[gentoo-user] Re: DNSSEC

2010-11-10 Thread James
Alan McKinnon  gmail.com> writes:


> My first spot of advice would be to use unbound as your caching servers - 

Yes, I'm going to play around with unbound first. 


> PowerDNS is a fine auth server. If it suits your needs I'd recommend you try 
> it first. I don't know about its DNSSEC abilities or feature roadmap - it's 
> been a long time since I looked closely at it. Lack of ACLs is what killed 
> PowerDNS for us, I still feel sad about that


Ok, I'll look into PowerDNS too. Research for a while.


To the other posters, I might be rusty with DNS servers, but, certainly
not security nor circuit nor interface monitoring...


James



[gentoo-user] PPPoE config

2016-09-21 Thread Grant
I just started using PPPoE on Gentoo for the first time.  Could my
config be improved?

config_net0="4.3.2.1/24"
config_net1="1.2.3.4/24"
config_ppp0="ppp"
link_ppp0="net0"
plugins_ppp0="pppoe"
username_ppp0="user"
password_ppp0="pass"
pppd_ppp0="
defaultroute
child-timeout 60
"

Starting net.ppp0 could be a little cleaner:

# /etc/init.d/net.ppp0 restart
 * /etc/init.d/net.ppp0 uses runscript, please convert to openrc-run.
 * Caching service dependencies ... [ ok ]
 * Stopping unbound ... [ ok ]
 * Unmounting network filesystems ...  [ ok ]
 * Bringing down interface ppp0
 *   Stopping pppd on ppp0 [ ok ]
 * Bringing up interface ppp0
 *   Starting pppd in ppp0 ... [ ok ]
 *   Backgrounding ...
 * WARNING: net.ppp0 has started, but is inactive
 * WARNING: netmount will start when net.ppp0 has started
 * WARNING: unbound will start when net.ppp0 has started

- Grant



Re: [gentoo-user] ....Gentoo update killed Gentoo update?

2017-10-03 Thread Wolfram Schlich
* tu...@posteo.de  [2017-10-04 05:04]:
> On 10/04 02:26, tu...@posteo.de wrote:
> > On 10/04 01:58, Ian Bloss wrote:
> > > [...]
> > > On Tue, Oct 3, 2017, 6:55 PM  wrote:
> > > > [...]
> > > >
> > > > I tried eix-sync this morning and got:
> > > >
> > > > /root>eix-sync
> > > > /usr/bin/eix-sync: line 22: ReadFunctions: command not found
> > > > /usr/bin/eix-sync: line 24: ReadVar: command not found
> > > > /usr/bin/eix-sync: line 25: ReadVar: command not found
> > > > /usr/bin/eix-sync: line 26: ReadVar: command not found
> > > > /usr/bin/eix-sync: line 27: ReadVar: command not found
> > > > /usr/bin/eix-sync: line 28: local_portage_configroot: unbound variable
> > > > [1]4865 exit 1 eix-sync
> > > >
> > > > [...]
> > [...]
> > /root>eix-sync
> > /usr/bin/eix-sync: line 22: ReadFunctions: command not found
> > /usr/bin/eix-sync: line 24: ReadVar: command not found
> > /usr/bin/eix-sync: line 25: ReadVar: command not found
> > /usr/bin/eix-sync: line 26: ReadVar: command not found
> > /usr/bin/eix-sync: line 27: ReadVar: command not found
> > /usr/bin/eix-sync: line 28: local_portage_configroot: unbound variable
> > [...]
> 
> More on this:
> /usr/bin/eix-test-obsolete: line 17: ReadGettext: command not found
> /usr/bin/eix-test-obsolete: line 69: Push: command not found
> /usr/bin/eix-test-obsolete: line 70: Push: command not found
> /usr/bin/eix-test-obsolete: line 72: opt: unbound variable
> 
> Seems to be a more common problem...

The logic to use /usr/share/eix/eix-functions.sh from the
/usr/bin/eix-* scripts is just broken.

Use this for a quick fix until it's sorted out upstream:
ln -nsf /usr/share/eix/eix-functions /usr/share/eix/eix-functions.sh

Cheers,
Wolfram



Re: [gentoo-user] ....Gentoo update killed Gentoo update?

2017-10-03 Thread tuxic
On 10/04 02:26, tu...@posteo.de wrote:
> On 10/04 01:58, Ian Bloss wrote:
> > emerge --sync && emerge eix && eix-update
> > 
> > On Tue, Oct 3, 2017, 6:55 PM  wrote:
> > 
> > > Hi,
> > >
> > > from my qlop -l output:
> > > Tue Oct  3 05:16:48 2017 >>> dev-perl/CGI-Fast-2.120.0
> > > Tue Oct  3 05:17:09 2017 >>> net-dns/dnsmasq-2.78
> > >
> > > Tue Oct  3 05:18:25 2017 >>> app-portage/eix-0.33.0
> > >
> > > Tue Oct  3 05:26:47 2017 >>> sys-apps/openrc-0.32
> > > Tue Oct  3 05:27:54 2017 >>> media-radio/gpredict-1.3-r2
> > >
> > >
> > > I tried eix-sync this morning and got:
> > >
> > > /root>eix-sync
> > > /usr/bin/eix-sync: line 22: ReadFunctions: command not found
> > > /usr/bin/eix-sync: line 24: ReadVar: command not found
> > > /usr/bin/eix-sync: line 25: ReadVar: command not found
> > > /usr/bin/eix-sync: line 26: ReadVar: command not found
> > > /usr/bin/eix-sync: line 27: ReadVar: command not found
> > > /usr/bin/eix-sync: line 28: local_portage_configroot: unbound variable
> > > [1]4865 exit 1 eix-sync
> > >
> > >
> > > ...end of the show?
> > >
> > > How can I fix this?
> > >
> > > Cheers
> > > Meino
> > >
> > >
> > >
> > >
> > >
> 
> 
> 
> >>> Calculating dependencies... done!
> >>> Verifying ebuild manifests
> >>> Emerging (1 of 1) app-portage/eix-0.33.0::gentoo
> >>> Installing (1 of 1) app-portage/eix-0.33.0::gentoo
> >>> Jobs: 1 of 1 complete   Load avg: 2.08, 1.01, 0.59
> >>> Auto-cleaning packages...
> 
> 
> /root>eix-sync
> /usr/bin/eix-sync: line 22: ReadFunctions: command not found
> /usr/bin/eix-sync: line 24: ReadVar: command not found
> /usr/bin/eix-sync: line 25: ReadVar: command not found
> /usr/bin/eix-sync: line 26: ReadVar: command not found
> /usr/bin/eix-sync: line 27: ReadVar: command not found
> /usr/bin/eix-sync: line 28: local_portage_configroot: unbound variable
> 
> 
> H.
> 
> Another fix available?
> 
> Cheers
> Meino
> 
> 
> 

More on this:
/usr/bin/eix-test-obsolete: line 17: ReadGettext: command not found
/usr/bin/eix-test-obsolete: line 69: Push: command not found
/usr/bin/eix-test-obsolete: line 70: Push: command not found
/usr/bin/eix-test-obsolete: line 72: opt: unbound variable

Seems to be a more common problem...

Cheers
Meino


Re: [gentoo-user] udev or Gentoo issue?

2014-05-15 Thread Mike Gilbert
On Thu, May 15, 2014 at 8:18 AM, Grant  wrote:
> I have this:
>
> # dmesg | grep enp
> [4.297862] systemd-udevd[659]: renamed network interface eth0 to 
> enp0s20u2u1
> [4.778289] systemd-udevd[660]: renamed network interface eth0 to 
> enp0s20u2u2
> [6.496193] ax88179_178a 3-2.1:1.0 enp0s20u2u1: ax88179 - Link status is: 1
> [7.905393] ax88179_178a 3-2.2:1.0 enp0s20u2u2: ax88179 - Link status is: 1
> #
>
> That doesn't tell us when the network initscripts tried and failed to
> start but this from /var/log/messages/everything/current shows the
> first time in the boot sequence that a dependent service failed to
> start because of the networking failure so it should be before this:
>
> [kernel] [0.787433] serio: i8042 AUX port at 0x60,0x64 irq 12
> [/etc/init.d/unbound] ERROR: cannot start unbound as net.enp0s20u2u1
> would not start
> [kernel] [0.792081] rtc_cmos 00:04: alarms up to one month, y3k,
> 242 bytes nvram, hpet irqs
>

Yeah, so I think the kernel is detecting your network card after udev
has already started.

One interesting experiment would be to delay the boot process to allow
the kernel additional time to detect devices. Adding rootdelay=10 to
your kernel command line should do the trick, unless you are using
some broken initramfs.



Re: [gentoo-user] Re: Disk usage during emerge

2012-03-09 Thread Paul Hartman
On Fri, Mar 9, 2012 at 12:38 AM, Bryan Gardiner  wrote:
> On Thu, 08 Mar 2012 17:56:18 +0200
> Nikos Chantziaras  wrote:
>
>> I discovered this nifty little tool recently that tells you if any
>> deleted files are currently being kept open by running processes:
>> "app-admin/checkrestart".  I usually run it after world updates so I
>> can tell whether I need a restart or not.
>
> Because I'm too lazy to unkeyword and emerge it...  Does this program
> show how much space is being used by deleted files?  Or, is there a way
> to access more information about or even recover such a zombie file?
> lsof gives its inode number, but I have no idea how to access it from
> there.

I just ran it, here's the output:

Found 22 processes using old versions of upgraded files
(15 distinct programs)
(14 distinct packages)

Of these, 10 seem to contain init scripts which can be used to restart them:
The following packages seem to have init scripts that could be used
to restart them:
sys-apps/smartmontools:
    5082    /usr/sbin/smartd
sys-auth/consolekit:
    4384    /usr/sbin/console-kit-daemon
app-text/dictd:
    4834    /usr/sbin/dictd
sys-fs/mdadm:
    3742    /sbin/mdadm
net-dns/unbound:
    4507    /usr/sbin/unbound
net-print/cups:
    4767    /usr/sbin/cupsd
sys-apps/dbus:
    4369    /usr/bin/dbus-daemon
net-misc/ntp:
    4975    /usr/sbin/ntpd
net-fs/samba:
    5015    /usr/sbin/smbd
    5045    /usr/sbin/smbd
    5021    /usr/sbin/nmbd
app-crypt/ekeyd:
    4851    /usr/libexec/ekeyd

These are the init scripts:
/etc/init.d/smartd restart
/etc/init.d/consolekit restart
/etc/init.d/dictd restart
/etc/init.d/mdraid restart
/etc/init.d/mdadm restart
/etc/init.d/unbound restart
/etc/init.d/cupsd restart
/etc/init.d/dbus restart
/etc/init.d/ntpd restart
/etc/init.d/ntp-client restart
/etc/init.d/samba restart
/etc/init.d/ekey-egd-linux restart
/etc/init.d/ekeyd restart

These processes do not seem to have an associated init script to restart them:
sys-fs/udisks:
    5357    /usr/libexec/udisks-daemon
    5350    /usr/libexec/udisks-daemon
sys-apps/util-linux:
    5223    /sbin/agetty
    5221    /sbin/agetty
    5222    /sbin/agetty
    5225    /sbin/agetty
    5224    /sbin/agetty
    27330   /sbin/agetty
sys-power/upower:
    5327    /usr/libexec/upowerd
sys-auth/polkit:
    4467    /usr/libexec/polkitd
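As an added example, not checkrestart's own code and not part of Paul's post: the check that tool performs, reduced to its core. After a package upgrade replaces a library on disk, every process that mapped the old copy still shows it in /proc/PID/maps with a "(deleted)" suffix, and that is the signal that old code is still running. The sample maps listing below is constructed (made-up PIDs, inodes and addresses); the live scan needs root to read other users' processes.

```shell
#!/bin/sh
# Added example, not checkrestart's code: find processes still mapping files
# that an upgrade deleted from disk, straight from /proc/PID/maps.

# deleted_maps: read one /proc/PID/maps-style listing on stdin and print each
# distinct deleted file path once. Pseudo-files that are always "(deleted)"
# (memfd, SysV shared memory, /dev/zero mappings, /[aio] and friends) are
# skipped so they do not turn into false restart advice.
deleted_maps() {
    awk '$NF == "(deleted)" && $6 ~ "^/" {
            path = $6
            for (i = 7; i < NF; i++) path = path " " $i
            if (path ~ "^/(dev/zero|memfd:|SYSV|\\[)") next
            if (!seen[path]++) print path
         }'
}

# stale_processes: scan every process on this host and print "PID<TAB>exe" for
# those holding at least one deleted mapping. Unreadable processes are skipped.
stale_processes() {
    for m in /proc/[0-9]*/maps; do
        pid=${m#/proc/}
        pid=${pid%/maps}
        [ -r "$m" ] || continue
        hits=$(deleted_maps < "$m") || continue
        [ -n "$hits" ] || continue
        printf '%s\t%s\n' "$pid" "$(readlink "/proc/$pid/exe" 2>/dev/null)"
    done
}

# Constructed sample of a maps file as it looks right after a libssl upgrade.
# Only the libssl path should be reported; the other "(deleted)" entries are
# kernel pseudo-files and the libc line is a live, non-deleted mapping.
SAMPLE_MAPS='7f2a00000000-7f2a00021000 r--p 00000000 08:01 393216 /usr/lib64/libssl.so.1.1 (deleted)
7f2a00021000-7f2a00180000 r-xp 00021000 08:01 393216 /usr/lib64/libssl.so.1.1 (deleted)
7f2a00200000-7f2a00201000 rw-s 00000000 00:05 4 /dev/zero (deleted)
7f2a00300000-7f2a00301000 rw-s 00000000 00:01 12 /memfd:pulseaudio (deleted)
7f2a00400000-7f2a00500000 r-xp 00000000 08:01 131072 /usr/lib64/libc.so.6'

# sample_report: run the parser over the constructed sample.
sample_report() {
    printf '%s\n' "$SAMPLE_MAPS" | deleted_maps
}

if [ "${1:-}" = "--live" ]; then
    stale_processes
else
    sample_report
fi
```

Run it with no arguments to see the parser work on the constructed sample, or with `--live` (as root) to list the processes on the current host that still map deleted files; pairing each reported PID with the owning package, as checkrestart does, is a matter of feeding the exe path to the package manager's owner query.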



[gentoo-user] Re: DNSSEC

2010-11-12 Thread James
Alan McKinnon  gmail.com> writes:


> My first spot of advice would be to use unbound as your caching servers -

Did you experiment with ldns-utils
(Set of utilities to simplify various dns(sec) tasks) ???


James




Re: [gentoo-user] Re: Disk usage during emerge

2012-03-09 Thread Bryan Gardiner
Okay that looks helpful.  You just convinced me to install it :).  That
goes into a lot more depth than I'd imagined.

Thanks!

- Bryan

On Fri, 9 Mar 2012 09:33:04 -0600
Paul Hartman  wrote:

> On Fri, Mar 9, 2012 at 12:38 AM, Bryan Gardiner 
> wrote:
> > On Thu, 08 Mar 2012 17:56:18 +0200
> > Nikos Chantziaras  wrote:
> >
> >> I discovered this nifty little tool recently that tells you if any
> >> deleted files are currently being kept open by running processes:
> >> "app-admin/checkrestart".  I usually run it after world updates so
> >> I can tell whether I need a restart or not.
> >
> > Because I'm too lazy to unkeyword and emerge it...  Does this
> > program show how much space is being used by deleted files?  Or, is
> > there a way to access more information about or even recover such a
> > zombie file? lsof gives its inode number, but I have no idea how to
> > access it from there.
> 
> I just ran it, here's the output:
> 
> Found 22 processes using old versions of upgraded files
> (15 distinct programs)
> (14 distinct packages)
> 
> Of these, 10 seem to contain init scripts which can be used to
> restart them: The following packages seem to have init scripts that
> could be used to restart them:
> sys-apps/smartmontools:
>     5082    /usr/sbin/smartd
> sys-auth/consolekit:
>     4384    /usr/sbin/console-kit-daemon
> app-text/dictd:
>     4834    /usr/sbin/dictd
> sys-fs/mdadm:
>     3742    /sbin/mdadm
> net-dns/unbound:
>     4507    /usr/sbin/unbound
> net-print/cups:
>     4767    /usr/sbin/cupsd
> sys-apps/dbus:
>     4369    /usr/bin/dbus-daemon
> net-misc/ntp:
>     4975    /usr/sbin/ntpd
> net-fs/samba:
>     5015    /usr/sbin/smbd
>     5045    /usr/sbin/smbd
>     5021    /usr/sbin/nmbd
> app-crypt/ekeyd:
>     4851    /usr/libexec/ekeyd
> 
> These are the init scripts:
> /etc/init.d/smartd restart
> /etc/init.d/consolekit restart
> /etc/init.d/dictd restart
> /etc/init.d/mdraid restart
> /etc/init.d/mdadm restart
> /etc/init.d/unbound restart
> /etc/init.d/cupsd restart
> /etc/init.d/dbus restart
> /etc/init.d/ntpd restart
> /etc/init.d/ntp-client restart
> /etc/init.d/samba restart
> /etc/init.d/ekey-egd-linux restart
> /etc/init.d/ekeyd restart
> 
> These processes do not seem to have an associated init script to
> restart them:
> sys-fs/udisks:
>     5357    /usr/libexec/udisks-daemon
>     5350    /usr/libexec/udisks-daemon
> sys-apps/util-linux:
>     5223    /sbin/agetty
>     5221    /sbin/agetty
>     5222    /sbin/agetty
>     5225    /sbin/agetty
>     5224    /sbin/agetty
>     27330   /sbin/agetty
> sys-power/upower:
>     5327    /usr/libexec/upowerd
> sys-auth/polkit:
>     4467    /usr/libexec/polkitd
> 




Re: [gentoo-user] Re: DNSSEC

2010-11-08 Thread Alan McKinnon
Apparently, though unproven, at 19:23 on Monday 08 November 2010, James did 
opine thusly:

> > you can write a wiki page that helps others immensely. 
> > But just be informed upfront about what it's going to take.
> 
> wink wink, nudge nudge. OK. 
> ;-) 


My first spot of advice would be to use unbound as your caching servers - it's 
stupendously bloody fast. It's free as in beer and free as in freedom, and 
also keeps up with cns which is neither (and costs an arm and a leg). Plus the 
developer is very responsive to bugs and features. unbound does the basics and 
does them well, there are aspects of DNS caching that it doesn't do (stuff 
that nobody bothers with anyway)

Don't use bind as your auth server unless you like pain. That thing is a pig, 
and a temperamental one at that. Its saving grace is that it's a reference 
implementation and can always be relied upon to be extremely RFC-compliant. We 
use it, not because we like it, but because it has one killer feature we 
absolutely need - ACLs

PowerDNS is a fine auth server. If it suits your needs I'd recommend you try 
it first. I don't know about its DNSSEC abilities or feature roadmap - it's 
been a long time since I looked closely at it. Lack of ACLs is what killed 
PowerDNS for us, I still feel sad about that


-- 
alan dot mckinnon at gmail dot com



Re: [gentoo-user] udev or Gentoo issue?

2014-05-17 Thread Grant
>> I have this:
>>
>> # dmesg | grep enp
>> [4.297862] systemd-udevd[659]: renamed network interface eth0 to 
>> enp0s20u2u1
>> [4.778289] systemd-udevd[660]: renamed network interface eth0 to 
>> enp0s20u2u2
>> [6.496193] ax88179_178a 3-2.1:1.0 enp0s20u2u1: ax88179 - Link status is: 
>> 1
>> [7.905393] ax88179_178a 3-2.2:1.0 enp0s20u2u2: ax88179 - Link status is: 
>> 1
>> #
>>
>> That doesn't tell us when the network initscripts tried and failed to
>> start but this from /var/log/messages/everything/current shows the
>> first time in the boot sequence that a dependent service failed to
>> start because of the networking failure so it should be before this:
>>
>> [kernel] [0.787433] serio: i8042 AUX port at 0x60,0x64 irq 12
>> [/etc/init.d/unbound] ERROR: cannot start unbound as net.enp0s20u2u1
>> would not start
>> [kernel] [0.792081] rtc_cmos 00:04: alarms up to one month, y3k,
>> 242 bytes nvram, hpet irqs
>>
>
> Yeah, so I think the kernel is detecting your network card after udev
> has already started.
>
> One interesting experiment would be to delay the boot process to allow
> the kernel additional time to detect devices. Adding rootdelay=10 to
> your kernel command line should do the trick, unless you are using
> some broken initramfs.


I tried that and it works great which I think confirms our suspicions
that the kernel is detecting my network cards after udev has already
started.  If I remove rootdelay=10 and I do this:

# ln -s /dev/null /etc/udev/rules.d/90-network.rules

the network interfaces fail to come up which is the same thing I've
experienced with rc_hotplug="net.*".

- Grant



Re: [gentoo-user] ....Gentoo update killed Gentoo update?

2017-10-03 Thread tuxic
On 10/04 01:58, Ian Bloss wrote:
> emerge --sync && emerge eix && eix-update
> 
> On Tue, Oct 3, 2017, 6:55 PM  wrote:
> 
> > Hi,
> >
> > from my qlop -l output:
> > Tue Oct  3 05:16:48 2017 >>> dev-perl/CGI-Fast-2.120.0
> > Tue Oct  3 05:17:09 2017 >>> net-dns/dnsmasq-2.78
> >
> > Tue Oct  3 05:18:25 2017 >>> app-portage/eix-0.33.0
> >
> > Tue Oct  3 05:26:47 2017 >>> sys-apps/openrc-0.32
> > Tue Oct  3 05:27:54 2017 >>> media-radio/gpredict-1.3-r2
> >
> >
> > I tried eix-sync this morning and got:
> >
> > /root>eix-sync
> > /usr/bin/eix-sync: line 22: ReadFunctions: command not found
> > /usr/bin/eix-sync: line 24: ReadVar: command not found
> > /usr/bin/eix-sync: line 25: ReadVar: command not found
> > /usr/bin/eix-sync: line 26: ReadVar: command not found
> > /usr/bin/eix-sync: line 27: ReadVar: command not found
> > /usr/bin/eix-sync: line 28: local_portage_configroot: unbound variable
> > [1]4865 exit 1 eix-sync
> >
> >
> > ...end of the show?
> >
> > How can I fix this?
> >
> > Cheers
> > Meino
> >
> >
> >
> >
> >



>>> Calculating dependencies... done!
>>> Verifying ebuild manifests
>>> Emerging (1 of 1) app-portage/eix-0.33.0::gentoo
>>> Installing (1 of 1) app-portage/eix-0.33.0::gentoo
>>> Jobs: 1 of 1 complete   Load avg: 2.08, 1.01, 0.59
>>> Auto-cleaning packages...


/root>eix-sync
/usr/bin/eix-sync: line 22: ReadFunctions: command not found
/usr/bin/eix-sync: line 24: ReadVar: command not found
/usr/bin/eix-sync: line 25: ReadVar: command not found
/usr/bin/eix-sync: line 26: ReadVar: command not found
/usr/bin/eix-sync: line 27: ReadVar: command not found
/usr/bin/eix-sync: line 28: local_portage_configroot: unbound variable


H.

Another fix available?

Cheers
Meino


Re: [gentoo-user] Re: DNSSEC

2010-11-12 Thread Alan McKinnon
Apparently, though unproven, at 16:18 on Friday 12 November 2010, James did 
opine thusly:

> Alan McKinnon  gmail.com> writes:
> > My first spot of advice would be to use unbound as your caching servers -
> 
> Did you experiment with ldns-utils
> (Set of utilities to simplify various dns(sec) tasks) ???


Nah, we don't need no stinkin' utilities.

We got Perl

:-)


-- 
alan dot mckinnon at gmail dot com



Re: [gentoo-user] udev or Gentoo issue?

2014-05-17 Thread Mike Gilbert
On Sat, May 17, 2014 at 2:39 PM, Grant  wrote:
>>> I have this:
>>>
>>> # dmesg | grep enp
>>> [4.297862] systemd-udevd[659]: renamed network interface eth0 to 
>>> enp0s20u2u1
>>> [4.778289] systemd-udevd[660]: renamed network interface eth0 to 
>>> enp0s20u2u2
>>> [6.496193] ax88179_178a 3-2.1:1.0 enp0s20u2u1: ax88179 - Link status 
>>> is: 1
>>> [7.905393] ax88179_178a 3-2.2:1.0 enp0s20u2u2: ax88179 - Link status 
>>> is: 1
>>> #
>>>
>>> That doesn't tell us when the network initscripts tried and failed to
>>> start but this from /var/log/messages/everything/current shows the
>>> first time in the boot sequence that a dependent service failed to
>>> start because of the networking failure so it should be before this:
>>>
>>> [kernel] [0.787433] serio: i8042 AUX port at 0x60,0x64 irq 12
>>> [/etc/init.d/unbound] ERROR: cannot start unbound as net.enp0s20u2u1
>>> would not start
>>> [kernel] [0.792081] rtc_cmos 00:04: alarms up to one month, y3k,
>>> 242 bytes nvram, hpet irqs
>>>
>>
>> Yeah, so I think the kernel is detecting your network card after udev
>> has already started.
>>
>> One interesting experiment would be to delay the boot process to allow
>> the kernel additional time to detect devices. Adding rootdelay=10 to
>> your kernel command line should do the trick, unless you are using
>> some broken initramfs.
>
>
> I tried that and it works great which I think confirms our suspicions
> that the kernel is detecting my network cards after udev has already
> started.  If I remove rootdelay=10 and I do this:
>
> # ln -s /dev/null /etc/udev/rules.d/90-network.rules
>
> the network interfaces fail to come up which is the same thing I've
> experienced with rc_hotplug="net.*".
>

Yeah, so this is not solvable using service dependencies. You will
either need to make that boot delay permanent, or rely on the hotplug
functionality to start the net.en* services. In the latter case, you
should remove them from the default runlevel.

You may want to define rc_need="!net" to prevent init scripts that
"need net" from automatically starting the net.* services. For most
services this is fine, but it will obviously break things like ntpdate
which actually need a usable network connection.



Re: [gentoo-user] [OT] opendns.org

2012-01-13 Thread Paul Hartman
On Fri, Jan 13, 2012 at 6:06 PM, walt  wrote:
> I just heard about opendns.org for the first time today, but their
> website makes it seem that I'm the only person in the solar system
> who's not already on the bandwagon.
>
> Anyone know if they are as wonderful as they sound?

If you are using ISP DNS and it is slow, or hijacking domains like
search engines, and if you like your DNS to be a content filter, then
sure. :) Google DNS is a similar thing.

Personally I just run unbound on my PC and don't want it to block any
look-ups anyway.



Re: [gentoo-user] Re: Best *SIMPLE* firewall?

2018-03-01 Thread Tom H
On Wed, Feb 28, 2018 at 6:35 PM, Grant Edwards
 wrote:
> On 2018-02-28, taii...@gmx.com  wrote:
>
>> Is there a windows style application layer firewall?
>
> Can you describe what that means? (For the benefit of those of us that
> aren't familiar with Windows.)

I don't use Windows but on macOS it means that you can allow an
application by name, without having to worry about possibly random
ports.

On my Mac:

# /usr/libexec/ApplicationFirewall/socketfilterfw --listapps
ALF: total number of apps = 2

1 :  /Applications/Skype.app
  ( Allow incoming connections )

2 :  /usr/local/bin/unbound
  ( Block incoming connections )

#



Re: [gentoo-user] udev or Gentoo issue?

2014-05-19 Thread Grant
>>>> I have this:
>>>>
>>>> # dmesg | grep enp
>>>> [4.297862] systemd-udevd[659]: renamed network interface eth0 to 
>>>> enp0s20u2u1
>>>> [4.778289] systemd-udevd[660]: renamed network interface eth0 to 
>>>> enp0s20u2u2
>>>> [6.496193] ax88179_178a 3-2.1:1.0 enp0s20u2u1: ax88179 - Link status 
>>>> is: 1
>>>> [7.905393] ax88179_178a 3-2.2:1.0 enp0s20u2u2: ax88179 - Link status 
>>>> is: 1
>>>> #
>>>>
>>>> That doesn't tell us when the network initscripts tried and failed to
>>>> start but this from /var/log/messages/everything/current shows the
>>>> first time in the boot sequence that a dependent service failed to
>>>> start because of the networking failure so it should be before this:
>>>>
>>>> [kernel] [0.787433] serio: i8042 AUX port at 0x60,0x64 irq 12
>>>> [/etc/init.d/unbound] ERROR: cannot start unbound as net.enp0s20u2u1
>>>> would not start
>>>> [kernel] [0.792081] rtc_cmos 00:04: alarms up to one month, y3k,
>>>> 242 bytes nvram, hpet irqs
>>>>
>>>
>>> Yeah, so I think the kernel is detecting your network card after udev
>>> has already started.
>>>
>>> One interesting experiment would be to delay the boot process to allow
>>> the kernel additional time to detect devices. Adding rootdelay=10 to
>>> your kernel command line should do the trick, unless you are using
>>> some broken initramfs.
>>
>>
>> I tried that and it works great which I think confirms our suspicions
>> that the kernel is detecting my network cards after udev has already
>> started.  If I remove rootdelay=10 and I do this:
>>
>> # ln -s /dev/null /etc/udev/rules.d/90-network.rules
>>
>> the network interfaces fail to come up which is the same thing I've
>> experienced with rc_hotplug="net.*".
>>
>
> Yeah, so this is not solvable using service dependencies. You will
> either need to make that boot delay permanent, or rely on the hotplug
> functionality to start the net.en* services. In the latter case, you
> should remove them from the default runlevel.


Was the 10-second boot delay based on anything in particular or can I
try a lower delay like 5 seconds?  It's tricky to get the machine back
when I lose it otherwise I would just test it myself.

Would it make sense for me to submit a feature request for network
interfaces to wait until all USB devices have been initialized before
starting (or something like that)?


> You may want to define rc_need="!net" to prevent init scripts that
> "need net" from automatically starting the net.* services. For most
> services this is fine, but it will obviously break things like ntpdate
> which actually need a usable network connection.


I don't follow this.  Doesn't hotplug need to be able to start the
net.* services in order for that solution to work?

- Grant



Re: [gentoo-user] Rasp-Pi-4 Gentoo servers

2020-02-27 Thread Ralph Seichter
* james:

> I'm thinking about setting up a pair of Rasp-Pi-4 as DNS servers with
> 4GB of ram. Is that enough ram for a DNS server?

For running the Nameservers, yes. Compiling Gentoo packages will likely
put your SD-Card under stress, but that's just how it goes. My Model B
Rev 2 of 2015 runs dnsmasq as DHCP server, NGINX, Postfix, Unbound and
more for a bunch of clients in a LAN. It is quite nifty as a local DNS
Resolver and DHCP server, because it is usually the fastest to boot
after the occasional power outage.

I would not use it as an Internet-facing production Mailserver, though,
because that would generate a lot of I/O, which is not a Raspberry Pi's
strong suit.

-Ralph



[gentoo-user] DNSSEC

2010-11-08 Thread James
Hello,

Several times in the past, I have approached
setting up DNS servers, only to get side-tracked.
I'm making another stab at setting up my DNS
servers for my humble, small cidr (/29) block.

Now it seems DNSSEC is all the rage, even
at the root servers [1].

So what am I to choose to effect DNSSEC on gentoo?
Hardware suggestions on low power (5-10 watts) (embedded) 
hardware with Gentoo are welcome.

net-dns/unbound (portage) [2]
bind9 (portage)
nsd (?)
opendnssec (sunrise overlay)
???

Googling and research has led me to reading
quite a lot of interesting, but fragmented
thoughts on the subject of DNSSEC and gentoo.

Any discussion or guidance is appreciated.

[1] http://www.root-dnssec.org/
[2] http://www.unbound.net/documentation/howto_anchor.html
[3] https://svn.whyscream.net/whyscream-overlay/sunrise-dev/net-dns/
[4] http://gentoo-overlays.zugaina.org/sunrise/net-dns.html.en

[] https://www.dnssec-tools.org/wiki/index.php/Tutorials




[gentoo-user] ....Gentoo update killed Gentoo update?

2017-10-03 Thread tuxic
Hi,

from my qlop -l output:
Tue Oct  3 05:16:48 2017 >>> dev-perl/CGI-Fast-2.120.0
Tue Oct  3 05:17:09 2017 >>> net-dns/dnsmasq-2.78

Tue Oct  3 05:18:25 2017 >>> app-portage/eix-0.33.0

Tue Oct  3 05:26:47 2017 >>> sys-apps/openrc-0.32
Tue Oct  3 05:27:54 2017 >>> media-radio/gpredict-1.3-r2


I tried eix-sync this morning and got:

/root>eix-sync
/usr/bin/eix-sync: line 22: ReadFunctions: command not found
/usr/bin/eix-sync: line 24: ReadVar: command not found
/usr/bin/eix-sync: line 25: ReadVar: command not found
/usr/bin/eix-sync: line 26: ReadVar: command not found
/usr/bin/eix-sync: line 27: ReadVar: command not found
/usr/bin/eix-sync: line 28: local_portage_configroot: unbound variable
[1]4865 exit 1 eix-sync


...end of the show?

How can I fix this?

Cheers
Meino


Re: [gentoo-user] Re: Secure DNS servers

2014-06-17 Thread Eray Aslan
On Mon, Jun 16, 2014 at 07:57:31PM +, James wrote:
> Any guidance of those?

When I have a choice, I go with nsd for authoritative and with unbound for
recursive dns servers.  Bind is also a popular alternative.

> Anyone and Everyone is encouraged to "chime in" on dns server

Try to separate your authoritative and recursive dns servers.

Learn to use dig.

On Mon, Jun 16, 2014 at 02:49:39PM -0400, Michael Orlitzky wrote:
>   iptables -A INPUT -p ALL -m conntrack --ctstate ESTABLISHED,RELATED \
>     -j ACCEPT

Careful with conntrack.  It is OK for a home/hobby server.  For a high
volume dns server, you don't want to reach conntrack limits before you
reach the limits of your dns software - which are usually much higher.
A stateful firewall for a dns server is not always a good choice - do
not make it easier to DoS.

-- 
Eray Aslan 
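As an added example, not from Eray's message or from any of the projects named in the thread: a small shell helper for the conntrack caveat above. `conntrack_usage_pct` turns the kernel's two counters into a percentage that monitoring can alert on before the table fills, and `dns_rules` prints the thread's stateful rule beside a variant that keeps port-53 traffic out of connection tracking through the raw table, so that a burst of queries costs no table entries. iptables with the `CT` target is assumed to be the firewall in use; the values in the usage line are constructed, and nothing is applied to a live firewall unless you run the printed commands yourself as root.

```shell
#!/bin/sh
# Added example, not from the thread: conntrack headroom check plus a DNS
# rule set that bypasses connection tracking for port 53.

# conntrack_usage_pct MAX COUNT -> integer percentage of the table in use.
# MAX of 0 (conntrack not loaded) reports 0 rather than dividing by zero.
conntrack_usage_pct() {
    [ "$1" -gt 0 ] || { echo 0; return; }
    echo $(( $2 * 100 / $1 ))
}

# conntrack_pressure [THRESHOLD]: read the live counters (Linux with
# nf_conntrack loaded) and return 1 when usage exceeds THRESHOLD percent,
# which is the condition Eray's warning is about.
conntrack_pressure() {
    thr=${1:-80}
    max=$(cat /proc/sys/net/netfilter/nf_conntrack_max 2>/dev/null) || return 0
    cnt=$(cat /proc/sys/net/netfilter/nf_conntrack_count 2>/dev/null) || return 0
    pct=$(conntrack_usage_pct "$max" "$cnt")
    echo "conntrack: $cnt/$max entries ($pct%)"
    [ "$pct" -le "$thr" ]
}

# dns_rules MODE: "stateful" is the rule from the thread (every query creates
# a conntrack entry); "notrack" exempts DNS in the raw table, which runs before
# tracking, and accepts it on port match instead of connection state.
dns_rules() {
    case "$1" in
    stateful)
        cat <<'EOF'
iptables -A INPUT -p ALL -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
EOF
        ;;
    notrack)
        cat <<'EOF'
# raw table is evaluated before conntrack: mark DNS so no entry is created
iptables -t raw -A PREROUTING -p udp --dport 53 -j CT --notrack
iptables -t raw -A PREROUTING -p tcp --dport 53 -j CT --notrack
iptables -t raw -A OUTPUT -p udp --sport 53 -j CT --notrack
iptables -t raw -A OUTPUT -p tcp --sport 53 -j CT --notrack
# untracked packets never match ESTABLISHED, so accept them by port explicitly
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --sport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 53 -j ACCEPT
# everything else stays stateful
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
        ;;
    *)
        echo "usage: dns_rules stateful|notrack" >&2
        return 2
        ;;
    esac
}

# Print the chosen rule set (default: the notrack variant).
dns_rules "${1:-notrack}"
```

The notrack variant is only for the authoritative role: a recursive resolver that has to reach upstream servers still benefits from tracking its own outbound queries, which is one more reason to keep the two roles on separate hosts as the message above recommends.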



Re: [gentoo-user] system wants to emerge unstable package

2024-01-22 Thread syscon edm
On Mon, Jan 22, 2024 at 4:58 AM netfab  wrote:
>
> On 21/01/24 at 20:23, syscon edm wrote:
> > Hm..., it still wants to emerge unstable version:
> >
> > emerge -atvq asterisk
> > [ebuild U ] net-misc/asterisk-18.20.2
> >
>
> Please post the output of :
> > $ emerge -pvt asterisk

emerge -pvt asterisk

These are the packages that would be merged, in reverse order:

Calculating dependencies... done!
Dependency resolution took 7.21 s (backtrack: 0/20).

[ebuild U ~] net-misc/asterisk-18.20.2:0/18::gentoo
[16.30.1:0/16::gentoo] USE="alsa bluetooth caps iconv mysql ssl vorbis
-blocks -calendar -cluster -codec2 -curl (-dahdi) -debug -deprecated
-doc -freetds -gtalk -http -ilbc -ldap -lua -newt -odbc -oss
-pjproject -portaudio -postgres -radius (-selinux) -snmp -span -speex
-srtp -static -statsd -syslog -systemd -unbound -xmpp"
LUA_SINGLE_TARGET="lua5-1 -lua5-3 -lua5-4" VOICEMAIL_STORAGE="-imap
-odbc (-file%*)" 27,782 KiB



Re: [gentoo-user] [OT] opendns.org

2012-01-14 Thread Pandu Poluan
On Jan 14, 2012 7:28 AM, "Paul Hartman" 
wrote:
>
> On Fri, Jan 13, 2012 at 6:06 PM, walt  wrote:
> > I just heard about opendns.org for the first time today, but their
> > website makes it seem that I'm the only person in the solar system
> > who's not already on the bandwagon.
> >
> > Anyone know if they are as wonderful as they sound?
>
> If you are using ISP DNS and it is slow, or hijacking domains like
> search engines, and if you like your DNS to be a content filter, then
> sure. :) Google DNS is similar thing.
>
> Personally I just run unbound on my PC and don't want it to block any
> look-ups anyway.
>

Or, in my case, all ISPs in my country are required to use a DNS server
called "Nawala" that performs web censorship. And, as one would expect,
that totally breaks DNSSEC. Not to mention making DNS resolution very
slow.

So, I used Google DNS and the famous 4.2.2.[1-6] servers.

Rgds,


Re: [gentoo-user] ....Gentoo update killed Gentoo update?

2017-10-03 Thread Ian Bloss
emerge --sync && emerge eix && eix-update

On Tue, Oct 3, 2017, 6:55 PM  wrote:

> Hi,
>
> from my qlop -l output:
> Tue Oct  3 05:16:48 2017 >>> dev-perl/CGI-Fast-2.120.0
> Tue Oct  3 05:17:09 2017 >>> net-dns/dnsmasq-2.78
>
> Tue Oct  3 05:18:25 2017 >>> app-portage/eix-0.33.0
>
> Tue Oct  3 05:26:47 2017 >>> sys-apps/openrc-0.32
> Tue Oct  3 05:27:54 2017 >>> media-radio/gpredict-1.3-r2
>
>
> I tried eix-sync this morning and got:
>
> /root>eix-sync
> /usr/bin/eix-sync: line 22: ReadFunctions: command not found
> /usr/bin/eix-sync: line 24: ReadVar: command not found
> /usr/bin/eix-sync: line 25: ReadVar: command not found
> /usr/bin/eix-sync: line 26: ReadVar: command not found
> /usr/bin/eix-sync: line 27: ReadVar: command not found
> /usr/bin/eix-sync: line 28: local_portage_configroot: unbound variable
> [1]4865 exit 1 eix-sync
>
>
> ...end of the show?
>
> How can I fix this?
>
> Cheers
> Meino
>
>
>
>
>


Re: [gentoo-user] new dhcpcd behaviour

2012-12-02 Thread Bruce Hill
On Sun, Dec 02, 2012 at 03:18:38PM -0500, Philip Webb wrote:
> I updated to Openrc 0.11.6 yesterday & on waking the machine up today
> & starting DHCP from a terminal (as I always do),
> instead of a long list of interactions with the router
> there's  1  line "dhcpcd[1035]: sending commands to master dhcpcd process".
> There's also a new display in Gkrellm 'sit0', which is new to me.
> 
> Everything is working, but can anyone explain the change ?
> 
> Also, I have PPP installed (2.4.5-r3): do I still need this with DHCP ?
> -- I suspect it's left over from pre-router days.

My LAN has a Linux router with a simple (for now) setup using dhcp and
unbound. However, the sit0 is IPV4 to IPV6. Check for CONFIG_IPV6 in your
kernel ... it will probably go away when you don't have that, or ipv6 USE
flags where you don't use them.
-- 
Happy Penguin Computers   >')
126 Fenco Drive   ( \
Tupelo, MS 38801   ^^
supp...@happypenguincomputers.com
662-269-2706 662-205-6424
http://happypenguincomputers.com/

Don't top-post: http://en.wikipedia.org/wiki/Top_post#Top-posting



Re: [gentoo-user] hyperthreading

2005-12-13 Thread Glenn Enright
On Wednesday 14 December 2005 09:29, Nick Smith wrote:
> its a server, i dont think i built ACPI into the kernel cause i didnt
> need/want it, dont think that should make a difference.

From what I can see SMP functionality seems to rely quite heavily on ACPI 
discovery. Having said that, lots of code in mpparse.c says it should just 
work like in previous versions. 

Is this the first time building this kernel version?  

What does 'dmesg | grep CPU' say? anything in /var/log/syslog.log?

Have you added any extra patches to the kernel recently?

-- 
The sounds of the nouns are mostly unbound.
In town a noun might wear a gown,
or further down, might dress a clown.
A noun that's sound would never clown,
but unsound nouns jump up and down.
The sound of a noun could disturb the plowing,
and then, my dear, you'd be put in the pound.
But please don't let that get you down,
the renown of your gown is the talk of the town.
-- A. Nonnie Mouse

-- 
gentoo-user@gentoo.org mailing list



[gentoo-user] Festival/Speechd/MBrola: Setting new voice?

2011-02-06 Thread meino . cramer
Hi,

I am currently playing around with speech synthesis and installed
mbrola, speechd and festival.

It works so far: I am getting the default english voice, which tells
me what time it is.

Then I was trying to follow some docs from the internet to
install/activate different voices...no go.

Even the simplest case -- the uncommenting of a prepared line --
in the /etc/festival/siteinit.scm from


;; If you want a voice different from the system installed default 
;; uncomment the following line and change the name to the voice you
;; want

;; (set! voice_default 'voice_cmu_us_awb_arctic_hts)
 
to


;; If you want a voice different from the system installed default 
;; uncomment the following line and change the name to the voice you
;; want

(set! voice_default 'voice_cmu_us_awb_arctic_hts)


leads to an error message:

SIOD ERROR: unbound variable : cmu_us_slt_arctic_hts

Voice not installed?

/usr/share/festival/voices/us/cmu_us_slt_arctic_hts

No...it is there...

Unfortunately I am no lisp-man... ;)

I restarted festival/speechd ... no success ... same error.

Maybe I'm missing some very fundamental thing here...but...

What do I have to do, to get this beast talking to me ?


Thank you very much in advance for any help!

Best regards,
mcc





Re: [gentoo-user] Re: [OT] Linus Torvalds on systemd

2014-09-18 Thread Alan McKinnon
On 18/09/2014 10:07, Neil Bothwick wrote:
> On Thu, 18 Sep 2014 07:19:21 +0200, Alan McKinnon wrote:
> 
>>> Is systemd starting to encompass too much? I think so, but who cares?
>>> If we want an init manager that reads systemd-like files but doesn't
>>> do anything else (hostnamectl, logging, udev, etc.), I guess we'll
>>> have to make one.  
>>
>> or trim it back. Conceptually, it shouldn't be too hard to remove those
>> extra services leaving only an init manager.
>>
>> Reading posts over the years (I don't use systemd) most of that stuff
>> can be disabled by config in systemd anyway
> 
> A lot of it is disabled by default anyway, you have to turn it on if you
> want to use it. Otherwise it's just there.



That's even better then.


I'm mildly bemused by these systemd threads - so much emotion. Me, I
don't have a dog in this fight so I can sit back and look at what's
going on.

Imagine the ISC-bind lovers going completely apeshit about unbound,
thinking named is about to go away forever. That's what this looks like.




-- 
Alan McKinnon
alan.mckin...@gmail.com




Re: [gentoo-user] DNS server packages

2015-10-11 Thread Alan McKinnon
On 11/10/2015 04:13, James wrote:
> Howdy,
> 
> So I now have (5) statics and a fiber feed, with lots of room to grow.
> 
> I need to setup DNS primary/secondary systems on gentoo. So right now I'm
> looking for a suggested list of packages to install with Bind, iptables and
> DNSSEC-tools as these (2) gentoo dns servers will only run the minimum
> packages to operate securely?

auth or cache?

First of all, bind is a pain to use. Reason: it's actually a reference
implementation that as usual got forced into production use. It's slower
than it could be because it deals with every possible corner case per RFC.

As an auth server (few queries) it's OK
As a cache (many queries), there are better servers out there. I prefer
unbound.


> Also, what is the (nominal) minimum amount of RAM needed to keep all routes
> in ram in these  name servers?

I don't understand. DNS servers don't keep routes in memory - routers do
that. Perhaps you mean cached DNS records?

DNS is light on RAM, there are only so many records typical users will
look up. DNS caches not too long ago ran for years problem free with a
puny few hundred MB. It's not something to be worried about.


-- 
Alan McKinnon
alan.mckin...@gmail.com




Re: [gentoo-user] Re: Secure DNS servers

2014-06-17 Thread Alan McKinnon
On 17/06/2014 16:48, Eray Aslan wrote:
> On Mon, Jun 16, 2014 at 07:57:31PM +, James wrote:
>> Any guidance of those?
> 
> When I have a choice, I go with nsd for authoritative and with unbound for
> recursive dns servers.  Bind is also a popular alternative.
> 
>> Anyone and Everyone is encouraged to "chime in" on dns server
> 
> Try to separate your authoritative and recursive dns servers.
> 
> Learn to use dig.
> 
> On Mon, Jun 16, 2014 at 02:49:39PM -0400, Michael Orlitzky wrote:
>>   iptables -A INPUT -p ALL -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
> 
> Careful with conntrack.  It is OK for a home/hobby server.  For a high
> volume dns server, you don't want to reach conntrack limits before you
> reach the limits of your dns software - which are usually much higher.
> A stateful firewall for a dns server is not always a good choice - do
> not make it easier to DoS.
> 


You could probably get away with it on an auth server as they tend to be
lighter loaded than a caching server.

But on a cache server - no ways at all.
I watched big busy dns cache servers try to deal with FreeBSD stateful
firewalls once, it was not a pretty sight :-)

-- 
Alan McKinnon
alan.mckin...@gmail.com
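The conntrack caveat above, as an added example that is not part of the thread: an iptables rule set for a DNS server that keeps UDP port 53 out of the connection-tracking table (the rule quoted from Michael Orlitzky is kept as the stateful baseline), plus a headroom estimate from the kernel's conntrack limits. It assumes iptables with the raw table, the CT target and the conntrack match; DNS_IF=eth0 is a placeholder interface name, and IPT defaults to a dry run that only echoes the commands.

```shell
#!/bin/sh
# Added example (not from the thread): iptables rules for a DNS server that keep
# port 53 traffic out of the conntrack table, so a query flood cannot fill
# nf_conntrack_max and make the kernel drop legitimate packets. Everything
# that is not DNS stays stateful.
# IPT defaults to "echo iptables" (dry run); set IPT=iptables to apply as root.

IPT="${IPT:-echo iptables}"
DNS_IF="${DNS_IF:-eth0}"   # placeholder interface name, adjust for your server

# The rule from the thread: fine for a quiet auth server, risky for a busy cache,
# because every UDP query allocates a conntrack entry that lives for the UDP timeout.
stateful_baseline() {
    $IPT -A INPUT -p ALL -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -p tcp --dport 53 -j ACCEPT
}

# Stateless handling for DNS only. The raw table runs before conntrack, so
# packets marked notrack never allocate an entry; the filter rules then have
# to match them explicitly, because ESTABLISHED,RELATED no longer applies.
dns_notrack_rules() {
    # Queries arriving at the server and the replies it sends.
    $IPT -t raw -A PREROUTING -i "$DNS_IF" -p udp --dport 53 -j CT --notrack
    $IPT -t raw -A OUTPUT -o "$DNS_IF" -p udp --sport 53 -j CT --notrack
    # For a recursive cache: the upstream queries it sends and their answers.
    $IPT -t raw -A OUTPUT -o "$DNS_IF" -p udp --dport 53 -j CT --notrack
    $IPT -t raw -A PREROUTING -i "$DNS_IF" -p udp --sport 53 -j CT --notrack

    # Filter table: accept the untracked DNS flows explicitly. Answers to the
    # cache's own queries are matched by source port 53 only; the resolver
    # checks query id and port itself, which is what conntrack no longer does.
    $IPT -A INPUT -i "$DNS_IF" -p udp --dport 53 -m conntrack --ctstate UNTRACKED -j ACCEPT
    $IPT -A INPUT -i "$DNS_IF" -p udp --sport 53 -m conntrack --ctstate UNTRACKED -j ACCEPT
    $IPT -A OUTPUT -o "$DNS_IF" -p udp -m conntrack --ctstate UNTRACKED -j ACCEPT
    # TCP 53 (zone transfers, truncated answers) stays tracked: low volume,
    # and the handshake makes the state worth keeping.
    $IPT -A INPUT -i "$DNS_IF" -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Headroom check: roughly how many UDP queries per second the conntrack table
# can absorb before it is full, given the current kernel limits. Reads /proc
# when present; the fallback numbers are constructed defaults for the dry run.
conntrack_udp_capacity() {
    max=$(cat /proc/sys/net/netfilter/nf_conntrack_max 2>/dev/null || echo 65536)
    tmo=$(cat /proc/sys/net/netfilter/nf_conntrack_udp_timeout 2>/dev/null || echo 30)
    echo $((max / tmo))
}

stateful_baseline
dns_notrack_rules
echo "# conntrack could hold about $(conntrack_udp_capacity) tracked UDP queries/s"
```

Compare the printed capacity with the query rate the cache actually serves: if they are of the same order, the stateful baseline alone is a denial-of-service waiting to happen.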




[gentoo-user] OT - Some miscellaneous questions about hack attacks and dealing with them

2007-02-22 Thread Michael Sullivan
I have logsentry installed on my system which sends me hourly reports
about possible hack attempts on my three boxes.  I use ipkungfu for my
firewall.  I've stuck with the default configuration for ipkungfu,
except for listing each of my machines in my LAN in the
accepted_hosts.conf file.  I also set ipkungfu to drop all offensive
packets (not sure if that's the default or not.)  Whenever I see someone
trying to break in in the logsentry reports, I add their IP to the
deny_hosts.conf file and restart ipkungfu so that the changes will take
effect.  I'm wondering why if these offending IPs in deny_hosts.conf are
being stopped at the firewall I'm still seeing them fail to authenticate
to my FTP and ssh servers?  Also, I've always heard that you shouldn't
have any ports open on your machine unless you have some server bound to
that port because hackers can get in through unbound open ports.  Is
this true?  If so, how does it work?  What do they connect to if
nothing's running on the port they're trying?  I know the concept of a
backdoor in a running program, but if no program is running on said port
for them to connect to, how do they get in???
-Michael Sullivan-




Re: [gentoo-user] Best caching dns server?

2012-05-19 Thread Alan McKinnon
On Sat, 19 May 2012 07:45:56 +0530
Nilesh Govindrajan  wrote:

> Hi,
> 
> Which is the best caching dns server? I'm presently using
> pdns-recursor, which is quite good, but doesn't have an option to set
> a minimum ttl (doesn't make sense, but some sites like twitter have a
> ridiculously low ttl of 30s). Also, it isn't able to save cached
> entries to a file so that they can be restored on next boot. Any option?

You can use almost any cache you want...

... except bind

We use unbound. Does the job, does it well, developer very responsive.

But do not fiddle with TTLs, that breaks stuff in spectacular ways.
Essentially, with the TTL the auth server is saying "We guarantee that
you can treat this RR as valid for X amount of time and suffer no ill
effects if you do"

What you want to do is break that agreement, which is really not a good
idea.

> 
> I am keeping my box on 24x7 because it serves as dns on my small home
> wifi, which is not acceptable to me, because the network is almost off at
> night (only phone) and I have my router as secondary dns.

Just use Google's caches or OpenDNS. They do the job so much better
than you ever could. Why reinvent the wheel?



-- 
Alan McKinnon
alan.mckin...@gmail.com




Re: [gentoo-user] bind-9.7.1_p2 does not want to stop...

2010-11-16 Thread Jarry

On 16. 11. 2010 20:47, Alan McKinnon wrote:


Do you absolutely *have* to run bind? Aside from it being a 100% RFC-compliant
reference server, it's a pig to run in real life. For an auth server, powerdns
is very good. For a cache, unbound.


Well, not *absolutely*, but I'm an old dog used to working with old tools
like bind, sendmail, etc. I'm getting older with them...


What you have here is common. Bind can't find, or can't deal with, its PID
file. Or it's just being stubborn.

Check your config that the PID file is in the right place, usable and that it
has the correct pid in it. Also check the init script for the same thing.


To me pid seems to be in the right place. Nothing suspicious...


Failing that, there's "kill -9", this won't break anything but might
disconnect a client.


Well, I could kill the process while working in terminal. But when
I forget to do it and try to shut down the server, it hangs and waits.
And *that* is a problem. I have to power it off, and next time when
I boot up, I have to fsck all partitions...

Jarry

--
___
This mailbox accepts e-mails only from selected mailing-lists!
Everything else is considered to be spam and therefore deleted.



Re: [gentoo-user] new dhcpcd behaviour

2012-12-02 Thread Philip Webb
121202 Bruce Hill wrote:
> On Sun, Dec 02, 2012 at 03:18:38PM -0500, Philip Webb wrote:
>> I updated to Openrc 0.11.6 yesterday & on waking the machine up today
>> & starting DHCP from a terminal (as I always do),
>> instead of a long list of interactions with the router
>> there's  1  line "dhcpcd[1035]: sending commands to master dhcpcd process".
>> There's also a new display in Gkrellm 'sit0', which is new to me.
>> Everything is working, but can anyone explain the change ?

I spoke too soon (grimace)!

> My LAN has a Linux router with a simple (for now) setup
> using dhcp and unbound.  However, the sit0 is IPV4 to IPV6.
> Check for CONFIG_IPV6 in your kernel ...
> it will probably go away when you don't have that
> or ipv6 USE flags where you don't use them.

For whatever reason, mail wasn't coming in : it was going out.
I edited  /etc/conf.d/netmount  to comment 'dhcpcd' & now all's well :
it was listed by 'etc-update', so I assumed it needed authorising
-- the notes in the file are explicit -- ,
but I don't want DHCP running as a daemon.
Also, the router connection is as before & 'sit0' has disappeared.

>> Also, I have PPP installed (2.4.5-r3): do I still need this with DHCP ?
>> -- I suspect it's left over from pre-router days.
 
any advice ?

-- 
,,
SUPPORT ___//___,   Philip Webb
ELECTRIC   /] [] [] [] [] []|   Cities Centre, University of Toronto
TRANSIT`-O--O---'   purslowatchassdotutorontodotca




Re: [gentoo-user] Rasp-Pi-4 Gentoo servers

2020-02-27 Thread aisha

I'm not too sure that running it as a mail server is impossible.
Depending on your expected traffic level, it should be more than capable 
enough to do it.
My current server is only a 1 core + 1 GB VPS, which is much more lax 
than a pi-4.


Depending on what guides you follow you can definitely set it up as a 
mail server.


But I am curious how you are planning to do this, unless you have a 
static ip + reverse DNS configured?



---
Aisha
blog.aisha.cc

On 2020-02-27 10:11, Ralph Seichter wrote:

* james:


I'm thinking about setting up a pair of Rasp-Pi-4 as DNS servers with
4GB of ram. Is that enough ram for a DNS server?


For running the Nameservers, yes. Compiling Gentoo packages will likely
put your SD-Card under stress, but that's just how it goes. My Model B
Rev 2 of 2015 runs dnsmasq as DHCP server, NGINX, Postfix, Unbound and
more for a bunch of clients in a LAN. It is quite nifty as a local DNS
Resolver and DHCP server, because it is usually the fastest to boot
after the occasional power outage.

I would not use it as an Internet-facing production Mailserver, though,
because that would generate a lot of I/O, which is not a Raspberry Pi
strong suit.

-Ralph




Re: [gentoo-user] udev or Gentoo issue?

2014-05-15 Thread Grant
>>>>>>>> I'm having a problem starting the USB network interfaces properly on
>>>>>>>> one of my systems.  I brought the problem to the udev list and they're
>>>>>>>> indicating that it's a Gentoo problem:
>>>>>>>>
>>>>>>>> https://www.mail-archive.com/systemd-devel@lists.freedesktop.org/msg18840.html
>>>>>>>>
>>>>>>>> Should I file a bug?
>>>>>>>>
>>>>>>>> - Grant
>>>>>>>>
>>>>>>> Like pointed out in the upstream thread, it's either wrongly built
>>>>>>> net-misc/dhcpcd (should be with USE="udev")
>>>>>>> and if not using dhcpcd, it might be a bug in net-misc/netifrc's
>>>>>>> /etc/init.d/net.lo depend() { } section --
>>>>>>> it's possible it's missing dependency that forces /etc/init.d/udev start
>>>>>>> first, specially if OpenRC is using parallel
>>>>>>> startup
>>>>>>>
>>>>>>> So not really a udev bug, rather a misconfiguration in dhcpcd USE flags
>>>>>>> OR bug in dependencies of netifrc's net.lo script
>>>>>> I'm starting two interfaces, one that uses dhcpcd and one that does
>>>>>> not.  Both fail to start in the default runlevel until they are
>>>>>> hotplugged later.  I do have dhcpcd built with USE=udev.  The string
>>>>>> "udev" does not occur in /etc/init.d/net.lo so maybe that's the
>>>>>> problem?  Please confirm that I should file a Gentoo bug for this.
>>>>>>
>>>>>> - Grant
>>>>>>
>>>>> Try adding 'after udev' to net.lo's depend() { } section and see if that
>>>>> helps, if it does, file a bug
>>>>> saying so.
>>>>
>>>> I added it like this and rebooted:
>>>>
>>>> depend()
>>>> {
>>>> after udev
>>>>
>>>> but the result was the same.  I also have udev and udev-mount in the
>>>> sysinit runlevel.
>>>>
>>>>
>>>>> It was more of an educated guess than 100% accurate knowledge. I can't
>>>>> think of an another
>>>>> way to force netifrc to behave, since it's not coded in C, and it can't
>>>>> link to libudev, so...
>>>>>
>>>>> However since you say *both*, even the one with dhcpcd fail to start,
>>>>> before filing that bug,
>>>>> see if disabling netifrc hotplugging works:
>>>>>
>>>>> # ln -s /dev/null /etc/udev/rules.d/90-network.rules
>>>>
>>>> Will that disable interface renaming or hotplugging?  The system with
>>>> the issue is remote and if the interfaces aren't renamed or if
>>>> hotplugging doesn't happen then I won't be able to access the system
>>>> for up to 24 hours.  That's fine and I'm happy to test stuff like this
>>>> anyway but I don't think this particular test will be informative
>>>> because:
>>>
>>> It will disable the hotplugging, it means you *must* have the net.*
>>> stuff added
>>> to the default to runlevel yourself, like eg.
>>>
>>> # rc-update add net.foobar default
>>
>>
>> They're in the default runlevel:
>>
>> # rc-update|grep net.enp
>>   net.enp0s20u2u1 |  default
>>   net.enp0s20u2u2 |  default
>>
>> I can disable hotplugging with rc_hotplug in rc.conf.  Hotplugging is
>> actually disabled by default there and my network interfaces won't
>> start automatically that way.
>>
>
> Does your kernel have timing info enabled? If so, it would be
> interesting to look at your dmesg output.
>
> My guess is that your kernel is taking a really long time (several
> seconds) to initialize your network cards.


I have this:

# dmesg | grep enp
[4.297862] systemd-udevd[659]: renamed network interface eth0 to enp0s20u2u1
[4.778289] systemd-udevd[660]: renamed network interface eth0 to enp0s20u2u2
[6.496193] ax88179_178a 3-2.1:1.0 enp0s20u2u1: ax88179 - Link status is: 1
[7.905393] ax88179_178a 3-2.2:1.0 enp0s20u2u2: ax88179 - Link status is: 1
#

That doesn't tell us when the network initscripts tried and failed to
start but this from /var/log/messages/everything/current shows the
first time in the boot sequence that a dependent service failed to
start because of the networking failure so it should be before this:

[kernel] [0.787433] serio: i8042 AUX port at 0x60,0x64 irq 12
[/etc/init.d/unbound] ERROR: cannot start unbound as net.enp0s20u2u1
would not start
[kernel] [0.792081] rtc_cmos 00:04: alarms up to one month, y3k,
242 bytes nvram, hpet irqs

- Grant



Re: [gentoo-user] [OT] opendns.org

2012-01-14 Thread Carlos Sura
On 14 January 2012 10:57, Pandu Poluan  wrote:

>
> On Jan 14, 2012 7:28 AM, "Paul Hartman" 
> wrote:
> >
> > On Fri, Jan 13, 2012 at 6:06 PM, walt  wrote:
> > > I just heard about opendns.org for the first time today, but their
> > > website makes it seem that I'm the only person in the solar system
> > > who's not already on the bandwagon.
> > >
> > > Anyone know if they are as wonderful as they sound?
> >
> > If you are using ISP DNS and it is slow, or hijacking domains like
> > search engines, and if you like your DNS to be a content filter, then
> > sure. :) Google DNS is similar thing.
> >
> > Personally I just run unbound on my PC and don't want it to block any
> > look-ups anyway.
> >
>
> Or, in my case, all ISPs in my country are required to use a DNS server
> called "Nawala" that performs web censorship. And, as one would expect,
> that totally breaks DNSSEC. Not to mention making DNS resolves becoming
> very slow.
>
> So, I used Google DNS and the famous 4.2.2.[1-6] servers.
>
> Rgds,
>

I am using OpenDNS in my home network; besides being faster, I can block
certain websites for my little brothers, and at work we use it to
prevent people from using IM and such things.

I don't have problems with my ISP, nothing to complain about, but using OpenDNS
seems to be a little bit faster.

Anyway, you may want to take a look by yourself.

Regards

-- 
Carlos Sura.-
www.carlossura.com


Re: [gentoo-user] DNS server packages

2015-10-11 Thread J. Roeleveld
On Sunday, October 11, 2015 09:35:39 AM Alan McKinnon wrote:
> On 11/10/2015 04:13, James wrote:
> > Howdy,
> > 
> > So I now have (5) statics and a fiber feed, with lots of room to grow.
> > 
> > I need to setup DNS primary/secondary systems on gentoo. So right now I'm
> > looking for a suggested list of packages to install with Bind, iptables
> > and
> > DNSSEC-tools as these (2) gentoo dns servers will only run the minimum
> > packages to operate securely?
> 
> auth or cache?
> 
> First of all, bind is a pain to use. Reason: it's actually a reference
> implementation that as usual got forced into production use. It's slower
> than it could be because it deals with every possible corner case per RFC.
> 
> As an auth server (few queries) it's OK
> As a cache (many queries), there are better servers out there. I prefer
> unbound.

As it is related to this thread, which server would people recommend when the 
DNS records are to be found in a database?
Reason I am asking:
I want to set up a lab environment with VMs coming and going.
These all need to have hostname/mac/ip stored and configured correctly.

Till now, I basically preconfigured Bind and DHCPd for a bunch of them.
I would prefer to be able to specify a hostname for this, but writing 
something that keeps changing the configuration and keeping it in-sync with a 
database is a bit overkill.

Thanks,

Joost



Re: [gentoo-user] Best caching dns server?

2012-05-19 Thread Nilesh Govindrajan
On Sat, May 19, 2012 at 10:06 PM, Alan McKinnon  wrote:
> On Sat, 19 May 2012 07:45:56 +0530
> Nilesh Govindrajan  wrote:
>
>> Hi,
>>
>> Which is the best caching dns server? I'm presently using
>> pdns-recursor, which is quite good, but doesn't have an option to set
>> a minimum ttl (doesn't make sense, but some sites like twitter have a
>> ridiculously low ttl of 30s). Also, it isn't able to save cached
>> entries to a file so that they can be restored on next boot. Any option?
>
> You can use almost any cache you want...
>
> ... except bind
>
> We use unbound. Does the job, does it well, developer very responsive.
>
> But do not fiddle with TTLs, that breaks stuff in spectacular ways.
> Essentially, with the TTL the auth server is saying "We guarantee that
> you can treat this RR as valid for X amount of time and suffer no ill
> effects if you do"
>
> What you want to do is break that agreement, which is really not a good
> idea.
>
>>
>> I am keeping my box on 24x7 because it serves as dns on my small home
>> wifi, which is not acceptable to me, because the network is almost off at
>> night (only phone) and I have my router as secondary dns.
>
> Just use Google's caches or OpenDNS. They do the job so much better
> than you ever could. Why reinvent the wheel?
>
>

Slow connection. See my previous reply to the list. I'm using pdnsd,
which can persist records and has every damn feature I wanted.

-- 
Nilesh Govindarajan
http://nileshgr.com



Re: [gentoo-user] bind-9.7.1_p2 does not want to stop...

2010-11-16 Thread Alan McKinnon
Apparently, though unproven, at 21:17 on Tuesday 16 November 2010, Jarry did 
opine thusly:

> Hi,
> today I updated my bind from 9.4.3_p5 to 9.7.1_p2. I noticed
> a few changes in configuration so first I did full backup, then
> uninstalled 9.4.3_p5 first, removed all configuration files,
> then emerged 9.7.1_p2, and configured it to run from chroot.
> 
> named seems to start normally:
> 
>   # /etc/init.d/named start
>   * Starting chrooted named ...
>   * Mounting chroot dirs
>   * mounting /etc/bind to /chroot/dns/etc/bind
>   * mounting /var/bind to /chroot/dns/var/bind
>   * mounting /var/log/named to /chroot/dns/var/log/named  [ ok ]
> 
> The problem is, it runs forever, and does not want to stop:
> 
> # /etc/init.d/named stop
>   * Stopping chrooted named ...
>   * Umounting chroot dirs
>   * Waiting until all named processes are stopped
> 
> And there it hangs. I have been waiting for 15min, but nothing
> happened and ps shows named is still running. I aborted with
> ctrl+c and tried again, but still the same. I checked logs,
> but did not find anything suspicious. So where is the problem?

Do you absolutely *have* to run bind? Aside from it being a 100% RFC-compliant 
reference server, it's a pig to run in real life. For an auth server, powerdns 
is very good. For a cache, unbound.

What you have here is common. Bind can't find, or can't deal with, its PID 
file. Or it's just being stubborn.

Check your config that the PID file is in the right place, usable and that it 
has the correct pid in it. Also check the init script for the same thing.

Failing that, there's "kill -9", this won't break anything but might 
disconnect a client.

-- 
alan dot mckinnon at gmail dot com



Re: [gentoo-user] gnunet dependency dnssec-root checksum fail for 7 yrs old IANA XML

2017-02-17 Thread Miroslav Rovis
On 170217-16:10+0100, Miroslav Rovis wrote:
> I just posted in the wiki
...
> https://wiki.gentoo.org/wiki/Overlay_Talk:Youbroketheinternet
...
> So, fetching packages for the overlay:
> http://youbroketheinternet.org/#overlay
...
> all went fine, except for one exact file, as witnessed by the log in my
> Overlay_Talk:Youbroketheinternet post of today:
> ...
> >>> Downloading 'http://data.iana.org/root-anchors/root-anchors.xml'
> ...
> and later:
> ...
> > /usr/portage/distfiles/root-anchors-20100715.xml._checksum_failure_.wxcel31j
> ...
...
> Or is it really still that the IANA changed that nearly 7 yrs old file?
> 
> Can anybody: 
> 
> 1) alert the gnunet developers about this
> 
> 2) suggest a solution for fixing this issue (w/o which can't emerge
> gnunet)

There's another file with failed checksum for gnunet:

# cat /var/log/emerge-fetch.log 
>>> Downloading 'http://192.168.2.4/gentoom//distfiles/root-anchors-20100715.xml'
>>> Downloading 'http://192.168.2.4/gentoom/distfiles/root-anchors-20100715.xml'
>>> Downloading 'http://data.iana.org/root-anchors/root-anchors.xml'
!!! Couldn't download 'root-anchors-20100715.xml'. Aborting.
>>> Downloading 'http://192.168.2.4/gentoom//distfiles/Kjqmt7v-20100715.csr'
>>> Downloading 'http://192.168.2.4/gentoom/distfiles/Kjqmt7v-20100715.csr'
>>> Downloading 'http://data.iana.org/root-anchors/Kjqmt7v.csr'
!!! Couldn't download 'Kjqmt7v-20100715.csr'. Aborting.
 * unbound-1.6.0.tar.gz size ;-) ... [ ok ]
 * Python-3.5.2.tar.xz size ;-) ...  [ ok ]
 * python-gentoo-patches-3.5.2-0.tar.xz size ;-) ... [ ok ]
 * gnutls-3.5.9.tar.xz size ;-) ...  [ ok ]
 * libmicrohttpd-0.9.52.tar.gz size ;-) ...  [ ok ]
 * automake-1.14.1.tar.xz size ;-) ...   [ ok ]
#


# ls -l /var/log/emerge-fetch.log 
-rw-rw 1 portage portage 1046 2017-02-17 14:43 /var/log/emerge-fetch.log
#

( but I checked and I fetched the packages before 14:35 --it's CET here,
and I'm also sure that the emerge-fetch that I posted in the Wiki page
was there when I posted it, and which was after 14:35 CET ... )

-- 
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr




Re: [gentoo-user] OT - Some miscellaneous questions about hack attacks and dealing with them

2007-02-22 Thread Raymond Lewis Rebbeck
On Friday, 23 February 2007 3:15, Michael Sullivan wrote:
> I have logsentry installed on my system which sends me hourly reports
> about possible hack attempts on my three boxes.  I use ipkungfu for my
> firewall.  I've stuck with the default configuration for ipkungfu,
> except for listing each of my machines in my LAN in the
> accepted_hosts.conf file.  I also set ipkungfu to drop all offensive
> packets (not sure if that's the default or not.)  Whenever I see someone
> trying to break in in the logsentry reports, I add their IP to the
> deny_hosts.conf file and restart ipkungfu so that the changes will take
> effect.  I'm wondering why if these offending IPs in deny_hosts.conf are
> being stopped at the firewall I'm still seeing them fail to authenticate
> to my FTP and ssh servers?

If you think you've setup your firewall to block these IPs and yet they are 
still able to access your machines, then it sounds like your firewall is 
misconfigured and isn't blocking the IPs.

> Also, I've always heard that you shouldn't 
> have any ports open on your machine unless you have some server bound to
> that port because hackers can get in through unbound open ports.  Is
> this true? 

I've never heard of this. All ports that you don't want accessible from the 
internet should be completely blocked by your firewall if you have it 
correctly configured.

> If so, how does it work?  What do they connect to if 
> nothing's running on the port they're trying?  I know the concept of a
> backdoor in a running program, but if no program is running on said port
> for them to connect to, how do they get in???

They connect to nothing, they shouldn't be able to establish a connection.

> -Michael Sullivan-



-- 
Raymond Lewis Rebbeck



Re: [gentoo-user] hyperthreading

2005-12-13 Thread Nick Smith
On 12/13/05, Glenn Enright <[EMAIL PROTECTED]> wrote:
> On Wednesday 14 December 2005 09:29, Nick Smith wrote:
> > it's a server, I don't think I built ACPI into the kernel because I didn't
> > need/want it, don't think that should make a difference.
>
> From what I can see SMP functionality seems to rely quite heavily on ACPI
> discovery. Having said that, lots of code in mpparse.c says it should just
> work like in previous versions.
>
> Is this the first time building this kernel version?

probably, I will try adding ACPI support and see what I get, thanks
for the suggestions.

>
> What does 'dmesg | grep CPU' say? anything in /var/log/syslog.log?
>
mail ~ # dmesg | grep CPU
Initializing CPU#0
CPU: After generic identify, caps: bfebfbff   
4400  
CPU: After vendor identify, caps: bfebfbff   
4400  
CPU: Trace cache: 12K uops, L1 D cache: 8K
CPU: L2 cache: 512K
CPU: Physical Processor ID: 0
CPU: After all inits, caps: bfebfbff   0080
4400  
Intel machine check reporting enabled on CPU#0.
CPU0: Intel P4/Xeon Extended MCE MSRs (12) available
CPU0: Thermal monitoring enabled
CPU0: Intel(R) Pentium(R) 4 CPU 2.80GHz stepping 09
Brought up 1 CPUs


> Have you added any extra patches to the kernel recently?
>

nope

> --
> The sounds of the nouns are mostly unbound.
> In town a noun might wear a gown,
> or further down, might dress a clown.
> A noun that's sound would never clown,
> but unsound nouns jump up and down.
> The sound of a noun could disturb the plowing,
> and then, my dear, you'd be put in the pound.
> But please don't let that get you down,
> the renown of your gown is the talk of the town.
> -- A. Nonnie Mouse
>
> --
> gentoo-user@gentoo.org mailing list
>
>




Re: [gentoo-user] DNS server packages

2015-10-11 Thread Alan McKinnon
On 11/10/2015 10:18, J. Roeleveld wrote:
> On Sunday, October 11, 2015 09:35:39 AM Alan McKinnon wrote:
>> On 11/10/2015 04:13, James wrote:
>>> Howdy,
>>>
>>> So I now have (5) statics and a fiber feed, with lots of room to grow.
>>>
>>> I need to setup DNS primary/secondary systems on gentoo. So right now I'm
>>> looking for a suggested list of packages to install with Bind, iptables
>>> and
>>> DNSSEC-tools as these (2) gentoo dns servers will only run the minimum
>>> packages to operate securely?
>>
>> auth or cache?
>>
>> First of all, bind is a pain to use. Reason: it's actually a reference
>> implementation that as usual got forced into production use. It's slower
>> than it could be because it deals with every possible corner case per RFC.
>>
>> As an auth server (few queries) it's OK
>> As a cache (many queries), there are better servers out there. I prefer
>> unbound.
> 
> As it is related to this thread, which server would people recommend when the 
> DNS records are to be found in a database?
> Reason I am asking:
> I want to set up a lab environment with VMs coming and going.
> These all need to have hostname/mac/ip stored and configured correctly.

I don't understand.

mac & IP go together in dhcp and arp
hostname & IP go together in DNS & /etc/hosts

hostname & mac & ip go together nowhere


> Till now, I basically preconfigured Bind and DHCPd for a bunch of them.
> I would prefer to be able to specify a hostname for this, but writing 
> something that keeps changing the configuration and keeping it in-sync with a 
> database is a bit overkill.

arp updates when the host comes on-line
dhcp & dns are separate from individual VMs, populating those services
is part of provisioning them.

Perhaps detail more what you are trying to accomplish?


-- 
Alan McKinnon
alan.mckin...@gmail.com




Re: [gentoo-user] DNS server packages

2015-10-11 Thread J. Roeleveld
On Sunday, October 11, 2015 10:43:01 AM Alan McKinnon wrote:
> On 11/10/2015 10:18, J. Roeleveld wrote:
> > On Sunday, October 11, 2015 09:35:39 AM Alan McKinnon wrote:
> >> On 11/10/2015 04:13, James wrote:
> >>> Howdy,
> >>> 
> >>> So I now have (5) statics and a fiber feed, with lots of room to grow.
> >>> 
> >>> I need to setup DNS primary/secondary systems on gentoo. So right now
> >>> I'm
> >>> looking for a suggested list of packages to install with Bind, iptables
> >>> and
> >>> DNSSEC-tools as these (2) gentoo dns servers will only run the minimum
> >>> packages to operate securely?
> >> 
> >> auth or cache?
> >> 
> >> First of all, bind is a pain to use. Reason: it's actually a reference
> >> implementation that as usual got forced into production use. It's slower
> >> than it could be because it deals with every possible corner case per
> >> RFC.
> >> 
> >> As an auth server (few queries) it's OK
> >> As a cache (many queries), there are better servers out there. I prefer
> >> unbound.
> > 
> > As it is related to this thread, which server would people recommend when
> > the DNS records are to be found in a database?
> > Reason I am asking:
> > I want to set up a lab environment with VMs coming and going.
> > These all need to have hostname/mac/ip stored and configured correctly.
> 
> I don't understand.



> Perhaps detail more what you are trying to accomplish?

What I do currently:

Edit Bind zone-files and enter IP / Hostname combinations
Edit DHCP config file and enter MAC / IP / Hostname combinations
(And hope these actually match and not contain typos)

What I want to do:

In a database I have a table with the following fields:
MAC, IP, Hostname, domain
xx:xx:xx:xx:xx , 1.2.3.4 , vmobi1114node1 , vm1.lab.example.com

I want the DNS server to use the IP, Hostname and domain fields for the 
resolving.
I want the DHCP server to use all the fields for the DHCP assignments.

--
Joost
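One way to get both files from the single table described above, as an added example that is not Joost's setup or code from the thread: a small Python generator that validates each row (MAC, IPv4, RFC 1123 hostname label, no duplicates) and emits matching BIND A/PTR records and ISC dhcpd `host` stanzas. The rows, addresses, names and the /24 network are constructed.

```python
"""Generate BIND zone records and ISC dhcpd host stanzas from one table of
(MAC, IP, hostname, domain) rows, so the two config files cannot drift apart.
Added example, not code from the thread; all names and addresses are constructed."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed stand-in for the database table described in the post.
SAMPLE_ROWS = [
    ("52:54:00:12:34:01", "10.20.30.11", "vmobi1114node1", "lab.example.com"),
    ("52:54:00:12:34:02", "10.20.30.12", "vmobi1114node2", "lab.example.com"),
]

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
# RFC 1123 host label: letters, digits and hyphens, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


@dataclass(frozen=True)
class Host:
    mac: str
    ip: str
    name: str
    domain: str

    @property
    def fqdn(self) -> str:
        return f"{self.name}.{self.domain}"


def validate_rows(rows):
    """Normalise every row and collect all problems before raising.

    Catches the mistakes hand-edited files accept silently: malformed MACs or
    IPs, hostname typos that are not valid labels, and a MAC, IP or FQDN that
    appears twice (two VMs would then fight over one lease or one name).
    """
    hosts, problems = [], []
    seen = {"mac": set(), "ip": set(), "fqdn": set()}
    for lineno, (mac, ip, name, domain) in enumerate(rows, 1):
        mac, ip = mac.strip().lower(), ip.strip()
        name, domain = name.strip().lower(), domain.strip().lower().rstrip(".")
        if not MAC_RE.match(mac):
            problems.append(f"row {lineno}: bad MAC {mac!r}")
        try:
            ipaddress.IPv4Address(ip)
        except ValueError:
            problems.append(f"row {lineno}: bad IPv4 address {ip!r}")
        if not LABEL_RE.match(name):
            problems.append(f"row {lineno}: bad hostname label {name!r}")
        host = Host(mac, ip, name, domain)
        for key, value in (("mac", mac), ("ip", ip), ("fqdn", host.fqdn)):
            if value in seen[key]:
                problems.append(f"row {lineno}: duplicate {key} {value!r}")
            seen[key].add(value)
        hosts.append(host)
    if problems:
        raise ValueError("; ".join(problems))
    return hosts


def bind_forward_records(hosts, domain):
    """A records for the forward zone `domain`, one BIND zone-file line each."""
    return [f"{h.name}\tIN\tA\t{h.ip}" for h in hosts if h.domain == domain]


def bind_reverse_records(hosts, network):
    """PTR records for the in-addr.arpa zone of a /24 `network`."""
    net = ipaddress.IPv4Network(network)
    if net.prefixlen != 24:
        raise ValueError("only /24 reverse zones are handled here")
    records = []
    for h in hosts:
        addr = ipaddress.IPv4Address(h.ip)
        if addr in net:
            # In a /24 reverse zone the owner name is just the last octet.
            records.append(f"{addr.packed[3]}\tIN\tPTR\t{h.fqdn}.")
    return records


def dhcpd_host_stanzas(hosts):
    """ISC dhcpd `host` blocks pinning each MAC to the same IP and name."""
    return "\n".join(
        f"host {h.name} {{\n"
        f"    hardware ethernet {h.mac};\n"
        f"    fixed-address {h.ip};\n"
        f"    option host-name \"{h.name}\";\n"
        f"    option domain-name \"{h.domain}\";\n"
        f"}}"
        for h in hosts
    )


if __name__ == "__main__":
    hosts = validate_rows(SAMPLE_ROWS)
    print("\n".join(bind_forward_records(hosts, "lab.example.com")))
    print("\n".join(bind_reverse_records(hosts, "10.20.30.0/24")))
    print(dhcpd_host_stanzas(hosts))
```

Because every row is rejected before anything is written, a typo in either the MAC or the hostname fails the whole run instead of producing a DHCP lease that disagrees with DNS.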





Re: [gentoo-user] OT - Some miscellaneous questions about hack attacks and dealing with them

2007-02-22 Thread Alan McKinnon
On Thursday 22 February 2007, Michael Sullivan wrote:

>  Also, I've always heard that you shouldn't
> have any ports open on your machine unless you have some server bound
> to that port because hackers can get in through unbound open ports.
>  Is this true?  If so, how does it work?

That sounds like something out of Hollywood, perhaps that atrocious movie 
called Hackers with Angelina Jolie in it.

I fail to see how, in this universe, you can open a port and not have 
something listen on it. Let's face it: a process, or the kernel itself, 
asks to be informed about packets arriving for port X. What is port X? 
It's a number in the TCP/UDP packet so the receiving kernel knows which 
process to send the data to. If that process is not listening, the 
packets go ... nowhere. They don't have magic Gandalfs inside them that 
suddenly sprout up and do l33t h4x0r sh1t to your machine.

Maybe there's some default behaviour the kernel applies to packets that 
are sent to hung/sleeping/absent processes. Maybe that default 
behaviour is such that there's a buffer overflow waiting to be 
exploited. Maybe... I think I wanna see the code and not some bullshit 
posted on an arb blog somewhere.

You should be much more worried about vulnerabilities in known software 
that you don't really use that are running by default.

By far the most common attack vector is weak user names and passwords 
accessed via ssh. Solution is a sensible password policy, or allow ssh 
access only via keys.

Then there's php, but I don't think you want to get me started on 
that...

alan

-- 
Optimists say the glass is half full,
Pessimists say the glass is half empty,
Developers say wtf is the glass twice as big as it needs to be?

Alan McKinnon
alan at linuxholdings dot co dot za
+27 82, double three seven, one nine three five
--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] DNSSEC

2010-11-08 Thread Alan McKinnon
Apparently, though unproven, at 18:21 on Monday 08 November 2010, James did 
opine thusly:

> Hello,
> 
> Several times in the past, I have approached
> setting up DNS servers, only to get side-tracked.
> I'm making another stab at setting my DNS
> servers for my humble, small cidr (/29) block.

Don't take this the wrong way, but you probably don't want to go this route 
right now.

Your questions and statements indicate that you do not know much about DNSSEC 
and probably not DNS itself either. DNS is not trivial, regardless of what 
anyone tells you. DNSSEC less so. This is a topic best left to groups that do 
it all day every day, the hobbyist approach isn't what you want.

How do I know this? Well, I have 7 years of DNS support tickets I can trawl 
through :-) The number of mistakes made by clients, the number of silly 
requests they make and the sheer amount of misinformation about how DNS works 
is unbelievable. By contrast, there's no record of my team (who admin the 
servers) making any mistakes, ever. And the fellow who sits next to me (and 
signs off on my performance review) just signed the .za zone. I watched him, I 
know how non-trivial it is :-)

Play with DNSSEC by all means if it intrigues you. If you get it right easily, 
you can write a wiki page that helps others immensely. But just be informed 
upfront about what it's going to take.




> 
> Now it seems DNSSEC is all the rage, even
> at the root servers [1].
> 
> So what am I to choose to effect DNSSEC on gentoo?
> Hardware suggestions on low power (5-10 watts) (embedded)
> hardware with Gentoo are welcome.
> 
> net-dns/unbound (portage) [2]
> bind9 (portage)
> nsd (?)
> opendnssec (sunrise overlay)
> ???
> 
> Googling and research has led me to reading
> quite a lot of interesting, but fragmented
> thoughts on the subject of DNSSEC and gentoo.
> 
> Any discussion or guidance is appreciated.
> 
> [1] http://www.root-dnssec.org/
> [2] http://www.unbound.net/documentation/howto_anchor.html
> [3] https://svn.whyscream.net/whyscream-overlay/sunrise-dev/net-dns/
> [4] http://gentoo-overlays.zugaina.org/sunrise/net-dns.html.en
> 
> [] https://www.dnssec-tools.org/wiki/index.php/Tutorials

-- 
alan dot mckinnon at gmail dot com



Re: [gentoo-user] DNS server packages

2015-10-11 Thread Bill Kenworthy
On 11/10/15 16:43, Alan McKinnon wrote:
> On 11/10/2015 10:18, J. Roeleveld wrote:
>> On Sunday, October 11, 2015 09:35:39 AM Alan McKinnon wrote:
>>> On 11/10/2015 04:13, James wrote:
>>>> Howdy,
>>>>
>>>> So I now have (5) statics and a fiber feed, with lots of room to grow.
>>>>
>>>> I need to setup DNS primary/secondary systems on gentoo. So right now I'm
>>>> looking for a suggested list of packages to install with Bind, iptables
>>>> and
>>>> DNSSEC-tools as these (2) gentoo dns servers will only run the minimum
>>>> packages to operate securely?
>>>
>>> auth or cache?
>>>
>>> First of all, bind is a pain to use. Reason: it's actually a reference
>>> implementation that as usual got forced into production use. It's slower
>>> than it could be because it deals with every possible corner case per RFC.
>>>
>>> As an auth server (few queries) it's OK
>>> As a cache (many queries), there are better servers out there. I prefer
>>> unbound.
>>
>> As it is related to this thread, which server would people recommend when 
>> the 
>> DNS records are to be found in a database?
>> Reason I am asking:
>> I want to set up a lab environment with VMs coming and going.
>> These all need to have hostname/mac/ip stored and configured correctly.
> 
> I don't understand.
> 
> mac & IP go together in dhcp and arp
> hostname & IP go together in DNS & /etc/hosts
> 
> hostname & mac & ip go together nowhere
> 
> 
>> Till now, I basically preconfigured Bind and DHCPd for a bunch of them.
>> I would prefer to be able to specify a hostname for this, but writing 
>> something that keeps changing the configuration and keeping it in-sync with 
>> a 
>> database is a bit overkill.
> 
> arp updates when the host comes on-line
> dhcp & dns are separate from individual VMs, populating those services
> is part of provisioning them.
> 
> Perhaps detail more what you are trying to accomplish?
> 
> 

ISC dhcpd can update bind when a host requests an IP.

One of many examples:
"http://askubuntu.com/questions/162265/how-to-setup-dhcp-server-and-dynamic-dns-with-bind"

BillK




Re: [gentoo-user] OT - Some miscellaneous questions about hack attacks and dealing with them

2007-02-22 Thread Dan Cowsill

Actually, I'd be pretty interested in what you have to rant about PHP.
I run apache with php_mod installed and have the http port open.  Is
there a security risk I should be aware of?

Thanks

On 2/22/07, Alan McKinnon <[EMAIL PROTECTED]> wrote:

On Thursday 22 February 2007, Michael Sullivan wrote:

> Also, I've always heard that you shouldn't
> have any ports open on your machine unless you have some server bound
> to that port because hackers can get in through unbound open ports.
> Is this true? If so, how does it work?

That sounds like something out of Hollywood, perhaps that atrocious movie
called Hackers with Angelina Jolie in it.

I fail to see how, in this universe, you can open a port and not have
something listen on it. Let's face it: a process, or the kernel itself,
asks to be informed about packets arriving for port X. What is port X?
It's a number in the TCP/UDP packet so the receiving kernel knows which
process to send the data to. If that process is not listening, the
packets go ... nowhere. They don't have magic Gandalfs inside them that
suddenly sprout up and do l33t h4x0r sh1t to your machine.

Maybe there's some default behaviour the kernel applies to packets that
are sent to hung/sleeping/absent processes. Maybe that default
behaviour is such that there's a buffer overflow waiting to be
exploited. Maybe... I think I wanna see the code and not some bullshit
posted on an arb blog somewhere.

You should be much more worried about vulnerabilities in known software
that you don't really use that are running by default.

By far the most common attack vector is weak user names and passwords
accessed via ssh. Solution is a sensible password policy, or allow ssh
access only via keys.

Then there's php, but I don't think you want to get me started on
that...

alan

--
Optimists say the glass is half full,
Pessimists say the glass is half empty,
Developers say wtf is the glass twice as big as it needs to be?

Alan McKinnon
alan at linuxholdings dot co dot za
+27 82, double three seven, one nine three five
--
gentoo-user@gentoo.org mailing list





--
-·=»Ðŧħ«=·-


[gentoo-user] svn-server setup (need it for gnunet in Air-Gap install)

2017-02-19 Thread Miroslav Rovis
The support question is at the end. But I also thought it useful to relate
my experience with installing Gnunet.

I've successfully deployed installing from my Cgit-on-Apache served
cloned git's, whichever that I need, as you can read in:

Pale Moon Air-Gapped portage EAPI 6 Install
https://marc.info/?l=gentoo-user&m=148750248005478&w=2

And I've all but completed installing Gnunet
( if you're as poorly informed as I was, see:
http://youbroketheinternet.org/#overlay
https://wiki.gentoo.org/wiki/Overlay:Youbroketheinternet
https://gnunet.org/node/2634 <-- not guaranteed to survive...
... Why? See:
https://secure-os.org/pipermail/desktops/2017-February/000171.html
where ng0, the author, writes in reply:
> There is also: GNUnet for Gentoo on gnunet.org (and I'm not sure if the
> tip needs to be updated as per: [[1]]
That page is outdated and will be removed once we update gnunet.org to
the new web framework.
)

But here's more of my experience so far with installing gnunet, with
this last hurdle to overcome left.

Gnunet has a few requirements, it should be here:
https://bugs.gentoo.org/show_bug.cgi?id=609740#c0
in the attachment:
https://bugs.gentoo.org/attachment.cgi?id=464236
or, by the current packages:
automake-1.14.1.tar.xz, gnurl-170218.tar, gnurl-git-170218.tar,
gnutls-3.5.9.tar.xz, Kjqmt7v-20100715.csr, libmicrohttpd-0.9.52.tar.gz,
Python-3.5.2.tar.xz, python-gentoo-patches-3.5.2-0.tar.xz,
root-anchors-20100715.xml, unbound-1.6.0.tar.gz

I have overcome the portage checksum fail issue for the dnssec-root, see:
youbroketheinternet's gnunet dependency net-dns/dnssec-root-20150403
checksum fail
https://bugs.gentoo.org/show_bug.cgi?id=609740
also:
dependency net-dns/dnssec-root-20150403 checksum fails
https://gnunet.org/bugs/view.php?id=4898
and:
gnunet dependency dnssec-root checksum fail for 7 yrs old IANA XML 
https://lists.gt.net/gentoo/user/323337

and also I git clone'd gnurl to have it available locally for my
Air-Gapped...

All the above is solved.

But gnunet is developed in Subversion, and I have to make a Subversion
server now, and somehow pull from gnunet repo into my local, to have
gnunet available for my Air-Gapped...

I have searched, I have found this useful link (with further
references), for setting up a Subversion server:

How to set up a Subversion (SVN) server on GNU/Linux - Ubuntu
https://stackoverflow.com/questions/60736/how-to-set-up-a-subversion-svn-server-on-gnu-linux-ubuntu

But I was wondering if anybody knows of a more Gentoo-specific
tutorial/tip/thread/topic/other about setting up a Subversion server?

Regards!
-- 
Miroslav Rovis
Zagreb, Croatia
https://www.CroatiaFidelis.hr




Re: [gentoo-user] DNS server packages

2015-10-11 Thread Alan McKinnon
On 11/10/2015 11:33, J. Roeleveld wrote:
> On Sunday, October 11, 2015 10:43:01 AM Alan McKinnon wrote:
>> On 11/10/2015 10:18, J. Roeleveld wrote:
>>> On Sunday, October 11, 2015 09:35:39 AM Alan McKinnon wrote:
>>>> On 11/10/2015 04:13, James wrote:
>>>>> Howdy,
>>>>>
>>>>> So I now have (5) statics and a fiber feed, with lots of room to grow.
>>>>>
>>>>> I need to setup DNS primary/secondary systems on gentoo. So right now
>>>>> I'm
>>>>> looking for a suggested list of packages to install with Bind, iptables
>>>>> and
>>>>> DNSSEC-tools as these (2) gentoo dns servers will only run the minimum
>>>>> packages to operate securely?
>>>>
>>>> auth or cache?
>>>>
>>>> First of all, bind is a pain to use. Reason: it's actually a reference
>>>> implementation that as usual got forced into production use. It's slower
>>>> than it could be because it deals with every possible corner case per
>>>> RFC.
>>>>
>>>> As an auth server (few queries) it's OK
>>>> As a cache (many queries), there are better servers out there. I prefer
>>>> unbound.
>>>
>>> As it is related to this thread, which server would people recommend when
>>> the DNS records are to be found in a database?
>>> Reason I am asking:
>>> I want to set up a lab environment with VMs coming and going.
>>> These all need to have hostname/mac/ip stored and configured correctly.
>>
>> I don't understand.
> 
> 
> 
>> Perhaps detail more what you are trying to accomplish?
> 
> What I do currently:
> 
> Edit Bind zone-files and enter IP / Hostname combinations
> Edit DHCP config file and enter MAC / IP / Hostname combinations
> (And hope these actually match and not contain typos)
> 
> What I want to do:
> 
> In a database I have a table with the following fields:
> MAC, IP, Hostname, domain
> xx:xx:xx:xx:xx , 1.2.3.4 , vmobi1114node1 , vm1.lab.example.com
> 
> I want the DNS server to use the IP, Hostname and domain fields for the 
> resolving.
> I want the DHCP server to use all the fields for the DHCP assignments.


OK, that makes sense. You'd think all decent DNS and DHCP servers out
there would support any old arb db backend (very useful, no?) but it
seems not. I've gotten used to independently vi'ing two files and
HUP/reload two daemons over the years :-)

Bind can use a mysql backend, so can most auth servers. The only dhcp
server easily available on gentoo seems to be dhcp from ISC which does
not support mysql. But both support ldap, maybe you can use that?
There's lots of ldap frontends so getting your info into it should be
easy enough.

You could also look into kea (https://www.isc.org/kea/), a better dhcp
server from ISC. The blurb says it supports SQL backends.

-- 
Alan McKinnon
alan.mckin...@gmail.com




Re: [gentoo-user] Best caching dns server?

2012-05-20 Thread Alan McKinnon
On Sun, 20 May 2012 06:15:42 +0530
Nilesh Govindrajan  wrote:

> On Sat, May 19, 2012 at 10:06 PM, Alan McKinnon
>  wrote:
> > On Sat, 19 May 2012 07:45:56 +0530
> > Nilesh Govindrajan  wrote:
> >
> >> Hi,
> >>
> >> Which is the best caching dns server? I'm presently using
> >> pdns-recursor, which is quite good, but doesn't have option to set
> >> minimum ttl (doesn't make sense, but some sites like twitter have
> >> ridiculously low ttl of 30s). Also, it isn't able to save cached
> >> entries to file so that it can be restored on next boot. Any
> >> option?
> >
> > You can use almost any cache you want...
> >
> > ... except bind
> >
> > We use unbound. Does the job, does it well, developer very
> > responsive.
> >
> > But do not fiddle with TTLs, that breaks stuff in spectacular ways.
> > Essentially, with the TTL the auth server is saying "We guarantee
> > that you can treat this RR as valid for X amount of time and suffer
> > no ill effects if you do"
> >
> > What you want to do is break that agreement, which is really not a
> > good idea.
> >
> >>
> >> I am keeping my box 24x7 on because it serves as dns on my small
> >> home wifi, not acceptable to me, because network is almost off at
> >> night (only phone) and I have my router as secondary dns.
> >
> > Just use Google's caches or OpenDNS. They do the job so much better
> > than you ever could. Why reinvent the wheel?
> >
> >
> 
> Slow connection. See my previous reply to the list. I'm using pdnsd,
> which can persist records and has every damn feature I wanted.
> 

Fair enough, but consider this:

If your connection is slow, the only thing you speeded up is the DNS
lookups. Thereafter, everything else is still as slow as it ever was.
And if you feel the need to speed up DNS lookups then the odds are very
good that "everything else" is too slow i.e. not exactly usable.

We get this a lot from our customers too, and the advice we give them
is to look closely at their traffic throttling. In almost every case
all UDP traffic has had the living crap throttled out of it somewhere
by folk that don't really think things through, severely affecting
dns and ntp as well as AV streaming.

Throttled DNS rapidly gets out of hand, IIRC the last time we did some
measurements it only takes around 5% of dns lookups to go wonky for the
situation to rapidly spiral out of control - when dns fails the cache
will try a TCP lookup and that's like wading through molasses.

Our advice to customers is to first unthrottle dns and ntp completely,
give it the highest possible priority (these are extremely light
protocols and seldom show up on the radar when you do this), and see
how that goes.

It just seems to me that you *might* be trying a very unusual solution
for a problem that is better handled one layer lower down.

-- 
Alan McKinnon
alan.mckin...@gmail.com




Re: [gentoo-user] IPv6 not ready here; Hmmm

2011-06-08 Thread Mick
On Thursday 09 Jun 2011 02:25:43 Paul Hartman wrote:

> My wireless router is running DD-WRT (which is a Linux distro). It is
> running kernel 2.6.34 and has all the ipv6 modules enabled in the
> kernel. Basically, it is setup by loading the "sit" module
> (CONFIG_IPV6_SIT_6RD in kernel config). Then using the "ip" command to
> create a sit tunnel and set up the routes for IPv6 traffic, and then
> starts radvd (the IPv6 router advertisement daemon, think of it as a
> kind of DHCP server for IPv6 addresses). The process should be exactly
> the same on OpenWRT.

Oh I see, that explains it!


> > What does your /etc/resolv.conf show?
> 
> $ cat /etc/resolv.conf
> nameserver 127.0.0.1
> 
> (because I run net-dns/unbound on my local machine). For the other
> computers/devices they use the DNS server which runs on the router,
> 192.168.0.1
> 
> My ISP does offer DNS servers at actual IPv6 addresses, though I'm not
> using them.

So when an IPv6 query arrives at your local resolver (router) from one of your 
LAN machines on the 192.168.0.1 address, the router knows to send it down the 
tunnel to be resolved at the ISP's resolvers?


> For Microsoft Windows (at least Windows 7), when it detects IPv6
> advertisement server on the local network, it will use it
> automatically. When no IPv6 is detected, it uses Teredo instead. Maybe
> your DNS servers don't return IPv6 addresses?

Well, yes my router is ipv4 only and therefore it would not resolve ipv6 
addresses.


> On my wife's Windows 7 laptop, it just worked perfectly after I
> enabled it on my router and her wifi reconnected. All tests on
> test-ipv6.com pass except for the last DNS test. She can go to sites
> like http://www.v6.facebook.com no problems.

That's because Windows 7 uses Teredo servers/relays to resolve and connect to 
ipv6 addresses.


> BTW, Windows Vista and 7 generate randomized host IDs for public IPv6
> addresses, it's generally advised to disable that. You can do that by
> running this at administrator cmd prompt:
> netsh interface ipv6 set global randomizeidentifiers=disabled

I was looking at the same in the Linux kernel scratching my head if I should 
enable this or not ...

What does it do - not sure I understand what such temporary addresses are used 
for:

IPv6: Privacy Extensions (RFC 3041) support

CONFIG_IPV6_PRIVACY:

Privacy Extensions for Stateless Address Autoconfiguration in IPv6 support.  
With this option, additional periodically-altered pseudo-random global-scope 
unicast address(es) will be assigned to your interface(s).  


We use our standard pseudo-random algorithm to generate the randomized 
interface identifier, instead of one described in RFC 3041.

By default the kernel does not generate temporary addresses. To use temporary 
addresses, do

   echo 2 >/proc/sys/net/ipv6/conf/all/use_tempaddr 


See  for details.  


Symbol: IPV6_PRIVACY [=n]
Type  : boolean
Prompt: IPv6: Privacy Extensions (RFC 3041) support
   Defined at net/ipv6/Kconfig:24
   Depends on: NET [=y] && INET [=y] && IPV6 [=y]
   Location:
 -> Networking support (NET [=y])
   -> Networking options
 -> TCP/IP networking (INET [=y])
   -> The IPv6 protocol (IPV6 [=y]) 

-- 
Regards,
Mick




[gentoo-user] Re: DNS server packages

2015-10-12 Thread James
Alan McKinnon  gmail.com> writes:


> > I need to setup DNS primary/secondary systems on gentoo. So right now 
> > I'm looking for a suggested list of packages to install with Bind, 
> > iptables and DNSSEC-tools as these (2) gentoo dns servers will only 
> > run the minimum packages to operate securely?
> auth or cache?

These are the (2) net facing primary and slave dns servers, just for the
few domain names I will authenticate. They'll be behind a firewall
(iptables/dmz) with no internal zone information.  Strictly auth, public
facing, with DNSsec. The plan is to go slow with manual configuration and
slowly add features like a database, as I roll out new auth-DNS servers
on newer, embedded hardware (very small very low power, but lots of ram
(2G)). So over time the scope will evolve. It's a manual approach to a
refresher for me.  Eventually one of the auth-dns-slaves will be an arm
cluster for performance testing on mesos. (That's a ways off).


So also, the iptables rules for such a setup will need to be revisited,
dusting off what I used to use. Again, the importance is trying different
packages and sniffing the results and examining log files (manually and with
scripts) on a log host. So only port 53 (public/routable net visible)
and port 22 from a select set of private ips is all these will need.


> First of all, bind is a pain to use. Reason: it's actually a reference
> implementation that as usual got forced into production use. It's slower
> than it could be because it deals with every possible corner case per RFC.
> As an auth server (few queries) it's OK

Bind is an old acquaintance of mine:: been a few years, hence the post.
I may test/migrate to something else, later.

> As a cache (many queries), there are better servers out there. I prefer
> unbound.

A Caching DNS server for internal usages is another project for another
time. It will be totally isolated; still, good to know.


> > Also, what is the (nominal) minimum amount of RAM needed to keep all  
> > routes in ram in these  name servers?
> I don't understand. DNS servers don't keep routes in memory - routers do
> that. Perhaps you mean cached DNS records?
> DNS is light on RAM, there are only so many records typical users will
> look up. DNS caches not too long ago ran for years problem free with a
> puny few hundred MB. It's not something to be worried about.

There should be a way to keep all the responses for the zones info they
serve in ram?  I know it often happens without intervention, but surely
there are published methods to ensure this info is kept "in ram" like bcachefs?

Also flushing and ram usage status monitoring, as these auth dns servers
will eventually migrate to low power embedded machines where keeping 
things in ram is critical to performance.

'eix -cC net-dns | grep auth'   

Re: [gentoo-user] DNS server packages

2015-10-11 Thread J. Roeleveld
On Sunday, October 11, 2015 02:48:23 PM Alan McKinnon wrote:
> On 11/10/2015 11:33, J. Roeleveld wrote:
> > On Sunday, October 11, 2015 10:43:01 AM Alan McKinnon wrote:
> >> On 11/10/2015 10:18, J. Roeleveld wrote:
> >>> On Sunday, October 11, 2015 09:35:39 AM Alan McKinnon wrote:
> >>>> On 11/10/2015 04:13, James wrote:
> >>>>> Howdy,
> >>>>> 
> >>>>> So I now have (5) statics and a fiber feed, with lots of room to grow.
> >>>>> 
> >>>>> I need to setup DNS primary/secondary systems on gentoo. So right now
> >>>>> I'm
> >>>>> looking for a suggested list of packages to install with Bind,
> >>>>> iptables
> >>>>> and
> >>>>> DNSSEC-tools as these (2) gentoo dns servers will only run the minimum
> >>>>> packages to operate securely?
> >>>> 
> >>>> auth or cache?
> >>>> 
> >>>> First of all, bind is a pain to use. Reason: it's actually a reference
> >>>> implementation that as usual got forced into production use. It's
> >>>> slower
> >>>> than it could be because it deals with every possible corner case per
> >>>> RFC.
> >>>> 
> >>>> As an auth server (few queries) it's OK
> >>>> As a cache (many queries), there are better servers out there. I prefer
> >>>> unbound.
> >>> 
> >>> As it is related to this thread, which server would people recommend
> >>> when
> >>> the DNS records are to be found in a database?
> >>> Reason I am asking:
> >>> I want to set up a lab environment with VMs coming and going.
> >>> These all need to have hostname/mac/ip stored and configured correctly.
> >> 
> >> I don't understand.
> > 
> > 
> > 
> >> Perhaps detail more what you are trying to accomplish?
> > 
> > What I do currently:
> > 
> > Edit Bind zone-files and enter IP / Hostname combinations
> > Edit DHCP config file and enter MAC / IP / Hostname combinations
> > (And hope these actually match and not contain typos)
> > 
> > What I want to do:
> > 
> > In a database I have a table with the following fields:
> > MAC, IP, Hostname, domain
> > xx:xx:xx:xx:xx , 1.2.3.4 , vmobi1114node1 , vm1.lab.example.com
> > 
> > I want the DNS server to use the IP, Hostname and domain fields for the
> > resolving.
> > I want the DHCP server to use all the fields for the DHCP assignments.
> 
> OK, that makes sense. You'd think all decent DNS and DHCP servers out
> there would support any old arb db backend (very useful, no?) but it
> seems not. I've gotten used to independently vi'ing two files and
> HUP/reload two daemons over the years :-)

Same here. Works for the most part, but I'm not the only one using the system.
Which means I prefer to have it easier to use and not end up having to do all 
the work myself.

> Bind can use a mysql backend, so can most auth servers.

Need to check how difficult/easy it is to make it listen to PostgreSQL.
I'm not overly attached to Bind. Having a DNS server that's easier to configure 
and maintain would be appreciated.

> The only dhcp
> server easily available on gentoo seems to be dhcp from ISC which does
> not support mysql. But both support ldap, maybe you can use that?
> There's lots of ldap frontends so getting your info into it should be
> easy enough.

That's one option, but that would mean maintaining 2 databases.
One with the config for the VMs and OpenLDAP.


> You could also look into kea (https://www.isc.org/kea/), a better dhcp
> server from ISC. The blurb says it supports SQL backends.

I'll have a look at that one.

--
Joost



Re: [gentoo-user] Re: DNS server packages

2015-10-12 Thread Alan McKinnon
On 12/10/2015 19:43, James wrote:
> Alan McKinnon  gmail.com> writes:
> 
> 
>>> I need to setup DNS primary/secondary systems on gentoo. So right now 
>>> I'm looking for a suggested list of packages to install with Bind, 
>>> iptables and DNSSEC-tools as these (2) gentoo dns servers will only 
>>> run the minimum packages to operate securely?
>> auth or cache?
> 
> These are the (2) net facing primary and slave dns servers, just for the
> few domain names I will authenticate. They'll be behind a firewall
> (iptables/dmz) with no internal zone information.  Strictly auth, public
> facing, with DNSsec. The plan is to go slow with manual configuration and
> slowly add features like a database, as I roll out new auth-DNS servers
> on newer, embedded hardware (very small very low power, but lots of ram
> (2G)). So over time the scope will evolve. It's a manual approach to a
> refresher for me.  Eventually one of the auth-dns-slaves will be an arm
> cluster for performance testing on mesos. (That's a ways off).
> 
> 
> So also, the iptables rules for such a setup will need to be revisited,
> dusting off what I used to use. Again, the importance is trying different
> packages and sniffing the results and examining log files (manually and with
> scripts) on a log host. So only port 53 (public/routable net visible)
> and port 22 from a select set of private ips is all these will need.

Then you need your chosen name server (bind), your chosen fw ruleset
generators (iptables, maybe some other front end) and maybe fail2ban or
one of its friends if you find some port gets hammered.

Block all ports except 53 and 22, send all logs to a remote syslogger
and trawl through them to your heart's content. All very usual and normal.


>> First of all, bind is a pain to use. Reason: it's actually a reference
>> implementation that as usual got forced into production use. It's slower
>> than it could be because it deals with every possible corner case per RFC.
>> As an auth server (few queries) it's OK
> 
> Bind is an old acquaintance of mine:: been a few years, hence the post.
> I may test/migrate to something else, later.

OK. For a few domains there's no benefit to using something other than
what you already know.

> 
>> As a cache (many queries), there are better servers out there. I prefer
>> unbound.
> 
> A Caching DNS server for internal usages is another project for another
> time. It will be totally isolated; still, good to know.
> 
> 
>>> Also, what is the (nominal) minimum amount of RAM needed to keep all  
>>> routes in ram in these  name servers?
>> I don't understand. DNS servers don't keep routes in memory - routers do
>> that. Perhaps you mean cached DNS records?
>> DNS is light on RAM, there are only so many records typical users will
>> look up. DNS caches not too long ago ran for years problem free with a
>> puny few hundred MB. It's not something to be worried about.
> 
> There should be a way to keep all the responses for the zones info they
> serve in ram?  I know it often happens without intervention, but surely
> there are published methods to ensure this info is kept "in ram" like 
> bcachefs?
> 
> Also flushing and ram usage status monitoring, as these auth dns servers
> will eventually migrate to low power embedded machines where keeping 
> things in ram is critical to performance.

I can't help but feel you are worried about a problem that doesn't
exist. It takes lots and lots and lots of zones to get above 1M disk
space. How much ram do you think you need?

DNS caches are resource intensive (the upper limit on what they cache is
the internet)
DNS auth servers are not (their upper limit is how many bytes in the
zones) and they tend to idle most of the time. Well unless you do silly
things like set all TTLs to 1 (or god forbid, 0) and your auth server
becomes a cache

> 
> 'eix -cC net-dns | grep auth'
> Curiously, Are they better, more easily secured solutions?
> 
> 
> It's been a while for me so a vetting of the packages is the first step
> for this minimal, manual setup of the auth-dns servers for a few domain 
> names::
> 
> 
> Bind9, dnssec-tools, iptables:: any other packages relevant/germane
> on a amd-default profile [1] ?

Yes, that's about it.
Add in all the other usual server stuff you like to use - monitoring,
logging, notifications, mail, whatever


-- 
Alan McKinnon
alan.mckin...@gmail.com
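Added example, not from the thread, following up the quoted question about "ram usage status monitoring" for a caching resolver: a small POSIX sh helper that reads the output of `unbound-control stats` and reports how full the two caches are against the limits set in unbound.conf. The sample stats text below is constructed; the counter names (mem.cache.rrset, mem.cache.message, total.num.*) and the options `rrset-cache-size` / `msg-cache-size` are real, but the limit values are assumptions.

```shell
#!/bin/sh
# Constructed example, not from the thread or the unbound project: report how
# much of unbound's configured cache memory is in use, from the output of
# `unbound-control stats`. The sample output is made up; the field names are
# real unbound counters (mem.* values are bytes).
SAMPLE_STATS='total.num.queries=120000
total.num.cachehits=96000
total.num.cachemiss=24000
mem.cache.rrset=5242880
mem.cache.message=2097152
mem.mod.iterator=16588
mem.mod.validator=66072'

# Assumed limits, matching these (hypothetical) unbound.conf lines:
#   rrset-cache-size: 8m
#   msg-cache-size: 4m
RRSET_LIMIT=$((8 * 1024 * 1024))
MSG_LIMIT=$((4 * 1024 * 1024))

# Extract one counter by name from stats text on stdin.
stat_value() {
  awk -F= -v key="$1" '$1 == key { print $2; exit }'
}

# Percentage of a cache limit currently used.
#   $1 = stats text, $2 = counter name, $3 = limit in bytes
cache_pct() {
  used=$(printf '%s\n' "$1" | stat_value "$2")
  echo $(( used * 100 / $3 ))
}

# Cache hit ratio in percent (0 when nothing has been queried yet).
hit_ratio() {
  hits=$(printf '%s\n' "$1" | stat_value total.num.cachehits)
  total=$(printf '%s\n' "$1" | stat_value total.num.queries)
  [ "$total" -gt 0 ] || { echo 0; return; }
  echo $(( hits * 100 / total ))
}

# Human-readable report; for a live resolver pass "$(unbound-control stats_noreset)".
report() {
  stats="$1"
  printf 'rrset cache:     %s%% of limit\n' "$(cache_pct "$stats" mem.cache.rrset "$RRSET_LIMIT")"
  printf 'message cache:   %s%% of limit\n' "$(cache_pct "$stats" mem.cache.message "$MSG_LIMIT")"
  printf 'cache hit ratio: %s%%\n' "$(hit_ratio "$stats")"
}

report "$SAMPLE_STATS"
```

Two things to keep in mind when wiring this into monitoring: plain `stats` zeroes the counters on every call, so use `stats_noreset` if more than one poller reads them, and a cache that sits far below its limit for days is the usual picture for a small site, which is the point Alan makes above.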




Re: [gentoo-user] IPv6 not ready here; Hmmm

2011-06-08 Thread Paul Hartman
On Wed, Jun 8, 2011 at 5:04 PM, Mick  wrote:
> On Wednesday 08 Jun 2011 20:51:10 Paul Hartman wrote:
>>
>> Charter Communications cable internet:
>>
>> Test with IPv4 DNS record
>> ok (0.580s) using ipv4
>> Test with IPv6 DNS record
>> ok (0.268s) using ipv6
>> Test with Dual Stack DNS record
>> ok (0.256s) using ipv6
>> Test for Dual Stack DNS and large packet
>> ok (0.090s) using ipv6
>> Test IPv4 without DNS
>> ok (0.148s) using ipv4
>> Test IPv6 without DNS
>> ok (0.162s) using ipv6
>> Test IPv6 large packet
>> ok (0.092s) using ipv6
>> Test if your ISP's DNS server uses IPv6
>> ok (0.316s) using ipv6
>>
>> :)
>
> I find this rather confusing!  Paul is your ISP offering native IPv6 and if
> they do does your router speak ipv6?

My ISP (Charter) does not offer native IPv6 yet, but they do offer a
6RD Border Relay. It is basically an IPv6 tunnel that runs over an
IPv4 network, but the important part is that the tunnel server is
running within my ISP's network. That means I get my full internet
speed on IPv6 traffic!

My wireless router is running DD-WRT (which is a Linux distro). It is
running kernel 2.6.34 and has all the ipv6 modules enabled in the
kernel. Basically, it is set up by loading the "sit" module
(CONFIG_IPV6_SIT_6RD in kernel config), then using the "ip" command to
create a sit tunnel and set up the routes for IPv6 traffic, and then
starting radvd (the IPv6 router advertisement daemon, think of it as a
kind of DHCP server for IPv6 addresses). The process should be exactly
the same on OpenWRT.

After that, machines on my local network (including wifi) can get both
IPv4 and IPv6 addresses from the router and can talk to the outside
world on either network.

(and then when you get to that point, you should create IPv6 firewall
rules on the router and/or computers, or else risk leaving their
entire network open to bad guys)

> What does your /etc/resolv.conf show?

$ cat /etc/resolv.conf
nameserver 127.0.0.1

(because I run net-dns/unbound on my local machine). For the other
computers/devices they use the DNS server which runs on the router,
192.168.0.1

My ISP does offer DNS servers at actual IPv6 addresses, though I'm not
using them.

> When I run this test I get:
>
> Test with IPv4 DNS record
> ok (0.552s) using ipv4
> Test with IPv6 DNS record
> bad (0.197s)
> Test with Dual Stack DNS record
> ok (0.558s) using ipv4
> Test for Dual Stack DNS and large packet
> ok (0.239s) using ipv4
> Test IPv4 without DNS
> ok (0.368s) using ipv4
> Test IPv6 without DNS
> bad (0.022s)
> Test IPv6 large packet
> bad (0.025s)
> Test if your ISP's DNS server uses IPv6
> ok (0.691s) using ipv4

For example all this stuff just works normally here:

$ host ipv6.google.com
ipv6.google.com is an alias for ipv6.l.google.com.
ipv6.l.google.com has IPv6 address 2001:4860:800b::93

# traceroute6 ipv6.google.com
traceroute to ipv6.l.google.com (2001:4860:800b::93) from
2602:100:xx:xx:xx:xx:xx:xx, 30 hops max, 24 byte packets
 1  2602:100:xx:xx:1::1 (2602:100:xx:xx:1::1)  0.459 ms  0.383 ms  0.353 ms
 2  * * *
 3  2001:506:100:6c::1 (2001:506:100:6c::1)  11.29 ms  7.999 ms  7.773 ms
 4  bbr01olvemo.tge0-3-0-4.mo.olve.charter.com (2001:506:100:23::1)
9.093 ms  7.715 ms  7.691 ms
 5  bbr02chcgil.tge0-3-0-0.il.chcg.charter.com (2001:506:100:55::2)
33.981 ms  25.812 ms  23.573 ms
 6  prr01chcgil.tge2-4.il.chcg.charter.com (2001:506:100:317::1)
16.862 ms  17.737 ms  16.46 ms
 7  v201.core1.chi1.he.net (2001:470:0:114::1)  18.04 ms  17.368 ms  24.015 ms
 8  * * *
 9  2001:4860::1:0:92e (2001:4860::1:0:92e)  34.911 ms  18.025 ms  25.379 ms
10  2001:4860::8:0:281e (2001:4860::8:0:281e)  27.843 ms  28.74 ms  28.569 ms
11  2001:4860::2:0:7ef (2001:4860::2:0:7ef)  27.568 ms  28.365 ms  28.221 ms
12  2001:4860:0:1::83 (2001:4860:0:1::83)  27.586 ms  37.284 ms  35.649 ms
13  iw-in-x93.1e100.net (2001:4860:800b::93)  27.731 ms  27.647 ms  28.372 ms

> From Windows7 I can ping ipv6 addresses (but not domain names) because it uses
> Teredo, but from Linux I cannot.

For Microsoft Windows (at least Windows 7), when it detects IPv6
advertisement server on the local network, it will use it
automatically. When no IPv6 is detected, it uses Teredo instead. Maybe
your DNS servers don't return IPv6 addresses?

On my wife's Windows 7 laptop, it just worked perfectly after I
enabled it on my router and her wifi reconnected. All tests on
test-ipv6.com pass except for the last DNS test. She can go to sites
like http://www.v6.facebook.com no problems.

BTW, Windows Vista and 7 generate randomized host IDs for public IPv6
addresses, it's generally advised to disable that. You can do that by
running this at administrator cmd prompt:
netsh interface ipv6 set global randomizeidentifiers=disabled

And now I'll try not to talk about Windows on this list again for the
remainder of the year. ;)

Hope that helps!
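Added example for the firewall step the post mentions (not code from the post, and not DD-WRT's or OpenWRT's own scripts): a POSIX sh script that prints, and on request applies, a default-deny ip6tables ruleset for a router whose upstream is a 6rd sit tunnel. The interface names `br0` (LAN bridge) and `sit1` (tunnel) are assumptions that can be overridden with LAN_IF and TUN_IF, and it assumes an ip6tables build with the state, limit and icmp6 matches.

```shell
#!/bin/sh
# Constructed example, not code from the original post or from DD-WRT:
# a minimal stateful ip6tables ruleset for a router terminating a 6rd "sit"
# tunnel, so that LAN hosts with global IPv6 addresses are not reachable
# from the internet by default. Interface names are assumptions.
LAN_IF="${LAN_IF:-br0}"
TUN_IF="${TUN_IF:-sit1}"

# ICMPv6 types IPv6 cannot work without (see RFC 4890): error reporting and
# path-MTU discovery must also be forwarded; neighbour/router discovery is
# link-local and only needs to reach the router itself.
ICMP6_ERRORS="destination-unreachable packet-too-big time-exceeded parameter-problem"
ICMP6_NDP="router-solicitation router-advertisement neighbour-solicitation neighbour-advertisement"

# Print the rules rather than applying them, so they can be reviewed first.
gen_ip6_rules() {
  cat <<EOF
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT ACCEPT
ip6tables -F INPUT
ip6tables -F FORWARD
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
  for t in $ICMP6_ERRORS; do
    echo "ip6tables -A INPUT -p icmpv6 --icmpv6-type $t -j ACCEPT"
    echo "ip6tables -A FORWARD -p icmpv6 --icmpv6-type $t -j ACCEPT"
  done
  for t in $ICMP6_NDP; do
    echo "ip6tables -A INPUT -p icmpv6 --icmpv6-type $t -j ACCEPT"
  done
  cat <<EOF
ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 5/s -j ACCEPT
ip6tables -A INPUT -i $LAN_IF -j ACCEPT
ip6tables -A FORWARD -i $LAN_IF -o $TUN_IF -j ACCEPT
ip6tables -A INPUT -i $TUN_IF -m limit --limit 2/min -j LOG --log-prefix "ip6-in-drop: "
ip6tables -A INPUT -i $TUN_IF -j DROP
ip6tables -A FORWARD -i $TUN_IF -m limit --limit 2/min -j LOG --log-prefix "ip6-fwd-drop: "
ip6tables -A FORWARD -i $TUN_IF -j DROP
EOF
}

# Self-check: number of rules that accept traffic arriving on the tunnel
# without a state or ICMPv6-type qualifier. Must be 0 for a default-deny setup.
tunnel_accept_count() {
  gen_ip6_rules | grep -c -- "-i $TUN_IF -j ACCEPT" || true
}

# Apply the generated rules; stops at the first ip6tables error.
apply_ip6_rules() {
  gen_ip6_rules | sh -e
}

case "${1:-}" in
  apply) apply_ip6_rules ;;
  *) gen_ip6_rules ;;
esac
```

Run it without arguments to review the rules, and with `apply` to load them. ICMPv6 is not optional in IPv6, neighbour discovery and path-MTU discovery both ride on it, which is why the listed types are accepted ahead of the default drop; everything else arriving on the tunnel is logged (rate-limited) and dropped, which also gives the router's syslog something a log watcher can alert on.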



[gentoo-user] Problem compiling dev-lang/v8

2013-04-05 Thread Peter Humphrey
out/x64.release/obj.target/cctest/test/cctest/test-
mark-compact.o /tmp/portage/dev-lang/v8-3.16.14.9-
r1/work/v8-3.16.14.9/out/x64.release/obj.target/cctest/test/cctest/test-
object-observe.o /tmp/portage/dev-lang/v8-3.16.14.9-
r1/work/v8-3.16.14.9/out/x64.release/obj.target/cctest/test/cctest/test-
parsing.o /tmp/portage/dev-lang/v8-3.16.14.9-
r1/work/v8-3.16.14.9/out/x64.release/obj.target/cctest/test/cctest/test-
platform-tls.o /tmp/portage/dev-lang/v8-3.16.14.9-
r1/work/v8-3.16.14.9/out/x64.release/obj.target/cctest/test/cctest/test-
profile-generator.o /tmp/portage/dev-lang/v8-3.16.14.9-
r1/work/v8-3.16.14.9/out/x64.release/obj.target/cctest/test/cctest/test-
random.o /tmp/portage/dev-lang/v8-3.16.14.9-
r1/work/v8-3.16.14.9/out/x64.release/obj.target/cctest/test/cctest/test-
regexp.o /tmp/portage/dev-lang/v8-3.16.14.9-
r1/work/v8-3.16.14.9/out/x64.release/obj.target/cctest/test/cctest/test-
reloc-info.o /tmp/portage/dev-lang/v8-3.16.14.9-
r1/work/v8-3.16.14.9/out/x64.release/obj.target/cctest/test/cctest/test-
serialize.o /tmp/portage/dev-lang/v8-3.16.14.9-
r1/work/v8-3.16.14.9/out/x64.release/obj.target/cctest/test/cctest/test-
sockets.o /tmp/portage/dev-lang/v8-3.16.14.9-
r1/work/v8-3.16.14.9/out/x64.release/obj.target/cctest/test/cctest/test-
spaces.o /tmp/portage/dev-lang/v8-3.16.14.9-
r1/work/v8-3.16.14.9/out/x64.release/obj.target/cctest/test/cctest/test-
strings.o /tmp/portage/dev-lang/v8-3.16.14.9-
r1/work/v8-3.16.14.9/out/x64.release/obj.target/cctest/test/cctest/test-
strtod.o /tmp/portage/dev-lang/v8-3.16.14.9-
r1/work/v8-3.16.14.9/out/x64.release/obj.target/cctest/test/cctest/test-
thread-termination.o /tmp/portage/dev-lang/v8-3.16.14.9-
r1/work/v8-3.16.14.9/out/x64.release/obj.target/cctest/test/cctest/test-
threads.o /tmp/portage/dev-lang/v8-3.16.14.9-
r1/work/v8-3.16.14.9/out/x64.release/obj.target/cctest/test/cctest/test-
unbound-queue.o /tmp/portage/dev-lang/v8-3.16.14.9-
r1/work/v8-3.16.14.9/out/x64.release/obj.target/cctest/test/cctest/test-
utils.o /tmp/portage/dev-lang/v8-3.16.14.9-
r1/work/v8-3.16.14.9/out/x64.release/obj.target/cctest/test/cctest/test-
version.o /tmp/portage/dev-lang/v8-3.16.14.9-
r1/work/v8-3.16.14.9/out/x64.release/obj.target/cctest/test/cctest/test-
weakmaps.o /tmp/portage/dev-lang/v8-3.16.14.9-
r1/work/v8-3.16.14.9/out/x64.release/obj.target/cctest/test/cctest/test-
assembler-x64.o /tmp/portage/dev-lang/v8-3.16.14.9-
r1/work/v8-3.16.14.9/out/x64.release/obj.target/cctest/test/cctest/test-
macro-assembler-x64.o /tmp/portage/dev-lang/v8-3.16.14.9-
r1/work/v8-3.16.14.9/out/x64.release/obj.target/cctest/test/cctest/test-log-
stack-tracer.o /tmp/portage/dev-lang/v8-3.16.14.9-
r1/work/v8-3.16.14.9/out/x64.release/obj.target/cctest/test/cctest/test-
platform-linux.o /tmp/portage/dev-lang/v8-3.16.14.9-
r1/work/v8-3.16.14.9/out/x64.release/obj.target/tools/gyp/libv8_snapshot.a 
/tmp/portage/dev-lang/v8-3.16.14.9-
r1/work/v8-3.16.14.9/out/x64.release/obj.target/tools/gyp/libv8_base.a -
Wl,--end-group 
  touch /tmp/portage/dev-lang/v8-3.16.14.9-
r1/work/v8-3.16.14.9/out/x64.release/obj.target/build/All.stamp
make: Leaving directory `/tmp/portage/dev-lang/v8-3.16.14.9-
r1/work/v8-3.16.14.9/out'
 * Fallback PaX marking -m with scanelf
 *  out/x64.release/cctest
 *  out/x64.release/d8
 *  out/x64.release/shell
 TYPEPAX   FILE 
ET_EXEC --mxe- out/x64.release/cctest 
ET_EXEC --mxe- out/x64.release/d8 
ET_EXEC --mxe- out/x64.release/shell 
 * XT PaX marking -me with setfattr
 *  out/x64.release/cctest
 *  out/x64.release/d8
 *  out/x64.release/shell
setfattr: out/x64.release/cctest: Operation not supported
setfattr: out/x64.release/d8: Operation not supported
setfattr: out/x64.release/shell: Operation not supported
 * Failed to set XATTR_PAX markings -me for:
 *  out/x64.release/shell
 * Executables may be killed by PaX kernels.
 * ERROR: dev-lang/v8-3.16.14.9-r1 failed (compile phase):
 *   (no error message)
  * 
 * Call stack:
 * ebuild.sh, line  93:  Called src_compile
 *   environment, line 2778:  Called die
 * The specific snippet of code:
 *   pax-mark m out/${mytarget}/{cctest,d8,shell} || die
 * 
 * If you need support, post the output of `emerge --info '=dev-
lang/v8-3.16.14.9-r1'`,
 * the complete build log and the output of `emerge -pqv '=dev-
lang/v8-3.16.14.9-r1'`.
 * The complete build log is located at '/var/log/portage/dev-
lang:v8-3.16.14.9-r1:20130405-202806.log'.
 * For convenience, a symlink to the build log is located at 
'/tmp/portage/dev-lang/v8-3.16.14.9-r1/temp/build.log'.
 * The ebuild environment file is located at '/tmp/portage/dev-
lang/v8-3.16.14.9-r1/temp/environment'.
 * Working directory: '/tmp/portage/dev-lang/v8-3.16.14.9-
r1/work/v8-3.16.14.9'
 * S: '/tmp/portage/dev-lang/v8-3.16.14.9-r1/work/v8-3.16.14.9'

>>> Failed to emerge dev-lang/v8-3.16.14.9-r1, Log file:

>>>  '/var/log/portage/dev-lang:v8-3.16.14

Re: [gentoo-user] Problem compiling dev-lang/v8

2013-04-05 Thread Volker Armin Hemmann
ease/obj.target/cctest/test/cctest/test-lockers.o
> /tmp/portage/dev-lang/v8-3.16.14.9-r1/work/v8-3.16.14.9/out/x64.release/obj.target/cctest/test/cctest/test-log.o
> /tmp/portage/dev-lang/v8-3.16.14.9-r1/work/v8-3.16.14.9/out/x64.release/obj.target/cctest/test/cctest/test-mark-compact.o
> /tmp/portage/dev-lang/v8-3.16.14.9-r1/work/v8-3.16.14.9/out/x64.release/obj.target/cctest/test/cctest/test-object-observe.o
> /tmp/portage/dev-lang/v8-3.16.14.9-r1/work/v8-3.16.14.9/out/x64.release/obj.target/cctest/test/cctest/test-parsing.o
> /tmp/portage/dev-lang/v8-3.16.14.9-r1/work/v8-3.16.14.9/out/x64.release/obj.target/cctest/test/cctest/test-platform-tls.o
> /tmp/portage/dev-lang/v8-3.16.14.9-r1/work/v8-3.16.14.9/out/x64.release/obj.target/cctest/test/cctest/test-profile-generator.o
> /tmp/portage/dev-lang/v8-3.16.14.9-r1/work/v8-3.16.14.9/out/x64.release/obj.target/cctest/test/cctest/test-random.o
> /tmp/portage/dev-lang/v8-3.16.14.9-r1/work/v8-3.16.14.9/out/x64.release/obj.target/cctest/test/cctest/test-regexp.o
> /tmp/portage/dev-lang/v8-3.16.14.9-r1/work/v8-3.16.14.9/out/x64.release/obj.target/cctest/test/cctest/test-reloc-info.o
> /tmp/portage/dev-lang/v8-3.16.14.9-r1/work/v8-3.16.14.9/out/x64.release/obj.target/cctest/test/cctest/test-serialize.o
> /tmp/portage/dev-lang/v8-3.16.14.9-r1/work/v8-3.16.14.9/out/x64.release/obj.target/cctest/test/cctest/test-sockets.o
> /tmp/portage/dev-lang/v8-3.16.14.9-r1/work/v8-3.16.14.9/out/x64.release/obj.target/cctest/test/cctest/test-spaces.o
> /tmp/portage/dev-lang/v8-3.16.14.9-r1/work/v8-3.16.14.9/out/x64.release/obj.target/cctest/test/cctest/test-strings.o
> /tmp/portage/dev-lang/v8-3.16.14.9-r1/work/v8-3.16.14.9/out/x64.release/obj.target/cctest/test/cctest/test-strtod.o
> /tmp/portage/dev-lang/v8-3.16.14.9-r1/work/v8-3.16.14.9/out/x64.release/obj.target/cctest/test/cctest/test-thread-termination.o
> /tmp/portage/dev-lang/v8-3.16.14.9-r1/work/v8-3.16.14.9/out/x64.release/obj.target/cctest/test/cctest/test-threads.o
> /tmp/portage/dev-lang/v8-3.16.14.9-r1/work/v8-3.16.14.9/out/x64.release/obj.target/cctest/test/cctest/test-unbound-queue.o
> /tmp/portage/dev-lang/v8-3.16.14.9-r1/work/v8-3.16.14.9/out/x64.release/obj.target/cctest/test/cctest/test-utils.o
> /tmp/portage/dev-lang/v8-3.16.14.9-r1/work/v8-3.16.14.9/out/x64.release/obj.target/cctest/test/cctest/test-version.o
> /tmp/portage/dev-lang/v8-3.16.14.9-r1/work/v8-3.16.14.9/out/x64.release/obj.target/cctest/test/cctest/test-weakmaps.o
> /tmp/portage/dev-lang/v8-3.16.14.9-r1/work/v8-3.16.14.9/out/x64.release/obj.target/cctest/test/cctest/test-assembler-x64.o
> /tmp/portage/dev-lang/v8-3.16.14.9-r1/work/v8-3.16.14.9/out/x64.release/obj.target/cctest/test/cctest/test-macro-assembler-x64.o
> /tmp/portage/dev-lang/v8-3.16.14.9-r1/work/v8-3.16.14.9/out/x64.release/obj.target/cctest/test/cctest/test-log-stack-tracer.o
> /tmp/portage/dev-lang/v8-3.16.14.9-r1/work/v8-3.16.14.9/out/x64.release/obj.target/cctest/test/cctest/test-platform-linux.o
> /tmp/portage/dev-lang/v8-3.16.14.9-r1/work/v8-3.16.14.9/out/x64.release/obj.target/tools/gyp/libv8_snapshot.a
> /tmp/portage/dev-lang/v8-3.16.14.9-r1/work/v8-3.16.14.9/out/x64.release/obj.target/tools/gyp/libv8_base.a
> -Wl,--end-group
>
> touch
> /tmp/portage/dev-lang/v8-3.16.14.9-r1/work/v8-3.16.14.9/out/x64.release/obj.target/build/All.stamp
>
> make: Leaving directory
> `/tmp/portage/dev-lang/v8-3.16.14.9-r1/work/v8-3.16.14.9/out'
>
> * Fallback PaX marking -m with scanelf
>
> * out/x64.release/cctest
>
> * out/x64.release/d8
>
> * out/x64.release/shell
>
> TYPE PAX FILE
>
> ET_EXEC --mxe- out/x64.release/cctest
>
> ET_EXEC --mxe- out/x64.release/d8
>
> ET_EXEC --mxe- out/x64.release/shell
>
> * XT PaX marking -me with setfattr
>
> * out/x64.release/cctest
>
> * out/x64.release/d8
>
> * out/x64.release/shell
>
> setfattr: out/x64.release/cctest: Operation not supported
>
> setfattr: out/x64.release/d8: Operation not supported
>
> setfattr: out/x64.release/shell: Operation not supported
>
> * Failed to set XATTR_PAX markings -me for:
>
> * out/x64.release/shell
>
> * Executables may be killed by PaX kernels.
>
> * ERROR: dev-lang/v8-3.16.14.9-r1 failed (compile phase):
>
> * (no error message)
>
> *
>
> * Call stack:
>
> * ebuild.sh, line 93: Called src_compile
>
> * environment, line 2778: Called die
>
> * The specific snippet of code:
>
> * pax-mark m out/${mytarget}/{cctest,d8,shell} || die
>
> *
>
> * If you need support, post the output of `emerge --info
> '=dev-lang/v8-3.16.14.9-r1'`,
>
> * the complete build log and the output of `emerge -pqv
> '=dev-lang/v8-3.16.14.9-r1'`.
>
> * The complete build log is located at
> '/var/log/portage/dev-lang:v8-3.16.14.9-r1:2

Re: [gentoo-user] OT - Some miscellanous questions about hack attacks and dealing with them

2007-02-22 Thread Michael Sullivan
On Fri, 2007-02-23 at 03:49 +1030, Raymond Lewis Rebbeck wrote:
> On Friday, 23 February 2007 3:15, Michael Sullivan wrote:
> > I have logsentry installed on my system which sends me hourly reports
> > about possible hack attempts on my three boxes.  I use ipkungfu for my
> > firewall.  I've stuck with the default configuration for ipkungfu,
> > except for listing each of my machines in my LAN in the
> > accepted_hosts.conf file.  I also set ipkungfu to drop all offensive
> > packets (not sure if that's the default or not.)  Whenever I see someone
> > trying to break in in the logsentry reports, I add their IP to the
> > deny_hosts.conf file and restart ipkungfu so that the changes will take
> > effect.  I'm wondering why if these offending IPs in deny_hosts.conf are
> > being stopped at the firewall I'm still seeing them fail to authenticate
> > to my FTP and ssh servers?
> 
> If you think you've setup your firewall to block these IPs and yet they are 
> still able to access your machines, then it sounds like your firewall is 
> misconfigured and isn't blocking the IPs.
> 
> > Also, I've always heard that you shouldn't 
> > have any ports open on your machine unless you have some server bound to
> > that port because hackers can get in through unbound open ports.  Is
> > this true? 
> 
> I've never heard of this. All ports that you don't want accessible from the 
> internet should be completely blocked by your firewall if you have it 
> correctly configured.
> 
> > If so, how does it work?  What do they connect to if 
> > nothing's running on the port they're trying?  I know the concept of a
> > backdoor in a running program, but if no program is running on said port
> > for them to connect to, how do they get in???
> 
> They connect to nothing, they shouldn't be able to establish a connection.
> 
> > -Michael Sullivan-
> 
> 
> 
> -- 
> Raymond Lewis Rebbeck

This is my /etc/ipkungfu/ipkungfu.conf file on
catherine.espersunited.com .  The comments have been removed for
conciseness:

EXT_NET="eth0"
LOCAL_NET="127.0.0.1"
ALLOWED_TCP_IN="21 22 25 80"
ALLOWED_UDP_IN=""
SUSPECT="DROP"
KNOWN_BAD="DROP"
PORT_SCAN="DROP"
GET_IP="AUTO"
DONT_DROP_IDENTD=1
WAIT_SECONDS=5

Is this not a correct configuration?  Here is the output of ipkungfu -l:

catherine ipkungfu # ipkungfu -l
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 7098 2517K ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
    0     0 LOG        all  --  lo     any     0.0.0.1              anywhere             LOG level warning prefix `IPKF IPKungFu (--init)'
0 0 DROP   all  --  eth0   any 124.1.149.222
anywhere
0 0 DROP   all  --  eth0   any
205.158.114.117.ptr.us.xo.net  anywhere
0 0 DROP   all  --  eth0   any 222.90.206.62
anywhere
0 0 DROP   all  --  eth0   any 61.178.185.124
anywhere
0 0 DROP   all  --  eth0   any 65.98.76.197
anywhere
0 0 DROP   all  --  eth0   any 211.234.99.230
anywhere
0 0 DROP   all  --  eth0   any sd-2613.dedibox.fr
anywhere
0 0 DROP   all  --  eth0   any 222.135.146.45
anywhere
0 0 DROP   all  --  eth0   any 210.75.200.104
anywhere
0 0 DROP   all  --  eth0   any 210.83.48.238
anywhere
0 0 DROP   all  --  eth0   any 69.149.231.150
anywhere
0 0 DROP   all  --  eth0   any 61.243.90.149
anywhere
0 0 DROP   all  --  eth0   any 222.62.149.99
anywhere
0 0 DROP   all  --  eth0   any
72.237.88.202.asianet.co.in  anywhere
0 0 DROP   all  --  eth0   any 211.61.207.31
anywhere
0 0 DROP   all  --  eth0   any 212.14.53.4
anywhere
0 0 DROP   all  --  eth0   any
61-222-84-195.HINET-IP.hinet.net  anywhere
0 0 DROP   all  --  eth0   any smtp.tvitatiba.com.br
anywhere
0 0 DROP   all  --  eth0   any 91.25.73.211-savecom
anywhere
0 0 DROP   all  --  eth0   any
host150197.metrored.net.mx  anywhere
0 0 DROP   all  --  eth0   any
d5152C2AF.access.telenet.be  anywhere
0 0 DROP   all  --  eth0   any 218.50.2.99
anywhere
0 0 DROP   all  --  eth0   any 210.97.242.17
anywhere
0 0 DROP   all  --  eth0   any