Linux-Networking Digest #684, Volume #11         Sat, 26 Jun 99 21:13:45 EDT

Contents:
  Re: Can access internet, can't ping! ("Tim Barnes")
  Re: Need advice on modem (John Westerdale)
  Re: Cluster management - software?? ("Don Mills")
  VMware Advisory ("Team Asylum")
  Re: smb elections ("Don Mills")
  Re: Why not C++ (John E. Davis)
  Re: 192.168/16 vs. 10/8 ([EMAIL PROTECTED])
  Re: FTP and IPchains\Masquerading (Barnaby DiAnni)
  Re: Strange UUCP chat problem (Greg Andrews)
  RH 6.0 and netatalk ("Mark")
  Re: Internet Namespace ("Guo Quin")
  configuring 2 eth cards (jyoung)
  Re: SQUID-user level access?? ("Don Mills")
  Re: FTP and IPchains\Masquerading ("Don Mills")
  Re: NE2000 nic, how to turn off pnp ("Guo Quin")
  Win98 can print but Debian can't! :( (Matt Thompson)
  Re: 192.168/16 vs. 10/8 (Michael Fuhr)

----------------------------------------------------------------------------

From: "Tim Barnes" <[EMAIL PROTECTED]>
Subject: Re: Can access internet, can't ping!
Date: Sat, 26 Jun 1999 23:40:38 GMT

Bill:

Thanks for the note. I thought Wingate was supposed to do the address
translation. Netscape is working from the Linux machine (192.168.254.98)
through the HP (running NT, with internal and external IP addresses
connected by the Wingate software), so the address translation is taking
place at that level.

Wingate provides a specific proxy service for http; there's also one for
ftp. I'm beginning to think I need one for every type of protocol...?

tim.

Bill Unruh <[EMAIL PROTECTED]> wrote in message
news:7l3ag9$fll$[EMAIL PROTECTED]...
> In <lH9d3.24166$[EMAIL PROTECTED]> "Tim Barnes" <[EMAIL PROTECTED]> writes:
> >All my machines have hard IP addresses in the 192.168.254.xxx range, and the
> >HP has a single ethernet card with two IP addresses: the one given by @home,
> >and one for the internal LAN.
>
> 192.168.x.y are illegal IP addresses. That is why you are allowed to
> assign them to your internal network without going through the IP
> address assigners. However, no such address can be addressed from
> anywhere on the net. I.e., no machine can return any packets to you since
> they have no idea where they go. (there are thousands of machines with
> the same IP address in the 192.168 range.)
> You MUST run IP Masquerading. I do not know if it exists for the HP OS.
> It certainly does for linux.
>
>



------------------------------

Crossposted-To: comp.os.linux.hardware,comp.os.linux.setup
From: John Westerdale <[EMAIL PROTECTED]>
Subject: Re: Need advice on modem
Date: Sat, 26 Jun 1999 21:20:33 GMT

I have a Viking 56K internal (ISA) modem running right now.
No complaints!  (check box.... says DOS compatible!).

JDW

-- 
*    mailto:[EMAIL PROTECTED] * Beer Food Unix    *

------------------------------

From: "Don Mills" <dmills{nospam}@techcom.net>
Subject: Re: Cluster management - software??
Date: Sat, 26 Jun 1999 23:48:38 GMT



Tobias Anderberg <[EMAIL PROTECTED]> wrote in article
<[EMAIL PROTECTED]>...
> 
> >Does anyone know of centralized cluster management software for 
> >a group of networked Linux boxes? We have a number of machines that I 
> >would like to administer from a single centralized point. I've not seen 
> >much in the way of Linux software for this purpose. Any ideas?
> 
> www.beowulf.org
<rant>Ignore this idiot. Beowulf is a multiple processing cluster, not a
distributed server cluster or anything like what you are asking...why are
so many people not understanding that point? It seems like every time the
words cluster and Linux are mentioned in the same conversation somebody
shouts out Beowulf when they should be shouting out Fake or LinuxDirector
or any of the other HA solutions people are working on.  If you are a
nuclear physicist attempting to model blast effects from a 100 Megaton
weapon, yes by all means Beowulf is an awesome alternative to higher priced
options (Sun E10000, SGI Origin 2000) but if you are attempting to provide
load balanced or highly available services it will do NOTHING for you.  And
especially to just put the URL with no explanation...thanks Tobias for that
revelation</rant>

Now as for your question, it depends on what type of administration you want
to do...if you are asking if there is a centralized server manager as
with NT server manager the answer is not as such.  If you are looking to
manage user/groups across the enterprise then you have NIS, LDAP/PAM or
some other project like Ganymede.  If you are looking to manage something
else, your options are limited.  SAMBA boxes can be managed by the NT
server manager (if you can take using it)...for anything else you might be
stuck with SNMP if a MIB is included or you can hack one.  At that point
you can use any SNMP compliant manager to run things (HP OpenView,
Unicenter, Scotty/TKined)...of course remote management is also what SSH
was designed for ;-)

-- 
Don Mills
CSA SCNA CCNA CCDA
Network Security Officer/WAN Engineer
VA Dept. of Social Services
[EMAIL PROTECTED]

------------------------------

From: "Team Asylum" <[EMAIL PROTECTED]>
Subject: VMware Advisory
Date: Sat, 26 Jun 1999 17:58:50 -0400


Team Asylum Security
Copyright (c) 1999 By CyberSpace 2000
http://www.cyberspace2000.com/security
Source: Seth L. [[EMAIL PROTECTED]]
Advisory Date: 06/21/99
Release Date: 06/28/99

[ Final Revision: 06/25/99 ]

Affected
========
VMware v1.0.1 and earlier for Linux.

Product Description
===================
VMware v1.0.1 is a software product by VMware, Inc. that creates a
virtual machine in which you can install multiple operating systems
without repartitioning or formatting your hard drive.

Vulnerability Summary
=====================
Team Asylum has found multiple buffer overflows existing in VMware v1.0.1
for Linux.  Earlier versions also have the same buffer overflows.
VMware Inc. has been notified of these overflows and they have released
VMware v1.0.2 as a fix.  Any local user can exploit these overflows to gain
root access.

Fix
---
All users are encouraged to upgrade to VMware v1.0.2.  You may download
it directly off http://www.vmware.com.

Special Thanks
==============
Special thanks to VMware staff for responding quickly to our bug reports.
Within 3 days they managed to fix the overflows, as well as stop the
physical distribution of their v1.0.1 product.  All customers who have
purchased VMware have been notified as of 06/25/99 12:00 midnight (PST)
about the new VMware v1.0.2 version.




------------------------------

From: "Don Mills" <dmills{nospam}@techcom.net>
Subject: Re: smb elections
Date: Sun, 27 Jun 1999 00:00:12 GMT



Robert Renhammar <[EMAIL PROTECTED]> wrote in article
<[EMAIL PROTECTED]>...
> Hi !
> 
> I'm setting up a Linux (Deb. 2.0) as an smb-server (with Samba). This
> machine is supposed to serve 3 old 486s with win95 and one new PII 450 w.
> WinNT. Now I want Samba (on Linux) to be elected master, and no other
> elections are to be made. How do I configure each machine to act this way
> (including the Linux machine) ?
> 
> thanx !!
> 
> \\Robert Rehammar
> 
in smb.conf you need the lines:

local master = yes        (This allows nmbd to participate in browser
                           elections)
preferred master = yes    (This allows nmbd to advertise itself as a
                           preferred master upon bootup, which forces an
                           election that Samba has an advantage to win)
os level = 40             (NT Server is 33, this is high enough to make
                           Samba win)

Note that the book these settings are from "SAMBA Integrating UNIX and
Windows" by John D. Blair kicks much butt, and advises that any NT machines
on the segment be allowed to win the browser elections...

-- 
Don Mills
CSA SCNA CCNA CCDA
Network Security Officer/WAN Engineer
VA Dept. of Social Services
[EMAIL PROTECTED]
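An added example, not from Don's post or from the Samba project: a small
checker that reads the [global] section of an smb.conf and reports whether
the three settings above are present and whether the "os level" actually
beats the NT Server value (33) quoted in the post. The sample smb.conf text
is constructed here; the defaults assumed for absent keys (local master =
yes, preferred master = auto, os level = 20) are the smb.conf(5) defaults.

```python
# Added example: check smb.conf browser-election settings against the
# "NT Server is 33" figure from the post.  Not Samba's own code.
NT_SERVER_OS_LEVEL = 33  # value quoted in the post

# Constructed sample smb.conf built from the three recommended lines.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = OFFICE
   ; browser election settings
   local master = yes
   preferred master = yes
   os level = 40

[homes]
   browseable = no
"""


def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {key: value}}.

    Keys and section names are lower-cased; '#' and ';' comment lines are
    skipped.  Deliberately not a full Samba parser (no 'include', no
    variable substitution).
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def _yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def election_report(text, rival_os_level=NT_SERVER_OS_LEVEL):
    """Summarise the election-related settings and whether Samba outranks
    a rival with the given os level (smb.conf(5) defaults assumed when a
    key is absent)."""
    g = parse_smb_conf(text).get("global", {})
    local = _yes(g.get("local master", "yes"))
    preferred = _yes(g.get("preferred master", "auto"))  # 'auto' is not a forced election
    os_level = int(g.get("os level", "20"))
    return {
        "local master": local,
        "preferred master": preferred,
        "os level": os_level,
        # nmbd can only win if it takes part, and only with a higher os level
        "beats_nt_server": local and os_level > rival_os_level,
    }


def missing_settings(text, rival_os_level=NT_SERVER_OS_LEVEL):
    """Names of the three recommended settings that are absent or too weak."""
    r = election_report(text, rival_os_level)
    missing = []
    if not r["local master"]:
        missing.append("local master")
    if not r["preferred master"]:
        missing.append("preferred master")
    if r["os level"] <= rival_os_level:
        missing.append("os level")
    return missing


if __name__ == "__main__":
    print(election_report(SAMPLE_SMB_CONF))
    print("missing:", missing_settings(SAMPLE_SMB_CONF))
```

Run it against a real smb.conf by reading the file into `election_report`;
an "os level" equal to 33 is reported as insufficient, since an election
is only won outright by the higher value.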


------------------------------

From: [EMAIL PROTECTED] (John E. Davis)
Crossposted-To: comp.os.linux.development.apps,comp.os.linux.development.system
Subject: Re: Why not C++
Date: 26 Jun 1999 21:57:32 GMT
Reply-To: [EMAIL PROTECTED]

On 26 Jun 1999 11:10:23 -0700, Nathan Myers <[EMAIL PROTECTED]>
wrote:
>Classes are not a very powerful feature; you can emulate them pretty 
>well in C.  Exceptions are quite powerful, though of limited use.

You can emulate classes and inheritance but doing so requires ugly
preprocessor hacks that make the code less understandable.  If you
know of another way, then please let me know.

>Far more powerful than either are templates.

I believe that these can also be emulated to a certain extent via the
preprocessor.  But in all honesty, weren't C++ templates one of the
things to avoid when using g++ because of its buggy implementation?  I
realise that egcs may have finally overcome this obstacle, but this
has only come about recently.
-- 
John E. Davis                   Center for Space Research/AXAF Science Center
617-258-8119                    One Hampshire St., Building NE80-6019
http://space.mit.edu/~davis     Cambridge, MA  02139-4307

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: 192.168/16 vs. 10/8
Date: Sat, 26 Jun 1999 21:26:39 GMT

In article <7l19do$6bq$[EMAIL PROTECTED]>,
  Todd Knarr <[EMAIL PROTECTED]> wrote:

> Laziness? New users ask someone who's already set up a real IP network
> for advice. The people they ask probably got a class C network number,
> and they use a class C private network number so they simply can take
> their configuration, change the network numbers and use it pretty much
> verbatim. This leads to more people knowing how to set up a class C
> private network, who pass this on to others, and so on.

But that only works for historical reasons -- there is no such thing as
a class C network any longer [they're now part of the /24 networks].
Some older ethernet cards cared what network class you were using, but
those haven't been on the market for many years.  For most people, there
is absolutely no difference whatsoever between using 10.x.y/24 versus
192.168.z/24.  Everything will "carry over" in exactly the same manner.

> For myself, it's philosophy. I use the smallest class of private
> network number likely to handle the needs of the network.

Networks aren't in "classes" any longer, and haven't been for roughly a
decade.  10.x.y/24 is the same as 192.168.z/24 in every conceivable way,
except that addresses from the first net are capable of being part of
much larger super-nets than those from the second.

> Home networks aren't likely to exceed 254 hosts, so class C fits.

Here you really mean /24 [not class C], and that doesn't preclude using
a /24 subnet of network 10.

> For a company I'd pick the 10 network and do real subnetting, since
> sooner or later they're going to need the address space ( assuming
> they don't go out of business first ).

I'd love to see the company that "needs" 16.7 million IP addresses.  /8
networks are used so that detailed subnetting can occur, and for no
other reason.  My problem is that most people limit themselves to a /24
subnet of a /16 network, which doesn't leave a whole lot of room for
fancy subnetting.  Granted, a lot of people will never care about
learning about [i.e. playing around with] subnetting.  However, that still
doesn't explain why 192.168.z/24 is used almost *exclusively*,
especially considering there are no benefits at all to using such a
network over something from 10/8 [or even 172.16/12].

> The class B private networks seem to be pretty much ignored.

That's an excellent point.  172.16/12 [which is what you mean -- "class
B" no longer exists] *is* almost completely ignored nowadays.  A while
back, I posted about this as well.  Now that you've brought it up, I'll
ask again:  Does *anybody* use the 172.16/12 private network?  ANYONE?

This whole phenomenon of using 192.168/16 almost exclusively, using 10/8
on rare occasions [most new companies, at least those I've dealt with,
use 192.168/16 and *not* 10/8], and _NEVER_ using 172.16/12 has me
completely baffled.  This is _not_ how it was five or six years ago,
when .edu made up the bulk of the internet.  I haven't seen a single
172.16/12 address since I stopped working at a University.

Of course, none of this is really a problem [the users of
poorly-designed networks are the ones who lose out -- they are, after
all, *private* networks, so it doesn't affect me in the slightest :)].
Nonetheless, it disturbs me that I can't find a good *reason* for it.

--
Bill Clark
Systems Architect
ISP Channel
http://neighborhood.ispchannel.com/


Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.

------------------------------

Date: Sat, 26 Jun 1999 14:26:03 -1000
From: Barnaby DiAnni <[EMAIL PROTECTED]>
Subject: Re: FTP and IPchains\Masquerading

Ian wrote:

> Hello I wonder if anyone can help me?
> I have been trying and failing to access a company ftp site that is
> not running on port 21 (the reasons for this are a paranoid IT
> Director who decided it would be best to keep our sensitive data as
> well hidden as possible).
> I am running a small home network using a RH6 machine as my web
> gateway using ipchains\masquerading, everything else works ok just
> the ftp side is giving me hell. I get as far as the LIST -L command in
> my ftp client (Cuteftp) and it just hangs until I stop the process.
> Cute tells me it "couldn't build a data connection".
> Previously I had been running an NT4 machine with Sygate as the
> gateway and it worked fine after I added a rule for the port to the
> config file.
> I have tried adding the ip_masq_ftp module line also including a
> ports=ip_masq_ftp XXX  line to my rc.firewall file but it makes no
> difference, it refuses to play ball.
> I'd hate to go back to using an NT Machine as my gateway but it seems
> I will have to.
> Is it an impossibility or am I missing something obvious. Does NT4 win
> hands down on this occasion?

Ian,

We can do this with Linux we just need more info.  :-)

Are you using a passive or active ftp client?
Are you able to connect and download from this site from your IP Masq
Linux box?
Have you tried to ftp with all your ipchains rules set to accept?
Are you able to connect to other ftp sites?


If you are using an active ftp connection then maybe the below can help.
You need to allow port 20 SYN packets through your IP Chains packet
filter.

This line in my IP chains script works for me:

$IPCHAINS -A input -i $ExtIF -p tcp -s 0/0 20 -d $ExtHostIP 1023: -j ACCEPT
echo -n "            ftp-client"

In English:
ipchains -A (add a rule) input (to the input chain) -i $ExtIF (interface;
variable for my eth0) -p tcp (protocol tcp) -s 0/0 20 (source IP = any,
source port 20) -d $ExtHostIP 1023: (destination IP = variable for my
external IP address; "1023:" means destination port 1023 and above)
-j ACCEPT (let em in ;)

If you are able to get to other ftp sites from a client behind your IP
Masq box then we need to find out on what port this paranoid IT director
is building his ftp-data connections.

Barnaby
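An added example, not part of Barnaby's post and not ipchains code: a small
model of the rule above, run over a handful of constructed packets, so you
can see exactly which inbound TCP segments it admits. $ExtIF and $ExtHostIP
are assumed to be eth0 and 203.0.113.10 (a documentation address); the
other addresses are constructed too. The model also lets you add the
`-y` (SYN-only) match and a narrower `-s` to compare.

```python
# Added example: a model of
#   ipchains -A input -i $ExtIF -p tcp -s 0/0 20 -d $ExtHostIP 1023: -j ACCEPT
# evaluated against constructed packets.  Not the ipchains implementation.
import ipaddress
from dataclasses import dataclass

EXT_IF = "eth0"                                      # assumed value of $ExtIF
EXT_HOST_IP = ipaddress.ip_address("203.0.113.10")   # assumed value of $ExtHostIP


@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn_only: bool = False   # SYN set, ACK and FIN clear (what ipchains -y tests)


def port_range(spec):
    """Parse an ipchains port spec: '20' -> (20, 20); '1023:' -> (1023, 65535);
    ':1023' -> (0, 1023)."""
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0, int(hi) if hi else 65535)
    return (int(spec), int(spec))


def matches_rule(pkt, iface=EXT_IF, src_net="0.0.0.0/0", src_ports="20",
                 dst_host=EXT_HOST_IP, dst_ports="1023:", syn_flag=False):
    """True if pkt is accepted by the rule.  src_net models -s, syn_flag models
    adding -y.  Defaults reproduce the rule as posted (0/0 == 0.0.0.0/0)."""
    if pkt.iface != iface or pkt.proto != "tcp":
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(src_net):
        return False
    if ipaddress.ip_address(pkt.dst) != dst_host:
        return False
    slo, shi = port_range(src_ports)
    dlo, dhi = port_range(dst_ports)
    if not (slo <= pkt.sport <= shi and dlo <= pkt.dport <= dhi):
        return False
    if syn_flag and not pkt.syn_only:
        return False
    return True


# Constructed packets.  198.51.100.7 plays the FTP server; 192.0.2.9 is an
# unrelated host that simply chose source port 20.
SAMPLE_PACKETS = {
    "active ftp data SYN":
        Packet("eth0", "tcp", "198.51.100.7", 20, "203.0.113.10", 1040, True),
    "SYN from port 20 to port 22":
        Packet("eth0", "tcp", "198.51.100.7", 20, "203.0.113.10", 22, True),
    "non-SYN segment from port 20 to a high port":
        Packet("eth0", "tcp", "198.51.100.7", 20, "203.0.113.10", 5555, False),
    "unrelated host using source port 20":
        Packet("eth0", "tcp", "192.0.2.9", 20, "203.0.113.10", 4444, True),
    "same packet on the inside interface":
        Packet("eth1", "tcp", "192.168.1.2", 20, "203.0.113.10", 1040, True),
    "udp from port 20":
        Packet("eth0", "udp", "198.51.100.7", 20, "203.0.113.10", 1040, True),
}


def evaluate(packets=SAMPLE_PACKETS, **rule_opts):
    """Map each sample packet name to whether the rule accepts it."""
    return {name: matches_rule(p, **rule_opts) for name, p in packets.items()}


if __name__ == "__main__":
    for name, accepted in evaluate().items():
        print(f"{'ACCEPT' if accepted else 'drop  '}  {name}")
```

Two things the model makes visible: as posted, the rule matches every TCP
segment (not only SYNs) and every source host, so any peer that sets source
port 20 can reach every port from 1023 up on the gateway. Running
`evaluate(syn_flag=True)` shows the effect of adding ipchains' `-y`, and
`evaluate(src_net="198.51.100.7/32")` the effect of replacing `-s 0/0` with
the FTP server's address; using PASV mode or the ip_masq_ftp module, both
mentioned in the thread, avoids the inbound hole altogether.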


------------------------------

From: [EMAIL PROTECTED] (Greg Andrews)
Crossposted-To: comp.mail.uucp
Subject: Re: Strange UUCP chat problem
Date: 26 Jun 1999 17:16:50 -0700

Chris Huston <[EMAIL PROTECTED]> writes:
>I'm running into a very odd problem with Taylor UUCP version
>1.06.1-16...
>
>When executing UUCP with:
>    "/sbin/uucico -f -r1 -s remote"
>the call fails with an error (in the error log) of "Chat script failed".
>
>Now, without making ANY changes to the system, I rerun uucico with
>debugging on
>    "/sbin/uucico -f -r1 -s remote -x9"
>and it works fine... call succeeds with no problems... I added a "debug
>chat" line to /etc/uucp/config and calls succeed every time.
>
>Any ideas why this might happen? does uucp deal with the serial port
>differently when debugging?
>

Nope.  However, the requirement to send debugging output to stderr
may slow down uucico's execution of the chat script.

Why don't you post the chat script (with login name and password
properly disguised), so we can see if it's vulnerable to timing
problems?

  -Greg

------------------------------

From: "Mark" <[EMAIL PROTECTED]>
Subject: RH 6.0 and netatalk
Date: Sat, 26 Jun 1999 18:40:12 -0500

I recently upgraded from RH 5.2 to RH 6.0. I had netatalk installed, and had
my linux box running as a print server for my LAN. After the upgrade I ran
into an error when I tried to print from any of my Macs; the error prints
out on the page instead of my print job:

Error: /invalidfont in -dict-  Operand stack:  Courier-Bold  --dict:12/25-- 

btw I am running netatalk-1.4b2+asun2.1.3-4 and I couldn't install the dev
package because of conflicts with the built in appletalk support in RH 6.0.

I would appreciate any help; hopefully this issue has been resolved.

Mark Key

------------------------------

From: "Guo Quin" <[EMAIL PROTECTED]>
Subject: Re: Internet Namespace
Date: Sun, 27 Jun 1999 00:26:49 GMT

Hello.
Anybody has a name. Should it also be on internet and "FREE".

Kieu

Tore Fjellheim <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> This may seem as a simple question for some but...
>
> When using the Internet namespace, is it necessary to have an internet
> connection? Or is it just necessary to have the correct header files and
> so on?
>
> What is a namespace anyway? Is it just one way of saying the address is
> like this and the protocol is this a.s.o.
>
> T.F.
>



------------------------------

From: jyoung <[EMAIL PROTECTED]>
Subject: configuring 2 eth cards
Date: Sat, 26 Jun 1999 19:20:44 -0500

I'm using two 3com 3c503s. I've gotten it so that both are up and running
and can be pinged, but when I reboot I lose the configuration for eth1.
I've written an append in lilo.conf and I have two aliases in
conf.modules. I have a feeling I'm not writing my append statement
correctly. Does anyone know where I can get some more info regarding
this? Or better yet, have the answer.
My append statement in lilo.conf looks something like this:

    append = "reserve=0x300,32 ether=3,0x300,eth0 ether=5,0x310,eth1"

The aliases in conf.modules:

    alias eth0 3c503
    alias eth1 3c503
    options -o 3c503-0 io=0x300 irq=3
    options -o 3c503-1 io=0x310 irq=5

Any help will be greatly appreciated. Oh, along these lines: sometimes
some of my systems, when I reboot them, throw away my netmask and
broadcast addresses and use a default. How can I stop this from
happening? Thank you.

John


------------------------------

From: "Don Mills" <dmills{nospam}@techcom.net>
Subject: Re: SQUID-user level access??
Date: Sun, 27 Jun 1999 00:28:01 GMT



SAGAR SRIVASTAVA <[EMAIL PROTECTED]> wrote in article
<7kirhi$[EMAIL PROTECTED]>...
> i'm running squid on REDHAT 5.2 for my LAN and anyone on the LAN can access
> internet through my linux box. I tried access lists but they can provide
> only ip address restriction which is not adequate. Can anyone tell me how to
> configure squid so that users should give passwords before they can access
> internet through this proxy server.
Hmm...I would guess that if you are using TCP wrappers and you have some
scripting/programming skill you could write another wrapper type
script/program which when someone connected on the proxy port made an
authentication call then forwarded the call to Squid?  It would surprise me
if TCP wrappers didn't have this already or someone had made a hack to do
it...

-- 
Don Mills
CSA SCNA CCNA CCDA
Network Security Officer/WAN Engineer
VA Dept. of Social Services
[EMAIL PROTECTED]

------------------------------

From: "Don Mills" <dmills{nospam}@techcom.net>
Subject: Re: FTP and IPchains\Masquerading
Date: Sat, 26 Jun 1999 23:02:58 GMT

> my ftp client (Cuteftp) and it just hangs until I stop the process.
> Cute tells me it "couldnt build a data connection".
Try setting your FTP client to PASV mode...

> I'd hate to go back to using an NT Machine as my gateway but it seems
> I will have to.
> Is it an impossibility or am I missing something obvious. Does NT4 win
> hands down on this occasion?
Wrong newsgroup for that kind of drivel...


-- 
Don Mills
CSA SCNA CCNA CCDA
Network Security Officer/WAN Engineer
VA Dept. of Social Services
[EMAIL PROTECTED]

------------------------------

From: "Guo Quin" <[EMAIL PROTECTED]>
Subject: Re: NE2000 nic, how to turn off pnp
Date: Sun, 27 Jun 1999 00:35:13 GMT

Hello.
have you turned on EMM386.EXE in DOS?
My case: without it, no NE clone in linux.

Kieu

<[EMAIL PROTECTED]> wrote in message news:7kta41$53o$[EMAIL PROTECTED]...
> I was given a machine that seems to have a Novell ne2000 isa pnp card
> inside, but I don't have any of the software that came with the card. It
> seems that I have to turn off pnp for this card to be recognized by
> linux. I have changed the jumper settings to a specific irq on the card
> itself but that does not seem to work, windows still picks it up as pnp.
> Is there any utility for dos that I can download that will let me turn
> off pnp for this card and assign it an irq? Is there any other way to do
> it? Thanks,
>
> gary
>
>
> Sent via Deja.com http://www.deja.com/
> Share what you know. Learn what you don't.



------------------------------

From: [EMAIL PROTECTED] (Matt Thompson)
Crossposted-To: comp.os.linux.setup
Subject: Win98 can print but Debian can't! :(
Date: 27 Jun 1999 00:37:56 GMT

Hello,

I have a small LAN and am having problems printing from one Debian box
to the other.  The workstation is igra and the server is doma.  Here
is doma's /etc/hosts:

127.0.0.1       localhost

216.39.144.57   mail.mattyt.net mail

192.168.1.1     doma.mattyt.net doma
192.168.1.5     igra.mattyt.net igra
192.168.1.10    tpad.mattyt.net tpad
192.168.1.20    jay.mattyt.net  jay

Here is doma's /etc/printcap:

lp|hpdj660c|HPDeskJet660C:\
        :lp=/dev/lp1:sd=/var/spool/lpd/hpdj660c:\
        :sh:pw#80:pl#66:px#1440:mx#0:\
        :if=/etc/magicfilter/dj550c-filter:\
        :af=/var/log/lp-acct:lf=/var/log/lp-errs:

Here is doma's /etc/hosts.lpd:

# /etc/hosts.lpd: list of hosts that are allowed to use the printing
#                 services of this machine.  See lpd(8).
jay
igra
tpad

Here is igra's /etc/printcap:

lp|hpdj660|HPDeskJet660:\
        :sd=/var/spool/lpd/hpdj660:\
        :rm=doma.mattyt.net:\
        :rp=HPDeskJet660C:\
        :lp=/dev/null:\
        :sh:

I can print from tpad (running Win98) just fine using Samba.  Printing
from the command line on doma works fine.  Printing as root on igra
works fine.  The problem is printing as any normal user from igra to
doma.  Here is what doma's /var/log/lpr.log says:

Jun 26 00:42:43 doma lpd[7076]: HPDeskJet660C: job could not be printed (cfA387igra.mattyt.net)
Jun 26 00:42:51 doma lpd[7079]: HPDeskJet660C: job could not be printed (cfA388igra.mattyt.net)
Jun 26 00:43:03 doma lpd[7081]: HPDeskJet660C: job could not be printed (cfA389igra.mattyt.net)

Any help would be greatly appreciated. :)

Cheers.....................

Matthew Thompson       http://mattyt.net
[EMAIL PROTECTED]          http://www.oz.net/~mattyt
--Someday, I'll have a web page.--

------------------------------

From: [EMAIL PROTECTED] (Michael Fuhr)
Subject: Re: 192.168/16 vs. 10/8
Date: 26 Jun 1999 18:55:54 -0600

[EMAIL PROTECTED] writes:

> In article <7l19do$6bq$[EMAIL PROTECTED]>,
>   Todd Knarr <[EMAIL PROTECTED]> wrote:
>
> > The class B private networks seem to be pretty much ignored.
>
> That's an excellent point.  172.16/12 [which is what you mean -- "class
> B" no longer exists] *is* almost completely ignored nowadays.  A while
> back, I posted about this as well.  Now that you've brought it up, I'll
> ask again:  Does *anybody* use the 172.16/12 private network?  ANYONE?

I know of at least four large companies that use 172.16/12.  At least
three of those also use 10/8, 192.168/16, and several public /16s.
It's a real joy when those companies start connecting their networks
and you end up using a lot of NAT to avoid conflicts with the private
addresses.

-- 
Michael Fuhr
http://www.fuhr.org/~mfuhr/
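An added example, not from either of the two 192.168/16 vs. 10/8 posts above:
Python's ipaddress module applied to the three RFC 1918 blocks the thread
discusses. It computes how many /16 and /24 subnets each block holds (the
"room for fancy subnetting" point), and models Michael Fuhr's merger case:
two constructed company address plans, the subnets that collide and would
need NAT, and the first /24 in the mostly ignored 172.16/12 block that
neither plan uses. The company plans are made up for the example.

```python
# Added example: RFC 1918 block capacity and address-plan collision checks.
# Company plans below are constructed, not real networks.
import ipaddress

RFC1918 = {  # the three private blocks the thread discusses
    "10/8": ipaddress.ip_network("10.0.0.0/8"),
    "172.16/12": ipaddress.ip_network("172.16.0.0/12"),
    "192.168/16": ipaddress.ip_network("192.168.0.0/16"),
}

# Constructed plans: both companies picked 192.168.1.0/24, and B's /24 sits
# inside A's /16, so a direct connection between them needs NAT.
COMPANY_A = ["192.168.1.0/24", "192.168.2.0/24", "10.1.0.0/16"]
COMPANY_B = ["192.168.1.0/24", "172.16.0.0/23", "10.1.0.0/24"]


def subnet_capacity(block, new_prefix):
    """Number of /new_prefix subnets that fit in block (0 if block is smaller)."""
    if new_prefix < block.prefixlen:
        return 0
    return 2 ** (new_prefix - block.prefixlen)


def capacity_table(prefixes=(16, 24)):
    """{block name: {prefix length: subnet count}} for the RFC 1918 blocks."""
    return {name: {p: subnet_capacity(net, p) for p in prefixes}
            for name, net in RFC1918.items()}


def host_count(name):
    """Total addresses in a block, e.g. the '16.7 million' of 10/8."""
    return RFC1918[name].num_addresses


def overlapping_plans(plan_a, plan_b):
    """Pairs (a, b) of CIDR strings, one from each plan, that overlap."""
    nets_a = [ipaddress.ip_network(n) for n in plan_a]
    nets_b = [ipaddress.ip_network(n) for n in plan_b]
    return [(str(a), str(b)) for a in nets_a for b in nets_b if a.overlaps(b)]


def nat_needed(plan_a, plan_b):
    """True if the two plans cannot be routed between directly."""
    return bool(overlapping_plans(plan_a, plan_b))


def first_free_subnet(block, prefix, taken):
    """First /prefix subnet of block that overlaps nothing in taken, as a string."""
    taken_nets = [ipaddress.ip_network(n) for n in taken]
    for candidate in block.subnets(new_prefix=prefix):
        if not any(candidate.overlaps(t) for t in taken_nets):
            return str(candidate)
    return None


if __name__ == "__main__":
    for name, row in capacity_table().items():
        print(f"{name:11} /16s={row[16]:>4} /24s={row[24]:>6} hosts={host_count(name)}")
    print("collisions:", overlapping_plans(COMPANY_A, COMPANY_B))
    print("free /24 in 172.16/12:",
          first_free_subnet(RFC1918["172.16/12"], 24, COMPANY_A + COMPANY_B))
```

The table shows why the thread's point stands: 192.168/16 holds exactly one
/16 and 256 /24s, 172.16/12 sixteen /16s and 4096 /24s, 10/8 256 /16s and
65536 /24s; a /24 host configuration carries over identically to any of
them. `overlapping_plans` is the check to run before two private networks
are connected; a non-empty result is the list of subnets that will need
NAT or renumbering.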

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and comp.os.linux.networking) via:

    Internet: [EMAIL PROTECTED]

Linux may be obtained via one of these FTP sites:
    ftp.funet.fi                                pub/Linux
    tsx-11.mit.edu                              pub/linux
    sunsite.unc.edu                             pub/Linux

End of Linux-Networking Digest
******************************
