/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! */

Hey Everyone,

Sorry for not sending this out sooner but I've been busy with the recent IP MASQ article in the August edition of "Linux Magazine" and a new BOOK called "Securing Linux: Step by Step" from SANS. The SANS doc will be out in December.

Anyway.. Some serious changes in here folks. You gotta do sendmail at least.

Ps. 247 people on the list now! Kinda low I think but that's ok.

--David

N 8/27/99 Minor changes.. *Sent Update*

------------------

N 8/26/99 Deleted section 44 since it was integrated into section 10. [Section 3]

*C* There is a fragmentation bug in all 2.2.x linux kernels less than 2.2.11 that makes strong IPCHAINS rulesets worthless. Because of this, it is critical that you upgrade your kernel. [Section 5, 10]

G Deleted [Section 44] and integrated it into [Section 10]

N Added pointers to 2.2.x people that need port forwarding to read the IP-MASQ-HOWTO for full details. Currently, TrinityOS only covers 2.0.x's IPPORTFW tool. [Section 11]

------------------

N 8/25/99 Updated the TOC

*C* Vastly updated the Sendmail section and moved up to 8.9.3. You might not believe it but your domain might be an OPEN Relay though you -think- you FIXED it. I'm Serious.. go look at www.orbs.org. I was vulnerable. [Section 25]

-------------------

N 8/13/99 Removed the echo line from the NTP script so people wouldn't get emailed once every 15 minutes. Doh! Didn't have that on my box though it was in TrinityOS. [Section 26]

------------------

G 8/3/99 Added a cool little trick to find out what version and what features were compiled into your version of Sendmail. [Section 25]

------------------

N 8/1/99 Updated the distribution sections to reflect RH6, Slackware 4, and added a little blurb on Mandrake. [Section 6]

------------------

G 7/27/99 Added the .iso, .mp3, and .asf files to the /etc/bruxpat file to have Bru NOT compress those types of files.
[Section 29]

------------------

G 7/19/99 I recently learned that BIND updates its "listening" interfaces every 60 seconds. Thus, if you bring up a PPP interface, BIND will start automatically answering queries on that PPP interface's IP address! This might not be a problem to you but I noticed that after the PPP link was disconnected, named was still listening on that IP address though it was gone. Ack! I have now implemented the "listen-on" option to only allow BIND to listen on the external interface, the internal interface (if you have one), and localhost. [Section 24]

------------------

G 7/18/99 Updated the SSH section to make the recommendation to disable the ability to login as root. Users needing root privs can SU in. [Section 30]

------------------

N 7/14/99 Removed the 2.2.x kernel config from the Future Features section. [Section 3]

G I never realized this but it's important to run pppd's "make kernel" script before you compile the kernel so you get all the various compression codecs into the kernel. [Section 13]

G Added "deflate 15,15" to the /etc/ppp/options file to enable the Gzip-based deflate compressor for PPPd. [Section 22]

--------------------

G 7/13/99 Added the build-it script to aid in the compiling and installation of a new kernel [Section 12]

N Updated the 2.0.x kernel config to reflect a kernel with the IPPORTFW and LooseUDP patches [Section 12]

G Added a 2.2.x kernel config though it applies to different hardware than documented in TrinityOS (the 2.2.x kernel is running on a Dual P-90 box) [Section 12]

------------------

I 7/11/99 Fixed a typo in the IPCHAINS port that named the external interface's IP address variable "EXITIP" instead of the correct "EXTIP". The IPCHAINS ruleset is not v2.97. Thanks to [EMAIL PROTECTED] for the sharp eye.
[Section 10]

------------------

N 7/7/99 Updated the hardware section and partition tables to reflect that /dev/hdb died and added /dev/sdb [Section 3]

N Updated the RAID section to reflect that /dev/hdb is gone and replaced it with /dev/sdb [Section 31]

------------------

N 6/29/99 Updated the URL for PPPd [Section 5]

------------------

N 6/28/99 Changed in the "Future Feature" section the logging of the UPS from 10 sections to 1 second increments [Section 3]

N Added to the "Future Feature" section the rotation of UPS logs and the deletion of "LPR" and replacing it with "LPRng". [Section 3]

N I was notified by [EMAIL PROTECTED] that the file permissions for /usr/bin/lpr were incorrectly set to 4750 instead of 4755 as shown in [Section 47]. I added a little NOTE to the changing of all the file permissions to let users know that the correct LPR setting of 4755 isn't the best for system security. The proper solution is to DELETE LPR and install LPRng. [Section 8]

N I removed the note in the sendlogs area about providing a "multi-user" version of the sendlogs script. The reason I removed this is because too many people were complaining of having things they considered important filtered out. I also removed this offer because I will be putting up a Perl version of this script that will be a lot faster, more efficient, and flexible in the future. [Section 9]

N I added some clarifications and copied the note from [Section 8] about LPR's file permissions into this section. [Section 47]

------------------

.----------------------------------------------------------------------------.
| David A. Ranch - Linux/Networking/PC hardware [EMAIL PROTECTED] |
!---- ----!
`----- For more detailed info, see http://www.ecst.csuchico.edu/~dranch -----'
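
The 7/19/99 entry describes named picking up a PPP address and continuing to listen on it after the link dropped. As an added example (not part of the original post or of TrinityOS), the sketch below audits named's port 53 listeners against an intended listen-on list and the addresses currently assigned to interfaces. The socket listing is constructed in the style of `ss -H -lntup` output, and all addresses are documentation placeholders.

```python
import ipaddress

# Constructed sample in the style of `ss -H -lntup` output (not from the post).
SAMPLE_SS = """\
udp UNCONN 0 0 127.0.0.1:53 0.0.0.0:* users:(("named",pid=812,fd=512))
udp UNCONN 0 0 192.168.0.1:53 0.0.0.0:* users:(("named",pid=812,fd=513))
udp UNCONN 0 0 203.0.113.7:53 0.0.0.0:* users:(("named",pid=812,fd=514))
udp UNCONN 0 0 198.51.100.44:53 0.0.0.0:* users:(("named",pid=812,fd=515))
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=640,fd=3))
"""

def named_listeners(ss_text, port=53):
    """Return the set of local IPs on which a process named 'named' holds port."""
    found = set()
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or '"named"' not in fields[6]:
            continue
        host, _, lport = fields[4].rpartition(":")
        if lport != str(port):
            continue
        host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface
        if host == "*":
            host = "0.0.0.0"
        found.add(ipaddress.ip_address(host))
    return found

def audit(ss_text, intended, assigned):
    """Classify each listener:
    stale      - address is no longer assigned to any interface
    unintended - wildcard, or an assigned address outside the listen-on list
    ok         - assigned and in the listen-on list
    """
    intended = {ipaddress.ip_address(a) for a in intended}
    assigned = {ipaddress.ip_address(a) for a in assigned}
    report = {"ok": [], "unintended": [], "stale": []}
    for ip in sorted(named_listeners(ss_text), key=str):
        if ip.is_unspecified:
            kind = "unintended"
        elif ip not in assigned:
            kind = "stale"
        elif ip not in intended:
            kind = "unintended"
        else:
            kind = "ok"
        report[kind].append(str(ip))
    return report

# Hypothetical listen-on list: localhost, internal and external interfaces.
LISTEN_ON = ["127.0.0.1", "192.168.0.1", "203.0.113.7"]

if __name__ == "__main__":
    # PPP link (198.51.100.44) is already down, so it is not in `assigned`.
    print(audit(SAMPLE_SS, LISTEN_ON, LISTEN_ON))
```
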
