Re: NTP Server

2002-06-27 Thread Phil Brutsche

Raffaele Sandrini wrote:

Hi

Is there a simple way to set up a NTP Server on Debian? I tried the ntp (and 
the ntp-simple | ntp-reclock) package but it seemed that this was only a 
client ntp daemon. It hasn't to be very accurate... just a time server which 
LAN clients can ntpdate to.


The ntp and ntp-simple packages are actually what you're looking for.

The client NTP daemon can handle time synchronization requests for your local 
LAN as well as keep the time synchronized on the host it's running on.



Phil


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]




Re: debian potato's SSH not affected by SSH bug?

2002-06-26 Thread Phil Brutsche

nate wrote:

i sent a message to bugtraq a couple minutes ago asking the
people on the list if any other versions were tested. hoping
that it gets approved, usually takes a few hours or a day to
make it through.

but the way I read the advisory debian potato's SSH should
not be vulnerable to this bug. which would be great news to
me. the advisory only mentions openssh 3.0 and up being
possibly affected. no mention of any other versions being
vulnerable or not vulnerable, and no mention of any other versions
that were tested.

so i'm keepin my hopes up and my firewalls tight in the meantime !


No, potato's ssh packages are vulnerable and updates have been made 
available; DSA-134 contains all the necessary information: 
http://www.debian.org/security/2002/dsa-134.


Note that the upgraded openssh packages require updated openssl packages; it 
looks like the new openssl packages will co-exist with the older version 
that shipped with potato, but I no longer have any potato systems so YMMV.



Phil
ps: it's great to be back on debian-user once again!






Re: [OT] sql database webmail?

2001-08-23 Thread Phil Brutsche
On Wed, 2001-08-22 at 21:21, Eric Boo wrote:
 Hi all,
 
 I would like to ask, which GPL/BSD licensed web mail program out there
 stores info in an SQL database?

Most do.  IMP is fairly nice: http://www.horde.org/imp

 Most importantly, it must store the user and password in the database
 and not touch the /etc/passwd

Most webmail systems just use the IMAP/POP3 daemon to do authentication.
If you have your IMAP/POP3 daemons set to use a SQL database IMP (for
example) will naturally follow.

-- 

Phil



Re: [OT] sql database webmail?

2001-08-23 Thread Phil Brutsche
A long time ago, in a galaxy far, far away, someone said...

 Sorry, but I do not quite understand. If I use imapd with SQL database
 support (what's a good one that does this?), don't I still need to
 create user accounts on the system so the smtp server can deliver to
 the user directory (or some other location).

Depending on the SMTP server you use querying a SQL database for user
account information is trivial.

 I'm actually looking for a web mail that does its own user account
 management. Does such a thing exist?

 IMP doesn't.

Correct.  IMP uses whatever usernames and passwords are used by the IMAP
server.

If your IMAP and SMTP servers use a SQL database for the user accounts IMP
will naturally follow.


Phil



Re: Why so big(2)

2001-08-21 Thread Phil Brutsche
A long time ago, in a galaxy far, far away, someone said...

  | nfs-common install
  | nfs-server install

 I assume that portmap is also installed if these are present.  Remove
 it, too.  Especially on a firewall.

portmap, unfortunately, isn't removable on a potato system.  Trying to
remove it would break dependencies in the netbase package.

Next best thing would be to not have it running.

Another alternative would be to build your own netbase package that
doesn't have that issue, but it's up to you to decide if the effort to do
so is worth it.

  | xfree86-common install
  | xlib6g install
  | xlibs install

 These are arguable.  You really don't need (and therefore shouldn't
 have) an X server on a firewall, but it can be useful to have the
 ability to run X apps remotely.

Yep - Ethereal sure is a nice packet sniffer :)


Phil



Re: forgot root password on head- and keyboardless machine *blush*

2001-08-21 Thread Phil Brutsche
A long time ago, in a galaxy far, far away, someone said...

 Seriously, I've seen LOTS of fuses blow by just hot-plugging the
 keyboard. I don't know whether modern boards are more robust with this
 respect, but I doubt it.

I find that it's heavily dependent on the quality of the motherboard in
question.

My home server (file, mail, web, ldap, what ever the hell I want it to do
today :) doesn't care - it's got an Asus P2B.

tux.creighton.edu (with some no-name SMP motherboard from Taiwan - I swear
it's the last time I buy one of *those*), OTOH, raises holy hell when I
try to hotplug a PS/2 keyboard.

All hail USB!


Phil



Re: PLIP and Windows

2001-08-20 Thread Phil Brutsche
A long time ago, in a galaxy far, far away, someone said...

 Is PLIP compatible with parallel port Direct Cable Connection in
 Windows (i.e., can it be used to network a computer running Linux to
 one running Windows?)

Unfortunately not.  I know of no PLIP implementation that works with
32-bit Windows, and I've looked long and hard.

And I assure you, you aren't the first person to ask this question :)

Unfortunately the only way to network a Windows machine & a Linux machine,
without falling back to ethernet, token ring, or similar technologies,
is to use the serial port :(

 Any caveats?

You mean PLIP caveats?  It's heavily dependent on CPU speeds; I've gotten
upwards of 30kb/sec between a 450MHz PII & a 120MHz Pentium.

 I have several computers networked via 10base2 and would like to add a
 notebook to these, but I have only seen pcmcia cards for
 10baseT/100baseT.

You can get hubs off eBay that have RJ-45 & BNC connectors.

On eBay you'll also likely find a PCMCIA ethernet card that
has both RJ-45 & BNC connectors.


Phil



Re: DriveStatusError BadCRC on hda

2001-08-19 Thread Phil Brutsche
A long time ago, in a galaxy far, far away, someone said...

 What kernel is this?  If you're using 2.4.x or 2.2.x with Andre Hedrick's
 IDE patches this is done automatically.

 It's 2.4.7 (from kernel.org)

 hdparm /dev/hda

 /dev/hda:
  multcount    =  0 (off)
  I/O support  =  1 (32-bit)
  unmaskirq    =  1 (on)
  using_dma    =  1 (on)
  keepsettings =  0 (off)
  nowerr       =  0 (off)
  readonly     =  0 (off)
  readahead    =  8 (on)
  geometry     = 50800/16/63, sectors = 117266688, start = 0

 Do you refer to the I/O 32-bit support thing? (i.e. 32 bits are
 translated to 66mhz 16 bits on the cable?)

No - having 32-bit I/O support enabled can help some, but it's not what
you're looking for.

You're looking for what it says for the using_dma flag.

You can also run

hdparm -t /dev/hda

as root - with UDMA66 you should see results somewhere in the vicinity of
25-30 MB/sec.


Phil



Re: DriveStatusError BadCRC on hda

2001-08-18 Thread Phil Brutsche
A long time ago, in a galaxy far, far away, someone said...

 Hello

 I've seen some messages in the system log and am wondering what to do
 with them:

You may want to consider replacing the IDE cable.  The CRC errors make me
suspicious that it may be bad.  The sector not found errors may be a
side effect of data corruption pointed out by the CRC errors.

[...]

 hda: 117266688 sectors (60041 MB) w/1902KiB Cache, CHS=116336/16/63, UDMA(66)


 BTW: should/could I switch to UDMA/66Mhz or is this done automatically?

It looks like it's done automatically on your computer.

What kernel is this?  If you're using 2.4.x or 2.2.x with Andre Hedrick's
IDE patches this is done automatically.

If you have the hdparm package installed you can check this with

hdparm /dev/hda

as root.  Example output on one of my PII systems running kernel 2.4.9
would be:


/dev/hda:
 multcount    = 16 (on)
 I/O support  =  0 (default 16-bit)
 unmaskirq    =  0 (off)
 using_dma    =  1 (on)
 keepsettings =  0 (off)
 nowerr       =  0 (off)
 readonly     =  0 (off)
 readahead    =  8 (on)
 geometry     = 8374/16/63, sectors = 8440992, start = 0

 BTW II: I also see in dmesg the following - does this really mean
 there is only 256k L2 cache?? Even my G3 macintosh from 2 years ago
 has 1 MB !! This is a 800Mhz Athlon.

This is an Athlon Thunderbird, correct?

Then, yes, it has only a 256kb L2 cache.

There are lots of reasons why a 2 year old G3 Mac has a 1 meg cache and
the Athlon has a 256k cache, all of which are irrelevant given the
difference between the CPU architectures.


Phil



Re: DriveStatusError BadCRC on hda

2001-08-18 Thread Phil Brutsche
A long time ago, in a galaxy far, far away, someone said...

 There are lots of reasons why a 2 year old G3 Mac has a 1 meg cache and
 the Athlon has a 256k cache, all of which are irrelevant given the
 difference between the CPU architectures.

Um, that should read:

There are lots of reasons why a 2 year old G3 Mac has a 1 meg cache and
the Athlon has a 256k cache, all of which are totally dependent on the
difference between the CPU architectures.  Kinda like the "can't compare
clock speed across CPU architectures" argument.


Phil



Re: exim

2001-08-16 Thread Phil Brutsche
A long time ago, in a galaxy far, far away, someone said...

 Under Sid, exim is failing with IPv6 socket creation failed: Invalid
 argument when started via /etc/init.d/exim start or from command line
 as follows.

Let me guess:  You're running Exim 3.32, compiled with IPv6 support (which
is the Debian default), on a system that doesn't have support for IPv6.

It's a known issue with Exim 3.32; expect a 3.33 to be released Real Soon
Now (tm) that doesn't have that problem.

In the meantime, there are 3 ways to get around this problem:

1) setup your computer for IPv6
2) downgrade to Exim 3.31
3) Compile Exim 3.32 without IPv6 support


Phil



Re: syslog reports weird routing problems?

2001-08-14 Thread Phil Brutsche
A long time ago, in a galaxy far, far away, someone said...

 Something's weird..whenever I log into a console and connect to the internet
 I get this: (from syslog and messages too) continuously while I am connected
 to the internet


 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=36242 PROTO=2
 Aug 13 22:52:28 wats kernel: IN=ppp0 OUT= MAC= SRC=209.247.5.159
 DST=224.0.0.1

It's not quite a routing problem - the host at 209.247.5.159 is sending
multicast packets.


Phil



Re: Server/Gateway Linux Box

2001-08-11 Thread Phil Brutsche
A long time ago, in a galaxy far, far away, someone said...

 Hi, I'm building a Linux box that will serve as a server and gateway to split
 internet access from a cable modem to numerous machines (some Linux, some
 Winblows.) I'm putting in 2 network cards and a dual-processor motherboard
 with 2 Pentium II processors.

That's a bit much but if you insist...

 What do I need to do to set it up to perform IP Masquerading,

man ipchains

 and how do I turn on dual-processing support in Linux? Do I just
 compile in Symmetric multiprocessing support into the kernel?

Correct.

 Also, how do I set up file sharing so that every machine on my network
 can access the files on any other?

http://www.samba.org


Phil



Re: uw-imapd and maildirs

2001-08-10 Thread Phil Brutsche
On 09 Aug 2001 23:27:49 -0400, Jaldhar H. Vyas wrote:
 I'm working on fixing up the maildir support in UW imapd 2001 and I need
 some advice from people who use the maildir format for mailboxes.
 
 What should the name of the INBOX be?
 
 $HOME/Mailbox ?
 $HOME/Maildir ?
 ...something else?

Most systems expect and use ~/Maildir.

It should, at a minimum, be compatible with mutt, qmail and
courier-imap, all of which use ~/Maildir.

-- 

Phil



Re: [Way OT] SunOS question

2001-08-10 Thread Phil Brutsche
A long time ago, in a galaxy far, far away, someone said...

 There's a Sun Sparcstation at work that I would like to use virtual
 terminals on, if it's even possible. So, is it ??

What do you mean by virtual terminals?  Like Alt+F1...Alt+Fn on Linux?

Dude, you need to ask that on a Sun mailing list.

http://www.sunhelp.org

 'uname -a' tells me this:

 SunOS fred 4.1.3 1 sun4m

Good god that's old.


Phil



Re: Need Help on EXIM

2001-08-10 Thread Phil Brutsche
A long time ago, in a galaxy far, far away, someone said...

 I'm running Debian 2.2/unstable with imapd and exim. Both are running
 and I am able to read my mails. But I am not able to send mails
 because I am not allowed to relay... I would appreciate a quick 'n
 dirty howto from someone on the list, because it is very hard to read
 man's and other pages besides work and a girl friend! ;o)

 Scenario: My uptime is 24/7; the server is also the local intranet
 router for my windows clients. I have three users who want to access
 exim from the local intranet.

You need to set the host_accept_relay parameter in exim.conf to contain
your local network.  An SMTP AUTH configuration (see below) will also
work.

 Beside this, there are about 4 users (all regular unix-users), who
 should have the possibility to access exim from the internet. Each
 user should be allowed to send wherever he/she wants to; but I do not
 like to set up a spam-over-this-server exim...

You need SMTP AUTH - the mail client sends their username and password to
the mail server.  If the authentication information was correct they're
allowed to relay through.  If these 4 people have static (ie unchanging
over long periods of time) IP numbers you can also use host_accept_relay
(above) to let them relay mail.

The quick and dirty way to do this would be:

In the global section add:

host_accept_relay = /etc/exim/host-relay
host_auth_accept_relay = *
auth_always_advertise = false
exim_user = root

And add this to the very end of the config file, after the rewrite
section:

end

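######################################################################
#                   AUTHENTICATOR CONFIGURATION                      #
######################################################################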

plain:
  driver = plaintext
  public_name = PLAIN
  server_set_id = $2
  server_condition = ${if pam{$2:$3}{1}{0}}

login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = Username:: : Password::
  server_condition = ${if pam{$1:$2}{1}{0}}
  server_set_id = $1

end



Phil
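
Added example (not part of the original message, and not Exim code): what a client sends for the two mechanisms configured above, and how the decoded fields line up with $1, $2 and $3 in the server_condition lines. The account name and password are constructed, and exim_list_items is a simplified model of Exim's colon-separated list splitting, written for this illustration.

```python
import base64

# Constructed client responses for a hypothetical account "alice"; they are
# built here rather than captured so the example runs offline.
SAMPLE_PLAIN = base64.b64encode(b"\x00alice\x00s3cret:pw").decode("ascii")
SAMPLE_LOGIN = [base64.b64encode(s).decode("ascii")
                for s in (b"alice", b"s3cret:pw")]


def decode_plain(response):
    """AUTH PLAIN: one base64 blob holding authzid NUL authcid NUL password.

    The three fields become $1, $2 and $3 in the plaintext driver, which is
    why the `plain` authenticator on the page checks $2 and $3.
    """
    fields = base64.b64decode(response, validate=True).split(b"\x00")
    if len(fields) != 3:
        raise ValueError("expected three NUL-separated fields")
    return {f"${i}": f.decode("utf-8") for i, f in enumerate(fields, 1)}


def decode_login(responses):
    """AUTH LOGIN: one base64 answer per server prompt (Username:, Password:),
    so the user name is $1 and the password is $2."""
    if len(responses) != 2:
        raise ValueError("expected a user name and a password response")
    return {f"${i}": base64.b64decode(r, validate=True).decode("utf-8")
            for i, r in enumerate(responses, 1)}


def exim_list_items(expanded):
    """Simplified model (assumption of this example) of how Exim splits a
    colon-separated list: a doubled colon stands for one literal colon."""
    marker = "\x00"
    return [item.replace(marker, ":").strip()
            for item in expanded.replace("::", marker).split(":")]


def pam_items(user, password, double_colons=False):
    """Items a pam{user:password} condition would see after expansion."""
    if double_colons:
        password = password.replace(":", "::")
    return exim_list_items(f"{user}:{password}")


def report():
    """Decode both sample exchanges and show the list seen by pam{...}."""
    plain = decode_plain(SAMPLE_PLAIN)
    login = decode_login(SAMPLE_LOGIN)
    return {
        "plain": plain,
        "login": login,
        # Password containing ':' is split into two items: wrong password.
        "pam_naive": pam_items(plain["$2"], plain["$3"]),
        # Doubling the colon keeps the password in one item.
        "pam_doubled": pam_items(plain["$2"], plain["$3"], double_colons=True),
    }


if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name}: {value}")
```

Both mechanisms only base64-encode the credentials, and with the pam condition those are system account passwords, so the SMTP session needs transport encryption. A colon inside a password has to be doubled before it reaches pam{...}, or the list splits in the wrong place.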



Re: iptables log random access attempts to my server. why?

2001-08-05 Thread Phil Brutsche
On 05 Aug 2001 13:56:57 +0200, Martin F. Krafft wrote:
 hi all,
 
 recently, i installed a new server in a server farm, but since it
 isn't ready for production yet, it's only running ssh, everything else
 is turned off and blocked with iptables en plus. the ip address is new
 and unknown [1] since i haven't published it yet.
 
 i get connection attempts every 10 minutes or so by random IP
 addresses (i.e. ones that i wouldn't have anything to do with),
 iptables log them as

I would ignore these connect attempts.  I don't know if you've noticed
but the Windows Code Red worm is still going around with a new worm
(using the same exploit, but a new worm) that's been named CodeRed II.

Without knowing what the connection attempt was trying to do the
connection attempt can be explained away by either the worms or someone
mistyping an IP number.

-- 

Phil



Re: Linux player for Sorenson video

2001-08-03 Thread Phil Brutsche
A long time ago, in a galaxy far, far away, someone said...

 I downloaded a QuickTime (tm) .mov-ie from Apple's movie trailers sites.
 Is there any way to play them under GNU/Linux?

Not directly.

 I thought the non-free xanim could do it.

Nope it won't.  Apparently Sorenson won't allow Apple to release the specs
(and won't release the specs themselves) for a non Windows/MacOS decoder
to be written.

A number of alternatives are possible (VMware, Win4Lin, Wine) but I've not
looked into any of them.

 But it seems I've just put a good two-hour+ download to waste.

Unfortunately you did :(

-- 
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc



Re: [OT] Network speed ... again

2001-08-03 Thread Phil Brutsche
On 03 Aug 2001 23:04:14 -0500, Hall Stevenson wrote:
 I was wondering what real-world speeds are of a 100base-t network really
 are.

Not more than 7 megabytes per second.  That's with high quality switches,
patch cables and ethernet cards, though (tulip-based cards & CAT 5
wiring & Cisco Catalyst switches).

4 megabytes per second is easy on my home network - I have (mostly)
cheap Realtek-8139 ethernet cards & cheap switches.

The patch cables are good though :)

 I've got (3) machines here at home, connected to one another via a
 Linksys router/switch. It uses the switch for the LAN side and it's
 rated at 100mb/s (or is it mB/s ??).

It's the little b (mb/s).  Think bits vs Bytes

 All network cards are also rated for 100mb/s. The lights on the switch
 indicate that they're connecting at that speed also.

Ok

 Now, between my machine and my file server, I just got done
 transfering files and saw the speed stabilize at around 15mb/s.

1.5 megabytes per second?  That's awfully slow...

 I've read that on a 10base-T network, getting 5mb/s is good,

Depends on the ethernet card & the rest of the network.  My PowerMacs
(also running Debian) all use their on-board 10mbit ethernet & regularly
get 8-9mbit regularly.  On the other hand the PCI 10mbit cards in some
of my PCs have trouble hitting 7mbit but do 5-6mbit pretty regularly.

 so I assume 50mb/s is good on my network.

It would be ok.  I just did a time trial firewall-file server (both
with Realtek 8139 ethernet cards) & I got 40mbit/s.  I can more than
double that by transferring between my file server & workstation; the
workstation has a Linksys v2 ethernet card.  *Much* nicer card than the
Realteks...

 Of course, I'm nowhere near that.
 Is there anything I can configure differently ??

Make sure that the switch and the ethernet port on the PC agree what
speed & duplex to talk at.  Even disagreeing on the duplex can cause the
speed problem you see.  There are other things as well (rsize & wsize ==
8192 when you mount) that can be done to tune NFS performance.

 I'm using NFS to share disk space.

You shouldn't expect full speed with NFS.  There's a lot of
administrative overhead involved with each NFS mount.  2.4.x also seems
to have some sort of performance problem doing NFS writes...

FTP seems to be a pretty good indicator of speed.

 My machine has an AMD 450mhz processor and 128mb RAM. The filesystem 
 is EXT3 and the kernel is 2.4.7. On the server, it's got a Pentium
 233MMX and 64mb RAM. Its filesystem is ReiserFS. It's running
 Mandrake 8 (unsure of kernel -- it's 2.4.x).

Neither should make a difference... unless the kernel on the Mandrake
system is fairly old.  Early releases of 2.4.x had interaction problems
between reiserfs & nfs that IIRC led to speed degradation.

Try again with either 2.4.6 or 2.4.7 on the server.


Phil



Re: Getting CPU model and speed without rebooting

2001-07-26 Thread Phil Brutsche
A long time ago, in a galaxy far, far away, someone said...

 I want to get the CPU's model and speed without rebooting.

 /proc/cpuinfo (to me anyway) is useless. Unless someone knows how to convert:

 vendor_id   : GenuineIntel
 cpu family  : 6
 model   : 8
 model name  : Pentium III (Coppermine)

 To a PIII/450?

It says PIII in the model name :)

On most (all?) CPUs with MMX divide the BogoMIPS by 2 to get the approx.
clock frequency.

-- 
Phil Brutsche   [EMAIL PROTECTED]



Re: Promise IDE ATA-100 controller on ASUS A7V133

2001-07-26 Thread Phil Brutsche
A long time ago, in a galaxy far, far away, someone said...

 I have an ASUS A7V133 with PDC20265 on-board IDE as well as the standard
 on-board VIA controller.  I am trying to install Debian potato 2.2r3.  I
 need to get it to install from the on-board Promise IDE controller.  I tried
 using the boot: parameter with these parameters, which I retrieved from
 Windows 98 device manager resources:

The default Debian kernel doesn't support this hard drive controller.
You need to use the pre-compiled idepci kernel (it's on the CD someplace),
or install with the idepci floppies to be able to use this card.

Also, if this is an IDE RAID card Linux won't be able to see the second
port on the controller card.

-- 
Phil Brutsche   [EMAIL PROTECTED]



Re: Promise IDE ATA-100 controller on ASUS A7V133

2001-07-26 Thread Phil Brutsche
A long time ago, in a galaxy far, far away, someone said...

 Oh okay.  Yeah the website says there are many kernels in the potato
 distribution.  Among the most recent 2.2.19 kernels are the following:

 kernel-image-2.2.19-idepci 2.2.19-2
 kernel-image-2.2.19pre17-idepci 2.2.19pre17-3

 Weird, why'd they bother including 2.2.19pre17?

No idea.

 So do I just install these like regular deb packages right?

correct.

 And then if Linux boots and sees my ide2, I'll have to update fstab
 with hde instead of hda.

Close.

I would do a test boot off a floppy with the installation disk before you
make any changes.  If it works, *then* you:

 * edit fstab
 * edit lilo.conf
 * run lilo
 * make the hardware change

 Do you know how I can get ide-pci floppies to install with?

I have them here:

http://tux.creighton.edu/debian/dists/potato/main/disks-i386/current/images-1.44/idepci

You also may want to try the

/udma66 floppies as well.

-- 
Phil Brutsche   [EMAIL PROTECTED]



DNS software DJ Bernstein Re: Starting a GPL'ed Blackhole Service to Replace MAPS

2001-07-25 Thread Phil Brutsche
A long time ago, in a galaxy far, far away, someone said...

  Yes I did.  I usually consider the options for a DNS server to be:
 
  Windows (bletch)

 Oh, I assumed we were talking Free Software :)

Oh we are.  I was trying to demonstrate the availability of non-BIND DNS
software.  Like I said: outside of BIND & djbdns there isn't much that's
not crappy, proprietary, or both.

[...]

  dents?

 Yes, that was it ... I've heard rumors that it's dead, so I assume
 it's dead.

Well, with no new releases in two years & no mailing list activity in 18
months...

[...]

  They work for me.  Did you turn on JavaScript in Konqueror?

 No ... new to Konqueror.  Thanks :)

No prob :)

[...]

 Agreed (though I think some of what Bernstein says is twisted and
 presented by his foes out of context).  However, there's no denying
 that he's tough to deal with.

 I'll post the URL if you want to investigate for yourself.

Please do - it's hard to find anything on his website.

 He doesn't place any restrictions on use or modifying the code.  He
 does place a restriction on redistributing modified code, which I find
 odd given his rant about software licenses :)

Yes, that's what gets most people.  Should DJ Bernstein abandon djbdns
like he did with qmail the djbdns users in the world would be in a world
of hurt, trying to get (potentially) incompatible patches sorted out.  Oh,
no, wait, they already do... (I just found djbdns.org)

 To be frank, I think the real reasons djb software is not included in
 Debian and other distributions is because

 1) people don't like him, and

 2) FHS/FSSTND arguments. (For more FHS arguments. check out the
 debian-devel archives over the past few weeks :)

I think this one extends into the source modification - for some reason DJ
Bernstein likes to put his config files (that's a very loose description)
in weird places like under /var; symlinks can't take care of all of them,
so the source has to be modified.

  Yay!  We agree on something! :)

 Possibly even more than one thing :)

:)

-- 
Phil Brutsche   [EMAIL PROTECTED]



Re: Port 6346 scans ?

2001-07-24 Thread Phil Brutsche
A long time ago, in a galaxy far, far away, someone said...

 I have a large supply of connection attempts to port 6346?  Anybody have
 a clue about these? DOS attack (several per second)?  Or some other
 'sploit?  I couldn't find any reference to this port via CERT.

 (seems whomever has given up for now...)

TCP port 6346 is used by the Gnutella person-to-person file sharing
software.  The most likely reasons why you're getting these connections
would be:
 * Someone who once had your IP number ran Gnutella
 * Someone mistyped an IP number in their Gnutella client

Whether you want to call it a DoS attack is up to you :)

-- 
Phil Brutsche   [EMAIL PROTECTED]
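
Added example (not from the original posts): a small triage pass over packet-filter log lines of the kind quoted in the syslog thread and the port 6346 thread on this page, separating IGMP/multicast traffic and Gnutella connection attempts from entries that still need a look. The log lines are constructed, the hosts use documentation address ranges, and the category names are this example's own.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample in the iptables LOG format. Hosts use documentation
# address ranges; 224.0.0.1 is the all-hosts multicast group.
SAMPLE_LOG = """\
Aug 13 22:52:28 wats kernel: IN=ppp0 OUT= MAC= SRC=192.0.2.159 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=36242 PROTO=2
Jul 24 01:10:02 fw kernel: IN=eth0 OUT= MAC= SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4411 DF PROTO=TCP SPT=3921 DPT=6346 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 24 01:10:02 fw kernel: IN=eth0 OUT= MAC= SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4412 DF PROTO=TCP SPT=3922 DPT=6346 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 24 01:10:03 fw kernel: IN=eth0 OUT= MAC= SRC=198.51.100.44 DST=203.0.113.10 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=901 DF PROTO=TCP SPT=1188 DPT=6346 WINDOW=8192 RES=0x00 SYN URGP=0
Jul 24 01:12:40 fw kernel: IN=eth0 OUT= MAC= SRC=198.51.100.90 DST=203.0.113.10 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=77 DF PROTO=TCP SPT=2044 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0
Jul 24 01:12:41 fw sshd[412]: Accepted publickey for admin from 203.0.113.5
"""

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line):
    """Return the KEY=value fields of a kernel packet log line, or None."""
    if "kernel:" not in line:
        return None
    payload = line.split("kernel:", 1)[1]
    fields = dict(FIELD_RE.findall(payload))
    try:
        fields["SRC_IP"] = ipaddress.ip_address(fields["SRC"])
        fields["DST_IP"] = ipaddress.ip_address(fields["DST"])
    except (KeyError, ValueError):
        return None  # not a packet log entry, or a damaged one
    # Bare tokens such as DF, SYN, ACK are header flags, not KEY=value pairs.
    fields["FLAGS"] = {tok for tok in payload.split() if "=" not in tok}
    return fields


def classify(fields):
    """Put one parsed entry into a bucket named by this example."""
    proto = fields.get("PROTO", "")
    if fields["DST_IP"].is_multicast:
        # iptables prints protocol numbers it has no name for; 2 is IGMP.
        return "igmp-multicast" if proto == "2" else "multicast"
    flags = fields["FLAGS"]
    if (proto == "TCP" and fields.get("DPT") == "6346"
            and "SYN" in flags and "ACK" not in flags):
        return "gnutella-connect"
    return "unclassified"


def triage(log_text):
    """Count entries per bucket and per source address."""
    buckets = defaultdict(Counter)
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        buckets[classify(fields)][fields["SRC"]] += 1
    return {name: dict(counts) for name, counts in buckets.items()}


if __name__ == "__main__":
    for bucket, sources in sorted(triage(SAMPLE_LOG).items()):
        for src, count in sorted(sources.items()):
            print(f"{bucket:18} {src:16} {count}")
```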



Re: Starting a GPL'ed Blackhole Service to Replace MAPS

2001-07-24 Thread Phil Brutsche
A long time ago, in a galaxy far, far away, someone said...

 Isn't that like swatting a fly with a sledgehammer?

In a way it's either that or use non-free (in the GPL sense) software that
has gratuitous (and sometimes incompatible) extensions to the DNS spec.

 I'd at least check into one of the other free DNS servers before using
 BIND.

Show us an alternative that's

1) ready for production use
2) is not djbdns.

 (Personally I use djbdns; it's rock solid and easy to set up.  It's
 free to use, I just can't distribute patched binaries and call it
 djbdns).

BIND 9 here :)




PS: no flames intended, I just feel strongly about this

-- 
Phil Brutsche   [EMAIL PROTECTED]



Re: Starting a GPL'ed Blackhole Service to Replace MAPS

2001-07-24 Thread Phil Brutsche
A long time ago, in a galaxy far, far away, someone said...

 I'd have appreciated it if you'd included the text below *before* your
 comment ... I in no way said the choice was between BIND9 or djbdns.
 You said that.

Yes I did.  I usually consider the options for a DNS server to be:

Windows (bletch)
BIND
djbdns

Everything else I've seen is dead (like dents), still in the experimental
stages (like maradns), geared towards a single purpose (like pdnsd) or
cost prohibitive - for example, the only decent MacOS DNS server I've
heard of costs $350 USD... I could setup 3 or 4 Linux DNS servers for
that! (using BIND 9, of course :)

 I hear over and over again that djbdns violates the spec ... as far
 as I've seen, this is not true: djbdns tends to follow the RFC but
 often violates common practice as established by BIND.

That could be it.  I hear it over and over as well, but I could be
thinking of qmail :)

 BTW, check out who's been extensively involved with BIND.  Check out
 who's been extensively involved with MAPS.  Hmmm ...

Secondary, I think.  IIRC Vixie hasn't been involved with BIND coding for
years.

  Show us an alternative that's

 It's *my* job to do this? :)

I didn't say it was *yours* :)  Anyone was free to answer

 http://www.maradns.org says the authoritative server is beta quality;
 I've heard others say it works fine.  I cannot speak about its
 reliability since I haven't used it yet.  Already packaged.
 apt-cache search is your friend.

Umm... it's not an official Debian potato package.  I'll need to look at
it, though.

Besides, the term beta quality lowers its status in my eyes.  I usually
don't look at something until it's 1.0 (or really close).  Its... unusual
zone file format will also be a problem for some people.

 http://sourceforge.net/projects/customdns/ is something I'd like to
 look at, though its readiness has got to be suspect :)  Downloading it
 now ...

It's java & geared towards a specific purpose.

The java thing kills it right there :)

 I know I've heard of at least one more project but I can't find it on
 Sourceforge.

dents?

 (BTW, why does Sourceforge use Javascript links?  They don't work in
 Konqueror ...)

They work for me.  Did you turn on JavaScript in Konqueror?

  2) is not djbdns.

I think I need to clarify.  When most people ask for an alternative to
BIND they get told djbdns.  Therefore I was asking for an alternative to
BIND that wasn't djbdns because I already knew about it.

 In my opinion this boils down to a religious issue:

Among us geeks what doesn't :)

 some hate Dan Bernstein (and by extension his software),

It doesn't help that DJ Bernstein has an abrasive personality that tends to
abandon his software when he's lost interest in it rather than pass it on
to someone.  His licensing doesn't help the issue any.

 and I hate BIND because it's a massive bloated buggy pile of crap.

It works pretty well once you get past the root exploit in it once a year
or so (BIND 8.2.2-P7 doesn't necessarily count - that's just a DoS).

 I don't think either of us will convince the other that he is
 incorrect :)

Yay!  We agree on something! :)

-- 
Phil Brutsche   [EMAIL PROTECTED]



Re: ipchains for the firewall challenged

2001-07-22 Thread Phil Brutsche
A long time ago, in a galaxy far, far away, someone said...

 Hi all,

 I'm playing around with ipchains, but I'm just not getting the
 example given in the IPCHAINS-HOWTO. It's based on a system that's
 forwarding packets, but I'm not doing that. All I have is a single box
 connected to the world with a cable modem connected to eth0.

 It doesn't seem to be that difficult, and I'm feeling really stupid
 for not being able to figure it out. I think what has me confused is
 the HOWTO author's use of user-defined chains and then compounding the
 difficulty is that he has set up most (all?) jumps from the forward
 chain.

 Are there any docs for the simple minded? I've searched on Google and
 have found a lot of examples pertaining to forwarding.

 Thanks in advance for any direction on this.

I'm not a big fan of it but pmfirewall is a popular starting point for
people new to setting up firewalls.  It can be found at
http://freshmeat.net

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc



Re: ipchains for the firewall challenged

2001-07-22 Thread Phil Brutsche

A long time ago, in a galaxy far, far way, someone said...

 If I may ask, why do you not like it?

The rules it produces are long and complex - that makes it hard to figure
out if you did something wrong while configuring the firewall.

 Is there something functionally wrong with it?

Once you have it working, no.

 Is it that the user is placing trust in someone else for securing a
 system?

That's another one.

 Are you a nuts-and-bolts, do-it-yourself kind of guy?

How'd you guess? :)

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc



Re: asp visual basic on linux

2001-07-20 Thread Phil Brutsche

A long time ago, in a galaxy far, far way, someone said...

 You might try asp2php, which is supposed to convert visual basic asp to
 php.  My opinion is that php is superior to asp in almost every respect.

That's a highly subjective statement, but it's also one I have to agree
with.

I've done web programming with ASP, PHP, and perl (cgi scripts, never used
mod_perl); out of all of them PHP is *much* easier to use.  And PHP
scripts very successfully run nearly unchanged across many, many web
server & hardware platforms.  Try *that* with ASP...

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc



Re: IPTABLES

2001-07-20 Thread Phil Brutsche

A long time ago, in a galaxy far, far way, someone said...

 How do i get iptables to log packets that it DROPs?

No way directly.  When I need to log packets I use two nearly identical
iptables statements, like so when I block outgoing NetBIOS packets:

# LOG is a non-terminating target: the packet is logged, then falls
# through to the matching DROP rule on the next line.
iptables -A OUTPUT -p tcp --dport 137:139 -j LOG
iptables -A OUTPUT -p tcp --dport 137:139 -j DROP

iptables -A OUTPUT -p udp --dport 137:139 -j LOG
iptables -A OUTPUT -p udp --dport 137:139 -j DROP

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc



Re: Am I being attacked?

2001-07-18 Thread Phil Brutsche

A long time ago, in a galaxy far, far way, someone said...

 The answer is probably yes, but do the following indicate script-kiddie
 probes? They are directed at portmap, lpr, and nmbd. I don't know why the
 ones on the smtp port were rejected. The .184 system is my router.

Attacked is a strong word for what you're seeing.

This is all basically a set of port scans of people looking for holes on
216.15.108.184.  They are all normal on today's internet, and (IMO) not
something to worry about unless the thing has been hacked.  Some of those
can also be explained away as:

 * A mistyped hostname or IP number
 * Someone or something relying on old info; you'll probably never know if
   someone else had a mail server at 216.15.108.184 at one point in time,
   for example

BTW, if this concerns you, you haven't seen the crap the firewall at work
gets - there isn't enough time in the day for me to track them all down
and try to complain.

BTW2: if you're *really* worried about someone trying something you might
want to consider snort - it's an IDS system based off a packet sniffer.
It'll help you tell the difference between someone just doing a connect()
sweep and someone who's making an effort to get in.

 Packet log: input DENY eth0 PROTO=6 216.103.219.35:17956 216.15.108.184:111 
 L=40 S=0x00 I=3466 F=0x T=108 SYN (#10)
 Packet log: input DENY eth0 PROTO=6 202.66.169.18:4439 216.15.108.184:515 
 L=60 S=0x00 I=43201 F=0x4000 T=47 SYN (#10)
 Packet log: input DENY eth0 PROTO=17 216.187.75.24:137 216.15.108.184:137 
 L=78 S=0x00 I=18430 F=0x T=114 (#10)
 Packet log: input DENY eth0 PROTO=17 216.187.75.24:137 216.15.108.184:137 
 L=78 S=0x00 I=18686 F=0x T=114 (#10)
 Packet log: input DENY eth0 PROTO=17 216.187.75.24:137 216.15.108.184:137 
 L=78 S=0x00 I=18942 F=0x T=114 (#10)
 Packet log: input DENY eth0 PROTO=6 210.101.105.16:3546 216.15.108.184:111 
 L=60 S=0x00 I=13241 F=0x4000 T=47 SYN (#10)
 Packet log: input DENY eth0 PROTO=6 4.60.161.230:1054 216.15.108.184:25 L=48 
 S=0x00 I=57801 F=0x4000 T=110 SYN (#10)
 Packet log: input DENY eth0 PROTO=6 4.60.161.230:1054 216.15.108.184:25 L=48 
 S=0x00 I=57847 F=0x4000 T=110 SYN (#10)
 Packet log: input DENY eth0 PROTO=6 4.60.161.230:1054 216.15.108.184:25 L=48 
 S=0x00 I=57880 F=0x4000 T=110 SYN (#10)
 Packet log: input DENY eth0 PROTO=6 209.10.200.83:2151 216.15.108.184:111 
 L=60 S=0x00 I=14138 F=0x4000 T=56 SYN (#10)
 Packet log: input DENY eth0 PROTO=6 210.178.232.1:4935 216.15.108.184:111 
 L=60 S=0x00 I=38311 F=0x4000 T=41 SYN (#10)
 Packet log: input DENY eth0 PROTO=6 64.65.56.45:1274 216.15.108.184:515 L=60 
 S=0x00 I=146 F=0x4000 T=46 SYN (#10)

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc
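
A triage script for the kind of ipchains "Packet log:" output quoted in this message, added here as an example and not part of the original thread. The sample lines are constructed with documentation-range addresses, and the verdict labels and the three-port sweep threshold are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the ipchains "Packet log:" format quoted above.
# Addresses are documentation ranges; "F=0x" is left truncated on two
# lines because the quoted log shows the field that way.
SAMPLE_LOG = """\
Packet log: input DENY eth0 PROTO=6 192.0.2.35:17956 203.0.113.184:111 L=40 S=0x00 I=3466 F=0x0000 T=108 SYN (#10)
Packet log: input DENY eth0 PROTO=17 198.51.100.24:137 203.0.113.184:137 L=78 S=0x00 I=18430 F=0x T=114 (#10)
Packet log: input DENY eth0 PROTO=17 198.51.100.24:137 203.0.113.184:137 L=78 S=0x00 I=18686 F=0x T=114 (#10)
Jul 18 10:01:02 fw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.230:1054 203.0.113.184:25 L=48 S=0x00 I=57801 F=0x4000 T=110 SYN (#10)
Packet log: input DENY eth0 PROTO=6 192.0.2.230:1054 203.0.113.184:25 L=48 S=0x00 I=57847 F=0x4000 T=110 SYN (#10)
Packet log: input DENY eth0 PROTO=6 192.0.2.230:1054 203.0.113.184:25 L=48 S=0x00 I=57880 F=0x4000 T=110 SYN (#10)
Packet log: input DENY eth0 PROTO=6 198.51.100.77:2151 203.0.113.184:21 L=60 S=0x00 I=14138 F=0x4000 T=56 SYN (#10)
Packet log: input DENY eth0 PROTO=6 198.51.100.77:2152 203.0.113.184:23 L=60 S=0x00 I=14139 F=0x4000 T=56 SYN (#10)
Packet log: input DENY eth0 PROTO=6 198.51.100.77:2153 203.0.113.184:111 L=60 S=0x00 I=14140 F=0x4000 T=56 SYN (#10)
Packet log: input DENY eth0 PROTO=6 198.51.100.77:2154 203.0.113.184:515 L=60 S=0x00 I=14141 F=0x4000 T=56 SYN (#10)
this line is not a packet log entry
"""

LINE_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9A-Fa-f]*) I=(?P<ipid>\d+) "
    r"F=(?P<frag>0x[0-9A-Fa-f]*) T=(?P<ttl>\d+)"
    r"(?P<syn> SYN)? \(#(?P<rule>\d+)\)"
)


def parse_line(line):
    """Return one log entry as a dict, or None if the line does not match."""
    m = LINE_RE.search(line)  # search() tolerates a syslog prefix
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ipid", "ttl", "rule"):
        rec[key] = int(rec[key])
    rec["syn"] = rec["syn"] is not None
    return rec


def triage(log_text, sweep_ports=3):
    """Group entries by (source, protocol, destination port) and label them."""
    flows = defaultdict(list)
    ports_by_src = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        flows[(rec["src"], rec["proto"], rec["dport"])].append(rec)
        ports_by_src[rec["src"]].add((rec["proto"], rec["dport"]))

    report = []
    for (src, proto, dport), recs in flows.items():
        sports = {r["sport"] for r in recs}
        if len(ports_by_src[src]) >= sweep_ports:
            # One source walking several services on the same host.
            verdict = "port sweep"
        elif proto == 17 and dport == 137 and sports == {137}:
            # UDP 137 -> 137 is how NetBIOS name queries look on the wire.
            verdict = "netbios name query"
        elif proto == 6 and all(r["syn"] for r in recs):
            if len(recs) == 1:
                verdict = "single probe"
            elif len(sports) == 1:
                # Same source port each time: the client's TCP stack is
                # retrying one connection, not opening new ones.
                verdict = "one attempt, SYN retransmitted"
            else:
                verdict = "repeated attempts"
        else:
            verdict = "other"
        report.append({"src": src, "proto": proto, "dport": dport,
                       "packets": len(recs), "verdict": verdict})
    return sorted(report, key=lambda r: (-r["packets"], r["src"], r["dport"]))


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print("{src:15} proto={proto:<3} dport={dport:<5} "
              "packets={packets} {verdict}".format(**row))
```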



Re: Am I being attacked?

2001-07-18 Thread Phil Brutsche

A long time ago, in a galaxy far, far way, someone said...

 Phil Brutsche [EMAIL PROTECTED] writes:
  This is all basically a set of port scans of people looking for holes on
  216.15.108.184.  They are all normal on today's internet, and (IMO) not
  something to worry about unless the thing has been hacked.

   I still send a note to [EMAIL PROTECTED] in these
   cases (try whois IP-ADDRESS). The ISPs have been very receptive to
   my reports.

I gave up a short while ago, mostly because all these scans were
one-time deals and I didn't want to waste my time writing notes.  I have
better things to do with my time, like mess with LDAP :)

   I used to do the same thing for spam a *long* time ago, but
   obviously not any more.

I have the luxury of running my own mail server, so I just manually
blacklist the offending IP and be done with it :)

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc



Re: Email Server

2001-07-13 Thread Phil Brutsche

A long time ago, in a galaxy far, far way, someone said...

 Does anyone have recommendations on how and what to use to set this up?

Exim.  You don't need to learn black magic to get it to work right :)
Sendmail 8.10 and higher can do it but you need to learn black magic to
get it to work right in the config file before you need to learn black
magic to get SASL to work right.

Postfix also uses SASL for SMTP AUTH and needs some of the same black
magic.

I've been unimpressed with SASL, in case you haven't figured it out yet :)

Why not stick with Exim - you're already using it :)  I have some sample
configurations for you to look at if you need them.

 Any clues about what would work using ldap authentication rather than
 shadow passwords would be helpful as well.

Anything that can auth via PAM can use the pam_ldap module.

Exim can talk to the ldap directory natively if it's compiled correctly;
that's also the Debian default.

 Verizon/Bell Atlantic just screwed 50,000 of their 950,000 ISP
 customers because as of late last week they are only allowed to use 4
 of verizons domains.  A few of those screwed verizon customers are
 also users of our freenet ccil.org.  I would like to setup smtp
 authentication on one of the old 133 mhz machines so that these long
 time ccil users can continue to use other ISP's and maintain ccil.org
 as their email address.

Worthy cause!  However, you need to hope that Verizon doesn't DNAT
outgoing connections on port 25 to their own mail servers.  Putting a
second copy of Exim at, say, port 26 would fix that.

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc



Re: Exim as a LAN mail server [possibly-OT]

2001-07-13 Thread Phil Brutsche

A long time ago, in a galaxy far, far way, someone said...

 Howdy folks,

 I'm setting up a small (2-3 workstations, one server, all debian)
 network at home, and I'm trying to implement an idea that I had
 for the mail system.  My apologies if it's too offtopic.

If you want to figure out how to do it with Debian it's not off-topic :)

 The scenario is:

 I have several email addresses, [EMAIL PROTECTED], [EMAIL PROTECTED] and
 [EMAIL PROTECTED]  At the moment, I use fetchmail to pull all
 my email from these three accounts onto my box.

Cool

 This is nice, except that each account has to send messages through a
 different SMTP server.

Are you *sure* they have to?  Most ISPs that I've run across will relay
for you because you're coming from an IP number on their network,
irregardless of the sender in the SMTP envelope.  Some even go above and
beyond that and require your email client to log-in to their mail server
with a username and password before any sort of relaying will take place.

 My idea is to set up the network server as a smarthost(?).

That is the correct term.

 All the other machines on the network would just send all their
 (non-local) mail to it, and it would send these messages via the
 appropriate SMTP server.  Basically, the server would have a little
 table (or whatever) like this:
 #from address        smtp server
 [EMAIL PROTECTED]    mail.isp1.com
 [EMAIL PROTECTED]    smtp.mailhost.com
 [EMAIL PROTECTED]    smtp.university.edu

 and would relay(?) messages to the correct SMTP server depending on
 the From: header in the message.

I think using the appropriate SMTP server as a smarthost based on the
From: header would be a better description.  There's nothing wrong with a
smarthost using a smarthost :)

 Firstly, is this a good idea?

That's up to you to decide.

 Would it horribly violate some basic RFC and bring a thousand years of
 darkness upon our planet?

I'm not aware of one.  If there is the world would have ended long ago.

 Can Exim do it, or do I need to switch MTAs (perhaps even to that
 mythical beast, Sendmail)?

When compared to sendmail, postfix and qmail (*especially* qmail) there is
very little exim *can't* do.

 The server will be on a ppp/dial-on-demand link, so I can't just set
 up my own 'proper' domain and mail system.

You don't even need a proper domain to have a proper mail system.  In
fact, a proper mail system is exactly what you seek.

 Secondly, where would I find out about this sort of thing?

If not here then the exim-users mailing list would be a good place to
look.  There's subscription information on the exim.org web page.

 Is it an Exim issue, a Debian issue or a generic mail issue?

Generic mail

 I've tried to read through the Exim documentation but it is quite
 dense (for me anyway) and I don't really know all that much about how
 SMTP works.

I'm not surprised - the Exim documentation assumes that you are familiar
with the workings of SMTP.

 I've been using Linux for a couple of years now (Debian for one of
 those) and I am willing to go and RTFM, if only I could find the right
 FM to read.  It does sound vaguely related to the re-write features of
 Exim, but I could not find any sort of documentation for the
 not-stupid-yet-quite-clueless user.

Well, since you're willing to read the FM, I think I can give some hints.

* You need a custom router (this is what exim calls the stanzas that
  define what to do with non-local addresses).
* Read Chapter 9: String Expansion.  Take note of the ${extract...}
  operator, the $header_<header name> expansion item, and the ${lookup...}
  operator.
* Read Chapter 28: The domainlist router.  Taking note of the route_list
  option.

I'm not going to have a chance to play with this until later tonight; I'd
like to hear about it if you get the problem licked before I do.

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc



Re: Swap fscked in 2.4.5?

2001-07-12 Thread Phil Brutsche

A long time ago, in a galaxy far, far way, someone said...

[trouble with the vm in 2.4.5]

 I'm told that this is a bug in the 2.4 series

Correct

 does anyone know if upgrading to 2.4.6 will help this problem at all?

I don't know if 2.4.6 has totally fixed the problem or not but in my
experience it's much better in this regard.

 If not, are there any other workarounds?

Add more swap.

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc



Re: sysadmin won't allow linux - PLEASE HELP

2001-07-12 Thread Phil Brutsche

A long time ago, in a galaxy far, far way, someone said...

 can't you install a cygwin version into your homedirectory???

If the university computers there are anything like the one at my
university, there is no such thing.

The only way to do it in that case is to ask whoever maintains the
computers (at Creighton it's Client Services) to install it.

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc



Re: multihomed linux box - dual t1

2001-07-10 Thread Phil Brutsche

A long time ago, in a galaxy far, far way, someone said...

 how does that work though? the rest of the world has to know how to
 route to you..without that information i cant imagine a thing in the
 world you can do on a server to advertise you :)

It works very easily.  Linux policy routing works on the basis of multiple
routing tables; when you make the connection to 10.0.0.2, and the packet
makes the return trip, the kernel routing code looks and says ooh!
packets coming from 10.0.0.2 goes through routing table number 1, and on
it goes through routing table number 1.

The whole time the world *does* know how to route to you.  All policy
routing does is decide which gateway the packet is going to go out through
based on rules defined by the network administrator.  In the case of my
example, the packets returning from 10.0.0.2 *always* go out through
10.0.0.1 based on the fact that they're returning from 10.0.0.2.

Policy routing can take some getting used to - but, like anything else, is
very simple once you've gotten the hang of it.

 i can't believe this is such a difficult routing thing for the kernel
 to do..the metrics should work but they don't.  from the docs i see that
 the kernel ignores it.

That seems to be the case - I'll have to try it out tomorrow as well.

 (it says 2.0.x kernels used it)

I don't think the 2.0.x kernels had the rp_filter facility.

 maybe if i switched to a 2.0 kernel it would work ;)

Maybe, just maybe...

 ill try that networking option you mentioned though. i wont be able to
 unplug that other t1 till i get back to the office tomorrow though.

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc



Re: multihomed linux box

2001-07-10 Thread Phil Brutsche

A long time ago, in a galaxy far, far way, someone said...


  Generally BGP is the way to do it.

 BGP is outta the question for me..i asked cisco about that a couple
 months ago and they said 128MB was minimum for BGP on routers.

And that's not even a full BGP feed :)  A full feed is closer to 135 - 140
MB

 my routers have 8MB each ..

And in another post you said you only have 2500s.  I think the only thing
slower is an AccessPro (a 2501 on an ISA card).  From what I hear you need
at least a 3640 or so for BGP.

And you won't come close to getting even a partial feed if you have less
than a /24.

 yeah thats what it looks like. so hopefully i can find something
 other than routed.

GNU Zebra :)

 i dont want to enable rip, this should be a very basic routing thing.
 its not like it needs to be dynamic its either gateway A or B if A is
 down. not very complicated!!

No it's not.  But sometimes devices dedicated to a certain task (a Cisco,
in this case) can do a better job at something than a general-purpose
device (a PC running Linux, in this case).

Oh, and I have good news: in my *limited* testing, your trick with the
metrics works fine: I remotely disabled one of the internet connections at
work, and the Linux firewall *automatically* switched over to use one of
the other internet connections.  Thanks to the magic of policy routing I
stayed in contact with the firewall the whole time :)

I do, however, have rp_filter turned off (ie I have spoofprotect=no in
/etc/network/options).

I'm still going to play with it some more tomorrow.

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc



Re: ext2 filesystem

2001-07-10 Thread Phil Brutsche

A long time ago, in a galaxy far, far way, someone said...

 Hi All,
 I'm looking for a filesystem to put on a some-what embedded system.  I
 was considering ext2 but IIRC there is a minimum 4K file size.  Does
 anyone know if that really is the limit (I also remember that you can
 resize the sectors on an ext2 filesystem but I don't know if these two
 are connected).

4k is just the default blocksize - it can be set to be as small as 1k.

mke2fs -b 1024 <other parameters>

See man mke2fs for more information on other parameters.

 Also if anyone has recommendations for a RAM based filesystem I'd love
 to hear them too.

There are a couple of them available in the 2.4.x series; never used any
of them however.

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc



Re: multihomed linux box

2001-07-09 Thread Phil Brutsche

A long time ago, in a galaxy far, far way, someone said...

 hi.

 i have this setup on 2 machines


 Machine A
 \ eth0 --- Switch -- Router A(65.xxx.xx.x.x) -- Internet
 \ eth1 -- Switch -- Router B (63.xx.x.x.x.x) -- Internet

 Machine B
 \ eth0 -- Switch -- Router A (65.xx.x.x.x.x) -- internet
 \ eth1 -- Switch -- Router B (63.xx.x.x.x) -- internet

 what i can't figure out is how to get it so if one route fails it will
 take the other.

Generally BGP is the way to do it.  However, unless you have a /24-sized
address space assigned by ICANN or whoever does it these days people won't
even talk to you.

 i have routed installed but im not sure if it will do what i want.

I think it can but only if your routers send out RIP packets :)  If they
don't, can't, or whatever then routed obviously won't work.

 what i have:

 /sbin/route add -net 0.0.0.0 netmask 0.0.0.0 gw MY_GATEWAY metric 0
 /sbin/route add -net 0.0.0.0 netmask 0.0.0.0 gw ALT_GATEWAY metric 1


 so i ssh to a machine it shows me coming from MY_GATEWAY's ip
 network. so i unplug the router, and try to ssh. nothing. try
 to ping using -i, nothing. once i remove the route to MY_GATEWAY
 i can ping/ssh again.  each interface has a different IP address.
 its not really multihomed in the sense that to the outside world
 i have 1 ip address and it can be reached through either provider
 (2 different T1 providers) i just want failover route setup.

For incoming traffic (ie redundancy for a mail server) or outgoing
traffic?

If you want redundancy for outgoing traffic I would think your trick with
routes above would work.  But they don't... unless you forgot a step.
Try setting spoofprotect=no in /etc/network/options, reboot, and try
again.

If *that* doesn't work, I'm sorry to say that you're out of luck :(
Anything else you can come up with is a pure hack and prone to failure.

Incoming traffic is much easier :)  Install the iproute2 package and read
the Advanced Routing HOWTO, particularly the bit about policy routing.

[...]

 oh and im running debian 2.2r3/linux.2.2.19 on 1 machine
 and debian testing(a month or so old) with 2.2.19 on the
 other.

 maybe there is another 'routing daemon' that i could use?

GNU Zebra but it needs RIP (which you can't get) or BGP to work.

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc



Re: multihomed linux box - dual t1

2001-07-09 Thread Phil Brutsche

A long time ago, in a galaxy far, far way, someone said...


 hi ya...

 think theres lot's of folks with dual t1...

Or dual DSL, or DSL + Cable modem, or dual DSL + Cable modem (like I have
at work).

 for outgoing traffic... think the routing and metrics might work..

Exactly.

 for incoming traffic... we'd need all kinds of whacky work arounds
or an autonomous ip# routable by either isp...

No workarounds.  Policy routing :)

Like so:

Environment:
  eth0: 192.168.1.2/24; gateway 192.168.1.1
  eth1: 10.0.0.2/24; gateway 10.0.0.1

Special magic:
  ip rule add from 192.168.1.2 lookup 1
  ip rule add from 10.0.0.2 lookup 2

  ip route add to default via 10.0.0.1 metric 0
  ip route add to default via 192.168.1.1 metric 1

  ip route add table 1 to 192.168.1.0/24 dev eth0
  ip route add table 1 to 10.0.0.0/24 dev eth1
  ip route add table 1 to default via 192.168.1.1

  ip route add table 2 to 192.168.1.0/24 dev eth0
  ip route add table 2 to 10.0.0.0/24 dev eth1
  ip route add table 2 to default via 10.0.0.1

This all assumes that the Linux box is alone in its little world, without
some sort of Masquerading going on.  More magical incantations are needed
if there is.

The ip ... lines work with both the 2.2.x and 2.4.x kernels.

And yes, an IP number space routable by more than 1 ISP will work too :)

 - who's writing this howto ???

A number of people involved in the development of Linux's networking
abilities.

The web page for it is at http://ds9a.nl/2.4Routing/; I know it says 2.4
in the link but experience tells me that a lot of it works with 2.2.x.

 -- UUnet also has a backup dark t1 that they provide ...for a minimal
fee ... so that even if the primary t1 goes down... you have a backup
and the world does not know about your fiber being cut by the
bozo and his backhoe down the street

You still need a method to tell the world to use that T1... like BGP.

   - not sure if the same ISP can be up if their other wire went
   down... ( or router or hubb or 110v power etc )

If the T1 goes through the same ISP I think you've lost a good portion of
your redundancy...

 - pacbell ( SF bay area ) had a major fiber ring outage about a month
   ago where the main fiber was cut late one afternoon ...

Exactly for this reason :)

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc
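
A small model of the rule-then-table lookup that the `ip rule` and `ip route` commands in this message set up, added here as an example and not part of the original thread. It uses the addresses and gateways from the Environment lines; the destination 198.51.100.7 is a constructed address, and the function names are hypothetical.

```python
import ipaddress

# Policy rules in evaluation order: (source prefix, table name).
# Traffic that matches no rule falls through to the "main" table.
RULES = [("192.168.1.2/32", "1"), ("10.0.0.2/32", "2")]

# Routes are (destination prefix, device, gateway or None if on-link, metric).
CONNECTED = [("192.168.1.0/24", "eth0", None, 0),
             ("10.0.0.0/24", "eth1", None, 0)]
TABLES = {
    "1": CONNECTED + [("0.0.0.0/0", "eth0", "192.168.1.1", 0)],
    "2": CONNECTED + [("0.0.0.0/0", "eth1", "10.0.0.1", 0)],
    "main": CONNECTED + [("0.0.0.0/0", "eth1", "10.0.0.1", 0),
                         ("0.0.0.0/0", "eth0", "192.168.1.1", 1)],
}


def lookup_table(table, dst):
    """Longest-prefix match inside one table; lower metric breaks ties."""
    dst_ip = ipaddress.ip_address(dst)
    best_key, best_route = None, None
    for prefix, dev, gateway, metric in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if dst_ip not in net:
            continue
        key = (-net.prefixlen, metric)
        if best_key is None or key < best_key:
            best_key, best_route = key, (dev, gateway)
    return best_route


def select_route(src, dst, rules=RULES):
    """Return (table, device, gateway) for a packet with this source address."""
    src_ip = ipaddress.ip_address(src)
    for prefix, table in list(rules) + [("0.0.0.0/0", "main")]:
        if src_ip in ipaddress.ip_network(prefix):
            route = lookup_table(table, dst)
            if route is not None:
                return (table,) + route
    return None


if __name__ == "__main__":
    remote = "198.51.100.7"  # constructed Internet host
    # Replies leave through the provider that owns the source address.
    print(select_route("192.168.1.2", remote))
    print(select_route("10.0.0.2", remote))
    # Without the rules, replies from 192.168.1.2 would follow the main
    # table's preferred default and leave through the other provider.
    print(select_route("192.168.1.2", remote, rules=[]))
```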



Re: file transfer via serial link to windows box

2001-07-08 Thread Phil Brutsche

A long time ago, in a galaxy far, far way, someone said...

 Does anyone know what simple small program I can use to transfer files
 from the notebook to the desktop.

All you need on the Windows side is HyperTerminal; on the Debian system
you need the lrzsz package.

The first step is to get to the point where you can log into the Debian
system via one of the serial ports.

The second step - transferring the file to the Debian system - is much
easier: run rz from the command line and then use HyperTerminal to
send the file you want to transfer via ZModem.

 ppp is not an option, since I have no way of getting the windows install
 files onto the notebook for it's dial-up networking

 PLIP is no good, since I don't have a parallel cable, and it's not so
 terrible, that I'm going to go and buy one :)

I wasn't aware that Win 9x/NT/2k could do PLIP (Win 3.x can do it with the
Crynwr packet drivers).

 so whatever software needed on the windows box needs to be small and
 not need anything fancy on the windows side

And chances are the only software you need is already on the Windows box
:)

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc



Re: security report

2001-07-02 Thread Phil Brutsche

A long time ago, in a galaxy far, far way, someone said...


 Dear Debian People,

 I got the following security audit of a machine I recently installed
 Debian 2.2r3 on.

This looks like output from nessus.  Take everything it reports with a
grain of salt.

 I have run apt-get update and apt-get upgrade on it. The most serious
 problem appears to be with ssh. What should I do about this, if
 anything?

 Should I upgrade to a more recent version of ssh from testing? The current
 version of Openssh1.is at 1.2.3-9.3 and the most recent version is 2.9.

IIRC the biggest problem with OpenSSH is that the protocol isn't the
greatest.

There's a reason the package version is 1.2.3-9.3 - there have been a
number of security-related uploads since Potato was released.

It also can't tell the difference between SSH 1.2.9 and OpenSSH 1.2.9,
which is why it told you about the security hole.

 In any case, I thought security vulnerabilities were supposed to be
 fixed in stable.

They are.  If you find one I think the people on the debian security team
would like to know about it.

 And does anyone have thoughts about the other warnings reported?

For the most part nessus is crying wolf.  You may want to disable the
daytime service in /etc/inetd.conf, however.

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc



Re: [users] Re: mail server question

2001-06-30 Thread Phil Brutsche

A long time ago, in a galaxy far, far way, someone said...

 and i propose postfix. then again, i would happily like to hear why
 exim is better (or not).

Exim (in my experience):

 * is easier to configure
 * is much more flexible

 it looks to me as if exim is a newcomer and

The other way around actually - Exim 1.x easily dates back to 1996 and (in
my understanding) is derived from another MTA (smail, to be precise) that
dates back to the late 1980s or the early 1990s.

Postfix, in comparison, didn't even see the light of day (outside of IBM,
that is) until early 1998 :)

 in as such, i don't see how it can possibly get close to postfix,
 which is excellent!!!

It's been my experience that exim handily beats postfix, especially in the
ways you can mix & match database & directory service lookups.

But yes, postfix is very nice :)  By my count it's light-years ahead of
the (non-exim/non-postfix) competition (aka sendmail & qmail).

 i would be happy to provide you with a dynamic dns name and mail
 exchange relay; that plus ETRN solves my troubles with dynamic IP
 connections...

Fetchmail works wonders in such situations.

There's good, old-fashioned UUCP as well :)

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc



Re: exim problems

2001-06-29 Thread Phil Brutsche

A long time ago, in a galaxy far, far away, someone said...

 Symptoms:

 1) exim is churning away with 20-40% cpu usage and load between 1 and 2
 on an otherwise unladen machine

 2) my exim logs are growing huge; tail -f shows several new entries
 per second saying message frozen

[...]

 Anyone know what's going on?

Frozen messages are those that could not be delivered and require human
intervention to get them out of the queue.

Exim will very easily do what you describe if you have a massive number
(on the order of tens of thousands) of frozen messages in the queue.

The next step is to find out why those messages froze, and fix the
problem.

For future reference, you can run /usr/sbin/exiwhat as root to find out
what Exim is doing.

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc



Re: Promise hard disk controllers

2001-06-25 Thread Phil Brutsche

A long time ago, in a galaxy far, far away, someone said...

 Does anyone know of a Linux driver for the Promise FastTrak TX2 hard
 disk controller card ?

There isn't one that I'm aware of.

 A '.o' binary is offered which is supposed to run on RedHat 7.0, but I
 don't know how to use it with Debian.

That binary driver should not be trusted - it's been known to cause data
corruption.

 When I put the binary into /lib/modules and load it, I get an error
 which says that the driver was compiled with an older kernel and won't
 run.

That's not surprising - it's built for the 2.2.16 included with RH7.0 :)
You could force the loading of the module with insmod -f modulename,
however.

 There is no access to source provided by Promise to rebuild it for the
 new kernel. Help!

Oh!  I see it's a FastTrak.  Return it (if you can) and get an Ultra100
(non-TX2) off eBay - if you choose not to use the very dangerous
Promise-provided driver the FastTraks don't work worth a crap as a RAID
controller with non-Windows operating systems.

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc



Re: telnet client

2001-06-24 Thread Phil Brutsche

A long time ago, in a galaxy far, far away, someone said...

 Hi All,

 I'm looking for a telnet client for windows 9x that provides me with:

 1. Properly working keyboard (including F1 to F10)
 2. SSL (would be a BIG BIG plus)
 3. Color (well, eugm.. would-be-nice)

 Does anyone have a good idea? (preferably in the form of an URL..)

Not many Windows email clients support SSL... but there are a number of
SSH clients.

SecureCRT (http://www.vandyke.com) is *very* good, but isn't free.
There's also PuTTY (http://www.chiark.greenend.org.uk/~sgtatham/putty/),
which is also good, but I'm not sure about the function key support.

Some people like TerraTerm.

There's a large list of freeware/shareware telnet clients at
http://binary.tucows.com/term95.html (TerraTerm is listed there as well).

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc



Re: Exim and *outgoing* AUTH?

2001-06-22 Thread Phil Brutsche

A long time ago, in a galaxy far, far away, someone said...

 Greetings-

 Telocity, in its infinite wisdom, has decided to use SMTP AUTH instead of
 originating IP to verify SMTP clients. This presents problems for me,
 since I have exim pointing at smtp.telocity.com. Furthermore, it doesn't
 reject messages outright (that would be too simple and
 standards-based).  Instead, it just accepts them and silently eats them,
 so I didn't know until I innocently asked my father-in-law if he'd
 received a message I sent him. Arrgh.  Anyway

 Is there a way to configure exim (running in smarthost mode) to use SMTP
 AUTH for outgoing mail? I'm currently running:

Yes.

The authentication rules are defined in the very last section of the file,
after the rewrite configuration.  AUTH PLAIN (what Netscape and most
non-MS email clients use to authenticate) would look something like this:

telocity:
  driver = plaintext
  public_name = PLAIN
  client_send = ^username^password

AUTH LOGIN (what Outlook & OE use, as well as a few others) would look
something like this:

telocity:
  driver = plaintext
  public_name = LOGIN
  client_send = : username : password

Afterwards, you would put

   authenticate_hosts = 64.98.119.186

in the remote_smtp transport.

However, this assumes that the Telocity SMTP server (smtp.telocity.com) is
standards compliant... which they aren't.

Telneting to port 25 on smtp.telocity.com:

$ telnet smtp.telocity.com smtp
Trying 64.98.119.186...
Connected to dsl.telocity.com.criticalpath.net.
Escape character is '^]'.
220 smtp.telocity.com ESMTP CPMTA-3_5_0_4 - NO UCE
ehlo kaitain.obix.com
250-smtp.telocity.com Hi.
250-PIPELINING
250-AUTH=LOGIN
250 8BITMIME
quit
221 smtp.telocity.com closing connection

See the AUTH=LOGIN in the response to my EHLO?  The equal sign should be a
space.  That's a Microsoft-ism.  Very few transport agents and user agents
support AUTH=LOGIN; the ones that do have .
These include:

Most corporate messaging systems
Various MS *Windows* email clients (the Mac email clients are written by a
   different group within MS and are much better than the Windows
   equivalents IMO)
One of the qmail SMTP AUTH patches
Whatever the hell Telocity uses

One solution would be to ask a kind soul to relay for you based on SMTP
AUTH.

 rant
 Why can't a single reasonably-priced DSL service seem to get it
 right? There are perfectly good internet standards for dealing with
 these sorts of things, and they feel they have to reinvent the wheel --
 and make it square to boot!
 /rant

rant
That would require intelligence among the decision-makers at Telocity.
If they're like a lot of other corporations, they are (pardon my language)
clueless twits who don't know squat about what they're doing.  These folks
are also the reason why most defaced web sites are Windows... and the
security hole isn't in Windows.
/rant

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc
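
Added example (not part of the original message, and not Exim's own code): a small parser that reads the EHLO reply from the telnet session above and separates mechanisms advertised as "AUTH LOGIN" from the "AUTH=LOGIN" form, plus a simplified model of how the two client_send settings shown above end up on the wire. The STANDARD_EHLO reply, mail.example.net and all function names are assumptions made up for the illustration.

```python
import base64
import re

# EHLO reply copied from the telnet session quoted in the message above.
TELOCITY_EHLO = (
    "250-smtp.telocity.com Hi.\r\n"
    "250-PIPELINING\r\n"
    "250-AUTH=LOGIN\r\n"
    "250 8BITMIME\r\n"
)

# Constructed reply from a hypothetical server that uses the standard form.
STANDARD_EHLO = (
    "250-mail.example.net Hello\r\n"
    "250-AUTH PLAIN LOGIN\r\n"
    "250 8BITMIME\r\n"
)

_REPLY_LINE = re.compile(r"^250([ -])(.*)$")


def parse_auth(ehlo_reply):
    """Return (standard, legacy) mechanism lists from an EHLO reply.

    standard: mechanisms from an "AUTH <mech> ..." keyword line.
    legacy:   mechanisms from the non-standard "AUTH=<mech> ..." form.
    """
    standard, legacy = [], []
    lines = ehlo_reply.strip().splitlines()
    for index, raw in enumerate(lines):
        match = _REPLY_LINE.match(raw.strip())
        if match is None:
            raise ValueError("not a 250 reply line: %r" % raw)
        if index == 0:
            continue  # first line is the server greeting, not a keyword
        text = match.group(2).upper()
        if text.startswith("AUTH "):
            standard.extend(text[5:].split())
        elif text.startswith("AUTH="):
            legacy.extend(text[5:].split())
    return standard, legacy


def usable_mechanisms(ehlo_reply, tolerate_legacy=False):
    """Mechanisms a client would try; a strict client ignores AUTH=..."""
    standard, legacy = parse_auth(ehlo_reply)
    found = list(standard)
    if tolerate_legacy:
        found += [m for m in legacy if m not in found]
    return found


def client_send_strings(client_send):
    """Simplified model of a plaintext-driver client_send value:
    colon-separated strings, each trimmed, single '^' turned into NUL
    and '^^' into a literal '^'. String expansion is not modelled."""
    out = []
    for item in client_send.split(":"):
        item = item.strip()
        item = item.replace("^^", "\x01").replace("^", "\x00").replace("\x01", "^")
        out.append(item.encode("ascii"))
    return out


def wire_lines(mechanism, client_send):
    """Lines the client sends (server prompts in between are omitted).

    The first string rides on the AUTH command itself; an empty first
    string means the command is sent bare. base64 is an encoding, not
    encryption, so the password is recoverable from these lines unless
    the session is wrapped in TLS.
    """
    strings = client_send_strings(client_send)
    first = "AUTH " + mechanism
    if strings[0]:
        first += " " + base64.b64encode(strings[0]).decode("ascii")
    rest = [base64.b64encode(s).decode("ascii") for s in strings[1:]]
    return [first] + rest


if __name__ == "__main__":
    for name, reply in (("telocity", TELOCITY_EHLO), ("standard", STANDARD_EHLO)):
        print(name, "strict:", usable_mechanisms(reply),
              "tolerant:", usable_mechanisms(reply, tolerate_legacy=True))
    print(wire_lines("PLAIN", "^username^password"))
    print(wire_lines("LOGIN", ": username : password"))
```

A strict client finds no usable mechanism in the Telocity reply and so sends mail without authenticating, which matches the behaviour discussed in this thread.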



Re: Exim and *outgoing* AUTH?

2001-06-22 Thread Phil Brutsche

A long time ago, in a galaxy far, far away, someone said...

 So, what you're telling me, it seems, is that I'm out of luck because
 Telocity says AUTH=LOGIN where a sensible system would say AUTH
 LOGIN.

Correct.

 It seems like that could be hacked in code (he says innocently);

Someone at one point wrote some patches for exim to be able to understand
AUTH=LOGIN; I'll see if I can dig them out :)

 any way of simply forcing exim to use LOGIN authentication, regardless
 of what it finds from EHLO?

Not that I'm aware of.

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc



Re: Lilo and Win2k

2001-06-02 Thread Phil Brutsche

A long time ago, in a galaxy far, far away, someone said...


 I am trying to get my dualboot machine to work properly. using Lilo, i can
 boot linux, which occupies /dev/hda

 When i tried to get it to boot Win2k, which occupies /dev/hdb, it came
 up with something about NTDLTR or something like that. How can i get
 it to boot win2k?

In your current configuration, you don't.  Windows *must* be on /dev/hda
someplace.

Easiest thing to do is switch /dev/hda and /dev/hdb and work out the boot
loader.

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc



Re: swap vs. RAM

2001-05-31 Thread Phil Brutsche

A long time ago, in a galaxy far, far away, someone said...

 Anyone able to explain why the 2.4 kernel prefers swap
 instead of free RAM ???

It's a known problem that the kernel developers are trying to fix.

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc



Re: [users] i386 or PowerPc

2001-05-24 Thread Phil Brutsche

A long time ago, in a galaxy far, far away, someone said...

 is that a serious question???
 the pentium has nothing to say against the G4. period. moreover, CISC
 is just pitiful compared to RISC.

Irrelevant with today's modern CPUs like the PIII.

The G3, G4, PII, PIII CPUs all take the best properties of RISC & CISC.

 then again, unless you are talking absolutely high volume, there is
 nothing of big computational cost that your server will do, so i'd
 assume a pentium would work just as fine. however, if you have the
 means, go for the G4!

No, go for the PIII, especially if you're going to run Linux - ix86
systems are simply better supported than powermacs.  That can be a big
deal if you're going to run software available only as a binary.

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc



Re: Small LAN problem

2001-05-19 Thread Phil Brutsche

A long time ago, in a galaxy far, far away, someone said...

 Thanks for your assurances.  Unfortunately, I am without a hub, so a
 crossover cable is my only option.  If the cable was made incorrectly,
 then that would account for at least some of my troubles -- could you
 point me to some literature describing how a xover cable is made, or
 else explain the process on list?  I would appreciate it.  I always
 understood a crossover cable to be a cable that routed pin 1 to pin 8,
 pin 2 to pin 7, etc.

For some crossover cables, perhaps.  But recall that TP ethernet only uses
2 pairs of wires - at least some of the signals are going to places where
they're not being listened for.

http://www.pin-outs.com/datasheet_72.htm has the pinout you're looking
for.

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc



Re: Disable bootps/netbios

2001-05-18 Thread Phil Brutsche

A long time ago, in a galaxy far, far away, someone said...

 Hi!
 I discovered something weird :)
 When doing a 'nmap -v localhost' I see;

 Port    State     Protocol  Service
 21      open      tcp       ftp
 22      open      tcp       ssh
 25      open      tcp       smtp
 80      open      tcp       http
 110     open      tcp       pop-3

 And that's just what I want :) but when I do it remotely I see something
 else;
 21      open      tcp       ftp
 22      open      tcp       ssh
 25      open      tcp       smtp
 67      filtered  tcp       bootps
 80      open      tcp       http
 110     open      tcp       pop-3
 137     filtered  tcp       netbios-ns
 138     filtered  tcp       netbios-dgm
 139     filtered  tcp       netbios-ssn
That is an artifact of someone blocking TCP ports 67, 137, 138 and 139
upstream from your system.  If you were running DHCP & Samba you would
see them in the output of ps aux as well as the portscan of localhost.

 I have NO nfs or samba server running or installed on my system. I
 disabled portmap with an exit 0 @ the beginning of the script in
 /etc/init.d/portmap because I simply don't need it.

The second nmap listing shows no sign of NFS - bootps is used for bootp
and dhcp servers.

 The only thing I want to do is Serve http files and deliver mail, do
 some ftp and ssh and that's it :)
 I know questions are ALWAYS good and never stupid...but also for a new
 kid on the block? :-)

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc
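
Added example (not part of the original message): the comparison described above, done mechanically. It parses the two port listings from this thread, re-spaced into columns, and sorts each port by what the local and the remote view say together; the function and category names are assumptions made up for the illustration.

```python
# The two listings from the thread, re-spaced into columns.
LOCAL_SCAN = """\
Port    State     Protocol  Service
21      open      tcp       ftp
22      open      tcp       ssh
25      open      tcp       smtp
80      open      tcp       http
110     open      tcp       pop-3
"""

REMOTE_SCAN = """\
21      open      tcp       ftp
22      open      tcp       ssh
25      open      tcp       smtp
67      filtered  tcp       bootps
80      open      tcp       http
110     open      tcp       pop-3
137     filtered  tcp       netbios-ns
138     filtered  tcp       netbios-dgm
139     filtered  tcp       netbios-ssn
"""


def parse_scan(text):
    """Map (port, protocol) -> state for every four-column port row.

    Header lines and anything else that is not a port row are skipped.
    """
    ports = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or not fields[0].isdigit():
            continue
        port, state, proto, _service = fields
        ports[(int(port), proto)] = state
    return ports


def compare_views(local_text, remote_text):
    """Classify ports by combining the scan of localhost with the remote scan.

    reachable:         open in both views; a local daemon answers the world
    local_only:        open on localhost but not open from outside
    filtered_upstream: filtered from outside with no local listener, i.e. a
                       packet filter in the path, not a service on the host
    investigate:       open from outside but not on localhost (something
                       other than this host's own listener is answering)
    """
    local = parse_scan(local_text)
    remote = parse_scan(remote_text)
    report = {"reachable": [], "local_only": [],
              "filtered_upstream": [], "investigate": []}
    for key in sorted(set(local) | set(remote)):
        port = key[0]
        local_open = local.get(key) == "open"
        remote_state = remote.get(key)
        if local_open and remote_state == "open":
            report["reachable"].append(port)
        elif local_open:
            report["local_only"].append(port)
        elif remote_state == "filtered":
            report["filtered_upstream"].append(port)
        elif remote_state == "open":
            report["investigate"].append(port)
    return report


if __name__ == "__main__":
    for category, ports in compare_views(LOCAL_SCAN, REMOTE_SCAN).items():
        print("%-18s %s" % (category, ports))
```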



Re: dual NICs

2001-05-15 Thread Phil Brutsche

A long time ago, in a galaxy far, far away, someone said...

 You can not have 1 NIC with 2 IPs simply not possible,

Perfectly possible.

The mail server at work has 3 IPs.  One of the ethernet ports on the
firewall has 2 IPs.

Think IP aliases (the old & more established way):

ifconfig eth0
ifconfig eth0:0
ifconfig eth0:1

as well as primary/secondary/tertiary/whatever addresses on each interface
(the new way):

ip addr add <ip number 1>/24 broadcast <broadcast 1> dev eth0
ip addr add <ip number 2>/24 broadcast <broadcast 2> dev eth0
ip addr add <ip number 3>/24 broadcast <broadcast 3> dev eth0

 i think u can buy network cards with up to 4 ports that all act alone,
 or something similar...

I've used Dlink's 4 port cards (they're really 4 individual ethernet
adapters on a single card, each with its own IRQ & IO port, as well as
some glue to make the card look like a totally separate PCI bus), and I
hear Adaptec and Intel make them as well.

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc



Re: Samba 2.2.0 and Debian 2.2r3

2001-05-11 Thread Phil Brutsche

A long time ago, in a galaxy far, far away, someone said...

 Hi all..

 Unstable has Samba 2.2.0 but it requires a newer version of libc than is
 supplied with 2.2r3. I'm a bit anxious  about upgrading lib6 so I got the
 sources and compiled Samba under 2.2r3. It compiled fine. Anyone know of any
 issues to be aware of?

Yes: It's almost too damn new.  Unless you need the capabilities Samba
2.2.x has over Samba 2.0.9, you should be running Samba 2.0.9 until the
2.2.x tree has seen more testing (unless, of course, you've been testing
it yourself for a while).

Beyond that... it works great on the systems I have at home.  The ability
to change file permissions from the Windows GUI rocks :)

 I really need the new Samba in an attempt at ditching a few NT
 Servers!

You'll thank yourself.  One of the most problematic boxes at work is the
WinNT file server...

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc



Re: IDE raid - which is better ?

2001-05-09 Thread Phil Brutsche

A long time ago, in a galaxy far, far away, someone said...

 Hi,

 I am putting together a workstation which will have raid.  I found the
 following vendors which have ide raid controllers:

 www.promise.com  (fastrack100)
 www.3ware.com(escalade 3w-6200)

 I will be doing raid 0 (striping) strictly for performance.  Does anyone
 have experience with these cards or any other cards?  Any
 recommendations/comments welcome.

Avoid the Promise FastTrak for RAID under anything except Windows.  Its
driver, besides being totally closed-source and RedHat specific, has been
known to cause data corruption, and have huge performance penalties
(poor locking etc).

Note, however, that the non-RAID Promise cards totally rock :)

I've never used one of the 3ware cards, but I've heard good things about
them.

My opinion is that you should simply use one of the non-RAID cards with
Linux's native software RAID0 or RAID1 code.

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc



Re: Debian on a NeXt and HP workstations ?

2001-04-29 Thread Phil Brutsche

A long time ago, in a galaxy far, far away, someone said...

 Is it possible to run Debian (or any other Linux dist. for that matter)
 on a NeXt workstation ?

No.

The processor isn't a problem (it's just a motorola 680x0 processor) but
the rest of the system (memory controller, DMA, drive access, among other
things) were seriously lacking in the kernel.

Don't expect to be able to do anything related to putting Linux on it
until there's good kernel support.

 What about on an HP 712/100mhz Workstation ?

Ditto.

 What about running any of the BSD family of OSes on either of these two
 systems ?

NetBSD might work on the HP; not likely on the NeXT.  Ditto with OpenBSD.
If it's not a PC or an Alpha don't even think about FreeBSD.

The best operating systems for them will be the ones they came from the
factory with (or rather, a couple revisions behind the latest that'll run
on it).  That means the latest NeXTStep/OpenStep you can find, or find a
kind soul to provide you with HP-UX media (OpenStep runs on HP hardware).

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc



Re: How to move from Netscape localmail to maildir's?

2001-04-20 Thread Phil Brutsche

A long time ago, in a galaxy far, far away, someone said...

 I am in the process of moving my mbox files, used in Netscape for Win
 local storage, to Maildir format.

 Any ideas? thoughts?

Connect NS to a Maildir-aware imap server

 I tried using NS to copy all the local folders to the imap server but
 NS keeps crashing.

Use either pine or mutt to do it - they both can read NS mail folders
natively and talk to IMAP servers just fine.

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc



Re: iptables and domain services...

2001-04-19 Thread Phil Brutsche

A long time ago, in a galaxy far, far away, someone said...

 I am trying to set up a firewall on my server and am having trouble
 with one of my iptables rules.

 I can set up all the rules that I like, but I can't seem to get this
 one to work:

 # iptables -A INPUT -p udp --dport 53 -j ACCEPT
 (or the OUTPUT equivalent)

So you're running a DNS server?

 When I add this to my INPUT chain, and I type: iptables -L  It waits
 for 10 - 15 seconds to display the first rule, then 10 - 15 seconds
 for the second rule...etc etc etc.  I have a LOT of rules.

 When I add this to my OUTPUT (and only the OUTPUT) chain, when I type:
 iptables -L  it displays all my INPUT, and FORWARD rules instantly,
 but then pauses on the first OUTPUT rule like it does on the INPUT
 chain.

iptables is just trying to resolve the ip numbers in your rules.
iptables -L -n will change that.

 I have no trouble if I set the policy of the chain in question to
 ACCEPT, I have no trouble.

 Am I missing something?  I NEED to let domain into my box.  What am I
 doing wrong?

If the policy on the INPUT chain is DROP or REJECT try making this the
first rule in your INPUT chain:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

You should run

iptables -I INPUT 1 -m state --state ESTABLISHED,RELATED -j ACCEPT

if you don't clear your INPUT chain first.

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc



Re: iptables and domain services...

2001-04-19 Thread Phil Brutsche

A long time ago, in a galaxy far, far away, someone said...

  iptables -A INPUT -p UDP --source-port domain -j ACCEPT

 Huh?  That is completely untrue.  If that was the case then any program
 that wished to lookup hosts in the DNS would need to be run as root
 (ordinary users don't have access to port 53, remember).

Perfectly true.  With DNS, the query goes to port 53; the response comes
from port 53 on that same DNS server.

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc



Re: firewall log messages

2001-04-19 Thread Phil Brutsche

A long time ago, in a galaxy far, far away, someone said...

 Packet log: input REJECT eth0 PROTO=17 65.6.x.x:513
 65.255.255.255:513
 L=160 S=0x00 I=20143 F=0x T=64 (#5)
 24.7.73.5 sent an invalid ICMP error to a broadcast.
 24.7.73.5 sent an invalid ICMP error to a broadcast.

 where the 65.6.x.x is my address.

 Why are these coming?

Someone broadcasted them :)

 Are they warning me of something important? and if not, can I send
 them to a log instead of my console?

I wouldn't worry about the blocked UDP packet.

The ICMP messages are because a... weird system is spewing garbage.  VMS
is one such system :)  Harmless, but annoying and ugly if you look at the
raw logs often.  Putting

net.ipv4.icmp_ignore_bogus_error_responses = 1

into /etc/sysctl.conf and rebooting should make the messages go away.
Running

sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1

as root will make that change immediate.

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc



Re: full duplex ethernet ?

2001-04-19 Thread Phil Brutsche

A long time ago, in a galaxy far, far away, someone said...

 That could be, although these are brand new Netgear cards (EA201 or
 something like that).

Even these days, automatic negotiation is problematic.

If this is a managed switch, it would be easier to force the port to the
desired speed rather than try to get the card & switch to autonegotiate.

*Especially* if the ethernet card is a 3com and the switch is a Cisco.

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc



Re: Exim PAM SMTP Authentication, help!

2001-04-10 Thread Phil Brutsche

A long time ago, in a galaxy far, far away, someone said...

 Hi,

 I'm trying Exim to authenticate users for mail relay using the SMTP
 AUTH interface. I've recompiled the Debian Exim 3.12-10 source package
 with the standard/default settings and only added the TCP Wrappers and
 PAM support. The exim and eximon packages generated successfully and
 installed fine. Only what else should I do now to allow exim to use
 PAM? I've set up the fixed_plain and fixed_login entries in the conf
 file with the server_condition for fixed_login (which is what Outlook
 uses) as follows:

   server_condition = \
   ${if pam {$1:$2}{yes}{no}}

 The authentication log returns the following error when I try to
 authenticate:

 PAM_unix[24311]: authentication failure; (uid=8) - **unknown** for exim 
 service

 I've set up an exim config file in the /etc/pam.d/ dir with auth and
 account required. From the above (and the spec.txt file in the exim
 docs) it looks like it expects an exim user with UID 8 to initialise
 the PAM service, but mail is already specified as the UID 8 GID 8 and
 I don't know what'll break if I rename mail to exim. Is it possible to
 create a user alias ? i.e. exim and mail is really the same user, same
 passwd etc ?

The problem isn't the in the name of the user that exim runs as, it's the
UID.  To be able to authenticate against the information in /etc/shadow
exim must run as root.

Put

exim_user = root

in exim.conf, restart exim, and try again.

 Also am I approaching this PAM authentication right?

For the most part.

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc



RE: Exim PAM SMTP Authentication, help!

2001-04-10 Thread Phil Brutsche

A long time ago, in a galaxy far, far away, someone said...

 But isn't that a bad thing(tm) ?

It can be.

 Surely you must be able to get a simple yes no on auth out of PAM with
 it rather doing things as root?

Sure, PAM works fine without exim running as root - I've had exim
authenticate off SQL databases via PAM, with exim running as the user
mail.

But exim *must* run as root to be able to authenticate using the system
passwords in /etc/shadow.  I know of no way around it, except for making
/etc/shadow world readable, which is even more dangerous than having exim
run as root.

There is another way to do it, but it requires knowledge of perl, exim
compiled with perl support, and a small program to handle the PAM
authentication.

You can skip the perl part if you can find a way to get exim run an
external program directly for authentication, but I don't know right off
hand if there's a way to do that.

 I'd prefer not running Exim as root to prevent any possible exploits ...

Understandable, but sometimes unavoidable.

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc



Re: Exim PAM SMTP Authentication, help!

2001-04-10 Thread Phil Brutsche

A long time ago, in a galaxy far, far away, someone said...

 Why is this?  It would seem that unix_chkpwd would be able to do this,
 and afaik, pam_unix uses it automatically.  At least, it did on RHL.

unix_chkpwd only authenticates the calling uid.  It won't work for general
use ie for exim to authenticate.

 Am I missing something in the way Debian stuff is set up?  Hmmm... it
 looks like it may only let you auth against the id calling it, which
 would explain the difficulty.  Though a similar program should be
 written to do the same, so other programs can run without root.

And one has.  Hence my suggestion to use the perl capabilities of exim, so
that such a program can be used for authentication.  I can make the
sources available under the GPL, if you like.

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc



Re: ?!: 2.4 kernels, modules_install

2001-03-25 Thread Phil Brutsche

A long time ago, in a galaxy far, far away, someone said...

 Hi gang!

 It seems the behavior of make modules_install has changed
 radically with linux 2.4. Or is it just me?

No, the make modules_install behavior changed.  Read
Documentation/Changes from the kernel source tree for the recommended
package versions for use with 2.4.x.

 Any ideas?

Install the modutils from testing (I don't know what version that is right
off hand).

I've been using modutils 2.4.2 from unstable - I put the .deb I've been
using on my machines at
http://tux.creighton.edu/~pbrutsch/modutils_2.4.2-1.potato.1_i386.deb

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc



Re: confused on CIPE tunneling, please help

2001-03-20 Thread Phil Brutsche

A long time ago, in a galaxy far, far away, someone said...

 How do I set the following up for my network

 Office A
 outside ip: 62.xxx.xxx.2
 isp gateway: 62.xxx.xxx.1
 lan interface: 192.168.1.1
 inside ip's: 192.168.1.0/24


 Office B
 outside ip: 64.xxx.xxx.129
 isp gateway 64.xxx.xxx.128
 lan interface: 192.168.0.1
 inside ip's: 192.168.0.0/24

 This is an example, but help me plug my own numbers in:

 Next, you start the CIPE-daemon on each machine:

 [EMAIL PROTECTED] ciped-cb me=10.0.0.1:6789 peer=10.0.0.2:6543 ipaddr=10.0.1.1 ptpaddr=10.0.1.2
 [EMAIL PROTECTED] ciped-cb peer=10.0.0.1:6789 me=10.0.0.2:6543 ptpaddr=10.0.1.1 ipaddr=10.0.1.2

The values for me and peer need to be the *public* ip numbers.  The
command lines should look like this:

for host A:

ciped-cb me=62.xxx.xxx.2:6789 peer=64.xxx.xxx.129:6543 ipaddr=10.0.1.1 ptpaddr=10.0.1.2

for host b:

ciped-cb me=64.xxx.xxx.129:6543 peer=62.xxx.xxx.2:6789 ipaddr=10.0.1.2 ptpaddr=10.0.1.1

And don't forget to specify your encryption keys.

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc



Re: Hi Phil, getting close

2001-03-20 Thread Phil Brutsche

A long time ago, in a galaxy far, far away, someone said...

 || Network A
 eth0=62.xxx.xxx.2
 eth1=192.168.1.1
 dhcp=192.168.1.0/24 from 192.168.1.100 to 192.168.1.200
 servers in network are static...
 ||
 so for host a I entered:
 ciped-cb me=62.xxx.xxx.2:6789 peer=64.xxx.xxx.129:6543 ipaddr=192.168.1.1 ptpaddr=192.168.0.1

You can't have the IP of one end of the VPN be the same as the IP of one
of the ethernet adapters.

 || Network B
 eth0=64.xxx.xxx.129
 eth1=192.168.0.1
 dhcp=192.168.0.1/24 from 192.168.0.100 to 192.168.0.120
 servers in network static...
 ||

 for host b:
 ciped-cb me=64.xxx.xxx.129:6543 peer=62.xxx.xxx.2:6789 ipaddr=192.168.0.1 ptpaddr=192.168.1.1

Ditto.

 after each command line is entered in each machine..cipcb0 appears in
 ifconfig on one machine.  The other one panics and drops the network or
 route.  Have to reboot it.

It shouldn't crash like that (it should give you an error instead) but
*why* it crashed is understandable.

 Chain input (policy ACCEPT):
 Chain forward (policy DENY):
 target prot opt source           destination   ports
 MASQ   all  --  192.168.1.0/24   anywhere  n/a
 Chain output (policy ACCEPT):

  And don't forget to specify your encryption keys.

 I noticed that /etc/cipe doesn't exist.  I created it, and placed a file
 called options with a duplicate key on both machines.  BEFORE I ran the
 cipe-cb commands

You have 2 problems

1) The IP numbers you chose for the VPN are the same as the IP numbers of
the ethernet interfaces.  That's not good.

Since you use 192.168.1.1 as the internal interface of one firewall, and
192.168.0.1 as the internal interface of the other firewall, you can not
use those IP numbers for the VPN.

For my vpn, the LANs have the IP number ranges 192.168.0/24, 192.168.1/24,
and so on.

The VPN endpoints have IP numbers in the 192.168.254/24 range.

One end looks like this:

eth0: Internet connection - 24.22.x.y
eth1: Internal connection - 192.168.0.1
cipcb0: VPN endpoint - 192.168.254.1
route added to get to 192.168.1/24 using 192.168.254.2 as a gateway

The other looks like this:

eth0: Internet connection - 147.134.x.y
eth0: Internal connection - 192.168.1.1
cipcb0: VPN endpoint - 192.168.254.2
route added to get to 192.168.0/24 using 192.168.254.1 as a gateway

2) Your ipchains rules aren't quite right - you're blocking packets that
you're trying to forward over the VPN.

On both firewalls you need to add

ipchains -A forward -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT

for the packets to get through to each vpn.

 Is that right.  I am really sorry to bother u, I am new to cipe but not to
 debian, I am sure my kernel and modules are running fine, just need a good
 KICK in the right direction.  I can feel that i am close.

 Any reason why one machine would freeze, and do i have everything kinda
 close, or should I give up?

It's very close.

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc

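The addressing rules from the two CIPE replies above (public addresses for me= and peer=, tunnel addresses that are not already on an ethernet adapter, each end mirroring the other), as an added example that is not part of the thread: a checker for a pair of ciped-cb command lines. The masked public addresses are replaced with constructed documentation addresses, and the function names are hypothetical.

```python
import ipaddress
import shlex

# RFC 1918 ranges: not usable as me=/peer= when the tunnel crosses the Internet.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_ciped(cmdline):
    """Parse 'ciped-cb key=value ...' into a dict of address objects."""
    opts = {}
    for token in shlex.split(cmdline)[1:]:
        key, _, value = token.partition("=")
        if key in ("me", "peer"):             # ip:port carrying the tunnel
            host, _, port = value.rpartition(":")
            opts[key] = (ipaddress.ip_address(host), int(port))
        elif key in ("ipaddr", "ptpaddr"):    # addresses on the cipcb0 link
            opts[key] = ipaddress.ip_address(value)
    missing = {"me", "peer", "ipaddr", "ptpaddr"} - set(opts)
    if missing:
        raise ValueError("missing options: " + ", ".join(sorted(missing)))
    return opts


def check_pair(cmd_a, cmd_b, ethernet_addrs):
    """Return a list of problems found in the two ends of one tunnel.

    ethernet_addrs: every address already bound to an ethernet adapter on
    either firewall (eth0 and eth1 in the thread).
    """
    a, b = parse_ciped(cmd_a), parse_ciped(cmd_b)
    taken = {ipaddress.ip_address(x) for x in ethernet_addrs}
    problems = []
    for name, end in (("A", a), ("B", b)):
        for key in ("me", "peer"):
            ip = end[key][0]
            if any(ip in net for net in RFC1918):
                problems.append(f"{name}: {key}={ip} is RFC 1918, not a public address")
        for key in ("ipaddr", "ptpaddr"):
            if end[key] in taken:
                problems.append(f"{name}: {key}={end[key]} is already an ethernet address")
    # Both ends must describe the same tunnel, seen from opposite sides.
    if a["me"] != b["peer"] or a["peer"] != b["me"]:
        problems.append("me/peer are not mirrored between A and B")
    if a["ipaddr"] != b["ptpaddr"] or a["ptpaddr"] != b["ipaddr"]:
        problems.append("ipaddr/ptpaddr are not mirrored between A and B")
    return problems


# Constructed sample data. 203.0.113.2 and 198.51.100.129 stand in for the
# masked 62.xxx.xxx.2 and 64.xxx.xxx.129 of the thread.
ETHERNET = ["203.0.113.2", "192.168.1.1", "198.51.100.129", "192.168.0.1"]

# The layout that made one firewall drop off the network.
BROKEN_A = ("ciped-cb me=203.0.113.2:6789 peer=198.51.100.129:6543 "
            "ipaddr=192.168.1.1 ptpaddr=192.168.0.1")
BROKEN_B = ("ciped-cb me=198.51.100.129:6543 peer=203.0.113.2:6789 "
            "ipaddr=192.168.0.1 ptpaddr=192.168.1.1")

# Same tunnel with endpoints moved to the separate 192.168.254/24 range.
FIXED_A = ("ciped-cb me=203.0.113.2:6789 peer=198.51.100.129:6543 "
           "ipaddr=192.168.254.1 ptpaddr=192.168.254.2")
FIXED_B = ("ciped-cb me=198.51.100.129:6543 peer=203.0.113.2:6789 "
           "ipaddr=192.168.254.2 ptpaddr=192.168.254.1")

# The copied example whose me=/peer= were private addresses.
HOWTO_A = "ciped-cb me=10.0.0.1:6789 peer=10.0.0.2:6543 ipaddr=10.0.1.1 ptpaddr=10.0.1.2"
HOWTO_B = "ciped-cb peer=10.0.0.1:6789 me=10.0.0.2:6543 ptpaddr=10.0.1.1 ipaddr=10.0.1.2"

if __name__ == "__main__":
    for label, pair in (("broken", (BROKEN_A, BROKEN_B)),
                        ("fixed", (FIXED_A, FIXED_B)),
                        ("howto", (HOWTO_A, HOWTO_B))):
        found = check_pair(pair[0], pair[1], ETHERNET)
        print(label, "->", found or "ok")
```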


Re: Hdparm and 2.4 kernel

2001-03-19 Thread Phil Brutsche

A long time ago, in a galaxy far, far away, someone said...

  Even more generally you shouldn't need to use hdparm with 2.4.x kernels.
  2.4.x has much better IDE support.

 I get much better benchmark results with DMA set on.

Yes you will but you still don't need hdparm to set DMA mode.

Kernel 2.4 is *very* good at doing that automatically, provided you have
your kernel compiled right.

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc



Re: Hdparm and 2.4 kernel

2001-03-18 Thread Phil Brutsche

A long time ago, in a galaxy far, far away, someone said...

 I'm having trouble using hdparm (versions 3.6 and 4.1) on a Debian
 Potato system.

 When I do:

 hdparm -d1 /dev/hda

 The message is: HDIO_SET_DMA failed: Operation not permitted.

 Does anybody have any suggestions why? The same hardware worked with
 DMA under Linux on Mandrake 7.0 (LX chipset + Maxtor disk drive)

 Even compiling my own version of hdparm doesn't help.

Generally you need to be root to use hdparm.

Even more generally you shouldn't need to use hdparm with 2.4.x kernels.
2.4.x has much better IDE support.

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc



Re: Linux Network Security: POP

2001-03-18 Thread Phil Brutsche

A long time ago, in a galaxy far, far away, someone said...

 Having a cable modem I'm concerned with the fact that when I use email my
 password is sent in clear text over the network. I've heard that there were
 other services that could be used instead of POP but I'm not sure if that can
 be used here if my provider doesn't support it.

If your provider doesn't support it you're pretty much SOL.

 For my email I use my providers POP server. For sending email I also use
 their server. Though in the past I used sendmail, can someone tell me the
 advantages of using one over the other?

Disadvantage of using sendmail:  these days sending email direct from a
dial-up line is frowned upon.  On the other hand, sendmail can be
configured to simply cache the connection going to an upstream mail
server.

Advantage: better control over your own email.

 Also, is there any way I can encrypt the passwords being sent without the
 provider taking any needed steps to enable me to do so?

If your provider isn't using a Unix-type system with ssh installed, or
doesn't have SSL-enabled IMAP, SMTP, and POP daemons, you're stuck.

You should try to contact your ISP - they may be willing to consider
setting something up.  Especially the SSL-enabled daemons - Windows
supports that better than making a vpn with ssh.

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc



Re: Linux Network Security: POP

2001-03-18 Thread Phil Brutsche

A long time ago, in a galaxy far, far away, someone said...

 unless they changed something in the last year or so, come to alaska
 and get GCI's cable modems, i have personally seen where every packet
 sent across the network is happily deposited into my friend's
 lan. (this was a while ago though)

No, Nathan's right - the DOCSIS units don't allow much sniffing to go on.

On my own cable modem all I see is my own traffic and a lot of ARP traffic.

 though in many cases you don't need to do any sniffing since they also
 bridge unrouteable protocols like appletalk and netbios, simply hook
 up a mac or windows box and go poking around all the hundreds of wide
 open shares. or run your neighbors appletalk printer out of paper...
 (or did they do something about this too?)

Some are starting to do something about it.  I've heard that @Home is
starting to block NetBIOS/TCP traffic; I'm sure it's not a big step to
block non-IP/IPv6 traffic from there.

 well when you ask GCI if they could please route mail worth a damn
 they say `im sorry that cannot be done' ;-)  same thing with `can you
 please avoid regular week long failures of your network?'

Work around the breakage :)  Ask someone you know & trust to relay your
mail for you over ssh or ssl/tls-enabled daemons.

 clueful isp? wuahahahahahaHAHAHHAHAHAHAHHAHAH

 those are as extinct as the dinosaurs. :/

Aren't they (a clueful ISP) one of those nearly mythical creatures only
fabled to exist, like a unicorn?

BTW, I find that all the clue drains from the ISPs and accumulates at the
one or two universities present in each large city :)

 using your isp's mail service runs you the risk of having very large
 quantities of your mail simply dropped in the bit bucket without you
 ever knowing about it.  my isp recently added murphy.debian.org to
 their silent bitbucket list, i cannot be sure they don't have more
 machines on such a thing.  (it was hard enough to convince them that i
 KNEW they were throwing away mail, they tried to just blow me off,
 when i started talking about having no such problems getting the mail
 from another machine out of state they decided to fix the problem
 rather than risk me coming down there to lart them personally)

There's an unwritten rule that if something breaks they don't do anything
about it until someone yells loud enough or it affects their entire
network. ;)

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc



Re: CIPE requirements

2001-03-16 Thread Phil Brutsche

A long time ago, in a galaxy far, far away, someone said...

 I have a box w/ 2.2r2 installed w/ stock 2.2.14 kernel.  I download the
 cipe.tar and unzipped.  Ran ./configure and got the message that there is
 no suitable configured kernel include tree found.

 What does that mean?

 Do I need to install a kernel-image from dselect or compile my own kernel in
 /usr/src?

No

As long as you're running the idepci 2.2.18 kernel you can use the module
in the archive http://tux.creighton.edu/~pbrutsch/cipe.tar.gz

I don't know if you got my last message; here it is again:

Date: Wed, 14 Mar 2001 23:27:45 -0600 (CST)
From: Phil Brutsche [EMAIL PROTECTED]
To: Nick [EMAIL PROTECTED]
Subject: Re: need pptp tunnel for win nethood ADVISE!

A long time ago, in a galaxy far, far away, someone said...

 I have a box w/ 2.2r2 installed w/ stock 2.2.14 kernel.  I download the
 cipe.tar and unzipped.  Ran ./configure and got the message that there is no
 suitable configured kernel include tree found.

 What does that mean?


You need a properly configured kernel source tree in /usr/src/linux

These are (approximately) the steps I performed:

apt-get install kernel-source-2.2.18pre21 kernel-patch-2.2.18pre21-ide
cd /usr/src/
tar xvfI kernel-source-2.2.18pre21.tar.bz2
tar xvfz <path to cipe source archive>/cipe-1.5.1.tar.gz
bzip2 -dc kernel-patches/i386/2.2.18pre21/ide.bz2 | patch -p0
cd linux
cp /boot/config-2.2.18pre21-idepci .config
make menuconfig (exit immediately, saving changes)
make dep
cd ../cipe-1.5.1
./configure
make
make install

You should have a /usr/local/sbin/ciped-cb, a
/lib/modules/2.2.18pre21-idepci/misc/cipcb.o, and the directory structure
/etc/cipe/.  There are examples on the web site and in the cipe source
tree on how to configure it.

  Oh, and I strongly recommend that you *not* use 2.2.14 - it has some
  security holes and (iirc) disk corruption issues.  I would also avoid both
  2.2.17 and 2.2.18 - 2.2.17 has performance problems, and they both have
  problems with their VM subsystems.

 My problem is, I am using a AV7 asus board w/ ata100 promise embedded.
 The only kernel I can get to work is the 2.2.18pre21-idepci

Ah...

Download http://tux.creighton.edu/~pbrutsch/cipe.tar.gz and extract it
into your root directory.  The archive contains the kernel module compiled
against 2.2.18pre21-idepci, the user-level portion of the vpn software,
and the directory structure /etc/cipe/, which is where the cipe daemon
expects the config files to be.

Then just do modprobe cipcb as root.  The kernel module loads fine on my
machine.

The user-level program ciped-cb is under /usr/local/sbin.  Once you've
created the options file for the vpn, just run it on each firewall.
Provided you have all the little details right (file permissions on
/etc/cipe/ and the files underneath it are right, holes in your ipchains
to let the ciped-cb daemons talk through, etc) you'll have yourself a vpn.

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc



Re: kmod and NAT broken in 2.4.1?

2001-03-15 Thread Phil Brutsche

A long time ago, in a galaxy far, far away, someone said...

 1) kmod shows no signs of working, though I did compile with this
 option on.  modprobe is able to load the necessary modules.

No idea 'bout that one - kmod just worked for me

 2) iptables NAT facility doesn't seem to work.  I have a line
 iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o eth1 -j SNAT
 --to-source x.y.z.q
 where eth1 is connected to my DSL (static IP) and x.y.z.q is the
 address assigned me.  When I trace a ping to x.y.z.1 from a local
 machine (running NT 4) it looks as if traffic on my router machine
 flows from eth0 (local subnet) to eth1 and then back to eth1, but
 that's the end of it.  ping works from the router machine.

With 2.4 such things don't work (trying to contact the external interface
of the firewall via an internal machine).  Beyond that it should work just
fine.

Do packets not get sent out eth1?

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc



Re: Functionality simular to FreeBSD's jails

2001-03-15 Thread Phil Brutsche

A long time ago, in a galaxy far, far away, someone said...

 No. chroot is not safe enough. I want to create virtual boxes in which
 I can give root rights to other people and I want to be sure that they
 can't break other boxes.

The closest Linux comes to FreeBSD's jail functionality is User-Mode
Linux.

The home page is http://user-mode-linux.sourceforge.net/.

What it is is a port of the 2.4.x Linux kernel to run as a user-level
application.  It creates a virtual machine with its own root file system,
root password, and so on.

The applications running in the virtual machine (eg BIND) have no way of
knowing that they are running in a virtual machine.  If the application in
the VM gets hacked, all the attacker gets to is the simulated root, and
has *no* access to the host machine (rather, as much access as the
administrator gives the vm).

Network access goes over a simulated lan on the host machine using Linux's
ethernet tap functionality.

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc



Re: kmod and NAT broken in 2.4.1?

2001-03-15 Thread Phil Brutsche

A long time ago, in a galaxy far, far away, someone said...

 I don't think I was trying to contact the external interface, but we may be
 using that word differently.

 My router has a card eth1 with address x.y.z.q, used both by me and the
 outside world (my external interface).  I am trying to pick x.y.z.1 on
 the DSL provider's network.  The packets do go out eth1 and back in, but
 they don't make the final return trip to eth0.

Ah...

Do this as root and try again:

sysctl -w net.ipv4.ip_forward=1

In /etc/network/options there is the line

ip_forward=no

Changing that to

ip_forward=yes

will cause Debian to perform the sysctl ... line above at boot.

If it still doesn't work, there's still another possibility:
/etc/network/options has the line

spoofprotect=yes

You may need to change that to

spoofprotect=no

and reboot (or

for VAR in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > $VAR; done

as root if you don't want to reboot).  Turning off rp_filter is important
if you're doing policy routing with Linux (it doesn't look like you are).

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc

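What the rp_filter setting named in the reply above decides, as an added example rather than code from the thread: a simplified model of the kernel's strict reverse-path check, run over constructed routing tables. Interface names eth0 and eth1 follow the thread; the addresses, the second uplink eth2 and the function names are assumptions.

```python
import ipaddress


def reverse_path_ok(routes, src, in_iface):
    """Strict reverse-path check, simplified.

    A packet is accepted only if the best (longest-prefix) route back to
    its source address leaves through the interface it arrived on.
    routes: list of (cidr, interface) pairs.
    """
    src = ipaddress.ip_address(src)
    matches = [(ipaddress.ip_network(net), dev) for net, dev in routes
               if src in ipaddress.ip_network(net)]
    if not matches:
        return False                      # no route back to the source
    _, best_dev = max(matches, key=lambda m: m[0].prefixlen)
    return best_dev == in_iface


def audit(routes, packets):
    """Return (source, interface, verdict) for each (source, interface)."""
    return [(src, dev, "accept" if reverse_path_ok(routes, src, dev) else "drop")
            for src, dev in packets]


# Constructed table for a NAT router like the one in the thread:
# eth0 is the local subnet, eth1 is the DSL side with the default route.
NAT_ROUTER = [("192.168.10.0/24", "eth0"), ("0.0.0.0/0", "eth1")]

# Constructed policy-routing case: a second uplink eth2 that owns the
# route to 198.51.100.0/24, while traffic from there may arrive on eth1.
DUAL_UPLINK = NAT_ROUTER + [("198.51.100.0/24", "eth2")]

PACKETS = [
    ("192.168.10.5", "eth0"),   # LAN host, arriving from the LAN
    ("192.168.10.5", "eth1"),   # LAN source address arriving from outside
    ("203.0.113.9", "eth1"),    # Internet host, arriving from outside
    ("198.51.100.7", "eth1"),   # asymmetric path when eth2 owns the route
]

if __name__ == "__main__":
    for label, table in (("single uplink", NAT_ROUTER),
                         ("dual uplink", DUAL_UPLINK)):
        print(label)
        for src, dev, verdict in audit(table, PACKETS):
            print(f"  {src:15} on {dev}: {verdict}")
```

With the single-uplink table only the LAN source address arriving on eth1 is dropped, which is the spoof protection that spoofprotect=yes provides; with the dual-uplink table the legitimate 198.51.100.7 packet is dropped as well, which is the policy-routing case where the filter has to be turned off.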


Re: need pptp tunnel for win nethood ADVISE!

2001-03-14 Thread Phil Brutsche

A long time ago, in a galaxy far, far away, someone said...

 hello list,

 I hope everyone is doing well.

 Here is my question for today, this applies to MCSE's and CCNA's

Well, not necessarily...  I know MCSEs and CCNAs that would be totally
lost on your question :)

 It is possible to tunnel the Network Neighborhood on a single domain in the
 following situation:
 a main office is connected to a remote office through DSL on both ends, using
 linux as the router, NAT, firewall on both ends.

If Linux is at both ends that makes it *so* easy.  Things get
interesting if one of the ends is, oh, a Cisco.  Or (shudder) a Windows
firewall.

[..]

 What makes this possible
 VPN, VLAN maybe.eh.anyone?? Special hardware, Frame-relay.

If you just need to connect two lans, a VPN is exactly what you need (a
vlan is something else entirely).  On Linux, there are generally 6 (well,
*I* can only think of 6 :) ways to do this.

1) IPsec - http://www.freeswan.org
2) MS' dreaded PPTP - http://poptop.lineo.com
3) vpnd - http://sunsite.auc.dk/vpnd/
4) cipe - http://sites.inka.de/~W1011/devel/cipe.html
5) vtun - http://vtun.sourceforge.net/
6) ppp over ssh

Of them, I've played with 2, 3, 4, and 6.

#1 (ipsec) is actually a generic method of encrypting communication
between two hosts.  Once you have it working, it's very simple to get a
vpn going.  IPsec is especially useful if you ever want to use internet
appliances like a NetScreen or a Cisco PIX to make a third vpn.  Keep in
mind, though, that the FreeSWAN people don't have any patches for the
2.4.x kernel series.

#2 (pptp) is IMO really a bad choice (poor encryption AND mismanagement of
the encryption keys :( ); you should implement it if and only if you need
Windows clients to dial into one or both of your lans.  It doesn't sound
like that will apply here.

#3 (vpnd) requires no kernel alterations, but can add quite a bit of
latency.  It is a small 60k executable, and 2 config files (a pre-shared
key, and the config file specifying IP #s and what not).  It required no
kernel modifications.

#4 (cipe) is currently my favorite.  It's just about as small and as
simple to configure as vpnd, but has lower latency.  It has a kernel
helper module.

#5 (vtun) appears to be very similar to cipe, but I've never used it.
vtun and cipe have very similar capabilities and feature sets.

#6 (ppp over ssh) is a fairly simple to configure method of encrypting ppp
traffic - you establish the ssh session, then push the ppp data (just a
bunch of characters) over that link.  It does incur quite a bit of
overhead, however.

Oh, and the fact that you need to do this for a Windows environment
doesn't matter much, as long as all the traffic being moved is something
over IP.  In fact, you would configure Windows just as you would if your
WAN was implemented with dedicated telco hardware.

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc



Re: goin from 2.4.2 to 2.2.xx again

2001-03-13 Thread Phil Brutsche

A long time ago, in a galaxy far, far away, someone said...

 hi.

 last week my boss saw something on linuxtoday and he installed 2.4.2
 on a new server(not yet in production). now im going to downgrade it
 back to 2.2.xx. my Q is -- is it better to just remove the packages
 related to 2.4.2 and reinstall the 2.2. packages or is the dpkg
 --force-downgrade workable?

I would remove the 2.4.x version then install the 2.2.x version ie:

dpkg --force-depends --purge (or maybe --erase) modutils
apt-get install modutils

Just make sure you have potato entries in sources.list.  FYI there is
really only 1 package (in my experience, at least) that will need to be
added/upgraded for 2.4.x to work:

modutils

And, depending on the needs of the host:

iptables
ppp

On most of my servers only modutils will need to be/has been updated to
the modutils-2.4.x.

 i haven't checked which packages were updated and am uncertain(yet) as
 to if i can just remove them and replace them without breaking some
 things inbetween(maybe they are vital or something). i would be doing
 this over a network as the server is about 5000 miles away.

Who said anything about packages?

Just build a 2.2 kernel for the thing, put the needed files in a tarball,
scp, extract, lilo (or whatever bootloader you use), reboot.

 he got the packages from a recent post by someone who made an apt
 archive for 2.4. eventually i will use 2.4 but probably won't start
 testing it for another 3-6 months at the earliest.

Good idea.  Start testing with 2.4.3 :)  2.4.2 is great but has problems
with loopback filesystems.  That's what I would do, at least - however,
I'm not as... conservative as you are.

 ideally i want to be able to remove all of the 2.4.x related packages,
 purge them and install 2.2.x related packages. even if the 2.4.x
 packages work with 2.2.x i'd much rather stick with potato's revs as i
 have no need for the 2.4.x specific stuff (and who knows maybe i will
 want to boot a 2.0.x kernel :/)

Blasphemy! :)  Especially since 2.0.x kernels have trouble booting (or
even working) on a lot of modern hardware (ie Athlon)

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc



Re: Moving redhat - debian

2001-03-10 Thread Phil Brutsche

A long time ago, in a galaxy far, far away, someone said...

 We are going to move one of our production servers
 from redhat (basically 6.1 upgraded to 6.2) to debian (potato 2.2r2).
 It works as a samba server (over 120 accounts, printing included as well)
 and oracle server.

 I know there shouldn't be any (big) problems but has anybody done
 something like that? Any experience? Clues?

Oracle likely won't work anymore.

Beyond that it's just learning the differences between Debian & RedHat.

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc



Re: tulip and kernel 2.4.2

2001-03-08 Thread Phil Brutsche

A long time ago, in a galaxy far, far away, someone said...

 I recently compiled kernel 2.4.2 and am having a difficult time getting
 the tulip driver module to load.  The module loads fine using kernel
 2.2.18 (from /etc/modules) without passing any parameter arguments.
 However, even when I try to load the module using irq and io values, it
 fails to load.

Not surprising - the tulip driver was almost totally rewritten for 2.4.x
and I'm sure there are still some cases where it doesn't work like the
2.2.x driver did.

 I checked ifconfig and it told me that my ethernet card has a base
 address:
 0x7000 and an interrupt of 10.

 When I type modprobe tulip io=0x7000 irq=10 it says that this is an
 invalid io_parm.

Not needed with PCI cards; since tulip cards are pci only, tulip.o doesn't
know what io= and irq= mean.

 I do not know if it helps, but it also says that the MMIO region
 unavailable, aborting.

That means that the card was detected but the driver couldn't use the
resources the PCI bus set the card for.

Tried moving the card to a different PCI slot?

 If anyone has any ideas about what the problem might be, I would
 appreciate it.  I combed the archives back through december and could
 not find any advice for a similar problem.

Posting the dmesg output after a failed driver load would be a great place
to start :)

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc




Re: rc.local equivalent

2001-03-07 Thread Phil Brutsche

A long time ago, in a galaxy far, far away, someone said...

 A couple of days ago  someone asked the question that was in the back of my
 mind, but I don't recall seeing the answer/s.

 In Red Hat and some other Red Hat like distributions the path sequence

 /etc/rc.d/init.d/rc.local

 can be used to execute your custom scripts and/or start daemons at boot
 time, that is they are run out of rc.local

 The person was asking what/where is the place where one does this kind of
 thing in Debian?

Debian doesn't have one.

I usually make /etc/rc.local manually and make /etc/rc2.d/S99rc.local a
symlink to that.

 I cannot find /etc/rc.d

 There is an   /etc/rc.boot

 and a /etc/init.d

 If I wanted to start the printer daemon at boot time where would I put the
 following

 lpd   start

 You can also use  rc3.d   to start the lpd daemon in the Red
 Hat way of doing things - is this the answer?

Basically

RedHat tends to use the nonstandard runlevel 3 (ie /etc/rc.d/rc3.d, or
/etc/rc3.d if you're using RH 7.x) while Debian defaults to the standard
runlevel 2 (ie /etc/rc2.d).

standard or nonstandard in this case being compared to other Unix
implementations that use the SysV init (ie Irix, Solaris, HP-UX, etc).

 This appears to be an area where things are done differently in Red Hat
 versus Debian

One of them.

Basically everything under /etc/rc.d on RedHat is under /etc on Debian.

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc



Re: DNS caching only name server: 1 simple question

2001-03-07 Thread Phil Brutsche

A long time ago, in a galaxy far, far away, someone said...

 I've recently learned how-to configure BIND as a DNS caching-only
 server. So far the DNS caching server configuration of BIND has proven
 to be awesome!!  That combined with a few TCP/IP tweaks in the /proc
 filesystem and this Penguin flies :-D

:)

 Throughout my testing I've only encountered one problem. Perhaps some of
 you might have some advice on it.


[caching dns setup]

 The problem that I am encountering is that whenever I reboot, my ISP's
 DHCP  server re-assigns the nameserver IP addresses, even though the
 IP's of my ISP's DNS servers are static!!

 This in effect re-writes the /etc/resolv.conf file to:

 nameserver 199.185.220.36
 nameserver 199.185.220.52
 nameserver 199.80.55.1

You didn't mention how you connect to the internet, but it sounds like you
have a cable modem and get your IP/DNS info via DHCP.

All you really need to do is tell your DHCP client to override the DNS
servers provided by your ISP.

I don't know how to do this with pump; I use dhclient.  I got it to work
by putting

supersede domain-name-servers 127.0.0.1;

in /etc/dhclient.conf.

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc



Re: potato and kernel 2.4.1

2001-03-03 Thread Phil Brutsche

A long time ago, in a galaxy far, far away, someone said...



 I have a fresh installation of Debian 2.2r2(Potato) with kernel
 2.2.18pre21. I compiled and installed kernel 2.4.1 (following
 the instructions given in kernel-package) It installed fine..
 but when i boot it , it can't find any modules! the mods are
 installed in /lib/modules/2.4.1

 How can i get 2.4.1 to work with potato?

You need the modutils from woody to be able to use 2.4.x on potato.  Some
others may need to be updated; which depends on your particular
requirements.

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc



Re: HELP! VM?

2001-02-28 Thread Phil Brutsche

A long time ago, in a galaxy far, far away, someone said...

 Hello everyone...
 Right back from work, seeing that our file / print server running Debian
 2.2r1 lately is, like, DOS'ing itself frequently each day while filling the
 local tty same as the log files with error messages like

 VM: do_try_to_free_pages failed for process-name

 For what I already know about Linux kernel, I assume that VM == virtual
 memory management, and I also more or less understood this paging thing...
 My question: *Why* is this happening, where to lay my hands on to get this
 fixed? Is it a problem of my system RAM, of the swap partition or of system
 kernel on this rather strange system motherboard (some older system out of
 a former server by Acer )?
 It's sort of annoying, this thing, since each time the system is spitting
 out those messages, the server is not available for any network or local
 request... Any help, hints or whatever would be kindly appreciated. :)

This is a known problem with kernels 2.2.17 and 2.2.18.

The solution is to use a different kernel revision.  I've had very good
results with 2.2.16 (which theoretically has the do_try_to_free_pages
problem, but has never manifested itself), and the 2.2.19 prereleases
(2.2.19pre14 is current) have an actual fix for the problem.

It's reported that 2.2.19 will be official this week.

I've also had good luck with the new 2.4.x series of kernels.  Keep in
mind that 2.4.x is not officially supported on Debian 2.2, thus Debian 2.2
will need a few updates for 2.4.x to work correctly.

If you decide to go with 2.4.x, go with 2.4.2 as there are security & disk
corruption problems fixed in that release.

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc



Re: D-Link DFE-530TX Probs W. 2.4.2

2001-02-24 Thread Phil Brutsche

A long time ago, in a galaxy far, far away, someone said...

 I just compiled a 2.4.2 kernel.  The compile went fine.  Ran lilo,
 rebooted...everything looking good.

 The big problem is that my NIC (a D-Link DFE-530TX) doesn't work.  I
 would like to elaborate on doesn't work, but I'm afraid I can't.

 I did cat /proc/pci and the NIC was listed there.  I noticed that it
 was sharing IRQ 10 with my USB controller, but I was told by someone
 in #debian on IRC that it wouldn't be an issue because I have USB
 disabled in my kernel.

On PCI devices sharing interrupts is generally not an issue, although it
can hurt performance.  Some OSs (Windows) don't like it.

tux.creighton.edu has the NIC and the USB controller sharing IRQ 19 (it's
a SMP system - on PCs they tend to go up to 24 IRQs rather than only 16)
and he doesn't even notice.

My workstation at home has PCI sound and USB on IRQ 12, and my G400 
ethernet on IRQ 11 (umm that must be why remote X11 goes slow...)...

 The driver that I have compiled into my kernel is via-rhine.  I am
 sure this is the right driver.  This NIC has been used under win 95,
 98 redhat 6.1 and debian.  I have tried a couple times to get this NIC
 to work with kernels I have built, but it never does.

It would help if you could give us any kernel messages you get.

More specifically, *how* do you know it doesn't work?

 Another thing that might be important is that this is a revision A
 board.  I've heard that rev B boards had some issues.

Wouldn't know - don't have any via-rhine cards.

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc



Re: rpm dependencies problem (yes, rpm!)

2001-02-22 Thread Phil Brutsche

A long time ago, in a galaxy far, far away, someone said...

 Hi,
 I'm trying to install a software-package on Debian potato. It's Novell
 NDS 8.5.

Unfortunately, Novell's NDS stuff probably won't run on Debian.  Yes, you
can debianize the .rpms, but the installer depends on glibc versions of
stuff like termcap (which debian only provides in libc5 form, a recompile
might work) and libcurses (which could probably be taken care of by a
symlink).  IIRC, of course :)  For all I know I could be getting all that
mixed up with iPlanet's (formerly Netscape's) directory server.

I'll be honest: I wouldn't trust any of that Enterprise stuff to run on
any distribution other than the one it was built for: RedHat 6.x.

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc



Re: sudo strangeness

2001-02-20 Thread Phil Brutsche

A long time ago, in a galaxy far, far away, someone said...

 Nope, still no password prompt  This is strange...

The line you're looking for is:

rvf ALL=PASSWD: ALL

If that doesn't work, something really is odd.

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc



Re: Upgrade from 2.2.0 to 2.2.2

2001-02-14 Thread Phil Brutsche

A long time ago, in a galaxy far, far away, someone said...

 Should there be an urgency to upgrade to 2.2r2 if you're just using
 debian 2.2 R0 as a workstation with samba. I am the only Linux
 workstation on the Lan so I am behind a firewall.

So?  Doesn't mean someone on a Windows/Mac system on your LAN won't be
able to exploit anything.

 I can't program yet except for Hello World in Java, C, and HTML
 (meaning I am very limited). I mainly use Netscape Gftp and
 Staroffice5.2 I have the 2.4.1 kernel installed and My system COOKS.

 This is a question I'm asking because I am relatively new and
 eager. I have a habit of trying things, and crippling my Systems.

I would say go for it.  The upgrade is painless.  I find it unlikely that
you'll cripple your system.

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc



Re: another quick question

2001-02-05 Thread Phil Brutsche

A long time ago, in a galaxy far, far away, someone said...

 Simple answer, remove the cable to the speaker from your computer's
 motherboard.

That's one way of doing it, but there may be other issues that would
cause problems (Debian on a computer he doesn't own ie a system at work,
voiding warranty, etc).

 But I don't know if it can be done with software afaik it can't

man setterm

In particular,

setterm -bfreq 0

should do it.

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc



Re: Cannot get iptables to work in 2.4.1 and compiling question.

2001-01-31 Thread Phil Brutsche

A long time ago, in a galaxy far, far away, someone said...

 Hi,

 I get the error command not found when I type iptables. I know I
 compiled every net option in the kernel (chose y).  What am I
 doing wrong? Not much to go on, I know

First, and hopefully most obvious question: is iptables installed?

 Also what does make modules do, does it create an image like make
 bzImage?

No.

 I have 2 comps running linux at home: a 1Ghz t-bird and a p166.
 Compiling on the p166 is painfully long.

A P1-166 isn't that slow - I used to marvel at how fast one of those
things was :)

 I would like to compile everything on the 1Ghz and then transfer the
 bzImage and the modules image (if there is one, following make
 modules) to the p166 and make modules_install there. Is that possible?
 Or would I need to make dep on both comps, make bzImage on the 1ghz,
 transfer the image and make modules and make modules_install on the
 p166?

What I usually do is make a kernel for the lowest common denominator (for
the P166) with the features each computer needs *at boot time* to get the
root fs, and take care of everything else with loadable modules.

I usually copy over the bzImage, and make a tar of
/lib/modules/kernelversion, copy the tar to the other computer, and
extract the modules in the right place.

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc



Re: Server Hardware?

2001-01-30 Thread Phil Brutsche

A long time ago, in a galaxy far, far away, someone said...

 Hi

 Say I have 3 debian servers
  one for samba
 one as a web server
 and one as a squid proxy...

 If money is a little bit of a concern ...
 what is the best type of hardware to use?
 For example
 which make of CPU?

Depends.  I would tend to go with an AMD Athlon just on the
price/performance ratio, but, presently, if you need a multi-cpu system
you don't have any choice but to go with Intel (SMP Athlon motherboards
aren't anywhere on the market yet, afaik).

It depends on how big you need to go.

 Which Motherboard?

Depends on the CPU and the details of the computer (ie 1 vs 2 cpus, AMD vs
Intel CPUs, memory type, form factor of enclosure, etc).

 Does scsi make a difference?

Usually it does.  Depending on how big of a server it's going to be you
may be able to get away with IDE, especially if there's only 1 HD in the
server.

 Is 3com the best for nics?

Some will argue with that.  But 3com cards tend to be very good.

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc



Re: Converting from Exim to qmail

2001-01-27 Thread Phil Brutsche

A long time ago, in a galaxy far, far away, someone said...

 I've been using Exim on my Debian boxes for awhile, but would like to
 convert over to QMail (in Potato) in the process of doing a major
 server upgrade.

 Right now I have Exim and QPopper doing the following:

 1 - Providing primary MX service for several domains
 2 - Handling outgoing mail for the local LAN
 3 - QPopper for POP3 service internally and externally
 4 - Occasional local MUA usage on server (some Mutt, mostly Pine)
 5 - Mail spool is NFS-mounted

 Are there any pitfalls to watch out for as far as the above are concerned
 with Qmail? Also, does a simple Howto exist which I could use as a guide to
 Qmail configuration in the above described situation?

Points 1 and 2 are simple; just about any MTA in existence can handle
that (although I will question the vast majority of Windows MTA offerings
:)

Points 3 and 5 are contradictory.  Standard unix mail spools (which
Qpopper serves mail from) have corruption problems on NFS.  If the mail
spool *must* be NFS-mounted, you should convert the mail spools to
Maildir.  Mutt can read Maildirs just fine, but Pine cannot (at least,
without being patched), which causes problems with point 4.

Point 4 can be taken care of with courier-imap.  The courier-imap package
will serve Maildirs over IMAP beautifully, and version 1.3 of courier-imap
(unfortunately it's not packaged for Debian) has a pop3 daemon that can
serve from Maildirs.  This, btw, is how I handle Maildirs with Pine.

With courier-imap you'll also gain support for IMAP and POP3 over SSL;
you'll have to pay Eudora if you want those capabilities in Qpopper :)

Most of the documentation you'll need for Qmail can be found at
http://www.qmail.org, and under /usr/share/doc/qmail once you get it
compiled and installed.

What, btw, is your rationale for switching from Exim to Qmail?

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc



Re: RPC services - bind to 1 ip?

2001-01-26 Thread Phil Brutsche

A long time ago, in a galaxy far, far away, someone said...

 I've been dealing with this for a long time, and was curious if anyone
 knows if it's possible.

 I want to force all RPC services to listen only on 1 interface, it is
 VERY VERY difficult to firewall them as they apparently choose random
 ports every time they load which means i have to spend 30 minutes
 running nmap both TCP and UDP ports 1-65535 and verifying what ports
 are open with lsof and netstat and firewall the rpc ones accordingly.
 this procedure works but it gets old after a while :) so i wanna know
 if i can force rpc services to bind to 1 interface, or force them to
 use the same ports every time (even if i restart NFS it uses new ports)
 the rpcs: rpc.mountd, rpc.statd are the worst offenders for me..
 sunrpc is good and happily sits on port 111 ...

 luckily i don't reboot often but sometimes i need to reload the
 /etc/exports file ..maybe i can do this without reloading the nfs
 services..but that still doesn't solve the problem as a whole :) i
 don't think its possible to run rpcs from xinetd ..but if it is i'd
 like to know how.

There isn't a way that I know of to force the rpc services to bind
specific IPs.  If you find one I'd like to hear about it :)

What I usually end up doing is set up a good default-deny firewall to
keep things clean.

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc
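
The default-deny approach from the reply above, as an added example that is not part of the original thread: rather than scanning for whichever ports rpc.mountd and rpc.statd picked after a restart, ask the portmapper with `rpcinfo -p` and compare what is registered against the short list of ports the firewall explicitly allows. The sample output and the allowlist are constructed, and `rpc_audit` is a hypothetical helper name.

```shell
#!/bin/sh
# Constructed sample of `rpcinfo -p` output (not captured from a real host).
sample_rpcinfo() {
cat <<'EOF'
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  32768  status
    100024    1   tcp  32768  status
    100003    2   udp   2049  nfs
    100005    1   udp  32771  mountd
    100005    1   tcp  32769  mountd
    100005    2   udp  32771  mountd
    100005    2   tcp  32769  mountd
EOF
}

# rpc_audit "proto/port proto/port ..."
# Reads `rpcinfo -p` output on stdin. For every registered RPC endpoint it
# prints "allowed proto/port service" if the endpoint is on the allowlist,
# or "blocked proto/port service" if a default-deny firewall with only the
# allowlisted ports open would drop traffic to it. Duplicate registrations
# (same port, different program version) are collapsed.
rpc_audit() {
    awk -v allowed="$1" '
        BEGIN {
            n = split(allowed, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        # Skip the header and anything else that is not a data row.
        $1 ~ /^[0-9]+$/ && $4 ~ /^[0-9]+$/ {
            key = $3 "/" $4
            state = (key in ok) ? "allowed" : "blocked"
            print state, key, $5
        }
    ' | LC_ALL=C sort -u
}

# Constructed policy: portmapper and NFS over UDP are the only RPC ports
# opened; the dynamically assigned mountd/statd ports stay closed no matter
# which numbers they receive after the next restart.
sample_rpcinfo | rpc_audit "tcp/111 udp/111 udp/2049"
```

On a live host the input would come from `rpcinfo -p` itself; the "blocked" lines are the services that clients outside the firewall cannot reach until their ports are deliberately added to the policy.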



Re: ping must be run as root?

2001-01-24 Thread Phil Brutsche

A long time ago, in a galaxy far, far away, someone said...

 Hi, when i try to run ping (on a fresh Debian 2.2 install) as a
 non-root user i get ping must be run as root. What is the reason?

 I think this has something to do with pam, but i found nothing
 related to ping in pam's configs.

It has nothing to do with PAM.

ping needs to run as root to be able to create a raw socket to send the
ICMP packets out through.

The ping variant installed in Debian 2.2 drops root privilege after the
raw socket is created.

If you want to run ping as non-root, you need to make it suid-root.

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc
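
Making a binary suid-root, as the reply above describes for ping, adds it to the set of programs that start with root privilege, so it helps to know exactly which files carry that bit. This added example (not from the original thread) lists setuid files under a directory and flags any that are not on an expected list; `suid_audit`, the file names and the temporary tree are constructed for illustration, and paths are assumed to contain no spaces.

```shell
#!/bin/sh
# suid_audit DIR "EXPECTED_PATH EXPECTED_PATH ..."
# Prints one line per setuid file found under DIR:
#   <expected|UNEXPECTED> uid=<owner uid> mode=<octal mode> <path>
# A setuid file owned by uid 0 runs with root privilege for whoever
# executes it, which is what lets a non-root user's ping open a raw socket.
suid_audit() {
    dir=$1
    allowed=" $2 "          # pad so every entry is space-delimited
    # -perm -4000 matches the setuid bit; -xdev stays on one filesystem.
    find "$dir" -xdev -type f -perm -4000 2>/dev/null | LC_ALL=C sort |
    while IFS= read -r f; do
        case "$allowed" in
            *" $f "*) tag=expected ;;
            *)        tag=UNEXPECTED ;;
        esac
        echo "$tag $(stat -c 'uid=%u mode=%a' "$f") $f"
    done
}

# Demo on a constructed tree: three setuid files, one of them not on the
# expected list, plus one ordinary executable that must not be reported.
demo_suid_audit() {
    d=$(mktemp -d) || return 1
    for name in ping su leftover; do
        : > "$d/$name"
        chmod 4755 "$d/$name"
    done
    : > "$d/ls"
    chmod 755 "$d/ls"
    suid_audit "$d" "$d/ping $d/su"
    rm -rf "$d"
}

demo_suid_audit
```

In the demo the files belong to whoever runs the script, so the `uid=` column shows that user; on a real system the entries that matter most are the ones reporting `uid=0`.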



RE: [OT] Re: Perlscript

2001-01-23 Thread Phil Brutsche

A long time ago, in a galaxy far, far away, someone said...

 It's worth noting that $response-write(blah); is perfectly legal plain
 ol' perl too. What does perlscript do that perl doesn't?

Nothing.

PerlScript exists as an ActiveX plugin on Windows, so that you can use it
as a replacement for VBScript (ie write .asp pages for IIS and not drive
yourself to insanity with VisualBasic :)

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc



Re: IMAP MUA and filtering

2001-01-22 Thread Phil Brutsche

A long time ago, in a galaxy far, far away, someone said...

  Phil == Phil Brutsche [EMAIL PROTECTED] writes:

 Phil I think it's less it's a dumb IMAP server and more it's a
 Phil dumb email client that doesn't let you set your mailbox
 Phil path (netscape calls it the mail server directory).

 I think you misunderstood me.

Perhaps.

 Otherwise, please tell me how do I create a sub-folder called
 January under the sub-folder 1999, under the folder Sent-Mail
 using courier-imap?

Depends on the mail client.  It should Just Work, however it's done.  It
does for me, at least.

I'm using courier-imap 1.0-2, compiled from woody sources, btw.

In any case, you have:

Sent-Mail
 |
 --1999

and you want to add January to the mix, under 1999.

First, assume you're using a GUI mail client.  Second, right click on 1999,
and a pop-up window asks you for the name of the new folder.  Enter the
name (January), press OK.

You end up with:

Sent-Mail
 |
 --1999
    |
    --January

Simple.  Those basic directions work with Netscape/Mozilla, OE and XFMail.
I don't remember how to do it with anything else off hand.  Whether or not
it'll work also depends greatly on the IMAP server software.

 What email client do you consider not-dumb?

Well, among the ones I've looked at...

non-dumb:
Pine
Outlook Express
Outlook
Pegasus
Eudora
Mutt
Evolution

dumb:
Netscape/Mozilla (doesn't always respect a non-standard mailbox folder
   path with some mail servers)
Balsa (only supports single imap folders)
Spruce (ditto)
XFMail (same reason as Netscape, although it seems broken in other ways
   too)

There's very likely something I'm missing in both lists.  There's very
likely going to be some dissent as to which mail client goes in which list
:)

 All of them I have tried represent the folders in the same way: as
 subfolders of INBOX.

It's the mail client not respecting the mailbox folder path.

I don't know what else to say.  With everything I've tried, all my mail
folders are shown as subfolders of INBOX until I tweak the config a little
(usually by going into the mail client config and telling it that the mail
folders are stored relative to INBOX.).

 This is as described in the courier-imap FAQ I quoted in my previous
 E-Mail.

Yep, sure is.

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc



Re: IMAP MUA and filtering

2001-01-22 Thread Phil Brutsche

A long time ago, in a galaxy far, far away, someone said...

  Phil == Phil Brutsche [EMAIL PROTECTED] writes:

 Phil I don't know what else to say.  With everything I've tried,
 Phil all my mail folders are shown as subfolders of INBOX until I
 Phil tweak the config a little (usually by going into the mail
 Phil client config and telling it that the mail folders are store
 Phil relative to INBOX.).

 Oh... I see: you can work around the problem by telling it to enter
 the INBOX folder, and display subfolders of INBOX (what is the proper
 way to do this in mutt?)

I don't know; I'm not a regular user of mutt.  I've heard it's possible,
though.

 I consider this a work around, because I assume this prevents the
 client from looking at other top level folders, eg. folders under the
 top level of shared (which is also supported by courier-imap as well
 as INBOX).

Um...  it probably would.  But again, it depends on the mail client.
Pine, for example, wouldn't have any trouble - it supports user-definable
collections of folders (IMAP & NNTP), and specifying different folder
hierarchies (ie shared. and INBOX.) on the same server is fairly
painless.

 I don't think subfolders are allowed. However, it seems to be possible
 with your setup, so maybe I am doing something wrong, or you have a
 newer version of courier-imap than me.

Actually, I have a newer version of courier-imap:

ii  courier-imap   1.0-2  IMAP daemon with PAM and Maildir support

Probably makes all the difference in the world.

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc



RE: Debian is safer than this ? I REALLY HOPE SO !

2001-01-18 Thread Phil Brutsche

A long time ago, in a galaxy far, far away, someone said...

 WELL, i might have been somewhat too eager to spark a discussion ...
 the thing i'm wondering/confused about is that the 'worm' infects only
 redhat systems, according to this article at least ... strange eh ?

I don't have many details on the worm.  It's possible it relies on a
combination of programs.  I've not had a chance to investigate.

*I* know my systems aren't vulnerable - I'm running non-vulnerable
versions, not running those programs at all, or it's all behind a
restrictive firewall anyway :)

 i only now had the time to read the securityfocus report, and yes indeed all
 linux's with these versions are vulnerable.

 anyway, good to know i turned off my machine this morning :)

Great way to not get your computer hacked :)

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc



Re: 2.4.0 and shared memory

2001-01-18 Thread Phil Brutsche

A long time ago, in a galaxy far, far away, someone said...

 Hi all,

I am using Potato with 2.4.0 right now. I have noticed that 'free'
 command now reports 0 shared memory and 0 swap usage. With kernel
 2.2.18, it used to report few megabytes of shared memory. My box has
 half a gig of RAM, but when I was using 2.2.18 kernel, the system used
 at least some swap space, especially after I ran one of my memory
 hungry Fortran programs or after creating a CD image. But now it's 0
 no matter. Has anyone else noticed this behavior?

This is normal for 2.4.  Some fields in /proc/meminfo (which 'free' uses
to gather its information) are no longer used, thus read 0 (totally
removing those unused fields will totally break 'free').  'free' just
doesn't know that those fields are used any more.

2.4 also totally re-did the VM subsystem, and moves unused stuff to swap
much less often.  Primarily because the VM subsystem is more efficient.

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc


