[Leaf-user] LRP routing explanation needed. (Dachstein)

2001-11-14 Thread Troy Aden

Currently we set up our routes and IP aliasing in init.d / network and
network config. They look like the following:
init.d /network configuration:
ip addr add 192.168.128.1/24 brd + dev eth2 label eth2:extra_sub1
ip addr add 207.195.73.2/26 brd + dev eth2 label eth2:extra_sub2
ip addr add 207.195.73.65/26 brd + dev eth2 label eth2:extra_sub3
ip route add 192.168.129/24 via 192.168.131.2
ip route add 192.168.129.128/26 via 192.168.131.2
ip route add 207.195.73.128/26 via 192.168.131.2
ip route add 192.168.140/24 via 192.168.131.2
ip route add 192.168.132/24 via 192.168.131.2


This is the relevant info from network conf.
Network config:
eth0_IPADDR=192.168.131.1
eth0_MASKLEN=24
eth0_BROADCAST=192.168.131.255
+++
eth1_IPADDR=192.168.127.2
eth1_MASKLEN=24
eth1_BROADCAST=192.168.127.255
+++
eth2_IPADDR=207.195.73.65
eth2_MASKLEN=26
eth2_BROADCAST=207.195.73.127
eth2_IP_SHARED_MEDIA=YES



I would like to set up our routes in the network config. I need to
know how that is done. I would like to add my routes using eth2_ROUTES= and
add my addresses using eth2_IP_EXTRA_ADDRS= . The problem is that I don't
know how to do this. Can someone please explain how this would be done? In
the example they show the following:

eth2_IP_EXTRA_ADDRS="192.168.1.193 192.168.2.1/24"  (What does the first ip
represent?)

eth2_ROUTES="1.1.1.13 2.2.2.0/24_via_1.1.1.18"  (What does the first ip
represent?)


Please help.

Thx in advance.


___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user



[Leaf-user] Routing explanation needed

2001-11-19 Thread Troy Aden

I sent this question directly to Charles Steinkuehler. I
feel a little silly for asking but can someone please show me how I would
enter the info in the init.d / network (Shown below) into
eth2_IP_EXTRA_ADDRS="??" and eth2_ROUTES="???". I am a bit of a newbie on
this setup. It would help me immensely if someone could show me how I enter
this info by showing me with the init.d info entered properly in the
eth2_IP_EXTRA_ADDRS="??" and eth2_ROUTES="???". 
I have never set up routes and multiple IPs on the same interface
before and I want to be sure I do it right. Thanks.


> Currently we set up our routes and IP aliasing in init.d / network and
> network config. They look like the following:
>
> ip addr add 192.168.128.1/24 brd + dev eth2
> ip addr add 207.195.73.2/26 brd + dev eth2
> ip addr add 207.195.73.65/26 brd + dev eth2
> ip route add 192.168.129/24 via 192.168.131.2
> ip route add 192.168.129.128/26 via 192.168.131.2
> ip route add 207.195.73.128/26 via 192.168.131.2
> ip route add 192.168.140/24 via 192.168.131.2
> ip route add 192.168.132/24 via 192.168.131.2
>
>
> This is the relevant info from network conf.
> Network config:
> eth0_IPADDR=192.168.131.1
> eth0_MASKLEN=24
> eth0_BROADCAST=192.168.131.255
> +++
> eth1_IPADDR=192.168.127.2
> eth1_MASKLEN=24
> eth1_BROADCAST=192.168.127.255
> +++
> eth2_IPADDR=207.195.73.65
> eth2_MASKLEN=26
> eth2_BROADCAST=207.195.73.127
> eth2_IP_SHARED_MEDIA=YES
>
>
> I would like to set up our routes in the network config. I need to
> know how that is done. I would like to add my routes using eth2_ROUTES= and
> add my addresses using eth2_IP_EXTRA_ADDRS= . The problem is that I don't
> know how to do this. Can you please explain how this would be done? In the
> example they show the following:
>
> eth2_IP_EXTRA_ADDRS="192.168.1.193 192.168.2.1/24"  (What does the first ip
> represent?)

The first IP is an entry on the same subnet as the primary IP assigned to
the interface, so it doesn't need a network mask (inherited from the
existing settings).  The second entry assigns an IP on an entirely different
subnet, so a masklength is required to correctly generate a route to that
network, determine broadcast IP, etc...
> eth2_ROUTES="1.1.1.13 2.2.2.0/24_via_1.1.1.18"  (What does the first ip
> represent?)

A host route to ip 1.1.1.13 out dev eth2.  This is useful when running
proxy-arp, and you need to control via routing which IPs are on which side
of the router.  The second entry is a more typical static route...
> The KISS principle seems to be my goal here. I think this could be
> done a lot simpler than the way we are currently doing it by using the
> network config to add our routes and extra ip's. I think once I understand
> the proper syntax for the network config lines I will be far better off.

Please use the leaf-user list for support questions...see the support page
on my website.
Details of exactly what happens can be determined by examining the if_up
procedure in /etc/network.conf.  You can use network.conf to configure
everything you're doing manually, except for labeling the extra interfaces,
which is currently not handled by the automatic scripts.
Basically, the scripts do an "ip address add" for each entry in
_IP_EXTRA_ADDRS, and an "ip route add" for every entry in
_ROUTES.
Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

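Added here as a worked example (not LEAF's own network.conf/if_up code): a POSIX sh script that turns _IP_EXTRA_ADDRS and _ROUTES entries into the "ip addr add" / "ip route add" commands Charles describes, then applies it to the init.d commands Troy posted. It assumes that an entry without /len inherits the interface MASKLEN, that "_via_" separates network and gateway, and that a generated route is pinned with "dev" to the interface whose _ROUTES variable it came from.

```shell
#!/bin/sh
# Added example, not LEAF's own network.conf/if_up code: turn _IP_EXTRA_ADDRS
# and _ROUTES entries into the "ip addr add" / "ip route add" commands Charles
# says the scripts run, so a line can be checked before it goes into network.conf.
# Assumptions: an entry without /len inherits the interface MASKLEN, "_via_"
# separates network and gateway, and a generated route is pinned with "dev" to
# the interface whose _ROUTES variable it came from.

# One "ip addr add" per entry. A bare IP is on the primary IP's subnet and
# takes its masklen; an IP with /len is on another subnet and keeps its own,
# so the kernel derives the right connected route and broadcast for it.
# (Charles notes the eth2:extra_subN labels are not handled by the scripts,
# so none are generated here.)
expand_extra_addrs() {
    dev=$1; masklen=$2; list=$3
    for entry in $list; do
        case $entry in
            */*) prefix=$entry ;;
            *)   prefix="$entry/$masklen" ;;
        esac
        printf 'ip addr add %s brd + dev %s\n' "$prefix" "$dev"
    done
}

# One "ip route add" per entry. A bare IP becomes a host route out the
# interface (the proxy-arp case); "net/len_via_gw" is an ordinary static
# route. The underscores stand in for spaces, which a word list cannot hold.
expand_routes() {
    dev=$1; list=$2
    for entry in $list; do
        case $entry in
            *_via_*)
                net=${entry%%_via_*}
                gw=${entry##*_via_}
                printf 'ip route add %s via %s dev %s\n' "$net" "$gw" "$dev"
                ;;
            *)
                printf 'ip route add %s dev %s\n' "$entry" "$dev"
                ;;
        esac
    done
}

# Troy's init.d commands as network.conf variables. 207.195.73.65/26 is the
# primary eth2 address, so only the other two are extras; 207.195.73.2 lies in
# 207.195.73.0/26, a different subnet from 207.195.73.64/26, hence the /26.
# The gateway 192.168.131.2 sits on eth0's 192.168.131.0/24, so the via routes
# belong in eth0_ROUTES, not eth2_ROUTES: pinned to eth2 they would not install.
eth2_MASKLEN=26
eth2_IP_EXTRA_ADDRS="192.168.128.1/24 207.195.73.2/26"
eth0_ROUTES="192.168.129.0/24_via_192.168.131.2 192.168.129.128/26_via_192.168.131.2 207.195.73.128/26_via_192.168.131.2 192.168.140.0/24_via_192.168.131.2 192.168.132.0/24_via_192.168.131.2"

# Print the complete command list for Troy's configuration.
troy_commands() {
    expand_extra_addrs eth2 "$eth2_MASKLEN" "$eth2_IP_EXTRA_ADDRS"
    expand_routes eth0 "$eth0_ROUTES"
}

troy_commands
```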





[Leaf-user] Firewall is hindering ftp.

2001-11-28 Thread Troy Aden

When I attempt to ftp to our server (192.139.75.6) it takes up to
30 sec to connect (it should take 2 sec). I turned on logging and this is
the output.

Nov 27 22:12:12 firewall kernel: Packet log: remote DENY eth0 PROTO=6
192.139.75.6:1083 192.139.75.156:113 L=60 S=0x00 I=19689 F=0x4000 T=63 SYN
(#10)

I went to http://www.echogent.com/cgi-bin/fwlog.pl and this is what it told me.
A TCP packet to this port (113) is associated with the ident service. If
you're running this service on your firewall or on your LAN, with the
intention of offering external access to it, then your firewall may be
mis-configured. If you're *not* running this service, and have no idea what
it is, it's likely someone trying to take advantage of your system in some
manner. You may want to investigate 192.139.75.6 further and see if there's
an Administrative Contact there whom you could email this packet log to. 
I am running Dachstein rc2 with Seawall 4.1. I have ftp_masq
enabled. Anyone have any ideas as to what is happening here?



Troy Aden
IT - Support/Training/Buyer 
WaveCom Electronics Inc.
202 Cardinal Cres. Saskatoon, SK  S7L 6H8
Phone: (306)955-7075 ext. 314
Fax: (306)955-7315
mailto:[EMAIL PROTECTED]
http://www.wavecom.ca/





[Leaf-user] How to back up configuration to a floppy. (Dachstein CD with bootable floppy)

2001-11-28 Thread Troy Aden

Can someone please show me an example of the syntax for backing up
everything except log to a floppy. If I am shown an example it would be very
helpful. I am using the Dachstein CD and trying to backup my configuration.
I keep getting unexpected end of file errors.

Thanks.




[Leaf-user] DNS being blocked?

2001-11-29 Thread Troy Aden








I am running Dachstein rc2 with Seawall version 4.1 and dnscache. I noticed that
while browsing I was having slow load times. I turned on logging and I saw
this:

Nov 29 12:37:14 firewall kernel: Packet log: remote DENY eth0 PROTO=17 192.36.148.17:53 192.139.75.156:48655 L=312 S=0x00 I=25620 F=0x4000 T=44 (#11)

Can someone please tell me what I have misconfigured, or at least tell me what is
happening.

Thanks in advance.

Troy

BTW. Thanks Tom for solving my ftp problems. You guys are great!








RE: [Leaf-user] DNS being blocked?

2001-11-29 Thread Troy Aden

Yep. That was the problem. Thanks!

-Original Message-
From: Simon Bolduc [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, November 29, 2001 3:00 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [Leaf-user] DNS being blocked?

Seawall is misconfigured - you don't need to add the IP addresses of your 
DNS servers within seawall which is what I suspect you have done.  Try 
setting the dnsservers variable to "" and see what happens...

S




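Added here as a worked example (not code from the thread, from Seawall, or from the echogent log tool): a POSIX sh classifier for the ipchains "Packet log:" lines in the ftp/ident message and the DNS message above, which separates the two slow-connection symptoms from anything else. It assumes the field order shown in those two lines and uses them as sample input, together with one constructed line.

```shell
#!/bin/sh
# Added example, not from the thread or from Seawall: classify the ipchains
# "Packet log:" lines Troy posted, so the two slow-connect symptoms (ftp
# taking 30 s, slow page loads) are told apart from other denied packets.
# Field layout assumed from the posted lines:
#   Packet log: <chain> <action> <dev> PROTO=<n> <src>:<sport> <dst>:<dport> ...

classify_packet_log() {
    line=$1
    case $line in
        *"Packet log: "*) ;;
        *) echo "not-a-packet-log"; return 1 ;;
    esac
    rest=${line#*Packet log: }
    set -- $rest                      # word-split the fields after the prefix
    chain=$1; action=$2; dev=$3; proto=${4#PROTO=}
    src=${5%:*}; sport=${5##*:}; dst=${6%:*}; dport=${6##*:}

    if [ "$proto" = 17 ] && [ "$sport" = 53 ]; then
        # A UDP packet from a nameserver's port 53 to one of our high ports is
        # the answer to our own query. Denying it stalls browsing until the
        # resolver retries: the filter rules, not the DNS server, are at fault
        # (Simon's point about the Seawall dnsservers variable).
        echo "dns-reply-blocked $src -> $dst:$dport on $dev ($chain $action)"
    elif [ "$proto" = 6 ] && [ "$dport" = 113 ]; then
        # The ftp server we just connected to asks our ident port who we are.
        # Silently dropping it (DENY) leaves the server waiting for a timeout
        # before it greets us; a REJECT gives an immediate refusal and removes
        # the delay without exposing an ident service.
        echo "ident-probe-denied $src:$sport -> $dst on $dev ($chain $action)"
    else
        echo "other proto=$proto $src:$sport -> $dst:$dport on $dev ($chain $action)"
    fi
}

# Sample input: the two lines from the thread plus one constructed telnet probe.
LOG_DNS='Nov 29 12:37:14 firewall kernel: Packet log: remote DENY eth0 PROTO=17 192.36.148.17:53 192.139.75.156:48655 L=312 S=0x00 I=25620 F=0x4000 T=44 (#11)'
LOG_IDENT='Nov 27 22:12:12 firewall kernel: Packet log: remote DENY eth0 PROTO=6 192.139.75.6:1083 192.139.75.156:113 L=60 S=0x00 I=19689 F=0x4000 T=63 SYN (#10)'
LOG_OTHER='Nov 29 12:40:00 firewall kernel: Packet log: remote DENY eth0 PROTO=6 198.51.100.7:4444 192.139.75.156:23 L=60 S=0x00 I=1 F=0x4000 T=50 SYN (#12)'

for l in "$LOG_DNS" "$LOG_IDENT" "$LOG_OTHER"; do
    classify_packet_log "$l"
done
```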


RE: [Leaf-user] IPSec.lrp vs Cipe.lrp

2001-12-05 Thread Troy Aden

If you decide to switch to a dual floppy boot, this is a great site.
http://leaf.sourceforge.net/pub/doc/guide/install-eigerstein/eiger-mod-2disk.html



 -Original Message-
From:   Simon Bolduc [mailto:[EMAIL PROTECTED]] 
Sent:   Wednesday, December 05, 2001 1:27 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject:Re: [Leaf-user] IPSec.lrp vs Cipe.lrp

Well I can't see what else you can remove - except comments from the 
configuration files ;) but I doubt that is gonna do it.  You could always 
try using 1743K disks.  This is not recommended as it can lead to a lot of 
useless diskettes - and non booting systems, plus some floppy drives don't 
like them.  If you do go this route you may need to put the syslinux 
bootloader on the diskettes again as I have had problems using 1743K images 
without running syslinux on the disks again - it just gave me boot errors.  
It's available here...

http://syslinux.zytor.com/

Your other option is using a dual floppy boot.

S


>From: Pär Johansson <[EMAIL PROTECTED]>
>To: LEAF <[EMAIL PROTECTED]>
>Subject: [Leaf-user] IPSec.lrp vs Cipe.lrp
>Date: Wed, 5 Dec 2001 16:58:36 +0100
>
>Hi
>I want to setup four VPN tunnels from my office to four different homes.
>I have Dachstein running on each location, but I haven't got CD on
>any of them so I have to use disk version.
>My question is should I use IPSec 1.91 or Cipe? IPSec is hard to fit
>on Dachstein with SSH.
>Are there compatibility issues if I would like to connect a "Road
>Warrior" in the future?
>If I should go with IPSec how can I lose 20 k more from the disk? I
>have removed all modules I don't need, both dhcp packages,
>mkhostkey from ssh and readme.txt.
>I like weblet and dnscache, don't want to lose them.
>
>
>TIA
>
>Pär Johansson
>--
>
>





RE: [Leaf-user] Getting Dachstein to work

2001-12-06 Thread Troy Aden

I was a complete LRP newbie and this website helped me immensely.
http://leaf.sourceforge.net/pub/doc/guide/install-eigerstein/eiger-contents.html



 -Original Message-
From:   Charles Steinkuehler [mailto:[EMAIL PROTECTED]] 
Sent:   Thursday, December 06, 2001 7:57 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject:Re: [Leaf-user] Getting Dachstein to work

> I abandoned Eiger and now have attempted Dachstein.  I am a little confused
> by the error message I am getting.
>
> "No subnet declaration for 'eth1' (0.0.0.0).  Please write a subnet
> declaration in your dhcpd.conf file for the network segment to which eth1 is
> attached."
>
> I've reviewed the file and am uncertain how to write this subnet
> declaration.  The help file suggests that I may need to edit
> /etc/init.d/dhcpcd as well.
>
> I've tried various changes to be sure that all the hardware is working.  I
> am at a loss for how to edit the files.
>
> I would appreciate any help I can get on this.  Thank you.

If you're just starting with a Dachstein image, this error indicates your
internal network card is not configured.  You probably need to load the
proper kernel module for your network card(s).  Edit /etc/modules to control
which modules to load.  If you're lucky, the module(s) you need will already
be on the disk.  If not, you'll have to download them and add them to your
floppy.

More detailed directions are available in the readme file on the floppy.
You can find out which kernel module your network cards require from section
4 of the linux Ethernet-HOWTO:
http://www.linuxdoc.org/HOWTO/Ethernet-HOWTO.html

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)






[Leaf-user] kernel appears to lack KLIPS??

2001-12-14 Thread Troy Aden

I am running Dachstein with Seawall, and the 1.91 IPSEC with
ipsec_masq uncommented. I also have the mawk and ifconfig modules. I keep
getting this message when I boot the system:
I would greatly appreciate it if anyone could give me any clues as
to what this message means and how to make it go away. 

Thanks in advance.

Troy 






[leaf-user] DHCP REQUESTS FORWARDED BETWEEN SUBNETS

2002-05-22 Thread Troy Aden


Hi I am working with Dachstein in a basic router setup. I would like
to know how to set up DHCP request forwarding between subnets so that we can
administer all of our subnets with one DHCP server. I will do my best to
draw this out. 


  -ROUTER-
Subnet 1 - 192.168.141.1
Subnet 2 - 192.168.142.1
Subnet 3 - 192.168.143.1

DHCP SERVER IS ON SUBNET 1. (192.168.141.252)
I want computers that are on the .142 and .143 subnets to (obtain IPs from
the DHCP server on subnet 1) have their DHCP REQUESTS forwarded to the DHCP
SERVER ON SUBNET 1 (.141).

How is this done? Can someone please help me out.

Thanks in advance.

Troy

___

Don't miss the 2002 Sprint PCS Application Developer's Conference
August 25-28 in Las Vegas -- http://devcon.sprintpcs.com/adp/index.cfm


leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html



RE: [leaf-user] DHCP REQUESTS FORWARDED BETWEEN SUBNETS

2002-05-22 Thread Troy Aden

Thanks Richard. I was hoping for a little more of a "baby steps"
guide can you be a little more specific as to how I need to do this? Can you
provide me with an example configuration or a link to a how to? 

Thanks again.
Troy

-Original Message-
From: Richard Doyle [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, May 22, 2002 7:50 PM
To: Troy Aden
Cc: [EMAIL PROTECTED]
Subject: Re: [leaf-user] DHCP REQUESTS FORWARDED BETWEEN SUBNETS

dhcrelay is your friend. See 
ftp://ftp.isc.org/isc/dhcp/dhcp-2.0pl5.tar.gz
(version 3 is much bigger).

-Richard






RE: [leaf-user] DHCP REQUESTS FORWARDED BETWEEN SUBNETS

2002-05-24 Thread Troy Aden

Hi guys,

Have installed this package but I have a question about a message
that it displays when it is loading. 

Starting dhrelay on eth1 eth2 eth3 eth4 eth5
Route: not found
Route: not found
Route: not found
Route: not found
Route: not found
Route: not found
Why is it giving this "Route: not found" message? When I do an "ip
route" command I get the following:

192.168.145.0/24 dev eth5 proto kernel scope link src 192.168.145.1
192.168.144.0/24 dev eth4 proto kernel scope link src 192.168.144.1
192.168.133.0/24 dev eth0 proto kernel scope link src 192.168.133.1
192.168.143.0/24 dev eth3 proto kernel scope link src 192.168.143.1
192.168.142.0/24 dev eth2 proto kernel scope link src 192.168.142.1
192.168.141.0/24 dev eth2 proto kernel scope link src 192.168.141.1
default via 192.168.133.1 dev eth0

 Can someone please explain why I am getting this "Route: not found"
message? Why is it expecting a route?  Thanks 




 -Original Message-
From:   Mike Noyes [mailto:[EMAIL PROTECTED]] 
Sent:   Friday, May 24, 2002 7:15 AM
To: [EMAIL PROTECTED]
Subject:Re: [leaf-user] DHCP REQUESTS FORWARDED BETWEEN SUBNETS

On Fri, 2002-05-24 at 04:28, Ed Tetz wrote:
> Hi Mike,
> 
> One last question, How would I have known (or should I have known) what
> kernel versions the packages are by looking at the CVS page?
> http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/leaf/bin/packages/glibc-2.0/dhcrelay.lrp
> 
> I didn't really see anything on that page or its links that told me
> anything. Do I need software other than my web browser to tell the
> differences between the versions? Is there a separate index page that would
> tell me the differences or would that normally be in the description (not to
> slight you, as you have been doing great work on compiling everything into
> one place - I am impressed)?

Ed,
No. I didn't include the kernel information, because it's a guess on my
part. These packages from Koon Wong are three years old, and no one has
been able to contact him in over two years.

Once we get the initial creation of our packages tree done, updates and
corrections should commence. I wish the repository was in better shape,
but it's not currently. All we can do is try to improve it.

I'll revert the dhcrelay.lrp package to the 1.3 cvs version in the next
couple of days. My thanks to everyone that spotted this problem.

I don't know if you're subscribed to the leaf-devel list, but there was
a discussion of a new .desc file that would correct many of the package
information problems you're seeing. Kernel version is one of the
suggested fields.

> Sorry, I guess that was three questions :-)

No problem. I'm glad to help where and when I can. :-)

-- 
Mike Noyes <[EMAIL PROTECTED]>
http://sourceforge.net/users/mhnoyes/
http://leaf-project.org/





RE: [leaf-user] DHCP REQUESTS FORWARDED BETWEEN SUBNETS

2002-05-24 Thread Troy Aden

Could you please send me a link to the dhcrelay.lrp package that you
use?

Troy Aden
IT - Support/Training/Buyer 
WaveCom Electronics Inc.
150 Cardinal Place Saskatoon, SK  S7L 6H7
Phone: (306)955-7075 ext. 314
Fax: (306)955-7315
mailto:[EMAIL PROTECTED]
http://www.wavecom.ca/

 -Original Message-
From:   Richard Doyle [mailto:[EMAIL PROTECTED]] 
Sent:   Friday, May 24, 2002 11:28 AM
To: Troy Aden
Cc: 'Mike Noyes'; [EMAIL PROTECTED]
Subject:RE: [leaf-user] DHCP REQUESTS FORWARDED BETWEEN SUBNETS

I suspect the startup script in the dhcrelay package you used calls the
route command (I have no idea why it would do this), but your distro
doesn't provide "route."

I don't call route or ip in my dhcrelay startup script, so I can't tell
you how to fix it (if that is your problem), but look for a "route"
command and replace it with the equivalent "ip" command.

-Richard


RE: [leaf-user] DHCP REQUESTS FORWARDED BETWEEN SUBNETS

2002-05-24 Thread Troy Aden

I found the source of the error in the startup script, but I do not
know how to solve it. This is what it looks like:

case "$1" in
start)
    echo "starting dhcrelay on $ifs: "
    # "route" is the net-tools binary, which Dachstein does not ship;
    # this line is what prints "route: not found" once per interface
    for iface in $ifs; do
        route add -host 255.255.255.255 dev $iface
        ix="-i $iface "
        i=$i$ix
    done
    /usr/sbin/dhcrelay -q -p $port $servers $i
    ;;
stop)
Can someone please help me correct this? Thanks in advance.

Troy



RE: [leaf-user] DHCP REQUESTS FORWARDED BETWEEN SUBNETS

2002-05-24 Thread Troy Aden

I did some digging and came up with this little nugget that has me
more confused than ever.
http://www.dhs.org/pipermail/systalk/1999-July/007592.html

"In order for dhcpd to work correctly with picky DHCP clients (e.g.,
Windows 95), it must be able to send packets with an IP destination
address of 255.255.255.255.  Unfortunately, Linux insists on changing
255.255.255.255 into the local subnet broadcast address (here, that's
192.5.5.223).  This results in a DHCP protocol violation, and while
many DHCP clients don't notice the problem, some (e.g., all Microsoft
DHCP clients) do.  Clients that have this problem will appear not to
see DHCPOFFER messages from the server.

It is possible to work around this problem on some versions of Linux
by creating a host route from your network interface address to
255.255.255.255.   The command you need to use to do this on Linux
varies from version to version.   The easiest version is:

route add -host 255.255.255.255 dev eth0"

Someone please help me out here. I have downloaded and tried every
version of dhcrelay from 1.1 to 1.4 and they all give the same error when
they load. 

Thanks in advance.



 -Original Message-----
From:   Troy Aden  
Sent:   Friday, May 24, 2002 2:53 PM
To: Troy Aden; 'Richard Doyle'
Cc: 'Mike Noyes'; [EMAIL PROTECTED]
Subject:RE: [leaf-user] DHCP REQUESTS FORWARDED BETWEEN SUBNETS

I found the source of the error in the startup script. But I do not
know have to solve it. This is what it looks like:
Case "$1" in
Start)
Echo starting dhcrelay on $ifs: "
For if in 'echo $ifs'; do
Route add -host 255.255.255.255 dev $if 
ix="-I $if "
i=$i$ix
done
/usr/sbin/dhcrelay -q -p $port $servers $I
;;
stop)
Can someone please help me correct this? Thanks in advance.

    Troy


 -Original Message-
From:   Troy Aden [mailto:[EMAIL PROTECTED]] 
Sent:   Friday, May 24, 2002 1:52 PM
To: 'Richard Doyle'
Cc: 'Mike Noyes'; [EMAIL PROTECTED]
Subject:RE: [leaf-user] DHCP REQUESTS FORWARDED BETWEEN SUBNETS

Could you please send me a link to the dhcrelay.lrp package that you
use?

Troy Aden
IT - Support/Training/Buyer 
WaveCom Electronics Inc.
150 Cardinal Place Saskatoon, SK  S7L 6H7
Phone: (306)955-7075 ext. 314
Fax: (306)955-7315
mailto:[EMAIL PROTECTED]
http://www.wavecom.ca/

 -Original Message-
From:   Richard Doyle [mailto:[EMAIL PROTECTED]] 
Sent:   Friday, May 24, 2002 11:28 AM
To: Troy Aden
Cc: 'Mike Noyes'; [EMAIL PROTECTED]
Subject:RE: [leaf-user] DHCP REQUESTS FORWARDED BETWEEN SUBNETS

I suspect the startup script in the dhcrelay package you used calls the
route command (I have no idea why it would do this), but your distro
doesn't provide "route."

I don't call route or ip in my dhcrelay startup script, so I can't tell
you how to fix it (if that is your problem), but look for a "route"
command and replace it with the equivalent "ip" command.

-Richard

On Fri, 2002-05-24 at 09:45, Troy Aden wrote:
>   Hi guys,
>   
>   Have installed this package but I have a question about a message
> that it displays when it is loading. 
> 
>   Starting dhrelay on eth1 eth2 eth3 eth4 eth5
>   Route: not found
>   Route: not found
>   Route: not found
>   Route: not found
>   Route: not found
>   Route: not found
>   Why is it giving this "Route: not found" message? When I do an "IP
> route" command I get the following:
>   
>   192.168.145.0/24 dev eth5 proto kernel scope link src
> 192.168.145.1
>   192.168.144.0/24 dev eth4 proto kernel scope link src
> 192.168.144.1
>   192.168.133.0/24 dev eth0 proto kernel scope link src
> 192.168.133.1
>   192.168.143.0/24 dev eth3 proto kernel scope link src
> 192.168.143.1
>   192.168.142.0/24 dev eth2 proto kernel scope link src
> 192.168.142.1
>   192.168.141.0/24 dev eth2 proto kernel scope link src
> 192.168.141.1
>   default via 192.168.133.1 dev eth0
> 
>Can someone please explain why I am getting this "Route: not found"
> message? Why is it expecting a route?  Thanks 
>   
>   
> 
> 
>  -Original Message-
> From: Mike Noyes [mailto:[EMAIL PROTECTED]] 
> Sent: Friday, May 24, 2002 7:15 AM
> To:   [EMAIL PROTECTED]
> Subject:  Re: [leaf-user] 
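
The start) branch of the posted script rewritten to use ip(8), the replacement Richard suggests above. This is an added example, not the script shipped in any dhcrelay.lrp package; the interface list is the one from the startup message, while the port and the DHCP server address are placeholders. With DRY_RUN left at its default of 1 the functions print the commands instead of executing them, so the fragment can be read and checked without root.

```shell
#!/bin/sh
# Added example: the start) branch of the dhcrelay startup script using
# ip(8) instead of route(8), which Dachstein does not ship. This is not the
# dhcrelay.lrp package's own script. The three settings below stand in for
# whatever the package reads from its config file; port and server are assumed.
ifs="eth1 eth2 eth3 eth4 eth5"      # interfaces from the posted startup message
port=67
servers="192.168.131.10"            # assumed address of the DHCP server

# Print a command instead of running it unless DRY_RUN=0 (so this can be
# read and exercised without root).
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# dhcrelay_iface_args "eth1 eth2" -> "-i eth1 -i eth2" (empty list -> "").
dhcrelay_iface_args() {
    args=""
    for dev in $1; do
        args="${args:+$args }-i $dev"
    done
    printf '%s' "$args"
}

# The limited-broadcast host route the ISC notes ask for, one per interface,
# in iproute2 syntax: this replaces the line that produced "route: not found".
add_host_routes() {
    for dev in $1; do
        run ip route add 255.255.255.255/32 dev "$dev"
    done
}

# The relay itself: quiet, on the configured port, forwarding to $servers,
# listening only on the interfaces in $ifs.
start_dhcrelay() {
    run /usr/sbin/dhcrelay -q -p "$port" $servers $(dhcrelay_iface_args "$ifs")
}

case "${1:-}" in
start)
    echo "starting dhcrelay on $ifs:"
    add_host_routes "$ifs"
    start_dhcrelay
    ;;
esac
```

Run it as `DRY_RUN=0 sh dhcrelay.sh start` on the router once the printed commands look right; `ip route` afterwards should show one `255.255.255.255 dev ethN scope link` line per interface, exactly the lines that appear in the later `ip route` output in this thread.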

RE: [leaf-user] DHCP REQUESTS FORWARDED BETWEEN SUBNETS

2002-05-25 Thread Troy Aden

Thank you! That was the problem. There is an interesting vulnerability with
using dhcrelay. If I use an app like udpflood.exe and flood port 67 on the
interface with the dhcp server (eth1 in this case) with udp traffic that
varies between 1 and 100 bytes I grind our entire network to a halt. My logs
instantly fill with messages like this:

May 24 20:25:46 firewall dhcrelay: ignoring BOOTREQUEST with giaddr of
131.51.22.73 
May 24 20:25:46 firewall dhcrelay: Discarding packet with invalid hlen.
May 24 20:25:46 firewall last message repeated 13 times
May 24 20:25:46 firewall dhcrelay: ignoring BOOTREQUEST with giaddr of
170.86.27.94 
May 24 20:25:46 firewall dhcrelay: Discarding packet with invalid hlen.
May 24 20:25:47 firewall last message repeated 7 times
May 24 20:25:47 firewall dhcrelay: ignoring BOOTREQUEST with giaddr of
197.227.233.102 
May 24 20:25:47 firewall dhcrelay: Discarding packet with invalid hlen.
May 24 20:25:47 firewall last message repeated 6 times
May 24 20:25:47 firewall dhcrelay: ignoring BOOTREQUEST with giaddr of
124.251.251.242 
May 24 20:25:47 firewall dhcrelay: Discarding packet with invalid hlen.
May 24 20:25:47 firewall last message repeated 3 times
May 24 20:25:47 firewall dhcrelay: ignoring BOOTREQUEST with giaddr of
39.185.213.55 
May 24 20:25:47 firewall dhcrelay: Discarding packet with invalid hlen.
May 24 20:25:47 firewall last message repeated 8 times
May 24 20:25:47 firewall dhcrelay: ignoring BOOTREQUEST with giaddr of
166.197.49.69 
May 24 20:25:47 firewall dhcrelay: Discarding packet with invalid hlen.
May 24 20:25:47 firewall last message repeated 34 times
May 24 20:25:47 firewall dhcrelay: ignoring BOOTREQUEST with giaddr of
109.148.55.57 
May 24 20:25:47 firewall dhcrelay: Discarding packet with invalid hlen.
May 24 20:25:47 firewall last message repeated 25 times
May 24 20:25:47 firewall dhcrelay: ignoring BOOTREQUEST with giaddr of
150.105.253.133 
May 24 20:25:47 firewall dhcrelay: Discarding packet with invalid hlen.
May 24 20:25:47 firewall last message repeated 10 times
May 24 20:25:47 firewall dhcrelay: ignoring BOOTREQUEST with giaddr of
154.120.240.0 
May 24 20:25:47 firewall dhcrelay: Discarding packet with invalid hlen.
May 24 20:25:47 firewall last message repeated 6 times
May 24 20:25:47 firewall dhcrelay: ignoring BOOTREQUEST with giaddr of
24.4.108.161 
May 24 20:25:47 firewall dhcrelay: Discarding packet with invalid hlen.
May 24 20:25:47 firewall last message repeated 2 times
May 24 20:25:47 firewall dhcrelay: ignoring BOOTREQUEST with giaddr of
116.228.118.206 
May 24 20:25:47 firewall dhcrelay: Discarding packet with invalid hlen.
May 24 20:25:47 firewall last message repeated 56 times
May 24 20:25:47 firewall dhcrelay: ignoring BOOTREQUEST with giaddr of
180.183.231.219 
May 24 20:25:47 firewall dhcrelay: ignoring BOOTREQUEST with giaddr of
249.100.252.155 
May 24 20:25:47 firewall dhcrelay: Discarding packet with invalid hlen.
May 24 20:25:47 firewall last message repeated 16 times
May 24 20:25:47 firewall dhcrelay: ignoring BOOTREQUEST with giaddr of
90.28.104.60 
May 24 20:25:47 firewall dhcrelay: Discarding packet with invalid hlen.
May 24 20:25:47 firewall last message repeated 35 times
May 24 20:25:47 firewall dhcrelay: ignoring BOOTREQUEST with giaddr of
148.74.194.1 
May 24 20:25:47 firewall dhcrelay: Discarding packet with invalid hlen.
May 24 20:25:47 firewall dhcrelay: Discarding packet with invalid hlen.
May 24 20:25:47 firewall dhcrelay: ignoring BOOTREQUEST with giaddr of
233.53.69.172 
May 24 20:25:47 firewall dhcrelay: Discarding packet with invalid hlen.
May 24 20:25:47 firewall last message repeated 15 times
May 24 20:25:47 firewall dhcrelay: ignoring BOOTREQUEST with giaddr of
245.239.13.192 
May 24 20:25:47 firewall dhcrelay: Discarding packet with invalid hlen.
May 24 20:25:48 firewall last message repeated 25 times

Is there any way to prevent this from happening? Would this be considered a
bug? The bottom line for me is that it does work I just wanted to make sure
that everyone knew that it does have a potential weakness. Please correct me
if I am wrong.

Thank you! To all of you that helped me get this working. 

Troy

 -Original Message-
From:   guitarlynn [mailto:[EMAIL PROTECTED]] 
Sent:   Friday, May 24, 2002 4:36 PM
To: [EMAIL PROTECTED]
Subject:Re: [leaf-user] DHCP REQUESTS FORWARDED BETWEEN SUBNETS


> It is possible to work around this problem on some versions of Linux
> by creating a host route from your network interface address to
> 255.255.255.255.   The command you need to use to do this on Linux
> varies from version to version.   The easiest version is:
>
> route add -host 255.255.255.255 dev eth0"
>
>   Someone please help me out here. I have downloaded and tried every
> version of dhcrelay from 1.1 to 1.4 and they all give the same error
> when they load.
>

Load the "ifconfig.lrp" package for the route command or change the
script to take the iproute command(s).
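
An added example, not part of dhcrelay or of this thread, showing how to size the flood described above from the syslog lines it leaves behind. The sample log is constructed from the excerpt in the post; the per-second threshold is an assumption. Two details matter: syslog folds repeats into "last message repeated N times", so a plain `grep -c` undercounts by more than an order of magnitude, and a real relay population is a small fixed set of giaddr values, so dozens of random ones mean the field is being forged.

```shell
#!/bin/sh
# Added example, not part of dhcrelay or the thread: measure a BOOTREQUEST
# flood from the syslog lines it leaves. Functions read syslog text on stdin.
# Sample constructed from the log excerpt in the post above.
SAMPLE_LOG='May 24 20:25:46 firewall dhcrelay: ignoring BOOTREQUEST with giaddr of 131.51.22.73
May 24 20:25:46 firewall dhcrelay: Discarding packet with invalid hlen.
May 24 20:25:46 firewall last message repeated 13 times
May 24 20:25:46 firewall dhcrelay: ignoring BOOTREQUEST with giaddr of 170.86.27.94
May 24 20:25:46 firewall dhcrelay: Discarding packet with invalid hlen.
May 24 20:25:47 firewall last message repeated 7 times
May 24 20:25:47 firewall dhcrelay: ignoring BOOTREQUEST with giaddr of 197.227.233.102
May 24 20:25:47 firewall dhcrelay: Discarding packet with invalid hlen.
May 24 20:25:47 firewall last message repeated 6 times
May 24 20:25:50 firewall dhcrelay: ignoring BOOTREQUEST with giaddr of 131.51.22.73'

# Busiest second as "HH:MM:SS count". Every dhcrelay line counts once and a
# "last message repeated N times" line adds N, so the count reflects what the
# relay actually processed rather than what syslog bothered to write out.
dhcrelay_peak_per_second() {
    awk '
        $5 == "dhcrelay:" { n[$3]++; next }
        $5 == "last" && $7 == "repeated" { n[$3] += $8 }
        END {
            peak = 0
            for (t in n) if (n[t] > peak) { peak = n[t]; at = t }
            print at, peak
        }'
}

# Number of distinct giaddr values the relay refused. Genuine relays on a LAN
# are a small fixed set; many random ones mean the field is forged.
dhcrelay_giaddr_count() {
    awk '
        $5 == "dhcrelay:" && $6 == "ignoring" { g[$NF] = 1 }
        END { c = 0; for (k in g) c++; print c }'
}

# dhcrelay_flood_verdict [THRESHOLD] < syslog: one-line summary. The default
# threshold of 10 events/s is an assumption; tune it to what your own lease
# renewals actually produce.
dhcrelay_flood_verdict() {
    threshold="${1:-10}"
    log=$(cat)
    giaddrs=$(printf '%s\n' "$log" | dhcrelay_giaddr_count)
    set -- $(printf '%s\n' "$log" | dhcrelay_peak_per_second)
    if [ "${2:-0}" -ge "$threshold" ]; then
        printf 'FLOOD at %s: %s dhcrelay events/s, %s distinct giaddr\n' "$1" "$2" "$giaddrs"
    else
        printf 'ok: peak %s/s at %s\n' "$2" "$1"
    fi
}
```

Usage: `dhcrelay_flood_verdict 10 < /var/log/messages`. The flood itself arrives over the local segments dhcrelay listens on, so the practical containment is to pass `-i` only for interfaces that actually have clients and to let the packet filter accept udp/67 only from those subnets; whether a given dhcrelay version still reaches the server over an interface not listed with `-i` is something to test before relying on it.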

[leaf-user] DFE-570-TX Too much work during interrupt

2002-07-09 Thread Troy Aden

I am running dhcrelay. So it is getting hit with quite a few lease requests
being forwarded to our DHCP servers. About once a week when our leases get
renewed I get the following error. "Eth1 : Too much work during interrupt.
Csr5=0xF0630040." (This is the interface where our DHCP server resides)  I
am assuming that this is because the nic is being flooded on port 67 between
its ports and it is dropping packets as a result. So far I have updated to
the most recent tulip driver (v0.93), and I have applied the following fix:
"echo "500 1000 2000" > /proc/sys/vm/freepages"
(Check link for details)
http://www.tux.org/hypermail/linux-tulip/2001-Nov/0053.html

This seemed to work but the problem has returned. Does anyone have any
suggestions?  Is there a way that I can increase the maximum work during the
interrupt? Is there a driver for this card that works properly? Can someone
point me to a link that will be helpful? 


Thanks in advance.

Troy






---
This sf.net email is sponsored by:ThinkGeek
Stuff, things, and much much more.
http://thinkgeek.com/sf

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html



RE: [leaf-user] DFE-570-TX Too much work during interrupt

2002-07-09 Thread Troy Aden

Is there one that is compiled for Dachstein? I do not have access to
a Linux box.

Thanks.


 -Original Message-
From:   Richard Doyle [mailto:[EMAIL PROTECTED]] 
Sent:   Tuesday, July 09, 2002 12:37 PM
To: Troy Aden
Cc: Leaf-User (E-mail)
Subject:Re: [leaf-user] DFE-570-TX Too much work during interrupt

On Tue, 2002-07-09 at 09:56, Troy Aden wrote:
> I am running dhcrelay. So it is getting hit with quite a few lease requests
> being forwarded to our DHCP servers. About once a week when our leases get
> renewed I get the following error. "Eth1 : Too much work during interrupt.
> Csr5=0xF0630040." (This is the interface where our DHCP server resides)  I
> am assuming that this is because the nic is being flooded on port 67 between
> its ports and it is dropping packets as a result. So far I have updated to
> the most recent tulip driver (v0.93), and I have applied the following fix:
> "echo "500 1000 2000" > /proc/sys/vm/freepages"
> (Check link for details)
> http://www.tux.org/hypermail/linux-tulip/2001-Nov/0053.html
> 
> This seemed to work but the problem has returned. Does anyone have any
> suggestions?  Is there a way that I can increase the maximum work during the
> interrupt? Is there a driver for this card that works properly? Can someone
> point me to a link that will be helpful? 
> 
> 
>   Thanks in advance.
>   
>   Troy
> 

FWIW, the current version of the tulip driver at scyld
(ftp://ftp.scyld.com/pub/network/tulip.c) is 0.95. 





[leaf-user] 10.10.x.x network blocked by default?

2002-07-15 Thread Troy Aden



I am attempting to set up a Dachstein router to connect to a
DSL modem. The IP is in the 10.10.x.x range. I think that this may be the
reason that I can't get it to work. Is the 10.10.x.x network blocked by
default as a reserved network? Where do I go to stop this from being blocked
in Dachstein?


Thanks in advance.

Troy.





RE: [leaf-user] Using ifconfig with Dachstein

2002-07-29 Thread Troy Aden

Is there a version of dhcrelay.lrp and ifconfig.lrp that will work with
BERING? 

Thanks in advance.

 -Original Message-
From:   Erich Titl [mailto:[EMAIL PROTECTED]] 
Sent:   Monday, July 29, 2002 1:26 PM
To: [EMAIL PROTECTED]
Subject:Re: [leaf-user] Using ifconfig with Dachstein

Hi Craig

Craig wrote the following at 20:49 29.07.2002:
>Hi folks,
>Let me start over. I'm using the Dachstein 1.0.2 CD which, I see, has
>the ifconfig.lrp module already on it. How do I get the ifconfig module
>to load upon start-up??? Do I- a.)Simply edit an existing "config" file?
>(Which file, and how do I find/edit it?) b.)Need to create an lrpkg.cfg
>file (How do I do that?). Thank you.

b) is your friend

please read

http://lrp.steinkuehler.net/Packages/LRP-CD.htm

for all info about the CD distribution

cheers
Erich

THINK
Püntenstrasse 39
8143 Stallikon
mailto:[EMAIL PROTECTED]
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024  8D8A B7D4 FF9D 05B8 0A16






[leaf-user] HOW TO ADD STATIC ROUTES TO BERING..

2002-07-30 Thread Troy Aden

I have done a fair amount of digging and I can't find any documentation on how to
add static routes to Bering. Can anyone tell me how to do it or point me to
the documentation. I am trying to add 4 static routes. 

Thanks in advance. 

Troy





RE: [leaf-user] HOW TO ADD STATIC ROUTES TO BERING..

2002-07-31 Thread Troy Aden

Thanks for the link Kim. And thanks to all of you who replied to my post. I
love this list. It was helpful but I guess I was not entirely clear on
what I need to know. Here is the situation. 
I have a router that was built with Dachstein. I am wanting to upgrade it to
Bering. The routes that were added to the Dachstein distro were added to
/etc/init.d/network. They read as follows:
ip route add 192.168.140.0/24 via 192.168.147.3
ip route add 192.168.144.0/24 via 192.168.147.2
ip route add 192.168.145.0/24 via 192.168.147.2
ip route add 192.168.146.0/24 via 192.168.147.2

What I need to know is where would I insert these into the Bering distro? I
have seen examples that start the command with an "up" option. But then they
say that I have to create a script in the map and then do a chmod on it to
make it executable? There has got to be an easier way. Since these routes do
NOT include the "dev" option they are automatically applied to the first
interface (eth0) right? 

Thanks in advance.

Troy


 -Original Message-
From:   [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent:   Wednesday, July 31, 2002 12:21 AM
To: Troy Aden; Leaf-User (E-mail)
Subject:RE: [leaf-user] HOW TO ADD STATIC ROUTES TO BERING..

http://leaf.sourceforge.net/devel/ericw/ip-syntax.php

This should help you figure it out.
If you need more help just give a yell.

Kim Oppalfens

>-- Original Message --
>From: Troy Aden <[EMAIL PROTECTED]>
>To: "Leaf-User (E-mail)" <[EMAIL PROTECTED]>
>Subject: [leaf-user] HOW TO ADD STATIC ROUTES TO BERING..
>Date: Tue, 30 Jul 2002 21:10:27 -0600
>
>
>I have done a fair amount of digging and I can't find any documentation on how to
>add static routes to Bering. Can anyone tell me how to do it or point me to
>the documentation. I am trying to add 4 static routes. 
>
>Thanks in advance. 
>
>   Troy
>
>
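
Bering brings interfaces up from /etc/network/interfaces, and a static route is attached to the interface's stanza as an "up" line; no separate script and no chmod are needed. What follows is an added example, not part of Bering or of the ip-syntax page Kim links, that turns the four Dachstein lines above into such a stanza and first checks that each gateway lies on the interface's own subnet, because the kernel refuses a "via" route whose gateway it cannot reach directly. A "via" route without "dev" is not attached to eth0 by default: the kernel picks the device from the route that covers the gateway, which for these gateways is eth3's connected /24 (the address is the one posted for eth3 later in this thread).

```shell
#!/bin/sh
# Added example, not part of Bering or the ip-syntax page: turn the Dachstein
# "ip route add" lines into "up" lines of an /etc/network/interfaces stanza,
# after checking that each gateway sits on the interface's own subnet (the
# kernel rejects a via route whose gateway is not directly reachable).
# The routes and the eth3 address are the ones posted in this thread.
DACHSTEIN_ROUTES='192.168.140.0/24 via 192.168.147.3
192.168.144.0/24 via 192.168.147.2
192.168.145.0/24 via 192.168.147.2
192.168.146.0/24 via 192.168.147.2'

# same_subnet ADDR/PREFIX GATEWAY: true if GATEWAY falls inside ADDR/PREFIX.
# awk with only a BEGIN block never touches stdin, so this is safe inside
# the read loop below.
same_subnet() {
    awk -v a="$1" -v g="$2" '
        function ip2n(s, q) { split(s, q, "."); return ((q[1]*256 + q[2])*256 + q[3])*256 + q[4] }
        BEGIN {
            split(a, p, "/")
            hostbits = 2 ^ (32 - p[2])
            same = (int(ip2n(p[1]) / hostbits) == int(ip2n(g) / hostbits))
            exit (same ? 0 : 1)
        }'
}

# prefix2mask 24 -> 255.255.255.0 (interfaces(5) wants a dotted netmask).
prefix2mask() {
    awk -v p="$1" 'BEGIN {
        n = 4294967296 - 2 ^ (32 - p)
        printf "%d.%d.%d.%d\n", int(n / 16777216), int(n / 65536) % 256, int(n / 256) % 256, n % 256
    }'
}

# bering_stanza IFACE ADDR/PREFIX < routes: print the stanza. A route whose
# gateway is off-subnet is reported on stderr and left out rather than
# written into a file that would then fail at ifup.
bering_stanza() {
    iface="$1"; addr="${2%/*}"; prefix="${2#*/}"
    printf 'auto %s\niface %s inet static\n\taddress %s\n\tnetmask %s\n' \
        "$iface" "$iface" "$addr" "$(prefix2mask "$prefix")"
    while read -r net via gw; do
        [ -n "$net" ] || continue
        if same_subnet "$2" "$gw"; then
            printf '\tup ip route add %s via %s\n' "$net" "$gw"
        else
            echo "skipping $net: gateway $gw is not on $2" >&2
        fi
    done
}

# Usage: printf '%s\n' "$DACHSTEIN_ROUTES" | bering_stanza eth3 192.168.147.1/24
```

Paste the printed stanza over the existing eth3 stanza in /etc/network/interfaces, save the package (the file lives in etc.lrp), and `ifdown eth3; ifup eth3` or reboot; `ip route` should then list the four routes with `dev eth3`.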





RE: [leaf-user] bering won't route private ip's

2002-08-29 Thread Troy Aden

How do you enable forwarding after shorewall is removed? I suspect
this is the reason I was having so many problems with my setup. Thanks.

Troy


 -Original Message-
From:   guitarlynn [mailto:[EMAIL PROTECTED]] 
Sent:   Thursday, August 29, 2002 9:39 AM
To: [EMAIL PROTECTED]
Subject:Re: [leaf-user] bering won't route private ip's

On Wednesday 28 August 2002 00:23, Tim Dinkins wrote:
> My problem is that when I clear all of the firewall rules and set all
> policies to accept on the Bering firewall/router I am not able to
> ping or connect to addresses in the private address space except for
> the main firewall/gateway with address 192.168.0.1.
> Routing table example
> 192.168.0.0 dev eth0 src 192.168.0.250
> 192.168.100.0 dev eth1 src 192.168.100.254
> default via 192.168.0.1
>
> Does anyone have any insight into this matter?  I would appreciate
> any help you can offer.

Have you removed shorewall and enabled forwarding?
-- 

~Lynn Avants
aka Guitarlynn

guitarlynn at users.sourceforge.net
http://leaf.sourceforge.net

If linux isn't the answer, you've probably got the wrong question!





[leaf-user] Log files are broken

2002-09-03 Thread Troy Aden

I am not sure why this is happening but weblet on my Bering
box stops logging after about a day. It displays things like :
::messages.3.gz::

File not found: messages.3.gz 



::messages.2.gz::

File not readable: messages.2.gz 



::messages.1.gz::

File not readable: messages.1.gz 



::messages.0::

File not readable: messages.0 



::messages::

File not readable: messages 


 
Anyone know why is this happening? What do I need to do to fix it?

Troy





RE: [leaf-user] Log files are broken

2002-09-03 Thread Troy Aden

Thanks for the quick response. I find the first bug fix a little confusing
though. Here is what you sent me:

Bug N°1: /usr/bin/savelog does not work 

Symptom: the *.gz files in /var/log are not generated 

Fix: add the - sign in the $COMPRESS $newfile line. 

Edit the original Bering rc3 /usr/bin/savelog file : 

Original file 
(...) 
   $COMPRESS $newfile  (what is the difference between this and the next
$COMPRESS ? Can you please give me the line # so I can find this more
quickly?)
(...) 
becomes 
(...) 
   $COMPRESS $newfile 
(...)

This is what I found. Is this the line that I change?

1 ) Network configuration
if [ -f "$newname.0" ]; then
if [ -z "$COMPRESS" ]; then
newfile="$newname.1"
mv "$newname.0" "$newfile"
else
newfile="$newname.1$DOT_Z"
$COMPRESS < $newname.0 > $newfile(here?)
rm -f $newname.0
#   $COMPRESS "$newname.0"
#   mv "$newname.0$DOT_Z" "$newfile"

Can you please describe the fix to me a little better as to where I need to
go and what I need to change. Sorry to be a pain. Thanks.

Troy Aden
IT - Support/Training/Buyer 
WaveCom Electronics Inc.
150 Cardinal Place Saskatoon, SK  S7L 6H7
Phone: (306)955-7075 ext. 314
Fax: (306)955-7315
mailto:[EMAIL PROTECTED]
http://www.vcom.com/

 -Original Message-
From:   Jacques Nilo [mailto:[EMAIL PROTECTED]] 
Sent:   Tuesday, September 03, 2002 8:36 AM
To: Troy Aden; Leaf-User (E-mail)
Subject:Re: [leaf-user] Log files are broken

Please read:
http://leaf.sourceforge.net/article.php?sid=56

Jacques


> I am not sure why this is happening but weblet on my Bering
> box stops logging after about a day. It displays things like :
> ::messages.3.gz::
>
> File not found: messages.3.gz
>
>
>
> ::messages.2.gz::
>
> File not readable: messages.2.gz
>
>
>
> ::messages.1.gz::
>
> File not readable: messages.1.gz
>
>
>
> ::messages.0::
>
> File not readable: messages.0
>
>
>
> ::messages::
>
> File not readable: messages
>
>
>
> Anyone know why is this happening? What do I need to do to fix it?
>
> Troy
>
>





[leaf-user] Shorewall question

2002-09-27 Thread Troy Aden

I currently have a server running behind my Bering box. The rules that I
have set up in shorewall rules are as follows:

#Access to my web server

DNAT    net    loc:192.168.1.2    80

#Access to my webmin server

DNAT    net    loc:192.168.1.2:25000    https

The problem seems to be with my webmin rule. I can access the server fine
remotely with https://x.y.z.x. But when I try and login the page proceeds to
sit until it times out. The weird thing that happens is that if I hit the
back button on my browser, my webmin is there and I can work with it.. I
am suspecting that I have entered the webmin rule incorrectly. Can anyone
help me out?  

Thanks in advance.

Troy Aden





RE: [leaf-user] Shorewall question

2002-09-27 Thread Troy Aden

Just a footnote to this. I can connect within my LAN to the webmin
just fine so I am forced to conclude that it is a problem with my firewall
rules. Thanks.





RE: [leaf-user] Shorewall question

2002-09-27 Thread Troy Aden

The client is in the 'net' zone. (remote computer) I am attempting to
connect to my webmin server at home from work and it is failing when I try
to login to webmin over ssl. Please note that if I allow the page to time
out then I hit the back button my page is there.  Why would this happen?
But... if I try to login to the webmin server from the 'loc' zone over ssl
it allows me to login without any problems. This all leads me to think that
I am missing something with how SSL is dealing with my firewall. I have
tested webmin on my loc network and remote network over a standard http
connection without any issues at all. It seems that ssl is having some sort
of problem with my ruleset. Perhaps all that I need is to add the
destination into my rule like you have shown below. 

Your thoughts...

 -Original Message-
From:   Tom Eastep [mailto:[EMAIL PROTECTED]] 
Sent:   Friday, September 27, 2002 2:18 PM
To: Troy Aden
Cc: Leaf-User (E-mail)
Subject:Re: [leaf-user] Shorewall question

Troy Aden wrote:
>   Just a footnote to this. I can connect within my LAN to the webmin
> just fine so I am forced to conclude that it is a problem with my firewall
> rules. Thanks.

These sorts of problems can be associated with MTU discovery problems as 
well as rules -- is the client in the 'net' zone that you are trying to 
log in from on the same lan segment as your firewall or is it remote?

-Tom
-- 
Tom Eastep\ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ [EMAIL PROTECTED]


-Original Message-
From:   Tom Eastep [mailto:[EMAIL PROTECTED]] 
Sent:   Friday, September 27, 2002 2:15 PM
To: Troy Aden
Cc: Leaf-User (E-mail)
Subject:    Re: [leaf-user] Shorewall question

Troy Aden wrote:
> I currently have a server running behind my Bering box. The rules that I
> have set up in shorewall rules are as follows:
> 
> #Access to my web server
> 
> DNAT    net    loc:192.168.1.2    80
> 
> #Access to my webmin server
> 
> DNAT    net    loc:192.168.1.2:25000    https
> 
> The problem seems to be with my webmin rule. I can access the server fine
> remotely with https://x.y.z.x. But when I try and login the page proceeds to
> sit until it times out. The weird thing that happens is that if I hit the
> back button on my browser, my webmin is there and I can work with it.. I
> am suspecting that I have entered the webmin rule incorrectly. Can anyone
> help me out?  
> 

I assume that the two rules are:

DNAT    net    loc:192.168.1.2          tcp    80
DNAT    net    loc:192.168.1.2:25000    tcp    https

and that you have configured webmin to listen on port 25000 (as opposed to 
the default 1).

If that is the case then the second rule should work fine -- I just 
verified it with a similar rule on my setup:

DNAT    net    loc:192.168.1.5:1    tcp    8081    -    206.124.147.176

I specified an original IP address because I have several on my firewall 
external interface.

 From the net, I connected to http://206.124.146.176:8081 and was able to 
log into webmin normally.

-Tom
-- 
Tom Eastep\ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ [EMAIL PROTECTED]





[leaf-user] ifconfig Explanation please.

2002-10-07 Thread Troy Aden

This is the ifconfig output from one of our Bering routers. Please note all
of the errors on eth1 and eth2. Can someone please explain this to me? Am I
to interpret these errors as a router problem or is it indicating some
network device is barfing out erroneous data on that subnet? Any ideas would
be appreciated. Thanks!


lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:364 errors:0 dropped:0 overruns:0 frame:0
          TX packets:364 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 

eth0      Link encap:Ethernet  HWaddr 00:80:C8:CF:C8:61  
          inet addr:192.168.141.1  Bcast:192.168.141.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:148190074 errors:1 dropped:0 overruns:0 frame:0
          TX packets:150696043 errors:20 dropped:0 overruns:0 carrier:20
          collisions:0 
          Interrupt:10 Base address:0x8000 

eth1      Link encap:Ethernet  HWaddr 00:80:C8:CF:C8:62  
          inet addr:192.168.142.1  Bcast:192.168.142.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:311524321 errors:667269 dropped:4 overruns:0 frame:667268
          TX packets:244260637 errors:6 dropped:0 overruns:0 carrier:6
          collisions:0 
          Interrupt:11 Base address:0xa000 

eth2      Link encap:Ethernet  HWaddr 00:80:C8:CF:C8:63  
          inet addr:192.168.143.1  Bcast:192.168.143.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5742144 errors:691 dropped:0 overruns:0 frame:1381
          TX packets:8793908 errors:0 dropped:0 overruns:0 carrier:0
          collisions:74307 
          Interrupt:9 Base address:0xc000 

eth3      Link encap:Ethernet  HWaddr 00:80:C8:CF:C8:64  
          inet addr:192.168.147.1  Bcast:192.168.147.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:363126921 errors:1 dropped:0 overruns:0 frame:0
          TX packets:421969990 errors:33 dropped:0 overruns:0 carrier:33
          collisions:0 
          Interrupt:5 Base address:0xe000 
 

Troy





RE: [leaf-user] ifconfig Explanation please.

2002-10-07 Thread Troy Aden

Sorry for the lack of information. Here is the role of this router in our
network. 

Internet>
PC001  -eth0 FIREWALL BOX (Not this router) eth1 > switch
PC002  -eth0 BARE production ROUTER (This is the box I did the ifconfig
shown below) -> switch -->Windows clients 100 base-t network
-eth1 BARE production ROUTER (This is the box I did the ifconfig
shown below) -> switch  -->Windows clients 100 base-t network
-eth2 BARE production ROUTER (This is the box I did the ifconfig
shown below) -> switch  -->Windows clients 100 base-t network
-eth3 BARE production ROUTER (This is the box I did the ifconfig
shown below) -> backbone switch gateway to other router.

Here is my "ip route" output table just to make it a little clearer.

255.255.255.255 dev eth3  scope link 
255.255.255.255 dev eth2  scope link 
255.255.255.255 dev eth1  scope link 
255.255.255.255 dev eth0  scope link 
192.168.147.0/24 dev eth3  proto kernel  scope link  src 192.168.147.1 
192.168.146.0/24 via 192.168.147.2 dev eth3 
192.168.145.0/24 via 192.168.147.2 dev eth3 
192.168.144.0/24 via 192.168.147.2 dev eth3 
192.168.143.0/24 dev eth2  proto kernel  scope link  src 192.168.143.1 
192.168.142.0/24 dev eth1  proto kernel  scope link  src 192.168.142.1 
192.168.141.0/24 dev eth0  proto kernel  scope link  src 192.168.141.1 
192.168.140.0/24 via 192.168.147.3 dev eth3 
default via 192.168.147.4 dev eth3 



 -Original Message-
From:   Ray Olszewski [mailto:[EMAIL PROTECTED]] 
Sent:   Monday, October 07, 2002 2:01 PM
To: Troy Aden; Leaf-User (E-mail)
Subject:Re: [leaf-user] ifconfig Explanation  please.

With absolutely zero information about the underlying networks, one can 
only guess about numbers of this sort. But with that disclaimer, my gut 
reaction is that the error and collision counts are within the normal range 
for fairly busy LANs.

To be specific, here is my guess about what we are looking at--

1. eth0 is your Internet connection, and it links the Bering router to some 
dedicated device like a DSL or cable modem. Since this tiny "LAN" has only 
two clients on it, and the slow data rates associated with Internet access, 
it doesn't push even the limits of a 10 Mbps connection, let alone 100 
Mbps. Consequently, negligible error and collision counts.

2. eth1 is a busy LAN (as a user of the router), with many clients and a 
lot of local traffic as well (perhaps a lot of WinXX hosts with SMB 
mounts), pushing the 10 or 100 Mbps limit, so generating some errors. They 
are well below 1% of packets so no big deal, unless you are seeing other 
performance problems on this LAN (in which case they might be an early 
warning of an overloaded Ethernet). The errors here are (if I recall 
correctly how to interpret this output -- I can't readily find a reference 
to check -- can someone else PLEASE help here?) the results of collisions 
between a packet from a client to the router and some other packet on the
LAN.

3. eth2 is another LAN, but much less active (its RX traffic to the router 
is only about 2% of the volume seen on eth1), probably with way fewer 
clients than eth1. But traffic to the router is in bursts, creating 
collisions between RX and TX packets to/from the router. This may be your
DMZ.

4. eth3 is still another LAN, about as busy (as a user of the router) as 
eth1, but with less local traffic. As a result, the LAN does not press its 
10 or 100 Mbps limit much, and there are few errors.

All this is just a guess, of course. Other variables might be whether they 
are 10 Mbps or 100 Mbps LANs, whether they use hubs or switches, how much 
uptime the packet counts cover, and even if they use something other than 
UTP wiring.

If I'm way off in describing the characteristics of any of these LANs 
(well, at least eth1 and eth2), then you may have a problem. But we'll need 
to know more about the characteristics of the networks to suggest anything 
specific.

If anyone knows enough to correct my interpretation of what the error and 
collision numbers actually mean, I'd really welcome hearing from him or her 
... especially if the correction includes a reference to appropriate 
documentation.

At 01:08 PM 10/7/02 -0600, Troy Aden wrote:
>This is the ifconfig output from one of our Bering routers. Please note all
>of the errors on eth1 and eth2. Can someone please explain this to me? Am I
>to interpret these errors as a router problem or is it indicating some
>network device is barfing out erroneous data on that subnet? Any ideas would
>be appreciated. Thanks!
>
>
>loLink encap:Local Loopback
>   inet addr:127.0.0.1  Mask:255.0.0.0
>   UP LOOPBACK RUNNING  MTU:16436  Metric:1
>   RX packets:364 errors:0 dropped:0 overruns:0 frame:0
>

[leaf-user] DMZ configuration problems

2002-10-08 Thread Troy Aden

This is my first attempt at setting up a DMZ so I am
admitting now that I probably got it all wrong. That said, I am hoping
someone on the list can point out where I have made my mistakes and point me
in the right direction. Here is what I am attempting to accomplish.


Internet -> eth0 [Bering box using shorewall] -> eth1 loc zone
                                              -> eth2 dmz zone

GOAL IS: 
TO ALLOW ALL INTERNET TRAFFIC INTO MY DMZ
TO ALLOW DMZ ACCESS TO THE INTERNET (BUT TO LOG IT)
TO ALLOW LOC ZONE OPEN ACCESS TO DMZ
TO BLOCK ALL TRAFFIC FROM DMZ TO LOC ZONE and log it if it
tries to connect to loc zone.
TO ALLOW DNSCACHE AND DHCPD TO WORK FOR BOTH ZONES.

I thought I had it all working until I attempted to do an
ftp file transfer between my windoz systems on the loc zone to my Linux
server in the dmz zone. My transfer rate was terrible and FTP kept giving me
a "cannot connect to data socket error". Even attempting an ftp transfer
from a remote server was failing. Please keep in mind that this is my first
attempt at this and I have tried to follow the shorewall howto for setting
up three interfaces but I am pretty sure I goofed. PLEASE HELP! I have
included all the info that I think is pertinent but if you require more
please let me know and I will provide it. Thanks in advance. 

Troy









#
# Shorewall 1.3 /etc/shorewall/zones
#
# This file determines your network zones. Columns are:
#
#   ZONE      Short name of the zone
#   DISPLAY   Display name of the zone
#   COMMENTS  Comments about the zone
#
# $ is not permitted in this file.
#
#ZONE   DISPLAY   COMMENTS
net     Net       Internet
loc     Local     Local networks
dmz     dmz       Demilitarized networks
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE



#
# Shorewall version 1.3 - Rules File
#
# /etc/shorewall/rules
# Accept DNS connections from the firewall to the network
#
ACCEPT  fw    net                 tcp   53
ACCEPT  fw    net                 udp   53
#
# Accept SSH connections from the local network for administration
#
ACCEPT  loc   fw                  tcp   22

# DNAT all my webserver from web
DNAT    net   dmz:192.168.2.25    tcp   -
DNAT    net   dmz:192.168.2.25    udp   -

# Bering specific rules:
# allow loc to fw udp/53 for dnscache to work
# allow loc to fw tcp/80 for weblet to work
#
ACCEPT  loc   fw                  udp   53
ACCEPT  loc   fw                  tcp   80
ACCEPT  loc   fw                  udp   67
ACCEPT  loc   fw                  udp   68

# Bering specific rules:
# allow dmz to fw udp/53 for dnscache to work
# allow dmz to fw tcp/80 for weblet to work
#
ACCEPT  dmz   fw                  udp   53
ACCEPT  dmz   fw                  tcp   80
ACCEPT  dmz   fw                  udp   67
ACCEPT  dmz   fw                  udp   68

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE





#
# Shorewall 1.3 - Masquerade file
#
# /etc/shorewall/masq
#

##
#INTERFACE   SUBNET   ADDRESS
eth0         eth1
eth0         eth2
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE




#
# Shorewall 1.3 -- Interfaces File
#
# /etc/shorewall/interfaces
#

##
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,routefilter,norfc1918,noping
loc     eth1        detect      routestopped
dmz     eth2        detect      routestopped
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE





##
#  /etc/shorewall/shorewall.conf V1.3 - Change the following variables to
#  match your setup
#
#  This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] 
#
#  This file should be placed in /etc/shorewall
#
#  (c) 1999,2000,2001,2002 - Tom Eastep ([EMAIL PROTECTED])

##
#
# Name of the firewall zone -- if not set or if set to an empty string, "fw"
# is assumed.
#
FW=fw


# Set this to the name of the lock file expected by your init scripts. For
# RedHat, this should be /var/lock/subsys/shorewall. On Debian, it
# should be /var/state/shorewall. If your init scripts don't use lock files,
# set this to "".
#

SUBSYSLOCK=/var/run/shorwall

# This is the directory where the firewall maintains state information while
# it is running
#

STATEDIR=/var/lib/shorewall

#
# Set this to "yes" or "Yes" if you want to accept all connection requests
# that are related to already established connections

RE: [leaf-user] RE:DMZ configuration problems

2002-10-10 Thread Troy Aden

Your advice is well taken. I solved it last night. It was the eth2
NIC in the router. I replaced the NIC and everything worked. Thanks for the
help. This list is great!

Troy

-Original Message-
From:   Ray Olszewski [mailto:[EMAIL PROTECTED]] 
Sent:   Wednesday, October 09, 2002 10:39 AM
To: troy; [EMAIL PROTECTED]
Subject:Re: [leaf-user] RE:DMZ configuration problems


I waited to reply in the hope that someone would offer better advice than I 
can.

Your first message mentioned two problems --- slow ftp transfers between 
the DMZ server and LAN clients, and inability to do ftp transfers from the 
Internet. This message mentions only the first problem; have you solved the 
second on your own?

I doubt slowness is the result of your firewall ruleset -- rulesets tend to 
be all or nothing with respect to passing packets -- but I should point out 
that your report listed only the first part of the actual ruleset (the 
input and forward chains, but not output or any of the custom chains), not 
the complete ruleset.

I am a bit puzzled by your description of the problem. If both LAN and DMZ 
are 100 Mbps 802.3 Ethernets, then I would expect transfers through a 
firewall to be at about 50 Mbps, not the 1440 Kbps you expect (or the 45 
Kbps you actually see).

With all of that said, here are some things to check:

1. Are you dropping a lot of packets at the interfaces? After one of these 
slow transfers, look at the output of "ip -s link show" and see if the 
packet counts suggest any problems.

2. Is the firewall processing the packets the way it should be? After one 
of the slow transfers, look at the firewall ruleset and see if any 
improbable rule is rejecting or denying a lot of packets. Since most of the 
actual firewall ruleset is missing, and I am not expert enough in Shorewall 
to deduce the ruleset from the config files, I can't tell how the LAN is 
accessing the DMZ via the firewall (mainly, what the actual eth1_fwd chain 
looks like, or the eth2_fwd chain that I presume also exists). So while I 
cannot think of a ruleset problem that would create the symptoms you 
describe, neither can I rule it out from what you've sent. Perhaps one of 
our Shorewall experts can comment here?

3. Is there a problem with the ftp *server* on the Linux host in the dmz? 
As I read your report, you've tested doing ftp downloads *from* the 
Internet *to* the DMZ, but not the other way around. (I'm not sure that 
this is what you mean, though, by "or my Linux server in the dmz zone", so 
I apologize if I've misread this part.) If you haven't tested this ... try 
"ftp localhost" from a shell login on the DMZ host, and see what the 
transfer rate is.

4. You say "truthfully that [ftp] is the only file transfer protocol that I 
use between my Linux server in the dmz and my windows box in the loc zone 
so I can't say if it affects anything else." Do you make shell connections 
(with telnet or ssh) from the LAN to the DMZ host? If you do, the severity 
of problem you are seeing, if it applies to all traffic, should be 
observable with any process that displays a lot of output to the screen ... 
even something as simple as an "ls -l" of a very large directory. You 
really do need to determine somehow if this is an ftp-only problem or a 
general connectivity problem.

5. Are there any problems at the hardware level? I'm fishing here ... but, 
for example, might there be an IRQ or ioport conflict between the NICs that 
provide interfaces eth1 and eth2? This could manifest itself in traffic 
flakiness between LAN and DMZ, but not between either of them and the 
Internet (since only one of them would be under load).

If some of these questions turn up interesting results, and you want more 
help, please don't just answer the questions narrowly ... provide the 
background that is relevant to the answer.

At 11:16 PM 10/8/02 -0600, troy wrote:
>  As per the advice that I was given earlier today, I am hoping that this
>information will be more helpful in getting to the bottom of my problem.
>Please note that this configuration is slightly different than the one I
>posted earlier. The difference being that I have NOT opened all internet
>traffic to my DMZ. Instead I have chosen to block all of the ports in my DMZ
>except the ones I need for my server. Regardless of these changes, the
>problem still persists.
>
>
>This is my first attempt at setting up a DMZ so I am
> > admitting now that I probably got it all wrong. That said, I am hoping
> > someone on the list can point out where I have made my mistakes and point
>me in the right direction. Here is what I am attempting to accomplish.
>
>GOAL IS:
> >   TO ALLOW "specific" traffic from the INTERNET INTO MY DMZ
> >   TO ALLOW DMZ ACCESS TO THE INTERNET (BUT LOG IT)
> >   TO ALLOW LOC ZONE OPEN ACCESS TO DMZ AND THE INTERNET
> >   TO BLOCK ALL TRAFFIC FROM DMZ TO LOC ZONE and log it if it
> > tries to connec

[leaf-user] Shorewall question

2002-10-10 Thread Troy Aden

I have a quick shorewall question. 
How can I forward https connections to webmin on port 25000
and Apache SSL on port 443?
I am running a server behind shorewall. I need to enable
access to SSL on two different ports. I have setup rules to forward
connections that come in on https to port 25000 ,my webmin server. (Thanks
for the help on that Tom) But I also want to be able to DNAT SSL connections
on the standard port 443 to the same server. Here is the rule for webmin. 

>#DNAT to my SSL webmin server from web
>DNAT    net   dmz:192.168.2.26:25000   tcp   https   -
>DNAT    net   dmz:192.168.2.26:25000   tcp   25000

Thanks so much for all the help I have gotten so far! You
guys are great!

Troy




---
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html



RE: [leaf-user] RE:DMZ configuration problems

2002-10-11 Thread Troy Aden

I am able to do everything over this connection. I don't understand what the
"carrier" error means. All that I can surmise from the fact that all the
"carrier" errors are happening on the TX side of the interface is that it is
the side of the eth2 NIC that is talking to the only non-LNE100-TX NIC in my
network (my Linux server). Or do I have it backwards?
I know my cabling is good. I don't use a hub or switch. I use crossover
cables that I know are good. I am just going to switch that final NIC and see
if my problems go away. Here's to hoping!

Thanks again to all of you that have helped me out. Have a great weekend!!


Troy


 -Original Message-
From:   Ray Olszewski [mailto:[EMAIL PROTECTED]] 
Sent:   Friday, October 11, 2002 11:30 AM
To: troy
Cc: [EMAIL PROTECTED]
Subject:RE: [leaf-user] RE:DMZ configuration problems

At 09:27 AM 10/11/02 -0600, troy wrote:
> It turned out that eth2 was a startek NIC. The rest of my NICs
>are Linksys LNE100-TX. I bought another LNE100-TX and that fixed the
>problem. I am still getting some errors when I check eth2 but I think
>that is because the NIC in my Linux server in the dmz is not a Linksys
>LNE100-TX. Hopefully when I replace that NIC the errors will go away
>entirely. Here is the reading I get on eth2. (See below) I am not
>entirely sure what to make of it but I am hoping that the errors are
>caused by the NIC in my Linux server. Thanks for all the help guys!
>
>Troy
>
>eth2:  mtu 1500 qdisc pfifo_fast qlen 100
> link/ether 00:04:5a:83:69:6a brd ff:ff:ff:ff:ff:ff
> RX: bytes  packets  errors  dropped overrun mcast
> 150248933  1331746  0   0   0   0
> TX: bytes  packets  errors  dropped carrier collsns
> 0  01957210 0   1957210 0

You say you are "still getting some errors when I check eth2"?

Some? The report above says that all TX packets failed due to "carrier" 
reasons. Are you able to do anything over this connection?

I'm not clear on what ip reports as a "carrier" problem, but the name 
prompts me to look for a hardware problem ... bad NIC at one end or the 
other (as you've already surmised), bad cable, or bad hub/switch. (Or 
conceivably bad NIC-to-NIC handshaking if you're using a crossover cable 
rather than a hub or switch.)

Does anyone actually know what the "carrier" designator means in this 
report? I'm only guessing, as I said.



--
---"Never tell me the odds!"
Ray Olszewski   -- Han Solo
Palo Alto, California, USA[EMAIL PROTECTED]

---
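As an added example (not code from the thread), here is a small parser for `ip -s link show` output that applies the two checks Ray describes: the "well below 1% of packets" rule of thumb for errors and collisions, and the "all TX packets failed for carrier reasons" pattern that points at the NIC, cable or duplex setting rather than the ruleset. The sample report is constructed in the shape of the eth2 listing above; the function and threshold names are my own.

```python
"""Parse `ip -s link show` output and flag interfaces whose counters point at
an overloaded segment or a hardware fault.  Added example for this thread;
the sample report below is constructed, not captured from the router."""
import re
from typing import Dict, List

# Constructed sample in the shape of `ip -s link show` on a Bering router.
# eth2 reproduces the pattern from the thread: nothing transmitted, every
# attempt counted under "errors" and "carrier".  eth1/eth3 values are made up.
SAMPLE_OUTPUT = """\
2: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:04:5a:00:00:01 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    912345678  8123456  1200    0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    512345678  6123456  0       0       0       31000
3: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:04:5a:00:00:02 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    150248933  1331746  0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    0          0        1957210 0       1957210 0
4: eth3: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:04:5a:00:00:03 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    412345678  3123456  90000   0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    212345678  2123456  0       0       0       100
"""

IFACE_RE = re.compile(r"^\d+:\s+(\S+?)(?:@\S+)?:")
ERROR_RATIO_THRESHOLD = 0.01  # the "well below 1% of packets" rule of thumb


def parse_ip_link_stats(text: str) -> Dict[str, Dict[str, int]]:
    """Return {interface: {"rx_bytes": ..., "tx_carrier": ..., ...}}."""
    stats: Dict[str, Dict[str, int]] = {}
    current = None
    pending: List[str] = []  # column names from the RX:/TX: header just seen
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            stats[current] = {}
            pending = []
            continue
        fields = line.split()
        if current is None or not fields:
            continue
        if fields[0] in ("RX:", "TX:"):
            prefix = fields[0][:2].lower()
            pending = [f"{prefix}_{col}" for col in fields[1:]]
        elif pending and fields[0].isdigit():
            stats[current].update(zip(pending, (int(v) for v in fields)))
            pending = []
    return stats


def assess(stats: Dict[str, Dict[str, int]]) -> Dict[str, List[str]]:
    """Map each interface to a list of finding codes (empty = looks healthy)."""
    findings: Dict[str, List[str]] = {}
    for name, c in stats.items():
        notes: List[str] = []
        tx_packets = c.get("tx_packets", 0)
        # "carrier" counts transmit attempts made while the NIC saw no link
        # carrier: a NIC, cable or duplex/negotiation fault, never a ruleset.
        if c.get("tx_carrier", 0) > 0:
            notes.append("tx_dead" if tx_packets == 0 else "carrier_errors")
        for direction in ("rx", "tx"):
            packets = c.get(f"{direction}_packets", 0)
            errors = c.get(f"{direction}_errors", 0)
            if packets and errors / packets > ERROR_RATIO_THRESHOLD:
                notes.append(f"{direction}_errors_high")
        collisions = c.get("tx_collsns", 0)
        if tx_packets and collisions / tx_packets > ERROR_RATIO_THRESHOLD:
            notes.append("collisions_high")
        findings[name] = notes
    return findings


EXPLANATIONS = {
    "tx_dead": "no frame ever left the NIC; every attempt was a carrier error",
    "carrier_errors": "some transmits lost carrier; check NIC, cable, duplex",
    "rx_errors_high": "RX errors above 1% of packets; overloaded or faulty segment",
    "tx_errors_high": "TX errors above 1% of packets; overloaded or faulty segment",
    "collisions_high": "collisions above 1% of TX packets; congested shared medium",
}


if __name__ == "__main__":
    for name, notes in assess(parse_ip_link_stats(SAMPLE_OUTPUT)).items():
        summary = ", ".join(EXPLANATIONS[n] for n in notes)
        print(f"{name}: {summary or 'counters within the normal range'}")
```

Run it against real output with `ip -s link show | python3 thisfile.py` after swapping `SAMPLE_OUTPUT` for `sys.stdin.read()`.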








RE: [leaf-user] network restart command

2002-10-15 Thread Troy Aden

"svi networking restart" should do it.


 -Original Message-
From:   Charley King [mailto:[EMAIL PROTECTED]] 
Sent:   Tuesday, October 15, 2002 1:35 PM
To: [EMAIL PROTECTED]
Subject:[leaf-user] network restart command

I am using Bering 1.0-rc3 and was wondering if there was a command to
restart the interfaces like 'service network restart' or something. Or
do the interfaces update after the file has been saved?
Thanks

Charley King







RE: [leaf-user] RE:DMZ configuration problems

2002-10-20 Thread Troy Aden
Just a quick FYI follow-up to this. I changed the NIC in my Linux server to
an LNE100-TX and all of the problems went away. The NIC in my Linux server
was an old D-Link 10Base-T. Just in case anyone else has this problem I hope
this will be helpful. Thanks to all who helped me out. I am now getting
transfers between my Windows box and Linux server at over 4500Kb/sec with no
errors. :)


 -Original Message-
From:   Troy Aden [mailto:Troy.Aden@;WaveCom.CA] 
Sent:   Friday, October 11, 2002 2:35 PM
To: 'Ray Olszewski'; troy
Cc: [EMAIL PROTECTED]
Subject:RE: [leaf-user] RE:DMZ configuration problems

I am able to do everything over this connection. I don't understand what the
"carrier" error means. All that I can surmise from the fact that all the
"carrier" errors are happening on the TX side of the interface is that it is
the side of the eth2 NIC that is talking to the only non-LNE100-TX NIC in my
network (my Linux server). Or do I have it backwards?
I know my cabling is good. I don't use a hub or switch. I use crossover
cables that I know are good. I am just going to switch that final NIC and see
if my problems go away. Here's to hoping!

Thanks again to all of you that have helped me out. Have a great weekend!!


Troy


 -Original Message-
From:   Ray Olszewski [mailto:ray@;comarre.com] 
Sent:   Friday, October 11, 2002 11:30 AM
To: troy
Cc: [EMAIL PROTECTED]
Subject:RE: [leaf-user] RE:DMZ configuration problems

At 09:27 AM 10/11/02 -0600, troy wrote:
> It turned out that eth2 was a startek NIC. The rest of my NICs
>are Linksys LNE100-TX. I bought another LNE100-TX and that fixed the
>problem. I am still getting some errors when I check eth2 but I think
>that is because the NIC in my Linux server in the dmz is not a Linksys
>LNE100-TX. Hopefully when I replace that NIC the errors will go away
>entirely. Here is the reading I get on eth2. (See below) I am not
>entirely sure what to make of it but I am hoping that the errors are
>caused by the NIC in my Linux server. Thanks for all the help guys!
>
>Troy
>
>eth2:  mtu 1500 qdisc pfifo_fast qlen 100
> link/ether 00:04:5a:83:69:6a brd ff:ff:ff:ff:ff:ff
> RX: bytes  packets  errors  dropped overrun mcast
> 150248933  1331746  0   0   0   0
> TX: bytes  packets  errors  dropped carrier collsns
> 0  01957210 0   1957210 0

You say you are "still getting some errors when I check eth2"?

Some? The report above says that all TX packets failed due to "carrier" 
reasons. Are you able to do anything over this connection?

I'm not clear on what ip reports as a "carrier" problem, but the name 
prompts me to look for a hardware problem ... bad NIC at one end or the 
other (as you've already surmised), bad cable, or bad hub/switch. (Or 
conceivably bad NIC-to-NIC handshaking if you're using a crossover cable 
rather than a hub or switch.)

Does anyone actually know what the "carrier" designator means in this 
report? I'm only guessing, as I said.



--
---"Never tell me the odds!"
Ray Olszewski   -- Han Solo
Palo Alto, California, USA[EMAIL PROTECTED]

---










RE: [leaf-user] /var/lib/shorewall/functions does not exist

2002-10-26 Thread Troy Aden
Thanks for the quick response.
My problem is occurring with the Bering rc4. I downloaded the image that was
just released. I did not try to replace any existing files. I simply entered
all of my information into the configs. I am not sure if this is "upgrading"
because I did not try and retain any files from rc3. This is based on a clean
install of Bering rc4.
I found this link that alludes to the same problem that I am having.

http://www.google.ca/search?q=cache:7DlfPCFeJc4C:mail.shorewall.net/pipermail/shorewall-users/2002-July/001910.html+/var/lib/shorewall/functions+does+not+exist&hl=en&ie=UTF-8

It was basically concluded in this post that this was a Bering specific
problem with how it is backing up shorewall. I am not sure if this is a
Bering bug or not. Any ideas?

Troy



-Original Message-
From: Jacques Nilo [mailto:jnilo@;users.sourceforge.net]
Sent: Saturday, October 26, 2002 1:22 AM
To: troy; [EMAIL PROTECTED]
Subject: Re: [leaf-user] /var/lib/shorewall/functions does not exist

Le Samedi 26 Octobre 2002 07:23, troy a écrit :
What is the context ?
Are you upgrading from rc3 to rc4
If yes what shorewall files did you try to keep ?
Jacques
> I have done some reading and I know that others had this same issue with
> older versions of Bering/shorewall but I was unable to find a solution
> in any of the posts.
>
> I just entered all my configs into shorewall and backed up my changes.
> The first time that I attempted to back up everything using the "L"
> option, shorewall failed to back up. But the second try it backed up
> ok... The problem is when I reboot I get the following error and
> shorewall fails to load. If I look at the shorewall configs everything
> is there as it should be. I am not sure what happened here...
>
> >snip>
>
> /var/lib/shorewall/functions does not exist
> Terminated
>
> >snip>
>
> I know all of my configs are right because I copied them from my Bering
> rc3. (Which is working very well I might add. Thanks guys.)
>
> I was waiting for someone with a similar issue to ask the list for
> assistance but I guess I am alone here.
>
> Can anyone tell me what is happening here? Thanks in advance.
>
> Troy
>
>
>
>







RE: [leaf-user] How to set-up Bering static addressing?

2002-10-26 Thread Troy Aden
Ok you have to make changes in a couple places. If you do not want a dynamic
external IP you don't need "pump" or "dhclient" (I am not sure what you are
using.). And if you want to set all of your IPs statically on your local
network you will not need DHCPD either. (You can keep it if you want and just
set your local IPs statically. Your call.) So feel free to edit your
syslinux.cfg to stop those from loading at boot.

Here is where you need to make the changes.

# /etc/network/interfaces -- configuration file for LEAF network
# J. Nilo, April 2002
#
# Loopback interface.
auto lo 
iface lo inet loopback

# Step 1: configure external interface
# uncomment/adjust one of the following 4 options
# Option 1.1 (default): eth0 / dynamic IP from pump/dhclient
auto eth0 (Comment this out)
iface eth0 inet dhcp (Comment this out)
#
# Option 1.2: eth0 / Fixed IP (assumed to be 1.2.3.4).
#   (broadcast/gateway optional)
#auto eth0 (Uncomment this)
#iface eth0 inet static (Uncomment this)
#   address 1.2.3.4 (Uncomment this)
#   masklen 24 (Uncomment this)
#   broadcast 1.2.3.255 (Uncomment this)
#   gateway 1.2.3.1 (Uncomment this)

>>>>>>>>>>>>>>>>>>>>>>>>snip>>>>>>>>>>>>>>>>>>>>

#
# Shorewall 1.3 -- Interfaces File
#
# /etc/shorewall/interfaces

##
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,routefilter,norfc1918,noping
(Remove "dhcp" from this line.)
loc     eth1        detect      routestopped

Backup save reboot. (or do a "svi networking restart" then "shorewall
restart" if you don't want to wait.)

Hope this helps.

Troy  

 
-Original Message-
From: Craig [mailto:craigcaughlin@;attbi.com]
Sent: Saturday, October 26, 2002 10:26 AM
To: LEAF
Subject: RE: [leaf-user] How to set-up Bering static addressing?

Hi folks,
Yes, Troy.

-Original Message-
From: Troy Aden [mailto:Troy.Aden@;WaveCom.CA]
Sent: Saturday, October 26, 2002 9:23 AM
To: 'Craig'
Subject: RE: [leaf-user] How to set-up Bering static addressing?

Are you using Shorewall with Bering?
  
Troy

-Original Message-
From: Craig [mailto:craigcaughlin@;attbi.com]
Sent: Saturday, October 26, 2002 10:20 AM
To: LEAF
Subject: [leaf-user] How to set-up Bering static addressing?

Hi folks,
I know how to set up DHCP addressing on Bering, but how do I set up
static addressing? I want to assign Bering a static external address,
and use static addresses for the boxes on my LAN. Suggestions? Thank
you.

Craig













RE: [leaf-user] /var/lib/shorewall/functions does not exist

2002-10-26 Thread Troy Aden
That is exactly right. Thanks for posting that. The error only happened once
and I did not write it down. (And I could not remember the exact text of the
error.)
Are you also having the "/var/lib/shorewall/functions does not exist" error?


-Original Message-
From: Shed. [mailto:shedii@;bellsouth.net]
Sent: Saturday, October 26, 2002 1:41 PM
To: [EMAIL PROTECTED]
Subject: Re: [leaf-user] /var/lib/shorewall/functions does not exist

I noticed the same error while backing up shorewall on rc4. This problem
was not present in rc3. This is error echo on each backup attempt:

Creating shorwall.lrp Please wait: |tar: var/lib/shorewall: No such file
or directory
tar: Error exit delayed from previous errors


Afterwards, a successful backup takes place.

Shed.


Troy Aden wrote:
> Thanks for the quick response.
>  My problem is occurring with the Bering rc4. I downloaded the image that
> was just released.
> I did not try to replace any existing files. I simply entered all of my
> information into the
> Configs. I am not sure if this is "upgrading" because I did not try and
> retain any files from rc3.
> This is based on a clean install of Bering Rc4.
> I found this link that alludes to the same problem that I am having.
>
> http://www.google.ca/search?q=cache:7DlfPCFeJc4C:mail.shorewall.net/pipermail/shorewall-users/2002-July/001910.html+/var/lib/shorewall/functions+does+not+exist&hl=en&ie=UTF-8
>
> It was basically concluded in this post that this was a Bering specific
> problem with how it
>  is backing up shorewall. I am not sure if this is a Bering bug or not. Any
> ideas?
>
> Troy
>
>
>
> -Original Message-
> From: Jacques Nilo [mailto:jnilo@;users.sourceforge.net]
> Sent: Saturday, October 26, 2002 1:22 AM
> To: troy; [EMAIL PROTECTED]
> Subject: Re: [leaf-user] /var/lib/shorewall/functions does not exist
>
> Le Samedi 26 Octobre 2002 07:23, troy a écrit :
> What is the context ?
> Are you upgrading from rc3 to rc4
> If yes what shorewall files did you try to keep ?
> Jacques
>
>>I have done some reading and I know that others had this same issue with
>>older versions of Bering/shorewall but I was unable to find a solution
>>in any of the posts.
>>
>>I just entered all my configs into shorewall and backed up my changes.
>>The first time that I attempted to back up everything using the "L"
>>option, shorewall failed to back up. But the second try it backed up
>>ok... The problem is when I reboot I get the following error and
>>shorewall fails to load. If I look at the shorewall configs everything
>>is there as it should be. I am not sure what happened here...
>>
>>
>>>>>>>>>>>snip>>>>>>>>>>>>>>>>>>>>>>>
>>/var/lib/shorewall/functions does not exist
>>Terminated
>>
>>
>>>>>>>>>>>snip>>>>>>>>>>>>>>>>>>>>>>>
>>I know all of my configs are right because I copied them from my Bering
>>rc3. (Which is working very well I might add. Thanks guys.)
>>
>>I was waiting for someone with a similar issue to ask the list for
>>assistance but I guess I am alone here.
>>
>>Can anyone tell me what is happening here? Thanks in advance.
>>
>>Troy
>>
>>










RE: [leaf-user] error backing up shorewall (rc4)

2002-10-28 Thread Troy Aden
I don't know if the two are related. I just made the assumption that they
were. The fact is that this only happened to me once. After that, when I
retried the backup, it succeeded without error.
I got the "functions does not exist" error when I rebooted. I since have
redone my install of rc4 three times and it keeps happening. I must be doing
something wrong. (Although I have no idea what it could be.)
I have to admit I am a little surprised I am the only one reporting this
problem since it seems so repeatable. I am going to try again tonight and
document every step I take up to this failure. Hopefully, if I provide this
information it may shed some light so the gurus can help me out. ;-)

Troy

-Original Message-
From: George Luft [mailto:GLuft@;clayton.com]
Sent: Monday, October 28, 2002 8:30 AM
To: [EMAIL PROTECTED]
Subject: [leaf-user] error backing up shorewall (rc4)

I get this same error message when backing up shorewall, yet it appears that
the backup is successful.  I have not encountered the "functions does not
exist" message. 

> Creating shorwall.lrp Please wait: |tar: var/lib/shorewall:
> No such file
> or directory
> tar: Error exit delayed from previous errors

This was a clean rc4 install to replace my Dachstein.  Otherwise it went
rather smoothly.

Are these two separate issues?

George Luft
Trumbull, CT

Many thanks to Jacques and Eric, Father Stein--and all the folks on the
leaf-user list!







RE: [leaf-user] How to set up bridging with Bering?

2002-10-28 Thread Troy Aden
Craig,
I am not sure what you mean. Can you please provide more details? I have a
suspicion of what you are trying to do. But I need more information. Thanks.

Troy

-Original Message-
From: Craig [mailto:craigcaughlin@;attbi.com]
Sent: Monday, October 28, 2002 3:36 PM
To: LEAF
Subject: [leaf-user] How to set up bridging with Bering?

Hi folks,
What do I need to do to set up 2 Bering boxes to bridge 2 subnets? Is
there any info available (I've looked, but didn't find any)? I notice in
the /etc/network/interfaces file there's a Bridge entry that's commented
out, and a reference to more files. Thank you.

Craig







RE: [leaf-user] Blocking domains with shorewall

2002-10-30 Thread Troy Aden
I found the package (I spoke too soon, sorry.)
At http://www.monkeynoodle.org/lrp/lrp/packages/servers/squid2.lrp
But when it loads it tells me I am missing a required
lib "libnsl.so.1". Does anyone know where I can get this
lib for Bering leaf?

Thanks again. Sorry to bug the list.

Troy.

-Original Message-
From: troy [mailto:troy@;wavecomwireless.com] 
Sent: Wednesday, October 30, 2002 5:40 PM
To: [EMAIL PROTECTED]
Subject: RE: [leaf-user] Blocking domains with shorewall


Is there a "squid.lrp" out there that will work with Bering RC4? I have done
some searching but to no avail. 
Thanks in advance.

Troy

-Original Message-
From: Tom Eastep [mailto:teastep@;shorewall.net] 
Sent: Wednesday, October 30, 2002 3:26 PM
To: troy
Cc: [EMAIL PROTECTED]
Subject: Re: [leaf-user] Blocking domains with shorewall




troy wrote:
> Is there a way to block domains with shorewall?
> For example, if I wanted to deny the internal
> network access to "webshots.com" etc?
> 
No.

You want to use a user space proxy such as Squid for this type of 
name-based policing.

-Tom
-- 
Tom Eastep\ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ [EMAIL PROTECTED]








RE: [leaf-user] Bering log rotation - weblet view

2002-11-03 Thread Troy Aden
Read the Bering Errata page. There are a couple of fixes for that
there.

Hope this helps.

Troy

-Original Message-
From: Luis.F.Correia [mailto:Luis.F.Correia@;seg-social.pt]
Sent: November 3, 2002 2:11 PM
To: [EMAIL PROTECTED]
Subject: [leaf-user] Bering log rotation - weblet view


Hi!

This must sound strange from me but I have left my router on for over a day,
which isn't normal for me (dial-up).
This morning when I turned my main PC on and went to take a look at the
messages, ppp.log and so on, I got the 'File not readable:kern.log' error.
What is this? 
Some kind of permissions issue?
Does it have to do with the log rotation?

I am using Bering V1.0-rc3.

Thanks!





RE: [leaf-user] Root Password

2002-11-05 Thread Troy Aden
Type "passwd" in the command prompt. (Follow the prompts. And be
sure to backup before you reboot.)

Hope this helps.

Troy


-Original Message-
From: Godfried Duodu [mailto:GDUODU@;dot.state.tx.us]
Sent: Tuesday, November 05, 2002 1:32 PM
To: [EMAIL PROTECTED]
Subject: [leaf-user] Root Password

How do I change the root password in Bering?






RE: [leaf-user] Bering v1.0-stable released !

2002-11-15 Thread Troy Aden
I have to chime in here as well. I am most grateful for the efforts made
developing this.
And the support that I have received on this list has been tremendous. (Even
when I am asking silly questions.)
I have used this package on our corporate network and several home networks
including my own.
It is a great package and I am taking every opportunity to tell everyone
about it.
Anyway, Thanks guys! Great Job! 

Troy

-Original Message-
From: Matt Russell [mailto:matt@;excal-inc.com]
Sent: Friday, November 15, 2002 3:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [leaf-user] Bering v1.0-stable released !

I agree. I think a lot of us take a lot (if not most) of what they do for
granted. I also think a lot of us are glad we didn't have to drop a few G's
on cisco hardware, not to mention the almost immediate help we get with any
question...


thanks!



-Original Message-
From: [EMAIL PROTECTED]
[mailto:leaf-user-admin@;lists.sourceforge.net]On Behalf Of Eric B Kiser
Sent: Thursday, November 14, 2002 9:55 PM
To: [EMAIL PROTECTED]
Subject: RE: [leaf-user] Bering v1.0-stable released !


Great job guys, thanks for all your hard work.

Most respectfully,
Eric Kiser

-Original Message-
From: [EMAIL PROTECTED]
[mailto:leaf-user-admin@;lists.sourceforge.net]On Behalf Of Jacques Nilo
Sent: Thursday, November 14, 2002 5:53 PM
To: [EMAIL PROTECTED];
[EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: [leaf-user] Bering v1.0-stable released !


Finally, it's out. All the details are here:
http://leaf.sourceforge.net/article.php?sid=63

We will probably take a rest for a while :-)

Enjoy!

Jacques & Eric






[leaf-user] IP Tables question

2002-11-26 Thread Troy Aden
Hi there, I have a quick IP Tables question.

I have an SMTP server behind my firewall and I would like to deny all
outbound SMTP traffic "except" if it originates from my internal SMTP
server.
The current rule allows SMTP traffic outbound from any IP on the internal
network. (See below for the current rule.) Let's say that my internal SMTP
server is at IP: 192.168.1.67. What should the rules look like? Can someone
help me out? I have gotten so used to working with Shorewall I can't
remember the proper syntax for a raw IP tables rule. :)

Currently I have these rules:
## SMTP
# Allow SMTP outbound from internal network.
iptables -A FORWARD -i ${OUTSIDE_DEVICE} -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -o ${OUTSIDE_DEVICE} -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT

I need rules that allow SMTP outbound from 192.168.1.67 ONLY. (I would want
it to drop all SMTP traffic that is not originating from the SMTP server.)


Thanks in advance.

Troy





RE: [leaf-user] IP Tables question

2002-11-26 Thread Troy Aden
Can you please show me where I need to add -s 192.168.1.67? I am assuming
that I can't just tack it onto the end of the rule. Should it look like
this?

iptables -A FORWARD -i ${OUTSIDE_DEVICE} -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT -s 192.168.1.67
iptables -A FORWARD -o ${OUTSIDE_DEVICE} -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT -s 192.168.1.67

Please demonstrate how this rule should look. It is the syntax that throws
me off.

Sorry to be a bother. Thanks.




-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 26, 2002 2:49 PM
To: Troy Aden
Cc: Leaf-User (E-mail)
Subject: Re: [leaf-user] IP Tables question


Whoops, I didn't read the whole thing.
You would want to add -s 192.168.1.67 to the outbound permit.





Troy Aden <[EMAIL PROTECTED]> on 11/26/2002 02:02:44 PM

To:   "Leaf-User (E-mail)" <[EMAIL PROTECTED]>
cc:(bcc: Phillip Watts/austin/Nlynx)

Subject:  [leaf-user] IP Tables question



Hi there, I have a quick IP Tables question.

I have an SMTP server behind my firewall and I would like to deny all
outbound SMTP traffic "except" if it originates from my internal SMTP
server.
The current rule allows SMTP traffic outbound from any IP on the internal
network. (See below for the current rule.) Let's say that my internal SMTP
server is at IP: 192.168.1.67. What should the rules look like? Can someone
help me out? I have gotten so used to working with Shorewall I can't
remember the proper syntax for a raw IP tables rule. :)

Currently I have these rules:
## SMTP
# Allow SMTP outbound from internal network.
iptables -A FORWARD -i ${OUTSIDE_DEVICE} -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -o ${OUTSIDE_DEVICE} -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT

I need rules that allow SMTP outbound from 192.168.1.67 ONLY. (I would want
it to drop all SMTP traffic that is not originating from the SMTP server.)


Thanks in advance.

Troy





[leaf-user] IP Tables - allow X-Windows connections between internal and external machine

2002-12-02 Thread Troy Aden
I am attempting to translate an IPTABLES rule from another firewall into
shorewall.
Can someone please show me how I need to enter this rule into the
/etc/shorewall/rules file?

# X-Windows forwarding
iptables -A PREROUTING -t nat -s 128.x.x.x -d ${OUTSIDE_IP} -j DNAT --to 192.168.x.x
iptables -A FORWARD -d 192.168.x.x -o ${INSIDE_DEVICE} -j ACCEPT

This rule works. But I am not sure how to enter this with the proper syntax
into the Shorewall rules file.
Can someone please show me how the rule should be entered?

The 128.x.x.x is an external machine and the 192.168.x.x is an internal
machine.

The above rules look to me like they are allowing all connections between
these two machines.

Thanks in advance.


Troy Aden





[leaf-user] FloppyFW vs. Bering 1.0 /w shorewall 1.3.10

2002-12-11 Thread Troy Aden
I am wondering if anyone has ever compared these two packages. I am just
interested to know if anyone has a point by point comparison of the two
packages. I don't seem to be making any headway and any good points
regarding the security and functionality advantages of Bering vs. FloppyFW
would be most helpful. 

For information on floppyFW check this site:
http://www.zelow.no/floppyfw/


Thanks in advance.

Troy





RE: [leaf-user] FloppyFW vs. Bering 1.0 /w shorewall 1.3.10

2002-12-12 Thread Troy Aden
Thanks for the feedback. We have been using FloppyFW for 2 years now.
It is hard for me to do an objective comparison of the two packages because
I have been personally using Eigerstein, Dachstein and now Bering. So I have
grown very accustomed to and comfortable with the way it is structured. I am trying to
convince our head sysadmin to switch from FloppyFW to Bering /w shorewall 1.3.10.
With no success. (sigh)

Here are the "advantages" of FloppyFW.
- You can edit your firewall rules with a Unix text editor on your Windows
box. (Something like NoteTab Lite.)
- Some would see "building your own ruleset" as an advantage. I do not.
I prefer to have a tested and proven ruleset to start with and then change
it as I see fit.
- Virtually all editing and configuration of FloppyFW can be done with the
text editor mentioned above, because all of the configs are kept as a series
of .ini files.
- FloppyFW is a firewall. No more. No less. The packages available for it
are very limited.

The disadvantages are as follows:
- It uses an older version of iptables. FloppyFW uses 1.2.5; Shorewall uses
1.2.6a.
- You can't stop|start|restart the firewall without rebooting the box.
- When the firewall loads the rules, they scroll by very quickly and
you can't use shift-page-up to back up and see what went wrong. It only goes
about two screens up.
- If there is a dnscache app for FloppyFW I have not seen it. (The packages
available are very limited.)

I would have to concede that our sysadmin is right when he says that
FloppyFW is working for us so there is no reason to change. But I was hoping
that we could migrate to a package that is "in my opinion" far better. I
guess I will have to wait until we require IPSEC to make my move and propose
Bering /w shorewall again. I was hoping that someone on the list could
provide me with some irrefutable evidence that moving from FloppyFW to
Bering is a prudent move. But I guess you are right. It must just come down
to preference.

If anyone has anything to add to this please let me know.

Thanks. 

Troy



 -Original Message-
From:   Lynn Avants [mailto:[EMAIL PROTECTED]] 
Sent:   Wednesday, December 11, 2002 11:21 AM
To: Troy Aden
Cc: [EMAIL PROTECTED]
Subject:Re: [leaf-user] FloppyFW vs. Bering 1.0 /w shorewall 1.3.10

On Wednesday 11 December 2002 08:35 am, you wrote:
> I am wondering if anyone has ever compared these two packages. I am just
> interested to know if anyone has a point by point comparison of the two
> packages. I don't seem to be making any headway and any good points
> regarding the security and functionality advantages of Bering vs. FloppyFW
> would be most helpful.

Bering is ultimately more flexible and supports a ton more
hardware/protocols. If you're running a cable modem or DSL and
only want 2 interfaces with no DMZ or IPSEC and build your own
firewall ruleset, FloppyFW would seem to be a feasible option.
I can't compare the security since FloppyFW doesn't have a
"default" ruleset. There's nothing wrong with this; it's just a matter
of preference.

I'd be interested if you would try it and send me your opinion of
FloppyFW. 
-- 
~Lynn Avants
Linux Embedded Firewall Project developer
http://leaf.sourceforge.net





RE: Fw: [leaf-user] Umount, not UNmount, Duhhh!

2003-01-09 Thread Troy Aden
Don't be too hard on yourself. Everyone is a newbie at least once. ;-))  
(I have asked worse questions to this list and been very impressed how nice
everyone was to me.)



 -Original Message-
From:   Chris Low [mailto:[EMAIL PROTECTED]] 
Sent:   Thursday, January 09, 2003 2:09 PM
To: [EMAIL PROTECTED]
Subject:Re: Fw: [leaf-user] Umount, not UNmount, Duhhh!

Okay, I'm an idiot =)

Thanks for all the answers received and all your patience with an obvious 
newbie!

Chris






[leaf-user] Supercharging Bering 1.0 for a large network.

2003-01-26 Thread Troy Aden
We are currently running 2 Bering 1.0 routers (each with 4 subnets / NICs)
on a network of about 300 systems. We have had no issues with Bering and are
very happy with it. The question is that we are looking at growing our
network significantly in the next year. (Doubling in size is a distinct
possibility.)  I am just wondering how many systems I can run off of these
two routers before I start getting worried that they can't keep up. I am
considering re-subnetting the company so that I can get around having a
limit of 253 hosts / NIC. 

Here are a few particulars of the hardware.

P133 and a P100 with 64 MB of RAM.
One router is running a 4 port NIC the other 4 3COM NICs.
They are both running DHCRelay so that DHCP requests can get forwarded to
our DHCP servers on one of our subnets.

Should I look at upgrading the RAM / CPU? At what point does this become
redundant? 
How can I prevent buffer overflow when traffic is high? Is there somewhere I
can go to increase the available memory?

Thanks in advance.


Troy





[leaf-user] NIC support in Bering

2003-01-27 Thread Troy Aden
Is there any module support for these two NICs in Bering?
3C985B-SX
3C996-SX

I am searching the support list with no luck so far. 


Thanks in advance.

Troy





[leaf-user] Aliasing multiple subnets through a single NIC

2003-02-03 Thread Troy Aden
Can someone please point me to an example of how to do this with Bering.
I would like to alias a route to the .145 subnet on Router B from a new
router I am adding to our network.
Please help.
I currently have static routes added as per the description below:

>>> Router A >>>
auto eth0
iface eth0 inet static  
address 192.168.141.1
masklen 24
broadcast 192.168.141.255
#   gateway 1.2.3.1

auto eth1
iface eth1 inet static  
address 192.168.142.1
masklen 24
broadcast 192.168.142.255
#   gateway 1.2.3.1

auto eth2
iface eth2 inet static  
address 192.168.143.1
masklen 24
broadcast 192.168.143.255
#   gateway 1.2.3.1

auto eth3
iface eth3 inet static  
address 192.168.147.1
masklen 24
broadcast 192.168.147.255
gateway 192.168.147.4

up ip route add 192.168.140.0/24 via 192.168.147.3 || true
up ip route add 192.168.144.0/24 via 192.168.147.2 || true
up ip route add 192.168.145.0/24 via 192.168.147.2 || true
up ip route add 192.168.146.0/24 via 192.168.147.2 || true


>>>
^
^
>>> Router B >>>
# /etc/network/interfaces -- configuration file for LEAF network
# J. Nilo, April 2002
#
# Loopback interface.
auto lo
iface lo inet loopback

# Step 1: configure external interface
# uncomment/adjust one of the following 4 options
# Option 1.1 (default): eth0 / dynamic IP from pump/dhclient
#auto eth0
#iface eth0 inet dhcp
#
# Option 1.2: eth0 / Fixed IP (assumed to be 1.2.3.4). 
#   (broadcast/gateway optional)
auto eth0
iface eth0 inet static  
address 192.168.147.2
masklen 24
broadcast 192.168.147.255
gateway 192.168.147.1

auto eth1
iface eth1 inet static  
address 192.168.144.1
masklen 24
broadcast 192.168.144.255
#   gateway 1.2.3.1

auto eth2
iface eth2 inet static  
address 192.168.145.1
masklen 24
broadcast 192.168.145.255
#   gateway 1.2.3.1

auto eth3
iface eth3 inet static  
address 192.168.146.1
masklen 24
broadcast 192.168.146.255
#   gateway 192.168.147.4



Thanks in advance.

Troy





[leaf-user] E-mailing log files from Bering 1.0 final

2003-02-19 Thread Troy Aden
I must be missing something trivial in how I set this up. I
have confirmed that I can send mail from my Bering box with
Mail -s "test" (address) [enter] type message [ctrl-D]. The
problem is that even though I enter my e-mail address in the
Lrp_MAIL_ADMIN field in the master LRP settings, it is not
sending me my log files.
I also entered a list of lrp ping hosts. I deliberately set
a bogus IP in there that I knew would fail. Insofar as this, it worked
great! I was sent an e-mail alert indicating a ping failure. So I
know that mail is set up fine. The whole problem is that it is not sending
me my log files.
Here is what I would like it to e-mail me.
I would like to be e-mailed if a particular IP hits my
firewall more than 10 times. I would also want to have the results of an
"ifconfig" command sent to me once a week. How do I do this? Can anyone point
me in the right direction?

Thanks in advance.

Troy





RE: [leaf-user] E-mailing log files from Bering 1.0 final

2003-02-19 Thread Troy Aden
Thank you so much! I appreciate the quick response. That should be enough to
get me started.
I actually do have "ifconfig" running on our Bering routers. I needed it so
that I could run DHCRelay. :)
Thanks again. This list is great.

Troy
 -Original Message-
From:   Jacques Nilo [mailto:[EMAIL PROTECTED]] 
Sent:   Wednesday, February 19, 2003 2:15 PM
To: Troy Aden; Leaf-User (E-mail)
Subject:Re: [leaf-user] E-mailing log files from Bering 1.0 final

On Wednesday 19 February 2003 18:05, Troy Aden wrote:
> I must be missing something trivial in how I set this up. I
> have confirmed that I can send mail from my Bering Box with
>   Mail -s "test"  (address) [enter] type message [ctrl-D]. The
> problem is that even though I enter my e-mail address in the
>   Lrp_MAIL_ADMIN field in the master LRP settings, it is not
> sending me my log files.
>   I also entered a list of lrp ping hosts. I deliberately set
> a bogus IP in there that I knew would fail. Insofar as this, it worked
> great!
>   I was sent an e-mail alert indicating a ping failure. So I
> know that mail is set up fine. The whole problem is that it is not sending
> me
>   my log files.
>   Here is what I would like it to e-mail me.
>   I would like to be e-mailed if a particular IP hits my
> firewall more than 10 times.
Troy:
to mail the output of a given file just type:
cat filename | mail -s "My output file" [EMAIL PROTECTED]
Doing that conditionally on a given IP hitting more than 10 times requires some
shell programming.
Refer to /var/sh-www/cgi-bin/viewhits for some ideas about sorting

>  I would also want to have the results of an
> "ifconfig" command
>   Sent to me once a week. How do I do this? Can anyone point
> me in the right direction?
ifconfig does not exist in Bering :-)
In /etc/cron.weekly create an executable file named sendip which will
contain:

#!/bin/sh
ip addr show | mail -s "My Bering ifconfig output" [EMAIL PROTECTED]

That should do the trick
Jacques
>
>   Thanks in advance.
>
> Troy
>
>



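Jacques's two pointers above (pipe a file into mail; the "more than 10 hits" check needs some shell programming), carried through as an added example by the editor. It is not Jacques's code and not part of Bering. The log lines are constructed to look like Shorewall's kernel log entries, which carry a SRC= field for the source address; the threshold logic keys on that field only. Mailing is delegated to a MAILER variable so the script runs without a mail setup; on the router it would sit in /etc/cron.daily next to the sendip script.

```shell
#!/bin/sh
# Added example (not from the list post): count firewall hits per source
# address in Shorewall/iptables kernel log lines and build an alert for any
# address seen more than THRESHOLD times. The log lines below are constructed
# for illustration and use documentation address ranges.

sample_log() {
    # Constructed data: 12 hits from one scanner, 3 from another, 1 stray,
    # plus one non-firewall line that the parser must ignore.
    n=0
    while [ "$n" -lt 12 ]; do
        echo "Feb 19 10:01:$((10 + n)) firewall kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=192.139.0.2 LEN=48 PROTO=TCP SPT=4127 DPT=445"
        n=$((n + 1))
    done
    n=0
    while [ "$n" -lt 3 ]; do
        echo "Feb 19 10:02:$((20 + n)) firewall kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.20 DST=192.139.0.2 LEN=48 PROTO=TCP SPT=5001 DPT=135"
        n=$((n + 1))
    done
    echo "Feb 19 10:03:05 firewall kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=192.0.2.9 DST=192.139.0.2 LEN=60 PROTO=UDP SPT=53 DPT=1027"
    echo "Feb 19 10:03:06 firewall sshd[412]: Accepted publickey for root from 192.168.1.26"
}

# hits_over THRESHOLD: read log lines on stdin and print "ADDRESS COUNT" for
# every source address that appears more than THRESHOLD times, busiest first.
hits_over() {
    threshold="${1:-10}"
    # Keep only the SRC= value of each netfilter line (lines without one are
    # silently skipped), count per address, then apply the threshold.
    sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk -v t="$threshold" '$1 > t { printf "%s %s\n", $2, $1 }'
}

# alert_if_hits LOGFILE THRESHOLD: mail a report only when something crosses
# the threshold, so a quiet day produces no mail. MAILER defaults to cat so
# the example runs without a mail setup; on the router set, for instance,
# MAILER='mail -s "firewall hits" admin@example.com' (placeholder address).
alert_if_hits() {
    report="$(hits_over "$2" < "$1")"
    [ -n "$report" ] || return 0
    printf 'Source addresses with more than %s hits:\n%s\n' "$2" "$report" \
        | sh -c "${MAILER:-cat}"
}
```

Run it against the real log with something like alert_if_hits /var/log/kern.log 10 from a cron script. A source address is not an identity (spoofed UDP scans and shared NAT gateways both show up as one address), so treat the report as a pointer to what to look at in the full log rather than as a verdict.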


[leaf-user] newbie question.

2003-02-20 Thread Troy Aden
Hello there. I have a quick newbie question here. I would just like to know
the CLI command that I use to show the output below. I am assuming that it is
some variation of ip addr.

Thanks in advance.


What command will give me this output that I see in weblet?

1: lo:  mtu 16436 qdisc noqueue 
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
RX: bytes  packets  errors  dropped overrun mcast   
93612   0   0   0   0  
TX: bytes  packets  errors  dropped carrier collsns 
93612   0   0   0   0  
2: dummy0:  mtu 1500 qdisc noop 
link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
RX: bytes  packets  errors  dropped overrun mcast   
0  00   0   0   0  
TX: bytes  packets  errors  dropped carrier collsns 
0  00   0   0   0  
3: eth0:  mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:01:02:bf:93:54 brd ff:ff:ff:ff:ff:ff
RX: bytes  packets  errors  dropped overrun mcast   
56930223   943192   0   0   0   0  
TX: bytes  packets  errors  dropped carrier collsns 
215592 1956 0   0   0   12 
4: eth1:  mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:01:03:de:b2:25 brd ff:ff:ff:ff:ff:ff
RX: bytes  packets  errors  dropped overrun mcast   
907155 117560   0   0   0  
TX: bytes  packets  errors  dropped carrier collsns 
21208576348 0   0   0   0   





[leaf-user] DMZ question Bering 1.1

2003-02-25 Thread Troy Aden
My setup is as follows:

Internet ---> eth0 - 192.139.*.* - ISP's DNS resolves to
http://eros.myisp.com
Eth0 ---> eth1 =(LOC zone)- 192.168.1.26 LOC windows box
Eth0 ---> eth2 =(DMZ zone)- 192.168.2.26 DMZ Linux server

I have my rule set set up so that my loc zone can connect to my DMZ.
Now for my question:
Is there a way I can set this up so that I can connect from my loc zone
windows client to my web server in my DMZ with http://eros.myisp.com
as opposed to having to connect to it with http://192.168.2.26 ?
Am I missing something in my configuration? Or is this the way things should
be?
Please accept my apology if this is a silly question. :-)

Thanks in advance!

Troy




RE: [leaf-user] DMZ question Bering 1.1

2003-02-25 Thread Troy Aden
I am sorry. I was unclear. The real address is
http://eros.vcomrf.com 
You will get a password prompt.

Troy

 -Original Message-
From:   Ray Olszewski [mailto:[EMAIL PROTECTED] 
Sent:   Tuesday, February 25, 2003 12:51 PM
To: [EMAIL PROTECTED]
Subject:Re: [leaf-user] DMZ question Bering 1.1

At 12:11 PM 2/25/2003 -0600, Troy Aden wrote:
>My set up is as follows:
>
>Internet > eth0 -192.139.*.* - ISP's DNS resolves to
>http://eros.myisp.com
>Eth0 > eth1 =(LOC zone)- 192.168.1.26 LOC windows box
>Eth0 ---> eth2 =(DMZ  zone)- 192.168.2.26 DMZ Linux server
>
>I have my rule set set up so that my loc zone can connect to my DMZ.
>Now for my question:
>Is there a way I can set this up so that I can connect from my loc zone
>windows client
>to my web server in my DMZ with http://eros.myisp.com
><http://eros.myisp.com>  as opposed to having to connect
>to it with http://192.168.2.26 <http://192.168.2.26> ?
>Am I missing something in my configuration? Or is this the way things
should
>be?


Whether your LAN host "should be" able to connect to your DMZ Web server 
depends on many things, involving both how you handle DNS and how your 
rules are set up. But before any of this matters, the 
URL  http://eros.myisp.com needs to be resolvable in and of itself ... 
which it is not, as of about 5 minutes ago, from here:

 [EMAIL PROTECTED]:~$ host eros.myisp.com
 eros.myisp.com does not exist, try again
 [EMAIL PROTECTED]:~$

Once that works, it is mainly a matter of making sure that your LAN clients 
resolve the address correctly to your secret external address. Someone 
expert in Shorewall can comment on any specific ruleset issues; I can tell 
you that my Linux-based router here (not Bering/Shorewall) has no 
difficulty doing what you want yours to do.







[leaf-user] Interpreting "ip - link show" command output.

2003-03-07 Thread Troy Aden
Can anyone tell me what is happening to my eth2 interface shown below? 
It is indicating 396 errors. And it has the same amount under "carrier".
Can anyone give me an idea what this means or point me to a website that
describes how to understand the output of the "ip - link show" command?

Thanks in advance

Troy




1: lo:  mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
RX: bytes  packets  errors  dropped overrun mcast
38306  409  0   0   0   0
TX: bytes  packets  errors  dropped carrier collsns
38306  409  0   0   0   0
2: dummy0:  mtu 1500 qdisc noop
link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
RX: bytes  packets  errors  dropped overrun mcast
0  00   0   0   0
TX: bytes  packets  errors  dropped carrier collsns
0  00   0   0   0
3: eth0:  mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:04:5a:51:c2:3f brd ff:ff:ff:ff:ff:ff
RX: bytes  packets  errors  dropped overrun mcast
359688870  1227718  0   0   0   0
TX: bytes  packets  errors  dropped carrier collsns
1268959809 1677069  428 0   428 0
4: eth1:  mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:04:5a:51:c1:91 brd ff:ff:ff:ff:ff:ff
RX: bytes  packets  errors  dropped overrun mcast
2355068941 2447518  0   0   0   0
TX: bytes  packets  errors  dropped carrier collsns
387039553  1692078  0   0   0   0
5: eth2:  mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:04:5a:83:69:6a brd ff:ff:ff:ff:ff:ff
RX: bytes  packets  errors  dropped overrun mcast
40523718   520585   0   0   0   0
TX: bytes  packets  errors  dropped carrier collsns
1091789952 777003   396 0   396 0
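The counters pasted above are what `ip -s link show` (the statistics form of the command) prints per interface. As an added example, not part of the thread, the shell function below reads that output and prints every interface whose TX `errors` or `carrier` counter is non-zero, so a cron job on the router can notice a sick link before users complain. The sample text is a constructed copy of the eth0, eth1 and eth2 blocks from the message, as the archive preserved them (the flags field after the interface name is missing).

```shell
#!/bin/sh
# Added example (not from the thread): flag interfaces whose TX error or
# carrier counters are non-zero in `ip -s link show` output.

# Constructed sample: eth0, eth1 and eth2 blocks from the message above.
SAMPLE='3: eth0:  mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:04:5a:51:c2:3f brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    359688870  1227718  0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    1268959809 1677069  428     0       428     0
4: eth1:  mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:04:5a:51:c1:91 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    2355068941 2447518  0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    387039553  1692078  0       0       0       0
5: eth2:  mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:04:5a:83:69:6a brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    40523718   520585   0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    1091789952 777003   396     0       396     0'

# tx_faults: read `ip -s link show` text on stdin and print
# "<iface> <tx_errors> <tx_carrier>" for each interface whose TX errors
# or carrier count is non-zero. Healthy interfaces print nothing.
tx_faults() {
    awk '
        # Interface header "N: ethX: <FLAGS> mtu ...": remember the name
        $1 ~ /^[0-9]+:$/ { iface = $2; sub(/:$/, "", iface); next }
        # The "TX:" line names the columns; the next line holds the counters
        $1 == "TX:"      { tx_next = 1; next }
        tx_next          { tx_next = 0
                           if ($3 + 0 > 0 || $5 + 0 > 0) print iface, $3, $5 }
    '
}

# Usage on the router:  ip -s link show | tx_faults
printf '%s\n' "$SAMPLE" | tx_faults
```

The `carrier` column counts frames the NIC could not put on the wire because it lost carrier sense while transmitting. When it equals `errors`, as it does for eth0 and eth2 here, every transmit error is a carrier error, which points at the physical link (cable, switch port, or duplex negotiation) rather than at anything in the routing or firewall configuration.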






[leaf-user] Load average

2003-06-03 Thread Troy Aden
Uptime:   8:09pm  up 20:15, load average: 0.20, 0.04, 0.01

When I go into weblet and look at the http://192.168.2.1/cgi-bin/viewsys I
see the line above at the top of the page. Can anyone tell me how to
interpret the "load average: 0.20, 0.04, 0.01" portion of this? I have no
idea what these numbers mean. If anyone could point me to somewhere that
explains these numbers that would be great.

Thanks in advance.

Troy




RE: [leaf-user] Load average

2003-06-03 Thread Troy Aden
Thanks for the quick response. :) 
In truth, I am just using weblet on our routers so that I have an easy way
to track the throughput on all of the interfaces. (Packet count/ collisions/
bytes in out.)
So I guess I lose nothing by ignoring these numbers. 
I am thinking of using the version of Weblet here.
 http://leaf.sourceforge.net/devel/cstein/files/packages/weblet.lrp 
Weblet V1.2.0
Includes Bandwidth monitor
Does this version already have Netstat installed? I am very interested in
trying this version out. Would I have any issues running this on Bering 1.2?

Thanks again.

Troy


-Original Message-
From: Ray Olszewski [mailto:[EMAIL PROTECTED]
Sent: Monday, June 02, 2003 10:02 AM
To: Leaf-User (E-mail)
Subject: Re: [leaf-user] Load average

At 09:40 AM 6/2/2003 -0600, Troy Aden wrote:
>Uptime:   8:09pm  up 20:15, load average: 0.20, 0.04, 0.01
>
>When I go into weblet and look at the http://192.168.2.1/cgi-bin/viewsys I
>see the line above at the top of the page. Can anyone tell me how to
>interpret the "load average: 0.20, 0.04, 0.01" portion of this? I have no
>idea what these numbers mean. If anyone could point me to somewhere that
>explains these numbers that would be great.

I wish I could. (I wish *anyone* could.)

These numbers are "explained" in the man page for "uptime". Unfortunately,
the explanation there consists of the following: "the system load averages
for the past 1, 5, and 15 minutes". Helps a lot, eh?

My best understanding of these numbers is that they report the average
number of processes waiting for some resource (that is, blocked) over the
past 1, 5, and 15 minutes. If my understanding is correct, these numbers
are in most instances not all that useful, and they are especially useless
for routers (which do most of their important work within the kernel ... an
old showboat fiddle with a Linux router was to show that it would continue
to route even after a "halt" command had executed (in those days, systems
didn't automatically power down)).

In most settings (single-purpose systems like routers, as well as
workstations and servers), I find CPU load (the percentages reported by
"top") a better indicator of system load. Since I don't use the weblet, I
don't know where (or even whether) it reports this information. If it does
not report it, perhaps it should.
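For the record, the figure Linux reports is an exponentially damped moving average of the number of tasks that are runnable or in uninterruptible sleep, sampled every five seconds; the 1-, 5- and 15-minute values use damping factors exp(-5/60), exp(-5/300) and exp(-5/900) (the kernel uses 11-bit fixed-point approximations, 1884/2048, 2014/2048 and 2037/2048). As an added example, not from the thread, the shell function below replays a series of run-queue samples through that recurrence so the three numbers can be read as a history. The sample series (one busy task for a minute, then two idle minutes) is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): replay run-queue samples through
# the load-average recurrence the Linux kernel uses.

# samples N VALUE: print VALUE on N lines, one per 5-second sampling tick
samples() {
    awk -v n="$1" -v v="$2" 'BEGIN { for (i = 0; i < n; i++) print v }'
}

# loadavg_sim: read one run-queue sample per line (tasks runnable or in
# uninterruptible sleep at that 5-second tick) and print the 1-, 5- and
# 15-minute load averages the kernel would report after the last sample.
loadavg_sim() {
    awk '
        BEGIN {
            # damping factors for a 5 s sampling interval
            k1 = exp(-5 / 60); k5 = exp(-5 / 300); k15 = exp(-5 / 900)
            l1 = l5 = l15 = 0
        }
        {
            # new = old * k + sample * (1 - k)
            l1  = l1  * k1  + $1 * (1 - k1)
            l5  = l5  * k5  + $1 * (1 - k5)
            l15 = l15 * k15 + $1 * (1 - k15)
        }
        END { printf "%.2f %.2f %.2f\n", l1, l5, l15 }
    '
}

# One minute of a single busy task (12 samples of 1): the 1-minute figure
# has only reached 1 - 1/e of the true queue length.
samples 12 1 | loadavg_sim                        # 0.63 0.18 0.06

# ...followed by two idle minutes: the 1-minute figure decays fastest.
{ samples 12 1; samples 24 0; } | loadavg_sim     # 0.09 0.12 0.06
```

Two things follow from the recurrence. A constant load takes several multiples of the window to show up fully, so a figure like the "0.20, 0.04, 0.01" in the original message, where the 1-minute value is the largest, means a short burst of activity in the last minute or so, not a sustained one. And because only runnable or uninterruptible tasks are counted, a router doing its real work inside the kernel's network stack can be saturated while all three values stay near zero, which is the point Ray makes.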







[leaf-user] Shorewall question

2003-08-26 Thread Troy Aden
My ASCII art is terrible so I will just try to describe this as best I can.

I am running a Jabber server in my DMZ (192.168.2.2) PORT 5224 is open in
shorewall to allow users to connect inbound. 
I am also running a windows client in my LOC zone. (192.168.1.2)
The problem occurs when I make an OUTBOUND VPN connection to my work from my
Windows box in my LOC zone. (I have the proper helper modules enabled and
VPN works fine.)
What happens when I make the connection to my work is that all my Jabber
clients connected from outside lose connectivity.
Can someone please explain to me how I could stop my firewall from dumping
all the inbound connections to my Jabber server when I make an outbound VPN
connection? Keep in mind, my windows box is in the LOC zone and my server is
in the DMZ. 

I am running Bering 1.2 on a cable modem connection with static IP 3 NIC
(net/loc/dmz) setup. If any of you require additional info, I would be happy
to provide it. 

Thanks in advance!

Troy




RE: [leaf-user] Shorewall question

2003-08-27 Thread Troy Aden
Thanks Tom! 
That was the problem. 
All I had to do was go into my VPN settings and uncheck the "use gateway of
remote network" setting under TCP/IP and the problem went away. 
I love this list.
 
Troy

-Original Message-
From: Tom Eastep [mailto:[EMAIL PROTECTED]
Sent: Monday, August 25, 2003 8:26 PM
To: Troy Aden
Cc: Leaf-User (E-mail)
Subject: Re: [leaf-user] Shorewall question

On Mon, 25 Aug 2003, Troy Aden wrote:

> My ASCII art is terrible so I will just try to describe this as best I can.
>
> I am running a Jabber server in my DMZ (192.168.2.2) PORT 5224 is open in
> shorewall to allow users to connect inbound.
> I am also running a windows client in my LOC zone. (192.168.1.2)
> The problem occurs when I make an OUTBOUND VPN connection to my work from
my
> Windows box in my LOC zone. (I have the proper helper modules enabled and
> VPN works fine.)
> What happens when I make the connection to my work is that all my Jabber
> clients connected from outside lose connectivity.
> Can someone please explain to me how I could stop my firewall from dumping
> all the inbound connections to my Jabber server when I make an outbound
VPN
> connection? Keep in mind, my windows box is in the LOC zone and my server
is
> in the DMZ.
>
> I am running Bering 1.2 on a cable modem connection with static IP 3 NIC
> (net/loc/dmz) setup. If any of you require additional info, I would be
happy
> to provide it.
>

I'm betting that your problem has absolutely nothing to do with your
firewall but rather with the fact that your VPN setup is transferring the
default route to the VPN tunnel when you connect. You can try changing
that setting in your VPN client configuration but that change may limit
your ability to access hosts in your employer's intranet.

-Tom
--
Tom Eastep\ Shorewall - iptables made easy
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]




[leaf-user] Shorewall redirect port 80--> port 443

2003-08-29 Thread Troy Aden
Hi there. I have a quick/silly Shorewall question.
I am running a web server behind my Bering 1.2 box and I would like to make
sure that all traffic that comes into my firewall at port 80 (http) gets
redirected to my internal server on port 443 (ssl).
Can someone please tell me how I could go about doing this?
Thanks in advance!


Troy




RE: [leaf-user] Bering and MRTG [faked-from][sls]

2003-09-10 Thread Troy Aden
I am also interested in setting this up. Can you please provide links to the
netsnmpd (daemon) and netsnmpu (client) packages? Thanks!

Troy
-Original Message-
From: Roger E McClurg [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 10, 2003 11:32 AM
To: [EMAIL PROTECTED]; Stephen Pritchard
Subject: Re: [leaf-user] Bering and MRTG [faked-from][sls]

Stephen,

MRTG and Bering 1.2 work great together. I monitor a number of Bering
VPN/Routers with MRTG. It is simple. If you load both the netsnmpd
(daemon) and netsnmpu (client) packages you can test your snmp at the
Bering console. Snmpd.conf does not need much modification. Just make sure
you have a community name that will let you have access to everything you
want snmp to see. See my snippet from snmpd.conf below which allows snmp
to access everything defined in the mib:
#
#
# community configuration
#
# commName                      readV   writeV
#
community public                xmini   -
community "your community name" all     all


Verify that you can do an snmpwalk and get the data on the Bering box.
Once you can see the snmp data locally it's time to put MRTG to work.
Point MRTG at your Bering box with the correct community name and it will
be able to report on all network adapters including virtual adapters like
ipsec0.

Roger

>From: "Stephen Pritchard" <[EMAIL PROTECTED]>
>Reply-to: [EMAIL PROTECTED]
>To: [EMAIL PROTECTED]
>Date: Tue, 9 Sep 2003 03:09:21 +1200
>Subject: [leaf-user] Bering and MRTG
>
>I would like to use our Linux based MRTG system to monitor the network
>traffic on a separate LEAF Bering 1.2 system. I have looked at converting
>it to Bering culibc and using the snmpd package. Unfortunately I cannot
>figure out how to configure the snmp daemons.
>
>Does anyone have some example Bering snmp configurations for monitoring
>network traffic? Or does anyone know another way of setting up MRTG
>to monitor the Bering system?
>
>Thanks
>
>-Stephen





[leaf-user] VPN <--> VPN issues

2003-09-15 Thread Troy Aden
Hello all!
I am running into a strange VPN problem between our offices here and in a
second location. 
Here is the configuration.

(Site1) VPN client --> Firewall <--> Internet  <--> Firewall --> VPN client
(Site 2) -will not allow a second VPN connection to site 1! Why?

(I am terrible at ASCII art so I will do my best to explain.)

There are 2 sites. If a client at site 1 makes a VPN connection to site 2
all is well. And likewise if a client from site 2 makes a VPN connection to
site 1 all is well.
The problems start when a second client from site 2 attempts a VPN
connection to site 1: they can't do it. 

Does this sound to anyone like a firewall issue or a server configuration
issue?

I am hoping that this something that could be solved by using Bering 1.2
with shorewall.

We are running FloppyFW right now with iptables rules to allow VPN inbound
and outbound at both locations. (But this package does not have any modules
to manage these connections, i.e.:

>snip from Bering module config>
# Modules needed for PPTP connection
slhc
ppp_generic
ppp_async
ppp_mppe
>snip from Bering module config


These modules are enabled on my Bering box. Would using these modules with
Bering solve this VPN problem? 

I would be happy to answer any questions to clarify this further if needed.

Thanks in advance!

Troy




[leaf-user] Newbie help with net-snmp.lrp

2003-09-28 Thread Troy Aden
I have searched the documentation and fought with how to properly set up
net-snmp on the latest Uclibc Bering image.


FIRST. MY SETUP.

>>
Name      Version          Description
========  ===============  ===============================================
initrd    V2.0 uClibc-0.   LEAF Bering initial filesystem
root      V2.0 uClibc-0.   Core LEAF Bering package
config    0.1              config and backup system package
etc       V2.0 uClibc-0.
local     V2.0 uClibc-0.   LEAF Bering local package
modules   V2.0 uClibc-0.   Define & contain your LEAF Bering modules
iptables  1.2.8            IP packet filter administration tools for 2.4.
shorwall  1.4.5            Shoreline Firewall (Shorewall)
ulogd     1.00             The Netfilter Userspace Logging Daemon
dnscache  1.05a            A fast & secure proxy DNS server, patched for
dropbear  0.36             Dropbear is an SSH 2 server
libm                       The libm Library
libsnmp   5.0.9            SNMP libraries needed for snmp packages or pac
netsnmpd  5.0.9            SNMP agent which binds to a port, awaits reque
netstatn  1.4              $Id: README,v 1.8 2002/09/12 19:32:12 mardan E
weblet    1.2.1-1          LEAF status via a small web server


  PID  Uid       VmSize Stat  Command
    1  root         256 S     init [2]
    2  root             SW    [keventd]
    3  root             SWN   [ksoftirqd_CPU0]
    4  root             SW    [kswapd]
    5  root             SW    [bdflush]
    6  root             SW    [kupdated]
31724  root         280 S     /sbin/syslogd -m 240
 2186  root         240 S     /sbin/klogd
 8271  root         296 S     /usr/sbin/dropbear -p 22 -r /etc/dropbear_rsa_host_ke
 8492  root         140 S     /usr/sbin/watchdog
17517  root         280 S     /usr/sbin/inetd
20557  root         276 S     /usr/sbin/ulogd -d
 7137  root        1256 S     [dnscache]
26427  root        1584 S     /usr/sbin/snmpd
19569  root         288 S     /usr/sbin/cron
16864  root         268 S     /sbin/getty 38400 tty1
18876  root         268 S     /sbin/getty 38400 tty2
22101  root         448 S     /usr/sbin/dropbear -p 22 -r /etc/dropbear_rsa_host_ke
21211  root         304 S     -sh
13084  root         304 S     /bin/sh /usr/sbin/lrcfg
 4237  root         324 S     /bin/sh /usr/sbin/lrcfg.conf Packages configuratio
  390  root         324 S     /bin/sh /usr/sbin/lrcfg.conf Packages configuratio
25365  root         320 S     /bin/sh /usr/sbin/lrcfg.conf netsnmpd configuratio
24674  root         292 S     /bin/sh /bin/edit /etc/snmp/snmpd.conf
19576  root          40 S     /bin/e3ne /etc/snmp/snmpd.conf
 7207  sh-httpd     332 S     /bin/sh /usr/sbin/sh-httpd
21917  sh-httpd     304 S     /bin/sh /var/sh-www/cgi-bin/viewsys
 4018  root         192 S     [sleep]
18074  root         240 S     [cat]
31058  sh-httpd     308 S     /bin/sh /var/sh-www/cgi-bin/viewsys
  151  root         288 R     [ps]



I am attempting to connect to my bering-Uclibc box with MRTG with the
following line: (See output)
C:\mrtg-2.10.0pre6\bin>perl cfgmaker [EMAIL PROTECTED] --global "WorkDir: C:\Inetpub\wwwroot\mrtg" --output My_firewall.cfg
--base: Get Device Info on [EMAIL PROTECTED]:
SNMP Error:
receiving response PDU: Unknown error
SNMPv1_Session (remote host: "192.168.1.254" [192.168.1.254].161)
  community: "public"
 request ID: 1981474209
PDU bufsize: 8000 bytes
timeout: 2s
retries: 5
backoff: 1)
SNMPWALK Problem for 1.3.6.1.2.1.1 on [EMAIL PROTECTED]::v4only
WARNING: Skipping [EMAIL PROTECTED]: as no info could be retreived

--base: Writing My_firewall.cfg



I am thinking that the problems I am having are stemming from me not
assigning the community name properly.
What it comes down to is I am hoping someone could please show me a working
snmpd.conf file showing clearly where I need to go to change the community
name.
For Example, Say I wanted to have a community name of "Test1" for a
read-only community name and "Test2" for a read / write community name. 
It would be of great help to me if someone could paste in a sample config
that is using these two variables. I am sure that would make it a lot
clearer for me. But please if you post keep in mind that I have never gone
through a snmp setup before and I need the "newbisized" instructions.

On a side note, I wish that the documentation [for net-snmp] would be made
not only for a seasoned OR intermediate user but also for the poor user who
is going to be trying something for the first time.  A useful way to
accomplish this is to display a working config and lay out detailed
instructions on how to connect to the snmp daemon with MRTG.


I would be happy to provide any additional info if it would be of any help.

Here is my snmp.conf file. (Thanks in advance!)
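Troy's own snmpd.conf did not survive in the archive. What follows is an added example, not his file and not any list member's: a minimal net-snmp snmpd.conf with the "Test1" read-only and "Test2" read/write communities he asks about, scoped the way a firewall operator should scope them. The monitoring host address 192.168.1.2 is an assumption; the router address 192.168.1.254 is the one the cfgmaker output above was polling.

```conf
# Added example (not from the thread): minimal net-snmp snmpd.conf for a
# Bering router polled by a single MRTG host.
# Assumptions (placeholders, change to match your network):
#   192.168.1.2   - the MRTG / monitoring host
#   192.168.1.254 - the router's LOC-side address (from the cfgmaker output)

# Read-only community, answered only for the monitoring host.
# MRTG only reads interface counters, so this is all it needs.
rocommunity Test1 192.168.1.2

# A read/write community lets anyone who learns the string change the
# router's configuration over UDP. Leave it out unless something really
# has to write; if it must, scope it to that one host as well.
# rwcommunity Test2 192.168.1.2

# Listen on the internal interface only, so the agent is not reachable
# from the net or dmz zones even before Shorewall filters udp/161.
agentaddress udp:192.168.1.254:161

# Descriptive fields MRTG shows in its page headers
syslocation  Bering router
syscontact   admin@example.com
```

With this in place, test locally first, as Roger suggests: `snmpwalk -v1 -c Test1 192.168.1.254 system` from the monitoring host should return the system group. Then run cfgmaker with the same community and host in its `community@host` form (which is the string the archive's address filter turned into `[EMAIL PROTECTED]` above). Polling with `public`, as the failing cfgmaker run did, now gets no answer at all, which is the intended behaviour: an unknown community should look exactly like a closed port.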


[leaf-user] Shorewall firewall logs question

2003-09-28 Thread Troy Aden
I have a quick shorewall question.
I am receiving around 500 hits a day from bit torrent ports. (6881 - 6889).
These are flooding my firewall logs and I would like to stop logging hits on
these ports.
I would like to continue with logging the hits on any other ports however.
Is there a way to tell shorewall to simply DROP and not log these hits and
continue to log all the rest?
 
Just a word of warning to all of you considering using bit torrent, do not
open any ports to help to facilitate file sharing. (6881-6889)
Their servers will never leave you alone. It has been a week since I ran the
app and my firewall is still being pounded with requests. (500 to 800 hits a
day!)

Thanks in advance.

Troy




RE: [leaf-user] Shorewall firewall logs question [sls]

2003-09-28 Thread Troy Aden
Sorry about that.
It took me all of 20 seconds to find the answer in the FAQ.

6b. DROP messages on port 10619 are flooding the logs with their connect
requests. Can i exclude these error messages for this port temporarily from
logging in Shorewall?
Temporarily add the following rule:
DROP    net    fw    udp    10619

I will make sure to review the FAQ before I post another Shorewall question.


Again, my apologies.

Troy
-Original Message-
From: Tom Eastep [mailto:[EMAIL PROTECTED]
Sent: Sunday, September 28, 2003 7:24 PM
To: Troy Aden
Cc: Leaf-User (E-mail)
Subject: Re: [leaf-user] Shorewall firewall logs question [sls]

On Sun, 28 Sep 2003, Troy Aden wrote:

> I have a quick shorewall question.
> I am receiving around 500 hits a day from bit torrent ports. (6881 -
6889).
> These are flooding my firewall logs and I would like to stop logging hits
on
> these ports.
> I would like to continue with logging the hits on any other ports however.
> Is there a way to tell shorewall to simply DROP and not log these hits and
> continue to log all the rest?
>

Have you considered consulting the Shorewall FAQs?

-Tom
--
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
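The FAQ rule above, adapted to the BitTorrent range Troy mentions, as an added example that is not part of the thread or of the Shorewall FAQ. It is a fragment of the Shorewall 1.4 /etc/shorewall/rules file; the zone names net and fw are the ones used in the FAQ answer.

```conf
# Added example (not from the thread): drop the BitTorrent range silently.
# Shorewall 1.4 /etc/shorewall/rules columns:
#ACTION   SOURCE   DEST   PROTO   DEST PORT(S)
#
# Rules are matched before the zone policy. A DROP action with no log
# level writes nothing to the log, so the per-packet noise for these
# ports stops while the net->fw policy keeps logging every other port.
DROP      net      fw     tcp     6881:6889
DROP      net      fw     udp     6881:6889
```

Silencing a port is a trade of visibility for a readable log, so keep the rule narrow: one range, one direction, and only for as long as the stale peers keep knocking. The packet counters on the rule (`shorewall show net2fw`) still tell you whether the flood has died down, so you know when the rule can be removed again.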




RE: [leaf-user] Routing for multiple uplinks for Bering 1.2- More Info [faked-from][sls]

2003-09-29 Thread Troy Aden
Here is what I have done on our Bering routers to add routes.

up ip route add 192.168.*.*/24 via 192.168.*.* || true
up ip route add 192.168.*.*/24 via 192.168.*.* || true
up ip route add 192.168.*.*/24 via 192.168.*.* || true
up ip route add 192.168.*.*/24 via 192.168.*.* || true

Hope this helps.

Troy


-Original Message-
From: Simon Chalk [mailto:[EMAIL PROTECTED]
Sent: Monday, September 29, 2003 8:39 AM
To: Leaf-User List
Subject: [leaf-user] Routing for multiple uplinks for Bering 1.2- More Info
[faked-from][sls]

Hi All,

Further to my first post.

I am adding all the ip route commands to /etc/network/interfaces

using

up ip route etc.etc
up ip rule add etc.etc

It appears that not all the commands are been loaded. I think it is the ip
rule add bit.

So my question is should I be using a different file, or is my syntax wrong.
Am I correct to prefix each command with up.

Regards,

Simon.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Simon Chalk
Sent: 29 September 2003 13:18
To: Leaf-User List
Subject: [leaf-user] Routing for multiple uplinks for Bering 1.2


Hi All,

I am trying to implement the split access configuration which will allow my
Bering 1.2 box to correctly route to two ISPs as described on the LARTC
site.

http://lartc.org/howto/lartc.rpdb.multiple-links.html

I have created two new entries in the /etc/iproute2/rt_tables file and
followed the instructions.

It appears not to be working, and the first thing I note is that I don't see
my new tables listed when I enter

ip rule show

I only see the default entries. Should I see these tables listed?

Should I be able to configure this in Bering, or do I need to enable some
other setting before attempting to follow the instructions.

Regards,

Simon.





[leaf-user] Gigabit Nic driver

2003-10-01 Thread Troy Aden
Is there support for 3Com's 3c996BT for Bering-uClibc?
I see that there is support for the Dlink DGE-500T (ns83820).
But I am hoping that someone could tell me where I could find a bcm5700
driver for the 3com card detailed above.
Also has anyone ever heard of a 4-port Gigabit Ethernet card? And just as
importantly, if this card is out there does Bering-uClibc have a driver for
it.

Thanks in advance!

Troy




RE: [leaf-user] Gigabit Nic driver

2003-10-01 Thread Troy Aden
Thanks.
Does Bering-uClibc support this NIC? The closest module I could find was
this: (See link)
 
http://leaf.sourceforge.net/devel/jnilo/bering/latest/modules/2.4.20/kernel/drivers/net/e1000/e1000.o

Troy
-Original Message-
From: Peter Mueller [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 01, 2003 3:28 PM
To: 'Troy Aden'; Leaf-User (E-mail)
Subject: RE: [leaf-user] Gigabit Nic driver

> ... Also has
> anyone ever heard of a 4-port Gigabit Ethernet card? And just
> as importantly, if this card is out there does Bering-uClibc
> have a driver for it.

Intel sells a quad-gigabit for the excellent i1000 line. 

http://www.intel.com/design/network/products/lan/controllers/ixf1104.htm
And to buy one.. (if you don't have a vendor)
http://www.cdw.com/shop/products/default.asp?EDC=475069

Peter




[leaf-user] DHRelay.lrp for Bering Uclibc 2.0 RC1

2003-10-05 Thread Troy Aden
Is there a dhcrelay.lrp and netutils.lrp for Bering Uclibc 2.0 RC1?

If there is can someone please send me a link to them. 

Thanks in advance.

Troy




RE: [leaf-user] DHRelay.lrp for Bering Uclibc 2.0 RC1 [mx][sls]

2003-10-05 Thread Troy Aden
I know that the DHCRelay.lrp package requires "ifconfig" to run. So I am
guessing that I will not need netutils. 

Thank you so much for doing this.

Troy. 

-Original Message-
From: Eric Spakman [mailto:[EMAIL PROTECTED] 
Sent: Sunday, October 05, 2003 12:13 PM
To: Leaf-User (E-mail); Troy Aden
Subject: Re: [leaf-user] DHRelay.lrp for Bering Uclibc 2.0 RC1 [mx][sls]

> Is there a dhcrelay.lrp and netutils.lrp for Bering Uclibc 2.0 RC1?
> 
> If there is can someone please send me a link to them. 
> 
> Thanks in advance.
> 
> Troy
> 
Troy,

I have added the dhcrelay.lrp package to CVS; it will be visible tomorrow. 

Do you have any special need for the netutils package? The standard 
ip tools, included in the base image, are more powerful than 
ifconfig/route. Netstat is already included in the base image.

Regards,
Eric Spakman
Member of the Bering-uClibc team




[leaf-user] VPN shorewall options

2003-11-12 Thread Troy Aden
I am looking into the best way to set up a constant encrypted tunnel
connection between two sites. (An office here and another office at a remote
location.)
Before I dive headlong into this I was hoping that some LEAF users out there
might be able to give me some advice as to what is the best option for my
situation.
First of all, I want to use Bering Uclibc rc2. I want systems on Network one
and Network two to be able to browse to each other. I want the Bering box to
manage a constant connection between the two sites meaning that if the
connection is lost, the Bering box will bring the connection back up without
any user intervention. I would also like it if the firewalls could give
priority to the traffic using the tunnel connection.
I have read the shorewall docs and I think that IPSec could do this. (IPSec
Gateway on the Firewall System) But if anyone has any other suggestions as
to a better way to go about this please let me know.  Please keep in mind
that this will be my first attempt at this particular configuration so the
more basic the better. In my discussions so far someone suggested that SSH2
could also work for what I have in mind.

Thanks in advance!

Troy






RE: [leaf-user] VPN shorewall options

2003-11-13 Thread Troy Aden
Thanks for getting back to me. I have run into problems with one command in
the IPSec procedure. 

>>>>>>>>>>>>>>>Snip>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Make your ipsec server certificate

# openssl req -newkey rsa:2048 -keyout serverKey.pem -out serverReq.pem
# openssl ca -policy policy_anything -in serverReq.pem -days 1825 -out serverCert.pem -notext
# openssl x509 -in serverCert.pem -outform DER -out x509cert.der
# fswcert -k serverKey.pem > ipsec.secrets

>>>>>>>>>>>>>>>>>Snip>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

The fswcert line gives me an error saying that the command is not found. I
did figure out that I need Freeswan installed on my Mandrake box. I did do
some searching and found an RPM for Freeswan on Mandrake Linux. But even
after running the RPM, I still can't use the fswcert command... 
Can anyone please tell me what I am missing here? Like I said, I am new to
this configuration and any help would be greatly appreciated. 

Thanks in advance.

Troy

-Original Message-
From: K.-P. Kirchdörfer [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 13, 2003 1:28 PM
To: Troy Aden; Leaf-User (E-mail)
Subject: Re: [leaf-user] VPN shorewall options

On Wednesday, 12 November 2003 19:06, Troy Aden wrote:
> I am looking into the best way to set up a constant encrypted tunnel
> connection between two sites. (An office here and another office at a
> remote location.)
> Before I dive headlong into this I was hoping that some LEAF users out
> there might be able to give me some advice as to what is the best option
> for my situation.
> First of all, I want to use Bering Uclibc rc2. I want systems on Network
> one and Network two to be able to browse to each other. I want the Bering
> box to manage a constant connection between the two sites meaning that if
> the connection is lost, the Bering box will bring the connection back up
> without any user intervention. I would also like it if the firewalls could
> give priority to the traffic using the tunnel connection.
> I have read the shorewall docs and I think that IPSec could do this. (IPSec
> Gateway on the Firewall System) But if anyone has any other suggestions as
> to a better way to go about this please let me know.  Please keep in mind
> that this will be my first attempt at this particular configuration so the
> more basic the better. In my discussions so far someone suggested that SSH2
> could also work for what I have in mind..

Troy;

You're right - IPSEC is what you want.

Given you have fixed IP addresses for your routers, you'll find a lot of
documentation on how to set up your routers, like Lynn Avants' IPSec Howto:
http://leaf.sourceforge.net/devel/guitarlynn/

If you have dynamic IP, I wrote a mail to leaf-user a year ago describing
such a solution.
kp




RE: [leaf-user] VPN shorewall options

2003-11-16 Thread Troy Aden
Hello yet again, 

Sorry to be a bother. 
I have searched the Freeswan docs for any reference to the fswcert command
with no luck. I need to know what command I should be using instead of the
fswcert command. I did find a reference to it here
http://cert.uni-stuttgart.de/archive/debian/security/2002/04/msg00160.html 
But that does not tell me much. Can anyone please tell me what command I
need to do to get past this step in the procedure? The procedure is posted
here: http://leaf.sourceforge.net/doc/guide/buipsec.html 
Again, I am sorry to have to be a bother but I am no guru by any stretch of
the imagination and I have to get this working in short order. I hope
someone can help me out.

Thanks in advance!

Troy


-Original Message-
From: Erich Titl [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 13, 2003 5:02 PM
To: Troy Aden; Leaf-User (E-mail)
Subject: RE: [leaf-user] VPN shorewall options

Troy

At 21:35 13.11.2003, Troy Aden wrote:
>Thanks for getting back to me. I have run into problems with one command in
>the IPSec procedure.
>
> >>>>>>>>>>>>>>>Snip>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>
>Make your ipsec server certificate
>
># openssl req -newkey rsa:2048 -keyout serverKey.pem -out serverReq.pem
># openssl ca -policy policy_anything -in serverReq.pem -days 1825 -out
>serverCert.pem -notext
># openssl x509 -in serverCert.pem -outform DER -out x509cert.der
># fswcert -k serverKey.pem > ipsec.secrets
>
> >>>>>>>>>>>>>>>>>Snip>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>
>The fswcert line gives me an error saying that the command is not found.


With recent versions of FreeS/WAN this is not needed anymore; please see the
FreeS/WAN docs for details.

HTH
Erich


THINK
Püntenstrasse 39
8143 Stallikon
mailto:[EMAIL PROTECTED]
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024  8D8A B7D4 FF9D 05B8 0A16




RE: [leaf-user] VPN shorewall options

2003-11-18 Thread Troy Aden
I think there may be a bug in Bering-uClibc_2.0-rc2. I am currently still
working through this IPSec configuration and I discovered the following
warning when IPSec loads on boot up:

>>>>>>>>>snip>>>>>>>>>>>>>>>>>>>>>>>>>>>>

/proc/sys/net/ipv4/conf/eth0/rp_filter = '1', should be 0.

>>>>>>>>>>snip>>>>>>>>>>>>>>>>>>>>>>>>>>>>

I did as I was asked in the procedure: 

>>>>>>>>>snip>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Important 
You must not turn on route filtering for any interfaces involved in ipsec.
The "Bering recommended" way to turn this off is to use the
/etc/network/options file and change the "spoofprotect" parameter to "no"

>>>>>>>>snip>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

But the only way I can set this value to zero is to manually go into
/proc/sys/net/ipv4/conf/eth0/rp_filter and set the value to zero. After I do
this, do a full backup of Bering (the "all Except log" 'L' option) and
reboot, the changes have not been backed up.

Can anyone please tell me how to back up the changes I make to
/proc/sys/net/ipv4/conf/eth0/rp_filter? 

Thanks in advance!


Troy 
-Original Message-
From: S Mohan [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 18, 2003 2:42 AM
To: 'Troy Aden'
Subject: RE: [leaf-user] VPN shorewall options

Can you look up the VPN doc I've kept in my repository
http://leaf.sf.net/devel/mohansundaram ? Fswcert is no longer needed and
thus has been removed. FreeSwan can now read certificates as generated
by openssl without extraction by fswcert.

Warm regards
Mohan

On Monday, November 17, 2003 7:15 AM Troy Aden <> wrote:

: Hello yet again,
:
: Sorry to be a bother.
: I have searched the Freeswan docs for any reference to the fswcert
: command with no luck. I need to know what command I should be using
: instead of the fswcert command. I did find a reference to it here
: http://cert.uni-stuttgart.de/archive/debian/security/2002/04/msg00160.html
: But that does not tell me much. Can anyone please tell me what
: command I need to do to get past this step in the procedure? The
: procedure is posted
: here: http://leaf.sourceforge.net/doc/guide/buipsec.html
: Again, I am sorry to have to be a bother but I am no guru by any
: stretch of the imagination and I have to get this working in short
: order. I hope someone can help me out. 
:
: Thanks in advance!
:
: Troy
:
:
: -Original Message-
: From: Erich Titl [mailto:[EMAIL PROTECTED]
: Sent: Thursday, November 13, 2003 5:02 PM
: To: Troy Aden; Leaf-User (E-mail)
: Subject: RE: [leaf-user] VPN shorewall options
:
: Troy
:
: At 21:35 13.11.2003, Troy Aden wrote:
:: Thanks for getting back to me. I have run into problems with one
:: command in the IPSec procedure.
::
: Snip>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
::
:: Make your ipsec server certificate
::
:: # openssl req -newkey rsa:2048 -keyout serverKey.pem -out serverReq.pem
:: # openssl ca -policy policy_anything -in serverReq.pem -days 1825 -out serverCert.pem -notext
:: # openssl x509 -in serverCert.pem -outform DER -out x509cert.der
:: # fswcert -k serverKey.pem > ipsec.secrets
::
::: Snip>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
::
:: The fswcert line gives me an error saying that the command is not
:: found.
:
:
: With recent versions of freeSWan this is not needed anymore, please
: see the FreeS/Wan docs for details.
:
: HTH
: Erich
:
:
: THINK
: Püntenstrasse 39
: 8143 Stallikon
: mailto:[EMAIL PROTECTED]
: PGP Fingerprint: BC9A 25BC 3954 3BC8 C024  8D8A B7D4 FF9D 05B8 0A16
:
:
: leaf-user mailing list: [EMAIL PROTECTED]
: https://lists.sourceforge.net/lists/listinfo/leaf-user
: SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
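A check for the state the rp_filter warning above reports, as an added Python example (not from the post, nor from the Bering or FreeS/WAN projects). It walks the per-interface conf tree the way the start-up warning does; the conf_root parameter and the sample tree are assumptions so it can run offline. Writing to /proc does not survive a reboot because /proc is regenerated by the kernel and is not part of the backup, which is why the procedure points at /etc/network/options (spoofprotect=no) for the persistent setting.

```python
import os
import tempfile


def rp_filter_status(conf_root="/proc/sys/net/ipv4/conf"):
    """Read every per-interface rp_filter knob below conf_root.

    Returns {interface: value}. On a live router conf_root is the real /proc
    path; the demo below uses a constructed tree. Unreadable entries are skipped.
    """
    status = {}
    for iface in sorted(os.listdir(conf_root)):
        path = os.path.join(conf_root, iface, "rp_filter")
        try:
            with open(path) as fh:
                status[iface] = int(fh.read().strip())
        except (OSError, ValueError):
            continue
    return status


def ipsec_rp_filter_warnings(status, ipsec_ifaces):
    """Reproduce the FreeS/WAN start-up complaint for each interface that
    carries IPsec traffic and still has reverse-path filtering enabled."""
    warnings = []
    for iface in ipsec_ifaces:
        value = status.get(iface)
        if value is None:
            warnings.append("%s: no rp_filter entry found" % iface)
        elif value != 0:
            warnings.append("/proc/sys/net/ipv4/conf/%s/rp_filter = '%d', should be 0."
                            % (iface, value))
    return warnings


def build_sample_tree(values):
    """Construct a throw-away directory shaped like /proc/sys/net/ipv4/conf
    (sample data only, so the check can be exercised without root)."""
    root = tempfile.mkdtemp(prefix="rp_filter_demo_")
    for iface, value in values.items():
        os.makedirs(os.path.join(root, iface))
        with open(os.path.join(root, iface, "rp_filter"), "w") as fh:
            fh.write("%d\n" % value)
    return root


if __name__ == "__main__":
    # Constructed state matching the post: the manual write to eth0's knob
    # was lost on reboot, so eth0 is back to 1 while ipsec0 is fine.
    root = build_sample_tree({"all": 1, "default": 1, "lo": 0,
                              "eth0": 1, "eth1": 0, "ipsec0": 0})
    for line in ipsec_rp_filter_warnings(rp_filter_status(root), ["eth0", "ipsec0"]):
        print(line)
```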




[leaf-user] IPSEC NAT traversal with shorewall HELP!

2003-11-25 Thread Troy Aden
Hello all,

I have posted earlier regarding setting up an IPSEC gateway with Bering
UCLIBC 2.0.
I am happy to report that I have successfully setup an IPSEC tunnel between
two routers (External interface only).

The next step is to setup IPSEC so that I can communicate from router A's
internal subnet to Router B's internal subnet.

ROUTER A Eth0 = 24.78.140.* --> Eth1 = 172.16.0.0/16

I want 172.16.0.0/16 network to be able to communicate with 192.168.1.0/24
network.

ROUTER B Eth0 = 139.142.224.* --> Eth1 = 192.168.1.0/24

Can anyone please tell me exactly what I need to do to get this working? I
will include all the relevant configs below. I realize that I may have
things way too open security-wise, so if anyone has any pointers on how I
should go about hardening this configuration please feel free to tell me.
For example, what exactly do I need to have in my shorewall/rules and
/policy files to allow IPSEC? (I suspect that my shorewall config is full of
unnecessary rules and policies.)
My goal with this configuration is to have two networks linked via IPSEC. I
would expect that all users from site A will be able to communicate with all
users on site B "transparently" meaning that for all intents and purposes
users on site A's internal network would be able to communicate with users
from site B's internal network as if they were on the same LAN. If I am off
base in how this works, please feel free to correct me.

Here is my working config: (I apologize in advance since there is a fair
amount here.)
Also, for the sake of saving space, I am only posting one half of the
connection in this post. The other half simply has the other router's
external IP entered in the /etc/shorewall/tunnels file and the IPs are
switched around in the /etc/ipsec.secrets file. I have also put in a bogus
secrets password to save space. :-))

Thanks in advance!



To start the tunnel
ipsec whack --initiate --name Victoria

To stop the tunnel
ipsec whack --terminate --name Victoria



>>>working configs for router-router IPSEC>>>
SITE A SIDE

#
# Shorewall 1.4 /etc/shorewall/zones
#
# This file determines your network zones. Columns are:
#
#   ZONE        Short name of the zone (5 characters or less in length).
#   DISPLAY     Display name of the zone
#   COMMENTS    Comments about the zone
#
#ZONE   DISPLAY     COMMENTS
net     Net         Internet
loc     Local       Local networks
vpn     VPN         Remote Networks
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE


/etc/shorewall/interfaces


##
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      routefilter,norfc1918,tcpflags
loc     eth1        detect
vpn     ipsec0


/etc/shorewall/policy 


###
#SOURCE DEST    POLICY  LOG LEVEL   LIMIT:BURST
loc     vpn     ACCEPT
vpn     loc     ACCEPT
vpn     fw      ACCEPT
net     vpn     ACCEPT
vpn     net     ACCEPT
fw      vpn     ACCEPT
loc     net     ACCEPT
net     loc     REJECT  ULOG
# If you want open access to the Internet from your Firewall
# remove the comment from the following line.
#fw     net     ACCEPT
net     all     DROP    ULOG
all     all     REJECT  ULOG
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE


 /etc/shorewall/rules

#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  ORIGINAL
#                               PORT    PORT(S) DEST


#IPSEC RULES

ACCEPT  net fw  udp 500
ACCEPT  fw  net udp 500
ACCEPT  vpn fw  udp 500
ACCEPT  fw  vpn udp 500
ACCEPT  vpn loc udp 500
ACCEPT  loc vpn udp 500
ACCEPT  vpn net udp 500
ACCEPT  net vpn udp 500

ACCEPT  net fw  esp -
ACCEPT  fw  net esp -
ACCEPT  vpn fw  esp -
ACCEPT  fw  vpn esp -
ACCEPT  vpn loc esp -
ACCEPT  loc vpn esp -
ACCEPT  vpn net esp -
ACCEPT  net vpn esp -

ACCEPT  net fw  ah  -
ACCEPT  fw  net ah  -
ACCEPT  vpn fw  ah  -
ACCEPT  fw  vpn ah  -
ACCEPT  vpn loc ah  -
ACCEPT  loc vpn ah  -
ACCEPT  vpn net ah  -
ACCEPT  net vpn ah  -



#   Accept DNS connections from the firewall to the network
#
ACCEPT  

RE: [leaf-user] IPSEC NAT traversal with shorewall HELP!

2003-11-26 Thread Troy Aden
Thanks!
Ok I followed your procedure and I am getting this when I initiate the
tunnel from the Victoria side:

ipsec whack --initiate --name victoria
002 "victoria" #1: initiating Main Mode
104 "victoria" #1: STATE_MAIN_I1: initiate
106 "victoria" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "victoria" #1: STATE_MAIN_I3: sent MI3, expecting MR3
002 "victoria" #1: Main mode peer ID is ID_IPV4_ADDR: '139.142.224.39'
002 "victoria" #1: ISAKMP SA established
004 "victoria" #1: STATE_MAIN_I4: ISAKMP SA established
002 "victoria" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK
117 "victoria" #2: STATE_QUICK_I1: initiate
010 "victoria" #2: STATE_QUICK_I1: retransmission; will wait 20s for response


It never completes the tunnel. Can anyone please tell me what I am missing
here?

Thanks in advance!

Troy
-Original Message-
From: Lynn Avants [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 26, 2003 1:10 AM
To: Troy Aden; Leaf-User ([EMAIL PROTECTED])
Subject: Re: [leaf-user] IPSEC NAT traversal with shorewall HELP!

On Tuesday 25 November 2003 08:47 pm, Troy Aden wrote:
[...]
> My goal with this configuration is to have two networks linked via IPSEC. I
> would expect that all users from site A will be able to communicate with
> all users on site B "transparently" meaning that for all intents and
> purposes users on site A's internal network would be able to communicate
> with users from site B's internal network as if they were on the same LAN.
> If I am off base in how this works, please feel free to correct me.

DNS, WINS, and other forms of broadcast traffic will not work ideally across
the tunnel "transparently". For SMB networking, you'll likely have to link
PDCs and/or WINS servers on each subnet. There is some information on
this at http://leaf.sf.net/devel/guitarlynn/ipsec.txt
--
~Lynn Avants
Linux Embedded Appliance Firewall Developer
http://leaf.sourceforge.net
http://guitarlynn.homelinux.org:81
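The whack output in the post above stops at the first Quick Mode retransmission. The following is an added Python example, not from the post or from FreeS/WAN, that parses such output and reports how far each connection got. The "victoria" lines are the ones quoted above; the "office" lines are constructed to show a negotiation that completed, and the hint texts are general FreeS/WAN troubleshooting, not something this thread confirms for Troy's setup.

```python
import re
from collections import defaultdict

# whack status lines look like:  <code> "<connection>" #<state>: <message>
LINE_RE = re.compile(r'^(\d{3}) "([^"]+)" #(\d+): (.*)$')
PEER_RE = re.compile(r"peer ID is \S+: '([^']+)'")

# The "victoria" lines are the output quoted in the post above; the "office"
# lines are constructed to show what a negotiation that completes looks like.
SAMPLE_LOG = """\
002 "victoria" #1: initiating Main Mode
104 "victoria" #1: STATE_MAIN_I1: initiate
106 "victoria" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "victoria" #1: STATE_MAIN_I3: sent MI3, expecting MR3
002 "victoria" #1: Main mode peer ID is ID_IPV4_ADDR: '139.142.224.39'
002 "victoria" #1: ISAKMP SA established
004 "victoria" #1: STATE_MAIN_I4: ISAKMP SA established
002 "victoria" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK
117 "victoria" #2: STATE_QUICK_I1: initiate
010 "victoria" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
004 "office" #3: STATE_MAIN_I4: ISAKMP SA established
002 "office" #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS
004 "office" #4: STATE_QUICK_I2: sent QI2, IPsec SA established
"""

HINTS = {
    "up": "ISAKMP SA and IPsec SA established; the tunnel is up.",
    "phase2-stalled": "Main Mode finished (the peer authenticated us) but the Quick Mode "
                      "proposal gets no answer: the peer's pluto log says why, usually a "
                      "subnet/selector or proposal mismatch between the two ipsec.conf files.",
    "phase1-only": "ISAKMP SA established and nothing more was logged yet.",
    "phase1-stalled": "No reply to Main Mode: UDP 500 is not reaching the peer, or the peer "
                      "has no matching connection.",
    "incomplete": "Not enough output to tell.",
}


def new_conn():
    return {"phase1_established": False, "phase2_initiated": False,
            "phase2_established": False, "retransmissions": {"main": 0, "quick": 0},
            "peer_id": None}


def parse_pluto(lines):
    """Fold whack/pluto status lines into one progress record per connection."""
    conns = defaultdict(new_conn)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # shell prompt, blank line, anything else
        _code, name, _state_no, msg = m.groups()
        c = conns[name]
        if "ISAKMP SA established" in msg:
            c["phase1_established"] = True
        if msg.startswith("initiating Quick Mode"):
            c["phase2_initiated"] = True
        if "IPsec SA established" in msg:
            c["phase2_established"] = True
        if "retransmission" in msg:
            c["retransmissions"]["quick" if "STATE_QUICK" in msg else "main"] += 1
        pm = PEER_RE.search(msg)
        if pm:
            c["peer_id"] = pm.group(1)
    return dict(conns)


def diagnose(conn):
    """Name the stage where the exchange stopped (a key of HINTS)."""
    if conn["phase2_established"]:
        return "up"
    if conn["phase1_established"]:
        if conn["phase2_initiated"] and conn["retransmissions"]["quick"]:
            return "phase2-stalled"
        return "phase1-only"
    if conn["retransmissions"]["main"]:
        return "phase1-stalled"
    return "incomplete"


if __name__ == "__main__":
    for name, conn in parse_pluto(SAMPLE_LOG.splitlines()).items():
        verdict = diagnose(conn)
        print("%s (peer %s): %s - %s" % (name, conn["peer_id"], verdict, HINTS[verdict]))
```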




[leaf-user] Shorewall questions

2003-12-08 Thread Troy Aden
I have a quick newbie shorewall question.
In my setup I have several static routes from several internal routers going to
the shorewall box.

The external interface (eth0) has the external IP. But the internal
interface has to be able to recognize 8 separate subnets as internal IPs and
treat them as the local zone.
I suspect that I would have to make changes to the shorewall/interfaces file
and add all of these subnets to the eth1 interface. Can anyone confirm this
for me? Also I have reviewed the docs and I can't seem to find an example of
the appropriate syntax to make entries like this in the shorewall/interfaces
file. 

Thanks in advance.


Troy




RE: [leaf-user] Shorewall questions

2003-12-08 Thread Troy Aden
One more quick question.

We are running a PPTP server behind shorewall.
The default policy is
Loc net DROP

The rules are :
#Inbound VPN
DNAT    net     loc:{local PPTP server}     tcp     1723
DNAT    net     loc:{local PPTP server}     47      -

#Outbound VPN

ACCEPT  loc net tcp 1723
ACCEPT  loc net 47  -

The problem is that I have a user that is logged into our VPN from a remote
site. This user then came into work and is attempting to connect back into
his system at the remote location. The firewall is blocking him from doing
this.
Here is a snip from the logs.

loc2net DROP eth1 eth0 24.78.108.194 24.81.104.187 ICMP   (OS fingerprint)

Can anyone tell me if there is a way to allow this user to connect to his
system from our network?

Many thanks in advance!

Troy
-Original Message-
From: Troy Aden [mailto:[EMAIL PROTECTED]
Sent: Monday, December 08, 2003 11:37 AM
To: Leaf-User (E-mail)
Subject: [leaf-user] Shorewall questions

I have a quick newbie shorewall question.
In setup I have several static routes from several internal routers going to
the shorewall box.

The external interface (eth0) has the external IP. But the internal
interface has to be able to recognize 8 separate subnets as internal IPs and
treat them as the local zone.
I suspect that I would have to make changes to the shorewall/interfaces file
and add all of these subnets to the eth1 interface. Can anyone confirm this
for me? Also I have reviewed the docs and I can't seem to find an example of
the appropriate syntax to make entries like this in the shorewall/interfaces
file.

Thanks in advance.


Troy




RE: [leaf-user] Shorewall questions

2003-12-08 Thread Troy Aden
I made these changes to shorewall and rebooted. The result was all hosts
lost Internet access.

/ETC/shorewall/hosts 

#ZONE   HOST(S) OPTIONS
loc eth1:192.168.1.0/24
loc eth1:192.168.2.0/24
loc eth1:192.168.140.0/24
loc eth1:192.168.142.0/24
loc eth1:192.168.143.0/24
loc eth1:192.168.145.0/24
loc eth1:192.168.146.0/24
loc eth1:192.168.147.0/24
loc eth1:192.168.148.0/24

And then this:

/ETC/shorewall/Interfaces

#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        142.165.207.162     routefilter,norfc1918,tcpflags
loc     eth1        192.168.1.255,192.168.2.255,192.168.140.255,192.168.142.255,192.168.143.255,192.168.145.255,192.168.146.255,192.168.147.255,192.168.148.255
vpn     ipsec0

I watched shorewall load and it did show all of these networks as defining
the "loc" zone as I would expect. I am just not sure why we lost Internet
access after that point. Do I need to define these subnets as, for example,
"192.168.1.0/24,192.168.2.0/24..."?

I think I may not have given all the information in my previous post. Here
are the relevant configs. (Some IPs have been altered to protect the
innocent)

IP ROUTE: 

192.168.147.0/24 dev eth1  proto kernel  scope link  src 192.168.147.4 
192.168.146.0/24 via 192.168.147.2 dev eth1 
192.168.145.0/24 via 192.168.147.2 dev eth1 
192.168.2.0/24 via 192.168.147.5 dev eth1 
192.168.1.0/24 via 192.168.147.5 dev eth1 
192.168.148.0/24 via 192.168.147.2 dev eth1 
10.10.26.0/24 via 142.165.207.254 dev ipsec0 
192.168.143.0/24 via 192.168.147.1 dev eth1 
192.168.142.0/24 via 192.168.147.1 dev eth1 
142.165.207.0/24 dev eth0  proto kernel  scope link  src 142.165.207.*
142.165.207.0/24 dev ipsec0  proto kernel  scope link  src 142.165.207.* 
192.168.140.0/24 via 192.168.147.3 dev eth1 
default via 142.165.207.254 dev eth0 


IP ADDR:

3: eth0:  mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:01:02:78:13:4d brd ff:ff:ff:ff:ff:ff
inet 142.165.207.162/24 brd 142.165.207.255 scope global eth0
4: eth1:  mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:04:75:90:02:b2 brd ff:ff:ff:ff:ff:ff
inet 192.168.147.4/24 brd 192.168.147.255 scope global eth1
9: ipsec0:  mtu 16260 qdisc pfifo_fast qlen 10
link/ether 00:01:02:78:13:4d brd ff:ff:ff:ff:ff:ff
inet 142.165.207.162/24 brd 142.165.207.255 scope global ipsec0

/ETC/INTERFACES

auto eth0
iface eth0 inet static  
address 142.165.207.*
netmask 255.255.255.0
broadcast 142.165.207.255
gateway 142.165.207.254

# Step 2: configure  internal interface
# Default: eth1 / fixed IP = 192.168.1.254
auto eth1
iface eth1 inet static
address 192.168.147.4
netmask 255.255.255.0
broadcast 192.168.147.255

up ip route add 192.168.140.0/24 via 192.168.147.3 || true
up ip route add 192.168.142.0/24 via 192.168.147.1 || true
up ip route add 192.168.143.0/24 via 192.168.147.1 || true
up ip route add 192.168.1.0/24 via 192.168.147.5 || true
up ip route add 192.168.2.0/24 via 192.168.147.5 || true
up ip route add 192.168.145.0/24 via 192.168.147.2 || true
up ip route add 192.168.146.0/24 via 192.168.147.2 || true
up ip route add 192.168.148.0/24 via 192.168.147.2 || true


/etc/shorewall/masq

#INTERFACE  SUBNET              ADDRESS
eth0        192.168.1.0/24
eth0        192.168.2.0/24
eth0        192.168.140.0/24
eth0        192.168.142.0/24
eth0        192.168.143.0/24
eth0        192.168.145.0/24
eth0        192.168.146.0/24
eth0        192.168.147.0/24
eth0        192.168.148.0/24


Thanks in advance!

Troy 





-Original Message-
From: Tom Eastep [mailto:[EMAIL PROTECTED]
Sent: Monday, December 08, 2003 11:58 AM
To: Troy Aden
Cc: Leaf-User (E-mail)
Subject: Re: [leaf-user] Shorewall questions

On Mon, 2003-12-08 at 09:36, Troy Aden wrote:
> I have a quick newbie shorewall question.
> In setup I have several static routes from several internal routers going to
> the shorewall box.
>
> The external interface (eth0) has the external IP. But the internal
> interface has to be able to recognize 8 separate subnets as internal IPs and
> treat them as the local zone.
> I suspect that I would have to make changes to the shorewall/interfaces file
> and add all of these subnets to the eth1 interface. Can anyone confirm this
> for me? Also I have reviewed the docs and I can't seem to find an example of
> the appropriate syntax to make entries like this in the shorewall/interfaces
> file.
>

You might take a look at:

http://www.shorewall.net/Multiple_Zon
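The two Shorewall problems in this thread are both things a small config check can catch: the 2003-11-25 policy file accepts traffic from the net zone into the vpn zone with no rule at all, and the hosts/interfaces pair above assigns "loc" to all of eth1 and again to nine networks on eth1 (the reply's point about using "-" in the ZONE column). The following is an added Python example, not from the posts or from Shorewall; the file contents are constructed copies of what was quoted, with the interface options trimmed, and the zone names and column layout are the ones the posts use.

```python
import ipaddress

# Constructed copies of the Shorewall files quoted in the posts: the hosts and
# interfaces files from the 2003-12-08 post and the policy file from the
# 2003-11-25 post (interface options trimmed to what the check needs).
HOSTS = """\
#ZONE   HOST(S)                 OPTIONS
loc     eth1:192.168.1.0/24
loc     eth1:192.168.2.0/24
loc     eth1:192.168.140.0/24
loc     eth1:192.168.142.0/24
loc     eth1:192.168.143.0/24
loc     eth1:192.168.145.0/24
loc     eth1:192.168.146.0/24
loc     eth1:192.168.147.0/24
loc     eth1:192.168.148.0/24
"""

INTERFACES = """\
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      routefilter,norfc1918,tcpflags
loc     eth1        detect
vpn     ipsec0
"""

# The same file with the correction from the reply: "-" in the ZONE column,
# because the hosts file alone now defines which eth1 addresses are "loc".
INTERFACES_FIXED = INTERFACES.replace("loc     eth1", "-       eth1")

POLICY = """\
#SOURCE DEST    POLICY  LOG LEVEL
loc     vpn     ACCEPT
vpn     loc     ACCEPT
vpn     fw      ACCEPT
net     vpn     ACCEPT
vpn     net     ACCEPT
fw      vpn     ACCEPT
loc     net     ACCEPT
net     loc     REJECT  ULOG
net     all     DROP    ULOG
all     all     REJECT  ULOG
"""


def parse_shorewall(text):
    """Rows of whitespace-separated columns; blank lines and # comments dropped."""
    rows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def zone_definitions(interfaces_text, hosts_text):
    """{zone: {"interfaces": [iface, ...], "hosts": [(iface, network), ...]}}."""
    zones = {}

    def blank():
        return {"interfaces": [], "hosts": []}

    for zone, iface, *_ in parse_shorewall(interfaces_text):
        if zone != "-":                 # "-": the interface carries no zone of its own
            zones.setdefault(zone, blank())["interfaces"].append(iface)
    for zone, spec, *_ in parse_shorewall(hosts_text):
        iface, _, net = spec.partition(":")
        zones.setdefault(zone, blank())["hosts"].append((iface, ipaddress.ip_network(net)))
    return zones


def double_definitions(zones):
    """Zones given to a whole interface in 'interfaces' and again to networks on
    that same interface in 'hosts' (the mix-up the reply objects to)."""
    return [(zone, iface, str(net))
            for zone, d in zones.items()
            for iface, net in d["hosts"] if iface in d["interfaces"]]


def hosts_zone_for(zones, address):
    """Zone whose hosts entries cover an address, or None if no entry matches."""
    addr = ipaddress.ip_address(address)
    for zone, d in zones.items():
        if any(addr in net for _iface, net in d["hosts"]):
            return zone
    return None


def permissive_policies(policy_text, untrusted=("net",)):
    """ACCEPT policies whose SOURCE is an untrusted zone or 'all': those admit
    unsolicited traffic from that zone without any entry in the rules file."""
    findings = []
    for row in parse_shorewall(policy_text):
        if len(row) < 3:
            continue
        src, dst, pol = row[0], row[1], row[2].upper()
        if pol == "ACCEPT" and (src == "all" or src in untrusted):
            findings.append((src, dst))
    return findings


if __name__ == "__main__":
    print("double definitions:", double_definitions(zone_definitions(INTERFACES, HOSTS)))
    print("after fix:", double_definitions(zone_definitions(INTERFACES_FIXED, HOSTS)))
    print("permissive policies:", permissive_policies(POLICY))
```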

RE: [leaf-user] Shorewall questions

2003-12-08 Thread Troy Aden
First of all, thanks for your quick responses to my silly questions. I am
sorry to take up your time.

With regards to the /etc/shorewall/hosts file, how should I have done it?
Please tell me the clean way it should have been done as opposed to the
messy way I have done it. 

I am sorry with regards to rebooting the Bering box, yes I know I did not
have to reboot but I had added those ip_conntrack_pptp.o and ip_nat_pptp.o
modules (that you recommended from my previous post) and I decided to reboot
to get them to load. I realize that all I needed to do was "shorewall
restart".

Thanks again!

Have a great day.

Troy



-Original Message-
From: Tom Eastep [mailto:[EMAIL PROTECTED]
Sent: Monday, December 08, 2003 2:49 PM
To: Troy Aden
Cc: Leaf-User (E-mail)
Subject: RE: [leaf-user] Shorewall questions

On Mon, 2003-12-08 at 12:36, Troy Aden wrote:
> I made these changes to shorewall and rebooted.

WHY REBOOT?

>  The result was all hosts
> lost Internet access.

That's not a problem description that can be done much with.

>
> /ETC/shorewall/hosts
>
> #ZONE HOST(S) OPTIONS
> loc   eth1:192.168.1.0/24
> loc   eth1:192.168.2.0/24
> loc   eth1:192.168.140.0/24
> loc   eth1:192.168.142.0/24
> loc   eth1:192.168.143.0/24
> loc   eth1:192.168.145.0/24
> loc   eth1:192.168.146.0/24
> loc   eth1:192.168.147.0/24
> loc   eth1:192.168.148.0/24

And you are defining each subnet individually because?

>
> And then this:
>
> /ETC/shorewall/Interfaces
>
> #ZONE   INTERFACE   BROADCAST   OPTIONS
> net     eth0        142.165.207.162     routefilter,norfc1918,tcpflags
> loc     eth1        192.168.1.255,192.168.2.255,192.168.140.255,192.168.142.255,192.168.143.255,192.168.145.255,192.168.146.255,192.168.147.255,192.168.148.255

With the above mess in the hosts file, you don't want "loc" in the zone
column there -- you want "-" since you are defining the zone entirely
through use of the hosts file.

> vpn   ipsec0 
>
> I watched shorewall load and it did show all of these networks as defining
> the "loc" zone as I would expect. I am just not sure why we lost Internet
> access after that point. Do I need to define these subnets as for example
> "192.168.1.0/24,192.168.2.0/24...)
>
> I think I may not have given all the information in my previous post. Here
> are the relevant configs. (Some IPs have been altered to protect the
> innocent)
>
> IP ROUTE:
>
> 192.168.147.0/24 dev eth1  proto kernel  scope link  src 192.168.147.4
> 192.168.146.0/24 via 192.168.147.2 dev eth1
> 192.168.145.0/24 via 192.168.147.2 dev eth1
> 192.168.2.0/24 via 192.168.147.5 dev eth1
> 192.168.1.0/24 via 192.168.147.5 dev eth1
> 192.168.148.0/24 via 192.168.147.2 dev eth1
> 10.10.26.0/24 via 142.165.207.254 dev ipsec0
> 192.168.143.0/24 via 192.168.147.1 dev eth1
> 192.168.142.0/24 via 192.168.147.1 dev eth1
> 142.165.207.0/24 dev eth0  proto kernel  scope link  src 142.165.207.*
> 142.165.207.0/24 dev ipsec0  proto kernel  scope link  src 142.165.207.*
> 192.168.140.0/24 via 192.168.147.3 dev eth1
> default via 142.165.207.254 dev eth0
>
>
> IP ADDR:
>
> 3: eth0:  mtu 1500 qdisc pfifo_fast qlen 100
> link/ether 00:01:02:78:13:4d brd ff:ff:ff:ff:ff:ff
> inet 142.165.207.162/24 brd 142.165.207.255 scope global eth0
> 4: eth1:  mtu 1500 qdisc pfifo_fast qlen 100
> link/ether 00:04:75:90:02:b2 brd ff:ff:ff:ff:ff:ff
> inet 192.168.147.4/24 brd 192.168.147.255 scope global eth1
> 9: ipsec0:  mtu 16260 qdisc pfifo_fast qlen 10
> link/ether 00:01:02:78:13:4d brd ff:ff:ff:ff:ff:ff
> inet 142.165.207.162/24 brd 142.165.207.255 scope global ipsec0
>
> /ETC/INTERFACES
>
> auto eth0
> iface eth0 inet static 
>   address 142.165.207.*
>   netmask 255.255.255.0
>   broadcast 142.165.207.255
>   gateway 142.165.207.254
>  
> # Step 2: configure  internal interface
> # Default: eth1 / fixed IP = 192.168.1.254
> auto eth1
> iface eth1 inet static
>   address 192.168.147.4
>   netmask 255.255.255.0
>   broadcast 192.168.147.255
>
> up ip route add 192.168.140.0/24 via 192.168.147.3 || true
> up ip route add 192.168.142.0/24 via 192.168.147.1 || true
> up ip route add 192.168.143.0/24 via 192.168.147.1 || true
> up ip route add 192.168.1.0/24 via 192.168.147.5 || true
> up ip route add 192.168.2.0/24 via 192.168.147.5 || true
> up ip route add 192.168.145.0/24 via 192.168.147.2 || true
> up ip route add 192.168.146.0/24 via 192.168.147.2 || true
> up ip route add 192.168.148.0/24 via 192.168.147.2 || true
>
>

RE: [leaf-user] Shorewall questions

2003-12-08 Thread Troy Aden
I installed these modules from the modules archive as per your
recommendation below. I am assuming this is what you were referring to.
 "Bering_uClibc_2.0_modules_2.4.20.tar.gz"
\\2.4.20\kernel\net\ipv4\netfilter , ip_conntrack_pptp.o, ip_nat_pptp.o

I get the following error on reboot of the Bering router:

After ip_conntrack_pptp.o loads I see this message:
INSMOD: Unresolved symbol ip_ct_gre_keymap_add

After ip_nat_pptp.o loads I see this message:
INSMOD: Unresolved symbol ip_ct_gre_keymap_change

Can someone please tell me what is happening here?

Thanks!

Troy


-Original Message-
From: Tom Eastep [mailto:[EMAIL PROTECTED] 
Sent: Monday, December 08, 2003 12:07 PM
To: Troy Aden
Cc: Leaf-User (E-mail)
Subject: RE: [leaf-user] Shorewall questions

On Mon, 2003-12-08 at 09:59, Troy Aden wrote:
> One more quick question.
> 
> We are running a PPTP server behind shorewall.
> The default policy is
> Loc     net     DROP
>
> The rules are :
> #Inbound VPN
> DNAT    net     loc:{local PPTP server}     tcp     1723
> DNAT    net     loc:{local PPTP server}     47      -
>
> #Outbound VPN
>
> ACCEPT  loc     net     tcp     1723
> ACCEPT  loc     net     47      -
>
> The problem is that I have a user that is logged into our VPN from a remote
> site. This user then came into work and is attempting to connect back into
> his system at the remote location. The firewall is blocking him from doing
> this.
> Here is a snip from the logs.
> 
> loc2net DROP eth1 eth0 24.78.108.194 24.81.104.187 ICMP   (OS fingerprint)
> 
> Can anyone tell me if there is a way to allow this user to connect to his
> system from our network?
> 

You would need to install the PPTP connection tracking and NAT support
from Netfilter Patch-O-Matic. Without that support, you can only have a
single active PPTP tunnel to any given remote system.

-Tom
-- 
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]





RE: [leaf-user] Shorewall questions

2003-12-08 Thread Troy Aden
Ok I loaded the modules: (Listed in this order in the /lib/modules config
file)
ip_conntrack_proto_gre.o
ip_conntrack_pptp.o
ip_nat_proto_gre.o
ip_nat_pptp.o

Here are the rules that worked fine previously for pptp BEFORE I loaded
these modules.

#Allow VPN connections Outbound
ACCEPT  loc     net     tcp     1723
ACCEPT  loc     net     47      -

#Allow VPN Inbound
DNAT    net     loc:192.168.169.24      tcp     1723
DNAT    net     loc:192.168.169.24      47      -

Here are the policies:

#SOURCE DEST    POLICY  LOG LEVEL   LIMIT:BURST
loc     net     DROP    ULOG
loc     vpn     ACCEPT
vpn     loc     ACCEPT
# If you want open access to the Internet from your Firewall
# remove the comment from the following line.
#fw     net     ACCEPT
net     all     DROP    ULOG
all     all     REJECT  ULOG


Now I can't make a pptp connection to our VPN.

Can anyone PLEASE tell me why? Is there something that I am missing here? It
fails with error 721 "remote computer did not respond". It was working
before I loaded these modules. Why is it broken now?

Thanks in advance!

Troy

-Original Message-
From: Troy Aden [mailto:[EMAIL PROTECTED]
Sent: Monday, December 08, 2003 8:58 PM
To: 'Tom Eastep'
Cc: Leaf-User (E-mail)
Subject: RE: [leaf-user] Shorewall questions

I installed these modules from the modules archive as per your
recommendation below. I am assuming this is what you were referring to.
 "Bering_uClibc_2.0_modules_2.4.20.tar.gz"
\\2.4.20\kernel\net\ipv4\netfilter , ip_conntrack_pptp.o, ip_nat_pptp.o

I get the following error on reboot of the Bering router:

After ip_conntrack_pptp.o loads I see this message:
INSMOD: Unresolved symbol ip_ct_gre_keymap_add

After ip_nat_pptp.o loads I see this message:
INSMOD: Unresolved symbol ip_ct_gre_keymap_change

Can someone please tell me what is happening here?

Thanks!

Troy


-Original Message-
From: Tom Eastep [mailto:[EMAIL PROTECTED]
Sent: Monday, December 08, 2003 12:07 PM
To: Troy Aden
Cc: Leaf-User (E-mail)
Subject: RE: [leaf-user] Shorewall questions

On Mon, 2003-12-08 at 09:59, Troy Aden wrote:
> One more quick question.
>
> We are running a PPTP server behind shorewall.
> The default policy is
> Loc   net DROP
>
> The rules are :
> #Inbound VPN
> DNAT  net loc:{local PPTP server}  tcp  1723
> DNAT  net loc:{local PPTP server}  47   -
>
> #Outbound VPN
>
> ACCEPT  loc net tcp 1723
> ACCEPT  loc net 47  -
>
> The problem is that I have a user that is logged into our VPN from a
> remote site. This user then came into work and is attempting to connect back into
> his system at the remote location. The firewall is blocking him from doing
> this.
> Here is a snip from the logs.
>
> loc2net DROP eth1 eth0 24.78.108.194 24.81.104.187 ICMP   (OS fingerprint)
>
> Can anyone tell me if there is a way to allow this user to connect to his
> system from our network?
>

You would need to install the PPTP connection tracking and NAT support
from Netfilter Patch-O-Matic. Without that support, you can only have a
single active PPTP tunnel to any given remote system.

-Tom
--
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]





[leaf-user] net fw and net to loc hits not being logged by shorewall. Why?

2003-12-09 Thread Troy Aden

###
#SOURCE DEST    POLICY  LOG LEVEL   LIMIT:BURST
loc     net     DROP    ULOG
loc     loc     ACCEPT
loc     vpn     ACCEPT
vpn     loc     ACCEPT
net     loc     REJECT  ULOG
# If you want open access to the Internet from your Firewall
# remove the comment from the following line.
#fw     net     ACCEPT
net     all     DROP    ULOG
all     all     REJECT  ULOG

Can anyone tell me why any hits on my external interface are not being
logged? The loc to net hits are logging fine. But the net to all, all to
all, and net to loc are not being logged. Does it make any difference how my
rules are entered? For example, should the Inbound rules be after the
outbound? Or since I have a couple of rules set to DROP from the net zone,
should these rules be placed differently? I do want to DROP hits on port 80
and 113. Is this what has broken logging? Is there another way I should be
doing this?

This is my ruleset:

#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  ORIGINAL
#                               PORT    PORT(S) DEST
#   Accept DNS connections from the firewall to the network
#
ACCEPT  fw  net tcp 53
ACCEPT  fw  net udp 53

#VCOM INBOUND RULES

#DROP IDENT PORT Probes
DROP    net fw  tcp 113

#DROP hits on port 80
DROP    net fw  tcp 80
#Allow Mail inbound
DNAT    net loc:192.168.167.50  tcp 25

#Allow VPN Inbound
DNAT    net loc:192.168.167.50  tcp 1723
DNAT    net loc:192.168.167.50  47  -

#IPSEC STUFF
ACCEPT  fw  net udp 500
ACCEPT  net fw  udp 500
ACCEPT  net fw  50  -
ACCEPT  fw  net 50  -
ACCEPT  net fw  51  -
ACCEPT  fw  net 51  -

#VCOM OUTBOUND RULES

#Allow SSH outbound (The second rule is for Eros administration)
ACCEPT  loc net tcp 22
ACCEPT  loc:192.168.162.233 net:139.142.29.176  tcp 6000

#Allow Jabber outbound
ACCEPT  loc net:139.142.29.176  tcp 5224

#Allow WWW and SSL Outbound
ACCEPT  loc net tcp http
ACCEPT  loc net tcp https

#Allow Telnet Outbound
ACCEPT  loc net tcp 23

#Allow FTP Outbound
ACCEPT  loc net tcp 21

#Allow MAIL outbound FROM EXCHANGE ONLY!!! Except POP3 (sigh)
ACCEPT  loc net tcp 25
ACCEPT  loc net tcp 110

#Allow VPN connections Outbound
ACCEPT  loc net tcp 1723
ACCEPT  loc net 47  -

#Allow access to Yourlink Servers
ACCEPT  loc net tcp 9728
ACCEPT  loc net tcp 8080

#Drop and don't log hits from loc to net on port 631
DROP    loc net tcp 631

#
#   Allow Ping To And From Firewall Except net to fw!
#
ACCEPT  loc fw  icmp8
DROP  net fw  icmp-
ACCEPT  fw  loc icmp8
ACCEPT  fw  net icmp8
#
# Bering specific rules:
# allow loc to fw udp/53 for dnscache to work
# allow loc to fw tcp/80 for weblet to work
#
ACCEPT  loc   fwudp 53
ACCEPT  loc   netudp 53
ACCEPT  loc:192.168.162.233  fwtcp 80

Thanks in advance!

Troy
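An added illustration for the question above (my own code, not from the list or the Shorewall project): Shorewall checks the rules file first, in order, and falls through to the first matching policy only when no rule matched; a rule logs only when its ACTION carries a level (for example DROP:ULOG), so bare DROP rules like the port 80 and 113 entries above drop silently even though the net policy says ULOG. The evaluator models that order over a subset of the rules and the policies posted above; the Endpoint and decide names are mine, and an unspecified address means a zone:address qualifier is not checked.

```python
"""Shorewall-style decision model: rules first (file order), then the first
matching policy.  A rule logs only if its ACTION is written ACTION:LEVEL.
Added example for this thread, not Shorewall's own code."""
from dataclasses import dataclass
from typing import Optional, Tuple

SERVICE_PORTS = {"http": 80, "https": 443}  # service names used in the posted rules

# Subset of the rules posted above (comments dropped, spacing normalised).
RULES_FILE = """
DROP    net fw  tcp 113
DROP    net fw  tcp 80
DNAT    net loc:192.168.167.50  tcp 25
DNAT    net loc:192.168.167.50  tcp 1723
DNAT    net loc:192.168.167.50  47  -
ACCEPT  net fw  udp 500
ACCEPT  net fw  50  -
ACCEPT  loc net tcp 22
ACCEPT  loc net tcp http
ACCEPT  loc net tcp https
ACCEPT  loc net tcp 1723
ACCEPT  loc net 47  -
DROP    loc net tcp 631
ACCEPT  loc fw  icmp 8
DROP    net fw  icmp -
ACCEPT  loc fw  udp 53
ACCEPT  loc:192.168.162.233 fw  tcp 80
"""
# Policies exactly as posted: SOURCE DEST POLICY [LOG LEVEL].
POLICY_FILE = """
loc net DROP   ULOG
loc loc ACCEPT
loc vpn ACCEPT
vpn loc ACCEPT
net loc REJECT ULOG
net all DROP   ULOG
all all REJECT ULOG
"""


@dataclass
class Endpoint:
    """A SOURCE or DEST column: a zone, optionally qualified as zone:address."""
    zone: str
    addr: Optional[str] = None

    @classmethod
    def parse(cls, text: str) -> "Endpoint":
        zone, _, addr = text.partition(":")
        return cls(zone, addr or None)

    def matches(self, zone: str, addr: Optional[str]) -> bool:
        if self.zone not in ("all", zone):
            return False
        # addr=None means the caller did not specify one; skip the qualifier.
        return self.addr is None or addr is None or self.addr == addr


def _fields(text: str):
    for line in text.splitlines():
        fields = line.split()
        if fields and not fields[0].startswith("#"):
            yield fields


def _port(text: str) -> Optional[int]:
    return None if text == "-" else SERVICE_PORTS.get(text) or int(text)


def parse_rules(text: str):
    rules = []
    for f in _fields(text):
        action, src, dst, proto = f[:4]
        dport = f[4] if len(f) > 4 else "-"
        rules.append((action, Endpoint.parse(src), Endpoint.parse(dst),
                      proto.lower(), _port(dport)))
    return rules


def parse_policies(text: str):
    # (src_zone, dst_zone, action, logged)
    return [(f[0], f[1], f[2], len(f) > 3 and f[3] != "-") for f in _fields(text)]


RULES = parse_rules(RULES_FILE)
POLICIES = parse_policies(POLICY_FILE)


def decide(src_zone: str, dst_zone: str, proto: str, dport: Optional[int] = None,
           src_addr: Optional[str] = None, dst_addr: Optional[str] = None,
           rules=RULES, policies=POLICIES) -> Tuple[str, bool]:
    """Return (action, logged) for one new connection, in Shorewall's order."""
    proto = proto.lower()
    for action, src, dst, rproto, rport in rules:
        if (src.matches(src_zone, src_addr) and dst.matches(dst_zone, dst_addr)
                and rproto in ("-", proto) and rport in (None, dport)):
            base, _, level = action.partition(":")  # DROP:ULOG -> logged
            return base, bool(level)
    for psrc, pdst, action, logged in policies:
        if psrc in ("all", src_zone) and pdst in ("all", dst_zone):
            return action, logged
    raise ValueError("no policy matched: Shorewall needs a final 'all all' policy")
```

Calling decide("net", "fw", "tcp", 113) returns ("DROP", False) while decide("net", "fw", "tcp", 22) returns ("DROP", True), which is the difference between a silent rule and the logging policy.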




RE: [leaf-user] Bering 1.2 Throughput Test Results

2004-04-14 Thread Troy Aden
I am sure this question is a silly one but here it goes.
How do I go about changing the Encryption algorithm in Freeswan IPSec?
I am using Bering Uclibc 2.0. I am using FreeSwan IPSec with PSK's for my
connections. I did not see anything in the procedures for changing the
encryption algorithms that this package uses. I am assuming that I would add
the module (ipsec_aes.o) to /lib/modules/. But can anyone please tell me the
command that I need to put in the IPSec config file to tell it specifically
what algorithm to use?  

Thanks in advance!

Troy

Here is what my config looks like:

config setup
# THIS SETTING MUST BE CORRECT or almost nothing will work;
# %defaultroute is okay for most simple cases.
interfaces=%defaultroute
# Debug-logging controls:  "none" for (almost) none, "all" for lots.
klipsdebug=none
plutodebug=none
# Use auto= parameters in conn descriptions to control startup
actions.
plutoload=%search
plutostart=%search
# Close down old connection when new one using same ID shows up.
uniqueids=yes



# defaults for subsequent connection descriptions
conn %default
# How persistent to be in (re)keying negotiations (0 means very).
keyingtries=0
# RSA authentication with keys from DNS.
authby=secret
right=132.125.107.155
rightsubnet=192.168.55.0/16
rightnexthop=132.125.107.254
pfs=yes

conn block
auto=ignore

conn private
auto=ignore

conn private-or-clear
auto=ignore

conn clear
auto=ignore

conn packetdefault
auto=ignore

conn troy
left=139.145.45.166
leftsubnet=10.10.65.0/24
leftnexthop=139.145.45.129
auto=start

Here is what comes up when I start a connection:

ipsec whack --initiate --name test
002 "troy" #152: initiating Main Mode
104 "troy" #152: STATE_MAIN_I1: initiate
106 "troy" #152: STATE_MAIN_I2: sent MI2, expecting MR2
108 "troy" #152: STATE_MAIN_I3: sent MI3, expecting MR3
002 "troy" #152: Main mode peer ID is ID_IPV4_ADDR: '139.145.45.166'
002 "troy" #152: ISAKMP SA established
004 "troy" #152: STATE_MAIN_I4: ISAKMP SA established
002 "troy" #153: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK
117 "troy" #153: STATE_QUICK_I1: initiate
002 "troy" #153: sent QI2, IPsec SA established
004 "troy" #153: STATE_QUICK_I2: sent QI2, IPsec SA established

-Original Message-
From: Roger E McClurg [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 14, 2004 7:13 AM
To: Charles Steinkuehler
Cc: [EMAIL PROTECTED]
Subject: Re: [leaf-user] Bering 1.2 Throughput Test Results

My apologies. I should have looked before I asked. It is in the Bering
modules, right where it should be.

Roger

-=-=-=--=-=-=-=-=-=-=-=
Charles,

I'd love to run the tests. Where can I find the ipsec_aes.o module for
Bering 1.2?

Roger





Charles Steinkuehler 
04/13/2004 04:13 PM

To: Roger E McClurg/CEG/[EMAIL PROTECTED]
cc: [EMAIL PROTECTED]
Subject:Re: [leaf-user] Bering 1.2 Throughput Test Results


Roger E McClurg wrote:

> The next test was to FTP from the PC connected to the OpenBrick E to the

> PC connected to a 500 Mhz P III running Bering 1.2.  The transfer rate was
> only 12.67 Mb/sec.  The 3DES IPSEC encryption was certainly taking its
> toll.
>
> Next we replaced both Bering machines with Nortel Contivity 1500 VPN
> devices. The Contivity is a popular VPN concentrator for small branch
> offices. It was designed specifically for the purpose of a VPN
> concentrator. Imagine our surprise when the Contivity transfer rate was
> only 4.45 Mb/sec. The Bering boxes were running weblet, shorewall,
> dnscache, dhcpd, ssh, sshd, sftp, snmp, and snmpd in addition to IPSEC,
> and yet they were almost three times faster than commercial VPN
> concentrators.

If you want to have a bit more fun, switch your IPSec links to the new
AES (ipsec_aes.o) encryption algorithm.  Designed to be more friendly to
modern CPU's with wide registers and SIMD (Single Instruction Multiple
Data) instruction sets (3DES is optimized for hardware, and doesn't
translate nicely into a byte/word oriented general-purpose CPU
algorithm), you should see a substantial increase in your transfer rates.

3DES is usually not much of a bottleneck (even with the 'slow' Nortel
devices), as usually the upstream WAN link is substantially slower than
the potential CPU throughput when compressing, but if you've got fast
pipes, you'll notice a drastic difference by choosing an alternate
encryption scheme.

--
Charles Steinkuehler
[EMAIL PROTECTED]






RE: [leaf-user] Bering 1.2 Throughput Test Results

2004-04-15 Thread Troy Aden
I had no problems adding the aes module. 
I am not exactly sure what you did but I will tell you what I did and
hopefully it helps you out. :) 

1. First copy the ipsec_aes.o module from the Modules archive to a formatted
floppy. 
2. Mount the floppy in your Bering box with this command: mount -t msdos
/dev/fd0u1440 /mnt
3. Next, copy the module file to your modules directory with this command:
cp ipsec_~1.o /lib/modules/ [ENTER]
4. Change directory to / (cd /) and type "umount /mnt" [ENTER]
5. Change directory again to /lib/modules/ 
6. We need to change the name of the module back to ipsec_aes.o now with
this command: cp ipsec_~1.o ipsec_aes.o [ENTER]
7. Then chmod the file with 644 with this command: chmod 644 ipsec_aes.o
8. Almost there! Now type lrcfg [ENTER] and go into /etc/modules. Add
ipsec_aes to the list of entries there.
9. Lastly, go into your IPSec config file and add esp=aes to the connection
config. (Check where I put it below to give you an idea)
10. Back up your changes! :)

I hope this helped. I have a question of my own for the list. :)

Can you have multiple rightsubnet= or leftsubnet= in your ipsec config for a
single connection? I want to connect two networks that have multiple
subnets. Thus far I have gotten away with just putting entries like
172.16.0.0/16 connecting to 192.168.0.0/16. That solution is no longer
practical however and I am wondering if I can change it to multiple
leftsubnet/rightsubnet entries to reflect the actual networks that I am
linking. Can anyone tell me the syntax I would use to do this? :)

Thanks in advance!

Troy (Still a newbie after years of LEAF)



-Original Message-
From: J.Clark [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 15, 2004 8:52 AM
To: [EMAIL PROTECTED]
Subject: Re: [leaf-user] Bering 1.2 Throughput Test Results

My question is how does one properly load this module?  I've tried loading
it from the modules package (/etc/modules) but when I try to restart ipsec
it fails because it can't unload the ipsec.o module due to the fact that it
is in use by the ipsec_aes.o module.

I'm sure I'm missing something here.  Should I replace the ipsec.o with
ipsec_aes.o or add a stub to the shutdown/restart script to remove unload
ipsec_aes.o first?

Dumb questions I'm sure but we all have to learn somehow =-)

- Original Message -
From: "Roger E McClurg" <[EMAIL PROTECTED]>
To: "Troy Aden" <[EMAIL PROTECTED]>
Cc: "Charles Steinkuehler" <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>
Sent: Wednesday, April 14, 2004 11:43 AM
Subject: RE: [leaf-user] Bering 1.2 Throughput Test Results


> Troy,
>
> It's not a dumb question. I just figured it out myself. In the connection
> defaults, or in the specific connection you want to use aes, just add
> esp=aes. Of course the ipsec-aes.o module must be loaded.
>
> Roger
>
>
>
>
>
> Troy Aden  @VCom.com>
> 04/14/2004 10:13 AM
>
> To: Roger E McClurg/CEG/[EMAIL PROTECTED], Charles Steinkuehler
> <[EMAIL PROTECTED]>
> cc: [EMAIL PROTECTED]
> Subject:RE: [leaf-user] Bering 1.2 Throughput Test Results
>
>
> I am sure this question is a silly one but here it goes.
> How do I go about changing the Encryption algorithm in Freeswan IPSec?
> I am using Bering Uclibc 2.0. I am using FreeSwan IPSec with PSK's for my
> connections. I did not see anything in the procedures for changing the
> encryption algorithms that this package uses. I am assuming that I would add
> the module (ipsec_aes.o) to /lib/modules/. But can anyone please tell me the
> command that I need to put in the IPSec config file to tell it specifically
> what algorithm to use?
>
> Thanks in advance!
>
> Troy
>
> Here is what my config looks like:
>
> config setup
> # THIS SETTING MUST BE CORRECT or almost nothing will work;
> # %defaultroute is okay for most simple cases.
> interfaces=%defaultroute
> # Debug-logging controls:  "none" for (almost) none, "all" for lots.
> klipsdebug=none
> plutodebug=none
> # Use auto= parameters in conn descriptions to control startup
> actions.
> plutoload=%search
> plutostart=%search
> # Close down old connection when new one using same ID shows up.
> uniqueids=yes
>
>
>
> # defaults for subsequent connection descriptions
> conn %default
> # How persistent to be in (re)keying negotiations (0 means very).
> keyingtries=0
> # RSA authentication with keys from DNS.
> authby=secret
> right=132.125.107.155
> rightsubnet=192.168.55.0/16
> rightnexthop=132.125.107.254
> esp=aes
> pfs=yes
>

[leaf-user] port redirecting with shorewall

2004-05-22 Thread Troy Aden

Hello list. I have a question regarding a rule that used to work but since I
have upgraded shorewall it does not work anymore...
I am running Bering UCLIBC 2 with shorewall 1.4.5. The rule is as follows:

DNAT    net loc:192.168.200.150:443 tcp 80

The purpose of this rule is to make sure that all hits from the net on port
80 are directed to the ssl port on a local server. This rule used to work
fine but I am not sure why it no longer is working. Conversely, if I set up
2 DNAT rules, one for http and one for https, I can access the server from
outside the firewall with no problems. Can anyone please tell me what I
could be missing here?

Thanks in advance!

Troy




[leaf-user] Microsoft L2TP/IPSec Server behind Shorewall

2004-08-19 Thread Troy Aden
Hello list, I can't seem to get a Microsoft L2TP/IPSec client to connect to
our L2TP/Ipsec VPN server. Is there something I am missing here? We are
DNAT'ing the two udp ports (1701 and 500) to our internal server but we have
no connectivity. Can anyone please tell me what we are missing here? Please
let me know if further information is required. Thanks in advance!


Untrusted-network---eth0(wireless) MASQ -eth1(internal) 



>>>
Interfaces:
#ZONE       INTERFACE   BROADCAST   OPTIONS
wireless    eth0        detect      dhcp
internal    eth1        detect      dhcp,nosmurfs

>>

MASQ:
eth1    eth0    -   udp 1701    # L2TP
eth1    eth0    -   udp 500     # IP/SEC

>>>

Policy
fw          all     ACCEPT
internal    fw      ACCEPT
wireless    all     DROP    info
#
# THE FOLLOWING POLICY MUST BE LAST
#
all all REJECT  info

>>

Rules
#ACTION SOURCE  DEST                    PROTO   DEST    SOURCE  ORIGINAL
#                                               PORT    PORT(S) DEST
DNAT    all     internal:{Internal IP}  udp     1701    -   # L2TP
DNAT    all     internal:{Internal IP}  udp     500     -   # IP/SEC

>



Troy




RE: [leaf-user] Microsoft L2TP/IPSec Server behind Shorewall

2004-08-19 Thread Troy Aden
Just a quick supplemental to this: I have added a DNAT rule for the ESP
protocol as well, but it still does not work.


-Original Message-
From: Troy Aden [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 19, 2004 12:09 PM
To: Leaf-User (E-mail)
Subject: [leaf-user] Microsoft L2TP/IPSec Server behind Shorewall

Hello list, I can't seem to get a Microsoft L2TP/IPSec client to connect to
our L2TP/Ipsec VPN server. Is there something I am missing here? We are
DNAT'ing the two udp ports (1701 and 500) to our internal server but we have
no connectivity. Can anyone please tell me what we are missing here? Please
let me know if further information is required. Thanks in advance!


Untrusted-network---eth0(wireless) MASQ -eth1(internal)



>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Interfaces:
#ZONE       INTERFACE   BROADCAST   OPTIONS
wireless    eth0        detect      dhcp
internal    eth1        detect      dhcp,nosmurfs

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

MASQ:
eth1    eth0    -   udp 1701    # L2TP
eth1    eth0    -   udp 500     # IP/SEC

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Policy
fw          all     ACCEPT
internal    fw      ACCEPT
wireless    all     DROP    info
#
# THE FOLLOWING POLICY MUST BE LAST
#
all all REJECT  info

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Rules
#ACTION SOURCE  DEST                    PROTO   DEST    SOURCE  ORIGINAL
#                                               PORT    PORT(S) DEST
DNAT    all     internal:{Internal IP}  udp     1701    -   # L2TP
DNAT    all     internal:{Internal IP}  udp     500     -   # IP/SEC

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>



Troy




[leaf-user] Bering-uClibc 2.2.2 Not available....?

2004-10-28 Thread Troy Aden
http://prdownloads.sourceforge.net/leaf/Bering-uClibc_2.2.2_img_bering-uclib
c-1680.exe?download 

I have tried to download it from every mirror and I keep getting "he mirror
you've selected, "url" does not currently have the file you requested. (This
is an error on our part which will be fixed)."
Is there any way I could get this file?

Thanks in advance!

Troy




[leaf-user] tulip.o problems (Bering-uClibc 2.2.2)

2004-10-28 Thread Troy Aden
I am running the Bering-uClibc 2.2.2. 
The tulip.o module seems to not be working.
Do I have to load additional modules to make it work? 
Here are the errors I get on boot:
Tulip - Using /lib/modules ./tulip.o
Insmod: unresolved symbol CRC_Le
Insmod: unresolved symbol Bitreverse

Can anyone help me out here? 

Thanks in advance!

Troy




[leaf-user] errors backing up ipsec (Bering-uClibc 2.2.2)

2004-10-28 Thread Troy Aden
First off thanks for the quick answers for the questions I have posted
previously! I got the firewall up and it runs very nicely.

However when I do a full backup I get the following errors:

Creating ipsec.lrp Please wait: /tar: etc/pgpcert.pgp: No such file or
directory
tar: Error exit delayed from previous errors
Back-up of ipsec complete
Creating lpthread.lrp Please wait: \tar: var/lib/lrpkg/libpthread.*: No such
file or directory
tar: Error exit delayed from previous errors
Back-up of lpthread complete

Can anyone please explain these to me? It looks like it is expecting some
files that do not exist. Should I be concerned about this?

Just a footnote:
I noticed that the version of IPSec that you have posted in the 2.2 Bering
Uclibc does not include "libm" as a package dependency. I need to load the
libm package for this version of IPSec to work so you may want to update
your links.
Here is a link:
http://leaf.sourceforge.net/mod.php?mod=userpage&menu=91017&page_id=51 
ipsec.lrp 
Openswan IPSEC
Homepage: http://www.openswan.org
Requires: mawk.lrp lpthread.lrp
LEAF Package by [EMAIL PROTECTED], 2004-09-23
Version: 1.0.7 

Again thanks for all the help so far. 
 
Troy




[leaf-user] lpthread.lrp backup error (Bering Uclibc 2.2.2)

2004-10-31 Thread Troy Aden
I am getting the following error when I backup lpthread.lrp. Is this
something I should be concerned with?
Thanks in advance.

Creating lpthread.lrp Please wait: \tar: var/lib/lrpkg/libpthread.*: No such
file or directory
tar: Error exit delayed from previous errors
Back-up of lpthread complete

Troy




[leaf-user] beep.lrp question

2004-10-31 Thread Troy Aden
Hello there. I have made a simple sh script to run beep for Bering Uclibc
2.2.2. I want the system to run the script to tell me when it is done
booting. Can anyone please tell me where I need to go to do this? The how-to
for beep.lrp is not very helpful in this regard? 

Thanks in advance!

Troy




RE: [leaf-user] ipsec subnet-to-subnet vpn

2004-10-31 Thread Troy Aden
his at boot but you may want to do it manually to test.

First do this: 'ipsec setup restart' {this will reload the ipsec.conf and
Pluto shared secrets file}

Now type: 'shorewall restart'

Ok, I like to do a terminate statement first: 'ipsec whack --terminate --name
example' { I always do this first just in case there is an existing tunnel}
Then try to bring up the tunnel: 'ipsec whack --initiate --name example' {Those
are double dashes in case they come out garbled on your end}
If it worked you should see an output something like this:

002 " example" #32: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK
122 " example" #32: STATE_QUICK_I1: initiate
002 " example" #32: transition from state STATE_QUICK_I1 to state
STATE_QUICK_I2
002 " example" #32: sent QI2, IPsec SA established
004 " example" #32: STATE_QUICK_I2: sent QI2, IPsec SA established

Troy
-Original Message-
From: Scott A. Young [mailto:[EMAIL PROTECTED]
Sent: Sunday, October 31, 2004 7:14 PM
To: Troy Aden
Subject: RE: [leaf-user] ipsec subnet-to-subnet vpn

That would be perfect... Pre-shared-keys is where I'm starting as well.

Thanks,
Scott.


-
Scott Young
Network Integration Solutions Inc.
Phone: 780-461-3371
Fax: 780-465-7270
email: [EMAIL PROTECTED]
 

> -Original Message-
> From: Troy Aden [mailto:[EMAIL PROTECTED]
> Sent: Sunday, October 31, 2004 5:21 PM
> To: Scott A. Young
> Subject: RE: [leaf-user] ipsec subnet-to-subnet vpn
>
> I think I can help you out. I have a working config using
> pre-shared keys..
> Are you interested in this? If so, I will send it on.
>
> Troy
> -Original Message-
> From: Scott A. Young [mailto:[EMAIL PROTECTED]
> Sent: Sunday, October 31, 2004 5:49 PM
> To: [EMAIL PROTECTED]
> Subject: [leaf-user] ipsec subnet-to-subnet vpn
>
> Hi All,
>
> First of all, thanks to everyone involved with this project. 
> The support from the mailing list archives is great!
>
> I've been trying to get an ipsec vpn between two
> bering-uclibc v2.2.1 routers going.
>
> Before boring everyone with the details, I'm wondering if there is a
> definitive example of subnet-to-subnet ipsec setup with shorewall.  I will
> post full details, as per instructions, but at this point, I
> think I just need a good example to work from.
>
> Both routers are the same, with the following .lrp's loaded:
> Name      Version           Description
> ========  ================  ==============================================
> initrd    V2.2.1 uClibc-    LEAF Bering-uClibc initial filesystem
> root      V2.2.1 uClibc-    Core LEAF Bering-uClibc package
> config    0.4               Core config and backup system package
> etc       V2.2.1 uClibc-
> local     V2.2.1 uClibc-    LEAF Bering local package
> iptables  1.2.11            IP packet filter administration tools for 2.4.
> shorwall
> ulogd     1.02              The Netfilter Userspace Logging Daemon
> dropbear  0.43 Rev 2        Dropbear SSH 2 server and scp client
> ntpdate   4.1.0-8           client for setting system time from NTP server
> ntpsimpl  4.1.0-8           NTP v4 daemon for simple systems from Debian
> sh-httpd  1.2.5 Rev 3       Small shell-based web server
> weblet    1.0.0 Rev 4       http-server content
> lpthread  0.9.20            The libpthread library
> mawk      1.3.3-9           Mawk is an interpreter for the AWK Programming
> libm      0.9.20            The libm library
> modules   V2.2.1 uClibc-    Define & contain your LEAF Bering modules
> ipsec     1.0.7             Openswan IPSEC
> dnsmasq   2.15 Rev 1        Dnsmasq is lightweight, easy to configure DNS
>
>
> TIA,
> Scott.
>
> ---
> Scott Young
> Network Integration Solutions Inc.
> Phone: 780-461-3371
> Fax: 780-465-7270
>
>
>

RE: [leaf-user] beep.lrp question

2004-10-31 Thread Troy Aden
Ok, let's say I have a little Beep tune written. I call it beep_song and I
store it in /etc.
It looks like this: {I chmod'ed it +rx}
#!/bin/sh
beep -f 1000 -r 2 -n -r 5 -l 10 --new
beep -f 300.7 -r 3 -d 100 -l 400
beep -f 1000 -r 1 -n -r 5 -l 10 --new

So I can play the little beep tune by typing './beep_song'

This is where I am stumped. I want to use this beep tune when my system is
fully booted. I am assuming that I need to insert './etc/beep_song' in some
init script but I have no idea where. Can anyone help me out?

Thanks in advance!


Troy
-Original Message-
From: Bruce McNamara [mailto:[EMAIL PROTECTED]
Sent: Monday, November 01, 2004 12:45 AM
To: [EMAIL PROTECTED]
Cc: Troy Aden
Subject: Re: [leaf-user] beep.lrp question

I use Beep for indicating the interfaces are up etc..


/bin/beep -f 600 -n -f 900 -n -f1200 -n -f1800 -f 600 -n -f 900 -n -f1200 -
n -f1800 -f 600 -n -f 900 -n -f1200 -n -f1800

I found an article Simple Sounds for Linux
By Jay Link ( do a google an yee shal find...)

which I used as a rough guide

it said:

Usage is simple. Both programs take two arguments: the tonal frequency in
Hertz, and the duration in milliseconds. So, let's say you compiled
beep.c.direct into "beep". Here's all you'd need to do:

   beep 440 200

This will play a 440 Hz tone for 200 milliseconds, or a fifth of a second.

To play multiple notes, it's often necessary to insert a "rest" between
them, like so:

   beep 440 200
   beep 0 200
   beep 700 200


Note that the "spacer" note, or rest, plays at zero Hertz (i.e., it
doesn't play at all), but it continues for the same duration as the other
notes.

Using the beep program, it's easy to play simple melodies. Here are the
frequencies for some basic notes:

  262   C - "middle C"
  277   C#
  294   D
  311   D#
  330   E
  349   F
  370   F#
  392   G
  415   G#
  440   A
  466   A#
  494   B


To find the frequencies of subsequent notes, simply multiply the highest
note you know by 1.0595, and then round up or down as appropriate. For
example, 494 * 1.0595 = 523.393, or 523 Hz, which should be the "C" note
that's one octave above middle C.



> Subject: [leaf-user] beep.lrp question
>
> Hello there. I have made a simple sh script to run beep for Bering Uclibc
> 2.2.2. I want the system to run the script to tell me when it is done
> booting. Can anyone please tell me where I need to go to do this? The
> how-to for beep.lrp is not very helpful in this regard?
>
> Thanks in advance!
>
> Troy
>



Bruce McNamara - Managing Director
Professional System Integrators Ltd
P.O. Box 9767, Auckland, New Zealand
PH: +64 (021) 922 088  Fax: +64 (09) 629 0927
Email: [EMAIL PROTECTED]

 PSI - Help when you need IT



