=0x1  00 04 00
00 mrru 1524  17 04 6f 01]
Nov 15 09:55:59 foxfire pppd[12823]: rcvd [LCP ConfAck id=0x1 mru 576
asyncmap 0x0 magic 0x8a6091e6 pcomp accomp]
Nov 15 09:55:59 foxfire pppd[12823]: rcvd [LCP ConfReq id=0x2 mru 1524
asyncmap 0xa auth pap pcomp accomp endpoint
[local:6d.61.78.2d.70.64.78]]
Nov 15 09:55:59 foxfire pppd[12823]: sent [LCP ConfAck id=0x2 mru 1524
asyncmap 0xa auth pap pcomp accomp endpoint
[local:6d.61.78.2d.70.64.78]]
Nov 15 09:55:59 foxfire pppd[12823]: sent [LCP EchoReq id=0x0
magic=0x8a6091e6]
Nov 15 09:55:59 foxfire pppd[12823]: sent [PAP AuthReq id=0x1
user=[EMAIL PROTECTED] password=hidden]
Nov 15 09:55:59 foxfire pppd[12823]: rcvd [LCP EchoRep id=0x0 magic=0x0]
Nov 15 09:55:59 foxfire pppd[12823]: rcvd [PAP AuthAck id=0x1 ]
Nov 15 09:55:59 foxfire pppd[12823]: sent [IPCP ConfReq id=0x1 addr
0.0.0.0 compress VJ 0f 01]
Nov 15 09:55:59 foxfire pppd[12823]: rcvd [IPCP ConfReq id=0x1 compress
VJ 0f 01 addr 209.102.126.5]
Nov 15 09:55:59 foxfire pppd[12823]: sent [IPCP ConfAck id=0x1 compress
VJ 0f 01 addr 209.102.126.5]
Nov 15 09:55:59 foxfire pppd[12823]: rcvd [CCP ConfReq id=0x1  11 05 00
01 04]
Nov 15 09:55:59 foxfire pppd[12823]: sent [CCP ConfReq id=0x1]
Nov 15 09:55:59 foxfire pppd[12823]: sent [CCP ConfRej id=0x1  11 05 00
01 04]
Nov 15 09:55:59 foxfire pppd[12823]: rcvd [IPCP ConfNak id=0x1 addr
209.102.126.143]
Nov 15 09:55:59 foxfire pppd[12823]: sent [IPCP ConfReq id=0x2 addr
209.102.126.143 compress VJ 0f 01]
Nov 15 09:56:00 foxfire pppd[12823]: rcvd [CCP 

[leaf-user] Re: Bering 1.0 1.2 upgrade

2003-11-13 Thread Paul G Rogers
From: Richard Doyle [EMAIL PROTECTED]
 customizing v1.2 a snap, if I started by making them the same.
One would think so. I've just switched to a Bering 1.2 firewall running
on an old portable with a dial-out connection, so it _is_ possible.

I expect so.

Look to
http://sourceforge.net/docman/display_doc.php?docid=1433&group_id=13751
on using ping to debug firewall problems. It sounds like you were

Can't get there from here now, but I'll try to check it out later.  If I
got the interfaces section right I'd expect it to react to a ping,
because I wouldn't expect the Shorewall default to block them.

pinging the firewall from a Windows host attached to the internal
interface of the firewall. Is that the case?

Right.  100% failure.

The 10.x.x.x addresses are defaults, used before a connection is
established. ppp0 will get real IPs from your ISP when the connection is
established.

The daemon.log for 1.0 doesn't mention that before a connection is
established.

You don't have any compression/deflation Modules, but that shouldn't be
a cause for concern at this point.

Would that be for doing s/w compression on the modem?  That would help. 
I've tested all my 56K modems on my lines in the firewall, and the best
of them can only get 37,333baud with any reliability.

 Shorewall status:
snip lots of 0 packet counts
Nothing enters the box on either interface. Run ip -s link show eth0
and ip -s link show ppp0 to see total packet counts

I'll try later, and report.  

[OK, see below.]

Nothing here seems unexpected.

It is odd that your Bering box isn't responding to pings aimed at its
internal interface, since you say that the same hardware, in the same
configuration works with a Bering 1.0 diskette. What happens when you
ping the internal computer from the Bering box? Observe the lights on

I tried that once, and IIRC Shorewall complained.  

[Damn, forgot to check this again.]

both NICs when you ping the Bering box from the other computer, and when
you ping the other computer from the Bering box.

Uhh, I don't think these 3C509B's have leds, and they certainly aren't
easy to get to!

As to the external interface, the problem could be in your Shorewall or
PPP configuration, or something else (tm).  You might want to post your

You mean trying pon/poff commands--I can't get there yet from the client
browser.

[I tried 'pon provider' and it didn't try to dial out.]

/etc/network/interfaces file and your ppp configuration files, with
username and passwords obscured. Shorewall usually loads late in the
boot process; look at the messages that scroll by right before you get
the login prompt. Anything odd?

Not that I can tell.  Thought that's what 'shorewall status' would tell.



[OK, let's see what else I got this evening.  You can see my 'chicken
tracks']

# /etc/hosts.allow: list of hosts that are allowed to access the system. See
#   hosts_access(5) and /usr/doc/net/portmapper.txt
#
# Example:ALL: LOCAL @some_netgroup
# ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
#
# Allow anything from the local net
ALL: 192.168.1.0/255.255.255.0

# /etc/hosts.deny: list of hosts that are _not_ allowed to access the system.
#  See hosts_access(5) and /usr/doc/net/portmapper.txt
#
# Example:ALL: some.host.name, .some.domain
# ALL EXCEPT in.fingerd: other.host.name, .other.domain
#
# The PARANOID wildcard matches any host whose name does not match its
# address.
ALL: PARANOID
# Prevent all access not explicitly allowed in hosts.allow
ALL: ALL

#PGR was here
# /etc/network/interfaces -- configuration file for LEAF network
# J. Nilo, April 2002
#
# Loopback interface.
auto lo
iface lo inet loopback

# Step 1: configure external interface
# uncomment/adjust one of the following 4 options
# Option 1.1 (default): eth0 / dynamic IP from pump/dhclient
#auto eth0
#iface eth0 inet dhcp
#
# Option 1.2: eth0 / Fixed IP (assumed to be 1.2.3.4). 
#   (broadcast/gateway optional)
#auto eth0
#iface eth0 inet static  
#   address 1.2.3.4
#   masklen 24
#   broadcast 1.2.3.255
#   gateway 1.2.3.1
# 
# Option 1.3: PPP/PPPOE (modem connected to eth0) 
#auto ppp0 
#iface ppp0 inet ppp
#   pre-up ip link set eth0 up
#   provider dsl-provider eth0
# 
# Option 1.4: PPP modem
# PGR: enabled
auto ppp0
iface ppp0 inet ppp
provider provider

# Step 2: configure  internal interface
# Default: eth1 / fixed IP = 192.168.1.254
# PGR: eth0 not 1
auto eth0
iface eth0 inet static
address 192.168.1.254
masklen 24
broadcast 192.168.1.255

# Step 3 (optionnal): configure DMZ
# Default: eth2 / fixed IP = 192.168.1.100
#auto eth2
#iface eth2 inet static
#   address 192.168.1.100
#   masklen 24
#   broadcast 192.168.1.255

# Step 4 (optionnal): configure a bridge
#auto br0
#iface br0 inet static
#   address 192.168.1.254
#   masklen 24
#   broadcast 192.168.1.255
#   bridge_ports all


[leaf-user] Bering 1.0 1.2 upgrade

2003-11-12 Thread Paul G Rogers
I'm trying to customize Bering 1.2 to replace a 1.0 dialup firewall I've
been using.  I've put both on side-by-side computers and been through the
lrconfig files one by one.  As far as I can tell I've got everything set
straight.  Now I can't ping it.  One thing I found is in
/var/log/daemon.log I see pppd is reporting the local IP is 10.64.64.64
and remote is 10.112.112.112.  Where is that coming from?  I'm _sure_
every place I've seen it's still set to 192.168.1.254!  The one thing I
did try differently is in ppp options I set several  ppp0 zone options
for RFC1918,  (IIRC), mangled packets, etc.  In the v1.0 config no
options were set.  Could that be where it's coming from?  It sure isn't
in the interfaces file.

Paul Rogers  ([EMAIL PROTECTED])
http://www.xprt.net/~pgrogers/
http://www.angelfire.com/or/paulrogers/
Rogers' Second Law: Everything you do communicates.
(I do not personally endorse any additions after this line. TANSTAAFL 
:-)





Re: [leaf-user] Bering 1.0 1.2 upgrade

2003-11-12 Thread Paul G Rogers
From: Richard Doyle [EMAIL PROTECTED]
Date: Wed, 12 Nov 2003 08:55:40 -0800

On Tue, 2003-11-11 at 22:55, Paul G Rogers wrote:
 I'm trying to customize Bering 1.2 to replace a 1.0 dialup firewall I've
 been using.  I've put both on side-by-side computers and been through the
 lrconfig files one by one.  As far as I can tell I've got everything set
 straight.  Now I can't ping it.  One thing I found is in...
...8...

Please follow How do I request help at 
http://sourceforge.net/docman/display_doc.php?docid=1891&group_id=13751

Got that now, I think.  Sorry, I thought having v1.0 running would make
customizing v1.2 a snap, if I started by making them the same.

Here's the first part of the problem:
(Once I can reach the firewall I'll probably find more.)
Pinging 192.168.1.254 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.1.254:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum =  0ms, Average =  0ms
==
When I use a v1.0 diskette in the firewall box then I can ping it with no
problem at all.  So it isn't a problem with the LAN or NIC.

OK, now for the status you asked for...
Version:
==
Linux foxfire 2.4.20 #1 Sun May 11 18:53:34 CEST 2003 i586 unknown
==
IP addresses:
==
1: lo: LOOPBACK,UP mtu 16436 qdisc noqueue 
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: dummy0: BROADCAST,NOARP mtu 1500 qdisc noop 
link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
3: eth0: BROADCAST,MULTICAST,UP mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:20:af:d9:95:62 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.254/24 brd 192.168.1.255 scope global eth0
4: ppp0: POINTOPOINT,MULTICAST,NOARP,UP mtu 576 qdisc pfifo_fast qlen 3
link/ppp 
inet 10.64.64.64 peer 10.112.112.112/32 scope global ppp0
===
Hmmm, ppp should be getting an IP address from my ISP which would be
209.102.124.something.  I've never seen 10.anything with the v1.0 Bering
running.  (I changed the MTU/MRU to 576 because I once read that improved
performance.)
Maybe, modules next:
===
Module              Pages  Used by
ip_nat_irc           2176   0 (unused)
ip_nat_ftp           2784   0 (unused)
ip_conntrack_irc     2880   1
ip_conntrack_ftp     3648   1
ppp_async            6284   0 (unused)
ppp_generic         16152   1 [ppp_async]
slhc                 4352   0 [ppp_generic]
3c509                8484   1

Am I missing a ppp module?  Seems like I remember having to add an extra
module in v1.0.
Route next:

10.112.112.112 dev ppp0  proto kernel  scope link  src 10.64.64.64 
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.254 
default via 10.112.112.112 dev ppp0 

What's with this 10.112.112.112 again?  At this point I haven't made a
connection yet to the ISP.
Here's daemon.log:

Nov 12 15:36:03 foxfire pppd[25334]: pppd 2.4.1 started by root, uid 0
Nov 12 15:36:03 foxfire pppd[25334]: Using interface ppp0
Nov 12 15:36:03 foxfire pppd[25334]: Cannot determine ethernet address
for proxy ARP
Nov 12 15:36:03 foxfire pppd[25334]: local  IP address 10.64.64.64
Nov 12 15:36:03 foxfire pppd[25334]: remote IP address 10.112.112.112
Nov 12 15:36:04 foxfire init: Entering runlevel: 2

10 again.
I did leave some of the Shorewall options for unclean, RFC1918, 
tcpflags, on the ppp zone which I had removed in v1.0.
Shorewall status:

Shorewall-1.4.2 Status at foxfire - Wed Nov 12 15:37:45 UTC 2003

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target  prot  opt in  out  source      destination
    0     0 ACCEPT  all   --  *   *    0.0.0.0/0   0.0.0.0/0    state ESTABLISHED
    0     0 ACCEPT  udp   --  *   *    0.0.0.0/0   0.0.0.0/0    udp dpt:53
    0     0 DROP    !icmp --  *   *    0.0.0.0/0   0.0.0.0/0    state INVALID
    0     0 ACCEPT  all   --  lo  *    0.0.0.0/0   0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target  prot  opt in  out  source      destination
    0     0 ACCEPT  all   --  *   *    0.0.0.0/0   0.0.0.0/0    state ESTABLISHED
    0     0 ACCEPT  udp   --  *   *    0.0.0.0/0   0.0.0.0/0    udp dpt:53
    0     0 DROP    !icmp --  *   *    0.0.0.0/0   0.0.0.0/0    state INVALID
    0     0 TCPMSS  tcp   --  *   *    0.0.0.0/0   0.0.0.0/0    tcp flags:0x06/0x02 TCPMSS clamp to PMTU

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target  prot  opt in  out  source      destination
0 0 ACCEPT all  --  *  *   0.0.0.0/0

[leaf-user] Re: leaf-user digest, Vol 1 #1818 - 15 msgs

2003-06-09 Thread Paul G Rogers
IMO this is great information, and should be put in the official Bering
Reference Manual.

Paul Rogers  ([EMAIL PROTECTED])
http://www.xprt.net/~pgrogers/
http://www.angelfire.com/or/paulrogers/
Rogers' Second Law: Everything you do communicates.
(I do not personally endorse any additions after this line. TANSTAAFL 
:-)

On Sun, 08 Jun 2003 15:48:04 -0700
[EMAIL PROTECTED] writes:
Subject: Re: [leaf-user] Edit Bering Config files Offline
From: David M Brooke [EMAIL PROTECTED]

It may not be obvious from the name, but an LRP package file is just a
regular gzip'ed tar file, which you can unpack into a directory
structure and edit before re-creating the LRP package file.

If your other machine is running Linux, you can mount the disk as user
'root' under a temporary directory (e.g. /mnt/tmp - create this if it
doesn't already exist) using a command like mount -t msdos
/dev/fd0u1680 /mnt/tmp

You can then unpack the contents of e.g. etc.lrp with a command like
tar -zxvf /mnt/tmp/etc.lrp which will create a new directory etc in
the current directory containing the contents of the Bering /etc
directory.

Re-creating the LRP file once you've made the changes is mostly just the
reverse of the above (e.g. tar -zcvf /mnt/tmp/etc.lrp  etc). I seem to
recall that the maximum possible compression is used for LRP files to
make as much as possible fit onto a floppy disk, but presumably if you
don't do that it will get corrected next time you write the file from
LRCFG. Don't forget to umount /mnt/tmp before ejecting the disk.

If your other machine is running Windows then I think it's possible to
use WinZip to read .tar.gz files, but you may have to rename them as
such first. I'm not sure if WinZip can create a .tar.gz file though.


-- 
David M Brooke [EMAIL PROTECTED]

--__--__--

From: eric wolzak [EMAIL PROTECTED]
To: Simon Chalk [EMAIL PROTECTED],


# all steps in one liners ;)
mkdir /temp
mount -t msdos /dev/fd0u1680  /mnt
cp /mnt/etc.lrp  /temp
cd /temp
tar -xzf  etc.lrp
rm etc.lrp
# can be easier but more dangerous. don't leave etc.lrp in temp, otherwise it
# will be packaged in the new etc.lrp

#now edit your files
cd .
edit 

#if ready  move back to temp
cd /temp
#tar all your files and the subdirectories to etc.tar
tar -cf etc.tar  *
# zip the tar file this will create etc.tar.gz
gzip etc.tar
# rename etc.tar.gz back
mv etc.tar.gz  etc.lrp
# check the size for security reasons
ls -l etc.lrp
# and compare with the original and free disk space
ls -l /mnt
# if ok
mv etc.lrp /mnt
# clean up
cd /
rm /temp -rf
umount /mnt
# wait till everything is written back.
# of course you can tar and zip as a one pipe process.

btw if you can edit etc.lrp from the boot disk, you also can edit the real
files in etc.lrp ;)
and back them up.
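
The unpack, edit and repack procedure from the two quoted posts above, as an added shell example that is not part of the original messages or of LEAF. The function names `lrp_unpack` and `lrp_repack` and their return codes are assumptions made for illustration; the checks are the ones the posts name: keep the old package out of the new one, use maximum compression, and compare the size with the free space before writing.

```shell
#!/bin/sh
# Added example (not LEAF code): edit an LRP package offline and write it
# back only after the checks from the thread pass. Names are illustrative.

# Unpack package PKG into directory WORK.
lrp_unpack() {
    pkg=$1; work=$2
    gzip -t "$pkg" || return 1                 # corrupt gzip stream: stop
    mkdir -p "$work" || return 1
    gzip -dc "$pkg" | tar -xf - -C "$work"
}

# Repack WORK and write it to DEST/NAME (for example /mnt and etc.lrp).
# Returns 1 on archive errors, 2 if it will not fit, 3 on a stray package.
lrp_repack() {
    work=$1; dest=$2; name=$3
    # A copy of the package left in WORK would be packed into the new one.
    if [ -e "$work/$name" ]; then return 3; fi
    scratch=$(mktemp -d) || return 1
    new=$scratch/$name                         # built outside WORK
    # Same member names as "tar -cf etc.tar *" in the thread.
    if ! (cd "$work" && tar -cf "$scratch/pkg.tar" *); then
        rm -rf "$scratch"; return 1
    fi
    gzip -9 -c "$scratch/pkg.tar" > "$new"     # maximum compression
    # Read the result back before trusting it.
    if ! gzip -t "$new"; then
        rm -rf "$scratch"; return 1
    fi
    # Free space on DEST plus the old package must cover the new one.
    need_kb=$(( ($(wc -c < "$new") + 1023) / 1024 ))
    avail_kb=$(df -Pk "$dest" | awk 'NR==2 {print $4}')
    old_kb=0
    if [ -f "$dest/$name" ]; then
        old_kb=$(( $(wc -c < "$dest/$name") / 1024 ))
    fi
    if [ $(( avail_kb + old_kb )) -lt "$need_kb" ]; then
        rm -rf "$scratch"; return 2
    fi
    cp "$new" "$dest/$name"; cp_rc=$?
    rm -rf "$scratch"
    return "$cp_rc"
}
```

With the floppy mounted on /mnt, `lrp_unpack /mnt/etc.lrp /tmp/work` followed by `lrp_repack /tmp/work /mnt etc.lrp` replaces the manual steps; unmount afterwards as the posts say.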







[leaf-user] Creeping featuritis.

2003-06-07 Thread Paul G Rogers
There was a bit of talk a few days ago about new options for the firewall
hits sorted by ip address, e.g. reverse DNS lookup.  Seems to me another
nice thing to have when we see one of these is behaving particularly
badly, would be click and add to banned list.  (But it's not more
important than still having everything fit on a floppy.)

Paul Rogers  ([EMAIL PROTECTED])
http://www.xprt.net/~pgrogers/
http://www.angelfire.com/or/paulrogers/
Rogers' Second Law: Everything you do communicates.
(I do not personally endorse any additions after this line. TANSTAAFL 
:-)





RE: [leaf-user] weblet extension version 2

2003-06-03 Thread Paul G Rogers
FWIW, I think that's a very useful addition for the standard
distribution.

Paul Rogers  ([EMAIL PROTECTED])
http://www.xprt.net/~pgrogers/
http://www.angelfire.com/or/paulrogers/
Rogers' Second Law: Everything you do communicates.
(I do not personally endorse any additions after this line. TANSTAAFL 
:-)
- Begin forwarded message --
From: Ken Marshall [EMAIL PROTECTED]
Subject: RE: [leaf-user] weblet extension version 2
Date: Mon, 2 Jun 2003 10:56:43 -0600
Organization: Black Mountain Software, Inc.

This actually got me playing around with this and I added one other thing
that I've wanted for a while: a link to whois for each IP address that gets
logged.  I changed the following section:


