Linux-Networking Digest #87, Volume #12 Mon, 2 Aug 99 17:13:53 EDT
Contents:
Re: Multiport NIC ([EMAIL PROTECTED])
fetchmail arguments (Stefan Frings)
Running Bash with Perl ("Timbo")
Re: abit BP6 and ide (Vincent Fox)
Newbie - ipchains question? (ST)
Connecting to internet thru proxy ([EMAIL PROTECTED])
pop3 as root (Stefan Frings)
Re: NCPFS and Netware 4.11 (Gustin Kiffney)
Re: RH6.0 and Netatalk+asun (Bruno Harbulot)
Re: linux ypserv and securenets (Chris)
Re: dynamic ip and mail ("Andrew Taylor")
Network Performance for IPMasq routing (Steve Ledford)
Re: Program to find optimal MTU? (Floyd Davidson)
PAM error from rsh/rcp from cisco to red hat (lcs Mixmaster Remailer)
Re: can't ping host or host IP from host ? (Allen Wong)
Re: resolv.conf ([EMAIL PROTECTED])
----------------------------------------------------------------------------
From: [EMAIL PROTECTED]
Crossposted-To: comp.os.linux.hardware
Subject: Re: Multiport NIC
Date: Mon, 02 Aug 1999 18:45:08 GMT
In article <7nte1e$686$[EMAIL PROTECTED]>,
"Michael Faurot" <[EMAIL PROTECTED]> wrote:
>
> I was looking at the Znyx cards awhile back and was wondering if
> they'll work okay with a 2.0.35 kernel running with RedHat v4.2?
>
They do work with this kernel. Most of the adapters will work with
the standard drivers included in RH4.2. For some models you have
to get a modified driver from the support web site, e.g.:
http://www.znyx.com/drivers/ZX346Q_drivers.htm
Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
------------------------------
From: Stefan Frings <[EMAIL PROTECTED]>
Date: Mon, 02 Aug 1999 19:18:17 GMT
Subject: fetchmail arguments
Hello,
What does 2>&1 mean if I call "fetchmail -a 2>&1"?
------------------------------
From: "Timbo" <[EMAIL PROTECTED]>
Subject: Running Bash with Perl
Date: Mon, 2 Aug 1999 19:58:13 +0100
Greets,
I am having major problems running a bash command from my browser using cgi
and perl.
I have a Linux box on the Network and I want users to have access to a
button that connects them to the net via the isdn line we have installed.
The trouble is no matter which files I give access, the script won't connect
because of no permissions to ippp0. I am going wrong with permissions I know
but where. None of my users can execute bash commands either only root.
I am calling the connection script with 'system( blah blah )'.
Regards
Timbo
------------------------------
From: [EMAIL PROTECTED] (Vincent Fox)
Subject: Re: abit BP6 and ide
Date: 2 Aug 1999 18:53:05 GMT
In <7o4jpd$t4g$[EMAIL PROTECTED]> [EMAIL PROTECTED] writes:
>Has anyone used the ABIT BP6 motherboard with Linux? How well is it
>supported. Any recommendations on a second IDE controller that is well
>supported by linux? I want to set up a raid.
You have 2 regular IDE channels and 2 ATA/66 IDE channels
on the BP6. I guess you could get one of the Promise IDE
controllers to get even more, but isn't 4 enough?
One warning, stay away from the "Fasttrak", the Promise
RAID board, as it is like a WinModem, needs drivers that
are of course only available for Win9x/NT. Just get a
plain old IDE controller and Linux should be able to
recognize it okay.
--
"Who needs horror movies when we have Microsoft"?
-- Christine Comaford, PC Week, 27/9/95
------------------------------
From: [EMAIL PROTECTED] (ST)
Subject: Newbie - ipchains question?
Date: Sun, 01 Aug 1999 19:00:02 GMT
I just installed RH 6.0 on my system and before I connect to the big bad
internet I want to make sure nobody can mess with system. So, I finally
figured out that I have to set up ipchains to block certain connections,
etc. I have a couple of questions:
- Is there a list of setting already written that blocks just about
everything from coming in? I am basically just going to use the
connection to surf.
- In trying to make sure that the rules get set every time I know I need
to use a script like the one in the ipchains HOWTO, but I don't
understand how to "Make sure this is run early in the bootup procedure.
In my case (RH 6.0), I make a symbolic link called
`S39packetfilter' in the `/etc/rcS.d' directory (this will be run before
S40network)." Help???
Any help would be appreciated,
st
------------------------------
Subject: Connecting to internet thru proxy
From: [EMAIL PROTECTED]
Date: 2 Aug 99 15:22:08 EDT
hi all...
I have a Red Hat 6.0 box hooked up on a peer to peer network
This box has absolutely no internet access going to it. However, there is
another machine on my network that has a dedicated internet line (cable modem).
This box, however, happens to be a win 95 box. I know there's a method called
IP Masquerading to be able to hook up a linux box as a proxy server, but is
there any way that I can connect my linux box to the internet through this
win95 machine?
Any and all help would be appreciated
Thx....Mike U.
------------------------------
From: Stefan Frings <[EMAIL PROTECTED]>
Date: Mon, 02 Aug 1999 19:20:16 GMT
Subject: pop3 as root
Hello,
I like to read my root emails on my windows workstation but the pop3
server does not allow this for root. How can I change this?
Bye
------------------------------
From: Gustin Kiffney <[EMAIL PROTECTED]>
Subject: Re: NCPFS and Netware 4.11
Date: Mon, 02 Aug 1999 19:59:21 GMT
[posted and mailed]
Does 'slist' show the OU-level server? Have you tried a simpler
ncpmount line? e.g, if 'server' is the OU server name, try
ncpmount -S server -U yourloginname -P password mnt/
I don't think ncpmount's support for NDS is very complete although
it does work. It's a good idea to unpack and inspect the ncpfs source
to see how much is really working now.
"Mike Andrews" <[EMAIL PROTECTED]> wrote:
> I am running a NetWare 4.11 network. I have a server in an organizational
> unit and one in the root organization. I can mount the server in the root
> just fine, when I run ncpmount with all the specified switches for the
> server in the OU in the tree, it says it can't find it. Does anybody know
> how to configure this for NDS support?
>
> -Mike
>
>
------------------------------
From: Bruno Harbulot <[EMAIL PROTECTED]>
Crossposted-To: comp.protocols.appletalk
Subject: Re: RH6.0 and Netatalk+asun
Date: Mon, 02 Aug 1999 20:16:00 +0200
Mark Bestel wrote:
>
> I am running a linux machine with RedHat 6 and the latest version of
> Netatalk with Appleshare IP support.
>
> There is a G3/350 connected to it via 100Mbit switch.
>
> The linux machine has a disk mirror which maxes out at around 5MB/second
> at the moment (needs tuning).
>
> The maximum transfer rate I can get with file transfers is 1.3MB per
> second. On a wintel machine with SAMBA, I can get at least 5MB/second
> and up to 9.8MB/sec when writing to a single disk.
>
> I am tearing my hair out trying to get some extra performance out of
> this config.
>
> Can anyone give me some pointers?
I had some speed problems with netatalk. I use a NE-2000 PCI compatible
card (10Mbits) on my Linux box and the Mac card is also 10Mbits. The
collision light on my hub couldn't stop blinking.
The trouble was, I think, the NE-2000 PCI card.
At the moment, the NE-2000 PCI card driver (for linux) is not able to
handle full-duplex.
But the EEPROM was set up to handle full-duplex. I used the win/dos
setup tool to change the settings (-> half-duplex).
Now it works fine. The speed is reasonable. There are no collisions
anymore.
I don't know what kind of Ethernet card you have got, but you might
consider checking if its linux module is able to handle full-duplex, and
how your card is configured. If it worked with 10Mbits, it might work
with 100Mbits.
I didn't have that kind of problem with samba...
By the way, have you ever heard of setup tools for the Mac G3 ethernet
cards ?
Bruno Harbulot
[EMAIL PROTECTED]
(please remove "nospam" from the domain name if you answer by e-mail)
------------------------------
From: Chris <[EMAIL PROTECTED]>
Subject: Re: linux ypserv and securenets
Date: Mon, 02 Aug 1999 19:53:11 GMT
In article <7n2s9v$t9f$[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (Britt Bolen) wrote:
> Does the linux ypserv package ignore the /var/yp/securenets file?
>
> I'm unable to lock down ypserv to one subnet on one of my servers.
>
> I've got the file (copied from a Solaris machine where it works) and
> I can't for the life of me figure out why it is being ignored. It has
> just the single line
> 255.255.255.0 xxx.yyy.zzz.0
>
> The server is a standard RHLinux 6 machine, with all errata applied.
>
> thanks,
>
> B
>
>
> =======================================================================
> Britt Bolen [EMAIL PROTECTED] britt.bolen.com
>
Type ypserv --version
If on the end you get a little message that says "(with tcp wrapper)"
that means that it will ignore the securenets file. It then will pay
attention to the hosts.allow and hosts.deny files. If you d'loaded the
binary version, this is almost garunteed (sp?). If you d'loaded the
source, there is a setting that you can change. If in your hosts.deny
file, you block only ypbind, a machine will still bind to that NIS
server. It will then proceed to deny all requests for information, but
it is still bound. To deny the binding, you have to deny portmap
access. Good luck!
Chris
------------------------------
From: "Andrew Taylor" <[EMAIL PROTECTED]>
Subject: Re: dynamic ip and mail
Date: Mon, 2 Aug 1999 19:57:17 +0100
Check out masquerading for sendmail. You need things like
MASQUERADE_AS(Xearthlink.net) in your sendmail.cf file. My advice, read your
sendmail how-to.
Andy
cynique wrote in message ...
>Hi,
>I connect to my isp, earthlink.net, via dialup connection and everything
>works except when I send mail out I get:
>'<<< 501 <root@what I call my box>... Sender domain must exist'
>How can I rectify this without setting my domain as one that already exists?
>What should I make my domain name? Thanks!
>
------------------------------
From: Steve Ledford <[EMAIL PROTECTED]>
Subject: Network Performance for IPMasq routing
Date: Mon, 02 Aug 1999 15:07:53 -0500
Reply-To: [EMAIL PROTECTED]
I've got a question about relative network performance on my Linux box.
I experimented with some traceroutes this weekend and I would like a
quantitative evaluation before I invest a bunch of time in improving
something that I may not be able to improve.
My configuration is a Win95 box connected via 10BaseT to my Linux box,
which is a Cyrix P150, 128K cache, with 64MB RAM all vintage 1996. The
inbound card for my local network is a 3Com 3c905B and my outbound card
to my cable modem is a SMC Ultra. I do have some other services running
on the box such as X (but no one logged on), lpd, named so as to be a
caching nameserver, dhcpcd, some getty's as well as the basic K
processes as I have KDE installed.
The traceroutes showed about 1ms spent on getting to my Linux box, which
is about what I would expect, but then it is spending about 20-40ms,
with about 28ms on average, before it goes off to the cable itself.
Since this is the second entry in the traceroute, with the IP 24.93.43.1
which is my default gateway entry in my route tables on the Linux box, I
am pretty certain that this is the route time internal to my Linux box
to go from the 3com card to the SMC card. Correct?
Maybe I have high expectations but this seems really long! Is it just me
or is this just the way it is? Are there any optimizations that I should
do to the box to improve the performance? Back when it was just doing
dial on demand PPP, I never bothered with local route times because it
was not the bottleneck. Now with the cable, this route time is one of
the larger route times in the whole list and I want to fix it.
Just as a note, I tried turning off my named and using the settings from
the dhcpcd setting my resolv.conf and did not see any noticeable
improvements.
Please e-mail as well
------------------------------
From: [EMAIL PROTECTED] (Floyd Davidson)
Crossposted-To: comp.os.linux.misc
Subject: Re: Program to find optimal MTU?
Date: 2 Aug 1999 18:03:47 GMT
Reply-To: [EMAIL PROTECTED]
Clifford Kite <kite@NoSpam.%inetport.com> wrote:
>Floyd Davidson ([EMAIL PROTECTED]) wrote:
>
>: Steve Snyder <[EMAIL PROTECTED]> wrote:
>: >Is there a program to identify the optimal MTU for a given interface
>: >under Linux v2.2.x? If so, where might I find it?
>
>: That would be impossible, because it depends on what you use the
>: link for as well as how fast it is and what the latency is.
>
>Yes, if "optimal" is defined that way. He may have meant Path MTU which
>is defined as the largest MTU that doesn't fragment packets on any host
>on the path. This is found through the Path MTU Discovery mentioned in
>other replies.
I would assume that if he meant Path MTU that he would have
mentioned Path MTU instead of asking about the optimal MTU for a
given interface, which indicates Link MTU. Path MTU certainly
would be appropriate if he is writing networked applications.
But he is more likely setting up pppd options.
>: For rough idea of what differences you might find, think in
>: terms of efficiency and timing for PPP packets. A PPP packet
>: has 40 bytes of overhead (addressing, etc.), so whatever the mtu
>: is set to, that amount minus 40 bytes is the actual payload.
>
>Actually it's the TCP-IP headers in IP packets riding on PPP that occupy
>the 40 bytes.
Actually... The TCP header is 20 bytes, the IPv4 header is 20
bytes and the PPP frame header is 4 bytes. However, no matter
how one looks at the distribution, the point is that there are
40 bytes of overhead per packet fed to the PPP interface (which
adds 4 more that I was ignoring).
>: For example, if you set the mtu to 128 there will be almost 1/3
>: of each packet that is overhead and does not contribute to data
>: transfer. If you do only large ftp transfers, that would cause a serious
>: increase in the time it takes to transfer each file.
>
>But if the other side accepts Van Jacobson header compression as a PPP
>link option then the header information can be reduced to as few as
>3 bytes.
There are other considerations too. The minimum reassembly
buffer size for IPv4 is 576 bytes. Also, while TCP has a Maximum
Segment Size (MSS) of up to 65535, it defaults to 536 (the 576
minimum buffer minus 40 bytes of overhead for IP and TCP
headers) if none is specified.
TCP applications restrict packets to the MSS size, but UDP does
not automatically limit packets in that manner.
It seems obvious where the common value of 576 for the MTU
derives its value from, and why that would be considered a
maximum setting for MTU. (The minimum link MTU for IPv4 is 68
bytes; however, with normal usage patterns that is not a
practical value.)
However, IPv6 has 40 byte headers (plus the 20 from TCP
headers). IPv6 has a minimum link MTU of 576.
The above suggests that in the immediate future, when IPv4 and
IPv6 are both commonly implemented, a MTU value of 576 will be
the best compromise to fit both versions?
Floyd
--
Floyd L. Davidson [EMAIL PROTECTED]
Ukpeagvik (Barrow, Alaska)
------------------------------
Date: 2 Aug 1999 20:20:01 -0000
From: lcs Mixmaster Remailer <[EMAIL PROTECTED]>
Subject: PAM error from rsh/rcp from cisco to red hat
Running rcp and rsh from cisco ios to red hat linux generates pam denied
log even though it works.
Well, I have tried and it's beat me. I am hopeful some one of greater
experience than myself can help me. I am grateful for all of those that
share their knowledge and experience here, and those of us who ask for
help here should express their thanx more often.
I have a cisco, running IOS Version 11.2(11)P, of which I am trying to
set up rcp and rsh to a linux box running Red Hat 5.2 and Kernel 2.2.4.
I actually have it working, however I get a PAM error in the logs
every time that disturbs me. I have gone through several evolutions of
this, some of them didn't work at all, but cannot clean up the error. I
am not that sharp on PAM, but have studied it best I am able. I can see
NO reason why PAM logs the error from pam_rhosts_auth. Then, having
denied authorization, goes ahead and runs the command.
I am truly hopeful of some insight here. My goal is to clean up the
error and ensure a reasonably secure config, both cisco & linux. I
have documented the current state of everything, best I can and tried
to be complete. I have scrubbed the actual identity for all the
door-knob rattlers out there, but I have managed to keep the scrubbing
consistent so everything is accurately reflected.
Starting with IOS fans, from the cisco router running-config:
ip rcmd rcp-enable
ip rcmd rsh-enable
ip rcmd remote-username snafu
ip host linux 10.10.10.10
these are the config commands running under IOS, seems straightforward
enough. I have created users on linux for both the router name and the
user name. As I slugged my way through the problem, it seems Cisco IOS
likes to use the hostname of the router (in this case "router") as the
default user for rcp and rsh. I had thought the remote-username command
changed that, but according to the logs, the hostname user is still
there. No sweat, create both users and give them the same home
directory.
from linux /etc/passwd:
router:x:501:102::/usr/home/snafu:/bin/ksh
snafu:x:502:102::/usr/home/snafu:/bin/ksh
ok, works good, lasts a long time. Next is the .rhosts file to be
placed in ~snafu, which is also ~router. What follows is where I left
it last. I have had individual entries for both users, one, the other,
and even all three. I have had plus signs and not. I have no host
equivalent or trusted hosts beyond this .rhosts file. I even triple
checked the ip address hoping I had fat fingers.
linux ~snafu/.rhosts:
10.10.10.1
I also went to /etc/pam.d to make sure that I made the .rhosts file
sufficient for both rsh and rlogin. This, I did actually learn, mostly
because I don't have much rlogin/rsh/rcp and had not needed to delve
into PAM that much.
/etc/pam.d/rsh:
auth sufficient /lib/security/pam_rhosts_auth.so
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_pwdb.so
session required /lib/security/pam_pwdb.so
/etc/pam.d/rlogin:
auth sufficient /lib/security/pam_rhosts_auth.so
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_pwdb.so shadow nullok
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_pwdb.so shadow nullok use_authtok
session required /lib/security/pam_pwdb.so
The above is the state of the configurations and stuff I have done. Now,
I log into the router and actually do the dirty deed. For this I
ran rsh for date and pwd on the host linux from router.
rsh from router and Cisco IOS:
router#rsh linux date
Mon Aug 2 11:44:09 EDT 1999
router#rsh linux pwd
/usr/home/snafu
router#
Great. It works, maybe I can apply for my guru robes, but for this one
quirky little detail that I don't understand and shouldn't be there best
I can tell. The logs from the rsh session on linux.
/var/log/messages:
Aug 2 11:44:09 linux pam_rhosts_auth[6082]: denied to [EMAIL PROTECTED] as router: access not allowed
Aug 2 11:44:09 linux PAM_pwdb[6082]: (rsh) session opened for user router by (uid=0)
Aug 2 11:44:14 linux pam_rhosts_auth[6084]: denied to [EMAIL PROTECTED] as router: access not allowed
Aug 2 11:44:14 linux PAM_pwdb[6084]: (rsh) session opened for user router by (uid=0)
So now I am at the crux of the question(s). Why is pam_rhosts_auth
denying a sufficient .rhosts entry when anybody that can log onto
router.foo.bar (10.10.10.1) should be able to rsh, rcp, and rlogin on
snafu's account without a password? router's account as well? Once denied,
why the hell is PAM_pwdb running the dam thing anyway??? I thought this
would be a BIG no no!!
Just for completeness, I try rcp as well. This is really the important
item for copying configuration files around anyway. I get the same thing.
From Cisco IOS, rcp command:
router#copy running-config rcp
Remote host []? linux
Name of configuration file to write [router-confg]? test
Write file test on host 10.10.10.10? [confirm]
Building configuration...
Writing test ! [OK]
router#
It works, but checking linux's logs /var/log/messages:
Aug 2 11:47:15 linux pam_rhosts_auth[6085]: denied to [EMAIL PROTECTED] as snafu: access not allowed
Aug 2 11:47:15 linux PAM_pwdb[6085]: (rsh) session opened for user snafu by (uid=0)
We have the same thing. OK, here the actual user is snafu, because the
remote-user command in running config is explicitly for rcp and not rsh.
But that isn't a big deal, is it? Both should work, anybody that logs
into the router should be able to work, shouldn't it? I guess the hint I haven't been
able to make use of is router is denied in both rcp and rsh, even when snafu and not
router is the user.
Double checking the file in ~snafu:
root@linux > ls -l ~snafu
total 4
-rw-r----- 1 root snafu 1487 Jul 27 14:47 router-confg
-rw-r----- 1 snafu snafu 1892 Aug 2 11:47 test
root@linux >
The file is actually there with a good touch date.
Well, I know it works. Maybe I ought to be happy, but I'm not. If it
were not a security issue and I didn't look at logs with "denied" in
them, I might be happy. I don't know if this is just what I should expect
from PAM or if Cisco IOS is doing something funny behind the scenes.
If anyone has some insight, experienced the problem, or even a couple of
good guesses as how to get rid of the evil "denied" logs and/or
straighten out my configuration, I would truly be appreciative of all
assistance.
Thank you for your time and efforts. I look forward to any replies that
may get posted.
If anyone has questions beyond what I have posted, I will be pleased to
respond with the appropriate info.
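
[Added example, not part of the original post and not Linux-PAM code: a
simplified model of how PAM control flags combine, run over the auth lines
of the /etc/pam.d/rsh file posted above. It assumes pam_rhosts_auth fails
(as the log shows) and pam_nologin succeeds (no /etc/nologin present);
STRICT_RSH is a hypothetical variant with the rhosts check marked required.
Under those assumptions the posted stack grants access, which is consistent
with a "denied" line followed by "session opened".]

```python
# Simplified model of Linux-PAM control-flag evaluation (added example).
# Module outcomes are supplied by the caller; nothing here calls real PAM.

def evaluate(stack, outcomes):
    """Return (granted, trace) for one management group (here: auth).

    stack    -- list of (control, module) in file order
    outcomes -- dict module -> True (module succeeds) / False (module fails)
    """
    status = None            # None = nothing decisive yet
    trace = []
    for control, module in stack:
        ok = outcomes[module]
        trace.append((module, control, "ok" if ok else "fail"))
        if control == "required":
            if not ok:
                status = False             # remembered, stack keeps running
            elif status is None:
                status = True
        elif control == "requisite":
            if not ok:
                return False, trace        # fail immediately
            if status is None:
                status = True
        elif control == "sufficient":
            if ok and status is not False:
                return True, trace         # success ends the stack here
            # a failing "sufficient" module is ignored
        elif control == "optional":
            if ok and status is None:
                status = True              # counts only if nothing else decided
        else:
            raise ValueError("unknown control flag: %s" % control)
    return status is True, trace


def parse_auth(conf_text):
    """Extract (control, module basename) for the auth lines of a pam.d file."""
    stack = []
    for line in conf_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "auth":
            stack.append((fields[1], fields[2].rsplit("/", 1)[-1]))
    return stack


# The file as posted in the message above.
POSTED_RSH = """\
auth sufficient /lib/security/pam_rhosts_auth.so
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_pwdb.so
session required /lib/security/pam_pwdb.so
"""
# Hypothetical variant: the rhosts check must pass.
STRICT_RSH = POSTED_RSH.replace("auth sufficient", "auth required", 1)

# Assumed outcomes: rhosts check fails (as logged), /etc/nologin is absent.
OUTCOMES = {"pam_rhosts_auth.so": False, "pam_nologin.so": True}


def auth_result(conf_text, outcomes=OUTCOMES):
    return evaluate(parse_auth(conf_text), outcomes)


if __name__ == "__main__":
    for name, conf in (("posted", POSTED_RSH), ("rhosts required", STRICT_RSH)):
        granted, trace = auth_result(conf)
        print(name, "->", "GRANTED" if granted else "DENIED", trace)
```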
------------------------------
From: Allen Wong <[EMAIL PROTECTED]>
Subject: Re: can't ping host or host IP from host ?
Date: Mon, 02 Aug 1999 13:19:24 -0700
Owen,
Hint:
/sbin/ifconfig lo0 up
Allen
--
Linux: If you're not careful, you might actually learn something.
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: resolv.conf
Date: Mon, 02 Aug 1999 18:08:21 GMT
As a debugging aid, try running nslookup and then at the prompt enter
the name you are trying to lookup, and see what is output. This will
tell you if the server is running, if it can be reached, etc. This could
give some clues as to what is happening behind the scenes.
Artit J.
In article <XQ2p3.140$[EMAIL PROTECTED]>,
"Don Wahl" <[EMAIL PROTECTED]> wrote:
> > I can't seem to get a nameserver configured. I can ping the nameserver from
>
> check nsswitch.conf to have
> ...
> hosts: files dns
>
> It didn't help, the name lookup still hangs for awhile and then fails.
>
>
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and comp.os.linux.networking) via:
Internet: [EMAIL PROTECTED]
Linux may be obtained via one of these FTP sites:
ftp.funet.fi pub/Linux
tsx-11.mit.edu pub/linux
sunsite.unc.edu pub/Linux
End of Linux-Networking Digest
******************************