Re: why does a process gets killed?
On Thu, 10 Jan 2002, Imre Vida wrote:
> What could i do to figure out what is the problem?

Watch the kernel log /var/log/syslog, or
check resource limits (ulimit -a, ulimit -Sa), or
strace the process to see what happens.

Walter
Re: iptables ruleset
On Thu, 03 Jan 2002, Martin A. Hansen wrote:
> any suggestions on how to set up a strong firewall rule set will be appreciated!

I don't believe the standard ipmasq setup provides any form of firewalling. I have attached the script that I'm currently using. Feel free to use it if it suits you. A couple of notes:

o I'm running this on an old 486. Ipmasq is by default set up so that it will reinitialize the iptable rules whenever a new interface is set up. This took too long on my computer, so I have disabled it. This means that my script needs to be able to work without knowing the IP address of my server. This isn't really a problem.
o I deleted all the files from /etc/ipmasq/rules and installed the script as /etc/ipmasq/rules/A00doitall.rul mode 755. Yet another optimization for my old computer...
o This needs a 2.4 kernel.
o The script currently assumes that eth0 and ppp0 are internal, and that ppp1 and ippp* are external. You need to change the line starting with EXTERNAL= to change this and delete the line with ppp0 at the end if it is an external interface.
o The script works with multiple external interfaces if needed.
o My internal network uses 192.168.1.xxx. Search and replace if you use a different block.
o I allow the following connections from the outside:
  TCP: ssh to the server; gnutella and napster connections will be forwarded to a specific computer (192.168.1.8) in the private network
  UDP: two ports are open for replies to get DNS and ntpdate working. You need to configure bind to use 1053 as source port if you have it installed.
  ICMP: Incoming pings are blocked, everything else gets through (important!)
o All the rules that log information should be rate-limited, but currently aren't. This could be used for a DoS attack.

I'd be very interested to hear comments about the security of this setup.
Walter

# wh, 11.9.2001

# === Set variables and do sanity checks ===
PATH=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin
IPTABLES=/sbin/iptables
EXTERNAL=`enumerate-if | grep -E '^(ippp|ppp1)'`

if [ ! -e /proc/net/ip_forward -a ! -e /proc/sys/net/ipv4/ip_forward ]; then
  echo IP Forwarding has not been enabled in the kernel.
  exit 1
fi
if [ ! -e /proc/net/ip_masquerade -a ! -e /proc/net/ip_tables_names ]; then
  echo IP Masquerade has not been enabled in the kernel.
  exit 1
fi

# === Put everything to the default state first ===
echo 1 > /proc/sys/net/ipv4/ip_forward
#echo 1 > /proc/sys/net/ipv4/ip_always_defrag
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -t mangle -F PREROUTING
$IPTABLES -t mangle -F OUTPUT
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -t nat -F PREROUTING
$IPTABLES -t nat -F POSTROUTING
$IPTABLES -t nat -F OUTPUT

# === Allow everything over loopback and ppp0 ===
$IPTABLES -A INPUT -j ACCEPT -i lo
$IPTABLES -A INPUT -j LOG -i ! lo -s 127.0.0.1/255.0.0.0
$IPTABLES -A INPUT -j DROP -i ! lo -s 127.0.0.1/255.0.0.0
$IPTABLES -A INPUT -j ACCEPT -i ppp0

# === Allow everything with correct IP in over eth0 ===
$IPTABLES -A INPUT -j ACCEPT -i eth0 -d 255.255.255.255/32
$IPTABLES -A INPUT -j ACCEPT -i eth0 -s 192.168.1.0/24
$IPTABLES -A INPUT -j ACCEPT -i eth0 -d 224.0.0.0/4 -p ! tcp

for i in $EXTERNAL; do
  # === Drop incoming packets with local addresses ===
  $IPTABLES -A INPUT -j LOG -i $i -s 192.168.1.0/24
  $IPTABLES -A INPUT -j DROP -i $i -s 192.168.1.0/24

  # === Check everything else that comes in from the outside ===
  # Allow TCP if initiated from the inside
  $IPTABLES -A INPUT -j ACCEPT -i $i --protocol tcp \! --syn
  # Allow incoming ssh, but log it
  $IPTABLES -A INPUT -j LOG -i $i --protocol tcp --destination-port ssh
  $IPTABLES -A INPUT -j ACCEPT -i $i --protocol tcp --destination-port ssh
  # Reject identd lookups: Gives better performance and prevents clutter in the logs
  $IPTABLES -A INPUT -j REJECT -i $i --protocol tcp --destination-port auth
  # Allow incoming UDP to port 1053. Bind is configured to use
  # 1053 as the source port for its queries
  $IPTABLES -A INPUT -j ACCEPT -i $i --protocol udp --destination-port 1053
  # Allow incoming UDP to port 123. This is for ntpdate.
  $IPTABLES -A INPUT -j ACCEPT -i $i --protocol udp --destination-port 123
  # Log other people's pings
  $IPTABLES -A INPUT -j LOG -i $i --protocol icmp --icmp-type echo-request
  # Allow ICMP but no pings
  $IPTABLES -A INPUT -j ACCEPT -i $i --protocol icmp --icmp-type \! echo-request
  # Everything else coming in is logged and denied

  # Masquerade packets to the outside
  $IPTABLES -t nat -A POSTROUTING -o $i -s 192.168.1.0/24 -j MASQUERADE
  $IPTABLES -A FORWARD -i eth0 -o $i -s
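Walter's last note, that the LOG rules are not rate-limited and could be used to flood syslog, is easy to check and fix mechanically. The following is an added example, not Walter's script and not part of ipmasq: a POSIX shell audit that lists the LOG rules of an iptables-save style ruleset which carry no -m limit match, and rewrites them with one. The sample ruleset is constructed here, and the default rate (5/min, burst 10) is an assumption you can override through LOG_LIMIT and LOG_BURST.

```shell
#!/bin/sh
# Added example (not from the original post): audit and rate-limit the
# LOG rules of an iptables ruleset so that a stream of unsolicited packets
# from the outside cannot fill the system log.
#
# Assumptions: rules are in iptables-save format (one "-A CHAIN ... -j LOG"
# line per rule) and the kernel has the iptables limit match available.

LOG_LIMIT="${LOG_LIMIT:-5/min}"   # assumed default: at most 5 log lines per minute
LOG_BURST="${LOG_BURST:-10}"      # assumed default: allow a burst of 10 first

# Print every LOG rule that has no "-m limit" match (empty output = all good).
unlimited_log_rules() {
    printf '%s\n' "$1" | grep -- '-j LOG' | grep -v -- '-m limit' || :
}

# Emit the ruleset with a limit match inserted in front of every
# unlimited LOG target; rules that already carry -m limit are left alone.
rate_limit_log_rules() {
    printf '%s\n' "$1" | awk -v lim="$LOG_LIMIT" -v burst="$LOG_BURST" '
        /-j LOG/ && !/-m limit/ {
            sub(/-j LOG/, "-m limit --limit " lim " --limit-burst " burst " -j LOG")
        }
        { print }'
}

# Constructed sample ruleset, modelled on the INPUT chain of the script above:
# two LOG rules without a limit, one that already has one.
SAMPLE_RULES='-A INPUT -i ppp1 -s 192.168.1.0/24 -j LOG
-A INPUT -i ppp1 -s 192.168.1.0/24 -j DROP
-A INPUT -i ppp1 -p tcp --dport 22 -j LOG
-A INPUT -i ppp1 -p icmp --icmp-type echo-request -m limit --limit 1/s -j LOG
-A INPUT -i ppp1 -p icmp --icmp-type echo-request -j DROP'

# Stand-alone demonstration on the constructed sample.
echo "LOG rules without rate limit:"
unlimited_log_rules "$SAMPLE_RULES"
echo
echo "Hardened ruleset:"
rate_limit_log_rules "$SAMPLE_RULES"
```

On a live box the same functions take `"$(iptables-save)"` as their argument; the rewritten ruleset can then be reviewed and fed to iptables-restore.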
Re: mkisofs USELESS #!@!#@*
On Mon, 31 Dec 2001, Paul 'Baloo' Johnson wrote:
> On Tue, 1 Jan 2002, Penguin wrote:
> > Anyone got an example command line for me to use mkisofs and cdrecord to get an ElTorito boot image thingo on a CD-R?
> If you can't figure it out, go apt-get install xcdroast and use the gui frontend.
> > - /root is the directory where my boot image is, and is called tomsrtbt-1.7.361.ElTorito.288.img
> You've already got an isofs there. Why are you trying to use mkisofs here?

This is a boot disk image. He wants to make a bootable CD-ROM.

Walter
Re: auto-mounting /cdrom
On Sat, 29 Dec 2001, martin f krafft wrote:
> yo! i've seen it done before, but i can't remember how. i believe it was a gnome feature, but there's got to be a way to do this underneath any desktop environment... when i insert a CDROM, i want it to be available without having to mount. conversely, i always want to be able to just eject without umount. how can one enable this? any docs/links/howtos?

I'm using the following:

- I installed autofs.
- I created a file /etc/auto.master with the following line (this sets the timeout to 4 seconds):

  /var/autofs/misc /etc/auto.misc --timeout=4

- I created a file /etc/auto.misc with the following content:

  cd       -fstype=iso9660,ro,nodev,nosuid :/dev/cdrom
  cdwriter -fstype=iso9660,ro,nodev,nosuid :/dev/cdwriter
  floppy   -fstype=vfat,sync,nodev,nosuid,gid=25,umask=002,check=relaxed :/dev/fd0
  zip      -fstype=auto,sync,nodev,nosuid,gid=25,umask=002,check=relaxed :/dev/zip

- create a link from /var/autofs/misc to /misc (for convenience...)
- use /etc/init.d/autofs restart to restart the automounter
- accessing /misc/cd, /misc/cdwriter, etc. will now mount the cd and you can access it.

Walter
Re: Galeon and Java
On Sun, 23 Dec 2001, Sridhar M.A. wrote:
> After that I assumed that the pages that would not display earlier would come out properly. I was wrong :-( I tried the subscription page of www.pcquest.com for credit card transaction and contact us page of www.citibank.co.in. Both return blank pages after about a minute or so.

The contact us page of www.citibank.co.in redirects to www.citibank.com and they have a broken router/firewall which blocks ECN. Try

  echo 0 > /proc/sys/net/ipv4/tcp_ecn

as root.

Walter
Re: DVD player
Christian Schoenebeck wrote on Monday, 03 December 2001:
> Hi! Are there packages for viewing video DVDs? I haven't found any.

You should consider adding

  deb http://marillat.free.fr/ unstable main

to your /etc/apt/sources.list file. This server has plenty of DVD players and other related packages. After doing apt-get update you can browse the package list at /var/lib/apt/lists/marillat.free.fr_dists_unstable_main_binary-i386_Packages

Walter
LILO splash screen
Now that the new LILO in woody can display splash screens, does anyone know where I could get suitable bitmaps? Walter
Re: LILO splash screen
On Mon, 12 Nov 2001, Benjamin Drieu wrote:
> > Now that the new LILO in woody can display splash screens, does anyone know where I could get suitable bitmaps?
> Perhaps you will be happy with http://www.73lab.com/index.php?menu_item=4&curr_lang=1&page=

The logos there seem to be for mandrake. Unfortunately, every distribution has its own, incompatible LILO splash screen patch.

I made my own logo now. I used one of the SuSE pictures from http://www.heise.de/ct/ftp/projekte/splashscreen/default.shtml and converted them to 640x480 by adding black bars 40 pixels high above and below the picture (using gimp). I dithered it to 16 colors and saved it as a RLE-encoded bitmap. (I cannot redistribute the picture, Heise's policy doesn't allow this.) Using the fourth picture the following LILO parameters worked for me:

  install=/boot/boot-bmp.b
  bitmap=turbo.bmp
  bmp-table=500p,270p,1,10,200p
  bmp-colors=0,,;7,,
  bmp-timer=580p,450p;4,,

Walter
Re: Second sending...
On Thu, 08 Nov 2001, Ian Millsom wrote:
> Its a rtl8139.. Now a lot of people will bag these cards, but they do the job. I have about 30 other machines all the same setup (processors/hdd/memory) differ, but the setup is the same and they all work fine.
> > what is the system(s) hooked to?
> The system is plugged direct ethernet to the network. Not sending any special information, just brings up the interface. Basic task of the machine is a fileserver. Plugs into switch (Yes changed ports on switch) and serves files to the network.

Are only incoming connections dead and outgoing connections still work? Have you checked if the IP address is assigned to another computer?

Walter
Re: encrypted filesystem
On Fri, 26 Oct 2001, Adam Warner wrote:
> Most of the kernel patch problems may have been overcome. I don't think Jari's approach has ever caused data corruption. If you read through the archives you'll be up to speed with developments. I understand that sometimes if you upgrade your kernel to 2.4 with the International patch you can't access a volume generated with a 2.2 kernel! At the time I read that a solution had not been found.

The old code used absolute disc sector numbers as an initialisation vector; the new code can be switched between using absolute and relative numbers. Using absolute numbers means that you cannot copy the encrypted filesystem to a different place.

There seems to be another problem with the crypto patch and kernels >=2.4.10: It simply doesn't work! (Probably because of the block device in page cache changes)

Walter
Shift-Return
Whenever I press Shift-Return in less it displays ESCOM. This is annoying because to search for a string in a file, I need to press / + RETURN repeatedly to cycle through the places where the string was found. I have a German keyboard and to type / I need to press Shift. But if I hold down Shift too long less will not accept the return key but just display /ESCOM in the last line. How can I make less accept Shift-Return?

TIA,
Walter
If you have trouble with the new xfree86 in woody...
...and you cannot log in then comment out the use-ssh-agent in /etc/X11/Xsession.options This solved the problem for me. Walter
Re: Can I force ftp to use passive mode?
On Sat, 13 Oct 2001, Stan Brown wrote:
> I'm behind a firewall, that requires that ftp be run in passive mode. While this is easy enough to do with the -p option, I would like to be able to set some system wide configuration, or environment variable, so that all users get this as the default.

You could just put

  alias ftp='ftp -p'

in /etc/bash.bashrc.

Walter
Re: PDF::parse: cannot find pdf parser /usr/local/bin/acroread
On Wed, 10 Oct 2001, J.H.M. Dassen (Ray) wrote:
> On Wed, Oct 10, 2001 at 21:10:17 +0200, Walter Hofmann wrote:
> > /etc/cron.daily/htdig: PDF::parse: cannot find pdf parser /usr/local/bin/acroread
> > Looks like some perl script is misconfigured. But I cannot find a way to set the path for acroread. Where is it set?
> Most likely you can find out with dpkg -L htdig | grep -l acroread.

I used dpkg -L htdig | xargs grep -l acroread. Now I know that the wrong path is hard-coded in each of the following binaries:

  /usr/lib/cgi-bin/htsearch
  /usr/bin/htfuzzy
  /usr/bin/htdig
  /usr/bin/htmerge
  /usr/bin/htnotify

Does this mean I need to recompile htdig? (Given that I don't actually use it I'll probably just remove it. Should I file a bug report?)

Walter
Re: qmail smtp
On Fri, 12 Oct 2001, Daniel Jones wrote:
> I have a file called S30qmail in /etc/rc2.d:
>
>   /usr/local/bin/tcpserver 0 110 /var/qmail/bin/qmail-popup corwin.riddlemaster.org \
>     /bin/checkpassword /var/qmail/bin/qmail-pop3d Maildir
>   smtp stream tcp nowait qmaild /var/qmail/bin/tcp-env tcp-env /var/qmail/bin/qmail-smtpd

The last line looks like it should be in /etc/inetd.conf, not in S30qmail.

Walter
Re: SSH2 + HostbasedAuthentication
On Mon, 08 Oct 2001, Walter Hofmann wrote:
> I cannot use HostbasedAuthentication with ssh. ssh just keeps on asking for the password. Here is what I tried:
> [...]

I solved this now. There were two errors:

1) You need to switch on HostbasedAuthentication in the _client_! The manual page is wrong, it is not on by default.
2) You have to set PreferredAuthentications so that HostbasedAuthentication is tried before asking for passwords.

Walter
PDF::parse: cannot find pdf parser /usr/local/bin/acroread
I get the following error message in a mail from Anacron:

  /etc/cron.daily/htdig: PDF::parse: cannot find pdf parser /usr/local/bin/acroread

Looks like some perl script is misconfigured. But I cannot find a way to set the path for acroread. Where is it set?

Walter
Re: international characters in mutt
On Mon, 08 Oct 2001, Doug Hespe wrote:
> {{Mutt} {eval dsk_exec $tkdesk(cmd,xterm) -geometry 80x73+250+25 -e 'LANG=de_DE LC_MESSAGES=C mutt'}}

I never used Tkdesk, but you could try

  ... -e /usr/bin/env 'LANG=de_DE LC_MESSAGES=C mutt' ...
  -e /bin/bash -c 'LANG=de_DE LC_MESSAGES=C mutt'

the same with the ' around everything

Walter
SSH2 + HostbasedAuthentication
I cannot use HostbasedAuthentication with ssh. ssh just keeps on asking for the password. Here is what I tried:

I have SSH (OpenSSH_2.9p2) running with RhostsRSAAuthentication just fine -- users can log in from one computer to another without using a password or setting up an .ssh/authorized_keys file. But now the ssh in woody changed and protocol version two is the default so I want to make sure that HostbasedAuthentication is working as well.

I set HostbasedAuthentication yes in /etc/ssh/sshd_config. I then added the public keys from the other hosts to /etc/ssh/ssh_known_hosts2 (by logging in to them and then copying my ~/.ssh/known_hosts2 file to /etc/ssh/ssh_known_hosts2). Now /etc/ssh/ssh_known_hosts2 contains:

  gandalf,192.168.1.2 ssh-rsa B3NzaC1yc2EBIwAAAIEA1zi/GNCWr0RAKwyI2dfo5ut4V/ixE/lXCoQo0gCq6KmAiUzW/bei+CcROrXIYd2D+GEZx5DzvkCZung/9dukffYMto9FVcYIShSnTi/c4k5d8utU6XWT2RfPfq85dcL+wGuTS/JzxL1M8r/pvskCjEzboeULGhdNF6cllqmPxSs=
  gandalf.local ssh-rsa B3NzaC1yc2EBIwAAAIEA1zi/GNCWr0RAKwyI2dfo5ut4V/ixE/lXCoQo0gCq6KmAiUzW/bei+CcROrXIYd2D+GEZx5DzvkCZung/9dukffYMto9FVcYIShSnTi/c4k5d8utU6XWT2RfPfq85dcL+wGuTS/JzxL1M8r/pvskCjEzboeULGhdNF6cllqmPxSs=

But when I try to log in from gandalf to the computer in question ssh will still ask for the password. Here is the debug output from sshd:

  aragorn:/etc/ssh# sshd -d -e
  debug1: Seeding random number generator
  debug1: sshd version OpenSSH_2.9p2
  debug1: private host key: #0 type 0 RSA1
  debug1: read PEM private key done: type RSA
  debug1: private host key: #1 type 1 RSA
  debug1: read PEM private key done: type DSA
  debug1: private host key: #2 type 2 DSA
  debug1: Bind to port 22 on 0.0.0.0.
  Server listening on 0.0.0.0 port 22.
  Generating 768 bit RSA key.
  RSA key generation complete.
  debug1: Server will not fork when running in debugging mode.
  Connection from 192.168.1.2 port 1154
  debug1: Client protocol version 2.0; client software version OpenSSH_2.9p2
  debug1: match: OpenSSH_2.9p2 pat ^OpenSSH
  Enabling compatibility mode for protocol 2.0
  debug1: Local version string SSH-1.99-OpenSSH_2.9p2
  debug1: Rhosts Authentication disabled, originating port not trusted.
  debug1: list_hostkey_types: ssh-rsa,ssh-dss
  debug1: SSH2_MSG_KEXINIT sent
  debug1: SSH2_MSG_KEXINIT received
  debug1: kex: client->server aes128-cbc hmac-md5 none
  debug1: kex: server->client aes128-cbc hmac-md5 none
  debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
  debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
  debug1: dh_gen_key: priv key bits set: 139/256
  debug1: bits set: 989/2049
  debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
  debug1: bits set: 995/2049
  debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
  debug1: kex_derive_keys
  debug1: newkeys: mode 1
  debug1: SSH2_MSG_NEWKEYS sent
  debug1: waiting for SSH2_MSG_NEWKEYS
  debug1: newkeys: mode 0
  debug1: SSH2_MSG_NEWKEYS received
  debug1: KEX done
  debug1: userauth-request for user wh service ssh-connection method none
  debug1: attempt 0 failures 0
  debug1: Starting up PAM with username wh
  debug1: PAM setting rhost to gandalf.local
  Failed none for wh from 192.168.1.2 port 1154 ssh2
  [the client asks for the password now]
  [...]

And from the client:

  [EMAIL PROTECTED]:~$ ssh -v aragorn.local
  OpenSSH_2.9p2, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
  debug1: Reading configuration data /etc/ssh/ssh_config
  debug1: Seeding random number generator
  debug1: Rhosts Authentication disabled, originating port will not be trusted.
  debug1: restore_uid
  debug1: ssh_connect: getuid 1000 geteuid 0 anon 1
  debug1: Connecting to aragorn.local [192.168.1.8] port 22.
  debug1: temporarily_use_uid: 1000/1000 (e=0)
  debug1: restore_uid
  debug1: temporarily_use_uid: 1000/1000 (e=0)
  debug1: restore_uid
  debug1: Connection established.
  debug1: read PEM private key done: type DSA
  debug1: read PEM private key done: type RSA
  debug1: identity file /home/wh/.ssh/identity type 0
  debug1: identity file /home/wh/.ssh/id_rsa type -1
  debug1: identity file /home/wh/.ssh/id_dsa type -1
  debug1: Remote protocol version 1.99, remote software version OpenSSH_2.9p2
  debug1: match: OpenSSH_2.9p2 pat ^OpenSSH
  Enabling compatibility mode for protocol 2.0
  debug1: Local version string SSH-2.0-OpenSSH_2.9p2
  debug1: SSH2_MSG_KEXINIT sent
  debug1: SSH2_MSG_KEXINIT received
  debug1: kex: server->client aes128-cbc hmac-md5 none
  debug1: kex: client->server aes128-cbc hmac-md5 none
  debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
  debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
  debug1: dh_gen_key: priv key bits set: 134/256
  debug1: bits set: 1023/2049
  debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
  debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
  debug1: Host 'aragorn.local' is known and matches the RSA host key.
  debug1: Found key in /home/wh/.ssh/known_hosts2:2
  debug1: bits set: 1026/2049
  debug1: ssh_rsa_verify: signature correct
  debug1: kex_derive_keys
  debug1: newkeys: mode 1
  debug1: SSH2_MSG_NEWKEYS sent
  debug1: waiting for SSH2_MSG_NEWKEYS
  debug1: newkeys: mode 0
  debug1: SSH2_MSG_NEWKEYS received
  debug1: done: ssh_kex2.
  debug1: send SSH2_MSG_SERVICE_REQUEST
  debug1:
Re: international characters in mutt
On Sat, 06 Oct 2001, Stig Brautaset wrote:
> I am having trouble getting mutt to show Norwegian characters (e.g. æ and ø). The strange thing is that they work all fine on the command line, and if I use more or less to view the mbox-file, they show up as they are supposed to. It is, in other words, only a problem in mutt.

Exactly my problem. Try setting $LANG before you start mutt. I use LANG=de_DE mutt and it works fine (but mutt speaks german now, which I don't really like).

Walter
Re: Network Stalls
On Tue, 18 Sep 2001, Vineet Kumar wrote:
> * Leigh ([EMAIL PROTECTED]) [010918 16:07]:
> > I believe this is because of the Direcpc satellite and latency. The local network has no problems. Here is what will happen. I start a download of 100K or larger and the network will stall, however it is only that session that stalls, I can in another terminal continue to surf. I am currently doing a steady ping on a system on my network while stalled in dselect to only and update. If anyone can help with this please let me know, this is driving me crazy!
> I'm unfamiliar with this issue, but from readings on this list this might be an ECN issue.

This doesn't seem to be ECN-related. ECN problems happen independently of the download size.

This could be a problem with failed path MTU discovery. Do you filter ICMP packets on this link? You can switch PMTU discovery off on your Linux box, but the problem seems to be in the downstream direction so this would not help. Try changing the MSS setting on the interface of the computer that initiates the connection: man route has the details on how to do this. Try to set this to something <500.

Walter
Re: Lookup during intensive IO
On Wed, 19 Sep 2001, Jose Manuel dos Santos Calhariz wrote:
> Could this mean, it is enabled by default?

Check with hdparm /dev/hda

Walter
apt-get message
Can someone explain the following apt-get message to me? It seems to say that pppconfig needs ppp version 2.3.7 or newer. Why doesn't it accept 2.4.1-4 then??

Thanks,
Walter

  gandalf:~# apt-get install pppconfig
  Reading Package Lists... Done
  Building Dependency Tree... Done
  Some packages could not be installed. This may mean that you have
  requested an impossible situation or if you are using the unstable
  distribution that some required packages have not yet been created
  or been moved out of Incoming.

  Since you only requested a single operation it is extremely likely that
  the package is simply not installable and a bug report against
  that package should be filed.
  The following information may help to resolve the situation:

  Sorry, but the following packages have unmet dependencies:
    pppconfig: Depends: ppp (>= 2.3.7) but 2.4.1-4 is to be installed
  E: Sorry, broken packages
  gandalf:~# apt-get --version
  apt 0.5.3 for linux i386 compiled on Mar 7 2001 19:25:55
  Supported Modules:
  *Ver: Standard .deb
  *Pkg: Debian dpkg interface (Priority 30)
  S.L: 'deb' Standard Debian binary tree
  S.L: 'deb-src' Standard Debian source tree
  Idx: Debian Source Index
  Idx: Debian Package Index
  Idx: Debian dpkg status file
  gandalf:~#
Re: apt-get message
On Fri, 31 Aug 2001, Walter Hofmann wrote:
> Sorry, but the following packages have unmet dependencies:
>   pppconfig: Depends: ppp (>= 2.3.7) but 2.4.1-4 is to be installed
> E: Sorry, broken packages

I updated apt to version 0.5.4 (from Sid) and it works again. (But Reading Package Lists is slow now.)

Walter
Re: magic sysrq key
On Thu, 23 Aug 2001, Noah Meyerhans wrote:
> Wouldn't you build a custom kernel soon after installation anyway? That's generally recommended.

Is it? I used to do this, but now I try to avoid upgrading the kernel because right now everything is working fine and I don't want to mess with the packaging system.

> Has it always been the case that /proc/sys/kernel/sysrq could disable the magic sysrq key?

This is new in 2.4, AFAIK.

> I've heard some consider the sysrq key a security hole, but if it can be disabled then there's no big deal.

To press the SysRq key you need access to the keyboard. If you have access to the keyboard, you can do much worse things to the computer (like spilling coffee over it :)

Walter
Re: 1 IP Address on 2 Network Interfaces
On Fri, 24 Aug 2001, Jochem Vaartjes wrote:
> before, but I can't figure out how to config such thing, any hints, help or suggestion??

I think the term for this is channel bonding. Maybe a search in the archives will help.

Walter
magic sysrq key
Is there a way to enable the magic SysRq key without compiling a custom kernel? Why is it not built in the Debian kernel? If policy demands that it should be disabled by default then this could be done via proc during the boot process. Walter
Re: ssh refuses connections
On Tue, 21 Aug 2001, Jason Majors wrote:
> I have four machines: a firewall, an internal server, and two workstations. When I try an SSH connection from the firewall to the server, or from outside the firewall using its port forwarding to go to the server, I get the error:
>   ssh_exchange_identification: Connection closed by remote host

I had the same problem recently. It happened only when I've been online via some ISP. The problem was that my internal network uses 192.168.1.1 as the IP for this machine, and the ISP in question set up an rDNS entry pointing to RFC1xxx. ssh was in paranoid mode and tried to resolve RFC1xxx but failed and denied the connection.

You should check if nslookup 192.168.1.1 or host 192.168.1.1 gives a name which doesn't resolve to 192.168.1.1.

Walter
Re: how do i extract a bullet from my foot (tar woes)
On Tue, 21 Aug 2001, Karsten M. Self wrote:
> I'm trying to remember a trick (probably in O'Reilly's _UNIX Power Tools_) for removing files by inode. Trying to remember what it was or in what context it worked.

Unmount the filesystem, then do

  [EMAIL PROTECTED]:~ /sbin/debugfs
  debugfs 1.19, 13-Jul-2000 for EXT2 FS 0.5b, 95/08/09
  debugfs: open -w /dev/device_with_file_system
  debugfs: clri 11
  debugfs: quit
  [EMAIL PROTECTED]:~ /sbin/e2fsck -f /dev/device_with_file_system
  e2fsck 1.19, 13-Jul-2000 for EXT2 FS 0.5b, 95/08/09
  Pass 1: Checking inodes, blocks, and sizes
  Pass 2: Checking directory structure
  Entry 'random name' in / (2) has deleted/unused inode 11.  Clear<y>? yes
  ...

Use the inode number of the file you want to clear instead of 11.

Walter
Re: how do i extract a bullet from my foot (tar woes)
Viktor Rosenfeld wrote on Tuesday, 21 August 2001:
> but `rm ??remove-files` will also do the trick

No, it gets globbed to rm --remove-files so this won't work.

Walter
apt-get package priorities / installing KDE troubles
[SORRY, BUT THIS IS LONG]

Hi,

I'm running an up-to-date testing system and I would like to upgrade a minimum set of packages so that I can use KDE 2.2 without using the rest of unstable. I read the other posts (especially the one about pinning packets) and the /etc/apt/preferences manual page, but I still get some odd effects.

First I used apt-get dist-upgrade without unstable in the apt sources list to be up-to-date with testing. Here is what I did then:

- I added unstable to /etc/apt/sources.list. Now there is stable, testing and unstable in it, each with several lines about main/contrib/non-free, plus the security server.

- I added the following to /etc/apt/preferences:

  Package: *
  Pin: release a=testing
  Pin-Priority: 777

  Package: *
  Pin: release a=unstable
  Pin-Priority: 333

- I issued apt-get -u dist-upgrade expecting nothing to happen because my installation was up-to-date with testing and unstable had a lower priority. Alas, apt wanted to upgrade quite a number of packets:

  Reading Package Lists... Done
  Building Dependency Tree... Done
  Calculating Upgrade... Done
  The following packages will be REMOVED:
    artsbuilder kchart kde-designer kdebase kdebase-audiolibs kdict kdm kformula killustrator kivio knewsticker koffice koffice-libs konqueror koshell kpresenter krayon kscreensaver kspread kword libarts libarts-dev libarts-mpeglib libkmid libkonq3 libqt-dev mysql-client mysql-server noatun xemacs21-bin xemacs21-nomule xemacs21-support
  The following packages have been kept back
    kdebase-crypto kdebase-libs kdelibs3 kdelibs3-crypto konsole kscd kugar libqt2 libqutil1 mpeglib xemacs21
  The following packages will be upgraded
    ash autoconf cddb cpp cpp-2.95 g++ g++-2.95 gcc gcc-2.95 gdb groff groff-base heimdal-lib kdeartwork-misc kdeartwork-theme-window kdebase-doc kdelibs3-doc kdewallpapers libelfg0 libg++2.8.1.3-glibc2.2 libmimelib1 libmng-dev libmng1 libqt3 libqxt0 libstdc++2.10-dev libstdc++2.10-glibc2.2 mesag3 pcmcia-cs procmail qt-doc
  31 packages upgraded, 0 newly installed, 32 to remove and 11 not upgraded.
  Need to get 21.1MB of archives. After unpacking 98.8MB will be freed.

- I don't understand this. Why is apt-get trying to upgrade the packages??? Is it what is described in apt_preferences(5) in the section INTERESTING EFFECTS? This is still strange, because this would not upgrade completely to unstable. Because if I remove /etc/apt/preferences completely much I get an error about unmet dependencies. I have no idea how the packages in the list above were selected. Does this mean that I need to set the testing priority to a number above 1000 to get around the downgrading barrier? But, if I do this, does this mean that once I upgraded to KDE 2.2 and I issue another apt-get -u dist-upgrade command apt will downgrade to the old KDE packages in testing?

- Anyway, I tried setting the testing priority to . I started apt-get -u dist-upgrade again, still expecting nothing to be upgraded. But it was much worse:

  The following packages will be REMOVED:
    abbrowser ark artsbuilder docbook-stylesheets kab karm kcalc kcharselect kchart kcron kde-designer kdebase kdebase-audiolibs kdebase-crypto kdebase-libs kdelibs3 kdelibs3-crypto kdepasswd kdf kdict kdm kedit keystone kfind kformula kfract kghostview khexedit kiconedit killustrator kit kivio kjots kmail kmix knetload knewsticker knode knotes koffice koffice-libs konqueror konsole korganizer korn koshell kpackage kpaint kpilot kpixmap2bitmap kpm kpresenter krayon kreversi kruler kscd kscreensaver ksirc ksnapshot ksokoban kspread ksysctrl ksysv ktimemon kugar kuser kview kword libarts libarts-dev libarts-mpeglib libkmid libkonq3 libmimelib1 libqt-dev mysql-client mysql-server noatun pixie secpolicy
  The following NEW packages will be installed:
    libqt2-dev xemacs21-mule xemacs21-mulesupport
  The following packages will be upgraded
    kdeartwork-misc kdeartwork-theme-window libqt3
  The following packages will be DOWNGRADED
    apmd ash cddb cpp freetype2 g++ g++-2.95 gcc gcc-2.95 gdb gnuplot groff groff-base heimdal-lib jade kdebase-doc kdelibs3-doc kdewallpapers ldso libelfg0 libg++2.8.1.3-glibc2.2 liblcms liblcms-dev libmng-dev libmng1 libqt2 libqutil1 libqxt0 libstdc++2.10-dev libstdc++2.10-glibc2.2 libttf2 mesag3 mpeglib pcmcia-cs prc-tools procmail qt-doc samba-common smbfs strace xemacs21 xemacs21-bin xemacs21-nomule xemacs21-support
  3 packages upgraded, 3 newly installed, 44 downgraded, 80 to remove and 3 not upgraded.

- So now it wants to remove half of my system and downgrade the other half??? Ugh.

- Next try: I read apt_preferences(5) again and used the following in /etc/apt/preferences:

  Package: *
  Pin: release a=testing
  Pin-Priority: 777

  Package: *
  Pin: release a=unstable
  Pin-Priority: 33

- This should put unstable below the automatic upgrade barrier. And so far, it worked. apt-get dist-upgrade would keep
Re: Exim behind dhcp/ipmasq
On Fri, 17 Aug 2001, Michael Abraham Shulman wrote:
> 451 rejected: temporarily unable to verify envelope sender address [EMAIL PROTECTED]

SF checks if the host name of the sender resolves. It must resolve (or have a mail exchanger entry) because otherwise you cannot get back delivery errors (bounces).

Maybe your mailer sets the From: address correctly and fails to set the SMTP sender. What program do you use? If it sends mail via sendmail, try to add the -f option to its command line:

  sendmail ... [EMAIL PROTECTED] ...

Walter
Re: Exim behind dhcp/ipmasq
On Fri, 17 Aug 2001, Michael Abraham Shulman wrote:
> Thank you! I use exim and Mew (IM). I should have read your mail more closely. But it helped, at least.
> in ~/.im/Config appears to have fixed the SF problem. I don't expect this to fix the hotmail problem, though, since that was a different error message. I'll let you know if it does, but meanwhile, any ideas about that?

This could be the same problem, but that's hard to say. It looked more like a problem with a broken connection.

You said that the hotmail error message was about a closed connection after Exim sent HELO localhost. This could easily be a spam blocker at hotmail. SMTP says that the mailer should say HELO name or EHLO name as the first command, where name is the name of your machine. Maybe you shouldn't (externally) call your machine localhost. Search for localhost in the exim config file and change it to something reasonable.

Walter
Re: [OT]-Mutt thread question
Eric Boo wrote on Monday, 06 August 2001:
> What's this * next to the arrow in some emails of a thread mean?

Mutt displays * if the messages have the same subject header, but no References: header. This usually means that the sender has a broken mailer which doesn't include a References: header.

Walter
Re: embarrassing X question
On Thu, 19 Jul 2001, Richard Black wrote:
> > The xfree86 packages have been changed to not accept tcp connections at all by default. Check out the -nolisten option in your xserver manual page.
> Okay thanks! But...how do I use xauth? I have tried doing what was suggested in the man page ie variants of

Both the most secure and the most convenient way is to use ssh. Enable X tunnelling in the /etc/ssh/ssh_config file (set ForwardX11 to yes) and everything will be done for you---no need to set DISPLAY or use xauth or have the server listen on any tcp port. Just log in with ssh [EMAIL PROTECTED].

Walter
Re: InfraRed port in a Linux Laptop
On Tue, 17 Jul 2001, Pedro Quaresma de Almeida wrote:
> Hi
> I am trying to configure my InfraRed device without much success. I have a HP Omnibook XE3 with the 2.4.4 Kernel installed. I have read (tried to) the Linux InfraRed Howto, but it seems outdated, the tools have changed, some of the tools described seem not to exist... Can you help me? Thank you.

Install the irda-* packets and edit /etc/irda.conf to point to the correct serial port (/dev/ttyS1 ?) This should usually be enough to get SIR (the slow one) running. If you need FIR then you need a kernel module for your particular IR device and things get complicated.

Walter
Re: Off Topic: iptables, ping, traceroute
On Mon, 16 Jul 2001, John Patton wrote:
> On Mon, Jul 16, 2001 at 02:30:29PM -0500, William Jensen wrote:
> > I've setup a fairly restrictive set of rules for iptables and have been, up to this point, extremely satisfied with its performance. However, I've recently started having some significant issues with my cable modem provider and they routinely want to ping and traceroute to my machine. This requires me to take down my firewall and wait for them to finish, then put it back up. I'd like to make, as part of my rule set, ping and traceroute able to get through. So far I've done this for my input chain for ping
> >   -A INPUT -p icmp -j ACCEPT
> > For traceroute I've done this:
> >   -A INPUT -p ip -j ACCEPT
> > These appear to work, however, am I overlooking something from a security point of view by allowing any icmp and ip's through? Is there a better way?
> You could further limit your rules by specifying the source address of your cable modem provider, something like:
>   -A INPUT -p icmp -s provider.cable.net -j ACCEPT

If William blocks all ICMP packets then I'm not surprised that he has connection problems. ICMP is there for a reason. In particular, if he blocks ICMP type destination-unreachable/fragmentation-needed then all his connections which, at some point, run over a low MTU link will break sooner or later. This usually happens after the first big packet gets sent over the connection. This is because blocking ICMP breaks PMTU discovery.

Really, ICMP is there for a reason. Nobody should expect to get away with blocking it, unless they are accepting random connection hangs and similar problems.

Walter
Re: Can't play audio CDs
On Sun, 15 Jul 2001, Joel Mayes wrote:
> Are you using ALSA sound drivers ? I can't get my CD to play at all under alsa drivers, but it works perfectly with kernel driver ( I've no idea why )

The alsa driver mutes all mixers by default. Did you turn up the volume of the CD channel in the mixer?

Walter