Re: [leaf-user] 54g Wireless

2004-04-02 Thread Steve Fink
Huy Bui,

There are only a few 54g cards supported in Linux.  There are lots of
inexpensive 54g cards that are supported by NDISWrapper and their Winblowz
drivers though.  Check out http://ndiswrapper.sourceforge.net for more info.

Good Luck,

Steve



-Original Message-
From: Mike Noyes [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Date: Fri, 02 Apr 2004 08:08:02 -0800
Subject: Re: [leaf-user] 54g Wireless

 On Fri, 2004-04-02 at 02:43, Huy Bui wrote:
  I am looking for a couple of PCI wireless cards that support 54g to
  use with leaf. Are any of you using one, or can you recommend one?
  Especially one that I can get here in the UK.
 
 Huy,
 This list may provide you with the information you want.
 
 WLAN Adapter Chipset Directory
 http://www.linux-wlan.org/docs/wlan_adapters.html.gz
 
 -- 
 Mike Noyes mhnoyes at users.sourceforge.net
 http://sourceforge.net/users/mhnoyes/
 SF.net Projects: ffl, leaf, phpwebsite, phpwebsite-comm, sitedocs
 
 
 
 ---
 This SF.Net email is sponsored by: IBM Linux Tutorials
 Free Linux tutorial presented by Daniel Robbins, President and CEO of
 GenToo technologies. Learn everything from fundamentals to system
 administration.http://ads.osdn.com/?ad_id=1470alloc_id=3638op=click
 ---
 -
 leaf-user mailing list: [EMAIL PROTECTED]
 https://lists.sourceforge.net/lists/listinfo/leaf-user
 SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html





Re: [leaf-user] Bearing 1.1 winimage problems UPDATE

2003-02-17 Thread Steve Fink
Adrian,

As Jacques already mentioned, check your space.

I was able to recreate your issue based on not having enough space on
the diskette to fit the ide-* modules.

After removing ppp.lrp, pppoe.lrp and pump.lrp (I have static IP
addresses; don't remove them if you need DHCP client support), I had plenty
of room for the IDE modules and no more supposed bad sectors.

Best,

Steve


On Mon, 2003-02-17 at 12:12, Adrian Wooster wrote:
 
 First of all - I want to support all the other comments on 1.1 release. I'm
 a huge fan and have a growing base of customers who love it.
 
 So on that basis I'm hopeful this is not a trivial finger issue on my
 part. My head is getting scrambled at this point, but I can't see that I'm
 doing anything wrong.
 
 Excited that 1.1 became available the same day that I needed to build a new
 Bering system from scratch, I quickly downloaded the winimage and started to
 successfully create disks.
 
 All went well until I tried to back-up the packages I'd altered. On every
 occasion it claimed the disks had got sector problems on just about every
 sector.
 
 Just to check, I've retried this operation several times with no problems
 with 1.0 on the same machine using the same batch of blank disks, but can
 replicate the problem every time with the 1.1 image. I've even redownloaded
 the image from multiple mirrors.
 
 I'm trying to load CD ROM support to load additional lrps from bigger
 medium.
 
 At this stage, all I'm doing is:
   $ mount -t msdos /dev/fd0 /mnt
   $ cp /mnt/*.o /boot/lib/modules/.
   $ umount /mnt
   $ lrcfg
   Option 3.2 to edit initrd modules file
 
 Nothing new is run at this stage, just simple, everyday commands.
 Returning to the backup package screen and attempting to back up anything
 screws the floppy with sector errors everywhere.
 
 Help please.
  Adrian
 
 
 
 






Re: [leaf-user] My Dachstein not quite up and running

2003-02-03 Thread Steve Fink
Chris,

Ray covered everything but Weblet.

For Weblet you seem to have everything except the /etc/hosts.allow file
changed.  Check and make sure that it has 10.10.10. in there too.

Best,

Steve



On Mon, 2003-02-03 at 16:17, Chris Low wrote:
 Okay, my dhcpd file now reads as follows:
 
 subnet 10.10.10.0 netmask 255.255.255.0 {
     option routers 10.10.10.254;
     option domain-name "esimail.org";
     option domain-name-servers 127.0.0.1;
     range 10.10.10.1 10.10.10.199;
 }
 
 I made the newbie mistake of thinking option meant optional so I hadn't 
 changed them previously. (per Charles)
 
 
 Switched eth1_IPADDR=10.10.10.1 to eth1_IPADDR=10.10.10.254 (per Lynn)
 
 
 and checked the things Ray asked about:
 the masq rule reads:
 
 0  0  MASQ  all -- 0xFF 0x00  eth0  10.10.10.0/24  0.0.0.0/0  n/a
 
 and cat /proc/sys/net/ipv4/ip_forward does return a 1
 
 Now everything seems to work correctly! (Ping, web access, and SSH at 
 least--I haven't put our Exchange server behind the firewall yet since 
 there are other users in the office.) I am so thankful for your help 
 through this.
 
 Three more questions before I go though:
 
 1) Since the ISP's router is set to route incoming mail to our exchange 
 server at its current address (192.168.1.2) all I should have to do is 
 assign that server a new static IP (something along the lines of 
 10.10.10.200) and let the ISP know about this change, right?
 
 2) It looks like our ISP's router is set to renew nonstatic ip addresses 
 every 27000 seconds (7.5 hours). I know this affects the ip address for 
 eth0, will that affect anything else behind the firewall? Basically I'm 
 wondering if this is okay to leave as-is or should I try to assign eth0 a 
 static ip.
 
 3) How do I enable the weblet application? I changed the settings in the 
 weblet package: SERVER_NAME and SERVER_ADDR to both be 10.10.10.254 to 
 match the eth1 address. I also changed the CLIENT_ADDR to 10.10.10. but so 
 far I've been unable to access it from the internal NT box.
 
 Thanks again,
 
 Chris
 
 
 
 






[leaf-user] Bering Multiple Internal Networks

2003-01-24 Thread Steve Fink
Everyone,

I'm trying to create a configuration where I have multiple internal
networks on eth1.

My Bering interfaces are assigned and there but when I use any other
network other than the first network, traffic cannot be handled.

Bering interfaces

(Excerpt -- complete interfaces file at
http://leaf.netvantix.com/012303/beringinterf.txt )

# Option 1.2: eth0 / Fixed IP (assumed to be 1.2.3.4). 
#   (broadcast/gateway optional)
auto eth0
iface eth0 inet static  
address 65.114.249.131
masklen 24
broadcast 65.114.249.255
gateway 65.114.249.1

snip
# Step 2: configure  internal interface
# Default: eth1 / fixed IP = 192.168.1.254
auto eth1
iface eth1 inet static
address 10.20.30.254
masklen 24
broadcast 10.20.30.255
up ip add add 10.20.30.1/24 broadcast 10.20.30.255 dev eth1
up ip add add 10.1.1.1/24 broadcast 10.1.1.255 dev eth1
up ip add add 10.1.2.1/24 broadcast 10.1.2.255 dev eth1
up ip add add 10.1.3.1/24 broadcast 10.1.3.255 dev eth1
up ip add add 10.1.4.1/24 broadcast 10.1.4.255 dev eth1
up ip add add 10.1.5.1/24 broadcast 10.1.5.255 dev eth1
up ip add add 10.1.6.1/24 broadcast 10.1.6.255 dev eth1
up ip add add 10.1.7.1/24 broadcast 10.1.7.255 dev eth1
up ip add add 10.1.8.1/24 broadcast 10.1.8.255 dev eth1
up ip add add 10.4.8.1/24 broadcast 10.4.8.255 dev eth1
up ip add add 10.4.8.254/24 broadcast 10.4.8.255 dev eth1
down ip add del 10.20.30.1/24 dev eth1
down ip add del 10.1.1.1/24 dev eth1
down ip add del 10.1.2.1/24 dev eth1
down ip add del 10.1.3.1/24 dev eth1
down ip add del 10.1.4.1/24 dev eth1
down ip add del 10.1.5.1/24 dev eth1
down ip add del 10.1.6.1/24 dev eth1
down ip add del 10.1.7.1/24 dev eth1
down ip add del 10.1.8.1/24 dev eth1
down ip add del 10.4.8.1/24 dev eth1
down ip add del 10.4.8.254/24 dev eth1


I don't want the traffic to be able to bridge from any of the networks
to each other, only out through the fw to the net and back.  So I have
not installed bridge.lrp.  Is bridge.lrp still required?

When I do a shorewall status I see [UNREPLIED] on any traffic from
these other networks. See http://leaf.netvantix.com/012303/swstatus.txt
for details.

All other configuration and output files can be seen at
http://leaf.netvantix.com/012303/


Any comments or suggestions would be greatly appreciated.

TIA,

Steve






[leaf-user] -=Off-Topic=- Bill Gates quote

2003-01-24 Thread Steve Fink
Everyone,

I snipped this from a rather lengthy e-mail I received, supposedly from
Bill Gates himself, on the M$ TechNet channel.

snip

A year ago, I challenged Microsoft's 50,000 employees to build a
Trustworthy Computing environment for customers so that computing is as
reliable as the electricity that powers our homes and businesses today.
To meet Microsoft's goal of creating products that combine the best of
innovation and predictability, we are focusing on four specific areas:
security, privacy, reliability and business integrity. Over the past
year, we have made significant progress on all these fronts. In
particular, I'd like to report on the advances we've made and the
challenges we still face in the security area. As a subscriber to
Executive Emails from Microsoft, I hope you will find this information
helpful.

/endsnip

So in reading between the lines here, is Bill actually admitting that
M$ has not ever created a stable Trustworthy Computing environment?

I think so... :)


Steve






[leaf-user] Load Balancing/Sharing two broadband connections

2003-01-22 Thread Steve Fink
Charles,

I went back through my archives and couldn't find the outcome of your
search for the holy grail of Load Balancing/Sharing two broadband
connections for outside connectivity.

What was the outcome of your quest?  Is it possible? What is required
to accomplish this monumental task?

TIA,

Steve






Re: [leaf-user] Anyone willing to share a Bering image with idesupport ?

2003-01-16 Thread Steve Fink
David,

I made a stock Bering image for you including ide support, I had to
remove the ppp.lrp package to get enough room.  You can download it at
http://www.netvantix.com/leaf/images/bering_1_0_stable_ide.imz 

Since you primarily use windoze I created the image with WinImage for
your convenience.

I did not modify the syslinux.cfg to boot from /dev/hda1 just in case
you want to boot from the Bering disk the first time.

Best,

Steve


On Thu, 2003-01-16 at 10:12, David Ondzes wrote:
 Does anyone have a Bering image with ide support
 included in it ? My target hardware doesn't have a
 floppy drive or cdrom and I do not have any real linux
 machines. I use VMWare to do any linux related work
 and unfortunately VMWare doesn't support 1.68 size
 floppies. If I could get a Bering image with ide then
 I would just dd it to my CF card and I would be good
 to go.
 
 
 






Re: [leaf-user] Netmeeting and IP Telephony behind Dachstein

2003-01-16 Thread Steve Fink
Roger,

Here is a quote from one of Charles's earlier posts on the subject

I don't work a lot with h323, but I think you need the following:

1) Make sure you're loading the ip_masq_h323.o module in /etc/modules

2) To be able to receive calls, you need to port-forward some ports from
the firewall to the internal system you want to be able to receive
calls.  With Dachstein, you'll want something like:

INTERN_SERVERS="tcp_${EXTERN_IP}_1720_10.31.32.67_1720
tcp_${EXTERN_IP}_1503_10.31.32.67_1503"

More information can be found on various linux masquerading pages, and
the home-page of the h323 masquerading patch:
http://www.coritel.it/projects/nat/index.html

You might also want to check into running a proxy...either a socks proxy
(if supported by your h323 client), or a h323 proxy, like openh323proxy:
http://openh323proxy.sourceforge.net/

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)


Best,

Steve


On Wed, 2003-01-15 at 10:12, Roger E McClurg wrote:
 I got Netmeeting working fine using the ip_masq_h323 module and the proper 
 firewall and port forwarding rules. H.323 telephony still is 
 unidirectional (outbound only).  A document from Micro$oft says that 
 inbound telephony requires the dynamic forwarding of random UDP ports 
 between 1024 and 65535. Not something we can easily do with Dachstein.
 
 Has anyone gotten H.323 IP telephony working through Dachstein (or any of 
 the mountains)? If so, how did you do it?
  
 
 
 






RE: [leaf-user] Drivers for 3C509B

2003-01-10 Thread Steve Fink
With the older ISA cards there was generally a dos based utility to set
the IRQ and Resource address.

You will need to set both the IRQ and resource address for both cards
manually via this utility, but make sure that they are different.

Then set the module to use the same IRQ and resources.

Best,

Steve



On Fri, 2003-01-10 at 12:58, Henning, Brian wrote:
 could it be that your BIOS is set to PNP... make sure that is turned off...
 
 -Original Message-
 From: M Lu [mailto:[EMAIL PROTECTED]]
 Sent: Friday, January 10, 2003 1:54 PM
 To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
 Subject: Re: [leaf-user] Drivers for 3C509B
 
 
 Maybe you need to tell it the IRQ explicitly. Also make sure there is no
 conflict using the diagnostics DOS 3COM prog. On my Bering systems (2.4.20
 kernel), here is what I have:
 
 # ISA ethernet cards
 #3c509 - eth0
 3c509 irq=5
 
 And that was also the same when the system was on Dachstein.
 
 
 
 - Original Message -
 From: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Friday, January 10, 2003 11:37 AM
 Subject: [leaf-user] Drivers for 3C509B
 
 
  I posted a few weeks ago about a problem I was having getting Bering to
  recognize my NICs.  I was using the wrong module! (stupid me.. )  Anyway, I
  loaded the 3c509.o module from Jacques' site using the 2.4.20 version and am
  still having trouble.  Are there any other needed modules?  Both NICs are ISA
  and I've configured them using the DOS config program from 3Com.  Is there
  anything I'm missing?  When I try to insmod I am getting an error message.
  If I input ip addr show I only get back feedback for my loopback and dummy
  device.  Your input is appreciated.
 
 
 
 
 
 
 
 
 
 
 






Re: [leaf-user] Some time off

2003-01-06 Thread Steve Fink
Thanks a million! 

On Mon, 2003-01-06 at 17:21, Tom Eastep wrote:
 Until further notice, I will not be involved in Shorewall development or 
 support.
 
 I'm simply burned out and have no more to give...
 
 -Tom
 --
 Tom Eastep   \ Shorewall - iptables made easy
 Shoreline,\ http://shorewall.sf.net
 Washington USA \ [EMAIL PROTECTED]
 
 
 
 






Re: [leaf-user] Some time off

2003-01-06 Thread Steve Fink
Tom,

I'll bang my head on it for a while, twitch my mustache a few million
times and drink a lot of Dr. Pepper.  Mohan has offered his assistance
also.  I've been where you are and am slowly coming back.  Enjoy yourself
and let us know if there is anything we can do for you!

Take care and thanks again!

Best,

Steve


On Mon, 2003-01-06 at 19:32, Tom Eastep wrote:
 If you don't get your problem solved, let me know -- I don't want to leave 
 you hanging...
 
 -Tom
 
 --On Monday, January 06, 2003 7:02 PM -0700 Steve Fink 
 [EMAIL PROTECTED] wrote:
 
  Thanks a million!
 
  On Mon, 2003-01-06 at 17:21, Tom Eastep wrote:
  Until further notice, I will not be involved in Shorewall development or
  support.
 
  I'm simply burned out and have no more to give...
 
  -Tom
  --
  Tom Eastep   \ Shorewall - iptables made easy
  Shoreline,\ http://shorewall.sf.net
  Washington USA \ [EMAIL PROTECTED]
 
 
 
 
 
 
 
 --
 Tom Eastep\ Shorewall - iptables made easy
 Shoreline, \ http://shorewall.sf.net
 Washington USA  \ [EMAIL PROTECTED]
 
 
 
 






Re: [leaf-user] Bering IPSEC Configuration

2003-01-02 Thread Steve Fink
  --  *  *   0.0.0.0/0   
0.0.0.0/0  tcp dpt:22 TOS set 0x10 
0 0 TOStcp  --  *  *   0.0.0.0/0   
0.0.0.0/0  tcp spt:22 TOS set 0x10 
3   120 TOStcp  --  *  *   0.0.0.0/0   
0.0.0.0/0  tcp dpt:21 TOS set 0x10 
3   134 TOStcp  --  *  *   0.0.0.0/0   
0.0.0.0/0  tcp spt:21 TOS set 0x10 
0 0 TOStcp  --  *  *   0.0.0.0/0   
0.0.0.0/0  tcp spt:20 TOS set 0x08 
0 0 TOStcp  --  *  *   0.0.0.0/0   
0.0.0.0/0  tcp dpt:20 TOS set 0x08 

tcp  6 94 TIME_WAIT src=10.4.8.143 dst=209.197.104.111 sport=2907 dport=80 src=209.197.104.111 dst=65.114.249.131 sport=80 dport=2907 [ASSURED] use=1
tcp  6 94 TIME_WAIT src=10.4.8.143 dst=216.208.64.13 sport=2901 dport=80 src=216.208.64.13 dst=65.114.249.131 sport=80 dport=2901 [ASSURED] use=1
tcp  6 94 TIME_WAIT src=10.4.8.143 dst=64.12.152.18 sport=2897 dport=80 src=64.12.152.18 dst=65.114.249.131 sport=80 dport=2897 [ASSURED] use=1
tcp  6 79 TIME_WAIT src=10.4.8.143 dst=66.39.116.193 sport=2903 dport=80 src=66.39.116.193 dst=65.114.249.131 sport=80 dport=2903 [ASSURED] use=1
tcp  6 79 TIME_WAIT src=10.4.8.143 dst=209.197.104.111 sport=2906 dport=80 src=209.197.104.111 dst=65.114.249.131 sport=80 dport=2906 [ASSURED] use=1
tcp  6 117 TIME_WAIT src=10.4.8.143 dst=66.39.116.193 sport=2905 dport=80 src=66.39.116.193 dst=65.114.249.131 sport=80 dport=2905 [ASSURED] use=1
tcp  6 79 TIME_WAIT src=10.4.8.143 dst=209.68.36.74 sport=2904 dport=80 src=209.68.36.74 dst=65.114.249.131 sport=80 dport=2904 [ASSURED] use=1
tcp  6 64 TIME_WAIT src=10.4.8.143 dst=207.200.91.216 sport=2898 dport=80 src=207.200.91.216 dst=65.114.249.131 sport=80 dport=2898 [ASSURED] use=1
tcp  6 4 TIME_WAIT src=10.4.8.143 dst=209.197.104.111 sport=2896 dport=80 src=209.197.104.111 dst=65.114.249.131 sport=80 dport=2896 [ASSURED] use=1
udp  17 27 src=10.4.8.143 dst=65.114.248.4 sport=2908 dport=53 [UNREPLIED] src=65.114.248.4 dst=65.114.249.131 sport=53 dport=2908 use=1
udp  17 28 src=10.4.8.143 dst=65.114.248.5 sport=2908 dport=53 [UNREPLIED] src=65.114.248.5 dst=65.114.249.131 sport=53 dport=2908 use=1
tcp  6 109 TIME_WAIT src=10.4.8.143 dst=216.208.64.13 sport=2902 dport=80 src=216.208.64.13 dst=65.114.249.131 sport=80 dport=2902 [ASSURED] use=1
tcp  6 9 TIME_WAIT src=10.4.8.143 dst=129.128.5.191 sport=2862 dport=21 src=129.128.5.191 dst=65.114.249.131 sport=21 dport=2862 [ASSURED] use=1


Thanks!

Steve


On Wed, 2003-01-01 at 16:51, Tom Eastep wrote:
 
 
 --On Wednesday, January 01, 2003 4:27 PM -0700 Steve Fink 
 [EMAIL PROTECTED] wrote:
 
  I tried to determine whether or not the ports were
  open in Shorewall but an iptables -C INPUT -p udp -s 65.114.248.6/24 -d
  65.114.249.131:500, only gives me a Will be implemented real soon ;)
 
 And it wouldn't have told you anything anyway since Shorewall is a little 
 smarter than to place ALL input rules in the INPUT chain where they have to 
 be executed sequentially. Nevertheless, from the iptables -L -n -v later 
 (In the future, please post the output of shorewall status -- it's much 
 more complete):
 
 Chain net2fw (1 references)
  pkts bytes target prot opt in out source destination
  0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
  140 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
  0 0 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0
  0 0 ACCEPT 51 -- * * 0.0.0.0/0 0.0.0.0/0
  0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:500 dpt:500 state NEW
  6459 258K net2allah -- * * 0.0.0.0/0 0.0.0.0/0
 
 So Protocols 50 and 51 are open as is UDP 500. If the remote host is behind 
 a NAT firewall however, you should have defined your tunnel type as 
 'ipsecnat' so that Shorewall wouldn't insist on SPT=500.
 
 Similarly:
 
 Chain fw2net (1 references)
  pkts bytes target prot opt in out source destination
  280 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
  0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
  0 0 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0
  0 0 ACCEPT 51 -- * * 0.0.0.0/0 0.0.0.0/0
  0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:500 dpt:500 state NEW
  0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:53
  0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
  0 0 all2allah -- * * 0.0.0.0/0 0.0.0.0/0
 
 So UDP port 500 is open on output
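
The [UNREPLIED] and [ASSURED] markers in the ip_conntrack dump above (and in the earlier post about multiple internal networks on eth1, where shorewall status showed [UNREPLIED] for the extra subnets) are what tell you whether a masqueraded flow ever got an answer back. The following is an added example, not code from the thread or from the LEAF/Shorewall projects; it assumes the 2.4-kernel /proc/net/ip_conntrack line format shown in the post, re-joins entries that a mail client has wrapped across lines, and uses constructed sample entries built from the addresses quoted above.

```python
import re
from collections import defaultdict

# Constructed sample in the /proc/net/ip_conntrack format that "shorewall status"
# prints on a 2.4 kernel, wrapped across lines the way a mail client wraps it.
# Addresses are the ones quoted in the thread; the entries are not real traffic.
SAMPLE = """\
tcp  6 94 TIME_WAIT src=10.4.8.143 dst=209.197.104.111 sport=2907
dport=80 src=209.197.104.111 dst=65.114.249.131 sport=80 dport=2907
[ASSURED] use=1
udp  17 27 src=10.4.8.143 dst=65.114.248.4 sport=2908 dport=53
[UNREPLIED] src=65.114.248.4 dst=65.114.249.131 sport=53 dport=2908
use=1
udp  17 28 src=10.4.8.143 dst=65.114.248.5 sport=2908 dport=53
[UNREPLIED] src=65.114.248.5 dst=65.114.249.131 sport=53 dport=2908
use=1
tcp  6 9 TIME_WAIT src=10.4.8.143 dst=129.128.5.191 sport=2862
dport=21 src=129.128.5.191 dst=65.114.249.131 sport=21 dport=2862
[ASSURED] use=1
"""

PROTOS = ("tcp", "udp", "icmp")
KV = re.compile(r"(\w+)=(\S+)")
FLAG = re.compile(r"\[([A-Z]+)\]")


def unwrap(text):
    """Re-join wrapped entries: a line that does not start with a protocol
    name is a continuation of the previous entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.split()[0] in PROTOS:
            entries.append(line)
        elif entries:
            entries[-1] += " " + line
    return entries


def parse_entry(line):
    """Split one entry into protocol, timeout, optional TCP state, the
    original-direction tuple, the reply-direction tuple and the flags."""
    fields = line.split()
    if len(fields) < 4 or fields[0] not in PROTOS:
        return None
    proto, timeout = fields[0], int(fields[2])
    # TCP entries carry a state word (TIME_WAIT, ESTABLISHED, ...); UDP ones do not.
    state = fields[3] if "=" not in fields[3] and not fields[3].startswith("[") else None
    orig, reply = {}, {}
    for key, val in KV.findall(line):
        if key in ("src", "dst", "sport", "dport"):
            # First occurrence of each key is the original direction, second the reply.
            (orig if key not in orig else reply)[key] = val
    return {
        "proto": proto,
        "timeout": timeout,
        "state": state,
        "orig": orig,
        "reply": reply,
        "flags": set(FLAG.findall(line)),
        # Replies addressed to something other than the original source mean the
        # firewall source-NATed (masqueraded) the flow: here to 65.114.249.131.
        "masqueraded": reply.get("dst") != orig.get("src"),
    }


def parse_table(text):
    return [e for e in map(parse_entry, unwrap(text)) if e]


def unreplied_flows(text):
    """Flows where packets went out but nothing ever came back, keyed by
    protocol, destination and port.  In the thread these were the DNS queries
    from 10.4.8.143: the request left through the masquerade, so the next
    thing to check is the upstream resolver and the return path."""
    out = defaultdict(list)
    for e in parse_table(text):
        if "UNREPLIED" in e["flags"]:
            out[(e["proto"], e["orig"]["dst"], e["orig"]["dport"])].append(e)
    return dict(out)


def summarize(text):
    entries = parse_table(text)
    return {
        "total": len(entries),
        "assured": sum("ASSURED" in e["flags"] for e in entries),
        "unreplied": sum("UNREPLIED" in e["flags"] for e in entries),
        "masqueraded": sum(e["masqueraded"] for e in entries),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE))
    for key, flows in unreplied_flows(SAMPLE).items():
        print("no reply:", key, "seconds left:", [f["timeout"] for f in flows])
```

Feed it the output of shorewall status or cat /proc/net/ip_conntrack from the firewall; an UNREPLIED entry whose timeout keeps getting refreshed is a client retrying against something that never answers.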

[leaf-user] Bering IPSEC Configuration

2003-01-01 Thread Steve Fink
Everyone,

After much hair pulling, blood-pressure raising, mustache twitching

I am trying to configure Bering in a Road Warrior configuration using (
I shudder to admit ) Win2k clients.

I've gone through Chad Carr's instructions about 10 times and various
docs from both www.freeswan.org and freeswan.ca. The Win2k/XP box says
"Negotiating IP Security" when trying to ping, and I see nothing in an
ipsec barf that would lead me to believe there is even a connection
being attempted.  I tried to determine whether or not the ports were
open in Shorewall, but an iptables -C INPUT -p udp -s 65.114.248.6/24 -d
65.114.249.131:500 only gives me a "Will be implemented real soon ;)",
so I scanned the Bering box with nmap.

Here are the outputs

nmap ---

# nmap (V. 3.00) scan initiated Wed Jan  1 23:00:31 2003 as: nmap -sS
-vv -oN scan.txt 65.114.249.131 
Interesting ports on  (65.114.249.131):
(The 1599 ports scanned but not shown below are in state: filtered)
Port   State   Service
113/tcpclosed  auth
135/tcpclosed  loc-srv 

# Nmap run completed at Wed Jan  1 23:03:24 2003 -- 1 IP address (1 host
up) scanned in 173 seconds


ipsec barf 

diablo
Wed Jan  1 15:55:44 UTC 2003
+ _ version
+
+ ipsec --version
Linux FreeS/WAN 1.99
See `ipsec --copyright' for copyright information.
+ _ proc/version
+
+ cat /proc/version
Linux version 2.4.18 (root@uml_woody) (gcc version 2.95.4 20011002
(Debian prerelease)) #1 Sun Nov 10 17:40:20 UTC 2002
+ _ proc/net/ipsec_eroute
+
+ sort +3 /proc/net/ipsec_eroute
sort: +3: No such file or directory
+ cat /proc/net/ipsec_eroute
+ _ ip/route
+
+ ip route
65.114.249.0/24 dev eth0  proto kernel  scope link  src 65.114.249.131 
65.114.249.0/24 dev ipsec0  proto kernel  scope link  src 65.114.249.131
10.4.8.0/24 dev eth1  proto kernel  scope link  src 10.4.8.254 
default via 65.114.249.1 dev eth0 
+ _ proc/net/ipsec_spi
+
+ cat /proc/net/ipsec_spi
+ _ proc/net/ipsec_spigrp
+
+ cat /proc/net/ipsec_spigrp
+ _ proc/net/ipsec_tncfg
+
+ cat /proc/net/ipsec_tncfg
ipsec0 - eth0 mtu=16260(1500) - 1500
ipsec1 - NULL mtu=0(0) - 0
ipsec2 - NULL mtu=0(0) - 0
ipsec3 - NULL mtu=0(0) - 0
+ _ proc/net/pf_key
+
+ cat /proc/net/pf_key
sock   pid   socket next prev e n p sndbf Flags Type St
c113ab00 11177 cf0000 0 0 2 65535 3 1
+ _ proc/net/pf_key-star
+
+ cd /proc/net
+ egrep ^ pf_key_registered pf_key_supported
pf_key_registered:satype   socket   pid   sk
pf_key_registered: 2 cf00 11177 c113ab00
pf_key_registered: 3 cf00 11177 c113ab00
pf_key_registered: 9 cf00 11177 c113ab00
pf_key_registered:10 cf00 11177 c113ab00
pf_key_supported:satype exttype alg_id ivlen minbits maxbits
pf_key_supported: 2  14  3 0 160 160
pf_key_supported: 2  14  2 0 128 128
pf_key_supported: 3  15  3   128 168 168
pf_key_supported: 3  14  3 0 160 160
pf_key_supported: 3  14  2 0 128 128
pf_key_supported: 9  15  4 0 128 128
pf_key_supported: 9  15  3 0  32 128
pf_key_supported: 9  15  2 0 128  32
pf_key_supported: 9  15  1 0  32  32
pf_key_supported:10  15  2 0   1   1
+ _ proc/sys/net/ipsec-star
+
+ cd /proc/sys/net/ipsec
+ egrep ^ icmp inbound_policy_check tos
icmp:1
inbound_policy_check:1
tos:1
+ _ ipsec/status
+
+ ipsec auto --status
000 interface ipsec0/eth0 65.114.249.131
000  
000 w2k-road-warriors: 10.4.8.0/24===65.114.249.131...%any
000 w2k-road-warriors:   ike_life: 3600s; ipsec_life: 28800s;
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 w2k-road-warriors:   policy: PSK+ENCRYPT+TUNNEL+PFS; interface:
eth0; unrouted
000 w2k-road-warriors:   newest ISAKMP SA: #0; newest IPsec SA: #0;
eroute owner: #0
000  
000  
+ _ ip/address
+
+ ip addr
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop 
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:a0:24:da:7d:e9 brd ff:ff:ff:ff:ff:ff
    inet 65.114.249.131/24 brd 65.114.249.255 scope global eth0
4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:a0:24:b5:31:62 brd ff:ff:ff:ff:ff:ff
    inet 10.4.8.254/24 brd 10.4.8.255 scope global eth1
13: ipsec0: <NOARP,UP> mtu 16260 qdisc pfifo_fast qlen 10

Re: [leaf-user] Win2K DNS Problem.

2002-12-27 Thread Steve Fink
Kory,

 As a general fix running DNSCache on your LEAF box should solve this 
problem.  Win2k will request the lookup from the DNSCache and receive an 
answer.  This also should cause the LEAF box to fire your internet 
connection.

 Be sure to only have the LEAF box's IP as your DNS server in Win2k, 
otherwise the fix will only work half the time.

Best,

Steve



-Original Message-
From: Kory Krofft [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Date: Fri, 27 Dec 2002 10:05:40 -0500
Subject: Re: [leaf-user] Win2K DNS Problem.

 Andrew,
 
 I agree that the problem is most likely Win2K. I am on a cable modem so
 the internet is readily available at all times. All the other machines
 on the network (Win98 or Linux) resolve IPs almost instantly. I guess this
 may not be the best place to look for help on a Win2K issue but I get
 the feeling that many of the subscribers here are sys admins that might
 have dealt with this at one time or another. I have searched Technet but it
 could still be there and I just haven't found it yet.
 
 Thanks for the suggestion,
 
 Kory  
 
 Andrew G.Gray wrote:
  
  Kory,
  Your problem would appear to be a Win2k/XP one where the
 system
  detects that the address is not available and will not try to resolve
  the FQDN to an address again for the period you have mentioned.  You
  could try something like ipconfig /flushdns or, as I have found,
  ensure that the internet is connected before opening a browser
 window.
  
  I normally ping a known address on the internet to cause Dachstein to
  dial before opening any application which will require dns info from
  the net.
  
  I have seen somewhere where the feature can be turned off but have
 not
  been able to find it again so that I can turn it off on my system
 here
  either.   M$ Technet may have the answer somewhere.
  
  Andrew Gray
  
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED]]On Behalf Of Kory
 Krofft
  Sent: Wednesday, 25 Dec 2002 06:07
  To: [EMAIL PROTECTED]
  Subject: [leaf-user] Win2K DNS Problem.
  
  Happy Holidays all!
  
  I am back with a slightly off topic problem that I am hoping someone
  here has seen before. I posted to the alt.os.win2000 ng but got no
  help.
  
  I recently upgraded my computer to Win2K. Once completed I find that
  when I open any browser I get host not found errors for any websites
  I try to view for about a minute or so then things start to work and
  after 3 or 4 minutes everything works fine.
  
  The network information is:
  6 clients on small network 4 are win98SE one RH 8.0 and one Win2k.
  Firewall is a pentium 225 with Bering RC3 with DNScache.
  All the clients access the internet flawlessly except for the Win2K
  box. It is configured with the primary dns as the internal i'face on
  the firewall as it should be. The firewall logs show nothing for the
  time period when the connections fail.
  
  Any suggestions will be gratefully accepted.
  
  Thank you,
  
  Kory Krofft
  
  ---
  This sf.net email is sponsored by:ThinkGeek
  Welcome to geek heaven.
  http://thinkgeek.com/sf
 
 ---
 -
  leaf-user mailing list: [EMAIL PROTECTED]
  https://lists.sourceforge.net/lists/listinfo/leaf-user
  SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
 
 
 






RE: [leaf-user] Bering ip address problems

2002-08-15 Thread Steve Fink

Craig,

Please follow these exact steps listed in the following URL to give us more
information to assist you further,

http://leaf.sourceforge.net/mod.php?mod=userpage&menu=11&page_id=4

In order to see if dhcpd is running type "ps x" (without quotes) into the
command line of your leaf boxen.

Once you give us the info listed above, we will be able to provide detailed
instructions.

Thanks in advance,

Steve




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Craig
Sent: Thursday, August 15, 2002 3:00 PM
To: LEAF
Subject: [leaf-user] Bering ip address problems


Hello Ray,
O.K., let me try to be more specific, and answer you in the order of
your questions. Yes, when I say most of the time, it's just that. It
does work sometimes and assign addresses to the LAN, but most of the
time it doesn't. You asked "Is dhcpd
running in the process list when lease-assignment fails?" I don't know
how to tell. I'm trying to learn Linux and Bering as best I can (I've
taken a college course, also), so please bear with me. If you tell me
how to give you more info, I'd be happy to do so.
"Is dhcpd logging anything meaningful about these failures?" I don't
know how to tell. "Do you get any dhcpd-related errors
reported during boot/init?" No, not that I can see. "Are the Dachstein
and Bering setups using the same internal LAN network addresses?" Yes,
whatever is provided by default. "Are the internal hosts running any
firewalling software (what OSs are involved, BTW)?" None at all, and the
OS's are W2K Professional and XP Professional. "If you assign a suitable
IP address to an internal host by hand, can it reliably communicate with
and through the Bering router?" I'll try that.

I'm just puzzled at what might be different about Dachstein, which works
perfectly, and Bering which seems to be so fussy. In both instances I
have done almost the bare minimum to get them running. I have
uncommented the correct driver, changed the passwords, and changed the
firewall's name. That's it. I haven't modified anything else. As I said,
if you want more info, I'd be happy to provide it. Please just let me
know how I can do so. I am happy to learn. Thank you.

Craig













RE: [leaf-user] Serial port problem. Checked Howto/Faq/List Archive.

2002-06-30 Thread Steve Fink

Jerry,

With the limited info available, my best guess would be that you do not
have a kernel with Serial Port support compiled in.  Check the Dachstein ftp
site for a kernel with serial port support.

If this is not the problem please follow the guidelines for providing us
info to assist you further...

http://leaf.sourceforge.net/mod.php?mod=userpage&menu=11&page_id=4

Best of luck,

Steve



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of jerry falwell
Sent: Sunday, June 30, 2002 3:04 PM
To: [EMAIL PROTECTED]
Subject: [leaf-user] Serial port problem. Checked Howto/Faq/List
Archive.



I am attempting to run a Dachstein image on a system
that will eventually not have a keyboard and monitor.
I'm actually having great fun with it this weekend,
but there is one thing I can't seem to resolve without
help.

Following the Howto's and FAQ's, I run into a problem
almost immediately. When I type the example echo from
the guides,

# echo Hello World > /dev/ttyS0

I get in return

cannot create /dev/ttyS0: error 19

The device is in fact there when I do an ls, which is
reaffirmed by my later actions (please see below).

I went ahead and took the other steps except
attempting to get the boot messages to show up on
ttyS0 (which I am not expecting to do. read that
thread too). I examined all the related mailing list
threads, and acted on the advice there as well.
Specifically, I did the following:

-placed a copy of serial.o in /boot/lib/modules
-edited /boot/etc/modules and added
serial
-edited the inittab serial line example to say
T0:23:respawn:/sbin/getty -L ttyS0 19200 vt100
-added ttyS0 to the securetty file.
-attached another computer with a terminal emulator to
com1 via a null modem connector and serial cable.
-backed up all my changes and confirmed that they were
still there after I rebooted.
-added console=tty0 console=ttyS0,19200n8 to the
append line in syslinux.cfg
-at one point added the following
serial 0 19200 0
to the top of my syslinux.cfg file too. That caused
the DF logo and initial info to show up on the
terminal, so I know the cable connection and baud rate
is fine. But it stops there (no prompt). It also
caused an "Unknown keyword in syslinux.cfg." error, so
I removed it.

Needless to say, I get the "Id T0 respawning too
fast..." message too. But I believe this is a result of
the first error 19 issue I mentioned.

Any help on what appears to be the last issue I have
managing this system by serial connection would be
extremely appreciated.

Kris Bravo













RE: [leaf-user] ip_masq*

2002-06-20 Thread Steve Fink

Brian,

All of these modules are to add service functionality to your router for IP
Masq'd connections.

If you wish to use ipmasqadm portfw and autofw then uncomment the
corresponding module.  If you wish your clients to be able to use services
such as IRC, ICQ, FTP (recommended), etc...  Then uncomment the
corresponding module.

Best,

Steve


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Henning,
Brian
Sent: Thursday, June 20, 2002 8:54 AM
To: leaf (E-mail)
Subject: [leaf-user] ip_masq*


Hello-
Of the following which ones are necessary for my router to work properly.
I can only see two that I may need 'ip_masq_autofw' and 'ip_masq_portfw'. do
I need any of the others?
thanks,
brian

ip_masq_autofw
ip_masq_portfw

ip_masq_cuseeme
ip_masq_mfw
ip_masq_ftp
ip_masq_user
ip_masq_vdolive
ip_masq_irc











Re: [leaf-user] Using syslinux to initialise an IDE disk.

2002-05-13 Thread Steve Fink

Dave,

It sounds like the Windoze boot disk you are using is not a plain
vanilla boot disk and launches something after booting, ie IDE drivers, RAM
Disk, etc.  From a Windoze 98 machine format a diskette and check the Copy
System Files check box.  Then copy fdisk.exe and format.com from
C:\WINDOWS\COMMAND\ to the diskette.   Then try SysLinux again.

SysLinux steps for DOM.

1. Boot system under Windoze boot disk.
2. run fdisk make the partition
3. format c:
4. reboot
5. lock c: ( I've seen some anomalies if this command is not done from
A:\ )
6. syslinux c: ( also from A:\ )
7. copy all files from your Bering diskette to your fresh DOM,
making sure NOT to overwrite ldlinux.sys
8. remove diskettes and reboot.

NOTE: Your DOM will only work if you have a Bering kernel with IDE compiled
in.

Best of luck,

Steve




- Original Message -
From: Dave Anderson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, May 13, 2002 8:51 AM
Subject: [leaf-user] Using syslinux to initialise an IDE disk.


 I am installing a diskonmodule in my LEAF Bering firewall. All is going
 well, and I have Bering recognising the disk through the ide modules,
 however, I'm having real difficulty getting syslinux on. I've tried a dos
 boot disk with syslinux 1.72. That wouldn't work, as even after 'lock c:'
 I'm still getting 'cannot get exclusive lock on disk' (with no option to
 ignore) I tried three different Linux rescue disks (the system has no
 CD-ROM), including Bering itself, with the syslinux.lrp package (I think
 from Oxygen) All gave the same result - segmentation fault (maybe to do
with
 glib versions I guess)

 Should I maybe use LILO? (Any tips about what should go in the lilo.conf
for
 Bering?)

 Or does someone know of a syslinux version or setup that will work for me?

 Many thanks
 Dave










RE: [Leaf-user] internal NAT question

2002-04-27 Thread Steve Fink

Tony,

The use of ipmasqadm portfw allows the packets to pass untouched by
ipchains.

Steve



-Original Message-
From: Tony [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 26, 2002 5:09 PM
To: Steve Fink; LEAF-List
Subject: RE: [Leaf-user] internal NAT question




Would not the ipchains/iptables rules be applied?

Could you not say forward only traffic from external_ip/32 to
internal_server/32 port 3389 or whatever and essentially say, yeah, this
port is open but only for this one client on the internet?  All others would
be rejected/denied.  Or am I mistaken, and that port forwarding bypasses all
rules.

Thanks,

Tony



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Steve Fink
Sent: Friday, April 26, 2002 3:55 PM
To: LEAF-List
Subject: RE: [Leaf-user] internal NAT question


Phillip,

The security implications are the same as having that port on that machine
exposed directly to the internet.

Example:

Portforwarding port 3389 ( Terminal Server ) from the firewall to port 3389
on a NT/2000 system behind the firewall.

Terminal Server is totally exposed, it's like taking a pipe and tunneling
all communications on port 3389 to the NT/2000 system.  So if there is a
vulnerability in Terminal Server ( which there is ) then Terminal Server is
susceptible to this vulnerability, despite the fact that you have the
firewall in place.

During a scan of your firewall ( with port forwarding enabled on port
3389 ) you would see that port 3389 was open and accepting connections.  So
you would know that there was a Terminal Server connection there, but the
TCP/IP signature and timing would look like a Linux box.  Opening a Terminal
Server connection to the box would bring up a Terminal Server login screen
to a potential intruder.  Then he/she could attempt to gain access using any
other information that could be gleaned from the scan, and possibly guess
usernames/passwords etc, or use a known Terminal Server vulnerability to
gain access.


So in short, port forwarding is creating a tunnel from your firewall into
the internal system. Any traffic directed at your firewall on that port will
be transferred directly to the internal system.


Hope this helps,


Steve

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, April 26, 2002 9:12 AM
To: [EMAIL PROTECTED]
Subject: [Leaf-user] internal NAT question




I have situations in which my vpn router is a peer to a proxy server.
The proxy server is the default gateway for the servers behind it.

Therefore I use NAT on the internal interface to force traffic to the
servers
back through the router.

This is approximately the same thing as port forwarding.  Does anyone
know of any security implications in this?

Thanx.















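Tony's question above (forward port 3389 only for one external client) and Steve's point that an unrestricted forward exposes the service exactly as if it sat on the Internet, as an added example that is not from this thread: on a 2.4-kernel iptables router such as Bering (not the 2.2 ipchains+ipmasqadm setup Steve is answering for) the DNAT can be tied to a single source address, the filter table still sees the rewritten packet, and everyone else hitting the port is logged and dropped. The interface name, the RFC 5737 addresses and the choice of port are assumptions.

```shell
#!/bin/sh
# Source-restricted port forward for an iptables (2.4 kernel, Bering-style)
# LEAF router. Added example, not code from the list posts; the interface
# name, the RFC 5737 addresses and the use of port 3389 are assumptions.
IPT="${IPT:-iptables}"          # set IPT="echo iptables" for a dry run

# Reject anything that is not a dotted quad with octets 0..255, so a typo
# in the client address cannot silently widen the forward.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# portfw_rules EXT_IF EXT_IP CLIENT_IP SERVER_IP PORT
# Forwards TCP PORT arriving on EXT_IF from CLIENT_IP only, logs and drops
# the same port from everyone else, and assumes FORWARD's policy is DROP.
portfw_rules() {
    ext_if=$1; ext_ip=$2; client=$3; server=$4; port=$5
    valid_ipv4 "$ext_ip" && valid_ipv4 "$client" && valid_ipv4 "$server" || return 1
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1

    # Replies for connections already accepted (skip if such a rule exists).
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 1. Rewrite the destination only when the packet comes from the one client.
    $IPT -t nat -A PREROUTING -i "$ext_if" -s "$client/32" -d "$ext_ip/32" \
        -p tcp --dport "$port" -j DNAT --to-destination "$server:$port"
    # 2. Unlike ipmasqadm portfw on 2.2, the filter table still sees the
    #    DNATed packet, so the FORWARD chain must admit it explicitly.
    $IPT -A FORWARD -i "$ext_if" -s "$client/32" -d "$server/32" \
        -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    # 3. Anyone else hitting the port is not DNATed and lands in INPUT:
    #    log it (a scan like the one Steve describes shows up here), then drop.
    $IPT -A INPUT -i "$ext_if" -d "$ext_ip/32" -p tcp --dport "$port" \
        -j LOG --log-prefix "portfw-denied: "
    $IPT -A INPUT -i "$ext_if" -d "$ext_ip/32" -p tcp --dport "$port" -j DROP
}

# Usage: sh portfw.sh dry (print the rules) or sh portfw.sh apply (load them).
case "${1:-}" in
    dry)   IPT="echo iptables"
           portfw_rules eth0 203.0.113.1 198.51.100.7 192.168.1.10 3389 ;;
    apply) portfw_rules eth0 203.0.113.1 198.51.100.7 192.168.1.10 3389 ;;
esac
```

Bering normally drives iptables through Shorewall, so on a real Bering box the same policy would be written as Shorewall rules rather than run directly.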



RE: [Leaf-user] internal NAT question

2002-04-27 Thread Steve Fink

Group,

Sorry for the unintentional curtness of this post

I'm a bit decaffeinated.

Humbly,

Steve







RE: [Leaf-user] internal NAT question

2002-04-26 Thread Steve Fink

Phillip,

The security implications are the same as having that port on that machine
exposed directly to the internet.

Example:

Portforwarding port 3389 ( Terminal Server ) from the firewall to port 3389
on a NT/2000 system behind the firewall.

Terminal Server is totally exposed, it's like taking a pipe and tunneling
all communications on port 3389 to the NT/2000 system.  So if there is a
vulnerability in Terminal Server ( which there is ) then Terminal Server is
susceptible to this vulnerability, despite the fact that you have the
firewall in place.

During a scan of your firewall ( with port forwarding enabled on port
3389 ) you would see that port 3389 was open and accepting connections.  So
you would know that there was a Terminal Server connection there, but the
TCP/IP signature and timing would look like a Linux box.  Opening a Terminal
Server connection to the box would bring up a Terminal Server login screen
to a potential intruder.  Then he/she could attempt to gain access using any
other information that could be gleaned from the scan, and possibly guess
usernames/passwords etc, or use a known Terminal Server vulnerability to
gain access.


So in short, port forwarding is creating a tunnel from your firewall into
the internal system. Any traffic directed at your firewall on that port will
be transferred directly to the internal system.


Hope this helps,


Steve

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, April 26, 2002 9:12 AM
To: [EMAIL PROTECTED]
Subject: [Leaf-user] internal NAT question




I have situations in which my vpn router is a peer to a proxy server.
The proxy server is the default gateway for the servers behind it.

Therefore I use NAT on the internal interface to force traffic to the
servers
back through the router.

This is approximately the same thing as port forwarding.  Does anyone
know of any security implications in this?

Thanx.











RE: [Leaf-user] ip_masq_ipsec.o for bering

2002-04-24 Thread Steve Fink

Eric,

I'm not a Bering user but the tasks you need to accomplish are simple.

There are two ways ( in short ) to use IPSEC server and client.  The IPSEC
server requires the kernel be able to handle the IPSEC packets directly
through either compiling IPSEC into the kernel or having IPSEC as a loadable
module.

The second IPSEC client (which is the one you want to do) is simply passed
through your MASQ'd/NAT'd firewall/router/Bering/LEAF boxen.  This requires
an ip masq module; after perusing the Bering ftp site and the recently
updated package list, I do not see where the ip_masq_ipsec.o module is
available for Bering. It may be named ip_conntrack_ipsec.o or something of
the sort, but it would have to be ip_x_ipsec.o. The
ip_conntrack_ftp.o and ip_conntrack_irc.o allow ftp and irc connections to
pass through the box to allow these services for the client PC's.

For the purpose you require you might have to drop in a Dachstein disk.
The ip_masq_ipsec.o module is included by default.

Best,

Steve




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Eric B Kiser
Sent: Tuesday, April 23, 2002 10:27 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: [Leaf-user] ip_masq_ipsec.o for bering


damn... I have just been sitting here staring at my monitor while the
reality of what I am trying to do has dawned on me. When Tom pointed me in
the direction of the files ip_conntrack_ipsec.o and ip_nat_ipsec.o I began
searching for them under the assumption that I would just load them like any
other module. After reading your reply things suddenly came more into focus.
If I understand this correctly, then what I am actually looking for is a
patch that will make these options available for when I have to recompile
the kernel. At which time, I can then select to either compile them as
modules or to compile them directly into the kernel.

Thanks Joey, for the offer of assistance. Any and all help would be
graciously received. I am still a newbie here so if someone would be kind
enough to either confirm or deny my assumptions about how to go about this I
would appreciate it.

Respectfully,
Eric


-Original Message-
From: joey officer [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 23, 2002 10:05 PM
To: Eric B Kiser
Cc: [EMAIL PROTECTED]
Subject: RE: [Leaf-user] ip_masq_ipsec.o for bering


ahh.. I think I understand now.. so you need to have the packets
passed through on the home machine so that you can make the connection
to work.  I understand now.

There was another post earlier that mentioned the naming difference
for the Bering ipsec.o files.  You might look there.  I'm not familiar
at all w/ Bering, but I'll be glad to assist you by looking as well,
and if necessary, maybe I or someone else can compile this for you.


joey

At Tuesday, 23 April 2002, Eric B Kiser [EMAIL PROTECTED] wrote:

Joey,

Thanks for the quick reply. Here is what I am looking at...

[1] I have to use IPSec client software on an NT4.0 machine from
inside my
network to make a connection to the company firewall/IPSec server
to be able
to gain remote access into my company. Since we are unable to do both
pass-through and termination I am forced to set this box up to do
pass-through only.

[2] I am planning on setting up a second box inside my network to
act as an
IPSec server so that I can connect to my lab while on the road.

I hope this helped to explain it a little better.

Regards,
Eric

-Original Message-
From: Joey Officer [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 23, 2002 4:54 PM
To: Eric B Kiser; [EMAIL PROTECTED]
Subject: RE: [Leaf-user] ip_masq_ipsec.o for bering

Are you sure that you need the ip_masq_ipsec.o file.  I think that
this is
only needed if you have an internal ipsec server.  In my case I run the
ipsec server (I'm sure as does everyone else) on the actual gateway
server /
leaf server...

Joey

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Eric B Kiser
Sent: Tuesday, April 23, 2002 3:27 PM
To: [EMAIL PROTECTED]
Subject: [Leaf-user] ip_masq_ipsec.o for bering

Hello All,

I need to be able to make an IPSec connection through my Bering 1.0-rc1
firewall. If I understand correctly I will need the ip_masq_ipsec.
o module
to be able to do this. I have been unable to find the ip_masq_ipsec.
o for
Bering. I have already searched through all of the files in the modules
section online and did not come across it. Is it already compiled
in to the
kernel or is it somewhere else or have I just missed it?

Thanks in advance,

Eric












RE: [Leaf-user] ip_masq_ipsec.o for bering

2002-04-24 Thread Steve Fink

Yes, I am definitely referring to using a Dachstein diskette.

;-)

Steve




-Original Message-
From: Joey Officer [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 24, 2002 8:08 AM
To: Steve Fink; Eric B Kiser
Cc: [EMAIL PROTECTED]
Subject: RE: [Leaf-user] ip_masq_ipsec.o for bering


Unless you are referring to changing over to using Dachstein, I don't
believe the modules will work for the Bering distribution.  Surely though
someone else here is running a separate IPSec server (non-gateway) that they
too would need a Bering version of the ip_x_ipsec.o module to be compiled
for Bering.  A simple task would be to track down the maintainer of the
Bering dist. and ask them if there is already a module compiled, or if we
should see compiling a complete set of modules for the Bering kernel base.

Joey



[Leaf-user] Nagasaki Disk On Module Update

2002-04-23 Thread Steve Fink

Group,

Here is the latest in the Nagasaki saga...

All communications left in tact intentionally...

Steve

-

Dear Steve,

Our newest design DOM's protected function is hardware mode. We will send
our utility to you; you can install this utility on your linux major
program. That will become a hardware protected function.

Please let me know how much capacity you need.

Regards

Andy
- Original Message -
From: Steve Fink
To: Andy Chen
Sent: Saturday, April 20, 2002 12:51 AM
Subject: RE: Disk On Module Password


Andy,

How does the write protect version work?  Is it write protect version
software or hardware protected?

Thanks,

Steve



-Original Message-
From: Andy Chen [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 19, 2002 2:23 AM
To: Steve Fink
Cc: [EMAIL PROTECTED]
Subject: Re: Disk On Module Password


Dear Steve,

We can offer our protect version of DOM on April 26~27. The first version is
the 40 pin vertical type DOM. The price will increase 15~20%. Please confirm.

We can offer the follows capacity of protect DOM:

4MB
16MB
32MB
64MB

We will not offer the write-protect program to any customer, please confirm,
thanks.

Regards

Andy
- Original Message -
From: Steve Fink
To: andy
Sent: Tuesday, April 02, 2002 11:17 PM
Subject: RE: Disk On Module Password


Andy,

Thank you for your prompt reply.

I am currently using three Nagasaki DOMs in my firewalls.  They work
great!  The firewall boots in about 14 seconds, extremely fast!

I want to set a password on the DOM itself so if the firewall is
penetrated by an outside source, they cannot write to the DOM.

The scenario is this

I create my software and put it onto the DOM then set the password, so
it cannot be written to without entering the password.  The utility could
work much the same way, the first time the password is set the utility
assumes the person running the utility is the owner and sets the password.
Then every subsequent time it needs to be written to the same utility has to
be used to unlock the DOM.  The utility can check the DOM and verify that
the user has authorization to modify the DOM based on the password and then
unlock the DOM for writing.  Then files are written to the DOM and then the
utility is re-run and the DOM locked again.

Any assistance would be much appreciated,

Thanks in advance,

Steve


-Original Message-
From: andy [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 02, 2002 2:44 AM
To: Steve Fink
Cc: [EMAIL PROTECTED]
Subject: Re: Disk On Module Password


Dear Steve,

Please enter the BIOS settings; there is a User password that you can
set.

If you are asking whether our DOM can set a password or security function, I
have some questions as follows:

1. What kind of password or security function do you want to use? More
detail is great.
2. Have you ever used another company's DOM that has this function? What is
the brand?
3. We can do an easy security for you, but you need to send it back to us.
4. We can not offer this utility to our customers, because if we offer this
utility to customers, the security does not make sense.

If you need anything else, please contact me, thanks.

Regards

Andy
- Original Message -
From: Steve Fink
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Tuesday, April 02, 2002 4:47 PM
Subject: Disk On Module Password


Dear Sales,

I attempted to fill out the form on your website for support,
unfortunately it does not complete the process.

Could you please forward this message to support?  Thank you.


Dear Support,

I own three Disk On Modules.  I was reading the technical pdf for the
product and can see where it is possible to set a password on the DOM.  Is
there a utility to set this password?  Or how would one go about setting the
password?

Thanks in advance,

Steve Fink




___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user



RE: [Leaf-user] Changes for new Dachstein release

2002-04-10 Thread Steve Fink

Charles et al,

If I may, I'd like to request that this functionality be added to Charles'
network.conf scripts.

My configuration currently is as follows:

eth0
external-ip1
external-ip2


eth1
10.1.1.1/24
10.1.2.1/24
10.1.3.1/24
10.1.4.1/24
10.1.5.1/24
10.1.6.1/24
10.1.7.1/24
10.1.8.1/24
10.1.9.1/24
10.1.10.1/24
10.4.8.1/24
10.4.8.254/24

Dachstein currently adds the routes for the additional IPs on eth1 but
does not add any additional chains. The 10.4.8.0/24 class is my network; I
have all of my machines on this network.  I assign the other 10.1.x.x's
to different sites and networks.  Then they cannot connect to each other.
Then if I need to get to one of these networks I just go in and write the
chain to allow my packets to go to their network.


I currently have these modifications to the forward chain in
/etc/ipchains.forward.

ipchains --no-warnings -I forward 1 -s 10.4.8.0/24 -d 10.4.8.0/24 -j ACCEPT
ipchains --no-warnings -I forward 2 -s 10.1.1.0/24 -d 10.1.1.0/24 -j ACCEPT
ipchains --no-warnings -I forward 3 -s 10.1.2.0/24 -d 10.1.2.0/24 -j ACCEPT
ipchains --no-warnings -I forward 4 -s 10.1.3.0/24 -d 10.1.3.0/24 -j ACCEPT
ipchains --no-warnings -I forward 5 -s 10.1.4.0/24 -d 10.1.4.0/24 -j ACCEPT
ipchains --no-warnings -I forward 6 -s 10.1.5.0/24 -d 10.1.5.0/24 -j ACCEPT
ipchains --no-warnings -I forward 7 -s 10.1.6.0/24 -d 10.1.6.0/24 -j ACCEPT
ipchains --no-warnings -I forward 8 -s 10.1.7.0/24 -d 10.1.7.0/24 -j ACCEPT
ipchains --no-warnings -I forward 9 -s 10.1.8.0/24 -d 10.1.8.0/24 -j ACCEPT
ipchains --no-warnings -I forward 10 -s 10.4.8.0/24 -d 10.1.1.0/24 -j ACCEPT
ipchains --no-warnings -I forward 11 -s 10.4.8.0/24 -d 0/0 -j MASQ
ipchains --no-warnings -I forward 12 -s 10.1.1.0/24 -d 0/0 -j MASQ
ipchains --no-warnings -I forward 13 -s 10.1.2.0/24 -d 0/0 -j MASQ
ipchains --no-warnings -I forward 14 -s 10.1.3.0/24 -d 0/0 -j MASQ
ipchains --no-warnings -I forward 15 -s 10.1.4.0/24 -d 0/0 -j MASQ
ipchains --no-warnings -I forward 16 -s 10.1.5.0/24 -d 0/0 -j MASQ
ipchains --no-warnings -I forward 17 -s 10.1.6.0/24 -d 0/0 -j MASQ
ipchains --no-warnings -I forward 18 -s 10.1.7.0/24 -d 0/0 -j MASQ
ipchains --no-warnings -I forward 19 -s 10.1.8.0/24 -d 0/0 -j MASQ

What this does for me.

I have a WiLAN that spans the whole city.  I'm using Cabletron APs and
cards. I've run into the hidden transmitter issue with WiLAN and solved it
by bouncing all the packets off the Dachstein boxen.

So ( not to drag this out anymore ) if the scripts accommodated adding of
secondary IPs to the chains automatically I wouldn't have to customize my
ipchains.forward as much.

I also would like to request that the ipmasqadm ipautofw source ipautofw.so
be included or available.  I haven't had time to locate all of the required
libraries to compile this option.

The purpose for this is so I can tunnel all traffic from eth0's second
external-ip directly to a server located within the network.  Yes I know
this makes a potential security hole but the requirement is still there for
one of my locations.  It's just a quick and dirty fix.



Many Thanks to you and everyone who has made Dachstein the LEAF distro that
it is!


Best,

Steve


PS Dachstein rocks!





-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Charles
Steinkuehler
Sent: Friday, April 05, 2002 8:07 AM
To: [EMAIL PROTECTED]
Subject: [Leaf-user] Changes for new Dachstein release


It looks like it's getting to be time for a new Dachstein release.  There
are a number of minor bugs to fix in the system scripts, and (more
importantly) security updates to some of the packages on the CD (SNMP and
libz).

My current ToDo list consists of the following.  Please post if you think
something else should be added to this list, or are willing to try your hand
at implementing some of the listed changes.

--
TODO
--

- Support multiple mount points in space-check multicron script (currently,
only the root partition is checked)

- Fix ping check e-mail functionality

- Fix package not found bug in /linuxrc (duplicates appear in package list
if a package is not found)

- Fix updatetime() in /etc/multicron-p

- Fix mount.back dev =  POSIXness bug

- Add example lrpkg.cfg to CD Contents

- Add example pkgpath.cfg to CD Contents

- Alter weblet disk-checking script to ignore CD-ROM (always 100% 

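The per-subnet forward rules Steve writes by hand above, generated from a subnet list instead. This is an added example, not part of Dachstein's network.conf scripts; it assumes the first subnet is the admin network that may open connections to every site, and that all internal subnets fall under one aggregate prefix (INTERNAL_AGG). It goes beyond the post in two places: ipchains is stateless, so it emits the return-direction ACCEPT for admin traffic, and it adds an explicit DENY for site-to-site traffic ahead of the -d 0/0 MASQ rules so the isolation does not rest on the masquerade rule alone.

```shell
#!/bin/sh
# Added example: generate the ipchains forward rules for a set of internal
# subnets on eth1, instead of maintaining them by hand in /etc/ipchains.forward.
# Assumption: every internal subnet lives under INTERNAL_AGG.
INTERNAL_AGG=10.0.0.0/8

# gen_forward_rules ADMIN_NET SITE_NET...
# Prints ipchains commands one per line. -A appends, so the printed order
# is the chain order (the post used -I with explicit positions).
gen_forward_rules() {
    admin=$1
    shift
    # 1. Each subnet may forward to itself (the WiLAN "bounce" through
    #    the router described in the post).
    for net in "$admin" "$@"; do
        echo "ipchains --no-warnings -A forward -s $net -d $net -j ACCEPT"
    done
    # 2. Admin network may reach each site. ipchains has no connection
    #    tracking, so the site's replies need their own ACCEPT rule.
    for net in "$@"; do
        echo "ipchains --no-warnings -A forward -s $admin -d $net -j ACCEPT"
        echo "ipchains --no-warnings -A forward -s $net -d $admin -j ACCEPT"
    done
    # 3. Any other internal-to-internal traffic is denied explicitly, so
    #    sites cannot reach each other by way of the masquerade rule.
    for net in "$admin" "$@"; do
        echo "ipchains --no-warnings -A forward -s $net -d $INTERNAL_AGG -j DENY"
    done
    # 4. Whatever is left is bound for the Internet and gets masqueraded.
    for net in "$admin" "$@"; do
        echo "ipchains --no-warnings -A forward -s $net -d 0/0 -j MASQ"
    done
}

# apply_forward_rules ADMIN_NET SITE_NET...
# Executes the rules when ipchains exists on this host, otherwise prints
# them so the rule set can be reviewed anywhere.
apply_forward_rules() {
    if command -v ipchains >/dev/null 2>&1; then
        gen_forward_rules "$@" | sh
    else
        gen_forward_rules "$@"
    fi
}

# Site subnets from the post (10.4.8.1 and 10.4.8.254 are both addresses
# on the single admin network 10.4.8.0/24).
SITE_NETS="10.1.1.0/24 10.1.2.0/24 10.1.3.0/24 10.1.4.0/24 10.1.5.0/24
10.1.6.0/24 10.1.7.0/24 10.1.8.0/24 10.1.9.0/24 10.1.10.0/24"

if [ "${1:-}" = "--apply" ]; then
    apply_forward_rules 10.4.8.0/24 $SITE_NETS
else
    gen_forward_rules 10.4.8.0/24 $SITE_NETS
fi
```

Run with --apply on the firewall to load the rules; without it the script only prints them for review.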
RE: [Leaf-user] Dachstein, Bearing, and DHCP

2002-04-08 Thread Steve Fink

Frank,

The primary reason a Network Administrator uses DHCP is laziness ;-).
Instead of having to go around and hard-set every client on a network,
when you have 200+ clients it's a whole lot easier to allow the client to
gain its IP address automatically.

There are a few other reasons too...

If you make configuration changes to the network, i.e. a new gateway IP or new
DNS servers, these changes can happen dynamically at the client machine.

It is mostly just a tool to make life easier; it is not required and in
some cases ( like yours ) assigning 5 IPs to 5 machines and walking away is
easier than going through the trouble of getting DHCP set up ( which really
isn't too hard ).

Either way you want to go is the right answer for you.

Take care,

Steve



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, April 08, 2002 1:24 PM
To: [EMAIL PROTECTED]
Subject: [Leaf-user] Dachstein, Bearing, and DHCP


Greetings,

For three years I used an old 486 running RH 5.2 as a router
box.  It was hooked to a cable modem one side and my local
network on the other. It also ran as a file server under
Samba, and used Apache to provide a web site for the local
network only.

Recently I graduated to Dachstein on a floppy because of
hard disk failure on the old 486.  Besides, I did not get
that much use out of the web site or the file server.  I
have run Dachstein for several weeks. Very happy with it.  I
set up all my local network machines to work off DHCP.

Last week I tried Bearing.  It worked fine for about a day,
then (when the previous lease expired?) my Windows 98 machine
was assigned a local network address in the 169.-.-. range.
The standard Bearing release evidently does not support DHCP
for the local network.  I forgot to go back and reconfigure
the win machine not to use DHCP.  Evidently, if windows is
configured for DHCP and does not find a DHCP server, it auto
assigns IP addresses.  Just another of those 'special'
features that is not well documented and causes confusion.

So now I have a question.  What is the advantage of using
DHCP on a small local network?  I only have five computers
on the network.  Would I be better off to manually assign IP
numbers?

The only reason I used DHCP on the local network was because
Dachstein provided it.  I did not select DHCP because I
thought I needed it.  However, it did work and was
convenient.  Are there better reasons to use DHCP on a local
network?

Thanks in advance,
Frank Kamp










RE: [Leaf-user] mail server?

2002-04-05 Thread Steve Fink

Antken,

Attached are most of the posts regarding Samba.

The problem with running mail on a LEAF system is space.  The idea is to
keep things streamlined and small.  So storing mail on a ramdisk would take
a lot of RAM.  You'd have to modify your ramdisk size or put a hard drive
into the box to allow for storage, which poses security risks of someone
penetrating your firewall and placing a trojan onto the hard drive.

Best solution is running a mail server behind the firewall with ports 25
and 110 port forwarded to the mail server.  That way the only exposure to
the mail server is those specific ports. Always bearing in mind that if the
mail daemons you choose have security holes these could be utilized to
penetrate your network.

Best of luck,

Steve



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Ant Ken
Sent: Friday, April 05, 2002 4:44 AM
To: [EMAIL PROTECTED]
Subject: [Leaf-user] mail server?


hello all,

are there any mail server packages available for the lrp system? if you need
it, i am running the Dachstein image.

while i am on the subject of packages does the Dachstein image have a samba
package available? i have noticed this issue on the recent lists but have
deleted them by mistake - ooops!

thanks in advance to any one that replies

antken










RE: [Leaf-user] Compact Flash vs CD Rom

2002-04-05 Thread Steve Fink

Dale,

Should be close to the same boot time.  The throughput on the CF to IDE
should be right at the max speed of the IDE bus.

I just retimed my boot speed, after adding dhcpd and all the ip_masq
modules except IPSEC I'm at 21 seconds.  Still a lot faster than a floppy.


Steve





-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Dale Mirenda
Sent: Friday, April 05, 2002 4:20 PM
To: [EMAIL PROTECTED]
Subject: Re: [Leaf-user] Compact Flash vs CD Rom


Any idea how the speed of these devices would compare to the DOMs Steve
Fink is using? In an earlier post, he reports a boot time of about 14
seconds.

Dale Mirenda


 From: Charles Steinkuehler [EMAIL PROTECTED]
 Date: Fri, 5 Apr 2002 17:05:26 -0600
 To: Peter Nosko [EMAIL PROTECTED],
[EMAIL PROTECTED]
 Subject: Re: [Leaf-user] Compact Flash vs CD Rom

 Any of the standard CF to IDE adaptors should work with these devices...

 Charles Steinkuehler
 http://lrp.steinkuehler.net
 http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

 pn] It's about time.  Anyone know of an IDE interface for these?

 --- Charles Steinkuehler [EMAIL PROTECTED] wrote:
 It is now - here's 2 links

 http://www.embedone.com/e-main4flashmemory1.htm
 http://www.quantum.com.pl/produkty_Flash_Com.html

 Great links...I especially like the second, which indicates it's running
 on
 a QNX based web-server.  Now that's commitment to the embedded
 marketplace
 :)

 Charles Steinkuehler
 http://lrp.steinkuehler.net
 http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)











RE: [Leaf-user] Flash Write Protect

2002-04-02 Thread Steve Fink

Matt,

The tech doc on the Nagasaki DOMs that I have shows a set password command
available.  I'm in communication with the manufacturer; they do not
currently have a utility available to the public to set this password, but
where there's a will there's a way.

I will check with some other Linuxheads I know and see what we can do...
Essentially we just need to create a utility to set the password.  Then if
the password on the DOM is already set, the utility authenticates a new
session against the password on the DOM; if it doesn't match it fails, if it
does match the DOM is unlocked and can be written to.

More to come,

Steve




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Matt Schalit
Sent: Monday, April 01, 2002 5:10 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [Leaf-user] Flash Write Protect


[EMAIL PROTECTED] wrote:

 I gotcha.

Roger that.  I swapped the subject line to be more
reflective of the discussion.  Hope that's ok.


 My problem is I'm always wanting to do updates remotely
 and wouldn't want users to have to flip a switch or God forbid reboot.


   Flipping a switch shouldn't be harder than flipping the
write protect tab on a floppy.  The problem is that putting
the switch remotely onto the case, like wiring the turbo
switch on an AT computer to handle the write protect, would
create noise problems.  That's one of the solutions being
investigated.  We've had a grand total of one EE comment
on this offline, who proposed a solution.  Jeff Newmiller
also suggested a case mounted switch is not as desirable as
one on the ADM circuit board, for the same reasons.

   The problem is getting access to an internal switch.  Opening
the case is a small hassle, especially for users and frequent
updates.

   I'm a little surprised to hear you modify your config
remotely that often, but that's just because I don't know
your application, not because it's strange to do so.

   I don't think rebooting is required in this situation.



 But a compact flash can be pulled after booting to ramdisk without
 harm.  That's pretty write protected.   Problem is to get access to it
 again you'll have to power down.


   Ok.  A case mounted socket for a Flash would be similar to how
a floppy is case mounted.  But if you have to power down

   I thought PC-Cards could be hot swapped.  I haven't messed
with them in Linux yet, though.  I thought the same was true
for CF chips.  Is this not incorrect?



 I would be more interested in a heavily software protected mount,
 dd, etc.  If these commands were  400 and could only be accessed
 via a very secure sudo like thingy.  I mean even root could not get to
 then without getiing past security.  Maybe that's impossible   ???


   Anything software is not the holy grail because it can
be circumvented with time and skill.  Or so goes the
argument.



 Oh yeah, if you want to solder, break into your IDE cable and run the
 write enable thru a switch (don't ask me).  If you're clever you might
 even not bring the drive down.  That would be cool.

   You can search google going back a long way and read up
on the whole history of IDE and how write protect is not in
the specification.  Attempts to modify the IDE cable and
its signals are not a possible solution from what I've read
and my amateur analysis.

   I don't quite understand what your suggestion would be
from that one paragraph.  If you're referring to using the
IOW and IOR strobes, that's what I'm claiming isn't possible.

   IDE write protect is a new concept that exists only because
CF and PC-Card manufacturers have built that into the
controllers that exist on their circuit boards.

Regards,
Matthew










RE: [Leaf-user] can I run simple Samba server on a LEAF machine? or something similar,

2002-04-02 Thread Steve Fink

Gary,

The main purpose behind LEAF is to provide firewalling security and a
secure gateway to the internet for more than one machine.

Samba follows MS's topologies in order to provide the service(s) to MS
Networked Computers.  Samba is more secure than an actual MS file server but
yet it still poses some security risks.  Therefore...  The act of putting
Samba on a LEAF box would pose some security risk.  I do not believe there
are any LRP/LEAF packages available to add Samba.

Setting up a small Samba server inside your network parallel to your LEAF
system makes a whole lot more sense.

Take care,

Steve



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Gary Dodge
Sent: Tuesday, April 02, 2002 11:37 AM
To: [EMAIL PROTECTED]
Subject: [Leaf-user] can I run simple Samba server on a LEAF machine? or
something similar,


can I run simple Samba server on a LEAF machine? or something similar,

I need just a simple file share or server, no passwords or security, and to
handle a 120 or 160 gig IDE drive

thanks for any ideas out there








RE: [Leaf-user] DachsteinCD security questions

2002-03-27 Thread Steve Fink

Dale,

At the Dachstein command prompt:

firewall#passwd
Enter new password:
Re-Enter new password:


That should take care of that...

As far as telnet goes...

If you have all telnet ports closed to the outside world and are only using
telnet through the VPN tunnel then you shouldn't pose a security risk to any
of the machines behind the firewall.

Congrats! On the first time set-up!

Steve




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Dale Mirenda
Sent: Wednesday, March 27, 2002 4:05 PM
To: [EMAIL PROTECTED]
Subject: [Leaf-user] DachsteinCD security questions


I've just succeeded in setting up my first Linux-based VPN using
DachsteinCD. I greatly appreciate the high quality of the Dachstein package
and the (passive) help I got from browsing archives of this list.

At this point, I have two security-related questions:

1. How can I apply a password to the root login that takes you to lrcfg at
bootup? Without password protection, anyone with access to the console could
get into the configuration data.

2. If I use telnet to access my remote firewalls only through the VPN, do I
create a security problem? Should I use ssh for this instead of vanilla
telnet?

Thanks for your help, both future and past.

Dale Mirenda








[Leaf-user] Disk Difficulties

2002-03-27 Thread Steve Fink

Jacques et al,


I too had difficulty with needing more space than one diskette would handle,
and making a ton of coasters was painful too.  So I went on to try 850mb
hard drives and such...  But this seemed a bit wasteful, 2mb of data on an
850mb hard drive.

I then found some IDE Disk-On-Modules.  They're awesome!  I originally
purchased two Nagasaki 8mb modules ( http://www.nagasaki.com.tw/DOM.htm
purchasable here
http://www.bwi.com/scripts/site/site_category.php3/id/188 ) and put them into
my IDE port on the motherboard.  At first I didn't know exactly how to get
things going on them but it's really simple.

Items needed:

1- LRP system (CPU, MEM, MOBO, etc.)
1- Disk On Module ( duh! )
1- Windows 98 Boot disk ( not a Startup Disk, just a plain old boot disk )
1- Syslinux Disk w/ syslinux.com ( for DOS ).
http://freshmeat.net/redir/syslinux/10177/url_tgz/syslinux-1.67.tar.gz


Step 1) Boot using the Win 98 boot disk, fdisk and format the DOM

Step 2) Reboot

Step 3) Type "lock c:" and press Enter at the command prompt

Step 4) Insert the syslinux disk and type "syslinux"; this will take a few
seconds and then drop you to a command prompt again.

Step 5) Insert your working LRP disk 1 and type "copy *.* c:"; it will begin
the copy.  DO NOT overwrite ldlinux.sys or you're toast.

Step 6) Insert disk 2 ( assuming you have two ) and do the same command:
"copy *.* c:"

Step 7) Insert disk 1 again and hit reset; we will now boot up to your LRP
firewall

Step 8) Hit q to exit lrcfg and get to the command prompt in your LRP
firewall

Step 9) Type "mount -t msdos /dev/hda1 /mnt"

Step 10) Type "edit /mnt/syslinux.cfg", change any reference to /dev/fd0 or
/dev/fd0u1680 to /dev/hda1, Ctrl+q to exit, y to save.

Step 11) Type "umount /mnt"

Step 12) Hit Reset

Your new DOM LRP system should boot in about 14 seconds, or at least mine
does and I've got about every package under the sun...


Steve






[Leaf-user] Missing ipfwd source file.

2002-03-26 Thread Steve Fink

I need the file ipfwd.so from /usr/lib/ipmasqadm for kernel 2.2.19-3 if
anyone could send it to me.  I tried to compile it myself but can't get it
to link properly on my Red Hat 7.2 boxen to compile.

Thanks,

Steve



