Re: [gentoo-user] Looking for help with Shorewall
John Jolet wrote:
> Jerry wrote:
> > I am setting up gentoo on another computer and cannot get shorewall to start properly. I had used another version of shorewall previously but cannot get 3.0.4 to work. I have read and tried to follow the instruction in /usr/share/doc/shorewall-3.0.4/Samples/one-interface but no success. I have a dialup modem, one other computer connected via eth0. If root runs 'which ip' the response is '/sbin/ip'.
> >
> > /etc/shorewall/zones:
> >
> >     #ZONE   TYPE    OPTIONS   IN        OUT
> >     #                         OPTIONS   OPTIONS
> >     net     ipv4    -
> >     #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
> >
> > /etc/shorewall/interfaces:
> >
> >     #ZONE   INTERFACE   BROADCAST   OPTIONS
> >     net     ppp0        -
> >     #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
> >
> > /etc/shorewall/policy:
> >
> >     #SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
> >     $FW       net    ACCEPT
> >     net       all    DROP     info
> >     # The FOLLOWING POLICY MUST BE LAST
> >     all       all    REJECT   info
> >     #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
> >
> > /etc/shorewall/rules: has all rules commented out to try to make the startup as simple as possible.
> >
> > When I run shorewall start:
> >
> >     [EMAIL PROTECTED]:/etc/shorewall # shorewall start
> >     Loading /usr/share/shorewall/functions...
> >     Processing /etc/shorewall/params ...
> >     Processing /etc/shorewall/shorewall.conf...
> >     Loading Modules...
> >     Starting Shorewall...
> >     Initializing...
> >     Shorewall has detected the following iptables/netfilter capabilities:
> >        NAT: Not available
> >        Packet Mangling: Available
> >        Multi-port Match: Not available
> >        Connection Tracking Match: Not available
> >        Packet Type Match: Not available
> >        Policy Match: Not available
> >        Physdev Match: Not available
> >        IP range Match: Not available
> >        Recent Match: Not available
> >        Owner Match: Not available
> >        Ipset Match: Not available
> >        CONNMARK Target: Not available
> >        Connmark Match: Not available
> >        Raw Table: Available
> >        CLASSIFY Target: Not available
> >     Determining Zones...
> >        IPv4 Zones: net
> >        Firewall Zone: fw
> >     Validating interfaces file...
> >     Validating hosts file...
> >     Validating Policy file...
> >     Determining Hosts in Zones...
> >        net Zone: ppp0:0.0.0.0/0
> >     Processing /etc/shorewall/init ...
> >     Pre-processing Actions...
> >        Pre-processing /usr/share/shorewall/action.Drop...
> >        ..Expanding Macro /usr/share/shorewall/macro.Auth...
> >        ..End Macro
> >        ..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
> >        ..End Macro
> >        ..Expanding Macro /usr/share/shorewall/macro.SMB...
> >        ..End Macro
> >        ..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
> >        ..End Macro
> >        ..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
> >        ..End Macro
> >        Pre-processing /usr/share/shorewall/action.Reject...
> >        Pre-processing /usr/share/shorewall/action.Limit...
> >     Deleting user chains...
> >     iptables: No chain/target/match by that name
> >        ERROR: Command /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT Failed
> >     Processing /etc/shorewall/stop ...
> >     iptables: No chain/target/match by that name
> >     iptables: No chain/target/match by that name
> >     IP Forwarding Enabled
> >     Processing /etc/shorewall/stopped ...
> >     Terminated
> >     [EMAIL PROTECTED]:/etc/shorewall # shorewall status
> >     Shorewall-3.0.4 Status at backup - Thu May 18 16:30:45 UTC 2006
> >     Shorewall is stopped
> >     State:Stopped (Thu May 18 16:28:59 UTC 2006)
> >
> > Now I cannot connect to the internet through the modem nor ssh to the other computer. I was able to do both before running shorewall start.
> >
> >     [EMAIL PROTECTED]:/etc/shorewall # /etc/init.d/iptables stop
> >      * Saving iptables state ...[ ok ]
> >      * Stopping firewall ...[ ok ]
> >     [EMAIL PROTECTED]:/etc/shorewall # ssh main
> >     Password:
> >
> > Now I can ssh and connect to the internet. What am I doing wrong? Any advice appreciated.
> >
> > Jerry
>
> to get your access back, issue
>
>     shorewall clear
>
> the problem on start is that you don't have those capabilities listed activated in your kernel

I figured out which capabilities I needed in the kernel and now shorewall starts without complaining. thanks john.

jerry

-- gentoo-user@gentoo.org mailing list
Re: [gentoo-user] Looking for help with Shorewall
Ryan Tandy wrote:
> Jerry wrote:
> >     [EMAIL PROTECTED]:/etc/shorewall # shorewall start
>
> Any particular reason why you're running that instead of /etc/init.d/shorewall start?

That is what the docs suggested as the start command.

> >     Shorewall has detected the following iptables/netfilter capabilities:
> >        NAT: Not available
> >        Packet Mangling: Available
> >        Multi-port Match: Not available
> >        Connection Tracking Match: Not available
> >        Packet Type Match: Not available
> >        Policy Match: Not available
> >        Physdev Match: Not available
> >        IP range Match: Not available
> >        Recent Match: Not available
> >        Owner Match: Not available
> >        Ipset Match: Not available
> >        CONNMARK Target: Not available
> >        Connmark Match: Not available
> >        Raw Table: Available
> >        CLASSIFY Target: Not available
>
> Hmmm... looks like you're missing a few fairly necessary components. Might want to add a bit more to your iptables configuration in your kernel config, or have some fun with modprobe.

I rebuilt the kernel with more iptables modules and shorewall works fine.

> >     iptables: No chain/target/match by that name
> >        ERROR: Command /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT Failed
>
> This is caused by the line
>
>     Connection Tracking Match: Not available
>
> - you need to build in to your kernel or modprobe the conntrack module.
>
> > Now I cannot connect to the internet through the modem nor ssh to the other computer. I was able to do both before running shorewall start.
>
>     shorewall clear
>
> or
>
>     /etc/init.d/shorewall clear
>
> >     [EMAIL PROTECTED]:/etc/shorewall # /etc/init.d/iptables stop
> >      * Saving iptables state ...[ ok ]
> >      * Stopping firewall ...[ ok ]
>
> You don't need to have iptables running for shorewall to work (I know I don't).
>
>     delta ~ # /etc/init.d/shorewall status
>      * status: started
>     delta ~ # /etc/init.d/iptables status
>      * status: stopped
>
> HTH.
>
> Ryan

Thanks for the help ryan.

jerry
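The diagnosis in the replies above, as an added example that is not part of the thread: this script pulls the missing capabilities and the failing iptables command out of `shorewall start` output and checks whether the matches that command uses are registered in the running kernel. The sample output is constructed from lines quoted in the thread, and the function names are made up for this example.

```shell
#!/bin/sh
# Added example, not from the thread: triage a failed `shorewall start`.

# Print each capability that Shorewall reported as "Not available".
missing_capabilities() {
    sed -n 's/^[[:space:]]*\([^:]*\):[[:space:]]*Not available[[:space:]]*$/\1/p'
}

# Print the iptables command from an "ERROR: Command ... Failed" line.
failed_command() {
    sed -n 's/^[[:space:]]*ERROR: Command \(.*\) Failed[[:space:]]*$/\1/p'
}

# Print the name that follows each "-m" in the iptables command line $1.
matches_used() {
    set -f          # no globbing while the command is split into words
    set -- $1
    set +f
    while [ $# -gt 1 ]; do
        [ "$1" = "-m" ] && printf '%s\n' "$2"
        shift
    done
}

# Print the matches used by command $1 that the kernel has not registered.
# $2 is the list of registered matches (default /proc/net/ip_tables_matches).
# A match built as a module shows up there only once the module is loaded.
unregistered_matches() {
    list=${2:-/proc/net/ip_tables_matches}
    for m in $(matches_used "$1"); do
        grep -qxF -- "$m" "$list" 2>/dev/null || printf '%s\n' "$m"
    done
}

# Constructed sample: a shortened copy of the output quoted in the thread.
sample_output() {
cat <<'EOF'
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Not available
   Packet Mangling: Available
   Connection Tracking Match: Not available
   Raw Table: Available
iptables: No chain/target/match by that name
   ERROR: Command /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT Failed
EOF
}

cmd=$(sample_output | failed_command)
echo "Missing capabilities:"
sample_output | missing_capabilities | sed 's/^/  /'
echo "Failed command: $cmd"
echo "Matches not registered in this kernel:"
unregistered_matches "$cmd" | sed 's/^/  /'
```

On a real system, pipe the saved output of `shorewall start` into the first two functions instead of `sample_output`.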
Re: [gentoo-user] Looking for help with Shorewall
Uwe Thiem wrote:
> On 18 May 2006 17:38, Jerry wrote:
> >     Shorewall has detected the following iptables/netfilter capabilities:
> >        NAT: Not available
> >        Packet Mangling: Available
> >        Multi-port Match: Not available
> >        Connection Tracking Match: Not available
> >        Packet Type Match: Not available
> >        Policy Match: Not available
> >        Physdev Match: Not available
> >        IP range Match: Not available
> >        Recent Match: Not available
> >        Owner Match: Not available
> >        Ipset Match: Not available
> >        CONNMARK Target: Not available
> >        Connmark Match: Not available
> >        Raw Table: Available
> >        CLASSIFY Target: Not available
> >
> > What am I doing wrong? Any advice appreciated.
>
> You haven't configured your kernel for firewalling.
>
> Uwe

Reconfigured the kernel and all is fine. thanks uwe.

jerry
Re: [gentoo-user] Confused about latest gentoo-sources
Willie Wong wrote:
> Do you have gentoolkit installed? If so, run
>
>     # equery list -p gentoo-sources
>
> It'd be good to know if you are missing the ebuild or if it is masked somehow.
>
> W

Results of equery:

    backup:~ $ equery list -p gentoo-sources
    [ Searching for package 'gentoo-sources' in all categories among: ]
     * installed packages
    [I--] [  ] sys-kernel/gentoo-sources-2.4.31-r1 (2.4.31-r1)
    [I--] [M ] sys-kernel/gentoo-sources-2.6.11-r3 (2.6.11-r3)
    [I--] [M ] sys-kernel/gentoo-sources-2.6.12-r9 (2.6.12-r9)
    [I--] [M ] sys-kernel/gentoo-sources-2.6.12-r10 (2.6.12-r10)
    [I--] [M ] sys-kernel/gentoo-sources-2.6.14-r2 (2.6.14-r2)
     * Portage tree (/usr/portage)
    [-P-] [M~] sys-kernel/gentoo-sources-2.4.32-r2 (2.4.32-r2)
    [-P-] [M~] sys-kernel/gentoo-sources-2.6.14-r7 (2.6.14-r7)
    [-P-] [M~] sys-kernel/gentoo-sources-2.6.15 (2.6.15)

I do have gentoo-sources-2.6.12-r10 installed and running. I never had a 2.4 kernel installed on this system. Thanks for your help.

Jerry
Re: [gentoo-user] advice on security and keyloggers
Richard Fish wrote:
> On 12/9/05, Jerry Turba [EMAIL PROTECTED] wrote:
> > Should I be safe if I keep up on updates and the glsa?
>
> As long as your X configuration is reasonably secure, yes. But if you do something silly like run xhost +, then any remote user can connect to your X server with xev and log keystrokes.
>
> Generally though if you stick with the default configuration, keep current with security updates, and avoid running services you don't need, you have nothing to worry about.
>
> -Richard

Thanks Dale and Richard for the info.
Re: [gentoo-user] advice on security and keyloggers
Dale wrote:
> Jerry Turba wrote:
> > I've heard a lot lately about software keyloggers that can be installed on a computer while surfing the net, and how big a security problem they have become. What is the Linux/Gentoo approach to block keyloggers? I do not run any antivirus or anti spyware programs (I don't even network with Windows) only Shorewall. Are keyloggers a form of a virus and do not present a great danger to Linux? Should I be safe if I keep up on updates and the glsa? Thanks for any info.
>
> I would assume that you would have to install the keylogger on Linux, if you wanted it. Linux is not like windoze. It is a bit hard to install something and you not know it. I get emails with viruses all the time and I click on them, I have never got any infection though.
>
> Basically, if you type in emerge keylogger then it will get installed. If you do not do that, I wouldn't be worried about it. Linux, even in a basic setup is just not going to run a windoze program or install a windoze virus. I seem to recall reading somewhere that 99.99% of viruses are for windoze. The only one you have to really worry about on Linux is a rootkit, unless you have a very very old setup.
>
> If you have wine or some other windoze emulator thingy, then you may can get it then but from what I have read it is confined to the wine part and does not affect Linux itself.
>
> All that is based on what I have read. I don't have windoze here, I don't run Wine either. I wouldn't buy a computer that has windoze on it. If someone gives me one that does have windoze on it, I format the drive and install Linux.
>
> Dale :-)

My system is very similar to yours; no windows, no emulators, etc. I wasn't sure what kind of program the keyloggers were; virus or rootkit. Of course I would not intentionally install a keylogger or rootkit. I wanted to know what others thought about keyloggers since I rarely see them discussed in Linux groups. Thanks for the confirmation that I don't have to worry about them.
[gentoo-user] advice on security and keyloggers
I've heard a lot lately about software keyloggers that can be installed on a computer while surfing the net, and how big a security problem they have become. What is the Linux/Gentoo approach to block keyloggers? I do not run any antivirus or anti spyware programs (I don't even network with Windows) only Shorewall. Are keyloggers a form of a virus and do not present a great danger to Linux? Should I be safe if I keep up on updates and the glsa? Thanks for any info.
Re: [gentoo-user] Yikes, what have I done 3 1 seconds beeps on boot
Harry Putnam wrote:
> I've been tinkering around with installing a new hdd for the last 1/2 hr or so, suddenly on shutdown I hear 3 beeps come from the computer I'm working on. Attempts to reboot bring 3 1 second beeps now too.
>
> One by one, I've disconnected each drive, beginning with the one I've been tinkering with. There are currently 3 HDD and 2 cdroms in there.
>
> What led to this situation: I had disconnected both cdroms and connected the new hdd on that controller as single master. Booted up without problems. The new drive appeared in dmesg but fdisk knew nothing about it.
>
> I've been using Lilo lately and I noticed a line in lilo.conf that told the kernel some bad info since I had disconnected cdroms and installed the new drive: (On the kernel line amongst other things) `hdc=ide-scsi'
>
> That was the same device noted in dmesg as belonging to the new drive.
>
>     hdc: WDC WD3000JB-00KFA0, ATA DISK drive
>
> I removed that from lilo.conf and reran lilo then shutdown. As mach was shutting down I heard those three beeps. Now I get the beeps when I try to boot and no bootsky.
>
> It's an intel D850MV mobo and on intel pages it tells me 3 beeps mean a memory problem. Just in case, I removed and reseated the memory cards, also tried booting with first one then the other mem card (2 256 cards). No change in beeps. I even tried booting without any installed... I'm not sure if that would invoke the beeps anyway, but I did hear them.
>
> It's been my experience thru life that usually, in fact nearly always, if you have trouble with something after working on it, it's very very likely to be something you just did or had your hands on. I'm still wanting to believe this is something simple I did with the drive. However after disconnecting all drives ribbon and power source, I still hear the beeps, and don't get past that.

The websites of the bios makers will have the meaning of their beep codes. There were only 3 and now 2 bios makers I believe. I seem to remember vaguely that 3 beeps indicates ram or video card problem. Did you check that they are in their slots securely? It is easy to slightly dislodge something? This is only a shot in the dark and hope it helps.
Re: [gentoo-user] How to work with etc-updates.
Thanks everyone for your help. I will try using Mark's rules and start using dispatch-conf to be able to roll back any changes that don't seem to work.

Jerry

Mark Knecht wrote:
> On 8/30/05, Jerry Turba [EMAIL PROTECTED] wrote:
> > As I understand the process etc-update lists new configuration files provided by the program authors. I have tried to define some rules for myself to determine how to handle these new files.
> >
> > 1. If I made a change to a file I will never allow the new config file to overwrite the old file.
>
> I know one person who operated like this but I didn't agree. I think that you have to (eventually) do the update. The developers change things in these files also. If you don't change you don't get the updates, or things (possibly) don't get activated.
>
> > 2. If the new config file is a new default file I will accept the new file.
> > 3. I will never change a file that is program code, (I am not a programmer).
> >
> > Are these rules sane? What kind of problems could I run into doing this? What would be some better rules to use? I have tried dispatch-conf but I still have to make the same decisions. Am I missing something?
>
> My rules are:
>
> 1) The update was put there for a reason.
> 2) If it's a file in /etc/initd then I update it automatically.
> 3) If it's a file in /etc/conf.d then I update it very carefully.
> 4) If it's a file in /etc/, /etc/X11, or elsewhere then I update it very carefully but possibly not right now.
> 5) Anything else, I go slow. Maybe I look for messages from others on this list having problems before I do something.
>
> My experience is that rules 2 & 3 account for 80-90% of the updates.
>
> Cheers,
> Mark
[gentoo-user] How to work with etc-updates.
As I understand the process etc-update lists new configuration files provided by the program authors. I have tried to define some rules for myself to determine how to handle these new files.

1. If I made a change to a file I will never allow the new config file to overwrite the old file.
2. If the new config file is a new default file I will accept the new file.
3. I will never change a file that is program code, (I am not a programmer).

Are these rules sane? What kind of problems could I run into doing this? What would be some better rules to use? I have tried dispatch-conf but I still have to make the same decisions. Am I missing something?

Thanks for any advice.

Jerry
Re: [gentoo-user] Get rid of PAM?
Willie Wong wrote:
> On Fri, Aug 26, 2005 at 07:26:55AM -0700, Jerry Turba wrote:
> > On another gentoo newsgroup I made a comment about deleting pam because I believed it was causing a problem with logins to KDE. I was severely
>
> PAM has been known to cause pain and suffering at unexpected times.
>
> > 1. Could someone explain why pam would not be needed? Is relying on permissions, passwords, and firewall adequate? Which problems may result for using pam?
>
> PAM is pluggable authentication module. It deals with passwords and permissions. It is useful because it provides a unified framework for dealing with such things, i.e., programs can do authentications/permissions without worrying about the implementation. With PAM, you can do cool tricks like implementing biometrics for an entire system without having to resort to adding support for biometrics for every single service.
>
> With that said, if you are only running home computers with no servers open to the outside world, you should only have a minimal number of programs that use authentication: login, or perhaps an ssh daemon that only opens to the intranet. You don't necessarily need PAM.
>
> The biggest problem I've heard is PAM creating a permissions hell in /dev. But usually that's due to bad configuration between PAM and udev. If done right, PAM shouldn't cause problems.
>
> But, for me, I decided to remove PAM after the following happened:
>
> One day, I ran emerge --update world. That included a PAM update. Two nights later, a power failure in my dorm power cycled the computer. The morning the day after, I cannot login on the Console. For no good reason whatsoever, console login always tells me it failed. BUT... I can still ssh to my box and login correctly. After some digging around in the logs, it seems that some things moved around in the PAM world and one particular module was renamed (or removed?). But one of the modules that used it, the one that is called when I try to login on the console, was not updated. So every time I try to login, the module executes to the point where the missing module is, craps out, and tells me I can't login.
>
> For months after that, I was extremely careful whenever I update ANYTHING that has to do with authentication, and ALWAYS checked the PAM directories to make sure the modules are sane. Eventually I just got rid of it altogether.
>
> > 2. I already have pam installed. What is the cleanest way to remove it without having any residual hiccoughs.
>
> http://gentoo-wiki.com/HOWTO_Remove_PAM
>
> Follow it exactly. If you miss a step, you might have to whip out a liveCD the next time you reboot to get into your systems.
>
> The above link also contains a link to a thread on the forums discussing the pros and cons of PAM. Though I think in this particular thread the signal to noise ratio is rather low.
>
> W

Thanks Willie and Marco for the ideas. I got the HOWTO and will read it and try it out. I wasn't aware that there was a gentoo wiki. Looks like lots of info there that I need to read. Thanks for the help.

Jerry
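The failure described in the quoted reply, a service file that still names a module which an update renamed or removed, can be found by checking every PAM service file against the module directory after an update. An added example, not part of the thread: `/etc/pam.d` and `/lib/security` are assumed default locations, the function names are made up here, and the sample tree with its module name `pam_gone.so` is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Reports PAM service-file lines that
# name a module or an included file which does not exist on disk.
# Usage: check_pam_dir [CONF_DIR] [MODULE_DIR]
check_pam_dir() {
    conf_dir=${1:-/etc/pam.d}       # assumed default location
    mod_dir=${2:-/lib/security}     # assumed default location
    for f in "$conf_dir"/*; do
        [ -f "$f" ] || continue
        # Strip comments, and collapse a bracketed control such as
        # "[success=1 default=ignore]" into one word so that the module
        # is always the third field. Continuation lines are not handled.
        sed -e 's/#.*//' -e 's/\[[^]]*]/[...]/' "$f" |
        while read -r type control module _args; do
            [ -n "$module" ] || continue
            case $control in
                include|substack) target=$conf_dir/$module ;;
                *)  case $module in
                        /*) target=$module ;;
                        *)  target=$mod_dir/$module ;;
                    esac ;;
            esac
            [ -e "$target" ] ||
                printf '%s: %s line references missing %s\n' \
                    "${f##*/}" "$type" "$target"
        done
    done
}

# Constructed sample tree: "login" names a module that is gone and includes
# a file that is absent, "sshd" is intact (console login breaks, ssh works).
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir "$root/pam.d" "$root/security"
    : > "$root/security/pam_unix.so"
    cat > "$root/pam.d/login" <<'EOF'
# constructed sample
auth     required                    pam_unix.so
auth     [success=1 default=ignore]  pam_gone.so nullok
session  include                     system-auth
EOF
    echo 'auth required pam_unix.so' > "$root/pam.d/sshd"
    printf '%s\n' "$root"
}

sample=$(make_sample_tree)
check_pam_dir "$sample/pam.d" "$sample/security"
rm -rf "$sample"
```

Run it with no arguments, or with the module directory your distribution uses, before logging out of the session that performed the update.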
[gentoo-user] Get rid of PAM?
I have been using Linux for a couple years but am a newbie to Gentoo. I am very concerned about the security of an OS. It is one of the reasons I switched to Linux.

On another gentoo newsgroup I made a comment about deleting pam because I believed it was causing a problem with logins to KDE. I was severely reprimanded for such a careless attitude towards security. I am a home user and may have anywhere from 1-3 computers on my home network. I do not run any servers open to the net. I have read a couple comments in this newsgroup about how pam is not needed for a user such as myself and in fact can cause problems.

1. Could someone explain why pam would not be needed? Is relying on permissions, passwords, and firewall adequate? Which problems may result for using pam?
2. I already have pam installed. What is the cleanest way to remove it without having any residual hiccoughs.

Thanks for taking the time to answer some basic newbie questions. BTW I have been very impressed by the way people in this ng take the time to answer questions and treat each other with respect.

Jerry
[gentoo-user] Help with pppconfig
I used the Gentoo install CD and installed the stage 3 tarball. The reboot went fine and I can log in purely console mode. I have only a dialup internet connection but I cannot connect to the internet via the dialup on Gentoo. I did emerge 2 files (that emerge -s pppconfig suggested); pppconfig-2.3.9 and dialog-1.0-20040731.orig.tar.gz.

When I run pppconfig as root and click on Create a connection, I get the error message:

    Internal error: no such thing as *** err [lib/liblow.c(329)]: /dev/gpmctl: No such file or directory Create, at /usr/sbin/pppconfig.real line 555.

I don't understand what the error message means. I tried to use MAKEDEV to create /dev/gpmctl but it said it didn't know how to make it. I can't make much progress with the install until I get the dialup modem working.

Thanks for any help

Jerry