Re: Simple iptables table doesn't let me forward X windows

2018-01-20 Thread Jason
On Sat, Jan 20, 2018 at 07:30:09PM +, Joe wrote:
> On Sat, 20 Jan 2018 12:13:12 -0600
> Jason  wrote:
> 
> > Hi,
> > 
> > I am trying to set up (what should be) a simple iptables table between
> > two machines on a local network, both with static IP addresses. The
> > machine I want to set up the iptables on is a headless server which I
> > access using ssh. I want to cut off all communications except with the
> > machine I ssh from. What I did works except when I try to run a GUI
> > program on the server to display locally, after a pause I get
> > something like:
> > 
> > Geany: cannot open display
> > or
> > xterm: Xt error: Can't open display: localhost:10.0
> > 
> > both of which work before I run the iptables commands.
> 
> OK, that leaves little doubt that it's a firewall issue.
> 
> > 
> > Here's what I did (000.000.000.000 is substituted for actual IP
> > address of client machine):
> > 
> > $ sudo iptables -A INPUT -s 000.000.000.000 -j ACCEPT
> > $ sudo iptables -A OUTPUT -d 000.000.000.000 -j ACCEPT
> > $ sudo iptables -P INPUT DROP
> > $ sudo iptables -P OUTPUT DROP
> > 
> > I also tried to add
> > 
> > $ sudo iptables -A INPUT -i lo -j ACCEPT
> 
> You'll also want a lo ACCEPT in the OUTPUT chain.
Which fixed my problem, see my reply to Pascal.
> 
> > 
> > without success.
> > 
> > What do I need to do to get X forwarding to work?
> > 
> 
> Others may know the exact answer in this case. I'll make a couple of
> suggestions for future iptables issues.
> 
> 1. Take one of the very basic firewall scripts (there are many around)
> that works statefully i.e. allows everything out, accepts established
> and related state replies, drops invalid packets, accepts lo in and out.
> Start from there, check your X forwarding works, then add IP address
> restrictions as required one by one. When it breaks, you know exactly
> what did it.
> 
> 2. Use -j LOG targets with various --log-prefix values in various
> places to understand what's going on, generally what's being dropped
> by mistake. When you finish with them, comment them out but leave them
> there for future use. Tailor them by address and/or port to look for
> specific issues. In your existing case:
> 
> iptables -A INPUT -j LOG --log-level debug --log-prefix "INPUT dropped:"
> 
> just before the actual DROP judgement, and another for OUTPUT. It will
> generate a lot of stuff quite quickly, so comment it once you have some
> logs to examine. It's amazing what really obvious things you can
> overlook with a firewall, and this will identify them fairly quickly.
> It's a much less tedious job than using a packet capture application,
> which is massive overkill for simple networking problems.
> 
> 3. You may be doing this without telling us here, but when you have a
> script to make your firewall, put in initialisation commands first, to
> remove any existing rules, and set overall DROP defaults in case your
> main iptables logic takes a wrong turn. You'll want at least the -F and
> -X iptables options for filter, nat and mangle tables. If you haven't
> disabled IPv6 altogether, you'll also need corresponding ip6tables
> commands, as IPv6 is wide open by default.
> 

I'm learning.

Thanks for responding!
-- 
Jason



Re: Simple iptables table doesn't let me forward X windows

2018-01-20 Thread Jason
On Sat, Jan 20, 2018 at 07:58:27PM +0100, Pascal Hambourg wrote:
> On 20/01/2018 at 19:13, Jason wrote:
> >
> >I am trying to set up (what should be) a simple iptables table
> 
> I don't think so. In iptables, "tables" are preexisting data structures
> containing chains, and chains contain rules that you create. The set of
> rules in these chains and tables is called, well, a ruleset.

Thanks for the clarification. This is my first experience using
iptables and my knowledge of it is elementary at best.

> 
> >between
> >two machines on a local network, both with static IP addresses.
> 
> Nonsense. A ruleset is set up on one machine, not between two machines.

I had thought after I wrote it that the wording probably wasn't correct.

> 
> >The machine I want to set up the iptables on
> 
> As I wrote: on one machine.
> 
> >is a headless server which I
> >access using ssh. I want to cut off all communications except with the
> >machine I ssh from.
> 
> I guess you use X tunnelling with ssh -X or -Y ?

Yes, with -X.

> >What I did works except when I try to run a GUI
> >program on the server to display locally, after a pause I get
> >something like:
> >
> > Geany: cannot open display
> >or
> > xterm: Xt error: Can't open display: localhost:10.0
> >
> >both of which work before I run the iptables commands.
> >
> >Here's what I did (000.000.000.000 is substituted for actual IP
> >address of client machine):
> 
> You really should not use that kind of address for substitution. 0.0.0.0 has
> a special meaning. You could use addresses in 192.0.2.0/24 which are
> reserved for examples and documentation instead.

Okay, making a note of it.

> >$ sudo iptables -A INPUT -s 000.000.000.000 -j ACCEPT
> >$ sudo iptables -A OUTPUT -d 000.000.000.000 -j ACCEPT
> >$ sudo iptables -P INPUT DROP
> >$ sudo iptables -P OUTPUT DROP
> >
> >I also tried to add
> >
> >$ sudo iptables -A INPUT -i lo -j ACCEPT
> >
> >without success.
> >
> >What do I need to do to get X forwarding to work?
> 
> Add
> 
> iptables -A OUTPUT -o lo -j ACCEPT

That works, thanks a lot Pascal!
> 
> Note that this ruleset allows much more than just SSH and X forwarding
> between the two machines.

Which is fine in this case.
Thanks again!

-- 
Jason



Re: Iptables at boot

2018-01-20 Thread Mark Fletcher
On Sun, Jan 21, 2018 at 02:02:07AM +0100, Dejan Jocic wrote:
> On 20-01-18, Jacques Rodary wrote:
> > Hi
> > How can I start iptables at boot. I don't find an equivalent to "service
> > iptables start" with systemd and don't know how to create a new
> > iptables.service. The manpages aren't quite clear for me. Thanks for any
> > help.
> >   Jacques
> > 
> 
> There are two options. One would be to learn to write systemd service
> units. There are many tutorials on the net for how to write those with
> examples. The other would be to install the iptables-persistent package. You
> can find more about using the iptables-persistent package if you google it;
> you will surely run into a few quick howtos.
> 
> 

To get you started [addressing the OP], here is the service file I use:

[Unit]
Description=Load Iptables Rules
ConditionFileIsExecutable=/etc/systemd/scripts/iptables
After=network.target

[Service]
Type=forking
ExecStart=/etc/systemd/scripts/iptables
TimeoutSec=0
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

This goes in /lib/systemd/system/iptables.service and assumes your 
iptables commands are in a script which is called iptables, is 
executable, and is located in /etc/systemd/scripts.

I must point out there may be Debian policies of which I am not aware 
about where the files should ideally go; I lifted this configuration 
from a non-Debian box. There is nothing about it that will _not work_ on 
Debian, but there may be a preferred Debian location for such files, 
which hopefully my contribution will encourage someone knowledgeable to 
add.

Then to run it once, as root:
systemctl start iptables

and to set it up so it runs at boot, as root:
systemctl enable iptables

HTH

Mark



Re: Iptables at boot

2018-01-20 Thread Dejan Jocic
On 20-01-18, Jacques Rodary wrote:
> Hi
> How can I start iptables at boot. I don't find an equivalent to "service
> iptables start" with systemd and don't know how to create a new
> iptables.service. The manpages aren't quite clear for me. Thanks for any
> help.
>   Jacques
> 

There are two options. One would be to learn to write systemd service
units. There are many tutorials on the net for how to write those with
examples. The other would be to install the iptables-persistent package. You
can find more about using the iptables-persistent package if you google it;
you will surely run into a few quick howtos.




Iptables at boot

2018-01-20 Thread Jacques Rodary

Hi
How can I start iptables at boot. I don't find an equivalent to "service
iptables start" with systemd and don't know how to create a new
iptables.service. The manpages aren't quite clear for me. Thanks for
any help.

  Jacques



Re: Configuring WebHTTrack as I WANT

2018-01-20 Thread davidson

On Sat, 20 Jan 2018, Richard Owlett wrote:

Caveat: I know nothing about seamonkey, and I have never used
httrack/webhttrack.

> WebHTTrack insists on using Firefox as the User Interface.

Are you certain webhttrack isn't just using x-www-browser, which
happens to be set, via the links in your /etc/alternatives directory,
to firefox?

What does the following tell you?

 $ update-alternatives --display x-www-browser

> That's *VERY* annoying as I use SeaMonkey > 99.9% of the time.

If in fact firefox is the currently selected alternative for
x-www-browser, you can choose another one (interactively) with

 # update-alternatives --config x-www-browser

If seamonkey is not presently one of the available alternatives for
x-www-browser, you can register it as an alternative like so[1]:

 # update-alternatives --install /usr/bin/x-www-browser x-www-browser /path/to/seamonkey 20

If you do in fact need to register seamonkey as an alternative for
x-www-browser, and if you have a seamonkey man page installed, you'll
probably want to register its man page too. You could extend the
command above like so, to accomplish this:

 # update-alternatives --install /usr/bin/x-www-browser x-www-browser \
   /path/to/seamonkey 20 --slave \
   /usr/share/man/man1/x-www-browser.1.gz x-www-browser.1.gz \
   /path/to/man-page/for/seamonkey.1.gz

You will need to replace /path/to/seamonkey, in the above commands,
with the path to your seamonkey program,

 $ type -P seamonkey # print path to seamonkey executable

and replace /path/to/man-page/for/seamonkey.1.gz with the appropriate
path to the man page file:

 $ man -w seamonkey # display the path to seamonkey's man page

> I went to the website  and did not find anything even
> somewhat relevant.
>
> I attempted to edit /usr/bin/webhttrack without benefit.
> Searching suggests these locations for possible edits.
>
> Contains:
> at line 6:  BROWSEREXE=""
> edited to:  BROWSEREXE="seamonkey"
>
> at line 7:  SRCHBROWSEREXE="x-www-browser www-browser iceape mozilla
> firefox ...
> edited to:  SRCHBROWSEREXE="x-www-browser www-browser iceape mozilla
> seamonkey firefox ...

My line of questioning/suggestions above was inspired by the prominent
position of "x-www-browser" in the list immediately above.

Lastly, regarding the change below, does a *directory*
/usr/bin/seamonkey/ exist on your system? Looks a little weird to
me. (Not that I would know.)

> at line 20: SRCHPATH="$BINWD /usr/local/bin /usr/share/bin /usr/bin  ...
> edited to:  SRCHPATH="$BINWD /usr/bin/seamonkey/ /usr/local/bin
> /usr/share/bin /usr/bin ...

Good luck with your project.

NOTES

1. "20" is a priority. Relatively high numbers mean relatively high
priority. Replace it with whatever numeric priority you fancy. But
note that with "update-alternatives --config" you can manually select
any alternative, regardless of its priority.



Re: Radiotray fails in stretch

2018-01-20 Thread Eike Lantzsch
On Saturday, January 20, 2018 9:36:20 PM -03 deloptes wrote:
> Eike Lantzsch wrote:
> > And that's it. I don't have any experience with radiotray and have no
> > suggestions.
> > Is it still maintained?
> > For now I'm going to deinstall it again. No time nor energy to
> > investigate.
> 
> looks like a shit program to me - just wondering how it got into debian
> packages.
> When I first read this post I was thinking there is an app for controlling
> a radio receiver but it turns out it is online radio - WTF! online radio is
> not a radio like terrestrial broadcast. Each online radio nowadays offers an
> HTML5 stream, which can be automatically played by any HTML5 compatible
> browser.
> 
> correct me if I am wrong
> 
> regards

No, I think you're right either way.
kind regards and have a nice day



Re: Simple iptables table doesn't let me forward X windows

2018-01-20 Thread deloptes
Joe wrote:

> OK, that leaves little doubt that it's a firewall issue.

usually xauth missing or wrong xauth

people do upgrade, then just press yes and pile up mess over mess and then
come here to ask for help.

it's fun

regards



Re: Radiotray fails in stretch

2018-01-20 Thread deloptes
Eike Lantzsch wrote:

> And that's it. I don't have any experience with radiotray and have no
> suggestions.
> Is it still maintained?
> For now I'm going to deinstall it again. No time nor energy to
> investigate.

looks like a shit program to me - just wondering how it got into debian
packages.
When I first read this post I was thinking there is an app for controlling
a radio receiver but it turns out it is online radio - WTF! online radio is
not a radio like terrestrial broadcast. Each online radio nowadays offers an
HTML5 stream, which can be automatically played by any HTML5 compatible
browser.

correct me if I am wrong

regards




Re: Network setup by installer

2018-01-20 Thread Brian
On Sat 20 Jan 2018 at 12:18:45 -0600, David Wright wrote:

> On Fri 19 Jan 2018 at 15:21:31 (+), Brian wrote:
> > On Fri 19 Jan 2018 at 08:27:22 -0600, David Wright wrote:
> > 
> > > With wireless, there's no real equivalent to the wire
> > > being connected. Even when installed and configured with
> > > wireless, rebooting doesn't automatically bring up a
> > > network; you need to type ifup.
> > 
> > I'm not fine with this. Given a WAP and a passphrase ifupdown connects
> > automatically here. Perhaps I'm misunderstanding you.
> 
> Yes, sorry, I misremembered, as it was a while since I'd done
> a wireless installation. Here's the results of doing one just
> now. It wasn't so much the ifup that was needed as populating
> /etc/network/interfaces itself.

Thanks for looking into this. It did provide me with an incentive (I'm
no network expert) to spend part of this afternoon plugging every
wireless adaptor I possess in and out, in and out  :) to refresh
what my recollection was. It gets a bit more complicated when there is
a wired interface too, but I'm not going to go there.

> $ cat /etc/network/interfaces 
> # This file describes the network interfaces available on your system
> # and how to activate them. For more information, see interfaces(5).
> 
> source /etc/network/interfaces.d/*
> 
> # The loopback network interface
> auto lo
> iface lo inet loopback

Just for reference: d-i provides this stanza but there is really no need
for it (on i386 and amd64, anyway). It does no harm but ifupdown handles
setting up the lo interface all by itself without anything in /e/n/i.

-- 
Brian.



Re: Radiotray fails in stretch

2018-01-20 Thread Eike Lantzsch
On Saturday, January 20, 2018 5:20:02 PM -03 tony wrote:
> I recently upgraded my jessie laptop to stretch, in accordance with the
> published instructions.
> 
> All seems to have gone well, so far, except for one item: Radiotray will
> not run. There is an old bug report against it (814628), which mentions
> dependency issues, but the maintainer reckons it's fixed. My symptoms
> are identical to those in the bug report.
> 
> Does anyone have any suggestions, please?

I just tried it with Stretch. It installs OK and obviously doesn't have any 
dependency problems. Starting it just puts an icon into the tray. On clicking 
on it, it asks if you want to run it in a tray or ...
After answering the question (checkbox) it sits in the tray as a grayed-out 
icon which is from then on autistic.

Error messages on startup:
01:~$ radiotray
/usr/lib/python2.7/dist-packages/radiotray/XmlDataProvider.py:23: PyGIWarning: 
Gtk was imported without specifying a version first. Use 
gi.require_version('Gtk', '3.0') before import to ensure that the right 
version gets loaded.
  from gi.repository import Gtk
/usr/lib/python2.7/dist-packages/radiotray/AudioPlayerGStreamer.py:64: 
FutureWarning: The behavior of this method will change in future versions. Use 
specific 'len(elem)' or 'elem is not None' test instead.
  if(cfg_provider._settingExists("buffer_size")):
/usr/lib/python2.7/dist-packages/radiotray/SysTray.py:100: PyGIWarning: 
AppIndicator3 was imported without specifying a version first. Use 
gi.require_version('AppIndicator3', '0.1') before import to ensure that the 
right version gets loaded.
  from gi.repository import AppIndicator3

(radiotray:8813): Gtk-WARNING **: Theme parsing error: gtk.css:68:35: The 
style property GtkButton:child-displacement-x is deprecated and shouldn't be 
used anymore. It will be removed in a future version

(radiotray:8813): Gtk-WARNING **: Theme parsing error: gtk.css:69:35: The 
style property GtkButton:child-displacement-y is deprecated and shouldn't be 
used anymore. It will be removed in a future version

(radiotray:8813): Gtk-WARNING **: Theme parsing error: gtk.css:73:46: The 
style property GtkScrolledWindow:scrollbars-within-bevel is deprecated and 
shouldn't be used anymore. It will be removed in a future version
Gtk-Message: GtkDialog mapped without a transient parent. This is discouraged.
Sleep Timer, Stops playing after a predefined time, SleepTimerPlugin.py, Carlos 
Ribeiro
StationSwitcher, Allows cycling through stations, StationSwitcherPlugin.py, 
Mark F
HelloWorld, This is a test plugin, HelloWorld.py, Carlos Ribeiro
started
Notifications, Shows message notifications on the desktop, 
NotificationPlugin.py, 
Carlos Ribeiro
/usr/share/radiotray/plugins/NotificationPlugin.py:25: PyGIWarning: Notify was 
imported without specifying a version first. Use gi.require_version('Notify', 
'0.7') before import to ensure that the right version gets loaded.
  from gi.repository import Notify
Mate Media Keys, Controls Radio Tray through keyboard multimedia keys, 
MateMediaKeysPlugin.py, Ken
Gnome Media Keys, Controls Radio Tray through keyboard multimedia keys, 
GnomeMediaKeysPlugin.py, Carlos Ribeiro
History, Shows song history, HistoryPlugin.py, Carlos Ribeiro

And that's it. I don't have any experience with radiotray and have no 
suggestions.
Is it still maintained?
For now I'm going to deinstall it again. No time nor energy to investigate.



Re: Simple iptables table doesn't let me forward X windows

2018-01-20 Thread Joe
On Sat, 20 Jan 2018 12:13:12 -0600
Jason  wrote:

> Hi,
> 
> I am trying to set up (what should be) a simple iptables table between
> two machines on a local network, both with static IP addresses. The
> machine I want to set up the iptables on is a headless server which I
> access using ssh. I want to cut off all communications except with the
> machine I ssh from. What I did works except when I try to run a GUI
> program on the server to display locally, after a pause I get
> something like:
> 
>   Geany: cannot open display
> or
>   xterm: Xt error: Can't open display: localhost:10.0
> 
> both of which work before I run the iptables commands.

OK, that leaves little doubt that it's a firewall issue.

> 
> Here's what I did (000.000.000.000 is substituted for actual IP
> address of client machine):
> 
> $ sudo iptables -A INPUT -s 000.000.000.000 -j ACCEPT
> $ sudo iptables -A OUTPUT -d 000.000.000.000 -j ACCEPT
> $ sudo iptables -P INPUT DROP
> $ sudo iptables -P OUTPUT DROP
> 
> I also tried to add
> 
> $ sudo iptables -A INPUT -i lo -j ACCEPT

You'll also want a lo ACCEPT in the OUTPUT chain.

> 
> without success.
> 
> What do I need to do to get X forwarding to work?
> 

Others may know the exact answer in this case. I'll make a couple of
suggestions for future iptables issues.

1. Take one of the very basic firewall scripts (there are many around)
that works statefully i.e. allows everything out, accepts established
and related state replies, drops invalid packets, accepts lo in and out.
Start from there, check your X forwarding works, then add IP address
restrictions as required one by one. When it breaks, you know exactly
what did it.

2. Use -j LOG targets with various --log-prefix values in various
places to understand what's going on, generally what's being dropped
by mistake. When you finish with them, comment them out but leave them
there for future use. Tailor them by address and/or port to look for
specific issues. In your existing case:

iptables -A INPUT -j LOG --log-level debug --log-prefix "INPUT dropped:"

just before the actual DROP judgement, and another for OUTPUT. It will
generate a lot of stuff quite quickly, so comment it once you have some
logs to examine. It's amazing what really obvious things you can
overlook with a firewall, and this will identify them fairly quickly.
It's a much less tedious job than using a packet capture application,
which is massive overkill for simple networking problems.

3. You may be doing this without telling us here, but when you have a
script to make your firewall, put in initialisation commands first, to
remove any existing rules, and set overall DROP defaults in case your
main iptables logic takes a wrong turn. You'll want at least the -F and
-X iptables options for filter, nat and mangle tables. If you haven't
disabled IPv6 altogether, you'll also need corresponding ip6tables
commands, as IPv6 is wide open by default.

-- 
Joe
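As an added example (not from this thread or any of its authors), here is a script that follows Joe's three suggestions and includes Pascal's missing OUTPUT lo rule: reset filter/nat/mangle and set DROP policies first, build the stateful base for both IPv4 and IPv6, then add the admin-host restriction and rate-limited LOG rules just before the policy DROP. It assumes the admin host is 192.0.2.10 (a 192.0.2.0/24 documentation address, used as a placeholder) and that DRY_RUN=1 (the default, my own variable) prints the commands instead of running them, so the ruleset can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal stateful ruleset for a headless
# server that should only accept SSH from one admin host, with X11 forwarding
# carried inside that SSH session. Commands are printed unless DRY_RUN=0, so
# the generated ruleset can be checked before it is applied (as root, ideally
# from the console or at boot rather than over the SSH session being filtered).
set -eu

ADMIN_HOST="${ADMIN_HOST:-192.0.2.10}"   # placeholder from 192.0.2.0/24
DRY_RUN="${DRY_RUN:-1}"

# Print or execute one firewall command.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Suggestion 3: flush and delete everything first, then set DROP policies for
# both address families so that a mistake later in the script fails closed.
# IPv6 gets the same treatment because it is otherwise wide open by default.
reset_tables() {
    for fw in iptables ip6tables; do
        for table in filter nat mangle; do
            run "$fw" -t "$table" -F
            run "$fw" -t "$table" -X
        done
        for chain in INPUT FORWARD OUTPUT; do
            run "$fw" -P "$chain" DROP
        done
    done
}

# Suggestion 1: the stateful base. Loopback in AND out (the OUTPUT rule was
# the one missing from the original ruleset: with ssh -X the X clients connect
# to localhost:10.0, i.e. sshd's listener on TCP 6010 over lo), invalid
# packets dropped, replies to accepted traffic let through in both directions.
base_rules() {
    for fw in iptables ip6tables; do
        run "$fw" -A INPUT  -i lo -j ACCEPT
        run "$fw" -A OUTPUT -o lo -j ACCEPT
        run "$fw" -A INPUT  -m conntrack --ctstate INVALID -j DROP
        run "$fw" -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
        run "$fw" -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    done
}

# The address restriction, added once the base ruleset is known to work.
# Only new SSH connections from the admin host are accepted; the server
# itself cannot open new connections anywhere (OUTPUT policy is DROP), which
# is tighter than the original "-s <host> -j ACCEPT" rule Pascal commented on.
admin_rules() {
    run iptables -A INPUT -s "$ADMIN_HOST" -p tcp --dport 22 -j ACCEPT
}

# Suggestion 2: log what is about to hit the DROP policy, rate-limited so the
# kernel log is not flooded. Comment these out once the problem is found.
log_rules() {
    for fw in iptables ip6tables; do
        run "$fw" -A INPUT  -m limit --limit 5/min -j LOG --log-level debug --log-prefix "INPUT dropped: "
        run "$fw" -A OUTPUT -m limit --limit 5/min -j LOG --log-level debug --log-prefix "OUTPUT dropped: "
    done
}

# Order matters: reset, stateful base, then restrictions, then the LOG rules
# so that they sit just before the policy DROP.
build_ruleset() {
    reset_tables
    base_rules
    admin_rules
    log_rules
}

build_ruleset
```

Run it once to read the generated commands, then `DRY_RUN=0 ./firewall.sh` as root to apply them.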



Re: exim4 on Debian stretch

2018-01-20 Thread David Wright
On Sat 20 Jan 2018 at 18:59:34 (+), Brian wrote:
> On Fri 19 Jan 2018 at 18:07:49 +, J.W. Foster wrote:
> 
> >  David this is the file you requested. any help is much appreciated.
> 
> [Snipped and rearranged]
> > 
> > dc_eximconfig_configtype='internet'
> > dc_other_hostnames=mydomain.net'
> > dc_local_interfaces='127.0.0.1;192.168.xx.xx'
> > dc_readhost=''
> > dc_relay_domains=''
> > dc_minimaldns='false'
> > dc_relay_nets=''
> > dc_smarthost=''
> > CFILEMODE='644'
> > dc_use_split_config='true'
> > dc_hide_mailname=''
> > dc_mailname_in_oh='true'
> > dc_localdelivery='mail_spool'
> 
> Very acceptable, although I would have dc_local_interfaces as the
> default presented by 'dpkg-reconfigure exim4-config' while getting the
> server working reliably.
> 
> I would also completely revert everything you have done with exim by
> purging it and starting again. All those bits t-machine recommends need
> testing one by one by restarting exim4 after every change. I note
> 
>  Jan 17 07:24:34 myserver exim4[18538]:   option "AND" unknown
> 
> and "AND" occurs in some of the advice given in your link,

Yes. I hadn't looked at that web page until today. My guess was
based on what was being set in the locality of that line number.

However, I'm running exim4 and it appears that we won't even have
the same version installed if these instructions are being followed.

Paul's comment (there) would suggest that great care is needed
with such a complicated setup. It looks as if it's easy for
database *commands* to get accidentally passed to exim rather than
the database's data.

In view of "Any suggestions for what to do with exim4 to get it
restarted. I do not know what the error messages here are
referencing. I'm very inexperienced with setting up email.",
Adam's closing comment is probably worth revisiting.

Cheers,
David.



Re: exim4 on Debian stretch

2018-01-20 Thread Brian
On Fri 19 Jan 2018 at 18:07:49 +, J.W. Foster wrote:

>  David this is the file you requested. any help is much appreciated.

[Snipped and rearranged]
> 
> dc_eximconfig_configtype='internet'
> dc_other_hostnames=mydomain.net'
> dc_local_interfaces='127.0.0.1;192.168.xx.xx'
> dc_readhost=''
> dc_relay_domains=''
> dc_minimaldns='false'
> dc_relay_nets=''
> dc_smarthost=''
> CFILEMODE='644'
> dc_use_split_config='true'
> dc_hide_mailname=''
> dc_mailname_in_oh='true'
> dc_localdelivery='mail_spool'

Very acceptable, although I would have dc_local_interfaces as the
default presented by 'dpkg-reconfigure exim4-config' while getting the
server working reliably.

I would also completely revert everything you have done with exim by
purging it and starting again. All those bits t-machine recommends need
testing one by one by restarting exim4 after every change. I note

 Jan 17 07:24:34 myserver exim4[18538]:   option "AND" unknown

and "AND" occurs in some of the advice given in your link,

-- 
Brian.



Re: Simple iptables table doesn't let me forward X windows

2018-01-20 Thread Pascal Hambourg

On 20/01/2018 at 19:13, Jason wrote:

> I am trying to set up (what should be) a simple iptables table

I don't think so. In iptables, "tables" are preexisting data structures 
containing chains, and chains contain rules that you create. The set of 
rules in these chains and tables is called, well, a ruleset.

> between
> two machines on a local network, both with static IP addresses.

Nonsense. A ruleset is set up on one machine, not between two machines.

> The machine I want to set up the iptables on

As I wrote: on one machine.

> is a headless server which I
> access using ssh. I want to cut off all communications except with the
> machine I ssh from.

I guess you use X tunnelling with ssh -X or -Y ?

> What I did works except when I try to run a GUI
> program on the server to display locally, after a pause I get
> something like:
>
> Geany: cannot open display
> or
> xterm: Xt error: Can't open display: localhost:10.0
>
> both of which work before I run the iptables commands.
>
> Here's what I did (000.000.000.000 is substituted for actual IP
> address of client machine):

You really should not use that kind of address for substitution. 0.0.0.0 
has a special meaning. You could use addresses in 192.0.2.0/24 which 
are reserved for examples and documentation instead.

> $ sudo iptables -A INPUT -s 000.000.000.000 -j ACCEPT
> $ sudo iptables -A OUTPUT -d 000.000.000.000 -j ACCEPT
> $ sudo iptables -P INPUT DROP
> $ sudo iptables -P OUTPUT DROP
>
> I also tried to add
>
> $ sudo iptables -A INPUT -i lo -j ACCEPT
>
> without success.
>
> What do I need to do to get X forwarding to work?

Add

iptables -A OUTPUT -o lo -j ACCEPT

Note that this ruleset allows much more than just SSH and X forwarding 
between the two machines.




Re: Network setup by installer

2018-01-20 Thread David Wright
On Fri 19 Jan 2018 at 15:21:31 (+), Brian wrote:
> On Fri 19 Jan 2018 at 08:27:22 -0600, David Wright wrote:
> 
> > On Fri 19 Jan 2018 at 22:10:39 (+0900), Mark Fletcher wrote:
> > > On Fri, Jan 19, 2018 at 06:43:10AM +0100, john doe wrote:
> > > > On 1/19/2018 12:45 AM, Mark Fletcher wrote:
> > > > > Hello the list
> > > > > 
> > > > > Can anyone point me at documentation of how the installer sets up
> > > > > network interfaces, out of the several ways there are to do it?
> > > > > 
> > > > > I've done a couple of installs of Stretch, one when it was still 
> > > > > testing
> > > > > and one recently, on different hardware that both had both wired and
> > > > > wireless network interfaces. In both cases I chose to install using 
> > > > > the
> > > > > wired interface even though for normal usage the computer will use the
> > > > > wireless interface. The result in both cases was a machine that had 
> > > > > its
> > > > > wired interface configured but not its wireless one.
> > 
> > Yes, AIUI it doesn't try to read our minds but assumes the
> > installation method is what will be used. And with a wired
> > interface configured, if you reboot with a wire connected,
> > the system will bring it up.
> 
> I'm fine with that.
> 
> > With wireless, there's no real equivalent to the wire
> > being connected. Even when installed and configured with
> > wireless, rebooting doesn't automatically bring up a
> > network; you need to type ifup.
> 
> I'm not fine with this. Given a WAP and a passphrase ifupdown connects
> automatically here. Perhaps I'm misunderstanding you.

Yes, sorry, I misremembered, as it was a while since I'd done
a wireless installation. Here's the results of doing one just
now. It wasn't so much the ifup that was needed as populating
/etc/network/interfaces itself.

$ cat /etc/network/interfaces 
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback
$ 

Cheers,
David.



Simple iptables table doesn't let me forward X windows

2018-01-20 Thread Jason
Hi,

I am trying to set up (what should be) a simple iptables table between
two machines on a local network, both with static IP addresses. The
machine I want to set up the iptables on is a headless server which I
access using ssh. I want to cut off all communications except with the
machine I ssh from. What I did works except when I try to run a GUI
program on the server to display locally, after a pause I get
something like:

Geany: cannot open display
or
xterm: Xt error: Can't open display: localhost:10.0

both of which work before I run the iptables commands.

Here's what I did (000.000.000.000 is substituted for actual IP
address of client machine):

$ sudo iptables -A INPUT -s 000.000.000.000 -j ACCEPT
$ sudo iptables -A OUTPUT -d 000.000.000.000 -j ACCEPT
$ sudo iptables -P INPUT DROP
$ sudo iptables -P OUTPUT DROP

I also tried to add

$ sudo iptables -A INPUT -i lo -j ACCEPT

without success.

What do I need to do to get X forwarding to work?

Thanks!
-- 
Jason



Configuring WebHTTrack as I WANT

2018-01-20 Thread Richard Owlett

WebHTTrack insists on using Firefox as the User Interface.
That's *VERY* annoying as I use SeaMonkey > 99.9% of the time.
I went to the website  and did not find anything 
even somewhat relevant.


I attempted to edit /usr/bin/webhttrack without benefit.
Searching suggests these locations for possible edits.

Contains:
at line 6:  BROWSEREXE=""
edited to:  BROWSEREXE="seamonkey"

at line 7:	SRCHBROWSEREXE="x-www-browser www-browser iceape mozilla 
firefox ...
edited to:	SRCHBROWSEREXE="x-www-browser www-browser iceape mozilla 
seamonkey firefox ...


at line 20: SRCHPATH="$BINWD /usr/local/bin /usr/share/bin /usr/bin  ...
edited to:	SRCHPATH="$BINWD /usr/bin/seamonkey/ /usr/local/bin 
/usr/share/bin /usr/bin ...



I used its Windows incarnation years ago and was happy with it.
Suggestions for having it use SeaMonkey for its UI?
Suggestions for an alternative?

TIA




Radiotray fails in stretch

2018-01-20 Thread tony
I recently upgraded my jessie laptop to stretch, in accordance with the
published instructions.

All seems to have gone well, so far, except for one item: Radiotray will
not run. There is an old bug report against it (814628), which mentions
dependency issues, but the maintainer reckons it's fixed. My symptoms
are identical to those in the bug report.

Does anyone have any suggestions, please?



Re: What is Synaptic trying to tell me?

2018-01-20 Thread David Wright
On Sat 20 Jan 2018 at 07:13:28 (-0600), Richard Owlett wrote:
> On 01/18/2018 06:59 PM, David Wright wrote:

> >Packages are normally held back when upgrading them would involve
> >removing a package or installing a new one, and that is forbidden
> >by the upgrade method you're using.
> >
> >So, for example, apt-get dist-upgrade was recently needed to upgrade
> >linux-image against Meltdown because a new package was being
> >installed. (Substitute "apt-get dist-upgrade" accordingly.)
> 
> I don't understand the point you were trying convey saying
> *(Substitute "apt-get dist-upgrade" accordingly.)* when having just
> said "for example, apt-get dist-upgrade was recently needed".

I speak "apt-get", but I'm not a polyglot so you will have to
permute these:

apt aptitude synaptic get update upgrade dist safe full and lastly "-"

into your favourite command with suitable arguments by means of
diligent comparison of their man pages.

> >BTW when installing a kernel image (and related packages), you should
> >select the least specific generic package (like linux-image-686-pae)
> >rather than the versioned one. Because the new kernel was a new
> >package (-4 → -5), it wouldn't be seen as an upgrade except as a
> >dependency of the generic package.
> >
> 
> I habitually use "expert install" for historical (hysterical ;) reasons.
> I've been in the habit of accepting the suggested kernel.
> But I've yet to find a reference listing the kernels offered and
> their features.

In this screen, which you will have encountered, you should install
the middle line unless you have particular reason not to:

  ┌───┤ [?] Install the base system ├──────────────────────────────────┐
  │                                                                    │
  │ The list shows the available kernels. Please choose one of them in │
  │ order to make the system bootable from the hard drive.             │
  │                                                                    │
  │ Kernel to install:                                                 │
  │                                                                    │
  │    linux-image-4.9.0-4-amd64                                       │
  │    linux-image-amd64                                               │
  │    none                                                            │
  │                                                                    │
  └────────────────────────────────────────────────────────────────────┘

On an older PC, you might have a more important choice to make:

  ┌───┤ [?] Install the base system ├──────────────────────────────────┐
  │                                                                    │
  │ The list shows the available kernels. Please choose one of them in │
  │ order to make the system bootable from the hard drive.             │
  │                                                                    │
  │ Kernel to install:                                                 │
  │                                                                    │
  │    linux-image-4.9.0-2-686                                         │
  │    linux-image-586                                                 │
  │    linux-image-686                                                 │
  │    none                                                            │
  │                                                                    │
  └────────────────────────────────────────────────────────────────────┘

At various times in the past there have been options like -486 and
-pae according to the CPU's features. IIRC all 686 kernels now
assume -pae, so this old laptop has to use:

$ uname -r
3.16.0-5-586
$ 

Cheers,
David.
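The hold-back explained above comes down to package names: a kernel ABI bump (-4 to -5) is a new package, so plain `apt-get upgrade` (Synaptic's "Default Upgrade") never installs it, and only the generic metapackage (linux-image-amd64, linux-image-686-pae, ...) drags it in under `dist-upgrade`. A side effect worth checking after such an upgrade is that the new kernel is installed but the old one is still the one running. The POSIX sh script below is an added example, not code from the thread; it reports whether the running kernel is the newest installed one and whether the metapackage for its flavour is present. The package listing is constructed for the example; on a real system it would come from `dpkg-query -W -f='${binary:Package} ${db:Status-Status}\n' 'linux-image-*'`, and the running release from `uname -r`.

```shell
#!/bin/sh
# Added example: is the running kernel the newest one installed, and is the
# generic linux-image metapackage present so future ABI bumps are pulled in?
# Constructed stand-in for:
#   dpkg-query -W -f='${binary:Package} ${db:Status-Status}\n' 'linux-image-*'
CONSTRUCTED_DPKG_LISTING='linux-image-4.9.0-4-amd64 installed
linux-image-4.9.0-5-amd64 installed
linux-image-amd64 installed
linux-image-3.16.0-5-586 installed'

# Compare two dotted/dashed versions field by field; prints -1, 0 or 1.
# Pure awk so it does not depend on sort -V or dpkg --compare-versions.
vercmp() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "[.-]"); nb = split(b, y, "[.-]")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      p = (i <= na) ? x[i] + 0 : 0
      q = (i <= nb) ? y[i] + 0 : 0
      if (p < q) { print "-1"; exit }
      if (p > q) { print "1"; exit }
    }
    print "0"
  }'
}

# linux-image-4.9.0-5-amd64 -> 4.9.0-5 ; metapackages (no version) -> empty.
kernel_version_of() {
  printf '%s\n' "$1" | sed -n 's/^linux-image-\([0-9][0-9.]*-[0-9][0-9]*\)-.*$/\1/p'
}

# Newest installed versioned kernel package for a flavour (amd64, 686-pae,
# 586, ...); reads the dpkg listing from stdin.
newest_installed_kernel() {
  flavour=$1; best=""; bestv=""
  while read -r pkg status; do
    [ "$status" = installed ] || continue
    case $pkg in linux-image-*-"$flavour") ;; *) continue ;; esac
    v=$(kernel_version_of "$pkg")
    [ -n "$v" ] || continue
    if [ -z "$bestv" ] || [ "$(vercmp "$v" "$bestv")" -gt 0 ]; then
      best=$pkg; bestv=$v
    fi
  done
  printf '%s\n' "$best"
}

# Is the generic metapackage for the flavour installed? Prints yes or no.
metapackage_installed() {
  grep -q "^linux-image-$1 installed$" && echo yes || echo no
}

# Given the running release (uname -r style) and the listing on stdin,
# print "current ..." or "reboot-needed:<newest package> ...".
kernel_status() {
  running=$1
  listing=$(cat)
  flavour=$(printf '%s' "$running" | sed 's/^[0-9][0-9.]*-[0-9][0-9]*-//')
  runv=${running%-"$flavour"}
  newest=$(printf '%s\n' "$listing" | newest_installed_kernel "$flavour")
  newv=$(kernel_version_of "$newest")
  meta=$(printf '%s\n' "$listing" | metapackage_installed "$flavour")
  if [ -n "$newv" ] && [ "$(vercmp "$newv" "$runv")" -gt 0 ]; then
    echo "reboot-needed:$newest metapackage:$meta"
  else
    echo "current metapackage:$meta"
  fi
}

# Demo on the constructed listing; on a real host use "$(uname -r)".
printf '%s\n' "$CONSTRUCTED_DPKG_LISTING" | kernel_status 4.9.0-4-amd64
printf '%s\n' "$CONSTRUCTED_DPKG_LISTING" | kernel_status 3.16.0-5-586
```

The first call mirrors the Meltdown case in the thread: the -5 kernel is installed next to the running -4 one, so the fix is not active until a reboot. The second shows the old 586 laptop, where no metapackage is installed and a future ABI bump would simply be held back unnoticed.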



Re: What is Synaptic trying to tell me?

2018-01-20 Thread Richard Owlett

On 01/20/2018 08:08 AM, Curt wrote:
> On 2018-01-20, Richard Owlett  wrote:
>> On 01/18/2018 10:32 PM, songbird wrote:
>>> Richard Owlett wrote:
>>> ...
>>>> This is the *FIRST* time I have attempted to investigate what is being
>>>> held back.
>>>>
>>>> Please educate me ;/
>>>
>>>    check your settings -> preferences...>
>>>
>>>    songbird
>>
>> I went there. I did not spot what you wanted me to notice :{
>> Thanks for trying.
>
>   Synaptic Package Manager provides two methods for marking packages for
>   upgrade:
>
>   Default Upgrade
>
>   The default upgrade method marks upgrades of installed packages only. If
>   the later version of a package depends on not installed packages or
>   conflicts with an already installed package, the upgrade will not be
>   marked.
>
>   Smart Upgrade (Dist-Upgrade)
>
>   The smart upgrade method tries to resolve package conflicts
>   intelligently. This includes installing additional required packages and
>   preferring packages with higher priority.
>   Smart upgrade is also known as dist-upgrade in the console tool apt-get.
>
> Maybe that is what the songbird is tweeting about.
>
>   Settings/Preferences/General/System Upgrade/Always Ask--Default
>   Upgrade--Smart Upgrade



I don't know.
Synaptic is currently set to "Smart Upgrade".
I don't recall having changed anything.
I've just changed it to "Always Ask". I prefer to be forced to think first
rather than "repent at leisure" ;/





Re: looking for drawing program to inscribe a square in a circle and label items

2018-01-20 Thread Chris Ramsden
On 20/01/18 03:50, Dan Hitt wrote:
> I'm looking for a gui drawing program that will let me, for example,
> draw a circle, inscribe a square in the circle, connect the opposite
> edges of the square with line segments, draw the diagonals of the
> square, and label the vertices, edges, and regions of the figure.
>
> So, something like xfig, except that it should have geometrically
> describable grouping or linking options.  (You can glue objects
> together with xfig, but afaik not link them loosely, like through a
> point of tangency.)
>
> I.e., if i draw two primitives (like a square and a circle), then it
> should be possible to demand that they stay tangent, or that the
> corners of the square be on the circle (inscription), and these
> relations will continue to hold if one primitive or the other is
> resized or scaled or moved (and the relations should be recorded as
> some kind of constraints in the file format).
>
> Maybe some kind of svg editor is capable of doing this?
>
> Anyhow, tia for any pointers.
>
> dan
>
Inkscape?

-- 
Chris



Re: looking for drawing program to inscribe a square in a circle and label items

2018-01-20 Thread rhkramer
On Friday, January 19, 2018 10:50:11 PM Dan Hitt wrote:
> So, something like xfig, except that it should have geometrically
> describable grouping or linking options.  (You can glue objects
> together with xfig, but afaik not link them loosely, like through a
> point of tangency.)
> 
> I.e., if i draw two primitives (like a square and a circle), then it
> should be possible to demand that they stay tangent, or that the
> corners of the square be on the circle (inscription), and these
> relations will continue to hold if one primitive or the other is
> resized or scaled or moved (and the relations should be recorded as
> some kind of constraints in the file format).
> 
> Maybe some kind of svg editor is capable of doing this?

(I'm not familiar with xfig, maybe it is somewhat like Visio / dia?)

I don't know if dia is capable of all you want or not, but I mention it just 
because it is the Linux drawing tool that I am slightly familiar with, use 
(very rarely), and I think of as (a partial?) equivalent of Visio.  (I used to 
use Visio (Windows only, afaik) for quite a few things, since then I've had 
much less need for drawing things (or avoided drawing the things I should have 
;-).

Anyway, I am subscribed to a dia mail list and see some of the discussions 
about various problems.

If I wanted to do what you described in Visio, I'd proceed something like this 
(forgetting some of the Visio terms for things)--for example, for the square 
inscribed in a circle:

Create a "template" (mcow (my choice of words)) starting with a circle.

Create connection points on the circle at 0, 90, 180, and 270 degrees.

(That might be all I put in the template, or I might include line segments 
connecting the various points to make the square, diagonals, and so forth.  If 
I want to connect the midpoints of the square with other line segments, I'd 
include connection points at the midpoints of the lines in the template (which 
obviously means I'd include the lines making the square in the template).

Then I would use the template to create an "instance" (again, MCOW) of that 
object which I could place anywhere on the drawing and resize as desired.

For the square tangent to the circle, I'd do something similar, as a template, 
create a square, put a connection point at the midpoint of one of the sides, 
add a circle with a connection point, connect the circle to the square at the 
connection points.  Then create an instance of that template and place it on 
the drawing.

(If the tangent point should be elsewhere on the side of the square, I'd put 
the connection point there--if it needs to vary the position, I'd have to 
understand how it should vary and think some more.)

I'm fairly sure all of this could be done in Visio.  I'm not as sure about 
dia--a recent thread on the dia list talked about some difficulty connecting 
two lines together, but at least one workaround was suggested.



Re: What is Synaptic trying to tell me?

2018-01-20 Thread Curt
On 2018-01-20, Richard Owlett  wrote:
> On 01/18/2018 10:32 PM, songbird wrote:
>> Richard Owlett wrote:
>> ...
>>> This is the *FIRST* time I have attempted to investigate what is being
>>> held back.
>>>
>>> Please educate me ;/
>> 
>>check your settings -> preferences...> 
>> 
>>songbird
>> 
>> 
>
> I went there. I did not spot what you wanted me to notice :{
> Thanks for trying.
>

 Synaptic Package Manager provides two methods for marking packages for
 upgrade:
 
 Default Upgrade
 The default upgrade method marks upgrades of installed packages only. If
 the later version of a package depends on not installed packages or
 conflicts with an already installed package, the upgrade will not be
 marked.
 
 Smart Upgrade (Dist-Upgrade)
 The smart upgrade method tries to resolve package conflicts
 intelligently. This includes installing additional required packages and
 preferring packages with higher priority.
 Smart upgrade is also known as dist-upgrade in the console tool apt-get.

Maybe that is what the songbird is tweeting about.

 Settings/Preferences/General/System Upgrade/Always Ask--Default
 Upgrade--Smart Upgrade

-- 
“True terror is to wake up one morning and discover that your high school class
is running the country.” – Kurt Vonnegut



Re: HTTPS - Your connection is not private - ERR_CERT_AUTHORITY_INVALID

2018-01-20 Thread Joe
I tried:

apt remove ca-certificates

and then:

apt install ca-certificates

But the problem persists.

I'll follow your suggestion.
I've backed up some scripts and openbox configurations.

Now I'm ready to do a reinstall from scratch.

Anyway, before that, I'd like to try to remove all "non-jessie"
packages installed, to obtain a "pure" Jessie system.

Is there a way with apt or aptitude to achieve that goal?
Thanks a lot for your reply, Dave!!!   :D

On Sat, Jan 20, 2018 at 2:01 PM, Dave Sherohman  wrote:
>> Now, when I open chromium or midori, I receive the error in the message 
>> subject.
>> Any https url is not opened and a warning page is displayed instead.
>>
>> What could be the problem?
>
> Sounds like the root CA (Certification Authority) certificates aren't
> installed, making it impossible to establish trust in the individual
> site certificates.
>
>> And How to solve?
>
> First thing I'd try would be reinstalling the ca-certificates package.
>
> (Well, actually, the first thing I'd consider would be copying all
> important data to another location, then either restore a backup or
> reinstall the system, because it sounds like the problem it encountered
> is having widespread effects, so you're likely to encounter further
> weird problems like this in the future.  But I assume that, in this
> case, neither of those is a viable option, so you're stuck with playing
> whack-a-mole as broken things are discovered.)
>
> --
> Dave Sherohman
>



Re: What is Synaptic trying to tell me?

2018-01-20 Thread Richard Owlett

On 01/18/2018 10:32 PM, songbird wrote:
> Richard Owlett wrote:
> ...
>> This is the *FIRST* time I have attempted to investigate what is being
>> held back.
>>
>> Please educate me ;/
>
>    check your settings -> preferences...>
>
>    songbird

I went there. I did not spot what you wanted me to notice :{
Thanks for trying.



Re: What is Synaptic trying to tell me?

2018-01-20 Thread Richard Owlett

On 01/18/2018 06:59 PM, David Wright wrote:
> On Thu 18 Jan 2018 at 15:13:12 (-0600), Richard Owlett wrote:
>> I've been exploring the idea of downloading several packages.
>> When I select "apply" it routinely says "1 package will be held back
>> and not upgraded" in the lower half of a screen titled "Summary (as
>> superuser)".
>>
>> In both the upper and lower half of that screen I can discover what
>> packages will be downloaded I can click appropriately and be
>> informed that a list of packages will be downloaded. They are always
>> what I wanted/expected. So far, so good ;/
>>
>> Today I got curious.
>> In the lower half of the screen I clicked the button labeled "Show
>> Details". It listed *ONLY* the expected/intended files.
>>
>> In the upper half of the screen I observed that clicking on the ">"
>> labeled "To be installed" I observed the same files as listed in
>> response to "Show Details".
>>
>> *HOWEVER* when clicking on the ">" labeled "Unchanged" it listed
>> "linux-image-686-pae". Why? Less than 2 weeks ago I chose to install
>> the i386 flavor of current point release of Stretch. I was using
>> "Expert Install" and IIRC that was the default.
>>
>> For years I've gotten the "1 package will be held back and not
>> upgraded" message. That response is obviously release independent.
>> Previous installs have been from purchased DVD sets.
>>
>> This is the *FIRST* time I have attempted to investigate what is
>> being held back.
>>
>> Please educate me ;/
>
> Packages are normally held back when upgrading them would involve
> removing a package or installing a new one, and that is forbidden
> by the upgrade method you're using.
>
> So, for example, apt-get dist-upgrade was recently needed to upgrade
> linux-image against Meltdown because a new package was being
> installed. (Substitute "apt-get dist-upgrade" accordingly.)

I don't understand the point you were trying to convey saying
*(Substitute "apt-get dist-upgrade" accordingly.)* when having just said 
"for example, apt-get dist-upgrade was recently needed".

I've just done:
  apt-get update
  apt-get dist-upgrade
which I believe is what you intended.

> BTW when installing a kernel image (and related packages), you should
> select the least specific generic package (like linux-image-686-pae)
> rather than the versioned one. Because the new kernel was a new
> package (-4 → -5), it wouldn't be seen as an upgrade except as a
> dependency of the generic package.

I habitually use "expert install" for historical (hysterical ;) reasons.
I've been in the habit of accepting the suggested kernel.
But I've yet to find a reference listing the kernels offered and their 
features.
Part of my reasoning for using "expert install" almost from the first is 
that it makes me aware of what happens behind the scene.

Thank you.

> Cheers,
> David.



Re: HTTPS - Your connection is not private - ERR_CERT_AUTHORITY_INVALID

2018-01-20 Thread Dave Sherohman
> Now, when I open chromium or midori, I receive the error in the message 
> subject.
> Any https url is not opened and a warning page is displayed instead.
> 
> What could be the problem?

Sounds like the root CA (Certification Authority) certificates aren't
installed, making it impossible to establish trust in the individual
site certificates.

> And How to solve?

First thing I'd try would be reinstalling the ca-certificates package.

(Well, actually, the first thing I'd consider would be copying all
important data to another location, then either restore a backup or
reinstall the system, because it sounds like the problem it encountered
is having widespread effects, so you're likely to encounter further
weird problems like this in the future.  But I assume that, in this
case, neither of those is a viable option, so you're stuck with playing
whack-a-mole as broken things are discovered.)

-- 
Dave Sherohman
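The diagnosis above (a site certificate that cannot be chained to a root the system trusts) can be reproduced offline, which also shows what the browser's ERR_CERT_AUTHORITY_INVALID looks like from the command line. The script below is an added example, not code from the thread: it builds two unrelated throwaway CAs, signs a leaf with the first, and verifies that leaf against each. On Debian the store the browsers and `openssl` consult is /etc/ssl/certs/ca-certificates.crt, which `update-ca-certificates` assembles from the ca-certificates package, so the "unrelated CA" case is what a missing or emptied store produces. All certificate material is constructed on the fly; only `openssl` and a temporary directory are assumed.

```shell
#!/bin/sh
# Added example: reproduce "unable to get local issuer certificate" offline.
# A leaf verifies only against a trust store that contains its signing CA.
# Everything generated here is constructed test material, valid for one day.

# Build a tiny PKI in $1: two unrelated CAs and a leaf signed by CA 1.
make_test_pki() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=Constructed Test CA 1" \
    -keyout "$dir/ca1.key" -out "$dir/ca1.pem" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=Constructed Test CA 2" \
    -keyout "$dir/ca2.key" -out "$dir/ca2.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=www.example.test" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 1 -in "$dir/leaf.csr" \
    -CA "$dir/ca1.pem" -CAkey "$dir/ca1.key" -CAcreateserial \
    -out "$dir/leaf.pem" >/dev/null 2>&1
}

# Verify a leaf ($2) against a trust-store file ($1); prints OK or FAIL.
# On a real host the store argument would be /etc/ssl/certs/ca-certificates.crt.
verify_leaf() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# Same check, but print the verifier's reason text, e.g.
# "unable to get local issuer certificate" (empty when verification passes).
verify_reason() {
  openssl verify -CAfile "$1" "$2" 2>&1 | sed -n 's/.*depth lookup:[ ]*//p' | head -n 1
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_test_pki "$WORK"

echo "store holds the signing CA:  $(verify_leaf "$WORK/ca1.pem" "$WORK/leaf.pem")"
echo "store holds an unrelated CA: $(verify_leaf "$WORK/ca2.pem" "$WORK/leaf.pem")"
echo "reason for the failure:      $(verify_reason "$WORK/ca2.pem" "$WORK/leaf.pem")"
```

Against a live server the same check is `openssl s_client -connect host:443 -CAfile /etc/ssl/certs/ca-certificates.crt </dev/null`, whose "Verify return code" line reports the same reason text when the system store is broken; reinstalling ca-certificates, or running `update-ca-certificates` as root, rebuilds that bundle.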



Re: Network setup by installer

2018-01-20 Thread Brian
On Fri 19 Jan 2018 at 19:09:27 +, Brian wrote:

> On Sat 20 Jan 2018 at 03:25:00 +0900, Mark Fletcher wrote:
> 
> > To get out of the situation I'm in on those two machines, I just need to 
> > hand-craft the interfaces file to something like what you have above, 
> > with appropriate device, ssid and WPA password values substituted. For 
> > these PARTICULAR systems, firmware doesn't seem to be a problem.
> 
> That's about it. The transferring of the interfaces file takes place in
> a late_command. I've not tried it myself but it should work and I intend
> to have a go tomorrow.

The location of the files you provide will be different from mine.
interfaces could also have stanzas for all the wireless devices; only
one of them is going to be brought up anyway. This works for me:

d-i preseed/late_command string \
  cp /hd-media/files/interfaces /target/etc/network/interfaces; \
  mkdir -p /target/lib/firmware; \
  cp -r /hd-media/files/zd1211 /target/lib/firmware/; \
  in-target apt-get -y install wpasupplicant

The technique just replaces installing over a wireless link from the
start. I've been wondering why you chose not to do that and avoid the
extra work.

-- 
Brian.



Re: looking for drawing program to inscribe a square in a circle and label items

2018-01-20 Thread Curt
On 2018-01-20, David Wright  wrote:
> On Fri 19 Jan 2018 at 19:50:11 (-0800), Dan Hitt wrote:
>> Anyhow, tia for any pointers.
>
> geogebra looks promising and is in Debian.

It's even on line, apparently, for a test run (pretty clean interface),
or even a veritable run (though you must create an account to save your
work) in your browser.

https://www.geogebra.org/classic


> Cheers,
> David.
>
>


-- 
“True terror is to wake up one morning and discover that your high school class
is running the country.” – Kurt Vonnegut