Re: Laser Printer recommendation...

2017-07-03 Thread Tom Dial


On 07/03/2017 05:41 AM, Whit Hansell wrote:
> Can anyone recommend a monochrome (black toner) laser printer that is
> currently available and reasonably priced (<$300).  I am interested in
> finding one as I am sick and tired of buying ink every month even when
> I'm not printing much.  Have tried the Brother 2270DW but can't get it
> to work.  Which ones work easily, if any?  Thanking in advance.

I recommend looking at Hewlett-Packard printers, toward the middle or
high end of your desired price range. I have used them for quite a few
years, from the 1020 and P1505 to the M477 multifunction printer.

Using CUPS and hplip, the support is generally complete and pretty
current, and not hard to set up, even for Windows systems on the same
network. Given that CUPS originally was an Apple product, it should be
pretty easy to use any of them with a networked Apple system as well.

For printers in the small/medium business line, warranty service also is
very good, at least if you purchase directly from HP and incur the
additional cost that goes with that.

Full disclosure: I do own Hewlett-Packard shares, although not enough
that I would likely benefit measurably from sale of a few more printers
or toner cartridges.


> 
> Have gone thru many of the printers listed saying they are linux
> printers but when I get to the actual printer if it's available it's
> $1,200 or not available when it's in the $2-300 range.  Just wondering if
> there are any still available out there, reasonably priced.
> 
> Using Jessie will be going to Stretch in a few months.
> 
> Thanks.
> 
> Whit



Re: Re: Peculiar problem with root login

2017-06-18 Thread Tom Dial


On 06/18/2017 09:57 AM, Harry Putnam wrote:
> David Christensen <dpchr...@holgerdanske.com> writes:
> 
>> On 06/12/2017 06:39 AM, Harry Putnam wrote:
>>> Running debian jessie in a vbox vm on a Solaris host
>>>
>>> I have what seems like an unusual problem with root login on this
>>> host.
> 
> [...]
> 
>>> I'm fresh out of ideas as to what else to do here.
>>>
>>> The auth log shows:
>>>
>>>   Jun 11 14:50:55 d2 sshd[2830]: pam_unix(sshd:auth): authentication
>>>   failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=d.local.lan
>>>   user=root
>>>
>>>   Jun 11 14:50:57 d2 sshd[2830]: Failed password for root from
>>>   127.0.0.1 port 54522 ssh2
>>
>> Please run the following commands from the console of the jessie vm as
>> root and paste your console session (prompts, commands entered, output
>> obtained).  If you redact anything, substitute the phrase
>> '':
>>
>> # cat /etc/debian_version
>>
>> # uname -a
>>
>> # dpkg-query --show openssh-server
>>
>> # dpkg-query --show openssh-client
>>
>> # ls -1 /etc/ssh/*ssh*
>>
>> # ls -1 /root/.ssh
>>
>> # egrep -v '^.*#' /etc/ssh/sshd_config | grep .
>>
>> # ssh localhost
>>
>> # tail /var/log/auth.log
> 
> Thanks for the prod... I should have included at least some of that.
> 
> ---   ---   ---=---   ---   ---
> 
> diagnostic_data:
> 
> root # cat /etc/debian_version
> 8.8
> 
> root # uname -a
> Linux d2 3.16.0-4-amd64 #1 SMP Debian 3.16.43-2 (2017-04-30) x86_64 GNU/Linux
> 
> root # dpkg-query --show openssh-server
> openssh-server  1:6.7p1-5+deb8u3
> 
> root # dpkg-query --show openssh-client
> openssh-client  1:6.7p1-5+deb8u3
> 
> root # ls -1 /etc/ssh/*ssh*
> /etc/ssh/ssh_config
> /etc/ssh/sshd_config
> /etc/ssh/sshd_config~
> /etc/ssh/ssh_host_dsa_key
> /etc/ssh/ssh_host_dsa_key.pub
> /etc/ssh/ssh_host_ecdsa_key
> /etc/ssh/ssh_host_ecdsa_key.pub
> /etc/ssh/ssh_host_ed25519_key
> /etc/ssh/ssh_host_ed25519_key.pub
> /etc/ssh/ssh_host_rsa_key
> /etc/ssh/ssh_host_rsa_key.pub
> 
> root # egrep -v '^.*#' /etc/ssh/sshd_config | grep .
> Port 22
> Protocol 2
> HostKey /etc/ssh/ssh_host_rsa_key
> HostKey /etc/ssh/ssh_host_dsa_key
> HostKey /etc/ssh/ssh_host_ecdsa_key
> HostKey /etc/ssh/ssh_host_ed25519_key
> UsePrivilegeSeparation yes
> KeyRegenerationInterval 3600
> ServerKeyBits 1024
> SyslogFacility AUTH
> LogLevel INFO
> LoginGraceTime 120
> PermitRootLogin without-password

This will prevent root login using a password. Only other methods, such
as RSA authentication, are to be permitted.

> StrictModes yes
> RSAAuthentication yes
> PubkeyAuthentication yes
> IgnoreRhosts yes
> RhostsRSAAuthentication no
> HostbasedAuthentication no
> PermitEmptyPasswords no
> ChallengeResponseAuthentication no
> PasswordAuthentication yes
> X11Forwarding yes
> X11DisplayOffset 10
> PrintMotd no
> PrintLastLog yes
> TCPKeepAlive yes
> AcceptEnv LANG LC_*
> Subsystem sftp /usr/lib/openssh/sftp-server
> UsePAM yes
> PermitRootLogin yes

This may or may not be effective owing to the above setting of
"PermitRootLogin without-password", depending on how sshd treats
duplicate settings. My (jessie) man page does not say whether the first
or last setting will be effective.

> 
> root # ssh localhost
> root@localhost's password:
> Permission denied, please try again.
> root@localhost's password:
> 
>   Could not login  -ed Harry
> 
> root # tail /var/log/auth.log
> Jun 18 11:43:17 d2 sshd[1894]: Accepted password for reader from 192.168.1.42 
> port 40945 ssh2
> Jun 18 11:43:17 d2 sshd[1894]: pam_unix(sshd:session): session opened for 
> user reader by (uid=0)
> Jun 18 11:43:17 d2 systemd-logind[477]: New session 185 of user reader.
> Jun 18 11:43:17 d2 sshd[1897]: Setting tty modes failed: Invalid argument
> Jun 18 11:43:59 d2 su[1917]: Successful su for root by reader
> Jun 18 11:43:59 d2 su[1917]: + /dev/pts/4 reader:root
> Jun 18 11:43:59 d2 su[1917]: pam_unix(su:session): session opened for user 
> root by reader(uid=1000)
> Jun 18 11:45:56 d2 sshd[1963]: pam_unix(sshd:auth): authentication failure; 
> logname= uid=0 euid=0 tty=ssh ruser= rhost=d.local.lan  user=root
> Jun 18 11:45:58 d2 sshd[1963]: Failed password for root from 127.0.0.1 port 
> 54526 ssh2
> Jun 18 11:46:03 d2 sshd[1963]: Connection closed by 127.0.0.1 [preauth]
> 

My preferences, for what it is worth, are

PermitRootLogin without-password
ChallengeResponseAuthentication no
PasswordAuthentication no
AllowUsers netuser1 \
 netuser2 \
 ... \
 root@localhost \
 root@backuphost

On some systems, "localhost" doesn't work;
 root@::1 root@127.0.0.1
is a workaround. I have not got around to figuring out the differences,
and as the circumvention is trivial it is not a high priority.

This requires arranging to install each user's public key in his or her
.ssh/authorized_keys file, which can be a pain on a large or active
network, but not that much of a problem with up to a few dozen users and
systems.

Regards,
Tom Dial
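
The duplicate-directive question in the message above, as an added example that is not part of the original thread: current sshd_config(5) documents that for each keyword the first obtained value is used, and this sketch applies that rule to a constructed excerpt of the quoted configuration. The function names are hypothetical, and only whitespace-separated "Keyword value" lines in the global section (before any Match block) are handled.

```shell
#!/bin/sh
# Constructed sample: the directives from the quoted sshd_config that bear
# on root login, in the order they appear in the thread.
sample_config() {
cat <<'EOF'
Port 22
PermitRootLogin without-password
PubkeyAuthentication yes
PasswordAuthentication yes
UsePAM yes
PermitRootLogin yes
EOF
}

# effective_value KEYWORD < config
# Prints the value sshd uses for KEYWORD: keywords are case-insensitive and
# the first occurrence wins. Stops at the first Match block.
effective_value() {
    awk -v want="$1" '
        BEGIN { want = tolower(want) }
        /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
        { key = tolower($1) }
        key == "match" { exit }
        key == want { $1 = ""; sub(/^[ \t=]+/, ""); print; exit }
    '
}

# shadowed_directives < config
# Lists later repeats of a single-valued keyword, which sshd ignores.
# Keywords that may legitimately appear several times are not reported.
shadowed_directives() {
    awk '
        BEGIN {
            n = split("hostkey port listenaddress acceptenv subsystem " \
                      "allowusers denyusers allowgroups denygroups", m, " ")
            for (i = 1; i <= n; i++) multi[m[i]] = 1
        }
        /^[ \t]*(#|$)/ { next }
        { key = tolower($1) }
        key == "match" { exit }
        key in multi { next }
        key in first {
            printf "line %d: %s (ignored; line %d already set %s)\n",
                   NR, $0, first[key], $1
            next
        }
        { first[key] = NR }
    '
}

# root_password_login < config
# Prints "allowed" only when the effective PermitRootLogin is "yes" and
# PasswordAuthentication is "yes" (its default when unset).
root_password_login() {
    cfg=$(cat)
    prl=$(printf '%s\n' "$cfg" | effective_value PermitRootLogin)
    pwa=$(printf '%s\n' "$cfg" | effective_value PasswordAuthentication)
    if [ -z "$prl" ]; then
        # The compiled-in default differs between OpenSSH releases.
        echo "default (version-dependent)"
    elif [ "$prl" = "yes" ] && [ "${pwa:-yes}" = "yes" ]; then
        echo allowed
    else
        echo denied
    fi
}

echo "PermitRootLogin in effect: $(sample_config | effective_value PermitRootLogin)"
sample_config | shadowed_directives
echo "root password login over ssh: $(sample_config | root_password_login)"
```

On a live host, running `sshd -T` as root prints the configuration the daemon actually resolves, which is the authoritative check.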



Re: Re: unattended upgrades does not do anything

2017-04-05 Thread Tom Dial


On 04/05/2017 10:22 AM, Lisi Reisz wrote:
> On Wednesday 05 April 2017 15:46:53 Jonathan Dowland wrote:
>> On Wed, Apr 05, 2017 at 10:26:18PM +0900, Mark Fletcher wrote:
>>> I am going to have a go at getting unattended-upgrades to work sometime
>>> in the next few days, I will post back what my results, even if the only
>>> thing that results is sympathy for your situation and a "me-too!"
>>
>> I have a working unattended-upgrades setup, I will try and remember what I
>> had to do.
> 
> Thank you!
> 
> Lisi
> 

I know I am quite late to the party, but has

https://wiki.debian.org/UnattendedUpgrades

been offered as a possible answer? I have used it as a guide for
unattended-upgrades setup on a sizable handful of systems, and with
uniform success. As I recall it, install defaults apply only security
upgrades, and of course require that /etc/apt/sources.list include the
version appropriate reference to security.debian.org -

deb http://security.debian.org/ jessie/updates main contrib non-free

for example.

Tom Dial
td...@acm.org



Re: If Linux Is About Choice, Why Then ...

2017-04-03 Thread Tom Browder
On Mon, Apr 3, 2017 at 7:28 AM, Brad Rogers <b...@fineby.me.uk> wrote:
> On Mon, 3 Apr 2017 05:06:22 -0700
> Rick Thomas <rbtho...@pobox.com> wrote:
>
> Hello Rick,
>
>> There *are* choices.
>
> Indeed.  Debian also have choices(1).  They made them.  Inevitably, some
> people were going to get annoyed about it.
>
> (1) Many seem to have forgotten they're entitled to make choices as well.

Well, that's why I left Ubuntu when they insisted on constant changing
of desktops.

But I kind of understand why systemd, but I wish I could find a good
cookbook description of how to add or modify a new process.

Thanks.

Best regards,

-Tom



Re: Suitable text editor [NOT word processor] or workaround?

2017-04-02 Thread Tom Browder
On Sat, Apr 1, 2017 at 14:36 Fred <f...@blakemfg.com> wrote:

> On 04/01/2017 09:24 AM, Richard Owlett wrote:
> > On 04/01/2017 10:55 AM, cbannis...@slingshot.co.nz wrote:
> >> On Thu, Mar 16, 2017 at 06:38:52AM -0500, Richard Owlett wrote:
> >>> The two files are nearly identical and need them displayed
> >>> simultaneously
> >>> for instant visual comparison. Opening one of the files read only
> >>> would be
> >>> acceptable but not preferable.


Try diffuse.

-Tom


Re: Need USB Wireless Adaptor for Dell Inspiron 11 2-in-1?

2017-03-25 Thread Tom Browder
On Sat, Mar 25, 2017 at 2:33 PM, Doug  wrote:
...
> Perhaps you can find an interface card that will
> physically interface
...
> While I was trying to get the Inspiron wireless to work, I bought a little
> USB gadget that was
> very small, and while it did work, it had almost no range. The internal wifi
> cards attach to
> antenna wires that run up behind the screen, and this gives much better
> range.
>
> One more thing: I have a machine that has a Broadcom chip in it, and I have
> dual-booted
> Mint 17 LTS on that machine, and Mint is smart enough to find the right
> software for the
> Broadcom, and Mint works out of the box on that machine. And Mint is a nice
> distro. Try it!

I have tried it, and I'm not a fan.

But thanks for the suggestions, Doug.  To your point about limited
range with a small add-on, Ben suggested a USB ethernet device that
has an antenna, and I'll try it if the small one I ordered doesn't
work.

Best regards



Re: Need USB Wireless Adaptor for Dell Inspiron 11 2-in-1?

2017-03-25 Thread Tom Browder
On Sat, Mar 25, 2017 at 04:15 deloptes <delop...@gmail.com> wrote:
> Tom Browder wrote:
> > Dell 1800
> What is this Dell 1800 - what is the wireless card model and driver?
> In the subject you say Dell Inspiron 11, which has DW1707.
> https://wikidevi.com/wiki/Dell_Wireless_1707_(DW1707)

The Dell Wireless 1800 is what Dell calls the wireless network adapter
in the Dell 11 Inspiron 3000 2-in-one laptop.  There are actually at
least three sub-models of the 11 and mine (3157, service tag FGYN52)
has the DW1800, part number KJTH7, which uses the Debian package
firmware-realtek.

I did try to use the latest kernel from jessie-backports but the
reboot failed and I started over after I found a USB wired ethernet
adaptor in my parts box (a Cable Matters 202023 which claims it works
with all OSs) and it works great.   The wireless still is unreliable
but, in the meantime, I have taken Reco's advice and bought a Ralink
RT5370 which I trust will solve the problem when it arrives.

I too have used a couple of Dell Latitudes for a total of eight years
and have had no trouble with them, but its wired/wireless adapter is
different from the 11.

Thanks.

Best regards,

-Tom



Re: Need USB Wireless Adaptor for Dell Inspiron 11 2-in-1?

2017-03-25 Thread Tom Browder
On Fri, Mar 24, 2017 at 17:11 Ben Caradoc-Davies <b...@transient.nz> wrote:
>
> On 25/03/17 01:40, Tom Browder wrote:
> > 1.  What specific model of USB wireless ethernet adaptor does anyone
> > recommend that has worked for them out of the box?
>
> TP-Link TL-WN722N:
> http://www.tp-link.com/us/products/details/cat-5520_TL-WN722N.html

Thanks, Ben.

I would have bought that but I didn't have your rec at the time. Based
on reviews, etc., at Amazon, I bought the Panda Ultra 150Mbps Wireless
N USB Adapter.

It will arrive next week and I hope it works!

Best regards,

-Tom



Re: Need USB Wireless Adaptor for Dell Inspiron 11 2-in-1?

2017-03-24 Thread Tom Browder
On Fri, Mar 24, 2017 at 07:56 Reco <recovery...@gmail.com> wrote:

> Hi.

...

>
Thanks very much, Reco!

Best regards,

-Tom


Need USB Wireless Adaptor for Dell Inspiron 11 2-in-1?

2017-03-24 Thread Tom Browder
I have the Dell laptop and I was able to load Deb 8 on it via a netinst,
but the Dell 1800 wireless drops contact with the internet often. Sometimes
a reboot will work but not every time.

Three questions, please:

1.  What specific model of USB wireless ethernet adaptor does anyone
recommend that has worked for them out of the box?

2.  What specific model of USB wired ethernet adaptor does anyone recommend
that has worked for them out of the box?

3.  If anyone has used jessie backports to fix a Dell Wireless 1800
problem, can you list the backport packages needed?

Thanks so much.

Best regards,

-Tom


Re: Icedove calendar not syncing to google calendar

2017-01-08 Thread Tom Ashley


On 01/08/2017 03:59 AM, didier gaumet wrote:

> Hello, I do not know for Stretch and Sid, but the Jessie version of the
> calendar-google-provider package is not the last stable from upstream.
> In my case, deinstalling the debian package and installing the upstream
> thunderbird extension solves the problem. YMMV...


If you haven't already tried it, you may want to install the "Provider 
for Google Calendar" extension from Icedove Tools->Add-ons->Extensions.  
This worked for me to solve a similar problem.


HTH

Tom Ashley



Networking: unable to get multi-homed host working in Debian 8 [SOLVED]

2016-08-12 Thread Tom Browder
-- Forwarded message --
From: Tom Browder <tom.brow...@gmail.com>
Date: Fri, Aug 12, 2016 at 9:23 AM
Subject: Re: Networking: unable to get multi-homed host working in Debian 8
To: "debian-user@lists.debian.org" <debian-user@lists.debian.org>


On Tue, Aug 9, 2016 at 8:16 PM, Tom Browder <tom.brow...@gmail.com> wrote:
> I have read the current Debian networking docs on the subject
> (https://wiki.debian.org/NetworkConfiguration#iproute2_method).  I
> want to use at least two IPv4 static addresses on the same physical
> NIC.  Following examples I have tried this in my
> "/etc/network/interfaces" file:
...

I have now had success on my test host running Debian  on my local
network.  Below is a working "/etc/network/interfaces" file, but there
are some warnings, notes, and caveats for its use.  Note also the file
is IDENTICAL to the one I asked about originally.  I went down a
rabbit hole because the "service networking restart" command locked me
out of my test host and I couldn't get back in locally because I had
a KVM failure I didn't know about.  Just today I got all working
again.

1. WARNING:   The following command, mentioned in some networking
docs (like the one mentioned by my server hosting company!!!), caused
a system lock-up and loss of all network contact external to or
internal from the host:

  # service networking restart.

However, a subsequent reboot worked.  That might be impossible or
expensive to do if you do not have direct (i.e., non-network)
access to the host.

2. CAUTION: I have not tried all the various if* or ip commands on the
test host.  Your mileage may vary.

The "/etc/network/interfaces" file:
===

# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
allow-hotplug eth0
iface eth0 inet static
  address 192.168.0.17
  netmask 255.255.255.0
  gateway 192.168.0.1
  dns-nameservers 208.67.222.222   208.67.220.220
  up ip addr add 192.168.0.18/24 dev $IFACE label $IFACE:0
  down ip addr del  192.168.0.18/24 dev $IFACE label $IFACE:0
  up ip addr add 192.168.0.19/24 dev $IFACE label $IFACE:1
  down ip addr del  192.168.0.19/24 dev $IFACE label $IFACE:1

RESULTS
===

Running "sbin/ifconfig" on the test host (with two NICs: one used and
one unused, and the two new alias IPv4s) yields:

eth0      Link encap:Ethernet  HWaddr 00:1d:7d:aa:fa:7b
          inet addr:192.168.0.17  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::21d:7dff:feaa:fa7b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:735 errors:0 dropped:0 overruns:0 frame:0
          TX packets:749 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:82025 (80.1 KiB)  TX bytes:101457 (99.0 KiB)

eth0:0    Link encap:Ethernet  HWaddr 00:1d:7d:aa:fa:7b
          inet addr:192.168.0.18  Bcast:0.0.0.0  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth0:1    Link encap:Ethernet  HWaddr 00:1d:7d:aa:fa:7b
          inet addr:192.168.0.19  Bcast:0.0.0.0  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth1      Link encap:Ethernet  HWaddr 00:15:e9:81:14:b4
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:123 errors:0 dropped:0 overruns:0 frame:0
          TX packets:123 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:49276 (48.1 KiB)  TX bytes:49276 (48.1 KiB)

I can ssh into the test host using all three IPv4s.

NOTES
=
RECOMMENDATIONS


Test network changes on a host that you have direct access to!!!!

Thanks for the help Pascal, and I hope this will help someone else.

Best regards,

-Tom



Re: Networking: unable to get multi-homed host working in Debian 8

2016-08-10 Thread Tom Browder
On Wed, Aug 10, 2016 at 7:13 AM, Pascal Hambourg <pas...@plouf.fr.eu.org> wrote:
> Le 10/08/2016 à 13:22, Tom Browder a écrit :
>>
>>
>> Ping from the test host itself to its primary first alias IP:
>>
>> PING 192.168.0.18 (192.168.0.18) 56(84) bytes of data.
>> From 192.168.0.17 icmp_seq=1 Destination Host Unreachable
>
>
> It really looks like the secondary address is not configured on the host.
> Did you check with "ip -4 addr" ?

$ ip -4 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
group default
inet 127.0.0.1/8 scope host lo
   valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state UP group default qlen 1000
inet 192.168.0.17/24 brd 192.168.0.255 scope global eth0
   valid_lft forever preferred_lft forever

Is there confusion in my Debian 8 between networking setting methods
(ip vs ifconfig)?

I'm in the dark and just following docs and helpful folks like you!

Best,

-Tom



Re: Networking: unable to get multi-homed host working in Debian 8

2016-08-10 Thread Tom Browder
On Wednesday, August 10, 2016, Pascal Hambourg <pas...@plouf.fr.eu.org> wrote:
>
> Le 10/08/2016 à 03:16, Tom Browder a écrit :
>>
>> Then, as root, I executed "service networking restart" and all looked
>> well until I logged in to another host and tried to ping the new IP
>> and got no good ping.
>
> Can you elaborate "all looked well" and "no good ping" ?
> Commands, results ?

Thanks for the reply, Pascal.

Ping from another host to the test host (bigtom):

PING bigtom.tombrowder.com (192.168.0.17) 56(84) bytes of data.
64 bytes from bigtom.tombrowder.com (192.168.0.17): icmp_seq=1 ttl=64
time=3.05 ms
64 bytes from bigtom.tombrowder.com (192.168.0.17): icmp_seq=2 ttl=64
time=3.14 ms

Then a ping to the primary IP:

PING 192.168.0.17 (192.168.0.17) 56(84) bytes of data.
64 bytes from 192.168.0.17: icmp_seq=1 ttl=64 time=3.07 ms
64 bytes from 192.168.0.17: icmp_seq=2 ttl=64 time=3.00 ms

Then a ping to the secondary IP (first alias):

PING 192.168.0.18 (192.168.0.18) 56(84) bytes of data.
From 192.168.0.35 icmp_seq=1 Destination Host Unreachable
From 192.168.0.35 icmp_seq=2 Destination Host Unreachable

> What's the result of ping to these addresses from the host itself ?

I didn't think of that.

Ping from the test host itself to its host name:

PING bigtom.tombrowder.com (127.0.1.1) 56(84) bytes of data.
64 bytes from bigtom.tombrowder.com (127.0.1.1): icmp_seq=1 ttl=64 time=0.019 ms
64 bytes from bigtom.tombrowder.com (127.0.1.1): icmp_seq=2 ttl=64 time=0.011 ms

Ping from the test host itself to its primary IP:

PING 192.168.0.17 (192.168.0.17) 56(84) bytes of data.
64 bytes from 192.168.0.17: icmp_seq=1 ttl=64 time=0.020 ms
64 bytes from 192.168.0.17: icmp_seq=2 ttl=64 time=0.013 ms

Ping from the test host itself to its primary first alias IP:

PING 192.168.0.18 (192.168.0.18) 56(84) bytes of data.
From 192.168.0.17 icmp_seq=1 Destination Host Unreachable
From 192.168.0.17 icmp_seq=2 Destination Host Unreachable

Thanks again for your help.

Best regards,

-Tom



Networking: unable to get multi-homed host working in Debian 8

2016-08-09 Thread Tom Browder
I have read the current Debian networking docs on the subject
(https://wiki.debian.org/NetworkConfiguration#iproute2_method).  I
want to use at least two IPv4 static addresses on the same physical
NIC.  Following examples I have tried this in my
"/etc/network/interfaces" file:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug eth0
iface eth0 inet static
  address 192.168.0.17
  netmask 255.255.255.0
  gateway 192.168.0.1
  dns-nameservers 208.67.222.222   208.67.220.220

  # add new IPv4 devices
  up ip addr add 192.168.0.18/24 dev $IFACE label $IFACE:0
  down ip addr del  192.168.0.18/24 dev $IFACE label $IFACE:0

  up ip addr add 192.168.0.19/24 dev $IFACE label $IFACE:1
  down ip addr del  192.168.0.19/24 dev $IFACE label $IFACE:1

Then, as root, I executed "service networking restart" and all looked
well until I logged in to another host and tried to ping the new IP
and got no good ping.

Has anyone any ideas about what I am doing wrong?  I have installed
the vlan and iproute2 packages and removed the iproute package.

Do I need to do something about kernel modules?  I saw nothing in the doc about
that, but I seem to remember having to fool with that in the old days.
Thanks for any help.

Best regards,

-Tom



Re: Terminal

2016-07-29 Thread Tom


On 07/29/2016 04:04 PM, Темир Урокбаев wrote:

> Hello. Tell me, is there a
> comprehensive list of terminal
> commands, and where to find it
> or download.

The following sites may help.

http://ss64.com/bash/
http://man7.org/linux/man-pages/dir_section_1.html

Tom Ashley



Re: How to create package without source code

2016-07-27 Thread Tom Grace

On 27/07/2016 09:24, Hans wrote:

> However, I did not quite understand. Can I add several files instead of a single
> one? And will it preserve rights, as I set?

Yes, both these are possible - have a look at the Wiki for more examples
https://github.com/jordansissel/fpm/wiki




Re: How to create package without source code

2016-07-27 Thread Tom Grace

On 27/07/2016 08:39, Hans wrote:

> The file is just a script. I read in the docs, and all told, they want to
> compile somehow.
>
> I imagine, to pack all the files with the correct user rights into a folder,
> then pack it into maybe *.tgz and then change it somehow into a *.deb.
>
> Maybe there is a more simple way and you might want to point me to it.


It's sort of cheating, and wouldn't allow you to upload to the Debian 
archive, but for personal/internal use something like FPM might work. 
See https://github.com/jordansissel/fpm/wiki/PackageSimpleFiles for an 
example.




Re: Next gotcha

2016-07-24 Thread Tom Browder
On Saturday, July 23, 2016, Gene Heskett <ghesk...@shentel.net> wrote:

> On Saturday 23 July 2016 18:00:30 David Wright wrote:
> > On Sat 23 Jul 2016 at 16:20:12 (-0400), Gene Heskett wrote:
> > > On Saturday 23 July 2016 14:15:09 David Wright wrote:
> > > > On Sat 23 Jul 2016 at 13:13:27 (-0400), Gene Heskett wrote:
> > > > > On Saturday 23 July 2016 08:01:37 deloptes wrote:
> > > > > > About your query. I prefer using Xfig in cases (probably) like


I used xfig for many years and it did the job very well, but now I use
Inkscape (inkscape.org) and love it. The online docs are not as good as I
would like, but there is a soft-bound book available which is well worth
the price if you do much vector image work.

Inkscape is available in packages for both Deb 7 and Deb 8 (and I'm pretty
sure it was available before that).

Best regards,

-Tom


Re: ThinkPad fan

2016-06-17 Thread Tom Grace

On 17/06/2016 10:58, Francesco Montanari wrote:

> I recently installed Jessie on a Lenovo ThinkPad T420. The fan usage
> looks reasonable. However, high temperatures (96 C) are reached when
> CPUs are running intensively for more than one minute or so. The fan
> speed at those temperatures is about 4500 rpm.

Back when I had a ThinkPad, I found it would shut itself down at around
that temperature. I also found that 4500 RPM isn't exactly the highest
speed the fan can run.


I wrote https://github.com/theothertom/thinkpad-temp_mon to control the 
fan and have it spin faster over 80C. Before you have a go, note that 
I've not touched that code in >4 years (and don't have a thinkpad any 
more), so it might take a bit of poking before it works.




LVM Merge

2016-05-12 Thread Tom Jay
Hello,

I'm trying to merge an LVM snapshot into the original volume. If I look in the 
man page for lvconvert, under '--merge', it says:

To check if your kernel supports the snapshot merge feature, look for 
'snapshot-merge' in the output of 'dmsetup targets'.

If I run 'dmsetup targets', I get the following:

root@debian:~# dmsetup targets
crypt            v1.11.1
striped          v1.4.1
linear           v1.1.1
error            v1.0.1
root@debian:~#

I'm running a standard install of Debian 7.9:

root@debian:~# uname -a
Linux debian 3.2.0-4-amd64 #1 SMP Debian 3.2.78-1 x86_64 GNU/Linux
root@debian:~#

Does anyone have any idea how to add snapshot-merge into the kernel?

Thanks!

Tom

  


Re: debian-user-digest Digest V2016 #417

2016-05-02 Thread Tom Dial
Although encryption of the disk (as offered during installation) is a
good idea, it protects against loss of the system or disk while powered
down. It does not protect against unauthorized access to the running
system, and if the threat model includes that, zeroing (or better yet,
multiply overwriting with varying patterns and then zeroing) offers
protection that disk encryption does not.

Neither action protects against determined state equivalent actors or
malware implanted in the drive controller.

Tom Dial

On 05/02/2016 11:17 AM, debian-user-digest-requ...@lists.debian.org wrote:



Re: Beginning of the End for Wheezy [sigh!]

2016-04-17 Thread Tom Browder
On Sunday, April 17, 2016, Renaud OLGIATI <ren...@olgiati-in-paraguay.org>
wrote:

> On Sun, 17 Apr 2016 11:48:16 +
> Mark Fletcher <mark2...@gmail.com> wrote:
>
> > It seems the emotions, even now, are running too high to be simply about
> > "if it ain't broke don't fix it". What am I missing?
>
> You are missing that the change to systemd makes most of the knowledge
> patiently acquired over the years running and caring for a Linux system has
> suddenly become unusable


Note I initially felt the same way, but the new system seemed to use my
LSB-formatted init scripts just fine.

Best regards,

-Tom


Re: Can you help me figure out why I can't get Grub to install from a standard CD .iso?

2016-04-17 Thread Tom Browder
I used the Mate DVD (8.4) with the non-free packages for a fresh install on
my Dell 6500 laptop. The initial installation went fine. Then I powered
down and went to give a presentation and could not get it to boot into the
graphical desktop. I reinstalled again and had the same failure.

In a final (and successful, whew!) attempt I used the regular x64
netinst CD, selected Mate as my only desktop, and all has been well since
(fingers still crossed but loosening by the day).

Note the Debian website says the special DVDs don't get as much testing, so
I suspect my laptop might have found a bug.  Unfortunately I don't have
enough data to confirm that.

HTH

Best regards,

-Tom

P.S. I love the Mate desktop as it is. Please don't add any more bells and
whistles from the pop culture, just maintain it in the choice of desktops
for the normal Debian distribution.


Best use of program 'debfoster' to back-up package lists and packages?

2016-04-07 Thread Tom Browder
I am in the process of reinstalling Debian 8 after my desktop died,
and want to make sure I keep a list of packages installed.  Following
various debian threads I'm going to do this:

# dpkg --get-selections "*" > /backup/dpkg-get/selections
# apt-key exportall > /backup/repositories.keys

and after the new installation do this:

# apt-key add /backup/repositories.keys
# apt-get update
# dpkg --set-selections < $d/dpkg-get/selections
# apt-get dselect-upgrade

Questions:

1.  Any problems with the above procedures?

2.  I just now found out about program 'debfoster'.  How can I
integrate it into the back-up/restore process above?

Thanks.

Best regards,

-Tom



Fwd: Debian 8 fresh install, lost MATE desktop (lightdm) after first reboot, cannot recover graphical login

2016-04-07 Thread Tom Browder
I just realized I didn't post my reply to the list.

-Tom

-- Forwarded message --
From: *Tom Browder* <tom.brow...@gmail.com>
Date: Tuesday, April 5, 2016
Subject: Debian 8 fresh install, lost MATE desktop (lightdm) after first
reboot, cannot recover graphical login
To: arian <deb...@semioptimal.net>


On Tue, Apr 5, 2016 at 5:26 PM, arian <deb...@semioptimal.net> wrote:
> please retrieve the actual logs from
> # journalctl -u lightdm

Output of "journalctl -u lightdm" follows:

# journalctl -u lightdm
-- Logs begin at Tue 2016-04-05 16:50:35 CDT, end at Tue 2016-04-05
17:51:15 CDT. --
Apr 05 16:50:46 juvat2 systemd[1]: lightdm.service: main process
exited, code=exited, status=1/FAILURE
Apr 05 16:50:46 juvat2 systemd[1]: Unit lightdm.service entered failed
state.
Apr 05 16:50:47 juvat2 systemd[1]: lightdm.service: main process
exited, code=exited, status=1/FAILURE
Apr 05 16:50:47 juvat2 systemd[1]: Unit lightdm.service entered failed
state.
Apr 05 16:50:47 juvat2 systemd[1]: lightdm.service: main process
exited, code=exited, status=1/FAILURE
Apr 05 16:50:47 juvat2 systemd[1]: Unit lightdm.service entered failed
state.
Apr 05 16:50:48 juvat2 systemd[1]: lightdm.service: main process
exited, code=exited, status=1/FAILURE
Apr 05 16:50:48 juvat2 systemd[1]: Unit lightdm.service entered failed
state.
Apr 05 16:50:48 juvat2 systemd[1]: lightdm.service: main process
exited, code=exited, status=1/FAILURE
Apr 05 16:50:48 juvat2 systemd[1]: Unit lightdm.service entered failed
state.
Apr 05 16:50:48 juvat2 systemd[1]: lightdm.service start request
repeated too quickly, refusing to start.
Apr 05 16:50:48 juvat2 systemd[1]: Failed to start Light Display Manager.
Apr 05 16:50:48 juvat2 systemd[1]: Unit lightdm.service entered failed state

Thanks, arian.

Best,

-Tom


Debian 8 fresh install, lost MATE desktop (lightdm) after first reboot, cannot recover graphical login

2016-04-05 Thread Tom Browder
Yesterday, after a week with my new Debian 8 desktop running Mate, I
did an "aptitude update" and somehow upgraded "fglrx-control" among
other things (I have no idea if that was the genesis of my problem,
but later I found some nvidia packages installed while I have an Intel
graphics device).  I merrily continued to work until I had to shutdown
to go to my Linux group meeting.  There I booted up my laptop (the
first reboot after the initial install) and could not get a graphical
display!

I have fooled with it all day to no avail.  I discovered just now that
I can get an X program to display from a remote login into the laptop,
but nothing on the physical laptop.  I have tried reinstalling MATE as
well as xfce to no avail.

When booting I get a flash of a message saying:

  [FAILED] Failed to start Light Display Manager.
  See 'systemctl status lightdm.service' for details.

When I execute "systemctl status lightdm.service" I get:

# systemctl status lightdm.service
* lightdm.service - Light Display Manager
   Loaded: loaded (/lib/systemd/system/lightdm.service; enabled)
   Active: failed (Result: start-limit) since Tue 2016-04-05 14:31:51
CDT; 3min 19s ago
 Docs: man:lightdm(1)
  Process: 833 ExecStart=/usr/sbin/lightdm (code=exited, status=1/FAILURE)
  Process: 829 ExecStartPre=/bin/sh -c [ "$(cat
/etc/X11/default-display-manager 2>/dev/null)" = "/usr/sbin/lightdm" ]
(code=exited, status=0/SUCCESS)
 Main PID: 833 (code=exited, status=1/FAILURE)

Apr 05 14:31:51 juvat2 systemd[1]: lightdm.service: main process
exited, code=exited, status=1/FAILURE
Apr 05 14:31:51 juvat2 systemd[1]: Unit lightdm.service entered failed state.
Apr 05 14:31:51 juvat2 systemd[1]: lightdm.service start request
repeated too quickly, refusing to start.
Apr 05 14:31:51 juvat2 systemd[1]: Failed to start Light Display Manager.
Apr 05 14:31:51 juvat2 systemd[1]: Unit lightdm.service entered failed state.

I will reinstall Debian 8 from scratch if necessary, but that would be
a real pain, so I would appreciate any hints.

Thanks.

Best regards,

-Tom



Re: New Deb 8 and no sshd access from other hosts

2016-03-30 Thread Tom Browder
On Saturday, March 26, 2016, David Wright <deb...@lionunicorn.co.uk> wrote:
>
> A bit early for [SOLVED], I think.

I respectfully disagree, David.

> On Sat 26 Mar 2016 at 12:08:37 (-0500), Tom Browder wrote:
> > On Fri, Mar 25, 2016 at 12:12 PM, Tom Browder <tom.brow...@gmail.com> wrote:
> > > I have installed Deb on my laptop and reused my old Deb 7 .ssh directory.
...
>
> Not such a wonderful resource if it is so easily misunderstood. The
> idea is to fix the permissions, not make your installation less secure.

I agree.

> > Based on the comments from jvp, I looked closer at my home directory on
> > the laptop and, sure enough, the permissions were too loose (first I
...
> > Then, in the upper window, I saw the problem.  Directory '/usr/local',
> > under which my .ssh directory is actually located, was reported to
> > have bad permissions:
> >
> >   Authentication refused: bad ownership or modes for directory /usr/local
...
> >
> > I checked and they were, surprisingly:
> >
> >   # ls -ld /usr/local
> >   drwxrwsr-x 31 root staff 4096 Mar 24 07:37 /usr/local
> >
> > I don't know how that happened, but it must have happened during the
> > upgrade two days ago when I continued to use my original partition
> > mounted as '/usr/local' which was not supposed to have been touched.
...
> I don't know what happened long before that! When did /usr/local
> become your home directory?

See below.

> > Anyway, as root, I fixed the permissions back to what I think is correct:
> >
> >   # chmod 00755 /usr/local
> >   # ls -ld /usr/local
> >   drwxr-xr-x 31 root staff 4096 Mar 24 07:37 /usr/local
>
> So now the system is degraded a bit more. The correct permissions, in
> fact the entire contents, are:
...

Who says those permissions are correct? I checked the file system
standard which says that /usr/local is optional. I provide my own
/usr/local partition which I save when reinstalling a new OS and see no
reason to provide setuid or setgid for it. When I first started
administering Unix systems on SGI in 1993, the user home directories
were in /usr/local/people and I kept using that as I transitioned the
hosts under my control to Linux systems in 1994.

Over the years on my own systems I have found it convenient to keep
home system resource directories and files (.bashrc, .profile,
.bash_aliases, .xemacs, .ssh, etc.) in a version-controlled, personal
directory under /usr/local. I then soft link those back to whatever
the newly installed system sets as my home directory. It has worked
fine until the Debian 8 install set the permissions as noted which
interfered with strict ssh.

Anyway, all is well now.

Thanks, David.

Best regards,

-Tom



Re: New Deb 8 and no sshd access from other hosts [SOLVED]

2016-03-26 Thread Tom Browder
On Saturday, March 26, 2016, Andrew McGlashan
<andrew.mcglas...@affinityvision.com.au> wrote:
>
> On 27/03/2016 4:08 AM, Tom Browder wrote:
> > On Fri, Mar 25, 2016 at 12:12 PM, Tom Browder <tom.brow...@gmail.com>
> wrote:

...

> > I found this wonderful resource:
> >
> >   http://www.unixlore.net/articles/troubleshooting-ssh-connections.html
>
> That was a JIT find (just in time) only written up 26th March, 2016.


JIT, indeed!  I hadn't noticed the date!  I give my thanks to the
author(s). (I haven't found any attribution there yet.)


> Once you have everything good, make sure that you change StrictModes
> back to default.


Thanks, Andrew. I did but forgot to say so.


> I usually restrict with known IP addresses (static ones) and sometimes
> with users having to be in a specific group that allows ssh.  Also,
> authorized keys enforced instead of passwords.


At the moment I'm the sole user, although I'm considering giving limited
access to a few folks later.  How do you manage the server while
traveling--some kind of personal VPN?

Best regards,

-Tom


Re: New Deb 8 and no sshd access from other hosts [SOLVED]

2016-03-26 Thread Tom Browder
On Fri, Mar 25, 2016 at 12:12 PM, Tom Browder <tom.brow...@gmail.com> wrote:
> I have installed Deb on my laptop and reused my old Deb 7 .ssh directory.
>
> I can now ssh into the existing remote servers but cannot ssh into my
> laptop from them (as a normal user)--I always get asked for a
> password.  So the remote servers recognize my old Deb 7 keys, but
> apparently my laptop doesn't recognize the other servers' keys.
...

I found this wonderful resource:

  http://www.unixlore.net/articles/troubleshooting-ssh-connections.html

which helped me solve the problem.

First, in file '/etc/ssh/sshd_config', I changed the line

  StrictModes yes

to this

  StrictModes no

and restarted the ssh server.  As root:

  # invoke-rc.d ssh restart

Then I attempted the ssh login and it worked!

Based on the comments from jvp, I looked closer at my home directory on
the laptop and, sure enough, the permissions were too loose (first I
have ever heard of that, but then again I haven't looked at 'man ssh'
in many years).  Note that I have for all the years after ssh came
along been setting the .ssh permissions correctly, but I've never run
into a problem with the home directory.  In fact, when I was working
at our office on site (up until the end of 2008), we commonly allowed
read access between user directories but ssh still worked.

But after setting the home directory permissions to 00700 and
restarting ssh, the login still didn't work!

Then I looked at the resource page where it showed how to debug the
whole ssh login session.  I used two terminal windows stacked one
above the other.  In the top window, on the laptop (local host) I
became root and executed the following:

  # /usr/sbin/sshd -d -p 

and in the lower window I logged into the remote host and, as my
normal user self, executed the following:

  $ ssh -vv -p  jv2

where 'jv2' is the host name of my laptop.

Then, in the upper window, I saw the problem.  Directory '/usr/local',
under which my .ssh directory is actually located, was reported to
have bad permissions:

  Authentication refused: bad ownership or modes for directory /usr/local

I checked and they were, surprisingly:

  # ls -ld /usr/local
  drwxrwsr-x 31 root staff 4096 Mar 24 07:37 /usr/local

I don't know how that happened, but it must have happened during the
upgrade two days ago when I continued to use my original partition
mounted as '/usr/local' which was not supposed to have been touched.

Anyway, as root, I fixed the permissions back to what I think is correct:

  # chmod 00755 /usr/local
  # ls -ld /usr/local
  drwxr-xr-x 31 root staff 4096 Mar 24 07:37 /usr/local

restarted the ssh server, and the login worked as advertised--whew!

Thanks to all who offered help.

Best regards,

-Tom
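
The sshd debug message in the post above comes from StrictModes judging every directory on the resolved path to authorized_keys, not only ~/.ssh. As an added example (not from the post and not OpenSSH's own code), this approximates that walk; it assumes GNU stat and readlink, and the function names, the "tom" account and the scratch layout are constructed for illustration.

```bash
#!/bin/sh
# Added example, not OpenSSH code: approximates the ownership/mode walk that
# sshd applies to authorized_keys when "StrictModes yes" is in effect.
# Assumes GNU coreutils (stat -c, readlink -f), as on Debian.

# strictmodes_walk FILE UID HOME
# Prints "ok" and returns 0, or prints the first offending path and returns 1.
strictmodes_walk() {
    sm_uid=$2
    # Resolve symlinks first, so a ~/.ssh that links elsewhere is judged by
    # the directories it really lives under.
    sm_path=$(readlink -f -- "$1") || { echo "cannot resolve: $1"; return 1; }
    sm_home=$(readlink -f -- "$3") || sm_home=$3
    if [ ! -f "$sm_path" ]; then
        echo "not a regular file: $sm_path"; return 1
    fi
    while :; do
        sm_owner=$(stat -c %u -- "$sm_path") ||
            { echo "cannot stat: $sm_path"; return 1; }
        sm_mode=$(stat -c %a -- "$sm_path")
        # Owner must be root or the account being logged in to.
        if [ "$sm_owner" != 0 ] && [ "$sm_owner" != "$sm_uid" ]; then
            echo "bad owner (uid $sm_owner): $sm_path"; return 1
        fi
        # No group or other write bit (mask 022) on the file or any parent.
        if [ $(( 0$sm_mode & 022 )) -ne 0 ]; then
            echo "bad modes ($sm_mode): $sm_path"; return 1
        fi
        # The walk ends once the home directory itself has passed, or at /.
        if [ "$sm_path" = "$sm_home" ] || [ "$sm_path" = / ]; then break; fi
        sm_path=$(dirname -- "$sm_path")
    done
    echo ok
}

# Constructed reproduction of the layout in this thread, inside a scratch
# directory: home/tom/.ssh is a symlink into usr/local/tom/.ssh, and
# usr/local gets the group-writable mode passed as $1 (default 2775, the
# drwxrwsr-x shown by 'ls -ld' in the post).
demo_usr_local_case() {
    d_root=$(readlink -f -- "$(mktemp -d)") || return 1
    mkdir -p "$d_root/home/tom" "$d_root/usr/local/tom/.ssh"
    : > "$d_root/usr/local/tom/.ssh/authorized_keys"
    chmod 755 "$d_root/home" "$d_root/usr" "$d_root/usr/local/tom"
    chmod 700 "$d_root/home/tom" "$d_root/usr/local/tom/.ssh"
    chmod 600 "$d_root/usr/local/tom/.ssh/authorized_keys"
    chmod "${1:-2775}" "$d_root/usr/local"
    ln -s "$d_root/usr/local/tom/.ssh" "$d_root/home/tom/.ssh"
    # Because the resolved path never passes through home/tom, the walk
    # climbs through usr/local and stops there on the group write bit.
    strictmodes_walk "$d_root/home/tom/.ssh/authorized_keys" \
        "$(id -u)" "$d_root/home/tom" && d_rc=0 || d_rc=$?
    rm -rf -- "$d_root"
    return "$d_rc"
}
```

After sourcing the file, strictmodes_walk ~/.ssh/authorized_keys "$(id -u)" "$HOME" checks a real account without turning StrictModes off.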



Re: New firefox isn't working

2016-03-25 Thread Tom Browder
On Friday, March 25, 2016, Gene Heskett <ghesk...@shentel.net> wrote:

> Greetings all;
> ...


> Is this my fault, or firefox?  If my fault, how do I fix it?


I can't help you at the moment, Gene, I have pretty much boycotted Firefox.
But I want you to know I enjoyed your web site and totally concur with your
opinions--may God save our nation!

If I were a Facebook user I would "like" your post.

Cheers from another old-timer!

-Tom


Re: New Deb 8 and no sshd access from other hosts

2016-03-25 Thread Tom Browder
On Fri, Mar 25, 2016 at 12:33 PM, Jörg-Volker Peetz <jvpe...@web.de> wrote:
> I'd first check file permissions in your .ssh directory (see man ssh).
> If they are o.k.,  I'd call ssh with one or more -v switches.

Oh, duh, forgot about the '-v' option--I'll work with that and report back.

Thanks, jvp!

-Tom



Re: New Deb 8 and no sshd access from other hosts

2016-03-25 Thread Tom Browder
On Fri, Mar 25, 2016 at 12:38 PM, David Wright <deb...@lionunicorn.co.uk> wrote:
> On Fri 25 Mar 2016 at 12:12:44 (-0500), Tom Browder wrote:
>> I have installed Deb on my laptop and reused my old Deb 7 .ssh directory.
>>
>> I can now ssh into the existing remote servers but cannot ssh into my
>> laptop from them (as a normal user)--I always get asked for a
>> password.  So the remote servers recognize my old Deb 7 keys, but
>> apparently my laptop doesn't recognize the other servers' keys.
...
>> Can anyone suggest where to look next?
>
> What you lost on your laptop is ~/.ssh/authorized_keys which would
> have had the public keys from your ~/.ssh/ on each of the remote hosts.

No, the authorized_keys are still there.

Thanks.

-Tom



Re: New Deb 8 and no sshd access from other hosts

2016-03-25 Thread Tom Browder
On Fri, Mar 25, 2016 at 12:12 PM, Tom Browder <tom.brow...@gmail.com> wrote:
> I have installed Deb on my laptop and reused my old Deb 7 .ssh directory.
...
> that my laptop host's entries in the remote host's known_hosts are of
> type "EDCSA" while the remote host's entries in the laptop's

That should have been "ECDSA."



New Deb 8 and no sshd access from other hosts

2016-03-25 Thread Tom Browder
I have installed Deb on my laptop and reused my old Deb 7 .ssh directory.

I can now ssh into the existing remote servers but cannot ssh into my
laptop from them (as a normal user)--I always get asked for a
password.  So the remote servers recognize my old Deb 7 keys, but
apparently my laptop doesn't recognize the other servers' keys.

I have compared files:

  /etc/ssh/ssh_conf
  /etc/ssh/sshd_conf
  /etc/pam.d/ssh/sshd

between the laptop and the remote server and can see no significant
difference for a normal user.

I can also see the host names in the .ssh/known_hosts file.  I do see
that my laptop host's entries in the remote host's known_hosts are of
type "EDCSA" while the remote host's entries in the laptop's
known_hosts file are of type "RSA."

Can anyone suggest where to look next?

Thanks.

Best regards,

-Tom



Re: Changing Boot Order

2016-03-24 Thread Tom

Greetings,

I don't have an answer to your question but maybe sharing a personal 
experience will help with the problem entering bios setup.  I recently 
had the same issue using a wireless keyboard and discovered the system 
only responded to a hardwired keyboard at that point in the boot 
process.  By using a USB keyboard instead of the wireless, I was able to 
enter setup and change the boot order.


HTH

Tom Ashley

On 03/24/2016 04:44 PM, Alan McConnell wrote:

Assembled Wisdom!

I am running wheezy, and would like to upgrade to jessie.  To
that end I've bought a CD and a USB stick from LinuxCollections.
My problem: when booting I can't get into my bios to change the
boot order.  No matter what key I press, the system continues
on with a re-boot of my old  wheezy.

Details:  my motherboard is a "Military Class Motherboard", which
I believe is also called MSI.  When the image flashed on the screen,
only for a few seconds, I see at the bottom instructions to press
either the F11 key, or the Delete key.  But when I press either of
these, nothing happens.  So my question is: can I change the boot
order from within wheezy, after I have booted and wheezy is already
in use?

[  Yes, I should have saved the material that came with my machine.
But I have recently moved, quite hurriedly, and I fear that the paper
manuals were lost.  ]

Thanks in advance for all help and suggestions!

Alan





Re: Upgrade Deb 7 to 8, GNOME Flashback, terminal windows not saved: any way to save?

2016-03-22 Thread Tom Browder
On Tuesday, March 22, 2016, Lisi Reisz <lisi.re...@gmail.com> wrote:
...
> Sorry, I should get to the end before I respond!

That's okay, Lisi, I do that, too, especially when trying to work
e-mail with a tablet.

And this gives me a chance to elucidate on my situation. I have liked
and used Debian for at least 10 years (after 10+ years with Yggdrasil,
Redhat, Fedora), but, as GNOME 2 was giving way to GNOME 3 (ugh), I
tried some of the Debian-like distros like Mint but didn't like them.
Finally, default Deb 8 I thought was the end for me, but Mate has
allowed me to keep my old desktop the way I want it and still keep
using a current Debian, so I am happy for now.

SHAMELESS PLUG: Please keep MATE as part of Deb 9..*!!

BTW, so far I have upgraded two hosts remotely and they went pretty
much flawlessly (I have used in-place upgrade on one server
successfully since Deb 5, and the upgrade process keeps getting better
and better).  I still have to upgrade my two laptops, but I'm going to
wait until I'm completely happy with the other two machines.

Best regards,

-Tom



Re: x86_64 vs i386

2016-03-21 Thread Tom Browder
On Mon, Mar 21, 2016 at 7:39 PM, John Hasler <jhas...@newsguy.com> wrote:
> Tom Broder writes:
>> I just upgraded to Deb 8 (Jessie), 64bit, and tried Chromium but it
>> didn't work for me.  Downloaded Chrome from Google and it works fine.
>
> That doesn't mean it isn't 32 bit.  Debian has multiarch support.

The file downloaded from Google's Chrome site is:

  google-chrome-stable_current_amd64.deb

-Tom



Re: x86_64 vs i386

2016-03-21 Thread Tom Browder
On Mon, Mar 21, 2016 at 6:23 PM, Lisi Reisz <lisi.re...@gmail.com> wrote:
> On Monday 21 March 2016 15:11:36 Stefan Monnier wrote:
>> > to Google Chrome, which has indeed "thrown i386 machines under the bus",
>> > and
>>
>> What do you mean by that?
>> There won't be any new versions of Debian's i386 version of the
>> chromium package?

I just upgraded to Deb 8 (Jessie), 64bit, and tried Chromium but it
didn't work for me.  Downloaded Chrome from Google and it works fine.

Best regards,

-Tom



Re: Linux CLI gnuplot-ish program to do maps?

2016-03-21 Thread Tom Browder
On Sun, Mar 20, 2016 at 6:14 PM, Emanuel Berg <embe8...@student.uu.se> wrote:
> Is there a Linux CLI gnuplot-ish program to do maps?
...

Take a look at the BRL-CAD DSP tutorial here:

  http://brlcad.org/wiki/DSP

Is that anywhere near what you want?

Best regards,

-Tom



[SOLVED] Re: Upgrade Deb 7 to 8, GNOME Flashback, terminal windows not saved: any way to save?

2016-03-21 Thread Tom Browder
On Mon, Mar 21, 2016 at 12:26 PM, Tom Browder <tom.brow...@gmail.com> wrote:
> On Mon, Mar 21, 2016 at 12:21 PM, Tom Browder <tom.brow...@gmail.com> wrote:
>> On Mon, Mar 21, 2016 at 11:45 AM, Sven Arvidsson <s...@whiz.se> wrote:
>>> On Mon, 2016-03-21 at 11:26 -0400, Tom Browder wrote:
>>>> I just upgraded and am disappointed that, even though browser
>>>> instances can be saved between login sessions, terminal windows
>>>> apparently can't.
> ...
>> If not, are there any other reasonable, debian-packaged, desktop
>> environments that provide auto-saved terminals?
>
> Ah, it looks like I can try MATE.

Okay, I can live with MATE (so far), consider my question SOLVED.

Best regards,

-Tom



Re: Upgrade Deb 7 to 8, GNOME Flashback, terminal windows not saved: any way to save?

2016-03-21 Thread Tom Browder
On Mon, Mar 21, 2016 at 12:21 PM, Tom Browder <tom.brow...@gmail.com> wrote:
> On Mon, Mar 21, 2016 at 11:45 AM, Sven Arvidsson <s...@whiz.se> wrote:
>> On Mon, 2016-03-21 at 11:26 -0400, Tom Browder wrote:
>>> I just upgraded and am disappointed that, even though browser
>>> instances can be saved between login sessions, terminal windows
>>> apparently can't.
...
> If not, are there any other reasonable, debian-packaged, desktop
> environments that provide auto-saved terminals?

Ah, it looks like I can try MATE.

-Tom



Re: Upgrade Deb 7 to 8, GNOME Flashback, terminal windows not saved: any way to save?

2016-03-21 Thread Tom Browder
On Mon, Mar 21, 2016 at 11:45 AM, Sven Arvidsson <s...@whiz.se> wrote:
> On Mon, 2016-03-21 at 11:26 -0400, Tom Browder wrote:
>> I just upgraded and am disappointed that, even though browser
>> instances can be saved between login sessions, terminal windows
>> apparently can't.
>>
>> I have used the gconf editor and found setting:
>>
>>   apps | gnome-session | options | auto_save_session
>>
>> which is checked, but the terminals still disappear after logging out
>> and logging back in.
>>
>> Is there any way to recover that most valuable feature of the old
>> GNOME desktop?
>
> AFAICT, Nope.
>
> See https://bugzilla.gnome.org/show_bug.cgi?id=704676

I remember that now.  So is there any way to drop back to using GNOME
Classic as in Deb 7?

If not, are there any other reasonable, debian-packaged, desktop
environments that provide auto-saved terminals?

So sad, UI design following faddish, short-lived form over function,
just like the fashion industry: the emperor has no clothes!

Best regards,

-Tom



Upgrade Deb 7 to 8, GNOME Flashback, terminal windows not saved: any way to save?

2016-03-21 Thread Tom Browder
I just upgraded and am disappointed that, even though browser
instances can be saved between login sessions, terminal windows
apparently can't.

I have used the gconf editor and found setting:

  apps | gnome-session | options | auto_save_session

which is checked, but the terminals still disappear after logging out
and logging back in.

Is there any way to recover that most valuable feature of the old GNOME desktop?

Thanks.

Best regards,

-Tom



Re: Debian security: need recipe for blocking root ssh access AND all ssh password access

2016-02-17 Thread Tom Browder
On Wed, Feb 17, 2016 at 4:02 PM, Jeremy T. Bouse
<jeremy.bo...@undergrid.net> wrote:
> On 2/17/2016 3:31 PM, Tom Browder wrote:
>> On Wed, Feb 17, 2016 at 9:33 AM, Jeremy T. Bouse
>> <jeremy.bo...@undergrid.net> wrote:
...
>>> I do agree locking the root password isn't advisable. As I use
>>> configuration management/automation to handle my servers I simply set the
>>> root password to generated password that only I know the algorithm to
>>> reproduce it when I need to,
>> Can you give more details on the process (at least generally)?
...

Thanks so much, Jeremy!

-Tom



Re: Debian security: need recipe for blocking root ssh access AND all ssh password access

2016-02-17 Thread Tom Browder
On Wed, Feb 17, 2016 at 9:33 AM, Jeremy T. Bouse
<jeremy.bo...@undergrid.net> wrote:
> Setting SSH "PermitRoot no" and "PasswordAuthentication no" are good
> starts... I'd also check that "ChallengeResponseAuthentication no" is set as
> well as some PAM modules will utilize it and be able to get around passwords
> being entered as well as "UsePAM no"

Okay.

> I do agree locking the root password isn't advisable. As I use
> configuration management/automation to handle my servers I simply set the
> root password to generated password that only I know the algorithm to
> reproduce it when I need to,

Can you give more details on the process (at least generally)?

> but enable sudoers for all other 'root' access.

Can one use that method and restrict use of "sudo su?"

> I also go further by utilizing Duo Security as a MFA for SSH logins to
> my servers for accounts authorized to log in.

Hm, so you do allow some accounts password access?

Thanks, Jeremy!

Best,

-Tom
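
One way to verify the settings named in the quoted reply, as an added example that is not from the thread. It assumes PermitRootLogin, the sshd_config keyword for what the reply calls "PermitRoot"; the function names and the sample file are constructed for illustration, and an unset keyword counts as a failure because compiled-in defaults differ between OpenSSH releases.

```bash
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the settings
# discussed above, in the global section and in Match blocks.

# sshd_settings FILE
# Prints "scope keyword value" for every directive, lower-cased. scope is
# "global" before the first Match line and "match" after it.
sshd_settings() {
    awk '
        BEGIN { scope = "global" }
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
        { sub(/[ \t]*=[ \t]*/, " ")              # accept keyword=value too
          key = tolower($1) }
        key == "match" { scope = "match"; next }
        { print scope, key, tolower($2) }
    ' "$1"
}

# audit_sshd_config FILE
# Returns 0 only if each keyword is explicitly set to the wanted value in the
# global section (sshd uses the first occurrence of a keyword) and no Match
# block sets it to something else. Returns 2 if FILE cannot be read.
# Newer OpenSSH releases call the third keyword KbdInteractiveAuthentication;
# this sketch checks only the name used in the thread.
audit_sshd_config() {
    a_settings=$(sshd_settings "$1") || return 2
    a_rc=0
    for a_pair in permitrootlogin:no passwordauthentication:no \
                  challengeresponseauthentication:no; do
        a_key=${a_pair%%:*}
        a_want=${a_pair#*:}
        a_got=$(printf '%s\n' "$a_settings" |
            awk -v k="$a_key" '$1 == "global" && $2 == k { print $3; exit }')
        a_bad=$(printf '%s\n' "$a_settings" |
            awk -v k="$a_key" -v w="$a_want" \
                '$1 == "match" && $2 == k && $3 != w { print $3; exit }')
        if [ "$a_got" != "$a_want" ]; then
            echo "FAIL $a_key: global value is '${a_got:-unset}', want '$a_want'"
            a_rc=1
        elif [ -n "$a_bad" ]; then
            echo "FAIL $a_key: a Match block sets it to '$a_bad'"
            a_rc=1
        else
            echo "ok $a_key $a_got"
        fi
    done
    return "$a_rc"
}

# Constructed sample: the global section is hardened (the later, lower-case
# duplicate is ignored because the first occurrence wins), but a Match block
# re-enables passwords for one account.
sample_config() {
    cat <<'EOF'
# constructed sample, not from the thread
Port 22
PermitRootLogin no
PasswordAuthentication no
passwordauthentication yes
ChallengeResponseAuthentication=no
UsePAM yes
Match User backup
    PasswordAuthentication yes
EOF
}
```

After sourcing the file, audit_sshd_config /etc/ssh/sshd_config reports one line per keyword; run it before restarting sshd, with a second session still open.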



Re: Debian security: need recipe for blocking root ssh access AND all ssh password access

2016-02-17 Thread Tom Browder
On Wed, Feb 17, 2016 at 8:24 AM, Darac Marjal <mailingl...@darac.org.uk> wrote:
> On Wed, Feb 17, 2016 at 08:08:26AM -0600, Tom Browder wrote:
>>
>> I have several remote Debian 7 servers and would like to secure it in
>> the following manner:
...

I can follow that!  Thanks so much, Darac.

Best,

-Tom



Re: Debian security: need recipe for blocking root ssh access AND all ssh password access

2016-02-17 Thread Tom Browder
On Wed, Feb 17, 2016 at 8:23 AM, Peter Ludikovsky <pe...@ludikovsky.name> wrote:
> -BEGIN PGP SIGNED MESSAGE-
...

Thanks, Peter.  Do you agree with Darac's solution?

Best,

-Tom



Debian security: need recipe for blocking root ssh access AND all ssh password access

2016-02-17 Thread Tom Browder
I have several remote Debian 7 servers and would like to secure it in
the following manner:

1. root will not be allowed any external access (access is only via a
user becoming root while logged in)

2. after initial setup, no ssh access will be allowed via a password

I have seen much documentation on securing such a host, but I don't
want to be an expert--I just need a recipe.

Many thanks.

Best regards,

-Tom



[no subject]

2015-11-29 Thread tom arnall
Denice,

You could do me a great favor. Here is the address of the website for
my tutoring service:

BajaSpeakingEnglish.com

Please look at it and give me any suggestions you might have for improving it.

Hugs,

Tom



-- 
"Once its survival is on the line, a species will often find powers
unimaginable in the days of its complacency." Francis Knight



fast internet connection but very slow browser response

2015-11-23 Thread tom arnall
My browser connection has become very slow. Pinging will show a very
fast connection, but my browser response is often so slow that a
request times out. Skype will work fine under these conditions, as
well as my torrent agent.

I looked at 'syslog' and the output below seems to me related to the
problem, but I don't have the expertise to have much more than a
suspicion about it. If anyone could help me interpret the stuff
relative to my browser problem, I'd very much appreciate it.

my browser is iceweasel and i'm running Jessie.


==

Nov 23 21:37:03 t400-2 avahi-daemon[520]: Withdrawing address record
for fe80::21e:65fffecd:2b64 on wlan0.
Nov 23 21:37:03 t400-2 avahi-daemon[520]: Joining mDNS multicast group
on interface wlan0.IPv with address 192.168.0.12.
Nov 23 21:37:03 t400-2 kernel: [ 133.648354] IPv6:
ADDRCONF(NETDEV_UP): wlan0: link is not ready
Nov 23 21:37:03 t400-2 kernel: [ 133.648447] cfg80211: Calling CRDA to
update world regulatory domain
Nov 23 21:37:03 t400-2 avahi-daemon[520]: New relevant interface
wlan0.IPv for mDNS.
Nov 23 21:37:03 t400-2 avahi-daemon[520]: Registering new address
record for 192.168.0.12 on wlan0.IPv4.
Nov 23 21:37:03 t400-2 kernel: [ 133.659834] cfg80211: World
regulatory domain updated:
Nov 23 21:37:03 t400-2 kernel: [ 133.659838] cfg80211: DFS Master region: unset
Nov 23 21:37:03 t400-2 kernel: [ 133.659840] cfg80211: (startfreq -
endfreq @ bandwidth), (maxantennagain, maxeirp), (dfscactime)
Nov 23 21:37:03 t400-2 kernel: [ 133.659842] cfg80211: (2402000 KHz -
2472000 KHz @ 4 KHz), (N/A, 2000 mBm), (N/A)
Nov 23 21:37:03 t400-2 kernel: [ 133.659844] cfg80211: (2457000 KHz -
2482000 KHz @ 4 KHz), (N/A, 2000 mBm), (N/A)
Nov 23 21:37:03 t400-2 kernel: [ 133.659846] cfg80211: (2474000 KHz -
2494000 KHz @ 2 KHz), (N/A, 2000 mBm), (N/A)
Nov 23 21:37:03 t400-2 kernel: [ 133.659848] cfg80211: (517 KHz -
525 KHz @ 8 KHz, 16 KHz AUTO), (N/A, 2000 mBm), (N/A)
Nov 23 21:37:03 t400-2 kernel: [ 133.659851] cfg80211: (525 KHz -
533 KHz @ 8 KHz, 16 KHz AUTO), (N/A, 2000 mBm), (0 s)
Nov 23 21:37:03 t400-2 kernel: [ 133.659853] cfg80211: (549 KHz -
573 KHz @ 16 KHz), (N/A, 2000 mBm), (0 s)
Nov 23 21:37:03 t400-2 kernel: [ 133.659854] cfg80211: (5735000 KHz -
5835000 KHz @ 8 KHz), (N/A, 2000 mBm), (N/A)
Nov 23 21:37:03 t400-2 kernel: [ 133.659856] cfg80211: (5724 KHz -
6372 KHz @ 216 KHz), (N/A, 0 mBm), (N/A)
Nov 23 21:37:06 t400-2 kernel: [ 136.853934] wlan0: authenticate with
e8:40:f2:4d:48:12
Nov 23 21:37:06 t400-2 kernel: [ 136.855667] wlan0: send auth to
e8:40:f2:4d:48:12 (try 1/3)
Nov 23 21:37:06 t400-2 kernel: [ 136.858438] wlan0: authenticated
Nov 23 21:37:06 t400-2 kernel: [ 136.860218] wlan0: associate with
e8:40:f2:4d:48:12 (try 1/3)
Nov 23 21:37:06 t400-2 kernel: [ 136.863955] wlan0: RX AssocResp from
e8:40:f2:4d:48:12 (capab=0x431 status=0 aid=1)
Nov 23 21:37:06 t400-2 kernel: [ 136.866701] wlan0: associated
Nov 23 21:37:06 t400-2 kernel: [ 136.866740] IPv6:
ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
Nov 23 21:37:08 t400-2 avahi-daemon[520]: Joining mDNS multicast group
on interface wlan0.IPv with address fe80::21e:65fffecd:2b64.
Nov 23 21:37:08 t400-2 avahi-daemon[520]: New relevant interface
wlan0.IPv for mDNS.
Nov 23 21:37:08 t400-2 avahi-daemon[520]: Registering new address
record for fe80::21e:65fffecd:2b64 on wlan0.*.
Nov 23 21:38:05 t400-2 ntpdate[1632]: adjust time server
131.107.13.100 offset 0.360256 sec
Nov 23 21:46:08 t400-2 kernel: [ 678.865239] perf interrupt took too
long (2526 > 2500), lowering kernel.perfeventmaxsamplerate to 5
Nov 23 22:17:01 t400-2 CRON[5212]: (root) CMD ( could / && run-parts
--report /etc/cron.hourly)
Nov 23 22:21:58 t400-2 kernel: [ 2828.643632] perf interrupt took too
long (5002 > 5000), lowering kernel.perfeventmaxsamplerate to 25000
Nov 23 22:29:33 t400-2 pumpd[1410]: renewed lease for interface wlan0



Re: Adobe Flash

2015-11-18 Thread Tom Ashley



On 11/18/2015 01:30 PM, Gene Heskett wrote:

On Wednesday 18 November 2015 10:05:33 Lisi Reisz wrote:


On Wednesday 18 November 2015 14:24:17 Alex Vong wrote:

Hi,

Next time please send your email to <debian-user@lists.debian.org>
for user questions, thanks! (You can also CC me since I don't
subscribe the debian-user list.)

To watch <http://www.bbc.com/news/10462520>, first install
youtube-dl: $ apt-get install youtube-dl

Or just install flashplugin-nonfree with Iceweasel,

That has not worked in >4 months here. On wheezy, I have installed every
new flashplugin-installer that's been released, and that's a bunch of
them, ditto for my ancient lappy with lubuntu 14.04  on it but there is
nothing for it to download.  So quit advertising that it works and just
let flash die the horrible security hole ridden death it deserves.


or watch with
Google Chrome.

Can you stop it from calling home?  Tcpdump and wireshark are quite
educational tools.


I'm sure plenty of other things work, but I know those
do.  I watch that news-site all the time, several times a day most
days, and browse over the whole site; sometimes just to see if there
has been a new newsflash on an important story.  Think of the
disk-space needed if I were to download everything every time!

So do I use chrome, pure and simply because I don't have to click thru 2
or 3 of iceweasels paranoid, are you sure requesters, which it promises
to remember you OK'd it, but it hasn't remembered yet.


Cheers, Gene Heskett 


The package browser-plugin-freshplayer-pepperflash works very well for 
me on iceweasel.


Tom Ashley



Re: Adobe Flash

2015-11-18 Thread Tom Ashley



On 11/18/2015 06:55 PM, Gene Heskett wrote:
> On Wednesday 18 November 2015 15:59:45 Tom Ashley wrote:
>> On 11/18/2015 01:30 PM, Gene Heskett wrote:
>>> On Wednesday 18 November 2015 10:05:33 Lisi Reisz wrote:
>>>> On Wednesday 18 November 2015 14:24:17 Alex Vong wrote:
>>>>> Hi,
>>>>>
>>>>> Next time please send your email to <debian-user@lists.debian.org>
>>>>> for user questions, thanks! (You can also CC me since I don't
>>>>> subscribe the debian-user list.)
>>>>>
>>>>> To watch <http://www.bbc.com/news/10462520>, first install
>>>>> youtube-dl: $ apt-get install youtube-dl
>>>>
>>>> Or just install flashplugin-nonfree with Iceweasel,
>>>
>>> That has not worked in >4 months here. On wheezy, I have installed
>>> every new flashplugin-installer thats been released, and thats a
>>> bunch of them, ditto for my ancient lappy with lubuntu 14.04  on it
>>> but there is nothing for it to download.  So quit advertising that
>>> it works and just let flash die the horrible security hole ridden
>>> death it deserves.
>>>
>>>> or watch with
>>>> Google Chrome.
>>>
>>> Can you stop it from calling home?  Tcpdump and wireshark are quite
>>> educational tools.
>>>
>>>> I'm sure plenty of other things work, but I know those
>>>> do.  I watch that news-site all the time, several times a day most
>>>> days, and browse over the whole site; sometimes just to see if
>>>> there has been a new newsflash on an important story.  Think of the
>>>> disk-space needed if I were to download everything every time!
>>>
>>> So do I use chrome, pure and simply because I don't have to click
>>> thru 2 or 3 of iceweasels paranoid, are you sure requesters, which
>>> it promises to remember you OK'd it, but it hasn't remembered yet.
>>>
>>> Cheers, Gene Heskett
>>
>> The package browser-plugin-freshplayer-pepperflash works very well for
>> me on iceweasel.
>>
>> Tom Ashley
>
> And what repo has that?
>
> Thanks.
>
> Cheers, Gene Heskett

$ apt-cache policy browser-plugin-freshplayer-pepperflash
browser-plugin-freshplayer-pepperflash:
  Installed: 0.3.2-1+b1
  Candidate: 0.3.2-1+b1
  Version table:
 *** 0.3.2-1+b1 0
        900 http://ftp.us.debian.org/debian/ testing/contrib amd64 Packages
        600 http://ftp.debian.org/debian/ unstable/contrib amd64 Packages

Tom Ashley



Re: make system boot straight to browser connection

2015-10-16 Thread tom arnall
what prevents Debian from providing an alternate boot option in Jessie
which does not use systemd? My Wheezy system seems to do this.

On 10/7/15, tom arnall <kloro2...@gmail.com> wrote:
> I want to setup a system so that when the power button is pushed on
> the PC, the system connects to the internet and starts a browser
> without a login or any other intervention by the user.
>
> There are no security issues.
>
> Is this doable?
>


-- 
Once its survival is on the line, a species will often find powers
unimaginable in the days of its complacency.



Re: systemd alternative for Jessie?

2015-10-16 Thread tom arnall
what prevents Debian from providing an alternate boot option in Jessie
which does not use systemd? My Wheezy system seems to do this.



Re: systemd alternative for Jessie?

2015-10-14 Thread tom arnall
i read the piece on installing  without systemd. i get the feeling
that the bottom line of it is: good luck. or am i missing something?

who  decided that Debian shd be locked to systemd?

what did they do to poll the views of the user community on the question?

is it true that Red Hat had a major influence on the Debian decision makers?

from what i've read so far, systemd is still very much in beta at
best. wd people on this list agree with that?


On 10/13/15, Joel Rees <joel.r...@gmail.com> wrote:
> 2015/10/14 13:24 "Ric Moore" <wayward4...@gmail.com>:
>>
>> On 10/13/2015 11:20 PM, tom arnall wrote:
>>>
>>> I am running Wheezy and notice that the boot options include but
>>> aren't limited to systemd. Is it possible to have this arrangement
>>> with Jessie?
>>
>>
>> No. :) Ric
>
> I tend to be wandering around way out in left field a lot, but
>
> https://wiki.debian.org/systemd#Installing_without_systemd
>
> Also, this is something I just saw:
>
> http://without-systemd.org/wiki/index.php/Main_Page
>
> Now, I must say, as near as I can tell, there is no escaping from the
> influence of the cabal at this point, but is that what the OP was asking?
>
> Joel Rees
>
> Computer memory is just fancy paper,
> CPUs just fancy pens.
> All is a stream of text
> flowing from the past into the future.
>


-- 
Once its survival is on the line, a species will often find powers
unimaginable in the days of its complacency.








systemd alternative for Jessie?

2015-10-13 Thread tom arnall
I am running Wheezy and notice that the boot options include but
aren't limited to systemd. Is it possible to have this arrangement
with Jessie?



Re: make system boot straight to browser connection

2015-10-09 Thread tom arnall
Folks!

thanks for your help. the expertise and helpfulness of this list is
the reason i run Debian. hopefully one day i'll be able to make more
of a contribution to the Debian community.

regards,

T


-- 
Once its survival is on the line, a species will often find powers
unimaginable in the days of its complacency.


On 10/7/15, tom arnall <kloro2...@gmail.com> wrote:
> I want to setup a system so that when the power button is pushed on
> the PC, the system connects to the internet and starts a browser
> without a login or any other intervention by the user.
>
> There are no security issues.
>
> Is this doable?
>



make system boot straight to browser connection

2015-10-07 Thread tom arnall
I want to setup a system so that when the power button is pushed on
the PC, the system connects to the internet and starts a browser
without a login or any other intervention by the user.

There are no security issues.

Is this doable?



questions about debian installer prompts re: iwlwifi firmware

2015-09-24 Thread tom arnall
Greetings!

I am trying to install Debian on a Dell620 with USB stick media. When
the installer tried to configure the network software, it asked for an
iwlwifi firmware file.

I put the file on another USB stick, then tried two things:

1. put the firmware USB stick in another slot before booting. The
installer did not recognize when it asks for the iwlwifi file, i.e.,
no success.

2. put the firmware USB stick in another slot when installer requested
the firmware. Same result as 1, i.e., no success

2. replaced the install USB with the firmware USB when the installer
requested the firmware. After Installer configured the network, I
replaced the firmware USB with the installer USB. the installer died
when it tried to partition the disk with message that it can't read
the install media, i.e., no success.

MY QUESTIONS

How do I get the installer to load the firmware file?

What is the reason for the problem in the installer prompts?

Regards,

Tom

P.S. I found what I think is a solution to my installation problem,
but I suspect that it's more complicated than necessary and that the
debian-user list folks have a better one.


>>>
Once its survival is on the line, a species will often find powers
unimaginable in the days of its complacency.



questions re: installing Debian on a Dell620 with USB stick media

2015-09-24 Thread tom arnall
Greetings!

I am trying to install Debian on a Dell620 with USB stick media. When
the installer tried to configure the network software, it asked for an
iwlwifi firmware file.

I put the file on another USB stick, then tried two things:

1. put the firmware USB stick in another slot before booting. The
installer did not recognize when it asks for the iwlwifi file, i.e.,
no success.

2. put the firmware USB stick in another slot when installer requested
the firmware. Same result as 1, i.e., no success

2. replaced the install USB with the firmware USB when the installer
requested the firmware. After Installer configured the network, I
replaced the firmware USB with the installer USB. the installer died
when it tried to partition the disk with message that it can't read
the install media, i.e., no success.

MY QUESTIONS

How do I get the installer to load the firmware file?

What is the reason for the problem in the installer prompts?

Regards,

Tom

P.S. I found what I think is a solution to my installation problem,
but I suspect that it's more complicated than necessary and that the
debian-user list folks have a better one.


>>>
Once its survival is on the line, a species will often find powers
unimaginable in the days of its complacency.






questions about debian installer prompts re: iwlwifi firmware

2015-09-23 Thread tom arnall
Greetings!

I am trying to install Debian on a Dell620 with USB stick media. When
the installer tried to configure the network software, it asked for an
iwlwifi firmware file.

I put the file on another USB stick, then tried two things:

1. put the firmware USB stick in another slot before booting. The
installer did not recognize when it asks for the iwlwifi file, i.e.,
no success.

2. put the firmware USB stick in another slot when installer requested
the firmware. Same result as 1, i.e., no success

2. replaced the install USB with the firmware USB when the installer
requested the firmware. After Installer configured the network, I
replaced the firmware USB with the installer USB. the installer died
when it tried to partition the disk with message that it can't read
the install media, i.e., no success.

MY QUESTIONS

How do I get the installer to load the firmware file?

What is the reason for the problem in the installer prompts?

Regards,

Tom

P.S. I found what I think is a solution to my installation problem,
but I suspect that it's more complicated than necessary and that the
debian-user list folks have a better one.


>>>
Once its survival is on the line, a species will often find powers
unimaginable in the days of its complacency.



Re: wired network connection has stopped working

2015-08-24 Thread tom arnall
Thanks everyone for getting back to me.

ethtool eth0 gets:

   Link detected: no

But it just occurred to me that the first step to see if the problem
is with my Debian configuration or something else, is to test the
connection from my dual-booted Windows. Duh!   I'll get back with the
results soon.



.
“Once you can accept the universe as matter expanding into nothing
that is something, wearing stripes with plaid comes easy.” Albert
Einstein



On 8/21/15, tom arnall <kloro2...@gmail.com> wrote:
> Greetings!
>
> About a year ago my wired modem connection stopped working. I can find
> nothing on google which helps.
>
> In dmesg there is:
>
> eth0: link is not ready
>
> Here is ifconfig output, in case it is useful for people trying to
> help me with the problem:
>
> eth0      Link encap:Ethernet  HWaddr 00:24:7e:6a:c3:93
>           UP BROADCAST MULTICAST  MTU:1500  Metric:1
>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
>           Interrupt:20 Memory:fc60-fc62
>
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           inet6 addr: ::1/128 Scope:Host
>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>           RX packets:13 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:13 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:643 (643.0 B)  TX bytes:643 (643.0 B)
>
> wlan0     Link encap:Ethernet  HWaddr 00:22:fa:f5:a5:78
>           inet addr:192.168.0.10  Bcast:192.168.0.255  Mask:255.255.255.0
>           inet6 addr: fe80::222:faff:fef5:a578/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:13351 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:13109 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:6861821 (6.5 MiB)  TX bytes:2614612 (2.4 MiB)
>
> I'm running wheezy.
>
> Regards,
>
> Tom Arnall
> Baja Norte
>
>
> -
> “Once you can accept the universe as matter expanding into nothing
> that is something, wearing stripes with plaid comes easy.” Albert
> Einstein



wired network connection has stopped working

2015-08-21 Thread tom arnall
Greetings!

About a year ago my wired modem connection stopped working. I can find
nothing on google which helps.

In dmesg there is:

eth0: link is not ready

Here is ifconfig output, in case it is useful for people trying to
help me with the problem:

eth0      Link encap:Ethernet  HWaddr 00:24:7e:6a:c3:93
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Interrupt:20 Memory:fc60-fc62

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:13 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:643 (643.0 B)  TX bytes:643 (643.0 B)

wlan0     Link encap:Ethernet  HWaddr 00:22:fa:f5:a5:78
          inet addr:192.168.0.10  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::222:faff:fef5:a578/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:13351 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13109 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:6861821 (6.5 MiB)  TX bytes:2614612 (2.4 MiB)

I'm running wheezy.

Regards,

Tom Arnall
Baja Norte


-
“Once you can accept the universe as matter expanding into nothing
that is something, wearing stripes with plaid comes easy.” Albert
Einstein



Re: Nova Desktop

2015-06-18 Thread Tom Ashley



On 06/18/2015 07:55 AM, Lisi Reisz wrote:
> On Thursday 18 June 2015 11:37:18 rob wrote:
>> On 18/06/15 10:43, Lisi Reisz wrote:
>>> On Thursday 18 June 2015 00:04:12 Jose Martinez wrote:
>>>> Anyone know anything about the Nova Desktop application.  I have it
>>>> installed and set it up, but it doesn't seem to affect my desktop
>>>> background.  I have several .jpg images that I had wanted to cycle
>>>> through the desktop background, and it seemed that Nova was just the
>>>> ticket
>>>
>>> I have found references to Android and references to Ubuntu.  Are you
>>> sure that it works on Debian?
>>>
>>> Which DE are you trying to use it on and why is the DE's own
>>> background manager not adequate?
>>>
>>> Lisi
>>
>> Debian package desktopnova
>
> Thanks, Rob.  But:
>
> Which DE are you (the OP) trying to use it on and why is the DE's own
> background manager not adequate?
>
> Lisi


I have no experience with the package but noticed the following in the 
description supplied by aptitude: There is at least one module needed. 
Without a module this package will not work as expected! See packages  
desktopnova-module-*. 


HTH,

Tom Ashley





wheezy multiarch: binutils:amd64 conflicts with binutils:i386?

2015-04-22 Thread Tom Roche

summary: 3 questions:

1. Can one install both `binutils:amd64` and `binutils:i386` on the same device?
2. If one can: how? or, what am I doing wrong?
3. If one cannot: why not?

details:

I need to setup a 32-bit app (don't ask!) on a 64-bit linode with

 $ lsb_release -ds
 Debian GNU/Linux 7.8 (wheezy)
 $ cat /etc/debian_version
 7.8
 $ uname -rv
 3.19.1-x86_64-linode53 #1 SMP Tue Mar 10 15:30:28 EDT 2015

 $ dpkg --print-architecture
 amd64
 $ dpkg --print-foreign-architectures
 i386
 $ sudo aptitude update
 ...
 $ sudo aptitude full-upgrade
 ...

 $ aptitude --version
 Thu Apr 23 00:08:02 EDT 2015
 aptitude 0.6.8.2 compiled at Nov  7 2012 07:08:03
 Compiler: g++ 4.7.2
 Compiled against:
   apt version 4.12.0
   NCurses version 5.9
   libsigc++ version: 2.2.10
   Ept support enabled.
   Gtk+ support disabled.
   Qt support disabled.

 Current library versions:
   NCurses version: ncurses 5.9.20110404
   cwidget version: 0.5.16
   Apt version: 4.12.0

 $ apt-get --version
 Thu Apr 23 00:08:39 EDT 2015
 apt 0.9.7.9 for amd64 compiled on Oct 17 2014 09:15:56
 Supported modules:
 *Ver: Standard .deb
 *Pkg:  Debian dpkg interface (Priority 30)
  Pkg:  Debian APT solver interface (Priority -1000)
  S.L: 'deb' Standard Debian binary tree
  S.L: 'deb-src' Standard Debian source tree
  Idx: Debian Source Index
  Idx: Debian Package Index
  Idx: Debian Translation Index
  Idx: Debian dpkg status file
  Idx: EDSP scenario file

Among other packages, I need to install `binutils:i386`. However, I can't seem 
to install that and keep the native/64-bit `binutils`:

 $ date ; sudo apt-get install binutils:i386
 Thu Apr 23 00:08:50 EDT 2015
 Reading package lists... Done
 Building dependency tree   
 Reading state information... Done
 The following extra packages will be installed:
   libstdc++6:i386 zlib1g:i386
 Suggested packages:
   binutils-doc:i386
 The following packages will be REMOVED:
   binutils
 The following NEW packages will be installed:
   binutils:i386 libstdc++6:i386 zlib1g:i386
 0 upgraded, 3 newly installed, 1 to remove and 0 not upgraded.
 Need to get 4,993 kB of archives.
 After this operation, 325 kB disk space will be freed.
 Do you want to continue [Y/n]? ^C

 $ date ; sudo aptitude -s install binutils:i386
 Thu Apr 23 00:08:21 EDT 2015
 The following NEW packages will be installed:
   binutils:i386{b} libstdc++6:i386{a} zlib1g:i386{a} 
 0 packages upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
 Need to get 4,993 kB of archives. After unpacking 14.7 MB will be used.
 The following packages have unmet dependencies:
  binutils : Conflicts: binutils:i386 but 2.22-8+deb7u2 is to be installed.
  binutils:i386 : Conflicts: binutils but 2.22-8+deb7u2 is installed.
 The following actions will resolve these dependencies:

  Remove the following packages:
 1) binutils

 Accept this solution? [Y/n/q/?] q

So I have 3 questions:

1. Can one install both `binutils:amd64` and `binutils:i386` on the same device?

2. If one can: how? or, what am I doing wrong?

3. If one cannot: why not?

Apologies if this is a FAQ, but

* I saw no answers relating to this (though several similar questions) when 
DuckDuckGo-ing

* I see nothing @ https://wiki.debian.org/Multiarch/HOWTO indicating that I 
should not be able to do this.

TIA, Tom Roche tom_ro...@pobox.com





Re: network newbie seeks help combining routesets for VPN tunnel

2015-03-09 Thread Tom Roche
 
gets the response

 RTNETLINK answers: Network is unreachable

This appears to be a real failure, in that if I subsequently (i.e., immediately 
after running the above script[9]) do

$ sudo ip route add ${F5VPN_PUBLIC_IPN} via ${OPENVPN_ENDPT_IPN} dev tun0 metric 1

from the commandline, I get the same failure. And, just to be clear, at this 
point my networking is just as broken as before: both `ping` and DNS fail until 
I disconnect from the F5VPN, stop the OpenVPN, and restore my initial routeset 
and linkset.

So ... how to fix this? What am I doing wrong? Any assistance you can provide 
is much appreciated! and will be paid-forward via the above code and wiki.

TIA, Tom Roche tom_ro...@pobox.com

[1]: first post @ https://lists.debian.org/debian-user/2015/01/msg00732.html ,
     last post before this one @ https://lists.debian.org/debian-user/2015/01/msg00905.html
[2]: https://bitbucket.org/tlroche/aqmeii-na_n2o/wiki/Home
[3]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home
[4]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-new-architecture-diagram
[5]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/OpenVPN_install#rst-header-id5
[6]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-f5nap
[7]: https://lists.debian.org/debian-user/2015/01/msg00905.html
[8]: https://bitbucket.org/tlroche/linode_jumpbox_config/raw/HEAD/scripts/delete_current_routes.sh
[9]: https://bitbucket.org/tlroche/linode_jumpbox_config/raw/HEAD/scripts/set_F5VPN_routes.sh





Re: network newbie seeks help combining routesets for VPN tunnel

2015-01-25 Thread Tom Roche

Tom Roche Sat, 24 Jan 2015 16:00:37 -0500 [1] (envvar names translated to 
`bash`ian)
 [The original routeset on the client/laptop:]

 1:  default via 192.168.1.1 dev eth0  proto static
 2:  169.254.0.0/16 dev eth0  scope link  metric 1000
 3:  192.168.1.0/24 dev eth0  proto kernel  scope link  src ${LOCAL_ETH0_IPN}

 [OpenVPN routeset, overwrites the original routeset:]

 1:  0.0.0.0/1 via ${OPEN_VPN_ENDPT_IPN} dev tun0
 # inherited from original route#=1?
 2:  default via 192.168.1.1 dev eth0  proto static
 3:  10.8.0.1 via ${OPEN_VPN_ENDPT_IPN} dev tun0
 4:  ${OPEN_VPN_ENDPT_IPN} dev tun0  proto kernel  scope link  src 10.8.0.6
 5:  128.0.0.0/1 via ${OPEN_VPN_ENDPT_IPN} dev tun0
 # inherited from original route#=2?
 6:  169.254.0.0/16 dev eth0  scope link  metric 1000
 7:  ${OPEN_VPN_PUBLIC_IPN} via 192.168.1.1 dev eth0
 # inherited from original route#=3?
 8:  192.168.1.0/24 dev eth0  proto kernel  scope link  src ${LOCAL_ETH0_IPN}

 [F5VPN routeset, overwrites the OpenVPN routeset:]

 1:  0.0.0.0/1 via ${F5_VPN_ENDPT_IPN} dev ppp0  proto none  metric 1
 # inherited from original route#=1?
 2:  default via 192.168.1.1 dev eth0  proto static
 3:  10.144.0.1 dev ppp0  proto kernel  scope link  src ${F5_VPN_ENDPT_IPN}
 4:  128.0.0.0/1 via ${F5_VPN_ENDPT_IPN} dev ppp0  proto none  metric 1
 5:  ${F5_VPN_PUBLIC_IPN} via ${OPEN_VPN_ENDPT_IPN} dev tun0  proto none  metric 1

Matt Ventura Sat, 24 Jan 2015 19:26:48 -0800 [2] (slightly reformatted)
 [The new routeset] should look like:

new routeset option 1:

 [192.168.1.0/24 dev eth0  proto kernel  scope link  src ${LOCAL_ETH0_IPN}]
 ${OPEN_VPN_PUBLIC_IPN} via 192.168.1.1 dev eth0
 ${F5_VPN_PUBLIC_IPN} via ${OPEN_VPN_ENDPT_IPN} dev tun0 ...
 0.0.0.0/0 via ${F5_VPN_ENDPT_IPN} dev ppp0 ...

 Come to think of it, the set of routes that the F5 VPN puts in place should 
 work, needing only the addition of

 ${OPEN_VPN_PUBLIC_IPN} via 192.168.1.1 dev eth0

 What I wrote above is the cleanest possible set of routes that would
 still work, but just adding that one route should fix the existing
 one. I think you would want to add it just before starting the
 OpenVPN, otherwise do it right after.

Well, the OpenVPN client sets that route itself: the problem is, the F5VPN 
client overwrites it (see above). So I'd need to add it after starting the 
F5VPN client, producing something like

new routeset option 2: F5VPN routes with 1 added route:

1:  0.0.0.0/1 via ${F5_VPN_ENDPT_IPN} dev ppp0  proto none  metric 1
2:  default via 192.168.1.1 dev eth0  proto static
3:  10.144.0.1 dev ppp0  proto kernel  scope link  src ${F5_VPN_ENDPT_IPN}
4:  128.0.0.0/1 via ${F5_VPN_ENDPT_IPN} dev ppp0  proto none  metric 1
5:  ${OPEN_VPN_PUBLIC_IPN} via 192.168.1.1 dev eth0
6:  ${F5_VPN_PUBLIC_IPN} via ${OPEN_VPN_ENDPT_IPN} dev tun0  proto none  metric 1

Is that the correct order?

 After starting the F5 VPN, you might need to [also] re-add the

 192.168.1.0/24 dev eth0 ... src ${LOCAL_ETH0_IPN}

so that would be option 3: F5VPN routes with 2 added routes:

1:  192.168.1.0/24 dev eth0  proto kernel  scope link  src ${LOCAL_ETH0_IPN}
2:  0.0.0.0/1 via ${F5_VPN_ENDPT_IPN} dev ppp0  proto none  metric 1
3:  default via 192.168.1.1 dev eth0  proto static
4:  10.144.0.1 dev ppp0  proto kernel  scope link  src ${F5_VPN_ENDPT_IPN}
5:  128.0.0.0/1 via ${F5_VPN_ENDPT_IPN} dev ppp0  proto none  metric 1
6:  ${OPEN_VPN_PUBLIC_IPN} via 192.168.1.1 dev eth0
7:  ${F5_VPN_PUBLIC_IPN} via ${OPEN_VPN_ENDPT_IPN} dev tun0  proto none  metric 1

Is that the correct order?

thanks again, Tom Roche tom_ro...@pobox.com

[1]: https://lists.debian.org/debian-user/2015/01/msg00882.html
[2]: https://lists.debian.org/debian-user/2015/01/msg00892.html
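
Added example (not part of the original posts): a small longest-prefix-match lookup run over the F5VPN routeset and "option 2"/"option 3" from the message above. Linux picks the matching route with the longest prefix, then the lowest metric, so the listing order does not affect the result. The two public addresses are constructed placeholders from documentation ranges; the tunnel endpoint addresses are the ones quoted elsewhere in this thread.

```python
import ipaddress

# Tunnel endpoints as quoted in the thread. The two public addresses are
# constructed placeholders (RFC 5737 documentation ranges), standing in for
# ${OPEN_VPN_PUBLIC_IPN} and ${F5_VPN_PUBLIC_IPN}.
LAN_GW = "192.168.1.1"
OPEN_VPN_ENDPT = "10.8.0.5"
F5_VPN_ENDPT = "10.144.1.8"
OPEN_VPN_PUBLIC = "203.0.113.10"
F5_VPN_PUBLIC = "198.51.100.20"


def route(dest, dev, via=None, metric=0):
    """One `ip route` line reduced to the fields that decide forwarding."""
    net = ipaddress.ip_network("0.0.0.0/0" if dest == "default" else dest)
    return {"net": net, "dev": dev, "via": via, "metric": metric}


def lookup(table, dst):
    """Return (dev, via) for dst: longest prefix wins, then lowest metric."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r["net"]]
    if not matches:
        return None
    best = min(matches, key=lambda r: (-r["net"].prefixlen, r["metric"]))
    return best["dev"], best["via"]


def covers_all_ipv4(prefixes):
    """True if the given prefixes together span the whole IPv4 space."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    merged = list(ipaddress.collapse_addresses(nets))
    return merged == [ipaddress.ip_network("0.0.0.0/0")]


# The F5VPN routeset as posted (routes 1-5).
F5_ROUTES = [
    route("0.0.0.0/1", "ppp0", via=F5_VPN_ENDPT, metric=1),
    route("default", "eth0", via=LAN_GW),
    route("10.144.0.1", "ppp0"),
    route("128.0.0.0/1", "ppp0", via=F5_VPN_ENDPT, metric=1),
    route(F5_VPN_PUBLIC, "tun0", via=OPEN_VPN_ENDPT, metric=1),
]

# "Option 2": the F5VPN routes plus the host route to the OpenVPN server.
OPTION_2 = F5_ROUTES + [route(OPEN_VPN_PUBLIC, "eth0", via=LAN_GW)]

# "Option 3": option 2 plus the connected LAN route.
OPTION_3 = OPTION_2 + [route("192.168.1.0/24", "eth0")]

# Destinations worth checking; 8.8.8.8 and 192.168.1.50 are arbitrary samples.
PROBES = {
    "OpenVPN server": OPEN_VPN_PUBLIC,
    "F5 VPN server": F5_VPN_PUBLIC,
    "other (low half)": "8.8.8.8",
    "LAN host": "192.168.1.50",
}


def report(table):
    """Map each probe label to the (dev, via) the table selects for it."""
    return {label: lookup(table, dst) for label, dst in PROBES.items()}


if __name__ == "__main__":
    for name, table in [("F5VPN as posted", F5_ROUTES),
                        ("option 2", OPTION_2),
                        ("option 3", OPTION_3)]:
        print(name)
        for label, choice in report(table).items():
            print(f"  {label:18} -> {choice}")
    print("0/1 + 128/1 cover everything:",
          covers_all_ipv4(["0.0.0.0/1", "128.0.0.0/1"]))
```

With the routeset as posted, the OpenVPN server's own address matches only a /1 route and is sent to ppp0; the added host route in option 2 is the more specific match that keeps it on eth0.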





Re: network newbie seeks help combining routesets for VPN tunnel

2015-01-24 Thread Tom Roche

Tom Roche Sat, 24 Jan 2015 16:00:37 -0500 [1] (envvar names translated to 
`bash`ian)
 [The original routeset on the client/laptop:]

 1:  default via 192.168.1.1 dev eth0  proto static
 2:  169.254.0.0/16 dev eth0  scope link  metric 1000
 3:  192.168.1.0/24 dev eth0  proto kernel  scope link  src LOCAL_ETH0_IPN

 [OpenVPN routeset, overwrites the original routeset:]

 1:  0.0.0.0/1 via OPEN_VPN_ENDPT_IPN dev tun0
 # inherited from original route#=1?
 2:  default via 192.168.1.1 dev eth0  proto static
 3:  10.8.0.1 via OPEN_VPN_ENDPT_IPN dev tun0
 4:  OPEN_VPN_ENDPT_IPN dev tun0  proto kernel  scope link  src 10.8.0.6
 5:  128.0.0.0/1 via OPEN_VPN_ENDPT_IPN dev tun0
 # inherited from original route#=2?
 6:  169.254.0.0/16 dev eth0  scope link  metric 1000
 7:  OPEN_VPN_PUBLIC_IPN via 192.168.1.1 dev eth0
 # inherited from original route#=3?
 8:  192.168.1.0/24 dev eth0  proto kernel  scope link  src LOCAL_ETH0_IPN

 [F5VPN routeset, overwrites the OpenVPN routeset:]

 1:  0.0.0.0/1 via F5_VPN_ENDPT_IPN dev ppp0  proto none  metric 1
 # inherited from original route#=1?
 2:  default via 192.168.1.1 dev eth0  proto static
 3:  10.144.0.1 dev ppp0  proto kernel  scope link  src F5_VPN_ENDPT_IPN
 4:  128.0.0.0/1 via F5_VPN_ENDPT_IPN dev ppp0  proto none  metric 1
 5:  F5_VPN_PUBLIC_IPN via OPEN_VPN_ENDPT_IPN dev tun0  proto none  metric 1

 [my proposed new routeset:]

  # 1st route in Hartge's Trinity == OpenVPN route#=1 (compare with F5VPN route#=1)
  1:  0.0.0.0/1 via OPEN_VPN_ENDPT_IPN dev tun0
  # inherited from original route#=1 == OpenVPN route#=2 == F5VPN route#=2
  2:  default via 192.168.1.1 dev eth0  proto static
  # OpenVPN route#=3
  3:  10.8.0.1 via OPEN_VPN_ENDPT_IPN dev tun0
  # OpenVPN route#=4 , but what is the difference between 'src' and 'via'?
  4:  OPEN_VPN_ENDPT_IPN dev tun0  proto kernel  scope link  src 10.8.0.6
  # F5VPN route#=3
  5:  10.144.0.1 dev ppp0  proto kernel  scope link  src F5_VPN_ENDPT_IPN
  # 2nd route in Hartge's Trinity == OpenVPN route#=5 (compare with F5VPN route#=4)
  6:  128.0.0.0/1 via OPEN_VPN_ENDPT_IPN dev tun0
  # inherited from original route#=2 == OpenVPN route#=6 (absent in F5VPN routeset)
  7:  169.254.0.0/16 dev eth0  scope link  metric 1000
  # OpenVPN route#=7
  8:  OPEN_VPN_PUBLIC_IPN via 192.168.1.1 dev eth0
  # almost F5VPN route#=5 ... but which dev should this take? eth0, ppp0, tun0?
  9:  F5_VPN_PUBLIC_IPN via OPEN_VPN_ENDPT_IPN dev   proto none  metric 1
  # inherited from original route#=3 == OpenVPN route#=8 (absent in F5VPN routeset)
 10:  default via 192.168.1.1 dev eth0  proto static

Matt Ventura Sat, 24 Jan 2015 15:04:55 -0800 [2] (slightly rearranged)
 Basically, your final routing table, in plain English,

always tricky, that plain English :-)

 should look like this:

Please correct me where I get it wrong:

 1. Traffic to 192.168.1.0/24 should go through eth0

192.168.1.0/24 dev eth0  proto kernel  scope link  src ${LOCAL_ETH0_IPN}

which is original route#=3 == OpenVPN route#=8

 #1 shouldn't ever be touched by either VPN.

OpenVPN respects it, but F5VPN removes it!

 2. Traffic to the OpenVPN server's external IP should go through eth0 to 
 192.168.1.1

${OPEN_VPN_PUBLIC_IPN} via 192.168.1.1 dev eth0

which is OpenVPN route#=7

 #2 is something you'll probably need to manually add before (or after, not 
 sure) starting the F5 VPN.

I should be able to script that (more below).

 3. Traffic to the F5 VPN server's external IP (I assume this is the 134.x.x.x 
 one)

(correct, though F5_VPN_PUBLIC_IPN changes per-connection, hence the 
parameterization)

 should go through the OpenVPN ptp endpoint (10.8.0.5)

on dev=tun0? I.e.

${F5_VPN_PUBLIC_IPN} via ${OPEN_VPN_ENDPT_IPN} dev tun0  proto none  metric 1

If so, that's F5VPN route#=5

 4. All other traffic should go through the F5 VPN's ptp endpoint (10.144.x.x).

Does '128.0.0.0/1' == 'all other traffic'? If so,

128.0.0.0/1 via ${F5_VPN_ENDPT_IPN} dev ppp0  proto none  metric 1

is F5VPN route#=4

 The F5 client seems to be adamant about having route #4 in place, so we don't 
 need to worry about that.

OK.

 As mentioned above, you should remove the default routing to the OpenVPN 
 server

i.e., proposed route#={1, 3, 4}, which are also OpenVPN route#={1, 3, 4}

 and just have [F5_VPN_PUBLIC_IPN] route through the 10.8.0.5, rather than 0/1 
 and 128/1.

i.e., F5VPN route#=5.

But then (IIUC) we're routing 128.0.0.0/1 but not 0.0.0.0/1. If so, does 
0.0.0.0/1 not need routed? (And why did I not take the networking elective when 
I got my BSCS ?-(

Meanwhile, assuming I understand correctly, it sounds like, after I start the 
F5VPN client on my client/laptop, I need to produce the routes given above with 
something like the following bash scriptlet:

### IP-related envvars

## (hopefully) constant IP addresses

# public IP# (as visible to, e.g., whatismyip.com) of linode/jumpbox running 
OpenVPN server

network newbie seeks help combining routesets for VPN tunnel

2015-01-24 Thread Tom Roche
 link  src 10.8.0.6
 # F5VPN route#=3
 5:  10.144.0.1 dev ppp0  proto kernel  scope link  src 10.144.1.8
 # 2nd route in Hartge's Trinity == OpenVPN route#=5 (compare with F5VPN route#=4)
 6:  128.0.0.0/1 via 10.8.0.5 dev tun0
 # inherited from original route#=2 == OpenVPN route#=6 (absent in F5VPN routeset)
 7:  169.254.0.0/16 dev eth0  scope link  metric 1000
 # OpenVPN route#=7
 8:  SER.VER.IP.NUM via 192.168.1.1 dev eth0
 # almost F5VPN route#=5 ... but which dev should this take? eth0, ppp0, tun0?
 9:  F5.VPN.IP.NUM via 10.8.0.5 dev   proto none  metric 1
 # inherited from original route#=3 == OpenVPN route#=8 (absent in F5VPN routeset)
10:  192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.142

Question 1: what is the difference between 'src' and 'via' in `ip route` 
syntax? I see

`info ip-route`
 via ADDRESS
 the address of the nexthop router. [The] sense of this field depends 
 on the route type.
 For normal unicast routes it is either the true next hop router or,
 if it is a direct route installed in BSD compatibility mode, it can be 
 a local address of the interface.
 For NAT routes it is the first address of the block of translated IP 
 destinations.

 src ADDRESS
 the source address to prefer when sending to the destinations covered 
 by the route prefix.

but am not sure how to apply this knowledge to route statements.

Question 2: which dev[ice] should traffic to F5.VPN.IP.NUM go on? Such traffic 
has gotta go via the OpenVPN server == SER.VER.IP.NUM (which is usually 
serviced by `dev tun0`) but ultimately wants to go to F5.VPN.IP.NUM (which is 
usually serviced by `dev ppp0`).

Question 3: What am I missing? Conversely, what do I have that is superfluous?

Your assistance is appreciated! Tom Roche tom_ro...@pobox.com

[1]: 
https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-intended-solution
[2]: https://lists.debian.org/debian-user/2015/01/msg00830.html
[3]: https://lists.debian.org/debian-user/2015/01/msg00831.html
[4]: 
https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-f5nap
[5]: https://en.wikipedia.org/wiki/Thesis,_antithesis,_synthesis
[6]: 
https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-productive-past
[7]: 
https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-f5vpn-only-connection


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/87bnlnsxl6@pobox.com



Re: network newbie seeks assistance debugging iptables for VPN tunnel

2015-01-23 Thread Tom Roche

Back to this task after long detours! well, almost:

Matt Ventura Fri, 23 Jan 2015 12:47:21 -0800 [1]
 The F5 VPN is throwing its default route over the original one, and that's
 causing traffic to the OpenVPN server to try to route over the F5 VPN.
 Obviously this doesn't work because the traffic to the F5 VPN needs to
 go through the OpenVPN link, so it becomes circular.

 What you need to do is add a route, something like:
 route add external IP of OpenVPN server gw 192.168.1.1 dev eth0
 so that the traffic to the OpenVPN server can be routed properly.

Sven Hartge Fri, 23 Jan 2015 21:53:35 +0100 [2] (tweaked)
 That would complete the VPN Trinity:
 * one route   0/1
 * one route 128/1
 * one host route to the other VPN endpoint (making it reachable regardless of 
 other routes)

I will give that a shot ... after I take care of a bit more real life :-(
Meanwhile, I have uploaded a new'n'improved 
client_networking_investigation.txt[3]
(improved notably by my increasing facility with `ip` syntax). However it 
presently lacks

- your routing advice above
- scripting of connectivity checks (e.g., `ping`, `nslookup`)

which I will add (feel free to suggest others). I'm especially interested in 
the 'zombie routes' (i.e., I del a route, it disappears from `ip route show`, 
then reappears later) and other network-restoration oddities I'm observing (see 
states 5-8[3]), so I'd be especially interested in knowing how to prevent that. 
(I suspect it's due to my crude manner of starting/stopping OpenVPN on the 
client, but ICBW.)

Your assistance is appreciated! Tom Roche tom_ro...@pobox.com

[1]: https://lists.debian.org/debian-user/2015/01/msg00830.html
[2]: https://lists.debian.org/debian-user/2015/01/msg00831.html
[3]: 
https://bitbucket.org/tlroche/linode_jumpbox_config/downloads/client_networking_investigation.txt





SIOCDELRT, or: proper syntax to delete default route for an interface?

2015-01-22 Thread Tom Roche
 0.0.0.0 dev ppp0
SIOCDELRT: No such process

me@client:~$ sudo route del -net default netmask 255.255.255.255 gw 0.0.0.0 dev ppp0
SIOCDELRT: No such process

`info route` is not helping, nor are my websearches finding helpful doc. What 
am I doing wrong?

TIA, Tom Roche tom_ro...@pobox.com

[1]: 
https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-intended-solution
[2]: 
https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-networking-problem
[3]: https://lists.debian.org/debian-user/2015/01/msg00779.html





Re: network newbie seeks assistance debugging iptables for VPN tunnel

2015-01-22 Thread Tom Roche

Tom Roche Thu, 22 Jan 2015 12:43:17 -0500 [1]
 summary: Smells like progress! If I'm guessing correctly, the
 `route` changes imposed by connecting to the F5VPN[2] are
 conflicting with my server/jumpbox's current `iptables`[3] (through
 which my client seeks to tunnel[4]). Does that claim seem warranted?
 If so, how to fix the server firewall?

Matt Ventura Thu, 22 Jan 2015 10:58:38 -0800 [5] (rearranged)
 another option would be to simply run the F5 VPN client on the linode.

Alas, no:

1. Several years ago (when I was first struggling with getting the F5NAP to 
work directly[6]), I tried to find a headless alternative (e.g., something like 
a NetworkManager plugin), but was told by F5 that there was no such client for 
linux (at least, with the make/model of F5VPN that the agency had installed).

2. Several months ago (when linode.com was first recommended to me), I was 
sternly warned that linodes prefer to be run headless, and that running Firefox 
on a linode would be expensive and painful, if it worked at all.

 I'm assuming ppp0 is the F5 VPN interface.

Me, too: connecting to the F5VPN[2] creates that interface on the client, and 
disconnecting from the F5VPN removes it from the client.

 Try deleting the first entry in the routing table after bringing up the F5 
 VPN (something like 'route del default ppp0' if memory serves)

will check

 and see if it fixes the problem. This will probably break connectivity to the 
 VPN until you restart it, but see if you can access the internet in general.

Will do. I've got an appt, but will be back soonest. Thanks in advance!

Hoping soon to get back to work on my *real* project, Tom Roche 
tom_ro...@pobox.com

[1]: https://lists.debian.org/debian-user/2015/01/msg00774.html
[2]: 
https://bitbucket.org/tlroche/linode_jumpbox_config/downloads/client_networking_investigation.txt
[3]: 
https://bitbucket.org/tlroche/linode_jumpbox_config/downloads/server_iptables_L.txt
[4]: 
https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-intended-solution
[5]: https://lists.debian.org/debian-user/2015/01/msg00779.html
[6]: 
https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-f5nap





Re: network newbie seeks assistance debugging iptables for VPN tunnel

2015-01-22 Thread Tom Roche

summary: Smells like progress! If I'm guessing correctly, the `route` changes 
imposed by connecting to the F5VPN[3] are conflicting with my server/jumpbox's 
current `iptables` (through which my client seeks to tunnel[7]). Does that claim 
seem warranted? If so, how to fix the server firewall?

details:

Matt Ventura Wed, 21 Jan 2015 09:58:38 -0800 [1]
 First thing to check would be the routing table while the VPN is active.

Tom Roche Wed, 21 Jan 2015 16:33:43 -0500 [2]
 The `route -n` for while the OpenVPN connection is active is here[3],
 which is part of a longer section[4] with all the gory details ...

Matt Ventura Wed, 21 Jan 2015 22:18:57 -0800 [5]
 I meant the routing table when the F5 VPN is active, when the connectivity 
 breaks.

The bad news is, I should have realized that :-) The good news is, that seems 
quite revealing, esp in the now-upgraded context of the revised 
connectivity-debugging scenario[3] (which I also reran to verify results): 
connecting to the F5VPN (after logging into the remote-access website) creates 
an interface=ppp0 and extensively rewrites the routing table!

https://bitbucket.org/tlroche/linode_jumpbox_config/downloads/client_networking_investigation.txt
 ### 4. After connecting to F5VPN (requires login to remote-access website)
...
 me@client:~$ date ; sudo route -n
 Thu Jan 22 11:48:48 EST 2015
 Kernel IP routing table
 Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
 0.0.0.0         10.144.15.100   128.0.0.0       UG    1      0        0 ppp0
 0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
 10.144.0.1      0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
 128.0.0.0       10.144.15.100   128.0.0.0       UG    1      0        0 ppp0
 134.67.15.30    10.8.0.5        255.255.255.255 UGH   1      0        0 tun0

So now I'm guessing that:

1. (from `whois 134.67.15.30`) 134.67.15.30 is the agency's VPN server.

2. I need to reconcile the above `route`ing with my server's current firewall 
config[6]:

https://bitbucket.org/tlroche/linode_jumpbox_config/downloads/server_iptables_L.txt
 Chain INPUT (policy ACCEPT)
 target        prot opt source           destination
 fail2ban-ssh  tcp  --  anywhere         anywhere     multiport dports ssh
 ACCEPT        all  --  anywhere         anywhere
 ACCEPT        all  --  anywhere         anywhere

 Chain FORWARD (policy ACCEPT)
 target        prot opt source           destination
 ACCEPT        all  --  anywhere         anywhere     state RELATED,ESTABLISHED
 ACCEPT        all  --  10.8.0.0/24      anywhere
 REJECT        all  --  anywhere         anywhere     reject-with icmp-port-unreachable
 ACCEPT        all  --  anywhere         anywhere
 ACCEPT        all  --  anywhere         anywhere

 Chain OUTPUT (policy ACCEPT)
 target        prot opt source           destination

 Chain fail2ban-ssh (1 references)
 target        prot opt source           destination
 DROP          all  --  222.186.34.202   anywhere
 RETURN        all  --  anywhere         anywhere

So my questions are:

1. Am I guessing correctly?
2. If so, how to reconcile the `route`ing change imposed by the F5VPN with my 
server's current firewall config[6]?

Thanks again for your prompt assistance, Tom Roche tom_ro...@pobox.com

[1]: https://lists.debian.org/debian-user/2015/01/msg00733.html
[2]: https://lists.debian.org/debian-user/2015/01/msg00744.html
[3]: 
https://bitbucket.org/tlroche/linode_jumpbox_config/downloads/client_networking_investigation.txt
[4]: 
https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/OpenVPN_install#rst-header-dns-problem
[5]: https://lists.debian.org/debian-user/2015/01/msg00761.html
[6]: 
https://bitbucket.org/tlroche/linode_jumpbox_config/downloads/server_iptables_L.txt
[7]: 
https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-intended-solution
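
The circular routing diagnosed in this thread, checked mechanically against the `route -n` listing quoted in the message above. This is an added example, not code from the thread; the helper names, `TUNNEL_PEER`, and 203.0.113.10 (a documentation-range placeholder for the OpenVPN server's public address, which the thread does not give) are assumptions.

```python
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "net gateway metric iface")

# `route -n` listing from the message above, columns re-spaced.
ROUTE_N = """\
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
0.0.0.0         10.144.15.100   128.0.0.0       UG    1      0   0   ppp0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0   0   eth0
10.144.0.1      0.0.0.0         255.255.255.255 UH    0      0   0   ppp0
128.0.0.0       10.144.15.100   128.0.0.0       UG    1      0   0   ppp0
134.67.15.30    10.8.0.5        255.255.255.255 UGH   1      0   0   tun0
"""

# Outer (carrier) peer of each tunnel interface. 134.67.15.30 is from the
# thread; 203.0.113.10 is an assumed placeholder for the OpenVPN server.
TUNNEL_PEER = {"ppp0": "134.67.15.30", "tun0": "203.0.113.10"}
LAN_GATEWAY = "192.168.1.1"


def parse_route_n(text):
    """Turn `route -n` output into Route tuples (header lines are skipped)."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8 or f[0] == "Destination":
            continue
        net = ipaddress.ip_network(f"{f[0]}/{f[2]}")  # Genmask -> prefix length
        routes.append(Route(net, f[1], int(f[4]), f[7]))
    return routes


def lookup(routes, dst):
    """Main-table selection: longest prefix wins, then lowest metric."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r.net]
    return max(hits, key=lambda r: (r.net.prefixlen, -r.metric)) if hits else None


def shadows_default(routes, iface):
    """True if iface's non-default routes together cover all of IPv4, i.e.
    the 0/1 + 128/1 pair outranks 0.0.0.0/0 without deleting it."""
    nets = [r.net for r in routes if r.iface == iface and r.net.prefixlen > 0]
    everything = [ipaddress.ip_network("0.0.0.0/0")]
    return list(ipaddress.collapse_addresses(nets)) == everything


def transport_chain(routes, tunnel_peer, dst):
    """Follow a packet for dst outward through nested tunnels.

    Returns (interfaces visited, looped). looped=True means a tunnel's own
    carrier packets are routed back into a tunnel already in the chain.
    """
    chain = []
    while True:
        route = lookup(routes, dst)
        if route is None:
            return chain, False             # no route at all
        if route.iface in chain:
            return chain + [route.iface], True
        chain.append(route.iface)
        if route.iface not in tunnel_peer:
            return chain, False             # reached a physical interface
        dst = tunnel_peer[route.iface]      # next: the tunnel's carrier packets


def with_host_route(routes, host, gateway, iface):
    """Table plus a /32 route, the equivalent of the suggested
    `route add <OpenVPN server IP> gw 192.168.1.1 dev eth0`."""
    return routes + [Route(ipaddress.ip_network(f"{host}/32"), gateway, 0, iface)]


if __name__ == "__main__":
    table = parse_route_n(ROUTE_N)
    print("ppp0 shadows default:", shadows_default(table, "ppp0"))
    print("before:", transport_chain(table, TUNNEL_PEER, "141.101.120.15"))
    fixed = with_host_route(table, TUNNEL_PEER["tun0"], LAN_GATEWAY, "eth0")
    print("after: ", transport_chain(fixed, TUNNEL_PEER, "141.101.120.15"))
```

The model covers the main routing table only; policy-routing rules and sockets bound to a specific interface are outside it.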





network newbie seeks assistance debugging iptables for VPN tunnel

2015-01-21 Thread Tom Roche

[note: following contains ASCII art in the middle, and footnoted links at the 
end]

summary: I need to tunnel one SSL VPN (F5, running on one debian host) through 
another (OpenVPN, running on another debian host), but lose networking (e.g., 
`ping`) after the F5 VPN connects. I'm not sure whether this is due to my 
firewall/iptables or VPN configuration, but suspect the former. Unfortunately I 
am not knowledgeable regarding networking, so I'd appreciate any assistance you 
could provide.

details:

I need to remotely (off the physical LAN) SSH into some firewalled compute 
clusters to do environmental modeling (e.g., this[1]). Formerly I could do this 
from my debian laptop using the cluster-provider-mandated F5VPN[2]. However, 
access policy changed[3] (notably to require a single registered IP#), so I can 
no longer do this directly (i.e., just running the F5VPN from my laptop). I 
seek to adapt to the new policy (and resume work on my project) by implementing 
a VPN tunnel through a debian linode. Design details here[4], but my design 
can be roughly summarized with the following ASCII art (appropriately rendered 
here[4]):

--------- MY CONTROL --------    -------- AGENCY CONTROLLED --------
                                                 firewall
+----------+    +-----------+    +---------------+   |   +---------+
| laptop + |    | linode  + |    | remote-access |   |   | cluster |
| F5NAP  + | -- | OpenVPN + | -- | website +     |  -|-  | node(s) |
| OpenVPN  |    | security  |    | F5VPN         |   |   |         |
+----------+    +-----------+    +---------------+   |   +---------+

(Implementation details here[5]) The good news is, the following sequence 
works: I can

1. start an OpenVPN server on the linode[6]
2. start an OpenVPN client on my laptop[7], after which 
http://www.whatismyip.com shows the IP# of my linode (which is registered)
3. start the F5VPN client (an F5NAP'ed Firefox[8]), and from that still see my 
linode's IP#.
4. using the F5VPN client, login to the agency's remote-access website, and 
bring up the F5VPN's control UI (e.g., to start/stop/logout).

The bad news is[9], as soon as I start the F5VPN, and see status==Connected in 
its web UI, I lose IP networking. I had originally thought this was just a DNS 
problem, but I cannot even `ping` IP#s, e.g.,

$ ping -c 4 141.101.120.15 # == www.whatismyip.com
PING 141.101.120.15 (141.101.120.15) 56(84) bytes of data.

--- 141.101.120.15 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3022ms

(The only consolation here is that the network failure kills the tunnel, which 
causes my client to regain its networking ... but also its access to the 
registered IP#.)

I had thought that this problem was due to OpenVPN misconfiguration on my part, 
but now suspect that I need to tweak my server firewall[10] (which is 
`iptables`, running on Debian 7.8) in order to allow my OpenVPN configuration 
to work. Unfortunately I don't know enough about IP/TCP/UDP/Linux/Debian 
networking, so I'd appreciate assistance from someone more knowledgeable.

Apologies if this is a FAQ or LMGTFY, but my websearches have not found 
anything that seems to match my use case. Pointers to doc or other 
educational resources are also appreciated.

TIA, Tom Roche tom_ro...@pobox.com

[1]: https://bitbucket.org/tlroche/aqmeii-na_n2o/wiki/Home
[2]: 
https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-f5vpn-only-access
[3]: 
https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-aug-2014-policy-change
[4]: 
https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-intended-solution
[5]: 
https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-id6
[6]: 
https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/OpenVPN_install#rst-header-test-server-startup
[7]: 
https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/OpenVPN_install#rst-header-test-client-startup
[8]: 
https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-f5nap
[9]: 
https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-network-problem
[10]: 
https://bitbucket.org/tlroche/linode_jumpbox_config/downloads/server_iptables_L.txt





Re: network newbie seeks assistance debugging iptables for VPN tunnel

2015-01-21 Thread Tom Roche

Tom Roche Wed, 21 Jan 2015 12:50:04 -0500 [1]

 I need to tunnel one SSL VPN (F5, running on one debian host) through
 another (OpenVPN, running on another debian host), but lose networking
 (e.g., `ping`) after the F5 VPN connects. I'm not sure whether this
 is due to my firewall/iptables or VPN configuration, but suspect the
 former. Unfortunately I am not knowledgeable regarding networking, so
 I'd appreciate any assistance you could provide.

...

slightly revised ASCII art

--------- MY CONTROL --------    ---------- AGENCY CONTROL ---------
                                                 firewall
+----------+    +-----------+    +---------------+   |   +---------+
| laptop + |    | linode  + |    | remote-access |   |   | cluster |
| F5NAP  + | -- | OpenVPN   | -- | website +     |  -|-  | node(s) |
| OpenVPN  |    | server  + |    | F5VPN server  |   |   |         |
| client   |    | security  |    |               |   |   |         |
+----------+    +-----------+    +---------------+   |   +---------+

Matt Ventura Wed, 21 Jan 2015 09:58:38 -0800 [2]
 First thing to check would be the routing table while the VPN is active.

The `route -n` for while the OpenVPN connection is active is here[3], which is 
part of a longer section[4] with all the gory details ...

and thanks! your prompt assistance is appreciated, Tom Roche 
tom_ro...@pobox.com

[1]: https://lists.debian.org/debian-user/2015/01/msg00732.html
[2]: https://lists.debian.org/debian-user/2015/01/msg00733.html
[3]: 
https://bitbucket.org/tlroche/linode_jumpbox_config/downloads/client_networking_investigation.txt
[4]: 
https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/OpenVPN_install#rst-header-dns-problem





Re: An experiment in backup

2015-01-20 Thread Tom H
On Mon, Jan 19, 2015 at 1:02 PM, Kevin O'Gorman kogor...@gmail.com wrote:
On Sun, Jan 18, 2015 at 9:26 AM, Tom H tomh0...@gmail.com wrote:
On Fri, Jan 16, 2015 at 10:28 PM, Kevin O'Gorman kogor...@gmail.com wrote:
 On Fri, Jan 16, 2015 at 3:54 AM, Tom H tomh0...@gmail.com wrote:

 Have you looked at the logs? Especially Xorg.0.log and xsessions-errors.

 Xorg logs seem normal
 I don't see any xsessions-errors file

~/.xsessions-errors

Xsession: X session started for kevin at Sat Jan 17 10:42:34 PST 2015
localuser:kevin being added to access control list
openConnection: connect: No such file or directory
cannot connect to brltty at :0
Script for ibus started at run_im.
Script for auto started at run_im.
Script for default started at run_im.
Unable to create /home/kevin/.dbus/session-bus
Script for ibus started at run_im.
Script for auto started at run_im.
Script for default started at run_im.
x-session-manager[1414]: CRITICAL: We failed, but the fail whale is dead. Sorry

What are the owner and mode of the .dbus and session-bus dirs?


Re: An experiment in backup

2015-01-18 Thread Tom H
On Fri, Jan 16, 2015 at 10:28 PM, Kevin O'Gorman kogor...@gmail.com wrote:
 On Fri, Jan 16, 2015 at 3:54 AM, Tom H tomh0...@gmail.com wrote:


 Are you using a DM?

 A what? Xubuntu uses xfce4 if that answers the question.

DM = display manager

On Ubuntu, lightdm is the default DM.


 Are you using a WM or a DE?

 A what?

WM = window manager

DE = desktop environment; in your case XFCE


 Have you looked at the logs? Especially Xorg.0.log and xsessions-errors.

 Xorg logs seem normal
 I don't see any xsessions-errors file

~/.xsessions-errors


 Can you launch X after logging in to the console?

 I don't know how.

You can check that the basic functionality of X is OK with
xinit /usr/bin/xterm -- /usr/bin/X :0 -nolisten tcp vt01
(assuming that you're on tty1 when launching X)

Otherwise, you can start X with
xinit [...]
startx [...]
service lightdm [re]start





Re: An experiment in backup

2015-01-16 Thread Tom H
On Thu, Jan 15, 2015 at 10:19 PM, Kevin O'Gorman kogor...@gmail.com wrote:

 I have a tar backup of the entire system, excluding /sys, /proc and /dev.
 I have a tar backup of a bind-mount of /dev.
 These were taken while the system was running, but quiet. I did it this
 way because I cannot get the system to boot into single user mode. Putting
 single on the end of the linux line results in a black screen.

 I restored these, created /sys and /proc, and tried to boot the resulting
 partition. It boots, but X does not come up, or even seem to try. I can do
 a console login to my usual account, and stuff is there.

What commands did you run to back up and restore the system?

Is '/tmp' a tmpfs filesystem? If not, did you back up and restore it?

Did you exclude '/run'? If not, did you restore it?

Did you create '/proc' and '/sys' with the right ownership and mode?

If this is a Debian system, is it a non-standard install that doesn't
use udev (AFAIK this is still possible)? If not, there's no point in
backing up and restoring '/dev'.

If this is an Ubuntu system, the default '(recovery)' grub entry will
have 'nomodeset' appended. Try that when you add 'single'.

Are you using a DM?

Are you using a WM or a DE?

Have you looked at the logs? Especially Xorg.0.log and xsessions-errors.

Can you launch X after logging in to the console?





Re: LACK OF REPONSE TO REQUESTS FOR HELP WHY?

2014-12-21 Thread tom arnall
Nate,

Thanks for your response. I ended up dealing with the problem by
switching to wicd, but the incident has helped me learn some things
about keyrings. I think my real problem was the one where you flounder
around to the point of desperation looking for a quick fix, instead of
taking the trouble to first get an understanding of the context, in
this case the basic functions of keyrings, before attempting to fix a
specific problem.

Regards,

Tom Arnall
Ensenada, BC

--
Honor Julian Assange. Honor Bradley Manning. Honor Edward Snowden.
Honor all those who have risked all to tell us what we must know to
remain free.



On 12/21/14, Nate Bargmann nnbb.us wrote:
 * On 2014 21 Dec 01:40 -0600, tom arnall wrote:
 I installed wheezy a week ago (with the installer which includes
 xfce), and nm-applet was working fine. But today it won't start and
 gives the message:

 WARNING: gnome-keyring:: couldn't connect to:
 /home/tom/.cache/keyring-4LJPFc/pkcs11: No such file or directory

 I am running Sid (Unstable) on my laptop and I have several such
 ~/.cache/keyring-* directories. One of them shows:

 $ ls -l ~/.cache/keyring-6imVnR/
 total 0
 srwxr-xr-x 1 nate nate 0 Jul 7 2012 control=
 srwxr-xr-x 1 nate nate 0 Jul 7 2012 gpg=
 srwxr-xr-x 1 nate nate 0 Jul 7 2012 pkcs11=
 srwxr-xr-x 1 nate nate 0 Jul 7 2012 ssh=

 Are the permissions on your files the same? Is it possible that you
 initially logged into the desktop as root and then used NM to connect to
 a network? Perhaps just removing that directory (although that specific
 directory name may be stored by nm-applet *somewhere* so just removing
 the directory might not help) might help.

 The files are actually sockets so the leading 's' is apparently
 required.

 - Nate

 --

 The optimist proclaims that we live in the best of all
 possible worlds. The pessimist fears this is true.

 Ham radio, Linux, bikes, and more: http://www.nnb.us









gnome

2014-12-20 Thread Tom Arnall
WHEN I DO:

~/$ gnome-keyring-daemon --start

I GET:

Couldn't access conrol socket:
/home/tom/.cache/keyring-qGnJVR/control: No such file or directory
 GNOME_KEYRING_CONTROL=/home/tom/.cache/keyring-laCd8D
 SSH_AUTH_SOCK=/home/tom/.cache/keyring-laCd8D/ssh
 GPG_AGENT_INFO=/home/tom/.cache/keyring-laCd8D/gpg:0:1


what is this about? i've done a lot of google searching on it but have
found nothing that helps.





LACK OF REPONSE TO REQUESTS FOR HELP WHY?

2014-12-20 Thread tom arnall
about a week ago i posted a question to which no one has responded. i
think it's a reasonable question for this list. clearly folks on this
list don't think it's worthwhile to respond to it. can anyone here at
least tell me why?  below is the email i sent to this list:

i have by the way spent about ten hours googling for an answer. the
community seems very confused on the issue.


==
I installed wheezy a week ago (with the installer which includes
xfce), and nm-applet was working fine. But today it won't start and
gives the message:

WARNING: gnome-keyring:: couldn't connect to:
/home/tom/.cache/keyring-4LJPFc/pkcs11: No such file or directory
** Message: applet now removed from the notification area

(nm-applet:3589): Gdk-WARNING **: nm-applet: Fatal IO error 11
(Resource temporarily unavailable) on X server :0.


Is there a command line procedure to deal with this?

Thanks in advance for your help,

Tom Arnall


--
I don't make jokes. I just watch the government and report the
facts. Will Rogers





Can't start nm-applet -- keyring error

2014-12-16 Thread tom arnall
I installed wheezy a week ago (with the installer which includes
xfce), and nm-applet was working fine. But today it won't start and
gives the message:

WARNING: gnome-keyring:: couldn't connect to:
/home/tom/.cache/keyring-4LJPFc/pkcs11: No such file or directory
** Message: applet now removed from the notification area

(nm-applet:3589): Gdk-WARNING **: nm-applet: Fatal IO error 11
(Resource temporarily unavailable) on X server :0.


Is there a command line procedure to deal with this?

Thanks in advance for your help,





gnome-keyring-daemon problem

2014-12-16 Thread tom arnall
WHEN I DO:

~/$ gnome-keyring-daemon --start

I GET:

Couldn't access conrol socket:
/home/tom/.cache/keyring-qGnJVR/control: No such file or directory
 GNOME_KEYRING_CONTROL=/home/tom/.cache/keyring-laCd8D
 SSH_AUTH_SOCK=/home/tom/.cache/keyring-laCd8D/ssh
 GPG_AGENT_INFO=/home/tom/.cache/keyring-laCd8D/gpg:0:1


what is this about? i've done a lot of google searching on it but have
found nothing that helps.





Can't start nm-applet keyring error

2014-12-14 Thread tom arnall
I installed wheezy a week ago (with the installer which includes
xfce), and nm-applet was working fine. But today it won't start and
gives the message:

WARNING: gnome-keyring:: couldn't connect to:
/home/tom/.cache/keyring-4LJPFc/pkcs11: No such file or directory
** Message: applet now removed from the notification area

(nm-applet:3589): Gdk-WARNING **: nm-applet: Fatal IO error 11
(Resource temporarily unavailable) on X server :0.


Is there a command line procedure to deal with this?

Thanks in advance for your help,

Tom Arnall


--
I don't make jokes. I just watch the government and report the
facts. Will Rogers





Re: [newbie] OpenVPN: {DNS, ping, ssh} work, HTTP fails

2014-11-16 Thread Tom Roche

For the benefit of OP with similar {concerns, interests, problems}, I have 
documented my process @

https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home

Part is scripted, and part is not, but even the part that is *not* scripted 
provides cut'n'pasteable console input. The good news is, at this point

https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/OpenVPN_install#rst-header-client-test

the server's IP# is visible from the outside world, e.g., @ 
http://www.whatismyip.com/ . The bad news is, this is only part of what I need, 
which is to run another SSL VPN through the tunnel, which is failing--more on 
that separately (though that may be getting OT for this list).

HTH, Tom Roche tom_ro...@pobox.com





Re: [newbie] OpenVPN: {DNS, ping, ssh} work, HTTP fails

2014-11-09 Thread Tom Roche

summary: I have a routing problem on the server side of the VPN, as diagnosed 
by Mart van de Wege[1]: veel dank Mart! I hope to fix that problem using these 
linode instructions[2].

details:

Tom Roche Sat, 08 Nov 2014 23:47:29 -0500 [3]
 My jumpbox/server firewall is currently set to forward everything, using 
 `iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE`:

Pascal Hambourg Sun, 09 Nov 2014 13:13:16 +0100 [4]
 This rule doesn't forward anything, it just enables masquerading.
 IPv4 forwarding is enabled with sysctl net.ipv4.ip_forward=1.

Correct: I also have 

me@jumpbox:~$ fgrep -e 'forward' /etc/sysctl.conf
 # Uncomment the next line to enable packet forwarding for IPv4
 net.ipv4.ip_forward=1
 # Uncomment the next line to enable packet forwarding for IPv6
 #net.ipv6.conf.all.forwarding=1

on the server. Indeed I am a network newbie as previously advertised :-( In any 
case, current firewall behavior is as noted:

 me@jumpbox:~$ date ; sudo iptables -L
 Sat Nov  8 16:42:06 EST 2014
 Chain INPUT (policy ACCEPT)
 target prot opt source destination 
 fail2ban-ssh  tcp  --  anywhereanywhere multiport dports ssh

 Chain FORWARD (policy ACCEPT)
 target prot opt source destination 

 Chain OUTPUT (policy ACCEPT)
 target prot opt source destination 

 Chain fail2ban-ssh (1 references)
 target prot opt source destination 
 RETURN all  --  anywhere   anywhere

Mart van de Wege Sun, 09 Nov 2014 12:02:46 +0100 [1]
 What I suspect is a routing problem on the other side of the VPN.

 Can you ping IP addresses beyond your VPN?

 What does the output of traceroute show?

Good questions! I will add these to the Debian wiki[5] because your suspicions 
are correct. Before starting OpenVPN on either the laptop/client or the 
jumpbox/server:

me@laptop:~$ date ; pgrep -l openvpn | wc -l
 Sun Nov  9 09:24:43 EST 2014
 0

me@laptop:~$ date ; ping -c 4 www.whatismyip.com
 Sun Nov  9 09:24:48 EST 2014
 PING www.whatismyip.com (141.101.120.15) 56(84) bytes of data.
 64 bytes from 141.101.120.15: icmp_seq=1 ttl=57 time=94.7 ms
 64 bytes from 141.101.120.15: icmp_seq=2 ttl=57 time=157 ms
 64 bytes from 141.101.120.15: icmp_seq=3 ttl=57 time=88.3 ms
 64 bytes from 141.101.120.15: icmp_seq=4 ttl=57 time=88.8 ms

 --- www.whatismyip.com ping statistics ---
 4 packets transmitted, 4 received, 0% packet loss, time 15621ms
 rtt min/avg/max/mdev = 88.370/107.325/157.369/29.002 ms

me@laptop:~$ date ; traceroute www.whatismyip.com
 Sun Nov  9 09:25:17 EST 2014
 traceroute to www.whatismyip.com (141.101.120.15), 30 hops max, 60 byte 
 packets
  1  192.168.15.1 (192.168.15.1)  0.850 ms  0.838 ms  1.378 ms
  2  71-23-64-2.clt.clearwire-wmx.net (71.23.64.2)  75.041 ms  75.040 ms  
 75.030 ms
  3  71.22.7.161 (71.22.7.161)  75.293 ms  75.287 ms  75.661 ms
  4  66-192-62-1.static.twtelecom.net (66.192.62.1)  75.260 ms  75.619 ms  
 75.600 ms
  5  ash1-pr1-xe-2-3-0-0.us.twtelecom.net (66.192.244.214)  84.267 ms  84.467 
 ms  84.456 ms
  6  xe-0.equinix.asbnva01.us.bb.gin.ntt.net (206.126.236.12)  84.429 ms  
 86.913 ms  86.863 ms
  7  ae10.ar2.iad1.us.as4436.gtt.net (69.31.31.168)  96.019 ms  96.242 ms  
 95.980 ms
  8  as13335.xe-7-0-3.ar1.iad1.us.as4436.gtt.net (69.31.31.90)  95.604 ms  
 95.585 ms as13335.xe-9-0-2.ar1.iad1.us.as4436.gtt.net (69.31.30.14)  96.170 ms
  9  * as13335.xe-7-0-3.ar1.iad1.us.as4436.gtt.net (69.31.31.90)  95.515 ms  
 95.520 ms
 10  141.101.120.15 (141.101.120.15)  96.397 ms  96.392 ms  95.841 ms

After starting OpenVPN on first the jumpbox/server then the laptop/client, 
off-VPN routing is indeed hosed:

me@laptop:~$ date ; pgrep -l openvpn | wc -l
 Sun Nov  9 09:31:27 EST 2014
 1

me@laptop:~$ date ; ping -c 4 www.whatismyip.com
 Sun Nov  9 09:31:33 EST 2014
 PING www.whatismyip.com (141.101.120.14) 56(84) bytes of data.

 --- www.whatismyip.com ping statistics ---
 4 packets transmitted, 0 received, 100% packet loss, time 3023ms

me@laptop:~$ date ; traceroute www.whatismyip.com
 Sun Nov  9 09:33:06 EST 2014
 traceroute to www.whatismyip.com (141.101.120.15), 30 hops max, 60 byte 
 packets
  1  10.8.0.1 (10.8.0.1)  99.579 ms  99.584 ms  104.230 ms
  2  * * *
...
 30  * * *

Note also that the jumpbox/server is a linode running a stock Debian (`cat 
/etc/debian_version`=='7.7'), which are apparently able to support OpenVPN, per 
these linode.com-hosted instructions[6]. They are vague in places, which made 
me switch to the Debian wiki[5], but now I suspect that I need to switch back 
to its section='Tunneling All Connections through the VPN'[2]. So I'll give 
that a try. (Eventually I prefer only to tunnel ssh and the SSL VPN through the 
OpenVPN to the cluster, so I'll probably be back later :-)

Your assistance is appreciated! Tom Roche tom_ro...@pobox.com

[1] https://lists.debian.org/debian-user/2014/11/msg00463.html
[2] 
https
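The three server-side conditions this exchange turns on, as an added example that is not part of the thread: runtime `net.ipv4.ip_forward`, the nat-table MASQUERADE rule (which `iptables -L` never lists, because it shows only the filter table), and the FORWARD chain. `audit_gateway`, `audit_live` and the sample rule sets are hypothetical names and constructed data; `tun0` as the server-side device is an assumption.

```bash
#!/bin/sh
# Added example: audit an OpenVPN gateway that pushes "redirect-gateway def1".
VPN_NET="10.8.0.0/24"   # from the page: "server 10.8.0.0 255.255.255.0"
WAN_IF="eth0"           # from the page's MASQUERADE rule

# audit_gateway IP_FORWARD NAT_RULES FORWARD_RULES   (hypothetical helper)
#   IP_FORWARD     contents of /proc/sys/net/ipv4/ip_forward
#   NAT_RULES      output of: iptables -t nat -S POSTROUTING
#   FORWARD_RULES  output of: iptables -S FORWARD
# Prints one "OK ..." or "FAIL ..." line per check. The body is a subshell,
# so its variables stay local.
audit_gateway() (
    ip_forward=$1; nat_rules=$2; fwd_rules=$3

    # 1. The running kernel must route. /etc/sysctl.conf is only applied at
    #    boot or by "sysctl -p", so grepping the file proves nothing.
    if [ "$ip_forward" = "1" ]; then
        echo "OK ip_forward"
    else
        echo "FAIL ip_forward"
    fi

    # 2. Source NAT for the VPN subnet on the WAN interface (nat table).
    if printf '%s\n' "$nat_rules" | grep -F -- "-s $VPN_NET" \
        | grep -F -- "-o $WAN_IF" | grep -Eq -- '-j (MASQUERADE|SNAT)'; then
        echo "OK nat"
    else
        echo "FAIL nat"
    fi

    # 3. filter/FORWARD. Policy ACCEPT passes everything (explicit DROP rules
    #    are not analysed here). Under any other policy, require an ACCEPT for
    #    the VPN subnet plus an ACCEPT for ESTABLISHED return traffic.
    if printf '%s\n' "$fwd_rules" | grep -qx -- '-P FORWARD ACCEPT'; then
        echo "OK forward-open"
    elif printf '%s\n' "$fwd_rules" | grep -F -- "-s $VPN_NET" \
            | grep -q -- '-j ACCEPT' \
        && printf '%s\n' "$fwd_rules" | grep -F -- 'ESTABLISHED' \
            | grep -q -- '-j ACCEPT'; then
        echo "OK forward-restricted"
    else
        echo "FAIL forward"
    fi
)

# Constructed sample inputs (not captured from the poster's server).
SAMPLE_NAT='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE'
SAMPLE_FWD_OPEN='-P FORWARD ACCEPT'
SAMPLE_FWD_TIGHT='-P FORWARD DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -i tun0 -o eth0 -j ACCEPT'

# Same checks against the running host (iptables needs root).
audit_live() {
    audit_gateway "$(cat /proc/sys/net/ipv4/ip_forward)" \
        "$(iptables -t nat -S POSTROUTING)" "$(iptables -S FORWARD)"
}

if [ "${1:-}" = "live" ]; then audit_live; fi
```

Saved to a file and run as root with the argument `live`, it audits the running jumpbox instead of the samples.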

[newbie] OpenVPN: {DNS, ping, ssh} work, HTTP fails

2014-11-08 Thread Tom Roche
Sat Nov  8 17:48:25 2014 ifconfig_pool_read(), in='TomRoche,10.8.0.4', 
TODO: IPv6
Sat Nov  8 17:48:25 2014 succeeded - ifconfig_pool_set()
Sat Nov  8 17:48:25 2014 IFCONFIG POOL LIST
Sat Nov  8 17:48:25 2014 TomRoche,10.8.0.4
Sat Nov  8 17:48:25 2014 Initialization Sequence Completed

me@laptop:~$ sudo openvpn --script-security 2 --config 
/etc/openvpn/client1.conf 
Sat Nov  8 17:49:12 2014 NOTE: the current --script-security setting may 
allow this configuration to call user-defined scripts
Sat Nov  8 17:49:12 2014 Socket Buffers: R=[212992-131072] 
S=[212992-131072]
Sat Nov  8 17:49:12 2014 NOTE: UID/GID downgrade will be delayed because of 
--client, --pull, or --up-delay
Sat Nov  8 17:49:12 2014 UDPv4 link local: [undef]
Sat Nov  8 17:49:12 2014 UDPv4 link remote: [AF_INET]jump.box.IP.num:1194
Sat Nov  8 17:49:12 2014 TLS: Initial packet from 
[AF_INET]jump.box.IP.num:1194, sid=25df7af6 0ece4089
Sat Nov  8 17:49:13 2014 VERIFY OK: depth=1, my config data/
Sat Nov  8 17:49:13 2014 VERIFY OK: nsCertType=SERVER
Sat Nov  8 17:49:13 2014 VERIFY OK: depth=0, my config data/
Sat Nov  8 17:49:14 2014 Data Channel Encrypt: Cipher 'BF-CBC' initialized 
with 128 bit key
Sat Nov  8 17:49:14 2014 Data Channel Encrypt: Using 160 bit message hash 
'SHA1' for HMAC authentication
Sat Nov  8 17:49:14 2014 Data Channel Decrypt: Cipher 'BF-CBC' initialized 
with 128 bit key
Sat Nov  8 17:49:14 2014 Data Channel Decrypt: Using 160 bit message hash 
'SHA1' for HMAC authentication
Sat Nov  8 17:49:14 2014 Control Channel: TLSv1, cipher TLSv1/SSLv3 
DHE-RSA-AES256-SHA, 1024 bit RSA
Sat Nov  8 17:49:14 2014 [TomRoche] Peer Connection Initiated with 
[AF_INET]jump.box.IP.num:1194
Sat Nov  8 17:49:16 2014 SENT CONTROL [TomRoche]: 'PUSH_REQUEST' (status=1)
Sat Nov  8 17:49:16 2014 PUSH: Received control message: 
'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,route 
10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Sat Nov  8 17:49:16 2014 OPTIONS IMPORT: timers and/or timeouts modified
Sat Nov  8 17:49:16 2014 OPTIONS IMPORT: --ifconfig/up options modified
Sat Nov  8 17:49:16 2014 OPTIONS IMPORT: route options modified
Sat Nov  8 17:49:16 2014 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option 
options modified
Sat Nov  8 17:49:16 2014 ROUTE_GATEWAY lap.top.gate.way/255.255.255.0 
IFACE=eth0 HWADDR=la:pt:op:MAC:ad:dr
Sat Nov  8 17:49:16 2014 TUN/TAP device tun0 opened
Sat Nov  8 17:49:16 2014 TUN/TAP TX queue length set to 100
Sat Nov  8 17:49:16 2014 do_ifconfig, tt-ipv6=0, 
tt-did_ifconfig_ipv6_setup=0
Sat Nov  8 17:49:16 2014 /sbin/ip link set dev tun0 up mtu 1500
Sat Nov  8 17:49:16 2014 /sbin/ip addr add dev tun0 local 10.8.0.6 peer 
10.8.0.5
Sat Nov  8 17:49:16 2014 /etc/openvpn/update-resolv-conf tun0 1500 1542 
10.8.0.6 10.8.0.5 init
dhcp-option DNS 8.8.8.8
Sat Nov  8 17:49:16 2014 /sbin/ip route add lap.top.IP.num/32 via 
lap.top.gate.way
Sat Nov  8 17:49:16 2014 /sbin/ip route add 0.0.0.0/1 via 10.8.0.5
Sat Nov  8 17:49:16 2014 /sbin/ip route add 128.0.0.0/1 via 10.8.0.5
Sat Nov  8 17:49:16 2014 /sbin/ip route add 10.8.0.1/32 via 10.8.0.5
Sat Nov  8 17:49:16 2014 GID set to nogroup
Sat Nov  8 17:49:16 2014 UID set to nobody
Sat Nov  8 17:49:16 2014 Initialization Sequence Completed

I then see the following on my client:

* `ifconfig` shows a new entry=`tun0`, which looks correct
* I can `ping` the server using either its real IP# or `10.8.0.1`
* I can `ssh` to the server using either its real IP# or `10.8.0.1`
* `nslookup www.whatismyip.com` gives correct results

... but I get no connection if I open a new instance of Firefox and browse to 
http://www.whatismyip.com/ :-( Looking up www.whatismyip.com... succeeds 
quickly but the status line continues to display Connecting to 
www.whatismyip.com... until the attempt times out. I also get the same 
behavior (connection timeout) if I open a new instance of Chrome, or if I 
browse to http://www.whatismyip.com/ with a Firefox opened prior to starting 
OpenVPN. FWIW I get the same behavior browsing to any URI, including (e.g.) 
Google.

This is a major problem for me! For the SSL VPN to work, I need to start a 
Firefox and run it (since the SSL VPN's vendor only supports it on Linux via a 
Firefox plugin) to access a particular remote-access website. Furthermore I 
need the SSL VPN to run through the jumpbox/OpenVPN. (Don't ask, it's a long, 
sad story ...)

How can I fix this? Alternatively, what should I do to further debug the 
problem? 

your assistance is appreciated, Tom Roche tom_ro...@pobox.com


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/87bnoht9dk@pobox.com



Re: [newbie] OpenVPN: {DNS, ping, ssh} work, HTTP fails

2014-11-08 Thread Tom Roche

for completeness, added server firewall settings below:

Tom Roche Sat, 08 Nov 2014 21:07:03 -0500 
https://lists.debian.org/debian-user/2014/11/msg00440.html
 summary: I'm running [OpenVPN] from an LMDE [client through a Debian 
 jumpbox/server]. After I [start the server, start the client] most IP-based 
 applications seem to work from the client, but web browsing fails: e.g., 
 client's Firefox cannot connect to http://www.whatismyip.com/ . How to fix or 
 debug?

 details:

 (Apologies in advance if you feel this is a question better asked elsewhere. 
 If so, please let me know where to ask. The OpenVPN forums are quite slow to 
 respond in my experience, hence I'm asking here first.)

 I have a laptop running up-to-date LMDE (`cat 
 /etc/debian_version`=='jessie/sid'), including Firefox version=33.0. From 
 that laptop I need to access a compute cluster. The cluster formerly required 
 only an SSL VPN (enabled by a Firefox plugin) to access, but now has several 
 additional requirements, which I seek to satisfy by running the SSL VPN 
 through a jumpbox running an OpenVPN server. The jumpbox is a linode running 
 a vanilla Debian (`cat /etc/debian_version`=='7.7').

 Note that I have been using the laptop successfully for a few years with LMDE 
 and without network problems. Currently I have the client/laptop connected by 
 wire directly to an ISP-supplied modem/router. With `openvpn` NOT running on 
 my client/laptop, I see the following:

 * `ifconfig` shows no entry='tun0' (just the usual entries for 'eth0', 
 'lo', 'wlan0'), and shows the expected client IP# bound to 'eth0'.
 * I can `ping` my jumpbox/server using its real IP#, but cannot `ping 
 10.8.0.1`
 * I can `ssh` to my jumpbox/server using its real IP#, but cannot `ssh 
 10.8.0.1`
 * `nslookup www.whatismyip.com` gives correct results
 * browsing to http://www.whatismyip.com/ shows my client's IP# (as also shown 
 in `ifconfig`)

 Both the client and server setups are quite generic OpenVPN-wise, and are 
 almost exactly as described on the Debian wiki here

 https://wiki.debian.org/openvpn%20for%20server%20and%20client

 Note particularly that my client and server configurations are currently 
 near-exact copies of those listed at that Debian wiki page: the only changes 
 are my server IP# (obfuscated below) and the name of my client:

 me@jumpbox:~$ date ; cat /etc/openvpn/server.conf
 Sat Nov  8 16:49:00 EST 2014
 port 1194
 proto udp
 dev tun
 ca /etc/openvpn/ca.crt
 cert /etc/openvpn/server.crt
 key /etc/openvpn/server.key
 dh /etc/openvpn/dh1024.pem
 server 10.8.0.0 255.255.255.0
 ifconfig-pool-persist ipp.txt
 push redirect-gateway def1 bypass-dhcp
 push dhcp-option DNS 8.8.8.8 # google public DNS
 keepalive 10 120
 comp-lzo
 user nobody
 group nogroup
 persist-key
 persist-tun
 status openvpn-status.log
 verb 3

 me@laptop:~$ date ; cat /etc/openvpn/client1.conf
 Sat Nov  8 16:51:31 EST 2014
 client
 dev tun
 proto udp
 remote ser.ver.IP.num 1194
 resolv-retry infinite
 nobind
 user nobody
 group nogroup
 persist-key
 persist-tun
 mute-replay-warnings
 ca /etc/openvpn/ca.crt
 cert /etc/openvpn/client1.crt
 key /etc/openvpn/client1.key
 ns-cert-type server
 comp-lzo
 verb 3
 up /etc/openvpn/update-resolv-conf
 down /etc/openvpn/update-resolv-conf

My jumpbox/server firewall is currently set to forward everything, using 
`iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE`:

me@jumpbox:~$ date ; sudo iptables -L
Sat Nov  8 16:42:06 EST 2014
Chain INPUT (policy ACCEPT)
target prot opt source   destination 
fail2ban-ssh  tcp  --  anywhere anywhere multiport 
dports ssh

Chain FORWARD (policy ACCEPT)
target prot opt source   destination 

Chain OUTPUT (policy ACCEPT)
target prot opt source   destination 

Chain fail2ban-ssh (1 references)
target prot opt source   destination 
RETURN all  --  anywhere anywhere

 After I start `openvpn` on first the server and then the client, I see no 
 OpenVPN errors on either the server or the client:

 me@jumpbox:~$ sudo openvpn --script-security 2 --config 
 /etc/openvpn/server.conf 
 Sat Nov  8 17:48:25 2014 OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] 
 [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 
 (2.2RC2)] built on Jun 18 2013
 Sat Nov  8 17:48:25 2014 NOTE: the current --script-security setting may 
 allow this configuration to call user-defined scripts
 Sat Nov  8 17:48:25 2014 Diffie-Hellman initialized with 1024 bit key
 Sat Nov  8 17:48:25 2014 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 
 ET:0 EL:0 ]
 Sat Nov  8 17:48:25 2014 Socket Buffers: R=[212992-131072] 
 S

systemctl disable/mask

2014-10-08 Thread Tom H
On 28 Sep 2014 04:35:03 +0200, lee l...@yun.yagibdah.de wrote:

 Anyway, it gives me to think that such a misunderstanding has come
 up to begin with and that it hasn't been fixed long ago. Someone who
 doesn't understand what disabled means is programming an init
 system: What other misunderstandings might have gone into it? Why
 obfuscate things and mislead and confuse the users?

I was scrolling last night through the debian-user@ archives, looking
for a non-systemd thread, and clicked on this post [1] through a
fat-fingered error. (I unsubscribed a few weeks ago because a group of
anti-systemd trolls have hijacked the list and are spamming it with
BS.)

You're angered by the fact that the systemd developers have chosen
systemctl disable service to mean disable at boot and systemctl
mask service to mean disable completely.

Since you use both Debian and Fedora, have you ranted or filed a bug
about the fact that:

- apt-get update means update the local cache and yum update
means update the local cache and upgrade all the packages to their
latest versions

- apt-get update and yum makecache both mean update the local cache

- apt-get dist-upgrade means upgrade all the packages to their
latest versions and is therefore more or less equivalent to yum update
(if you pre-run yum makecache, apt-get dist-upgrade and yum -C
update are equivalent)

- apt-get upgrade doesn't have a Fedora equivalent

- apt-get dist-upgrade could be considered ambiguous, it could mean
upgrade to the latest version of the distro or upgrade to the next
version of a distro (perhaps you could suggest apt-get
release-upgrade for the latter so as to avoid this ambiguity...)

Furthermore, the MO that the systemd developers have chosen has a
precedent. In /etc/modprobe.conf and /etc/modprobe.d/:

- if you use blacklist module, the module won't be loaded but it can
be loaded manually or as a dependency

- if you use install module /bin/true that module won't be loaded at all

Have you ranted or filed a bug about this because, to paraphrase you,
the modprobe developers don't know what blacklist means?

I can understand that some people dislike systemd but complaints like
this one weaken their already-weak case and make the anti-systemd
whiners look like a bunch of clueless lunatics.

[1] https://lists.debian.org/debian-user/2014/09/msg02105.html


Archive: 
https://lists.debian.org/CAOdo=SwHv3fpfc3CtQJzGnOFZFY=XWRjGh=xmhjsj-wtjql...@mail.gmail.com



Debian no longer claims to be the Universal Operating System

2014-10-04 Thread Tom Collins
Debian no longer claims to be the Universal Operating System

On google searches debian pages still turn up like this:
Debian -- Mailing Lists - Debian -- The Universal Operating ...

When you go to the page The Universal Operating System part is gone.
A reflection of the problem with the scumbag debian developers
failing to explain how The Universal Operating System squares
with shoving syst__d, gn_me/gtk3, down our throats, and 
depreciating (as if they have the right to do that) many
programs that rely on gtk2 and non-syst__d.

Of course they ban you from posting to the mailing list on the 
first critical mention of systemd.
Worthless trash. They need to be stopped, deposed.

Give us back the debian packagers of an earlier age.


Archive: 
https://lists.debian.org/trinity-7d984845-5a62-4964-8cd2-fa6a61a725f5-1412419482769@3capp-mailcom-lxa15



(Video) Discussion on lennart poettering, syst__d, sysv

2014-10-04 Thread Tom Collins
Discussion on lennart poettering, syst__d, sysv:
youtu.be/2toVPMHRo8M


Archive: 
https://lists.debian.org/trinity-8111a0c0-3501-45ee-9023-f0b9fde3e8a1-1412419549952@3capp-mailcom-lxa15



Pieces placed in juxtaposition.

2014-10-04 Thread Tom Collins
Pieces placed in juxtaposition:

Opensource is going mainstream in 2014 -RedHat CEO

Syst__d presents a large attack surface (whereas there are few ways
to communicate with init etc), needlessly manages disc cryptography (amongst 
everything else,
normal inits never cared one way or the other),

Obama Administration Argues For Backdoors In Personal Electronics 
http://it.slashdot.org/story/14/10/01/186228/obama-administration-argues-for-backdoors-in-personal-electronics

(Think of the children, ignore privacy, and religious freedom (that ship set 
sail in Delaware 1870))
Attorney General Eric Holder called it is worrisome that tech companies are 
providing default encryption on consumer electronics, adding that locking 
authorities out of being able to access the contents of devices puts children 
at risk. “It is fully possible to permit law enforcement to do its job 
while still adequately protecting personal privacy,” Holder said at a 
conference on child sexual abuse, according to a text of his prepared remarks. 
“When a child is in danger, law enforcement needs to be able to take every 
legally available step to quickly find and protect the child and to stop those 
that abuse children. It is worrisome to see companies thwarting our ability to 
do so.”


Archive: 
https://lists.debian.org/trinity-c695869e-5932-496f-ac1d-6675ef213a5d-1412419628121@3capp-mailcom-lxa15



(Song) Fk SystemD

2014-10-04 Thread Tom Collins
youtu.be/JbRztcLaQa8

Fuck Systemd. It is passionless static, worthless.
Only here to force us in a direction.

And Linus Torvalds agrees 100% with that direction.
But he never claimed to be brilliant
nor have good taste in women
nor be incorruptible
(got to keep that RedHat stock valuable)
 
This was recorded in the morning
Fuck Systemd.
Fuck Lennart Poettering.


Archive: 
https://lists.debian.org/trinity-cc489298-336a-4100-85b8-84c43c620c90-1412441370324@3capp-mailcom-lxa16



Gnome 3.14 keyboard shortcut question

2014-09-29 Thread Tom Ashley
Greetings,

System: up to date Debian Testing, 64 bit, Gnome 3.14

I'm trying Gnome again after several years of using Fluxbox and need
some help with creating a custom keyboard shortcut.  I'm using 8
workspaces and successfully created keyboard shortcuts for workspaces
1-4 using Settings->Keyboard->Shortcuts.  Shortcuts for workspaces
5-8 require custom shortcuts.  What is the command to use in creating
these?  I've had no luck finding the answer in the Gnome Help Guides,
by using Google search, or by posting to the Gnome mailing list.  

Thanks in advance for any help.

Tom Ashley


Archive: https://lists.debian.org/20140929071129.59d3334f@tomshome.tomshome



Gnome 3.14 keyboard shortcut question (Clarification)

2014-09-29 Thread Tom Ashley
Greetings,

This is to clarify my original request for help.  The shortcuts I'm
trying to make are to switch to workspaces 5-8.  Sorry for the
confusion.

System: up to date
Debian Testing, 64 bit, Gnome 3.14

I'm trying Gnome again after several years of using Fluxbox and need
some help with creating a custom keyboard shortcut.  I'm using 8
workspaces and successfully created keyboard shortcuts for
switching to workspaces 1-4 using Settings->Keyboard->Shortcuts.
Shortcuts for switching to workspaces 5-8 require custom shortcuts.
What is the command to use in creating these?  I've had no luck finding
the answer in the Gnome Help Guides, by using Google search, or by
posting to the Gnome mailing list.  

Thanks in advance for any help.

Tom Ashley


Archive: https://lists.debian.org/20140929073839.1c02e2ec@tomshome.tomshome



Re: Gnome 3.14 keyboard shortcut question--Solved

2014-09-29 Thread Tom Ashley
Thanks much.

Tom
On Sep 29, 2014 8:46 AM, Michael Ott mich...@king-coder.de wrote:

 Hi Tom!

  System: up to date Debian Testing, 64 bit, Gnome 3.14
 
  I'm trying Gnome again after several years of using Fluxbox and need
  some help with creating a custom keyboard shortcut.  I'm using 8
  workspaces and successfully created keyboard shortcuts for workspaces
  1-4 using Settings->Keyboard->Shortcuts.  Shortcuts for workspaces
  5-8 require custom shortcuts.  What is the command to use in creating
  these?  I've had no luck finding the answer in the Gnome Help Guides,
  by using Google search, or by posting to the Gnome mailing list.
 
  Thanks in advance for any help.
 You can use the dconf-editor to change this setting.
 Path: org -> gnome -> desktop -> wm -> keybindings

 CU

   Michael Ott

 --
 ,''`.
: :' :   Michael Ott
`. `'e-mail: michael at king-coder dot de
  `-


