[leaf-user] Question: how2 mingetty+uClibc 4 bering boot2root?

2004-04-02 Thread William (Andy) Smith
At our site, our equipment is physically secured behind locked doors. We are
using OpenSSH, so if we need to do remote maintenance, we do so with our
OpenSSH keys. If we need to do 'hands on' maintenance, we have the physical
key to get through the door and into the 'closet'. Usually, that isn't the
time we want to look up root passwords, so we've been implementing
mingetty's 'auto-boot' option and a root password scrambler that makes it
not possible to know what root's PW is at any given time, though we may
temporarily set it if needed. Cron auto-scrambles it later.

I'm looking for the most straight-forward way to get the auto-boot2root.
Perhaps the way to this is a uClibc version of mingetty with the auto-boot
patch. Perhaps the standard getty could be patched for this, or it has such
a patch I'm not aware of. Key to this 'boot2root' is having something like
'pwgen' to randomly create and 'chpasswd' to command-line enter a password.
I also don't know the interaction this will have with the lrcfg script.

1) If the objective is simple enough, is someone willing to create the .lrp
of uClibc compiled mingetty, pwgen and chpasswd programs? Or could someone
guide me through hacking the source to compile suitable for Bering uClibc?
I'm not a programmer, I know enough to build kernels and read comments in
source.

2) Could someone suggest a name for an 'auto-boot2root+scrambled-pw.lrp'
package? Or should this be broken into several packages that accomplish only
the required parts? Ideally, one should need only edit inittab to get the
--autoboot option of mingetty (or a modified getty) and insert a line in
bootmisc.sh (or other more appropriate file) to have the console boot to the
lrcfg menu with an unknowable password. And perhaps a third step to ensure
the password is changed every, say, 15 minutes on the quarter-hour.

3) Could someone suggest how to arrange the boot process so an unknowable
password doesn't conflict with lrcfg popping open on bootup? Or, perhaps,
tty0 should spew syslog/ ulog messages, tty1 should drop to prompt and tty2
should drop to lrcfg. But I'm not confident of my ability to make that
happen. Your suggestions towards this would be most welcome.

--Romaq




---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
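The console-autologin-plus-scrambled-root-password scheme described in the message above, written out as an added shell example (this is not code from the original post, nor from the LEAF/Bering project). Assumptions not in the post: a POSIX sh with /dev/urandom, tr, head and id (a BusyBox/uClibc userland is enough); a chpasswd that reads "user:password" lines on stdin; a mingetty build that accepts --autologin; the install path /usr/local/sbin/scramble-root used in the cron line.

```shell
#!/bin/sh
# Root password scrambler: set root's password to a fresh random value that
# nobody knows, so console access depends on the physical key and remote
# access on OpenSSH keys. Added example, not the LEAF project's code.
#
# Assumptions (not from the original post): POSIX sh with /dev/urandom, tr,
# head and id (BusyBox/uClibc userland is enough); a chpasswd that reads
# "user:password" lines on stdin; a mingetty build that has --autologin.
#
# /etc/inittab line for the auto-logged-in console (assumed syntax):
#   1:2345:respawn:/sbin/mingetty --autologin root tty1
# root crontab line to rotate on the quarter-hour (assumed path):
#   0,15,30,45 * * * * /usr/local/sbin/scramble-root apply

PW_LEN=24                      # 62^24 is roughly 143 bits; nobody types this
ALPHABET='A-Za-z0-9'           # ASCII-only so the chpasswd line needs no quoting

# gen_pw N: print N random characters drawn from ALPHABET using /dev/urandom.
# LC_ALL=C keeps tr byte-oriented; tr -dc drops everything outside the set
# and head -c stops reading as soon as N characters have been collected.
gen_pw() {
    LC_ALL=C tr -dc "$ALPHABET" < /dev/urandom | head -c "${1:-$PW_LEN}"
}

# chpasswd_line USER PW: the one-line record chpasswd expects on stdin.
chpasswd_line() {
    printf '%s:%s\n' "$1" "$2"
}

# scramble_root: rotate root's password and discard it. Feeding chpasswd on
# stdin keeps the secret out of process arguments, where ps would show it.
scramble_root() {
    if [ "$(id -u)" -ne 0 ]; then
        echo 'scramble_root: must run as root' >&2
        return 1
    fi
    pw="$(gen_pw "$PW_LEN")"
    if [ "${#pw}" -ne "$PW_LEN" ]; then
        echo 'scramble_root: random source returned too little data' >&2
        return 1
    fi
    chpasswd_line root "$pw" | chpasswd || return 1
    unset pw
    # Record that a rotation happened, never the value.
    if command -v logger >/dev/null 2>&1; then
        logger -t scramble-root 'root password rotated'
    fi
    return 0
}

# Only act when invoked with "apply"; sourcing or running without arguments
# just defines the functions (useful for testing gen_pw without being root).
case "${1:-}" in
    apply) scramble_root ;;
esac
```

With mingetty --autologin on tty1, the rotated password never protects the console itself; it only matters for whatever still checks /etc/shadow (a second getty without --autologin, su, or sshd if password authentication were ever re-enabled). The password is passed to chpasswd on stdin rather than on a command line precisely so that it never appears in the process table or in shell history.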


[leaf-user] Question: How do I manage two gateways for two internal machines?

2004-04-02 Thread William (Andy) Smith
I’m paying for a second IP with my Comcast account. Now, from their
point-of-view I should have my two Windows machines hooked up through a
straight hub into the back of the cable modem. From my point of view they
are out of their mind, plus I can’t set up an internal fileserver to share
between my two machines… a file server I explicitly do not want to share
with the world. And a test machine or two, or eight, none with ‘world’
access.

I want my personal machine and that of my fiancé to be presented to Comcast
through different interfaces. I have a physical eth2 if I find I can’t alias
eth0 to be the 2nd interface as well because of MAC identity, though I plan
to attempt it after I have eth2 working as I expect. Comcast will observe
her traffic and mine just as they would expect through the different
interfaces, so they can’t complain about me NAT’ing in violation of their
AUP. Any outbound not explicitly from those two machines will be in the
REJECT chain.

So much for my goal… but I do not grasp how to get there.

1) What is the best way to have our XP machines identify themselves to the
firewall?
2) How do I tell Shorewall to keep things straight? 

I plan to have the firewall cache DHCP and do Squid filtering of the web.
Blacklisting should apply to both. If I had a wish, Squid would pick which
outbound interface based upon which machine made the request. Same for DHCP.
Alas, one can’t have everything, but insight as to how to think of an
approach would be most welcome.

Thank you for your assistance.

--Romaq


William (Andy) Smith
[EMAIL PROTECTED]







[leaf-user] Re: Question: how2 mingetty+uClibc 4 bering boot2root?

2004-04-02 Thread William (Andy) Smith
It was pointed out to me (thank you sir!) that using OpenSSH and leaving
root without a password solves the problem, presuming there are no user
accounts. This is, in fact, my situation. The best solution to a problem is
a problem that turns out not to need solving at all. :)

If I have no non-root logins, and if I set up OpenSSH for no password
authentication/ key auth only... what are the liabilities of doing without a
password on root? I would presume if some exploit could crack the firewall
to gain access, a root password wouldn't make any difference. Is that a
false presumption?

--Romaq






RE: [leaf-user] Suggestion for Bering-uClibc_2.0-stable_iso_bering-uclibc-iso.bin

2004-05-07 Thread William (Andy) Smith

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

«More Linux is needed on the Net. On the one hand, more Linux installations
would serve as a 'firewall' against the epidemics of Windows viruses. As in
nature, monocultures are far more exposed to plagues than complex
ecosystems (*). On the other hand, it is only logical that governments, and
especially those of their agencies that are particularly aware of security
risks, demand the greatest transparency in the programs they use. We can use
complex and costly systems to ensure transparency (such as Microsoft's GSP).
We can also fill our computers to the brim with antivirus software. But
increasing the penetration of 'Open Source' is simpler, cheaper and more
democratic. We need more Linux so that there are fewer viruses and so that
the spies protect us better.

And in this pre-election period, what do the parties have to say about all this?»

Excerpt from an article on José Cervera's blog «Retiario», at Navegante.com
http://breu.bulma.net/?l2295

(*) In the Catalan lands we know a thing or two about plagues, thanks to the
Phylloxera... ah, memory! :)

-- 
Benjamí
http://bitassa.com






[leaf-user] PXE Boot for Bering uClibc current?

2004-06-06 Thread William (Andy) Smith
My goal:

I want to boot my firewall using a readonly floppy that is 'just enough' to
fetch everything else needed for kicking off the current Bering-uClibc.

I have followed the directions on
http://leaf.sourceforge.net/doc/guide/bupxebooting.html but of course they
are not for Bering uClibc. This fouls the pxe.lrp package and making the
correct root.lrp and initrd.lrp. I think I have that fixed up, but I'll
confirm that in a moment.

On the 'boot client' side I followed the directions with rom-o-matic.net to
make an image for this card:

rtl8139:clone-rtl8139 -- [0x,0x8139]

That's the right card according to cat /proc/pci.

I can fetch the pxelinux.0 image from 'localhost' using the tftp client.
Where I *think* I'm going wrong is in fetching the rom-o-matic image. I just
get the .zdsk. It gets the DHCP address correctly, and it shows in the logs
as fetching the pxelinux.0 image, and then it returns an error saying the
image is bad.

Now, the directions presume I have a pxe bootable bios configuration. Is
anyone using the rom-o-matic style 'boot disks' that they can point me in
the right direction there? I'll cheerfully append syslog info and other
specifics as it makes sense, but my feel on this is that I'm not PXE enough
for the pxelinux.0 image to be received and responded to correctly.

--Romaq


William (Andy) Smith
[EMAIL PROTECTED]







[leaf-user] ISO Beta 5?

2004-07-25 Thread William (Andy) Smith
Is there a doc on the steps for me to take current Bering-uClibc 2.2-beta5
and generate an ISO out of it with the usual packages and such? Or would
someone mind generating one for me? I'd like to kick it around but burning
an ISO turns out easier than juggling the packages I want to fit on the
floppy.

Thanks!

--Romaq


William (Andy) Smith
[EMAIL PROTECTED]







RE: [leaf-user] Anyone using UML or Xen?

2005-04-21 Thread William (Andy) Smith
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:leaf-user-
> [EMAIL PROTECTED] On Behalf Of Calvin Webster
> Sent: Wednesday, April 20, 2005 9:55 AM
> To: LEAF Users
> Subject: [leaf-user] Anyone using UML or Xen?

> Has anyone on the list successfully modeled a virtual WAN
> infrastructure, or at least built a functional LEAF router within UML or
> Xen? If so, I'd appreciate any suggestions you may have on the quickest
> way to setup this virtual WAN.

> I've been looking at 3 different virtualization methods to create VM's
> in which to design and test a set of LEAF routers. These will then be
> installed in flash drive or DOC on new hardware to replace routers in an
> existing WAN infrastructure. To be effective I'll need between 9 and 12
> VM's, 5 of which will be LEAF routers and the remainder test client
> hosts. The LEAF routers will require 6, 5, 5, 5, and 3 NICS. I'd prefer
> that none of them send traffic out on the "real" network during testing,
> but are capable of isolated interconnectivity.

I'm in a similar situation. This is my WISH, what I actually live with may
be quite a bit different.

I want to have two real hosts with 3 NICs each. Each host will boot up and
fetch a Xen Dom0 (host OS) that's as tiny as possible and 'just' sufficient
to fetch the DomU (guest OS) images over eth0.

Next in the cycle, each host fetches a DomU LEAF image and gives hardware
control of all three NICs to the LEAF image. Dom0 is then cut off from the
'real' interfaces. It has to accept what the firewall image allows.

Each LEAF image is able to act as an independent router, so if one machine
goes down, the other will cheerfully act as a gateway. Our ISP will give us
a second gateway, and he suggests we use NetBSD for the firewall image. I'd
prefer LEAF, but it gets back to 'what I want' isn't necessarily 'what I
will live with'.

Dom0 then loads in Bastion Network DomU's which will also have no network
access beyond what goes through the firewall.

1) The Dom0 host image would be booted via the internal net, so any hacks
that manage to get to it are reverted.

2) The firewall gets booted off the internal network, so hacks are again
lost.

3) The Bastion images can directly talk through the NIC allowed to them via
crossover cable between the hosts.

4) The Bastion images would also have LVMs 'local' on a hardware raid we
already have implemented. I'm planning to have the Bastions also boot from
the internal network for their binaries, and mount the RAIDs 'noexec'.

It's not that I want our hardware entirely impossible to hack, I just want
it to be rather difficult to do so.

Of the software you mentioned, I was able to get Xen up and working within a
day, whereas UML was too much of a pain. Xen also allows direct hardware
leasing, so I can give a particular domain all three PCI NICs. Patching the
OS was much less of a big deal with Xen than with trying to get UML to work
for me. I understand Xen will have its patches incorporated into the next
release or two of Linux.

--Romaq







[leaf-user] Routing Question: eth0=DSL, eth1=Local, eth2=DMZ, eth3=Cable

2005-06-04 Thread William (Andy) Smith
I have successfully made a three interface setup with Bering uClibc
consisting of eth0 to Net, eth1 for our internal network and eth2 for the
DMZ. We are now moving from the office we had to a home-office where eth0 is
connected to our existing ISP by DSL plus we are adding Cable internet
connection to eth3.

1) I have verified that Comcast and DSL work as links to the outside and as
expected.

2) The rules I had under the three card network will continue to apply.
Because we are using the same IP, we even get to keep our old IP addresses
for the DMZ.

3) Comcast is needed as bursty, high-speed outbound access where DSL
supplies fixed IP metered bandwidth.

4) I want the DMZ's default gateway to continue to be eth0.

5) I want eth1's default gateway to become eth3.

6) If eth1 happens to want to hit the DMZ, I want it to go directly to eth2
rather than out through the cable Internet and back through the DSL.

Would anyone be able to point me in the right direction?

Thanks!

--Romaq







[leaf-user] Routing Question: eth0=DSL, eth1=Local, eth2=DMZ, eth3=Cable

2005-06-06 Thread William (Andy) Smith
I was given direction from Charles Steinkuehler on my question, but I am
still not clear on how to implement the routing rules in
/etc/network/interfaces, or what specific rules to set since my case is
slightly different from what is recommended at the documentation site.

I am looking at the following URL from what was suggested:

http://lartc.org/howto/lartc.rpdb.multiple-links.html

Going from their model, I have something more like this that I not only need
to set up, but test and verify it works on the wire before we down
production equipment and move it to a new location:

                                         +----------------+
Internet --- Provider 1 ---- eth0 -------|                |------- eth2 ---- DMZ via Prov.1
             66.114.33.64/30             |                |                  66.114.34.92/30
             gw 66.114.34.65             |  Linux Router  |
                                         |                |
Internet --- Provider 2 ---- eth3 -------|                |------- eth1 ---- Lcl NAT via Prv2
             192.168.1.0/24              +----------------+                  192.168.2.0/24
             gw 192.168.1.254

I note /etc/iproute2/rt_tables which on my machine has the following as a
default on my existing router:

#
# reserved values
#
255 local
254 main
253 default
0   unspec
#
# local
#
1  inr.ruhep

The only 'inbound' traffic from the net comes from Provider 1 to the DMZ.

I suspect I need to add tables to rt_tables, for which the following names
would be useful to match my shorewall names:

eth0  net
eth1  lcl
eth2  dmz
eth3  cbl

So am I correct to comment out 'inr.ruhep' and append the following to
rt_tables?

1  net
2  lcl
3  dmz
4  cbl

It then looks like I need to do the 'ip route add default via '
commands, and they should be in ifup. I have /etc/network/if-up.d with no
example scripts inside it. Their example also has commands for me to see
what the route tables look like. However I need the routes added as part of
LEAF on startup, and the 'show' commands are a separate issue of debugging
what I'm trying to accomplish.

For all their instructions, and my reading of
http://www.linuxhorizon.ro/iproute2.html I am still not clear *where* and
*how* to set up a script that will automatically send all traffic coming
over eth1 out eth3, excluding traffic directed at eth2's network. Their
example doesn't appear to refer to a 'dmz' situation, and I'm not clear if I
can put the route mapping in /etc/network/interfaces or
/etc/network/if-up.d, and how to format it.

What would you suggest for this case? I feel like my brain is trying to
climb up the down escalator.

It appears I do not need to change Shorewall unless I want special behavior,
such as 'outbound port 80 always goes out cbl interface'. I want no special
behavior until I am completely confident about this general behavior.

Thank you.

--Romaq






