REJECT NFLOG(4)
kp
n Monday, October 6, 2014 11:09 AM, kp kirchdoerfer
kap...@users.sourceforge.net wrote: Hi;
On Sunday, 5 October 2014, 13:12:40, cpu memhd wrote:
Okay, I figured out the problem. I didn't realize this was ulogd v2, which
apparently has more dependencies
. October 2014, 13:12:40, cpu memhd wrote:
Okay, I figured out the problem. I didn't realize this was ulogd v2, which
apparently has more dependencies. But now shorewall isn't logging.
Just to be clear - are you really using 5.2-beta1?
I'm pretty sure there is no 5.2-beta1 release yet, so you
Okay, I figured out the problem. I didn't realize this was ulogd v2, which
apparently has more dependencies. But now shorewall isn't logging.
Hello,
Seems there might be a ulogd bug that prevents it from finding/loading plugins:
ulogd -v
Sat Oct 4 20:41:32 2014 7 ulogd.c:622 load_plugin:
'/usr/lib/ulogd/ulogd_inppkt_NFLOG.so': File not found
Sat Oct 4 20:41:32 2014 7 ulogd.c:622 load_plugin:
I've been testing the 2.6 kernel. Nice!
To the developers:
I don't think you're wasting your time. I very much appreciate your efforts (I
read that old thread). I think you should put TUNO on the main page, even if
it's alpha.
Some issues:
busybox 1.12.1:
insmod does not search
Hello,
This is something I ran into a long time ago. When ucbering 2.x went from
iptables 1.3.1 to 1.3.5, I noticed that shorewall went from:
Connection Tracking Match: Available
To:
Connection Tracking Match: Not available
I wasn't quite sure if this was a self inflicted wound since I
of iptables is very non-descriptive and
shows this error if you forgot to load a (dependent) kernel module.
Gordon
cpu memhd wrote:
Hello,
This is something I ran into a long time ago. When ucbering 2.x went
from
iptables 1.3.1 to 1.3.5, I noticed that shorewall went from
wrote:
cpu memhd wrote:
Hey Erich,
I haven't tried it. But I thought I should comment on the
architecture. It
uses the Xeon Blackford chipset, which uses FB-DIMMS, which run very
hot.
I have 4 DIMMS, 4GB RAM in one of my personal servers, a 5000V
Blackford
and the DIMMs seem
I'm not trying to be funny, but you should try to solve this problem with
a counselor instead. If your girlfriend is on myspace all the time then
you need to have a good talk with her. Sounds like there is a deeper
underlying issue. Now if I wanted to do something like this, I suppose I'd
have a
The 1.3.0 version of pptpd produces lots of noise in the debug log. My log
today was 29MB all the same thing:
GRE: accepting #.
GRE: accepting #.
GRE: accepting #.
GRE: accepting #.
GRE: accepting #.
Looks like a bug (missing if (pptpctrl_debug)).
I used
Hey Erich,
I haven't tried it. But I thought I should comment on the architecture. It
uses the Xeon Blackford chipset, which uses FB-DIMMS, which run very hot.
I have 4 DIMMS, 4GB RAM in one of my personal servers, a 5000V Blackford
and the DIMMs seem to generate lots more heat than the CPU: a
Got the update. Logger is fixed, so is the /etc/hosts lookup problem.
Thanks!
-cpu
--- KP Kirchdoerfer [EMAIL PROTECTED] wrote:
On Wednesday 02 January 2008 04:14:59 cpu memhd wrote:
Thanks KP. Looks like I have a new problem:
Busybox won't configure my network interface
Thanks KP. Looks like I have a new problem:
Busybox won't configure my network interface:
Reconfiguring network interfaces: ifdown: don't seem to have all the
variables for eth0/inet
ifup: don't seem to have all the variables for eth0/inet
done.
This is only on the dhcp interface; the static
As of about two weeks ago busybox was updated and I'm trying to build it,
but I'm getting these errors:
make[1]: Entering directory
`/src/bering-uclibc/buildtool/source/busybox/busybox-1.8.2'
scripts/kconfig/conf -s Config.in
.config:34:warning: trying to assign nonexistent symbol
Not too long ago a member of the list asked about this. Currently,
uc-bering doesn't support USB input. So I sent him my files: input.o,
hid.o, keybdev.o (my firewalls don't have PS2 ports, only USB).
Is there a technical reason for not supporting USB input? It seems so
simple. I'd like to
Not too long ago a member of the list asked about this. Currently,
uc-bering doesn't support USB input. So I sent him my files: input.o,
hid.o, keybdev.o (my firewalls don't have PS2 ports, only USB).
Is there a technical reason for not supporting USB input? It seems so
simple. I'd like to
Sounds great, Eric. Thanks! -cpu
--- Eric Spakman [EMAIL PROTECTED] wrote:
Hi Cpu,
The next beta of Bering-uClibc will use a later version of busybox.
Hopefully all these issues will be solved by then.
Eric
Back in June I posted strange behavior by busybox/ping, but nothing
Yet another busybox issue. While this won't start a nuclear war or screw
up life support systems, I really like the 2.x reboot command with its
reassuring broadcast message:
Broadcast message from root (ttyp0) (Fri Oct 19 02:01:41 2007):
The system is going down for reboot NOW!
Yup. I rebooted
Back in June I posted strange behavior by busybox/ping, but nothing has
changed. I'd like to repost the problem (thoughts, anyone?):
---
3.1 busybox/ping behaves like ping6...
...when I ping anything in /etc/hosts
I've been using 3.1 for a while but just noticed this:
ping localhost
PING
Hello,
The newer logger in busybox in ucBering 3.1 doesn't work the same as
2.x. Try this:
2.x:
firewall# logger 1234 5678
firewall# tail /var/log/messages
...
Oct 19 00:34:39 firewall root: 12345678
3.1:
firewall# logger 1234 5678
firewall# tail /var/log/messages
...
Oct 19
...when I ping anything in /etc/hosts
I've been using 3.1 for a while but just noticed this:
ping localhost
PING localhost (7f00:1:60ea:ffbf::): 56 data bytes
ping: can't create raw socket: Address family not supported by protocol
(ping something-else-in-/etc/hosts ... same as above)
This is
Hello KP,
No ipv6 module that I can see.
-cpu
--- KP Kirchdoerfer [EMAIL PROTECTED] wrote:
On Saturday 23 June 2007 22:50:45 cpu memhd wrote:
...when I ping anything in /etc/hosts
I've been using 3.1 for a while but just noticed this:
ping localhost
PING localhost (7f00:1
I'll try it out. Thanks!
Eric Spakman wrote:
Hello Cpu,
I just committed iptables-1.3.5 to CVS, you may give that one a try.
Eric
With iptables 1.3.4, shorewall (2.4.7) reports connection tracking is
not available.
I checked /usr/share/shorewall/firewall and found this line:
qt
Eric,
Is, I don't think opensc is installed a good enough answer? :^).
From what I remember, there was a missing header file reported in the
logs. So I don't think it's installed.
-cpu
Eric Spakman wrote:
Hello Cpu,
I compiled openssh with the option enabled and disabled but with the
same
Hello Jim,
I doubt this will be added. You can get the patch from here:
http://ftp.die.net/pub/linux-kernel-tarpit/
What I did to get this working (actually, compiled--haven't really
tested)...
Step 1:
Download linux-2.4.18-tarpit.patch to ./source/linux/.
Step 2:
Edit
Hello Eric,
I'd get compile errors. This might explain it:
20050317
- (tim) [configure.ac] Bug 998. Make path for --with-opensc optional.
Make --without-opensc work.
- (tim) [configure.ac] portability changes on test statements. Some
shells
have problems with -a operator.
- (tim)
Hi Eric,
I'm not using openswan 2.4.4, I'm using 1.0.9. But I did look at the newer
_startklips and the line is the same. To me, this suggests it's making the
same assumptions about the interface. My guess is that it will work.
original 2.4.4
/usr/lib/ipsec/_startklips:
eval `ip addr show
Yup.
Eric Spakman wrote:
Hello Cpu,
Ok, thanks for reporting! If I understand correctly the
--without-opensc
Configure option is broken, removing the line will disable opensc
anyway.
Eric
Hello Eric,
I'd get compile errors. This might explain it:
20050317
- (tim) [configure.ac]
Eric,
Regarding openswan 2.x. It looks like one is supposed to use cryptoapi
instead of Juanjo's crypto algorithms. But there is no real info on how to
go from 1.x to 2.x. After getting stuck on SHA2_256 I gave up. Also, on
1.0.9 I made some modifications to ./pluto/kernel.c to allow for
Hmmm... Where/how do you set USE_EXTRACRYPTO?
-cpu
Eric Spakman wrote:
Hi Cpu,
Eric,
Regarding openswan 2.x. It looks like one is supposed to use cryptoapi
instead of Juanjo's crypto algorithms. But there is no real info on how
to
The cryptoapi stuff is optional and the other ciphers
Hello Arne,
I don't understand openswan 2.x. It doesn't have SHA2 (which I use).
Can't
modularize ciphers; no blowfish (missing usual ALGs). I tried using
cryptoapi's sha512 but that didn't work. I tried searching the openswan
mailing list, found a couple of similar concerns, but no answers.
With iptables 1.3.4, shorewall (2.4.7) reports connection tracking is
not
available.
I checked /usr/share/shorewall/firewall and found this line:
qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT
CONNTRACK_MATCH=Yes
Under 1.3.4 the above iptables command
...you get rid of this line in buildtool.mk:
--without-opensc
This appears to be an old problem not related to ucbering. I did not
save
my log messages so I can't report the errors, unfortunately.
-cpu
ddparker wrote:
NEVER BACKUP PACKAGES WITH DESTINATION DEVICE (hda1) MOUNTED!
This will corrupt the CF disk.
Yikes. I had a problem with corruption only once, using DriveImage
under DOS. For several months, while testing Leaf, my CF would be
mounted 80% of the time. I've never experienced
Erich Titl wrote:
NEVER BACKUP PACKAGES WITH DESTINATION DEVICE (hda1) MOUNTED!
This
will corrupt the CF disk.
It is not really _that_ bad. The only package which is attempted is
root.lrp
and, of course, a backup of all packages (which includes root). Then
it is not
only hda1
I boot from the CF on the IDE controller. Haven't tried booting from
USB except into DOS, which works fine on the CV863A, but I believe I
had problems on the CV860A. Nonetheless, if you setup your CF as an HD
(connected to the CF connector on the motherboard, or IDE/CF
converter), it should work
Auto, LBA, or CHS?
Consider this:
- Your controller is setup for Auto
- Your CF is detected as LBA
(even though it's = 512MB, all CFs are supposed to support LBA, my
understanding)
- Next day, your BIOS is having a bad-hair-day, CF is now detected as
CHS
(but you don't notice the boot message!
Charles,
I use the svi command all the time. I added kernel support for the vga=
option a long time ago, w00t! My console is set at 30 lines. Though I
use putty mostly.
Regarding the scroll back function, do you know how to increase the
buffer size?
I should mention, I really don't use lrcfg
device.
sleep 2
fi
:)
cpu memhd wrote:
Charles,
I use the svi command all the time. I added kernel support for the
vga=
option a long time ago, w00t! My console is set at 30 lines. Though I
use putty mostly.
Regarding the scroll back function, do you know how
in leaf.cfg. Not that I didn't know unix used LFs, I
simply assumed that because syslinux.cfg didn't mind a CR+LF, why
should leaf.cfg? -cpu
Luis.F.Correia wrote:
Hi!
-Original Message-
From: cpu memhd [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 29 June 2005 5:26
To: leaf-user
Eric, I understand, but a small installation script could solve these
problems. -cpu
Eric Spakman wrote:
It would be nice if that was possible, but unfortunately like Luis
told, it's not that easy. For example, we don't know which device is
the bootdevice, hda1, hdb1, something else? In my case
Only 64 messages this month. Are less and less people using leaf, what
is going on with everyone? I have been slowly rolling out leaf boxes
to about 16 locations. I couldn't have asked for a better
firewall/router. I'd like to very much thank the leaf developers for
their continued efforts. -cpu
Hello James! If software is like fine art then nothing is finished
(perfected), only abandoned. There is always something to improve. But
in lots of ways, leaf does appear to be complete. The only thing
lacking perhaps, is better usability, not features. It seems that
upgrading a leaf box can be
Hello Cirian, which lex system do you have? Sorry it didn't work out. I
must admit, getting leaf to boot off an ide device was a pain for me.
Honestly, it took several days, lots of hours. Of course, once you
figure it out, it is much too easy. -cpu
ciprian niculescu wrote:
I couldn't get it to
I don't know how frequently LARTC is updated, but it looks like a work
in progress. Not to say it's bad, it is very good, just sometimes
incomplete. I briefly looked into multicast routing to setup broadcast
gre tunnels but quickly realized I was about to swim with sharks
(recompile kernel or
Hello Eric,
I know these packages exist and it is easy to setup. But there are
still too many steps involved for the average n00b. Consider for a
moment, a prospective user: one must first decide which packages to
use:
dropbear/openssh? ipsec/openvpn? dhcpcd/dnsmasq?
shorwall.lrp/iptables.lrp
Hello,
What are you using padlock with, ipsec, openssl?
Padlock didn't speed up AES encryption as much as I expected. At least,
that was my initial observation with openswan.
Sadly to say, I lost (overwrote) my benchmarks so I can't say exactly
what the difference was. I will post my results
Eric, I did read that FAQ but I also read that latest versions of
libpcap should have that patch. Nevertheless, I'll look into it
some more. Thanks. -cpu
Does snort/uclibc-bering not support multiple interfaces? It seems that
it will only listen on a single interface per instance. I have modified
the init script arguments to look like this:
before:
-m 027 -D -c /etc/snort/snort.conf -l /var/log/snort -d -i $INTERFACE
after:
-m 027 -D -c
I'm having trouble deciding what to put in /etc/ipsec.conf, found
on
Really?? you don't say... :)
Try looking at it this way:
|- 172.16.0.100 (your PC)
|
|- 172.16.0.110 (your roomate's PC)
|
|
172.16.0.1 (eth1, your leaf router's
To be more specific, I am using suse 9 enterprise which uses a 2.6
kernel. It looks like suse 9.1 would be closer to enterprise 9.0.
Hello,
The documentation for freeswan/*swan (any that you may find on the net)
leaves much to be desired. And that is putting it mildly according to
some. There is lots of information, but typically hard to follow.
One problem that I have is not being able to understand how it
routes/decides to
It does not look like they're applied:
http://cvs.sourceforge.net/viewcvs.py/leaf/src/bering-uclibc/apps/linux/patches/
How about getting started with buildtool so you can incorporate those
patches into your own kernel?
http://leaf.sourceforge.net/doc/guide/buc-buildtool.html
Hello Jeremy,
I have two CV860As (Neo case). I also was faced with this question, to
buy the Intel NICs or the Realteks. I decided on the Realteks because
a) they are used in slews of embedded systems, like the Snapgears:
(http://www.cyberguard.com/products/firewall/SG_Family/), and b) the
Intels
Seems like the ipsec scripts rely heavily on ifconfig but that utility
is not available on bering-uclibc. There are lots of modifications to
make it work with the ip command. I was able to overcome this problem
by replacing this line in _startklips:
eval `ip addr show $phys primary | grep inet |
Observation: why is 'if test ! -f $ipsecversion' tested twice?
Conclusion: I have commented out 'if...insmod ipsec' and ipsec_aes.o is
now loaded/unloaded through prepluto=/postpluto= in ipsec.conf. -cpu
Erich Titl wrote:
cpu memhd wrote:
Using buildtool to build openswan for bering-uclibc 2.3 beta
Eric,
It looks like it's trying to load /lib/ipsec/ipsec (the shell script).
Does insmod default to the current directory? Perhaps the ipsec scripts
are being run from within /lib/ipsec.
Everywhere else it loads fine:
foobar# insmod ipsec
Using /lib/modules/ipsec.o
Here are some of the changes
Eric,
Thanks for the help. I followed your instructions in a previous post on
building the minimum packages after a kernel build: modules, initrd,
and root.lrp. ipsec was also built/packaged from the same kernel.
Today I tried beta 2.3:
1. Downloaded linux-2.4.29.upx (renamed to linux),
Using buildtool to build openswan for bering-uclibc 2.3 beta (kernel
2.4.29). Copy ipsec.lrp to LEAF box... everything seems normal except
ipsec does not load ipsec_aes.o like it used to before.
This becomes more of a problem when I want to:
svi ipsec stop (or restart) because it cannot unload
cpu memhd wrote:
I tried both 2.4.26 and 2.4.29. I ended up compiling the latest
squid stable9 on a mandrake box and using the libc225.lrp + a gcc
library it was complaining about. In other words, no uClibc. Works
pretty good.
Ok. Seems it's related to gcc change (as you said before
Anyone know if it's possible to get smbmount out of the samba package?
I tried option --with-smbmount in buildtool.mk, then ./buildtool.pl -f
build samba but that didn't work.
Kirchd,
I tried both 2.4.26 and 2.4.29. I ended up compiling the latest squid
stable9 on a mandrake box and using the libc225.lrp + a gcc library it
was complaining about. In other words, no uClibc. Works pretty good.
About the ticker problem. I guess it was pretty dumb of me to suggest
the
...trying to get a USB keyboard to work on a USB only system. I don't
give up that easily...After having problems trying to build sysvinit
with an older Mandrake distro I switched to Suse Enterprise 9. Now with
buildtool, I am able to produce all of the above modules with new
kernel and USB
Hi, thank you very much. That explains it. The question now is, what
core packages will I have to rebuild?
Thanks again. I was able to build package initrd, but not root or
modules:
- There is no modules package according to 'buildtool.pl describe'; how
do I build modules.lrp?
- I tried building root and it bombed out with an undefined reference
to crypt:
make[1]: Entering directory
How does one go about building a working kernel? I ran:
./buildtool.pl build kernel
I then tried booting both bzimage-2.4.26 and bzimage-2.4.26-upx and
both gave me oops/kernel panics after initializing the IDE controller
it seems.
./buildtool.pl describe says kgcc is required to build a
These modules are not part of the bering-uclibc distribution. What do I
need to do to build them?
Mike Noyes wrote:
On Wed, 2005-01-12 at 20:21, cpu memhd wrote:
didn't work for me is pretty hard to debug for anyone but you.
What is this supposed to mean?
cpu,
I believe it means, it's nearly impossible to tell what went wrong on
your side without better information.
Yes, I agree
run into I could probably help out
more. But I'm really just using the product. I have two leaf boxes in
production and more to come. -cpumemhd
Martin Hejl wrote:
cpu memhd wrote:
Excuse me. I can't help but notice a negative tone in your reply.
Maybe
I am mistaken. Please clarify:
Maybe
Hello,
Excuse me. I can't help but notice a negative tone in your reply. Maybe
I am mistaken. Please clarify:
Martin Hejl wrote:
cpu memhd wrote:
I had the same problem.
From the CVS help page:
http://www.leaf-project.org/doc/guide/buc-buildtool.html
This line didn't work for me:
cvs
I had the same problem.
From the CVS help page:
http://www.leaf-project.org/doc/guide/buc-buildtool.html
This line didn't work for me:
cvs -d :pserver:[EMAIL PROTECTED]:/cvsroot/leaf login
But this one did:
cvs -z3 -d :pserver:[EMAIL PROTECTED]:/cvsroot/leaf \
co src/bering-uclibc/buildtool
I am trying to download the dnscache sources from the CVS repository
(using buildtool.pl), but it is not there. Being that I'm new to LEAF
and CVS, I don't know what to ask other than, is dnscache no longer a
part of bering-uclibc?
Thanks for the help.
Where can I find dnscache sources?
Luis.F.Correia wrote:
Hi!
-Original Message-
From: cpu memhd [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 28, 2004 8:52 PM
To: leaf-user@lists.sourceforge.net
Subject: [leaf-user] where are the dnscache sources?
I am trying
Anyone using mini_httpd with ssl support? I can't get this to work with
either weblet or webconf no matter what I do. I keep getting
'connection refused'. I have libssl and libcrypto.
Most current mhttpds.lrp at leaf-project.org is:
Version: 1.19 Rev 1 - 2004-02-11
But I have:
1.19 Rev 2 -
eh... here was my problem:
*cgipat=cgi-bin/**|plugins/**
cgipat=**.cgi
Brownie points for those who can guess why I used an asterisk instead
of a # for the above comment.
. There are lots of possibilities.
Patrick Benson wrote:
cpu memhd wrote:
Thanks everyone for the help. I will certainly look into your
suggestions. I wish I could elaborate more but I've been very busy.
Basically, I find myself typing the same information (IP address,
subnet, broadcast, etc) in many
Okay. I figured out an easy way to do this. I stuck this in my
/etc/init.d/rc, /etc/init.d/rcS (and /etc/profile) files:
. /etc/myenv
Putting a . (period) was necessary otherwise the variables don't
export to the proceeding scripts. Why this is important, I don't know,
still learning Linux.
Thanks everyone for the help. I will certainly look into your
suggestions. I wish I could elaborate more but I've been very busy.
Basically, I find myself typing the same information (IP address,
subnet, broadcast, etc) in many different places. I will be rolling out
about 20 leaf boxes. About 15
I asked this question before but received no replies, I will ask again,
if anyone knows
Is it possible to create environment variables in linux/unix like you
would in DOS using CONFIG.SYS or AUTOEXEC.BAT? That is, a variable that
is accessible to any subsequent running program?
I vaguely
Thanks everyone for the help, I appreciate it very much.
I think the reason it was updating too frequently is logically because
ez-ipupd is saving to the RAM disk, which gets recreated upon every
reboot. This of course means that EZ-IPUPD will update DynDNS every
time I reboot.
So, I created a
That's easy to answer: so many packages/so little time. The box is not
yet in production.
K.-P. Kirchdörfer wrote:
On Monday, 6 December 2004 10:58, cpu memhd wrote:
Thanks everyone for the help, I appreciate it very much.
I think the reason it was updating too frequently is logically
As the topic says, I was blocked because of abuse:
The abuse system automatically blocks any hostname that repeatedly
tries to update a hostname from the same IP. This is done to conserve
bandwidth and prevent computers from updating every 5 minutes,
regardless of whether or not their IP address
Is there such a thing as global variables in Linux/Unix? To be more
specific, variables that are accessible to system processes, without
having to login? If so, how/where do you set them?
Do any of the crypto packages (IPsec, SS*, etc) make use of Via's
Padlock features found in Nehemiah C3 processors?
Bering uClibc 2.2: are any of the packages sensitive to the order in
which they're placed?
Okay, I figured out a solution reading the DNSMASQ docs (I'm using
DNSMASQ with messy DHCP). I forgot exactly everything I did, but I'm
pretty sure this is it (sorry to take so long to respond):
First I modified the dnsmasq config, note the change below:
# Change this line if you want dns to get
86 matches