Re: [Leaf-user] Bering Firewall without NAT
I had to do something similar recently, and I'm still amazed at how uncommon it seems to be -- there are not many examples around. I can't speak to Bering-specific configurations, as I have only used Shorewall on Red Hat and SuSE minimal installations, but I assume it is Shorewall that will take the lead in your scenario.

The secret for Shorewall is the proxyarp file, since Proxy-arp must be used to do what you are looking to do. Getting the proxyarp file configured can be a bit time-consuming, as it must explicitly list each IP address for which it will proxy, plus a few other configuration parameters. To assist with this task, I created a short Perl script, that you can find here: http://www.optimumnetworks.com/PAconfig .

A few other tips:

1. Assign an RFC1918 address to your internal interface, like 192.168.0.1

2. Create a host route to your default gateway, specifying the external NIC by device name, i.e.: route add -host DefGWIP dev ethX. Create the init file per Shorewall docs, and put your route command there.

3. Create host routes for any host NOT behind your firewall, but in the same network space as the external interface -- via the external interface. Since you are using legal addresses, your configs need to expressly indicate these hosts are on THAT side of eth1, those hosts are on THAT side of eth0.

4. Control arp caches --- the single most blindingly frustrating hair-pulling make-you-think-you've-gone-insane part of Proxy-arp. If you can flush a device with a command, do it; if not, power cycle any arp-caching devices (bridges/switches/routers) within your control --- or be prepared to wait an undefined amount of time before all entries expire in the arp caches you can't control. ISP's upstream router on bridged DSL comes to mind... This is the part that really complicates troubleshooting, since you ALWAYS want your system up NOW, when you've rolled the dice by taking an entire subnet down. If you have a smaller piece of the network you can isolate as a test zone, it will give you more breathing room to get comfortable with your configs, and the behavior of Proxy-arp. Resist the temptation to go back and make guesses in your configs --- since you are more likely to move from the right answer to the wrong one, due to a stuck arp entry somewhere.

5. See http://www.optimumnetworks.com/proxyarp.txt for an example of a real Shorewall proxyarp config file. Notice I generated the entire /25 subnet, then commented out special-purpose addresses near the bottom.

6. All other Shorewall configs are standard.

Good luck!

Dan
Optimum Networks, Inc.
www.optimumnetworks.com

- Original Message -
From: Jonathan Monk [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, March 22, 2002 3:43 AM
Subject: [Leaf-user] Bering Firewall without NAT

> Hi,
>
> I was wondering if anyone had any idea about using Bering/Shorewall without using Masquerading or NAT. We are at a University so we already have all the machines on our network assigned to real addresses. I don't really want to change all of them to private addresses but I am having problems in configuring Bering Shorewall to do this.
>
> Currently we have a gateway 134.36.22.1 and our main switch connects to that and it's all very straightforward. Our plan was to add the firewall between the gateway and the switch i.e.
>
>     Gateway        Firewall Ext     Firewall Int     Switch   Hosts
>     134.36.22.1    134.36.22.2      134.36.22.5      *        134.36.22.???
>                    gw=134.36.22.1                             gw=134.36.22.5
>
> We also need to enable access to our webserver for ssh, www and ftp access. I was planning on doing this either via a separate zone/hosts or via rule exceptions in Shorewall.
>
> I have a pair of machines that I have connected to the firewall so I can try things but the only way I have got anything to work was adding static routes on the firewall and even then I couldn't get very far as I was still running NAT. My test setup worked well with NAT using private addresses. Bering was straightforward to setup in this case. (Kudos to the authors)
>
> Unfortunately I suspect my knowledge of TCP/IP has sort of run its course at this point and I am a bit stuck for what to try next. I was considering trying to chuck out the NAT kernel modules and set it up as a bridge but the example configuration also used NAT
>
> Cheers,
>
> Jonathan
>
> --
> Dr Jonathan Monk, Dundee Satellite Receiving Station
> University of Dundee, Dundee, DD1 4HN
> tel: 44 (0)1382 344409 fax: 44 (0)1382 345415
> e-mail [EMAIL PROTECTED] http://www.sat.dundee.ac.uk

___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
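The proxyarp file and the init-file host routes Dan describes, as an added example that is not part of the original thread and is not Dan's Perl script: a POSIX sh generator that emits one proxyarp line per usable address of the legal subnet and comments out the addresses that are NOT behind eth1 (the upstream gateway and the firewall's own addresses), plus the route lines for the init file. The column layout ADDRESS INTERFACE EXTERNAL HAVEROUTE is assumed from the Shorewall 1.x documentation; the addresses and interface names are taken from Jonathan's diagram.

```sh
#!/bin/sh
# Added example (not from the original post, not Dan's PAconfig script):
# generate the Shorewall proxyarp file and the host routes for a legal subnet
# that sits behind eth1 while the firewall's eth0 shares the same address
# space with the real gateway.
# Assumed: Shorewall 1.x proxyarp columns ADDRESS INTERFACE EXTERNAL HAVEROUTE.

# dotted quad -> 32-bit integer (shell arithmetic only, no external tools)
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# 32-bit integer -> dotted quad
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# gen_proxyarp NETWORK/PREFIX INTERNAL_IF EXTERNAL_IF [SKIP_ADDR ...]
# One line per usable host address.  Addresses given as SKIP (the upstream
# gateway, the firewall's own addresses, anything else that is NOT behind
# the internal interface) are emitted commented out, so the file documents
# the whole block but only proxies for hosts that really live inside.
gen_proxyarp() {
    net=${1%/*}; prefix=${1#*/}; int_if=$2; ext_if=$3
    shift 3
    skip=" $* "
    size=$(( 1 << (32 - prefix) ))
    base=$(( $(ip2int "$net") & ~(size - 1) ))   # clear any host bits
    printf '#ADDRESS\tINTERFACE\tEXTERNAL\tHAVEROUTE\n'
    i=1
    while [ "$i" -lt $(( size - 1 )) ]; do      # skip network and broadcast
        addr=$(int2ip $(( base + i )))
        case "$skip" in
            *" $addr "*) printf '#%s\t%s\t%s\tNo\n' "$addr" "$int_if" "$ext_if" ;;
            *)           printf '%s\t%s\t%s\tNo\n'  "$addr" "$int_if" "$ext_if" ;;
        esac
        i=$(( i + 1 ))
    done
}

# gen_init_routes GATEWAY EXTERNAL_IF [OTHER_OUTSIDE_HOST ...]
# Host routes for the Shorewall init file: pin the default gateway, and every
# host that shares the external address space but is not behind the firewall,
# to the external NIC by device name so the kernel never ARPs for them on the
# inside interface.
gen_init_routes() {
    gw=$1; ext_if=$2
    shift 2
    for h in "$gw" "$@"; do
        printf 'route add -host %s dev %s\n' "$h" "$ext_if"
    done
}

# Usage with Jonathan's addresses: gateway .1, firewall .2 (eth0) / .5 (eth1).
gen_init_routes 134.36.22.1 eth0
gen_proxyarp 134.36.22.0/25 eth1 eth0 134.36.22.1 134.36.22.2 134.36.22.5
```

Redirect the second call into Shorewall's proxyarp file and the first into the init file, then clear the ARP caches you can reach before testing; a stale entry for a proxied address on the upstream router will make a correct file look wrong.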
[Leaf-user] libz on Dach-CD
Hi All,

Am I correct in assuming that Dachstein-CD will use the libz.lrp from the floppy if I copy it there, rather than the one burned onto the CD? I am also assuming J. Nilo's updated libz is suitable for this use -- is that the case?

Thanks,

Dan
--
Optimum Networks, Inc.
Small Business IT Services
Serving Minneapolis/St. Paul Metro
Re: [Leaf-user] libz on Dach-CD
Just for clarification, if my system boots from the CD, it will still give precedence to the libz.lrp from the floppy?

Thanks again,

Dan

- Original Message -
From: Charles Steinkuehler [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; Scott C. Best [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Thursday, March 21, 2002 4:47 PM
Subject: Re: [Leaf-user] libz on Dach-CD

> Longer answer: If you have a libz.lrp on your boot= device (typically the floppy), Dachstein CD will unzip this *LAST*, over-writing any pre-existing files, assuming you haven't over-ridden the default search order for the package in question (details on this behavior are in the CD README file).
Re: [Leaf-user] ipsec on a floppy? managing packages in Windows?
If your hardware isn't too old, changing media is really the way to go. If your system's BIOS can support a bootable CD, that is unquestionably the way to go. I switched from a single-floppy Eiger box to a Dachstein-CD setup (with IPSec), and the flexibility is incredible. It's definitely worth consideration.

As far as trimming space goes, it sounds like you've been pretty thorough --- you just can't get 10 lbs of corn in a 5 lb sack ;)

Dan

Quoting Christopher Holmes [EMAIL PROTECTED]:

> I'm running Dachstein trying to fit the FreeS/WAN IPSEC packages onto my floppy, but don't have enough room. I've moved up to 1722K format and removed modules that I'm not using (dhclient, some ip-masq stuff, ethernet card drivers) but I'm still falling about 75K short. Any ideas where else I can trim some space? I've poked through the packages and can't find anything else that can be removed or that's big enough to make a difference.
>
> Also, I can unzip the package files with winzip. Anyone know a good way to re-package them under windows 2K? I don't have a full linux box up yet, and my Dachstein box is in the grimy basement where I'd prefer not to be spending a lot of time.
>
> My other option is to move to a different media, but I'd prefer not to do that either.
>
> Thanks,
> Chris
Re: [Leaf-user] ipsec on a floppy? managing packages in Windows?
Perhaps I should have been clearer :) My intent was to say that if it boots from the CD, you are a lot better off when loading packages, as the load time is significantly faster than a floppy. That's what makes it unquestionably the way to go. Non-bootable CDs work, and give you the additional capacity, but less boost in load speed -- if that is important to you, as it is to me.

Dan

Quoting Michael D. Schleif [EMAIL PROTECTED]:

> [EMAIL PROTECTED] wrote:
>
> > If your hardware isn't too old, changing media is really the way to go. If your system's BIOS can support a bootable CD, that is unquestionably the way to go. I switched from a single-floppy Eiger box to a Dachstein-CD setup (with IPSec), and the flexibility is incredible. It's definitely worth consideration.
> >
> > As far as trimming space goes, it sounds like you've been pretty thorough --- you just can't get 10 lbs of corn in a 5 lb sack ;)
>
> Actually, DCD does *not* require a bootable cdrom. One of my systems boots off of the floppy and then gets *all* of its packages off of the cdrom. This scheme leaves little room for subsequent backups on floppy; but, the partial backup schema saves a lot of butt, in this regard.
>
> HTH
Re: [Leaf-user] Firewall Setup
What distribution are you using? What IP addresses are you using for your external interface?

Quoting [EMAIL PROTECTED]:

> While sifting through docs I found this error which I have been receiving, while trying to ping any internet IP from the LRP box:
>
>     sendto(): operation not permitted
>
> It says that this is the result of incorrect setup of the Firewall rules. Where can I find some documentation on setting up a set of Firewall rules that will give me at least minimal access to the net (www, email for now). At least if I can get that working I can slowly work through the rest.
>
> My main problem is right now, to test out the router I have to switch my cable modem to it. Once that is done, it makes it difficult (currently impossible) to do any research on problems as they come up.
>
> Again, your help is greatly appreciated.
>
> Sincerely,
> Justin Pease
> N u a n c e N i n e
> Web Usability, Development and Design
> www.nuance9.com
Re: [Leaf-user] Firewall Setup
A couple of things are happening. First, it seems that your Dach box is not obtaining a proper address from your ISP. If your address used to be 24.116.x.x, you should be seeing something similar now. Since it is getting assigned a 10.x.x.x address, the ipfilter code is generating the "operation not permitted" message --- as Dachstein disallows RFC 1918 addresses (of which 10.x.x.x is one). Since these are reserved for the private side of networks, the external interface will reject everything if an illegal address is configured on that interface.

The thing to track down is why the external interface is not obtaining the proper IP from your ISP. That is outside of my experience, since I have always used static IPs. I'd recommend you walk very carefully thru the network.conf, paying close attention to the sections involving dynamic external IPs. A good step-by-step procedure for setting it up can be found at: http://www.pigtail.net/LRP/ --- about half way down the page is where the fun begins...

Also note, some ISPs restrict your connection to a specific MAC address. If your ISP does that, it may be rejecting your attempt to obtain a DHCP lease. If that is the case, you will have to notify your ISP to give the MAC of your intended external NIC. I recall somewhere that some systems have a trick for spoofing the MAC address, so you don't have to involve the ISP. Unfortunately, I haven't seen that approach in action, and I don't know if or how it would work.

Good luck,

Dan

Quoting [EMAIL PROTECTED]:

> I am using the most recent DachStein Floppy based distro. The current install appears to have setup 10.x.x.x IP addresses for the external NIC (eth0). This seems strange to me, as in the past the ISP DHCP assigned IP was 24.116.x.x.
>
> Thanks.
> Justin
>
> On 13 Jan 2002 at 20:02, [EMAIL PROTECTED] wrote:
>
> > What distribution are you using? What IP addresses are you using for your external interface?
> >
> > Quoting [EMAIL PROTECTED]:
> >
> > > While sifting through docs I found this error which I have been receiving, while trying to ping any internet IP from the LRP box:
> > >
> > >     sendto(): operation not permitted
> > >
> > > It says that this is the result of incorrect setup of the Firewall rules. Where can I find some documentation on setting up a set of Firewall rules that will give me at least minimal access to the net (www, email for now). At least if I can get that working I can slowly work through the rest.
> > >
> > > My main problem is right now, to test out the router I have to switch my cable modem to it. Once that is done, it makes it difficult (currently impossible) to do any research on problems as they come up.
> > >
> > > Again, your help is greatly appreciated.
> > >
> > > Sincerely,
> > > Justin Pease
> > > N u a n c e N i n e
> > > Web Usability, Development and Design
> > > www.nuance9.com
>
> Sincerely,
> Justin Pease
> N u a n c e N i n e
> Web Usability, Development and Design
> www.nuance9.com
Re: [Leaf-user] Telstra ADSL PPPoE guide needed!
On another board to which I subscribe, they are tossing around this link: http://www.synapticserver.com/bpalogin_2howto.html

Supposedly, it has the low-down on your system. It is not specific to LEAF, but should at least tell you how Linux in general needs to talk to that ISP's system.

Good luck,

Dan

PS: See how icky html messages come across? In unix-oriented circles, html email is really, really frowned upon. Friendly tip ;)

Quoting Stewart Adey [EMAIL PROTECTED]:

> Hi, I'm running Telstra ADSL and i want to route my internet to 30-40 computers. Does anyone have an image already customized for this kind of setup? Thank you very much in Advance, Stewart Adey. By the way, Telstra uses their own customized program as a user name/password login system. (http://bpalogin.sourceforge.net/) (www.2dex.com/lrp/bpalogin.lrp)
Re: [Leaf-user] Dachstein-CD v1.0.2 as a router only (no firewall)
eth0 on Dachstein will not route private IP addresses without the following change, quoted from a recent reply from Charles on a related question:

> [this behavior is controlled by] The stopMartians () procedure of /etc/ipfilter.conf. You can comment out the private IP blocks in this procedure if you want to send/receive from reserved private IP addresses on your external interface.

HTH,

Dan

Quoting Kenneth Hadley [EMAIL PROTECTED]:

> - Original Message -
> From: guitarlynn [EMAIL PROTECTED]
> To: Kenneth Hadley [EMAIL PROTECTED]
> Sent: Saturday, January 12, 2002 1:49 PM
> Subject: Re: [Leaf-user] Dachstein-CD v1.0.2 as a router only (no firewall)
>
> > On Saturday 12 January 2002 14:52, Kenneth Hadley wrote:
> >
> > > I'm having some limited success in getting Dachstein 1.02 to run as just a router between two private networks, 192.168.1.0 and 192.168.2.0, with 192.168.2.0 being an expansion to the 192.168.1.0 network which is just about full. Some of the options on my Dachstein box:
> > >
> > >     IPFILTER_SWITCH=router
> > >
> > > Does anyone have any thoughts on what I might have configured wrong?
> >
> > Change IPFILTER_SWITCH=none
> >
> > The router option still has some ip spoofing and RFC blocking, but setting it to none leaves a straight-through router w/o any protection if I understand things right hopefully I do!
> >
> > --
> > ~Lynn Avants aka Guitarlynn
> > guitarlynn at users.sourceforge.net
> > http://leaf.sourceforge.net
> > If linux isn't the answer, you've probably got the wrong question!
>
> I'm guessing my problems are related to some of the filters too but unfortunately changing IPFILTER_SWITCH to none completely kills all traffic between 192.168.1.0 and 192.168.2.0
>
> Worth a shot
> Thanks though!
>
> -Kenneth Hadley
RE: [Leaf-user] Forwarding broadcast traffic?
As taken from the man page of dhcp-options, DHCP2 supports:

    option www-server [address-list]

As I understand it, this lists the Web servers available to the client, and is primarily useful for defining proxy Web servers that a client must use.

...and:

    option smtp-server [address-list]

Which from my reading are said to be useful to Windows clients --- but I have yet to test this. Also important to determine: does the dhcpd, as packaged in LRP, support the full command set? I'll take a look at this, and report back what I find.

Dan

Quoting Richard Doyle [EMAIL PROTECTED]:

> You might want to check the dhcp server mailing list: http://www.isc.org/services/public/lists/dhcp-lists.html. Dhcpd 3 lets you define arbitrary options, but I don't know whether that will suffice. AFAIK dhcpd 3 has not been lrp'd; it is much bigger than dhcpd 2.
>
> -Richard
>
> > Microsoft's new dhcp server now supports setting Internet Explorer's proxy address through dhcp, is there any linux dhcp server which already supports this? If that's a yes, is there an lrp package for it. And yes I know they don't follow the official RFC by doing that but hey it would be practical in my environment and I am pretty much afraid that this will be the argument to go back to a windows based dhcp server otherwise.
> >
> > Kim
[Leaf-user] Observations on DCD/IPSec Setup Documentation
After yanking several handfuls of hair from my head, I finally got my VPN lab fully functional and tested. Thanks to all those here who helped.

I am in the process of documenting the process I used --- skipping all the false starts, dead-ends, and hand-wringing ;-) I'll be interested in the opinions of list members on how this works out. It is intended to be very similar to Richard Lohman's very fine baby-steps documentation -- kind of cookbook style, with no assumptions built in. Anyone interested in participating, please let me know.

One key observation that I'd like clarification on: Routing Non-routable Addresses in Dachstein.

I followed a rough lab setup I found on the 'net, that used generic Red Hat boxes for each tunnel endpoint, with a dual NIC Red Hat box between them doing vanilla ip forwarding. I followed the diagrams to the letter so I couldn't get lost, but in the end, nothing worked. It appears to me that using the author's private IPs on eth0 of a DCD box just doesn't work. DCD seems to be enforcing the non-routable rule. I changed all my 172.16 networks to 174.16 networks, and the floodgates opened up.

Questions:

1. Is my observation correct? Is the LRP/DCD code enforcing the non-routable rule?
2. Where does this code live/how can it be deactivated or reconfigured?

Thanks,

Dan
Re: [Leaf-user] Forwarding broadcast traffic?
Building off of Charles' comment: If you *are* looking to enable subnet-to-subnet browsing of Windows shares, Samba does the trick without much heartache at all. I have an SME/e-smith box on one end of my VPN lab setup, and a remote machine on the other end. The remote-end clients simply have the IP address of the SME box (default configured as a Master) in the WINS server configuration of the Windows IP configuration. The remote clients report themselves to the Master, and it in turn re-advertises their existence to the local subnet. So all Windows clients on a 10.1.2.0/24 network can see all Windows clients thru the tunnel on a 192.168.1.0/24 subnet (and vice versa), thru an intervening 174.16.1.0/24 simulated internet. Works slick.

If you want a braindead-easy Samba server (and really a complete drop-in Linux replacement for NT server) see the details at www.e-smith.org. It's open source and freely distributed, with commercial support if desired. My primary fileserver runs two 60 GB disks in RAID 1, on a P100 throw-away. Free. And I mean, braindead easy...

Dan

Quoting Ed Zahurak [EMAIL PROTECTED]:

> Is it possible to configure a set of LRP/LEAF routers to forward broadcast traffic across a vpn link between the two subnets? If so, how would I go about configuring the boxes to take the traffic?
>
> Thanks,
> Ed Z.
[Leaf-user] Completely Routable Subnet
Hi all,

I am not sure really how to describe what I am after, but I'll try to sketch it.

In a situation in which a network needs to have broad compatibility with multi-vendor VPN solutions (from client sites to home office, and vice versa), it appears that fully routable, legal IP addresses will be required. One client in particular declares that NAT will not work with its aggressive mode system, and cannot be made to. The systems on the local subnet need to be able to communicate as a full workgroup, sharing files and printers. The VPN connections need to be initiated from both external locations coming in, and from internal hosts going out.

As I understand it, systems in a DMZ in Eiger/Dachstein cannot be made to communicate with each other without routing tweaks --- so I'm assuming this won't do the trick.

Here are my questions:

1. Is it still true that some systems absolutely cannot be made to work with NAT?
2. Anyone care to comment on the security and administration issues with managing a network of routable addresses from behind a LEAF box?
3. Are there any architectural tricks that can be used to create VPN gateways that allow full access into a private network from only one trusted host outside --- and is this a good idea?
4. Are there example configs around where a LEAF distro has been setup to do such things?

Thanks,

Dan
Re: [Leaf-user] need help with port forwarding
Quoting Peter Jay Salzman [EMAIL PROTECTED]:

> once the lock was opened, she came screaming down the aisle, rushed the altar and now the deed is done. i'm running a fully operational dachstein cd firewall.

Aye! She's a randy lass, that one ;)
Re: [Leaf-user] Ping Problem
Ray, Charles,

Thanks for the direction. I will take a gander back thru the configs, and probably start over with a clean floppy if it doesn't jump out at me. Likely I nicked the code somewhere when I was changing the 192.168.1 references. It'll be another learning experience :)

Dan

Quoting Ray Olszewski [EMAIL PROTECTED]:

> I've not seen that particular error from sendto: before, but Charles' suggestions are probably the right place to start (even though routing problems normally generate a different ping error).
>
> One thing, though: if your hosts are numbered 209.98.58.241, 209.98.58.244, and 209.98.58.246, then they are on network 209.98.58.240/29, NOT 209.98.58.0/29. When checking your setup, you might look for errors associated with this misspecification (assuming it wasn't just a typo in your e-mail).
>
> At 05:03 PM 1/3/02 -0600, [EMAIL PROTECTED] wrote:
>
> > [...]
> > ...The system at .246 can't ping anything in 209.98.58.0/29 --- getting instead:
> >
> >     # ping 209.98.58.241
> >     PING 209.98.58.241 (209.98.58.241): 56 data bytes
> >     ping: sendto: Invalid argument
> >
> > This system, .246, can ping PAST the router, out to hosts on the internet, and the hosts on the 192.168.2.0/24 subnet behind it can get thru .246 and access the internet. Something in my configs just seems to be hosing the ping command for my external network on this box.
> > [...]
>
> --
> Never tell me the odds!--- Ray Olszewski-- Han Solo
> Palo Alto, CA [EMAIL PROTECTED]
Re: [Leaf-user] need help with port forwarding
Do you have the corresponding ports *open* in the EXTERN_TCP_PORTS section? If not, the forwarding rules are inside waiting for a bride that's locked out of the church ;)

Also, since it looks like you have re-numbered your network from the default (changed 192.168.1 to 192.168.0) you should have a stroll back thru your configs, to make sure you have changed every instance of 192.168.1.

Dan

Quoting Peter Jay Salzman [EMAIL PROTECTED]:

> i'm using dachstein 1.0.2 on a home network firewall. everything seems hunky dory:
>
> network cards are both recognized and configured correctly
> masquerading works on the internal machines
> everyone can ping everyone, both inside and out.
>
> the last hurdle is port forwarding -- it looks ok, but isn't working (i'm not receiving mail, and i can't telnet to the smtp port from a remote machine).
>
> note that the internal server that handles mail, ftp and apache is satan.diablo.net (192.168.0.2). the firewall is mephisto.diablo.net (eth0: 64.164.47.8 eth1: 192.168.0.1).
>
> modules:
>
>     ip_masq_user     3708   0 (unused)
>     ip_masq_portfw   2416   4
>     ip_masq_ftp      3576   0 (unused)
>     ip_masq_mfw      3196   0 (unused)
>     ip_masq_autofw   2476   0 (unused)
>     rtl8139         10856   1
>     tulip           32424   1
>     pci-scan         2300   0 [rtl8139 tulip]
>     isofs           17692   0
>     ide-cd          22672   0
>     cdrom           26712   0 [ide-cd]
>
> forwarded ports:
>
>     # ipmasqadm portfw -l
>     prot localaddr                                rediraddr              lport rport pcnt pref
>     TCP  adsl-64-164-47-8.dsl.scrm01.pacbell.net  satan.diablo.localnet  24    ssh   10   10
>     TCP  adsl-64-164-47-8.dsl.scrm01.pacbell.net  satan.diablo.localnet  smtp  smtp  10   10
>     TCP  adsl-64-164-47-8.dsl.scrm01.pacbell.net  satan.diablo.localnet  www   www   10   10
>     TCP  adsl-64-164-47-8.dsl.scrm01.pacbell.net  satan.diablo.localnet  ftp   ftp   10   10
>
> here are the relevant variables i've set. i'm wondering what the difference between them is. they look to do the same thing to me:
>
>     INTERN_SERVERS="tcp_${EXTERN_IP}_ftp_192.168.0.2_ftp tcp_${EXTERN_IP}_smtp_192.168.0.2_smtp"
>
>     # These lines use the primary external IP address...if you need to port-forward
>     # an aliased IP address, use the INTERN_SERVERS setting above
>     INTERN_FTP_SERVER=192.168.0.2   # Internal FTP server to make available
>     INTERN_WWW_SERVER=192.168.0.2   # Internal WWW server to make available
>     INTERN_SMTP_SERVER=192.168.0.2  # Internal SMTP server to make available
>     #INTERN_POP3_SERVER=192.168.0.2 # Internal POP3 server to make available
>     #INTERN_IMAP_SERVER=192.168.0.2 # Internal IMAP server to make available
>     INTERN_SSH_SERVER=192.168.0.2   # Internal SSH server to make available
>     EXTERN_SSH_PORT=24              # External port to use for internal SSH
>
> i'm looking at this, and i can't see anything that's wrong. the output of ipmasqadm looks compelling. it LOOKS like it should be working. help! any advice? what exactly is the difference between INTERN_SERVERS and INTERN_.*_SERVER? i'm not too sure what an aliased IP address is. does that refer to a masqueraded ip address (like 192.168.0.2)? any help greatly appreciated. i've been staring at this for far too long. :)
>
> pete
>
> --
> PGP Fingerprint: B9F1 6CF3 47C4 7CD8 D33E 70A9 A3B9 1945 67EA 951D
> PGP Public Key: finger [EMAIL PROTECTED]
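The check Dan is suggesting, as an added example that is not part of the original thread and is not Dachstein's own code: a POSIX sh script that reads a network.conf and lists every forwarded TCP port that EXTERN_TCP_PORTS never opens. The sample network.conf is constructed here from the settings Pete posted. The entry layouts are assumptions from the Dachstein config of the time: SOURCE_PORT (e.g. 0/0_www) for EXTERN_TCP_PORTS, and proto_extip_extport_intip_intport for INTERN_SERVERS. The comparison is textual, so a port opened as 25 but forwarded as smtp is still reported as unopened.

```sh
#!/bin/sh
# Added example (not Dachstein's own code): cross-check port forwards against
# EXTERN_TCP_PORTS in a Dachstein network.conf.  Assumed entry formats:
#   EXTERN_TCP_PORTS="0/0_www 0/0_ssh"              -> SOURCE_PORT
#   INTERN_SERVERS="tcp_${EXTERN_IP}_ftp_192.168.0.2_ftp"
#                                                    -> proto_extip_extport_intip_intport
#   INTERN_WWW_SERVER=192.168.0.2                    -> forwards the service's own port
#   INTERN_SSH_SERVER=... with EXTERN_SSH_PORT=24    -> forwards external port 24

# value of VAR in a shell-style config: quotes and trailing comment stripped
conf_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | sed 's/#.*//; s/"//g; s/[[:space:]]*$//' | tail -n 1
}

# every external TCP port the config forwards inward, one per line
forwarded_ports() {
    conf=$1
    extip=$(conf_get "$conf" EXTERN_IP)
    # INTERN_SERVERS entries carry ${EXTERN_IP} literally; resolve it first so
    # the underscore-separated fields line up
    for entry in $(conf_get "$conf" INTERN_SERVERS | sed 's/\${EXTERN_IP}/'"$extip"'/g'); do
        proto=${entry%%_*}
        rest=${entry#*_}; rest=${rest#*_}          # extport_intip_intport
        if [ "$proto" = tcp ]; then echo "${rest%%_*}"; fi
    done
    for svc in FTP WWW SMTP POP3 IMAP; do
        if [ -n "$(conf_get "$conf" "INTERN_${svc}_SERVER")" ]; then
            echo "$svc" | tr 'A-Z' 'a-z'
        fi
    done
    if [ -n "$(conf_get "$conf" INTERN_SSH_SERVER)" ]; then
        p=$(conf_get "$conf" EXTERN_SSH_PORT)
        echo "${p:-ssh}"
    fi
}

# ports EXTERN_TCP_PORTS opens to the outside, one per line
open_ports() {
    for entry in $(conf_get "$1" EXTERN_TCP_PORTS); do
        echo "${entry##*_}"
    done
}

# forwarded ports that are never opened: the portfw rules exist, but the
# input filter drops the packets before they ever reach them
unopened_forwards() {
    conf=$1
    opened=" $(open_ports "$conf" | tr '\n' ' ') "
    for p in $(forwarded_ports "$conf" | sort -u); do
        case "$opened" in
            *" $p "*) ;;
            *) echo "$p" ;;
        esac
    done
}

# constructed sample based on the settings Pete posted
make_sample_conf() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
EXTERN_IP="64.164.47.8"
EXTERN_TCP_PORTS="0/0_www 0/0_ssh"
INTERN_SERVERS="tcp_${EXTERN_IP}_ftp_192.168.0.2_ftp tcp_${EXTERN_IP}_smtp_192.168.0.2_smtp"
INTERN_FTP_SERVER=192.168.0.2    # Internal FTP server to make available
INTERN_WWW_SERVER=192.168.0.2
INTERN_SMTP_SERVER=192.168.0.2
#INTERN_POP3_SERVER=192.168.0.2
INTERN_SSH_SERVER=192.168.0.2
EXTERN_SSH_PORT=24
EOF
    echo "$f"
}

sample=$(make_sample_conf)
unopened_forwards "$sample"      # 24, ftp, smtp: open these or the forwards stay dead
rm -f "$sample"
```

Run it against the real /etc/network.conf instead of the sample; an empty result means every forward has a matching open port, which is the precondition for the ipmasqadm output above to mean anything.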
Re: [Leaf-user] dachstein cd 1.0.2: modules are unavailable
This is an excellent How-to --- one I plan to base my upcoming docs off of --- IF it ever comes back on line. I have tried accessing it for the last few days, and it comes up dead.

Dan

Quoting Greg Morgan [EMAIL PROTECTED]:

> One more idea is to use some of the other documentation. Take a look at http://nw-hoosier.dyndns.org/rlohman/linux/firewall/index.html. Don't forget to wander around leaf.sourceforge.net.
Re: [Leaf-user] ipsec gateways same private networks ???
On the topic of re-numbering networks:

I have recently installed DachCD, and noticed the comments in network.conf for eth1 specify DO NOT CHANGE. I assume this is due to some hard-coded instances of this explicit IP, rather than a variable. I noticed in the weblet config, 192.168.1.254 is given explicitly.

Where might I find a resource listing all script reconfigs necessary to re-number the private network? I tried a search through the LEAF archives, but couldn't find anything that nailed it. I am also looking at an IPSec tunnel between two sites, and I'd like to have a clean from scratch start on it.

Thanks,

Dan
Re: [Leaf-user] ipsec gateways same private networks ???
Charles,

I will poke around in the places you mentioned, and document what I find. I also caught part of a November thread in which there was talk of formalizing some beginner-level doc for the CD distro --- did that ever come about? If not, I could be talked into it --- I'm an infinitely qualified beginner :) That kind of stuff helps cement my own knowledge, and if the doc helps people, it's icing on the cake. If someone has already done it, I won't try to reinvent, though...

Dan

Quoting Charles Steinkuehler [EMAIL PROTECTED]:

> > On the topic of re-numbering networks:
> >
> > I have recently installed DachCD, and noticed the comments in network.conf for eth1 specify DO NOT CHANGE. I assume this is due to some hard-coded instances of this explicit IP, rather than a variable. I noticed in the weblet config, 192.168.1.254 is given explicitly.
> >
> > Where might I find a resource listing all script reconfigs necessary to re-number the private network? I tried a search through the LEAF archives, but couldn't find anything that nailed it. I am also looking at an IPSec tunnel between two sites, and I'd like to have a clean from scratch start on it.
>
> There's no complete list...perhaps you could take notes and start one?
>
> Off the top of my head, you will need to edit/re-configure the following files/services if you change the internal network settings:
>
> - /etc/network.conf
> - /etc/hosts.allow
> - weblet
> - dhcpd
> - dnscache
>
> There may be others...if you could take notes on exactly what files/settings require changing, I'll add it to the documentation.
>
> Thanks, and good luck!
>
> Charles Steinkuehler
> http://lrp.steinkuehler.net
> http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
Re: [Leaf-user] Network Card Problem
Well, it seems like you could *try* copying the working 3c5x9.o file to the LEAF disk --- but with kernel differences it may not work.

Another thing you might try is the preconfigured modules.lrp for the 3c5x9 from www.pigtail.net/LRP. In my experience, Nicholas does a great job of testing these modules and keeping them current. Although I haven't seen him contribute in this forum, he does maintain an extensive library of modules, and he'd probably respond to an email if you sent him a query.

Best of luck,

Dan

Quoting Patrick Nixon [EMAIL PROTECTED]:

> Hello All,
>
> I briefly mentioned a few weeks ago a problem I'm having with a specific network card, however, no one had any solid advice and I wasn't sure what the exact problem was so I'm reposting with a bit more information I hope.
>
> NIC: 3Com 3C920 Integrated network Card (lists as a 3c905C-TX in some systems)
> System: Dell Optiplex GX150
> Problem: Despite a successful loading of the module 3c59x.o I am unable to receive any data over the network interface. From netstat -i I can see that it's transmitting, just not receiving properly.
>
> I have RedHat 7.2 with Kernel 2.4.3-7 running on an identical system, with a 'different' 3c59x.o module and that system is happyhappy.
>
> Ideas/suggestions/whathaveyous?
>
> --Pat
[Leaf-user] Changing Internal Address References for IPSec
Quoting Charles Steinkuehler [EMAIL PROTECTED]:

> There's no complete list... perhaps you could take notes and start one? Off the top of my head, you will need to edit/re-configure the following files/services if you change the internal network settings:
>
> - /etc/network.conf
> - /etc/hosts.allow
> - weblet
> - dhcpd
> - dnscache
>
> There may be others... if you could take notes on exactly what files/settings require changing, I'll add it to the documentation.

OK, sanity check this: I did an rsync of the entire running config, so I could play with the directory structure on a full distro. I ran 'rgrep -rnB 192.168.1 ./* ref.txt' against the directory, and got back:

./dhcpd.conf: Line 4
./dhcpd.conf: Line 5
./dhcpd.conf: Line 7
./dhcpd.conf: Line 8
./hosts: Line 2
./hosts.allow: Line 9
./network.conf: Line 133
./network.conf: Line 164
./network.conf: Line 349
./network.conf: Line 350
./network.conf: Line 372
./network.conf: Line 376
./network.conf: Line 377
./network.conf: Line 378
./network.conf: Line 379
./network.conf: Line 380
./network.conf: Line 381
./network.conf: Line 389
./network.conf: Line 620
./sh-httpd.conf: Line 2
./sh-httpd.conf: Line 3
./sh-httpd.conf: Line 7

No mention in my output of anything in dnscache. I also poked around in there manually, and didn't find anything.

Does this approach sound accurate and complete?

Thanks,

Dan
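The recursive grep for the old prefix is the right way to inventory what has to change before renumbering, with one caveat a practitioner will want: an unanchored search for 192.168.1 also matches 192.168.10.x and 192.168.100.x, and it treats the prefix inside a longer address as a hit. The script below is an added example, not code from this thread or from the LEAF project. It anchors the pattern so that only complete addresses in the old network match, prints file:line:content the way the post's output does, and gives a count for a before/after check. The directory layout, the sample contents of network.conf, hosts.allow and dhcpd.conf, and the use of mktemp are all assumptions constructed for the demo; only the file names and the 192.168.1 prefix come from the thread.

```shell
#!/bin/sh
# Added example, not from the original thread or the LEAF project: find every
# hard-coded reference to an internal network in a config tree before
# renumbering it. The sample tree built by make_sample is constructed for the
# demo; the prefix 192.168.1 is the one discussed in the thread.

# Build an ERE that matches "<prefix>.<octet>" only as a complete address.
# A plain grep for 192.168.1 would also hit 192.168.10.x and 192.168.100.x.
prefix_regex() {
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')        # 192.168.1 -> 192\.168\.1
    printf '(^|[^0-9])%s\\.[0-9]{1,3}([^0-9]|$)' "$esc"
}

# Print file:line:content for every reference under directory $1 to prefix $2.
# Returns 0 whether or not anything matched, so it is safe under set -e.
find_refs() {
    grep -rnE "$(prefix_regex "$2")" "$1" || true
}

# Number of matching lines; run it before and after editing to confirm zero.
count_refs() {
    find_refs "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample tree using the file names from the thread (assumed content).
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/etc"
    cat > "$d/etc/network.conf" <<'EOF'
IF1_IPADDR=192.168.1.254
IF1_MASK=255.255.255.0
# other networks an unanchored grep would hit: 192.168.10.254 192.168.100.1
EOF
    cat > "$d/etc/hosts.allow" <<'EOF'
sshd: 192.168.1.0/255.255.255.0
EOF
    cat > "$d/etc/dhcpd.conf" <<'EOF'
subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.100 192.168.1.200;
}
EOF
    printf '%s\n' "$d"
}

# Usage: sh find_refs.sh /path/to/config/tree 192.168.1
# With no arguments, run against the constructed sample tree instead.
if [ "$#" -eq 2 ]; then
    find_refs "$1" "$2"
elif [ "$#" -eq 0 ]; then
    sample=$(make_sample)
    find_refs "$sample" 192.168.1
    rm -rf "$sample"
fi
```

Run it against an rsync copy of the running config, as the post describes, rather than against the live box; once every reported line has been edited, a second run with the old prefix should return a count of zero, and a run with the new prefix shows what was actually written.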
[Leaf-user] VPN Architecture Options
Hi all,

I have a client with an interesting situation, regarding VPN needs. They are a small database consulting group, who need secure remote access across a variety of scenarios:

1. Sitting in their US office, accessing multi-vendor VPN systems at major corporations.
2. Sitting at the customer site, accessing their own US office LAN:
   a. using their own laptops (Linux and Windows)
   b. using borrowed machines (Linux and Windows) on the customers' LAN
3. One employee in Australia needs to:
   a. do all of the above, for both the US office and US customers
   b. have the local AU LAN securely access the US LAN, Windows shares and all
   c. have his laptop access local Australian customers

Given the nature of IPSec, it seems NAT'd addresses can't be relied upon in all scenarios. This tends to indicate we would be better off running routable addresses on the LANs in question --- but are the risks of that manageable? They own a /25 subnet, but I'm not sure we want to expose the entire range to the Internet.

Having read some about FreeS/WAN, I am still confused on what it takes to connect from a roaming laptop --- with a varying IP. Most of the instructions tend to be focused on gateway-to-gateway connections, not laptop-to-gateway -- and almost all doc uses non-routable IPs in the examples. Any pointers to configuring a single-address client to FreeS/WAN on LRP would be helpful.

Has anyone used LRP routers in this varied a scenario? Any recommendations on VPN clients for roaming connections, both for Windows and Linux laptops? Any wisdom, advice, pointers? :)

Thanks,

Dan
