Re: [Vyatta-users] Impressions on Glendale

2008-02-27 Thread An-Cheng Huang 
Brandon Bennett wrote:
> Great to hear that you are planning on providing customization to
> vbash.  It is not a bad shell, it just seems odd to combine bash with
> my router configuration.  I was afraid of tab-completion issues and
> accedental commands being ran (or overlapping)

Hi Brandon,

If your concern is that the Unix commands will get in the way of the Vyatta 
commands when you are in the shell, you can try logging in as an "admin"-level 
non-root user (e.g., the default "vyatta" user). The auto-completion and help 
text for admin-level users are limited to the Vyatta command only, so you don't 
need to worry about accidentally tab-completing a Unix command. Of course, an 
admin-level user still has the flexibility to enter a Unix command directly on 
the command line and run it.

On the other hand, if you log in as an "operator"-level user, you'll see that 
only the Vyatta commands are available, i.e., the user can only see and run 
Vyatta operational commands on the command line. Therefore, operator-level 
users don't need to worry about accidentally running Unix commands, either.

Going forward, we plan to provide more flexibility. For example, it's probably 
useful to have another level that can run all Vyatta commands (like "admin") 
but cannot see/run Unix commands on the command line (like "operator"). 
Eventually, we will probably want to allow customizable levels such that, for 
example, you can set up a user level that can configure all routing protocols 
but not the VPN features.

An-Cheng
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users

Re: [Vyatta-users] Glendale Remote Access with L2TP and Certs

2008-02-22 Thread An-Cheng Huang 
Hi Paul,

So far Debian hasn't packaged openl2tp yet, but if openl2tp works with 
openswan, maybe we can look into that option in the future. Thanks for the info!

An-Cheng

Paul Wakeman wrote:
> You could use openl2tp instead of xl2tpd. I've used this on debian for
> months with openswan and it works well. Multiple L2TP/IPsec clients
> behind NAT works. Openl2tp's config files are different to xl2tpd -
> openl2tp comes with its own cli with command completion etc.
> 
> -paul
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users

Re: [Vyatta-users] Glendale Remote Access with L2TP and Certs

2008-02-22 Thread An-Cheng Huang 
Hi Adrian,

You're right that xl2tpd fixed both issues. However, the email you mentioned 
said the fixes were for "openswan's new KLIPS code". The manpage for 
"xl2tpd.conf" says essentially the same thing:

...allows tracking of multiple clients using the
same internal NATed IP address, and allows tracking of  multiple
clients behind the same NAT router Currently, this only works with
Openswan  KLIPS  in "mast" mode.

Since we are using Openswan with NETKEY, it probably still won't work in the 
current setup.

An-Cheng

Adrian F. Dimcev wrote:
> Hi An-Cheng,
> Yesterday I was reading the xelerance xl2tpd change log:
> http://www.xelerance.com/software/xl2tpd/CHANGES
> And I was under the impression that both issues you've mentioned are fixed.
> v1.1.05 references these changes.
> In this mail, Paul Wouters, also mentions the same things:
> http://lists.virus.org/users-openswan-0611/msg00054.html
> Best,
> Adrian
> 
> An-Cheng wrote:
>  > Yes, according to the following Web page, Openswan only supports
>  >1 client behind the same NAT device.
>  > http://www.jacco2.dds.nl/networking/freeswan-l2tp.html
>  >In fact, another Openswan limitation (also according to the page)
>  >is that no two NATed clients can use the same "private IP", i.e.,
>  >one of them won't be able to connect if both happen to use the same
>  >private IP (even though they are behind different NAT devices).
> ___
> Vyatta-users mailing list
> Vyatta-users@mailman.vyatta.com
> http://mailman.vyatta.com/mailman/listinfo/vyatta-users
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users

Re: [Vyatta-users] Glendale Remote Access with L2TP and Certs

2008-02-21 Thread An-Cheng Huang 
Hi Adrian,

Thanks for your feedback! I'll try to address the issues you observed below.

Adrian F. Dimcev wrote:
> I've setup L2TP/IPsec with certificates(IKE authentication).
> Build a quick CA with OpenSSL and issue some certificates(public key 
> 1024 bits). One to Glendale and two to clients(Windows clients).
> VPN_Clients---NAT_Device---Glendale---Internal Network
> I can successfully connect with one VPN Client behind same NAT device at 
> a time.

Yes, according to the following Web page, Openswan only supports 1 client 
behind the same NAT device.

  http://www.jacco2.dds.nl/networking/freeswan-l2tp.html

(search for "multiple clients" on the page to find the relevant text.) In fact, 
another Openswan limitation (also according to the page) is that no two NATed 
clients can use the same "private IP", i.e., one of them won't be able to 
connect if both happen to use the same private IP (even though they are behind 
different NAT devices).

> With PPTP on the other side I can successfully connect with two VPN 
> Clients behind same NAT device at a time.

Yes, PPTP works in this scenario.

> Same thing with the rest "set vpn l2tp remote-access ipsec-settings 
> authentication x509" commands(server-cert-file...).
> I've started all over again with a fresh install and this time I 
> indicate the cdrom as the location of the cert files.
> All went fine and Glendale copies itself the certificates to the 
> required locations.
> Very nice!
> However, if I unmount the cd, after some modifications to the 
> configuration, I hit "commit" and Glendale complains that cert files 
> cannot be found(on the location of the cdrom).

You are right that currently the configuration assumes those X.509 files are 
placed at locations that are persistent across reboots. Right now I can think 
of two possible improvements.

(1) Make the X.509 settings "optional", and if they are not configured, we use 
the files at the default locations (/etc/ipsec.d/...).

(2) Instead of having configuration commands for X.509 settings, we can have an 
operational command to "import" the X.509 files, i.e., the user will import the 
files first and then configure the L2TP/IPsec VPN to use X.509 authentication.

An-Cheng
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users

Re: [Vyatta-users] Glendale Remote Access L2TP outside-nexthop

2008-02-20 Thread An-Cheng Huang 
Hi Adrian,

Yes, you are right that such a setup is not currently supported. Looks like it 
will require defining two different "connections" in Openswan configuration and 
also making sure the L2TP server can serve clients from both. Maybe we can look 
into extending the configuration syntax to allow multiple "instances".

An-Cheng

Adrian F. Dimcev wrote:
> Hi An-Cheng,
> Thanks for your answer.
> One thing comes on my mind right now:
> Allow me to draw a simple and maybe common situation:
> Say Glendale has three interfaces: External, Internal and a so-called 
> "Wireless DMZ".
> Although it's a little bit archaic, some people prefer to secure their 
> WLANs using VPN.
> Thus they create an anonymous DMZ where they place an AP.
> Then they "VPN into" the Internal network from this wireless DMZ.
> There might be certain situations where this would be a convenient 
> solution(say some schools network designs).
> So we need to enable "vpn l2tp" on two interfaces: External and Wireless 
> DMZ.
> The wireless clients are directly connected(%direct) while the road 
> warriors are not.
> Looking at Glendale, currently it seems that this is not doable.
> Thanks,
> Adrian
> 
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users

Re: [Vyatta-users] Glendale Remote Access L2TP outside-nexthop

2008-02-20 Thread An-Cheng Huang 
Hi Adrian,

You're exactly right on the issues you pointed out.

(1) Requiring some "vpn ipsec" parameters for "vpn l2tp" is a bit inconvenient, 
and, as you said, it may mislead users to think that the IKE/ESP settings in 
"vpn ipsec" will also apply to "vpn l2tp" (they don't). The main issue here is 
interoperability with site-to-site VPN. The "ipsec-interfaces", 
"nat-traversal", and "nat-networks" parameters from "vpn ipsec" (required for 
"vpn l2tp") belong to the "global" IPsec configuration for Openswan, so setting 
them in "vpn l2tp" may change the site-to-site behavior as well, which may not 
be desirable.

(2) The "outside-nexthop" parameter is sort of redundant. It corresponds to the 
"leftnexthop" parameter in the Openswan connection configuration. The problem 
here is that if "leftnexthop" is not set, it defaults to "right", which won't 
work unless the client is directly connected. We could set it to 
"%defaultroute" by default, but that will require changing the global IPsec 
configuration, which, again, may change the site-to-site behavior. The current 
approach is to let the user configure it (using "outside-nexthop"). I'll 
investigate further to see if we can simplify this.

Thanks for playing with the remote access VPN feature! Let us know if you find 
other issues.

An-Cheng

Adrian F. Dimcev wrote:
> So why do I need this "outside-nexthop" since I already have specified a 
> default route through 192.168.30.1 ?
> Since my experience shows that there are problems with NAT devices, I've 
> always done my first tests connected directly to the external interface 
> of the VPN server. With pre-shared keys. Then with certificates. After I 
> know that the VPN server is properly configured, I "move" along the path.

> In the beta docs, page 664,  "If the authentication mode is pre-shared 
> secret, you must configure the secret using the vpn
> pptp remote-access outside-address  command (see page 697)." 
> statement does not appear to be correct, neither the command.

> It would be nice to do all the L2TP/IPsec configuration from the "vpn 
> l2tp" node. Without using the "vpn ipsec" node. To make a clear 
> distinction between site-to-site and remote access.
> The "vpn ipsec" node gives the "feeling" that the L2TP/IPsec IKE MM and 
> QM settings are supposed to be editable(customize the proposals from the 
> CLI). Bu it does not appears to be so.
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users

Re: [Vyatta-users] Glendale First Impressions

2008-02-14 Thread An-Cheng Huang 
An-Cheng Huang wrote:
> The fix is a one-line change to the default '?' binding, and I've just been 
> waiting for a decision on this...

Ok, it's in Glendale now. '?' now defaults to "help" (i.e., the 
"possible-completions" binding).

An-Cheng
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users

Re: [Vyatta-users] Glendale First Impressions

2008-02-14 Thread An-Cheng Huang 
Robert Bays wrote:
> Nick Davey wrote:
>> - I don't mind the new CLI, however I REALLY miss the ? and the space 
>> auto completion. If there is any way we can work to getting that back I 
>> would be over the moon. I know there has been some discussion about 
>> this, but I figured I'd voice my opinion as well, as late as it is.
> I've talked with An-Cheng about ? help.  I think we agreed that he would 
> set it up that ? would bind to help by default, but that it could be 
> turned on or off on a per user basis.  I need to follow up with him on 
> that.

The fix is a one-line change to the default '?' binding, and I've just been 
waiting for a decision on this...

An-Cheng
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users

Re: [Vyatta-users] Glendale source

2008-02-09 Thread An-Cheng Huang 
I just tried cloning linux-vyatta.git and ofr.git using my home DSL connection, 
and both worked ok. However, I remember that we did see some similar problems 
when testing our PPPOE implementation over an external DSL connection. So maybe 
there's some deeper problem...

An-Cheng

Aubrey Wells wrote:
> hmm.. I get the same thing when i try to clone VC2 
> (http://suva.vyatta.com/ofr.git)
> 
> --
> Aubrey Wells
> Senior Engineer
> Shelton | Johns Technology Group
> A Vyatta Ready Partner
> www.sheltonjohns.com
> 
> On Feb 9, 2008, at 11:43 PM, Aubrey Wells wrote:
>> Hmm... I'm not too familiar with git, so I may be doing something
>> wrong, but I keep getting this:
>>
>> vyatta-build:~/glendale# git-clone http://git.vyatta.com/linux-vyatta.git
>> error: Couldn't get 
>> http://git.vyatta.com/linux-vyatta.git/refs/heads/glendale
>>  for heads/glendale
>> The requested URL returned error: 404
>> error: Could not interpret heads/glendale as something to pull
>> vyatta-build:~/glendale#
>>
>> Oh, and sorry for cluttering up users, i meant to post this to hackers
>> but address auto-complete tricked me. :-)
>>
>> --
>> Aubrey Wells
>> Senior Engineer
>> Shelton | Johns Technology Group
>> A Vyatta Ready Partner
>> www.sheltonjohns.com
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users

Re: [Vyatta-users] Glendale source

2008-02-09 Thread An-Cheng Huang 
Hi Aubrey,

The glendale kernel source is available here:

For browsing:
http://git.vyatta.com/git/?p=linux-vyatta.git;a=summary

For cloning:
http://git.vyatta.com/linux-vyatta.git

Note that you'll need to switch to the glendale branch after cloning it.

An-Cheng

Aubrey Wells wrote:
> I'm mainly interested in downloading the kernel sources if possible.
> *
> --*
> *Aubrey Wells*
> /Senior Engineer/
> Shelton | Johns Technology Group
> A Vyatta Ready Partner
> www.sheltonjohns.com 
> 
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users

Re: [Vyatta-users] [Fwd: Re: Starting to get really frustrated... GRRR :D]

2008-01-29 Thread An-Cheng Huang 
ound them.  Does this
>>>>>>>> matter?  Can
>>>>>>>> anyone please give any suggestions?
>>>>>>>>
>>>>>>>> Thanks alot,
>>>>>>>> Nate
>>>>>>>>
>>>>>>>> My domain is:
>>>>>>>> www.nombyte.com
>>>>>>>>
>>>>>>>> The IP is:
>>>>>>>> 71.62.193.105
>>>>>>>>
>>>>>>>> Full Nat is:
>>>>>>>>
>>>>>>>> nat {
>>>>>>>>  rule 1 {
>>>>>>>>  type: "destination"
>>>>>>>>  inbound-interface: "eth0"
>>>>>>>>  protocols: "tcp"
>>>>>>>>  source {
>>>>>>>>  network: "0.0.0.0/0"
>>>>>>>>  }
>>>>>>>>  destination {
>>>>>>>>  address: "71.62.193.105"
>>>>>>>>  port-name http
>>>>>>>>  }
>>>>>>>>  inside-address {
>>>>>>>>  address: 192.168.0.105
>>>>>>>>  }
>>>>>>>>  }
>>>>>>>>  rule 2 {
>>>>>>>>  type: "masquerade"
>>>>>>>>  outbound-interface: "eth0"
>>>>>>>>  protocols: "all"
>>>>>>>>  source {
>>>>>>>>  network: "192.168.0.0/24"
>>>>>>>>  }
>>>>>>>>  destination {
>>>>>>>>  network: "0.0.0.0/0"
>>>>>>>>  }
>>>>>>>>  }
>>>>>>>>  rule 3 {
>>>>>>>>  type: "masquerade"
>>>>>>>>  outbound-interface: "eth0"
>>>>>>>>  protocols: "all"
>>>>>>>>  source {
>>>>>>>>  network: "192.168.1.0/24"
>>>>>>>>  }
>>>>>>>>  destination {
>>>>>>>>  network: "0.0.0.0/0"
>>>>>>>>  }
>>>>>>>>  }
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Tue, 2008-01-29 at 08:08 -0800, Justin Fletcher wrote:
>>>>>>>>> Here's what I use to port-forward ssh; just adjust for address
>>>>>>>>> (where
>>>>>>>>> destination address is the public IP) and change it to http.
>>>>>>>>>
>>>>>>>>>  rule 2 {
>>>>>>>>>  type: "destination"
>>>>>>>>>  inbound-interface: "eth0"
>>>>>>>>>  protocols: "tcp"
>>>>>>>>>  source {
>>>>>>>>>  network: 0.0.0.0/0
>>>>>>>>>  }
>>>>>>>>>  destination {
>>>>>>>>>  address: 1.2.3.4
>>>>>>>>>  port-name ssh
>>>>>>>>>  }
>>>>>>>>>  inside-address {
>>>>>>>>>  address: 10.0.0.30
>>>>>>>>>  }
>>>>>>>>>  }
>>>>>>>>>
>>>>>>>>> Best,
>>>>>>>>> Justin
>>>>>>>>>
>>>>>>>>> On Jan 29, 2008 7:46 AM, Nathan McBride <[EMAIL PROTECTED]>
>>>>>>>>> wrote:
>>>>>>>>>> Can someone please help me get this worked out?
>>>>>>>>>> Nate
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>&g

Re: [Vyatta-users] glendale problems my 1st view

2008-01-29 Thread An-Cheng Huang 
Stephen Hemminger wrote:
> I vote for #1 as well, but:
> Sounds like a release note, no matter what is decided.
> 
> Is there way to enable/disable this?
> 

To use the '?' key for help, you can change the key binding using the following 
shell command:

  bind '"?": possible-completions'

To restore the original binding:

  bind '"?": self-insert'
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users

Re: [Vyatta-users] glendale problems my 1st view

2008-01-29 Thread An-Cheng Huang 
Note also that if the '?' key is bound to auto-completion, the user can still 
input the '?' character using the readline escape sequence (i.e., in this case 
"Ctrl-v ?"). So basically it came down to a choice between these:

(1) Keep '?' key as help. To input a '?' character, prefix it with "Ctrl-v".
(2) Use some other key sequence for help. A '?' character can be entered 
directly.

At that time, (2) was deemed more acceptable than (1), so we currently have (2).

An-Cheng

An-Cheng Huang wrote:
> That was the first thing I tried when we started implementing the help 
> system. The problem is when the user actually wants to input a '?' character, 
> how do we rebind the '?' key back to the actual character? I also tried to 
> rebind the key after seeing a quote (assuming '?' characters can only appear 
> in quotes), etc., etc. In the end, this is a limitation in the readline 
> library (which is used by bash for command line input). We _could_ change 
> readline, I suppose, somewhere down the road.
> 
> An-Cheng

___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users

Re: [Vyatta-users] glendale problems my 1st view

2008-01-29 Thread An-Cheng Huang 
In case people don't know about this: instead of '?', a user can get the help 
text using either of the following two key sequences: "Alt =" or "Alt ?". 
(These are the default key bindings for "possible-completions" in 
readline/bash.)

An-Cheng Huang wrote:
> That was the first thing I tried when we started implementing the help 
> system. The problem is when the user actually wants to input a '?' character, 
> how do we rebind the '?' key back to the actual character? I also tried to 
> rebind the key after seeing a quote (assuming '?' characters can only appear 
> in quotes), etc., etc. In the end, this is a limitation in the readline 
> library (which is used by bash for command line input). We _could_ change 
> readline, I suppose, somewhere down the road.
> 
> An-Cheng
> ___
> Vyatta-users mailing list
> Vyatta-users@mailman.vyatta.com
> http://mailman.vyatta.com/mailman/listinfo/vyatta-users
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users

Re: [Vyatta-users] glendale problems my 1st view

2008-01-29 Thread An-Cheng Huang 
Stig Thormodsrud wrote:
>>> #3 - I agree, please bring back my beloved ?! Its an automatic reflex
> to
>>> hit ? whenever I'm in a router. I end up hitting it 3 or 4 times
> before
>> I
>>> realize that its echoing the char to the screen rather than activating
>>> help.
>>>
>> Has anyone explored using ~/.inputrc to rebind the ? character to
>> something
>> for auto-completion?  It might be possible, to do
>>
>> $if Bash
>> "?": "C-IC-I"
>> $endif
> 
> Good call Stephen.  I just tried:
> 
> $if Bash
> "?": "\C-i"
> $endif
> 
> Maybe we won't have to give up the "?".
> 
> stig

That was the first thing I tried when we started implementing the help system. 
The problem is when the user actually wants to input a '?' character, how do we 
rebind the '?' key back to the actual character? I also tried to rebind the key 
after seeing a quote (assuming '?' characters can only appear in quotes), etc., 
etc. In the end, this is a limitation in the readline library (which is used by 
bash for command line input). We _could_ change readline, I suppose, somewhere 
down the road.

An-Cheng
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users

Re: [Vyatta-users] Starting to get really frustrated... GRRR :D

2008-01-28 Thread An-Cheng Huang 
Hi Nate,

The "inside-address" is the internal (private) IP address of your Web server, 
which in your case is 192.168.0.105. The "destination address" should actually 
be the public IP address that outside clients will use to access your server, 
so usually this is the public IP address of your router.

An-Cheng

Nathan McBride wrote:
> I went and looked at the old docs.  I thought I set them up correctly
> but aparently I didn't.  I'll im trying to do is to get people on the
> internet to view the website on my comp (192.168.0.105).  The only
> difference that i noticed when I tried to commit the example in the old
> docs was that vc3 requires an 'inside-address'.  Could someone please
> help me correct this to get it working?
> 
> rule 3 {
> type: "destination"
> inbound-interface: "eth0"
> protocols: "tcp"
> destination {
> address: "192.168.0.105"
> port-name http
> }
> inside-address {
> address: 192.168.0.105 <-- didn't know what to put here
> exactly...
> }
> }
> 
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users

Re: [Vyatta-users] NAT problem

2008-01-23 Thread An-Cheng Huang 
Hi Alexc,

In your source NAT rules, you should set the "source address" *instead of* the 
"inside-address". For example, for rule 10, you should do "set service nat rule 
10 source address 10.10.1.1" instead of setting the "inside-address". Let me 
know if this does what you want. Thanks!

An-Cheng

Alexc wrote:
> Hi,
> Sounds like vyatta vc3 has a problem with NAT, I want to map not routed
> IPs to real ones with static one-to-one NAT, I did according to manual
> butr all packets go out with single IP. 
> Please look at config and iptables output below, did I make any error
> in configuration?
> 
> service {
> nat {
> rule 10 {
> type: "source"
> inbound-interface: "vif30"
> outbound-interface: "eth1"
> inside-address {
> address: 10.10.1.1
> }
> outside-address {
> address: 194.90.41.4
> }
> }
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users

Re: [Vyatta-users] Basic Rip help and nat translation question

2008-01-10 Thread An-Cheng Huang 
Hi Aaron,

For NAT translations, there is an enhancement request for a show command that 
displays the information you want. You can see some more details in bugzilla:

https://bugzilla.vyatta.com/show_bug.cgi?id=522

An-Cheng

[EMAIL PROTECTED] wrote:
> In addition, on a standard cisco router I can run this: > show ip nat 
> trans . How do I see all the differnent translations on a vyatta box 
> going out to the world?
>  
> Thanks in advance,
> Aaron
> 
> 
> 
> 
> ___
> Vyatta-users mailing list
> Vyatta-users@mailman.vyatta.com
> http://mailman.vyatta.com/mailman/listinfo/vyatta-users
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users

Re: [Vyatta-users] Setting up Firewall Rules

2007-12-08 Thread An-Cheng Huang 
Hi Todd,

The firewall rules are evaluated in sequence, and there is an implicit "deny 
everything" rule at the end of each rule set. So you can add whatever you want 
to allow to a rule set, and anything else will be dropped by the implicit rule 
at the end. Hope this helps.

An-Cheng

[EMAIL PROTECTED] wrote:
> I wasn’t sure, but when setting up firewall rules, would it be best to 
> set a rule #1 to deny everything, then start rules at like #10 to open 
> say port 80 for destination xyz source 0.0.0.0/0?  Or does vyatta deny 
> everything by default?
> 
>  
> 
> Todd Worden
> 
> Software Developer
> 
>  
> 
> Growing Technologies
> 
> P: 434-296-1500
> 
> E: [EMAIL PROTECTED] 
> 
> 
>  
> 
> 
> 
> 
> ___
> Vyatta-users mailing list
> Vyatta-users@mailman.vyatta.com
> http://mailman.vyatta.com/mailman/listinfo/vyatta-users

___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users

Re: [Vyatta-users] Error: 102 Command failed TCP/UDP Protocol must be specified

2007-11-29 Thread An-Cheng Huang 
Hi Alain,

The reason that TCP/UDP is required for your rule 35 is that you specified 
"port" in that rule, which is only meaningful for TCP/UDP in this context. The 
SNAT rule 39 accepts protocols "all" because it doesn't have "port". Hope this 
helps.

An-Cheng

Alain Kelder wrote:
> Hello, 
> 
> I'm trying to set protocols to "all" for a "destination" NAT rule. But Vyatta 
> complains that it wants either TCP or UDP. However, in this awesome how-to, 
> they did just that: 
> http://www.openmaniak.com/vyatta_case6.php#ancre-configurations
> 
> Here's what I tried:
> 
> [EMAIL PROTECTED] edit service nat rule 35
> [edit service/nat/rule/35]
> [EMAIL PROTECTED] set protocols all
> [edit service/nat/rule/35]
> [EMAIL PROTECTED] commit
> [edit service/nat/rule/35]
> Commit Failed
> 102 Command failed TCP/UDP Protocol must be specified
> 
> What's weird is that 'tab' (auto complete) shows "all" as an option:
> 
> [EMAIL PROTECTED] set protocols
> `protocols' is ambiguous.
> Possible completions:
>   <[Enter]>Execute this command
>   all  Perform NAT on all protocol traffic
>   icmp Perform NAT on ICMP traffic only
>   tcp  Perform NAT on TCP traffic only
>   udp  Perform NAT on UDP traffic only
> 
> 
> I'm able to set protocols to "udp" or "tcp", but not "all". What I'd like is 
> this:
> 
> rule 35 {
> type: "destination"
> translation-type: "static"
> inbound-interface: "eth0"
>>   protocols: "all"
> source {
> network: 0.0.0.0/0
> }
> destination {
> address: 65.xx.xx.xx
> port-number 53
> }
> inside-address {
> address: 10.10.3.20
> }
> }
> 
> Interestingly, Vyatta accepts "all" for a "source" NAT rule:
> 
> rule 39 {
> type: "source"
> translation-type: "static"
> outbound-interface: "eth0"
>>   protocols: "all"
> source {
> address: 10.10.3.20
> }
> destination {
> network: 0.0.0.0/0
> }
> outside-address {
> address: 65.xx.xx.xx
> }
> }
> 
> Any ideas?  Thanks a bunch in advance..  I'm at a loss!
> 
> [EMAIL PROTECTED]> show version
> Version:VC2
> Built by:   [EMAIL PROTECTED]
> Built on:   200702080056 -- Thu Feb  8 00:56:19 UTC 2007
> 
> 
> ___
> Vyatta-users mailing list
> Vyatta-users@mailman.vyatta.com
> http://mailman.vyatta.com/mailman/listinfo/vyatta-users
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users

Re: [Vyatta-users] bidirectional NAT and firewall rules.

2007-11-20 Thread An-Cheng Huang 
Hi Rob,

Each firewall rule set has an "implicit" default drop rule at the end. As a 
result, for the public_port_forwarding rule set, any packets not matching rules 
10 and 20 (i.e., non-PPTP packets) are dropped by the default drop rule. So the 
problem is probably that the returning packets of the SNATed outgoing 
connections are also dropped this way.

You might want to try adding something like the following to the rule set to 
allow the returning SNATed traffic.

  rule 30 {
protocol: "tcp"
state {
  established: "enable"
  new: "disable"
  related: "enable"
  invalid: "disable"
}
action: "accept"
  }

You can also add more restrictions to match the SNAT rules, for example.

An-Cheng

Rob Shepherd wrote:
> When I then try and apply the said firewall rule to this interface, the 
> "state" 
> of any SNAT behaviour isn't maintained.  I.e. outgoing connection state 
> tracking, to permit the  forwarding of returning internet packets from 
> connections originating from an internal network.
> 
> Am I just missing some "state" keywords?
> 
>> firewall {
>> name "public_port_forwarding" { 
>> description: "Port forwarding config for customer equipment"  // 
>> PERMIT PPTP VPN in from INTERNET
>> rule 10 { // 
>> placed on External IN
>> description: "Permit PPTP Control"// 
>> BREAKS SNAT outgoing
>> protocol: "tcp"
>> action: "accept"
>> log: "disable"
>> destination {
>> address: "10.30.2.15"
>> port-number 1723
>> }
>> }
>> rule 20 { 
>> description: "Permit PPTP Data"
>> protocol: "gre"
>> action: "accept"
>> log: "disable"
>> destination {
>> address: "10.30.2.15"
>> }
>> }
>> }
> 
> Thanks and kindest regards
> 
> Rob
> 
> 
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users

Re: [Vyatta-users] NAT Firewall Configuration

2007-11-10 Thread An-Cheng Huang 
Hi Gene,

For the first part of your question, I assume that you already have NAT 
working, and you just want to block incoming connections from the Internet and 
allow the NATed connections (those from your internal network) to go out.

If that is the case, one solution is to allow "established" and "related" 
(these refer to the TCP connection states) traffic coming in on the external 
(Internet-facing) interface and drop any other incoming traffic. You can first 
create a rule set similar to the following.

firewall {
name "from-external" {
rule 10 {
protocol: "tcp"
state {
established: "enable"
new: "disable"
related: "enable"
invalid: "disable"
}
action: "accept"
}
}
}

Note that each rule set by default drops packets that do not match any rules in 
the set, so in this case, any packets that are not "established" or "related" 
TCP traffic will be dropped.

Then you need to apply this rule set to the incoming traffic on the external 
interface, say, "eth0", as follows.

interfaces {
ethernet eth0 {
...
firewall {
in {
name: "from-external"
}
}
}
}

Of course, the above example only provides the basic functionality, and you 
will need to modify the rules according to your requirements.

An-Cheng

Gene Cooper wrote:
> I want to implement a simple NAT Internet firewall function, similar to 
> $50 boxes purchased anywhere.  I also want to firewall internal 
> (192.168.x.0/24) networks from each other.
> 
> I found that simply enabling NAT doesn't seem to block any traffic.  I 
> can ping internal network hosts from the external gateway with a (temp) 
> route in place pointing to the VOFR.  This surprised me as I always 
> thought NAT would block (new) external traffic of itself.
> 
> OK, so I need a firewall.  Out of all the documentation, there are no 
> Internet NAT firewall examples that look appropriate for this most 
> common of applications.  Am I missing something?  If so, please point me 
> in the right direction and I'll tuck my tail and leave quietly.
> 
> Otherwise, can someone share their NAT Internet gateway/firewall 
> configuration with me?  I would be very, very thankful.
> 
> As for firewalling the internal nets from each other, I came up with 
> this, but not being a firewall expert makes me doubt whether this is 
> acceptable (it seems to work with rudimentary testing).  Can somebody 
> tell me if this is acceptable or the wrong way to do this?
> 
> Basically, it blocks traffic to various private address ranges and 
> allows everything else.  I applied this firewall to all the internal 
> interfaces (in).
> 
> [EMAIL PROTECTED] show firewall
>  name "lan-to-lan" {
>  description: "Block Internal LAN Interaction"
>  rule 10 {
>  description: "Block 192.168.x.x Networks"
>  action: "reject"
>  source {
>  network: "192.168.0.0/16"
>  }
>  destination {
>  network: "192.168.0.0/16"
>  }
>  }
>  rule 20 {
>  description: "Block 172.16.x.x Networks"
>  action: "reject"
>  source {
>  network: "192.168.0.0/16"
>  }
>  destination {
>  network: "172.16.0.0/12"
>  }
>  }
>  rule 30 {
>  description: "Block 10.x.x.x Networks"
>  action: "reject"
>  source {
>  network: "192.168.0.0/16"
>  }
>  destination {
>  network: "10.0.0.0/8"
>  }
>  }
>  rule 40 {
>  description: "Allow All Traffic Not Previously Blocked"
>  action: "accept"
>  source {
>  network: "0.0.0.0/0"
>  }
>  destination {
>  network: "0.0.0.0/0"
>  }
>  }
>  }
> 
> Thanks very much in advance for _any_ comments.
> 
> G
> 
> ___
> Vyatta-users mailing list
> Vyatta-users@mailman.vyatta.com
> http://mailman.vyatta.com/mailman/listinfo/vyatta-users
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users

Re: [Vyatta-users] Can't connect to SMTP Host

2007-11-08 Thread An-Cheng Huang 
Hi Alex,

Finally found it:

http://mailman.vyatta.com/pipermail/vyatta-users/2007-August/001741.html

Actually, I used Thunderbird's search functionality, so it was much easier than 
going through the archives. :)

You're right that we should probably provide a search function for the mailing 
lists.

An-Cheng

Alex Lee wrote:
> 
> On a side note, is there an easy way to search the mailing list 
> archives. I could only find the archives split by months and I had to 
> look at each page separately.
> 
> Thanks for the info.
> 
> Alex
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users

Re: [Vyatta-users] Can't connect to SMTP Host

2007-11-08 Thread An-Cheng Huang 
If I remember correctly, this issue was discussed on this mailing list a couple 
months back, and the "dual NAT" solution was posted. You might want to try 
doing a search with the terms "internal" and "DNS".

An-Cheng

Alex Lee wrote:
>> I created a NAT Rule that forwards all traffic on port 25 from the
>> external ip address of xx.xx.xx.xx to the internal ip address of
>> 10.10.30.xxx on port 25. My problem is that all workstations on the
>> internal network 10.10.30.X connect resolve mail.domain.com to port 25
>> on the external ip address.
>>
>> Using a external email client out side the network from a remote client
>> works with out issues. All the clients on the internal network have to
>> be configures to connect to the server directly by using the internal ip
>> addresss for that server in the smtp settings on their client. Any
>> suggestions?
>>
> 
> I saw the responses from Justin and Alain, but thought this was an 
> interesting question.  Is there not a way to NAT so that the external 
> address gets translated into the internal address when coming from the 
> internal network?  I am sure we are doing this on our Checkpoint firewall. 
>   Isn't this called Dual NAT?  Just wondering.  Thanks,
> 
> Alex
> ___
> Vyatta-users mailing list
> Vyatta-users@mailman.vyatta.com
> http://mailman.vyatta.com/mailman/listinfo/vyatta-users
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users

Re: [Vyatta-users] DHCP/NAT/Firewall rules

2007-10-02 Thread An-Cheng Huang 
Hi Tony,

You should be able to put the allowed ports in the destination 
port-number/portname fields in the DNAT rule. This  way, only packets with 
those destination ports will be DNATed and be able to access the 10.1.1.2 
server.

An-Cheng

Tony Cratz wrote:
>   I have set-up my OFR to use DHCP with an internal address
>   space of 10.1.1.0/24. My OFR will receive my 71.159.206.0/29
>   on the IP of 71.140.62.22.
> 
>   So I'm using NAT to map 71.159.206.2 to 10.1.1.2 (as a
>   bi-directional NAT).
> 
>   Now I want to have some rules (firewall?) to allow only a
>   few ports to connect to the 71.159.206.2 (10.1.1.2) system
>   such as SMTP, SSH, FTP, HTTP and a few others.
> 
>   The question I have is should these rules be defined as
>   Firewall rules or as NAT rules?
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users

Re: [Vyatta-users] Firewall rules

2007-09-17 Thread An-Cheng Huang 
Hi Tony,

The firewall configuration syntax only allows 1 source address within each 
rule, so for your example you can specify 3 rules, one for each IP address you 
want to block.

An-Cheng

Tony Cratz wrote:
> Hello:
> 
>   I'm new to Vyatta any before I start to do an install and
>   screw myself I would like a question answered.
> 
>   In setting up a firewall rule I would like to reject all
>   connections from the IP addresses of (as an example)
>   216.239.32.10, 66.218.71.63, 192.18.99.5
>   Is the following possible or do I need to break the source
>   out them into different source sections?
> 
>   rule 1 {
>   action "reject"
>   source {
>   address: 216.239.32.10
>   address: 66.218.71.63
>   address: 192.18.99.5
>   }
>   }
> 
> 
>   Tony
> ___
> Vyatta-users mailing list
> Vyatta-users@mailman.vyatta.com
> http://mailman.vyatta.com/mailman/listinfo/vyatta-users
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users

Re: [Vyatta-users] Drop packets on port N

2007-08-29 Thread An-Cheng Huang 
Hi Jacobo,

If you set any source/destination ports in a rule, you must also set the 
"protocol" to either "tcp" or "udp". Otherwise the commit will fail with an 
error message indicating the problem.

An-Cheng

Jacobo Pereira wrote:
> Hi,
> 
> If I set a rule on my firewall to drop packets for destination 
> port-number N, it will drop TCP and UDP traffic ?
> 
> 
> Take the Internet to Go: Yahoo!Go puts the Internet in your pocket: 
>  
> mail, news, photos & more.
> 
> 
> 
> 
> ___
> Vyatta-users mailing list
> Vyatta-users@mailman.vyatta.com
> http://mailman.vyatta.com/mailman/listinfo/vyatta-users
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users

Re: [Vyatta-users] Firewall question

2007-08-29 Thread An-Cheng Huang 
Hi Jacobo,

In your example, (2) is the behavior that will result from the rules. To get 
your desired behavior, one solution will be to add a first rule that accepts 
all packets from address 10.0.0.50, and then add a second rule that drop all 
packets from network 10.0.0.0/8.

Another possibility is to add a first rule that accepts all packets from 
network "!10.0.0.0/8", and then add a second rule that drops all packets from 
address "!10.0.0.50". This can be used if you want to do some further filtering 
on packets from 10.0.0.50.

An-Cheng

Jacobo Pereira wrote:
> My fellow Vyattans...
> 
> Hello, I am not capable to do a test of this right now, so I'm going to 
> ask.
> 
> If I set a firewall instance and the first rule is to drop all packets 
> coming from network 10.0.0.0/8, and the second rule is to accept packets 
> coming from address 10.0.0.50..   
> 
> What would happen?
> 
> 1) The firewall will drop all packets coming from network 10.0.0.0/8 
> except for those coming from address 10.0.0.50/8
> 
> 2) The firewall will drop all packets coming from network 10.0.0.0/8.
> 
> If the answer is option 2...
> How do I block every packet coming from a network BUT those coming from 
> an specific address?
> 
> If this cannot be done..., then what is the point of setting a rule for 
> accept packets?
> 
> Jacobo
> 
> 
> 
> Sick sense of humor? Visit Yahoo! TV's Comedy with an Edge 
> to 
> see what's on, when.
> 
> 
> 
> 
> ___
> Vyatta-users mailing list
> Vyatta-users@mailman.vyatta.com
> http://mailman.vyatta.com/mailman/listinfo/vyatta-users
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users

Re: [Vyatta-users] User and Password Management

2007-08-27 Thread An-Cheng Huang 
Hi Daren,

1) There are several possibilities. First, make sure you are not logged in as 
'vyatta' (can't delete a logged-in user). Secondly, even if you are not logged 
in as vyatta, if you have logged in as vyatta and then logged out, sometimes 
the system still shows vyatta as logged in (and thus deleting it will fail), so 
you might want to reboot the box, log in as root, and then delete vyatta. 
Finally, earlier versions have a problem where deleting a user fails 
intermittently, which has been corrected now.

2) Yes, the plaintext gets encrypted on commit, and the plaintext should be 
cleared. However, in some cases, the plaintext is still displayed afterwards. 
See the following bug:

https://bugzilla.vyatta.com/show_bug.cgi?id=745

A workaround now is to manually delete the plaintext if this happens.

3) At the moment, all users created have the same access.

Hope this helps.

An-Cheng

Daren Tay wrote:
> Hi guys,
> 
> 1) How do i remove the default user 'vyatta'?
> I keep getting commit fail
> 
> 2) For root password,  I just change it but i realise i have to change it 
> using the "plaintext" option
> On commit it will encrypt... is it normal?
> 
> Also, after I commit, the plaintext password is still viewable in "show 
> system login"
> 
> why so?
> 
> 
> Lastly, how do I create users with different access rights?
> Or I can't?
> 
> Thanks!
> Daren
> 
> ___
> Vyatta-users mailing list
> Vyatta-users@mailman.vyatta.com
> http://mailman.vyatta.com/mailman/listinfo/vyatta-users
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users

Re: [Vyatta-users] NAT (range of addresses)

2007-08-13 Thread An-Cheng Huang 
Hi Jacobo,

It depends on your specific needs, but in most cases, you don't need to 
configure those extra IP addresses on any interfaces as long as any packets 
with those addresses as the destination will be routed back to your router.

An-Cheng

Jacobo Pereira wrote:
> In the outside address field... i use a network with subnet mask of 29 
> bits, that means 8 IP addresses...
> If instead of a network i would have used an individual address, that 
> address would have been the public address of the router at eth0.
> 
> My question was "if I use a network (a range of addresses)" as the 
> outside-address, do all of these addresses have to be configured in the 
> same interface??
> 
> as in:
> 
> set interface ethernet eth0 address 200.50.0.1 prefix-length 29
> set interface ethernet eth0 address 200.50.0.2 prefix-length 29
> set interface ethernet eth0 address 200.50.0.3 prefix-length 29
> set interface ethernet eth0 address 200.50.0.4 prefix-length 29
> set interface ethernet eth0 address 200.50.0.5 prefix-length 29
> set interface ethernet eth0 address 200.50.0.6 prefix-length 29
> set interface ethernet eth0 address 200.50.0.7 prefix-length 29
> set interface ethernet eth0 address 200.50.0.8 prefix-length 29
> 
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users

Re: [Vyatta-users] NAT issue (no translation-type)

2007-08-10 Thread An-Cheng Huang 
Hi Keun,

The network setup and the source NAT rule look fine. I can think of a few 
things that you might want to try.

1. After committing the source NAT rule, go to the Linux shell and do a 
'iptables -t nat -L -vn' to list the NAT rules in the iptables. If the 
corresponding source NAT rule is not in iptables, then it may be a problem with 
the CLI.

2. While lan_host is sending packets to wan_host ('ping' should be sufficient 
since the source NAT rule has protocol "all"), try to capture packets on each 
interface on vyatta2. If the packets from lan_host to wan_host are not going 
into vyatta2's eth0 and coming out of vyatta2's eth1, then it may be a network 
issue.

3. While lan_host is sending packets to wan_host, look at the output of 
'iptables -t nat -L -vn'. If NAT is working correctly, then the source NAT 
rule's counter should go up as packets from lan_host to wan_host pass through 
the router.

4. Depending on the version of the code you downloaded/built, there may be 
NOTRACK rules in the "raw" table. Do a 'iptables -t raw -L -vn' and you should 
see either no rules at all, or the rules should result in all packets being 
"ACCEPT"ed (since you enabled NAT). If packets are actually going to the 
NOTRACK target, then that's probably why NAT is not functioning. (You can look 
at the counters while lan_host is sending packets to determine where the 
packets are going.)

Hope this helps.

An-Cheng

Keun Lee wrote:
> The network setup is as follows. The WAN side has a single
> host 'wan_host' for testing purpose. wan_host will be
> replaced by a T1 or DSL modem.
> 
> 
> 
> eth1  eth0
>+---+ +-+  +--+
>|  wan_host |-| vyatta2 |--| lan_host |
>+---+ +-+  +--+
>  ^ ^  ^
>  | |192.168.254.22
>   216.135.138.219/29   |
> 192.168.254.200/24
> 
> 
> I want the packets from lan_host to wan_host masquaraded by vyatta2.
> The nat rules are:
> 
> nat {
> rule 1 {
> type: "source"
> outbound-interface: "eth1"
> protocols: "all"
> source {
> network: 192.168.254.0/24
> }
> outside-address {
> address: 216.135.138.219
> }
> }
> rule 5 {
> type: "destination"
> inbound-interface: "eth1"
> protocols: "tcp"
> source {
> network: 0.0.0.0/0
> }
> destination {
> address: 216.135.138.219
> port-name https
> }
> inside-address {
> address: 192.168.254.209
> }
> }
>  more port forwarding rules follow ...
> 
> To test the NAT:
> 
> @lan_host (192.168.254.22):  telnet wan_host http
> 
> @wan_host: tcpdump -i eth0
> ...IP 192.168.254.22.42767 > 216.135.138.217.www: ..
> 
> I expected that the source address 192.168.254.22 would be
> translated to 216.135.138.219, but there was no translation.
> 
> Hope this helps.   --Keun
> 
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users

Re: [Vyatta-users] NAT issue (no translation-type)

2007-08-10 Thread An-Cheng Huang 
Hi Keun,

The "translation-type" command has been removed in the 2.2 release (currently 
in 
testing) to simplify NAT configuration. If the commit succeeded, but NAT is not 
functioning, then there may be other problems. Can you provide some more 
details 
(e.g., network setup)? Thanks!

An-Cheng

Keun Lee wrote:
> I downloaded and built vyatta recently and started the configuration.
> When I tried to configure the NAT service, it did not recognize the
> "translation-type" command and refused to set it.
> The "commit" succeeded without setting the translation-type.
> Of course, the router did not perform NAT at all.
> Anyone seen this problem?  --Keun
> 
> 
> [EMAIL PROTECTED]> show version
> Built by:   [EMAIL PROTECTED]
> Built on:   Wed Jul 25 00:11:01 UTC 2007
> Build ID:   ---200707250011
> 
> 
> [EMAIL PROTECTED] set service nat rule 1 translation-type 
> ERROR: path "service nat rule 1 translation-type" is not valid.
> 
> 
> [EMAIL PROTECTED] set service nat rule 1 
> `1' is ambiguous.
> Possible completions:
>   <[Enter]>Execute this command
>   destination  NAT destination parameters
>   inbound-interfaceInbound interface of NAT traffic
>   inside-address   Inside NAT IP (used by destination NAT only)
>   outbound-interface   Outbound interface for NAT traffic
>   outside-address  Outside NAT IP (used by source NAT only)
>   protocolsProtocol to NAT (this can be a protocol name in ...
>   source   NAT source parameters
>   type Source or destination
>   {Enter text on multiple lines
> 
> [EMAIL PROTECTED] show service nat rule 1
> type: "source"
> outbound-interface: "eth1"
> protocols: "all"
> source {
> network: 192.168.254.0/24
> }
> outside-address {
> address: 216.135.138.219
> }
> 
> 
> ___
> Vyatta-users mailing list
> Vyatta-users@mailman.vyatta.com
> http://mailman.vyatta.com/mailman/listinfo/vyatta-users
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users

Re: [Vyatta-users] Vyatta wont start xorpsh....

2007-07-14 Thread An-Cheng Huang 
Hi Jacobo,

The message means that xorp_rtrmgr (the router manager) fails for some reason, 
so xorpsh cannot start. When this happens, there might be some messages in 
/var/log/messages indicating the reason. Could you take a look there and post 
anything you find in the file? Thanks!

An-Cheng

Jacobo Pereira wrote:
> Hi,
> 
> I have been asking for an error vyatta has given me many times... when I 
> try to run xorpsh... "Waiting for xorp_rtrmgr..."  Nobody could ever 
> tell me anything about it. I though there was some hardware issues or 
> something, with the computers I was using... but now it happened 
> again!!  on a virtual machine!!! what is this?? The only thing I have 
> done is connect the VM to the internet once to download the updates, and 
> now I was using the VM again just to document things. It wasn't even 
> working as a router. Then my whole REAL machine shutted down cause the 
> power supply is kinda broken.. Well...  the thing is that when i 
> rebooted, the VM wouldn't start xorpsh.
> 
> 
> 
> Welcome to Vyatta – vyatta tty1
> 
> vyatta login: vyatta
> 
> Password:
> 
> Linux localhost 2.6.20 #1 Wed Jul 14 14:45:02 PDT 2007 i686
> 
> Welcome to Vyatta.
> 
>   This system is open-source software. The exact distribution terms for
>   each module comprising the full system are described in the individual
>   files in /usr/share/doc/*/copyright.
> 
> Waiting for xorp_rtrmgr...
> 
> 
> Welcome to Vyatta - vyatta tty1
> 
> vyatta login: root
> 
> Password:
> 
> Linux localhost 2.6.20 #1 Wed Jul 14 14:45:02 PDT 2007 i686
> 
> Welcome to Vyatta.
> 
>   This system is open-source software. The exact distribution terms for
>   each module comprising the full system are described in the individual
>   files in /usr/share/doc/*/copyright.
>   vyatta:~# xorpsh
>   Waiting for xorp_rtrmgr...
>   vyatta:~#
> 
> 
> As I said, this has happened before... and the only solution I have 
> found, is NO solution, so I have to reinstall all over again.
> 
> Can anyone help with this?
> 
> Jacobo
> 
> 
> Shape Yahoo! in your own image. Join our Network Research Panel today! 
> 
>  
> 
> 
> 
> 
> 
> ___
> Vyatta-users mailing list
> Vyatta-users@mailman.vyatta.com
> http://mailman.vyatta.com/mailman/listinfo/vyatta-users

___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users