Re: Oh, NO! Not that same No Sound question again... (Sound now working)
Just in case anyone can use the two bits of information I turned up...

Having tried everything I could find to try to make the OSS (i810_audio) driver work, based on what little information I could find about it in the docs or online, I finally gave up and compiled and installed Alsa drivers for my 2.4.18-bf2.4 kernel. Then, by using alsamixer and unmuting the usual suspects, I was able to get sound working. None of the other mixers I had previously installed (aumix, kmix, and xamixer2 (which crashed completely)) would enable sound to work.

One point of interest was that the alsamixer GUI has a slider for headphone, which none of the other mixers have, and which was what I discovered by trial and error to be what controlled the sound output jack on my MB. I'm wondering if the i810_audio OSS driver was really at fault or if the mixers I was using with it were just incapable of controlling the output to the jack on my motherboard (and more significantly, how one could make such a determination). But, I gather there's no way to diagnose such things, so I guess I'll just Move On.

I am disappointed, saddened, troubled, disheartened, and discouraged (did I miss any?) that it was only possible to get this working by trial and error. Auto mechanics discriminate between real mechanics who troubleshoot problems and fix them, and parts replacers who just keep on replacing things (and charging the customer for it) until something works. The latter are generally considered by their cow orkers to be subhumans at best. If there's no way to actually troubleshoot these problems, and we have to resort to swapping modules in and out until something works, we're no better than the parts replacers.

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Oh, NO! Not that same No Sound question again...
    i810_audio             21248   0
    ac97_codec              9568   0 [i810_audio]
    soundcore               3236   2 [i810_audio]

What kernel version is this?

2.4.18-bf2.4 (sorry, should have included that originally)

How recent is the alsaconf package? If you try unloading all OSS modules (including all three above) and then run alsaconf does it work then? Try commenting the above modules out from being loaded, then reboot to be totally clean, and *then* (without these modules having been loaded at all) run alsaconf.

I haven't tried switching to ALSA yet. I really would like to (a) be sure that the i810_audio driver really is inoperable with the setup I have, (b) have some reason to believe that the ALSA drivers will work, before switching drivers. It seems to me that there should be some way to *troubleshoot* this problem, rather than just trying one thing after another until I either find something that works or just give up - I mean, isn't that the advantage to having open source? Is the i810_audio driver known to be inoperative with my combination of processor/chipset/etc., or is the ALSA setup known to work?

This is what did it for me. I have a different card but you can see what I did at http://dione.no-ip.org/~alexis/computing/ahdg/ahdg/node58.html (Look this week 'cos the document will be upgraded this weekend and node numbering is bound to change.)

Thanks... I saved a copy of it. (I'm amassing quite a collection of sound setup sections from Linux port Web pages).

These responses don't seem to be threading on the list, so I'm copying people at their private email addresses; my apologies for the redundancy.
Re: Oh, NO! Not that same No Sound question again...
lsmod? Does your driver show up?

Yes... following is snipped from lsmod output:

    i810_audio             21248   0
    ac97_codec              9568   0 [i810_audio]
    soundcore               3236   2 [i810_audio]

In syslog, does it get activated? Like:

    debian kernel: ad1848/cs4248 codec driver Copyright (C) by Hannu Savolainen 1993-1996

*NO*, I do not see anything like that in syslog... The only kernel messages there are:

    Nov 8 18:10:03 dork kernel: CSLIP: code copyright 1989 Regents of the University of California
    Nov 8 18:10:03 dork kernel: PPP generic driver version 2.4.1
    Nov 8 18:10:04 dork kernel: PPP BSD Compression module registered
    Nov 8 18:10:04 dork kernel: PPP Deflate Compression module registered
    Nov 8 18:10:05 dork kernel: ip_tables: (C) 2000-2002 Netfilter core team
    Nov 8 18:10:12 dork kernel: ip_conntrack (4095 buckets, 32760 max)

But there are several modules listed in /etc/modules, all of them except the i810_audio driver having been put there by the Debian install,

    usb-uhci
    input
    usbkbd
    keybdev
    lp
    i810_audio

and none of the others show up as kernel messages either. Is that an issue? Should I be getting a kernel message for drivers not built into the kernel (loaded via /etc/modules)?

Also, if the answer to the above is affirmative, there is no sound as root?

There's no sound as root either (already ran into the file permission problem...)

Thanks for your response -- any ideas?
Re: Lilo boot from second drive?
If you're trying to do what I think you're trying to do (make the second (Linux) hard drive your default boot drive while allowing the choice of booting on the first (Gatesjunk) drive), I just (finally after a knock-down drag-out) solved that problem... (it's actually documented more or less).

You have to fix the BIOS so it boots off the second drive (but it sounds like you already did that). Then you have to set up lilo.conf... there are a couple of tricks:

First, you need to inform LILO that the first HD BIOS vector actually points at the second HD:

    # Overrides the default mapping between harddisk names and the BIOS'
    # harddisk order. Use with caution.
    #disk=/dev/sda
    #bios=0x80
    disk=/dev/hdc
        bios=0x80

(I'm assuming you've got the rest of lilo.conf right)

Then, you have to *reverse* the BIOS vector mapping for the case where you're using LILO on the *second* drive to boot the OS on the *first* drive.

    # If you have another OS on this machine to boot, you can uncomment the
    # following lines, changing the device name on the `other' line to
    # where your other OS' partition is.
    other=/dev/hda
        label=Gatesjunk
        map-drive=0x80
            to=0x81
        map-drive=0x81
            to=0x80

If you don't understand this stuff, you'd better read up on it to make sure you get the settings right for YOUR system; don't trust my entries verbatim.

That Screen Full of 01's dump that you're getting is well known. Try plugging LILO 01010101010101 into a search engine.
Oh, NO! Not that same No Sound question again...
Yeah, that same No Sound question again. But I can't find an answer that's gotten my sound working anywhere, so I'll give this list a try.

I have an Intel 82820 (Camino 2) chipset and a stable Woody. I've installed the i810_audio driver (via /etc/modules). lspci output looks OK. Both /dev/audio and /dev/dsp are there. I don't see any sound-related (at least to my ability to determine) error messages in the log files. Sound works OK in Windoze.

I don't get any sound when I cat a .wav or .au file to either /dev/audio or /dev/dsp. I've tried both kmix and aumix, to make sure sound isn't muted, and neither makes any difference.

I have not Tried the ALSA drivers. I don't like Trying things to see if they work - I like DEBUGGING things. (I'm a little testy about that because of all the random flailing I've been reading about on the net, by people trying anything and everything to get their sound working.)

Questions:

(1) Does anyone know how to get this particular configuration to work? I.e., if there is anyone who has had success with this exact configuration, please tell me what I'm missing here. More specifically,

(2) Is it possible that doing a cat of a sound file directly to /dev/audio or /dev/dsp simply won't work, and that I need Yet Another Driver (/dev/mixer or /dev/sound, FI (neither of which I have)) to make sound work with this setup? Should the mixer utilities even have any effect when I try to cat a file directly to the driver?

(2) Is there a patch or updated i810_audio driver for this chipset (and if so, where should I have searched for it, since I've already searched and haven't found anything)? (As a related issue, I'm not sure how to determine the exact version of the driver I'm running - I haven't seen it in lsmod or in the system log files, etc., but maybe I've missed it).

(3) Is there any *specific*, KNOWN reason to think that it is *impossible* to get this combination working with the i810_audio driver?

(4) Correspondingly, is it *known* to work with the ALSA drivers?

(5) Is there any solid reason to try compiling and installing the i810_audio driver from source (I've been loading the i810_audio.o out of the /lib tree; I'm assuming, however accurately, that it corresponds to the source from which the kernel was built, since I loaded it all off the Debian CD-ROMs)?

(6) I notice that OSS also *sells* drivers... is there any reason to expect that whatever I might buy from them, can be expected to work (or that it will be any simpler to deal with than the ALSA installation, which looks like a convoluted mess)?

I've been at this for weeks, off and on, and have fixed any number of problems along the way, but I still don't have sound, and I'm running out of ideas (and websites to troll for information). I'm not trying to bring up God's own sound mixing and recording system; I just want things like Netscape plugins or whatever that happens to want to output sound, to be able to output sound.

I'm somewhat mystified by all the suggestions to try this and try that and see if it works, that I find on the net - I thought the advantage of having an open-source environment was that it was possible to *identify* what was going on, and that speculatively flailing around in every direction was the provenance of the Gatesware droids. Am I missing something here? Do I need to become a specialist in sound system architectures and rewrite a driver in order to get sound working? (I'm well on the way to becoming a network engineer just to get my LAN up, so why not, I guess...)

Re: OSS - I'm curious about the relationship between the apparently-OSS-based driver I'm trying to use, and the commercial OSS drivers that are available... did somebody decide to try to make money off doing it right for a change, or something?

Thanks in advance. I sincerely hope somebody has a very simple fix and I end up feeling like a complete idiot for posting this; it would be more than worth the humiliation, after all of the fruitless effort I've expended.
Xserver authorization/security
I'm trying to get my single-user system set up so that programs running as root are able to open windows, etc. (ref. the infernal message Not allowed to connect to server, etc. etc.)

Thus far, I've been able to get this to work by five methods:

(1) login and start xdm as root,
(2) use su -m from a normal account and run the root-owned program from the resulting shell,
(3) use xauth to export a Magic Cookie from the account that started the server, log in as root and use xauth to absorb the Magic Cookie (some people seem to think that this convoluted mess is somehow something that an ordinary user should be happy to put up with),
(4) use xhost +local from the account which started xdm prior to running a program owned by root,
(5) turn off security in the server by setting the correct resource switch (forget the name right offhand) to false in the xdm configuration file.

The first four methods require manual intervention, and the last is probably a security risk.

I have as yet been unable to get any script that I have installed anywhere in any startup file for the system (init.d, et al.) or the X server (Xaccess, et al.) to successfully allow server access to root. I run into $DISPLAY not having been set yet because the server hasn't started yet, or xhost not being able to accept a -display argument, or the server not having been started, or things just not having any effect for reasons unknown (the /etc/X0.hosts file is an example of the latter; even *when* putting an argument like local in there *does* cause xhost to report LOCAL: in its query output, it *still* doesn't allow root access to the display). Etc., etc., etc.

Does turning off authorization checking in the server config file allow access to the server from outside the local host?

Is there any way, in the server config file (since that seems to be the only place where anything I've done has any effect at all), that I can selectively authorize server access?

Why doesn't the X0.hosts file have any effect? The documentation (which is distributed randomly around 8 different manuals etc. as usual, but, whatever) implies that that file will only have an effect if all other security methods (Magic Cookies, etc. etc.) are disabled - is that true, and if so, how can I turn all of those off?

Does anyone have any *other* ideas w/r/t how to install a system-level shell script somewhere, that will run an xhost +local command that will establish root access to the server?

W/r/t this last question, when I say system-level, I mean as opposed to user-level i.e. run from an initialization file in the home directory of whatever user started the server (and incidentally, does Linux support use of a .login file? I don't see any reference to it anywhere).
Re: Xserver authorization/security
Thanks - and, you're right, and I had forgotten that; .login is a shell feature. (I probably didn't look in the csh or tcsh manuals...)

The Xauthority tactic, if I understand correctly, is similar to using xauth; you have to run something from your login shell one way or another. What I'm trying to figure out, is how to get a system-level solution to the problem, so that it wouldn't be necessary, in the case of a system with several users any of whom might be the one to spawn the X server when they log in, for each user to have to have something in their login shell.

On Tue, 7 Sep 2004 16:54:04 -0700, Stefan O'Rear [EMAIL PROTECTED] said:

On Tue, Sep 07, 2004 at 02:47:58PM -0700, [EMAIL PROTECTED] wrote:

I'm trying to get my single-user system set up so that programs running as root to be able to open windows, etc. (ref. the infernal message Not allowed to connect to server, etc. etc.)

    /usr/src/linuxen/kernel-source-2.2.20 %% sudo /bin/sh
    sh-2.05a# HOME=/root
    sh-2.05a# export HOME
    sh-2.05a# xclock
    Xlib: connection to :0.0 refused by server
    Xlib: Client is not authorized to connect to Server
    Error: Can't open display: :0.0
    sh-2.05a# export XAUTHORITY=/home/stefan/.Xauthority
    sh-2.05a# xclock
    sh-2.05a# exit
    /usr/src/linuxen/kernel-source-2.2.20 %%

snipped

W/r/t this last question, when I say system-level, I mean as opposed to user-level i.e. run from an initialization file in the home directory of whatever user started the server (and incidentally, does Linux support use of a .login file? I don't see any reference to it anywhere).

Try putting:

    export XAUTHORITY=$HOME/.Xauthority

at the end of your ~/.bashrc .

Linux does not support .login. tcsh does. bash doesn't. If you want to use tcsh, use chsh to set your preferences.
Re: Configuring X
Maybe somebody already suggested this, but, you can make xdm write a default config file if you feed it the right option - xdm --help will list the options, I think (and it may not be in the docs...)

I had to do that to get the display to work at all; the default config file that the Debian install generated had display modes that caused my monitor to go berserk. I then compared the config file written by xdm with the one that the install generated and did a manual sort/merge to get things working... I had to do all that from a command prompt login since I didn't have KDE up.

On Fri, 03 Sep 2004 10:07:11 -0700, Paul Johnson [EMAIL PROTECTED] said:

Paul Akkermans [EMAIL PROTECTED] writes:

I have just a simple question (I hope). I am trying to configure my Xfree86 (version 4.1.0.1) but I don't know how to do this. Can anybody help me?

The easiest, fastest way to do this right now...

1. Go get yourself a Knoppix CD.
2. Boot to Knoppix. Go to /etc/X11/XF86Config-4 and copy it to your hard drive's /etc/X11/XF86Config-4
3. Shut down Knoppix, eject the CD, reboot.
4. Start X. It should work.

There's an established Debian way, but it's considerably more involved. If you use an nVidia card, it's far more involved (thanks to nVidia's asinine licensing policies for its barely-workable drivers...they should either free the drivers and keep their customers or eliminate them entirely and lose the customer base instead of this bullshit license limbo self-installer crap).
Re: All these open ports
So what exactly are you worried about? A program uploading sensitive data to a random server? Well the easiest way for a program to do that is to invoke sendmail to e-mail the information to the server. In which case the program never attempts to open a port, your m-t-a does. Your m-t-a opening a port is the most normal thing in the world. Or if for some reason you don't have your m-t-a properly configured, it could invoke ssh or lynx or ...

You're right; there are as many opportunities for paranoia WRT what on my system could phone home in which manner. I think for Linux to be secured against that sort of thing, there would have to be a kernel hook that logged PIDs of processes that got spawned, and then watched to see if that PID attempted an outgoing access of some sort. (I'm not volunteering to write *that*...). I've similarly wondered if the Gatesware equivalents (the personal firewalls) are capable of detecting outgoing accesses by things that aren't invoked by the user... probably not, and the corresponding vulnerability is probably there for Windoze systems as well, as I mentioned earlier...

The thing is, that sort of malicious code could be embedded in anything you install. The only thing protecting you is the traceability of the code and concomitant liability of the perpetrator to prosecution. Otherwise half the frustrated geeks in the world would be embedding their little projects in their employer's products.

I don't know about you, but that sort of protection doesn't make me feel secure in general - I want some sort of process monitoring that can detect outgoing communication attempts. The fact that it hasn't happened yet, doesn't reduce my paranoia one bit. Moreover, the attitude of Linux people that they're somehow immune because of the limited distribution of Linux compared to the Gatesware installed base, is just whistling in the dark, cum laude. From the responses I get in general, the general attitude seems to be to shrug it off because no one can do anything about it.

Again, you're right, though, that I'm too narrowly focused WRT the real issue. Maybe this discussion really belongs on a linux security list...

Thanks for your input -
Re: All these open ports
On Mon, 23 Aug 2004 13:05:00 +0800, Katipo [EMAIL PROTECTED] said:

In any case, I've as yet been unable to find any way of getting detection and authorization of outgoing requests with any of the Linux firewalls, or with IPtables - although I can hardly say that I've thoroughly done my homework

Even firestarter provides some degree of configurability in this respect.

It will block ports on an individual basis, if you can identify them as needing to be blocked - but AFAIK the iptables script it sets up, defaults to forwarding all requests from internal processes. (If I'm wrong about that, or if there is some way to get it even to flag outgoing access attempts by newly spawned processes, I'd like to know about it...)

Asking in the right place helps. A number of people here would have the answers you're looking for, but Debian has a firewall list.

Yes - I asked about that earlier. I posted to the firewall list earlier, in fact, and got no response at all. Additionally, there is a lot of traffic on here other than my own, WRT firewall and iptables subjects. I'll cross-post this to the firewall list, but I'm really getting the impression it doesn't get used much... maybe I'm wrong, but I'm signed up on it and don't see as much traffic on there as I do about firewall on the users list.

It might be an idea to check out apps like tinyhoneypot amongst others, also.

Thanks... I'll do that - it sounds like there's at least one area I haven't explored yet...

(Okay, now, everybody yell in unison: WELL GO RUN WINDOWS THEN!!!)

Failing that, go run windows.

Why, thank you. I needed that. (But not to worry, I'm on my way out of Billyworld permanently, one way or the other, difficulties notwithsatanding...)
Re: anonymous proxy
On Sun, 22 Aug 2004 23:36:45 +0200, messmate [EMAIL PROTECTED] said:

Hi, is there an anonymous proxy server available by debian ? If not where else for linux ?

Oops!! Look out!!! You've asked Der Verboten Question!! You vill be SHOTT!! You are obviously a spammer and etc. etc. blah blah... (bore... yawn...

(I asked the same question on here a couple of weeks back and promptly got dumped all over by what appeared to be a contingent of arrogant no-life nerds and other monocellular life forms who it turned out didn't even undersatand what I was asking for... I think the word anonymous caused various portions of their anatomies to shrivel, or something...)

I haven't been able to find one. I haven't trolled *all* the way to the bottom of *every* *single* Google search I've done, but thus far, no equivalent to winproxy or multiproxy or etc. has turned up. It's a little surprising, actually.

(Am I desperate enough to code one up myself?) (Am I *competent* enough to code one up myself?) (Etc.??)

I'm wondering, actually, if the guy who wrote multiproxy would release the code... all he does is play chess, any more, so maybe he wouldn't care. The IP translation could probably be hacked into Linux-submission using sockets... the engine would probably map OK... but, the GUI is probably another story... =- desperation starts to set in)
Re: anonymous proxy
Can you please point me to the corresponding thread, as it simply can't be the one at http://lists.debian.org/debian-user/2004/08/msg00996.html, at least not according to your description.

Yes, that's the one. I am of course being deliberately extreme in my characterization, but the essential facts of the matter, viewed from my perspective, are:

(1) I asked a completely innocent question,
(2) I was immediately, arrogantly, and ignorantly accused of wanting to spam, based on no evidence at all,
(3) There is NO evidence that anyone ever understood what was meant by an anonymous proxy server or a utility for utilizing them,
(4) The thread ended with little or no useful information going in either direction.

Not that I really *care*, mind you, but... that's the situation - there's the dog.
Re: All these open ports
If a port is open, and associated with a program which isn't from a debian package and you don't believe you put it there yourself - its time to consider the possibility your machine has been compromised.

Okay... that gives me an opening to try this again. At the risk of provoking the usual WELL GO RUN WINDOWS THEN!!! knee-jerk reaction, I will mention that the Gatesware-based firewall packages (like Zone Alarm) will detect *outgoing* connection attempts and query whether they are legitimate.

There has been some discussion on the net w/r/t the fact that apparently the later (per)versions of Gatesware have some trojans embedded in the OS, which will connect to Billsoft to report your social security number, sexual preference, etc. etc. - the point being that (allegedly) the commercial firewall products can't detect such attempts to phone home.

In any case, I've as yet been unable to find any way of getting detection and authorization of outgoing requests with any of the Linux firewalls, or with IPtables - although I can hardly say that I've thoroughly done my homework - but I have asked here and there and thus far no one seems to know. The Paradigm seems to be that if it's something that got spawned on your machine, and is trying to connect outward, it by definition must be legitimate, so it gets granted a port, unless whatever port it is requesting is *already* explicitly blocked by iptables or whatever for some reason.

(Okay, now, everybody yell in unison: WELL GO RUN WINDOWS THEN!!!)
Re: Firewall packages (was: All these open ports)
You could get something close to Zone Alarm (minus the application permissions stuff) with a very short iptables script which set the policies for INPUT and FORWARD to DROP, and OUTPUT to ACCEPT, and adding a couple of rules for allowing related and established connections on the INPUT chain. I'm sure there are basic HOWTOs on this floating around - google for something like iptables introduction and you should find some good hits.

Actually, that's sort of what the firestarter (and probably the other firewall packages?) does - it generates a control script with a bunch of iptables entries. And, you're right, there are plenty of sample scripts, etc. available. But thus far, it's the application permissions (and some of the logging) that escapes me.

The problem is, I'm lazy and would rather find something already implemented, if possible. But if no such thing exists, I'll eventually hack something together. (Which defines the real issue: how do I prove that no such thing exists? Didn't Aristotle have something to say about that??)
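Added example, not part of the original thread: the baseline described in the reply above (INPUT and FORWARD dropped, related and established traffic let back in), extended so that new outgoing connections are accepted only for listed users and everything else is logged with its UID, using iptables' owner match and the LOG target's --log-uid option. The UID list, the "OUT-DENY: " prefix, the function names and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added illustration, not code from the thread. All names are hypothetical.

# Print an iptables-restore ruleset on stdout.
# $1: space-separated UIDs allowed to open new outgoing connections.
emit_ruleset() {
    allowed_uids=$1
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    # One ACCEPT rule per permitted user; the owner match only applies to
    # locally generated packets, which is exactly the OUTPUT chain.
    for uid in $allowed_uids; do
        printf '%s\n' "-A OUTPUT -m state --state NEW -m owner --uid-owner $uid -j ACCEPT"
    done
    # Anything left is a new outgoing connection from an unlisted user:
    # record who tried it, then refuse it.
    cat <<'EOF'
-A OUTPUT -m state --state NEW -j LOG --log-prefix "OUT-DENY: " --log-uid
-A OUTPUT -m state --state NEW -j REJECT
COMMIT
EOF
}

# Read kernel log lines on stdin and print one "uid dst:port count" line
# per distinct denied attempt, sorted.
summarise_denied() {
    awk '/OUT-DENY: / {
        uid = "unknown"; dst = "?"; dpt = "?"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^UID=/) uid = substr($i, 5)
            else if ($i ~ /^DST=/) dst = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        n[uid " " dst ":" dpt]++
    }
    END { for (k in n) print k, n[k] }' | sort
}

# Constructed sample log lines (documentation addresses, made-up UIDs).
SAMPLE_LOG='Aug 23 13:05:01 host kernel: OUT-DENY: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP SPT=40112 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0 UID=1001 GID=1001
Aug 23 13:05:04 host kernel: OUT-DENY: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4712 DF PROTO=TCP SPT=40112 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0 UID=1001 GID=1001
Aug 23 13:06:10 host kernel: PPP generic driver version 2.4.1
Aug 23 13:07:30 host kernel: OUT-DENY: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4800 DF PROTO=TCP SPT=40200 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 UID=1002 GID=1002'

# Demo: ruleset permitting only UID 1000, then the summary of the sample log.
emit_ruleset "1000"
printf '%s\n' "$SAMPLE_LOG" | summarise_denied
```

As root the ruleset can be loaded with `emit_ruleset "1000" | iptables-restore`. The owner match keys on the user, not the executable, so per-application control means running each application under its own account.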
Re: anonymous proxy
I think there may be a point of confusion here...

Are you looking for a packaged proxy server to run on a Linux system? I think - and I'm hardly the one to ask - that you can use squid for this, and I've seen reference to several other implementations. In fact, it's not that difficult to configure one yourself; there's some Perl code out there somewhere.

What *I* was looking for, and have (probably inappropriately) been referring to as an anonymous proxy server, is a utility which remaps IP requests, typically only from a browser, to an *external* proxy server somewhere (usually selecting from a list of same, as available). That's what the Windoze utilities (multiproxy, etc.) to which I was referring, will do, and that's what *I* was looking for, and can't find. Actually, the list of proxy servers can contain both anonymous and transparent servers.

To further complicate matters, anonymous proxy server commonly also means a server running somewhere on the net which forwards HTTP requests without forwarding the originator's IP address (the referrer), etc. etc. - some servers just forward everything, some forward some things and not others, and some only forward the IP address of the proxy server and the ID of the requestor's browser.

There's a terminology Issue here; if anyone knows the correct designations, it would probably clear up any confusion, some of which I've probably created... I guess I just assumed everyone else here knew all of this, since I hardly keep up with net infrastructure.

(Sorry for the flurry of postings, btw - while I wasn't watching my mail, the servers unlocked and I found 1300 list messages waiting...)
Re: problem installing Sendmail
I'm familiar with, and comfortable with, Sendmail. So, when Debian tries to install Exim I just say, No thank you, and install Sendmail. It was no problem at all.

I think... based on what I've heard here on this topic, that If I Had It To Do Over Again, that is what I would do also. But I'm a lot less sanguine about uninstalling exim now and installing sendmail instead, reassurances about clean uninstalls notwithsatanding.

This all does remind me, however, of dealing with competing EDA packages: one could always get support out of an EDA vendor as long as they were aware that you might shift allegiance to their competition at the drop of a hat. So maybe competing MDAs aren't such a bad thing...
Re: Debian Update
and make sure your /etc/apt/source.list not pointing to your cd installation (except you want to install new package from it)

Why not? An upgrade will always get the latest packages, and install will do the same, as long as you have an update source as well as the CDs in sources.list.

Aha! THANK you. I'm about to confront this myself. I just downloaded the R2 update ISO for Woody and burned it to CD. So now my question is... what do I do with it? Can I just add the appropriate CD-ROM entry to the sources.list file and then use apt-get update? Should I do a blanket update that way, or just let it get the latest versions from the update CD one at a time as needed (assuming it will look there instead of on the R1 CDs, which I'm guessing it will... ?) when I load new packages in the future?

I thought there should be some sort of FAQ or release notes that would explain exactly how this update CD is supposed to be used, but I haven't found it (which again doesn't mean it doesn't exist, so feel free to point me at it if anyone knows where it is)
Re: problem installing Sendmail
What do you mean, may come back ... again? I believe sendmail is still the most widely used MTA on the Internet. It's never gone away. Well, I don't keep track of these things in detail. I started hacking sendmail in 1984 or something, I forget. It looked like it worked OK to me. Then sometime a few years back I noticed that it had been replaced with something (smail?) on one of the Sun systems I was working on. Since then I've noticed various other MTAs proliferating. Since I primarily view computers as a means to an end and not an end in themselves, AFAIK cows come and cows go, but the bull stays around forever, so I just deal with whatever has landed in my lap at the moment and try to make it work. When I installed Debian, somehow I ended up with exim, which means it must have installed by default, since I wouldn't have picked it, because I didn't know what it was. So, by dint of the fact that it installed by default, I expect it must be Mail Transfer Agent of the Week, or Current Trendy Mail Transfer Agent, or whateveritis... If I really thought sendmail was going to ultimately triumph and win the Battle of the Mail Transfer Agents, I would probably have installed it, and support is definitely the main issue, since sooner or later whatever trendy MTA I happen to be using is going to break. You could be right; exim and smail and flailmail and everybodybailmail and whatever else could all lose in the end, and I could end up wasting the time I'm spending learning to bludgeon exim into compliance. Wouldn't be the first time I've followed a vapid software trend to perdition... won't be the last...
Re: OT:Hardly any messages getting through
I guess now it's my turn in the rape room; I haven't gotten anything from the list after August 15. (I see my subsequent post has showed up there, though.) Ordinarily, I would indulge a paranoid conspiracy theory to the effect that I'd been thrown off the list, but since there are others complaining of the same thing, I'm going to indulge a paranoid conspiracy theory that either (1) due to the high bandwidth we've been designated spam by a cadre of net.insiders who know what's best for everybody (just ask them...), or (2) we've been designated a terrorist organization and FBI's monitoring software has crashed (nh...) and is deleting all our traffic instead of forwarding it to the contract agency in Iran to which they've outsourced the internet terrorism monitoring jobs... oh well. I guess I'll just read the list on the website from now on. maybe there's some nerdware out there somewhere that supports using a mailer to post and using a browser to read, and keeps everything synchronized and can extract headers for the reply function and...
Re: problem installing Sendmail
Nah. Debian's real sane that way. If you install exim, it first uninstalls your other MTA. You mean, it *tries* to uninstall it... all it takes is one screw-up to put me in the O-zone with things like that. What if (*just* for insatance) the other MTA used different versions of some packages than the new MTA? I'm sure all the install software tries to keep track of all that, and probably does a decent job... 96.432% of the time. But, my experience generally is if it works, don't fix it... (we'll see if it really works...) btw, apt-cache search exim mentions exim-doc. Highly recommended. Okay - now you've touched on something I was curious about in an earlier thread, and I've dug into it some more: The man page for exim also mentions exim-doc. I loaded the exim-doc package. It created the /usr/share/doc/exim-doc directory (which is in addition to the usual /usr/share/doc/exim directory). But there's nothing in the exim-doc directory, to speak of. (There is the usual assortment of stuff in the exim directory) However, I think the exim-doc package actually is loaded for the access via the info command - am I right? There is quite a bit of additional information available via info exim.
Re: Firewall packages (was: All these open ports)
There are other available packages: I use FireHOL I used to use iptables + wondershaper in RH. I notice there are many ready-made firewall packages available in Debian. I'm wondering which one is recommended (ease to use/updated frequently, etc)? So am I, but I don't think this is the right place to ask. It seems like most people here just hack iptables directly. There's also a Debian firewall mailing list, but I posted something there and got no replies, so I'm not sure it's used very much. If you do a web search for debian firewall you'll probably find any number of other sites with firewall related forums where you can ask that question (I think there's one on the sourceforge site). I just loaded Firestarter because it seemed to be trendy firewall of the week, so maybe I'd be able to get support for it. But I could be wrong about both of those things... In any case, it doesn't provide all the functionality I want, and I expect to have to hack its iptables infrastructure (actually, being able to get at the iptables commands it uses as a foundation is a plus). Thus far, I haven't been able to find anything that provides canned-up functionality of the nature of the Windows Zone Alarm, although I can probably overcome that by iptables scripting, whereas with the Windows firewalls you get whatever is there and have to live with it.
Re: Help using Apt-Get
Reading Package Lists... Error! E: Dynamic MMap ran out of room That, IIRC, is a bug which has been there since day 0 and has to be corrected by putting an entry expanding your cache size, in the apt.conf file. I'm hazy on the details (it's been a MONTH already) but you can google for the error message and you'll find the fix. also, there are references to it on the lists here... Somebody on this list undoubtedly has the exact details as well. My 2 cents re: your other problems...: (1) don't even THINK about installing testing packages in your Woody. You will end up with an inter-release Jihad on your hands. (2) instead of upgrading an existing Woody to a Sarge, load the Sarge into a different bootable partition and get it working and able to support all your Woody-based apps and hookups etc. before burning your bridges. (3) nobody seems to *really* know how apt-pinning works. It doesn't completely work or completely not work, and it will do Some Things And Not Others, depending on how well (or who) it ate this morning.
Re: Linux help system (Was: -= Re: I hate it when that happens...)
I recently engaged with exim, and if it weren't for the fact that I found an obscure reference buried in the back yard in the dead of night, to the fact that there is an exim-docs package which needed to be loaded *in addition* to the exim docs which turn up in the /usr/share/docs directory, I would never have known it was there - and that package seems to be what turns up via the help command. . . . I think you're confused. You're right. What I *should* have referred to above, was not the help command but the info command, with which (I think? I just asked, on another thread) the exim-docs package is associated. Thanks for your compendium of doc info, btw... I'm pondering some sort of pointer system that would enable me to find Whateveritis Whereveritis out of all that (dream on...)
Re: problem installing Sendmail
It is available. Fire up one of the installers, turn off what you don't want, turn on what you do, then let 'er rip. You may need to be in something like Custom Install Mode or something to get this, but that's just to save newbie butts. You can do what you want to. I thought about that, but, (1) since exim is already installed as an MTA, I was dubious about installing *another* one, *whether or not* I would have to uninstall exim. Knowing no more than I do, I would suspect that I might end up in more trouble, and end up spending more time that way, than I would by just learning about exim, (2) I notice that sendmail is a virtual link to the exim executable - which causes me to further suspect possible miscegenation between sendmail support facilities (possibly even in the kernel) and exim support facilities - which then causes further paranoia per (1). (I have many, many burn scars... some of them in unmentionable places...), (3) if, and not when, the MTA I'm using blows up and embeds shrapnel and rice grains in my butt, the most important thing will be, for which MTA I can get some support - which is determined by the multivariable trendiness index of the product... Reason?: THE STUFF IS FREE. If I were paying for it, I'd feel free to Very true, but it is your box. I imagine the sendmail package maintainer needs love just like the others. :-) Then again, maybe not. He may just be doing it so he doesn't have to run exim or postfix; I don't know. Hey, his pet may come back into vogue again, you never know. These things change with the breeze... of course, some things are like tattoos - if you've got one, you better *hope* to hell they don't go seriously out of style (interesting, though - is there some internecine warfare going on between alternately trendy MTA package developers? *That* would be fun to watch... from a healthy distance...)
Re: problem installing Sendmail
On Sat, 14 Aug 2004 01:44:04 +0100, Thomas Adam [EMAIL PROTECTED] said: On Sat, Aug 14, 2004 at 01:39:23AM +0100, Carlos Sousa wrote: You mean, the OP decided for himself which MTA to use, instead of just accepting whatever MTA the current Debian Cabal chooses to shove down his throat? Oh, absolutely. Choice is everything, but would you really install an MTA you knew nothing about? I certainly wouldn't want to start learning sendmail. A good middle ground would be postfix. Well, I'd already learned to use sendmail, so I was sort of expecting that the Debian install would make it available, but it installed exim by default - so, having deduced that that was what was Preferred (or, in more colorful terms, shoved down my throat by whatever cabal controls whatever OS with which I'm currently having to negotiate), I've started learning to cope with it. If the Cabal (I think cadre is probably more appropriate for software people in general) changes its collective mind with a subsequent release (which would not surprise me one iota), I'll Go Along To Get Along. Reason?: THE STUFF IS FREE. If I were paying for it, I'd feel free to drive whoever created it to collective suicide if they didn't give me what I want. But I want support, and if it's FREE, it's damned well up to whoever created whatever it is, to decide what it looks like, and what they'll support. Or am I missing something here...
Re: All these open ports
I've just noticed that my debian testing open many ports by default: tcp0 0 *:dict *:* LISTEN tcp0 0 *:time *:* LISTEN tcp0 0 *:discard *:* LISTEN tcp0 0 *:682 *:* LISTEN I'm curious which utility produced that listing; I haven't seen lsof produce that - ? Buy a firewall or set up iptables. You can just load the Firestarter package; it will allow you to block ports (via a generated iptables script).
Linux help system (Was: -= Re: I hate it when that happens...)
It's built in - at least in bash ;) Not only that, but (correct me if I'm wrong - that's why I'm posting this) it appears that the docs for some things are split into docs that appear in HTML in /usr/share/docs, and docs that appear via the help command (the data for which is stored somewhere where I haven't found it yet, although I haven't really looked...). Additionally, in some cases it appears that there may be information available via the help docs which is not in the HTML docs, and vice versa. I recently engaged with exim, and if it weren't for the fact that I found an obscure reference buried in the back yard in the dead of night, to the fact that there is an exim-docs package which needed to be loaded *in addition* to the exim docs which turn up in the /usr/share/docs directory, I would never have known it was there - and that package seems to be what turns up via the help command. If the help command is only available in bash, I'll have to do some negotiating... I'm a csh/tcsh nazi and hate anything that looks like the original Bourne shell on general principles (or no principles at all, FTM) Please correct me if I'm wrong about any of this, since this is one area I've been meaning to explore and haven't Gotten Around To It
Re: [Rant] The Endless Search for a Mail Client That Doesn't Suck
FWIW... maybe my demands are just too small, but I've been using MH mail for... for hmmm... 25 years, now? maybe? and because it's command-line oriented, whenever it does something I don't like or doesn't do something I want, I write shell scripts to bludgeon it into submission as necessary, since I can access all its utilities from a shell script. occasionally I have to inflict Perl or even a C program on it. At one time I wrote my own encrypted mail system for it in C, before PGP became available... you can use procmail to direct incoming Stuff to various folders. (Just to strike holy fear into the hearts of any sysadmins out there, I've been known to break security, implement an SUID shell script to hack the sendmail.cf file to change the system identity while I send my mail out of some unsuspecting victim's system and then change it back when it's done, and then embed *that* in my MH control scripts). (okay, now go change your pants...) But I'm not sure about IMAP support... in the past when I've wanted something like that I've been able to just mount the MH mail directory over the network, but there are Issues (to say the least) with trying to do that across the Internet... dep't. I think you have to *build* MH with POP support, and I'm not sure (yet) whether it supports IMAP at all (although I notice fetchmail does, so there's probably a way to map MH folders to IMAP folders... hmmm...)
Re: scripts Re: [Rant] The Endless Search for a Mail Client That Doesn't Suck
there's a gui for mh too Yes... thanks for reminding me, I was going to say something about that, for the benefit of whoever is bemoaning his mail system... it's exmh (formerly xmh), and is implemented AFAIK entirely in TCL, which can be customized to change the GUI (or blow it off the air and cause you lots of work) as you please. Thus far, I haven't Gotten Around To customizing the GUI the way I've hacked the shell commands... but if you were bent on being able to access whatever modifications you'd implemented for the shell commands via the GUI, you could just add buttons to invoke them, or (presumably) reconfigure the GUI appearance. I've got MH and exmh installed and running on Woody, but I'm still attempting to get outgoing mail working... sounds like the mta was not hardened ... users should not be able to change the mta config files Oh, I know... and with good reason... but that never deterred me.
Re: [Rant] The Endless Search for a Mail Client That Doesn't Suck
Downloading the contents of imap folders goes far to defeat the purpose of IMAP: I can read the same mail using different IMAP clients on different computers and across different operating systems. Well, some of the mailers supposedly will Synchronize (yeah, right) your local folder image with whatever is on the server, which would be nice if it worked, so you could conduct interactive stuff locally and just use the link for keeping stuff synchronized but, yeah, in practice, unfortunately you're right...
Re: Want anonymous proxy server IP address mapping utility
No, we will not help you spam. I have no idea what you're talking about; AFAIK the anonymous proxies only remap browser requests. Are you implying that some of them will forward *email*?? (That, I find hard to believe...)
Re: Want anonymous proxy server IP address mapping utility
I've seen Squid logs where someone was giving it a bloody good go. In any event, you didn't say _what_ you want to proxy. Okay... well, I thought it was just common knowledge, but the various proxy servers out there, with various degrees of transparency and anonymity and this and that, AFAIK just receive HTTP requests on whatever port it is this week and forward them on the standard port. I supposed someone might have conjured up some method of using them for anonymous email, but I don't see why they'd bother. In any case, I'm just (once again...) looking for the functionality of a couple of the Windoze utilities I've been using, in a Linux version. Correct me if I'm wrong, but Squid is designed for setting up a *local* proxy, with various forms of filtering, isn't it? I looked through the docs and it didn't look to me like that was what I was looking for, but maybe I missed it. (naaah... Who, ME?? overlook something right under my nose? I wouldn't do *that*...) I had no idea these things were the subject of such knee-jerk suspicion and paranoia. There are all sorts of commercial products out there for net anonymity; what's the big deal? (other than that I'm getting the impression there's nothing *available* for Linux...) Maybe I'm asking in the wrong place or on the wrong list... I just thought, as with some other functionalities, there might be some Debian-specific package Or Something that would fill the bill...
Re: I hate it when that happens...
Nah, screw all that noise. Half the fun of executing 'rm' is the fact that you know you have a loaded revolver on your temple. Keeps you on your toes, which I think makes me a smarter user. Do I have backups? Is this crisp? Am I thinking clearly? But, half the fun of committing suicide is doing it DELIBERATELY. I don't want to do it by ACCIDENT... Where's the satisfaction in *that*?
Re: I hate it when that happens...
And then you sit down at another machine, blindly type in rm thinking it will babysit your stuff into the trashcan, and it doesn't. Oops. Bandaids are temporary, substandard replacements for real skin. No way. I have NEVER done that. I live in terror of the rm command and am merely relieved when my shell wrapper works and saves me from some screw-up. No way am I going to just assume I can get away with casually removing stuff. (I've never gotten VD, either...)
Re: I hate it when that happens...
Well, I don't want to trade manly quips with you all night, but my point was something like don't mess up, and have backups. Unless you have something like snapshot running, you will invariably lose whatever it is that you've just been working on, backups or not. Additionally, it doesn't take much to accidentally dump an rm command into a shell. You can do it with a screen paste, a shell script error, you name it. Gun safety means always keeping the muzzle pointed in a safe direction even though you *know* the gun is unloaded and the safety is on...
Re: I hate it when that happens...
Unless you have something like snapshot running, you will invariably lose whatever it is that you've just been working on, backups or not. So go use Solaris. Solaris is not optimized for the X86 architecture; also, it is a disk hog. Additionally, as I mentioned, the snapshot feature eats lots of disk space and may require RAID support. So, I'll just put a condom on rm...
Want anonymous proxy server IP address mapping utility
Thus far, my web searches have not turned up anything like the Windows multiproxy, winnow, etc. utilities for Linux. I know I can set up for anonymous proxy use on a one-at-a-time basis, but I want the (very useful) additional features of the above mentioned Gatesware-based utilities. Does anyone here know of the existence of any such? I realize this may not be a Debian-specific question, that it might be more appropriately directed elsewhere, etc. (suggestions welcome...) - but on the other hand, if nothing equivalent exists, I'll have to start digging into how to eventually hash up something myself using whatever proxy facilities exist within Debian, so...
Re: I hate it when that happens...
You should have a soft remove... rm -rf * is a joke so old I can't believe anyone still gets bitten by it. the rm command should be aliased to a script which moves the target file to a trashcan directory somewhere which then gets checked by a cron job which does a permanent remove of any files which haven't been accessed in 10 days. then you implement a mr command which lists the trashcan directory and allows you to retrieve stuff you've fatfingered with the rm command. Somewhere I've got C-shell scripts to do all this (which I'll be using if I can ever get Woody up). Or, of course, you *could* just bring up Solaris and enable snapshot, (which may require RAID), I'm not sure (but it's packaged with Solaris)
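The soft-remove scheme from the post above, sketched as POSIX shell functions. This is an added example, not the poster's C-shell scripts: the names softrm, mr_list, mr_restore, trash_purge and the TRASH_DIR location are assumptions. It also swaps the purge rule: entries are purged by the time they were trashed rather than by last access, because moving a file keeps its old access time and a long-untouched file would otherwise be purged on the very next cron run.

```shell
#!/bin/sh
# Added example: soft remove with a trash directory (not the poster's csh scripts).
# Assumed names: TRASH_DIR, softrm, mr_list, mr_restore, trash_purge.

TRASH_DIR="${TRASH_DIR:-$HOME/.trashcan}"

# softrm FILE...  Move each target into its own slot in the trash.
softrm() {
    mkdir -p "$TRASH_DIR" && chmod 700 "$TRASH_DIR" || return 1
    for sr_target in "$@"; do
        if [ ! -e "$sr_target" ] && [ ! -L "$sr_target" ]; then
            echo "softrm: no such file: $sr_target" >&2
            return 1
        fi
        sr_base=$(basename -- "$sr_target")
        sr_dir=$(cd -- "$(dirname -- "$sr_target")" && pwd) || return 1
        # One slot per removal, so equal file names never overwrite each other.
        sr_slot=$(mktemp -d "$TRASH_DIR/XXXXXX") || return 1
        mkdir "$sr_slot/data" || return 1
        # Record where the file came from; this record's mtime is the trash time.
        printf '%s\n' "$sr_dir/$sr_base" > "$sr_slot/.origin"
        mv -- "$sr_target" "$sr_slot/data/$sr_base" || return 1
    done
}

# mr_list  Print "slot<TAB>original path" for every entry in the trash.
mr_list() {
    for ml_origin in "$TRASH_DIR"/*/.origin; do
        [ -f "$ml_origin" ] || continue
        printf '%s\t%s\n' "$(basename -- "$(dirname -- "$ml_origin")")" \
            "$(cat "$ml_origin")"
    done
}

# mr_restore SLOT  Put one entry back where it came from; never overwrite.
mr_restore() {
    case "$1" in
        ""|*/*|.*) echo "mr_restore: bad slot name" >&2; return 2 ;;
    esac
    mr_slot="$TRASH_DIR/$1"
    if [ ! -f "$mr_slot/.origin" ]; then
        echo "mr_restore: no entry $1" >&2
        return 1
    fi
    mr_origin=$(cat "$mr_slot/.origin")
    if [ -e "$mr_origin" ] || [ -L "$mr_origin" ]; then
        echo "mr_restore: $mr_origin exists, not overwriting" >&2
        return 1
    fi
    mv -- "$mr_slot/data/$(basename -- "$mr_origin")" "$mr_origin" &&
        rm -rf -- "$mr_slot"
}

# trash_purge [DAYS]  Permanently delete entries trashed more than DAYS days
# ago (find -mtime +DAYS on the .origin record). Intended for a daily cron job.
trash_purge() {
    tp_days="${1:-10}"
    for tp_origin in "$TRASH_DIR"/*/.origin; do
        [ -f "$tp_origin" ] || continue
        if [ -n "$(find "$tp_origin" -mtime +"$tp_days")" ]; then
            rm -rf -- "$(dirname -- "$tp_origin")"
        fi
    done
}
```

Because softrm is a function with a different name, a machine without it fails with "command not found" instead of silently running the real rm.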
Re: How can I get all IP transactions (in/out) logged?
Yes iptables can do this. I know iptables can log to syslog, and believe there are ways to make it log to SQL, but I am unfamiliar with those. . . ... Thanks - that sounds like a plan... (I knew I wouldn't escape dealing with iptables). I would think this capability would be built into one of the firewall products, but I haven't found it. There may be a configuration setting to get iptables to log to something other than syslog, also (I know it's possible with pppd, although the logs seem to go to both places rather than just one). I can postprocess the log file to reduce the data... Thanks again -
Re: What are the dangers of using packages from both stable and testing?
What are the dangers of using packages from both stable and testing? Okay... I got told by someone on this list: (a) that it is system suicide, and (b) that the fact that it is system suicide is well-documented in many places with ample dire warnings in 384 languages including Martian. But I haven't been able to find any such warnings yet, and nobody answered my Where does it say that? question. One thing I *am* certain of, is that if you are running one release, the risk increases proportionally with the number of additional other-release packages that get sucked in with whatever you tried to load from the other release. However, even so, it only takes *one* infernal incompatibility to land you back at the command prompt with X11 whining like a bad alternator bearing, or worse yet trying to resurrect your system via CD-ROM... (Nonetheless, I'd still like to know where all the fabled and legendary DON'T DO THIS warnings are) (especially the one written in Martian)
Re: How can I get all IP transactions (in/out) logged?
It seems to me that the log won't necessarily be very large. It really depends on how the connection is being used, doesn't it? An hour's worth of log from a dialup connection couldn't be very large, for example. Of course, on a broadband connection with lots of websites being visited or files being downloaded, the log would become quite large fairly quickly. It would depend on how much information is logged. Logging the contents of packets during a web surfing session would generate a large file. But, all I'm interested in is a source and destination IP for what has gone in and out of my system, along with possibly what port was used, what process ID was using the port, a timestamp, and a packet count. I found a reference on the linuxsecurity website to some sort of utility that will troll the various logfiles in an attempt to reconstruct some of this information, ostensibly in the aftermath of a successful cracking attempt. Another reference suggests running a packet sniffer (snort?) on your system. It seems rather silly to have to resort to that sort of thing, when enough system access is available to facilitate tracking network activity proactively. But what do I know... even my experience at breaking and entering is sadly outdated...
How can I get all IP transactions (in/out) logged?
I just want a basic log file containing the source and destination addresses for all traffic in and out via PPP, so that I can keep track of what connections to outside IP addresses are made, and from where (externally, or from something running on my system) they originated. I've turned on the debug mode in PPP but it doesn't seem to provide what I want. For instance, it logs transactions from my system to my ISP, but doesn't log what's happening with any greater resolution (for instance, if I ping a system on the Internet, there's no record of the ping attempt in any of the system log files). The firewall as set up by firestarter logs blocked firewall penetration attempts, but not legitimate transactions in and out (perhaps there's a method, which I haven't found, to change that?) Is there any built-in facility that will accomplish this, or is it necessary/possible to construct something using iptables, or is there a contributed app that will do it? I realize that there are log files for the various servers and utilities (FTP, etc.) that contain this information on a piecemeal basis, but it seems to me that it would make more sense to collect it at the connection point(s) in and out of the system, at least on an interface-by-interface basis. Once again, I'm surprised that a Web search and various site searches haven't turned up a solution to this.
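One way to get the reduced connection log discussed in this thread: have iptables LOG new connections on ppp0 to syslog, then collapse the entries to one row per direction, source, destination, protocol and destination port. This is an added example, not code from the thread; the log prefixes, the choice to log only NEW connections, the function names and the sample lines (constructed, using documentation addresses) are assumptions.

```shell
#!/bin/sh
# Added example: reduce iptables LOG lines in syslog to one row per flow.
# Assumed rules (the prefixes and NEW-only logging are assumptions, not
# Firestarter output); -I puts them ahead of any existing ACCEPT/DROP rules,
# and LOG does not end rule traversal:
#   iptables -I OUTPUT -o ppp0 -m state --state NEW -j LOG --log-prefix "PPP-OUT: "
#   iptables -I INPUT  -i ppp0 -m state --state NEW -j LOG --log-prefix "PPP-IN: "

# Constructed sample of the resulting syslog lines, plus one unrelated pppd line.
sample_log() {
    cat <<'EOF'
Aug 20 14:02:11 woody kernel: PPP-OUT: IN= OUT=ppp0 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1234 DF PROTO=TCP SPT=1025 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 20 14:02:15 woody kernel: PPP-OUT: IN= OUT=ppp0 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1240 DF PROTO=TCP SPT=1026 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 20 14:03:01 woody kernel: PPP-OUT: IN= OUT=ppp0 SRC=203.0.113.7 DST=198.51.100.5 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Aug 20 14:05:40 woody kernel: PPP-IN: IN=ppp0 OUT= MAC= SRC=198.51.100.99 DST=203.0.113.7 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=999 DF PROTO=TCP SPT=4000 DPT=135 WINDOW=8192 RES=0x00 SYN URGP=0
Aug 20 14:06:00 woody pppd[312]: rcvd [LCP EchoReq id=0x1 magic=0x0]
EOF
}

# ipt_summary [PREFIX] < syslog
# Keeps only lines containing PREFIX and prints, most frequent first:
#   count direction src dst proto dport last-seen-timestamp
# dport is "-" for protocols without ports (the ICMP ping case).
ipt_summary() {
    awk -v prefix="${1:-PPP-}" '
    index($0, prefix) == 0 { next }
    {
        split("", kv)                      # reset the KEY=VALUE map per line
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (eq > 1) kv[substr($i, 1, eq - 1)] = substr($i, eq + 1)
        }
        if (!("SRC" in kv) || !("DST" in kv)) next
        if (kv["IN"] != "" && kv["OUT"] != "") dir = "fwd"
        else if (kv["OUT"] != "")              dir = "out"
        else                                   dir = "in"
        proto = ("PROTO" in kv) ? kv["PROTO"] : "-"
        port  = ("DPT" in kv)   ? kv["DPT"]   : "-"
        key = dir " " kv["SRC"] " " kv["DST"] " " proto " " port
        count[key]++
        last[key] = $1 " " $2 " " $3       # syslog month, day, time
    }
    END { for (k in count) print count[k], k, last[k] }
    ' | LC_ALL=C sort -k1,1nr -k2
}
```

With NEW-only rules the count is the number of logged connection attempts, not packets; per-rule packet totals are available from `iptables -L -v -n`.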
Re: Debian install breaks on 'Configuring Locales'
Now I've dl'd the Debian CD iso images and burned them to disks. This is with the 'Woody' 30r2-i386 set of seven CD's, plus the updates CD. Okay, that's *exactly* what *I* did... except for the update CD (h) But it breaks each time at 'Configuring Locales'. You can select more locales, but the 'Enter' key will not give an 'accept' - it just sits there. but it looks like I had another Narrow Escape... IIRC, after saying to myself, Duuh... What's A `Locale', I just selected C as the Locale because it looked generic and nerdish and acultural and etc. (and I *think* it's the default...), and that worked OK to finish the install. Then, later on, GTK started whining Locale Not Supported, etc. - so I added the US English locale with (I think) dpkg-reconfigure. (I can go look up the exact procedure I used, if you want, but (Anno Mirabili) it's actually documented somewhere). That shut GTK up (although I can't imagine why it would insist on US English when I gave it C, already... but, whatever turns its crank, I suppose). My usual tactic with installs is to try and get something up, as simply as possible, and then subsequently add things and bludgeon the system into accepting them. I've found that to be particularly necessary when installing this Debian Woody contraption - the more you add at the outset, the more pitfalls (with excrement-smeared punji stakes at the bottom of them) there are down the road. Can't I get a stock version of Linux to run 'out of the box', with decent speed? You want something FREE to work, out of a box it didn't come in, when expensive Gatesware that you PAY for, in a fancy-pants marketing-droid-designed box with a hologram on it, DOESN'T work?? *WHERE* did you get the DRUGS??? I'm not asking a lot, Web access, email, and a functioning floppy drive... Yeah, well, I'm not there either yet, after 3 weeks. I'm still trying to fashion the necessary full-body Internet condom out of the resident firewall stuff, before I trust my system on the net. 
But I'll get there. I've yet to find a nix system that doesn't eventually submit to domination and slavery under my relentless brutal attacks. Further, the Debian install doc, which was lovingly detailed up to Chapter 8, breaks down and does not deal with several of the screen options presented during setup. Including, of course, the 'Configuring Locales' option, or any way of avoiding it. So, somebody never got finished with it. Their girlfriend was probably screaming at them to come to bed at 3AM. (For pete's sake... he wants *free* *documentation* with his *free* *software*??? and expects ANY of it to WORK) Can I scream now, or must I wait? When it comes to dealing with nix machinations, rather than screaming I'd suggest a blood sacrifice in front of your computer. Start with a chicken (I won't bring partisan politics into this and suggest from which party you should get it...) and work your way up the food chain...
Re: Debian install breaks on 'Configuring Locales'
Now I find it easier to restore a minimal version of Windows from a Linux-made backup rather than reinstall after a major Windows-doesn't-boot-anymore grade disaster. (happens every few months). Everyone using this system has been warned to avoid putting any essential data on the C: partition. Not that that's entirely avoidable. I use Novastor's Instant Recovery to back up my Gatesware system to CD-ROM. Guess what it does... (you're gonna love this): it shuts down Windows, boots a very minimal Linux system off the Instant Recovery CD-ROM, and then writes the entire contents of your Windoze disk partition (whatever one you choose) to CD-ROMs. That way you can restore the exact disk image, including the infernal Registry and whatever other fragile and unpredictable system states (which you can't do from a running Windoze system, of curse). I capture a new image of the C: partition that way every so often, so I'll have a system in a reasonably current state of installation to fall back on if I get a complete crash. (As an interesting side-note, Novastor had this Linux-based backup system talking to my CD writer *long* before they were able to get their regular Windows-based backup system to talk to it... took them almost another year to get the Windows drivers to work). But... My conclusion? I consider Linux an essential maintenance tool if you are going to run Windows. you've got a really interesting point... my Windoze drives are mounted as VFAT partitions and visible from within my Linux system, so I should be able to dispense with Insatant Recovery and just run tape backups on the VFAT partitions. Hmmm... Actually... I could just mirror the VFAT partitions somewhere onto my Linux drive... then I could just *copy* the stuff back over to the Windoze drive if it goes T.U.(Thanks... I think I'll get right on that.) My intention, ultimately, is to entrap the Gatesware within VMware under Linux, anyway...
but I'm wondering if installation of new Windoze apps from within a VMware workspace will work or if I'll have to actually boot on the Gatesware drive to do that. I guess I'll find out - -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Confounded by Firestarter Issues... (update)
Okay... I've figured out a couple of things. I'll post them here in case anyone else gets in the same trouble. There are hints of solutions to all this in various places scattered around the Web, but nothing explicit or in one place, that I could find. Basically, I just spent enough time trying combinations of things and finally got lucky. (I have V0.8xx so any or all of this may or may not apply to later versions.)

(1) The setup wizard defaults to device eth0 as the primary communication device. If you *either* fail to select ppp0 *or* the selection somehow changes (which is what happened to me, emphasis on the somehow - rerunning the wizard and regenerating the Firestarter shell script is a common procedure and probably subject to accidents, if nothing else...), Firestarter redirects various (but not all!) IP traffic to the LAN interface - i.e., things which are supposed to go in/out the connection to the ISP, end up forwarded to the Ethernet interface (causing the MAC transaction kernel logging messages to appear in the console window). Interestingly, enabling specific connections to specific IP addresses in the Firestarter rules, does cause those connections to then be directed to whatever running app needs them, on a rule-by-rule basis, while everything else continues to squirt out the Ethernet interface. This setup idiosyncrasy is undoubtedly the result of Firestarter being intended to run on a dedicated firewall machine, rather than being set up as a personal firewall...

(2) Starting Firestarter manually as root *before* using kppp to connect with an ISP, does not work. What happens is, Firestarter can't find an existing pppd task to glom onto, and (for whatever reason), guess what - goes about redirecting the IP traffic out onto the network interface, in the same manner as it does if the eth0 device is incorrectly selected. *Restarting* the firewall *after* establishing the PPP connection causes the firewall to start working correctly (at least, apps/utilities (Netscape, ping, etc.) can then access the PPP connection correctly).

Based on some snatches of conversation I found on the sourceforge website, I suspect that Firestarter needs to be started by init.d, and at the correct runlevel, in order to avoid this second problem. However, in my case at least, I was forced to disable the (default) startup behavior, because it locked up KDE on startup. There are some gtk errors (e.g., Gtk-WARNING **: invalid cast from (NULL) pointer to `GtkContainer', Gtk-CRITICAL **: file gtkcontainer.c: line 726 (gtk_container_remove):assertion `container != NULL' failed., etc.) which are generated with every call Firestarter makes to the window it puts up (i.e. every time it updates the transaction log in the log window), and apparently that causes KDE to choke on startup. (Interestingly, logging in and starting KDE as root worked, but logging in as a non-privileged user did not - go figure...). There was also a problem involving locale detection, which I've since fixed; I suppose I should try reinstating the init.d links to see if that was what was causing the KDE lockup. But, I'm not sure I want the firewall running until I'm ready to start a dialup connection in any case.

Thus far, I haven't found any solution to the gtk error messages, which are commonly discussed in various places on the net w/r/t various apps; they're mentioned specifically w/r/t Firestarter on one of the German Linux security websites, but (to the best of my limited ability to translate German) the problem was deemed unsolvable without an upgrade. (I haven't looked to see if there's a newer stable version of the Gnome toolkit yet... I suppose that's worth a try.)

Upgrading woody to Firestarter 0.9xx is more or less unworkable, from what I can tell (as has been previously explored here...) - a complete upgrade to sarge would make more sense. Unless I can find a backport of Firestarter version 0.9xx to Woody, I'll have to work around all the Issues for the time being. I may end up just using the scripts and iptables commands Firestarter has generated, as a starting point for a manually scripted personal firewall implementation.

Thanks to everyone who responded, for your help.
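As an added example (not part of the original post and not Firestarter's generated output), here is a hand-written starting point of the kind the post mentions: it prints iptables commands for a single-user dial-up host bound to ppp0, and audits any rule list for rules tied to the wrong interface, the eth0/ppp0 mix-up described in point (1). The function names, port lists and log prefixes are assumptions.

```shell
#!/bin/sh
# Added example: hand-written personal-firewall rules for a dial-up host.
# Assumptions (not from the post): function names, port lists, log prefixes.

TCP_OUT="80 443"   # outbound TCP ports a browser needs
UDP_OUT="53"       # outbound UDP ports (DNS lookups)

# gen_rules IFACE
# Print (do not execute) iptables commands for a default-deny host firewall
# whose only Internet-facing interface is IFACE. iptables matches interfaces
# by name, so these rules can be loaded before pppd has created ppp0.
gen_rules() {
    ext_if="$1"
    case "$ext_if" in
        ''|*[!A-Za-z0-9._-]*)
            echo "gen_rules: bad interface name" >&2
            return 2 ;;
    esac
    cat <<EOF
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i $ext_if -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $ext_if -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    # New outbound connections are allowed only to the listed ports.
    for p in $UDP_OUT; do
        echo "iptables -A OUTPUT -o $ext_if -p udp --dport $p -m state --state NEW -j ACCEPT"
    done
    for p in $TCP_OUT; do
        echo "iptables -A OUTPUT -o $ext_if -p tcp --dport $p --syn -m state --state NEW -j ACCEPT"
    done
    # Outbound ping; the replies come back as ESTABLISHED traffic.
    echo "iptables -A OUTPUT -o $ext_if -p icmp --icmp-type echo-request -j ACCEPT"
    # Log whatever is about to hit the DROP policies, rate-limited.
    cat <<EOF
iptables -A INPUT -m limit --limit 6/min -j LOG --log-prefix "fw-in-drop: "
iptables -A OUTPUT -m limit --limit 6/min -j LOG --log-prefix "fw-out-drop: "
EOF
}

# audit_ifaces IFACE   (rule list on stdin)
# Report every rule that names an interface other than lo or IFACE.
# Returns 0 when the list is clean, 1 when a stray interface is found.
audit_ifaces() {
    want="$1"
    bad=0
    set -f                      # no globbing while splitting rule lines
    while read -r line; do
        set -- $line
        while [ $# -gt 1 ]; do
            case "$1" in
                -i|-o|--in-interface|--out-interface)
                    if [ "$2" != lo ] && [ "$2" != "$want" ]; then
                        echo "unexpected interface $2: $line"
                        bad=1
                    fi ;;
            esac
            shift
        done
    done
    set +f
    return $bad
}

# Dry run: "sh thisfile print" shows the commands without loading them.
case "${1:-}" in
    print) gen_rules ppp0 ;;
esac
```

To load the rules, pipe the output of `gen_rules ppp0` to `sh` as root; with FORWARD set to DROP and no rule naming eth0, nothing is passed on to the LAN interface.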
Re: Confounded by Firestarter Issues...
Heresy? Why? There is a consensus of some sort among some security people that (a) personal firewalls are useless, (b) using ipchains, iptables, or anything layered thereupon (like Firestarter) to attempt to construct one is a waste of time. (Obviously I don't care what they think, or I wouldn't be beating on the problem...). this relates in some measure to your comment below regarding running processes calling home... I have it set up and running and I can get data through it. The problem is that I can't seem to dope out how to properly set it up for packet filtering This is not a difficult package to install; I did it as a non-technical newbie. Maybe you're making it more complex than it is? It's installed, just fine. (with minor exceptions). I can get data through it. I can make it completely block an IP address or completely trust an IP address. What I don't seem to be able to do is (generally) figure out how to control which *applications* can communicate (beginning with a browser), and on which ports, etc. etc. (one of the things that distinguishes a Personal firewall...). I can't get Netscape (or even ping) to be able to access any IP address on the net by default - I have to individually make each address trusted, or (in the case of ping) give the DNS servers completely unrestricted access, etc... I run Firestarter 0.9.2 and haven't touched it since installation in November. It just runs automatically from the init script, like all the other Linux services. I just opened it up now to remember what it looks Which release have you got? If you have 0.9.2 running on stable Woody, I am very, very, VERY interested in how you got *that* installed... (pre-emptive question: did you upgrade the C library, and if so how and to what?) At the moment I'm stuck with 0.8xx because what I've determined thus far about the upgrade is that it's only compatible with Sarge I had a problem with running it from the init script. I'm starting it manually. (Could *that* be my problem? 
There was some discussion of *that* as well, on the sourceforge lists, but I couldn't convince myself that there was a real issue with whether or not it was run from init.d as far as functionality goes...) like. ;) Its GUI is very easy to use to configure your firewall, and I use it to protect this desktop box. If you use the pull-down menu item Edit - Preferences - Services, just check the boxes for services you The key there is services. I don't have any services I want to make available (yet - I'm sure I'll end up with ftpd etc. turned on eventually). I just want things like a browser to be able to communicate. Thus far - and if you've got the magic combination, I'd like to know - turning on various services doesn't seem to enable my browser to work. I have to enable IP addresses for every web site one at a time in the security settings. (There's clearly something really wrong there...). But I can't figure out which services might have to be enabled to make the browser work (if that's what's wrong), and my understanding (again) is that a running program just uses one or more ports for communication - enabling services has nothing to do with it - and that just enabling the *ports* on which it communicates should be sufficient. So far, though, no luck... want enabled to the public. It's as easy as configuring ZoneAlarm, but even more configurable, as I recall. Yes and no... it's really a different animal. Zone Alarm is program oriented - it can keep track of what apps are actually running and grant or deny access to them. I'm trying to sort of dummy up that feature with Firestarter... Zone Alarm, OTOH, knows nothing of ports (or if it does, I've never seen evidence of it, except possibly in the log files.) Mine works out-of-the box. I do remember changing some of the settings, as needed, in the preferences from the GUI, as mentioned above. I changed Reject to Deny, for example. 
I haven't tried every combination of everything, but I already feel like a complete idiot so I suppose trying things that make no sense is probably next on the agenda, unless I can find more information somewhere... I thought the idea was to explicitly permit only certain *ports* to communicate, but so far, I can't figure out any way to make *that* work... Use the Preferences to do this for Incoming by type of Service. I don't see how to do that for Outgoing, or even if that is a capability of It's not important for outgoing data unless (as you warn of below) something is trying to call home. (That question - whether something can call home - is one in which I'm very interested, and about which I've heard ominous tidbits - particularly as regards Gatesware, of curse - and which could occupy plenty of bandwidth here by itself, if it hasn't already...) In any case, I'm not trying to solve *that* problem yet (though I would like to know how to get logging for *all* IP
Re: Confounded by Firestarter Issues...
Heresy? Why? There is a consensus of some sort among some security people that (a) personal firewalls are useless, (b) using ipchains, iptables, or anything layered thereupon (like Firestarter)to attempt to construct one is a waste of time. (Obviously I don't care what they think, or I wouldn't be beating on the problem...). this relates in some measure to your comment below regarding running processes calling home... I have it set up and running and I can get data through it. The problem is that I can't seem to dope out how to properly set it up for packet filtering This is not a difficult package to install; I did it as a non-technical newbie. Maybe you're making it more complex than it is? It's installed, just fine. (with minor exceptions). I can get data through it. I can make it completely block an IP address or completely trust an IP address. What I don't seem to be able to do is (generally) figure out how to control which *applications* can communicate (beginning with a browser), and on which ports, etc. etc. (one of the things that distinguishes a Personal firewall...). I can't get Netscape (or even ping) to be able to access any IP address on the net by default - I have to individually make each address trusted, or (in the case of ping) give the DNS servers completely unrestricted access, etc... I run Firestarter 0.9.2 and haven't touched it since installation in November. It just runs automatically from the init script, like all the other Linux services. I just opened it up now to remember what it looks Which release have you got? If you have 0.9.2 running on stable Woody, I am very, very, VERY interested in how you got *that* installed... (pre-emptive question: did you upgrade the C library, and if so how and to what?) At the moment I'm stuck with 0.8xx because what I've determined thus far about the upgrade is that it's only compatible with Sarge I had a problem with running it from the init script. I'm starting it manually. (Could *that* be my problem? 
There was some dicsucsion of *that* as well, on the sourceforge lists, but I couldn't convince myself that there was a real issue with whether or not it was run from init.d as far as functionality goes...) like. ;) Its GUI is very easy to use to configure your firewall, and I use it to protect this desktop box. If you use the pull-down menu item Edit - Preferences - Services, just check the boxes for services you The key there is services. I don't have any services I want to make available (yet - I'm sure I'll end up with ftpd etc. turned on eventually). I just want things like a browser to be able to communicate. Thus far - and if you've got the magic combination, I'd like to know - turning on various services doesn't seem to enable my browser to work. I have to enable IP addresses for every web site one at a time in the security settings. (There's clearly something really wrong there...). But I can't figure out which services might have to be enabled to make the browser work (if that's what's wrong), and my undersatanding (again) is that a running program just uses one or more ports for communication - enabling services has nothing to do with it - and that just enabling the *ports* on which it communicates should be sufficient. So far, though, no luck... want enabled to the public. It's as easy as configuring ZoneAlarm, but even more configurable, as I recall. Yes and no... it's really a different animal. Zone Alarm is program oriented - it can keep track of what apps are actually running and grant or deny access to them. I'm trying to sort of dummy up that feature with Firestarter... Zone Alarm, OTOH, knows nothing of ports (or if it does, I've never seen evidence of it, except possibly in the log files.) Mine works out-of-the box. I do remember changing some of the settings, as needed, in the preferences from the GUI, as mentioned above. I changed Reject to Deny, for example. 
I haven't tried every combination of everything, but I already feel like a complete idiot so I suppose trying things that make no sense is probably next on the agenda, unless I can find more information somewhere... I thought the idea was to explicitly permit only certain *ports* to communicate, but so far, I can't figure out any way to make *that* work... Use the Preferences to do this for Incoming by type of Service. I don't see how to do that for Outgoing, or even if that is a capability of It's not important for outgoing data unless (as you warn of below) something is trying to call home. (That question - whether something can call home - is one in which I'm very interested, and about which I've heard ominous tidbits - particularly as regards Gatesware, of curse - and which could occupy plenty of bandwidth here by itself, if it hasn't already...) In any case, I'm not trying to solve *that* problem yet (though I would like to know how to get logging for *all* IP
Re: Confounded by Firestarter Issues...
Heresy? Why? There is a consensus of some sort among some security people that (a) personal firewalls are useless, (b) using ipchains, iptables, or anything layered thereupon (like Firestarter)to attempt to construct one is a waste of time. (Obviously I don't care what they think, or I wouldn't be beating on the problem...). this relates in some measure to your comment below regarding running processes calling home... I have it set up and running and I can get data through it. The problem is that I can't seem to dope out how to properly set it up for packet filtering This is not a difficult package to install; I did it as a non-technical newbie. Maybe you're making it more complex than it is? It's installed, just fine. (with minor exceptions). I can get data through it. I can make it completely block an IP address or completely trust an IP address. What I don't seem to be able to do is (generally) figure out how to control which *applications* can communicate (beginning with a browser), and on which ports, etc. etc. (one of the things that distinguishes a Personal firewall...). I can't get Netscape (or even ping) to be able to access any IP address on the net by default - I have to individually make each address trusted, or (in the case of ping) give the DNS servers completely unrestricted access, etc... I run Firestarter 0.9.2 and haven't touched it since installation in November. It just runs automatically from the init script, like all the other Linux services. I just opened it up now to remember what it looks Which release have you got? If you have 0.9.2 running on stable Woody, I am very, very, VERY interested in how you got *that* installed... (pre-emptive question: did you upgrade the C library, and if so how and to what?) At the moment I'm stuck with 0.8xx because what I've determined thus far about the upgrade is that it's only compatible with Sarge I had a problem with running it from the init script. I'm starting it manually. (Could *that* be my problem? 
There was some dicsucsion of *that* as well, on the sourceforge lists, but I couldn't convince myself that there was a real issue with whether or not it was run from init.d as far as functionality goes...) like. ;) Its GUI is very easy to use to configure your firewall, and I use it to protect this desktop box. If you use the pull-down menu item Edit - Preferences - Services, just check the boxes for services you The key there is services. I don't have any services I want to make available (yet - I'm sure I'll end up with ftpd etc. turned on eventually). I just want things like a browser to be able to communicate. Thus far - and if you've got the magic combination, I'd like to know - turning on various services doesn't seem to enable my browser to work. I have to enable IP addresses for every web site one at a time in the security settings. (There's clearly something really wrong there...). But I can't figure out which services might have to be enabled to make the browser work (if that's what's wrong), and my undersatanding (again) is that a running program just uses one or more ports for communication - enabling services has nothing to do with it - and that just enabling the *ports* on which it communicates should be sufficient. So far, though, no luck... want enabled to the public. It's as easy as configuring ZoneAlarm, but even more configurable, as I recall. Yes and no... it's really a different animal. Zone Alarm is program oriented - it can keep track of what apps are actually running and grant or deny access to them. I'm trying to sort of dummy up that feature with Firestarter... Zone Alarm, OTOH, knows nothing of ports (or if it does, I've never seen evidence of it, except possibly in the log files.) Mine works out-of-the box. I do remember changing some of the settings, as needed, in the preferences from the GUI, as mentioned above. I changed Reject to Deny, for example. 
I haven't tried every combination of everything, but I already feel like a complete idiot so I suppose trying things that make no sense is probably next on the agenda, unless I can find more information somewhere... I thought the idea was to explicitly permit only certain *ports* to communicate, but so far, I can't figure out any way to make *that* work... Use the Preferences to do this for Incoming by type of Service. I don't see how to do that for Outgoing, or even if that is a capability of It's not important for outgoing data unless (as you warn of below) something is trying to call home. (That question - whether something can call home - is one in which I'm very interested, and about which I've heard ominous tidbits - particularly as regards Gatesware, of curse - and which could occupy plenty of bandwidth here by itself, if it hasn't already...) In any case, I'm not trying to solve *that* problem yet (though I would like to know how to get logging for *all* IP
Re: Confounded by Firestarter Issues...
Heresy? Why? There is a consensus of some sort among some security people that (a) personal firewalls are useless, (b) using ipchains, iptables, or anything layered thereupon (like Firestarter)to attempt to construct one is a waste of time. (Obviously I don't care what they think, or I wouldn't be beating on the problem...). this relates in some measure to your comment below regarding running processes calling home... I have it set up and running and I can get data through it. The problem is that I can't seem to dope out how to properly set it up for packet filtering This is not a difficult package to install; I did it as a non-technical newbie. Maybe you're making it more complex than it is? It's installed, just fine. (with minor exceptions). I can get data through it. I can make it completely block an IP address or completely trust an IP address. What I don't seem to be able to do is (generally) figure out how to control which *applications* can communicate (beginning with a browser), and on which ports, etc. etc. (one of the things that distinguishes a Personal firewall...). I can't get Netscape (or even ping) to be able to access any IP address on the net by default - I have to individually make each address trusted, or (in the case of ping) give the DNS servers completely unrestricted access, etc... I run Firestarter 0.9.2 and haven't touched it since installation in November. It just runs automatically from the init script, like all the other Linux services. I just opened it up now to remember what it looks Which release have you got? If you have 0.9.2 running on stable Woody, I am very, very, VERY interested in how you got *that* installed... (pre-emptive question: did you upgrade the C library, and if so how and to what?) At the moment I'm stuck with 0.8xx because what I've determined thus far about the upgrade is that it's only compatible with Sarge I had a problem with running it from the init script. I'm starting it manually. (Could *that* be my problem? 
There was some dicsucsion of *that* as well, on the sourceforge lists, but I couldn't convince myself that there was a real issue with whether or not it was run from init.d as far as functionality goes...) like. ;) Its GUI is very easy to use to configure your firewall, and I use it to protect this desktop box. If you use the pull-down menu item Edit - Preferences - Services, just check the boxes for services you The key there is services. I don't have any services I want to make available (yet - I'm sure I'll end up with ftpd etc. turned on eventually). I just want things like a browser to be able to communicate. Thus far - and if you've got the magic combination, I'd like to know - turning on various services doesn't seem to enable my browser to work. I have to enable IP addresses for every web site one at a time in the security settings. (There's clearly something really wrong there...). But I can't figure out which services might have to be enabled to make the browser work (if that's what's wrong), and my undersatanding (again) is that a running program just uses one or more ports for communication - enabling services has nothing to do with it - and that just enabling the *ports* on which it communicates should be sufficient. So far, though, no luck... want enabled to the public. It's as easy as configuring ZoneAlarm, but even more configurable, as I recall. Yes and no... it's really a different animal. Zone Alarm is program oriented - it can keep track of what apps are actually running and grant or deny access to them. I'm trying to sort of dummy up that feature with Firestarter... Zone Alarm, OTOH, knows nothing of ports (or if it does, I've never seen evidence of it, except possibly in the log files.) Mine works out-of-the box. I do remember changing some of the settings, as needed, in the preferences from the GUI, as mentioned above. I changed Reject to Deny, for example. 
I haven't tried every combination of everything, but I already feel like a complete idiot so I suppose trying things that make no sense is probably next on the agenda, unless I can find more information somewhere... I thought the idea was to explicitly permit only certain *ports* to communicate, but so far, I can't figure out any way to make *that* work... Use the Preferences to do this for Incoming by type of Service. I don't see how to do that for Outgoing, or even if that is a capability of It's not important for outgoing data unless (as you warn of below) something is trying to call home. (That question - whether something can call home - is one in which I'm very interested, and about which I've heard ominous tidbits - particularly as regards Gatesware, of curse - and which could occupy plenty of bandwidth here by itself, if it hasn't already...) In any case, I'm not trying to solve *that* problem yet (though I would like to know how to get logging for *all* IP
Re: Confounded by Firestarter Issues...
Heresy? Why? There is a consensus of some sort among some security people that (a) personal firewalls are useless, (b) using ipchains, iptables, or anything layered thereupon (like Firestarter)to attempt to construct one is a waste of time. (Obviously I don't care what they think, or I wouldn't be beating on the problem...). this relates in some measure to your comment below regarding running processes calling home... I have it set up and running and I can get data through it. The problem is that I can't seem to dope out how to properly set it up for packet filtering This is not a difficult package to install; I did it as a non-technical newbie. Maybe you're making it more complex than it is? It's installed, just fine. (with minor exceptions). I can get data through it. I can make it completely block an IP address or completely trust an IP address. What I don't seem to be able to do is (generally) figure out how to control which *applications* can communicate (beginning with a browser), and on which ports, etc. etc. (one of the things that distinguishes a Personal firewall...). I can't get Netscape (or even ping) to be able to access any IP address on the net by default - I have to individually make each address trusted, or (in the case of ping) give the DNS servers completely unrestricted access, etc... I run Firestarter 0.9.2 and haven't touched it since installation in November. It just runs automatically from the init script, like all the other Linux services. I just opened it up now to remember what it looks Which release have you got? If you have 0.9.2 running on stable Woody, I am very, very, VERY interested in how you got *that* installed... (pre-emptive question: did you upgrade the C library, and if so how and to what?) At the moment I'm stuck with 0.8xx because what I've determined thus far about the upgrade is that it's only compatible with Sarge I had a problem with running it from the init script. I'm starting it manually. (Could *that* be my problem? 
There was some dicsucsion of *that* as well, on the sourceforge lists, but I couldn't convince myself that there was a real issue with whether or not it was run from init.d as far as functionality goes...) like. ;) Its GUI is very easy to use to configure your firewall, and I use it to protect this desktop box. If you use the pull-down menu item Edit - Preferences - Services, just check the boxes for services you The key there is services. I don't have any services I want to make available (yet - I'm sure I'll end up with ftpd etc. turned on eventually). I just want things like a browser to be able to communicate. Thus far - and if you've got the magic combination, I'd like to know - turning on various services doesn't seem to enable my browser to work. I have to enable IP addresses for every web site one at a time in the security settings. (There's clearly something really wrong there...). But I can't figure out which services might have to be enabled to make the browser work (if that's what's wrong), and my undersatanding (again) is that a running program just uses one or more ports for communication - enabling services has nothing to do with it - and that just enabling the *ports* on which it communicates should be sufficient. So far, though, no luck... want enabled to the public. It's as easy as configuring ZoneAlarm, but even more configurable, as I recall. Yes and no... it's really a different animal. Zone Alarm is program oriented - it can keep track of what apps are actually running and grant or deny access to them. I'm trying to sort of dummy up that feature with Firestarter... Zone Alarm, OTOH, knows nothing of ports (or if it does, I've never seen evidence of it, except possibly in the log files.) Mine works out-of-the box. I do remember changing some of the settings, as needed, in the preferences from the GUI, as mentioned above. I changed Reject to Deny, for example. 
I haven't tried every combination of everything, but I already feel like a complete idiot so I suppose trying things that make no sense is probably next on the agenda, unless I can find more information somewhere... I thought the idea was to explicitly permit only certain *ports* to communicate, but so far, I can't figure out any way to make *that* work... Use the Preferences to do this for Incoming by type of Service. I don't see how to do that for Outgoing, or even if that is a capability of It's not important for outgoing data unless (as you warn of below) something is trying to call home. (That question - whether something can call home - is one in which I'm very interested, and about which I've heard ominous tidbits - particularly as regards Gatesware, of curse - and which could occupy plenty of bandwidth here by itself, if it hasn't already...) In any case, I'm not trying to solve *that* problem yet (though I would like to know how to get logging for *all* IP
Re: Confounded by Firestarter Issues...
Heresy? Why? There is a consensus of some sort among some security people that (a) personal firewalls are useless, (b) using ipchains, iptables, or anything layered thereupon (like Firestarter)to attempt to construct one is a waste of time. (Obviously I don't care what they think, or I wouldn't be beating on the problem...). this relates in some measure to your comment below regarding running processes calling home... I have it set up and running and I can get data through it. The problem is that I can't seem to dope out how to properly set it up for packet filtering This is not a difficult package to install; I did it as a non-technical newbie. Maybe you're making it more complex than it is? It's installed, just fine. (with minor exceptions). I can get data through it. I can make it completely block an IP address or completely trust an IP address. What I don't seem to be able to do is (generally) figure out how to control which *applications* can communicate (beginning with a browser), and on which ports, etc. etc. (one of the things that distinguishes a Personal firewall...). I can't get Netscape (or even ping) to be able to access any IP address on the net by default - I have to individually make each address trusted, or (in the case of ping) give the DNS servers completely unrestricted access, etc... I run Firestarter 0.9.2 and haven't touched it since installation in November. It just runs automatically from the init script, like all the other Linux services. I just opened it up now to remember what it looks Which release have you got? If you have 0.9.2 running on stable Woody, I am very, very, VERY interested in how you got *that* installed... (pre-emptive question: did you upgrade the C library, and if so how and to what?) At the moment I'm stuck with 0.8xx because what I've determined thus far about the upgrade is that it's only compatible with Sarge I had a problem with running it from the init script. I'm starting it manually. (Could *that* be my problem? 
There was some dicsucsion of *that* as well, on the sourceforge lists, but I couldn't convince myself that there was a real issue with whether or not it was run from init.d as far as functionality goes...) like. ;) Its GUI is very easy to use to configure your firewall, and I use it to protect this desktop box. If you use the pull-down menu item Edit - Preferences - Services, just check the boxes for services you The key there is services. I don't have any services I want to make available (yet - I'm sure I'll end up with ftpd etc. turned on eventually). I just want things like a browser to be able to communicate. Thus far - and if you've got the magic combination, I'd like to know - turning on various services doesn't seem to enable my browser to work. I have to enable IP addresses for every web site one at a time in the security settings. (There's clearly something really wrong there...). But I can't figure out which services might have to be enabled to make the browser work (if that's what's wrong), and my undersatanding (again) is that a running program just uses one or more ports for communication - enabling services has nothing to do with it - and that just enabling the *ports* on which it communicates should be sufficient. So far, though, no luck... want enabled to the public. It's as easy as configuring ZoneAlarm, but even more configurable, as I recall. Yes and no... it's really a different animal. Zone Alarm is program oriented - it can keep track of what apps are actually running and grant or deny access to them. I'm trying to sort of dummy up that feature with Firestarter... Zone Alarm, OTOH, knows nothing of ports (or if it does, I've never seen evidence of it, except possibly in the log files.) Mine works out-of-the box. I do remember changing some of the settings, as needed, in the preferences from the GUI, as mentioned above. I changed Reject to Deny, for example. 
I haven't tried every combination of everything, but I already feel like a complete idiot so I suppose trying things that make no sense is probably next on the agenda, unless I can find more information somewhere... I thought the idea was to explicitly permit only certain *ports* to communicate, but so far, I can't figure out any way to make *that* work... Use the Preferences to do this for Incoming by type of Service. I don't see how to do that for Outgoing, or even if that is a capability of It's not important for outgoing data unless (as you warn of below) something is trying to call home. (That question - whether something can call home - is one in which I'm very interested, and about which I've heard ominous tidbits - particularly as regards Gatesware, of curse - and which could occupy plenty of bandwidth here by itself, if it hasn't already...) In any case, I'm not trying to solve *that* problem yet (though I would like to know how to get logging for *all* IP
sorry...
I see the multiple messages. this web mailer is really, really, REALLY screwed up. fortunately, I think I know what the bug is and can avoid triggering it from here on... just damn. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: recommendation for digital camera -= Shameless Nikon plug
I am using Nikon 4300 with linux and I am able to access it as mass storage without any problem. I just have to mount the camera as usb mass storage and copy the image files to my hdd. If anybody is interested in having more info, kindly let me know. Yeah, Me! I have a 5700 and will eventually be using it with Linux. But I sort of figured I would end up running the Nikon package under Windows via VMware under Linux. Getting Windows out of the picture completely is a good idea. What you're doing wouldn't get me any of the features of the Nikon software, though (not that I'm *using* any of them yet, mind you, but...) - for that, I'd need the Nikon software to run directly under Linux?. I'm sure my 5700 will hook up the same way as the 4300... maybe you could post the mount command you're using. Did you have to load anything special as far as USB drivers goes, in order to support the camera? Any information I get, I will capture in a file for Future Use... Doesn't this model and many others by Nikon suffer from low light focusing problems? They lack a low-light focusing lamp, Canon doesn't. That is a problem which is very annoying in low light. I haven't noticed that, but I have noticed the autofocus going nuts when I get up close to a tree with light shining through the leaves; it can't decide what to focus on. I've been forced to turn on the manual focus under such circumstances. Also, it goes wacky when it tries to resolve something against a plain white background, and I've been forced to troll all the way to the bottom of the white correction menus to try to rearrange its attitude. But I'm always getting into performance corners with everything and then demanding too much, and Nikon support will probably fix my problem anyway when I get around to bugging them about it... What are you taking pictures of in really low light, anyway??
Re: how to sweep hard disk of confidential data
You guys are all overlooking the obvious. All that is required to completely destroy every bit of data on a disk drive so that it cannot possibly be retrieved, is to make sure the drive is completely filled with absolutely vital data that has not been backed up anywhere. That will guarantee with 100% certainty that it will all be destroyed in an accidental disk crash, so thoroughly that even the FBI and the Air Farce intelligence lab working nights and weekends with an electron microscope could recover it. I can't believe you guys actually work in IS... On Sun, 18 Jul 2004 19:56:56 -0600, Paul E Condon [EMAIL PROTECTED] said: On Sun, Jul 18, 2004 at 08:59:38PM -0400, Silvan wrote: On Sunday 18 July 2004 06:52 pm, Doug Holland wrote: If the answer is yes (usually we're talking about government contractors with classified data), then the only answer is to physically destroy the hard disk's platters. Yeah, and I guess at that you'd have to *really* destroy the platters. Cutting a hard drive in half with a bandsaw is fun, but it sounds like these guys might be able to recover something from it even at that. I guess you'd have to melt it down. Probably not. You only have to heat the platter to a temperature above the Curie point of the ferromagnetic material that coats the platter. This is usually a few hundred degrees C below the melting point. The information is stored in the remanent magnetization of the coating on the platter. Above its Curie point, the material becomes paramagnetic and is incapable of retaining remanent magnetization and therefore incapable of storing information. But this is a temperature well above what is necessary to turn all the plastic parts of the disk drive into noxious vapor. -- Paul E Condon [EMAIL PROTECTED]
Re: recommendation for digital camera -= Shameless Nikon plug
Just out of curiosity, what does that SW offer? Well, there are several packages, one of which is always bundled with the camera and the others for sale separately. The Nikon website is a better source of info than I am, actually. But the direct camera support package provides USB detection, automatic downloading, a bunch of cosmetic viewer features... The buy-up packages provide image correction and editing, I think. (I haven't loaded it yet...). Some of those things are built into Windoze XP, I think (I'm not, and never will be, upgraded beyond Win 98), so the Nikon software for older versions of Windoze provides whatever the older versions don't have... The real benefit to having the Windoze apps (Nikon or not) to support the camera is in being able to load camera (or film scanner) images directly into something like Photoshop without having to go through any JPEG or other compression, so that you can manipulate raw images. (Again, I'm picking nits because I usually don't *do* this - but that's where hooking the camera up to Linux might start producing limitations if you don't have whatever Nikon or other software provides the capability...) I think the Nikon load you get with the camera (or scanner) provides the hooks (drivers or driver linkage?) for some of the other commercial apps like Photoshop to get at the camera or scanner directly... not sure though. I added the following two lines to /etc/modules: . . . Thanks You probably just saved me an eventual two or three evenings of website/document/list trolling...
Re: recommendation for digital camera -= Shameless Nikon plug
In that case I would also suggest you avoid anything Sony. I've never seen worse customer support (and that even for very high end equipment company customers, not just the small end user), and when they do bother making a proper piece of hardware they seriously cripple it with their copyright paranoia (see NetMD for example). Yipes... I've bought some of their consumer electronics and had good luck with it (including service), but never anything support-intensive (i.e. programmable in any way). I can easily believe they could have gone bad when they got into anything with intelligence in it... I just don't buy anything that has copy protection or blocked channels or anything of the sort, without making sure whatever is blocked/banned/etc. can be defeated somehow. It's a matter of principle; as soon as a government or industry decides to ban something, I run out and buy lots of whatever it is immediately whether I want it or not. I am looking at linux support for coolpix 4500, and it seems to exist (haven't had a chance to test yet, it's not mine). Nikon seems to support both mass storage and ptp on their cameras. They do on some of their cameras, at least, according to the website you mention below (interesting site, btw...). For some more information have a look http://www.teaser.fr/~hfiguiere/linux/digicam.html Canon may be a bit more troublesome than Nikon. You should look for a camera with both usb-storage support (easiest way to download pictures) and ptp support which will give you access to some more advanced camera features. I am not sure if it will allow you to access all the features of the camera from linux (some of the high end cameras are customizable and may require dedicated software). *That* is the thing I'm concerned about, when thinking about going to direct Linux support, vs. using Linux with VMware to get at the Gatesware to get at the Nikonware. 
But I haven't dug into the camera features enough to know what features are available that might be impacted, yet...
Re: recommendation for digital camera -= Shameless Nikon plug
I suppose this has wandered far enough OT from Linux that I can weigh in on it... After using Nikon's website/email support, I will not buy anything else. I bought a dead (as it turned out) Nikon film scanner at a swap meet a couple of years back, plugged it into Windoze, and started in on it. I found every piece of documentation that was supposed to come with the unit on-line. Nikon's support team helped me troubleshoot it, and when their front-line support group couldn't figure it out they quickly transferred me to their specialists who diagnosed a blown SCSI terminator fuse and assisted me in disassembling and repairing the unit. They answered my emails within 2 hours *even on weekends*. They were so efficient that I *never had to make a phone call*. I ended up paying $75.00 for a working $1200 film scanner. After getting that kind of support from Nikon on one of their products that wasn't on warranty and wasn't even bought from one of their dealers, I didn't even bother looking at other cameras when I went to buy a digital camera, because I *know* I'm going to get into software and interface trouble with it just like I do with everything else, and at least with Nikon I know I won't end up having to deal with a third-world something with a third-grade education who only speaks Fungoolistani and can't wait to get rid of me as soon as my question isn't in its hotline cookbook. When it comes to computerized electronics, I'll even give up some performance or features to get support. (What good are the performance and features if you can't get the @#$%^*! thing working??) (P.S.: If anyone knows anything about Linux support for Nikon, please point me at it; I'll probably need it eventually...) (N.B.: I will, for identically converse reasons relating to support, NEVER buy ANYTHING from Fuji EVER again - not even so much as a roll of film. And I hope somebody from both Nikon and Fuji is reading this.) 
Re: apt-get says file a bug report - Should I?
Oh, fooey. You're corroborating all of my worst suspicions. Oh well... OK, to make sure I'm understanding you, you're running stable, and you want to install firestarter out of testing. Is that right? well, the version of Firestarter that supports KDE is *only* available as a testing version... so yeah, I'm stuck with that. If so, there is no problem with firestarter. The problem is simply that you're trying to do something that is generally considered a Bad Idea, and in this particular case isn't possible. As the documentation (that you've read, right??) at www.debian.org makes clear, mixing software from testing and/or unstable into a system with stable installed is a Bad Idea. I have read Many Documents, but I haven't read that particular dire warning - and that bothers me. Where did I miss *that*? In this case, it appeared to me that the fact that it was only available in the testing release, probably just implied that somebody had only recently enhanced it so it would talk to KDE. But that has turned out to be dramatically not the case - as you mention, upgrading Firestarter would involve sucking in enough other new stuff from testing that I'd nearly end up with Sarge anyway. Now, if I'd read somewhere that installing large numbers of packages from the testing distribution was a Bad Idea, I probably would have bagged this whole thing a lot earlier... and avoided wasting a bunch of time and mailing list bandwidth, etc. So... which document did I miss *this* time? However, that implies realizing that the other packages to be sucked in would all come from the testing distribution. I installed stable Woody off the CD-ROM images which I downloaded. One thing I now realize I'm not clear on (and which is probably explicitly explained in *more* documentation that I somehow didn't find...) is whether or not the Debian archives/mirrors might have packages in their representation of the stable distribution, which have *versions* more recent than the ones on my CD-ROMs? 
If that were the case, then the fact that I requested a testing version of Firestarter, and then discovered that it wanted all sorts of updated versions of various packages, might only mean that the Firestarter package just needed newer versions of various packages in the *stable* release. So it wasn't clear to me at the outset that *everything* to be pulled in would come from the testing release. In fact, I'd tried (however successfully) to configure the apt preferences file to only pull packages from testing when absolutely necessary... The software in testing and unstable were built using libraries in testing and unstable; they need those libraries, in the versions in testing/unstable, to work. Okay... I'm getting the picture, here... what that implies is that no effort is expended to ensure any *backward* compatibility across releases. (Not surprising, and not unreasonable considering the resources, but worth keeping in mind for people like me who like to wander around in minefields...) Your attempt to install firestarter out of testing failed because the firestarter in testing needed libraries that *are* present in testing, but aren't present in stable. That's not a bug. That's not a problem with apt-get. That's not a problem with the packaging system. That's true, but apt-get's messages shouldn't encourage bomb-throwers like me to file bug reports... The only problem is that you're trying to do something that makes no sense -- install a program without also installing the other software/libraries that it depends upon to work. Well, I *was* trying to install them, but I got the result you predict below, more or less. So what do you do? You could install those libraries out of testing, as well. But as I've indicated, this is a Bad Idea. Those libraries themselves have dependencies, so you'll have to get those, too. 
Sooner or later, you'll run into a conflict between stuff you want to install, and stuff out of stable that you have installed currently, and your attempt to install the new stuff will cause apt-get to want to remove your stuff from stable. If the stuff out of testing you want to install absolutely depends on a version of the general C libraries in testing (that is, if the version of the C libraries in stable isn't sufficient), then there's no way to install the stuff out of testing without removing the C libraries from stable -- and thus, all the software in stable built against them. Don't try this. It's a Bad Idea. It is a highway to a broken system. Yeah, I found that out... fortunately, dselect took (probably undeserved) pity on me and threw me a lifeline... And, I'd been considering just upgrading the C library package as a first step toward negotiating the package dependencies - you've convinced me that my reservations about so doing are entirely warranted. But: Aren't there multiple versions of packages available within the stable and
Re: apt-get says file a bug report - Should I?
It is a missing dependency problem. | and how do I get | apt-get/dpkg/dselect/whoever to cough up the facts of the case? It did! :-). (see the end of the long apt message where it talks about unmet dependencies) Well, yes and no. It's implying that somehow its inability to resolve the dependency issue is a *bug*, which apparently isn't true... The situation arises from using apt preferences - you set 'stable' as the default release, however you explicitly requested a 'testing' package. apt will not, by default, with those settings upgrade the libraries to the necessary versions. Instead it picks the 'stable' version, by default, and then complains that it is too old. Okay... I didn't go through this earlier, or detail it in my answer to the other respondent, but: By various manipulations of the preferences file, and command line options to apt-get, it is possible to get it to go off and actually try to do the installation. But, while the problem apparently *is*, in this case - just as you say - that it is constrained to packages that are too old (the stable version of firestarter is already installed on my system, so - if I now understand this correctly - what apt-get is complaining about is that it is being forced to use *support packages* that are too old, and doesn't know what to do about it, to the point where it thinks there's a bug somewhere. There are a few ways to solve that. 1) temporarily change the default release # apt-get -t testing install firestarter (or edit /etc/apt/preferences) I did that. It *is* possible to force apt-get to come up with a (stupendous) list of packages required to get the testing release. But because going down that path caused me to fall in quicksand, I decided to open the discussion with the issue of apt-get claiming that it had a bug... 
2) explicitly specify which release or version you want the packages from : # apt-get install firestarter libbonoboui2-0/testing libgnome2-0/testing libgnomeui-0/testing I did that also, but only per apt-get install firestarter/testing. I didn't try it on the individual packages it was complaining about all on one command line. However, in general it appears that there are various combinations of sources.list and preference file contents and command line syntax which will *force* apt-get to compute an entire package download configuration to ostensibly solve the problem (not that I trust its judgement one iota, mind you...) Option #1 is ok. Option #2 will soon get tiresome as you iterate through each layer of dependencies. (once you run the above command you'll find out what newer libraries those libraries need and so on) Aptitude's curses interface makes option #2 easier. It also gives a clearer indication of what was wrong in the first place. I did, at one point, end up descending layers of dependencies by successive iteration of something. (It was late at night, or early in the morning, so something will have to suffice as an explanation of whatever it was I was doing...). That was the point at which I started realizing that I was fishing in *really* deep water and probably really looking at an upgrade to sarge before I was done. In general you can't. You need to decide whether or not you are willing to attempt the upgrade and see what happens. I can tell you that the libraries in testing will need a newer libc6 than stable has, and once you upgrade libc6 (and gnome) you will have upgraded almost everything to testing and you won't have a 'stable' system any more. There is nothing inherently wrong with that, unless you really want to stick with stable. If you really don't want to move to testing, then you will probably find it easier to find a backport of the app and all dependent libraries or install the source package and build it yourself. 
Okay, you've really nailed it there. I was thinking of starting with a libc6 upgrade as a first step to solving the problem, since in the process of examining the entrails I realized that *a lot* of the broken dependencies would be resolved by getting the libc6 package. But - as both you and the other respondent have said - I suspected that doing so would (a) probably break a lot of things, and (b) even if it worked, put me a good distance of the way to a sarge installation anyway. If I'm going down that path, I'll just install sarge on another bootable partition where I can perform unnatural acts on it without jeopardizing my stable installation. | (I've already tried | various things, and APT is *really* tenacious about not liking the | idea of installing this - and I already tried an experiment | in loading the libbonoboui2-0 package which nearly ended in | disaster; see my earlier post today) This is probably due to the chain of dependencies and your setting stable as the default release. Actually, I think the previous respondent's more general
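The selection behaviour described in the reply quoted above, as an added example that is not part of the original thread: a toy Python model (not apt's own resolver) of how a default release of stable leaves a package requested from testing with unmet dependencies, layer after layer. Package names are taken from the thread; every version number and dependency bound is constructed, and the 990/500 priorities are the ones documented in apt_preferences(5).

```python
"""Toy model of apt candidate selection with a default release.

Added illustration, not apt's resolver. Package names come from the thread;
every version tuple and dependency bound below is constructed.
"""

# package -> release -> (version, {dependency: minimum version})
ARCHIVE = {
    "firestarter": {
        "stable": ((0, 8), {}),
        "testing": ((0, 9), {"libbonoboui2-0": (2, 4),
                             "libgnome2-0": (2, 4),
                             "libgnomeui-0": (2, 4)}),
    },
    "libbonoboui2-0": {"stable": ((2, 0), {"libc6": (2, 2)}),
                       "testing": ((2, 4), {"libc6": (2, 3)})},
    "libgnome2-0": {"stable": ((2, 0), {"libc6": (2, 2)}),
                    "testing": ((2, 4), {"libc6": (2, 3)})},
    "libgnomeui-0": {"stable": ((2, 0), {"libc6": (2, 2)}),
                     "testing": ((2, 4), {"libc6": (2, 3)})},
    "libc6": {"stable": ((2, 2), {}), "testing": ((2, 3), {})},
}


def priority(release, target):
    """Versions in the target (default) release get 990, all others 500."""
    return 990 if release == target else 500


def candidate(pkg, target):
    """Pick the release whose version wins: highest priority, then newest."""
    releases = ARCHIVE[pkg]
    return max(releases, key=lambda rel: (priority(rel, target), releases[rel][0]))


def plan(requests, target):
    """Model one install run.

    requests maps package -> release forced with pkg/release, or None to take
    the candidate. Dependencies that were not named explicitly always take
    their candidate, which is what the thread describes.
    Returns (selected, unmet): selected maps package -> (release, version),
    unmet lists (package, dependency, needed, to_be_installed).
    """
    selected, queue = {}, list(requests)
    while queue:
        pkg = queue.pop(0)
        if pkg in selected:
            continue
        rel = requests.get(pkg) or candidate(pkg, target)
        version, deps = ARCHIVE[pkg][rel]
        selected[pkg] = (rel, version)
        queue.extend(deps)
    unmet = []
    for pkg, (rel, _) in selected.items():
        for dep, needed in ARCHIVE[pkg][rel][1].items():
            have = selected[dep][1]
            if have < needed:
                unmet.append((pkg, dep, needed, have))
    return selected, unmet


def show(title, requests, target):
    selected, unmet = plan(requests, target)
    print(title)
    for pkg, (rel, ver) in sorted(selected.items()):
        print(f"  {pkg:16} {'.'.join(map(str, ver)):5} from {rel}")
    for pkg, dep, needed, have in unmet:
        print(f"  UNMET {pkg} depends on {dep} >= {'.'.join(map(str, needed))}"
              f" but {'.'.join(map(str, have))} is to be installed")


if __name__ == "__main__":
    # Default release stable, only the named package forced to testing.
    show("firestarter/testing", {"firestarter": "testing"}, "stable")
    # Option 2 from the thread: force the first layer of libraries as well.
    show("libraries forced too",
         {"firestarter": "testing", "libbonoboui2-0": "testing",
          "libgnome2-0": "testing", "libgnomeui-0": "testing"}, "stable")
    # Option 1 from the thread: -t testing makes testing the target release.
    show("-t testing", {"firestarter": None}, "testing")
```

The third scenario resolves cleanly only because libc6 is taken from testing too, which is the point the reply makes about no longer having a stable system.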
Re: Newbie problems galore
I need to pass things back-and-forth between Linux and Windoze. I see references to VFAT FS on the web site, but for the life of me, I can't find a trace of the software. It's really bad to have to play games with tar at both sides of the route in order not to munge up the magic pathnames. PLEASE don't tell me that the evil beast of Redmond has buried VFAT under a patent claim!! If not, please, where can I find it? When I installed woody from the CDs, during the partitioning and mounting process of the first part of the install, the install found the Windows partitions. It was then possible to identify them as VFAT file systems during the next phase of the install, and the install then generated the correct mtab or fstab or whatever it is this week entries for them and I had access to my Gatesware drives the outset. (I was impressed.) I still haven't figured out how to make the Linux data visible from within Windoze, other than scribbling files from Linux onto one of the VFAT-mounted drives. Right now, I've managed to hork up my package data so dpkg gets hung up trying to fix things. My best bet seems to be to restart from scratch. How do I get dpkg / apt / aptitude to clean my machine totally, or what files should I remove to make all this stuff go away? Or, would it really be quicker to re-init my partitions and start again from the CD? I am the next-to-the-last person on this list to be capable of commenting on this. But, I ended up in a similar situation (read my postings for the agonizing details), and my experience was that dpkg was too low-level and apt-get too limited to help (someone on here commented that it was originally just an experimental implementation which got out of control...) BUT... *dselect* rescued my system. 
I went through the 6-or-7-step program with it and it was able to compute the correct reload from CD-ROM (using the apt-get method - you do have a correct sources.list file with your CD-ROM entries in it, that got generated when you did the install, right?). (Warning: You will *hate* dselect, if you try it.)
Re: dselect alternatives
What are you thinking dselect does for you that apt-get doesn't?

Well, this is just an anecdote (the singular of data...), but - Yesterday apt-get maliciously lunched my install (okay, okay, I was trying to upgrade firestarter even though apt-get told me to file a bug report because it thought the install was impossible... more on that coming up soon). The X server died horribly, screaming, as a result of things it needed having been scurrilously removed by apt-get (which did sort of warn me that it had probably clobbered my X-server install) (but only after having already done it, of curse). I only had terminal login. After a 4-hour late-night knock-down drag-out with apt-get, dpkg, and dselect, trying to figure out a way back to from where I came, I was finally able to rescue the install with dselect. Telling it to reconfigure everything it didn't like and then reinstall everything it did like, brought my install back to life. (I was *really* convinced I was looking at a complete reload...) apt-get and dpkg kept generating interlocking package interdependencies that they *just* *could* *not* resolve... There is probably some obscure combination of command syntax and control file entries for either apt-get or dpkg or both that would accomplish the same thing, but no amount of man-page-reading and website-trolling (via Gatesware, since my Debian install was dead) conveyed the appropriate incantations... dselect, on the other hand, despite its blatant inoperability as regards configuring specific behaviors, *was* able to diagnose the corrupted dependencies and rescue the installation, even when operated by a complete idiot. 
(Pages and pages of dismal output logs from apt-get and dpkg available on demand, if anyone's interested) (which I wouldn't be, if I were you) (No, I DON'T know what I'm doing, I only do what the voices in my head tell me) (Last night, just before I finally rescued the install, they were telling me to clean my guns)
apt-get says file a bug report - Should I?
Here's the transaction...

floozy:~# apt-get install firestarter
Reading Package Lists... Done
Building Dependency Tree... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.

Since you only requested a single operation it is extremely likely that
the package is simply not installable and a bug report against
that package should be filed.
The following information may help to resolve the situation:

Sorry, but the following packages have unmet dependencies:
  firestarter: Depends: libbonoboui2-0 (= 2.5.4) but it is not going to be installed
               Depends: libgnome2-0 (= 2.6.0) but it is not going to be installed
               Depends: libgnomeui-0 (= 2.6.0) but it is not going to be installed
E: Sorry, broken packages
floozy:~#

I'm running stable Woody and I have the Woody version of Firestarter running. It does work (sort of) but it's written for Gnome and I'm running KDM and it scribbles error messages to the invoking shell constantly, whining about various (probably Gnome-related) incompatibilities. I've verified (trust me) that apt-get really is trying to go get the upgraded (testing) version of Firestarter. My usual net trolling has failed to turn up anything about firestarter having install problems of this sort. The newer version of it is supposed to be KDM compatible.

Questions:

(1) If this isn't a package install bug, what is it? and how do I get apt-get/dpkg/dselect/whoever to cough up the facts of the case?

(2) If it's actually some sort of dependency problem, how can I fix the dependencies that apt-get doesn't like, and (since APT generally doesn't seem to like the situation, and therefore there's likely to be something ominous afoot) how can I be sure that whatever I'm fixing doesn't cause more problems elsewhere? (I've already tried various things, and APT is *really* tenacious about not liking the idea of installing this - and I already tried an experiment in loading the libbonoboui2-0 package which nearly ended in disaster; see my earlier post today)

(2) I can't believe I'm the first person to encounter this... so why can't I find *anything* about either the apt-get error message generally or the Firestarter install problem? (Yeah, I know, I'm braindamaged and don't know how to use a search engine, etc. etc...)

(3) Is it possible that I need to do a complete upgrade to the sarge Kernel, in order to get this new firestarter to work, and if so how do I make that determination (and why doesn't apt-get see fit to inform me thereof... etc...)?

(4) ARrrgh!! HElP!!! Grumble...
is it possible to change apt-get
is it possible to change apt-get's access priorities?
(I think a bogus copy of this went out... my apologies) I'm on a dialup, and I have the Woody CD-ROM distribution, so I want apt-get to first try to find packages on the CDs before using the remote archive entries in sources.list. But as soon as I add an http entry to sources.list, it insists on trying the remote archive, and ignores the CD-ROM entries. Thus far, I can't find anything in the docs that explains how to force it to first try the CD-ROMs and use remote access as second priority. If I delete the http (or whatever) remote archive entry from sources.list, that does force it to revert to CD-ROM, but then when I do need to access anything from the testing or unstable distributions, I have to reinstate the entries in the sources.list file and then re-update apt-get with the remote archive locations for the testing, etc., which gets very boring and causes me to start drinking after a few cycles of that at 1AM. I also suspect that if it's looking on the remote archive for a package, it will always look for all dependent packages on the archive, and I'd rather it would look first on the CD-ROM for those also. In fact, I suspect that it's always looking for the most recent copy of whatever it can find, and I'd rather it would use what it can find on the CD-ROM unless the dependencies demand the latest version... (1) Is there a way to set it up to do these things, or am I going to have to either (a) put up with downloading hundreds of megabytes via dialup or (b) hack a solution together with dpkg and dselect ? (2) if the answer to all this is somewhere in the documentation, FAQs, list archives, etc. etc. I'd like to know where it is, as extensive searching has thus far failed to reveal it. 
I did find some syntax for setting stable as the default for installs in the apt.conf file, which I thought *might* affect its behavior w/r/t whether it would first look on the CD-ROM, since the CD-ROM is ostensibly the only valid entry for stable in the sources.list file, but apt-get didn't like the syntax. If there's a more appropriate list for this posting, please let me know; I didn't find a list dedicated to apt, dpkg, dselect, and the updating process...
Re: is it possible to change apt-get's access priorities?
Well, yes, I had read that... several times. (Not that the answer may not be in there and I'm staring right at it and not seeing it, *but...*). I'm able to make apt-get work from either CD-ROM or from the archive. I've got all the entries for the CD-ROM and the archives correct. The problem is whether or not it's possible to rearrange apt-get's priorities for how it selects packages and dependencies. One quote from the document you pointed at, is what I'd mentioned earlier: It's important to note that APT always looks for the most recent versions of packages. Therefore, if your /etc/apt/sources.list were to list an archive that had a more recent version of a package than the version on the CD, APT would download the package from there. The thing is, what I *want* it to do, in a case where I'm just trying to load something initially and get it running, is to go get whatever it can find from the stable distribution on the CD-ROM, to start with. Then if I don't like that, or whatever it is doesn't work, I want to point it at an upgrade on a distribution archive. But the behavior (as the above quote suggests) seems to be that it will go for the most recent version no matter what. I've tried various things that the documentation suggests... for instance, apt-get install [package_name]/stable is supposed to force access of a stable release... but even though when only testing and unstable releases are defined for remote access in the remote archive entries of my sources.list file, and the CD-ROM entries *do* represent stable Woody, apt-get still goes charging off to the remote archive. Or, the entry APT::Default-Release stable; in the apt.conf file is supposed to at least cause apt-get to not try for a testing or unstable release if it can find a stable one... I think? (The syntax, which I got off another forum, caused apt-get to error... 
I suppose I shouldn't be surprised, since I don't see that syntax in the documentation for apt-config, but maybe I haven't tried enough variations of it - or maybe I need to upgrade apt-get? (That ought to be good for *at least* a 100MB download...) Maybe what I want to do is just impossible... but that's what I'm trying to find out... As I mentioned, I can *bludgeon* it into doing what I want, by editing the sources.list file to comment out the remote archive entries, re-updating apt-get's internal list, and thereby forcing it to go to the CD-ROMs, but it's really time-consuming (etc...) that way.

On Thu, 08 Jul 2004 16:17:39 -0700, Paul Johnson [EMAIL PROTECTED] said:

[EMAIL PROTECTED] writes:

(I think a bogus copy of this went out... my apologies) I'm on a dialup, and I have the Woody CD-ROM distribution, so I want apt-get to first try to find packages on the CDs before using the remote archive entries in sources.list. But as soon as I add an http entry to sources.list, it insists on trying the remote archive, and ignores the CD-ROM entries. Thus far, I can't find anything in the docs that explains how to force it to first try the CD-ROMs and use remote access as second priority.

Googling[1] has come up with this resource[2] which looks like it might be what you're looking for.

[1] http://www.google.com/search?q=http%20cdrom%20priority%20apt&ie=UTF-8&oe=UTF-8
[2] http://www.debian.org/doc/manuals/apt-howto/ch-basico.en.html
Re: is it possible to change apt-get's access priorities?
Thanks! Yes, that's essentially what I'm after. I don't have an apt.preferences file... I'll generate one as you suggest. I read what docs. I found on the apt.preferences file, and couldn't figure out how it would fix my priority problem with the CD-ROM for the stable release, since the CD-ROM entries are first in order in the sources.list file, which from what I could tell was supposed to guarantee their priority. (I already stumbled over the cache limit problem and fixed that, but the APT::Default-Release stable; entry, which I also tried, caused a Bad syntax at end of apt.conf file error (I'll go recheck the syntax *again*...). Thanks again -- that gives me some new tactics to employ... On Thu, 8 Jul 2004 20:14:05 -0500, Jacob S. [EMAIL PROTECTED] said: On Thu, 08 Jul 2004 17:15:13 -0700 [EMAIL PROTECTED] wrote: Well, yes, I had read that... several times. (Not that the answer may not be in there and I'm staring right at it and not seeing it, *but...*). I'm able to make apt-get work from either CD-ROM or from the archive. I've got all the entries for the CD-ROM and the archives correct. The problem is whether or not it's possible to rearrange apt-get's priorities for how it selects packages and dependencies. One quote from the document you pointed at, is what I'd mentioned earlier: It's important to note that APT always looks for the most recent versions of packages. Therefore, if your /etc/apt/sources.list were to list an archive that had a more recent version of a package than the version on the CD, APT would download the package from there. The thing is, what I *want* it to do, in a case where I'm just trying to load something initially and get it running, is to go get whatever it can find from the stable distribution on the CD-ROM, to start with. Then if I don't like that, or whatever it is doesn't work, I want to point it at an upgrade on a distribution archive. 
But the behavior (as the above quote suggests) seems to be that it will go for the most recent version no matter what.

Hello,

If I'm understanding you properly, you want apt-pinning to work with 4 repositories: 1) CDs, 2) stable on debian.org servers, 3) testing on debian.org server and 4) unstable on debian.org servers. You'll need an /etc/apt/preferences file, if you don't have one already. Here's how I had it set for using Woody with an occasional package from Testing and Unstable:

Package: *
Pin: release a=stable
Pin-Priority: 900

Package: *
Pin: release a=testing
Pin-Priority: 60

Package: *
Pin: release a=unstable
Pin-Priority: 60

You can also set the following line in /etc/apt/apt.conf, but I didn't find it essential when I was using it:

APT::Default-Release stable;

You will probably want to set the following line in /etc/apt/apt.conf as well, to avoid apt-get segfaulting during an update.

APT::Cache-Limit 1000;

This should now give you only packages from stable (Woody), unless you ask for something different. It should also get Woody's packages off the CDs instead of the internet whenever possible. However, keep in mind that a lot has changed in Woody since it was first released, so if your cds are very old it may not use them much.

Also, there were a couple of large library upgrades between Woody and Sarge (testing), such as libc6. This may make it so that you can't install that neat package you want from Sarge until you upgrade libc6 and a few other related packages, making for a large download. (There is a library for libc6 to have backwards compatibility, however, so you shouldn't have to worry about that part.)

Finally, if you use apt-get -t release install packagename (where release is testing or unstable, and packagename is the name of the package you want to install), instead of apt-get packagename/release, it will download the needed dependencies from the same release as packagename, instead of downloading the package and using dependencies from your old release. This can be both good and bad, depending on your circumstances, but most often it's good.

HTH HAND,
Jacob

--
GnuPG Key: 1024D/16377135
Random .signature #20: Windows: Microsoft's tax on computer illiterates.
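
A simplified model of how the three pins quoted in the message above steer APT's choice between the CD, the online stable archive and testing, added here as an example and not part of the original thread. The package versions and source labels are constructed, nothing is assumed to be installed yet, and version comparison is reduced to dotted integers (real APT uses dpkg's version ordering).

```python
# Simplified model of APT candidate selection under /etc/apt/preferences.
# Assumption: versions are plain dotted integers; real APT uses dpkg ordering.

DEFAULT_PRIORITY = 500  # what APT assigns when no pin and no target release applies

# The three pins from the message above: (archive, Pin-Priority).
PINS = [("stable", 900), ("testing", 60), ("unstable", 60)]

# Constructed sample: one package as seen from three sources.list entries,
# listed in sources.list order (CD first). Versions are made up.
AVAILABLE = [
    ("0.8.2", "stable", "cdrom"),
    ("0.8.2", "stable", "http"),
    ("0.9.3", "testing", "http"),
]

def version_key(version):
    return tuple(int(part) for part in version.split("."))

def pin_priority(archive, pins):
    """The first matching 'Pin: release a=<archive>' record decides."""
    for pinned_archive, priority in pins:
        if pinned_archive == archive:
            return priority
    return DEFAULT_PRIORITY

def candidate(available, pins):
    """Return the (version, archive, source) entry that would be installed."""
    best_rank, best_entry = None, None
    for position, entry in enumerate(available):
        version, archive, _source = entry
        priority = pin_priority(archive, pins)
        if priority < 0:
            continue  # a negative priority blocks the version entirely
        # Highest priority wins, then newest version, then earliest source.
        rank = (priority, version_key(version), -position)
        if best_rank is None or rank > best_rank:
            best_rank, best_entry = rank, entry
    return best_entry

if __name__ == "__main__":
    print("no preferences file:", candidate(AVAILABLE, []))
    print("with the pins above:", candidate(AVAILABLE, PINS))
    updated = AVAILABLE[:1] + [("0.8.3", "stable", "http")] + AVAILABLE[2:]
    print("stable updated online:", candidate(updated, PINS))
```

On a real system, `apt-cache policy packagename` prints the priorities APT actually computed for each available version.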