[SLUG] Firefox woes

2008-01-29 Thread Heracles

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

I have noticed lately that firefox locks up quite a bit and needs to be
killed and restarted. Is anyone else having this problem? (Ubuntu 7.10,
firefox 2.0.0.11 and gnome 2.20.1)

Heracles
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHn565ybPcBAs9CE8RAj0rAKCSBeXAPYtnc/QkjQOBeijRkSkwBACfZa6Y
r7r9LGt/KYQZftJdWq+dkY4=
=+I79
-END PGP SIGNATURE-
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html


Re: [SLUG] Firefox woes

2008-01-29 Thread Kristian Erik Hermansen
On Jan 29, 2008 1:46 PM, Heracles [EMAIL PROTECTED] wrote:
 I have noticed lately that firefox locks up quite a bit and needs to be
 killed and restarted. Is anyone else having this problem? (Ubuntu 7.10,
 firefox 2.0.0.11 and gnome 2.20.1)

If I use flash, yes.  Luckily, I utilize flashblock + noscript +
adblockplus.  This prevents Firefox from becoming deluged by
horrible/malicious code.  I probably have had my browser up for months
at a time due to this.  If I allow flash blindly, FF breaks nearly
every browsing session if I am utilizing many tabs...hth
-- 
Kristian Erik Hermansen
Know something about everything and everything about something.


Re: [SLUG] Restricting access to certain IP addresses with OpenVPN

2008-01-29 Thread Phil Scarratt

Andre Kolodochka wrote:

 Hi sluggers,
 
 We have OpenVPN server running internally for employees to access our
 network from home. We have a request from a potential client to access
 some internal demo systems. They are happy to install and use OpenVPN
 client, however I won't be happy giving them the full access to our
 network.
 
 Hence the question. Is it possible to restrict access for certain
 users only to specific set of IP addresses? So everyone except this
 client will be able to use VPN to access everything on the network as
 usual and potential client will be able to access only boxes on those
 specific IP addresses?

What you should be able to do is configure OpenVPN to always assign the 
client the same IP address (I believe that is documented in OpenVPN 
sample conf file), then you could use iptables to restrict that client 
IP address access to the network...


Fil
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
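
One way to carry out the fixed-address suggestion above, as an added example that is not part of the original thread. It assumes net30 topology, a server config containing "client-config-dir /etc/openvpn/ccd", tun0 as the VPN interface, and constructed addresses; the function names are hypothetical.

```shell
#!/bin/sh
# Prints the ccd entry and firewall rules for one client with a fixed address.
# Nothing is applied. Assumed, not from the thread: net30 topology, a server
# config containing "client-config-dir /etc/openvpn/ccd", tun0 as the VPN
# interface, and the constructed addresses in the sample call.

# In net30 mode each client owns a /30: the client address ends in 4k+1 and
# the server-side peer in 4k+2. Other addresses are refused.
ccd_line() {
    ip="$1"
    case "$ip" in ""|*[!0-9.]*) return 1 ;; esac
    case "$ip" in *.*.*.*) ;; *) return 1 ;; esac
    last=${ip##*.}; prefix=${ip%.*}
    case "$last" in 0?*) return 1 ;; esac          # no leading zeros
    [ -n "$last" ] && [ $((last % 4)) -eq 1 ] || return 1
    echo "ifconfig-push $ip $prefix.$((last + 1))"
}

# Rules for the fixed address: allow one host/port, reject everything else.
# They are inserted at positions 1 and 2 of FORWARD so they are evaluated
# before any rule that accepts VPN traffic in general.
static_rules() {
    ip="$1"; dest="$2"; port="$3"
    echo "iptables -I FORWARD 1 -i tun0 -s $ip/32 -d $dest -p tcp --dport $port -j ACCEPT"
    echo "iptables -I FORWARD 2 -i tun0 -s $ip/32 -j REJECT"
}

# Constructed sample: client4 pinned to 10.8.1.1, allowed ssh to 192.168.11.10.
# The ccd file is named after the certificate common name.
if line=$(ccd_line 10.8.1.1); then
    echo "# /etc/openvpn/ccd/client4"
    echo "$line"
    static_rules 10.8.1.1 192.168.11.10 22
fi
```

The fixed address should come from a range outside the server's dynamic pool, so that the pool never hands the same address to another client.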


Re: [SLUG] Firefox woes

2008-01-29 Thread Heracles

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Thanks Erik,
That is probably the problem. I use flash and usually have several tabs
open when I run 32bit Ubuntu. When I boot into 64bit Debian Etch I have
no flash and no problems. Unfortunately I need flash for some things -
hence the 32/64bit dual boot.

Heracles

Kristian Erik Hermansen wrote:
| On Jan 29, 2008 1:46 PM, Heracles [EMAIL PROTECTED] wrote:
| I have noticed lately that firefox locks up quite a bit and needs to be
| killed and restarted. Is anyone else having this problem? (Ubuntu 7.10,
| firefox 2.0.0.11 and gnome 2.20.1)
|
| If I use flash, yes.  Luckily, I utilize flashblock + noscript +
| adblockplus.  This prevents Firefox from becoming deluged by
| horrible/malicious code.  I probably have had my browser up for months
| at a time due to this.  If I allow flash blindly, FF breaks nearly
| every browsing session if I am utilizing many tabs...hth
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHn7EFybPcBAs9CE8RAki1AJ9lL33cNIJIoiya9TYFcCJ6YzI5BQCdE6HL
/MKMZVCQKsBNyuB7ZTCl+rY=
=I64T
-END PGP SIGNATURE-


[SLUG] Restricting access to certain IP addresses with OpenVPN

2008-01-29 Thread Andre Kolodochka
Hi sluggers,

We have OpenVPN server running internally for employees to access our
network from home. We have a request from a potential client to access
some internal demo systems. They are happy to install and use OpenVPN
client, however I won't be happy giving them the full access to our
network.

Hence the question. Is it possible to restrict access for certain
users only to specific set of IP addresses? So everyone except this
client will be able to use VPN to access everything on the network as
usual and potential client will be able to access only boxes on those
specific IP addresses?

Thanks in advance,

-- 
Andre Kolodochka
http://www.linkedin.com/in/andrek
https://www.xing.com/profile/Andre_Kolodochka
F: +61-2-9475-4774 | M: +61-408-282-138
Skype: kolodochka
MSN: [EMAIL PROTECTED]


Re: [SLUG] Firefox woes

2008-01-29 Thread Kristian Erik Hermansen
On Jan 29, 2008 3:04 PM, Heracles [EMAIL PROTECTED] wrote:
 That is probably the problem. I use flash and usually have several tabs
 open when I run 32bit Ubuntu. When I boot into 64bit Debian Etch I have
 no flash and no problems. Unfortunately I need flash for some things -
 hence the 32/64bit dual boot.

You don't need to dual boot to get Flash!  64-bit can use flash if you
install nspluginwrapper.  You'll even see my name on the project page
because I contributed a patch to the project :-)  I think
nspluginwrapper has made it into Ubuntu repos by now...
http://gwenole.beauchesne.info/projects/nspluginwrapper/#news
-- 
Kristian Erik Hermansen
Know something about everything and everything about something.


[SLUG] Re: Firefox woes

2008-01-29 Thread Richard Ibbotson

 You don't need to dual boot to get Flash!  64-bit can use flash if
 you install nspluginwrapper.  You'll even see my name on the
 project page because I contributed a patch to the project :-)  I
 think
 nspluginwrapper has made it into Ubuntu repos by now...
 http://gwenole.beauchesne.info/projects/nspluginwrapper/#news

I tried the same thing and it wouldn't work for me on AMD64 with the 
64-bit version of Etch.  On Kubuntu 7.10 AMD64 I find that the 
attached script works.   It will install 32-bit browsers on a 64-bit 
system.   ff32-3in1-6.2.3.tar.gz.  Use Google to find it out there on 
the net.

Haven't tried it on Etch but would like to get some feedback from 
people who have had a go at it.


-- 
Richard
www.sheflug.org.uk


ff32-3in1-6.2.3.tar.gz
Description: application/tgz

Re: [SLUG] Firefox woes

2008-01-29 Thread Rev Simon Rumble
This one time, at band camp, Heracles wrote:

 That is probably the problem. I use flash and usually have several tabs
 open when I run 32bit Ubuntu. When I boot into 64bit Debian Etch I have
 no flash and no problems. Unfortunately I need flash for some things -
 hence the 32/64bit dual boot.

Flashblock has a whitelist for sites where you must use Flash, and you 
can click on the flash icon to load an individual flash control when 
needed.  So you can whitelist youtube and for nearly everything else, 
just load the flash bits when you need it.

It even makes MySpace pages load quickly, though it won't improve the 
standard eye-searing designs.

-- 
Rev Simon Rumble [EMAIL PROTECTED]
www.rumble.net

The Tourist Engineer
Geeks need vacations too.
http://engineer.openguides.org/

 Women who seek to be equal with men lack ambition.
- Timothy Leary


Re: [SLUG] Restricting access to certain IP addresses with OpenVPN

2008-01-29 Thread Michael Chesterton


On 30/01/2008, at 9:56 AM, Phil Scarratt wrote:
 What you should be able to do is configure OpenVPN to always assign
 the client the same IP address (I believe that is documented in
 OpenVPN sample conf file), then you could use iptables to restrict
 that client IP address access to the network...


That's one way, the other way is learn-address.

# Suppose that you want to enable different
# firewall access policies for different groups
# of clients.  There are two methods:
# (1) Run multiple OpenVPN daemons, one for each
# group, and firewall the TUN/TAP interface
# for each group/daemon appropriately.
# (2) (Advanced) Create a script to dynamically
# modify the firewall in response to access
# from different clients.  See man
# page for more info on learn-address script.
learn-address /etc/openvpn/learn-script

--
Michael Chesterton
http://chesterton.id.au/blog/
http://barrang.com.au/



--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
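
A sketch of the learn-address hook mentioned above, as an added example that is not code from the thread or from OpenVPN. The vpn-<address> chain naming, the policy table and the function names are assumptions, and it expects an OPENVPN chain already reachable from FORWARD; by default it only prints the iptables commands.

```shell
#!/bin/sh
# learn-address hook sketch. OpenVPN invokes it as:
#   <script> add|update <client-vpn-address> <common-name>
#   <script> delete <client-vpn-address>
# Assumed, not from the thread: the vpn-<address> chain naming, the policy
# table in allowed_for(), and an existing OPENVPN chain reached from FORWARD.

# Dry run by default: commands are printed, not executed.
# Export IPT=iptables to apply them.
IPT="${IPT:-echo iptables}"
PARENT_CHAIN="OPENVPN"

# Policy: common name -> space-separated dest/proto/port entries.
# No entries means the client is unrestricted.
allowed_for() {
    case "$1" in
        client4) echo "192.168.11.10/tcp/22" ;;
        *)       echo "" ;;
    esac
}

# Tear down one client's jump rule and chain. "delete" carries no common
# name, so everything is keyed on the address. Errors for rules that do
# not exist yet are ignored.
drop_client() {
    chain="vpn-$1"
    $IPT -D "$PARENT_CHAIN" -s "$1/32" -j "$chain" 2>/dev/null || true
    $IPT -F "$chain" 2>/dev/null || true
    $IPT -X "$chain" 2>/dev/null || true
}

# Build the client's chain first and hook it into the parent chain last,
# so traffic never passes through a half-built chain.
add_client() {
    addr="$1"; cn="$2"; chain="vpn-$addr"
    entries=$(allowed_for "$cn")
    $IPT -N "$chain" || return 1
    for entry in $entries; do
        dest=${entry%%/*}; rest=${entry#*/}
        $IPT -A "$chain" -d "$dest" -p "${rest%%/*}" --dport "${rest#*/}" -j ACCEPT || return 1
    done
    if [ -n "$entries" ]; then
        $IPT -A "$chain" -j REJECT || return 1   # restricted: nothing else
    else
        $IPT -A "$chain" -j ACCEPT || return 1   # unrestricted client
    fi
    $IPT -I "$PARENT_CHAIN" -s "$addr/32" -j "$chain"
}

# For add and update, a non-zero return makes OpenVPN reject the address.
learn_address() {
    op="$1"; addr="$2"; cn="$3"
    # Dotted IPv4 only: tap mode passes MAC addresses, iroutes pass subnets.
    case "$addr" in ""|*[!0-9.]*) return 1 ;; esac
    case "$op" in
        add|update) [ -n "$cn" ] || return 1
                    drop_client "$addr"; add_client "$addr" "$cn" ;;
        delete)     drop_client "$addr" ;;
        *)          return 1 ;;
    esac
}

# Run as a hook only when OpenVPN supplies arguments.
if [ "$#" -ge 2 ]; then learn_address "$@"; fi
```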


Re: [SLUG] Restricting access to certain IP addresses with OpenVPN

2008-01-29 Thread jam
On Wed, 2008-01-30 at 10:47 +1100, [EMAIL PROTECTED] wrote:
 Hi sluggers,
 
 We have OpenVPN server running internally for employees to access our
 network from home. We have a request from a potential client to access
 some internal demo systems. They are happy to install and use OpenVPN
 client, however I won't be happy giving them the full access to our
 network.
 
 Hence the question. Is it possible to restrict access for certain
 users only to specific set of IP addresses? So everyone except this
 client will be able to use VPN to access everything on the network as
 usual and potential client will be able to access only boxes on those
 specific IP addresses?
 
 Thanks in advance,

This is quite tricky, not easily answered:

1) openvpn hands out dhcp addresses, not the same one to the same client

So you want your employees to access your local network when they get
given address 1-to-n, but your customer to not access the network when
he gets given 1-to-n.

I can conceive of virtual hosts based on port number and an adsl
router ...
Multiple openvpn sessions based on port numbers ...
Saying 'sorry too hard' ...
Trusting your customer ... or else what are you doing playing with
matches anyway

Use a pptp vpn from your 'demo setup' to the customer. You don't care
about his security.

Cheers
James



[SLUG] Re: Firefox woes

2008-01-29 Thread jam

On Wed, 2008-01-30 at 10:47 +1100, [EMAIL PROTECTED] wrote:
 I have noticed lately that firefox locks up quite a bit and needs to be
 killed and restarted. Is anyone else having this problem? (Ubuntu 7.10,
 firefox 2.0.0.11 and gnome 2.20.1)

Gee am I glad to hear this. shockhorrorgasp

I've installed firefox32 on my amd64. It crashes often (usually with
flash), but achieves the objective often enough.

So it's not my firefox32, it's firefox. Wipes brow.
James



Re: [SLUG] Firefox woes

2008-01-29 Thread jam

On Wed, 2008-01-30 at 10:47 +1100, [EMAIL PROTECTED] wrote:
  That is probably the problem. I use flash and usually have several tabs
  open when I run 32bit Ubuntu. When I boot into 64bit Debian Etch I have
  no flash and no problems. Unfortunately I need flash for some things -
  hence the 32/64bit dual boot.
 
 You don't need to dual boot to get Flash!  64-bit can use flash if you
 install nspluginwrapper.  You'll even see my name on the project page
 because I contributed a patch to the project :-)  I think
 nspluginwrapper has made it into Ubuntu repos by now...
 http://gwenole.beauchesne.info/projects/nspluginwrapper/#news

Nothing great is ever achieved too easily or by too many ...

The effort is greatly appreciated etc etc but it is like shaving with a
rusty blade. Blood is inevidible (sorry 'bout the spelling)

This works quite well http://ubuntuforums.org/showthread.php?t=202537
james



Re: [SLUG] Restricting access to certain IP addresses with OpenVPN

2008-01-29 Thread Phil Scarratt

[EMAIL PROTECTED] wrote:

 Quoting Andre Kolodochka [EMAIL PROTECTED]:
 
  Hi sluggers,
  
  We have OpenVPN server running internally for employees to access our
  network from home. We have a request from a potential client to access
  some internal demo systems. They are happy to install and use OpenVPN
  client, however I won't be happy giving them the full access to our
  network.
  
  Hence the question. Is it possible to restrict access for certain
  users only to specific set of IP addresses? So everyone except this
  client will be able to use VPN to access everything on the network as
  usual and potential client will be able to access only boxes on those
  specific IP addresses?
 
 I'm interested in achieving exactly that also within our project.
 
 The situation that we have is that our remote support people want to
 access the server and then go out to individual (possibly windows)
 workstations on the network.
 
 They can do that at the moment by opening vnc on the server and using
 the remote desktop client to go to the client machines. That is not
 ideal, but it does work.
 
 It would be really handy to be able to run some sort of script on the
 server to allow this to happen easily.
 
 It's really good to hear that there is actually so much expertise in
 this area on the mailing list.
 
 I am myself trying to come up with an easy gui interface, maybe in
 python, just to select all the hosts that would be available in the
 remote site. Click one and open access.
 
 So I am interested in what others are doing here...



You could simply use a web page that is dynamically updated (if needed) 
with info as to what machines are available on the network. Clicking on 
links could then open a vnc connection using the java applet that vnc 
comes with. This way, remote staff vpn in to the network - get access to 
the intranet page with all machines listed (maybe with some sort of 
authentication) and simply click to open a vnc session to that machine. 
Without giving it much thought, there are likely to be security issues 
though



[SLUG] HA Active/Passive Firewall - with TCP and NAT tracking

2008-01-29 Thread Greg Cockburn
Hi all,

I want to know if it is possible to share/track TCP/VPN(IPSEC)/NAT
connections between 2 Linux hosts.

At home I have a great Firewall.  It runs LEAF Bering uClibc 3.X / OPENSWAN
/ OPENVPN.  It is great.

At work I have 2 Cisco PIX running in a failover mode Active/Passive, and
those pix share VPN, TCP and NAT information, so that when
they failover from the active to the passive node, no one notices.

Is this possible to do in Linux?

Thanks,
Greg.


Re: [SLUG] Restricting access to certain IP addresses with OpenVPN

2008-01-29 Thread david . lyon

Quoting Andre Kolodochka [EMAIL PROTECTED]:


 Hi sluggers,
 
 We have OpenVPN server running internally for employees to access our
 network from home. We have a request from a potential client to access
 some internal demo systems. They are happy to install and use OpenVPN
 client, however I won't be happy giving them the full access to our
 network.
 
 Hence the question. Is it possible to restrict access for certain
 users only to specific set of IP addresses? So everyone except this
 client will be able to use VPN to access everything on the network as
 usual and potential client will be able to access only boxes on those
 specific IP addresses?


I'm interested in achieving exactly that also within our project.

The situation that we have is that our remote support people want to  
access the server and then go out to individual (possibly windows)  
workstations on the network.


They can do that at the moment by opening vnc on the server and using  
the remote  desktop client to go to the client machines. That is not  
ideal, but it does work.


It would be really handy to be able to run some sort of script on the  
server to allow this to happen easily.


It's really good to hear that there is actually so much expertise in
this area on the mailing list.


I am myself trying to come up with an easy gui interface, maybe in  
python, just to select all the hosts that would be available in the  
remote site. Click one and open access.


So I am interested in what others are doing here...

Regards

David







Re: [SLUG] HA Active/Passive Firewall - with TCP and NAT tracking

2008-01-29 Thread Alex Samad
On Wed, Jan 30, 2008 at 11:49:50AM +1100, Greg Cockburn wrote:
 Hi all,
 
 I want to know if it is possible to share/track TCP/VPN(IPSEC)/NAT
 connections between 2 Linux hosts.
 
 At home I have a great Firewall.  It runs LEAF Bering uClibc 3.X / OPENSWAN
 / OPENVPN.  It is great.
 
 At work I have 2 Cisco PIX running in a failover mode Active/Passive, and
 those pix share VPN, TCP and NAT information, so that when
 they failover from the active to the passive node, no one notices.
 
 Is this possible to do in Linux?

I believe the netfilter guys have just recently released something to allow for
the sharing of connection information between 2 Linux boxes for HA of Linux
firewalls

check out the netfilter web site
 
 Thanks,
 Greg.
 

-- 
I understand small business growth. I was one.

- George W. Bush
02/19/2000
New York Daily News



Re: [SLUG] Restricting access to certain IP addresses with OpenVPN

2008-01-29 Thread Alex Samad
On Wed, Jan 30, 2008 at 09:44:33AM +1100, Andre Kolodochka wrote:
 Hi sluggers,
 
 We have OpenVPN server running internally for employees to access our
 network from home. We have a request from a potential client to access
 some internal demo systems. They are happy to install and use OpenVPN
 client, however I won't be happy giving them the full access to our
 network.
 
 Hence the question. Is it possible to restrict access for certain
 users only to specific set of IP addresses? So everyone except this
 client will be able to use VPN to access everything on the network as
 usual and potential client will be able to access only boxes on those
 specific IP addresses?
 
 Thanks in advance,

the relevant lines from the conf file

client-connect /etc/openvpn/sydlxfw01-up.sh
client-disconnect /etc/openvpn/sydlxfw01-down.sh

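I have 1 script and use a sym link to give the above 2

#!/bin/sh
# One script installed under two names (via symlink); the name it was
# invoked as selects whether rules are inserted or deleted.

NM=$(basename "$0")

# (IPACTION is set but not used in the lines shown.)
if [ "$NM" = "sydlxfw01-up.sh" ]
then
    IPACTION=replace
    FWACTION=-I
fi

if [ "$NM" = "sydlxfw01-down.sh" ]
then
    IPACTION=delete
    FWACTION=-D
fi

# Every client: allow new connections from the address OpenVPN assigned it.
iptables "$FWACTION" OPENVPN -s "$ifconfig_pool_remote_ip/32" -m state --state NEW -j ACCEPT

# client4 only. With -I each rule goes to the top of the chain, so the rule
# inserted last (ssh to 192.168.11.10) is checked first, then the REJECT.
if [ "$common_name" = "client4" ]
then
    iptables "$FWACTION" OPENVPN -s "$ifconfig_pool_remote_ip/32" -j REJECT
    iptables "$FWACTION" OPENVPN -s "$ifconfig_pool_remote_ip/32" -d 192.168.11.10 -p tcp --dport 22 -j ACCEPT
fi

# OpenVPN disconnects the client if client-connect exits non-zero;
# this script always reports success.
exit 0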

You need to get the client names which you get from the certificate.

you will also need a chain in iptables which is linked to FORWARD where you can 
add or remove rules - I prefer to do this on a separate chain than the main 
one

this way you can deny/restrict based on the certificate given out



 
 -- 
 Andre Kolodochka
 http://www.linkedin.com/in/andrek
 https://www.xing.com/profile/Andre_Kolodochka
 F: +61-2-9475-4774 | M: +61-408-282-138
 Skype: kolodochka
 MSN: [EMAIL PROTECTED]
 

-- 
Part of the facts is understanding we have a problem, and part of the facts is 
what you're going to do about it.

- George W. Bush
04/15/2005
Kirtland, OH

