Re: [Leaf-user] Help needed with portfw - Dachstein release
hi shane, a few thoughts:

1. before i got my firewall running, it was very useful to ssh in from a remote host. when you ssh to the external IP from a remote host, do you get your internal server, do you get the firewall or can you not connect at all? this might tell you whether the problem is in ipchains or port forwarding.

2. the electric kool-aid acid test: go onto your firewall. do:

   a. ipchains -F
   b. ipmasqadm portfw -f

   ok, now you have a tabula rasa.

   c. add a default gateway (route add default gw blah)
   d. use ipmasqadm to forward your ports

if you can't pass this test (and are confident in your knowledge of ipchains, ipmasqadm, route and ifconfig) then something is *seriously* wrong.

pete

begin Shane Veness [EMAIL PROTECTED]
> Hi Peter,
>
> Have tried all the settings you suggested etc. Everything discussed seems to be working, ie. ipmasqadm portfw -l and ipchains have all the right information. Do not know what else I can try?
>
> When I try to access the web site externally I get "Web Site Found, Waiting for reply", then it comes up with an internal server error, any thoughts?
>
> Thanks
> Shane
>
> -Original Message-
> From: Peter Jay Salzman [EMAIL PROTECTED]
> To: Shane Veness [EMAIL PROTECTED]
> Date: Sat, 5 Jan 2002 09:11:55 -0800
> Subject: Re: [Leaf-user] Help needed with portfw - Dachstein release
>
> hi shane,
>
> begin Shane Veness [EMAIL PROTECTED]
> > I am very new to LRP and have downloaded the latest Dachstein floppy release. I am trying to get to my internal web server from outside the network using port forwarding but am having no success. I have read through some of the mailing list, but this confuses me more. The firewall is running perfectly and I can get internet access from the clients inside the network.
> >
> > My settings are as follows -
> > eth0 - 196.33.41.70/28 (external ip)
> > eth1 - 192.6.31.252/24 (internal ip)
> >
> > I am trying to forward requests on 196.33.41.70:80 to 192.6.31.253:80
> >
> > do I need to run the command:
> > ipmasqadm portfw -a -P tcp -L 196.33.41.70 80 -R 192.6.31.253 80
>
> no -- you don't. dachstein will do this for you.
>
> one *big* word of advice. if everything looks good but portforwarding isn't working, don't forget to:
>
> 1. look at what port forwarding is already in place: ipmasqadm portfw -l
> 2. look at your hosts.deny and hosts.allow file.
> 3. look at ipchains -L to see exactly where the problem is.
>
> 3 might be difficult unless you're really comfortable with poring through ipchains entries (after more than a year and a half of using ipchains, i'm still not very good at it). but 1 and 2 should be easy enough.
>
> also, when you make changes to network.conf, don't forget to restart networking.
>
> /etc/init.d/network stop; /etc/init.d/network start
>
> i put it on one line in case you're working through an ssh connection from one of your internal machines. (otherwise, you lose the connection. that's already happened to me). i noticed that the init.d scripts don't have the standard restart directive.
>
> > # INTERN_SERVERS=tcp_196.33.41.70_80_192.6.31.253_80 (HAVE TRIED THIS!!!)
> >
> > # These lines use the primary external IP address...if you need to port-forward
> > # an aliased IP address, use the INTERN_SERVERS setting above
> > #INTERN_FTP_SERVER=192.168.1.1   # Internal FTP server to make available
> > INTERN_WWW_SERVER=192.6.31.253   # Internal WWW server to make available
> > #INTERN_SMTP_SERVER=192.168.1.1  # Internal SMTP server to make available
> > #INTERN_POP3_SERVER=192.168.1.1  # Internal POP3 server to make available
> > #INTERN_IMAP_SERVER=192.168.1.1  # Internal IMAP server to make available
> > #INTERN_SSH_SERVER=192.168.1.1   # Internal SSH server to make available
> > #EXTERN_SSH_PORT=24              # External port to use for internal SSH access
>
> comment: i currently use both INTERN_SERVERS and INTERN_X_SERVER. i don't really understand what the difference is between them. perhaps some kind soul on the list would care to comment on this?
>
> also -- did you open up holes in your firewall for the services? i think you do this with the EXTERN_ variables. here's what i have:
>
> # TCP services open to outside world
> # Space separated list: srcip/mask_dstport
> EXTERN_TCP_PORTS=0/0_ssh 0/0_www 0/0_smtp 169.237.105.80/0_123 128.115.14.97/0_123 0/0_1023 0/0_6346
>
> without defining the EXTERN_TCP_PORTS, your firewall will be willing to forward stuff to an internal server, but won't allow the packets to enter in the first place (bride waiting at the doors of the chapel, but the doors are locked...)
>
> pete

--
PGP Fingerprint: B9F1 6CF3 47C4 7CD8 D33E 70A9 A3B9 1945 67EA 951D
PGP Public Key: finger [EMAIL PROTECTED]

___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
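As an added example (not from the list posts above and not a Dachstein script): a small POSIX shell check that applies pete's point in the quoted reply, namely that an INTERN_SERVERS forward does nothing unless EXTERN_TCP_PORTS also admits the packets at the input chain. It parses the two variables in the formats the thread shows (proto_extip_extport_intip_intport and srcip/mask_dstport), reports every forwarded external port that has no matching hole, and prints the ipmasqadm command each forward corresponds to so the forwards can be reviewed. The sample values are constructed, the service-name table is a tiny stand-in for /etc/services so the script runs offline, and nothing is applied to a live firewall.

```shell
#!/bin/sh
# Constructed sample values in the Dachstein network.conf formats quoted above
# (placeholders, not a real firewall's configuration).
EXTERN_TCP_PORTS="0/0_ssh 0/0_www 0/0_smtp 169.237.105.80/0_123"
INTERN_SERVERS="tcp_196.33.41.70_80_192.6.31.253_80 tcp_196.33.41.70_443_192.6.31.253_443"

# svc_to_port NAME: map service names to numbers (stand-in for /etc/services;
# numeric ports pass through unchanged).
svc_to_port() {
    case "$1" in
        ssh)      echo 22 ;;
        www|http) echo 80 ;;
        smtp)     echo 25 ;;
        *)        echo "$1" ;;
    esac
}

# extern_open_ports LIST: numeric destination ports admitted by an
# EXTERN_TCP_PORTS list (entries look like srcip/mask_dstport), one per line.
extern_open_ports() {
    for entry in $1; do
        svc_to_port "${entry#*_}"
    done
}

# forwarded_ports LIST: external port of each INTERN_SERVERS entry
# (proto_extip_extport_intip_intport), one per line.
forwarded_ports() {
    for entry in $1; do
        rest="${entry#*_}"      # extip_extport_intip_intport
        rest="${rest#*_}"       # extport_intip_intport
        echo "${rest%%_*}"
    done
}

# render_portfw LIST: the ipmasqadm command equivalent to each INTERN_SERVERS
# entry, printed (not executed) so the forwards can be reviewed.
render_portfw() {
    for entry in $1; do
        proto="${entry%%_*}"
        rest="${entry#*_}"; extip="${rest%%_*}"
        rest="${rest#*_}";  extport="${rest%%_*}"
        rest="${rest#*_}";  intip="${rest%%_*}"
        intport="${rest#*_}"
        echo "ipmasqadm portfw -a -P $proto -L $extip $extport -R $intip $intport"
    done
}

# check_forwards EXTERN_LIST INTERN_LIST: for every forwarded external port
# print "OK port" if EXTERN_TCP_PORTS admits it, else "MISSING port".
# Exit status 1 if any forward has no matching hole (the "doors are locked" case).
check_forwards() {
    open=$(extern_open_ports "$1")
    status=0
    for p in $(forwarded_ports "$2"); do
        if printf '%s\n' "$open" | grep -qx "$p"; then
            echo "OK $p"
        else
            echo "MISSING $p"
            status=1
        fi
    done
    return $status
}

# Stand-alone run against the sample values.
render_portfw "$INTERN_SERVERS"
if check_forwards "$EXTERN_TCP_PORTS" "$INTERN_SERVERS"; then
    echo "every forward has a matching EXTERN_TCP_PORTS entry"
else
    echo "at least one forward is blocked at the input chain"
fi
```

With the constructed values the script reports port 80 as OK and port 443 as MISSING, which is exactly the symptom the thread describes: ipmasqadm portfw -l looks right, but the external client never reaches the internal server. The reverse case, a hole in EXTERN_TCP_PORTS with no forward and no service on the firewall itself, is worth checking too, since that is unnecessary exposure rather than a broken forward.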
Re: [Leaf-user] ctrl+s doesn't work when trying to edit /etc/modules
try control-q then y for save or n to not save.

pete

begin Amar S. [EMAIL PROTECTED]
> I created a disk using the executable image (diskimages/dachstein/dachstein-v1.0.2-1680.exe)
> No changes have been made to the image
> Running on pentium 75mhz with 32 mb RAM
> Pcnet32 and Rtl8139 nics
>
> It boots up fine. I am trying to edit /etc/modules to choose the right nic module but i can't save the changes. I tried (ctrl+s) but it doesn't do anything. (Ctrl+c) (ctrl+q) also don't work. I am new to linux. Please help.
>
> Much thanks in advance.
Re: [Leaf-user] 2 minor corrections to the LRP boot disk howto
matt,

this was on:

http://c0wz.steinkuehler.net/dox/mirrors/LRP_Disc_HowTo.html

truly, one of the most well written documents i've come across. the author did a _fantastic_ job outlining how to use high capacity floppy disks. the errors don't detract from it (one is a typo, the other is a broken email address). perhaps it should be assimilated into the LEAF docs?

pete

begin Matt Schalit [EMAIL PROTECTED]
> Peter Jay Salzman wrote:
> > to whoever is maintaining the LRP bootdisk howto:
> >
> > 1. under rolling your own,
> >
> >    # syslinux -s /dev/fd1680
> >
> >    should be
> >
> >    # syslinux -s /dev/fd0u1680
> >
> > 2. the maintainer's email address [EMAIL PROTECTED] is no longer valid.
> >
> > pete
>
> Pete,
>
> the closest document I could find at leaf.sourceforge.net was
> http://sourceforge.net/docman/display_doc.php?docid=1416&group_id=13751
> and it doesn't have that syntax. What url were you referring to?
>
> Thanks.
> Matt
Re: [Leaf-user] Newbie: Help choosing correct package
the linux kernel is written in C, but is programmed somewhat object orientedly. there have been discussions to switch to C++, but nobody was too serious. there are some good reasons not to switch, not the least of which is A LOT would have to change.

support scripts are generally written in shell scripting. either bourne or bourne again.

pete

begin [EMAIL PROTECTED]
> Here is another newbie question: What language is LEAF/LRP and its assorted packages written in? Is C/C++ the standard language for Linux?
>
> Thanks to all!!
>
> Sincerely,
> Justin Pease
> N u a n c e N i n e
> Web Usability, Development and Design
> www.nuance9.com
[Leaf-user] difference between EXTERN_TCP_PORTS and EXTERN_TCP_PORT[0-9]{1,}
is the difference between EXTERN_TCP_PORTS and EXTERN_TCP_PORT[0-9]{1,} that it's more pleasing to the eye to look at

EXTERN_TCP_PORT0=0/0 ssh
EXTERN_TCP_PORT1=0/0 www
EXTERN_TCP_PORT2=0/0 smtp
EXTERN_TCP_PORT3=0/0 6346

than

EXTERN_TCP_PORTS=0/0_ssh 0/0_www 0/0_smtp 0/0_1023 0/0_6346

or is there a real difference other than aesthetics between these variables?

pete
[Leaf-user] a thought about modified file backups
a late night thought:

why not intercept the write() system call? if the write is to a file on the filesystem, keep track of its path in some kernel data structure. better yet, generate a /proc file with the pathnames of all filesystem files that were modified by write(). the backup program would then read from this file and pop off the pathnames as they were backed up.

this would be implemented as a kernel module.

pete
Re: [Leaf-user] a thought about modified file backups
begin Doug O'Halloran [EMAIL PROTECTED]
> a few early morning thoughts:
>
> - if booting with CD as source, why not back up anything newer than the CD creation date? I'm sure there's _some_ combination of actions that'd break under this (ie. updated *.LRP packages on floppy/HD with files older than CD's write time, but newer than CD's package), but for the most part, it *might* do the job.

wouldn't this cause your changed files (ie- /etc/network.conf) to be a candidate for backup whether you recently modified them or not? i think the only people this would work for is people who burned custom cd's and don't use the boot/backup floppy.

> - why not have a 'backup package' that builds MD5 sums of current *.LRP packages and is the last to be backed up? Upon initiating a backup, it'd at least identify if the package is truly different from the last time thus needs to be backed up.

might be doable. and easy to implement. the only downside i can see is that it might take awhile for those of us running firewalls/routers on rather old machines. other than that, i like this idea.

pete

> Peter Jay Salzman wrote:
> > a late night thought: why not intercept the write() system call? if the write is to a file on the filesystem, keep track of its path in some kernel data structure. better yet, generate a /proc file with the pathnames of all filesystem files that were modified by write(). the backup program would then read from this file and pop off the pathnames as they were backed up.
> >
> > this would be implemented as a kernel module.
>
> We couldn't pop off the pathnames, as subsequent backups would need to do the same files.
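The MD5-manifest idea from the exchange above, as an added shell example (not from the list and not a Dachstein script): it records the checksum of every *.lrp package in a manifest file, and on the next run lists only the packages whose checksum changed or which are new, so a backup can be limited to those. It also flags packages recorded in the manifest that have vanished from disk, which a backup script should report rather than silently drop. The packages and edits in the demo at the bottom are constructed in a temporary directory; md5sum is assumed to be available.

```shell
#!/bin/sh
# build_manifest DIR OUT: write "md5  name" for every *.lrp in DIR to OUT
# (base names only, so the manifest does not depend on the mount point).
build_manifest() {
    dir="$1"; out="$2"
    : > "$out"
    for f in "$dir"/*.lrp; do
        [ -f "$f" ] || continue
        sum=$(md5sum "$f" | cut -d' ' -f1)
        printf '%s  %s\n' "$sum" "$(basename "$f")" >> "$out"
    done
}

# manifest_sum MANIFEST NAME: checksum recorded for NAME, empty if not recorded.
manifest_sum() {
    awk -v n="$2" '$2 == n { print $1 }' "$1"
}

# changed_packages DIR OLD_MANIFEST: one line per package that needs backing up,
# "NEW name" (absent from the old manifest) or "CHANGED name" (checksum differs),
# followed by "GONE name" for manifest entries that no longer exist on disk.
changed_packages() {
    dir="$1"; old="$2"
    for f in "$dir"/*.lrp; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        cur=$(md5sum "$f" | cut -d' ' -f1)
        prev=$(manifest_sum "$old" "$name")
        if [ -z "$prev" ]; then
            echo "NEW $name"
        elif [ "$prev" != "$cur" ]; then
            echo "CHANGED $name"
        fi
    done
    while read -r _sum name; do
        [ -f "$dir/$name" ] || echo "GONE $name"
    done < "$old"
}

# demo_changed_packages: constructed packages in a temp dir; prints the report
# that a second backup run would produce after some edits.
demo_changed_packages() {
    tmp=$(mktemp -d)
    printf 'etc v1\n' > "$tmp/etc.lrp"
    printf 'modules v1\n' > "$tmp/modules.lrp"
    printf 'old\n' > "$tmp/old.lrp"
    build_manifest "$tmp" "$tmp/manifest.md5"
    # simulate work between backups: edit etc, add a package, delete one
    printf 'etc v2\n' > "$tmp/etc.lrp"
    printf 'tcpdump\n' > "$tmp/tcpdump.lrp"
    rm "$tmp/old.lrp"
    changed_packages "$tmp" "$tmp/manifest.md5"
    rm -rf "$tmp"
}

demo_changed_packages
```

On the old hardware pete mentions, the cost is one md5sum pass over the packages per backup; the manifest itself should be written last, after the packages it describes have been copied, so a backup interrupted half way cannot leave a manifest claiming packages that were never saved.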
Re: [Leaf-user] dachstein cd 1.0.2: keyboard and cdrom errors
begin Matthew Schalit [EMAIL PROTECTED]
> > unfortunately, i'm configuring the firewall right now (as in setting up the networking parameters) so ssh doesn't work quite yet. a keyboard would be useful. :-)
>
> Dachstein 1.0.2 is called Dachstein Firewall for the good reason that it comes complete. It is well enough written, including QoS, that you can get by to start with using it, as long as you use 192.168.1.0 for your internal network. Want a DMZ too? Not a problem. Want a different firewall? There's Shorewall, Echowall, rcf, and pfw. The first uses iptables, the last three use ipchains.

question -- i'm thinking of going back to seawall. when using a different firewall package, i assume dachstein has no way of knowing a priori you're using another firewalling package? i assume the firewall packages simply wipe all ipchains, all port forwards and start fresh?

> > on the upside, boot time is now cut by a third.
>
> People rarely reboot the firewall. So boot speed is not that significant, though using a cdrom to load all your packages is what's fast.

i rebooted between eigerstein and dachstein like crazy, since i needed to access the internet to get help and read tutorials. remember -- i'm new at this, and it took me an awful long time and a lot of trial and error to get dachstein working. yes, i know /afterwards/ the firewall doesn't get booted much.

> > and my firewall would be able to accept/reject packets VERY QUICKLY. :)
>
> Yes, but how much quicker than the P66?

well, actually that was a joke that you apparently didn't get. but now that you mention it, yes. i'm completely convinced that my net connectivity is faster. i know what conventional wisdom says; you share in that view point. however, i spend a lot of time at the computer, and the difference IS noticeable. my girlfriend noticed it too.

> Good luck. I was sort of wondering what's going on, because the latest DF is so slick that it comes right up in about 30 mins, if you've set one of these up before and know your network.conf and your modules.conf.

you hit the nail on the head.

pete
Re: [Leaf-user] dachstein cd 1.0.2: keyboard and cdrom errors
begin David B. Cook [EMAIL PROTECTED]
> Even if the keyboard is not your specific problem, eliminate it. Your firewall is a server that is available by SSH so there is no need for keyboards cluttering up your area.

unfortunately, i'm configuring the firewall right now (as in setting up the networking parameters) so ssh doesn't work quite yet. a keyboard would be useful. :-)

a friend gave me an old pentium II/233. perhaps my old pentium I/66 outlived its usefulness. i rebooted dachstein on the new machine with no problems (and boy was it faster). it kind of sucks that i had trouble with older hardware; seems like the very thing that LEAF should thrive on.

on the upside, boot time is now cut by a third. and my firewall would be able to accept/reject packets VERY QUICKLY. :)

with only 2 days till school starts again, i want this firewall up asap...

pete
Re: [Leaf-user] dachstein cd 1.0.2: modules are unavailable
hi charles,

i was under the (wrong) impression that cd:/lib/modules should already be mounted when the system boots. i didn't realize that all this is taken care of during the booting process. victor and greg pointed this out to me.

the *other* problem was that /etc/modules didn't get backed up when i backed up etc.lrp. it took me awhile to figure this out. it gets backed up with modules.lrp. this was good old trial and error.

right now my system boots correctly, and the nics are almost configured. when the system boots, i can configure them by hand. i just need to go through all options and start making the final changes and i think i'll have a working system.

pete

begin Charles Steinkuehler [EMAIL PROTECTED]
> > reading the comments in /etc/modules, it looks like cdrom:/lib/modules is supposed to be mounted on /lib/modules in the ramdisk. that's not happening. as a result, none of the modules i specify in /etc/modules are loading.
> >
> > can someone help me out here? with the /dev/cdrom improvements of 1.0.2, it seems like this sort of thing should be working out of the box rather than try to hack it to work.
>
> Exactly what does your /etc/modules file look like? All you should have to do is uncomment the appropriate NIC drivers...no other changes should be necessary.
>
> Are the masquerade helper modules loading? What is the output of lsmod?
>
> Charles Steinkuehler
> http://lrp.steinkuehler.net
> http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
Re: [Leaf-user] dachstein cd 1.0.2: modules are unavailable
is there a mirror of this? it appears to be dead right now. what's the title of the document? maybe i can google for a copy somewhere...

pete

begin Greg Morgan [EMAIL PROTECTED]
> One more idea is to use some of the other documentation. Take a look at
> http://nw-hoosier.dyndns.org/rlohman/linux/firewall/index.html.
> Don't forget to wander around leaf.sourceforge.net.
Re: [Leaf-user] How do you use the bootdisk.bin file???
begin Craig Caughlin [EMAIL PROTECTED]
> Hi folks,
>
> I'm trying to understand how to create my own bootable CD and some of you have been kind enough to respond. Charles replied to me by saying:
>
> > Create a new CD image using appropriate software...make sure you use the bootdisk.bin disk image to make the CD bootable. The proper mkisofs command is included in the CD-ROM readme.
>
> I don't understand how to use the bootdisk.bin image with my Nero software to create the CD (I think Nero only recognizes .nrg, .iso, or .cue files...not .bin)???
>
> He goes on to say:

i think a little confusion is going on here. if i'm not mistaken, nero is a cd writer, yes? there are two things you're going to create: a cd and a floppy.

1. burn the CD iso image. ie- make a copy of the cd. use nero for that.

2. make a copy of a boot floppy. i don't use windows (at all!), so i couldn't tell you how to do it from windows. however, from linux, you want to do:

   dd if=bootdisk.bin of=/dev/fd0

the file bootdisk.bin is, loosely, a raw copy of the floppy itself. it's not an ISO image. on the c0wz site, there's an excellent tutorial on boot floppies in general. it's thorough enough (imho) to be a definitive source on the topic. after you set up your router/firewall, you can play around with creating your own bootfloppy with a larger format, like 1.680MB instead of 1.44MB.

hopefully, i've said something here that sparked understanding. if you understood all this, you can follow the first few steps of the README file on the dachstein cd.

> > WARNING: If you need to change root.lrp, the kernel, or any syslinux settings (including root ramdisk size), you'll need to modify the bootdisk.bin floppy-disk image...it's a plain 1.44 Meg disk image, and can be manipulated with all the normal tools (dd, winimage, rawrite, c).
>
> What does he mean modify the bootdisk.bin image, and why would you want to or need to???

if you:

1. create a larger capacity boot floppy (optional. see above)
2. want to play around with loading different modules (optional)

you need to modify the file syslinux.cfg and/or lrpkg.cfg (both are on the boot floppy). that's all i can really think of which is obvious. it's up to you. i don't think there's a pressing need to modify the boot disk -- i think you can pretty much get by without modifying it. however, the default list of packages may not be to your liking. for example, i can't live without tcpdump. :)

in dachstein 1.0.1, you *had* to modify syslinux.cfg if the cdrom wasn't /dev/hda. in version 1.0.2 it, thankfully, detects the cdrom so you don't have to do this anymore.

pete
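Pete's point that bootdisk.bin is a raw floppy image rather than an ISO, turned into an added shell check (not part of the thread and not the Dachstein CD tooling) that can be run before writing an image to a floppy. It classifies a file by the two signals available offline: its exact byte length (1,474,560 bytes for a 1.44 MB floppy, 1,720,320 bytes for the 1.68 MB format discussed elsewhere in this archive) and the ISO 9660 volume descriptor signature "CD001", which an ISO carries at byte offset 32769. It then prints, without running, the dd command for a raw floppy image and refuses anything else. The demo files are constructed with dd in a temporary directory.

```shell
#!/bin/sh
FLOPPY_1440=1474560   # 80 tracks x 2 heads x 18 sectors x 512 bytes
FLOPPY_1680=1720320   # 80 tracks x 2 heads x 21 sectors x 512 bytes
ISO_SIG_OFFSET=32769  # primary volume descriptor at sector 16 (2048-byte sectors), +1

# file_size PATH: byte length, portable (wc -c on stdin prints only the count)
file_size() { wc -c < "$1" | tr -d ' '; }

# is_iso9660 PATH: true if the ISO 9660 signature sits at the expected offset
is_iso9660() {
    [ "$(file_size "$1")" -ge $((ISO_SIG_OFFSET + 5)) ] || return 1
    sig=$(dd if="$1" bs=1 skip=$ISO_SIG_OFFSET count=5 2>/dev/null | tr -d '\000')
    [ "$sig" = "CD001" ]
}

# image_kind PATH: print floppy-1440, floppy-1680, iso9660 or unknown
image_kind() {
    if is_iso9660 "$1"; then
        echo iso9660
        return
    fi
    case "$(file_size "$1")" in
        "$FLOPPY_1440") echo floppy-1440 ;;
        "$FLOPPY_1680") echo floppy-1680 ;;
        *)              echo unknown ;;
    esac
}

# floppy_write_cmd IMAGE: print the dd command that would copy a raw floppy
# image to the floppy device (printed, not run); anything that is not a raw
# floppy image is refused, since dd'ing an ISO would leave a fragment of a CD
# filesystem on the floppy rather than a bootable disk.
floppy_write_cmd() {
    kind=$(image_kind "$1")
    case "$kind" in
        floppy-1440) echo "dd if=$1 of=/dev/fd0 bs=512" ;;
        floppy-1680) echo "dd if=$1 of=/dev/fd0u1680 bs=512" ;;
        *) echo "refusing: $1 is $kind, not a raw floppy image" >&2; return 1 ;;
    esac
}

# demo_image_kinds: constructed files of the three shapes in a temp dir
demo_image_kinds() {
    tmp=$(mktemp -d)
    dd if=/dev/zero of="$tmp/floppy.bin" bs=512 count=2880 2>/dev/null
    dd if=/dev/zero of="$tmp/disc.iso" bs=2048 count=20 2>/dev/null
    printf 'CD001' | dd of="$tmp/disc.iso" bs=1 seek=$ISO_SIG_OFFSET conv=notrunc 2>/dev/null
    printf 'not an image\n' > "$tmp/readme.txt"
    for f in floppy.bin disc.iso readme.txt; do
        echo "$f $(image_kind "$tmp/$f")"
    done
    rm -rf "$tmp"
}

demo_image_kinds
```

The size check is deliberately exact: a boot floppy image that is a few bytes short or long has usually been mangled by a text-mode transfer, and writing it will produce a disk that fails in ways that look like the hardware problems discussed elsewhere in this thread.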
[Leaf-user] dachstein cd 1.0.2: modules are unavailable
complete LRP newbie here. i'm trying to set up dachstein cd 1.0.2.

reading the comments in /etc/modules, it looks like cdrom:/lib/modules is supposed to be mounted on /lib/modules in the ramdisk. that's not happening. as a result, none of the modules i specify in /etc/modules are loading.

can someone help me out here? with the /dev/cdrom improvements of 1.0.2, it seems like this sort of thing should be working out of the box rather than try to hack it to work.

pete
Re: [Leaf-user] dachstein cd 1.0.2: modules are unavailable
hi victor and greg,

begin Greg Morgan [EMAIL PROTECTED]
> Peter Jay Salzman [EMAIL PROTECTED] wrote:
> > reading the comments in /etc/modules, it looks like cdrom:/lib/modules is supposed to be mounted on /lib/modules in the ramdisk.
>
> Dachstein takes care of this for you so there must be some other problem.

ok, so /lib/modules *should* be empty? that's the first thing that's gone right today. i've had 3 floppies in a row fail on me. i was getting ready to make a trip out to frys to buy a new drive when my girlfriend pulled out a brand new floppy and it worked. i swear floppies were more reliable a few years ago.

> 1.) Uncomment the Ethernet modules you need. Many of the newer PCI based ethernet modules require a pci-scan module. Uncomment the supporting modules too!

ok, truth be told, i didn't configure /etc/modules because i was thinking that /lib/modules being empty was a show stopper. i'll go back and start configuring modules right now.

one question -- i grok the concept of the filesystem going away unless it's backed up to floppy. what i don't grok so much is the concept of partial backups. the readme file on the cd is confusing. what i'd LIKE to think is that anything i modify will be packaged up in its own etc.lrp file on the floppy and untarred over the /etc generated by the cd version of etc.lrp. however, the one thing i did manage to gather from the readme file is that it's not quite this simple. can you tell me a little bit about how partial backups work?

> (good stuff snipped)

ok, i'll go back and follow the instructions. wish me luck!

> 7.) Most of all give yourself patience. It is worth the wait to get your feet wet with a leaf distro.

thanks for saying this. the gumption factor was pretty low this morning! :)

pete
[Leaf-user] dachstein cd 1.0.2: keyboard and cdrom errors
during kernel bootup, i get the following error:

AT keyboard timed out
Is keyboard present?

the connection is good, the keyboard works when i go into bios, and it also works with a configured eigerstein LRP floppy that i have. the machine in question is a very old pentium 66. a few days ago, i tried out 1.0.1 (before i knew about 1.0.2), and it kind of worked with that. kind of meaning that sometimes it did, and sometimes it timed out. this is pretty consistent. when i insert the dachstein cd and boot floppy in any other machine in the house, the keyboard works fine. i've been configuring it on another machine in the meantime, but eventually, i'd like to use dachstein on my firewall.

also, when linuxrc does its stuff (loading the .lrp files), i get many, many non-fatal errors that look like:

cdrom_decode_status { DriveReady SeekComplete error }

eventually, it works after printing

ATAPI reset complete

this isn't fatal -- everything eventually gets loaded, but it takes a very long time. note that the errors don't appear when the modules are loading.

any words of wisdom?

pete