Re: [leaf-user] Multiple ISP redundancy

2009-01-23 Thread Ronny Aasen
On Tue, 2009-01-20 at 13:02 -0600, Trev Peterson wrote:
 Hello,
 
 I'm trying to see if there is a config guide / example / howto for
 setting up bering uclibc (2.4.2) for multiple ISP connections with
 auto-failover should one link go down.  I've checked leaf and shorewall
 documentation but I don't have a clear picture on how this should be
 done.  If anyone knows of a guide to do this please reply with a link.
 
 Any information on how shorewall 3.0.9 interaction between routing and
 the shorewall multiple providers feature is also sought.  I am
 considering using quagga (zebra) or some custom bash scripts that alter
 the routing table directly but am not sure how this will affect
 shorewall (NAT, interface selection, etc).  Should I go with a custom
 script I will make it available once it is tested.
 
 Any help is appreciated.  Thanks, 

quagga [1] is a suite; with it you can run RIP, BGP, OSPF, etc. Usually BGP
is used for peering with an ISP, but this does require that your ISP
supports it.

With quagga and a kernel compiled with multipath (they were, last time I
set one up) you can get multiple paths to the same prefix.


A different approach that does not require the aid of your ISP is to
configure two interfaces with separate routing tables, and a third main
routing table [2]. I also use a Debian example [3]; not sure if that is
100% Bering compatible.

You can then fail down the interface by pinging your ISPs through that
specific interface, and removing the entry for that ISP's interface in
your main routing table when it's down.


[1] http://wiki.quagga.net/
[2] http://lartc.org/howto/lartc.rpdb.multiple-links.html
[3] http://yellowpigs.net/computers/multiple_subnets

Good luck

Ronny Aasen
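Added example, not from Ronny's post or the LEAF project: a POSIX shell monitor for the second approach above (one routing table per ISP plus the main table, each link probed with ping pinned to its own interface, and the main default route rewritten when a link changes state). Interface names, addresses, table ids and probe targets are assumptions; the per-ISP tables follow the LARTC howto [2]. The two-nexthop form needs a multipath-capable kernel, as the post says; the single-nexthop form works on any 2.4 kernel. The ping -W option is also assumed to exist (busybox and iputils both have it).

```sh
#!/bin/sh
# Dual-ISP failover for a LEAF/Bering router (added example, not from the
# original post). All addresses, interface names and table ids below are
# assumptions; replace them with your own.
#   ISP A: eth1, our address 192.0.2.2,     gateway 192.0.2.1,     table 10
#   ISP B: eth2, our address 198.51.100.2,  gateway 198.51.100.1,  table 20
ISPA_IF=eth1; ISPA_IP=192.0.2.2;     ISPA_GW=192.0.2.1;     ISPA_TBL=10
ISPB_IF=eth2; ISPB_IP=198.51.100.2;  ISPB_GW=198.51.100.1;  ISPB_TBL=20
# Probe targets: the ISP gateways themselves, or a host beyond them if the
# gateway does not answer ping.
ISPA_PROBE=$ISPA_GW; ISPB_PROBE=$ISPB_GW

# setup_tables: the per-provider tables from the LARTC howto. Traffic sourced
# from an ISP's own address always leaves via that ISP, whatever the main
# table's default route says, so inbound sessions survive a failover.
setup_tables() {
    ip route add default via "$ISPA_GW" dev "$ISPA_IF" table "$ISPA_TBL"
    ip rule add from "$ISPA_IP" table "$ISPA_TBL"
    ip route add default via "$ISPB_GW" dev "$ISPB_IF" table "$ISPB_TBL"
    ip rule add from "$ISPB_IP" table "$ISPB_TBL"
}

# link_up IFACE PROBE -> 0 if PROBE answers through IFACE. -I pins the
# outgoing interface so the healthy ISP cannot mask the dead one.
link_up() {
    ping -I "$1" -c 3 -W 2 "$2" >/dev/null 2>&1
}

# default_route STATE_A STATE_B -> the argument string for the main table's
# default route, given "up" or "down" per link: both nexthops when both are
# up (needs a multipath-capable kernel), one when only one is, empty when
# neither is (then the table is left alone rather than emptied).
default_route() {
    if [ "$1" = up ] && [ "$2" = up ]; then
        echo "nexthop via $ISPA_GW dev $ISPA_IF weight 1 nexthop via $ISPB_GW dev $ISPB_IF weight 1"
    elif [ "$1" = up ]; then
        echo "via $ISPA_GW dev $ISPA_IF"
    elif [ "$2" = up ]; then
        echo "via $ISPB_GW dev $ISPB_IF"
    else
        echo ""
    fi
}

# apply_route STATE_A STATE_B -> rewrite the main default route in one step.
# "replace" is atomic, so there is never a moment with no default route.
apply_route() {
    route=$(default_route "$1" "$2")
    if [ -z "$route" ]; then
        logger -t isp-failover "both links down, main table left unchanged"
        return 1
    fi
    # $route is left unquoted on purpose so it word-splits into arguments.
    ip route replace default table main $route
    ip route flush cache 2>/dev/null
    logger -t isp-failover "main default route: $route"
}

# Only the "monitor" argument starts the loop; sourcing the file just
# defines the functions above.
if [ "${1:-}" = monitor ]; then
    prev=""
    while :; do
        if link_up "$ISPA_IF" "$ISPA_PROBE"; then sa=up; else sa=down; fi
        if link_up "$ISPB_IF" "$ISPB_PROBE"; then sb=up; else sb=down; fi
        # Touch the routing table only on a state change.
        [ "$sa/$sb" = "$prev" ] || apply_route "$sa" "$sb"
        prev="$sa/$sb"
        sleep 10
    done
fi
```

Run setup_tables once at boot (after the interfaces are up), then start the script with the monitor argument from an init script. Shorewall's own masquerading rules are keyed on the outgoing interface, so with both ISP interfaces listed in the masq file a flow keeps being NATed correctly whichever interface the main table currently prefers; what the script never does is delete the per-ISP tables, which is what keeps the dead link from black-holing sessions that arrived on the healthy one.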


--
This SF.net email is sponsored by:
SourcForge Community
SourceForge wants to tell your story.
http://p.sf.net/sfu/sf-spreadtheword

leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/


Re: [leaf-user] LEAF on hp R Class Server

2007-05-29 Thread Ronny Aasen
On Thu, 2007-05-24 at 19:31 +0530, ram wrote:
 Hi
 
 I have some old HP R Class Server
 
 does this LEAF support this servers

Afraid not.

I think your best bet would be Debian's hppa arch,
or proprietary HP-UX if you have a licence for it :)

Most of the tools you're familiar with from LEAF are available in Debian
too, but you won't have the nice lrcfg menu to navigate the config files.

Ronny Aasen





Re: [leaf-user] Does Leaf works on VMWARE

2007-04-03 Thread Ronny Aasen
On Sun, 2007-04-01 at 16:06 -0700, Andrew Nagy wrote:
 
  
  Hi
  
  iam using VMWARE Server
  
  but when i mount ISO image and try to install
  
  its says Boot error and hangs.
  
  
  ram
 
 
 I get the same thing too, just Boot error and nothing else. I am
 using
 VMware Server 1.0.2.
 
 
 

I use it successfully, but I have to use a floppy.img for boot+config
and the ISO only for packages. I think VMware has problems with the
isolinux used on the LEAF CD.

Or, more commonly, I use a tiny 30MB IDE HD .img file.






Re: [leaf-user] openswan bering vs bering-uclibc

2006-06-28 Thread Ronny Aasen
On Tue, 2006-06-27 at 13:34 +, Erich Titl wrote:
 Hi Folks
 
 sorry for chiming in just like that.

The more the better :)

 
 Please consider that the implementation of *swan 1.x vs. *swan 2.x has 
 major differences, especially in the field of oportunistic encryption. 
 One would expect that the major components of freeswan remained the same 
 especially the time consuming crypto stuff. IMHO the only real 
 comparison for Bering uclibc would be to provide an old freeswan 
 implementation.
 
 Being in the process of changing a substantial number of Bering boxes to 
 a new Bering uClibc, most of then running freeswan, I am most interested 
 in the numbers presented here.
 

I'll post more numbers as they become available.

Ronny




Re: [leaf-user] openswan bering vs bering-uclibc

2006-06-28 Thread Ronny Aasen
On Tue, 2006-06-27 at 17:00 +0200, Cédric Schieli wrote:
 Hello Ronny,
 
 
 I have a similar setup to test for one of our customer :
 
 clients : Bering-uClibc with 2.4.20 kernel, Super FreeS/WAN 1.99.6.2,
 Soekris net4501 hardware (Elan 133Mhz/64 Mb RAM) 
 hub : Bering-uClibc with 2.4.32 kernel, Openswan 2.4.5 (2.4.4 is
 buggy), P4 2GHz

Where did you locate this 2.4.5 lrp package? Or do you roll your own?
Could you perhaps lend me this package? :)

 There are ~70 clients connected, current hub is 2.4.20/1.99.6.2 and
 will be upgraded next month.
 
 My main task for this week is to test performance of this setup, so
 I'll post figures as soon as possible. 

Looking forward to that :)

Ronny




Re: [leaf-user] openswan bering vs bering-uclibc

2006-06-28 Thread Ronny Aasen
On Wed, 2006-06-28 at 09:02 +0200, Eric Spakman wrote:
 Hello Ronny, Cedric,
 
 I did update the package and kernel module yesterday (but the package page
 is not updated yet). The location is:
 
 http://leaf.cvs.sourceforge.net/leaf/bin/packages/uclibc-0.9/20/
 for the package, and:
 http://leaf.cvs.sourceforge.net/leaf/bin/bering-uclibc/packages/
 for the kernel tarball with the new ipsec module.

Thanks to both of you for providing openswan 2.4.5.
The good news is that it's better than openswan 2.4.4, but still a bit
slower than freeswan.


New openswan 2.4.5 test through the tunnel
[local ws]---[openswan]===(internett)===[freeswan][remote-ws]
[  3]  0.0-10.0 sec  7.37 MBytes  6.18 Mbits/sec
[  3]  0.0-10.0 sec  7.38 MBytes  6.16 Mbits/sec
[  3]  0.0-10.0 sec  7.31 MBytes  6.13 Mbits/sec
[  3]  0.0-10.0 sec  7.32 MBytes  6.14 Mbits/sec
[  3]  0.0-10.0 sec  7.37 MBytes  6.18 Mbits/sec
[  3]  0.0-10.0 sec  7.38 MBytes  6.18 Mbits/sec

New openswan router test outside the tunnel, using a DNAT rule on the remote
router. Varies a bit because of the remote usage and wireless.
[local ws]---[openswan_masq]---(internett)---[fw-DNAT]--[remote ws]
[  3]  0.0-10.0 sec  10.1 MBytes  8.45 Mbits/sec
[  3]  0.0-10.0 sec  9.39 MBytes  7.88 Mbits/sec
[  3]  0.0-10.0 sec  9.40 MBytes  7.86 Mbits/sec
[  3]  0.0-10.0 sec  9.70 MBytes  8.13 Mbits/sec
[  3]  0.0-10.0 sec  9.70 MBytes  8.12 Mbits/sec
[  3]  0.0-10.0 sec  9.74 MBytes  8.16 Mbits/sec
[  3]  0.0-10.0 sec  9.45 MBytes  7.93 Mbits/sec
[  3]  0.0-10.0 sec  9.46 MBytes  7.92 Mbits/sec


This is my old setup, freeswan vs freeswan
[local ws]---[freeswan]===(internett)===[freeswan][remote-ws]
[  3]  0.0-10.0 sec  8.30 MBytes  6.96 Mbits/sec
[  3]  0.0-10.0 sec  8.59 MBytes  7.20 Mbits/sec
[  3]  0.0-10.0 sec  8.57 MBytes  7.18 Mbits/sec
[  3]  0.0-10.0 sec  8.72 MBytes  7.28 Mbits/sec
[  3]  0.0-10.0 sec  8.60 MBytes  7.21 Mbits/sec
[  3]  0.0-10.1 sec  7.56 MBytes  6.30 Mbits/sec

Test outside of the tunnel using the old freeswan router
[local ws]---[freeswan_masq]---(internett)---[fw-DNAT]--[remote ws]
[  3]  0.0-10.0 sec  9.32 MBytes  7.82 Mbits/sec
[  3]  0.0-10.0 sec  9.33 MBytes  7.81 Mbits/sec
[  3]  0.0-10.0 sec  9.12 MBytes  7.65 Mbits/sec
[  3]  0.0-10.0 sec  9.13 MBytes  7.64 Mbits/sec
[  3]  0.0- 5.7 sec  5.34 MBytes  7.84 Mbits/sec
[  3]  0.0-10.0 sec  9.48 MBytes  7.95 Mbits/sec
[  3]  0.0-10.0 sec  9.48 MBytes  7.96 Mbits/sec


My thoughts:
1. The main limit is the remote site's wireless internet connection;
   the local site has a 100mbit LAN to the internet, same ISP.
2. The new router has better throughput outside of the tunnel than the old one.
3. Openswan has about ~1 Mbit less throughput than freeswan.
4. But 2.4.5 seems better than 2.4.4, which had ~4-5 in throughput.


Ronny




Re: [leaf-user] openswan bering vs bering-uclibc

2006-06-27 Thread Ronny Aasen
  greetings
 
  i have a working bering 2.4.18 FreeS/WAN 1.98b tunnel working nicely
  between a hub and a few remotes working
 
  now i am tring to replace the hub, becouse we want to use openvpn for some
  roaming clients.
 
  so i  replace the 1 Ghz 128MB machine at the hub with a 2.4Ghz 256MB one
  with bering uclibc 2.4.32 and openswan 2.4.4, much more powerfull
  hardware.
 
  all the tunnels comes back as expected and traffic flows. problem is that
  the speed drops by ~half, and the previous usable link becomes almost
  unusable for the applications.
 
  is there any workaround for this ? is it becouse of the uclibc and it's
  size before performance ? or may it be the kernels fault ?
 
  basicaly what im asking is should i use bering instead of bering uclibc,
  or would a custom kernel solve my issues ?
 
 
 
  --
  Ronny Aasen [EMAIL PROTECTED]
 


 Hello Ronny,
 
 This has nothing todo with uclibc and it's size before performance but
 it's probably a configuration issue either in shorewall or openswan.
 
 Do you see any strange messages in your logs or in the output of
 shorewall hits?
 
 Eric

Thank you for the swift reply.

freeswan is the old bering 2.4.18 box, openswan is the new bering uclibc
2.4.32 box.

I am testing with iperf:
freeswan to freeswan sees 7-8 Mbits/sec; that's close to the max available
across the remote wireless link.
freeswan to openswan I see 3-4 Mbits/sec, about half of what I expected.

I see nothing out of the ordinary in /var/log/*. shorewall hits shows
nothing that's from any of the internal networks or my public IPs; the only
hits I see are from the background noise of the net.

My auth.log on the new openswan contains

Jun 27 06:14:55 ServNetgw pluto[305]: PgptoServ #26: STATE_MAIN_R2:
sent MR2, expecting MI3
Jun 27 06:14:55 ServNetgw pluto[305]: PgptoServ #26: Main mode peer ID
is ID_IPV4_ADDR: '217.17.211.148'
Jun 27 06:14:55 ServNetgw pluto[305]: PgptoServ #26: I did not send a
certificate because I do not have one.
Jun 27 06:14:55 ServNetgw pluto[305]: PgptoServ #26: transition from
state STATE_MAIN_R2 to state STATE_MAIN_R3
Jun 27 06:14:55 ServNetgw pluto[305]: PgptoServ #26: STATE_MAIN_R3:
sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
Jun 27 06:14:55 ServNetgw pluto[305]: PgptoServ #27: responding to
Quick Mode {msgid:1387871e}
Jun 27 06:14:55 ServNetgw pluto[305]: PgptoServ #27: transition from
state STATE_QUICK_R0 to state STATE_QUICK_R1
Jun 27 06:14:55 ServNetgw pluto[305]: PgptoServ #27: STATE_QUICK_R1:
sent QR1, inbound IPsec SA installed, expecting QI2
Jun 27 06:14:56 ServNetgw pluto[305]: PgptoServ #27: transition from
state STATE_QUICK_R1 to state STATE_QUICK_R2
Jun 27 06:14:56 ServNetgw pluto[305]: PgptoServ #27: STATE_QUICK_R2:
IPsec SA established {ESP=0xd9a690e6 0x85deba70 xfrm=3DES_0-HMAC_MD5
NATD=none DPD=none}


The freeswan box:
Jun 26 18:04:28 pgpGw pluto[20193]: pgp-to-test #3: initiating Main
Mode
Jun 26 18:04:28 pgpGw pluto[20193]: pgp-to-test #3: ignoring Vendor ID
payload
Jun 26 18:04:28 pgpGw pluto[20193]: pgp-to-test #3: ignoring Vendor ID
payload
Jun 26 18:04:28 pgpGw pluto[20193]: pgp-to-test #3: Peer ID is
ID_IPV4_ADDR: '217.17.211.4'
Jun 26 18:04:28 pgpGw pluto[20193]: pgp-to-test #3: ISAKMP SA
established
Jun 26 18:04:28 pgpGw pluto[20193]: pgp-to-test #4: initiating Quick
Mode PSK+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK
Jun 26 18:04:28 pgpGw pluto[20193]: pgp-to-test #4: sent QI2, IPsec SA
established

I read this as "works as expected".

In shorewall zones I did
ipsec ipv4
I did _NOT_ do
ipsec ipsec

since that gave me an error about policy match support in the kernel.
Could this cause the slowdown?

I configured the ipsec endpoints in tunnels as normal.
ipsec   net 217.17.211.144



Here is my freeswan config

config setup
interfaces=%defaultroute
klipsdebug=none
plutodebug=none
plutoload=%search
plutostart=%search
uniqueids=yes

conn pgp-to-test
left=217.17.211.148
leftsubnet=10.0.1.0/24
leftnexthop=217.17.211.129
right=217.17.211.4
rightsubnet=10.0.10.0/24
rightnexthop=217.17.211.1
auto=start
authby=secret

And my openswan config

version 2.0

config setup
plutodebug=none
klipsdebug=none

conn Pgp-to-test
left=217.17.211.148
leftsubnet=10.0.1.0/24 
leftnexthop=217.17.211.129
right=217.17.211.4
rightsubnet=10.0.10.0/24 
rightnexthop=217.17.211.1
auto=start
authby=secret

The same config (minus version 2.0) works fine in a freeswan to freeswan setup.


Hope someone has a clue as to what's causing this.
Thanks

-- 
Ronny Aasen [EMAIL PROTECTED]



Re: [leaf-user] openswan bering vs bering-uclibc

2006-06-27 Thread Ronny Aasen
Typo in my last email: the tunnels file does have the correct IP,
217.17.211.148




Re: [leaf-user] openswan bering vs bering-uclibc

2006-06-27 Thread Ronny Aasen
On Tue, 2006-06-27 at 09:36 +0200, Eric Spakman wrote:
 Hi Ronny,
 
  thank you for the switft reply.
 
  freeswan is the old bering 2.4.18 box, openswan is the new bering uclibc
  2.4.32 box
 
 
  i am testing with iperf: freeswan to freeswan see 7-8 Mbits/sec that's
  close to max available across the remote wireless link. freeswan to
  openswan i see 3-4 Mbits/sec about half of what i expected.
 
  i see nothing out of the ordinary in var/logs/*. shorewall hits shows
  nothing that's from any of the internal networks or my public ip's. only
  hits i see are from the background noise of the net.
 
  my auth.log on the new openswan contains
 
 snip
 
  i read this as works as expected,
 
 Me too ;)
 
  in shorewall zones i did ipsec ipv4 i did _NOT_ do ipsec ipsec
 
  Since that gave me a error about policy match support in the kernel.
  could this couse the slowdown ?
 
 I don't think so...
 
 snip
 
  same config (- version 2.0) works fine in a freeswan to freeswan setup.
 
 
  hope someone have a clue to what's cousing this. thanks
 
 Did you test the Bering-uClibc setup (openswan to freeswan) and the second
 Bering (freeswan to freeswan) setup on the same hardware? It could be a
 NIC issue.
 
 Someone else on the list with an openswan setup that can do some
 performance testing?
 
 Eric
 

No, I have not tested that, since I can not remove the old hardware before
this new box works.
But I have tested iperf outside the tunnel (using a DNAT rule in the
remote shorewall) through both the old and new hardware.

And then the new box performs just as well as, and often slightly better
than, the old one.
Also tests on local ethernet show ~99 Mbit throughput through both old and
new box.

I only notice the speed reduction when I go through the openswan tunnel.
I think that means it can't be a shorewall or NIC issue, but perhaps an
openswan issue. Are there any differences in the default crypto
performance 2.4.18 vs 2.4.32, or in the crypto used in freeswan vs
openswan? I thought both used 3DES+MD5.


Ronny
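Added example, not from the thread or the *swan projects: a small shell check that pulls the negotiated IKE and IPsec parameters out of pluto's auth.log, so the "did both ends really use 3DES+MD5" question is answered from what was negotiated rather than from the config files. The sample lines are the ones posted earlier in this thread, rejoined onto single lines; on the box you would point the functions at /var/log/auth.log. The FreeS/WAN 1.x lines quoted above print "ISAKMP SA established" without the algorithm set, so for that end the log alone cannot confirm the ciphers, and the functions deliberately print nothing for it rather than guessing.

```sh
#!/bin/sh
# Extract negotiated IKE/IPsec parameters from pluto log lines (added
# example, not from the original thread). The sample below is the log
# excerpt posted in the thread, with each wrapped entry joined back onto
# one line; feed /var/log/auth.log in place of the temp file on a real box.
SAMPLE_LOG='Jun 27 06:14:55 ServNetgw pluto[305]: PgptoServ #26: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
Jun 27 06:14:56 ServNetgw pluto[305]: PgptoServ #27: STATE_QUICK_R2: IPsec SA established {ESP=0xd9a690e6 0x85deba70 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
Jun 26 18:04:28 pgpGw pluto[20193]: pgp-to-test #3: ISAKMP SA established
Jun 26 18:04:28 pgpGw pluto[20193]: pgp-to-test #4: sent QI2, IPsec SA established'

# ike_params LOGFILE -> one "conn cipher prf group" line per ISAKMP SA that
# logged its proposal in braces (Openswan 2.x does; FreeS/WAN 1.x does not,
# so those SAs produce no line here, which is itself worth noticing).
ike_params() {
    sed -n 's/^.*pluto\[[0-9]*\]: \([^ ]*\) #[0-9]*: .*ISAKMP SA established {.*cipher=\([^ }]*\) .*prf=\([^ }]*\) .*group=\([^ }]*\)}.*$/\1 \2 \3 \4/p' "$1"
}

# esp_params LOGFILE -> one "conn xfrm" line per IPsec SA that logged its
# ESP transform (cipher and integrity algorithm actually used on the wire).
esp_params() {
    sed -n 's/^.*pluto\[[0-9]*\]: \([^ ]*\) #[0-9]*: .*IPsec SA established {.*xfrm=\([^ }]*\).*}.*$/\1 \2/p' "$1"
}

# sa_summary LOGFILE -> "ike:N esp:M", the number of phase 1 and phase 2 SAs
# that came up; compare with the number of tunnels you expect.
sa_summary() {
    ike=$(grep -c 'ISAKMP SA established' "$1")
    esp=$(grep -c 'IPsec SA established' "$1")
    echo "ike:$ike esp:$esp"
}

# Demo on the embedded sample when run with the "demo" argument.
if [ "${1:-}" = demo ]; then
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$tmp"
    ike_params "$tmp"
    esp_params "$tmp"
    sa_summary "$tmp"
    rm -f "$tmp"
fi
```

Run it on both hubs' logs and diff the output: a different cipher, PRF, Diffie-Hellman group or ESP transform on one end is a negotiated-parameter difference, not a hardware one, and would show up here before any iperf run.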




Re: [leaf-user] openswan bering vs bering-uclibc

2006-06-27 Thread Ronny Aasen
On Tue, 2006-06-27 at 10:18 +0200, Eric Spakman wrote:
 Hello Ronny,
 
  No i have not tested that since i can not remove the old hardware before
  this new box works. but i have tested iperf outside the tunnel (using a
  dnat rule in the remote shorewall) tru both the old and new hardware.
 
  and then the new box performs just as well, and often sligthly better then
  the old one. also tests on local ethernet shows ~99 mbit thruput thru both
  old and new box.
 
  i only notice the speed reduction when i go thru the openswan tunnel. i
  think that means it can't be a shorewall or nic issue, but perhaps a
  openswan issue. are there any difference in the default crypto performance
  2.4.18 vs 2.4.32 or the crypto used in freeswan vs
  openswan ? i thougth both used 3des+md5
 
 There are no differences in performance that I know of, also openswan is
 based on freeswan and uses the same underlying core.
 Maybe the old NIC has some sort of hardware crypto support (maybe I'm
 talking rubish here ;)


Same NICs, same driver in the kernel :)
Thanks for all your help anyway, it's greatly appreciated.

Seems it wasn't an easy answer after all :/

I'm going to configure a second openswan box and test openswan to
openswan to see if there is a difference, since how it is now it's plain
useless.

Ronny






[leaf-user] openswan bering vs bering-uclibc

2006-06-26 Thread Ronny Aasen
Greetings

I have a working bering 2.4.18 FreeS/WAN 1.98b tunnel working nicely
between a hub and a few remotes.

Now I am trying to replace the hub, because we want to use openvpn for
some roaming clients.

So I replaced the 1 GHz 128MB machine at the hub with a 2.4GHz 256MB one
with bering uclibc 2.4.32 and openswan 2.4.4, much more powerful
hardware.

All the tunnels come back as expected and traffic flows.
Problem is that the speed drops by ~half, and the previously usable link
becomes almost unusable for the applications.

Is there any workaround for this?
Is it because of uclibc and its "size before performance"?
Or may it be the kernel's fault?

Basically what I'm asking is: should I use bering instead of bering uclibc,
or would a custom kernel solve my issues?



-- 
Ronny Aasen [EMAIL PROTECTED]




Re: [leaf-user] tc.lrp loading but can't create rules - still have probs

2005-09-05 Thread Ronny Aasen
On Fri, 2005-09-02 at 10:16 -0500, [EMAIL PROTECTED] wrote:
  On Fri, 2005-09-02 at 08:14 -0500, [EMAIL PROTECTED] wrote:
  
   The reason I ask if I need more modules, is that it's obvious that all
   the traffic control stuff does not get automatically included with the
   tc.lrp package. If it did, the scripts that I developed on all the
   Redhat-based QoS boxes would work on LEAF (because these scripts use
   the tc command which is included with 2.4+ kernels). Instead, LEAF
   doesn't appear to know how to filter based on IP, which tells me that
   the traffic control stuff is not compiled into the kernel by default,
   thus requiring a module.
   
  
  is the cls_u32 module loaded on your leaf box ? 
  
  
 
 firewall# lsmod
 Module                  Size  Used by    Not tainted
 sch_teql                3020   0 (unused)
 sch_tbf                 2208   0 (unused)
 sch_prio                1824   0 (unused)
 cls_tcindex             3548   0 (unused)
 cls_route               3356   0 (unused)
 cls_fw                  1972   0 (unused)
 cls_u32                 3896   1
 sch_cbq                10456   1
 ip_nat_h323             2044   0 (unused)
 ip_conntrack_h323       1880   1
 softdog                 1360   1
 ipt_state                272  13
 ipt_helper               400   0 (unused)
 ipt_conntrack            692   0
 ipt_REDIRECT             480   0 (unused)
 ipt_MASQUERADE          1024   1
 ip_nat_irc              1704   0 (unused)
 ip_nat_ftp              2152   0 (unused)
 iptable_nat            14332   4 [ip_nat_h323 ipt_REDIRECT ipt_MASQUERADE ip_nat_irc ip_nat_ftp]
 ip_conntrack_irc        2484   1
 ip_conntrack_ftp        3132   1
 ip_conntrack           16516   3 [ip_nat_h323 ip_conntrack_h323 ipt_state ipt_helper ipt_conntrack ipt_REDIRECT ipt_MASQUERADE ip_nat_irc ip_nat_ftp iptable_nat ip_conntrack_irc ip_conntrack_ftp]
 pppoe                   6248   1
 pppox                    756   1 [pppoe]
 ppp_synctty             4192   0 (unused)
 ppp_generic            14608   3 [pppoe pppox ppp_synctty]
 n_hdlc                  5448   0 (unused)
 slhc                    3844   0 [ppp_generic]
 3c59x                  23768   1
 eepro100               16844   1
 mii                     1820   0 [eepro100]
 
 

Yes, just like on Redhat you must load the modules you need to use.
The modules are in a separate tarball; I just copy the modules that I
want to use over to my LEAF box using scp, add them to the modules list, and
back up modules.
On the next boot they are loaded, and my scripts work.

With regards



-- 
Ronny Aasen
Datapart AS





Re: [leaf-user] Re: Wanted: easy way to see load over time

2005-08-08 Thread Ronny Aasen
On Fri, 2005-08-05 at 11:46 -0400, kwon wrote:
 On 8/4/2005 14:26, Eric House wrote:
 
  Ok, so there seemed to be *some* interest in having a way for a LEAF
  box to display information about recent network activity over time.
  I've hacked together a prototype, and it's online.  If anyone's
  interested, please take a look.  What I've done runs on my LEAF box,
  though that's not where this is hosted:
  
  http://eehouse.org/cgi-bin/table.cgi
  
  Please let me know if this seems promising enough to be worthy of
  further work.  Understand that it's buggy and incomplete!  I think it
  does demonstrate where I'm headed though.
  
  BTW, I don't normally have port 80 open on this server.  The above URL
  will probably break in a few days.
  
  Thanks,
  --Eric
 
 That really looks promising and what about a summary of attacks based on 
 the shorewall log?
 Thanks,
 Kwon

Since I already display lots of data about my LEAF boxes, I figured I
could at least mention how.
I have about 10 LEAF boxes running, some as firewalls, some as routers,
some as bridges, some as IDS systems.
On all of them I run net-snmp, and collect SNMP data and graph it
using cricket, on a Debian sarge webserver. This works, but can take
quite some time to configure for each and every node, since they are not
identical setups.

If I was to do it over again now, I would have used a simpler solution
that doesn't involve meddling in SNMP space: I would just install the
munin-node package.
It can provide you with RRD graphs of all network traffic, load, CPU,
interrupts, etc. etc., and is rather low on CPU and load.
If you want to graph attacks in logs you can use the loggrep module
that's included.
If you only run one LEAF box, and want to show the result on the LEAF box in
question, you would also need the munin server and an HTTP server to
display the result.

The munin-node package is 897k in Debian sarge, and the munin
(server/collector) package is 528k; this could probably be made much smaller
for a LEAF box.

An online munin example: http://www.linpro.no/projects/munin/example/

If you want summaries of logs you can use logcheck, and instead of the
default of emailing you the results, you could have it show the data on a
web page, or use munin loggrep if you want to make graphs from it.

Just my 2 cents.

Regards,
Ronny Aasen









[leaf-user] router and transparent bridge in same box

2004-12-04 Thread Ronny Aasen
Hello.

I am trying to set up a router and a transparent tunnel point in the
same box, on the same local network. The box is a Bering 1.2 with
shorewall and vtund.

The box has these interfaces:
zone  if    comment
net   eth0  connected to the internet with real IP
loc   eth1  connected to local net with IP (gw for the net)
bru   eth2  connected to local net without IP, but bridged to tap0
bru   tap0  vtund ethernet tunnel through the internet to another box2
bru   br0   bridge interface, bridges together eth2 and tap0


Now, the box functions as a masquerading router for the local network
normally. The tunnel works as a bridge to another network normally. Remote
computers get DHCP leases from the server in the local network and have
connectivity to the local network and server as expected.

But the remote computers on the local network can not connect to the
internet with this box as the gateway.

If I split the functions into one tunnel/bridge and one router it works as
expected, but with the increased cost of one box and an additional real
IP address.

With tcpdump I can see packets going out the internet-connected
interface (eth0), but they do not become masqueraded. Packets
originating from the local side of the local net are masqueraded normally.
I have tried most available options in the masquerading file to no avail.

If this is even possible, I guess there are some finer points in
shorewall that keep eluding me.

Thanks for your attention

-- 
Ronny Aasen [EMAIL PROTECTED]
datapart AS





[leaf-user] bridging tunnel

2004-11-23 Thread Ronny Aasen
Hello

I need to do a bridging tunnel across the internet, transparent to DHCP
and similar broadcasts.

I have done this with vtund, but it seemed to me to be a tad unstable,
as it needed a restart now and then.
What is the most stable tunneling solution available for LRP?
Encryption is not needed.

with regards
-- 
Ronny Aasen [EMAIL PROTECTED]





Re: [leaf-user] Ip_conntrack issue

2004-11-22 Thread Ronny Aasen
You can disable the loading of the ip_conntrack helper modules;
unfortunately I think the main ip_conntrack is compiled into the kernel
(last time I checked), so you will still need to tweak the /proc/
settings to have a bigger conntrack list.

I tend to keep the shorewall ulog and iptables, but configure them as a
host-only firewall to protect the router itself.

Regards,
Ronny Aasen

On Sat, 2004-11-20 at 11:56, Eric Spakman wrote:
 Joe,
 
 If you are not doing any NAT, you can disable the loading of the 
 conntrack module(s) in /etc/modules.
 If I understand it correctly and you do plain routing only (no 
 firewalling), you can also remove iptables.lrp, ulogd.lrp and 
 shorwall.lrp. Don't forget to set ip_forward=yes in 
 /etc/network/options.
 
 Eric Spakman
 
  I've got an issue where my ip_conntrack table keeps getting pretty full.  I
  increased the max so it's not too bad now, but it's still larger than I'd
  like and I believe its just wasting some memory.  Looking at it, some of the
  entries have HUGE timeouts.  I see that other people have seen this issue as
  well, but I'm still not sure how to fix it.  I'm not doing any NAT, routing
  only.  Isn't there a way to just turn off connection tracking?
  
  
  --
  Joe Nelson
  Air Wired
  [EMAIL PROTECTED]
  http://www.airwired.net
  
  
  
-- 
Ronny Aasen [EMAIL PROTECTED]





Re: [leaf-user] My leaf crashed

2004-11-12 Thread Ronny Aasen
On Thu, 2004-11-11 at 08:21, Erich Titl wrote:
 Al
 
 At 00:10 11.11.2004 -0500, ALParada wrote:
 I did backup root but never considered the memory issue. I'm using a 128 MB
 stick and allocating 10 MB to the system with 3 MB for the logs. I can't say
 I looked at the space thinking there must be plenty.
 
 I found one of the most frequent glitches I made was leaving the disk mounted 
 when backing up root.lrp. As you can imagine this recursion eats up all 
 available space.

Ditto, I always used to do this.
In the old releases I made a /mnt/disk and /mnt/floppy
and fstab entries to match,

and made sure /mnt was excluded in the root backups, to avoid doing
this again.

I think ??? maybe ??? /mnt is included in the exclusion by default
nowadays..

-- 
Ronny Aasen [EMAIL PROTECTED]





Re: [leaf-user] beep.lrp question

2004-10-31 Thread Ronny Aasen
I have a tendency to put things into /etc/init.d/rmnologin if it's
just a one-liner that needs to run at the end of the boot sequence.

If it was more, I'd make a separate /etc/init.d/beep and add it to
beep.lrp's file list to make it back up together with beep.

You can also do it with the 'up' statement in /etc/network/interfaces,
but that is a bit before the box is ready; it needs to do shorewall and
a few other things too.

Regards,
Ronny

On Mon, 2004-11-01 at 01:16, Troy Aden wrote:
 Hello there. I have made a simple sh script to run beep for Bering Uclibc
 2.2.2. I want the system to run the script to tell me when it is done
 booting. Can anyone please tell me where I need to go to do this? The how-to
 for beep.lrp is not very helpful in this regard? 
 
 Thanks in advance!
 
 Troy
 
 
-- 
Ronny Aasen [EMAIL PROTECTED]





Re: [leaf-user] proc net entries in bering/bering-uclibc

2004-10-28 Thread Ronny Aasen
I will add this and try it on a test box as soon as possible
and come back with a report.

(asap is not very soon, I'm afraid)

Regards,
Ronny Aasen

On Thu, 2004-10-28 at 10:35, Erich Titl wrote:
 Ronny
 
 bad code fragment in my first message due to cut and paste :-(
 
 arp_table_adjust()
 {
 # values come from /etc/network/options; an unset variable leaves the
 # matching /proc entry untouched
 . /etc/network/options
 echo adjusting arp table values...
 echo adjusting the arp entry stale time...
 [ "X$gc_stale_time" != X ] && for i in `find /proc/sys/net/ipv4/neigh/ -name gc_stale_time | grep -v /lo`
 do
 echo $gc_stale_time > "$i"
 done
 [ "X$default_gc_stale_time" != X ] && echo $default_gc_stale_time > /proc/sys/net/ipv4/neigh/default/gc_stale_time
 echo adjusting the garbage collector interval
 [ "X$gc_interval" != X ] && echo $gc_interval > /proc/sys/net/ipv4/neigh/default/gc_interval
 echo adjusting the arp table thresholds
 [ "X$gc_thresh1" != X ] && echo $gc_thresh1 > /proc/sys/net/ipv4/neigh/default/gc_thresh1
 [ "X$gc_thresh2" != X ] && echo $gc_thresh2 > /proc/sys/net/ipv4/neigh/default/gc_thresh2
 [ "X$gc_thresh3" != X ] && echo $gc_thresh3 > /proc/sys/net/ipv4/neigh/default/gc_thresh3
 echo done...
 }
 
 Erich
 
 THINK 
 Püntenstrasse 39 
 8143 Stallikon 
 mailto:[EMAIL PROTECTED] 
 PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16
-- 
Ronny Aasen [EMAIL PROTECTED]





Re: [leaf-user] FYI LEAF box with many ports

2004-10-15 Thread Ronny Aasen
On Thu, 2004-10-14 at 08:22, Erich Titl wrote:
 Hi folks
 Some time ago there was a thread about multi port. 
 Well I set up such a beast yesterday with Bering 1.2,
 a NexGate NSA 1125. Here is the link to the HW.
 http://www.nexcom.com/0330/NexWeb/WebEN/ObjView.aspx?ObjID=Prod*1241
 
 cheers
 Erich 

I have been wondering about such a box.
How is it performance-wise? 4 gig ports on a P4 is a bit suspicious; is
it PCI or PCI-X?
Have you performed any tests?

-- 
Ronny Aasen [EMAIL PROTECTED]





Re: [leaf-user] RE: Bering and VMware - No network connectivity

2004-10-12 Thread Ronny Aasen
I have this working using bering-uclibc.

I use pcnet32 (don't forget the mii module) on the vlance virtual NIC.

The only problem I had was that I was unable to boot from the virtual SCSI
hard drive, and had to boot using a virtual floppy image, and save my
config and packages on the virtual SCSI disk.

The virtual bering is used as a firewall between the internet and the
virtual servers running on the virtual LAN.

From what you write, I would guess that you need to uncomment the mii
module also (copy it over if you don't have it already).

good luck 
Ronny Aasen


On Sun, 2004-10-10 at 15:30, Paul Reynolds wrote:
 Hi Everyone,
 
 I am new to LEAF and am trying to get Bering working under VMware, but I am 
 unable to get the networking component working.
 
 I have turned Shorewall and iptables off, to eliminate problems. (In fact I 
 deleted them from the syslinux.cfg file.)
 
 I am using a static ip address and am unable to ping other machines on my 
 network but I am able to ping the interface.
 
 My virtual network device is vlance - (thus I should be able to use the 
 pcnet32 module).
 I copied across the pcnet32.o module from the Bering extra modules website.
 
 I have installed the module and uncommented the pcnet32 line in the modules 
 file.
 
 I have backed everything up and restarted networking, but I am still unable 
 to ping other machines on my network, I know the LAN details are correct as 
 they work with other on another PC.
 
 Details:
 command: lsmod
 
 Modules Pages Used by
 pcnet32   13300 1
 mmi   2092 0   [pcnet32]
 
 command: ip addr show
 
 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
 inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
 2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
 link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
 3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
 link/ether 00:0c:29:70:86:dc brd ff:ff:ff:ff:ff:ff
 inet 192.168.184.229/24 brd 192.168.184.255 scope global eth0
 
 
 Note: VMware tools is not installed.
 
 Is there a guide to using Bering or any LEAF distro with VMware?
 
 Any help is much appreciated.
 
 Thanks
 
 RenO
 
-- 
Ronny Aasen [EMAIL PROTECTED]





[leaf-user] proc net entries in bering/bering-uclibc

2004-10-08 Thread Ronny Aasen
Using bering and bering-uclibc, for routers not firewalls,
I keep running into the arp table limit and the ip_conntrack limit.

The arp limit is noticed by the message 'neighbour table overflow' in
dmesg, and fixed by 

echo 16 > /proc/sys/net/ipv4/neigh/default/gc_thresh1
echo 256 > /proc/sys/net/ipv4/neigh/default/gc_thresh2
echo 2048 > /proc/sys/net/ipv4/neigh/default/gc_thresh3

more info at: http://www.rstack.net/tuning_proc_for_arp.html

The ip_conntrack limit is noticed by 'ip_conntrack table full dropping
packet'

and fixed by something like 
echo 65000 > /proc/sys/net/ipv4/ip_conntrack_max

Both of these limits make the box drop packets.

So my question is:
Can these entries be incorporated into the lrcfg menu somewhere,
with a lot of the nice comments that we've all come to love :)

I have noticed most of these limits the hard way, by customers
complaining about poor performance at the worst possible time (tm).

Or is there already such a system, and I am just too blind to spot it?
The network.options maybe?
-- 
Ronny Aasen [EMAIL PROTECTED]
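The three echos above and the conntrack sizing from the 2004-11-22 reply further up, as an added example script that is not from the list: it applies the same /proc values but checks that the thresholds are ordered and never lowers a limit that is already higher. PROC_ROOT is an assumption of this example so the script can be dry-run against a scratch directory instead of the live /proc.

```shell
#!/bin/sh
# Added example, not from the list posts: raise the ARP neighbour table
# thresholds and ip_conntrack_max on a 2.4 router the way the post does,
# with two safeguards the one-line echos lack: thresholds are checked for
# ordering, and an existing larger value is never reduced.
#
# PROC_ROOT is an assumption of this example so it can be exercised against
# a scratch directory; on a real box it defaults to /proc.
PROC_ROOT="${PROC_ROOT:-/proc}"

# Write $2 into $PROC_ROOT/$1 only when the current value is smaller.
raise_limit() {
    path="$PROC_ROOT/$1"
    want="$2"
    if [ ! -f "$path" ]; then
        echo "raise_limit: $path does not exist (module not loaded?)" >&2
        return 1
    fi
    have=$(cat "$path")
    if [ "$have" -lt "$want" ]; then
        echo "$want" > "$path" || return 1
        echo "$1: $have -> $want"
    else
        echo "$1: $have (left as is)"
    fi
}

# The kernel starts garbage-collecting neighbour entries above gc_thresh2
# and refuses new ones above gc_thresh3, which is the 'neighbour table
# overflow' message in dmesg. Defaults are the values from the post.
# gc_thresh3 is written first so the ordering holds after every step.
tune_arp_table() {
    t1="${1:-16}"; t2="${2:-256}"; t3="${3:-2048}"
    if [ "$t1" -gt "$t2" ] || [ "$t2" -gt "$t3" ]; then
        echo "tune_arp_table: need gc_thresh1 <= gc_thresh2 <= gc_thresh3" >&2
        return 1
    fi
    raise_limit sys/net/ipv4/neigh/default/gc_thresh3 "$t3" &&
    raise_limit sys/net/ipv4/neigh/default/gc_thresh2 "$t2" &&
    raise_limit sys/net/ipv4/neigh/default/gc_thresh1 "$t1"
}

# 'ip_conntrack table full dropping packet' is the other limit; on a
# 2.4 kernel it lives at /proc/sys/net/ipv4/ip_conntrack_max.
tune_conntrack() {
    raise_limit sys/net/ipv4/ip_conntrack_max "${1:-65000}"
}

# Only touch the live /proc when explicitly asked: ./tune-proc.sh apply
case "${1:-}" in
    apply) tune_arp_table && tune_conntrack ;;
esac
```

Run it with PROC_ROOT pointing at a copy of the relevant /proc files to see what it would change before running it as root with `apply`.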





Re: [leaf-user] looking for a small telnet-like prg (Bering 1.0)

2004-08-26 Thread Ronny Aasen
In bering uclibc there is the dropbear ssh server, that's quite small.
I guess you could recompile that for regular bering,

or get someone with a proper environment to do it for you.

Ronny Aasen

On Thu, 2004-08-26 at 12:57, Henning Jebsen wrote:
 Hi folks,
 as said in the subject, I am searching for a tool like sshd or telnet to 
 log into my (Bering 1.0 glibc) firewall. sshd uses too much memory
 (since I installed sshd, every now and then the LEAF box runs out of 
 memory, killing essential processes...).
 The LEAF box only has 16 MB. (Can't upgrade to more memory.) So I was 
 searching for a telnet daemon for Bering 1.0.
 
 I could not find a package. What I found was a telnet.lrp, but that's a 
 client, not a daemon.
 
 Any suggestions ? All I need is a shell into the firewall
 Thanks a lot !
 
 Greetings !
 
 
 
-- 
Ronny Aasen [EMAIL PROTECTED]





Re: [leaf-user] VNC port forward blocked by Shorewall

2004-08-18 Thread Ronny Aasen
On Wed, 2004-08-18 at 10:16, Chris Lee wrote:
 Hi,
 
 I fail to connect to the VNC server inside the intranet, which looks like it is blocked
 by Shorewall.
 
 Here is the log:
 
 Jan 1 08:00:00 8dgateway Shorewall:all2all:REJECT: IN= OUT=eth1 MAC= SRC=10.
 0.18.254 DST=10.0.18.1 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP
 SPT=4609 DPT=5900 SEQ=1772649008 ACK=0 WINDOW=5840 SYN URGP=0 
 
 10.0.18.254 is the leaf server
 10.0.18.1   is the VNC Server I want to connect
 
 I use PuTTY port forwarding and 
 
 PuTTY port forward --> 203.198.x.x -> leaf -> 10.0.18.254 -> 10.0.18.1 
 
 Any Hints?

Assuming eth1 is your loc (internal) network, it
seems to me like your ssh tunnel works, but you have shorewall
configured to not allow the leaf firewall access to your internal network.
Add something like 
ACCEPT $FW loc tcp 5900 
in rules and 'shorewall restart'.


-- 
Ronny Aasen [EMAIL PROTECTED]





RE: [leaf-user] VNC port forward blocked by Shorewall

2004-08-18 Thread Ronny Aasen
On Wed, 2004-08-18 at 10:50, Chris Lee wrote:
 Dear Ronny,
 
 Thanks. It's working now!
 
 Any hints for invalid log date?
 
 Regards,
 Chris Lee

Use date to check if your clock is correct.

If it's not, then do 
date MMDDhhmm (to set the system date)
hwclock --systohc (to store the correct time in the system backup clock)

Then download and install the ntpsimpl.lrp package, and point it at the
closest ntp server to keep the box time synced for the future.

 
-- 
Ronny Aasen [EMAIL PROTECTED]





[leaf-user] hardware

2004-08-17 Thread Ronny Aasen
Maybe a question for the hardware list, but I don't subscribe to that
one.

Has anyone used any of these as a leaf box, and how did it go?

http://www.ipc2u.de/servlet/comp?227852275222780
-- 
Ronny Aasen [EMAIL PROTECTED]





Re: [leaf-user] Shorewall Log Interpretation Question

2004-07-05 Thread Ronny Aasen
On Sat, 2004-07-03 at 05:15, Stirling Westrup wrote:
 I understand most of the log messages I see from Shorewall, but I keep 
 getting a bunch of this form:
 
 Dec 31 19:00:00 creaky Shorewall:all2all:REJECT: IN= OUT=eth1 MAC= 
 SRC=192.168.1.254 DST=192.168.1.17 LEN=241 TOS=00 PREC=0x00 TTL=64 ID=10067 
 PROTO=ICMP TYPE=5 CODE=1 GATEWAY=192.168.1.17
 
 My question is about the GATEWAY field. It doesn't show up in any of my other 
 shorewall logs, and I couldn't find any docs on it. (YOU try googling for 
 'gateway'!)

This is an ICMP redirect sent from your firewall to .17, being blocked
by your firewall rules.

Google for icmp type 5 code 1.

ICMP redirect is a method of remotely updating a host's routing table to
avoid sending redundant data on the segment; this is good or bad
depending on your point of view :)

http://www.qorbit.net/documents/icmp-redirects-are-bad.htm

code=1 means it's a host error redirect. That means that the error is
for a specific host. 

gateway is which gateway is the best route for the specific host/net
(host in this case).

Basically your firewall tells .17 that the data it's trying to send
should be sent to .17 instead. 
Now why .17 sends it to the default gw in the first place I don't know;
maybe .17 has 2 interfaces and lacks a route, or maybe .17 doesn't have a
loopback? (insert other wild guess here)

more info: 
http://www.networksorcery.com/enp/protocol/icmp/msg5.htm


-- 
Ronny Aasen [EMAIL PROTECTED]
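An added example, not from either post: a small decoder for Shorewall's netfilter log lines that handles this redirect entry and the VNC one from the 2004-08-18 thread, naming the ICMP type/code and recognising that 'IN= OUT=eth1' means the packet came from the firewall box itself. The two sample lines are copied from the posts; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not from the list posts: decode the netfilter lines that
# Shorewall logs. It covers the two cases discussed on the list, a TCP
# connection the firewall itself tried to open (IN= empty, OUT=eth1) and an
# ICMP redirect (PROTO=ICMP TYPE=5 CODE=1 GATEWAY=...).

# Value of KEY=value in a log line, empty when the key is absent or empty.
log_field() {
    key="$2="
    for tok in $1; do
        case $tok in
            "$key"*) printf '%s\n' "${tok#$key}"; return 0 ;;
        esac
    done
    printf '\n'
}

# Names for the ICMP types/codes a router most often logs. The redirect
# codes (type 5) are from RFC 792: 0 network, 1 host, 2 TOS and network,
# 3 TOS and host.
icmp_name() {
    case "$1/$2" in
        0/0)  echo "echo reply" ;;
        3/*)  echo "destination unreachable" ;;
        5/0)  echo "redirect for network" ;;
        5/1)  echo "redirect for host" ;;
        5/2)  echo "redirect for TOS and network" ;;
        5/3)  echo "redirect for TOS and host" ;;
        8/0)  echo "echo request" ;;
        11/*) echo "time exceeded" ;;
        *)    echo "type $1 code $2" ;;
    esac
}

# One-line summary: what the packet was and where it came from.
explain_log_line() {
    line="$1"
    in_if=$(log_field "$line" IN)
    out_if=$(log_field "$line" OUT)
    proto=$(log_field "$line" PROTO)
    src=$(log_field "$line" SRC)
    dst=$(log_field "$line" DST)
    # Empty IN= with a set OUT= is a packet generated on the firewall box
    # itself (Shorewall's $FW zone), not something being forwarded.
    if [ -z "$in_if" ] && [ -n "$out_if" ]; then
        origin="the firewall itself (\$FW) out of $out_if"
    elif [ -n "$in_if" ] && [ -z "$out_if" ]; then
        origin="$in_if, addressed to the firewall itself"
    else
        origin="$in_if, forwarded to $out_if"
    fi
    case $proto in
        TCP|UDP)
            spt=$(log_field "$line" SPT)
            dpt=$(log_field "$line" DPT)
            what="$proto $src:$spt -> $dst:$dpt" ;;
        ICMP)
            type=$(log_field "$line" TYPE)
            code=$(log_field "$line" CODE)
            what="ICMP $src -> $dst $(icmp_name "$type" "$code")"
            gw=$(log_field "$line" GATEWAY)
            if [ -n "$gw" ]; then
                what="$what, telling $dst to send via $gw"
            fi ;;
        *)
            what="$proto $src -> $dst" ;;
    esac
    printf '%s\n' "$what, from $origin"
}

# Constructed samples, taken from the two list posts.
SAMPLE_VNC='Jan 1 08:00:00 8dgateway Shorewall:all2all:REJECT: IN= OUT=eth1 MAC= SRC=10.0.18.254 DST=10.0.18.1 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=4609 DPT=5900 SEQ=1772649008 ACK=0 WINDOW=5840 SYN URGP=0'
SAMPLE_REDIRECT='Dec 31 19:00:00 creaky Shorewall:all2all:REJECT: IN= OUT=eth1 MAC= SRC=192.168.1.254 DST=192.168.1.17 LEN=241 TOS=00 PREC=0x00 TTL=64 ID=10067 PROTO=ICMP TYPE=5 CODE=1 GATEWAY=192.168.1.17'

# Run stand-alone to see the two summaries.
for l in "$SAMPLE_VNC" "$SAMPLE_REDIRECT"; do
    explain_log_line "$l"
done
```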





Re: [leaf-user] Please be kind to the Newbie!!

2004-07-02 Thread Ronny Aasen
 modified networking. 
shorewall restart if you have modified shorewall rules. 
etc.

Or you might reboot if you don't know what to restart to make it take
effect.
I tend to 
1. make the system change 
2. test it by restarting the system affected, 
3. then back up if everything still works. :) 
This way I can just reboot if I have somehow made a mess of things.

good luck

-- 
Ronny Aasen [EMAIL PROTECTED]





Re: [leaf-user] Just checking....

2004-07-01 Thread Ronny Aasen
On Wed, 2004-06-30 at 19:15, Brad Klinghagen wrote:
 I took a further look at the Win2K workstation to see what was going on.
 There is no virus infecting the computer. I looked all over the
 computer, in the task manager, Services folder, event viewer, and no
 virus shows up. The virus software shows nothing for a long time. Web
 server is turned off.  MSN Messenger hasn't even been used in weeks. The
 computer has only been used for web browsing, and local applications
 like Adobe PhotoShop,Illustrator, and Quicken.

To remove adware/spyware you need to run a sweeper; you will probably
never spot it visually (taskmanager/process list).

I tend to prefer
adaware : http://lavasoft.element5.com/software/adaware/
spybot  : http://www.spybot.info/
There are lots of other good ones.

Install one, update it and run it; I bet you'll be surprised at how much
crap a windows machine can gather on the internet.

-- 
Ronny Aasen [EMAIL PROTECTED]





Re: [leaf-user] bandwidth tracking

2004-06-30 Thread Ronny Aasen
On Wed, 2004-06-30 at 04:08, ALParada wrote:
 I thought about that since I have Ethereal already installed in my PC.
 However, I believe it will only report on traffic local that PC.
 
 I have TCPDump already copied but I don't load it. I loaded it once and it
 had a small issue. I wasn't there so not really sure what happened. If
 anyone is using it successfully please let me know it's worth another try.

I use tcpdump on bering and bering-uclibc, never had an issue with it,
seems rock solid.

I did manage to mess it up once, but that was because I filled the memory
with a tcpdump that I didn't remember to terminate, so always supply a -c
n to stop tcpdump after n packets! Can't blame tcpdump for that :)

Other nice things are:
netsnmp on bering + cricket/mrtg: can show you all kinds of stuff about
your router, such as traffic, interrupts, cpu load, icmp messages! 
shorewall show: shows stats for various shorewall rules
and I know there was an ntop package around; you can probably run it with
the compat libs.

If you try to see the traffic with ethereal/tcpdump on another pc,
connect into the stream with a hub or a wiretap, not a switch.

Ohh, and do look at the blinking lights :)

good luck 

-- 
Ronny Aasen [EMAIL PROTECTED]





Re: [leaf-user] VMWare + 1.68MB floppies not working

2004-06-30 Thread Ronny Aasen
On Tue, 2004-06-29 at 18:47, Ben Conrad wrote:
 Folks,
  
 I've got the latest VMWare Workstation (v4.5.2 6/11/04) running on
 WinXP and the Bering_1.2_img_bering-1680.exe written to a floppy.
 Every time I boot up the VM the LEAF boot up hangs well into the linux
 boot up at LINUXRC: Installing - root:.
  
 VMWare gives me a NOT_IMPLEMENTED F(554):3129 bugNr=1971 error and
 crashes the VM.
  
 I've read on the list that some people have this 1.68MB image working
 with no issues.  Some people have had issues that were remedied in v4
 of VMWare.
  
 
 This is what I have tried so far:
 - LEAF floppies for v1.1 and v1.2
 - disable acceleration in the VM
 - removed the hard drive from the VM, disabled USB and Audio
 - Changed the floppy in the VM from 1.44 to 2.8
 - the VM has 128MB of memory.
 - Guest OS in VMWare: Linux  Other Linux. 
  
 Does anybody have any suggestions?

Aye, I never managed to get this to work either.
The easiest to get going was the 1.44 MB floppy + cd version of
bering-uclibc; it worked out of the 'virtual' box.

For some reason I couldn't manage to get the 'virtual' SCSI hard drive to
boot, but booting from the 1.44 floppy and putting packages and configs on
the virtual SCSI hd works fine.

-- 
Ronny Aasen [EMAIL PROTECTED]





Re: [leaf-user] Just checking....

2004-06-30 Thread Ronny Aasen
On Wed, 2004-06-30 at 01:16, Brad Klinghagen wrote:
 I just wanted to check to make sure I'm looking at the Shorewall logs
 correctly. Below, I've pasted a small sample of what I'm seeing in my
 log file. The particular IP address that begins with 66 is the source
 and 10.1.1.65 is the destination. Obviously the 10 IP address is within
 my LAN. The second to last column shows the destination port number that
 is trying to be used. This is only a small portion of the list, there
 are hundreds of listings, and the destination port number keeps
 changing, while the source port number stays at 80, and this source IP
 is always trying to get to the same destination.
 
 I am DROPing these packets and logging them because they are unwanted
 traffic. When I trace the public IP, there is no site there. In similar
 cases, sometimes there is a Microsoft IIS server there under
 construction. I did a 'dig -x 66.232.154.8,' and I got no answer as far
 as the owner of the IP address. Sometimes when I execute the 'dig -x'
 instruction, there will be some information, but usually the IP address
 is a client IP of an ISP (like Verizon, or Comcast).
 
 Is it right to assume that this traffic is a hacker using automated
 software trying to probe for weaknesses in my firewall or computer
 setup? Or is it something else completely, something much less sinister?
 Could this be some ad software, or something like it? If this isn't
 someone trying to get in, how can you tell in your log files. I've got a
 number of various entries of unwanted IP attempts to access my network;
 some I believe is just spurious traffic, but others look like concerted
 effort to get at my computers.
 
 The issue with this sample is I don't know how this person, or software
 is using the internal IP address of 10.1.1.65 because I'm using NAT (I
 suppose they stripped off the TCP/IP header, does that not suggest
 maliciousness?). Also, that IP address corresponds to the only Win2k
 computer in my whole network, and there is no other access attempts to
 any other internal computer.
 
 eth0 eth1 66.232.154.8  10.1.1.65  TCP  80  1986  Jun 26 07:28:43 
 eth0 eth1 66.232.154.8  10.1.1.65  TCP  80  1986  Jun 26 07:28:49 
 eth0 eth1 66.232.154.8  10.1.1.65  TCP  80  1986  Jun 26 07:28:49 
 eth0 eth1 66.232.154.8  10.1.1.65  TCP  80  1986  Jun 26 07:29:01 
 eth0 eth1 66.232.154.8  10.1.1.65  TCP  80  1986  Jun 26 07:29:26 
 eth0 eth1 66.232.154.8  10.1.1.65  TCP  80  1986  Jun 26 07:30:14 
 eth0 eth1 66.232.154.8  10.1.1.65  TCP  80  1986  Jun 26 07:30:44 
 eth0 eth1 66.232.154.8  10.1.1.65  TCP  80  2039  Jun 26 07:30:47 
 eth0 eth1 66.232.154.8  10.1.1.65  TCP  80  2039  Jun 26 07:30:48 
 eth0 eth1 66.232.154.8  10.1.1.65  TCP  80  2039  Jun 26 07:30:53
 eth0 eth1 66.232.154.8  10.1.1.65  TCP  80  2039  Jun 26 07:30:54 
 eth0 eth1 66.232.154.8  10.1.1.65  TCP  80  2039  Jun 26 07:31:06 
 eth0 eth1 66.232.154.8  10.1.1.65  TCP  80  2039  Jun 26 07:31:30 
 eth0 eth1 66.232.154.8  10.1.1.65  TCP  80  2039  Jun 26 07:32:18 
 eth0 eth1 66.232.154.8  10.1.1.65  TCP  80  2039
 


Does your log really look like that? Always post the original. 

Since it's from port 80 I'd have 2 wild guesses: 

1. Your w2k box has a virus that does httpd requests and you see the
responses being blocked in the firewall. 

2. The remote IIS is infected by one of the IIS exploit viruses, making it
spew out packets; seen a few of those lately. But that it would find
your 1 w2k box must be a huge coincidence.

If you change the ip of the w2k and the packet drops in your log
follow to the new ip, then I'd take the w2k off the net for
forensics.

-- 
Ronny Aasen [EMAIL PROTECTED]





[leaf-user] to few interfaces

2004-06-30 Thread Ronny Aasen
How do you guys cope with the issue of a regular pc only having 3-6 pci
slots? 

I find myself needing more and more interfaces and would prefer not to
have to set 2-3 boxes next to each other, since rack space is an issue
(cost).

What are the best ways to get many interfaces in a box that is as standard as
possible, while keeping performance up?

I've heard of 2 and 4 port pci cards, but they are hardly commonplace and
make spare parts an issue.

I've heard of motherboards with several pci busses ??? How will this
perform? 

VLAN on gigabit can make for several 100 mbit interfaces, but I'd rather
keep VLAN out of the routers if I can help it.

I'm mostly using bering and bering-uclibc 

-- 
Ronny Aasen [EMAIL PROTECTED]





RE: [leaf-user] CF-IDE help

2004-05-14 Thread Ronny Aasen
On Thu, 2004-05-13 at 16:46, Peter Mueller wrote:
  The only time I came across something like that was when I pulled 
  the CF out of the USB adapter before I had selected 'Eject' 
  in windows. Any possibility of something like that? 
  Regards,
  Dave.
 
 Unfortunately no.  I have my CF-IDE adapters configured on secondary or
 primary IDE on both systems.

I once had a cf-ide card... that
wouldn't reliably write data unless the external power adapter was
installed. 
Reading and booting worked fine without.

Can't remember the brand though.

Regards,
-- 
Ronny Aasen [EMAIL PROTECTED]





Re: [leaf-user] Shorewall

2004-05-07 Thread Ronny Aasen
On Fri, 2004-05-07 at 05:30, Askari wrote:
 Hello All,
 I have a gateway connect to internet, use shorewall system.
 I use Bering Uclibc V 2.0; I need to protect someone in my LAN connecting
 to the internet using port 80.
 He can access websites only like yahoo.com and hotmail.com; how do I set this on
 shorewall?
 
 Thank's
 Askari
 

As Jay said,
a proxy is better for this, but it can be done in shorewall too.

In shorewall rules

# shorewall matches rules in order, so the ACCEPTs must come before the REJECT
ACCEPT loc:~00-A0-C9-15-39-78 net:www.yahoo.com tcp 80
ACCEPT loc:~00-A0-C9-15-39-78 net:www.whatever.com tcp 80
REJECT loc:~00-A0-C9-15-39-78 net tcp 80


where 00-A0-C9-15-39-78 is the MAC address of the network card of the
user that needs restricting.
It can be replaced by an ip address if that is more sensible in your network.

This only restricts port 80.
Keep in mind when using hostnames that if dns is unavailable when you
restart shorewall, the shorewall script will fail;
to avoid this, replace www.yahoo.com with the current ip of www.yahoo.com.

Also, if the same ip serves other sites than www.yahoo.com through virtual
hosting, those sites will be available. (unlikely on such large sites)

good luck
-- 
Ronny Aasen [EMAIL PROTECTED]





RE: [leaf-user] BGP

2004-04-21 Thread Ronny Aasen
On Thu, 2004-04-22 at 02:04, Peter Mueller wrote:
  Is LEAF capable of BGP route propagation?
  
  I hear that there are packages that support BGP called:
  Zebra
  http://www.zebra.org/
  Quagga
  http://www.quagga.net/
  and
  BIRD
  http://bird.network.cz/
  
  Is one of these supported by LEAF?
  Are any of them recommended by anyone?
 
 I am using the Bering bgpd.lrp package here.  It's been working fine for 1+
 years.  Quagga is the less bug-ridden software but for BGP it doesn't really
 matter.  I don't know what BIRD is.
 
  If I was comparing a LEAF, or other Linux based solution to either a 
  $2500, or a $10,000 cisco router based solution, would the LEAF/Linux 
  solution be comparable (in uptime+performance) to a cisco?
 
 Yes.  I use CF-IDE flash & dual power.  Price/performance is much better.  A
 p4 server with intel gigabit NICs and NAPI enabled will kick serious ass.

Do Bering/Bering-uClibc support NAPI straight out of the box?
It's a looong time since I last looked at NAPI.

I am also using the Bering-uClibc + quagga packages for ospfd and bgp.
Works great.

mvh
-- 
Ronny Aasen [EMAIL PROTECTED]





RE: [leaf-user] VNC on Leaf

2004-04-14 Thread Ronny Aasen
On Wed, 2004-04-14 at 12:43, Luis.F.Correia wrote:
 Hi!
 
 it is not practical nor secure to have that kind of stuff 
 on a router/firewall.
 
 I had myself that same idea about a year ago, on the purpose of 
 having only one tool for remote administration.
 
 However, i came to the conclusion that SSH based login is much 
 more secure and easy to use.
 
 So: either use dropbear on Bering uClibc or just plain old 
 serial port login...

I think he meant to use LEAF not as a router/firewall, but as a VNC
thin client.

Although I think it's easier just to install the Feather Linux usbpen version on
a USB pen or flash disk and use that (it has VNC and X included already).
I have one with me always :)

mvh
-- 
Ronny Aasen [EMAIL PROTECTED]





Re: [leaf-user] nameresolution fail with multipath

2004-03-22 Thread Ronny Aasen
On Wed, 2004-03-17 at 15:17, Ronny Aasen wrote:
 hello
 
 I am trying to set up a redundant multipath network;
 it looks something like this:
 
 ---  ---
 | gw1 |--| gw2 | --
 DEFGW---| |  | |-| Laptop |
 | |--| | --
 ---  ---
 
 and the routing table shows multipath routes.
 
 Now everything works as expected, I guess:
 the laptop can browse the net and things seem ok.
 The laptop and the gateways all use the same nameserver that sits in the
 DEFGW.
 
 But
 
 the following command fails on gw2:
 # nslookup www.vg.no [ip of any nameserver]
 
 and also every command that needs name resolution fails to work.
 
 
 But if I cut one of the multipath links and wait for the ospfd to remove
 the multipath routes,
 like this:
 
 ---  ---
 | gw1 |--| gw2 | --
 DEFGW---| |  | |-| Laptop |
 | |--| | --
 ---  ---
 
 or
 
 ---  ---
 | gw1 |--| gw2 | --
 DEFGW---| |  | |-| Laptop |
 | |--| | --
 ---  ---
 
 then name resolution functions as expected.
 
 In all 3 scenarios I can ping the nameserver ok from all boxes.
 
 Hope someone has a clue to give me :)

Seems turning off spoofprotect in /etc/network/options fixes this
problem.

Yay! :)

-- 
Ronny Aasen [EMAIL PROTECTED]





[leaf-user] nameresolution fail with multipath

2004-03-17 Thread Ronny Aasen
hello

I am trying to set up a redundant multipath network;
it looks something like this:

---  ---
| gw1 |--| gw2 | --
DEFGW---| |  | |-| Laptop |
| |--| | --
---  ---

and the routing table shows multipath routes.

Now everything works as expected, I guess:
the laptop can browse the net and things seem ok.
The laptop and the gateways all use the same nameserver that sits in the
DEFGW.

But

the following command fails on gw2:
# nslookup www.vg.no [ip of any nameserver]

and also every command that needs name resolution fails to work.


But if I cut one of the multipath links and wait for the ospfd to remove
the multipath routes,
like this:

---  ---
| gw1 |--| gw2 | --
DEFGW---| |  | |-| Laptop |
| |--| | --
---  ---

or

---  ---
| gw1 |--| gw2 | --
DEFGW---| |  | |-| Laptop |
| |--| | --
---  ---

then name resolution functions as expected.

In all 3 scenarios I can ping the nameserver ok from all boxes.

Hope someone has a clue to give me :)
-- 
Ronny Aasen [EMAIL PROTECTED]
datapart AS





[leaf-user] Could not mount backup device on usb pen drive

2004-03-03 Thread Ronny Aasen
I have found a strange behavior when trying to back up packages using the
shortcuts added when using a custom destination in Bering-uClibc.

I boot from my regular boot media (floppy or IDE),
mount, ls and umount a USB pen drive to verify it's in working order.

Change the destination for a package to sda1:msdos
and back up the package. Everything works normally.

When I now try to change the destination for another package using the now
created shortcut [2] sda1:msdos in the lrcfg menu,
the backup shows sda1 msdos as destination, but when trying a backup I get
'Could not mount backup device'.

Now,
if I select change destination, and instead of selecting [2] sda1
select [c] custom destination and enter sda1 and msdos, it works.

Now I am not a coder.. but I think the solution is to modify lines 133
and 134 in /usr/sbin/lrcfg.back

from:
# (the quotes and the >> append redirection were lost in the archived copy; restored here)
if ! `grep -q "$DEV $FS" $LRPKG/pkgpath.disks`;then
echo "$DEV $FS" >> $LRPKG/pkgpath.disks

to:
if ! `grep -q "/dev/$DEV $FS" $LRPKG/pkgpath.disks`;then
echo "/dev/$DEV $FS" >> $LRPKG/pkgpath.disks

I tested this and it works for my handydrive.
-- 
Ronny Aasen [EMAIL PROTECTED]
datapart AS





[leaf-user] request for zebra/quagga binary packages compilation argument

2004-03-01 Thread Ronny Aasen
Hello

This is a request to the maintainer of the quagga packages in
Bering-uClibc.

I was wondering if it was possible to add
--enable-multipath=0 to quagga.mk in future binary releases.

I have successfully recompiled the quagga packages with this argument, since
it is required for equal-cost multipath operation.
The kernel already supports multipath.

If there is some sensible reason why it is not included already.. then
please forgive my ignorance.

Now I have a kickass LEAF router with multihoming and multipath
redundancy/load balancing. HO HO HO

mvh
-- 
Ronny Aasen [EMAIL PROTECTED]





Re: [leaf-user] Bering only 6MB ramdrive?

2003-11-06 Thread Ronny Aasen
On Thu, 2003-11-06 at 08:03, Dmitri Gofmekler wrote:
 Hello,
 
 Small question.
 
 How to increase / partition size (ramdrive size) in LRP Bering (1.2
 version)?

I tend to add
syst_size=10M in the syslinux.cfg file, on the line that says "default linux
etc etc".


mvh
-- 
Ronny Aasen [EMAIL PROTECTED]





Re: [leaf-user] Firewall load and shorewall accounting questions.

2003-10-21 Thread Ronny Aasen
On Tue, 2003-10-21 at 01:25, AdStar wrote:
 Hi all,
 
 I'm running a bering firewall in my production environment and have a couple
 of questions about the accounting side of things with shorewall and firewall
 load.
 
 How often are the counters reset, is it only on a shorewall restart (firewall
 reboot etc)?
 
 If I wanted to track traffic from a specific internal IP I gather I just add
 it to the source/destination as below?
 
 ACTION CHAIN SOURCE  DESTINATION  PROTO DEST PORT SRC PORT
 www1:COUNT - eth0 eth1:10.0.100.36 tcp 80
 www1:COUNT - eth1:10.0.100.36 eth0 tcp - 80
 DONE www1
 
 How can I track how hard the firewall is working?
 When I say how hard, as in packet throughput, cpu load etc.
 What do I check for to know if I need to upgrade the CPU, or go to 1000/100
 NIC's etc

In the Dachstein packages you will find packages named
libdb.lrp and netsnmpd.lrp.

These packages enable your Bering to talk SNMP.

You can then use MRTG or a similar tool to draw graphs of your interfaces,
CPU load, disk space, memory usage etc etc.

This works almost right out of the box.

The only problem I have is that I have no idea how to set an interface
description, and make MRTG read it.

mvh
-- 
Ronny Aasen [EMAIL PROTECTED]





[leaf-user] bering glibc vs uclibs

2003-09-13 Thread Ronny Aasen
After the uClibc fork, is the Bering 1.2 (glibc) version still being
developed, or is it recommended to swap to uClibc?

I ask because I notice packages (netsnmp) appearing for uClibc that I
can't seem to find for Bering-glibc.

I have not used uClibc Bering due to the quote
"Trade-offs between speed and size were decided in the direction of
size."

Size is not a problem for me, since I use flash disks
(no patience for floppies),

and I need all the speed I can get.

-- 
Ronny Aasen [EMAIL PROTECTED]





RE: [leaf-user] Bering and MRTG [faked-from][sls]

2003-09-12 Thread Ronny Aasen
On Wed, 2003-09-10 at 22:13, Charles Holbrook wrote:
 Packages are listed on leaf.sourceforge.net under the Bering-uClibc 1.x
 downloads.  As far as configuring the snmpd.conf file you COULD use it
 straight out of the box with no modifications and it would work.  There
 is a single tweak that you might want to do to allow a more robust
 walk of the snmp tree.  Trace back your community name through the
 groups to its permissions, change that from system to .1 and that will
 allow you to walk all of the tree without having to specify anything in
 the snmpwalk command.  I would however suggest making one change to the
 conf script and that is for the community name.

The snmp packages in the tarballs on leaf.sf.net:
are any of those compatible with regular Bering 1.2 (glibc)?


-- 
Ronny Aasen [EMAIL PROTECTED]





RE: [leaf-user] reduce load on a bering box

2003-09-03 Thread Ronny Aasen
On Tue, 2003-09-02 at 19:45, Robert Coffman - Info From Data Corporation
wrote:
 I'm not sure I can help with this, but I'd love to know what hardware you
 are running this on.
 
 Actually, I'd love to hear anyone's input on the capacities of their Bering
 boxes, what they are doing with them, and what hardware they run on.
 
 - Bob Coffman

Well, this was an emergency so I threw in whatever I had lying around.

So this box is currently a
Duron 1200 MHz with 4 Unex NICs (RTL based);
it's the cheapest possible in Norway atm :P
It had 128 MB RAM yesterday, but I increased it to 512 MB tonight.
I increased the RAM because of ip_conntrack. The default
ip_conntrack_max on a 512 MB box is 32xxx; I've increased it to 99
since I reach 32xxx in a few hours...

And it handled the load quite nicely.

It's a Bering 1.2 and boots on an M-Systems iDOC (flash disk with IDE
interface), highly recommended since it has no moving parts.

All my secondary routers (with tc and ospfd) are built on this machine,
but the traffic on these is not so high.

My personal wish list for this box would be:
- ip_conntrack_timeout somewhere in proc
- module the entire ip_conntrack so one could insmod in pre-shorewall
  start and rmmod in post-shorewall stop. (Is this feasible at all?)


It will probably be replaced with a P4 2.8 GHz, 512 GB DDR333 and 3c905
NICs when the parts arrive.

Any tips on increasing throughput, packet forwarding rate, and reducing
latency while keeping the box secure are appreciated.

And if you have questions, just ask; this list has always helped me in
the past :)


-- 
Ronny Aasen [EMAIL PROTECTED]
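As an added example (not from the post above), a small POSIX shell check for how full the ip_conntrack table is: the post raises ip_conntrack_max after hitting the default within hours, and this reports the percentage in use so a cron job can warn before the table fills and the kernel starts dropping packets for new connections ("ip_conntrack: table full, dropping packet"). The /proc paths are those of the 2.4 kernels discussed here; the ROOT prefix, the function names and the sample table contents are assumptions or constructed values so the check runs offline.

```shell
#!/bin/sh
# Added example, not code from the list post. Reports how full the
# ip_conntrack table is so a cron job can warn before ip_conntrack_max is
# reached, the point at which the kernel drops packets for new connections
# ("ip_conntrack: table full, dropping packet"). The /proc paths are those
# of the 2.4 kernels discussed in the thread; ROOT is an assumed prefix so
# the check can be exercised offline against a constructed copy of /proc.

# conntrack_usage_pct ROOT -> prints the table fill level in percent,
#   returns 2 if the files cannot be read
conntrack_usage_pct() {
    root=${1:-}
    max=$(cat "$root/proc/sys/net/ipv4/ip_conntrack_max" 2>/dev/null) || return 2
    # /proc/net/ip_conntrack has one line per tracked connection
    count=$(wc -l < "$root/proc/net/ip_conntrack" 2>/dev/null) || return 2
    count=$(printf '%s' "$count" | tr -d ' ')
    [ "$max" -gt 0 ] 2>/dev/null || return 2
    echo $(( count * 100 / max ))
}

# conntrack_check ROOT THRESHOLD_PCT -> 0 below threshold, 1 at or above
#   (with a warning on stderr), 2 on error
conntrack_check() {
    pct=$(conntrack_usage_pct "$1") || return 2
    if [ "$pct" -ge "$2" ]; then
        echo "WARNING: ip_conntrack table ${pct}% full (threshold ${2}%)" >&2
        return 1
    fi
    echo "ip_conntrack table ${pct}% full"
}

# make_sample_proc ROOT ENTRIES MAX writes a constructed subset of /proc
# with ENTRIES tracked connections and ip_conntrack_max set to MAX.
make_sample_proc() {
    mkdir -p "$1/proc/sys/net/ipv4" "$1/proc/net"
    echo "$3" > "$1/proc/sys/net/ipv4/ip_conntrack_max"
    : > "$1/proc/net/ip_conntrack"
    i=0
    while [ "$i" -lt "$2" ]; do
        # 2.4-style entry; addresses are from the documentation ranges
        echo "tcp      6 431999 ESTABLISHED src=192.0.2.$((i % 250 + 1)) dst=198.51.100.7 sport=$((40000 + i)) dport=80 src=198.51.100.7 dst=192.0.2.$((i % 250 + 1)) sport=80 dport=$((40000 + i)) use=1" \
            >> "$1/proc/net/ip_conntrack"
        i=$((i + 1))
    done
}

# Stand-alone demo: 30 of 40 slots in use against a 75% threshold.
demo=$(mktemp -d)
make_sample_proc "$demo" 30 40
conntrack_check "$demo" 75 || echo "(exit status $?)"
rm -rf "$demo"
```

On a live router call conntrack_check with an empty ROOT (the real /proc) from cron; a return of 1 is the moment to raise ip_conntrack_max or look for what is filling the table, before the "table full" drops the post describes start.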





RE: [leaf-user] reduce load on a bering box

2003-09-03 Thread Ronny Aasen
On Wed, 2003-09-03 at 09:02, S Mohan wrote:


Yes, I know.
I have removed the ip_conntrack helper modules there (no NAT or masq);
the point is that ip_conntrack is not a module, it's in the kernel.

mvh
Ronny Aasen

 shorewall has a file for including modules that need to be loaded. It also
 has files/scripts executed before start and after stop.
 
 Mohan
 
-- 
Ronny Aasen [EMAIL PROTECTED]





Re: [leaf-user] reduce load on a bering box

2003-09-03 Thread Ronny Aasen
On Tue, 2003-09-02 at 19:19, Andres Alla wrote:
 On Tuesday 02 September 2003 14:33, Ronny Aasen wrote:
  []
  i need to filter/firewall between the 4 nic's to avoid forwarding
  rfc1918 packets to default gw, and filter access to the router itself.
  evrything else is go
 
 Have you tried blackhole route instead of netfilter for rfc1918 addresses?
 
 Something like:
 # ip route add blackhole 192.168.0.0/16
 
 Does anybody know why this is so seldom recommended? Are there some serious 
 shortcomings I am not aware of?

This does sound very interesting..
I suppose I can do this in zebra as a static route,
as
ip route 192.168.0/16 blackhole
for instance?

I am also interested in shortcomings before I implement this :)


-- 
Ronny Aasen [EMAIL PROTECTED]





[leaf-user] reduce load on a bering box

2003-09-02 Thread Ronny Aasen
Hello

Due to unforeseen circumstances we had to replace an HP router switch with
a Linux Bering router.

This router now routes 4096 real addresses with some 2500-3000 computers
(some NATed behind other firewalls).

4 NICs 100 Mbit, with eth0 to a 20 Mbit link to the internet, and it runs zebra and ospfd.

But.
I have noticed that if I have Shorewall up, the load gets quite high,
and I also have a few packet drops.

With Shorewall down I have 0 load and no packet drops.

I need to filter/firewall between the 4 NICs to avoid forwarding
RFC 1918 packets to the default GW, and filter access to the router itself.
Everything else is go.

I guess a few manual iptables entries is a solution, but a Shorewall
config to minimise load would be preferable.

Can the Bering 1.2 kernel be optimized for better performance in such a
situation?

Any thoughts?


mvh
Ronny Aasen
-- 
Ronny Aasen [EMAIL PROTECTED]





RE: [leaf-user] zebra and bering

2003-03-04 Thread Ronny Aasen
On Wed, 2003-03-05 at 06:57, Eric B Kiser wrote:

Good to hear :)

This first setup will be 5 OSPF Linux Bering zebras running current
hardware (3c905 NICs).

Most boxes are simple 2-interface,
but one will be a 4-interface box with 1 uplink, 1 connection to a large
nationwide network (but no Inet), 1 OSPF network and 1 regular network
(default-gw).

Soon after there will be Cisco boxes, Win-NT firewalls (FW-1, Symantec
Raptor, etc) and more 'alien' hardware also.

What is the latest lrp'd zebra version? Or do you people make your own?

mvh
Ronny Aasen

 Most of the problems with OSPF seem to be misconfiguration at this point.
 There were problems with MD5 authentication which have been resolved and
 some hardware problems that had nothing to do with Zebra that have also been
 resolved.
 
 For configuration help check out this site: http://pilot.org.ua/zebra/
 
 Here are the responses that I have received so far and a bit of research
 from the archives listed at the bottom...
 
 [Tim Bulger]
 Sorry, this isn't exactly what you're looking for, but I've been running
 zebra OSPF in VPN networks that span the globe since mid-2000 with no
 significant complaints.  The zebra boxes coexist peaceably with Cisco,
 Foundry, Alcatel, Cabletron, possibly others.
 
 Hope this helps,
 Tim
 [Tim Bulger]
 
 [Stephane Bortzmeyer]
 If you want to do simple things, you'll probably have no problems. We are
 very
 happy with Zebra's OSPF.
 
 Things I noticed on that mailing list were often OS-specific:
 
 * some Linux drivers (Broadcom cards) have problems with multicast (and it
 is
 worse if you have VLANs),
 * BSD systems have problems with routing (the OSPF /32 route to itself being
 blindly followed, lack of a default route making BSD believe it cannot
 multicast, etc)
 [/Stephane Bortzmeyer]
 
 [Paul Cammidge]
 interestingly, a few people complained about problems with the broadcom
 network cards, and the latest linux kernel includes a fix for this
 driver.  I don't know whether the fix relates to the same problem.
 
 paul
 [/Paul Cammidge]
 
 [Tesfaye Tariku]
 
 Sorry you are in the  XYZ comp.   (:-)
 I think you need to look at variables that have impact on packet forwarding.
 If the iptables or ipchains is not setup to allow the input/output
 to forward packets to the intended systems, no matter how you setup the
 ospf, you will be confined in the same box, assuming that you haven't setup
 your box world accessible, which of course, your system may not last long.
 If you are sure that the setup of ospf is correct but it's not doing as
 intended,
 look at other variables - iptables (or ipchains), PAM (if a pam-enabled zebra
 setup exists in your system), SSH, SSL.
 You need to look at these variables, which have significant impact on
 packet i/o. At least it has a tendency to create instability in the ospf
 system.
 I think the zebra/ospf on the beta phase showed great potential and I don't
 think I'm with you on that. You may need to look at your own ospf setup as
 well.
 Good luck
 TT
 [/Tesfaye Tariku]
 
 +++Here are some other posts that have appeared within the last couple of
 months. -ek
 
 [Jean-Francois Laforest]
 I've been running OSPF (with zebra) for 2 months now, and from what I
 noticed, there has been no problem whatsoever with MD5 authentication,
 but sometimes when a link dies, it takes a little while to see it back
 up. Other than that, it's rock solid. I have over 9 routers locally and
 we have over 20 routers on our VPN. I will ask around to see if others
 got problems, for me it runs fine on Linux and FreeBSD. Zebra also does
 work fine with cisco routers.
 
 [/Jean-Francois Laforest]
 
 [Paul Jakma]
 On Sun, 9 Feb 2003, Vladimir I. wrote:
 
  Hello All,
 
  It's been more than half a year since I was forced to move away
  from OSPF to RIPv2 due to bugs in Zebra's OSPF implementation.
  Has the situation improved? I understand that Zebra's official
  CVS sees very small change nowadays, however what about Paul
  Jakma's releases?
 
 Actually, a lot of those fixes are now in CVS. Plus others which were
 applied directly.
 
  My problem was that OSPF often didn't re-establish adjency after
  link failures (e.g., got stuck in various states before FULL). At
  least partly that was attributed to a bug in MD5 authentication,
  which AFAIK is resolved now.
 
 Should be, thanks to Greg Troxel.
 
 The other thing to try is (if using MD5):
 
 
 http://people.ie.alphyra.com/~paulj/zebra/2002/patches/zebra-ospfd-md5au
 th-seqnum.patch
 
 without it, if 2 routers were adjacent for x amount of time, then they
 will take x amount of time to reestablish adjacency should one ospfd
 be restarted.
 
  Anybody running Zebra's OSPF on a network with 5+ routers?
 
 Yes. http://people.ie.alphyra.com/~paulj/zebra/2002.
 
 There are a couple of Opaque LSA fixes in CVS too.
 
 regards,
 --
 Paul Jakma
 [/Paul Jakma]
 
 [Stephane Bortzmeyer]
 On Sunday 9 February 2003, at 17 h 41,
 Vladimir I. [EMAIL PROTECTED] wrote:
 
  My

[leaf-user] hardware requirements bering router 100 mbit+

2003-02-18 Thread Ronny Aasen
Hello

I have been using Bering for ADSL/wireless routing a long time, and
it's as stable as a rock.

But I am now going to set up a DMZ for services. This will be on a 100
Mbit switched network,

and it might become a 1000 Mbit switched network in a year or so.

What I am wondering is:


what kind of hardware will I need to saturate a 100 Mbit switched
network,

using Bering, 2 NICs and no VPN or masquerading? This is pure routing.

BTW: can Bering support the OSPF protocol?

mvh
Ronny Aasen


Re: [leaf-user] hardware requirements bering router 100 mbit+

2003-02-18 Thread Ronny Aasen
On Tue, 2003-02-18 at 15:07, Charles Steinkuehler wrote:
 Ronny Aasen wrote:
  what kind of hardware will i need to saturate a 100 mbit switched
  network.
  
  using bering, 2 nics and no vpn or masquerading this is pure routing.
 
 A decent pentium class system should be capable of saturating a couple 
 100 MBit links.  You will need to use server class PCI NIC's (like the 
   DEC based cards using the tulip driver, or the 3COM 3C905...I've heard 
 good things about the Intel based cards as well, but haven't tried them 
 personally).  You'll also want a good PCI chipset (hard to quantify 
 without getting into lots of low-level hardware details).
 
 As a general rule of thumb, processing a packet takes a fairly fixed 
 amount of CPU, so if your saturated 100 Mbits of traffic is lots of 
 small packets, you'll need more CPU than if the traffic is mainly large 
 packets for bulk transfers.
 
 I think anything over a P133/166 should work fine, and something like a 
 P-2 or P-3 system with a BX chipset (or better...anything with a 100 MHz 
 FSB) would give you quite a bit of headroom.

In other words, I can't buy such processors anymore...
I've been using VIA's C3 a lot lately, since it doesn't need a CPU cooler;
I guess I'll stick to that.

And I have quite a lot of 3c905s around.

Now I just need a fanless PSU.

Thanks for the quick replies :)

mvh
Ronny Aasen
Datapart AS






[leaf-user] pppoe server on leaf ?

2002-10-09 Thread Ronny Aasen


Has anyone ever set up a working PPPoE server on LEAF?

What distribution did you use?

Is there a pppoe.lrp package for a server installation?


mvh
Ronny Aasen






[leaf-user] bering and x509

2002-09-17 Thread Ronny Aasen


Hello

After spending yesterday messing with x509 certificates,
reading docs and howtos, I am at a dead end.

I have made self-signed certificates,
installed the CA and the host certificates on Bering and the VPN client,
and tweaked and tweaked ipsec.conf and the secrets file.

I wonder if anyone has a working example of ipsec.conf and
ipsec.secrets using x509 keys?

The log states "illegal certificate signature", but I have made the
certificates by following the LEAF Bering user guide. Any clues?

I use SafeNet SoftRemote, and it works perfectly using a shared secret.

mvh
Ronny Aasen
Datapart AS







[leaf-user] ipsec509 packages configuration

2002-08-30 Thread Ronny Aasen

Is there any particular reason why I don't find an ipsec entry under the
lrcfg package management when using ipsec509.lrp from this location?

http://leaf.sourceforge.net/devel/jnilo/bering/update/freeswan-1.98b/

I thought that ipsec509.lrp under Bering doesn't require ipsec.lrp?

mvh
Ronny Aasen
Datapart AS








Re: [leaf-user] ipsec509 packages configuration

2002-08-30 Thread Ronny Aasen

On Fri, 2002-08-30 at 14:40, Craig wrote:
 Hi Ronny,
 I think you have this backwards. From what I understand, you only need
 the IPSec.lrp and not the IPSec509.lrp unless you're planning to use
 SSH-Sentinel or the built-in Windows IPSec client, in which case you'll
 need the IPSec509.lrp to enable x.509 certificate support.  To do this,
 load both ipsec.lrp *AND* ipsec509.lrp and make sure ipsec509 is listed
 *AFTER* ipsec in the lrpkg.cfg file, for everything to work properly.
 Here's a link you might find handy, too.
 
 http://www.natecarlson.com/include/showpage.php?cat=linux&page=ipsec-x509

Did I forget to mention I am using Bering rc3, where ipsec509 is (supposed
to be) a standalone package..
Also note it's the 98b.



mvh
Ronny Aasen
Datapart AS






[leaf-user] squidguard on bering rc3

2002-08-14 Thread Ronny Aasen


Hello

I have a working transparent squid proxy server running on Bering rc3.

I was wondering if anyone has a working squidguard.lrp,
or instructions/links for how to make squidguard work in an lrp/Bering
environment.

mvh
Ronny Aasen








Re: [leaf-user] problem with _startklips on [non ethernet]connections [Partial SUCCESS]

2002-07-19 Thread Ronny Aasen

After testing I now have a successful VPN connection.

net as follows 
subnet 192.168.40.0/24
   |
   |
192.168.40.254
bering gw rc3 
ipsec 1.97
isdn dynamic ip
   |
   |
inet
   |
   |
194.248.214.187
bering rc3
ipsec 1.97
192.168.1.254
   |
   |
subnet 192.168.1.254/24


In order to run 'ipsec setup restart' successfully you need to alter the
following in /lib/ipsec/_startklips

from:
eval `ip addr show $phys |
        awk '$1 == "inet" && $3 == "brd" {
                print "addr=" $2
                other = $4
                if ($3 == "brd")
                        print "type=broadcast"
                else if ($3 == "peer")
                        print "type=pointopoint"
                else if (NF == 5) {
                        print "type="
                        other = "" }
                else
                        print "type=unknown"
                print "otheraddr=" other
#               print "mask=" $NF
                gsub(/\//, " ", $0)
        }'`


to:
eval `ip addr show $phys |
        awk '$1 == "inet" {
                print "addr=" $2
                other = $4
                if ($3 == "brd")
                        print "type=broadcast"
                else if ($3 == "peer")
                        print "type=peer"
                else if (NF == 5) {
                        print "type="
                        other = "" }
                else
                        print "type=unknown"
                print "otheraddr=" other
#               print "mask=" $NF
                gsub(/\//, " ", $0)
        }'`



left is the rw
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file

# basic configuration
config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces=%defaultroute
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        # Use auto= parameters in conn descriptions to control startup actions.
        plutoload=%search
        plutostart=%search
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes

# defaults for subsequent connection descriptions
conn %default
        # How persistent to be in (re)keying negotiations (0 means very).
        keyingtries=0
        authby=secret

# sample VPN connection
conn lefttoright
        # Left security gateway, subnet behind it, next hop unknown.
        left=%defaultroute
        leftsubnet=192.168.40.0/24
        # Right security gateway, subnet behind it, next hop toward left.
        right=194.248.214.187
        rightsubnet=192.168.1.0/24
        rightnexthop=194.248.214.1
        auto=route



My only problem now is that left doesn't find the correct secret.
auth.log says:

#1: Can't authenticate: no preshared key found for `130.67.213.232' and 
`194.248.214.187'.  Attribute OAKLEY_AUTHENTICATION_METHOD

my ipsec.secrets:
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication.  See ipsec_pluto(8) manpage, and HTML documentation.

%any 194.248.214.187 : PSK 12345678




If I add a line saying
[current dynamic ip] 194.248.214.187 : PSK 12345678

it works as expected.

I have tried replacing %any in ipsec.secrets with 0.0.0.0 and %defaultroute, with no
luck.

I have tried replacing left=%defaultroute in ipsec.conf with left=%any, but then ipsec
is unable to orient the connection and gives the "no ipsecN found" error.

I am going to try out ipsec 1.98 now.


mvh
Ronny Aasen







[leaf-user] problem with _startklips on [non ethernet] connections

2002-07-18 Thread Ronny Aasen

Hi again

I have set up a new bering box using ISDN for external and a 3com NIC for
internal.

On this box I get the same error as on an ADSL box:

**console output while trying to restart ipsec** 
isdnvpn: -root- 
# ipsec setup restart 
ipsec_setup: Stopping FreeS/WAN IPsec... 
ipsec_setup: stop ordered, but IPsec does not appear to be running! 
ipsec_setup: doing cleanup anyway... 
ipsec_setup: Starting FreeS/WAN IPsec 1.98b... 
ipsec_setup: Using /lib/modules/ipsec.o 
ipsec_setup: unable to determine address of `ippp0' 




IANAC, but I think some of the problem is in this passage in
/lib/ipsec/_startklips.

eval `ip addr show $phys |
        awk '$1 == "inet" && $3 == "brd" {
                print "addr=" $2
                other = $4
                if ($3 == "brd")
                        print "type=broadcast"
                else if ($3 == "peer")
                        print "type=pointopoint"
                else if (NF == 5) {
                        print "type="
                        other = "" }
                else
                        print "type=unknown"
                print "otheraddr=" other
#               print "mask=" $NF
                gsub(/\//, " ", $0)
        }'`

if test " $addr" = " "
then
        echo "unable to determine address of \`$phys'"
        exit 1
fi




'ip addr show ippp0' on my system shows 

# ip addr show ippp0
8: ippp0: <POINTOPOINT,NOARP,DYNAMIC,UP> mtu 1500 qdisc pfifo_fast qlen 30
    link/ppp
    inet 130.67.214.178 peer 130.67.213.128/16 scope global ippp0




I have messed up my ipsec.lrp so often now that I almost bought a ZyWALL;
luckily I got hold of myself.



mvh
Ronny Aasen

**the barf** 

isdnvpn
Thu Jul 18 13:18:07 UTC 2002
+ _ version
+
+ ipsec --version
Linux FreeS/WAN 1.98b
See `ipsec --copyright' for copyright information.
+ _ proc/version
+
+ cat /proc/version
Linux version 2.4.18 (root@debian) (gcc version 2.95.2 2220 (Debian GNU/Linux)) #4 
Sun Jun 9 09:46:15 CEST 2002
+ _ proc/net/ipsec_eroute
+
+ sort +3 /proc/net/ipsec_eroute
sort: +3: No such file or directory
+ cat /proc/net/ipsec_eroute
+ _ ip/route
+
+ ip route
192.168.40.0/24 dev eth0  proto kernel  scope link  src 192.168.40.254 
130.67.0.0/16 dev ippp0  proto kernel  scope link  src 130.67.214.178 
default via 130.67.213.128 dev ippp0 
+ _ proc/net/ipsec_spi
+
+ cat /proc/net/ipsec_spi
+ _ proc/net/ipsec_spigrp
+
+ cat /proc/net/ipsec_spigrp
+ _ proc/net/ipsec_tncfg
+
+ cat /proc/net/ipsec_tncfg
ipsec0 - NULL mtu=0(0) - 0
ipsec1 - NULL mtu=0(0) - 0
ipsec2 - NULL mtu=0(0) - 0
ipsec3 - NULL mtu=0(0) - 0
+ _ proc/net/pf_key
+
+ cat /proc/net/pf_key
sock   pid   socket next prev e n p sndbfFlags Type St
c31e80a0 11591 c31751e000 0 0 2 65535 3  1
+ _ proc/net/pf_key-star
+
+ cd /proc/net
+ egrep "^" pf_key_registered pf_key_supported
pf_key_registered:satype   socket   pid   sk
pf_key_registered: 2 c31751e0 11591 c31e80a0
pf_key_registered: 3 c31751e0 11591 c31e80a0
pf_key_registered: 9 c31751e0 11591 c31e80a0
pf_key_registered:10 c31751e0 11591 c31e80a0
pf_key_supported:satype exttype alg_id ivlen minbits maxbits
pf_key_supported: 2  14  3 0 160 160
pf_key_supported: 2  14  2 0 128 128
pf_key_supported: 3  15  3   128 168 168
pf_key_supported: 3  14  3 0 160 160
pf_key_supported: 3  14  2 0 128 128
pf_key_supported: 9  15  4 0 128 128
pf_key_supported: 9  15  3 0  32 128
pf_key_supported: 9  15  2 0 128  32
pf_key_supported: 9  15  1 0  32  32
pf_key_supported:10  15  2 0   1   1
+ _ proc/sys/net/ipsec-star
+
+ cd /proc/sys/net/ipsec
+ egrep ^ icmp inbound_policy_check tos
icmp:1
inbound_policy_check:1
tos:1
+ _ ipsec/status
+
+ ipsec auto --status
000  
000 rw-to-li1: 192.168.1.0/24===194.248.214.187---194.248.214.1...%any
000 rw-to-li1:   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; 
rekey_fuzz: 100%; keyingtries: 0
000 rw-to-li1:   policy: PSK+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK; interface: ; 
unrouted
000 rw-to-li1:   newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000  
000  
+ _ ip/address
+
+ ip addr
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
3
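
The "unable to determine address of `ippp0'" failure in this post and the
_startklips change posted on 2002-07-19 both come down to the same thing:
the awk filter only accepts "inet ... brd ..." lines, so the
"inet ADDR peer PEER/MASK ..." line that ip(8) prints for a ppp0/ippp0
interface is skipped and $addr stays empty. Below is an added example,
not code from the page or from FreeS/WAN, that does the same extraction in
plain POSIX sh over the output of 'ip addr show <iface>' and accepts both
the broadcast and the point-to-point form. The function name
iface_addr_info and the sample outputs (constructed to match the ppp0,
eth1 and eth0 lines quoted in this thread, not captured from a live box)
are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the page or FreeS/WAN): extract the first IPv4
# address of one interface from `ip addr show <iface>` output read on
# stdin, the way _startklips does, but accepting point-to-point ("peer")
# lines as well as broadcast ("brd") lines.  Prints shell assignments
# addr=, type=, otheraddr= so the caller can eval them.
iface_addr_info() {
    addr='' type='' otheraddr=''
    # ip(8) prints "inet ADDR/MASK brd BCAST scope ..." for Ethernet and
    # "inet ADDR peer PEER/MASK scope ..." for ppp/ippp interfaces.
    while read -r f1 f2 f3 f4 _rest; do
        [ "$f1" = "inet" ] || continue
        addr=$f2
        case $f3 in
            brd)   type=broadcast;   otheraddr=$f4 ;;
            peer)  type=pointopoint; otheraddr=$f4 ;;
            scope) type='';          otheraddr='' ;;  # bare "inet A/M scope ..." line
            *)     type=unknown;     otheraddr=$f4 ;;
        esac
        break
    done
    if [ -z "$addr" ]; then
        echo "unable to determine address" >&2
        return 1
    fi
    printf 'addr=%s\ntype=%s\notheraddr=%s\n' "$addr" "$type" "$otheraddr"
}

# Constructed sample outputs, modelled on the lines quoted in the thread.
SAMPLE_PPP0='9: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 3
    link/ppp
    inet 80.212.112.139 peer 80.212.112.0/32 scope global ppp0'
SAMPLE_ETH1='4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:04:75:7c:02:0a brd ff:ff:ff:ff:ff:ff
    inet 192.168.20.254/24 brd 192.168.20.255 scope global eth1'
SAMPLE_NOADDR='3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:04:75:7c:0a:1c brd ff:ff:ff:ff:ff:ff'

# Stand-alone demo: the ppp0 case that the stock awk filter rejects,
# and the eth1 case that it already handled.
printf '%s\n' "$SAMPLE_PPP0" | iface_addr_info
printf '%s\n' "$SAMPLE_ETH1" | iface_addr_info
```

Used the way _startklips uses its awk block, the caller does
eval "$(ip addr show ppp0 | iface_addr_info)" and then tests "$addr";
an interface with no inet line (eth0 above, or a ppp link that is not up
yet) makes the function return 1 with the same "unable to determine
address" message, so the eval is skipped rather than silently setting
nothing. Whether the rest of the script then wants type=pointopoint or,
as in the 2002-07-19 post, type=peer for the tunnel device is something
to confirm against that script; this thread does not settle it.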

Re: [leaf-user] problem with _startklips on bering rc3

2002-07-15 Thread Ronny Aasen

On Fri, 2002-07-12 at 16:43, Chad Carr wrote:
 On 12 Jul 2002 12:48:01 +0200
 Ronny Aasen [EMAIL PROTECTED] wrote:
 
  Hello
  
  I have a testing setup with ipsec between 3 linux bering firewalls and
  a zywall 10 router, all on static ip addresses. I also have roadwarrior
  support from dhcp clients on isdn/modem line using windows 98/ssh
  sentinel and windows 2000/xp (with the aid of vpn.ebootis.de)
  
  My problem arises when I try to set up a lan-lan tunnel between my master
  vpn bering firewall and an adsl gateway 
  
  {worklan}[Bering1 static 194.248.214.187]{NET}[Bering2 adsl
  dynamic 880.212.112.*]{homelan}
   
  I realise i can't get ipsec on startup since the adsl ppp0 isn't up yet.
  
  but running ipsec setup i expected the tunnel to come up
  
  ipsec_setup: Stopping FreeS/WAN IPsec...
  ipsec_setup: stop ordered, but IPsec does not appear to be running!
  ipsec_setup: doing cleanup anyway...
  ipsec_setup: Starting FreeS/WAN IPsec 1.97...
  ipsec_setup: Using /lib/modules/ipsec.o
  ipsec_setup: unable to determine address of `ppp0'
 
 Is the above output the result of /etc/init.d/ipsec restart?
 
 Can you post the output of ipsec barf?


Mon Jul 15 10:17:34 UTC 2002
+ _ version
+
+ ipsec --version
Linux FreeS/WAN 1.97
See `ipsec --copyright' for copyright information.
+ _ proc/version
+
+ cat /proc/version
Linux version 2.4.18 (root@debian) (gcc version 2.95.2 2220 (Debian GNU/Linux)) #4 
Sun Jun 9 09:46:15 CEST 2002
+ _ proc/net/ipsec_eroute
+
+ sort +3 /proc/net/ipsec_eroute
sort: +3: No such file or directory
+ cat /proc/net/ipsec_eroute
+ _ proc/net/ipsec_spi
+
+ cat /proc/net/ipsec_spi
+ _ proc/net/ipsec_spigrp
+
+ cat /proc/net/ipsec_spigrp
+ _ ip/route
+
+ ip route
80.212.112.0 dev ppp0  proto kernel  scope link  src 80.212.112.52 
192.168.20.0/24 dev eth1  proto kernel  scope link  src 192.168.20.254 
default via 80.212.112.0 dev ppp0 
+ _ proc/net/ipsec_tncfg
+
+ cat /proc/net/ipsec_tncfg
ipsec0 - NULL mtu=0(0) - 0
ipsec1 - NULL mtu=0(0) - 0
ipsec2 - NULL mtu=0(0) - 0
ipsec3 - NULL mtu=0(0) - 0
+ _ proc/net/pf_key
+
+ cat /proc/net/pf_key
sock   pid   socket next prev e n p sndbfFlags Type St
c1820b40 32315 c1152d5000 0 0 2 65535 3  1
+ _ proc/net/pf_key-star
+
+ cd /proc/net
+ egrep "^" pf_key_registered pf_key_supported
pf_key_registered:satype   socket   pid   sk
pf_key_registered: 2 c1152d50 32315 c1820b40
pf_key_registered: 3 c1152d50 32315 c1820b40
pf_key_registered: 9 c1152d50 32315 c1820b40
pf_key_registered:10 c1152d50 32315 c1820b40
pf_key_supported:satype exttype alg_id ivlen minbits maxbits
pf_key_supported: 2  14  3 0 160 160
pf_key_supported: 2  14  2 0 128 128
pf_key_supported: 3  15  3   128 168 168
pf_key_supported: 3  14  3 0 160 160
pf_key_supported: 3  14  2 0 128 128
pf_key_supported: 9  15  4 0 128 128
pf_key_supported: 9  15  3 0  32 128
pf_key_supported: 9  15  2 0 128  32
pf_key_supported: 9  15  1 0  32  32
pf_key_supported:10  15  2 0   1   1
+ _ proc/sys/net/ipsec-star
+
+ cd /proc/sys/net/ipsec
+ egrep ^ icmp inbound_policy_check tos
icmp:1
inbound_policy_check:1
tos:1
+ _ ipsec/status
+
+ ipsec auto --status
000  
000 rw-to-li1: 192.168.1.0/24===194.248.214.187---194.248.214.1...%any
000 rw-to-li1:   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; 
rekey_fuzz: 100%; keyingtries: 0
000 rw-to-li1:   policy: PSK+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK; interface: ; 
unrouted
000 rw-to-li1:   newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000  
+ _ ip/address
+
+ ip addr
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:04:75:7c:0a:1c brd ff:ff:ff:ff:ff:ff
4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:04:75:7c:02:0a brd ff:ff:ff:ff:ff:ff
    inet 192.168.20.254/24 brd 192.168.20.255 scope global eth1
5: ipsec0: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
6: ipsec1: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
7: ipsec2: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
8: ipsec3: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
9: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 3

[leaf-user] problem with _startklips on bering rc3

2002-07-12 Thread Ronny Aasen

Hello

I have a testing setup with ipsec between 3 linux bering firewalls and
a zywall 10 router, all on static ip addresses. I also have roadwarrior
support from dhcp clients on isdn/modem line using windows 98/ssh
sentinel and windows 2000/xp (with the aid of vpn.ebootis.de)

My problem arises when I try to set up a lan-lan tunnel between my master
vpn bering firewall and an adsl gateway 

{worklan}[Bering1 static 194.248.214.187]{NET}[Bering2 adsl
dynamic 880.212.112.*]{homelan}
 
I realise I can't get ipsec on startup since the adsl ppp0 isn't up yet,

but running ipsec setup I expected the tunnel to come up:

ipsec_setup: Stopping FreeS/WAN IPsec...
ipsec_setup: stop ordered, but IPsec does not appear to be running!
ipsec_setup: doing cleanup anyway...
ipsec_setup: Starting FreeS/WAN IPsec 1.97...
ipsec_setup: Using /lib/modules/ipsec.o
ipsec_setup: unable to determine address of `ppp0'

I have tried with interface=%defaultroute
and interface=ipsec0=ppp0

i use the latest bering rc3

# uname -a
Linux frodeadsl 2.4.18 #4 Sun Jun 9 09:46:15 CEST 2002 i586 unknown

# lrpkg -l
Name      Version      Description
========  ===========  ==========================================
initrd    V1.0-rc3
root      V1.0-rc3
etc       V1.0-rc3
local     V1.0-rc3     Local package. This package does not contain a
modules   V1.0-rc3     Modules package. Contains kernel modules and u
keyboard  0.3          Use this package to adjust the keyboard settin
dhcpd     2.0pl5       dhcpd - Autoconfigure client machines
shorwall  1.3.1        Shoreline Firewall (Shorewall)
ppp       2.4.1-pppoe  PPPd Deamon
pppoe     3.3-1        pppoe add-on for pppd
dnscache  1.05a        dnscache from djbdns (V1.05a) package creates
mawk      1.3.3
ipsec     1.97         Freeswan IPSEC
libz      1.1.4        zlib compression library. Needed for openssh
ssh       3.2.3p1      OpenSSH ssh & scp programs.
sshd      3.2.3p1      OpenSSH sshd daemon.


# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:04:75:7c:0a:1c brd ff:ff:ff:ff:ff:ff
4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:04:75:7c:02:0a brd ff:ff:ff:ff:ff:ff
    inet 192.168.20.254/24 brd 192.168.20.255 scope global eth1
9: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 3
    link/ppp
    inet 80.212.112.139 peer 80.212.112.0/32 scope global ppp0
126: ipsec0: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
127: ipsec1: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
128: ipsec2: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
129: ipsec3: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip






