Re: [gentoo-user] CUPS error when printing from GTK+ print dialog
Morten Holt writes:

When I try to print from a program using the GTK+ print dialog, e.g. Firefox or Evince, I get the following line:

Request from localhost using invalid Host: field ::1

[...]

The problem seems to have started after a recent upgrade of CUPS. I hope anybody has an idea on how I can solve this rather annoying issue.

I think IPV6 is the default for CUPS now. Try changing the Listen localhost:631 line in cups.conf to Listen 127.0.0.1:631. Restart CUPS and see if it works now.

Wonko
Re: [gentoo-user] Confusing persistent sync problem
Wyatt Epp wrote:

Evening, Lately, for at least a few months, actually, I've been completely unable to sync normally. I'll get the following sort of thing three times from three different servers.

[...]
receiving incremental file list
timed out
rsync error: received SIGINT, SIGTERM, or SIGHUP (code 20) at rsync.c(544) [receiver=3.0.5]
Retrying...

I imagine it must be on my end, but I can't for the life of me figure out what it is. Not at my desk, but I seem to recall the syslog was empty as well. Has anyone run into this or, more importantly, a solution for this?

Try to increase the timeout. Add the following line to /etc/make.conf

PORTAGE_RSYNC_INITIAL_TIMEOUT=60
[gentoo-user] Support of Radeon graphics cards
Hi all, i would like to buy a new computer, but i need (of course) to use gentoo. furthermore i would buy a Radeon HD 4850 or Radeon HD 4870. How are these cards supported by gentoo and does everything work fine according to ati-drivers ebuild? i need the 3d support due to some molecular modeling software. my current graphics card is a nvidia and is well supported. please, share your experiences. thank you very much in advance. kind regards, der Max -- __ Maximilian Bräutigam http://www.chemie.uni-jena.de/jcf/
Re: [gentoo-user] Re: nvidia-drivers-180.51 on amd64
On Friday 24 April 2009 01:59:59 walt wrote: Whenever I have the same problem it's because I've done a 'make clean' or equivalent in /usr/src/linux, or more likely because a newer version of the kernel sources has been installed but I haven't yet built the newer kernel. It's possible that both the kernel sources and nvidia-drivers were updated about the same time, and when that happens the nvidia-drivers will be compiled immediately whereas the new kernel won't be compiled until you decide to go do it yourself. (Meanwhile, nvidia-drivers has crapped out.) Yes, but those don't apply here. I had, as I said, a current kernel source directory (by which I mean I had compiled the currently running kernel in it) and was installing the latest version of nvidia. I hadn't done anything in the source tree since compiling the kernel, so it should have Just Worked. -- Rgds Peter
Re: [gentoo-user] Building a test system
On Friday 24 April 2009 12:14:50 Peter Humphrey wrote:

Hello list, I want to install Gentoo on a spare partition as a testbed. It would have KDE4 and be ~amd64 throughout. My question is when to set ACCEPT_KEYWORDS - whether to do it at the earliest possible stage in installing, or build an amd64 system and only then add ~amd64 to make.conf. Which is the better option?

Do it at the earliest possible opportunity. Otherwise you will emerge world and update to a current stable system, then amend ACCEPT_KEYWORDS and update to a current unstable system, effectively rendering the first emerge world as completely useless.

Don't listen to people who will tell you c...@p like starting with stable lets you find problems and fix them first. This is nonsense as once you start going unstable there is no going back, or at least no easy way to go back.

-- alan dot mckinnon at gmail dot com
Re: [gentoo-user] Confusing persistent sync problem
On Fri, Apr 24, 2009 at 4:36 AM, Florian Philipp li...@f_philipp.fastmail.net wrote: Try to increase the timeout. Add the following line to /etc/make.conf PORTAGE_RSYNC_INITIAL_TIMEOUT=60 Oh come on, seriously? I'm rolling over here; it never occurred to me that the whacked-out QoS we get in Columbus could be the culprit at all! So yeah, thanks a bunch; I was a touch worried that I'd gotten us banned or something. ;) Cheers, Wyatt
[gentoo-user] Building a test system
Hello list, I want to install Gentoo on a spare partition as a testbed. It would have KDE4 and be ~amd64 throughout. My question is when to set ACCEPT_KEYWORDS - whether to do it at the earliest possible stage in installing, or build an amd64 system and only then add ~amd64 to make.conf. Which is the better option? -- Rgds Peter
Re: [gentoo-user] Re: No sound over HDMI with SB600, 9800GT
2009/4/22 Strake strake...@gmail.com: Thanks, but the video works flawlessly, and the TV works fine with audio and video over HDMI from cable boxen, PS3s, etc. Do you use Gnome ? It has a sound test utility which can test HDMI audio output. If there is sound in test utility. Try to upgrade mplayer, it had a bug fixed in HDMI audio. Anyhow, thanks, and I'll keep trying. On Mon, Apr 13, 2009 at 11:38 PM, James wirel...@tampabay.rr.com wrote: Strake strake888 at gmail.com writes: I have an MSI K9A2 Platinum motherboard (SB600 chipset with ALC888 Azalia audio) with an Asus EN9800GT video card. HDMI video, as well as analog audio works fine. However, there is no sound over HDMI. I am using alsa 1.0.18, kernel 2.6.24, with the snd_hda_intel driver. Hello, You might have multiple issues, depending on what (if any) other new hardware you are using and have not previously been successful using with HDMI. Just a stab in the dark, but, do some research on HDCP (HIGH-BANDWIDTH DIGITAL CONTENT PROTECTION) and make sure that's not your issue, nor related to your equipment configuration. That is, if you are outputting HDMI based audio and video from a computer and trying to make it all happy with a 1080p TV/monitor/audio type of setup Somehow find a way to test each component and make sure it's working. You may need to fiddle with the setting of the HDMI receiving device, or contact the manufacture and find out if the device employs HDCP, it can be turned off, or any other ideas the manufacture may have. Being you are a pioneer in this area, you might want to track down a 'HDMI Bus Analyzer' or a friend that has one: http://www.lecroy.com/tm/Options/Software/SDA-HDMI/default.asp good hunting and good luck! hth, James -- MFD
Re: [gentoo-user] Building a test system
On Fri, 24 Apr 2009 11:14:50 +0100, Peter Humphrey wrote: I want to install Gentoo on a spare partition as a testbed. It would have KDE4 and be ~amd64 throughout. My question is when to set ACCEPT_KEYWORDS - whether to do it at the earliest possible stage in installing, or build an amd64 system and only then add ~amd64 to make.conf. Set it as soon as possible; ideally during the initial installation but right after the first boot at the latest. Then do emerge -uavDN world before you touch anything else. Doing it straight after the stage 3 unpack means you won't have to install, configure and compile a stable kernel, then repeat the whole process when you switch keywords. The same applies to changing USE flags. -- Neil Bothwick Facts are stubborn, but statistics are more pliable
[gentoo-user] Re: Building a test system
Alan McKinnon alan.mckinnon at gmail.com writes: Friday's Humorous! This is nonsense as once you start going unstable there is no going back, or at least no easy way to go back. Where was this wisdom, when I was a young lad? lol, James
[gentoo-user] Re: KDE4 has holes since updating Qt
Paul Hartman paul.hartman+gentoo at gmail.com writes: . Also, is there a command that can scan my system and tell me which programs need to be rebuild after a Qt update? I seem to go through this every time. :) Perhaps qlist -I -C atom or equery list | grep atom just guessing hth, James
[gentoo-user] Re: telephony
Simon turner25 at gmail.com writes: i'm looking for suggestions and guidance. Hardware farts like myself, like to cheat. Sure you can do it all in software, if you have the time. Here's a very easy way to cheat, but, you'll need to use a (soldering) iron. http://www.tjnet.com/ Go on, expand your horizons and make a web page on how you did it with (hardware plus) gentoo so the rest of us lazy bums can be cool, just like you hth, James
Re: [gentoo-user] KDE4 has holes since updating Qt
On Freitag 24 April 2009, Paul Hartman wrote: Hi, I updated Qt earlier today, and rebuilt kdelibs, PyQt4, qt-opengl, and all of my qt-related themes, but apparently I've missed something because there are still holes: outlines of buttons or windows with no content. The most important of which is the Kicker menu. I can change it to classic mode and use it, but when I set it to kicker mode it's just an outline. This happened to me a long time ago and I can't remember what I had to rebuild to fix it. I'm sure I am just missing something easy. Also, is there a command that can scan my system and tell me which programs need to be rebuild after a Qt update? I seem to go through this every time. :) Thanks, Paul there is a big, fat bug in qt-4.5.1. AFAIK it is fixed in their svn and in kde's qt-copy version. You might want to try this versions from the qting-edge overlay.
Re: [gentoo-user] KDE4 has holes since updating Qt
On Fri, Apr 24, 2009 at 8:41 AM, Volker Armin Hemmann volkerar...@googlemail.com wrote: On Freitag 24 April 2009, Paul Hartman wrote: Hi, I updated Qt earlier today, and rebuilt kdelibs, PyQt4, qt-opengl, and all of my qt-related themes, but apparently I've missed something because there are still holes: outlines of buttons or windows with no content. The most important of which is the Kicker menu. I can change it to classic mode and use it, but when I set it to kicker mode it's just an outline. This happened to me a long time ago and I can't remember what I had to rebuild to fix it. I'm sure I am just missing something easy. Also, is there a command that can scan my system and tell me which programs need to be rebuild after a Qt update? I seem to go through this every time. :) Thanks, Paul there is a big, fat bug in qt-4.5.1. AFAIK it is fixed in their svn and in kde's qt-copy version. You might want to try this versions from the qting-edge overlay. Okay, I'll check for it. Maybe I didn't do anything wrong after all. :) Thanks for the info!
Re: [gentoo-user] KDE4 has holes since updating Qt
On Fri, Apr 24, 2009 at 8:41 AM, Volker Armin Hemmann volkerar...@googlemail.com wrote: On Freitag 24 April 2009, Paul Hartman wrote: Hi, I updated Qt earlier today, and rebuilt kdelibs, PyQt4, qt-opengl, and all of my qt-related themes, but apparently I've missed something because there are still holes: outlines of buttons or windows with no content. The most important of which is the Kicker menu. I can change it to classic mode and use it, but when I set it to kicker mode it's just an outline. This happened to me a long time ago and I can't remember what I had to rebuild to fix it. I'm sure I am just missing something easy. Also, is there a command that can scan my system and tell me which programs need to be rebuild after a Qt update? I seem to go through this every time. :) Thanks, Paul there is a big, fat bug in qt-4.5.1. AFAIK it is fixed in their svn and in kde's qt-copy version. You might want to try this versions from the qting-edge overlay. I can't seem to find how to install/enable the qt-copy patches. I use kde-testing and qting-edge overlays. Am I missing something obvious?
[gentoo-user] X-forwarding fails with Invalid MIT-MAGIC-COOKIE-1 key
X-forwarding used to work for me but I haven't used it in a while and now I get: Warning: untrusted X11 forwarding setup failed: xauth key data not generated Warning: No xauth data; using fake authentication data for X11 forwarding. Xlib: connection to localhost:10.0 refused by server Xlib: Invalid MIT-MAGIC-COOKIE-1 key Cannot open display: I have: # cat /etc/ssh/sshd_config | grep X11Forwarding X11Forwarding yes Does anyone know how to fix this? - Grant
Re: [gentoo-user] KDE4 has holes since updating Qt
On Fri, Apr 24, 2009 at 9:51 AM, Paul Hartman paul.hartman+gen...@gmail.com wrote: On Fri, Apr 24, 2009 at 8:41 AM, Volker Armin Hemmann volkerar...@googlemail.com wrote: On Friday 24 April 2009, Paul Hartman wrote: Hi, I updated Qt earlier today, and rebuilt kdelibs, PyQt4, qt-opengl, and all of my qt-related themes, but apparently I've missed something because there are still holes: outlines of buttons or windows with no content. The most important of which is the Kicker menu. I can change it to classic mode and use it, but when I set it to kicker mode it's just an outline. This happened to me a long time ago and I can't remember what I had to rebuild to fix it. I'm sure I am just missing something easy. Also, is there a command that can scan my system and tell me which programs need to be rebuild after a Qt update? I seem to go through this every time. :) Thanks, Paul there is a big, fat bug in qt-4.5.1. AFAIK it is fixed in their svn and in kde's qt-copy version. You might want to try this versions from the qting-edge overlay. I can't seem to find how to install/enable the qt-copy patches. I use kde-testing and qting-edge overlays. Am I missing something obvious? To answer my own question: yes. :) I read the documentation in qting-edge overlay and now it makes sense. I probably should have used the qt-kde-live set all along, I've been using the generic Qt packages. Thanks
[gentoo-user] Is this firewall safe?
Hi all,

I set up my first firewall on my notebook (not running any services reachable from outside) using iptables. Since I am new to the topic, could you please verify if the output of 'iptables -L -v' is considered to be a safe firewall? Thanks!

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in    out   source   destination
    0     0 ACCEPT all  --  lo    any   anywhere anywhere
    0     0 ACCEPT all  --  eth0  any   anywhere anywhere    state RELATED,ESTABLISHED
    0     0 REJECT tcp  --  eth0  any   anywhere anywhere    reject-with tcp-reset
    0     0 REJECT udp  --  eth0  any   anywhere anywhere    reject-with icmp-port-unreachable
    0     0 DROP   udp  --  eth0  any   anywhere anywhere    udp spt:bootps
    0     0 LOG    all  --  eth0  any   anywhere anywhere    LOG level warning prefix `INPUT '
    1    79 ACCEPT all  --  wlan0 any   anywhere anywhere    state RELATED,ESTABLISHED
    0     0 REJECT tcp  --  wlan0 any   anywhere anywhere    reject-with tcp-reset
    0     0 REJECT udp  --  wlan0 any   anywhere anywhere    reject-with icmp-port-unreachable
    0     0 DROP   udp  --  wlan0 any   anywhere anywhere    udp spt:bootps
    0     0 LOG    all  --  wlan0 any   anywhere anywhere    LOG level warning prefix `INPUT '

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in    out   source   destination
    0     0 LOG    all  --  any   any   anywhere anywhere    LOG level warning prefix `FORWARD '
    0     0 LOG    all  --  any   any   anywhere anywhere    LOG level warning prefix `FORWARD '

Chain OUTPUT (policy ACCEPT 5 packets, 1691 bytes)
 pkts bytes target prot opt in    out   source   destination
    0     0 ACCEPT all  --  any   lo    anywhere anywhere
    0     0 LOG    all  --  any   eth0  anywhere anywhere    LOG level warning prefix `OUTPUT '
    1    52 LOG    all  --  any   wlan0 anywhere anywhere    LOG level warning prefix `OUTPUT '
Re: [gentoo-user] Is this firewall safe?
Marco wrote: Hi all, I set up my first firewall on my notebook (not running any services reachable from outside) using iptables. Since I am new to the topic, could you please verify if the output of 'iptables -L -v' is considered to be a safe firewall? Thanks! Chain INPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- lo any anywhere anywhere 0 0 ACCEPT all -- eth0 any anywhere anywherestate RELATED,ESTABLISHED 0 0 REJECT tcp -- eth0 any anywhere anywherereject-with tcp-reset 0 0 REJECT udp -- eth0 any anywhere anywherereject-with icmp-port-unreachable 0 0 DROP udp -- eth0 any anywhere anywhereudp spt:bootps 0 0 LOGall -- eth0 any anywhere anywhereLOG level warning prefix `INPUT ' 179 ACCEPT all -- wlan0 any anywhere anywherestate RELATED,ESTABLISHED 0 0 REJECT tcp -- wlan0 any anywhere anywherereject-with tcp-reset 0 0 REJECT udp -- wlan0 any anywhere anywherereject-with icmp-port-unreachable 0 0 DROP udp -- wlan0 any anywhere anywhereudp spt:bootps 0 0 LOGall -- wlan0 any anywhere anywhereLOG level warning prefix `INPUT ' Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 LOGall -- anyany anywhere anywhereLOG level warning prefix `FORWARD ' 0 0 LOGall -- anyany anywhere anywhereLOG level warning prefix `FORWARD ' Chain OUTPUT (policy ACCEPT 5 packets, 1691 bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- anylo anywhere anywhere 0 0 LOGall -- anyeth0anywhere anywhereLOG level warning prefix `OUTPUT ' 152 LOGall -- anywlan0 anywhere anywhereLOG level warning prefix `OUTPUT ' It all depends on what you're trying to do. My internet facing boxes have a default OUTPUT policy of DROP and I only allow certain traffic off of the box (helps protect me from unauthorized services). Also, you're dropping bootps (same ports as dhcp) on udp so I don't think you can get a dhcp address like that. 
If you're running any services you won't be able to talk to them (ssh). Turn off forwarding in the kernel config (via /etc/sysctl.conf) as well. It also took me a few runs to figure out the firewall config (due to the rules and formatting). The last two output rules can be combined into one. Have 1 log line at the bottom of your tables and that will take care of that. Clean and short configs will help immensely when things don't work.
Re: [gentoo-user] Is this firewall safe?
Marco wrote:

Hi all, I set up my first firewall on my notebook (not running any services reachable from outside) using iptables. Since I am new to the topic, could you please verify if the output of 'iptables -L -v' is considered to be a safe firewall? Thanks!

Hi Marco,

Your firewall looks good, but I would change a few things. First off, change your FORWARD chain to DROP. Unless you are doing routing on your laptop, there's no reason to have it.

I would also get rid of the REJECT targets. It's better to DROP instead. If someone is scanning the network, and you start sending icmp rejections back, they will know you are there and may try other techniques to break through your defenses, but if you DROP and send nothing back, it will be much harder for them to see you at all.

I would also re-write your INPUT chain to be a bit less verbose. Something like this:

Chain INPUT (policy DROP 0 packets, 0 bytes)
target prot opt in  out source   destination
ACCEPT all  --  lo  any anywhere anywhere
ACCEPT all  --  any any anywhere anywhere    state RELATED,ESTABLISHED
LOG    all  --  any any anywhere anywhere    LOG level warning prefix `INPUT '

Everything else looks good from a security standpoint. From a performance standpoint, you might want to add a line to the beginning of your output chain like this:

Chain OUTPUT (policy ACCEPT 5 packets, 1691 bytes)
target prot opt in  out source   destination
ACCEPT all  --  any lo  anywhere anywhere
ACCEPT all  --  any any anywhere anywhere    state RELATED,ESTABLISHED
LOG    all  --  any any anywhere anywhere    LOG level warning prefix `OUTPUT '

This will log only NEW packets. Otherwise you could end up with a lot of log output. After you run this for a while, go back and look through your logs and see if you have enough data there to change your OUTPUT chain to DROP, and only allow packets through to ports you actually use. That's only if you're really paranoid though.

Hope that helps.

Chris
Re: [gentoo-user] Is this firewall safe?
Just a thought: http://www.fwbuilder.org/ I like how it looks a lot like checkpoint's policy manager. HTH, Hazen. On Fri, Apr 24, 2009 at 1:00 PM, Chris Frederick cdf...@cdf123.net wrote: Marco wrote: Hi all, I set up my first firewall on my notebook (not running any services reachable from outside) using iptables. Since I am new to the topic, could you please verify if the output of 'iptables -L -v' is considered to be a safe firewall? Thanks! Hi Marco, Your firewall looks good, but I would change a few things. First off, change your FORWARD chain to DROP. Unless you are doing routing on your laptop, there's no reason to have it. I would also get rid of the REJECT targets. It's better to DROP instead. If someone is scanning the network, and you start sending icmp rejections back, they will know you are there and may try other techniques to break through your defenses, but if you DROP and send nothing back, it will be much harder for them to see you at all. I would also re-write your INPUT chain to be a bit less verbose. Something like this: Chain INPUT (policy DROP 0 packets, 0 bytes) target prot opt inout source destination ACCEPT all -- loany anywhere anywhere ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED LOGall -- any any anywhere anywhere LOG level warning prefix `INPUT ' Everything else looks good from a security standpoint. From a performance standpoint, you might want to add a line to the beginning of your output chain like this: Chain OUTPUT (policy ACCEPT 5 packets, 1691 bytes) target prot opt in out source destination ACCEPT all -- anylo anywhere anywhere ACCEPT all -- anyany anywhere anywhere state RELATED,ESTABLISHED LOGall -- anyany anywhere anywhere LOG level warning prefix `OUTPUT ' This will log only NEW packets. Otherwise you could end up with a lot of log output. 
After you run this for a while, go back and look through your logs and see if you have enough data there to change your OUTPUT chain to DROP, and only allow packets through to ports you actually use. That's only if you're really paranoid though. Hope that helps. Chris -- Hazen Valliant-Saunders IT/IS Consultant (613) 355-5977
Re: [gentoo-user] Is this firewall safe?
On Fri, 2009-04-24 at 12:00 -0500, Chris Frederick wrote: I would also get rid of the REJECT targets. It's better to DROP instead. If someone is scanning the network, and you start sending icmp rejections back, they will know you are there and may try other techniques to break through your defenses, but if you DROP and send nothing back, it will be much harder for them to see you at all. While all that is correct, I would also consider it bad network behavior (no offense intended). It feels like security through obscurity. It may hamper the well-working of a TCP/IP network, as that relies heavily on ICMP. Probably it will never be a problem for you, but it could be a problem for a network administrator. Also: if you wish to scan (nmap) yourself to check your system (configuration), you'll wish for REJECT instead of DROP :) On a (not so) different topic: If you're going to make your firewall more complex (more services, or other stuff), I'd suggest to use a widely used firewall script. That is more secure than writing your own firewall configuration, because in the long run it will be better maintainable (and they often also do smart stuff(TM) ;) My recommendation is net-firewall/shorewall. It has a well balanced abstraction/granularity-ratio, and the produced iptable-rules are still readable :) Bye, Daniel -- PGP key @ http://pgpkeys.pca.dfn.de/pks/lookup?search=0xBB9D4887op=get # gpg --recv-keys --keyserver hkp://subkeys.pgp.net 0xBB9D4887
Re: [gentoo-user] Building a test system
On Friday 24 April 2009 12:04:09 Neil Bothwick wrote: On Fri, 24 Apr 2009 11:14:50 +0100, Peter Humphrey wrote: I want to install Gentoo on a spare partition as a testbed. It would have KDE4 and be ~amd64 throughout. My question is when to set ACCEPT_KEYWORDS - whether to do it at the earliest possible stage in installing, or build an amd64 system and only then add ~amd64 to make.conf. Set it as soon as possible; ideally during the initial installation but right after the first boot at the latest. Then do emerge -uavDN world before you touch anything else. Doing it straight after the stage 3 unpack means you won't have to install, configure and compile a stable kernel, then repeat the whole process when you switch keywords. The same applies to changing USE flags. Thanks Neil, and Alan too. -- Rgds Peter
Re: [gentoo-user] Support of Radeon graphics cards
On Fri, 2009-04-24 at 11:02 +0200, Maximilian Bräutigam wrote: Hi all, i would like to buy a new computer, but i need (of course) to use gentoo. furthermore i would buy a Radeon HD 4850 or Radeon HD 4870. How are these cards supported by gentoo and does everything work fine according to ati-drivers ebuild? i need the 3d support due to some molecular modeling software. my current graphics card is a nvidia and is well supported. please, share your experiences. thank you very much in advance. kind regards, der Max According to ATI (AMD) https://a248.e.akamai.net/f/674/9206/0/www2.ati.com/drivers/linux/catalyst_94_linux.pdf these graphics cards are supported by their closed source drivers. You'll need these for proper 3D. Gentoo has support for them in x11-drivers/ati-drivers. http://www.gentoo.org/doc/en/ati-faq.xml I have a Radeon HD 3400 (mobility) and the driver works very well. 3D is good, 2D is not half as good as the OSS drivers (radeon and radeonhd), but works too. In my case suspend to ram and to disk (using tuxonice) both work well on the primary display, on the secondary display I get wrong colors after resume. It's safe to say: Gentoo has proper ATI-support :) Bye, Daniel -- PGP key @ http://pgpkeys.pca.dfn.de/pks/lookup?search=0xBB9D4887op=get # gpg --recv-keys --keyserver hkp://subkeys.pgp.net 0xBB9D4887
Re: [gentoo-user] Is this firewall safe?
On Fri, Apr 24, 2009 at 4:59 PM, Eric Martin freak4u...@gmail.com wrote: Marco wrote: Hi all, I set up my first firewall on my notebook (not running any services reachable from outside) using iptables. Since I am new to the topic, could you please verify if the output of 'iptables -L -v' is considered to be a safe firewall? Thanks! Chain INPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- lo any anywhere anywhere 0 0 ACCEPT all -- eth0 any anywhere anywhere state RELATED,ESTABLISHED 0 0 REJECT tcp -- eth0 any anywhere anywhere reject-with tcp-reset 0 0 REJECT udp -- eth0 any anywhere anywhere reject-with icmp-port-unreachable 0 0 DROP udp -- eth0 any anywhere anywhere udp spt:bootps 0 0 LOG all -- eth0 any anywhere anywhere LOG level warning prefix `INPUT ' 1 79 ACCEPT all -- wlan0 any anywhere anywhere state RELATED,ESTABLISHED 0 0 REJECT tcp -- wlan0 any anywhere anywhere reject-with tcp-reset 0 0 REJECT udp -- wlan0 any anywhere anywhere reject-with icmp-port-unreachable 0 0 DROP udp -- wlan0 any anywhere anywhere udp spt:bootps 0 0 LOG all -- wlan0 any anywhere anywhere LOG level warning prefix `INPUT ' Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 LOG all -- any any anywhere anywhere LOG level warning prefix `FORWARD ' 0 0 LOG all -- any any anywhere anywhere LOG level warning prefix `FORWARD ' Chain OUTPUT (policy ACCEPT 5 packets, 1691 bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- any lo anywhere anywhere 0 0 LOG all -- any eth0 anywhere anywhere LOG level warning prefix `OUTPUT ' 1 52 LOG all -- any wlan0 anywhere anywhere LOG level warning prefix `OUTPUT ' It all depends on what you're trying to do. My internet facing boxes have a default OUTPUT policy of DROP and I only allow certain traffic off of the box (helps protect me from unauthorized services). 
Also, you're dropping bootps (same ports as dhcp) on udp so I don't think you can get a dhcp address like that. If you're running any services you won't be able to talk to them (ssh). Turn off forwarding in the kernel config (via /etc/sysctl.conf) as well. I am dropping bootps to not have my log file flooding due to the DHCP server in my wireless router (as suggested in www.novell.com/coolsolutions/feature/18139.html). As it seems I still get a dynamic ip from it. So far, I am not running any services that have to be exposed to the outside. It also took me a few runs to figure out the firewall config (due to the rules and formatting). The last two output rules can be combined into one. Have 1 log line at the bottom of your tables and that will take care of that. Clean and short configs will help immensely when things don't work. Sorry for the bad format. gmail decided to insert some sub ideal pagebreaks... Talking about the 1 log line at the bottom you mean I should configure it to not specify an interface (eth0, wlan0)? Thanks!
Re: [gentoo-user] Is this firewall safe?
On Fri, Apr 24, 2009 at 5:00 PM, Chris Frederick cdf...@cdf123.net wrote: Marco wrote: [...] Your firewall looks good, but I would change a few things. First off, change your FORWARD chain to DROP. Unless you are doing routing on your laptop, there's no reason to have it. My thought here was to be able to perform some network maintenance task using wireshark. I have forwarding disabled normally and I could just 'echo 1 > /proc/sys/net/ipv4/ip_forward' to have it enabled. Is there anything unsafe about this setup? I would also get rid of the REJECT targets. It's better to DROP instead. If someone is scanning the network, and you start sending icmp rejections back, they will know you are there and may try other techniques to break through your defenses, but if you DROP and send nothing back, it will be much harder for them to see you at all. I was following http://www.gentoo.org/doc/en/articles/linux-24-stateful-fw-design.xml in section 'Handling rejection' of the article. I guess this is kind of a philosophical question here... I would also re-write your INPUT chain to be a bit less verbose. Something like this: Chain INPUT (policy DROP 0 packets, 0 bytes) target prot opt in out source destination ACCEPT all -- lo any anywhere anywhere ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED LOG all -- any any anywhere anywhere LOG level warning prefix `INPUT ' So basically not distinguishing between the external interfaces (eth0, wlan0)? Everything else looks good from a security standpoint. From a performance standpoint, you might want to add a line to the beginning of your output chain like this: Chain OUTPUT (policy ACCEPT 5 packets, 1691 bytes) target prot opt in out source destination ACCEPT all -- any lo anywhere anywhere ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED LOG all -- any any anywhere anywhere LOG level warning prefix `OUTPUT ' This will log only NEW packets. Otherwise you could end up with a lot of log output.
That makes sense! After you run this for a while, go back and look through your logs and see if you have enough data there to change your OUTPUT chain to DROP, and only allow packets through to ports you actually use. That's only if you're really paranoid though. Kind of paranoid, yes ;-) [...] Thanks for the tips! -- Regards, Marco
Re: [gentoo-user] Is this firewall safe?
On Fri, Apr 24, 2009 at 5:05 PM, Hazen Valliant-Saunders haze...@gmail.com wrote: Just a thought: http://www.fwbuilder.org/ I've seen fwbuilder already. I thought since I only need a simple firewall, I probably make the thing worse if I don't really know how to use the tool. And learning iptables is a good thing I guess. In case I'd have to set up some servers, I would of course reconsider fwbuilder. -- Regards, Marco
Re: [gentoo-user] Is this firewall safe?
Hello again,

I took your considerations into account and changed my setting. Could you please have a look again at the output of 'iptables -L -v' (in the attachment for better formatting)? Thanks a lot!

-- Best regards, Marco

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in  out source   destination
    0     0 ACCEPT all  --  lo  any anywhere anywhere
   30 18812 ACCEPT all  --  !lo any anywhere anywhere    state RELATED,ESTABLISHED
    0     0 REJECT tcp  --  !lo any anywhere anywhere    reject-with tcp-reset
    0     0 REJECT udp  --  !lo any anywhere anywhere    reject-with icmp-port-unreachable
    0     0 LOG    all  --  !lo any anywhere anywhere    LOG level warning prefix `INPUT '

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in  out source   destination
    0     0 LOG    all  --  any any anywhere anywhere    LOG level warning prefix `FORWARD '

Chain OUTPUT (policy ACCEPT 33 packets, 6039 bytes)
 pkts bytes target prot opt in  out source   destination
    0     0 ACCEPT all  --  any lo  anywhere anywhere
   33  6039 LOG    all  --  any !lo anywhere anywhere    LOG level warning prefix `OUTPUT '
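Added example (not part of any list message, and not code from the posters): a small Python audit of an 'iptables -L -v' listing for the rule-order and FORWARD-policy points raised in this thread. It flags rules that can never match because an earlier unconditional ACCEPT/DROP/REJECT already ends traversal, protocol-wide rules that no longer see some protocols, and a FORWARD policy of ACCEPT. The sample listing is constructed from the eth0 rules of the first ruleset posted in the thread; all function and field names are this example's own.

```python
import re
from dataclasses import dataclass, replace

TERMINATING = {"ACCEPT", "DROP", "REJECT"}   # LOG does not end chain traversal
WILDCARDS = {"all", "any", "anywhere", "0.0.0.0/0"}

# Constructed sample: the eth0 rules of the first ruleset posted in this
# thread, re-spaced into the usual `iptables -L -v` columns.
SAMPLE = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in   out  source   destination
    0     0 ACCEPT all  --  lo   any  anywhere anywhere
    0     0 ACCEPT all  --  eth0 any  anywhere anywhere state RELATED,ESTABLISHED
    0     0 REJECT tcp  --  eth0 any  anywhere anywhere reject-with tcp-reset
    0     0 REJECT udp  --  eth0 any  anywhere anywhere reject-with icmp-port-unreachable
    0     0 DROP   udp  --  eth0 any  anywhere anywhere udp spt:bootps
    0     0 LOG    all  --  eth0 any  anywhere anywhere LOG level warning prefix `INPUT '

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in   out  source   destination
    0     0 LOG    all  --  any  any  anywhere anywhere LOG level warning prefix `FORWARD '

Chain OUTPUT (policy ACCEPT 5 packets, 1691 bytes)
 pkts bytes target prot opt in   out  source   destination
    0     0 ACCEPT all  --  any  lo   anywhere anywhere
    0     0 LOG    all  --  any  eth0 anywhere anywhere LOG level warning prefix `OUTPUT '
"""


@dataclass(frozen=True)
class Rule:
    target: str
    prot: str
    in_if: str
    out_if: str
    src: str
    dst: str
    match: str   # match conditions only; target options are stripped


def parse_listing(text):
    """Return {chain: (policy, [Rule, ...])} from `iptables -L -v` output."""
    chains, current = {}, None
    for line in text.splitlines():
        header = re.match(r"Chain (\S+) \(policy (\S+)", line)
        if header:
            current = header.group(1)
            chains[current] = (header.group(2), [])
            continue
        f = line.split(None, 9)
        if current is None or len(f) < 9 or f[0] == "pkts":
            continue   # blank line or column header
        extra = f[9] if len(f) > 9 else ""
        # "reject-with ..." and "LOG level ..." describe the target, not a match.
        match = re.sub(r"(reject-with \S+|LOG .*)$", "", extra).strip()
        chains[current][1].append(Rule(f[2], f[3], f[5], f[6], f[7], f[8], match))
    return chains


def covers(a, b):
    """True if rule `a` has no extra match and matches every packet `b` can."""
    pairs = [(a.prot, b.prot), (a.in_if, b.in_if), (a.out_if, b.out_if),
             (a.src, b.src), (a.dst, b.dst)]
    return a.match == "" and all(x in WILDCARDS or x == y for x, y in pairs)


def audit(text):
    """Return findings as (chain, rule number, kind, detail); rule 0 = policy."""
    findings = []
    for chain, (policy, rules) in parse_listing(text).items():
        if chain == "FORWARD" and policy == "ACCEPT":
            findings.append((chain, 0, "policy", policy))
        for i, rule in enumerate(rules):
            earlier = [(j + 1, r) for j, r in enumerate(rules[:i])
                       if r.target in TERMINATING]
            shadow = next((n for n, r in earlier if covers(r, rule)), None)
            if shadow is not None:
                # An earlier rule already ends every packet this one could see.
                findings.append((chain, i + 1, "shadowed", f"by rule {shadow}"))
            elif rule.prot == "all":
                # Still reached, but not for protocols consumed earlier.
                gone = sorted({r.prot for _, r in earlier if r.prot != "all"
                               and covers(r, replace(rule, prot=r.prot))})
                if gone:
                    findings.append((chain, i + 1, "narrowed", ",".join(gone)))
    return findings


if __name__ == "__main__":
    for chain, number, kind, detail in audit(SAMPLE):
        print(f"{chain} rule {number}: {kind} ({detail})")
```

On the sample, the bootps DROP rule is reported as shadowed by the preceding udp REJECT, and the INPUT LOG rule as no longer seeing tcp or udp. The revised ruleset keeps its LOG rule after the two REJECT rules, so the second finding applies there as well.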
Re: [gentoo-user] telephony
On Thu, 23 Apr 2009 19:08:48 +0100 Stroller strol...@stellar.eclipse.co.uk wrote: [...] If you want Asterisk to answer your conventional POTS phone line then you can use an X100P card which you can buy for c £17. AIUI this is basically a modem based on a certain chipset that Digium have written drivers for. They have unequivocally dropped support for these cheap cards. They suck anyway, but this isn't to say you can't play with one I still do, after all. At one time Digium sold this hardware at quite a premium, but people realised that other models would work just as well, and Asterisk (who are sponsored by / part of Digium) has been very fair about supporting these clones in the codebase. Indeed, mine is a clone, and they are equally unconcerned about my problems with it. '-) They're obviously not supported if you buy an official support package, and IIRC I have seen posters on the Asterisk mailing list being snobby and refusing to help posters using the clones because it's not supporting the developers. This may be true, but I believe it's more because the cards, as every one will tell you straight up (unless they are selling you the card, of course) are of poor quality and design. I don't know how well the X100P works, or if there are any gotyas to look out for, but I'm pretty sure plenty of people are using them. Yep. There are driver issues, voltage/signalling problems... and in the end, even if working, they won't sound good. There's a reason they are, like, $10 on Ebay. Basically, they are decent winmodems (if such a thing is possible)... that they can be used for telephony is a fluke. A couple of friends of mine (who I considered going into IT consulting with) implemented Asterisk after I mentioned it to them and I'm sure they've used the X100P; I think those lads have deployed Asterisk for customers since. Yep. Definitely a way to get your hands dirty. 
By the time you figure out what you need to know to get a decent answering machine with your new toy, you can go buy real hardware and make telephony appliances. Meanwhile, anyone likely to be of any real help while you experiment, is doing just that, and has no interest in watching/helping you suffer, from what I've gathered. My time figuring out the first glitch between my card and the (sort of) supporting driver would have been saved/paid for by buying a real FXO/FXS card initially. I didn't do that, but you, or the OP, still can. And, finally, if I want to ever *use* this experiment in the real world, I'll have to replace the X100p with a decent sounding device anyway. Cheers, -- |\ /|| | ~ ~ | \/ ||---| `|` ? ||ichael | |iggins\^ / michael.higgins[at]evolone[dot]org
Re: [gentoo-user] Is this firewall safe?
On Fri, Apr 24, 2009 at 5:23 PM, Daniel Troeder dan...@admin-box.com wrote: On Fri, 2009-04-24 at 12:00 -0500, Chris Frederick wrote: [...] While all that is correct, I would also consider it bad network behavior (no offense intended). So you consider my 'reject-with' settings to be good practice? It feels like security through obscurity. It may hamper the well-working of a TCP/IP network, as that relies heavily on ICMP. I was not really sure how to configure ICMP (ping) correctly. Any input appreciated! Probably it will never be a problem for you, but it could be a problem for a network administrator. Also: if you wish to scan (nmap) yourself to check your system (configuration), you'll wish for REJECT instead of DROP :) You mean as the default policy? On a (not so) different topic: If you're going to make your firewall more complex (more services, or other stuff), I'd suggest to use a widely used firewall script. That is more secure than writing your own firewall configuration, because in the long run it will be better maintainable (and they often also do smart stuff(TM) ;) My recommendation is net-firewall/shorewall. It has a well balanced abstraction/granularity-ratio, and the produced iptable-rules are still readable :) This is considered to be my learning example. Later I will definitely consider using shorewall (learning one thing at a time). Thanks! -- Regards, Marco
Re: [gentoo-user] X-forwarding fails with Invalid MIT-MAGIC-COOKIE-1 key
On Fri, Apr 24, 2009 at 11:01 AM, Grant emailgr...@gmail.com wrote: X-forwarding used to work for me but I haven't used it in a while and now I get: Warning: untrusted X11 forwarding setup failed: xauth key data not generated Warning: No xauth data; using fake authentication data for X11 forwarding. Xlib: connection to localhost:10.0 refused by server Xlib: Invalid MIT-MAGIC-COOKIE-1 key Cannot open display: Ah, I had this problem for months; it was driving me crazy! I don't remember the specifics, but it had to do with some wankery of glibc not working properly with xauth. I'm pretty sure the fix is to update to =sys-libs/glibc-2.9_p20081201-r2 or regress glibc back a few ticks. Regards, Wyatt
Re: [gentoo-user] Is this firewall safe?
On Fri, 2009-04-24 at 18:40 +, Marco wrote: On Fri, Apr 24, 2009 at 5:23 PM, Daniel Troeder dan...@admin-box.com wrote: On Fri, 2009-04-24 at 12:00 -0500, Chris Frederick wrote: [...] While all that is correct, I would also consider it bad network behavior (no offense intended). So you consider my 'reject-with' settings to be good practice? Yes :) It feels like security through obscurity. It may hamper the well-working of a TCP/IP network, as that relies heavily on ICMP. I was not really sure how to configure ICMP (ping) correctly. Any input appreciated! That is really difficult, because ICMP is a family of lots of protocols, from which ping is just one. Others are important too, like telling routers/hosts about network congestion, and so on... I don't feel competent enough to give directions. I do always allow ping, as this is needed in a server environment to check for uptime, but your case may be different. Also: if you wish to scan (nmap) yourself to check your system (configuration), you'll wish for REJECT instead of DROP :) You mean as the default policy? Yes, and also everywhere you use DROP. It's just, that you'll have to wait less for timeouts, when connecting to a closed port. If you decide to go with DROP, then you could make it globally switchable in your script, to change between testing and production environment/situation. Bye, Daniel
Re: [gentoo-user] telephony
On 24 Apr 2009, at 19:38, Michael Higgins wrote: On Thu, 23 Apr 2009 19:08:48 +0100 Stroller strol...@stellar.eclipse.co.uk wrote: [...] If you want Asterisk to answer your conventional POTS phone line then you can use an X100P card which you can buy for c £17. AIUI this is basically a modem based on a certain chipset that Digium have written drivers for. They have unequivocally dropped support for these cheap cards. They suck anyway, but this isn't to say you can't play with one I still do, after all. ... This may be true, but I believe it's more because the cards, as every one will tell you straight up (unless they are selling you the card, of course) are of poor quality and design. Yep. There are driver issues, voltage/signalling problems... and in the end, even if working, they won't sound good. There's a reason they are, like, $10 on Ebay. Basically, they are decent winmodems (if such a thing is possible)... that they can be used for telephony is a fluke. ... My time figuring out the first glitch between my card and the (sort of) supporting driver would have been saved/paid for by buying a real FXO/FXS card initially. Hi Michael, Many thanks for your comments. How much is one looking at for a real FXO/FXS card? I'm not sure the difference between FXO FXS - just want something to convert my home phone line for use with Asterisk or similar. Don't bother giving me model numbers or anything like that - I can do my own research I'm sure the situation will have changed by the time I get around to deploying. Just interested in a labb-park figure, as the little Irish girl said. Stroller.
Re: [gentoo-user] telephony
Stroller wrote: On 24 Apr 2009, at 19:38, Michael Higgins wrote: On Thu, 23 Apr 2009 19:08:48 +0100 Stroller strol...@stellar.eclipse.co.uk wrote: [...] If you want Asterisk to answer your conventional POTS phone line then you can use an X100P card which you can buy for c £17. AIUI this is basically a modem based on a certain chipset that Digium have written drivers for. They have unequivocally dropped support for these cheap cards. They suck anyway, but this isn't to say you can't play with one I still do, after all. ... This may be true, but I believe it's more because the cards, as every one will tell you straight up (unless they are selling you the card, of course) are of poor quality and design. Yep. There are driver issues, voltage/signalling problems... and in the end, even if working, they won't sound good. There's a reason they are, like, $10 on Ebay. Basically, they are decent winmodems (if such a thing is possible)... that they can be used for telephony is a fluke. ... My time figuring out the first glitch between my card and the (sort of) supporting driver would have been saved/paid for by buying a real FXO/FXS card initially. Hi Michael, Many thanks for your comments. How much is one looking at for a real FXO/FXS card? I'm not sure the difference between FXO FXS - just want something to convert my home phone line for use with Asterisk or similar. Don't bother giving me model numbers or anything like that - I can do my own research I'm sure the situation will have changed by the time I get around to deploying. Just interested in a labb-park figure, as the little Irish girl said. You seem to want to know the difference, FXO vs FXS. If I got this wrong, just delete it. FXS is meant to interface to a telephone set, so it gives talk battery and (as needed) ringing current.
FXO is meant to interface to a line from a telco switch, so it accepts battery (if the circuit it's hooked up to doesn't give talk battery, you have no circuit) and expects to be rung into, so it detects ringing battery. Most of the time, both FXO's and FXS's offer options to operate in loop start (regular POTS) or ground start mode. Write me if you need more on that last. Options like reverse battery aren't usually offered in FXO/FXS cards. You usually have to give a FXS card your own source of ringing battery, not FXO, because an FXO is expecting to have ringing battery sent to it (from the telco switch it's connected to) to begin with.
Re: [gentoo-user] Is this firewall safe?
Daniel Troeder wrote: On Fri, 2009-04-24 at 18:40 +, Marco wrote: On Fri, Apr 24, 2009 at 5:23 PM, Daniel Troeder dan...@admin-box.com wrote: On Fri, 2009-04-24 at 12:00 -0500, Chris Frederick wrote: [...] While all that is correct, I would also consider it bad network behavior (no offense intended). So you consider my 'reject-with' settings to be good practice? Yes :) I'll have to agree and disagree with Daniel on this point. I agree that it is bad network behavior, but the people we are trying to keep out don't stick to using good network behavior, so why should we? There's a number of dirty tricks people use to circumvent firewalls/networks, and I strongly believe that it is better to hide your presence as best as you can on a network. Now I'm also keeping in mind that you are on a laptop with no remote services. If you start allowing services, then that will change things. If clients are going to be connecting to you for certain services, you should be more accommodating to them and play nice with the network where possible. This is more of a personal preference thing. It feels like security through obscurity. I agree that it is security through obscurity, but that's not a bad thing. Relying on security through obscurity for protection is a bad thing, but adding a layer of obscurity over a defense in depth strategy is not. It may hamper the well-working of a TCP/IP network, as that relies heavily on ICMP. On a server level, yes. But this is a client with no active/accessible services. A server shouldn't rely on ICMP from a client, but the ICMP packets from the server will be picked up by the RELATED flag on the second rule, allowing the client to see the ICMP error from the server. I was not really sure how to configure ICMP (ping) correctly. Any input appreciated! That is really difficult, because ICMP is a family of lots of protocols, from which ping is just one. Others are important too, like telling routers/hosts about network congestion, and so on...
I don't feel competent enough to give directions. I do always allow ping, as this is needed in a server environment to check for uptime, but your case may be different. I agree with Daniel again. Unless you know what you are doing, blocking ICMP is just going to cause problems. And I would argue that iptables is not the tool to use, even if you know what you are doing. If you really want to filter your ICMP packets, look to /proc/sys/net/ipv4/. The kernel will give you some nice options that are a lot safer than an iptables rule. Also: if you wish to scan (nmap) yourself to check your system (configuration), you'll wish for REJECT instead of DROP :) You mean as the default policy? Yes, and also everywhere you use DROP. It's just, that you'll have to wait less for timeouts, when connecting to a closed port. segway I would recommend running nmap in crontab if you want to scan your network (look up ndiff on nmap's website). /segway If you decide to go with DROP, then you could make it globally switchable in your script, to change between testing and production environment/situation. This is great advice. You may not benefit much from it now with this small script, but as it grows, you really want to keep this in mind. If you modularize your tables, you can turn them on and off with a single insert/delete rather than trying to insert/delete large blocks from the rules, or worse, reloading the whole rule set. Chris P.S. Daniel, no offense taken. I enjoy these debates, it helps us think differently and learn new tricks. If we are not challenged once in a while we get complacent, and that's typically when we start making mistakes.
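The switchable REJECT/DROP setup that Daniel and Chris describe above, as an added example that is not taken from any poster's script: a POSIX sh generator that emits an iptables-restore ruleset in which INPUT hands all refused traffic to one user-defined chain, so changing behaviour touches only that chain. The chain name CLOSED, the FW_MODE variable and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: ruleset generator for a laptop with no listening services.
# CLOSED (chain), FW_MODE (variable) and both function names are hypothetical.
#
# Typical use (needs root only for the iptables-restore part):
#   FW_MODE=reject sh fw.sh | iptables-restore --test   # parse without loading
#   FW_MODE=drop   sh fw.sh | iptables-restore          # load it

# emit_closed_chain MODE
#   reject : answer refused packets, so a self-scan fails fast on closed ports
#   drop   : send nothing back, so the sender runs into timeouts
emit_closed_chain() {
    mode=$1
    # LOG does not terminate rule traversal, REJECT and DROP do. The LOG rule
    # therefore has to come first or it never sees the refused TCP/UDP packets.
    printf '%s\n' '-A CLOSED -j LOG --log-level warning --log-prefix "INPUT "'
    case $mode in
        reject)
            printf '%s\n' '-A CLOSED -p tcp -j REJECT --reject-with tcp-reset'
            printf '%s\n' '-A CLOSED -p udp -j REJECT --reject-with icmp-port-unreachable'
            # Anything that is neither TCP nor UDP is dropped explicitly.
            printf '%s\n' '-A CLOSED -j DROP'
            ;;
        drop)
            printf '%s\n' '-A CLOSED -j DROP'
            ;;
        *)
            echo "unknown mode: $mode (use reject or drop)" >&2
            return 1
            ;;
    esac
}

# emit_ruleset [MODE]
#   Prints a complete *filter table in iptables-restore format.
#   INPUT is identical in both modes: it jumps to CLOSED with a single rule,
#   which is the "one insert/delete" module boundary from the thread.
emit_ruleset() {
    mode=${1:-drop}
    closed=$(emit_closed_chain "$mode") || return 1
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:CLOSED - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j CLOSED
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j LOG --log-level warning --log-prefix "OUTPUT "
$closed
COMMIT
EOF
}

# Print the ruleset for the selected mode; nothing is loaded from here.
emit_ruleset "${FW_MODE:-drop}"
```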
[gentoo-user] eselect usage
I have a machine which I hadn't used in about 3 months, so yesterday I began with an emerge --sync and then updated system. I got a message telling me I had to read an eselect message from gentoo, but no matter how I play with it, I can't get eselect to accept anything at all regarding gentoo. There isn't any such module, nor any news item at all available. If anyone recognizes the message from emerge about eselect, could you give me a command line that will report what it is that emerge is asking me to read?
Re: [gentoo-user] eselect usage
On Friday 24 April 2009, Chuck Robey wrote: I have a machine which I hadn't used in about 3 months, so yesterday I began with an emerge --sync and then updated system. I got a message telling me I had to read an eselect message from gentoo, but no matter how I play with it, I can't get eselect to accept anything at all regarding gentoo. There isn't any such module, nor any news item at all available. If anyone recognizes the message from emerge about eselect, could you give me a command line that will report what it is that emerge is asking me to read? eselect news
Re: [gentoo-user] eselect usage
Volker Armin Hemmann wrote: On Friday 24 April 2009, Chuck Robey wrote: I have a machine which I hadn't used in about 3 months, so yesterday I began with an emerge --sync and then updated system. I got a message telling me I had to read an eselect message from gentoo, but no matter how I play with it, I can't get eselect to accept anything at all regarding gentoo. There isn't any such module, nor any news item at all available. If anyone recognizes the message from emerge about eselect, could you give me a command line that will report what it is that emerge is asking me to read? eselect news well, I had already tried eselect news, it only reports back that there are 0 items to read. Seeing as emerge is telling me I need to read the eselect news, it seems likely that I'm still doing something wrong, or maybe that my configuration is wrong. Maybe things will improve after I finish updating all the /etc/ files.
Re: [gentoo-user] eselect usage
Chuck Robey wrote: Volker Armin Hemmann wrote: On Friday 24 April 2009, Chuck Robey wrote: I have a machine which I hadn't used in about 3 months, so yesterday I began with an emerge --sync and then updated system. I got a message telling me I had to read an eselect message from gentoo, but no matter how I play with it, I can't get eselect to accept anything at all regarding gentoo. There isn't any such module, nor any news item at all available. If anyone recognizes the message from emerge about eselect, could you give me a command line that will report what it is that emerge is asking me to read? eselect news well, I had already tried eselect news, it only reports back that there are 0 items to read. Seeing as emerge is telling me I need to read the eselect news, it seems likely that I'm still doing something wrong, or maybe that my configuration is wrong. Maybe things will improve after I finish updating all the /etc/ files. This is what you have to do - I struggled a bit with this too. eselect news list This will report back any news items. On my system, the following is returned: eselect news list Unread news items: (none found) Read news items: 2009-04-06-x_server-1_5 Migration to X.org Server 1.5 Then, on my system I do: eselect news read 2009-04-06-x_server-1_5 The following is returned: penguinchick ~ # eselect news read 2009-04-06-x_server-1_5 2009-04-06-x_server-1_5 Title Migration to X.org Server 1.5 Author Remi Cardona r...@gentoo.org Author Christian Faulhammer fa...@gentoo.org Posted 2009-04-06 Revision 1 A lot of changes regarding device recognition and use by the X server have been introduced in the 1.5 update. As that version is going stable on all architectures, users should read the upgrade guide [0] before actually updating the package. [0] http://www.gentoo.org/proj/en/desktop/x/x11/xorg-server-1.5-upgrade-guide.xml HTH Colleen -- Registered Linux User #411143 with the Linux Counter, http://counter.li.org
Re: [gentoo-user] Re: Building a test system
On Fri, 24 Apr 2009 13:21:52 + (UTC), James wrote: Where was this wisdom, when I was a young lad? You ignored it because you knew everything at that age :) -- Neil Bothwick Reality is for people who can't handle Star Trek
Re: [gentoo-user] eselect usage
On Friday 24 April 2009, Chuck Robey wrote: Volker Armin Hemmann wrote: On Friday 24 April 2009, Chuck Robey wrote: I have a machine which I hadn't used in about 3 months, so yesterday I began with an emerge --sync and then updated system. I got a message telling me I had to read an eselect message from gentoo, but no matter how I play with it, I can't get eselect to accept anything at all regarding gentoo. There isn't any such module, nor any news item at all available. If anyone recognizes the message from emerge about eselect, could you give me a command line that will report what it is that emerge is asking me to read? eselect news well, I had already tried eselect news, it only reports back that there are 0 items to read. Seeing as emerge is telling me I need to read the eselect news, it seems likely that I'm still doing something wrong, or maybe that my configuration is wrong. Maybe things will improve after I finish updating all the /etc/ files. afair it only tells about the new feature. If there is a news message it looks like this: eselect news list Unread news items: (none found) Read news items: 2009-04-18-java-config-wrapper-0.16 Generation 1 Java Setup Deprecated
Re: [gentoo-user] KDE4 has holes since updating Qt [SOLVED]
On Fri, Apr 24, 2009 at 8:41 AM, Volker Armin Hemmann volkerar...@googlemail.com wrote: On Freitag 24 April 2009, Paul Hartman wrote: Hi, I updated Qt earlier today, and rebuilt kdelibs, PyQt4, qt-opengl, and all of my qt-related themes, but apparently I've missed something because there are still holes: outlines of buttons or windows with no content. The most important of which is the Kicker menu. I can change it to classic mode and use it, but when I set it to kicker mode it's just an outline. This happened to me a long time ago and I can't remember what I had to rebuild to fix it. I'm sure I am just missing something easy. Also, is there a command that can scan my system and tell me which programs need to be rebuild after a Qt update? I seem to go through this every time. :) Thanks, Paul there is a big, fat bug in qt-4.5.1. AFAIK it is fixed in their svn and in kde's qt-copy version. You might want to try this versions from the qting-edge overlay. Dear Volker Armin, THANK YOU for this tip. Now that I'm using qt-live-kde set with qt-copy USE flag, not only did it fix the problem I had with holes, but it also fixed performance in nxserver tremendously. KDE apps ever since KDE4, especially Akregator and Konqueror, used to have CRAZY redraws, and now they operate perfectly. It's a nice bonus. :) Thanks again.
Re: [gentoo-user] KDE4 has holes since updating Qt [Oops - NOT SOLVED]
On Fri, Apr 24, 2009 at 6:51 PM, Paul Hartman paul.hartman+gen...@gmail.com wrote: On Fri, Apr 24, 2009 at 8:41 AM, Volker Armin Hemmann volkerar...@googlemail.com wrote: On Freitag 24 April 2009, Paul Hartman wrote: Hi, I updated Qt earlier today, and rebuilt kdelibs, PyQt4, qt-opengl, and all of my qt-related themes, but apparently I've missed something because there are still holes: outlines of buttons or windows with no content. The most important of which is the Kicker menu. I can change it to classic mode and use it, but when I set it to kicker mode it's just an outline. This happened to me a long time ago and I can't remember what I had to rebuild to fix it. I'm sure I am just missing something easy. Also, is there a command that can scan my system and tell me which programs need to be rebuild after a Qt update? I seem to go through this every time. :) Thanks, Paul there is a big, fat bug in qt-4.5.1. AFAIK it is fixed in their svn and in kde's qt-copy version. You might want to try this versions from the qting-edge overlay. Dear Volker Armin, THANK YOU for this tip. Now that I'm using qt-live-kde set with qt-copy USE flag, not only did it fix the problem I had with holes, but it also fixed performance in nxserver tremendously. KDE apps ever since KDE4, especially Akregator and Konqueror, used to have CRAZY redraws, and now they operate perfectly. It's a nice bonus. :) Thanks again. I wrote too soon. Not solved! The kicker menu works now, but other things like Alt-F2 or the taskbar thumbnails are still only showing up as an outline... :(
Re: [gentoo-user] KDE4 has holes since updating Qt [SOLVED]
On Samstag 25 April 2009, Paul Hartman wrote: On Fri, Apr 24, 2009 at 8:41 AM, Volker Armin Hemmann volkerar...@googlemail.com wrote: On Freitag 24 April 2009, Paul Hartman wrote: Hi, I updated Qt earlier today, and rebuilt kdelibs, PyQt4, qt-opengl, and all of my qt-related themes, but apparently I've missed something because there are still holes: outlines of buttons or windows with no content. The most important of which is the Kicker menu. I can change it to classic mode and use it, but when I set it to kicker mode it's just an outline. This happened to me a long time ago and I can't remember what I had to rebuild to fix it. I'm sure I am just missing something easy. Also, is there a command that can scan my system and tell me which programs need to be rebuild after a Qt update? I seem to go through this every time. :) Thanks, Paul there is a big, fat bug in qt-4.5.1. AFAIK it is fixed in their svn and in kde's qt-copy version. You might want to try this versions from the qting-edge overlay. Dear Volker Armin, THANK YOU for this tip. Now that I'm using qt-live-kde set with qt-copy USE flag, not only did it fix the problem I had with holes, but it also fixed performance in nxserver tremendously. KDE apps ever since KDE4, especially Akregator and Konqueror, used to have CRAZY redraws, and now they operate perfectly. It's a nice bonus. :) Thanks again. you are welcome - and thank the guys who work on the overlay - qt-copy always was the best qt for optimal kde experience. Now it is easy to install it ;)
Re: [gentoo-user] KDE4 has holes since updating Qt [Oops - NOT SOLVED]
On Samstag 25 April 2009, Paul Hartman wrote: On Fri, Apr 24, 2009 at 6:51 PM, Paul Hartman paul.hartman+gen...@gmail.com wrote: On Fri, Apr 24, 2009 at 8:41 AM, Volker Armin Hemmann volkerar...@googlemail.com wrote: On Freitag 24 April 2009, Paul Hartman wrote: Hi, I updated Qt earlier today, and rebuilt kdelibs, PyQt4, qt-opengl, and all of my qt-related themes, but apparently I've missed something because there are still holes: outlines of buttons or windows with no content. The most important of which is the Kicker menu. I can change it to classic mode and use it, but when I set it to kicker mode it's just an outline. This happened to me a long time ago and I can't remember what I had to rebuild to fix it. I'm sure I am just missing something easy. Also, is there a command that can scan my system and tell me which programs need to be rebuild after a Qt update? I seem to go through this every time. :) Thanks, Paul there is a big, fat bug in qt-4.5.1. AFAIK it is fixed in their svn and in kde's qt-copy version. You might want to try this versions from the qting-edge overlay. Dear Volker Armin, THANK YOU for this tip. Now that I'm using qt-live-kde set with qt-copy USE flag, not only did it fix the problem I had with holes, but it also fixed performance in nxserver tremendously. KDE apps ever since KDE4, especially Akregator and Konqueror, used to have CRAZY redraws, and now they operate perfectly. It's a nice bonus. :) Thanks again. I wrote too soon. Not solved! The kicker menu works now, but other things like Alt-F2 or the taskbar thumbnails are still only showing up as an outline... :( strange - haven't seen that in a while. Which kde version exactly? and could you give the useflags you used for qt? (I hope not raster...)
Re: [gentoo-user] KDE4 has holes since updating Qt [Oops - NOT SOLVED]
On Fri, Apr 24, 2009 at 7:23 PM, Volker Armin Hemmann volkerar...@googlemail.com wrote: On Samstag 25 April 2009, Paul Hartman wrote: On Fri, Apr 24, 2009 at 6:51 PM, Paul Hartman paul.hartman+gen...@gmail.com wrote: On Fri, Apr 24, 2009 at 8:41 AM, Volker Armin Hemmann volkerar...@googlemail.com wrote: On Freitag 24 April 2009, Paul Hartman wrote: Hi, I updated Qt earlier today, and rebuilt kdelibs, PyQt4, qt-opengl, and all of my qt-related themes, but apparently I've missed something because there are still holes: outlines of buttons or windows with no content. The most important of which is the Kicker menu. I can change it to classic mode and use it, but when I set it to kicker mode it's just an outline. This happened to me a long time ago and I can't remember what I had to rebuild to fix it. I'm sure I am just missing something easy. Also, is there a command that can scan my system and tell me which programs need to be rebuild after a Qt update? I seem to go through this every time. :) Thanks, Paul there is a big, fat bug in qt-4.5.1. AFAIK it is fixed in their svn and in kde's qt-copy version. You might want to try this versions from the qting-edge overlay. Dear Volker Armin, THANK YOU for this tip. Now that I'm using qt-live-kde set with qt-copy USE flag, not only did it fix the problem I had with holes, but it also fixed performance in nxserver tremendously. KDE apps ever since KDE4, especially Akregator and Konqueror, used to have CRAZY redraws, and now they operate perfectly. It's a nice bonus. :) Thanks again. I wrote too soon. Not solved! The kicker menu works now, but other things like Alt-F2 or the taskbar thumbnails are still only showing up as an outline... :( strange - haven't seen that in a while. Which kde version exactly? and could you give the useflags you used for qt? (I hope not raster...) Hi, I'm using KDE 4.2.2, kde-testing and qting-edge, ~amd64 system. 
I will also mention the problem (outlines with no content) happens regardless of whether desktop effects are on or off. I remember this problem from a long time ago (KDE 4.0 era) but can't remember why... Here are my Qt USE flags (no raster :): $ emerge -vp @qt-all-live-kde These are the packages that would be merged, in order: Calculating dependencies ... done! [ebuild R ] x11-libs/qt-core-4.5. USE=glib iconv qt-copy qt3support ssl -custom-cxxflags -debug -doc -pch 0 kB [1] [ebuild R ] x11-libs/qt-sql-4.5. USE=iconv mysql qt-copy qt3support sqlite -custom-cxxflags -debug (-firebird) -odbc -pch -postgres 0 kB [1] [ebuild R ] x11-libs/qt-script-4.5. USE=iconv qt-copy -custom-cxxflags -debug -pch 0 kB [1] [ebuild R ] x11-libs/qt-dbus-4.5. USE=qt-copy -custom-cxxflags -debug -pch 0 kB [1] [ebuild R ] x11-libs/qt-test-4.5. USE=iconv qt-copy -custom-cxxflags -debug -pch 0 kB [1] [ebuild R ] x11-libs/qt-xmlpatterns-4.5. USE=qt-copy -custom-cxxflags -debug -pch 0 kB [1] [ebuild R ] x11-libs/qt-gui-4.5. USE=accessibility cups dbus glib gtkstyle mng qt-copy qt3support tiff -custom-cxxflags -debug -nas -nis -pch -raster -xinerama 0 kB [1] [ebuild R ] x11-libs/qt-qt3support-4.5. USE=accessibility qt-copy -custom-cxxflags -debug -pch -phonon 0 kB [1] [ebuild R ] x11-libs/qt-webkit-4.5. USE=qt-copy -custom-cxxflags -debug -pch 0 kB [1] [ebuild R ] x11-libs/qt-svg-4.5. USE=iconv qt-copy -custom-cxxflags -debug -pch 0 kB [1] [ebuild R ] x11-libs/qt-opengl-4.5. USE=qt-copy qt3support -custom-cxxflags -debug -pch 0 kB [1] [ebuild R ] x11-libs/qt-assistant-4.5. USE=qt-copy -custom-cxxflags -debug -pch 0 kB [1] Total: 12 packages (12 reinstalls), Size of downloads: 0 kB Portage tree and overlays: [0] /usr/portage [1] /usr/local/portage/layman/qting-edge And my kdelibs: $ emerge -vp kdelibs These are the packages that would be merged, in order: Calculating dependencies ... done! 
[ebuild R ] kde-base/kdelibs-4.2.2-r2 USE=acl alsa bzip2 fam mmx nls openexr opengl semantic-desktop spell sse sse2 ssl zeroconf -3dnow (-altivec) -bindist -debug -doc -jpeg2k -kdeprefix -kerberos -test 0 kB [1] Total: 1 package (1 reinstall), Size of downloads: 0 kB Portage tree and overlays: [0] /usr/portage [1] /usr/local/portage/layman/kde-testing Thanks Paul
Re: [gentoo-user] KDE4 has holes since updating Qt [Oops - NOT SOLVED]
On Samstag 25 April 2009, Paul Hartman wrote:
On Fri, Apr 24, 2009 at 7:23 PM, Volker Armin Hemmann volkerar...@googlemail.com wrote:
On Samstag 25 April 2009, Paul Hartman wrote:
On Fri, Apr 24, 2009 at 6:51 PM, Paul Hartman paul.hartman+gen...@gmail.com wrote:
On Fri, Apr 24, 2009 at 8:41 AM, Volker Armin Hemmann volkerar...@googlemail.com wrote:
On Freitag 24 April 2009, Paul Hartman wrote:

Hi, I updated Qt earlier today, and rebuilt kdelibs, PyQt4, qt-opengl, and all of my qt-related themes, but apparently I've missed something because there are still holes: outlines of buttons or windows with no content. The most important of which is the Kicker menu. I can change it to classic mode and use it, but when I set it to kicker mode it's just an outline. This happened to me a long time ago and I can't remember what I had to rebuild to fix it. I'm sure I am just missing something easy. Also, is there a command that can scan my system and tell me which programs need to be rebuilt after a Qt update? I seem to go through this every time. :)
Thanks, Paul

there is a big, fat bug in qt-4.5.1. AFAIK it is fixed in their svn and in kde's qt-copy version. You might want to try these versions from the qting-edge overlay.

Dear Volker Armin, THANK YOU for this tip. Now that I'm using qt-live-kde set with qt-copy USE flag, not only did it fix the problem I had with holes, but it also fixed performance in nxserver tremendously. KDE apps ever since KDE4, especially Akregator and Konqueror, used to have CRAZY redraws, and now they operate perfectly. It's a nice bonus. :) Thanks again.

I wrote too soon. Not solved! The kicker menu works now, but other things like Alt-F2 or the taskbar thumbnails are still only showing up as an outline... :(

strange - haven't seen that in a while. Which kde version exactly? and could you give the useflags you used for qt? (I hope not raster...)

Hi, I'm using KDE 4.2.2, kde-testing and qting-edge, ~amd64 system. I will also mention the problem (outlines with no content) happens regardless of whether desktop effects are on or off. I remember this problem from a long time ago (KDE 4.0 era) but can't remember why... Here are my Qt USE flags (no raster :):

$ emerge -vp @qt-all-live-kde
These are the packages that would be merged, in order:
Calculating dependencies ... done!
[ebuild R ] x11-libs/qt-core-4.5. USE=glib iconv qt-copy qt3support ssl -custom-cxxflags -debug -doc -pch 0 kB [1]
[ebuild R ] x11-libs/qt-sql-4.5. USE=iconv mysql qt-copy qt3support sqlite -custom-cxxflags -debug (-firebird) -odbc -pch -postgres 0 kB [1]
[ebuild R ] x11-libs/qt-script-4.5. USE=iconv qt-copy -custom-cxxflags -debug -pch 0 kB [1]
[ebuild R ] x11-libs/qt-dbus-4.5. USE=qt-copy -custom-cxxflags -debug -pch 0 kB [1]
[ebuild R ] x11-libs/qt-test-4.5. USE=iconv qt-copy -custom-cxxflags -debug -pch 0 kB [1]
[ebuild R ] x11-libs/qt-xmlpatterns-4.5. USE=qt-copy -custom-cxxflags -debug -pch 0 kB [1]
[ebuild R ] x11-libs/qt-gui-4.5. USE=accessibility cups dbus glib gtkstyle mng qt-copy qt3support tiff -custom-cxxflags -debug -nas -nis -pch -raster -xinerama 0 kB [1]
[ebuild R ] x11-libs/qt-qt3support-4.5. USE=accessibility qt-copy -custom-cxxflags -debug -pch -phonon 0 kB [1]
[ebuild R ] x11-libs/qt-webkit-4.5. USE=qt-copy -custom-cxxflags -debug -pch 0 kB [1]
[ebuild R ] x11-libs/qt-svg-4.5. USE=iconv qt-copy -custom-cxxflags -debug -pch 0 kB [1]
[ebuild R ] x11-libs/qt-opengl-4.5. USE=qt-copy qt3support -custom-cxxflags -debug -pch 0 kB [1]
[ebuild R ] x11-libs/qt-assistant-4.5. USE=qt-copy -custom-cxxflags -debug -pch 0 kB [1]
Total: 12 packages (12 reinstalls), Size of downloads: 0 kB
Portage tree and overlays:
[0] /usr/portage
[1] /usr/local/portage/layman/qting-edge

And my kdelibs:

$ emerge -vp kdelibs
These are the packages that would be merged, in order:
Calculating dependencies ... done!
[ebuild R ] kde-base/kdelibs-4.2.2-r2 USE=acl alsa bzip2 fam mmx nls openexr opengl semantic-desktop spell sse sse2 ssl zeroconf -3dnow (-altivec) -bindist -debug -doc -jpeg2k -kdeprefix -kerberos -test 0 kB [1]
Total: 1 package (1 reinstall), Size of downloads: 0 kB
Portage tree and overlays:
[0] /usr/portage
[1] /usr/local/portage/layman/kde-testing

Thanks Paul

what about PyQt4?
Re: [gentoo-user] KDE4 has holes since updating Qt [Oops - NOT SOLVED]
On Fri, Apr 24, 2009 at 8:19 PM, Volker Armin Hemmann volkerar...@googlemail.com wrote:
On Samstag 25 April 2009, Paul Hartman wrote:
On Fri, Apr 24, 2009 at 7:23 PM, Volker Armin Hemmann volkerar...@googlemail.com wrote:
On Samstag 25 April 2009, Paul Hartman wrote:
On Fri, Apr 24, 2009 at 6:51 PM, Paul Hartman paul.hartman+gen...@gmail.com wrote:
On Fri, Apr 24, 2009 at 8:41 AM, Volker Armin Hemmann volkerar...@googlemail.com wrote:
On Freitag 24 April 2009, Paul Hartman wrote:

Hi, I updated Qt earlier today, and rebuilt kdelibs, PyQt4, qt-opengl, and all of my qt-related themes, but apparently I've missed something because there are still holes: outlines of buttons or windows with no content. The most important of which is the Kicker menu. I can change it to classic mode and use it, but when I set it to kicker mode it's just an outline. This happened to me a long time ago and I can't remember what I had to rebuild to fix it. I'm sure I am just missing something easy. Also, is there a command that can scan my system and tell me which programs need to be rebuilt after a Qt update? I seem to go through this every time. :)
Thanks, Paul

there is a big, fat bug in qt-4.5.1. AFAIK it is fixed in their svn and in kde's qt-copy version. You might want to try these versions from the qting-edge overlay.

Dear Volker Armin, THANK YOU for this tip. Now that I'm using qt-live-kde set with qt-copy USE flag, not only did it fix the problem I had with holes, but it also fixed performance in nxserver tremendously. KDE apps ever since KDE4, especially Akregator and Konqueror, used to have CRAZY redraws, and now they operate perfectly. It's a nice bonus. :) Thanks again.

I wrote too soon. Not solved! The kicker menu works now, but other things like Alt-F2 or the taskbar thumbnails are still only showing up as an outline... :(

strange - haven't seen that in a while. Which kde version exactly? and could you give the useflags you used for qt? (I hope not raster...)

Hi, I'm using KDE 4.2.2, kde-testing and qting-edge, ~amd64 system. I will also mention the problem (outlines with no content) happens regardless of whether desktop effects are on or off. I remember this problem from a long time ago (KDE 4.0 era) but can't remember why... Here are my Qt USE flags (no raster :):

$ emerge -vp @qt-all-live-kde
These are the packages that would be merged, in order:
Calculating dependencies ... done!
[ebuild R ] x11-libs/qt-core-4.5. USE=glib iconv qt-copy qt3support ssl -custom-cxxflags -debug -doc -pch 0 kB [1]
[ebuild R ] x11-libs/qt-sql-4.5. USE=iconv mysql qt-copy qt3support sqlite -custom-cxxflags -debug (-firebird) -odbc -pch -postgres 0 kB [1]
[ebuild R ] x11-libs/qt-script-4.5. USE=iconv qt-copy -custom-cxxflags -debug -pch 0 kB [1]
[ebuild R ] x11-libs/qt-dbus-4.5. USE=qt-copy -custom-cxxflags -debug -pch 0 kB [1]
[ebuild R ] x11-libs/qt-test-4.5. USE=iconv qt-copy -custom-cxxflags -debug -pch 0 kB [1]
[ebuild R ] x11-libs/qt-xmlpatterns-4.5. USE=qt-copy -custom-cxxflags -debug -pch 0 kB [1]
[ebuild R ] x11-libs/qt-gui-4.5. USE=accessibility cups dbus glib gtkstyle mng qt-copy qt3support tiff -custom-cxxflags -debug -nas -nis -pch -raster -xinerama 0 kB [1]
[ebuild R ] x11-libs/qt-qt3support-4.5. USE=accessibility qt-copy -custom-cxxflags -debug -pch -phonon 0 kB [1]
[ebuild R ] x11-libs/qt-webkit-4.5. USE=qt-copy -custom-cxxflags -debug -pch 0 kB [1]
[ebuild R ] x11-libs/qt-svg-4.5. USE=iconv qt-copy -custom-cxxflags -debug -pch 0 kB [1]
[ebuild R ] x11-libs/qt-opengl-4.5. USE=qt-copy qt3support -custom-cxxflags -debug -pch 0 kB [1]
[ebuild R ] x11-libs/qt-assistant-4.5. USE=qt-copy -custom-cxxflags -debug -pch 0 kB [1]
Total: 12 packages (12 reinstalls), Size of downloads: 0 kB
Portage tree and overlays:
[0] /usr/portage
[1] /usr/local/portage/layman/qting-edge

And my kdelibs:

$ emerge -vp kdelibs
These are the packages that would be merged, in order:
Calculating dependencies ... done!
[ebuild R ] kde-base/kdelibs-4.2.2-r2 USE=acl alsa bzip2 fam mmx nls openexr opengl semantic-desktop spell sse sse2 ssl zeroconf -3dnow (-altivec) -bindist -debug -doc -jpeg2k -kdeprefix -kerberos -test 0 kB [1]
Total: 1 package (1 reinstall), Size of downloads: 0 kB
Portage tree and overlays:
[0] /usr/portage
[1] /usr/local/portage/layman/kde-testing

Thanks Paul

what about PyQt4?

dev-python/PyQt4-4.4.5_pre20090208-r1 USE=X dbus opengl qt3support svg webkit -debug -doc -examples
[gentoo-user] Re: Building a test system
Neil Bothwick neil at digimed.co.uk writes:

Where was this wisdom, when I was a young lad?

You ignored it because you knew everything at that age :)

For you to know that, I must have not been alone

James