Re: [OT] Backup on DLT (recommandation)
Hello Michelle

On 2005-01-08 Michelle Konzack wrote:
> Because my old DAT is not more enough, I consider to buy a DLT with
> 80-160 GByte. Because I have no experience with it, I like to hear
> some suggestions. My only problem is that my purse is very limited
> to <=700 Euro.

Why not take a couple of 180,- EUR external USB 2.0 harddisks with about
200GB each? Fast, also in restore, cheap and easy to manage. At least
compared to DDS3 tapes the ones from Maxtor do not have a significantly
higher failure percentage (maybe combine enclosures and harddisk yourself
to choose the harddisk brand you trust the most).

> Michelle

bye,

-christian-

--
Of all the things I've lost, I miss my mind the most -nesmad
Re: [OT] Debian package differences from upstream
Hello

On 2005-01-05 Mark Bucciarelli wrote:
> [ Is debian-mentors the proper list for this type of packaging question? ]

Better write a mail to the package maintainer which you can lookup with
"dpkg -s courier-mta".

> I've done apt-get source and poked around a bit but could not tell where
> the Debian patches made to upstream live.

"apt-get source" downloads three files, a .orig.tar.gz, a .diff.gz and a
.dsc. The .diff.gz contains all changes the Debian maintainer made.

> Mark

bye,

-christian-
Re: Legal aspects of greylisting in Europe
On 2004-12-05 David Schmitt wrote:
> On Sat, Dec 04, 2004 at 11:00:16PM +0100, Christian Storch wrote:
> > After the first message would be accepted within(!) the open window of
> > suggested 1 - 4 hours after initial trial it should be
> > whitelisted for about one month.
> > So the effect would be, that succeeding messages fitting the triple would
> > be relayed without any delay.
> >
> > By the way I see also no problem with actual laws in Europe.
> > (But I'm also no lawyer! ;)
>
> Indeed the triple containing email addresses of both the sender and the
> recipient are stored far longer than necessary for billing reasons or do
> you bill by number of received messages?

The (european? at least German) law says "until the end of the 6th month
after the bill" to give time to complain against it. So that's far longer
than the month or so for that the data will be stored by the greylisting
daemon.

> Hmm .. could one alternatively use the mails the user saved as a source
> of whitelisting?

We do rather encourage the users to retrieve and delete their mails on
our servers to save disk storage and reduce the probability of data loss :)

-christian-
Re: Legal aspects of greylisting in Europe
Hello David

On 2004-12-04 David Schmitt wrote:
> Has anyone considered how greylisting should be viewed in the light of
> european data-protection laws? Especially in Austria it would probably
> conflict with the requirement to keep connectiondata no longer than
> required for billing.

"I am not a lawyer", but according to German law, which should be very
similar, I see no problem.

"Teledienstedatenschutzgesetz" says roughly translated in §6 (Usage Date):
  1) the provider may collect/use/compute personal data without explicit
     agreement only in so far as it is necessary to make the tele
     services available and billable...
  6) the provider may store usage data ... at most until the end of the
     sixth month after sending the bill...

So I would assume storing the greylist-triple is necessary (->1) for
greylistd which is part of "the mail server".

You need to collect the greylist triples only until the mail has been
received for the second and final time. Until then it's the same problem
as with all those "relay denied" or "[EMAIL PROTECTED] user unknown" log
messages that are all over the log file, which gets rotated away much
sooner anyway.

More problematic could be the fact that you delay the mail, maybe you
have postal requirements that demands from you to deliver the mail as
fast as you get it... at least you should tell your customers that their
mails can be delayed for the price of (currently) much less spam.

bye,

-christian-
Re: Looking for a network sniffer that collects a used-ports list to help preparing a portfilter firewall script
Hello

On 2004-11-12 martin f krafft wrote:
> also sprach Christian Hammers <[EMAIL PROTECTED]> [2004.11.12.1538 +0100]:
> > I remember a network sniffer that could be run e.g. over a week to
> > collects a list of all used tcp/udp ports which could then be used
> > as base for creating a firewall script for hosts.
>
> What an extraordinarily bad idea. You should know what you allow.

The problem are those "customers". One has a firewall but forgot the
password and wants to replace the whole thing. I can, of course, blame
him, if he forgets to tell me of a script that fetches data on Port 12345
but it would be easier if I would catch that information and could ask
him about this port. So it's just meant as a help.

bye,

-christian-
Looking for a network sniffer that collects a used-ports list to help preparing a portfilter firewall script
Hello

I remember a network sniffer that could be run e.g. over a week to
collect a list of all used tcp/udp ports which could then be used as
base for creating a firewall script for hosts.

Does anybody know the name of this tool?

bye,

-christian-
Re: Wiki's
Hello

> Has anyone had BAD experiences with either of these two? or should I be using
> something completely different... (Am NOT a PHP fan.)

If you're planning something big try MediaWiki, the one the wikipedia.org
sites use. If it's just your online shopping list QWikiWiki is small &
enough.

-christian-
Re: mysterious MySQL-connect
Hi

On 2004-09-24 Andreas Vent-Schmidt wrote:
> On the servers in questions are no customers - it's a dedicated system
> for only one customer. All the web programming and so on is done only by
> myself (well, I hope so ;-). But, there are some POP accounts and also
> an smtpd (no ftpd).

Do a "tcpdump -i any -n -l -s1500 port 3306" and if you're lucky you see
from which port/ip the packets come (if they connect via tcp). Then on
this other side see with "fuser -n tcp " which user did it.

If it's a socket connection you might find at least the userid with
"netstat -tanp"...

BTW: You're using backports you said? Please note that I changed the
scripts only recently (4.0.20-x) to log to syslog. Before that all
messages went to the mostly ignored /var/log/mysql/mysql.err so you
probably don't suffer from a "new" problem but just never noticed it
before.

bye,

-christian-
Re: patch request
Hello

On 2004-09-17 Wieslaw wrote:
> I seek patch which makes possible making the virtual servers.
...
> I know how to make with ssh, ftp, apache, but not kernel :(

What you are probably looking for is "user-mode-linux": You start a
modified linux kernel for each virtual host you want to have and provide
each with its own little filesystem which can even be stored in a single
file using the loopback device driver.

See user-mode-linux.sourceforge.net.

bye,

-christian-

--
"Arp! Arp!" - the mating call of the lonely packet
Re: Defining ISP?
Hello

On 2004-09-14 shift wrote:
> Using an optimized distrib on an SR2200 (dual PIII 1.4GHz Tualatin-S),
> SCSI U160, I have better results on Mysql benchmarks than with a
> non-optimized SR2300-SKU0 dual xeon 3.0 1MB L3 cache and SCSI U320!!

Sounds very unrealistic. Are you sure that it wasn't just a question of
how much memory was available, using a different MySQL config or choosing
the right kernel so that the dual procs were actually detected etc?

bye,

-christian-
Re: Defining ISP?
On 2004-09-14 shift wrote:
> Thinking maybe of a an ISP specific install. Lighter and even more
> secure. A minimalistic distribution...

Most ISPs will probably have different servers for the different services
and on each of them they will start with a secure base install with as
few software installed as possible and then just install
apache/postfix/proftpd whatever they need and customize it.

I don't see a big bonus in a special ISP distribution. A better
integration of iptables firewalls, vlans or traffic shapers would be nice
but that's nothing ISP specific.

bye,

-christian-

P.S.: pbuilder is a nice tool to build minimal installations that you can
just untar onto a new harddisk
More than 1024 Apache / MySQL processes?
Hello

On one host I have, at peak times, roughly 1000 simultaneous Apache
processes which serve MySQL intensive scripts that produce about the same
number of MySQL instances.

As 1000 connections are no longer sufficient, our customer demands a
stronger server but I'm unsure if it's possible at all to have say
1500-2000 connections.

Limitations I am aware of are:
* [compiletime] /usr/include/bits/local_lim.h PTHREAD_THREADS_MAX
  (default 1024 in woody, 16484 since sarge) affects at least MySQL
* [compiletime] Apache HARD_SERVER_LIMIT (default 256)
* [compiletime] MySQL suggests to lower the Thread Stack size
* [runtime] ulimit "max user processes", "open files"
* [runtime] /proc/sys/fs/file-max
* [configuration] max_clients in Apache
* [configuration] open_files_limit, max_connections,
  max_user_connections in MySQL

Is there anything else? Has anybody ever tried it? My test machines sadly
have not enough RAM to try it.

bye,

-christian-

P.S.: And yes, better alternatives like clusters etc are already under
consideration, too, but not so easy to implement :-)

--
Christian Hammers    WESTEND GmbH | Internet-Business-Provider
Technik              CISCO Systems Partner - Authorized Reseller
                     Lütticher Straße 10    Tel 0241/701333-11
[EMAIL PROTECTED]    D-52064 Aachen         Fax 0241/911879
IDS for high bandwidth?
Hello

Has anybody here ideas or experience in building an Intrusion Detection
System for a big network i.e. at least several hundred MBit/s with focus
on detection of (D)DoS and worm attacks (e.g. sudden activity peaks
towards one system or well known worm patterns from systems)?

Last time I checked "snort", it seems it could only handle some ten
MBit/s even on a good hardware so I wonder if such a thing can be
implemented with a (or a cluster of?) PCs and free software at all.

bye,

-christian-

P.S.: Recommendations for hardware appliances and non-free software are
welcome, too, of course, but maybe per mail if they are too off-topic.
Re: greylisting
Hi

On 2004-07-20 Russell Coker wrote:
> > Russel, if there are arguments against greylisting, I'd like to hear
>
> After the previous message explaining it I am all for greylisting!

*grin*

>> - server pools which don't send out the second try from the same IP.
> This will still work eventually, it may just take more time.
> How many such server pools are there?

A colleague of mine just told me that the latest postgrey version can
optionally shrink the mail server's IP address to a /24. This solves the
problem and together with From: and To: it's still unique enough.

bye,

-christian-
What is GreyListing (was: Re: Christian Hammers...)
Hello

On 2004-07-20 Russell Coker wrote:
> (host mail3av.westend.com[212.117.79.67] said: 450 <[EMAIL PROTECTED]>:
> Recipient address rejected: Greylisted for 300 seconds... (in reply to
> RCPT TO command)) [EMAIL PROTECTED]
>
> Christian's mail server is broken.

Err, no. It's not a bug it's a feature :-) Called "greylisting". In
opposite to normal black- and white-listing here postfix has an
additional policy daemon that checks if the triple "sending ip, from, to"
is already in the database and if not, reply with a 450 aka
"temporary(!) failure" code and take note of it.

If it's a real mailserver and not a trojan-winXP-desktop then it will try
it again in a couple of minutes. If it does the above triple will be
whitelisted for the next days/month/whatever.

This mechanism has reduced our Spam amount drastically even on a mail
account that had already SpamAssassin active.

(It's installed at the ISP where I work and currently in beta testing.
The nearby university already uses it with great effort.)

bye,

-christian-
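The greylisting decision described in the message above, together with the /24 shrinking mentioned in the "Re: greylisting" message, as an added example that is not part of the original posts and is not postgrey's or greylistd's own code. The `Greylist` class, the sample addresses, the 4-hour retry window and the one-month whitelist lifetime are assumptions chosen to match the figures quoted in these threads.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

DELAY = 300                      # seconds a new triple must wait (from the 450 reply)
RETRY_WINDOW = 4 * 3600          # assumed: the retry must arrive within 4 hours
WHITELIST_TTL = 30 * 24 * 3600   # assumed: a passed triple is kept for about a month

# Postfix policy actions: defer with a 4xx reply, or let later restrictions decide.
DEFER = "DEFER_IF_PERMIT Greylisted for 300 seconds"
PASS = "DUNNO"


@dataclass
class Entry:
    first_seen: float
    passed_at: Optional[float] = None


class Greylist:
    """In-memory greylist keyed on (client, sender, recipient)."""

    def __init__(self, shrink_to_24=True):
        self.shrink_to_24 = shrink_to_24
        self.db = {}

    def key(self, client_ip, sender, recipient):
        ip = ipaddress.ip_address(client_ip)
        if self.shrink_to_24 and ip.version == 4:
            # Treat a whole /24 as one client so that server pools retrying
            # from a neighbouring address still match the stored triple.
            net = ipaddress.ip_network(f"{ip}/24", strict=False)
            client = str(net.network_address)
        else:
            client = str(ip)
        return (client, sender.lower(), recipient.lower())

    def check(self, client_ip, sender, recipient, now):
        k = self.key(client_ip, sender, recipient)
        entry = self.db.get(k)

        # Triple already passed once: relay without delay until it expires.
        if entry is not None and entry.passed_at is not None:
            if now - entry.passed_at <= WHITELIST_TTL:
                return PASS
            del self.db[k]
            entry = None

        # Unknown triple, or the earlier attempt is too old to count as a retry.
        if entry is None or now - entry.first_seen > RETRY_WINDOW:
            self.db[k] = Entry(first_seen=now)
            return DEFER

        # Retry came back before the delay elapsed: keep deferring.
        if now - entry.first_seen < DELAY:
            return DEFER

        # A proper retry inside the window: whitelist the triple.
        entry.passed_at = now
        return PASS


def replay(greylist, attempts):
    """Feed (time, ip, sender, recipient) attempts through a greylist."""
    return [greylist.check(ip, s, r, t).split()[0] for (t, ip, s, r) in attempts]


# Constructed sample traffic (documentation address ranges, not real hosts).
MAIL = ("alice@example.org", "bob@example.net")
SAMPLE = [
    (0,     "192.0.2.10",   *MAIL),   # first attempt
    (120,   "192.0.2.10",   *MAIL),   # retry, too early
    (600,   "192.0.2.77",   *MAIL),   # retry from another pool member
    (700,   "198.51.100.9", "x@example.com", "bob@example.net"),  # never retries
    (86400, "192.0.2.10",   *MAIL),   # next day, same correspondents
]

if __name__ == "__main__":
    for shrink in (True, False):
        print("shrink /24" if shrink else "exact IP ", replay(Greylist(shrink), SAMPLE))
```

With exact-IP matching the pool retry at 600 seconds starts a new triple, and the next-day message arrives after the retry window, so every attempt in the sample is deferred; with /24 matching the retry and the next-day message both pass.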
Recommendations for redundant server esp. regarding shared storage?
Hello

I'm looking for some good ideas how to design a redundant mail server
(mainly the POP3/IMAP and data storage and not the pure SMTP relay part).

We already tried a combination of two server with mon, DRBD and NFS which
was simply too complex and error prone i.e. we often had the case that
one server did not shut down due to NFS mounts which were not visible or
DRBD syncing way too slow.

So this time it should be something simple that everybody can handle in a
case of emergency like powerloss at night etc.

As far as I can see the main question is
- shared storage i.e. two computers and one external SCSI RAID or one
  external NFS RAID
- separate storage i.e. each computer has its own internal RAID and one
  standby is rsyncing the master server and waiting for maybe manual
  command to take over the IPs.

Shared storage would be neat as we could do real load balancing on
POP3/IMAP servers as well but has anybody a recommendation for a NFS (or
something else?!) backend that is really reliable so that suddenly dead
hosts causes no problem? (and of course which has a stable NFS, my last
Arena RAID in '98 causes NFS errors itself on certain commands so we had
to give it back :-()

thanks in advance,

-christian-
Re: [Fwd: Odd postfix behavior]
Hello

Roberto Sanchez <[EMAIL PROTECTED]> wrote:
> I have postfix setup to only accept mail from my private subnet and
> clients that authenticate with SMTP AUTH. However, since I am on a
> Bellsouth dynamic IP, I have added a line to /etc/postfix/transport:
>
> aol.com smtp:[mail.bellsouth.net]
>
> This is so that my wife can email her dad (who absolutely refuses
> to give up aol.

I don't understand why you have to handle mails to aol.com differently.
Does AOL block your IP but accepts the one from mail.bellsouth.net? Why
not simply route any mail either via a "relay_host = mail.bellsouth.net"
or via DNS without any further config?

bye,

-christian-
How to calculate the memory req's of N apache instances?
Hello

What is the best way to estimate the memory requirements of say 1200
Apache Instances on a server when they currently look like this and I do
not expect great variability due to PHP doing mallocs or similar?

AFAIK those numbers are roughly the memory that the parent process uses
(which is why they are mostly identical) and in addition the amount each
thread has allocated for its own. Can I simply subtract the parent memory
in each line and sum up the results to have the real used memory?
(currently I would guess from the "free" output and the number of threads
running that each takes about 1M).

root      7703  0.0  0.1  7508 2912 ?  S  Feb29  0:00 httpd
httpd    29431  0.0  0.2  8072 4768 ?  S  16:00  0:01  \_ httpd
httpd    29432  0.0  0.2  8696 5460 ?  S  16:00  0:01  \_ httpd
httpd    29433  0.0  0.2  8124 4784 ?  S  16:00  0:02  \_ httpd
...

bye,

-christian-
Re: CISCO netflow graphs on Linux
On Mon, Jan 26, 2004 at 11:46:39AM +0200, Craig Schneider wrote:
> Can anyone recommend software to graph Cisco's netflow traffic on Debian

If you plan to do more than just graph it, you could give nprobe a try,
very nice software to store netflow traffic into a sql database from
where you can use other software to graph or account the data.

bye,

-christian-
kernel: svc: bad direction 65549, dropping request
Hello

I'm getting this error message for some hours now but have no clue why.
The server is running Debian woody and there was no change in the config
the last weeks.

I already googled the web and learned that the message is originated by
the kernel file "net/sunrpc/svc.c" and has been caused to others due to
- compression on an ISDN line
- IP address conflict on the LAN

Both does not fit and I'm fearing a DoS/attack. As the computer is
firewalled and both NFS server and client at once with NFS exported to
just one other NIC which is currently disconnected, I'm not sure where to
debug. tcpdump on the external NIC shows no strange/spoofed traffic which
would indicate wrong iptable rules.

Any hints?

bye,

-christian-

--
Christian Hammers    WESTEND GmbH | Internet-Business-Provider
Technik              CISCO Systems Partner - Authorized Reseller
                     Lütticher Straße 10    Tel 0241/701333-11
ch@westend.com       D-52064 Aachen         Fax 0241/911879
Re: duplicating servers - remote backup to HD
On Sat, Dec 06, 2003 at 06:23:43PM -0500, George Georgalis wrote:
> Sure, here's what I use for taking an image of a system. If you plan
> rsync -av --progress --delete-excluded --numeric-ids \
> --exclude=**/cdrom/* \

You delete only the excluded files? What about e.g. mail spool files that
are backed up once and then deleted on the master system? With "--delete"
they will be deleted on the backup host, too.

Also, if you (or the one asking :-)) cares for bandwidth, a --compress
might be useful. And maybe --bwlimit=xxx if there's other activity on the
net.

Regarding the other comment suggesting tar: We use a combination: rsync
to gather the data on a backup host (low bandwidth) and tar (with -g
incremental) to copy them from there to external USB hard drive media.

bye,

-christian-
Re: spec-ing/dimensioning a server?
On Tue, Nov 25, 2003 at 09:13:48AM -0700, Nate Duehr wrote:
> Depending on how you're doing your backups, an inexpensive upgrade to a
> CD-RW drive vs. the CD-R that's on your list might be useful. I
> wouldn't fully trust CD-RW for backups, but it's handy to have to make
> quick images of the filesystems or to dump a quick "just in case"
> tarfile to. Some people also like the Mondo/Mindi type tools that shoot
> images of the disk off to CD-RW's for a bare-metal recovery option.

Suggestion: External USB2.0 IDE drives are available for 200EUR for
200GB. This should be enough for most servers. They are very fast and can
be removed for weekly rotating simply by unmounting and disconnecting.

bye,

-christian-

--
When in doubt, parenthesize. At the very least it will let some poor
schmuck bounce on the % key in vi.
    -- Larry Wall in the perl man page
Why is Linux sending icmp redirects...
Hello

It seems that my linux router is sending icmp redirect messages to a host
telling him that it should use a gateway which is not on the same ip
subnet. According to http://www.faqs.org/rfcs/rfc792.html this is not
valid and so I'm wondering.

The problem occurred when two hosts (.66.54 and .77.18) from two
different ip networks were connected on the same vlan on my linux router
(.66.53). During this time both were reachable from the internet but not
from each other.

One of the hosts received the following in its logfile:
(addresses slightly anonymized and reformatted to ease reading)

Nov 12 07:23:46 xxx kernel: SuSE-FW-DROP-ICMP IN=eth2 OUT=
  MAC=00:00:c0:96:98:fa : 00:02:b3:96:57:d7 : 08:00 (dst:src verified)
  SRC=111.111.66.53 DST=111.111.66.54 LEN=124 TOS=0x00 PREC=0xC0 TTL=64 ID=14493
  PROTO=ICMP TYPE=5 CODE=1 GATEWAY=111.111.77.18
  [SRC=111.111.66.54 DST=111.111.77.18 LEN=96 TOS=0x00 PREC=0x00 TTL=64 ID=50043
   PROTO=ESP SPI=0x3e3556b ]

Any ideas?

bye,

-christian-
Re: Gated vs Zebra
On Mon, Sep 29, 2003 at 12:29:58AM +0300, kgb wrote:
> Which software is more good Gated or Zebra?

Maybe Quagga (www.quagga.net, available as Debian package in unstable)?
It's the forked successor of the quite unmaintained Zebra. Like Zebra,
too, it has a Cisco like command line language which will help you as you
can use the Cisco docs and newsgroups.

bye,

-christian-

--
They gave their lives to clean the gene pool. -Ken Leatherman
Re: Postfix and SMTP-AUTH once again
On Mon, Aug 04, 2003 at 04:42:15PM +0200, Richard Stevens wrote:
> I'm using debian testing and installed postfix and postfix-tls. I searched the
> net and tried just about any howto and any suggestion I could find but it
> just doesn't work.

Hint: Run either unstable or stable. Testing has no support with security
patches.

> postfix/smtpd[7306]: fatal: no SASL authentication mechanisms

It seems you've forgotten to install the actual sasl plugins:
[stable, probably more for unstable/testing]
ii  libsasl-modules-plain  1.5.27-3  Basic Pluggable Authentication Modules for SASL
ii  libsasl7               1.5.27-3  Authentication abstraction library.
ii  sasl-bin               1.5.27-3  Programs for manipulating the SASL users database

> Richard

bye,

-christian-
A user-mode-linux / virtual networking / zebra HOWTO!
Hello

I've played around a lot with user mode linux and virtual networking
under linux because I wanted to learn OSPF and BGP but had only a single
computer to play with.

What I came up with was a working setup consisting of three virtual hosts
that are interconnected over three virtual networks with each other.
These virtual networks are totally independent so that Zebras OSPFd, arp
and tcpdump won't see a difference to a normal switched ethernet.

I wrote a little HOWTO about this. I guess that people on an isp list are
interested in it (it's a good way to teach trainees) so give me
feedback :-)

http://www.lathspell.de/linux/uml/

bye,

-christian-

--
"Arp! Arp!" - the mating call of the lonely packet
Re: ntop with Imagestream WANic
Hello

On Wed, Jun 04, 2003 at 06:38:08PM -0400, Adam Henry wrote:
> Has anyone had any luck using nTop to watch traffic over ImageStream
> WAN Interface Cards? According to nTop, "on some Linux distributions,
> the libpcap package is broken" [http://www.ntop.org/faq.txt]. Is this
> the case with Debian 3.0?

You should ask the ntop mailing list about that :-)

> analyze the packets. I was told by the people at ISis that "tcpdump
> doesn't export traffic", and that I would need to use nProbe to send
> nTop netFlow formatted packets to make any sense out of it. Is this a
> true statement?

To export netflow traffic on Linux you need ntop or better nprobe. Nprobe
is really great and stable, I can recommend it. AFAIK you have to pay a
small amount for it but get it as open source C code. (I use it for a
year or so on several routers but only FastEthernet)

> Sincerely,
> hank

bye,

-christian-

--
Christian Hammers    WESTEND GmbH | Internet-Business-Provider
Technik              CISCO Systems Partner - Authorized Reseller
                     Lütticher Straße 10    Tel 0241/701333-11
[EMAIL PROTECTED]    D-52064 Aachen         Fax 0241/911879
Re: Firewall on compac flash
On Fri, May 23, 2003 at 03:39:35PM +0200, Volker Tanger wrote:
> Main problem with flash cards is the limited number of write cycles.
> This may not be THAT much of a problem with config and even less with
> the software.

We also tried to use CompactFlash Cards (Apacer, SANdisk and SANdisk Ultra) and experienced a lot of problems. They had badblocks just like a normal disk, the Apacers severe problems with some BIOSes reaching from not being detected at all to detected but then disconnecting under Linux...

If somebody knows a CF-Card / CF-IDE Adapter combination that is really IDE compatible (I know that's a horrible piece of standard) and worked reliably in production then I would really like to know about it, as CF cards are in principle the right thing for firewalls, routers etc.

> One thing, though, often overseen: where do you put the logs? A firewall
> without logs loses a *LOT* of its practical value.

Remote logging with maybe a central host with logcheck installed is the better approach anyway. Maybe keeping the last day in a tmpfs style directory for convenience.

bye,

-christian-
Re: SASL on QPOPPER 4.0.4
On Mon, May 19, 2003 at 08:40:34PM -0400, Gene Grimm wrote:
> bad certificate
> TLS/SSL Handshake failed: -1
>
> Any suggestions on where to look to solve this error?

Look at www.openssl.org. Esp. try

    openssl x509 -text -in my-cert.pem

and see if the data inside makes sense. You can create self signed certificates with:

    openssl req -new -nodes -keyout test.key -out test.csr
    openssl req -x509 \
        -days 365 \
        -key test.key \
        -in test.csr \
        -out test.crt.self

bye,

-christian-
Re: Redundant email servers
On Mon, Mar 10, 2003 at 03:44:11PM -0800, Nate Campi wrote:
> I'm sure I'm missing something here, but if there's duplicate POP/IMAP
> servers and no syncing of actual mailboxes the contents will get out of
> sync between them as users read their mail. How do you work around this
> with your scheme?

You could use drbd, the distributed block device. Works fine here. (Also this makes the ip takeover a bit harder!)

bye,

-christian-
Re: [d-security] Apache Virtual Hosts Chroot ?
Hello

On Tue, Feb 25, 2003 at 10:15:15AM +0100, debian-isp wrote:
> - chrooting virtual hosts in apache ?

We had great success with a tiny tool called sbox. All CGI/PHP requests are rewritten to "/cgi-bin/sbox?..." This sbox then looks at the file's owner and changes its uid to that one (if it's != 0). It also chroots to the DocumentRoot.

As PHP is run as CGI as well, everything except plain .html is executed with the uid of the ftp root's owner. This is by far the most secure (PHP-capable) setup I know. Except user-mode-linux maybe :)

Some limitations:
- .shtml and some .htaccess options are not allowed though, but you can live without.
- PHP will be slower of course but fast hardware is cheap enough.

bye,

-christian-

P.S.: Look at the archives, we had this discussion some times now..
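The wrapper behaviour described in the message above (take the script owner's uid, refuse uid 0, chroot to the DocumentRoot), as an added Python sketch that is not sbox's own code and not part of the original mail. All names (`plan_execution`, `confine_and_exec`, `ExecPlan`, `Refused`) are hypothetical, and the gid-0 and world-writable checks are extra assumptions beyond what the post states.

```python
import os
import stat
import types
from dataclasses import dataclass


class Refused(Exception):
    """The wrapper must not execute the requested script."""


@dataclass(frozen=True)
class ExecPlan:
    uid: int
    gid: int
    chroot_dir: str      # DocumentRoot the request is confined to
    script_in_jail: str  # script path as seen from inside the chroot


def plan_execution(docroot, script, st):
    """Decide identity and jail for one request.

    st is the stat result of the script (st_uid, st_gid, st_mode are used).
    Raises Refused instead of ever returning a plan that runs as root.
    """
    docroot = os.path.realpath(docroot)
    script = os.path.realpath(script)  # resolves symlinks and ".." first
    if script == docroot or os.path.commonpath([docroot, script]) != docroot:
        raise Refused("script is outside the DocumentRoot")
    if not stat.S_ISREG(st.st_mode):
        raise Refused("not a regular file")
    # The rule from the post: never switch to uid 0.
    # Refusing gid 0 as well is an added assumption.
    if st.st_uid == 0 or st.st_gid == 0:
        raise Refused("refusing to run with uid/gid 0")
    # Added assumption: a world-writable script could be replaced by any
    # local user and would then run with its owner's uid.
    if st.st_mode & stat.S_IWOTH:
        raise Refused("script is world-writable")
    return ExecPlan(st.st_uid, st.st_gid, docroot,
                    "/" + os.path.relpath(script, docroot))


def confine_and_exec(plan, env):
    """Apply a plan. Needs root; does not return on success.

    Order matters: chroot while still root, then drop groups, gid and
    finally uid, because after setuid() none of the others is permitted.
    The interpreter for the script has to exist inside the jail.
    """
    os.chroot(plan.chroot_dir)
    os.chdir("/")                      # leave no handle on the old root
    os.setgroups([])
    os.setgid(plan.gid)
    os.setuid(plan.uid)
    try:
        os.setuid(0)                   # must fail once privileges are gone
    except PermissionError:
        pass
    else:
        raise Refused("privileges could be regained")
    os.execve(plan.script_in_jail, [plan.script_in_jail], env)


if __name__ == "__main__":
    # Constructed sample: a customer script owned by uid/gid 1001.
    sample = types.SimpleNamespace(st_uid=1001, st_gid=1001,
                                   st_mode=stat.S_IFREG | 0o755)
    print(plan_execution("/srv/www/alice/htdocs",
                         "/srv/www/alice/htdocs/cgi/info.php", sample))
```
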
Re: Limit MySQL database sizes
On Fri, Jan 24, 2003 at 04:12:36AM +0800, Jason Lim wrote:
> But then how do all those "commercial" control panels, like Cpanel,
> H-sphere, and others, do their "MySQL quota"?

I don't know those products. Do they have evaluation versions or online docs that could be used to reverse engineer what kind of method they use? I would be very interested to know how to limit my users in a clean way. Or do you have an URL/email from them? Maybe they just tell it us :)

bye,

-christian-
Re: Limit MySQL database sizes
On Wed, Jan 22, 2003 at 02:39:34PM -0800, Jeremy Zawodny wrote:
> > How can a "quota" be put on MySQL sizes? That is... in a similar fashion
> > to the "commercial" control panels like Cpanel and such?
> >
> > Normal filesystem quotas don't work, since the database is owned by user
> > "MySQL" and not the user him/herself.
>
> You can chown the data files and make sure they're group-writable.

Oh, please NEVER use system quotas on mysql databases! This leads to severe data corruption as mysql has much data in cache that does not get written to disk once the quota is exceeded!

As long as there's no way for a user to get the actual used size the only thing you can do is limiting him manually by some sort of mail reminder and extra fees.

bye,

-christian-
Re: monitoring load average
On Wed, Jan 08, 2003 at 08:45:58AM +0100, Javier wrote:
> I think that "vmstat 5 2" and getting the last line could give you a
> good result.

BTW: I started to keep a

    vmstat 5 | logger -t vmstat:
    while true; do ps faxu|logger -t ps: ; sleep 15; done

running and log the output with everything else to a separate host who has logcheck and some other monitoring stuff installed. The ps line is quite interesting if the server crashes, if e.g. a server starts eating up all memory no minutely (cron granularity) run check is able to detect it.

bye,

-christian-

--
Christian Hammers, WESTEND GmbH - Aachen und Dueren
Internet & Security for Professionals
WESTEND ist CISCO Systems Partner - Authorized Reseller
Tel 0241/701333-0, Fax 0241/911879, [EMAIL PROTECTED]
Re: lsof +L1 - mysql.err.1 unlinked ...
Hello

On Tue, Jan 07, 2003 at 11:25:18PM +0100, Christian Jaeger wrote:
> >I have always these mysql.err.1 files not unlinked in all my
> >mysqlservers, and only a mysqld restart resolve these (nor reload
> >neither mysqladmin refresh doesn't unlink them).

The err file is created by safe_mysqld to catch the output mysqld produces when it cannot start. As mysqld outputs to stderr on errors, too, everything is appended to that file in the nohup line, too.

So there's currently the problem whether never to rotate it or to lose the error messages. I change the behaviour of the Debian package to not rotating now. A better fix is coming hopefully, I already proposed some possible solutions to the [EMAIL PROTECTED] list (reopening the file in flush-logs or using syslog).

bye,

-christian- (maintainer of Debian mysql package)
Re: IDE Hard Drive maintenance
On Tue, Jan 07, 2003 at 02:31:33PM +1100, Lauchlin Wilkinson wrote:
> I was wondering what most people on the list did when it came to keeping
> tabs on the health of IDE hard drives? I have a server in a remote

Apart from that you should install sensors to monitor your systems temperature, logcheck to let it mail you any anomalies and the usual bigbrother/netsaint/mon to watch services.

bye,

-christian-
Re: work but http://www.domain.com/file"> not work
On Tue, Dec 24, 2002 at 04:51:04AM -0700, eric lin wrote:
> Do you know why in the html code to show photo by
> http://12.34.56.78/photo.gif or jpg"> work but
> http://www.domain.com/photo.gif or jpg"> not work?

There are several web servers running on the host that has only one IP address. Web browsers are sending the hostname as HTTP option to identify the right one. It's called virtual hosting.

bye,

-christian-
Re: SCSI errors.
On Tue, Dec 10, 2002 at 11:03:25AM -0200, André Luís Lopes wrote:
> Dec 8 04:24:54 intranet kernel: Info fld=0x23ee7f, Current sd08:31: sense
> key Medium Error
...
> Dec 9 06:29:29 intranet kernel: I/O error: dev 08:31, sector 2324328

For me those always were a sign of badblocks. If it's just one scsi disk or you can remove one raid disk a time, run "badblocks" over each disk to find the faulty (each disk that is behind /dev/sdb because 08:31 is /dev/sdb15).

bye,

-christian-
Story on IDE raids on tech-report.com & slashdot
Hi

This might be of interest for the ones that discussed IDE raid in the past days in this list.

IDE RAID Examined
http://slashdot.org/article.pl?sid=02/12/04/2245253
http://tech-report.com/reviews/2002q4/ideraid/index.x?pg=1

bye,

-christian-
MySQL 4.x is in experimental! (was: Re: experience with mysql 4.x)
Hi

On Sun, Dec 01, 2002 at 07:38:20AM -0800, Jeremy Zawodny wrote:
> We've been using various builds of 4.0.x in production at work for a
> few months now. It has worked very well. It is quite stable.

After users kept on asking me for it, I finally uploaded the first 4.x package to experimental. It's upstream 4.0.5a. The package is not as clean as it should be (Debian-wise) but usable.

Please test :-)

bye,

-christian-
open source workflow management for ISP needs?
Hello

Can anybody recommend me an open source (for money or not) workflow and problem tracking system for Linux? I guess most ISPs have roughly the same tasks so this might be of general interest here.

The system should be capable of handling
- workflows (prepare line, configure router, visit customer) maybe even with different default users for each task
- employees/users vs customers/others
- single users as well as groups of users (marketing/tech/..)
- priorities (low,medium,high)
- classes (tech,marketing,support)
- ticket numbers
- resubmission after X days
- quick handling via E-Mail possible
- web interface for overview and more complicated changes
- optional: reminder mails

We're currently using the RUST ticket system with a lot of customizations (works quite well) but it lacks, like most of the standard bug tracking systems, a workflow management.

bye,

-christian-

--
Beware of bugs in the above code; I have only proved it correct, not tried it.
  -- Donald E. Knuth
Bind patches are available at ISC
Hi

For those of you who would not like to upgrade or wait for the DSA, here are the ISC patches for BIND 4 and 8:

http://www.isc.org/products/BIND/patches/bind833.diff

bye,

-christian-
Problems with sync NFSv3
Hello

I guess some of you have NFS mounted shares so I like to hear about your experiences.

I'd like to use nfs-kernel-server with "sync" in /etc/exports but on my setup this is unbelievably slow. Trying to use sqwebmail on a 200 mail mailbox needed 30 instead of 3s and even a short

    time perl -e 'for (my($i)=0; $i<1000; $i++) {open(F,">t.$i");close(F);}'

took me 5s on syncNFS instead of 0.5s local FS or at least 1s on asyncNFS. The network transfer itself only needs ~2MB but I see with vmstat, that the server writes about 40MB buffer-out. Why? Any ideas how to improve it?

Does everybody else use async NFS? I thought as the latest NFS package even defaults to sync it is more recommended.

Does anybody really understand how reliable async NFSv3 (not v2, there are told to be big differences) in cases of server or client crashes is? I've heard about a client side cache that stores every write until it receives a commit-ok...

bye,

-christian-

P.S.: The vmstat of the above perl script:

       procs                      memory    swap          io     system         cpu
     r  b  w   swpd   free   buff  cache  si  so    bi    bo   in    cs  us  sy  id
     0  0  0  26804   9684 187304 316504   0   0     0     0   10417      0   0 100
     0  0  2  26804   8596 187304 316504   0   0     0  4484 1679  3704   6   6  88
     0  0  2  26804   9656 187304 316504   0   0     0  8556 3213  7404   1   7  92
     1  0  2  26804   9656 187312 316516   0   0     4  8160 3135  7096   0   8  92
     0  0  2  26804   9596 187312 316516   0   0     0  8660 3244  7449   0   9  91
     0  0  2  26804   7752 187312 316516   0   0     0  8216 3090  7093   9  10  81
     0  0  0  26804   9376 187312 316516   0   0     0  6780 2579  5907   0   9  91
     0  0  0  26804   9400 187312 316516   0   0     0     0   11434      0   0 100
UDP checksums fail with basic inetd services at high rates
Hi

I have to prove the bit error rate of a network and wanted to simply send a couple of Gigs to the echo port of a remote computer and compare the /proc/net/snmp values for Udp:InErrors and Tcp:InErrs which, according to my information, count the incorrect tcp/udp checksums.

Sadly while playing around with iperf[1] and sendip, I saw that the error numbers are raising with even 1/s when using more than say 100kbit in a normal switched FastEthernet.

Does inErrors count something different/additional than header checksums? I would have expected some dropped packages due to congestion but not incorrect packages?!

I tried inetd and xinetd on 2.4 kernels and even using the echo service of a cisco router. (the router reported no problems, just my linux host)

bye,

-christian-

[1]: iperf --interval=10 --port=7 --udp --bandwidth=1M --num=1200M -c host
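The counter comparison described in the message above, as an added Python example that is not part of the original mail: it parses two /proc/net/snmp snapshots and splits the Udp InErrors delta into its causes. It assumes a Linux kernel whose Udp line also carries the RcvbufErrors and InCsumErrors columns (newer than the 2.4 kernels in the post); on such kernels InErrors includes both. The function names and the snapshot contents are constructed for illustration.

```python
# Constructed snapshots in /proc/net/snmp layout: one header line and one
# value line per protocol. Taken "before" and "after" a test transfer.
SAMPLE_BEFORE = """\
Tcp: RtoAlgorithm RtoMin RtoMax MaxConn ActiveOpens PassiveOpens AttemptFails EstabResets CurrEstab InSegs OutSegs RetransSegs InErrs OutRsts InCsumErrors
Tcp: 1 200 120000 -1 10 5 0 0 2 5000 4000 3 0 1 0
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors IgnoredMulti
Udp: 1000 2 10 900 8 0 2 0
"""

SAMPLE_AFTER = """\
Tcp: RtoAlgorithm RtoMin RtoMax MaxConn ActiveOpens PassiveOpens AttemptFails EstabResets CurrEstab InSegs OutSegs RetransSegs InErrs OutRsts InCsumErrors
Tcp: 1 200 120000 -1 10 5 0 0 2 5100 4050 3 0 1 0
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors IgnoredMulti
Udp: 151000 2 1210 900 1206 0 4 0
"""


def parse_snmp(text):
    """Return {protocol: {counter_name: int}} from /proc/net/snmp content."""
    rows = [line.split() for line in text.splitlines() if line.strip()]
    if len(rows) % 2:
        raise ValueError("expected header/value line pairs")
    tables = {}
    for header, values in zip(rows[0::2], rows[1::2]):
        if header[0] != values[0] or len(header) != len(values):
            raise ValueError("header and value line do not match: %r" % header[0])
        tables[header[0].rstrip(":")] = {
            name: int(value) for name, value in zip(header[1:], values[1:])
        }
    return tables


def udp_error_breakdown(before, after):
    """Split the growth of Udp InErrors between two snapshots.

    checksum / rcvbuf are None when the kernel does not export those
    columns; "other" is what neither of them explains.
    """
    old, new = parse_snmp(before)["Udp"], parse_snmp(after)["Udp"]

    def delta(name):
        if name in old and name in new:
            return new[name] - old[name]
        return None

    in_errors = delta("InErrors")
    checksum = delta("InCsumErrors")
    rcvbuf = delta("RcvbufErrors")
    other = None
    if checksum is not None and rcvbuf is not None:
        other = in_errors - checksum - rcvbuf
    return {
        "delivered": delta("InDatagrams"),
        "in_errors": in_errors,
        "checksum": checksum,   # datagrams dropped for a bad UDP checksum
        "rcvbuf": rcvbuf,       # datagrams dropped because the socket queue was full
        "other": other,
    }


if __name__ == "__main__":
    result = udp_error_breakdown(SAMPLE_BEFORE, SAMPLE_AFTER)
    for key, value in result.items():
        print("%-10s %s" % (key, value))
```

In the constructed sample almost all of the InErrors growth comes from RcvbufErrors, that is, from the receiver not draining its socket fast enough, and only two datagrams failed the checksum.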
Re: New approach with removable IDE RAID Backup (was: Tape Question)
Hi

> > Why tape, buy a ATA (IDE) RAID controller that allowes hot swap and
> > hot plugable devices (e.g. 3ware). Then setup a raid1 between two
> > harddiscs.
> >
> > [...]

On Wed, Aug 28, 2002 at 09:56:52AM +1000, Craig Sanders wrote:
> 1. as well as the raid rebuild, you still need to rsync the new/changed
> data to the raid array after a drive has been hot-swapped - and ideally,
> that should be delayed until after the rebuild has completed. does the
> 3ware unit have tools for monitoring the progress/status of the rebuild?

Yes, even logs to syslog through a 3ware daemon.

> 2. what about off-site backup? or archiving? i think a tape drive is
> still needed for these purposes. drives are too fragile to carry back
> and forth between home and work every day, and still too expensive to
> just sit one on the shelf for an archive

Well, it sounds like waste but considering the price for a DLT drive (DDS3 is often too slow or too small) then it's even cheaper to buy IDE drives. Carrying around IDE drives might be dangerous but I think they should take no harm if one is careful.

> archived data if the raid unit will rebuild it to the latest version as
> soon as you plug it in?)

My idea was, that the 3ware controller has at least 4 ports and my drive bay handles 3 drives in a height of 2 5.25" bays. So I could configure the raid to have 2 drives RAID1 and one drive just as-is. Plugging the drive into this bay would give me a /dev/sdb or so which I could use for restoring.

Or, in this case one could use the BIOS utility or the 3ware daemon with web frontend (usable with lynx) to reconfigure the raid before inserting the restore drive as only drive in JBOD mode. As restores are not so common this could be ok. At least you can even have the possibility to boot from this drive (restoring from a tape is hard if you cannot boot anymore...)

bye,

-christian-
New approach with removable IDE RAID Backup (was: Tape Question)
Hi

On Wed, Aug 21, 2002 at 04:14:09PM +1000, Craig Sanders wrote:
> > I have a big size file about 33G in /home directory !!! and i wanna
> > backup this file into tape device

Why tape, buy a ATA (IDE) RAID controller that allows hot swap and hot pluggable devices (e.g. 3ware). Then setup a raid1 between two harddiscs.

Whenever you like to do the backup simply mount that array, rsync /home to it and umount again. The next morning, exchange one of the discs against a new one, the discs are your backup medium. The new disc will be rebuilt automatically and be available for the next backup after a few hours.

Sounds strange? Well never got the chance to test it myself but it could work.

Benefits:
- Cheaper: RAID Controller (300€) + Drive Bay (200€) + 4 drives (100€ pro 60GB) are about 900€. This is more than competitive with DAT/DDS3 and even more with DLT tape drives.
- Faster and easier when restoring. Obviously, just mount it.
- More capacity per medium. Splitting up across several media makes things complicated.

Any comments?

bye,

-christian-
/usr/lib/sendmail replacement for chroot and localhost:25
Hi

I'm looking for a "/usr/lib/sendmail -t" compatible script that just delivers mails from PHP which runs in a chroot to a postfix daemon that listens on the web server.

It seems I cannot use the normal sendmail or postfix binaries as they are all split up to a user-mail-submission and a mail-transport-agent which would force me to have a daemon running that looks into (each!) chroot /var/spool/"mta-queue" for new mail.

I tried a small sendmail replacement (ssmtp 2.50.6) but it seems to have some problems...

bye,

-christian-
Re: webmail
Hello

On Sun, Jun 16, 2002 at 10:22:39PM +0100, Alexander Clouter wrote:
> not all of them are debianized however recently in preparation of a big
> service server I'm setting up soon I looked into webmail stuff and trawled
> through *every* one on freshmeat :)

Wow, great work! Useful would also be remarks about
* how fast it is (does it "feel" sluggish?)
* how good it deals with *big* multipart mime mails (people like to send 50MB Excel sheets via mail. Crashes some of those systems..
* activeness of development (sometimes noted).

You could maybe add those fields and ask people visiting your web page for their experiences to complete them...

anyways, please don't remove this page, I will surely need it soon :-))

bye,

-christian-
SNAT does wrong port mapping?
Hello

I have a host with two ethernet addresses A and B. From another host I try to connect to B over the interface from A to make snmp queries:

-- -- client --- AB--- ----

Not the packets successfully are forwarded from the A interface to the B interface. The snmpd creates a reply packet but this then originates from the address of interface A! This is a problem for me because my Firewall doesn't find an established/related connection in its conntrack table for it.

I tried to SNAT the outgoing packets with:

    iptables -t nat -A POSTROUTING -p udp --sport 161 -j SNAT --to-source 10.0.0.42

but then either the srcport is changed to an arbitrary value causing the firewall to block the packet or, if I write "--to 10.0.0.42:161", there's no packet sent, although the POSTROUTING rule count increases and /proc/net/ip_conntrack shows a seemingly correct entry:

    udp 17 29 src=212.117.68.10 dst=10.0.0.42 sport=51558 dport=161 [UNREPLIED] src=10.0.0.42 dst=212.117.68.10 sport=161 dport=51558 use=1

Does anybody have a clue about this? My goal was a host with many IPs (a router) which can be accessed by only one IP that is independent from any real interface connection and that makes connection with only this very same IP (important for ACLs on other hosts).

-christian-
Re: Re-post, with additional questions/infomation: Traffic monitoring/logging question
On Tue, Mar 05, 2002 at 10:50:26PM +0100, Auke Rensen wrote:
> NTOP:
> 1.) Does anyone know how to log and store the collected data?
> 2.) Does anyone know how to insert specific source/destination rules?

Take a look at the netflow/sflow exporting capabilities of ntop. It is almost compatible with the netflow exports of cisco routers.

bye,

-christian-
booting from CompactFlash Cards
Hello

I plan to replace a Cisco by a Linux router and would like to use a "compact flash" card instead of a hard drive to minimize hardware outages.

Can anybody recommend me a CompactFlash solution that allows booting? As far as I learned those cards have built-in IDE adapters and are connected to the PC via a simple connector-adapter to a 40pin IDE cable.

Sadly at least Verbatim do not think that their cards are able to present a correct "master boot record" to the BIOS although I can see no difference between requesting sector 0 on track 0 (MBR) and any other position.

thanks,

-christian-
BGP4/OSPF routing daemon for Linux?
Hello

I would like to replace a Cisco router by a Linux box and therefore need a stable(!) BGP4/OSPF routing daemon.

Has anybody here ever used Zebra/MRTd/gated in production environment?

thanks,

-christian-
Are partition tables device independant?
Hello

Does anybody know if I can safely move a dd-dump from a whole disk to another including the partition table? Or is the internal representation using CHS information instead of just block numbers?

bye,

-christian-
question regarding BIND and "zero ttl"
Hello

One of our cron scripts regularly says

> !!! hostname-xyz.westend.com A record has zero ttl

on stderr. A prepended "killall -INT named" in the crontab shows that at this time there is no entry in the bind cache for this host because the 86400s of the TTL are expired and bind cleared it.

So far so good, but why doesn't bind simply request the information from upstream. It has no forwarders installed and the authoritative hosts of course always say TTL 86400 (just checked both of them).

Does anybody know a reason? We always get the error with this host with the "host_2331-1.deb" on "bind_1:8.2.4-1.deb".

thanks,

-christian-
Re: procmail
On Mon, Dec 17, 2001 at 09:46:33AM +1100, Craig Sanders wrote:
> PS: there's no such thing as a BCC header in incoming mail. it is
> stripped either by the user-agent when sending a message or, at the
> latest, by the MTA when it receives the message. it can't be used to
> sort mail because it doesn't exist.

That's wrong according to the specs[1], although I've never seen an SMTP MUA/MTA that did actually show the Bcc recipients to each other.

bye,

-christian-

[1] rfc822 4.5.3. BCC / RESENT-BCC
Some systems may choose to include the text of the "Bcc" field only in the author(s)'s copy, while others may also include it in the text sent to all those indicated in the "Bcc" list.

--
This is a test of the Emergency Broadcast System. If this had been an actual emergency, do you really think we'd stick around to tell you?
Re: replicating, balanced web-server with *write* access?
On Sun, Nov 11, 2001 at 06:14:23PM +0100, Russell Coker wrote:
> 1) Use rsync to transfer files, and for writes have some sort of database
> push (EG use ssh to run a program on the primary server which does the
> update). Then of course the data you read won't be as new as the data you've
> written.

Now I'll probably make one sleeping-failover server which rsyncs every five minutes and only comes to play if the main server goes down.

> When designing for high availability I aim for minimum loss of service (not
> necessarily minimum downtime). So if something goes wrong and 10% of the
> functionality isn't available for a few hours it's often not such a big deal.

But you often have problems like crashing systems when the tape is in use or the load gets too high. Then you want to examine the whole physical computer so a real downtime is needed. On the other hand you won't let anybody realize this so an immediate sync would be cool. But as you said that's impossible for now...

bye,

-christian-
Re: replicating, balanced web-server with *write* access?
On Sun, Nov 11, 2001 at 02:09:01PM +1100, Jeff Waugh wrote:
> RAID on Network Block Devices. You get the benefits of RAID, but over a
> number of different machines, perhaps even on different networks if the
> topology allows for the performance requirements.

Does it really allow writing in *both* directions? I mean both servers should be able to write to the same "filesystem" so they would have to mount each other as nbd... Else it would only be good for one-way failover service.

> It's A CRAZY SCHEME, but it MIGHT JUST WORK! [1]

yeah, that's what I want to have on my production servers

> - Jeff

thanks,

-christian-
replicating, balanced web-server with *write* access?
Hi

Much is written about High-Availability servers but I still didn't find a good solution how to build two load-balanced webservers _without_ connecting them both to one RAID (single point of failure).

The problem with balancing between two servers is that they might host web-servers that could write a file on system A and then reading this file (status file or whatever) on system B immediately before e.g. rsync could transfer it. In the worst case writing/reading could happen for two different connections so that even connection based balancing wouldn't work.

For now I have three ideas:

1. forget about load balancing and do one-way balancing i.e. having one primary and one minutely synced backup. In a case of a failure the backup would take over the service and even if there's a little loss it only occurs at failures.
2. use network attached storage. To avoid another single point of failure you then would have to take two file servers and a protocol (NFS won't need) to realize this. Maybe at least IP takeover and forced reconnection NFS clients.
3. Forget about writing anything to disk - apart from FTP uploads everything will have to be written to database. But tell that your customers..

The ideal solution would be a network filesystem like www.inter-mezzo.org but it does not appear to be really mature and tested in real life conditions.

So any idea?

bye,

-christian-

--
Christian Hammers    WESTEND GmbH - Aachen and Dueren    Tel 0241/701333-0
ch@westend.com    Internet & Security for Professionals    Fax 0241/911879
WESTEND is a CISCO Systems Partner - Premium Certified
Maildir with indexes

Hello

Does anybody know a Maildir variant that supports index databases to allow faster searching for e.g. subject/to/from headers?

I'm looking for a way to store my old mail and archives and maildir seems to be the best fitting to search with grep/find but an index e.g. a berkeley db2 file that is in addition to the normal files would be better while staying compatible to "normal" maildir usage with mutt.

bye,

-christian-

--
One of the main causes of the fall of the roman empire was that, lacking zero, they had no way to indicate successful termination of their C programs.
Re: Traffic account in debian
On Wed, Oct 03, 2001 at 11:22:24AM +1000, Mario Zuppini wrote:
> Im desperately after an accounting / reporting tool for debian that
> shall report every bit of traffic per IP through

Try nacct, gives very much details and has a mysql backend.

bye,

-christian-

--
"Very funny, Scotty. Now beam down my clothes."
Re: Failover with MySQL
Hi

[a bit late but never tell a thread dead...]

On Fri, Aug 17, 2001 at 11:01:26AM +, Buisson Olivier wrote:
> > > To be more understood: I would like to setup 2 mysql server. One is a
> > > master and would take all requests. When it failed, the other server
> > > takes the hand and respond to the requests.

I've once installed this setup (although it's not yet in production) and it seems to work nice in one way i.e. you take care that the backup server never gets written to unless he's master because replication works only from master to slave and not the other way around.

The config btw. is quite easy, about two lines in every my.cnf and a "backup" user with proper rights and that's all.

bye,

-christian-

--
PETA sues FermiLab for cruelty to Schrödinger's Cat; outcome uncertain
Re: IP Accounting and 2.4
On Tue, Jul 03, 2001 at 05:44:42PM -0500, Chad C. Walstrom wrote:
> I'm interested in finding out what others have done for IP accounting
> for a large number of customers. (Rate limiting and traffic shaping

We use CISCO and now have moved our accounting to CISCO's Netflow, i.e. the routers export a list of all connections with their consumed bytes every x minutes (a lot of data..).

But as you're using a linux router I would suggest you the net-acct package that's available as .deb, too. It does pretty much the same as netflow and should be the right thing for you.

bye,

-christian-

--
You know you're a nerd when your os uptime is longer than you've ever had a girlfriend. ([EMAIL PROTECTED])
Re: disk partition schemes
On Mon, Jul 02, 2001 at 03:12:31PM +0200, Russell Coker wrote:
> If your root file system is at the start then it is unlikely to be large
> enough to break any boot loaders. Recent boot loaders are very capable...

fill it up to more than 512MB (was it that number?) and then compile a new kernel years later and it will be after that magical border and thus inaccessible.

> > * /var, as used for logs, can fill up completely if a program
> > get mad and prevent other programs than just syslogd from working if
> > it's on /
> chgrp log /var/log/*log
> Set quota for log group. Problem solved?

I would assume that disc quota increase the load on a server. As we're talking about a heavily loaded server with much disc IO (else this partitioning is not necessary) this would slowdown it, or not?

> From what I've seen LVM is much better at breaking data into pieces than
> it is at putting them back together... I wanted to take over maintenance
> of the LVM packages for Debian but couldn't because I couldn't get it
> working with a recent kernel!

I use 2.4.6-pre7 and use LVM, reiserfs and ext3 without problems. (maybe my kernel is just too recent...)

bye,

-christian-

--
Real men don't take backups. They put their source on a public FTP-server and let the world mirror it. -- Linus Torvalds
Re: disk partition schemes
On Fri, Jun 15, 2001 at 10:13:33AM -0400, Kevin J. Menard, Jr. wrote:
> Basically, I have 20 gigs of space to tinker with (well, there's really 40
> there, but I run a hardware RAID 10). I also have half a gig of SDRAM (sure
> this would matter with swap space). Now, I have no problem running fdisk or
> anything, but I wanted to get a feel for what people are doing for various
> types of systems.

Separated partitions are useful for the following reasons for me:

* /boot because old bootloaders (and new?) have problems with bzImage files over a certain sector number, i.e. it should be at the start of your HDD.
* /var, as used for logs, can fill up completely if a program get mad and prevent other programs than just syslogd from working if it's on /
* /usr/local, /home etc can be on separate partitions if your / is e.g. a standard system that's just copied from a CD image when installing a server or if you like to backup the partitions in different intervals.
* generally as filesystems sometimes get corrupt it's good if at least some servers work. and you have a platform from which you can do a fsck (ever tried to fsck a root reiserfs? it cannot be done even if mounted only readonly (at least back somewhen)).

Something I would suggest you, too is LVM. There you can partition your harddisc(s) in arbitrary pieces (physical extents), put them together in a big heap (volume group) and from this heap you can cut out your virtual discs (logical volumes) and resize them as needed no matter if they are physically in a line or scattered over all harddiscs.

Of course this requires a filesystem that can adjust, too, only extending the (virtual) partition alone doesn't help. But reiserfs (AFAIK) and ext2/ext3 can do it. (well but keep in mind that this is not 10-year-approved technology so maybe not use it with your best paying customer..)

bye,

-christian-

--
"Caution: Cape does not enable user to fly." (Batman Costume warning label)
SQL/LDAP Backend for DNS? (was: Web-Based DNS Frontend)
Hello

Apropos, does anybody know a way to make BIND (>=8) use a SQL or LDAP server for storing any data? Text files are easy to edit by hand but I don't want to have the work to edit them :-)

I have seen some nasty patches but none worked really nice. Any changes in the last months?

bye,

-christian-

--
Christian Hammers    WESTEND GmbH - Aachen and Dueren    Tel 0241/701333-0
ch@westend.com    Internet & Security for Professionals    Fax 0241/911879
WESTEND is a CISCO Systems Partner - Premium Certified
network monitoring using graphs and status
Hello

I have a simple problem but find no suitable programs and won't reinvent the wheel so I ask here for suggestions. I'm looking for a program to monitor our ISP network servers and routers that is capable of doing

1. checking different services (like mon, netsaint)
2. showing nice graphs of cpu load and disc-space and traffic (like MRTG)
3. produces HTML pages (like netsaint)
4. is free and extendible

Sadly all recommended and found-on-the-web programs don't fulfill all my needs :-( MRTG was also not so suitable as it depends too strongly on traffic analyses and is incapable of showing e.g. three graphs in one picture and I like to have as much information on one HTML page.

bye,

-christian-

--
Christian Hammers    WESTEND GmbH - Aachen and Dueren    Tel 0241/701333-0
[EMAIL PROTECTED]    Internet & Security for Professionals    Fax 0241/911879
WESTEND is a CISCO Systems Partner - Premium Certified
Re: Which frontend for SNMP monitoring of server farms?
On Tue, Oct 31, 2000 at 08:34:11AM -0800, brian moore wrote:
> I'm not sure why you'd use mon as a 'local watchdog'. Mon is quite
> capable of monitoring remote machines. I've used mon for years and it

Yes, but I wanted to have a local service who can restart daemons if they are down. This is more elegant as trying to restart them remotely via ssh.

bye,

-christian-

--
Christian Hammers    WESTEND GmbH - Aachen and Dueren    Tel 0241/701333-0
[EMAIL PROTECTED]    Internet & Security for Professionals    Fax 0241/911879
WESTEND is a CISCO Systems Partner - Premium Certified
Which frontend for SNMP monitoring of server farms?
Hello

Which tools would you recommend for monitoring CPU/disk/squid-,apache-load of several servers at an ISP?

Up to now I only have little watchdog scripts that bark via SMS/mail when some critical situation occurs but I want to check once a day on a web page and see some statistics and nice green signs saying me that everything was ok in the last few weeks and which server must be upgraded in the next few months or where a temporary max-load/bottleneck occurred.

tkined and openNMS seems to be suitable for this (maybe with "mon" as local watchdog) but I wonder if they're ready for production use. (At least openNMS looks very alpha)

thanks,

-christian-

--
Christian Hammers    WESTEND GmbH - Aachen and Dueren    Tel 0241/701333-0
[EMAIL PROTECTED]    Internet & Security for Professionals    Fax 0241/911879
WESTEND is a CISCO Systems Partner - Premium Certified
Re: High Availability.. (SQL server)
Hello

Has anyone ever tried to make a webserver host with a mysql database (used for a session database that gets updated on every click) redundant by adding an exactly same computer and do DNS-load balancing?

If there were no SQL database this would be no problem, two web-servers that access a shared NFS Raid for data. But you can't have two MySQL daemons access the same files and if you have only one SQL server for both web servers there is no redundancy.

On the other side if you have two separate mysql servers there is no synchronising between them, I know about that update-log method but when serving a couple of clients per second I doubt that the two servers synchronise fast enough to allow using a session-db (imagine first request on A, then second request on B but B's mysql server hasn't updated the mysql db and so the session information are lost).

Any ideas?

bye,

-christian-

--
Research is what I'm doing when I don't know what I'm doing. -- Wernher von Braun
Re: MySQL search/replace. help please
On Thu, 07.09.00 18:59 +, t s a d i wrote:
> hello gang!

yo man!

> what i need to do is to search out all occurences of the string
> "www.olddomain.com" and change it to "www.mynewdomain.com".

Well, I go the simple way for these problems:

    mysqldump --opt database table \
      | sed 's/oldstring/newstring/g' \
      | mysql database

bye,

-christian-

--
Real programmers confuse Christmas and Halloween, because Dec 25 = Oct 31 !!!
Re: MySQL vs. Postgres
On Wed, 30.08.00 18:02 +0200, Dariush Pietrzak wrote:
> Hmm, if you need fast why use sql server? you could use databases
> in files. they're fast, simple etc.

Which file based database system is faster than mysql? I tried Berkeley db3 (although with transaction code) and it was horribly slow!

bye,

-christian-

--
You know you're a nerd when your os uptime is longer than you've ever had a girlfriend. ([EMAIL PROTECTED])
Re: Routing
On Tue, 29.08.00 09:48 -0700, Kevin wrote:
> I've got my network on 10.0.0.0/24. The gateway is 10.0.0.1 and the
> bridge/router is on 10.0.0.1. I need to setup a static route in the
> gateway that says anything for 10.1.1.0/24 should use 10.0.0.1 as
> its next hop. From my view I can't do it with normal route as it
> will only take an interface as the destination. Any ideas?

You want this?

    route add -net 10.1.1.0 netmask 255.255.255.0 gw 10.0.0.1

bye,

-christian-

--
Did You know that MicroSoft was named after Bill Gates' penis ?
Re: Debian and LDAP
On Tue, Aug 01, 2000 at 10:12:12PM +0200, Dariush Pietrzak wrote:
> > > my users faster, and it's more straight-forward ( without using
> > Are you sure that you used indices on your entries?
> hmmm, what are indices and how can I use them?

thought this :-)

in slapd.conf (assuming you are using openldap):

    index dn,objectclass,o,ou,cn,radiuspassword,radiususername,radiusprofile

Then whenever one of the above attributes gets inserted (you have to reinsert your whole database at the first time!) the following files get built, leading to faster access of the objects:

    proxy:/var/lib/openldap# ll
    total 3715
    drwxr-xr-x2 root root 1024 Apr 15 12:57 .
    drwxr-xr-x 10 root root 1024 Mar 27 16:24 ..
    -rw-r--r--1 root root5 Jul 27 15:38 NEXTID
    -rw---1 root root 290816 Jul 27 16:00 cn.dbb
    -rw---1 root root 1249280 Jul 27 16:00 dn.dbb
    ...

> > their userbase because of a little typo in these very ugly openldap
> > security rules :-(
> duh? could you elaborate on that? I don't quite follow and understand
> what could be the problem?

No real problem just a bit work to check if one hasn't forgotten anything...

> regards, Eyck

bye,

-christian-

--
Christian Hammers    WESTEND GmbH - Aachen and Dueren    Tel 0241/701333-0
ch@westend.com    Internet & Security for Professionals    Fax 0241/911879
WESTEND is a CISCO Systems Partner - Premium Certified