Re: OpenWest 2014 Electronic kit
On 3/22/2015 12:45 PM, Brian J. Rogers wrote:
Does anyone have a video or a guide with images for each step for the Electronic kit that was given away at last year's OpenWest conference?

On a similar note, does anyone have the code that was applied to the controller? And is the controller compatible with the Arduino IDE?

Thanks,
Kenneth

/* PLUG: http://plug.org, #utah on irc.freenode.net Unsubscribe: http://plug.org/mailman/options/plug Don't fear the penguin. */
Re: Money management software
Chris Wood wrote:
youneedabudget.com has an awesome tool from a usage standpoint.

Does YNAB have capabilities for direct importing from banks? The only information I could find talked about having to download the transactions first, before you could import them...

Kenneth
Re: PLUG Server Moving Tomorrow
Ryan Simpkins wrote:
The C7 Orem facility (old Tier4 datacenter in the Canyon Park Tech Center) is shutting down at the end of the month.

You too, huh? The 2 week notice did not make our day!
Re: comcast and kbyu
Merrill Oveson wrote:
I'm a Comcast analog subscriber. I get channels 2 thru 25 essentially. A month or two ago, I noticed that channel 11 went off the air. I recently called to have them fix it. I thought it was some kind of glitch. It wasn't. Channel 11, I was told, was now only broadcast digitally.

Thank you for the information. We also were curious where channel 11 went.
Re: testing, staging, deployment processes
Lonnie Olson wrote:
a branch is fairly expensive in SVN as it requires a complete copy of the code base. With a large code base and frequent (daily+) releases, these tags can make your repository become quite unwieldy. This is often why many agile developers prefer other version control systems.

SVN uses cheap copies, and they are *not* expensive:

When you copy a directory, you don't need to worry about the repository growing huge---Subversion doesn't actually duplicate any data. Instead, it creates a new directory entry that points to an /existing/ tree. If you're an experienced Unix user, you'll recognize this as the same concept behind a hard link. As further changes are made to files and directories beneath the copied directory, Subversion continues to employ this hard link concept where it can. It duplicates data only when it is necessary to disambiguate different versions of objects. This is why you'll often hear Subversion users talk about cheap copies. It doesn't matter how large the directory is---it takes a very tiny, constant amount of time and space to make a copy of it. In fact, this feature is the basis of how commits work in Subversion: each revision is a cheap copy of the previous revision, with a few items lazily changed within

[http://svnbook.red-bean.com/en/1.5/svn.branchmerge.using.html]
Re: Smurf Tube, 1-1/4 or bigger for Home Theater (New Home) - ENT
Lars Rasmussen wrote:
Any recommendations on where to locally purchase Smurf Tube? Is that what electricians actually call this?

I believe the official name is ENT:

Thin walled PVC corrugated tubing technically called Electrical Nonmetallic Tubing or ENT. [1]

I have also seen it called Flex Conduit, or Flex Tubing. The Blue Smurf Tubing name is a fun name sometimes used, but a bit of a misnomer as they come in other colors too.

[1] http://www.acehardwareoutlet.com/productdetails.aspx?sku=3032190source=GoogleBase

Kenneth
Re: Presentation help?
Stuart Jansen wrote:
Will there be cake?

The cake is a lie
Re: Presentation help?
Matthew Walker wrote:
On Mon, April 4, 2011 2:43 pm, Kenneth Burgener wrote:
Stuart Jansen wrote:
Will there be cake?

The cake is a lie

Good to know there's someone with less restraint than myself. ;)

April 21, 2011 is only two weeks away :-)
How do I scp files between SSH public key targets?
Hi,

I have set up my network with public keys, which works great, but how do I copy files between two target systems?

My desktop has my private key, and I have several target systems with a copy of my public key. I can ssh into any of the targets without issue, but if I try to scp files between two targets, it fails as the targets do not have my private key. Is there a mechanism to forward the established authentication through a connection? Is this what ssh-agent is for?

Any suggestions?

Thanks,
Kenneth
Re: How do I scp files between SSH public key targets?
Matthew Walker wrote:
On Mon, March 7, 2011 11:24 am, Ryan Byrd wrote:
you need agent forwarding: http://unixwiz.net/techtips/ssh-agent-forwarding.html#fwd

Yep, this is what you need. You need to enable the daemons to allow agent forwarding, and then you need to tell your client to do it as well. The simplest way on the client side is to put 'ForwardAgent yes' in ~/.ssh/config on all the machines in question.

Excellent! That worked perfectly. Thank you.

Kenneth
Re: Git - determine branch remote source
Thank you everyone for your responses.

Andrew McNabb wrote:
There might be a better way, but you could always do:

    git config branch.master.remote

to show the remote associated with the branch master.

Hi, this did indeed report which remote the branch was created from, but it did not report which branch on the remote it was from.

Nathan Blackham wrote:
I always look in the .git/config file in the repo. It has all config for that repo including the remote location.

This does work, I just thought there would be an official method that didn't involve messing with the underlying git file system.

Dennis Muhlestein wrote:
You could type:

    git remote -v show

This shows the remotes. What I am looking for is if I branch one of those remotes, how do I tell which remote and remote branch the local branch was created from.

I think I found the answer though. There is a command ls-remote. This appears to show the current checked out local branch's remote URL (not the remote's local name) and the remote branch.

Thanks,
Kenneth
Re: Minecraft - stargate
Matthew Walker wrote:
Updated the gallery with a shot of the current interior, showing the progress I'm making on building the 'floating' platform and basement. https://picasaweb.google.com/lh/photo/UgjNwvpHqg4C-_jyNO5TOg?feat=directlink

Is this on single player, or a public server?
Re: Minecraft
Jonathan Duncan wrote:
So, who is in charge of the plug.org Minecraft server?
Jonathan

I believe Ryan Simpkins is.
Re: Minecraft
Jonathan Duncan wrote:
So, who is in charge of the plug.org Minecraft server?
Jonathan

Here is the original invite to PLUG: (note 216.194.126.66 is plug.org)

Ryan Simpkins on 2010.09.22 wrote:
Tonight around 8:30pm-ish (mountain) goozbach and I will be playing multiplayer Minecraft. It is a closed source game, but you can run it in Linux. We will have a multiplayer server up at 216.194.126.66. All fellow pluggers/game enthusiasts are welcome to join. This will be just a fun/social type of thing, as well as experimenting with the alpha multiplayer server.

For those unaware of what it is: http://www.minecraft.net/

If you are new, you may want to look up some tutorial vids on YouTube so you aren't totally lost. Don't underestimate it by how it looks. If you like nethack, you may like this one.

Log in to minecraft (plug.org in multiplayer) to tour the most epic minecraft tux ever devised, thanks to TodPunk. He is also building a series of interactive logic gates. Boolean algebra experts wanted. http://plug.org/mc_tux.png

-Ryan
Re: Minecraft - Sauerbraten?
Steven Morrey wrote:
Ok, so this is probably going to sound stupid, but how is minecraft different from say Sauerbraten? They look to be very similar in overall concept even if the art is different.

I could be wrong, but from what I can tell Sauerbraten (http://sauerbraten.org/) is a fast first person shooter. Minecraft is not. Minecraft is more like Legos. As far as I can tell the only similarity is they can both be played on Linux, Mac and Windows.
Git - determine branch remote source
Hi,

While we are on the subject of Git... How does one determine the source remote (and branch) for a local branch?

The reason I ask is that the default action (if you don't specify a remote) for a push and pull is to use the remote attached to the current branch. It would also just be nice to know where the code came from, if you have forgotten.

    git clone git://[remote1]
    git remote add myremote git://[remote2]
    git fetch myremote
    git checkout -b mybranch myremote/master
    ?? check source of branch ??

The command 'git remote' shows the following:

    origin
    myremote

The command 'git branch -a' shows:

      master
    * mybranch
      remotes/origin/HEAD -> origin/master
      remotes/origin/master
      remotes/myremote/master

So if I just came back from a long night, and wasn't sure, what command do I use to determine which remote (and branch) mybranch is sourced from?

I did notice that .git/config does show everything I want, including the remote (and branch) that this branch was sourced from, but I am sure that is cheating, and not Git kosher.

Is there a Git command, something to the effect of 'git show branch mybranch', that would show myremote/master or even git://[remote2]/master?

Kenneth
Re: Linux Gaming? - Minecraft
Eric Olsen wrote:
Sorry if I've missed someone else suggesting this, but Minecraft.
-Eric

I second that suggestion! Both the client and server work on Linux, Mac and Windows.

Minecraft Download
http://www.minecraft.net/download.jsp

You are able to play single player free, but there is a small one time fee (*€14.95* Euro) if you wish to play multiplayer.

- Kenneth
Re: Linux Gaming? - Minecraft - plug.org
Kenneth Burgener wrote:
Both the client and server work on Linux, Mac and Windows.

Minecraft Download
http://www.minecraft.net/download.jsp

You are able to play single player free, but there is a small one time fee (*EUR14.95* Euro) if you wish to play multiplayer.

I forgot to mention that PLUG has their own Minecraft server. Connect to plug.org.

- Kenneth
Re: scripting languages
Alex Esplin wrote:
While it's true that you can write clean, easy-to-understand and maintain code in Perl, it takes more effort to do so than in Python. While it's also true that you can script anything in Python that you can in Perl, sometimes Perl's backtick (``) operator and built-in regex capabilities make it a lower-friction interface to automating system scripts.

I agree with Alex on the power of Perl. I like to think of the transition like this (depending on the size of script I need):

    Bash - Perl - Python

If the admin script is simple, I prefer to write the script in Bash. With all of the nice linux tools already written, and used daily (grep, awk, sed, cut, find), this is an easy choice. A bash script can be whipped up in a matter of minutes, and is usually just a way to batch or automate a string of command lines that I could run manually.

If the script need is a bit more complicated and needs a little more power, I prefer Perl. A lot of good Linux tools are written in Perl, so this would be good to know anyway. Perl's terse syntax, powerful regular expressions, and CPAN are hard to beat.

If the script is turning into a full-fledged program, Perl can do it, but I see more and more larger projects moving to Python. Python is a bit wordy for me, and stringing several external commands together is more complicated (very simple in bash and Perl), but Python does have good readability and vast libraries, and is becoming the popular choice.

By the way, this transition logic also works for web development. I like PHP for ease of use and quick development time. I like Perl for sys admin stuff, but I would never use it for web development (even though PHP is descended from Perl). For large enterprise applications, Java and other tools may be more appropriate.

Of course, your mileage may vary.

Kenneth
Re: Bringing in the Sheep: the FireSheep firestorm
Lonnie Olson wrote:
No way. You need to go the opposite direction. No walls, loincloths, and promiscuous data sharing. Privacy is bad. Everyone should share all data. No need for passwords, just a big un-authenticated cloud of society's data.

Signed,
The Hippy communist.

I agree. Please begin by sharing your credit card number.
Re: iptables
Date: 10/21/2010 6:35 AM
From: Stuart Jansen sjan...@buscaluz.org

Here's what I would do based on your current rules:

    *filter
    :INPUT DROP [1783:108550]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [133532:10424922]
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type echo-request -m limit --limit 5/sec -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    ...

I am always confused why the RELATED,ESTABLISHED rule is not the first entry on the list (Red Hat's defaults don't make sense to me). It would seem to me that established traffic (99.999% of traffic) should be accepted as quickly as possible. Why make EVERY packet you receive be matched against the loop back and icmp?

This is the one modification I would make:

    *filter
    :INPUT DROP [1783:108550]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [133532:10424922]
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type echo-request -m limit --limit 5/sec -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    ...

Is there a logical reason why not to have it this way?

Kenneth
Re: iptables
Date: 10/21/2010 7:45 AM
From: Wade Preston Shearer wadeshearer.li...@me.com

Wade Preston Shearer wrote:
On 21 Oct 2010, at 6:35, Stuart Jansen wrote:
As long as you're already using one stateful rule, might as well make the others stateful too. In other words replace:

    -A INPUT -p tcp -m tcp --dport X -j ACCEPT

with

    -A INPUT -p tcp -m state --state NEW -m tcp --dport X -j ACCEPT

Here's what I would do based on your current rules:

    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p tcp -m state --state -m tcp --dport 25 -j ACCEPT
    -A INPUT -p tcp -m state --state -m tcp --dport 80 -j ACCEPT

I dropped it in and tried to restart iptables but received an error:

    Applying iptables firewall rules: iptables-restore v1.3.5: Bad state `-m'
    Error occurred at line: 9

That would be because it should read -m state --state NEW. The state is missing.

Kenneth
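A small linter for the two problems in this thread, written as an added example rather than anything posted on the list: it flags a `--state` that has lost its state list (the typo behind "Bad state `-m'") and a RELATED,ESTABLISHED accept that is not the first INPUT rule (the ordering question from the earlier mail). The ruleset it checks is constructed from the lines quoted above.

```python
"""Lint an iptables-restore ruleset for the two problems raised in this thread.

Added example, not code from the thread. It flags (1) a --state with no state
list, the typo behind "Bad state `-m'", and (2) a RELATED,ESTABLISHED accept
that is not the first INPUT rule, the ordering question in the earlier mail.
"""
import shlex

VALID_STATES = {"NEW", "ESTABLISHED", "RELATED", "INVALID", "UNTRACKED"}

# Constructed sample: the reordered INPUT chain followed by the two stateful
# --dport rules from the follow-up mail, one of them missing its state.
SAMPLE_RULES = """\
*filter
:INPUT DROP [1783:108550]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [133532:10424922]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type echo-request -m limit --limit 5/sec -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m state --state -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
COMMIT
"""


def parse_rules(text):
    """Return (line_number, chain, match_tokens) for every -A line."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if line.startswith("-A "):
            tokens = shlex.split(line)
            rules.append((lineno, tokens[1], tokens[2:]))
    return rules


def state_value(tokens):
    """The argument after --state, '' if it is missing, None if no --state."""
    if "--state" not in tokens:
        return None
    i = tokens.index("--state")
    return tokens[i + 1] if i + 1 < len(tokens) else ""


def check_state_args(lineno, tokens):
    """Flag a --state whose argument is not a comma list of known states."""
    value = state_value(tokens)
    if value is None:
        return []
    states = set(value.split(",")) if value else set()
    if states and states <= VALID_STATES:
        return []
    # With the state missing, iptables sees the next token ('-m') as the state.
    return [f"line {lineno}: --state is followed by {value!r}; "
            f"expected a comma list of {sorted(VALID_STATES)}"]


def check_established_first(rules):
    """Flag a RELATED,ESTABLISHED accept that is not INPUT rule number one."""
    input_rules = [(ln, toks) for ln, chain, toks in rules if chain == "INPUT"]
    for pos, (lineno, toks) in enumerate(input_rules, start=1):
        states = set((state_value(toks) or "").split(","))
        if states == {"RELATED", "ESTABLISHED"} and "ACCEPT" in toks:
            if pos == 1:
                return []
            return [f"line {lineno}: RELATED,ESTABLISHED accept is INPUT rule "
                    f"#{pos}; move it first so established packets skip the "
                    f"{pos - 1} rules ahead of it"]
    return ["INPUT has no RELATED,ESTABLISHED accept rule"]


def lint(text):
    """Run both checks and return a list of human-readable problems."""
    rules = parse_rules(text)
    problems = []
    for lineno, _chain, toks in rules:
        problems.extend(check_state_args(lineno, toks))
    problems.extend(check_established_first(rules))
    return problems


if __name__ == "__main__":
    for problem in lint(SAMPLE_RULES) or ["no problems found"]:
        print(problem)
```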
Re: Certification
Von Fugal wrote:
There was a thread a while back that talked about certifications. I gather LPI is not a good one? RHC[TE] are good.

Why are vendor neutral certifications such as LPI and Security+ considered no good? The vendor specific certifications (e.g. RHCT, Cisco, MCSE) may fetch a higher price, but I would think also having the vendor neutral certifications help broaden your opportunities. Why lock yourself into only one vendor? I would also think that having these less costly certs is also good certification preparation for some of the ridiculously expensive certs.
Re: Apache Concurrent users
Thara wrote:
Tnx for the great info. Is mod_status already loaded as default modules in apache? or do i need to compile it?

My CentOS 5 apache package had this precompiled in. I only needed to enable it:

    LoadModule status_module modules/mod_status.so

    #
    # ExtendedStatus controls whether Apache will generate full status
    # information (ExtendedStatus On) or just basic information (ExtendedStatus
    # Off) when the server-status handler is called. The default is Off.
    #
    #ExtendedStatus On

    #
    # Allow server status reports generated by mod_status,
    # with the URL of http://servername/server-status
    # Change the .example.com to match your domain to enable.
    #
    #<Location /server-status>
    #    SetHandler server-status
    #    Order deny,allow
    #    Deny from all
    #    Allow from .example.com
    #</Location>
Re: Apache Concurrent users
Thara wrote:
Guys, how do i check my concurrent users logging on my webserver? can you give me some tips on how to tweak my apache to accommodate 500 concurrent users, I'm using centos 5.0 and apache 2.0 for webserver. tnx

Hi,

From my understanding, Apache has no concept of users or sessions. These are handled by higher level modules, such as PHP, Perl, Python, Ruby, etc. So the follow up question would be, what module are you using for user sessions?

From the Apache viewpoint, connections are what are important. This quick command will tell you how many concurrent connections you currently have (a user/host may have more than one):

    netstat -ant | grep ESTABLISHED | grep :80 | wc -l

The following Apache module provides all sorts of useful Apache statistics.
http://httpd.apache.org/docs/2.0/mod/mod_status.html

Statistics include:

* The number of worker serving requests
* The number of idle worker
* The status of each worker, the number of requests that worker has performed and the total number of bytes served by the worker (*)
* A total number of accesses and byte count served (*)
* The time the server was started/restarted and the time it has been running for
* Averages giving the number of requests per second, the number of bytes served per second and the average number of bytes per request (*)
* The current percentage CPU used by each worker and in total by Apache (*)
* The current hosts and requests being processed (*)

Kenneth
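The netstat one-liner above counts every ESTABLISHED line containing ":80", including connections the server itself opened to some other host's port 80. This added example (not code from the thread) parses constructed netstat -ant output, keeps only connections to the local port, and breaks the count down per client host, which is the "a user/host may have more than one" point made above.

```python
"""Count established web connections per client host from netstat -ant output.

Added example, not code from the thread. The netstat output below is
constructed, not captured from a real host; 192.0.2.x, 198.51.100.x and
203.0.113.x are documentation addresses.
"""
from collections import Counter

SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             192.0.2.10:51234        ESTABLISHED
tcp        0      0 10.0.0.5:80             192.0.2.10:51235        ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:40001      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:40002      TIME_WAIT
tcp        0      0 10.0.0.5:22             203.0.113.9:55555       ESTABLISHED
tcp        0      0 10.0.0.5:38080          192.0.2.10:80           ESTABLISHED
tcp6       0      0 ::1:80                  ::1:45678               ESTABLISHED
"""


def split_endpoint(endpoint):
    """Split 'host:port' into (host, port); the last colon is the separator,
    so IPv6 endpoints such as '::1:80' are handled too."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def established_by_host(text, port=80):
    """Established connections to our local `port`, keyed by remote host."""
    counts = Counter()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue  # header lines, udp, unix sockets
        local, foreign, state = fields[3], fields[4], fields[5]
        if state != "ESTABLISHED" or split_endpoint(local)[1] != str(port):
            continue  # other states, and connections *we* opened to a :80
        counts[split_endpoint(foreign)[0]] += 1
    return counts


def naive_count(text, port=80):
    """What `grep ESTABLISHED | grep :80 | wc -l` counts: any ':80' substring,
    on either side of the connection."""
    return sum(1 for line in text.splitlines()
               if "ESTABLISHED" in line and f":{port}" in line)


def total_established(text, port=80):
    """Inbound established connections to `port`, summed over all clients."""
    return sum(established_by_host(text, port).values())


if __name__ == "__main__":
    by_host = established_by_host(SAMPLE_NETSTAT)
    print(f"grep pipeline counts {naive_count(SAMPLE_NETSTAT)}, "
          f"actual inbound :80 connections {sum(by_host.values())}")
    for host, n in by_host.most_common():
        print(f"{host:>16} {n}")
```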
Re: SCO finished
On 6/11/2010 11:34 AM, Merrill Oveson wrote:
Here's the latest:
http://arstechnica.com/tech-policy/news/2010/06/scowned-no-new-trial-novell-can-shut-down-ibm-lawsuit.ars

The SCO sign on their building, in Lindon, was taken down a few weeks ago.
Re: A new line of arm-based plug computers
On 4/5/2010 1:35 PM, Michael Torrie wrote:
Over the last few months several people have talked about embedded linux systems. If you want to play with a very affordable, extremely powerful, embedded linux system, check out these: http://www.globalscaletechnologies.com/c-4-guruplugs.aspx I'm wondering if the guruplug server plus would make a nice little router.

Hi,

I ordered one of the GuruPlugs April 21st (almost a full month ago) and still have not received it. Did anyone else order one, and have you received yours yet?

Kenneth
Linux group of groups?
Hi,

Basic question, but can you have Linux based groups that are made up of groups?

I have one group that is made up of about 23 users (ie. group1=bob,joe,mark) and another group made up of about 15 users (group2=sue,aaron,joe,mike). I then want to set up another group that has all of these users, but would rather not have to manually list all 23+15 users for group3. Is there a method of specifying group1 and group2 (ie. grou...@group1,@group2)?

Kenneth
Re: Linux group of groups?
On 5/5/2010 3:04 PM, Steve Meyers wrote:
On 5/5/10 2:45 PM, Kenneth Burgener wrote:
Basic question, but can you have Linux based groups that are made up of groups?

The only way that I'm aware of to do that is through pam_ldap.

Thanks. I went the opposite direction to fulfill my need. I enabled ACLs on the file system, which allows one to assign more than one group permissions to a folder. Go ACLs!

Thanks,
Kenneth
Re: Another Group Question
On 5/5/2010 4:13 PM, Joseph Hall wrote:
But I still wonder, can I block specific users from using chgrp? This is on a RHEL 5.3 box, FWIW.

We ran into a similar problem, and ended up with a cron job that would routinely go through the data store and correct ownership and permissions. I am also interested to hear if there is a better solution.
Re: A new line of arm-based plug computers
On 4/5/2010 4:56 PM, Michael Torrie wrote:
I'm pretty sure these plugs come with a mini USB serial port console that works pretty well. Linux has a driver that sees it as a USB serial device. Also the development versions have a jtag interface, although I don't know how that works (maybe requires the jtag adapter device?). If the picture is accurate, the miniusb serial device is next to the SD slot.

I added the GuruPlug Pro (2x network interfaces) to my shopping cart, and when I went to check out it recommended I also get the GuruPlug JTAG Board (https://www.globalscaletechnologies.com/p-28-guruplug-jtag.aspx). Is this board required to flash the GuruPlug Pro, or can the GuruPlug Pro have Linux written to the storage through the USB interface?

Kenneth
Re: A new line of arm-based plug computers
On 4/5/2010 1:35 PM, Michael Torrie wrote:
Over the last few months several people have talked about embedded linux systems. If you want to play with a very affordable, extremely powerful, embedded linux system, check out these: http://www.globalscaletechnologies.com/c-4-guruplugs.aspx I'm wondering if the guruplug server plus would make a nice little router.

Nice! At 5W I think I will replace my home firewall (tower) with the GuruPlug Server Plus version (two Ethernet ports).

How would one go about installing Linux on one of these devices? I see that it does not have a VGA or serial interface. Is there software that comes with it for a USB terminal interface? Would a USB CD-ROM work with this device, or is a PXE installation going to be needed, or will the OS have to be somehow prewritten to the minisd card?

Thanks,
Kenneth
XO fiber connection lost at 90th South
Today around noon our office XO fiber connection was lost. From what I am being told, there was a break in the connection around 90th south in Salt Lake and a good portion of central Utah was lost.

Anyone else experiencing this loss of connectivity today? How far were people affected? Anyone have more information about what happened?

The fiber connection feeding the Lindon office, and a good portion of central Utah, was cut. The ISP is working through the night to refeed the fiber and restore connectivity.

Just curious,
Ken
PLUG Meeting tonight - map to Omniture
Hi,

The plug.org meeting is being held tonight at Omniture. The Meeting details link to Plug's Omniture page (http://www.plug.org/omniture) for more information. The Omniture Map link goes to a generic contact page. Could the link maybe be updated to point directly to the map page (http://www.omniture.com/en/contact/map/orem)? This might help others as well.

Thanks
Re: ISP Recommendations - Digis?
On 2/5/2010 11:48 PM, Ryan Simpkins wrote:
From my node it is even worse. So, RapidWave beats digis to plug because they are both in C7. It is a ~10ms round-trip. That, and the fact that Sterling Jacobson used to frequent the list, has me leaning that way.

Matt, my Comcast connection is about the same as yours.

From my Comcast:

    --- plug.org ping statistics ---
    338 packets transmitted, 338 received, 0% packet loss, time 341609ms
    rtt min/avg/max/mdev = 33.883/34.681/35.521/0.569 ms

From our C7 servers:

    --- plug.org ping statistics ---
    142 packets transmitted, 142 received, 0% packet loss, time 141064ms
    rtt min/avg/max/mdev = 2.543/3.355/3.993/0.529 ms

Huh. I didn't know that plug.org was hosted at C7. Neat.
Re: System comes to a halt on heavy disk I/O
On 2/1/2010 9:03 AM, Charles Curley wrote:
When I run fairly disk intensive tasks, like copying tens of gigabytes to this machine, it slows to a crawl. Disk I/O slows down by two orders of magnitude.

Linux tends to use disk cache as much as possible, so until you start performing disk operations that fill all of the available RAM for the disk cache, things will appear snappier. While you are performing your disk operations, try watching 'vmstat 2' under the 'wa' (IO wait) column to see what percentage of the CPU time is being spent waiting for IO. This number should remain as close to zero as possible. If the IO queue is so backed up that things aren't being handled promptly, then you will quickly notice IO based apps will begin to crawl. Adding more RAM usually helps with IO issues, as more of the disk can be cached to RAM.

Also check 'smartctl -a /dev/sda' and check to see if the error rate is increasing rapidly. If the disk is spending its time recovering from failures, this would decrease the throughput, and also indicates that the drive is probably going bad.
Re: Serial Port Expansion Card for Linux?
On 1/12/2010 7:16 PM, Kenneth Burgener wrote:
SIIG Four 16650 serial port I/O card with 4-port (DB9)
http://www.newegg.com/Product/Product.aspx?Item=N82E16815150141

Here is one that actually lists Linux as a supported OS, and it includes 8 ports:
http://store.era-ele.com/8port-db9pin-rs232-serial-pci-controller-card-p-126.html

I couldn't find a brand name, a website, or anything that would indicate which Kernel version their driver is for, though.
Re: Serial Port Expansion Card for Linux?
On 1/13/2010 8:43 AM, Matt Nelson wrote:
Depending on your budget you might just want to get a few of these: http://www.newegg.com/Product/Product.aspx?Item=N82E16812101118cm_re=usb_to_serial-_-12-101-118-_-Product we have used quite a few of these in our datacenter with newer servers that don't natively have serial ports and they have worked great.

I love the price, and I think we have plenty of free USB ports to spare. I see in the comments that it is recognized by Linux out of the box. Great! Thank you for the suggestion.

Kenneth
Re: Serial Port Expansion Card for Linux?
On 1/13/2010 12:29 PM, Lonnie Olson wrote:
Have you considered a simple Terminal Server? Much easier to deal with for these oops emergencies. Examples. http://www.perle.com/products/Terminal-Server.shtml

This would be an excellent solution, but I take it that by the fact that they don't give a price quote online, it is very expensive?

Kenneth
Serial Port Expansion Card for Linux?
Hi,

Has anyone successfully used a serial port expansion card with Linux (specifically Red Hat)? What brand and model did you use?

I have several network (ie. cisco, brocade, netgear) devices that have serial management interfaces that I would like to manage with a Linux server (in an emergency). I was thinking something like this would work great, if it would be correctly recognized by Linux:

SIIG Four 16650 serial port I/O card with 4-port (DB9)
http://www.newegg.com/Product/Product.aspx?Item=N82E16815150141

Suggestions, ideas?

Thank you,
Kenneth
Re: SparkFun Free Day
On 1/7/2010 10:24 AM, Matthew Walker wrote:
$38,788.01. Eek. Going up fast. Starting checkout process now. Order is /just/ over $100. :) Getting the Arduino starter kit, plus the Ethernet Shield.

No! I was in the middle of checkout, when I was notified that the $100,000 has been reached! So close...
Extending a subnet
Hi fellow PLUGers,

Hopefully a quick basic Network Management question:

I have a private network behind a NAT switch with a 10.0.0.0 network address and a 255.255.255.0 subnet mask. I wish to expand the subnet to 255.255.0.0.

If on the NAT switch I were to just expand out the subnet, would it break anything? My expectation is the current servers would continue to function as is. I could then add new servers, with the expectation that they wouldn't be able to speak to servers with the old subnet mask, until updated. I could then slowly update the old configured servers as needed. All servers would then continue to work as expected, and will continue to have Internet access.

Would this break anything else? Or is my expectation correct?

Thank you,
Kenneth
Re: Extending a subnet
On 10/4/2009 1:32 AM, Mike Lovell wrote:
> you might want to do a tcp dump on the network and see if much traffic is going to the broadcast address and then try to figure out if traffic to the broadcast breaking will cause application problems.

The traffic tcpdump shows is:

* directed TCP and UDP traffic
* ARP request packets
* 802.1d packets - spanning tree
* UDP NBT broadcast packets (ports 137, 138)
* UDP rwhod broadcast packets (port 513)

ARP is lower level than IP, right? It is sent to all ports of the switch, not to the IP broadcast address, right? 802.1d is also lower level than IP, right? Will 802.1d spanning tree be broken by this change? And yes, we have several switches on this one subnet.

This network is a test network, and not a production network. So as long as the only problem will be communication between the old configured servers and the new configured servers, this is acceptable. All of the systems need to be able to access the Internet, and systems within the old config need to be able to speak to other systems within the old config.

Is there anything else I should check?

Thank you for your help,
Kenneth
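An added example (not part of the thread) for the mixed-mask situation described in the two messages above: it works out, for each pair of hosts, whether the sender would ARP for the peer directly or hand the packet to its gateway, and what each host considers its broadcast address. The host names and addresses are constructed within the 10.0.0.0 range the thread uses.

```python
# Added example: on-link decisions and broadcast addresses when /24 and /16 hosts
# share one wire. Addresses below are constructed, not taken from the thread.
import ipaddress


def on_link(src_ip, src_prefix, dst_ip):
    """True if a host configured as src_ip/src_prefix considers dst_ip to be on its
    own subnet, i.e. it would ARP for dst_ip directly instead of using its gateway."""
    net = ipaddress.ip_interface(f"{src_ip}/{src_prefix}").network
    return ipaddress.ip_address(dst_ip) in net


def broadcast_of(ip, prefix):
    """Directed broadcast address a host with this mask will send to and listen on."""
    return str(ipaddress.ip_interface(f"{ip}/{prefix}").network.broadcast_address)


def reachability(a, a_prefix, b, b_prefix):
    """(a sees b on-link, b sees a on-link). An asymmetric result means one direction
    goes via the gateway while the reply is ARPed directly."""
    return on_link(a, a_prefix, b), on_link(b, b_prefix, a)


def report(hosts):
    """hosts: list of (name, ip, prefix). Returns one line per host pair."""
    lines = []
    for i, (n1, ip1, p1) in enumerate(hosts):
        for n2, ip2, p2 in hosts[i + 1:]:
            ab, ba = reachability(ip1, p1, ip2, p2)
            lines.append(f"{n1} -> {n2}: {'direct' if ab else 'via gateway'}; "
                         f"{n2} -> {n1}: {'direct' if ba else 'via gateway'}")
    return lines


# Constructed sample: two old /24 servers and two new /16 servers.
SAMPLE_HOSTS = [
    ("old1", "10.0.0.10", 24),
    ("old2", "10.0.0.30", 24),
    ("new1", "10.0.1.20", 16),
    ("new2", "10.0.0.40", 16),
]

if __name__ == "__main__":
    for line in report(SAMPLE_HOSTS):
        print(line)
    for name, ip, prefix in SAMPLE_HOSTS:
        print(f"{name} broadcasts to {broadcast_of(ip, prefix)}")
```

Note that a /24 host's broadcasts go to 10.0.0.255, which a /16 host treats as an ordinary unicast address, so broadcast-based discovery (NBT, rwhod) is the part that stops crossing the mask boundary.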
What does the opposition to Net Neutrality want?
Hi fellow PLUG members,

A friend and I were discussing Net Neutrality and wanted to research the topic a bit more. The more I read about Net Neutrality the less I feel I actually know what the issue is. I believe what the proponents want are:

* fair bandwidth for all
* no destination/source discrimination
* no data discrimination
* no tiered service

Does this correctly sum up the wants?

I have seen numerous threads all touting the brilliance and benefits of Net Neutrality. Net Neutrality has become a banner for great Internet ideology, but it begs the question: what does the opposition actually want to change? From what I can tell the opposition wants to solve some fundamental problems, mostly revolving around resource allocation (i.e. bandwidth hogs). Overuse tends to happen with any perceived unlimited resource, utility or service. The problem is these resources, utilities and services are never unlimited in reality. I can sympathize with this, which leads me to wonder if the opposition to Net Neutrality may have some valid issues that need to be resolved.

Regarding fair bandwidth for all: if everyone were a good net citizen and shared the bandwidth respectfully, I would agree with fair bandwidth. Unfortunately, there is a problem of bandwidth hogs. For example, if 10 people on the block all use an ISP, and 1 user is a bandwidth hog, consistently slowing down the 9 other connections, and the ISP wants to manage their network by limiting the one bandwidth hog, is this an okay practice? Me being one of the other 9, I would really like to not have the 1 slow my connection down. This is what Comcast did with the torrent problem. Should Comcast not be allowed to manage their networks to keep the 9 other people happy?

Regarding destination/source and tiered service discrimination: don't we already have this in place? The more you pay the higher the bandwidth you get. This works the same way on both ends of the connection. Are Net Neutrality advocates pushing to make all Internet free, or one price for all?

Regarding data discrimination: this leads to the realm of Quality of Service. Certain traffic needs to have better QoS to work properly. Web traffic, games and VoIP need low latency, but push through relatively low bandwidth traffic. File serving is not as greatly affected by latency, but needs higher bandwidth. Should ISPs not be able to manage their network to give web traffic, VoIP and games a higher QoS?

Is there a critical point about Net Neutrality I am missing? Please educate me if I am incorrect.

Thank you,
Kenneth
Re: apache mod_proxy error
My thoughts...

On 9/23/2009 10:09 PM, William Attwood wrote:
> [Wed Sep 23 21:42:25 2009] [error] [client xx.xx.xx.xx] proxy: DNS lookup failure for: web1. domain.com returned by /file.php

Is web1.domain.com actually having to be resolved by a DNS server? Maybe the DNS server is being overloaded. Try putting web1.domain.com in the /etc/hosts file.

> [Wed Sep 23 21:42:47 2009] [error] (70007)The timeout specified has expired: proxy: HTTP: attempt to connect to 10.3.1.30:80 (web1. domain.com) failed
> [Wed Sep 23 21:42:47 2009] [error] ap_proxy_connect_backend disabling worker for (web1. domain.com)

This would seem to imply that your web1 server did not respond to the proxy in a timely manner. Is your web1 server overloaded? Do you have a buggy, or overloaded, application that is having difficulties in responding within 300 seconds? What is your ProxyTimeout directive set to? If ProxyTimeout is not set, what is your Apache TimeOut value set to?

The other possibility, if you are getting a lot of traffic, is you have hit some of the default connection limits. Which version of Apache are you running? Which distribution are you using and which kernel version?

What are your max file descriptors set to (includes sockets):
    /sbin/sysctl fs.file-max

What is your current file descriptor limit set to (includes sockets):
    ulimit -n

Kenneth
Re: I.T. Resource Manager - Logins, Passwords, Servers, etc
On 8/27/2009 11:44 AM, William Attwood wrote:
> I'm trying to find a good utility that will manage data for servers, data centers, store files, encrypt passwords, etc. Is there a good overall I.T. utility, or a swiss army knife of tools that are available to maintain this? I'm getting tired of my spreadsheets with numerous tabs, and KeePass for passwords. What do you use?

gpg is your friend. My favorite method is a basic bash script that:

1. asks for a password
2. gpg decrypts a password file
3. opens the password file via vi
4. allows me to edit
5. upon save and close, gpg re-encrypts the password file.

Simple but efficient.

Kenneth
Re: I.T. Resource Manager - Logins, Passwords, Servers, etc
On 8/27/2009 3:38 PM, Byron Clark wrote:
> So, even simpler and more secure is a snippet like this in your .vimrc:
>
> if has("autocmd")
>   " gpg encrypted files
>   if exists("$KEY")
>     autocmd BufNewFile,BufReadPre *.gpg :set secure viminfo= noswapfile nobackup nowritebackup
>           \history=0 binary
>     autocmd BufReadPost *.gpg :%!gpg -d 2>/dev/null
>     autocmd BufWritePre *.gpg :%!gpg -e -r $KEY 2>/dev/null
>     autocmd BufWritePost *.gpg u
>   endif
> endif

Thanks Byron, this is much easier to use than the bash script I was using before.

Just a few pointers to those who would like to use the script above:

1. First, remove the backslash ( \ ) from the 4th line. Vim complains until you remove this.

2. Set $KEY to the email address of your gpg key, and make sure you 'export' it, or vim will not see it. Placing export key...@email.com in your ~/.bash_profile will do the trick.

3. You will need to have pre-created your gpg private/public keys. You can do this by executing gpg --gen-key and following the prompts. The email address you use here will be the same you set the $KEY variable to.

4. You can create a new password/secure file by simply editing the file to be created: vim newfile.gpg. Make sure the new file has the .gpg extension or the code above will not work. When vim loads it will ask you for your private key password. Once you enter your password, your password file will load. You can then edit the file, save and quit, and the password file will be re-encrypted.

5. This also has the added benefit of being able to edit, via vim, on the fly, any encrypted .gpg file that has your public key associated with the file.

Thanks again,
Kenneth
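An added example, not Kenneth's bash script or Byron's vimrc: the same five-step decrypt, edit, re-encrypt loop as a small Python wrapper around gpg. It assumes gpg and $EDITOR (or vi) are on PATH and that the recipient is the same key address as $KEY above; the decrypt/encrypt/editor steps are parameters so the flow can be exercised without gpg.

```python
# Added example (hypothetical wrapper, not from the thread): edit a gpg-encrypted file
# in place. Assumes gpg on PATH; gpg itself prompts for the passphrase (step 1).
import os
import shutil
import subprocess
import tempfile


def gpg_decrypt(path):
    """Step 2: plaintext bytes of path via gpg -d (gpg/pinentry asks for the passphrase)."""
    return subprocess.run(["gpg", "-d", path], check=True, capture_output=True).stdout


def gpg_encrypt(plaintext, recipient):
    """Step 5: ciphertext bytes for recipient via gpg -e -r, plaintext fed on stdin."""
    return subprocess.run(["gpg", "-e", "-r", recipient], input=plaintext,
                          check=True, capture_output=True).stdout


def run_editor(path):
    """Steps 3 and 4: hand the temporary plaintext copy to the user's editor."""
    subprocess.run([os.environ.get("EDITOR", "vi"), path], check=True)


def edit_encrypted(path, recipient, decrypt=gpg_decrypt, encrypt=gpg_encrypt,
                   editor=run_editor):
    """Decrypt path, let the editor change a private temp copy, re-encrypt only if the
    content changed. Returns True if path was rewritten.

    The plaintext copy lives in a fresh mode-0700 directory as a mode-0600 file, and is
    overwritten with zeros before removal so a crash leaves as little behind as possible
    (best effort only: journaling, SSDs and copy-on-write filesystems may keep old blocks)."""
    if not path.endswith(".gpg"):
        raise ValueError("expected a .gpg file")
    before = decrypt(path)
    tmpdir = tempfile.mkdtemp(prefix="gpgedit.")          # created with mode 0700
    tmp = os.path.join(tmpdir, os.path.basename(path)[:-4])
    try:
        fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as f:
            f.write(before)
        editor(tmp)
        with open(tmp, "rb") as f:
            after = f.read()
        if after == before:
            return False
        cipher = encrypt(after, recipient)
        # Write the new ciphertext beside the original, then rename over it atomically,
        # so an interrupted run never leaves a truncated .gpg file behind.
        new = path + ".new"
        with open(new, "wb") as f:
            f.write(cipher)
        os.replace(new, path)
        return True
    finally:
        if os.path.exists(tmp):
            with open(tmp, "r+b") as f:
                f.write(b"\0" * os.path.getsize(tmp))
        shutil.rmtree(tmpdir)


if __name__ == "__main__":
    import sys
    changed = edit_encrypted(sys.argv[1], os.environ["KEY"])
    print("re-encrypted" if changed else "unchanged")
```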
Re: Apache Tuning - HTTPS
On 8/19/2009 1:49 PM, William Attwood wrote:
> I ran across KeepAlive, and enabled it. I then did more `ab` testing with -k to take advantage of the change. I am now able, on the same server, to handle 1,000 concurrent HTTPS requests, 100,000 total requests, and do it all in under 50ms per request.
>
> # KeepAlive: Whether or not to allow persistent connections (more than
> # one request per connection). Set to Off to deactivate.
> #
> KeepAlive On

Hello,

New connections are relatively expensive, especially when you are requesting very small items like html, css, or javascript files. KeepAlive makes it so multiple items can be requested in one single connection. This setting is also affected by the MaxKeepAliveRequests 100 setting. This would mean, for example:

Example: 50 items (under the 100 max per connection) on a page to be requested:

* With KeepAlive On this equates to 1 new expensive connection being created.
* With KeepAlive Off this equates to 50 new expensive connections being created.

This becomes more obvious with your example of 1,000 concurrent connections:

* With KeepAlive On this equates to 1,000 new connections being created.
* With KeepAlive Off this equates to 1,000 x 50 items = 50,000 new connections being created.

Summary: 50,000 connections versus 1,000 connections of overhead just to pass the same data through.

The overhead is due to the fact that, when building a new connection, there are a lot of hurdles to pass:

* Creating a TCP/IP socket
* Firewall rules are generally always about new connections, so this is a delay point
* Apache has to receive the socket request
* Apache then has to assign a worker to perform the request

All of this is avoided for the multiple items on a single KeepAlive request.

So if this has such a benefit why is it disabled by default? Good question. Almost every performance tuning Apache documentation I have seen indicates this as the first item to turn on. Maybe it is simply a paranoid design decision, as a connection that can be forced to stay open for a longer time period consumes more resources. You may be able to now push more traffic through, but the system is now more open to being overloaded.

Kenneth
Re: Linux MD problem
On 7/8/2009 10:40 AM, Mike Lovell wrote:
> I also took a look at the md superblock on the devices. sd{u,v,w}1 look like they are fine. sdx1 looks funky. It shows that sdx1 is active but that 1 other disk is removed and the other 2 are as faulty. It looks like maybe the information on sdx1 got messed up while the others are fine.
>
>> mdadm --assemble /dev/md0 --force --uuid=[UUID_from_previous_command]
>
> I am about to try an mdadm --assemble command to see if it helps.

Mike,

If what you are assuming is true, and sdx1 is the faulty drive, then maybe you should try to reassemble the array with all the drives besides sdx1:

mdadm --stop /dev/md0
mdadm --assemble /dev/md0 /dev/sdu1 /dev/sdv1 /dev/sdw1 --run

Kenneth
Re: Linux MD problem
On 7/8/2009 11:22 AM, Kenneth Burgener wrote:
> mdadm --stop /dev/md0
> mdadm --assemble /dev/md0 /dev/sdu1 /dev/sdv1 /dev/sdw1 --run

Mike,

By the way, if you are wanting to play around with mdadm without actually using real drives, you can set up a few virtual devices and play with mdadm to your heart's content without destroying real disks:

dd if=/dev/zero of=/root/vd1 bs=1M count=100    # create virtual disk 1
dd if=/dev/zero of=/root/vd2 bs=1M count=100    # create virtual disk 2
dd if=/dev/zero of=/root/vd3 bs=1M count=100    # create virtual disk 3
dd if=/dev/zero of=/root/vd4 bs=1M count=100    # create virtual disk 4

losetup -a                      # show currently used loop devices
losetup /dev/loop1 /root/vd1    # use an unused loop device
losetup /dev/loop2 /root/vd2    # use an unused loop device
losetup /dev/loop3 /root/vd3    # use an unused loop device
losetup /dev/loop4 /root/vd4    # use an unused loop device

mdadm --create /dev/md2 --level raid10 --raid-devices 4 /dev/loop[1234]    # create md device (use an unused /dev/md?)
mkfs.ext3 /dev/md2              # format as ext3
mount /dev/md2 /mnt/md2         # mount if you want

Now you can fail virtual disks, stop the array, reassemble, fail disks, etc. to your heart's content.

# example rebuild with one less disk:
mdadm --stop /dev/md2
mdadm --assemble /dev/md2 /dev/loop[123]

When you are done, to clean up:

umount /dev/md2                 # if mounted
mdadm --stop /dev/md2
losetup -d /dev/loop1
losetup -d /dev/loop2
losetup -d /dev/loop3
losetup -d /dev/loop4
rm /root/vd1
rm /root/vd2
rm /root/vd3
rm /root/vd4
Re: Linux MD problem
On 7/7/2009 1:03 PM, Mike Lovell wrote:
> I have a machine that has 4 disks in a raid 10 using md.
>
> [ 28.575149] md: raid10 personality registered for level 10
> [ 28.610827] md: md0 stopped.
> [ 28.688678] md: bind<sdu1>
> [ 28.688981] md: bind<sdv1>
> [ 28.689269] md: bind<sdw1>
> [ 28.689566] md: bind<sdx1>

Are you able to boot into the OS? What does 'cat /proc/mdstat' show? What does 'mdadm --examine /dev/sdu1' (or sdv, sdw, sdx) show?

Normally if only one disk has failed, the array should be able to activate, but in a degraded state. For some reason your system thinks that sdu, sdv, sdw are all in an invalid state, which means there are not enough devices to reassemble the array. I haven't seen the non-fresh error before. This could simply mean it avoided assembling the array due to some sort of minor out of date, or out of sequence issue.

As a last resort you could try to forcefully reassemble the array (no guarantees):

mdadm --examine /dev/sdu1 | grep -i uuid    # copy and paste the uuid into the following
mdadm --assemble /dev/md0 --force --uuid=[UUID_from_previous_command]

Kenneth
Re: UUG Meeting: Parking?
On 7/2/2009 11:59 AM, Andrew McNabb wrote:
> We would like to announce the next UUG meeting: Introduction to Linux Kernel Development - Thursday, July 9 - 7:00 pm - Room 230 Tanner Building

For those who are not BYU students, where might we park? Is the parking in front of the Tanner Building free to park in after 7pm?

Thanks,
Kenneth
95th Percentile Bandwidth Monitoring
Many data centers bill on the 95th percentile. Might anyone have a suggestion for a good 95th percentile bandwidth monitoring tool? I would prefer one that will take 5 minute snapshots and dump the bit rates to a database (the 5 minute interval would also closely match the interval at which data centers sample bit rates). This would enable me to programmatically trigger other events.

My firewalls are all Linux based iptables systems (fronted with Shorewall). I would like to be able to monitor our data usage, to make sure we keep our 95th percentile at an acceptable level so we don't break the bank. I would like to eventually have an automated script that will trigger, if our usage is high for the month, and throttle our bandwidth down.

I thought about screen scraping the reports the data centers generate, but I ran into a few snags. One data center has a reporting tool, but it is too full of ajax to make screen scraping a viable option. The other data center does not have an online reporting tool, but will generate reports on demand.

I then found a list of many Linux based bandwidth monitoring tools, but they all work like top and are not any good at giving me sampled data at any interval.

Then I thought about screen scraping TX/RX bytes from ifconfig, but I found out that the counters roll over and the output is not very consistent, which made screen scraping very ugly.

I next found vnstat has a timed traffic monitor, which I ran every 5 minutes for 5 seconds, screen scraped the kB/s, which gave me more of what I was looking for, but I still think it is a pretty ugly hack. I am really hoping to find a tool that will output what I am looking for in such a way that I don't have to screen scrape it.

I also would like to generate reports, so I looked at Cacti, but this appears to need to be pointed to an SNMP source. I saw a few mentions of running an SNMP service on the Linux server. Would that get me the bit rates I am looking for?

Any suggestions?

Thanks,
Kenneth
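An added example (not a tool from the thread) of the calculation the post is after: 5-minute snapshots of an interface byte counter are turned into bit rates, a counter wrap of the kind ifconfig's 32-bit counters produced is tolerated, and the 95th percentile is taken the way data centers commonly bill it (sort the interval rates, discard the top 5%, bill the highest remaining sample). The counter values are constructed; the commit rate and the interface width are assumptions.

```python
# Added example: 95th percentile from cumulative byte-counter snapshots.
# Constructed sample data; 32-bit counter width and 5-minute interval are assumptions.
COUNTER_BITS = 32
INTERVAL = 300          # seconds between snapshots (matches typical data center sampling)


def delta(prev, cur, bits=COUNTER_BITS):
    """Bytes moved between two readings, allowing for a single counter wrap.
    A wrap is detected by cur < prev; two wraps in one interval cannot be told apart."""
    if cur >= prev:
        return cur - prev
    return (1 << bits) - prev + cur


def rates_mbps(counters, interval=INTERVAL):
    """Per-interval rates in Mbit/s from a list of cumulative byte counters."""
    return [delta(a, b) * 8 / interval / 1e6 for a, b in zip(counters, counters[1:])]


def percentile95(rates):
    """Billing-style 95th percentile: sort ascending and take the value at position
    ceil(0.95 * n), i.e. the highest sample left after dropping the top 5%."""
    if not rates:
        raise ValueError("no samples")
    s = sorted(rates)
    idx = -(-95 * len(s) // 100) - 1        # integer ceil(95n/100) - 1
    return s[idx]


def over_commit(rates, commit_mbps):
    """True when the 95th percentile exceeds the committed rate (a throttle trigger)."""
    return percentile95(rates) > commit_mbps


def constructed_counters():
    """21 snapshots of a 32-bit counter starting just below its wrap point: a steady
    10 Mbit/s (375 MB per 5 min) with two bursts, 50 Mbit/s and 100 Mbit/s."""
    incr = [375_000_000] * 20
    incr[5] = 1_875_000_000                 # 50 Mbit/s burst
    incr[12] = 3_750_000_000                # 100 Mbit/s burst
    counters = [(1 << 32) - 200_000_000]    # first reading, 200 MB before the wrap
    for inc in incr:
        counters.append((counters[-1] + inc) % (1 << 32))
    return counters


if __name__ == "__main__":
    rates = rates_mbps(constructed_counters())
    print("peak %.1f Mbit/s, 95th percentile %.1f Mbit/s" % (max(rates), percentile95(rates)))
    print("over 20 Mbit/s commit:", over_commit(rates, 20))
```

With 20 intervals the single highest burst is the one sample discarded, which is why the 95th percentile comes out at the second burst's 50 Mbit/s rather than the 100 Mbit/s peak.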
Re: Need help decrypting word doc
On 5/19/2009 6:05 AM, Jared W. Robinson wrote:
> My grandmother has been working on an obituary for my grandfather (who is still with us), but somehow it got encrypted, and she doesn't know what the password is. I'm looking for someone who can decrypt it for me.
>
> Jared Robinson

It appears that cracking the password from a Word document has to be done through brute force [1]. No quick fix here.

If you are determined to go the route of trying to crack the password by brute force, here are some programs I have seen others suggest that may work:

* WordLocksmith (www.intertek.org.uk/downloads/word.html, $7)
* Word Password (www.lastbit.com/word/default. asp, $39)
* Advanced Office Password Recovery (pr.openwall.net/microsoft-word, $49)

Kenneth

[1] http://www.gmayor.com/Remove_Password.htm
Re: Oracle to purchase Sun Microsystems?
On 5/17/2009 11:38 PM, Stuart Jansen wrote:
> The code is GPL. Trademark may require a new name, but the code can be forked if necessary. This topic has also been beaten to death online. Here's one of the more recent commentaries:
>
> http://kirkwylie.blogspot.com/2009/05/how-many-times-can-monty-sell-mysql.html

Oh, I thought it was a dual license that didn't include GPL. So if worse comes to worse, MySQL can be forked, away from Oracle, under GPL abilities?

Kenneth
Oracle to purchase Sun Microsystems?
I was reading an article (Oracle: SELECT * FROM Sun [1]) discussing Oracle's acquisition of Sun Microsystems [2]. The article speculates on the effect this could have on various Sun backed projects such as MySQL, Java, Solaris, and OpenOffice.

Oracle Database is a direct competitor with MySQL. Do you think Oracle will continue to support MySQL, or will it morph into an Oracle Express Edition? Do you think the acquisition will have a positive or negative impact on these important projects?

Kenneth

[1] http://lwn.net/Articles/329223/ - Oracle: SELECT * FROM Sun [LWN.net]
[2] http://www.sun.com/third-party/global/oracle/index.jsp - Oracle to Buy Sun
Re: is the serial number on the motherboard unique
On 5/12/2009 10:22 PM, Frank Sorenson wrote:
> How about using:
>
> dmidecode -s system-uuid

The -s system-uuid shortcut only appears to be available on non-Red Hat based dmidecode versions. The UUID can still be returned by grepping for 'uuid':

/usr/sbin/dmidecode | grep -i uuid

Many of my systems still do not have a UUID value though:

Product Name: A8N-SLI DELUXE
UUID: E05FA41B-043D-DB11-ACF1-C0733C807344

Product Name: SE7525RP2
UUID: 77B3D4FA-5379-0010-8437-000E0C3BBD6C

Product Name: A7N266VM
UUID: Not Settable

Product Name: CUV4X-C
UUID: Not Settable

Kenneth
Re: Two or more webs at home - multiple SSL hosts
On 4/22/2009 5:26 PM, Michael Torrie wrote:
> One technique I use to provide SSL access for a couple of different virtual hosts is to use different ports. domain A would be https://A.domain:1443, domain B could be https://B.domain:2443. Not super clean, but it works pretty well, especially if you're directing traffic to SSL from a non-ssl page to begin with.

Another method of hosting multiple SSL sites from one IP address is to use a wildcard certificate. This works especially well with subdomain sites (i.e. *.example.com). If you are only using the SSL to encrypt the traffic to your personal sites, you could even go as far as creating a self signed top level domain wildcard certificate (i.e. *). Then *any* domain your personal server hosts can use this same SSL certificate on the same IP address. The one downfall of a self signed certificate is users are prompted initially that the CA is not recognized, but if this is for a personal or family site, this is usually an acceptable trade off.

Kenneth
Re: Redirect SSH on a single IP
On 4/20/2009 1:38 PM, Richard Esplin wrote:
> Current Attempts:
>
> ${IPTABLES} -t nat -A PREROUTING -i ${IFACE_EXT} -p tcp --dport 2022 -j REDIRECT --to 22
>
> This works as long as I add port 22 to the above ACCEPT statement, but that would defeat the purpose.
>
> ${IPTABLES} -t nat -I PREROUTING -i {IFACE_EXT} -p tcp --dport 2022 -j DNAT --to ${IPADDRE_INT}:22
>
> This looks to me like it should work, but the port still reports as being closed.

I think you are only missing the ACCEPT on the FORWARD table:

/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 --dport [external_port] -j DNAT --to 10.10.10.3:22
/sbin/iptables -A FORWARD -p tcp -i eth0 -d 10.10.10.3 --dport 22 -j ACCEPT

This is what I have and it works.

Kenneth
How does one add a port forward to an openSSH live connection?
The putty ssh client is an awesome tool. I also love the fact that putty has a Linux, Windows and Mac client, so I can use it from most any environment. One of the features I love is the ability to add a port forward from a live connection. This way I can keep my currently forwarded applications running, without having to kill everything then reconnect.

Can openSSH add a port forward to a live connection?

I found that I can create the initial port forward with:

# local forward
$ ssh [host] -L port:host:hostport

# remote forward
$ ssh [host] -R port:host:hostport

Once I have made the connection, is there a way to signal the ssh process to add an additional port forward, similar to Putty?

The other feature I found, in Putty, is the session keep alive feature, for which you can also specify the time between keep alives. As far as openSSH, I found a TCPKeepAlive option, but I am not sure this does the same thing as the session keep alive, and I don't see an option to specify the time between keep alives.

Thank you,
Kenneth
Re: How does one add a port forward to an openSSH live connection?
On 2/23/2009 8:45 AM, Doran L. Barton wrote:
> On Monday 23 February 2009 08:32:50 Kenneth Burgener wrote:
>> The putty ssh client is an awesome tool. I also love the fact that putty has a Linux, Windows and Mac client, so I can use it from most any environment. One of the features I love is the ability to add a port forward from a live connection. This way I can keep my currently forwarded applications running, without having to kill everything then reconnect.
>>
>> Can openSSH add a port forward to a live connection?
>
> Yes. You have to issue the escape character which, unless you've changed it, is ~ (preceded by a newline) and then C. This will give you a command-line at which you can type -L or -K commands. This is all documented in the ssh man page.

That's it! Thanks Doran, Jake and Nicholas.

And sure enough it is in the ssh man page under Escape Characters, but not under the TCP Forwarding section I had read. I think they should make reference to this powerful ability in the TCP Forwarding section, don't you?

Thanks,
Kenneth
Re: SSH keep alive
On 2/23/2009 8:48 AM, Nicholas Leippe wrote:
>> The other feature I found, in Putty, is the session keep alive feature, for which you can also specify the time between keep alives. As far as openSSH, I found a TCPKeepAlive option, but I am not sure this does the same thing as the session keep alive, and I don't see an option to specify the time between keep alives.
>
> Yes, this is the keep alive. You may or may not want this feature, however. If it is enabled, yes, it will send out keep alive packets so that any router nat forwarding tables are refreshed. However, it has the side effect that if it fails to receive a keep alive packet it will assume that the connection is gone for good and close it on you. I usually turn it off entirely so that my ssh connections do not notice any temporary network outages.
>
> The interval is specified by the server in sshd_config as ClientAliveInterval and/or by the client in ssh_config as ServerAliveInterval. See man sshd_config(5) and ssh_config(5).

Without the keep alive, doesn't the SSH connection automatically terminate after so many minutes? Is the auto terminate a function of a NAT router in the path, or is that a client or server option?

I just want my connection to stay open indefinitely, so if keep alives are not the way to go about it, is there a better way?

Thanks,
Kenneth
Gig-E not a copper hand off??
If one has the following line written in a contract with a data center, what would this indicate to you?

Bandwidth: 100mbps (burstable to 1Gbps)
Type of Connection: Gig-E

To me this would indicate I would have a copper Gigabit Ethernet hand off. Would you think differently?

If you arrived at the data center, on the day of installation, and found that you were only provided a Single Mode 1310nm Fiber Connector, would you be surprised, or does Gig-E somehow translate to a fiber hand off?

Please educate me if I am somehow misinformed.

Thanks,
Kenneth
Re: Gig-E not a copper hand off??
On 2/18/2009 5:12 PM, Jared Smith wrote:
> To me, it wouldn't indicate anything regarding whether it was copper or fiber (and which style of fiber connectors). In fact, if anything, I'd err on the side of expecting it to be fiber, not copper.
>
> -Jared

Okay, thanks for the education, and I will update my assumptions for the future.

Thanks,
Kenneth
Re: Smoke 'em if you got 'em
On 1/16/2009 9:31 PM, Stuart Jansen wrote:
> Looks like Seagate has been shipping drives with bad firmware. If you have recent Seagate or Maxtor drives, probably want to check out the article. If you're thinking about buying drives, probably want to wait until the bad drives get sold off.
>
> http://techreport.com/discussions.x/16246
> http://seagate.custkb.com/seagate/crm/selfservice/search.jsp?DocId=207931

Thanks for the heads up. I have 3 x 1TB Seagate drives on my home file server (model ST31000340AS). I contacted support, and they said the updated firmware for these drives won't be available till next week. He did mention that even if the disks do experience this problem, the data won't be affected, just the controller. If needed, free data recovery is an option with this issue.

Thanks,
Kenneth
Re: Recovering files from a failing external disk drive
On 1/12/2009 11:22 AM, Stuart Jansen wrote:
> I've never had to deal with this problem personally. A friend, Joseph Hall, had good luck with PhotoRec.
>
> http://www.cgsecurity.org/wiki/PhotoRec

That is amazing!! PhotoRec actually did a wonderful job of restoring files from the dd image. The one downside is the filenames are all trashed, but I think my sister-in-law will be ecstatic to get anything.

Thanks for the suggestion.

Kenneth
Re: Utah Open Source Conference 2009?
On 1/10/2009 5:12 PM, Doran L. Barton wrote:
> The Provo Linux Users' Group (PLUG) appears to maintain a mailing list for UTOSC:
>
> http://plug.org/mailman/listinfo/utosc
>
> These are unrelated to UTOSC.com, the site for the Utah Open Source Conference.

Anyone know when and where the Utah Open Source Conference will be held in 2009??
Re: SSH within local network
Joshua Lutes wrote:
> I can ssh over the internet, but I can't ssh just within my local network to 192.168.2.x. I'm not sure what I need to do to be able to just use my local network, which I think will be much, much faster.

It sounds like one of two possibilities:

1. a firewall issue
2. ssh server is not installed, or enabled.

Which distributions are you running? Is either of them Ubuntu? Last time I installed Ubuntu 8.10, the ssh client was installed, but the ssh server was not, by default. If that is the case then:

$ sudo apt-get install openssh-server

You can see if there are any firewall rules by checking iptables:

$ sudo iptables --list

Kenneth
Re: Today is election day!
On 11/4/2008 10:43 AM, Hans Fugal wrote:
> And don't forget to vote SUPERDELL for governor!
> http://www.superdellforgovernor.com/

I love how he has kept his Donate page active on his website, and is proud to say he has raised a total of $12.02!
Re: moving linux around
On 10/28/2008 1:41 PM, Andres Gonzalez wrote:
> Thanks for your responses guys. I feel better about trying it.
>
> -Andres

Sorry for the late response.

My experience has been that you should have little if any trouble swapping out the motherboard. kudzu (detects and configures new and/or changed hardware on a system) and udev (dynamic device management) usually do a really good job of making changes like this seamless.

There are usually only a few rare issues that I run into with changes like this, all of which are fixable...

Graphics. For example, if you switch from a system with an nVidia graphics card to one with ATI, your X server will have issues, and need to be reconfigured.

Udev configurations. Udev will tend to toss out old configurations, and provide you with a new default configuration for newly found hardware. What does this mean for you? If you configured your network card with a static IP address, this configuration will be swapped out for the default dhcp configuration. The same thing would go for any other peripherals such as scanners, etc. This is the most common issue people run into when throwing around virtual machine images.

Booting (as mentioned earlier). If your disk is not placed back in the same order as it was prior, you will need to update Grub to reflect this. This could mean updating the MBR to point to the new location of your boot partition, changing the root (hd0,1) in the grub.conf, and changing the kernel root=... parameters.

Modules. This is the one place where one might possibly have the most trouble. If you have new hardware, which needs drivers not provided by the default installation, you will of course need to install them. Also check the modprobe configuration files under /etc/, as old items may need to be removed, and new items may need to be added (or possibly un-blacklisted). There are line items here that are added during installation, such as sound and Ethernet. If it works right, the new hardware should be detected and added, and hopefully there should be no conflicts between the old and new. If there is, just clean out the old.

Most of the time a system switch is pretty seamless, and if not, all the problems are solvable with a bootable repair disk (such as Knoppix, or most distros' repair CD).

Kenneth
Re: Q6600 quad core computer $411
On 7/19/2008 9:10 PM, info wrote:
> Orem store has some, but they haven't lowered it down as much yet. They are selling it for $560 (which still isn't bad, but not as good as $411). They will probably lower them down soon. They had 3 in stock as of this evening.

How does Walmart get away with selling the whole system for $400? The processor alone runs about $200 (http://www.newegg.com/Product/ProductList.aspx?Submit=ENEDEPA=0Description=Q6600x=0y=0)
Re: linux hardware compatibility list
On 7/15/2008 11:57 AM, Kyle Waters wrote:
> I'm thinking I want to go with ati chipset for both mb and graphics, with an amd processor. I'm not doing anything high end and am only looking at $1000 for the Is there anything I should avoid?
> Kyle

I would start by avoiding ATI. I have found that nVidia Linux support has always been better, especially in the MythTV realm. Most standard components (monitor, CD, DVD, mouse, keyboard, hard drives, motherboards, network cards) work out of the box. The few components that I have had issues with in the past were wireless cards and external peripherals (i.e. scanners, cameras, etc). I would check the HCL for those components.

Kenneth
Re: UTOSC Registration Codes
On 7/2/2008 2:27 AM, Ryan Simpkins wrote:
> Please register for the Utah Open Source Conference. You can get an early-bird special for $35. You must register by August 7th to get the discount. So please do not delay. http://2008.utosc.com
>
> You can get the code by logging in to your plug.org account (or signing up for one), then browsing this page: http://plug.org/node/123
>
> Hopefully this works. *crosses fingers*
> -Ryan

The discount worked for me! Thanks.

Kenneth
Re: PLUG-Announce Call For Help
On 7/2/2008 11:01 AM, Levi Pearson wrote:
> I think that sounds like a reasonable idea. Speaking of which, I've got a bunch of old/broken computer gear that needs to be properly disposed of, and I'm not sure what to do with it. Any suggestions for proper disposal in Utah County?

Computer Recyclers (MAS) will take most computer equipment (except CRT monitors) for free, and sometimes you will get credit too. Costco I believe also has a recycling program, and I think they do accept CRT monitors.

Kenneth
Re: NEWS: Firefox 3 will be released June 17th
On 6/12/2008 10:38 AM, Kenneth Burgener wrote:
> Firefox 3 will be released June 17th:
> http://developer.mozilla.org/devnews/index.php/2008/06/11/coming-tuesday-june-17th-firefox-3/

Just a reminder, for those who were waiting, Firefox 3 will be released today at 12pm central time. (1.5 hours from now)

Kenneth
Re: Looking for laptop
On 6/17/2008 10:54 AM, Matthew Walker wrote:
> My old laptop has started to give up the ghost, so I'm in the market for a new/used machine. I'm not looking for anything cutting edge. I just want a functional laptop that runs Linux well, and has a decent battery life. (1.5 hours minimum). Does anyone have anything they'd be interested in selling? My price range is flexible, but the lower the better, of course. I was planning to spend $200-$250 on it, but that's negotiable. Trade is also possible, if you need something coded in Perl or (checks asbestos underwear) PHP.

At a price range of $200-250 you are obviously not going to get something new. There are several laptops for sale on eBay within this price range, but they are all used, which means the battery life will probably be at its end, so you will want to order a replacement battery so you can get the 1.5 hours you are looking for.

The thing to remember about lithium ion batteries is that they are excellent at energy density, holding their charge (low self discharge) and recharging (no memory effect). The downfall of lithium batteries is their shelf life. They begin dying the day they are manufactured, even if not used, so the older the battery the higher the chance of it being at the end of its life.

You could probably find something like this laptop [1] which closed at about $200, plus $30 for shipping, and $60-$100 for a replacement battery, which would bring you to a price range of about $290-$330.

[1] http://cgi.ebay.com/WIRELESS-DELL-LAPTOP-LATITUDE-WiFi-LAPTOPS-COMPUTER-NR_W0QQitemZ160251778327QQihZ006QQcategoryZ177QQssPageNameZWDVWQQrdZ1QQcmdZViewItem

Kenneth
NEWS: Firefox 3 will be released June 17th
Firefox 3 will be released June 17th:
http://developer.mozilla.org/devnews/index.php/2008/06/11/coming-tuesday-june-17th-firefox-3/

Help set a Guinness World Record with Firefox:
http://www.spreadfirefox.com/en-US/worldrecord/

Curious, will the PLUG be hosting a Firefox 3 release party?
http://mozillaparty.com

Kenneth
Comcast issues
Is anyone else having issues with their Comcast Internet today? As in random issues connecting out to various services (i.e. messenger) and web sites, or being unable to remotely connect into their home network via SSH, HTTP, HTTPS, Rdesktop, VNC, etc?

I tried connecting from work, to home, through our Qwest DSL lines, with no success. My in-laws have a server at their house, and also have Comcast. I can connect from their home server to my home network with no problems, and vice versa, which I would assume means the problem is not the internal Comcast network, but either the Comcast border network, or a peering network (i.e. Qwest)?

I tried calling Comcast support only to be told the wait time was greater than 30 minutes. I would take this to mean other people are having issues as well. Has anyone heard any news about problems?

Kenneth
Re: OT - Gas to hit 4.00 - Vote for Ron Paul - dropping out?
On 6/11/2008 9:20 PM, Von Fugal wrote:
> > Perhaps I'm just jaded, but, honestly - what, specifically, can I do?
>
> *** Vote for Ron Paul ***
>
> You knew that was coming, didn't you? ;)
>
> Von Fugal

I agree, but we might not get that chance. I heard news on the radio today that Ron Paul is planning on dropping out of the race today. Can anyone else confirm this? I tried finding the notice on ronpaul2008.com, but only could find this:

Ron Paul to Make Major Announcement Tonight (June 12, 2008)
http://www.ronpaul2008.com/press-releases/340/ron-paul-to-make-major-announcement-tonight

This leads me to believe the news on the radio was speculation only.

Kenneth
Re: OT - Gas to hit 4.00
On 6/11/2008 2:11 PM, Kimball Larsen wrote:
> This is a thoughtful and thought-provoking response. One item that does come to mind is an interesting (to me) question: Should we have a societal meltdown, which would go first - internet based infrastructure or real-world infrastructure? In other words, which do you think we would lose first - internet access or grocery stores with food on the shelves?
>
> <snarky> You can take the food (I've got/can produce lots more), but don't take my intertubes... </snarky>
>
> -- Kimball

I would assume it would be a fairly close tie. I heard once that grocery stores carry about 1, maybe 2 days' worth of food. But it only takes a hot summer to have rolling blackouts that take down the whole eastern half of the continent.

I think we have a fragile economy, and a fragile infrastructure, but I also think we are robust enough to pull through on most disasters. We have come back as a country through a great depression, world wars, recessions, several wars, corrupt politicians, hurricane flooded states, terroristic attack (9/11), and full eastern rolling electrical blackouts. I think as long as we stick together as a country we could probably survive many more disasters as well.

My fear is we will eventually come to a point where we will not stick together as a country. I see us being ripped apart internally by a civil war compounded by either a natural disaster, or terroristic attack. I see our country becoming more and more polarized each year (this can be seen in such things as a 50%/50% split in presidential elections).

Kenneth
Re: Major Gmail annoyance and the list
Michael Torrie wrote:
> Does anyone know of a way of working around this major bug?

This doesn't just happen with Internet mailing lists. Try sending yourself an email.
Re: Major Gmail annoyance and the list
Alex Esplin wrote:
> On Fri, Feb 22, 2008 at 1:15 PM, Kenneth Burgener [EMAIL PROTECTED] wrote:
> > Michael Torrie wrote:
> > > Does anyone know of a way of working around this major bug?
> >
> > This doesn't just happen with Internet mailing lists. Try sending yourself an email.
>
> Is this an issue in mail clients? Because in the web interface when I send myself an email it just shows up in my inbox.

It is a POP3 problem (and I assume IMAP as well?) with Google. From the comments I see online, they assume that since you sent the email you don't need a copy downloaded to your inbox, since you can find it in your sent box.
[OT] Fun news - total lunar eclipse tomorrow night
If you missed the lunar eclipse last March here's your chance to see the show again. Wednesday the moon begins its transit across Earth's shadow at 7:43 and this time it will be high in the night sky. [1]

[1] http://www.dailyherald.com/story/?id=137831src=110
[2] http://www.ksl.com/?nid=148sid=2691620
Apache dynamic module infected
Has anyone heard about this Apache exploit? Supposedly there is a mass infection using Apache's dynamic module.

Mass host hack bigger than first thought, hits 10,000 sites
Some hacked Apache servers reinfected even after clean-up and Linux reinstall
http://tinyurl.com/28obnf
http://tinyurl.com/22clxe

Is this for real or is this merely an isolated problem blown out of proportion to cause FUD?

If this is for real, the articles did not explain how you can detect if you were infected, or how to disable Apache's dynamic module. Is there a "dynamic module" module or is it referring to any module that is loaded by the LoadModule directive? If the latter is the case, then any site hosting SSL or PHP or any number of other items would be disabled. I am hoping the former is the case and there is some mysterious "dynamic module" module to be disabled.

Any ideas?

Thanks,
Kenneth
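One generic way to approach the detection question raised above, as an added example (my code, not from the articles, the list, or the Apache project): inventory every module httpd would actually load, from its LoadModule directives, and compare each .so on disk against a manifest of known-good hashes recorded when the packages were installed. A module that no package accounts for, or one whose hash no longer matches, is what deserves a closer look. The config text, module files and baseline hashes below are all constructed in a temporary directory so the script runs stand-alone; on an RPM-based system the packaged half of this is what rpm -V on the httpd and module packages already reports, and the extra value here is the "unexpected" bucket for modules that are not owned by any package.

```python
import hashlib
import os
import re
import tempfile

# "LoadModule <name> <path>", path optionally quoted; comment lines are skipped.
LOAD_MODULE_RE = re.compile(r'^\s*LoadModule\s+(\S+)\s+"?([^"\s]+)"?\s*$', re.IGNORECASE)


def parse_load_modules(config_text, server_root):
    """Return [(module_name, absolute_path)] for each LoadModule httpd would honour."""
    modules = []
    for line in config_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = LOAD_MODULE_RE.match(line)
        if m:
            name, path = m.group(1), m.group(2)
            if not os.path.isabs(path):
                path = os.path.join(server_root, path)  # httpd resolves relative to ServerRoot
            modules.append((name, os.path.normpath(path)))
    return modules


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_modules(config_text, server_root, baseline):
    """Classify each loaded module against a manifest of known-good hashes.

    baseline: {module_name: sha256 hex of its .so as shipped by the package}.
    Returns {"ok": [...], "modified": [...], "unexpected": [...], "missing": [...]}.
    "unexpected" (a module no package accounts for) and "modified" (hash differs)
    are the two findings worth investigating.
    """
    report = {"ok": [], "modified": [], "unexpected": [], "missing": []}
    for name, path in parse_load_modules(config_text, server_root):
        if not os.path.exists(path):
            report["missing"].append(name)
        elif name not in baseline:
            report["unexpected"].append(name)
        elif sha256_file(path) != baseline[name]:
            report["modified"].append(name)
        else:
            report["ok"].append(name)
    return report


def run_demo():
    """Constructed scenario in a temp dir: two packaged modules (one later altered),
    one module no package owns, and one directive pointing at a file that is gone."""
    with tempfile.TemporaryDirectory(prefix="httpd-audit-") as root:
        moddir = os.path.join(root, "modules")
        os.makedirs(moddir)
        for fname in ("mod_ssl.so", "mod_php5.so", "mod_extra.so"):
            with open(os.path.join(moddir, fname), "wb") as f:
                f.write(b"\x7fELF constructed stand-in for " + fname.encode())
        # Manifest taken while the files were pristine (what the package DB holds).
        baseline = {
            "ssl_module": sha256_file(os.path.join(moddir, "mod_ssl.so")),
            "php5_module": sha256_file(os.path.join(moddir, "mod_php5.so")),
        }
        # Simulate tampering after install: the binary on disk no longer matches.
        with open(os.path.join(moddir, "mod_php5.so"), "ab") as f:
            f.write(b"\x90\x90 constructed appended bytes")
        config = (
            f'ServerRoot "{root}"\n'
            "# LoadModule commented_module modules/mod_commented.so\n"
            "LoadModule ssl_module modules/mod_ssl.so\n"
            'LoadModule php5_module "modules/mod_php5.so"\n'
            "LoadModule extra_module modules/mod_extra.so\n"
            "LoadModule gone_module modules/mod_gone.so\n"
        )
        return audit_modules(config, root, baseline)


if __name__ == "__main__":
    print(run_demo())
```

The baseline has to come from somewhere trustworthy (the package database, or a hash list taken at install time and stored off the host); a manifest generated on an already-compromised server only tells you the server agrees with itself.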
Re: IronKey
Jonathan Duncan wrote:
> I thought this might be interesting to people on this list. Pretty cool little USB drive: http://bluesun7.com/jonathan/?p=77
> Jonathan

Great idea. Currently only supported on Windows though. Linux drivers are in alpha release, so there may be better support soon.

Kenneth
Re: I got/gave Linux for Xmas?
Jon Gale wrote:
> The Asus EeePC is the coolest little device I have played with in years. I haven't had much time for hacking/tinkering, but so far I'm very impressed.

Can you play a DVD on the EeePC?
Re: Myth trade
Brandon Beattie wrote:
> Redline AN-80i, 15ms latency, 50 miles, 90Mb ethernet speed (140 wireless speed), 5.4Ghz band. I've used other Redline equipment in the past and it's pretty reliable.
> --Brandon

I am curious, how much would a pair cost? All of the sites I visited either said call for more information, or fill out this form for more information? This would seem to imply they are very pricey?
Re: Unable to freeze zone - Bind DNS - problem with views?
Josh Hansen wrote:
> Try 'rndc freeze t0e.org in internal'
>
> You need to specify both the class and the view when using rndc with views enabled.

Thank you! *blush* Wow, one little word can make all the difference. None of the documents or google references, that I could find, seem to use the view configuration, so I couldn't find any examples. Adding the 'in' keyword fixed everything.

Thanks,
Kenneth
Unable to freeze zone - Bind DNS - problem with views?
I am experiencing some weird errors when I attempt to freeze a DNS zone:

    [EMAIL PROTECTED] ~]# rndc freeze
    rndc: 'freeze' failed: unexpected end of input
    [EMAIL PROTECTED] ~]# rndc freeze t0e.org
    rndc: 'freeze' failed: not found
    [EMAIL PROTECTED] ~]# rndc freeze t0e.org internal
    rndc: 'freeze' failed: unknown class/type

Usage:

    [EMAIL PROTECTED] ~]# rndc
    ...
    freeze zone [class [view]]
          Suspend updates to a dynamic zone.

I am using bind and dhcpd for my local network. My OS is CentOS 5. I have frozen zones before fine. The only difference I can think of is instead of using some sample zone files off of the internet, I am using the ones provided with bind, and they use views. I can query the DNS server fine, I can even do dynamic updates from DHCP clients. The only strange issue I run into is I am no longer able to freeze the zones, so I can update the zones, without breaking the dynamic updates.

I used the sample named.conf file, and made the following modifications (see attached):

1. options: listen-on
2. view localhost-resolver: my zones
3. view internal: my zones, commented out sample zones
4. include rndc key file
5. view external: commented all out

I am also using the following files:

    cp /usr/share/doc/bind-9.3.3/sample/etc/named.conf /etc/named.conf
    cp /usr/share/doc/bind-9.3.3/sample/etc/named.root.hints
    cp /usr/share/doc/bind-9.3.3/sample/etc/named.rfc1912.zones /etc/named.rfc1912.zones
    cp /usr/share/doc/bind-9.3.3/sample/etc/rndc.conf /etc/rndc.key
    chown root:named /etc/named*
    cat /usr/share/doc/bind-9.3.3/sample/var/named/named.root > /var/named/named.root
    chown root:named /var/named/named.root

Any thoughts or ideas as to what can be done to correct this?

Thanks in advance,
Kenneth

    //
    // Sample named.conf BIND DNS server 'named' configuration file
    // for the Red Hat BIND distribution.
    //
    // See the BIND Administrator's Reference Manual (ARM) for details, in:
    //   file:///usr/share/doc/bind-*/arm/Bv9ARM.html
    // Also see the BIND Configuration GUI : /usr/bin/system-config-bind and
    // its manual.
    //
    options
    {
        /* make named use port 53 for the source of all queries, to allow
         * firewalls to block all ports except 53:
         */
        query-source    port 53;
        query-source-v6 port 53;

        // Put files that named is allowed to write in the data/ directory:
        directory "/var/named"; // the default
        dump-file           "data/cache_dump.db";
        statistics-file     "data/named_stats.txt";
        memstatistics-file  "data/named_mem_stats.txt";

        listen-on { 127.0.0.1; 10.10.10.1; };
    };
    logging
    {
        /* If you want to enable debugging, eg. using the 'rndc trace' command,
         * named will try to write the 'named.run' file in the $directory (/var/named).
         * By default, SELinux policy does not allow named to modify the /var/named directory,
         * so put the default debug log file in data/ :
         */
        channel default_debug {
            file "data/named.run";
            severity dynamic;
        };
    };
    //
    // All BIND 9 zones are in a view, which allow different zones to be served
    // to different types of client addresses, and for options to be set for groups
    // of zones.
    //
    // By default, if named.conf contains no view clauses, all zones are in the
    // default view, which matches all clients.
    //
    // If named.conf contains any view clause, then all zones MUST be in a view;
    // so it is recommended to start off using views to avoid having to restructure
    // your configuration files in the future.
    //
    view "localhost_resolver"
    {
        /* This view sets up named to be a localhost resolver ( caching only nameserver ).
         * If all you want is a caching-only nameserver, then you need only define this view:
         */
        match-clients      { localhost; };
        match-destinations { localhost; };
        recursion yes;
        # all views must contain the root hints zone:
        include "/etc/named.root.hints";

        /* these are zones that contain definitions for all the localhost
         * names and addresses, as recommended in RFC1912 - these names should
         * ONLY be served to localhost clients:
         */
        include "/etc/named.rfc1912.zones";

        zone "t0e.org" IN {
            type master;
            file "t0e.org.zone";
            allow-update { key rndckey; };
            notify yes;
        };

        zone "10.10.10.in-addr.arpa" {
            type master;
            file "t0e.org.rev";
            allow-update { key rndckey; };
            notify yes;
        };
    };
    view "internal"
    {
        /* This view will contain zones you want to serve only to internal clients
           that connect via your directly attached LAN interfaces - localnets .
         */
        match-clients      { localnets; };
        match-destinations { localnets; };
        recursion yes;
        // all views must contain the root hints zone:
Re: Iptables breaks a working VoIP phone?
Kenneth Burgener wrote:
> Hello. I made a switch in my firewall device, and now my Broadvoice VoIP connection is having some issues.

Just wanted to do a quick follow up on this issue. I was able to resolve the issue, after some discussion on the shorewall lists. The cause of the problem happened to be the iptables modules ip_nat_sip and ip_conntrack_sip. I assume the purpose of the modules is to help a dumb SIP device work with NAT. The problem is, I assume again, that Broadvoice had configured the Sipura ATA device to work with NAT out of the box, so the two were conflicting. After disabling the modules, my phone now works wonderfully. No port forwarding necessary at all.

Thanks all who gave suggestions and ideas.

Kenneth
Re: RAID Partition Restore
Brandon Stout wrote:
> I have 2 SATA drives using RAID 1 (striping - all files get written to both drives for faster writing).

I believe RAID 1 is mirroring, and RAID 0 is striping. [1] If you are using RAID 1, mirroring the two drives, the maximum disk capacity would be the capacity of one of the drives. So if you had 332 GB available then you probably were using RAID 0 striping, which is a misnomer as there is no redundancy with RAID 0.

Furthermore you are using the cheap SATA BIOS RAID which, in my opinion, is worse than standard software RAID as you are relying on a RAID setup that is only standard to your motherboard. At least with an OS fronting the software RAID you can generally get away with moving it to another like machine running the same OS, or at least restoring it from another like machine.

As far as restoring, yes you probably can restore your partitions, but probably not without the help of a data recovery service, or some forensic tools.

Now as a suggestion, you may want to look at doing RAID 1 mirroring for your OS partition, maybe a RAID 1 mirror for a data partition, and a RAID 0 striping partition as a temporary space partition if you feel the performance gain is worth the risk. Most people get a 3rd disk and use RAID 5 as you get good disk capacity, and decent performance. It's all about compromise.

Oh and switch to Linux :-)

[1] http://en.wikipedia.org/wiki/RAID#Standard_RAID_levels
Re: Iptables breaks a working VoIP phone?
Dave Smith wrote:
> Have you run Wireshark on the phone-side to see what the traffic looks like in both scenarios (1, with the Linksys router, and 2, with the Linux firewall?)

My network is set up like this:

    Internet - Comcast Modem - Linux Firewall - Network Switch - Sipura SPA 2100 ATA - All analog phones in house

The Switch should not be broadcasting all traffic to anything other than the source destination interface ports. This would leave the Linux Firewall as the only place I can gather network data. So I wouldn't be able to do any network monitoring with the Linksys router swapped out for the Network Switch.

Kenneth
Re: Iptables breaks a working VoIP phone?
Corey Edwards wrote:
> At that point, RTP begins to flow between the two IP addresses specified. This is where NAT becomes a problem. If the endpoints aren't aware of NAT (which is its design), they will specify their internal addresses and the return packets will be silently discarded by some router's egress filters. This is one reason why NAT sucks.
>
> You can trick it using connection tracking and SIP transformations. Or a tool like STUN to tell the endpoint what its routeable address actually is. Or a proxy which knows how to filter out the RFC1918 addresses and put in the correct values.

As I have been reading about it, I saw one comment made by someone else that seemed to indicate that the Linksys is doing some sort of SIP proxy. Is there a Linux SIP proxy that can pick up on SIP traffic and just magically do its stuff, similar to the Linksys? I have no way of configuring the Sipura, so whatever the solution is, it will have to be transparent to the Sipura device. The Sipura is set up to send all traffic to the default gateway, which happens to of course be either the Linksys router or the Linux firewall.

Kenneth
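To make Corey's point concrete, here is an added example in Python (my code, not from this thread, the Sipura, or the netfilter helpers): it builds a constructed SIP INVITE the way a NAT-unaware ATA would send it, reports which of the addresses the far end will actually use (Via for replies, Contact for later requests, the SDP c= line for RTP) fall in RFC1918 space, and performs the rewrite a SIP ALG or the ip_nat_sip helper does, including the Content-Length fix-up that editing the SDP body requires. The addresses are constructed: 10.10.10.225 is the ATA address used elsewhere in this thread, and 203.0.113.7 is a documentation-range stand-in for the public address, which is why RFC1918 membership is checked explicitly rather than with ipaddress.is_private. Fed an INVITE from an ATA that already advertises its public address, needs_alg() returns False, which is the case Kenneth later reports for a Sipura pre-configured for NAT: there is nothing left for a helper to rewrite.

```python
import ipaddress
import re

# RFC1918 ranges, checked explicitly so that documentation-range addresses
# (which Python's is_private also flags) count as public in this demo.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def build_invite(advertised_ip, rtp_port=16384):
    """Constructed INVITE: every self-reference carries advertised_ip, the way an ATA
    that does not know it is behind NAT fills in its own interface address."""
    body = (
        "v=0\r\n"
        f"o=- 1 1 IN IP4 {advertised_ip}\r\n"
        "s=-\r\n"
        f"c=IN IP4 {advertised_ip}\r\n"          # where the far end will send RTP
        "t=0 0\r\n"
        f"m=audio {rtp_port} RTP/AVP 0\r\n"
    )
    headers = (
        "INVITE sip:5551234567@sip.example.net SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP {advertised_ip}:5060;branch=z9hG4bK-1\r\n"   # replies go here
        "From: <sip:user@sip.example.net>;tag=a1\r\n"
        "To: <sip:5551234567@sip.example.net>\r\n"
        "Call-ID: c1@ata.example\r\n"
        "CSeq: 1 INVITE\r\n"
        f"Contact: <sip:user@{advertised_ip}:5060>\r\n"                  # later requests go here
        "Content-Type: application/sdp\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
    )
    return headers + body


def advertised_addresses(msg):
    """Extract the addresses/port a SIP peer will actually use from a request."""
    head, _, body = msg.partition("\r\n\r\n")
    found = {}
    m = re.search(r"^Via:.*?\s" + IPV4, head, re.M)
    if m:
        found["via"] = m.group(1)
    m = re.search(r"^Contact:.*?@" + IPV4, head, re.M)
    if m:
        found["contact"] = m.group(1)
    m = re.search(r"^c=IN IP4 " + IPV4, body, re.M)
    if m:
        found["sdp_c"] = m.group(1)
    m = re.search(r"^m=audio (\d+)", body, re.M)
    if m:
        found["rtp_port"] = int(m.group(1))
    return found


def needs_alg(msg):
    """True when the request advertises an RFC1918 address: without a SIP helper,
    STUN or a NAT-aware ATA, replies and RTP would be sent to an unroutable address."""
    a = advertised_addresses(msg)
    return any(is_rfc1918(a[k]) for k in ("via", "contact", "sdp_c") if k in a)


def rewrite_for_nat(msg, internal_ip, public_ip):
    """What a SIP ALG / ip_nat_sip does: swap the internal address for the public one
    in headers and SDP, then correct Content-Length because the body changed size."""
    head, sep, body = msg.partition("\r\n\r\n")
    head = head.replace(internal_ip, public_ip)
    body = body.replace(internal_ip, public_ip)
    head = re.sub(r"^Content-Length: \d+", f"Content-Length: {len(body)}", head, flags=re.M)
    return head + sep + body


def content_length_ok(msg):
    head, _, body = msg.partition("\r\n\r\n")
    m = re.search(r"^Content-Length: (\d+)", head, re.M)
    return m is not None and int(m.group(1)) == len(body)


def demo():
    nat_unaware = build_invite("10.10.10.225")
    fixed = rewrite_for_nat(nat_unaware, "10.10.10.225", "203.0.113.7")
    nat_aware = build_invite("203.0.113.7")   # ATA already told its public address
    return {
        "unaware_needs_alg": needs_alg(nat_unaware),
        "fixed_needs_alg": needs_alg(fixed),
        "fixed_length_ok": content_length_ok(fixed),
        "aware_needs_alg": needs_alg(nat_aware),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running advertised_addresses() over a capture taken on the firewall's outside interface is the quick way to see which of the two cases a given ATA is in before deciding whether a helper, STUN or a proxy belongs in the path.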
Re: Iptables breaks a working VoIP phone?
Corey Edwards wrote:
> ...I'm doubtful that a proxy is required. Clearly removing NAT is the best solution, but then again I'm a NAT-hating bigot so don't take my word for it.

How does one go about removing NAT considering most ISPs (including mine) include only one IP address? To add even 5 addresses, which will not cover all of my computers, costs a significant increase, almost double (at which point I would just drop the VoIP phone, and switch to their digital voice phone), and to get 15 addresses would be unheard of. As I was discussing with a coworker, there are ideal perfect solutions, and then there is reality. Unfortunately, my budget resides in the latter. :-)

As far as SER and OpenSER, would I conceptually install these upon the firewall, and they will magically intercept the SIP traffic and make it work, or does the Sipura box have to be aware of the proxy?

Thanks,
Kenneth
Re: Iptables breaks a working VoIP phone?
Shane Hathaway wrote:
> iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -d '!' 10.10.10.0/24 -j MASQUERADE

I have configured the machine to use masquerading, since the Comcast IP address is dynamic, and all of my internal machines can access the Internet, so I think I am good on this step.

> Once you've done that, machines on your LAN should be able to contact the Internet through your firewall. At the same time, assuming you have no other rules, no Internet machine should have the ability to initiate a connection with a machine in your LAN (unless someone at your ISP spoofs a 10.10.10.x destination address).

Check.

> 2. If you can not reconfigure your SIP ATA, the ATA is probably registering with your upstream provider using an internal IP address rather than the external IP address. You need the conntrack_sip module to make your router edit the SIP stream.

lsmod shows a conntrack_sip loaded, so I assume it somehow magically detects SIP traffic, or is there something more I need for the configuration?

> 3. You should only use DNAT rules if you want to run Internet servers. If you have a web server at address 10.10.10.2, the DNAT rule might look like:

Check.

> iptables -t nat -A PREROUTING -p tcp -d x.x.x.x --destination-port 80 -j DNAT --to-destination 10.10.10.2
>
> DNAT is appropriate for running an Asterisk server, but is not normally required for a SIP phone.
>
> Shane

This is basically the thought process I have gone through trying to figure out why this setup is not working, which is why I am frustrated that it is not working, as everything appears to be configured as needed.
Iptables breaks a working VoIP phone?
Hello. I made a switch in my firewall device, and now my Broadvoice VoIP connection is having some issues.

A little history... Up till today I have been using a Sipura SPA-2100 VoIP ATA device with BroadVoice, with no problems. I have been using a Linksys WRT54G Wireless-G Broadband Router. I did not have ANY special settings (no port forwarding, or port triggering) configured in the Linksys router to have my VoIP connection work. It just worked.

Today I decided I wanted to set up a Linux firewall box using iptables (shorewall frontend) to replace the Linksys router. I use a similar Linux firewall setup at work with no problems.

I know the first point that will be made is the cause of the problem is the NAT. Well of course it is, but how come the NAT configuration with the Linksys router worked, and the Linux firewall doesn't?

Symptoms:
1. As it initially stood, I can make a call inbound or outbound to my cell phone, and either phone rings.
2. If I dial out from my home phone to my cell phone I can hear audio from my cell phone on the home phone speaker, but not the other way.
3. If I dial in from my cell phone, I cannot hear audio from either direction.

As I mentioned I am fronting iptables with shorewall (to make the configuration easier). I attempted to add the following rules to see if that would improve the situation, as I saw this mentioned on some article found by google:

    # Allow IAX2, SIP and RTP To Firewall
    DNAT    net    lan:10.10.10.225    udp    4569,5060,1:2

This did not help or change the symptoms described above. I also tried these rules:

    # FORWARD **ALL** TRAFFIC
    DNAT    net    lan:10.10.10.225    udp    0:65535
    DNAT    net    lan:10.10.10.225    tcp    0:65535

But the same symptoms continued.

On a side note, SSH, HTTP, HTTPS, POP, SMTP, ETC... all forward to their respective servers fine with their respective ports forwarded. The only service I am struggling with is the one I had zero configuration with before.

I don't know if this will help with my question, but I do have sip connection tracking modules loaded. I didn't load them manually, so either they came with the CentOS 5 install, or loaded with the shorewall configuration.

    [EMAIL PROTECTED] shorewall]# lsmod | grep sip
    ip_nat_sip              8129  0
    ip_conntrack_sip       11313  1 ip_nat_sip
    ip_nat                 20973  12 ipt_SAME,ipt_REDIRECT,ipt_NETMAP,ipt_MASQUERADE,ip_nat_tftp,ip_nat_sip,ip_nat_pptp,ip_nat_irc,ip_nat_h323,ip_nat_ftp,ip_nat_amanda,iptable_nat
    ip_conntrack           53153  24 ipt_MASQUERADE,ip_nat_tftp,ip_nat_snmp_basic,ip_nat_sip,ip_nat_pptp,ip_nat_irc,ip_nat_h323,ip_nat_ftp,ip_nat_amanda,ip_conntrack_tftp,ip_conntrack_sip,ip_conntrack_pptp,ip_conntrack_netbios_ns,ip_conntrack_irc,ip_conntrack_h323,ip_conntrack_ftp,ip_conntrack_amanda,xt_helper,xt_conntrack,xt_CONNMARK,xt_connmark,xt_state,iptable_nat,ip_nat

Any ideas?

Thanks in advance,
Kenneth
Re: Iptables breaks a working VoIP phone?
Gabriel Gunderson wrote:
> In general, I agree with this. But whatever you use, make sure iptables has a debugging mode where everything is logged before dropped. It's likely you will be able to look at your logs, see what is being dropped, and make changes to fix it.
>
> Good luck.
> Gabe

I have dropped packets being logged, and I can see the source/destination IP and port of an occasional packet being lost. I am not sure whether the packets I am seeing are from the direct phone call or some sort of ping VoIP traffic. When I put in the rules where it would forward ALL TCP/UDP traffic to the Sipura box, these logs would no longer appear, but the phone calls were still broken.

The weekend is over and my wife wishes to have a working phone, so I switched back to the Linksys router, and the phone began to work like magic again. I am still determined to get the Linux firewall working, as I can do so much more with the Linux firewall.

The only two thoughts I have as to what could be the problem are:

1. The Linksys does some sort of special NAT. The shorewall configuration has both options for NAT and masquerading, and I am using the masquerading option. I assume this is just a 1 to many NAT, where the NAT option is a 1 to 1 translation of NAT. I assume since I only have one IP address, that the Linksys would be doing the masquerading NAT that I have shorewall configured for.

2. Connection tracking. I know with FTP you had to have a special connection tracking module, which is why I brought up that I had the sip-tracking module loaded. I am wondering if it is not working right, but I am not sure there are any configuration options, or even if I have iptables/shorewall set up correctly to indicate this is SIP traffic.

Thoughts?

Thanks,
Kenneth
Re: Iptables breaks a working VoIP phone?
Kenneth Burgener wrote:
> Hello. I made a switch in my firewall device, and now my Broadvoice VoIP connection is having some issues.

I don't know if this will help with my question, but I do have sip connection tracking modules loaded. I didn't load them manually, so either they came with the CentOS 5 install, or loaded with the shorewall configuration.

    [EMAIL PROTECTED] shorewall]# lsmod | grep sip
    ip_nat_sip              8129  0
    ip_conntrack_sip       11313  1 ip_nat_sip
    ip_nat                 20973  12 ipt_SAME,ipt_REDIRECT,ipt_NETMAP,ipt_MASQUERADE,ip_nat_tftp,ip_nat_sip,ip_nat_pptp,ip_nat_irc,ip_nat_h323,ip_nat_ftp,ip_nat_amanda,iptable_nat
    ip_conntrack           53153  24 ipt_MASQUERADE,ip_nat_tftp,ip_nat_snmp_basic,ip_nat_sip,ip_nat_pptp,ip_nat_irc,ip_nat_h323,ip_nat_ftp,ip_nat_amanda,ip_conntrack_tftp,ip_conntrack_sip,ip_conntrack_pptp,ip_conntrack_netbios_ns,ip_conntrack_irc,ip_conntrack_h323,ip_conntrack_ftp,ip_conntrack_amanda,xt_helper,xt_conntrack,xt_CONNMARK,xt_connmark,xt_state,iptable_nat,ip_nat
Re: NAT evil scourge?
Corey Edwards wrote:
> On Tue, 2007-10-16 at 10:49 -0500, Andrew McNabb wrote:
>> On Tue, Oct 16, 2007 at 08:58:59AM -0600, Michael L Torrie wrote:
>>> If I was designing the BYU network, I would have made public address translate to private addresses, and split the DNS. That way the world would see servers on the 128.187. addresses, but the same servers from within the byu network would see the 10.x addresses. That makes routing a lot more sane.
>> That's the way we did it in the CS Department, and although it works pretty well, it's still a headache. If I were designing the BYU network, I would give everything 128.187 addresses, and I would use a novel tool called a firewall to limit outside access to private machines. I guess that makes me a heretic.
> Heretic, maybe, but it also makes you sane. NAT is an evil scourge upon our Internet and I long for the day it is eradicated.
> Corey

Out of curiosity, why do you claim NAT is an evil scourge? The only downside I could see for NAT is slightly more configuration for the network administrator (and possible port mapping exhaustion on a large network). The benefits of NAT all seem to be benefits:

- Provides a basic firewall mechanism by its very nature
- Reduces the number of needed public IP addresses
- Easy to set up by most home users, as it is now built into all DSL/Cable modem routers

I haven't found many articles for or against NAT, but I may be looking in the wrong place. One article I found said NAT is not so bad: Why NAT Isn't As Bad As You Thought [1]. The one claim I have found is that it breaks the direct peer-to-peer connection. I think to geeks and corporations this may be a concern, but to the average home owner I think not having joe hacker have direct access to my grandmother's computer outweighs this concern.

What are your concerns?

Kenneth

[1] http://www.circleid.com/posts/why_nat_isnt_as_bad_as_you_thought/
Re: IDS/IPS and File Integrity Monitoring Systems
Kenneth Burgener wrote:
> I am hoping someone on the PLUG might be able to help point me in the right direction. For your production servers (running Linux of course :-), which software do you use for:
>
> 1. Intrusion detection (IDS) or intrusion prevention (IDP)
> 2. File integrity monitoring
>
> Open source would be preferred, but not a requirement. I have had such things as Tripwire, Snort, etc. suggested to me. What software do you find works best for you? Something that would work on CentOS (RHEL clone) would be preferred. Any suggestions?

Just wondering if anyone else might have other suggestions, or if OSSEC is the only good option?
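To make concrete what the file integrity monitoring tools named in the thread (Tripwire, OSSEC) actually do underneath, here is a minimal baseline-and-compare checker, added as an example and not taken from the thread or from any of those projects. It records a SHA-256 of each file's content plus the mode, owner and size, then diffs a later scan against the stored baseline and reports added, removed and changed paths, with the specific fields that changed. The demo() scenario, its file names and the "tampering" it simulates are all constructed for the example.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def file_record(path):
    """Content hash plus the metadata a FIM tool watches (mode, owner, size).
    Symlinks are hashed by their target string rather than followed, so a
    link redirected to another file shows up as changed."""
    st = os.lstat(path)
    h = hashlib.sha256()
    if stat.S_ISLNK(st.st_mode):
        h.update(os.readlink(path).encode())
    elif stat.S_ISREG(st.st_mode):
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
    return {"sha256": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size}


def build_baseline(root):
    """Walk root without following symlinks; keys are POSIX relative paths."""
    root = Path(root)
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            baseline[p.relative_to(root).as_posix()] = file_record(p)
    return baseline


def compare(baseline, current):
    """Diff two scans into added / removed / changed (with the fields that differ)."""
    old, new = set(baseline), set(current)
    changed = {}
    for path in old & new:
        diffs = {k: (baseline[path][k], current[path][k])
                 for k in baseline[path] if baseline[path][k] != current[path][k]}
        if diffs:
            changed[path] = diffs
    return {"added": sorted(new - old), "removed": sorted(old - new),
            "changed": changed}


def demo():
    """Constructed scenario: take a baseline, simulate tampering, re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for d in ("bin", "etc", "var/log"):
            (root / d).mkdir(parents=True)
        ls = root / "bin" / "ls"
        passwd = root / "etc" / "passwd"
        secure = root / "var" / "log" / "secure"
        ls.write_bytes(b"#!/bin/sh\nexec /usr/bin/ls \"$@\"\n")
        passwd.write_text("root:x:0:0:root:/root:/bin/bash\n")
        secure.write_text("Oct 16 10:49:06 fw sshd[1234]: Accepted publickey for kenneth\n")
        os.chmod(passwd, 0o644)            # pin the mode so the baseline is umask-independent
        baseline = build_baseline(root)

        # Simulated tampering (constructed for the example, not a real incident).
        ls.write_bytes(b"#!/bin/sh\nexec /usr/bin/ls \"$@\"\n# trojaned\n")  # content changed
        os.chmod(passwd, 0o666)                                               # mode only
        (root / "etc" / "ld.so.preload").write_text("/tmp/x.so\n")            # new file
        secure.unlink()                                                       # log removed
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The part this toy leaves out is what separates a script from a product: the baseline has to live somewhere the monitored host cannot rewrite (read-only media, or a central server as in OSSEC's agent/server split, or a signed database as Tripwire uses), because anyone who can replace /bin/ls can also regenerate a local baseline that blesses the replacement. Scheduling, exclusions for files that legitimately churn (logs, package caches) and alerting on the diff are the other pieces the tools named above supply.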