Re: making Debian secure by default

2024-03-29 Thread Ralph Aichinger
On Thu, 2024-03-28 at 14:12 -0400, Lee wrote:

> 
> Yes, it does.  I was hoping for something simple but it's becoming
> clear to me that there's no simple "make Debian secure for dummies"
> checklist to follow.

Making "Debian secure for dummies" and having a multi-user system at
the same time does not make sense, IMO. If you want to secure your Debian
system, one of the easiest and most important steps is: Don't give
anyone access who you do not trust. 

Having a true multi-user system that shields users from each other is
much much harder, and certainly nothing "dummies" or beginners should
even try.

/ralph



Re: finger causing kernel seg fault

2024-03-15 Thread Ralph Aichinger
On Fri, 2024-03-15 at 09:12 +, Michael Grant wrote:
> I use tmux on my server.  tmux creates multiple pttys.  When I run
> finger, I see an error like this:
> 
> $ finger
> finger: /dev//pts/6: No such file or directory
> 
> and in the log, I see:
> 
> /var/log/syslog:Mar 15 05:06:18 strange kernel: [2740248.159942]
> finger[1987858]: segfault at 1c ip 55b1c20baad5 sp


I had similar problems on my Raspberry Pi running native Debian arm64,
I have filed this bug about it:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1018879

/ralph



Re: very poor nfs performance

2024-03-09 Thread Ralph Aichinger
On Sat, 2024-03-09 at 13:54 +0100, hw wrote:
> 
> NFS can be hard on network card drivers
> IPv6 may be faster than IPv4
> the network cable might suck
> the switch might suck or block stuff

As iperf and other network protocols were confirmed to be fast by the
OP it is very unlikely that it is a straight network problem. Yes,
these effects do exist occasionally (weird interactions of higher level
protocols and the low level stuff), but it is very rare. The cable that
is so specifically broken to slow down NFS but not scp might exist, but
it is very unlikely.

/ralph




Re: very poor nfs performance

2024-03-07 Thread Ralph Aichinger
On Thu, 2024-03-07 at 10:13 +0100, Stefan K wrote:
> Hello guys,
> 
> I hope someone can help me with my problem.
> Our NFS performance ist very bad, like ~20MB/s, mountoption looks
> like that:

Are both sides agreeing on MTU (using Jumbo frames or not)?

Have you tested the network with iperf (or similar), does this happen
only with NFS or also with other network traffic?

/ralph



Re: Commandline client to lookup MAC vendor

2024-03-07 Thread Ralph Aichinger
On Thu, 2024-03-07 at 09:52 +, Thomas Pircher wrote:
> On 2024-03-07 09:37, Jonathan Dowland wrote:
> >     $ grep -i ^9009df /usr/share/nmap/nmap-mac-prefixes
> >     9009DF Intel Corporate
> 
> Alternatively, the ieee-data package also contains the OUI database:
> 
>  $ grep -i ^9009df /usr/share/ieee-data/oui.txt
>  9009DF (base 16)    Intel Corporate

Thanks to the both of you. Any idea if one or the other is preferable
or newer?

/ralph



Commandline client to lookup MAC vendor

2024-03-07 Thread Ralph Aichinger
Hi!

Several packages in Debian can somehow (either by embedding it or
querying it from some common database) display the MAC Vendor
information of network adapters (derived from hardware addresses). 

One example is nmap, that displays the device vendor when scanning.

Is there some commandline tool doing this directly in Debian? I know
that there are websites that offer this as a service, but sometimes a
CLI is more convenient.

Alternatively, and if this information is stored in some shared
databases, can this be queried e.g. from a Python script? If so, how?

TIA
/ralph
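One way to answer the Python part of the question, added here as an example and not taken from the thread: a small script that parses both files in the formats quoted in the replies (the one-line nmap-mac-prefixes format and the "(base 16)" lines of oui.txt), normalises a MAC address written in the usual notations and looks up its 24-bit OUI. The two Debian paths are the ones named in the replies; the sample entries embedded in the script are constructed stand-ins for the real files, so it runs without either package installed.

```python
#!/usr/bin/python3
"""
Added example (not part of the thread): read the two OUI tables named
on the list and resolve a MAC address to its registered organisation.
Only the 24-bit OUI (MA-L) blocks are handled here.
"""
import re
import sys
from typing import Dict, Iterable, Optional, Tuple

# Default locations on Debian, from the packages named in the thread.
NMAP_PREFIXES = "/usr/share/nmap/nmap-mac-prefixes"
IEEE_OUI = "/usr/share/ieee-data/oui.txt"

# Constructed sample input in both formats (postal address lines of
# oui.txt replaced by placeholders); not the real files.
NMAP_SAMPLE = """\
# Generated from the IEEE OUI database, do not edit.
9009DF Intel Corporate
B827EB Raspberry Pi Foundation
"""
IEEE_SAMPLE = """\
OUI/MA-L                                                    Organization
company_id                                                  Organization
                                                            Address

90-09-DF   (hex)\t\tIntel Corporate
9009DF     (base 16)\t\tIntel Corporate
\t\t\t\tstreet address placeholder
\t\t\t\tcity placeholder
\t\t\t\tXX

DC-A6-32   (hex)\t\tRaspberry Pi Trading Ltd
DCA632     (base 16)\t\tRaspberry Pi Trading Ltd
\t\t\t\tstreet address placeholder
"""

# Six hex digits, whitespace, then the rest of the line. Matches the nmap
# one-liner and the "(base 16)" line of oui.txt; the "(hex)" line contains
# dashes and the address lines start with whitespace, so neither matches.
_ENTRY = re.compile(r"^([0-9A-Fa-f]{6})\s+(\S.*?)\s*$")


def parse_line(line: str) -> Optional[Tuple[str, str]]:
    m = _ENTRY.match(line)
    if not m:
        return None
    prefix, org = m.group(1).upper(), m.group(2)
    if org.startswith("(base 16)"):
        org = org[len("(base 16)"):].strip()
    return (prefix, org) if org else None


def load_prefixes(lines: Iterable[str]) -> Dict[str, str]:
    """Build {OUI: organisation} from either file format; first entry wins."""
    db: Dict[str, str] = {}
    for line in lines:
        if line.startswith("#"):
            continue
        entry = parse_line(line.rstrip("\r\n"))
        if entry:
            db.setdefault(*entry)
    return db


def load_file(path: str) -> Dict[str, str]:
    # oui.txt contains non-ASCII organisation names; do not choke on them.
    with open(path, encoding="utf-8", errors="replace") as fh:
        return load_prefixes(fh)


def mac_to_oui(mac: str) -> str:
    """Accept 90:09:df:12:34:56, 90-09-DF-12-34-56, 9009.df12.3456 or a bare OUI."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) not in (6, 12):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits[:6].upper()


def is_locally_administered(mac: str) -> bool:
    # Bit 1 of the first octet set: randomised or admin-chosen address,
    # so the OUI table says nothing reliable about the hardware.
    return bool(int(mac_to_oui(mac)[:2], 16) & 0x02)


def vendor(db: Dict[str, str], mac: str) -> Optional[str]:
    """Registered organisation for mac, or None if unknown or locally administered."""
    if is_locally_administered(mac):
        return None
    return db.get(mac_to_oui(mac))


def main(argv):
    db = {}
    for path in (NMAP_PREFIXES, IEEE_OUI):
        try:
            db.update(load_file(path))
        except OSError:
            pass  # package not installed; try the other file
    for mac in argv:
        print(mac, "->", vendor(db, mac) or "unknown")


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run as `python3 macvendor.py 90:09:df:12:34:56`. Two caveats: a set locally-administered bit (an address starting with 02, 06, 0A, 0E and so on) means the address was randomised or chosen by an administrator, so the lookup says nothing reliable about the hardware, which is why the script returns None for those; and the IEEE also hands out 28-bit and 36-bit blocks (MA-M, MA-S) that are not in oui.txt and are not handled here.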



Re: Inclusive terminology (instead of master/slave) for network bonding/LACP

2024-02-23 Thread Ralph Aichinger
On Fri, 2024-02-23 at 20:10 +, Andy Smith wrote:
> One more time: a successor to the Ethernet bonding driver already
> exists and has for more than 10 years.

That is the other thing I wanted to ask here, I have configured a
LACP link aggregating interface more or less similar to what is
described in the wiki, in my /etc/interfaces there is now:

auto bond0
iface bond0 inet static
    address 10.0.16.2/24
    bond-slaves en0 en1
    bond-mode 4
    bond-miimon 100
    bond-downdelay 200
    bond-updelay 200
    bond-lacp-rate 1
    bond-xmit-hash-policy layer3+4

which seems to work (I could not test throughput yet, because
I am waiting for cables).

If I do this, does "ifupdown" use "ifenslave" or does it
use "ip link set" as described here:

https://www.uni-koeln.de/~pbogusze/posts/LACP_configuration_using_iproute2.html

behind the scenes? Is the wiki/documentation lagging the actual
implementation? Is there a way to find out (other than removing
ifenslave and seeing if it still works)?

Should documentation in the wiki be updated?

Also, above still(?) contains "bond-slaves en0 en1" so if this is
a new implementation, is there still some terminology change to be
expected? Or can I replace bond-slaves with something else in the
current Debian bookworm?

/ralph



Re: Inclusive terminology (instead of master/slave) for network bonding/LACP

2024-02-23 Thread Ralph Aichinger
On Fri, 2024-02-23 at 18:13 +0100, Mariusz Gronczewski wrote:
> "Do what I say, discussion is not allowed because I don't want to
> make sensible arguments!" 


This certainly is not my position. I have no problem arguing this 
question, and I've got an opinion on it. I just think this mailing 
list probably is not the right place to argue this question. 

> "Damn those people using reason and questioning what I want, just do
> what I say!"
> 
For me it is more: "I know it is controversial, but I do not want to
flood the list with the controversial part, that contains lots of 
personal opinions, political positioning, subjective aspects, but want
to ask about the non-controversial, factual, part, that contains no
political aspects and can be answered without opinion, purely with
facts."

I just want to know the current situation, I don't want to convince
anybody here.


/ralph



Re: Inclusive terminology (instead of master/slave) for network bonding/LACP

2024-02-23 Thread Ralph Aichinger
On Fri, 2024-02-23 at 11:07 +0100, Marco Moock wrote:
> 
> Debian is mostly a collection of many packages that are packed in the
> repo. Such changes are normally done upstream.

I found e.g. this on upstream work on that topic:

https://lore.kernel.org/netdev/e515b840-c6f1-bc07-9369-c95e35257...@solarflare.com/T/

but I must confess I have not dug into upstream kernel sources to find
out if this has been accepted in the kernel, and if so from what
version.

> 
> I don't think that spending time on that is a valuable thing, there
> are more important tasks like testing or adding functionality.



I really don't want to argue any political arguments on the merits of 
removing master/slave, blacklist/whitelist, black hat/white hat here,
but I think "it is some effort" or "it concerns only few people" is not
the strongest argument. *If* one considers it the right thing to do,
then some minor effort, comparable with other minor changes, is not
out of line. 

/ralph



Inclusive terminology (instead of master/slave) for network bonding/LACP

2024-02-22 Thread Ralph Aichinger
Hello!

I know this is a loaded topic. I really don't want to discuss the
political aspects of the "why", but just want to know the facts, i.e.
how far this has progressed in Debian.

Is there anything planned to get "master/slave" terminology out of
network bonding/LACP in Debian (or Linux kernel or whoever decides
this terminology)? I know these things are slow to change, just
wondering.

https://wiki.debian.org/Bonding

/ralph



Re: Package Identification Assistance

2024-02-16 Thread Ralph Aichinger
On Thu, 2024-02-15 at 20:33 -0500, Neal Heinecke wrote:
> I need to identify the package responsible for creating the software
> sources window. There is a minor bug/typo where the first tab reads
> "Ubuntu Software"

This could be synaptic?

https://help.ubuntu.com/community/SynapticHowto

Does the program have an "About" menu entry?

/ralph



Using a Python script as a login shell

2024-02-16 Thread Ralph Aichinger
Hello fellow Debianites!

I want to do a custom CLI for a project, and I am quite happy with the
Python cmd module. Aside from having a practically un-googleable name
it is very nice, and does a lot with very little code. So far, so good.
But:

If I write a Python script with this module, and expose it to the
internet via SSH, will hell break loose? So far I've done the
following:

1. Put my script in /usr/local/bin/turtle (the canonical example in the
docs is something with turtle), you can see the sourcecode of my script
here:

https://pi.h5.or.at/mockturtle.txt

This script does absolutely nothing sensible, you can try it out 
by doing a

ssh -l admin probe.aisg.at 

from an IPv6-capable host (sorry, no IPv4). The password is "admin".

Any and all suggestions on stuff that is stupid and crazy from a
security standpoint in this script are very much appreciated!

2. Then I put /usr/local/bin/turtle in /etc/shells 

3. I added a user "admin" that has /usr/local/bin/turtle as shell

4. I added following stanza to /etc/ssh/sshd_config

Match User admin
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand /usr/local/bin/turtle

5. In the script I tried to catch the Ctrl-C signal, so the interpreter
does not give out too obvious error messages (that show what is going
on behind the scenes).

Is this enough to harden this setup against escaping into a shell 
or the full python interpreter, to do something nasty? Or is it
completely crazy, because there is some way to abuse a setup like
this, that I have not found yet?

TIA
Ralph
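As an added example (my own, not the poster's mockturtle script), a cmd.Cmd based login shell that closes the holes one would look for in a setup like the one described above. It assumes the layout from the post (script in /usr/local/bin, listed in /etc/shells, forced via ForceCommand) and the following facts: sshd starts a login shell as `shell -c <command>`, so the script discards its arguments; it never looks at SSH_ORIGINAL_COMMAND, so `ssh admin@host somecommand` still gets the menu; it defines no do_shell(), so the `!` escape built into cmd.Cmd stays disabled; it handles Ctrl-C and Ctrl-D without a traceback and turns any other exception into a fixed message; and the `-I` shebang flag (isolated mode) keeps PYTHON* environment variables, the user site directory and the script's own directory out of the interpreter's configuration. The hop command is a placeholder for whatever the real CLI does.

```python
#!/usr/bin/python3 -I
"""
Added example of a cmd.Cmd based restricted login shell; not the poster's
mockturtle script. Hardening points, each marked where it happens:
argv is ignored, SSH_ORIGINAL_COMMAND is never executed, there is no
do_shell() so the '!' escape stays disabled, and no traceback ever
reaches the remote side.
"""
import cmd
import io
import os
import sys


class Turtle(cmd.Cmd):
    intro = "mock turtle shell, type help or ?"
    prompt = "turtle> "

    def __init__(self, stdin=None, stdout=None):
        super().__init__(stdin=stdin, stdout=stdout)
        # Read lines from self.stdin instead of input(): readline is never
        # loaded and a test can feed commands through a StringIO.
        self.use_rawinput = False
        self.hops = 0

    def do_hop(self, arg):
        "hop [n]: move the turtle n steps (default 1)"
        try:
            n = int(arg or "1")
        except ValueError:
            self.stdout.write("hop: not a number\n")
            return False
        self.hops += n
        self.stdout.write(f"hopped to {self.hops}\n")
        return False

    def do_quit(self, arg):
        "quit: end the session"
        return True

    # Ctrl-D: cmd.Cmd dispatches end-of-file as the command name 'EOF'.
    do_EOF = do_quit

    def default(self, line):
        # Fixed message; the stock implementation echoes the input back.
        self.stdout.write("unknown command\n")
        return False

    def emptyline(self):
        # cmd.Cmd repeats the last command on an empty line; disable that.
        return False

    def onecmd(self, line):
        try:
            return super().onecmd(line)
        except Exception:
            # A bug in a do_* method must not leak a traceback to the client.
            self.stdout.write("error\n")
            return False


def run_session(script):
    """Feed a newline-separated command script into a fresh shell.
    Returns (everything written to the client, final hop counter)."""
    out = io.StringIO()
    shell = Turtle(stdin=io.StringIO(script), stdout=out)
    shell.cmdloop(intro="")
    return out.getvalue(), shell.hops


def main():
    del sys.argv[1:]                              # sshd passes "-c <ForceCommand>"; drop it
    os.environ.pop("SSH_ORIGINAL_COMMAND", None)  # "ssh host cmd" gets the menu, not cmd
    shell = Turtle()
    intro = None
    while True:
        try:
            shell.cmdloop(intro)
            return 0
        except KeyboardInterrupt:
            shell.stdout.write("\n")              # Ctrl-C: fresh prompt, no traceback
            intro = ""


if __name__ == "__main__":
    sys.exit(main())
```

run_session() exists so the behaviour can be checked without a terminal; the assertions to make are that `!id` and `? hop` never run anything outside the class and that an invalid argument produces the fixed message rather than a traceback. The other half of the job stays in sshd_config next to the stanza above: PermitUserEnvironment at its default `no`, so the client cannot inject environment variables into the process, and no writable location from which the interpreter would import anything.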



Re: Things I don't touch with a 3.048m barge pole: USB storage (Was Re: Unidentified subject!)

2024-02-08 Thread Ralph Aichinger
On Thu, 2024-02-08 at 15:36 +, Andy Smith wrote:
> USB storage is for phones and cameras etc, not for serious
> computing. Many people will disagree with that statement and say
> they use it all the time and it is fine. 

I am clearly in the latter camp. This mail is delivered via a Raspberry
Pi 4 that has a 500G USB SSD. Before the Pi4 I used a Pi3 and a Pi2 (I
think) with USB disks (first rotating, then SSD). Probably for 5 years
or so. Never had a problem (unlike with the SD cards I used before, SD
cards always died on me from too many writes after a few months).

> They will keep saying that
> until it isn't fine, and then they'll be in a world of hurt.

This is the same with any hard disk or SSD. If you buy the most
expensive "enterprise" disk, with SAS or whatever, it still can 
break on the next day, taking all your data with it. 

Actually with USB disks, sometimes you can remove the USB 
controller, replace it in case of breakage, giving you more
or less the same reliability as any "normal" disk.
I've never had USB controllers break, though, so I do not
care. I just take backups as with any other disk.

> I learned not to go there a long time ago and have seen plenty of
> reminders along the way from others' misfortunes to not ever go
> there again myself.

How does a breaking USB disk differ from a breaking SATA disk?

/ralph



Re: Copy from Firefox and paste into Terminal with Vim

2024-02-06 Thread Ralph Aichinger
On Tue, 2024-02-06 at 21:31 +0700, Max Nikulin wrote:
> is active in terminal, it is possible to hold [Shift] to get mouse 
> events handled by terminal instead of Vim or another application
> running in terminal.

I think pressing shift does not work here in e.g. gnome-terminal,
because there paste is Shift-Ctrl-V and interpreted by gnome-terminal.
Have not tried it though, vim taking care of the mouse is just nuts
in my opinion ;)

/ralph



Re: Copy from Firefox and paste into Terminal with Vim

2024-02-06 Thread Ralph Aichinger
On Mon, 2024-02-05 at 15:14 -0800, David Christensen wrote:
> I am unable to determine if the problem is Firefox, Vim, or something
> else.
> 
> Comments or suggestions?

As others have written, vim has changed copy+paste defaults some time
ago. Some even call this changing defaults "they broke copy+paste" ;).
One easy thing you might want to check is if this also happens in
neovim. Neovim did not make this copy+paste change, and it might 
behave subtly differently. It's quick to install and check.

/ralph



Re: How can we change the keyboard layout? (was: what keyboard do you use?)

2024-02-05 Thread Ralph Aichinger
On Mon, 2024-02-05 at 21:06 +0100, hw wrote:
> And what the hell is 'Strg' supposed to mean?

"Strg" is short for "Steuerung", just the literal translation of 
"control".

/ralph



Re: install Kernel and GRUB in chroot.

2024-02-05 Thread Ralph Aichinger
On Mon, 2024-02-05 at 17:40 +0700, Dmitry wrote:
> 
> But secure boot is usually turned off. It is a standard advice during
> Linux 
> installation.
> 
Will probably be increasingly common though, I've got a Microsoft
Surface Laptop that works fine with Debian, but if you switch off
secure boot, it displays some big red scary warning screen before the
bootloader.

/ralph



Re: what keyboard do you use?

2024-02-02 Thread Ralph Aichinger
On Fri, 2024-02-02 at 20:25 -0500, Lee wrote:
> I figure there's a high percentage of keyboard jockeys here so ..
> which keyboard do you like and why?

I like the flat style similar to what is in many notebooks. Current
favourites are the Apple keyboards (expensive though, for what they
are), the Microsoft Designer Compact Keyboard (stupid generic model 
name), that seems to have a problem for some that the electronics die
prematurely, it might not be able to connect any longer after some
time. Great if it works though, can often be gotten relatively cheaply
for about half the normal price. Very minimal design, you can't take 
away much more from a keyboard:

https://www.microsoft.com/en/accessories/products/keyboards/microsoft-designer-compact-keyboard?activetab=pivot:overviewtab

And a new fascination of mine, the Logitech MX series, also kind
of expensive, and with rather ugly design, but typing feels just
wonderful.

Of the cheaper ones, I like the Logitech k280e. Feels quite OK for the
price, not on the level of the above three though. Also large, clunky
and heavy.

I used to be a full layout (with keypad) person, but recently I began
to like the smaller layouts. Takes up less space on the desk, only
thing I miss are the full cursor keys. Easier to move around on the
desk, which I do a lot.

Keyboards are a product where preferences diverge a lot and are very 
personal. Fortunately there is lots of choice in the market currently.

/ralph



Re: IPv6, ip token, NetworkManager and accept_ra

2024-02-02 Thread Ralph Aichinger
On Fri, 2024-02-02 at 15:31 +0100, Marco Moock wrote:
> It should be if you enter "save" in the nmcli.

Thanks, I did not realize this was possible. I probably
will use nmcli more often in the future.

Ralph




Re: IPv6, ip token, NetworkManager and accept_ra

2024-02-02 Thread Ralph Aichinger
On Fri, 2024-02-02 at 14:28 +0100, Marco Moock wrote:
> In the past the default was to use EUI-64 and have the MAC address in
> the address. If that is suitable for you (privacy!), use that.

I basically don't care about the privacy aspect for now (it is more of
a lab setup, and my IPv4 address is static, and its PTR resolves to
something with my surname in it ;). At least at the moment I would
prefer shorter IPv6 addresses than can be constructed from the MAC, 
even considering the possibility to "fake" the MAC to something
with many zeroes, using historic/obsolete MAC vendor ids with zeroes in
them etc., because identifying IPs at one glance seems very attractive
to me. Right now I want as short/as memorable IPv6 addresses as
possible.

> Use the NetworkManager to configure that.
> Automatic means using SLAAC (if available in the RA) and DHCPv6 (if
> available in the RA).

Thanks!

> > But what is the correct way to do this "ip token set" with
> > NetworkManager (or in spite of NetworkManager ;)?
> 
> # nmcli c mod enp4s0 ipv6.addr-gen-mode eui64
> # nmcli c mod enp4s0 ipv6.token ::deca:fbad:c0:ffee

This is not permanent, is it? What is the suggested way to make this
survive a reboot in Debian? 

Thanks for your comprehensive reply!

/ralph




IPv6, ip token, NetworkManager and accept_ra

2024-02-02 Thread Ralph Aichinger
Hi fellow Debian users!

In my quest to advance the IPv6 preparedness of my home LAN I want to
find a solution to use IP tokens on all my clients. IP tokens (keeping
the host part of the IPv6 address static while getting the subnet part
by SLAAC) seem very elegant to me, because it avoids DHCPv6 completely,
and still makes mostly working DNS records possible.

Opinions on SLAAC+IP tokens are welcome ;)

One of my clients is a surface laptop running Debian sid, Gnome, 
NetworkManager and getting its connection via WiFi. The first hiccup with
this is, that seemingly ra is disabled on my NetworkManager configured
device wl0:

root@surface:~# ip token set ::5fac dev wl0
Error: ipv6: Router advertisement is disabled on device.

This can easily be corrected with 

echo 1 >  /proc/sys/net/ipv6/conf/wl0/accept_ra

But: Is this a misconfiguration on my machine, or to be expected, when
using NetworkManager? I am using the following settings in the GUI:
IPv4: "Disable", IPv6 "Automatic". Do I risk messing up other stuff by
manually setting this e.g. with the help of /etc/sysctl.conf? 

After that

ip token set ::5fac dev wl0

works just fine and I get a nice ip with the token part in it:

2: wl0:  mtu 1450 qdisc noqueue state
UP group default qlen 1000
    link/ether 00:00:0f:00:00:00 brd ff:ff:ff:ff:ff:ff permaddr
6c:a1:00:20:ca:7b
    inet6 2a02:ab8:201:5b8::5fac/64 scope global dynamic mngtmpaddr
proto kernel_ra 
   valid_lft 86394sec preferred_lft 14394sec
    inet6 2a02:ab8:201:5b8:526a:2061:5984:24a/64 scope global dynamic
noprefixroute 
   valid_lft 86395sec preferred_lft 14395sec
    inet6 fe80::6e20:1d4b:4fa:e41f/64 scope link noprefixroute 
   valid_lft forever preferred_lft forever


But what is the correct way to do this "ip token set" with
NetworkManager (or in spite of NetworkManager ;)?

Should I use nmcli or something else? Is there maybe even a hidden
Gnome GUI option?

Any other comments on this maybe quixotic endeavour are welcome ;)

Thanks in advance, 
Ralph



Re: rsync --delete vs rsync --delete-after

2024-01-27 Thread Ralph Aichinger
On Fri, 2024-01-26 at 16:11 +0100, hw wrote:
> I've never had issues with any UPS due to self tests.  The batteries
> need to be replaced when they are worn out.  How often that is
> required depends on the UPS and the conditions it is working in,
> usually every 3--5 years.

It was with some small to mid APC model, I think. We had about 1 to 2kW
worth of servers on it, so it was not that small, definitely no
consumer type. When I took over maintenance somebody had configured
some sort of weekly or biweekly self-test, that switched over to 
battery, was supposed to run the battery down to 25% or similar, and
then return to mains power/charging.

Except once what the UPS considered 25% charge seemingly was not, and
everything shut down instantly.

> I rather spend the money on new batteries (EUR 40 last time after 5
> years) every couple years rather than spending thousands on replacing
> the hardware when a power surge damages it which could have been
> prevented by the UPS, and it's better to have the machines shut down
> properly rather taking risks with potential data loss, regardless of
> file systems and RAID setups in use.

I think having hardware for "thousands" and having a UPS with that
cheap batteries is not that common. In above company we certainly had 
hardware for thousands, but changing batteries cost hundreds of Euros,
even with off-brand aftermarket parts. It also was complicated to order
the right parts etc.

> RAID isn't as complicated as you think.  Hardware RAID is most
> simple,
> followed by btrfs, followed by mdadm.

I have to disagree with that too. Some hardware RAIDs might be simple,
but others are not. Tracking down the rebrandings of Adaptec,
acquisitions and mergers, is a science by itself. As is finding and
installing their firmware and utilities. Are they still called Avago, 
or something new again?

Or all that BBU stuff: Tracking the state of battery backup units
on the controller, and ordering and replacing the correct battery
is also not really easy. Clearly enterprise IT type of stuff, keeping
even knowledgeable people busy for hours, if you don't do it at scale 
and regularly.

Also often Linux support is problematic. Yes, it will work, but
sometimes certain utilities are not available or do not work as well
as with Windows.

On the other hand mdadm software RAID is well documented and painless.

> 
> With hardware RAID I can instruct someone who has no idea what
> they're
> doing to replace a failed disk remotely.  Same goes for btrfs and
> mdadm, though it better be someone who isn't entirely clueless

In fact this was my job for some time: Administering hardware RAID 
equipped servers, and instructing "remote hands" or customers to 
swap harddisks. It was not always easy, not always were the correct
disks pulled, even though it was correctly labelled. Sometimes 
clueless people tried swapping by themselves, mixing stuff up. We
also had one server with wrong labelling, for whatever reason. That 
was no fun ;) 

Now I won't dispute that RAID has its place in data centers and many
other applications. I just doubt that it is the correct choice for many
home users.

> More importantly, the hassle involved in trying to recover from a
> failed disk is ridiculously enormous without RAID and can get
> expensive when hours of work were lost.  With RAID, you don't even
> notice unless you keep an eye on it, and when a disk has failed, you
> simply order a replacement and plug it in.

Yes, that can happen. But more often than not the scenario is like it 
is with most notebooks today. You send your notebook in for repair, and
have to reinstall anyway. Happened to me. I backed up my Debian system,
sent the device in for hardware repair, got it back with Windows 10 ;)
And no, it was not the disk that was broken, but the touchpad.

> 
> It's not like you could go to a hardware store around the corner and
> get a new disk same or next day.  Even if you have a store around,
> they will need to order the disk, and that can, these days, take
> weeks
> or months or longer if it's a small store. 

For consumer hard disks? I just go to my favourite shop if I need
a replacement, and they've got maybe 20 or 30 types of hard disk 
in stock, to be bought right away. Even more with SSDs. And I am
in a smallish city, pop. 250.000.


> That is simply wrong.  RAID doesn't protect you from malware, and
> nothing protects you from user error.  If you have data losses from
> malware and/or user error more often than from failed disks, you're
> doing something majorly wrong.

In my experience user error is the main source of data loss. By far.

> This shows that you have no experience with RAID and is not an
> argument.

I've got years of experience with RAID, both in my personal use and
with employers doing stuff on RAID for customers and internal services.
In my experience RAID is a nice solution for data center type setups.
RAID often is problematic for home users or even small offices.

> Making backups 

Re: rsync --delete vs rsync --delete-after

2024-01-18 Thread Ralph Aichinger
On Thu, 2024-01-18 at 13:09 +, Michael Kjörling wrote:
> 
> Definitely agree that a solid backup regimen (including regular
> automated backups; at least one off-site copy _at least_ of critical,
> hot data; and planning for the contingency that you need to restore
> that backup onto a brand new system without access to anything on
> your
> current system -- think "home burns down at night" or "burglar"
> scenario) is the _first_ step, and one that a great deal of people
> still fail at.

Absolutely. I use a Raspberry Pi with an external
USB drive for my off-site backups with Restic. Seems to
work fine for now, draws very little power, and the 4TB of a small
2.5" disk is plenty for my personal backups, when deduplicated. Still
this setup probably is too complicated for many home users, where a 
cloud backup or similar makes more sense.

> RAID is for uptime. If a week-long outage (to get replacement
> hardware
> and restore the most recent backup) and a day's worth of data loss is
> largely inconsequential, as quite frankly it likely is for most home
> users save for the cost of replacement hardware,

For me the calculation is more or less "next workday to go to the local
shop for a replacement hard drive" and a few hours to restore backups.
Yes, if you depend on mail order, one week might be more realistic.
Then I probably would keep a spare drive around even as a home user.

>  that's a very
> different scenario from if that same outage costs $$€€¥¥ and could
> destroy your livelihood; and consequently the choices made _should_
> likely be different.

Of course. As soon as you have to pay several people's salaries 
needlessly while they sit around for access to their data, RAID
makes more sense quickly. Still, it makes sense to think about what
you can do yourself vs. what needs external work done, also because
somebody external to repair a RAID might not show up all that quickly
unless you've got some pre-negotiated contract.

> _Mirrored backups_ makes very little sense to me. If a storage device
> used for storage of backups fails prematurely, just toss it and get a
> new one and make a new backup.

Absolutely! Just make more backups, or more backups with different,
independent strategies. As much as possible I try to do two independent
systems (e.g. Restic doing time-based offsite backups, and a cron job
doing a simple tar.gz file into some local drive or storage).

/ralph




Re: nftables: Clamping mss size to lower mtu (on PPPoE connection does not work)

2024-01-18 Thread Ralph Aichinger
On Thu, 2024-01-18 at 12:51 +, Tixy wrote:
> 
> I have the same options in the forward chain except that I haven't
> qualified them with an interface name. Didn't occur to me that I
> would
> need to do that as there are only two networks my LAN and 'the
> internet'.

You probably don't need to, I just copied the example from the nftables
wiki. For my setup it might in theory make a difference because maybe
it could interfere with the use of jumbo frames on my lan, but as the
machine in question is a lowly Raspberry Pi 4, it is a rather
theoretical aspect.

Thanks for your reply, and for confirming that the maxseg line in
principle looks sane. In looking at all the configuration again, I 
noticed something else: In testing I seemingly had set the mtu of the
internal LAN interface en0 lower, to 1400. When I set that back to the 
ethernet default of 1500, my setup started working suddenly, with or
without interface qualification in the maxseg (line/lines).

It never occurred to me that I had broken the MTU on the LAN side. Oh well. 

Ralph -- I'll read the stackexchange links




Re: rsync --delete vs rsync --delete-after

2024-01-18 Thread Ralph Aichinger
Hello fellow Debian users,

On Thu, 2024-01-18 at 12:18 +0100, hw wrote:

> Always use an UPS.


Here I have a somewhat contrarian view, I hope not to offend too much:

For countries with stable electricity supplies (like Austria where I
live) having a small UPS might actually lead to more problems instead
of less, unless you are putting a lot of effort into it. Very often
have I had problems with UPSes, e.g. batteries dying, the UPS going
into some self-test mode and inadvertently shutting down, etc.

I've had no external power outage in the last 5 or 10 years, but a UPS
often needs at least one battery replacement during that time.

Unless you have some sort of professional server rack and redundant 2
phase supply, in my opinion UPSes make very little sense for the home or 
small office user. Also modern Linux systems with journalling
filesystems will survive the occasional hard shutdown. Yes, I have
pulled the plug out of running Linux boxes occasionally because I was
too lazy to shut it down correctly and never had one break beyond the
usual fsck on boot.

> Always use redundancy to store data for a running system, like some
> form of RAID.  It won't hurt to use RAID for backups as well, though
> I don't think that's required when you use it for the data you're
> backing up.

Here I also doubt if this is a wise suggestion for the typical home
or small office user. RAID leads to lots and lots of complexity, that
is often not needed in a home setup. I'd rather have a working backup
setup with many independent copies before I even start thinking about
RAID. Yes, disks can fail, but data loss often is due to user
error and malware. RAID helps very little with the latter two causes
of data loss. And all too often have I seen people mess up their
complicated RAID setups, because they pulled the wrong disk when
another one broke, or because they misinterpreted complicated error
messages, creating unnecessary data loss out of user error by
themselves.

As a home/SOHO user, I'd rather have a working backup every few hours
or every day than some RAID10 wonder that makes me lose more time on
reading RAID documentation, and ordering spare drives (you've got
one of those spares for each array, don't you?) than is actually lost by
not being able to restore to the exact last minute before a hard disk
died.

/ralph -- no UPS at home, using RAID1 md mirroring though




nftables: Clamping mss size to lower mtu (on PPPoE connection does not work)

2024-01-18 Thread Ralph Aichinger
Hello everybody, related question to what I asked a few days ago:

Since I touched my /etc/nftables.conf rules a few days ago to enable
IPv6 I've got IPv6 working completely (thanks again for your help with
suggesting logging packets), but I seemingly broke mss clamping for
IPv4 in doing so (or maybe this is an unrelated breakage? Unlikely). 

Symptoms: There are two websites (https://ebanking.bawag.at/ and the
profile subpage of the online paper derstandard.at (not accessible
without logging in) that just hang indefinitely on clients with
interface MTU set to the default 1500. If I lower the MTU to e.g. 
1400 on the interface of the client, these pages load normally. These
two web pages seem to be IPv4 only (no AAAA record), I could be
overlooking something though, network dumps are very noisy, lots of
tracking cookies loaded etc. The derstandard.at one seems to do QUIC.

This happens on all clients (e.g. also on Android phones in my WiFi
behind this PPPoE gateway, unless I get the client to reduce the MTU.

So it seems clamping the mss on the NAT/PPPoE-Machine running Debian no
longer works. For this I use/used the following rules:

iifname "ppp0" tcp flags syn tcp option maxseg size set rt mtu;
oifname "ppp0" tcp flags syn tcp option maxseg size set rt mtu;

setting a specific mtu as a constant instead of "rt mtu" does not help
either.

ppp0 is my PPPoE interface:

14: ppp0:  mtu 1460 qdisc
fq_codel state UNKNOWN group default qlen 3
link/ppp 
inet 94.136.7.154 peer 94.136.0.40/32 scope global ppp0
   valid_lft forever preferred_lft forever
inet6 2a02:ab8:201:5b0::1/64 scope global dynamic mngtmpaddr 
   valid_lft forever preferred_lft forever
inet6 fe80::1 peer fe80::e25f:b9ff:fe1e:a100/128 scope link 
   valid_lft forever preferred_lft forever


Now I read the nftables wiki, which is where I got my maxseg rule from,
and under the heading "Interactions with conntrack" it says 

 "Keep in mind the interactions with conntrack, flows with mangled
traffic must be untracked. You can do this in a single rule:
nft add rule ip6 raw prerouting ip6 daddr fd00::1 ip6 daddr set fd00::2
notrack

https://wiki.nftables.org/wiki-nftables/index.php/Mangling_packet_headers

and I do not understand what is meant here. Do I need a rule like the
one mentioned in the nftables wiki, but for IPv4 instead of IPv6? Will
"untracking" break the stateful firewall and be a security problem?
Sadly there is not a lot of documentation and configuration examples to
google for this with respect to nftables (and not e.g. older iptables).

Is there a better explanation what is meant by "flows with mangled 
traffic must be untracked"? Is this relevant to my situation at all?

Any help on how to debug this would be appreciated. There are lots of
tutorials on how to find the MTU of a connection by using "ping -M do
-s 1500" or similar, but very little on diagnosing more complex MTU
problems e.g. with web pages.

Also: Do I need the MSS clamp rule for IPv6, or is it unnecessary with
the different path MTU discovery included into the protocol on IPv6?
For now I have included these lines there too, it probably makes no
difference.

I've included the full nftables rules below. The interfaces en2 and en3
are IPv6 DMZs seemingly unrelated to this problem here, my problematic
connections are all coming from the internal network behind en0.

Thanks in advance,
Ralph

#!/usr/sbin/nft -f

flush ruleset

table ip natfilter {
    chain prerouting {
        type nat hook prerouting priority -100;
        policy accept;
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        policy accept;
        oifname "ppp0" counter snat to 94.136.7.154;
    }

    chain input {
        type filter hook input priority 0;
        policy drop;
        ct state invalid counter drop;
        ct state related,established counter accept;
        iifname "lo" counter accept;
        ip protocol icmp counter accept;
        tcp dport 22 counter accept;
        tcp dport 25 counter accept;
        tcp dport 53 counter accept;
        udp dport 53 counter accept;
        tcp dport 80 counter accept;
        tcp dport 143 counter accept;
        tcp dport 443 counter accept;
    }
    chain forward {
        type filter hook forward priority 0;
        policy drop;
        ct state related,established counter accept;
        iifname "en0" counter accept;
        # accept is a terminating verdict: a SYN arriving on en0 leaves this
        # chain at the rule above and never reaches the two clamp rules below
        iifname "ppp0" tcp flags syn tcp option maxseg size set rt mtu;
        oifname "ppp0" tcp flags syn tcp option maxseg size set rt mtu;
    }
}

table ip6 filter {
chain input {
type filter hook input priority 0; policy drop;
ct state invalid counter drop 
ct state 

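A way to check offline whether a SYN pulled out of a capture already carries a clamped MSS, added here as an example (not code from the original post or from nftables): it derives the MSS a given link MTU permits (the 1460 of ppp0 above, minus the IP and TCP headers, which is what "rt mtu" clamps to) and parses the MSS option out of a constructed TCP SYN for both the IPv4 and the IPv6 case.

```python
"""Verify whether TCP SYNs carry an MSS that fits the PPPoE link MTU,
i.e. whether an nftables 'tcp option maxseg size set rt mtu' clamp has
taken effect.  Added example, not code from nftables or the original
post; the SYN segments below are constructed."""
import struct

IPV4_HDR, IPV6_HDR, TCP_HDR = 20, 40, 20   # header sizes without options


def expected_mss(mtu, ipv6=False):
    """Largest MSS that fits one unfragmented packet on a link of this MTU.
    This is what 'rt mtu' clamps to: route MTU minus IP and TCP headers."""
    return mtu - (IPV6_HDR if ipv6 else IPV4_HDR) - TCP_HDR


def tcp_mss_option(segment):
    """Return the MSS option value of a TCP segment, or None if absent."""
    data_offset = (segment[12] >> 4) * 4          # TCP header length in bytes
    options = segment[TCP_HDR:data_offset]
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                              # end of option list
            break
        if kind == 1:                              # NOP, a single byte
            i += 1
            continue
        if i + 1 >= len(options):                  # truncated option, give up
            break
        length = options[i + 1]
        if kind == 2 and length == 4:              # MSS option: kind 2, len 4
            return struct.unpack("!H", options[i + 2:i + 4])[0]
        i += max(length, 2)
    return None


def build_syn(mss, sport=54321, dport=443):
    """Construct a TCP SYN (without IP header) advertising the given MSS."""
    options = b"\x01\x01" + struct.pack("!BBH", 2, 4, mss) + b"\x00\x00"
    data_offset = (TCP_HDR + len(options)) // 4    # 7 words = 28 bytes
    header = struct.pack("!HHIIBBHHH", sport, dport, 1, 0,
                         data_offset << 4, 0x02, 65535, 0, 0)  # 0x02 = SYN
    return header + options


def clamp_is_effective(segment, link_mtu, ipv6=False):
    """True if the SYN's MSS is at most what the link MTU permits."""
    mss = tcp_mss_option(segment)
    return mss is not None and mss <= expected_mss(link_mtu, ipv6)


if __name__ == "__main__":
    lan_syn = build_syn(1460)             # client on a 1500-byte Ethernet LAN
    print("MSS allowed on ppp0 (mtu 1460): IPv4", expected_mss(1460),
          "IPv6", expected_mss(1460, ipv6=True))
    print("LAN SYN clamped?", clamp_is_effective(lan_syn, 1460),
          "/ after clamp:", clamp_is_effective(build_syn(1420), 1460))
```

Feeding the TCP payload of SYNs captured on ppp0 to clamp_is_effective tells you per connection whether the clamp rule was reached, independent of what the web page does afterwards.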
Re: nftables firewall question: matching udp in ipv6

2024-01-12 Thread Ralph Aichinger
On Fri, Jan 12, 2024 at 07:35:14PM +0100, Michel Verdier wrote:
>   meta l4proto udp log level info prefix "udp" accept

Thanks for that, and thanks to Michael Kjörling, your replies really
helped.

I found log lines similar to:

2024-01-12T19:51:32.999346+01:00 pi kernel: [3401524.305759] 
ralphfilterudpIN=en2 OUT=en2 MAC=08:00:1e:02:00:02:6c:cf:39:00:42:f4:86:dd 
SRC=2a02:0ab8:redacted DST=2a00:63c1:redacted LEN=96 TC=0 HOPLIMIT=63 
FLOWLBL=279176 PROTO=UDP SPT=40840 DPT=123 LEN=56 

with interestingly IN and OUT interfaces the same en2 (=dmz). And to my 
surprise, I
found a double IPv6 default route:

default via fe80::e25f:b9ff:fe1e:a100 dev ppp0 proto ra metric 1024 expires 
1791sec hoplimit 64 pref medium
default via fe80::a00:1eff:fe01:0 dev en2 proto ra metric 1024 expires 1588sec 
hoplimit 64 pref medium

Now I don't understand why pings/ICMP and TCP traffic seem to decide for
the correct route via ppp0 and only UDP seems to prefer the one via en2,
but when I delete it, everything works. So while nftables might still
contain some problematic stuff, at the core of my problem seems to be
routing.

I "only" have to find out what mechanism adds the lower, en2 default
route within a few minutes, once I delete it. I ran "radvdump", but
that only dumped the correct announcement my provider sends for the
net over the PPPoE connection. Hm.

Thanks everybody, of course hints on how to find out what's adding
default routes would also be appreciated ;)

Ralph



Re: nftables firewall question: matching udp in ipv6

2024-01-12 Thread Ralph Aichinger
On Fri, Jan 12, 2024 at 05:26:57PM +, Michael Kjörling wrote:
> My suggestion would be to insert a "udp log" rule. (Pretty sure you
> only need "udp", not "meta l4proto udp".)
  
Thanks,  I will try that. Yes "meta l4proto udp" might be cargo 
cult configuration ;)

> That will give you a firehose of information which will include ports,
> interfaces and other relevant information. You can then narrow it down
> until it logs the traffic you want to accept, at which point you can
> change the "log" action into an "accept" action.
> 
> Note that forwarding and filtering can interact in non-intuitive ways.
> You may need to add corresponding log rules to each relevant chain,
> maybe with a prefix to tell them apart.
  
Thanks a lot!

Ralph



Re: nftables firewall question: matching udp in ipv6

2024-01-12 Thread Ralph Aichinger
On Fri, Jan 12, 2024 at 03:52:46PM +, Tom Furie wrote:
> other input/output rules that are interfering, but since you've abridged
> your ruleset we have no way of knowing.

Sorry, I wanted to include the full ruleset and forgot. I have still left
off the "table ip nat" and "table ip filter" chains, I hope this is OK.


#!/usr/sbin/nft -f

flush ruleset

table ip nat {
...
}

table ip filter {
...
}

table ip6 filter {
chain input {
type filter hook input priority 0; policy drop;
ct state invalid counter drop comment "early drop of invalid packets"
ct state {established, related} counter accept comment "accept all connections related to connections made by us"
iif lo accept comment "accept loopback"
iif != lo ip6 daddr ::1/128 counter drop comment "drop connections to loopback not coming from loopback"
meta l4proto ipv6-icmp counter accept comment "accept all ICMP types"
tcp dport 22 counter accept comment "accept SSH"
tcp dport 25 counter accept comment "accept SMTP"
tcp dport 53 counter accept comment "accept DNS"
udp dport 53 counter accept comment "accept DNS"
tcp dport 80 counter accept comment "accept HTTP"
tcp dport 443 counter accept comment "accept HTTPS"
counter comment "count dropped packets"
}


chain forward {
type filter hook forward priority 0; policy drop;

iifname ppp0 oifname en0 ct state established,related accept
iifname en0 oifname ppp0 accept

iifname en2 oifname ppp0 accept
iifname ppp0 oifname en2 accept

iifname en0 oifname en2 accept
iifname en2 oifname en0 ct state established,related accept

meta l4proto ipv6-icmp accept

}
}



Re: nftables firewall question: matching udp in ipv6

2024-01-12 Thread Ralph Aichinger
On Fri, Jan 12, 2024 at 03:52:46PM +, Tom Furie wrote:
> Where is the DNS server the dmz host is resolving against? In your dmz,
> your internal network, on the firewall machine, outside? You may have
> other input/output rules that are interfering, but since you've abridged
> your ruleset we have no way of knowing.

 
I've tried this with the public Google DNS 2001:4860:4860::. The
behaviour seems consistent: If I try to resolve names over UDP with the
first ruleset I posted, it fails. If I try DNS over TCP (by using
nslookup with the "-vc" option), it works.

Thanks,
Ralph



nftables firewall question: matching udp in ipv6

2024-01-12 Thread Ralph Aichinger
Hello!

I am currently fighting with the following problem: I've got a system
that has 3 relevant interfaces: ppp0, en0 and en2, for external,
internal and dmz respectively. 

The dmz is IPv6 only, a homelab testbed more or less.

I've got the following rules in /etc/nftables.conf for IPv6 (I am
abbreviating the chain input, because I am only fighting with
forwarding):

table ip6 filter {
chain input {
...
}


chain forward {
  type filter hook forward priority 0; policy drop;

  iifname ppp0 oifname en0 ct state established,related accept
  iifname en0 oifname ppp0 accept

  iifname en2 oifname ppp0 accept
  iifname ppp0 oifname en2 accept

  iifname en0 oifname en2 accept
  iifname en2 oifname en0 ct state established,related accept

  meta l4proto ipv6-icmp accept
 

}
}

This "almost" works: I can do everything I want from my internal
network (connected to en0) towards the outside, and tcp connections
from and to the dmz also work. Ping works everywhere.

What does not work, and this puzzles me, is that UDP does not work.
E.g. if I look up a DNS name in my dmz (connected to en2), I see no
UDP packets if I start tcpdump on the external interface ppp0. I see
them entering on en2.

Why does UDP behave differently from TCP here? Is this an nftables or
IPv6 specific gotcha?

If I insert the following rule at the bottom, everything starts to
work:

meta l4proto  udp  accept

but I don't know how to limit this overbroad rule (so it does not
forward UDP to the internal network on en0, which I do not want).
Trying e.g.

iifname en2 oifname ppp0 meta l4proto  udp  accept
iifname ppp0 oifname en0 meta l4proto  udp  accept

did not work either, and behaved like my initial setup described on top.

Any hints for me?
TIA
Ralph 



Status of ISC Stork (monitoring daemon to ISC Kea) in Debian

2024-01-06 Thread Ralph Aichinger
Hi everybody!

Normally I am quite good at finding out if and why something is not
packaged in Debian, but I have not found any information about ISC
Stork, basically an optional accessory to ISC Kea.

While migrating to Kea from ISC dhcpd, I noticed that this component is
not packaged. Or have I overlooked it? Now I am not sure it is useful at
all to me, but out of curiosity, is it a licensing thing? Is it not
that useful in practice?
The license seems to be a rather standard MPL.

Anybody using Kea DHCP with opinion on Stork? Is it worth the bother to
install the version from upstream manually?

Kind regards,
Ralph Aichinger



Suggested way to ssh into obsolete devices (with old ssh crypto)?

2021-07-06 Thread Ralph Aichinger
Hi, everybody, as a bullseye user I am seeing messages like 

| Unable to negotiate with 10.0.17.52 port 22: no matching 
| key exchange method found. Their offer: diffie-hellman-group1-sha1

with increasing frequency, especially when trying to ssh into
proprietary, obsolete stuff. The above comes from a Cisco 7941 IP
phone I toy around with at home, with no expectation of security
whatsoever; I might as well use telnet.

Some algorithms can be activated by using e.g. 
 -oKexAlgorithms=+diffie-hellman-group1-sha1
but I suppose it is only a question of time before some of this
really old and insecure stuff is compiled out or removed from
sources. It is also a bit difficult to find working combinations
of keyexchange algorithms and ciphers for unknown older servers
(a lot of trial and error?).

What is the suggested way to work around that problem? Download
ssh sources from 15 years ago, and build a "ssh-insecure" binary?

What I do not want to do is change my "normal" configuration, e.g.
add these algorithms to my normal .ssh/config.

I suppose I am not the only one or first to have this problem, 
is there an elegant solution, that does not compromise security
in the dominating normal case (ssh into modern servers)?

Thanks in advance,
Ralph



Re: The state of IPSec in Debian

2019-10-24 Thread Ralph Aichinger
On Thu, Oct 24, 2019 at 02:01:25PM -0400, Dan Ritter wrote:
> StrongSwan used to be the best supported, but LibreSwan is now.
> Things change.

Thanks!

This is the kind of information I was hoping for.

> If you need solid VPN support and control all the endpoints,
> Wireguard may be an even better choice -- if for no other reason
> than debugging is much, much simpler. IPsec would be great if
> it weren't for the need to debug connections...

Yes, very much so, but unfortunately I do not have control of 
the opposite endpoint. I absolutely love Wireguard, it is
by magnitudes simpler, without missing anything important to
me.

Thanks!

/ralph
-- 
-
  https://aisg.at
   ausserirdische sind gesund



Re: The state of IPSec in Debian

2019-10-24 Thread Ralph Aichinger
On Thu, Oct 24, 2019 at 05:32:51PM +0200, deb...@jherrero.org wrote:
> On Thu, 24-10-2019 at 16:27 +0200, Ralph Aichinger wrote:
> > Or am I completely wrong and should I use some other implementation?
> 
> from
> 
> https://www.debian.org/releases/stable/amd64/release-notes/ch-information.en.html#noteworthy-obsolete-packages

> | Users are encouraged to migrate to libreswan, which has broader
> | protocol compatibility and is being actively maintained upstream.

Thanks!

This could be interpreted as: Who uses these obsoleted packages
is best served with libreswan, but does this also hold for new 
installations starting from scratch with buster?

I have e.g. looked at popcon stats and unless I am missing something
StrongSwan is much more popular than LibreSwan. Or did I overlook
something?

LibreSwan has some RedHat backing(?), is there some kind of pull
towards LibreSwan from StrongSwan?

/ralph
-- 
-
  https://aisg.at
   ausserirdische sind gesund



The state of IPSec in Debian

2019-10-24 Thread Ralph Aichinger
Hi!

I am not a completely inexperienced user of Debian, but sometimes
certain subsystems and choices still puzzle me. Right now this
is IPSec.

There used to be several implementations, but am I right that
the only sensible one right now is Strongswan?

https://wiki.debian.org/IPsec

goes on about the "experimental" Linux 2.5 series and "now that Sarge
is released", i.e. is woefully out of date, so much that I would call
it confusing.

Is there some more recent documentation on setting up an ipsec
tunnel on Debian in 2019 (and not in 2009 ;) or should I just go
by the StrongSwan docs, e.g.

https://www.strongswan.org/testing/testresults/swanctl/net2net-psk/

?

Strongswan seems to have two configuration systems, the 
"deprecated" stroke plugin with ipsec.conf and the
"preferred" vici plugin with "swanctl.conf". Should I 
use the "deprecated" stuff with Debian nevertheless?

Or am I completely wrong and should I use some other implementation?

TIA
/ralph
-- 
-
  https://aisg.at
   ausserirdische sind gesund



Bareos, dbconfig-common, PostgreSQL and PAM: no module specific data

2015-01-03 Thread Ralph Aichinger
(Sorry if this is a duplicate message, I tried to post this
an hour or so ago, but saw nothing on the list.)

I want to install bareos, the bacula derived backup software
with a PostgreSQL/dbconfig setup on a sid/amd64 system. I am
stuck at the following error:

An error occurred while installing the database:

Password for user bareos: psql: FATAL: password authentication failed
for user bareos FATAL: password authentication failed for user
bareos su: No module specific data is present

I assume the No module specific data is present refers to PAM modules?

Any hints on how to resolve that problem or diagnose it further?

TIA
/ralph   


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20150103160247.ga10...@pi.h5.or.at



Doubt about the release-fitness of a package (gfax)

2014-11-09 Thread Ralph Aichinger
I just tried to install gfax (in sid), and it crashed on me just as described
in bug 651160.

This has been reported in 2011, is tagged help, and seems to go
nowhere.

What is the right way to suggest that this package is not ready
for release (I do think if I am not the only one experiencing 
the same crash it is probably a general thing, not something 
to do with my install), even though there is currently no RC bug
filed? 

Add my findings to bug 651160, and set it to RC (is that considered
rude if a non-developer does it)? Is it even possible (setting to RC)?

Mail the maintainer?

File another bug?

I want to straddle the fine line between me-me-me-type severity inflation
and a genuine feeling that this package should not end up in stable
jessie in its current state. And I do not only want to ask about that
one package, but what is the right thing to do as a user if one finds
bugs like these.

TIA
/ralph
-- 
http://www.flickr.com/photos/sooperkuh/


Archive: https://lists.debian.org/20141109111252.ga1...@mail.pangea.at



Changing date format in /usr/bin/last

2004-11-15 Thread Ralph Aichinger
Hello!

I had the problem today that I wanted to get some information out
of my wtmp file about system usage, and I needed logins 
categorized by year. In Debian, last gives output like

ralph    pts/1        monk      Mon Nov 15 14:32   still logged in
ralph    pts/0        monk      Mon Nov 15 12:40   still logged in
ab       client48:0   client48  Mon Nov 15 12:26 - 13:22  (00:56)

i.e. it does not show the year of the login.

Of course you can always hack something together with Perl and
Sys::Utmp, but is there some way of doing this with last or
some other common utility?

TIA
/ralph -- solved it in Perl for now, but I can't imagine this is
  the most elegant way to do it.

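The per-year grouping asked for above, done directly on wtmp records, as an added example that is not part of the original post or of the last utility. It assumes the glibc x86_64 utmp record layout (384 bytes, 32-bit ut_tv) and works on constructed records modelled on the three logins shown; reading a real file is a matter of passing the bytes of /var/log/wtmp instead.

```python
"""Group wtmp logins by year, which Debian's 'last' output does not show.
Added example for this thread, not part of the original post or of the
'last' utility.  Assumes the glibc x86_64 utmp record layout (384 bytes,
32-bit ut_tv); the records below are constructed test data."""
import struct
from collections import defaultdict
from datetime import datetime, timezone

# struct utmp: ut_type, 2 pad bytes, ut_pid, ut_line[32], ut_id[4],
# ut_user[32], ut_host[256], ut_exit (2 x int16), ut_session,
# ut_tv (sec, usec as int32), ut_addr_v6[4], 20 unused bytes
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)        # 384
USER_PROCESS, BOOT_TIME = 7, 2
UTC = timezone.utc

def _cstr(field):
    """Decode a NUL-padded fixed-size string field."""
    return field.split(b"\0", 1)[0].decode(errors="replace")

def build_record(ut_type, user, line, host, when, pid=1000):
    """Construct one wtmp record (test data, not a real login)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"",
                       user.encode(), host.encode(), 0, 0, 0,
                       int(when.timestamp()), 0, 0, 0, 0, 0)

def logins_by_year(wtmp_bytes):
    """Parse raw wtmp content into {year: [(user, line, host, datetime)]}.
    Only USER_PROCESS records are logins; boot, runlevel and dead-process
    records are skipped, as 'last' skips them in its login list."""
    by_year = defaultdict(list)
    for off in range(0, len(wtmp_bytes) - UTMP_SIZE + 1, UTMP_SIZE):
        rec = struct.unpack_from(UTMP_FMT, wtmp_bytes, off)
        ut_type, _pid, line, _id, user, host, _e1, _e2, _sess, sec = rec[:10]
        if ut_type != USER_PROCESS:
            continue
        ts = datetime.fromtimestamp(sec, tz=UTC)
        by_year[ts.year].append((_cstr(user), _cstr(line), _cstr(host), ts))
    return dict(by_year)

def count_by_year(wtmp_bytes):
    """Number of logins per year, the figure the post was after."""
    return {y: len(v) for y, v in logins_by_year(wtmp_bytes).items()}

SAMPLE_WTMP = b"".join([   # constructed, modelled on the 'last' lines above
    build_record(USER_PROCESS, "ralph", "pts/1", "monk", datetime(2004, 11, 15, 14, 32, tzinfo=UTC)),
    build_record(USER_PROCESS, "ab", "client48:0", "client48", datetime(2004, 11, 15, 12, 26, tzinfo=UTC)),
    build_record(USER_PROCESS, "ralph", "pts/0", "monk", datetime(2003, 2, 3, 9, 0, tzinfo=UTC)),
    build_record(BOOT_TIME, "reboot", "~", "", datetime(2003, 11, 28, 7, 0, tzinfo=UTC), pid=0),
])

if __name__ == "__main__":
    for year, entries in sorted(logins_by_year(SAMPLE_WTMP).items()):
        print(year, [f"{u} {l} {h} {t:%b %d %H:%M}" for u, l, h, t in entries])
```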
