Re: [gentoo-user] using lvm without a partition of type linux LVM

2013-10-13 Thread Mick
On Sunday 13 Oct 2013 00:07:56 Thanasis wrote:
 on 10/12/2013 05:40 PM gottl...@nyu.edu wrote the following:
  copy the lvm partitions to directories on an external disk (ext3)
 
 What command did you use for copying?

You can use rsync, scp or (s)tar.

Personally I prefer star with the copy option.

Word of warning:  check that the attributes and mod times are as you want 
them, especially with rsync which with the -a parameter preserves the source 
directory/machine ownership, rather than the expected destination defaults.
-- 
Regards,
Mick




Re: [gentoo-user] using lvm without a partition of type linux LVM

2013-10-13 Thread Dale
Mick wrote:
 On Sunday 13 Oct 2013 00:07:56 Thanasis wrote:
 on 10/12/2013 05:40 PM gottl...@nyu.edu wrote the following:
 copy the lvm partitions to directories on an external disk (ext3)

 What command did you use for copying?

 You can use rsync, scp or (s)tar.

 Personally I prefer star with the copy option.

 Word of warning:  check that the attributes and mod times are as you want
 them, especially with rsync which with the -a parameter preserves the source
 directory/machine ownership, rather than the expected destination defaults.

When I do a copy on a setup like this, I just use cp -a.  Add the v if
you want to see what it is doing.  I have used it many times and it
works just fine.  Clean and simple.  If over a network or something tho,
gets complicated pretty quick.

Dale

:-)  :-)

-- 
I am only responsible for what I said ... Not for what you understood or
how you interpreted my words!



[gentoo-user] scripted iptables-restore (was: Where to put advanced routing configuration?)

2013-10-13 Thread Martin Vaeth
 5. You can't script iptables-restore!

 Well, actually you can script iptables-restore.

For those who are interested:
net-firewall/firewall-mv from the mv overlay
(available over layman) now provides a separate
firewall-scripted.sh
which can be conveniently used for such scripting.



Re: [gentoo-user] Where to put advanced routing configuration?

2013-10-13 Thread shawn wilson
On Fri, Oct 4, 2013 at 5:58 PM, Michael Orlitzky mich...@orlitzky.com wrote:


 1. The iptables-restore syntax is uglier and harder to read.

I don't get this - the syntax is *chain and then :tables (with
optional counters) instead of -N, and then a bunch of rules, and then
a COMMIT command (the only thing you don't get on the command line).
What am I missing or how is this uglier?



Re: [gentoo-user] Network failed and weird error message

2013-10-13 Thread Dale
Dale wrote:
 Alan McKinnon wrote:

 Basically, it looks like you have a once-off event.

 Until it happens again, very little you can do wrt troubleshooting



 I agree.  It ran for days with no problems that I saw.  Sure is weird
 tho.  I just wonder if something outside the puter happened and
 triggered something.  Who knows. 

 Dale

 :-)  :-) 


Still no fix on the error message.  Maybe it is hardware and related to
this?  I started having issues with the network again.  This time, it
wasn't just browsers.  It would be other stuff like Pidgin and such. 
Generally restarting the network corrected the problem, after restarting
the other programs too since they would hang up.  Anyway, I got tired of
this so I pulled an ethernet card from my junk drawer, pulled some hair
out trying to find the dmfe driver in the kernel and got it working. 
Since moving away from the ethernet that is built into the mobo and to
this card, not an issue yet.  I have not had a single hiccup.  So, as
with my last rig, the ethernet port on the mobo just starts to suck after
a while it seems.  :/ 

Now I just wish I could figure out this other USB issue.  I suspect it
could be a hardware issue.  I may have to upgrade my rig after all and I
don't really want to do that and may not be able to right away. 

Memory question.  The mobo I have uses this:  Support for DDR3
1666(OC)/1333/1066 MHz memory modules  I have the 1666 on here.  It was
what was on sale.  :-D  The new mobo calls for this:  DDR3
2000(OC)/1866/1600/1333/1066  Are the two compatible?  Both are DDR3. 

Thanks. 

Dale

:-)  :-) 

-- 
I am only responsible for what I said ... Not for what you understood or how 
you interpreted my words!




[gentoo-user] Gnat Compile Error

2013-10-13 Thread Silvio Siefke
Hello,

I try to install dev-lang/gnat-gcc but the configure phase breaks with 
the msg:

checking for x86_64-pc-linux-gnu-gcc... 
/var/tmp/portage/dev-lang/gnat-gcc-4.5.4/work/usr/bin/gnatgcc
checking for C compiler default output file name... 
configure: error: in `/var/tmp/portage/dev-lang/gnat-gcc-4.5.4/work/build':
configure: error: C compiler cannot create executables
See `config.log' for more details.
 * ERROR: dev-lang/gnat-gcc-4.5.4::gentoo failed (compile phase):
 *   configure failed

I tried with different versions and I tried with dev-lang/gnat-gpl, with the same result. 
Other programs can compile without error. 

Thanks for help & Greetings
Silvio

[14:10:56][ Akku: 99% ][root@gentoomobile:/home/siefke]# emerge --info 
=dev-lang/gnat-gcc-4.5.4::gentoo
Portage 2.2.1 (default/linux/amd64/13.0/desktop, gcc-4.6.3, glibc-2.15-r3, 
3.11.3 x86_64)
=
System Settings
=
System uname: 
Linux-3.11.3-x86_64-Intel-R-_Atom-TM-_CPU_N550_@_1.50GHz-with-gentoo-2.2
KiB Mem: 1003604 total, 86348 free
KiB Swap:2047996 total,   1963324 free
Timestamp of tree: Sun, 13 Oct 2013 11:00:01 +
ld GNU ld (GNU Binutils) 2.23.1
app-shells/bash:  4.2_p45
dev-java/java-config: 2.1.12-r1
dev-lang/python:  2.7.5-r2, 3.2.5-r2
dev-util/cmake:   2.8.10.2-r2
dev-util/pkgconfig:   0.28
sys-apps/baselayout:  2.2
sys-apps/openrc:  0.11.8
sys-apps/sandbox: 2.6-r1
sys-devel/autoconf:   2.13, 2.69
sys-devel/automake:   1.10.3, 1.11.6, 1.13.4
sys-devel/binutils:   2.23.1
sys-devel/gcc:4.6.3, 4.7.3-r1
sys-devel/gcc-config: 1.7.3
sys-devel/libtool:2.4.2
sys-devel/make:   3.82-r4
sys-kernel/linux-headers: 3.9 (virtual/os-headers)
sys-libs/glibc:   2.15-r3
Repositories: gentoo multimedia sabayon hardened-dev pentoo
ACCEPT_KEYWORDS=amd64
ACCEPT_LICENSE=* -@EULA
CBUILD=x86_64-pc-linux-gnu
CFLAGS=-O2 -march=atom -mtune=atom -mssse3 -mfpmath=sse -fomit-frame-pointer 
-pipe
CHOST=x86_64-pc-linux-gnu
CONFIG_PROTECT=/etc /usr/share/gnupg/qualified.txt
CONFIG_PROTECT_MASK=/etc/ca-certificates.conf /etc/dconf /etc/env.d 
/etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release 
/etc/php/apache2-php5.5/ext-active/ /etc/php/cgi-php5.5/ext-active/ 
/etc/php/cli-php5.5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d 
/etc/terminfo
CXXFLAGS=-O2 -march=atom -mtune=atom -mssse3 -mfpmath=sse -fomit-frame-pointer 
-pipe
DISTDIR=/usr/portage/distfiles
FCFLAGS=-O2 -pipe
FEATURES=assume-digests binpkg-logs config-protect-if-modified distlocks 
ebuild-locks fixlafiles merge-sync news parallel-fetch protect-owned sandbox 
sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch 
userpriv usersandbox usersync
FFLAGS=-O2 -pipe
GENTOO_MIRRORS=http://ftp.halifax.rwth-aachen.de/gentoo/;
LANG=de_DE.UTF-8
LDFLAGS=-Wl,-O1 -Wl,--as-needed
MAKEOPTS=-j3
PKGDIR=/usr/portage/packages
PORTAGE_CONFIGROOT=/
PORTAGE_RSYNC_OPTS=--recursive --links --safe-links --perms --times 
--omit-dir-times --compress --force --whole-file --delete --stats 
--human-readable --timeout=180 --exclude=/distfiles --exclude=/local 
--exclude=/packages
PORTAGE_TMPDIR=/var/tmp
PORTDIR=/usr/portage
PORTDIR_OVERLAY=/var/lib/layman/multimedia /var/lib/layman/sabayon 
/var/lib/layman/hardened-development /var/lib/layman/pentoo

Re: [gentoo-user] Where to put advanced routing configuration?

2013-10-13 Thread Michael Orlitzky
On 10/13/2013 06:26 AM, shawn wilson wrote:
 On Fri, Oct 4, 2013 at 5:58 PM, Michael Orlitzky mich...@orlitzky.com wrote:
 

 1. The iptables-restore syntax is uglier and harder to read.
 
 I don't get this - the syntax is *chain and then :tables (with
 optional counters) instead of -N, and then a bunch of rules, and then
 a COMMIT command (the only thing you don't get on the command line).
 What am I missing or how is this uglier?
 

That's not the syntax, because there is no syntax, but let's forget that
point anyway because it's subjective.




[gentoo-user] Re: Where to put advanced routing configuration?

2013-10-13 Thread Martin Vaeth
shawn wilson ag4ve...@gmail.com wrote:
 On Fri, Oct 4, 2013 at 5:58 PM, Michael Orlitzky mich...@orlitzky.com wrote:


 1. The iptables-restore syntax is uglier and harder to read.

 I don't get this - the syntax is [...]
 What am I missing or how is this uglier?

Argument separation (e.g. if you have arguments with spaces);
it seems to work most of the time if you quote into "..."
and escape backslash and doublequote signs inside with
backslash (this is what the mentioned script of firewall-mv
does), but there are cases where this is not accepted;
e.g. quoting every word was not accepted.
Since the format is undocumented, this is all ugly
trial-and-error, and only the iptables maintainers know
whether it remains the same in the next iptables release.




Re: [gentoo-user] scripted iptables-restore

2013-10-13 Thread Michael Orlitzky
On 10/13/2013 06:08 AM, Martin Vaeth wrote:
 5. You can't script iptables-restore!

 Well, actually you can script iptables-restore.
 
 For those who are interested:
 net-firewall/firewall-mv from the mv overlay
 (available over layman) now provides a separate
 firewall-scripted.sh
 which can be conveniently used for such scripting.
 

You snipped the rest of my point =)

 You can write a bash script that writes an iptables-restore script to
 accomplish the same thing, but how much complexity are you willing to
 add for next to no benefit?

If you have a million rules and you need to wipe/reload them all
frequently you're probably doing something wrong to begin with.

With bash, you can leverage all of the features of bash that everybody
already knows. You can read files, call shell commands, pipe between
them, etc. You can write bash functions to avoid repetitive commands.
You can write inline comments to explain what the rules do.

Something like,

  # A function which sets up a static mapping between an external IP
  # address and an internal one.
  #
  # USAGE: static_nat <internal ip> <external ip>
  #
  function static_nat() {
  iptables -t nat -A PREROUTING  -d "${2}" -j DNAT --to "${1}"
  iptables -t nat -A POSTROUTING -s "${1}" -j SNAT --to "${2}"
  }

can make your iptables script a lot cleaner, and it conveys your intent
better when the rule is created:

  # Danny likes to torrent linux isos at work so he needs a public ip
  static_nat 192.168.1.x 1.2.3.x

I'm not saying you can't do all of this with iptables-restore, just that
you're punishing yourself for little benefit if you do.




[gentoo-user] {OT} proper way to submit a kernel crash bug report?

2013-10-13 Thread Grant
I have a vmcore file from a kernel crash and I'm trying to figure out
how to turn it into a bug report on kernel.org.  What do they want to
see?  I've installed 'crash' but I get:

# crash vmcore
crash: namelist argument required

or:

crash /boot/kernel-3.10.15 vmcore
crash: /boot/kernel-3.10.15: not a supported file format

I'm not even sure they'll accept 'crash' analysis.

- Grant



[gentoo-user] Re: scripted iptables-restore

2013-10-13 Thread Martin Vaeth
Michael Orlitzky mich...@orlitzky.com wrote:
 On 10/13/2013 06:08 AM, Martin Vaeth wrote:
 5. You can't script iptables-restore!

 Well, actually you can script iptables-restore.

 For those who are interested:
 net-firewall/firewall-mv from the mv overlay
 (available over layman) now provides a separate
 firewall-scripted.sh
 which can be conveniently used for such scripting.

 [...]
 If you have a million rules and you need to wipe/reload them all
 frequently you're probably doing something wrong to begin with.

I don't know how this is related with the discussion.
The main advantage of using iptables-restore is avoidance of
race conditions. A secondary advantage is a speed improvement;
in my case, the machine boots about 2 seconds faster which can
be a considerable advantage if you start virtual machines.

 With bash [...]

(I would use a POSIX shell because it is considerably faster,
but this need not be discussed here.)

That's why I said that it can be scripted
(which was my motivation to write firewall-scripted.sh):

firewall-scripted.sh (or some similar script) gives you exactly
the same advantages, but without races, and faster.
In your example:

 function static_nat() {
iptables -t nat -A PREROUTING  -d "${2}" -j DNAT --to "${1}"
iptables -t nat -A POSTROUTING -s "${1}" -j SNAT --to "${2}"
 }

Essentially, you just have to replace iptables by FwmvTables 4.
If you are too lazy to use a text editor or to replace iptables
by a variable (like $iptables) you can do this even by
defining the function:

iptables() {
  FwmvTables 4 "${@}"
}

Then you just put in front of your script the line

. firewall-scripted.sh

and in the end (or before you call exit):

FwmvSet 4

That's it...

 I'm not saying you can't do all of this with iptables-restore, just that
 you're punishing yourself for little benefit if you do.

*Using* firewall-scripted.sh is as convenient as using iptables directly
(you just replace one command and add two lines to your script).
Of course, the disadvantage is that some day firewall-scripted.sh might
break with iptables (and that maybe the script still has bugs...).
As I said, it would be better if something similar were provided
by iptables itself. But the advantages are clear.
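
Martin's firewall-scripted.sh is not shown in the thread, so the script below is an added example (not firewall-mv's code, nor Michael's or Martin's) of the same idea in POSIX sh: Michael's function-and-comment style, with the rules collected into one iptables-restore input and loaded in a single call, plus the argument quoting Martin describes and the iptables-apply rollback Pandu mentions later in the thread. The function names fw_quote, fw_rule, fw_ruleset, fw_apply and fw_build, and all addresses, are constructed for this example.

```shell
#!/bin/sh
# Added example (not code from firewall-mv, Michael or Martin): keep Michael's
# function-and-comment style, but collect the rules into one iptables-restore
# ruleset and load it in a single call, so the old rules stay active until the
# new set is complete (Martin's race-avoidance point). Set DRY_RUN=1 to print
# the ruleset instead of loading it. Addresses below are constructed examples.

NL='
'
FW_FILTER=          # buffer of "-A ..." lines for the filter table
FW_NAT=             # buffer of "-A ..." lines for the nat table

# Quote one argument the way Martin describes for the restore format: wrap it in
# double quotes only when it contains characters outside a safe set, escaping
# backslash and double quote with a backslash.
fw_quote() {
    case "$1" in
        ''|*[!A-Za-z0-9_./:,=+-]*)
            printf '"%s"' "$(printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g')" ;;
        *)  printf '%s' "$1" ;;
    esac
}

# fw_rule TABLE ARGS...: append one rule line (e.g. "-A INPUT -i lo -j ACCEPT")
# to the buffer of TABLE. Called like iptables, minus the "-t TABLE" flag.
fw_rule() {
    table=$1; shift
    line=
    for arg in "$@"; do
        line="$line $(fw_quote "$arg")"
    done
    line=${line# }
    case "$table" in
        filter) FW_FILTER="$FW_FILTER$line$NL" ;;
        nat)    FW_NAT="$FW_NAT$line$NL" ;;
        *)      echo "fw_rule: unsupported table '$table'" >&2; return 1 ;;
    esac
}

# Emit the complete iptables-restore input. Default policies go on the ":CHAIN
# POLICY [pkts:bytes]" lines, replacing "iptables -P"; each table ends in COMMIT.
fw_ruleset() {
    printf '*nat\n'
    printf ':%s ACCEPT [0:0]\n' PREROUTING INPUT OUTPUT POSTROUTING
    printf '%s' "$FW_NAT"
    printf 'COMMIT\n*filter\n:INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT ACCEPT [0:0]\n'
    printf '%s' "$FW_FILTER"
    printf 'COMMIT\n'
}

# Load atomically: iptables-restore replaces every table listed in the input in
# one step, and rejects the whole input (leaving the live rules untouched) if any
# line fails to parse. On a remote box, write the same text to a file and load it
# with "iptables-apply -t 180 FILE" to get Pandu's automatic rollback as well.
fw_apply() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        fw_ruleset
    else
        fw_ruleset | iptables-restore
    fi
}

# Michael's static_nat helper, re-targeted at the rule buffer instead of iptables.
# USAGE: static_nat <internal ip> <external ip>
static_nat() {
    fw_rule nat -A PREROUTING  -d "$2" -j DNAT --to "$1"
    fw_rule nat -A POSTROUTING -s "$1" -j SNAT --to "$2"
}

# The ruleset itself: Michael's laptop baseline plus one NAT mapping and a
# commented rule whose argument has spaces and quotes (the case Martin flagged).
fw_build() {
    FW_FILTER= FW_NAT=
    fw_rule filter -A INPUT -i lo -j ACCEPT
    fw_rule filter -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    fw_rule filter -A INPUT -m conntrack --ctstate INVALID -j DROP
    for icmp_type in 0 3 4 8 11 12; do
        fw_rule filter -A INPUT -p icmp --icmp-type "$icmp_type" -j ACCEPT
    done
    fw_rule filter -A INPUT -p tcp --dport 22 -s 192.0.2.0/24 \
        -m comment --comment 'ssh from "office" LAN' -j ACCEPT
    # Danny's public IP (documentation addresses, constructed for this example)
    static_nat 192.168.1.10 203.0.113.10
}

# "FW_DEMO=1 DRY_RUN=1 sh this-script.sh" prints the generated ruleset.
if [ "${FW_DEMO:-0}" = 1 ]; then
    fw_build
    fw_apply
fi
```

Switching between the two loading methods for testing, as Martin suggests, is then a matter of pointing fw_apply at iptables-restore or at a dry run; the rule text itself does not change.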




Re: [gentoo-user] Gnat Compile Error

2013-10-13 Thread Frank Steinmetzger
On Sun, Oct 13, 2013 at 03:02:48PM +0200, Silvio Siefke wrote:
 Hello,
 
 I try to install dev-lang/gnat-gcc but the configure phase breaks with 
 the msg:

 [...]

  * ERROR: dev-lang/gnat-gcc-4.5.4::gentoo failed (compile phase):
--^

 [...]

 Portage 2.2.1 (default/linux/amd64/13.0/desktop, gcc-4.6.3, glibc-2.15-r3, 
 3.11.3 x86_64)
---^
 =
 System Settings
 =
 System uname: 
 Linux-3.11.3-x86_64-Intel-R-_Atom-TM-_CPU_N550_@_1.50GHz-with-gentoo-2.2

 [...]

 sys-devel/gcc:4.6.3, 4.7.3-r1
^^^

 [...]

 [14:10:56][ Akku: 99% ][root@gentoomobile:/home/siefke]# emerge -pqv 
 =dev-lang/gnat-gcc-4.5.4::gentoo
 [ebuild  N] dev-lang/gnat-gcc-4.5.4  USE=nls
---^^

You want to install gnat-gcc for a gcc version you don't have. You have
gcc 4.6.3 and 4.7.3 installed (with 4.6.3 active). Unfortunately, my eix
doesn't report any gnat-gcc newer than 4.5. So I'm not sure how to
proceed here apart from installing gcc-4.5.4, which is still in portage,
but then of course you only have gnat in that old version.
-- 
Gruß | Greetings | Qapla’
Please do not share anything from, with or about me with any Facebook service.

Sent from my toilet.




Re: [gentoo-user] using lvm without a partition of type linux LVM

2013-10-13 Thread gottlieb
On Sat, Oct 12 2013, thana...@asyr.hopto.org wrote:

 on 10/12/2013 05:40 PM gottl...@nyu.edu wrote the following:
 copy the lvm partitions to directories on an external disk (ext3)

 What command did you use for copying?

cp -ax

rsync is not on the minimal install.

allan



Re: [gentoo-user] Re: scripted iptables-restore

2013-10-13 Thread Michael Orlitzky
On 10/13/2013 11:19 AM, Martin Vaeth wrote:

 [...]
 If you have a million rules and you need to wipe/reload them all
 frequently you're probably doing something wrong to begin with.
 
 I don't know how this is related with the discussion.
 The main advantage of using iptables-restore is avoidance of
 race conditions. A secondary advantage is a speed improvement;
 in my case, the machine boots about 2 seconds faster which can
 be a considerable advantage if you start virtual machines.
 

I was just reiterating that there's not much benefit to save/restore if
you're doing things properly (pontification alert!). I should say first
of all that save/restore is perfect for reboots. If you're not
*changing* anything, of course save/restore is better, and suffers none
of the problems that I mentioned: you don't read it, the output is fed
directly as input, no errors should occur...

The bash script is used a couple times a year, and really is there to
serve as the specification for what your firewall should do.

For example, I'm rebuilding our MX today. I checked the config out of
git, ran iptables-config (our script), ran /etc/init.d/iptables save,
and the firewall is up and running. When will I run the script again?
The next time I rebuild the server? That's certainly the last time I ran
it. We have firewalls that change more often, but not so frequently that
the speed would be a problem if it were 1000x slower.

The MX firewall is actually updated many times per day and accumulates
many rules, but they're inserted/deleted in-place by fail2ban, so a full
wipe/reload doesn't occur. If you have frequently-changing permanent
rules -- say, lots of static NAT entries going in/out for new employees
-- then you should be doing insert/delete instead of a full reload just
the same. But, add the rule to your iptables script (with a comment!) so
that you have it on the record. Once every six months or so, run the
thing to make sure nobody made a copy/paste error.

Race conditions don't really seem that serious to me. Of course, if
you're using iptables for both authorization and authentication, then
you're already doing something wrong, and you should fix that instead of
trying to make the broken thing run faster. But if not, who cares if
you're vulnerable to a brute force attack for 2 seconds? If you're
worried about that, implement a password policy. The firewall is the
last layer of defense-in-depth; if the absence of a firewall gives you
nightmares, the absence of a firewall is not your problem.

All of security is a trade-off, and in my opinion, having
human-friendly, easily-readable rules (with error checking) will prevent
more problems over time than does eliminating the race condition.




Re: [gentoo-user] Network failed and weird error message

2013-10-13 Thread Mick
On Sunday 13 Oct 2013 13:26:31 Dale wrote:
 Dale wrote:
  Alan McKinnon wrote:
  Basically, it looks like you have a once-off event.
  
  Until it happens again, very little you can do wrt troubleshooting
  
  I agree.  It ran for days with no problems that I saw.  Sure is weird
  tho.  I just wonder if something outside the puter happened and
  triggered something.  Who knows.
  
  Dale
  
  :-)  :-)
 
 Still no fix on the error message.  Maybe it is hardware and related to
 this?  I started having issues with the network again.  This time, it
 wasn't just browsers.  It would be other stuff like Pidgin and such.
 Generally restarting the network corrected the problem, after restarting
 the other programs too since they would hang up.  Anyway, I got tired of
 this so I pulled an ethernet card from my junk drawer, pulled some hair
 out trying to find the dmfe driver in the kernel and got it working.
 Since moving away from the ethernet that is built into the mobo and to
 this card, not an issue yet.  I have not had a single hiccup.  So, as
 with my last rig, the ethernet port on the mobo just starts to suck after
 a while it seems.  :/
 
 Now I just wish I could figure out this other USB issue.  I suspect it
 could be a hardware issue.  I may have to upgrade my rig after all and I
 don't really want to do that and may not be able to right away.
 
 Memory question.  The mobo I have uses this:  Support for DDR3
 1666(OC)/1333/1066 MHz memory modules  I have the 1666 on here.  It was
 what was on sale.  :-D  The new mobo calls for this:  DDR3
 2000(OC)/1866/1600/1333/1066  Are the two compatible?  Both are DDR3.
 
 Thanks.
 
 Dale
 
 :-)  :-)

They are, although the new MoBo memory can be overclocked higher.  Bear in 
mind that some MoBos will complain if they are not fitted with identical 
memory modules.  Somehow I happen to come across them each time ...  :-(
-- 
Regards,
Mick




[gentoo-user] Re: scripted iptables-restore

2013-10-13 Thread Martin Vaeth
Michael Orlitzky mich...@orlitzky.com wrote:
 [...]
 If you have a million rules and you need to wipe/reload them all
 frequently you're probably doing something wrong to begin with.

 I don't know how this is related with the discussion.
 The main advantage of using iptables-restore is avoidance of
 race conditions. A secondary advantage is a speed improvement;
 in my case, the machine boots about 2 seconds faster which can
 be a considerable advantage if you start virtual machines.


 I was just reiterating that there's not much benefit to save/restore if
 you're doing things properly (pontification alert!).

For a laptop of a scientist like me this is not true at all - it must
often be connected in a different environment with different
local nets etc.
Also for other things (like portknocking using the recent module)
you need rather complex rules which are better rewritten by a script,
especially if the length of a portknocking sequence changes.
Like passwords, these sequences should better not stay the same for
too long...

 Race conditions don't really seem that serious to me.

Maybe, but I am not sure:
There might be situations where it might be possible to keep
a port open even when the rule is rewritten later on; then
you need an open system only once...
So, I could imagine that with some clever hacks an attacker
might keep ports open and then do another attack later on.
I am not an experienced hacker to know such attacks, but I
know that races can be very subtle and provide attack vectors
nobody has ever thought of.

 All of security is a trade-off, and in my opinion, having
 human-friendly, easily-readable rules (with error checking)

It is easy to switch to one method for testing and then back
when everything works: If you write $iptables ...
throughout you just have to set
iptables=iptables
or
iptables="FwmvTables 4"
respectively. In fact, the firewall-mv script does this
(with a different mechanism) depending on a commandline switch.
Moreover, I observed that the error checking works with
iptables-restore as well as with iptables:
It shows you almost the same errors, including a line number.
So the only difference is that you have to count the lines
in the testing output instead of directly seeing the command...




Re: [gentoo-user] Re: scripted iptables-restore

2013-10-13 Thread William Kenworthy
On 14/10/13 04:07, Martin Vaeth wrote:
 Michael Orlitzky mich...@orlitzky.com wrote:
 [...]
 If you have a million rules and you need to wipe/reload them all
 frequently you're probably doing something wrong to begin with.

 I don't know how this is related with the discussion.
 The main advantage of using iptables-restore is avoidance of
 race conditions. A secondary advantage is a speed improvement;
 in my case, the machine boots about 2 seconds faster which can
 be a considerable advantage if you start virtual machines.


 I was just reiterating that there's not much benefit to save/restore if
 you're doing things properly (pontification alert!).
 
 For a laptop of a scientist like me this is not true at all - it must
 often be connected in a different environment with different
 local nets etc.
 Also for other things (like portknocking using the recent module)
 you need rather complex rules which are better rewritten by a script,
 especially if the length of a portknocking sequence changes.
 Like passwords, these sequences should better not stay the same for
 too long...
 

...

If you are going to go to this bother ... why not use shorewall, create
a custom configuration for each site (including any changes to services)
and have your script just copy them in and restart the various
services including shorewall?  I have a number of networks from hotspots
to places where I need combinations of vpns, web servers and asterisk
available for demonstrations in lecture theatres through to travelling
and using hotel networks.

The iptables save feature gets a bit difficult to use with complex
setups and if you are doing something dynamic with the rules (fail2ban
for instance) it can save inappropriate rules which need manual culling.

I use a simple script with autosetup using network-manager (yuk,
horrible thing!) to detect known gateways and trigger the script with
that argument for either wifi or cable as appropriate  (or setup for
anonymous hotspot for unknown wifi, basic dhcp if unknown cable) - this
is on a macbook air if that matters.

BillK





Re: [gentoo-user] Network failed and weird error message

2013-10-13 Thread Dale
Mick wrote:
 On Sunday 13 Oct 2013 13:26:31 Dale wrote:

 Memory question.  The mobo I have uses this:  Support for DDR3
 1666(OC)/1333/1066 MHz memory modules  I have the 1666 on here.  It was
 what was on sale.  :-D  The new mobo calls for this:  DDR3
 2000(OC)/1866/1600/1333/1066  Are the two compatible?  Both are DDR3.

 Thanks.

 Dale

 :-)  :-)

 They are, although the new MoBo memory can be overclocked higher.  Bear in
 mind that some MoBos will complain if they are not fitted with identical
 memory modules.  Somehow I happen to come across them each time ...  :-(

So I can buy the mobo and reuse the memory I have now?  That will help a
LOT right now.  The new mobo will support twice the amount of ram but I
can upgrade that and the CPU later on.  The mobo I am looking at is this
one:

http://www.gigabyte.com/products/product-page.aspx?pid=4717#ov

The mobo I currently have is here:

http://www.gigabyte.com/products/product-page.aspx?pid=3320#sp

I don't overclock so I'm not worried about that.  I did it once with an
old Abit mobo with an AMD 2500+ CPU but it just didn't make much difference.

The memory I have is here:

http://www.newegg.com/Product/Product.aspx?Item=N82E16820231313

It appears I looked at something wrong here.  The one I have is the same
as what the mobo calls for.  I think???  I need to sleep more and I got
too much stuff going on.  :/  I wonder where I got the 1666 from??

It appears that I should be good to go with the new mobo.  Use my old
ram, upgrade with 8GB sticks as I can and they go on sale.  In the end,
I can have up to 32GBs of ram.  Talk about putting some stuff on tmpfs. 
O_O  I have always wanted to copy the tree to tmpfs and run time emerge
-uvaDN world.  Just to see how fast it will go.  lol

If anyone sees anything here that won't work, let me know soon.  I plan
to order this thing pretty soon.  Given the USB issue, the ethernet
having issues, I'm worried something else may start to break as well.  :-(

Thanks to all.  Posting the question got me to see I made a boo boo
somewhere about the memory speed.  I think?

Dale

:-)  :-)

-- 
I am only responsible for what I said ... Not for what you understood or
how you interpreted my words!



Re: [gentoo-user] Re: scripted iptables-restore

2013-10-13 Thread Michael Orlitzky
On 10/13/2013 04:07 PM, Martin Vaeth wrote:

 I was just reiterating that there's not much benefit to save/restore if
 you're doing things properly (pontification alert!).
 
 For a laptop of a scientist like me this is not true at all - it must
 often be connected in a different environment with different
 local nets etc.

Sure, but do the rules change? Is there a better ruleset that
accomplishes the same thing with fewer (or universal) rules? How many
rules do you have at the location requiring the most rules?

Most laptops should be OK with the following:

  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -P OUTPUT ACCEPT

  iptables -A INPUT -p ALL -i lo -j ACCEPT
  iptables -A INPUT -p ALL -m conntrack \
--ctstate ESTABLISHED,RELATED -j ACCEPT
  iptables -A INPUT -p ALL -m conntrack \
--ctstate INVALID -j DROP

  ALLOWED_ICMP="0 3 4 8 11 12"
  for icmp_type in $ALLOWED_ICMP; do
iptables -A INPUT -p icmp --icmp-type $icmp_type -j ACCEPT
  done

And creative setups should only require a few more rules. This all takes
under (1/10) of a second on my laptop.


 Also for other things (like portknocking using the recent module)
 you need rather complex rules which are better rewritten by a script,
 especially if the length of a portknocking sequence changes.
 Like passwords, these sequences should better not stay the same for
 too long...

Port knocking is cute, but imparts no extra security. A better, secure
way to achieve the same goal is with OpenVPN. And that doesn't require
you to play games with your firewall.

If you use your laptop at hotels, universities, and conferences, you'll
have a much happier time connecting to OpenVPN on tcp/443 (which nobody
can block) than you will trying to connect directly.


 Race conditions don't really seem that serious to me.
 
 Maybe, but I am not sure:
 There might be situations where it might be possible to keep
 a port open even when the rule is rewritten later on; then
 you need an open system only once...
 So, I could imagine that with some clever hacks an attacker
 might keep ports open and then do another attack later on.
 I am not an experienced hacker to know such attacks, but I
 know that races can be very subtle and provide attack vectors
 nobody has ever thought off.

In this case, the absolute worst that could happen is that an attacker
gains access to every open port on your system. While this is bad, it's
not a clever new vulnerability: it's all of the old ones that were
already there.

If there are insecure daemons listening on public addresses, you should
fix them instead of worrying about race conditions on the firewall.
Otherwise, every machine on your LAN becomes an attack vector, and
that's a much greater risk especially if your coworkers/friends use
Windows. And if we're still talking about laptops, the LAN is usually
anybody nearby.




Re: [gentoo-user] scripted iptables-restore

2013-10-13 Thread Pandu Poluan
On Oct 13, 2013 9:15 PM, Michael Orlitzky mich...@orlitzky.com wrote:

 On 10/13/2013 06:08 AM, Martin Vaeth wrote:
  5. You can't script iptables-restore!
 
  Well, actually you can script iptables-restore.
 
  For those who are interested:
  net-firewall/firewall-mv from the mv overlay
  (available over layman) now provides a separate
  firewall-scripted.sh
  which can be conveniently used for such scripting.
 

 You snipped the rest of my point =)

  You can write a bash script that writes an iptables-restore script to
  accomplish the same thing, but how much complexity are you willing to
  add for next to no benefit?

 If you have a million rules and you need to wipe/reload them all
 frequently you're probably doing something wrong to begin with.

 With bash, you can leverage all of the features of bash that everybody
 already knows. You can read files, call shell commands, pipe between
 them, etc. You can write bash functions to avoid repetitive commands.
 You can write inline comments to explain what the rules do.

 Something like,

   # A function which sets up a static mapping between an external IP
   # address and an internal one.
   #
   # USAGE: static_nat <internal ip> <external ip>
   #
   function static_nat() {
   iptables -t nat -A PREROUTING  -d "${2}" -j DNAT --to "${1}"
   iptables -t nat -A POSTROUTING -s "${1}" -j SNAT --to "${2}"
   }

 can make your iptables script a lot cleaner, and it conveys your intent
 better when the rule is created:

   # Danny likes to torrent linux isos at work so he needs a public ip
   static_nat 192.168.1.x 1.2.3.x

 I'm not saying you can't do all of this with iptables-restore, just that
 you're punishing yourself for little benefit if you do.


One benefit of being familiar with iptables-save and iptables-restore : you
can use iptables-apply.

Might save your sanity if you fat-fingered your iptables rule.

Just do `iptables-apply -t 180 <( preprocessor.sh new-rules.conf)`. Changes
are done atomically. After 180 seconds, if you don't indicate to
iptables-apply that the changes are proper, it atomically reverts the whole
netfilter tables.

bash scripts are powerful, but there might be unexpected cases that render
the netfilter tables to be wildly different from what you actually want.

The file format used by iptables-{save,restore,apply} is more like a
domain-specific language; less chance of partial mistakes. And it's atomic:
Either everything gets applied, or none gets applied (without clobbering
existing in-effect rules).

Rgds,
--


Re: [gentoo-user] scripted iptables-restore (was: Where to put advanced routing configuration?)

2013-10-13 Thread Pandu Poluan
On Oct 13, 2013 5:09 PM, Martin Vaeth va...@mathematik.uni-wuerzburg.de
wrote:

  5. You can't script iptables-restore!
 
  Well, actually you can script iptables-restore.

 For those who are interested:
 net-firewall/firewall-mv from the mv overlay
 (available over layman) now provides a separate
 firewall-scripted.sh
 which can be conveniently used for such scripting.


Thanks, Martin! I was about to create my own preprocessor, but I'll check
out yours first. If it's what I had planned, may I contribute, too?

Rgds,
--