Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread Tom H
On Mon, Dec 6, 2010 at 6:28 PM, Bob McConnell  wrote:
> Ryan Wagoner wrote:
>>
>> IPv6 is not broken by design. NAT was implemented to extend the time
>> until IPv4 exhaustion. A side effect was hiding the internal IPv4
>> address, which complicates a number of protocols like FTP and SIP. The
>> only downside I see is ISPs could try and charge based on the number
>> of IPv6 addresses being used.
>
> No, the downside is that each address used will be exposed to the world.
> I consider that a serious security flaw. Having my ISP know how many
> computers I have is a minor issue covered by the contract I have with
> them. But having all of those addresses exposed to Russian mobsters,
> terrorists, crackers and everyone else that knows how to capture packets
> is another matter altogether. If IPv6 exposes that information to the
> world, it is definitely unsafe to use.

As opposed to these "Russian mobsters, terrorists, crackers" looking
at the headers of your email above...
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread Tom H
On Mon, Dec 6, 2010 at 6:56 PM, Ryan Wagoner  wrote:
> On Mon, Dec 6, 2010 at 6:28 PM, Bob McConnell  wrote:
>> Ryan Wagoner wrote:
>>> On Mon, Dec 6, 2010 at 5:15 PM, Bob McConnell  
>>> wrote:
 David Sommerseth wrote:
> On 06/12/10 15:29, Todd Rinaldo wrote:
>> On Dec 6, 2010, at 5:27 AM, David Sommerseth wrote:
>>
>>> On 05/12/10 14:21, Tom H wrote:
 On Sun, Dec 5, 2010 at 8:13 AM, RedShift  wrote:
> On 12/05/10 12:50, Rudi Ahlers wrote:
>> (http://www.internetnews.com/infra/article.php/3915471/IPv4+Nearing+Final+Days.htm),
> Haven't switched yet, I have IPv6 at home using sixxs.
>
> I can't even figure out what address ranges are reserved for private 
> use, is there even such a concept in IPv6?
 I think that site-local ("fec0:: - fef::") is the ipv6
 more-or-less-equivalent of ipv4 private addresses.
>>> Yes, that's correct and it is deprecated.
>>> 
>>>
>>> With IPv6 there are plenty of addresses for everyone, so you basically use
>>> your own assigned official IPv6 address space, set up your own private
>>> /64 net and block that subnet in your firewalls.
>>>
>>> Another thing, there is no NAT and it will not be implemented as we know
>>> it in IPv4.  To call NAT a security feature is also a faulty
>>> understanding.  As NAT only prevents access from outside to some
>>> computer inside a network which is NAT'ed.  This restriction and
>>> filtering is the task of the firewall anyway, which does the NAT anyway.
>>>
>>> NAT basically just breaks a lot of protocols and enforces complex
>>> firewalls which need to understand a lot of different protocols to be
>>> able to do things correctly.  Which often does not work as well as it
>>> could.
>>>
>> I've heard this before but it's always confused me. Admittedly I
>> haven't had a chance to look at the spec. If we're saying that
>> everyone's going to have the same private subnet, then we're saying
>> that all the private subnets are going to have to be NAT-ed,
>> aren't they?
> This can be a bit confusing, especially if you see this with "IPv4
> eyes".  In IPv6, there basically is no such thing as a private subnet
> (range).
>
> When you contact your ISP to get an IPv6 subnet, they will most probably
> give you a /48 network.  That means you will have an IPv6 prefix which is
> unique.  That is a reference to all _your_ IPv6 networks.
>
> Then you will normally segment this /48 subnet into more /64 networks.
> A /48 subnet gives you 65536 /64 networks.  So the IPv6 prefix will be
> something like:
>
>    :::::/64
>
> the '::' part is the prefix your ISP will provide you, and
> this is the first 48bits of the IPv6 address.  The '' part is up to
> you to decide what will be, and that's the next 16 bits of the address
> scope.  So 48 + 16 = 64 bits.   And 2^16 = 65536.
>
> And this is all you need to know about IPv6 addressing.  Really!  That's
> it.  No network addresses, no broadcast addresses.  Just pure usable
> IPv6 addresses.
>
> (You may of course make even more subnets below /64, but that's usually
> not recommended at all, especially with auto-configured networks)
>
> So then ... the next phase.  As everyone who gets a /48 net should have
> it flexible enough to set up private networks, the firewall just needs to
> completely block incoming traffic to a /64 net defined by the admins as
> private.  It can further be decided if this /64 net should have access
> to IPv6 addresses outside this local network.  Again this is just a
> firewall rule and nothing more - allow or reject/drop.
>
> And then, the formerly proposed site-local subnet makes pretty much no
> sense, as IPv6 does not support NAT, since this network would not be able
> to communicate across a router/firewall.  This subnet (fec0:: - fef::)
> should not be routed anywhere.  And without NAT, it can't escape the
> subnet at all anyway.
>
> So, spending one or two or 100s of /64 subnets with public IPv6 addresses
> which are completely blocked in a firewall will serve exactly the same
> purpose as a site-local subnet.  But this /64 net may get access to the
> Internet *if* allowed by the firewall.  This is not possible with
> site-local at all.  And of course, this is without NAT in addition.
>
> I hope this made it a little bit clearer.
 Clear as mud. If I understand you correctly, I have to say that IPv6 is
 broken by design. I have a double handful of computers on my home
 network. Each of them needs access to the Internet to get updates to the
 OS and various applications. However, I do *NOT* want each and every one
 of them to show up as a unique addres

[CentOS] How to dump mails via HTTP

2010-12-07 Thread gigzbyte
Hello everyone!
How can I dump, in a human-readable format, all e-mails sent and received
via an HTTP web interface, for example via aol.com or gmail.com? Those are
just examples; the real one is its own mail service, but it is not under
my control. Connections to the web interface are not secured with HTTPS,
pure HTTP. In the case of POP3/SMTP I can successfully dump it with
mailsnarf from the dsniff rpm.
Please help with something!
Sorry, English is not my native language :-)

-- 

--
With regards,
Dmitry Lock
Network Engineer
Customer Support Service
PTC Center




Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread Christopher Chan
On Tuesday, December 07, 2010 11:08 AM, Todd Rinaldo wrote:
>
> On Dec 6, 2010, at 7:51 PM, Christopher Chan wrote:
>
>> On Tuesday, December 07, 2010 08:57 AM, David wrote:
>>> Folks
>>>
>>> I have been following the IPV6 comments.
>>>
>>> What concerns me with the loss of NAT are the following issues:
>>>
>>> 1) My friend from half-way around the world comes to visit.  He turns
>>> on his IPV6 enabled device (think Ipad), and wants to use my ISP's
>>> connection. What IP address does he get?  If it's his home address,
>>> that makes routing difficult.  If he dynamically gets one of "my" addresses
>>> a)  Did my ISP give me enough?
>>
>> Let's see...if you apply for ipv6, you get a /48 network or as David put
>> it, 65k worth of /64 subnets.
>>
>>> b)  Do I get charged by my ISP on a per-device basis?
>>
>> Heh, if they want to micromanage...
>
> I'm still waiting for the day I get a home ISP that doesn't nickel and dime 
> me. I agree that this is a potential concern. What's sad is that if they 
> decide to do this, there's little I can do about it since ipv6 doesn't 
> support NAT.
>
> Don't get me wrong. Now I've reviewed the spec, I agree NAT isn't required, 
> but unless all the end user ISPs turn into benevolent Oligopolies, it is a 
> potential issue.

Ah, I must pity you who have to live with what you've got in the United 
States being under the rule of these tyrants. You guys probably can only 
dream of getting a 100MB fibre connection for 13USD/mnth or a 1GB fibre 
connection for 30 or so USD/mnth. I hesitate to keep the chaps in 
Australia on the list to be pitied now that Telstra is being dismantled.


Re: [CentOS] CentOS 5.5 with MediaWiki

2010-12-07 Thread Clovis Tristao
On 06-12-2010 15:55, Mathieu Baudier wrote:
>> Also, there will soon be a MediaWiki 1.16 package in EPEL[1].  There is
> Good news!
>
> Actually my dependencies were probably from EPEL in that case, not RPMForge.
>
How do I solve this problem, rebuild the php-xml package for CentOS 5.5?

Cheers,

Clóvis

-- 
Clovis Tristao - UNICAMP/Faculdade de Engenharia Agricola
Network Administrator - IT Section (SINFO)
E-mail: clo...@feagri.unicamp.br http://www.feagri.unicamp.br
Phone (0xx19) 35211031-35211038-91173116 or FAX (55xx19) 35211005/35211010



Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread David Sommerseth
On 07/12/10 02:26, Les Mikesell wrote:
> On 12/6/10 6:27 PM, Brian Mathis wrote:
>> You are enjoying a side-effect of NAT by thinking it
>> is a firewall.
> 
> The other nice side-effect of NAT is that you get an effectively infinite number
> of addresses behind it without any pre-arrangement with anyone else.  Even if
> ISPs hand out what they expect to be reasonably-sized blocks, won't it be much
> harder to deal with when you outgrow your allotment?  We've had the opportunity
> to move to ipv6 for ages but we haven't (in the US, anyway).  I think the reason
> is that most people like the way NAT works and don't really want a public
> address on every device.

So you are afraid of outgrowing an assigned /48 net?  Let's do
some math here ... and I hope I get it right ...

IPv4:  aa:bb:cc:dd   that's 32 bit
IPv6:  ::::  this is 48 bits out of 128bits

In the IPv6 scenario, you have been assigned '::::' as your
IPv6 prefix by your ISP.

So that means that you have 128-48 bits available for your own
addressing scheme.  That is 80 bits you have absolutely full control
over.  Of course, it's recommended to have subnets no smaller than 64
bits.  So that makes it:

IPv6 /64 subnets:  :::::

That means you have 16 bits for subnets.  2^16 = 65536 subnets, each
with 64bit addressing.  And if my math doesn't fail me now, a 64 bit
addressing scheme is doubling the IPv4 address scope 32 times.

What I mean is that from 32 bit to 33 bit, you have 2 * 32 bit
addressing scope.  From 32 to 34, you have 4 * 32 bit
addressing scope.  For each bit you add, you double what you had.

It is simply insanely many addresses.  And if you fear that ISPs or IANA
might run out of address spaces.  Remember that they have 48 bits to
play with, which is the IPv4 address scope doubled 16 times.

Of course some ISPs will probably just hand out /64 networks to most of
their customers (most probably to home users).  But that's another
story.  And a /64 network is possible but not so easy to subnet further,
and is also not recommended.


kind regards,

David Sommerseth



Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread Adam Tauno Williams
On Mon, 2010-12-06 at 17:15 -0500, Bob McConnell wrote: 
> > So, spending one or two or 100s of /64 subnets with public IPv6 addresses
> > which are completely blocked in a firewall will serve exactly the same
> > purpose as a site-local subnet.  But this /64 net may get access to the
> > Internet *if* allowed by the firewall.  This is not possible with
> > site-local at all.  And of course, this is without NAT in addition.
> > I hope this made it a little bit clearer.
> Clear as mud. If I understand you correctly, I have to say that IPv6 is 
> broken by design.

It isn't.

> I have a double handful of computers on my home 
> network. Each of them needs access to the Internet to get updates to the 
> OS and various applications. However, I do *NOT* want each and every one 
> of them to show up as a unique address outside of my network.

Why?  Things will only work better.  NAT is not some magic sauce, it is
a *HACK*.

> With IP4 
> and m0n0wall running as the NAT, they are all translated to the single 
> IP address that Roadrunner assigned to my Firewall. I need to continue 
> that mapping. 

Why?  There is no reason.  You are wrong, you do *NOT* need to "continue
that mapping".  That mapping is pointless.

> If IPv6 cannot do that, then I hope Time-Warner continues 
> to ignore it and stays with their current address structure.




Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread Adam Tauno Williams
On Mon, 2010-12-06 at 18:28 -0500, Bob McConnell wrote: 
> > IPv6 is not broken by design. NAT was implemented to extend the time
> > until IPv4 exhaustion. A side effect was hiding the internal IPv4
> > address, which complicates a number of protocols like FTP and SIP. The
> > only downside I see is ISPs could try and charge based on the number
> > of IPv6 addresses being used.
> No, the downside is that each address used will be exposed to the world.

False.  That is *NOT* a downside.

NAT is *NOT* a magic sauce - install a firewall [which you probably
already have].  Problem solved.

> I consider that a serious security flaw. 

It is not.

> Having my ISP know how many 
> computers I have is a minor issue covered by the contract I have with 
> them. 

So you want to cheat on the legal contract you agreed to?

> But having all of those addresses exposed to Russian mobsters, 
> terrorists, crackers and everyone else that knows how to capture packets 
> is another matter altogether. If IPv6 exposes that information to the 
> world, it is definitely unsafe to use.

The "Russian mobsters" can already do that; if you think NAT is
protecting you from that then you are mistaken.




Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread Mathieu Baudier
> >     b)  Do I get charged by my ISP on a per-device basis?
>
> Heh, if they want to micromanage...

This is no science fiction.
Some big providers in some countries limit the number of devices that
can connect to the internet. You have to register the MAC address of your
single PC (which, by the way, is expected to run Windows or MacOS)

In that case, a NAT router sending the MAC address expected by the
provider could have (maybe, possibly...) been very handy.
(I won't tell more, even though I have left the country and the
provider in question)


Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread Christopher Chan
On Tuesday, December 07, 2010 07:23 PM, Mathieu Baudier wrote:
>>>  b)  Do I get charged by my ISP on a per-device basis?
>>
>> Heh, if they want to micromanage...
>
> This is no science fiction.

Never said it was.


> Some big providers in some countries limit the number of devices that
> can connect to the internet. You have to register the MAC address of your
> single PC (which, by the way, is expected to run Windows or MacOS)

Not news to me. Netvigator over here had single computer in its terms 
and conditions and single user/multiple user accounts. And only they had 
such terms but they never did try to enforce them. Not with all the 
competition around.


>
> In that case, a NAT router sending the MAC address expected by the
> provider could have (maybe, possibly...) been very handy.
> (I won't tell more, even though I have left the country and the
> provider in question)

/me does not care. Not sure about other folks though...do them a service :-p


Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread Mathieu Baudier
> /me does not care. Not sure about other folks though...do them a service :-p

In theory, a lot of residential routers (not provided by the ISP) will
allow you to set the MAC address they send via their web interface.

And on a full fledged Linux OS:
ifconfig ethX hw ether MY:MA:CA:DD:RE:SS
(or something like that, see man ifconfig)

I just did not say whether I have ever tried in real...


Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread Luigi Rosa
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Mathieu Baudier said the following on 07/12/10 12:23:

> Some big providers in some countries limit the number of devices that
> can connect to the internet.

FastWeb does this in Italy.

They configure their router (to which you do NOT have access) giving the LAN
side a 192.168.x.x/24 but only the first 'n' IPs ('n' depends on how much you
pay) of the subnet are NATted.



Ciao,
luigi

- -- 
/
+--[Luigi Rosa]--
\

Biggest Black Hole ever Found in Nearby Galaxy.
EVERYBODY PAN..IC
--fark.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkz+IPkACgkQ3kWu7Tfl6ZTJkgCgk5Ze9QBWePuH0IHkFcIp/drk
ve8An1LO9CW88BE2+lH+U598H1OZunDt
=hWDc
-END PGP SIGNATURE-


Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread Scott Robbins
On Tue, Dec 07, 2010 at 12:23:08PM +0100, Mathieu Baudier wrote:
> > >     b)  Do I get charged by my ISP on a per-device basis?
> >
> > Heh, if they want to micromanage...
> 
> This is no science fiction.
> Some big providers in some countries limit the number of devices that
> can connect to the internet. You have to register the MAC address of your
> single PC (which, by the way, is expected to run Windows or MacOS)

In the old days (5-6 years ago?), you were being sneaky if you used a
router--this is in the US, with Roadrunner.  They acknowledged,
eventually, that it was common, and their terms of service specifically
allow it.  Verizon used to (don't know what they do now), provide a
modem-cum-wireless-router when you got their service---this was with
DSL, I assume they do the same with FIOS.



-- 
Scott Robbins
PGP keyID EB3467D6
( 1B48 077D 66F6 9DB0 FDC2 A409 FA54 EB34 67D6 )
gpg --keyserver pgp.mit.edu --recv-keys EB3467D6

Anyanka: You trusting fool. How do you know the other world is 
any better than this? 
Giles: Because it has to be. 


Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread Mogens Kjaer
On 12/07/2010 12:53 PM, Mathieu Baudier wrote:
...
> And on a full fledged Linux OS:
> ifconfig ethX hw ether MY:MA:CA:DD:RE:SS
> (or something like that, see man ifconfig)
>
> I just did not say whether I have ever tried in real...

You just add the following line to 
/etc/sysconfig/network-scripts/ifcfg-eth0:

MACADDR=MY:MA:CA:DD:RE:SS

It works.

Mogens

-- 
Mogens Kjaer, m...@lemo.dk
http://www.lemo.dk


Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread John Thomas
Can a machine with only an IPv6 address communicate with a machine that only
has an IPv4 address, or are they separate?

-- 
Sincerely,
John Thomas


Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread David Sommerseth
On 07/12/10 12:23, Mathieu Baudier wrote:
>>> b)  Do I get charged by my ISP on a per-device basis?
>>
>> Heh, if they want to micromanage...
> 
> This is no science fiction.
> Some big providers in some countries limit the number of devices that
> can connect to the internet. You have to register the MAC address of your
> single PC (which, by the way, is expected to run Windows or MacOS)

For a lot of people, it is always possible to vote with your wallet.

If a provider is too restrictive for you, choose another one.  I pay my
fees to the ISP I feel is worthy to have me as a customer.  So if they
want my money, they must please me.  But I am also willing to pay a bit
more to a competitor who can fulfil my demands if my current provider
does not deliver according to the agreement and my expectations.

Of course this is not possible in places where there is only one
option.  But then try to approach, if possible, other ISPs anyway, to
see what they can offer you.


kind regards,

David Sommerseth



Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread Gavin Carr
On Mon, Dec 06, 2010 at 08:55:17PM -0500, Bob McConnell wrote:
>> 3) When I connect my IPV6 refrigerator with its automatic inventory
>> system tracking every RFID-enabled carrot I use, won't I be making my
>> shopping habits visible to all those annoying advertisers?  Or, in
>> other words, am I compromising my privacy?  Actually, although such
>> dissemination of information can be blocked by a correctly designed
>> firewall, I suspect the "Free IPv6 DSL Modem and Router, Sponsored by
>> " that comes with your ISP contract,
>> would err on the side of promiscuity.
>
>Why yes, yes you are giving up some of your privacy. And unless you have
>the time and are willing and able to learn how to configure firewalls
>for each device and application you use, or have the money to pay
>someone else you trust to do it for you, there is very little to protect
>you from the rest of the world.

That's at least overstated, and at worst complete FUD. Generic modems and
routers will be configured as they are now - with stateful firewalls
blocking all incoming traffic, except for streams initiated internally. 
Outgoing connections that would have worked before via NAT continue to
work, but without NAT. Stateful firewalls are still stateful firewalls.

Where are you giving up some of your privacy? The number of hosts on
your internal network? So allocate 256 ips (or 65k, if you like) to every
host and use a random ip from that set for every distinct service or 
outgoing connection.

There _is_ more information leakage with ipv6, in the sense that you are 
using a real ip from an internal machine on the connection. But the 
point is that the security benefit of that is largely illusory, security
by obscurity.

Cheers,
Gavin



Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread Steve Clark

On 12/07/2010 06:56 AM, Luigi Rosa wrote:
> Mathieu Baudier said the following on 07/12/10 12:23:
>
>> Some big providers in some countries limit the number of devices that
>> can connect to the internet.
>
> FastWeb does this in Italy.
>
> They configure their router (to which you do NOT have access) giving the LAN
> side a 192.168.x.x/24 but only the first 'n' IPs ('n' depends on how much you
> pay) of the subnet are NATted.

That is easily defeated by putting a Linux box behind the provided
router to do NATting.

--
Stephen Clark
*NetWolves*
Sr. Software Engineer III
Phone: 813-579-3200
Fax: 813-882-0209
Email: steve.cl...@netwolves.com
http://www.netwolves.com


Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread Steve Clark

On 12/07/2010 05:13 AM, David Sommerseth wrote:
> On 07/12/10 02:26, Les Mikesell wrote:
>> On 12/6/10 6:27 PM, Brian Mathis wrote:
>>> You are enjoying a side-effect of NAT by thinking it
>>> is a firewall.
>>
>> The other nice side-effect of NAT is that you get an effectively infinite number
>> of addresses behind it without any pre-arrangement with anyone else.  Even if
>> ISPs hand out what they expect to be reasonably-sized blocks, won't it be much
>> harder to deal with when you outgrow your allotment?
>
> So you are afraid of outgrowing an assigned /48 net?  Let's do
> some math here ... and I hope I get it right ...
...
> Of course some ISPs will probably just hand out /64 networks to most of
> their customers (most probably to home users).  But that's another
> story.  And a /64 network is possible but not so easy to subnet further,
> and is also not recommended.

ISPs are supposed to hand out /48s so you can move to a new ISP
without having to disrupt your internal addressing.

> kind regards,
>
> David Sommerseth

--
Stephen Clark
*NetWolves*
Sr. Software Engineer III
Phone: 813-579-3200
Fax: 813-882-0209
Email: steve.cl...@netwolves.com
http://www.netwolves.com


Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread David Sommerseth
On 07/12/10 13:22, John Thomas wrote:
> Can a machine with only an IPV6 address communicate with a machine that
> only has an IPV4 or are they separate?

They are separate.  It's two different protocols, even though they are
similar in many aspects.

There are some projects trying to bridge that for single-stack IPv6
networks.  But I've concluded running dual-stack with both IPv4 and IPv6
is less error prone, as such proxy solutions will not always work 100%
perfectly.

The IPv4 addresses need to be translated into IPv6 addresses by a
local DNS service, and the proxy anyway needs IPv4 access to reach the
IPv4 host.


David S.



[CentOS] difference between cron and shell invocation.

2010-12-07 Thread James B. Byrne

I have a fairly involved root cron task that I moved verbatim from
another server. On the original server, this task ran without
problem.  On the new server, when this task runs via cron, which I
confirm is happening by looking in the cron log, no files are
transferred and no error is reported.  However, if I copy cron
command from roots crontab and paste it into a terminal session on
the new server then the task runs to completion and the files are
transferred.

This task involves sshfs, fuse, and rsync and employs pki
certificates for authentication.  The fact that it works from the
shell without alteration and yet not from cron is the issue.

Does anyone have any idea where I would start to track down what is
going on?



-- 
***  E-Mail is NOT a SECURE channel  ***
James B. Byrnemailto:byrn...@harte-lyne.ca
Harte & Lyne Limited  http://www.harte-lyne.ca
9 Brockley Drive  vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada  L8E 3C3



Re: [CentOS] difference between cron and shell invocation.

2010-12-07 Thread m . roth
James B. Byrne wrote:
>
> I have a fairly involved root cron task that I moved verbatim from
> another server. On the original server, this task ran without
> problem.  On the new server, when this task runs via cron, which I
> confirm is happening by looking in the cron log, no files are
> transferred and no error is reported.  However, if I copy cron
> command from roots crontab and paste it into a terminal session on
> the new server then the task runs to completion and the files are
> transferred.
>
> This task involves sshfs, fuse, and rsync and employs pki
> certificates for authentication.  The fact that it works from the
> shell without alteration and yet not from cron is the issue.
>
> Does anyone have any idea where I would start to track down what is
> going on?

Sure - it's pretty obvious that something in the environment is missing.
Try putting env in the cron job, or run the actual job as a shell script,
and in the script, put env and pipe that to a file, so that you can then
compare that with your env output as root.

  mark



Re: [CentOS] difference between cron and shell invocation.

2010-12-07 Thread Tony Molloy
On Tuesday 07 December 2010 14:34:33 James B. Byrne wrote:
> I have a fairly involved root cron task that I moved verbatim from
> another server. On the original server, this task ran without
> problem.  On the new server, when this task runs via cron, which I
> confirm is happening by looking in the cron log, no files are
> transferred and no error is reported.  However, if I copy cron
> command from roots crontab and paste it into a terminal session on
> the new server then the task runs to completion and the files are
> transferred.
> 
> This task involves sshfs, fuse, and rsync and employs pki
> certificates for authentication.  The fact that it works from the
> shell without alteration and yet not from cron is the issue.
> 
> Does anyone have any idea where I would start to track down what is
> going on?

Check the paths in cron. They are not necessarily the same as the paths for the
shell.

Tony


Re: [CentOS] difference between cron and shell invocation.

2010-12-07 Thread Robert Heller
At Tue, 7 Dec 2010 09:34:33 -0500 (EST) CentOS mailing list  
wrote:

> 
> 
> I have a fairly involved root cron task that I moved verbatim from
> another server. On the original server, this task ran without
> problem.  On the new server, when this task runs via cron, which I
> confirm is happening by looking in the cron log, no files are
> transferred and no error is reported.  However, if I copy cron
> command from roots crontab and paste it into a terminal session on
> the new server then the task runs to completion and the files are
> transferred.
> 
> This task involves sshfs, fuse, and rsync and employs pki
> certificates for authentication.  The fact that it works from the
> shell without alteration and yet not from cron is the issue.
> 
> Does anyone have any idea where I would start to track down what is
> going on?

Things to check:

Environment issues: PATH, SHELL, etc.

I would put in calls to logger and/or echo to log what is going on. 
Adding a '-v' (verbose flag) to selected commands to generate additional
debug information can also help.

Is anything making use of stdin?

Does the script still work if you do something like from an interactive
shell?:

&1' to the
command in crontab prove enlightening?

> 
> 
> 

-- 
Robert Heller             -- 978-544-6933 / hel...@deepsoft.com
Deepwoods Software        -- http://www.deepsoft.com/
()  ascii ribbon campaign -- against html e-mail
/\  www.asciiribbon.org   -- against proprietary attachments




Re: [CentOS] difference between cron and shell invocation.

2010-12-07 Thread James B. Byrne

On Tue, December 7, 2010 09:49, Brent L. Bates wrote:
>  If you aren't already doing so, use the full path to the
> commands you are

I have done as you suggest and that indeed has solved the problem. 
Thank you very much.

Regards,

-- 
***  E-Mail is NOT a SECURE channel  ***
James B. Byrne                mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3



Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread Adam Tauno Williams
On Mon, 2010-12-06 at 19:26 -0600, Les Mikesell wrote: 
> On 12/6/10 6:27 PM, Brian Mathis wrote:
> > You are enjoying a side-effect of NAT by thinking it
> > is a firewall.
> The other nice side-effect of NAT is that you get an effectively infinite
> number of addresses behind it without any pre-arrangement with anyone else.
> Even if ISPs hand out what they expect to reasonably-sized blocks, won't it
> be much harder to deal with when you outgrow your allotment?  We've had the
> opportunity to move to ipv6 for ages but we haven't (in the US, anyway).  I
> think the reason is that most people like the way NAT works and don't really
> want a public address on every device.

Bogus.  The reason is that they haven't been pressured into adoption by
higher powers; so we will get into a nice scramble to migrate in a
pinch.

"most people" have no idea what NAT is, don't care, and shouldn't have
to care.

Some people's belief that NAT is some magic sauce that makes them more
secure [it does not] or provides them more flexibility [it does not]
than real addresses ... causes the people who understand networking to
have to spend time explaining that their love of NAT is misguided and
their beliefs about NAT are bogus.



Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread Adam Tauno Williams


> > 3) When I connect my IPV6 refrigerator with its automatic inventory
> > system tracking every RFID-enabled carrot I use, won't I be making my
> > shopping habits visible to all those annoying advertisers?  Or, in
> > other words, am I compromising my privacy?  Actually, although such
> > dissemination of information can be blocked by a correctly designed
> > firewall, I suspect the "Free IPv6 DSL Modem and Router, Sponsored by
> > " that comes with your ISP contract,
> > would err on the side of promiscuity

> Set your refrigerator to fe80:0001:: and it's now only accessible on
> the local subnet.
> Quoting http://www.litech.org/~jeff/private/ipv6primer/html/
> Two prefixes are set aside for link-local and site-local addresses. 

Site-local addresses are officially deprecated.

If you want a device to only be available locally - block the traffic
to/from that device.  Or block it from acquiring a public address and
leave it as link-local only [most people will, I think, just choose the
first option - like they do now when they want to block a device].



Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread Adam Tauno Williams
On Mon, 2010-12-06 at 20:55 -0500, Bob McConnell wrote: 
> David wrote:
> > Folks
> > I have been following the IPV6 comments.
> > What concerns me with the loss of NAT are the following issues
> > 3) When I connect my IPV6 refrigerator with its automatic inventory 
> > system tracking every RFID-enabled carrot I use, won't I be making my 
> > shopping habits visible to all those annoying advertisers?  Or, in 
> > other words, am I compromising my privacy?  Actually, although such 
> > dissemination of information can be blocked by a correctly designed 
> > firewall, I suspect the "Free IPv6 DSL Modem and Router, Sponsored by 
> > " that comes with your ISP contract, 
> > would err on the side of promiscuity.
> Why yes, yes you are giving up some of your privacy. And unless you have 
> the time and are willing and able to learn how to configure firewalls 
> for each device and application you use, or have the money to pay 
> someone else you trust to do it for you, there is very little to protect 
> you from the rest of the world.
> I just finished reviewing my firewall logs for last week. There are 
> 127MiB with ipmon reports of rejected connection attempts. That's 
> actually  on the low side for any seven day period. I have some weeks 
> that are half again that much. Somebody out there is pounding on that 
> firewall pretty hard, trying to break in. I'm certain they don't have my 
> best interests at heart. Most of the ports attacked are linked to well 
> known services and worms on one particular OS, which I don't happen to 
> have running on my network. But this log tells me that it is important 
> to make it as difficult as possible for whomever is knocking on the 
> door. I don't see that IPv6 helps improve that protection. In fact, it 
> appears to eliminate some of the protection I have now.

It does *NOT* help with that situation; nobody credible says it does.

It also does *NOT* "eliminate some of the protection I have now".

You apparently *believe* that NAT is about "protection".  You are wrong.

NAT [at best, and not really] adds obfuscation to the source /
destination.  Obfuscation is not security.



Re: [CentOS] CentOS 5.5 with MediaWiki

2010-12-07 Thread Ray Van Dolson
On Tue, Dec 07, 2010 at 07:41:24AM -0200, Clovis Tristao wrote:
> Em 06-12-2010 15:55, Mathieu Baudier escreveu:
> >> Also, there will soon be a MediaWiki 1.16 package in EPEL[1].  There is
> > Good news!
> >
> > Actually my dependencies were probably from EPEL in that case, not RPMForge.
> >
> How to solve this problem, rebuild the package php-xml to CentOS 5.5 ?
> 
> Cheers,
> 
> Clóvis

I guess I don't follow -- php-xml is already included in CentOS 5.5.

Ray


Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread Bob McConnell
Adam Tauno Williams wrote:
> On Mon, 2010-12-06 at 17:15 -0500, Bob McConnell wrote: 
>>> So, spending one or two or 100s /64 subnets with public IPv6 addresses
>>> which is completely blocked in a firewall will serve exactly the same
>>> purpose as a site-local subnet.  But this /64 net may get access to the
>>> Internet *if* allowed by the firewall.  This is not possible with
>>> site-local at all.  And of course, this is without NAT in addition.
>>> I hope this made it a little bit clearer.
>> Clear as mud. If I understand you correctly, I have to say that IPv6 is 
>> broken by design.
> 
> It isn't.
> 
>> I have a double handful of computers on my home 
>> network. Each of them needs access to the Internet to get updates to the 
>> OS and various applications. However, I do *NOT* want each and every one 
>> of them to show up as a unique address outside of my network.
> 
> Why?  Things will only work better.  NAT is not some magic sauce, it is
> a *HACK*.
> 
>> With IP4 
>> and m0n0wall running as the NAT, they are all translated to the single 
>> IP address that Roadrunner assigned to my Firewall. I need to continue 
>> that mapping. 
> 
> Why?  There is no reason.  You are wrong, you do *NOT* need to "continue
> that mapping".  That mapping is pointless.

No, it is not pointless. The first step in attacking any computer is 
finding the IP address. If that address is broadcast outside the 
firewall every time it talks to another computer, that step is simple. 
If it is hidden behind a firewall that does NAT, it becomes harder to 
find and that first step becomes much more difficult.

Currently, the only IP address transmitted outside my firewall is the 
one assigned to that firewall by the Roadrunner DHCP server. None of the 
addresses inside are exposed. That is a level of protection I am not 
prepared to give up. I don't care how much you evangelists blab about 
the new improved sauce, I still see it as a solution in search of a 
problem. As far as I am concerned, NAT already solved the address space 
problem.

Bob McConnell
N2SPP


Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread Lamar Owen
On Tuesday, December 07, 2010 05:29:09 am Adam Tauno Williams wrote:
> On Mon, 2010-12-06 at 18:28 -0500, Bob McConnell wrote: 
> > No, the downside is that each address used will be exposed to the world.

> False.  That is *NOT* a downside.

In your opinion.  Others hold a different opinion.  While security through 
obscurity doesn't help in many circumstances, there are physical security 
controls that absolutely depend upon it, and work.  Physical lock and key, for 
one (the pinning must be kept obscure).  Physical combination locks, for 
another; they depend upon keeping the gates in the wheels obscure.  For that 
matter, any security that depends on any 'secret' is in essence a security 
through obscurity technique.  Port knocking is a security through obscurity 
technique (which works quite well).

And a NAT66 will be implemented, and people *will* NAT66 their self-assigned 
ULA addresses (which, unlike PA /48's are portable; the alternative is all end 
users wanting portability getting PI /48's, and the router ops are getting 
their selves in a knot thinking about the route table bloat that will cause) to 
whatever the PA du jour is.  

This *will* happen, and no amount of wishful thinking by 
transparent-Internet-ideologues is going to change it, since this is and will 
be the market demand.  Whether you and I like it or not, this is the direction 
things are going; we might as well get used to it.

You can read the NAT66 draft standard yourself at (one mirror) 
http://mirror.switch.ch/ftp/mirror/internet-drafts/draft-mrw-nat66-00.txt


Re: [CentOS] difference between cron and shell invocation.

2010-12-07 Thread James B. Byrne
Question.  In a chained cron job like this:

sshfs  .  .  . && /usr/bin/rsync .  .  . | /bin/mail -s .  .  . && .  .  .

Is there any way to get a failure message from the first part to be
emailed or logged?

Given the resolution of this problem I gather that sshfs must not
have been found and therefore I would expect an error to be reported
somewhere.  The chained commands evidently interfered with the
propagation of this error which would have immediately identified
the source of the problem. Is it possible to get errors from the
individual parts of such chained commands forwarded to an email
address, or logged in the system log, or both?

-- 
***  E-Mail is NOT a SECURE channel  ***
James B. Byrne                mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3



Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread Tom H
On Tue, Dec 7, 2010 at 6:23 AM, Mathieu Baudier  wrote:
>> >     b)  Do I get charged by my ISP on a per-device basis?
>>
> This is no science fiction.
> Some big providers in some countries limit the number of devices that
> can connect to the internet. You have to register the MAC address of your
> single PC (which, by the way, is expected to run Windows or MacOS)
>
> In that case, a NAT router sending the MAC address expected by the
> provider could have (maybe, possibly...) been very handy.
> (I won't tell more, even though I have left the country and the
> provider in question)

I've had such a provider. This is why you can assign a MAC address to
a dsl router's WAN interface.


Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread Bob McConnell
Adam Tauno Williams wrote:
> On Mon, 2010-12-06 at 18:28 -0500, Bob McConnell wrote: 
>>> IPv6 is not broken by design. NAT was implemented to extend the time
>>> until IPv4 exhaustion. A side effect was hiding the internal IPv4
>>> address, which complicates a number of protocols like FTP and SIP. The
>>> only downside I see is ISPs could try and charge based on the number
>>> of IPv6 addresses being used.
>> No, the downside is that each address used will be exposed to the world.
> 
> False.  That is *NOT* a downside.
> 
> NAT is *NOT* a magic sauce - install a firewall [which you probably
> already have].  Problem solved.
> 
>> I consider that a serious security flaw. 
> 
> It is not.
> 
>> Having my ISP know how many 
>> computers I have is a minor issue covered by the contract I have with 
>> them. 
> 
> So you want to cheap on the legal contract you agreed to?

No, if they want too much money before I can install additional 
computers, I have several other choices, some of which will likely be 
less expensive. Currently, their TOS is not an issue.

>> But having all of those addresses exposed to Russian mobsters, 
>> terrorists, crackers and everyone else that knows how to capture packets 
>> is another matter altogether. If IPv6 exposes that information to the 
>> world, it is definitely unsafe to use.
> 
> The "Russian mobsters" can already do that; if you think NAT is
> protecting you from that then you are mistaken.

NAT hides the IP addresses of the computers inside my firewall. The only 
address exposed is the temporary address assigned to the firewall 
itself. That box can be run on the most secure OS I can find (currently 
one of the BSD's), and allows me to operate other systems behind it that 
aren't as well protected. This makes it significantly more difficult for 
those mobsters to penetrate my network.

Not allowing the most popular OS on the network at all is another layer 
of protection. Keeping everything up to date is another. It is a well 
known and established process to keep my computers secure. But now you 
are taking away one of those layers without providing anything of equal 
strength to replace it. I fail to see how that is an improvement. 
However, it appears some of you are actually evangelists in disguise, 
and refuse to acknowledge any real concerns about this change. So it 
becomes pointless to continue the discussion.

Bob McConnell
N2SPP


Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread Tom H
On Tue, Dec 7, 2010 at 10:29 AM, Bob McConnell  wrote:
> Adam Tauno Williams wrote:
>> On Mon, 2010-12-06 at 18:28 -0500, Bob McConnell wrote:
 IPv6 is not broken by design. NAT was implemented to extend the time
 until IPv4 exhaustion. A side effect was hiding the internal IPv4
 address, which complicates a number of protocols like FTP and SIP. The
 only downside I see is ISPs could try and charge based on the number
 of IPv6 addresses being used.
>>> No, the downside is that each address used will be exposed to the world.
>>
>> False.  That is *NOT* a downside.
>>
>> NAT is *NOT* a magic sauce - install a firewall [which you probably
>> already have].  Problem solved.
>>
>>> I consider that a serious security flaw.
>>
>> It is not.
>>
>>> Having my ISP know how many
>>> computers I have is a minor issue covered by the contract I have with
>>> them.
>>
>> So you want to cheap on the legal contract you agreed to?
>
> No, if they want too much money before I can install additional
> computers, I have several other choices, some of which will likely be
> less expensive. Currently, their TOS is not an issue.
>
>>> But having all of those addresses exposed to Russian mobsters,
>>> terrorists, crackers and everyone else that knows how to capture packets
>>> is another matter altogether. If IPv6 exposes that information to the
>>> world, it is definitely unsafe to use.
>>
>> The "Russian mobsters" can already do that; if you think NAT is
>> protecting you from that then you are mistaken.
>
> NAT hides the IP addresses of the computers inside my firewall. The only
> address exposed is the temporary address assigned to the firewall
> itself. That box can be run on the most secure OS I can find (currently
> one of the BSD's), and allows me to operate other systems behind it that
> aren't as well protected. This makes it significantly more difficult for
> those mobsters to penetrate my network.

Is 172.16.10.72 a private address of yours or of your ISP?


Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-12-07 Thread Benjamin Franz
On 12/06/2010 06:47 AM, Daniel J Walsh wrote:
>
> I agree, and would like to look at the AVC's to understand what could
> have broken the labeling

Well - since it happened again this morning, here you go. On further 
investigation in backups, I previously had the user account that I use 
for the FTP based update with its home directory set to a location 
inside the /var/www/html tree. Since that unknowingly passed this rule, 
it silently worked. It was changed to a /home/ based directory instead a 
while ago - tripping this rule. But not consistently: FTP appears to at 
least partially work outside the home tree even with the rule active.

I *really* dislike landmines when doing routine system tasks.



Dec  7 07:14:19 10.96.1.9 setroubleshoot: SELinux is preventing the ftp daemon from writing files outside the home directory (./upgrade). For complete SELinux messages. run sealert -l e7787694-644e-4e4e-9b45-bd86c7eb33ce


sealert -l e7787694-644e-4e4e-9b45-bd86c7eb33ce

Summary:

SELinux is preventing the ftp daemon from writing files outside the home
directory (./upgrade).

Detailed Description:

SELinux has denied the ftp daemon write access to directories outside the home
directory (./upgrade). Someone has logged in via your ftp daemon and is trying
to create or write a file. If you only setup ftp to allow anonymous ftp, this
could signal a intrusion attempt.

Allowing Access:

If you do not want SELinux preventing ftp from writing files anywhere on the
system you need to turn on the allow_ftpd_full_access boolean: "setsebool -P
allow_ftpd_full_access=1"

The following command will allow this access:

setsebool -P allow_ftpd_full_access=1

Additional Information:

Source Context                system_u:system_r:ftpd_t
Target Context                system_u:object_r:httpd_sys_content_t
Target Objects                ./upgrade [ dir ]
Source                        vsftpd
Source Path                   /usr/sbin/vsftpd
Port                          
Host                          XX
Source RPM Packages           vsftpd-2.1.0-2
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-279.el5_5.2
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_ftpd_full_access
Host Name                     X
Platform                      Linux 2.6.18-194.26.1.el5 #1 SMP Tue Nov 9 12:54:40 EST 2010 i686 i686
Alert Count                   17
First Seen                    Thu Dec  2 12:10:14 2010
Last Seen                     Tue Dec  7 07:14:19 2010
Local ID                      e7787694-644e-4e4e-9b45-bd86c7eb33ce
Line Numbers

Raw Audit Messages

host= type=AVC msg=audit(1291734859.344:6678): avc:  denied  { write } for  pid=1018 comm="vsftpd" name="upgrade" dev=dm-5 ino=1926503 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir

host= type=SYSCALL msg=audit(1291734859.344:6678): arch=4003 syscall=39 success=no exit=-13 a0=8e340d0 a1=1ff a2=802330 a3=1 items=0 ppid=1014 pid=1018 auid=502 uid=502 gid=100 euid=502 suid=502 fsuid=502 egid=100 sgid=100 fsgid=100 tty=(none) ses=1017 comm="vsftpd" exe="/usr/sbin/vsftpd" subj=system_u:system_r:ftpd_t:s0 key=(null)


-- 
Benjamin Franz



Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread m . roth
Lamar Owen wrote:
> On Tuesday, December 07, 2010 05:29:09 am Adam Tauno Williams wrote:
>> On Mon, 2010-12-06 at 18:28 -0500, Bob McConnell wrote:
>> > No, the downside is that each address used will be exposed to the
>> world.
>
>> False.  That is *NOT* a downside.
>
> In your opinion.  Others hold a different opinion.  While security through
> obscurity doesn't help in many circumstances, there are physical security
> controls that absolutely depend upon it, and work.  Physical lock and key,
> for one (the pinning must be kept obscure).  Physical combination locks,
> for another; they depend upon keeping the gates in the wheels obscure.
> For that matter, any security that depends on any 'secret' is in essence a
> security through obscurity technique.  Port knocking is a security through
> obscurity technique (which works quite well).

Sorry, let me jump in here: how is a "hidden" IP address, whether it's
10.x, or 192.168.x, obscurity? Rather, AFAIK, trying to get there from
outside are unreachable, because the addresses are not valid on the 'Net
itself.

mark



Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread Adam Tauno Williams
On Tue, 2010-12-07 at 10:11 -0500, Lamar Owen wrote: 
> On Tuesday, December 07, 2010 05:29:09 am Adam Tauno Williams wrote:
> > On Mon, 2010-12-06 at 18:28 -0500, Bob McConnell wrote: 
> > > No, the downside is that each address used will be exposed to the world.
> > False.  That is *NOT* a downside.
> In your opinion.  Others hold a different opinion. 

Others are wrong.  Check the RFCs and other papers.  

> While security through obscurity doesn't help in many circumstances,
> there are physical security controls that absolutely depend upon it,
> and work.

False analogy.

> And a NAT66 will be implemented, and people *will* NAT66 their 
> self-assigned ULA addresses (which, unlike PA /48's are portable; 
> the alternative is all end users wanting portability getting PI /48's, 
> and the router ops are getting their selves in a knot thinking about 
> the route table bloat that will cause) to whatever the PA du jour is.

But it isn't NAT.  Not like IPv4 NAT, so this doesn't do much to the
argument in defense of IPv4-style NAT.

IPv6 routing tables are significantly smaller - which is a large
advantage to IPv6.

> This *will* happen, and no amount of wishful thinking by
> transparent-Internet-idealogues is going to change it, since this 
> is and will be the market demand.  Whether you and I like it or not, 
> this is the direction things are going; we might as well get used to it.
> You can read the NAT66 draft standard yourself at (one mirror) 
> http://mirror.switch.ch/ftp/mirror/internet-drafts/draft-mrw-nat66-00.txt

I'm certain some people will use it, and that there are legitimate uses.
But it doesn't, and won't, serve the same purpose as NAT does in IPv4.





Re: [CentOS] difference between cron and shell invocation.

2010-12-07 Thread Robert Heller
At Tue, 7 Dec 2010 10:21:27 -0500 (EST) CentOS mailing list  
wrote:

> 
> Question.  In a chained cron job like this:
> 
> sshfs  .  .  . && /usr/bin/rsync .  .  . | /bin/mail -s .  .  . && .  .  .
> 
> Is there any way to get a failure message from the first part to be
> emailed or logged?
> 
> Given the resolution of this problem I gather that sshfs must not
> have been found and therefore I would expect an error to be reported
> somewhere.  The chained commands evidently interfered with the
> propagation of this error which would have immediately identified
> the source of the problem. Is it possible to get errors from the
> individual parts of such chained commands forwarded to an email
> address, or logged in the system log, or both?

It is probably easiest to create a shell script with all of the chaining
there and use shell script flow control to deal with mailing/logging
errors:

#!/bin/sh -e
# -e: the script stops at the first command whose exit status is non-zero,
# so a failed sshfs mount never reaches the rsync step.
sshfs  .  .  .
# Caveat: in a pipeline only the last command's status (mail's) is tested,
# so -e will not notice an rsync failure here; 2>&1 at least puts rsync's
# error text into the mail.
/usr/bin/rsync .  .  . 2>&1 | /bin/mail -s .  .  .
..

Or something like that (eg using '|| error-handling/reporting code'
instead of -e).

> 

-- 
Robert Heller             -- 978-544-6933 / hel...@deepsoft.com
Deepwoods Software        -- http://www.deepsoft.com/
()  ascii ribbon campaign -- against html e-mail
/\  www.asciiribbon.org   -- against proprietary attachments




Re: [CentOS] difference between cron and shell invocation.

2010-12-07 Thread m . roth
James B. Byrne wrote:
> Question.  In a chained cron job like this:
>
> sshfs  .  .  . && /usr/bin/rsync .  .  . | /bin/mail -s .  .  . && .  .  .
>
> Is there any way to get a failure message from the first part to be
> emailed or logged?
>
> Given the resolution of this problem I gather that sshfs must not
> have been found and therefore I would expect an error to be reported
> somewhere.  The chained commands evidently interfered with the
> propagation of this error which would have immediately identified
> the source of the problem. Is it possible to get errors from the
> individual parts of such chained commands forwarded to an email
> address, or logged in the system log, or both?
>
If you're going to get that complicated, why not just write a short shell
script, and run that via cron. Then you can set your environment
explicitly (as opposed to in your crontab, which some folks like to do).
Also, if you want logs from each piece, you could then break it up, and
dump/read stuff from temp files.

 mark

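Robert Heller's script sketch and Mark's suggestion (a standalone script with its environment set explicitly and a log from each piece), worked through as an added example that is not code from either poster: each part of the sshfs/rsync chain runs as its own step with stderr captured, and a failing step is written to the job log, to syslog via logger, and mailed before the chain stops. The paths, job name, mail recipient and the remote/mountpoint values are assumptions standing in for the thread's elisions.

```shell
#!/bin/sh
# Added example, not code from the thread: run the sshfs/rsync chain as a
# script with an explicit environment, one step at a time, and report the
# step that failed by syslog and mail instead of letting it vanish.
#
# Suggested crontab line (script path is an assumption; note the stderr
# redirect, which is what makes "command not found" visible at all):
#   30 2 * * * /usr/local/sbin/sync_job.sh run >>/var/log/sync_job.out 2>&1

# cron starts jobs with a minimal environment, so set PATH here rather
# than relying on whatever the interactive shell had.
PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin
export PATH

JOB_NAME=${JOB_NAME:-sync_job}
LOG_FILE=${LOG_FILE:-/var/log/$JOB_NAME.log}    # assumed location
ADMIN_MAIL=${ADMIN_MAIL:-root}                  # assumed recipient; empty disables mail
# The thread elides these; the values below are placeholders.
REMOTE=${REMOTE:-user@remote.example:/srv/data}
MOUNTPOINT=${MOUNTPOINT:-/mnt/remote}
LOCAL_DIR=${LOCAL_DIR:-/srv/mirror}

# log_line TEXT: timestamped entry in the job log.
log_line() {
    printf '%s %s: %s\n' "$(date '+%F %T')" "$JOB_NAME" "$1" >> "$LOG_FILE"
}

# report_failure STEP STATUS ERRFILE: log, syslog and mail the failed step,
# using the command's own stderr as the mail body.
report_failure() {
    rf_msg="step '$1' failed with status $2"
    log_line "$rf_msg"
    if command -v logger >/dev/null 2>&1; then
        logger -t "$JOB_NAME" -p cron.err "$rf_msg" || :
    fi
    if [ -n "$ADMIN_MAIL" ] && command -v mail >/dev/null 2>&1; then
        mail -s "$JOB_NAME: $rf_msg" "$ADMIN_MAIL" < "$3" || :
    fi
}

# run_step NAME CMD [ARG...]: run one command with its stderr captured;
# returns that command's exit status so the caller can stop the chain.
run_step() {
    rs_name=$1; shift
    rs_err=$(mktemp) || return 1
    if "$@" 2>"$rs_err"; then
        rs_status=0
        log_line "step '$rs_name' ok"
    else
        rs_status=$?
        report_failure "$rs_name" "$rs_status" "$rs_err"
    fi
    rm -f "$rs_err"
    return "$rs_status"
}

# The original one-liner, split so each part reports for itself. Unlike
# "rsync | mail", it is rsync's exit status that is checked, not mail's.
sync_job() {
    run_step mount   sshfs "$REMOTE" "$MOUNTPOINT" || return 1
    run_step rsync   rsync -a "$MOUNTPOINT/" "$LOCAL_DIR/" || return 1
    run_step unmount fusermount -u "$MOUNTPOINT"
}

# Only do real work when invoked with "run" (as in the crontab line above).
if [ "${1:-}" = run ]; then
    sync_job
fi
```

A step whose binary is not on cron's PATH fails with status 127 and the shell's "not found" text in the mail body, which is exactly the symptom this thread started with.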


Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-12-07 Thread Daniel J Walsh

On 12/07/2010 10:36 AM, Benjamin Franz wrote:
> On 12/06/2010 06:47 AM, Daniel J Walsh wrote:
>>
>> I agree, and would like to look at the AVC's to understand what could
>> have broken the labeling
> 
> Well - since it happened again this morning, here you go. On further 
> investigation in backups, I previously had the user account that I use 
> for the FTP based update with its home directory set to a location 
> inside the /var/www/html tree. Since that unknowingly passed this rule, 
> it silently worked. It was changed to a /home/ based directory instead a 
> while ago - tripping this rule. But not consistently: FTP appears to at 
> least partially work outside the home tree even with the rule active.
> 
> I *really* dislike landmines when doing routine system tasks.
> 
Where is the directory upgrade located?  SELinux is complaining about
the ftp site writing to a directory labeled as apache content
(httpd_sys_content_t).  The way we usually handle shared data between
"sharing domains" is to label the content public_content_rw_t.
The following man pages explain these labels.

man ftpd_selinux
man httpd_selinux



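To make the raw AVC record from Benjamin's post quicker to triage than the sealert summary, here is an added example (not code from the thread or from the SELinux project) that pulls the denied permission, the source and target types and the object class out of an audit line and, for the ftpd_t/httpd_sys_content_t pair seen here, points at the public_content_rw_t relabeling Daniel describes rather than the blanket allow_ftpd_full_access boolean. The sample line is the thread's own AVC record rejoined onto one line; the advice table covers only this thread's case, and the fallback man page name is derived from the source type by assumption.

```shell
#!/bin/sh
# Added example, not code from the thread: pick the useful fields out of an
# SELinux AVC audit record and summarise the denial in one line. It only
# reads audit text; it changes nothing on the system.

# The AVC record quoted in the thread, rejoined onto one line (sample input).
SAMPLE_AVC='host= type=AVC msg=audit(1291734859.344:6678): avc:  denied  { write } for  pid=1018 comm="vsftpd" name="upgrade" dev=dm-5 ino=1926503 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir'

# avc_field LINE KEY: value of the last " KEY=value" pair, quotes stripped.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\).*/\1/p"
}

# avc_perms LINE: the permissions inside "denied { ... }", e.g. "write".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# ctx_type CONTEXT: the type field of a user:role:type:level context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE: which program (by type) was denied what on which object.
avc_summary() {
    printf '%s (%s) denied %s on %s "%s" labeled %s\n' \
        "$(avc_field "$1" comm)" \
        "$(ctx_type "$(avc_field "$1" scontext)")" \
        "$(avc_perms "$1")" \
        "$(avc_field "$1" tclass)" \
        "$(avc_field "$1" name)" \
        "$(ctx_type "$(avc_field "$1" tcontext)")"
}

# avc_advice LINE: the fix for the source/target type pair seen in this
# thread. The table covers only that case; anything else is sent to the
# man page named after the source type (an assumption about naming).
avc_advice() {
    aa_src=$(ctx_type "$(avc_field "$1" scontext)")
    aa_tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    case "$aa_src:$aa_tgt" in
        ftpd_t:httpd_sys_content_t)
            echo "label the shared directory public_content_rw_t (man ftpd_selinux) instead of setting allow_ftpd_full_access" ;;
        *)
            echo "no canned fix for $aa_src -> $aa_tgt; see man ${aa_src%_t}_selinux" ;;
    esac
}

# Stand-alone: summarise every AVC line in the file given as $1, or the
# sample record when no file is given.
if [ -n "${1:-}" ] && [ -r "$1" ]; then
    grep 'type=AVC' "$1" | while IFS= read -r avc_line; do
        avc_summary "$avc_line"
        echo "  -> $(avc_advice "$avc_line")"
    done
else
    avc_summary "$SAMPLE_AVC"
    echo "  -> $(avc_advice "$SAMPLE_AVC")"
fi
```

Run against /var/log/audit/audit.log it gives one line per denial instead of the multi-screen sealert report, which is easier to spot-check for denials that are not the one you expected.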


Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread Lamar Owen
On Tuesday, December 07, 2010 10:32:32 am Tom H wrote:
> Is 172.16.10.72 a private address of yours or of your ISP?

More to the point; do you have a route to his address?

Blackhole routing makes the best firewall in the world; you can't even attempt 
to hack an address to which your autonomous system (or your provider's 
autonomous system) has no route in the BGP routing tables.

You can't even reproducibly DoS his address, since he can probably acquire 
another inside global one fairly easily through DHCP.


Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread Adam Tauno Williams
On Tue, 2010-12-07 at 10:32 -0500, Tom H wrote: 
> On Tue, Dec 7, 2010 at 10:29 AM, Bob McConnell  wrote:
> > Adam Tauno Williams wrote:
> >> On Mon, 2010-12-06 at 18:28 -0500, Bob McConnell wrote:
>  IPv6 is not broken by design. NAT was implemented to extend the time
>  until IPv4 exhaustion. A side effect was hiding the internal IPv4
>  address, which complicates a number of protocols like FTP and SIP. The
>  only downside I see is ISPs could try and charge based on the number
>  of IPv6 addresses being used.
> >>> No, the downside is that each address used will be exposed to the world.
> >> False.  That is *NOT* a downside.
> >> NAT is *NOT* a magic sauce - install a firewall [which you probably
> >> already have].  Problem solved.
> >>> I consider that a serious security flaw.
> >> It is not.
> >>> Having my ISP know how many
> >>> computers I have is a minor issue covered by the contract I have with
> >>> them.
> >> So you want to cheap on the legal contract you agreed to?
> > No, if they want too much money before I can install additional
> > computers, I have several other choices, some of which will likely be
> > less expensive. Currently, their TOS is not an issue
> >>> But having all of those addresses exposed to Russian mobsters,
> >>> terrorists, crackers and everyone else that knows how to capture packets
> >>> is another matter altogether. If IPv6 exposes that information to the
> >>> world, it is definitely unsafe to use.
> >> The "Russian mobsters" can already do that; if you think NAT is
> >> protecting you from that then you are mistaken.
> > NAT hides the IP addresses of the computers inside my firewall. The only
> > address exposed is the temporary address assigned to the firewall
> > itself. That box can be run on the most secure OS I can find (currently
> > one of the BSD's), and allows me to operate other systems behind it that
> > aren't as well protected. This makes it significantly more difficult for
> > those mobsters to penetrate my network.
> Is 172.16.10.72 a private address of yours or of your ISP?

+1

NAT isn't doing what Bob McConnell thinks it is.  Any "russian mobster"
can afford to hire a halfway decent hacker who will only laugh at the
obfuscation added by NAT.  Determining how many computers, and quite a
bit of detail about them, are behind a NAT is not hard.  You just watch
the traffic and these things reveal themselves.  Your traffic can be
compromised just as easily with or without NAT.  Very few actually
useful attacks on a host require direct access to the interface;
stateful firewalls made such vectors pretty useless a long time ago.



Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread Bob McConnell
Gavin Carr wrote:
> On Mon, Dec 06, 2010 at 08:55:17PM -0500, Bob McConnell wrote:
>>> 3) When I connect my IPV6 refrigerator with its automatic inventory
>>> system tracking every RFID-enabled carrot I use, won't I be making my
>>> shopping habits visible to all those annoying advertisers?  Or, in
>>> other words, am I compromising my privacy?  Actually, although such
>>> dissemination of information can be blocked by a correctly designed
>>> firewall, I suspect the "Free IPv6 DSL Modem and Router, Sponsored by
>>> " that comes with your ISP contract,
>>> would err on the side of promiscuity.
>> Why yes, yes you are giving up some of your privacy. And unless you have
>> the time and are willing and able to learn how to configure firewalls
>> for each device and application you use, or have the money to pay
>> someone else you trust to do it for you, there is very little to protect
>> you from the rest of the world.
> 
> That's at least overstated, and at worst complete FUD. Generic modems and
> routers will be configured as they are now - with stateful firewalls
> blocking all incoming traffic, except for streams initiated internally. 
> Outgoing connections that would have worked before via NAT continue to
> work, but without NAT. Stateful firewalls are still stateful firewalls.
> 
> Where are you giving up some of your privacy? The number of hosts on
> your internal network? So allocate 256 ips (or 65k, if you like) to every
> host and use a random ip from that set for every distinct service or 
> outgoing connection.
> 
> There _is_ more information leakage with ipv6, in the sense that you are 
> using a real ip from an internal machine on the connection. But the 
> point is that the security benefit of that is largely illusory, security
> by obscurity.

No, it is not FUD, it is a real concern by people with much to lose. 
Those of you evangelizing this new, and still unproven technology can't 
seem to recognize this simple fact.

I consider that information leakage to be very significant. It 
advertises the presence of another computer with explicit information on 
where to reach it. Regardless of the firewall, none of which are 
perfect, this increases the exposure of my systems in an adverse 
fashion. It increases my risk of being penetrated by someone I probably 
don't want rummaging around in my files. But I don't see any additional 
protection being offered to replace what is being taken away.

Bob McConnell
N2SPP


Re: [CentOS] difference between cron and shell invocation.

2010-12-07 Thread Les Mikesell
On 12/7/10 9:21 AM, James B. Byrne wrote:
> Question.  In a chained cron job like this:
>
> sshfs  .  .  .&&  /usr/bin/rsync .  .  . | /bin/mail -s .  .  .&&  .
>   .  .
>
> Is there anyway to get a failure message from the first part to be
> emailed or logged?
>
> Given the resolution of this problem I gather that sshfs must not
> have been found and therefore I would expect an error to be reported
> somewhere.  The chained commands evidently interfered with the
> propagation of this error which would have immediately identified
> the source of the problem. Is it possible to get errors from the
> individual parts of such chained commands forwarded to an email
> address, or logged in the system log, or both?


Cron should default to mailing anything sent to stdout or stderr to the owner of 
the job if you don't redirect it elsewhere.

-- 
   Les Mikesell
lesmikes...@gmail.com


Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-12-07 Thread Benjamin Franz
On 12/07/2010 07:36 AM, Benjamin Franz wrote:
> On 12/06/2010 06:47 AM, Daniel J Walsh wrote:
>>
>> I agree, and would like to look at the AVC's to understand what could
>> have broken the labeling
>
> Well - since it happened again this morning, here you go. On further 
> investigation in backups, I previously had the user account that I use 
> for the FTP based update with its home directory set to a location 
> inside the /var/www/html tree. Since that unknowingly passed this 
> rule, it silently worked. It was changed to a /home/ based directory 
> instead a while ago - tripping this rule. But not consistently: FTP 
> appears to at least partially work outside the home tree even with the 
> rule active.
>
> I *really* dislike landmines when doing routine system tasks.
>


Ok. SELinux blew up something else that was previously working on that 
machine (yes - I've already done something to fix it for now. I don't 
need anyone saying 'well run sealert'. Been there - done that. Things 
are running now.)  This repeated time suckage is why people routinely 
turn it off.


sealert -l e6e017f5-9c2b-4e7b-895e-51a232042588

Summary:

SELinux is preventing the httpd from using potentially mislabeled files
/var/XX/misc/manage_clients/config.xml (var_t).

Detailed Description:

SELinux has denied the httpd access to potentially mislabeled files
/var/XX/misc/manage_clients/config.xml. This means that SELinux will not
allow httpd to use these files. Many third party apps install html files in
directories that SELinux policy cannot predict. These directories have to be
labeled with a file context which httpd can access.

Allowing Access:

If you want to change the file context of
/var/XX/misc/manage_clients/config.xml so that the httpd daemon can
access it, you need to execute it using chcon -t httpd_sys_content_t
'/var/XX/misc/manage_clients/config.xml'. You can look at the
httpd_selinux man page for additional information.

Additional Information:

Source Context                system_u:system_r:httpd_t
Target Context                user_u:object_r:var_t
Target Objects                /var/XX/misc/manage_clients/config.xml [
                              file ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port
Host                          XX
Source RPM Packages           httpd-2.2.3-43.el5.centos.3
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-279.el5_5.2
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   httpd_bad_labels
Host Name                     XX
Platform                      Linux XX 2.6.18-194.26.1.el5 #1 SMP
                              Tue Nov 9 12:54:40 EST 2010 i686 i686
Alert Count                   3
First Seen                    Mon Apr 26 10:20:36 2010
Last Seen                     Tue Dec  7 07:38:17 2010
Local ID                      e6e017f5-9c2b-4e7b-895e-51a232042588
Line Numbers

Raw Audit Messages

host=XX type=AVC msg=audit(1291736297.720:6786): avc:  denied  { 
getattr } for  pid=21363 comm="httpd" 
path="/var/XX/misc/manage_clients/config.xml" dev=dm-0 
ino=5355222 scontext=system_u:system_r:httpd_t:s0 
tcontext=user_u:object_r:var_t:s0 tclass=file

host=XX type=SYSCALL msg=audit(1291736297.720:6786): 
arch=4003 syscall=195 success=no exit=-13 a0=82e7380 a1=8297c68 
a2=296ff4 a3=82e7380 items=0 ppid=3398 pid=21363 auid=4294967295 uid=48 
gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) 
ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" 
subj=system_u:system_r:httpd_t:s0 key=(null)




-- 
Benjamin Franz



Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread Les Mikesell
On 12/7/10 9:07 AM, Adam Tauno Williams wrote:
>
> site-local addresses are officially deprecated.
>
> If you want a device to only be available locally - block the traffic
> to/from that device.

So security will depend on every connection owner having a high level of 
knowledge about ipv6 internals?   Is this being designed by people planning 
careers as consultants?

-- 
   Les Mikesell
lesmikes...@gmail.com


Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread Adam Tauno Williams
On Tue, 2010-12-07 at 10:49 -0500, Bob McConnell wrote: 
> > There _is_ more information leakage with ipv6, in the sense that you are 
> > using a real ip from an internal machine on the connection. But the 
> > point is that the security benefit of that is largely illusory, security
> > by obscurity.
> No, it is not FUD, 

It is FUD.

> it is a real concern by people with much to lose. 
> Those of you evangelizing this new, and still unproven technology can't 
> seem to recognize this simple fact.

Calling IPv6 "unproved" is absurd.  It is widely deployed and used
extensively.  Security is/was taken very seriously in the design. 

> I consider that information leakage to be very significant. 

You have a huge address pool - periodically change your address if you
feel that is significant.  That certainly adds more obfuscation than
IPv4 NAT ever did.

> It advertises the presence of another computer with explicit information on 
> where to reach it.

You already do that with every e-mail message and HTTP request.  Do you
obscure the User-Agent string in all your traffic?   (You're not using
Thunderbird 2.0.0.24 in X-Windows?) Because that information is just as
[if not more] valuable to a potential attacker than your firewalled
address.

> It increases my risk of being penetrated by someone I probably 
> don't want rummaging around in my files. But I don't see any additional 
> protection being offered to replace what is being taken away.

You are on a network - you can always disconnect the drive.  If you
really feel *NAT* is really that critical to hiding your data this seems
a very reasonable option.  Because NAT is providing only an extremely
trivial additive to security you feel you need.



Re: [CentOS] CentOS 5.5 on a new Mac Mini? no CD Driver?

2010-12-07 Thread Bob Arnold
On 12/6/10 3:54 PM, Jason T. Slack-Moehrle wrote:
> Hi All,
>
> I am attempting to install CentOS 5.5 64 bit on my new Mac Mini. I boot to 
> the CD and when I get to selecting where I am installing from (local cd, hard 
> disk, ftp, etc) I select Local CD and it cannot find a driver and wants me to 
> manually specify or use a driver disk.
>
> I have no idea what drive is in this system.
>
> Can anyone point me in the right direction?
>
> -Jason
You need to install and use Apple's Boot Camp to make CentOS work on a 
Mac Mini. It will install a utility on the drive that will make the Mini 
look like an ordinary system instead of the Apple based hardware 
including standard drivers for the CD/DVD and hard drives and network 
and sound support. I have an old single core Mac Mini running CentOS 5 
32 bit just fine.

One problem though is that I believe that Snow Leopard Server version 
does NOT come with Boot Camp. If so you'll need to get a version of Snow 
Leopard that does have Boot Camp available. I think the Standard version 
of Snow Leopard is about $30.00 from Apple.

If you need help I can be available via Skype to answer your questions.

Bob Arnold



Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-12-07 Thread Daniel J Walsh

On 12/07/2010 10:59 AM, Benjamin Franz wrote:
> On 12/07/2010 07:36 AM, Benjamin Franz wrote:
>> On 12/06/2010 06:47 AM, Daniel J Walsh wrote:
>>>
>>> I agree, and would like to look at the AVC's to understand what could
>>> have broken the labeling
>>
>> Well - since it happened again this morning, here you go. On further 
>> investigation in backups, I previously had the user account that I use 
>> for the FTP based update with its home directory set to a location 
>> inside the /var/www/html tree. Since that unknowingly passed this 
>> rule, it silently worked. It was changed to a /home/ based directory 
>> instead a while ago - tripping this rule. But not consistently: FTP 
>> appears to at least partially work outside the home tree even with the 
>> rule active.
>>
>> I *really* dislike landmines when doing routine system tasks.
>>
> 
> 
> Ok. SELinux blew up something else that was previously working on that 
> machine (yes - I've already done something to fix it for now. I don't 
> need anyone saying 'well run sealert'. Been there - done that. Things 
> are running now.)  This repeated time suckage is why people routinely 
> turn it off.
> 
> 
> sealert -l e6e017f5-9c2b-4e7b-895e-51a232042588
> 
> Summary:
> 
> SELinux is preventing the httpd from using potentially mislabeled files
> /var/XX/misc/manage_clients/config.xml (var_t).
> 
> Detailed Description:
> 
> SELinux has denied the httpd access to potentially mislabeled files
> /var/XX/misc/manage_clients/config.xml. This means that SELinux will not
> allow httpd to use these files. Many third party apps install html files in
> directories that SELinux policy cannot predict. These directories have to be
> labeled with a file context which httpd can access.
> 
> Allowing Access:
> 
> If you want to change the file context of
> /var/XX/misc/manage_clients/config.xml so that the httpd daemon can
> access it, you need to execute it using chcon -t httpd_sys_content_t
> '/var/XX/misc/manage_clients/config.xml'. You can look at the
> httpd_selinux man page for additional information.
> 
> Additional Information:
> 
> Source Context                system_u:system_r:httpd_t
> Target Context                user_u:object_r:var_t
> Target Objects                /var/XX/misc/manage_clients/config.xml [
>                               file ]
> Source                        httpd
> Source Path                   /usr/sbin/httpd
> Port
> Host                          XX
> Source RPM Packages           httpd-2.2.3-43.el5.centos.3
> Target RPM Packages
> Policy RPM                    selinux-policy-2.4.6-279.el5_5.2
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   httpd_bad_labels
> Host Name                     XX
> Platform                      Linux XX 2.6.18-194.26.1.el5 #1 SMP
>                               Tue Nov 9 12:54:40 EST 2010 i686 i686
> Alert Count                   3
> First Seen                    Mon Apr 26 10:20:36 2010
> Last Seen                     Tue Dec  7 07:38:17 2010
> Local ID                      e6e017f5-9c2b-4e7b-895e-51a232042588
> Line Numbers
> 
> Raw Audit Messages
> 
> host=XX type=AVC msg=audit(1291736297.720:6786): avc:  denied  { 
> getattr } for  pid=21363 comm="httpd" 
> path="/var/XX/misc/manage_clients/config.xml" dev=dm-0 
> ino=5355222 scontext=system_u:system_r:httpd_t:s0 
> tcontext=user_u:object_r:var_t:s0 tclass=file
> 
> host=XX type=SYSCALL msg=audit(1291736297.720:6786): 
> arch=4003 syscall=195 success=no exit=-13 a0=82e7380 a1=8297c68 
> a2=296ff4 a3=82e7380 items=0 ppid=3398 pid=21363 auid=4294967295 uid=48 
> gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) 
> ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" 
> subj=system_u:system_r:httpd_t:s0 key=(null)
> 
> 
> 
> 

Yes SELinux and all MAC systems require that if the administrator puts
files in non-default directories, then they have to be told.  In
the case of SELinux, this involves correcting the labeling.  DAC has
similar problems, in that you need to make sure the permission flags and
ownership are correct.  Of course admins have been dealing with DAC for
years so they understand it, and the number of UID/Permission
combinations is more limited than the amounts of labels that SELinux
presents.

I wrote this paper to try to explain what SELinux tends to complain about.

http://people.fedoraproject.org/~dwalsh/SELinux/Presentations/selinux_four_things.pdf

Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread Adam Tauno Williams
On Tue, 2010-12-07 at 10:01 -0600, Les Mikesell wrote: 
> On 12/7/10 9:07 AM, Adam Tauno Williams wrote:
> > site-local addresses are officially deprecated.
> > If you want a device to only be available locally - block the traffic
> > to/from that device.
> So security will depend on every connection owner having a high level of 
> knowledge about ipv6 internals?  

Yes.  Exactly like IPv4! (given that network security professionals have
existed for a long time)

Install a stateful firewall just like with IPv4!  Stateful firewalls
being things created by people "having a high level of knowledge
about ... internals".

Problem solved [for 99.44% of the population], just like IPv4!

And to add a nice sprinkling of obscurity - every time your computer
reboots [or interface resets] it generates a different ["random"] IPv6
address within your *HUGE* subnet.



Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread Les Mikesell
On 12/7/10 9:04 AM, Adam Tauno Williams wrote:
>
>> The other nice side-effect of NAT is that you get an effectively infinite number
>> of addresses behind it without any pre-arrangement with anyone else.  Even if
>> ISPs hand out what they expect to be reasonably-sized blocks, won't it be much
>> harder to deal with when you outgrow your allotment?  We've had the opportunity
>> to move to ipv6 for ages but we haven't (in the US, anyway).  I think the reason
>> is that most people like the way NAT works and don't really want a public
>> address on every device.
>
> Bogus.  The reason is that they haven't been pressured into adoption by
> higher powers; so we will get into a nice scramble to migrate in a
> pinch.

Agreed, but the reason that hasn't happened is that there's no visible benefit 
to the consumer.

> "most people" have no idea what NAT is, don't care, and shouldn't have
> to care.

Agreed again, but the reason is that the vast majority only want outbound client 
connections and they would be perfectly happy if application protocols adapted 
to client registration to some central registry for portability instead of ever 
assuming that a person or associated application had anything to do with any 
particular device or fixed address.  Compare the number of people who use an 
IM/chat application to the number who have directly reachable SIP endpoints 
without a forwarding service, for example.  There are good reasons for that.

> Some people's belief that NAT is some magic sauce that makes them more
> secure [it does not] or provides them more flexibility [it does not]
> than real addresses ... causes the people who understand networking to
> have to spend time explaining that their love of NAT is misguided and
> their beliefs about NAT are bogus.

If the ipv6 routers come with defaults that work the same as current NAT 
routers, people will be able to continue to misunderstand them happily. That is, 
permit outbound client connections from anything connected behind them without 
much regard to how many devices there are, and block everything else.

-- 
   Les Mikesell
 lesmikes...@gmail.com




Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread Adam Tauno Williams
On Tue, 2010-12-07 at 10:16 -0600, Les Mikesell wrote: 
> On 12/7/10 9:04 AM, Adam Tauno Williams wrote:
> > Some people's belief that NAT is some magic sauce that makes them more
> > secure [it does not] or provides them more flexibility [it does not]
> > than real addresses ... causes the people who understand networking to
> > have to spend time explaining that their love of NAT is misguided and
> > their beliefs about NAT are bogus.
> If the ipv6 routers come with defaults that work the same as current NAT 
> routers, people will be able to continue to misunderstand them happily. That is, 
> permit outbound client connections from anything connected behind them without 
> much regard to how many devices there are, and block everything else.

And doesn't that sound like you just described a firewall?

"permit outbound client connections from anything connected behind them
without  much regard to how many devices there are, and block everything
else" isn't NAT.  That's a router/firewall.  Happily IPv6 does that
exactly.

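The default Les describes (permit outbound client connections from anything behind the router, block everything else) and Adam's point that this is a firewall rather than NAT, together with the "different random address" Adam mentions earlier in the thread, as an added example that is not from any of the posters: a POSIX sh script that prints an ip6tables ruleset for a box routing a delegated IPv6 prefix with no NAT, plus the sysctl for RFC 4941 temporary addresses on the inside hosts. The function names, the interface names (ppp0/eth1 as placeholders) and the assumption of a kernel with IPv6 connection tracking are mine.

```shell
#!/bin/sh
# Added example, not from the thread: the "router/firewall, not NAT" policy
# discussed above, as an ip6tables ruleset for a box routing a delegated IPv6
# prefix. Inside hosts may open anything outbound; only traffic belonging to
# those flows comes back; everything else is dropped and logged. Nothing is
# applied here: the rules are printed for review, then piped to sh as root.
# Assumes a kernel with IPv6 connection tracking (nf_conntrack_ipv6).
# ipv6_rules WAN_IF LAN_IF -> the ruleset on stdout
ipv6_rules() {
    wan=$1
    lan=$2
    cat <<EOF
ip6tables -F
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ICMPv6 is not optional: neighbour discovery, router advertisements and
# path-MTU discovery all break if it is dropped the way IPv4 ICMP often is
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
# the NAT-like behaviour minus the address rewriting: any number of inside
# hosts may connect out, and only packets belonging to those flows come back
ip6tables -A FORWARD -i $lan -o $wan -j ACCEPT
ip6tables -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
# RFC 4890: these error messages must cross the firewall or inside hosts lose PMTUD
ip6tables -A FORWARD -i $wan -o $lan -p ipv6-icmp --icmpv6-type packet-too-big -j ACCEPT
ip6tables -A FORWARD -i $wan -o $lan -p ipv6-icmp --icmpv6-type time-exceeded -j ACCEPT
ip6tables -A FORWARD -i $wan -o $lan -p ipv6-icmp --icmpv6-type destination-unreachable -j ACCEPT
ip6tables -A FORWARD -i $wan -o $lan -p ipv6-icmp --icmpv6-type parameter-problem -j ACCEPT
# log what the default policies drop, so unsolicited inbound traffic is visible
ip6tables -A INPUT -j LOG --log-prefix "ip6 INPUT drop: "
ip6tables -A FORWARD -j LOG --log-prefix "ip6 FORWARD drop: "
EOF
}

# For the inside hosts rather than the router: the "different random address"
# mentioned in the thread is RFC 4941 privacy extensions. use_tempaddr=2
# generates temporary addresses and prefers them for outgoing connections,
# while the stable address remains for anything the host deliberately serves.
ipv6_privacy_sysctl() {
    cat <<EOF
net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2
EOF
}

# Usage: sh ipv6fw.sh ppp0 eth1 | less      (then, once reviewed: | sh as root)
if [ $# -eq 2 ]; then
    ipv6_rules "$1" "$2"
fi
```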


Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread Tom H
On Tue, Dec 7, 2010 at 11:18 AM, Brunner, Brian T. wrote:
>
> Trim your quotes.

LOL

I was in a hurry... I think that this applies to all in this thread so
I hope that you've emailed everyone else...

Also, please keep your commands on-list; I only caught your email
because it was at the top of my spam directory when I was emptying it.


Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread Tom H
On Tue, Dec 7, 2010 at 10:43 AM, Lamar Owen  wrote:
> On Tuesday, December 07, 2010 10:32:32 am Tom H wrote:
>> Is 172.16.10.72 a private address of yours or of your ISP?
>
> More to the point; do you have a route to his address?

I have a route to his dsl router, which, assuming that the ipv4 and
ipv6 firewalls are as good at allowing/disallowing access, makes his
current ipv4 and his future ipv6 addresses equally accessible.


Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread Brunner, Brian T.

LOL twice, I'll top-post!  (I hate M$ Office, but I'm stuck with it)

I didn't want my whining (not commanding) archived for-frigging-ever, so
I sent it direct.

TBH I ran out of steam/indignation/angst after a few of the over-quoter
under-trimmers, so I didn't get all. 

> -Original Message-
> From: centos-boun...@centos.org 
> [mailto:centos-boun...@centos.org] On Behalf Of Tom H
> Sent: Tuesday, December 07, 2010 11:34 AM
> To: CentOS mailing list
> Subject: Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
> 
> On Tue, Dec 7, 2010 at 11:18 AM, Brunner, Brian T. wrote:
> >
> > Trim your quotes.
> 
> LOL
> 
> I was in a hurry... I think that this applies to all in this 
> thread so I hope that you've emailed everyone else...
> 
> Also, please keep your commands on-list; I only caught your 
> email because it was at the top of my spam directory when I 
> was emptying it.
> 



Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-12-07 Thread Benjamin Franz
On 12/07/2010 08:12 AM, Daniel J Walsh wrote:
>
> Yes SELinux and all MAC systems require that if the administrator puts
> files in non-default directories, then they have to be told.  In
> the case of SELinux, this involves correcting the labeling.  DAC has
> similar problems, in that you need to make sure the permission flags and
> ownership are correct.  Of course admins have been dealing with DAC for
> years so they understand it, and the number of UID/Permission
> combinations is more limited than the amounts of labels that SELinux
> presents.
>
> I wrote this paper to try to explain what SELinux tends to complain about.
>
> http://people.fedoraproject.org/~dwalsh/SELinux/Presentations/selinux_four_things.pdf

The fact remains that as the old saw goes: Make it hard enough to do 
something and people will quit doing it.

SELinux remains *hard* for most non-default users. As the lead SE 
developer, things you find utterly routine and only slightly annoying 
are major roadblocks to many other people. You aren't the average user. 
You aren't even close to one. A *sophisticated* user will see the 
suggestion given by sealert to run chcon, follow it, *and have no idea 
that a system relabel can screw it up again*. sealert doesn't even 
mention the issue! It is as if the person who wrote the sealert messages 
never considered that people would like things fixed permanently rather 
than just until the next SELinux update relabels the system.

I have 15 years experience running Linux servers. And I find SELinux 
damn annoying. I can work with it at need - but I'm generally pissed off 
when I find 'yet another SELinux issue'. My boss, who is the fallback 
admin here, would find it utterly opaque. He would have no idea where to 
even start looking for an SELinux issue.

The issue is similar to that of using passwords of more than 10 
characters composed of random mixed-case alphanumeric characters 
(ideally with special characters mixed in). Yes - they are provably more 
secure in a technical sense than virtually any easily remembered system. 
However *real people* have to use the passwords. And they will put the 
damn things on taped notes on the bottom of their laptop if you make 
them too hard (not conjectural - I've caught people here doing exactly 
that).

BTW: You have a typographical error on your semanage example. You don't 
have a closing ' character on the file_spec.

-- 
Benjamin Franz

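Dan Walsh's advice earlier in the thread (label content shared between ftpd and httpd public_content_rw_t, see man ftpd_selinux and httpd_selinux) and Benjamin Franz's point that sealert's chcon suggestion is undone by the next relabel, as an added example that is not from either poster: a POSIX sh triage script that pulls the domain, permission and target out of an AVC denial line and prints a semanage fcontext rule, which does survive a relabel, instead of a one-off chcon. The function names and the label-selection table are mine, the sample denial is constructed from the httpd AVC quoted above, and /var/XX is the thread's own redacted path.

```shell
#!/bin/sh
# Added example (not from the thread): triage an SELinux AVC denial and print a
# labeling fix that survives a relabel. The sealert output quoted above suggests
# chcon, which the next restorecon or policy-update relabel reverts; semanage
# fcontext records the rule in the file-context database so it is re-applied.

# Constructed sample, modelled on the httpd denial quoted in the thread.
SAMPLE_AVC='type=AVC msg=audit(1291736297.720:6786): avc:  denied  { getattr } for  pid=21363 comm="httpd" path="/var/XX/misc/manage_clients/config.xml" dev=dm-0 ino=5355222 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file'

# avc_field LINE KEY -> value of KEY=value in LINE, quotes stripped ("" if absent)
avc_field() {
    printf ' %s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# avc_perms LINE -> the permissions inside "denied { ... }", e.g. "getattr" or "write add_name"
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^}]*\)}.*/\1/p' \
        | sed 's/[[:space:]]*$//'
}

# avc_type CONTEXT -> the type field of user:role:type[:level], e.g. httpd_t
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# label_for DOMAIN PERMS -> content label to use, or "" when there is no safe default.
# A daemon *writing* gets the shared read-write label Dan recommends; read-only
# access gets the daemon's own content label; anything else is left to a human.
label_for() {
    case "$2" in
        *write*|*create*|*add_name*|*remove_name*|*unlink*|*rename*)
            printf 'public_content_rw_t\n' ;;
        *)
            case "$1" in
                httpd_t) printf 'httpd_sys_content_t\n' ;;
                ftpd_t)  printf 'public_content_t\n' ;;
                *)       printf '\n' ;;
            esac ;;
    esac
}

# suggest_fix LINE -> commands for a persistent fix; exit status 1 when no default applies
# (directory denials often carry name= but no path=, which also lands here).
suggest_fix() {
    _dom=$(avc_type "$(avc_field "$1" scontext)")
    _perms=$(avc_perms "$1")
    _path=$(avc_field "$1" path)
    _label=$(label_for "$_dom" "$_perms")
    if [ -z "$_label" ] || [ -z "$_path" ]; then
        printf '# %s denied { %s } on %s: no default label, see man %s_selinux\n' \
            "$_dom" "$_perms" "${_path:-(no path)}" "${_dom%_t}"
        return 1
    fi
    # Label the directory tree, not the one file, so the rule also covers files created later.
    if [ "$(avc_field "$1" tclass)" = dir ]; then _dir=$_path; else _dir=$(dirname "$_path"); fi
    printf "semanage fcontext -a -t %s '%s(/.*)?'\n" "$_label" "$_dir"
    printf "restorecon -Rv '%s'\n" "$_dir"
    # Shared read-write content additionally needs the daemon's anon_write boolean.
    [ "$_label" = public_content_rw_t ] &&
        printf '# and: setsebool -P allow_%s_anon_write on   (man %s_selinux)\n' "${_dom%_t}" "${_dom%_t}"
    return 0
}

suggest_fix "$SAMPLE_AVC"
```

Feed it a line from /var/log/audit/audit.log (or the raw message sealert shows) and compare its output with the chcon line sealert proposes; the path regex and label are the part worth reviewing before running them.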


Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread Les Mikesell
On 12/7/10 10:20 AM, Adam Tauno Williams wrote:
>
>>> Some people's belief that NAT is some magic sauce that makes them more
>>> secure [it does not] or provides them more flexibility [it does not]
>>> than real addresses ... causes the people who understand networking to
>>> have to spend time explaining that their love of NAT is misguided and
>>> their beliefs about NAT are bogus.
>> If the ipv6 routers come with defaults that work the same as current NAT
>> routers, people will be able to continue to misunderstand them happily. That is,
>> permit outbound client connections from anything connected behind them without
>> much regard to how many devices there are, and block everything else.
>
> And doesn't that sound like you just describe a firewall?

It sounds like a complex setup for a firewall with dynamic entries to 
temporarily pass tcp and udp with different timeouts, where 1->many NAT doesn't 
have any other choice.  If you don't send outbound you don't get the nat table 
entry to forward anything back through it.

> "permit outbound client connections from anything connected behind them
> without  much regard to how many devices there are, and block everything
> else" isn't NAT.  That's a router/firewall.  Happily IPv6 does that
> exactly.

You didn't mention the number of devices - how does that play out when you 
exceed the number initially set up?

-- 
   Les Mikesell
lesmikes...@gmail.com



Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread Bowie Bailey
On 12/7/2010 11:36 AM, Tom H wrote:
>
> I have a route to his dsl router, which, assuming that the ipv4 and
> ipv6 firewalls are as good at allowing/disallowing access, makes his
> current ipv4 and his future ipv6 addresses equally accessible.

I've been following the NAT debate here and something occurred to me.

If you have an IPv4 network with NAT, an attacker doesn't need to know
your internal IPs.  All he needs is the IP to your router.  NAT will
nicely forward his packets along to whichever internal computer handles
the port.  With that one address, he can scan your entire network for
any services available to the Internet.

With an IPv6 network without NAT, an attacker would need to know the
specific IP of the computer he wants to attack.  There is no NAT to
forward along his SSH attack to the correct computer.  To scan your
network for vulnerabilities, he would have to scan every port on every
IP.  Even if he can come up with a list of the IPs that are in use, this
is still much more work than scanning a single (NATed) IP.

-- 
Bowie


Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread David Sommerseth
On 07/12/10 16:49, Bob McConnell wrote:
> Gavin Carr wrote:
>> On Mon, Dec 06, 2010 at 08:55:17PM -0500, Bob McConnell wrote:
 3) When I connect my IPV6 refrigerator with its automatic inventory
 system tracking every RFID-enabled carrot I use, won't I be making my
 shopping habits visible to all those annoying advertisers?  Or, in
 other words, am I compromising my privacy?  Actually, although such
 dissemination of information can be blocked by a correctly designed
 firewall, I suspect the "Free IPv6 DSL Modem and Router, Sponsored by
 " that comes with your ISP contract,
 would err on the side of promiscuity.
>>> Why yes, yes you are giving up some of your privacy. And unless you have
>>> the time and are willing and able to learn how to configure firewalls
>>> for each device and application you use, or have the money to pay
>>> someone else you trust to do it for you, there is very little to protect
>>> you from the rest of the world.
>>
>> That's at least overstated, and at worst complete FUD. Generic modems and
>> routers will be configured as they are now - with stateful firewalls
>> blocking all incoming traffic, except for streams initiated internally. 
>> Outgoing connections that would have worked before via NAT continue to
>> work, but without NAT. Stateful firewalls are still stateful firewalls.
>>
>> Where are you giving up some of your privacy? The number of hosts on
>> your internal network? So allocate 256 ips (or 65k, if you like) to every
>> host and use a random ip from that set for every distinct service or 
>> outgoing connection.
>>
>> There _is_ more information leakage with ipv6, in the sense that you are 
>> using a real ip from an internal machine on the connection. But the 
>> point is that the security benefit of that is largely illusory, security
>> by obscurity.
> 
> No, it is not FUD, it is a real concern by people with much to lose. 
> Those of you evangelizing this new, and still unproven technology can't 
> seem to recognize this simple fact.

This is FUD.  IPv6 has been talked about and worked on for about 15
years; the early talks about IPv6 started in the early 1990's.  It's
been implemented in most OSes over the last 10 years.  It's been
available to users for a long time.  But a reluctant market which is not
willing to change until it's absolutely needed has delayed the
implementation.  Now we're running out of IPv4 addresses pretty soon,
and system admins and network implementers begin to feel the heat.

  

Notice that the IETF IPv6 Working Group concluded their work Jun 2007.
For more information, also check out:

  

Based on the list of supporters, it also seems to be quite proven.  I meet
every day more and more Internet services which provide both IPv4 and
IPv6 services.  IPv6 is in production in many places already.  Did you know
that these sites already provide IPv6?

  
  
  

None of them are small.  A-Pressen, a Norwegian media group, is looking
into rolling out IPv6 to the vast majority of on-line newspapers.  That
IPv6 is unproven is simply a false statement.

> I consider that information leakage to be very significant. It 
> advertises the presence of another computer with explicit information on 
> where to reach it. Regardless of the firewall, none of which are 
> perfect, this increases the exposure of my systems in an adverse 
> fashion. It increases my risk of being penetrated by someone I probably 
> don't want rummaging around in my files. But I don't see any additional 
> protection being offered to replace what is being taken away.

There is no more information leakage in IPv6 compared to IPv4.  In IPv4
and IPv6 you still have to use public IP addresses to communicate with
the rest of the world.  The only difference with IPv4 + NAT is that all
computers on the inside use your firewall's public IP address.  That's
actually an even worse situation in my opinion, as that tells an
attacker where your firewall is.  With IPv6, you can have your firewall
with whatever IPv6 address you want, and an attacker doesn't know if he is
hitting a firewall or the destination host.  Which means the attacker
will know *less* about the attack vector than with IPv4.

And due to the enormous address space IPv6 gives each single site, doing
a brute-force attack against more IP addresses will be a never-ending
story.  Try to double 4.294.967.296 32 times, and you'll have the number
of addresses available *only to you* in *one* /64 subnet.  If you then
even introduce IPv6 Privacy Extensions, which will randomise and change
the IPv6 address regularly, an attacker will shoot at a moving target.
Then put this "moving target" behind a firewall which doesn't provide
access from the outside to the inside (only from inside to outside), and
the attacker will not know if he hits or not.

(This is 

Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread Luigi Rosa
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Les Mikesell said the following on 07/12/10 17:01:

> So security will depend on every connection owner having a high level of 
> knowledge about ipv6 internals?   Is this being designed by people planning 
> careers as consultants?

A network protocol should not be designed to accommodate the flaws of some 
OSes.

If an OS is full of bugs and if certain OS installations out of the box cannot
survive longer than a few hours exposed to a direct Internet connection, it's not
a failure of the network protocol, but a failure of the OS.

Let's try not to build an infrastructure in a way that makes it easier to develop and
distribute bogus OSes.


Ciao,
luigi

- -- 
/
+--[Luigi Rosa]--
\

Those who do not understand Unix are condemned to reinvent it, poorly.
--Henry Spencer
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkz+a7IACgkQ3kWu7Tfl6ZTWqgCdG/gfNuVTqU8A+SFjh3ArJlwz
uCYAoIHECm9/yxXENF/fRsP1//kr4CYy
=tIoS
-END PGP SIGNATURE-


Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread David Sommerseth
On 07/12/10 18:01, Les Mikesell wrote:
> On 12/7/10 10:20 AM, Adam Tauno Williams wrote:
[...snip...]
>> "permit outbound client connections from anything connected behind them
>> without  much regard to how many devices there are, and block everything
>> else" isn't NAT.  That's a router/firewall.  Happily IPv6 does that
>> exactly.
> 
> You didn't mention the number of devices - how does that play out when you 
> exceed the number initially set up?

How many devices?  You mean exceeding the number available inside an
IPv6 subnet?  I do hope you're kidding ... as for a /64 subnet we're
talking about 4.294.967.296 addresses doubled 32 times.


kind regards,

David Sommerseth



Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread Rudi Ahlers
On Tue, Dec 7, 2010 at 6:01 PM, Les Mikesell  wrote:
> On 12/7/10 9:07 AM, Adam Tauno Williams wrote:
>>
>> site-local addresses are officially deprecated.
>>
>> If you want a device to only be available locally - block the traffic
>> to/from that device.
>
> So security will depend on every connection owner having a high level of
> knowledge about ipv6 internals?   Is this being designed by people planning
> careers as consultants?
>
> --



Yes, I can see where you're coming from with this argument. We supply
ADSL to our clients and could offer them security on a network level.
I know some mobile operators already do this on their networks on
IPV4. Basically, if I want remote access to a machine connected to the
internet via their network I have to apply for permission to have the
security removed. The contract states that I know what I'm doing and
will take full responsibility for anything that goes wrong on my side.
They're basically covered legally (if one could call it that) if
something goes wrong with my connection.

We have some measures in place where we block, at a client's request,
all ports except 23, 25, 80, 110 and 443. So, I'm sure many other
ISPs could do the same thing?



-- 
Kind Regards
Rudi Ahlers
SoftDux

Website: http://www.SoftDux.com
Technical Blog: http://Blog.SoftDux.com
Office: 087 805 9573
Cell: 082 554 7532


Re: [CentOS] CentOS 5.5 on a new Mac Mini? no CD Driver?

2010-12-07 Thread Nataraj
> You need to install and use Apple's Boot Camp to make CentOS work on a
> Mac Mini. It will install a utility on the drive that will make the Mini 
> look like an ordinary system instead of the Apple based hardware 
> including standard drivers for the Cd/DVD and hard drives and network 
> and sound support. I have an old single core Mac Mini running CentOS 5 
> 32 bit just fine.
>
> One problem though is that I believe that Snow Leopard Server version 
> does NOT come with Boot Camp. If so you'll need to get a version of Snow 
> Leopard that does have Boot Camp available. I think the Standard version 
> of Snow Leopard is about $30.00 from Apple.
>
> If you need help I can be available via Skype to answer your questions.
>
> Bob Arnold
>
Refit is commonly used to boot multiple OSes on the mac mini and is 
fairly easy to install (you can burn a CD of it and boot from that to 
test first). I've booted the Fedora14 liveCD on my mac mini and the disk 
drivers DO work. Also Ubuntu 10.04 LTS (lucid) has working drivers. I 
believe that grub2 can directly boot linux without bootcamp or refit, 
but may not be easy to set up.

For most of the livecd's you'll need to go to manually edit the grub 
command line and add "nomodeset reboot=pci". nomodeset may not be needed 
on the latest kernels. If you lose video, then you need it.

For all but the latest kernels you'll need to download broadcom tg3 
drivers from the broadcom website and compile them for the ethernet to 
work. Fedora14 has current broadcom drivers.

You may also need to download a driver for the wireless.

For sound you may need the following, or the equivalent for your 
distribution:
echo 'options snd-hda-intel model=mbp55' >> /etc/modprobe.d/alsa-base.conf

The real gotcha for the mac mini and all Macs is the GPT partition 
table. The major problem is that most of the gpt partitioning tools are 
still pretty flaky and turn on incorrect bits or in some other way set 
something in the partition table that some other program doesn't like. 
If you manage to do an install and it works the first time you are 
lucky, but once it fails you can pull your hair out trying to fix the 
partition table. This is definitely not recommended for the inexperienced.

I believe that Ubuntu 10.04.1 LTS (lucid), the standard live install CD 
(NOT the alternate install), might be your best bet for a trouble-free 
installation. When you boot the livecd, you'll want to keep hitting keys 
as it's booting to force the grub menus to come up. (in fedora14, just 
hit a space when you get the boot timeout message, then hit tab to edit 
the boot command line). After you enter your language, hit F6 and select 
'nomodeset' (space selects, escape exits this menu). Then use your arrow 
keys and move back on the boot line and add 'reboot=pci'. If you forget 
reboot=pci you can always power cycle to boot.

You'll also want the Nvidia drivers.

I will be installing fedora14 at some point soon.

In general, linux on the Mac Mini is not an easy install though it can 
be done.

The following might be useful, though is not completely up to date:
https://help.ubuntu.com/community/Macmini4-1/Lucid

Nataraj





Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-12-07 Thread Brunner, Brian T.

> The issue is similar to that of using passwords of more than 
> 10 characters composed of random mixed-case alphanumeric 
> characters (ideally with special characters mixed in). Yes - 
> they are provably more secure in a technical sense than 
> virtually any easily remembered system. 
> However *real people* have to use the passwords. And they 
> will put the damn things on taped notes on the bottom of 
> their laptop if you make them too hard (not conjectural - 
> I've caught people here doing exactly that).

My solution is to use complex passwords, and write them down wrong,
making my write-down a password hint, but not a password.
My task is to remember what my transform from hint to fact is (examples
follow, choose your own):
1: Spell the 2 words in the password in English, but in the password use
g33kp3ak on one of the words and alternating case on the other.
2: The numbers and shifted-numbers (e.g. 2 and @ on my US keyboard) in
the password are swapped from the hint: the '@' in the hint is a 2 in the
password ... Or are they NOT case-shifted but instead position-shifted
one to the right or left?  Once I have a simple transform memorized,
written password hints aren't much use to the on-site attacker who has
access to my machine.  Word-for-word transforms within context are also
possible.

The hint of 1red9football;; becomes !ReD8f00tb411::

I think this meets the 'memorizable' need and strength-of-password need.

This is only vaguely a CentOS issue.  More to the CentOS point, IPv4
still works, so behind-the-firewall networks can still use it with utter
abandon.  Mapping internal IPv4 addresses to publicly-visible IPv6
addresses is a routing issue.  How good is Linux/RH/CentOS with
V6-to-V4-and-back address-type mapping?



Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread David Sommerseth
On 07/12/10 16:45, Adam Tauno Williams wrote:
> On Tue, 2010-12-07 at 10:32 -0500, Tom H wrote: 
>> On Tue, Dec 7, 2010 at 10:29 AM, Bob McConnell  
>> wrote:
>>> Adam Tauno Williams wrote:
>>>> On Mon, 2010-12-06 at 18:28 -0500, Bob McConnell wrote:
>> IPv6 is not broken by design. NAT was implemented to extend the time
>> until IPv4 exhaustion. A side effect was hiding the internal IPv4
>> address, which complicates a number of protocols like FTP and SIP. The
>> only downside I see is ISPs could try and charge based on the number
>> of IPv6 addresses being used.
> No, the downside is that each address used will be exposed to the world.
>>>> False.  That is *NOT* a downside.
>>>> NAT is *NOT* a magic sauce - install a firewall [which you probably
>>>> already have].  Problem solved.
> I consider that a serious security flaw.
>>>> It is not.
> Having my ISP know how many
> computers I have is a minor issue covered by the contract I have with
> them.
>>>> So you want to cheap on the legal contract you agreed to?
>>> No, if they want too much money before I can install additional
>>> computers, I have several other choices, some of which will likely be
>>> less expensive. Currently, their TOS is not an issue
> But having all of those addresses exposed to Russian mobsters,
> terrorists, crackers and everyone else that knows how to capture packets
> is another matter altogether. If IPv6 exposes that information to the
> world, it is definitely unsafe to use.
>>>> The "Russian mobsters" can already do that; if you think NAT is
>>>> protecting you from that then you are mistaken.
>>> NAT hides the IP addresses of the computers inside my firewall. The only
>>> address exposed is the temporary address assigned to the firewall
>>> itself. That box can be run on the most secure OS I can find (currently
>>> one of the BSD's), and allows me to operate other systems behind it that
>>> aren't as well protected. This makes it significantly more difficult for
>>> those mobsters to penetrate my network.
>> Is 172.16.10.72 a private address of yours or of your ISP?
> 
> +1
> 
> NAT isn't doing what Bob McConnell thinks it is.  Any "russian mobster"
> can afford to hire a halfway decent hacker who will only laugh at the
> obfuscation added by NAT.  Determining how many computers, and quite a
> bit of detail about them, are behind a NAT is not hard.  You just watch
> the traffic and these things reveal themselves.  Your traffic can be
> compromised just as easily with or without NAT.  Very few actually
> useful attacks on a host require direct access to the interface;
> stateful firewalls made such vectors pretty useless a long time ago.

You mean something along the way ... "Oh, this Bob uses 172.16.10.72 ...
let's run some traceroutes towards his gateway.  That could be
64.57.176.18, right?   Then we can just set up a direct route from us to
his 172.16.10.0/24 network.  Wait! Let's add 172.16.0.0/12, just to be
sure we hit the right path"


kind regards,

David Sommerseth




Re: [CentOS] ntfs

2010-12-07 Thread Dag Wieers
On Sun, 5 Dec 2010, Ron Loftin wrote:

> On Sun, 2010-12-05 at 23:52 +0530, Ritika Garg wrote:
>
>> CentOS 5.5 is installed in the system. I installed the package
>> kmod-ntfs-2.1.27-3.el5.elrepo.x86_64.rpm
>> I mounted Seagate external hard disk. I am able to copy contents from
>> the hard disk to the system but not from the system to the hard disk.
>
> Yes.  If you go to this page on the ElRepo site:
>
> http://elrepo.org/tiki/kmod-ntfs
>
> and check the limitations you will see that this is the expected
> behavior.
>
> If you want full write capabilities with NTFS I suggest that you remove
> kmod-ntfs and instead use the fuse-ntfs-3g package from RPMForge.  That
> relies on DKMS ( which works well enough for me ) and has full
> read-write capabilities.

Just a small correction. Fuse filesystems no longer need dkms installed, 
since the fuse kernel module has been part of RHEL5 since RHEL 5.4. So if 
people still have the dkms module installed and/or use ELRepo's fuse 
kernel module they can safely remove it :)

-- 
-- dag wieers, d...@wieers.com, http://dag.wieers.com/
-- dagit linux solutions, i...@dagit.net, http://dagit.net/

[Any errors in spelling, tact or fact are transmission errors]


Re: [CentOS] ntfs

2010-12-07 Thread Dag Wieers

On Mon, 6 Dec 2010, Niki Kovacs wrote:

> Robert Heller wrote:
>
>> Will FAT support the larger external disks, such as the .5TB and larger?
>
> I read the replies to my previous posts, and I get your point, since I
> didn't know about the various limitations. It's probably due to the fact
> that we're 100% GNU/Linux here. I haven't booted Windows for work since
> before the time Windows XP came out (around 2001). The only time I get
> to "work" on Windows is usually to retrieve data before moving it to
> CentOS. As far as external hard disks are concerned, they're all ext3
> here. Whenever the odd non-Linux user has to exchange data with Linux
> here, he or she has to use a Samba share.
>
> So I admit my point of view is somewhat biased :o)

However one point you make is still valid. There is no alternative to NTFS 
nowadays if you need to share files between Windows and Linux. It is a 
shame there are not better Ext3/Ext4 drivers that integrate properly into 
Windows.

Something similar to ntfs-3g must be easier to write for ext3 on Windows 
(as the ext3 format is well-known).


--
-- dag wieers, d...@wieers.com, http://dag.wieers.com/
-- dagit linux solutions, i...@dagit.net, http://dagit.net/

[Any errors in spelling, tact or fact are transmission errors]


Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-12-07 Thread Daniel J Walsh
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 12/07/2010 11:59 AM, Benjamin Franz wrote:
> On 12/07/2010 08:12 AM, Daniel J Walsh wrote:
>>
>> Yes SELinux and all MAC systems require that if the administrator puts
>> files in non default directories, then they have to be told.  In
>> the case of SELinux, this involves correcting the labeling.  DAC has
>> similar problems, in that you need to make sure the permission flags and
>> ownership is correct.  Of course admins have been dealing with DAC for
>> years so they understand it, and the number of UID/Permission
>> combinations is more limited than the amounts of labels that SELinux
>> presents.
>>
>> I wrote this paper to try to explain what SELinux tends to complain about.
>>
>> http://people.fedoraproject.org/~dwalsh/SELinux/Presentations/selinux_four_things.pdf
> 
> The fact remains that as the old saw goes: Make it hard enough to do 
> something and people will quit doing it.
> 
> SELinux remains *hard* for most non-default users. As the lead SE 
> developer, things you find utterly routine and only slightly annoying 
> are major roadblocks to many other people. You aren't the average user. 
> You aren't even close to one. A *sophisticated* user will see the 
> suggestion given by sealert to run chcon, follow it, *and have no idea 
> that a system relabel can screw it up again*. sealert doesn't even 
> mention the issue! It is as if the person who wrote the sealert messages 
> never considered that people would like things fixed permanently rather 
> than just until the next SELinux update relabels the system.
> 
> I have 15 years experience running Linux servers. And I find SELinux 
> damn annoying. I can work with it at need - but I'm generally pissed off 
> when I find 'yet another SELinux issue'. My boss, who is the fallback 
> admin here, would find it utterly opaque. He would have no idea where to 
> even start looking for an SELinux issue.
> 
> The issue is similar to that of using passwords of more than 10 
> characters composed of random mixed-case alphanumeric characters 
> (ideally with special characters mixed in). Yes - they are provably more 
> secure in a technical sense than virtually any easily remembered system. 
> However *real people* have to use the passwords. And they will put the 
> damn things on taped notes on the bottom of their laptop if you make 
> them too hard (not conjectural - I've caught people here doing exactly 
> that).
> 
> BTW: You have a typographical error on your semanage example. You don't 
> have a closing ' character on the file_spec.
> 

I am not arguing that SELinux is easy, I am arguing that it is not
rocket science.  I have worked for several years to try to make
SELinux easier to use, while making it more comprehensive and adding
tools like svirt and sandbox to give administrators more tools to secure
their systems.  We have fixed thousands of bugs in policy and
applications that were acting badly, so I have seen the problems people
have had with SELinux.  I am encouraged by the number of people who have
worked with SELinux and continue to leave SELinux enabled by default.
But I understand why SELinux is disabled on some machines.

RHEL6 SELinux usability compared to RHEL4 is light years better.  But
setting up security on a computer system is hard.  Then there is always
the battle between greater security versus decrease in usability, as you
illustrate in your password example.

http://danwalsh.livejournal.com/2008/10/22/

We have a new version of setroubleshoot which will hopefully be far
easier to understand and will recommend the proper commands to set up
labeling versus using chcon.  We will hopefully be backporting this to
RHEL6.

Having people work with us to fix issues by reporting bugs, submitting
patches and any other help is greatly appreciated.

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkz+b4sACgkQrlYvE4MpobMHGACfdfqoA25Hhyu7JnqkOTCpvuUN
URkAoOe5Zx8zvVh8wnU0a+GOghbRMbZu
=Ntj7
-END PGP SIGNATURE-
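As an added example (not code from the thread, nor from the SELinux or setroubleshoot projects) of the point Benjamin Franz raises and Dan Walsh answers above: a `chcon` fix is lost at the next relabel, while a `semanage fcontext` entry survives it. The path `/srv/www` and the type `httpd_sys_content_t` are assumed values chosen for illustration; the script prints the commands rather than running them so they can be reviewed before being run as root on a host with the SELinux userland installed.

```shell
#!/bin/sh
# Added example; not code from the thread or from the SELinux/setroubleshoot
# projects. Shows why a chcon fix does not survive a relabel and how to record
# the label in policy instead. The path /srv/www and the type
# httpd_sys_content_t are assumed values for illustration.

# chcon only rewrites the label stored on the inode. A later "restorecon -R"
# or a boot-time autorelabel puts back whatever the loaded policy says for
# that path, so this kind of fix silently disappears:
#   chcon -R -t httpd_sys_content_t /srv/www    # works until the next relabel

# semanage fcontext takes a regular expression, not a path, so regex
# metacharacters in the path ('.' most commonly) must be escaped, and the
# directory's contents are matched by appending "(/.*)?". This helper builds
# that spec from a plain directory path.
fcontext_spec() {
    printf '%s\n' "$1" | sed -e 's/[.+?*^$()|\\]/\\&/g' -e 's#$#(/.*)?#'
}

# Emit the two commands that make the label persistent: record the mapping
# in the local policy, then apply it to the files already on disk.
persistent_label_cmds() {
    dir="$1"
    setype="$2"
    spec=$(fcontext_spec "$dir")
    printf 'semanage fcontext -a -t %s "%s"\n' "$setype" "$spec"
    printf 'restorecon -Rv %s\n' "$dir"
}

# Detect labels that came from chcon (or from copying files with cp -a):
# if the label a file carries differs from what the policy would assign,
# the next relabel will change it. Needs matchpathcon from the SELinux tools.
label_drift() {
    current=$(stat -c %C "$1")
    expected=$(matchpathcon -n "$1")
    if [ "$current" = "$expected" ]; then
        printf 'ok: %s carries the policy label %s\n' "$1" "$current"
        return 0
    fi
    printf 'drift: %s has %s but policy expects %s\n' "$1" "$current" "$expected"
    return 1
}

# Stand-alone run: print the persistent-labeling commands for the assumed web root.
persistent_label_cmds /srv/www httpd_sys_content_t
```

`label_drift` is the check that tells the two cases apart after the fact: a file whose current context differs from `matchpathcon`'s answer was labelled by hand (or inherited a label when copied) and will be reset by the next relabel, which is exactly the failure mode described in the quoted message.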


Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread Les Mikesell
On 12/7/10 11:19 AM, David Sommerseth wrote:
> On 07/12/10 18:01, Les Mikesell wrote:
>> On 12/7/10 10:20 AM, Adam Tauno Williams wrote:
> [...snip...]
>>> "permit outbound client connections from anything connected behind them
>>> without  much regard to how many devices there are, and block everything
>>> else" isn't NAT.  That's a router/firewall.  Happily IPv6 does that
>>> exactly.
>>
>> You didn't mention the number of devices - how does that play out when you
>> exceed the number initially set up?
>
> How many devices?  You mean exceeding the number available inside an
> IPv6 subnet?  I do hope you're kidding ... as for a /64 subnet we're
> talking about 4.294.967.296 addresses doubled 32 times.

Is that what people will automatically get in a home ISP connection?

-- 
   Les Mikesell
lesmikes...@gmail.com


Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-12-07 Thread m . roth
Brunner, Brian T. wrote:

> My solution is to use complex passwords, and write them down wrong,
> making my write-down a password hint, but not a password.
> My task is to remember what is my transform from hint to fact: (examples
> follow, choose your own)

Yeah, I use hints, too... but do *not* translate them at all. A hint is
just that, a hint. I might put a couple of letters and/or numbers in, to
remind myself of what the password is, but then block out the rest, such
as Bu-01

 mark, pulling brown paper bag over head before admitting to having
 written a lot of COBOL back in the day



Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread David Sommerseth
On 07/12/10 18:10, Bowie Bailey wrote:
> On 12/7/2010 11:36 AM, Tom H wrote:
>>
>> I have a route to his dsl router, which, assuming that the ipv4 and
>> ipv6 firewalls are as good at allowing/disallowing access, makes his
>> current ipv4 and his future ipv6 addresses equally accessible.
> 
> I've been following the NAT debate here and something occurred to me.
> 
> If you have an IPv4 network with NAT, an attacker doesn't need to know
> your internal IPs.  All he needs is the IP to your router.  NAT will
> nicely forward his packets along to whichever internal computer handles
> the port.  With that one address, he can scan your entire network for
> any services available to the Internet.

To some degree, at least if the attacker breaks into the firewall.

But to use this approach without breaking into the firewall you would
need to forge network packets pretty well to be able to trick a firewall
into passing on packets from the outside to the inside, especially with
stateful packet inspection, where the firewall would know if the
connection is initiated from the inside or outside, and to which inside
client the connection belongs.

> With an IPv6 network without NAT, an attacker would need to know the
> specific IP of the computer he wants to attack.  There is no NAT to
> forward along his SSH attack to the correct computer.  To scan your
> network for vulnerabilities, he would have to scan every port on every
> IP.  Even if he can come up with a list of the IPs that are in use, this
> is still much more work than scanning a single (NATed) IP.
> 

Bingo!  You have caught the point exactly!

An attacker will not know for sure if there is a firewall in between or
not.  Most probably he will presume so.  But he still doesn't know for
sure the IPv6 address of that firewall, or even if there are more
cascaded firewalls in front of a public IPv6 address.  Traceroute might
give some clues, but if it's a strict firewall just dropping packets,
this can take a looong loong time.


kind regards,

David Sommerseth





Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-12-07 Thread m . roth
Daniel J Walsh wrote:
> On 12/07/2010 11:59 AM, Benjamin Franz wrote:
>> On 12/07/2010 08:12 AM, Daniel J Walsh wrote:
>>>
>>> Yes SELinux and all MAC systems require that if the administrator puts
>>> files in non default directories, then they have to be told.
>>> In the case of SELinux, this involves correcting the labeling.  DAC has

>>> I wrote this paper to try to explain what SELinux tends to complain
>>> about.
>>>
>>> http://people.fedoraproject.org/~dwalsh/SELinux/Presentations/selinux_four_things.pdf
>>
>> The fact remains that as the old saw goes: Make it hard enough to do
>> something and people will quit doing it.
>>
>> SELinux remains *hard* for most non-default users. As the lead SE

>> I have 15 years experience running Linux servers. And I find SELinux

Ditto, and that's also Solaris and Tru-64.

>> damn annoying. I can work with it at need - but I'm generally pissed off
>> when I find 'yet another SELinux issue'. My boss, who is the fallback
>> admin here, would find it utterly opaque. He would have no idea where to
>> even start looking for an SELinux issue.

Yup.

> I am not arguing that SELinux is easy, I am arguing that it is not
> rocket science.  I have worked for a several years to try to make

If rocket science means very difficult and obscure, yes, it is.

> SELinux easier to use, while making it more comprehensive and adding
> tools like svirt and sandbox to give administrators more tools to secure
> their systems.  We have fixed thousands of bugs in policy and
> applications that were acting bad, so I have seen the problems people
> have had with SELinux, I am encouraged  by the number of people who have
> worked with SELinux and continue to leave SELinux enabled by default.
> But I understand why SELinux is disabled on some machines.

What have you done for folks who have third-party software, either F/OSS
or COTS, or in-house developed stuff, *none* of which was written with
selinux in mind, and is *not* going to be rewritten any time soon? You've
seen me on the selinux list, and I have yet to figure out why I see the
complaints about contexts, since they *appear* to be temp files, and I
don't know where they're located, or where the CGI scripts that create
them are, and *all* of it's got the added complexity that some of them are
on NFS-mounted directories.

 mark



Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread David Sommerseth
On 07/12/10 18:39, Les Mikesell wrote:
> On 12/7/10 11:19 AM, David Sommerseth wrote:
>> On 07/12/10 18:01, Les Mikesell wrote:
>>> On 12/7/10 10:20 AM, Adam Tauno Williams wrote:
>> [...snip...]
>>>> "permit outbound client connections from anything connected behind them
>>>> without  much regard to how many devices there are, and block everything
>>>> else" isn't NAT.  That's a router/firewall.  Happily IPv6 does that
>>>> exactly.
>>>
>>> You didn't mention the number of devices - how does that play out when you
>>> exceed the number initially set up?
>>
>> How many devices?  You mean exceeding the number available inside an
>> IPv6 subnet?  I do hope you're kidding ... as for a /64 subnet we're
>> talking about 4.294.967.296 addresses doubled 32 times.
> 
> Is that what people will automatically get in a home ISP connection?

Yes.  Either a /64 subnet or more likely a /48 subnet, where a /48
subnet == 65536 /64 subnets.

And the 48 bits ISPs give customers corresponds to 281.474.976.710.656
/48 subnets.  Compare that number to IPv4's 32 bits:
  4.294.967.296



Kind regards,

David Sommerseth



Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread Bowie Bailey
On 12/7/2010 12:43 PM, David Sommerseth wrote:
> On 07/12/10 18:10, Bowie Bailey wrote:
>> On 12/7/2010 11:36 AM, Tom H wrote:
>>> I have a route to his dsl router, which, assuming that the ipv4 and
>>> ipv6 firewalls are as good at allowing/disallowing access, makes his
>>> current ipv4 and his future ipv6 addresses equally accessible.
>> I've been following the NAT debate here and something occurred to me.
>>
>> If you have an IPv4 network with NAT, an attacker doesn't need to know
>> your internal IPs.  All he needs is the IP to your router.  NAT will
>> nicely forward his packets along to whichever internal computer handles
>> the port.  With that one address, he can scan your entire network for
>> any services available to the Internet.
> To some degree, at least if the attacker breaks into the firewall.
>
> But to use this approach without breaking into the firewall you would
> need to forge network packets pretty well to be able to trick a firewall
> to pass on packets from the outside to the inside, especially on
> stateful packet inspection, where the firewall would know if the
> connection is initiated from the inside or outside, and to which inside
> client the connection belongs to.

I wasn't referring to breaking into the firewall or forging packets.  I
was just referring to using the normal operation of the NAT to forward
(for example) an SSH attack to the computer on the network that accepts
SSH connections.

Stateful packet inspection works the same way regardless of whether or
not you have NAT or IPv6, so it is mostly irrelevant to this discussion.

-- 
Bowie


Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-12-07 Thread Daniel J Walsh
On 12/07/2010 12:46 PM, m.r...@5-cent.us wrote:
> Daniel J Walsh wrote:
>> On 12/07/2010 11:59 AM, Benjamin Franz wrote:
>>> On 12/07/2010 08:12 AM, Daniel J Walsh wrote:
>>>>
>>>> Yes SELinux and all MAC systems require that if the administrator puts
>>>> files in non default directories, then they have to be told.
>>>> In the case of SELinux, this involves correcting the labeling.  DAC has
> 
>>>> I wrote this paper to try to explain what SELinux tends to complain
>>>> about.
>>>>
>>>> http://people.fedoraproject.org/~dwalsh/SELinux/Presentations/selinux_four_things.pdf
>>>
>>> The fact remains that as the old saw goes: Make it hard enough to do
>>> something and people will quit doing it.
>>>
>>> SELinux remains *hard* for most non-default users. As the lead SE
> 
>>> I have 15 years experience running Linux servers. And I find SELinux
> 
> Ditto, and that's also Solaris and Tru64.
> 
>>> damn annoying. I can work with it at need - but I'm generally pissed off
>>> when I find 'yet another SELinux issue'. My boss, who is the fallback
>>> admin here, would find it utterly opaque. He would have no idea where to
>>> even start looking for an SELinux issue.
> 
> Yup.
> 
>> I am not arguing that SELinux is easy, I am arguing that it is not
>> rocket science.  I have worked for several years to try to make
> 
> If rocket science means very difficult and obscure, yes, it is.
> 
>> SELinux easier to use, while making it more comprehensive and adding
>> tools like svirt and sandbox to give administrators more tools to secure
>> their systems.  We have fixed thousands of bugs in policy and
>> applications that were acting badly, so I have seen the problems people
>> have had with SELinux, I am encouraged by the number of people who have
>> worked with SELinux and continue to leave SELinux enabled by default.
>> But I understand why SELinux is disabled on some machines.
> 
> What have you done for folks who have third-party software, either F/OSS
> or COTS, or in-house developed stuff, *none* of which was written with
> selinux in mind, and is *not* going to be rewritten any time soon? You've
> seen me on the selinux list, and I have yet to figure out why I see the
> complaints about contexts, since they *appear* to be temp files, and I
> don't know where they're located, or where the CGI scripts that create
> them are, and *all* of it's got the added complexity that some of that is
> on NFS-mounted directories.
> 
>  mark
> 

We have attempted to work with them, setup default labeling for them
when we know about the problems, embarrass them when they say you need
to disable SELinux.  Red Hat is working on new developer tools to help
third party developers work on RHEL systems.   I am not sure what else I
can do to get them to work with the security systems in place on RHEL.




Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread John R Pierce

> In your opinion.  Others hold a different opinion.  While security through 
> obscurity doesn't help in many circumstances, there are physical security 
> controls that absolutely depend upon it, and work.  Physical lock and key, 
> for one (the pinning must be kept obscure).  Physical combination locks, for 
> another; they depend upon keeping the gates in the wheels obscure.  For that 
> matter, any security that depends on any 'secret' is in essence a security 
> through obscurity technique.  Port knocking is a security through obscurity 
> technique (which works quite well).

you're talking about hiding the lock itself in a Chinese puzzle box, not 
hiding the tumblers inside the lock.




Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-12-07 Thread m . roth
Daniel J Walsh wrote:
> On 12/07/2010 12:46 PM, m.r...@5-cent.us wrote:
>> Daniel J Walsh wrote:
>>> On 12/07/2010 11:59 AM, Benjamin Franz wrote:
>>>> On 12/07/2010 08:12 AM, Daniel J Walsh wrote:
>>>>
>> What have you done for folks who have third-party software, either F/OSS
>> or COTS, or in-house developed stuff, *none* of which was written with
>> selinux in mind, and is *not* going to be rewritten any time soon?
>> You've seen me on the selinux list, and I have yet to figure out why I
>> see the complaints about contexts, since they *appear* to be temp files,
>> and I don't know where they're located, or where the CGI scripts that
>> create them are, and *all* of it's got the added complexity that some of
>> that is on NFS-mounted directories.
>
> We have attempted to work with them, setup default labeling for them
> when we know about the problems, embarrass them when they say you need
> to disable SELInux.  Red Hat is working on new developer tools to help
> third party developers work on RHEL systems.   I am not sure what else I
> can do to get them to work with the security systems in place on RHEL.

Ok, it's good to know you are thinking about that. How 'bout a tool: point
it at a directory, and it reports only the files/directories that are
default, or break policy, or that *might* suggest where there's a problem
(scripts in this directory will write default_t if they run anywhere but
/here/only/, etc.)?

mark



Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread Les Mikesell
On 12/7/10 11:10 AM, Bowie Bailey wrote:

>> I have a route to his dsl router, which, assuming that the ipv4 and
>> ipv6 firewalls are as good at allowing/disallowing access, makes his
>> current ipv4 and his future ipv6 addresses equally accessible.
>
> I've been following the NAT debate here and something occurred to me.
>
> If you have an IPv4 network with NAT, an attacker doesn't need to know
> your internal IPs.  All he needs is the IP to your router.  NAT will
> nicely forward his packets along to whichever internal computer handles
> the port.

What port/computer would that be?  Most consumer routers default to not 
forwarding anything that is not related to prior outbound activity.

-- 
   Les Mikesell
lesmikes...@gmail.com




Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread David Sommerseth
On 07/12/10 18:52, Bowie Bailey wrote:
> On 12/7/2010 12:43 PM, David Sommerseth wrote:
>> On 07/12/10 18:10, Bowie Bailey wrote:
>>> On 12/7/2010 11:36 AM, Tom H wrote:
>>>> I have a route to his dsl router, which, assuming that the ipv4 and
>>>> ipv6 firewalls are as good at allowing/disallowing access, makes his
>>>> current ipv4 and his future ipv6 addresses equally accessible.
>>> I've been following the NAT debate here and something occurred to me.
>>>
>>> If you have an IPv4 network with NAT, an attacker doesn't need to know
>>> your internal IPs.  All he needs is the IP to your router.  NAT will
>>> nicely forward his packets along to whichever internal computer handles
>>> the port.  With that one address, he can scan your entire network for
>>> any services available to the Internet.
>> To some degree, at least if the attacker breaks into the firewall.
>>
>> But to use this approach without breaking into the firewall you would
>> need to forge network packets pretty well to be able to trick a firewall
>> to pass on packets from the outside to the inside, especially on
>> stateful packet inspection, where the firewall would know if the
>> connection is initiated from the inside or outside, and to which inside
>> client the connection belongs to.
> 
> I wasn't referring to breaking into the firewall or forging packets.  I
> was just referring to using the normal operation of the NAT to forward
> (for example) an SSH attack to the computer on the network that accepts
> SSH connections.

Ahh, well, yeah. With NAT, you will expose your single public IP address
no matter what, providing a good surface for starting an attack
immediately, no matter who is doing what on the inside.  Your public IP
address will be available in all kinds of logs and mail headers - and
with more users on the inside using the Internet, the more likely it is
that someone will find your address interesting.

But that won't be much different with IPv6, except that you spread
the attack surface over multiple IP addresses in a huge address scope.
But then by using the IPv6 Privacy Extensions, it will be more like
shooting at a moving target.  The public IP address being used today
might not be the same which was used yesterday, or even some hours ago.

However, if someone uses a public IPv6 address for SSH from the outside
world, that IPv6 address will need to be static and "known".  And a
static IPv6 address is still just as vulnerable to an attack as any
public IPv4 address.   But finding this IP address will be much more
difficult due to the huge address scope, unless there's a DNS
pointer to it from www.my-own-cool-site.com.

> Stateful packet inspection works the same way regardless of whether or
> not you have NAT or IPv6, so it is mostly irrelevant to this discussion.

Absolutely true.


kind regards,

David Sommerseth



Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-12-07 Thread Les Mikesell
On 12/7/10 11:53 AM, Daniel J Walsh wrote:
>
> We have attempted to work with them, setup default labeling for them
> when we know about the problems, embarrass them when they say you need
> to disable SELInux.  Red Hat is working on new developer tools to help
> third party developers work on RHEL systems.   I am not sure what else I
> can do to get them to work with the security systems in place on RHEL.

Ummm, get a standards body to ratify it...

-- 
   Les Mikesell
lesmikes...@gmail.com



[CentOS] display issue after installing centos 5.5 on hp probook 4420s

2010-12-07 Thread Agnello George
HI

I was just assigned a laptop with a pre-installed Windows 7 on it. I decided to
dual boot this server with CentOS 5.5; I did a "linux text" at the boot
prompt as anaconda was not able to display the graphics screen (it was
barely visible). The installation went perfectly, but when I start X
Windows ("startx") or init 3, I can barely see the display. I don't know where
the issue lies or what module I need to load. The display is barely
visible.

Thanks for all the help !!

-- 
Regards
Agnello D'souza


Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-12-07 Thread Paul Heinlein
On Tue, 7 Dec 2010, m.r...@5-cent.us wrote:

>> I am not arguing that SELinux is easy, I am arguing that it is not 
>> rocket science.  I have worked for a several years to try to make
>
> If rocket science means very difficult and obscure, yes, it is.

I've got to cry "foul" here. "Difficult and obscure" can be applied to 
just about any *nix command-line utility (or Windows registry hack, or 
Mac OpenDirectory tweak, ...).

I don't consider SELinux any more difficult to understand and manage 
than other Linux security-related controls like iptables or extended 
ACLs. That isn't to say that my mother-in-law would take to it, but 
I'd expect any sysadmin on my IT staff to be able to learn it.

In that sense, it's certainly not rocket science.

Daniel's other point concerns increased usability.

I've been using SELinux for a while now -- not always successfully, 
and I certainly do NOT consider myself an expert -- and it's quite 
apparent to me that the folks at Red Hat have unquestionably made it 
easier to use over that time.

It's apparently quite difficult to write policies for some 
applications (*cough* Nagios) that want to do a ton of things -- and 
third-party or in-house apps have a different set of challenges -- but 
I can't imagine anyone claiming that there hasn't been marked progress 
in SELinux usability over the CentOS 4 -> 5 life cycles.

-- 
Paul Heinlein <> heinl...@madboa.com <> http://www.madboa.com/


Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread Ben McGinnes
On 7/12/10 8:33 PM, Christopher Chan wrote:
> 
> Ah, I must pity you who have to live with what you've got in the United 
> States being under the rule of these tyrants. You guys probably can only 
> dream of getting a 100MB fibre connection for 13USD/mnth or a 1GB fibre 
> connection for 30 or so USD/mnth. I hesitate to keep the chaps in 
> Australia on the list to be pitied now that Telstra is being dismantled.

It's okay, soon we'll have a new monopoly to whinge about: NBN Co.  ;)

The real problem here is the quotas on broadband connections, although
that is in part due to the cost of hauling almost all the data
half-way around the globe.

The even more horrendous problem, which is so pervasive it affects
everyone, is the insistence on asymmetric connections.  Even when
Australia does get this fabled fibre-to-the-home, it still won't be
symmetric.  *sigh*


Regards,
Ben





Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-12-07 Thread Daniel J Walsh
On 12/07/2010 01:13 PM, m.r...@5-cent.us wrote:
> Daniel J Walsh wrote:
>> On 12/07/2010 12:46 PM, m.r...@5-cent.us wrote:
>>> Daniel J Walsh wrote:
>>>> On 12/07/2010 11:59 AM, Benjamin Franz wrote:
>>>>> On 12/07/2010 08:12 AM, Daniel J Walsh wrote:
>>>>>
>>> What have you done for folks who have third-party software, either F/OSS
>>> or COTS, or in-house developed stuff, *none* of which was written with
>>> selinux in mind, and is *not* going to be rewritten any time soon?
>>> You've seen me on the selinux list, and I have yet to figure out why I
>>> see the complaints about contexts, since they *appear* to be temp files,
>>> and I don't know where they're located, or where the CGI scripts that
>>> create them are, and *all* of it's got the added complexity that some of
>>> that is on NFS-mounted directories.
>>
>> We have attempted to work with them, setup default labeling for them
>> when we know about the problems, embarrass them when they say you need
>> to disable SELInux.  Red Hat is working on new developer tools to help
>> third party developers work on RHEL systems.   I am not sure what else I
>> can do to get them to work with the security systems in place on RHEL.
> 
> Ok, it's good to know you are thinking about that. How 'bout a tool: point
> it at a directory, and it reports only the files/directories that are
> default, or break policy, or that *might* suggest where there's a problem
> (scripts in this directory will write default_t if they run anywhere but
> /here/only/, etc.)?
> 
> mark
> 
I think you would need to further explain.  We can tell you what
file/directory is mislabeled

# restorecon -R -n -v PATH

We can tell which types have access to which types

sesearch -A -s httpd_t -t default_t

Are you looking for something like

What access does /usr/bin/httpd have to /myweb/html?
What types does /usr/bin/httpd have write access to?

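Mark's request a few messages up (a tool you point at a directory that reports only the files labelled default_t or otherwise out of step with policy) can be built from the two commands Dan lists. The script below is an added example for this page, not a Red Hat, Fedora or CentOS tool and not Dan's code: it runs the dry-run restorecon over a directory, groups what would be relabelled by the type the files carry now, and separately walks the tree for files whose xattr label is one of the "no rule matched" types, which a dry-run restorecon does not mention when no file_contexts entry matches the directory. The two restorecon output formats it parses, the set of orphan types, the script name and the sample paths are assumptions.

```python
#!/usr/bin/env python3
"""Point this at a directory and it reports (a) every file restorecon would
relabel, grouped by the type the file carries now, and (b) files whose type
is one no policy rule ever grants access to (default_t and friends), which a
dry-run restorecon says nothing about when no file_contexts entry matches.
Usage: python3 selinux_dircheck.py /myweb"""
import os
import re
import subprocess
import sys
from collections import defaultdict

# Dry-run restorecon output comes in two shapes (assumed; depends on the
# restorecon build, neither was checked against every release):
#   restorecon reset /p context u:r:t:s0->u:r:t:s0     (policycoreutils restorecon)
#   Would relabel /p from u:r:t:s0 to u:r:t:s0         (libselinux restorecon)
_FORMATS = (
    re.compile(r"^restorecon reset (?P<path>.+?) context (?P<cur>\S+)->(?P<new>\S+)$"),
    re.compile(r"^Would relabel (?P<path>.+?) from (?P<cur>\S+) to (?P<new>\S+)$"),
)
# Types meaning "no file_contexts rule matched": no confined domain can use them.
ORPHAN_TYPES = {"default_t", "unlabeled_t", "file_t"}


def type_of(context):
    """'user:role:type[:level]' -> 'type', the only field access decisions use."""
    fields = context.split(":")
    return fields[2] if len(fields) >= 3 else context


def parse_restorecon(lines):
    """Dry-run restorecon output -> [(path, current_type, expected_type), ...]."""
    findings = []
    for line in lines:
        line = line.rstrip("\n")
        for fmt in _FORMATS:
            m = fmt.match(line)
            if m:
                findings.append((m.group("path"), type_of(m.group("cur")),
                                 type_of(m.group("new"))))
                break
    return findings


def by_current_type(findings):
    """Group by the wrong type so one bad cp/mv shows up as one bucket, not 500 lines."""
    groups = defaultdict(list)
    for path, cur, new in findings:
        groups[cur].append((path, new))
    return dict(groups)


def xattr_type(path):
    """Type from the on-disk security.selinux xattr; None if it cannot be read."""
    try:
        raw = os.getxattr(path, "security.selinux", follow_symlinks=False)
    except OSError:
        return None
    return type_of(raw.decode(errors="replace").rstrip("\x00"))


def orphan_files(paths, get_type=xattr_type):
    """Paths whose current type is an orphan type. restorecon cannot fix these
    until a file context rule (semanage fcontext) exists for the directory."""
    return [p for p in paths if get_type(p) in ORPHAN_TYPES]


def walk(root):
    """Every directory and file below root (symlinks are reported, not followed)."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            yield os.path.join(dirpath, name)


def main(root):
    try:
        proc = subprocess.run(["restorecon", "-nRv", root],
                              capture_output=True, text=True, check=False)
    except FileNotFoundError:
        sys.exit("restorecon not found; is policycoreutils installed?")
    groups = by_current_type(parse_restorecon(proc.stdout.splitlines()))
    for cur, items in sorted(groups.items()):
        print(f"{len(items)} path(s) labelled {cur} that restorecon would relabel:")
        for path, new in items:
            print(f"  {path} -> {new}")
    for path in orphan_files(walk(root)):
        print(f"orphan label, no file context rule matches: {path}")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else ".")
```

Files that appear only in the orphan list are the ones mark describes: policy has no opinion about /myweb, so restorecon leaves default_t in place. They need a file context rule first, e.g. `semanage fcontext -a -t httpd_sys_rw_content_t '/myweb/tmp(/.*)?'`, after which `restorecon -Rv /myweb` does the relabelling. On an NFS mount without labelled NFS every file carries the single mount label (nfs_t, or whatever context= was given at mount time), so the per-file checks tell you nothing there; the mount options are the place to look.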


Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread Bowie Bailey
On 12/7/2010 1:13 PM, Les Mikesell wrote:
> On 12/7/10 11:10 AM, Bowie Bailey wrote:
>
>>> I have a route to his dsl router, which, assuming that the ipv4 and
>>> ipv6 firewalls are as good at allowing/disallowing access, makes his
>>> current ipv4 and his future ipv6 addresses equally accessible.
>> I've been following the NAT debate here and something occurred to me.
>>
>> If you have an IPv4 network with NAT, an attacker doesn't need to know
>> your internal IPs.  All he needs is the IP to your router.  NAT will
>> nicely forward his packets along to whichever internal computer handles
>> the port.
> What port/computer would that be?  Most consumer routers default to not 
> forwarding anything that is not related to prior outbound activity.

And is there any reason to believe that a consumer IPv6 router would
default any differently?  If nothing is being allowed through, there's
not much to be concerned about in either case.  Outside attacks are only
possible if the router/firewall allows the packets through.  I was
referring to a case where there are computers on the inside doing HTTP,
SSH, VPN, SMTP, etc.

If we are talking about a true consumer where there are no services on
the inside, then what does it matter whether the network is presented as
a NAT or a collection of different IP addresses?  If the firewall does
not allow any connections from the outside, who cares whether an
attacker knows your IP?

-- 
Bowie


Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread Ben McGinnes
On 8/12/10 4:12 AM, David Sommerseth wrote:
> On 07/12/10 16:49, Bob McConnell wrote:
>>
>> No, it is not FUD, it is a real concern by people with much to lose. 
>> Those of you evangelizing this new, and still unproven technology can't 
>> seem to recognize this simple fact.
> 
> This is FUD. 

Agreed, but I'm not adding more to the pro-IPv6 chorus, because it's
already being covered very well, both here and on NANOG (and
ipv6-ops).

> And due to the enormous address space IPv6 gives each single site,
> doing a brute-force attack against more IP addresses will be a
> never-ending story.  Try to double 4.294.967.296 32 times, and
> you'll have the number of addresses available *only to you* in *one*
> /64 subnet.

Anyone wanting a nice clear explanation of the numbers of IPv6 address
space:

http://www.ripe.net/info/info-services/addressing.html

> If you then even introduce IPv6 Privacy Extensions, which will
> randomise and change the IPv6 address regularly, an attacker will
> shoot at a moving target.  Then put this "moving target" behind a
> firewall which doesn't provide access from the outside to the inside
> (only from inside to outside), and the attacker will not know if he
> hits or not.

This coupled with stateful firewalling should cover everyone's needs.

No doubt there will still be people like Bob who will remain
unconvinced until everyone around them becomes the proof.  If they
really want to deliberately break things to retain their NAT-like
world, they can configure a single box with 6to4 and 4to6, give it a
/128 and then run their existing v4 NAT space behind that.  They'll
get very little sympathy when it breaks other things, though.


Regards,
Ben





Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread Lamar Owen
On Tuesday, December 07, 2010 12:26:30 pm David Sommerseth wrote:
> You mean something along the way ... "Oh, this Bob uses 172.16.10.72 ...
> let's run some traceroutes towards his gateway.  That could be
> 64.57.176.18, right?   Then we can just setup a direct route from us to
> his 172.16.10.0/24 network.  Wait! Lets add 172.16.0.0/12, just to be
> sure we hit the right path"

And if his or your or any ISP between you and him implements BCP38 properly the 
packets with a destination of the RFC1918 address will be blackholed and will 
never get there, even if you put a static source route to them.  You don't have 
a direct path to his router, at least not for routing purposes, since your 
packets are going to be inspected and routed by routers in between.  It does 
depend on some best current practices being implemented, though.  Like RFC1918 
bogon filtering at the AS boundary as part of the BGP session between AS 
routers.  And unless you are operating your own BGP border (I am at one site), 
you can't influence the AS path the packet will follow on the DFZ.

The basis for 'NAT security' is relying on the best practice of blackholing 
RFC1918 addresses on the DFZ router mesh. Not all AS's implement the policy 
properly, but enough do that trying to route (using essentially source routing) 
to an RFC1918 address will fail when it hits the DFZ, and virtually all 
inter-AS packets hit the DFZ at some point.  Source routing is blocked by most 
AS borders, so you can't 'hint' the routers in between that you have to pass 
traffic to 172.16.0.0/12 through that particular router; the DFZ is going to 
tell your hint to shove it.  But it does depend on the specific policies of 
each AS between you and the RFC1918-using target. 

The security for RFC1918, or for IPv6 ULA RFC4193 addresses relies not on NAT 
per se, but on the basic non-global-routability of the addresses in question on 
the default-free-zone.  NAT just allows you to use non-globally-routable 
addresses by translating to globally-routable ones.

About the only thing you could really do to gain direct access to his 
RFC1918-using network behind the NAT is to compromise his router and set up GRE 
(or similar) tunnels into it.

Further, what's to say his MUA isn't set to poison the mail headers this 
172.16.0.0/12 address came from?  That's relying on the mail headers; if I 
were to ssh to your server from behind a NAT I challenge you to determine the 
RFC1918 address I'm using.


Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread Lamar Owen
On Tuesday, December 07, 2010 12:39:28 pm Les Mikesell wrote:
> > How many devices?  You mean exceeding the number of available inside a
> > IPv6 subnet?  I do hope you're kidding ... as for a /64 subnet we're
> > talking about 4.294.967.296 addresses doubled 32 times.
> 
> Is that what people will automatically get in a home ISP connection?

Abbreviations: PI = Provider Independent, PA = Provider Assigned, RIR = 
Regional Internet Registry, ARIN = American Registry of Internet Numbers, BGP = 
Border Gateway Protocol, AS = Autonomous System (the routing 'atom' at the BGP 
level), ASN = Autonomous System Number.

It will depend upon your provider if you get PA addresses; if you go straight 
to the RIR (ARIN for North America) and pay to get PI addresses you will get by 
default a /48; but then you have to get your provider to agree to advertise 
that /48 over BGP.  The IPv6 table has the potential to be vastly larger than 
the IPv4 table (the number of /48's in IPv6 is 65,536 times the total addresses 
in IPv4!)  One hopes providers will intelligently aggregate; until there is 
sane multihoming for enterprise endusers good aggregation is going to be 
elusive, since multihomed sites are going to desire PI space, which will 
fragment the routing tables.  IPv6 routing tables do require larger entries 
thanks to the four times larger address, after all, and with 32 bit ASN's the 
AS path for that table entry also doubles in size.

Having said that, most providers probably will give you one of a /48, /56, or 
/64.  There are plenty of addresses available, but if you ever have to renumber 
(like when changing providers) you'll want PI, or ULA with NAT66 to PA.
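David's "moving target" argument (IPv6 Privacy Extensions) and Lamar's point that ULA addresses from RFC 4193 are the IPv6 counterpart of RFC 1918 space both rest on hash-based address derivation. The block below is an added example for this page, not code from any poster, the kernel or a CentOS tool: it reimplements from the RFC text RFC 4193 section 3.2.2 (a pseudo-random /48 ULA prefix: SHA-1 over a 64-bit NTP timestamp and an EUI-64, low 40 bits as the Global ID under fd00::/8) and RFC 4941 section 3.2.1 (temporary interface identifiers: MD5 over a history value and the stable identifier, left half with the u/l bit cleared, right half carried forward as the next history value). The MAC address and the 2001:db8:1:2::/64 prefix are constructed documentation values. A running host does all of this in the kernel; on CentOS the sysctl net.ipv6.conf.<interface>.use_tempaddr switches the RFC 4941 part on.

```python
#!/usr/bin/env python3
"""RFC 4193 s.3.2.2 (pseudo-random ULA /48 prefix) and RFC 4941 s.3.2.1
(temporary interface identifiers), reimplemented from the RFC text to show
why neither a site's ULA prefix nor a privacy address is guessable.
A real host's kernel does both; this is illustration only."""
import hashlib
import ipaddress
import secrets
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01


def eui64_from_mac(mac):
    """RFC 4291 App. A: 48-bit MAC -> 64-bit IID (insert ff:fe, flip the u/l bit)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02  # universal/local bit inverted per RFC 4291
    return bytes(iid)


def ntp_timestamp(unix_time=None):
    """64-bit NTP format: seconds since 1900 in the high 32 bits, fraction in the low 32."""
    t = (time.time() if unix_time is None else unix_time) + NTP_EPOCH_OFFSET
    secs = int(t)
    frac = int((t - secs) * (1 << 32)) & 0xFFFFFFFF
    return (secs << 32) | frac


def ula_prefix(eui64, ntp_time):
    """RFC 4193 s.3.2.2: SHA-1(NTP time || EUI-64); the least significant 40 bits are
    the Global ID, placed under fc00::/7 with the L bit set (fd00::/8) -> a /48."""
    digest = hashlib.sha1(ntp_time.to_bytes(8, "big") + eui64).digest()
    global_id = int.from_bytes(digest[-5:], "big")  # low 40 bits of the hash
    prefix = (0xFD << 120) | (global_id << 80)      # fd + 40-bit Global ID + zero subnet/host
    return ipaddress.IPv6Network((prefix, 48))


def temporary_iid(history, stable_iid):
    """RFC 4941 s.3.2.1: MD5(history || stable IID). Left 64 bits with the u/l bit
    cleared become the temporary IID; right 64 bits are the next history value.
    (The RFC's comparison against reserved IIDs is omitted here.)"""
    digest = hashlib.md5(history + stable_iid).digest()
    iid = bytearray(digest[:8])
    iid[0] &= 0xFD  # clear bit 6, the u/l bit: identifier is locally generated
    return bytes(iid), digest[8:]


def temporary_address(prefix64, iid):
    """Combine a /64 prefix with an 8-byte interface identifier."""
    net = ipaddress.IPv6Network(prefix64)
    if net.prefixlen != 64:
        raise ValueError("temporary addresses are formed inside a /64")
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


if __name__ == "__main__":
    mac = "00:1b:21:3c:4d:5e"  # constructed example MAC, not a real host
    eui = eui64_from_mac(mac)
    site = ula_prefix(eui, ntp_timestamp())
    print("site ULA prefix:", site, "containing", 2 ** (64 - site.prefixlen), "/64 subnets")
    history = secrets.token_bytes(8)  # a host seeds this once and keeps it across reboots
    for day in range(3):  # three regenerations, as a host would do over successive days
        iid, history = temporary_iid(history, eui)
        print(f"temporary address, day {day}:", temporary_address("2001:db8:1:2::/64", iid))
```

The 40-bit Global ID is what lets two sites that both chose ULA space be joined over a VPN or merged without the renumbering that colliding RFC 1918 ranges force, which is the property Lamar's "ULA with NAT66 to PA" suggestion relies on; the 64-bit temporary identifier, regenerated daily, is why scanning a /64 for a client is not a useful attack, as the thread says. Neither replaces the stateful firewall: a static address published in DNS, as David notes, is found by reading DNS, not by scanning.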


Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread Lamar Owen
On Tuesday, December 07, 2010 03:31:15 pm Lamar Owen wrote:
> It will depend upon your provider if you get PA addresses;
Minor edit: 'The prefix size of your address block will depend upon your 
provider, if you get PA addresses by default from your provider;'

Sorry for the error.


Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread John R. Dennison
On Tue, Dec 07, 2010 at 11:51:16AM -0500, Brunner, Brian T. wrote:
> 
> LOL twice, I'll top-post!  (I hate M$ Office, but I'm stuck with it)

Really?  In blatant disregard for the published guidelines for
use on this and other centos.org mailing lists?  How very
sporting of you.

http://www.centos.org/modules/tinycontent/index.php?id=16



John
-- 
Normal is getting dressed in clothes that you buy for work and driving
through traffic in a car that you are still paying for -- in order to get
to the job you need to pay for the clothes and the car, and the house you
leave vacant all day so you can afford to live in it.

-- Ellen Goodman (1941-), American journalist and
   Pulitzer Prize-winning syndicated columnist







Re: [CentOS] display issue after installing centos 5.5 on hp probook 4420s

2010-12-07 Thread Keith Roberts
On Wed, 8 Dec 2010, Agnello George wrote:

> To: CentOS mailing list 
> From: Agnello George 
> Subject: [CentOS] display issue after installing centos 5.5 on hp probook
> 4420s
> 
> HI
>
> I was just assigned a laptop with a pre-installed Windows 7 on it. I decided to
> dual boot this server with CentOS 5.5; I did a "linux text" at the boot
> prompt as anaconda was not able to display the graphics screen (it was
> barely visible). The installation went perfectly, but when I start X
> Windows ("startx") or init 3, I can barely see the display. I don't know where
> the issue lies or what module I need to load. The display is barely
> visible.
>
> Thanks for all the help !!

Are you running on the mains charger?

Is there some sort of key configuration on your laptop to 
adjust the brightness of the display?

Kind Regards,

Keith

-- 
In theory, theory and practice are the same;
in practice they are not.

This email was sent from my laptop with Centos 5.5


Re: [CentOS] LVM change disk

2010-12-07 Thread muhammad panji
On Mon, Dec 6, 2010 at 9:23 PM, Adam Tauno Williams wrote:
> On Sat, 2010-12-04 at 10:29 -0800, John R Pierce wrote:
>> On 12/03/10 10:47 PM, muhammad panji wrote:
>> > Dear all,
>> > I have a 4,1TB Logical volume consist of four disks with size of 2TB,
>> > 1TB, 1TB, and 500GB. The LV currently full. I plan to change the 1Tb
>> > disks and 500Gb disks. I plan to remove one 1TB disk or the 500GB so
>> > that I can replace it with 2TB disk. most LVM tutorial ask to use
>> > pvmove to move physical extents to the new disk. The problem is that I
>> > have no SATA port left so that I can't move PE to the new disk. How to
>> > migrate the data safely so that I can replace the disk? Thank you in
>> > advance
>
> Attach the drive to the system using a USB caddy.
> Do the the pvmove
> Remove the old physical volume from the volume group
> Shutdown
> Remove the drive from the caddy
> Install the drive into the system in place of the old drive.
> Boot.
Hi all,
Thanks for the reply. I know I didn't plan well when I set it up the
first time; even the PE size is 128MB, so that I can only have an 8TB
LV.

I have moved around 1,3TB of data to other computers. Is it safe to
resize the LV filesystem and then resize the volume group so that I
can remove one of the disks? I plan to do it more or less like this tutorial:
http://www.tcpdump.com/kb/os/linux/lvm-resizing-guide/shrink.html

After removing the disk, I can attach the new disks, add it to the VG
and then resize the LV and the filesystem.

Second alternative is to buy and use SATA-to-USB cable and do pvmove etc

The third is, I have similar machine that will be used to hold the
removed disk from the first machine. At the end the first machine will
have 4x 2Tb disks and the second machine will have 2x1Tb disks + 500Gb
disk. So I will attach the new disks to the second machine, move all
the data from the first machine, and remove the 2Tb disk from the
first machine and attach it to the second machine.

Any Suggestion which one is the best way to do this? Thank you in advance
regards,





-- 
-
Muhammad Panji
http://www.panji.web.id                         http://www.kurungsiku.com
http://sumodirjo.wordpress.com          http://www.kurungsiku.web.id

http://www.linuxbox.web.id


Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-12-07 Thread Rob Kampen

Daniel J Walsh wrote:
> I wrote this paper to try to explain what SELinux tends to complain about.
>
> http://people.fedoraproject.org/~dwalsh/SELinux/Presentations/selinux_four_things.pdf

I am having difficulty with the pdf file - both adobe and kpdf have 
problems with the pages with screen shots - any chance of a fix?

Paper is well written and sheds light on the SELinux methodology.
TIA - Rob



Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-12-07 Thread Les Mikesell
On 12/7/10 1:45 PM, Marko Vojinovic wrote:
>
> And it isn't really rocket science. It's just an extension to the existing
> classical permissions system --- it works in analogous way, just with greater
> flexibility and power. If you know how to understand and use file permissions,
> you will easily grasp all about SELinux.

No, it doesn't have much in common with the standard uid/gid based
permissioning system.

> 5) disable SELinux and be ignorant about security.
>
> If you choose 5), feel free to also disable iptables, log in as root all the
> time, and make sure that the root password is clearly visible on the company
> website. Why bother with all that stuff, anyway? ;-)

I think you've missed the point that 'all that stuff' (being traditional unix
security mechanisms) is not all that insecure. It is only when you get them
wrong that you need to fall back on selinux as a safety net. And if you can't
get the simple version right, how can you hope to do it right with something
wildly more complicated?

-- 
   Les Mikesell
lesmikes...@gmail.com


Re: [CentOS] display issue after installing centos 5.5 on hp probook 4420s

2010-12-07 Thread Nico Kadel-Garcia
On Tue, Dec 7, 2010 at 1:34 PM, Agnello George  wrote:
>
>
> Hi
>
> I was just assigned a laptop with a pre-installed Windows 7 on it. I decided to
> dual boot this server with CentOS 5.5. I did a "linux text" at the boot
> prompt as anaconda was not able to display the graphics screen (it was
> barely visible). The installation happened perfectly, but when I start X
> windows ("startx") or init 3, I can barely see the display. I don't know where
> the issue lies, what module do I need to load. The display is barely
> visible.
>
> Thanks for all the help!!

Have you installed, and run "system-config-display"? Unless the
hardware was successfully configured at install time, which it
obviously was not due to the difficulties you had with the graphical
installation, your /etc/X11/xorg.conf or similar configuration files
are not well configured.

Find out the resolution of your laptop display screen, be sure to
select an LCD screen of the matching size, and see how it goes. If
you have an NVidia chipset, you may need to install NVidia's drivers
for best performance, but this should get you started.


Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread Nico Kadel-Garcia
On Tue, Dec 7, 2010 at 10:04 AM, Adam Tauno Williams
 wrote:

> Bogus.  The reason is that they haven't been pressured into adoption by
> higher powers; so we will get into a nice scramble to migrate in a
> pinch.
>
> "most people" have no idea what NAT is, don't care, and shouldn't have
> to care.
>
> Some people's belief that NAT is some magic sauce that makes them more
> secure [it does not] or provides them more flexibility [it does not]
> than real addresses ... causes the people who understand networking to
> have to spend time explaining that their love of NAT is misguided and
> their beliefs about NAT are bogus.

*I'm* a fairly expert network person. (10base2, baby, I remember
crimping those cables!) Forcing people to specifically select the
services they wish to expose, rather than selecting what to cut off in
configuring a typical firewall, is basic policy automatically enforced
by NAT. It's especially helpful to ISP's, who *do not want* to try to
remember all those furshlugginer individual policies and find it far
simpler in routing and firewall terms to force all traffic to the NAT.


Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread Ross Walker
On Dec 7, 2010, at 7:41 PM, Nico Kadel-Garcia  wrote:

> On Tue, Dec 7, 2010 at 10:04 AM, Adam Tauno Williams
>  wrote:
> 
>> Bogus.  The reason is that they haven't been pressured into adoption by
>> higher powers; so we will get into a nice scramble to migrate in a
>> pinch.
>> 
>> "most people" have no idea what NAT is, don't care, and shouldn't have
>> to care.
>> 
>> Some people's belief that NAT is some magic sauce that makes them more
>> secure [it does not] or provides them more flexibility [it does not]
>> than real addresses ... causes the people who understand networking to
>> have to spend time explaining that their love of NAT is misguided and
>> their beliefs about NAT are bogus.
> 
> *I'm* a fairly expert network person. (10base2, baby, I remember
> crimping those cables!) Forcing people to specifically select the
> services they wish to expose, rather than selecting what to cut off in
> configuring a typical firewall, is basic policy automatically enforced
> by NAT. It's especially helpful to ISP's, who *do not want* to try to
> remember all those furshlugginer individual policies and find it far
> simpler in routing and firewall terms to force all traffic to the NAT.

Does this mean I have to type in URLs like:

http://3ffe:1900:4545:3:200:f8ff:fe21:67cf/

I can only imagine phonetically calling these off on a support call, I'd get half
way through it and the other end would tell me to "forget it I'll wait until
DNS is working again".

In fact with DNS problems we'd be pretty much crippled.

I'd use IPv6 if the addresses weren't so hard to remember.

-Ross



Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread Tony Schreiner

> Does this mean I have to type in URLs like:
>
> http://3ffe:1900:4545:3:200:f8ff:fe21:67cf/
>
> I can only imagine phonetically calling these off on a support call, I'd get
> half way through it and the other end would tell me to "forget it I'll wait
> until DNS is working again".
>
> In fact with DNS problems we'd be pretty much crippled.
>
> I'd use IPv6 if the addresses weren't so hard to remember.
>
> -Ross
>

Well in fact I don't think that will even work with the present URL
rules. Just on a lark I clicked on your string, and my firefox
interpreted it as http://3ffe:1900. Unless there's a special http
protocol string for ipv6?

Tony


Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread Adam Tauno Williams
On Tue, 2010-12-07 at 20:37 -0500, Ross Walker wrote: 
> On Dec 7, 2010, at 7:41 PM, Nico Kadel-Garcia  wrote:
> 
> > On Tue, Dec 7, 2010 at 10:04 AM, Adam Tauno Williams
> >  wrote:
> > 
> >> Bogus.  The reason is that they haven't been pressured into adoption by
> >> higher powers; so we will get into a nice scramble to migrate in a
> >> pinch.
> >> 
> >> "most people" have no idea what NAT is, don't care, and shouldn't have
> >> to care.
> >> 
> >> Some people's belief that NAT is some magic sauce that makes them more
> >> secure [it does not] or provides them more flexibility [it does not]
> >> than real addresses ... causes the people who understand networking to
> >> have to spend time explaining that their love of NAT is misguided and
> >> their beliefs about NAT are bogus.
> > 
> > *I'm* a fairly expert network person. (10base2, baby, I remember
> > crimping those cables!) Forcing people to specifically select the
> > services they wish to expose, rather than selecting what to cut off in
> > configuring a typical firewall, is basic policy automatically enforced
> > by NAT. It's especially helpful to ISP's, who *do not want* to try to
> > remember all those furshlugginer individual policies and find it far
> > simpler in routing and firewall terms to force all traffic to the NAT.
> Does this mean I have to type in URLs like:
> http://3ffe:1900:4545:3:200:f8ff:fe21:67cf/

Correct syntax for that is

http://[3ffe:1900:4545:3:200:f8ff:fe21:67cf]/

If you want to specify the port, it goes outside the brackets:

http://[3ffe:1900:4545:3:200:f8ff:fe21:67cf]:8080/

> I can only imagine phonetically calling these off on a support call, I'd
> get half way through it and the other end would tell me to "forget it
> I'll wait until DNS is working again".

You aren't crippled currently when DNS doesn't work?  Because e-mail,
Active Directory / Kerberos, and numerous other services just-don't-work
without functioning DNS anyway.  I'd say the network-minus-DNS is pretty
much irrelevant in the real world.

> In fact with DNS problems we'd be pretty much crippled.
> I'd use IPv6 if the addresses weren't so hard to remember.
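What Tony's browser did with the unbracketed string, and why the bracket syntax Adam gives is mandatory, can be shown with Python's standard library. This is an added example, not code from the thread: the functions are hypothetical, and the address from the thread (3ffe:1900:4545:3:200:f8ff:fe21:67cf) is reused purely as sample data. The same first-colon mis-split happens in any allowlist, log filter or proxy rule that parses `host:port` by hand, so validating IPv6 literals with `ipaddress` and emitting them bracketed is the defensive habit the thread is circling around.

```python
"""Building and parsing URLs whose host is an IPv6 literal (the bracket
syntax of RFC 2732 / RFC 3986).  Added example; function names are
assumptions, and SAMPLE_ADDR is the address quoted in the thread used as
sample data only."""
import ipaddress
from typing import Optional, Tuple
from urllib.parse import urlsplit

SAMPLE_ADDR = "3ffe:1900:4545:3:200:f8ff:fe21:67cf"


def ipv6_url(addr: str, port: Optional[int] = None, path: str = "/",
             scheme: str = "http") -> str:
    """Wrap an IPv6 literal in brackets so ':' before the port is unambiguous."""
    ip = ipaddress.IPv6Address(addr)  # rejects anything that is not IPv6
    host = f"[{ip.compressed}]"       # canonical (zero-compressed) form
    if port is not None:
        if not 0 <= port <= 65535:
            raise ValueError("port out of range")
        host += f":{port}"
    return f"{scheme}://{host}{path}"


def host_and_port(url: str) -> Tuple[Optional[str], Optional[int], bool]:
    """Return (hostname, port, ok).

    ok is False when the authority could not be split sensibly.  For an
    unbracketed IPv6 literal urlsplit takes everything after the first
    colon as the port, which is what the browser in the thread did, and
    the non-numeric remainder then fails to parse as a port number."""
    parts = urlsplit(url)
    try:
        return parts.hostname, parts.port, True
    except ValueError:
        return parts.hostname, None, False


def is_ipv6_host(url: str) -> bool:
    """True only if the URL's host parses as a genuine IPv6 address."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    try:
        return ipaddress.ip_address(host).version == 6
    except ValueError:
        return False


if __name__ == "__main__":
    bad = f"http://{SAMPLE_ADDR}/"          # what was typed in the thread
    good = ipv6_url(SAMPLE_ADDR, 8080)      # bracketed, with a port
    print(bad, "->", host_and_port(bad))    # ('3ffe', None, False)
    print(good, "->", host_and_port(good))  # (full address, 8080, True)
    print(is_ipv6_host(bad), is_ipv6_host(good))
```

`host_and_port` on the unbracketed URL yields host `3ffe` and no usable port, the same truncation Tony observed; the bracketed form round-trips to the full address and port 8080.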



