Re: [gentoo-user] gcc 4 and 3.4 in parallel

[Hans-Werner Hilse]

Hi,

On Mon, 27 Jun 2005 19:33:25 +0200
Philip Lawatsch <[EMAIL PROTECTED]> wrote:

> > LDPATH. Have a look at /etc/env.d/05gcc.
> 
> Hm, strange enough, this never shows up in my environment. Neither with
> gcc3 or gcc4 profiles.

Aaargh, my fault. This is used by env-update and gets - *grep, grep,
grep* - written by it to /etc/ld.so.conf.

After reading "man ld.so" I remember the LD_LIBRARY_PATH environment
variable ;-)

You've got to set it to the corresponding dir in /usr/... (that LD_PATH
setting).

-hwh
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] Cannot route dynamic dns name internally

[Hans-Werner Hilse]

Hi,

On Mon, 27 Jun 2005 13:09:44 -0400
Travis Osterman <[EMAIL PROTECTED]> wrote:

> My only concern is that while this will
> work for my web server, it appears as though I would have to put all
> my service-providing machines on different subnets and have rules for
> each of them ... am I understanding that correctly?

Hm, depends on the service. But I think fairly all could be placed in
the same "DMZ" subnet. Only DNS-dependent access between the machines
in the DMZ using the "external" DNS name wouldn't work. But clean
design of the services should not allow to let such a situation arise.

> Also, sadly, my
> webserver is doubling as a samba server right now and I'm not overly
> optimistic that windows will see it on the different subnet.

OK, i agree. Probably setting up two networks on the webserver as well
could easily solve this. I tend to now call our "DMZ" just "virtual
other subnet" as there's no clear rule between them.

so we have three networks:
- WAN (ppp0)
- LAN (eth1/192.168.1.x)
- "virtual other subnet" (eth1/192.168.3.x)

where the last share the medium.

The webserver/samba machine should listen on 192.168.3.x for webserver
requests and should serve Samba on the 192.168.1.x address. But it
would work if both services listen on both addresses as well.

> Is there a way to check and see is local traffic is (terminally)
> destined for ppp0 and set up a chain to filter by port and reroute
> that traffic to the appropriate lan computer?

Hm, local traffic destined for ppp0 would show up on nat/POSTROUTING.

> Could dnsmasq point
> my-dynamic-name.no-ip.com to the address of eth1 instead of ppp0 to
> make the routing easier (bypassing NAT)?

Yes, of course. dnsmasq could answer with the _real_ IP address of the
webserver. But if all services are to be distributed from the router to
various other machines instead of (in the LAN) their real IPs, that
wouldn't work as only one IP address can be answered by dnsmasq for one
specific domain name. That's actually the problem's core (translated
freely from German). You want to separate the traffic from the virtual
service provider identified by the domain name transparently to other
machines. So you will not only have to provide the way to the real
machines hidden behind the router but also the way back. With the
iptables approach only, the packets would even be sent back to the
requesting machines. But there they wont (probably, maybe another
network pro could be more clear on this? But I think we've lost most of
the readers down here;-) ) be recognized as correct answers, I think,
and such being dropped (because the request was made to $Router_Machine
and the answer comes back from $Real_Service).

Another possibility would be to setup proxy servers on the Router. But
that scales far worser with the number of services. OTOH, this is
needed if the service itself is not routable.

> I'm still really green at network design issues, but this is a
> fasinating problem to me.  Thanks for your input so far.

Well, it also is to me. Never thought that much on such issues before.
Actually, the approach via routing to a "virtual other subnet" came to
my mind when I finished a reply using only one additional rule in
iptables. Only then I thought about the answers from the servers.

-hwh
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] gcc 4 and 3.4 in parallel

[Hans-Werner Hilse]

Hi,

On Mon, 27 Jun 2005 19:01:01 +0200
Philip Lawatsch <[EMAIL PROTECTED]> wrote:

> Now I simply emerged gcc4 (its slotted) and then as my user I did export
> the variables a
> 
> gcc-config -E x86_64-pc-linux-gnu-4.0.1-pre20050616
> 
> printed out.
> 
> This way I successfully compiled and linked my programm with gcc4.
> 
> Now my problem is that I can't execute it.
> [...]
> So my querstion now is what else gets changed by gcc-config, and is
> there a chance to have the 3.4 gcc profile selected but still run
> programs compiled with gcc 4?

LDPATH. Have a look at /etc/env.d/05gcc.

-hwh
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] Cannot route dynamic dns name internally

[Hans-Werner Hilse]

Hi,

On Mon, 27 Jun 2005 11:20:53 -0400
Travis Osterman <[EMAIL PROTECTED]> wrote:

> I cut all port forwarding rules but port 80 and all mac filtering less
> one and commented as such to keep the length down.  Thanks again for
> any suggestions.

I'll comment below...

> *nat
> # [...]
> # snipped other DNAT
> -A PREROUTING -i ppp0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 
> 192.168.1.20
> -A PREROUTING -i ppp0 -p udp -m udp --dport 80 -j DNAT --to-destination 
> 192.168.1.20

Never heard of http-via-udp... But the problem will show up here:
The PREROUTING should apply also for packets coming from eth1 (LAN).
Otherwise they'll hit the router's own tcp stack - where there's
supposedly no http and such the connection would be resetted.


The problem atm seems to be, pointed out:

1. both external clients and internal clients can correctly resolve
http://my-dynamic-name.no-ip.com to the ppp0's IP.
2.a. external clients' requests hit the router coming from ppp0
2.b. internal clients' requests hit the router coming from eth1
3. nat/PREROUTING:
3.a. The packets from 2.a. get rewritten to dst 192.168.1.20
3.b. The other ones don't get rewritten
4. Routing is performed (filter/FORWARD, nat/POSTROUTING):
4.a. The packets from 2.a. will get routed to 192.168.1.20 and leave
  the router if allowed by nat/OUTPUT. (it is) WWW server does its job
  then.
4.b. The packets from 2.b. will hit the router's tcp stack if
  allowed by filter/INPUT (it is). They'll get RSTed if there's no
  open port 80.

Well, and we have some more problems. Your actual POSTROUTING chain
only MASQUERADEs packets leaving through ppp0. With this, and the new
rules, www packets from the LAN would get destination rewritten on the
router and being routed there. The source address will still be set to
the original source address. So the router would answer to that
address. Problem here is the client: It expects an answer from the
router's IP. So the web server's reply gets dropped at the client.

To overcome this, you can setup routing on the web server to generally
send packets via the router. I'd suggest placing it in a different
subnet, e.g. 192.168.3./24, and have the router use an address in that
range to. A little of a DMZ on the LAN wire (not suggested, but not
different from you current solution).

To-Do:

- on the webserver: configure address to 192.168.3.20
- on the router:
- configure a second address for eth1 in /etc/conf.d/net (192.168.3.1 assumed 
here)
- modify iptables settings:

You need to insert a new rule like the ones above but also for "-i
eth1". You'll further need to specify "-d EXTERNAL_IP" (well, of course
with that IP instead) to not get all connections to a www port
rewritten to that destination. I'd suggest using a new chain for this
that you can flush in a script and just place a new rule there if the
IP changes.

e.g. global skript on boot up:

iptables -t nat -A PREROUTING -i ppp0 -p tcp -m tcp --dport 80 -j DNAT 
--to-destination 192.168.3.20
iptables -t nat -N internalwww
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j internalwww

and e.g. in your dhcp-script:

iptables -t nat -F internalwww
iptables -t nat -A internalwww -d $EXTERNAL_IP -j DNAT --to-destination 
192.168.3.20



-hwh
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] Cannot route dynamic dns name internally

[Hans-Werner Hilse]

Hi,

On Sun, 26 Jun 2005 23:08:35 -0400
Travis Osterman <[EMAIL PROTECTED]> wrote:

> http://my-dynamic-name.no-ip.com from inside my network returns:
> "connection was refused when attempting to contact
> my-dynamic-name.no-ip.com."
> 
> I'm not sure whether this is an iptables issue or dns (or something
> else) which makes the problem hard to google for.  Any leads, tips, or
> ideas would be much appreciated.

1.: routing should tend to do the "short cut" here and never spit out
the packets on the WAN side. That's default, AFAIK.
2.: that means that iptables shouldn't block incoming packets (INPUT
queue) for the WAN address coming from the LAN interface.
3.: a FORWARD rule may also be needed to allow this, I'm not sure here.

You could post your iptables-save output here to allow us to give more
specific hints...

-hwh
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] ip forwarding question

[Hans-Werner Hilse]

Hi,

On Wed, 22 Jun 2005 22:50:18 +0600
"askar ..." <[EMAIL PROTECTED]> wrote:

> > Note that this should be better done in the ppp-connect script rather
> > than here. The iptables should be set up at boot time, I'd suggest. So
> > you're not imposing a (rather short) open firewall situation. In fact,
> > iptables doesn't care if interfaces are already available when setting
> > up routes.
> 
> But is it ok if I keep /bin/echo 1 > /proc/sys/net/ipv4/ip_forward in
> my iptables rule? I have never used ppp-connect script. At home I use
> rp-pppoe.

Well, I didn't meant any specific script, but in your case it would be
some script called by rp-pppoe (I'm not using any ppp(oe) thingies
myself).

> > > #echo -e "   - Allowing access to the SSH server"
> > > $IPTABLES -A INPUT --protocol tcp --dport 22 -j ACCEPT
> > >
> > > #echo -e "   - Allowing access to the HTTP server"
> > > $IPTABLES -A INPUT --protocol tcp --dport 80 -j ACCEPT
> > 
> > Not needed, as all respective packets will get rewritten to 192.168.0.2
> > and will never hit the INPUT table. That doesn't include packets from
> > internal LAN, see respective rule below.
> Do you mean about dport22 and dport80 both? Or only about dport80?

Only port 80. If those packets hit the nat PREROUTING chain, they'll
get rewritten to destination 192.168.0.2 and therefore aren't hitting
the INPUT chain.

> > > # block out all other Internet access on $EXTIF
> > > $IPTABLES -A INPUT -i $EXTIF -m state --state NEW,INVALID -j DROP
> 
> > Hm, you may switch that to a simple
> > $IPTABLES -P INPUT DROP
> $IPTABLES -P INPUT DROP stopped internet connection

You may want to allow all incoming traffic that's been already
established by inserting a rule like
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
but I'd strongly suggest to set the general INPUT policy to DROP. Well,
actually, this should be done carefully to not interrupt other IP based
communication, especially ICMP. But this should be covered by above
mentioned rule.

> > [from here use proposed parts below, I'll continue commenting]
> > 
> > > $IPTABLES -A FORWARD -i $EXTIF -m state --state NEW,INVALID -j DROP
> > 
> > ?!? This would drop all requests from ppp0, especially the ones to the
> > www port...
> You mean I can leave it as it is?

No, you should remove it. As said, it's definately interrupting all
"NEW" communication, reagrdless if it is to the www port or not. This
should be covered by  "DROP" policy for the "FORWARD" chain.

...

> My iptables rule with taking into account your comments became:
> 
> #!/bin/bash
> IPTABLES='/sbin/iptables'
> 
> # Set interface values
> EXTIF='ppp0'
> INTIF1='eth0'
> 
> # enable ip forwarding in the kernel
> /bin/echo 1 > /proc/sys/net/ipv4/ip_forward

Again, note that at this point ppp0 must be _up_. But if it wasn't, you
would have outgoing connection, either, so I guess it's issued after
connecting and everything is well.
 
> # flush rules and delete chains
> $IPTABLES -F
> $IPTABLES -X
> 
> # enable masquerading to allow LAN internet access
> $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
> 
> # forward LAN traffic from $INTIF1 to Internet interface $EXTIF
> $IPTABLES -A FORWARD -i $INTIF1 -o $EXTIF -m state --state
> NEW,ESTABLISHED -j ACCEPT

again, I think, you should add RELATED here.

> $IPTABLES -A FORWARD -i eth0 -o ppp0 -j LOG --log-prefix "Dropped outgoing: "
> $IPTABLES -A FORWARD -i ppp0 -o eth0 -j LOG --log-prefix "Dropped incoming: "

hm, both optional and the text of the log message may be wrong as the
packet may be accepted later, so better remove those...

> # block out all other Internet access on $EXTIF
> $IPTABLES -A INPUT -i $EXTIF -m state --state NEW,INVALID -j DROP
> $IPTABLES -A FORWARD -i $EXTIF -m state --state NEW,INVALID -j DROP

that last one should be removed, the first one too, but you'd need to
insert above mentioned line and the DROP policy for the INPUT chain.

> $IPTABLES -A FORWARD -i $EXTIF -p tcp --dport 80 -d 192.168.0.2 -m
> state --state NEW,ESTABLISHED,RELATED -j ACCE$

this should, of course, read "ACCEPT".

> $IPTABLES -P FORWARD DROP
> 
> $IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 80 -j DNAT
> --to 192.168.0.2
> 
> --
> Unfortunately, I'm still unable to see my web page from LAN, when I
> try to access my domain.com... :(

Try to start with removing those both "DROP" rules and then refine
until everything works with the INPUT chain set to DROP policy.

HWH
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] ip forwarding question

[Hans-Werner Hilse]

Hi,

I'm gonna comment your script below...

On Tue, 21 Jun 2005 22:13:48 +0600
"askar ..." <[EMAIL PROTECTED]> wrote:

> The iptables scripts as follows:
> -
> #!/bin/bash
> IPTABLES='/sbin/iptables'
> 
> # Set interface values
> EXTIF='ppp0'
> INTIF1='eth0'
> 
> # enable ip forwarding in the kernel
> /bin/echo 1 > /proc/sys/net/ipv4/ip_forward

Note that this should be better done in the ppp-connect script rather
than here. The iptables should be set up at boot time, I'd suggest. So
you're not imposing a (rather short) open firewall situation. In fact,
iptables doesn't care if interfaces are already available when setting
up routes.

> # flush rules and delete chains
> $IPTABLES -F
> $IPTABLES -X
> 
> # enable masquerading to allow LAN internet access
> $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

this is OK as it only alters outgoing traffic to ppp0.
 
> # forward LAN traffic from $INTIF1 to Internet interface $EXTIF
> $IPTABLES -A FORWARD -i $INTIF1 -o $EXTIF -m state --state
> NEW,ESTABLISHED -j ACCEPT

Hm, you may want to add "RELATED" to that state list...

> #echo -e "   - Allowing access to the SSH server"
> $IPTABLES -A INPUT --protocol tcp --dport 22 -j ACCEPT
> 
> #echo -e "   - Allowing access to the HTTP server"
> $IPTABLES -A INPUT --protocol tcp --dport 80 -j ACCEPT

Not needed, as all respective packets will get rewritten to 192.168.0.2
and will never hit the INPUT table. That doesn't include packets from
internal LAN, see respective rule below.

> # block out all other Internet access on $EXTIF
> $IPTABLES -A INPUT -i $EXTIF -m state --state NEW,INVALID -j DROP

Hm, you may switch that to a simple
$IPTABLES -P INPUT DROP
At least, the state matching is completely unneccessary here. SSH would
already be accepted at this point.

[from here use proposed parts below, I'll continue commenting]

> $IPTABLES -A FORWARD -i $EXTIF -m state --state NEW,INVALID -j DROP

?!? This would drop all requests from ppp0, especially the ones to the
www port...

> $IPTABLES -A FORWARD -i eth0 -o ppp0 -j LOG --log-prefix "Dropped outgoing: "
> $IPTABLES -A FORWARD -i ppp0 -o eth0 -j LOG --log-prefix "Dropped incoming: "

will (almost) never hit, because packets _are_ dropped already.

> $IPTABLES -A FORWARD -i ppp0 -d 192.168.0.2 -p tcp --dport 80 -m state
> --state NEW,RELATED,ESTABLISHED -j ACCEPT

and thus this cannot match, either.


so from above [...] marked point, the approach would be

$IPTABLES -A FORWARD -i $EXTIF -p tcp --dport 80 -d 192.168.0.2 \
  -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -P FORWARD DROP

$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 80 \
  -j DNAT --to 192.168.0.2

This will alter the destination IP and let FORWARD rules apply.

Note that any Logging entries must be inserted before the respective
ACCEPTs or DROPs.

HWH
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] ip forwarding question

[Hans-Werner Hilse]

Hi,

On Tue, 21 Jun 2005 21:22:35 +0600
"askar ..." <[EMAIL PROTECTED]> wrote:

> On 6/21/05, Kurt Guenther <[EMAIL PROTECTED]> wrote:
> > 
> > As root do:
> > 
> > echo 1 > /proc/sys/net/ipv4/ip_forward
> > /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> > 
> > where eth0 is your outward facing port to your router. I've used ppp0 with 
> > a dial up connection, and that works too.
> > 
> > --Kurt
> > 
> Thanks, but I already have this script in my iptable rules.
> My router works for PC in LAN.

The rule mentioned by Kurt is not needed. In fact, you'd loose IP
information on 192.168.0.2 which would see the packets coming from
192.168.0.1 if you issued that rule. (you told it to masquerade) Would
make web server logging rather complex ;-) and you'd need to do this
stateful to have the correct target addresses written when the replies
are sent (which would go to 192.168.0.1, initially).

Instead, only rewriting the target address is needed (if you don't have
ill firewalls in your local LAN). But that rule is actually present.

So I suggest removing the above mentioned rule. Well, it maybe breaks
all other kind of stuff, too. I don't think Kurt really meant "-o eth0"
here...

And by all means, get a tcpdump on ppp0 and eth0, the most relevant
being eth0.

HWH
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] Odd Ethereal Error

[Hans-Werner Hilse]

Hi,

On Tue, 21 Jun 2005 08:53:43 -0400
fire-eyes <[EMAIL PROTECTED]> wrote:

> I've run into a strange ethereal error. I use system A to log into
> system B, via ssh -Y, then run ethereal from there. It shows up on
> system A.
> 
> This has worked fine for a while, but now as you'll see in the
> screenshot, the buttons along the top are missing their graphics, and
> where you usually have IP's and hostnames in the black area, and lines
> connecting them, well, it's hard to describe.
> 
> http://fire-eyes.org/gal/view_photo.php?full=1&set_albumName=screenshots&id=etherape_error_01

Well, it's "forbidden" for me (not the php, but the actual image).

Anyway, guessing from your description: do you have a pseudocolor
visual on A? You may want to try changing to TrueColor. It's configured
by the "Visual" directive in the Display section of your xorg.conf. In
all other cases colors will be mapped, which can go wrong. But
PseudoColor is usually used on 8 bit color only...

Also, you may want to check the RgbPath in the Files section.

HWH
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] ip forwarding question

[Hans-Werner Hilse]

Hi,

On Tue, 21 Jun 2005 20:16:21 +0600
"askar ..." <[EMAIL PROTECTED]> wrote:

> I have to PCs.
> 1st one used as a router.

Well, I think then you've already set up forwarding, like Kurt G.
mentioned.

> On 2nd PC I have web server installed and would like to setup ip forwarding 
> to the 2nd PC.
> 
> In my iptables rule script I added the line:
> $IPTABLES -t nat -A PREROUTING -p tcp --dport 80 -i ppp0 -j DNAT --to 
> 192.168.0.2 
> 
> Where 192.168.0.2  is the ip address of the 2nd PC.
> 
> But is seems not correct.

You have to explain this. Why doesn't it seem to be correct?
A few ideas:
- the FORWARD queue must also allow new connections from the outside (-
i ppp0) to 192.168.0.2 (because PREROUTING modifies the packet before
FORWARD sees it, it's not 192.168.0.1 here)
- 192.168.0.2 must have proper routes configured to answer back via the
Router,
- the router must allow that packets are leaving the 192.168.0/24 net
to any address.
- your configuration probably won't work when you're using conntrack
for the forwarding rules at the moment. You may want to issue (see my
first point, too):
$IPTABLES -A FORWARD -i ppp0 -d 192.168.0.2 -p tcp --dport 80 -m state \
--state NEW,RELATED,ESTABLISHED -j ACCEPT

if you didn't already.

otherwise insert a few LOG rules and see what's going on. Are the
packets hitting the web server?

HWH
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] Re: Re: /etc/shadow syntax

[Hans-Gunther Borrmann]

On Monday 06 June 2005 18:54, Hans Hvelplund Odborg wrote:
> Zac Medico wrote:
> >Did you see man 5 shadow?
>
> yes
> man 5 shadow (this all there is about the password field):
> The password field must be filled. The encryped password consists of 13 to
> 24 characters from the 64 character alphabet a thru z, A thru Z, 0 thru 9,
> interpreted.
>
> > I've used freenx
> > successfully with no need to touch /etc/shadow.
>
> Me too. I just started wondering what the difference was

This information seems to be outdated. My root passwort in /etc/shadow 
consists of more then 30 characters and also contains other characters then 
those in the 64 character set mentioned.
-- 

Hans-Gunther Borrmann <[EMAIL PROTECTED]>
Rechenzentrum der Universitaet Freiburg
Hermann-Herder-Str. 10, D79104 FREIBURG
Tel.: +49 761/203-4652
Fax:  +49 761/203-4643

-- 
gentoo-user@gentoo.org mailing list

[gentoo-user] Re: Re: foomatic build(rebuild) broken

[Hans Hvelplund Odborg]

Stoian Ivanov wrote:

> Nope this is not the case:
> [EMAIL PROTECTED] ~ # grep MAKEOPTS /etc/make.conf
> MAKEOPTS="-j1"
> [EMAIL PROTECTED] ~ #

That option does not mean that you can not start emerge in parallel.
Is says that emerge should tell each instance of make to not compile in
parallel. Which is not the same.

What i meant is that you start emerge on one console and then before it is
finished start emerge on another as well.

>> I think this may happen if you're emerging in parallel (e.g. emerge
started on 
>> two consoles)
But since your college is having the same problem you propably aren't
runninng emerge twice.

-- 
gentoo-user@gentoo.org mailing list

[gentoo-user] Re: Re: /etc/shadow syntax

[Hans Hvelplund Odborg]

Zac Medico wrote:
>Did you see man 5 shadow?  
yes
man 5 shadow (this all there is about the password field):
The password field must be filled. The encryped password consists of 13 to
24 characters from the 64 character alphabet a thru z, A thru Z, 0 thru 9,
interpreted.


> I've used freenx
> successfully with no need to touch /etc/shadow.
Me too. I just started wondering what the difference was

-- 
gentoo-user@gentoo.org mailing list

[gentoo-user] Re: /etc/shadow syntax

[Hans Hvelplund Odborg]

Michael Kjorling wrote:
> The given password is encrypted, and then compared to whatever is in
> the password field in /etc/shadow (or /etc/passwd). If they match, the
> password is valid. So entering anything that cannot be valid into the
> password field means that no password will be valid.
> 
> Whether you choose to use x, !, !!, * or some other variant is up to
> you. Yes, "x" works in this case too since it is too short to be a
> salt followed by an encrypted password.
I don't mean to be rude or anything, but I've seen many answers like this on 
different mailinglist archives and everyone seems to have an opinion of their 
own regarding this. So I'd like to see documentation of some sort.

Example where ! is different from *:
http://lists.debian.org/debian-user/2005/03/msg04197.html

My original interest for this was sparked from gentoo.forums.org, where som 
people write that changing ! into * in /etc/shadow helped them solve problems 
with freenx. Which implies that * and ! does not mean the same.

This is why I'd like to find some kind of more less official documentation.
-- 
gentoo-user@gentoo.org mailing list

[gentoo-user] Re: foomatic build(rebuild) broken

[Hans Hvelplund Odborg]

I think this may happen if you're emerging in parallel (e.g. emerge started on 
two consoles)
Stoian Ivanov wrote:

> [EMAIL PROTECTED] ~ # emerge -a foomatic-db-engine
> 
> These are the packages that I would merge, in order:
> 
> Calculating dependencies ...done!
> [ebuild   R   ] net-print/foomatic-db-engine-3.0.2
> 
> Do you want me to merge these packages? [Yes/No]
 emerge (1 of 1) net-print/foomatic-db-engine-3.0.2 to /
 md5 files   ;-) foomatic-db-engine-3.0.2.ebuild
 md5 files   ;-) foomatic-db-engine-3.0.0.20031018.ebuild
 md5 files   ;-) foomatic-db-engine-3.0.1.ebuild
 md5 files   ;-) foomatic-db-engine-3.0.0.ebuild
 md5 files   ;-) files/digest-foomatic-db-engine-3.0.0
 md5 files   ;-) files/digest-foomatic-db-engine-3.0.1
 md5 files   ;-) files/digest-foomatic-db-engine-3.0.2
 md5 files   ;-) files/perl-module-3.0.1.diff
 md5 files   ;-) files/digest-foomatic-db-engine-3.0.0.20031018
 md5 files   ;-) files/perl-module.diff
 md5 src_uri ;-) foomatic-db-engine-3.0.2.tar.gz
 Unpacking source...
 Unpacking foomatic-db-engine-3.0.2.tar.gz to
 /var/tmp/portage/foomatic-db-engine-3.0.2/work Source unpacked.
>  * Applying perl-module-3.0.1.diff ...
>   
>  [ ok ]
> ./configure --prefix=/usr --host=i686-pc-linux-gnu --mandir=/usr/share/man
> --infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc
> --localstatedir=/var/lib --build=i686-pc-linux-gnu creating cache
> ./config.cache checking for gcc... gcc checking whether the C compiler
> (gcc -O3 -march=athlon-xp -fomit-frame-pointer -pipe ) works... yes
> checking whether the C compiler (gcc -O3 -march=athlon-xp
> -fomit-frame-pointer -pipe ) is a cross-compiler... no checking whether we
> are using GNU C... yes checking whether gcc accepts -g... yes checking for
> a BSD compatible install... /bin/install -c checking whether ln -s
> works... yes checking whether make sets ${MAKE}... yes
> checking for xml2-config... /usr/bin/xml2-config
> checking for dirent.h that defines DIR... yes
> checking for opendir in -ldir... no
> checking how to run the C preprocessor... gcc -E
> checking for ANSI C header files... yes
> checking for working const... yes
> checking for strdup... yes
> checking for strspn... yes
> checking for strstr... yes
> checking for xmlParseFile... no
> checking for xmlCreatePushParserCtxt... no
> checking for xmlParseChunk... no
> checking for xmlFreeParserCtxt... no
> checking for xmlFreeDoc... no
> checking for xmlDocGetRootElement... no
> checking for xmlNodeListGetString... no
> checking for file... /usr/bin/file
> checking for cat... /usr/bin/cat
> checking for gs... /usr/bin/gs
> checking for a2ps... A2PS_NOT_FOUND
> checking for wget... /usr/bin/wget
> checking for curl... /usr/bin/curl
> checking for printf... /usr/bin/printf
> checking GhostScript check... no
> GS /usr/bin/gs
> checking how to redirect GhostScript output to fd 3... ACCESS DENIED   
> open_wr:   /dev/fd/3 ./configure: line 1763: /dev/fd/3: Permission denied
> using |/usr/bin/cat >&3
> checking for perl... /usr/bin/perl
> Checking whether Perl will find libraries installed under /usr... yes
> checking for bash... /bin/bash
> checking for lpd/... no
> checking for lp-errs... no
> checking for lpd... no
> checking for printcap... /etc/printcap
> checking for lpd.conf... no
> checking for lpr-lpd... no
> checking for lpr-lprng... no
> checking for lpr-lpr... no
> checking for lpr... /usr/bin/lpr
> checking for lpq-lpd... no
> checking for lpq-lprng... no
> checking for lpq-lpr... no
> checking for lpq... /usr/bin/lpq
> checking for lprm-lpd... no
> checking for lprm-lprng... no
> checking for lprm-lpr... no
> checking for lprm... /usr/bin/lprm
> checking for lpc-lpd... no
> checking for lpc-lprng... no
> checking for lpc-lpr... no
> checking for lpc... no
> checking for checkpc... no
> checking for cups/... /etc/cups
> checking for lpadmin... /usr/sbin/lpadmin
> checking for lpstat... /usr/bin/lpstat
> checking for cups/model/... /usr/share/cups/model
> checking for cups/filter/... /usr/lib/cups/filter
> checking for cups/backend/... /usr/lib/cups/backend
> checking for cups/printers.conf... /etc/cups/printers.conf
> checking for lpr-cups... no
> checking for lpr... /usr/bin/lpr
> checking for lpq-cups... no
> checking for lpq... /usr/bin/lpq
> checking for lprm-cups... no
> checking for lprm... /usr/bin/lprm
> checking for lpc-cups... no
> checking for lpc... no
> checking for lp-cups... no
> checking for lp... /usr/bin/lp
> checking for cancel-cups... no
> checking for cancel... /usr/bin/cancel
> checking for enable-cups... no
> checking for enable... /usr/bin/enable
> checking for disable-cups... no
> checking for disable... /usr/bin/disable
> checking for accept-cups... no
> checking for accept... no
> checking for reject-cups... no
> checking for reject... no
> checking for lpmove... no

[gentoo-user] /etc/shadow syntax

[Hans Hvelplund Odborg]

I can't seem to find any official documentation on /etc/shadow syntax.
Searching google I find loads of conflicting explantions of the meaning of
x,!,!!,* in the password field.

man 5 shadow only says:
The password field must be filled. The encryped password consists of 13 to
24 characters from the 64 character alphabet a thru z, A thru Z, 0 thru 9,
interpreted.

At this point i'm getting pretty frustrated search for documentation. So
what is it? And how did you find out?

-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] Software suspend

[Hans-Werner Hilse]

Hi,

On Fri, 27 May 2005 10:51:21 -0700
Pingveno <[EMAIL PROTECTED]> wrote:

> I just remerged hibernate-script and ran it (after saving everything :P 
> ). The one problem: I have to shut down X11 because the nvidia driver 
> has to be unloaded before hibernation is started. This is, of course, 
> with software suspend (vs. software suspend 2). Does SS2 contain a 
> workaround that would be worth the upgrade?

Did you try to enable just switching to console before hibernating?
There's a configuration entry in hibernate.conf (at the bottom).

I found all suspend implementations being very similar (with the
exception of ACPI standby, which works only in "light" mode - S3 - for
me). So I'd guess it won't work much better with SS2.

HWH
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] Question about ARPing

[Hans-Werner Hilse]

Hi,

On Fri, 27 May 2005 13:45:33 +0200
Martin Tedjawardhana <[EMAIL PROTECTED]> wrote:

> So why is eth0 responding to 192.168.0.1  arping 
> although it does not have that address? How can I remedy this? How can I 
> block arping?

read about the arp_filter sysctl in
KERNELSOURCE/Documentation/networking/ip-sysctl.txt

and then do

echo 1 > /proc/sys/net/ipv4/conf/eth0/arp_filter

for a short switch to check and afterwards enter the sysctl to your 
/etc/sysctl.conf


HWH

-- 
Nieders. Staats- und Universitätsbibliothek Göttingen   Projekt ProPrint
http://www.proprint-service.de|Tel.:(+49/0)551 39 - 25 23 (neu!)

-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] Software suspend

[Hans-Werner Hilse]

Hi,

On Thu, 26 May 2005 22:43:32 -0700
Pingveno <[EMAIL PROTECTED]> wrote:

> I'm trying to get software suspend to work on my computer. While 
> configuring my kernel, I added in support for software suspend aka 
> hibernate. Alas, I have no idea what command to run to suspend the computer.

# emerge hibernate-script
# nano /etc/hibernate/hibernate.conf

this script works for different suspend mechanisms.

HWH
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] [OT] Bad performance with external USB disk

[Hans-Werner Hilse]

Hi,

On Fri, 27 May 2005 01:50:26 +0100
Jan Drugowitsch <[EMAIL PROTECTED]> wrote:

> On 5/26/05, Hans-Werner Hilse <[EMAIL PROTECTED]> wrote:
> > Do you use the usb-storage driver or the usb block device drive (which
> > mentions things like "slow" and "cpu-hungry" and "unstable" in the
> > kernel config option's help page)? Could you C&P the relevant parts
> > from the kernel logs when the drivers are loaded (USB host adapter and
> > device)?
> 
> Here's the kernel log message:
> May 27 01:51:06 rpc-jd224 usb 4-4: new high speed USB device using
> ehci_hcd and address 6
> May 27 01:51:06 rpc-jd224 uba: device 6 capacity nsec 312581808 bsize 512

Yep, this is the slow, polling driver (that OTOH does work with more
devices, AFAIK). Just disabling it (it's in "block devices" kernel
config) as Richard mentioned should solve this. You definately want usb-
storage here, bringing up a SCSI compatibility layer. The disk will
then be recognized as sda instead of uba. CPU usage should drop because
the driver handles the timing issues in a different way, I think.

HTH,

HWH
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] [OT] Bad performance with external USB disk

[Hans-Werner Hilse]

Hi,

On Thu, 26 May 2005 09:35:13 +0100
Jan Drugowitsch <[EMAIL PROTECTED]> wrote:

> I've got an external USB 2.0 HD with two fat32 partitions (I have to
> use fat32 to make them work with windows). What troubles with me with
> drive is that in windows I get the expected transfer speed, but in
> linux it just won't get faster than 1Mb/s.

Do you use the usb-storage driver or the usb block device drive (which
mentions things like "slow" and "cpu-hungry" and "unstable" in the
kernel config option's help page)? Could you C&P the relevant parts
from the kernel logs when the drivers are loaded (USB host adapter and
device)?

HWH
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] Re: driver CardBus bridge Texas Instruments PCI1211 SOLVED

[Hans-Werner Hilse]

Hi,

On Sat, 21 May 2005 22:31:28 +0600
"askar ..." <[EMAIL PROTECTED]> wrote:

> Even now, pcmcia card works, there is no info in lspci.

Then it's not cardbus but 16 bit. cardctl can tell, i think. Only
cardbus is usually transparently mapped onto the PCI bus.

HWH
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] Emerge -C doesn't clean up /etc/ config files

[Hans-Gunther Borrmann]

On Thursday 28 April 2005 11:55, Ow Mun Heng wrote:
> On Thu, 2005-04-28 at 10:41 +0100, Edward Catmur wrote:
> > On Thu, 2005-04-28 at 16:25 +0800, Ow Mun Heng wrote:
> > > Is this a feature or a bug? It seems that emerge -C will not remove any
> > > altered files from /etc/ once it has been changed.
> > >
> > > This really leaves some cruft in my /etc/ Is this due to config-protect
> > > or is it something else??
> >
> > No, portage will not remove any files that have been changed (actually,
> > had their mtime altered) wherever on the filesystem they reside.
>
> Which is what I would expect. But it doesn't seem to the case for me.
>
> I installed synergy and then removed it but the conf file was still
> around.
>
> Maybe there's something I'm not doing??
>
> > This is a feature.
>

from "emerge --help config":

In addition to protecting overwritten files, Portage will not delete any files
from a protected directory when a package is unmerged.  While this may be a
little bit untidy, it does prevent potentially valuable config files from 
being deleted, which is of paramount importance.
-- 

Hans-Gunther Borrmann <[EMAIL PROTECTED]>
Rechenzentrum der Universitaet Freiburg
Hermann-Herder-Str. 10, D79104 FREIBURG
Tel.: +49 761/203-4652
Fax:  +49 761/203-4643

-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] problem with setting up home router

[Hans-Werner Hilse]

Hi,

On Thu, 21 Apr 2005 22:38:25 +0600 "askar ..." <[EMAIL PROTECTED]> wrote:

> 11) # iptables -F
> # iptables -t nat -F
> # iptables -I INPUT 1 -i eth0 -j ACCEPT
> # iptables -I INPUT 1 -i lo -j ACCEPT
> # iptables -A INPUT -p UDP --dport bootps -i ! eth0 -j REJECT
> # iptables -A INPUT -p UDP --dport domain -i ! eth0 -j REJECT
> # iptables -A INPUT -p TCP --dport ssh -i eth1 -j ACCEPT
> # iptables -A INPUT -p TCP -i ! eth0 -d 0/0 --dport 0:1023 -j DROP
> # iptables -A INPUT -p UDP -i ! eth0 -d 0/0 --dport 0:1023 -j DROP
> # iptables -I FORWARD -i eth0 -d 192.168.0.0/255.255.0.0 -j DROP
> # iptables -A FORWARD -i eth0 -s 192.168.0.0/255.255.0.0 -j ACCEPT
> # iptables -A FORWARD -i eth1 -d 192.168.0.0/255.255.0.0 -j ACCEPT

FORWARD doesn't see those as destinated to 192.168.0.0/16, i guess. I'd
rather use "state" module and write them as follows:

iptables -A FORWARD -i eth0 -m state --state NEW,ESTABLISHED,RELATED \
-j ACCEPT 

iptables -A FORWARD -i eth1 -m state --state ESTABLISHED,RELATED \
-j ACCEPT

I guess you've also set FORWARD's policy to DROP/REJECT?

> # iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
> # echo 1 > /proc/sys/net/ipv4/ip_forward
> # for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ;
> # done

You could use /proc/sys/net/ipv4/conf/all here...


HTH,

Hans-Werner

-- 
This message is made of 100% recycled bits and bytes!
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] Re: /etc/resolv.conf and return mail

[Hans-Werner Hilse]

Hi,

On Tue, 12 Apr 2005 07:14:05 -0700 (PDT) Michael Sullivan
<[EMAIL PROTECTED]> wrote:

> The error message is "Warning:  Could Not Send Message
> For Past Four Hours".  It says that it could not
> connect to the server it's trying to deliver the mail
> to and that it will keep trying for the next week.  I
> am using my own mail server.  I do not wish to use
> CableOne's smtp server because I consider them to be
> incompetent.

You'll have to use some kind of relay. Because:
- you can ping by name to the outside mail server, so network
connectivity and DNS setup is OK.
- you cannot telnet its port 25, so this is administratively prohibited.
Same thing applies for your mail server.

You wont be able to do anything against it on your own side, except for
writing harsh emails to your ISP... Only exception would be a
misconfigured firewall on your side, but i don't suspect so.

Well, and luckily they didn't block incoming SMTP, that's at least
something;-) Maybe you have some internet server at hand that you could
use to set up your own outgoing relay server? It could listen on a port
!= 25.

HWH
--
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] /etc/resolv.conf and return mail

[Hans-Werner Hilse]

Hi,

On Tue, 12 Apr 2005 06:09:31 -0700 (PDT)
Michael Sullivan <[EMAIL PROTECTED]> wrote:

> My mail
> server attempts to deliver the outgoing email, but
> returns the mail to the user who sent it with an error
> message.  The interesting thing is that I can ping the
> address of the recipient mail servers at Yahoo and
> Gmail, but I cannot telnet to their port 25.  I don't
> know if this is my problem or theirs, and if it is
> theirs I don't know how to notify them of it. 

Does not sound like a DNS issue. I suspect your ISP has activated new
filter rules denying access to outside servers' port 25. Maybe they had
a few spammers on their net... I'd bet they tell you to ask their smtp
for relaying if you ask their support. That shouldn't be too hard to
setup on your mail server. Maybe they insist in using SMTP-Auth for
additional security when a non-local mail address is used as envelope
from.

HWH
--
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] Re: intercept browser traffic

[Hans-Werner Hilse]

Hi,

On Tue, 12 Apr 2005 14:23:58 +0200
Antoine <[EMAIL PROTECTED]> wrote:

> btw, it is in https, but seeing as it is my browser I want to spy on,
> isn't that OK?

technically, it is not. You could intercept network traffic at the link
level and even simulate the remote host and its correct address but
you'd need to gain the key and cert of the remote server to make your
solution fully transparent. Usually, you don't have the key.

If it's not intended to be fully transparent, it's no problem to use
any custom certificate for that or even do https only from proxy to
remote server and use plain http to the proxy. Simple network sniffers
won't work here, the traffic would be encrypted.

Seems that "ssldump" can do the fully transparent decryption of ssl
connections. For the proxy-solution with a new certificate have a look
at the famous "dsniff" package and read about "webmitm". This will be
of interest:

http://monkey.org/~dugsong/dsniff/faq.html#How%20do%20I%20sniff%20/%20hijack%20HTTPS%20/%20SSH%20connections

HWH
--
gentoo-user@gentoo.org mailing list