Re: [leaf-user] Procedure for requesting an additional driver
I've built some drivers for people in the past, and I understand that it does quickly get overwhelming... if you need the driver built, shoot me a link to the source, I'll see if I can get it built this weekend. I'm out of town until Saturday evening, but will try to get to it Sunday. Also, once I'm done, I'll package up the full directory tree (including drivers source) and make that available to you, for future building purposes. Have a nice day! BTW, for anyone still operating in Houston, TX with the coming storm, my prayers are with you all. My dad is still at home, decided to ride it out this morning (apparently traffic is still a bitch) ... but at any rate, good luck this weekend!

joey

- Original Message -
From: Bob Coffman Jr. - Info From Data [EMAIL PROTECTED]
Date: Friday, September 23, 2005 8:12 am
Subject: [leaf-user] Procedure for requesting an additional driver

I'd like to ask that the VMWare VMXNET driver be added to Bering if possible. It seems I'm the only one asking for this, so I don't know if this is worthwhile or not. I've attempted the build on my own using the buildtool but rapidly got in over my head. I can get the freely available source for anyone willing to tackle this.

Thanks - Bob Coffman

leaf-user mailing list: leaf-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/leaf-user Support Request -- http://leaf-project.org/
Re: [leaf-user] Time based blocking.
Would you be able to share a copy of said cron job... I think that would be useful to many...

- Original Message -
From: steve [EMAIL PROTECTED]
Date: Thursday, September 22, 2005 9:55 am
Subject: Re: [leaf-user] Time based blocking.

My kids have a separate computer with a separate IP address. I just set up a cron job to drop/add the IP address at specific times/days. It keeps them from gaining access to the internet, while still allowing me to do any work that I need to.

Hi, I just put my 13 son on his own computer behind my bering uclibc firewall. So naturally I'm trying to keep a lid on his internet usage:-) Besides (net nanny/cyber sitter) etc. I thought it might be useful to block his access to the internet after his bed time. Any ideas on how to do this? Any other suggestions would be much appreciated.

Thanks, Glenn
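steve's cron job itself is not in the thread. The following is an added example (not steve's script) of what such a job can look like on a Linux firewall that uses iptables, as Bering uClibc does underneath Shorewall; it assumes a constructed address 192.168.1.50 for the child's PC and an assumed script path /usr/local/sbin/kidblock. It inserts a DROP at the top of FORWARD at bedtime and removes it in the morning, and is written so that running it twice never leaves two copies of the rule.

```shell
#!/bin/sh
# Added example, not from the list post: cron-driven on/off switch for one LAN
# host's internet access. Assumptions: the child's PC has the fixed address
# KID_IP (constructed), LAN->WAN traffic passes the firewall's FORWARD chain,
# and iptables is installed. Inserting at position 1 puts the rule ahead of
# every Shorewall chain, including the one accepting ESTABLISHED traffic, so
# connections that are already open die as well.

KID_IP="${KID_IP:-192.168.1.50}"
IPTABLES="${IPTABLES:-iptables}"   # set IPTABLES=echo for a dry run

# One match specification shared by insert and delete, so -D removes exactly
# the rule that -I added.
match_spec() {
    printf 'FORWARD -s %s -j DROP' "$KID_IP"
}

# Delete first, then insert: if cron fires "block" twice (a reboot, a manual
# run), the table still holds exactly one copy of the rule.
block() {
    $IPTABLES -D $(match_spec) 2>/dev/null || true
    $IPTABLES -I FORWARD 1 -s "$KID_IP" -j DROP
}

unblock() {
    $IPTABLES -D $(match_spec)
}

# Crontab entries: block at 21:00 Sunday to Thursday, lift at 07:00 Monday to
# Friday. The argument is the path of this script on the firewall (assumed).
cron_lines() {
    SCRIPT="${1:-/usr/local/sbin/kidblock}"
    printf '0 21 * * 0-4 %s block\n' "$SCRIPT"
    printf '0 7 * * 1-5 %s unblock\n' "$SCRIPT"
}

case "${1:-}" in
    block)   block ;;
    unblock) unblock ;;
    cron)    cron_lines "$0" ;;      # print the lines to paste into crontab
    "")      ;;                      # no argument: only define the functions
    *)       echo "usage: $0 block|unblock|cron" >&2; exit 2 ;;
esac
```

A `shorewall restart` rebuilds the chains and discards this rule, so re-run `block` afterwards or carry the same rule in Shorewall's own configuration.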
Re: [leaf-user] a lot of waste
Something that I would check on is to perform a speed test from someone like broadband reports (www.broadbandreports.com) ... and see what your actual throughput is. As for the overhead of roughly 10k, I would agree that it's a bit excessive. I know from watching my performance monitor from the LEAF box that I typically have approximately 2-3k of overhead traffic, typically lower. At any rate, I doubt that you have anything misconfigured on the router, and an easy way to check would be to remove the LEAF box as the culprit. Temporarily move your windows box (or a linux box, shouldn't matter) and test again; I doubt you'll see much improvement. I would challenge your ISP for a proper speedtest to ensure you're getting acceptable speeds.

joey

- Original Message -
From: ochnap2 [EMAIL PROTECTED]
Date: Saturday, September 10, 2005 12:19 pm
Subject: [leaf-user] a lot of waste

Hi, I don't know if my question is LEAF specific or some broader configuration issue. I don't have too much experience in this field, so I'm probably asking nonsense. If I really should RTFM, please also tell me which one, I probably don't know which one either... :)

Well, here it goes: Up to some time ago everything worked optimally (two or three months ago). At that time my ISP installed QOS in my node. They are a little local wireless ISP. I've probably been one of the first subscribers, so I guess they are up to some point learning while they build the infrastructure. I have a 256 kbits symmetric? connection, and even if it is wireless they give me an ethernet cable to connect to. I'm using LEAF Bering-uLibc 2.3 as my firewall/router.

The problem is this: After they got the QOS running as they wanted, I started to have some serious performance problems. All the Linux machines in my local network had their download speed cut by half, and the Windows machines by 30%. All the time and downloading anything from any source.

I called them but, after some time, they told me that everything was OK, and that no one besides me was (is) having such problems, so that I probably had my router or PCs misconfigured. I did nothing for some time because I had absolutely no idea what to do or where to look, but yesterday I noticed this: I was downloading a huge file from a Windows machine and the speed was topping at 22 kbytes/sec, as usual lately. That particular machine also has a Kerio personal firewall installed, ...and the firewall was reporting that the raw download speed was ~32 kbytes!!!, not 22 kbytes as the Downloads window of Firefox showed. So I assume the effective transported payload was 22 kbytes/sec, but the raw traffic was 32 kbytes/sec. This is a lot of waste to me... isn't it?

So, finally, the questions are:
- I didn't touch anything in the LEAF box, but I'm not getting the same performance as before the QOS thing. Could it be that they (my ISP) have something wrong? What should I ask them for?
- Could it be that a misconfiguration in my router only surfaced now? What could cause such a behavior? Should I post some of the configuration files here?
- Is there any test that could help me pinpoint the exact source of the problem?
- Which FM should I read?

Thanks a lot for any hint...

och
Re: [leaf-user] Port-forwarding ssh thru Dachstein
Well, let me first tell you that you can indeed run both SSHd servers, both on the FW and the internal machine. Here is how I've got mine configured, and I admit that it might not be the most efficient, but it works and I haven't had a problem:

/etc/network.conf:
EXTERN_TCP_PORTS=ip.add.re.ss_ssh
EXTERN_PROTO0=24 ip.add.re.ss/32
INTERN_SSH_SERVER=192.168.3.204 # Internal SSH server to make available
EXTERN_SSH_PORT=24 # External port to use for internal SSH access

That's it... Make sure that you configure your internal SSHd server to run on the alternate port, in my case 24. Then you can either connect directly to the firewall IP on port 24, which will forward it to the internal box, or you can connect directly to the firewall IP on port 22 (default) and get only to the firewall, and you could still run ssh as a client into the internal box. Telnet is DEFINITELY not something you want to put onto your FW box. That's about it, let me know if you have any problems.

- Original Message -
From: Earl Wilson [EMAIL PROTECTED]
Date: Friday, August 19, 2005 8:43 am
Subject: Re: [leaf-user] Port-forwarding ssh thru Dachstein

After reading this, I felt the need to explain further; the WinXP box that I use to remotely manage both the RH machine carrying the webserver and the fw itself is located INSIDE my network. What I'm now trying to accomplish is the ability to remotely manage both from both INSIDE and OUTSIDE my internal network and also, BTW, I'm using a floppy distro, so space is limited. Though I'd rather not, it would be nice to add Telnet in place of ssh on the fw, ssh to it, and then piggyback via telnet to the rh machine, if what I'm trying to do is not possible...

Earl

- Original Message -
From: Earl Wilson [EMAIL PROTECTED]
To: leaf-user@lists.sourceforge.net
Sent: Friday, August 19, 2005 9:27 AM
Subject: Re: [leaf-user] Port-forwarding ssh thru Dachstein

Thanks to both of you for your help; well, I did add the 0/0_24 comment as suggested, but no luck, HOWEVER, I then REMOVED the sshd.lrp package, and was able to access the inside web server running on the redhat machine via ssh. Now the problem becomes how I manage my fw. Because of a lack of monitors, I remotely manage both the fw and the rh web server via ssh thru a WinXP box, so removal of the sshd.lrp package makes managing the fw without accessing it locally impossible. On the other hand, when I shut down the port forwarding of ssh traffic:

#INTERN_SSH_SERVER=192.168.1.200 # Internal SSH server to make available
#EXTERN_SSH_PORT=24 # External port to use for internal SSH access

I still am unable to ssh directly into the fw; instead, I'm getting a connection time-out message. In an ideal world, I'd like to:
1. ssh into either the fw or the rh machine remotely;
2. ssh into the fw, and piggyback-ssh from the fw into the rh machine
Can anyone at least show me what I'm doing incorrectly to not be able to remotely ssh into the fw? BTW, I didn't change the 0/0_22 or 0/0_24 comments from the EXTERN_TCP_PORTS= line

Earl

- Original Message -
From: [EMAIL PROTECTED]
To: M Lu [EMAIL PROTECTED]
Cc: Earl Wilson [EMAIL PROTECTED]; leaf-user@lists.sourceforge.net
Sent: Tuesday, August 16, 2005 11:22 AM
Subject: Re: [leaf-user] Port-forwarding ssh thru Dachstein

I think you are correct on the EXTERN_TCP_PORTS line, in fact I'm quite sure you are correct, however, instead of replacing the 0/0_22 line, it might be best to add 0/0_24, unless ssh directly to the box is not needed, again Earl will need to answer that.

Joey

- Original Message -
From: M Lu [EMAIL PROTECTED]
Date: Tuesday, August 16, 2005 8:16 am
Subject: Re: [leaf-user] Port-forwarding ssh thru Dachstein

If Earl wants to use external port 24, then maybe he should use
EXTERN_TCP_PORTS=0/0_21 0/0_80 0/0_24
instead of
EXTERN_TCP_PORTS=0/0_21 0/0_80 0/0_22
Anyway, Earl will figure the port usage.

- Original Message -
From: [EMAIL PROTECTED]
To: M Lu [EMAIL PROTECTED]
Cc: Earl Wilson [EMAIL PROTECTED]; leaf-user@lists.sourceforge.net
Sent: Tuesday, August 16, 2005 9:04 AM
Subject: Re: [leaf-user] Port-forwarding ssh thru Dachstein

This allows an individual to SSH directly to the external IP address, using port 24, and Dachstein has an explicit rule to forward port 24 (ssh traffic only) to the internal_ssh_server ... actually works quite nicely, and is essentially the same thing as the DNAT under Shorewall, except that you don't have to change the SSHd server on the internal box to 24, you leave it as 22 (if I recall correctly). Sorry to throw in my 2 cents into the thread...

joey

- Original Message -
From: M Lu
Re: [leaf-user] Port-forwarding ssh thru Dachstein
This allows an individual to SSH directly to the external IP address, using port 24, and Dachstein has an explicit rule to forward port 24 (ssh traffic only) to the internal_ssh_server ... actually works quite nicely, and is essentially the same thing as the DNAT under Shorewall, except that you don't have to change the SSHd server on the internal box to 24, you leave it as 22 (if I recall correctly). Sorry to throw in my 2 cents into the thread...

joey

- Original Message -
From: M Lu [EMAIL PROTECTED]
Date: Tuesday, August 16, 2005 7:30 am
Subject: Re: [leaf-user] Port-forwarding ssh thru Dachstein

I do not remember Dachstein very well but just wonder why you have EXTERN_SSH_PORT=24? Also I have seen some ISPs rejecting SSH traffic so consider that possibility too. You can test that by temporarily port-forwarding some other port (e.g. 80, as you know for sure 80 is allowed) to 22 and testing the SSH client with port 80.

- Original Message -
From: Earl Wilson [EMAIL PROTECTED]
To: leaf-user@lists.sourceforge.net
Sent: Monday, August 15, 2005 11:04 PM
Subject: Fw: [leaf-user] Port-forwarding ssh thru Dachstein

..
TCP services open to outside world
# Space separated list: srcip/mask_dstport
EXTERN_TCP_PORTS=0/0_21 0/0_80 0/0_22
(next 2 lines show open ports that are working w/no issues)
INTERN_FTP_SERVER=192.168.1.4 # Internal FTP server to make available
INTERN_WWW_SERVER=192.168.1.200 # Internal WWW server to make available
INTERN_SSH_SERVER=192.168.1.200 # Internal SSH server to make available
EXTERN_SSH_PORT=24 # External port to use for internal SSH access
Re: [leaf-user] Port-forwarding ssh thru Dachstein
I think you are correct on the EXTERN_TCP_PORTS line, in fact I'm quite sure you are correct, however, instead of replacing the 0/0_22 line, it might be best to add 0/0_24, unless ssh directly to the box is not needed, again Earl will need to answer that.

Joey

- Original Message -
From: M Lu [EMAIL PROTECTED]
Date: Tuesday, August 16, 2005 8:16 am
Subject: Re: [leaf-user] Port-forwarding ssh thru Dachstein

If Earl wants to use external port 24, then maybe he should use
EXTERN_TCP_PORTS=0/0_21 0/0_80 0/0_24
instead of
EXTERN_TCP_PORTS=0/0_21 0/0_80 0/0_22
Anyway, Earl will figure the port usage.

- Original Message -
From: [EMAIL PROTECTED]
To: M Lu [EMAIL PROTECTED]
Cc: Earl Wilson [EMAIL PROTECTED]; leaf-user@lists.sourceforge.net
Sent: Tuesday, August 16, 2005 9:04 AM
Subject: Re: [leaf-user] Port-forwarding ssh thru Dachstein

This allows an individual to SSH directly to the external IP address, using port 24, and Dachstein has an explicit rule to forward port 24 (ssh traffic only) to the internal_ssh_server ... actually works quite nicely, and is essentially the same thing as the DNAT under Shorewall, except that you don't have to change the SSHd server on the internal box to 24, you leave it as 22 (if I recall correctly). Sorry to throw in my 2 cents into the thread...

joey

- Original Message -
From: M Lu [EMAIL PROTECTED]
Date: Tuesday, August 16, 2005 7:30 am
Subject: Re: [leaf-user] Port-forwarding ssh thru Dachstein

I do not remember Dachstein very well but just wonder why you have EXTERN_SSH_PORT=24? Also I have seen some ISPs rejecting SSH traffic so consider that possibility too. You can test that by temporarily port-forwarding some other port (e.g. 80, as you know for sure 80 is allowed) to 22 and testing the SSH client with port 80.

- Original Message -
From: Earl Wilson [EMAIL PROTECTED]
To: leaf-user@lists.sourceforge.net
Sent: Monday, August 15, 2005 11:04 PM
Subject: Fw: [leaf-user] Port-forwarding ssh thru Dachstein

..
TCP services open to outside world
# Space separated list: srcip/mask_dstport
EXTERN_TCP_PORTS=0/0_21 0/0_80 0/0_22
(next 2 lines show open ports that are working w/no issues)
INTERN_FTP_SERVER=192.168.1.4 # Internal FTP server to make available
INTERN_WWW_SERVER=192.168.1.200 # Internal WWW server to make available
INTERN_SSH_SERVER=192.168.1.200 # Internal SSH server to make available
EXTERN_SSH_PORT=24 # External port to use for internal SSH access
Re: [leaf-user] WebGUI Scripts announcement
I checked this out today, and I must say that I'm fairly impressed. I have not yet had a chance to play with the webconf package for Bering, but I intend to. I'm looking forward to seeing this grow.

Joey

- Original Message -
From: Darcy Parker (Home) [EMAIL PROTECTED]
Date: Thursday, March 10, 2005 9:39 am
Subject: [leaf-user] WebGUI Scripts announcement

I REALLY like it. I manage several remote locations that are linked together using IPSEC on Bering uClibC 2.0. I would love to add this functionality to our system as I am upgrading to uClibC 2.2.2. I know that traditionally having access to Weblet over the net is not desirable and in this configuration would be just downright stupid due to the ability to modify the configurations.

Three Questions - is the username and password done by https from the firewall, or is this being served off the firewall or some other web server? It does not look like a secure connection when I browse the example, but it did request a user name and password to first log on.
Second - I have tried several times to get the existing weblet to be accessible from the net but have had no luck. What needs to be changed in sh-http, weblet, shorewall rules to allow this?
Third - Is there a new LRP package already done and where can it be found? Does it have any other dependencies?

Darcy Parker
Thanks for your help.

Message: 3
Date: Wed, 09 Mar 2005 15:42:21 -0800
From: Tom Eastep [EMAIL PROTECTED]
To: LEAF leaf-user@lists.sourceforge.net
Cc: [EMAIL PROTECTED]
Subject: [leaf-user] [Fwd: [Shorewall-users] WebGUI Scripts announcement]

This is my second attempt to forward this announcement to the Leaf User list -- the first one is being held for moderation and my experience with this list is that posts held for moderation sit for a week and then are rejected without comment.

-Tom

Original Message
Subject: [Shorewall-users] WebGUI Scripts announcement
Date: Wed, 9 Mar 2005 16:25:58 +0100
From: Andrea Galmacci - awd [EMAIL PROTECTED]
Reply-To: Mailing List for Shorewall Users [EMAIL PROTECTED]
To: Shorewall Users Mailing List shorewall- [EMAIL PROTECTED]

Dear Shorewall Users, having noticed that the request for a WebGUI is growing, after a very short conversation I've had with Tom, I'd like to let you all evaluate the Web interface to Shorewall I've written, integrating the original weblet package made available for the LRP project.

Preamble
Thank you Tom for every nice thing - Shorewall included - you have taught and given us.

Features (or limitations: it depends on your point of view...)
* the GUI is made of shell scripts -- no other programming language, no extra software to install (well, system utilities only)
* runs on almost any httpd server - tested on many LRP specific servers such as sh-httpd (shell based as well), mini-httpd, thttpd, and - of course - apache
* the web server doesn't need to be root in order to get write privileges to Shorewall files
* .htaccess ready
* edit Shorewall main configuration files, executes Shorewall commands (start, stop, restart, status, ...)
* shows system/Shorewall logs
* multi-language ready (english/italian)
* IE/Firefox compatible

Hosting system prerequisites (besides Shorewall specifics)
* sudo utility (usually part of all distros, anyhow available at http://www.courtesan.com/sudo/)

Curious enough?
URL: http://62.110.196.251
User: awdwall
Password: gogetit

Any comments, critics, suggestions, opinions are more than welcome.

Support
Please don't even think I'll be able to react to your requests/bug reports as 'someone' ;-) else does (although I'll try to do the best my competence - and the time available - will allow). I'm not a real guru and most of what I've done to make those scripts work - starting from the basic knowledge of *nix - is self-taught, so please put into consideration a good profusion of patience from your side -- this is my first open source experience.

Actions
What you'll play with is a stable 1.4.2 code installed over a Bering 1.2 distro and mounted on an embedded system -- activities are undergoing to move the code to a 'full' distro (now testing on a RH 9 with standard RPMs). I think that after Tom stated that Shorewall will remain pretty stable in terms of structure for a reasonably long period of time, there are good chances to make the script compatible with the current release. Depending on the number of requests I will receive, the package will be made available to the Shorewall community under the GNU GPL license -- expected release date: Mar 31, 2005

That's all, folks! Have a nice day,
Andrea
[leaf-user] USB Webcam App?
Has anyone installed a webcam on their router? I want to set up a webcam that just takes a shot every so often and displays it on a webpage; a live feed is optional, and I think resource heavy, but would be cool if it's possible. Obviously this is just a fun item, and not a real need. Thanks for any input.

Joey
Re: [leaf-user] release/renew IP
ifdown ppp0 # downs the interface ppp0
ifup ppp0 # starts the interface ppp0
ping -c1 1.2.3.4 # I believe -c is for count ... which in this case, ping 1.2.3.4 one time

hope this helps...

joey

- Original Message -
From: Kevin Kloet [EMAIL PROTECTED]
Date: Monday, January 31, 2005 10:45 am
Subject: Re: [leaf-user] release/renew IP

On Mon, 31 Jan 2005 17:33:29 +0100, Hans Ulrich Niedermann [EMAIL PROTECTED] wrote:

Kevin Kloet [EMAIL PROTECTED] writes:

I'm on a Bering uClibc 1.2 setup and I'm looking to find out what the command is to release and renew an IP on this router. My net connection is PPPoE. It does not appear that the dhclient command is available on this system and I have not been able to find an equivalent for this task. I'm hoping someone can let me know what command can be used and also illustrate the usage, as I'm unfamiliar with anything beyond dhclient and its usage.

Ignoring the inaccurate description of the technical environment, I'd guess you are looking for
# ifdown ppp0; ifup ppp0; ping -c1 1.2.3.4

Uli

Thanks for the response. I really only know as much about linux as what I've had to learn for this router... I was hoping you could break down what the above series of commands does so I can understand what the process is. Really unsure about what 'ping -c1' is facilitating. Thanks again, any assistance I can get is greatly appreciated.
Re: RE: [leaf-user] Shorewall Port Forwarding
Sorry for coming late to this thread, but I thought I'd add my 2 cents. Barry, from your earlier description of your setup, I have a question and a possible suggestion. The Netgear device, I assume, has at least the one uplink port, which is what's tied into the LEAF box; from there, the Netgear hands out IP addresses to its wireless clients, sounds good enough there. If this is true, then the Netgear is acting as a 2nd firewall (think DMZ situation), and you have a couple of options. Not being inherently familiar with the Netgear product, I think that you should be able to turn off the firewall function, and use it as a wired/wireless bridge device. Additionally, I assume that eth1 is plugged into a wired switch, which is where your PC is plugged into also, and are able to get an IP from. This being the case, you 'could' turn your LEAF box into a network switch as well, by using the bridging module and tools. This effectively puts all of your wireless and wired clients on the same network (assuming that this is OK). From there, you would simply place a DNAT config under Shorewall, pointing to the 192.168.1.x of the game server. Perhaps I missed a step or two, but what you are doing isn't that dissimilar to what I am doing, except I don't have a wireless access point. Let me know if you have any questions.

Joey

- Original Message -
From: Barry Baldwin [EMAIL PROTECTED]
Date: Thursday, January 20, 2005 12:07 pm
Subject: RE: [leaf-user] Shorewall Port Forwarding

Thanks Tom and Huy for your responses. I tried changing my leaf box to forward port 6112 to 192.168.1.4 and then set the Netgear router to port forward 6112 to my game server (192.168.2.3). This didn't seem to work either. The FORWARD:REJECT errors went away though. :) I'm not sure what is meant by a 2 way router. Is that the same as port forwarding? Is the problem I'm having because the Netgear is a router? If the Netgear was just a switch would what I have set up work? Would a better solution be to turn my leaf box into a wireless router and get rid of the Netgear?

Thanks in advance,
Barry

-Original Message-
From: Huy Bui [EMAIL PROTECTED]
Sent: Friday, January 14, 2005 2:08 AM
To: Barry Baldwin; Leaf-User (E-mail)
Subject: Re: [leaf-user] Shorewall Port Forwarding

Firstly I don't think your bering does not know the route to the Netgear. So it tries to route anything for 192.168.2.0/24 through the default gateway which is eth0. Secondly your game PC is behind the netgear so it's probably being NATed by the netgear. I don't know much about the Netgear set up so you have to see if it can be set up as a 2 way router and then add a route on your bering to route anything for 192.168.2 to 192.168.1.4 i.e
ip route add 192.168.2.0/24 via 192.168.1.2 dev eth1
hope this helps
Huy

- Original Message -
From: Barry Baldwin [EMAIL PROTECTED]
To: Leaf-User (E-mail) leaf-user@lists.sourceforge.net
Sent: Friday, January 14, 2005 2:03 AM
Subject: [leaf-user] Shorewall Port Forwarding

Hello all, I've set up a Bering uClibc system at home as a firewall. It came up and is working great. (By the way I tested it by going to www.hackerwatch.org/probe/ ) I'm now playing around with trying to allow one of my PC's behind the firewall to host an internet game (Warcraft III). Here is the topology of my network.

PPP0 dhcp / 192.168.1.254 192.168.1.4 / 192.168.2.1 192.168.2.3
Internet -- DSL Modem -- Bering FW box -- Netgear 4 port wireless router -- PC game server

Sorry for the weak/non-existent ASCII art.
+ So basically I have a DSL line that goes into a DSL modem,
+ The modem goes to the Bering Firewall box which is a PPPoE connection
+ The Firewall goes to a wireless router (Netgear MR814) through eth1 with 4 ports. Eth1 on the FW is 192.168.1.254; the router's WAN interface IP is 192.168.1.4
+ One of the wired ports goes to the PC game server. The router's IP is 192.168.2.1 and the PC game server's IP is 192.168.2.3
The default gateway of my PC game server is set to the wireless router (192.168.2.1)

To the shorewall rules configuration file I've added
DNAT net loc:192.168.2.3 tcp 6112
DNAT net loc:192.168.2.3 udp 6112
#Wasn't sure if these were needed so I added them anyway.
ACCEPT net fw tcp 6112
ACCEPT net fw udp 6112
ACCEPT loc fw tcp 6112
ACCEPT loc fw udp 6112

This doesn't work. From the FAQ on shorewall.net I did the following. iptables -t nat -Z to clear the counts, then I attempted to host a game. Then I did shorewall show nat to look at the counts. The counts are zero. If I join a game, then the counts increment and the
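One thing worth checking mechanically in a setup like Barry's is whether the DNAT target is on the subnet of the firewall's loc interface at all; 192.168.2.3 sits behind the Netgear rather than on eth1's 192.168.1.0/24. The following is an added example in POSIX sh (not from the thread or from Shorewall) that performs that check and prints the two Shorewall rules lines; it assumes eth1 is 192.168.1.254/24 as in the topology above and a shell with 64-bit arithmetic.

```shell
#!/bin/sh
# Added example, not from the thread: is a Shorewall DNAT target directly
# connected to the firewall's loc interface? Addresses come from Barry's
# topology; eth1 = 192.168.1.254/24 is an assumption. Requires 64-bit shell
# arithmetic (any current dash or bash on a 64-bit system).

# Dotted quad -> 32-bit integer.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Prefix length -> network mask as an integer (24 -> 4294967040, i.e. 0xffffff00).
prefix2mask() {
    echo $(( (1 << 32) - (1 << (32 - $1)) ))
}

# in_subnet IP ADDR/PREFIX: exit 0 when IP lies in the same subnet as ADDR.
in_subnet() {
    ip=$(ip2int "$1")
    addr=$(ip2int "${2%/*}")
    mask=$(prefix2mask "${2#*/}")
    [ $(( ip & mask )) -eq $(( addr & mask )) ]
}

# shorewall_dnat_rules PORT TARGET: the rules-file lines that forward a game
# port (TCP and UDP) from the net zone to TARGET in loc, as in Barry's post.
shorewall_dnat_rules() {
    printf 'DNAT net loc:%s tcp %s\n' "$2" "$1"
    printf 'DNAT net loc:%s udp %s\n' "$2" "$1"
}

# check_dnat_target TARGET LOC_ADDR/PREFIX: "direct" when the target is on the
# loc segment. Otherwise the rewritten packet follows the routing table, which
# without a specific route means the default gateway on the WAN side, and the
# reply must also come back through this firewall, which an inner router that
# NATs its own clients does not provide.
check_dnat_target() {
    if in_subnet "$1" "$2"; then
        echo "direct: $1 is on the subnet of ${2%/*}"
    else
        echo "indirect: $1 is not on the subnet of ${2%/*}"
        echo "  needs: a route for the target's subnet via the inner router's WAN address on the loc interface"
        echo "  needs: replies from $1 to return through this firewall (no NAT on the inner router)"
    fi
}

# Stand-alone run: evaluate Barry's target against the assumed eth1 address.
if [ "${1:-}" = "run" ]; then
    shorewall_dnat_rules 6112 192.168.2.3
    check_dnat_target 192.168.2.3 192.168.1.254/24
fi
```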
Re: [leaf-user] What's this guy trying?
port 1433.. isn't that Citrix or more specifically the ICA protocol. Or was it VNC...

joey

On Mon, 14 Oct 2002 23:29:42 +0200 Jon Clausen [EMAIL PROTECTED] wrote:

Logged into a remote Dachstein box to check up on something else, and I see huge amounts of denied packets in /var/log/messages... Connection attempts from f.x:
10.131.224.1:3 - 62.243.222.62:1
^^unknown^^ ^^my remote^^
I see a bunch of these from different IPs (that is, from port 3 to port 1)... dunno what to make of that, but then there's this guy:
# grep 65.82.107.120 $_ | nl
1 Oct 14 15:05:56 skilderhus kernel: Packet log: input DENY eth0 PROTO=1 65.82.107.120:5 62.243.222.62:0 L=56 S=0x00 I=5685 F=0x T=45 (#2)
continues in 'bursts' to:
...
164 Oct 14 15:06:07 skilderhus kernel: Packet log: input DENY eth0 PROTO=1 65.82.107.120:5 62.243.222.62:0 L=56 S=0x00 I=5866 F=0x T=45 (#2)
is this some kind of DoS? Am I under attack, or is it just some misconfigured box? I nmapped the IP, and the only thing that came up was:
Port State Service
1433/tcp open ms-sql-s
-so I'm guessing it's a zombie windows host... (?)

TIA
Jon Clausen
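An added example (not from the post) that summarises Dachstein's ipchains DENY lines per source, so that a burst like the one Jon quotes stands out from background noise. ipchains logs ICMP (PROTO=1) with the type and code in the two "port" positions, which the script decodes; the sample lines are constructed in the quoted log's format, with one TCP line added, and on a real box the input is `grep 'input DENY' /var/log/messages`.

```shell
#!/bin/sh
# Added example, not from the post: summarise ipchains "Packet log: input DENY"
# lines by source and protocol detail. SAMPLE_LOG is constructed in the format
# of the quoted log (the TCP line and 198.51.100.7 are made up for the demo).
#
# ipchains logs ICMP as "PROTO=1 src:TYPE dst:CODE", so for protocol 1 the two
# "port" fields are the ICMP type and code, not TCP/UDP ports.

SAMPLE_LOG='Oct 14 15:05:56 skilderhus kernel: Packet log: input DENY eth0 PROTO=1 65.82.107.120:5 62.243.222.62:0 L=56 S=0x00 I=5685 F=0x0000 T=45 (#2)
Oct 14 15:05:58 skilderhus kernel: Packet log: input DENY eth0 PROTO=1 65.82.107.120:5 62.243.222.62:0 L=56 S=0x00 I=5701 F=0x0000 T=45 (#2)
Oct 14 15:06:07 skilderhus kernel: Packet log: input DENY eth0 PROTO=1 65.82.107.120:5 62.243.222.62:0 L=56 S=0x00 I=5866 F=0x0000 T=45 (#2)
Oct 14 15:06:09 skilderhus kernel: Packet log: input DENY eth0 PROTO=1 10.131.224.1:3 62.243.222.62:1 L=56 S=0x00 I=1 F=0x0000 T=60 (#2)
Oct 14 15:06:12 skilderhus kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:4321 62.243.222.62:1433 L=48 S=0x00 I=2 F=0x4000 T=110 SYN (#3)'

# summarize_denies: read log lines on stdin; print one line per (source,
# protocol detail) key as "COUNT SRC DETAIL FIRST..LAST", busiest key first.
summarize_denies() {
    awk '
    BEGIN { n[0]="echo-reply"; n[3]="unreachable"; n[5]="redirect"; n[8]="echo-request"; n[11]="time-exceeded" }
    /Packet log: input DENY/ {
        for (i = 1; i <= NF; i++) if ($i ~ /^PROTO=/) break
        proto = substr($i, 7)
        split($(i + 1), s, ":")      # source address : port-or-type
        split($(i + 2), d, ":")      # destination address : port-or-code
        if (proto == "1")       key = s[1] " icmp " ((s[2] in n) ? n[s[2]] : "type") "(" s[2] ") code=" d[2]
        else if (proto == "6")  key = s[1] " tcp dport=" d[2]
        else if (proto == "17") key = s[1] " udp dport=" d[2]
        else                    key = s[1] " proto=" proto
        if (!(key in count)) first[key] = $3     # $3 is the syslog time of day
        count[key]++
        last[key] = $3
    }
    END { for (k in count) printf "%d %s %s..%s\n", count[k], k, first[k], last[k] }
    ' | sort -rn
}

# bursts MIN: only keys seen at least MIN times (default 50); those are the
# ones worth a closer look, the rest is ordinary internet background noise.
bursts() {
    summarize_denies | awk -v min="${1:-50}" '$1 >= min'
}

# Stand-alone run over the constructed sample.
if [ "${1:-}" = "run" ]; then
    printf '%s\n' "$SAMPLE_LOG" | summarize_denies
fi
```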
Re: [leaf-user] block internet access except the email
Try using just the top level domain, i.e. yahoo.com and hotmail.com. I haven't tried that, but it's worth a shot.

On Sun, 6 Oct 2002 17:04:35 -0700 (PDT) Liu Mei [EMAIL PROTECTED] wrote:

Hi,
If I only want to allow users to check their email on yahoo or hotmail, how should I set up the firewall? Simply using -d www.yahoo.com or -d www.hotmail.com in the rules doesn't work. I guess the reason is that yahoo mail and hotmail use multiple different IPs while redirecting the users to their mailbox. Any suggestion?

Regards,
Liumei
Re: [leaf-user] allowing internal connections w/o IPSec
offlist I was shown something further down in the network.conf that allows for a range of ports to be opened. However, in the example it references tcp ports, rather than udp ports. Can I simply change the tcp/udp parameters and then also change the range of ports I'd like to open? I believe if I do something similar to the following I might be able to achieve what I want...

INTERN_AUTOFW0=-A -r udp 1494 1594 -h 192.168.1.202

This would give me a 100 port range for the udp protocol, starting with port 1494 (ICA/Citrix) and ending at 1594 (+100, otherwise no significance). Am I understanding the supplied example correctly?

joey

On Thu, 15 Aug 2002 19:05:21 -0500 guitarlynn [EMAIL PROTECTED] wrote:

On Thursday 15 August 2002 18:45, Joey Officer wrote:

Unless I didn't restart the services properly (I'll show below, this is what I did)

EXTERN_TCP_PORTS=remote.address/32_1494
EXTERN_UDP_PORTS=remote.address/32_1494
INTERN_ICA_SERVER=192.168.1.202

And then svi network reload. From the remote host (we are using citrix in this scenario) the citrix client is told to look at the external IP of the LRP box. This is where I am stuck...

joey

Have you portforwarded this port to the desired machine??? With the lines you have added, you are simply opening the ports to the firewall, not sending the ports to a masq'ed machine.

--
~Lynn Avants aka Guitarlynn
guitarlynn at users.sourceforge.net
http://leaf.sourceforge.net
If linux isn't the answer, you've probably got the wrong question!
Re: [leaf-user] allowing internal connections w/o IPSec
still at home I read briefly over that part of the range of port addresses and made a modification or two. I changed the range and opened 100 udp ports starting at 1494-1594. Wiped out all the changes I had made, and ultimately started from scratch. A combination of the ipchains ACCEPT and an ipmasq rule that was given to me, and the various additions in the network.conf file, and a small matter of sheer luck, and BAM it worked. I finally got exactly the result I wanted. Now all I'll need to do is change the IP address to the machine that will really need this access. I still need to get proficient with the IP masq and chains so that I can turn it off when I don't want him messing around with my citrix server.

I really appreciate everyone's help this evening, and I'll try to get a clearer picture of the changes/additions I made posted to the list to be informative to others.. going to bed now.. been an extremely long day... thanks again...

joey

On 15 Aug 2002 19:11:34 -0700 Stephen Lee [EMAIL PROTECTED] wrote:

On Thu, 2002-08-15 at 18:59, [EMAIL PROTECTED] wrote:

at home I read the same article on citrix's website, and it did occur that I might need to open multiple ports, although I don't know how to open a range... Second, the citrix ica client only gives an error saying basically a citrix connection could not be made, nothing relevant to any debugging. I am able to do the same thing within the IPSec gateway, which is fine for what I really want (just people behind the leaf boxes I set up). I am just stuck with this situation with the vendor of a software that we are about to start using. I'll need to leave an opening up so that they can get to it when an error occurs with their software. Kind of lost, this is my first attempt at port forwarding. I think the basic part (forwarding) appears to be working, as is apparent from the telnet results. There may be more to it on the UDP side. I'll have to contact citrix tomorrow I guess...

thanks for the assistance, I'm, unfortunately, still not where I want to be, but perhaps tomorrow will be a better day. if you have any other thoughts, I'll still be working on this... Thanks again for all your help...

joey

Have a look at the INTERN_AUTOFW0 variable. There should be an example within the config file:

#INTERN_AUTOFW0=-A -r tcp 2 20050 -h 192.168.1.1

Where 2 to 20050 is the range of ports. It's been awhile since I used this feature so you will have to ask the list for more help.

Really gone for dinner this time.

Stephen

On 15 Aug 2002 18:35:33 -0700 Stephen Lee [EMAIL PROTECTED] wrote:

A bunch of ideas or questions:

Any more UDP denied messages? This is supposed to be simple - portforward 1494 to 192.168.1.202! Try rebooting the firewall I guess.

I don't know Citrix but are you sure the client is set up correctly and what kind of error messages does it put out (if any)?

I found this on the citrix website:

The initial synchronization between the WinFrame client and the WinFrame server occurs over port 1494, but the actual WinFrame session occurs over a dynamically allocated port. For this reason, it might be necessary to allow connections over a range of TCP/IP ports through the given firewall. If required, these connections should be allowed only between the client and the server.

That means you might have to open a bunch of ports above 1494.

Gone for dinner. Good luck.

Stephen

On Thu, 2002-08-15 at 18:19, Joey Officer wrote:

Did that, no change...

Joey

-Original Message-
From: Stephen Lee [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 15, 2002 8:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [leaf-user] allowing internal connections w/o IPSec

On Thu, 2002-08-15 at 18:03, Joey Officer wrote:

I checked my logs, and found that protocol 17 is being denied, which is UDP, so I am opening that in an attempt. Nothing else looks relevant...

Joey

According to the Citrix website you need UDP opened.
http://www.citrix.com/support/solution/SOL00053.HTM

Stephen

--
[EMAIL PROTECTED]
www.spl-linux.com
[leaf-user] tftp and network.conf
I'm trying to get something working at work, and I need to be able to allow tftp and ultimately an x-server. First I assume that I can add a few lines into the network.conf similar to the following:

EXTERN_UDP_PORTS=ip.ad.dr.es/32_tftp
EXTERN_PROTO0=69 ip.ad.dr.es/32

I would presumably also need a line for the x-server, but I don't know offhand what it is.. at any rate... does something like this work?

joey