[gentoo-user] [OT] Block multiple IP addresses; iptables or route...reject?
I have some doubts about massive "hosts" files for adblocking. I downloaded one that listed 13,148 sites. I fed them through a script that called "host" for each entry, and saved the output to a text file. The result was 1,059 addresses. Note that some adservers have multiple IP address entries for the same name. A back-of-the-envelope analysis is that close to 95% of the entries in the large host file are invalid, and return "not found: 3(NXDOMAIN)". I'm not here to trash the people compiling the lists; the problem is that hosts files are the wrong tool for the job. Advertisers know about hosts files and deliberately generate random subdomain names with short lifetimes to invalidate the hosts files. Every week the sites are probably mostly renamed.

Further analysis of the 1,059 addresses shows 810 unique entries, i.e. 249 duplicates. It gets even better. 44 addresses show up in 52.84.146.xxx; I should probably block the entire /24 with one entry. There are multiple similar occurrences, which could be aggregated into small CIDRs. So the number of blocking rules is greatly reduced.

I'm not a deep networking expert. My question is whether I'm better off adding iptables reject/drop rules or "reject routes", e.g...

route add -net 10.0.0.0 netmask 255.0.0.0 metric 1024 reject

(an example from the "route" man page). iptables rules have to be duplicated coming and going to catch inbound and outbound traffic. A reject route only needs to be entered once. This exercise is intended to block web adservers, so another question is how web browsers react to route versus iptables blocking.

While I'm at it (I did say I'm not an expert) is there another way to handle this? E.g. redirect "blocked CIDRs" via iptables or route to a local pixel image? Will that produce an immediate response by the web browser, versus timing out with "regular blocking"?

--
Walter Dnes
I don't run "desktop environments"; I run useful applications
Re: [gentoo-user] ....Gentoo update killed Gentoo update?
* tu...@posteo.de [2017-10-04 05:04]:
> On 10/04 02:26, tu...@posteo.de wrote:
> > On 10/04 01:58, Ian Bloss wrote:
> > > [...]
> > > On Tue, Oct 3, 2017, 6:55 PM wrote:
> > > > [...]
> > > >
> > > > I tried eix-sync this morning and got:
> > > >
> > > > /root>eix-sync
> > > > /usr/bin/eix-sync: line 22: ReadFunctions: command not found
> > > > /usr/bin/eix-sync: line 24: ReadVar: command not found
> > > > /usr/bin/eix-sync: line 25: ReadVar: command not found
> > > > /usr/bin/eix-sync: line 26: ReadVar: command not found
> > > > /usr/bin/eix-sync: line 27: ReadVar: command not found
> > > > /usr/bin/eix-sync: line 28: local_portage_configroot: unbound variable
> > > > [1]4865 exit 1 eix-sync
> > > >
> > > > [...]
> > [...]
> > /root>eix-sync
> > /usr/bin/eix-sync: line 22: ReadFunctions: command not found
> > /usr/bin/eix-sync: line 24: ReadVar: command not found
> > /usr/bin/eix-sync: line 25: ReadVar: command not found
> > /usr/bin/eix-sync: line 26: ReadVar: command not found
> > /usr/bin/eix-sync: line 27: ReadVar: command not found
> > /usr/bin/eix-sync: line 28: local_portage_configroot: unbound variable
> > [...]
>
> More on this:
> /usr/bin/eix-test-obsolete: line 17: ReadGettext: command not found
> /usr/bin/eix-test-obsolete: line 69: Push: command not found
> /usr/bin/eix-test-obsolete: line 70: Push: command not found
> /usr/bin/eix-test-obsolete: line 72: opt: unbound variable
>
> Seems to be a more common problem...

The logic to use /usr/share/eix/eix-functions.sh from the /usr/bin/eix-* scripts is just broken. Use this for a quick fix until it's sorted out upstream:

ln -nsf /usr/share/eix/eix-functions /usr/share/eix/eix-functions.sh

Cheers,
Wolfram
Re: [gentoo-user] ....Gentoo update killed Gentoo update?
On 10/04 02:26, tu...@posteo.de wrote:
> On 10/04 01:58, Ian Bloss wrote:
> > emerge --sync && emerge eix && eix-update
> >
> > On Tue, Oct 3, 2017, 6:55 PM wrote:
> >
> > > Hi,
> > >
> > > from my qlop -l output:
> > > Tue Oct 3 05:16:48 2017 >>> dev-perl/CGI-Fast-2.120.0
> > > Tue Oct 3 05:17:09 2017 >>> net-dns/dnsmasq-2.78
> > >
> > > Tue Oct 3 05:18:25 2017 >>> app-portage/eix-0.33.0
> > >
> > > Tue Oct 3 05:26:47 2017 >>> sys-apps/openrc-0.32
> > > Tue Oct 3 05:27:54 2017 >>> media-radio/gpredict-1.3-r2
> > >
> > >
> > > I tried eix-sync this morning and got:
> > >
> > > /root>eix-sync
> > > /usr/bin/eix-sync: line 22: ReadFunctions: command not found
> > > /usr/bin/eix-sync: line 24: ReadVar: command not found
> > > /usr/bin/eix-sync: line 25: ReadVar: command not found
> > > /usr/bin/eix-sync: line 26: ReadVar: command not found
> > > /usr/bin/eix-sync: line 27: ReadVar: command not found
> > > /usr/bin/eix-sync: line 28: local_portage_configroot: unbound variable
> > > [1]4865 exit 1 eix-sync
> > >
> > >
> > > ...end of the show?
> > >
> > > How can I fix this?
> > >
> > > Cheers
> > > Meino
> > >
>
> >>> Calculating dependencies... done!
> >>> Verifying ebuild manifests
> >>> Emerging (1 of 1) app-portage/eix-0.33.0::gentoo
> >>> Installing (1 of 1) app-portage/eix-0.33.0::gentoo
> >>> Jobs: 1 of 1 complete Load avg: 2.08, 1.01, 0.59
> >>> Auto-cleaning packages...
>
> /root>eix-sync
> /usr/bin/eix-sync: line 22: ReadFunctions: command not found
> /usr/bin/eix-sync: line 24: ReadVar: command not found
> /usr/bin/eix-sync: line 25: ReadVar: command not found
> /usr/bin/eix-sync: line 26: ReadVar: command not found
> /usr/bin/eix-sync: line 27: ReadVar: command not found
> /usr/bin/eix-sync: line 28: local_portage_configroot: unbound variable
>
> H.
>
> Another fix available?
>
> Cheers
> Meino
>

More on this:

/usr/bin/eix-test-obsolete: line 17: ReadGettext: command not found
/usr/bin/eix-test-obsolete: line 69: Push: command not found
/usr/bin/eix-test-obsolete: line 70: Push: command not found
/usr/bin/eix-test-obsolete: line 72: opt: unbound variable

Seems to be a more common problem...

Cheers
Meino
Re: [gentoo-user] ....Gentoo update killed Gentoo update?
On 10/04 01:58, Ian Bloss wrote:
> emerge --sync && emerge eix && eix-update
>
> On Tue, Oct 3, 2017, 6:55 PM wrote:
>
> > Hi,
> >
> > from my qlop -l output:
> > Tue Oct 3 05:16:48 2017 >>> dev-perl/CGI-Fast-2.120.0
> > Tue Oct 3 05:17:09 2017 >>> net-dns/dnsmasq-2.78
> >
> > Tue Oct 3 05:18:25 2017 >>> app-portage/eix-0.33.0
> >
> > Tue Oct 3 05:26:47 2017 >>> sys-apps/openrc-0.32
> > Tue Oct 3 05:27:54 2017 >>> media-radio/gpredict-1.3-r2
> >
> >
> > I tried eix-sync this morning and got:
> >
> > /root>eix-sync
> > /usr/bin/eix-sync: line 22: ReadFunctions: command not found
> > /usr/bin/eix-sync: line 24: ReadVar: command not found
> > /usr/bin/eix-sync: line 25: ReadVar: command not found
> > /usr/bin/eix-sync: line 26: ReadVar: command not found
> > /usr/bin/eix-sync: line 27: ReadVar: command not found
> > /usr/bin/eix-sync: line 28: local_portage_configroot: unbound variable
> > [1]4865 exit 1 eix-sync
> >
> >
> > ...end of the show?
> >
> > How can I fix this?
> >
> > Cheers
> > Meino
> >

>>> Calculating dependencies... done!
>>> Verifying ebuild manifests
>>> Emerging (1 of 1) app-portage/eix-0.33.0::gentoo
>>> Installing (1 of 1) app-portage/eix-0.33.0::gentoo
>>> Jobs: 1 of 1 complete Load avg: 2.08, 1.01, 0.59
>>> Auto-cleaning packages...

/root>eix-sync
/usr/bin/eix-sync: line 22: ReadFunctions: command not found
/usr/bin/eix-sync: line 24: ReadVar: command not found
/usr/bin/eix-sync: line 25: ReadVar: command not found
/usr/bin/eix-sync: line 26: ReadVar: command not found
/usr/bin/eix-sync: line 27: ReadVar: command not found
/usr/bin/eix-sync: line 28: local_portage_configroot: unbound variable

H.

Another fix available?

Cheers
Meino
Re: [gentoo-user] ....Gentoo update killed Gentoo update?
emerge --sync && emerge eix && eix-update

On Tue, Oct 3, 2017, 6:55 PM wrote:

> Hi,
>
> from my qlop -l output:
> Tue Oct 3 05:16:48 2017 >>> dev-perl/CGI-Fast-2.120.0
> Tue Oct 3 05:17:09 2017 >>> net-dns/dnsmasq-2.78
>
> Tue Oct 3 05:18:25 2017 >>> app-portage/eix-0.33.0
>
> Tue Oct 3 05:26:47 2017 >>> sys-apps/openrc-0.32
> Tue Oct 3 05:27:54 2017 >>> media-radio/gpredict-1.3-r2
>
>
> I tried eix-sync this morning and got:
>
> /root>eix-sync
> /usr/bin/eix-sync: line 22: ReadFunctions: command not found
> /usr/bin/eix-sync: line 24: ReadVar: command not found
> /usr/bin/eix-sync: line 25: ReadVar: command not found
> /usr/bin/eix-sync: line 26: ReadVar: command not found
> /usr/bin/eix-sync: line 27: ReadVar: command not found
> /usr/bin/eix-sync: line 28: local_portage_configroot: unbound variable
> [1]4865 exit 1 eix-sync
>
>
> ...end of the show?
>
> How can I fix this?
>
> Cheers
> Meino
>
[gentoo-user] ....Gentoo update killed Gentoo update?
Hi,

from my qlop -l output:
Tue Oct 3 05:16:48 2017 >>> dev-perl/CGI-Fast-2.120.0
Tue Oct 3 05:17:09 2017 >>> net-dns/dnsmasq-2.78

Tue Oct 3 05:18:25 2017 >>> app-portage/eix-0.33.0

Tue Oct 3 05:26:47 2017 >>> sys-apps/openrc-0.32
Tue Oct 3 05:27:54 2017 >>> media-radio/gpredict-1.3-r2

I tried eix-sync this morning and got:

/root>eix-sync
/usr/bin/eix-sync: line 22: ReadFunctions: command not found
/usr/bin/eix-sync: line 24: ReadVar: command not found
/usr/bin/eix-sync: line 25: ReadVar: command not found
/usr/bin/eix-sync: line 26: ReadVar: command not found
/usr/bin/eix-sync: line 27: ReadVar: command not found
/usr/bin/eix-sync: line 28: local_portage_configroot: unbound variable
[1]4865 exit 1 eix-sync

...end of the show?

How can I fix this?

Cheers
Meino
Re: [gentoo-user] Linode discontinuing Xen, migrating to KVM
On Tue, Oct 3, 2017 at 6:38 AM, Tanstaafl wrote:
> On 10/2/2017, 11:52:21 PM, R0b0t1 wrote:
>> As long as your kernel has the appropriate drivers (i.e. you didn't
>> include only the virtualized Xen drivers and left most of the default
>> options intact) it should boot under QEMU/KVM or even on a bare metal
>> system.
>
> Hmmm, something else I just remembered when I noticed my production
> server is running a 32 bit kernel...
>
> A long time ago, maybe 6 or 7 years, something weird happened when
> Linode had some kind of problem (maybe it was another one of their
> maintenance processes, I don't recall), I had a heck of a time getting
> it back up, I finally had to do a full rebuild, and distinctly remember
> changing to a 32 bit kernel during the process, but never changed back.
>
> Do I need to do a full system rebuild to change back to the 64 bit kernel?
>

It shouldn't matter. The virtual processor (just like a real one) starts up in 16 bit mode and is then set to 32 and then 64 bit mode by software.

> Also, I haven't played with Linodes 'System Profiles' at all - I was
> thinking I'd just create a new profile, add my Gentoo System Image and a
> swap image to it, but assign the 64 bit kernel, then if it doesn't work,
> switch back. Should I be able to do that without causing any problems to
> the current/working profile?
>

I probably wouldn't use the Linode supplied configurations either, but it might be a good idea to run diff on yours and theirs to see what options are different.

R0b0t1.
Re: [gentoo-user] Re: ephemeral keyword override?
On Tue, 3 Oct 2017 15:00:13 -0700, Ian Zimmerman wrote:

> > > > > ACCEPT_KEYWORDS='<=some-cat/some-package- ~amd64' \
> > > > > USE='foo' emerge -p some-cat/some-package
> > > >
> > > > ACCEPT_KEYWORDS="~amd64" emerge somepkg
> >
> > You included the package atom on the env var, a la
> > /etc/portage/package.* syntax, which you should have included only the
> > setting.
>
> The difference is that in my hypothetical syntax, the unfiltering is
> scoped _only_ to the specific package I am installing, and not to any of
> the dependencies. I should have said so explicitly, sorry for that.

The ACCEPT_KEYWORDS variable doesn't work like that, any more than USE does. It only contains the keywords to accept. To do what you want, use package.accept_keywords.

--
Neil Bothwick

Member, National Association For Tagline Assimilators (NAFTA)
[gentoo-user] Re: ephemeral keyword override?
On 2017-10-03 21:14, Neil Bothwick wrote:

> > > > ACCEPT_KEYWORDS='<=some-cat/some-package- ~amd64' \
> > > > USE='foo' emerge -p some-cat/some-package
> > >
> > > ACCEPT_KEYWORDS="~amd64" emerge somepkg
>
> You included the package atom on the env var, a la
> /etc/portage/package.* syntax, which you should have included only the
> setting.

The difference is that in my hypothetical syntax, the unfiltering is scoped _only_ to the specific package I am installing, and not to any of the dependencies. I should have said so explicitly, sorry for that.

--
Please don't Cc: me privately on mailing lists and Usenet,
if you also post the followup to the list or newsgroup.
Do obvious transformation on domain to reply privately _only_ on Usenet.
Re: [gentoo-user] Re: ephemeral keyword override?
On Tue, 3 Oct 2017 11:13:31 -0700, Ian Zimmerman wrote:

> > > When I'm thinking about installing a package, I can say
> > >
> > > USE='foo' emerge -p some-cat/some-package
> > >
> > > to see what would happen, without changing any /etc files. Is
> > > there a similar way to specify a keyword override, without changing
> > > /etc/portage/package.accept_keywords? Something along the lines of
> > >
> > > ACCEPT_KEYWORDS='<=some-cat/some-package- ~amd64' \
> > > USE='foo' emerge -p some-cat/some-package
> >
> > ACCEPT_KEYWORDS="~amd64" emerge somepkg
>
> Thanks for the reply, I did learn something new from it. Nonetheless it
> should be quite obvious that it does something different from what I was
> "dreaming".

You included the package atom on the env var, a la /etc/portage/package.* syntax, which you should have included only the setting.

The trouble with setting this on the command line is that it will be changed on your next update. I prefer to have /etc/portage/package.* as directories, then I have a file called temp in each that includes the settings I am only trying out. When I have finished experimenting I can delete the file.

--
Neil Bothwick

"Do not handicap your children by making their lives easy." -- Robert Heinlein
Re: [gentoo-user] iputils - caps and filecaps USE flags?
> On 3 Oct 2017, at 20:17, Simon Thelen wrote:
>
> It is almost always better to enable both of these where possible since
> it helps decrease the attack surface for the programs in question.

Thanks, I'll do that.

Stroller.
Re: [gentoo-user] Linode discontinuing Xen, migrating to KVM
On 10/03/2017 02:28 PM, Tanstaafl wrote:
> On 10/3/2017, 1:27:45 AM, victor romanchuk wrote:
>> there are two files to change/check before migration
>>
>> * /etc/inittab :: console terminal (XEN PV domUs do use hvc console and
>> KVM VM employ normal linux console)
>>
>> -c1:12345:/respawn:/sbin/agetty 38400 hvc0 linux
>> +c1:12345:respawn:/sbin/agetty 38400 ttyS0 linux
>>
>> * /etc/fstab :: XEN PV do use xvdN volumes and KVM VM volume naming is
>> canonical
>>
>> -/dev/xvdb none swap sw 0 0
>> +/dev/sdb none swap sw 0 0
>>
>> the migration itself is automated; linode did it for me flawlessly: few
>> minutes of downtime needed to convert images and to move them to
>> different hardware (in my case)
>
> Thanks - but I thought these were changed as part of the automated
> process (from what I've read).
>
> Did you change yours manually?
>

I forgot it :) most likely it was performed by linode automation
at least what I'm seeing now confirms that (both files were modified together):

$ stat /etc/inittab /etc/fstab
  File: '/etc/inittab'
  Size: 1937      Blocks: 4          IO Block: 1024   regular file
Device: 800h/2048d      Inode: 102725      Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2017-09-11 23:46:24.0 +0300
Modify: 2017-09-11 23:46:24.0 +0300
Change: 2017-09-11 23:46:24.0 +0300
 Birth: -
  File: '/etc/fstab'
  Size: 1066      Blocks: 4          IO Block: 1024   regular file
Device: 800h/2048d      Inode: 102672      Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2017-09-11 23:46:24.0 +0300
Modify: 2017-09-11 23:46:24.0 +0300
Change: 2017-09-11 23:46:24.0 +0300
 Birth: -

anyway I kept that in mind when preparing myself to switch to KVM: the configuration is unusual - 64bit kernel (supplied by linode) and 32bit userspace (minimalistic gentoo with very few packages and default x86 profile)
Re: [gentoo-user] iputils - caps and filecaps USE flags?
On 17-10-03 at 19:08, Stroller wrote:
> Hello,
>
> On my Linode VM in /etc/portage/package.use I have:
>
> net-misc/iputils -caps -filecaps
>
> I have no recollection of setting these flags, but `genlop -iputils `
> gives an installation date 2 days after I signed up with Linode, which
> tends to suggest I installed the package. Or perhaps it was part of
> the original Linode Gentoo disk image, and I only updated iputils?
>
> The USE flag descriptions are meaningless to me and so I have no idea
> why I might have set these flags, were it me who did so:
>
> caps - Use Linux capabilities library to control privilege
> filecaps - Use Linux file capabilities to control privilege rather than
> set*id (this is orthogonal to USE=caps which uses capabilities at runtime
> e.g. lib cap)

Capabilities are a method of providing programs with more or less specific "privileges" as an alternative to running the program as root/suid.

The "caps" useflag controls these at runtime by allowing programs to drop capabilities that the program doesn't need so that if something happens it has the ability to break less things.

The "filecaps" flag is the "equivalent" of the suid bit but for specific capabilities (so instead of providing ping with suid-root you can give it CAP_NET_RAW only).

It is almost always better to enable both of these where possible since it helps decrease the attack surface for the programs in question.

Read capabilities(7) for more information.

--
Simon Thelen
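An added example, not from Simon's reply or from iputils, that makes the two mechanisms he describes visible: the capability sets a running process actually holds (what USE=caps lets a program trim at runtime, read from the Cap* lines of /proc/<pid>/status) and the capability stored on a binary in place of the setuid bit (what USE=filecaps installs, kept in the security.capability extended attribute that `setcap cap_net_raw+ep` writes). The capability numbers and the xattr layout are the ones in <linux/capability.h>; the sample status text and xattr bytes are constructed to match a ping that holds only CAP_NET_RAW, and the function names are this example's own.

```python
"""Decode Linux capability sets as described in capabilities(7).

Added example, not part of the thread. Shows a process's capability sets
(from /proc/<pid>/status) and a file capability (the security.capability
xattr a setcap'd binary carries). SAMPLE_STATUS and SAMPLE_XATTR are
constructed; read_file_caps() can inspect a real binary on Linux.
"""
import os
import struct

# Capability numbers from <linux/capability.h>: list index == bit position.
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read", "cap_perfmon", "cap_bpf",
    "cap_checkpoint_restore",
]

# security.capability xattr header constants (struct vfs_cap_data).
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_2 = 0x02000000
VFS_CAP_REVISION_3 = 0x03000000   # same first 20 bytes, plus a rootid field
VFS_CAP_FLAGS_EFFECTIVE = 0x000001


def mask_to_names(mask):
    """Expand a capability bitmask into capability names, lowest bit first."""
    names = []
    bit = 0
    while mask >> bit:
        if mask & (1 << bit):
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"cap_{bit}")
        bit += 1
    return names


def parse_status_caps(status_text):
    """Return {set_name: [names]} for the Cap* lines of a /proc/<pid>/status dump.

    CapEff is what the process can use right now; a program built with
    USE=caps shrinks it to what it needs. CapPrm is what it could re-enable.
    """
    result = {}
    for line in status_text.splitlines():
        if line.startswith("Cap") and ":" in line:
            key, value = line.split(":", 1)
            result[key.strip()] = mask_to_names(int(value.strip(), 16))
    return result


def parse_file_caps(blob):
    """Decode a security.capability xattr: (permitted, inheritable, effective).

    Layout: le32 magic_etc, then (permitted, inheritable) le32 pairs for the
    low and the high 32 bits of each set. The effective flag is a single bit
    in magic_etc, which is why `setcap cap_net_raw+ep` gives ping the
    capability in its effective set at exec time.
    """
    if len(blob) < 20:
        raise ValueError("xattr too short for a capability blob")
    magic_etc, p0, i0, p1, i1 = struct.unpack("<5I", blob[:20])
    if magic_etc & VFS_CAP_REVISION_MASK not in (VFS_CAP_REVISION_2, VFS_CAP_REVISION_3):
        raise ValueError("unhandled security.capability revision")
    permitted = p0 | (p1 << 32)
    inheritable = i0 | (i1 << 32)
    effective = bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE)
    return mask_to_names(permitted), mask_to_names(inheritable), effective


def read_file_caps(path):
    """Decode the file capability of a real binary, or None if it has none.

    Linux only: os.getxattr is absent elsewhere, and ENODATA means the file
    carries no capability (a setuid-root ping built with -filecaps, say).
    """
    try:
        blob = os.getxattr(path, "security.capability")
    except (OSError, AttributeError):
        return None
    return parse_file_caps(blob)


# Constructed sample: a ping whose effective set is exactly CAP_NET_RAW (bit 13).
SAMPLE_STATUS = (
    "Name:\tping\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000002000\n"
    "CapEff:\t0000000000002000\n"
)

# Constructed sample: the xattr `setcap cap_net_raw+ep ping` would store.
SAMPLE_XATTR = struct.pack(
    "<5I", VFS_CAP_REVISION_2 | VFS_CAP_FLAGS_EFFECTIVE, 1 << 13, 0, 0, 0
)


if __name__ == "__main__":
    try:
        with open("/proc/self/status") as fh:
            live = parse_status_caps(fh.read())
    except OSError:
        live = parse_status_caps(SAMPLE_STATUS)
    for set_name, names in live.items():
        print(f"{set_name}: {', '.join(names) or '(none)'}")
    print("file caps on sample xattr:", parse_file_caps(SAMPLE_XATTR))
```

On a live box, read_file_caps("/bin/ping") returning None while the binary shows the set-user-ID bit in `stat` is exactly the state -filecaps leaves you in: the program starts with all of root's privilege and, without -caps, keeps it for its whole run instead of holding CAP_NET_RAW alone.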
[gentoo-user] Re: ephemeral keyword override?
On 2017-10-03 17:51, Neil Bothwick wrote:

> > When I'm thinking about installing a package, I can say
> >
> > USE='foo' emerge -p some-cat/some-package
> >
> > to see what would happen, without changing any /etc files. Is there a
> > similar way to specify a keyword override, without changing
> > /etc/portage/package.accept_keywords? Something along the lines of
> >
> > ACCEPT_KEYWORDS='<=some-cat/some-package- ~amd64' \
> > USE='foo' emerge -p some-cat/some-package
>
> ACCEPT_KEYWORDS="~amd64" emerge somepkg

Thanks for the reply, I did learn something new from it. Nonetheless it should be quite obvious that it does something different from what I was "dreaming".

--
Please don't Cc: me privately on mailing lists and Usenet,
if you also post the followup to the list or newsgroup.
Do obvious transformation on domain to reply privately _only_ on Usenet.
[gentoo-user] iputils - caps and filecaps USE flags?
Hello,

On my Linode VM in /etc/portage/package.use I have:

net-misc/iputils -caps -filecaps

I have no recollection of setting these flags, but `genlop -iputils ` gives an installation date 2 days after I signed up with Linode, which tends to suggest I installed the package. Or perhaps it was part of the original Linode Gentoo disk image, and I only updated iputils?

The USE flag descriptions are meaningless to me and so I have no idea why I might have set these flags, were it me who did so:

caps - Use Linux capabilities library to control privilege
filecaps - Use Linux file capabilities to control privilege rather than set*id (this is orthogonal to USE=caps which uses capabilities at runtime e.g. lib cap)

Can anyone possibly explain in simple terms what these USE flags do, and help identify what's best for me?

Thanks in advance for any suggestions,

Stroller.
Re: [gentoo-user] ephemeral keyword override?
On Tue, 3 Oct 2017 09:03:06 -0700, Ian Zimmerman wrote:

> When I'm thinking about installing a package, I can say
>
> USE='foo' emerge -p some-cat/some-package
>
> to see what would happen, without changing any /etc files. Is there a
> similar way to specify a keyword override, without changing
> /etc/portage/package.accept_keywords? Something along the lines of
>
> ACCEPT_KEYWORDS='<=some-cat/some-package- ~amd64' \
> USE='foo' emerge -p some-cat/some-package

ACCEPT_KEYWORDS="~amd64" emerge somepkg

--
Neil Bothwick

Growing old is mandatory; growing up is optional!!
[gentoo-user] ephemeral keyword override?
When I'm thinking about installing a package, I can say

USE='foo' emerge -p some-cat/some-package

to see what would happen, without changing any /etc files. Is there a similar way to specify a keyword override, without changing /etc/portage/package.accept_keywords? Something along the lines of

ACCEPT_KEYWORDS='<=some-cat/some-package- ~amd64' \
USE='foo' emerge -p some-cat/some-package

or am I dreaming?

--
Please don't Cc: me privately on mailing lists and Usenet,
if you also post the followup to the list or newsgroup.
Do obvious transformation on domain to reply privately _only_ on Usenet.
Re: [gentoo-user] Linode discontinuing Xen, migrating to KVM
On 10/2/2017, 11:52:21 PM, R0b0t1 wrote:
> As long as your kernel has the appropriate drivers (i.e. you didn't
> include only the virtualized Xen drivers and left most of the default
> options intact) it should boot under QEMU/KVM or even on a bare metal
> system.

Hmmm, something else I just remembered when I noticed my production server is running a 32 bit kernel...

A long time ago, maybe 6 or 7 years, something weird happened when Linode had some kind of problem (maybe it was another one of their maintenance processes, I don't recall), I had a heck of a time getting it back up, I finally had to do a full rebuild, and distinctly remember changing to a 32 bit kernel during the process, but never changed back.

Do I need to do a full system rebuild to change back to the 64 bit kernel?

Also, I haven't played with Linodes 'System Profiles' at all - I was thinking I'd just create a new profile, add my Gentoo System Image and a swap image to it, but assign the 64 bit kernel, then if it doesn't work, switch back. Should I be able to do that without causing any problems to the current/working profile?
Re: [gentoo-user] Linode discontinuing Xen, migrating to KVM
On 10/3/2017, 1:27:45 AM, victor romanchuk wrote:
> there are two files to change/check before migration
>
> * /etc/inittab :: console terminal (XEN PV domUs do use hvc console and KVM
> VM employ normal linux console)
>
> -c1:12345:/respawn:/sbin/agetty 38400 hvc0 linux
> +c1:12345:respawn:/sbin/agetty 38400 ttyS0 linux
>
> * /etc/fstab :: XEN PV do use xvdN volumes and KVM VM volume naming is
> canonical
>
> -/dev/xvdb none swap sw 0 0
> +/dev/sdb none swap sw 0 0
>
>
> the migration itself is automated; linode did it for me flawlessly: few
> minutes of downtime needed to convert images and to move them to different
> hardware (in my case)

Thanks - but I thought these were changed as part of the automated process (from what I've read).

Did you change yours manually?
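An added example, not from the thread or from Linode, that checks a Xen PV guest's /etc/inittab and /etc/fstab for the two changes victor lists (hvc0 to ttyS0, /dev/xvdN to /dev/sdN) and produces the rewritten text in the -old/+new form the thread uses, without touching the files. The sample file contents are constructed around the lines quoted above, the function names are this example's own, and the target device prefix is a parameter because a KVM guest whose disks arrive over virtio-blk names them /dev/vdN rather than /dev/sdN.

```python
"""Pre-migration check for the two files that differ between a Xen PV domU
and a KVM guest: the console line in /etc/inittab (hvc0 vs ttyS0) and the
block device names in /etc/fstab (/dev/xvdN vs /dev/sdN).

Added example, not from the thread. Nothing is written back: each function
returns the rewritten text plus the list of changed lines so the result can
be reviewed first. SAMPLE_INITTAB and SAMPLE_FSTAB are constructed.
"""
import re

# Constructed samples modelled on the lines quoted in the thread.
SAMPLE_INITTAB = """\
# TERMINALS
c1:12345:respawn:/sbin/agetty 38400 hvc0 linux
c2:2345:respawn:/sbin/agetty 38400 tty2 linux
"""

SAMPLE_FSTAB = """\
/dev/xvda  /     ext4  noatime  0 1
/dev/xvdb  none  swap  sw       0 0
proc       /proc proc  defaults 0 0
"""

HVC_CONSOLE = re.compile(r"\bhvc0\b")
XVD_DEVICE = re.compile(r"/dev/xvd([a-z]+)(\d*)")


def _rewrite(text, pattern, replacement):
    """Apply pattern -> replacement line by line, collecting what changed."""
    changed = []
    out = []
    for number, line in enumerate(text.splitlines(), 1):
        new = pattern.sub(replacement, line)
        if new != line:
            changed.append((number, line, new))
        out.append(new)
    return "\n".join(out) + "\n", changed


def convert_inittab(text):
    """Point the getty at the serial console a KVM guest exposes instead of Xen's hvc0."""
    return _rewrite(text, HVC_CONSOLE, "ttyS0")


def convert_fstab(text, target_prefix="sd"):
    """Rename Xen /dev/xvdN entries; the disk letter and partition number are kept.

    target_prefix is "sd" for the naming the thread shows and "vd" for a guest
    whose disks are presented over virtio-blk.
    """
    return _rewrite(text, XVD_DEVICE, rf"/dev/{target_prefix}\1\2")


def migration_report(inittab_text, fstab_text, target_prefix="sd"):
    """Summarise what would change, in the -old/+new form the thread uses."""
    lines = []
    for name, (_, changed) in (
        ("/etc/inittab", convert_inittab(inittab_text)),
        ("/etc/fstab", convert_fstab(fstab_text, target_prefix)),
    ):
        for number, old, new in changed:
            lines.append(f"{name}:{number}")
            lines.append(f"-{old}")
            lines.append(f"+{new}")
    return lines


if __name__ == "__main__":
    print("\n".join(migration_report(SAMPLE_INITTAB, SAMPLE_FSTAB)))
```

An empty report against the real files is the quick way to confirm what victor's `stat` output suggested: that the provider's automation already made both edits. A non-empty one, before the cutover, is the list of lines to fix so the guest comes up with a working console and a mountable root.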