[gentoo-user] Re: abi_x86_32

2013-03-29 Thread Nikos Chantziaras

On 29/03/13 16:21, Raffaele BELARDI wrote:
> By the way, I found this:
>
> $ cat /usr/portage/profiles/desc/abi_x86.desc
> [...]
> 32 - 32-bit (x86) libraries
> 64 - 64-bit (amd64) libraries
> x32 - x32 ABI libraries
>
> ...and searching for USE_EXPAND in
> http://devmanual.gentoo.org/general-concepts/use-flags/ shows that
> USE="abi_x86_32" and ABI_X86="32" have the same meaning, which was my
> other doubt.


It's just a way to provide a default but still be able to override it if 
needed.  Putting ABI_X86="32" in your make.conf will enable abi_x86_32 
for all ebuilds, but you can disable it for individual ebuilds by using 
-abi_x86_32 in package.use.





[gentoo-user] Current Dells and UEFI/secureboot (or other showstoppers)?

2013-03-29 Thread Walter Dnes
  The reason I'm asking is that I have 2 Dell desktops ("production" and
"hot backup") that are pushing 5 or 6 years of age, and I need to
replace at least one.  They simply can't keep up with HD video
streams...
* it could keep up with Youtube 480p videos fullscreen under ADSL 5
  megabit service.  The stream was the limit.
* after the speed was bumped up, it could keep up with Youtube 720p
  videos fullscreen under ADSL 6 megabit service.  The stream was
  the limit.  The download still couldn't keep up with 1080p videos.
* This week, I moved from "legacy 6 GAS" to "FTTN 7".  Unlike GAS, FTTN
  speeds are net, not gross.  So my Speedtest.net results jumped from
  approx 5.1-5.2 megabits to 7.1-7.2 megabits, and it can keep up with
  1080p streams.
* The "newer", more powerful, machine can play 1080p Youtube videos
  under Firefox in the "large player", but the load is pegged at between
  2.5 and 3.  For a 2-core machine, that's bad.  The leaner Midori can
  play the same video with a load between 1.7 and 2.1, which is pushing
  it.  Going to fullscreen, it stutters noticeably under Firefox.  Midori
  can just barely keep up in fullscreen mode.
* The machine can play NHL GameCenter Live at the slowest stream
  (400 kbits/sec).  It doesn't even show the other options (800, 1600,
  and 3000)

  The 1080p video was http://www.youtube.com/watch?v=US3Px2sePWk  Note
that you have to manually select 1080p.  The "fmt=" option doesn't seem
to work anymore.

  The onboard Intel GPU is not the problem; it's the CPU trying to keep
up with Flash.  And before anyone asks...
* I'm running Gentoo with full optimizations
* I'm running ICEWM with no "desktop environment"; see my sig
So I don't think there are any more optimizations to be had, other than
a new PC.  Assuming there are no showstoppers, I'll be buying another
Dell.  They seem to last for me.

-- 
Walter Dnes 
I don't run "desktop environments"; I run useful applications



Re: [gentoo-user] How to prevent a dns amplification attack

2013-03-29 Thread Walter Dnes
On Fri, Mar 29, 2013 at 05:34:41PM -0500, Paul Hartman wrote
> 
> Pretty much every major ISP in the US does DNS-hijacking and other
> shenanigans, so there's no avoiding the evilness.

  The obvious question is... do they hijack all port-53 queries?
Depending on the answer, there are 2 different strategies to follow.

-- 
Walter Dnes 
I don't run "desktop environments"; I run useful applications



Re: [gentoo-user] cyrus-sasl necessary with localhost webmail?

2013-03-29 Thread Stroller

On 29 March 2013, at 20:05, Grant wrote:
>> ...
>> I have a very old installation of net-mail/courier-imap
>> 
>> I don't believe I have ever run cyrus-sasl on it. I have accessed this 
>> system via Squirrelmail, IMAP and (I think) IMAP-over-SSL.
> 
> Thanks Stroller.  Do you run postfix or another MTA on that system?
> I'm wondering if I might need cyrus-sasl for postfix instead of
> courier.

I do indeed run Postfix on it. 

Stroller.


Re: [gentoo-user] iptables (not) started?

2013-03-29 Thread Neil Bothwick
On Fri, 29 Mar 2013 23:29:39 +, Mick wrote:

> > > Why do wikis and the like suggest that iptables should be in default
> > > rather than boot runlevel?  
> > 
> > Why not? There's no need to start it especially early, as long as it
> > is running before the network comes up, and the init script takes
> > care of that.  
> 
> I haven't seen anything in net.lo that waits for iptables and I seem to
> recall that the network interfaces are started before iptables is run,
> unless I start iptables at boot level.

The iptables init script contains "before net".


-- 
Neil Bothwick

Advanced: (adj.) doesn't work yet, but it's pretty close. See: bug,
glitch.




Re: [gentoo-user] Change in iptables syntax fails to load rule

2013-03-29 Thread Mick
On Friday 29 Mar 2013 20:36:40 Pandu Poluan wrote:
> On Mar 30, 2013 2:54 AM, "Mick"  wrote:
> > Hi All,
> > 
> > A few months ago I got some errors about the match option in some
> > iptables rules that I was running at the time.  I modified these to
> > remove match and add conntrack and all went well.
> > 
> > 
> > Now I am trying to run this:
> > 
> > /sbin/iptables -t nat -A OUTPUT -v -p tcp --dport 1935 -j REDIRECT
> > 
> > but it fails to load and it does not give me any particularly informative
> > message:
> > 
> > # /sbin/iptables -t nat -A OUTPUT -v -p tcp --dport 1935 -j REDIRECT
> > REDIRECT  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   tcp dpt:1935
> > 
> > # /sbin/iptables -L -v -n | grep 1935
> > #
> > 
> > Any idea how I should rewrite this rule?  I was using it to redirect the
> > output to rtmpsrv to capture the address of a rtmpe stream, but now it
> > does not work.
> > --
> > Regards,
> > Mick
> 
> IIRC, iptables -L by default only dumps the "filter" table.
> 
> Just use iptables-save and pipe the result through less (more info there;
> you can ensure that the rule gets inserted to the proper table and chain).

Hmm... the rule is saved, but searching for the port number does not bring up 
anything, hence I assumed that it is not accepted.

Isn't a port number in this case '1935' interpreted as a search string on the 
shell?  Quotes don't work.

-- 
Regards,
Mick




Re: [gentoo-user] 4G Stick Huawei E3276

2013-03-29 Thread Stefan G. Weichinger
Am 29.03.2013 22:40, schrieb Stefan G. Weichinger:
> Am 29.03.2013 22:03, schrieb Stefan G. Weichinger:
>> I don't know about NM's preferences ... I just assume this could be
>> the problem.
>>
>> Gotta dig up some udev-ruling for this, any quick pointers anyone?
> 
> even "easier":
> 
> You can change the device name using ifrename from package wireless_tools.
> 
> Now I have device wwan0 but still NM does not care about it.
> 
> I really don't want to rant ... but ... you know.

Just an observation:

Started a VM on my main workstation ... Windows XP inside of VMware Player.
Not even KVM or something ...

Connected that funny stick to that very VM ... and connected to funky
internet on first try ...

So what about that?

UNIX/Linux runs what percentage of the internet?

ok ok ...

LTE is new

linux has only a small percentage ...

gentoo even less.

I spent my whole afternoon trying to connect this very stick to the
internet ...

via 2 linuxes and 1 bsd  not  ONE connection.

Right now I pull in an ISO at >1100kB/s, via that very stick, into an XP-VM.

(seems I don't have LTE coverage here ... but some UMTS or so )

-

Might be just plain ignorance by the provider. Not telling me access
infos etc.

My ADSL is slower.

*sigh*

Just a bit of feedback :-)

S



Re: [gentoo-user] iptables (not) started?

2013-03-29 Thread Mick
On Friday 29 Mar 2013 20:37:20 Neil Bothwick wrote:
> On Fri, 29 Mar 2013 19:44:14 +, Mick wrote:
> > Why do wikis and the like suggest that iptables should be in default
> > rather than boot runlevel?
> 
> Why not? There's no need to start it especially early, as long as it is
> running before the network comes up, and the init script takes care of
> that.

I haven't seen anything in net.lo that waits for iptables and I seem to recall 
that the network interfaces are started before iptables is run, unless I start 
iptables at boot level.
-- 
Regards,
Mick




Re: [gentoo-user] How to prevent a dns amplification attack

2013-03-29 Thread Michael Mol
On 03/29/2013 07:01 PM, William Kenworthy wrote:
> On 30/03/13 06:34, Paul Hartman wrote:
>> On Thu, Mar 28, 2013 at 7:49 PM, Peter Humphrey
>>  wrote:
>>> On Thursday 28 March 2013 20:53:49 Paul Hartman wrote:
>>>
>>>> In my case, my ISP's DNS servers are slow (several seconds to reply),
>>>> fail randomly when they should resolve, return an IP (which goes to
>>>> their ad-laden "helper" website if you are using a web browser) when
>>>> they should instead return nxdomain, and they have openly admitted to
>>>> selling customer DNS lookup history to marketers for targeted
>>>> advertising.
>>>
>>>
>>>
>>> That is just evil. Have you no alternative to this ISP?
>>
>> Not really.
>>
>> I have a 100 megabit connection through the cable company; my only
>> wired alternative is DSL (1.5 mbit for almost half the price I'm
>> paying for 100mbit). Cellular or satellite are not viable options for
>> me because of comparatively poor value, latency and minuscule data
>> usage caps.
>>
> 
> Can you do a tunnel to a cheap vsp instance that can access an external
> dns, and feed all your dns queries through it?  Considering the problems
> with your existing setup, that looks attractive and you can have sane
> fallbacks if necessary.
> 
> I tried this to avoid the "Australia Tax" when online shopping overseas
> and the small additional latency didn't seem to be a problem.

Doesn't even need to be that complicated.

Set up a free tunnel with tunnelbroker.net, and use Hurricane Electric's
provided IPv6 DNS servers. They run the tunnel service as a loss-leader,
and if they're doing anything funky with their DNS data, I haven't heard
about it.

Chances are, the local ISP won't be filtering traffic flowing across a
proto41 tunnel. (IPv6 packet as an IPv4 packet payload. It's called a
proto41 tunnel because 41 is placed in the "next protocol" field in the
IPv4 packet.)
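
An added example (not part of the original message) of recognising the proto41 encapsulation described above in captured packet bytes: the IPv4 protocol field is byte 9 of the header, and a 6in4 payload starts with the IPv6 version nibble 6. The function names and both sample packets are constructed for illustration; the addresses are documentation ranges.

```shell
#!/bin/sh
# Constructed sample: 20-byte IPv4 header (protocol 0x29 = 41, checksum left
# as zero) from 192.0.2.1 to 198.51.100.1, followed by the first 8 bytes of
# an IPv6 header.
SAMPLE_6IN4="4500003c000040004029 0000c0000201c6336401 6000000000143a40"
# Constructed sample: the same IPv4 header carrying UDP (protocol 0x11 = 17).
SAMPLE_UDP="4500003c000040004011 0000c0000201c6336401 0035003500280000"

# hex_at HEX OFFSET LEN: print LEN bytes, as hex digits, starting at byte OFFSET.
hex_at() {
    hx_start=$(( $2 * 2 + 1 ))
    hx_end=$(( ($2 + $3) * 2 ))
    printf '%s' "$1" | cut -c"${hx_start}-${hx_end}"
}

# classify_packet HEX: print "6in4", "ipv4 proto N", or a reason the bytes
# could not be classified (non-zero exit status in that case).
classify_packet() {
    pkt=$(printf '%s' "$1" | tr -d ' \n' | tr 'A-F' 'a-f')
    # A minimal IPv4 header is 20 bytes, i.e. 40 hex digits.
    [ "${#pkt}" -ge 40 ] || { echo truncated; return 1; }
    [ "$(hex_at "$pkt" 0 1 | cut -c1)" = 4 ] || { echo not-ipv4; return 1; }
    # Low nibble of byte 0 is the header length in 32-bit words.
    ihl=$(( 0x$(hex_at "$pkt" 0 1 | cut -c2) ))
    [ "$ihl" -ge 5 ] || { echo malformed; return 1; }
    # Byte 9 is the protocol field ("next protocol" in the message above).
    proto=$(( 0x$(hex_at "$pkt" 9 1) ))
    if [ "$proto" -eq 41 ]; then
        # The encapsulated packet begins right after the IPv4 header.
        inner=$(hex_at "$pkt" $(( ihl * 4 )) 1 | cut -c1)
        if [ "$inner" = 6 ]; then
            echo 6in4
            return 0
        fi
        echo "proto 41 without IPv6 payload"
        return 1
    fi
    echo "ipv4 proto $proto"
}

classify_packet "$SAMPLE_6IN4"
classify_packet "$SAMPLE_UDP"
```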






Re: [gentoo-user] How to prevent a dns amplification attack

2013-03-29 Thread William Kenworthy
On 30/03/13 06:34, Paul Hartman wrote:
> On Thu, Mar 28, 2013 at 7:49 PM, Peter Humphrey
>  wrote:
>> On Thursday 28 March 2013 20:53:49 Paul Hartman wrote:
>>
>>> In my case, my ISP's DNS servers are slow (several seconds to reply),
>>> fail randomly when they should resolve, return an IP (which goes to
>>> their ad-laden "helper" website if you are using a web browser) when
>>> they should instead return nxdomain, and they have openly admitted to
>>> selling customer DNS lookup history to marketers for targeted
>>> advertising.
>>
>>
>>
>> That is just evil. Have you no alternative to this ISP?
> 
> Not really.
> 
> I have a 100 megabit connection through the cable company; my only
> wired alternative is DSL (1.5 mbit for almost half the price I'm
> paying for 100mbit). Cellular or satellite are not viable options for
> me because of comparatively poor value, latency and minuscule data
> usage caps.
> 

Can you do a tunnel to a cheap vsp instance that can access an external
dns, and feed all your dns queries through it?  Considering the problems
with your existing setup, that looks attractive and you can have sane
fallbacks if necessary.

I tried this to avoid the "Australia Tax" when online shopping overseas
and the small additional latency didn't seem to be a problem.

BillK






Re: [gentoo-user] Using Amazon Web Services with gentoo

2013-03-29 Thread William Kenworthy
On 30/03/13 05:23, Stefan G. Weichinger wrote:
> Am 24.03.2013 21:12, schrieb Stefan G. Weichinger:
>>
>> Does anyone of you use the Amazon EC2 service with gentoo-based instances?
> 
> The loud and wild echo says: no  ?
> 
> Interesting!
> 
> ;-)
> 
> 
moriah ~ # esearch amazon
[ Results for search key : amazon ]
[ Applications found : 7 ]

*  app-admin/amazon-ec2-init [ Masked ]
  Latest version available: 20101127
  Latest version installed: [ Not Installed ]
  Size of downloaded files: 0 kB
  Homepage:http://www.gentoo.org/
  Description: Init script to setup Amazon EC2 instance parameters.
  License: GPL-2

*  dev-perl/Net-Amazon
  Latest version available: 0.610.0
  Latest version installed: [ Not Installed ]
  Size of downloaded files: 214 kB
  Homepage:http://search.cpan.org/dist/Net-Amazon/
  Description: Net::Amazon - Framework for accessing amazon.com via
SOAP and XML/HTTP
  License: || ( Artistic GPL-1 GPL-2 GPL-3 )

*  dev-perl/Net-Amazon-S3 [ Masked ]
  Latest version available: 0.560.0
  Latest version installed: [ Not Installed ]
  Size of downloaded files: 35 kB
  Homepage:http://search.cpan.org/dist/Net-Amazon-S3/
  Description: Framework for accessing the Amazon S3 Simple Storage
Service
  License: || ( Artistic GPL-1 GPL-2 GPL-3 )








Re: [gentoo-user] How to prevent a dns amplification attack

2013-03-29 Thread Paul Hartman
On Thu, Mar 28, 2013 at 7:49 PM, Peter Humphrey
 wrote:
> On Thursday 28 March 2013 20:53:49 Paul Hartman wrote:
>
>> In my case, my ISP's DNS servers are slow (several seconds to reply),
>> fail randomly when they should resolve, return an IP (which goes to
>> their ad-laden "helper" website if you are using a web browser) when
>> they should instead return nxdomain, and they have openly admitted to
>> selling customer DNS lookup history to marketers for targeted
>> advertising.
>
>
>
> That is just evil. Have you no alternative to this ISP?

Not really.

I have a 100 megabit connection through the cable company; my only
wired alternative is DSL (1.5 mbit for almost half the price I'm
paying for 100mbit). Cellular or satellite are not viable options for
me because of comparatively poor value, latency and minuscule data
usage caps.

In the USA, the local governments (cities and towns, etc.) are in
control of regulating which utilities can use public land, and are
entitled to compensation from those who use it. Cable companies
negotiate rental of that space called a "franchise fee" so they can
bury cables, etc.

The franchise fee used to be a government-protected monopoly. In the
1980's, when cable television started booming, regional pockets of
cable providers were built up thanks to these local monopolies
allowing them to move into towns with no competition. For the sake of
efficiency, cable companies would build out in adjacent towns and kept
spreading and growing outward until at some point nearly everyone in
the country had cable TV services available to them, with the
exception of those living in rural areas which were not dense enough
to justify the cost of laying cables, even when presented with a
monopoly.

It is no longer legal for local governments to award monopolies, but
the damage has been done. What we have is essentially the cable TV
infrastructure that was laid out during the decade when local cable
monopolies were legal, and the cost of entry for a new player into the
market now is so high that nobody ever bothers. End result for
consumers is a lack of choice. There are some places where competition
exists, but those places are pretty rare, in my experience.

There are some other possible alternatives to cable internet and DSL,
such as municipal wifi, mesh networks, powerline and FTTx, but none
are available where I live.

The service I receive from the cable company here is actually
excellent, with the exception of the aforementioned DNS woes.

Pretty much every major ISP in the US does DNS-hijacking and other
shenanigans, so there's no avoiding the evilness. I believe the board
members of major cable and telecom companies would sell their own
mothers into slavery if it meant a rise in share prices or a larger
bonus at the end of the year...



[gentoo-user] OT:Courseware and client db software

2013-03-29 Thread Samuraiii samuraiii
Hello,

I'm searching for courseware/client db/support software for online use
which I need to meet these criteria:
1) possibility to lead courses for no more than 12 clients (with
uploading of files - possibility to play audio and video files is
welcome but not necessary) - I know  moodle is reasonable for this
2) possibility to communicate with each client individually
3) writing notes about each client
4) security model of almighty admin and not so powerful course
leaders who can access clients and courses only of their own
5) creating of forms for clients

Right now these tasks are done through e-mail which is clumsy and not
so scalable.

I have done some research but I wasn't successful so I kindly ask here.

Have a nice day
S



Re: [gentoo-user] 4G Stick Huawei E3276

2013-03-29 Thread Stefan G. Weichinger
Am 29.03.2013 22:03, schrieb Stefan G. Weichinger:
> I don't know about NM's preferences ... I just assume this could be
> the problem.
> 
> Gotta dig up some udev-ruling for this, any quick pointers anyone?

even "easier":

You can change the device name using ifrename from package wireless_tools.

Now I have device wwan0 but still NM does not care about it.

I really don't want to rant ... but ... you know.

Stefan




Re: [gentoo-user] Using Amazon Web Services with gentoo

2013-03-29 Thread Stefan G. Weichinger
Am 24.03.2013 21:12, schrieb Stefan G. Weichinger:
> 
> Does anyone of you use the Amazon EC2 service with gentoo-based instances?

The loud and wild echo says: no  ?

Interesting!

;-)




Re: [gentoo-user] 4G Stick Huawei E3276

2013-03-29 Thread Stefan G. Weichinger
Am 29.03.2013 20:14, schrieb Mick:
> On Friday 29 Mar 2013 19:01:15 Stefan G. Weichinger wrote:
> 
>> I get no wwan0 but this:
>> 
>> # ifconfig wwp0s26u1u2i1
>> wwp0s26u1u2i1: flags=4098  mtu 1500
>> ether 0c:5b:8f:27:9a:64  txqueuelen 1000  (Ethernet)
>> RX packets 0  bytes 0 (0.0 B)
>> RX errors 0  dropped 0  overruns 0  frame 0
>> TX packets 0  bytes 0 (0.0 B)
>> TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
> 
> If when you run ifconfig with no options you do not get wwan0
> listed and NM likes the conventional device naming scheme, then I
> suggest you create a udev rule to achieve this and see if NM is
> happy thereafter.

I don't know about NM's preferences ... I just assume this could be
the problem.

Gotta dig up some udev-ruling for this, any quick pointers anyone?

S




Re: [gentoo-user] iptables (not) started?

2013-03-29 Thread Neil Bothwick
On Fri, 29 Mar 2013 19:44:14 +, Mick wrote:

> Why do wikis and the like suggest that iptables should be in default
> rather than boot runlevel?

Why not? There's no need to start it especially early, as long as it is
running before the network comes up, and the init script takes care of
that.


-- 
Neil Bothwick

Vuja De: the feeling that you've never been here before.




Re: [gentoo-user] Change in iptables syntax fails to load rule

2013-03-29 Thread Pandu Poluan
On Mar 30, 2013 2:54 AM, "Mick"  wrote:
>
> Hi All,
>
> A few months ago I got some errors about the match option in some iptables
> rules that I was running at the time.  I modified these to remove match and
> add conntrack and all went well.
>
>
> Now I am trying to run this:
>
> /sbin/iptables -t nat -A OUTPUT -v -p tcp --dport 1935 -j REDIRECT
>
> but it fails to load and it does not give me any particularly informative
> message:
>
> # /sbin/iptables -t nat -A OUTPUT -v -p tcp --dport 1935 -j REDIRECT
> REDIRECT  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   tcp dpt:1935
>
> # /sbin/iptables -L -v -n | grep 1935
> #
>
> Any idea how I should rewrite this rule?  I was using it to redirect the
> output to rtmpsrv to capture the address of a rtmpe stream, but now it does
> not work.
> --
> Regards,
> Mick

IIRC, iptables -L by default only dumps the "filter" table.

Just use iptables-save and pipe the result through less (more info there;
you can ensure that the rule gets inserted to the proper table and chain).

Rgds,
--
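
An added example (not part of the original message or of iptables itself) of the point made above: a rule appended with `-t nat` lives in the nat table, so a listing of the filter table cannot show it, while the iptables-save format carries every table. The function names and the sample dump are constructed for illustration; the search also covers multiport lists and port ranges, which goes slightly beyond the single-port rule in the thread.

```shell
#!/bin/sh
# Constructed sample in iptables-save format (not taken from the thread).
sample_dump() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A OUTPUT -p tcp -m tcp --dport 1935 -j REDIRECT
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22,8000:8100 -j ACCEPT
COMMIT
EOF
}

# rules_for_port PORT [TABLE]
# Reads iptables-save output on stdin and prints "table<TAB>rule" for every
# rule whose destination port specification covers PORT. With TABLE given,
# only that table is searched (TABLE=filter mimics a plain "iptables -L").
rules_for_port() {
    awk -v port="$1" -v want="${2:-}" '
        # True if spec (a port, a list "a,b" or a range "lo:hi") covers p.
        function covers(spec, p,    n, parts, i, r) {
            n = split(spec, parts, ",")
            for (i = 1; i <= n; i++) {
                if (split(parts[i], r, ":") == 2) {
                    if (p + 0 >= r[1] + 0 && p + 0 <= r[2] + 0) return 1
                } else if (parts[i] + 0 == p + 0) return 1
            }
            return 0
        }
        # A line such as "*nat" opens the section for that table.
        /^\*/  { table = substr($0, 2); next }
        /^-A / {
            if (want != "" && table != want) next
            for (i = 1; i < NF; i++)
                if (($i == "--dport" || $i == "--dports") && covers($(i + 1), port)) {
                    printf "%s\t%s\n", table, $0
                    next
                }
        }
    '
}

# The rule is present, but only in the nat table.
sample_dump | rules_for_port 1935
# Restricting the search to the filter table finds nothing.
sample_dump | rules_for_port 1935 filter
```

On a live system the same check is `iptables-save | rules_for_port 1935`, or the nat table can be listed directly with `iptables -t nat -L OUTPUT -v -n`.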


Re: [gentoo-user] ext4 inline data

2013-03-29 Thread Paul Hartman
On Fri, Mar 29, 2013 at 2:20 PM, Pandu Poluan  wrote:
> My question would be: Will it introduce a significant advantage to my
> situation, so much so that I'm willing to live with the obvious drawbacks?

Here are some benchmarks:

http://permalink.gmane.org/gmane.comp.file-systems.ext4/34290



Re: [gentoo-user] cyrus-sasl necessary with localhost webmail?

2013-03-29 Thread Grant
>>> I recently switched from Thunderbird to Roundcube (highly
>>> recommended), switched to the non-SSL courier daemon, and plugged the
>>> firewall hole since courier resides on the same system as my web
>>> server.  Do I still need cyrus-sasl or will a webmail client
>>> authenticate directly with courier?
>>
>> Can anyone tell me if it's necessary to run cyrus-sasl between courier
>> and a webmail client if they're on the same machine?
>
> I have a very old installation of net-mail/courier-imap
>
> I don't believe I have ever run cyrus-sasl on it. I have accessed this system 
> via Squirrelmail, IMAP and (I think) IMAP-over-SSL.

Thanks Stroller.  Do you run postfix or another MTA on that system?
I'm wondering if I might need cyrus-sasl for postfix instead of
courier.

- Grant



[gentoo-user] Change in iptables syntax fails to load rule

2013-03-29 Thread Mick
Hi All,

A few months ago I got some errors about the match option in some iptables 
rules that I was running at the time.  I modified these to remove match and 
add conntrack and all went well.


Now I am trying to run this:

/sbin/iptables -t nat -A OUTPUT -v -p tcp --dport 1935 -j REDIRECT

but it fails to load and it does not give me any particularly informative 
message:

# /sbin/iptables -t nat -A OUTPUT -v -p tcp --dport 1935 -j REDIRECT
REDIRECT  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   tcp dpt:1935

# /sbin/iptables -L -v -n | grep 1935
#

Any idea how I should rewrite this rule?  I was using it to redirect the 
output to rtmpsrv to capture the address of a rtmpe stream, but now it does 
not work.
-- 
Regards,
Mick




Re: [gentoo-user] iptables (not) started?

2013-03-29 Thread Mick
On Friday 29 Mar 2013 19:34:39 Mick wrote:
> On Friday 29 Mar 2013 19:03:57 Jarry wrote:
> > On 29-Mar-13 19:43, Mick wrote:
> > > On Friday 29 Mar 2013 18:25:11 Jarry wrote:
> > >> Hi Gentoo-users,
> > >> 
> > >> I noticed one thing on my server: during boot-up no message
> > >> about firewall being started is printed on console. I always
> > >> have to check manually if iptables-rules have been loaded.
> > >> Strange thing, when doing shutdown, I see messages I expect:
> > >> 
> > >> * Saving iptables state ...  [ ok ]
> > >> * Stopping firewall ...  [ ok ]
> > >> 
> > >> I checked also /etc/init.d/iptables and I think it should
> > >> show some messages at start:
> > >> 
> > >> start() {
> > >> checkconfig || return 1
> > >> ebegin "Loading ${iptables_name} state and starting firewall"
> > >> ${iptables_bin}-restore ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
> > >> eend $?
> > >> }
> > >> 
> > >> Can someone explain to me why this message is not printed?
> > > 
> > > Do you have some other script starting your iptables, rather than the
> > > vanilla /etc/init.d/iptables?
> > 
> > No.
> > 
> > > Does '/etc/init.d/iptables status' show that it is running?
> > 
> > * status: started
> > 
> > I recorded screen with my video-camera to be sure I did not miss
> > some message. But I found no trace about iptables being started...
> 
> I have not set rc_logger in /etc/conf.d/iptables to know if it would make a
> difference and can confirm that I can clearly see it on my boxen at boot
> time:
> 
>   * Loading iptables state and starting firewall ...  [ ok ]
> 
> 
> Another thing to check is that it is in the default level:
> 
> $ eselect rc list | grep iptables
>   iptables  default
> 
> I'm not sure if it would show up, or the message be suppressed if you add
> it to the boot level.

Just tested this - it does not suppress it in my machine if I set it to boot 
level.  Which makes me think ...

Why do wikis and the like suggest that iptables should be in default rather 
than boot runlevel?
-- 
Regards,
Mick




Re: [gentoo-user] iptables (not) started?

2013-03-29 Thread Mick
On Friday 29 Mar 2013 19:03:57 Jarry wrote:
> On 29-Mar-13 19:43, Mick wrote:
> > On Friday 29 Mar 2013 18:25:11 Jarry wrote:
> >> Hi Gentoo-users,
> >> 
> >> I noticed one thing on my server: during boot-up no message
> >> about firewall being started is printed on console. I always
> >> have to check manually if iptables-rules have been loaded.
> >> Strange thing, when doing shutdown, I see messages I expect:
> >> 
> >> * Saving iptables state ...  [ ok ]
> >> * Stopping firewall ...  [ ok ]
> >> 
> >> I checked also /etc/init.d/iptables and I think it should
> >> show some messages at start:
> >> 
> >> start() {
> >> checkconfig || return 1
> >> ebegin "Loading ${iptables_name} state and starting firewall"
> >> ${iptables_bin}-restore ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
> >> eend $?
> >> }
> >> 
> >> Can someone explain to me why this message is not printed?
> > 
> > Do you have some other script starting your iptables, rather than the
> > vanilla /etc/init.d/iptables?
> 
> No.
> 
> > Does '/etc/init.d/iptables status' show that it is running?
> 
> * status: started
> 
> I recorded screen with my video-camera to be sure I did not miss
> some message. But I found no trace about iptables being started...

I have not set rc_logger in /etc/conf.d/iptables to know if it would make a 
difference and can confirm that I can clearly see it on my boxen at boot time:

  * Loading iptables state and starting firewall ...[ ok ]


Another thing to check is that it is in the default level:

$ eselect rc list | grep iptables
  iptables  default

I'm not sure if it would show up, or the message be suppressed if you add it 
to the boot level.

-- 
Regards,
Mick




Re: [gentoo-user] ext4 inline data

2013-03-29 Thread Pandu Poluan
On Mar 29, 2013 8:49 PM, "Florian Philipp"  wrote:
>
> Hi list!
>
> I noticed that beginning with kernel 3.8, ext4 can store small files
> entirely inside the inode. But I couldn't find much additional information:
> - Is the improvement automatically enabled?
>
> - Is the change backwards compatible? Can I still read such files with
> kernel 3.7?
>
> - Can current stable e2fsprogs (especially e2fsck) handle this?
>
> Thanks in advance!
> Florian Philipp
>

My question would be: Will it introduce a significant advantage to my
situation, so much so that I'm willing to live with the obvious drawbacks?

Rgds,
--


Re: [gentoo-user] iptables (not) started?

2013-03-29 Thread Pandu Poluan
On Mar 30, 2013 1:27 AM, "Jarry"  wrote:
>
> Hi Gentoo-users,
>
> I noticed one thing on my server: during boot-up no message
> about firewall being started is printed on console. I always
> have to check manually if iptables-rules have been loaded.
> Strange thing, when doing shutdown, I see messages I expect:
>
> * Saving iptables state ...  [ ok ]
> * Stopping firewall ...  [ ok ]

Slightly tangential to the subject, but related...

I personally prefer *not* to automatically save iptables rules on shutdown.

That way, if I made some stupid mistake, a reboot restores the system to
the "LKGC" (Last Known Good Configuration)...

Rgds,
--


Re: [gentoo-user] 4G Stick Huawei E3276

2013-03-29 Thread Mick
On Friday 29 Mar 2013 19:01:15 Stefan G. Weichinger wrote:

> I get no wwan0 but this:
> 
> # ifconfig wwp0s26u1u2i1
> wwp0s26u1u2i1: flags=4098  mtu 1500
> ether 0c:5b:8f:27:9a:64  txqueuelen 1000  (Ethernet)
> RX packets 0  bytes 0 (0.0 B)
> RX errors 0  dropped 0  overruns 0  frame 0
> TX packets 0  bytes 0 (0.0 B)
> TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

If when you run ifconfig with no options you do not get wwan0 listed and NM 
likes the conventional device naming scheme, then I suggest you create a udev 
rule to achieve this and see if NM is happy thereafter.

-- 
Regards,
Mick




Re: [gentoo-user] ext4 inline data

2013-03-29 Thread Paul Hartman
On Fri, Mar 29, 2013 at 8:48 AM, Florian Philipp  wrote:
> Hi list!
>
> I noticed that beginning with kernel 3.8, ext4 can store small files
> entirely inside the inode. But I couldn't find much additional information:
>
> - Is the improvement automatically enabled?

I don't believe so. I think you need to explicitly enable the feature
inline_data when you mkfs.

> - Is the change backwards compatible? Can I still read such files with
> kernel 3.7?

It is defined as INCOMPAT_INLINE_DATA so an older kernel should refuse
to mount it at all if it does not know how to handle this option.

Depending on your partition layout, you may also need a boot loader
which knows how to read inline data. I think there is a patch to
enable it on grub2, not sure if it is included in mainline or not.

> - Can current stable e2fsprogs (especially e2fsck) handle this?

I grepped sources of e2fsprogs 1.42.7 and it contains references to
inline data, but manpages don't. mkfs looks like it might not support
the inline_data option yet? So I'm not sure if things are quite ready
for "prime time"... If you try, please let us know how it goes. :)



Re: [gentoo-user] iptables (not) started?

2013-03-29 Thread Jarry

On 29-Mar-13 19:43, Mick wrote:
> On Friday 29 Mar 2013 18:25:11 Jarry wrote:
>> Hi Gentoo-users,
>>
>> I noticed one thing on my server: during boot-up no message
>> about firewall being started is printed on console. I always
>> have to check manually if iptables-rules have been loaded.
>> Strange thing, when doing shutdown, I see messages I expect:
>>
>> * Saving iptables state ...  [ ok ]
>> * Stopping firewall ...  [ ok ]
>>
>> I checked also /etc/init.d/iptables and I think it should
>> show some messages at start:
>>
>> start() {
>> checkconfig || return 1
>> ebegin "Loading ${iptables_name} state and starting firewall"
>> ${iptables_bin}-restore ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
>> eend $?
>> }
>>
>> Can someone explain to me why this message is not printed?
>
> Do you have some other script starting your iptables, rather than the vanilla
> /etc/init.d/iptables?

No.

> Does '/etc/init.d/iptables status' show that it is running?


* status: started

I recorded screen with my video-camera to be sure I did not miss
some message. But I found no trace about iptables being started...

Jarry
--
___
This mailbox accepts e-mails only from selected mailing-lists!
Everything else is considered to be spam and therefore deleted.



Re: [gentoo-user] 4G Stick Huawei E3276

2013-03-29 Thread Stefan G. Weichinger
Am 29.03.2013 19:51, schrieb Mick:

> ifconfig should show a new device has been activated.
> 
> Yes?

see below ...

>> When I rmmod them all and plug in again, I get "option" loaded
>> again. Should I remove this one from my .config?
>> 
>> Even when I rmmod option, modprobe qmi_wwan and then plugin
>> "option" gets loaded (and no "mobile broadband" in NM).
> 
> I would get NM troubleshooted after the device is recognised by the
> kernel and the relevant modules are loaded.
> 
> 
>> Could it be related to our friend systemd which renames "wwan0"
>> to "wwp0s26u1u1i1" according to dmesg?
> 
> I thought that this is a udev issue, rather than systemd.


Sure, udev.

> I don't know
> anything about systemd (not tried it yet) and on a stable Gentoo
> install you should be able to see the wwan0 device in ifconfig.

I get no wwan0 but this:

# ifconfig wwp0s26u1u2i1
wwp0s26u1u2i1: flags=4098  mtu 1500
ether 0c:5b:8f:27:9a:64  txqueuelen 1000  (Ethernet)
RX packets 0  bytes 0 (0.0 B)
RX errors 0  dropped 0  overruns 0  frame 0
TX packets 0  bytes 0 (0.0 B)
TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Just read the posting by Diego Petteno on this issue:

http://blog.flameeyes.eu/2013/03/predictably-non-persistent-names

> PS. I should also say that I don't use NM on my machines ... so
> someone else should hopefully be able to help with NM issues.  I
> use symlinks in /etc/init.d/ for my NICs.

NM sometimes is very comfortable on notebooks etc. ... so why not ...

I don't know if NM *should* detect that fuzzy interface-name now ...
maybe I should do some udev-rule to get wwan0 back? At least for a test.

Stefan





Re: [gentoo-user] 4G Stick Huawei E3276

2013-03-29 Thread Mick
On Friday 29 Mar 2013 15:23:41 Stefan G. Weichinger wrote:
> On 29.03.2013 16:05, Mick wrote:
> > You're missing module 'qmi_wwan'.
> > 
> > Try adding this to your kernel and replug the device (or use
> > modprobe -v qmi_wwan).
> 
> Should I rmmod the others before?
> 
> I compiled and loaded that module ... no real difference to see ...
> still no mobile broadband offered.

When you say no real difference ... dmesg should show that the module is 
loading.  /var/log/messages should show the same.

ifconfig should show a new device has been activated.

Yes?


> When I rmmod them all and plug in again, I get "option" loaded again.
> Should I remove this one from my .config?
> 
> Even when I rmmod option, modprobe qmi_wwan and then plug in "option"
> gets loaded (and no "mobile broadband" in NM).

I would get NM troubleshooted after the device is recognised by the kernel and 
the relevant modules are loaded.


> Could it be related to our friend systemd which renames "wwan0" to
> "wwp0s26u1u1i1" according to dmesg?

I thought that this is a udev issue, rather than systemd.  I don't know 
anything about systemd (not tried it yet) and on a stable Gentoo install you 
should be able to see the wwan0 device in ifconfig.

PS. I should also say that I don't use NM on my machines ... so someone else 
should hopefully be able to help with NM issues.  I use symlinks in 
/etc/init.d/ for my NICs.

-- 
Regards,
Mick




Re: [gentoo-user] iptables (not) started?

2013-03-29 Thread Mick
On Friday 29 Mar 2013 18:25:11 Jarry wrote:
> Hi Gentoo-users,
> 
> I noticed one thing on my server: during boot-up no message
> about firewall being started is printed on console. I always
> have to check manually if iptables-rules have been loaded.
> Strange thing, when doing shutdown, I see messages I expect:
> 
> * Saving iptables state ...  [ ok ]
> * Stopping firewall ...  [ ok ]
> 
> I checked also /etc/init.d/iptables and I think it should
> show some messages at start:
> 
> start() {
>     checkconfig || return 1
>     ebegin "Loading ${iptables_name} state and starting firewall"
>     ${iptables_bin}-restore ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
>     eend $?
> }
> 
> Can someone explain to me why this message is not printed?

Do you have some other script starting your iptables, rather than the vanilla 
/etc/init.d/iptables?

Does '/etc/init.d/iptables status' show that it is running?
-- 
Regards,
Mick




[gentoo-user] iptables (not) started?

2013-03-29 Thread Jarry

Hi Gentoo-users,

I noticed one thing on my server: during boot-up no message
about firewall being started is printed on console. I always
have to check manually if iptables-rules have been loaded.
Strange thing, when doing shutdown, I see messages I expect:

* Saving iptables state ...  [ ok ]
* Stopping firewall ...  [ ok ]

I checked also /etc/init.d/iptables and I think it should
show some messages at start:

start() {
    checkconfig || return 1
    ebegin "Loading ${iptables_name} state and starting firewall"
    ${iptables_bin}-restore ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
    eend $?
}

Can someone explain to me why this message is not printed?

Jarry
--
___
This mailbox accepts e-mails only from selected mailing-lists!
Everything else is considered to be spam and therefore deleted.
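
The manual check described in this post (whether the saved iptables state was actually loaded at boot) can be scripted. The following is an added example, not part of the thread and not Gentoo's init script: it compares a saved rules file with an `iptables-save -c` dump while ignoring counters and timestamps. The sample dumps are constructed, and the `--check` argument and the file path passed to it are assumptions.

```shell
#!/bin/sh
# Added example: verify that the live netfilter rules match the saved state.

# Strip what legitimately differs between two dumps of the same ruleset:
# comment lines (they carry timestamps) and [packets:bytes] counters.
normalize_ruleset() {
    sed -e '/^#/d' \
        -e 's/\[[0-9]*:[0-9]*] *//g' \
        -e 's/[[:space:]]*$//'
}

# Count the rules (-A lines) in a dump read from stdin.
rule_count() {
    normalize_ruleset | grep -c '^-A ' || true
}

# Return 0 when both dump files describe the same ruleset.
# The comparison is line-by-line, so table and rule order must agree.
rulesets_match() {
    [ "$(normalize_ruleset < "$1")" = "$(normalize_ruleset < "$2")" ]
}

# Constructed sample: a saved state file as written at shutdown.
sample_saved() {
    cat <<'EOF'
# Generated by iptables-save on Fri Mar 29 17:00:00 2013
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
[0:0] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Fri Mar 29 17:00:00 2013
EOF
}

# Constructed sample: live dump after a successful restore (counters moved on).
sample_live_loaded() {
    cat <<'EOF'
# Generated by iptables-save on Fri Mar 29 18:30:00 2013
*filter
:INPUT DROP [14:1120]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [230:41000]
[12:720] -A INPUT -i lo -j ACCEPT
[310:52800] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[2:120] -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Fri Mar 29 18:30:00 2013
EOF
}

# Constructed sample: live dump when no rules were loaded at boot.
sample_live_empty() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

# Real use (as root): sh check.sh --check <path to saved rules file>
if [ "${1:-}" = "--check" ]; then
    saved=${2:?usage: $0 --check /path/to/saved-rules}
    live=$(mktemp) || exit 2
    trap 'rm -f "$live"' EXIT
    iptables-save -c > "$live" || exit 2
    if rulesets_match "$saved" "$live"; then
        echo "firewall OK: $(rule_count < "$live") rules loaded"
    else
        echo "firewall MISMATCH: live rules differ from $saved" >&2
        exit 1
    fi
fi
```

Run with `--check` from a late boot script or cron job, a non-zero exit status flags a boot where the restore did not happen, regardless of what the console showed.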



Re: [gentoo-user] Re: Is 'MAKEOPTS="--jobs --load-average=5"' silly?

2013-03-29 Thread Michael Mol
On 03/29/2013 01:46 PM, Dale wrote:
> »Q« wrote:
>> On Fri, 29 Mar 2013 16:54:37 +
>> Stroller  wrote:
>>
>>> On 29 March 2013, at 03:36, Nilesh Govindrajan wrote:
>>>>> ...
>>>>>> I can only imagine he was pointing out that you have a single CPU
>>>>>> with four cores in it.
>>>>> You're right, of course. I should have said /cores/.
>>>> Cores or CPUs.. in this context it's *almost*, __NOT EXACTLY__ same.
>>> Which is exactly what was so twitch inducing! 
>> Whatever you do, don't read the first sentence at
>> .
>>
>>
>>
> 
> Especially this FIRST part:
> 
> "A *multi-core processor* is a single computing
>  component . . ."
> 
> So, it is a SINGLE component.  To me, CPUs means having more than one
> CPU component, such as dual CPUs or even quad CPUs which used to be
> fairly common. 
> 
> I have a single CPU computer.  It has 4 cores but a single CPU.  I hope
> to upgrade one day to an 8 core CPU.  I'll still have a single CPU
> component installed tho. 
> 
> This is getting really funny.  ROFL  You can tell when the list is
> getting slow when we start parsing each word and each word's meaning.  ;-) 

The list hasn't been slow all week. ^^





Re: [gentoo-user] Re: Is 'MAKEOPTS="--jobs --load-average=5"' silly?

2013-03-29 Thread Dale
»Q« wrote:
> On Fri, 29 Mar 2013 16:54:37 +
> Stroller  wrote:
>
>> On 29 March 2013, at 03:36, Nilesh Govindrajan wrote:
>>>> ...
>>>>> I can only imagine he was pointing out that you have a single CPU
>>>>> with four cores in it.
>>>> You're right, of course. I should have said /cores/.
>>> Cores or CPUs.. in this context it's *almost*, __NOT EXACTLY__ same.
>> Which is exactly what was so twitch inducing! 
> Whatever you do, don't read the first sentence at
> .
>
>
>

Especially this FIRST part:

"A *multi-core processor* is a single computing
 component . . ."

So, it is a SINGLE component.  To me, CPUs means having more than one
CPU component, such as dual CPUs or even quad CPUs which used to be
fairly common. 

I have a single CPU computer.  It has 4 cores but a single CPU.  I hope
to upgrade one day to an 8 core CPU.  I'll still have a single CPU
component installed tho. 

This is getting really funny.  ROFL  You can tell when the list is
getting slow when we start parsing each word and each word's meaning.  ;-) 

Dale 

:-)  :-) 

-- 
I am only responsible for what I said ... Not for what you understood or how 
you interpreted my words!



[gentoo-user] Re: Is 'MAKEOPTS="--jobs --load-average=5"' silly?

2013-03-29 Thread »Q«
On Fri, 29 Mar 2013 16:54:37 +
Stroller  wrote:

> 
> On 29 March 2013, at 03:36, Nilesh Govindrajan wrote:
> >> ...
> >>> I can only imagine he was pointing out that you have a single CPU
> >>> with four cores in it.
> >> 
> >> You're right, of course. I should have said /cores/.
> > 
> > Cores or CPUs.. in this context it's *almost*, __NOT EXACTLY__ same.
> 
> Which is exactly what was so twitch inducing! 

Whatever you do, don't read the first sentence at
.




Re: [gentoo-user] Is 'MAKEOPTS="--jobs --load-average=5"' silly?

2013-03-29 Thread Stroller

On 29 March 2013, at 03:36, Nilesh Govindrajan wrote:
>> ...
>>> I can only imagine he was pointing out that you have a single CPU with four 
>>> cores in it.
>> 
>> You're right, of course. I should have said /cores/.
> 
> Cores or CPUs.. in this context it's *almost*, __NOT EXACTLY__ same.

Which is exactly what was so twitch inducing! 

Stroller.




Re: [gentoo-user] cyrus-sasl necessary with localhost webmail?

2013-03-29 Thread Stroller

On 28 March 2013, at 21:53, Grant wrote:

>> I recently switched from Thunderbird to Roundcube (highly
>> recommended), switched to the non-SSL courier daemon, and plugged the
>> firewall hole since courier resides on the same system as my web
>> server.  Do I still need cyrus-sasl or will a webmail client
>> authenticate directly with courier?
> 
> Can anyone tell me if it's necessary to run cyrus-sasl between courier
> and a webmail client if they're on the same machine?

I have a very old installation of net-mail/courier-imap 

I don't believe I have ever run cyrus-sasl on it. I have accessed this system 
via Squirrelmail, IMAP and (I think) IMAP-over-SSL.

I find now that I have net-libs/courier-authlib installed.

Things may have changed considerably since I installed this system, a long time 
ago, but there used to be two separate packages net-mail/courier-imap and 
mail-mta/courier. I think courier-imap was just the IMAP server, split off from 
the larger mail-mta/courier, which was the full package from upstream and which 
included some other stuff.

Last time I looked at this, dovecot seemed superior to courier, and worked very 
well for me when I installed it for someone else. I was able to configure it 
with PAM, to authenticate via Samba from a windows domain controller. I 
remember the developer of dovecot as really helpful - I think I had a problem 
and he produced a patch which fixed it within 24 hours.

I have it in mind to replace courier with dovecot when I get around to 
replacing my current mail server.

Stroller.




Re: [gentoo-user] 4G Stick Huawei E3276

2013-03-29 Thread Stefan G. Weichinger
On 29.03.2013 16:05, Mick wrote:

> You're missing module 'qmi_wwan'.
> 
> Try adding this to your kernel and replug the device (or use
> modprobe -v qmi_wwan).

Should I rmmod the others before?

I compiled and loaded that module ... no real difference to see ...
still no mobile broadband offered.

When I rmmod them all and plug in again, I get "option" loaded again.
Should I remove this one from my .config?

Even when I rmmod option, modprobe qmi_wwan and then plug in "option"
gets loaded (and no "mobile broadband" in NM).

Could it be related to our friend systemd which renames "wwan0" to
"wwp0s26u1u1i1" according to dmesg?

> PS.  I don't have such a device to test here, so hope this will get
> you in the right ball park.

Thanks for your help ...





Re: [gentoo-user] 4G Stick Huawei E3276

2013-03-29 Thread Mick
On Friday 29 Mar 2013 14:10:02 Stefan G. Weichinger wrote:
> Greets!
> 
> I have a new and shiny Huawei E3276 stick here and want to test it with
> my gentoo thinkpad running Gnome.
> 
> I managed to get some /dev/ttyUSB0 .. the device is usb_modeswitch-ed
> automatically.
> 
> I also added the modules "option" and "cdc_ncm" to my kernel config and
> the dmesg looks ok:
> 
> # lsmod
> Module                  Size  Used by
> option                 26697  0
> usb_wwan                6886  1 option
> cdc_ncm                 9365  0
> usbserial              23426  2 option,usb_wwan
> usbnet                 19268  1 cdc_ncm
> crc32c_intel           13975  0
> i2c_i801                8765  0
> btusb                  11699  0

You're missing module 'qmi_wwan'.

Try adding this to your kernel and replug the device (or use modprobe -v 
qmi_wwan).

PS.  I don't have such a device to test here, so hope this will get you in the 
right ball park.
-- 
Regards,
Mick




Re: [gentoo-user] Re: abi_x86_32

2013-03-29 Thread Raffaele BELARDI
On 03/28/2013 08:11 PM, Nikos Chantziaras wrote:
> On 28/03/13 20:39, Paul Hartman wrote:
>> Like the forum post you linked says, instead of setting abi_x86_32 as
>> a USE flag, what you can do in your make.conf is set:
>>
>> ABI_X86="64 32"
>>
>> (if you want to build both 32bit and 64bit)
> 
> I think ABI_X86="32" is enough, since on AMD64 the "64" is always there 
> implicitly.
> 

That was going to be my next question!
By the way, I found this:

$ cat /usr/portage/profiles/desc/abi_x86.desc

# Copyright 2013-2013 Gentoo Foundation.
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/profiles/desc/abi_x86.desc,v 1.2
2013/02/27 23:22:19 mgorny Exp $

# This file contains descriptions of ABI_X86 USE_EXPAND flags.

# Keep it sorted. Please do not add anything without prior discussion
# on gentoo-dev.
32 - 32-bit (x86) libraries
64 - 64-bit (amd64) libraries
x32 - x32 ABI libraries

...and searching for USE_EXPAND in
http://devmanual.gentoo.org/general-concepts/use-flags/ shows that
USE="abi_x86_32" and ABI_X86="32" have the same meaning, which was my
other doubt.

thanks!


Re: [gentoo-user] 4G Stick Huawei E3276

2013-03-29 Thread Stefan G. Weichinger
forgot to add:

lsusb:

Bus 001 Device 006: ID 12d1:1506 Huawei Technologies Co., Ltd. E398
LTE/UMTS/GSM Modem/Networkcard

it shows as E398 here but is labeled as E3276




[gentoo-user] 4G Stick Huawei E3276

2013-03-29 Thread Stefan G. Weichinger

Greets!

I have a new and shiny Huawei E3276 stick here and want to test it with
my gentoo thinkpad running Gnome.

I managed to get some /dev/ttyUSB0 .. the device is usb_modeswitch-ed
automatically.

I also added the modules "option" and "cdc_ncm" to my kernel config and
the dmesg looks ok:

# lsmod
Module                  Size  Used by
option                 26697  0
usb_wwan                6886  1 option
cdc_ncm                 9365  0
usbserial              23426  2 option,usb_wwan
usbnet                 19268  1 cdc_ncm
crc32c_intel           13975  0
i2c_i801                8765  0
btusb                  11699  0

[   59.586159] usbcore: registered new interface driver usbserial
[   59.586534] usbcore: registered new interface driver usbserial_generic
[   59.586593] usbserial: USB Serial support registered for generic
[   59.588309] usbcore: registered new interface driver option
[   59.588632] usbserial: USB Serial support registered for GSM modem
(1-port)
[   59.589143] usb 1-1.1: MAC-Address: 0c:5b:8f:27:9a:64
[   59.589721] cdc_ncm 1-1.1:1.1 wwan0: register 'cdc_ncm' at
usb-:00:1a.0-1.1, Mobile Broadband Network Device, 0c:5b:8f:27:9a:64
[   59.589814] option 1-1.1:1.0: GSM modem (1-port) converter detected
[   59.590004] usb 1-1.1: GSM modem (1-port) converter now attached to
ttyUSB0
[   59.590075] usbcore: registered new interface driver cdc_ncm
[   59.595969] systemd-udevd[3717]: renamed network interface wwan0 to
wwp0s26u1u1i1
[   60.577572] scsi 8:0:0:0: CD-ROMHUAWEI   Mass Storage
 2.31 PQ: 0 ANSI: 2
[   60.577710] scsi 9:0:0:0: Direct-Access HUAWEI   TF CARD Storage
 2.31 PQ: 0 ANSI: 2
[   60.580526] sr1: scsi-1 drive
[   60.581510] sr 8:0:0:0: Attached scsi CD-ROM sr1
[   60.589986] sd 9:0:0:0: [sdb] Attached SCSI removable disk


BUT: it doesn't show up in the networkmanager-GUI. No "mobile broadband"
anything.

[I] net-misc/networkmanager
 Available versions:  0.9.4.0-r6 0.9.6.4 (~)0.9.6.4-r1
[M](~)0.9.7.995 [M](~)0.9.8.0 [M]** {avahi bluetooth
connection-sharing +consolekit dhclient +dhcpcd doc gnutls
+introspection modemmanager +nss +ppp resolvconf systemd test vala +wext
wimax KERNEL="linux"}
 Installed versions:  0.9.6.4-r1(11:30:45 26.03.2013)(bluetooth
dhcpcd introspection modemmanager nss ppp systemd wext -avahi
-connection-sharing -consolekit -dhclient -doc -gnutls -resolvconf -vala
-wimax KERNEL="linux")
 Homepage:http://www.gnome.org/projects/NetworkManager/
 Description: Universal network configuration daemon for
laptops, desktops, servers and virtualization hosts

# eix modemm
[I] net-misc/modemmanager
 Available versions:  0.6.0.0 (~)0.6.0.0-r1 [M](~)0.7.990(0/1)
**(0/1) {doc policykit +qmi qmi-newest test}
 Installed versions:  0.6.0.0-r1(11:04:49 26.03.2013)(policykit -doc
-test)
 Homepage:
http://cgit.freedesktop.org/ModemManager/ModemManager/
 Description: Modem and mobile broadband management libraries


Does anyone have a pointer for me how to get that working?

thanks!

Stefan




[gentoo-user] ext4 inline data

2013-03-29 Thread Florian Philipp
Hi list!

I noticed that beginning with kernel 3.8, ext4 can store small files
entirely inside the inode. But I couldn't find much additional information:

- Is the improvement automatically enabled?

- Is the change backwards compatible? Can I still read such files with
kernel 3.7?

- Can current stable e2fsprogs (especially e2fsck) handle this?

Thanks in advance!
Florian Philipp





Re: [gentoo-user] How to prevent a dns amplification attack

2013-03-29 Thread Michael Mol
On 03/29/2013 09:27 AM, Alan McKinnon wrote:
> On 29/03/2013 10:53, Norman Rieß wrote:
>>> That is just evil. Have you no alternative to this ISP?

  

 -- 

 Peter

  

>> Like free and open DNS servers? ;-) Like the one I am talking about and
>> was told it was unnecessary crap?
> 
> 
> When you describe the service you DO get from your ISP, then we can see
> that rolling your own is the proper alternative for you. Unless your ISP
> blocks outbound port 53...

It'd be trivial enough for someone in a saner spot to privately offer
him an allowed-clients entry in a DNS server listening on a non-standard
port.

Either way, it's still important he not allow just anybody to connect to
his resolver.

> 
> If you were in Africa, I could give you an alternative but sadly I don't
> think you are in Africa
> 






Re: [gentoo-user] How to prevent a dns amplification attack

2013-03-29 Thread Alan McKinnon
On 29/03/2013 10:53, Norman Rieß wrote:
>> That is just evil. Have you no alternative to this ISP?
>> > 
>> >  
>> > 
>> > -- 
>> > 
>> > Peter
>> > 
>> >  
>> > 
> Like free and open DNS servers? ;-) Like the one I am talking about and
> was told it was unnecessary crap?


When you describe the service you DO get from your ISP, then we can see
that rolling your own is the proper alternative for you. Unless your ISP
blocks outbound port 53...

If you were in Africa, I could give you an alternative but sadly I don't
think you are in Africa

-- 
Alan McKinnon
alan.mckin...@gmail.com




Re: [gentoo-user] How to prevent a dns amplification attack

2013-03-29 Thread Alan McKinnon
On 28/03/2013 22:53, Paul Hartman wrote:
> On Thu, Mar 28, 2013 at 3:02 PM, Alan McKinnon  
> wrote:
>>>> Or just use the ISP's DNS caches. In the vast majority of cases, the ISP
>>>> knows how to do it right and the user does not.
>>>
>>> Generally true, though I've known people to choose not to use ISP caches
>>> owing to the ISP's implementation of things like '*' records, ISPs
>>> applying safety filters against some hostnames, and concerns about the
>>> persistence of ISP request logs.
>>
>> I get a few of those too every now and again. I know for sure in my case
>> their fears are unfounded, but can't prove it. Those few (and they are
>> few) can go ahead and deploy their own cache. I can't stop them, they
>> are free to do it, they are also free to ignore my advice if they choose.
> 
> In my case, my ISP's DNS servers are slow (several seconds to reply),
> fail randomly when they should resolve, return an IP (which goes to
> their ad-laden "helper" website if you are using a web browser) when
> they should instead return nxdomain, and they have openly admitted to
> selling customer DNS lookup history to marketers for targeted
> advertising.

I'm part of Infra. If we sold you service like that, you wouldn't have
to complain, the CTO would be round at my desk in a flash  with his new
career path plan for me.

You know the plan, it's the cookie-cutter one that mentions "burgers"
and "flipping" many times

:-)


> 
> Thanks for being one of the good guys. :)
> 


-- 
Alan McKinnon
alan.mckin...@gmail.com




Re: [gentoo-user] Is 'MAKEOPTS="--jobs --load-average=5"' silly?

2013-03-29 Thread Neil Bothwick
On Fri, 29 Mar 2013 12:36:56 +, Mick wrote:

> I've got a first generation i7 and this is what I have set up in my
> make.conf:
> 
>   MAKEOPTS="-j5 -l12.8"
>   EMERGE_DEFAULT_OPTS="--quiet-build=n"

n is the default for quiet-build if --jobs is set to 1, or unspecified.
But using a higher value will give you faster updates. The MAKEOPTS
setting has no effect during the preparation and installation stages of
an ebuild, and with --jobs=1 that means your CPU spends a lot of time
idling.


-- 
Neil Bothwick

This is as bad as it can get - but don't bet on it.




Re: [gentoo-user] Is 'MAKEOPTS="--jobs --load-average=5"' silly?

2013-03-29 Thread Mick
On Thursday 28 Mar 2013 14:03:27 Peter Humphrey wrote:
> On Wednesday 27 March 2013 18:16:22 Walter Dnes wrote:
> >   OK, I'll go with...
> > 
> > MAKEOPTS="-j2 --load-average=3"
> 
> This box is an i5 with four single-threaded CPUs and I limit the average
> load to 8. Since emerge is running at niceness=3 the desktop remains
> responsive throughout. I used not to limit the load at all and KDE was
> still fine to work with. I sometimes think that with modern systems
> there's no need to impose limits of my own since the kernel can cope well
> by itself.
> 
> In fact I'm going to remove the load limit and see how I get on.

I've got a first generation i7 and this is what I have set up in my make.conf:

  MAKEOPTS="-j5 -l12.8"
  EMERGE_DEFAULT_OPTS="--quiet-build=n"

Why is -l set at 12.8 ... ?  At some distant point in the past this made sense 
to me, but I have no idea how I arrived at it.  Other than the cooling fan 
speeding up I have not noticed a problem with any ebuilds.  Very rarely I 
might have used -j1 to complete a failing ebuild, but it was so long ago I 
can't even recall it.
-- 
Regards,
Mick




Re: [gentoo-user] emul-linux-x86-libs blocking tons of X libs

2013-03-29 Thread Neil Bothwick
On Fri, 29 Mar 2013 02:17:18 +, Mateusz Kowalczyk wrote:

> >  * These packages depend on emul-linux-x86-gtklibs:
> > dev-util/android-sdk-update-manager-21 (amd64 ?
> > app-emulation/emul-linux-x86-gtklibs) sys-devel/gcc-4.5.4 (multilib ?
> > app-emulation/emul-linux-x86-gtklibs) sys-devel/gcc-4.6.3 (multilib ?
> > app-emulation/emul-linux-x86-gtklibs) sys-devel/gcc-4.7.2-r1
> > (multilib ? app-emulation/emul-linux-x86-gtklibs)  
> 
> 
> I have neither ‘amd64’ nor ‘multilib’ set which raises the question of
> how and why it got onto my system in the first place… I'm still
> somewhat wary of clobbering something that has ‘gcc’ in its depgraph…

amd64 and multilib are set by your profile, which are you using?

If you're worried about removing a dep of gcc, which is reasonable,
quickpkg it first. Then you can unmerge and still get it back without
needing gcc.

But before you do any of that, wait a few hours and sync again. That very
often fixes these strange blockers.


-- 
Neil Bothwick

Suicidal twin kills sister by mistake!




Re: [gentoo-user] How to prevent a dns amplification attack

2013-03-29 Thread Norman Rieß
On 29.03.2013 01:49, Peter Humphrey wrote:
> On Thursday 28 March 2013 20:53:49 Paul Hartman wrote:
> 
>  
> 
>> In my case, my ISP's DNS servers are slow (several seconds to reply),
> 
>> fail randomly when they should resolve, return an IP (which goes to
> 
>> their ad-laden "helper" website if you are using a web browser) when
> 
>> they should instead return nxdomain, and they have openly admitted to
> 
>> selling customer DNS lookup history to marketers for targeted
> 
>> advertising.
> 
>  
> 
> That is just evil. Have you no alternative to this ISP?
> 
>  
> 
> -- 
> 
> Peter
> 
>  
> 

Like free and open DNS servers? ;-) Like the one I am talking about and
was told it was unnecessary crap?

Norman