Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
Adam Tauno Williams wrote: On Mon, 2010-12-06 at 17:15 -0500, Bob McConnell wrote: So, spending one or two or 100s /64 subnets with public IPv6 addresses which is completely blocked in a firewall will serve exactly the same purpose as a site-local subnet. But this /64 net may get access to the Internet *if* allowed by the firewall. This is not possible with site-local at all. And of course, this is without NAT in addition. I hope this made it a little bit clearer. Clear as mud. If I understand you correctly, I have to say that IPv6 is broken by design. It isn't. I have a double handful of computers on my home network. Each of them needs access to the Internet to get updates to the OS and various applications. However, I do *NOT* want each and every one of them to show up as a unique address outside of my network. Why? Things will only work better. NAT is not some magic sauce, it is a *HACK*. With IP4 and m0n0wall running as the NAT, they are all translated to the single IP address that Roadrunner assigned to my Firewall. I need to continue that mapping. Why? There is no reason. You are wrong, you do *NOT* need to continue that mapping. That mapping is pointless. No, it is not pointless. The first step in attacking any computer is finding the IP address. If that address is broadcast outside the firewall every time it talks to another computer, that step is simple. If it is hidden behind a firewall that does NAT, it becomes harder to find and that first step becomes much more difficult. Currently, the only IP address transmitted outside my firewall is the one assigned to that firewall by the Roadrunner DHCP server. None of the addresses inside are exposed. That is a level of protection I am not prepared to give up. I don't care how much you evangelists blab about the new improved sauce, I still see it as a solution in search of a problem. As far as I am concerned, NAT already solved the address space problem. 
Bob McConnell N2SPP ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
Adam Tauno Williams wrote: On Mon, 2010-12-06 at 18:28 -0500, Bob McConnell wrote: IPv6 is not broken by design. NAT was implemented to extend the time until IPv4 exhaustion. A side effect was hiding the internal IPv4 address, which complicates a number of protocols like FTP and SIP. The only downside I see is ISPs could try and charge based on the number of IPv6 addresses being used. No, the downside is that each address used will be exposed to the world. False. That is *NOT* a downside. NAT is *NOT* a magic sauce - install a firewall [which you probably already have]. Problem solved. I consider that a serious security flaw. It is not. Having my ISP know how many computers I have is a minor issue covered by the contract I have with them. So you want to cheap on the legal contract you agreed to? No, if they want too much money before I can install additional computers, I have several other choices, some of which will likely be less expensive. Currently, their TOS is not an issue. But having all of those addresses exposed to Russian mobsters, terrorists, crackers and everyone else that knows how to capture packets is another matter altogether. If IPv6 exposes that information to the world, it is definitely unsafe to use. The Russian mobsters can already do that; if you think NAT is protecting you from that then you are mistaken. NAT hides the IP addresses of the computers inside my firewall. The only address exposed is the temporary address assigned to the firewall itself. That box can be run on the most secure OS I can find (currently one of the BSD's), and allows me to operate other systems behind it that aren't as well protected. This makes it significantly more difficult for those mobsters to penetrate my network. Not allowing the most popular OS on the network at all is another layer of protection. Keeping everything up to date is another. It is a well known and established process to keep my computers secure. 
But now you are taking away one of those layers without providing anything of equal strength to replace it. I fail to see how that is an improvement. However, it appears some of you are actually evangelists in disguise, and refuse to acknowledge any real concerns about this change. So it becomes pointless to continue the discussion. Bob McConnell N2SPP
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
Gavin Carr wrote: On Mon, Dec 06, 2010 at 08:55:17PM -0500, Bob McConnell wrote: 3) When I connect my IPV6 refrigerator with its automatic inventory system tracking every RFID-enabled carrot I use, won't I be making my shopping habits visible to all those annoying advertisers? Or, in other words, am I compromising my privacy? Actually, although such dissemination of information can be blocked by a correctly designed firewall, I suspect the Free IPv6 DSL Modem and Router, Sponsored by your-favorite-commercial-site that comes with your ISP contract, would err on the side of promiscuity. Why yes, yes you are giving up some of your privacy. And unless you have the time and are willing and able to learn how to configure firewalls for each device and application you use, or have the money to pay someone else you trust to do it for you, there is very little to protect you from the rest of the world. That's at least overstated, and at worst complete FUD. Generic modems and routers will be configured as they are now - with stateful firewalls blocking all incoming traffic, except for streams initiated internally. Outgoing connections that would have worked before via NAT continue to work, but without NAT. Stateful firewalls are still stateful firewalls. Where are you giving up some of your privacy? The number of hosts on your internal network? So allocate 256 ips (or 65k, if you like) to every host and use a random ip from that set for every distinct service or outgoing connection. There _is_ more information leakage with ipv6, in the sense that you are using a real ip from an internal machine on the connection. But the point is that the security benefit of that is largely illusory, security by obscurity. No, it is not FUD, it is a real concern by people with much to lose. Those of you evangelizing this new, and still unproven technology can't seem to recognize this simple fact. I consider that information leakage to be very significant. 
It advertises the presence of another computer with explicit information on where to reach it. Regardless of the firewall, none of which are perfect, this increases the exposure of my systems in an adverse fashion. It increases my risk of being penetrated by someone I probably don't want rummaging around in my files. But I don't see any additional protection being offered to replace what is being taken away. Bob McConnell N2SPP
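Two things in this exchange are easier to see in code than in prose: David Sommerseth's point (further down the page) that a /48 delegation is simply 65536 /64 networks with no NAT in sight, and Gavin Carr's suggestion that a host can use a different random address out of its /64 for every outgoing connection, so that "exposing" the address tells an observer nothing about the machines behind the prefix. The following is an added example written for this page, not code from anyone in the thread. It assumes the ISP delegated 2001:db8:abcd::/48 (an RFC 3849 documentation prefix used as a stand-in) and picks subnet numbers arbitrarily.

```python
"""Added example, not from the thread: carve an ISP-delegated /48 into /64s
the way David Sommerseth describes, then hand out a fresh random source
address inside one /64 per outgoing connection, the scheme Gavin Carr
suggests instead of NAT.  2001:db8:abcd::/48 is a documentation prefix
(RFC 3849) standing in for whatever the ISP actually delegates; the subnet
numbers are arbitrary choices."""
import ipaddress
import secrets

ISP_PREFIX = ipaddress.IPv6Network("2001:db8:abcd::/48")  # assumed delegation


def subnet_count(delegation: ipaddress.IPv6Network, new_prefixlen: int = 64) -> int:
    """How many /new_prefixlen networks fit in the delegation (2**16 for /48 -> /64)."""
    if new_prefixlen < delegation.prefixlen:
        raise ValueError("new prefix must be at least as long as the delegation")
    return 2 ** (new_prefixlen - delegation.prefixlen)


def lan_subnet(delegation: ipaddress.IPv6Network, index: int) -> ipaddress.IPv6Network:
    """The index-th /64 inside a /48.

    Bits 0-47 are the ISP's prefix, bits 48-63 are the site's own subnet
    number (this index), and the low 64 bits are left for hosts.
    """
    if delegation.prefixlen != 48:
        raise ValueError("expected a /48 delegation")
    if not 0 <= index < subnet_count(delegation):
        raise ValueError("subnet index out of range for a /48")
    base = int(delegation.network_address)
    return ipaddress.IPv6Network((base | (index << 64), 64))


def random_address(subnet: ipaddress.IPv6Network) -> ipaddress.IPv6Address:
    """A random address in the /64: a random 64-bit interface identifier.

    This is the idea behind RFC 4941 temporary addresses, rotated per
    connection as Gavin proposes rather than per address lifetime.  An
    outside observer sees a different source address each time and cannot
    count the hosts behind the prefix.  The all-zero IID (subnet-router
    anycast) is skipped.
    """
    if subnet.prefixlen != 64:
        raise ValueError("expected a /64")
    while True:
        iid = secrets.randbits(64)
        if iid:
            return ipaddress.IPv6Address(int(subnet.network_address) | iid)


def addresses_per_connection(subnet: ipaddress.IPv6Network, n: int) -> list:
    """n fresh source addresses, one per outgoing connection."""
    return [random_address(subnet) for _ in range(n)]


if __name__ == "__main__":
    lan = lan_subnet(ISP_PREFIX, 0x10)
    print(subnet_count(ISP_PREFIX), "subnets; using", lan)
    for addr in addresses_per_connection(lan, 3):
        print(addr, addr in lan)
```

The firewall side is unchanged by any of this: a stateful rule set that drops inbound traffic to the chosen /64 unless it belongs to a flow initiated from inside gives the "private" subnet exactly the reachability a NATed RFC 1918 network has today, while the random host half means that the 2^64 addresses in the /64 are not something a scanner can enumerate.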
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
David Sommerseth wrote: On 06/12/10 15:29, Todd Rinaldo wrote: On Dec 6, 2010, at 5:27 AM, David Sommerseth wrote: On 05/12/10 14:21, Tom H wrote: On Sun, Dec 5, 2010 at 8:13 AM, RedShift redsh...@pandora.be wrote: On 12/05/10 12:50, Rudi Ahlers wrote: (http://www.internetnews.com/infra/article.php/3915471/IPv4+Nearing+Final+Days.htm), Haven't switched yet, I have IPv6 at home using sixxs. I can't even figure out what address ranges are reserved for private use, is there even such a concept in IPv6? I think that site-local (fec0:: - fef::) is the ipv6 more-or-less-equivalent of ipv4 private addresses. Yes, that's correct and it is deprecated. http://www.ietf.org/rfc/rfc3879.txt With IPv6 there is plenty of addresses for everyone so you basically use your own assigned official IPv6 address space and setup your own private /64 net and block that subnet in your firewalls. Another thing, there is no NAT and it will not be implemented as we know it in IPv4. To call NAT a security feature is also a faulty understanding. As NAT only prevents access from outside to some computer inside a network which is NAT'ed. This restriction and filtering is the task of the firewall anyway, which does the NAT anyway. NAT basically just breaks a lot of protocols and enforces complex firewalls which needs to understand a lot of different protocols to be able to do things correctly. Which often do not work as well as it could. I've heard this before but It's always confused me. Admittedly I haven't had a chance to look at the spec. If we're saying that everyone's going to have the same private subnet, then we're saying that all the private subnets are going to have to be NAT-ed aren't they? This can be a bit confusing, especially if you see this with IPv4 eyes. In IPv6, it basically is no such things as a private subnet (range). When you contact your ISP to get a IPv6 subnet, they will most probably give you a /48 network. That means you will have a IPv6 prefix which is unique. 
That is a reference to all _your_ IPv6 networks. Then you will normally segment this /48 subnet into more /64 networks. A /48 subnet gives you 65536 /64 networks. So the IPv6 prefix will be something like: :::::/64 the '::' part is the prefix your ISP will provide you, and this is the first 48bits of the IPv6 address. The '' part is up to you to decide what will be, and that's the next 16 bits of the address scope. So 48 + 16 = 64 bits. And 2^16 = 65536. And this is all you need to know about IPv6 addressing. Really! That's it. No network addresses, no broadcast addresses. Just pure usable IPv6 addresses. (You may of course make even more subnets below /64, but that's usually not recommended at - especially with auto-configured networks) So then ... the next phase. As everyone who gets a /48 nets should have it flexible enough to setup private networks, the firewall just needs to block completely in-going traffic to a /64 net defined by the admins as private. It can further be decided if this /64 net should have access to IPv6 addresses outside this local network. Again this is just a firewall rule and nothing more - allow or reject/drop. And then, the former proposed site-local subnet makes pretty much no sense, as IPv6 does not support NAT. As this network would not be able to communicate across a router/firewall. This subnet (fec0:: - fef::) should not be routed anywhere. And without NAT, it can't escape the subnet at all anyway. So, spending one or two or 100s /64 subnets with public IPv6 addresses which is completely blocked in a firewall will serve exactly the same purpose as a site-local subnet. But this /64 net may get access to the Internet *if* allowed by the firewall. This is not possible with site-local at all. And of course, this is without NAT in addition. I hope this made it a little bit clearer. Clear as mud. If I understand you correctly, I have to say that IPv6 is broken by design. I have a double handful of computers on my home network. 
Each of them needs access to the Internet to get updates to the OS and various applications. However, I do *NOT* want each and every one of them to show up as a unique address outside of my network. With IP4 and m0n0wall running as the NAT, they are all translated to the single IP address that Roadrunner assigned to my Firewall. I need to continue that mapping. If IPv6 cannot do that, then I hope Time-Warner continues to ignore it and stays with their current address structure. Bob McConnell N2SPP
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
Ryan Wagoner wrote: On Mon, Dec 6, 2010 at 5:15 PM, Bob McConnell rmcco...@lightlink.com wrote: David Sommerseth wrote: On 06/12/10 15:29, Todd Rinaldo wrote: On Dec 6, 2010, at 5:27 AM, David Sommerseth wrote: On 05/12/10 14:21, Tom H wrote: On Sun, Dec 5, 2010 at 8:13 AM, RedShift redsh...@pandora.be wrote: On 12/05/10 12:50, Rudi Ahlers wrote: (http://www.internetnews.com/infra/article.php/3915471/IPv4+Nearing+Final+Days.htm), Haven't switched yet, I have IPv6 at home using sixxs. I can't even figure out what address ranges are reserved for private use, is there even such a concept in IPv6? I think that site-local (fec0:: - fef::) is the ipv6 more-or-less-equivalent of ipv4 private addresses. Yes, that's correct and it is deprecated. http://www.ietf.org/rfc/rfc3879.txt With IPv6 there is plenty of addresses for everyone so you basically use your own assigned official IPv6 address space and setup your own private /64 net and block that subnet in your firewalls. Another thing, there is no NAT and it will not be implemented as we know it in IPv4. To call NAT a security feature is also a faulty understanding. As NAT only prevents access from outside to some computer inside a network which is NAT'ed. This restriction and filtering is the task of the firewall anyway, which does the NAT anyway. NAT basically just breaks a lot of protocols and enforces complex firewalls which needs to understand a lot of different protocols to be able to do things correctly. Which often do not work as well as it could. I've heard this before but It's always confused me. Admittedly I haven't had a chance to look at the spec. If we're saying that everyone's going to have the same private subnet, then we're saying that all the private subnets are going to have to be NAT-ed aren't they? This can be a bit confusing, especially if you see this with IPv4 eyes. In IPv6, it basically is no such things as a private subnet (range). 
When you contact your ISP to get a IPv6 subnet, they will most probably give you a /48 network. That means you will have a IPv6 prefix which is unique. That is a reference to all _your_ IPv6 networks. Then you will normally segment this /48 subnet into more /64 networks. A /48 subnet gives you 65536 /64 networks. So the IPv6 prefix will be something like: :::::/64 the '::' part is the prefix your ISP will provide you, and this is the first 48bits of the IPv6 address. The '' part is up to you to decide what will be, and that's the next 16 bits of the address scope. So 48 + 16 = 64 bits. And 2^16 = 65536. And this is all you need to know about IPv6 addressing. Really! That's it. No network addresses, no broadcast addresses. Just pure usable IPv6 addresses. (You may of course make even more subnets below /64, but that's usually not recommended at - especially with auto-configured networks) So then ... the next phase. As everyone who gets a /48 nets should have it flexible enough to setup private networks, the firewall just needs to block completely in-going traffic to a /64 net defined by the admins as private. It can further be decided if this /64 net should have access to IPv6 addresses outside this local network. Again this is just a firewall rule and nothing more - allow or reject/drop. And then, the former proposed site-local subnet makes pretty much no sense, as IPv6 does not support NAT. As this network would not be able to communicate across a router/firewall. This subnet (fec0:: - fef::) should not be routed anywhere. And without NAT, it can't escape the subnet at all anyway. So, spending one or two or 100s /64 subnets with public IPv6 addresses which is completely blocked in a firewall will serve exactly the same purpose as a site-local subnet. But this /64 net may get access to the Internet *if* allowed by the firewall. This is not possible with site-local at all. And of course, this is without NAT in addition. I hope this made it a little bit clearer. 
Clear as mud. If I understand you correctly, I have to say that IPv6 is broken by design. I have a double handful of computers on my home network. Each of them needs access to the Internet to get updates to the OS and various applications. However, I do *NOT* want each and every one of them to show up as a unique address outside of my network. With IP4 and m0n0wall running as the NAT, they are all translated to the single IP address that Roadrunner assigned to my Firewall. I need to continue that mapping. If IPv6 cannot do that, then I hope Time-Warner continues to ignore it and stays with their current address structure. Bob McConnell N2SPP IPv6 is not broken by design. NAT was implemented to extend the time until IPv4 exhaustion. A side effect was hiding the internal IPv4 address, which complicates a number of protocols like FTP and SIP. The only downside I see is ISPs could try and charge
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
David wrote: Folks I have been following the IPV6 comments. What concerns me with the loss of NAT are the following issues: 3) When I connect my IPV6 refrigerator with its automatic inventory system tracking every RFID-enabled carrot I use, won't I be making my shopping habits visible to all those annoying advertisers? Or, in other words, am I compromising my privacy? Actually, although such dissemination of information can be blocked by a correctly designed firewall, I suspect the Free IPv6 DSL Modem and Router, Sponsored by your-favorite-commercial-site that comes with your ISP contract, would err on the side of promiscuity. Why yes, yes you are giving up some of your privacy. And unless you have the time and are willing and able to learn how to configure firewalls for each device and application you use, or have the money to pay someone else you trust to do it for you, there is very little to protect you from the rest of the world. I just finished reviewing my firewall logs for last week. There are 127MiB with ipmon reports of rejected connection attempts. That's actually on the low side for any seven day period. I have some weeks that are half again that much. Somebody out there is pounding on that firewall pretty hard, trying to break in. I'm certain they don't have my best interests at heart. Most of the ports attacked are linked to well known services and worms on one particular OS, which I don't happen to have running on my network. But this log tells me that it is important to make it as difficult as possible for whomever is knocking on the door. I don't see that IPv6 helps improve that protection. In fact, it appears to eliminate some of the protection I have now. Somebody mentioned that NAT broke several protocols when it was introduced. That suggests those protocols needed to be fixed or replaced. In particular, FTP should have been trashed decades ago. 
It was designed when every system administrator could be held responsible for his actions or inaction. That requirement disappeared more than 20 years ago. Protocols that depended on it should have disappeared with it. Bob McConnell N2SPP
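Bob mentions 127 MiB of ipmon rejection records a week and that most of the ports hit belong to services of one particular OS. The following is an added example for this page, not anything Bob posted: a small parser that reads ipmon(8) block records and tallies blocked inbound attempts per destination port and per source. The sample lines are constructed for the demo (documentation addresses, an invented interface name) and follow the ipmon layout of date, time, optional repeat count, interface, rule, action, source and destination with ports, protocol, lengths and direction; ICMP records, which carry no ports, are skipped by this parser. The port labels are my own choices for the ports in the sample.

```python
"""Added example, not from the thread: tally ipmon(8) block records by
destination port and by source.  Sample records are constructed; the
addresses are RFC 5737 documentation addresses and fxp0 is an assumed
interface name."""
import re
from collections import Counter

SAMPLE_LOG = """\
06/12/2010 03:14:07.123456 fxp0 @0:9 b 203.0.113.5,49152 -> 198.51.100.2,445 PR tcp len 20 48 -S IN
06/12/2010 03:14:09.223456 2x fxp0 @0:9 b 203.0.113.5,49153 -> 198.51.100.2,139 PR tcp len 20 48 -S IN
06/12/2010 03:15:11.323456 fxp0 @0:9 b 203.0.113.77,1025 -> 198.51.100.2,1433 PR tcp len 20 48 -S IN
06/12/2010 03:16:00.423456 fxp0 @0:9 b 192.0.2.200,3345 -> 198.51.100.2,445 PR tcp len 20 48 -S IN
06/12/2010 03:16:02.523456 fxp0 @0:9 b 192.0.2.200,3346 -> 198.51.100.2,135 PR tcp len 20 48 -S IN
06/12/2010 03:17:45.623456 fxp0 @0:3 p 198.51.100.2,51000 -> 192.0.2.10,80 PR tcp len 20 60 -S OUT
06/12/2010 03:18:30.723456 fxp0 @0:9 b 203.0.113.5,49160 -> 198.51.100.2,22 PR tcp len 20 48 -S IN
06/12/2010 03:19:12.823456 3x fxp0 @0:9 b 198.51.100.99,1900 -> 198.51.100.2,1434 PR udp len 20 404 IN
"""

# date time [Nx] iface @group:rule action src,sport -> dst,dport PR proto ... dir
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?:(?P<repeat>\d+)x )?(?P<iface>\S+) "
    r"@(?P<rule>\S+) (?P<action>[bp]) "
    r"(?P<src>[^,]+),(?P<sport>\d+) -> (?P<dst>[^,]+),(?P<dport>\d+) "
    r"PR (?P<proto>\S+) .* (?P<dir>IN|OUT)$"
)

# My own labels for the ports that appear in the sample (assumption, not ipmon data).
WELL_KNOWN = {
    ("tcp", 22): "ssh",
    ("tcp", 135): "msrpc",
    ("tcp", 139): "netbios-ssn",
    ("tcp", 445): "microsoft-ds",
    ("tcp", 1433): "ms-sql-s",
    ("udp", 1434): "ms-sql-m",
}


def parse(log_text: str) -> list:
    """Parse TCP/UDP records; lines without ports (ICMP etc.) are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["repeat"] = int(rec["repeat"] or 1)   # ipmon folds duplicates into "Nx"
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records


def blocked_inbound_by_port(records: list) -> Counter:
    """Blocked inbound packets per (proto, dport), honouring the repeat count."""
    counts = Counter()
    for r in records:
        if r["action"] == "b" and r["dir"] == "IN":
            counts[(r["proto"], r["dport"])] += r["repeat"]
    return counts


def noisy_sources(records: list, threshold: int = 2) -> dict:
    """Sources that hit the block rule at least `threshold` times."""
    counts = Counter()
    for r in records:
        if r["action"] == "b" and r["dir"] == "IN":
            counts[r["src"]] += r["repeat"]
    return {src: n for src, n in counts.items() if n >= threshold}


def report(log_text: str) -> list:
    """(proto, port, label, hits) sorted by hits, most first."""
    counts = blocked_inbound_by_port(parse(log_text))
    return [(proto, port, WELL_KNOWN.get((proto, port), "?"), n)
            for (proto, port), n in counts.most_common()]


if __name__ == "__main__":
    for row in report(SAMPLE_LOG):
        print(row)
    print(noisy_sources(parse(SAMPLE_LOG)))
```

Run it over a real week of ipmon output and the port table is what tells you whether the noise is worm traffic for services you do not run (worth ignoring) or repeated probes at something you do expose (worth a closer look at the source list).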
Re: [CentOS] SELinux - way of the future or good idea but !!!
Leonard den Ottolander wrote: With the ever increasing complexity of software is there any software you trust? I know I don't. Are you running your Flash plugin in Mozilla as a different user than the one you logged into under X? Care to elaborate how to accomplish such a feat? Or can you provide any pointers? That one's easy, don't ever install the plugin, or anything else from Adobe. Second step, set NoScript to block everything and everyone. If any site has content that requires either of those, I will never see it. That's their loss, not mine. If they want me to see it they can make it available via the approved methods. Bob McConnell N2SPP
Re: [CentOS] SELinux - way of the future or good idea but !!!
Marko Vojinovic wrote: On Sunday 28 November 2010 03:45:54 Nico Kadel-Garcia wrote: On Sat, Nov 27, 2010 at 9:21 PM, John R. Dennison j...@gerdesas.com wrote: You run it in Permissive mode, you deal with the exceptions as they arise while the software is running in its normal environment and while it's running normally using any of the documented methods. You thoroughly test the application in such a manner and once you have ironed out any and all issues by putting together a custom policy, setting the right SElinux booleans, etc, you then enable Enforcing mode. There is really no reason that SElinux should have a negative impact on your application or server if you use Permissive first. You forgot take on becoming the SELinux integration manager for that project with every single update. Every single update? Update of what? Marko, You have completely missed his point. Every update of the application *his company* is writing to run on those CentOS servers. This has nothing to do with RedHat, CentOS, or any other FLOSS package. It is a management problem within his employer's organization. If the managers don't care to require the application be SE compliant, he will never be able to get the developers to deal with those issues. So for him it is already a lost battle. Bob McConnell N2SPP
Re: [CentOS] SELinux - way of the future or good idea but !!!
Marko Vojinovic wrote: On Sunday 28 November 2010 13:15:24 Bob McConnell wrote: Marko Vojinovic wrote: On Sunday 28 November 2010 03:45:54 Nico Kadel-Garcia wrote: You forgot take on becoming the SELinux integration manager for that project with every single update. Every single update? Update of what? You have completely missed his point. Every update of the application *his company* is writing to run on those CentOS servers. This has nothing to do with RedHat, CentOS, or any other FLOSS package. It is a management problem within his employer's organization. If the managers don't care to require the application be SE compliant, he will never be able to get the developers to deal with those issues. So for him it is already a lost battle. Well, in that case he is dealing with a broken/badly coded app, and irresponsible managers and developers. It's a problem, yes, but this isn't a fault of SELinux, and advocating that SELinux is bad because some manager doesn't know about security is completely wrong IMHO. And supporting advice given to people on this list to turn off SELinux because some devs in some company don't do their job right is also completely wrong. Been there, done that. We had the same problems just a few years ago, managers with no concerns about security as long as everything worked. Our project leader was beside himself trying to get even rudimentary validation and sanitization into the code. Then it was decided that we needed to accept credit card transactions on the server. Suddenly the developers had to learn and apply the OWASP guidelines. Next there was PCI training and a flurry of activity to make all of our web based applications conform before the initial audit. But SE wasn't even discussed, nor was it ever required. It is still not enabled on any of our test or development servers. 
The only reason we ended up with it on the production servers was our switch from self-hosted to a managed hosting service who enabled it in the normal course of setting up their servers. Maybe we're just lucky, but we have never touched a line of code because of it. If Nico had to deal with lousy-coded software conflicting with SELinux, it doesn't mean that shutting down SELinux is a good idea for everyone (or anyone) else. Maybe not, but the risks should be evaluated on a case by case basis. I don't believe it can be considered a panacea either. Even with SE in full protected mode, a simple SQL injection flaw can still expose much of the sensitive data on your server. Bob McConnell N2SPP
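The closing point, that SELinux in enforcing mode does nothing against a SQL injection flaw, is worth seeing concretely: the web application's own database account is allowed to read the table, so the policy sees a permitted process doing a permitted thing. The following is an added example written for this page, not code from the thread or from Bob's employer. It uses an in-memory sqlite3 database as a stand-in for the PHP/PostgreSQL stack mentioned later in the page; the table, rows and attacker input are constructed.

```python
"""Added example, not from the thread: the injectable query beside the
parameterised one.  sqlite3 in memory stands in for the real database;
the table, rows and payload are constructed for the demo."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory table holding the kind of data a PCI audit cares about."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT,"
        " password_hash TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, card_last4) VALUES (?, ?, ?)",
        [("alice", "h1", "1234"), ("bob", "h2", "9876"), ("carol", "h3", "5555")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Deliberately injectable: user input is spliced into the SQL text.

    The application's DB account may read `users`, so the resulting
    full-table read is, from the OS and SELinux point of view, a permitted
    process reading permitted data.
    """
    sql = "SELECT username, card_last4 FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Same query with a bound parameter: the input is data, never SQL."""
    return conn.execute(
        "SELECT username, card_last4 FROM users WHERE username = ?", (username,)
    ).fetchall()


# Constructed attacker input: closes the string literal, appends a tautology.
PAYLOAD = "x' OR '1'='1"


def demo() -> dict:
    """Run both lookups with a normal name and with the payload."""
    conn = make_db()
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "alice"),
        "vulnerable_payload": lookup_vulnerable(conn, PAYLOAD),
        "safe_normal": lookup_safe(conn, "alice"),
        "safe_payload": lookup_safe(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

With the payload the vulnerable lookup returns every row; the parameterised one returns nothing, because there is no user literally named `x' OR '1'='1`. The OWASP guidelines Bob's team had to adopt for PCI come down to the second function, and that fix lives in the application, not in the OS policy.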
Re: [CentOS] httpd RPM newer than 2.0.63 avail for CentOS 4.x?
Philip Amadeo Saeli wrote: Thank you all for the helpful and informative replies. However, I have some additional questions (interspersed below). For some background, the organization I'm doing this for is a significantly resource constrained, very small company, so I have been having to take carefully measured steps in upgrading their systems and bringing them into conformance. In all cases, the systems were set up by others prior to my time with them. In particular, it would be better, given their constraints, if I could get their CentOS 4 system up to standards prior to migrating to a CentOS 5 system (which I'd already proposed to them). Even migrating to CentOS 5 doesn't, by itself, solve my problem (see comments below). * Bob McConnell rmcco...@lightlink.com [2010-11-07 07:50:42 -0500]: 4. Once you finish tweaking the configuration, test all of your software, web pages, etc. 6. Do a complete acceptance test on the production server. (We actually use a second Internet facing server for acceptance tests before committing changes to the production server.) How does one set up a test [web] server which has a number of sites, all secured via SSL certs which are bound to the domain, and hence the IP address, of the sites on the server? They do have a developmental server which uses one, company-issued SSL cert to secure all of the test sites. However, the Apache config for this is substantially different than that for the production server. It appears that I'd have to set up an additional, special testing DNS space with new IP addresses, or to enter them into the hosts file(s) of the web client test systems. Also, I would not be able to simply copy the httpd config file(s) from the production system to the test system due to having to have different IP addresses for each site. Or is there some other way to do this? I'm really stumped over this one. It's probably not necessary to use the same certificates, as long as those you use are the same type and format.
When we need to test to that level, we actually set up our own CA to generate test certificates for internal use only. We're testing for the functionality, not the specific certificates. Having said that, most of our in-house testing is done without SSL. Even servers that are normally part of a VPN are only tested within a LAN rather than on the VPN. Most of that functionality comes from third party FLOSS applications, so we are rather confident that any problems will be fixed before we run across them. 7. Use YUM to update your test server at least once a week. 8. As soon as you finish testing all of the updates each week, use YUM to install them on the production server. (But don't ever do this on Friday. If you missed something, you don't want to have to work on the weekend.) 9. Subscribe to announcements and several security mailing lists to get advanced warning of any known issues that need to be patched immediately. 10. Start tracking RedHat/CentOS 6 release candidates ASAP. Officially, by PCI rules we have 30 days after release of an OS update to get it installed on Internet facing systems. So the auditors will give us one pass on their monthly validation cycle before they start to complain. This does give us some time to test for problems and correct them before updating the production servers. But this requires a test server that is configured exactly like the production server so we can make sure the updates won't break any of our applications before we will install them in production. We have one developer from each product team, one QA manager, one Support tech and an IT tech that track these issues and make sure our servers are up to date. As one of the developers in that group, I monitor CentOS announcements and two security lists, forwarding relevant messages to the entire group. There is a similar but larger group tracking Microsoft updates. 
In addition to CentOS and Apache, we also track updates to PHP, PostgreSQL and a couple dozen supporting packages and maintenance tools. Bob McConnell N2SPP Bob, your thoughtful, insightful, informative, and detailed reply is very helpful. Thanks! My biggest hangup WRT the above is exactly how to set up a test server that very closely mirrors the production server without needing to have to maintain significant configuration changes, esp WRT an SSL-secured web server. How close the mirror has to be is a question only you can answer. But you have to be practical. What are you actually testing? If you have your own software that is providing SSL and other system level capabilities, then yes, you need to include them on your test system. If you are looking at a mix of releases that are not in sync with each other, yes you may need to test a little more thoroughly. But in most cases you will likely be using software that is part of the OS distribution, or what other developers
Re: [CentOS] Addressing outgoing connections to a specific interface
Dotan Cohen wrote: On Sat, Nov 6, 2010 at 23:19, Bob McConnell rmcco...@lightlink.com wrote: To amplify this just a little bit, by the rules of IP routing, every machine must: A) Have a unique address. B) Be attached to the proper subnet for that address as defined by the local netmask. Once those are true, there exists a unique route between any two machines connected to the network, or the Internet.

Both those conditions are met in this use case, however the machine in question is on two networks:

|--Network1--|--Network2--|
A            C            B

A: router on the wireless network
B: router on the wired network
C: CentOS laptop

Each router has a unique address on its own network, as per spec. The laptop is connected to two networks, on two different interfaces. The networks were never designed to be connected, and in fact there is no connection between them.

But by dual homing your laptop on the two subnets simultaneously, you are breaking those rules. Neither the subnets nor the host address are unique any longer from the laptop's perspective. It sees two identical subnets with different routes but cannot reliably determine which subnet any particular process is trying to reach. In fact, it may even try to send packets for one socket out the other port when the first port is busy, thinking it actually has multiple routes to the same subnet.

Correct me if I'm wrong, but NAT is what C would do to let a computer on Network1 access a resource on Network2. C would be the gateway, rerouting packets between the two networks and correcting for address used on both sides.

No, NAT would simply change the apparent addresses on Network2 to a space that doesn't conflict with Network1. C is the only common point and it should never be routing packets between those networks.

However, I am not trying to create a gateway! In this case, C itself (as a workstation) needs to access resources on both networks.

Yes, you are trying to create a gateway for your laptop. You need a router between C and one of the two networks with NAT capabilities so that your laptop will see a unique path to each subnet. i.e.

|--Network1--|--wlan0-.-eth0--|--NAT--|--Network2--|
A                     C                           B

Now, this could be as simple as a cable router set up for a different LAN subnet, or it could be a VM on your laptop configured as a router. That would produce something more like this.

|--Network1--|--wlan0-.-NAT--eth0--|--Network2--|
A                     C                        B

Nothing in Network2 has to change, but the NAT translates those addresses into a space that no longer conflicts with Network1. That restores the uniqueness requirements for your laptop. HTH, Bob McConnell N2SPP
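The routing rule Bob is describing, and the way a NAT box on one side restores it, can be modelled in a few lines. The following is an added example written for this page, not code from the thread: a toy longest-prefix route lookup shows that two 192.168.0.0/24 routes on different interfaces leave the laptop with an ambiguous choice, and a static 1:1 prefix translation on eth0 gives Network2 a non-conflicting alias. The interface names and 192.168.0.0/24 are the ones in the thread; the alias prefix 192.168.1.0/24 is an arbitrary choice.

```python
"""Added example, not from the thread: a toy route lookup and a 1:1 NAT
that show why the dual-homed laptop cannot tell the two 192.168.0.0/24
networks apart, and how a NAT box on one side restores a unique path.
Interface names and 192.168.0.0/24 come from the thread; 192.168.1.0/24
is an arbitrary alias prefix."""
import ipaddress


class RouteTable:
    """Destination-based routing: longest prefix wins, ties are ambiguous."""

    def __init__(self):
        self.routes = []  # (network, interface)

    def add(self, cidr: str, iface: str):
        self.routes.append((ipaddress.ip_network(cidr), iface))

    def lookup(self, dst: str) -> list:
        """Interfaces whose route has the longest matching prefix (sorted).

        A real kernel picks one of them by metric or table order, which is
        not necessarily the one the application meant.
        """
        addr = ipaddress.ip_address(dst)
        matches = [(net, iface) for net, iface in self.routes if addr in net]
        if not matches:
            return []
        best = max(net.prefixlen for net, _ in matches)
        return sorted({iface for net, iface in matches if net.prefixlen == best})


class OneToOneNat:
    """Static prefix translation on one interface (the router between C and B).

    Packets the laptop sends to the alias prefix are rewritten to the real
    prefix on the far side, host part preserved.
    """

    def __init__(self, iface: str, alias_cidr: str, real_cidr: str):
        self.iface = iface
        self.alias = ipaddress.ip_network(alias_cidr)
        self.real = ipaddress.ip_network(real_cidr)
        if self.alias.prefixlen != self.real.prefixlen:
            raise ValueError("alias and real prefixes must be the same size")

    def translate(self, dst: str):
        addr = ipaddress.ip_address(dst)
        if addr not in self.alias:
            return addr
        offset = int(addr) - int(self.alias.network_address)
        return ipaddress.ip_address(int(self.real.network_address) + offset)


def deliver(table: RouteTable, nat, dst: str) -> tuple:
    """Which interface a packet for dst leaves on, and the address the far
    side finally sees.  ("ambiguous", ifaces) when routing cannot decide."""
    ifaces = table.lookup(dst)
    if len(ifaces) != 1:
        return ("ambiguous" if ifaces else "no-route", ifaces)
    iface = ifaces[0]
    seen = nat.translate(dst) if nat is not None and iface == nat.iface else dst
    return (iface, str(seen))


def conflicting_setup() -> RouteTable:
    """Dotan's situation: both LANs are 192.168.0.0/24."""
    table = RouteTable()
    table.add("192.168.0.0/24", "wlan0")
    table.add("192.168.0.0/24", "eth0")
    return table


def nat_setup():
    """The fix: a NAT box on eth0 presents Network2 as 192.168.1.0/24."""
    table = RouteTable()
    table.add("192.168.0.0/24", "wlan0")
    table.add("192.168.1.0/24", "eth0")
    return table, OneToOneNat("eth0", "192.168.1.0/24", "192.168.0.0/24")


if __name__ == "__main__":
    print(deliver(conflicting_setup(), None, "192.168.0.1"))
    table, nat = nat_setup()
    print(deliver(table, nat, "192.168.0.1"))   # wlan0, native address
    print(deliver(table, nat, "192.168.1.1"))   # eth0, arrives as 192.168.0.1
```

With the alias in place the laptop reaches the wireless router at its native 192.168.0.1 and the wired one at 192.168.1.1, which the NAT turns back into 192.168.0.1 on the far side. That is the arrangement Lamar Owen sketches in the other reply on this page.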
Re: [CentOS] httpd RPM newer than 2.0.63 avail for CentOS 4.x?
RedShift wrote: On 11/07/10 06:17, Philip Amadeo Saeli wrote: I'm maintaining an internet-facing web server which is now running httpd 2.0.63 (httpd-2.0.63-2.el4s1.centos.2) which is now nearly 2.5 years old(!?!). I need to move to either 2.0.64 or 2.2.12 or later. However, I've been unable to find available RPMs for such releases for CentOS 4.x. I have to believe that others have these needs also. In light of this, how do others keep up with security upgrades for the httpd? I'm rather new to this aspect of things, so am still in the process of sorting things out in this regard. Any help would be appreciated. Thanks! --Phil Upgrade to the latest 5 release.

It's not that easy to do that much of an upgrade. But since the EOL announcement for release 3 was posted recently, it definitely needs to be done. This is how I would proceed.

1. Backup all data and configuration info on that server.
2. Set up a test server with the current release (CentOS 5).
3. Restore all data and configuration info on the test server. Plan on spending time to rewrite configuration files to match current formats and settings.
4. Once you finish tweaking the configuration, test all of your software, web pages, etc.
5. When you are sure everything works, install the current OS on the production server, restore the data and reconfigure it to match the test server.
6. Do a complete acceptance test on the production server. (We actually use a second Internet facing server for acceptance tests before committing changes to the production server.)
7. Use YUM to update your test server at least once a week.
8. As soon as you finish testing all of the updates each week, use YUM to install them on the production server. (But don't ever do this on Friday. If you missed something, you don't want to have to work on the weekend.)
9. Subscribe to announcements and several security mailing lists to get advanced warning of any known issues that need to be patched immediately.
10. Start tracking RedHat/CentOS 6 release candidates ASAP.

Officially, by PCI rules we have 30 days after release of an OS update to get it installed on Internet facing systems. So the auditors will give us one pass on their monthly validation cycle before they start to complain. This does give us some time to test for problems and correct them before updating the production servers. But this requires a test server that is configured exactly like the production server so we can make sure the updates won't break any of our applications before we will install them in production. We have one developer from each product team, one QA manager, one Support tech and an IT tech that track these issues and make sure our servers are up to date. As one of the developers in that group, I monitor CentOS announcements and two security lists, forwarding relevant messages to the entire group. There is a similar but larger group tracking Microsoft updates. In addition to CentOS and Apache, we also track updates to PHP, PostgreSQL and a couple dozen supporting packages and maintenance tools. Bob McConnell N2SPP
Re: [CentOS] Addressing outgoing connections to a specific interface
Lamar Owen wrote:
> On Nov 6, 2010, at 4:05 PM, Dotan Cohen wrote:
>> On Sat, Nov 6, 2010 at 20:51, Lamar Owen lo...@pari.edu wrote:
>>> But at the end you would access 192.168.1.1 and it would get translated to 192.168.0.1 at the eth0 point and wouldn't interfere with the wlan0 version of the 192.168.0.1 address. I'm not exactly 100% sure it can be done without an external NAT box, but a small external router that can do NAT would make it much easier.
>>
>> That is not what I am trying to do, I will try to rephrase: I have a laptop connected to two network interfaces: eth0 and wlan0. Each interface connects to a different LAN. Both LANs have machines on the 192.168.0.1 address that I must access via port 80 in a web browser. I don't need to access each one at the same time, but I do need to leave both interfaces up for other software running on this machine. CentOS 5.5, Dell Inspiron laptop.
>
> Right, I understood that. If you did a NAT you would access the WLAN one with its native 192.168.0.1, and the other one on eth0 with the translated (also RFC 1918) address, whatever you might have set that to. Now, I do realize that some routers will re-inject their IP address into URLs, and that might break things; fixable using DNS, but that's neither here nor there. And your machine itself needs access to both routers at the same time, whether you do or not, as you've described things, since one of those routers is the default gateway for the machine.
>
>> I suppose that I need either:
>> 1) An address system such as eth0:192.168.0.1 and wlan0:192.168.0.1 (syntax invented to illustrate idea, it doesn't really work!)
>> -or-
>> 2) A way to do something like this as a user without affecting other users:
>> $ export INTERFACE=eth0
>> $ lynx 192.168.0.1
>> $ export INTERFACE=wlan0
>> $ lynx 192.168.0.1
>
> 2.5) The iptables -mowner --uid-owner rule might help you. (see http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html#OWNERMATCH ) It has breakage as noted in the tutorial, however.
>
> Packet routing isn't designed to switch between multiple devices with the same address; the interface used isn't supposed to matter, in the eyes of the routing table (and in normal IP practice). Addresses are supposed to be unique, from the point of view of any given IP host, in other words. This is the problem NAT was invented to solve. Some routing protocols deal with this in ways, but, again, these protocols assume that if the address is the same, it's going to the same host. But you already knew all that... and I know you already knew all that.

To amplify this just a little bit, by the rules of IP routing, every machine must:

A) Have a unique address.
B) Be attached to the proper subnet for that address as defined by the local netmask.

Once those are true, there exists a unique route between any two machines connected to the network, or the Internet.

Having said that, part of the 192.168 address block is unique in that it cannot be routed over the Internet. It doesn't exist anywhere as far as those routers are concerned. However, there is a way to map that block of local addresses to routeable addresses, called Network Address Translation (NAT). All you need is one router between the private block and the Internet that you can use to do that mapping. Most firewalls can handle that in their sleep.

So what you need is a way to insert a router between your software and one of your devices with the duplicated address. That router would then translate the addresses in one of those subnets into a unique address that won't conflict with the other. Personally, I would probably use a VM with FreeBSD and/or m0n0wall.

But I still wonder if you are unique in finding this address collision, or do others also have the same problem? If it is widespread, then it should be solved by the people managing those devices.

Bob McConnell
N2SPP
Re: [CentOS] Memtest86+ running time
Jake Shipton wrote:
> On 03/11/10 22:03, Akemi Yagi wrote:
>> On Wed, Nov 3, 2010 at 2:47 PM, Keith Roberts ke...@karsites.net wrote:
>>> I have run one full test and got no errors on the memory module. Is it worth keeping it running overnight, just to see if temperature changes will affect the test?
>>
>> I had a system that started crashing randomly. I ran memtest overnight (about 10 hrs) but it did not report any errors. Next time I extended the run to 18 hrs or so and finally saw errors. Replacing the RAM solved the crash problem. So, I would recommend running memtest for one full day.
>
> I agree. Usually, when systems crash due to possibly memory related errors I let them run testing for 24 hours, or if they have lots of memory possibly longer (48 hours) to allow all memory to be fully tested. :-)

And make sure you button the cabinet back up, with all covers in place and put it back on the rack where it normally sits. Running this test with the case open or sitting in free air is a waste of time unless that is how the system usually operates. All memory testing has to be done under normal working conditions to get the maximum benefit.

Bob McConnell
N2SPP
Re: [CentOS] Colour laser printer
Timothy Murphy wrote:
> Anyone got a recommendation for a cheap (but good) colour laser printer that runs under CentOS-5.5 ?

HP CP1518ni Color Laserjet. So far it works well with CentOS, Slackware, Ubuntu and Mythdora.

Bob McConnell
N2SPP
Re: [CentOS] Traffic shaping on CentOS
Emmanuel Noobadmin wrote:
> I've been trying to do traffic shaping on one of my public servers and after reading up, it seems like the way to do so is via tc/htb. However, most of the documentation seems at least half a decade old with nothing new recently. Furthermore, trying to get documentation on tc filters turned up a blank. man tc refers to a tc-filters (8) but trying to man that gives a no such page/section error. Googling on this seems to imply that the documentation was never created. The author also seems to have stopped updating his blog/company site since 2007 based on the last login date on netherlabs.nl
>
> So I'm wondering is tc the current and recommended method for traffic shaping on CentOS or is there some newer method that has superseded it?

I use DummyNet[1] for any traffic shaping and bottleneck testing I need. It is distributed as part of the FreeBSD system, although you may need to recompile the kernel to enable it.

Bob McConnell
N2SPP

[1] http://info.iet.unipi.it/~luigi/dummynet/
Re: [CentOS] Strange Apache log entry
Emmanuel Noobadmin wrote:
> On 8/24/10, Keith Roberts ke...@karsites.net wrote:
>> So bolting down PHP really tight should address these hacks?
>
> As others have mentioned, this is trying to take advantage of a poorly written PHP script that doesn't sanitize/check the input before using. However, you could possibly lock down PHP further to reduce the possibility of such apps working by using the disabled_function setting to disable the riskier functions which allow shell/command/file operations. Of course depending on how aggressive you are, it could lead to scripts breaking.

The best way to attack this problem is to take a close look at the known issues and make sure your code doesn't expose any of them. Start by reading the OWASP[1] web site. Their annual Top Ten[2] list of vulnerabilities is a good place to start. They also have sample code snippets in a variety of languages to sanitize and validate input. We utilize both their recommendations and code in a number of our sites. It gives us a good start toward PCI compliance.

Another excellent resource is the SANS-CWE Top 25 Most Dangerous Programming Errors[3]. This applies to all applications that have network access, not just web pages. The press release[4] explains what the list contains.

Bob McConnell
N2SPP

[1] http://www.owasp.org/index.php/Main_Page
[2] http://www.owasp.org/index.php/OWASP_Top_Ten_Project
[3] http://www.sans.org/top25-software-errors/
[4] http://www.sans.org/top25-software-errors/press-release.php
Re: [CentOS] A proposed CentOS mailing list FAQ
Geoff Galitz wrote:
> Oops, some copyediting of my previous post and the addition of a managed services option to my FAQ suggestion follows:

A couple more spelling errors to correct:

> are no guaruntees anything will be answered or answered in a give time

guarantees

> Insert links to mailing lists and other resources approprate

appropriate

Bob McConnell
N2SPP
Re: [CentOS] boot process glitch due to missing 2nd disk
Stephen Harris wrote:
> On Tue, Jul 20, 2010 at 03:31:48PM -0400, m.r...@5-cent.us wrote:
>> This is not a Dell-specific BIOS hack. Dear child, ask your folks about PCs. I think it was only this decade that PCs would actually boot
>
> This decade being the 2010s? :-)

The calendar is '1' based. 2010 is the last year of the first decade in the 21st century.

Bob McConnell
N2SPP
Re: [CentOS] gcc? (w/ a bit of vi vs. emacs)
m.r...@5-cent.us wrote:
> Ken wrote:
>> On 05/03/2010 10:37 AM m.r...@5-cent.us wrote:
>>> someone wrote:
>>>> Nobody's mentioned glade2-- or as it's listed in the gnome menu, Glade
>>> snip
>>> Interesting.
>>
>> Yeah, it's so cool, I don't understand why there aren't a bazillion Linux GUI apps for everything. It makes creating GUI apps actually fun!
>>
>> For an editor I use emacs because I can use it for just about anything
>
> vi.
>
>> from creating plain text, shell scripts, html docs, and C code. Emacs isn't just configurable, it's programmable. You can write code to add or change the functionality emacs provides. It's been around since the '60s and isn't likely to go away anytime in the next few decades.
>
> I could swear it had only been around since the eighties
>
> At any rate, yes, emacs, the windowing operating system masquerading as a programmers' editor
>
> mark
>
> we should take this to alt.religion.editors
>
>> Yeah, I wish I had a nickel for every time I said emacs on a mailing list and someone came back vi. I'd own a paradise island somewhere. B-)
>
> I'd have had that island a decade or more ago.
>
>> Just to earn myself another mythical nickel, I'll say: With emacs tramp-mode I can, in a local emacs window, open a file on any other machine in the world to which I have ssh access. This functionality has
>
> snip
>
> Of course, the one *I* want is brief. I think $$ome editor$ still advertise brief emulation mode. *How* many keystrokes is it to do column copy in emacs?

YES, brief is the best editor I have ever used. There are several features like that I still miss. I actually have a couple of copies of it in the original boxes, but it only runs on xx-DOS or OS/2. I plan to use one of them on some 80386 based PC/104 boards I am getting ready to reactivate. It will fit nicely into the 2MB flash drive with DR-DOS.

Bob McConnell
N2SPP
Re: [CentOS] NFS freeze when transmitting big files
m.r...@5-cent.us wrote:
> Niki wrote:
>> JohnS wrote:
>>> --- snip
>>> You should have better success with another 128MB of RAM..
>>> snip
>>
>> I corrected that problem, and now it *looks* like everything's OK. But you're right. Another 128 MB RAM won't hurt. (My first computer, a single-board 8080, actually had 512 *bytes* of RAM, so it's just a matter of adapting to modern times :oD)
>
> *heh* I remember the first computer I owned, and my ex and a friend violated the warranty on the RadShack CoCo, opened it up, and doubled the memory for a birthday present. Then, I had 32K ram! (Are you sure you didn't mean 512K RAM?)

Not unless it had some additional hardware assistance. The 8080 can only address 64K.

Bob McConnell
N2SPP
Re: [CentOS] https question
adrian kok wrote:
> Hi
>
> I have question about https
>
> I am using mozila to access gmail as https://mail.google.com/mail
>
> Why mozilla prompts me the alert box?
>
> You have requested an encrypted page that contains some unencrypted information. Information that you see or enter on this page could easily be read by a third party.
>
> How mozilla knows I have data not encrypted? ls https secured?

Yes, the 's' at the end means it uses SSL to provide a secure connection. If you have elements on the page that have an http: prefix, then mozilla and other browsers will complain about it.

Bob McConnell
N2SPP
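The browser warning described above is triggered by subresources (scripts, images, stylesheets, frames) that an https: page loads over http:. The following is an added example, not code from the thread, showing how such "mixed content" can be found in a page before a browser ever sees it; the sample HTML and the host names in it are constructed for the example.

```python
"""Find http:// subresources referenced from an https:// page (mixed content).

Added example for the thread above; the sample page and host names are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that cause the browser to fetch a subresource.
# Plain <a href> links are navigation, not subresources, so they are not listed.
SUBRESOURCE_ATTRS = {
    "script": ("src",),
    "img": ("src",),
    "iframe": ("src",),
    "link": ("href",),
    "object": ("data",),
    "embed": ("src",),
    "source": ("src",),
    "video": ("src", "poster"),
    "audio": ("src",),
}


class MixedContentScanner(HTMLParser):
    """Collects (tag, attribute, absolute URL) for every subresource fetched over http."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        wanted = SUBRESOURCE_ATTRS.get(tag)
        if not wanted:
            return
        for name, value in attrs:
            if name in wanted and value:
                # Resolve relative and protocol-relative ("//host/x.js") references
                # against the page URL; those inherit https and are not mixed content.
                absolute = urljoin(self.page_url, value.strip())
                if urlsplit(absolute).scheme == "http":
                    self.findings.append((tag, name, absolute))


def find_mixed_content(page_url, html):
    """Return the list of http:// subresources on an https:// page (empty for http pages)."""
    if urlsplit(page_url).scheme != "https":
        return []  # a page served over plain http has nothing to downgrade
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: two subresources are fine, two are loaded over http.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="//cdn.example.test/modern.js"></script>
<script src="http://cdn.example.test/legacy.js"></script>
</head><body>
<a href="http://www.example.test/">a plain link is not a subresource</a>
<img src="http://tracker.example.test/pixel.gif" alt="">
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content("https://mail.example.test/mail", SAMPLE_PAGE):
        print(f"mixed content: <{tag} {attr}={url}>")
```

Resources referenced with a relative path or a protocol-relative `//host/...` URL inherit the page's https scheme, which is why only the two absolute `http://` references are reported.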
Re: [CentOS] [OT?] recommendation for simple wiki S/W to run on centos 5.4?
Paul Bijnens wrote:
> On 2010-02-24 13:06, Robert P. J. Day wrote:
>> any testimonials for some simple wiki software to run on centos 5.4 on an intranet? all i'm after is something uncomplicated that (ideally) yum installs, and that others can start using to start sharing useful info, nothing more. thoughts?
>
> I'm becoming a fan of dokuwiki (http://www.dokuwiki.org/). It stores the content in plain text files, so you can even use it to document how to fix a broken wikisetup.

I'll add my vote for dokuwiki. It was simple to set up on RedHat, even with ACL to track updates. The software is all PHP, while the content is mostly text files. It has content management built in, so backing out inaccurate changes is simple. It does a nightly backup into compressed files in each directory. We had a nightly cron job that copied those to a second drive on the server, and copied that drive to a tape once a week. It may not be installable with yum, but installation consists of copying a tree of directories onto the web server. Take a good look at their collection of add-on features. They make it incredibly flexible.

Bob McConnell
N2SPP
Re: [CentOS] Limiting bandwidth
Rajagopal Swaminathan wrote:
> Greetings,
>
> Scenario: Centos box with eth1 (10.0.0.0/24) and eth0 (192.168.0.0/24) segment on eth0 has access to full bandwidth of uplink Both are on 100mbps switches
>
> Requirements: bandwith on segment on eth1 needs to be throttled to different speeds - say 32, 64, 128kbps and the such. Required for application performance testing purposes.

The best tool I have found for this is DummyNet, which is built into FreeBSD. It was created to test protocol designs then adapted for traffic management. However, I am not aware of any ports into Linux.

http://info.iet.unipi.it/~luigi/dummynet/
http://cs.baylor.edu/~donahoo/tools/dummy/tutorial.htm

Bob McConnell
N2SPP
Re: [CentOS] How to display laptop screen on LCD TV?
hce wrote:
> Hi,
>
> I am running CentOS 5.2 on Acer laptop, I try to display laptop screen on a LCD TV via VGA cable. It was fine while PC was booting in text mode, but as soon as I started X Window, the LCD TV has error Unsupported signal, adjust your PC out. How can I adjust or may be regenerate an xorg.conf for the LCD TV (Sony KDL-40V5500)?

This is not an uncommon problem with flat panel displays, and is hardly limited to one distribution. Step one is to find out what resolutions, horizontal and vertical frequencies the internal display can handle. Step two is to find out what combinations the video chips can generate. Step three is finding out which combinations the TV can accept. Once you determine where all three sets overlap, you configure X to use the mutually acceptable options. You may end up with an unusable lowest common denominator doing this, so look into any multi-display options while you are collecting the data.

Bob McConnell
N2SPP
Re: [CentOS] Browser related question
Rajagopal Swaminathan wrote:
> On Sat, Jan 30, 2010 at 12:58 AM, Agile Aspect agile.asp...@gmail.com wrote:
>> If the client can't reach the site, then it should be clear the server won't be able to log the attempt.
>
> In fact this is exactly the condition I wanted to capture as unavailability window
>
> FWIW, I am approaching this with tcpdump
>
> tcpdump -s 0 -A -i eth0 -n -q - '(dst host mumble and dst port 80) and tcp[13] == 2'
>
> Basically checking for the SYN flag in the outgoing traffic. But it is generating too much data for my purposes.

If you have X11 installed, use Wireshark to capture the data. If you don't, save the captured data into a file, then copy it to another computer where you can use Wireshark. Set the view filter for the specific IP addresses you are looking for. From above, it would be

ip.addr eq mumble

The view filter I used yesterday to examine one connection at work was

ip.addr eq 10.3.1.66 and ip.addr eq 10.3.1.96

Remove the flags condition from the capture (tcp[13]) as it won't make any difference until the SYN packets get through and then it will only get in the way of seeing what happens next.

Bob McConnell
N2SPP
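The `tcp[13] == 2` expression in the tcpdump command above works because byte 13 of the TCP header holds the flag bits, and a value of exactly 2 means SYN is set and nothing else. The following is an added example (not from the thread) that builds a few minimal TCP headers and evaluates that test against them, showing which segments the filter keeps and why Bob suggests dropping the flags condition once you want to see the rest of the connection; the ports and sequence numbers are constructed.

```python
"""Evaluate the tcpdump expression 'tcp[13] == 2' against hand-built TCP headers.

Added example for the thread above; all segments below are constructed.
"""
import struct

# Flag bits in byte 13 of the TCP header (RFC 793 plus ECN bits).
TCP_FLAGS = {
    "FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
    "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80,
}


def build_tcp_header(src_port, dst_port, flags, seq=0, ack=0, window=65535):
    """Construct a minimal 20-byte TCP header without options.

    Bytes 12-13 carry the data offset (5 words) in the high nibble and the
    flag bits in the low byte, so byte 13 is exactly what 'tcp[13]' reads.
    """
    offset_and_flags = (5 << 12) | flags
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       offset_and_flags, window, 0, 0)


def flag_byte(segment):
    """The raw value tcpdump sees as tcp[13]."""
    return segment[13]


def flags_set(segment):
    """Names of the flags set in the segment, for readability."""
    return {name for name, bit in TCP_FLAGS.items() if segment[13] & bit}


def matches_tcp13_eq_2(segment):
    """tcpdump 'tcp[13] == 2': SYN set and no other flag (a pure connection attempt)."""
    return segment[13] == 2


def matches_syn_bit(segment):
    """tcpdump 'tcp[13] & 2 != 0': any segment with SYN set, including SYN-ACK."""
    return segment[13] & TCP_FLAGS["SYN"] != 0


# Constructed three-way handshake plus a data segment, as seen on the client.
HANDSHAKE = [
    build_tcp_header(40000, 80, TCP_FLAGS["SYN"], seq=1000),
    build_tcp_header(80, 40000, TCP_FLAGS["SYN"] | TCP_FLAGS["ACK"], seq=5000, ack=1001),
    build_tcp_header(40000, 80, TCP_FLAGS["ACK"], seq=1001, ack=5001),
    build_tcp_header(40000, 80, TCP_FLAGS["PSH"] | TCP_FLAGS["ACK"], seq=1001, ack=5001),
]


def count_connection_attempts(segments):
    """Number of segments the original filter would have written to the capture."""
    return sum(1 for s in segments if matches_tcp13_eq_2(s))


if __name__ == "__main__":
    for seg in HANDSHAKE:
        print(f"tcp[13]=0x{flag_byte(seg):02x} {sorted(flags_set(seg))} "
              f"kept by 'tcp[13] == 2': {matches_tcp13_eq_2(seg)}")
    print("connection attempts:", count_connection_attempts(HANDSHAKE))
```

Only the first segment of the handshake satisfies `tcp[13] == 2`; the SYN-ACK has byte 13 equal to 0x12 and is dropped, as is everything that follows. That is exactly why the filter is useful for counting attempts but hides what happens once a connection succeeds.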
Re: [CentOS] Adobe Acrobat Reader 9.3 - slightly OT
MHR wrote:
> On Sat, Jan 30, 2010 at 4:56 PM, JohnS jse...@gmail.com wrote:
>>> This only happens during the first load in a while - probably until the cache for its pages clear, or it may be going out on the web to check for updates, though this seems to take a long time.
>>
>> Check the settings for adobe because honestly I had to change mine! the cache settings i think for adobe reading pages ahead into memory.
>
> I wondered about that, but:
>
> 1) I haven't been able to find a setting for that in the 8+ versions of AR, and
>
> 2) this was a 2-page document - how could it be dead for 22 seconds just to read ahead one page?

Put a network sniffer on it. That may be when it calls home to check for updates.

Bob McConnell
N2SPP
Re: [CentOS] CentOS port forwarding?
hadi motamedi wrote:
> Dear All
>
> I have my CentOS server at @172.16.17.100 and my remote network element at @172.16.17.110 and both ones have Internet access. I need to virtually put the remote network element on the same LAN as my CentOS server to be touched with. In my application, both the ip addresses are as invalid ones and I cannot change them. Can you please let me know if there is a settings on the CentOS server that can do the job or just the port forwarding on the attached gateway can be used?

The 172.16 address block is in the private network address space as defined by the IETF. No Internet router will recognize nor forward those addresses. Most likely, your remote network element is a firewall, or acts like one. You need to configure it to forward one or more of its external ports into your server. There are significant security issues that need to be evaluated before this is done, so you should get help from your ISP or a consultant. This is not a safe area for novices to play.

Bob McConnell
N2SPP
[CentOS] Problem with checkinstall
I installed checkinstall 1.6.2 on CentOS 5.4 VM (VMWare Server on WinXP). After getting the dependencies installed it compiled with no errors. But when I run it in its own source directory, I keep getting an error that I can't track down. The message is:

install: cannot change ownership of '/usr/local/lib/installwatch.so': No such file or directory.

But not only does the file exist, it has the correct permissions and creation time. I am running this as root. I did change the permissions on both make and install to 0755, but that did not help. The command line is:

checkinstall -R --install=no

Any suggestions?

Bob McConnell
N2SPP
Re: [CentOS] Problem with checkinstall
Fernando Gleiser wrote:
> ----- Original Message -----
> From: Bob McConnell rmcco...@lightlink.com
> To: CentOS mailing list centos@centos.org
> Sent: Thu, January 14, 2010 10:44:59 AM
> Subject: [CentOS] Problem with checkinstall
>
>> I installed checkinstall 1.6.2 on CentOS 5.4 VM (VMWare Server on WinXP). After getting the dependencies installed it compiled with no errors. But when I run it in its own source directory, I keep getting an error that I can't track down. The message is:
>>
>> install: cannot change ownership of '/usr/local/lib/installwatch.so': No such file or directory.
>>
>> But not only does the file exist, it has the correct permissions and creation time. I am running this as root. I did change the permissions on both make and install to 0755, but that did not help. The command line is:
>
> Is SELinux enabled? it sounds like the typical SELinux-related problem. what does getenforce say? check the output of ls -lZ /usr/local/lib/ to get the file's context

'getenforce' returns Disabled

'ls -lZ /usr/local/lib/' returns

drwxr-xr-x root root checkinstall
-rwxr-xr-x root root installwatch.so

'ls -alZ' adds current and parent owned by root.root with context:

system_u:object_r:lib_t:s0 .
system_u:object_r:usr_t:s0 ..

Bob McConnell
N2SPP
Re: [CentOS] CentOS Digest, Vol 60, Issue 13
Emanuel Machado wrote:
> Another issue to consider with SSDs is that they are based on Flash technology. Each flash cell can only be written on about 10,000 to 100,000 times or so (*), so if you're using extensive read/write on your server you will be impacted. SSD manufacturers go around this issue by giving some intelligence to the drive controllers, so that they minimize the per-cell usage (which means moving things around a bit internally, transparently to you), so in many cases you will not see any impact. However, I would be careful on what I run on it, and what services are enabled, maybe having another disk around for write intensive apps.

No, you can write (append) as often as you like. It is the erase cycles that are limited. So the chip life depends on how often those files get deleted.

Bob McConnell
N2SPP
Re: [CentOS] mkdir this . directory
Timo Schoeler wrote:
> Marko Vojinovic wrote:
>> On Tuesday 29 December 2009 14:46:23 Anne Wilson wrote:
>>> On Tuesday 29 December 2009 13:59:43 Ugo Bellavance wrote:
>>>> On 2009-12-28 18:49, adrian kok wrote:
>>>>> Hi
>>>>>
>>>>> I have this . folder under tmp
>>>>
>>>> It is a system-generated link to the current directory. Don't touch that.
>>>
>>> Thank heavens there's one sane person reading today. Obviously no-one else here was ever new to Linux.
>>
>> You mean new to the concept of files and directories? This is not Linux-only. The . and .. existed even in MS-DOS back in the 80's. And they still exist, actually. The problem is that today people working under Windows [7|Vista|XP] never get to open a terminal anymore, and various GUI's play smart with them and don't show the links to current and parent directories.
>
> Sure, but: Nobody's guilty *not* to have seen this stuff in her/his whole life just because she/he never looked at it. There may be multiple reasons for that, one of them may be a simple 'I was born in 1996 and never had the chance to work with CP/M'. ;)

Never say never. You still have the opportunity to work with CP/M, either with custom built hardware or any of a number of good simulators currently available on Source Forge. There is still an active Usenet newsgroup on the topic (comp.os.cpm), with hardware being designed and new kits being sold. Almost all of the source code is now available at http://www.cpm.z80.de/.

Bob McConnell
N2SPP
Re: [CentOS] mkdir this . directory
Marko Vojinovic wrote:
> On Tuesday 29 December 2009 18:21:01 John R Pierce wrote:
>> Marko Vojinovic wrote:
>>> You mean new to the concept of files and directories? This is not Linux-only. The . and .. existed even in MS-DOS back in the 80's.
>>
>> having an actual . and .. file in a directory is a distinctly Unix practice.
>
> I was not trying to say that . and .. were *invented* in MS-DOS. I was just commenting that it is not Linux-specific (or Unix-specific). The point was that a newbie would encounter . and .. equally well on both Linux and Windows systems. The only difference is that Windows does not encourage the use of a terminal, unlike Linux. Therefore, the fact that someone is confused by the existence of . in some directory is mainly the fault of GUI-for-everything philosophy of Windows.

MS-DOS 2.0 added subdirectories, I/O redirection, pipes, filters and a few other features copied from Unix. Of course they were mere shadows of the actual Unix features and lacked most of the standard capabilities, but it was a step in the right direction. It is one of the few steps in that direction Microsoft ever took.

Bob McConnell
N2SPP
[CentOS] Removable drive configuration
I have a box running CentOS 5.3 with two Dataport removable drive bays installed on the second IDE interface (/dev/hdc and hdd). I want to configure it so I can plug in and mount various drives at different times, including different size drives. So far it will only recognize the first drive I plug in, and only if I boot the box after inserting the drive. Is there any way to set it up so I can mount different size drives freely without having to reboot each time?

Thank you,

Bob McConnell
N2SPP
Re: [CentOS] College student printer for CentOS 5.4 x86_64?
Phil Savoie wrote:
> David McGuffey wrote:
>> Oldest son came back from college and wants a printer for his Dell laptop. I built it with CentOS 5.3 x86_64 several months ago and will upgrade it to 5.4
>>
>> The Cannon printer he now has (bought with the laptop and Vista through the university book store), doesn't seem to have linux drivers. I built the machine with Vista and CentOS in dual-boot, so he could manage his iTunes and use the printer under Vista. He does almost all his college work under CentOS. Most of his papers are submitted electronically, but occasionally he has to print one.
>>
>> What would the community recommend? His needs are simple...mostly BW papers. On rare occasions he needs to print a paper with color photos/graphs embedded. Not looking to spend a lot, just enough to satisfy the requirement.
>>
>> DaveM
>
> Hi Dave,
>
> I have 2 lasers one BW and the other colour. The BW printer is a Brother 5250DN (N for network) and a samsung CLP-310 also network capable. The samsung comes with linux drivers on a CD. Both are very affordable and work well with linux.

HP has several consumer level laser printers available, most of them with Postscript built in. I have a CP1518ni which I got at Sam's Club for US$289. No problems using it from Ubuntu, Slackware, Fedora or CentOS. Even with the 1/3 capacity toner cartridges it came with, it cost less than just the ink jet cartridges would have before we had to buy another set.

Bob McConnell
N2SPP
[CentOS] An error message I don't recognize
I have recently been told I will have to maintain some CentOS servers at work. Since I have only been using Slackware for the last 16 years, I decided to install CentOS on one of my servers at home to get an idea of the differences. I installed CentOS 5.4 from CD with no problems, did a yum update, set up a couple of samba shares and started to copy over some files from one of my other servers.

Everything looks ok, but I keep seeing this message on the active console. I have no idea where it comes from nor what it means.

type=1400 audit(1260446462.444:9): avc: denied { getattr } for pid=2200 comm=smbd path=/proc/sys/fs/binfmt_misc dev=binfmt_misc ino=4348 scontext=root:system_r:smbd_t:s0 tcontext=system_u:object_r:binfmt_misc_fs_t:s0 tclass=dir

What is it, what is triggering it and how do I fix it?

Thanks,

Bob McConnell
N2SPP
Re: [CentOS] An error message I don't recognize
Benjamin Franz wrote:
> Bob McConnell wrote:
>> [...]
>>
>> Everything looks ok, but I keep seeing this message on the active console. I have no idea where it comes from nor what it means.
>>
>> type=1400 audit(1260446462.444:9): avc: denied { getattr } for pid=2200 comm=smbd path=/proc/sys/fs/binfmt_misc dev=binfmt_misc ino=4348 scontext=root:system_r:smbd_t:s0 tcontext=system_u:object_r:binfmt_misc_fs_t:s0 tclass=dir
>
> It's selinux.

Thank you for that link. Looks like I have some reading to do. I do know they have it enabled on the production servers I will be duplicating, so I'll have to figure out whether we need it on the development and test servers or not.

I also have a problem with syslogd. I added '-r' to SYSLOGD_OPTIONS in /etc/rc.d/init.d/syslog, but after a restart it still won't accept network traffic, and that flag doesn't show up in the command line in the 'ps ax' dump. What do I have to do to enable traffic into syslogd from my firewall and other servers? This machine will be replacing an older Slackware 7 server once I get the wrinkles worked out.

Thank you,

Bob McConnell
N2SPP
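The console message quoted in this exchange is an SELinux AVC denial record: the process (`comm`, running in the source type from `scontext`) was refused the listed permission on an object of class `tclass` labelled with the target type from `tcontext`. Reading those fields out is the first step in deciding whether a denial is an attack, a mislabelled file or simply noise. The following is an added example, not code from the thread, that parses such records into structured fields and summarizes them by source type, target type and permission; it uses the line from the post above plus two constructed lines, and the regex is my own, not a Red Hat tool.

```python
"""Parse SELinux AVC denial records as they appear on the console or in audit.log.

Added example for the thread above. The first sample line is the one quoted in
the post; the other two are constructed. The parser is this example's own.
"""
import re
from collections import Counter

# 'type=1400 audit(<epoch>.<ms>:<serial>): avc: denied { perm perm } for <key=value ...>'
AVC_RE = re.compile(
    r"type=1400 audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*avc:\s+"
    r"(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# Values may be bare (as on the console) or double-quoted (as in audit.log).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the record's fields, or None if the line is not an AVC record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    record = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "decision": m.group("decision"),
        "permissions": m.group("perms").split(),
        "pid": int(fields["pid"]) if "pid" in fields else None,
        "comm": fields.get("comm"),
        "path": fields.get("path"),
        "tclass": fields.get("tclass"),
    }
    # A context is user:role:type[:range]; the type is what policy rules are written against.
    for side in ("scontext", "tcontext"):
        parts = fields.get(side, "").split(":")
        record[side.replace("context", "_type")] = parts[2] if len(parts) >= 3 else None
    return record


def summarize_denials(lines):
    """Count denials by (source type, target type, permission) to spot the noisy pattern."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["decision"] == "denied":
            for perm in rec["permissions"]:
                counts[(rec["s_type"], rec["t_type"], perm)] += 1
    return counts


SAMPLE_LINES = [
    # Quoted from the post above.
    "type=1400 audit(1260446462.444:9): avc: denied { getattr } for pid=2200 comm=smbd "
    "path=/proc/sys/fs/binfmt_misc dev=binfmt_misc ino=4348 "
    "scontext=root:system_r:smbd_t:s0 tcontext=system_u:object_r:binfmt_misc_fs_t:s0 tclass=dir",
    # Constructed: the same denial repeating, in the quoted form audit.log uses.
    'type=1400 audit(1260446530.101:12): avc: denied { getattr } for pid=2200 comm="smbd" '
    'path="/proc/sys/fs/binfmt_misc" dev=binfmt_misc ino=4348 '
    "scontext=root:system_r:smbd_t:s0 tcontext=system_u:object_r:binfmt_misc_fs_t:s0 tclass=dir",
    # Constructed: a different, more interesting denial on a file.
    'type=1400 audit(1260446601.555:15): avc: denied { read write } for pid=2311 comm="httpd" '
    'path="/var/www/html/uploads/.cfg" dev=sda2 ino=99001 '
    "scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file",
]

if __name__ == "__main__":
    for (src, tgt, perm), n in summarize_denials(SAMPLE_LINES).most_common():
        print(f"{n:3d}  {src} -> {tgt}  {perm}")
```

Grouping by source type, target type and permission is what turns a scrolling console into an answer: the first pattern (`smbd_t` reading `binfmt_misc_fs_t`) is the one this thread is about, while the constructed `httpd_t` entry shows the kind of denial that deserves attention because the target carries a user-home label under a web root.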
Re: [CentOS] An error message I don't recognize
Benjamin Franz wrote:
> Bob McConnell wrote:
>> I also have a problem with syslogd. I added '-r' to SYSLOGD_OPTIONS in /etc/rc.d/init.d/syslog, but after a restart it still won't accept network traffic, and that flag doesn't show up in the command line in the 'ps ax' dump. What do I have to do to enable traffic into syslogd from my firewall and other servers?
>
> You need to edit /etc/sysconfig/syslog
>
> That is a general pattern for CentOS5 - look for options to be set in a file in the /etc/sysconfig directory.

Thank you, I am now getting log records over the network.

Bob McConnell
N2SPP
Re: [CentOS] PHP updates
Michael Kress wrote:
> Craig White wrote:
>> and if enough people actually convinced the developers that 5.2.9-2.el5.centos were feasible, then they would probably move it into the 'Extras' repository.
>
> ... here's one trying to 'convince'! ;-)
>
> I'm using that package from c5-testing since a month or so and I encountered no problems.
>
> Regards
> Michael

I'll go one further. We run commercial web sites on CentOS 5.3 which must also be PCI compliant. Because of the security issues, the auditors have been complaining for two months that we don't have PHP 5.2.11 installed yet, putting our PCI certification in jeopardy. When 5.2.12 is released, probably next month, we will have 30 days to get it installed. We are trying to figure out how to handle this issue short of having to compile PHP ourselves. That would violate the agreement we have with the hosting service.

Bob McConnell
N2SPP