RE: [leaf-user] dyndns
> ETH0_IP=`find_first_interface_address eth0`

I'm on Shorewall 2.0.10 and this is unsupported. What exactly is find_first_interface_address? A shell script? Can it be added to older versions of Shorewall to support this?

Thanks

- Bob Coffman

leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/
RE: [leaf-user] dyndns
Cancel the last message, I didn't read the docs accurately.

- Bob Coffman
RE: [leaf-user] CF Card Issues
I get the sense that all the grief I see people have with CF cards just isn't worth it. I'm only using old junky IDE drives (500MB to 4GB in size) to boot my Shorewall systems. If one were to fail (I know they will at some point) I'll merely format a 100MB partition on another drive, syslinux it and copy the LRPs etc. from the backup made by SCP, install it and I'm back in business. The drives spin down after boot so there is little wear on them.

Is anyone running CF with absolutely no issues??

- Bob Coffman
RE: [leaf-user] Backing up LEAF disks over the network.
I don't think that the crypto stuff is _that_ hard on the CPU. My slowest LEAF machine is a P75 and I notice no difference when backing up packages over SCP between that and other more capable machines. Of course that is over a broadband (cable) connection; I'm sure I could measure a difference if I were on a LAN.

- Bob Coffman
RE: [leaf-user] Possible backup script issue (Bering-uClibc_2.3-beta4)
> Actually, you *DO* have it loaded twice. Initrd is 'special', as it is the initial ramdisk loaded along with the kernel by the boot-loader

Has this always been the case? I've had initrd in leaf.cfg from the get-go and in Bering 1.2 it was specified (although differently from other packages) in syslinux.cfg... Off to try removing it...

- Bob Coffman
RE: [leaf-user] Possible backup script issue (Bering-uClibc_2.3-beta4)
> AFAIK this has always been the case.

I tried to recall this email but I replied to myself. You are, of course, quite correct, and I was mistaken that initrd was in the list.

Thanks

- Bob Coffman
RE: [leaf-user] 3C905CX Network Card
Did you allow ICMP traffic to originate from your firewall?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James F
Sent: Thursday, June 30, 2005 12:00 PM
To: leaf-user@lists.sourceforge.net
Subject: [leaf-user] 3C905CX Network Card

Using these cards with the 3c90 module, the cards are being detected and come up with no errors. The problem is that no traffic is coming back across these cards. When I ping from the LEAF machine and sniff the traffic, I see ARP requests being sent by the LEAF box and answered by the other machine. But no ICMP packets are being sent.

Any ideas

Thanks
[leaf-user] Network Configuration Ideas
Ok, since CPU asked. I didn't want to put this on list, because it isn't a Leaf question per se, however I'm struggling with what to do with this.

In the simplest terms possible, I have a 4 subnet network, with each subnet at a different physical location. Location 1 has the internet connection, and the core server (read: Citrix) for all the other locations. Internet connectivity is via a proxy server on the location 1 subnet. I would like to eliminate the proxy, and replace it with Leaf with no proxy. The problem is that this would give anyone in Location 1 two routes off their network. The connections to the remote subnets are via T1 and they all connect to location 1 via a Cisco router which has no free connections.

Must have goals: eliminate proxy server, provide one route off of the Location 1 subnet.

Would like goals: Avoid having Leaf as failure point between subnet 1 and the remote subnets. Avoid purchasing a new Cisco router.

Unfortunately, it seems that my best option would be to put another adapter in the Leaf router, and renumber subnet 1, so that everything converges at Leaf on the old subnet 1 address. However, since I'm using old commodity hardware for that task, and internet connectivity is less important to the business than the connectivity between the locations, I would love to keep this from becoming a point of failure.

Any ideas on what to do here? Or have I exhausted my options and I need to violate one of my would like goals? I don't know Cisco, but I suspect if I did I could make short work of this problem.

- Bob Coffman
RE: [leaf-user] Network Configuration Ideas
Route 1: Via Leaf (or currently a Routefinder acting as a proxy) 10.0.0.250 - Internet
Route 2: Via Cisco to the remote subnets - 10.0.0.1 - Remote subnets

> When you say you don't want LEAF as a single failure point, do you mean you don't want LEAF to be a NAT'ing firewall for your internet connection as well as performing the routing and/or tunnelling between your subnets?

Exactly. As much as I know that Leaf is completely capable of performing this function, it just introduces another failure point to their network that I don't want.

Thanks

- Bob Coffman

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James Neave
Sent: Tuesday, June 28, 2005 9:06 AM
To: Robert K Coffman Jr - Info From Data Corporation; leaf-user@lists.sourceforge.net
Subject: RE: [leaf-user] Network Configuration Ideas

Hi,

When you say two routes, do you mean:
1: NATed behind the LEAF box.
2: Through a Citrix session.

When you say you don't want LEAF as a single failure point, do you mean you don't want LEAF to be a NAT'ing firewall for your internet connection as well as performing the routing and/or tunnelling between your subnets?

Regards,
James.
RE: [leaf-user] Network Configuration Ideas
Right on! Thanks for taking time to understand this

- Bob

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James Neave
Sent: Tuesday, June 28, 2005 10:10 AM
To: Robert K Coffman Jr - Info From Data Corporation; leaf-user@lists.sourceforge.net
Subject: RE: [leaf-user] Network Configuration Ideas

Er, Wait, is this what you mean?

If there were two routers in subnet1, one to the internet (LEAF) and one to the other subnets (Cisco), then two routes would have to be added to the client machines and you don't want that (sounds nasty)?

Whereas if you made the LEAF box route the traffic from subnet1 to subnet2 via the Cisco you would have 2 points of failure for traffic between the LEAF box and the Cisco. But this would give you one default route on the client boxes which is really what Windows likes.

Now do I get you?

Regards,
James.
RE: [leaf-user] [Slightly OT] ICMP et al
What version of Windows? One remote possibility: http://support.microsoft.com/kb/q244539/

- Bob Coffman

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Erich Titl
Sent: Tuesday, June 28, 2005 2:25 PM
To: leaf-user-lists.sourceforge.net
Subject: [leaf-user] [Slightly OT] ICMP et al

Hi folks

As the subject suggests, this is a bit off topic, but as a LEAF system is involved please excuse me.

I am baffled by the behaviour of a M$ application (IIS) on a customer network. This network is a hub and spoke structure built with Bering glibc routers. Some of the locations use DSL, others cable modem. The spokes are IPSec connections to the hub network. In the hub network there is an IIS server with a WEB application.

A client system on one of the client networks requests a page (or rather a web based application) on the server. I can observe the normal packet flow between client and server until the server tries to send a packet of size 1452 bytes to the client (with DF bit set). I _believe_ IPSec decides that this packet is too large to be passed to the other side so the Bering system sends an ICMP fragmentation needed packet to the server with a size proposal of 1319 bytes. I would expect the server to reduce the packet size accordingly but alas it does not.

Am I just naive to expect M$ to follow or is it compulsory only to respect ICMP?

Thanks

Erich
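The exchange Erich describes (a 1452-byte DF packet answered by an ICMP "fragmentation needed" message proposing 1319 bytes) is what path MTU discovery relies on the sender to act upon. As an added example that is not part of the thread, the parser below decodes and validates such a message and derives the segment size the server should have dropped to; the packet bytes, addresses and ports are constructed, not captured from Erich's network.

```python
"""Parse an ICMP 'fragmentation needed' message (type 3, code 4) and derive what
a cooperating sender should do with it.  Added example, not from the list
thread; the packet below is constructed to mirror the case in the post: a
1452-byte TCP segment with DF set, answered with a next-hop MTU of 1319."""
import socket
import struct

ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED = 3, 4
IP_PROTO_TCP = 6
DF_FLAG = 0x4000
IP_TCP_OVERHEAD = 40      # 20-byte IPv4 header + 20-byte TCP header, no options


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum of 16-bit words; 0 means 'verifies'."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(total_length: int, src: str, dst: str,
                df: bool = True, proto: int = IP_PROTO_TCP) -> bytes:
    """Minimal 20-byte IPv4 header (header checksum left zero; not inspected here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0x1234,
                       DF_FLAG if df else 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def frag_needed(next_hop_mtu: int, offending_ip_header: bytes,
                offending_l4_first8: bytes) -> bytes:
    """Build the message a router sends back: 8-byte ICMP header carrying the
    next-hop MTU, then the offending IP header plus 8 bytes of its payload."""
    body = offending_ip_header + offending_l4_first8
    head = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu)
    csum = inet_checksum(head + body)
    return head[:2] + struct.pack("!H", csum) + head[4:] + body


def parse_frag_needed(icmp: bytes) -> dict:
    """Validate and decode a type 3 / code 4 message; raise ValueError otherwise."""
    if len(icmp) < 8 + 20 + 8:
        raise ValueError("truncated ICMP message")
    typ, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (typ, code) != (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED):
        raise ValueError(f"not fragmentation-needed: type {typ} code {code}")
    if inet_checksum(icmp) != 0:
        raise ValueError("ICMP checksum mismatch")
    ip = icmp[8:]                          # quoted header of the packet that was too big
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    flags = struct.unpack("!H", ip[6:8])[0]
    proto = ip[9]
    l4 = ip[ihl:ihl + 8]
    sport, dport = (struct.unpack("!HH", l4[:4])
                    if proto == IP_PROTO_TCP and len(l4) >= 4 else (None, None))
    return {
        "next_hop_mtu": mtu,
        "original_length": total_len,
        "df": bool(flags & DF_FLAG),
        "src": socket.inet_ntoa(ip[12:16]),
        "dst": socket.inet_ntoa(ip[16:20]),
        "proto": proto, "sport": sport, "dport": dport,
    }


def recommended_mss(next_hop_mtu: int) -> int:
    """Largest TCP payload that fits the reported MTU without fragmentation."""
    return next_hop_mtu - IP_TCP_OVERHEAD


def should_shrink(report: dict) -> bool:
    """True when the sender must reduce its segment size: DF was set and the
    reported MTU (non-zero, i.e. an RFC 1191 router) is below the packet size."""
    return report["df"] and 0 < report["next_hop_mtu"] < report["original_length"]


def demo() -> dict:
    """Constructed exchange: web server 10.1.0.10:80 sent 1452 bytes DF to 10.2.0.20."""
    offending = ipv4_header(1452, "10.1.0.10", "10.2.0.20")
    tcp_first8 = struct.pack("!HHI", 80, 3456, 1)   # sport, dport, seq (constructed)
    return parse_frag_needed(frag_needed(1319, offending, tcp_first8))


if __name__ == "__main__":
    r = demo()
    print(r)
    print("shrink needed:", should_shrink(r),
          "-> MSS", recommended_mss(r["next_hop_mtu"]))
```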
RE: [leaf-user] Network Configuration Ideas
Thanks James and Charles for your excellent emails on this topic. You have solidified my feeling that the Cisco is the key to the whole scenario. I guess I'll have to approach it from that perspective. It's probably a good thing, since a) I know no Cisco and b) nobody knows the password to the Cisco. But I have a method to reset it. If I screw it up, hello new Leaf router!

Thanks!

- Bob Coffman
RE: [leaf-user] Beringuclibc 2.2.3 on Hard disk
> A compact flash uses a lot less energy than a hard drive - especially since it is only needed for loading and backup. I write protect mine with software after boot up.

Very true. No router should have a running HD in it. However with hdsupp you can spin the HD down after boot. I use the following script to accomplish this which I believe has been posted here before:

#! /bin/sh
# Script to spin down hard drive
# /etc/init.d/spindown
RCDLINKS=2,S98

# Spin it down then.
/usr/sbin/hdparm -y /dev/hda
exit 0

As far as securing this, I don't know that you can disable a HD until the next boot, so the flash drive has an advantage there. (Although if someone has gotten that far, couldn't they circumvent your write protection?)

When running backups, or mounting /dev/hda1, it spins back up on its own. Remember to run this script when you are done backing up etc...

- Bob Coffman
[leaf-user] RE: Privoxy Build
Ok, I setup the Bering uClibc build environment and attempted a compile on my own. It failed. The tail from the log follows:

pcre/pcre.o pcre/pcreposix.o -lnsl
cgi.o(.text+0x2c8): In function `dispatch_known_cgi':
: undefined reference to `cgi_error_disabled'
collect2: ld returned 1 exit status
make[1]: *** [privoxy] Error 1
make[1]: Leaving directory `/home/bcoffman/src/bering-uclibc/buildtool/source/privoxy/privoxy-3.0.3-stable'
make: *** [privoxy-3.0.3-stable/.build] Error 2
make: Leaving directory `/home/bcoffman/src/bering-uclibc/buildtool/source/privoxy'

Anyone have any suggestions for this error?

- Bob Coffman
RE: [leaf-user] Extremely poor throughput
> Can you be a bit more specific about the setup details? Are you trying to describe a setup like this

eth0 - 10 (or 100) Mbps NIC connecting to the Internet
eth1 - 10 (or 100) Mbps NIC connecting to LAN A (eth1, 192.168.1.0 network)
eth2 - 10 (or 100) Mbps NIC connecting to LAN B (eth2, 192.168.3.0 network)
ftp client on LAN A or B (from either net, same issue)
ftp server is on the internet (for testing, my local office network, which is private network 192.168.2.0, ftp server is 192.168.2.3)

I've removed norfc1918 from eth0 in the interfaces file for testing. Both local nets are MASQ'ed through eth0. LANs A and B have routes to each other (i.e., the router does NOT NAT this traffic, however I block traffic between them - see rules below.)

> ftp throughput is between 50 Kbps and 100 Kbps, depending on NICs tested?

- range is actually around 40-120.

> ftp server actually does (not can easily) deliver 80 Mbps to an ftp client on local lan

- correct.

ftp: 131170400 bytes received in 11.69Seconds 11222.66Kbytes/sec

I tested SCP from the firewall to my local network (ie connecting to eth0) and it was not fast, approximately 23Kbs (that's bits and forgive me for changing terms if I do it.) The total data transferred was 2.67 megabytes.

> After a slow transfer, what does ip -s link show report? Are there significant numbers of bad packets?

Possibly, output follows from the post SCP transfer described above. Eth0 is plugged into a Netgear switch:

1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    RX: bytes  packets  errors  dropped overrun mcast
    2152       16       0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    2152       16       0       0       0       0
2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    0          0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    0          0        0       0       0       0
3: eth0: <BROADCAST,MULTICAST,NOTRAILERS,UP> mtu 1500 qdisc htb qlen 1000
    link/ether 00:00:c0:98:d9:8f brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    223554     2573     0       0       0       58
    TX: bytes  packets  errors  dropped carrier collsns
    3142834    4217     3       0       0       56
4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:00:c0:ab:f5:9d brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    4228       46       0       0       0       2
    TX: bytes  packets  errors  dropped carrier collsns
    60         1        0       0       0       0
5: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:00:c0:79:f4:9d brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    0          0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    6480       54       0       0       0       0

> During a slow transfer, what does top report about CPU load? If this is high ... is the router running unusually complex iptables (Shorewall) rulesets? (If yes, please report the details.)

- No, CPU usage is very low. I think the rulesets are very simple, however I've posted them below just in case. Please note I've trimmed all comments except one, and I've removed an ACCEPT line that allows me to SSH from an internet .

# /etc/shorewall/policy
loc   net   ACCEPT
loc3  net   ACCEPT
loc   loc3  REJECT
loc3  loc   REJECT
net   all   DROP    ULOG
all   all   REJECT  ULOG

# /etc/shorewall/rules
ACCEPT  fw    net   tcp   53
ACCEPT  fw    net   udp   53
ACCEPT  loc   fw    tcp   22
ACCEPT  loc   fw    icmp  8
ACCEPT  loc3  fw    icmp  8
ACCEPT  net   fw    icmp  8
ACCEPT  fw    loc   icmp  8
ACCEPT  fw    loc3  icmp  8
ACCEPT  fw    net   icmp  8
ACCEPT  loc   fw    udp   53
ACCEPT  loc3  fw    udp   53
ACCEPT  loc   fw    tcp   80
ACCEPT  loc   fw    tcp   stat
ACCEPT  fw    net   udp   ntp
ACCEPT  loc   fw    udp   ntp
ACCEPT  loc3  fw    udp   ntp
ACCEPT  fw    net:63.208.196.94  tcp  www
# Testing only, remove before installation!
ACCEPT  net   fw
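The rules above end with the entry marked "Testing only, remove before installation!", which accepts every protocol and port from the net zone to the firewall. As an added example (not code from the thread or from Shorewall itself), here is a small audit script that reads policy and rules tables in the column layout posted above, flags ACCEPT entries from net that name no protocol or port, and flags entries whose comment marks them as temporary; the two embedded tables are constructed from the post.

```python
"""Audit Shorewall 'policy' and 'rules' tables for entries that open the
firewall to the net zone.  Added example, not part of the list thread; the two
tables below are constructed from the configuration posted above (columns:
SOURCE DEST POLICY LOG for policy, ACTION SOURCE DEST PROTO DPORT for rules)."""
import re
from dataclasses import dataclass

POLICY = """\
# /etc/shorewall/policy
loc   net   ACCEPT
loc3  net   ACCEPT
loc   loc3  REJECT
loc3  loc   REJECT
net   all   DROP    ULOG
all   all   REJECT  ULOG
"""

RULES = """\
# /etc/shorewall/rules
ACCEPT  fw    net   tcp   53
ACCEPT  loc   fw    tcp   22
ACCEPT  net   fw    icmp  8
ACCEPT  fw    net:63.208.196.94  tcp  www
# Testing only, remove before installation!
ACCEPT  net   fw
"""

TEMP_MARKER = re.compile(r"test|remove|temporar", re.IGNORECASE)


@dataclass
class Finding:
    severity: str   # critical / high / info
    entry: str      # the offending table line, whitespace-normalised
    reason: str


def parse_table(text):
    """Return (fields, comment) per entry; a comment line is attached to the
    entry that follows it, an inline '#' comment to its own entry."""
    rows, pending = [], ""
    for raw in text.splitlines():
        line, _, inline = raw.partition("#")
        fields = line.split()
        if not fields:
            if inline.strip():
                pending = inline.strip()
            continue
        rows.append((fields, inline.strip() or pending))
        pending = ""
    return rows


def zone(spec):
    """'net:63.208.196.94' -> 'net'; a host qualifier narrows, but the zone decides."""
    return spec.split(":", 1)[0]


def audit_policy(text):
    findings, catch_all = [], False
    for fields, _ in parse_table(text):
        if len(fields) < 3:
            continue
        src, dst, pol = fields[0], fields[1], fields[2].upper()
        if src == "all" and dst == "all":
            catch_all = True
        if src == "net" and pol == "ACCEPT":
            findings.append(Finding("critical", " ".join(fields),
                                    "default policy admits the net zone"))
    if not catch_all:
        findings.append(Finding("high", "(missing)",
                                "no 'all all' catch-all policy; every zone pair must be listed"))
    return findings


def audit_rules(text):
    findings = []
    for fields, comment in parse_table(text):
        if len(fields) < 3:
            continue
        action, src, dst = fields[0].upper(), fields[1], fields[2]
        proto = fields[3].lower() if len(fields) > 3 else "-"
        ports = fields[4] if len(fields) > 4 else "-"
        entry = " ".join(fields)
        if action != "ACCEPT" or zone(src) != "net":
            continue
        if proto == "-":
            findings.append(Finding("critical", entry,
                                    "accepts every protocol and port from the net zone"))
        elif ports == "-" and proto in ("tcp", "udp"):
            findings.append(Finding("high", entry, f"accepts all {proto} ports from the net zone"))
        else:
            findings.append(Finding("info", entry, f"net zone may reach {dst} on {proto} {ports}"))
        if TEMP_MARKER.search(comment):
            findings.append(Finding("high", entry, f"marked as temporary: '{comment}'"))
    return findings


def audit(policy_text=POLICY, rules_text=RULES):
    return audit_policy(policy_text) + audit_rules(rules_text)


if __name__ == "__main__":
    for f in audit():
        print(f"{f.severity:8} {f.entry:<34} {f.reason}")
```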
RE: [leaf-user] Extremely poor throughput
> You did not tell us what is your Internet side. Do you happen to be on a pppoe connection? If so - did you setup CLAMPMSS=YES in Shorewall config? That will really slow things down if you didn't.

Victor thanks for the reply. CLAMPMSS=No. Not using PPPoE.

- Bob Coffman
RE: [leaf-user] Extremely poor throughput
Forgot to add details of FTP server and test client: FTP server is W2003/IIS. Test client is WinXP.

I did reload the original Bering 1.2 config (which used 2 3c509 NICs in a straight 2 interface configuration) and got 2 Megabytes/sec using the FTP test. Hardware appears to be fine after all.

- Bob Coffman
RE: [leaf-user] Extremely poor throughput - RESOLVED
Ray, I disabled the serial ports. If there was a winmodem in this box, I would remove it (or as my brother says, gank it outta there) since it is a router. I'll disable everything I can when I set one up. I happened to choose IRQ 3 for this card because I could set that by jumper, and therefore avoid finding the configuration software, booting to DOS and setting it that way. The other two cards (smc-ultra.o is the module) I did take the time to software configure.

I was reviewing the configuration closely (ie verifying correct modules, etc) and realized that I was loading some packages this router did not require. The reason for that was I built it from my own router and modified through lrcfg to the specifications I needed for this application. I removed some packages that I had for OpenVPN's dependencies - no effect on throughput. Then I removed qos-htb and tc. Voila, the router, through 2 ancient ISA 10MB NICs, was moving 597Kbs, more than enough for this application.

I saw a line in the qos-htb config (prior to its removal) setting a cap at 120K - exactly what I got in my best case scenario yesterday. It's probably the default, since I haven't taken the time to learn exactly how traffic shaping works and as a result I ran into this problem.

Thanks everyone for your help and I hope someone else benefits from this exercise. I've learned a few things along the way.

- Bob Coffman
[leaf-user] Extremely poor throughput
Just throwing this out there and see if anyone has any ideas. I have an old P75 with 2 PCI slots and 4 ISA slots. I've been using this as a Bering 1.2 router at a customer location. They asked me to add an additional NIC to it to support another office's internet connection. While I was at it, I upgraded them to Bering uClibc 2.2.2.

I tested this router after it was completed, and got extremely bad throughput (around 50kbs from a local FTP server that can easily deliver 10MBs (that should be megabytes) per second). I moved some things around, eliminated a 10MB hub, tried various NICs (3c59x/tulip in the PCI, smc-ultra/wd in the ISA slots) and found the best throughput I could get was around 100kbs, and that was using all ISA cards!

My theory is that there is some sort of hardware problem with this machine which is limiting this. The slots are all on a riser card, and perhaps that thing is bad. I'm going to install as is, and inform the customer that we need to replace the hardware. Anyone have any alternative ideas why this thing is so slow?

- Bob Coffman
[leaf-user] Privoxy Build
Hello. I'm taking a look at Privoxy on a uClibc 2.2.2 machine, as it appears as though it may solve a problem for me. However, in order to use it, I need it compiled with the following options: --disable-force, --disable-toggle and --disable-editor as per the configuration file. Unless there is another way to prevent these things from the Privoxy error page (toggle can be disabled from the config, but I don't see how force or the editor can be.)

Has anyone built Privoxy with these options disabled?

Thanks

- Bob Coffman
[leaf-user] DNSMASQ Exiting?
Bering uClibc ver. 2.2.2 on VMWare. dnsmasq 2.16 Rev 1

I've noticed on a couple of occasions that DNSMASQ had stopped. The latest was this morning. I had restarted the host machine yesterday at 4:00PM and I can see in the logs DNSMASQ starting. This morning, I noticed Google taking a long time to come up, so I checked DNS and discovered it wasn't running on the firewall. I could not find anything in the logs indicating why it stopped.

I use DNSMASQ for DNS resolution on my internal network, and it uses the DNS servers supplied by my ISP's DHCP server. I also have DNSMASQ set up to provide DHCP to one subnet.

How do I debug this?

- Bob Coffman
RE: [leaf-user] DNSMASQ Exiting?
The DNSMASQ maintainer contacted me regarding this. I'm using version 2.16 which he indicated had a crash bug in it and was no longer available. I see there is an updated package available (2.20). I'm switching now.

Thanks!

- Bob Coffman

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robert K Coffman Jr - Info From Data Corporation
Sent: Thursday, March 24, 2005 9:04 AM
To: leaf-user@lists.sourceforge.net
Subject: [leaf-user] DNSMASQ Exiting?

Bering uClibc ver. 2.2.2 on VMWare. dnsmasq 2.16 Rev 1

I've noticed on a couple of occasions that DNSMASQ had stopped. The latest was this morning. I had restarted the host machine yesterday at 4:00PM and I can see in the logs DNSMASQ starting. This morning, I noticed Google taking a long time to come up, so I checked DNS and discovered it wasn't running on the firewall. I could not find anything in the logs indicating why it stopped.

I use DNSMASQ for DNS resolution on my internal network, and it uses the DNS servers supplied by my ISP's DHCP server. I also have DNSMASQ set up to provide DHCP to one subnet.

How do I debug this?

- Bob Coffman
[leaf-user] Rack Mounted PCs for leaf
I've got an application where I'd like to use a rack mounted PC for a Bering uClibc firewall. Doesn't need to be fancy, I only need two NICs although a third would be nice (or a PCI slot.) I'd also like to get it shipped ASAP.

Any recommendations?

- Bob Coffman
RE: [leaf-user] Cant connect to external https site
Tried IE 6.0.29 and Firefox 1.0. Both came up with an order status screen. Bering 2.2.2

- Bob Coffman

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Lars
Sent: Friday, March 11, 2005 5:34 AM
To: leaf-user@lists.sourceforge.net
Subject: [leaf-user] Cant connect to external https site

Came to my mind that anyone can test: Browse to http://www.elfa.se/en/ and press the button "Order status" at the bottom of the page. For me nothing comes up and the browser times out after a while. (You don't need an account at Elfa to test this)

/Lars
[leaf-user] VMWare VMXNET Driver
Has anyone compiled this for Bering? In my case I'm looking for one for uclibc 2.2.2 (and soon 2.2.3). Low priority, as the other NIC that VMWare emulates works fine, just wondering.

- Bob Coffman
RE: [leaf-user] OPenvpn.lrp newbie
I'm not securing a wireless net, but I did use the following statement in the OpenVPN configuration file to set up the route between two private nets:

route 192.168.12.0 255.255.255.0 10.1.0.1

i.e. route remotenet subnetmask gateway. HTH.

- Bob Coffman

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tibbs, Richard
Sent: Tuesday, November 30, 2004 8:55 AM
To: Livio R.
Cc: [EMAIL PROTECTED]
Subject: RE: [leaf-user] OPenvpn.lrp newbie

Oops, didn't know I had to supply the script...! Downloaded a couple of how-tos (openvpn howto, as well as a guide on shorewall's site). I also found a web page for something that I definitely want to do: secure my wireless network with openvpn. This page was http://slackerbit.ch/archives/2002/12/11/securing_wifi_with_openvpn.html .

Only question I have is what the parameters are: The openvpn howto says

route add -net 10.0.1.0 netmask 255.255.255.0 gw $5

The wifi howto (link above) says

route add default $1

Can anyone tell me what the parameters are and how many? Which of these is going to work ... ?

TIA Rick.

-----Original Message-----
From: Livio R. [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 30, 2004 6:01 AM
To: Tibbs, Richard
Subject: Re: [leaf-user] OPenvpn.lrp newbie

replace

up ./route-a.up

with

up /path/route-a.up

if openvpn can't find the script, it will not be happy. also make sure you chmod +x the file.

Livio AT Ravetto . Org

Tibbs, Richard wrote:

Dear list. I am experimenting with openvpn.lrp. I have loaded the following packages in addition to J. Nilos tun.o module.

openvpn
libssl
libcrypt

The firewall is otherwise functioning normally, I have web access, etc. In daemon.log, openvpn does fine until the ifconfig command fails. Then openvpn exits. The relevant log lines are shown below and my openvpn.conf is included. Any help is appreciated.

Rick

Nov 29 17:30:48 firewall openvpn[16040]: Static Encrypt: HMAC KEY: xxx (RWT deleted it)
Nov 29 17:30:48 firewall openvpn[16040]: Static Encrypt: HMAC size=20 block_size=64
Nov 29 17:30:48 firewall openvpn[16040]: Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Nov 29 17:30:48 firewall openvpn[16040]: Static Decrypt: CIPHER KEY: b267482e 60b9dc38 8a4d4c18 6f8fb390
Nov 29 17:30:48 firewall openvpn[16040]: Static Decrypt: CIPHER block_size=8 iv_size=8
Nov 29 17:30:48 firewall openvpn[16040]: Static Decrypt: Using 160 bit message digest 'SHA1' for HMAC authentication
Nov 29 17:30:48 firewall openvpn[16040]: Static Decrypt: HMAC KEY: xx (RWT deleted it)
Nov 29 17:30:48 firewall openvpn[16040]: Static Decrypt: HMAC size=20 block_size=64
Nov 29 17:30:48 firewall openvpn[16040]: MTU dynamic=1300
Nov 29 17:30:48 firewall openvpn[16040]: Data Channel MTU parms [ udp_mtu=1300 extra_frame=44 extra_buffer=0 extra_tun=0 dynamic = [ mtu_min_initial=MTU_INITIAL_UNDEF mtu_max_initial=MTU_INITIAL_UNDEF mtu_initial=MTU_SET_TO_MAX mtu_min=144 mtu_max=1300 mtu=1300 ]]
Nov 29 17:30:48 firewall openvpn[16040]: TUN/TAP device tun0 opened
Nov 29 17:30:48 firewall openvpn[16040]: /sbin/ifconfig tun0 10.1.1.1 pointopoint 10.1.10.2 mtu 1256
Nov 29 17:30:48 firewall openvpn[16040]: Linux ifconfig failed: could not execute shell command
Nov 29 17:30:48 firewall openvpn[16040]: Exiting

openvpn.conf ==

# Use a dynamic tun device.
dev tun
local my.pub.lic.IP
# Our remote peer
remote public IP address of laptop
# 10.1.0.1 is our local VPN endpoint
# 10.1.10.2 is our remote VPN endpoint
ifconfig 10.1.1.1 10.1.10.2
up ./route-a.up
# Our pre-shared static key
secret static.key
[leaf-user] Leaf Bering uClibc
Let me add my thanks and congratulations to the Bering uClibc developers. As good as Bering 1.2 was, it has definitely improved in the most recent uClibc incarnation. My first firewall conversion from 1.2 went extremely well, and I'm looking forward to converting the other 3 production systems I'm responsible for.

It seems to me that the only ongoing maintenance this firewall will have is the shorewall bogons and rfc1918 files. The other two things I needed to have updated (NTP addresses and ISP DNS server addresses) are no longer an issue.

Thanks again!

- Bob Coffman
[leaf-user] Natsemi.o
I have not had luck with Bering uclibc -- some of my NICs are natsemi, and I could not get a working natsemi.o. Is this really an issue? I've got several 1.2 boxes that I was planning on eventually moving to uclibc but this would be a showstopper.

- Bob Coffman
RE: [leaf-user] WinSCP with Bering Uclibc 2.2.2 (Dropbear)
I had to disable the autostart of lrcfg to use WinSCP with Bering 1.2. Modify the .profile file in the user's to remark out the /usr/sbin/lrcfg line (i.e. #/usr/sbin/lrcfg). You'll get an error message about groups that you can safely ignore.

- Bob Coffman

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Troy Aden
Sent: Monday, November 08, 2004 2:52 PM
To: Leaf-User (E-mail)
Subject: [leaf-user] WinSCP with Bering Uclibc 2.2.2 (Dropbear)

Hello list. I am trying to get WinSCP to connect to my Bering box running Dropbear. I know that I am being authenticated because I have tried it with a false password and gotten rejected. What happens is that it tells me "starting the session" and times out. I am allowing ssh port 22 to connect to my firewall and I can login with ssh (putty) just fine. Is there something I am missing in my Bering configs? I am assuming that others have used WinSCP to copy files to and from their Bering boxes so I am assuming that I am just missing something simple here. Maybe I have mis-configured WinSCP as well... Any pointers would be most appreciated.

Thanks in advance!

Troy
RE: [leaf-user] LRP router failing? - Alcatel SpeedTouchHome (STH)DSL line-quality info
Dale,

If I am understanding correctly, you've confirmed:

1. The Win98 box doesn't drop packets ever (i.e. their equipment works)
2. Your equipment works (connected the laptop to the DachBox via a crossover cable and dropped no packets from the laptop to the LEAF router or from the LEAF router to the laptop.)

This smells like an autonegotiation problem between their equipment and yours. What NICs are in your machine? After you try another NIC, I would give another type of NIC a shot.

- Bob Coffman
RE: [leaf-user] RE: Bering and VMware - No network connectivity
I have seen this working with Bering 1.2 on GSX (and Workstation.)

/etc/modules

#VMWare PCNET32 Cards
mii
pcnet32

The only problem I've seen with this configuration is port forwards to RDP targets (port 3389 I believe.) What I observed was after sending your credentials to the RDP host, the connection would drop. This occurred every time with VMWare Workstation. With GSX, it only occurs when connecting to the host machine (even though in both cases the host had a dedicated NIC.) It appears to me to be a problem with the VMWare bridge protocol. Same configuration ported to a physical machine works fine.

Also, this booted from an IDE disk, which I'm not sure ESX supports. There was no need for the floppy boot that Ronny described below.

Also, be sure to disable all non-essential networking components from your interfaces. For the configuration I described above, we disabled everything but the VMWare Bridge Protocol.

- Bob Coffman

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ronny Aasen
Sent: Monday, October 11, 2004 4:22 AM
To: leaf
Cc: Paul Reynolds
Subject: Re: [leaf-user] RE: Bering and VMware - No network connectivity

i have this working using bering-uclibc, i use pcnet32 (don't forget the mii module) on the vlance virtual nic. only problem i had was that i was unable to boot on the virtual scsi harddrive, and had to boot using a virtual floppy image, and save my config and packages on the virtual scsi disk. the virtual bering is used as a firewall between the internet and the virtual servers running on the virtual lan.

from what you write, i would guess that you need to uncomment the mii module also, (copy it over if you don't have it already)

good luck
Ronny Aasen

On Sun, 2004-10-10 at 15:30, Paul Reynolds wrote:

Hi Everyone,

I am new to LEAF and am trying to get Bering working under VMware, but I am unable to get the networking component working. I have turned Shorewall and iptables off, to eliminate problems. (in fact I deleted them from the syslinux.cfg file)

I am using a static ip address and am unable to ping other machines on my network but I am able to ping the interface. My virtual network device is vlance - (thus I should be able to use the pcnet32 module). I copied across the pcnet32.o module from the Bering extra modules website. I have installed the module and uncommented the pcnet32 line in the modules file. I have backed everything up and restarted networking, but I am still unable to ping other machines on my network. I know the LAN details are correct as they work with other on another PC.

Details:

command: lsmod
Modules   Pages   Used by
pcnet32   13300   1
mmi        2092   0  [pcnet32]

command: ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:0c:29:70:86:dc brd ff:ff:ff:ff:ff:ff
    inet 192.168.184.229/24 brd 192.168.184.255 scope global eth0

Note: VMware tools is not installed.

Is there a guide to using Bering or any LEAF distro with VMware?

Any help is much appreciated.

Thanks
RenO

-- 
Ronny Aasen [EMAIL PROTECTED]
[leaf-user] Linksys WMP54G
Nothing in the archives, anyone using a Linksys WMP54G with Bering (1.2 preferred but info on any version appreciated.)

- Bob Coffman
RE: [leaf-user] Updating DYNDNS - Solution
I'm using dyndns.org and ezipupdate on Bering 1.2 on several boxes - no problems so far.

- Bob Coffman

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Erich Titl
Sent: Tuesday, October 05, 2004 8:45 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [leaf-user] Updating DYNDNS - Solution

Bruce

At 23:08 05.10.2004 +1300, Bruce McNamara wrote:

I use dyndns as my provider.

That's probably it, I am using zoneedit and hardly ever had a problem. Either dyndns changed its request format or they are plain and simply broken. They always return a code 2xx which means success, even with wrong authentication.

cheers

Erich

THINK
Püntenstrasse 39
8143 Stallikon
mailto:[EMAIL PROTECTED]
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16
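The "2xx even with wrong authentication" behaviour above is what a client sees when it trusts the HTTP status alone; this added example (not ez-ipupdate's or dyndns.org's code) assumes the DynDNS v2 update protocol, where the outcome is a return code word in the response body, and shows a client deciding success, retry or stop from that body. The responses at the bottom are constructed.

```python
"""Judge a DynDNS-style update by its body, not its HTTP status code.

Added example, not ez-ipupdate's or dyndns.org's code. Assumes the DynDNS v2
update protocol: the server answers HTTP 200 for nearly every outcome and
puts the real result, one code word per line, in the response body.
"""
from dataclasses import dataclass
from typing import List, Optional

# DynDNS v2 return codes, grouped by what a client should do about them.
SUCCESS = {"good", "nochg"}                         # applied / already current
AUTH_FAILURE = {"badauth", "!donator", "badagent"}  # stop: credentials or client
HOST_FAILURE = {"nohost", "notfqdn", "numhost", "abuse"}  # stop: fix the config
SERVER_FAILURE = {"dnserr", "911"}                  # back off, retry later


@dataclass(frozen=True)
class UpdateResult:
    code: str               # return code word from the body
    address: Optional[str]  # address echoed after "good"/"nochg", if any
    ok: bool
    retry: bool             # safe to retry automatically, without a human?
    reason: str


def classify(code: str, address: Optional[str]) -> UpdateResult:
    if code in SUCCESS:
        return UpdateResult(code, address, True, False, "update accepted")
    if code in AUTH_FAILURE:
        # Blind retries with bad credentials are what get an account blocked.
        return UpdateResult(code, address, False, False,
                            "authentication rejected; stop and alert")
    if code in HOST_FAILURE:
        return UpdateResult(code, address, False, False, "hostname/config problem")
    if code in SERVER_FAILURE:
        return UpdateResult(code, address, False, True, "server error, retry later")
    return UpdateResult(code, address, False, False, "unknown return code")


def parse_update_response(status: int, body: str) -> List[UpdateResult]:
    """One result per body line; a 2xx status on its own proves nothing."""
    if not 200 <= status < 300:
        return [UpdateResult(f"http{status}", None, False, True, "non-2xx HTTP status")]
    results = []
    for line in body.splitlines():
        parts = line.split()
        if not parts:
            continue
        code = parts[0]
        address = parts[1] if len(parts) > 1 and code in SUCCESS else None
        results.append(classify(code, address))
    return results or [UpdateResult("empty", None, False, True, "empty body")]


def update_succeeded(status: int, body: str) -> bool:
    """True only if every hostname in the response was accepted."""
    return all(r.ok for r in parse_update_response(status, body))


# Constructed responses: both are HTTP 200, only the first updated anything.
SAMPLE_OK = (200, "good 203.0.113.7\n")
SAMPLE_BADAUTH = (200, "badauth\n")

if __name__ == "__main__":
    for status, body in (SAMPLE_OK, SAMPLE_BADAUTH):
        for r in parse_update_response(status, body):
            print(status, r.code, "OK" if r.ok else "FAIL", "-", r.reason)
```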
RE: [leaf-user] again: DHCP and IPSEC lost default route
Erich,

I'd be interested in the versions you are running. I'm on Bering 1.2 and I have a single IPSEC tunnel and am using DHCP for my external interface (cable modem.) I've never seen this happen.

- Bob Coffman

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Erich Titl
Sent: Wednesday, September 29, 2004 6:41 AM
To: [EMAIL PROTECTED]
Subject: [leaf-user] again: DHCP and IPSEC lost default route

Hi everybody

I know there has been a thread on this issue, I am losing the default route regularly on a link with dhcp and ipsec. Typically the default route is taken over by the ipsec interface when this occurs. The proposed solution was always `check the link`. Has anyone made progress in detecting _why_ this happens at all?

thanks

Erich

THINK
Püntenstrasse 39
8143 Stallikon
mailto:[EMAIL PROTECTED]
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16
RE: [leaf-user] using ez-ipupdate behind NAT
Correct me if I'm wrong, and I've found this to be poorly documented, but can't ez-ipupdate handle this on its own? I.e. from my own configuration file:

max-interval=604800

I believe max-interval is in seconds, and I believe it does what you are trying to do. I'm on Bering 1.2.

Clarification of this could help us both out.

- Bob Coffman
RE: [leaf-user] DHCP NTL cable problem.
(DHCP clients normally write lease information in human-readable form somewhere; I forget where pump does it, but surely its man page tells you.)

This information can be easily viewed in the daemon.log on a Bering router, which I use to verify that my ISP's DNS servers are correctly configured in dnscache.

- Bob Coffman
RE: [leaf-user] Bering-uClibc 2.1.3 ProxyARP and DMZ settings again
I set up one Bering 1.2 router with Proxyarp. I don't recall needing to add the IP addresses to the external interface. I just had to specify them in the proxyarp file. For the interface addressing I believe I followed Tom Eastep's recommendations.

The client I built this for is dragging its feet on implementation so I can't get to it right now to send you the config, but I'll ask them to put it up this afternoon so I can take a look.

From what I can tell, Proxyarp is what you want.

- Bob Coffman

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, July 22, 2004 9:59 AM
To: [EMAIL PROTECTED]
Subject: [leaf-user] Bering-uClibc 2.1.3 ProxyARP and DMZ settings again

This is round two since I didn't get any responses last time. I know you guys are busy but if you could just look through what I have so that I know I setup my firewall correctly. I really appreciate it. Thanks in advance.

I am a complete newbie to Linux and firewalling. I have only known windows operating systems up until now, so bear with me please. I have recently got my LAN working with LEAF but I am now having trouble setting up my DMZ.

I have five (Cable Modem) static IP's: 24.227.166.194 thru 24.227.166.198. My default gateway is 24.227.166.193 with a netmask of 255.255.255.248. In this setup, 2 of my ip's won't be used. I have the cable modem going into eth0 of Bering-uClibc 2.1.3 machine. I have eth1 going to a wireless router/switch which serves my lan. Then I have eth2 (trying to setup a dmz) which goes to a switch which goes to a web server (24.227.166.197) {you can go there now if you want [not much to see yet], i think it is working now} and a media server {this server is down right now by choice} (24.227.166.198). Both run MS Server 2003 Enterprise Edition. Both servers need their own port 80.

I was reading Eastep's Shorewall setup for proxyARP and was trying to duplicate that but am having trouble. I am curious to know if you think Proxy ARP is the best way to go for my setup? Safety and security? My setup is at home but I am running this for commercial use, so it has to be up and on line as much as possible.

As I was writing this email I think I got proxyARP working on my LEAF. That's the second time that's happened to me. But if you could, check my settings to see if everything looks right (Blocking and Forwarding).

Here are my current settings:

In network Configuration: Interfaces File I have:

auto eth0
iface eth0 inet static
    address 24.227.166.194
    netmask 255.255.255.248
    broadcast 24.227.166.255
    gateway 24.227.166.193
    up ip addr add 24.227.166.195/29 brd 24.227.166.255 dev eth0 label eth0:1
    up ip addr add 24.227.166.196/29 brd 24.227.166.255 dev eth0 label eth0:2
    #up ip addr add 24.227.166.197/29 brd 24.227.166.255 dev eth0 label eth0:3
    #up ip addr add 24.227.166.198/29 brd 24.227.166.255 dev eth0 label eth0:4

If you notice here, I wasn't completely sure what to do, but this is how it reads right now. Like I said before these are my 5 static IP's. I am not trying to use *.195 and *.196. I just added them to this file in case I need them later (maybe DNAT, port forwarding) and it is interesting to watch their activity on the weblet log. I want to use *.197 and *.198 as my two DMZ addresses. After reading Tom Eastep's Shorewall setup guide (for multiple ip addresses) I remarked the lines because he said not to add them (ProxyARP addresses) to my interfaces file. I guess this is what he meant, however I am not sure if it was or not.

Then further down on Step 2 (Configure internal interface) I have:

auto eth1
iface eth1 inet static
    address 192.168.1.254
    netmask 255.255.255.0
    broadcast 192.168.1.255

Then further down on Step 3 (Configure DMZ) I have:

auto eth2
iface eth2 inet static
    address 192.168.2.254
    netmask 255.255.255.0
    broadcast 192.168.2.255

Then on Network configuration - Resolv.conf I have my dns nameservers entered (Given to me by my Cable Modem ISP).

Nameserver 24.93.40.62
Nameserver 24.93.40.63

Then in Packages Configuration: Shorewall I have:

I made no changes to PARAMS file

I changed Zones file to read:

#ZONE   DISPLAY   COMMENTS
net     Net       Internet
loc     Local     Local Networks
dmz     DMZ       Demilitarized zone
#LAST LINE

In Interfaces file it reads:

#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,routefilter,norfc1918
loc     eth1        detect
dmz     eth2        detect
#LAST LINE

I made no changes to Hosts file

In Policy file it reads:

#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
loc       net    accept
net       all    drop     ulog
all       all    reject   ulog
#LAST LINE

In Rules it reads:

#ACTION   SOURCE   DEST   PROTO   DEST PORT   SOURCE PORT   ORIGINAL DEST
accept
RE: [leaf-user] How to configure hdsupp in Bering uclibc?
Please read http://leaf.sourceforge.net/doc/guide/bubooting.html

- Bob Coffman

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tibbs, Richard
Sent: Wednesday, July 21, 2004 9:17 AM
To: [EMAIL PROTECTED]
Subject: [leaf-user] How to configure hdsupp in Bering uclibc?

Folks,

I tried a floppy version of bering uclibc (2.1). I want a few more packages than will fit on the floppy, and the Aptiva won't boot from CD. Hdsupp loaded, but I find no config entry in lrcfg for it. (But I can back it up...?) Whadda ya do here?

THX, Rick
RE: [leaf-user] Using LEAF (Bering-uClibc) as a router (no shorewall)
The first thing that came to mind to do this was to change the following in the shorewall policy file:

    all    all    REJECT    ULOG

to

    all    all    ACCEPT

However this doesn't meet the requirement of getting rid of shorewall. Also, I don't know what the performance implications are of doing it this way versus eliminating Shorewall. Maybe someone can comment on that.

- Bob Coffman

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ben Conrad
Sent: Thursday, July 15, 2004 5:59 PM
To: [EMAIL PROTECTED]
Subject: [leaf-user] Using LEAF (Bering-uClibc) as a router (no shorewall)

Hello,

I want to use LEAF as a simple router inside my internal networks. I don't need any firewalling or NAT. What is the best way to turn off all the Shorewall and IPTables configurations so that I can pass all traffic in/out of eth0 and eth1? I tried to rename /etc/rc2.d/S41shorewall and then backed up all the packages, but on next boot the /etc/rc2.d/S41shorewall still exists!

Thanks,
Ben
[leaf-user] DShield.org
Anyone submitting their firewall logs to dshield.org, and if so, how are you doing it?

- Bob Coffman
RE: [leaf-user] Bering on a Compaq2266
> I'd like to move my Bering 1.2 to this little box. Unfortunately as far as I can get is:
>
>     Loading Linux ...
>
> [Sorry, no I didn't count exactly how many periods.]
>
>     Boot failed: please change disks and press a key to continue.

One thing to try is take a 1.44MB floppy, run syslinux on it, and put a copy of the kernel on there from the Bering disk. Then boot with it - that should tell you if it's a floppy drive problem or if the kernel has a problem with your Cyrix chip... It will crash with no packages but at least you can see if you get past the boot failed message. If you succeed, throw another floppy drive in there or boot from CD as someone suggested.

- Bob Coffman
RE: [leaf-user] dyndns, ez-ipupd (update hostname)
What is the impact of the max-interval= setting? I assume that while running as a daemon this is the longest it will go between update attempts, but it is poorly documented.

- Bob Coffman
RE: [leaf-user] HDPARM
Roger,

I set this up on one system so far (not using your .lrp) and it works great. You did it the right way and I'd like to add your lrp to my routers... Old hard drives are too cheap and plentiful, and it's too easy to replace a failed drive, not to take advantage of them.

- Bob Coffman

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Roger E McClurg
Sent: Wednesday, April 07, 2004 4:23 PM
To: [EMAIL PROTECTED]
Subject: [leaf-user] HDPARM

I created an hdparm.lrp package for Bering 1.2. It uses the 5.2 version of hdparm from RedHat 9.0. The package includes a script called spindown. Spindown will automatically put the HD into standby mode (hdparm -y) at the end of the boot process. I can send it to anyone interested, but if the developers think it is useful maybe one of them will agree to put it up on Sourceforge.

Roger
[leaf-user] hdsupp.lrp (or hdparm) for Bering 1.2
Looking for hdparm (or equivalent) for Bering 1.2. Need to be able to shut down the hard drive after the machine boots.

Thanks in advance.

- Bob Coffman
RE: [leaf-user] Problem making Bering CD
The one I use to build CDROMs looks like this:

    display syslinux.dpy
    timeout 0
    default linux initrd=initrd.lrp init=/linuxrc rw root=/dev/ram0 boot=/dev/cdrom:iso9660 PKGPATH=/dev/cdrom LRP=root,

- Bob Coffman

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Luis.F.Correia
Sent: Thursday, March 11, 2004 2:40 AM
To: [EMAIL PROTECTED]
Subject: RE: [leaf-user] Problem making Bering CD

The line starting with 'default' must be in a single line and must not have more than 256 characters!!!

Other than that, in the kernel messages, do you see it recognize the cdrom device?

-----Original Message-----
From: Mike Sussman [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 11, 2004 2:26 AM
To: [EMAIL PROTECTED]
Subject: [leaf-user] Problem making Bering CD

Folks,

I need a little help getting my Bering CD going, if you please. I tried to follow Luis Correia's clear and excellent instructions for changing from a floppy Bering 1.2 system to a CD version. I must not really have followed the directions, because although everything seemed to work fine, it doesn't boot. The boot sequence goes fine until it tries to read the packages, and then tries going to the floppy instead of the CD. The boot messages look like (hand copy):

    Freeing unused kernel memory: 64k freed
    LINUXRC: Bering - Initrd - V1.2
    Using /boot/lib/modules/cdrom.o
    Mounting a 6M TMPFS filesystem ...
    end_request: I/O error, dev 02:00 (floppy), sector 0
    end_request: I/O error, dev 02:00 (floppy), sector 0
    LINUXRC: Could not mount the boot device. Can't install packages
    Kernel panic: Attempted to kill init!

The beginning of my isolinux.cfg file is:

    display syslinux.dpy
    timeout 0
    default linux initrd=initrd.lrp init=/linuxrc rw root=/dev/ram0 boot=/dev/cdrom:iso9660 PKGPATH=/dev/cdrom:iso9660,/dev/fd0:msdos LRP=root, ...

(line beginning with default is all one long line)

This happened when there was no floppy at all in the drive. If I put a floppy without any packages on it into the drive, then I get additional errors complaining that it cannot find the packages on the floppy.

OK, it sure looks like I have something wrong with PKGPATH= but I cannot see what. Is it possibly because I did not put a line break just before LRP= ? Is there something else I should know but do not?

Thanks in advance for your help.
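The two constraints this thread places on the syslinux/isolinux `default` line (one physical line, at most 256 characters) and the difference between the two PKGPATH values quoted can be checked before a CD is burned. The following Python is an added example, not code from the thread or from syslinux/Bering; the three config texts are constructed from the lines quoted above, `LRP=root,etc,local` is a made-up completion of the truncated package list, and the keyword table and function names are this example's own.

```python
"""Checks on the 'default' line of a Bering syslinux/isolinux.cfg.

Added example, not code from the thread or from syslinux/Bering. The config
texts are constructed from the lines quoted in the thread; 'LRP=root,etc,local'
is a made-up completion of the truncated package list.
"""
from typing import Dict, List, Tuple

MAX_DEFAULT_LEN = 256   # limit Luis states in the thread

# Directives a syslinux config line may start with (enough for this check).
SYSLINUX_KEYWORDS = {"default", "display", "timeout", "label", "kernel", "append",
                     "prompt", "implicit", "serial", "say", "ontimeout", "allowoptions"}

WORKING_CFG = """\
display syslinux.dpy
timeout 0
default linux initrd=initrd.lrp init=/linuxrc rw root=/dev/ram0 boot=/dev/cdrom:iso9660 PKGPATH=/dev/cdrom LRP=root,etc,local
"""

FAILING_CFG = """\
display syslinux.dpy
timeout 0
default linux initrd=initrd.lrp init=/linuxrc rw root=/dev/ram0 boot=/dev/cdrom:iso9660 PKGPATH=/dev/cdrom:iso9660,/dev/fd0:msdos LRP=root,etc,local
"""

# Constructed: the same line broken in two, as an editor that wraps would save it.
WRAPPED_CFG = """\
display syslinux.dpy
timeout 0
default linux initrd=initrd.lrp init=/linuxrc rw root=/dev/ram0 boot=/dev/cdrom:iso9660
PKGPATH=/dev/cdrom LRP=root,etc,local
"""


def default_line(cfg: str) -> str:
    """Return the (single) line starting with 'default'."""
    for line in cfg.splitlines():
        if line.lower().startswith("default "):
            return line.rstrip()
    raise ValueError("no 'default' line found")


def parse_kernel_params(line: str) -> Dict[str, str]:
    """key=value pairs after 'default <kernel>'; bare flags such as 'rw' map to ''."""
    params: Dict[str, str] = {}
    for token in line.split()[2:]:
        key, sep, value = token.partition("=")
        params[key] = value if sep else ""
    return params


def parse_devices(spec: str) -> List[Tuple[str, str]]:
    """'/dev/cdrom:iso9660,/dev/fd0:msdos' -> [('/dev/cdrom', 'iso9660'), ('/dev/fd0', 'msdos')]."""
    devices = []
    for entry in spec.split(","):
        if entry:
            dev, _, fstype = entry.partition(":")
            devices.append((dev, fstype or "auto"))
    return devices


def check_default_line(cfg: str) -> List[str]:
    """Return one finding per issue; an empty list means nothing to report."""
    findings: List[str] = []
    for line in cfg.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        first = line.split(None, 1)[0].lower()
        if first not in SYSLINUX_KEYWORDS:
            findings.append(f"line {line.strip()!r} does not start with a syslinux keyword: "
                            f"part of a wrapped 'default' line?")
    line = default_line(cfg)
    if len(line) > MAX_DEFAULT_LEN:
        findings.append(f"default line is {len(line)} characters; limit is {MAX_DEFAULT_LEN}")
    params = parse_kernel_params(line)
    for required in ("initrd", "boot", "PKGPATH", "LRP"):
        if required not in params:
            findings.append(f"{required}= is missing from the default line")
    if "boot" in params and "PKGPATH" in params:
        boot_dev = params["boot"].partition(":")[0]
        extra = [dev for dev, _ in parse_devices(params["PKGPATH"]) if dev != boot_dev]
        if extra:
            findings.append(f"PKGPATH also searches {', '.join(extra)} besides the boot device {boot_dev}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("working", WORKING_CFG), ("failing", FAILING_CFG), ("wrapped", WRAPPED_CFG)):
        print(name, check_default_line(cfg) or ["ok"])
```

The wrapped variant is the case Luis warns about: the continuation shows up as a line that starts with no syslinux directive, and PKGPATH and LRP appear to be missing from the `default` line because they are no longer on it.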
RE: [leaf-user] Public IPs in DMZ with Proxy Arp
Ray - thanks again. Forgive me if I was unclear. I've got 5 Bering firewalls in production but this one is bringing a lot of new concepts my way.

> This doesn't deal with my uncertainty about the old setup. Was the old router able to handle the address xxx.xxx.xxx.142 or not?

Yes.

> That is, did it somehow (either as its own interface with port forwarding, or via proxy arp) make that address visible on the external interface, and could it route traffic going from the server using that address successfully?

Apparently so.

> If it didn't, then I'm missing a piece of the puzzle, which is possible.

I've not been on site where this firewall is installed, and I apologize to you for the boneheads on site if this is the case.

> Were the LAN servers we're talking about also plugged into this same switch? I suppose they must have been.

Yes they were.

> With that physical setup, and knowing as little about the configuration of the prior router as we seem to, I would not assume it was routing traffic to and from the other public addresses; the ISP may have been reaching them directly, without firewalling. It may only have been NAT'ing whatever private-address IPs were used by workstations ... the physical setup you (sort of) describe could do this, while not offering any firewalling or routing whatsoever to the public-address servers.

I never considered this, but this is probably exactly how it was working for the 27-30 public IPs (see below.)

> Even if you can't check the old router, can you check the old configurations of the servers? What did their routing tables look like? (If you feel you must conceal the actual addresses, please don't turn them into jabberwocky ... use some convention that lets us easily distinguish different hosts, gateway addresses, and netmasks.) Did they have the old router's internal IP address as their default gateway or the ISP gateway appropriate to each distinct network?

ISP gateway appropriate to each distinct network, with the exception of the FTP server. It is configured as follows:

    Public address 2A9.2B8.2C3.1D2
    mask           255.255.255.252
    gw             2A9.2B8.2C3.1D1
    internal       192.168.1.7

There is only one NIC in this box, and so apparently the old router did something (SNAT?) for this address. The other address range (the 26-30 addresses) is configured exactly as the external interface on the firewall, and is working in a proxy arp'ed DMZ. In fact, 26 is the firewall address.

> In the meantime, please figure out a way to conceal them that does not leave out information we need to know.

Hopefully the above is better. I can say that all these addresses are public and routable - no upstream NAT. I'm still trying to get access to the old router.

Thanks again for your help.

- Bob Coffman
RE: [leaf-user] Public IPs in DMZ with Proxy Arp
Tom,

Thanks for your assistance. It is much appreciated.

> Question 3: There is a public IP address that has a different gateway than the block of IP addresses currently in the DMZ. If I use SNAT with that IP, is there any way to specify a different gateway? I'm struggling to understand this part so if this makes no sense please ignore it.

TE> You're going to have to give us specifics before we can understand the question.

Ok, the network setup is this: They have public IP addresses in the range xx.xx.xx.26-xx.xx.xx.30 with masklen 29 and gateway xx.xx.xx.25. These are now in the DMZ. Additionally, they have a public IP address xxx.xxx.xxx.142 masklen 30 and gateway xxx.xxx.xxx.141. Apparently, with their old router (IPCHAINS based, but I don't have access to it) they had all these boxes sitting on their internal net and could reach them all externally or internally via the public IP. I'd like them all in the DMZ, however I don't know how to deal with this 141 address.

Thanks for any assistance.

- Bob Coffman
RE: [leaf-user] Public IPs in DMZ with Proxy Arp
Ray,

Thanks for the response. Answers/comments inline:

> Offhand, I cannot think of a way to do what you want to do. Control of gateway addresses is a function of the routing table, not of ipchains or iptables. But perhaps I'm missing something. It might help if you clarified a couple of things in your most recent posting. First, when you say the old router could reach them all externally or internally via the public IP, what is the IP you mean? Do you mean all 6 addresses were reachable via (probably) proxy arp? Or do you only mean the servers had reachable services via port forwarding? Or something else?

The machines I'm referring to had IPs in the same subnet (mask/gateway) as the external interface on the router. One thing I do know is that the old router had both interfaces plugged into the same switch, which is one of the things I'm trying to correct.

> Second, while I understand (though do not really sympathize with) your desire to keep the IP addresses themselves secret, we really do need to know the relationship between the xx.xx.xx in xx.xx.xx.25 and the xxx.xxx.xxx in xxx.xxx.xxx.141. Are they on the same /24, to be specific?

Once I'm up and firewalled properly I'll be happy to publish them :) Not same /24. Where I have xx above, it indicates two actual digits, and for the other, three. Anyway, here are the specifics:

    xx.xx.xx.26-30    subnet mask 248    gw xx.xx.xx.25
    xxx.xxx.xxx.142   subnet masklen 252 gw xxx.xxx.xxx.141

Traceroutes to both address types take the same path to their destination.

> If so, it *might* work to cheat ... let the router and *all* the servers use xx.xx.xx.25, or perhaps xxx.xxx.xxx.141, as their gateway. Incoming traffic will still (probably) flow through the separate gateways ... but IP-based routing is, by design, quite tolerant of using different routes in the different directions. (Actually, it might work to do this cheat even if the 2 networks are not part of the same /24; it depends on configuration decisions at the ISP's end.)

Understood. I will try it. Am I correct in saying that both of these addresses have to be reachable in 1 hop from the firewall??

> If you try this, you will need a route on the router to xxx.xxx.xxx.141, so it can receive traffic from that gateway and acknowledge it. But it need not be a gateway entry, just an ordinary route.

Ok.

> Finally, am I correct in inferring that these two external networks --- xx.xx.xx.24/29 and xxx.xxx.xxx.140/30 -- are on the same physical interface (eth0, I imagine) ... the same DSL or T1 or whatever? If they are on different interfaces, most of what I've said does not make sense for you ... and you'll have to give us those details to get good advice.

They are on the same interface, same T1, which is what made it confusing to me.

- Bob Coffman
RE: [leaf-user] Public IPs in DMZ with Proxy Arp
I've been poring through the docs and archives but can't seem to find the answer to these. I've got a setup similar to Tom's 3 interface example, but with public IPs in the DMZ and proxy arp set to allow access to them.

Question 1: If I want to firewall all but the necessary public services from the DMZ machines, should I be using SNAT rather than proxy arp? I guess I don't understand how shorewall interacts with proxy arp'ed machines, if at all.

Question 2: If using proxy arp, should clients on the internal network be able to access the DMZ machines by their public IP?

Question 3: There is a public IP address that has a different gateway than the block of IP addresses currently in the DMZ. If I use SNAT with that IP, is there any way to specify a different gateway? I'm struggling to understand this part so if this makes no sense please ignore it.

I apologize if this is covered somewhere. I've read the setup guide, Lynn Avant's proxy arp howto, and a lot of docs on the shorewall site but I'm still unclear on these points.

Thanks!

- Bob Coffman
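The questions running through this thread (a /29 block behind proxy ARP on the firewall's external interface, a second public /30 with its own gateway on the same wire, and whether both gateways must be one hop from the firewall) can be checked mechanically before anything is cabled. The following Python is an added example, not code from the thread or from Shorewall; it uses the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 in place of the xx.xx.xx and xxx.xxx.xxx addresses, and the host names, the Route/Firewall model and the wording of the findings are this example's own assumptions. The layout (firewall at .26 of a /29 with gateway .25, a separate /30 with gateway .141) follows the thread.

```python
"""Gateway-reachability checks for a proxy-ARP DMZ that carries public
addresses from two different subnets, as in the thread above.

Added example, not code from the thread or from Shorewall. The documentation
ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for the xx.xx.xx and
xxx.xxx.xxx blocks; host names, the Route/Firewall model and the finding
wording are this example's own assumptions.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass
class Route:
    dest: Net
    dev: str
    via: Optional[IPv4] = None   # None = on-link route (no gateway), Ray's "ordinary route"


@dataclass
class Firewall:
    interfaces: Dict[str, List[str]]           # dev -> ["addr/prefix", ...]
    routes: List[Route] = field(default_factory=list)

    def connected_nets(self):
        """Yield (dev, network) for every address configured on an interface."""
        for dev, addrs in self.interfaces.items():
            for a in addrs:
                yield dev, ipaddress.ip_interface(a).network

    def one_hop(self, addr: IPv4) -> Optional[str]:
        """Interface through which addr is directly reachable (connected subnet
        or on-link route), or None if the firewall would need a gateway itself."""
        for dev, net in self.connected_nets():
            if addr in net:
                return dev
        for r in self.routes:
            if r.via is None and addr in r.dest:
                return r.dev
        return None


@dataclass
class DmzHost:
    name: str
    address: str    # "addr/prefix" exactly as configured on the server
    gateway: str    # default gateway configured on the server


def check_dmz(fw: Firewall, external: str, hosts: List[DmzHost]) -> List[str]:
    """Return one finding per problem; an empty list means the plan is consistent."""
    findings = []
    for h in hosts:
        iface = ipaddress.ip_interface(h.address)
        gw = ipaddress.ip_address(h.gateway)
        # The server must be able to ARP for its own gateway.
        if gw not in iface.network:
            findings.append(f"{h.name}: gateway {gw} is outside {iface.network}; "
                            f"the server cannot ARP for it without an on-link route")
        # The firewall forwards the server's replies towards that gateway, so it
        # needs a direct path to it on the external interface.
        dev = fw.one_hop(gw)
        if dev is None:
            findings.append(f"{h.name}: firewall has no direct path to gateway {gw}; "
                            f"add an on-link route to {iface.network} on {external}")
        elif dev != external:
            findings.append(f"{h.name}: gateway {gw} is reached via {dev}, not {external}")
    return findings


def example() -> List[str]:
    # Constructed layout following the thread: firewall holds .26 of a /29
    # (gateway .25) on eth0; a second public /30 (gateway .141) on the same wire.
    fw = Firewall(interfaces={"eth0": ["203.0.113.26/29"],
                              "eth1": ["192.168.1.254/24"],
                              "eth2": ["192.168.2.254/24"]})
    hosts = [DmzHost("www", "203.0.113.27/29", "203.0.113.25"),
             DmzHost("ftp", "198.51.100.142/30", "198.51.100.141")]
    before = check_dmz(fw, "eth0", hosts)
    fw.routes.append(Route(Net("198.51.100.140/30"), "eth0"))   # the route Ray suggested
    after = check_dmz(fw, "eth0", hosts)
    return before + ["--- after adding on-link route ---"] + after


if __name__ == "__main__":
    print("\n".join(example()))
```

Without the extra route the only finding is for the /30 host: its gateway is not inside any subnet the firewall has on eth0, so the firewall cannot hand replies to it directly. Adding the on-link route for the /30 on eth0 clears it, which is the "ordinary route, not a gateway entry" Ray describes. Pointing the /30 host at the /29's gateway instead (the "cheat") produces the first kind of finding, because that host could not ARP for a gateway outside its own subnet.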
RE: [leaf-user] Address block 82.0.0.0/8
There is an updated RFC1918 file at http://shorewall.net/pub/shorewall/errata/1.4.8/rfc1918

- Bob Coffman

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Giovanni Franza
Sent: Thursday, February 05, 2004 10:32 AM
To: [EMAIL PROTECTED]
Subject: [leaf-user] Address block 82.0.0.0/8

Hello,

This is only for information. I'm using LEAF 1.0 stable. In the shorewall RFC1918 listings (menu 3, 6, 18) I see that 82.0.0.0/7 is blacklisted. IANA has now assigned 82.0.0.0/8 to RIPE, which has assigned some net numbers (for example 82.89 to Telecom Italia), so with this row enabled some people are locked out. I've simply commented it out (quite raw, I know).

Best regards
Giovanni Franza
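Giovanni's observation generalises: any bogon or reserved-space list hard-coded into a firewall goes stale as the registries allocate new blocks, and the failure mode is silently dropped legitimate traffic rather than a security gap. The following Python is an added example, not code from the post or from Shorewall; it parses a file constructed in the Shorewall 1.4 rfc1918 format, finds entries that overlap space known to be allocated (here the 82.0.0.0/8 assignment from the post), and computes the narrowed prefix that keeps the rest of the entry in force instead of commenting the whole row out. The rows other than 82.0.0.0/7 are the genuine RFC 1918 ranges and must come through untouched.

```python
"""Find entries in a Shorewall-style rfc1918 list that now cover allocated
address space, and compute the narrowed replacement prefix.

Added example, not code from the post or from Shorewall. RFC1918_FILE is
constructed in the format of the Shorewall 1.4 rfc1918 file: the 82.0.0.0/7
row and the 82.0.0.0/8 allocation come from the post, the other rows are the
genuine RFC 1918 ranges and must survive the rewrite untouched.
"""
import ipaddress
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network

RFC1918_FILE = """\
#SUBNETS        TARGET
10.0.0.0/8      logdrop
172.16.0.0/12   logdrop
192.168.0.0/16  logdrop
82.0.0.0/7      logdrop
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""

# Space known to be allocated since the list was written (from the post).
ALLOCATED: List[Net] = [Net("82.0.0.0/8")]


def parse_rfc1918(text: str) -> List[Tuple[Net, str]]:
    """Rows of (network, target); comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            subnet, target = line.split()[:2]
            entries.append((Net(subnet), target))
    return entries


def stale_entries(entries: List[Tuple[Net, str]], allocated: List[Net]) -> Dict[Net, List[Net]]:
    """Map every entry overlapping allocated space to the prefixes that should
    replace it (the entry with the allocated blocks carved out)."""
    result: Dict[Net, List[Net]] = {}
    for net, _target in entries:
        hits = [a for a in allocated if net.overlaps(a)]
        if not hits:
            continue
        remaining = [net]
        for a in hits:
            carved = []
            for r in remaining:
                if not r.overlaps(a):
                    carved.append(r)                      # untouched by this allocation
                elif a.subnet_of(r):
                    carved.extend(r.address_exclude(a))   # keep the rest of r
                # else a covers all of r: r disappears
            remaining = carved
        result[net] = sorted(remaining)
    return result


def rewrite(text: str, allocated: List[Net]) -> str:
    """The file with stale rows replaced by their narrowed prefixes; everything
    else, comments included, is kept verbatim."""
    stale = stale_entries(parse_rfc1918(text), allocated)
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            subnet, target = line.split()[:2]
            if Net(subnet) in stale:
                out.extend(f"{str(repl):<15} {target}" for repl in stale[Net(subnet)])
                continue
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(rewrite(RFC1918_FILE, ALLOCATED))
```

For the constructed file the 82.0.0.0/7 row becomes 83.0.0.0/8: the half that is still unallocated stays filtered, while the RIPE block is no longer dropped. An allocation that covers an entry completely removes that row.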
RE: [leaf-user] Bering with Shorewall compromised ?
4 Bering 1.2 firewalls in production, starting about a year ago; the latest went in this past summer. No compromises.

I do have an interesting problem running Bering on VMWare. If anyone is interested I'll repost the details with new information. I'm not sure how to fix it as it appears to me to be a bug in VMWare bridged networking. The same configuration on a physical machine works fine - but running Bering on VMWare is a joy.

- Bob Coffman

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of franco segna
Sent: Tuesday, December 23, 2003 3:21 AM
To: Leaf-User
Subject: [leaf-user] Bering with Shorewall compromised ?

Hi all, for statistical purposes only I'd like to know if someone actually experienced compromises or intrusions running Shorewall over Bering. I'm currently running five B/S floppy-based firewalls (frequently updated) followed by various NIDS. Due to the rather critical missions involved, all the logs are carefully parsed every morning. After two years of ADSL connections (static IPs) to the Internet, with extensive VPNing, I have not one single piece of evidence of compromise.

Thanks for any answer and (if applicable) details

Franco
-- 
Franco Segna - [EMAIL PROTECTED]
RE: [leaf-user] Re: PPPoE without username and password
I didn't think of this when you first posted. My ISP limits each cable modem to pulling 1 or 2 addresses at a time. If you don't know what was going on, you would swear your DHCP client or NIC was malfunctioning...

- Bob Coffman

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of and hansen
Sent: Thursday, December 11, 2003 5:35 AM
To: [EMAIL PROTECTED]
Subject: [leaf-user] Re: PPPoE without username and password

Hello again

I turned off my modem over night, and now it all runs perfectly; pump gets its address. Thanks..!

I wasn't able to get an IP under win2000 on a third MAC address either, so powering off the modem over night released this DHCP trust.

Regards
Lasse
RE: [leaf-user] dnscache
Nothing in your config sounds incorrect, but here is what I did:

1. Changed the LRP box internal IP.
2. Changed the querying hosts IP (actually this may be the default, but I'm using a 192.168 address) to 192.168.
3. I have logging disabled (it's working so I don't need it).
4. I have forwardonly enabled.
5. Set my ISP's DNS servers (definitely double check this).
6. I added the following to shorewall rules:

    ACCEPT   fw    net   tcp   53
    ACCEPT   fw    net   udp   53
    ACCEPT   loc   fw    udp   53

Try running nslookup to see if your machine is answering:

    nslookup
    server yourserversIP
    www.amazon.com
    Server:  myreallyrockinrouter.mydomain.com
    Address:  192.168.2.1

    Non-authoritative answer:
    Name:    www.amazon.com
    Address:  207.171.181.16

Hope this helps.

- Bob Coffman

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of ALParada
Sent: Thursday, November 06, 2003 8:36 PM
To: [EMAIL PROTECTED]
Subject: [leaf-user] dnscache

Hello,

I am running Bering with dnscache. Either I don't understand how a caching server works, or I missed something in the configuration. Dnscache is running because I verified it with ps aux. I however can't resolve any names. I changed the internal IP address under option 1. Set option 4 to yes and option 5 with my ISP DNS servers. I added an "accept loc fw udp 53" under shorewall rules. I also allowed access to the net from the fw. What am I forgetting? Does dnscache need something like tinydns to work? There is also no /var/log/dnscache which I keep seeing references to. Any help would be appreciated.

TIA