Re: Bandwidth... compression... saving $$?
On Tue, 2002-09-03 at 04:37, Jason Lim wrote:
> Any ideas on how this tunnelling could be made completely transparent (or
> as transparent as possible)?
>

Well, I've done something like this with ssh tunnels and mangling the DNS
locally. Basically, set up a compressed ssh tunnel using the -L option,
listening on the service's normal port, and change the resolved IP address
of the destination to the IP address of the ssh tunnel (if you're testing
on your local machine, this would be 127.0.0.1). Once you're finished
testing, you can even use iptables to redirect traffic to the ssh tunnels.

However, the biggest problem I found was that when ssh disconnects, it
doesn't automatically reconnect. I guess some magic scripting would get
around that easily enough, but that's when I dropped the whole idea over a
year ago.

The other (potential) problem is getting ssh access to a machine close
enough to the destination to make it worthwhile. I guess it's easy if you
have root on the target machines (this IS -isp, after all ;-). Other
potential problems have already been discussed in this thread (support,
etc).

> I'm sure if this could be worked out, a lot of us here in Australia would
> be pretty happy :-)
>

Sure, it would make us happy, however most have accepted it as the price of
doing business on the Internet in Australia. *shrug* If you can't afford
it, why are you using it?

--
Joel Michael                 | Phone:  +61 7 3367 3555
Systems Administrator        | Fax:    +61 7 3367 3544
WorldHosting.org Pty. Ltd.   | Mobile: +61 408 336 728
http://www.worldhosting.org/ | Email:  [EMAIL PROTECTED]
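The reconnect scripting mentioned in the message above, as an added example that is not code from the thread: a supervisor loop around a compressed `ssh -L` tunnel with capped exponential backoff. The gateway account, target address, local port and the timing values are placeholders chosen for illustration.

```bash
#!/usr/bin/env bash
# Added example: restart a compressed "ssh -L" tunnel whenever it drops.
# GATEWAY, TARGET and LOCAL_PORT are placeholders, not values from the thread.
LOCAL_PORT=${LOCAL_PORT:-8080}             # the service's normal port
TARGET=${TARGET:-127.0.0.1:80}             # service address as seen from the gateway
GATEWAY=${GATEWAY:-tunnel@gw.example.net}  # ssh account close to the destination
SSH_BIN=${SSH_BIN:-ssh}
SLEEP_BIN=${SLEEP_BIN:-sleep}
MAX_DELAY=${MAX_DELAY:-60}                 # cap on the retry delay, seconds
STABLE_SECS=${STABLE_SECS:-300}            # a run this long resets the backoff

# Delay before retry N (1-based): 1, 2, 4, ... capped at MAX_DELAY.
backoff_delay() {
    local n="$1" d=1
    while [ "$n" -gt 1 ] && [ "$d" -lt "$MAX_DELAY" ]; do
        d=$((d * 2)); n=$((n - 1))
    done
    if [ "$d" -gt "$MAX_DELAY" ]; then d=$MAX_DELAY; fi
    echo "$d"
}

# One tunnel session. -N: no remote command, -C: compression, -L: forward.
# The listener binds to 127.0.0.1 only; BatchMode fails fast instead of
# prompting; the ServerAlive options make ssh exit when the link is dead.
run_tunnel() {
    "$SSH_BIN" -N -C -o BatchMode=yes -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=15 -o ServerAliveCountMax=3 \
        -L "127.0.0.1:${LOCAL_PORT}:${TARGET}" "$GATEWAY"
}

# Run the tunnel max_runs times (0 = forever), backing off between failures.
supervise() {
    local max_runs="${1:-0}" runs=0 fails=0 start rc
    while [ "$max_runs" -eq 0 ] || [ "$runs" -lt "$max_runs" ]; do
        start=$(date +%s); rc=0
        run_tunnel || rc=$?
        runs=$((runs + 1))
        if [ $(( $(date +%s) - start )) -ge "$STABLE_SECS" ]; then fails=0; fi
        fails=$((fails + 1))
        echo "ssh exited with status $rc; retry $fails" >&2
        "$SLEEP_BIN" "$(backoff_delay "$fails")"
    done
}

if [ "${1:-}" = "run" ]; then supervise 0; fi
```

Start it with the argument `run`; key-based authentication is assumed, since BatchMode disables password prompts.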
Re: web log analysis
On Thu, 2002-08-22 at 10:47, Russell Coker wrote:
> A client needs a program that does similar things to webalizer, but also
> allows breaking everything completely by day at least (and preferably by
> hour too).
>
> Doing it the way webalizer does (static web pages and gifs) probably won't
> scale too well for such use, so something based on a database will probably
> be best.
>
> Also ideally it should handle multiple virtual hosts.
>
> Any ideas?
>

Is Analog + Report Magic (http://www.reportmagic.org/) kind of what you're
looking for? If so, 'apt-get install rmagic' should take care of the
installation for you.

--
Joel Michael                 | Phone:  +61 7 3367 3555
Systems Administrator        | Fax:    +61 7 3367 3544
WorldHosting.org Pty. Ltd.   | Mobile: +61 408 336 728
http://www.worldhosting.org/ | Email:  [EMAIL PROTECTED]
Re: Mail question
On Thu, 2002-07-18 at 16:50, Craig wrote:
> Hi Fellows
>
> Has anyone succeeded in setting up a multi-user mailbox that
> exchange 2000 retrieves mail from using exim ?
> I am having
> the problem that when exchange retrieves the messages, it's
> resending them again which causes the recipients of the
> original mail to receive duplicates.
>
> Any suggestions would be welcomed.
>

I've seen this happen with exchange pop'ing mail off a qmail+vpopmail
server. I eventually (after a few hundred MB of email, which the client
paid for in their data traffic charges) figured out that the original
sender sent an email to a local alias, the local alias expanded and got
delivered to our server, then the exchange server retrieved the email and
didn't know who the To: address was, so it re-sent the email to the To:
address, which was an alias on someone else's server, which expanded the
alias... (you get the idea, looping message!)

I'd suggest a very large hammer aimed at the exchange box, or the admin of
said exchange box ;-)

--
Joel Michael                 | Phone:  +61 7 3367 3555
Systems Administrator        | Fax:    +61 7 3367 3544
WorldHosting.org Pty. Ltd.   | Mobile: +61 408 336 728
http://www.worldhosting.org/ | Email:  [EMAIL PROTECTED]
Re: "transparent" firewall possible?
On Mon, 2002-02-04 at 22:13, Joel Michael wrote:
> I got this information off a web site that's bookmarked on my work
> computer, if you want I'll dig up the URL tomorrow.
>

Well, the URL is http://www.sjdjweis.com/linux/proxyarp/ for those that are
interested.

Cheers,
--
Joel Michael
Systems Administrator
Worldhosting.org Pty. Ltd.
Ph: +61 7 3367 3555
Fax: +61 7 3367 3544
Mobile: +61 408 336 728
Re: "transparent" firewall possible?
On Mon, 2002-02-04 at 20:17, Jason Lim wrote:
> Probably someone has done all this in the past, and in fact I have found a
> distro that *sounds* like it does this, but it is a weird heavily
> customized Redhat, and I would prefer to stick with the Debian that we all
> love.
>

I'm doing something similar to this using proxy arp and a single IP address
on the network, with a Debian box running a 2.4 kernel. The steps I took
are roughly as follows:

Configure both NICs with the same IP address. For convenience, use the
highest IP address in your netblock. Assuming your netblock is
192.168.0.0/24, the firewall's IP is 192.168.0.254, and the default gateway
is 192.168.0.1, run the following:

    echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
    echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp
    ip route del 192.168.0.0/24 dev eth0
    ip route del 192.168.0.0/24 dev eth1
    ip route add 192.168.0.1 dev eth0
    ip route add 192.168.0.0/24 dev eth1
    echo 1 > /proc/sys/net/ipv4/ip_forward

Before you do that, you'll want to do some firewalling. You'll need to use
the FORWARD table for your rules going to the hosts you're protecting. I
personally find it easier to make a pile of rules in your FORWARD table
jumping to per-IP chains, e.g.:

    iptables -N fw_2
    iptables -A fw_2 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A fw_2 -m state --state NEW -p tcp --dport 80 -j ACCEPT
    iptables -A fw_2 -j LOG
    iptables -A fw_2 -j DROP
    iptables -A FORWARD -d 192.168.0.2 -j fw_2

and so on, for your firewall rules. Don't forget the INPUT and OUTPUT
chains to catch things going directly to your firewall.

I got this information off a web site that's bookmarked on my work
computer, if you want I'll dig up the URL tomorrow.

Anyway, hope that helps!
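An added example, not part of the original post: the per-IP chain pattern from the message above, generated for several hosts from a small policy table that is validated in full before any command is printed. It goes beyond the single fw_2 host in the post; the policy entries, the `fw_<last octet>` naming for other hosts and the `--log-prefix` argument are assumptions.

```bash
#!/usr/bin/env bash
# Added example: print per-host FORWARD chains from a policy table.
# POLICY is constructed sample data: "<protected host> <allowed TCP ports>".
POLICY='192.168.0.2 80
192.168.0.3 25,110
192.168.0.4 22'
NET_PREFIX='192.168.0.'        # the post's 192.168.0.0/24

is_number_between() {          # value low high
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# Accept only "prefix + host 1..254" and numeric ports, so stray characters
# in the table can never reach the generated command lines.
check_policy() {
    echo "$1" | while read -r ip ports; do
        [ -n "$ip" ] || continue
        case "$ip" in "$NET_PREFIX"*) ;; *) echo "bad host: $ip" >&2; exit 1 ;; esac
        is_number_between "${ip#"$NET_PREFIX"}" 1 254 || { echo "bad host: $ip" >&2; exit 1; }
        for p in $(echo "$ports" | tr ',' ' '); do
            is_number_between "$p" 1 65535 || { echo "bad port: $p" >&2; exit 1; }
        done
    done
}

# Same rule order as the post's fw_2 chain: state match, allowed ports, LOG, DROP.
emit_rules() {
    echo "$1" | while read -r ip ports; do
        [ -n "$ip" ] || continue
        chain="fw_${ip#"$NET_PREFIX"}"
        echo "iptables -N $chain"
        echo "iptables -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT"
        for p in $(echo "$ports" | tr ',' ' '); do
            echo "iptables -A $chain -m state --state NEW -p tcp --dport $p -j ACCEPT"
        done
        echo "iptables -A $chain -j LOG --log-prefix '$chain: '"
        echo "iptables -A $chain -j DROP"
        echo "iptables -A FORWARD -d $ip -j $chain"
    done
}

# Validate the whole table first; print nothing if any entry is bad.
build_ruleset() { check_policy "$1" && emit_rules "$1"; }

if [ "${1:-}" = "print" ]; then build_ruleset "$POLICY"; fi
```

Run it with the argument `print`, review the output, and apply it before the proxy_arp and ip_forward steps, in line with the post's advice to firewall first.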
Re: Fwd: scp, no ssh
On Thu, 2002-01-10 at 12:19, Tim Quinlan wrote:
> How about setting the user's shell to /bin/true. This allows ftp, but no
> login shell. So it may work for scp as well.
>

This is true, but you can still (probably) use ssh to execute commands,
like /bin/sh, and effectively get a shell.

--
Joel Michael
Systems Administrator
Worldhosting.org Pty. Ltd.