RE: [leaf-user] CONNMARK in uClibc
Tom, KP,

Thanks for the help last week. It turned out that indeed the CONNMARK.o module was not loading. It turned out that I had two copies of the same file, one named connmark.o, the other CONNMARK.o. This was due to the known issue with extracting files in Windows, as I used the CD ISO image to upgrade from a beta to rc1. I just copied over the newer files to my CF card. After your help I took a closer look at the files to find out the error. I then copied over the right file and it loads fine now. I have yet to set up and test my load balancing setup, but shorewall and lsmod both reported that the modules loaded fine.

Thanks for all your help!

Richard

-Original Message-
From: KP Kirchdoerfer [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 27, 2005 1:10 AM
To: leaf-user@lists.sourceforge.net
Subject: Re: [leaf-user] CONNMARK in uClibc

On Thursday, 27 October 2005 00:21, Richard Amerman wrote:
> [...]

Richard; for whatever reason, you do not load the modules. I did a quick test with the ISO image and copied the connmark modules to /lib/modules, added both to /etc/modules, ran /etc/init.d/modutils and both were loaded. shorewall and lsmod had the expected output.

Make sure you do load the modules.

kp

leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/
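The root cause in this thread (a module tree that passed through a case-insensitive Windows filesystem, so ipt_connmark.o and ipt_CONNMARK.o ended up as two copies of the same file, and modules that were never actually loaded) can be checked for mechanically. The following is an added example, not code from the thread or from the LEAF project; the module directory, the /etc/modules-style list and the lsmod-style listing it works on are assumptions, and the demo data is constructed.

```shell
#!/bin/sh
# Added example (not from the thread or the LEAF project): two checks for the
# failure discussed above. The directory layout, the /etc/modules-style list
# and the lsmod-style listing are assumptions; the demo data is constructed.

# Group the files in directory $1 whose names differ only by case and report,
# per pair, whether their contents are identical. Distinct kernel modules such
# as ipt_connmark.o (the match) and ipt_CONNMARK.o (the target) legitimately
# share a name up to case; identical contents mean one of them was replaced by
# the other when the tree passed through a case-insensitive filesystem.
check_case_pairs() {
    dir="$1"
    ls -1 "$dir" | LC_ALL=C sort | awk '
        { k = tolower($0); names[k] = names[k] " " $0; n[k]++ }
        END { for (k in n) if (n[k] > 1) print names[k] }
    ' | while read -r first rest; do
        for other in $rest; do
            if cmp -s "$dir/$first" "$dir/$other"; then
                echo "IDENTICAL $first $other"
            else
                echo "distinct $first $other"
            fi
        done
    done | LC_ALL=C sort
}

# Print the modules named in the /etc/modules-style list $1 (one per line,
# '#' comments allowed) that do not appear in the lsmod-style listing $2
# (header line followed by "name size usecount ..."). Returns 1 if any are
# missing, 0 if every listed module is loaded.
missing_modules() {
    missing=$(sed 's/#.*//' "$1" | awk 'NF { print $1 }' | while read -r m; do
        awk 'NR > 1 { print $1 }' "$2" | grep -qxF -- "$m" || echo "$m"
    done)
    [ -n "$missing" ] && printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Demonstration on constructed data in a scratch directory.
demo() {
    t=$(mktemp -d)
    mkdir "$t/modules"
    echo "match code"  > "$t/modules/ipt_connmark.o"
    echo "match code"  > "$t/modules/ipt_CONNMARK.o"   # clobbered copy
    echo "target code" > "$t/modules/ipt_MARK.o"
    echo "match code"  > "$t/modules/ipt_mark.o"
    printf 'ipt_connmark\nipt_CONNMARK\n# ipt_MARK\n' > "$t/modules.conf"
    printf 'Module Size Used by\nipt_connmark 1344 0\nip_conntrack 24000 1\n' > "$t/lsmod.txt"
    echo "case pairs:";  check_case_pairs "$t/modules"
    echo "not loaded:";  missing_modules "$t/modules.conf" "$t/lsmod.txt" || true
    rm -rf "$t"
}

demo
```

On a real box the same functions would be pointed at /lib/modules, /etc/modules and the output of lsmod.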
RE: [leaf-user] CONNMARK in uClibc
> The Extended MARK Target is irrelevant -- nothing in Shorewall currently uses it, and detection and reporting of that capability are removed in Shorewall 3.0.
>
> Does iptables -j CONNMARK --help display CONNMARK-related help?
>
> -Tom

Tom:

Thanks for the reply. That command includes the following:

CONNMARK target v1.3.3 options:
  --set-mark value[/mask]       Set conntrack mark value
  --save-mark [--mask mask]     Save the packet nfmark in the connection
  --restore-mark [--mask mask]  Restore saved nfmark value

Richard

-Original Message-
From: Richard Amerman
Sent: Monday, October 24, 2005 2:46 PM
To: leaf-user@lists.sourceforge.net
Subject: [leaf-user] CONNMARK in uClibc

[...]
RE: [leaf-user] CONNMARK in uClibc
Thanks Tom,

-Original Message-
From: Tom Eastep [mailto:[EMAIL PROTECTED]

> On Wednesday 26 October 2005 14:40, Richard Amerman wrote:
> > That command includes the following:
> >
> > CONNMARK target v1.3.3 options:
> >   --set-mark value[/mask]       Set conntrack mark value
> >   --save-mark [--mask mask]     Save the packet nfmark in the connection
> >   --restore-mark [--mask mask]  Restore saved nfmark value
>
> That confirms that the problem is definitely in the kernel then. Try this at a shell prompt:
>
> iptables -t mangle -N foo

No output

> iptables -t mangle -A foo -j CONNMARK --save-mark

Output: iptables: No chain/target/match by that name

> What error message is generated?

No errors other than the output from the second command (which may be an error, but I do not know CONNMARK so don't know).

> What is the output of 'lsmod | grep CONNMARK' ?

No output

Thanks,
--Richard
[leaf-user] CONNMARK in uClibc
I'm trying to use the Shorewall load balancing per: http://www.shorewall.net/Shorewall_and_Routing.html#id2460800

I can't get connmark to load properly. I have the rc1 build and made sure I have both the upper and lower case ipt_connmark.o files, in my case, from the CD ISO. I have both connmark modules loaded (I assume; I see no kernel messages, positive or negative). I tried them in either order. I'm loading them after all the other ipt_ modules. When I restart shorewall I still get:

Extended MARK Target: Not available
CONNMARK Target: Not available
Connmark Match: Available

Any further ideas?
[leaf-user] Bering uClibc IPSEC VPN issues
We have been running a LEAF firewall for about 3 years or more. Most of that time it has been a Bering 1.0 RCx of some kind (can't remember the exact release). We just upgraded to a new machine running Bering uClibc 2.3-rc1 from CF. I built this image using primarily the uClibc ISO image as my basis. It runs great with no issues other than the new VPN issue.

We have been connecting from PCs inside the firewall to a remote location running Juniper Networks NetScreen and until this week have had no problems. The problem is intermittent and cannot be consistently reproduced, but what is consistent is the lack of an issue when connecting from outside the firewall, or if you either reboot the firewall or do a shorewall clear to flush things out. We have spent days trying to figure out the issue and it does indeed look like it is the firewall, though we have no clear understanding of the exact problem or, more importantly, the fix.

Does anyone have any pointers or ideas? Any known issues? I have been searching the list archives but have not found anything clear.

Thanks,

Richard Amerman
RBA International
703 Broadway, Suite 600
Vancouver, WA 98660
360-696-9272 x440
[EMAIL PROTECTED]
RE: [leaf-user] Bering uClibc IPSEC VPN issues
One thing I forgot to mention is that we are using OpenVPN with our firewall as the terminating VPN server (works fantastic). Not sure if it is possible for this configuration to interfere with host (behind our firewall) to remote VPN gateway communication, but thought it would be worth mentioning. After reading this: http://www.shorewall.net/VPNBasics.html it made me think this may be possible.

Richard

-Original Message-
From: Richard Amerman

[...]
RE: [leaf-user] Bering uClibc IPSEC VPN issues
Thanks for the reply Arne,

-Original Message-
From: Arne Bernin [mailto:[EMAIL PROTECTED]

> I do not really understand what your problem is. Maybe you could explain it a bit more... You have problems after reboot, or you fix the problems with a reboot? You are using standard IPSEC for this connection (no NAT-T)?

We are using the NetScreen-Remote client from behind our firewall to connect to a remote NetScreen Firewall/VPN box at our hosting facility. Was working fine.

> What exactly is going wrong? Are you using masquerading?

Everything is masqueraded behind the firewall, so we are using NAT-T and the NetScreen client does seem to be using this. When things do not go OK, some of the symptoms are that the firewall still recognizes that there is a connection from the client in question to the remote VPN box, so no entry is written in the FW log (we have all policies logging for now to help troubleshoot). I have used Snort (installed on the firewall) to sniff the traffic to the VPN client when it is trying to connect, and it is getting packets from the remote VPN box but appears to be ignoring them. This seems to me to be some case of NAT-T not working properly, the UDP packets being munged in a way that is not working with the client, or other similar issues. The problem is that sometimes it works for a while, then it doesn't for a bit. Very inconsistent.

Richard
FW: [leaf-user] Bering uClibc IPSEC VPN issues
-Original Message-
From: Arne Bernin [mailto:[EMAIL PROTECTED]

> You might want to use tcpdump for this (well, I never used Snort for that, so I don't know if it is easy to use and gets all traffic). If you save the tcpdump output somewhere you can use Ethereal (on Windows or Unix) to take a detailed look at what is going on.

I can do this fairly easily with Snort. I did see that when looking at the inside interface of the FW while a local client was trying to connect to the VPN but failing, that all the UDP packets arriving to that host from the remote VPN server were all from port 500. This was using the simplest sniffer mode:

snort -v -i eth3 host 192.168.1.120

> > This seems to me to be some case of NAT-T not working properly, the UDP packets being munged in a way that is not working with the client, or other similar issues. The problem is that sometimes it works for a while, then it doesn't for a bit. Very inconsistent.
>
> I have one suggestion, that might be the case, I am not sure. But I have a similar problem on a remote site and after exploring it a bit, it seems that the masquerading/SNAT code in the Linux kernel has a bug when masquerading UDP packets. This leads to some packets not properly masqueraded/SNATed and this - could - be the problem you are experiencing. It would be interesting to take a look with tcpdump on the external interface if you run into this problem again. The packets you will see there should be already masqueraded, so take a look at the IP addresses of the NAT-T packets and especially the port numbers. There may be a problem if the NAT-T IPsec packets do not come from port 500 on the NetScreen side.
>
> This UDP SNAT problem is already reported to the netfilter team (bug id=390), you can take a look at it under bugzilla.netfilter.org...

I'll take a closer look at this issue. Thanks
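Arne's suggestion above (capture on the external interface and check that the NAT-T packets carry the masqueraded address and the expected ports) can be turned into a small audit over tcpdump text output. This is an added example, not code from the thread; it assumes the output format of "tcpdump -nn", and all addresses, including the external address 192.0.2.10 and the gateway 198.51.100.1, are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): audit a tcpdump capture of the external
# interface for the symptoms Arne describes. Expects the text output of
# "tcpdump -nn -i <ext-if> udp" (one packet per line, "IP src.port > dst.port:").
# Addresses are constructed: 192.0.2.10 is the firewall's external address,
# 198.51.100.1 the remote NetScreen gateway, 192.168.1.120 an inside host.

# Classify each UDP packet that involves the VPN gateway:
#   NOT_SNATED       leaving for the gateway with an inside source address,
#                    i.e. masquerading did not rewrite it (the suspected bug)
#   SPORT_REWRITTEN  leaving for the gateway from a port other than 500/4500,
#                    so the gateway will answer to a port the client may not expect
#   ODD_GW_PORT      arriving from the gateway from a port other than 500/4500
#   OK               IKE/NAT-T traffic between the expected address:port pairs
# Usage: audit_natt <capture-file> <external-ip> <gateway-ip>
audit_natt() {
    awk -v ext="$2" -v gw="$3" '
        # split "a.b.c.d.port" or "a.b.c.d.port:" into host and numeric port
        function host(s,  n) { n = match(s, /\.[0-9]+:?$/); return substr(s, 1, n - 1) }
        function port(s,  n) { n = match(s, /\.[0-9]+:?$/); return substr(s, n + 1) + 0 }
        function ike_port(p) { return p == 500 || p == 4500 }
        $2 == "IP" && $4 == ">" {
            sh = host($3); sp = port($3); dh = host($5)
            if (dh == gw) {
                if (sh != ext)     { print "NOT_SNATED " $0; next }
                if (!ike_port(sp)) { print "SPORT_REWRITTEN " $0; next }
            } else if (sh == gw) {
                if (!ike_port(sp)) { print "ODD_GW_PORT " $0; next }
            } else next
            print "OK " $0
        }' "$1"
}

# Constructed sample capture, written to the file named in $1.
write_sample_capture() {
    cat > "$1" <<'EOF'
12:00:01.000001 IP 192.0.2.10.500 > 198.51.100.1.500: isakmp: phase 1 I ident
12:00:01.000002 IP 198.51.100.1.500 > 192.0.2.10.500: isakmp: phase 1 R ident
12:00:01.000003 IP 192.0.2.10.4500 > 198.51.100.1.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick
12:00:01.000004 IP 192.168.1.120.4500 > 198.51.100.1.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick
12:00:01.000005 IP 192.0.2.10.1025 > 198.51.100.1.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick
12:00:01.000006 IP 198.51.100.1.1024 > 192.0.2.10.4500: UDP, length 84
12:00:01.000007 IP 192.0.2.10.53 > 203.0.113.53.53: 1234+ A? example.net. (29)
EOF
}

f=$(mktemp)
write_sample_capture "$f"
audit_natt "$f" 192.0.2.10 198.51.100.1
rm -f "$f"
```

Packets that do not involve the gateway (the DNS line) are ignored, so the output is only the IKE/NAT-T exchange with its verdicts.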
RE: [leaf-user] Bering uClibc IPSEC VPN issues
Thanks for the pointer Eric,

I'm assuming that you indicate this as a possible solution to a high level of traffic or high count of connections, but I doubt this would be the problem for us. We have only 20-30 computers behind this firewall, which seems like a fairly low number in the scheme of things. I'll take a look at this though.

Thanks!

Richard

-Original Message-
From: Eric Spakman [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 06, 2005 1:13 PM
To: Richard Amerman
Cc: Arne Bernin; Leaf-User
Subject: RE: [leaf-user] Bering uClibc IPSEC VPN issues

Hello Richard,

Not sure if this is your problem, but did you take a look at:
http://leaf.sourceforge.net/doc/guide/bucu-conntrack.html

Eric

> [...]
[leaf-user] Snort on uClibc
We have just upgraded our firewall from a 2+ year old Bering floppy on an old 486 to a uClibc 2.3-rc1 box with CF. Among other things I have set up Snort, the 2.2 version that came on the ISO image for 2.3-rc1.

Q1: Does anyone have a more recent version of Snort available for uClibc?

Q2: Does anyone running Snort on a Bering box have any pointers or tips from their experience? I only have it looking at the outside interface with tcpdump and CSV logging.

Thanks,
Richard Amerman
RE: [leaf-user] Security and LEAF Bering UClibc
Martin,

Thanks for the reply!

-Original Message-
From: Martin Hejl [mailto:[EMAIL PROTECTED]

> I surely see your point (at my day job, I work with many people where an SLA, or at least having a company to hold responsible, is the main issue). The company I work for (http://www.guh-software.de - no advertising intended, just so you know which company I'm talking about) is thinking about offering a subscription based model for receiving timely security updates for LEAF Bering uClibc. The reason for that is that we're also looking into the possibility of marketing hardware with Bering uClibc installed, and for such a product, some sort of update service would be mandatory anyway. It has not been decided yet if that will actually happen (I guess it also depends on how much interest there is in such a service). If you (or anybody else) are interested in such a service, please contact me off-list for details on what exactly we're thinking about, as well as the costs involved (it will not cost a huge amount, but it will _definitely_ not be offered for free).

I think that if you could justify going forward with your idea, or if others came on board and something independent could be done, this would be great. I think this is a situation where both the established free/OS community side of LEAF and your business, and other similar businesses, can all win. If you were to provide the LRPs in CVS and submit notification for each update to a new list, then you could still offer a wonderful VA product that keeps track of the modules used by a particular subscriber, notifies them via email when one of their modules needs to be updated, including a link to the file, and possibly even offering an automated update mechanism that could be turned on using a special LRP you provide, for each LRP the end user wants to keep up-to-date.

OK, that last bit may be a bit much, but the point I'm trying to make is that a balance could be maintained between a base level that could benefit everyone, and a pay level that anyone that has the $ could not afford to be without (including possibly me). This slightly higher level of service to the general LEAF community would also make it more attractive for other LEAF developers to get involved in this mini project, so that the entire thing was not just on the shoulders of one company.

Just some thoughts.

Richard Amerman
RE: [leaf-user] Security and LEAF Bering UClibc
Martin,

-Original Message-
From: Martin Hejl [mailto:[EMAIL PROTECTED]

> I understand what you're saying - and I guess the framework (scripts to handle the update process) would surely make their way into the Bering uClibc distro. At this point, I'm just not sure if there's enough interest in the LEAF userbase to warrant spending business hours on this (I already spend much of my spare time on Bering uClibc, but that's a different matter :-)) As I said - nothing is set in stone at this point, we're still in the decision making process, so we're surely open for suggestions. In the end, it all comes down to the fact that we need to make sure we're not putting a lot of money and resources into a project that will not at least create some return over a reasonable amount of time. We're not a huge corporation, so we can't pump huge amounts of cash into a project that will not pay for itself at some point. If a model where people pay for the premium service (notification of updated packages, maybe even a push model for some sort of auto-update - even though I have rather strong reservations about updates being installed without the administrator knowing about it) works even if the same packages are published for free on the website, I don't see why things couldn't be done that way.

I think you're on track with the key point that it all depends on what the interest would be. I have no doubts that it would be fairly easy to create enough value added for a premium service that anyone with $ could not live without. The question is just how many of these people are there? To put it another way, how many LEAF firewalls are deployed in production by companies or other NGOs? I think that every one of these entities would be hard pressed to not buy into such a service if it was cheap and provided otherwise unavailable assurances that their LEAF install is secure.

As to the service, I guess you would have to monitor one or more sources that track security issues and other vulnerabilities in Linux programs and match them up against what is included in each of one or more uClibc versions to determine if any updated LRPs need to be created and disseminated. This service could also include notices of issues that may not require a new LRP but may have to do with configuration settings that may be insecure or cause issues.

Can anyone else out there respond with their interest?

Richard
RE: [leaf-user] Security and LEAF Bering UClibc
I'm sure that this topic is not new, but it is probably one that should be brought up regularly in case there are new options as to how to address the issue.

My company, and other companies I work with (and I'm very sure we are not alone in this), would find it extremely valuable if there was a system/process where all the core LRPs were monitored for security bulletins. When one of these bulletins was released, it would trigger a process of updating the LRP ASAP and letting everyone on what may be a new list know that the update was available, a LEAF errata per se. I think that people, including us, would contribute $ to see this put together, while not making it any kind of premium service, but available to everyone. It could just be a voluntary donation thing, or/also involve one or more bounties.

It would also be valuable if this task was taken on by something other than just an individual or group of individuals, but a business that has a large stake in things, or some organization with some structure. The idea on this is credibility and stability, not only in reality but from a perception standpoint. (Translate: I have to show my boss something that he can put some faith in.)

What do you think? What kind of discussion has happened in the past on this topic? Or what am I missing that is already in place to take care of this? (And yes, I will be searching the list archive to see what I can find, but we all know this is not as simple as it looks.)

Thanks!

Richard Amerman

-Original Message-
From: troy [mailto:[EMAIL PROTECTED]

> How do you handle security patches for packages? For example, if you were running a full Debian distro, a simple apt-get update would ensure that you pull down the latest security patches... What is the approach to making sure uClibc is secure...?
RE: [leaf-user] CF Card Issues
I now have everything fixed and happy.

Cpu, what process do you use to set up your Lex systems? Have you been able to get USB support, or booting off of USB, to work? The only thing that has consistently worked for me is booting off of an IDE CDROM. This is great and fast in the lab, but not a great option in the field. I would like to be able to use USB as the solution to restore or do other maintenance tasks.

Now that I have my CF card repartitioned and formatted with a clean uClibc setup on it, everything is great. It looks like it was all due to the lack of unmounting before rebooting. I know that often I would back up some changes and immediately reboot. I'm sure those were some of the worst cases.

Thanks,
Richard Amerman

-Original Message-
From: cpu memhd [mailto:[EMAIL PROTECTED]

> Auto, LBA, or CHS? Consider this:
> - Your controller is set up for Auto
> - Your CF is detected as LBA (even though it's = 512MB, all CFs are supposed to support LBA, my understanding)
> - Next day, your BIOS is having a bad-hair-day, CF is now detected as CHS (but you don't notice the boot message! - this can be due to BIOS or CF bugs... cabling, etc.)
> - You begin to experience problems with corruption, strangeness/weirdness
>
> Could this be the problem? The question is, will the CF boot with the wrong HD parameters? I believe the answer to this is yes, in some cases.
>
> I have a few Lex CV860s. They detect my Sandisk industrials as LBA. But my newer CV863A detect them as CHS. I hard set = 512MB CFs to CHS. Never a problem.
[leaf-user] CF Card Issues
I have a Lex NEO CV863A from Hacom. I bought my CF card based on recommendations for Lexar on this page: http://www.openbrick.org/openbrick/wiki/cf/view

I have a Lexar Media 512MB CF card p/n 2175 Rev A. Everything was going very well; I installed a uClibc system primarily using the CD ISO on the CF card, and the firewall was working fine, though not in production yet. Recently I made some Shorewall changes and backed them up, but when I rebooted the next time there was no shorewall. It turned out that the shorwall.lrp file was corrupt. When I try:

tar zxvf shorwall.lrp

I get:

tar: Invalid gzip magic

Soon after, I made a new folder called lrpbackup on the CF card. It shows up though as lrpbacku. Also, when I try ls in that folder my whole SSH session gets corrupted. I also cannot delete the folder or its contents. Also, when I now try to write to the CF card in this machine, everything returns:

Cannot create directory `lrpb': Read-only file system

Now I know that I have multiple things that could be wrong, but since my timeline is very short (I'm supposed to put this FW in production in a few days), I'm pursuing them in parallel. One possibility is that the CF card I bought is not ideal. Another is that the machine has an issue. Another is that this CF card may be bad.

Some questions:

Does anyone have any specific recommendations on a CF card?

Does anyone have an alternate LRP backup script that keeps backups kind of like rotating logs (backing up the existing LRP to another folder and renaming *.lrp.0 type thing)?

Is there anything in hdsupp.lrp to check the health of a drive, like scandisk?

Any help, ideas, or shared experiences would be helpful. I did call Hacom and they do use Lexar but mainly use Kingston Elite Pro CF cards now. I'm thinking of just buying two of them.

Thanks,

Richard Amerman
RBA International
703 Broadway, Suite 600
Vancouver, WA 98660
360-696-9272 x440
[EMAIL PROTECTED]
RE: [leaf-user] CF Card Issues
M Lu, Thanks for the info, you may have just found my issue. I have regularly been mounting my CF on a folder I create each time (/cf) so that I can edit things like leaf.cfg and others. I never unmount it before rebooting (did not know I needed to)! Do you have your setup now configured to auto unmount your CF? Any pointers on that? Regardless, now I know what is likely the issue! Thanks! Richard -Original Message- From: M Lu [mailto:[EMAIL PROTECTED] A couple of weeks ago I got a small file 'leaf.cfg' corrupted after modifying it directly (mount /hda1 on /mnt). As other folks here said that I may forget to un-mount /mnt before rebooting. So now I always checked to make sure the CF is umounted before rebooting and so far no more corruptions eventhough I modified a lot a lot of things day after day because of my new setup. Do you think you may mount the CF somehow? Just check the mountpoints before rebooting. Maybe some script did that and you do not know about it. I use Lexar 64M. I also used Canon 32M and it was OK but very short time so I cannot say if its quality is good. Hope your CF is not bad. You probably can test its quality inside another machine. - Original Message - From: Richard Amerman [EMAIL PROTECTED] I have a Lex NEO CV863A from Hacom. I bought my CF card based on recommendations for Lexar on this page: http://www.openbrick.org/openbrick/wiki/cf/view I have a Lexar Media 512MB CF card p/n 2175 Rev A. Everything was going very well, installed a uClibc system primarily using the CD ISO on the CF card and the firewall was working fine, though not in production yet. Recently I made some Shorewall changes and backed them up but when I rebooted the next time there was no shorewall. It turned out that the shorwall.lrp file was corrupt. When I try: tar zxvf shorwall.lrp I get: tar: Invalid gzip magic Soon after I made a new folder called lrpbackup on the CF card. 
It shows up though as lrpbacku. Also when I try ls in that folder my whole SSH session gets corrupted. I also can not delete the folder or its contents. Also when I now try to write to the CF card in this machine, everything returns:

Cannot create directory `lrpb': Read-only file system

Now I know that I have multiple things that could be wrong, but since my timeline is very short (I'm supposed to put this FW in production in a few days), I'm pursuing them in parallel. One possibility is that the CF card I bought is not ideal. Another is that the machine has an issue. Another is that this CF card may be bad.

Some questions:
Does anyone have any specific recommendations on a CF card?
Does anyone have an alternate LRP backup script that keeps backups kind of like rotating logs (backing up the existing LRP to another folder and renaming, *.lrp.0 type thing)?
Is there anything in hdsupp.lrp to check the health of a drive, like scandisk?

Any help, ideas, or shared experiences would be helpful. I did call Hacom and they do use Lexar but mainly use Kingston Elite Pro CF cards now. I'm thinking of just buying two of them.

Thanks,
Richard Amerman
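The rotating backup asked for above, written as an added example for this page (it is not a LEAF script and not part of hdsupp or weblet): it keeps NAME.lrp.0, NAME.lrp.1, ... in a backup directory the way rotated logs are kept, and it runs gzip -t on the package before touching the existing copies, so a package that already fails with "Invalid gzip magic" can never push a good backup off the end. The backup directory, the default of three copies and the choice of gzip -t as the integrity check are assumptions of the example.

```shell
#!/bin/sh
# Added example, not a LEAF script: rotate .lrp package backups like logs.
# NAME.lrp.0 is the newest copy, NAME.lrp.1 the one before it, and so on.

# is_gzip FILE -> 0 if gzip can read FILE from start to end (an .lrp is a
# gzipped tar, so this catches the "Invalid gzip magic" corruption case)
is_gzip() { gzip -t "$1" >/dev/null 2>&1; }

# rotate_backup FILE DIR [KEEP]
#   Verify FILE, then shift DIR/NAME.0 .. NAME.(KEEP-2) up by one, drop the
#   oldest copy, and store FILE as DIR/NAME.0. Returns 1 and leaves DIR
#   untouched when FILE is not a valid gzip stream.
rotate_backup() {
    src="$1"; dir="$2"; keep="${3:-3}"   # KEEP=3 is an assumed default
    base=$(basename "$src")
    if ! is_gzip "$src"; then
        echo "$src: not a valid gzip stream, backup not rotated" >&2
        return 1
    fi
    mkdir -p "$dir"
    i=$((keep - 1))
    rm -f "$dir/$base.$i"                # oldest copy falls off the end
    while [ "$i" -gt 0 ]; do
        prev=$((i - 1))
        [ -f "$dir/$base.$prev" ] && mv "$dir/$base.$prev" "$dir/$base.$i"
        i=$prev
    done
    cp "$src" "$dir/$base.0" && sync     # sync so the copy is on the card
}

# usage (paths are examples): rotate_backup /var/lib/lrpkg/shorewall.lrp /cf/lrpbackup 3
```

The copy is followed by sync; if the card is mounted only for the backup, unmount it afterwards as discussed in this thread, otherwise the freshly written file is exactly the kind that gets corrupted on reboot.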
RE: [leaf-user] CF Card Issues
I just backed up all the files off that CF card, did a scandisk and it looks like it fixed everything. I now changed my /etc/init.d/reboot to umount my CF card before rebooting. Though I will plan on always unmounting the CF card when I do not need it.

Richard

-Original Message-
From: M Lu [mailto:[EMAIL PROTECTED]]

I do not know of the auto umount but you can alias 'reboot' to 'cd ; umount /cf; halt' if you use reboot to reboot your machine. You are luckier than Peter.

- Original Message -
From: Peter Mueller [EMAIL PROTECTED]

It's easy to destroy CF cards this way. I went through two on my routers before understanding that you need to unmount the card ASAP.
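The reboot wrapper M Lu describes, as an added example written for this page rather than taken from LEAF: it looks the card up in the kernel mount table, leaves the card's directory (a shell whose working directory is on the card keeps it busy), syncs and unmounts, checks the table again, and refuses to reboot at all if the card is still mounted. The mount point /cf comes from the thread; reading /proc/mounts, and the MOUNTS_FILE and REBOOT_CMD variables that let the check run against a constructed table, are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from LEAF: reboot only after the CF card is unmounted.
CF_MNT="${CF_MNT:-/cf}"                    # where the card gets mounted (from the thread)
MOUNTS_FILE="${MOUNTS_FILE:-/proc/mounts}" # kernel mount table; overridable for testing
REBOOT_CMD="${REBOOT_CMD:-reboot}"         # overridable for testing (REBOOT_CMD=true)

# cf_mounted TABLE MOUNTPOINT -> 0 if MOUNTPOINT appears as a mount point
# (second column) in TABLE
cf_mounted() {
    awk -v m="$2" '$2 == m { found = 1 } END { exit !found }' "$1"
}

# safe_reboot: sync, unmount the card if it is mounted, verify, then reboot.
# Returns 1 without rebooting if the card cannot be unmounted.
safe_reboot() {
    if cf_mounted "$MOUNTS_FILE" "$CF_MNT"; then
        cd /                      # a shell sitting inside $CF_MNT keeps it busy
        sync
        if ! umount "$CF_MNT" 2>/dev/null; then
            echo "refusing to reboot: $CF_MNT is still mounted (busy?)" >&2
            return 1
        fi
        if cf_mounted "$MOUNTS_FILE" "$CF_MNT"; then
            echo "refusing to reboot: $CF_MNT is still in the mount table" >&2
            return 1
        fi
    fi
    sync
    "$REBOOT_CMD"
}

# usage: copy over /etc/init.d/reboot or alias reboot to 'safe-reboot --now'
case "${1:-}" in
    --now) safe_reboot ;;
esac
```

The point of the second cf_mounted check is that umount can return success for a different mount at the same path (stacked mounts), so the table, not the exit status, is the source of truth.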
RE: [leaf-user] Problems with CF setup
If you use the CD image for the latest beta it includes the proper version of initrd_ide_cd.lrp. Just went through a full CF install myself in the past couple of weeks. Works great, just have to be careful of where you get your packages and modules. The CD image is the best source of all of it.

Richard

-Original Message-
From: Martin Hejl [mailto:[EMAIL PROTECTED]]

If you followed the instructions to the letter, you're using initrd_ide_cd.lrp from http://cvs.sourceforge.net/viewcvs.py/leaf/bin/packages/uclibc-0.9/20/ , which means you're all set as far as needing to load modules for IDE (unless you're using some exotic IDE controller) - that is, _if_ you're using the 2.2.3 Bering uClibc image.

I wish it was included in this procedure as to what modules are needed and what is the best method for me to transfer these modules from a floppy to the CF.

Simply put initrd_ide_cd.lrp onto your CF (and rename it to initrd.lrp in the process) and you should be set.
[leaf-user] lncurses.lrp and/or lrpstat help - uClibc
Does anyone have lncurses.lrp for uClibc handy? I can't find it anywhere. It appears that I need it for lrpstat. If anyone else has any info on what IS needed to get lrpstat working in the latest uClibc that would be great!

As further background, I'm trying to set up monitoring for cpu load, interface usage, and environmental stats like temp and voltage (using lm_sensors). If anyone has information or recommendations on this topic I'm probably not the only one who would love to get the details. If I get it nailed I'll put together a How-To on the topic. I'm also looking to integrate some of this into webconf.

Thanks,
Richard
[leaf-user] Webconf issues
I have been trying to get webconf working on a new uClibc box but can't get anywhere. I did have weblet working but took that off and did everything I could find online to setup webconf. I'm on the latest beta. Here is one thing I get:

Jul 14 12:23:03 RBAFW mini_httpd[10398]: socket :: - Address family not supported by protocol
Jul 14 12:23:03 RBAFW mini_httpd[10398]: bind 0.0.0.0 - Address already in use
Jul 14 12:23:03 RBAFW mini_httpd[10398]: can't bind to any address

Any ideas?

Richard Amerman
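An added diagnostic for the log lines above, not part of webconf, weblet or mini_httpd: the first line (socket ::) typically only means the kernel has no IPv6 and mini_httpd falls back to IPv4; the bind failure on 0.0.0.0 is the real one and means some other process already holds the port, so the check to run before starting mini_httpd again is "who is listening on that port". The example reads the kernel's socket table (/proc/net/tcp) directly rather than depending on netstat, and maps the listener's socket inode back to a PID through /proc/*/fd. Port 80 as the default and the column layout of /proc/net/tcp (local address as HEXIP:HEXPORT in column 2, state in column 4, inode in column 10) are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from webconf/mini_httpd: find what holds a TCP port.

# listening_on TABLE PORT -> 0 if a socket on PORT is in state LISTEN (0A).
# TABLE is /proc/net/tcp; it is a parameter so the parser can be run over a
# constructed sample.
listening_on() {
    want=$(printf '%04X' "$2")     # /proc/net/tcp shows ports as 4 hex digits
    awk -v want="$want" '
        NR > 1 && $4 == "0A" {
            split($2, a, ":")
            if (a[2] == want) found = 1
        }
        END { exit !found }' "$1"
}

# listener_inodes TABLE PORT -> prints the socket inodes of LISTEN sockets on PORT
listener_inodes() {
    want=$(printf '%04X' "$2")
    awk -v want="$want" '
        NR > 1 && $4 == "0A" { split($2, a, ":"); if (a[2] == want) print $10 }' "$1"
}

# owner_of_inode INODE -> prints PIDs whose fd table references socket:[INODE]
owner_of_inode() {
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] && echo "$fd" | cut -d/ -f3
    done
}

# check_port [PORT]: report who holds PORT (exit 1), or say it is free (exit 0)
check_port() {
    port="${1:-80}"                # 80 is an assumption; use mini_httpd's -p value
    if listening_on /proc/net/tcp "$port"; then
        echo "port $port already has a listener:"
        for ino in $(listener_inodes /proc/net/tcp "$port"); do
            for pid in $(owner_of_inode "$ino"); do
                printf '  pid %s  %s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline")"
            done
        done
        return 1
    fi
    echo "port $port is free"
}

# usage: ./check_port.sh 80   (run as root so /proc/*/fd is readable)
case "${1:-}" in [0-9]*) check_port "$1" ;; esac
```

If the owner turns out to be inetd, the listener is an inetd.conf entry (weblet's httpd was started that way), and the fix is to remove that line and restart inetd rather than to move mini_httpd to another port.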
[leaf-user] Image CF drive
Does anyone know of any windows tools that can do a disk image of a CF card? I have multiple identical CF cards I need to propagate a uClibc install to, bootable portion and all. The only tools I have found that work with CF cards so far have been for linux.

Thanks!
Richard Amerman
[leaf-user] lm_sensors for Bering uClibc - Lex Neo CV863A from Hacom
I have two new Lex Neo CV863A boxes from Hacom that I'm setting up with Bering uClibc. These boxes include:

2 X PCMCIA slots
4 X 10/100 NICs
CF slot
1GHz CPU
256MB DDR RAM
4 X USB

I have a Lexar 512MB card in each of these and, with only a half day of banging my head, got LEAF set up on the CF card. I used the uClibc CD ISO to do the work, including copying the entire contents of the CD as my install once I had the card bootable. It is going great, though duplicating the card will be a pain, wish there was a tool to image a CF card easily in windows.

One thing I would very much like to do is monitor the health of these boxes using something like lm_sensors. The only thing I have found about this are two uClibc LEAF CVS entries regarding lmsensors. Does anyone have any information on this? Any other LexNeo LEAF users out there with info to share on their experiences?

Thanks!
Richard Amerman
[leaf-user] LEAF at OSCON
Are any LEAF participants attending OSCON this year? If so, are any of you putting a proposal to do a presentation on LEAF? If the answer to the second question is no, I will be submitting a proposal for either a 45min or 90min presentation by tomorrow afternoon. I have not been that involved with the project in the past few months, but enjoy giving presentations and can coordinate with team members to put together good coverage of topics. I wish to give a basic overview of what LEAF is, how one might use it, an intro to some of the active distributions, and possibly some view of the new config/web-management pieces we are working on.

Richard Amerman
[leaf-user] Snort and Bering
I want to add Snort to my 2 floppy Bering RC3 setup. I found the package Charles has on his site but thought it prudent to check with the masses to see who might have set this up recently and where the latest package is (if it is not Charles's).

An additional note for any current LEAF snort users: I was planning on looking into setting up a weblet add-on to display info from snort. If you are an experienced snort user and have time on your hands you might be able to help with this endeavor.

Thanks!
Richard Amerman
RE: [leaf-user] Weblet Dev Demo Update
Good suggestion on the date time. Not sure what you mean by with the hosts.allow. It is supposed to allow everyone to the weblet for the demo.

Richard Amerman

-Original Message-
From: Eyal Lebedinsky [mailto:[EMAIL PROTECTED]]
Sent: Tue 7/2/2002 1:41 AM
To: Richard Amerman
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [leaf-user] Weblet Dev Demo Update

Richard Amerman wrote:
I have made some major modifications to the LEAF Weblet. These have been posted to the Weblet Dev Demo site. Demo Site Location: 207.202.227.167

One thing I have in my weblet, which I see is missing in the above demo, is a standard date/time at the top of each log file. I find it very useful to know how old the displayed page is. And also, do fix your /etc/hosts.allow :-)

-- Eyal Lebedinsky ([EMAIL PROTECTED]) http://samba.org/eyal/
RE: [leaf-user] Weblet Dev Demo Update
From: Steve Sobka [mailto:[EMAIL PROTECTED]]
Sent: Tue 7/2/2002 8:02 AM

How easy would it be to include lrpstat back in the weblet package? (IIRC?) Dachstein had this as part of the weblet package, but it was removed out of the Bering weblet package. Or I should say, it's not in Bering 1.0-rc3. Maybe if it's really large, there could be two versions of your updated weblet package? The URL for lrpstat is: http://leaf.sourceforge.net/devel/hejl/ It's nice to see a quick MRTG style graph on the status pages :-)

I'm very interested in this and other similar options. I would like (at least as a set of options) for the index page of the weblet to be as much a dashboard as possible. The idea being that at a glance as much information as possible can be gleaned about the state of the firewall and its traffic. Graphics can always do this much better than only words and numbers. I'm also interested in massaging the log contents a bit to make them more readable. The firewall logs are a good example. This is all one of the reasons I abstracted the content and the rest of the page constructs so that it would be easy to place the components you want on your first page for a list of options. I was planning on automating and abstracting this very process so that all a user had to do was pick a layout, pick the pieces, select their column, and set the order. That should be easy. This format should support the configuration project as well.

Richard Amerman
[leaf-user] Weblet Dev Demo Update
I have made some major modifications to the LEAF Weblet. These have been posted to the Weblet Dev Demo site.

Demo Site Location: 207.202.227.167

Two of the major areas of change include: major changes to the cgi files including a dynamic index page, new include structure, and new function files; and a link to the weblet source at the bottom of the index page.

The full list of changes follows:

1 July 2002
- converted index.html to index.cgi
- added function for displaying uptime. Added the uptime using this function under the status indicators on the index page.
- Created a weblet.structures file that includes the functions that were in the weblet.functions file that covered page structure. Added two new functions, t_head and t_foot, that finish abstracting almost all of the structure. Added two additional functions to weblet.structures that allow you to create a page with a single column, two columns like the index page, and three columns.
- Created new master include file, weblet.include.
- Abstracted the 5 content tables from the index page into separate component files in /var/sh-www/content.
- Abstracted the log/file display function into weblet.functions.
- Added a source display option to the bottom of the index page. You can use this to view the entire weblet content source. Please use this in conjunction with the web page to provide ideas, find bugs, make suggestions on how to make it better.
- Abstracted the styles into a separate CSS file.
- Removed LRP from the titles.
- Did additional CGI cleanup. (And probably made a few additional messes in the process!)

27 June 2002
- Added a new list of all the configuration files on the left side of the index page. I have included all the main networking files, modules file, ppp files, and all of shorewall. I did this with a combination of index.html modification (including some cleanup, primarily with an added style entry above that took out all the remaining style info below) and some changes in the showlogs* cgi scripts.
- made a change so that on the individual pages displaying either a config file or a log, the entire path is displayed at the top rather than just the file name.
- Added two new links to the configuration file section, one that gives you a single page with all the major configuration files from /etc and another for all the Shorewall files. Each combined config list uses a separate cgi script.
- added a new header function to weblet.functions that includes a page refresh; this to be used with the index page and all pages (logs and the like) that should refresh to be up to date
- added a new styles function to weblet.functions that contains all the css info
- changed the header functions to use the new styles function

Richard Amerman
RE: Software write-protect (Was: Re: [leaf-user] Floppies)
From: Jeff Newmiller [mailto:[EMAIL PROTECTED]]
Sent: Sat 6/29/2002 11:37 PM

Absolutely disagree. Rebooting is a waste of time. If there is a way in, rebooting does nothing to prevent repetition. If there is not, rebooting serves no purpose. If you are faced with a break-in in-progress, you need to disable external network access until the problem is rectified... not reboot.

I do agree that it is not the most practical option but you have to remember that I'm just talking in a realm of ideals. IMO an ideal would be a system that had a boot time of a few seconds (flash of some sort), was physically write protected, sent all logging to another location and could recycle as often as seemed prudent, even every hour. Before each reboot it could even send a backup image file of the system purely for investigatory usage to the logging server. This might even be done using some sort of memory mirror that was invisible to the system, a PCI card. This satisfies all that we are talking about. The key is a blend of realtime response and uptime. If you are an entity with a 24/7 NOC it is all a different story, but for smaller businesses that have continuing activities but close their offices, this is a better extreme blend. I'm by no means saying this is the only way to do it or the most practical, or practical at all! Just a what-if extreme of ideals.

Nothing is lost other than evidence, but it is more important to stop the crime rather than catch someone after the damage is done and with the logs safe you should have the most important information available.

Mostly true. I don't know that what was logged will provide enough clues as to the method of entry to close the hole, so I want the memory intact if possible just in case.

Covered by the image backup above.

All of this has me wishing to delve deeper into the actual system architecture of the Cisco PIX (the largest FW product I personally have experience with). I'm wondering how all these issues are dealt with in that level of product. Of course that said, I now would prefer to have a LEAF box unless the scale was an issue. I must also add to this discussion that I am no hard core security expert and while I feel comfortable working with musings and ideals, my first hand experience is more limited (PIX, Watchguard, smaller software FWs and now LEAF).

Richard Amerman
RE: Software write-protect (Was: Re: [leaf-user] Floppies)
I would love to use Snort but feared that it was too big. Is it reasonable? And on that thought, has anyone worked with alternative floppy drives like 2MB drives or LS?

Richard Amerman

-Original Message-
From: Mike Noyes [mailto:[EMAIL PROTECTED]]
Sent: Sun 6/30/2002 7:07 AM
To: [EMAIL PROTECTED]
Subject: RE: Software write-protect (Was: Re: [leaf-user] Floppies)

On Sun, 2002-06-30 at 03:50, Erich Titl wrote:
Agreed, but now we have to see how we can stop such a skillful attacker. How can we protect the RAM disks from someone determined enough to upload and execute code bytewise. Anyone can fingerprint the IP stack and scan our system for loopholes. Some firewall products detect this and drop the IP of the attacker immediately until reboot. Do we have such a feature?

Erich, NIDS products PortSentry and Snort will do this. We have packages for both available. However, they aren't installed by default on any of our releases/branches.

PortSentry http://www.psionic.com/products/portsentry.html
Snort http://www.snort.org/

-- Mike Noyes [EMAIL PROTECTED] http://sourceforge.net/users/mhnoyes/ http://leaf-project.org/
RE: Software write-protect (Was: Re: [leaf-user] Floppies)
It seems to me that regardless of what you do to write-protect the medium, you have to flush (restart) the system regularly to be the most secure. This would ideally have to be done by some method that is both independent of the LEAF firewall itself and the systems it is protecting, as these methods could be compromised. If you had a simple hardware timer that recycled the power on the machine every night or on some schedule that makes sense this would work. Now, of course, we are now playing in the land of the ideal, but when dealing with firewalls this should be an option.

Richard Amerman

-Original Message-
From: Erich Titl [mailto:[EMAIL PROTECTED]]
Sent: Sat 6/29/2002 2:08 PM
To: [EMAIL PROTECTED]
Subject: Re: Software write-protect (Was: Re: [leaf-user] Floppies)

Hi

I believe the security concerns are well understood. But if we have someone on our doorstep with the ability Charles pointed out, of course he/she will be able to place some malware on our ram disk. It is not as bad as having an infected non volatile storage but I believe this attacker would be clever enough to fool the poor firewall user and make him feel secure. So even if we have write protected disks we probably would have to reboot periodically or have some other (non foolproof) prevention for such a scenario. Any thoughts ...

regards
Erich

Mike Noyes wrote the following at 19:14 29.06.2002:
On Sat, 2002-06-29 at 08:34, Mike Noyes wrote:
On Sat, 2002-06-29 at 06:15, Manfred Schuler wrote:
one reason for software write protection is that people using flash/hard disk at the moment have no other possibilities. And even if it is not perfect, it is better than nothing.

Manfred, I forgot to mention SCSI as a solution for hard drives. SCSI drives have had the ability to do hardware write-protect for many years.

Manfred, There are alternatives to software write-protect. Current generation flash disks are capable of hardware write-protect. They use two different approaches:

* Custom ATA controllers on the IDE compatible flash disk.
ATA-Disk Module http://www.sst.com/products/58sm_lm.html
ATA-Disk Chip Application Notes http://www.sst.com/superflash/pdf/222.pdf
ATA-Disk Module Product Brief http://www.sst.com/ata_disk/admbrief.pdf
ATA-Disk Module (Apacer) http://www.apacer.com/product/flash/index_adc_adm.html

* A software and hardware combination that changes the write state of the flash disk in hardware.
Secure Disk on Module (SDOM) http://www.pqi.com.tw/eng/ourproduct/sdom.htm

-- Mike Noyes [EMAIL PROTECTED] http://sourceforge.net/users/mhnoyes/ http://leaf-project.org/

THINK
Püntenstrasse 39
8143 Stallikon
mailto:[EMAIL PROTECTED]
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16
[leaf-user] A First LEAF Deployment THANKS
Hi all! It's time to share! I have only been at this for a few weeks but as some of you may have noticed, I have been drawn in and hope to stay. At first it was simply about replacing my existing Watchguard SOHO with something that had a few more capabilities. I was looking at many Linux based setups, mostly things like Astro and Mandrake Security. When I finally found LEAF somehow I knew I was on to something. Regardless of what I did or found in larger systems I knew I had to at least try a LEAF setup. I have now deployed the new firewall in a single step, the only glitches were a few inbound Shorewall rules that had to be tweaked! Everything worked, no problems, and it seems to perform much better. This is what I deployed:

LEAF Bering 1.0 RC2 (I plan on updating soon to RC3 but did not have time now)
External modem for backup fail over (now done with an ifdown ifup manually but I have a script to automate it that is in progress)
Extensive rules for inbound traffic to various web servers, Exchange, SiteScope, VNC, others. I am about to add ssh and VPN soon.
I also deployed my modified Weblet with a bunch of changes I have not yet deployed to the Weblet Dev Demo site.

It has all been a great success and I thank you all for your support (much of it in the past, mining the list archives is a gold mine!) I look forward to working with all of you as I dig deeper into Weblet and other aspects of LEAF. I tried to setup a dev VMWare image last night but it wasn't until 2AM I realized that it does not support the large floppy format. It looks like it may be UML for me or just one of the small old boxes I have laying about.

Thanks!
Richard Amerman
RE: Software write-protect (Was: Re: [leaf-user] Floppies)
All logging should ideally be done off site using a syslog daemon. The most important thing is not to have a breach and second to fix weaknesses. In this situation flushing the memory IS the best solution to ensure this, though it is not the only one, and would rarely be that practical or worth the hassle. Nothing is lost other than evidence, but it is more important to stop the crime rather than catch someone after the damage is done and with the logs safe you should have the most important information available.

Richard Amerman

-Original Message-
From: Jeff Newmiller [mailto:[EMAIL PROTECTED]]
Sent: Sat 6/29/2002 7:28 PM
To: Richard Amerman
Cc: [EMAIL PROTECTED]
Subject: RE: Software write-protect (Was: Re: [leaf-user] Floppies)

On Sat, 29 Jun 2002, Richard Amerman wrote:
It seems to me that regardless of what you do to write-protect the medium, you have to flush (restart) the system regularly to be the most secure. This would ideally have to be done by some method that is both independent of the LEAF firewall itself and the systems it is protecting as these methods could be compromised. If you had a simple hardware timer that recycled the power on the machine every night or on some schedule that makes sense this would work.

I disagree. Flushing ram flushes evidence of disturbances, and does nothing to find or eliminate latent weaknesses.

--- Jeff Newmiller DCN:[EMAIL PROTECTED] Research Engineer (Solar/Batteries/Software/Embedded Controllers)
RE: [leaf-user] Weblet
I currently have a modification that has a new list of all the configuration files on the left side. I have included all the main networking files, modules file, ppp files, and all of shorewall. I did this with a combination of index.html modification (including some cleanup, primarily with an added style entry above that took out all the remaining style info below) and some changes in the showlogsx cgi scripts. I also made a change so that on the individual pages displaying either a config file or a log, the entire path is displayed at the top rather than just the file name. I'm not sure if this is a change for the masses or not. I will need feedback. I also plan on adding a single link to do a configuration dump. This would involve a new cgi file, more than I will be tackling today! :-) I plan on setting up a demo box outside our firewall that everyone can access to check out these changes. I will let the list know when I have this set up.

Richard Amerman

-Original Message-
From: Erich Titl [mailto:[EMAIL PROTECTED]]
Sent: Wed 6/26/2002 1:31 PM
To: [EMAIL PROTECTED]
Subject: Re:[leaf-user] Weblet

Lynn [EMAIL PROTECTED] wrote the following at 20:36 26.06.2002:
Message: 6
From: guitarlynn [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: [leaf-user] Weblet
Date: Tue, 25 Jun 2002 17:14:05 -0500

On Tuesday 25 June 2002 16:57, Richard Amerman wrote:
Has anyone made any modifications to weblet that displays configuration files? How about adding authentication to weblet?

I'm starting some work on one for Dachstein, but I'm starting from scratch on it. I think someone had come up with something that worked with Bering in some form, but there was no link or email left to get it (that I know of). In any case, to do it securely there is a lot of additions and work to create one.

Mosquito only uses web-configuration, it might be worth a try. I am playing around with weblet to get some kind of a web based configuration. Authentication is certainly an issue there and I am very interested in anything that should come up in that aspect. Does anyone know why the cgi-bin/whatever.cgi?parameter1=value1&parameter2=value2 passing in weblet is disabled?

thanks
Erich

THINK
Püntenstrasse 39
8143 Stallikon
mailto:[EMAIL PROTECTED]
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16
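As an added example for the parameter passing Erich asks about (this is not weblet's code and does not describe how weblet handles it), here is how a showlogs-style CGI can accept ?file=NAME and still never let the request choose a path: the value is rejected unless it consists only of letters, digits, dot, underscore and dash, and the accepted name is then looked up in a fixed allowlist that maps it to a file. The key names and the paths behind them are assumptions of the example, as is the sh-httpd/CGI environment (QUERY_STRING and GATEWAY_INTERFACE) it expects.

```shell
#!/bin/sh
# Added example, not weblet code: show one of a fixed set of config files,
# selected by an allowlisted key in the query string.

# query_value QUERY_STRING NAME -> prints the value of NAME (first match).
# Fails if NAME is absent, empty, or contains anything outside [A-Za-z0-9_.-]
# (so "/", "..", "%2e" and whitespace never get past this point).
query_value() {
    qs="$1"; name="$2"
    oldifs="$IFS"; IFS='&'
    for pair in $qs; do
        case "$pair" in
            "$name="*)
                val="${pair#*=}"
                IFS="$oldifs"
                case "$val" in
                    *[!A-Za-z0-9_.-]*|"") return 1 ;;
                esac
                printf '%s\n' "$val"
                return 0 ;;
        esac
    done
    IFS="$oldifs"
    return 1
}

# resolve_file KEY -> prints the path for a known KEY, fails for anything
# else. The browser only ever sees the keys; paths stay server-side.
resolve_file() {
    case "$1" in
        interfaces)       echo /etc/network/interfaces ;;   # assumed paths
        modules)          echo /etc/modules ;;
        shorewall.rules)  echo /etc/shorewall/rules ;;
        shorewall.policy) echo /etc/shorewall/policy ;;
        *) return 1 ;;
    esac
}

bad_request() {
    printf 'Status: 400 Bad Request\r\nContent-Type: text/plain\r\n\r\n%s\n' "$1"
}

# show_config QUERY_STRING -> writes the CGI response for ?file=KEY
show_config() {
    key=$(query_value "$1" file)  || { bad_request "missing or malformed file="; return 1; }
    path=$(resolve_file "$key")   || { bad_request "unknown file: $key"; return 1; }
    printf 'Content-Type: text/plain\r\n\r\n'
    printf '### %s\n' "$path"      # full path at the top, as in the changes above
    cat "$path"
}

# Only act when started by a CGI-capable server.
case "${GATEWAY_INTERFACE:-}" in
    CGI/*) show_config "${QUERY_STRING:-}" ;;
esac
```

Because the only thing derived from the request is a key that is matched against string literals, adding a file to the page means adding a line to resolve_file; nothing a client sends can reach cat unchanged.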
[leaf-user] Bering RC2 Boot Hang
I was working on some changes to my Bering setup, adding serial console support, when I ran into a problem. I added serial.o and added serial 1 19200 1 to the top of my syslinux.cfg file. I also made the other changes in Charles's Serial Link HowTo. When I rebooted my system now hangs at:

LINUXRC: Installing - root

I double checked my syslinux.cfg file and can not find anything. Any ideas?

Thanks!
Richard Amerman
[leaf-user] Shorewall 1.3.1
Has anyone tried to use the Shorewall 1.3.1 lrp with Bering 1.0 rc2?

Richard Amerman
[leaf-user] (no subject)
This might or might not be a bit off topic, but the machine I have been working on with my Bering setup is connected to a Belkin KVM switch. Fairly often when I switch to another machine and then back to the Bering machine it loses the keyboard. I have tried many things to get it back but always have to reboot (and as you may have guessed, I have been caught a couple of times with some un-backed up work!) Any ideas? I'm not sure if this has anything in particular to do with the LRP setup, Linux in general, or maybe just hardware.

Thanks!
Richard Amerman
RE: [leaf-user] (no subject) (actually -KVM-Bering-lost keyboard)
I do indeed, as this was formerly (sigh) a W2K dev box. I will give it a try, though I will be backing up before each switch. Thanks! Richard Amerman -Original Message- From: Charles Steinkuehler [mailto:[EMAIL PROTECTED]] Sent: Wed 6/12/2002 10:33 AM To: Richard Amerman; [EMAIL PROTECTED] Cc: Subject: Re: [leaf-user] (no subject) This might or might not be a bit off topic, but the machine I have been working on with my Bering setup is connected to a Belkin KVM switch. Fairly often when I switch to another machine and then back to the Bering machine it loses the keyboard. I have tried many things to get it back but always have to reboot (and as you may have guessed, I have been caught a couple of times with some un-backed up work!) Any ideas? I'm not sure if this has anything in particular to do with the LRP setup, Linux in general, or maybe just hardware. Do you have the mouse hooked up? I had problems like this with the mouse hooked to the KVM when the mouse port was connected to the KVM as well as the KB. Charles Steinkuehler http://lrp.steinkuehler.net http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
[leaf-user] Bering - VPN - Pocket PC
Has anyone had any luck getting Movian VPN for Pocket PC to work with FreeSwan on Bering? My primary need is simply to get VPN to work between Pocket PC and Bering, Movian just looks like one of the best options. Richard Amerman
[leaf-user] Bering DSL + modem failover - default route
As some of you may have noted I am working on a Bering configuration with a main external interface at eth0 of a DSL router and an additional external connection consisting of an external modem for redundant failover. I have had no problem getting the modem to work and it looks like the firewall portion may not be too bad (knock on wood!) but I can't seem to get past the existing defaultroute. How does one change the defaultroute on the fly? I have my pppd setup configured to set the ppp connection as the defaultroute. pppd logs the following message:

    not replacing existing default route to eth0

The only other negative sounding message is the following:

    Cannot determine Ethernet address for proxy ARP

I also experimented with settings in the interfaces config file in the ppp0 interface section. The default is

    auto ppp0
    iface ppp0 inet ppp
        provider provider

I changed this to:

    auto ppp0
    iface ppp0 inet ppp
        Address xxx.xxx.xxx.xxx
        Masklen 27
        Gateway xxx.xxx.xxx.xxx

I'm not sure this is appropriate but I could not find further documentation on this file to indicate whether I can use these settings with a ppp interface, and even if I can, that it is appropriate. I also added a local:remote entry to the ppp options file and tried the -ip setting to force the use of these settings but the ppp connection was dropped with a message from the ISP to the effect of "No network protocol running". Any ideas?

I'm also working on a script to monitor the DSL connection and bring up the modem connection if it is determined as down. When the DSL connection was restored for a given period of time then the modem would be disconnected. This setup also depends on a secondary MX record pointing to the static IP for the modem connection so mail will still get through. I am definitely working to set this up in the most ideal manner as it seems like this configuration would be useful to contribute.
Richard
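The monitor script described above, written out as an added example (it is not code from the thread or from the LEAF project). It assumes the interface names used in the thread (eth0 for the DSL link, ppp0 for the modem), an ifupdown stanza for ppp0 without "auto ppp0" so the modem is not dialed at boot, and iproute's ip command (which Shorewall already requires). The DSL gateway, probe hosts, thresholds and ping flags are placeholders to adjust; busybox ping on an older Bering may lack -I or -w. The decision logic is kept in a side-effect-free function so the hysteresis can be checked without touching routes.

```shell
#!/bin/sh
# Added example, not from the thread: a cron-driven DSL/modem failover
# monitor for a Bering box. Interface names follow the thread (eth0 = DSL,
# ppp0 = modem); the gateway, probe hosts and thresholds are assumptions.

DSL_IF=eth0
DSL_GW=192.0.2.1                    # assumption: the DSL router's LAN-side address
BACKUP_IF=ppp0
PROBES="198.51.100.1 203.0.113.1"   # assumption: hosts expected to answer ping
FAIL_LIMIT=3                        # failed checks in a row before failing over
RESTORE_LIMIT=6                     # good checks in a row before falling back
STATE_FILE=/var/run/dsl-failover.state

# probe_dsl: 0 if any probe host answers a ping sent out the DSL interface.
# Forcing the interface matters: once the default route points at ppp0, a
# plain ping would test the modem path and never notice the DSL coming back.
# (-I and -w are assumptions about the ping binary on the box.)
probe_dsl() {
    for h in $PROBES; do
        ping -c 1 -w 3 -I "$DSL_IF" "$h" >/dev/null 2>&1 && return 0
    done
    return 1
}

# next_state: pure decision logic with hysteresis, free of side effects so it
# can be tested without changing routes.
# Args: mode (primary|backup), probe (up|down), streak (consecutive checks
# that disagree with the current mode). Prints "mode streak action" with
# action in none|failover|restore.
next_state() {
    mode=$1 probe=$2 streak=$3
    case "$mode:$probe" in
        primary:up)   echo "primary 0 none" ;;
        backup:down)  echo "backup 0 none" ;;
        primary:down) streak=$((streak + 1))
                      if [ "$streak" -ge "$FAIL_LIMIT" ]; then echo "backup 0 failover"
                      else echo "primary $streak none"; fi ;;
        backup:up)    streak=$((streak + 1))
                      if [ "$streak" -ge "$RESTORE_LIMIT" ]; then echo "primary 0 restore"
                      else echo "backup $streak none"; fi ;;
        *)            echo "primary 0 none" ;;   # unreadable state file: start over
    esac
}

# wait_for_if: poll until the interface exists (pppd needs time to dial).
wait_for_if() {
    i=0
    while [ "$i" -lt 30 ]; do
        ip link show "$1" >/dev/null 2>&1 && return 0
        i=$((i + 1)); sleep 2
    done
    return 1
}

# apply_action: the only function that changes the system. pppd's
# 'defaultroute' option logs "not replacing existing default route" instead
# of overriding one, so the route is swapped here explicitly.
apply_action() {
    case "$1" in
        failover)
            ifup "$BACKUP_IF" && wait_for_if "$BACKUP_IF" &&
                ip route replace default dev "$BACKUP_IF"
            ;;
        restore)
            ip route replace default via "$DSL_GW" dev "$DSL_IF" &&
                ifdown "$BACKUP_IF"
            ;;
    esac
}

run_once() {
    mode=primary; streak=0
    [ -r "$STATE_FILE" ] && read -r mode streak < "$STATE_FILE"
    if probe_dsl; then probe=up; else probe=down; fi
    set -- $(next_state "$mode" "$probe" "$streak")
    echo "$1 $2" > "$STATE_FILE"
    [ "$3" != none ] && logger -t dsl-failover "DSL $probe: $3"
    apply_action "$3"
}

# Run as 'dsl-failover.sh check' from cron (e.g. every minute); without the
# argument the file only defines the functions.
case "${1:-}" in check) run_once ;; esac
```

Two things to keep in mind with this design: while the default route points at ppp0, hosts connecting inbound to the DSL static address get their replies sent out the modem link with the wrong source address, so the secondary MX on the modem address is what keeps mail flowing during an outage; if both links must accept inbound connections at the same time, a per-source-address routing table (ip rule / ip route ... table) is needed on top of this script. Second, the script runs as root from cron, so keep it mode 0700 and owned by root, since anything able to edit it controls the firewall's routing.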
RE: [leaf-user] Bering DSL + modem failover - default route
George, good to hear from you! We do appear to be working on the same thing, other than the T-1/DSL vs DSL/modem difference. I'm starting from the same scripts from the Detecting Disconnected Network thread. Right now I'm focusing on the routing issue and I need to get a bunch of shorewall rules set up. Let me know if you make any progress on the script. If I get anywhere on the routing issue I'll let you know stat. We will have to keep the list posted on our efforts. I'm also very interested in contributing this configuration with solid documentation. I'm willing to do quite a bit if not all the documentation if we could both take good notes. I'm not sure what form this would take, maybe a couple of scripts in addition to the configuration files, one to set up the needed cron job and any other safe configuration changes that can be automated, and the actual monitoring/interface change scripts. Richard Amerman -Original Message- From: George Luft [mailto:[EMAIL PROTECTED]] Sent: Tue 6/11/2002 12:01 PM To: [EMAIL PROTECTED] Cc: Richard Amerman Subject: RE: [leaf-user] Bering DSL + modem failover - default route I wish you well in this endeavor, Richard. I am trying to do basically the same thing. I want to use static DSL as a backup to a T-1 (mainly to maintain connectivity to/from our mail server), and I keep bumping into the issue of the default gateway. I think we'll end up using a script to test connectivity to various hosts as was discussed in the Detecting Disconnected Network thread. Perhaps we can figure it out together... -Original Message- From: Richard Amerman [mailto:[EMAIL PROTECTED]] Sent: Tuesday, June 11, 2002 2:43 PM To: [EMAIL PROTECTED] Subject: [leaf-user] Bering DSL + modem failover - default route As some of you may have noted I am working on a Bering configuration with a main external interface at eth0 of a DSL router and an additional external connection consisting of an external modem for redundant failover.
I have had no problem getting the modem to work and it looks like the firewall portion may not be too bad (knock on wood!) but I can't seem to get past the existing defaultroute. How does one change the defaultroute on the fly? I have my pppd setup configured to set the ppp connection as the defaultroute. pppd logs the following message: not replacing existing default route to eth0 The only other negative sounding message is the following: Cannot determine Ethernet address for proxy ARP I also experimented with settings in the interfaces config file in the ppp0 interface section. The default is auto ppp0 iface ppp0 inet ppp provider provider I changed this to : auto ppp0 iface ppp0 inet ppp Address xxx.xxx.xxx.xxx Masklen 27 Gateway xxx.xxx.xxx.xxx I'm not sure this is appropriate but I could not find further documentation on this file to indicate whether I can use these settings with a ppp interface, and even if I can, that it is appropriate. I also added a local:remote entry to the ppp options file and tried the -ip setting to force the use of these settings but the ppp connection was dropped with a message from the ISP to the effect of No network protocol running. Any ideas? I'm also working on a script to monitor the DSL connection and bring up the modem connection if it is determined as down. When the DSL connection was restored for a given period of time then the modem would be disconnected. This setup also depends on a secondary MX record pointing to the static IP for the modem connection so mail will still get through. I am definitely working to set this up in the most ideal manner as it seems like this configuration would be useful to contribute. Richard
RE: [leaf-user] LEAF Bering- DSL with Modem fallback
I have been combing the list archive for info and it seems clear that configuring at least Dachstein or other than Bering with two active external interfaces is indeed a daunting task. Getting the two interfaces to work looks fairly easy, it is then all about the firewall. A fairly inelegant way of accomplishing this seems to be a second set of configuration files for the backup interface, some file replacement by the script, and restarting shorewall. I'm wondering if there is anything specific to iptables and Bering in particular that would facilitate this entire process. Thanks for any ideas or comments! I hope to come up with a solid configuration for this setup that I can contribute and document. I have talked to a couple of friends who have been doing LEAF for a while and they are very excited at the prospect of this configuration. Richard -Original Message- From: Richard Amerman Sent: Wed 6/5/2002 7:37 PM To: [EMAIL PROTECTED] Cc: Subject: [leaf-user] LEAF Bering- DSL with Modem fallback I'm in the process of configuring a Bering setup to replace our Watchguard SOHO. A recent prolonged outage of our DSL network has complicated the issue. I need to set up my LEAF to use the DSL link on eth0, have a script check the connection at a regular interval, restart the network once in case that is the problem, bring up a modem connection with ppp and use that until the DSL connection is restored. I have read the Detecting Disconnected Network thread and the scripts there cover some of the ground (Kiril, if you read this, your final script would be great to have!), I have the info on setting up the ppp/modem part, but the rest could use some help. I'm primarily hoping that someone has done exactly this configuration. Thanks Richard RBA International
RE: [leaf-user] LEAF Bering- DSL with Modem fallback
I appreciate the reply Tom! You have just caught me digging through your Shorewall site in search of hints on this very topic. I have also just downloaded the Shorewall 1.3.1 lrp and was about to send a message to the LEAF list to see if anyone had tried using this version with the most recent Bering. The reason I had not assumed that using the two external interfaces either simultaneously or in failover was automatically possible with Shorewall was due to a series of messages from the LEAF list archive that seemed to indicate (always with Dachstein or some other LEAF than Bering that use ipchains) the firewall part of this puzzle was either not do-able or problematic. Since I am fairly new to LEAF and Shorewall, I wanted to find information to build my confidence that this was possible before digging in too deep. I must say I am becoming addicted to both the prospects and my experiences to date of both LEAF Bering and Shorewall. Coming from a Cisco PIX background this is refreshing! Richard -Original Message- From: Tom Eastep [mailto:[EMAIL PROTECTED]] Sent: Fri 6/7/2002 11:07 AM To: Richard Amerman Cc: [EMAIL PROTECTED] Subject: RE: [leaf-user] LEAF Bering- DSL with Modem fallback On Fri, 7 Jun 2002, Richard Amerman wrote: I have been combing the list archive for info and it seems clear that configuring at least Dachstein or other than Bering with two active external interfaces is indeed a daunting task. Getting the two interfaces to work looks fairly easy, it is then all about the firewall. A fairly inelegant way of accomplishing this seems to be a second set of configuration files for the backup interface, some file replacement by the script, and restarting shorewall. Why don't you just define two external interfaces to Shorewall to start with? There should be no need to restart it.
-Tom -- Tom Eastep\ Shorewall - iptables made easy AIM: tmeastep \ http://www.shorewall.net ICQ: #60745924 \ [EMAIL PROTECTED]
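What Tom's suggestion looks like in practice, as an added example that is not from the thread or from Shorewall's own documentation: both external links are declared up front in the same "net" zone, so the ruleset never has to be regenerated when the default route moves. The file layout and column names assume a Shorewall 1.3-era install; eth1 as the LAN interface and the policy lines are assumptions for illustration.

```text
# /etc/shorewall/zones
#ZONE   DISPLAY   COMMENTS
net     Net       Internet (DSL or modem)
loc     Local     Internal LAN

# /etc/shorewall/interfaces
# Both external links sit in the same zone. ppp0 gets "-" in the BROADCAST
# column because "detect" cannot work while the modem link is down at start.
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      norfc1918
net     ppp0        -           norfc1918
loc     eth1        detect

# /etc/shorewall/masq
# One entry per external link: the LAN is masqueraded behind whichever
# interface currently carries the default route.
#INTERFACE   SUBNET   ADDRESS
eth0         eth1
ppp0         eth1

# /etc/shorewall/policy
#SOURCE   DEST   POLICY   LOG LEVEL
loc       net    ACCEPT
net       all    DROP     info
all       all    REJECT   info
```

Because iptables accepts rules for an interface that does not exist yet, the ppp0 rules are installed at "shorewall start" and simply become live when pppd brings the link up. Leave the routefilter option off the two external interfaces: with a single default route, reverse-path filtering would drop packets arriving on the link that is not currently the default, which is exactly the inbound-mail case the secondary MX is meant to cover.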
[leaf-user] LEAF Bering- DSL with Modem fallback
I'm in the process of configuring a Bering setup to replace our Watchguard SOHO. A recent prolonged outage of our DSL network has complicated the issue. I need to set up my LEAF to use the DSL link on eth0, have a script check the connection at a regular interval, restart the network once in case that is the problem, bring up a modem connection with ppp and use that until the DSL connection is restored. I have read the Detecting Disconnected Network thread and the scripts there cover some of the ground (Kiril, if you read this, your final script would be great to have!), I have the info on setting up the ppp/modem part, but the rest could use some help. I'm primarily hoping that someone has done exactly this configuration. Thanks Richard RBA International