[CentOS] RedHat 6.5 - ERROR: Your kernel/iptables do not include state match support. No version of Shorewall will run on this system - NEW CRAZY BUG

2014-08-27 Thread News
On 26/02/2013 19.24, News wrote:
 On 25/02/2013 12.28, Simon Matter wrote:
 Hello to the list,
 I updated a RedHat server from 6.3 to 6.4 and installed the latest shorewall
 rpm 4.5.13.0-1.el6; after this shorewall does not start at boot and shows the
 error "ERROR: Your kernel/iptables do not include state match support. No
 version of Shorewall will run on this system". After the boot I can start
 shorewall by hand.

 Could it be a problem with SELinux?

 Simon

 What can I do?
 Thanks to everybody

 Amedeo

 Here from the shorewall newsletter...

 Simon, you're a magician!
 The update changed the SELinux labels of iptables; after resetting them
 everything is OK.
 I think that when people update from CentOS 6.3 to CentOS 6.4 the world
 stops.
 Here are the commands:

 restorecon -Rv /sbin
 restorecon reset /sbin/iptables-multi-1.4.7 context system_u:object_r:bin_t:s0->system_u:object_r:iptables_exec_t:s0
 restorecon reset /sbin/ip6tables-multi-1.4.7 context system_u:object_r:bin_t:s0->system_u:object_r:iptables_exec_t:s0

 Thanks sooo much
 Amedeo

 ___
 CentOS mailing list
 CentOS@centos.org
 http://lists.centos.org/mailman/listinfo/centos

Hello to the list,

I start from here because there is some news; this is the story:

I upgraded one server from CentOS 6.3 to 6.5 and the problem described above
came back, so I used
restorecon -Rv /sbin
but there was no output. This was strange; I rebooted the server and shorewall
would not start again. I tried some hacks but nothing worked.
So I tried changing SELinux to permissive mode and shorewall STARTED!!
I looked at the files:

ls -Z /sbin/ip*

and the surprise

-rwxr-xr-x. root root unconfined_u:object_r:bin_t:s0 /sbin/ip6tables-multi-1.4.7
-rwxr-xr-x. root root unconfined_u:object_r:bin_t:s0 /sbin/iptables-multi-1.4.7

The SELinux label was wrong, so I looked in the
/etc/selinux/targeted/contexts/files/file_contexts file for the label

cat /etc/selinux/targeted/contexts/files/file_contexts | grep ip

and I did not find anything. This was very, very strange, so I opened the
file manually and SURPRISE!! This is what I found:

/sbin/ebtables  --  system_u:object_r:iptables_exec_t:s0
/sbin/ebtables-restore  --  system_u:object_r:iptables_exec_t:s0

Look!! ebtables and not iptables. Running
restorecon -Rv /sbin did not work because the label was wrong.
I found the same problem on a server running RedHat 6.5, but it had not shown
up there because I had upgraded from 6.4 to 6.5.

[FIX]
I relabeled the two files manually with these commands:
chcon -t iptables_exec_t /sbin/iptables-multi-1.4.7
chcon -t iptables_exec_t /sbin/ip6tables-multi-1.4.7
but I hope that /etc/selinux/targeted/contexts/files/file_contexts will be
updated soon.

I hope that this can help someone
Thanks
Amedeo
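
Added example (not part of the original post, and not code from CentOS or Shorewall): the check the message above walks through by hand, comparing a binary's actual SELinux type, the type the file_contexts policy assigns to its path, and the type it needs. The policy text, the /sbin/.* catch-all rule and the iptables regex are constructed assumptions so the script runs without SELinux; the function names are hypothetical.

```shell
#!/bin/bash
# Constructed sample policy. The two ebtables lines are quoted from the post;
# the /sbin/.* catch-all is an assumed default rule, added for illustration.
BROKEN_FC='/sbin/.*  system_u:object_r:bin_t:s0
/sbin/ebtables  --  system_u:object_r:iptables_exec_t:s0
/sbin/ebtables-restore  --  system_u:object_r:iptables_exec_t:s0'
# The same policy plus an assumed iptables rule (regex is hypothetical).
FIXED_FC="$BROKEN_FC
/sbin/ip6?tables-multi.*  --  system_u:object_r:iptables_exec_t:s0"

# ctx_type CONTEXT: print the type field of user:role:type:level.
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# policy_type PATH FILE_CONTEXTS_TEXT: type the policy assigns to PATH.
# Simplification: the last matching regex wins. On a real host,
# matchpathcon PATH gives the authoritative answer.
policy_type() {
    local path regex ftype ctx found
    path=$1; found=none
    while read -r regex ftype ctx; do
        case $regex in ''|'#'*) continue ;; esac
        [ -n "$ctx" ] || ctx=$ftype      # file-type column is optional
        if printf '%s\n' "$path" | grep -Eqx -- "$regex"; then
            found=$(ctx_type "$ctx")
        fi
    done <<EOF
$2
EOF
    printf '%s\n' "$found"
}

# audit PATH ACTUAL_CONTEXT WANTED_TYPE FILE_CONTEXTS_TEXT
audit() {
    local actual policy
    actual=$(ctx_type "$2")
    policy=$(policy_type "$1" "$4")
    if [ "$actual" = "$3" ]; then
        echo "ok"
    elif [ "$policy" = "$3" ]; then
        echo "mislabeled: restorecon will fix"
    else
        # restorecon resets to $policy, so it stays silent here and would
        # undo a chcon on relabel; a local rule added with
        # semanage fcontext -a -t TYPE 'REGEX' makes the label persistent.
        echo "policy-gap: policy says $policy"
    fi
}

audit /sbin/iptables-multi-1.4.7 unconfined_u:object_r:bin_t:s0 iptables_exec_t "$BROKEN_FC"
audit /sbin/iptables-multi-1.4.7 unconfined_u:object_r:bin_t:s0 iptables_exec_t "$FIXED_FC"
```

The first call reproduces the 6.5 situation (restorecon silent, label still bin_t); the second reproduces the 6.4 situation, where restorecon alone was enough.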



[CentOS] RESOLVED: Re: [Shorewall-users] RedHat 6.4 - ERROR: Your kernel/iptables do not include state match support. No version of Shorewall will run on this system

2013-02-26 Thread News
On 25/02/2013 12.28, Simon Matter wrote:
 Hello to the list,
 I updated a RedHat server from 6.3 to 6.4 and installed the latest shorewall
 rpm 4.5.13.0-1.el6; after this shorewall does not start at boot and shows the
 error "ERROR: Your kernel/iptables do not include state match support. No
 version of Shorewall will run on this system". After the boot I can start
 shorewall by hand.

 Could it be a problem with SELinux?

 Simon

 What can I do?
 Thanks to everybody

 Amedeo

Here from the shorewall newsletter...

Simon, you're a magician!
The update changed the SELinux labels of iptables; after resetting them
everything is OK.
I think that when people update from CentOS 6.3 to CentOS 6.4 the world
stops.
Here are the commands:

restorecon -Rv /sbin
restorecon reset /sbin/iptables-multi-1.4.7 context system_u:object_r:bin_t:s0->system_u:object_r:iptables_exec_t:s0
restorecon reset /sbin/ip6tables-multi-1.4.7 context system_u:object_r:bin_t:s0->system_u:object_r:iptables_exec_t:s0

Thanks sooo much
Amedeo



Re: [CentOS] Centos Firewall - router with virtual IP

2011-11-03 Thread News
On 03/11/2011 3.34, Fajar Priyanto wrote:
 Hi all,
 I haven't found anything in Google about this.

 I'm creating a firewall router with Centos with few virtual IP using iptables.

 May I ask for your experience?
 Is there any pitfall or bad side of using virtual IP for this purpose?
 I'm using few virtual IP to accommodate few subnets that go through
 this firewall/router.

 Thank you.
 Fajar.


I use shorewall for this
http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html

Amedeo


Re: [CentOS] OT: headless fanless silent 2 HDs micro server/pc...

2011-08-09 Thread News
On 09/08/2011 16.57, John Doe wrote:
 Hey,

 A bit off topic but I am looking for a micro server/pc if anyone knows a 
 decent one...
 I found many nice NAS but I would like to have full access to the OS (install 
 CentOS, etc).

 Dream one would be

 - Very quiet (fanless) since it will sit in my bedroom.
 - Headless
 - Small.
 - 2/3 HDs (2.5 are ok) for RAID1 (hardware RAID would be nice, and with BBC 
 even more).
 - 1 or 2 GB NICs
 - USB3 or ESATA would be nice...
 - Price would not be much of a problem (maybe no more than $1000 though).


 Random thoughts:
 - a shuttle PC with 2 HDs and a real RAID card (if it fits inside), but maybe 
 too noisy, no headless.
 - a mac mini server looks very nice (but max budget, need another Mac to 
 install, not sure if easy/possible to install CentOS).
 - some NAS where I could easily replace the OS (not on a flash chip).


 So if you know a nice one...


 Thx,
 JD



HP Microserver is very good for me, I have one and it's ok.

Amedeo


Re: [CentOS] Limiting bandwidth

2010-02-20 Thread News
On 20/02/2010 13.25, Bob McConnell wrote:
 Rajagopal Swaminathan wrote:
 Greetings,

 Scenario:
 Centos box with eth1 (10.0.0.0/24) and eth0 (192.168.0.0/24)
 segment on eth0 has access to full bandwidth of uplink
 Both are on 100mbps switches

 Requirements:
 bandwidth on segment on eth1 needs to be throttled to different speeds - say
 32, 64, 128kbps and the such. Required for application performance testing
 purposes.

 The best tool I have found for this is DummyNet, which is built into
 FreeBSD. It was created to test protocol designs then adapted for
 traffic management. However, I am not aware of any ports into Linux.

http://info.iet.unipi.it/~luigi/dummynet/
http://cs.baylor.edu/~donahoo/tools/dummy/tutorial.htm

 Bob McConnell
 N2SPP


I try to use shorewall for this.
Amedeo


Re: [CentOS] /etc/ldap.conf pam_filter

2010-02-10 Thread News Listener
Hi Chris,
Thanks,
You mean replace ldap auth with winbind auth?

My scene:
on one side, 1 smb server pdc with ldap;
on the other side, 1 Xorg-Server with auth over ldap, the same as the 
first one (smb).
I need to permit only users with membership_of Domain Users to log in on the 
Xorg-Server.
Thanks


On 05.02.2010 12:45, Christoph Maser wrote:
 On Friday, 05.02.2010, 11:38 +0100, Nobody ist perfect wrote:
 Hi,

 we use an openldap server / samba as domain controller for our
 windows/linux workstations. on a specific server, login should only
 be allowed, if the certain user is member of a group (let's call this
 group login). All the users in the domain are members of the group
 Domain Users. Therefore their primary gid is not the login-group's gid.
 How can I make the login depending on that login-group-membership?

 Thanks!

 Toby



 If you use winbind you can use require_membership_of=
 in /etc/security/pam_winbind.conf.

 Chris






Re: [CentOS] RSync Issues

2009-10-11 Thread News Listener
man rsync

-i, --itemize-changes   output a change-summary for all updates
 --list-only list the files instead of copying them
 --ignore-existing   skip updating files that exist on receiver
-v, --verbose   increase verbosity

--existing, --ignore-non-existing
 This tells rsync to skip creating files (including directories) that do 
not exist yet on the destination. If this option is combined 
with the --ignore-existing option, no files will be updated (which can be 
useful if all you want to do is delete extraneous files).

 This option is a transfer rule, not an exclude, so it doesn't affect the 
data that goes into the file-lists, and thus it doesn't affect 
deletions. It just limits the files that the receiver requests to be 
transferred.

--ignore-existing
 This tells rsync to skip updating files that already exist on the 
destination (this does not ignore existing directories, or nothing 
would get done). See also --existing.

 This option is a transfer rule, not an exclude, so it doesn't affect the 
data that goes into the file-lists, and thus it doesn't affect 
deletions. It just limits the files that the receiver requests to be 
transferred.

 This option can be useful for those doing backups using the --link-dest 
option when they need to continue a backup run that got 
interrupted. Since a --link-dest run is copied into a new directory hierarchy 
(when it is used properly), using --ignore existing will 
ensure that the already-handled files don't get tweaked (which avoids a change 
in permissions on the hard-linked files). This does mean that 
this option is only looking at the existing files in the destination hierarchy 
itself.




ML wrote:
 Hi All,
 
 Rsyncing to a USB drive. I am in single user mode.
 
 I am doing:
 
 rsync -avx --stats --progress --ignore-existing --exclude 'home/backup/ 
 data' / /mnt/sdb2/
 
 But I don't see it ignoring existing. A previous rsync stalled and now  
 it seems to be copying them again rather than ignoring them.
 
 Does anyone have thoughts?
 
 -ML



Re: [CentOS] Firewall in CentOS 5.1

2008-07-26 Thread News

Ray Leventhal wrote:

Robert Spangler wrote:

On Thursday 24 July 2008 03:34, Gopinath Achari wrote:

 Please suggest me a good firewall package for Cent OS 5.1 Server. This
 server is going to face to internet and will be accessed by the branch
 offices.

adding a late voice to this thread, I've used and enjoyed the cli of apf 
which acts as a front end for iptables


http://rfxnetworks.com/apf.php

no rpm of which I'm aware, but the install is non-intrusive and very simple

-Ray



I have used shorewall on some servers for 5-6 years without problems.
http://www.shorewall.net/

Amedeo Fragai
