Re: VLC missing from Debian Testing repository!
On Sat, Aug 04, 2007 at 02:45:30AM +0530, Masatran, R. Deepak wrote:
> * Franck Joncourt <[EMAIL PROTECTED]> 2007-08-03
> > On Fri, Aug 03, 2007 at 11:08:16PM +0530, Masatran, R. Deepak wrote:
> > > I am looking for VLC. Aptitude is unable to locate it, so I looked at the
> > > website. I find that it is present in Stable, Unstable, and OldStable, but
> > > not in Testing <http://packages.debian.org/vlc>!
> >
> > http://packages.qa.debian.org/v/vlc.html
>
> Is there some temporary solution to install it on Debian Testing?

You may want to get it from :

http://snapshot.debian.net/

or from unstable or stable :

=> man apt_preferences may help you.

--
Franck Joncourt
http://www.debian.org - http://smhteam.info/wiki/
GPG server : pgpkeys.mit.edu
Fingerprint : C10E D1D0 EF70 0A2A CACF 9A3C C490 534E 75C0 89FE
signature.asc
Description: Digital signature

Re: VLC missing from Debian Testing repository!
On Fri, Aug 03, 2007 at 11:08:16PM +0530, Masatran, R. Deepak wrote:
> I am looking for VLC. Aptitude is unable to locate it, so I looked at the
> website. I find that it is present in Stable, Unstable, and OldStable, but
> not in Testing <http://packages.debian.org/vlc>!
>

More information on this page :

http://packages.qa.debian.org/v/vlc.html

--
Franck Joncourt

Re: SSH daemon doesn't accept incoming connections
Maybe there is something around :

> > debug1: An invalid name was supplied
> > A parameter was malformed
> > Validation error

wrong username.

--
Franck Joncourt

Re: how to use dpkg to list some packages
On Tue, May 08, 2007 at 02:02:03PM +0200, Maik Beckmann wrote:
> On Tuesday, 8 May 2007 13:24:37, Jörg-Volker Peetz wrote:
> > Serena Cantor wrote:
> > > I use sarge, your command does not work.
> >
> > Sorry, that's my typo. It must be
> > aptitude search !~i~sdoc
> > --
>
> this results in:
> $ aptitude search !~i~sdoc
> bash: !~i~sdoc: event not found
> but
> $ aptitude search \!~i~sdoc
> works.
>

dpkg -l | grep -i my_package ?

--
Franck Joncourt

Re: Closed Ports problem
> 2007/5/7, Franck Joncourt <[EMAIL PROTECTED]>:
> >On Mon, May 07, 2007 at 11:30:52AM -0300, Lucas Prado Melo wrote:
> >> My computer is running Debian Etch. At the beginning, everything was
> >> fine but after I'd tried to change my proxy configurations some ports
> >> seemed to be closed. Iceweasel and other internet browsers are working
> >> fine, but I can't play wesnoth over the internet or use aMsn, Gaim and
> >> MLDonkey. I still can use sftp and telnet.
> >> I didn't have installed any firewall...
> >> What can I do to fix it?
> >>
> >> Ps: The proxy configurations may be not related to the problem.
> >>
> >
> >What about the MTU value ?
> >You can get it from the ifconfig command.
> >
> >Mine :
> >
> >bond0 Lien encap:Ethernet HWaddr 00:17:31:A3:FF:31
> >      inet adr:192.168.0.1 Bcast:192.168.0.255
> >      Masque:255.255.255.0
> >      adr inet6: fe80::217:31ff:fea3:ff31/64 Scope:Lien
> >      UP BROADCAST RUNNING MASTER MULTICAST MTU:1500 Metric:1
> >      RX packets:21042 errors:0 dropped:0 overruns:0 frame:0
> >      TX packets:21580 errors:0 dropped:0 overruns:0 carrier:0
> >      collisions:0 lg file transmission:0
> >      RX bytes:2621709 (2.5 MiB) TX bytes:18100026 (17.2 MiB)
> >
> >So 1500 here.
> >
On Mon, May 07, 2007 at 10:56:07PM -0300, Lucas Prado Melo wrote:
> Take a look at the output of my ifconfig output
>
> eth0 Link encap:Ethernet HWaddr 00:0D:87:A0:0B:00
>      inet addr:192.168.1.126 Bcast:192.168.1.127 Mask:255.255.255.252
>      inet6 addr: fe80::20d:87ff:fea0:b00/64 Scope:Link
>      UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
>      RX packets:1630 errors:0 dropped:0 overruns:0 frame:0
>      TX packets:2973 errors:0 dropped:0 overruns:0 carrier:0
>      collisions:0 txqueuelen:1000
>      RX bytes:595487 (581.5 KiB) TX bytes:439844 (429.5 KiB)
>      Interrupt:185 Base address:0xe800
>
> lo   Link encap:Local Loopback
>      inet addr:127.0.0.1 Mask:255.0.0.0
>      inet6 addr: ::1/128 Scope:Host
>      UP LOOPBACK RUNNING MTU:16436 Metric:1
>      RX packets:8 errors:0 dropped:0 overruns:0 frame:0
>      TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
>      collisions:0 txqueuelen:0
>      RX bytes:560 (560.0 b) TX bytes:560 (560.0 b)
>

It may be a stupid question, but are you sure your proxy can work on
those special ports (wesnoth, amsn, gaim ...) ?

--
Franck Joncourt

Re: Closed Ports problem
On Mon, May 07, 2007 at 11:30:52AM -0300, Lucas Prado Melo wrote:
> My computer is running Debian Etch. At the beginning, everything was
> fine but after I'd tried to change my proxy configurations some ports
> seemed to be closed. Iceweasel and other internet browsers are working
> fine, but I can't play wesnoth over the internet or use aMsn, Gaim and
> MLDonkey. I still can use sftp and telnet.
> I didn't have installed any firewall...
> What can I do to fix it?
>
> Ps: The proxy configurations may be not related to the problem.
>

What about the MTU value ?
You can get it from the ifconfig command.

Mine :

bond0 Lien encap:Ethernet HWaddr 00:17:31:A3:FF:31
      inet adr:192.168.0.1 Bcast:192.168.0.255 Masque:255.255.255.0
      adr inet6: fe80::217:31ff:fea3:ff31/64 Scope:Lien
      UP BROADCAST RUNNING MASTER MULTICAST MTU:1500 Metric:1
      RX packets:21042 errors:0 dropped:0 overruns:0 frame:0
      TX packets:21580 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 lg file transmission:0
      RX bytes:2621709 (2.5 MiB) TX bytes:18100026 (17.2 MiB)

So 1500 here.

--
Franck Joncourt

Re: [OT] Favoured Firewall
On Thu, Apr 26, 2007 at 05:30:03PM -0500, Sam Leon wrote:
>
> Michael Dominok wrote:
> > On Wednesday, 25.04.2007, at 15:05 -0400, Celejar wrote:
> > Well, on this list our (including me) favorite firewall is Shorewall,
> > Well, is it? Mine's IPCop, though.
>
> I have used smoothwall for 3 years now. I think I might change to pfsense
> soon though. It has native multi wan support with load balancing and fall
> over.
>

An iptables script, just because it helps me to understand how things
work.

--
Franck Joncourt

Re: iptables not behaving the way I expected
On Sun, Apr 22, 2007 at 10:38:42PM -0400, Jim Hyslop wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> Franck Joncourt wrote:
> > I do not think the same way you do. If you are not running any servers,
> > except ssh
>
> I never said that. I said that ssh is the only port forwarded from the
> firewall to the machine. The machine is used internally for various
> services (intranet, CVS, DHCP, and a few others).
>
> H... does that mean I should really set up two machines, one in a
> DMZ for my ssh services, and the other for my internal services?

It is up to you ! I should say I am a bit paranoiac about security :p!

> > ? I control traffic for the OUTPUT chain to prevent some backdoors, if
> > there is one, from causing damages to my computer by bypassing normal
> > authentication.
>
> I think I see where you're coming from. I should set up my input and
> output chains to deny everything by default, and explicitly allow
> outgoing connections on whatever services the machine needs or provides.
> Is that what you're getting at?

Yes, this is exactly what I was thinking of when I wrote the first email.

--
Franck Joncourt

Re: (root) AUTH (crontab command not allowed)
On Wed, Apr 25, 2007 at 01:35:36AM +0200, Kay Smarczewski wrote:
> On Sun, Apr 15, 2007 at 11:06:41AM +0200, Franck Joncourt wrote:
> > On Sat, Apr 14, 2007 at 10:41:16AM +0200, Kay Smarczewski wrote:
> > > On Fri, Apr 13, 2007 at 07:02:09PM +0200, Franck Joncourt wrote:
> > > >
> > > > According to the manpage, root overrides the rights you put in both
> > > > /etc/cron.allow and /etc/cron.deny.
> > > >
> > > > So, have you tried just to remove root from those files, and see what
> > > > happened ?
> > > /etc/cron.deny doesn't exist. so from this file there should be no
> > > "danger".
> > > since if have removed root from cron.allow all goes the right way.
> > >
> > > but i don't understand that fact: if i add root to cron.allow i
> > > will explicitly grant executing crontab commands to root.
> > > if i don't add it to the file, access for root is granted by
> > > default.
> > >
> > > so i think it should not matter if which way i go, should it?
> >
> > I see your point, but it would not have come to my mind to add root to
> > /etc/cron.allow, or as for example, to /etc/shutdown.allow.
> Ok.
>
> I get still the messages. But it seems from an weekly executed command.
> Isn't there a way to see which command is not allowed to run?
>

It may seem quite simple, but what about enabling your weekly scripts
one by one in the /etc/cron.weekly/ directory ?

This is the only thing I have in mind right now.

--
Franck Joncourt

Re: iptables not behaving the way I expected
On Fri, Apr 20, 2007 at 11:41:28PM -0400, Jim Hyslop wrote:
> > You have defined ethLRZ, haven't you ?
>
> I have no idea. I just entered the rules as found in the blog. I assumed
> 'LRZ' was simply a place-holder for the actual interface number, as the
> iptables man page examples use '-i eth0' and not '-i ethLRZ'.
> I just googled ethLRZ, and other than the original blog and this thread,
> found nothing. The man page doesn't mention it either. So, what is it,
> and how do I know if it's defined?
>

This is the name of your interface connected to Internet. I suppose
ethLRZ was a variable containing the name of this interface.
You should replace it by the one you use.

> > You may have forgotten to set your default policy. According to what you
> > wrote, your default policy is ACCEPT for INPUT, FORWARD, and OUTPUT
> > chains. This is not safe, since you accept all incoming and outgoing
> > traffic.
>
> Well, I hope I don't sound cavalier about this, but until I added the
> above rules, I wasn't even running iptables. The machine is behind a
> hardware firewall, on a home network.

I do not know anything about hardware firewall, but I think it is not a
bad point to set up a firewall on your machine, as well.

> Only the ssh port is open on the
> firewall. The ssh daemon is configured only to accept public key
> authentication. What else can I do on the input side?
> On the output side, I really can't think of any rules that would make
> sense. What IP addresses would I block access to?
>
> The machine isn't configured to forward anything, so that's not (or
> shouldn't be) an issue.

I do not think the same way you do. If you are not running any servers,
except ssh, why other ports should be opened for *NEW* incoming traffic ?
I control traffic for the OUTPUT chain to prevent some backdoors, if
there is one, from causing damages to my computer by bypassing normal
authentication.

If you want to read more about iptables :

http://iptables-tutorial.frozentux.net/iptables-tutorial.html

--
Franck Joncourt

Re: iptables not behaving the way I expected
On Fri, Apr 20, 2007 at 10:35:23PM +0200, Franck Joncourt wrote:
>
> These are the rules I use for my ftp server, and it works fine :
>
> iptables -A lan_in_new -p tcp --syn --dport 21 -m recent \
>     --set --name ftp_hits_list2
> iptables -A wan_in_new -p tcp --syn --dport 21 -m recent --rcheck \
>     --seconds 300 --hitcount 4 --name ftp_hits_list2 -j reject_all

oups ! not 'wan_in_new' but 'lan_in_new'
Taken from an old release :p!

> iptables -A lan_in_new -p tcp --syn --dport 21 -j ACCEPT
>

--
Franck Joncourt

Re: iptables not behaving the way I expected
On Thu, Apr 19, 2007 at 09:18:45PM -0700, John L Fjellstad wrote:
> Jim Hyslop <[EMAIL PROTECTED]> writes:
>
> Hello, all
>
> I've set my SSH to accept only public key authorization, and forwarded
> port 22 from the Big Bad Internet to my Debian box. Predictably, I'm
> being hit by a lot of dictionary attempts to log in. A while back,
> someone posted a link in this list to a blog that gave an Iptables
> recipe to limit connections to 5 per minute per IP address. So, I issued
> the commands:
>
> iptables -A INPUT -i ethLRZ -p tcp --dport 22 -m state --state NEW \
>     -m recent --set --name SSH
>
> iptables -A INPUT -i ethLRZ -p tcp --dport 22 -m state --state NEW \
>     -m recent --update --seconds 60 --hitcount 5 --rttl --name SSH \
>     -j DROP
>

These are the rules I use for my ftp server, and it works fine :

iptables -A lan_in_new -p tcp --syn --dport 21 -m recent \
    --set --name ftp_hits_list2
iptables -A wan_in_new -p tcp --syn --dport 21 -m recent --rcheck \
    --seconds 300 --hitcount 4 --name ftp_hits_list2 -j reject_all
iptables -A lan_in_new -p tcp --syn --dport 21 -j ACCEPT

First of all, I add ip address to the list, then I update counters
(4hits/300s) and drop packets if it does not match these rules. Otherwise
I ACCEPT packets.

This is just an example you may have to update according to your default
policy and ruleset.

> but that didn't throttle back the attempts. I tried '-i eth0' instead of
> ethLRZ, but no effect.

What do you mean you tried *-i eth0* ?
You have defined ethLRZ, haven't you ?

> 'iptables -L' shows:
>

Take a look at *iptables -L -v* in order to make sure your rules are set
on the right interfaces. Moreover, you will be able to know how many
packets a rule has matched.

> Chain INPUT (policy ACCEPT)
> target prot opt source destination
>        tcp -- anywhere anywhere tcp dpt:ssh state NEW
> recent: SET name: SSH side: source
> DROP   tcp -- anywhere anywhere tcp dpt:ssh state NEW
> recent: UPDATE seconds: 60 hit_count: 5 TTL-Match name: SSH side: source
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination

You may have forgotten to set your default policy. According to what you
wrote, your default policy is ACCEPT for INPUT, FORWARD, and OUTPUT
chains. This is not safe, since you accept all incoming and outgoing
traffic.

--
Franck Joncourt

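A small Python model of the two `-m recent` SSH rules quoted in the message above, added here as an illustration (it is not code from the thread or from iptables). It replays constructed connection attempts to show what the rules do on the real interface, why rules bound to the literal placeholder `ethLRZ` never match so the ACCEPT policy decides everything, and what the per-rule packet counters of `iptables -L -v` would then show; the class and function names, addresses and timings are made up for the example.

```python
"""Toy model of iptables' `recent` match (constructed example, not kernel code).

Simplifications: every packet is a NEW TCP connection attempt, --rttl is
ignored, and the per-address timestamp list is unbounded.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    iface: str                    # -i
    dport: int                    # --dport
    mode: str                     # "set" or "update" (-m recent --set / --update)
    name: str                     # --name
    seconds: int = 0              # --seconds
    hitcount: int = 0             # --hitcount
    target: Optional[str] = None  # -j; None means "record only, keep going"
    pkts: int = 0                 # per-rule counter, as printed by `iptables -L -v`


class Chain:
    def __init__(self, rules, policy="ACCEPT"):
        self.rules = rules
        self.policy = policy
        self.lists = {}           # list name -> {source address: [timestamps]}

    def decide(self, t, src, iface, dport):
        """Return the verdict for one connection attempt arriving at time t."""
        for rule in self.rules:
            if rule.iface != iface or rule.dport != dport:
                continue          # wrong interface or port: rule is skipped
            stamps = self.lists.setdefault(rule.name, {}).setdefault(src, [])
            if rule.mode == "set":
                stamps.append(t)  # --set always matches and records the hit
                matched = True
            else:
                recent_hits = [s for s in stamps if t - s <= rule.seconds]
                matched = len(recent_hits) >= rule.hitcount
                if matched:
                    stamps.append(t)  # --update refreshes "last seen" on match
            if matched:
                rule.pkts += 1
                if rule.target:
                    return rule.target
        return self.policy        # nothing terminated: the chain policy decides


def ssh_limit_rules(iface):
    """The two SSH rules quoted in the thread, bound to the given interface."""
    return [
        Rule(iface, 22, "set", "SSH"),
        Rule(iface, 22, "update", "SSH", seconds=60, hitcount=5, target="DROP"),
    ]


def replay(chain, attempts, iface="eth0", dport=22):
    """Feed (time, source) attempts arriving on iface and collect the verdicts."""
    return [chain.decide(t, src, iface, dport) for t, src in attempts]


# Constructed traffic: one address retrying every 5 s, arriving on eth0.
ATTEMPTS = [(t, "203.0.113.9") for t in range(0, 50, 5)]

if __name__ == "__main__":
    for label, iface in (("rules on eth0", "eth0"), ("rules on ethLRZ", "ethLRZ")):
        chain = Chain(ssh_limit_rules(iface), policy="ACCEPT")
        verdicts = replay(chain, ATTEMPTS)
        print(label, verdicts, "pkts per rule:", [r.pkts for r in chain.rules])
```

In the model, the fifth attempt inside the 60-second window is the first one dropped, because `--set` has already recorded the current packet when `--update` counts the hits.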
Re: (root) AUTH (crontab command not allowed)
On Sat, Apr 14, 2007 at 10:41:16AM +0200, Kay Smarczewski wrote:
> On Fri, Apr 13, 2007 at 07:02:09PM +0200, Franck Joncourt wrote:
> >
> > According to the manpage, root overrides the rights you put in both
> > /etc/cron.allow and /etc/cron.deny.
> >
> > So, have you tried just to remove root from those files, and see what
> > happened ?
> /etc/cron.deny doesn't exist. so from this file there should be no
> "danger".
> since if have removed root from cron.allow all goes the right way.
>
> but i don't understand that fact: if i add root to cron.allow i
> will explicitly grant executing crontab commands to root.
> if i don't add it to the file, access for root is granted by
> default.
>
> so i think it should not matter if which way i go, should it?

I see your point, but it would not have come to my mind to add root to
/etc/cron.allow, or as for example, to /etc/shutdown.allow.

--
Franck Joncourt

Re: (root) AUTH (crontab command not allowed)
On Fri, Apr 13, 2007 at 10:55:52AM +0200, Kay Smarczewski wrote:
> On Tue, Apr 10, 2007 at 09:30:38PM +0200, Kay Smarczewski wrote:
> > On Tue, Apr 10, 2007 at 05:08:52PM +0300, Andrei Popescu wrote:
> > > Kay Smarczewski <[EMAIL PROTECTED]> wrote:
> > >
> > > > > Me too, and it works fine. I do not edit /etc/crontab, but prefer
> > > > > adding files to the cron directories.
> > > > > (/etc/cron.d, /etc/cron.hourly ...)
> > > > Checksecurity also installed itself this way. But I wonder why all
> > > > cron jobs work fine but this does not.
> > >
> > my crontabs are empty. i have removed the crontab for my user account
> > and the crontab for root with "crontab -r". so that is another problem:
> > i do not really know where to search for the "bad" command because the
> > error message is not very expressive. i seem it is the chkrootkit or the
> > checksecurity script. but i do not know.
> >
> > how can i find out which file is the bad one?
> ok, it seems the problem is gone. but i do not know why. i changed the
> group of cron.allow to "crontab" and removed the root user from
> cron.allow. but i do not see a connection between the error message and
> the changes.

According to the manpage, root overrides the rights you put in both
/etc/cron.allow and /etc/cron.deny.

So, have you tried just to remove root from those files, and see what
happened ?

--
Franck Joncourt

Re: eth0_rename
On Thu, Apr 12, 2007 at 09:31:00PM +0100, Hans du Plooy wrote:
> On Thu, 2007-04-12 at 22:07 +0200, Mathias Brodala wrote:
> > Hans du Plooy, 12.04.2007 22:00:
> > > When I load my wireless driver, be it ndiswrapper or bcm43xxx, the
> > > interface comes up as eth0_rename or wlan0_rename, and I see this in
> > > dmesg:
> > >
> > > ndiswrapper: changing interface name from 'wlan0' to 'wlan0_rename'
> > > usbcore: registered new interface driver ndiswrapper
> > >
> > > Anybody know why? It's not too much of a problem, the interface still
> > > works, it just looks out of place.
> >
> > Do you have ifrename installed? If yes, just get rid of it and run
> > /lib/udev/write_net_rules instead; this will generate udev-based persistent
> > naming rules for your network devices; you can modify them by editing the
> > file
> > /etc/udev/rules.d/z25_persistent-net.rules.
>
> Hi Thanks. I have looked at /etc/udev/rules.d/z25_persistent-net.rules
> before - the devicenames in there were correct but for some reason they
> were getting renamed. It seemed not to be reading that file but nothing
> turned up in the logs. And I don't have ifrename installed.
>
> I deleted the z25_persistent-net.rules before and
> ran /lib/udev/write_net_rules all_interfaces - it generated a new file
> with the device names as they currently were (with _rename). Edited the
> file, restarted udev and now it's right. Not sure why it didn't work
> right in the first place.
>

Is it still working after :

/etc/init.d/networking restart ?

--
Franck Joncourt

Re: apache2 + ssl
On Thu, Apr 12, 2007 at 01:27:46PM -0400, Greg Folkert wrote:
> On Thu, 2007-04-12 at 19:21 +0200, Franck Joncourt wrote:
> > Hi,
> >
> > > The package now comes with the mod_ssl DSO by default. There is no
> > > apache2-ssl like there was an apache-ssl.
> >
> > I have no problem with apache and ssl, but what does DSO mean ? =(
>
> http://www.google.com/search?q=Apache+DSO

Oups, I apologize for that.

> Dynamic Shared Object.

Thanks.

--
Franck Joncourt

Re: apache2 + ssl
Hi,

> The package now comes with the mod_ssl DSO by default. There is no
> apache2-ssl like there was an apache-ssl.

I have no problem with apache and ssl, but what does DSO mean ? =(

--
Franck Joncourt

Re: (root) AUTH (crontab command not allowed)
On Tue, Apr 10, 2007 at 12:29:07AM +0200, Kay Smarczewski wrote:
> Hello,

Hi,

> I get always the error message
> > (root) AUTH (crontab command not allowed)
> in my logs. I interpret this that root is not allowed to run crontab.
> But my cron.allow contains the root user:
> > cat /etc/cron.allow
> > root
> So root should be allowed to run crontab, shouldn't it?

By default, /etc/cron.allow and /etc/cron.deny do not exist, and it
means all users are able to run a crontab, root as well.

Are you sure you have to add root in /etc/cron.allow ? I believed it was
not compulsory.

> The rights on the files should be ok, I think:
> > -rw-r--r-- 1 root crontab /etc/cron.allow
> > -rwxr-sr-x 1 root crontab /usr/bin/crontab
> > drwx-wx--T 2 root crontab /var/spool/cron/crontabs/
>
> In my opinion, I get the warning since I have installed checksecurity.
> But tiger seems to work good and weekly. (I installed checksecurity at
> the same time like tiger.)
>
> I have read the manuals and searched for the problem in the net. But I
> did not found an answer.
>
> I am using cron version 3.0pl1-100 and Debian/Linux 4.0 AMD64.

Me too, and it works fine. I do not edit /etc/crontab, but prefer
adding files to the cron directories.
(/etc/cron.d, /etc/cron.hourly ...)

Hope it helps.

--
Franck Joncourt

Re: SSH port 22 is invisible from the internet!! :(
On Mon, Apr 09, 2007 at 07:33:31PM +0200, csanyipal wrote:
> On Mon, Apr 09, 2007 at 07:18:58PM +0200, Franck Joncourt wrote:
>
> $ sudo telnet 127.0.0.1 22
> Trying 127.0.0.1...
> Connected to 127.0.0.1.
> Escape character is '^]'.
> SSH-2.0-OpenSSH_4.3p2 Debian-9
> ^]
> Protocol mismatch.
> Connection closed by foreign host.

Good point. At least we know, your ssh server is running on port 22.

> > Afterwards, you could worry a bit more with iptables if it does not work.
>
> If the present iptables setup don't work, then I have no idea further how to
> setup iptables to solve this problem?
>
> Any advices will be appreciated!
>

Here is a piece of a script, which will allow you to connect through
ssh. (I have not checked out your iptables output)

###
# Flush rules
iptables -F
iptables -F -t nat
iptables -F -t mangle

# Remove user-defined chains
iptables -X
iptables -X -t nat
iptables -X -t mangle

# Reset counters
iptables -Z
iptables -Z -t mangle
iptables -Z -t nat

# Set policy for the filter table
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow ssh clients
iptables -A INPUT -i eth0 -p tcp --syn --dport 22 -m state --state NEW -j ACCEPT
###

Just written. So there may be some mistypes !

Otherwise, have you turned on the debug ?

[EMAIL PROTECTED]:~/smhfw$ ssh -v [EMAIL PROTECTED]
OpenSSH_4.3p2 Debian-9, OpenSSL 0.9.8e 23 Feb 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to sid [192.168.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/thialme/.ssh/identity type -1
debug1: identity file /home/thialme/.ssh/id_rsa type -1
debug1: identity file /home/thialme/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3p2 Debian-9
[...]

--
Franck Joncourt

Re: SSH port 22 is invisible from the internet!! :(
On Mon, Apr 09, 2007 at 03:01:32PM +0200, csanyipal wrote:
> Hello!
>
> I have installed on Etch openssh-client & openssh-server.
>
> I can to login to localhost with ssh.
>
> I want to allow a remote user to login with ssh on to my system.
>
> I use iptables as a firewall and have added a rule to open the port 22:
> $ sudo iptables -L
> ...
> target prot opt source   destination
> ACCEPT 0    --  anywhere anywhere    state
> RELATED,ESTABLISHED
> ACCEPT tcp  --  anywhere anywhere    tcp dpt:smtp
> ACCEPT tcp  --  anywhere anywhere    tcp dpt:ssh
> ACCEPT tcp  --  anywhere anywhere    tcp dpt:www
> ...
>
>
> I use a website
> http://wigwam.sztaki.hu:8080/varazslatok/tuzfalteszt.php
> to see whether is my port 22 visible and the test says that that the
> port 22 is invisible.
>
> The remote user can't to login with ssh too on to my system.
> My system has a FQDN csanyi-pal.info and a public IP: 85.222.164.132
>
> My exim4 and apache2 works fine, but ssh won't to works. :(
>
> Why is the port 22 invisible from the internet?
>
> Any advices will be appreciated!
>

First of all, if I were you, I would try to get an access to your ssh
server through 127.0.0.1.

# telnet 127.0.0.1 22

should display SSH banner. Something like this :

###
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
SSH-2.0-OpenSSH_4.3p2 Debian-9
^[
Connection closed by foreign host.
###

Afterwards, you could worry a bit more with iptables if it does not work.

--
Franck Joncourt

Re: Bonding problems
On Fri, Mar 30, 2007 at 07:39:05PM +0200, Listas Locatel wrote:
> Hi, I am configuring a bonding in linux (Debian) and I have many
> problems. Always Only one card it's receiving and sending packets.
>
> My config is:
>
> iface bond0 inet static
>     address 192.168.18.210
>     netmask 255.255.255.0
>     network 192.168.18.0
>     broadcast 192.168.18.255
>     gateway 192.168.18.254
>     up ifenslave bond0 eth0 eth1
>     down ifenslave -d bond0 eth0 eth1
>

Here is my configuration :

http://smhteam.info/wiki/index.linux.php5?wiki=ChannelBonding

The link is in French but you should be able to find what you need and
compare your configuration to mine. If you want more information, let
me know.

> Other problem is when I "ifdown" then bonding device the OS goes to a
> infinite loop and I have to shutdown uncleanly, it's strange
> I load the module with mode=0 and mode=4 options, with miimon=100 and
> without miimon option... I don't know. I haven't a 803.2ad switch
> capable and the mode=4 fails and it's OK.
>
> The ethernet cards I'm using are a Realtek 8169 (From DLINK and KTI) ..
> I don't know what can be the problem ...
>
> You know ??

Yes. I had the same problem using Realtek 8169, too. But as a matter of
fact, I get out of this mess by using two other cards.

So, you are not alone 8)!

--
Franck Joncourt

Re: Tool to monitor system downtimes?
On Wed, Mar 28, 2007 at 02:37:30PM -0600, Hugo Vanwoerkom wrote:
> Joerg Lange wrote:
> >Hi all,
> >
> >is there a simple tool to monitor high system loads and outages in debian?
> >
> >For me, it would be completely sufficient if there would be a tool
> >that samples every minute or every few minutes (e.g. in a cron job)
> >the system load and reports any issues to the user in a simple way
> >like this:
> >
> > day      > load 5 | > load 10 | > load 15 | DOWN
> >+-+-+--
> > 26.01.     6.31%  |   1.20%   |   0.53%   | 0.00%
> > 27.01.     6.31%  |   1.20%   |   0.53%   | 0.00%
> > 28.01.     6.31%  |   1.20%   |   0.53%   | 0.00%
> > 29.01.     6.31%  |   1.20%   |   0.53%   | 4.43%
> > 30.01.     6.31%  |   1.20%   |   0.53%   | 0.00%
> >+-+-+--
> > Average:   6.31%  |   1.20%   |   0.53%   | 1.31%
> >
> >Purpose is to get an overview about the "performance" of the server
> >provider in case of "sandbox" vservers, so where I would not be aware
> >of any issues like the server is not available some hours during
> >nighttime for example.
> >
> >I have started writing such a program in perl, it works great but
> >monitors only real downtimes at the moment, so not by system load as
> >the figure above indicates.

What about cacti :

http://cacti.net/

Could it be of any help to you ?

--
Franck Joncourt

Re: nVidia MCP55 (was: Slow internet on AMD64 running Etch)
On Sun, Mar 25, 2007 at 10:35:11PM +0200, Florian Kulzer wrote:
> On Sun, Mar 25, 2007 at 22:17:35 +0200, Florian Kulzer wrote:
> > On Sun, Mar 25, 2007 at 07:24:25 -0700, Dave Stephenson wrote:
> >
> > [...]
> >
> > > The network interface is integrated into the Asus M2N-e motherboard
> > >
> > > from lspci:
> > > 00:08.0 Bridge: nVidia Corporation MCP55 Ethernet (rev a2)
> > >
> > > from ifconfig
> > > eth0 Link encap:Ethernet HWaddr 00:18:F3:86:8C:92
> > > inet addr:192.168.0.7 Bcast:192.168.0.255 Mask: 255.255.255.0
> > > UP BROADCAST RUNNING MULTICAST MTU:576 Metric:1
>                                        ^^^
>
> I had missed this when I sent my last message: Your MTU (Maximum
> Transfer Unit) is a bit small. Try to run as root
>
> ifconfig eth0 mtu 1500

If this does not solve your problem, I will be able to give you more
information as I am using a M2N32-SLI ... motherboard. (So forcedeth
driver). It works fine for me.

--
Franck Joncourt

Re: restricting internet access for some users
On Sun, Mar 11, 2007 at 04:07:54PM -0400, H.S. wrote:
>
> Hello,
>
> On a computer connected to a router, which in turn is connected to the
> internet (more or less constantly), how do I restrict some users from
> accessing the internet.
>
> The lan is actually in a small community office. A couple of computers
> are for the staff, but a third is set aside for a number of public users
> to use. It is running Ubuntu. I was asked how to restrict internet
> access from that computer (for example, users should be allowed to
> connect to the internet only during certain hours of a day) on a user by
> user basis. I am more familiar with Debian, hence the query here.
> Apparently, they want the administrator to have free access, but
> restricted access for other users on that computer.

I have never used it before but you can take a look at the iptables
owner match.

http://iptables-tutorial.frozentux.net/iptables-tutorial.html#TABLE.OWNERMATCH

Hope it helps.

--
Franck Joncourt

Re: NTPDate Broken? (SOLVED)
On Sun, Mar 11, 2007 at 03:12:29PM -0400, Rick Thomas wrote:
> Based on your email address, you seem to be located in Israel. If
> so, do "host il.pool.ntp.org". That will give you the IP addresses
> of a small number of nearby ntp servers. Put three of them as
> servers in your /etc/ntp.conf and your /etc/default/ntpdate files,
> and mention all three as trusted in your firewall DMZ.
>

You may find one here, as well :
http://ntp.isc.org/bin/view/Servers/WebHome

--
Franck Joncourt

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Graphical bittorrent clients in etch
On Sun, Mar 11, 2007 at 12:33:16AM -0800, Steve Lamb wrote:
> Anyway, the point of this long message is that if anyone else is reading
> and not liking the prospect of Azureus, give uTorrent + Wine a try. Maybe
> someone will pick up Rufus and run with it as it is on Sourceforge. It's way
> above my level of Python-fu or I'd give it a shot. But wine + utorrent = 200x
> less CPU usage and 30x less RAM usage. That's not chump change for people
> with smaller boxes. :)

I do not know much about utorrent, and I have used Azureus before.
Now, I use torrentflux : http://www.torrentflux.com/

It is based on php, and as I have an apache 2 server running on my debian,
I am able to start, upload torrents from other workstations. You can manage
different accounts as well. I think it's a pretty useful package.

--
Franck Joncourt

Re: NTPDate Broken?
On Sat, Mar 10, 2007 at 12:59:07PM -0600, Ron Johnson wrote:
> On 03/10/07 12:34, David Baron wrote:
> > Has anyone had a problem with the more recent ntpdate from Sid?
> > Fix, Workaround?
> >
> > Cannot find suitable server.
>
> Works for me just fine with these NTP servers.

I have not seen any error about it over here.

--
Franck Joncourt

Re: Empty crontab
On Sat, Mar 10, 2007 at 02:57:01PM +0200, Andrei Popescu wrote:
> Marko Randjelovic <[EMAIL PROTECTED]> wrote:
>
> > > If I am not mistaken crontab -e edits root's crontab, however,
> > > according to me, you are looking for /etc/crontab, aren't you ?
> > >
> >
> > I thought root's crontab is /etc/crontab. Thanks. Which command then
> > to run to edit this file (sometime ago I read it is not recommended
> > to edit it directly)?
>
> From 'man crontab'
>
> "Each user can have their own crontab, and though these are files
> in /var/spool/cron/crontabs, they are not intended to be edited
> directly."
>
> No mention about /etc/crontab. Someone correct me if I'm wrong, but
> AFAIU you are safe to edit it.

From 'man /etc/crontab' :

# /etc/crontab: system-wide crontab
# Unlike any other crontab you don’t have to run the ‘crontab’
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

It seems you can do it !

--
Franck Joncourt

Re: Empty crontab
On Sat, Mar 10, 2007 at 01:15:18PM +0100, Marko Randjelovic wrote:
> Franck Joncourt wrote:
> >On Sat, Mar 10, 2007 at 12:49:19PM +0100, Marko Randjelovic wrote:
> >
> >>I see tasks from directories /etc/cron.* are ran regularly, but when I
> >>run "crontab -e" as root, the file is empty. Where are these tasks
> >>scheduled? I am asking because I want to know at what time of the day
> >>are tasks from cron.daily ran and how to change it.
> >>
> >
> >If I am not mistaken crontab -e edits root's crontab, however, according
> >to me, you are looking for /etc/crontab, aren't you ?
> >
> >
> I thought root's crontab is /etc/crontab. Thanks. Which command then to
> run to edit this file (sometime ago I read it is not recommended to edit
> it directly)?
>

Looking at /etc/crontab you can see when cron.hourly and its friends start.
I think if you want to add some tasks for the root user, you can add them
to /etc/cron.d, /etc/cron.hourly ... according to your needs. I would do it
this way.

--
Franck Joncourt

Re: Empty crontab
On Sat, Mar 10, 2007 at 12:49:19PM +0100, Marko Randjelovic wrote:
> I see tasks from directories /etc/cron.* are ran regularly, but when I
> run "crontab -e" as root, the file is empty. Where are these tasks
> scheduled? I am asking because I want to know at what time of the day
> are tasks from cron.daily ran and how to change it.

If I am not mistaken crontab -e edits root's crontab, however, according
to me, you are looking for /etc/crontab, aren't you ?

--
Franck Joncourt

Re: Thoughts on zsh? (was Re: vim like completion in bash?)
On Tue, Mar 06, 2007 at 10:47:40AM -0500, cga2000 wrote:
> > I was also surprised that bash can do this. I played around with it a
> > bit and found that my bash can do the "*xx*" completion only if I
> > do not source /etc/bash_completion. I have to choose between having the
> > "*xx*" completion behavior and having the handy features offered by
> > /etc/bash_completion. I use bash 3.1dfsg-8 on a Sid system.
> >
> > Can anybody confirm this? Is this a bug or a consequence of the way
> > /etc/bash_completion works? (I would expect that bash_completion is
> > supposed to add features without removing existing ones.)
>

I wrote in an other email :

> > I may have missed something ; I am running Sid.
> > Enabling bash completion, it does not work. However, without bash
> > completion it does work ! Where is the trick ?

Well, so I am not crazy. That is good :p!
I had the same behaviour on Sid (bash : 3.1dfsg-8) and Etch (bash 3.1dfsg-8).

> Maybe the "problem" is caused by the use of for two different
> mechanisms:
>
> 1. "completion" .. you type the first 0-n characters of an entity, hit
>    and bash will complete what you typed if only one match is
>    found and beep otherwise. In the latter case you can issue a second
>    and bash will display the list of matches. This feature is
>    programmable - ie. you can define completion rules to filter
>    out entities that do not make sense in a given context.
>
> 2. "pathname expansion": you use special characters and .. optionally
>    literals to build a pattern, hit and bash expands your pattern
>    into a list of matching entities.
>
> Since pathname expansion returns a list of fully-named entities it seems
> that a different filtering mechanism than programmable completion would
> be needed: something that lets you filter out fully-named entities that
> do not make sense in a given context -- rather than what programmable
> completion offers: conditionally completing your input according to the
> rules specified in /etc/bash_completion.
>
> Kinda hard to explain but it doesn't strike me as a bug -- functional
> or otherwise.

--
Franck Joncourt

Re: vim like completion in bash?
On Mon, Mar 05, 2007 at 02:04:05AM -0500, cga2000 wrote:
> On Sun, Mar 04, 2007 at 06:54:45PM EST, Steve Lamb wrote:
> > Wayne Topa wrote:
> > > zhengquan zhang([EMAIL PROTECTED]) is reported to have said:
> > >> Hello:
> > >> I can :e *doc* in vim, pressing tab and it can help me find the document
> > >> I need,
> > >> but in bash if I use vi *doc* and press tab, nothing would happen, it can
> > >> not find the file I want to edit
> > >> Is there any switches to make it possible?
> > >> Thank you.
> > >
> $ mkdir ss
> $ touch ss/tt ss/uu
> $ vim ss/*t* +/* results in */
> $ vim ss/tt
>
> $ rm -rf ss

I may have missed something ; I am running Sid.
Enabling bash completion, it does not work. However, without bash
completion it does work ! Where is the trick ?

--
Franck Joncourt

Re: relaying POP3
On Sun, Mar 04, 2007 at 10:14:06AM -0700, [EMAIL PROTECTED] wrote:
> Debian Users,
>
> My favourite MUA has an implementation of POP3
> which is not compatible with the POP3 of my ISP.
>
> Until I can fix POP3 in the MUA, I want my
> home Debian router machine to fetch messages
> from the ISP and deliver them by POP3 to my
> workstation.
>
> Currently fetchmail and exim get messages from
> the ISP and put them in /var/mail/peter. I can
> read them with mutt. What packages and
> configurations are needed to allow forwarding
> via POP3?

What about setting up qpopper on your router to get messages to your
workstation ?

--
Franck Joncourt

Re: vim like completion in bash?
On Sun, Mar 04, 2007 at 05:47:43PM +0800, Zhengquan Zhang wrote:
> I mean bash can not expand the wildcard after I press tab.
> In a directory, there are two files: aaa and bbb
> I type vi *aa* in the command line and press tab
> it can not be expanded to vi aaa
> I want this kind of effect although it may not be possible.
>
> Thank you.
>

I do not see any solution except for the writing of a little bash script.
Something like that :

<<<<<
#!/bin/sh
# List every file whose name contains $1, then open the last match in vim.
for file in *"$1"*; do
    echo "$file"
done
vim "$file"
<<<<<

./test.sh aaa should work if you have only one file.
To make it easy to use you can add an alias in your .bashrc file.

--
Franck Joncourt

Re: vim like completion in bash?
On Sun, Mar 04, 2007 at 04:48:53PM +0800, Zhengquan Zhang wrote:
> thank you,
> ok I will try zsh then.
>
> On Sun, Mar 04, 2007 at 12:33:10AM -0800, Steve Lamb wrote:
> > zhengquan zhang wrote:
> > > I can :e *doc* in vim, pressing tab and it can help me find the document
> > > I need,
> > > but in bash if I use vi *doc* and press tab, nothing would happen, it
> > > can not find the file I want to edit
> > > Is there any switches to make it possible?

Maybe I have not understood your problem, but are you looking for bash
completion ? If you are, enable it in /etc/bash.bashrc.

--
Franck Joncourt

Re: Two identical usb networking cards problem
On Sat, Mar 03, 2007 at 04:34:37PM +, Wackojacko wrote:
> David Fokkema wrote:
> >It is irritating
> >to discover that linux does not log everything (as I always tell windows
> >users who're tracking down fathomable problems).
> >
> >David
> >
> >
> Just had a quick look at /etc/udev/ and it may be worth uncommenting the
> log lines in some or all of the files here.
>
> e.g. the last line of hotplug.rules has an additional logging function,
> it may help you track down what happens when you insert the device which
> is not happening on boot?
>

Maybe you can try with the following rule, if the above solution does not
work :

SUBSYSTEM=="net", ACTION=="add", RUN+="/bin/sh -c 'echo FOUND NETWORK INTERFACE %k >/dev/console'"

I did not test it :p! But it might help.

--
Franck Joncourt

Re: Two identical usb networking cards problem
On Sat, Mar 03, 2007 at 02:19:20PM +0100, David Fokkema wrote:
> Hi group,

Hi,

> I installed debian etch on an NSLU2. It has an internal network card
> which is brought up automatically at boot time. I have two additional
> usb network cards attached to a hub which are identical. Only one of
> them is brought up at boot time. Which one, that is (well, seems to be,
> anyway) completely random,

:-/

>
> My /etc/network/interfaces:
> # This file describes the network interfaces available on your system
> # and how to activate them. For more information, see interfaces(5).
>
> # The loopback network interface
> auto lo
> iface lo inet loopback
>
> # The primary network interface
> allow-hotplug eth0
> iface eth0 inet static
>     address 192.168.20.10
>     netmask 255.255.255.0
>
> allow-hotplug eth1
> iface eth1 inet static
>     address 192.168.31.10
>     netmask 255.255.255.0
>
> allow-hotplug eth2
> iface eth2 inet dhcp
>     pre-up ethtool -s eth2 autoneg off speed 10
>
>
> If I change the allow-hotplug to auto, my problem is solved.
> My question: how can I find out which daemon/script is bringing up my
> two out of three interfaces and how can I make sure it brings up all
> three (without resorting to auto lines, apparently allow-hotplug should
> work).
>

Take a look here :
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=403706

The following commands are your friends :

# ip link
or
# ifconfig -a

If you can see an interface named ethX_rename or something like that,
it means udev messed it up. You can fix it by writing udev rules. This is
the way I do to ensure my interfaces get the right name.

By the way, you can see the name supplied by udev :

<<<<<<<<<<<
sid:/var/lib# cat /etc/udev/rules.d/z25_persistent-net.rules
# This file was automatically generated by the /lib/udev/write_net_rules
# program, probably run by the persistent-net-generator.rules rules
# file.
#
# You can modify it, as long as you keep each rule on a single line.

# Firewire device 0011d8b05f6c (ohci1394)
SUBSYSTEM=="net", DRIVERS=="?*", ATTRS{address}=="00:11:d8:00:00:b0:5f:6c", NAME="eth0"

# PCI device 0x10de:0x0373 (forcedeth)
#SUBSYSTEM=="net", DRIVERS=="?*", ATTRS{address}=="00:17:31:a4:0b:4e", NAME="eth1"

# PCI device 0x10de:0x0373 (forcedeth)
#SUBSYSTEM=="net", DRIVERS=="?*", ATTRS{address}=="00:17:31:a3:ff:31", NAME="eth2"

# PCI device 0x1113:0x1211 (8139too)
#SUBSYSTEM=="net", DRIVERS=="?*", ATTRS{address}=="00:10:b5:e1:5c:e5", NAME="eth3"

# PCI device 0x10ec:0x8139 (8139too)
#SUBSYSTEM=="net", DRIVERS=="?*", ATTRS{address}=="00:08:a1:96:82:35", NAME="eth4"
<<<<<<<<<

Hope it helps.

--
Franck Joncourt

Re: Firestarter VS Shorewall
On Sat, Mar 03, 2007 at 08:08:36AM +, David Hart wrote:
> On Thu 2007-03-01 16:05:32 -0500 Roberto C. Sanchez wrote:
> > On Thu, Mar 01, 2007 at 09:45:41PM +0100, Franck Joncourt wrote:
> > > On Thu, Mar 01, 2007 at 11:56:41AM -0800, Jordi wrote:
> > > >
> > > > John, that seems to complicated for me, but seems good as it is a
> > > > hardware firewall.
> > > > Roverto, seems you like to do a control of all parameters, you must be
> > > > an expert. I will try to do as you say, and learn a bit.
> > >
> > > Want to set up a firewall ; it is better to know what you do :)!
> > > I started using iptables first, and now it is quite difficult to change,
> > > even to try other stuff. So if you want to learn more, take a look at the
> > > iptables tutorial. However, I should admit it is time consuming.
> >
> > Right, like when you want a firewall to manage a half-dozen different
> > zones on your network, which is connected to several different ISPs,
> > while performing traffic shaping functions?
>
> If you need to manage a half-dozen zones the chances are that you'll
> be doing packet filtering on specialized hardware so shorewall will
> be of no use.
>

I have never said using iptables was the best solution, however, I think
the understanding of netfilter/iptables might help. It is up to everyone
to choose whether they want to get a better understanding of what they
are doing, or not. He may not need to bother with all that.

Anyway, iptables, fwbuilder, shorewall and others have their own
advantages and drawbacks.

>
> > Having this in mind, do you know a good and simple solution? I will
> > have much time to learn for future, it is just to have a start point.
>
> I recommend
> http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO.html
> written by Rusty Russell, the initial author and one of the current main
> developers of iptables/netfilter.
>
> He shows a simple six line firewall script at
> http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO-5.html.

Here is the link I use where you can get pretty useful information (for the
future maybe 8)! ), as well :

- protocol description
- connection tracking
- iptables itself

http://iptables-tutorial.frozentux.net/iptables-tutorial.html

There are some examples too.

--
Franck Joncourt

Re: Firestarter VS Shorewall
On Thu, Mar 01, 2007 at 11:56:41AM -0800, Jordi wrote:
> I take note, John and Roberto.
>
> John, that seems to complicated for me, but seems good as it is a
> hardware firewall.
> Roverto, seems you like to do a control of all parameters, you must be
> an expert. I will try to do as you say, and learn a bit.
>

Want to set up a firewall ; it is better to know what you do :)!
I started using iptables first, and now it is quite difficult to change,
even to try other stuff. So if you want to learn more, take a look at the
iptables tutorial. However, I should admit it is time consuming.

http://iptables-tutorial.frozentux.net/iptables-tutorial.html

--
Franck Joncourt

Re: setting-up a dmz
mess-mate wrote:
> Roberto C. Sanchez <[EMAIL PROTECTED]> wrote:
> | On Sat, Feb 24, 2007 at 06:22:30PM +0100, mess-mate wrote:
> | >
> | > What did i wrong ??
> | >
> | No use shorewall? Not provide any actual log messages?
> |
> No shorewall, i prefer a own debian iptables firewall :)
> The only bad error messages are these i mentioned.
>
> But i've seen now after a reboot, just before grub come up,
> a message from 3Com to do the choice of MBA (?) and choosing XPE or
> TCP/IP, local..netware... and so what.Has to little time to see it
> exactly.

In order to log all messages you get at boot time, you can edit
/etc/default/bootlogd and change the option to yes. Everything will go to
/var/log/boot.

By the way, you can also change VERBOSE=no for VERBOSE=yes in the
/etc/default/rcS file to get more information.

> What does that mean ? Did a bought a netboot card ??
> Is a 3com detected as a RTL8139 by the kernel but with the 3C59x
> driver.
>

Right now, I do not know, but it should be easier to track the problem
down with a full message.

> Franck Joncourt <[EMAIL PROTECTED]> wrote:
> | mess-mate wrote:
> | > Hi list,
> |
> | Hi,
> |
> | > A '/etc/init.d/networking start' give an error about eth2:
> | > eth2: ERROR while getting interface flags: No such device.
> | >
> |
> | What about dmesg | grep eth2 ? Does it give to you more information on
> | the interface ? Are you sure, eth2 is used by your card. I mean, it may
> | be possible that this one is used by another resource.
> |
> A dmesg|grep eth give :
> eth1: VIA Rhine at 0x1e800, 00:80:c8:ec:92:b5, IRQ 10.
> eth1: MII PHY found at address 8, status 0x7809 advertising 05e1
> Link .
> eth2: RealTek RTL8139 at 0xec00, 00:e0:29:3c:34:bd, IRQ 12
> eth2: Identified 8139 chip type 'RTL-8139A'
> ( remark: 3C59x driver )
> eth1: link up, 10Mbps, half-duplex, lpa 0x
> eth0: setting half-duplex.
> ADDRCONF(NETDEV_UP): eth0: link is not ready
> eth1: no IPv6 routers present
> eth1: link up, 10Mbps, half-duplex, lpa 0x
> eth1: no IPv6 routers present
>
> Eth0 is normally connected to the modem but had to put the cable t
> another router to communicate. This is why the link of eth0 is not
> ready.
>

To me, it looks like a driver problem as you mentioned above about the
message you got at boot time.

--
Franck Joncourt

Re: setting-up a dmz
mess-mate wrote:
> Hi list,

Hi,

> A '/etc/init.d/networking start' give an error about eth2:
> eth2: ERROR while getting interface flags: No such device.
>

What about dmesg | grep eth2 ? Does it give to you more information on
the interface ? Are you sure, eth2 is used by your card. I mean, it may
be possible that this one is used by another resource.

> The 'lsmod' give : mii 5536 via_rhine, 8139too, 3c59x
> The 3 cards works.
>
> The internet connection seems on (checked syslog).
> but can't establish a connection 'links www.debian.org' nor from any
> other workstation.
>
> What did i wrong ??
>

--
Franck Joncourt

Re: Securing debian box
Alexander Wasmuth wrote:
> * Jim Hyslop wrote:
>
>> PermitRootLogin no
>> RSAAuthentication no
>> PubkeyAuthentication yes
>> IgnoreRhosts yes
>> RhostsRSAAuthentication no
>> HostbasedAuthentication no
>> PermitEmptyPasswords no
>> ChallengeResponseAuthentication no
>> PasswordAuthentication no
>> UsePAM yes
>> Subsystem sftp /usr/lib/openssh/sftp-server
>
> I've also added "Protocol 2" to omit ssh 1 and I set UsePam to no
> because I wasn't able to prohibit password authentication with PAM
> enabled.
>
> Restricting the allowed users is probably a good idea, too:
>
> AllowUsers you
>
> Also I am using iptables to limit the per-ip connection tries in a given
> amount of time: <http://www.debian-administration.org/articles/187>.
>
> Cheers,
> Alex
>
>

Hi,

Using "Protocol 2" should be more secure.

About changing the port 22 for another one, I would prefer to use port
knocking (iptables rules or knockd package) or something like that :
http://www.cipherdyne.com/fwknop/

Here is an example :

>>>>>>>>>>>>>>>>
etch:/home/franck# telnet 192.168.0.1 22
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character is '^]'.
SSH-2.0-OpenSSH_4.3p2 Debian-8
^[
Protocol mismatch.
Connection closed by foreign host.

As you can see, I get the SSH banner when I listen on port 22, and so do I
when I change it for port 1022.

etch:/home/franck# telnet 192.168.0.1 1022
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character is '^]'.
SSH-2.0-OpenSSH_4.3p2 Debian-8
^[
Protocol mismatch.
Connection closed by foreign host.
<<<<<<<<<<<<<<<<<<

Here is the explanation :
http://www.openssh.com/faq.html#2.14

Hope it helps.

--
Franck Joncourt

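An added example, not part of the thread: a small audit of an sshd_config against the settings quoted above. It also shows that sshd keeps the first value it reads for a keyword, so a hardening line appended after an earlier permissive one has no effect. The sample file and the account name alice are constructed.

```shell
#!/bin/sh
# Added example: audit the global section of an sshd_config against the
# settings quoted in this thread. Sample data below is constructed.

# first_value FILE KEYWORD
#   Print the value sshd would use for KEYWORD: keywords are case-insensitive
#   and the first occurrence wins. Parsing stops at the first Match block.
first_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*(#|$)/ { next }               # comments and blank lines
        {
            key = tolower($1)
            if (key == "match") exit
            if (key == want) { print tolower($2); exit }
        }' "$1"
}

# audit_sshd FILE
#   One "FAIL ..." line per finding; exit status 0 only when there are none.
audit_sshd() {
    file=$1; bad=0
    # keyword:required-value pairs taken from the configuration in the thread
    for pair in protocol:2 permitrootlogin:no passwordauthentication:no \
                permitemptypasswords:no challengeresponseauthentication:no \
                hostbasedauthentication:no ignorerhosts:yes \
                pubkeyauthentication:yes; do
        key=${pair%%:*}; want=${pair#*:}
        got=$(first_value "$file" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL $key: want '$want', found '${got:-unset}'"
            bad=$((bad + 1))
        fi
    done
    # Any AllowUsers line counts; who belongs on it is a local decision.
    if [ -z "$(first_value "$file" allowusers)" ]; then
        echo "FAIL allowusers: no AllowUsers restriction"
        bad=$((bad + 1))
    fi
    [ "$bad" -eq 0 ]
}

# Constructed sample: "PasswordAuthentication no" was appended at the end,
# but an earlier "yes" is still in the file and is the value that counts.
sample_appended_fix() {
    cat <<'EOF'
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
IgnoreRhosts yes
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PasswordAuthentication yes
AllowUsers alice
# hardening appended later; the earlier value has already been taken
PasswordAuthentication no
EOF
}

# Run the audit on the constructed sample when executed directly.
sample=$(mktemp) && sample_appended_fix > "$sample"
audit_sshd "$sample" || echo "sshd_config needs attention"
rm -f "$sample"
```

On a real host, point audit_sshd at /etc/ssh/sshd_config; a missing keyword is reported as unset because the check asks for each setting to be stated explicitly.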
Re: The following signatured couldn't be verified...
Michael S. Peek wrote:
> Hi gurus,
>
> I tried adding debian-multimedia.org to /etc/apt/sources.list and got
> the following warning:
>
>> W: GPG error: http://debian-multimedia.org etch Release: The following
>> signatures couldn't be verified because the public key is not
>> available: NO_PUBKEY 07DC563D1F41B907
>> W: You may want to run apt-get update to correct these problems
> I've re-run apt-get several times as per instruction, but to no avail.
> How do I make this go away?
>
> Thanks for your help,
>
> Michael Peek
>
>

Get the GPG key. It will be better afterwards :p!

--
Franck Joncourt

Re: executing ntpdate on boot - seems it doesn't work
Rick Thomas wrote:
>
> On Feb 17, 2007, at 5:34 PM, Franck Joncourt wrote:
>
>> Rolf Bode-Meyer wrote:
>>> Hi!
>>
>> Hi,
>>
>>> I currently try to figure out if ntpdate is called on boottime in my
>>> system or not.
>>>
>>> It *should* be called when the network interfaces come up (ifup),
>>> therefore the /etc/network/if-up.d/ntpdate is present. And it's indeed
>>> called when I manually call ifup -a after booting--an entry in the
>>> syslog then shows something like "adjust time server ... offset ...".
>>> But I don't see such a syslog entry for boottime, so I fear there's
>>> something wrong. Any ideas what that could be or how to be sure
>>> everything is ok?
>>>
>>
>> If it manually works, maybe you can add more lines to your
>> /etc/network/if-up/ntpdate file in order to track down where the
>> problem comes from.
>
> Try turning on bootlogd (change "No" to "Yes" in
> /etc/default/bootlogd). That will copy everything that goes onto the
> console (from the "S05" point on in rsS.d) into /var/log/boot .
>

I did not know that, thanks.

Maybe you can update your /etc/default/rcS file with the following
option : VERBOSE=yes, too. You should get more information at boot time.
I do not know whether it is going to help or not, but you can give it a
try.

>
>>>
>>> And another oddity: ifup is called by the network script which is
>>> rcS.d/S40networking. So if everything works well, ntpdate sets the
>>> system clock at S40. But *after* that S50hwclock.sh calls hwclock
>>> --hctosys which sets the system clock to the hardware clock.
>>> So doesn't hwclock needs to be called before ntpdate?
>>>
>>
>> According to me you are right, hwclock should be start before ntpdate,
>> since ntpdate sets the system clock, and as you said, hwclock sets the
>> hardware clock from the system clock. It would be odd to do it in a
>> different way. I have checked my rcS.d directory, and I have :
>> S11hwclock and S40networking.
>
> That's (S11hwclock.sh) where hwclock gets called on my Etch test machine
> too. I have no S50hwclock.sh on that machine.
>
> But I *do* have S18hwclockfirst.sh *and* S50hwclock in /etc/rcS.d on my
> Sarge server. So, did you upgrade this machine from Sarge?
>

By the way, I am running Sid.

> Actually, if you don't use dynamic networking (as on a laptop with WiFi
> and modems and such -- you can't tell where your next internet
> connection is coming from) then the current recommendation from the NTP
> maintainers is to use ntp, not ntpdate. The latest ntp included in Etch
> has the ability to sync the system clock quickly on reboot, thus making
> ntpdate unnecessary. The upstream NTP development group (Dave Mills et
> al) would like to have ntpdate go the way of the dodo-bird. The last
> remaining place where it's got a serious application is on machines with
> intermittent network connections.
>
> Enjoy!
>
> Rick

--
Franck Joncourt

Re: executing ntpdate on boot - seems it doesn't work
Rolf Bode-Meyer wrote:
> Hi!

Hi,

> I currently try to figure out if ntpdate is called on boottime in my
> system or not.
>
> It *should* be called when the network interfaces come up (ifup),
> therefore the /etc/network/if-up.d/ntpdate is present. And it's indeed
> called when I manually call ifup -a after booting--an entry in the
> syslog then shows something like "adjust time server ... offset ...".
> But I don't see such a syslog entry for boottime, so I fear there's
> something wrong. Any ideas what that could be or how to be sure
> everything is ok?
>

If it manually works, maybe you can add more lines to your
/etc/network/if-up/ntpdate file in order to track down where the
problem comes from.

>
> And another oddity: ifup is called by the network script which is
> rcS.d/S40networking. So if everything works well, ntpdate sets the
> system clock at S40. But *after* that S50hwclock.sh calls hwclock
> --hctosys which sets the system clock to the hardware clock.
> So doesn't hwclock needs to be called before ntpdate?
>

According to me you are right, hwclock should be started before ntpdate,
since ntpdate sets the system clock, and as you said, hwclock sets the
hardware clock from the system clock. It would be odd to do it in a
different way. I have checked my rcS.d directory, and I have :
S11hwclock and S40networking.

--
Franck Joncourt

Re: Introduction
Joe Hart wrote:
> Hello everyone,
>
> I just wanted to introduce myself. I am a new Debian Etch user. I've
> switched from Kubuntu since I read about the new partnership of Ubuntu
> and Linspire. While I think the merging of the systems might be a good
> idea for new Linux users, those who have some experience with Linux will
> most likely feel that CNR is not the way to go.

Welcome.

> Needless to say, I will do my best to contribute to THIS community and
> not THAT one. I find that both of those projects take far too much than
> they give back. If it weren't for Debian, neither would exist.
>
> I am looking forward to Etch being marked Stable, and am quite curious
> to what the name of the next Testing Branch will be.

Lenny.

--
Franck Joncourt
http://www.debian.org http://smhteam.info/wiki/
GPG server : pgpkeys.mit.edu
Fingerprint : C10E D1D0 EF70 0A2A CACF 9A3C C490 534E 75C0 89FE
Re: mysql server won't start,
tom arnall wrote:
> On Friday 09 February 2007 13:46, Alberto Isaac wrote:
>> 2007/2/9, tom arnall <[EMAIL PROTECTED]>:
>>> recently did upgrade of etch system and now mysql server won't start,
>>> system giving instead the msg:
>>>
>>> /var/log/mysql/mysql-bin.index' not found
>>>
>>> any ideas welcomed.

Hi,

Why don't you try to create it yourself? This file contains the path for all files in /var/log/mysql/.

sid:/var/www/apache2_ssl# ll /var/log/mysql/
total 67692
-rw-rw 1 mysql adm 29073807 2007-01-28 00:46 mysql-bin.000168
-rw-rw 1 mysql adm      117 2007-01-28 00:46 mysql-bin.000169
-rw-rw 1 mysql adm   510697 2007-01-28 00:46 mysql-bin.000170
-rw-rw 1 mysql adm      272 2007-01-28 00:46 mysql-bin.000171
-rw-rw 1 mysql adm      538 2007-01-28 00:46 mysql-bin.000172
-rw-rw 1 mysql adm      695 2007-01-28 00:46 mysql-bin.000173
-rw-rw 1 mysql adm      117 2007-01-28 00:46 mysql-bin.000174
-rw-rw 1 mysql adm    13823 2007-01-28 00:49 mysql-bin.000175
-rw-rw 1 mysql adm  4568005 2007-01-29 20:26 mysql-bin.000176
-rw-rw 1 mysql adm    13823 2007-01-29 20:30 mysql-bin.000177
-rw-rw 1 mysql adm    24697 2007-01-29 20:35 mysql-bin.000178
-rw-rw 1 mysql adm 18041971 2007-02-04 14:26 mysql-bin.000179
-rw-rw 1 mysql adm    24680 2007-02-04 14:33 mysql-bin.000180
-rw-rw 1 mysql adm  4265674 2007-02-05 23:06 mysql-bin.000181
-rw-rw 1 mysql adm 12626104 2007-02-09 23:10 mysql-bin.000182
-rw-rw 1 mysql adm      480 2007-02-05 23:07 mysql-bin.index

sid:/var/www/apache2_ssl# cat /var/log/mysql/mysql-bin.index
/var/log/mysql/mysql-bin.000168
/var/log/mysql/mysql-bin.000169
/var/log/mysql/mysql-bin.000170
/var/log/mysql/mysql-bin.000171
/var/log/mysql/mysql-bin.000172
/var/log/mysql/mysql-bin.000173
/var/log/mysql/mysql-bin.000174
/var/log/mysql/mysql-bin.000175
/var/log/mysql/mysql-bin.000176
/var/log/mysql/mysql-bin.000177
/var/log/mysql/mysql-bin.000178
/var/log/mysql/mysql-bin.000179
/var/log/mysql/mysql-bin.000180
/var/log/mysql/mysql-bin.000181
/var/log/mysql/mysql-bin.000182

Hope it helps.

--
Franck Joncourt
http://www.debian.org http://smhteam.info/wiki/
GPG server : pgpkeys.mit.edu
Fingerprint : C10E D1D0 EF70 0A2A CACF 9A3C C490 534E 75C0 89FE
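The suggestion in the message above, written out as an added example that is not part of the original thread: it regenerates an index in the one-path-per-line form of the `cat` output. The function names and the demo directory are made up for the illustration, and the logs are assumed to be named mysql-bin.NNNNNN as in the listing.

```shell
#!/bin/sh
# Added example (not from the thread): rebuild mysql-bin.index from the binary
# logs found in a directory, one path per line as in the `cat` output above.
# Assumes logs are named mysql-bin.NNNNNN, as in the listing.

# Print the path of every binary log in "$1". The shell expands the glob in
# sorted order, which is sequence order for zero-padded numbers.
# Returns 1 when the directory holds no binary logs.
list_binlogs() {
    dir=${1%/}
    found=1
    for f in "$dir"/mysql-bin.[0-9]*; do
        [ -f "$f" ] || continue            # an unmatched glob stays literal
        case ${f##*/mysql-bin.} in
            *[!0-9]*) continue ;;          # skip copies such as mysql-bin.000168.bak
        esac
        printf '%s\n' "$f"
        found=0
    done
    return "$found"
}

# Write the index beside the logs. Refuses to replace an existing index
# (return 2) and leaves nothing behind when there are no logs (return 1).
write_binlog_index() {
    dir=${1%/}
    index=$dir/mysql-bin.index
    if [ -e "$index" ]; then
        echo "$index already exists, not touching it" >&2
        return 2
    fi
    tmp=$index.tmp.$$
    if list_binlogs "$dir" > "$tmp"; then
        mv "$tmp" "$index"                 # rename so the index is never half-written
    else
        rm -f "$tmp"
        echo "no binary logs found in $dir" >&2
        return 1
    fi
}

# Demonstration on a constructed directory, not a real server.
demo=$(mktemp -d)
touch "$demo/mysql-bin.000168" "$demo/mysql-bin.000169" "$demo/mysql-bin.000169.bak"
write_binlog_index "$demo" && cat "$demo/mysql-bin.index"
rm -rf "$demo"
```

On a real server the new file would also need the same owner and group as its neighbours (mysql and adm in the listing above).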
Re: Default firewall in etch
Marc D Ronell <[EMAIL PROTECTED]> wrote:
> Hi,
>
> Thanks for all of the suggestions. Isn't there a *default* firewall
> install when you setup a basic version of etch? If I didn't specifically
> install a firewall, does that mean that there is currently no firewall
> setup?
>
> I am happy to write and work with iptables using a script from
> /etc/init.d, but I thought etch might have a *default* firewall
> pre-configured? Maybe not? :).
>
> Thanks,
>
> marc

I do not think there is a default firewall; in any case, I have never heard about it. The default policy is ACCEPT for all iptables chains.

--
Franck
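A way to check the state described in the reply above, as an added example that is not part of the original thread: it reads `iptables -S` style output and reports which built-in chains have an ACCEPT policy and no rules. Both rulesets are constructed samples and the function names are made up for the illustration; on a live host the input would come from `iptables -S` run as root.

```shell
#!/bin/sh
# Added example (not from the thread): classify filter-table chains from
# `iptables -S` output read on stdin.

# Constructed sample: a host on which nobody has configured a firewall.
SAMPLE_DEFAULT='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

# Constructed sample: a host that drops inbound traffic unless a rule allows it.
SAMPLE_FILTERED='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

# One line per built-in chain: <chain> <policy> <rule count> <verdict>
#   open          policy ACCEPT and no rules: nothing is filtered
#   policy-accept rules exist, but unmatched packets are still accepted
#   restricted    any other policy (for example DROP)
chain_report() {
    awk '
        $1 == "-P" { policy[$2] = $3; order[++n] = $2 }
        $1 == "-A" { rules[$2]++ }
        END {
            for (i = 1; i <= n; i++) {
                c = order[i]
                r = rules[c] + 0
                if (policy[c] != "ACCEPT") v = "restricted"
                else if (r == 0)           v = "open"
                else                       v = "policy-accept"
                print c, policy[c], r, v
            }
        }'
}

# Space-separated names of the chains reported as "open" (empty if none).
unfiltered_chains() {
    chain_report | awk '$4 == "open" { printf "%s%s", sep, $1; sep = " " }
                        END { if (sep) print "" }'
}

printf '%s\n' "$SAMPLE_DEFAULT" | chain_report
echo "unfiltered: $(printf '%s\n' "$SAMPLE_FILTERED" | unfiltered_chains)"
```

An open OUTPUT chain is common on workstations; an open INPUT chain is the case the question is about.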
Re: Default firewall in etch
Chris Lale <[EMAIL PROTECTED]> wrote:
> Marc D Ronell wrote:
> > Hi,
> >
> > What is Etch using as its default firewall? How do I change that
> > firewall's settings?
> >
> > I am seeking a pointer to the right manual.
> >
> > Thanks,
> >
> > marc
>
> If you just want a personal firewall for a PC, try Guarddog - see
> http://newbiedoc.berlios.de/wiki/Setting_up_a_personal_firewall_on_Debian_using_Guarddog .

You can give fwbuilder a try, too.

---
Franck