RE: [leaf-user] multiple static ip address router/firewall

2005-07-14 Thread Peter Mueller
 Andrew Nance wrote:
 | It is hard to estimate but somewhere around 750 Kbps to 1.5 Mbps total
 | bandwidth.
 
 Almost anything fairly modern (ie: Pentium-class PCI based system) should
 be able to handle this kind of bandwidth.  Even 486 based systems with EISA
 cards (should you actually be able to find one) could probably move this
 much data around.  Most of those 'black-box' routers from Linksys, D-Link,
 et-al. will typically handle 3-5 MBits/s or more fairly easily (remember,
 they're engineered to hook to cable modems, and would look bad if they were
 a bottleneck).

A 486 can handle a T1 (1.5mbps) or E1 (2mbps) while encrypting with 3DES and
IPSEC.  A pentium-75mhz can encrypt ~10mbps.  Both of these rates assume
decent NICs.  Most statistics for bandwidth include packets per second (PPS)
and the # of bits or bytes in those packets.

I think a WRAP can handle your load easily unless you are running some huge
amount of firewall rules and QOS.  In fact, I know so :) even though I don't
own one :(.  TomsHardware has a nice review:
http://www.tomsnetworking.com/Reviews-169-ProdID-WRAP1D2-3.php.   As you can
see, a 266mhz WRAP can do ~40mbps NAT, or ~3.5mbps IPsec/3DES.  This means it is
somewhere between a fast 486 and a pentium 75mhz in speed for encryption.  If
I remember correctly a Pentium 75mhz can only do 20-30mbps NAT so apparently
the WRAP is faster for this kind of thing.

Regards,

P


---
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_idt77alloc_id492op=click

leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/


RE: [leaf-user] Image CF drive

2005-07-14 Thread Peter Mueller
 Does anyone know of any windows tools that can do a disk 
 image of a CF card?
 
 I have multiple identical CF cards I need to propagate a 
 uClibc install to, bootable portion and all. The only tools I 
 have found that work with CF cards so far have been for linux.

Disk Dump (for Windows) is the tool you want.  I guess ghost (commercial) or
similar would work, too.

http://uranus.it.swin.edu.au/~jn/linux/rawwrite/dd.htm

PS - your webconf issue looks like it is because the old mini_httpd is still
running.

Regards,

P




RE: [leaf-user] ide flash drive question

2005-07-14 Thread Peter Mueller
 syslinux -s c:  using syslinux.com (download from the net as 
 this is the DOS program not syslinux.exe

FYI I have never had much luck with syslinux and CF-IDE.  It sometimes worked
with windows boot disks, though.  I recommend the Dos 6.22 from
http://www.bootdisk.com/.

It will most likely not work the first time you try it, but fiddle with the
order and eventually you will get it.

(FYI - my syslinux trial was a year+ ago, maybe it is better now..)

Regards,

P




RE: [leaf-user] Bering-uClibc packages in testing

2005-07-13 Thread Peter Mueller
 as you probably know there some packages in testing for 
 Bering-uClibc:

Is ethtool supposed to be in testing?  I think a lot of people use this..

Regards,

P




RE: [leaf-user] RE: Some questions regarding LEAF on WRAP box

2005-07-12 Thread Peter Mueller
  Ã.Ãs8690Ã?ÃS®-VO««Ý¢´%puÂ¥`F...
 
 Yes, funny, the same thing happened to me some time ago. For unknown
 reasons I had a line of garbage in leaf.cfg. It feels like IDE I/O is
 shaky with CF's. Maybe one should have a look at hdparams. Else it might
 be possible that I did not correctly unmount the CF before rebooting and
 so the system had no chance to flush the buffers correctly and this
 might be lethal when writing directly to the CF.

It's easy to destroy CF cards this way.  I went through two on my routers
before understanding that you need to unmount the card ASAP.

Regards,

P




RE: [leaf-user] Also need driver for Intel Pro 1000 MT

2005-06-15 Thread Peter Mueller
 Thanks, Erich.
 I did try the e1000 driver that came with bering 1.2 CD, but 
 it did not work. Yes, I will have one of my lab techs do this 
 to make sure it works... but could be a lab exercise for 
 students as well.
 
 Both the intel and realtek are source tar gz's so we will 
 compile on a 2.4.x system.

This is because Bering 1.2 has an old driver and Intel changed the chipset
enough to require a new version of the driver to come out.  The latest kernel
source or (better) Intel source will work fine.  Bering uClibC will also work
by default if you use later versions.

Note that if you are wanting to use a lot of that gigabit capability be sure
to use a 64-bit slot and the NAPI variant of the driver.  It might be easiest
to ask the uClibC 'krew' to do the NAPI part for you.  Or of course the
student route :).

Regards,

P




RE: [leaf-user] Firewall failover

2005-05-25 Thread Peter Mueller
   We are investigating on firewall failover design. I have searched the
 net and found that projects like LVS have it mostly solved for their side
 but that netfilter lacks it.
 
   Of course, a simple failover of the firewall is available using things
 like VRRP (KeepAlive software) but without state synchronization, and that
 is precisely the part we need to investigate.
 
   Is this issue solved in netfilter? How? Any ideas? Does it work with
 kernel 2.4?
 
   Bear in mind I'm not talking about ISP redundancy but the firewall
 itself, if possible set as an active/active failover solution.

http://svn.netfilter.org/cgi-bin/viewcvs.cgi/trunk/netfilter-ha/

You want ct_sync, or connection tracking synchronization.  I am not sure what
its status really is, but I think it is in 'testing' or 'works for me'.

Regards,

P





RE: [leaf-user] Bering-uClibc Docs and IPSEC: FreeSwan or OpenSwan?

2005-04-29 Thread Peter Mueller
  Given that Bering* only runs on the 2.4 kernel and to my knowledge
  does not include the backport of the Kernel 2.6 Native IPSEC code, you
  want the Kernel 2.4 docs (http://shorewall.net/IPSEC.htm) regardless
  of what  color your Swans are.
  
  -Tom
 
 Thanks Tom. I've been referencing that page already. It's 
 great for the configuration items. What about initial IPSEC 
 setup, though (i.e. generating keys, etc.). That's supposed 
 to be in the *Swan docs that are missing. What is everyone 
 else using? Am I the only one trying to survive on pre-built packages?

http://leaf.sourceforge.net/doc/guide/buipsec.html

Jacques's documentation is still relevant and nice :).  Bering-uClibC is
basically bering that's more up to date with a smaller compiler.

P




RE: [leaf-user] Best 4-port NICs?

2005-04-07 Thread Peter Mueller
 I'd appreciate a recommendation from the list on which 4-port 
 NICs work best with the Bering uClibc distro?
 
 Any known problems using them with single-port NICs on the 
 same machine?

The situation is the same as with a normal distro.  uClibc uses modules;
therefore, you can insert commands just like with a regular distro.  Stay
away from Tulip based 4-port cards.  I have used Intel cards to good effect,
especially with newer machines.  Older servers sometimes have IRQ issues.

On 4 servers here we are using 2 dual 64bit 66mhz+ Intel gigabit adapters to
good effect.  It is important to get 64bit 66mhz+ cards if you want to push a
lot of bandwidth.

Regards,

P




RE: [leaf-user] Best 4-port NICs?

2005-04-07 Thread Peter Mueller
 Intel: Intel(r) PRO/1000 MT Quad Port Server Adapter $337
 Osicom: FE-2404-TX - 10/100BTX PCI FAST ENET NIC $329
 D-Link: DFE-570TX 4 port 21143 card (avail only on eBay) $80

 I'm thinking the Intel NIC would be best, but after looking 
 at it on intel.com I'm not sure it'll fit in a PCI slot. It 
 looks like a PCI/X card.
 
 My next choice would be the Osicom card for 
 price/performance, but I've never heard of them before. They 
 say it's based on the Intel 82559 and list Linux as a 
 supported OS so it should work.
 Our firewall hardware platform uses a passive backplane 
 chassis with Cyber Research PIII-based single board 
 computers. I can't find the SBC documentation so I'm not sure 
 if it'll handle 64-bit PCI transfers. Even so, it shouldn't 
 be worse than 4 single port NICs.
 
 Which would you favor?

You didn't mention your bandwidth requirements.  I have heard the
DLINK-DFE570TX card works, but if I were you I'd prefer the Intel-based cards
that are new.  If price is an issue look at the DLINK.  Especially if you
have extra time.

Regards,

P




[leaf-user] RE: [leaf-devel] Bering-uClibc: qmail ???

2005-03-18 Thread Peter Mueller
 I am very surprised that I cannot find qmail for Bering-uClibc.
 
 What am I missing?
 
 Can somebody, please, make a Bering-uClibc qmail.lrp ???

Try Bering package http://leaf.sourceforge.net/packages/glibc-2.0/qmail.lrp.
You will need to use at least
http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/leaf/bin/bering-uclibc/packages/libc207.lrp?rev=HEAD&content-type=application/octet-stream
(libc207) or
http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/leaf/bin/bering-uclibc/packages/libc225.lrp?rev=HEAD&content-type=application/octet-stream
(libc225) with qmail to make it work.  Sorry, I don't know if it needs more
libraries and don't have time to test it.

Regards,

P




RE: [leaf-user] Write error on CF

2005-03-04 Thread Peter Mueller
 Mar  3 10:26:46 phuoc kernel: hda: read_intr: status=0x59 { DriveReady
 SeekComplete DataRequest Error }
 Mar  3 10:26:46 phuoc kernel: hda: read_intr: error=0x40 {
 UncorrectableError }, LBAsect=13453, sector=13536
 Mar  3 10:26:46 phuoc kernel: end_request: I/O error, dev 03:01 (hda),
 sector 13536
 Mar  3 10:26:46 phuoc kernel: hda: read_intr: status=0x59 { DriveReady
 SeekComplete DataRequest Error }
 Mar  3 10:26:46 phuoc kernel: hda: read_intr: error=0x40 {
 UncorrectableError }, LBAsect=13569, sector=13537

Sometimes these errors stop me from booting because of DMA.  You can try
turning it off in syslinux.cfg.  Add these to the end of your syslinux.cfg.
(In my case I am using serial console, so I already have something.  If you
don't want serial console you can use the second example).
append console=ttyS0,19200 nodma=hda ide=nodma
append nodma=had ide=nodma

You will have to reboot after making these changes.

Regards,

P




RE: [leaf-user] Write error on CF

2005-03-04 Thread Peter Mueller
 append console=ttyS0,19200 nodma=hda ide=nodma
 append nodma=had ide=nodma

Oops,

append nodma=hda ide=nodma

Sorry for the extra mail.




RE: [leaf-user] Cheap NICs or Expensive NICs?

2005-03-02 Thread Peter Mueller
 Quick question.
 What is this impact of cheap NICs (8139too, smc900, etc) 
 instead of expensive NICs (3c905)? For instance, when 
 building a NAT/firewall device to share xDSL or cable.

Cheaper NICs have a performance penalty, usually in interrupts.  Interrupts
limit the capability of your network and increase CPU load.  If you have a
Pentium 75mhz or faster then you should be OK for  20 megabits with cheaper
NICs.

 The information in this email is confidential and may be 
 legally privileged.  It is intended solely for the addressee. 
  Access to this email by anyone else is unauthorised.

unauthorized?
 ^
 If you are not the intended recipient, any disclosure, 
 copying, distribution or any action taken or omitted to be 
 taken in reliance on it is prohibited and may be unlawful.
 
 The contents of an attachment to this email may contain 
 software viruses that could damage your own computer systems. 
  Whilst The Spur Group of Companies has taken every 
 precaution to minimise the risk, we cannot accept liability 

minimize?
  ^
 for any damage that you sustain as a result of software viruses.

Lovely.  I'll be sure to be careful :)

Regards,

P




RE: [leaf-user] Cheap NICs or Expensive NICs?

2005-03-02 Thread Peter Mueller
 BTW, a single PC has IIRC =400Kbps of throughput due to poor 
 memory mgmt between all the layers. This is without 
 customized reprogramming of the stack. 
 One link is
 http://www.ifip.or.at/con2000/icct2000/icct452.pdf
 that estimates 360Kbps on Linux.
 
 So cheap NICs might still be a solution if you have a small 
 number of PCs.

This paper is for really old kernels, stating the results don't apply for
new 2.2.0 kernel, only for 2.0.34.

You can still saturate a 100mbps network with very small packets at ~8kpps.
But your packets would have to be  ~120 bytes.  Anything approaching normal
packet size should be ok.

Regards,

P




RE: [leaf-user] Compact Flash Boot Failure

2005-01-05 Thread Peter Mueller
Hi Brock,

 Has anyone had a problem like this?  I'd like to know if the box could
 be the problem before I take the time to replace this CF yet again.  The
 unit is in a remote location and is fairly mission-critical.  I can't
 have this happen so regularly.

This has happened to me.   I am using LEAF Bering-uClibC with bgpd for 4
solid-state routers.  Unfortunately one of my routers seems to regularly chew
up its CF card.  I've switched the types of cards around in the system to no
effect.  My solution so far has been to back up the drive regularly and not
reboot, not exactly a nice solution.

I have not had the time to look into this matter properly, but a few ideas
that have come to mind are:
- Measure the voltage being given to the CF/IDE card.
- Measure the voltage the CF/IDE card is giving the CF.
- Check the cylinder count etc. on your IDE card, if possible.  Rumor has it
incorrect IDE setup can lead to this problem.
- Replace the CF/IDE and CF card.

I have used netcat and disk dump to good effect in backing up / restoring my
images.  Try:

(on destination): nc -l -p <port> | dd of=/dev/hda
(on original server): dd if=/dev/hda | nc <addr of other machine> <port as above>

Regards,

P




RE: [leaf-user] VPN Tunnel up but *no* traffic across connection?

2004-11-12 Thread Peter Mueller
 left=68.208.33.25
 leftsubnet=10.154.16.0/22

 rightsubnet=10.154.16.0/255.255.252.0

(If I'm reading this correctly..)
In left's view, 10.154.16.0/.252 is owned by left.  Ipsec routes get a lower
route priority than local interface routes.  Therefore, traffic won't bother
to traverse over IPSec.  Try changing the subnet range to something
different.

If this isn't the case, please post a simplified ascii map.

Regards,

P
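
The overlap described in the reply above can be checked mechanically before a tunnel is brought up. This is an added example, not part of the original post: only the `left`, `leftsubnet` and `rightsubnet` values of the first conn come from the quoted configuration, while the conn names, the `right` addresses and the second conn are constructed.

```python
import ipaddress

# Constructed ipsec.conf fragment. Only left, leftsubnet and rightsubnet of the
# first conn come from the thread; the conn names, the `right` addresses
# (documentation range) and the second conn are made up for contrast.
SAMPLE_IPSEC_CONF = """\
config setup
    interfaces=%defaultroute

conn office-to-branch
    left=68.208.33.25
    leftsubnet=10.154.16.0/22
    right=203.0.113.10
    rightsubnet=10.154.16.0/255.255.252.0   # same range as leftsubnet

conn office-to-lab
    left=68.208.33.25
    leftsubnet=10.154.16.0/22
    right=203.0.113.20
    rightsubnet=10.154.32.0/22
"""


def parse_conns(text):
    """Return {conn_name: {option: value}} for every 'conn' section."""
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop trailing comments
        if not line.strip():
            continue
        if not raw[0].isspace():                  # section header at column 0
            parts = line.split()
            is_conn = parts[0] == "conn" and len(parts) == 2
            current = conns.setdefault(parts[1], {}) if is_conn else None
        elif current is not None and "=" in line:  # indented option line
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns


def overlapping_conns(text):
    """List conns whose leftsubnet and rightsubnet share addresses.

    Both the /22 prefix form and the dotted-netmask form are accepted,
    so the two notations used in the thread compare equal.
    """
    hits = []
    for name, opts in parse_conns(text).items():
        if "leftsubnet" not in opts or "rightsubnet" not in opts:
            continue
        left = ipaddress.ip_network(opts["leftsubnet"], strict=False)
        right = ipaddress.ip_network(opts["rightsubnet"], strict=False)
        if left.version == right.version and left.overlaps(right):
            hits.append((name, str(left), str(right)))
    return hits


if __name__ == "__main__":
    for name, left, right in overlapping_conns(SAMPLE_IPSEC_CONF):
        print(f"conn {name}: leftsubnet {left} overlaps rightsubnet {right}")
```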




RE: [leaf-user] What is latest Freeswan for Bering 1.2?

2004-11-10 Thread Peter Mueller
 Dear List,
 I am wondering if there is any newer version such as Freeswan 2.06 in a
 .lrp that is available.  I am running Bering 1.2 (kernel 2.4.20).  The
 current version of freeswan is 1.99.6.2.

FreeSWAN is now OpenSWAN.  There are no updates for Bering.  For
Bering-uclibc though, you can get the latest openswan.

http://leaf.sourceforge.net/mod.php?mod=userpage&menu=91017&page_id=51

Is there a feature you want that's available in 2.06 that isn't in 1.99?

Regards,

P




RE: [leaf-user] LRP router failing? - the Last Chapter (STH)DSL line-quality info

2004-10-18 Thread Peter Mueller
 The replacement for the suspect FlowPoint 2200 DSL router arrived today
 from the ISP (an Efficient Networks 5851). I plugged it into the
 network sans the crutch switch between the two routers, and it worked
 like a charm.  Hypothesis becomes history.

Glad it's working!!  But let's go back to your ifconfig:

eth0  Link encap:Ethernet  HWaddr 00:10:4B:2C:90:9C
  inet addr:64.113.213.14  Bcast:64.113.213.15  Mask:255.255.255.252
  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
  RX packets:1800 errors:0 dropped:0 overruns:0 frame:0
  TX packets:2184 errors:0 dropped:0 overruns:0 carrier:341
  Collisions:0
  Interrupt:9 Base address:0xff00

See the carrier errors (15.6%)?  For future use, carrier errors indicate
cable fault or low-layer problem related to that interface.  FYI the
dumpfile looks normal.

Regards,

P




RE: [leaf-user] LRP router failing? - Alcatel SpeedTouchHome (STH)DSL line-quality info

2004-10-13 Thread Peter Mueller
 The bottom line to all of the above is that I'm more stumped than ever and
 don't know what to do next. I suppose I'll try to replace the eth0 NIC in
 the DachBox2 to try to eliminate the double fault possibility. I actually
 tried to do that earlier today as well, but neither of the NICS worked
 after that. When I restored the NIC I'd removed, they worked again.

How are you doing the test with the Linux router?  Are you using a server
behind it?  Are you connecting the private interface at all?  Please make
sure the private end is disconnected and try again if it was connected.

If the private end was disconnected, run tcpdump on the public interface and
post the results here.  You can email me directly if the results are a file
too large to post on a mailing list.

 I don't know how to get the ISP to seriously consider the possibility that
 their connection could be at fault. They simply don't see any problem from
 their end.

That's not surprising.  It's hard enough to get most ISPs to do anything when
you can tell them exactly what's wrong.  If Apple is supported, call again
and open a new ticket.  Tell them you have tried two Macintoshes (make the
LEAF results Apple results).

 If possible, I'm more open than ever to any suggestion.

Can you post the results of ifconfig after some packet loss?  Also, if you
could post an ASCII map of your network that might tell us something.  IPs
are not necessary but it wouldn't hurt to double-check all these settings on
your own.  (This has bit me a few times with all sorts of strange results).

E.g.,

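--------------
| DSL router | - IP x.y.z.a
--------------
      |
-------------- - eth0 x.y.z.b
|    LEAF    |
-------------- - eth1 a.b.c.z
      |
--------------
|  xSWITCHx  | - 16 port linksys (or whatever)
--------------
      |
--------------
|  Clients   |
--------------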

Regards,

P




RE: [leaf-user] LRP router failing?

2004-10-11 Thread Peter Mueller
 I can do that on the one in Seattle, and on the remote router when I
 get to Boise, Erich. I'll read up on tcpdump (never used it before) and
 give it a go. Thanks for the idea; I'm getting lots of input on tools
 I've never had to think about before, and that is why I came to this
 forum for help.

E.g.,
tcpdump -i eth0 (or eth1) not port ssh
tcpdump -i eth0 net 192.168.0/24 and not proto \\icmp
tcpdump -i eth0 host 1.2.3.4 or host 5.6.7.8 and not port ssh

Protocols require double-escaping, for example ICMP above.  Windump is the
Windows equivalent.

I think Ray is on the right track with spyware.  Be sure to check ifconfig
for transmission errors, too.

eth0  Link encap:Ethernet  HWaddr 00:C0:9F:3F:44:42  
  inet addr:1.2.3.21  Bcast:1.2.3.255  Mask:255.255.255.0
  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
** This is what you are looking for **
  RX packets:54447768 errors:2 dropped:0 overruns:0 frame:1
 ^^
  TX packets:52184055 errors:0 dropped:0 overruns:0 carrier:0
 
  collisions:0 txqueuelen:1000 
**
  RX bytes:854678430 (815.0 Mb)  TX bytes:2033727102 (1939.5 Mb)
  Base address:0xece0 Memory:fe1e-fe20 

A few errors - 1 every million or so is usually fine.

P
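
The ifconfig check used in this message and in the 2004-10-18 follow-up (carrier errors at 15.6%) can be scripted. This is an added example, not part of the original posts: the two samples are the ifconfig excerpts quoted in the thread, re-indented, and using the "1 every million or so" remark as a hard cutoff is an assumption.

```python
import re

# ifconfig excerpts quoted in the thread (old net-tools layout), re-indented.
SAMPLE_CARRIER = """\
eth0  Link encap:Ethernet  HWaddr 00:10:4B:2C:90:9C
      inet addr:64.113.213.14  Bcast:64.113.213.15  Mask:255.255.255.252
      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
      RX packets:1800 errors:0 dropped:0 overruns:0 frame:0
      TX packets:2184 errors:0 dropped:0 overruns:0 carrier:341
      Collisions:0
      Interrupt:9 Base address:0xff00
"""

SAMPLE_HEALTHY = """\
eth0  Link encap:Ethernet  HWaddr 00:C0:9F:3F:44:42
      inet addr:1.2.3.21  Bcast:1.2.3.255  Mask:255.255.255.0
      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
      RX packets:54447768 errors:2 dropped:0 overruns:0 frame:1
      TX packets:52184055 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:1000
      RX bytes:854678430 (815.0 Mb)  TX bytes:2033727102 (1939.5 Mb)
"""

_IFACE = re.compile(r"^(\S+)\s+Link encap:")
_COUNTERS = re.compile(r"^\s*(RX|TX) packets:(\d+)((?:\s+\w+:\d+)+)")
ERROR_FIELDS = ("errors", "dropped", "overruns", "frame", "carrier")


def parse_ifconfig(text):
    """Return {iface: {"RX": {...}, "TX": {...}}} with integer counters."""
    result = {}
    current = None
    for line in text.splitlines():
        m = _IFACE.match(line)
        if m:                                   # start of a new interface
            current = result.setdefault(m.group(1), {})
            continue
        m = _COUNTERS.match(line)
        if m and current is not None:           # "RX packets:..." line only
            counters = {"packets": int(m.group(2))}
            for name, value in re.findall(r"(\w+):(\d+)", m.group(3)):
                counters[name] = int(value)
            current[m.group(1)] = counters
    return result


def error_rates(counters):
    """Fraction of packets affected, per non-zero error counter."""
    packets = counters["packets"]
    if packets == 0:
        return {}
    return {f: counters[f] / packets for f in ERROR_FIELDS if counters.get(f)}


def findings(text, threshold=1e-6):
    """(iface, direction, counter, percent) for rates above the threshold.

    threshold=1e-6 is the assumed cutoff: one error per million packets.
    """
    out = []
    for iface, directions in parse_ifconfig(text).items():
        for direction, counters in directions.items():
            for field, rate in error_rates(counters).items():
                if rate > threshold:
                    out.append((iface, direction, field, round(rate * 100, 1)))
    return out


if __name__ == "__main__":
    for label, sample in (("2004-10-18", SAMPLE_CARRIER),
                          ("2004-10-11", SAMPLE_HEALTHY)):
        print(label, findings(sample) or "within tolerance")
```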





[leaf-user] [offtopic] How to use QOS traffic shaping in Being U 2.2

2004-09-29 Thread Peter Mueller
 #tc class add dev $DEV parent 1:1 classid 1:20 htb rate 
 $[9*$UPLINK/10]kbit \
 tc class add dev $DEV parent 1:1 classid 1:20 htb rate `expr 
 9 \* $UPLINK / 10`kbit \
burst 6k prio 2
 
 possibly the same thing. I did not have any performance degradation

Does anyone have a script that will work on a T1 and/or a large ADSL line?
(Will this one)?  I need to get going on QoS at a few locations.  Any
scheduler is fine so long as it works.

Thanks much,

P




RE: [leaf-user] Bering-uClibc_2.2-beta5 HDD Version Question

2004-08-16 Thread Peter Mueller
 However, I found some log (e.g. cron.log ) is missing.
 
 # df
 Filesystem   1k-blocks  Used Available Use% Mounted on
 /dev/root         8192  4284      3908  52% /
 tmpfs            23392     0     23392   0% /tmp
 tmpfs           528000  9440    518560   2% /var/log
 /dev/hda1       528000  9440    518560   2% /var/log
 
 I think the cron.log was written to /var/log at tmpfs first, 
 then erased?
 after mount the hard disk.
 
 Question: How can I remove /var/log at tmpfs?

I don't see an entry for /var/log/ in /etc/fstab.  Perhaps this is configured
by leaf.cfg/syslinux.cfg; try entering log_size=0M.  I would test it but
all my routers are now in production..

KP, Erich: is this how one should use a real HD for logging instead of tmpfs?

P




RE: [leaf-user] Bering-uClibc_2.2-beta5 HDD Version Question

2004-08-16 Thread Peter Mueller
  Question: How can I remove /var/log at tmpfs?
 
 I don't see an entry for /var/log/ in /etc/fstab.  Perhaps this is
 configured by leaf.cfg/syslinux.cfg; try entering log_size=0M.  I would
 test it but all my routers are now in production..

Hmm.. Actually a simpler solution would be using /var2 instead of /var for
your hard drive.  Why not leave /var alone since it is tmpfs?  If you don't
like the logistics you can symlink everything in /var2 to /var/log.

P




RE: [leaf-user] syst_size not working in leaf.cfg

2004-08-12 Thread Peter Mueller
 I'm using the Bering-uClibc_2.2-rc1
 http://prdownloads.sourceforge.net/leaf/Bering-uClibc_2.2-rc1_img_bering-uclibc-1680.exe?download
 floppy image. When I attempt to change the root file system size
 ( syst_size=12M ) in leaf.cfg I get an error ( for mount option 'size' )
 and the root file system gets sized at 4M, which causes problems. I need
 more than the 6M default root file system size.

I'm sure there's a better way, but I ran into something of the same problem.
I put the parameters into syslinux.cfg and that worked for me.  E.g.:

serial 0 19200
display syslinux.dpy
timeout 0
default bzimage initrd=initrd.lrp init=/linuxrc rw root=/dev/ram0
syst_size=20M log_size=20M tmpfs_size=256M LEAFCFG=/dev/hda1:msdos




RE: [leaf-user] Connecting to Exchange Server using VPN through Bering 2.0

2004-07-28 Thread Peter Mueller
   Our network at work has MS Remote Access Server (RAS) 
 running and I connect
 to the network using MS VPN connection from my WinXP box at 
 Home.  I am
 going through a Bering uClibC 2.0 LRP box and this works no problem.
 However, I can only make a single connection to the VPN.  A connection
 attempt from a second machine also behind the FW fails.  Is 
 this because of
 masquerading?  Is there anyway to establish a connection from a second
 machine behind the same firewall?

No, this is a problem with the PPTP protocol.  I have solved it with
poptop previously by using multiple external IPs.

P




RE: [leaf-user] Harddisk: Device... deceased :P

2004-07-21 Thread Peter Mueller
 Hmmm... Maybe I should just go with CF/DOM or something else, 
 solid state,
 and set up a server to move the logs to $whenever, accepting 
 the fact that
 chips get worn out after so-and-so-many rewrites...

Yes, this is what I would (have) done.  CF is badass, it boots so fast.

 I find it sort of ironic, having spent much time in order to 
 put the logs on
 disk (so they would survive powercuts etc), that those same 
 logs are now
 lost because the disk died... :P

Well why don't you set up a remote syslog server instead?

/etc/syslog.conf:
*.* @10.0.0.1

Then /etc/init.d/sysklogd restart.

On the remote server, you will need to allow firewall rules (if
necessary) and configure syslogd to accept remote logs.  This is done on
redhat via /etc/sysconfig/syslog:
SYSLOGD_OPTIONS="-m 0 -r"
On other distributions you can probably modify the Sys-V script
directly.

P
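
The remote-logging setup from the message above, as an added check script (not part of the original post or of the LEAF project): it parses a sysklogd-style syslog.conf for `@host` forwarding rules and checks the collector's SYSLOGD_OPTIONS for `-r`. The function names and the sample files are constructed for this example.

```shell
#!/bin/sh
# Audit helpers for a sysklogd remote-logging setup (router -> collector).
# All file contents written below are constructed samples.

# Print "selector<TAB>host" for every rule whose action forwards to @host.
forward_rules() {
    # $1: path to a syslog.conf-style file
    awk '
        /^[[:space:]]*#/ || NF < 2 { next }   # skip comments and blank lines
        $2 ~ /^@/ { print $1 "\t" substr($2, 2) }
    ' "$1"
}

# Succeed only if the catch-all selector "*.*" is forwarded to the collector.
forwards_everything_to() {
    # $1: config file, $2: expected collector address
    forward_rules "$1" | awk -F '\t' -v want="$2" '
        $1 == "*.*" && $2 == want { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# Succeed only if SYSLOGD_OPTIONS on the collector enables reception (-r).
collector_accepts_remote() {
    # $1: path to a Red Hat style /etc/sysconfig/syslog
    opts=$(sed -n 's/^[[:space:]]*SYSLOGD_OPTIONS=//p' "$1" | tail -n 1 | tr -d "\"'")
    for o in $opts; do
        case "$o" in
            -r) return 0 ;;
        esac
    done
    return 1
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Router side: the forwarding line from the post.
printf '# constructed sample\n*.* @10.0.0.1\n' > "$tmp/router.conf"
# Counter-example: only kernel messages leave the box, the rest stay local.
printf 'kern.*\t@10.0.0.1\n*.*\t/var/log/messages\n' > "$tmp/partial.conf"
# Collector side: with and without -r.
printf 'SYSLOGD_OPTIONS="-m 0 -r"\n' > "$tmp/collector.ok"
printf 'SYSLOGD_OPTIONS="-m 0"\n' > "$tmp/collector.bad"

for f in router.conf partial.conf; do
    if forwards_everything_to "$tmp/$f" 10.0.0.1; then
        echo "$f: every selector is forwarded to 10.0.0.1"
    else
        echo "$f: some logs stay local only and are lost with the router"
    fi
done

for f in collector.ok collector.bad; do
    if collector_accepts_remote "$tmp/$f"; then
        echo "$f: syslogd will accept remote messages"
    else
        echo "$f: syslogd ignores remote messages (no -r)"
    fi
done
```
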




RE: [leaf-user] Bering-uClibc_2.2-beta5 HDD Version Question

2004-07-20 Thread Peter Mueller
 1. How to enable NumLock at startup

Check your BIOS.  AFAICT the LEAF distros won't have any tools like
setleds to do this.  Maybe you can ask nicely and KP or Eric will make
you a package.  It seems to be < 10k.  Heck maybe busybox can do it..

 2. It is possible to put and keep all the log (/var/log) to HDD?

/etc/syslog.conf.  You will probably also want to add an entry to
/etc/fstab.  However, maybe what you really want is to turn on remote
syslogging to another server?

Regards,

P




RE: [leaf-user] Bering and shorewall 2.0.x

2004-06-03 Thread Peter Mueller
 To upgrade to shorewall 2.0.x from version 1.4.2 on Bering, 
 is it possible to 
 install the new LRP on top of the existing one? Will it keep 
 my current configurations?

Not sure about shorewall, but local.lrp backs up anything in
/usr/local.  You can put copies of your configurations there, upgrade,
then restore when in doubt.

P




RE: [leaf-user] Using both OpenVPN and IPSec

2004-06-02 Thread Peter Mueller
 Can we use both OpenVPN and IPSec on one LEAF (Bering uClibc) 
 firewall?

Yes, assuming you have the space and horsepower.  IPSec works on
protocols 50 and 51, OpenVPN uses SSL.




RE: [leaf-user] About BeringUclib 2.1.2

2004-05-26 Thread Peter Mueller
 OK
 the readme show
 LEAF Bering-uClibc Firewall - V2.1.1
 
 so I got the wrong version.
 
 Where can I download the correct version?

http://sourceforge.net/project/showfiles.php?group_id=13751&package_id=67534




[leaf-user] Leaf bering-uclibc 2.2beta2 CF-IDE update

2004-05-26 Thread Peter Mueller
 For modules pls look here:

http://sourceforge.net/project/showfiles.php?group_id=13751&package_id=67534&release_id=220334

Are there modules for the latest beta?  I need what I believe is ATP865 -
a SIIG PCI IDE card.  The Maxtor cards I wanted to use with the Promise
chipset turned out to suck.

My CF-IDE corruption did turn out to be the 64mb sandisk compact flash
cards - both of them.  I recommend that all CF-IDE users avoid this
size.  I am using the 256mb ultra II sandisk instead.  So far no
corruption.. (crossing fingers).

P




[leaf-user] CF-IDE help

2004-05-13 Thread Peter Mueller
Hello,

Does anyone know why both my new 64mb CF-IDE solutions don't seem
to want to work properly?  I can format the devices properly, syslinux
properly, but when I try to copy data over there is corruption and very
strange things happen.  For example, it looks like I copy all my LRPs
over properly but they don't actually copy.  I've tried this process
from both Linux and windows, with two completely different sets of
hardware.  I didn't run into this problem with my 256mb CF-IDE cards a
year ago.

Thanks much,

Peter Mueller
Operations Engineer
(408)235-1700 x125
[EMAIL PROTECTED]



RE: [leaf-user] CF-IDE help

2004-05-13 Thread Peter Mueller
 The only time I came across something like that was when I pulled 
 the CF out of the USB adapter before I had selected 'Eject' 
 in windows. Any possibility of something like that? 
 Regards,
 Dave.

Unfortunately no.  I have my CF-IDE adapters configured on secondary or
primary IDE on both systems.

Thanks,

P




RE: [leaf-user] Re: LEAF article

2004-05-03 Thread Peter Mueller
 Applied to all Linux servers, 20 Mbps is not even a 
 plausible rule of 
 thumb. I routinely see 60 Mbps on big (multi-gigabyte) LAN-to-LAN 
 transfers (ftp, scp, and samba) between pairs of Linux 
 servers (equipment 
 varies, but typically either a 1 GHz P3 or a 1.7 GHz Celeron, usually 
 cheap, flavor-of-the-week tulip NICs).

The 'rule of thumb' algorithm I was using is 5 megahertz = 1 megabit/sec.
Of course, once you top ~60-80mbps you start talking about interrupts and
64-bit slots and such.  Let's not really get into firewall rules.  Or what
happens to iptables when there are too many rules :)

  a T-1 has a top speed of 1.544 Mbps, making it hard 
 for me to 
 understand how a connection over it could test the throughput 
 limit of a 10 Mbps NIC, let alone a 100 Mbps NIC.

I was testing if a 100mhz machine could handle a T1 with 3DES encryption.
It could, even with compress=yes set :).  Unencrypted it got around 20mbps
over the LAN.  Sorry for not being more specific.

Cheers,

P




RE: [leaf-user] Re: LEAF article

2004-05-03 Thread Peter Mueller
Hello Michelle,

 On 2004-05-03 14:51:10, Peter Mueller wrote:
 
 With good NICs (eepro100 etc.) and not too many iptables 
 rules you will max
 around 20mbit/sec.  A good rule of thumb is 5 cycles per 
 megabit.  This
 limit actually applies to all Linux servers, not just leaf.
 
 P
 
 Are you sure ?
 
 I run a HP Vectra XA 5/200mmx with 32 MB and have 4 x 3Com 
 3C905B and 2 x 3c509B. 
 
 I have one USB-Modem connected to the USB-Port and two other 
 Ethernet-Modem-Router to the two 3c509B. 
 
 The 10MBit Nics are for my publicnet, privatenet, securenet and 
 wavenet (Proxim Tsunami MP.11a).
 
 I can transfer without any problem around 5 MByte/Second between 
 the publicnet (ftp/web-server) and the privatenet (workstation)
 
 My old Router (LRP 2.9.4) had done around 30 MBits on a 486dx4/100
 with 5 nics 3c509B
 
 So I think, you can have really more on a P1/100

It's a rule of thumb, not a book of law :-).  I did some testing for a T1
IPSEC gateway and had my results confirmed by the FreeSWAN performance guide
(http://www.freeswan.org/freeswan_trees/freeswan-2.06/doc/performance.html).
It is only my result from one machine, but it was confirmed by a fairly
popular project so I still feel confident that it is reasonable.

The bottom line is it depends on your PCI bus, network drivers, and
especially your network cards.  Also, firewall rules can play a part here.
I must admit I'm surprised to hear a 486 - admittedly one of the faster ones
- was able to get above 20mbit/s with ISA (3c509b) cards! Maybe there is
some truth to 3com cards using less CPU.  I have always preferred eepro100's
but maybe that was premature..

Cheers,

P




RE: [leaf-user] LEAF article

2004-05-03 Thread Peter Mueller
 1. What sort of throughput, for instance, could LEAF-Bering 
 theoretically
 provide on a Pentium 100 system with edo ram and with 10/100 
 nics, cables,
 and switch, assuming that all other systems connected have 
 unlimited speed?

With good NICs (eepro100 etc.) and not too many iptables rules you will max
around 20mbit/sec.  A good rule of thumb is 5 cycles per megabit.  This
limit actually applies to all Linux servers, not just leaf.

P




RE: [leaf-user] pptpd VPN Settings

2004-04-30 Thread Peter Mueller
 on a Win2000 machine.  If I telnet to my router on port 1723 from work
 it connects briefly which seems indicate neither my work network or my
 home ISP is blocking port 1723??  Does that sound right?  I have been
 told that my ISP doesn't block protocol 47 (GRE) but I'm not 
 absolutely

Put this in your syslog, touch /var/log/debug, then restart syslog.

# PPTP debug logging
#*.debug;mail.none   /var/log/debug

Put debug in your /etc/pptpd.conf.  Put debug in /etc/ppp/options.pptpd.
Restart pptpd.  Now try to connect and mail the logs back here.   You might
want to try [EMAIL PROTECTED] as well.

Cheers,

P




RE: [leaf-user] TCP DOS Vulnerability - Relevent to LEAF?

2004-04-22 Thread Peter Mueller
 Any way you could expand on this, Peter? (Or anyone else?)

Here is the thread on Quagga:
http://lists.quagga.net/pipermail/quagga-users/2004-April/001748.html

P




RE: [leaf-user] BGP

2004-04-22 Thread Peter Mueller
 I am also using bering-uclibc+quagga packages for ospfd and bgp. 
 works great

Where is the Quagga package?  BTW if you want VRRP there is a keepalived
package available.  I am using one I made a long time ago, but I thought
someone else made a newer one with ipvs support, too..

 do bering/bering-uclibc support napi straight out of the box. 
 it's a looong time since i last looked at napi.

If you use the right kernel driver it is 'out of the box' with any kernel >=
2.4.20.  For example, Intel gigabit cards with e1000 driver.  I have heard
that tg3 (bcm5700) is also not bad, so long as your kernel is very recent
(>= 2.4.25?).

Caveats:
-Don't use SMP. (I think hyperthreading probably falls into this category).
-Use 64-bit cards.
-Use PCI-X.
-Get a nice big fast processor ( > 2ghz ).

References:
http://datatag.web.cern.ch/datatag/howto/tcp.html
ftp://robur.slu.se/pub/Linux/net-development/NAPI/README
ftp://robur.slu.se/pub/Linux/net-development/NAPI/NAPI_HOWTO.txt

Cheers,

P




RE: [leaf-user] TCP DOS Vulnerability - Relevent to LEAF?

2004-04-21 Thread Peter Mueller
 In the news, there's mention of a TCP vulnerability that may impact 
 LEAF. Apologies if this is not relevant to us.

This vulnerability is 3 years old.  Linux was patched even then, so LEAF is
ok :).

 details:
 http://www.us-cert.gov/cas/techalerts/TA04-111A.html

I checked with Zebra/Quagga folks about BGP; they said it is O/S dependent.
So LEAF and even Bering's bgpd.lrp are ok :)

Cheers,

P




RE: [leaf-user] BGP

2004-04-21 Thread Peter Mueller
 Is LEAF capable of BGP route propagation?
 
 I hear that there are packages that support BGP called:
 Zebra
 http://www.zebra.org/
 Quagga
 http://www.quagga.net/
 and
 BIRD
 http://bird.network.cz/
 
 Is one of these supported by LEAF?
 Are any of them recommended by anyone?

I am using the Bering bgpd.lrp package here.  It's been working fine for 1+
years.  Quagga is the less bug-ridden software but for BGP it doesn't really
matter.  I don't know what BIRD is.

 If I was comparing a LEAF, or other Linux based solution to either a 
 $2500, or a $10,000 cisco router based solution, would the LEAF/Linux 
 solution be comparable (in uptime+performance) to a cisco?

Yes.  I use CF-IDE flash & dual power.  Price/performance is much better.  A
p4 server with intel gigabit NICs and NAPI enabled will kick serious ass.

P




RE: [leaf-user] Is my NIC the bottleneck?

2004-04-15 Thread Peter Mueller
Hello Peter,

Nice name ;-)

 Subject: [leaf-user] Is my NIC the bottleneck?
 
 pn] I'm still running E2B on a P166.  I have 768K
 SDSL, and my leaf box is connected to the DSL modem

I know it's already resolved, but I recommend using DSLReports's speed test
for this kind of thing.  Test a desktop from behind the LEAF server network,
then connect it directly to the DSL line and test again.  Using this method
you can see if there is a bottleneck in the router.  I usually run the test
3 times to get a nice average.

URL : http://www.dslreports.com/stest

P




RE: [leaf-user] Bering 1.2 Throughput Test Results

2004-04-15 Thread Peter Mueller
 I did the test with the converted Bering-Contivity yesterday. 
 I ran the 
 VPN as AES then changed to 3DES and ran it again. AES was 6% 
 slower. Any ideas why this would be the case?

AES should be faster.  I remember seeing a few posts about this.  For
example, http://lists.freeswan.org/pipermail/users/2002-February/007771.html
indicates 89mbps with AES as opposed to 44mbps with 3DES.  Alternatively,
the creator of the patch for FreeSWAN indicated 'expect 3 to 2 performance'.

Are you sure you're not using double the keysize with your setup?  There has
to be some explanation.  AES _IS_ faster, at least on the 15 or so tunnels I
have created.

P




RE: [leaf-user] Bering still active?

2004-04-07 Thread Peter Mueller
 Having installed, configured and put in place a Bering 
 firewall, I read
 more and more about the Bering derivative called Bering uClibc.
 
 The latest release was in January 2004 (unless I'm missing 
 something :-).
 
 Maybe I should have used this version instead?

If you are using Flash through CF-IDE then you should definitely use uclibc.
The reason is space is not an issue, so you can use the libc* plugins and
use ALL packages.  It is also much easier to create your own packages; you
can take your pick of compiler (uClibc, libc207, libc225) instead of being
forced to use libc207 and have a LEAF development box lying around and all
that jazz.

If you're not using flash, then make sure you can get the packages
(http://leaf.sourceforge.net/mod.php?mod=userpage&menu=10&page_id=3) you
want.  I would make your decision based on the packages.  Having said that..
uClibc is definitely more active but Bering has a larger install base.

Cheers,

P




RE: [leaf-user] Looking for a VPN Solution

2004-03-24 Thread Peter Mueller
 It has PPTP server built in and boots from a CD-ROM while the
 configuration is saved to a floppy.  There are some known 
 problems with some XP clients.

Are they using ppp-2.4.2x and poptop-1.1.4x?  The XP problems can be solved
via iptables clamps (clamp-mss-to-pmtu I believe), or using an ip-up hack.

P




RE: [leaf-user] Which Distro for This Firewall/Router?

2004-03-22 Thread Peter Mueller
 I was going to model the entire project on VMware, but I found that
 VMware limits number of NICs to 3, too few for most of my routers. I

I don't think user-mode-linux has that built-in restriction.

http://user-mode-linux.sourceforge.net/




RE: [leaf-user] which VPN to use ?

2004-02-04 Thread Peter Mueller
 I have been using Bering (regular) very successfully for awhile here, 
 and I will need to be setting up a VPN to connect our office in Texas 
 with a newly opening office in Florida.  I will have full 
 control over both
 endpoints, and having interoperability between my VPN endpoints,
 and other companies is not an issue, nor do I foresee it being an 
 issue anytime soon.
 
 Question: What would be the best VPN package to use ?
 CIPE, IPSEC, something else ???  

IPSec.  Bridging separate networks together is IMO IPSec's strong point.
IPSec is also the most secure and uhm.. theoretically the most compatible.

 Also - We are considering using IP Telephony to tie together the
 phone systems.  The phone vendor recommends getting a 
 managed VPN from some provider to ensure quality phone conversations,
 I guess by maintaining and managing the bandwidth between the
 endpoints ... but I am not sure.  If we opt for this option, 

I think QOS and overcapable POPs on the same ISP would likely do the trick.
Get some latency and bandwidth specifications from the phone vendor.

Important question - it'd be spiffy to actually do this, but is your job on
the line if things go wrong?

Cheers,

P




RE: [leaf-user] LEAF HA using keepalived

2003-10-29 Thread Peter Mueller
 Funny you should ask.  I have keepalived 1.1.3 built out using the
 libc225 and it seems to be working.  All I did was compile the binary
 and move it into your kpalived.lrp package.  I did compile it 
 with ipvs
 enabled, and am getting ready to get back into testing it.  There was

Sweet!  Load-balancing & VRRP on CF-IDE disks, remote logging through
syslogd.  8-D. 

 I was not able to get it to compile against uclibc due to my lack of
 technical knowledge, but the only reason to do so would be to remove a
 couple lrps from boot, however using a 32mb CF disk made that a moot
 point.

Yes, I ran into the same problem.  The Keepalived developer, Alexandre, told
me this around the end of January:

The problem is the OpenSSL, libpopt, that use dynamic libs... We 
must find a way to compile statically OpenSSL libssl & libmd5 into 
Keepalived binary.

So -- Keepalived uses libssl, libmd5, and libpopt.  Any uClibc guys want to
have some fun?

 There are a couple other things I have done with keepalived.  One of
 them was go in and change the /etc/init.d/keepalived script to look at

If I remember correctly there is another bug with the init script that
doesn't allow a restart to work properly.  Unfortunately it's been too long
since I've had to actually do any maintenance, so I can't say for sure if
this is still the case.  Does /etc/init.d/keepalived work ok for you?

 I am working on a doc on my personal time from notes to help out in
 actually compiling the kernel with to enable ipvs.  It is yet another
 project on my plate a little lower than some other things.

Ah, doh.  Well I'd be interested in helping out, if you're still looking for
help,  (If you can pry me away from my latest game craze Diablo II ;-).
People have made comments about LVS in a LEAF system, so there is definite
interest.

BTW does anyone know of a daemontools-like package for LEAF?

Cheers,

Peter




RE: [leaf-user] Gigibit Nic driver

2003-10-01 Thread Peter Mueller
 Thanks.
 Does Bering-uClibc support this NIC? The closest module I 
 could find was
 this: (See link)
  

 http://leaf.sourceforge.net/devel/jnilo/bering/latest/modules/2.4.20/kernel/drivers/net/e1000/e1000.o

Yes, that is the one; this driver is from Intel and is supposed to be NAPI
by default.  I haven't tested NAPI in the kernel driver yet, you should
check that it is included.  You'll definitely want NAPI on a quad-gigabit
card.  (The driver should look like the e1000 driver from
ftp://robur.slu.se/pub/Linux/net-development/NAPI/ ).

BTW don't use 2.4.22; if you have to go > 2.4.20 then use 2.4.23-pre kernel.

P





RE: [leaf-user] route external networks

2003-09-03 Thread Peter Mueller
 ip route add 192.168.0.0/16 dev eth0 scope link
 ip route add 172.16.0.0/16 dev eth1 scope link
 ip route add default via 192.168.202.2 dev eth0
 
 where should i put these commands so they can be executed 
 automatically?

/etc/init.d/networking in the start section might be easiest and most
appropriate, or you can make your own .lrp consisting of an rc.local-like
script run in your favorite modes (3 etc).

Cheers

Peter




RE: [leaf-user] pptp server

2003-07-24 Thread Peter Mueller
 I've seen that exists a pptpd.lrp package (in the Jaques 
 Nilo's page) for Bering (not uClibc). 
 I want to know if exists the same package for Bering uClibc 
 (compiled against uClibc 0.9.20).

Yes

 I've tried to compile myself poptop-1.1.4 with uClibc 0.9.20 
 but I couldn't. (problems with gettext)

It might be more economical to use libc225.lrp & Bering packages.  If you
have the time please do try to get uClibc versions running :D




RE: [leaf-user] ipsec.lrp - does it do plain old DES?

2003-07-07 Thread Peter Mueller
You have the right attitude, single-DES is crap.  However, ipsec.lrp does
support single-DES.  Superfreeswan includes additional encryption algorithm
patches which Jacques includes.

RTM ;-) - http://leaf-project.org/devel/jnilo/bipack2.html

12.8. ipsec.lrp
This is the super-freeswan ipsec package. Refer to the Bering user's guide
for explanations.
Superfreeswan 1.99.6.2 is patched with the following patches: NAT-Traversal,
X509, ipsec_algs and port & protocols selector.
Current Bering version: 1.99.6.2

http://www.freeswan.ca/patches/

Hope that helps,

 Yes, I thought this would be the case.  I'll have to look 
 into this, but either way, a DES VPN is not secure, and I 
 think I'll just tell the guys at the remote end that they 
 have to supply a Linux box with DES support as I don't want 
 to be held responsible for implementing such an insecure VPN 
 solution.  :)
 
 Regards,
 HiltonT
 
 On Sun, 2003-07-06 at 15:19, M Lu wrote:
  Hi Hilton,
  
  Bering ipsec.lrp is actually Superfreeswan 1.99.6.2, and I believe 
  that
  FreeSWAN does not support single DES.
  
  M Lu.
  
  
  From: Hilton Travis [EMAIL PROTECTED]
  Reply-To: [EMAIL PROTECTED]
  To: [EMAIL PROTECTED]
  Subject: [leaf-user] ipsec.lrp - does it do plain old DES?
  Date: 06 Jul 2003 12:54:07 +1000
  
  Hi All,
  
  Does the Bering ipsec.lrp module handle the insecure DES 
 protocol?  
  I have a need for a DES-based Linux router for a short 
 while, and if 
  this works, then I'll use it.  Unfortunately, the remote 
 end cannot 
  accept any secure IPSEC encryption protocols.  :(
 
 -- 
 Regards,
 
 HiltonT
 
 
 


RE: [leaf-user] ipsec.lrp - does it do plain old DES?

2003-07-07 Thread Peter Mueller
 On Tue, 2003-07-08 at 06:38, Peter Mueller wrote:
  You have the right attitude, single-DES is crap.
 
 You bet it is.  I cracked a 1DES key with a banana smoothie 
 in a whisker over 30 minutes last week.  :)

I used 5000 monkeys to crack it in 5 minutes, guess I got lucky..

  However, ipsec.lrp does support single-DES.
 
 Are you sure about this?  There's no mention of it anywhere, 
 and the FreeS/WAN docs say that by default 1DES support is 
 included for 3DES encryption, but unable to be used as a 
 protocol in its own right - for obvious reasons.

Oops -
http://leaf.sourceforge.net/devel/jnilo/manpages/README.ipsec_alg.txt

This link clearly states nothing at all about 1DES.  I guess you are right.

Sorry,

Peter




RE: [leaf-user] RealTek nic problem

2003-06-13 Thread Peter Mueller
 In /etc/modules it appears to depend only on mii.o that I loaded.

Download the Bering .config and try compiling the 8139 driver into the
kernel.  You could also try downloading Donald Becker's drivers from Scyld
and patching that into your kernel.  (Like Lynn says, don't forget
pci-scan!)




RE: [leaf-user] tcpdump for Bear-Uclibc-1.1

2003-03-18 Thread Peter Mueller
Hi,

 tcpdump running
  with multicasts only coming in the active-filter idle 
 time out works!
  with multicast and pings and ping replies coming in active-filter
never idle timeout occurs.
 ping   = icmp: echo request
 ping reply = icmp: echo reply
 
 I have tried expressions on tcpdump to show only the ping and ping
 reply, and have had multicast only work.
 
 tcpdump -i ppp0 'icmp[0] = 8 or icmp[0] = 0 '
 does show icmp: echo request and icmp: echo reply packets.
 
 tcpdump -i ppp0 'ether[0] & 1 != 0'
  This shows the multicast packets.
 tcpdump -i ppp0 'ether[0] & 1 != 0 or icmp[0] =8 or icmp[0] = 0 '
 only shows the ping request and ping reply packets
 so what happened to the multicast packets?
 
 I need what ever expression used in tcpdump to see the 
 multicast packets
 and ping request and reply to place on an active-filter statement!

http://www.tcpdump.org/#lists is probably the place you want to go.

P




[leaf-user] debian question, /etc/network/interfaces

2003-03-10 Thread Peter Mueller
Hi all,

How do you force the duplex setting & speed on LRP?  It seems
/etc/network/interfaces is the key file, but the Debian man page
(http://www.fifi.org/cgi-bin/man2html/usr/share/man/man5/interfaces.5.gz#lbAD)
and LEAF user guide don't provide the answer.

Thanks for your help

P




RE: [leaf-user] Squid

2003-02-26 Thread Peter Mueller
 Someone told me that using RAM as the cache of a proxy reduces 
 the life of
 the RAM to two years. Is it true?

I don't see how this can be true.

 When I run squid on a Bering box, it opens 18 squid and 5 dnsserver
 processes. Is it normal?
 23686 root   6352 S(squid)
  9198 root   6352 S(squid)
.
 29810 nobody 1632 S(dnsserver)
 22106 nobody 1476 S(dnsserver)

I think these are configurable in your .conf files.

Guys : I haven't used Squid on LRP before, but I know on my home box I set
it to run as user : squid.  Squid should definitely not be run as root...

P




RE: [leaf-user] Bering Kernel Source?

2003-02-20 Thread Peter Mueller
Hi Nick,

 I've downloaded the source for kernel 2.4.20 from kernel.org.

great

 I'm assuming that using the config file that you pointed me to,
 adjusted so that the Math-Emulation flag is on, I should be able
 to build the kernel that I need?

mod it however you'd like, but be a little careful with the modules like
iptables (leave them the way they are unless you want to create a custom
modules.lrp).

 The patches that were in the 1.1 directory:
 
 bridge-nf-0.0.7-against-2.4.19.diff.gz
 grsecurity-1.9.9c-2.4.20.patch.gz
 helpers-2.4.20.patch.gz
 linux-2.4.19-openssl-0.9.6b-mppe.patch.gz

I didn't apply these to mine, but you might want them.  I know the
openssl-mppe patch is for PPTP functionality and the bridge-nf is some kind
of unusual bridging patch.  By looking at the source or using google you can
probably find out what the other two are fairly quickly.

 I assume that I apply all of these to the 2.4.20 source that I've
 obtained? Is that correct? I guess I'm a little confused as some
 of these patches appear to be for 2.4.19...

Usually when you see older versions in a CURRENT directory it means the
patches will apply cleanly to the current.  So in this case I would assume
the 2.4.19's will apply against 2.4.20.

 Once I've done all that, I'm also assuming that I can use the
 precompiled modules for 2.4.20 without having to worry about
 recompiling them too.

yes, AFAIK.  if you have problems you can always make modules and replace
the problem modules with ones from your specific build.

 Could someone let me know if I'm way off track here?

AFAIK you're ok.. you're pretty much doing what I did and it worked for me.
Hopefully we're not both off track. ;)

P





RE: [leaf-user] Disabling all logging

2003-02-19 Thread Peter Mueller
 I want disable all logging on my LRP box I have searched the 
 archives and
 found no reference for this.
 
 I am using the Bering 1.0 stable image.

Bering uses syslog.  I think you can just edit /etc/syslog.conf, save the
/etc/ .lrp image, then /etc/init.d/syslogd restart...

P





RE: [leaf-user] Bering Kernel Source?

2003-02-18 Thread Peter Mueller
Hi Nick,
 
 I'd like to try Bering, but only have a 486SX to try it out on,
 so I believe that I'll need to recompile the kernel.

I think this is correct, Bering is compiled for 486DX by default..

 The only sources that I can find are for 2.4.18, which was for
 Bering 1.0-RC1. Will this work with 1.1, or will I need to get
 the source for 2.4.20?

http://leaf.sourceforge.net/devel/jnilo/bering/latest/

specifically,
http://leaf.sourceforge.net/devel/jnilo/bering/latest/development/kernel/Bering-2.4.20.config
and the packages from the image file are what you'll need.

 Not having tried it, can a 2.4 kernel be recompiled to work on
 a 486SX, or am I going to slam into a brick-wall straight away
 on that front?

I think you should be O.K. as long as you recompile your kernel.

Hope that helps,

Peter





RE: [leaf-user] Bering+uClibc and keepalived

2003-02-07 Thread Peter Mueller
Hi Charles,

 I am currently trying to get keepalived to run correctly but 
 running into a 
 small problem.  I keep getting the error:
 Starting Keepalived v1.0.0 (06/01/2003)
 Configuration is using : 22095
 Registering Kernel Netlink Reflector.
 VRRP_Instance(VI_1) provide at least one ip for the virtual server
 stopping keepalived v1.0.0 (06/01/2003)

Did you configure /etc/keepalived/keepalived.conf through the package
configuration subsystem or directly?  What kind of kernel & add-on packages
are you running?  I modified my Bering kernel config with 686, SMP, IDE,
eepro, and tulip compiled into the kernel.  I didn't change anything else
and it worked.

If this doesn't help you might want to try temporarily removing shorwall.lrp
just to make certain it isn't it.  If it starts working after you remove it
I'm sure Tom or a shorewall expert can help you get it going.

FYI, I think I have almost the same config as the LRP package.  My logs are
attached below.  Notice the ip addr only show up with iproute2 commands..

Feb  7 15:21:08 firewall Keepalived: Terminating on signal
Feb  7 15:21:08 firewall Keepalived: Stopping Keepalived v1.0.0 (06/01, 2003)
Feb  7 15:21:08 firewall Keepalived: VRRP_Instance(VI_1) removing protocol VIPs.
Feb  7 15:21:08 firewall Keepalived: VRRP_Instance(VI_2) removing protocol VIPs.
Feb  7 15:21:08 firewall Keepalived: Starting Keepalived v1.0.0 (06/01, 2003)
Feb  7 15:21:08 firewall Keepalived: Configuration is using : 174779 Bytes
Feb  7 15:21:08 firewall Keepalived: Registering Kernel netlink reflector
Feb  7 15:21:08 firewall Keepalived: VRRP_Instance(VI_2) Entering BACKUP STATE
Feb  7 15:21:08 firewall Keepalived: VRRP sockpool: [ifindex(3), proto(112), fd(5)]
Feb  7 15:21:09 firewall Keepalived: VRRP_Instance(VI_1) Transition to MASTER STATE
Feb  7 15:21:10 firewall Keepalived: VRRP_Instance(VI_1) Entering MASTER STATE
Feb  7 15:21:10 firewall Keepalived: VRRP_Instance(VI_1) setting protocol VIPs.
Feb  7 15:21:10 firewall Keepalived: VRRP_Instance(VI_1) Sending gratuitous ARP on eth1
Feb  7 15:21:12 firewall Keepalived: VRRP_Instance(VI_2) Transition to MASTER STATE
Feb  7 15:21:13 firewall Keepalived: VRRP_Instance(VI_2) Entering MASTER STATE
Feb  7 15:21:13 firewall Keepalived: VRRP_Instance(VI_2) setting protocol VIPs.
Feb  7 15:21:13 firewall Keepalived: VRRP_Instance(VI_2) Sending gratuitous ARP on eth1

# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:c0:95:c5:d0:38 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.254/24 brd 10.0.0.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:c0:95:c5:d0:39 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.254/24 brd 192.168.1.255 scope global eth1
    inet 192.168.1.6/32 scope global eth1
    inet 192.168.1.7/32 scope global eth1
4: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 100
    link/ether 00:c0:95:c5:d0:3a brd ff:ff:ff:ff:ff:ff
5: eth3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 100
    link/ether 00:c0:95:c5:d0:3b brd ff:ff:ff:ff:ff:ff
6: eth4: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 100
    link/ether 00:d0:b7:a7:95:09 brd ff:ff:ff:ff:ff:ff
7: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff

Hope that helps.

P
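
The startup error quoted in this thread ("provide at least one ip for the virtual server") can be caught offline before keepalived is restarted. The following is an added example, not code from the original posts or from keepalived: it lists every vrrp_instance block that has no virtual_ipaddress entry. The sample configuration, router IDs and priorities are constructed; only the instance names, eth1 and the two addresses come from the log and `ip addr` output above.

```python
import re

# Constructed sample, not the poster's file: VI_1 has an empty
# virtual_ipaddress block, VI_2 carries one address.
SAMPLE_CONF = """\
! constructed keepalived.conf for illustration
vrrp_instance VI_1 {
    state MASTER
    interface eth1
    virtual_router_id 51
    priority 100
    virtual_ipaddress {
        # 192.168.1.6   <- commented out, so the block is empty
    }
}
vrrp_instance VI_2 {
    state BACKUP
    interface eth1
    virtual_router_id 52
    priority 50
    virtual_ipaddress {
        192.168.1.7
    }
}
"""


def strip_comment(line):
    """Drop everything after a '#' or '!' comment marker."""
    return re.split(r"[#!]", line, maxsplit=1)[0].strip()


def parse_vrrp_instances(text):
    """Return {instance: {"interface": str or None, "vips": [str, ...]}}."""
    instances = {}
    stack = []        # keywords of the blocks currently open
    current = None    # name of the vrrp_instance being read, if any
    for raw in text.splitlines():
        line = strip_comment(raw)
        if not line:
            continue
        if line.endswith("{"):
            words = line[:-1].split()
            keyword = words[0] if words else ""
            if not stack and keyword == "vrrp_instance" and len(words) > 1:
                current = words[1]
                instances[current] = {"interface": None, "vips": []}
            stack.append(keyword)
            continue
        if line == "}":
            if stack:
                stack.pop()
            if not stack:
                current = None
            continue
        if current is None:
            continue
        if stack[-1] == "virtual_ipaddress":
            # First word is the address; "dev ethX" etc. may follow.
            instances[current]["vips"].append(line.split()[0])
        elif len(stack) == 1 and line.startswith("interface "):
            instances[current]["interface"] = line.split()[1]
    return instances


def instances_without_vip(text):
    """Names of vrrp_instance blocks that define no virtual address."""
    parsed = parse_vrrp_instances(text)
    return sorted(name for name, inst in parsed.items() if not inst["vips"])


if __name__ == "__main__":
    for name in instances_without_vip(SAMPLE_CONF):
        print("vrrp_instance %s has no virtual_ipaddress entries" % name)
```
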





[leaf-user] modules aren't loading at boot

2003-02-05 Thread Peter Mueller
Hi all,

What could be the reason why two modules might not load at boot?  When I
mount the media manually and lrpkg -i the .lrp's everything seems fine.  If
nobody has any ideas, how do I turn up logging so that I can at least have a
starting point of where I'm going wrong?

Thanks

P

# cat /mnt/syslinux.cfg 
display syslinux.dpy
timeout 0 
default linux initrd=initrd.lrp init=/linuxrc rw root=/dev/ram0 boot=/dev/hda1:msdos PKGPATH=/dev/hda1 LRP=root,etc,local,modules,iptables,iptutil,ncurses,bash,netstatn,nettools,ntpdate,snarf,libc225,libm,libz,libpopt,libcrpto,libssl2,ssh,sshd,kpalived,zebra,bgpd





FW: [leaf-user] modules aren't loading at boot

2003-02-05 Thread Peter Mueller
Brad & Mohan,

 I think you mean packages.  Modules usually refers to
 the blah.o kernel modules that go in /lib/modules .

Yes, of course.  Sorry, it was very late for me.

   http://leaf.sourceforge.net/devel/jnilo/bubooting.html#AEN1155
 
 and read about using a lrpkg.cfg file instead of PKGPATH.
 (Even though lrpkg.cfg is described in the CD-ROM booting docs,
 it's not boot-media specific.)

Sweet! fixed, it works!!  Thanks for the quick comments.  Might I suggest
that this 255-character limit section be put into the IDE-hd and other
media sections?

Thanks again

Peter
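
The 255-character limit mentioned in this thread fails silently: packages at the end of the LRP= list just never load, which matters when the missing one is a firewall or routing package. The following is an added example, not code from the original posts or from LEAF: it models a plain cut at the limit and reports which packages fall off. The truncation model, the `prefix` parameter and the sample line are assumptions made for the illustration.

```python
KERNEL_CMDLINE_LIMIT = 255  # the limit named in the thread

# Constructed sample in the style of the syslinux.cfg shown earlier.
SAMPLE_CFG = """\
display syslinux.dpy
timeout 0
default linux initrd=initrd.lrp init=/linuxrc rw root=/dev/ram0 PKGPATH=/dev/hda1 LRP=root,etc,local,modules,iptables,ssh,sshd,zebra,bgpd
"""


def kernel_args(cfg_text):
    """Return the arguments on the 'default' line, without the kernel name."""
    for line in cfg_text.splitlines():
        words = line.split()
        if len(words) > 2 and words[0].lower() == "default":
            return " ".join(words[2:])
    return ""


def lrp_list(cmdline):
    """Package names from the first LRP=a,b,c word on a command line."""
    for word in cmdline.split():
        if word.startswith("LRP="):
            return [name for name in word[4:].split(",") if name]
    return []


def truncation_report(args, limit=KERNEL_CMDLINE_LIMIT, prefix=""):
    """Model a hard cut at `limit` characters and report the fallout.

    prefix: text the boot loader puts in front of the arguments, if any
    (hypothetical parameter; leave empty when unknown).
    """
    full = prefix + args
    wanted = lrp_list(full)
    seen = lrp_list(full[:limit])
    loaded, mangled = [], None
    for index, name in enumerate(seen):
        if name == wanted[index]:
            loaded.append(name)
        else:
            mangled = name  # a package name cut in half by the limit
    return {
        "length": len(full),
        "loaded": loaded,
        "dropped": wanted[len(loaded):],
        "mangled": mangled,
    }


if __name__ == "__main__":
    report = truncation_report(kernel_args(SAMPLE_CFG))
    print("command line length:", report["length"])
    print("packages that would not load:", report["dropped"] or "none")
```
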





[leaf-user] kpalived.lrp now available, [minor] update to bgpd.lrp and zebra.lrp

2003-02-04 Thread Peter Mueller
I have completed my high-availability package for .lrp systems,
kpalived.lrp, based on Alexandre Cassen's excellent open-source software.
Due to limitations in keepalived's code AFAIK it wouldn't compile on glibc
2.0.x.  This version was compiled on a gcc 2.2.x system.  My LRP system is
Bering uClibc + libc225 and it works fine for me, YMMV.

FYI, It is very possible that keepalive might compile on a gcc 2.1.x or
uClibc system.  I'm unfortunately not a programmer nor did I have a 2.1.x or
2.0.x system lying around.  I didn't think tinkering with makefiles &
destroying existing machines was such a good idea.  If you get it to
compile on one of those platforms (especially 2.0.x) please let me know!

I created a few packages to provide libraries that Keepalived needs.  You
need to download these and add them to your syslinux.cfg file in order for
kpalived.lrp to work.  Here's the list of files: (Sorry for the size.  I did
strip what I could, it's unfortunate that all these lib files are so damned
big and required)
http://download.sidestep.com/lrp/kpalived.lrp 33244
http://download.sidestep.com/lrp/libcrpto.lrp 342800
http://download.sidestep.com/lrp/libpopt.lrp 26598
http://download.sidestep.com/lrp/libssl2.lrp 81400
http://download.sidestep.com/lrp/libz.lrp 26766

I have also modified zebra & bgpd (by Eric Kiser -
www.eric.kiser.com/glacier.htm) to include /etc/init.d files.  The binaries
are still gcc 2.0.x.  Note : I needed to install an additional library in
order to make these function with Bering-uClibc.  I've listed it below.
http://download.sidestep.com/lrp/zebra.lrp 164145
http://download.sidestep.com/lrp/bgpd.lrp 57368
http://download.sidestep.com/lrp/libm.lrp 142068

Could someone please put these on the sourceforge or mirror page somewhere?
This is not my website and I'm able to provide these files only for a little
while, especially if there's too much usage.  FYI this is my first LRP so
please be gentle in your flames ;)

Thanks much,

Peter Mueller

kpalived.help
# cat /var/lib/lrpkg/kpalived.help 

###

Keepalived 1.0.0 *.lrp

This file was compiled and packaged for the LEAF Project. This package is
designed to simulate HSRP on Linux routers through the use of the program
Keepalived.  Please visit Keepalived.org for more information on this
software.

kpalived.lrp

For compile, package, and dependency information:

[EMAIL PROTECTED]

###
#   Keepalived 1.0.0 *.lrp information
#   Last Update:  2003-01-??  Peter Mueller
###

Keepalived 1.0.0

Mailing List Information:   http://www.keepalived.org/mailinglist.html
Documentation:  http://www.keepalived.org/documentation.html

Summary:        Keepalived VRRPv2
Name:           Keepalived
Version:        1.0.0
Source:         keepalived.1.0.0.tar.gz
URL:            http://www.keepalived.org
Copyright:      GPL
Description:

Keepalived is an excellent implementation of VRRP, the same protocol that
Cisco bases HSRP on.  This configuration of Keepalived is setup for use 
with the Zebra routing package for HA-linux routers running bgp v4.  It's
easy to modify for vanilla-HA or other routing packages.

I compiled Keepalived on a RH 7.2 x86-SMP-based system for use with
Bering-uClibc + libc225.  AFAIK Keepalived does not compile on gcc 2.0.x,
but it might compile on uClibc.  Please write me an email if you can get
it to work.

Please modify the keepalived.conf file with your own settings.  I'd rather
not get email from your routers :).

Best of luck,

Peter Mueller
[EMAIL PROTECTED]

###
#   keepalived 1.0.0 Information
#   Last Update:  2003-02-04  Peter Mueller
###

-Original Message-
From: Peter Mueller [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 31, 2003 5:29 PM
To: 'Charles Holbrook'; [EMAIL PROTECTED]
Subject: RE: [leaf-user] shorewall and keepalived


Hi Charles,

 I am just curious if anyone has used the shorewall package as well as 
 keepalived on the same system.  And how did you overcome the 
 issue of both 
 shorewall and keepalived wanting to do VRRP for the ip 
 addresses?  Just got 
 this dropped in my lap and not really sure how to proceed with this.

I am getting close to getting something working with LRP & keepalived.  I
was planning on posting both a keepalived LRP (using, as it turns out,
bering-uclibc + libc225 compat) and an image of my LRP when it's done, but
you're welcome to what I have in the meantime.  Just drop me a mail
off-list.

Peter



RE: [leaf-user] distribution for flash + 2.4.20 + iptables (no shorewall)

2003-01-29 Thread Peter Mueller
Hi Tom & list,

 If you understand enough to create your own secure firewall 
 using iptables, 
 then I'm amazed that you feel the need to post on a mailing 
 list to learn 
 how to omit one small package (Shorewall) from a simple 
 floppy-based Linux 
 distribution (Bering). Nevertheless, I offer my (tongue in 
 cheek) help:

I read somewhere that Shorewall was not capable of being removed from
Bering.  Unfortunately I couldn't locate this post in a quick few minutes.
I checked the Bering documentation and didn't find a reference, therefore
I'm pretty sure this was found through Google (archive of this mailing
list?).  I hope knowing what was on my mind re:shorewall package you
understand where I was coming from a little more.

 a) Remove the shorewall package from syslinux.cfg
 b) Remove shorwall.lrp from your floppy/CF/IDE image.
 c) Develop your own .lrp package that is secure and easy to 
 configure in 
 the face of changing firewalling/gateway requirements.

I am thinking of using an lrp located at
http://leaf.sourceforge.net/devel/jnilo/bering/latest/contrib/; the iptables
save & restore functionality.  Does anyone know if this lrp provides an
init.d startup of old iptables rules?  If it doesn't I would imagine I'll
have to create a separate iptstart.lrp or something similar.

 If you think that the above two steps are trivial, browse the 
 LEAF and 
 Shorewall list archives.

I am in process of creating/submitting a package that provides VRRP
functionality for LRP called Keepalived (http://www.keepalived.org/), so yes
I know lrp's aren't easy.  I'm sure Shorewall is great for most people, but
I'm looking for something to use in BGP linux routers booting off of
CF-IDE/flash media.

 h) Submit your package to 1000s of people on the internet 
 over a period of 
 12 to 18 months to validate its flexibility, usability and security.
 i) Use what you learn in that 12 to 18 month period to 
 improve your package 
 to make it more flexible, easier to use and more secure.

I'll submit what I have when I have completed it.  If people find it useful
and have suggestions I'll try to help in whatever way I can.  It would be
nice to have such fame that 1000's of people would download it but I bet the
only one that downloads it is me and a few other linux flash router people.
;)

 You're right -- it is so simple that I can't understand why anyone 
 struggles with learning shorewall on these systems... :-)

Lol.  Well it is very important for my company to use existing setups &
concepts where possible.  I looked at Shorewall and it doesn't seem to offer
any significant advantage for my company other than being pre-integrated
into LRP.  Why should I learn a new firewall system if we already have
iptables working and under the belt?  More importantly why should I create
documentation for the rest of the people here and then force them to learn
this system?  It seems that in my case Shorewall is a program that
introduces a very good potential for human error and adds complexity to a
project that doesn't need more complexity.  In this project KISS is my
motto.  Again, we're talking about in my case only.  I'm sure 99.% of
the people are different and Shorewall is good for them.

Thank you very much for your response & time!

Peter





[leaf-user] distribution for flash + 2.4.20 + iptables (no shorewall)

2003-01-28 Thread Peter Mueller
Hi gang,

What would be the best distribution to use on a flash + 2.4.x system?  I
like Bering, but I am going to be setting up linux routers with BGP so I
don't want to experiment with learning shorewall on these systems.  Space is
not an issue as I have 256-mb flash cards.

Thanks much for your time,

Peter

PS - is there a way to turn off Shorewall or run my own iptables rules in
Bering?  That would be fine.

