Re: ipfilter
Hi, I put OpenBSD on my firewall box a few months ago specifically for ipfilter. As Phil Brutsche said the latest ipfilter port for Linux is for the 2.0.x kernels, which is too old. Pointless rambling.. I haven't looked back since moving for ipchains to ipfilter. My rules for ipchains were like 30 lines or more and the ipfilter rules are less than 10, mainly due to the fact that ipfilter is stateful (keeps track of how/when connections we're initiated) while ipchains is not. The nicest thing (among many) about ipfilter is I didn't have to open any ports at all to the network except what I wanted (because it is stateful). With ipchains I had to open 1024-65536 for general surfing. Within an hour or so of switching to ipfilter I started seeing attempts at certain high ports I had never seen blocked before. Unfortunately as far as I can tell netfilter won't be any different than ipchains, they just rewrote the code and changed the syntax. ...End pointless rambling Chris Schleifer P.S. I am by no means an expert on tcp or firewalls, so if I'm wrong someone correct me please. Bob Bernstein wrote: A thousand pardons if this has been a FAQ, but... Would someone be good enough to clue me in on the current status of the ipfilter package as far as Linux is concerned? I've farted around the net looking for stuff and I keep coming up dry. I seem to recall a kernel patch awhile back...? -- Bob Bernstein at http://www.ruptured-duck.com Esmond, R.I., USA -- Unsubscribe? mail -s unsubscribe [EMAIL PROTECTED] /dev/null
Re: oracle 8i
Hi, It works great. There was nothing Red Hat specific as far as I could tell. There are a few tiny problems like the awk problem you discovered (just link /bin/awk to /usr/bin/awk) and their script oraenv didn't work until I'll fixed it. Also they install a few scripts in /usr/bin (oraenv, coraenv) without asking, which is annoying on Debian. Other than that it went well, unless I'm forgetting something. I didn't install it on a production machine and I also installed the standard edition, so your mileage may vary. Chris Schleifer Tiago Antao wrote: Hi! Does anybody has instaled oracle 8i ee in debian? I'd really prefer to install it in debian, but the docs talk about redhat only, and I'm a bit afraid of installing a production oracle on debian. I've already tried for development and tests, and had some problems (with awk and gmake), both solved. Does anybody has had other problems? thanks for any comments, Tiago -- Unsubscribe? mail -s unsubscribe [EMAIL PROTECTED] /dev/null
Re: oracle 8.0.5 and glibc2.1 segfaults
Remco van 't Veer wrote: I sure hope 8i runs on potato. Can anybody confirm this? Regards, Remco Hi, It seems to work fine. Although I only installed it and haven't used it much at all yet. I did do some imports which went normally though. $ sqlplus SQL*Plus: Release 8.1.5.0.0 - Production on Wed Dec 29 17:15:48 1999 (c) Copyright 1999 Oracle Corporation. All rights reserved. Enter user-name: chris Enter password: Connected to: Oracle8i Release 8.1.5.0.0 - Production With the Java option PL/SQL Release 8.1.5.0.0 - Production SQL quit Disconnected from Oracle8i Release 8.1.5.0.0 - Production With the Java option PL/SQL Release 8.1.5.0.0 - Production $ cat /etc/debian_version potato Chris Schleifer
Netscape mail timezones
Hey, There was a thread a week or so ago trying to figure out why Netscape was always stamping GMT times on emails sent from it. I can't find an answer for the problem in the archives yet, and I don't remember there being one on the list. Anyway I found the answer today when this started to bother me (I wanted my boss to see the how late I work! ;-). It wasn't that hard to find, go to http://help.netscape.com/, type timezone in the search box, the answer is the first result returned. The answer is here: http://help.netscape.com/kb/consumer/991108-1.html Basically you need to set the shell variable TZ to your current timezone entry before you start Netscape. The Netscape solution on the link above doesn't apply to Debian though. What I did is add the line export TZ=`cat /etc/timezone` to my ~/.bash_profile, so it gets set whenever I log in. Hope that helps. Chris Schleifer
Re: ipchains and REDIRECT
Hi, I just had to do the same thing as you and had no problems. I am using a 2.2 kernel w/ ipchains and had to forward port 80. The IP Masquerade HOWTO was really helpful to me (http://www.linuxdoc.org/HOWTO/IP-Masquerade-HOWTO.html). Chapter 6 explains exactly how to do port forwarding with 2.2 kernels (http://www.linuxdoc.org/HOWTO/IP-Masquerade-HOWTO-6.html#ss6.8). To summarize what the howto says about port forwarding, it looks like the commands to setup port forwarding have changed from 2.0 to 2.2 which is probably your problem. You don't want to use the REDIRECT rule for ipchains anymore, but a new tool called ipmasqadm to set up port forwarding. It looks like the command you would need is something like: /usr/sbin/ipmasqadm portfw -a -P tcp -L 207.158.172.XXX 2401 -R 192.168.2.2 2401 I am just going off what I read just now in the howto and I really haven't looked at the details of your message so this may not be the only thing you need to do. I would definitely check out the howto for yourself as it's a pretty good one. Chris Schleifer P.S. This uses IPPORTFW which I have compiled into the kernel and you have as a module, this may make a difference. Jonathan Lupa wrote: Hi all, Ever since moving to the 2.2 kernels and switching to ipchains, I have not been able to get redirection working right, and I'm hoping someone can spot what I am doing wrong.. I have a gateway computer called sith, and two computers sitting behind it named rankor and fig. The ppp0 line is [207.158.172.XXX], and my goal is to expose the cvs server running on rankor to the world through port forwarding. (rankor == 192.168.2.2) sith's firewall rules script looks like this: #!/bin/sh export IPCHAINS=/sbin/ipchains if [ -x $IPCHAINS ]; then # Flush current ruleset and apply our default policies $IPCHAINS -F input $IPCHAINS -F output $IPCHAINS -F forward # We start out promiscuous... probably should fix this $IPCHAINS -P output ACCEP $IPCHAINS -P input ACCEPT $IPCHAINS -P forward REJECT # Setup masquerade - all traffic from 192.168.2.0 gets masq-forwarded. $IPCHAINS -A forward -p all -s 192.168.2.0/24 -j MASQ # Stop those evil hackers from seeing telnet passwords $IPCHAINS -A input -p tcp -d 207.158.172.XXX/32 telnet -j REJECT # I don't use NFS, you can be damned well sure I don't use this! $IPCHAINS -A input -p tcp -d 207.158.172.XXX/32 portmapper -j REJECT $IPCHAINS -A input -p udp -d 207.158.172.XXX/32 portmapper -j REJECT $IPCHAINS -A input -p tcp -d 207.158.172.XXX/32 nntp -j REJECT # Punch port 2401 to Rankor's cvs pserver... # $IPCHAINS -A input -b -p tcp -s 207.158.172.XXX/32 2401 -d # 192.168.2.2/32 2401 -j REDIRECT # $IPCHAINS -A input -b -p udp -s 207.158.172.XXX/32 2401 -d # 192.168.2.2/32 2401 -j REDIRECT $IPCHAINS -A input -p tcp -s 0.0.0.0/0 2401 -d 192.168.2.2/32 2401 -j REDIRECT $IPCHAINS -A input -p udp -s 0.0.0.0/0 2401 -d 192.168.2.2/32 2401 -j REDIRECT fi I've tried both the commented out version, and the live redirectcs, and neither seems to work. When I run a program on sith's 2401 port, it actually gets the hit (so it is falling through to the default input rule). Here is the networking portions my kernel (2.2.12) .config file, in case I missed something there... CONFIG_PACKET=y CONFIG_NETLINK=y CONFIG_RTNETLINK=y CONFIG_NETLINK_DEV=y CONFIG_FIREWALL=y CONFIG_FILTER=y CONFIG_UNIX=y CONFIG_INET=y CONFIG_IP_ADVANCED_ROUTER=y CONFIG_RTNETLINK=y CONFIG_NETLINK=y CONFIG_IP_MULTIPLE_TABLES=y CONFIG_IP_ROUTE_MULTIPATH=y CONFIG_IP_ROUTE_VERBOSE=y CONFIG_IP_ROUTE_NAT=y CONFIG_IP_FIREWALL=y CONFIG_IP_FIREWALL_NETLINK=y CONFIG_NETLINK_DEV=y CONFIG_IP_ALWAYS_DEFRAG=y CONFIG_IP_ROUTE_FWMARK=y CONFIG_IP_TRANSPARENT_PROXY=y CONFIG_IP_MASQUERADE=y CONFIG_IP_MASQUERADE_ICMP=y CONFIG_IP_MASQUERADE_MOD=y CONFIG_IP_MASQUERADE_IPAUTOFW=m CONFIG_IP_MASQUERADE_IPPORTFW=m CONFIG_IP_MASQUERADE_MFW=m CONFIG_IP_ROUTER=y CONFIG_NET_IPIP=m CONFIG_SYN_COOKIES=y CONFIG_SKB_LARGE=y CONFIG_IPV6=m CONFIG_IPX=m CONFIG_IPX_INTERN=y CONFIG_SPX=m CONFIG_ATALK=m Thanks in advance for any help and/or pointers on firewalling better. I searched the archive before posting, but for some reason the cgi_bin script isn't working right and I can't access the articles which look like they are related...so apologies if this is just another boring rehash. =) Thanks, -Jonathan -- [EMAIL PROTECTED] GPG public key available from http://www.jamdata.net/~jjlupa/gpg.asc Part 1.2Type: application/pgp-signature
Re: ipchains and REDIRECT
Well now I'm confused I just looked a little more into this and it looks like you should be able to use the REDIRECT rule as long as you said yes to transparent proxy in the kernel config (according to the kernel help and man ipchains). Anyway I guess the best suggestion I can give after all is to take a look at the IP Masquerading and Ipchains HOWTOs. Chris Schleifer Chris Schleifer wrote: Hi, I just had to do the same thing as you and had no problems. I am using a 2.2 kernel w/ ipchains and had to forward port 80. The IP Masquerade HOWTO was really helpful to me (http://www.linuxdoc.org/HOWTO/IP-Masquerade-HOWTO.html). Chapter 6 explains exactly how to do port forwarding with 2.2 kernels (http://www.linuxdoc.org/HOWTO/IP-Masquerade-HOWTO-6.html#ss6.8). To summarize what the howto says about port forwarding, it looks like the commands to setup port forwarding have changed from 2.0 to 2.2 which is probably your problem. You don't want to use the REDIRECT rule for ipchains anymore, but a new tool called ipmasqadm to set up port forwarding. It looks like the command you would need is something like: /usr/sbin/ipmasqadm portfw -a -P tcp -L 207.158.172.XXX 2401 -R 192.168.2.2 2401 I am just going off what I read just now in the howto and I really haven't looked at the details of your message so this may not be the only thing you need to do. I would definitely check out the howto for yourself as it's a pretty good one. Chris Schleifer P.S. This uses IPPORTFW which I have compiled into the kernel and you have as a module, this may make a difference. Jonathan Lupa wrote: Hi all, Ever since moving to the 2.2 kernels and switching to ipchains, I have not been able to get redirection working right, and I'm hoping someone can spot what I am doing wrong.. I have a gateway computer called sith, and two computers sitting behind it named rankor and fig. The ppp0 line is [207.158.172.XXX], and my goal is to expose the cvs server running on rankor to the world through port forwarding. (rankor == 192.168.2.2) sith's firewall rules script looks like this: #!/bin/sh export IPCHAINS=/sbin/ipchains if [ -x $IPCHAINS ]; then # Flush current ruleset and apply our default policies $IPCHAINS -F input $IPCHAINS -F output $IPCHAINS -F forward # We start out promiscuous... probably should fix this $IPCHAINS -P output ACCEP $IPCHAINS -P input ACCEPT $IPCHAINS -P forward REJECT # Setup masquerade - all traffic from 192.168.2.0 gets masq-forwarded. $IPCHAINS -A forward -p all -s 192.168.2.0/24 -j MASQ # Stop those evil hackers from seeing telnet passwords $IPCHAINS -A input -p tcp -d 207.158.172.XXX/32 telnet -j REJECT # I don't use NFS, you can be damned well sure I don't use this! $IPCHAINS -A input -p tcp -d 207.158.172.XXX/32 portmapper -j REJECT $IPCHAINS -A input -p udp -d 207.158.172.XXX/32 portmapper -j REJECT $IPCHAINS -A input -p tcp -d 207.158.172.XXX/32 nntp -j REJECT # Punch port 2401 to Rankor's cvs pserver... # $IPCHAINS -A input -b -p tcp -s 207.158.172.XXX/32 2401 -d # 192.168.2.2/32 2401 -j REDIRECT # $IPCHAINS -A input -b -p udp -s 207.158.172.XXX/32 2401 -d # 192.168.2.2/32 2401 -j REDIRECT $IPCHAINS -A input -p tcp -s 0.0.0.0/0 2401 -d 192.168.2.2/32 2401 -j REDIRECT $IPCHAINS -A input -p udp -s 0.0.0.0/0 2401 -d 192.168.2.2/32 2401 -j REDIRECT fi I've tried both the commented out version, and the live redirectcs, and neither seems to work. When I run a program on sith's 2401 port, it actually gets the hit (so it is falling through to the default input rule). Here is the networking portions my kernel (2.2.12) .config file, in case I missed something there... CONFIG_PACKET=y CONFIG_NETLINK=y CONFIG_RTNETLINK=y CONFIG_NETLINK_DEV=y CONFIG_FIREWALL=y CONFIG_FILTER=y CONFIG_UNIX=y CONFIG_INET=y CONFIG_IP_ADVANCED_ROUTER=y CONFIG_RTNETLINK=y CONFIG_NETLINK=y CONFIG_IP_MULTIPLE_TABLES=y CONFIG_IP_ROUTE_MULTIPATH=y CONFIG_IP_ROUTE_VERBOSE=y CONFIG_IP_ROUTE_NAT=y CONFIG_IP_FIREWALL=y CONFIG_IP_FIREWALL_NETLINK=y CONFIG_NETLINK_DEV=y CONFIG_IP_ALWAYS_DEFRAG=y CONFIG_IP_ROUTE_FWMARK=y CONFIG_IP_TRANSPARENT_PROXY=y CONFIG_IP_MASQUERADE=y CONFIG_IP_MASQUERADE_ICMP=y CONFIG_IP_MASQUERADE_MOD=y CONFIG_IP_MASQUERADE_IPAUTOFW=m CONFIG_IP_MASQUERADE_IPPORTFW=m CONFIG_IP_MASQUERADE_MFW=m CONFIG_IP_ROUTER=y CONFIG_NET_IPIP=m CONFIG_SYN_COOKIES=y CONFIG_SKB_LARGE=y CONFIG_IPV6=m CONFIG_IPX=m CONFIG_IPX_INTERN=y CONFIG_SPX=m CONFIG_ATALK=m Thanks in advance for any help and/or pointers on firewalling better. I searched the archive before posting, but for some reason the cgi_bin script isn't working right and I can't access the articles which look like they are related...so apologies if this is just another boring rehash. =) Thanks, -Jonathan
Re: ipchains and REDIRECT
Aargh, I'm really sorry to reply to myself twice. But I promise I'm done now ;-). I found the post linked to below on deja.com which explains it all. Basically REDIRECT is only for forwarding between ports on the _local_ machine. You need ipmasqadm to forward to another machine. The post: http://x42.deja.com/getdoc.xp?AN=548096449search=threadCONTEXT=943065968.1817182317HIT_CONTEXT=943065968.1817182317hitnum=3 Chris Schleifer
Re: UDP port 1025(Blackjack)
Hi, I don't know a lot about this stuff but I can help a little I think. When you are using a network, ports will get opened on your machine whenever you make a connection, this way the remote machine has somewhere to talk to. This is probably why you are seeing ports open during one scan and closed the next time. Nmap uses an internal database of service to port mapping. When it says Blackjack, it is just a guess as to what could be running on that port. You will see things like nmap telling you Back Orifice is running on a linux box because of this. Take whatever service nmap says with a grain of salt. You can also do 'grep 1025 /etc/services' to do a simple check for yourself. But the main thing I want to suggest is to not use nmap for scanning your machines. Use lsof instead (apt-get install lsof). Lsof is VERY cool and useful for many things. Install it, do 'lsof -i' as root, and it will show you exactly which ports are open, which process is using it, which user owns the process, and more. I run 'lsof -i' after every apt-get upgrade to quickly make sure it hasn't decided to add a server I don't want (happened last week with the changes to netstd in potato). Hope this helps, Chris Schleifer aphro wrote: During the process of closing non important ports on my new server i noticed it has port 1025(UDP) and the service is Blackjack according to nmap. Anyone know what this is? i dont see anything in the dpkg list for blackjack and its not on my machine at home, and its not on my main server. tia nate [mailto:[EMAIL PROTECTED] ]-- Vice President Network Operations http://www.firetrail.com/ Firetrail Internet Services Limited http://www.aphroland.org/ Everett, WA 425-348-7336http://www.linuxpowered.net/ Powered By:http://comedy.aphroland.org/ Debian 2.1 Linux 2.0.36 SMPhttp://yahoo.aphroland.org/ -[mailto:[EMAIL PROTECTED] ]-- 10:51pm up 89 days, 10:24, 2 users, load average: 1.87, 1.81, 1.69 -- Unsubscribe? mail -s unsubscribe [EMAIL PROTECTED] /dev/null
Re: Sources of linux documentation
Hi, I don't know a thing about the debian-guide package and this answer seems obvious so forgive me if I'm offbase here. I see html.sty in the directory you listed but the permissions are wrong. Doing a 'chmod o+r html.sty' in that directory should fix your problem. Chris Schleifer Manuel Arenaz Silva wrote: I've tried some three times to get a book compressed in that bz2 format uncomperessed to a readable version. But no LaTex, TeX or LyX ever could read that stuff. Is there something in general wrong with that bz2 format or are there available some brand new TeX formats, which no Slink latex can read? In first place, you have to decompress the debian-guide.tar.bz2 file by using: tar -xvIf debian-guide.tar.bz2 This command generates following files: -rwxr-xr-x 1 1000 arenaz 55 Jun 10 21:02 clean.sh -rw-r--r-- 1 1000 arenaz 412100 Jul 1 18:16 coart.eps -rw-r--r-- 1 1000 arenaz 347507 Nov 3 12:26 debian-tutorial.tex -rw-r--r-- 1 1000 arenaz 27378 Jun 6 21:32 debian.cls -rw-r--r-- 1 1000 arenaz 8606 Jun 7 03:37 debian10.clo -rw-r--r-- 1 root root 1048 Nov 3 12:05 debian10.log -rw-r- 1 arenaz 340024367 Nov 3 12:11 html.sty drwxr-sr-x 2 1000 arenaz 1024 Jul 1 18:16 images -rwxr-xr-x 1 1000 arenaz258 Jun 11 17:39 remake.sh Now you can compile the file debian-tutorial.tex by using latex. In my linux box the compiling process stops because the file html.sty is not installed. Where can this file by obtained from? Is it available in any package? Thanks, Manuel Arenaz -- Unsubscribe? mail -s unsubscribe [EMAIL PROTECTED] /dev/null
Re: restarting daemons
Hi, To turn off the sunrpc/portmap daemon (or whatever it's called) in potato you can just do an 'update-rc.d -f portmap remove', and '/etc/init.d/portmap stop'. Then it will be off and won't restart. If you ever want it to start up automatically again you'll have know it's priority in the rc?.d dirs though, as update-rc.d removes all the symlinks in those directories. If I remember right in slink you need to comment out several lines in /etc/init.d/netstd_init (netbase,netstd_misc... hmm not sure which), then restart that init.d file. BTW a much better way of seeing what services are listening for connections on your machine (as opposed to portscanning) is to get the package 'lsof' and do an 'lsof -i' as root. Hope that helps, Chris Schleifer Lev Lvovsky wrote: Hello, could someone please let me know how to restart all of the apache www daemons that are running so that it'll read the changes made in the httpd.conf file? 'apache restart' doesn't do anything is there a generally accepted way of doing this for all 'net daemons? also, i'm sruprised nobody knows how to shutoffthe sunrpc daemon (or at least that's what I believe it is when I portscan my machine)...any clues as to where I could find info on this? thank you!! -lev //sig: //Social graces are the packet headers of everyday life -- Unsubscribe? mail -s unsubscribe [EMAIL PROTECTED] /dev/null
Re: Last potato linuxlogo
Hi, Changelogs and bug reports are very helpful... I found this line in /usr/doc/linuxlogo/changelog.Debian.gz: * Added the original swirl files to the debian directory (Fixes #46588). The bug report link (http://www.debian.org/Bugs/db/46/46588.html) mentions the swirl is back in the source package. So it looks like a re-compile is needed in order to get it back. Chris Schleifer [EMAIL PROTECTED] wrote: Until this evening I had linuxlogo displaying the pretty debian swirl. However after the latest potato update I noticed this had changed to a pengouin, which looks very ugly on my screen (the default is squeezed because of the resolution, and the banner mode does not look nice because of my fonts). Is there some hidden option to have it display the debian logo again, or do i have to downgrade it? Thanks, -Lex Part 1.2Type: application/pgp-signature
Re: traceroute: icmp socket: Operation not permitted
There were problems with a version of the netstd package (3.07-8 I think) which was in potato a few days ago. You probably got this version when you upgraded. Try updating to the newest (3.07-9) version, it fixed this problem on mine. Chris Schleifer Phillip Deackes wrote: Today I tried to use traceroute and got the message: traceroute: icmp socket: Operation not permitted This has happened only recently. I tried running the command as root, but got the same message. It appears that this has happened since I last did apt-get dist-upgrade (I use unstable) *or* since I compiled and installed kernel 2.2.12 Any ideas? Thanks very much. -- Phillip Deackes Debian Linux (Potato) -- Unsubscribe? mail -s unsubscribe [EMAIL PROTECTED] /dev/null
Re: Gdm is evil!
Hi, Check /var/state/gdm/:0.log. If it says something like: AUDIT: Wed Aug 11 20:55:24 1999: 174 X: client 1 rejected from local host Xlib: connection to :0.0 refused by server Xlib: Client is not authorized to connect to Server Then check bug #42636 : http://www.debian.org/Bugs/db/42/42636.html It's probably the reason as this causes the exact same behavior for me that your getting. Chris Schleifer John Haggerty wrote: I have spent the past 5 hours bashing my brains out getting gdm to work on my system and it never will! I try to start it and it just displays a blank screen without the window popping up. I tried to do as the README.Debian said and to change the symlinksso that gdm and xdm are isolated in different runlevels. What I did was just to delete S99xdm (the symlink to /etc/init.d/xdm) so that it won't lock the system anymore however it still will not display anything I have installed all of the dependencies however it still hates me! The binary for the login interface program works but does nothing on it's own. I assume this is a problem with pam/config files. I looked at /etc/gdm/Init and say :0 and Default which together has only a single program called xsetroot and some rather cryptic arguments. This appears to be broken or what? Could someone please help me? Separate hype from hope on Wall Street. Visit http://www.streetforce.com -- Unsubscribe? mail -s unsubscribe [EMAIL PROTECTED] /dev/null
