Re: [gentoo-user] Re: LO 4.0 playing media with gstreamer-1.0.5 ?

2013-03-09 Thread Mick
On Saturday 09 Mar 2013 04:34:26 v...@ukr.net wrote:
   Hello!
 
 On Fri, 08 Mar 2013 18:00:02 -0800
 
 walt w41...@gmail.com wrote:
  I've never had problems playing media files in loimpress, so all I
  can do is guess.
 
   If you can play video files in LibreOffice-4.0.1.2, could you please
 tell me which related packages do you have installed? (like
 gst-plugins-libav, gstreamer and so on). And what USE-flags do you
 turn on for libreoffice?
 
  Have you tried starting loimpress from a bash prompt and looking for
  error messages as it tries to open a presentation file?
 
   I tried to launch Impress from the command line, but it does not give
 any error messages. When I open the built-in media player (tools ->
 media player) and try to open some video or audio file in it, it just
 tells me that the format is not supported.
 
   Regards,
 Vladimir

You may want to run loimpress --strace mypresentation.odp in a terminal, where 
mypresentation.odp is the file that has the media embedded in it and see if 
you find what's going wrong by fishing in the strace.log file created in your 
/home (run tail -f ~/strace.log).

If the error is not obvious you could ask here for help to decipher the strace 
output and of course in the LO IRC channel or M/L.
-- 
Regards,
Mick




Re: [gentoo-user] auto-config of new gentoo-sources?

2013-03-09 Thread Graham Murray
Mike Gilbert flop...@gentoo.org writes:

 On Fri, Feb 22, 2013 at 1:52 PM, Jarry mr.ja...@gmail.com wrote:
 So my question is: how is this possible? Is maybe .config
 file from the old sources-tree copied to new sources-tree?
 Or is the actual configuration of running kernel somehow
 detected and .config file generated?


 The latter. Have a look at DEFCONFIG_LIST init/Kconfig.

So is it no longer necessary to run 'zcat /proc/config.gz > .config' to
transfer the current configuration as a 'seed' when installing a new
kernel?



Re: [gentoo-user] auto-config of new gentoo-sources?

2013-03-09 Thread Nilesh Govindrajan
On Sat, Mar 9, 2013 at 2:39 PM, Graham Murray gra...@gmurray.org.uk wrote:
 Mike Gilbert flop...@gentoo.org writes:

 On Fri, Feb 22, 2013 at 1:52 PM, Jarry mr.ja...@gmail.com wrote:
 So my question is: how is this possible? Is maybe .config
 file from the old sources-tree copied to new sources-tree?
 Or is the actual configuration of running kernel somehow
 detected and .config file generated?


 The latter. Have a look at DEFCONFIG_LIST init/Kconfig.

 So is it no longer necessary to run 'zcat /proc/config.gz > .config' to
 transfer the current configuration as a 'seed' when installing a new
 kernel?


That is porting your existing config to new kernel. You can't miss the
step, lol.
If you have genkernel, the simplest one would be

genkernel --kernel-config=/proc/config.gz

--
Nilesh Govindrajan
http://nileshgr.com



Re: [Bulk] Re: [gentoo-user] /etc/hosts include file?

2013-03-09 Thread Kevin Chadwick
 There is no reason to believe that IPv6 will result in an increased use
 of IPsec.
 
 Bull. The biggest barrier to IPsec use has been NAT! If an intermediate
 router has to rewrite the packet to change the apparent source and/or
 destination addresses, then the cryptographic signature will show it,
 and the packet will be correctly identified as having been tampered with!
 

It's hardly difficult to get around that now, is it? You are wrong: the
biggest barrier is that it is not desirable to do this, as there are
many reasons for firewalls to inspect incoming packets. I don't agree
with things like central virus scanning (especially by damn ISPs using
crappy Huawei hardware), deep-inspection traffic shaping rather than
pure bandwidth usage tracking, or active IDS myself, but I do agree
with scrubbing packets.

 With IPsec, NAT is unnecessary. (You can still use it if you need
 it...but please try to avoid it!)
 

Actually it is no problem at all and is far better than some of the
rubbish ipv6 encourages client apps to do. (See the links I sent in the
other mail.)

 Re DNS support for IPv6
 
 Increased size of DNS responses due to larger addresses might be
 exploited for DDos attacks
 
 That's not even significant. Have you looked at the size of DNS
 responses? The increased size of the address pales in comparison to the
 amount of other data already stuffed into the packet.

It's been ages since I looked at that link, and longer addresses would
certainly be needed anyway, but certainly with DNSSEC, again concocted by
costly, unthoughtful and unengaging groups who chose to ignore DJB
and enable amplification attacks.

His latest on the DNS security mess:

http://cr.yp.to/talks/2013.02.07/slides.pdf

 An attacker can connect to an IPv4-only network, and forge IPv6 Router
 Advertisement messages. (*)

 Again, this depends on them being on the same layer 2 network segment.

 The same class of attacks would be possible for any IPv4 successor that
 implemented either RAs or DHCP.

Neither of which I use.

As I said we would be here all day and that link wasn't as good as the
one I was actually looking for.

Local NAT done right is no problem and actually a good thing, and I have
no issues playing games, running servers or anything else behind NAT.
Global NAT works well enough but isn't a good thing and wouldn't exist
if they had simply added more addresses quickly. The hardware uptake
would have been no issue rather than a decade of pleading.

We haven't even touched on the code yet, and so all the vulnerable
hardware, especially home hardware, which yes often has vulnerable sps
anyway, but by no way just home hardware.

The ipvshit links give an insight into the code complexity. Note
OpenBSD's kernel, which is very secure (unlike Linux, whose primary goal
is function) and has had just a few remote holes in well over a decade,
one of which was in ipv6 and which I had avoided without downtime
because I won't, and what's more shouldn't, use ipv6 wherever possible
and had actually removed it from the kernel altogether.

If I am trolling rather than simply trying to make people aware, then
stating ipv6 is wonderful is trolling just as much or more.

Regards,
Kc

-- 
___

'Write programs that do one thing and do it well. Write programs to work
together. Write programs to handle text streams, because that is a
universal interface'

(Doug McIlroy)
___



Re: [Bulk] Re: [gentoo-user] /etc/hosts include file?

2013-03-09 Thread Kevin Chadwick
  
  Lookup ipvshit
  
  I'll give you a hint.
  
  The guy who wrote most of the pf firewall that Mac OS X now uses, as well
  as QNX, the latest version originating from OpenBSD and being far better
  than iptables, has bought up lots of ipv4 just to stay away from ipvshit.

 
 Tried searching for it. You're going to have to provide some useful
 direct reference, because a basic search wasn't very illuminating.

Perhaps Google doesn't approve of swear words?!

http://marc.info/?l=openbsd-misc&m=129666298029771&w=2

http://marc.info/?l=openbsd-misc&m=135325826302392&w=2

-- 
___

'Write programs that do one thing and do it well. Write programs to work
together. Write programs to handle text streams, because that is a
universal interface'

(Doug McIlroy)
___



[gentoo-user] module-init-tools : masked opponent

2013-03-09 Thread Philip Webb
Doing my usual Saturday system update, I saw a prominent msg
telling me that 'module-init-tools' has been masked
 to use 'kmod' or 'modutils' -- the msgs vary -- to replace it.
When I did so (both), Nvidia wouldn't start, even after remerging it.
Back with 'module-init-tools' -- now in 'package.unmask' -- all is well.

Does anyone know what's going on ? -- did I miss a 'news' item ?

-- 
,,
SUPPORT ___//___,   Philip Webb
ELECTRIC   /] [] [] [] [] []|   Cities Centre, University of Toronto
TRANSIT`-O--O---'   purslowatchassdotutorontodotca




Re: [gentoo-user] module-init-tools : masked opponent

2013-03-09 Thread Alan McKinnon
On 09/03/2013 15:07, Philip Webb wrote:
 Doing my usual Saturday system update, I saw a prominent msg
 telling me that 'module-init-tools' has been masked
  to use 'kmod' or 'modutils' -- the msgs vary -- to replace it.
 When I did so (both), Nvidia wouldn't start, even after remerging it.
 Back with 'module-init-tools' -- now in 'package.unmask' -- all is well.
 
 Does anyone know what's going on ? -- did I miss a 'news' item ?
 

Did you reboot after the updates? My last nVidia card was 1 year ago,
but I always found they needed to be fully rebooted before loading the
module would work right.



-- 
Alan McKinnon
alan.mckin...@gmail.com




Re: [gentoo-user] module-init-tools : masked opponent

2013-03-09 Thread Philip Webb
130309 Alan McKinnon wrote:
 On 09/03/2013 15:07, Philip Webb wrote:
 Doing my usual Saturday system update, I saw a prominent msg
 telling me that 'module-init-tools' has been masked
  to use 'kmod' or 'modutils' -- the msgs vary -- to replace it.
 When I did so (both), Nvidia wouldn't start, even after remerging it.
 Back with 'module-init-tools' -- now in 'package.unmask' -- all is well.
 Does anyone know what's going on ? -- did I miss a 'news' item ?
 Did you reboot after the updates?

Of course : second nature (smile).

-- 
,,
SUPPORT ___//___,   Philip Webb
ELECTRIC   /] [] [] [] [] []|   Cities Centre, University of Toronto
TRANSIT`-O--O---'   purslowatchassdotutorontodotca




Re: [gentoo-user] systemd-197-r1 starts gdm-3.6.2 SOLVED

2013-03-09 Thread Stefan G. Weichinger

Upgrading to systemd-198 and udev-198 magically enabled me to login via
gdm again.
Nice ...

Stefan



Re: [gentoo-user] Frustration with attempt to fix out of date java ebuild [SOLVED]

2013-03-09 Thread Matt Joyce
On 08/03/13 17:42, Paul Hartman wrote:
 On Fri, Mar 8, 2013 at 10:27 AM, Matt Joyce mjo...@mttjocy.co.uk wrote:
 Ok, I really just do not get what on earth it thinks I'm doing wrong
 here, trying to install java firstly the ebuild in portage it appears is
 too old, it wants me to fetch a copy of 7u15 from a page that now only
 has 7u17 on it so fail there no problem just update it surely can't be
 that hard err right so created an up to date copy of the ebuild in my
 overlay directory except it wont create the manifest repeatedly tells me
 to put the file jre-7u17-linux-x64.tar.gz in /usr/portage/distfiles,
 great ok so...

 Like Alan said you should emerge --sync and portage has an u17 ebuild.

 Otherwise Oracle lets you download old versions from:
 http://www.oracle.com/technetwork/java/javase/archive-139210.html

Thanks, odd; it's supposed to be doing emerge-webrsync on a daily cronjob
(using that one because I have webrsync-gpg turned on). I should check
the log to see if something is stopping that from happening.  Thanks for
pointing it out to me.





[gentoo-user] IO latency issues

2013-03-09 Thread Florian Philipp
Hi list!

Whenever I do sequential IO for a long stretch of time (e.g. md5summing
40 GB), I'm experiencing high load (ca. 6 on a 4 CPU system) and
temporary freezes of most applications. For example, switching between
tabs in konsole sometimes takes more than 2 seconds.

When doing this on an ext4 filesystem, the load seems to result from
khugepaged and kswapd0 as well as some kworkers.

I think I've had similar issues with NFS over wifi but I cannot test
this now.

Today I copied 60GB from my hard disk to a USB disk formatted with
NTFS, issuing the copy command from KDE's dolphin. The freezes became so
long it was impossible to work and then X11 locked up and had to be killed.

I tried using a preemptive kernel but that didn't seem to help. blkio
and cpu cgroups didn't help either. Ionice seems to be the only solution
but while I'm okay with that, my dad won't be. Can anyone tell me what
is causing this behavior?

Throughput is good, by the way. That's why I don't suspect a driver issue.

Thanks in advance!
Florian Philipp





Re: [gentoo-user] IO latency issues

2013-03-09 Thread Volker Armin Hemmann
Am 09.03.2013 19:15, schrieb Florian Philipp:
 Hi list!

 Whenever I do sequential IO for a long stretch of time (e.g. md5summing
 40 GB), I'm experiencing high load (ca. 6 on a 4 CPU system) and
 temporary freezes of most applications. For example, switching between
 tabs in konsole sometimes takes more than 2 seconds.

 When doing this on an ext4 filesystem, the load seems to result from
 khugepaged and kswapd0 as well as some kworkers.

 I think I've had similar issues with NFS over wifi but I cannot test
 this now.

 Today I copied 60GB from my hard disk to a USB disk formatted with
 NTFS, issuing the copy command from KDE's dolphin. The freezes became so
 long it was impossible to work and then X11 locked up and had to be killed.

 I tried using a preemptive kernel but that didn't seem to help. blkio
 and cpu cgroups didn't help either. Ionice seems to be the only solution
 but while I'm okay with that, my dad won't be. Can anyone tell me what
 is causing this behavior?

 Throughput is good, by the way. That's why I don't suspect a driver issue.

 Thanks in advance!
 Florian Philipp

Congratulations. You hit 'the bug'. Been around for ages, but for magical
reasons kernel devs are unable to see or unable to do something about it.
If you are using a vanilla kernel, posting on lkml might be the right
thing to do.



[gentoo-user] Re: LO 4.0 playing media with gstreamer-1.0.5 ?

2013-03-09 Thread walt
On 03/08/2013 08:34 PM, v...@ukr.net wrote:
   Hello!
 
 On Fri, 08 Mar 2013 18:00:02 -0800
 walt w41...@gmail.com wrote:
 

 I've never had problems playing media files in loimpress, so all I
 can do is guess.  
   If you can play video files in LibreOffice-4.0.1.2, could you please
 tell me which related packages do you have installed? (like
 gst-plugins-libav, gstreamer and so on). And what USE-flags do you
 turn on for libreoffice?
 * Found these USE flags for app-office/libreoffice-4.0.1.2:
 U I
 + + bluetooth   : Enables Bluetooth Support
 - - branding: Enable Gentoo specific 
branding
 + + cups: Add support for CUPS (Common 
Unix Printing System)
 + + dbus: Enable dbus support for 
anything that needs it (gpsd, gnomemeeting, etc)
 - - debug   : Enable extra debug 
codepaths, like asserts and extra output. If you want to get
   meaningful backtraces see 
http://www.gentoo.org/proj/en/qa/backtraces.xml
 + + eds : Enables support for 
Evolution-Data-Server (EDS)
 + + gnome   : Adds GNOME support
 + + gstreamer   : Adds support for 
media-libs/gstreamer (Streaming media)
 + + gtk : Adds support for 
x11-libs/gtk+ (The GIMP Toolkit)
 - - gtk3: Enable highly experimental 
gtk3 frontend
 + + java: Adds support for Java
 - - jemalloc: Use dev-libs/jemalloc for 
allocations
 - - kde : Adds support for KDE (K 
Desktop Environment)
 - - libreoffice_extensions_nlpsolver: LIBREOFFICE_EXTENSIONS 
option to build non-linear solver for calc
 + + libreoffice_extensions_presenter-minimizer  : LIBREOFFICE_EXTENSIONS 
option to build presentation minimizer
 - - libreoffice_extensions_scripting-beanshell  : LIBREOFFICE_EXTENSIONS 
option to build beanshell scripts parser
 - - libreoffice_extensions_scripting-javascript : LIBREOFFICE_EXTENSIONS 
option to build javascript scripts parser
 - - libreoffice_extensions_wiki-publisher   : LIBREOFFICE_EXTENSIONS 
option to build mediawiki integration
 - - mysql   : Adds mySQL Database support
 - - odk : Build the Office Development 
Kit
 + + opengl  : Adds support for OpenGL (3D 
graphics)
 - - postgres: Adds support for the 
postgresql database
 + + python_single_target_python2_7  : Build for Python 2.7 only
 + + python_targets_python2_7: Build with Python 2.7
 - - telepathy   : Enable document colaboration 
features using telepathy communication framework.
 - - test: Workaround to pull in 
packages needed to run with FEATURES=test. Portage-2.1.2 handles
   this internally, so don't 
set it in make.conf/package.use anymore
 + + vba : Enable support for VBA 
compatibility and ActiveX embedding
 + + webdav  : Adds support for HTTP 
content adding via net-libs/neon


 
 Have you tried starting loimpress from a bash prompt and looking for
 error messages as it tries to open a presentation file?

   I tried to launch Impress from the command line, but it does not give
 any error messages. When I open the built-in media player (tools ->
 media player) and try to open some video or audio file in it, it just
 tells me that the format is not supported.

I get the same error but I've never used the built-in media player so I
don't know if that's a problem or not.

I have two versions of gstreamer and all of its plugins, which caused me
some problems with rhythmbox a few months ago.  I had to emerge all of the
newest versions of the plugins to match the newer gstreamer.  I don't know
which version of gstreamer libreoffice is using.

BTW I just upgraded lo to 4.0.1.2 and no one has sent me any power-point
files recently so I really don't know yet if they would play properly or
not.




Re: [gentoo-user] {OT} RAM apache MaxClients (rock a hard place)

2013-03-09 Thread Grant
 I can probably dump a lot of apache config.  I still need SSL on both
 servers even though only nginx faces the user?

 Perhaps you need Apache for certain pages otherwise this is simply a
 quick fix which is fair enough, we always like those at times but it
 sounds to me like you could have gained more by simply switching Apache
 for nginx or tuning your max.

My apache processes run pretty heavy so raising MaxClients opens the
potential for an OOM condition.  I would love to completely switch to
nginx from apache but I need apache for certain stuff.  That is
something I will look into in the future though.

 Running both is actually wasting a little memory though you may have
 gained over just Apache.

I can say that before nginx, top was filled with relatively
memory-laden apache processes and now there is only a short list.

 How web proxies with optional caches usually work such as OpenBSDs
 relayd is to keep track of requests perhaps using higher layer info and
 share the load among multiple web servers, perhaps adding headers to
 keep everything functional.

nginx seems much faster than apache which I think is a good reason to
switch over as much stuff as possible.

- Grant



Re: [gentoo-user] Re: LO 4.0 playing media with gstreamer-1.0.5 ?

2013-03-09 Thread v_2e
  Hello!

On Sat, 09 Mar 2013 10:46:04 -0800
walt w41...@gmail.com wrote:
 
 BTW I just upgraded lo to 4.0.1.2 and no one has sent me any
 power-point files recently so I really don't know yet if they would
 play properly or not.
 
  Could you please check if my sample presentation works on your
system? There is a small video embedded into the slide.
Here is a link http://ftp.wombat.org.ua/04-Sun-Activity.odp (740kB)

  Thank you!
Vladimir

-
v_2e v...@ukr.net



Re: [gentoo-user] IO latency issues

2013-03-09 Thread cosmoslx lin
I have tried the BFQ patch outside of the kernel mainline; it works well.
Maybe you would like to see:
http://algo.ing.unimo.it/people/paolo/disk_sched/

Also there is a 15-minute demo of the performance of BFQ:
http://youtu.be/J-e7LnJblm8

2013/3/10 Volker Armin Hemmann volkerar...@googlemail.com

 Am 09.03.2013 19:15, schrieb Florian Philipp:
  Hi list!
 
  Whenever I do sequential IO for a long stretch of time (e.g. md5summing
  40 GB), I'm experiencing high load (ca. 6 on a 4 CPU system) and
  temporary freezes of most applications. For example, switching between
  tabs in konsole sometimes takes more than 2 seconds.
 
  When doing this on an ext4 filesystem, the load seems to result from
  khugepaged and kswapd0 as well as some kworkers.
 
  I think I've had similar issues with NFS over wifi but I cannot test
  this now.
 
  Today I copied 60GB from my hard disk to a USB disk formatted with
  NTFS, issuing the copy command from KDE's dolphin. The freezes became so
  long it was impossible to work and then X11 locked up and had to be
 killed.
 
  I tried using a preemptive kernel but that didn't seem to help. blkio
  and cpu cgroups didn't help either. Ionice seems to be the only solution
  but while I'm okay with that, my dad won't be. Can anyone tell me what
  is causing this behavior?
 
  Throughput is good, by the way. That's why I don't suspect a driver
 issue.
 
  Thanks in advance!
  Florian Philipp
 
 Congratulations. You hit 'the bug'. Been around for ages, but for magical
 reasons kernel devs are unable to see or unable to do something about it.
 If you are using a vanilla kernel, posting on lkml might be the right
 thing to do.




-- 

Best regards!



Yu-yu Lin(林育宇)

The Guangdong Key Laboratory of Information Security Technology (IST),
School of Information Science and Technology,
Sun Yat-sen (Zhongshan) University (中山大学),
Guangzhou,P.R.China.

Email: cosmo...@gmail.com



[gentoo-user] Re: module-init-tools : masked opponent

2013-03-09 Thread »Q«
On Sat, 9 Mar 2013 08:07:45 -0500
Philip Webb purs...@ca.inter.net wrote:

 Doing my usual Saturday system update, I saw a prominent msg
 telling me that 'module-init-tools' has been masked
  to use 'kmod' or 'modutils' -- the msgs vary -- to replace it.
 When I did so (both), Nvidia wouldn't start, even after remerging it.
 Back with 'module-init-tools' -- now in 'package.unmask' -- all is
 well.
 
 Does anyone know what's going on ? -- did I miss a 'news' item ?

ISTR you start with USE=-*.  When you built kmod, was it with the
tools flag enabled?  The virtual requires it, so probably you did, but I
thought it was worth asking.

I went with kmod because of what the masking comment for
module-init-tools said, and I haven't noticed any
trouble.  I've got nvidia-drivers-310.32.  I know, WFM doesn't help
much.  Sorry, and good luck!  






Re: [gentoo-user] Re: module-init-tools : masked opponent

2013-03-09 Thread Philip Webb
130309 »Q« wrote:
 130309 Philip Webb purs...@ca.inter.net wrote:
 Doing my usual Saturday system update, I saw a prominent msg
 telling me that 'module-init-tools' has been masked
  to use 'kmod' or 'modutils' -- the msgs vary -- to replace it.
 When I did so (both), Nvidia wouldn't start, even after remerging it.
 Back with 'module-init-tools' -- now in 'package.unmask' -- all is well.
 Does anyone know what's going on ? -- did I miss a 'news' item ?
 ISTR you start with USE=-*.

Yes, I do need to remember to check the USE flags for sensitive pkgs.

 When you built kmod, was it with the tools flag enabled ?
 The virtual requires it.

  root:502 ~ emerge -pv kmod
...
sys-apps/kmod-12-r1 USE=-debug -doc -lzma -static-libs -tools zlib ...

Apparently not, so that's something to try.

 I went with kmod because of what the masking comment
 for module-init-tools said, and I haven't noticed any trouble.
 I've got nvidia-drivers-310.32.

Same here.

The actual Xorg error was can't find module Nvidia,
so another question is whether it has to be listed somewhere for Kmod ?

Thanks so far.  It looks as if the change needs a 'news' msg.

-- 
,,
SUPPORT ___//___,   Philip Webb
ELECTRIC   /] [] [] [] [] []|   Cities Centre, University of Toronto
TRANSIT`-O--O---'   purslowatchassdotutorontodotca




[gentoo-user] Re: module-init-tools : masked opponent

2013-03-09 Thread »Q«
On Sat, 9 Mar 2013 21:22:23 -0500
Philip Webb purs...@ca.inter.net wrote:

 It looks as if the change needs a 'news' msg.

If it turns out to be solved by the tools flag for kmod, I gotta
disagree.  I also use -* , but I don't think we should get news items
whenever that's going to break something for us;  we've effectively
waived that expectation.  I do, however, very much appreciate you and
others posting heads-ups about possible breakage for us *- hardheads.




[gentoo-user] Re: module-init-tools : masked opponent

2013-03-09 Thread »Q«
On Sat, 9 Mar 2013 21:02:02 -0600
»Q« boxc...@gmx.net wrote:

 On Sat, 9 Mar 2013 21:22:23 -0500
 Philip Webb purs...@ca.inter.net wrote:
 
  It looks as if the change needs a 'news' msg.
 
 If it turns out to be solved by the tools flag for kmod, I gotta
 disagree.  I also use -* , but I don't think we should get news items
 whenever that's going to break something for us;  we've effectively
 waived that expectation.  I do, however, very much appreciate you and
 others posting heads-ups about possible breakage for us *- hardheads.

Also I'm sorry I didn't post a heads-up about setting this flag.  I did
notice it had to be done, but I didn't think it would bite anybody
because virtual/modutils does depend on kmod[tools].





Re: [gentoo-user] {OT} RAM apache MaxClients (rock a hard place)

2013-03-09 Thread Grant
 I can probably dump a lot of apache config.  I still need SSL on both
 servers even though only nginx faces the user?

 You don't need SSL at both. Only nginx is enough.
 But to ensure nginx performs well at SSL, follow this - 
 http://matt.io/entry/ur

Thanks for the link.  Which ssl_ciphers do you use?  Which one does
openssl show you're using?  I have:

ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!MEDIUM:!LOW:!EXP:!kEDH:RC4+RSA:+HIGH;

and 'openssl s_client -host HOSTNAME -port 443' shows:

Cipher: ECDHE-RSA-AES256-GCM-SHA384

I also get Verify return code: 20 (unable to get local issuer
certificate) from that command but I'm guessing that's OK since I get
the same when using www.google.com as the HOSTNAME.

- Grant
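As an added example (not Grant's or Nilesh's configuration), the audit below asks the OpenSSL that Python is linked against which suites the ssl_ciphers string quoted above actually enables, and flags those without forward secrecy or with legacy algorithms; the forward-secrecy-only string it compares against is my assumption, not something from the thread.

```python
import ssl

# Cipher string quoted in the thread (the nginx ssl_ciphers value).
THREAD_CIPHERS = "ALL:!aNULL:!ADH:!eNULL:!MEDIUM:!LOW:!EXP:!kEDH:RC4+RSA:+HIGH"

# Assumed alternative for comparison: only ephemeral ECDH key exchange
# with AEAD ciphers. My example string, not a recommendation from the thread.
PFS_ONLY_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4"

# Substrings of suite names that mark algorithms a defender no longer wants:
# RC4 (broken stream cipher), DES/3DES (64-bit blocks), MD5 (weak MAC).
LEGACY_MARKERS = ("RC4", "DES", "MD5")


def expand_cipher_string(spec):
    """Ask the linked OpenSSL which TLS <= 1.2 suites `spec` enables, in
    preference order. TLS 1.3 suites are configured separately in OpenSSL
    and nginx, so they are filtered out to keep the comparison honest."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)  # raises ssl.SSLError only if nothing matches
    return [c for c in ctx.get_ciphers() if c.get("protocol") != "TLSv1.3"]


def has_forward_secrecy(cipher):
    """True for ephemeral (EC)DH and SRP key exchange, whose session keys
    cannot be recovered later from the server's long-term private key.
    Static RSA/ECDH key exchange (kx-rsa, kx-ecdh) cannot offer this."""
    kea = (cipher.get("kea") or "").lower()
    if kea:
        return "dhe" in kea or "srp" in kea  # kx-ecdhe, kx-dhe, kx-dhe-psk, ...
    # Older Python builds without the 'kea' field: fall back to the name.
    return cipher["name"].startswith(("ECDHE-", "DHE-", "SRP-"))


def audit_cipher_string(spec):
    """Classify every suite `spec` enables. Returns suite names grouped as
    enabled / no_forward_secrecy / legacy_algorithms."""
    enabled = expand_cipher_string(spec)
    return {
        "enabled": [c["name"] for c in enabled],
        "no_forward_secrecy": [c["name"] for c in enabled
                               if not has_forward_secrecy(c)],
        "legacy_algorithms": [c["name"] for c in enabled
                              if any(m in c["name"] for m in LEGACY_MARKERS)],
    }


def main():
    # The thread's string drops DHE (!kEDH) but keeps static-RSA suites, so
    # expect a non-empty no_forward_secrecy list for it and an empty one for
    # the ECDHE-only string.
    for label, spec in (("thread", THREAD_CIPHERS), ("pfs-only", PFS_ONLY_CIPHERS)):
        report = audit_cipher_string(spec)
        print(f"[{label}] {spec}")
        print(f"  enabled suites     : {len(report['enabled'])}")
        print(f"  no forward secrecy : {report['no_forward_secrecy']}")
        print(f"  legacy algorithms  : {report['legacy_algorithms']}")


if __name__ == "__main__":
    main()
```

The "Verify return code: 20 (unable to get local issuer certificate)" from s_client means the client was not given a trust store containing the issuer (pass -CAfile or -CApath), so it says nothing about the server's configuration.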



Re: [Bulk] Re: [gentoo-user] /etc/hosts include file?

2013-03-09 Thread Michael Orlitzky
On 03/09/2013 08:42 PM, Walter Dnes wrote:
 On Fri, Mar 08, 2013 at 07:41:13PM -0500, Michael Mol wrote
 
 The trouble with NAT is that it destroys peer-to-peer protocols. The
 first was FTP in Active mode.
 
   In its day, it was OK.  Nowadays, we use passive mode.  What's the
 problem?
 

It also doesn't work under NAT, it's just broken in the other direction.


 SIP has been heavily damaged as well.  Anyone who's used IRC is
 familiar with the problems NAT introduces to DCC.
 
   Every ADSL router-modem I've run into recently has port-forwarding.
 
 Anyone who's ever played video games online,...
 
   A *CLIENT* that can't operate from behind NAT is totally brain-dead.
 

But you must have one non-NATed server for anything to work. I assume
that's what was meant by it destroys peer-to-peer protocols. You have
to draw an arbitrary distinction between machines that work together,
servers, and ones that don't, clients.

The problem will become more and more apparent as ipv4 space dries up
and everyone becomes a client. Although ISPs will be more than happy to
sell you a useful connection, for a premium.

Un-NATed addresses are like, type-O blood. Imagine how much better off
we'd be if we could get everyone to switch their blood to type-O. Might
be less painful than the ipv6 transition, too =)


 or who's tried hosting a Teamspeak or Ventrillo server, has had NAT
 get in their way as well.
 
   Port-forwarding.
 

Port forwarding can work, but only for one host when the ports are
standardized. You can't forward e.g. port 443 to two hosts, so only one
host behind the NAT can be accessible on 443.

If you're using your NAT as a firewall for one box, then who cares. But
you can't put more than one machine behind it and have everything still
work.




Re: [Bulk] Re: [gentoo-user] /etc/hosts include file?

2013-03-09 Thread Alan McKinnon
On 10/03/2013 03:42, Walter Dnes wrote:
 On Fri, Mar 08, 2013 at 07:41:13PM -0500, Michael Mol wrote
 
 The trouble with NAT is that it destroys peer-to-peer protocols. The
 first was FTP in Active mode.
 
   In its day, it was OK.  Nowadays, we use passive mode.  What's the
 problem?
 
 SIP has been heavily damaged as well.  Anyone who's used IRC is
 familiar with the problems NAT introduces to DCC.
 
   Every ADSL router-modem I've run into recently has port-forwarding.
 
 Anyone who's ever played video games online,...
 
   A *CLIENT* that can't operate from behind NAT is totally brain-dead.
 
 or who's tried hosting a Teamspeak or Ventrillo server, has had NAT
 get in their way as well.
 
   Port-forwarding.


All those examples you give are much like a bunch of home machines
sitting behind a NAT gateway onto the internet. That's actually OK and I
reckon that is the intended use of NAT. Personally, I'd prefer all of my
machines to have a public address but there's no chance in hell my
NetOps colleagues are giving me that with my DSL connection.

We have many years of experience now with consumer connections and the
users that use them; these guys mostly can't admin a machine to save
their lives, so NAT in their case is a good thing on balance.

The true evil of NAT comes about when some clown starts implementing it
on the network itself. I'm in city X, we have a large office in city Y,
and most of the traffic Y-X goes through a *router* doing NAT. No-one
knows anymore why this was originally done but we all know what it will
take to undo it. To get our backend systems to work for client in city Y
I have to put in the cursed any any firewall rules, and that sends our
Risk fellows ballistic for good reason. But I have no choice, the
network design essentially discarded all information as to who the
client is, so now I must allow all of them.

Any real-life network that grew organically over several years is always
going to be rife with examples of fuck ups like this, always done in the
name of expediency. I have lots of such examples, the above is only the
first that came to mind.

So whereas NAT behind a home router for IPv4 is good, in almost every
other usage I've seen it is bad and really just a case of a solution
used in places it never ever belonged.





-- 
Alan McKinnon
alan.mckin...@gmail.com




Re: [gentoo-user] {OT} RAM apache MaxClients (rock a hard place)

2013-03-09 Thread Nilesh Govindrajan
On Sun, Mar 10, 2013 at 9:40 AM, Grant emailgr...@gmail.com wrote:
 I can probably dump a lot of apache config.  I still need SSL on both
 servers even though only nginx faces the user?

 You don't need SSL at both. Only nginx is enough.
 But to ensure nginx performs well at SSL, follow this - 
 http://matt.io/entry/ur

 Thanks for the link.  Which ssl_ciphers do you use?  Which one does
 openssl show you're using?  I have:

 ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!MEDIUM:!LOW:!EXP:!kEDH:RC4+RSA:+HIGH;

 and 'openssl s_client -host HOSTNAME -port 443' shows:

 Cipher: ECDHE-RSA-AES256-GCM-SHA384

 I also get Verify return code: 20 (unable to get local issuer
 certificate) from that command but I'm guessing that's OK since I get
 the same when using www.google.com as the HOSTNAME.

 - Grant


I use exactly the one specified at the blog entry.
I didn't test it with openssl, but seemed to play well with browsers
[presently no ssl host on my server]

--
Nilesh Govindrajan
http://nileshgr.com