Re: [Leaf-user] looking for Linux distribution just for LAN DHCP server (1 NIC)

2002-04-28 Thread Upnet Joe

Oh baby, you gonna love Linux once you know it, and you'll be glued to Linux
after.

It's easier than Windows, 'cause you know Linux will run unless the power is
cut off; with Windows, not even Bill Gates has a clue what is going to happen
in the next minute.
I am not joking, listen to Znet Radio.

Upnet Joe

- Original Message -
From: Alan Tu [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, April 28, 2002 11:31 AM
Subject: [Leaf-user] looking for Linux distribution just for LAN DHCP server (1 NIC)


 Hi, I found out about LEAF from the Langa List and was attracted to it
 because it could do broadband routing on a computer, just by booting from
 a CD or floppy. Unfortunately, our family is glued to Windows, and we don't
 have time to learn to build/compile Linux, etc, but the LEAF instructions
 seemed easy (just burn an ISO image and do some configuring).

 My problem is, before we get broadband, we already have a home network
 (Windows boxes and now a Mac). We want a DHCP server to assign IP
 addresses, and I want to use a Linux distribution on a spare box to do so.
 Unfortunately, LEAF requires two NICs because it is a full LAN/WAN
 router. I was wondering if there is a good distribution just as easy and
 small as LEAF that can just do DHCP serving over Ethernet?

 Thanks in advance.

 Regards,

 Alan Tu



 ___
 Leaf-user mailing list
 [EMAIL PROTECTED]
 https://lists.sourceforge.net/lists/listinfo/leaf-user






Re: [Leaf-user] Under attack

2002-04-18 Thread Upnet Joe

Oh, do you have any information? Nothing? Scary stuff, hmm..

Come on, you must have something.. even a normal tcpdump -n will give you some
kind of a picture.

From your public DMZ server, what kind of service do the world or you get? Give
us some more details, config etc.
I am sure you have holes in your firewall rules,

or else you are running a Windows box as your DMZ server with all the ports
open, heh..

Please give us more information.

Upnet Joe

- Original Message -
From: Greg Ford [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, April 18, 2002 6:38 AM
Subject: [Leaf-user] Under attack


 Hi

 I'm running Dachstein 1.02.  With a public IP DMZ plus some masqueraded
 workstations.
 We are connected via a shared 10/100 link to our ISP.

 Recently we've come under attack, but I can't figure out where or what by.

 The first I noticed was very high internet use reported by our ISP.
 100 times our normal traffic.

 What's my best solution for tracing this traffic? I have tried iptraf and
 snort, but I don't seem to be getting the data in a useful format.

 What I think I need is to find out:
   how much traffic is my firewall receiving (on the external port)
   how much is being transmitted
   which internal machines receive the most traffic, and how much traffic
   is that

 Thanks in advance

 Greg Ford






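Greg's three questions (bytes received on the external port, bytes transmitted, and which internal machine gets the most) can be answered from the plain `tcpdump -n` output Joe mentions. The following Python tally is an added example, not code from the list or from LEAF; it assumes the capture is taken where the internal or DMZ addresses are still visible (the public DMZ range, or the inside interface for masqueraded workstations), that 192.168.1.0/24 stands in for that range, and the sample capture lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Network whose hosts count as "internal" (assumed; constructed for this demo).
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")

# One `tcpdump -n` line: "src.sport > dst.dport: ... length N" for TCP,
# or "... (N)" for UDP payloads such as DNS queries and answers.
LINE_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): .*?"
    r"(?:length (?P<len1>\d+)|\((?P<len2>\d+)\))\s*$"
)


def parse_line(line):
    """Return (src, sport, dst, dport, payload_bytes), or None for non-IP lines (ARP etc.)."""
    m = LINE_RE.search(line)
    if not m:
        return None
    length = int(m.group("len1") or m.group("len2"))
    return m.group("src"), int(m.group("sport")), m.group("dst"), int(m.group("dport")), length


def summarize(lines, internal_net=INTERNAL_NET):
    """Tally payload bytes by direction across the firewall and per internal host."""
    per_host = defaultdict(lambda: {"rx": 0, "tx": 0})
    stats = {"in_bytes": 0, "out_bytes": 0, "unparsed": 0}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            stats["unparsed"] += 1
            continue
        src, _sport, dst, _dport, length = parsed
        src_inside = ipaddress.ip_address(src) in internal_net
        dst_inside = ipaddress.ip_address(dst) in internal_net
        if dst_inside and not src_inside:        # world -> LAN: received on the external port
            stats["in_bytes"] += length
            per_host[dst]["rx"] += length
        elif src_inside and not dst_inside:      # LAN -> world: transmitted
            stats["out_bytes"] += length
            per_host[src]["tx"] += length
        # LAN-to-LAN and world-to-world lines never cross the firewall; skipped.
    stats["per_host"] = dict(per_host)
    return stats


def top_talkers(stats, n=3):
    """Internal hosts ordered by total bytes, busiest first."""
    return sorted(stats["per_host"].items(),
                  key=lambda kv: kv[1]["rx"] + kv[1]["tx"], reverse=True)[:n]


# Constructed sample capture; RFC 5737 addresses stand in for real Internet peers.
SAMPLE_LINES = [
    "12:00:01.000001 IP 203.0.113.5.80 > 192.168.1.10.1025: Flags [P.], seq 1:1461, ack 1, win 8760, length 1460",
    "12:00:01.000002 IP 192.168.1.10.1025 > 203.0.113.5.80: Flags [.], ack 1461, win 8760, length 0",
    "12:00:01.000003 IP 192.168.1.20.6000 > 198.51.100.7.6000: Flags [P.], seq 1:1001, ack 1, win 8760, length 1000",
    "12:00:01.000004 IP 192.168.1.20.1234 > 198.51.100.9.53: 12345+ A? example.com. (29)",
    "12:00:01.000005 IP 198.51.100.9.53 > 192.168.1.20.1234: 12345 1/0/0 A 198.51.100.1 (45)",
    "12:00:01.000006 arp who-has 192.168.1.1 tell 192.168.1.10",
]

if __name__ == "__main__":
    s = summarize(SAMPLE_LINES)
    print("in:", s["in_bytes"], "out:", s["out_bytes"], "unparsed:", s["unparsed"])
    for host, counters in top_talkers(s):
        print(host, counters)
```

Feed it `tcpdump -n -i eth0 -l` output from the firewall's console (or a saved file) and a sudden 100x jump in traffic shows up as one host's `rx` or `tx` dwarfing the others.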



Re: [Leaf-user] Routing Problem with Dachstein CD and ISDN - might help

2002-04-16 Thread Upnet Joe

Might help http://rr.sans.org/encryption/cisco_router.php

Upnet Joe

- Original Message -
From: Eric Wolzak [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Tuesday, April 16, 2002 11:38 AM
Subject: Re: [Leaf-user] Routing Problem with Dachstein CD and ISDN


 Hello Andrew, you wrote:

 I have not done much with the Dachstein CD version, but I possibly
 found a cause.
 I don't have a Dachstein running (using Bering :) ).
 The main difference between your Eigerstein and your Dachstein
 setup seems to be the route.
 eigerstein
  139.130.0.0/16 dev ippp0  proto kernel  scope link  src 139.130.195.30

 dachstein
  139.130.195.1 dev ippp0  proto kernel  scope link  src 139.130.195.30

 The interface ippp0 is in Eigerstein probably declared as
 139.130.0.0/16, and so will be the firewall rules connected to this
 interface.

 In the Dachstein version your firewall rules might be set so that
 ippp0 is only 139.130.195.1;
 check that.
 From the route itself you should be able to route through ippp0, as
 the default route is directed in this direction.

 The ippp0_MASKLEN is not set:
  eval local MASKLEN=\${$1_MASKLEN:-}
 IMHO if you set ippp0_MASKLEN=16 then you should get the
 same setup as before.


 Eric Wolzak
 member of the Bering crew

 ---original message -

  I have configured a DACHSTEIN CD firewall which I am using at home with
  a dialup system, and it works very well, and I now have several deployed
  around Australia on remote sites for the company I work for.  The latter
  of these units are connected by modem to Bigpond Direct and have proven
  themselves to be very reliable.  My problem occurs when I updated the
  main office firewall to DACHSTEIN CD.  This firewall currently is
  running Eigerstein with 2 ISDN channels and working very reliably, but I
  wanted to upgrade to take advantage of the latest security features and
  additions.
 
  On the Eigerstein version, the routes are:
 
  # ip route
  203.47.153.64/26 dev eth1  proto kernel  scope link  src 203.47.153.65
  192.168.45.0/24 dev eth0  proto kernel  scope link  src 192.168.45.1
  139.130.0.0/16 dev ippp0  proto kernel  scope link  src 139.130.195.30
  default dev ippp0  scope link
 
  This has been working well.  To get ISDN support for the DACHSTEIN CD
  version, I found the files where the devices are created and added the
  appropriate text to the files /var/lib/lrpkg/root.dev.mk,
  /var/lib/lrpkg/root.dev.mod and /var/lib/lrpkg/root.dev.own, copying the
  exact text to each file that had been used in the Eigerstein version I
  am currently running.  The interface devices were created in /dev and
  all appear to run correctly except for the routing when the firewall
  starts.  The routes on this machine are:
 
  # ip route
  139.130.195.1 dev ippp0  proto kernel  scope link  src 139.130.195.30
  203.47.153.64/26 dev eth1  proto kernel  scope link  src 203.47.153.65
  192.168.45.0/24 dev eth0  proto kernel  scope link  src 192.168.45.1
  default dev ippp0  scope link
 
  The address 139.130.195.1 is the peer address of the box when connected
  to the Bigpond Direct point of presence.  The additions to the
  network.conf shown below were typed in exactly as they were in the
  previous version, so this may be part of the problem if some of the
  functions act differently in the DACHSTEIN CD version.  The firewall,
  when tested, dialled and connected both channels in multilink
  configuration to the ISP but is only able to access IP addresses in the
  139.130.0.0/16 address range.  These are only within our ISP's internal
  network and therefore do not allow access to the internet at large.
 
  Any assistance would be greatly appreciated as I have been tearing my
  hair out for the last three weeks in my attempt to find the problem
  myself.
 
  Interfaces:
  # Interfaces to start on boot go here - ie ppp0 eth0
  # Do NOT include interfaces configured by dhcp!
  IF_AUTO="ippp0 eth0 eth1"
 
  # List of all configured interfaces, manual start and boot start
  IF_LIST=$IF_AUTO
 
  Device settings:

  ###
  # ISDN Link - the isdn.lrp is required for this to work. (External
  # Interface)
  ###
  ippp0_IPADDR=139.130.195.30 # My IP Address, only set if not dynamic.
  ippp0_PTPADDR=139.130.195.1 # Their IP Address, again only if not dynamic.
  ippp0_MYMSN=38049800 # My telephone Number
  ippp0_REMMSN=30073300 # Their telephone number (The ISP)
  ippp0_IP_SPOOF=YES
  ippp0_IP_KRNL_LOGMARTIANS=NO
  # Simple QOS support, Options are same as ethernet above.
  ippp0_FAIRQ=YES
  ippp0_TXQLEN=64
  ippp0_BNDWIDTH=64kbit # Device Bandwidth
  ippp0_HNHL=3 # Queue Handle - must be unique
  ippp0_IABURST=25 # Interactive Burst
  ippp0_IARATE=30Kbit # Interactive Rate
  ippp0_PXMTU=1500 # Physical MTU - includes Link

Re: [Leaf-user] Adding to syslinux.cfg on DCD

2002-04-11 Thread Upnet Joe

I don't know how to do it with WinImage...
This is what I did (I have access to a RedHat Linux machine):

mount -t msdos -o loop bootdisk.bin /mnt/lrpmnt
cd /mnt/lrpmnt
vi syslinux.cfg

then rebuild the .iso image and burn.

Upnet Joe

- Original Message -
From: Kory Krofft [EMAIL PROTECTED]
To: Charles Steinkuehler [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Thursday, April 11, 2002 10:06 PM
Subject: Re: [Leaf-user] Adding to syslinux.cfg on DCD


 Thanks for the response Charles,
 I am planning to burn a new CD but I don't see where to edit
 syslinux.cfg
 to use when burning the new CD. I can copy it from a boot floppy but
 where do I have winimage put it to replace the current one on the ISO
 image?

 Thanks,
 Kory

 Charles Steinkuehler wrote:
 
   How do I edit syslinux.cfg on the DCD image? I have winimage and can
   view the ISO image but I don't see syslinux.cfg. I want to add the
   serial terminal redirect to it so I will see boot messages.
 
  You boot off a floppy (or other writable media), or you burn a new CD :
 
 







Re: Fw: [Leaf-user] Compact Flash vs CD Rom

2002-04-06 Thread Upnet Joe

On Sat, 6 Apr 2002, Upnet Joe wrote:

I have an LRP with a Flash Card, however I like to run my router with CD,
'cause it's very easy..

Look, almost Flash.
CD running LEAF router, no need for a floppy at all.

I changed Charles's CD (in bootdisk.bin - root.lrp) linuxrc like this:
if [ -r $MNT/lrpkg.cfg ]; then
    ROOTMAP=`sed s/$CR\$// $MNT/lrpkg.cfg`
else
    if [ -r $BOOTDIR/lrpkg.cfg ]; then                 #---this
        ROOTMAP=`sed s/$CR\$// $BOOTDIR/lrpkg.cfg`     #---this
    else
        ROOTMAP=`sed 's/.*LRP=//; s/ .*//' /proc/cmdline`
    fi
fi

Created lrpkg.cfg in /boot
tar -cvzf root.lrp
insert root.lrp bootdisk.bin
created new iso image

Now I can boot my router with CD, no more floppy; it'll read the lrpkg.cfg
file from /boot/ heh... plus I still have the option to put a floppy in if I
want to change anything; once everything is in place, reburn.

CD-RW burned with Nero (3 min); isn't this secure / better than Flash?

That's it

Upnet Joe.

   I've noticed a zillion posts to this list concerning
   LEAF on CD-ROM.   I'm curious why there seems to be so
   little interest in Compact Flash.
 
  There's actually quite a bit of interest in CF, and other forms of flash
  media.  I suspect a couple of issues are responsible for the substantially
  larger number of posts regarding CD-ROMs:
 
  1) Like it or not, most folks' first LEAF system is built from spare parts
  lying around, or perhaps an existing system pushed into temporary use as a
  trial LEAF system.  In this environment, standard PC devices (like a
  floppy disk or CD-ROM boot) are the least path of resistance.
 
  2) Due at least partly to the above, I think most "help, it's not working"
  type posts come from new users who are following the path of least
  resistance, and booting with a floppy or CD.
 
  3) It's not really that hard to migrate from a floppy or CD version of
  LEAF to running off a HDD, CF card, flash based IDE module, or pretty much
  anything else that looks like a HDD to linux, so I think there are a fair
  number of users running with flash that we simply never hear from on the
  list...
 
  4) There are occasional flurries of posts regarding flash storage,
  especially with regards to write-protectable flash devices (which are hard
  to come by)...the latest have all been on the LEAF-developer
  list...perhaps you missed them?
 
  Charles Steinkuehler
  http://lrp.steinkuehler.net
  http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
 
 





Re: [Leaf-user] ssh firewall

2002-03-30 Thread Upnet Joe

Why don't you use FreeS/WAN IPsec... I just woke up, hehe

Upnet Joe

- Original Message -
From: Greg Morgan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; Henning, Brian
[EMAIL PROTECTED]
Sent: Saturday, March 30, 2002 1:57 AM
Subject: Re: [Leaf-user] ssh firewall


 Henning, Brian [EMAIL PROTECTED] wrote:
 
  hello-
 
  I am using echowall on dachstein LRP. I have a windows 2k pro machine
  that I can ssh into from the outside. I am also running an http server on
  my w2k machine. I am port forwarding ssh through my router/firewall.  My
  problem is I am not sure how to tunnel the http to the *outside world*. I
  am not sure if it is possible. Any thoughts or suggestions?
 
  thanks
 
  brian
 

 Charles gave you the answer to this before, but if you are coming from a
 windows world it may not make sense. I attached his original post at the
 end of this message.  Here's what I'll presume about you.  You are on a
 windows client at work or somewhere else connecting to your LEAF box.
 As you described you have a Windows 2000 box with a web page you want to
 see.  There are a lot of things to keep straight in one's mind when you
 start playing with port forwarding and SSH.  In short, you are not
 trying to tunnel the http to the *outside world* but you tell your
 clients how to tunnel to the service.

 First off think of your LEAF box as just a patch cord.  You have taken a
 cord and plugged it into a receptacle named 22 available to the rest of
 the world.  The other end of the cord has been plugged into 22 on your
 W2K box.  That's all port forwarding does in LEAF.  LEAF is completely
 out of the picture now.  All that it is is a pipe for data to flow
 over.  You have successfully done that as you describe above.

 Now let's talk about the magic of SSH.  SSH is one protocol.  It allows
 a person to setup an encrypted link between two computers.  Typically, a
 telnet like feature is used within the SSH suite to talk to another
 server and run commands on it.  But there are a few more tricks up
 SSH's sleeve.  SSH allows you to build other pipes within the port 22
 pipe.  This is normally referred to as tunneling.  Within the port 22
 pipe you can create multiple tunnels.  For example I have both regular
 SSH and web tunneled to a windows machine.  I created these tunnels to
 try and explain what you'll need to do.  If I wanted to ftp through SSH,
 then you could add this too.  Name a protocol and try it.  You are
 really just redirecting a port that the protocol normally uses on your
 localhost to the desired port on your server.

 There are several SSH packages for Windows.  I'll describe putty.  You
 will need version 0.52. My prior version, 0.51, did not have the
 features to perform the tasks you're asking for.  (And yes I upgraded
 today to try it out. :)   )
 A.8.8 How do I pronounce PuTTY?
 Exactly like the normal word putty. Just like the stuff you put on
 window frames. (One of the reasons it's called PuTTY is because it makes
 Windows usable. :-)
 http://www.chiark.greenend.org.uk/~sgtatham/putty/faq.html

 Download the executables from
 http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html.  You
 will want plink.exe especially.  plink is short for putty link.  You
 will want to setup your private key on the windows client computer that
 attaches to LEAF.

 plink.exe takes the SSH part and simplifies building tunnels within the
 port 22 pipe on a Windows PC.  I have a Samba Server on a Linux box that
 acts like your W2K box.  I used a windows PC with putty and plink to
 connect to it.  Here's the command I used where

  myLEAFipAddress is the address to LEAF performing port forwarding.
  myuser is the userid on the W2K box.
  myW2kboxIPorName is the ip or name of your W2k box.  You would need
  to add the name in the c:\windows\host file for a server name to work.

  plink -L 80:myLEAFipAddress:80 myuser@myW2kboxIPorName

 This establishes the tunnel.  I do not have a web server on my windows
 PC.  However, when I use

   http://localhost/

 in the web browser, I see what my Apache server is providing me.
 Remember port 80 is the default port used by browsers i.e.
 http://localhost/ is the same as http://localhost:80/.  SSH through
 plink is creating a tunnel to my local machine or a secure patch cord.
 plink forwards whatever connects on my local windows box at port 80 to
 the other server on port 80.  You have to just believe this until it
 makes sense.  Also note the localhost is the name for ip address
 127.0.0.1.  Every networking host has this available to it.

 Perhaps the -L 80:myLEAFipAddress:80 is confusing because the command is
 using the same port numbers on both ends of the pipe or tunnel.  Let's
 try this since I am putting off filling out my 1040 tax forms :}

  plink -L 1040:myLEAFipAddress:80 myuser@myW2kboxIPorName

 Now use

  http://localhost:1040/

 in the web browser.  Once again I see the pages Apache is serving up to
 me.
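Greg's point is that `-L 1040:host:80` makes a listener on the client's own localhost whose connections are carried to port 80 on the far end, so the browser talks to http://localhost:1040/ and sees the remote pages. The Python below is an added example, not code from the list, PuTTY or LEAF: it models only the relay behaviour of a `-L` forward (a listener on 127.0.0.1 that copies bytes both ways to the target), not the SSH encryption that wraps it, and the tiny "web server" it talks to is a constructed stand-in for the W2K box.

```python
import socket
import threading


def _pump(src, dst):
    """Copy bytes one way until src closes, then close dst's write side."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_local_forward(listen_port, target_host, target_port):
    """Model of plink/ssh `-L listen_port:target_host:target_port`.

    Listens on 127.0.0.1:listen_port (localhost only, as -L does by default) and
    relays every connection to the target.  Returns (listener_socket, bound_port);
    listen_port=0 asks the OS for a free port.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", listen_port))
    listener.listen(5)

    def accept_loop():
        while True:
            try:
                client, _ = listener.accept()
            except OSError:
                return                          # listener closed: tunnel torn down
            try:
                remote = socket.create_connection((target_host, target_port), timeout=5)
            except OSError:
                client.close()                  # far end unreachable: drop this connection
                continue
            threading.Thread(target=_pump, args=(client, remote), daemon=True).start()
            threading.Thread(target=_pump, args=(remote, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return listener, listener.getsockname()[1]


def start_fake_web_server():
    """Constructed stand-in for the W2K web server: reads a request, answers with one line."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(5)

    def serve():
        while True:
            try:
                conn, _ = server.accept()
            except OSError:
                return
            with conn:
                request = b""
                while True:
                    chunk = conn.recv(4096)
                    if not chunk:
                        break
                    request += chunk
                conn.sendall(b"HTTP/1.0 200 OK\r\n\r\nyou sent %d bytes" % len(request))

    threading.Thread(target=serve, daemon=True).start()
    return server, server.getsockname()[1]


def fetch(port, request=b"GET / HTTP/1.0\r\n\r\n"):
    """What the browser does for http://localhost:<port>/ : connect, send, read the reply."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(request)
        s.shutdown(socket.SHUT_WR)
        reply = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            reply += chunk
    return reply


if __name__ == "__main__":
    web, web_port = start_fake_web_server()
    tunnel, local_port = start_local_forward(1040, "127.0.0.1", web_port)
    print(fetch(local_port).decode())           # same reply as talking to web_port directly
    tunnel.close()
    web.close()
```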

Re: [Leaf-user] I am Happy to tell you all

2002-03-19 Thread Upnet Joe

- Original Message -
From: David McBride [EMAIL PROTECTED]
To: 'Upali Weerasinghe' [EMAIL PROTECTED]; LEAF list (E-mail)
[EMAIL PROTECTED]
Sent: Tuesday, March 19, 2002 8:44 AM
Subject: RE: [Leaf-user] I am Happy to tell you all


 I wanted to make sure I understood your post correctly.  You are bonding
 the traffic to the internet into one single bandwidth??  Just as an example:
 taking two DSL with 1.5 MBit and making it possible to get close to a 3.0

Yes it is...

 MBit download rate???
But your ISP must support this to work; normally a Cable modem can do this, I
don't have access to DSL.
I am sure you can do that with any type of ethernet connection, but your ISP
must support this (most Cable Modem connections do this).

The bonding module is normally used in High Speed network Clusters.

Upnet Joe

 Thanks,
 David
 [Leaf-user] I am Happy to tell you all


 Charles Steinkuehler's LEAF/LRP mixed Dachstein and EigerStein2BETA

 Router
 Firewall
 dhcpd
 dhclient
 dnscache
 weblet
 sshd
 ipsec VPN

 Pentium 125 with 128MB mem... 32MB IDE Flash Card from Lexmark
 Printer...heh
 2 NICs attached to Internet using network bonding module... this is cool,
 my Quake3 Excessive Server can handle 20 users...no single packet drop..
 while doing other things like WEB, EMAIL, FTP, IPSEC VPN... I have 6
 clients, doing all kind of yak, napster..msn, what not.. watch internet
 TV...oh boy...

 LRP is real busy, I love it.. I tried to do the same thing with a Linksys
 BEFSR41 Hardware Router, no way; however the Linksys Router is good...
 but he can't beat LRP.

 LRP is Linux, he can do much more than Router, that's why it fits me...

 I would like to say Thanks to Linus Torvalds, Charles Steinkuehler, and
 all Linux Gurus...around the World...

 here is my network

 INTERNET-----NoteBooks (Road Warriors) Web, Email, etc... all
 over the world
 |
 |
 SWITCH
 ||
 LRP Router
   |
   |
 SWITCH-----Clients

 here some out put from my router

 myrouter: -root-
 # uname -a
 Linux myrouter 2.2.19-3-LEAF #7 Sat Dec 1 14:00:22 CST 2001 i386 unknown

 myrouter: -root-
 # w
  13:18:50 up 3 Days (76h), load average: 0.08 0.02 0.01
 USER TTY  PID  TIMEON   FROM
 root ttyp15051 63   192.168.

 myrouter: -root-
 # uptime
  13:18:55 up 3 Days (76h), load average: 0.07 0.02 0.00

 myrouter: -root-
 # ip r s
 24.101.135.30 via 24.101.136.1 dev ipsec0
 192.168.1.0/24 dev eth2  proto kernel  scope link  src 192.168.1.1
 24.101.136.0/24 dev bond0  proto kernel  scope link  src 24.101.136.77
 24.101.136.0/24 dev ipsec0  proto kernel  scope link  src 24.101.136.77
 10.0.10.0/24 dev eth3  proto kernel  scope link  src 10.0.10.1
 default via 24.101.136.1 dev eth0

 # ps aux
 USER   PID %CPU %MEM  SIZE   RSS TTY STAT START   TIME COMMAND
 daemon1240  0.0  1.0  1964  1288  ?  S   Mar  6   0:00
 /usr/sbin/dnscache
 root 1  0.0  0.2   756   364  ?  S   Mar  6   0:07 init [2]
 root 2  0.0  0.0 0 0  ?  SW  Mar  6   0:00 (kflushd)
 root 3  0.0  0.0 0 0  ?  SW  Mar  6   0:00 (kupdate)
 root 4  0.0  0.0 0 0  ?  SW  Mar  6   0:00 (kswapd)
 root 5  0.0  0.0 0 0  ?  SW  Mar  6   0:00 (keventd)
 root   663  0.0  0.1  1100   248  ?  S   Mar  6   0:00 update
 root   898  0.0  0.3   816   468  ?  S   Mar  6   1:06
/sbin/syslogd -m
 240
 root   900  0.0  0.5  1068   680  ?  S   Mar  6   0:00 /sbin/klogd
 root   904  0.0  0.3   776   388  ?  S   Mar  6   0:00 /usr/sbin/inetd
 root   908  0.0  0.1   720   220  ?  S   Mar  6   0:00
 /usr/sbin/watchdog
 root   911  0.0  0.3   800   440  ?  S   Mar  6   0:00 /usr/sbin/cron
 root  1231  0.0  0.4   936   536  ?  S   Mar  6   0:00
 /usr/sbin/dhclient eth0 eth1
 root  1241  0.0  0.3   784   396   1 S   Mar  6   0:00 /sbin/getty
38400
 tty1
 root  2459  0.0  0.2   824   360  ?  S   Mar  7   0:00 sh
 /usr/local/lib/ipsec/_plutorun --debug none --uniqueids yes --d
 root  2460  0.0  0.2   756   352  ?  S   Mar  7   0:00 logger -p
 daemon.error -t ipsec__plutorun
 root  2464  0.0  0.2   824   360  ?  S   Mar  7   0:00 sh
 /usr/local/lib/ipsec/_plutorun --debug none --uniqueids yes --d
 root  2465  0.0  0.2   824   356  ?  S   Mar  7   0:00 sh
 /usr/local/lib/ipsec/_plutoload --load %search --start %search
 root  2468  0.0  0.2   824   360  ?  S   Mar  7   0:00 sh
 /usr/local/lib/ipsec/_plutorun --debug none --uniqueids yes --d
 root  2469  0.0  0.5  1236   700  ?  S   Mar  7   0:38
 /usr/local/lib/ipsec/pluto --nofork --debug-none --uniqueids
 root  3217  0.0  0.4   964   572  ?  S   Mar  7   0:00 /usr/sbin/dhcpd
 eth2
 root  5042  0.0  0.6  1224   836  ?  S12:13   0:01 sshd -i
 root  5051  0.0  0.2   844   368  p1 S12:15   0:00 -sh
 root  5132  0.0  0.3   840   472  p1 R13:25   0:00 ps aux

 myrouter: -root-
 Networking is FUN

 if anyone wanna check me here is my webaddress

Re: [Leaf-user] ipsec errors

2002-03-09 Thread Upnet Joe

Yes, you got a problem, Sir:
now you do this:
echo 1 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/ipsec0/rp_filter

then:
ipsec setup --restart

I don't know how you set up your /etc/ipsec.conf... if you have an auto=add
line in your conn.. then you're ready to go.. you're almost there...


good luck

Upnet Joe.
- Original Message -
From: joey officer [EMAIL PROTECTED]
To: Charles Steinkuehler [EMAIL PROTECTED]; LRP Support
[EMAIL PROTECTED]
Sent: Saturday, March 09, 2002 11:21 AM
Subject: Re: [Leaf-user] ipsec errors


 I did not find that specific line in the net ipfilter list command,
 however I did change the setting in the network.conf file.  However I still
 did not find that line in the above command.  I got to thinking about the
 specific problem I'm having and thought I might try to give a little more
 information .. here goes

 the machines are mostly stock dachstein, running udhcpd (instead of
 dhcpd/dhclient), w/ slightly modified subnets.  Both machines are routing
 as designed, and all machines can ping the other gateway, internet is
 working fine).  Although the ip address for each gateway is dynamic, they
 have stayed the same for at least the last 2 months, so I have based my
 works on the assumed fact that these IPs will stay the same for a while
 longer.  At any rate, for testing purposes they have stayed the same.


 subnet-home ---- home ------ internet ------ office ---- subnet-office
 192.168.3.0/24   66.25.44.147             66.25.18.71   192.168.1.0/24

 IPSec loads without any noticeable errors, except something about
 rp_filter should be 0, but reads 1 (or vice versa).  If I understand
 correctly, once both machines are at this point I could ping the office
 subnet from the home subnet, and the opposite, however this does not work.
 So then I tried ' ipsec auto --up office ' .. and then this just hangs.
 sits for awhile (reading the logs says something about initializing office
 on MAIN).  After a minute or so, I ctrl-break this and am unable to go any
 further.

 That's about where I am .. and am stuck...

 joey


 - Original Message -
 From: Charles Steinkuehler [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]; LRP Support
 [EMAIL PROTECTED]
 Sent: Friday, March 08, 2002 5:46 PM
 Subject: Re: [Leaf-user] ipsec errors


   Where do I check to see if protocol 50 packets are being allowed
   through?
   I'll be working more on it this weekend.. I'd really like to get this
   working so I'll try just about anything.. even possibly step/by/step
   support via phone (I'd beg someone to call my 800 number for a little
   assistance...
 
  The primary source is the output of net ipfilter list, which shows you
  exactly how your firewall rules are setup.  You're looking for a line
  allowing protocol 50, preferably with non-zero byte/packet counts:
 
  1843  356K ACCEPT 50   -- 0xFF 0x00  eth0 <snip>
 
  You open protocol 50 traffic with the following in network.conf:
  EXTERN_PROTO0="50 0/0"
 
  Of course, you can change the 0/0 (the entire internet) to the address
  (or network) of your remote VPN link, if it's static.
 
  Charles Steinkuehler
  http://lrp.steinkuehler.net
  http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
 
 
 




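Charles's check is to look in the `net ipfilter list` output for an ACCEPT of protocol 50 (ESP) on the external interface, preferably with non-zero counters. The parser below is an added example, not code from the list or from Dachstein: it reads the `ipchains -L -v -n` column layout that listing uses (pkts bytes target prot opt tosa tosx ifname mark outsize source destination ports, with mark/outsize blank unless set) and performs that check; the sample listing is constructed.

```python
import re

COUNT_RE = re.compile(r"^(\d+)([KMG]?)$")
ADDR_RE = re.compile(r"^\d+\.\d+\.\d+\.\d+(?:/\d+)?$")
SCALE = {"": 1, "K": 1000, "M": 1000000, "G": 1000000000}


def parse_count(token):
    """ipchains abbreviates counters (356K); expand to an integer, or None if not a counter."""
    m = COUNT_RE.match(token)
    if not m:
        return None
    return int(m.group(1)) * SCALE[m.group(2)]


def parse_rules(text):
    """Parse `ipchains -L -v -n` style output into one dict per rule.

    mark and outsize are blank unless set, so source/destination are found by
    their dotted-quad shape rather than by column position.
    """
    rules = []
    chain = None
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "Chain":
            chain = tokens[1]
            continue
        if len(tokens) < 8 or parse_count(tokens[0]) is None or parse_count(tokens[1]) is None:
            continue                      # column header or something we don't understand
        pkts, nbytes, target, prot, opt, tosa, tosx, ifname = tokens[:8]
        rest = tokens[8:]
        addr_idx = [i for i, t in enumerate(rest) if ADDR_RE.match(t)]
        if len(addr_idx) < 2:
            continue
        src_i, dst_i = addr_idx[0], addr_idx[1]
        rules.append({
            "chain": chain, "pkts": parse_count(pkts), "bytes": parse_count(nbytes),
            "target": target, "prot": prot, "opt": opt, "ifname": ifname,
            "source": rest[src_i], "destination": rest[dst_i],
            "ports": " ".join(rest[dst_i + 1:]),
        })
    return rules


def check_protocol_allowed(text, prot, ifname, chain="input"):
    """Is there an ACCEPT for this protocol on this interface, and has it seen traffic?"""
    hits = [r for r in parse_rules(text)
            if r["chain"] == chain and r["target"] == "ACCEPT"
            and r["prot"] == prot and r["ifname"] in (ifname, "*")]
    return {
        "allowed": bool(hits),
        "packets": sum(r["pkts"] for r in hits),
        "bytes": sum(r["bytes"] for r in hits),
    }


# Constructed listing in the layout `net ipfilter list` prints.
SAMPLE = """\
Chain input (policy DENY: 2 packets, 256 bytes):
 pkts bytes target     prot opt    tosa tosx  ifname     mark       outsize  source                destination           ports
 1843  356K ACCEPT     50   ------ 0xFF 0x00  eth0                           0.0.0.0/0            0.0.0.0/0             n/a
   15   900 DENY       udp  ------ 0xFF 0x00  eth0                           165.165.8.1          0.0.0.0/0             *  ->   514
    0     0 ACCEPT     tcp  ------ 0xFF 0x00  eth0                           0.0.0.0/0            0.0.0.0/0             *  ->   80
"""

if __name__ == "__main__":
    print(check_protocol_allowed(SAMPLE, "50", "eth0"))   # ESP accepted, 1843 packets seen
    print(check_protocol_allowed(SAMPLE, "51", "eth0"))   # no rule for AH
```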



Re: [Leaf-user] Please Please Help me...!

2002-03-09 Thread Upnet Joe

OK, before you jump into NASA Tech... do this:

ping your internal machine from LRP, yes or no? no = fix it (cables, config
etc..)
ping the internet from your lrp/internal machine, yes or no? no = fix it
ping LRP from anywhere outside of your network, yes or no? no = fix it..
(allow www traffic with 0.0.0.0/0 to your lrp and internal web_computer)

if you have no way out... do this:

ipchains -P forward ACCEPT
ipchains -P input ACCEPT
ipchains -P output ACCEPT
ipchains -F

ipchains -A forward -j MASQ -s 10.0.0.0/8 -d 0/0 -i eth0

this time portforward by hand:
ipmasqadm portfw -a -P tcp -L 111.222.333.444 80 -R 10.24.33.150 80

if you want, now do ipchains -P forward DENY

go to an internet_cafe... fire up IE6/netscape or whatever, type your ip
address http://111.222.333.444

remember you are not allowed to do that from your internal Network,
OK...Please remember...
then you have to do it by http://10.24.33.150, you know what I mean...

that's it baby...

once everything is working, don't drink beer... time to set up your firewall
rules in /etc/ipfilter.conf; be sure to check /etc/network.conf too...

if you still have a problem... talk to Charles, James... like real techs... or
hire me... heheheeh
good luck..

Upnet Joe

- Original Message -
From: barwals [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, March 09, 2002 6:24 AM
Subject: [Leaf-user] Please Please Help me...!


 Hi everybody,

 Please Please help me! I have been trying to do it for the last one month
 but could not, and only then have I sent a mail to this mailing list.

 I'm running the Dachstein LEAF firewall. I'm not able to forward the
 external traffic which is coming to my valid IP addr (eth0) to my internal
 web server which is a windows 2000 server. I have already gone through
 all the related mailing list archive but could not solve the problem and
 hence I'm writing to this list. The error I'm getting in my browser is
 "Connection failed: Connection timed out".

 My configuration is as follows.

 EXTERN_IP=111.222.333.444
 EXTERN_IF =eth0
 INTERNAL_IP=10.24.33.224
 INTERNAL_IF =eth1
 INT_NET = 10.0.0.0/8
 IPFWDING_KERNEL= FILTER_ON
 IPALWAYSDEFRAG_KERNEL = YES
 CONFIG_HOSTNAME = YES
 CONFIG_HOSTSFILE = YES
 CONFIG_DNS = NO
 IPFILTER_SWITCH = firewall
 SNMP_BLOCK = YES
 EXTERN_DHCP = NO
 EXTERN_DHCP = NO
 EXTERN_TCP_PORT0="0/0 www 111.222.333.444"
 INTERN_SERVERS=tcp_111.222.333.444_www_10.24.33.150_www

 My IPCHAINS RULES look like they are accepting the connection at
 111.222.333.444. But I could not find the solution. Could anybody help me
 in that regard.
 When I look in weblet through a browser I'm seeing this,

 but no byte(packet) in Chain port forward policy.


 :: Masqueraded Connections ::
 IP masquerading entries
 prot expire source destination ports
 tcp 0:58.64 10.24.33.150 203.163.160.2 80 -> 2678 (80)




 Regards.
 Thanks.

 Sudhir






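Sudhir's `INTERN_SERVERS=tcp_111.222.333.444_www_10.24.33.150_www` entry and the `ipmasqadm portfw` command Joe suggests running by hand describe the same forward, and Joe's other point is that a masqueraded internal client must use the server's internal address rather than the public one. The Python below is an added example, not Dachstein's own parser: it validates entries in that proto_extip_extport_intip_intport format, prints the equivalent `ipmasqadm portfw` line, and picks the address a client should use. The service table is a constructed subset of /etc/services, and 203.0.113.44 is a constructed stand-in for a public address (the thread's 111.222.333.444 is an obfuscated value and is rejected as not a valid IPv4 address).

```python
import ipaddress

# Service names in network.conf resolve through /etc/services on the router;
# this small table (constructed) covers the names that appear in the thread.
SERVICES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "smtp": 25,
            "domain": 53, "pop-3": 110, "spop3": 995, "ftp": 21}


def port_number(name):
    """Accept a numeric port or a service name from the table."""
    if name.isdigit():
        port = int(name)
        if not 0 < port < 65536:
            raise ValueError(f"port {name} out of range")
        return port
    if name not in SERVICES:
        raise ValueError(f"unknown service {name!r}")
    return SERVICES[name]


def parse_intern_server(entry):
    """Parse one INTERN_SERVERS entry: proto_extip_extport_intip_intport."""
    parts = entry.split("_")
    if len(parts) != 5:
        raise ValueError(f"expected 5 underscore-separated fields, got {len(parts)}: {entry!r}")
    proto, ext_ip, ext_port, int_ip, int_port = parts
    if proto not in ("tcp", "udp"):
        raise ValueError(f"protocol must be tcp or udp, got {proto!r}")
    for label, ip in (("external", ext_ip), ("internal", int_ip)):
        try:
            ipaddress.IPv4Address(ip)
        except ValueError:
            raise ValueError(f"{label} address {ip} is not a valid IPv4 address") from None
    return {"proto": proto, "ext_ip": ext_ip, "ext_port": port_number(ext_port),
            "int_ip": int_ip, "int_port": port_number(int_port)}


def validate_entries(entries):
    """Return one problem string per bad entry; an empty list means all parsed."""
    problems = []
    for entry in entries:
        try:
            parse_intern_server(entry)
        except ValueError as exc:
            problems.append(f"{entry}: {exc}")
    return problems


def portfw_command(rule):
    """The ipmasqadm line that sets up this forward by hand, as Joe suggests."""
    return (f"ipmasqadm portfw -a -P {rule['proto']} "
            f"-L {rule['ext_ip']} {rule['ext_port']} -R {rule['int_ip']} {rule['int_port']}")


def address_for_client(rule, client_ip, internal_net="10.0.0.0/8"):
    """Which address a client must use to reach the forwarded service.

    A masqueraded internal client cannot reach the forward through the public
    address, so inside the LAN the server's own address and port are used.
    """
    if ipaddress.ip_address(client_ip) in ipaddress.ip_network(internal_net):
        return rule["int_ip"], rule["int_port"]
    return rule["ext_ip"], rule["ext_port"]


if __name__ == "__main__":
    rule = parse_intern_server("tcp_203.0.113.44_www_10.24.33.150_www")
    print(portfw_command(rule))
    print(address_for_client(rule, "10.24.33.7"), address_for_client(rule, "198.51.100.3"))
    print(validate_entries(["tcp_111.222.333.444_www_10.24.33.150_www"]))
```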



Re: [Leaf-user] MSN MESSENGER FT

2002-03-09 Thread Upnet Joe

Need more info about your network... and what is your Client PC, XP or W2K, 98
...

I notice on XP if you have Firewall protection enabled... you can't send
files...

I know many networks use Hardware Router/Firewalls, users having problems with
up/down loading files...
however Hackers got no problem, nada...

Upnet Joe

- Original Message -
From: Jim Van Eeckhoutte [EMAIL PROTECTED]
To: , [EMAIL PROTECTED]
Sent: Saturday, March 09, 2002 2:06 AM
Subject: [Leaf-user] MSN MESSENGER FT


 I know this is a non leaf question but you guys might be my only hope.
 I'm using MikroTik RouterOS which is using input, forward, and output
 chains with src-nat and dest-nat. I have it set up using masq and nat
 for internal services. Here's my question: I have tried everything to
 get file transfer (msmessenger) to work; I can receive files but can't
 send them. Can you guys shed some light on how this process could work.
 MikroTik response is somewhat limited.







Re: [Leaf-user] Port forwarding problem....!

2002-03-05 Thread Upnet Joe

EXTERN_TCP_PORT0="0/0 www 111.222.333.444"
I think this is wrong, not really sure.

EXTERN_TCP_PORTS="0/0_ssh 0/0_smtp 0/0_www 0/0_domain 0/0_https 0/0_pop-3 0/0_spop3"
This is mine and it is working.

How did you try to access your internal web server?
Since you are firewalling and MASQing your public connection, you can't access
your port-fw connection via the public address (eth0) from an internal client..
The only way you can access it is by your internal ip-address 10.24.33.129 or a
dns name mapped to that address.

Ask someone to access 111.222.333.444 from outside your network... it
should work.

Upnet Joe

- Original Message -
From: barwals [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, March 05, 2002 6:20 AM
Subject: [Leaf-user] Port forwarding problem!


 Hi,

 I'm running the Dachstein LEAF firewall. I'm not able to forward the
 external traffic which is coming to my valid IP addr (eth0) to my internal
 web server which is a windows 2000 server. I have already gone through all
 the related mailing list archive but could not solve the problem and hence
 I'm writing to this list. The error I'm getting in my browser is
 "Connection failed: Connection timed out".

 My configuration is as follows.

 EXTERN_IP=111.222.333.444
 EXTERN_IF =eth0
 INTERNAL_IP=10.24.33.224
 INTERNAL_IF =eth1
 INT_NET = 10.0.0.0/8
 IPFWDING_KERNEL=  FILTER_ON
 IPALWAYSDEFRAG_KERNEL = YES
 CONFIG_HOSTNAME = YES
 CONFIG_HOSTSFILE = YES
 CONFIG_DNS = NO
 IPFILTER_SWITCH =  firewall
 SNMP_BLOCK = YES
 EXTERN_DHCP = NO
 EXTERN_DHCP = NO
 EXTERN_TCP_PORT0="0/0 www 111.222.333.444"
 INTERN_SERVERS=tcp_111.222.333.444_www_10.24.33.150_www

 My IPCHAINS RULES look like they are accepting the connection at
 111.222.333.444. But I could not find the solution. Could anybody help me in
 that regard.


 Regards.

 Thanks.

 For your reference I'm herewith attaching my ipchains output.

 ---------------------------------------------------------------------------
 Chain input (policy DENY: 2 packets, 256 bytes):
  pkts bytes target prot opt tosa tosx  ifname mark outsize  source            destination   ports
        256 DENY   udp  --  0xFF 0x00  eth0                  165.165.8.1       0.0.0.0/0     * ->   37
    15   900 DENY   udp  --  0xFF 0x00  eth0                  165.165.8.1       0.0.0.0/0     * ->   514
     6  1065 DENY   udp  --  0xFF 0x00  eth0                  164.100.250.91    0.0.0.0/0     * ->   631
     0     0 DENY   icmp l-  0xFF 0x00  *                     0.0.0.0/0         0.0.0.0/0     5 ->   *
     0     0 DENY   icmp l-  0xFF 0x00  *                     0.0.0.0/0         0.0.0.0/0     13 ->  *
     0     0 DENY   icmp l-  0xFF 0x00  *                     0.0.0.0/0         0.0.0.0/0     14 ->  *
     0     0 DENY   all  l-  0xFF 0x00  eth0                  0.0.0.0           0.0.0.0/0     n/a
     0     0 DENY   all  l-  0xFF 0x00  eth0                  255.255.255.255   0.0.0.0/0     n/a
     0     0 DENY   all  l-  0xFF 0x00  eth0                  127.0.0.0/8       0.0.0.0/0     n/a
     0     0 DENY   all  l-  0xFF 0x00  eth0                  224.0.0.0/4       0.0.0.0/0     n/a
     0     0 DENY   all  l-  0xFF 0x00  eth0                  10.0.0.0/8        0.0.0.0/0     n/a
     0     0 DENY   all  l-  0xFF 0x00  eth0                  172.16.0.0/12     0.0.0.0/0     n/a
     0     0 DENY   all  l-  0xFF 0x00  eth0                  192.168.0.0/16    0.0.0.0/0     n/a
     0     0 DENY   all  l-  0xFF 0x00  eth0                  0.0.0.0/8         0.0.0.0/0     n/a
     0     0 DENY   all  l-  0xFF 0x00  eth0                  128.0.0.0/16      0.0.0.0/0     n/a
     0     0 DENY   all  l-  0xFF 0x00  eth0                  191.255.0.0/16    0.0.0.0/0     n/a
     0     0 DENY   all  l-  0xFF 0x00  eth0                  192.0.0.0/24      0.0.0.0/0     n/a
     0     0 DENY   all  l-  0xFF 0x00  eth0                  223.255.255.0/24  0.0.0.0/0     n/a
     0     0 DENY   all  l-  0xFF 0x00  eth0                  240.0.0.0/4       0.0.0.0/0     n/a
     0     0 DENY   all  l-  0xFF 0x00  eth0                  10.0.0.0/8        0.0.0.0/0     n/a
     0     0 DENY   all  l-  0xFF 0x00  eth0                  111.222.333.444   0.0.0.0/0     n/a
     0     0 REJECT all  l-  0xFF 0x00  eth0                  0.0.0.0/0         127.0.0.0/8   n/a
     0     0 REJECT all  l-  0xFF 0x00  eth0                  0.0.0.0/0         10.0.0.0/8    n/a
     0     0 REJECT tcp  --  0xFF 0x00  eth0                  0.0.0.0/0         0.0.0.0/0     * ->   137
     0     0 REJECT tcp  --  0xFF 0x00  eth0                  0.0.0.0/0         0.0.0.0/0     * ->   135
     0     0 REJECT udp  --  0xFF 0x00  eth0                  0.0.0.0/0         0.0.0.0/0     * ->   137
     0     0 REJECT udp  --  0xFF 0x00  eth0                  0.0.0.0/0         0.0.0.0/0     * ->   135
     0     0 REJECT tcp  --  0xFF 0x00  eth0                  0.0.0.0/0         0.0.0.0/0     * ->   138:139