Re: [gentoo-user] syslog-ng + automatic respawn of target programs

2006-07-05 Thread thomas blomme
http://www.campin.net/syslog-ng/expanded-syslog-ng.conf

look at the above link, it contains all functions syslog can have

On 7/5/06, Richard Fish [EMAIL PROTECTED] wrote:
On 7/4/06, Enrico Weigelt [EMAIL PROTECTED] wrote:
Hi folks, could anyone give me a quick hint how to tell syslog-ng to automatically respawn target programs if they die

From 'man syslog-ng.conf', I don't see where syslog-ng actually has the ability to spawn target programs in the first place. It can log to files, network sockets, or ttys. No mention of logging to programs...

-Richard
--
gentoo-user@gentoo.org mailing list

--
Van Thomas Blomme


[gentoo-user] example tomcat app package

2006-07-05 Thread Trenton Adams

Hi guys,

What should I use as a base example package for a java application
running under tomcat?  Also, should it be a webapp to be used with
webapp-config?

Any information on this would be appreciated.

Thanks.
--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] xorg-x11 7.0 does not work with nvidia-glx-1.0.7174-r5

2006-07-05 Thread Philipp Riegger

On Jul 4, 2006, at 1:05 AM, Urs Schuetz wrote:


Check whether you have /dev/nvidia[0..9] and /dev/nvidiactl.


I don't have them. But the kernel module is loaded. I'll have a look  
at udev now.


Philipp

--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] xorg-x11 7.0 does not work with nvidia-glx-1.0.7174-r5

2006-07-05 Thread Philipp Riegger


On Jul 3, 2006, at 11:08 PM, Daevid Vincent wrote:


See attached. It may help.

DÆVID


-Original Message-
From: Philipp Riegger [mailto:[EMAIL PROTECTED]
Sent: Monday, July 03, 2006 10:40 AM
To: gentoo-user@lists.gentoo.org
Subject: [gentoo-user] xorg-x11 7.0 does not work with
nvidia-glx-1.0.7174-r5

Hi!

Unfortunately i am forced to use nvidia-glx-1.0.7174-r5 because my
graphic card is not supported by newer versions of the driver. I also
use kernel 2.6.11 because of that.

But now xorg does not seem to work with that driver:

(EE) NVIDIA(0): Failed to load the NVIDIA kernel module!
(EE) NVIDIA(0):  *** Aborting ***
(EE) Screen(s) found, but none have a usable configuration.

Fatal server error:
no screens found

What can i do? I also tried to get it to work with nv instead
of nvidia,
but that does not work, too. I get some warnings but no errors.

Philipp
--  
gentoo-user@gentoo.org mailing list





From: Daevid Vincent [EMAIL PROTECTED]
Date: May 23, 2006 4:29:42 AM GMT+02:00
To: gentoo-user@lists.gentoo.org
Subject: RE: [gentoo-user] Modular Xorg 7 won't start with nVidia  
GeForce4 440 Go [SOLVED]

Reply-To: gentoo-user@lists.gentoo.org


I finally got this working it seems.

These links were very helpful:

http://bugs.gentoo.org/show_bug.cgi?id=90047
http://forums.gentoo.org/viewtopic-t-327623.html
http://www.nvnews.net/vbulletin/showthread.php?t=49718highlight=glx+xorg+gentoo
http://www.nvnews.net/vbulletin/search.php?searchid=464072

I can't recall the exact thing that solved it, but I suspect it was the
nvidia/tls thing in the first post. I un/merged, un/masked, rm -rf so many
things I can't remember anymore. But at the end of the day, I do have the
latest nvidia drivers working in OpenGL glory on my Dell i8200 notebook
GeForce 440 card.

Glxgears gives me:
7630 frames in 5 seconds = 1526 FPS +/-

Now if only I could figure out a way to get the video card to not share an
IRQ with SEVEN other things including my eth0, wlan and usb amongst other
things -- then it wouldn't stutter. *sigh*.

 -Original Message-
 From: Daevid Vincent [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, April 11, 2006 12:58 PM
 To: gentoo-user@lists.gentoo.org
 Subject: RE: [gentoo-user] Modular Xorg 7 won't start with
 nVidia GeForce4 440 Go

  This should not be needed.  The X server (actually, the nvidia module
  loaded in the X server) should create these automatically if they do
  not exist.  From an strace of X on my system after removing the
  nvidiactl and nvidia0 device nodes:

 Okay. I removed them. Thanks.

   So what is causing X7 to crash is when I set:
   eselect opengl set nvidia
 
  If you comment out the line:
 
  Load glx
 
  in xorg.conf, do you still get the crash?

 No. X starts now. But glxgears segfaults.

  How are you starting the X server?  Does it still crash if
  you run just X :0?

 I type startx.

 X :0 just gives me (as you probably already know) a
 checker-board backdrop
 and a cursor. Can't do anything else with it.

  Take the most recent version of nvidia-kernel and nvidia-glx
  (~x86) and
  take a look at /etc/modules.d/nvidia. There something about a
  module-option for notebook systems.

 Tried various ways with and without this option enabled.
 However, it says that's to solve hard lock ups. I don't
 have that problem.
 X starts, then just dies (if I have the wrong combination of
 eselect/glx).
 It's definitely related to OpenGL now...

 Tried rebooting after a few different option/tweaks just to
 be sure too.


--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Re: Protecting my server against an individual

2006-07-05 Thread Alexander Skwar
Grant wrote:

 I do log in via ssh (port 22 I think) and it's also a mail server.
 How can I check which ports are open?  Does shorewall handle that?

You know, you shouldn't be asking such questions, if you operate
a server, which is accessible via the internet. But that's IMO.

Anyway. netstat -tulpen on the server and nmap are your friends.

Alexander Skwar
-- 
The more laws and order are made prominent, the more thieves and
robbers there will be.
-- Lao Tsu
-- 
gentoo-user@gentoo.org mailing list
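
Added example, not part of Alexander Skwar's message: one way to turn the `netstat -tulpen` output he mentions into a list of network-reachable listeners that are not on a list of services the host is meant to offer. The sample output, the allow-list format (`proto/port`) and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag listening sockets that are reachable from the network
# but are not on an allow-list of services the host is meant to offer.

# Constructed sample in the column layout of `netstat -tulpen`.
sample_netstat() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address   Foreign Address State   User Inode PID/Program name
tcp        0      0 0.0.0.0:22      0.0.0.0:*       LISTEN  0    1201  2100/sshd
tcp        0      0 0.0.0.0:25      0.0.0.0:*       LISTEN  0    1302  2500/master
tcp        0      0 127.0.0.1:3306  0.0.0.0:*       LISTEN  60   1403  2300/mysqld
tcp        0      0 0.0.0.0:111     0.0.0.0:*       LISTEN  0    1504  1900/portmap
udp        0      0 0.0.0.0:111     0.0.0.0:*               0    1505  1900/portmap
tcp6       0      0 :::80           :::*            LISTEN  0    1606  2700/apache2
EOF
}

# Usage: netstat -tulpen | unexpected_listeners "tcp/22 tcp/25 tcp/80"
# Prints "proto/port program" for every listener that is bound to a
# non-loopback address and is missing from the allow-list.
unexpected_listeners() {
    awk -v allowed="$1" '
        BEGIN {
            n = split(allowed, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        $1 ~ /^(tcp|udp)6?$/ {
            proto = $1
            sub(/6$/, "", proto)          # tcp6 -> tcp, udp6 -> udp
            addr = $4
            port = $4
            sub(/:[^:]*$/, "", addr)      # drop the trailing :port
            sub(/^.*:/, "", port)         # keep what follows the last colon
            # Loopback-only listeners are not reachable from outside.
            if (addr ~ /^127\./ || addr == "::1") next
            key = proto "/" port
            # UDP lines have an empty State column, so the program name is
            # read as the last field rather than by position.
            if (!(key in ok)) print key, $NF
        }
    ' | LC_ALL=C sort -u
}

# Demo on the constructed sample: ssh, smtp and http are expected.
sample_netstat | unexpected_listeners "tcp/22 tcp/25 tcp/80"
```

On a live host, pipe the real `netstat -tulpen` output into the function as root so the program column is filled in. Anything it prints is a service to shut down, bind to loopback, or filter.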



Re: [gentoo-user] Protecting my server against an individual

2006-07-05 Thread Alexander Skwar
Ryan Tandy wrote:

 you're running a firewall of some kind (and you'd be crazy not to for 
 any publicly accessible box),

Actually, I'd disagree. If only the necessary publicly accessible services
are running on a box, what good should a firewall (I suppose you mean
packet filter, like iptables) do? The only useful measure I can think about,
is to do rate limiting. But what else?

Alexander Skwar
-- 
The more laws and order are made prominent, the more thieves and
robbers there will be.
-- Lao Tsu
-- 
gentoo-user@gentoo.org mailing list



[gentoo-user] postfix + sasl

2006-07-05 Thread Arnau Bria
Hi,

I'm trying to configure postfix + cyrus-sasl (with other things).
I have a problem when I connect to local postfix:

#telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 FQDN ESMTP Postfix
EHLO localhost
250-FQDN
250-PIPELINING
250-SIZE 1024
250-VRFY
250-ETRN
250 8BITMIME

I don't have the line 250-AUTH PLAIN, which refers to mech_list
parameter specified in 

# cat /usr/lib/sasl2/smtp.conf
pwcheck_method: auxprop
mech_list: plain login

And I get next error if I try to auth:
AUTH PLAIN code64user/passwd
502 Error: command not implemented


I've seen some doc which refers to this file in different path
(/etc/sasl2/). I've also copied the file there, but I get same error.
Anyway, sasl doc talks about /usr/lib/sasl2 path.

Could someone help me to find what I'm forgetting?

many thanks in advance.
-- 
Arnau Bria
http://blog.emergetux.net
Flanders, praying is no use: I just did it myself and we can't
both win
~Homer J. Simpson~

-- 
gentoo-user@gentoo.org mailing list



[gentoo-user] Re: example tomcat app package

2006-07-05 Thread Edwin Kapauni

Trenton Adams wrote:

Hi guys,

What should I use as a base example package for a java application
running under tomcat?  Also, should it be a webapp to be used with

[...]

As the only thing I am running under Tomcat is Cocoon-2.1.9 I would much 
 appreciate Cocoon as a sample application too. :-)

But, I know: It is too big and too complicated for a simple sample. :-(

IMHO the most simple sample for Tomcat is the
Administration Web Application [1] which is also quite useful for 
setting up Cocoon and other applications.




[1]http://apache.dns4.com/tomcat/tomcat-5/v5.5.17/bin/apache-tomcat-5.5.17-admin.tar.gz


--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] xorg-x11 7.0 does not work with nvidia-glx-1.0.7174-r5

2006-07-05 Thread Philipp Riegger

I'm sorry, I did not want to send what I sent.


On Jul 5, 2006, at 9:21 AM, Philipp Riegger wrote:



On Jul 3, 2006, at 11:08 PM, Daevid Vincent wrote:
I finally got this working it seems.

These links were very helpful:

http://bugs.gentoo.org/show_bug.cgi?id=90047
http://forums.gentoo.org/viewtopic-t-327623.html
http://www.nvnews.net/vbulletin/showthread.php?t=49718highlight=glx+xorg+gentoo
http://www.nvnews.net/vbulletin/search.php?searchid=464072

I can't recall the exact thing that solved it, but I suspect it was the
nvidia/tls thing in the first post. I un/merged, un/masked, rm -rf so many
things I can't remember anymore. But at the end of the day, I do have the


Thanks for the links, but my problem is a different one. I cannot
start X (no segfault or error), neither with nvidia, nor with nv.


I have attached my Xorg.0.log.

Philipp





Re: [gentoo-user] xorg-x11 screwup

2006-07-05 Thread Neil Bothwick
On Wed, 05 Jul 2006 15:37:24 +1200, Nick Rout wrote:

  If you have the disk space to spare, set FEATURES=buildpkg. Then
  reinstalling a package is as quick as with a binary distro.
 
 The further complication there is that in this hypothetical situation
 you are also likely to be changing some USE flags, and the prebuilt
 buildpkg packages may need in fact to be built again against a new set
 of libraries.

Changed USE flags won't normally stop a program running. Re-emerging the
previous version gets you working again in no time at all. you can then
recompile if you wish, while still being able to use the computer.


-- 
Neil Bothwick

Not one shred of evidence supports the notion that life is serious.




Re: [SOLVED - new xorg related?] Re: [gentoo-user] Whoa - .xsession-errors at 340MB in less than 24 hours!

2006-07-05 Thread Donnie Berkholz
John J. Foster wrote:
 On Tue, Jul 04, 2006 at 02:21:26PM -0700, Donnie Berkholz wrote:
 John J. Foster wrote:
 On Mon, Jul 03, 2006 at 04:43:34PM -0400, John J. Foster wrote:
 Warning: Cannot convert string
 -bh-lucida-medium-r-normal-sans-*-140-*-*-p-*-iso8859-1 to type
 FontStruct

 Try installing the fonts it's complaining about, and add 'em to your
 FontPath list in xorg.conf. This one looks like font-bh-100dpi or -75dpi.

 Thanks a lot Donnie, media-fonts/font-bh-75dpi did the trick. Out of
 curiosity, how did you know which font package might be correct?

The font token starts with the foundry it's from -- bh. This translates
to bh in the package name. It's specified using the old core fonts setup
(the foo-blah-*-foo-140-*-etc), so I know it's probably a bitmap font,
meaning 75dpi or 100dpi. It's not lucidatypewriter but just lucida, so
I'm able to eliminate those font-bh-lucidatypewriter-* packages. That
just leaves font-bh-{100,75}dpi.

Thanks,
Donnie





Re: [gentoo-user] Re: example tomcat app package

2006-07-05 Thread Trenton Adams

I think you misunderstood what I was saying.  I'm looking for an
ebuild file for a tomcat application.

On 7/5/06, Edwin Kapauni [EMAIL PROTECTED] wrote:

Trenton Adams wrote:
 Hi guys,

 What should I use as a base example package for a java application
 running under tomcat?  Also, should it be a webapp to be used with
[...]

As the only thing I am running under Tomcat is Cocoon-2.1.9 I would much
  appreciate Cocoon as a sample application too. :-)
But, I know: It is too big and too complicated for a simple sample. :-(

IMHO the most simple sample for Tomcat is the
Administration Web Application [1] which is also quite useful for
setting up Cocoon and other applications.



[1]http://apache.dns4.com/tomcat/tomcat-5/v5.5.17/bin/apache-tomcat-5.5.17-admin.tar.gz


--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Protecting my server against an individual

2006-07-05 Thread Trenton Adams

I would move ssh to a very high port number of your choice.  Most ssh
port scanners do not bother checking anything other than port 22, as
it is too time consuming.  I have not had any weird hits on my ssh
port in years.  It was hammered daily, even with attempted logins and
such, with it running on port 22.  Now, pretty much nothing.  Why not
use something like 65350 or some random high port like that?

And yes, you probably shouldn't be asking these questions if you have
an important linux computer on the internet.  Because if it is
important, you should know what you are doing before you put it on the
internet.

If on the other hand, you're just getting to know linux, and the
computer is not all that important, then you should be asking these
questions.

On 7/5/06, Alexander Skwar [EMAIL PROTECTED] wrote:

Ryan Tandy wrote:

 you're running a firewall of some kind (and you'd be crazy not to for
 any publicly accessible box),

Actually, I'd disagree. If only the necessary publicly accessible services
are running on a box, what good should a firewall (I suppose you mean
packet filter, like iptables) do? The only useful measure I can think about,
is to do rate limiting. But what else?

Alexander Skwar
--
The more laws and order are made prominent, the more thieves and
robbers there will be.
-- Lao Tsu
--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] postfix + sasl

2006-07-05 Thread Arnau Bria
On Wed, 5 Jul 2006 09:42:11 +0200
Arnau Bria wrote:

 Hi,
 
 I'm trying to configure postfix + cyrus-sasl (with other things).
 I have a problem when I connect to local postfix:

[...]

forget my question...
I forgot to add sasl USE flag when I emerged postfix... now I see:

EHLO localhost
250-FQDN
250-PIPELINING
250-SIZE 1024
250-VRFY
250-ETRN
250-AUTH NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250 8BITMIME


Regards,
Arnau

-- 
Arnau Bria
http://blog.emergetux.net
Flanders, praying is no use: I just did it myself and we can't
both win
~Homer J. Simpson~
-- 
gentoo-user@gentoo.org mailing list
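
Added example, not part of Arnau Bria's messages: a small check that reads an EHLO reply captured on an unencrypted session, like the two telnet transcripts in this thread, and reports which SASL mechanisms are offered, which of them (PLAIN, LOGIN) send the password only base64-encoded, and whether STARTTLS is advertised. The function names and the third sample reply are constructed; the first two replies are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: summarise what an EHLO reply says about SMTP AUTH exposure.

# EHLO reply from the first message in the thread (Postfix built without sasl).
reply_without_sasl() {
cat <<'EOF'
250-FQDN
250-PIPELINING
250-SIZE 1024
250-VRFY
250-ETRN
250 8BITMIME
EOF
}

# EHLO reply from the follow-up, after rebuilding with the sasl USE flag.
reply_with_sasl() {
cat <<'EOF'
250-FQDN
250-PIPELINING
250-SIZE 1024
250-VRFY
250-ETRN
250-AUTH NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250 8BITMIME
EOF
}

# Constructed reply: a server that offers STARTTLS and no AUTH before TLS.
reply_tls_first() {
cat <<'EOF'
250-FQDN
250-PIPELINING
250-STARTTLS
250 8BITMIME
EOF
}

# One SASL mechanism per line, upper-cased, taken from "250-AUTH ..." or the
# older "250-AUTH=..." capability lines read on stdin.
ehlo_auth_mechs() {
    tr -d '\r' | awk '
        /^250[- ]AUTH[ =]/ {
            sub(/^250[- ]AUTH[ =]/, "")
            n = split($0, m, " ")
            for (i = 1; i <= n; i++) print toupper(m[i])
        }' | LC_ALL=C sort -u
}

# Reads an EHLO reply on stdin and prints one summary line:
#   auth=<mechs|none> cleartext=<PLAIN/LOGIN subset|none> starttls=<yes|no>
ehlo_report() {
    reply=$(cat)
    mechs=$(printf '%s\n' "$reply" | ehlo_auth_mechs)
    auth=$(printf '%s\n' "$mechs" | paste -sd, -)
    # PLAIN and LOGIN carry the password base64-encoded, not encrypted.
    clear=$(printf '%s\n' "$mechs" | grep -Ex 'PLAIN|LOGIN' | paste -sd, -)
    if printf '%s\n' "$reply" | tr -d '\r' | grep -Eq '^250[- ]STARTTLS$'; then
        tls=yes
    else
        tls=no
    fi
    printf 'auth=%s cleartext=%s starttls=%s\n' \
        "${auth:-none}" "${clear:-none}" "$tls"
}

# Demo over the three sample replies.
for sample in reply_without_sasl reply_with_sasl reply_tls_first; do
    printf '%s: ' "$sample"
    "$sample" | ehlo_report
done
```

A line with `cleartext=` other than `none` and `starttls=no` means the credentials are readable by anyone on the path between client and server. Postfix's `smtpd_tls_auth_only = yes` stops AUTH from being announced or accepted before TLS.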



[gentoo-user] histappend shell option

2006-07-05 Thread Trenton Adams

Hi guys,

Where would I suggest a standard shell option to be incorporated into
/etc/bash/bashrc?

I can't stand it when I logout of multiple shells, and get only the
history of the last one.  Especially on root.

So, I use the histappend shell option.
shopt -s histappend

Wouldn't it be good to incorporate this into the standard bash shell?
--
gentoo-user@gentoo.org mailing list



[gentoo-user] automatic notification of changes in certain packages

2006-07-05 Thread Enrico Weigelt

Hi folks,

i'd like to get automatic notification if something in a certain
package changes, ie. package foo has been masked, unmasked, 
new version, ...

Is there any service for that yet ?

cu
-- 
-
 Enrico Weigelt==   metux IT service

  phone: +49 36207 519931 www:   http://www.metux.de/
  fax:   +49 36207 519932 email: [EMAIL PROTECTED]
  cellphone: +49 174 7066481
-
-- 
gentoo-user@gentoo.org mailing list



[gentoo-user] world favorites: pros and cons

2006-07-05 Thread Daniel
Good afternoon,


I would like to ask what advantages does one gain from (not) putting
packages in the world file?

I know the use of emerge --oneshot some-packages emerges packages
without recording them in the world set. I also know that all the
packages installed as dependencies don't get recorded in the world set
either.

I see only one advantage in this - the next time I do emerge --update
world the checking for available updates would be faster because the
world file doesn't contain all the packages that are actually emerged.

BUT...What happens if there are critical updates for packages not
listed in the world?
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] iptables wiki

2006-07-05 Thread Daniel
james wrote:
 Hello,
 
 I'm attempting to follow this wiki to build a test firewall running iptables:
 http://gentoo-wiki.com/HOWTO_Iptables_for_newbies#QuickStart
 
 Kernel is 'hardened' with netfilter et al activated.
 
 It looks reasonable and is supposed to be up to date.
 
 My nics are set up in /etc/conf.d/net
 iface_eth0=192.168.2.20 broadcast 192.168.2.255 netmask 255.255.255.0
 iface_eth1=192.168.3.11 broadcast 192.168.3.255 netmask 255.255.255.0
 iface_eth2=snipped  broadcast snipped netmask 255.255.255.252
 routes_eth2=( default gw snipped )
 
 All work fine.
 
 port forwarding is enabled:
 
 Rulesets get saved to /var/lib/iptables/rules-save
 As specified in /etc/conf.d/iptables
 and 
 /etc/init.d/iptables is the script that launches iptables
 plus  rc-update add iptables default
 
 I think all of this is correct(correct me if I'm wrong).
 
 When I go to /etc/init to write my rules into firewall.sh
 as specified in the aforementioned wiki I automatically get
 this shoved into the script:
 
 #!/sbin/runscript
 # Copyright 1999-2006 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
 # $Header: $
 depend() {
 }
 start() {
 }
 stop() {
 }
 restart() {
 }
 
 
 
 curiously none of the examples talk about this.
 
 Is this the correct place to put my script(/etc/init.d/, 
 which is somewhat similar to the one suggested in the
 wiki?
 
 
 None of the examples I found googling discuss the details of where to put
 the script, how to launch it and other such details. Any suggestion
 are welcome. I have found lots of  example scripts similar to my 3 nic
 net/lan/dmz setup though.
 
 Any suggestions are very welcome.
 
 James
 
 
 
 

Actually IMHO gentoo has internal mechanism for dealing with iptables rules.

After you are ready and sure the rules work OK, you do:

1) /etc/init.d/iptables save

This would record your rules in /var/lib/iptables/rules-save [as if you
issued the command iptables-save > /var/lib/iptables/rules-save ]


Then you put iptables in the init sequence so the rules are restored at
every system start:

2) rc-update add iptables default

This would do iptables-restore < /var/lib/iptables/rules-save at
every boot.


3) Additionally you can set some parameters in /etc/conf.d/iptables


Hope This Helps

--
Best regards
Daniel

-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] world favorites: pros and cons

2006-07-05 Thread Neil Bothwick
On Wed, 05 Jul 2006 12:48:31 +0300, Daniel wrote:

 I know the use of emerge --oneshot some-packages emerges packages
 without recording them in the world set. I also know that all the
 packages installed as dependencies don't get recorded in the world set
 either.
 
 I see only one advantage in this - the next time I do emerge --update
 world the checking for available updates would be faster because the
 world file doesn't contain all the packages that are actually emerged.
 
 BUT...What happens if there are critical updates for packages not
 listed in the world?

You won't see them, nor any updates to packages that are only dependencies
of package not in world. In short, you break your system.

The only time I use --oneshot for new installs is when trying a package
to see if I want it. If I do, I add it to world with --noreplace. If I
don't find it useful, my next emerge --depclean reminds me to remove it.


-- 
Neil Bothwick

Foolproof operation: No provision for adjustment.




Re: [gentoo-user] world favorites: pros and cons

2006-07-05 Thread Alexander Skwar
Daniel wrote:

 BUT...What happens if there are critical updates for packages not
 listed in the world?

They won't get installed. That's why I always do emerge --deep --update
(or rather: emerge -Duvat), as then packages which are installed to
meet dependencies, will also get updated.

But you'll still miss some packages this way - packages which aren't
in the world file and which are also no dependency of *CURRENTLY* installed
packages. Those are normally packages, which aren't used anymore and
could be removed. I forgot how to find out, which packages that are.

Alexander Skwar
-- 
The more laws and order are made prominent, the more thieves and
robbers there will be.
-- Lao Tsu
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] world favorites: pros and cons

2006-07-05 Thread Alexander Skwar
Neil Bothwick wrote:

 The only time I use --oneshot for new installs is when trying a package
 to see if I want it. If I do, I add it to world with --noreplace. If I
 don't find it useful, my next emerge --depclean reminds me to remove it.

I use --oneshot, when the compilation of a package breaks, which is
a dependency of a package, that I want.

Suppose, I want a and a needs b. Now b breaks. I fix it, so that
b can be compiled. Then I'd do emerge -1 b.

Another case, which hit me just recently: a needs b, but it needs b
to be compiled with a specific flag. Now b is already installed, but a
can't get installed. In this case, I'd modify my package.use for package
b and again do a emerge -1 b.

Alexander Skwar
-- 
The more laws and order are made prominent, the more thieves and
robbers there will be.
-- Lao Tsu
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Protecting my server against an individual

2006-07-05 Thread Daniel
Grant wrote:
 It has come to my attention that a particular person I know may be
 intent on attacking my server/website in any way possible.  He doesn't
 know much about Linux but does know Windows.  What kind of things
 should I lock down to protect my remote hosted server?  I don't have
 time to get too crazy with security right now, but what kinds of
 simple tricks might this fellow learn by asking around on forums, etc?

1) Use firewall to block access to everything but the services you need
to be accessible. (Be very careful here so you DO NOT disable YOUR access.)
2) Update your packages to their latest stable versions.
3) Check the configuration of your services - they should deny all
functionality but the one you intended to provide.
4) Enable activity logging - this would help you find out the way
somebody is trying to penetrate your system and give you opportunity to
take counter measures.
5) Pray :)

--
Best regards
Daniel
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] xorg-x11 7.0 does not work with nvidia-glx-1.0.7174-r5

2006-07-05 Thread Urs Schuetz
On Wed, 05 Jul 2006, Philipp Riegger wrote:

 On Jul 4, 2006, at 1:05 AM, Urs Schuetz wrote:
 
 Check whether you have /dev/nvidia[0..9] and /dev/nvidiactl.
 
 I don't have them. But the kernel module is loaded. I'll have a look  
 at udev now.

They are essential, you want them. 
From http://www.gentoo.org/doc/en/nvidia-guide.xml :

  Code Listing 3.2: Creating the nvidia device nodes

  # /sbin/NVmakedevices.sh

  If your /dev/nvidia devices are still missing every time you
  reboot, then it is most likely because udev is not
  automatically creating the proper device nodes. You can fix
  this by re-running NVmakedevices.sh, and then editing
  /etc/conf.d/rc as shown:

  Code Listing 3.3: Editing /etc/conf.d/rc

  RC_DEVICE_TARBALL=yes

  This will preserve your /dev/nvidia nodes even if you reboot. 

Urs

-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] linux' IO performance sucks

2006-07-05 Thread Daniel Drake

Sven Köhler wrote:

So about every 200MB (i guess the linux box writes the data into the
cache in the RAM first) linux writes the harddisk. But during that time
- during the time it writes that 200MB to disk, there is no chance for
any other IO. I'm playing an mp3 from the very same fileserver. It stops
playing, because the machine does answer the read-requests.


Is this an IDE disk? Sounds like you don't have DMA enabled. Check with 
(e.g.) hdparm -d /dev/hda


Daniel
--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] linux' IO performance sucks

2006-07-05 Thread Daniel
Sven Köhler wrote:
 Hi,
 
 sorry for the silly subject, but did you ever experience the following?:
 
 i have a fileserver, i copy a file to it - let's say 600MB.
 
 So about every 200MB (i guess the linux box writes the data into the
 cache in the RAM first) linux writes the harddisk. But during that time
 - during the time it writes that 200MB to disk, there is no chance for
 any other IO. I'm playing an mp3 from the very same fileserver. It stops
 playing, because the machine does answer the read-requests.
 
 So what's going on here?
 
 Why does Linux write so huge amounts of data to the disk? Why does Linux
 not stop writing for a while to fulfil the read-requests? And so on ...
 
 Any idea, on how to improve that?
 

Perhaps a more often flush of buffers may help you in this situation.

There are several parameters you can tweak to control your kernel
behavior regarding this.

You can put the following lines in your /etc/sysctl.conf file, replacing
 i,j,k and l with proper numbers.
vm.dirty_expire_centisecs =  i
vm.dirty_writeback_centisecs = j
vm.dirty_ratio = k
vm.dirty_background_ratio = l

The meaning of these parameters is described in the kernel documentation:
/usr/src/linux/Documentation/filesystems/proc.txt
/usr/src/linux/Documentation/sysctl/vm.txt

You could also disable all write caching by issuing the command:

hdparm -W0 /dev/your-physical-disk-name


Hope This Helps

---
Best regards
Daniel
-- 
gentoo-user@gentoo.org mailing list



Re: Re: [gentoo-user] Protecting my server against an individual

2006-07-05 Thread jarry

Alexander Skwar [EMAIL PROTECTED] wrote:

  you're running a firewall of some kind (and you'd be crazy not to for 
  any publicly accessible box),
 
 Actually, I'd disagree. If only the necessary publicly accessible services
 are running on a box, what good should a firewall (I suppose you mean
 packet filter, like iptables) do? The only useful measure I can think
 about, is to do rate limiting. But what else?

Just to name a few:
-permitting certain services for certain hosts (ip/mac based)
-time/cpu-load based restriction on certain services
-filtering malformed/fragmented packets
-implementing port-knocking feature
-statistical evaluation of traffic (ip/protocol/service based)
etc.

All of the above mentioned is probably possible to do using
different method, but why not use iptables for it?

Jarry

-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] world favorites: pros and cons

2006-07-05 Thread Neil Bothwick
On Wed, 05 Jul 2006 12:18:20 +0200, Alexander Skwar wrote:

 But you'll still miss some packages this way - packages which aren't
 in the world file and which are also no dependency of *CURRENTLY*
 installed packages. Those are normally packages, which aren't used
 anymore and could be removed. I forgot how to find out, which packages
 that are.

emerge --depclean --pretend


-- 
Neil Bothwick

If Barbie is so popular, why do you have to buy her friends?




Re: [gentoo-user] automatic notification of changes in certain packages

2006-07-05 Thread Trenton Adams

Oh man, that would be s sweet.  I want that too. :-P

On 7/5/06, Enrico Weigelt [EMAIL PROTECTED] wrote:


Hi folks,

i'd like to get automatic notification if something in a certain
package changes, ie. package foo has been masked, unmasked,
new version, ...

Is there any service for that yet ?

cu
--
-
 Enrico Weigelt==   metux IT service

  phone: +49 36207 519931 www:   http://www.metux.de/
  fax:   +49 36207 519932 email: [EMAIL PROTECTED]
  cellphone: +49 174 7066481
-
--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Protecting my server against an individual

2006-07-05 Thread Alexander Skwar
Trenton Adams wrote:
 I would move ssh to a very high port number of your choice.  Most ssh
 port scanners do not bother checking anything other than port 22, as
 it is too time consuming.  I have not had any weird hits on my ssh
 port in years.  It was hammered daily, even with attempted logins and
 such, with it running on port 22.  Now, pretty much nothing.  Why not
 use something like 65350 or some random high port like that?

ACK. Good idea. One more thing though: I'd not use a strange port
like 65350, but rather a port, which might be legitimately open.
Suppose you've got a web server and DON'T use ssl. In this case,
https (443) would be available. Or if you don't have a usenet server,
you could use 119.

Reason: It's normal that such ports are open. If I were a
script kiddie, I wouldn't bother looking at normally open
ports. But if there's something strange like 65350, I *would*
look.

 And yes, you probably shouldn't be asking these questions if you have
 an important linux computer on the internet.  Because if it is
 important, you should know what you are doing before you put it on the
 internet.
 
 If on the other hand, you're just getting to know linux, and the
 computer is not all that important, then you should be asking these
 questions.

Yes, he *CERTAINLY* should be asking those questions - but he
shouldn't have a server on the internet. Reason: It might be
so, that the system is less secure than it ought to be and thus
might be already part of a botnet or somesuch. And if it were
part of a botnet, it might be used to attack other systems or
to simply relay spams.

Because of that, I find it somewhat irresponsible or at the
very least questionable, when users with not so much knowledge
operate servers. And it doesn't matter at all, if the system
is important to the OP - it matters only, if it might be used
to do things, which the OP doesn't want.


Alexander Skwar
-- 
The more laws and order are made prominent, the more thieves and
robbers there will be.
-- Lao Tsu
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] world favorites: pros and cons

2006-07-05 Thread Daniel
Neil Bothwick wrote:
 On Wed, 05 Jul 2006 12:18:20 +0200, Alexander Skwar wrote:
 
 But you'll still miss some packages this way - packages which aren't
 in the world file and which are also no dependency of *CURRENTLY*
 installed packages. Those are normally packages, which aren't used
 anymore and could be removed. I forgot how to find out, which packages
 that are.
 
 emerge --depclean --pretend
 
 

Your replies make me feel I haven't done wrong trying to put every
single package in the world set. Actually in my fear not to miss some
updates I use this script:
---
emerge -DuNpv package-name | cut -sf2 -d '/' |\
cut -f1 -d ' '|\
while read pkg;
  do find /usr/portage/ -name ${pkg}.ebuild;
done | sed 's/\/usr\/portage\///g' |\
while read a;
  do echo ${a%/*}; done |\
xargs -n1 emerge
---
This way all dependencies get individually emerged and therefore
recorded in the world file. Of course excluding some particular cases.
For example:
emerge xmms - pulls-in gtk+-1.2, while
emerge mozilla-firefox - pulls-in gtk+2.8.

So in this case the aforementioned script used with emerge xmms
mozilla-firefox will individually emerge only gtk+-2.8 and gtk+-1.2
would be emerged as dependency of xmms and won't get recorded in the
world set.



--
Best regards
Daniel

-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] automatic notification of changes in certain packages

2006-07-05 Thread Etaoin Shrdlu
On Wednesday 5 July 2006 12:55, Trenton Adams wrote:

 Oh man, that would be s sweet.  I want that too. :-P

Subscribe to some of the rss feeds on packages.gentoo.org, and you'll 
find out which packages come out daily, almost in real time.
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] world favorites: pros and cons

2006-07-05 Thread Rumen Yotov

Daniel wrote:

Neil Bothwick wrote:

On Wed, 05 Jul 2006 12:18:20 +0200, Alexander Skwar wrote:

But you'll still miss some packages this way - packages which aren't
in the world file and which are also no dependency of *CURRENTLY*
installed packages. Those are normally packages, which aren't used
anymore and could be removed. I forgot how to find out, which packages
that are.

emerge --depclean --pretend

Your replies make me feel I haven't done wrong trying to put every
single package in the world set. Actually in my fear not to miss some
updates I use this script:
---
emerge -DuNpv package-name | cut -sf2 -d '/' |\
cut -f1 -d ' '|\
while read pkg;
 do find /usr/portage/ -name ${pkg}.ebuild;
done | sed 's/\/usr\/portage\///g' |\
while read a;
 do echo ${a%/*}; done |\
xargs -n1 emerge
---
This way all dependencies get individually emerged and therefore
recorded in the world file. Of course excluding some particular cases.
For example:
emerge xmms - pulls-in gtk+-1.2, while
emerge mozilla-firefox - pulls-in gtk+2.8.

So in this case the aforementioned script used with emerge xmms
mozilla-firefox will individually emerge only gtk+-2.8 and gtk+-1.2
would be emerged as dependency of xmms and won't get recorded in the
world set.



--
Best regards
Daniel

 


Hi,
On the contrary, I (at least) put in 'world' only things I emerge.
The reason - the world-file is smaller and eventually is scanned more 
quickly.

Unless you also use -D|--deep option, which also scans the deps.
HTH.
Rumen
--
gentoo-user@gentoo.org mailing list



[gentoo-user] P IV power managing error

2006-07-05 Thread Leonardo
Hi, 
I tried enabling the ACPI power management for my notebook by
following the Gentoo documentation, but when I modprobe acpi I
get the error:

FATAL: Error inserting acpi_cpufreq
(/lib/modules/2.6.17-gentoo/kernel/arch/i386/kernel/cpu/cpufreq/acpi-cpufreq.ko):
No such device

however I can successfully load the modules:
ac battery fan thermal button processor

What's wrong? Below some more infos.
Ciao, Leo

Kernel: 2.6.17-gentoo, with settings:
#
# Power management options (ACPI, APM)
#
CONFIG_PM=y
CONFIG_PM_LEGACY=y
# CONFIG_PM_DEBUG is not set

#
# ACPI (Advanced Configuration and Power Interface) Support
#
CONFIG_ACPI=y
CONFIG_ACPI_AC=m
CONFIG_ACPI_BATTERY=m
CONFIG_ACPI_BUTTON=m
CONFIG_ACPI_VIDEO=m
CONFIG_ACPI_HOTKEY=m
CONFIG_ACPI_FAN=m
CONFIG_ACPI_PROCESSOR=m
CONFIG_ACPI_THERMAL=m
CONFIG_ACPI_ASUS=m
CONFIG_ACPI_IBM=m
# CONFIG_ACPI_IBM_DOCK is not set
CONFIG_ACPI_TOSHIBA=m
# CONFIG_ACPI_CUSTOM_DSDT is not set
CONFIG_ACPI_BLACKLIST_YEAR=0
# CONFIG_ACPI_DEBUG is not set
CONFIG_ACPI_EC=y
CONFIG_ACPI_POWER=y
CONFIG_ACPI_SYSTEM=y
CONFIG_X86_PM_TIMER=y
# CONFIG_ACPI_CONTAINER is not set

#
# APM (Advanced Power Management) BIOS Support
#
CONFIG_APM=y
# CONFIG_APM_IGNORE_USER_SUSPEND is not set
# CONFIG_APM_DO_ENABLE is not set
# CONFIG_APM_CPU_IDLE is not set
CONFIG_APM_DISPLAY_BLANK=y
CONFIG_APM_RTC_IS_GMT=y
# CONFIG_APM_ALLOW_INTS is not set
CONFIG_APM_REAL_MODE_POWER_OFF=y

#
# CPU Frequency scaling
#
CONFIG_CPU_FREQ=y
CONFIG_CPU_FREQ_TABLE=m
# CONFIG_CPU_FREQ_DEBUG is not set
# CONFIG_CPU_FREQ_STAT is not set
# CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE is not set
CONFIG_CPU_FREQ_DEFAULT_GOV_USERSPACE=y
CONFIG_CPU_FREQ_GOV_PERFORMANCE=m
CONFIG_CPU_FREQ_GOV_POWERSAVE=m
CONFIG_CPU_FREQ_GOV_USERSPACE=y
CONFIG_CPU_FREQ_GOV_ONDEMAND=m
CONFIG_CPU_FREQ_GOV_CONSERVATIVE=m

#
# CPUFreq processor drivers
#
CONFIG_X86_ACPI_CPUFREQ=m
# CONFIG_X86_POWERNOW_K6 is not set
# CONFIG_X86_POWERNOW_K7 is not set
# CONFIG_X86_POWERNOW_K8 is not set
# CONFIG_X86_GX_SUSPMOD is not set
# CONFIG_X86_SPEEDSTEP_CENTRINO is not set
# CONFIG_X86_SPEEDSTEP_ICH is not set
# CONFIG_X86_SPEEDSTEP_SMI is not set
CONFIG_X86_P4_CLOCKMOD=m
# CONFIG_X86_CPUFREQ_NFORCE2 is not set
# CONFIG_X86_LONGRUN is not set

#
# shared options
#
# CONFIG_X86_ACPI_CPUFREQ_PROC_INTF is not set
CONFIG_X86_SPEEDSTEP_LIB=m




processor pentium IV:

# cat /proc/cpuinfo
processor   : 0
vendor_id   : GenuineIntel
cpu family  : 15
model   : 3
model name  : Intel(R) Pentium(R) 4 CPU 3.20GHz
stepping: 4
cpu MHz : 3200.728
cache size  : 1024 KB
physical id : 0
siblings: 2
core id : 0
cpu cores   : 1
fdiv_bug: no
hlt_bug : no
f00f_bug: no
coma_bug: no
fpu : yes
fpu_exception   : yes
cpuid level : 5
wp  : yes
flags   : fpu vme de pse tsc msr pae mce cx8 apic sep
mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2
ss ht tm pbe constant_tsc pni monitor ds_cpl cid xtpr
bogomips: 6405.97

processor   : 1
vendor_id   : GenuineIntel
cpu family  : 15
model   : 3
model name  : Intel(R) Pentium(R) 4 CPU 3.20GHz
stepping: 4
cpu MHz : 3200.728
cache size  : 1024 KB
physical id : 0
siblings: 2
core id : 0
cpu cores   : 1
fdiv_bug: no
hlt_bug : no
f00f_bug: no
coma_bug: no
fpu : yes
fpu_exception   : yes
cpuid level : 5
wp  : yes
flags   : fpu vme de pse tsc msr pae mce cx8 apic sep
mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2
ss ht tm pbe constant_tsc pni monitor ds_cpl cid xtpr
bogomips: 6400.76


# cpufreq-info
cpufrequtils 001: cpufreq-info (C) Dominik Brodowski 2004-2006
Report errors and bugs to [EMAIL PROTECTED], please.
analyzing CPU 0:
  no or unknown cpufreq driver is active on this CPU
analyzing CPU 1:
  no or unknown cpufreq driver is active on this CPU


-- 
gentoo-user@gentoo.org mailing list



[gentoo-user] Xorg meta apps

2006-07-05 Thread Mick

I updated to the new xorg and discovered that a lot of applications
(e.g. xcalc, xvidtune, etc.) were uninstalled when I unmerged the
monolithic version, but were not reinstalled with the new meta.  So, I
thought of trying emerging them individually.  However, they seem to
be masked.  Is this because they are not compatible with the new meta
ebuild?  What should I do?

--
Regards,
Mick
--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Protecting my server against an individual

2006-07-05 Thread jarry

Alexander Skwar [EMAIL PROTECTED] wrote:

 ... If I were a
 script kiddie, I wouldn't bother looking at normally open
 ports. But if there's something strange like 65350, I *would*

imho, if someone wants to attack your server, he will scan
all ports and will try to find which apps are using them...

 Yes, he *CERTAINLY* should be asking those questions - but he
 shouldn't have a server on the internet.

At least not before he knows answers and make use of them...

 Because of that, I find it somewhat irresponsible or at the
 very least questionable, when users with not so much knowledge
 operate servers.

I would not restrict it to servers. There is a lot of home-users
with broad-band connections, many of them never switch computer
off and are running windows (or any badly configured OS). A few
hundred of such zombies can make a very efficient botnet, able
to kick down any victim-server using ddos/drdos attack...

Jarry

-- 
gentoo-user@gentoo.org mailing list



[gentoo-user] Samba install fails

2006-07-05 Thread Paul Stear
Hi all,
emerging samba results in the following error:-
!!! ERROR: net-fs/samba-3.0.22-r2 failed.
Call stack:
  ebuild.sh, line 1545:   Called dyn_compile
  ebuild.sh, line 940:   Called src_compile
  samba-3.0.22-r2.ebuild, line 104:   Called econf '--with-fhs'
    '--sysconfdir=/etc/samba' '--localstatedir=/var'
    '--with-configdir=/etc/samba' '--with-libdir=/usr/lib/samba'
    '--with-swatdir=/usr/share/doc/samba-3.0.22-r2/swat'
    '--with-piddir=/var/run/samba' '--with-lockdir=/var/cache/samba'
    '--with-logfilebase=/var/log/samba'
    '--with-privatedir=/var/lib/samba/private' '--with-libsmbclient'
    '--without-spinlocks' '--with-acl-support' '--without-aio-support'
    '--without-automount' '--enable-cups' '--without-krb5' '--with-pam'
    '--with-pam_smbpass' '--with-python' '--without-quotas'
    '--without-sys-quotas' '--with-readline' '--with-smbmount'
    '--without-syslog' '--with-expsam=mysql,' '--with-manpages-langs=en'
    '--without-ldapsam'
  ebuild.sh, line 541:   Called die

!!! econf failed
I am using ~x86
Portage 2.1.1_pre2-r2 (default-linux/x86/2006.0, gcc-4.1.1/vanilla, 
glibc-2.4-r3, 2.6.17-gentoo-r1 i686)

Paul
-- 
This message has been sent using kmail with gentoo linux
-- 
gentoo-user@gentoo.org mailing list



[gentoo-user] Re: Samba install fails

2006-07-05 Thread Paul Stear
On Wednesday 05 July 2006 13:09, you wrote:
 Hi all,
 emerging samba results in the following error:-
 !!! ERROR: net-fs/samba-3.0.22-r2 failed.
 Call stack:
   ebuild.sh, line 1545:   Called dyn_compile
   ebuild.sh, line 940:   Called src_compile
   samba-3.0.22-r2.ebuild, line 104:   Called econf '--with-fhs'
     '--sysconfdir=/etc/samba' '--localstatedir=/var'
     '--with-configdir=/etc/samba' '--with-libdir=/usr/lib/samba'
     '--with-swatdir=/usr/share/doc/samba-3.0.22-r2/swat'
     '--with-piddir=/var/run/samba' '--with-lockdir=/var/cache/samba'
     '--with-logfilebase=/var/log/samba'
     '--with-privatedir=/var/lib/samba/private' '--with-libsmbclient'
     '--without-spinlocks' '--with-acl-support' '--without-aio-support'
     '--without-automount' '--enable-cups' '--without-krb5' '--with-pam'
     '--with-pam_smbpass' '--with-python' '--without-quotas'
     '--without-sys-quotas' '--with-readline' '--with-smbmount'
     '--without-syslog' '--with-expsam=mysql,' '--with-manpages-langs=en'
     '--without-ldapsam'
   ebuild.sh, line 541:   Called die

 !!! econf failed
 I am using ~x86
 Portage 2.1.1_pre2-r2 (default-linux/x86/2006.0, gcc-4.1.1/vanilla,
 glibc-2.4-r3, 2.6.17-gentoo-r1 i686)

 Paul
Sorry to reply to my own post but I found a fix on the forums, it's now in the 
process of emerging.
Paul
-- 
This message has been sent using kmail with gentoo linux
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] world favorites: pros and cons

2006-07-05 Thread Daniel Iliev
Neil Bothwick wrote:
 
 Now portage has no idea of which packages
 are there because you want them, which are there because they are
 dependencies of something you want and which are redundant cruft installed
 as a dependency of a package you no longer have installed.
 
 On your system, your packages, their dependencies and the cruft are all
 considered part of world.
 
 

That is correct. What are the disadvantages besides the longer seeks for
updates?

I have no problem with the redundant cruft - when I want just to try
some package I do emerge --pretend and record the list of dependencies
it wants to pull-in. If I decide the package is not useful to me, I
un-emerge not only the package, but also the dependencies it had
pulled-in during its installation.


-- 
Best regards,
Daniel

-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Cannot access external network

2006-07-05 Thread Daniel Iliev
Raj Swaminathan wrote:
 Hi,
 
 Im a gnu/linux newbie and have 2 problems 
 
 1. At boot, i get net-mount failed on eth0 and ifconfig does not
 list eth0. So i manually tried ifconfig eth0 up and eth0 is then
 listed.  Next I am unable to ping machines not listed on /etc/hosts.
 
 My /etc/conf.d/net has entries for config_eth0 and routes_eth0
 
 My /etc/resolv.conf however looks like this:
 # Generated by dhcpcd for interface eth1
 nameserver  mynameserver
 domain mydomain
 It seems to say eth1 . when it should say eth0?
 
 2. When grub loads, the screen is all blurred and hazy and seems to
 get allright 10 seconds after the kernel starts loading. What should i
 do?
 
 Any help will be appreciated  thanks !
 raj

It seems to me that you don't have the network start script(s) activated.
Try executing:
rc-update add net.eth0 default
You should replace eth0 with the name of your link.


The gentoo way to:

- start a service is:
 /etc/init.d/service-name start
For example: /etc/init.d/net.eth0 start

- stop a service is:
 /etc/init.d/service-name stop
For example: /etc/init.d/net.eth0 stop

- make a service auto-start during boot is:
 rc-update add service-name run-level
For example: rc-update add net.eth0 default

- prevent a service from auto-starting during boot is:
 rc-update del service-name
For example: rc-update del net.eth0 default


-- 
Best regards,
Daniel

-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] world favorites: pros and cons

2006-07-05 Thread Alexander Skwar
Daniel Iliev wrote:

 I have no problem with the redundant cruft - when I want just to try
 some package I do emerge --pretend and record the list of dependencies
 it wants to pull-in. If I decide the package is not useful to me, I
 un-emerge not only the package, but also the dependencies it had
 pulled-in during its installation.

That's risky!

Suppose, you want to install a. a needs b. You keep a & b
installed.

Later on, you decide to try c. c needs b as well. But as b
is already installed, emerge -p c won't show b. You install c
and do *NOT* write down, that c needs b, as you don't know that.

Even more later on, you decide to deinstall a. According to what
you wrote above and according to your documentation, you'll see that
b got installed because of a and you'll remove b as well.

Yet more later on, you find out, that c is broken and wonder why.

The basic problem here is, that there's no way to see, which packages
depend on a given package - at least I don't know how to find that out.
What's required, is a way to be told, that packages a and c depend
on b.

Now, if you'd use the world file as it was supposed to be used, you'd
remove a and could do a emerge --depclean --pretend. Doing so, the
system would *NOT* show you package b, as it's still a dependency
of c. Only after you remove c as well, b would show up in a
depclean run.

Alexander Skwar
-- 
The more laws and order are made prominent, the more thieves and
robbers there will be.
-- Lao Tsu
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] problem w/ portage tmp on nfs

2006-07-05 Thread Alan McKinnon
On Tue, 2006-07-04 at 16:06 -0300, Daniel da Veiga wrote:
 I have some portage stuff mounted with nfs, the only way for portage
 to work with those dirs was to set no_root_squash at /etc/exports at
 the host machine... I don't know why, even with full permissions,
 portage refused to work.

Because even if portage is running as root on the local machine, portage
won't run with root permission on the remote machine when
accessing /usr/portage.

The only way to do that is to tell the remote machine to grant root
access *if* the client is running as root by using no_root_squash

alan

-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] world favorites: pros and cons

2006-07-05 Thread Neil Bothwick
On Wed, 05 Jul 2006 15:43:53 +0300, Daniel Iliev wrote:

 That is correct. What are the disadvantages besides the longer seeks for
 updates?

What longer seeks? --update only check one level of dependencies for
updates, a few seconds at most. That's nothing compared with the time you
could spend trying to fix a broken system.

 I have no problem with the redundant cruft - when I want just to try
 some package I do emerge --pretend and record the list of dependencies
 it wants to pull-in. If I decide the package is not useful to me, I
 un-emerge not only the package, but also the dependencies it had
 pulled-in during its installation.

What if you installed something else with overlapping dependencies
between merging and unmerging? You'll break it because you have removed
its dependencies.

The world file is part of how portage manages dependencies, pollute it
with packages that should not be there and portage will not work as it
should.


-- 
Neil Bothwick

Someone who thinks logically is a nice contrast to the real world.




Re: [gentoo-user] Re: Samba install fails

2006-07-05 Thread Alexander Skwar
Paul Stear wrote:

 Sorry to reply to my own post but I found a fix on the forums, it's now in 
 the 
 process of emerging.

Care to point out, what the fix is? Or at least a pointer to the thread?
This would benefit the list.

Thanks,

Alexander Skwar
-- 
The more laws and order are made prominent, the more thieves and
robbers there will be.
-- Lao Tsu
-- 
gentoo-user@gentoo.org mailing list



[gentoo-user] Re: Protecting my server against an individual

2006-07-05 Thread dnlt0hn5ntzhbqkv51

On Tue, 04 Jul 2006 18:56:02 -0400, Grant [EMAIL PROTECTED] wrote:


It has come to my attention that a particular person I know may be
intent on attacking my server/website in any way possible.  He doesn't
know much about Linux but does know Windows.  What kind of things
should I lock down to protect my remote hosted server?  I don't have
time to get too crazy with security right now, but what kinds of
simple tricks might this fellow learn by asking around on forums, etc?


A Windows guy has all of the techniques/tools that a 'nix guy has - he'll
figure out what servers you have, which ports, which software, what
vulnerabilities .. all of it. He'll even use some of the same tools
(e.g. nmap).

If your server is misconfigured (e.g allows root logon); if passwords are
trivial; if software is out-of-date with known vulnerabilities; he could
break in and deface the site; erase the OS; install a root kit and hide a
key logger.


Suggest that you shut this thing down 'til you have a security plan that
you understand, and with which you are comfortable.

If that is not possible, then implement the items mentioned earlier, and
additionally assure:

1. that your passwords are at least 15 characters long with capitals and
numerics. A repeated password is fine (e.g. gentoo becomes
gEnt0*gEnt0*gEnt0*)

2. that you can easily and confidently restore your backups (you do have
backups!?)

3. that you can tell if you've been hacked (e.g. samhain, tripwire).

4. And that your software is up to date.

After that, you can look into IDS, Trojan scanning, chroot jails,
hardening, and other things that servers under attack might consider.
--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] world favorites: pros and cons

2006-07-05 Thread Daniel Iliev
Alexander, Neil thank you for pointing me out this problem.

I think both of you refer to the same scenario and Alexander illustrated
it with an example. For clarity I'll use the same letters to substitute
package names in my next question.


1) I install a which pulls-in c
2) I *manually* install c. I install a
3) I Install b. b depends on c. b doesn't pull-in c because
c is already *manually* installed along with a
4) I uninstall a
5) I *manually* uninstall c
6) b becomes broken because c is no longer in the system


Let's investigate further:


emerge --deep --update world will install c, won't it?

emerge b or emerge c will solve the problem, won't it?


It appears removing c is not as dangerous as it seems at first glance
or I'm wrong?


-- 
Best regards,
Daniel

-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Xorg meta apps

2006-07-05 Thread Andrew Frink
On 7/5/06, Mick [EMAIL PROTECTED] wrote:
 I updated to the new xorg and discovered that a lot of applications
 (e.g. xcalc, xvidtune, etc.) were uninstalled when I unmerged the
 monolithic version, but were not reinstalled with the new meta.  So, I
 thought of trying emerging them individually.  However, they seem to
 be masked.  Is this because they are not compatible with the new meta
 ebuild?  What should I do?

 --
 Regards,
 Mick
 --
 gentoo-user@gentoo.org mailing list

Mick,
AFAIK, they are compatible. The one system that is running Xorg7 (been
playing games on my stable one too much recently) did not see that, then
again I was using Xorg7 while it was still in p.mask

Cynyr


Re: [gentoo-user] world favorites: pros and cons

2006-07-05 Thread Alan McKinnon
On Wed, 2006-07-05 at 15:16 +0200, Alexander Skwar wrote:
 The basic problem here is, that there's no way to see, which packages
 depend on a given package - at least I don't know how to find that
 out.

equery depends given package name

Not always 100% accurate though, as someone politely pointed out
yesterday

alan


-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] world favorites: pros and cons

2006-07-05 Thread Neil Bothwick
On Wed, 05 Jul 2006 17:29:16 +0300, Daniel Iliev wrote:

 1) I install a which pulls-in c
 2) I *manually* install c. I install a
 3) I Install b. b depends on c. b doesn't pull-in c because
 c is already *manually* installed along with a
 4) I uninstall a
 5) I *manually* uninstall c
 6) b becomes broken because c is no longer in the system
 
 
 Let's investigate further:
 
 
 emerge --deep --update world will install c, won't it?
 
 emerge b or emerge c will solve the problem, won't it?

so you go to a lot of trouble to circumvent portage's dependency
handling, then you rely on portage to fix things up after your break
them. You need to keep lists of what you have merged and unmerged simply
to compensate for having broken portage's own list for no good reason.

What happens if you reboot after unmerging c, and its absence causes
the system to fail to boot? What if you remove something that stops
emerge working?

Gentoo is all about choice, so you are free to choose to use it like
this, just as you are free to do rm -fr /*. But don't expect someone to
come up with a magic fix when things get screwed up.


-- 
Neil Bothwick

Isn't 'Criminal Lawyer' rather redundant?




[gentoo-user] Re: iptables wiki

2006-07-05 Thread James
Daniel danny at ilievnet.com writes:



  When I go to /etc/init to write my rules into firewall.sh
  as specified in the aforementioned wiki I automatically get
  this shoved into the script:
  
  #!/sbin/runscript
  # Copyright 1999-2006 Gentoo Foundation
  # Distributed under the terms of the GNU General Public License v2
  # $Header: $
  depend() {
  }
  start() {
  }
  stop() {
  }
  restart() {
  }

  curiously none of the example talk about this.

  Is this the correct place to put my script(/etc/init.d/, 
  which is somewhat similar to the one suggested in the
  wiki?

  None of the examples I found googling discuss the details of where to put
  the script, how to launch it and other such details. Any suggestion
  are welcome. I have found lots of  example scripts similar to my 3 nic
  net/lan/dmz setup though.

  Any suggestions are very welcome.

  James

 Actually IMHO gentoo has internal mechanism for dealing with iptables rules.

 After you are ready and sure the rules work OK, you do:

 1) /etc/init.d/iptables save

agreed, but only if I load the rules manually; i.e.
entering the rules via  the command line such as
in D. Robbins doc: 
http://gentoo-wiki.com/HOWTO_Iptables_and_stateful_firewalls#Should_I_take_this_tutorial
 This would record your rules in /var/lib/iptables/rules-save as you


 issued the command iptables-save > /var/lib/iptables/rules-save ]

This will work if one loads the rules manually at the command line.
Where do I put a script of iptables command, so it is read the
rule sets generated and then saved into /var/lib/iptables/rules-save?



 Then you put iptables in the init sequence so the rules are restored at
 every system start:

Details on where to put the script and how best to 'loaded' into the boot 
sequence via my script, is what is elusive. 

[A]  The best I can figure is
I put a script in /etc/, run it manually at the command line. The
ruleset will then be generated and saved into 
/var/lib/iptables/rules-save. Upon reboot, the /etc/init.d/iptables
script reads the /var/lib/iptables/rules-save file.

After that if I want to modify the rules, I edit my script, run
my script manually, then issue:
iptables-save > /var/lib/iptables/rules-save
and my modifications are in the file that gentoo checks natively.

If I want to then test the rules, without rebooting, I issue:

/etc/init.d/iptables stop
/etc/init.d/iptables start


 
 2) rc-update add iptables default

 This would do iptables-restore < /var/lib/iptables/rules-save at
 every boot.

yes, understood.

 3) Additionally you can set some parameters in /etc/conf.d/iptables
understood.


What I'm looking for is the series of steps to 
1. Where best to locate my script?
2. Insert (new) commands into the script.
3. convert new scripted commands into rulesets 
4. Load rulesets into the /var/lib/iptables/rules-save
5.  Restart the iptables/netfilter firewall
6. Test the (new) ruleset
7. Go to step 2 and repeat until a wonderful firewall results.

If what I work above [A] is correct then I just need some suggestions
as to where the script should be located under /etc/, for 
consistency with gentoo mindsets.

If what I have written is incorrect, please correct with some detail?

PS: I'm not trying to be a pain, I just need to fully understand the
process on Gentoo.


James






-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] syslog-ng + automatic respawn of target programs

2006-07-05 Thread Richard Fish

On 7/4/06, thomas blomme [EMAIL PROTECTED] wrote:


http://www.campin.net/syslog-ng/expanded-syslog-ng.conf

look at the above link, it contains all functions syslog can have


Ok.  It is also in the documentation installed at
/usr/share/doc/syslog-ng-*/html/.  So I guess it is just an omission
from the man page.

Back to the OP's question, the syslog documentation seems to make it
clear that it will not respawn the program to prevent DoS attacks.  If
you want this, you can create a shell script around the program you
want to call, and handle any respawns there.  A simple implementation
might be:

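# Start the program in the background and remember its PID.
$program &
pid=$!
# wait returns the program's exit status, so this loop restarts the
# program each time it exits with status 0.
while wait $pid; do
   $program &
   pid=$!
done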

Of course, it would be best to add in some type of abort mechanism in
case $program starts dying unexpectedly, so you don't try to exec it
1000's of times per second.

-Richard
--
gentoo-user@gentoo.org mailing list
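
The abort mechanism suggested at the end of the message above, as an added example (not code from the thread or from syslog-ng): a wrapper that restarts the target program, whatever its exit status, but gives up once it has been started too often within a time window. The function name `respawn_limited`, its arguments and the `RESPAWN_DELAY` variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example: respawn wrapper with a restart limit.
#
# respawn_limited MAX WINDOW CMD [ARGS...]
#   Runs CMD in the foreground and restarts it whenever it exits, whatever
#   its exit status. Returns 1 once CMD has been started MAX times within
#   WINDOW seconds, so a program that dies immediately cannot be
#   re-executed in a tight loop.
#   RESPAWN_DELAY (seconds, default 1) is the pause between restarts.
respawn_limited() {
    max_starts=$1
    window=$2
    shift 2

    starts=0
    window_start=$(date +%s)

    while :; do
        now=$(date +%s)
        # Open a new counting window once WINDOW seconds have passed
        # since the current one began.
        if [ $((now - window_start)) -ge "$window" ]; then
            window_start=$now
            starts=0
        fi

        if [ "$starts" -ge "$max_starts" ]; then
            echo "respawn: $1 started $starts times within ${window}s, giving up" >&2
            return 1
        fi
        starts=$((starts + 1))

        # The child inherits stdin, so it still reads what the caller pipes in.
        status=0
        "$@" || status=$?
        echo "respawn: $1 exited with status $status" >&2

        sleep "${RESPAWN_DELAY:-1}"
    done
}

# Stand-alone use: respawn.sh MAX WINDOW CMD [ARGS...]
if [ "$#" -ge 3 ]; then
    respawn_limited "$@"
fi
```

With `respawn_limited 5 60 /path/to/program`, a program that dies at once is started five times, about one second apart, and is then left dead until someone investigates.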



Re: [gentoo-user] histappend shell option

2006-07-05 Thread Richard Fish

On 7/5/06, Trenton Adams [EMAIL PROTECTED] wrote:

Hi guys,

Where would I suggest a standard shell option to be incorporated into
/etc/bash/bashrc?


bugs.gentoo.org would be the appropriate place.  File it as an
enhancement request.


I can't stand it when I logout of multiple shells, and get only the
history of the last one.  Especially on root.

So, I use the histappend shell option.
shopt -s histappend

Wouldn't it be good to incorporate this into the standard bash shell?


I don't see any downside to this, although it seems like a fairly
trivial thing for the user who wants this to add it to their .bashrc
files.  There might be some desire to keep the configuration as close
to the $UPSTREAM defaults as possible.

-Richard
--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Xorg meta apps

2006-07-05 Thread Donnie Berkholz
Mick wrote:
 I updated to the new xorg and discovered that a lot of applications
 (e.g. xcalc, xvidtune, etc.) were uninstalled when I unmerged the
 monolithic version, but were not reinstalled with the new meta.  So, I
 thought of trying emerging them individually.  However, they seem to
 be masked.  Is this because they are not compatible with the new meta
 ebuild?  What should I do?

If there are apps you use that you need stabilized, please file a bug
requesting this. We haven't stabilized everything because we're trying
to get an idea of what people actually use.

Thanks,
Donnie





Re: [gentoo-user] Re: iptables wiki

2006-07-05 Thread Richard Fish

On 7/5/06, James [EMAIL PROTECTED] wrote:


 1) /etc/init.d/iptables save



This will work if one loads the rules manually at the command line.
Where do I put a script of iptables command, so it is read the
rule sets generated and then saved into /var/lib/iptables/rules-save?


Anywhere you like.  All that matters is that you run it so your
iptables are setup like you want, then run /etc/init.d/iptables save
followed by rc-update -a iptables default.


After that if I want to modify the rules, I edit my script, run
my script manually, then issue:
iptables-save > /var/lib/iptables/rules-save


No, /etc/init.d/iptables save is the better choice.  The file might
move, or the format change, or something similar.


If I want to then test the rules, without rebooting, I issue:

/etc/init.d/iptables stop
/etc/init.d/iptables start


Not necessary.  After running your script, the tables will be setup
according to the script, and you can test away.  You probably want
your script to have the following at the top:

iptables -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

This flushes all rules, and resets the default policies, so that only
the rules that you specify later take effect.  Very useful for
clearing out old artifacts of stuff...


What I'm looking for is the series of steps to
1. Where best to locate my script?


Mine is in ~/bin/.


2. Insert (new) commands into the script.


$EDITOR


3. convert new scripted commands into rulesets
4. Load rulesets into the /var/lib/iptables/rules-save


Don't do this. Run your script, and let /etc/init.d/iptables save do
the work for you.


5.  Restart the iptables/netfilter firewall


If you flush/reset like I describe above, this is not necessary, just
run your script.


If what I work above [A] is correct then I just need some suggestions
as to where the script should be located under /etc/, for
consistency with gentoo mindsets.


You can put it anywhere you like.  I prefer ~/bin/ since there I know
it is *not* something that Gentoo created.

-Richard
--
gentoo-user@gentoo.org mailing list
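
The edit, run, test and save loop described in the reply above, as an added example (not the poster's script): a firewall script that opens with the flush and policy reset quoted in the reply and can print its commands instead of applying them. The rules themselves, the SSH port, the extra `-X`, and the names `ipt`, `load_rules`, `DRY_RUN`, `--dry-run` and `--apply` are assumptions made for this example.

```shell
#!/bin/sh
# Added example: a firewall script for the edit / run / test / save loop.
# The rule set (loopback, established traffic, one SSH port) is illustrative.
SSH_PORT=${SSH_PORT:-22}   # assumption: sshd listens on its default port

# ipt ARGS...: run iptables, or only print the command when DRY_RUN=1.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

load_rules() {
    # Flush and reset first, so nothing from an earlier run survives.
    # -F empties the chains of the filter table; -X also deletes
    # user-defined chains left over from an older version of the script.
    ipt -F || return 1
    ipt -X || return 1
    ipt -P INPUT ACCEPT || return 1
    ipt -P OUTPUT ACCEPT || return 1
    ipt -P FORWARD DROP || return 1

    # The INPUT policy stays ACCEPT, so a bare flush never cuts off a
    # remote session; the last rule in the chain does the dropping.
    ipt -A INPUT -i lo -j ACCEPT || return 1
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT || return 1
    ipt -A INPUT -p tcp --dport "$SSH_PORT" -j ACCEPT || return 1
    ipt -A INPUT -j DROP || return 1
}

# --dry-run prints the commands for review; --apply loads them (as root).
case "${1:-}" in
    --dry-run) DRY_RUN=1; load_rules ;;
    --apply)   load_rules ;;
esac
```

Once the applied rules behave as intended, `/etc/init.d/iptables save` stores them for the next boot, as the reply describes.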



Re: [gentoo-user] Re: iptables wiki

2006-07-05 Thread Dale
James wrote:

 What I'm looking for is the series of steps to 
 1. Where best to locate my script?
 2. Insert (new) commands into the script.
 3. convert new scripted commands into rulesets 
 4. Load rulesets into the /var/lib/iptables/rules-save
 5.  Restart the iptables/netfilter firewall
 6. Test the (new) ruleset
 7. Go to step 2 and repeat until a wonderful firewall results.

 If what I work above [A] is correct then I just need some suggestions
 as to where the script should be located under /etc/, for 
 consistency with gentoo mindsets.

 If what I have written is incorrect, please correct with some detail?

 PS: I'm not trying to be a pain, I just need to fully understand the
 process on Gentoo.


 James

   

You can search around for a script to run.  I found one here:

http://openchemist.net/linux/howto/files/theWall

You can find others though that are more to your liking of course.  What
I did a long time ago is this.  I found a script that did what I needed
and downloaded it.  I then put it in /sbin and made it executable.  I
ran the command to make sure it would work.  After that I did a
/etc/init.d/iptables save and from then on it has worked.  I did have to
change a setting when I started using samba then save it again but it is
not too hard. 

Now figuring out the iptables command is another matter.  It never has
really made much sense to me.  I just searched for a good script and ran it.

Dale

:-)  :-)
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] world favorites: pros and cons

2006-07-05 Thread Richard Fish

On 7/5/06, Daniel Iliev [EMAIL PROTECTED] wrote:

That is correct. What are the disadvantages besides the longer seeks for
updates?


Another disadvantage is that you defeat a big reason for having USE
flags.  For example, if you merge pkg A that USEs X to depend on pkg
B, and you have X in your USE flag, the A will depend on B and pull it
in as a dependency.

If you later take X out of your use flags, and do an emerge -DNuv
world, the A no longer depends on B.  But since it is still in your
world file, portage will assume you want this package, and continue to
compile updates for it with each new version.  That can be a pretty
huge waste of time.


I have no problem with the redundant cruft - when I want just to try
some package I do emerge --pretend and record the list of dependencies
it wants to pull-in. If I decide the package is not useful to me, I
un-emerge not only the package, but also the dependencies it had
pulled-in during its installation.


You're going through a lot of work to circumvent the dependency
tracking that is already built into portage.  Why not just merge the
top-level package, and if you don't like it, unmerge and use
--depclean --pretend to figure out what can safely be removed?

And I don't necessarily believe that having everything in world
results in a significantly faster scan time than having only top-level
packages there.  I would like to see actual proof of this assertion.

-Richard
--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Protecting my server against an individual

2006-07-05 Thread Daniel da Veiga

On 7/5/06, Alexander Skwar [EMAIL PROTECTED] wrote:

Trenton Adams wrote:
 I would move ssh to a very high port number of your choice.  Most ssh
 port scanners do not bother checking anything other than port 22, as
 it is too time consuming.  I have not had any weird hits on my ssh
 port in years.  It was hammered daily, even with attempted logins and
 such, with it running on port 22.  Now, pretty much nothing.  Why not
 use something like 65350 or some random high port like that?

ACK. Good idea. One more thing though: I'd not use a strange port
like 65350, but rather a port, which might be legitimately open.
Suppose you've got a web server and DON'T use ssl. In this case,
https (443) would be available. Or if you don't have a usenet server,
you could use 119.

Reason: It's normal that such ports are open. If I were a
script kiddie, I wouldn't bother looking at normally open
ports. But if there's something strange like 65350, I *would*
look.



I completely agree with Alexander. In my young (and stupid) days I
would scan computers around my network for vulnerabilities, and open
ports where known services run were only targeted by specific attacks.
Trying to run (for example) a brute-force scan outside of 22, 23, 21
and other known ports was considered just a waste of time. But as the
OP stated that this guy would target his machine only, you can safely
assume it won't be a non-assisted method.

A few years later, as a lab administrator, I've learned that you may block
whatever you want, but you gotta keep in mind that a server is there
to serve. Those services are the targets of attacks, and thus,
they're the real concerns. It doesn't matter how hard you implement a
firewall if you left a SQL Inject hole in your web server, you must be
more careful with what you OFFER than possible backdoors, I say that
because nowadays most servers run behind router firewalls blocking
traffic that is strange to the server, and those who don't have this
usually implement some way to write rules about traffic (iptables for
instance).

So, keep an eye open for security on your services software (ssh,
apache, dbs, etc).


 And yes, you probably shouldn't be asking these questions if you have
 an important linux computer on the internet.  Because if it is
 important, you should know what you are doing before you put it on the
 internet.

 If on the other hand, you're just getting to know linux, and the
 computer is not all that important, then you should be asking these
 questions.

Yes, he *CERTAINLY* should be asking those questions - but he
shouldn't have a server on the internet. Reason: It might be
so, that the system is less secure than it ought to be and thus
might be already part of a botnet or somesuch. And if it were
part of a botnet, it might be used to attack other systems or
to simply relay spams.

Because of that, I find it somewhat irresponsible or at the
very least questionable, when users with not so much knowledge
operate servers. And it doesn't matter at all, if the system
is important to the OP - it matters only, if it might be used
to do things, which the OP doesn't want.



Again, I agree. But not only Servers, Desktops and any machine
connected to the internet should have security, and people running
these machines should have knowledge, but that is simply not the case,
especially with people running windows (which is 90% of the personal
computers connected). All this computer power can be used (and has
been) for botnets, hacker attacks, etc.

Adaptive firewalls, service blocks, traffic control, every single
way to try and stop this is encouraged and good. I think the OP is a
step ahead by simply asking these questions.

My tips:

1) Block everything that you do not need (least open ports, least risk).

2) Check what you have open for specific security holes. Keep logs,
check them often, index them, make reports so you don't need to scroll
every single line (try Cacti, it is awesome).

3) Think as a cracker, if you would try to break your server, what would you do?

--
Daniel da Veiga
Computer Operator - RS - Brazil
--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Protecting my server against an individual

2006-07-05 Thread Ryan Tandy

Alexander Skwar wrote:

Ryan Tandy wrote:

you're running a firewall of some kind (and you'd be crazy not to for 
any publicly accessible box),


Actually, I'd disagree. If only the necessary publicly accessible services
are running on a box, what good should a firewall (I suppose you mean
packet filter, like iptables) do? The only useful measure I can think about,
is to do rate limiting. But what else?

Alexander Skwar


Point taken, and agreed with.  I retract the "crazy not to" part;
however, some netfilter/iptables features can be very handy in limiting 
access to said services (e.g. dropping all SSH connections not coming 
from your IP).


I guess sometimes my Windows days do come back to haunt me... ;)
--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] P IV power managing error

2006-07-05 Thread Richard Fish

On 7/5/06, Leonardo [EMAIL PROTECTED] wrote:

FATAL: Error inserting acpi_cpufreq
(/lib/modules/2.6.17-gentoo/kernel/arch/i386/kernel/cpu/cpufreq/acpi-cpufreq.ko):
No such device

however I can successfully load the modules:
ac battery fan thermal button processor

What's wrong? Below some more infos.


Nothing is wrong, it just means that ACPI doesn't control the clock
frequency of your CPU.  Try using the p4-clockmod (?) driver instead.

-Richard
--
gentoo-user@gentoo.org mailing list



[gentoo-user] Re: iptables wiki

2006-07-05 Thread James
Dale teendale at vista-express.com writes:


 Now figuring out the iptables command is another matter.  It never has
 really made much sense to me.  I just searched for a good script and ran it.


Well that I can help with.

Get the book LINUX FIREWALLS 
Third Edition
by Steve Suehring and Robert L. Ziegler

http://www.braingia.org/books/linuxfirewalls/ has some modern scripts



Thanks for the information!

James






-- 
gentoo-user@gentoo.org mailing list



[gentoo-user] Big thanks to spyderous

2006-07-05 Thread Richard Fish

Just want to give a big public Thank You to spyderous for hanging
out in -user and helping out those who had/are having trouble with the
modular-X upgrade.

Cheers,
-Richard
--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] world favorites: pros and cons

2006-07-05 Thread Daniel Iliev
Neil Bothwick wrote:

 
 so you go to a lot of trouble to circumvent portage's dependency
 handling, then you rely on portage to fix things up after your break
 them. You need to keep lists of what you have merged and unmerged simply
 to compensate for having broken portage's own list for no good reason.

Well I don't have the feeling I go to a lot of trouble and I *absolutely
don't circumvent portage's dependency handling* and I don't see anything
broken in my system even though it is about 2 years old.
Keeping lists happens in very rare occasions. Testing a package means I
install, look around and uninstall it. I'm not randomly emerging other
stuff in the mean time.


 What happens if you reboot after unmerging c, and its absence causes
 the system to fail to boot? What if you remove something that stops
 emerge working?
 

Highly unlikely. For two reasons:

1) How come that I was able to boot w/o the package in question in the first
place? :)
2) The kind of package you're talking about is listed in the system
profile. If you try to remove such a package portage yells out a big fat
warning.


 Gentoo is all about choice, so you are free to choose to use it like
 this, just as you are free to do rm -fr /*. But don't expect someone to
 come up with a magic fix when things get screwed up.
 
 

Correct. And I triggered this discussion here about a different way of
handling packages. A way that is neither forbidden nor mentioned as
inappropriate in the official documentation. So there shouldn't be
anything wrong with it, right?
I find your comparison involving rm -rf /* to be irrelevant. Using a
system one way or another is not the same as making a human error.

So far I haven't made the choice of doing rm -rf / but actually once I
did cat /dev/zero > /dev/hda instead of cat /dev/zero > /dev/hda2 by
mistake. In cases like this there's no package management system that
could help, no matter if it is portage, apt, yast, swaret or whatever.
Long live the...backups! :)


Last but not least. When it comes to redundant packages in the system.
What happens when you do (the right way?):

1) emerge a
2) a pulls-in b and c as dependencies
3) emerge -C a
4) a goes out but b and c stay there just to take place
5) emerge --depclean

Well...The first thing one can see reads:
 *** WARNING ***  --depclean is known to be broken.

So you prefer to clean the system up using a procedure that is known to
be broken or you just leave useless packages to take space on your HDDs?

It is my opinion that Gentoo's documentation and portage's behavior
suggest leaving junk packages on your system.
Which indeed is the right way?


-- 
Best regards,
Daniel

-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Xorg meta apps

2006-07-05 Thread Mick

On 05/07/06, Donnie Berkholz [EMAIL PROTECTED] wrote:

Mick wrote:
 I updated to the new xorg and discovered that a lot of applications
 (e.g. xcalc, xvidtune, etc.) were uninstalled when I unmerged the
 monolithic version, but were not reinstalled with the new meta.  So, I
 thought of trying emerging them individually.  However, they seem to
 be masked.  Is this because they are not compatible with the new meta
 ebuild?  What should I do?

If there are apps you use that you need stabilized, please file a bug
requesting this. We haven't stabilized everything because we're trying
to get an idea of what people actually use.


Thanks.  I will do so.  I was just worried that the new xorg-meta
ebuild may require different x-apps-meta ebuilds and that's why the
old ebuilds are now masked.

Is there perhaps a 'bucket' bug report that I should add to for this
problem, or should I start a new one?
--
Regards,
Mick
--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] world favorites: pros and cons

2006-07-05 Thread Daniel Iliev
Richard Fish wrote:

 If you later take X out of your use flags, and do an emerge -DNuv
 world, the A no longer depends on B.  But since it is still in your
 world file, portage will assume you want this package, and continue to
 compile updates for it with each new version.  That can be a pretty
 huge waste of time.

Thanks! Good point!


--snip
  Why not just merge the
 top-level package, and if you don't like it, unmerge and use
 --depclean --pretend to figure out what can safely be removed?
 

Because if I decide to keep it, all dependencies it pulls-in don't get
updated until the top-level package starts depending on a different
version of those packages. Actually this is the main reason I started
this practice.
emerge --depclean yells a big warning that it is broken.

 And I don't necessarily believe that having everything in world
 results in a significantly faster scan time than having only top-level
 packages there.  I would like to see actual proof of this assertion.
 
 -Richard

No, no! I'm saying just the opposite - the more packages you have
recorded in the world list, the slower scanning you get.


-- 
Best regards,
Daniel

-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] world favorites: pros and cons

2006-07-05 Thread Daniel da Veiga

On 7/5/06, Daniel Iliev [EMAIL PROTECTED] wrote:

Neil Bothwick wrote:

 Now portage has no idea of which packages
 are there because you want them, which are there because they are
 dependencies of something you want and which are redundant cruft installed
 as a dependency of a package you no longer have installed.

 On your system, your packages, their dependencies and the cruft are all
 considered part of world.



That is correct. What are the disadvantages besides the longer seeks for
updates?

I have no problem with the redundant cruft - when I want just to try
some package I do emerge --pretend and record the list of dependencies
it wants to pull-in. If I decide the package is not useful to me, I
un-emerge not only the package, but also the dependencies it had
pulled-in during its installation.




You're manually doing stuff that portage should do. This breaks
portage system, gives you more trouble (because you have to manually
undo stuff in order to not break your dependency list) and have
turned the whole dependency check lists and ebuilds dependency check
useless. An emerge --update --deep world for you is an emerge world.
You put some of the work of portage on your own hands, don't be
surprised if that breaks something.

--
Daniel da Veiga
Computer Operator - RS - Brazil
--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Re: iptables wiki

2006-07-05 Thread Dale
James wrote:
 Dale teendale at vista-express.com writes:


   
 Now figuring out the iptables command is another matter.  It never has
 really made much sense to me.  I just searched for a good script and ran it.
 


 Well that I can help with.

 Get the book LINUX FIREWALLS 
 Third Edition
 by Steve Suehring and Robert L. Ziegler

 http://www.braingia.org/books/linuxfirewalls/ has some modern scripts



 Thanks for the information!

 James
   

Yea, but I'm disabled and plus the bookstores around here don't carry
anything Linux.  So between me not having the money and nothing
available locally, I have to depend on the net for stuff.  I don't like
to buy books online because I like to thumb through them first.

Besides, I prefer finding someone's handy work and checking it out.  One
day, my light bulb will go off.

Dale
:-)  :-)
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Anyone using Yahoo as Postfix relay? (Name service error for name=smtp1.mail.vip.ukl.yahoo.com type=MX: Malformed name server reply)

2006-07-05 Thread kashani

Stroller wrote:


Did you authenticate properly @smtp.mail.yahoo.co.uk ?


I believe so. There's nothing in the logs to indicate that I haven't, 
and the user:pass in /etc/postfix/sasl_passwd is correct,




In my case I noticed that sasl auth on relay doesn't seem to work unless 
I set the following in main.cf


smtpd_sasl_auth_enable = no
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes

It's the smtp_sasl_auth_enable = yes line that is the most important.

kashani
--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Big thanks to spyderous

2006-07-05 Thread fire-eyes
On Wednesday 05 July 2006 12:51, Richard Fish wrote:
 Just want to give a big public Thank You to spyderous for hanging
 out in -user and helping out those who had/are having trouble with the
 modular-X upgrade.

Indeed!

-- 
When you walk across the fields with your mind pure and holy, then from
all the stones, and all growing things, and all animals, the sparks of
their soul come out and cling to you. And then they are purified, and
become a holy fire in you. -- Ancient Hasidic Saying
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] P IV power managing error

2006-07-05 Thread Leonardo


--- Richard Fish [EMAIL PROTECTED] wrote:

 On 7/5/06, Leonardo [EMAIL PROTECTED] wrote:
  FATAL: Error inserting acpi_cpufreq
 

(/lib/modules/2.6.17-gentoo/kernel/arch/i386/kernel/cpu/cpufreq/acpi-cpufreq.ko):
  No such device
 
  however I can successfully load the modules:
  ac battery fan thermal button processor
 
  What's wrong? Below some more infos.
 
 Nothing is wrong, it just means that ACPI doesn't control the
 clock
 frequency of your CPU.  Try using the p4-clockmod (?) driver
 instead.
 
 -Richard

Thanks Richard for the clarification, that works.
(modprobe p4-clockmod)

Ciao, Leo



-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] world favorites: pros and cons

2006-07-05 Thread Richard Fish

On 7/5/06, Daniel Iliev [EMAIL PROTECTED] wrote:

  Why not just merge the
 top-level package, and if you don't like it, unmerge and use
 --depclean --pretend to figure out what can safely be removed?


Because if I decide to keep it, all dependencies it pulls-in don't get
updated until the top-level package starts depending on a different
version of those packages. Actually this is the main reason I started
this practice.


Not if you use --deep on your updates.  Then dependencies are also
considered for updates.  Some people here will tell you that --deep is
troublesome, but I am not one of them, and it seems like what you want
to do.


emerge --depclean yells a big warning that it is broken.


There are 2 problems with --depclean:

1. it takes your current use flags into account, rather than those
that were in effect at the time a package was merged.  So if you
modify USE flags, it can report things can be removed, when in reality
that would break something.  But if you do an emerge -DNvp world,
and it doesn't report anything needing to be [re]merged, then this
doesn't apply.

2. it can remove packages that you really do want.  As an example,
let's say you are programming something that uses the boost c++
library.  If you were to remove everything in portage that depended on
boost, and it wasn't in your world file, then depclean would want to
remove it.  The solution here is to add boost to your world file,
since you want that no matter what else is installed.

IMO neither of the above 'problems' are particularly serious, or a
good reason to add every dependency to world.


 And I don't necessarily believe that having everything in world
 results in a significantly faster scan time than having only top-level
 packages there.  I would like to see actual proof of this assertion.

No, no! I'm saying just the opposite - the more packages you have
recorded in the world list, the slower scanning you get.


Yeah, well, I don't necessarily believe the reverse either! :-)

Regards,
-Richard
--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] world favorites: pros and cons

2006-07-05 Thread Daniel Iliev
Daniel da Veiga wrote:

 You're manually doing stuff that portage should do. This breaks
 portage system, gives you more trouble (because you have to manually
 undo stuff in order to not break your dependency list) and have
 turned the whole dependency check lists and ebuilds dependency check
 useless. An emerge --update --deep world for you is an emerge world.
 You put some of the work of portage on your own hands, don't be
 surprised if that breaks something.
 

OK. I agree that my way makes emerge --update --deep world equal to
emerge --update world. Then what is the original purpose of emerge
--update world?


-- 
Best regards,
Daniel

-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Re: iptables wiki

2006-07-05 Thread Steve Wilson
Have you tried kmyfirewall ?
Steve
On Wednesday 05 July 2006 12:27, Dale wrote:
 James wrote:
  Dale teendale at vista-express.com writes:
  Now figuring out the iptables command is another matter.  It never has
  really made much sense to me.  I just searched for a good script and ran
  it.
 
  Well that I can help with.
 
  Get the book LINUX FIREWALLS
  Third Edition
  by Steve Suehring and Robert L. Ziegler
 
  http://www.braingia.org/books/linuxfirewalls/ has some modern scripts
 
 
 
  Thanks for the information!
 
  James

 Yea, but I'm disabled and plus the bookstores around here don't carry
 anything Linux.  So between me not having the money and nothing
 available locally, I have to depend on the net for stuff.  I don't like
 to buy books online because I like to thumb through them first.

 Besides, I prefer finding someone's handy work and checking it out.  One
 day, my light bulb will go off.

 Dale

 :-)  :-)

-- 
Steve Wilson
HOBI International, Inc.
7601 Ambassador Row, suite 101
Dallas, TX 75247
ph 214.951.0143
fx 214.951.0144

-- 
gentoo-user@gentoo.org mailing list



[gentoo-user] Re: iptables wiki

2006-07-05 Thread James
Richard Fish bigfish at asmallpond.org writes:


  Where do I put a script of iptables command, so it is read the
  rule sets generated and then saved into /var/lib/iptables/rules-save?

 Anywhere you like.  All that matters is that you run it so your
 iptables are setup like you want, then run /etc/init.d/iptables save
 followed by rc-update -a iptables default.

  After that if I want to modify the rules, I edit my script, run
  my script manually, then issue:
  iptables-save > /var/lib/iptables/rules-save

 No, /etc/init.d/iptables save is the better choice.  The file might
 move, or the format change, or something similar.

 You probably want
 your script to have the following at the top:

 iptables -F
 iptables -P INPUT ACCEPT
 iptables -P OUTPUT ACCEPT
 iptables -P FORWARD DROP

Yes I've seen these.

Should I start the script with the typical shebang?
#! /bin/sh

or I've seen this:
#!/sbin/runscript

???

 This flushes all rules, and resets the default policies, so that only
 the rules that you specify later take effect.  Very useful for
 clearing out old artifacts of stuff...

  What I'm looking for is the series of steps to
  1. Where best to locate my script?

 Mine is in ~/bin/.
not /bin/ ? 
interesting choice, under a user's dir.
/usr/local/bin/ might be appropriate too?

  2. Insert (new) commands into the script.
 $EDITOR

  3. convert new scripted commands into rulesets
  4. Load rulesets into the /var/lib/iptables/rules-save

 Don't do this. Run your script, and let /etc/init.d/iptables save do
 the work for you.

So my (edited) script issues new iptables commands
and the gentoo script converts these commands
into rulesets and stores them in /var/lib/iptables/rules-save?

  5.  Restart the iptables/netfilter firewall

 If you flush/reset like I describe above, this is not necessary, just
 run your script.

Yes those (4) lines go into my script, at the beginning.

Modified  series of steps to use my own script
1. Put the my-firewall.sh script in /usr/local/bin/ with '700' permissions.
2. rc-update -a iptables default (issue once )
3. Insert (new) commands into the script then run  my-firewall.sh.
4. run /etc/init.d/iptables save convert (new) script based
   commands into rulesets and load .
5. Test the (new) script {rulesets}.
6. Go to step 3 and repeat until a wonderful firewall results.

Note, step 4 can be added to the end of my-firewall.sh to
combine steps 3 and 4?


Correct if I'm missing anything?


thanks,

James




-- 
gentoo-user@gentoo.org mailing list
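
The edit, run, save loop worked out in the message above, as an added example script (not code from any poster or from Gentoo). It opens with the four reset lines Richard suggests, adds the SSH source restriction Ryan Tandy mentions in the "Protecting my server" thread, and switches INPUT to DROP only as the last step so a half-finished run cannot lock you out. `ADMIN_IP`, the port 80 rule and the `apply` argument are assumptions; without `apply` the script only prints the commands.

```shell
#!/bin/sh
# my-firewall.sh: added example, not from the thread.
# Usage:  my-firewall.sh          print the iptables commands (dry run)
#         my-firewall.sh apply    run them as root, then save the rule set

# Assumed values: 192.0.2.10 is a documentation address used as a placeholder.
ADMIN_IP="${ADMIN_IP:-192.0.2.10}"   # the only host allowed to reach sshd
SSH_PORT="${SSH_PORT:-22}"
DRY_RUN="${DRY_RUN:-1}"

# ipt: print the command in dry-run mode, otherwise execute it.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

build_rules() {
    # Reset block from the thread: flush old rules and reset the default
    # policies so leftovers from earlier runs cannot linger.
    ipt -F
    ipt -P INPUT ACCEPT
    ipt -P OUTPUT ACCEPT
    ipt -P FORWARD DROP

    # Local traffic and replies to connections this host opened itself.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # SSH only from the admin address; everyone else never sees the port.
    ipt -A INPUT -p tcp -s "$ADMIN_IP" --dport "$SSH_PORT" -j ACCEPT

    # Assumed public service on this box (adjust to what you really offer).
    ipt -A INPUT -p tcp --dport 80 -j ACCEPT

    # Last step: everything not accepted above is dropped.
    ipt -P INPUT DROP
}

case "${1:-}" in
    apply)
        # Stop at the first failing command, then let the Gentoo init
        # script write the rule set (the thread's recommendation, rather
        # than writing /var/lib/iptables/rules-save by hand).
        ( set -e; DRY_RUN=0; build_rules; /etc/init.d/iptables save )
        ;;
    *)
        build_rules
        ;;
esac
```

Run it without arguments after every edit to review the rule order before applying it.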



Re: [gentoo-user] world favorites: pros and cons

2006-07-05 Thread Daniel Iliev
Richard Fish wrote:

 
 Not if you use --deep on your updates.  Then dependencies are also
 considered for updates.  Some people here will tell you that --deep is
 troublesome, but I am not one of them, and it seems like what you want
 to do.

Then what is the purpose of:
emerge --update world w/o --deep?


 
 There are 2 problems with --depclean:
 
--snip
 IMO neither of the above 'problems' are particularly serious, or a
 good reason to add every dependency to world.

Well, this means that one has to manually handle things as well as in
the way I deal with packages, right? ;-)


 No, no! I'm saying just the opposite - the more packages you have
 recorded in the world list, the slower scanning you get.
 
 Yeah, well, I don't necessarily believe the reverse either! :-)
 

Well, I have a Pentium 2 @ 400MHz with 128MB RAM. I use it as a router
and prefer not to even remember of its existence. :)
Let's say once a week I update it, but it has only the base system plus
iptables qmail and squid installed.

My desktop is an Athlon XP 1700+ (working at 1.9GHz), 512MB RAM.

Compared to it, the router checks for updates about 2 times faster.
I can't be precise, but if you insist I could do a time emerge -pvuDN
world on both of them and send the results.

The router world file has 90 lines, the desktop world file has 751
lines. ;-)



-- 
Best regards,
Daniel

-- 
gentoo-user@gentoo.org mailing list



[gentoo-user] / becomes read only

2006-07-05 Thread James Colby

List members -

I have a Gentoo install running inside of a vmware ESX server virtual
machine.  I am having a very strange issue though.  Every few days the
root filesystem will become read only and the only way that  I can fix
it is to reboot or power down the virtual machine.  Does anyone have
any ideas as to what might be causing this?  I have searched through
the logs and the only errors that I see regarding my root device
(/dev/sda3) seem to be coming from the FSCK that is done on reboot of
the server.

Any suggestions would be greatly appreciated.
Thanks,
James
--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] automatic notification of changes in certain packages

2006-07-05 Thread Anthony E. Caudel

 Hi folks,

 i'd like to get automatic notification if something in an certain
 package changes, ie. package foo has been masked, unmasked,
 new version, ...

 Is there any service for that yet ?

 cu
 -- 
 -
  Enrico Weigelt==   metux IT service

   phone: +49 36207 519931 www:   http://www.metux.de/
   fax:   +49 36207 519932 email: [EMAIL PROTECTED]
   cellphone: +49 174 7066481
 -
 -- 
 gentoo-user@gentoo.org mailing list



The depreciated gentoolkit program etcat had an option, versions, that
listed all versions available for a package.  Running that periodically
should give you what you want.  You might even customize it a little
more by using a script to watch a particular version.

I don't know whether the function has been picked up in a more modern
program such as equery or not.  I couldn't find it.

etcat is still in /usr/share/doc/gentoolkit-0.2.2/depreciated/etcat/etcat

Tony
-- 
Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety.
   -- Benjamin Franklin
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] xorg-x11 7.0 does not work with nvidia-glx-1.0.7174-r5

2006-07-05 Thread Philipp Riegger

On Jul 5, 2006, at 12:32 PM, Urs Schuetz wrote:


Check whether you have /dev/nvidia[0..9] and /dev/nvidiactl.


I don't have them. But the kernel module is loaded. I'll have a look
at udev now.


They are essential, you want them.
From http://www.gentoo.org/doc/en/nvidia-guide.xml :

  Code Listing 3.2: Creating the nvidia device nodes

  # /sbin/NVmakedevices.sh

  If your /dev/nvidia devices are still missing every time you
  reboot, then it is most likely because udev is not
  automatically creating the proper device nodes. You can fix
  this by re-running NVmakedevices.sh, and then editing
  /etc/conf.d/rc as shown:

  Code Listing 3.3: Editing /etc/conf.d/rc

  RC_DEVICE_TARBALL=yes

  This will preserve your /dev/nvidia nodes even if you reboot.


That solved my problem, thank you. I wonder why i never had problems  
with this before.


Philipp
--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] world favorites: pros and cons

2006-07-05 Thread Daniel da Veiga

On 7/5/06, Daniel Iliev [EMAIL PROTECTED] wrote:

Daniel da Veiga wrote:

 You're manually doing stuff that portage should do. This breaks
 portage system, gives you more trouble (because you have to manually
 undo stuff in order to not break your dependency list) and have
 turned the whole dependency check lists and ebuilds dependency check
 useless. An emerge --update --deep world for you is an emerge world.
 You put some of the work of portage on your own hands, don't be
 surprised if that breaks something.


OK. I agree that my way makes emerge --update --deep world equal to
emerge --update world. Then what is the original purpose of emerge
--update world?



I'll just quote the emerge man page, that is pretty clear there:

--update (-u)
 Updates  packages  to  the best version available, which may not
 always be the highest version number due to masking for  testing
 and  development.   This  will  also  update direct dependencies
 which may not be what you want.  In  general,  use  this  option
 only in combination with the world or system target.

Note the words DIRECT dependencies. So, your command emerge
--update --deep world is in fact just emerge world, because every
direct/indirect dependency is part of your world file. Your way made
--update useless, because a simple emerge package would update
the package.

--deep (-D)
 When used in conjunction with --update, this flag forces  emerge
 to  consider  the entire dependency tree of packages, instead of
 checking only the immediate dependencies of the packages.  As an
 example, this catches updates in libraries that are not directly
 listed in the dependencies of a package.

So, your way also made --deep useless.
These flags are there because they maintain portage in a way that you
can't easily break consistency by accident, and with that I mean
libraries and indirect dependencies.

I'm not arguing that your system WILL break by putting every single
atom of package installed in world, I just say that you are going
against portage evolution by doing its work, and that MAY cause
problems.

Also, the world file is a simple way to keep a package version (by
removing it from world), for instance, I don't wanna upgrade mysql
with my nightly emerge -uDN world, so, its not in my world file.

Also note that indirect dependencies can be a pain, and packages may
depend on a LOT of other packages, if you want an example, check
emerge -euDt links -pv. You can check indirect dependencies! I just
say there are quite a few, and portage knows how to deal with all this
stuff (at least never proved me wrong).

--
Daniel da Veiga
Computer Operator - RS - Brazil
--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] bash wizardry needed: PATH and MANPATH grow and grow and grow

2006-07-05 Thread Boyd Stephen Smith Jr.
On Saturday 03 June 2006 16:11, znx [EMAIL PROTECTED] wrote about 'Re: 
[gentoo-user] bash wizardry needed: PATH and MANPATH grow and grow and 
grow':
 On 27/05/06, Kevin O'Gorman [EMAIL PROTECTED] wrote:
   Open to debate.  I'd think it's not very dangerous at the *end* of
  the PATH.

 True, I have modified the script so that a . may enter the PATH (etc)
 only as the final entry. Also good point about ~/bin .. it is just as
 dangerous.

Actually, it's not as dangerous.  ~/bin is a well-known location that is 
(normally) only writable by the user themselves.  '.' is a floating 
location, that may (from time to time) refer to a directory that is 
world-writable like /tmp, /var/tmp, or /dev/shm.

Having '.' in your path allows arbitrary guest users to run programs with 
your permissions.  Putting it at the end of your PATH prevents them from 
shadowing existing commands, but doesn't prevent them from taking 
advantage of typos.

Having ~/bin or even just ~ in your PATH does not open this security hole 
unless you also make that directory world writable.

-- 
If there's one thing we've established over the years,
it's that the vast majority of our users don't have the slightest
clue what's best for them in terms of package stability.
-- Gentoo Developer Ciaran McCreesh
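
A small audit of the PATH risks described in the message above, as an added example that is not part of the original post. The function name audit_path and its "position:kind:entry" output format are assumptions made for illustration; it flags empty entries (which the shell treats as the current directory), relative entries such as '.', and directories that any user can write to.

```sh
# audit_path PATH_STRING
# Prints one "position:kind:entry" line for every risky entry and returns
# 1 if anything was flagged, 0 if the whole string is clean.
# The body runs in a subshell, so its variables do not leak to the caller.
audit_path() (
    rest="$1:"      # extra ':' so a trailing empty entry is also visited
    pos=0
    flagged=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}       # text before the first ':'
        rest=${rest#*:}         # everything after it
        pos=$((pos + 1))
        kind=
        case $entry in
            '')
                # "a::b", a leading ':' or a trailing ':' all mean "."
                kind=empty-means-cwd ;;
            /*)
                # Absolute path: risky only if any user may create files
                # in it. -L follows symlinks such as /bin -> usr/bin.
                if [ -d "$entry" ]; then
                    mode=$(ls -ldL -- "$entry" 2>/dev/null | cut -c1-10)
                    case $mode in
                        d???????w?) kind=world-writable ;;
                    esac
                fi ;;
            *)
                # '.', 'bin', '../tools': resolved against whatever the
                # current directory happens to be, e.g. /tmp
                kind=relative ;;
        esac
        if [ -n "$kind" ]; then
            printf '%s:%s:%s\n' "$pos" "$kind" "$entry"
            flagged=1
        fi
    done
    [ "$flagged" -eq 0 ]
)

# Constructed sample: '.' as the final entry, as proposed in the thread,
# plus a directory that is normally world-writable.
audit_path "/usr/local/bin:/usr/bin:/bin:/tmp:." || true
```

The position in each finding shows how far down the search order the entry sits: a late position limits shadowing of existing commands, but a mistyped command name still falls through to it.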




Re: [gentoo-user] world favorites: pros and cons

2006-07-05 Thread Richard Fish

On 7/5/06, Daniel Iliev [EMAIL PROTECTED] wrote:

> Then what is the purpose of:
> emerge --update world w/o --deep?


To update only the packages in world, without updating dependencies.
As I think I mentioned, some people do not like using --deep, because
they don't necessarily want to update all libraries to the latest
available version for fear of introducing instability/bugs into their
systems.  So they *may* want to update to the latest firefox, but that
doesn't mean they want the latest gtk+ libraries as well.  Presumably
they also monitor the GLSA channels to make sure they don't miss
important security updates...


> Well, this means that one has to manually handle things as well as in
> the way I deal with packages, right? ;-)


Well, yes, but only for the few things that you really care about, not
the entire system.  And why --depclean should always be run with
--pretend first.


> Compared to it, the router checks for updates about 2 times faster.
> I can't be precise, but if you insist I could do a time emerge -pvuDN
> world on both of them and send the results.


Ok, but that is for two completely different systems with different
sets of packages installed.  It doesn't tell us whether the time is a
function of the total number of packages that are installed, or the
number of things listed in world.  The question is, if your athlon
didn't have any dependencies in world, would the update check run
faster or slower?  I don't _actually_ care about the answer, I'm just
pointing out that comparing the performance of systems with different
sets of packages installed isn't a good way to test how the
performance of portage relates to the size of the world file.

-Richard
--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] / becomes read only

2006-07-05 Thread Richard Fish

On 7/5/06, James Colby [EMAIL PROTECTED] wrote:

> I have a Gentoo install running inside of a vmware ESX server virtual
> machine.  I am having a very strange issue though.  Every few days the
> root filesystem will become read only and the only way that I can fix
> it is to reboot or power down the virtual machine.  Does anyone have
> any ideas as to what might be causing this?  I have searched through
> the logs and the only errors that I see regarding my root device
> (/dev/sda3) seem to be coming from the FSCK that is done on reboot of
> the server.


A disk timeout error could cause a filesystem to be remounted
read-only.  And if /var is on the same disk, you wouldn't necessarily
see the errors (since, after all, it is now read-only!).

I would start by making /var a separate filesystem if you haven't
already.  Heck, put it on a different virtual disk if you have to...

-Richard
--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Re: iptables wiki

2006-07-05 Thread Richard Fish

On 7/5/06, James [EMAIL PROTECTED] wrote:

> or I've seen this:
> #!/sbin/runscript


This is only for init scripts in /etc/init.d/.  So no, don't use
this...use #!/bin/bash instead.


> /usr/local/bin/ might be appropriate too?


Yeah, that would work also...



> So my (edited) script issues new iptables commands
> and the gentoo script converts these commands
> into rulesets and stores them in /var/lib/iptables/rules-save?


Yep.


> 4. run /etc/init.d/iptables save convert (new) script based
>    commands into rulesets and load .
> 5. Test the (new) script {rulesets}.
> 6. Go to step 3 and repeat until a wonderful firewall results.
>
> Note, step 4 can be added to the end of my-firewall.sh to
> combine steps 3 and 4?


If you like.  But in fact step 4 can be moved to step 7 (er, step 6
once you renumber stuff), since you don't really need to save anything
until you are happy with the results.

-Richard
--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] world favorites: pros and cons

2006-07-05 Thread Daniel Iliev
Daniel da Veiga wrote:
 
 I'll just quote the emerge man page, that is pretty clear there:
 
--snip
 
 Note the words DIRECT dependencies. So, your command emerge
 --update --deep world is in fact just emerge world, because every
 direct/indirect dependency is part of your world file. Your way made
 --update useless, because a simple emerge package would update
 the package.
 

--snip

 So, your way also made --deep useless.
 These flags are there because they maintain portage in a way that you
 can't easily break consistency by accident, and with that I mean
 libraries and indirect dependencies.

Yes, and I'll ask again what's the point of doing:

emerge world or emerge --update world?

If one doesn't use --deep not all the packages get updated. That's what
bothers me. Later in this mail you say that even you make emerge -iDN
world on a daily basis.


--snip

 Also, the world file is a simple way to keep a package version (by
 removing it from world), for instance, I don't wanna upgrade mysql
 with my nightly emerge -uDN world, so, it's not in my world file.
 

Nothing prevents me from doing the same thing, right? ;-)

 Also note that indirect dependencies can be a pain, and packages may
 depend on a LOT of other packages, if you want an example, check
 emerge -euDt links -pv. You can check indirect dependencies! I just
 say there are quite a few, and portage knows how to deal with all this
 stuff (at least never proved me wrong).
 

Yes, and putting almost all of the packages in the world list does not
prevent portage from doing its job.

So who and why would use emerge world and emerge --update world ?

-- 
Best regards,
Daniel

-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] world favorites: pros and cons

2006-07-05 Thread Neil Bothwick
On Wed, 05 Jul 2006 19:53:42 +0300, Daniel Iliev wrote:

 Neil Bothwick wrote:
  What happens if you reboot after unmerging c, and its absence causes
  the system to fail to boot? What if you remove something that stops
  emerge working?
  
 
 Highly unlikely. For two reasons:
 
 1) How come that I was able to boot w/o the package in question in first
 place? :)

You did have the package. I mentioned rebooting after removing it, so
it was there before.

 2) The kind of package you're talking about is listed in the system
 profile. If you try to remove such a package portage yells out a big fat
 warning.

Not necessarily, it is possible to break things with non-system packages.

 Last but not least. When it comes to redundant packages in the system.
 What happens when you do (the right way?):
 
 1) emerge a
 2) a pulls-in b and c as dependencies
 3) emerge -C a
 4) a goes out but b and c stay there just to take place
 5) emerge --depclean
 
 Well...The first thing one can see reads:
  *** WARNING ***  --depclean is known to be broken.
 
 So you prefer to clean the system up using procedure that is known to
 be broken or you just leave useless packages to take space on your
 HDDs?

That text is fairly old and hardly applies any more, at least in my
experience. As Richard mentioned, it can fall over when USE flags have
changed, but the rest of the warning, that you didn't quote, tells you to
run emerge --update --newuse --deep before using it. If you do so, your
USE flags will be consistent and it won't break things. I always use it
with --ask anyway.

 It is my opinion that Gentoo's documentation and portage's behavior
 suggest leaving junk packages on your system.
 Which indeed is the right way?

Only if you break the file it uses to determine which packages are junk.


-- 
Neil Bothwick

Good fortune will find you provided you left clear instructions.




Re: [gentoo-user] Big thanks to spyderous

2006-07-05 Thread John J. Foster
On Wed, Jul 05, 2006 at 09:51:43AM -0700, Richard Fish wrote:
 Just want to give a big public Thank You to spyderous for hanging
 out in -user and helping out those who had/are having trouble with the
 modular-X upgrade.
 
ditto
-- 
A lensatic compass weighted for the northern hemisphere will not work 
in the southern hemisphere, and vice versa.




Re: [gentoo-user] / becomes read only

2006-07-05 Thread James Colby


> A disk timeout error could cause a filesystem to be remounted
> read-only.  And if /var is on the same disk, you wouldn't necessarily
> see the errors (since, after all, it is now read-only!).
>
> I would start by making /var a separate filesystem if you haven't
> already.  Heck, put it on a different virtual disk if you have to...
>
> -Richard
> --


Richard -

Thanks for the suggestion.  I have moved /var to a separate virtual
disk.  Hopefully this will give me some clue as to why the root
filesystem keeps becoming read only.  If it does turn out to be a disk
timeout do you have any suggestions as how to fix the problem?

Thanks,
James
--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] linux' IO performance sucks

2006-07-05 Thread Hemmann, Volker Armin
On Wednesday 05 July 2006 12:43, Daniel wrote:


 You could also disable all write caching by issuing the command:

 hdparm -W0 /dev/your-physical-disk-name


emm, no,

That only deactivates the on-disk cache and has nothing to do with the kernel 
cachesbuffers. In fact, it has nothing to do with the kernel at all.

Deactivating the cache might be a good thing in certain situations, but it 
usually just decreases performance. So it is usually a BAD THING(tm).
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] world favorites: pros and cons

2006-07-05 Thread Daniel Iliev
Daniel wrote:
 Good afternoon,
 
 
 I would like to ask what advantages does one gain from (not) putting
 packages in the world file?
 
 I know the use of emerge --oneshot some-packages emerges packages
 without recording them in the world set. I also know that all the
 packages installed as dependencies don't get recorded in the world set
 either.
 
 I see only one advantage in this - the next time I do emerge --update
 world the checking for available updates would be faster because the
 world file doesn't contain all the packages that are actually emerged.
 
 BUT...What happens if there are critical updates for packages not
 listed in the world?


I would like to thank everyone who took part in this low priority thread.
I think it's enough what we exchanged as thoughts, ideas and arguments so
far. My suggestion is that if everyone agrees we should consider this
topic closed. Of course it's only my opinion and if somebody feels that
he/she has to add something important the list is still open :)

I would try to draw fair general conclusions from the thread:

1) Putting packages in the world file is unlikely to corrupt the system
2) Putting package dependencies in the world set leads to manual work
without providing any advantages and may lead to problems
3) The best way to handle packages is to let portage do its job without
external tweaking (wise!) :)
4) The best reason to put manually individual packages in world set is
to protect them against removing with emerge --depclean
5) The best reason for manual removing individual packages from the
world set is to prevent them from upgrading.

I hope it's a fair conclusion.


Thanks, guys.


-- 
Best regards,
Daniel

-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] world favorites: pros and cons

2006-07-05 Thread Ryan Tandy

Daniel Iliev wrote:

> 5) The best reason for manual removing individual packages from the
> world set is to prevent them from upgrading.


I wouldn't call that a good reason.  /etc/portage is there for that kind 
of thing.  If you remove a package from world, and nothing depends on 
it, then it'll get swept up next time you --depclean without remembering 
to put it back first.  If you remove a package from world, and something 
depends on it, it'll get upgraded anyway next time you -u or -uD.

--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] linux' IO performance sucks

2006-07-05 Thread Daniel Iliev
Hemmann, Volker Armin wrote:
 On Wednesday 05 July 2006 12:43, Daniel wrote:
 
 You could also disable all write caching by issuing the command:

 hdparm -W0 /dev/your-physical-disk-name

 
 emm, no,
 
 That only deactivates the on-disk cache and has nothing to do with the kernel 
 cachesbuffers. In fact, it has nothing to do with the kernel at all.
 
 Deactivating the cache might be a good thing in certain situations, but it 
 usually just decreases performance. So it is usually a BAD THING(tm).

It's BAD THING(tm) theoretically. Actually I had to disable write cache
to protect file systems against corruption during unexpected restarts.
(For a week or so the eclectic power was very unstable during thunder
storms). I didn't notice any performance hits. The on-disk cache is
relatively very small (several MBs) that it wouldn't help at all in
writing big files. If it's used as read cache while accessing
directories with many files inside it has a great performance boost.
It's just my observation. Everyone has to play with these settings until
he/she gets the optimal results for the particular case.


-- 
Best regards,
Daniel

-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Protecting my server against an individual

2006-07-05 Thread Lord Sauron

Sorry to be a bit elementary, but if you're not colocating your box,
and you don't often use SSH, you might want to consider disabling
remote administrative things.

All your Windoze friend will try to do is exploit MySQL to pop a DOS
shell into your system.  It's an older trick, however, it works
marvelously.  Coax SQL into leaving a DOS shell in your web directory,
then you have total control.  I haven't personally had any experience
with it (never bothered to try and hack - not exciting or rewarding)
but I did read a hacker paper which outlined that tactic.

If you can't disable SSH for some reason, then limit MySQL access to
localhost only.  You'd have to use SSH/RDesktop to mess with your
database, but I think that would close down a very big part of the
Windoze zombie's main attack route.

Also watch out for denial-of-service attacks.  There's been a lot of
those problems in the Silicon Valley Linux Users' Group, which I am a
member of.

Also, are you sure you're working with a real hacker?  I met a
real hacker at school once, and even with physical access to my
laptop he couldn't crack it.  Dumb Windows slave...

Nonetheless, if you use PHP, you should also be extra-careful to strip
potentially malicious things from web submit forms.

If you can, what I'd do is try and get the guy's MAC Address or
something and then totally block that off.  That'd send him away right
quickly.  I don't know enough to know if that'd be totally possible,
but if the guy isn't terribly intelligent, that'll send him packing.

Hope I could be of help there!

--
== GCv3.12 ==
GCS d-(++) s+: a? C++ UL+ P+
L++ E--- W+(+++) N++ o? K? w--- O? M+
V? PS- PE+ Y-(--) PGP- t+++ 5? X R tv-- b+
   DI+++ D+ G e* h- !r !y
= END GCv3.12 
--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Protecting my server against an individual

2006-07-05 Thread Ryan Tandy

Lord Sauron wrote:

> If you can, what I'd do is try and get the guy's MAC Address or
> something and then totally block that off.  That'd send him away right
> quickly.  I don't know enough to know if that'd be totally possible,
> but if the guy isn't terribly intelligent, that'll send him packing.


net-analyzer/macchanger ;)

--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Protecting my server against an individual

2006-07-05 Thread Steven Susbauer


On Wed, 5 Jul 2006, Ryan Tandy wrote:

 Lord Sauron wrote:
  If you can, what I'd do is try and get the guy's MAC Address or
  something and then totally block that off.  That'd send him away right
  quickly.  I don't know enough to know if that'd be totally possible,
  but if the guy isn't terribly intelligent, that'll send him packing.

 net-analyzer/macchanger ;)


What's this? Portage on Windows?
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Protecting my server against an individual

2006-07-05 Thread Ryan Tandy

Steven Susbauer wrote:


> On Wed, 5 Jul 2006, Ryan Tandy wrote:
> > Lord Sauron wrote:
> > > If you can, what I'd do is try and get the guy's MAC Address or
> > > something and then totally block that off.  That'd send him away right
> > > quickly.  I don't know enough to know if that'd be totally possible,
> > > but if the guy isn't terribly intelligent, that'll send him packing.
> >
> > net-analyzer/macchanger ;)
>
> What's this? Portage on Windows?


More just to mention that there is such a thing out there.  And if it 
exists for us, chances are he has a similar tool available.

--
gentoo-user@gentoo.org mailing list



[gentoo-user] making sense of emerge --sync

2006-07-05 Thread maxim wexler
Hi group,

Following emerge --sync I was informed a new update
was available and directed to a file 

/usr/portage/profiles/updates/2Q-2006

which contains the following:

move net-wireless/madwifi-tools net-wireless/madwifi-ng-tools
move net-wireless/madwifi-driver net-wireless/madwifi-ng
move games-simulation/bcsdemo games-simulation/bcs-demo
move media-libs/alut media-libs/freealut
move games-strategy/dominions2-demo-bin games-strategy/dominions2-demo
move dev-libs/pam_pkcs11 sys-auth/pam_pkcs11
move app-cdr/kio_burn app-cdr/konqburn
slotmove =media-libs/libdc1394-1* 0 1
slotmove =media-libs/libdc1394-2* 0 2
move dev-embedded/sdcc-cvs dev-embedded/sdcc-svn
move app-emulation/vmware-linux-tools app-emulation/vmware-workstation-tools
move dev-lisp/mit-scheme dev-scheme/mit-scheme
move dev-lisp/mzscheme dev-scheme/mzscheme
move dev-lisp/guile-pg dev-scheme/guile-pg
move dev-lisp/kawa dev-scheme/kawa
move www-apps/nut sys-power/nut
move media-tv/v4l-dvb-cvs media-tv/v4l-dvb-hg
move sys-apps/pmtools sys-power/pmtools
move app-crypt/gpg-agent app-crypt/gnupg
move app-mobilephone/obexfs sys-fs/obexfs
move app-i18n/scim-chinese app-i18n/scim-pinyin
move games-fps/avp-cvs games-fps/avp
move net-libs/nfsidmap net-libs/libnfsidmap
move net-misc/resolvconf-gentoo net-dns/resolvconf-gentoo
move x11-misc/matchbox-nest x11-misc/xoo
move games-puzzle/pouetchess games-board/pouetchess
move app-i18n/jless-iso254 app-i18n/jless
move app-text/ghostscript-afpl app-text/ghostscript-gpl
move sci-misc/camfr sci-physics/camfr
move sci-misc/lightspeed sci-physics/lightspeed
move sci-misc/mpb sci-physics/mpb
move sci-misc/xfoil sci-physics/xfoil
move sci-chemistry/abinit sci-physics/abinit
move sci-libs/root sci-physics/root

And this is what emerge -pvu portage says:

Calculating dependencies ...done!
[ebuild U ] sys-apps/sandbox-1.2.17 [1.2.12] 227 kB
[ebuild U ] sys-devel/libperl-5.8.8-r1 [5.8.7] -berkdb +debug +gdbm -ithreads 9,886 kB
[ebuild U ] dev-lang/perl-5.8.8-r2 [5.8.7-r3] -berkdb -build +debug -doc +gdbm -ithreads -perlsuid 0 kB
[ebuild U ] dev-libs/openssl-0.9.7j [0.9.7i] -bindist -emacs -test +zlib 3,213 kB
[ebuild  N] perl-core/Test-Harness-2.56  -minimal 63 kB
[ebuild U ] app-admin/perl-cleaner-1.04 [1.01] 5 kB
[ebuild  N] perl-core/PodParser-1.32  -minimal 91 kB
[ebuild U ] sys-libs/ncurses-5.5-r2 [5.4-r6] -bootstrap -build +debug* -doc +gpm -minimal -nocxx -unicode 2,259 kB
[ebuild U ] dev-lang/python-2.4.3-r1 [2.4.2] +X -berkdb* -bootstrap -build -doc +gdbm +ipv6 +ncurses -nocxx +readline +ssl -tcltk -ucs2 7,827 kB
[ebuild U ] app-misc/pax-utils-0.1.13 [0.1.11-r1] -caps 52 kB
[ebuild  N] dev-python/pycrypto-2.0.1-r5  -bindist -gmp -test 150 kB
[ebuild U ] sys-apps/portage-2.1-r1 [2.0.54-r1] -build -doc (-elibc_FreeBSD) +elibc_glibc -elibc_uclibc -linguas_pl (-selinux) -userland_Darwin +userland_GNU 282 kB

Total size of downloads: 24,059 kB

Now I'm too confused to even know what to ask about
it:(  Are those moves above another word for
update? Is 2Q-2006 supposed to have anything to do
with emerge -u portage? It doesn't look like it. But
then what is it for?

-Maxim

-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] linux' IO performance sucks

2006-07-05 Thread Daniel Iliev
This one is only to correct a BIG typo:

eclectic power should be electric power
(spelling checker + sleeping writer..)



Sorry about that.



Hemmann, Volker Armin wrote:
 On Wednesday 05 July 2006 12:43, Daniel wrote:
 
 You could also disable all write caching by issuing the command:

 hdparm -W0 /dev/your-physical-disk-name

 
 emm, no,
 
 That only deactivates the on-disk cache and has nothing to do with the kernel 
 cachesbuffers. In fact, it has nothing to do with the kernel at all.
 
 Deactivating the cache might be a good thing in certain situations, but it 
 usually just decreases performance. So it is usually a BAD THING(tm).






-- 
Best regards,
Daniel

-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Anyone using Yahoo as Postfix relay? (Name service error for name=smtp1.mail.vip.ukl.yahoo.com type=MX: Malformed name server reply)

2006-07-05 Thread Enrico Weigelt
* kashani [EMAIL PROTECTED] wrote:

snip

 In my case I noticed that sasl auth on relay doesn't seem to work unless 
 I set the following in main.cf
 
 smtpd_sasl_auth_enable = no
   ^
Are you sure you have to *disable* sasl auth on your (incoming)
smtp server ?

snip
 
 it's the smtp_sasl_auth_enable = yes line that is the most important.

Of course. You have to tell him that he should (try to) 
authenticate itself at another server.


cu
-- 
-
 Enrico Weigelt==   metux IT service - http://www.metux.de/
-
 Please visit the OpenSource QM Taskforce:
http://wiki.metux.de/public/OpenSource_QM_Taskforce
 Patches / Fixes for a lot dozens of packages in dozens of versions:
http://patches.metux.de/
-
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] / becomes read only

2006-07-05 Thread Enrico Weigelt
* James Colby [EMAIL PROTECTED] wrote:

 Thanks for the suggestion.  I have moved /var to a separate virtual
 disk.  Hopefully this will give me some clue as to why the root
 filesystem keeps becoming read only.  If it does turnout to be a disk
 timeout do you have any suggestions as how to fix the problem?

I also had a similar problem (on a physical machine) which I
couldn't reproduce. It seemed that the disk itself became ro for 
some reason. Unmounting and mounting again didn't help. It told me
the medium was ro, and so the fs got mounted ro, too.

Maybe your logfiles can show anything strange happened on the 
disk (may a temporary problem on the host disk).

BTW: I've got some usermode-linux jail somewhere in the net, 
which randomly gets an ro root fs - I always have to ask the
provider to fix it (no idea what he actually does). A few 
days ago, the problem occurred again, and my provider told 
me there was a hw problem and he has to change the broken hw.

Maybe it's the same kind of problem ?


cu
-- 
-
 Enrico Weigelt==   metux IT service - http://www.metux.de/
-
 Please visit the OpenSource QM Taskforce:
http://wiki.metux.de/public/OpenSource_QM_Taskforce
 Patches / Fixes for a lot dozens of packages in dozens of versions:
http://patches.metux.de/
-
-- 
gentoo-user@gentoo.org mailing list



[gentoo-user] ntpd problem: randomly refusing/dropping client requests

2006-07-05 Thread Enrico Weigelt

Hi folks,

I've got a problem w/ ntpd: syncing w/ ntpdate against it 
fails from time to time. Sometimes just for a few minutes, 
sometimes longer.

I know it will call itself stratum 16 (which is dropped by ntpdate) 
if it hasn't synchronized to a proper reference clock yet, so it 
will take some time after startup until its usable.

But why are there such problems once ntp has been synchronized ?


thx
-- 
-
 Enrico Weigelt==   metux IT service - http://www.metux.de/
-
 Please visit the OpenSource QM Taskforce:
http://wiki.metux.de/public/OpenSource_QM_Taskforce
 Patches / Fixes for a lot dozens of packages in dozens of versions:
http://patches.metux.de/
-
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Re: iptables wiki

2006-07-05 Thread Dale
Steve Wilson wrote:
 Have you tried kmyfirewall ?
 Steve
 On Wednesday 05 July 2006 12:27, Dale wrote:
   

   

I didn't know it existed actually.  It would be so nice if there was
somewhere we could go to find out about all this stuff.  There is no
telling how many programs are out there that we have no clue exist.

That said, I use iptables and as long as it works . . . . . . .  I'll
check into it though.  It may be a while.  I'm getting married tomorrow
and I'll be gone for a while, honeymoon ya know.  ;-)

Thanks

Dale
:-)  :-)

-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] linux' IO performance sucks

2006-07-05 Thread Dale
Daniel Iliev wrote:
 This one is only to correct a BIG typo:

 eclectic power should be electric power
 (spelling checker + sleeping writer..)


 Sorry about that.
   

You got a better excuse than me.  My typing sucks.  O_O

Dale
:-)  :-)
-- 
gentoo-user@gentoo.org mailing list


