RE: [leaf-user] CONNMARK in uClibc

2005-10-31 Thread Richard Amerman
Tom, KP,

Thanks for the help last week.

It turned out that indeed the CONNMARK.o module was not loading.

It turned out that I had two copies of the same file, one named
connmark.o the other CONNMARK.o

This was due to the known issue with extracting files in Windows as I
used the CD ISO image to upgrade from a beta to rc1. I just copied over
the newer files to my CF card.

After your help I took a closer look at the files to find out the
error. I then copied over the right file and it loads fine now.

I have yet to set up and test my load balancing setup but shorewall and
lsmod both reported that the modules loaded fine.

Thanks for all your help!

Richard

 -Original Message-
 From: KP Kirchdoerfer [mailto:[EMAIL PROTECTED] 
 Sent: Thursday, October 27, 2005 1:10 AM
 To: leaf-user@lists.sourceforge.net
 Subject: Re: [leaf-user] CONNMARK in uClibc
 
 
 Am Donnerstag, 27. Oktober 2005 00:21 schrieb Richard Amerman:
  Thanks Tom,
 
   -Original Message-
   From: Tom Eastep [mailto:[EMAIL PROTECTED]
  
   On Wednesday 26 October 2005 14:40, Richard Amerman wrote:
    That command includes the following:
   
    CONNMARK target v1.3.3 options:
      --set-mark value[/mask]   Set conntrack mark value
      --save-mark [--mask mask] Save the packet nfmark in the connection
      --restore-mark [--mask mask]  Restore saved nfmark value
   
   That confirms that the problem is definitely in the kernel then. Try
   this at a shell prompt:
  
   iptables -t mangle -N foo
 
  No output
 
   iptables -t mangle -A foo -j CONNMARK --save-mark
 
  Output:
  iptables: No chain/target/match by that name
 
   What error message is generated?
 
  No errors other than the output from the second command (which may be
  an error, but I do not know CONNMARK so don't know)
 
   What is the output of 'lsmod | grep CONNMARK' ?
 
  No Output
 
 Richard; 
 for whatever reason, you do not load the modules.
 
 I did a quick test with the ISO image and copied the connmark modules 
 to /lib/modules, added both to /etc/modules, ran 
 /etc/init.d/modutils and both were loaded. shorewall and lsmod had
 the expected output.
 
 Make sure you do load the modules.
 kp
 
 
 
 


---
This SF.Net email is sponsored by the JBoss Inc.
Get Certified Today * Register for a JBoss Training Course
Free Certification Exam for All Training Attendees Through End of 2005
Visit http://www.jboss.com/services/certification for more information

leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/
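A POSIX sh pre-flight check for the failure found in this thread, written as an added example (it is not from the list or the LEAF project): it flags module files whose names differ only in case yet hold identical bytes, which is what extracting the ISO on a case-insensitive filesystem such as Windows leaves behind, and it checks a saved lsmod listing for the exact, case-sensitive module names. The sample module directory and lsmod output are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or the LEAF project. Assumes a POSIX sh
# with awk, cksum and mktemp; module file names contain no whitespace.

# check_case_pairs DIR
# For every pair of files in DIR whose names differ only in case, print
#   DUPLICATE a b   when both hold identical bytes (one is a clobbered copy,
#                   the symptom of extracting the ISO on a case-insensitive
#                   filesystem)
#   OK        a b   when they differ (the normal state for a 2.4 netfilter
#                   match/target pair such as ipt_connmark.o / ipt_CONNMARK.o)
check_case_pairs() {
    dir=$1
    ls -1 "$dir" |
        awk '{ k = tolower($0); if (k in first) print first[k], $0; else first[k] = $0 }' |
        while read -r a b; do
            if [ "$(cksum < "$dir/$a")" = "$(cksum < "$dir/$b")" ]; then
                echo "DUPLICATE $a $b"
            else
                echo "OK $a $b"
            fi
        done
}

# missing_modules LSMOD_FILE MODULE...
# Print each MODULE that does not appear in the first column of a saved
# `lsmod` listing. The kernel matches module names case-sensitively, so a
# loaded ipt_connmark (the match) does not satisfy ipt_CONNMARK (the target).
# Returns 1 if anything is missing.
missing_modules() {
    lsmod_file=$1; shift
    rc=0
    for m in "$@"; do
        if ! awk -v m="$m" 'NR > 1 && $1 == m { found = 1 } END { exit !found }' "$lsmod_file"; then
            echo "$m"
            rc=1
        fi
    done
    return $rc
}

# make_fixture
# Build a constructed module directory and lsmod listing under a temp dir and
# print that dir: the ipt_ match/target pair differs, connmark.o and CONNMARK.o
# are byte-identical copies, and lsmod shows only the match loaded.
make_fixture() {
    tmp=$(mktemp -d)
    mkdir "$tmp/modules"
    echo "match module bytes"  > "$tmp/modules/ipt_connmark.o"
    echo "target module bytes" > "$tmp/modules/ipt_CONNMARK.o"
    echo "match module bytes"  > "$tmp/modules/connmark.o"
    echo "match module bytes"  > "$tmp/modules/CONNMARK.o"
    echo "other bytes"         > "$tmp/modules/iptable_mangle.o"
    cat > "$tmp/lsmod.txt" <<'EOF'
Module                  Size  Used by
ipt_connmark            1120   0 (unused)
iptable_mangle          2176   0 (unused)
ip_conntrack           26944   1 [ipt_connmark]
EOF
    echo "$tmp"
}

# Run both checks against the fixture when invoked as: RUN_DEMO=1 sh thisfile
if [ "${RUN_DEMO:-0}" = 1 ]; then
    fx=$(make_fixture)
    check_case_pairs "$fx/modules"
    missing_modules "$fx/lsmod.txt" ipt_connmark ipt_CONNMARK || echo "-> load the modules listed above"
fi
```

Run `check_case_pairs /lib/modules` on the CF card and `missing_modules` against a saved `lsmod` after `/etc/init.d/modutils` to catch the same problem before shorewall reports the target as unavailable.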


RE: [leaf-user] CONNMARK in uClibc

2005-10-26 Thread Richard Amerman

 The Extended MARK Target is irrelevant -- nothing in Shorewall currently uses
 it and detection and reporting of that capability are removed in Shorewall
 3.0.
 
 Does iptables -j CONNMARK --help display CONNMARK-related help? 
 
 -Tom
Tom: Thanks for the reply

That command includes the following:

CONNMARK target v1.3.3 options:
  --set-mark value[/mask]   Set conntrack mark value
  --save-mark [--mask mask] Save the packet nfmark in the connection
  --restore-mark [--mask mask]  Restore saved nfmark value

Richard

 -Original Message-
 From: Richard Amerman 
 Sent: Monday, October 24, 2005 2:46 PM
 To: leaf-user@lists.sourceforge.net
 Subject: [leaf-user] CONNMARK in uClibc
 
 
 I'm trying to use the Shorewall load balancing per: 
 http://www.shorewall.net/Shorewall_and_Routing.html#id2460800
 
 I can't get connmark to load properly.
 
 I have the rc1 build and made sure I have both the upper and 
 lower case ipt_connmark.o files, in my case, from the CD ISO.
 
 I have both connmark modules loaded (I assume, I see no
 kernel messages positive or negative)
 
 I tried them in either order.
 
 I'm loading them after all the other ipt_ modules.
 
 When I restart shorewall I still get:
 
 Extended MARK Target: Not available
 CONNMARK Target: Not available
 Connmark Match: Available
 




RE: [leaf-user] CONNMARK in uClibc

2005-10-26 Thread Richard Amerman
Thanks Tom,

 -Original Message-
 From: Tom Eastep [mailto:[EMAIL PROTECTED] 

 
 On Wednesday 26 October 2005 14:40, Richard Amerman wrote:
 
 
  That command includes the following:
 
  CONNMARK target v1.3.3 options:
--set-mark value[/mask]   Set conntrack mark value
--save-mark [--mask mask] Save the packet nfmark in 
 the connection
--restore-mark [--mask mask]  Restore saved nfmark value
 
 
 That confirms that the problem is definitely in the kernel then. Try this
 at a shell prompt:
 
 iptables -t mangle -N foo
No output

 iptables -t mangle -A foo -j CONNMARK --save-mark
Output:
iptables: No chain/target/match by that name

 
 What error message is generated?
No errors other than the output from the second command (which may be an
error, but I do not know CONNMARK so don't know)

 
 What is the output of 'lsmod | grep CONNMARK' ?
No Output

Thanks,

--Richard




[leaf-user] CONNMARK in uClibc

2005-10-24 Thread Richard Amerman
I'm trying to use the Shorewall load balancing per:
http://www.shorewall.net/Shorewall_and_Routing.html#id2460800

I can't get connmark to load properly.

I have the rc1 build and made sure I have both the upper and
lower case ipt_connmark.o files, in my case, from the CD ISO.

I have both connmark modules loaded (I assume, I see no
kernel messages positive or negative)

I tried them in either order.

I'm loading them after all the other ipt_ modules.

When I restart shorewall I still get:

Extended MARK Target: Not available
CONNMARK Target: Not available
Connmark Match: Available

Any further ideas?





[leaf-user] Bering uClibc IPSEC VPN issues

2005-10-06 Thread Richard Amerman
We have been running a leaf firewall for about 3 years or more. Most of
that time it has been a Bering 1.0 RCx of some kind (can't remember the
exact release).

We just upgraded to a new machine running Bering uClibc 2.3-rc1 from CF.
I built this image using primarily the uClibc ISO image as my basis.

It runs great with no issues other than the new VPN issue.

We have been connecting from PC's inside the firewall to a remote
location running Juniper networks NetScreen and until this week have had
no problems.

The problem is intermittent and cannot be consistently reproduced, but
what is consistent is the lack of an issue when connecting from outside
the firewall or if you either reboot the firewall or do a shorewall
clear to flush things out.

We have spent days trying to figure out the issue and it does indeed
look like it is the firewall though we have no clear understanding of
the exact problem, or more importantly, the fix.

Does anyone have any pointers or ideas? Any known issues?

I have been searching the list archives but have not found anything
clear.

Thanks,

Richard Amerman
RBA International
703 Broadway, Suite 600
Vancouver, WA 98660
360-696-9272 x440
[EMAIL PROTECTED] 




RE: [leaf-user] Bering uClibc IPSEC VPN issues

2005-10-06 Thread Richard Amerman
One thing I forgot to mention is that we are using OpenVPN with our
firewall as the terminating VPN server (works fantastic). Not sure if
it is possible for this configuration to interfere with host (behind our
firewall) to remote VPN gateway communication but thought it would be
worth mentioning.

After reading this:
http://www.shorewall.net/VPNBasics.html

It made me think this may be possible.

Richard

 -Original Message-
 From: Richard Amerman 
 
 We have been running a leaf firewall for about 3 years or 
 more. Most of that time it has been a Bering 1.0 RCx of some 
 kind (can't remember the exact release).
 
 We just upgraded to a new machine running Bering uClibc 
 2.3-rc1 from CF. I built this image using primarily the 
 uClibc ISO image as my basis.
 
 It runs great with no issues other than the new VPN issue.
 
 We have been connecting from PC's inside the firewall to a 
 remote location running Juniper networks NetScreen and until 
 this week have had no problems.
 
 The problem is intermittent and cannot be consistently 
 reproduced, but what is consistent is the lack of an issue 
 when connecting from outside the firewall or if you either 
 reboot the firewall or do a shorewall clear to flush things out.
 
 We have spent days trying to figure out the issue and it does 
 indeed look like it is the firewall though we have no clear 
 understanding of the exact problem, or more importantly, the fix.
 
 Does anyone have any pointers or ideas? Any known issues?
 
 I have been searching the list archives but have not found 
 anything clear.




RE: [leaf-user] Bering uClibc IPSEC VPN issues

2005-10-06 Thread Richard Amerman
Thanks for the reply Arne,

 -Original Message-
 From: Arne Bernin [mailto:[EMAIL PROTECTED] 

 I do not really understand what your problem is. Maybe you 
 could explain it a bit more... You have problems after reboot 
 or you fix the problems with a reboot? 
 You are using standard IPSEC for this connection (no NAT-T)? 
We are using the NetScreen-Remote client from behind our firewall to
connect to a remote NetScreen Firewall/VPN box at our hosting facility.

Was working fine.

 What exactly is going wrong ? Are you using masquerading ?
Everything is masqueraded behind the firewall so we are using NAT-T and
the NetScreen client does seem to be using this.

When things do not go OK some of the symptoms are that the firewall
still recognizes that there is a connection from the client in question
to the remote VPN box so no entry is written in the FW log (we have all
Policies logging for now to help troubleshoot). I have used Snort
(installed on the firewall) to sniff the traffic to the VPN client when
it is trying to connect and it is getting packets from the remote VPN
box but appears to be ignoring them.

This seems to me to be some case of NAT-T not working properly, the UDP
packets being munged in a way that is not working with the client, or
other similar issues. The problem is that sometimes it works for a while
then it doesn't for a bit. Very inconsistent.

Richard





FW: [leaf-user] Bering uClibc IPSEC VPN issues

2005-10-06 Thread Richard Amerman
 -Original Message-
 From: Arne Bernin [mailto:[EMAIL PROTECTED]

 You might want to use tcpdump for this (well, I never used
 Snort for that, so I don't know if it is easy to use and gets 
 all traffic). If you save the tcpdump output somewhere you 
 can use Ethereal (on Windows or Unix) to take a detailed look
 at what is going on.

I can do this fairly easily with Snort. I did see that when looking at
the inside interface of the FW while a local client was trying to
connect to the VPN but failing, that all the UDP packets arriving at
that host from the remote VPN server were from port 500. This was
using the simplest sniffer mode: snort -v -i eth3 host 192.168.1.120



 
  This seems to me to be some case of NAT-T not working properly, the
  UDP packets being munged in a way that is not working with the client,
  or other similar issues. The problem is that sometimes it works for a
  while then it doesn't for a bit. Very inconsistent.
  
 
 I have one suggestion that might be the case, I am not sure.
 But I have a similar problem on a remote site and after 
 exploring it a bit, it seems that the masquerading/SNAT code 
 in the Linux kernel has a bug when masquerading UDP packets. 
 This leads to some packets not properly masqueraded/SNATed 
 and this - could - be the problem you are experiencing. It 
 would be interesting to take a look with tcpdump on the 
 external interface if you run into this problem again. The 
 packets you will see there should be already masqueraded, so 
 take a look at the IP addresses of the NAT-T packets and 
 especially the port numbers. There may be a problem if the 
 NAT-T IPsec packets do not come from port 500 on the NetScreen side.
 This UDP SNAT problem is already reported to the netfilter 
 team (bug id=390), you can take a look at it under 
 bugzilla.netfilter.org...

I'll take a closer look at this issue.

Thanks
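Arne's suggestion above, turned into an added POSIX sh check that is not part of the thread: read a text capture taken on the external interface and report IKE/NAT-T datagrams that still carry an inside source address, i.e. that left the box without being masqueraded. The capture lines are constructed, with 198.51.100.7 standing in for the firewall's external address and 203.0.113.5 for the remote VPN gateway.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes a POSIX sh with awk and text
# in the shape `tcpdump -n -i <ext-if> udp` prints:
#   "HH:MM:SS.us IP a.b.c.d.port > e.f.g.h.port: ..."
# captured on the firewall's external (masquerading) interface.

# unsnated_isakmp CAPTURE_FILE INTERNAL_PREFIX
# Print every IKE / NAT-T datagram (UDP source port 500 or 4500) whose source
# address still starts with INTERNAL_PREFIX. Seen on the external interface,
# such a packet was not masqueraded, the symptom Arne describes.
# INTERNAL_PREFIX is a plain string prefix such as "192.168.", not a CIDR.
unsnated_isakmp() {
    awk -v pfx="$2" '
        $2 == "IP" {
            n = split($3, s, ".")            # "192.168.1.120.4500" -> 4 octets + port
            if (n != 5) next
            src = s[1] "." s[2] "." s[3] "." s[4]
            sport = s[5]
            dst = $5; sub(/:$/, "", dst)     # drop the trailing colon tcpdump prints
            if ((sport == "500" || sport == "4500") && index(src, pfx) == 1)
                print $1, src ":" sport, "->", dst
        }' "$1"
}

# make_capture
# Write a constructed capture (not real traffic) and print its path. The third
# line is the bad one: the inside client 192.168.1.120 appears unmasqueraded.
make_capture() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
12:00:01.000001 IP 198.51.100.7.500 > 203.0.113.5.500: isakmp: phase 1 I ident
12:00:01.000002 IP 203.0.113.5.500 > 198.51.100.7.500: isakmp: phase 1 R ident
12:00:02.000003 IP 192.168.1.120.4500 > 203.0.113.5.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick
12:00:02.000004 IP 198.51.100.7.4500 > 203.0.113.5.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick
12:00:03.000005 IP 198.51.100.7.1024 > 203.0.113.5.53: 1234+ A? example.invalid. (33)
EOF
    echo "$f"
}

# Run against the constructed capture when invoked as: RUN_DEMO=1 sh thisfile
if [ "${RUN_DEMO:-0}" = 1 ]; then
    unsnated_isakmp "$(make_capture)" 192.168.
fi
```

On the firewall, feed it `tcpdump -n -i <ext-if> udp port 500 or udp port 4500` output saved to a file while the client is failing; any line printed is a packet the SNAT code let through untranslated.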
 




RE: [leaf-user] Bering uClibc IPSEC VPN issues

2005-10-06 Thread Richard Amerman
Thanks for the pointer Eric,

I'm assuming that you indicate this as a possible solution to a high
level of traffic or high count of connections, but I doubt this would be
the problem for us.

We have only 20-30 computers behind this firewall which seems like a
fairly low number in the scheme of things.

I'll take a look at this though.

Thanks!

Richard

 -Original Message-
 From: Eric Spakman [mailto:[EMAIL PROTECTED] 
 Sent: Thursday, October 06, 2005 1:13 PM
 To: Richard Amerman
 Cc: Arne Bernin; Leaf-User
 Subject: RE: [leaf-user] Bering uClibc IPSEC VPN issues
 
 
 Hello Richard,
 
 Not sure if this is your problem, but did you take a look at: 
 http://leaf.sourceforge.net/doc/guide/bucu-conntrack.html
 
 Eric
 
 
 
  Thanks for the reply Arne,
 
 
  -Original Message-
  From: Arne Bernin [mailto:[EMAIL PROTECTED]
 
 
   I do not really understand what your problem is. Maybe you could 
   explain it a bit more... You have problems after reboot or you fix 
   the problems with a reboot? You are using standard IPSEC for this 
   connection (no NAT-T)?
   We are using the NetScreen-Remote client from behind our firewall to 
   connect to a remote NetScreen Firewall/VPN box at our hosting 
   facility.
  
   Was working fine.
  
  
   What exactly is going wrong? Are you using masquerading?
  
   Everything is masqueraded behind the firewall so we are using NAT-T 
   and the NetScreen client does seem to be using this.
  
   When things do not go OK some of the symptoms are that the firewall 
   still recognizes that there is a connection from the client in 
   question to the remote VPN box so no entry is written in the FW log 
   (we have all Policies logging for now to help troubleshoot). I have 
   used Snort (installed on the firewall) to sniff the traffic to the VPN 
   client when it is trying to connect and it is getting packets from the 
   remote VPN box but appears to be ignoring them.
  
   This seems to me to be some case of NAT-T not working properly, the 
   UDP packets being munged in a way that is not working with the client, 
   or other similar issues. The problem is that sometimes it works for a 
   while then it doesn't for a bit. Very inconsistent.
 
  Richard
 
 
 
 




[leaf-user] Snort on uClibc

2005-09-30 Thread Richard Amerman
We have just upgraded our firewall from a 2+ year old Bering floppy on
an old 486 to a uClibc 2.3-rc1 box with CF.

Among other things I have set up Snort, the 2.2 version that came on the
ISO image for 2.3-rc1.

Q1: Does anyone have a more recent version of Snort available for
uClibc?

Q2: Does anyone running Snort on a Bering box have any pointers or tips
from their experience?

I only have it looking at the outside interface with tcp-dump and CSV
logging.

Thanks,

Richard Amerman




RE: [leaf-user] Security and LEAF Bering UClibc

2005-08-03 Thread Richard Amerman
Martin,

Thanks for the reply!

 -Original Message-
 From: Martin Hejl [mailto:[EMAIL PROTECTED] 
 
 I surely see your point (at my day job, I work with many 
 people where an SLA, or at least having a company to hold 
 responsible is the main issue).
 
 The company I work for (http://www.guh-software.de - no 
 advertising intended, just so you know which company I'm 
 talking about) is thinking about offering a subscription 
 based model for receiving timely security updates for leaf 
 Bering uClibc. The reason for that is that we're also looking 
 into the possibility of marketing hardware with Bering uClibc 
 installed, and for such a product, some sort of update 
 service would be mandatory anyway.
 
 It has not been decided yet if that will actually happen (I 
 guess it also depends on how much interest there is in such a 
 service).
 
 If you (or anybody else) are interested in such a service, 
 please contact me off-list for details on what exactly we're 
 thinking about, as well as the costs involved (it will not 
 cost a huge amount, but it will _definitely_ not be offered 
 for free). 

I think that if you could justify going forward with your idea, or if
others came on board and something independent could be done, this would
be great. I think this is a situation where both the established free/OS
community side of LEAF and your business, and other similar businesses
can all win.

If you were to provide the Lip's in CVS and submit notification for each
update to a new list, then you could still offer a wonderful VA product
that keeps track of the modules used by a particular subscriber,
notifies them via email when one of their modules needs to be updated,
including a link to the file, and possibly even offering an automated
update mechanism that could be turned on using a special LRP you
provide, for each LRP the end user wants to keep up-to-date. OK, that
last bit may be a bit much, but the point I'm trying to make is that a
balance could be maintained between a base level that could benefit
everyone, and a pay level that anyone that has the $ could not afford to
be without (including possibly me).

This slightly higher level of service to the general LEAF community
would also make it more attractive for other LEAF developers to get
involved in this mini project so that the entire thing was not just on
the shoulders of one company.

Just some thoughts.

Richard Amerman




RE: [leaf-user] Security and LEAF Bering UClibc

2005-08-03 Thread Richard Amerman
Martin,

 -Original Message-
 From: Martin Hejl [mailto:[EMAIL PROTECTED] 

 I understand what you're saying - and I guess the framework 
 (scripts to handle the update process) would surely make their 
 way into the Bering uClibc distro. At this point, I'm just 
 not sure if there's enough interest in the leaf userbase to 
 warrant spending business hours on this (I already spend much 
 of my spare time on Bering uClibc, but that's a different matter :-))
 
 As I said - nothing is set in stone at this point, we're 
 still in the decision making process, so we're surely open 
 for suggestions. In the end, it all comes down to the fact 
 that we need to make sure we're not putting in a lot of money 
 and resources into a project that will not at least create 
 some return over a reasonable amount of time. We're not a 
 huge corporation, so we can't pump huge amounts of cash into 
 a project that will not pay for itself at some point. If a 
 model where people pay for the premium service 
 (notification of updated packages, maybe even a push model 
 for some sort of auto-update - even though I have rather 
 strong reservations about updates being installed without the 
 administrator knowing about it) works even if the same 
 packages are published for free on the website, I don't see 
 why things couldn't be done that way.

I think you're on track with the key point that it all depends on what the
interest would be. I have no doubts that it would be fairly easy to
create enough value added for a premium service that anyone with $ could
not live without. The question is just how many of these people are
there?

To put it another way, how many LEAF firewalls are deployed in
production by companies or other NGO's? I think that every one of these
entities would be hard pressed to not buy into such a service if it was
cheap and provided otherwise unavailable assurances that their LEAF
install is secure.

As to the service, I guess you would have to monitor one or more sources
that track security issues and other vulnerabilities in Linux programs
and match them up against what is included in each of one or more uClibc
versions to determine if any updated LRP's need to be created and
disseminated.

This service could also include notices of issues that may not require a
new LRP but may have to do with configuration settings that may be
insecure or cause issues.

Can anyone else out there respond with their interest?

Richard




RE: [leaf-user] Security and LEAF Bering UClibc

2005-08-01 Thread Richard Amerman
I'm sure that this topic is not new but it is probably one that should be 
brought up regularly in case there are new options as to how to address the 
issue.

My company, and other companies I work with (and I'm very sure we are not alone 
in this) would find it extremely valuable if there was a system/process where 
all the core LRP's were monitored for security bulletins. When one of these 
bulletins were to be released it would trigger a process of updating the LRP 
ASAP and letting everyone on, what may be a new list, know that the update was 
available, a LEAF errata per se.

I think that people, including us, would contribute $ to see this put together, 
while not making it any kind of premium service, but available to everyone. It 
could just be a voluntary donation thing, or/also involve one or more bounties. 
It would also be valuable if this task was taken on by something other than 
just an individual or group of individuals, but a business that has a large 
stake in things, or some organization with some structure. The idea on this is 
credibility and stability, not only in reality but from a perception standpoint.
(Translate, I have to show my boss something that he can put some faith in.)

What do you think? What kind of discussion has happened in the past on this 
topic? Or what am I missing that is already in place to take care of this? (and 
yes I will be searching the list archive to see what I can find, but we all 
know this is not as simple as it looks.)

Thanks!

Richard Amerman

 -Original Message-
 From: troy [mailto:[EMAIL PROTECTED] 


 How do you handle security patches for packages? For example, 
 if you were running a full Debian distro, a simple apt-get 
 update would ensure that you pull down the latest security 
 patches... What is the approach to making sure UClibc is secure...?  




RE: [leaf-user] CF Card Issues

2005-07-29 Thread Richard Amerman
I now have everything fixed and happy. 

Cpu,

What process do you use to set up your Lex systems? Have you been able
to get USB support or boot off of USB to work? The only thing that has
consistently worked for me is booting off of an IDE CDROM. This is great
and fast in the lab, but not a great option in the field. I would like
to be able to use USB as the solution to restore or do other maintenance
tasks.

Now that I have my CF card repartitioned and formatted with a clean
uClibc setup on it, everything is great. It looks like it was all due to
the lack of umounting before rebooting. I know that often I would backup
some changes and immediately reboot. I'm sure those were some of the
worst cases.

Thanks,

Richard Amerman

 -Original Message-
 From: cpu memhd [mailto:[EMAIL PROTECTED] 

 Auto, LBA, or CHS?
 
 Consider this:
 
 - Your controller is set up for Auto
 
 - Your CF is detected as LBA
 (even though it's <= 512MB, all CFs are supposed to support LBA, my
 understanding)
 
 - Next day, your BIOS is having a bad-hair-day, CF is now 
 detected as CHS (but you don't notice the boot message! - 
 this can be due to BIOS or CF bugs... cabling, etc.)
 
 - You begin to experience problems with corruption, 
 strangeness/weirdness
 
 Could this be the problem? The question is, will the CF boot 
 with the wrong HD parameters? I believe the answer to this 
 is, yes, in some cases.
 
 I have a few Lex CV860s. They detect my SanDisk industrials 
 as LBA. But my newer CV863A detects them as CHS. I hard set <= 
 512MB CFs to CHS. Never a problem.
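The check M Lu recommends further down this thread (verify the mount points before rebooting), as an added POSIX sh example that is not from the list or the LEAF project. The device name /dev/hda, the /cf mount point and the sample mount table are constructed; `safe_reboot` is the only function with side effects and is not exercised by the fixture.

```shell
#!/bin/sh
# Added example, not from the thread or LEAF. Assumes a POSIX sh with awk and a
# /proc/mounts-style listing ("device mountpoint fstype options dump pass").
# DEVICE is matched as a prefix, so /dev/hda covers /dev/hda1, /dev/hda2, ...

# mounted_on DEVICE [MOUNTS_FILE]
# Print the mount points at which DEVICE (or a partition of it) is mounted.
# Returns 1 when it is not mounted anywhere.
mounted_on() {
    awk -v dev="$1" 'index($1, dev) == 1 { print $2; found = 1 } END { exit !found }' \
        "${2:-/proc/mounts}"
}

# preflight_reboot DEVICE [MOUNTS_FILE]
# Returns 0 when DEVICE is not mounted (safe to reboot); otherwise lists the
# offending mount points on stderr and returns 1. Pure check, no side effects.
preflight_reboot() {
    if mps=$(mounted_on "$1" "${2:-/proc/mounts}"); then
        echo "refusing to reboot: $1 still mounted at: $(echo $mps)" >&2
        return 1
    fi
    return 0
}

# safe_reboot DEVICE
# Wrapper to use instead of a bare `reboot` on a box whose configuration lives
# on the CF card: flush buffers, unmount every mount point on DEVICE, then
# reboot. Stops without rebooting if an unmount fails (e.g. a shell still
# sitting in /cf), which is exactly the case that corrupted files in the thread.
safe_reboot() {
    if ! preflight_reboot "$1" 2>/dev/null; then
        sync
        for mp in $(mounted_on "$1"); do
            umount "$mp" || { echo "umount $mp failed, not rebooting" >&2; return 1; }
        done
    fi
    reboot
}

# make_sample_mounts
# Write a constructed /proc/mounts listing (the CF card /dev/hda1 left mounted
# on /cf, as in the thread) and print its path.
make_sample_mounts() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
rootfs / rootfs rw 0 0
/dev/root / ext2 rw 0 0
proc /proc proc rw 0 0
/dev/hda1 /cf msdos rw 0 0
tmpfs /tmp tmpfs rw 0 0
EOF
    echo "$f"
}

# Show the check against the fixture when invoked as: RUN_DEMO=1 sh thisfile
if [ "${RUN_DEMO:-0}" = 1 ]; then
    m=$(make_sample_mounts)
    preflight_reboot /dev/hda "$m" || echo "-> would run: safe_reboot /dev/hda"
fi
```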




[leaf-user] CF Card Issues

2005-07-27 Thread Richard Amerman
I have a Lex NEO CV863A from Hacom. I bought my CF card based on
recommendations for Lexar on this page:
http://www.openbrick.org/openbrick/wiki/cf/view

I have a Lexar Media 512MB CF card p/n 2175 Rev A.

Everything was going very well. I installed a uClibc system primarily
using the CD ISO on the CF card and the firewall was working fine,
though not in production yet.

Recently I made some Shorewall changes and backed them up but when I
rebooted the next time there was no shorewall. It turned out that the
shorwall.lrp file was corrupt.

When I try: tar zxvf shorwall.lrp
I get:  tar: Invalid gzip magic

Soon after I made a new folder called lrpbackup on the CF card. It shows
up though as lrpbacku.
Also when I try ls in that folder my whole SSH session gets corrupted. I
also cannot delete the folder or its contents.

Also when I now try to write to the CF card in this machine, everything
returns:
Cannot create directory `lrpb': Read-only file system

Now I know that I have multiple things that could be wrong, but since my
timeline is very short, I'm supposed to put this FW in production in a
few days, I'm pursuing them in parallel.

One possibility is that the CF card I bought is not ideal.
Another is that the machine has an issue.
Another is that this CF card may be bad.

Some questions:
Does anyone have any specific recommendations on a CF card?
Does anyone have an alternate LRP backup script that keeps backups kind
of like rotating logs (backing up the existing LRP to another folder and
renaming *.lrp.0 type thing)?
Is there anything in hdsupp.lrp to check the health of a drive, like
scandisk?

Any help, ideas, or shared experiences would be helpful.

I did call Hacom and they do use Lexar but mainly use Kingston Elite Pro
CF cards now. I'm thinking of just buying two of them.

Thanks,

Richard Amerman
RBA International
703 Broadway, Suite 600
Vancouver, WA 98660
360-696-9272 x440
[EMAIL PROTECTED] 




RE: [leaf-user] CF Card Issues

2005-07-27 Thread Richard Amerman
M Lu,

Thanks for the info, you may have just found my issue. I have regularly
been mounting my CF on a folder I create each time (/cf) so that I can
edit things like leaf.cfg and others. I never unmount it before
rebooting (did not know I needed to)!

Do you have your setup now configured to auto unmount your CF? Any
pointers on that?

Regardless, now I know what is likely the issue!

Thanks!

Richard

 -Original Message-
 From: M Lu [mailto:[EMAIL PROTECTED] 

 A couple of weeks ago I got a small file 'leaf.cfg' corrupted after
 modifying it directly (mount /hda1 on /mnt). As other folks here said, I
 may have forgotten to unmount /mnt before rebooting. So now I always check
 to make sure the CF is unmounted before rebooting and so far no more
 corruptions, even though I modified a lot of things day after day because
 of my new setup.
 
 Do you think you may mount the CF somehow? Just check the mountpoints
 before rebooting. Maybe some script did that and you do not know about it.
 
 I use Lexar 64M. I also used Canon 32M and it was OK but for a very short
 time, so I cannot say if its quality is good.
 
 Hope your CF is not bad. You probably can test its quality inside another
 machine.
 

 - Original Message - 
 From: Richard Amerman [EMAIL PROTECTED]

 
 
 I have a Lex NEO CV863A from Hacom. I bought my CF card based on
 recommendations for Lexar on this page:
 http://www.openbrick.org/openbrick/wiki/cf/view
 
 I have a Lexar Media 512MB CF card p/n 2175 Rev A.
 
 Everything was going very well, installed a uClibc system primarily using
 the CD ISO on the CF card and the firewall was working fine, though not in
 production yet.
 
 Recently I made some Shorewall changes and backed them up but when I
 rebooted the next time there was no shorewall. It turned out that the
 shorwall.lrp file was corrupt.
 
 When I try: tar zxvf shorwall.lrp
 I get: tar: Invalid gzip magic
 
 Soon after I made a new folder called lrpbackup on the CF card. It shows
 up though as lrpbacku. Also when I try ls in that folder my whole SSH
 session gets corrupted. I also cannot delete the folder or its contents.
 
 Also when I now try to write to the CF card in this machine, everything
 returns:
 Cannot create directory `lrpb': Read-only file system
 
 Now I know that I have multiple things that could be wrong, but since my
 timeline is very short, I'm supposed to put this FW in production in a
 few days, I'm pursuing them in parallel.
 
 One possibility is that the CF card I bought is not ideal. Another is
 that the Machine has an issue. Another is that this CF card may be bad.
 
 Some questions:
 Does anyone have any specific recommendations on a CF card?
 Does anyone have an alternate LRP backup script that keeps backups kind
 of like rotating logs (backing up the existing LRP to another folder and
 renaming *.lrp.0 type thing)?
 Is there anything in hdsupp.lrp to check the health of a drive, like
 scandisk?
 
 Any help, ideas, or shared experiences would be helpful.
 
 I did call Hacom and they do use Lexar but mainly use Kingston & Elite
 Pro CF cards now. I'm thinking of just buying two of them.
 
 Thanks,
 
 Richard Amerman




RE: [leaf-user] CF Card Issues

2005-07-27 Thread Richard Amerman
I just backed up all the files off that CF card, did a scandisk and it
looks like it fixed everything.

I now changed my /etc/init.d/reboot to umount my CF card before
rebooting.

Though I will plan on always unmounting the CF card when I do not need
it.

Richard
 -Original Message-
 From: M Lu [mailto:[EMAIL PROTECTED] 
 
 I do not know of the auto umount but you can alias 'reboot' 
 to 'cd ; umount /cf; halt' if you use reboot to reboot your machine.
 
 You are luckier than Peter.
 
 
 - Original Message - 
 From: Peter Mueller [EMAIL PROTECTED]
 
 It's easy to destroy CF cards this way.  I went through two 
 on my routers before understanding that you need to unmount 
 the card ASAP.
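An added example of the unmount-before-reboot habit M Lu and Peter describe, not a script from this thread or from LEAF: a POSIX sh reboot wrapper that reads the kernel mount table, unmounts the CF mount point (/cf in Richard's setup) and refuses to reboot while it is still mounted. The function names are my choices, and mounted_at takes the mount table as an argument so it can be exercised on a constructed copy of /proc/mounts.

```shell
#!/bin/sh
# Added example (not from the leaf-user thread): reboot only after the CF card
# has been cleanly unmounted. A CF that is still mounted, with dirty blocks
# not yet written, when the box is rebooted is the corruption pattern this
# thread describes.

# mounted_at MOUNTPOINT [MOUNTS_FILE] -> status 0 when MOUNTPOINT appears as a
# mount point in the table (default /proc/mounts; a file argument allows testing)
mounted_at() {
    mp=$1
    table=${2:-/proc/mounts}
    while read -r dev point fstype rest; do
        [ "$point" = "$mp" ] && return 0
    done < "$table"
    return 1
}

# release_cf MOUNTPOINT -> flush and unmount; status 0 only if it ends unmounted
release_cf() {
    mp=$1
    mounted_at "$mp" || return 0   # already unmounted, nothing to do
    cd /                           # umount reports "busy" if our cwd is inside it
    sync                           # push dirty buffers to the card first
    umount "$mp" || return 1
    ! mounted_at "$mp"
}

# safe_reboot MOUNTPOINT... -> unmount every listed CF mount point, then reboot;
# stays up (status 1) if any of them cannot be released
safe_reboot() {
    for mp in "$@"; do
        if ! release_cf "$mp"; then
            echo "safe_reboot: $mp is still mounted, not rebooting" >&2
            return 1
        fi
    done
    sync
    reboot
}

# Drop-in for the plain reboot command, e.g. from /etc/init.d/reboot or an
# alias:  safe-reboot.sh --reboot /cf
if [ "${1:-}" = "--reboot" ]; then
    shift
    [ $# -gt 0 ] || set -- /cf
    safe_reboot "$@"
fi
```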
 





[leaf-user] Problems with CF Backups

2005-07-26 Thread Richard Amerman
Does anyone have lncurses.lrp for uClibc handy?

I can't find it anywhere. It appears that I need it for lrpstat.

If anyone else has any info on what IS needed to get lrpstat working in
the latest uClibc that would be great!

As further background, I'm trying to set up monitoring for cpu load,
interface usage, and environmental stats like temp and voltage (using
lm_sensors). If anyone has information or recommendations on this topic
I'm probably not the only one who would love to get the details.

If I get it nailed I'll put together a How-To on the topic.

I'm also looking to integrate some of this into webconf.

Thanks,

Richard

Richard Amerman
RBA International




RE: [leaf-user] Problems with CF setup

2005-07-25 Thread Richard Amerman
If you use the CD image for the latest beta it includes the proper
version of initrd_ide_cd.lrp.

Just went through a full CF install myself in the past couple of weeks.

Works great, just have to be careful of where you get your packages and
modules. The CD image is a best source of all of it.

Richard

 -Original Message-
 From: Martin Hejl [mailto:[EMAIL PROTECTED] 
 If you followed the instructions to the letter, you're using
 initrd_ide_cd.lrp from
 http://cvs.sourceforge.net/viewcvs.py/leaf/bin/packages/uclibc-0.9/20/ ,
 which means you're all set as far as needing to load modules for IDE
 (unless you're using some exotic IDE controller) - that is, _if_ you're
 using the 2.2.3 Bering uClibc image.
 
  I wish it was included in this procedure as to what modules are needed
  and what is the best method for me to transfer these modules from a
  floppy to the CF.
 Simply put initrd_ide_cd.lrp onto your CF (and rename it to initrd.lrp
 in the process) and you should be set.




[leaf-user] lncurses.lrp and/or lrpstat help - uClibc

2005-07-22 Thread Richard Amerman
Does anyone have lncurses.lrp for uClibc handy?

I can't find it anywhere. It appears that I need it for lrpstat.

If anyone else has any info on what IS needed to get lrpstat working in
the latest uClibc that would be great!

As further background, I'm trying to set up monitoring for cpu load,
interface usage, and environmental stats like temp and voltage (using
lm_sensors). If anyone has information or recommendations on this topic
I'm probably not the only one who would love to get the details.

If I get it nailed I'll put together a How-To on the topic.

I'm also looking to integrate some of this into webconf.

Thanks,

Richard




[leaf-user] Webconf issues

2005-07-14 Thread Richard Amerman
I have been trying to get webconf working on a new uClibc box but can't
get anywhere. I did have weblet working but took that off and did
everything I could find online to setup webconf.

I'm on the latest beta.

Here is one thing I get:

Jul 14 12:23:03 RBAFW mini_httpd[10398]: socket :: - Address family not
supported by protocol
Jul 14 12:23:03 RBAFW mini_httpd[10398]: bind 0.0.0.0 - Address already
in use
Jul 14 12:23:03 RBAFW mini_httpd[10398]: can't bind to any address

Any ideas?

Richard Amerman




[leaf-user] Image CF drive

2005-07-14 Thread Richard Amerman
Does anyone know of any windows tools that can do a disk image of a CF
card?

I have multiple identical CF cards I need to propagate a uClibc install
to, bootable portion and all. The only tools I have found that work with
CF cards so far have been for linux.

Thanks!

Richard Amerman




[leaf-user] lm_sensors for Bering uClibc - Lex Neo CV863A from Hacom

2005-07-12 Thread Richard Amerman
I have two new Lex Neo CV863A Boxes from Hacom that I'm setting up with
Bering uClibc.

These boxes include:

2 X PCMCIA slots
4 X 10/100 Nics
CF slot
1Ghz CPU
256MB DDR RAM
4 X USB

I have a Lexar 512MB card in each of these and, with only a half day of
banging my head, got LEAF set up on the CF card. I used the uClibc CD
ISO to do the work, including copying the entire contents of the CD as
my install once I had the card bootable.

It is going great, though duplicating the card will be a pain, wish
there was a tool to image a CF card easily in windows.

One thing I would very much like to do is monitor the health of these
boxes using something like lm_sensors. The only thing I have found about
this are two uClibc LEAF CVS entries regarding lmsensors.

Does anyone have any information on this?

Any other LexNeo LEAF users out there with info to share on their
experiences?

Thanks!

Richard Amerman




[leaf-user] LEAF at OSCON

2003-02-13 Thread Richard Amerman
Are any LEAF participants attending OSCON this year?  If so, are any of you putting a 
proposal to do a presentation on LEAF?
 
If the answer to the second question is no, I will be submitting a proposal for either 
a 45min or 90min presentation by tomorrow afternoon.
 
I have not been that involved with the project in the past few months, but enjoy 
giving presentations and can coordinate with team members to put together good 
coverage of topics.
 
I wish to give a basic overview of what LEAF is, how one might use it, an intro to 
some of the active distributions, and possibly some view of the new 
config/web-management pieces we are working on.
 
Richard Amerman


[leaf-user] Snort and Bering

2002-07-12 Thread Richard Amerman

I want to add Snort to my 2 floppy Bering RC3 setup.  I found the package Charles has 
on his site but thought it prudent to check with the masses to see who might have set 
this up recently and where the latest package is (if it is not Charles's)

 

An additional note for any current LEAF snort users, I was planning on looking into 
setting up a weblet add-on to display info from snort.  If you are an experienced 
snort user and have time on your hands you might be able to help with this endeavor.
 
Thanks!
 
Richard Amerman
áŠËë^™¨¥ŠË)¢{(­ç[É8bžAžzAšv­±ÆŸ}è§zÛ!Š»l~éì¶ç߆ÛiÿûaŠy 
yé¢oì~Wš~ë®f¢–)à–+-•æŸºÇ«–+-²Ê.­ÇŸ¢¸ëa¶Úlÿùb²Û,¢êÜyú+éÞ·ùb²Û?–+-ŠwèþWš~ë­$Em¶Ÿÿ•æŸ¦º#yËh®鹿ݡÏݡɚ¨¯÷hr'uóÝa¶i


RE: [leaf-user] Weblet Dev Demo Update

2002-07-02 Thread Richard Amerman

Good suggestion on the date/time.

Not sure what you mean with the hosts.allow.  It is supposed to allow everyone to 
the weblet for the demo.

Richard Amerman


-Original Message-
From:   Eyal Lebedinsky [mailto:[EMAIL PROTECTED]]
Sent:   Tue 7/2/2002 1:41 AM
To: Richard Amerman
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject:Re: [leaf-user] Weblet Dev Demo Update
Richard Amerman wrote:
 
 I have made some major modifications to the LEAF Weblet.  These have been posted to 
the Weblet Dev Demo site.
 Demo Site Location:
 207.202.227.167

One thing I have in my weblet, which I see is missing in the
above demo is a standard date/time at the top of each log file.
I find it very useful to know how old the displayed page is.

And also, do fix your /etc/hosts.allow :-)

--
Eyal Lebedinsky ([EMAIL PROTECTED]) http://samba.org/eyal/








RE: [leaf-user] Weblet Dev Demo Update

2002-07-02 Thread Richard Amerman

From: Steve Sobka [mailto:[EMAIL PROTECTED]] 
Sent: Tue 7/2/2002 8:02 AM 
How easy would it be to include lrpstat back in the weblet package?
(IIRC?) Dachstein had this as part of the weblet package, but it was removed
out of the Bering weblet package.
Or I should say, it's not in Bering 1.0-rc3.  Maybe if it's really large,
there could be two versions of your updated weblet package?

The URL for lrpstat is:  http://leaf.sourceforge.net/devel/hejl/

It's nice to see a quick MRTG style graph on the status pages :-)

 

I'm very interested in this and other similar options.  I would like (at least as a 
set of options) for the index page of the weblet to be as much a dashboard as 
possible.  The idea being that at a glance as much information as possible can be 
gleaned about the state of the firewall and its traffic.  Graphics can always do this 
much better than only words and numbers.

I'm also interested in massaging the log contents a bit to make them more readable.  
The firewall logs are a good example.  This is all one of the reasons I abstracted the 
content and the rest of the page constructs so that it would be easy to place the 
components you want on your first page for a list of options.  I was planning on 
automating and abstracting this very process so that all a user had to do was pick a 
layout, pick the pieces, select their column, and set the order.  That should be easy. 
This format should support the configuration project as well.

Richard Amerman




[leaf-user] Weblet Dev Demo Update

2002-07-01 Thread Richard Amerman

I have made some major modifications to the LEAF Weblet.  These have been posted to 
the Weblet Dev Demo site. 
Demo Site Location:
207.202.227.167
 
Two of the major areas of change include:  
Major changes to the cgi files including a dynamic index page, new include structure, 
and new function files.
Link to weblet source at the bottom of index page.
 
The full list of changes follows:
 
1 July 2002
converted index.html to index.cgi

added function for displaying uptime.
Added the uptime using this function under the status indicators on the index page.
Created a weblet.structures file that includes the functions that were in the 
weblet.functions file that covered page structure.  Added two new functions: t_head & 
t_foot that finish abstracting almost all of the structure.
Added two additional functions to weblet.structures that allow you to create a page 
with a single column, two columns like the index page, and three columns.
Created new master include file, weblet.include.
Abstracted the 5 content tables from the index page into separate component files in 
/var/sh-www/content.
Abstracted the log/file display function into weblet.functions.
Added a source display option to the bottom of the index page.  You can use this to 
view the entire weblet content source.  Please use this in conjunction with the web 
page to provide ideas, find bugs, make suggestions on how to make it better.
Abstracted the styles into a separate CSS file.
Removed LRP from the titles.
Did additional CGI cleanup. (And probably made a few additional messes in the 
process!)

27 June 2002
Added a new list of all the configuration files on the left side of the index page.  I 
have included all the main networking files, modules file, ppp files, and all of 
shorewall.  I did this with a combination of index.html modification (including some 
cleanup, primarily with an added style entry above that took out all the remaining 
style info below) and some changes in the showlogs* cgi scripts.

Made a change so that on the individual pages displaying either a config file or a 
log, the entire path is displayed at the top rather than just the file name.

Added two new links to the configuration file section, one that gives you a single 
page with all the major configuration files from /etc and another for all the 
Shorewall files.  Each combined config list uses a separate cgi script.

added a new header function to weblet.functions that includes a page refresh;
this to be used with the index page and all pages (logs and the like) that should
refresh to be up to date

added a new styles function to the weblet.functions that contains all the css info

changed the header functions to use the new styles function

Richard Amerman


RE: Software write-protect (Was: Re: [leaf-user] Floppies)

2002-06-30 Thread Richard Amerman


From: Jeff Newmiller [mailto:[EMAIL PROTECTED]] 
Sent: Sat 6/29/2002 11:37 PM 

Absolutely disagree.  Rebooting is a waste of time.  If there is a way in,
rebooting does nothing to prevent repetition.  If there is not, rebooting
serves no purpose.  If you are faced with a break-in in-progress, you need
to disable external network access until the problem is rectified... not
reboot.
 
I do agree that it is not the most practical option but you have to remember 
that I'm just talking in a realm of ideals.  IMO an ideal would be a system that had a 
boot time of a few seconds (flash of some sort), is physically write protected, sends 
all logging to another location and could recycle as often as seemed prudent, even 
every hour.  Before each reboot it could even send a backup image file of the system 
purely for investigatory usage to the logging server.  This might even be done using 
some sort of memory mirror that was invisible to the system, a PCI card.

This satisfies all that we are talking about.  The key is a blend of realtime 
response and uptime.  If you are an entity with a 24/7 NOC it is all a different story, 
but for smaller businesses that have continuing activities but close their offices, 
this is a better extreme blend.  I'm by no means saying this is the only way to do it 
or the most practical, or practical at all!  Just a what-if extreme of ideals.


  Nothing is lost other
 than evidence, but it is more important to stop the crime rather than
 catch someone after the damage is done and with the logs safe you
 should have the most important information available.

Mostly true.  I don't know that what was logged will provide enough clues
as to the method of entry to close the hole, so I want the memory intact
if possible just in case.

Covered by the image backup above.  

All of this has me wishing to delve deeper into the actual system architecture 
of the Cisco PIX (the largest FW product I personally have experience with).  I'm 
wondering how all these issues are dealt with in that level of product.  Of course 
that said, I now would prefer to have a LEAF box unless the scale was an issue.
 
I must also add to this discussion that I am no hard core security expert and 
while I feel comfortable working with musings and ideals, my first hand experience is 
more limited (PIX, Watchguard, smaller software FWs and now LEAF).
 
Richard Amerman

áŠËë^™¨¥ŠË)¢{(­ç[É8bžAžzEž•ÊzÚ 
yé!y«Þžm§ÿí†)äç¤r‰¿±ù^iû¬z¹šŠX§‚X¬¶Wš~ë®X¬¶Ë(º·~Šàzw­†Ûi³ÿåŠËl²‹«qç讧zßåŠËlþX¬¶)ߣù^iû¬z´‘!¶ÚþWš~šèç-¢¸?¦æÿv‡?v‡jv z¿Ý¡È×Ïu†Ù¥


RE: Software write-protect (Was: Re: [leaf-user] Floppies)

2002-06-30 Thread Richard Amerman


I would love to use Snort but feared that it was too big. Is it reasonable?

On that thought, has anyone worked with alternative floppy drives like 2MB drives or 
LS?

Richard Amerman

-Original Message-
From:   Mike Noyes [mailto:[EMAIL PROTECTED]]
Sent:   Sun 6/30/2002 7:07 AM
To: [EMAIL PROTECTED]
Cc: 
Subject:RE: Software write-protect (Was: Re: [leaf-user] Floppies)
On Sun, 2002-06-30 at 03:50, Erich Titl wrote:
 Agreed, but now we have to see how we can stop such a skillful attacker. 
 How can we protect the RAM disks from someone determined enough to upload 
 and execute code bytewise. Anyone can fingerprint the IP stack and scan our 
 system for loopholes. Some firewall products detect this and drop the IP of 
 the attacker immediately until reboot. Do we have such a feature?


Erich,
NIDS products PortSentry and Snort will do this. We have packages for
both available. However, they aren't installed by default on any of our
releases/branches.

PortSentry
http://www.psionic.com/products/portsentry.html

Snort
http://www.snort.org/

-- 
Mike Noyes [EMAIL PROTECTED]
http://sourceforge.net/users/mhnoyes/
http://leaf-project.org/












RE: Software write-protect (Was: Re: [leaf-user] Floppies)

2002-06-29 Thread Richard Amerman

It seems to me that regardless of what you do to write-protect the medium, you have 
to flush (restart) the system regularly to be the most secure.  This would ideally have 
to be done by some method that is both independent of the LEAF firewall itself and the 
systems it is protecting as these methods could be compromised.  If you had a simple 
hardware timer that recycled the power on the machine every night or on some schedule 
that makes sense this would work.
 
Now, of course, we are playing in the land of the ideal, but when dealing with 
firewalls this should be an option.
 
Richard Amerman

-Original Message- 
From: Erich Titl [mailto:[EMAIL PROTECTED]] 
Sent: Sat 6/29/2002 2:08 PM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: Re: Software write-protect (Was: Re: [leaf-user] Floppies)



Hi

I believe the security concerns are well understood. But if we have someone
on our doorstep with the ability Charles pointed out, of course he/she will
be able to place some malware on our ram disk. It is not as bad as having
an infected non volatile storage but I believe this attacker would be
clever enough to fool the poor firewall user and make him feel secure. So
even if we have write protected disks we probably would have to reboot
periodically or have some other (non foolproof) prevention for such a
scenario. Any thoughts ...

regards

Erich

Mike Noyes wrote the following at 19:14 29.06.2002:
On Sat, 2002-06-29 at 08:34, Mike Noyes wrote:
  On Sat, 2002-06-29 at 06:15, Manfred Schuler wrote:
   one reason for software write protection is that people using flash/hard
   disk at the moment have no other possibilities. And even if it is not
   perfect, it is better than nothing.

Manfred,
I forgot to mention SCSI as a solution for hard drives. SCSI drives have
had the ability to do hardware write-protect for many years.

  Manfred,
  There are alternatives to software write-protect. Current generation
  flash disks are capable of hardware write-protect. They use two
  different approaches:
 
  * Custom ATA controllers on the IDE compatible flash disk.
  ATA-Disk Module
  http://www.sst.com/products/58sm_lm.html
  ATA-Disk Chip Application Notes
  http://www.sst.com/superflash/pdf/222.pdf
  ATA-Disk Module Product Brief
  http://www.sst.com/ata_disk/admbrief.pdf
  ATA-Disk Module (Apacer)
  http://www.apacer.com/product/flash/index_adc_adm.html
 
  * A software and hardware combination that changes the write state
  of the flash disk in hardware.
  Secure Disk on Module (SDOM)
  http://www.pqi.com.tw/eng/ourproduct/sdom.htm

--
Mike Noyes [EMAIL PROTECTED]
http://sourceforge.net/users/mhnoyes/
http://leaf-project.org/




THINK
Püntenstrasse 39
8143 Stallikon
mailto:[EMAIL PROTECTED]
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024  8D8A B7D4 FF9D 05B8 0A16





áŠËë^™¨¥ŠË)¢{(­ç[É8bžAžzCh#¥–z-~,r¢êÜ¢jnµêá¶ÚþØbžHzG(›û•æŸºÇ«™¨¥Šx%ŠËey§î±êåŠËl²‹«qç讧zØm¶›?þX¬¶Ë(º·~Šàzw­þX¬¶ÏåŠËbú?•æŸºÇ«I@Bm§ÿåy§é®ˆÞrÚ+ƒúno÷hs÷hrf§j«ýÚ‰Ý|÷Xmš


[leaf-user] A First LEAF Deployment THANKS

2002-06-29 Thread Richard Amerman

  

Hi all!  It’s time to share!

 I have only been at this for a few weeks but as some of you may have noticed, I have 
been drawn in and hope to stay.  At first it was simply about replacing my existing 
Watchguard SOHO with something that had a few more capabilities.  I was looking at 
many Linux based setups, mostly things like Astaro and Mandrake Security.  When I 
finally found LEAF somehow I knew I was on to something.  Regardless of what I did or 
found in larger systems I knew I had to at least try a LEAF setup.

I have now deployed the new firewall in a single step, the only glitches were a few 
inbound Shorewall rules that had to be tweaked!  Everything worked, no problems, and 
it seems to perform much better.


This is what I deployed:
LEAF Bering 1.0 RC2 (I plan on updating soon to RC3 but did not have time now)
External modem for backup fail over (now done with an ifdown ifup manually but I have 
a script to automate it that is in progress)
Extensive rules for inbound traffic to various web servers, Exchange, SiteScope, VNC, 
others.

I am about to add ssh and VPN soon.
I also deployed my modified Weblet with a bunch of changes I have not yet deployed to 
the Weblet Dev Demo site.

 It has all been a great success and I thank you all for your support (much of it in 
the past, mining the list archives is a gold mine!)

 I look forward to working with all of you as I dig deeper into Weblet and other 
aspects of LEAF.  I tried to setup a dev VMWare image last night but it wasn’t until 
2AM I realized that it does not support the large floppy format.  It looks like it may 
be UML for me or just one of the small old boxes I have laying about.

 Thanks!

 Richard Amerman



RE: Software write-protect (Was: Re: [leaf-user] Floppies)

2002-06-29 Thread Richard Amerman

All logging should ideally be done off site using a syslog daemon.  The most important 
thing is not to have a breach and second to fix weaknesses.  In this situation 
flushing the memory IS the best solution to ensure this, though it is not the only 
one, and would rarely be that practical or worth the hassle.  Nothing is lost other 
than evidence, but it is more important to stop the crime rather than catch someone 
after the damage is done and with the logs safe you should have the most important 
information available.
 
Richard Amerman

-Original Message- 
From: Jeff Newmiller [mailto:[EMAIL PROTECTED]] 
Sent: Sat 6/29/2002 7:28 PM 
To: Richard Amerman 
Cc: [EMAIL PROTECTED] 
Subject: RE: Software write-protect (Was: Re: [leaf-user] Floppies)



On Sat, 29 Jun 2002, Richard Amerman wrote:

 It seems to me that regardless of what you do to write-protect the
 medium, you have to flush (restart) the system regularly to be the
 most secure.  This would ideally have to be done by some method that is
 both independent of the LEAF firewall itself and the systems it is
 protecting as these methods could be compromised.  If you had a simple
 hardware timer that recycled the power on the machine every night or
 on some schedule that makes sense this would work.

I disagree.  Flushing ram flushes evidence of disturbances, and does
nothing to find or eliminate latent weaknesses.

---
Jeff Newmiller
DCN: [EMAIL PROTECTED]
Research Engineer (Solar/Batteries/Software/Embedded Controllers)
---



áŠËë^™¨¥ŠË)¢{(­ç[É8bžAžzEž•ÊzÚ 
yé!y«Þžm§ÿí†)äç¤r‰¿±ù^iû¬z¹šŠX§‚X¬¶Wš~ë®X¬¶Ë(º·~Šàzw­†Ûi³ÿåŠËl²‹«qç讧zßåŠËlþX¬¶)ߣù^iû¬z´‘!¶ÚþWš~šèç-¢¸?¦æÿv‡?v‡jv z¿Ý¡È×Ïu†Ù¥


RE: [leaf-user] Weblet

2002-06-26 Thread Richard Amerman

I currently have a modification that has a new list of all the configuration files on 
the left side.  I have included all the main networking files, modules file, ppp 
files, and all of shorewall.
 
I did this with a combination of index.html modification (including some cleanup, 
primarily with an added style entry above that took out all the remaining style info 
below) and some changes in the showlogsx cgi scripts.
 
I also made a change so that on the individual pages displaying either a config file 
or a log, the entire path is displayed at the top rather than just the file name.  I'm 
not sure if this is a change for the masses or not.  I will need feedback.
 
I also plan on adding a single link to do a configuration dump.  This would involve a 
new cgi file, more than I will be tackling today! :-)
 
I plan on setting up a demo box outside our firewall that everyone can access to check 
out these changes.  I will let the list know when I have this set up.
 
Richard Amerman
 

-Original Message- 
From: Erich Titl [mailto:[EMAIL PROTECTED]] 
Sent: Wed 6/26/2002 1:31 PM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: Re:[leaf-user] Weblet



Lynn

[EMAIL PROTECTED] wrote the following at 20:36
26.06.2002:
Message: 6
From: guitarlynn [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: [leaf-user] Weblet
Date: Tue, 25 Jun 2002 17:14:05 -0500

On Tuesday 25 June 2002 16:57, Richard Amerman wrote:
> > Has anyone made any modifications to weblet that displays
> > configuration files?
> >
> > How about adding authentication to weblet?

I'm starting some work on one for Dachstein, but I'm starting from
scratch on it. I think someone had come up with something that
worked with Bering in some form, but there was no link or email
left to get it (that I know of).

In any case, to do it securely there is a lot of additions and work
to create one. Mosquito only uses web-configuration it might
be worth a try.

I am playing around with weblet to get some kind of a web based
configuration. Authentication is certainly an issue there and I am very
interested in anything that should come up in that aspect.

Does anyone know why the

cgi-bin/whatever.cgi?parameter1=value1&parameter2=value2

passing in weblet is disabled?

thanks

Erich

THINK
Püntenstrasse 39
8143 Stallikon
mailto:[EMAIL PROTECTED]
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024  8D8A B7D4 FF9D 05B8 0A16



---
This sf.net email is sponsored by: Jabber Inc.
Don't miss the IM event of the season | Special offer for OSDN members!
JabberConf 2002, Aug. 20-22, Keystone, CO http://www.jabberconf.com/osdn

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html




[leaf-user] Bering RC2 Boot Hang

2002-06-25 Thread Richard Amerman

I was working on some changes to my Bering setup, adding serial console support, when I 
ran into a problem.
 
I added serial.o and added serial 1 19200 1 to the top of my syslinux.cfg file.
I also made the other changes in Charles's Serial Link HowTo.
 
When I rebooted my system now hangs at:
LINUXRC:  Installing - root
 
I double checked my syslinux.cfg file and can not find anything.
 
Any ideas?
 
Thanks!
 
Richard Amerman
áŠËë^™¨¥ŠË)¢{(­ç[Ȗ›mêȝÀèžÙ¢²Ëaxƒ½éí¡ûazǚ²‰Ò¥çjZ}êߢ³’ٞ™·«°–›
‰ßÛM6è6ÓmŠ{+-¢w‚:m§ÿðÃÚm·«r‰ßr‰¿¢Çg•æŸºÇ«™¨¥Šx%ŠËey§î±êåŠËl²‹«qç讧zØm¶›?þX¬¶Ë(º·~Šàzw­þX¬¶ÏåŠËbú?•æŸºÇ«I@Bm§ÿåy§é®ˆÞrÚ+ƒúno÷hs÷hrf§j«ýÚ‰Ý|÷Xmš


[leaf-user] Shorewall 1.3.1

2002-06-14 Thread Richard Amerman

Has anyone tried to use the Shorewall 1.3.1 lrp with Bering 1.0 rc2?
 
Richard Amerman


[leaf-user] (no subject)

2002-06-12 Thread Richard Amerman

This might or might not be a bit off topic, but the machine I have been working on 
with my Bering setup is connected to a Belkin KVM switch.  Fairly often when I switch 
to another machine and then back to the Bering machine it loses the keyboard.  I have 
tried many things to get it back but always have to reboot (and as you may have 
guessed, I have been caught a couple of times with some un-backed up work!)

 

Any ideas?  I’m not sure if this has anything in particular to do with the LRP 
setup, Linux in general, or maybe just hardware.

 

Thanks!

 

Richard Amerman


RE: [leaf-user] (no subject) (actually -KVM-Bering-lost keyboard)

2002-06-12 Thread Richard Amerman

I do indeed as this was formerly (sigh) a W2K dev box.
 
I will give it a try, though I will be backing up before each switch.
 
Thanks!
 
Richard Amerman

-Original Message- 
From: Charles Steinkuehler [mailto:[EMAIL PROTECTED]] 
Sent: Wed 6/12/2002 10:33 AM 
To: Richard Amerman; [EMAIL PROTECTED] 
Cc: 
Subject: Re: [leaf-user] (no subject)



> This might or might not be a bit off topic, but the machine I have been
> working on with my Bering setup is connected to a Belkin KVM switch.  Fairly
> often when I switch to another machine and then back to the Bering machine
> it loses the keyboard.  I have tried many things to get it back but always
> have to reboot (and as you may have guessed, I have been caught a couple of
> times with some un-backed up work!)
>
> Any ideas?  I’m not sure if this has anything in particular to do with the
> LRP setup, Linux in general, or maybe just hardware.

Do you have the mouse hooked up?  I had problems like this with the mouse
hooked to the KVM when the mouse port was connected to the KVM as well as
the KB.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)






[leaf-user] Bering - VPN - Pocket PC

2002-06-12 Thread Richard Amerman

Has anyone had any luck getting Movian VPN for Pocket PC to work with FreeSwan on 
Bering?

 

My primary need is simply to get VPN to work between Pocket PC and Bering, Movian just 
looks like one of the best options.

 

Richard Amerman


[leaf-user] Bering DSL + modem failover - default route

2002-06-11 Thread Richard Amerman

As some of you may have noted I am working on a Bering configuration with a main 
external interface at eth0 of a DSL router and an additional external connection 
consisting of an external modem for redundant failover.

I have had no problem getting the modem to work and it looks like the firewall portion 
may not be too bad (knock on wood!) but I can’t seem to get past the existing 
defaultroute.

How does one change the defaultroute on the fly?  I have my pppd setup configured to 
set the ppp connection as the defaultroute.

pppd logs the following message:
not replacing existing default route to eth0

The only other negative sounding message is the following:

Cannot determine Ethernet address for proxy ARP

I also experimented with settings in the interfaces config file in the ppp0 
interface section.  The default is 
auto ppp0
iface ppp0 inet ppp
provider provider

I changed this to :
auto ppp0
iface ppp0 inet ppp
Address xxx.xxx.xxx.xxx
Masklen 27
Gateway xxx.xxx.xxx.xxx

I’m not sure this is appropriate but I could not find further documentation on this 
file to indicate whether I can use these settings with a ppp interface, and even if I 
can, that it is appropriate.

I also added a local:remote entry to the ppp options file and tried the -ip setting to 
force the use of these settings but the ppp connection was dropped with a message from 
the ISP to the effect of No network protocol running.

Any ideas?

I’m also working on a script to monitor the DSL connection and bring up the modem 
connection if it is determined as down.  When the DSL connection was restored for a 
given period of time then the modem would be disconnected.  This setup also depends on 
a secondary MX record pointing to the static ip for the modem connection so mail will 
still get through.

I am definitely working to set this up in the most ideal manner as it seems like this 
configuration would be useful to contribute.

Richard

 

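Added example, not a script from the thread or the LEAF project: a one-shot failover check meant to run from cron, built around the two things this post runs into (pppd will not replace the existing eth0 default route, and the link must be judged down or back up over several checks before switching). The interface names, gateway, probe hosts, the "provider" peer name and the use of busybox-style `route`, pon/poff and a `ping` that accepts `-W` are assumptions; set RUN=echo to see the commands without executing them.

```shell
#!/bin/sh
# Constructed example: DSL (eth0) with modem (ppp0) fallback, one check per run.
# State file holds "mode fails oks" so consecutive results survive between runs.
DSL_IF=${DSL_IF:-eth0}
DSL_GW=${DSL_GW:-192.0.2.1}                          # placeholder DSL router
PPP_IF=${PPP_IF:-ppp0}
PROBE_HOSTS=${PROBE_HOSTS:-"192.0.2.10 192.0.2.11"}  # placeholder probe hosts
FAILS_BEFORE_FALLBACK=3       # consecutive failed probes before dialling
OKS_BEFORE_RESTORE=6          # consecutive good probes before hanging up
STATE=${STATE:-/var/run/dsl-failover.state}
RUN=${RUN:-}                  # RUN=echo prints the commands instead of running them

# dsl_up: succeeds if any probe host answers a ping sent out via the DSL interface.
dsl_up() {
  for h in $PROBE_HOSTS; do
    ping -c 1 -W 3 -I "$DSL_IF" "$h" >/dev/null 2>&1 && return 0
  done
  return 1
}

# decide MODE FAILS OKS: pure policy, prints none|fallback|restore.
decide() {
  case "$1" in
    dsl)   [ "$2" -ge "$FAILS_BEFORE_FALLBACK" ] && echo fallback || echo none ;;
    modem) [ "$3" -ge "$OKS_BEFORE_RESTORE" ] && echo restore || echo none ;;
    *)     echo none ;;
  esac
}

# fallback: pppd logs "not replacing existing default route to eth0" when one
# exists, so the eth0 default is removed first; the peer's options file is
# assumed to carry "defaultroute" so ppp0 becomes the default once it is up.
fallback() {
  $RUN route del default gw "$DSL_GW" "$DSL_IF"
  $RUN pon provider
}

# restore: hang up the modem and put the DSL default route back.
restore() {
  $RUN poff provider
  $RUN route add default gw "$DSL_GW" "$DSL_IF"
}

# check_once: read counters, probe, act, write counters back; prints the action.
check_once() {
  set -- $(cat "$STATE" 2>/dev/null || echo "dsl 0 0")
  mode=${1:-dsl}; fails=${2:-0}; oks=${3:-0}
  if dsl_up; then fails=0; oks=$((oks + 1)); else oks=0; fails=$((fails + 1)); fi
  action=$(decide "$mode" "$fails" "$oks")
  case "$action" in
    fallback) fallback && mode=modem; fails=0 ;;
    restore)  restore  && mode=dsl;   oks=0 ;;
  esac
  echo "$mode $fails $oks" > "$STATE"
  echo "$action"
}

if [ "${1:-}" = check ]; then check_once; fi
```

Run it as `dsl-failover.sh check` from a cron entry every few minutes; with a second MX pointing at the modem's static address, as the post describes, mail keeps flowing while ppp0 is the default route.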


RE: [leaf-user] Bering DSL + modem failover - default route

2002-06-11 Thread Richard Amerman

George, good to hear from you!
 
We do appear to be working on the same thing, other than the T-1/DSL vs DSL/modem 
difference.  
 
I'm starting from the same scripts from the Detecting Disconnected Network thread.  
Right now I'm focusing on the routing issue and I need to get a bunch of shorewall 
rules set up.  Let me know if you make any progress on the script.  If I get anywhere 
on the routing issue I'll let you know stat.
 
We will have to keep the list posted on our efforts.  
 
I'm also very interested in contributing this configuration with solid documentation.  
I'm willing to do quite a bit if not all the documentation if we could both take good 
notes.  I'm not sure what form this would take, maybe a couple of scripts in addition 
to the configuration files, one to set up the needed cron job and any other safe 
configuration changes that can be automated, and the actual monitoring/interface 
change scripts.
 
Richard Amerman

-Original Message- 
From: George Luft [mailto:[EMAIL PROTECTED]] 
Sent: Tue 6/11/2002 12:01 PM 
To: [EMAIL PROTECTED] 
Cc: Richard Amerman 
Subject: RE: [leaf-user] Bering DSL + modem failover - default route



I wish you well in this endeavor, Richard.  I am trying to do basically the 
same thing.  I want to use static DSL as a backup to a T-1 (mainly to maintain 
connectivity to/from our mail server), and I keep bumping into the issue of the 
default gateway.

I think we'll end up using a script to test connectivity to various hosts as 
was discussed in the Detecting Disconnected Network thread.

Perhaps we can figure it out together... 

> -Original Message- 
> From: Richard Amerman [mailto:[EMAIL PROTECTED]] 
> Sent: Tuesday, June 11, 2002 2:43 PM 
> To: [EMAIL PROTECTED] 
> Subject: [leaf-user] Bering DSL + modem failover - default route 
>
>
> As some of you may have noted I am working on a Bering 
> configuration with a main external interface at eth0 of a DSL 
> router and an additional external connection consisting of an 
> external modem for redundant failover. 
>
> I have had no problem getting the modem to work and it looks 
> like the firewall portion may not be too bad (knock on wood!) 
> but I can’t seem to get past the existing defaultroute. 
>
> How does one change the defaultroute on the fly?  I have my 
> pppd setup configured to set the ppp connection as the defaultroute. 
>
> pppd logs the following message: 
> not replacing existing default route to eth0 
>
> The only other negative sounding message is the following: 
>
> Cannot determine Ethernet address for proxy ARP 
>
> I also experimented with settings in the interfaces config 
> file in the ppp0 interface section.  The default is 
> auto ppp0 
> iface ppp0 inet ppp 
> provider provider 
>
> I changed this to : 
> auto ppp0 
> iface ppp0 inet ppp 
> Address xxx.xxx.xxx.xxx 
> Masklen 27 
> Gateway xxx.xxx.xxx.xxx 
>
> I’m not sure this is appropriate but I could not find further 
> documentation on this file to indicate whether I can use 
> these settings with a ppp interface, and even if I can, that 
> it is appropriate. 
>
> I also added a local:remote entry to the ppp options file and 
> tried the -ip setting to force the use of these settings but 
> the ppp connection was dropped with a message from the ISP to 
> the effect of No network protocol running. 
>
> Any ideas? 
>
> I’m also working on a script to monitor the DSL connection 
> and bring up the modem connection if it is determined as 
> down.  When the DSL connection was restored for a given 
> period of time then the modem would be disconnected.  This 
> setup also depends on a secondary MX record pointing to the 
> static ip for the modem connection so mail will still get through. 
>
> I am definitely working to set this up in the most ideal 
> manner as it seems like this configuration would be useful to 
> contribute. 
>
> Richard 
>
>


RE: [leaf-user] LEAF Bering- DSL with Modem fallback

2002-06-07 Thread Richard Amerman

I have been combing the list archive for info and it seems clear that configuring at 
least Dachstein or other than Bering with two active external interfaces is indeed a 
daunting task.  Getting the two interfaces to work looks fairly easy, it is then all 
about the firewall.  

 

A fairly inelegant way of accomplishing this seems to be a second set of configuration 
files for the backup interface, some file replacement by the script, and restarting 
shorewall.

 

I’m wondering if there is anything specific to iptables and Bering in particular 
that would facilitate this entire process.

 

Thanks for any ideas or comments!  

 

I hope to come up with a solid configuration for this setup that I can contribute and 
document.  I have talked to a couple of friends who have been doing LEAF for a while 
and they are very excited at the prospect of this configuration.

 

Richard

-Original Message- 
From: Richard Amerman 
Sent: Wed 6/5/2002 7:37 PM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: [leaf-user] LEAF Bering- DSL with Modem fallback



I’m in the process of configuring a Bering setup to replace our Watchguard 
SOHO.  A recent prolonged outage of our DSL network has complicated the issue.  I need 
to set up my LEAF to use the DSL link on eth0, have a script check the connection at a 
regular interval, restart the network once in case that is the problem, bring up a 
modem connection with ppp and use that until the DSL connection is restored.



I have read the Detecting Disconnected Network thread and the scripts there 
cover some of the ground (Kiril, if you read this, your final script would be great to 
have!), I have the info on setting up the ppp/modem part, but the rest could use some 
help.



I’m primarily hoping that someone has done exactly this configuration.



Thanks



Richard

RBA International



RE: [leaf-user] LEAF Bering- DSL with Modem fallback

2002-06-07 Thread Richard Amerman

I appreciate the reply Tom!

 

You have just caught me digging through your Shorewall site in search of hints on this 
very topic.  I have also just downloaded the Shorewall 1.3.1 lrp and was about to send 
a message to the LEAF list to see if anyone had tried using this version with the most 
recent Bering.

 

The reason I had not assumed that using the two external interfaces either 
simultaneously or in failover was automatically possible with Shorewall was due to a 
series of messages from the LEAF list archive that seemed to indicate (always with 
Dachstein or some other LEAF than Bering that use ipchains) the firewall part of this 
puzzle was either not do-able or problematic.  Since I am fairly new to LEAF and 
Shorewall, I wanted to find information to build my confidence that this was possible 
before digging in too deep.

 

I must say I am becoming addicted to both the prospects and my experiences to date of both 
LEAF Bering and Shorewall.  Coming from a Cisco PIX background this is refreshing!

 

Richard

-Original Message- 
From: Tom Eastep [mailto:[EMAIL PROTECTED]] 
Sent: Fri 6/7/2002 11:07 AM 
To: Richard Amerman 
Cc: [EMAIL PROTECTED] 
Subject: RE: [leaf-user] LEAF Bering- DSL with Modem fallback



On Fri, 7 Jun 2002, Richard Amerman wrote:

> I have been combing the list archive for info and it seems clear that
> configuring at least Dachstein or other than Bering with two active
> external interfaces is indeed a daunting task.  Getting the two
> interfaces to work looks fairly easy, it is then all about the firewall.
>
>
> A fairly inelegant way of accomplishing this seems to be a second set of
> configuration files for the backup interface, some file replacement by
> the script, and restarting shorewall.


Why don't you just define two external interfaces to Shorewall to start
with? There should be no need to restart it.

-Tom
--
Tom Eastep\ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ [EMAIL PROTECTED]





[leaf-user] LEAF Bering- DSL with Modem fallback

2002-06-05 Thread Richard Amerman

I’m in the process of configuring a Bering setup to replace our Watchguard SOHO.  A 
recent prolonged outage of our DSL network has complicated the issue.  I need to set up 
my LEAF to use the DSL link on eth0, have a script check the connection at a regular 
interval, restart the network once in case that is the problem, bring up a modem 
connection with ppp and use that until the DSL connection is restored.

 

I have read the Detecting Disconnected Network thread and the scripts there cover some 
of the ground (Kiril, if you read this, your final script would be great to have!), I 
have the info on setting up the ppp/modem part, but the rest could use some help.

 

I’m primarily hoping that someone has done exactly this configuration.

 

Thanks

 

Richard

RBA International