Linux-Misc Digest #881, Volume #25 Wed, 27 Sep 00 12:13:04 EDT
Contents:
Cannot connect with FTP ("Michael")
Re: Running NT4/2000 on linux (Christopher Browne)
Re: driver install problem (Eric)
minimal hw for playing streaming media? (Filippone)
partition commander? ("Samuel Irlapati")
Re: Partitioning..... (Eric)
KDE Sound Configuration ([EMAIL PROTECTED])
Screwed up LILO; can't boot Windows ("Brett W. Denner")
Re: linux ppc vs linux alpha vs linux x86? (bgeer)
Re: Where can I find a kernel? (Steve)
Re: "Tickling" with sound over net (Steve)
Re: DELL LATITUDE C600 and Red Hat compatibility issues (Steve)
Re: Gathering a recursive list of URLs? (Steve)
Re: hosed X font server? (Steve)
Re: help - apache DSO (Steve)
Re: Belkin UPS model F6C525-SER & Linux (Steve Wampler)
Re: where go get sshd ([EMAIL PROTECTED])
Re: where go get sshd (Bill Unruh)
Re: IP Masquerading ("Larry Clark")
Re: Screwed up LILO; can't boot Windows (Leonard Evens)
Re: BIND ACL Workarounds (was: Re: been hacked...have a question) (NAVARRO LOPEZ)
----------------------------------------------------------------------------
From: "Michael" <[EMAIL PROTECTED]>
Subject: Cannot connect with FTP
Date: Wed, 27 Sep 2000 14:09:23 GMT
Hi there -
I'm using RedHat 6.0. I try to connect from a Win2K box and the connection
takes forever...and then drops the connection. Here's what it looks like
from a Win2K box trying to ftp to my linux box...
C:\>ftp linux
Connected to linux. (long wait here...a couple of minutes)
Connection closed by remote host.
I can ftp to my linux box from my IBM AS/400 and it works fine. I also tried
ftping from the linux box back to itself - it connects (after a very long
time) and then seems to process fine.
Any ideas?
Thanks...
- Michael
------------------------------
From: [EMAIL PROTECTED] (Christopher Browne)
Crossposted-To: alt.os.linux
Subject: Re: Running NT4/2000 on linux
Reply-To: [EMAIL PROTECTED]
Date: Wed, 27 Sep 2000 14:18:53 GMT
In our last episode (Wed, 27 Sep 2000 14:15:21 +0100),
the artist formerly known as Rich Edwards said:
>Thanks for the reply - but I don't seem to have been very clear.
>What I mean is:
>Can I run linux on a machine (assuming I have all the correct drivers) then
>be able to run a NT4/2000 OS over the top or as a process or any other way.
Ah.
You might want to look a the product "VMWare," which is designed to
support doing that sort of thing.
--
[EMAIL PROTECTED] - <http://www.hex.net/~cbbrowne/lsf.html>
Rules of the Evil Overlord #123. "If I decide to hold a contest of
skill open to the general public, contestants will be required to
remove their hooded cloaks and shave their beards before entering."
<http://www.eviloverlord.com/>
------------------------------
From: Eric <[EMAIL PROTECTED]>
Subject: Re: driver install problem
Date: Wed, 27 Sep 2000 16:27:16 +0200
Reply-To: [EMAIL PROTECTED]
[EMAIL PROTECTED] wrote:
>
> I'm using Redhat6.1 and attempting to get a 3Com905b network
> card to work. There's no driver installed or available in the
> distribution , so I downloaded one on my windoze machine and put it
> on a floppy.
> I mounted the floppy with the command:
> mount -t vfat /dev/fd0 /mnt/floppy
> I did an ls /mnt/floppy, and got
> 3c90x0-1_0_0i_tar.tar
>
> At this point it seems I have a driver on the floppy. I them tried to
> unpack it with the command:
> tar -xvf 3c90x-1_0_0i_tar.tar
>
> My intent was to unpack it right on the floppy, but all I got was
> these error messages:
>
> tar: hmm, this doesn't look like a tar archive
> tar: Skipping to nest file header
> tar: Only read1052 bytes from archive 3c90x-1_0_0i_tar.tar
> tar: Error is not recoverable: exiting now
>
> Anyone have an idea what's wrong? Should I be unpacking it somewhere
> else?
Bad tarball, that's what's wrong. May have gotten corrupted during
download.
You could try to see if it's just a wrong name (might still be zipped).
mv 3c90x-1_0_0i_tar.tar 3c90x-1_0_0i_tar.tgz
tar zxvf 3c90x-1_0_0i_tar.tgz
If that fails too, you'll have to get a correct tarball. Make sure it
doesn't get unzipped/corrupted by your browser. These files are usually
distributed with a tar.gz extension. Windows doesn't like these double
extensions, nor do certain browsers.
Eric
> Thanks in advance,
> jerbear
------------------------------
From: Filippone <[EMAIL PROTECTED]>
Subject: minimal hw for playing streaming media?
Date: Wed, 27 Sep 2000 14:17:17 GMT
I'd like to get an old Intel box and run it on Linux just for the sake of
continuously receiving streaming media off a permanent net connection.
I know Real Player is available for Linux. I have plenty of patience,
no hurry, a curiosity for cleaner OS's, and a feeling that my house
will attract gremlins if I leave a Windows box running unattended.
(Besides, it will crash anyway).
Questions:
I hear Linux is much less CPU hungry than Windows. How fast a machine
do I really need to do speeds up to, say, 56 or 100kbps audio or video?
Does anyone know what share of the streaming world is on Windows Media
Player, hence off limits to such a contraption?
Is this a crazy idea? Am I going to burn 6 man-weeks before the thing
starts playing anything at all? I have plenty of procedural
intelligence, but no previous experience with this animal.
Any comment will be appreciated!
--
Filippone
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: "Samuel Irlapati" <[EMAIL PROTECTED]>
Crossposted-To: alt.os.linux
Subject: partition commander?
Date: Wed, 27 Sep 2000 09:53:52 -0400
Has anyone used partition commander here? I would like to know if you think
it is useful or not?
I have tried Partition Magic 5.0 and it actually does not work on my computer.
So I returned it, but I am looking for other partition programs.
------------------------------
From: Eric <[EMAIL PROTECTED]>
Subject: Re: Partitioning.....
Date: Wed, 27 Sep 2000 16:32:54 +0200
Reply-To: [EMAIL PROTECTED]
The Jigsaw Man wrote:
>
> > 2. This varies a bit from distribution to distribution, but the install
> > process should give you the option to create one or more new partitions
> > (without affecting existing partitions), and to indicate which partition(s)
> > Linux should automatically mount.
>
> There is a request for me to select a partition, but then it expects me
> to have already partitioned the drive before that step. I'm using
> Linux-mandrake, V7.0, and the installer is running DrakX. I am given
> some options to play with the partition, but they all sound bad. I tried
> to resize from 7342MB to 6000MB, but it said something about "minimum
> partition size" and made no change.
Do you have any free space?
That means NON PARTITIONED SPACE, not just space in the windows FS.
Else you will need to create it. You can use FIPS.EXE for that or
Partition Magic (if you have it)
>
> > 3. As part of the install process, you will also be asked where to place
> > Lilo, the Linux Loader. Make sure you indicate "Linux partition" (whatever
> > your distribution calls it), and _not_ MBR (Master Boot Record).
>
> One of my documents said I had to have the kernel set before the 1203
> cylinder in order that BIOS can "see" it, but it was an older document.
> Is this still relevant if I want to only boot to Linux with a disk?
> (Win98 otherwise) If so, how can I ensure its placement?
>
> The Jigsaw Man
IIRC that's not an issue for mandrake 7.0, (you can choose to use GRUB
as bootloader eg.), but don't quote me on this. Anyhow I doubt you'll
have this problem anyway, since your HDD is only 7.5 GB (in LBA mode
1024 cyl. ~*G).
If you insist on booting linux from floppy (i really don't know why) you
will not ever have this problem, because a floppy never exceeds this
amount of cylinders :-)
Eric
------------------------------
From: [EMAIL PROTECTED]
Subject: KDE Sound Configuration
Date: Wed, 27 Sep 2000 14:33:02 GMT
I just posted a message about screen resolution and now I have another
question concerning Linux setup. I can't figure out how to setup the
sound card. I did it before, but I forgot. I guess I wasn't paying
much attention, thinking I'd never have to do it again. Thank You.
------------------------------
From: "Brett W. Denner" <[EMAIL PROTECTED]>
Subject: Screwed up LILO; can't boot Windows
Date: Wed, 27 Sep 2000 14:35:27 GMT
I have a two-hard-disk computer with Win98 on the master disk and SuSE
Linux 6.4 on the secondary.
When I installed SuSE Linux, LILO was set up to boot Linux by default
and Windows as an option. I used SuSE YaST to try to adjust my LILO
configuration. Now, I can boot into Linux as an option, but when I try
to boot into Windows 98 (either by default or explicitly),
LILO won't boot into Windows.
Below is my LILO configuration file. Can anyone tell me what to look
for on my system to determine why Windows won't boot?
Thanks,
Brett
# LILO configuration file
# Start LILO global Section
# If you want to prevent console users to boot with init=/bin/bash,
# restrict usage of boot params by setting a passwd and using the
option
# restricted.
#password=bootpwd
#restricted
initrd=/boot/initrd
boot=/dev/hdf3
#compact # faster, but won't work on all systems.
linear
vga=normal
message=/boot/message
read-only
prompt
timeout=70
# End LILO global Section
#
other = /dev/hde1
label = windows
map-drive = 0x80
to = 0x81
map-drive = 0x81
to = 0x80
table = /dev/hde
#
image = /boot/vmlinuz
root = /dev/hdf3
label = linux
------------------------------
From: [EMAIL PROTECTED] (bgeer)
Crossposted-To: comp.os.linux.powerpc,comp.os.linux.alpha
Subject: Re: linux ppc vs linux alpha vs linux x86?
Date: 27 Sep 2000 09:01:23 -0600
Jeff Sturm <[EMAIL PROTECTED]> writes:
>I can tell you one thing: x86 blows at PIC. PIC is necessary for
>building ELF relocatable shared libraries.
Ok, so what's PIC?
My acronym converter offers these possibilities:
PIC - Pilot In Command
PIC - Plastic-Insulated Cable
PIC - Primary Independent Carrier
--
<> Robert Geer & Donna Tomky | |||| |||| <>
<> [EMAIL PROTECTED] | == == Suddenly, == == <>
<> [EMAIL PROTECTED] | == == We feel enchanted! == == <>
<> Albuquerque, NM USA | |||| |||| <>
------------------------------
From: [EMAIL PROTECTED] (Steve)
Subject: Re: Where can I find a kernel?
Reply-To: [EMAIL PROTECTED]
Date: 27 Sep 2000 16:01:45 +0100
Doesn't sound like a kernel problem. Check out man fstab and
man mount. At the command prompt do:
$ man fstab
and
$ man mount
From what I remember you can't mount an FS that isn't described
in your "fstab". Don't bother with the Filesystems-HOWTO, it's
far too involved for what you're after, but the Win95-Linux.HOWTO
and other similar titles may be of some help.
In my distro the HOWTOs are in /usr/doc/HOWTO/ and
/usr/doc/HOWTO/mini/ if you don't have them you can get them from:
http://www.linuxdoc.org/HOWTO/
--
Cheers
Steve email mailto:[EMAIL PROTECTED]
%HAV-A-NICEDAY Error not enough coffee 0 pps.
web http://www.zeropps.uklinux.net/
or http://start.at/zero-pps
1:31pm up 36 days, 17:46, 2 users, load average: 2.01, 2.01, 2.00
------------------------------
From: [EMAIL PROTECTED] (Steve)
Subject: Re: "Tickling" with sound over net
Reply-To: [EMAIL PROTECTED]
Date: 27 Sep 2000 16:01:45 +0100
On Wed, 27 Sep 2000 10:25:06 +0200, Stefan Keßler wrote:
>Hi,
>
>I'm having problems running net audio-applications like
>RAT,voxilla,Netmeeting: The sound-card produces always a sort of
>tickling, which comes obviously from the network data packages. Does
>anybody know this problem or has an idea how to solve it?
Sounds like the bus interference problem; check out previous posts
in this group.
------------------------------
From: [EMAIL PROTECTED] (Steve)
Crossposted-To: comp.os.linux.setup
Subject: Re: DELL LATITUDE C600 and Red Hat compatibility issues
Reply-To: [EMAIL PROTECTED]
Date: 27 Sep 2000 16:01:46 +0100
On Tue, 26 Sep 2000 22:40:40 -0400, Evan Panagiotopoulos wrote:
>I am planning on buying that laptop. Any comments? I saw in
>http://www.redhat.com that the Xircom Ethernet adapter that Dell is
>offering is NOT compatible with Red Hat.
>
If it's not compatible with the OS you want then don't buy it, I would
have thought that this is obvious.
------------------------------
From: [EMAIL PROTECTED] (Steve)
Subject: Re: Gathering a recursive list of URLs?
Reply-To: [EMAIL PROTECTED]
Date: 27 Sep 2000 16:01:46 +0100
On Wed, 27 Sep 2000 02:23:52 GMT, Shaun wrote:
>I need to create a complete recursive list of URLs for an entire
>website. That is, I need something that I can point to
>http://www.some.com/index.html, and have it follow the links recursively
>throughout the site and build a list of all the URLs. I don't actually
>want copies of the pages, just a list of their URLs.
Ok I found the following from the wget documentation:
`-nr'
`--dont-remove-listing'
Don't remove the temporary `.listing' files generated by FTP
retrievals. Normally, these files contain the raw directory
listings received from FTP servers. Not removing them can be
useful to access the full remote file list when running a mirror,
or for debugging purposes.
Don't know what your version of the docs says, but mine says this:
Maybe useful.
`--spider'
When invoked with this option, Wget will behave as a Web "spider",
which means that it will not download the pages, just check that
they are there. You can use it to check your bookmarks, e.g. with:
wget --spider --force-html -i bookmarks.html
This feature needs much more work for Wget to get close to the
functionality of real WWW spiders.
I'd think you can get something together with wget.
------------------------------
From: [EMAIL PROTECTED] (Steve)
Subject: Re: hosed X font server?
Reply-To: [EMAIL PROTECTED]
Date: 27 Sep 2000 16:01:47 +0100
Hi Bob
You could do a ps -e and see if the font server is running,
it'll either be xfs or xfstt, and maybe both.
If it's not running then you may need to go in as root to
start the font server (I know that mine complains if I
try to start it as a user), then do startx, and if all
goes well, then as root execute /usr/sbin/setup and
make sure that it's running the font server on startup.
Hope some of this helps.
------------------------------
From: [EMAIL PROTECTED] (Steve)
Subject: Re: help - apache DSO
Reply-To: [EMAIL PROTECTED]
Date: 27 Sep 2000 16:01:48 +0100
On Tue, 26 Sep 2000 17:30:07 -0400, segmentationfault wrote:
>Hi and thanks for reading,
>
>How do I compile apache with DSO support... I know how to compile apache
>with php4 and others but how do I activate DSO into apache ?
>yes I've been on http://www.apache.org/docs/dso.html so please don't point
>me there.
>this is the compile command I'm using to compile apache
>
>./configure --prefix=/usr/local/apache-1.3.12 --activate-module=src/modules/
>php4/libphp4.a --enable-module=php4 --enable-rule=SHARED_CORE
>
>do I have to add something in my ./configure command to have DSO support ?
It seems that you're compiling ok, but you need to load the shared
libraries for the modules that you want to run as shared; it told me
this at the url you gave (which I agree is complicated, but it's a
complicated subject). You load those shared modules in httpd.conf
as explained below (from the Apache docs):
LoadModule
Syntax: LoadModule module filename
Context: server config
Status: Base
Module: mod_so
The LoadModule directive links in the object file or library filename and
adds the module structure named module to
the list of active modules. Module is the name of the external variable of
type module in the file. Example (Unix):
LoadModule status_module modules/mod_status.so
Example (Windows):
LoadModule status_module modules/ApacheModuleStatus.dll
loads the named module from the modules subdirectory of the ServerRoot.
------------------------------
From: Steve Wampler <[EMAIL PROTECTED]>
Crossposted-To: comp.os.linux.hardware
Subject: Re: Belkin UPS model F6C525-SER & Linux
Date: Wed, 27 Sep 2000 07:52:06 -0700
David Steuber wrote:
>
> Steve Wampler <[EMAIL PROTECTED]> writes:
>
> ' Try http://www.exploits.org/nut
> '
> ' Let me know if it works for you - I haven't had much luck with
> ' my FC6525 [with this or with the linux drivers supplied by
> ' belkin], but may have a cabling problem.
>
> I found it, but haven't had a chance to build it yet. Other stuff
> came up. Hopefully this week I will build it.
>
> What is the nature of your problem?
>
> I figure if I can't get it to work within the return period, I'll just
> take the thing back and get a UPS that powerd works with.
>
Turns out I had to change the 'nut' code (trivial to do) to connect at 1200
baud instead of 2400 (yes, I know that Belkin says the 525 uses 2400
baud - go figure...). Now it's working fine - I'm even logging
UPS info into a postgresql database (more for grins than anything
else). Use the 'belkin' model driver, not the trust-425+625 one.
The drivers supplied by Belkin for Linux still don't work, and behave
so strangely I've tossed them [no source means no fix, sigh].
I haven't (yet) unplugged my system to see if the powerfail shutdown
works or not. Soon...
--
Steve Wampler- SOLIS Project, National Solar Observatory
[EMAIL PROTECTED]
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: where go get sshd
Date: Wed, 27 Sep 2000 15:14:21 GMT
In article <[EMAIL PROTECTED]>,
Art Haas <[EMAIL PROTECTED]> wrote:
> [EMAIL PROTECTED] writes:
>
> > i'm looking for sshd, the daemon side of ssh.
> > where can i download it? rpm's preferred, source code ok.
> > thanks.
> >
>
> http://www.openssh.com
>
> --
> ###############################
> # Art Haas
> # (713) 689-2417
> ###############################
>
i can only find ssh, no sshd...
------------------------------
From: [EMAIL PROTECTED] (Bill Unruh)
Subject: Re: where go get sshd
Date: 27 Sep 2000 15:20:44 GMT
In <8qss0v$qeh$[EMAIL PROTECTED]> [EMAIL PROTECTED] writes:
>i'm looking for sshd, the daemon side of ssh.
>where can i download it? rpm's preferred, source code ok.
>thanks.
www.openssh.org
ftp.sunet.se/pub/Linux/distributions/mandrake-crypto/RPMS/openss*
------------------------------
From: "Larry Clark" <[EMAIL PROTECTED]>
Crossposted-To: comp.os.linux.redhat,comp.os.linux.setup,comp.os.linux.networking
Subject: Re: IP Masquerading
Date: Wed, 27 Sep 2000 08:41:20 -0700
pardon me but instead of having all that mumbo jumbo in your rc.local file,
this is what I did. made a separate file called it FW, did a chmod 700 fw to
make it executable, then put a symlink in the rc3.d like the rest and then I
have the little boot up scenario with the green [ok] after it loads, sorry
but I like things clean.....
Tom Voltaggio <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> It is loaded as a module and my understanding is that I need
> Ipmasqadm to forward the specific ports that CuSeeme needs.
> No?
>
>
> Robert wrote:
> >
> > Hi,
> >
> > I don't know really, but do you have CUSEEME compiled into your kernel
or
> > loaded the module. Im using ipchains for masquerading and I need a
module
> > for CUSEEME. So maybe that helps....
> >
> > Robert
> >
> > Philippe BLATIERE <[EMAIL PROTECTED]> wrote in the
> > news posting: 01c02572$cc28cfa0$[EMAIL PROTECTED]
> > > Well, I am far from an expert but why do you use ipmasqadm : isn't
> > ipchains
> > > is sufficient ?
> > > Are you sure ipmasqadm and kernel 2.2 are ok together ?
> > > I ask you that question because CUSeeMe, that does not work, is used
with
> > > ipmasqadm
> > > And I know that ipfwadm does not work with kernel 2.2, may be the same
> > with
> > > ipmasqadm ?
> > > May be am I saying something stupid ... may be not !!! this is my
little
> > > help.
> > >
> > > Tom Voltaggio <[EMAIL PROTECTED]> wrote in the article
> > > <[EMAIL PROTECTED]>...
> > > > ...
> > > > I am using Redhat 6.1 with kernel 2.2.12-20.
> > > > ...
> > > > # 1) Flush the rule tables.
> > > > /sbin/ipchains -F input
> > > > ...
> > > > # To forward incoming CUSeeMe ports
> > > > ipmasqadm autofw -A -r udp 7648 7648 -h 192.168.1.2
> > > > ...
> > > > Help!!!!
------------------------------
From: Leonard Evens <[EMAIL PROTECTED]>
Subject: Re: Screwed up LILO; can't boot Windows
Date: Wed, 27 Sep 2000 10:30:30 -0500
"Brett W. Denner" wrote:
>
> I have a two-hard-disk computer with Win98 on the master disk and SuSE
> Linux 6.4 on the secondary.
>
> When I installed SuSE Linux, LILO was set up to boot Linux by default
> and Windows as an option. I used SuSE YaST to try to adjust my LILO
> configuration. Now, I can boot into Linux as an option, but when I try
> to boot into Windows 98 (either by default or explicitly),
> LILO won't boot into Windows.
>
> Below is my LILO configuration file. Can anyone tell me what to look
> for on my system to determine why Windows won't boot?
>
> Thanks,
>
> Brett
>
> # LILO configuration file
> # Start LILO global Section
> # If you want to prevent console users to boot with init=/bin/bash,
> # restrict usage of boot params by setting a passwd and using the
> option
> # restricted.
> #password=bootpwd
> #restricted
> initrd=/boot/initrd
> boot=/dev/hdf3
> #compact # faster, but won't work on all systems.
> linear
> vga=normal
> message=/boot/message
> read-only
> prompt
> timeout=70
> # End LILO global Section
> #
> other = /dev/hde1
> label = windows
> map-drive = 0x80
> to = 0x81
> map-drive = 0x81
> to = 0x80
> table = /dev/hde
>
> #
> image = /boot/vmlinuz
> root = /dev/hdf3
> label = linux
I'm not familiar with YaST, and your disk designations are also
not familiar. But the lilo boot loader has to be on your
first disk. Is that /dev/hdf?
With Windows 98, it is usual to put lilo in the master boot record
of the first disk.
--
Leonard Evens [EMAIL PROTECTED] 847-491-5537
Dept. of Mathematics, Northwestern Univ., Evanston, IL 60208
------------------------------
From: NAVARRO LOPEZ <[EMAIL PROTECTED]>
Crossposted-To: comp.os.linux.admin,comp.os.linux.help,comp.os.linux.security
Subject: Re: BIND ACL Workarounds (was: Re: been hacked...have a question)
Date: Wed, 27 Sep 2000 17:17:17 +0200
Hi Michael:
As you yourself say, take this with a huge lump of salt:
Michael Erskine wrote:
>
> Luke Vogel wrote:
> >
> > Grega Bremec wrote:
> > >
> > > ...and Michael Erskine used the keyboard:
> > > >
> > > >One of the most important things you can do is ensure that DNS is set up
> > > >properly with ACL's in the /etc/named.conf file. That task is
> > > >non-trivial.
> >
> > I would like some clarification on this (ACL's) ... can anyone point me
> > at a good resource for sample configurations etc.
>
> Luke... take my comments with a huge lump of salt. Surely there is
> at least
> one bind wizard in the group... unfortunately he ain't me.
>
> Anyway, as to ACL's I think the big concern with access to bind
> (disregarding
> the possibility of overflows) is zone transfers. First you don't want
> anyone
> who does not NEED to do zone transfers to be able to do that. I don't
> BELIEVE
> it is terribly important who is allowed to query your server BUT you DO
> NOT
> want just anyone to be able to update a cache or download a domain. I
> am
> wide open to the world for queries but only allow zone transfers to one
> other server on the net. He in turn is set up the same way. Nobody is
> allowed
> to update my cache. If I need it I ask for it. It generates a bit more
> traffic but I know who I ask first and I hope he is still trustworthy.
> If he
> isn't my provider is going to be upset with me ;->
>
It is more than repeated that allowing zone transfers is a BAD thing,
though I'm unable to see why. Obviously I understand there's a security
menace if one of your *internal* servers is convinced to transfer zone
data to the Internet, but why not allow my *public* zones to be
transferred? After all, they are public, aren't they??? The most I can
see is a 'security through obscurity' issue here, not to call it plain
and simple FUD.
A different thing is caching and resolving by unauthorized
clients. At least, resolving can become kind of a DoS if too much traffic
is involved (not to talk about possible buffer overflows due to frontier
conditions and all that stuff). About caching, well... If I understood
well, you don't want to cache so each time you can resolve by yourself:
in my opinion (not an expert one, anyway) it only leads to increased
traffic, since either your resolver is "convinced" by a bogus server, or
it is not, but this seems independent of how many times you ask for
resolution (let's say a bogus root name server: it seems to me you will
be as confused asking -to the bogus server- for com root servers each
time you need one, or only asking it once!!
>
> I think the trick to understanding ACL's is to ensure you understand the
> difference between a query and a zone transfer. I am VERY sketchy on
> this
> I could be completely out of the ball park on all of this.
>
Yeah, but leaving apart all FUD, why do you need to be so sketchy?
> >
> > I did read an interesting paper from Craig Rowland of psionic (of
> > PortSentry HostSentry LogCheck fame) and he describes in reasonable
> > detail the steps to put named in a chrooted hole.
>
> That was interesting, wasn't that the paper where the author spoke to
> dual-homing and chrooting bind?
>
Using static libraries it is not such a difficult thing, but although
chrooting 'named' seems reasonable I feel comfortable enough most of the
time just running it as a non-privileged user.
> >
> > I'm wondering if it would be feasible to put other necessary daemons
> > (say sendmail and httpd) into a similar chrooted hole to enhance
> > security yet again?
>
Yes: obviously you can do it. I say "obviously" because there is at
least one very very easy way to chroot *any* application: run it on its
own box!!! Apart from this, everything can be chrooted (in the usual
sense); the problem is whether it will be at a reasonable cost (more on this
later)
> Ok, I have never needed to set up a chrooted environment BUT I believe
> you can chroot just about anything. I can not speak to whether that
> enhances security or not.
>
> One that I wanted to do was to chroot init from a running system. I
> thought one might be able to get a system up and running with networking
> turned off and then chroot a second init with networking running. That
> would make a "box in a box". I have NO IDEA if this is feasible but it
> would be one heck of a tool for building honeypots. I seem to have read
> something about someone doing that long ago to study a cracker.... but
> memory sometimes fails.
>
To my knowledge, building a honeypot or virtual OS support (a la VMware)
are the only reasonable needs to build a complete chrooted environment:
it can be done, but has no other virtues: you build a chrooted
environment either to protect external services or external data. If
the whole stuff is to be in the same jail, once serviceX is compromised,
all the other services and/or data within the same jail will be
compromised too, and in this case it will mean all the useful services
and data on the whole box. Again, the best you can do is use my
suggested 'easy chrooting environment' (Hey! I can even call it "The ECE
Strategy-TM" ;^D ): each critical service/bunch of data on its own box.
--
Cheers,
Jesús
***
[EMAIL PROTECTED]
***
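An added example, not from this thread or from any of its posters, showing one way to express in named.conf the distinction the thread argues about: queries open to anyone, recursion only for your own clients (which bounds the DoS and cache-poisoning exposure mentioned above), and zone transfers only to the one secondary you have agreed with. The addresses, zone name and file paths are placeholders.

```conf
// Added example (not from the thread). Placeholder addresses from the
// 192.0.2.0/24 documentation range and a private 10/8 network.
acl "secondaries" { 192.0.2.53; };            // the one server allowed to AXFR
acl "internal"    { 10.0.0.0/8; 127.0.0.1; }; // clients allowed to recurse

options {
    directory "/var/named";

    // Authoritative answers are public data: anyone may query them.
    allow-query { any; };

    // Recursive lookups on behalf of others are a different service:
    // restrict them to your own clients.
    allow-recursion { "internal"; };

    // Server-wide default: no zone transfers except to the agreed secondary.
    // A zone statement may narrow this further, but not widen it by accident.
    allow-transfer { "secondaries"; };

    // Optional: do not advertise the exact BIND version in CHAOS queries.
    version "not disclosed";
};

zone "example.com" {
    type master;
    file "master/example.com.zone";
    allow-transfer { "secondaries"; };  // repeat explicitly for the public zone
    also-notify { 192.0.2.53; };        // tell the secondary when the zone changes
};
```

Whether the server is public or internal, the transfer ACL is what keeps the whole zone from being pulled by anyone who can reach port 53, while the recursion ACL is what keeps it from being used as an open resolver.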
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and comp.os.linux.misc) via:
Internet: [EMAIL PROTECTED]
Linux may be obtained via one of these FTP sites:
ftp.funet.fi pub/Linux
tsx-11.mit.edu pub/linux
sunsite.unc.edu pub/Linux
End of Linux-Misc Digest
******************************