Re: Configuring firewall

2004-01-18 Thread SZALAY Attila
Greets,

On Sun, 18 Jan 2004, Chakravarthy Cuddapah wrote:
> I am new to debian. I was using RHL before. It was easy setting up a
> firewall there (/etc/sysconfig/iptables). Could not do the same here. Can
> anyone please tell me how to do this in debian. I just want to keep open
> ports 53 and 22.
iptables is the same on RHL & Debian.
The Debian part is all about this:
you set up the firewall,
and when you have finished, you save your settings with iptables-save to
/var/lib/iptables/active. After that, you clean your firewall: flush all
chains, and delete all chains that aren't mandatory (iptables -F ;
iptables -X). After cleaning, you save this too, as
/var/lib/iptables/inactive.

The default debian installation doesn't link /etc/init.d/iptables to the
runlevels, so you have to make an S99iptables symlink in rc2.d pointing
to /etc/init.d/iptables and the corresponding K01iptables in rc{0,6}.d
directories.

My /etc/default/iptables looks like:

iptables_command=iptables
enable_autosave=true
enable_save_counters=true

If these are done, reboot the machine, and you'll see that all your
rules come up after a successful boot.

Best regards,

-- 
SZALAY Attila / mrwas at cdata.hu / (20) 416 13 78
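As an added example (this is not code from the mail above): the two rulesets Attila describes, written out as the files /etc/init.d/iptables feeds to iptables-restore, for the poster's case of leaving only ports 22 and 53 reachable. The "active" file is the running policy; the "inactive" file is what `iptables -F; iptables -X` leaves behind. The function names, the `--apply` flag and the LOG rule are this example's own. Two caveats: `-m state` is the 2.4-era match (current kernels use `-m conntrack --ctstate`), and a default-DROP INPUT policy applied over SSH will lock you out if the SSH rule is wrong, so load it from the console the first time.

```shell
#!/bin/sh
# Added example, not from the original mail: produce the two files that
# Debian's /etc/init.d/iptables loads with iptables-restore.
#   active   - the firewall as it should run (here: only 22/tcp and 53 open)
#   inactive - what "iptables -F; iptables -X" leaves behind
# Function names and the "--apply" flag are this example's own inventions.

# "active": default-deny INPUT, allow loopback, replies, SSH and DNS,
# and log whatever falls through to the DROP policy.
active_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -j LOG --log-prefix "fw-drop: "
COMMIT
EOF
}

# "inactive": built-in chains only, all ACCEPT, no rules.
inactive_ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

# How many rules in ruleset text $1 open port $2 (sanity check before applying).
count_port_rules() {
    printf '%s\n' "$1" | grep -c -- "--dport $2 " || true
}

# Write both files where the init script expects them. $1 overrides the
# directory so the output can be inspected as a normal user.
install_rulesets() {
    dir=${1:-/var/lib/iptables}
    mkdir -p "$dir"
    active_ruleset   > "$dir/active"
    inactive_ruleset > "$dir/inactive"
    chmod 600 "$dir/active" "$dir/inactive"   # the policy is not public information
}

# Run as root with --apply to install the files and load the active set now.
# Do this from the console, not over SSH, until you have seen it work.
if [ "${1-}" = "--apply" ]; then
    install_rulesets && iptables-restore < /var/lib/iptables/active
fi
```

After `install_rulesets`, the init script's start/stop targets correspond to `iptables-restore < /var/lib/iptables/active` and `iptables-restore < /var/lib/iptables/inactive`; with `enable_autosave=true` the running counters are written back on stop.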






Re: Tracing silent crashes

2004-01-18 Thread SZALAY Attila
Greets,

On Sun, 18 Jan 2004, John Ackermann N8UR wrote:
> Upon reboot things return to normal and there's no trace of anything in the
> logs to indicate what the problem is.
>
> I guess I have two questions -- does anyone recognize this problem, and is
> there any way to capture more data that might give me a clue about what's
> happening.  The normal log files don't yield a clue.
This could be because the buffers don't get synced to the HDD, and
therefore you'll see nothing. Try to do some logging over the network, if
possible, or tell syslog to sync every write request.

If you don't see the error message either, I can only think of a broken
UTP cable. Anyway, try to connect a display to that machine in this
kind of situation :)

Oh, I nearly forgot to mention: upgrade your kernel to 2.4.24!
People have revealed many security flaws in the kernel
recently.

Best regards,
-- 
SZALAY Attila / mrwas at cdata.hu / (20) 416 13 78
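An added example, not code from the mail above, for the two things Attila suggests. In sysklogd's syslog.conf a leading `-` on a file target means the daemon does not fsync after each write, so the last kernel messages before a hang can still be sitting in the buffer cache; an `@host` target forwards to a remote syslogd (which must run with `-r` to accept them). The script below audits a config for buffered targets and missing remote forwarding and emits a corrected copy. The sample config is constructed here, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original mail: audit a sysklogd-style
# syslog.conf for what the post recommends when a box dies without leaving
# a trace: unbuffered local files and a network target.
# A leading "-" on a file target = "don't fsync after each write".

# Print file targets that are written buffered (leading "-"), one per line.
buffered_targets() {  # $1 = path to syslog.conf
    # strip comments and blank lines, then look at the action field (last column)
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" |
        awk '$NF ~ /^-\// { print substr($NF, 2) }'
}

# Print remote targets (@host), one per line; empty output means none.
remote_targets() {  # $1 = path to syslog.conf
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" |
        awk '$NF ~ /^@/ { print substr($NF, 2) }'
}

# Emit a corrected copy of $1: drop the "-" from kern.* file targets so
# every kernel message is synced, and append a catch-all forward to $2.
harden_conf() {  # $1 = input conf, $2 = loghost
    sed -e '/^kern\./ s/-\(\/[^[:space:]]*\)$/\1/' "$1"
    printf '*.*\t@%s\n' "$2"
}

# Constructed sample, modelled on a Debian sysklogd default (not a real file).
sample_conf() {
    cat <<'EOF'
# constructed sample syslog.conf
auth,authpriv.*          /var/log/auth.log
*.*;auth,authpriv.none   -/var/log/syslog
kern.*                   -/var/log/kern.log
mail.*                   -/var/log/mail.log
EOF
}
```

Usage: `sample_conf > /tmp/syslog.conf; buffered_targets /tmp/syslog.conf` lists syslog, kern.log and mail.log as buffered; `harden_conf /tmp/syslog.conf loghost` prints a version where kern.log is synced on every write and everything is also forwarded to `loghost`. Syncing every message is slow on a busy mail server, which is why the post offers remote logging as the alternative.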



Re: chrooted sftp users?

2002-08-30 Thread SZALAY Attila
On Fri, 30 Aug 2002, Peter Van Eynde wrote:
> We've got a bunch of users that use ftp to a big server. (think hosted
> websites)
>
> We want to upgrade those people to ssh, or better sftp. One feature of
> proftpd we are missing is to "chroot" each user in their own tree, so
> they can see only their file and cannot escape. How can we get this?
Variation 1:
ALL USERS will be chrooted:
You put "DefaultRoot ~" in your proftpd.conf

Variation 2:
You make an anonymous session for your users, so users can be separated
by whether they want to be chrooted or not.

<Anonymous ~username>
  User username
  Group groupname
  AnonRequirePassword yes
</Anonymous>

Hope it helped...

ByeZ,
Was

-- 
SZALAY Attila / mrwas at cdata.hu / (20) 944 13 72
"Not having an updated virus protection on a Windoze box today,
is like trying to cure human flu by eating popcorn."




Re: Analog ( + Report Magic)

2002-06-16 Thread SZALAY Attila
On Sun, 16 Jun 2002, Martin WHEELER wrote:
> OK, I give up.  (Again.)
You can't be nervous against a penguin...

> What am I doing wrong in trying to run analog under current testing?
The ownership and the restrictions are not what analog expects.
If you run analog through a CGI script under HTTP, then the logfiles MUST
be chmod 644 with any ownership, or 640 with at least chgrp
www-data.

> Analog is version 5.22.  (Analog.cgi is root.root 755)
> Apache's logs are root.adm 540.  Root can run analog to produce HTML
540???
Do you have some shell script or Perl IN the logfiles that needs to
run? :)

> I'm baffled.  (It used to work great without any hand configuration.
> Don't know what sent it agley like this.  Documentation is not much
> help.)  My final aim is to get Report Magic processing the output of
> analog, but so far the only HTML output I get is a nicely formatted and
> chatty HTML page containing no data from the apache logs.  What is going
> wrong/not being done?  Why can't my browser read the log files?
If analog could read the logfiles, then your browser would show
everything as you wanted.

ByeZ,
Was

-- 
SZALAY Attila / mrwas at cdata.hu / (20) 944 13 72
"Not having an updated virus protection on a Windoze box today,
is like trying to cure human flu by eating popcorn."
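An added example, not code from the mail above: the permission check the CGI effectively goes through, as a shell function, so it is visible why root.adm 540 fails for a web server running as www-data while 644, or 640 with group www-data, works. The www-data user/group and the function names are this example's assumptions. Of the two options the post gives, 640 with chgrp www-data is the one to prefer: 644 lets every local account read visitor IPs and requested URLs.

```shell
#!/bin/sh
# Added example, not from the original mail: model the Unix read check for
# an Apache logfile that analog.cgi must open as the web server user.
# Pure POSIX sh arithmetic; ACLs and root's DAC bypass are not modelled.

# Can user $1 (primary group $2) read a file with octal mode $3 owned by $4:$5?
# Like the kernel: the owner class is checked first, then group, then other.
can_read() {
    user=$1 ugroup=$2 mode=$3 owner=$4 group=$5
    perm=$(( 0$mode ))                 # leading 0 makes it an octal literal
    if [ "$user" = "$owner" ]; then
        bits=$(( (perm >> 6) & 7 ))
    elif [ "$ugroup" = "$group" ]; then
        bits=$(( (perm >> 3) & 7 ))
    else
        bits=$(( perm & 7 ))
    fi
    [ $(( bits & 4 )) -ne 0 ]
}

# What to do with a log of mode $1 owned by $2:$3 so a CGI running as
# www-data (assumed web server identity) can read it.
check_log_perms() {
    if can_read www-data www-data "$1" "$2" "$3"; then
        echo readable
    elif [ "$3" != www-data ]; then
        echo "chgrp www-data and chmod 640"
    else
        echo "chmod 640"
    fi
}
```

`check_log_perms 540 root adm` gives "chgrp www-data and chmod 640", which is the fix for the poster's setup; note that 540 also strips the owner's write bit, which is why 540 on an Apache log is odd in the first place.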


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




Re: Designing a DMZ

2002-05-28 Thread SZALAY Attila
Hi!

On Mon, 27 May 2002, Craig wrote:
> Can anyone point me in the direction of good
> literature for designing a DMZ ?>
As I remember, there was once a site called http://www.linuxguruz.org.
There was pretty good iptables documentation there, with DMZ figures
and docs. Search Google for iptables + dmz and I think
you'll have your answer.

bstrgrds
-- 
SZALAY Attila / mrwas at cdata.hu / (20) 944 13 72
"Not having an updated virus protection on a Windoze box today,
is like trying to cure human flu by eating popcorn."

