Re: [gentoo-user] How to prevent a dns amplification attack

2013-03-29 Thread Norman Rieß
On 29.03.2013 01:49, Peter Humphrey wrote:
 On Thursday 28 March 2013 20:53:49 Paul Hartman wrote:
 
 In my case, my ISP's DNS servers are slow (several seconds to reply),
 fail randomly when they should resolve, return an IP (which goes to
 their ad-laden helper website if you are using a web browser) when
 they should instead return nxdomain, and they have openly admitted to
 selling customer DNS lookup history to marketers for targeted
 advertising.
 
 That is just evil. Have you no alternative to this ISP?
 
 -- 
 Peter

Like free and open DNS servers? ;-) Like the one I am talking about and
was told it was unnecessary crap?

Norman



Re: [gentoo-user] emul-linux-x86-libs blocking tons of X libs

2013-03-29 Thread Neil Bothwick
On Fri, 29 Mar 2013 02:17:18 +, Mateusz Kowalczyk wrote:

   * These packages depend on emul-linux-x86-gtklibs:
  dev-util/android-sdk-update-manager-21 (amd64 ?
  app-emulation/emul-linux-x86-gtklibs) sys-devel/gcc-4.5.4 (multilib ?
  app-emulation/emul-linux-x86-gtklibs) sys-devel/gcc-4.6.3 (multilib ?
  app-emulation/emul-linux-x86-gtklibs) sys-devel/gcc-4.7.2-r1
  (multilib ? app-emulation/emul-linux-x86-gtklibs)  
 
 
 I have neither ‘amd64’ nor ‘multilib’ set which raises the question of
 how and why it got onto my system in the first place… I'm still
 somewhat wary of clobbering something that has ‘gcc’ in its depgraph…

amd64 and multilib are set by your profile, which are you using?

If you're worried about removing a dep of gcc, which is reasonable,
quickpkg it first. Then you can unmerge and still get it back without
needing gcc.

But before you do any of that, wait a few hours and sync again. That very
often fixes these strange blockers.


-- 
Neil Bothwick

Suicidal twin kills sister by mistake!




Re: [gentoo-user] Is 'MAKEOPTS=--jobs --load-average=5' silly?

2013-03-29 Thread Mick
On Thursday 28 Mar 2013 14:03:27 Peter Humphrey wrote:
 On Wednesday 27 March 2013 18:16:22 Walter Dnes wrote:
OK, I'll go with...
  
  MAKEOPTS="-j2 --load-average=3"
 
 This box is an i5 with four single-threaded CPUs and I limit the average
 load to 8. Since emerge is running at niceness=3 the desktop remains
 responsive throughout. I used not to limit the load at all and KDE was
 still fine to work with. I sometimes think that with modern systems
 there's no need to impose limits of my own since the kernel can cope well
 by itself.
 
 In fact I'm going to remove the load limit and see how I get on.

I've got a first generation i7 and this is what I have set up in my make.conf:

  MAKEOPTS="-j5 -l12.8"
  EMERGE_DEFAULT_OPTS="--quiet-build=n"

Why is -l set at 12.8 ... ?  At some distant point in the past this made sense 
to me, but I have no idea how I arrived at it.  Other than the cooling fan 
speeding up I have not noticed a problem with any ebuilds.  Very rarely I 
might have used -j1 to complete a failing ebuild, but it was so long ago I 
can't even recall it.
-- 
Regards,
Mick




Re: [gentoo-user] Is 'MAKEOPTS=--jobs --load-average=5' silly?

2013-03-29 Thread Neil Bothwick
On Fri, 29 Mar 2013 12:36:56 +, Mick wrote:

 I've got a first generation i7 and this is what I have set up in my
 make.conf:
 
   MAKEOPTS="-j5 -l12.8"
   EMERGE_DEFAULT_OPTS="--quiet-build=n"

n is the default for quiet-build if --jobs is set to 1, or unspecified.
But using a higher value will give you faster updates. The MAKEOPTS
setting has no effect during the preparation and installation stages of
an ebuild, and with --jobs=1 that means your CPU spends a lot of time
idling.


-- 
Neil Bothwick

This is as bad as it can get - but don't bet on it.




Re: [gentoo-user] How to prevent a dns amplification attack

2013-03-29 Thread Alan McKinnon
On 28/03/2013 22:53, Paul Hartman wrote:
 On Thu, Mar 28, 2013 at 3:02 PM, Alan McKinnon alan.mckin...@gmail.com 
 wrote:
 Or just use the ISP's DNS caches. In the vast majority of cases, the ISP
 knows how to do it right and the user does not.

 Generally true, though I've known people to choose not to use ISP caches
 owing to the ISP's implementation of things like '*' records, ISPs
 applying safety filters against some hostnames, and concerns about the
 persistence of ISP request logs.

 I get a few of those too every now and again. I know for sure in my case
 their fears are unfounded, but can't prove it. Those few (and they are
 few) can go ahead and deploy their own cache. I can't stop them, they
 are free to do it, they are also free to ignore my advice if they choose.
 
 In my case, my ISP's DNS servers are slow (several seconds to reply),
 fail randomly when they should resolve, return an IP (which goes to
 their ad-laden helper website if you are using a web browser) when
 they should instead return nxdomain, and they have openly admitted to
 selling customer DNS lookup history to marketers for targeted
 advertising.

I'm part of Infra. If we sold you service like that, you wouldn't have
to complain, the CTO would be round at my desk in a flash  with his new
career path plan for me.

You know the plan, it's the cookie-cutter one that mentions burgers
and flipping many times

:-)


 
 Thanks for being one of the good guys. :)
 


-- 
Alan McKinnon
alan.mckin...@gmail.com




Re: [gentoo-user] How to prevent a dns amplification attack

2013-03-29 Thread Alan McKinnon
On 29/03/2013 10:53, Norman Rieß wrote:
 That is just evil. Have you no alternative to this ISP?
 
 -- 
 Peter
 
 Like free and open DNS servers? ;-) Like the one I am talking about and
 was told it was unnecessary crap?


When you describe the service you DO get from your ISP, then we can see
that rolling your own is the proper alternative for you. Unless your ISP
blocks outbound port 53...

If you were in Africa, I could give you an alternative but sadly I don't
think you are in Africa

-- 
Alan McKinnon
alan.mckin...@gmail.com




Re: [gentoo-user] How to prevent a dns amplification attack

2013-03-29 Thread Michael Mol
On 03/29/2013 09:27 AM, Alan McKinnon wrote:
 On 29/03/2013 10:53, Norman Rieß wrote:
 That is just evil. Have you no alternative to this ISP?
 
 -- 
 Peter
 
 Like free and open DNS servers? ;-) Like the one I am talking about and
 was told it was unnecessary crap?
 
 
 When you describe the service you DO get from your ISP, then we can see
 that rolling your own is the proper alternative for you. Unless your ISP
 blocks outbound port 53...

It'd be trivial enough for someone in a saner spot to privately offer
him an allowed-clients entry in a DNS server listening on a non-standard
port.

Either way, it's still important he not allow just anybody to connect to
his resolver.

 
 If you were in Africa, I could give you an alternative but sadly I don't
 think you are in Africa
 






[gentoo-user] ext4 inline data

2013-03-29 Thread Florian Philipp
Hi list!

I noticed that beginning with kernel 3.8, ext4 can store small files
entirely inside the inode. But I couldn't find much additional information:

- Is the improvement automatically enabled?

- Is the change backwards compatible? Can I still read such files with
kernel 3.7?

- Can current stable e2fsprogs (especially e2fsck) handle this?

Thanks in advance!
Florian Philipp





[gentoo-user] 4G Stick Huawei E3276

2013-03-29 Thread Stefan G. Weichinger

Greets!

I have a new and shiny Huawei E3276 stick here and want to test it with
my gentoo thinkpad running Gnome.

I managed to get some /dev/ttyUSB0 .. the device is usb_modeswitch-ed
automatically.

I also added the modules option and cdc_ncm to my kernel config and
the dmesg looks ok:

# lsmod
Module  Size  Used by
option 26697  0
usb_wwan6886  1 option
cdc_ncm 9365  0
usbserial  23426  2 option,usb_wwan
usbnet 19268  1 cdc_ncm
crc32c_intel   13975  0
i2c_i8018765  0
btusb  11699  0

[   59.586159] usbcore: registered new interface driver usbserial
[   59.586534] usbcore: registered new interface driver usbserial_generic
[   59.586593] usbserial: USB Serial support registered for generic
[   59.588309] usbcore: registered new interface driver option
[   59.588632] usbserial: USB Serial support registered for GSM modem
(1-port)
[   59.589143] usb 1-1.1: MAC-Address: 0c:5b:8f:27:9a:64
[   59.589721] cdc_ncm 1-1.1:1.1 wwan0: register 'cdc_ncm' at
usb-:00:1a.0-1.1, Mobile Broadband Network Device, 0c:5b:8f:27:9a:64
[   59.589814] option 1-1.1:1.0: GSM modem (1-port) converter detected
[   59.590004] usb 1-1.1: GSM modem (1-port) converter now attached to
ttyUSB0
[   59.590075] usbcore: registered new interface driver cdc_ncm
[   59.595969] systemd-udevd[3717]: renamed network interface wwan0 to
wwp0s26u1u1i1
[   60.577572] scsi 8:0:0:0: CD-ROMHUAWEI   Mass Storage
 2.31 PQ: 0 ANSI: 2
[   60.577710] scsi 9:0:0:0: Direct-Access HUAWEI   TF CARD Storage
 2.31 PQ: 0 ANSI: 2
[   60.580526] sr1: scsi-1 drive
[   60.581510] sr 8:0:0:0: Attached scsi CD-ROM sr1
[   60.589986] sd 9:0:0:0: [sdb] Attached SCSI removable disk


BUT: it doesn't show up in the networkmanager-GUI. No mobile broadband
anything.

[I] net-misc/networkmanager
 Available versions:  0.9.4.0-r6 0.9.6.4 (~)0.9.6.4-r1
[M](~)0.9.7.995 [M](~)0.9.8.0 [M]** {avahi bluetooth
connection-sharing +consolekit dhclient +dhcpcd doc gnutls
+introspection modemmanager +nss +ppp resolvconf systemd test vala +wext
wimax KERNEL=linux}
 Installed versions:  0.9.6.4-r1(11:30:45 26.03.2013)(bluetooth
dhcpcd introspection modemmanager nss ppp systemd wext -avahi
-connection-sharing -consolekit -dhclient -doc -gnutls -resolvconf -vala
-wimax KERNEL=linux)
 Homepage:http://www.gnome.org/projects/NetworkManager/
 Description: Universal network configuration daemon for
laptops, desktops, servers and virtualization hosts

# eix modemm
[I] net-misc/modemmanager
 Available versions:  0.6.0.0 (~)0.6.0.0-r1 [M](~)0.7.990(0/1)
**(0/1) {doc policykit +qmi qmi-newest test}
 Installed versions:  0.6.0.0-r1(11:04:49 26.03.2013)(policykit -doc
-test)
 Homepage:
http://cgit.freedesktop.org/ModemManager/ModemManager/
 Description: Modem and mobile broadband management libraries


Does anyone have a pointer for me how to get that working?

thanks!

Stefan




Re: [gentoo-user] 4G Stick Huawei E3276

2013-03-29 Thread Stefan G. Weichinger
forgot to add:

lsusb:

Bus 001 Device 006: ID 12d1:1506 Huawei Technologies Co., Ltd. E398
LTE/UMTS/GSM Modem/Networkcard

it shows as E398 here but is labeled as E3276




Re: [gentoo-user] Re: abi_x86_32

2013-03-29 Thread Raffaele BELARDI
On 03/28/2013 08:11 PM, Nikos Chantziaras wrote:
 On 28/03/13 20:39, Paul Hartman wrote:
 Like the forum post you linked says, instead of setting abi_x86_32 as
 a USE flag, what you can do in your make.conf is set:

 ABI_X86="64 32"

 (if you want to build both 32bit and 64bit)
 
 I think ABI_X86=32 is enough, since on AMD64 the 64 is always there 
 implicitly.
 

That was going to be my next question!
By the way, I found this:

$ cat /usr/portage/profiles/desc/abi_x86.desc

# Copyright 2013-2013 Gentoo Foundation.
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/profiles/desc/abi_x86.desc,v 1.2
2013/02/27 23:22:19 mgorny Exp $

# This file contains descriptions of ABI_X86 USE_EXPAND flags.

# Keep it sorted. Please do not add anything without prior discussion
# on gentoo-dev.
32 - 32-bit (x86) libraries
64 - 64-bit (amd64) libraries
x32 - x32 ABI libraries

...and searching for USE_EXPAND in
http://devmanual.gentoo.org/general-concepts/use-flags/ shows that
USE=abi_x86_32 and ABI_X86=32 have the same meaning, which was my
other doubt.

thanks!


Re: [gentoo-user] 4G Stick Huawei E3276

2013-03-29 Thread Mick
On Friday 29 Mar 2013 14:10:02 Stefan G. Weichinger wrote:
 Greets!
 
 I have a new and shiny Huawei E3276 stick here and want to test it with
 my gentoo thinkpad running Gnome.
 
 I managed to get some /dev/ttyUSB0 .. the device is usb_modeswitch-ed
 automatically.
 
 I also added the modules option and cdc_ncm to my kernel config and
 the dmesg looks ok:
 
 # lsmod
 Module  Size  Used by
 option 26697  0
 usb_wwan6886  1 option
 cdc_ncm 9365  0
 usbserial  23426  2 option,usb_wwan
 usbnet 19268  1 cdc_ncm
 crc32c_intel   13975  0
 i2c_i8018765  0
 btusb  11699  0

You're missing module 'qmi_wwan'.

Try adding this to your kernel and replug the device (or use modprobe -v 
qmi_wwan).

PS.  I don't have such a device to test here, so hope this will get you in the 
right ball park.
-- 
Regards,
Mick




Re: [gentoo-user] 4G Stick Huawei E3276

2013-03-29 Thread Stefan G. Weichinger
On 29.03.2013 16:05, Mick wrote:

 You're missing module 'qmi_wwan'.
 
 Try adding this to your kernel and replug the device (or use
 modprobe -v qmi_wwan).

Should I rmmod the others before?

I compiled and loaded that module ... no real difference to see ...
still no mobile broadband offered.

When I rmmod them all and plug in again, I get option loaded again.
Should I remove this one from my .config?

Even when I rmmod option, modprobe qmi_wwan and then plugin option
gets loaded (and no mobile broadband in NM).

Could it be related to our friend systemd which renames wwan0 to
wwp0s26u1u1i1 according to dmesg?

 PS.  I don't have such a device to test here, so hope this will get
 you in the right ball park.

Thanks for your help ...





Re: [gentoo-user] cyrus-sasl necessary with localhost webmail?

2013-03-29 Thread Stroller

On 28 March 2013, at 21:53, Grant wrote:

 I recently switched from Thunderbird to Roundcube (highly
 recommended), switched to the non-SSL courier daemon, and plugged the
 firewall hole since courier resides on the same system as my web
 server.  Do I still need cyrus-sasl or will a webmail client
 authenticate directly with courier?
 
 Can anyone tell me if it's necessary to run cyrus-sasl between courier
 and a webmail client if they're on the same machine?

I have a very old installation of net-mail/courier-imap 

I don't believe I have ever run cyrus-sasl on it. I have accessed this system 
via Squirrelmail, IMAP and (I think) IMAP-over-SSL.

I find now that I have net-libs/courier-authlib installed.

Things may have changed considerably since I installed this system, a long time 
ago, but there used to be two separate packages net-mail/courier-imap and 
mail-mta/courier. I think courier-imap was just the IMAP server, split off from 
the larger mail-mta/courier, which was the full package from upstream and which 
included some other stuff.

Last time I looked at this, dovecot seemed superior to courier, and worked very 
well for me when I installed it for someone else. I was able to configure it 
with PAM, to authenticate via Samba from a windows domain controller. I 
remember the developer of dovecot as really helpful - I think I had a problem 
and he produced a patch which fixed it within 24 hours.

I have it in mind to replace courier with dovecot when I get around to 
replacing my current mail server.

Stroller.




Re: [gentoo-user] Is 'MAKEOPTS=--jobs --load-average=5' silly?

2013-03-29 Thread Stroller

On 29 March 2013, at 03:36, Nilesh Govindrajan wrote:
 ...
 I can only imagine he was pointing out that you have a single CPU with four 
 cores in it.
 
 You're right, of course. I should have said /cores/.
 
 Cores or CPUs.. in this context it's *almost*, __NOT EXACTLY__ same.

Which is exactly what was so twitch inducing! 

Stroller.




[gentoo-user] Re: Is 'MAKEOPTS=--jobs --load-average=5' silly?

2013-03-29 Thread »Q«
On Fri, 29 Mar 2013 16:54:37 +
Stroller strol...@stellar.eclipse.co.uk wrote:

 
 On 29 March 2013, at 03:36, Nilesh Govindrajan wrote:
  ...
  I can only imagine he was pointing out that you have a single CPU
  with four cores in it.
  
  You're right, of course. I should have said /cores/.
  
  Cores or CPUs.. in this context it's *almost*, __NOT EXACTLY__ same.
 
 Which is exactly what was so twitch inducing! 

Whatever you do, don't read the first sentence at
https://en.wikipedia.org/wiki/Multi-core_processor.




Re: [gentoo-user] Re: Is 'MAKEOPTS=--jobs --load-average=5' silly?

2013-03-29 Thread Dale
»Q« wrote:
 On Fri, 29 Mar 2013 16:54:37 +
 Stroller strol...@stellar.eclipse.co.uk wrote:

 On 29 March 2013, at 03:36, Nilesh Govindrajan wrote:
 ...
 I can only imagine he was pointing out that you have a single CPU
 with four cores in it.
 You're right, of course. I should have said /cores/.
 Cores or CPUs.. in this context it's *almost*, __NOT EXACTLY__ same.
 Which is exactly what was so twitch inducing! 
 Whatever you do, don't read the first sentence at
 https://en.wikipedia.org/wiki/Multi-core_processor.




Especially this FIRST part:

A *multi-core processor* is a single computing
https://en.wikipedia.org/wiki/Computing component . . .

So, it is a SINGLE component.  To me, CPUs means having more than one
CPU component, such as dual CPUs or even quad CPUs which used to be
fairly common. 

I have a single CPU computer.  It has 4 cores but a single CPU.  I hope
to upgrade one day to a 8 core CPU.  I'll still have a single CPU
component installed tho. 

This is getting really funny.  ROFL  You can tell when the list is
getting slow when we start parsing each word and each word's meaning.  ;-) 

Dale 

:-)  :-) 

-- 
I am only responsible for what I said ... Not for what you understood or how 
you interpreted my words!



Re: [gentoo-user] Re: Is 'MAKEOPTS=--jobs --load-average=5' silly?

2013-03-29 Thread Michael Mol
On 03/29/2013 01:46 PM, Dale wrote:
 »Q« wrote:
 On Fri, 29 Mar 2013 16:54:37 +
 Stroller strol...@stellar.eclipse.co.uk wrote:

 On 29 March 2013, at 03:36, Nilesh Govindrajan wrote:
 ...
 I can only imagine he was pointing out that you have a single CPU
 with four cores in it.
 You're right, of course. I should have said /cores/.
 Cores or CPUs.. in this context it's *almost*, __NOT EXACTLY__ same.
 Which is exactly what was so twitch inducing! 
 Whatever you do, don't read the first sentence at
 https://en.wikipedia.org/wiki/Multi-core_processor.



 
 Especially this FIRST part:
 
 A *multi-core processor* is a single computing
 https://en.wikipedia.org/wiki/Computing component . . .
 
 So, it is a SINGLE component.  To me, CPUs means having more than one
 CPU component, such as dual CPUs or even quad CPUs which used to be
 fairly common. 
 
 I have a single CPU computer.  It has 4 cores but a single CPU.  I hope
 to upgrade one day to a 8 core CPU.  I'll still have a single CPU
 component installed tho. 
 
 This is getting really funny.  ROFL  You can tell when the list is
 getting slow when we start parsing each word and each word's meaning.  ;-) 

The list hasn't been slow all week. ^^





[gentoo-user] iptables (not) started?

2013-03-29 Thread Jarry

Hi Gentoo-users,

I noticed one thing on my server: during boot-up no message
about firewall being started is printed on console. I always
have to check manually if iptables-rules have been loaded.
Strange thing, when doing shutdown, I see messages I expect:

* Saving iptables state ...  [ ok ]
* Stopping firewall ...  [ ok ]

I checked also /etc/init.d/iptables and I think it should
show some messages at start:

start() {
    checkconfig || return 1
    ebegin "Loading ${iptables_name} state and starting firewall"
    ${iptables_bin}-restore ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
    eend $?
}

Can someone explain to me why this message is not printed?

Jarry
--
___
This mailbox accepts e-mails only from selected mailing-lists!
Everything else is considered to be spam and therefore deleted.



Re: [gentoo-user] iptables (not) started?

2013-03-29 Thread Mick
On Friday 29 Mar 2013 18:25:11 Jarry wrote:
 Hi Gentoo-users,
 
 I noticed one thing on my server: during boot-up no message
 about firewall being started is printed on console. I always
 have to check manually if iptables-rules have been loaded.
 Strange thing, when doing shutdown, I see messages I expect:
 
 * Saving iptables state ...  [ ok ]
 * Stopping firewall ...  [ ok ]
 
 I checked also /etc/init.d/iptables and I think it should
 show some messages at start:
 
 start() {
 checkconfig || return 1
 ebegin "Loading ${iptables_name} state and starting firewall"
 ${iptables_bin}-restore ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
 eend $?
 }
 
 Can someone explain to me why this message is not printed?

Do you have some other script starting your iptables, rather than the vanilla 
/etc/init.d/iptables?

Does '/etc/init.d/iptables status' show that it is running?
-- 
Regards,
Mick




Re: [gentoo-user] 4G Stick Huawei E3276

2013-03-29 Thread Mick
On Friday 29 Mar 2013 15:23:41 Stefan G. Weichinger wrote:
 On 29.03.2013 16:05, Mick wrote:
  You're missing module 'qmi_wwan'.
  
  Try adding this to your kernel and replug the device (or use
  modprobe -v qmi_wwan).
 
 Should I rmmod the others before?
 
 I compiled and loaded that module ... no real difference to see ...
 still no mobile broadband offered.

When you say no real difference ... dmesg should show that the module is 
loading.  /var/log/messages should show the same.

ifconfig should show a new device has been activated.

Yes?


 When I rmmod them all and plug in again, I get option loaded again.
 Should I remove this one from my .config?
 
 Even when I rmmod option, modprobe qmi_wwan and then plugin option
 gets loaded (and no mobile broadband in NM).

I would get NM troubleshooted after the device is recognised by the kernel and 
the relevant modules are loaded.


 Could it be related to our friend systemd which renames wwan0 to
 wwp0s26u1u1i1 according to dmesg?

I thought that this is a udev issue, rather than systemd.  I don't know 
anything about systemd (not tried it yet) and on a stable Gentoo install you 
should be able to see the wwan0 device in ifconfig.

PS. I should also say that I don't use NM on my machines ... so someone else 
should hopefully be able to help with NM issues.  I use symlinks in 
/etc/init.d/ for my NICs.

-- 
Regards,
Mick




Re: [gentoo-user] 4G Stick Huawei E3276

2013-03-29 Thread Stefan G. Weichinger
On 29.03.2013 19:51, Mick wrote:

 ifconfig should show a new device has been activated.
 
 Yes?

see below ...

 When I rmmod them all and plug in again, I get option loaded
 again. Should I remove this one from my .config?
 
 Even when I rmmod option, modprobe qmi_wwan and then plugin
 option gets loaded (and no mobile broadband in NM).
 
 I would get NM troubleshooted after the device is recognised by the
 kernel and the relevant modules are loaded.
 
 
 Could it be related to our friend systemd which renames wwan0
 to wwp0s26u1u1i1 according to dmesg?
 
 I thought that this is a udev issue, rather than systemd.


Sure, udev.

I don't know
 anything about systemd (not tried it yet) and on a stable Gentoo
 install you should be able to see the wwan0 device in ifconfig.

I get no wwan0 but this:

# ifconfig wwp0s26u1u2i1
wwp0s26u1u2i1: flags=4098<BROADCAST,MULTICAST>  mtu 1500
ether 0c:5b:8f:27:9a:64  txqueuelen 1000  (Ethernet)
RX packets 0  bytes 0 (0.0 B)
RX errors 0  dropped 0  overruns 0  frame 0
TX packets 0  bytes 0 (0.0 B)
TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Just read the posting by Diego Petteno on this issue:

http://blog.flameeyes.eu/2013/03/predictably-non-persistent-names

 PS. I should also say that I don't use NM on my machines ... so
 someone else should hopefully be able to help with NM issues.  I
 use symlinks in /etc/init.d/ for my NICs.

NM sometimes is very comfortable on notebooks etc. ... so why not ...

I don't know if NM *should* detect that fuzzy interface-name now ...
maybe I should do some udev-rule to get wwan0 back? At least for a test.

Stefan





Re: [gentoo-user] iptables (not) started?

2013-03-29 Thread Jarry

On 29-Mar-13 19:43, Mick wrote:

On Friday 29 Mar 2013 18:25:11 Jarry wrote:

Hi Gentoo-users,

I noticed one thing on my server: during boot-up no message
about firewall being started is printed on console. I always
have to check manually if iptables-rules have been loaded.
Strange thing, when doing shutdown, I see messages I expect:

* Saving iptables state ...  [ ok ]
* Stopping firewall ...  [ ok ]

I checked also /etc/init.d/iptables and I think it should
show some messages at start:

start() {
checkconfig || return 1
ebegin "Loading ${iptables_name} state and starting firewall"
${iptables_bin}-restore ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
eend $?
}

Can someone explain to me why this message is not printed?


Do you have some other script starting your iptables, rather than the vanilla
/etc/init.d/iptables?


No.


Does '/etc/init.d/iptables status' show that it is running?


* status: started

I recorded screen with my video-camera to be sure I did not miss
some message. But I found no trace about iptables being started...

Jarry
--
___
This mailbox accepts e-mails only from selected mailing-lists!
Everything else is considered to be spam and therefore deleted.



Re: [gentoo-user] ext4 inline data

2013-03-29 Thread Paul Hartman
On Fri, Mar 29, 2013 at 8:48 AM, Florian Philipp li...@binarywings.net wrote:
 Hi list!

 I noticed that beginning with kernel 3.8, ext4 can store small files
 entirely inside the inode. But I couldn't find much additional information:

 - Is the improvement automatically enabled?

I don't believe so. I think you need to explicitly enable the feature
inline_data when you mkfs.

 - Is the change backwards compatible? Can I still read such files with
 kernel 3.7?

It is defined as INCOMPAT_INLINE_DATA so an older kernel should refuse
to mount it at all if it does not know how to handle this option.

Depending on your partition layout, you may also need a boot loader
which knows how to read inline data. I think there is a patch to
enable it on grub2, not sure if it is included in mainline or not.

 - Can current stable e2fsprogs (especially e2fsck) handle this?

I grepped sources of e2fsprogs 1.42.7 and it contains references to
inline data, but manpages don't. mkfs looks like it might not support
the inline_data option yet? So I'm not sure if things are quite ready
for prime time... If you try, please let us know how it goes. :)



Re: [gentoo-user] 4G Stick Huawei E3276

2013-03-29 Thread Mick
On Friday 29 Mar 2013 19:01:15 Stefan G. Weichinger wrote:

 I get no wwan0 but this:
 
 # ifconfig wwp0s26u1u2i1
 wwp0s26u1u2i1: flags=4098<BROADCAST,MULTICAST>  mtu 1500
 ether 0c:5b:8f:27:9a:64  txqueuelen 1000  (Ethernet)
 RX packets 0  bytes 0 (0.0 B)
 RX errors 0  dropped 0  overruns 0  frame 0
 TX packets 0  bytes 0 (0.0 B)
 TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

If when you run ifconfig with no options you do not get wwan0 listed and NM 
likes the conventional device naming scheme, then I suggest you create a udev 
rule to achieve this and see if NM is happy thereafter.

-- 
Regards,
Mick




Re: [gentoo-user] iptables (not) started?

2013-03-29 Thread Pandu Poluan
On Mar 30, 2013 1:27 AM, Jarry mr.ja...@gmail.com wrote:

 Hi Gentoo-users,

 I noticed one thing on my server: during boot-up no message
 about firewall being started is printed on console. I always
 have to check manually if iptables-rules have been loaded.
 Strange thing, when doing shutdown, I see messages I expect:

 * Saving iptables state ...  [ ok ]
 * Stopping firewall ...  [ ok ]

Slightly tangential to the subject, but related...

I personally prefer *not* to automatically save iptables rules on shutdown.

That way, if I made some stupid mistake, a reboot restores the system to
the LKGC (Last Known Good Configuration)...

Rgds,
--


Re: [gentoo-user] ext4 inline data

2013-03-29 Thread Pandu Poluan
On Mar 29, 2013 8:49 PM, Florian Philipp li...@binarywings.net wrote:

 Hi list!

 I noticed that beginning with kernel 3.8, ext4 can store small files
 entirely inside the inode. But I couldn't find much additional
information:

 - Is the improvement automatically enabled?

 - Is the change backwards compatible? Can I still read such files with
 kernel 3.7?

 - Can current stable e2fsprogs (especially e2fsck) handle this?

 Thanks in advance!
 Florian Philipp


My question would be: Will it introduce a significant advantage to my
situation, so much so that I'm willing to live with the obvious drawbacks?

Rgds,
--


Re: [gentoo-user] iptables (not) started?

2013-03-29 Thread Mick
On Friday 29 Mar 2013 19:03:57 Jarry wrote:
 On 29-Mar-13 19:43, Mick wrote:
  On Friday 29 Mar 2013 18:25:11 Jarry wrote:
  Hi Gentoo-users,
  
  I noticed one thing on my server: during boot-up no message
  about firewall being started is printed on console. I always
  have to check manually if iptables-rules have been loaded.
  Strange thing, when doing shutdown, I see messages I expect:
  
  * Saving iptables state ...  [ ok ]
  * Stopping firewall ...  [ ok ]
  
  I checked also /etc/init.d/iptables and I think it should
  show some messages at start:
  
  start() {
  checkconfig || return 1
  ebegin "Loading ${iptables_name} state and starting firewall"
  ${iptables_bin}-restore ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
  eend $?
  }
  
  Can someone explain to me why this message is not printed?
  
  Do you have some other script starting your iptables, rather than the
  vanilla /etc/init.d/iptables?
 
 No.
 
  Does '/etc/init.d/iptables status' show that it is running?
 
 * status: started
 
 I recorded screen with my video-camera to be sure I did not miss
 some message. But I found no trace about iptables being started...

I have not set rc_logger in /etc/conf.d/iptables to know if it would make a 
difference and can confirm that I can clearly see it on my boxen at boot time:

  * Loading iptables state and starting firewall ...[ ok ]


Another thing to check is that it is in the default level:

$ eselect rc list | grep iptables
  iptables  default

I'm not sure if it would show up, or the message be suppressed if you add it 
to the boot level.

-- 
Regards,
Mick




Re: [gentoo-user] iptables (not) started?

2013-03-29 Thread Mick
On Friday 29 Mar 2013 19:34:39 Mick wrote:
 On Friday 29 Mar 2013 19:03:57 Jarry wrote:
  On 29-Mar-13 19:43, Mick wrote:
   On Friday 29 Mar 2013 18:25:11 Jarry wrote:
   Hi Gentoo-users,
   
   I noticed one thing on my server: during boot-up no message
   about firewall being started is printed on console. I always
   have to check manually if iptables-rules have been loaded.
   Strange thing, when doing shutdown, I see messages I expect:
   
   * Saving iptables state ...  [ ok ]
   * Stopping firewall ...  [ ok ]
   
   I checked also /etc/init.d/iptables and I think it should
   show some messages at start:
   
   start() {
   checkconfig || return 1
   ebegin "Loading ${iptables_name} state and starting firewall"
   ${iptables_bin}-restore ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
   eend $?
   }
   
   Can someone explain to me why this message is not printed?
   
   Do you have some other script starting your iptables, rather than the
   vanilla /etc/init.d/iptables?
  
  No.
  
   Does '/etc/init.d/iptables status' show that it is running?
  
  * status: started
  
  I recorded screen with my video-camera to be sure I did not miss
  some message. But I found no trace about iptables being started...
 
 I have not set rc_logger in /etc/conf.d/iptables to know if it would make a
 difference and can confirm that I can clearly see it on my boxen at boot
 time:
 
   * Loading iptables state and starting firewall ...  [ ok ]
 
 
 Another thing to check is that it is in the default level:
 
 $ eselect rc list | grep iptables
   iptables  default
 
 I'm not sure if it would show up, or the message be suppressed if you add
 it to the boot level.

Just tested this - it does not suppress it in my machine if I set it to boot 
level.  Which makes me think ...

Why do wikis and the like suggest that iptables should be in default rather 
than boot runlevel?
-- 
Regards,
Mick




[gentoo-user] Change in iptables syntax fails to load rule

2013-03-29 Thread Mick
Hi All,

A few months ago I got some errors about the match option in some iptables 
rules that I was running at the time.  I modified these to remove match and 
add conntrack and all went well.


Now I am trying to run this:

/sbin/iptables -t nat -A OUTPUT -v -p tcp --dport 1935 -j REDIRECT

but it fails to load and it does not give me any particularly informative 
message:

# /sbin/iptables -t nat -A OUTPUT -v -p tcp --dport 1935 -j REDIRECT
REDIRECT  tcp opt -- in * out *  0.0.0.0/0  - 0.0.0.0/0   tcp dpt:1935

# /sbin/iptables -L -v -n | grep 1935
#

Any idea how I should rewrite this rule?  I was using it to redirect the 
output to rtmpsrv to capture the address of a rtmpe stream, but now it does 
not work.
-- 
Regards,
Mick




Re: [gentoo-user] cyrus-sasl necessary with localhost webmail?

2013-03-29 Thread Grant
 I recently switched from Thunderbird to Roundcube (highly
 recommended), switched to the non-SSL courier daemon, and plugged the
 firewall hole since courier resides on the same system as my web
 server.  Do I still need cyrus-sasl or will a webmail client
 authenticate directly with courier?

 Can anyone tell me if it's necessary to run cyrus-sasl between courier
 and a webmail client if they're on the same machine?

 I have a very old installation of net-mail/courier-imap

 I don't believe I have ever run cyrus-sasl on it. I have accessed this system 
 via Squirrelmail, IMAP and (I think) IMAP-over-SSL.

Thanks Stroller.  Do you run postfix or another MTA on that system?
I'm wondering if I might need cyrus-sasl for postfix instead of
courier.

- Grant



Re: [gentoo-user] ext4 inline data

2013-03-29 Thread Paul Hartman
On Fri, Mar 29, 2013 at 2:20 PM, Pandu Poluan pa...@poluan.info wrote:
 My question would be: Will it introduce a significant advantage to my
 situation, so much so that I'm willing to live with the obvious drawbacks?

Here are some benchmarks:

http://permalink.gmane.org/gmane.comp.file-systems.ext4/34290



Re: [gentoo-user] Change in iptables syntax fails to load rule

2013-03-29 Thread Pandu Poluan
On Mar 30, 2013 2:54 AM, Mick michaelkintz...@gmail.com wrote:

 Hi All,

 A few months ago I got some errors about the match option in some iptables
 rules that I was running at the time.  I modified these to remove match and
 add conntrack and all went well.


 Now I am trying to run this:

 /sbin/iptables -t nat -A OUTPUT -v -p tcp --dport 1935 -j REDIRECT

 but it fails to load and it does not give me any particularly informative
 message:

 # /sbin/iptables -t nat -A OUTPUT -v -p tcp --dport 1935 -j REDIRECT
 REDIRECT  tcp opt -- in * out *  0.0.0.0/0  - 0.0.0.0/0   tcp dpt:1935

 # /sbin/iptables -L -v -n | grep 1935
 #

 Any idea how I should rewrite this rule?  I was using it to redirect the
 output to rtmpsrv to capture the address of a rtmpe stream, but now it does
 not work.
 --
 Regards,
 Mick

IIRC, iptables -L by default only dumps the filter table.

Just use iptables-save and pipe the result through less (more info there;
you can ensure that the rule gets inserted to the proper table and chain).

Rgds,
--
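
The point made in the reply above, as an added example that is not part of the original post: a small Python parser for `iptables-save` output that reports which table and chain hold a rule matching a given port, since `iptables -L` without `-t` lists only the filter table. The dump is a constructed sample and all function names are this example's own.

```python
import shlex

# Constructed iptables-save dump (sample data, not from the poster's machine).
SAMPLE_DUMP = """\
# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A OUTPUT -p tcp -m tcp --dport 1935 -j REDIRECT
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22,8000:8080 -j ACCEPT
COMMIT
"""

# Port-matching options as iptables-save prints them.
PORT_OPTS = {"--dport", "--sport", "--dports", "--sports", "--ports"}


def parse_dump(text):
    """Return one dict per rule: table, chain, argument tokens, raw line."""
    rules, table = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):            # "[pkts:bytes] -A ..." from iptables-save -c
            line = line.split("] ", 1)[1]
        if line.startswith("*"):            # "*nat" opens a table section
            table = line[1:]
        elif line == "COMMIT":              # closes the current table section
            table = None
        elif line.startswith("-A "):
            tokens = shlex.split(line)
            rules.append({"table": table, "chain": tokens[1],
                          "args": tokens[2:], "raw": line})
        # comments, blank lines and ":CHAIN POLICY [..]" declarations are skipped
    return rules


def port_in_spec(spec, port):
    """True if port falls in a spec such as '1935', '8000:8080' or '22,8000:'."""
    for part in spec.split(","):
        lo, sep, hi = part.partition(":")
        try:
            low = int(lo) if lo else 0
            high = int(hi) if hi else (65535 if sep else low)
        except ValueError:                  # non-numeric spec: ignore it
            continue
        if low <= port <= high:
            return True
    return False


def find_port(rules, port):
    """Return (table, chain, raw rule) for every rule that matches on port."""
    hits = []
    for rule in rules:
        args = rule["args"]
        specs = [args[i + 1] for i, tok in enumerate(args[:-1]) if tok in PORT_OPTS]
        if any(port_in_spec(spec, port) for spec in specs):
            hits.append((rule["table"], rule["chain"], rule["raw"]))
    return hits


if __name__ == "__main__":
    for table, chain, raw in find_port(parse_dump(SAMPLE_DUMP), 1935):
        note = "" if table == "filter" else "  (not shown by plain 'iptables -L')"
        print(f"table={table} chain={chain}: {raw}{note}")
```

On a live system the same functions can be fed the text produced by `iptables-save` instead of `SAMPLE_DUMP`.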


Re: [gentoo-user] iptables (not) started?

2013-03-29 Thread Neil Bothwick
On Fri, 29 Mar 2013 19:44:14 +, Mick wrote:

 Why do wikis and the like suggest that iptables should be in default
 rather than boot runlevel?

Why not? There's no need to start it especially early, as long as it is
running before the network comes up, and the init script takes care of
that.


-- 
Neil Bothwick

Vuja De: the feeling that you've never been here before.




Re: [gentoo-user] 4G Stick Huawei E3276

2013-03-29 Thread Stefan G. Weichinger
Am 29.03.2013 20:14, schrieb Mick:
 On Friday 29 Mar 2013 19:01:15 Stefan G. Weichinger wrote:
 
 I get no wwan0 but this:
 
 # ifconfig wwp0s26u1u2i1 wwp0s26u1u2i1:
 flags=4098BROADCAST,MULTICAST  mtu 1500 ether 0c:5b:8f:27:9a:64
 txqueuelen 1000  (Ethernet) RX packets 0  bytes 0 (0.0 B) RX
 errors 0  dropped 0  overruns 0  frame 0 TX packets 0  bytes 0
 (0.0 B) TX errors 0  dropped 0 overruns 0  carrier 0  collisions
 0
 
 If when you run ifconfig with no options you do not get wwan0
 listed and NM likes the conventional device naming scheme, then I
 suggest you create a udev rule to achieve this and see if NM is
 happy thereafter.

I don't know about NM's preferences ... I just assume this could be
the problem.

Gotta dig up some udev-ruling for this, any quick pointers anyone?

S




Re: [gentoo-user] Using Amazon Web Services with gentoo

2013-03-29 Thread Stefan G. Weichinger
Am 24.03.2013 21:12, schrieb Stefan G. Weichinger:
 
 Does anyone of you use the Amazon EC2 service with gentoo-based instances?

The loud and wild echo says: no  ?

Interesting!

;-)




Re: [gentoo-user] 4G Stick Huawei E3276

2013-03-29 Thread Stefan G. Weichinger
Am 29.03.2013 22:03, schrieb Stefan G. Weichinger:
 I don't know about NM's preferences ... I just assume this could be
 the problem.
 
 Gotta dig up some udev-ruling for this, any quick pointers anyone?

even easier:

You can change the device name using ifrename from package wireless_tools.

Now I have device wwan0 but still NM does not care about it.

I really don't want to rant ... but ... you know.

Stefan




[gentoo-user] OT:Courseware and client db software

2013-03-29 Thread Samuraiii samuraiii
Hello,

I'm searching for courseware/client db/support software for online use
which I need to meet these criteria:
1) possibility to lead courses for no more than 12 clients (with
uploading of files - possibility to play audio and video files is
welcome but not necessary) - I know Moodle is reasonable for this
2) possibility to communicate with each client individually
3) writing notes about each client
4) security model of all mighty admin and not so powerful course
leaders who can access clients and courses only of their own
5) creating of forms for clients

Right now these tasks are done through e-mail which is clumsy and not
so scalable.

I have done some research but I wasn't successful so I kindly ask here.

Have a nice day
S



Re: [gentoo-user] How to prevent a dns amplification attack

2013-03-29 Thread Paul Hartman
On Thu, Mar 28, 2013 at 7:49 PM, Peter Humphrey
pe...@humphrey.ukfsn.org wrote:
 On Thursday 28 March 2013 20:53:49 Paul Hartman wrote:

 In my case, my ISP's DNS servers are slow (several seconds to reply),
 fail randomly when they should resolve, return an IP (which goes to
 their ad-laden helper website if you are using a web browser) when
 they should instead return nxdomain, and they have openly admitted to
 selling customer DNS lookup history to marketers for targeted
 advertising.



 That is just evil. Have you no alternative to this ISP?

Not really.

I have a 100 megabit connection through the cable company; my only
wired alternative is DSL (1.5 mbit for almost half the price I'm
paying for 100mbit). Cellular or satellite are not viable options for
me because of comparatively poor value, latency and minuscule data
usage caps.

In the USA, the local governments (cities and towns, etc.) are in
control of regulating which utilities can use public land, and are
entitled to compensation from those who use it. Cable companies
negotiate rental of that space called a franchise fee so they can
bury cables, etc.

The franchise fee used to be a government-protected monopoly. In the
1980's, when cable television started booming, regional pockets of
cable providers were built up thanks to these local monopolies
allowing them to move into towns with no competition. For the sake of
efficiency, cable companies would build out in adjacent towns and kept
spreading and growing outward until at some point nearly everyone in
the country had cable TV services available to them, with the
exception of those living in rural areas which were not dense enough
to justify the cost of laying cables, even when presented with a
monopoly.

It is no longer legal for local governments to award monopolies, but
the damage has been done. What we have is essentially the cable TV
infrastructure that was laid out during the decade when local cable
monopolies were legal, and the cost of entry for a new player into the
market now is so high that nobody ever bothers. End result for
consumers is a lack of choice. There are some places where competition
exists, but those places are pretty rare, in my experience.

There are some other possible alternatives to cable internet and DSL,
such as municipal wifi, mesh networks, powerline and FTTx, but none
are available where I live.

The service I receive from the cable company here is actually
excellent, with the exception of the aforementioned DNS woes.

Pretty much every major ISP in the US does DNS-hijacking and other
shenanigans, so there's no avoiding the evilness. I believe the board
members of major cable and telecom companies would sell their own
mothers into slavery if it meant a rise in share prices or a larger
bonus at the end of the year...



Re: [gentoo-user] Using Amazon Web Services with gentoo

2013-03-29 Thread William Kenworthy
On 30/03/13 05:23, Stefan G. Weichinger wrote:
 Am 24.03.2013 21:12, schrieb Stefan G. Weichinger:

 Does anyone of you use the Amazon EC2 service with gentoo-based instances?
 
 The loud and wild echo says: no  ?
 
 Interesting!
 
 ;-)
 
 
moriah ~ # esearch amazon
[ Results for search key : amazon ]
[ Applications found : 7 ]

*  app-admin/amazon-ec2-init [ Masked ]
  Latest version available: 20101127
  Latest version installed: [ Not Installed ]
  Size of downloaded files: 0 kB
  Homepage:http://www.gentoo.org/
  Description: Init script to setup Amazon EC2 instance parameters.
  License: GPL-2

*  dev-perl/Net-Amazon
  Latest version available: 0.610.0
  Latest version installed: [ Not Installed ]
  Size of downloaded files: 214 kB
  Homepage:http://search.cpan.org/dist/Net-Amazon/
  Description: Net::Amazon - Framework for accessing amazon.com via
SOAP and XML/HTTP
  License: || ( Artistic GPL-1 GPL-2 GPL-3 )

*  dev-perl/Net-Amazon-S3 [ Masked ]
  Latest version available: 0.560.0
  Latest version installed: [ Not Installed ]
  Size of downloaded files: 35 kB
  Homepage:http://search.cpan.org/dist/Net-Amazon-S3/
  Description: Framework for accessing the Amazon S3 Simple Storage
Service
  License: || ( Artistic GPL-1 GPL-2 GPL-3 )








Re: [gentoo-user] How to prevent a dns amplification attack

2013-03-29 Thread William Kenworthy
On 30/03/13 06:34, Paul Hartman wrote:
 On Thu, Mar 28, 2013 at 7:49 PM, Peter Humphrey
 pe...@humphrey.ukfsn.org wrote:
 On Thursday 28 March 2013 20:53:49 Paul Hartman wrote:

 In my case, my ISP's DNS servers are slow (several seconds to reply),
 fail randomly when they should resolve, return an IP (which goes to
 their ad-laden helper website if you are using a web browser) when
 they should instead return nxdomain, and they have openly admitted to
 selling customer DNS lookup history to marketers for targeted
 advertising.



 That is just evil. Have you no alternative to this ISP?
 
 Not really.
 
 I have a 100 megabit connection through the cable company; my only
 wired alternative is DSL (1.5 mbit for almost half the price I'm
 paying for 100mbit). Cellular or satellite are not viable options for
 me because of comparatively poor value, latency and minuscule data
 usage caps.
 

Can you do a tunnel to a cheap vsp instance that can access an external
dns, and feed all your dns queries through it?  Considering the problems
with your existing setup, that looks attractive and you can have sane
fallbacks if necessary.

I tried this to avoid the Australia Tax when online shopping overseas
and the small additional latency didn't seem to be a problem.

BillK






Re: [gentoo-user] How to prevent a dns amplification attack

2013-03-29 Thread Michael Mol
On 03/29/2013 07:01 PM, William Kenworthy wrote:
 On 30/03/13 06:34, Paul Hartman wrote:
 On Thu, Mar 28, 2013 at 7:49 PM, Peter Humphrey
 pe...@humphrey.ukfsn.org wrote:
 On Thursday 28 March 2013 20:53:49 Paul Hartman wrote:

 In my case, my ISP's DNS servers are slow (several seconds to reply),
 fail randomly when they should resolve, return an IP (which goes to
 their ad-laden helper website if you are using a web browser) when
 they should instead return nxdomain, and they have openly admitted to
 selling customer DNS lookup history to marketers for targeted
 advertising.



 That is just evil. Have you no alternative to this ISP?

 Not really.

 I have a 100 megabit connection through the cable company; my only
 wired alternative is DSL (1.5 mbit for almost half the price I'm
 paying for 100mbit). Cellular or satellite are not viable options for
 me because of comparatively poor value, latency and minuscule data
 usage caps.

 
 Can you do a tunnel to a cheap vsp instance that can access an external
 dns, and feed all your dns queries through it?  Considering the problems
 with your existing setup, that looks attractive and you can have sane
 fallbacks if necessary.
 
 I tried this to avoid the Australia Tax when online shopping overseas
 and the small additional latency didn't seem to be a problem.

Doesn't even need to be that complicated.

Set up a free tunnel with tunnelbroker.net, and use Hurricane Electric's
provided IPv6 DNS servers. They run the tunnel service as a loss-leader,
and if they're doing anything funky with their DNS data, I haven't heard
about it.

Chances are, the local ISP won't be filtering traffic flowing across a
proto41 tunnel. (IPv6 packet as an IPv4 packet payload. It's called a
proto41 tunnel because 41 is placed in the next protocol field in the
IPv4 packet.)






Re: [gentoo-user] iptables (not) started?

2013-03-29 Thread Mick
On Friday 29 Mar 2013 20:37:20 Neil Bothwick wrote:
 On Fri, 29 Mar 2013 19:44:14 +, Mick wrote:
  Why do wikis and the like suggest that iptables should be in default
  rather than boot runlevel?
 
 Why not? There's no need to start it especially early, as long as it is
 running before the network comes up, and the init script takes care of
 that.

I haven't seen anything in net.lo that waits for iptables and I seem to recall 
that the network interfaces are started before iptables is run, unless I start 
iptables at boot level.
-- 
Regards,
Mick




Re: [gentoo-user] 4G Stick Huawei E3276

2013-03-29 Thread Stefan G. Weichinger
Am 29.03.2013 22:40, schrieb Stefan G. Weichinger:
 Am 29.03.2013 22:03, schrieb Stefan G. Weichinger:
 I don't know about NM's preferences ... I just assume this could be
 the problem.

 Gotta dig up some udev-ruling for this, any quick pointers anyone?
 
 even easier:
 
 You can change the device name using ifrename from package wireless_tools.
 
 Now I have device wwan0 but still NM does not care about it.
 
 I really don't want to rant ... but ... you know.

Just an observation:

Started a VM on my main workstation ... Windows XP inside of VMware Player.
Not even KVM or something ...

Connected that funny stick to that very VM ... and connected to funky
internet on first try ...

So what about that?

UNIX/Linux runs what percentage of the internet?

ok ok ...

LTE is new

linux has only a small percentage ...

gentoo even less.

I spent my whole afternoon trying to connect this very stick to the
internet ...

via 2 linuxes and 1 bsd  not  ONE connection.

Right now I pull in an ISO at 1100kB/s, via that very stick, into an XP-VM.

(seems I don't have LTE coverage here ... but some UMTS or so )

-

Might be just plain ignorance by the provider. Not telling me access
infos etc.

My ADSL is slower.

*sigh*

Just a bit of feedback :-)

S



Re: [gentoo-user] Change in iptables syntax fails to load rule

2013-03-29 Thread Mick
On Friday 29 Mar 2013 20:36:40 Pandu Poluan wrote:
 On Mar 30, 2013 2:54 AM, Mick michaelkintz...@gmail.com wrote:
  Hi All,
  
  A few months ago I got some errors about the match option in some
  iptables rules that I was running at the time.  I modified these to
  remove match and add conntrack and all went well.
  
  
  Now I am trying to run this:
  
  /sbin/iptables -t nat -A OUTPUT -v -p tcp --dport 1935 -j REDIRECT
  
  but it fails to load and it does not give me any particularly informative
  message:
  
  # /sbin/iptables -t nat -A OUTPUT -v -p tcp --dport 1935 -j REDIRECT
  REDIRECT  tcp opt -- in * out *  0.0.0.0/0  - 0.0.0.0/0   tcp dpt:1935
  
  # /sbin/iptables -L -v -n | grep 1935
  #
  
  Any idea how I should rewrite this rule?  I was using it to redirect the
  output to rtmpsrv to capture the address of a rtmpe stream, but now it
  does not work.
  --
  Regards,
  Mick
 
 IIRC, iptables -L by default only dumps the filter table.
 
 Just use iptables-save and pipe the result through less (more info there;
 you can ensure that the rule gets inserted to the proper table and chain).

Hmm... the rule is saved, but searching for the port number does not bring up 
anything, hence I assumed that it is not accepted.

Isn't a port number in this case '1935' interpreted as a search string on the 
shell?  Quotes don't work.

-- 
Regards,
Mick




Re: [gentoo-user] iptables (not) started?

2013-03-29 Thread Neil Bothwick
On Fri, 29 Mar 2013 23:29:39 +, Mick wrote:

   Why do wikis and the like suggest that iptables should be in default
   rather than boot runlevel?  
  
  Why not? There's no need to start it especially early, as long as it
  is running before the network comes up, and the init script takes
  care of that.  
 
 I haven't seen anything in net.lo that waits for iptables and I seem to
 recall that the network interfaces are started before iptables is run,
 unless I start iptables at boot level.

The iptables init script contains "before net".


-- 
Neil Bothwick

Advanced: (adj.) doesn't work yet, but it's pretty close. See: bug,
glitch.




Re: [gentoo-user] cyrus-sasl necessary with localhost webmail?

2013-03-29 Thread Stroller

On 29 March 2013, at 20:05, Grant wrote:
 ...
 I have a very old installation of net-mail/courier-imap
 
 I don't believe I have ever run cyrus-sasl on it. I have accessed this 
 system via Squirrelmail, IMAP and (I think) IMAP-over-SSL.
 
 Thanks Stroller.  Do you run postfix or another MTA on that system?
 I'm wondering if I might need cyrus-sasl for postfix instead of
 courier.

I do indeed run Postfix on it. 

Stroller.


Re: [gentoo-user] How to prevent a dns amplification attack

2013-03-29 Thread Walter Dnes
On Fri, Mar 29, 2013 at 05:34:41PM -0500, Paul Hartman wrote
 
 Pretty much every major ISP in the US does DNS-hijacking and other
 shenanigans, so there's no avoiding the evilness.

  The obvious question is... do they hijack all port-53 queries?
Depending on the answer, there are 2 different strategies to follow.

-- 
Walter Dnes waltd...@waltdnes.org
I don't run desktop environments; I run useful applications



[gentoo-user] Current Dells and UEFI/secureboot (or other showstoppers)?

2013-03-29 Thread Walter Dnes
  The reason I'm asking is that I have 2 Dell desktops (production and
hot backup) that are pushing 5 or 6 years of age, and I need to
replace at least one.  They simply can't keep up with HD video
streams...
* it could keep up with Youtube 480p videos fullscreen under ADSL 5
  megabit service.  The stream was the limit.
* after the speed was bumped up, it could keep up with Youtube 720p
  videos fullscreen under ADSL 6 megabit service.  The stream was
  the limit.  The download still couldn't keep up with 1080p videos.
* This week, I moved from legacy 6 GAS to FTTN 7.  Unlike GAS, FTTN
  speeds are net, not gross.  So my Speedtest.net results jumped from
  approx 5.1-5.2 megabits to 7.1-7.2 megabits, and it can keep up with
  1080p streams.
* The newer, more powerful, machine can play 1080p Youtube videos
  under Firefox in the large player, but the load is pegged at between
  2.5 and 3.  For a 2-core machine, that's bad.  The leaner Midori can
  play the same video with a load between 1.7 and 2.1, which is pushing
  it.  Going to fullscreen, it stutters noticeably under Firefox.  Midori
  can just barely keep up in fullscreen mode.
* The machine can play NHL GameCenter Live at the slowest stream
  (400 kbits/sec).  It doesn't even show the other options (800, 1600,
  and 3000)

  The 1080p video was http://www.youtube.com/watch?v=US3Px2sePWk  Note
that you have to manually select 1080p.  The fmt= option doesn't seem
to work anymore.

  The onboard Intel GPU is not the problem; it's the CPU trying to keep
up with Flash.  And before anyone asks...
* I'm running Gentoo with full optimizations
* I'm running ICEWM with no desktop environment; see my sig
So I don't think there are any more optimizations to be had, other than
a new PC.  Assuming there are no showstoppers, I'll be buying another
Dell.  They seem to last for me.

-- 
Walter Dnes waltd...@waltdnes.org
I don't run desktop environments; I run useful applications