Re: Verisign does hijack 'country' domains !!!
> On 2003-09-28 13:33:02, Mike Hommey wrote:
> >On Sunday 28 September 2003 12:22, Michelle Konzack wrote:
> >> Hello All,
> >>
> >> Since some hours I have tried to access some government servers
> >> without success all Servers are ending in .fr or .gov.fr
> >
> >http://chezmoicamarche.org/
>
> No, it's Verisign !!!
> ;-)
>
> >What is your ISP ? What are your DNS servers ? What is your mozilla
> >configuration ? What is your favorite colour ? What is your Quest ?
>
> 1) www.wanadoo.fr
> 2) 193.252.19.3 and 193.252.19.4
> 3) Woody stable 1.0
>    1.4 from backports.com
>    "Domain guessing" is deactivated because I hate it.
> 4) white ;-)
> 5) ??? Since some days I can not access my domains anymore...
>    Including my Employer (the french gov)
>
> My Network is working since months without any changes...
> I have asked the support at wanadoo.fr but I get only automated answers...
>
> Tomorrow I will go to the general Agence of the French Telecom and will
> ask someone (If I can find a competent person which are very rarely in FR)
>
> >Mike
>
> Greetings
> Michelle

Dear Ms. Michelle,

I have checked your DNS servers, but they do not respond:

$ host wendy.djo.tudelft.nl 193.252.19.3
Nameserver 193.252.19.3 not responding
wendy.djo.tudelft.nl A record not found at 193.252.19.3, try again
$ host wendy.djo.tudelft.nl 193.252.19.4
Nameserver 193.252.19.4 not responding
wendy.djo.tudelft.nl A record not found at 193.252.19.4, try again

Perhaps you can check mine:

$ host wendy.djo.tudelft.nl 130.237.105.18
wendy.djo.tudelft.nl    A       130.161.129.121
$ host wendy.djo.tudelft.nl 192.5.36.36
wendy.djo.tudelft.nl    A       130.161.129.121

or run your own DNS server on your computer.

Kind regards
/Karl
---
Karl Hammar                    Aspö Data           [EMAIL PROTECTED]
Lilla Aspö 2340                                    Networks
S-742 94 Östhammar             +46 173 140 57      Computers
Sweden                         +46 70 511 97 84    Consulting
---
Re: grsec patch over debian 2.4.20 kernel
> Hi folks,
>
> I got the last 2.4.20 kernel with apt-get install. I want to patch it
> with grsec, but I met many times the following message:
> "Reversed (or previously applied) patch detected! Assume -R? [n]"
> When I answered "yes" to all questions, the kernel compilation had failed.
> I think grsec patch have conflicts with already patched debian kernel
> source, so is there any debian kernel sources with grsec applied? I don't
> want to use plain (vanilla) kernel, because of its ptrace vulnerability.
> Thanks in advance.
>
> --- Ted Bukov ---

patch with -N to get rid of those questions. If some parts of the
patch fail otherwise, look in the .rej file and resolve the failed
parts by hand.

Regards,
/Karl
-------
Karl Hammar                    Aspö Data           [EMAIL PROTECTED]
Lilla Aspö 2340                                    Networks
S-742 94 Östhammar             +46 173 140 57      Computers
Sweden                         +46 70 511 97 84    Consulting
-------
Re: Debian Kernel's and FreeSwan
> First and foremost, as the issue will probably demonstrate I'm relative
> to Linux, so bear with me.
> Basically I am trying to get FreeSwan to run as server, but can't get
> the patch to work.
> All my systems are running debian 3.0r0, and kernel 2.4.18 (my own
> make).
> My System(s):
> 1) HP Netserver LS 5/166: 2 Intel Pentium 166, 128 MB RAM, running
> stable.
> 2) Pentium III-550, 128 MB RAM, running unstable/testing
> 3) Pentium 200 MMX, 64 MB RAM, running stable.
>
> For you freeswan people (this message was cross posted to freeswan and
> debian mail lists). Debian has its own method of installing/making a
> kernel, and although I can compile one with what I assume to be the
> regular way, I'd prefer to do it the Debian way, and I am having
> problems with that.
>
> Anyway I can successfully complete and install a compiled kernel, but I
> am only trying to add a freeswan patch, so I have no idea if it's just
> my syntax or the specific package.
>
> I have the freeswan kernel patch, it exists in
> /usr/src/kernel-patches/all/, as well it exists in .../apply and
> .../unpatch.
>
> I then proceed to the kernel build directory and type make-kpkg
> --added-patches freeswan kernel_image, then install it dpkg -i
> (filename). I have also tried 'set PATCH_THE_KERNEL=YES' also tried
> sticking something akin to that in the .config file to no avail. I
> have searched google, can't find the guide I had a long time ago (been
> trying for a few months). Anyone have any ideas, or can point me towards
> a guide, that will go STEP by STEP.
>
> Thanks,
>
>
> Steve Ramage.
...

Here is what I did (sort of).

cd /usr/src
apt-get install kernel-source-2.4.20
wget ftp://kalle.csb.ki.se/pub/linux/debian/pool/main/f/freeswan/freeswan_1.99-5_i386.deb
wget ftp://kalle.csb.ki.se/pub/linux/debian/pool/main/f/freeswan/kernel-patch-freeswan-ext_1.99-5_all.deb
wget ftp://kalle.csb.ki.se/pub/linux/kernel/people/hvr/testing/patch-int-2.4.20.1.gz
wget ftp://kalle.csb.ki.se/pub/linux/kernel/people/hvr/testing/loop-jari-2.4.20.0.patch
cd kernel-source-2.4.20
zcat ../patch-int-2.4.20.1.gz | patch -p1
patch -p1 < ../loop-jari-2.4.20.0.patch
../kernel-patches/all/apply/freeswan
make-kpkg --config menuconfig --append_to_version -fw-1 kernel_image

or

PATCH_THE_KERNEL=YES make-kpkg --config menuconfig --append_to_version -fw-1 --added_patches freeswan kernel_image

Regards,
/Karl
---
Karl Hammar                    Aspö Data           [EMAIL PROTECTED]
Lilla Aspö 2340                                    Networks
S-742 94 Östhammar             +46 173 140 57      Computers
Sweden                         +46 70 511 97 84    Consulting
---
Re: Debian Kernel's and FreeSwan
You seem to have used the freeswan patch in testing. It has the choice
to use an x86 optimised aes and a non optimised one. Don't choose both,
choosing both gives you this error.

> Well continuing the problem, I have moved from the original one,
> appended at the bottom. Now something else is wrong, basically the
> following output. I had to use 'export PATCH_THE_KERNEL=YES' (thanks
> Kenneth). Now the kernel compile asks me a bunch of IPSEC questions and
> then later it does this. I have done a make-kpkg clean, and a make dep,
> on both systems. There doesn't seem to be anything wrong. I did download
> the freeswan package. Is there anything else I need?
>
> Steve Ramage
>
> /usr/src/kernel-fermat/net/ipsec/ext/ipsec_ext_aes-opt.c(.text+0x9c):
> multiple definition of `ipsec_aes_init'
> ipsec_aes.o(.text+0x10c):/usr/src/kernel-fermat/net/ipsec/ext/ipsec_ext_
> aes.c: first defined here
> ld: Warning: size of symbol `ipsec_aes_init' changed from 283 to 123 in
> ipsec_aes-opt.o
> ipsec_aes-opt.o: In function `AES_cbc_encrypt':
> /usr/src/kernel-fermat/net/ipsec/ext/libaes-opt/aes_cbc.c:8: multiple
> definition of `aes_encrypt'
> ipsec_aes.o:/usr/src/kernel-fermat/net/ipsec/ext/libaes/aes_cbc.c:9:
> first defined here
> make[5]: *** [ipsec_ext_static.o] Error 1
> make[5]: Leaving directory `/usr/src/kernel-fermat/net/ipsec/ext'
> make[4]: *** [ext/ipsec_ext_static.o] Error 2
> make[4]: Leaving directory `/usr/src/kernel-fermat/net/ipsec'
> make[3]: *** [first_rule] Error 2
> make[3]: Leaving directory `/usr/src/kernel-fermat/net/ipsec'
> make[2]: *** [_subdir_ipsec] Error 2
> make[2]: Leaving directory `/usr/src/kernel-fermat/net'
> make[1]: *** [_dir_net] Error 2
> make[1]: Leaving directory `/usr/src/kernel-fermat'
> make: *** [stamp-build] Error 2
>
> -----Original Message-----
> From: Steve Jr Ramage [mailto:[EMAIL PROTECTED]
> Sent: April 5, 2003 05:36
> To: '[EMAIL PROTECTED]'; 'debian-security@lists.debian.org'
> Subject: Debian Kernel's and FreeSwan
>
>
> First and foremost, as the issue will probably demonstrate I'm relative
> to Linux, so bear with me.
...
> Steve Ramage.
...

Regards,
/Karl
---
Karl Hammar                    Aspö Data           [EMAIL PROTECTED]
Lilla Aspö 2340                                    Networks
S-742 94 Östhammar             +46 173 140 57      Computers
Sweden                         +46 70 511 97 84    Consulting
---
Re: Stupid package installer wanted: uppity robots need not apply
> On Thu, Mar 13, 2003 at 12:09:17PM -0500, Burton Windle wrote:
> > dpkg?
> >
> > dpkg -i filename.deb
>
> Not even close. For instance:
>
> PKGLIST="modutils- another+ another2+"
> apt-get -y install $PKGLIST
>
> will fail. If you do it at the lower level:
>
> PKGLIST1="modutils"
> for pkg in $PKGLIST1; do
>     yes | dpkg --purge $pkg
> done
> PKGLIST2="another.deb another2.deb"
> for pkg in $PKGLIST1; do

You probably mean $PKGLIST2 here, as written it reinstalls modutils.

>     yes | dpkg --install $pkg
> done
>
> will also fail to remove modutils.
>
> I've just been chatting with BDale and he suggested
> I talk to people on debian-boot as there actually
> is no current good hands-off option.
>
> --
> --
>    IN MY NAME:    Dale Amon, CEO/MD
>    No Mushroom clouds over    Islandone Society
>    London and New York.       www.islandone.org
> --

If you are desperate you could always extract the package yourself and
install it "by hand", but that is probably not what you wanted:

$ ar -t mpage_2.5.3-1_i386.deb
debian-binary
control.tar.gz
data.tar.gz
$ ar -x mpage_2.5.3-1_i386.deb
$ cat debian-binary
2.0
$ tar ztf control.tar.gz
./
./md5sums
./control
$ tar zxf control.tar.gz
$ cat control
Package: mpage
Version: 2.5.3-1
Section: text
Priority: optional
Architecture: i386
...
$ cat md5sums
7892f5b1dd260b1ac7b55ec327ffb6dd  usr/lib/mpage/CP850.PC
...
f6f1f0f1975ee35e54b4ce0438a8053b  usr/share/doc/mpage/changelog.Debian.gz
$ tar ztf data.tar.gz
./
./usr/
./usr/lib/
./usr/lib/mpage/
./usr/lib/mpage/CP850.PC
...
./usr/share/doc/mpage/TODO.gz
./usr/share/doc/mpage/changelog.Debian.gz

Dale Amon <[EMAIL PROTECTED]>, Thu, 13 Mar 2003 16:37:08 +:
...
> No "add the following 10 switches to force that action".
...

dpkg -i --force-all "$@"

One switch to force that action.

Regards,
/Karl
---
Karl Hammar                    Aspö Data           [EMAIL PROTECTED]
Lilla Aspö 2340                                    Networks
S-742 94 Östhammar             +46 173 140 57      Computers
Sweden                         +46 70 511 97 84    Consulting
---
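The ar/tar session above shows the three members of a .deb and the md5sums file shipped in control.tar.gz. The following is an added example, not code from the thread or from dpkg: it builds a small constructed .deb in memory (same member layout as `ar -t` shows), parses the ar container by hand, and checks every file in data.tar.gz against the md5sums member, which is the integrity check a hand-unpacker should do before copying files into place. The package name `sample`, its contents and the digests are all constructed.

```python
"""Hand-unpack a .deb and verify data.tar.gz against its md5sums (added example)."""
import hashlib
import io
import tarfile

AR_MAGIC = b"!<arch>\n"


def _ar_member(name: str, data: bytes) -> bytes:
    """Encode one ar(1) member: fixed 60-byte header, then data padded to even length."""
    hdr = (f"{name:<16}" f"{0:<12}" f"{0:<6}" f"{0:<6}"     # name, mtime, uid, gid
           f"{'100644':<8}" f"{len(data):<10}" "`\n").encode()  # mode, size, terminator
    assert len(hdr) == 60
    return hdr + data + (b"\n" if len(data) % 2 else b"")


def _tar_gz(files: dict) -> bytes:
    """Build a gzip'ed tar with the given {path: bytes} members."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_deb(data_files: dict, md5sums_override: str = None) -> bytes:
    """Construct a minimal .deb (a constructed sample, not a real Debian package)."""
    md5sums = md5sums_override
    if md5sums is None:   # same format as the md5sums file dpkg ships: "<md5>  <path>"
        md5sums = "".join(f"{hashlib.md5(c).hexdigest()}  {p}\n" for p, c in data_files.items())
    control = "Package: sample\nVersion: 0.1-1\nArchitecture: all\n"
    control_tar = _tar_gz({"./control": control.encode(), "./md5sums": md5sums.encode()})
    data_tar = _tar_gz({"./" + p: c for p, c in data_files.items()})
    return (AR_MAGIC
            + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar.gz", control_tar)
            + _ar_member("data.tar.gz", data_tar))


def ar_members(blob: bytes) -> dict:
    """Parse an ar archive into {name: bytes} (what `ar -t` lists and `ar -x` extracts)."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos, members = len(AR_MAGIC), {}
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("bad ar member header")
        name = hdr[0:16].decode().rstrip().rstrip("/")   # GNU ar writes "name/"
        size = int(hdr[48:58])
        members[name] = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)                     # members are 2-byte aligned
    return members


def _read_tar_gz(blob: bytes) -> dict:
    """{path-without-leading-./: bytes} for regular files in a gzip'ed tar."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for m in tar:
            if m.isfile():
                name = m.name[2:] if m.name.startswith("./") else m.name
                out[name] = tar.extractfile(m).read()
    return out


def verify_deb(blob: bytes) -> dict:
    """Return {path: 'ok' | 'mismatch' | 'unlisted' | 'missing'} for data.tar.gz vs md5sums."""
    members = ar_members(blob)
    if members.get("debian-binary", b"").strip() != b"2.0":
        raise ValueError("unsupported deb format version")
    control = _read_tar_gz(members["control.tar.gz"])
    data = _read_tar_gz(members["data.tar.gz"])
    expected = {}
    for line in control.get("md5sums", b"").decode().splitlines():
        digest, _, path = line.partition("  ")
        expected[path] = digest
    result = {}
    for path, content in data.items():
        if path not in expected:
            result[path] = "unlisted"          # shipped file nobody vouched for
        elif hashlib.md5(content).hexdigest() == expected[path]:
            result[path] = "ok"
        else:
            result[path] = "mismatch"          # content differs from what md5sums claims
    for path in expected:
        if path not in data:
            result[path] = "missing"
    return result


if __name__ == "__main__":
    files = {"usr/bin/hello": b"#!/bin/sh\necho hello\n"}
    good = build_deb(files)
    print(sorted(ar_members(good)))            # like `ar -t`
    print(verify_deb(good))
    tampered = build_deb(files, md5sums_override="0" * 32 + "  usr/bin/hello\n")
    print(verify_deb(tampered))
```

Note that md5sums only covers what the package author listed; a maintainer-script or a file outside data.tar.gz is not checked by this, and md5 itself is not collision resistant, so this verifies that the unpack matches the manifest, not that the package is authentic. Authenticity comes from the signed Release/Packages chain apt uses, which a hand `ar -x` skips entirely.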
Re: Blocking sub-range of IP addresses
> It would be useful to have something that would take
> an IP address range and return the minimum coverage
> CIDR for that block (for use in feeding to iptables).
>
> For example, if I want to allow access for hosts
> 1.2.3.1 - 1.2.3.4, I currently can allow them
> individually or just allow the entire /24. But is
> there any easier way to allow ip ranges in iptables,
> short of doing each individual IP or generalizing to a
> class boundary? Can ipsc do this easily?
>
> Thanks,
> Josh
...

I don't really have that, but attached program gives you the longest
common prefix for a few ip's.

$ ./ipnumber -p 192.168.93.3 192.168.93.2 192.168.93.1
192.168.93.0/30 (255.255.255.252)
$ ./ipnumber -p 192.168.90.3 192.168.2.28
192.168.0.0/17 (255.255.128.0)

Regards,
/Karl
-------
Karl Hammar                    Aspö Data           [EMAIL PROTECTED]
Lilla Aspö 2340                                    Networks
S-742 94 Östhammar             +46 173 140 57      Computers
Sweden                         +46 70 511 97 84    Consulting
-------

/**
 ** Copyright: Karl Hammar, Aspö Data
 ** Copyright terms: GPL
 **/

#include
#include
#include
#include
#include
#include
#include
#include

/* int function return value: 0 == SUCCESS, else error */

/*
 * Ip numbers (or addresses, same thing different names)
 * are just 32 bit unsigned integers
 * the numbers we are used to (e.g. "192.168.1.3")
 * are only a way to present those ip numbers for humans.
 * That format is called dotted quad, since it consists of
 * four ("quad") numbers with dots between.
 *
 * These two routines convert between the human and computer
 * way of seeing the ip numbers
 */
int dot2num( char *dotted_quad, uint32_t *num);
/* len is length of dotted_quad buffer.
 * len >= INET_ADDRSTRLEN, see man inet_ntop */
int num2dot( uint32_t num, char *dotted_quad, size_t len);

/* convert so can print/read binary numbers, sorry printf/scanf don't do this */
int str2num( char *str, uint32_t *num, char **ptr);
/* the buffers length (len) must be at least 33 characters long (32 digits + one '\0') */
int num2str( uint32_t num, char *buffer, size_t buflen);

/*
 to help routers, ip numbers are split in two parts:
 the first is a network prefix and the latter is computer
 (or host, well actually interface) number on that network

 It works like
   ip_address = network_number + computer_number_on_that_network

 You can compare it to a memory buffer,
   address (aka. ip number) = buffer_pointer (aka. network) + offset (aka. host number on that network)

 This helps routers since they don't have to store routes to all hosts
 they only have to keep records of networks.

 Also "network" is not necessarily the same thing as a LAN. Network is
 just all computers with some common top bits in their ip numbers
 (note: "common top bits" i.e. ALL bits before the split, and remember
 ip numbers is a simple unsigned integer) that you can reach if you go
 along a given route.

 Subnetting is really that simple! But the dotted quad format makes it
 hard to see and understand. Why -- because the dot makes the split
 between network and host part hard to see.

 By counting number of bits in the prefix we get the prefix length,
 which is the same number as used in the cidr notation.

 Public example:
        hostname        ip number       as binary
        www.ibm.com     129.42.17.99    10000001001010100001000101100011
        www.ge.com      216.74.139.56   11011000010010101000101100111000
        common prefix                   1
        prefix length                   1

 Local example:
        calcit          192.168.93.1    11000000101010000101110100000001
        hematit         192.168.93.2    11000000101010000101110100000010
        granat          192.168.93.37   11000000101010000101110100100101
        common prefix                   11000000101010000101110100
        prefix length                   26

 The bit positions where the prefix is, are called network bits, and
 the others (representing the host part) are called the host bits.

 The ip number with address 0 on a network is called the "network
 address" and it is that number which goes into the routing table
 along with the prefix length.

 Another related number is the broadcast address. It is useful on an
 ethernet LAN. The broadcast address is by convention the last address
 of a network. The network address is only meaningful for routing,
 i.e. in the IP-layer, and the broadcast address has the same meaning
 as the ip number. A given host accepts packets to that address as
 destined to itself and it has no meaning besides that and that all
 hosts on a given physical (or end) network should have the same
 broadcast address so you easily can address them all. So, the
 broadcast address does not have a meaning for all networks.

 To tell the world about a network, we
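The comment block above explains prefixes as plain bit arithmetic on 32-bit integers, and the `ipnumber -p` runs show the longest common prefix of a few addresses. The following is an added example written for this thread, not Karl's ipnumber program: it reimplements the common-prefix computation on raw integers and, going one step beyond the post, also answers Josh's original question by splitting an arbitrary range such as 1.2.3.1-1.2.3.4 into the smallest set of CIDR blocks that covers it exactly, which is what you would feed to iptables instead of widening to a /24. The function and rule names are mine.

```python
"""Longest common prefix and exact minimal CIDR cover, on raw 32-bit integers (added example)."""


def dot2num(dotted: str) -> int:
    """'192.168.93.3' -> 0xC0A85D03: the unsigned integer behind the dotted quad."""
    parts = dotted.split(".")
    if len(parts) != 4:
        raise ValueError(f"bad address {dotted!r}")
    num = 0
    for p in parts:
        octet = int(p)
        if not 0 <= octet <= 255:
            raise ValueError(f"bad octet in {dotted!r}")
        num = (num << 8) | octet
    return num


def num2dot(num: int) -> str:
    return ".".join(str((num >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def num2bin(num: int) -> str:
    """32-digit binary string, the 'as binary' column in the comment above."""
    return format(num, "032b")


def prefix_to_mask(plen: int) -> int:
    return (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF


def common_prefix(addrs):
    """Return ('network/len', 'netmask') for the longest prefix all addrs share."""
    nums = [dot2num(a) for a in addrs]
    plen = 32
    # shorten the prefix one bit at a time until every address has the same network bits
    while plen > 0:
        if len({n & prefix_to_mask(plen) for n in nums}) == 1:
            break
        plen -= 1
    mask = prefix_to_mask(plen)
    return f"{num2dot(nums[0] & mask)}/{plen}", num2dot(mask)


def range_to_cidrs(first: str, last: str):
    """Smallest list of CIDR blocks covering exactly [first, last], e.g. 1.2.3.1-1.2.3.4."""
    lo, hi = dot2num(first), dot2num(last)
    if lo > hi:
        raise ValueError("range start is after range end")
    blocks = []
    while lo <= hi:
        # grow the block starting at lo while it stays aligned to its size and inside the range
        plen = 32
        while plen > 0:
            size = 1 << (32 - (plen - 1))
            if lo % size != 0 or lo + size - 1 > hi:
                break
            plen -= 1
        blocks.append(f"{num2dot(lo)}/{plen}")
        lo += 1 << (32 - plen)
    return blocks


def iptables_rules(first: str, last: str, chain: str = "INPUT", target: str = "ACCEPT"):
    """One iptables rule per covering block instead of one rule per host."""
    return [f"iptables -A {chain} -s {block} -j {target}" for block in range_to_cidrs(first, last)]


if __name__ == "__main__":
    for name, addr in (("www.ibm.com", "129.42.17.99"), ("www.ge.com", "216.74.139.56")):
        print(f"{name:16}{addr:16}{num2bin(dot2num(addr))}")
    print(*common_prefix(["192.168.93.3", "192.168.93.2", "192.168.93.1"]))
    print(*common_prefix(["192.168.90.3", "192.168.2.28"]))
    for rule in iptables_rules("1.2.3.1", "1.2.3.4"):
        print(rule)
```

The two approaches answer different questions: `common_prefix` gives the one block that contains all the listed hosts, which may also admit hosts you did not list (192.168.0.0/17 covers 32766 addresses for two hosts), while `range_to_cidrs` never admits an address outside the range at the cost of several rules. For an allow rule the second is the safer default.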
Re: [OT] secure, minimal Debian installation for linux-based thin clients?
> > Towards the end of the Debian installation process, when you're asked
> > whether you want to run tasksel or dselect, you can choose dselect
> > and
> > exit it before installing any packages. If you do that, you're left
> > with a really minimal install. You might be able to base your work
> > on
> > this.
> since this is the way I usually work and I've tried to build a debian
> based thin client myself. I can say that woody base contains a lot
> of packages which you really don't want/need on a thin client.
>
> Gr,
>
> Ivo van Dongen
...

One way to do it is to have:

# ls -l
total 56
...
drwxr-xr-x   19 root     root         4096 Oct 20 11:08 deb
...
lrwxrwxrwx    1 root     root           33 Nov 30  2001 e2fs_stage1_5 -> ../grub-0.90/stage2/e2fs_stage1_5
lrwxrwxrwx    1 root     root           22 Nov 30  2001 grub -> ../grub-0.90/grub/grub
-rw-r--r--    1 root     root          502 Oct 20 11:32 mkdisk
...
drwxr-xr-x    6 root     root         4096 Nov 28  2001 add
-rw-r--r--    1 root     root         2491 Oct 20 11:23 pkg.list
drwxr-xr-x   19 root     root         4096 Dec  4  2001 slim
lrwxrwxrwx    1 root     root           26 Nov 30  2001 stage1 -> ../grub-0.90/stage1/stage1
lrwxrwxrwx    1 root     root           26 Nov 30  2001 stage2 -> ../grub-0.90/stage2/stage2
-rwxr-xr-x    1 root     root          573 Oct 20 11:11 trimming
...
-rwxr-xr-x    1 root     root          800 Oct 20 11:17 updhostname...

where "deb" is a minimal install of debian:

# chroot deb dpkg --get-selections > pkg.list

"add" is whatever custom things you want to add and "slim" is a
generated trimmed down root of the thin clients.

# du -s deb add slim
99304   deb
4352    add
42092   slim

you generate slim with trimming, and customize it to a specific client
with updhostname..., and write to disk with mkdisk. Later you can
update the clients with mirrordir (found with apt-get install mirrordir).
Regards,
/Karl
---
Karl Hammar                    Aspö Data           [EMAIL PROTECTED]
Lilla Aspö 2340                +46 173 140 57      Networks
S-742 94 Östhammar             +46 18 26 09 00     Computers
Sweden                         +46 10 270 26 67    Consulting
---

#!/bin/sh
# mkdisk: partition /dev/hdc, copy the prepared root onto it, install grub

if [ $# = 0 ]
then
	echo Usage:
	echo "	mkdisk "
	exit 1
fi
UNITID=$1

dd if=/dev/zero of=/dev/hdc count=50
sfdisk -uM /dev/hdc <<EOF
0,30,L,*
,
;
EOF
mkfs.ext2 /dev/hdc1
mkfs.ext2 /dev/hdc2
#mkswap /dev/hdc2
mount /dev/hdc1 mnt
mkdir mnt/usr
mount /dev/hdc2 mnt/usr
cp -a current/* mnt
chroot mnt updhostname... $1 $2
umount mnt/usr
umount mnt
./grub --batch <<EOT 2>/dev/null
root (hd2,0)
install /boot/stage1 (hd2) /boot/stage2 p
quit
EOT

#!/bin/sh
# updhostname...: give a copied root its own ip number, hostname and ssh host keys

IP=$1
HOSTNAME=$2
root=$3

# need at least the ip number and the hostname
if [ $# -lt 2 ]
then
	cat <<EOF
Usage: $0 <ip-number> <hostname> [<root>]
Synopsis: change hostname ip-number
EOF
	exit 1
fi

export LANG=C
perl -pi.org -e "s/172\.16\.0\.1/$IP/" $root/etc/network/interfaces
perl -pi.org -e "s/HOSTNAME/$HOSTNAME/" \
	$root/etc/exim/exim.conf
echo $HOSTNAME > $root/etc/hostname
echo $HOSTNAME > $root/etc/mailname
ALIAS=`echo $HOSTNAME | sed -e 's/\..*$//'`
echo "$IP	$HOSTNAME $ALIAS" >> $root/etc/hosts

# every client gets its own host keys; never ship the keys of the master copy
umask 022
rm $root/etc/ssh/ssh_host_*key
ssh-keygen -t rsa1 -N '' -f $root/etc/ssh/ssh_host_key # >/dev/null
ssh-keygen -t rsa  -N '' -f $root/etc/ssh/ssh_host_rsa_key # >/dev/null
ssh-keygen -t dsa  -N '' -f $root/etc/ssh/ssh_host_dsa_key # >/dev/null

#!/bin/sh
# trimming: rebuild slim from the base root plus add, then strip what a thin client doesn't need

rm -rf slim/*
cp -a all/* slim
cp -a add/* slim
cd slim
mv etc/cron.d/exim etc/cron.daily/0exim
rm etc/cron.*/sysklogd
rm etc/resolv.conf
rm -rf lib/modules/*
rm -rf var/lib/apt
rm -rf var/lib/dpkg
rm -rf var/cache/*
rm -f var/spool/cron/crontabs/uucp
cd usr
#rm lib/gconv/???
cd share
rm -rf unidata/*
rm -rf man/*
rm -rf doc/*
rm -rf keymaps/{amiga,atari,mac,sun}	# brace expansion: needs bash as /bin/sh
rm -rf info/*
# keep only the one zone we use; find must be given ./zoneinfo for the grep anchor to match
find ./zoneinfo -type f | grep -v '^./zoneinfo/Europe/Stockholm$' | xargs rm
rm -rf terminfo
ln -s ../../etc/terminfo .
cd locale
ls | grep -v en$ | grep -v sv | xargs rm -rf

adduser		install
adjtimex	install
apt		install
apt-utils	install
at		install
base-files	install
base-passwd	install
bash		install
bsdmainutils	install
bsdutils
Re: System Accounts
Adam Spickler <[EMAIL PROTECTED]>:
> Hello,
> In /etc/passwd verify that they are actually loginable. Some
> daemons/programs, etc need an account to run, but don't actually
> need to login. This would be for security reasons, so you don't run
> it as root, thus, making it harder for someone to exploit your
> server and gain root access.
>
> -Adam
>
> On Mon, Oct 14, 2002 at 09:47:42AM -0400, R. Bradley Tilley wrote:
> > Hello,
> >
> > I am experimenting with a Debian system to be used as a firewall/gateway. I am
> > using Debian 3.0 with the 2.4.18 kernel. I did a basic install selecting the
> > Unix server task. Just wondering why there are so many accounts with shell
> > access installed by default?
> >
> > games, irc, news, gnats, lp, uucp, operator, backup, etc.
> >
> > For security reasons, I would like to remove these accounts, but I don't
> > understand how the system uses them, or if it uses them at all. Can someone
> > explain this? Also, what are the bare minimum accounts?
> >
> > Thank you,
> > Brad
...

Also, we use the login name <-> uid conversion present in /etc/passwd
and the ability to control access to files by virtue of using different
uids for different purposes:

# egrep '(games|irc|news|gnats|lp|uucp|operator|backup)' passwd
games:x:5:100:games:/usr/games:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
operator:x:37:37:Operator:/var:/bin/sh
irc:x:39:39:ircd:/var:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh

But the shell doesn't have to be a valid login shell. Setting the shell
to /bin/false might help.

mysql and sshd do run on my box:

# grep false passwd
identd:x:100:65534::/var/run/identd:/bin/false
telnetd:x:102:102::/usr/lib/telnetd:/bin/false
cvs:x:103:103::/home/cvsroot:/bin/false
smmsp:x:105:105:Mail Submission Program,,,:/var/lib/sendmail:/bin/false
oftpd:x:101:65534::/home/oftpd:/bin/false
sshd:x:104:65534::/var/run/sshd:/bin/false
mysql:x:106:106:MySQL Server:/var/lib/mysql:/bin/false
dictd:x:107:107::/home/dictd:/bin/false

And the account should be disabled like in:

# egrep '(games|irc|news|gnats|lp|uucp|operator|backup)' shadow
games:*:11700:0:9:7:::
lp:*:11700:0:9:7:::
news:*:11700:0:9:7:::
uucp:*:11700:0:9:7:::
backup:*:11700:0:9:7:::
operator:*:11700:0:9:7:::
irc:*:11700:0:9:7:::
gnats:*:11700:0:9:7:::

Regards,
/Karl
---
Karl Hammar            Aspö Data           [EMAIL PROTECTED]
Lilla Aspö 2340        +46 173 140 57      Networks
S-742 94 Östhammar     +46 18 26 09 00     Computers
Sweden                 +46 10 270 26 67    Consulting
---
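The two checks Karl's reply describes, a login shell that is not /bin/false and a shadow entry that is not locked, as an added audit script that is not part of the thread; the passwd/shadow sample entries are constructed from the excerpts above, and treating nologin as equivalent to /bin/false is an assumption the post does not make.

```shell
#!/bin/sh
# Added example (not from the list post): audit the system accounts in a
# passwd/shadow pair for a real login shell and for a password field that
# is not locked. Sample entries are constructed from the thread's excerpts.

PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
games:x:5:100:games:/usr/games:/bin/sh
operator:x:37:37:Operator:/var:/bin/sh
sshd:x:104:65534::/var/run/sshd:/bin/false
brad:x:1000:1000:Brad:/home/brad:/bin/bash'

# constructed: games is locked ('*'), operator has an EMPTY password field
SHADOW_SAMPLE='root:$1$constructed$hash:11700:0:99999:7:::
games:*:11700:0:9:7:::
operator::11700:0:9:7:::
sshd:*:11700:0:9:7:::
brad:$1$constructed$hash:11700:0:99999:7:::'

# audit_accounts PASSWD_TEXT SHADOW_TEXT [MAX_SYSTEM_UID]
# Prints "name: shell=... password=unlocked" for every system account
# (0 < uid < MAX_SYSTEM_UID, default 1000) whose shell is not /bin/false
# or nologin (assumption: both count as "no login"), or whose shadow
# password is not locked with '*' or '!' (an empty field means login
# without any password). Output is sorted; nothing printed means clean.
audit_accounts() {
  printf '%s\n%s\n' "$1" "$2" | awk -F: -v maxuid="${3:-1000}" '
    NF == 7 { uid[$1] = $3 + 0; shell[$1] = $7; next }   # passwd line
    NF == 9 { locked[$1] = ($2 ~ /^[*!]/) ? 1 : 0 }       # shadow line
    END {
      for (n in uid) {
        if (uid[n] == 0 || uid[n] >= maxuid) continue
        issues = ""
        if (shell[n] !~ /\/(false|nologin)$/)
          issues = issues " shell=" (shell[n] == "" ? "(empty)" : shell[n])
        if (!(n in locked) || !locked[n])
          issues = issues " password=unlocked"
        if (issues != "") printf "%s:%s\n", n, issues
      }
    }' | sort
}

audit_accounts "$PASSWD_SAMPLE" "$SHADOW_SAMPLE"
```

On a live box feed it `"$(cat /etc/passwd)" "$(cat /etc/shadow)"` as root; each line it prints is a candidate for `usermod -s /bin/false` and `passwd -l`.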
Re: Packet log
According to http://www.isi.edu/in-notes/iana/assignments/port-numbers

cpq-wbem        2301/tcp    Compaq HTTP
cpq-wbem        2301/udp    Compaq HTTP

Regards,
/Karl
---
Karl Hammar            Aspö Data           [EMAIL PROTECTED]
Lilla Aspö 2340        +46 173 140 57      Networks
S-742 94 Östhammar     +46 10 270 26 67    Computers
Sweden                                     Consulting
---

From: "David Priban" <[EMAIL PROTECTED]>
Subject: Packet log
Date: Tue, 27 Mar 2001 02:16:38 -0500

> I have been seeing a lot of these entries in my logs lately.
> Could this be some sort of legitimate traffic triggering this ipchains rule?
> Or is it just a plain spoofing attempt by someone?
>
> Thanks David
>
> kernel: Packet log: input DENY eth1 PROTO=17 127.0.0.1:2301
> 255.255.255.255:2301 L=240 S=0x00 I=674 F=0x T=128 (#2)
> kernel: Packet log: input DENY eth1 PROTO=17 127.0.0.1:2301
> 255.255.255.255:2301 L=40 S=0x00 I=801 F=0x T=128 (#2)
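An added parser for the ipchains "Packet log:" lines quoted above (example code, not from the thread): it names the destination port from a small IANA subset like the one Karl cites and flags what makes these entries odd, a 127.0.0.1 source arriving on eth1 and a limited-broadcast destination. The sample lines are the two from David's post re-joined onto one line each.

```shell
#!/bin/sh
# Added example (not from the list): classify ipchains "Packet log:" entries.
# The two sample entries below are the ones quoted in the post, unwrapped.
SAMPLE_LOG='kernel: Packet log: input DENY eth1 PROTO=17 127.0.0.1:2301 255.255.255.255:2301 L=240 S=0x00 I=674 F=0x T=128 (#2)
kernel: Packet log: input DENY eth1 PROTO=17 127.0.0.1:2301 255.255.255.255:2301 L=40 S=0x00 I=801 F=0x T=128 (#2)'

# classify_packet_log < logfile
# One output line per entry:
#   chain verdict iface proto src -> dst (#rule) service=NAME [flags]
classify_packet_log() {
  awk '
    BEGIN {
      # small, well-known subset of the IANA port list (2301 as in the reply)
      svc["2301/udp"] = "cpq-wbem"; svc["2301/tcp"] = "cpq-wbem"
      svc["53/udp"]   = "domain";   svc["22/tcp"]   = "ssh"
      svc["80/tcp"]   = "http";     svc["137/udp"]  = "netbios-ns"
      pname[1] = "icmp"; pname[6] = "tcp"; pname[17] = "udp"
    }
    /Packet log:/ {
      sub(/.*Packet log: */, "")
      # fields: chain verdict iface PROTO=n src:port dst:port L= S= I= F= T= (#rule)
      proto = substr($4, 7) + 0
      pn = (proto in pname) ? pname[proto] : "proto" proto
      split($5, s, ":"); split($6, d, ":")
      key = d[2] "/" pn
      name = (key in svc) ? svc[key] : "unknown"
      flags = ""
      # a loopback source on a real interface cannot be genuine
      if (s[1] ~ /^127\./ && $3 != "lo") flags = flags " loopback-source-on-" $3
      if (d[1] == "255.255.255.255")      flags = flags " broadcast-dst"
      printf "%s %s %s %s %s -> %s %s service=%s%s\n", $1, $2, $3, pn, $5, $6, $NF, name, flags
    }'
}

printf '%s\n' "$SAMPLE_LOG" | classify_packet_log
```

For the quoted entries this prints the udp 2301 service name with both flags set: the port matches a Compaq management agent broadcasting on the LAN, while the 127.0.0.1 source is not a valid origin on eth1, so the DENY is the right outcome either way.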