Linux-Networking Digest #315, Volume #12 Sat, 21 Aug 99 15:13:40 EDT
Contents:
Re: sendmail relaying external mail (Bastian Blank)
Re: connect to www thru linux ("C. Costello")
squid + http-proxy from isp (Norbert Bous)
weird conflict b/w NIC and modem (Marc Dumontier)
Shopping cart need for my Linux Webserver (Accolan)
Re: Disallowing telnet access for one specific account ("YouDontKnowWho")
Re: 3com ISA cards and linux ("Kalkas")
Re: Appending a ext2 filesystem (Magnus Svensson)
Re: 3com ISA cards and linux ("Kalkas")
Re: Converting an NT server to Redhat 6.0 (Peter Caron)
Re: weird conflict b/w NIC and modem ("Phil")
restrict view of user ftp directories (Dennis)
Re: Disallowing telnet access for one specific account (DanH)
Re: Telnet problems (Frank v Waveren)
Re: ethernet switch (Richard Petty)
----------------------------------------------------------------------------
From: Bastian Blank <[EMAIL PROTECTED]>
Crossposted-To: comp.mail.sendmail,de.comp.os.unix.linux.misc,comp.os.linux.misc
Subject: Re: sendmail relaying external mail
Date: 21 Aug 1999 15:30:44 GMT
Mathias Fuerlinger <[EMAIL PROTECTED]> wrote:
> I'm running a Linux (suse) WebServer (apache 1.3.4)
> with 5 Virtual Domains.
> Everything works fine !
> From now on I want to take care about mail.
> Forwarding and receiving is no problem.
> Sending to the 5 'local' Domains is no problem.
> Sending Mail to Domains on WAN reports the following error-msg:
> RELAYING to host [EMAIL PROTECTED] not allowed.
> How can I solve this problem.
> (when I put ".com "in /etc/mail/relay-domains file, mail works fine even
> on WAN !
> but it can't be the solution to put .de, .net, .org .... etc.in the
> relay-domains file
> - any solutions ?)
That is a .newsuser question. You write about a mail problem without
naming the MTA. But since I guess you are using sendmail, read through
the documentation first.
bastian
--
Hi! I'm a .signature virus! Copy me into your ~/.signature to help me spread!
You heard it, so do what he says
------------------------------
From: "C. Costello" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: connect to www thru linux
Date: Sat, 21 Aug 1999 17:19:28 GMT
This site should help (if you haven't seen it already).
http://metalab.unc.edu/LDP/
I'm only about 13 hours new to Linux myself.
[EMAIL PROTECTED] wrote:
> 12 hrs new to linux.
> i can't figure out how to connect to the internet / www through linux.
> i'm using redhat 6.0.
> please help !
> Thanks
------------------------------
Date: Sat, 21 Aug 1999 12:55:26 +0200
From: Norbert Bous <[EMAIL PROTECTED]>
Subject: squid + http-proxy from isp
hi,
I need some advice in setting up squid 2.2. My isp required using his
proxy on port 8080 for http-protocol. Where in squid.conf could I set
this feature?
Thanks
--
(__)
Norbert B(ou)s
/-------\/
/ | || ICQ #39570981
* ||----||
^^ ^^
------------------------------
From: Marc Dumontier <[EMAIL PROTECTED]>
Crossposted-To: comp.os.linux.hardware,comp.os.linux.setup,comp.os.linux.help
Subject: weird conflict b/w NIC and modem
Date: Sat, 21 Aug 1999 13:10:34 -0400
This is my problem:
when i'm using my modem I can't 'modprobe' my NIC.
when i've got my NIC loaded, I can't use the modem.
both devices are trying to use irq3.
i've tried the following:
modprobe ne.o io=0x280 irq=x (where x was all the irq's isapnp told me i
can use)
it loads it up ok -but- when i configure it, it does not work. ONLY on
irq3 can i interact with the network.
Is there a way to get the modem to use a different irq?
or actually any way to fix this problem?
the modem is a USR 28.8 internal.. I don't have the docs for jumpers or
anything
the NIC is a ACERLan 10/100BaseT ISA
thanks in advance.
please send a cc of responses to [EMAIL PROTECTED]
------------------------------
From: Accolan <[EMAIL PROTECTED]>
Subject: Shopping cart need for my Linux Webserver
Date: Sat, 21 Aug 1999 16:39:58 GMT
I am looking for a commercial software package that will run on my
Linux Webserver. I have loaded Redhat Linux 6.0 and am running the
Apache webserver. I need the package to work with Perl 5.0 & MySQL,
allow multiple payment options, tie into a payment processor and I can
customize the package for many different clients with no licensing fees.
Any recommendations would be very appreciated !
------------------------------
From: "YouDontKnowWho" <[EMAIL PROTECTED]>
Crossposted-To: comp.os.linux.security
Subject: Re: Disallowing telnet access for one specific account
Date: Sat, 21 Aug 1999 16:49:27 GMT
This is what I was referring to in a previous post (same thread).
My understanding of hosts.allow/deny is that you CAN check for a user
name, but identification depends on:
1. Whether or not the ident process can get anything from the remote
host. I assume it would deny access if it can't.
2. Whether or not the remote user is trying to login with the same
name he is logged in to the remote host.
As mentioned, you can be UserA on the remote host trying to login as
UserB on the local host. /etc/hosts.allow/deny would not help you
there (I assume, please correct me) because the ident would get a
different user name. The only way to stop the login is by doing
something locally. So you would stop that ACCOUNT from being used for
Telnet (or whatever). You do that by disabling that account from
being able to login, don't you? I realize that the user can login
using ANOTHER account and then SU, but, hey, that's ANOTHER account!
If I had the password to two accounts on your system, I could get in
too.
--
Principle of Minimum Access: "That which is not explicitly permitted
is denied."
ANNOUNCER: And now we return to our regularly scheduled, uncommonly
entertaining thread...
Dave Lugo wrote in message <[EMAIL PROTECTED]>...
>withheld wrote:
>>
>> But in a situation where IP is allocated to specific machines, and where
>> users sit at specific machines, blocking the machine based on IP has the
>> same effect as blocking the user
>
>Huh?
>
>The original poster wanted to block one user from being able to telnet in
>to the box.
>
>You are correct about "where users sit at specific machines...", but
>that wasn't part of the original question. What if users aren't tied
>to a specific IP address?
>
>Using hosts.allow/deny to block based on _username_ is not secure - It
>does an ident of the remote box. It does *not* stop remote user
>okayname from logging in as undesiredname. The checking occurs before
>spawning telnetd/login. Please check the man page for more details.
>
>Using pam_access.so the username passed to login is checked.
>
>Did I miss something?
>
>Dave
>
>
>> Dave Lugo <[EMAIL PROTECTED]> wrote in message
>> news:[EMAIL PROTECTED]...
>> > yan seiner wrote:
>> > >
>> > > Firewalls have no idea who the user is. They only know where a packet
>> > > came from, which way it came in, and where it is heading.
>> > >
>> > > You could block a specific IP, but that user could come in on a
>> > > different IP.
>> > >
>> > > Yan
>> > >
>> > > withheld wrote:
>> > > >
>> > > > how about using a firewall?/
>> > > > Cornel Popescu <[EMAIL PROTECTED]> wrote in message
>> > > > news:7p22do$grn$[EMAIL PROTECTED]...
>> > > > > In article <[EMAIL PROTECTED]>,
>> > > > > [EMAIL PROTECTED] (Robert Nichols) wrote:
>> > > > > > In article <[EMAIL PROTECTED]>,
>> > > > > > David <[EMAIL PROTECTED]> wrote:
>> > > > > > :We have a linux machine that acts as a gateway with a DSL and an FTP
>> > > > > > :server. There is one specific account that only some folks have access
>> > > > > > :to. This account is obviously a generic account but in order to have
>> > > > > > :ftp access the shell has to be something such as bash. Due to the
>> > > > > > :generic nature of the account and the fact that it has a shell, I would
>> > > > > > :like to disable telnet access for just that one account without
>> > > > > > :disabling telnet. Does anyone know how or if this is possible?
>> > > > > >
>> > > > > > Pick an innocuous program like /bin/true and use that as the account's
>> > > > > > shell. Add /bin/true to the list of valid shells in /etc/shells to make
>> > > > > > it acceptable to FTP. Anyone who logs into this account, either from a
>> > > > > > terminal or via telnet, will just get logged right back out again when
>> > > > > > /bin/true exits.
>> > > > > How about using the following script as /bin/noshell:
>> > > > > #!/bin/sh
>> > > > > exec /usr/bin/passwd
>> > > > > --------
>> > > > > and add this to /etc/shells ? This would also allow them to telnet to
>> > > > > that host enter their old pass and change it ...
>> > > > >
>> > > > >
>> > > > >
>> >
>> >
>> > On a RedHat 5.1 box I have, I use pam_access.so (or such)
>> >
>> > I've got this in /etc/pam.d/login:
>> >
>> > account required /lib/security/pam_access.so
>> >
>> >
>> > And here are the comments in /etc/security/access.conf:
>> >
>> >
>> > # Login access control table.
>> > #
>> > # When someone logs in, the table is scanned for the first entry that
>> > # matches the (user, host) combination, or, in case of non-networked
>> > # logins, the first entry that matches the (user, tty) combination. The
>> > # permissions field of that table entry determines whether the login will
>> > # be accepted or refused.
>> > #
>> > # Format of the login access control table is three fields separated by a
>> > # ":" character:
>> > #
>> > # permission : users : origins
>> > #
>> > # The first field should be a "+" (access granted) or "-" (access denied)
>> > # character.
>> > #
>> > # The second field should be a list of one or more login names, group
>> > # names, or ALL (always matches). A pattern of the form user@host is
>> > # matched when the login name matches the "user" part, and when the
>> > # "host" part matches the local machine name.
>> > #
>> > # The third field should be a list of one or more tty names (for
>> > # non-networked logins), host names, domain names (begin with "."), host
>> > # addresses, internet network numbers (end with "."), ALL (always
>> > # matches) or LOCAL (matches any string that does not contain a "."
>> > # character).
>> > #
>> > # If you run NIS you can use @netgroupname in host or user patterns; this
>> > # even works for @usergroup@@hostgroup patterns. Weird.
>> > #
>> > # The EXCEPT operator makes it possible to write very compact rules.
>> > #
>> > # The group file is searched only when a name does not match that of the
>> > # logged-in user. Both the user's primary group is matched, as well as
>> > # groups in which users are explicitly listed.
>> > #
>> > #
>> >
>> >
>> > You can set things up to do exactly what you want.
>> >
>> > --
>> > --------------------------------------------------------
>> > Dave Lugo [EMAIL PROTECTED] LC Unit #260 TINLC
>> > Have you hugged your firewall today? No spam, thanks.
>
>--
>--------------------------------------------------------
>Dave Lugo [EMAIL PROTECTED] LC Unit #260 TINLC
>Have you hugged your firewall today? No spam, thanks.
------------------------------
From: "Kalkas" <[EMAIL PROTECTED]>
Crossposted-To:
at.linux,aus.computers.linux,be.comp.os.linux,comp.os.linux,comp.os.linux.advocacy,comp.os.linux.development.system,comp.os.linux.hardware,comp.os.linux.misc
Subject: Re: 3com ISA cards and linux
Date: Sat, 21 Aug 1999 18:18:24 +0200
Ronald Benedik <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Kalkas wrote:
> >
> > I have been seriously thinking to use Linux and stop using Windows 98. I am
> > fascinated by Linux's stability and security.
> >
> > Therefore, I am seriously planning to install Linux and USE IT.
> >
> > However, it seems that it is not possible for me to use Linux, since I use
> > cable modem with a 3com ISA card. More precisely, I use 3com EtherLink III
> > ISA (3C509/3C509b) network interface card, and there are no drivers which
> > will support my card in Linux.
> >
> > Did someone else have similar problems?
>
> > Regards,
> > Kalkas
>
> I'm using a 3c509b COMBO (PnP/ISA). It definitely does work. There may
> be a problem with the 3c509 (not the b version) in dropping ip packets
> because of its tiny (4kb) buffer. This problem was solved in version b
> (8kb buffer). My Problem was one of dual boot configuration. Win95 puts
> the card in PnP mode and Linux doesn't like that. So my shutdown script
> for windoof puts the card back in non PnP mode and the card uses the
> same irq in linux and windoof, now everything works fine.
>
> for linux drivers check:
>
> http://cesdis.gsfc.nasa.gov/linux/drivers/3c509.html
Ronald,
Thank you for your answer.
I am studying the material (some manuals and HOWTO). I have not yet
installed Linux, since I do not dare to install it alone. I have a friend
who will help me with the installation.
Sincerely Yours,
Kalkas
------------------------------
From: Magnus Svensson <[EMAIL PROTECTED]>
Subject: Re: Appending a ext2 filesystem
Date: Sat, 21 Aug 1999 19:23:37 +0200
Reply-To: [EMAIL PROTECTED]
> >>Seriously, if anyone can name these tools, I'll be eternally grateful. :)
>
> md-tools
> Multi-Disk-HOWTO, chapter 9.3 Multiple devices
>
thnx,
Apparently, it has been succeeded by raidtools-0.90. It's included in RH6.
/Magnus Svensson
[EMAIL PROTECTED]
------------------------------
From: "Kalkas" <[EMAIL PROTECTED]>
Crossposted-To:
at.linux,aus.computers.linux,be.comp.os.linux,comp.os.linux,comp.os.linux.advocacy,comp.os.linux.development.system,comp.os.linux.hardware,comp.os.linux.misc
Subject: Re: 3com ISA cards and linux
Date: Sat, 21 Aug 1999 18:12:26 +0200
Stephen R. Savitzky <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> "Kalkas" <[EMAIL PROTECTED]> writes:
>
> > However, it seems that it is not possible for me to use Linux, since I use
> > cable modem with a 3com ISA card. More precisely, I use 3com EtherLink III
> > ISA (3C509/3C509b) network interface card, and there are no drivers which
> > will support my card in Linux.
>
> Excuse me? I've been using 3C509's of all sorts with Linux for years.
> The driver most definitely exists, it's in the module
>
> /lib/modules/preferred/net/3c509.o
>
> source in
>
> /usr/src/linux/drivers/net/3c509.c
>
Thanks Steve!
That was good news indeed!
I also assume now that Linux should support my monitor and my audio card. My
audio card is Creative Sound Blaster PCI 128, and my monitor is MAG
InnoVision DX15F. Am I correct in my assumption?
Thank you for your help.
Sincerely Yours,
Aleksandar
------------------------------
From: Peter Caron <[EMAIL PROTECTED]>
Crossposted-To: comp.os.linux.setup
Subject: Re: Converting an NT server to Redhat 6.0
Date: Sat, 21 Aug 1999 18:09:58 +0200
This is not only possible, but will offer many advantages.
Begin by reading the information available at http://www.samba.org.
Use the Samba version 2.0.3.8 or higher and implement it as a Primary Domain
Controller. It might be advisable to invest in a book (I suggest
<<Samba:Integrating UNIX and Windows>> by John Blair) or reading all the
relevant Samba Documentation on the above web site 'before' attempting this.
Another recommendation, if you are new to Samba is to use a GUI tool to setup
the smb.conf file. I suggest the Webmin package (http://www.webmin.com/webmin/).
This will help you setup all the parameters necessary to do what you wish.
I have my Linux boxes doing just about everything the NT servers used to do
(except crash of course) and with a noticeable increase in performance.
Good luck.
Anonymous wrote:
> I would like to convert a Pentium 100MHz computer with Windows NT 4 server
> to redhat 6.0. Currently, i have 3 Windows 9x computers and another Redhat
> 6 client that connect to the server. The windows 9x machines login to the
> server, making sure only the right people can login. I have it using
> microsoft networking with the NT machine as a Domain Controller. All the 9x
> machine users must then have their login verified by the domain server to
> access windows. If I put redhat 6 on that computer, can I do anything
> similar to restrict access on the 9x machines (on the server side, i don't
> want to have to configure every computer if a new person comes or goes).
> Thanks for any help you can provide. Please e-mail me, since i have a
> rather slow newsserver, and don't check here often.
>
> Chris Casey
> [EMAIL PROTECTED]
------------------------------
From: "Phil" <[EMAIL PROTECTED]>
Crossposted-To: comp.os.linux.hardware,comp.os.linux.setup,comp.os.linux.help
Subject: Re: weird conflict b/w NIC and modem
Date: Sat, 21 Aug 1999 11:30:59 -0700
USR 28.8 Sportster - lay the card flat with the phone jacks to the upper
right and there are two sets of jumpers on the bottom right.
COM IRQ
XXXX X X X X X
1 2 3 4 2 3 4 5 7
DIP SWITCHES
Defaults
1 off Normal DTR operation - computer must provide DTR - drop DTR = hang up
2 off Text result codes
3 on Enable result codes
4 off Echo keyboard commands
5 on Disable auto-answer
6 off Modem sends CD at connect 0- drops CD at disconnect
7 off Load Y or Y1 config on power up
8 on Enable AT command recognition
Hope this helps,
Phil
Marc Dumontier <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> This is my problem:
> when i'm using my modem I can't 'modprobe' my NIC.
> when i've got my NIC loaded, I can't use the modem.
>
> both devices are trying to use irq3.
>
> i've tried the following:
> modprobe ne.o io=0x280 irq=x (where x was all the irq's isapnp told me i
> can use)
>
> it loads it up ok -but- when i configure it, it does not work. ONLY on
> irq3 can i interact with the network.
>
> Is there a way to get the modem to use a different irq?
> or actually any way to fix this problem?
>
> the modem is a USR 28.8 internal.. I don't have the docs for jumpers or
> anything
> the NIC is a ACERLan 10/100BaseT ISA
>
> thanks in advance.
> please send a cc of responses to [EMAIL PROTECTED]
>
>
------------------------------
From: [EMAIL PROTECTED] (Dennis)
Subject: restrict view of user ftp directories
Date: Sat, 21 Aug 1999 18:22:00 GMT
Hello,
I want to restrict the users who log in via ftp to only their
directory. I don't want them to be able to chdir above their home
directory. Does anyone know how to do this. I know it can be done with
the /etc/ftpaccess and the use of guest but this would require an
entry for each user???
Thanks
Dennis
------------------------------
From: DanH <[EMAIL PROTECTED]>
Crossposted-To: comp.os.linux.security
Subject: Re: Disallowing telnet access for one specific account
Date: Sat, 21 Aug 1999 14:34:14 -0400
YouDontKnowWho wrote:
>
> This is what I was referring to in a previous post (same thread).
>
> My understanding of hosts.allow/deny is that you CAN check for a user
> name, but identification depends on:
>
> 1. Whether or not the ident process can get anything from the remote
> host. I assume it would deny access if it can't.
> 2. Whether or not the remote user is trying to login with the same
> name he is logged in to the remote host.
>
> As mentioned, you can be UserA on the remote host trying to login as
> UserB on the local host. /etc/hosts.allow/deny would not help you
> there (I assume, please correct me) because the ident would get a
> different user name. The only way to stop the login is by doing
> something locally. So you would stop that ACCOUNT from being used for
> Telnet (or whatever). You do that by disabling that account from
> being able to login, don't you? I realize that the user can login
> using ANOTHER account and then SU, but, hey, that's ANOTHER account!
> If I had the password to two accounts on your system, I could get in
> too.
SHIT, SHIT, SHIT.
I feel dumb. There is a file that does EXACTLY what the original poster
(and the Subject of this thread) wants.
Open /etc/security/access.conf and put this line near the bottom, you'll
see where:
-:baduser:ALL EXCEPT LOCAL
Now this person can log in as anyone else and 'su - baduser' but cannot
log onto the box from anywhere but at the keyboard.
Dan
--
UNIX - Not just for vestal virgins anymore
Linux - Choice of a GNU generation
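
An added example, not part of any poster's message and not pam_access's own code: a simplified Python model of the access.conf table described in the comments quoted in this thread, evaluating the rule above with first-match semantics. Every table line except the baduser rule, and all user names and origins, are constructed; accepting a login when no entry matches is an assumption the quoted comments do not state.

```python
# Simplified model of the login access control table (access.conf) as the
# comments quoted in this thread describe it. Handles ALL, LOCAL, EXCEPT,
# ".domain" and "network." patterns only; group names, user@host and NIS
# netgroups are left out.

def item_matches(pattern, value):
    """Match one token of a users or origins list against a string."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":          # quoted definition: string contains no "."
        return "." not in value
    if pattern.startswith("."):     # domain name, e.g. ".example.org"
        return value.endswith(pattern)
    if pattern.endswith("."):       # network number, e.g. "192.168.1."
        return value.startswith(pattern)
    return pattern == value


def list_matches(tokens, value):
    """'A B EXCEPT C' matches when A or B matches and the list after EXCEPT does not."""
    if "EXCEPT" in tokens:
        cut = tokens.index("EXCEPT")
        head, tail = tokens[:cut], tokens[cut + 1:]
    else:
        head, tail = tokens, None
    if not any(item_matches(tok, value) for tok in head):
        return False
    return tail is None or not list_matches(tail, value)


def parse_table(text):
    """Parse 'permission : users : origins' lines; skip blanks and # comments."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError("line %d: expected permission:users:origins" % lineno)
        rules.append((fields[0] == "+", fields[1].split(), fields[2].split()))
    return rules


def login_allowed(rules, user, origin):
    """First entry matching (user, origin) decides the outcome."""
    for allow, users, origins in rules:
        if list_matches(users, user) and list_matches(origins, origin):
            return allow
    return True  # assumption: no matching entry means the login is accepted


# Constructed sample table; only the first rule comes from the thread.
SAMPLE_TABLE = """
# deny baduser everywhere except local origins
-:baduser:ALL EXCEPT LOCAL
+:ALL:.example.org 192.168.1.
-:ALL:ALL EXCEPT LOCAL
"""
RULES = parse_table(SAMPLE_TABLE)

if __name__ == "__main__":
    # Constructed (user, origin) pairs. "wkstn7" is a remote host reported by
    # an unqualified name: with no "." it counts as LOCAL under the quoted
    # definition, so the baduser rule does not apply to it.
    for user, origin in [("baduser", "client.example.org"), ("baduser", "tty1"),
                         ("baduser", "192.168.1.20"), ("alice", "192.168.1.20"),
                         ("alice", "203.0.113.9"), ("baduser", "wkstn7")]:
        verdict = "accept" if login_allowed(RULES, user, origin) else "refuse"
        print("%-8s from %-20s -> %s" % (user, origin, verdict))
```

Because the first matching entry wins, the baduser rule has to sit above any broader "+" line that would otherwise admit the same origin.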
------------------------------
From: [EMAIL PROTECTED] (Frank v Waveren)
Subject: Re: Telnet problems
Date: Sat, 21 Aug 1999 17:11:38 GMT
Check for the existence of an empty /etc/nologin file.
In article <[EMAIL PROTECTED]>,
Yury Donskoy <[EMAIL PROTECTED]> writes:
> Hi there,
>
> I'm having a weird problem with telnet which appears to have recently
> started, I believe after I went from RH 5.2 to Mandrake 6.0. The
> problem is this: telneting from a Win'98 box to my Linux server displays
> the 'issue.net' file, and then dies. I don't even get a 'Login:'
> prompt. But, if I telnet from the Linux box to itself using the box's
> own IP address, everything works correctly. Now, this network of mine,
> everything else works. Samba, FTP, etc. It all works, except for
> telnet. Does anyone have any suggestions? hosts.allow is set
> correctly, and so is hosts.
>
> Thanks.
> Yury.
>
--
Frank v Waveren
[EMAIL PROTECTED]
ICQ# 10074100
------------------------------
From: [EMAIL PROTECTED] (Richard Petty)
Subject: Re: ethernet switch
Date: Sat, 21 Aug 1999 18:18:31 GMT
In article <[EMAIL PROTECTED]>, "Gary R. Skuse, Ph.D."
<[EMAIL PROTECTED]> wrote:
>This week I replaced the 10mbps hub in my network with a 10/100mbps
>switch and didn't get the performance increase I expected. Traffic
>appears to be "bursty". For example I lose packets (10-25%) when I ping
>across the network and ftp transfers are jerky. Has anyone experienced
>this?
>
>FYI, my network consists of two linux boxes, one doing ip masquerading
>whilst attached to my ISP via modem, and several windows boxes. The
>performance I see is consistent regardless of which boxes are
>communicating. Can anyone suggest a way to eliminate the observed
>latencies?
Your network is fine -- probably as good as it can ever be.
Welcome to the Internet.
The problem is that the rest of the Internet can't measure up. As a matter
of fact, delay and poor throughput issues have been raised in the press
recently. Their spin was that a lot of companies are damaging their
reputation with consumers by putting up websites with poor connections to
the Internet, resulting in bad buyer experiences. I definitely agree. They
ought to can some of their graphics and Java professionals and direct
their funds to better connections.
I have a setup in my home that is almost identical to yours. I bought my
10/100 Ethernet switch for the incredible network gaming sessions I host
about once a month. I just wanted to eliminate the network as a culprit to
any problems we might have.
Just the same, I seldom get more than about 250Kbps across the cable modem
from Road Runner's newsgroups, and my connection rates to the Internet
(outside of RR) are seldom much over 80Kbps and frequently much, much less
-- cable's performance was vastly oversold.
The jump from 10Mbps to 100Mbps rating is LOCALLY only. The Ethernet
switch's main forte -- moving data from one node to another on a complex
network -- doesn't apply in simple environments like ours. The switch
sends data to the appropriate, specific recipients only and doesn't
broadcast it to everyone as a mere hub does.
--Richard
--
Spam deterrent: Remove the "bogus" part for a correct address.
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and comp.os.linux.networking) via:
Internet: [EMAIL PROTECTED]
Linux may be obtained via one of these FTP sites:
ftp.funet.fi pub/Linux
tsx-11.mit.edu pub/linux
sunsite.unc.edu pub/Linux
End of Linux-Networking Digest
******************************