Re: [Cooker] install report 8.2b3 , the martian invasion
On Tue Mar 05, 2002 at 09:38:16AM +, richard bown wrote:

> > I also only make reference to the newbies here because everyone else seems to want to continually point out that Mandrake is for newbies, so those who want to use Mandrake as an expert (I guess) are stuck with some newbiezed software configured in a newbiezed way. (not that I believe Mandrake is just for newbies at all)
>
> Nor do I, but, and there's always a but, if you compare mandrake to the other distros, i.e. redhat, Suse (no personal experience of slackware and debian), at the moment the install is easier and less likely to fail. Redhat doesn't always detect the user's hardware, and suse's is a pain in the butt to install, keep changing the CDs every few mins! Mandrake is not usually the first OS a newbie will try, it's often they've tried redhat, screwed up the install, can't get something to run and end up with mdk on recommendation. It's at this point if some developer keeps putting his/her personal whims and locks out the very facilities the new user wants, the new user is just liable to give up and go back to winblows. So everyone loses! less users, more attitude by the major s/w players that it's not worth providing products for an OS that no-one uses, WE ALL LOSE. If a developer wants to be a cyber-hermit, fine, let them. It's their choice, but please don't ram it down the throats of everyone else by default. i.e. rp_filters should not be turned on by default, only at the highest msec level, definitely not 2 or 3.

Hmmm... not sure where this all came from... =) Let me just say that I do agree with you... by no means was I suggesting that we should make Mandrake harder to use or in any other way unattractive to newbies. My point was that Mandrake isn't *just* for newbies... if it was, we could probably fit everything on CD (how many newbies are going to learn emacs or vi, configure iplog, etc.)

--
MandrakeSoft Security; http://www.mandrakesecure.net/
lynx -source http://www.freezer-burn.org/bios/vdanen.gpg | gpg --import
1024D/FE6F2AFD 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD
Current Linux kernel 2.4.8-34.1mdk uptime: 42 days 17 hours 57 minutes.
Re: [Cooker] install report 8.2b3 , the martian invasion
On Tue Mar 05, 2002 at 05:01:32AM -0800, David Walser wrote:

> > Not to sound silly or anything, but apache is a web server... we build and configure it as web server. Our aim, with apache, is for it to be a web server. Now, I agree that there are probably a million and one uses for apache, but really... what you do with apache is your business, right? Just because you, and some people you know, use apache this way doesn't mean everyone uses it this way. I certainly never have. If I want a file manager,
>
> File *SERVER*. Did you even understand what I wrote? Tell me, what is a better, more portable file server on a heterogenous network when you don't admin all of the other client machines you use? Not NFS, not Samba, and don't even try FTP, now *THAT's* a security hole. http is a (relatively) secure file transfer protocol. And you don't know anyone that uses it that way? Been to http://sunsite.uio.no/pub/ lately?

Hmmm... yes. Ok, I understand what you're saying. It still makes no difference to me. And no, I haven't been to http://sunsite.uio.no/pub/ lately... I tend to do my file transfers via FTP or rsync. I really dislike downloading files via HTTP.

Anyways, this is a relatively useless discussion because I certainly am not going to change this behaviour in apache. If Jean-Michel thinks it is appropriate, he can make the change since he's the maintainer, but I hope he doesn't. You're entitled to your opinion... I'm entitled to mine. Thanks for your feedback.

--
MandrakeSoft Security; http://www.mandrakesecure.net/
lynx -source http://www.freezer-burn.org/bios/vdanen.gpg | gpg --import
1024D/FE6F2AFD 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD
Current Linux kernel 2.4.8-34.1mdk uptime: 42 days 17 hours 59 minutes.
Re: [Cooker] install report 8.2b3 , the martian invasion
On Tue, 2002-03-05 at 05:50, Vincent Danen wrote:

> I also only make reference to the newbies here because everyone else seems to want to continually point out that Mandrake is for newbies, so those who want to use Mandrake as an expert (I guess) are stuck with some newbiezed software configured in a newbiezed way. (not that I believe Mandrake is just for newbies at all)

Nor do I, but, and there's always a but, if you compare mandrake to the other distros, i.e. redhat, Suse (no personal experience of slackware and debian), at the moment the install is easier and less likely to fail. Redhat doesn't always detect the user's hardware, and suse's is a pain in the butt to install, keep changing the CDs every few mins! Mandrake is not usually the first OS a newbie will try, it's often they've tried redhat, screwed up the install, can't get something to run and end up with mdk on recommendation. It's at this point if some developer keeps putting his/her personal whims and locks out the very facilities the new user wants, the new user is just liable to give up and go back to winblows. So everyone loses! less users, more attitude by the major s/w players that it's not worth providing products for an OS that no-one uses, WE ALL LOSE. If a developer wants to be a cyber-hermit, fine, let them. It's their choice, but please don't ram it down the throats of everyone else by default. i.e. rp_filters should not be turned on by default, only at the highest msec level, definitely not 2 or 3.

br richard
Re: [Cooker] install report 8.2b3 , the martian invasion
--- Vincent Danen [EMAIL PROTECTED] wrote:

> Not to sound silly or anything, but apache is a web server... we build and configure it as web server. Our aim, with apache, is for it to be a web server. Now, I agree that there are probably a million and one uses for apache, but really... what you do with apache is your business, right? Just because you, and some people you know, use apache this way doesn't mean everyone uses it this way. I certainly never have. If I want a file manager,

File *SERVER*. Did you even understand what I wrote? Tell me, what is a better, more portable file server on a heterogenous network when you don't admin all of the other client machines you use? Not NFS, not Samba, and don't even try FTP, now *THAT's* a security hole. http is a (relatively) secure file transfer protocol. And you don't know anyone that uses it that way? Been to http://sunsite.uio.no/pub/ lately?
Re: [Cooker] install report 8.2b3 , the martian invasion
On Sat Mar 02, 2002 at 10:55:55PM -0800, David Walser wrote:

> No, not for me it's not that hard to turn on, but I remember the first time I used Apache, RH 5.2 days. All I had to do was install it, and it was fully functional, it was great! I didn't know anything about web servers at the time, I didn't know it would be that easy (thought I would have to configure it and stuff, not that that'd be too bad, I was configuring samba by hand back then). Now think about a total newbie. They install Mandrake, and Apache, and it's not functional. What to do? You even have to find the options in commonhttpd.conf which isn't even a standard thing. Sure it wasn't that *hard* for *me* to do, but it still took a while to figure it out.

What are you talking about? Enabling Indexes by default somehow makes Apache work whereas having it off by default doesn't?

Apache works just *fine* without Indexes. And because it is, potentially, a security hole (through inappropriate disclosure), the end user should be forced to enable it where appropriate... which is exactly the case.

This has absolutely nothing to do with whether apache works or not out of the box.

--
MandrakeSoft Security; http://www.mandrakesecure.net/
lynx -source http://www.freezer-burn.org/bios/vdanen.gpg | gpg --import
1024D/FE6F2AFD 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD
Current Linux kernel 2.4.8-34.1mdk uptime: 40 days 19 hours 16 minutes.
Re: [Cooker] install report 8.2b3 , the martian invasion
--- Vincent Danen [EMAIL PROTECTED] wrote:

> What are you talking about? Enabling Indexes by default somehow makes Apache work whereas having it off by default doesn't?

Did it ever occur to you that people use Apache for more than serving websites? Especially desktop users on networks, your primary userbase? I haven't used floppies in all of college, I just stick files in my public_html directory and get them when I need them, I also use my webserver to get files to people I talk to on the 'net. Every Apache user I know (that uses it on workstations) does the same things.

> Apache works just *fine* without Indexes. And because it is, potentially, a security hole (through inappropriate disclosure), the end user should be forced to enable it where appropriate... which is exactly the case.

It is not a security hole, and it's a joke calling it one. If someone's gonna put files on a public webserver that they don't want people to get to, they should either have to disable Indexes themselves (I mean geez, this is a very small percentage of Apache users, why punish everybody else?) or use htaccess (which there's much more documentation on).

> This has absolutely nothing to do with whether apache works or not out of the box.

It absolutely does depending on how you intend to use it.
Re: [Cooker] install report 8.2b3 , the martian invasion
On Mon Mar 04 15:50 -0700, Vincent Danen wrote:

> Apache works just *fine* without Indexes. And because it is, potentially, a security hole (through inappropriate disclosure), the end user should be forced to enable it where appropriate... which is exactly the case.

Yes, but every case that I can think of where a security problem was caused by Indexes was in reality a case of putting a sensitive file in a web-accessible directory. The indexing itself is not a problem, imo.

--
Levi Ramsey [EMAIL PROTECTED] [EMAIL PROTECTED]
When it comes down to desperation, You make the best of your situation.
Linux 2.4.17-20mdk 10:01pm up 7 days, 7:43, 16 users, load average: 0.24, 0.08, 0.02
Re: [Cooker] install report 8.2b3 , the martian invasion
On Mon Mar 04, 2002 at 10:08:08PM -0500, Levi Ramsey wrote:

> > Apache works just *fine* without Indexes. And because it is, potentially, a security hole (through inappropriate disclosure), the end user should be forced to enable it where appropriate... which is exactly the case.
>
> Yes, but every case that I can think of where a security problem was caused by Indexes was in reality a case of putting a sensitive file in a web-accessible directory. The indexing itself is not a problem, imo.

You're right. Think of it as security through obscurity. Not much, in terms of security, but it does add some extra protection, which can be useful for newbies who don't really know what they're doing.

I also only make reference to the newbies here because everyone else seems to want to continually point out that Mandrake is for newbies, so those who want to use Mandrake as an expert (I guess) are stuck with some newbiezed software configured in a newbiezed way. (not that I believe Mandrake is just for newbies at all)

--
MandrakeSoft Security; http://www.mandrakesecure.net/
lynx -source http://www.freezer-burn.org/bios/vdanen.gpg | gpg --import
1024D/FE6F2AFD 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD
Current Linux kernel 2.4.8-34.1mdk uptime: 41 days 2 hours 5 minutes.
Re: [Cooker] install report 8.2b3 , the martian invasion
On Mon Mar 04, 2002 at 06:44:06PM -0800, David Walser wrote:

> > What are you talking about? Enabling Indexes by default somehow makes Apache work whereas having it off by default doesn't?
>
> Did it ever occur to you that people use Apache for more than serving websites? Especially desktop users on networks, your primary userbase? I haven't used floppies in all of college, I just stick files in my public_html directory and get them when I need them, I also use my webserver to get files to people I talk to on the 'net. Every Apache user I know (that uses it on workstations) does the same things.

Not to sound silly or anything, but apache is a web server... we build and configure it as web server. Our aim, with apache, is for it to be a web server. Now, I agree that there are probably a million and one uses for apache, but really... what you do with apache is your business, right? Just because you, and some people you know, use apache this way doesn't mean everyone uses it this way. I certainly never have. If I want a file manager, I'll use Nautilus, or Konqueror, or any other tool that was designed for that task. Since apache is a web server, when we deal with configuration issues, we think of it as a web server. Thus, configuration options suitable for a web server.

> > Apache works just *fine* without Indexes. And because it is, potentially, a security hole (through inappropriate disclosure), the end user should be forced to enable it where appropriate... which is exactly the case.
>
> It is not a security hole, and it's a joke calling it one. If someone's gonna put files on a public webserver that they don't want people to get to, they should either have to disable Indexes themselves (I mean geez, this is a very small percentage of Apache users, why punish everybody else?) or use htaccess (which there's much more documentation on).

Well, ok, perhaps security hole is not an appropriate phrase. Maybe security concern would be a better way to put it.

However, as you stated before, we're looking at newbies here... newbies who may not know about .htaccess. In essence, we're helping protect the newbie apache admin. I don't think newbies will install the apache *web server* to act as a file manager.. if they're going to look for a file manager, I don't think they'll be as creative as you and will use a tool intended to be a file manager.

As far as calling it punishing everyone else, that's just as laughable as me calling it a security hole. I hardly see this as punishment considering you must be savvy enough to make the necessary changes yourself. I really think that there is probably a low percentage of people who decide to take the apache web server and use it as the apache file manager.

> > This has absolutely nothing to do with whether apache works or not out of the box.
>
> It absolutely does depending on how you intend to use it.

Sure. And we intend for apache to be used as a web server and, again, we configure it as such. If you don't like that, I suppose you could contribute an apache-filemgr package.

Besides, this really is a moot point since it likely will not be changing anytime soon. I guess you'll just have to live with that. Sorry. While we can't control what you use a software package for, we can certainly control how we package it. And we've decided, since a long time ago, to package apache as a web server... if you choose to use it somehow else, then you must deal with reconfiguring it to suit your (nonstandard) needs.

--
MandrakeSoft Security; http://www.mandrakesecure.net/
lynx -source http://www.freezer-burn.org/bios/vdanen.gpg | gpg --import
1024D/FE6F2AFD 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD
Current Linux kernel 2.4.8-34.1mdk uptime: 41 days 1 hour 59 minutes.
Re: [Cooker] install report 8.2b3 , the martian invasion
> on the 'net. Every Apache user I know (that uses it on workstations) does the same things.

I agree that this will annoy more people than it will help .. imho

Steven
Re: [Cooker] install report 8.2b3 , the martian invasion
Um, 'chkconfig iptables off'? rpm -e msec? Or, disable firewalling in the control center (it's under security)?

On Sat, Mar 02, 2002 at 10:15:29PM +, richard bown alleged:

> Hi all
>
> I've had to go back to 8.1. Whatever you have done with security is a disaster. Telnetting in to the public interface, ie the one connected to the internet,, impossible no matter what, and rules are loaded to iptables, all that's seen is martian errors in the syslog. I use xinetd for port redirection to another machine behind the firewall. this did exactly the same... martian errors, and here's the worst bit, after running for 10 hrs, all attempts to send mail and receive mail got connection refused errors, smtp, pop3, imap all the same, checked with the isp, 1 hr on the phone. not at their end. loaded 8.1 and mail again QED
>
> I don't know who is responsible for the mandrake security MSEC and whatever, I suspect gated is being used, but nothing showed on a ps ax. Whoever should realise that not every one wants a system which can only work one way. I need to be able to telnet, ssh from anywhere in the world. This is absolutely USELESS to me if I can only use it from home. Xinetd redirection works well under 8.1, so does bastille-firewall, the same config scripts were used on 8.2, so again where is the backward or even in this case forward compatibility.
>
> Ok the 3d side is good, none of the problems with the later kernels on 8.1. In its current state 8.2b3 is a TOY not a working system, and as for comments like add to hosts.allow on the remote machine... shouldn't need to, it was fully functional before 8.2b3. you guys are so paranoid over security, this time you've gone far too far. MSEC level 99 is not required.
>
> I logged into a machine in the States, Seattle, and tried telnetting to all the ports that are redirected... martian errors. tried port 22 ssh,,, martian errors. it did manage to return a ping. I also saw tcpdump being turned on and off with ipv4 errors. If any one wants something on the networking side tested no problem. If the ipip tunnels hadn't functioned, 8.2 would have been off in 1/2 hr. interfaces that are labelled as internal functioned, as did lo. external interfaces would not function. Flushing iptables had no effect.
>
> system in use 700MHz duron, 512M ram 10GB hd, kernels 2.4.17-19mdk 2.4.18-2mdk.. In its current state 8.2 could not be released as it can't be used as a server. shame, it looked good on the install, apart from the freeze when trying a live update. If a table of bug levels I'd put this one on Egyptian level
>
> BR Richard
Re: [Cooker] install report 8.2b3 , the martian invasion
On Sat, 2002-03-02 at 22:23, Garrick Staples wrote:

> Um, 'chkconfig iptables off'? rpm -e msec? Or, disable firewalling in the control center (it's under security)?

No Garrick, I prefer to manually flush iptables, then just to make sure bastille-netfilter stop. that opens it up like a barn door. all this martian rubbish was not on 8.1 which worked

regards richard
Re: [Cooker] install report 8.2b3 , the martian invasion
On Sat, Mar 02, 2002 at 10:51:30PM +, richard bown alleged:

> On Sat, 2002-03-02 at 22:23, Garrick Staples wrote:
> > Um, 'chkconfig iptables off'? rpm -e msec? Or, disable firewalling in the control center (it's under security)?
>
> No Garrick, I prefer to manually flush iptables, then just to make sure bastille-netfilter stop. that opens it up like a barn door. all this martian rubbish was not on 8.1 which worked
>
> regards richard

Did you change the policies after flushing the tables? Or perhaps editing the bastille config file and setting things the way you want?

As long as we're just debugging this beta OS... humor me and just disable the firewalling... see if that does what you want. Then maybe provide the list with your findings, suggest some changes, etc. But please leave the rants at the door. thx.
Re: [Cooker] install report 8.2b3 , the martian invasion
On Sat, 2002-03-02 at 23:04, Garrick Staples wrote:

> On Sat, Mar 02, 2002 at 10:51:30PM +, richard bown alleged:
> > On Sat, 2002-03-02 at 22:23, Garrick Staples wrote:
> > > Um, 'chkconfig iptables off'? rpm -e msec? Or, disable firewalling in the control center (it's under security)?
> >
> > No Garrick, I prefer to manually flush iptables, then just to make sure bastille-netfilter stop. that opens it up like a barn door. all this martian rubbish was not on 8.1 which worked
> >
> > regards richard
>
> Did you change the policies after flushing the tables? Or perhaps editing the bastille config file and setting things the way you want?

No Garrick, setting bastille-netfilter to stop puts everything to ACCEPT, which is verified by running iptables -L. I have already given details of what was done, they are there to be read, as I said sorry it's in English.

What I can't get through on this list is that if something works well on 8.1 kernel 2.17-2mdk, with the same version of iptables as in the iso images, it is reasonable to expect the same on the next version. It is not as if I'd taken something from MDK 7.0 and tried it!

Xinetd redirection works well on 8.1, and NO problems with iptables on accepting a connection on the port in question. with xinetd redirection not working on 8.2, PREROUTING dnat was tried with iptables, with exactly the same effect. martian errors shown in syslog.

what ever interface is used to connect to the internet is locked out, and produces the same martian errors when a connection, whether telnet or SSH is attempted, outgoing connections are not affected, both telnet client and server were taken back to previous versions

I've had to go back to MDK 8.1 due to a mail backlog as users were unable to gain access when I tried 8.2. and again in case it hasn't been understood, with the same versions of iptables, and the same bastille and xinetd scripts

richard

> As long as we're just debugging this beta OS... humor me and just disable the firewalling... see if that does what you want. Then maybe provide the list with your findings, suggest some changes, etc. But please leave the rants at the door. thx.
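The thread mentions martian entries in syslog and rp_filter being on by default; the following added example (not from the thread and not msec's own code) lists the reverse-path filter mode and martian logging in effect per interface. It assumes the rule documented for current kernels (the larger of conf/all and the per-interface value for rp_filter, either one for log_martians), which the 2.4 kernels discussed here may not follow; the function names and the sample directory tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: per-interface view of rp_filter and log_martians.
# The conf root is normally /proc/sys/net/ipv4/conf; any directory with the
# same layout can be passed, which is how the constructed sample below works.

# read_flag FILE: print the integer in a sysctl file, or 0 if absent or empty.
read_flag() {
    val=
    if [ -r "$1" ]; then
        val=$(tr -d ' \n' < "$1")
    fi
    printf '%s' "${val:-0}"
}

# rp_mode N: name of an rp_filter value (0 off, 1 strict, 2 loose).
rp_mode() {
    case $1 in
        0) echo off ;;
        1) echo strict ;;
        2) echo loose ;;
        *) echo unknown ;;
    esac
}

# rp_audit [CONF_ROOT]
# Prints "<iface> rp_filter=<n> (<mode>) log_martians=<0|1>" per interface.
# Assumed rule (current kernel docs): rp_filter = max(all, iface);
# log_martians is on when either all or iface is set.
rp_audit() {
    conf_root=${1:-/proc/sys/net/ipv4/conf}
    all_rp=$(read_flag "$conf_root/all/rp_filter")
    all_lm=$(read_flag "$conf_root/all/log_martians")
    for dir in "$conf_root"/*; do
        [ -d "$dir" ] || continue
        iface=${dir##*/}
        case $iface in all|default) continue ;; esac
        eff_rp=$(read_flag "$dir/rp_filter")
        if [ "$all_rp" -gt "$eff_rp" ]; then eff_rp=$all_rp; fi
        eff_lm=0
        if [ "$all_lm" -ne 0 ] || [ "$(read_flag "$dir/log_martians")" -ne 0 ]; then
            eff_lm=1
        fi
        echo "$iface rp_filter=$eff_rp ($(rp_mode "$eff_rp")) log_martians=$eff_lm"
    done
}

# rp_strict_ifaces [CONF_ROOT]: interfaces where strict filtering is in effect.
rp_strict_ifaces() {
    rp_audit "$1" | awk '$2 == "rp_filter=1" { print $1 }'
}

# make_sample_tree: build a constructed conf tree (name:rp_filter:log_martians)
# with a strict external eth0, an unfiltered internal eth1 and an ipip tunnel.
make_sample_tree() {
    root=$(mktemp -d)
    for entry in all:0:0 default:1:0 eth0:1:1 eth1:0:0 tunl0:0:0; do
        name=${entry%%:*}
        rest=${entry#*:}
        mkdir -p "$root/$name"
        echo "${rest%%:*}" > "$root/$name/rp_filter"
        echo "${rest#*:}" > "$root/$name/log_martians"
    done
    echo "$root"
}

# Demonstration on the constructed tree only; nothing on the host is changed.
sample=$(make_sample_tree)
rp_audit "$sample"
rm -rf "$sample"
```

Calling `rp_audit` with no argument reads the live settings under /proc/sys/net/ipv4/conf.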
RE: [Cooker] install report 8.2b3 , the martian invasion
Do you mean that you didn't dual boot so you have an instant way back? Who goes Beta in production? The inconvienence was delivered by yourself alone. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of richard bown Sent: March 2, 2002 7:49 PM To: cooker Subject: Re: [Cooker] install report 8.2b3 , the martian invasion On Sat, 2002-03-02 at 23:04, Garrick Staples wrote: On Sat, Mar 02, 2002 at 10:51:30PM +, richard bown alleged: On Sat, 2002-03-02 at 22:23, Garrick Staples wrote: Um, 'chkconfig iptables off'? rpm -e msec? Or, disable firewalling in the control center (it's under security)? No Garrick , I prefer to manually flush iptables, then just to make sure bastill-netfilter stop that opens it up like a barn door. all this martian rubbish was not on 8.1 which worked regards richard Did you change the policies after flushing the tables? Or perhaps editing the bastille config file and setting things the way you want? No Garrick , setting bastille-netfilter to stop puts everthing to ACCEPT, which is verified by running iptables -L I have already given details of what was done,they are there to be read, as I said sorry its in english. What Icant get through on this list is that if something works well on 8.1 kernel 2.17-2mdk , with the same version of iptables as in the iso images, it is reasonable to expect the same on the next version. It is not as if I 'd taken something from MDK 7.0 and tried it ! Xinetd redirection works well on 8.1, and NO problems with iptables on accepting a connection on the port in question. with xinetd redirection not working on 8.2, PREROUTING dnat was tried with iptables, with exactly the same effect. martian errors shown in syslog. 
what ever inteface is used to connect to the internet is locked out, and produces the same martian errors when a connection , whether telnet or SSH is attempted, outgoing connections are not effected, both telnet client and server were taken back to previous versions I've had to go back to MDK 8.1 due to a mail backlog as users were unable to gain access when I tried 8.2. and again in case it has'nt been understood with the same versions of iptables,and the same bastille and xinetd scripts richard As long as we're just debugging this beta OS... humor me and just disable the firewalling... see if that does what you want. Then maybe provide the list with your findings, suggest some changes, etc. But please leave the rants at the door. thx. On Sat, Mar 02, 2002 at 10:15:29PM +, richard bown alleged: Hi all I 've had to go back to 8.1. Whatever you have done with security is a disaster. Telneting in to the public interface, ie the one connected to the internet,,impossible no matter what, and rules are loaded to iptables, all thats eeen is martin errors in the syslog. I use xinetd for port redirection to another machine behind the firewall. this did exactly the same...martian errors, and heres the worst bit afetr running for 10 hrs , all attempts to send mail and receive mail got connection refused errors, smtp, pop3,imap all the same, checked with the isp, 1 hr on the phone. not at their end. loaded 8.1 and mail again QED I dont know who is responsibe for the mandrake security MSEC and whatever, I suspect gated is being used, but nothing showed on a ps ax Whoever should realise that not every one want a system which can only work one way. I need to be able to telnet, ssh from anywhere in the world. This is absolutely USELESS to me if I can only use it from home. Xinetd redirection works well under 8.1, so does bastille-firewall the same config scripts were used on 8.2, so again where is the backawrd or even in this case forward compatability . 
Ok the 3d side is good, none of the problems with the later kernels on 8.1.

In its current state 8.2b3 is a TOY not a working system, and as for comments like add to hosts.allow on the remote machine... shouldn't need to, it was fully functional before 8.2b3.

You guys are so paranoid over security, this time you've gone far too far. MSEC level 99 is not required.

I logged into a machine in the States, Seattle, and tried telneting to all the ports that are redirected... martian errors. Tried port 22 ssh... martian errors. It did manage to return a ping. I also saw tcpdump being turned on and off with ipv4 errors.

If anyone wants something on the networking side tested, no problem. If the ipip tunnels hadn't functioned, 8.2 would have been off in 1/2 hr. Interfaces that are labelled as internal functioned, as did lo; external interfaces would not function. Flushing iptables had no effect.

System in use: 700MHz duron, 512M ram, 10GB hd, kernels 2.4.17-19mdk, 2.4.18-2mdk.. In its current
Re: [Cooker] install report 8.2b3 , the martian invasion
I agree. Having Indexes turned off by default in Apache is a PAIN and is useful to almost nobody.

--- richard bown [EMAIL PROTECTED] wrote:

you guys are so paranoid over security, this time you've gone far too far MSEC level 99 is not required.
Re: [Cooker] install report 8.2b3 , the martian invasion
On Sat, Mar 02, 2002 at 10:42:40PM -0800, David Walser wrote:

I agree. Having Indexes turned off by default in Apache is a PAIN and is useful to almost nobody.

I don't think so. It's not that hard to turn on anyway.

-- Ben Reser [EMAIL PROTECTED] http://ben.reser.org
What difference does it make to the dead, the orphans, and the homeless, whether the mad destruction is wrought under the name of totalitarianism or the holy name of liberty and democracy? - Gandhi
Re: [Cooker] install report 8.2b3 , the martian invasion
No, not for me it's not that hard to turn on, but I remember the first time I used Apache, RH 5.2 days. All I had to do was install it, and it was fully functional, it was great! I didn't know anything about web servers at the time, I didn't know it would be that easy (thought I would have to configure it and stuff, not that that'd be too bad, I was configuring samba by hand back then).

Now think about a total newbie. They install Mandrake, and Apache, and it's not functional. What to do? You even have to find the options in commonhttpd.conf which isn't even a standard thing. Sure it wasn't that *hard* for *me* to do, but it still took a while to figure it out.

--- Ben Reser [EMAIL PROTECTED] wrote:

On Sat, Mar 02, 2002 at 10:42:40PM -0800, David Walser wrote:

I agree. Having Indexes turned off by default in Apache is a PAIN and is useful to almost nobody.

I don't think so. It's not that hard to turn on anyway.

-- Ben Reser [EMAIL PROTECTED] http://ben.reser.org
What difference does it make to the dead, the orphans, and the homeless, whether the mad destruction is wrought under the name of totalitarianism or the holy name of liberty and democracy? - Gandhi
Re: [Cooker] install report 8.2b3 , the martian invasion
On Sat, Mar 02, 2002 at 10:55:55PM -0800, David Walser wrote:

No, not for me it's not that hard to turn on, but I remember the first time I used Apache, RH 5.2 days. All I had to do was install it, and it was fully functional, it was great! I didn't know anything about web servers at the time, I didn't know it would be that easy (thought I would have to configure it and stuff, not that that'd be too bad, I was configuring samba by hand back then).

Now think about a total newbie. They install Mandrake, and Apache, and it's not functional. What to do? You even have to find the options in commonhttpd.conf which isn't even a standard thing. Sure it wasn't that *hard* for *me* to do, but it still took a while to figure it out.

You don't even have to touch commonhttpd.conf.

echo 'Options Indexes' > .htaccess

Or any of the several other places you can turn it on. At any rate there is tons of documentation. Simple searches of the web would return information on how to do this. Various mailing lists (such as newbie@) could answer this.

However, I really don't think most people use this functionality on average anyway. Most people put up index files. And those that don't generally are more sophisticated users that know how to turn it on anyway.

The real reason for disabling this is to help protect (but not completely protect) the very newbies that you are trying to help. Many people do foolish things. Like putting their .htpasswd files in web-accessible locations or putting other files they wouldn't intend to have accessible to the web. With Indexes on globally by default these files are there for anyone to browse. Even if you give these files hard to guess names they are advertised as available to view.

-- Ben Reser [EMAIL PROTECTED] http://ben.reser.org
What difference does it make to the dead, the orphans, and the homeless, whether the mad destruction is wrought under the name of totalitarianism or the holy name of liberty and democracy? - Gandhi
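
The concern in the message above, that a directory with Indexes on and no index file advertises whatever was left in it, can be checked against a real document root. The following is an added example, not code from the thread or from Mandrake: it walks a docroot, tracks the Indexes state through `.htaccess` `Options` lines, and reports auto-listed directories that hold sensitive-looking files. The index file names and filename patterns are assumptions, `.htaccess` overrides are assumed to be honoured, and `IndexIgnore` is not modelled.

```python
import fnmatch
import tempfile
from pathlib import Path

INDEX_FILES = ("index.html", "index.htm")           # assumed DirectoryIndex names
SENSITIVE = (".htpasswd", "*.bak", "*.sql", "*~")   # assumed patterns; adjust locally

def indexes_after_htaccess(directory, state):
    """Apply 'Options' lines in directory/.htaccess to the inherited Indexes state."""
    try:
        lines = (directory / ".htaccess").read_text().splitlines()
    except OSError:
        return state
    for line in lines:
        words = line.split()
        if not words or words[0].lower() != "options":
            continue
        opts = [w.lower() for w in words[1:]]
        if any(o[0] not in "+-" for o in opts):   # bare keywords replace the set
            state = "indexes" in opts or "all" in opts
        for o in opts:                            # +/- keywords adjust it
            state = {"+indexes": True, "-indexes": False}.get(o, state)
    return state

def audit(docroot, default_indexes=False):
    """Return {relative dir: [sensitive names]} for dirs served as auto-listings."""
    findings = {}
    def walk(directory, inherited):
        enabled = indexes_after_htaccess(directory, inherited)
        entries = sorted(directory.iterdir())
        hits = [e.name for e in entries
                if any(fnmatch.fnmatchcase(e.name, p) for p in SENSITIVE)]
        if enabled and hits and not any(e.name in INDEX_FILES for e in entries):
            findings[directory.relative_to(docroot).as_posix()] = hits
        for e in entries:
            if e.is_dir() and not e.is_symlink():
                walk(e, enabled)
    walk(Path(docroot), default_indexes)
    return findings

def demo():  # audits a constructed docroot with Indexes off, then on, by default
    tree = {"index.html": "", "files/.htaccess": "Options Indexes\n",
            "files/.htpasswd": "", "files/site.sql": "", "private/.htpasswd": "",
            "files/docs/.htaccess": "Options -Indexes\n", "files/docs/a.bak": ""}
    with tempfile.TemporaryDirectory() as root:
        for rel, body in tree.items():
            (Path(root) / rel).parent.mkdir(parents=True, exist_ok=True)
            (Path(root) / rel).write_text(body)
        return audit(root), audit(root, default_indexes=True)
```

With the default off, only the directory that opted in through its own `.htaccess` is reported; with the default on, `private/` is reported as well even though nobody configured it.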