Re: Debian GNU/Linux 2.2r3 vulnerabilities ?

2001-10-24 Thread Sebastiaan

Hi,

On Thu, 25 Oct 2001, Petre Daniel wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: MD5
> 
> Heya,
>  I run a potato at home and I will set the computer at work
>  with potato as well. Since that will be a 24h internet-connected
>  PC, I am wondering what the 2.2 release 3 vulnerabilities are for
>  the system installed from the CDs without any online update.
>  Is the ssh package in potato vulnerable?
>  I'd appreciate it if you can give me some URLs.
>  thx,
>  Dani,
>  hackers unsupport.
> 

Add the security lines for apt as suggested before, and if the box is going to
work as a firewall of some kind, upgrade to kernel 2.4 to use iptables (and
install modutils-2.4!).

Greetz,
Sebastiaan

--
  NT is the OS of the future. The main engine is the 16-bit Subsystem
  (also called MS-DOS Subsystem). Above that, there is the windoze 95/98
  16-bit Subsystem. Anyone can see that 16+16=32, so windoze NT is a 
  *real* 32-bit system.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




Re: Debian GNU/Linux 2.2r3 vulnerabilities ?

2001-10-24 Thread Osamu Aoki
On Thu, Oct 25, 2001 at 04:31:05AM +0200, Petre Daniel wrote:
>  I run a potato at home and I will set the computer at work
>  with potato as well. Since that will be a 24h internet-connected
>  PC, I am wondering what the 2.2 release 3 vulnerabilities are for
>  the system installed from the CDs without any online update.
>  Is the ssh package in potato vulnerable?
Oops.  You need security updates.  This is bad!!

Add the following to /etc/apt/sources.list:

deb http://security.debian.org/ stable/updates main contrib non-free

Then:
# apt-get -u upgrade

-- 
~\^o^/~~~ ~\^.^/~~~ ~\^*^/~~~ ~\^_^/~~~ ~\^+^/~~~ ~\^:^/~~~ ~\^v^/~~~ 
+  Osamu Aoki <[EMAIL PROTECTED]>, GnuPG-key: 1024D/D5DE453D  +
+  My debian quick-reference, http://www.aokiconsulting.com/quick/+
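
An added example, not part of Osamu's message or of any Debian tool: a small POSIX shell script that checks whether a sources.list already carries the security.debian.org line he gives, appends it only when it is missing (a commented-out copy does not count), and runs the update only when explicitly asked. The helper names are hypothetical; the only real paths and commands are /etc/apt/sources.list and apt-get as quoted above.

```shell
#!/bin/sh
# Added example (not from the list thread): make sure a potato box pulls
# security updates from security.debian.org, as described in the reply above.
# The file path is a parameter so the checks can be exercised on a constructed
# sample file; the real file is /etc/apt/sources.list.

SECURITY_LINE='deb http://security.debian.org/ stable/updates main contrib non-free'
# An uncommented "deb" entry pointing at security.debian.org; a leading "#"
# (a commented-out line) deliberately does not match.
SECURITY_RE='^[[:space:]]*deb[[:space:]]+http://security\.debian\.org/'

# has_security_source FILE -> exit 0 if FILE already has a live security entry.
has_security_source() {
    grep -Eq "$SECURITY_RE" "$1"
}

# ensure_security_source FILE -> append the entry if missing; idempotent.
ensure_security_source() {
    if ! has_security_source "$1"; then
        printf '%s\n' "$SECURITY_LINE" >> "$1"
    fi
}

# count_security_sources FILE -> number of live security entries (0 if none).
count_security_sources() {
    grep -Ec "$SECURITY_RE" "$1" || true
}

# Only touch the real system when run as root with --apply.
if [ "${1:-}" = "--apply" ]; then
    ensure_security_source /etc/apt/sources.list
    apt-get update && apt-get -u upgrade
fi
```

Run as `sh ensure-security.sh --apply` as root; without the flag nothing is changed, which makes the functions safe to source and test on a copy of the file first.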



Debian GNU/Linux 2.2r3 vulnerabilities ?

2001-10-24 Thread Petre Daniel
-BEGIN PGP SIGNED MESSAGE-
Hash: MD5

Heya,
 I run a potato at home and I will set the computer at work
 with potato as well. Since that will be a 24h internet-connected
 PC, I am wondering what the 2.2 release 3 vulnerabilities are for
 the system installed from the CDs without any online update.
 Is the ssh package in potato vulnerable?
 I'd appreciate it if you can give me some URLs.
 thx,
 Dani,
 hackers unsupport.

-BEGIN PGP SIGNATURE-
Version: 2.6

iQCVAwUAO9d5bcw1CXXrWGBbAQED7gQAmoKv0NVCTKa2MuEiPcVBHg27TMu58WCa
IcmoCDe9BAgq9VDQUENPzlRiFceFQQkK1skoO0+sCn8I4SXu+cO2vdVuaPyHtdlg
UpLpI5mx0BBYavLmQ1AmdUp0z4aTFkpMneTiXV1GEwvz6xzFXGRFqBkNbQGOnvvO
bjMyDw60aT4=
=wDVj
-END PGP SIGNATURE-






Re: Is ident secure?

2001-10-24 Thread Adam Olsen
On Thu, Oct 25, 2001 at 09:45:49AM +1000, Malcolm Herbert wrote:
> ... don't know if it's happening to others, however I seem to be
> receiving mail from the 'Is Ident secure' thread of earlier in September
> (with the idiot who was subscribed and who wouldn't/couldn't unsubscribe
> himself) ... is anyone else seeing this replay?

I saw two posts myself.  After looking at the headers, I think
somebody's mailer was broken and backlogged the replies, and is only
now clearing the backlog.  Or perhaps it's something else, but unless
they continue it doesn't really matter.

-- 
Adam Olsen, aka Rhamphoryncus



Re[2]: FUCK YOU

2001-10-24 Thread victor
Hello Nicolas,

Sunday, September 02, 2001, 5:31:01 PM, you wrote:

NMM> Hello Layne,
NMM> if you haven't subscribed, why do you think you receive mails from
NMM> debian-security? Maybe you're too stupid to remember, but you receive a
NMM> confirmation email before being added to a mailing list, so shut up and
NMM> unsubscribe *** !



hehehehe, Layne's case was some time ago ;

-- 
Best regards,
 victor                          mailto:[EMAIL PROTECTED]




Re: Is ident secure?

2001-10-24 Thread Malcolm Herbert
... don't know if it's happening to others, however I seem to be
receiving mail from the 'Is Ident secure' thread of earlier in September
(with the idiot who was subscribed and who wouldn't/couldn't unsubscribe
himself) ... is anyone else seeing this replay?

I have the original in my mailbox if anyone wants it for header trawling
...

On Sun, Sep 02, 2001 at 11:38:01AM -0400, Nicolas M . M wrote:
|do you know what the word solicitors means? I don't think so, you should
|go to school you lil' brainless.
|-- 
|"Good humour is a virtue,
|   the one that distinguishes humans from animals."
|
|-- 
|To UNSUBSCRIBE, email to [EMAIL PROTECTED]
|with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
|

-- 
Malcolm Herbert                         This brain intentionally
[EMAIL PROTECTED]                       left blank



Re: Connection problem

2001-10-24 Thread Jason Thomas
On Wed, Oct 24, 2001 at 02:35:51PM +0200, Emmanuel Lacour wrote:
> Ok , to close this message (out of list topics), I just explain how I
> solved my problem.
> 
> A few days ago I was playing with ipsec and adsl pppoe. This was a mtu
> problem so I played with clampmss fragicmp overridemtu in rp-pppoe and
> ipsec.conf.
> And I leaved pppoe.conf with a clampmss=no.
> I set it to 1412 and now all works perfectly.

What was it before? We have ours set to 1452.
ADSL uses a size of 1492, but you need to allow for a 40 byte TCP header
(I think), which is where 1452 comes from.

-- 
Jason Thomas   Phone:  +61 2 6257 7111
System Administrator  -  UID 0 Fax:+61 2 6257 7311
tSA Consulting Group Pty. Ltd. Mobile: 0418 29 66 81
1 Hall Street Lyneham ACT 2602 http://www.topic.com.au/






Re: Is ident secure?

2001-10-24 Thread Nicolas M . M
do you know what the word solicitors means? I don't think so, you should
go to school you lil' brainless.
-- 
"Good humour is a virtue,
the one that distinguishes humans from animals."



Re: FUCK YOU

2001-10-24 Thread Nicolas M . M
Hello Layne,
if you haven't subscribed, why do you think you receive mails from
debian-security? Maybe you're too stupid to remember, but you receive a
confirmation email before being added to a mailing list, so shut up and
unsubscribe *** !


-- 
"Good humour is a virtue,
the one that distinguishes humans from animals."





Re: Question about BugTraq and Debian-Security Mailing Lists

2001-10-24 Thread victor
Hello eim,

Wednesday, October 24, 2001, 7:58:15 PM, you wrote:

e> Actually I'm subscribed to the famous bugtraq Mailing List
e> and of course the Debian Security Mailing List.

I don't think that Bugtraq (bugtraq@securityfocus.com) ... I understand
you mean that it makes a high volume; I receive 9 mails a day normally. On
Bugtraq they report bugs that can affect your Debian, like the php-nuke one if you
have it (there was a bug with which you could do everything).
It's your decision, but with Bugtraq you get bugs of all kinds
of systems, and you can read only the bugs that you want, which is OK ;)

e> Bugtraq is a 'high volume' Mailing List which forwards to me
e> many important mails about security in general and not only
e> Debian-specific.

e> Because I really work only with Debian GNU/Linux as Linux distribution,
e> much information on Bugtraq, like SUN, MS Windows, MacOS, etc. related
e> mails, is not really important for me, but I spend bandwidth anyway for
e> receiving them; I pay every 'single byte' on my connection.

e> My question is: Is it convenient to subscribe _only_ to the Debian
e> Security Mailing List, keeping in mind only security related to this
e> distribution and server platform, or is there maybe some 'important'
e> information on BugTraq which maybe will never be posted on the Debian
e> Security List?

e> For now I think many Debian Developers and Users read everyday BugTraq,
e> too, and may see if there are common problems which could affect
e> also Debian Security, and post them in a second time here.

e> I hope my ideas are right and thanks for any suggestions...

e> Have fun,
e> Ivo Marino




-- 
Best regards,
 victormailto:[EMAIL PROTECTED]



Re: Does Debian need to enforce a better Security policy for packages?

2001-10-24 Thread Patrice Neff
Michael Robinson <[EMAIL PROTECTED]> writes:

> FreeBSD does it for their ports tree.  In fact, this has been a
> matter of controversy, as the FreeBSD team issues a huge number of
> security advisories for software that really has nothing to do with
> FreeBSD. This has caused casual observers to erroneously believe
> FreeBSD is less secure than other less carefully managed operating
> system projects.

I believe this would not be reasonable for the Debian distribution,
but you could create a customized and secure Debian version where you
do a source code audit before accepting any package. Or maybe it could
be done with another APT tree?

well, just my 2 cents
patrice



Re: Question about BugTraq and Debian-Security Mailing Lists

2001-10-24 Thread Stefano Canepa
Wednesday 24 October 2001, at 19:58, eim:
: Actually I'm subscribed to the famous bugtraq Mailing List
: and of course the Debian Security Mailing List.
: 
: Bugtraq is a 'high volume' Mailing List which forwards to me
: many important mails about security in general and not only
: Debian-specific.
: 
: Because I really work only with Debian GNU/Linux as Linux distribution,
: much information on Bugtraq, like SUN, MS Windows, MacOS, etc. related
: mails, is not really important for me, but I spend bandwidth anyway for
: receiving them; I pay every 'single byte' on my connection.
: 
: My question is: Is it convenient to subscribe _only_ to the Debian
: Security Mailing List, keeping in mind only security related to this
: distribution and server platform, or is there maybe some 'important'
: information on BugTraq which maybe will never be posted on the Debian
: Security List?
: 
Dear Ivo,
I was subscribed to Bugtraq, but I think it is not so useful if
you use only Debian (as I do). When I was responsible for the security
of a mostly Windows NT based network I needed Bugtraq. I think it is
better to invest your time in reading the security programming mailing list
(cannot remember the correct address) or security and firewall mailing
lists where you can find general exploit advice. Look at the Security Focus
web site.

Regards
Stefano

-- 
Stefano Canepa e-mail: [EMAIL PROTECTED]

To follow the path: look at the master, follow the master, walk with the
master, see through the master, become the master.




Re: Question about BugTraq and Debian-Security Mailing Lists

2001-10-24 Thread Henrique de Moraes Holschuh
On Wed, 24 Oct 2001, eim wrote:
> My question is: Is it convenient to subscribe _only_ to the Debian
> Security Mailing List, keeping in mind only security related to this
> distribution and server platform, or is there maybe some 'important'
> information on BugTraq which maybe will never be posted on the Debian
> Security List?

It has happened in the past that important information from Bugtraq was
never relayed to d-security, even when it did concern Debian.

> For now I think many Debian Developers and Users read everyday BugTraq,
> too, and may see if there are common problems which could affect
> also Debian Security, and post them in a second time here.

That has also happened in the past :-) and I think it is a very good idea.
However, only _verified_ hazards should be relayed here, if at all possible.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh








Question about BugTraq and Debian-Security Mailing Lists

2001-10-24 Thread eim
Actually I'm subscribed to the famous bugtraq Mailing List
and of course the Debian Security Mailing List.

Bugtraq is a 'high volume' Mailing List which forwards to me
many important mails about security in general and not only
Debian-specific.

Because I really work only with Debian GNU/Linux as Linux distribution,
much information on Bugtraq, like SUN, MS Windows, MacOS, etc. related
mails, is not really important for me, but I spend bandwidth anyway for
receiving them; I pay every 'single byte' on my connection.

My question is: Is it convenient to subscribe _only_ to the Debian
Security Mailing List, keeping in mind only security related to this
distribution and server platform, or is there maybe some 'important'
information on BugTraq which maybe will never be posted on the Debian
Security List?

For now I think many Debian Developers and Users read everyday BugTraq,
too, and may see if there are common problems which could affect
also Debian Security, and post them in a second time here.

I hope my ideas are right and thanks for any suggestions...

Have fun,
Ivo Marino

-- 

 
 Ivo Marino[EMAIL PROTECTED]
 UN*X Developer, running Debian GNU/Linux
 DALnet #flex
 http://eimbox.org
 




Re: Firewall Related Question

2001-10-24 Thread J.R. Blain
Using kernel 2.2, I run a bridge that handles packet filtering with
ipchains.

Patches are available here:
http://www.ac2i.tzo.com/bridge_filter/


James wrote:
> 
> That link might help...
> http://www.linuxdoc.org/HOWTO/mini/Bridge+Firewall.html
> 
> - James
> 
> -Original Message-
> From: Alson van der Meulen [mailto:[EMAIL PROTECTED]
> Sent: Monday, October 22, 2001 1:31 PM
> To: Debian Security List
> Subject: Re: Firewall Related Question
> 
> On Mon, Oct 22, 2001 at 10:17:59AM -0700, tony mancill wrote:
> > I'd recommend the former (firewalling on each server).  This will let you
> > customize the firewall for that server alone, and spread the packet
> > filtering load and logging.  Also, with no access to the Cisco box, you'd
> > have to either MASQ or SNAT with proxy arps if you do insert a firewall
> > into the packet path to get the traffic to cross the firewall.  (The Cisco
> > is going to assume that the subnet with the DMZ address space is still
> > directly attached.)
> With FreeBSD/OpenBSD, you could use a packet filtering bridge (quite nice
> IMO), put two ethernet cards in a box, one to cisco, second to switch
> with Debian servers, no need for an IP address at the bridge, just
> bridge and firewall.
> 
> I'm not sure if Linux can do this, maybe there are some patches for
> iptables to do it?
> 
> > On Mon, 22 Oct 2001, James wrote:
> >
> > > Yes, you could definitely do a firewall on each server.
> > >
> > > Also, have you considered setting up a 4th machine between the Cisco and
> 3
> > > servers?  That could work also.  You wouldn't make it a masq box, just
> > > configure it to pass packets based on the rules.
> > >
> > > - James
> > >
> > > -Original Message-
> > > From: Alson van der Meulen [mailto:[EMAIL PROTECTED]
> > > Sent: Monday, October 22, 2001 6:58 AM
> > > To: Debian Security List
> > > Subject: Re: Firewall Related Question
> > >
> > >
> > > On Mon, Oct 22, 2001 at 12:44:03PM +0200, eim wrote:
> > > > I've got some simple questions related to using a Firewall on
> > > > some single public Debian Boxes, I chose to post my questions
> > > > here because I've always had security in mind during the development
> > > > time of my Network Services.
> > > >
> > > > Let me assume I've got a simple Network with 3 Public Debian
> > > > Servers and 1 Cisco Router (Internet Gateway).
> > > >
> > > > The router belongs to my Connection ISP so I can't configure it,
> > > > but only use it for Internet connectivity.
> > > >
> > > > The 3 Debian Boxes are under my full control.
> > > >
> > > > The best way to protect my Debian Servers would be to install
> > > > a Firewall on my Gateway (Cisco Router) but actually I can't,
> > > > so my question is: Can I install a Firewall on each of my Debian
> > > > Boxes to filter/block incoming and outgoing Network Traffic ?
> > > >
> > > > Is this a good choice ? or should I put another machine in my
> > > > Network, between the Gateway and the Servers, which acts as Firewall ?
> > > You can just configure a packet filter on all your servers, the main
> > > disadvantage is that it's more difficult to administer
> --
> ,---.
> > Name:   Alson van der Meulen  <
> > Personal:[EMAIL PROTECTED]<
> > School:   [EMAIL PROTECTED]<
> `---'
> I remember the last time I saw it do that...
> -
> 
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact
> [EMAIL PROTECTED]
> 


J.R. Blain
http://www.clockmedia.com/
-- 
Real programmers use chmod +x /dev/random and cross their fingers
-- Comment found in a vi/emacs flamewar on slashdot.



Re: Intro - Design, Engineering, Manufacturing, and more

2001-10-24 Thread Richard Ibbotson
Dear All


> Igoework.com is represented by a group that includes:


Pardon me for wasting bandwidth, but am I the only person who is
getting a bounced, multiply repeated message of this sort from the
Debian security list?

Thank you



-- 
Richard



Intro - Design, Engineering, Manufacturing, and more

2001-10-24 Thread Igoework.com Inc.
Please allow us to introduce ourselves,

Igoework.com is represented by a group that includes:

- Talented engineers   (Mechanical and Electrical)
- Software solutions   (CAD, FEA)
- Manufacturing vendors (Castings, Sheet Metal, Plastics, SLA, etc)
- Technical placement  (Direct placement of talent)

Our company has put together all these resources to bring you a complete
integrated solution to all of your technical needs. Our engineers are
experienced with Pro/Engineer and Solidworks suite of products. Also, our
Electrical engineers are prepared to handle any type of project. In
addition, we supervise the quality and delivery  of all of our
manufacturing from proven and qualified vendors. Our software and
technical placement solutions will be introduced depending on your needs. 

More information is available from our website.

We would appreciate your consideration or referral to any interested
party. Please contact us at your convenience.

Best Regards,

Manuel Paez, President
Igoework.com Inc.
http://www.igoework.com
Cell: 847-477-1367
Fax: 847-745-0348 
Illinois, USA

Confidentiality Note: This message is confidential and intended only for
the use of the addressee(s) named above. It may contain legally privileged
material. Dissemination, distribution or copying of this message, other
than by such addressee(s), is strictly prohibited. If you have received
this message in error, please immediately notify us by reply and delete
this message and all its attachments.




Re: Firewall Related Question

2001-10-24 Thread J.R. Blain

Using kernel 2.2, I run a bridge, that handles packet filtering with
ipchains.

Patches are available here:
http://www.ac2i.tzo.com/bridge_filter/


James wrote:
> 
> That link might help...
> http://www.linuxdoc.org/HOWTO/mini/Bridge+Firewall.html
> 
> - James
> 
> -Original Message-
> From: Alson van der Meulen [mailto:[EMAIL PROTECTED]]
> Sent: Monday, October 22, 2001 1:31 PM
> To: Debian Security List
> Subject: Re: Firewall Related Question
> 
> On Mon, Oct 22, 2001 at 10:17:59AM -0700, tony mancill wrote:
> > I'd recommend the former (firewalling on each server).  This will let you
> > customize the firewall for that server alone, and spread the packet
> > filtering load and logging.  Also, with no access the Cisco box, you'd
> > have to either MASQ or SNAT with proxy arps if you do insert a firewall
> > into the packet path to get the traffic to cross the firewall.  (The Cisco
> > is going to assume that the subnet with the DMZ address space is still
> > directly attached.)
> With FreeBSD/OpenBSD, you could use a packet filtering bridge (quite nice
> IMO), put two ethernet cards in a box, one to cisco, second to switch
> with Debian servers, no need for an IP address at the bridge, just
> bridge and firewall.
> 
> I'm not sure if Linux can do this, maybe there are some patches for
> iptables to do it?
> 
> > On Mon, 22 Oct 2001, James wrote:
> >
> > > Yes, you could definitely do a firewall on each server.
> > >
> > > Also, have you considered setting up a 4th machine between the Cisco and 3
> > > servers?  That could work also.  You wouldn't make it a masq box, just
> > > configure it to pass packets based on the rules.
> > >
> > > - James
> > >
> > > -Original Message-
> > > From: Alson van der Meulen [mailto:[EMAIL PROTECTED]]
> > > Sent: Monday, October 22, 2001 6:58 AM
> > > To: Debian Security List
> > > Subject: Re: Firewall Related Question
> > >
> > >
> > > On Mon, Oct 22, 2001 at 12:44:03PM +0200, eim wrote:
> > > > I've got some simple questions related to using a Firewall on
> > > > some single public Debian Boxes, I chose to post my questions
> > > > here because I always have security in mind during the Developing
> > > > time of my Network Services.
> > > >
> > > > Let me assume I've got a simple Network with 3 Public Debian
> > > > Servers and 1 Cisco Router (Internet Gateway).
> > > >
> > > > The router belongs to my Connection ISP so I can't configure it,
> > > > but only use it for Internet connectivity.
> > > >
> > > > The 3 Debian Boxes are under my full control.
> > > >
> > > > The best way to protect my Debian Servers would be to install
> > > > a Firewall on my Gateway (Cisco Router) but actually I can't,
> > > > so my question is: Can I install a Firewall on each of my Debian
> > > > Boxes to filter/block incoming and outgoing Network Traffic ?
> > > >
> > > > Is this a good choice ? or should I put another machine in my
> > > > Network, between the Gateway and the Servers, which acts as Firewall ?
> > > You can just configure a packet filter on all your servers, the main
> > > disadvantage is that it's more difficult to administer
> --
> ,---.
> > Name:   Alson van der Meulen  <
> > Personal:[EMAIL PROTECTED]<
> > School:   [EMAIL PROTECTED]<
> `---'
> I remember the last time I saw it do that...
> -
> 


J.R. Blain
http://www.clockmedia.com/
-- 
Real programmers use chmod +x /dev/random and cross their fingers
-- Comment found in a vi/emacs flamewar on slashdot.






Re: Intro - Design, Engineering, Manufacturing, and more

2001-10-24 Thread Richard Ibbotson

Dear All


> Igoework.com is represented by a group that includes:


Pardon me for wasting bandwidth, but am I the only person who is
getting a bounced, multiply repeated message of this sort from the
Debian security list?

Thank you



-- 
Richard






Intro - Design, Engineering, Manufacturing, and more

2001-10-24 Thread Igoework.com Inc.

Please allow us to introduce ourselves,

Igoework.com is represented by a group that includes:

- Talented engineers (Mechanical and Electrical)
- Software solutions (CAD, FEA)
- Manufacturing vendors (Castings, Sheet Metal, Plastics, SLA, etc)
- Technical placement (Direct placement of talent)

Our company has put together all these resources to bring you a complete
integrated solution to all of your technical needs. Our engineers are
experienced with Pro/Engineer and Solidworks suite of products. Also, our
Electrical engineers are prepared to handle any type of project. In
addition, we supervise the quality and delivery  of all of our
manufacturing from proven and qualified vendors. Our software and
technical placement solutions will be introduced depending on your needs. 

More information is available from our website.

We would appreciate your consideration or referral to any interested
party. Please contact us at your convenience.

Best Regards,

Manuel Paez, President
Igoework.com Inc.
http://www.igoework.com
Cell: 847-477-1367
Fax: 847-745-0348 
Illinois, USA







Re: Firewall Related Question

2001-10-24 Thread Alson van der Meulen
On Wed, Oct 24, 2001 at 01:36:10AM -0400, James wrote:
> That link might help...
> http://www.linuxdoc.org/HOWTO/mini/Bridge+Firewall.html

Note also that until recently (kernel 2.0.25) the 3c509 driver could not
be used for more than one card if used as a module. I
have seen a patch floating around that fixes the oversight. It may be in
the kernel when you read this.
...
ipfwadm -I -l
ipfwadm -O -l
ipfwadm -F -l

Looks quite outdated to me; are there any more recent documents?
(Not that I really have to set up such a bridging firewall for now, but
still...)
-- 
,---.
> Name:   Alson van der Meulen  <
> Personal:[EMAIL PROTECTED]<
> School:   [EMAIL PROTECTED]<
`---'
Do you smell something?
-



Re: Connection problem

2001-10-24 Thread Emmanuel Lacour
On Tue, Oct 23, 2001 at 12:09:36PM +0200, Emmanuel Lacour wrote:
> Hi,
> 
> It's maybe a little bit off topic, but I think someone in this list can
> help me:
> 
> I've got a firewall debian potato, kernel 2.2.17pre6, doing masquerading
> and other rules over an adsl pppoe line. All worked perfectly but since
> two weeks ( without doing any changes ) I'm unable to go to certain
> sites. Tcpdump show me that the connection close in the middle.
> Something like this:
> 
> 
> 11:36:16.439327 a.b.c.26.https > d.e.f.36.62968: P
> 1269:1340(71) ack 214 win 17307 (DF)
> 11:36:16.495429 d.e.f.36.62969 > a.b.c.21.www: S
> 10634093:10634093(0) win 8192  (DF)
> 11:36:16.571944 d.e.f.36.62968 > a.b.c.26.https: . ack 1340
> win 7421 (DF)
> 11:36:16.591005 a.b.c.21.www > d.e.f.36.62969: S
> 3660606280:3660606280(0) ack 10634094 win 17520 <mss 1460,nop,nop,sackOK> (DF)
> 11:36:16.591218 d.e.f.36.62969 > a.b.c.21.www: . ack 1 win
> 8760 (DF)
> 11:36:16.591569 d.e.f.36.62969 > a.b.c.21.www: P 1:267(266)
-Snip--


OK, to close this message (off the list's topic), I'll just explain how I
solved my problem.

A few days ago I was playing with ipsec and adsl pppoe. This was an MTU
problem, so I played with clampmss, fragicmp and overridemtu in rp-pppoe and
ipsec.conf.
And I had left pppoe.conf with clampmss=no.
I set it to 1412 and now all works perfectly.


The end.


-- 
Easter-eggsSpécialiste GNU/Linux
44-46 rue de l'Ouest  -  75014 Paris   -   France -  Métro Gaité
Phone: +33 (0) 1 43 35 00 37- Fax: +33 (0) 1 41 35 00 76
mailto:[EMAIL PROTECTED]   -http://www.easter-eggs.com


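What the clampmss setting does on the wire, as an added example that is not code from the thread or from rp-pppoe: a Python routine that rewrites the MSS option of a TCP SYN down to a limit such as the 1412 above and recomputes the TCP checksum, run on a constructed IPv4/TCP SYN shaped like the ones in the tcpdump excerpt (<mss 1460,nop,nop,sackOK>). The addresses and ports are constructed; the sequence number and window are taken from the trace.

```python
import struct
from typing import Iterator, Optional, Tuple

IPPROTO_TCP = 6
TCP_SYN = 0x02
TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MSS = 0, 1, 2


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum; an odd trailing byte is padded with a zero byte."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the whole segment."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, IPPROTO_TCP, len(segment))
    return ones_complement_checksum(pseudo + segment)


def _tcp_options(tcp: bytes) -> Iterator[Tuple[int, int, int]]:
    """Yield (offset, kind, length) per TCP option; EOL or a bad length stops parsing."""
    end = (tcp[12] >> 4) * 4  # data offset: where the options end
    i = 20
    while i < end:
        kind = tcp[i]
        if kind == TCPOPT_EOL:
            return
        if kind == TCPOPT_NOP:  # single-byte padding, no length field
            i += 1
            continue
        length = tcp[i + 1] if i + 1 < end else 0
        if length < 2 or i + length > end:  # malformed: stop rather than loop forever
            return
        yield i, kind, length
        i += length


def read_mss(packet: bytes) -> Optional[int]:
    """MSS option of an IPv4/TCP packet, or None if the option is absent."""
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:]
    for off, kind, length in _tcp_options(tcp):
        if kind == TCPOPT_MSS and length == 4:
            return struct.unpack_from("!H", tcp, off + 2)[0]
    return None


def clamp_mss(packet: bytes, max_mss: int) -> bytes:
    """What CLAMPMSS does: lower a TCP SYN's MSS option to max_mss and refresh the checksum."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_TCP:  # not TCP: pass through untouched
        return packet
    tcp = bytearray(packet[ihl:])
    if not tcp[13] & TCP_SYN:  # MSS is only negotiated on SYN segments
        return packet
    changed = False
    for off, kind, length in _tcp_options(bytes(tcp)):
        if kind == TCPOPT_MSS and length == 4:
            if struct.unpack_from("!H", tcp, off + 2)[0] > max_mss:
                struct.pack_into("!H", tcp, off + 2, max_mss)
                changed = True
    if not changed:  # already at or below the limit, or no MSS option
        return packet
    struct.pack_into("!H", tcp, 16, 0)  # checksum field must be zero while summing
    struct.pack_into("!H", tcp, 16, tcp_checksum(packet[12:16], packet[16:20], bytes(tcp)))
    return packet[:ihl] + bytes(tcp)


def tcp_checksum_ok(packet: bytes) -> bool:
    """A valid segment sums to zero when the stored checksum is included."""
    ihl = (packet[0] & 0x0F) * 4
    return tcp_checksum(packet[12:16], packet[16:20], packet[ihl:]) == 0


def build_syn(src_ip: bytes, dst_ip: bytes, sport: int, dport: int, mss: int) -> bytes:
    """Constructed IPv4/TCP SYN carrying <mss,nop,nop,sackOK>, shaped like the trace's SYNs."""
    options = struct.pack("!BBH", TCPOPT_MSS, 4, mss) + b"\x01\x01" + b"\x04\x02"
    doff = (20 + len(options)) // 4  # header length in 32-bit words (7 here)
    tcp = bytearray(struct.pack("!HHIIBBHHH", sport, dport, 10634093, 0,
                                doff << 4, TCP_SYN, 8192, 0, 0) + options)
    struct.pack_into("!H", tcp, 16, tcp_checksum(src_ip, dst_ip, bytes(tcp)))
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0,
                               0x4000, 64, IPPROTO_TCP, 0, src_ip, dst_ip))  # 0x4000 = DF
    struct.pack_into("!H", ip, 10, ones_complement_checksum(bytes(ip)))
    return bytes(ip + tcp)
```

A SYN whose MSS is already at or below the limit, a non-SYN segment or a non-TCP packet comes back unchanged, which is also what a clamping router does.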






qmail ERR- authorization

2001-10-24 Thread skubij
I have a problem with authorization of qmail pop3 clients. I don't know why
qmail-pop3 does not authorize my users on all accounts. When we use a client from
WWW that is good.



Re: Does Debian need to enforce a better Security policy for packages?

2001-10-24 Thread Paul Haesler
> > The alternative is the "ostrich" method of security management.
>
> What's that kind of method? I never heared about that name.

It was once a widespread belief that the ostrich's method of "hiding"
from predators was to bury its head in the sand. This is obviously
untrue, but the concept has worked its way into the English
language.  It's an idiom for dealing with problems by pretending
they aren't there.

I don't feel the metaphor was particularly valid in this case however.

If you want an audited O/S, use OpenBSD, but be prepared for
a very small distribution by Debian standards.

And even OpenBSD don't audit every single line of code in every 
package - they audit "every critical software component".  That
word "critical" wouldn't be there if it didn't mean something.

--
Paul Haesler[EMAIL PROTECTED]
ICQ: 124547085



Re: Does Debian need to enforce a better Security policy for packages?

2001-10-24 Thread Christian Kurz
On 23/10/01, Michael Robinson wrote:
> On Tue, Oct 23, 2001 at 09:55:04AM +0200, Christian Kurz wrote:
> > Do you know how difficult and time-consuming it really is to do a manual
> > source code audit? Also the available programs for source code audits
> > can only give you hints which parts of a program might be suspicious, but
> > you still would have to verify everything by hand to be really sure. 

> FreeBSD does it for their ports tree.  In fact, this has been a matter of

Does what? Just look for some suspicious functions or code fragments or
do a full audit of the whole source?

> Yes, source-code audits are time-consuming.  Time-consuming is different
> from "not possible", however.

Why the hell do you try to interpret into my previous e-Mail that I'm
saying they would be "not possible"? Maybe you need to read it again,
but it clearly states that a full audit of the code for one package
takes an enormous amount of time and that you also need quite a lot of
knowledge for such a task. And especially since we talked about having
an audit _before_ having the package included as a debian package
into the archive, a full audit of all new packages would decrease the
number of packages entering the archive and also take a very long time,
since everyone here is a volunteer. Also you still have the problem left
with about 8000 packages being already included in debian and having
mostly never had a full audit. So for really auditing debian and
ensuring that every piece of malicious code is found and either removed
or fixed, you would have to drop all packages and start with for example
init and audit it. After that one is fully audited, you can move on to
for example login and so on, until you have audited every package from
the current number of packages completely. Until such an effort has been
made to ensure that there's currently no malicious code included in
debian, a full audit of new packages would only be the tip of an iceberg.

> The alternative is the "ostrich" method of security management.

What's that kind of method? I never heard about that name.

Christian
-- 
   Debian Developer (http://www.debian.org)
1024/26CC7853 31E6 A8CA 68FC 284F 7D16  63EC A9E6 67FF 26CC 7853






Re: Potato 2.2r3 and Kernel 2.2.19 Questions

2001-10-24 Thread Blars Blarson
In article <[EMAIL PROTECTED]> [EMAIL PROTECTED] writes:
>On Wed, Oct 24, 2001 at 01:18:52AM +, Martin WHEELER wrote:
>> On Tue, 23 Oct 2001, Ethan Benson wrote:

>> > kernels are never upgraded automatically by apt, you have to do it
>> > yourself:

>> That's not quite true -- should you recompile your own kernel, and for
>> whatever reason, NOT give that new kernel a debian-style name which
>> conforms *exactly* to the debian naming conventions, you will be
>> pestered for evermore with attempts by apt to 'upgrade' to the latest
>> (plain vanilla) version.

Watch out when dselect (and I assume apt) decides to upgrade a kernel
image -- I just had the 2.2.19 kernel image upgraded on my testing box
and it made the /vmlinuz link point to the 2.2.19 kernel, when it had
been 2.4.9 before.  Since the 2.4.9 needed initrd, I assume neither
would have had trouble booting if I hadn't fixed things.  (Fortunately,
I had a third kernel not using the links as the default to boot, and I
noticed and fixed things up.)
-- 
Blars Blarson   [EMAIL PROTECTED]
http://www.blars.org/blars.html
"Text is a way we cheat time." -- Patrick Nielsen Hayden













Re: Potato 2.2r3 and Kernel 2.2.19 Questions

2001-10-24 Thread Ethan Benson
On Wed, Oct 24, 2001 at 01:18:52AM +, Martin WHEELER wrote:
> On Tue, 23 Oct 2001, Ethan Benson wrote:
> 
> > kernels are never upgraded automatically by apt, you have to do it
> > yourself:
> 
> That's not quite true -- should you recompile your own kernel, and for
> whatever reason, NOT give that new kernel a debian-style name which
> conforms *exactly* to the debian naming conventions, you will be
> pestered for evermore with attempts by apt to 'upgrade' to the latest
> (plain vanilla) version.

well yes, the reason kernel images are not automatically upgraded from
r2 -> r3 is because it's a different package

r2: kernel-image-2.2.18 Version: 2.2.18-1
r3: kernel-image-2.2.19 Version: 2.2.19-1

different package so why would apt upgrade it.  (and yes i know it's
actually a pre-something in r2, that's beside the point).

if you create your own kernel-image-2.2.19 package and your version
number is not greater than the debian one then yes apt will try to
upgrade it like any other package, and this in fact occurs sometimes
in unstable dists since the kernel version is the same, but a few
debian revisions will be done (-2 -3 -4 etc), this very rarely to never
affects the stable release since by the time a new stable is released
a much newer kernel is available and used.

it's also possible the 2.2.19 images will get a backported security
patch which would cause an automatic apt upgrade for anyone with the
2.2.19 image already installed.

as for your custom kernel problem the solution is trivial:

make-kpkg --revision=5:2.2.19-1

or --revision=5:2.2.19-`hostname`.1  is something i use.  the 5: is an
epoch which will make your version number always newer than any
debian version (unless a debian kernel somehow gets an epoch larger
than 5, a very unlikely scenario).

one last point, if you never actually install a kernel-image package
after you install a new system from boot-floppies apt will never
upgrade your kernel, since boot-floppies don't install any kernel-image
they simply untar the modules into /lib/modules and cp the vmlinux
files to /boot and symlink it to /.  dpkg never knows about it.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/


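The version ordering apt applies when it decides whether a custom kernel-image package gets "upgraded", as an added example that is not code from the thread and not dpkg's own source: a Python reimplementation of Debian's epoch:upstream-revision comparison rules, used to check the epoch trick above offline. The package versions are the thread's; "myhost" is a placeholder for the `hostname` revision.

```python
"""Debian version ordering (epoch:upstream-revision), rewritten from dpkg's rules.

Added example, not code from the thread or from dpkg itself; it lets the epoch
trick above be checked offline.
"""
from typing import Tuple


def split_version(version: str) -> Tuple[int, str, str]:
    """Split 'epoch:upstream-revision'; epoch defaults to 0, revision to ''."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:  # revision is what follows the LAST hyphen
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def _order(c: str) -> int:
    """Weight of one character inside a non-digit run (dpkg's order())."""
    if c == "" or c.isdigit():
        return 0           # end of string, or the digit run that follows
    if c.isalpha():
        return ord(c)      # letters sort before other punctuation
    if c == "~":
        return -1          # tilde sorts before everything, even the end
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """dpkg's verrevcmp(): alternate non-digit runs and numeric runs; <0, 0, >0."""
    i = j = 0
    while i < len(a) or j < len(b):
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        while (ca and not ca.isdigit()) or (cb and not cb.isdigit()):
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
            i, j = i + 1, j + 1
            ca = a[i] if i < len(a) else ""
            cb = b[j] if j < len(b) else ""
        while i < len(a) and a[i] == "0":  # leading zeros carry no weight
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():
            return 1       # a's number has more digits, so it is larger
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1, ordering a against b as dpkg --compare-versions does."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1  # the epoch dominates everything else
    result = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (result > 0) - (result < 0)


def apt_would_upgrade(installed: str, candidate: str) -> bool:
    """apt replaces the installed version only when the candidate compares greater."""
    return compare_versions(candidate, installed) > 0


if __name__ == "__main__":
    # The thread's cases; "myhost" stands in for the `hostname` revision.
    for installed, candidate in [("2.2.19-1", "2.2.19-2"),
                                 ("5:2.2.19-myhost.1", "2.2.19-4"),
                                 ("5:2.2.19-1", "6:2.2.19-1")]:
        print(installed, "->", candidate, "upgrade?", apt_would_upgrade(installed, candidate))
```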


RE: Unidentified subject!

2001-10-24 Thread James



I've been told that usually means just a corrupt/damaged packet and shouldn't be much
to worry about, unless you are getting lots of them (Might be an
attack).

- James

-Original Message-
From: sonam dukda [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 23, 2001 4:52 AM
To: debian-security@lists.debian.org
Subject: Unidentified subject!

Hi!

The message on our server is "IP-MASQ:reverse ICMP:failed checksum from
202.144.129.2!". What does this mean? Also the internet access has become
very slow. We are connected at 64 Kbps leased line.

sonam






RE: Firewall Related Question

2001-10-24 Thread James
That link might help...
http://www.linuxdoc.org/HOWTO/mini/Bridge+Firewall.html

- James

-Original Message-
From: Alson van der Meulen [mailto:[EMAIL PROTECTED]
Sent: Monday, October 22, 2001 1:31 PM
To: Debian Security List
Subject: Re: Firewall Related Question


On Mon, Oct 22, 2001 at 10:17:59AM -0700, tony mancill wrote:
> I'd recommend the former (firewalling on each server).  This will let you
> customize the firewall for that server alone, and spread the packet
> filtering load and logging.  Also, with no access the Cisco box, you'd
> have to either MASQ or SNAT with proxy arps if you do insert a firewall
> into the packet path to get the traffic to cross the firewall.  (The Cisco
> is going to assume that the subnet with the DMZ address space is still
> directly attached.)
With FreeBSD/OpenBSD, you could use a packet filtering bridge (quite nice
IMO), put two ethernet cards in a box, one to cisco, second to switch
with Debian servers, no need for an IP address at the bridge, just
bridge and firewall.

I'm not sure if Linux can do this, maybe there are some patches for
iptables to do it?

> On Mon, 22 Oct 2001, James wrote:
>
> > Yes, you could definitely do a firewall on each server.
> >
> > Also, have you considered setting up a 4th machine between the Cisco and 3
> > servers?  That could work also.  You wouldn't make it a masq box, just
> > configure it to pass packets based on the rules.
> >
> > - James
> >
> > -Original Message-
> > From: Alson van der Meulen [mailto:[EMAIL PROTECTED]
> > Sent: Monday, October 22, 2001 6:58 AM
> > To: Debian Security List
> > Subject: Re: Firewall Related Question
> >
> >
> > On Mon, Oct 22, 2001 at 12:44:03PM +0200, eim wrote:
> > > I've got some simple questions related to using a Firewall on
> > > some single public Debian Boxes, I chose to post my questions
> > > here because I always have security in mind during the Developing
> > > time of my Network Services.
> > >
> > > Let me assume I've got a simple Network with 3 Public Debian
> > > Servers and 1 Cisco Router (Internet Gateway).
> > >
> > > The router belongs to my Connection ISP so I can't configure it,
> > > but only use it for Internet connectivity.
> > >
> > > The 3 Debian Boxes are under my full control.
> > >
> > > The best way to protect my Debian Servers would be to install
> > > a Firewall on my Gateway (Cisco Router) but actually I can't,
> > > so my question is: Can I install a Firewall on each of my Debian
> > > Boxes to filter/block incoming and outgoing Network Traffic ?
> > >
> > > Is this a good choice ? or should I put another machine in my
> > > Network, between the Gateway and the Servers, which acts as Firewall ?
> > You can just configure a packet filter on all your servers, the main
> > disadvantage is that it's more difficult to administer
--
,---.
> Name:   Alson van der Meulen  <
> Personal:[EMAIL PROTECTED]<
> School:   [EMAIL PROTECTED]<
`---'
I remember the last time I saw it do that...
-




Re: Potato 2.2r3 and Kernel 2.2.19 Questions

2001-10-24 Thread Nicole Zimmerman
I would suggest adding the testing source to your /etc/apt/sources.list
and grabbing kernel-source-2.2.19 (version 2.2.19.1-1 has the security
patches in question).

Edit /etc/apt/sources.list
Add deb http://http.us.debian.org/debian/ testing main 
Save the file.
apt-get update
apt-get install kernel-source-2.2.19

Once you are done, you can take the testing source out.

Unpack the source:
cd /usr/src; tar xIvf kernel-source-2.2.19.tar.bz2
[if you are using a version of bzip2 later than what is in stable, you
will need j instead of I]

Configure your kernel as you usually would (make menuconfig, make xconfig,
whatever).

Install kernel-package:
apt-get install kernel-package

Use make-kpkg to build your kernel instead of doing it by hand.
make-kpkg buildpackage
[you can pass the --revision and --flavour arguments to make it appear as
something other than Custom_1.00]

Using make-kpkg takes out all of the in-between steps and leaves you with
a customized kernel-image-2.2.19.

Go up to the parent directory and install your kernel image with dpkg. It
will handle moving your old kernel to a vmlinuz.old link and your new
kernel to a vmlinuz link. The default configuration of lilo knows how to
handle them both and they will both be bootable should you need to revert
to the old kernel. dpkg of course also handles the proper placement of
modules and such as well.

make-kpkg always seemed to be the best way to make your own kernel but
stay debian-friendly to me. It makes a LOT of sense if you have a lot of
boxes that are very similar in hardware.

-nicole

At 19:09 on Oct 23, eim combined all the right letters to say:

> Actually I'm running Potato 2.2r2 on some Debian Boxes which
> I've upgraded to 2.2r3, the Kernel which powers the system is
> still 2.2.18pre21 while for the 2.2r3 Release of Potato it should
> be version 2.2.19
> 
> So, correct me if I'm wrong but Debian Potato 2.2r3 comes out
> with Kernel 2.2.19, right ?
> 
> Well, if so, I want to upgrade from 2.2.18pre21 to 2.2.19, apply
> the "new RAID Style" Patch and the latest security Patch.
> 
> My question is this: Is Debian's 2.2.19 kernel-source package
> already available with the latest Kernel security patch or should
> I download the patch from openwall.com and apply it externally ?
> 
> Thank you for suggestions,
> have a good work !
> 
> Ivo Marino
>