Re: [SOLVED] Jessie wget: certificate not trusted, was: Jessie iceweasel: This Connection is Untrusted

2021-10-05 Thread mett
On 10/04/21 at 11:54, Thomas Schmitt wrote:
> Hi,
> 
> mett wrote:
> > the final solution is:
> > -disable the certs with an ! before the cert name
> > (vi /etc/ca-certificates.conf: !DST_Root_CA_X3.crt)
> > -then, rebuild the cert directory (update-ca-certificates --fresh)
> 
> Indeed this brought success with wget on the Debian 8 machine.
> 
>   $ wget https://lists.debian.org
>   ...
>   2021-10-04 11:48:12 (7.34 MB/s) - ‘index.html’ saved [7533/7533]
>   $
> 
> I copied
>   /usr/share/ca-certificates
>   /etc/ca-certificates.conf
>   /etc/ssl/certs
> from the Debian 10 machine (dist-upgraded last week) to the Debian 8.
> But with or without a run of
>   update-ca-certificates --fresh
> wget did not work.
> The proposal of mett finally got wget to download lists.debian.org with
> certificate check enabled.
> 
> 
> Now i am puzzled why this operation is not necessary on Debian 10 from
> where the file /etc/ca-certificates.conf was copied.
> The entry is in /etc/ca-certificates.conf,
> DST_Root_CA_X3.crt exists in /usr/share/ca-certificates,
> the link DST_Root_CA_X3.pem exists in /etc/ssl/certs.
> Nevertheless wget works on my Debian 10 with https://lists.debian.org.
Maybe the default CA for Let's Encrypt is different on Debian 8 and Debian 9/10.

> 
> > -then, restart your servers.
> 
> I am not aware of any servers on the Debian 8 machine which would have to
> do with certificates. I had not to restart anything after
>   update-ca-certificates --fresh
> wget worked immediately after.
> 
> Do SSL clients depend on a local service ?
SSL clients do not depend on a local service.
I just had a similar problem with different parameters:
-a Debian 8 server
-and php.
That is why I said restart your servers
(thinking apache and php-fpm).

Sorry for that.

> 
> 
> Have a nice day :)
> 
> Thomas
> 
Have a nice day too!



Re: [SOLVED] Re: Jessie iceweasel: This Connection is Untrusted

2021-10-02 Thread mett
On 2021-10-02 1:32:21 JST, Thomas Schmitt wrote:
>Hi,
>
>as tomas predicted it can be done by handwork.
>
>Tobias Diekershoff gave a good hint but i was not smart enough to make
>use of it before i found out the clicky way.
>
>The solution was to import to iceweasel the certificate file
>
>  /etc/ssl/certs/ISRG_Root_X1.pem
>
>
>Long story:
>
>I replaced the directory trees
>  /etc/ssl/certs
>  /usr/share/ca-certificates
>and the file
>  /etc/ca-certificates.conf
>by their counterparts of Debian 10. Then i ran
>  update-ca-certificates
>This did not help, even with newly started Iceweasel.
>
>So i clicked my way through Preferences -> Advanced -> Certificates to
>button "View Certificates" which offers me an obscure list and a button
>"Import". This gives me a file browser which i navigate to /etc/ssl/certs.
>There are 128 .pem files from Debian 10.
>
>To reduce the work i diffed the list of .pem files in both /etc/ssl/certs
>and began to add those which are new in Debian 10: 49 files.
>Many new ones did have no effect. But
>  /etc/ssl/certs/ISRG_Root_X1.pem
>gives me back a lot of those sites which were unaccessible since yesterday.
>
>I will have to wait for complaints to see if any of the previously working
>sites still fails. A quick tour over the usual suspects finds none.
>I nevertheless invested the clickwork to import the other new .pem files.
>Just in case i forget what i did today.
>
>
>Tobias Diekershoff wrote:
>> Are the untrusted certificates LetsEncrypt issued certs? Their old
>> R3 cert (signed by DST Root CA X3) expired Sept 29th (see e.g.
>> https://community.letsencrypt.org/t/help-thread-for-dst-root-ca-x3-expiration-september-2021/149190
>
>Looks like you are right.
>In hindsight the hint to "ISRG Root X1" is in there. But i don't understand
>their nomenclature. I looked for "DST*R3*.pem" but found no such file
>in /etc/ssl/certs. (It's like with man pages: I understand their text only
>when i finally found out by trial and error.)
>
>-
>Remaining riddles:
>
>How i would be supposed to find the name of the decisive certificate when
>iceweasel refuses ?
>
>Another riddle is why wget still does not work without option
>  --no-check-certificate
>I found no hint in its man page about its default stash of certificates.
>Will have to go on with research next week ...
>
>
>Have a nice day :)
>
>Thomas
>

Hi,

the final solution is:
-disable the certs with an ! before the cert name
 (vi /etc/ca-certificates.conf: !DST_Root_CA_X3.crt)
-then, rebuild the cert directory
 (update-ca-certificates --fresh)
-then, restart your servers.

HTH
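
The steps above (deselect the CA in /etc/ca-certificates.conf, then rebuild with update-ca-certificates --fresh), as an added shell example that is not part of the original posts. The function names and the sample file are assumptions; entries are matched by file name because the stock file lists certificates with a directory prefix such as mozilla/DST_Root_CA_X3.crt.

```sh
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Entries in ca-certificates.conf are paths relative to
# /usr/share/ca-certificates; a leading "!" deselects the certificate.

# ca_state CONF NAME -> prints enabled, disabled or absent
ca_state() {
    awk -v name="$2" '
        /^#/ || /^[ \t]*$/ { next }                # skip comments and blanks
        {
            entry = $0
            off = sub(/^!/, "", entry)             # 1 if the line was deselected
            n = split(entry, parts, "/")
            if (parts[n] == name) { state = off ? "disabled" : "enabled" }
        }
        END { print (state == "" ? "absent" : state) }
    ' "$1"
}

# disable_ca CONF NAME -> prefixes "!" to the matching entry (idempotent).
# Returns 0 when the entry is deselected afterwards, 1 when it is not listed.
disable_ca() {
    conf=$1
    tmp=$(mktemp) || return 2
    awk -v name="$2" '
        /^#/ || /^[ \t]*$/ { print; next }         # keep comments and blanks
        {
            entry = $0
            sub(/^!/, "", entry)                   # normalise an existing "!"
            n = split(entry, parts, "/")
            if (parts[n] == name) { print "!" entry; found = 1; next }
            print
        }
        END { if (!found) exit 1 }
    ' "$conf" > "$tmp"
    rc=$?
    # Write back through the existing file so owner and mode are preserved.
    if [ "$rc" -eq 0 ]; then cat "$tmp" > "$conf"; fi
    rm -f "$tmp"
    return "$rc"
}

# Demo on a constructed sample file, so nothing under /etc is touched.
demo() {
    sample=$(mktemp) || return 2
    printf '%s\n' '# constructed sample' \
        'mozilla/DST_Root_CA_X3.crt' 'mozilla/ISRG_Root_X1.crt' > "$sample"
    disable_ca "$sample" DST_Root_CA_X3.crt
    printf '%s %s\n' "$(ca_state "$sample" DST_Root_CA_X3.crt)" \
                     "$(ca_state "$sample" ISRG_Root_X1.crt)"
    rm -f "$sample"
}
demo    # prints: disabled enabled

# On the real system, as root:
#   disable_ca /etc/ca-certificates.conf DST_Root_CA_X3.crt \
#       && update-ca-certificates --fresh
```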

Re: Firefox HTTPS-only mode breaks sites that return 404 for HTTPS connections

2021-04-15 Thread mett

On 2021-04-15 21:12, Celejar wrote:

On Thu, 15 Apr 2021 11:16:59 +0100
piorunz  wrote:


On 15/04/2021 03:15, Celejar wrote:

>> It certainly works fine for me. I use https only mode for many months
>> now. Can you bring an example of a page which returns good page on http,
>> but 404 error on https?
>
> http://www.daat.ac.il/
> https://www.daat.ac.il/
>
> Celejar

Their webserver is misconfigured. AFAIR, if they don't support https,
their server should redirect to http page. Instead, they throw 404 
error.


Do you have a reference for this as required by the standards?


Your web browser behaviour is as intended, everything is fine.
If webadmins of that page don't know their sh*t, are you sure you want
to use that website? Who knows what else they forgot to implement.


No, everything is not fine. The website in question is a very valuable
one - it contains a wealth of important academic articles that are
valuable to my work. The techie attitude that the value of a resource
is somehow correlated to the technical competence of its implementation
is unfortunate and misguided.

I might indeed be reluctant to trust such a site with sensitive
personal information, but to suggest that we should shun websites just
because their administrators should be doing a better job is illogical.


Disclaimer: I never worked in IT, all self taught, but I have webpage
which I put up myself on Debian computer, with https cert (it's free),
TLS 2.0/3.0 only, PFS, HSTS preload with long duration, OCSP stapling,
top spec security. These guys? They can't even redirect to their http 
page.


Celejar


Hi,

The site address you provided supports https:


So, indeed, some misconfiguration it seems.
Maybe they simply forget to redirect http to https.


Though I agree no need to shun them.

HTH



Re: Server goes to sleep

2020-05-15 Thread mett
On 2020-05-16 4:20:50 JST, Dan Ritter wrote:
>Chris Rhodin wrote: 
>> Hi,
>> 
>> I've installed Debian Buster on a desktop system I use as a server. 
>I also
>> occasionally use this as a regular desktop system so it has a
>monitor,
>> keyboard, and GUI.  During installation I selected the ssh server in
>> tasksel (so during installation there was some indication this was a
>> server).
>> 
>> The problem I have is that when the console screen goes black and
>locks,
>> the system becomes unresponsive to network activity.  If I have an
>ssh
>> session running when this occurs it stops responding.  It doesn't
>kick me
>> off, the ssh connection is still there.  If I then go to the console
>and
>> shake the mouse the screen lights up and the ssh session starts
>responding
>> like nothings wrong, until the console goes to sleep again.
>> 
>> Searching online I found this command which seems to solve the
>problem:
>> 
>> sudo systemctl mask sleep.target suspend.target hibernate.target
>> hybrid-sleep.target
>> 
>> So my question is what is the correct way to manage this?  Is there a
>> document that goes over the various power states and how they impact
>> running services?
>
>All modern processors have power-reduction features that operate
>pretty much automatically when the system isn't being asked to
>do anything. There are lots of tunables for more aggressive
>savings. The powertop package can help you out there.
>
>You don't have to worry much about those, but they won't
>interfere with running a server.
>
>Laptops, and most desktops, have sleep functions:
>
>- sleep to RAM  
>- sleep to disk and power-off
>- hybrid sleep (first to RAM, then change to disk later)
>
>You can't realistically run a server with those sleep states
>activated.
>
>Your desktop environment probably decided that it was OK to
>sleep when you weren't active. It will have a control to turn
>that behavior off.
>
>-dsr-

Hi

last time I stopped it with
"console blank"
in grub

vi /etc/default/grub

GRUB_CMDLINE_LINUX_DEFAULT="quiet consoleblank=0"

don't forget to update grub after

i think u ll need reboot as well.

10minutes is the mark to be sure.

Not sure about the correct way...

hth


Re: fail2ban for apache2

2019-11-08 Thread mett
On 2019-11-09 16:30:57 JST, Gene Heskett wrote:
>I have a list of ipv4's I want fail2ban to block. But amongst the 
>numerous subdirs for fail2ban, I cannot find one that looks suitable to
>put this list of addresses in so they are blocked forever.  Can someone 
>more familiar with how fail2ban works give me a hand?  These are the 
>ipv4 addresses of bingbot, semrush, yandex etc etc that are DDOSing me 
>by repeatedly downloading my whole site and using up 100% of my upload 
>bandwidth.
>
>Thanks all.
>
>Cheers, Gene Heskett
>-- 
>"There are four boxes to be used in defense of liberty:
> soap, ballot, jury, and ammo. Please use in that order."
>-Ed Howdershelt (Author)
>If we desire respect for the law, we must first make the law
>respectable.
> - Louis D. Brandeis
>Genes Web page 

Hi,

In this case, better to use iptables
directly:

iptables -I INPUT 14 -s IP.ADD.RE.SS -j DROP 

-where I is for "Insert"
-14 is the line number of insertion
-where s is for "source"
-where j is for "jump to"
-also, u can check current table 
 with line-number by issuing:
 iptables -L -nv --line-numbers

u can even script it for availability
across reboot;

by the way, depending on the Debian version,
iptables might have been replaced by nft.

hth!
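
The scripting mentioned above, as an added example that is not part of the original post: it turns a list file into the same `iptables -I INPUT ... -s ... -j DROP` commands and rejects anything that is not a plain IPv4 address or CIDR range. The function names, the list format and the sample addresses (documentation ranges) are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread); names and list format are assumptions.

# valid_ipv4 ADDR[/PLEN] -> 0 for a dotted-quad address with optional prefix 0-32
valid_ipv4() {
    addr=${1%/*}
    case $1 in */*) plen=${1#*/} ;; *) plen=32 ;; esac
    case $plen in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    # Only digits and dots, no empty octets; this also keeps globs out of "set --".
    case $addr in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    oldifs=$IFS; IFS=.
    set -- $addr
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ????*|0?*) return 1 ;; esac   # too long or leading zero
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# gen_block_rules LIST [POSITION] -> prints one iptables command per valid entry.
# LIST holds one address or CIDR per line; "#" starts a comment.
# Nothing is executed here: the output is text to review, then run or save.
gen_block_rules() {
    pos=${2:-1}
    case $pos in ''|*[!0-9]*) echo "bad position: $pos" >&2; return 2 ;; esac
    sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' "$1" | sort -u |
    while IFS= read -r ip; do
        if valid_ipv4 "$ip"; then
            printf 'iptables -I INPUT %s -s %s -j DROP\n' "$pos" "$ip"
        else
            printf 'skipped invalid entry: %s\n' "$ip" >&2
        fi
    done
}

# Demo with a constructed list (RFC 5737 documentation addresses).
demo_rules() {
    list=$(mktemp) || return 2
    printf '%s\n' '# constructed sample' '192.0.2.10' \
        '198.51.100.0/24   # whole range' '192.0.2.10' '300.1.1.1' > "$list"
    gen_block_rules "$list" 14
    rm -f "$list"
}
demo_rules

# To reapply after a reboot, keep the list file and run the reviewed output
# from a boot-time script, or save the live ruleset with iptables-save.
```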

Re: why won't ff look at this url?

2019-08-27 Thread mett
On 2019-08-27 8:09:16 JST, Doug McGarrett wrote:
>
>
>On 08/26/2019 03:22 PM, Andrei POPESCU wrote:
>> On Sb, 24 aug 19, 10:21:59, Gene Heskett wrote:
>>> Greetings folks;
>>>
>>>
>https://abcnews4.com/news/nation-world/w-va-ambulance-ems-director-arrested-accused-of-missing-and-tampering-with-narcotics
>>>
>>> All I get for clicking on it is a blank screen.
>>
>> Two things you could try:
>>
>>  1. firefox --safe-mode
>>  2. stop Firefox, rename ~/.mozilla (i.e. where your profile is)
>and
>>  start Firefox
>>
>> Hope this helps,
>> Andrei
>>
>I don't know what this means, but in OpenSuse Tumbleweed with FossaMail
>
>and Thunderbird, the URL opens perfectly.
>--doug

Not opening in android foss browser.
Opening in android zirco browser.

Re: WiFi without Network Manager

2019-02-14 Thread mett
On 2019-02-15 8:23:04 JST, Kenneth Parker wrote:
>On Tue, Feb 12, 2019 at 9:30 AM  wrote:
>
>> On Tue, Feb 12, 2019 at 09:10:08AM -0500, Kenneth Parker wrote:
>> > I occasionally run, what I will describe as "Coffee House Lan
>Parties".
>> > That means I connect to the Internet via WiFi, and then supply a
>"Local
>> > Ethernet" network (with ipv4), for others to connect with.
>> >
>> > Doing this with Network Manager "worked", but only with "loud
>> complaining"
>> > by Network Manager.
>> >
>> > What I want now, are the "steps" that Network Manager takes, to
>bring up
>> > WiFi, so I can create an "in-demand" Root-level Script that I can
>run,
>> for
>> > the WiFi part.  (The rest works fine, using
>/etc/network/interfaces).
>>
>> Actually ifupdown is perfectly capable of doing the work (well, it
>just
>> orchestrates it, but it comes with all the necessary scripts for
>that).
>>
>> Here's my stanza in /etc/network/interfaces (passphrase somewhat
>decorated,
>> to protect the innocent):
>>
>>   iface wlan0 inet dhcp
>> wpa-ssid dubcek
>> wpa-psk 
>>
>> That's all it is needed for ifup to set up wlan0, go out with DHCP
>and
>> fetch an IP address from our local DHCP server.
>>
>> Of course it relies on wpasupplicant and dhclient to do the actual
>> magic behind the scenes.
>>
>
>What did you have to do, the first time?  When you were determining the
>Network Name (wpa-ssid)?  (Having to know everything in advance isn't
>too
>cool,  when you visit multiple Coffee Houses. And connecting to the
>wrong
>ssid could get you into some  *SERIOUS*  trouble!)
>
>I am doing my own investigation, by the way, finding general
>information
>on a "competing" Distro (Arch):
>
>   https://wiki.archlinux.org/index.php/WPA_supplicant
>
>This site suggests that wpa_cli gives useful information,  so I will
>see
>what that looks like, and then use your interfaces method.
>
>Enjoy simple life :-)
>>
>> Cheers
>> -- t
>>
>
>Thanks!
>
>Kenneth Parker

sudo iwlist wlan0 scan



Re: trying to redirect display output from laptop to a TV through its HDMI port ...

2018-10-28 Thread mett
On 2018-10-28 18:35:37 JST, Albretch Mueller wrote:
>On 10/23/18, deloptes  wrote:
>> I think this should help
>> xrandr --output HDMI1 --auto
>
> For whatever reason it is not clear from the output of the command
>that I am indeed using a SAMSUNG LCD Monitor connected to one of its
>HDMI ports:
>
>$ xrandr --output HDMI1 --auto
>warning: output HDMI1 not found; ignoring
>
>$ xrandr --output HDMI2 --auto
>warning: output HDMI2 not found; ignoring
>
>$ xrandr --output HDMI --auto
>warning: output HDMI not found; ignoring
>
># xrandr --output HDMI1 --auto
>warning: output HDMI1 not found; ignoring
>
># xrandr --output HDMI2 --auto
>warning: output HDMI2 not found; ignoring
>
># xrandr --output HDMI --auto
>warning: output HDMI not found; ignoring
>
># xrandr --listmonitors
>Monitors: 1
> 0: +HDMI-1 1280/160x720/90+0+0  HDMI-1
>
># xrandr --listactivemonitors
>Monitors: 1
> 0: +HDMI-1 1280/160x720/90+0+0  HDMI-1
>#
>
>$ lshw -c display
>WARNING: you should run this program as super-user.
>  *-display
>   description: VGA compatible controller
>   product: 2nd Generation Core Processor Family Integrated
>Graphics Controller
>   vendor: Intel Corporation
>   physical id: 2
>   bus info: pci@:00:02.0
>   version: 09
>   width: 64 bits
>   clock: 33MHz
>   capabilities: vga_controller bus_master cap_list rom
>   configuration: driver=i915 latency=0
>   resources: irq:26 memory:c000-c03f
>memory:b000-bfff ioport:4000(size=64) memory:c-d
>WARNING: output may be incomplete or inaccurate, you should run this
>program as super-user.
>
># lshw -c display
>  *-display
>   description: VGA compatible controller
>   product: 2nd Generation Core Processor Family Integrated
>Graphics Controller
>   vendor: Intel Corporation
>   physical id: 2
>   bus info: pci@:00:02.0
>   version: 09
>   width: 64 bits
>   clock: 33MHz
>   capabilities: msi pm vga_controller bus_master cap_list rom
>   configuration: driver=i915 latency=0
>   resources: irq:26 memory:c000-c03f
>memory:b000-bfff ioport:4000(size=64) memory:c-d
>root@niggahme:~#
>
># hwinfo --monitor --short
>monitor:
>   SAMSUNG LCD Monitor
>   SAMSUNG
>#
> lbrtchx


Hi
seems it is written 
HDMI-1
and not
HDMI1

hth



Re: Creating a home network

2016-05-12 Thread mett

On 2016-05-12 03:30, Richard Owlett wrote:

On 5/11/2016 12:09 PM, Peter Ludikovsky wrote:

Not really broke. Eg. the BananaPi Router board comes in at about €75,
with 5 Gb interfaces (4 switched) and a 2.5" SATA connector, and runs a
minimally adapted Debian called Bananian. Add to that a small powered
USB hub, starting at about €10, and some cables, and your total should
be at around €100.


Thanks. I also asked on a local users group. The suggestions vary in
detail but are generally. Google on suggested components should be
educational. Cost estimates are similar.


* Samba
* autofs and/or udev to automagically export USB devices via Samba




Searching should give useful related links.




Regards
/peter

Am 11.05.2016 um 16:32 schrieb Richard Owlett:

Underlying question: What should I be reading?

I wish a blackbox which:

1. Connects 4 local machines via Ethernet [WiFi shall *NOT* be considered]
 A. A desktop with WinXP and multiple versions of Debian
 B. A laptop with WinXP Pro SP3 whose reason for existence is running SeaMonkey.
    Historically it is/was my primary machine. Its future is as a portable.
 C. A laptop dedicated to Linux experiments. I have erased the HDD as many as
    ten times in one week ;/
 D. Misc temporarily connected laptops.
2. It shall provide multiple USB ports in order that a selection of flash drives
   and a 1 TB HDD can be accessed by any machine.
3. It *SHALL* connect to the internet via a T-Mobile 4G Hotspot Z915 connected
   via USB. The WiFi features have been disabled. I really wanted a USB cell network
   modem. The local T-Mobile outlet was only vendor that didn't try assaulting me with
   their 'smartphone-du-jour' with an atrociously large data plan. This connection
   shall be protected by a firewall.

How broke will I be?
TIA






did u see debian wiki about creating a router with a pc?
it s kind of old but still working

i created my house/work one with P3 512M ram
Even running mariadb on it(sql is the heaviest, everything else is light; except tor maybe)
Actually providing my house network + less than 10 HP, mail servers for small companies

Never tried usb wireless stuff but get a wire line if you can
that s the fastest

my place is 2 devian boxes and a cat2960
one vlan is for outside connection, another one is inside connection
Devian boxes are providing NAT/WAN connection
Inside boxes are connected via the switch(cat 2960)

LAN---NAT--Global_IP---WAN

Price:
Pentium 3@512M RAM : 10-20 US
Cat2960: 40 US
everything is 2nd hand of course

Also 2 PCI 1G NIC/routerfw boxes(makes 4)
That was the most expensive(new)
about 10-20 US/card

If you ll use an USB for T-Mobile 4G Hotspot, u don t need 2 outside cards;
u can use the onboard or other LAN ether port for your LAN
so 0 cost for the 2PCI 1Gig NIC by 2

*MY case*
WAN(provider's DCE, a kind of nowadays modem)
 |
C a t 2 9 6 0(switch)
|      |
Dev1   Dev2
|      |
C a t 2 9 6 0
|
LAN(5 ports are already used as above, so u have 19 ports left for your LAN
    OS doesn't matter)

*Ur case*
WAN(T-Mobile 4G Hotspot's USB)
|
Devian box(NAT/FW ie. LAN/WAN segregation)
|
LAN(via ethernet, rj45)
|
Cat2960(switch, actually anykind of switch is OK, a hub is even enough in your case I think;
|   brand doesn't matter; just cisco's works well for me)
|
24 ports available on the switch to connect any kind of OS boxes

Then as said above, if you need windows/linux shares on devian box
u need samba. And maybe more for USB mouting.
If you want to be able to connect many USB, u need that many USB ports
on the box.

Ill paste my iptables below
Also, my house is wired with ppp to provider(my outside.if is ppp0,
urs might be usb0, I don t know).

I never tried wifi or other kind of wireless stuff from an USB
but I think kernel is able to manage that(wifi as wireless cause the USB from t-mobile
is a kind of wireless protocol, 3G or LTE).
Just try first, get the USB, connect it to the box and check if you can access the net
(u might need somekind of firmware).
If you can, then above is a 'jeu d'enfants'

IPTABLES
8<---
root@tamerrz:/home/tamerrzusr#cat /etc/network/if-up.d/00-firewall_corrected

#!/bin/sh

PATH=/usr/sbin:/sbin:/bin:/usr/bin

#
# delete all existing rules.
#
iptables -F
iptables -X

## nat/POSTROUTING
# Masquerade <=> Changed to SNAT
# (was using masquerade nat before, using source nat now, any one is OK)
#iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# XXX.XXX.XXX.XXX stands for my public IP
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j SNAT --to-source XXX.XXX.XXX.XXX
iptables -t nat -A POSTROUTING -s 192.168.255.0/24 -o ppp0 -j SNAT --to-source XXX.XXX.XXX.XXX


## filter/FORWARD

# Allow New outgoing connections from the LAN side.
iptables -t filter -A FORWARD -i eth1 -o ppp0 -m state --state NEW -j ACCEPT
iptables -t filter -A FORWARD -i eth0 -o ppp0 -m state --state NEW -j ACCEPT



Re: Mail and POP3

2015-06-30 Thread mett


On 2015-06-30 12:10:50 JST, Stuart Longland stua...@longlandclan.yi.org wrote:
On 30/06/15 11:44, Martin G. McCormick wrote:
  I found an example for debian-etch which used fetchmail.
 Is that still the case for squeeze and newer debian releases?
 
  Do I need to leave exim4 alone as it appears that
 fetchmail does all the moving?

I've done this before with numerous distributions in the past.

Basically you set up fetchmail to do the mail collection, and I think by
default it tries to use the local delivery agents to deliver mail to
local users.  So you set it up as a daemon to collect mail for a number
of users.

Your SMTP server then looks after local delivery and for delivery to a
smarthost outside your network (your ISP).

I don't recall what the exact configuration parameters are for
fetchmail, it's been a while since I've used it, but there is one that
controls who email from a particular account gets delivered to.  Once
you set that, and assuming your SMTP server (exim4 in your case) is set
up correctly, things should JustWork™.

Also, there are very nice tutorials @workaround.org (for postfix/dovecot though
for the latest ones)


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/91ab9761-f3bc-4154-a4e6-9b15f0e16...@pmars.jp



Re: What to do with dead raid 1 partitions under mdadm

2014-10-26 Thread mett

On Sun, 26 Oct 2014 08:05:58 -0400
Gary Dale garyd...@torfree.net wrote:

 On 25/10/14 11:19 PM, mett wrote:
 
  Hi,
(snip)
 As I understand your issue:
 - you had RAID 1 arrays md0 (sda1+sdb1) and md1 (sda2+sdb2),
 - sdb1 & sdb2 showed an error, so you removed them from the arrays
 and added sdb3 & sdb4 from the same physical disk,
 - you are now wondering what to do with two partitions on device sdb 
 (sdb1 & sdb2).

--exactly
 
 I'm guessing that sdb is nearly toast. Run smartctl -H /dev/sdb on
 it. If it passes, remove it from the array and repartition it, then
 add it back into the array.
 
 If it fails, remove it from your computer and replace it. Whatever
 new drive you get will probably be larger than your current drives,
 so partition it so that the sdb1 is larger than the current sd1a and
 the rest of the space goes to sdb2. In this way, you can expand md1
 when you eventually have to replace sda (it will happen - disks
 eventually fail).
 
 In general it is a really bad idea to keep a failing disk in your
 system. It not only will fail sooner rather than later but will also
 slow down your system due to i/o failures.
 
 

I'll try that and update the results.

Thanks a lot for both answers


What to do with dead raid 1 partitions under mdadm

2014-10-25 Thread mett

Hi, 

I'm running Squeeze under raid 1 with mdadm.
One of the raid failed and I replaced it with space I had available on
that same disk.

Today, when rebooting I got an error cause the boot flag was still on
both partitions(sdb1 and sdb3 below). I used the rescue part of the
debian installer CD to remove the boot flag with fdisk, and now
everything is working.

My question is what to do with the dead raid partition on that disk
(sdb1 and sdb2 below)?

Can I safely delete them and mark them unusable or similar?

Below are some details about the system.

/dev/sdb is 250G; I had an sdb1 and sdb2 failure. I
created sdb3 and sdb4 and added them to the array. They are the current
members of the md array.

/mett# uname -a
Linux asus 3.2.0-0.bpo.4-686-pae #1 SMP Debian 3.2.57-3+deb7u2~bpo60+1
i686 GNU/Linux 

root@asus:/home/mett# 
root@asus:/home/mett# mdadm --detail /dev/md1
/dev/md1:
Version : 1.2
  Creation Time : Mon Feb  4 22:46:04 2013
 Raid Level : raid1
 Array Size : 97654712 (93.13 GiB 100.00 GB)
  Used Dev Size : 97654712 (93.13 GiB 100.00 GB)
   Raid Devices : 2
  Total Devices : 2
Persistence : Superblock is persistent

Update Time : Sun Oct 26 12:03:37 2014
  State : clean 
 Active Devices : 2
Working Devices : 2
 Failed Devices : 0
  Spare Devices : 0

   Name : asus:1  (local to host asus)
   UUID : 639af1ab:8ec418b5:8254ef0d:ad9a728d
 Events : 75946

    Number   Major   Minor   RaidDevice State
       2       8        2        0      active sync   /dev/sda2
       3       8       20        1      active sync   /dev/sdb4

(/dev/md0 is same structure as above with sda1 and sdb3 as raid members)


root@asus:/home/mett# 
Disk /dev/sdb: 250.1 GB, 250059350016 bytes
255 heads, 63 sectors/track, 30401 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00066b3e

   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1               1          64      514048+  fd  Linux raid autodetect
/dev/sdb2              65       12515   100012657+  fd  Linux raid autodetect
/dev/sdb3   *       12516       12581      530145   fd  Linux raid autodetect
/dev/sdb4           12582       25636   104864287+  fd  Linux raid autodetect

Command (m for help): 

Thanks a lot in advance.


[SOLVED]Re: flakey wifi access

2014-09-15 Thread mett
On Sun, 14 Sep 2014 12:13:14 -0700
tom arnall kloro2...@gmail.com wrote:

 SOLVED!
 
 i use wicd and i changed a preference:
 
 preferences > external programs  and change 'auto' to 'dhclient'
 
 Mett, is this the equivalent of what you suggest doing manually?
 
 thanks everyone for your help.
 
 Tom
 
 On 6/30/14, mett m...@pmars.jp wrote:
  On Mon, 30 Jun 2014 06:39:29 -0400
  ken geb...@mousecar.com wrote:
 
  On 06/29/2014 10:50 PM tom arnall wrote:
   my wicd agent is unable to connect to wifi at mcDonald's, both in
   mexico and the states. it's fine with my home wifi and the coffee
   shop i go to. it also fails on the network at the campus where i
   teach in mexico.
 
  Unable to connect can mean a lot of things.  I recently had a
  wifi connection problem which, using 'ping', I determined to be
  caused by a lot of packets being dropped-- like 30 - 60% of them.
  I found that ping will return a response in some cases even when
  it seems there is no connection.  You'll need to find out the IP
  address of the access point (AP).  If your system doesn't tell you
  this, you might ask some other user.  Get rates from all APs,
  working and non-working, and compare them.
 
  Another utility to use is tcpdump.  This will provide very detailed
  information about the packets constituting the connection attempt.
 
  And iwlist will provide info on the available APs.  Noting the
  relative signal strengths and protocols used and other details
  might point to patterns.
 
 
 
 
  You can try to go the manual way to see if you get better results:
 
  -bring up your wireless interface, if it s not already up
 
  'ifconfig' (if it doesn't appear here, means it is not up)
 
  'ifconfig -a' (you should see it here, as this command lists all the
  available physical interfaces on your machine. Then)
 
  'ifconfig WIRELESS-INTERFACE-NAME up' (to bring it up).
 
  -Then, once up, you can, as ken said, use iwlist to know about the
  AP in your vicinity
 
  'iwlist scan'
 
  You should see mac-donald's AP essid name in the list you get from
  iwlist.
 
  -Finally, for mac-donalds, I saw on their page there isn't any
  encryption and password to connect to their AP, so you just need to
  run
 
  'iwconfig WIRELESS-INTERFACE-NAME essid MACDO-ESSID-NAME'
 
  and then dhclient to get an IP(with the -v flag to be sure you
  obtained an IP address)
 
  'dhclient -v WIRELESS-INTERFACE-NAME'
 
  -Finally_2, open your browser and you should see mac-do HP,
  and a 'connect' button to connect from there.
 
 
  There is a detailed explanation to connect manually on crunchbang,
  under the three main methods (no password and no encryption, or WEP
  or WPA). Here is the link
  http://crunchbang.org/forums/viewtopic.php?id=16624
 
  Also, you might have to use 'sudo' for all those commands as you
  need to be the root user to run them.
 
  Also_2, stop all the other wifi-network-related daemons as they
  might get in the way when you try to config manually(wicd and
  others if you have).
 
  HTH
 
 
 
 

Hey, nice to hear about that.

I just checked wicd and it uses the default dhcp client of the box it
runs on, when set to 'auto'.

I think the default dhcp client on Debian(squeeze at least) is
dhclient(ISC) anyway.
So maybe the problem was not on your side but on the AP one.

At any rate, next time you have a problem try a scan first to check if
you see the AP you want to connect to (iwlist).






Re: IPv6 neighbor solicitations to use link-local source address

2014-09-05 Thread mett
On Thu, 4 Sep 2014 13:12:38 +0200
Julien b jumbo...@gmail.com wrote:

 2014-09-04 12:32 GMT+02:00 mett m...@pmars.jp:
 
  On Thu, 4 Sep 2014 18:50:01 +0900
  mett m...@pmars.jp wrote:
 
   On Thu, 4 Sep 2014 09:12:46 +0200
   Julien b jumbo...@gmail.com wrote:
  
Hi mett, thank you for your answer. I hope that I'm not top-posting too
ping6 -I doesn't change anything, the box is still using the global
scope address.
   
Best regards
Julien
   
   
   
2014-09-04 2:32 GMT+02:00 mett m...@pmars.jp:
   
 On Thu, 4 Sep 2014 09:04:00 +0900
 mett m...@pmars.jp wrote:

  Hi,
 
  When pinging link-local addresses, u need to specify the
  exit interface. So maybe if u specify the exit interface
  and another link-local as destination, you might be able to
  do it:
 
 
  --
  mett@asus:~$ ip -6 add show
  1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436
      inet6 ::1/128 scope host
         valid_lft forever preferred_lft forever
  2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
      inet6 fe80::20c:6eff:fef8:7d1c/64 scope link
         valid_lft forever preferred_lft forever
  mett@asus:
  --
  root@tamirrsso:/var/log# ip -6 add show
  
  3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
      inet6 fe80::207:95ff:fed5:2fda/64 scope link
         valid_lft forever preferred_lft forever
  root@tamirrsso:/var/log#
  --
  mett@asus:~$ ping6 -I eth0 fe80::207:95ff:fed5:2fda
  PING fe80::207:95ff:fed5:2fda(fe80::207:95ff:fed5:2fda) from fe80::20c:6eff:fef8:7d1c eth0: 56 data bytes
  64 bytes from fe80::207:95ff:fed5:2fda: icmp_seq=1 ttl=64 time=0.433 ms
  64 bytes from fe80::207:95ff:fed5:2fda: icmp_seq=2 ttl=64 time=0.205 ms
  64 bytes from fe80::207:95ff:fed5:2fda: icmp_seq=3 ttl=64 time=0.201 ms
  64 bytes from fe80::207:95ff:fed5:2fda: icmp_seq=4 ttl=64 time=0.256 ms
  64 bytes from fe80::207:95ff:fed5:2fda: icmp_seq=5 ttl=64 time=0.199 ms
 
 
 
  HTH!
 
 
 
  On Wed, 3 Sep 2014 15:55:38 +0200
  Julien b jumbo...@gmail.com wrote:
 
   Hello everybody
  
   I'm very new to lists.debian.org so please apologize if
   I am doing something wrong by sending this email. I'm
   just out of idea with a behavior in NDP and must find a
   solution. I didn't find anything on the internet.
  
   RFC4861 section 7.2.2 says that the source address in NDP
   neighbor solicitations can be any one of the addresses
   assigned to the interface. It also says that using the
   prompting packet's source address ensures that the
   recipient installs it in its neighbor cache. The latter
   is the behavior I can see on my boxes (a debian 6.0.9 +
   custom kernel 3.2.14) and also on a Centos one.
  
   # ip -6 addr list
   1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436
       inet6 ::1/128 scope host
          valid_lft forever preferred_lft forever
   3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
       inet6 2a10:7e40:edf6:100::32/64 scope global
          valid_lft forever preferred_lft forever
       inet6 fe80::a00:27ff:fe02:3cbd/64 scope link
          valid_lft forever preferred_lft forever
  
   # ping6 2a10:7e40:edf6:100::33 -c 3 /dev/null
   # tcpdump -nli eth0 icmp6
  
   18:09:04.726908 IP6 2a10:7e40:edf6:100::32 > ff02::1:ff00:33: ICMP6, neighbor solicitation, who has 2a10:7e40:edf6:100::33, length 32
   18:09:04.727373 IP6 2a10:7e40:edf6:100::33 > 2a10:7e40:edf6:100::32: ICMP6, neighbor advertisement, tgt is 2a10:7e40:edf6:100::33, length 32
   18:09:04.727391 IP6 2a10:7e40:edf6:100::32 > 2a10:7e40:edf6:100::33: ICMP6, echo request, seq 1, length 64
   18:09:04.727738 IP6 2a10:7e40:edf6:100::33 > 2a10:7e40:edf6:100::32: ICMP6, echo reply, seq 1, length 64
  
  
   My question is : How can I force ndp to use the link-local
   address assigned to that outgoing device ? (in the trace
   above, ndp would then send the neighbor solicitation with
   fe80::a00:27ff:fe02:3cbd source address).
  
   This is requested by our customer for security reasons
   and as far as I can see it complies with RFC4861 as well.
  
   If someone had a clue how to do that or if it's just
   impossible, I would really appreciate your help.
  
   Thank you
   Best regards
   Julien
 
 

 By the way, sorry for top-posting...




  
   Hey,
  
   U cannot ping

Re: IPv6 neighbor solicitations to use link-local source address

2014-09-04 Thread mett
On Thu, 4 Sep 2014 09:12:46 +0200
Julien b jumbo...@gmail.com wrote:

 Hi mett, thank you for your answer. I hope that I'm not top-posting
 too. ping6 -I doesn't change anything, the box is still using the
 global scope address.
 
 Best regards
 Julien
 
 
 
 2014-09-04 2:32 GMT+02:00 mett m...@pmars.jp:
 
  On Thu, 4 Sep 2014 09:04:00 +0900
  mett m...@pmars.jp wrote:
 
   Hi,
  
   When pinging link-local addresses, u need to specify the exit
   interface. So maybe if u specify the exit interface and another
   link-local as destination, you might be able to do it:
  
  
   --
   mett@asus:~$ ip -6 add show
   1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436
       inet6 ::1/128 scope host
          valid_lft forever preferred_lft forever
   2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
       inet6 fe80::20c:6eff:fef8:7d1c/64 scope link
          valid_lft forever preferred_lft forever
   mett@asus:
   --
   root@tamirrsso:/var/log# ip -6 add show
   
   3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
       inet6 fe80::207:95ff:fed5:2fda/64 scope link
          valid_lft forever preferred_lft forever
   root@tamirrsso:/var/log#
   --
   mett@asus:~$ ping6 -I eth0 fe80::207:95ff:fed5:2fda
   PING fe80::207:95ff:fed5:2fda(fe80::207:95ff:fed5:2fda) from fe80::20c:6eff:fef8:7d1c eth0: 56 data bytes
   64 bytes from fe80::207:95ff:fed5:2fda: icmp_seq=1 ttl=64 time=0.433 ms
   64 bytes from fe80::207:95ff:fed5:2fda: icmp_seq=2 ttl=64 time=0.205 ms
   64 bytes from fe80::207:95ff:fed5:2fda: icmp_seq=3 ttl=64 time=0.201 ms
   64 bytes from fe80::207:95ff:fed5:2fda: icmp_seq=4 ttl=64 time=0.256 ms
   64 bytes from fe80::207:95ff:fed5:2fda: icmp_seq=5 ttl=64 time=0.199 ms
  
  
  
   HTH!
  
  
  
   On Wed, 3 Sep 2014 15:55:38 +0200
   Julien b jumbo...@gmail.com wrote:
  
Hello everybody
   
I'm very new to lists.debian.org so please apologize if I am
doing something wrong by sending this email. I'm just out of
idea with a behavior in NDP and must find a solution. I didn't
find anything on the internet.
   
RFC4861 section 7.2.2 says that the source address in NDP
neighbor solicitations can be any one of the addresses assigned
to the interface. It also says that using the prompting
packet's source address ensures that the recipient installs it
in its neighbor cache. The latter is the behavior I can see on
my boxes (a debian 6.0.9 + custom kernel 3.2.14) and also on a
Centos one.
   
# ip -6 addr list
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 2a10:7e40:edf6:100::32/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fe02:3cbd/64 scope link
       valid_lft forever preferred_lft forever

# ping6 2a10:7e40:edf6:100::33 -c 3 /dev/null
# tcpdump -nli eth0 icmp6

18:09:04.726908 IP6 2a10:7e40:edf6:100::32 > ff02::1:ff00:33: ICMP6, neighbor solicitation, who has 2a10:7e40:edf6:100::33, length 32
18:09:04.727373 IP6 2a10:7e40:edf6:100::33 > 2a10:7e40:edf6:100::32: ICMP6, neighbor advertisement, tgt is 2a10:7e40:edf6:100::33, length 32
18:09:04.727391 IP6 2a10:7e40:edf6:100::32 > 2a10:7e40:edf6:100::33: ICMP6, echo request, seq 1, length 64
18:09:04.727738 IP6 2a10:7e40:edf6:100::33 > 2a10:7e40:edf6:100::32: ICMP6, echo reply, seq 1, length 64
   
   
My question is : How can I force ndp to use the link-local
address assigned to that outgoing device ? (in the trace above,
ndp would then send the neighbor solicitation with
fe80::a00:27ff:fe02:3cbd source address).
   
This is requested by our customer for security reasons and as
far as I can see it complies with RFC4861 as well.
   
If someone had a clue how to do that or if it's just
impossible, I would really appreciate your help.
   
Thank you
Best regards
Julien
  
  
 
  By the way, sorry for top-posting...
 
 
 
 

Hey,

U cannot ping a global address with a link-local address.
If you want to use your link-local address as source, u need to ping
the link-local address of your destination
(and need to specify exit interface).

Global IP addresses(Layer 3) and Link-local addresses(not Layer 3) are
on different scopes or spans(or layer). 
Because of that, they cannot interact.

Also, not really related but better to reply to the Debian-list than
sending a personal mail. Other readers might benefit of this
exchange.

Finally, better to write your answer down, at the end of the msg; 
easier to follow the whole

Re: IPv6 neighbor solicitations to use link-local source address

2014-09-04 Thread mett
On Thu, 4 Sep 2014 18:50:01 +0900
mett m...@pmars.jp wrote:

 On Thu, 4 Sep 2014 09:12:46 +0200
 Julien b jumbo...@gmail.com wrote:
 
  Hi mett, thank you for your answer. I hope that I'm not top-posting
  too. ping6 -I doesn't change anything, the box is still using the
  global scope address.
  
  Best regards
  Julien
  
  
  
  2014-09-04 2:32 GMT+02:00 mett m...@pmars.jp:
  
   On Thu, 4 Sep 2014 09:04:00 +0900
   mett m...@pmars.jp wrote:
  
Hi,
   
When pinging link-local addresses, u need to specify the exit
interface. So maybe if u specify the exit interface and another
link-local as destination, you might be able to do it:
   
   
--
mett@asus:~$ ip -6 add show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 fe80::20c:6eff:fef8:7d1c/64 scope link
       valid_lft forever preferred_lft forever
mett@asus:
--
root@tamirrsso:/var/log# ip -6 add show

3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 fe80::207:95ff:fed5:2fda/64 scope link
       valid_lft forever preferred_lft forever
root@tamirrsso:/var/log#
--
mett@asus:~$ ping6 -I eth0 fe80::207:95ff:fed5:2fda
PING fe80::207:95ff:fed5:2fda(fe80::207:95ff:fed5:2fda) from fe80::20c:6eff:fef8:7d1c eth0: 56 data bytes
64 bytes from fe80::207:95ff:fed5:2fda: icmp_seq=1 ttl=64 time=0.433 ms
64 bytes from fe80::207:95ff:fed5:2fda: icmp_seq=2 ttl=64 time=0.205 ms
64 bytes from fe80::207:95ff:fed5:2fda: icmp_seq=3 ttl=64 time=0.201 ms
64 bytes from fe80::207:95ff:fed5:2fda: icmp_seq=4 ttl=64 time=0.256 ms
64 bytes from fe80::207:95ff:fed5:2fda: icmp_seq=5 ttl=64 time=0.199 ms
   
   
   
HTH!
   
   
   
On Wed, 3 Sep 2014 15:55:38 +0200
Julien b jumbo...@gmail.com wrote:
   
 Hello everybody

 I'm very new to lists.debian.org so please apologize if I am
 doing something wrong by sending this email. I'm just out of
 idea with a behavior in NDP and must find a solution. I didn't
 find anything on the internet.

 RFC4861 section 7.2.2 says that the source address in NDP
 neighbor solicitations can be any one of the addresses
 assigned to the interface. It also says that using the
 prompting packet's source address ensures that the recipient
 installs it in its neighbor cache. The latter is the behavior
 I can see on my boxes (a debian 6.0.9 + custom kernel 3.2.14)
 and also on a Centos one.

 # ip -6 addr list
 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436
     inet6 ::1/128 scope host
        valid_lft forever preferred_lft forever
 3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
     inet6 2a10:7e40:edf6:100::32/64 scope global
        valid_lft forever preferred_lft forever
     inet6 fe80::a00:27ff:fe02:3cbd/64 scope link
        valid_lft forever preferred_lft forever

 # ping6 2a10:7e40:edf6:100::33 -c 3 /dev/null
 # tcpdump -nli eth0 icmp6

 18:09:04.726908 IP6 2a10:7e40:edf6:100::32 > ff02::1:ff00:33: ICMP6, neighbor solicitation, who has 2a10:7e40:edf6:100::33, length 32
 18:09:04.727373 IP6 2a10:7e40:edf6:100::33 > 2a10:7e40:edf6:100::32: ICMP6, neighbor advertisement, tgt is 2a10:7e40:edf6:100::33, length 32
 18:09:04.727391 IP6 2a10:7e40:edf6:100::32 > 2a10:7e40:edf6:100::33: ICMP6, echo request, seq 1, length 64
 18:09:04.727738 IP6 2a10:7e40:edf6:100::33 > 2a10:7e40:edf6:100::32: ICMP6, echo reply, seq 1, length 64


 My question is : How can I force ndp to use the link-local
 address assigned to that outgoing device ? (in the trace
 above, ndp would then send the neighbor solicitation with
 fe80::a00:27ff:fe02:3cbd source address).

 This is requested by our customer for security reasons and as
 far as I can see it complies with RFC4861 as well.

 If someone had a clue how to do that or if it's just
 impossible, I would really appreciate your help.

 Thank you
 Best regards
 Julien
   
   
  
   By the way, sorry for top-posting...
  
  
  
  
 
 Hey,
 
 U cannot ping a global address with a link-local address.
 If you want to use your link-local address as source, u need to ping
 the link-local address of your destination
 (and need to specify exit interface).
 
 Global IP addresses(Layer 3) and Link-local addresses(not Layer 3) are
 on different scopes or spans(or layer). 
 Because of that, they cannot interact.
 
 Also, not really related

Re: IPv6 neighbor solicitations to use link-local source address

2014-09-03 Thread mett
Hi,

When pinging link-local addresses, u need to specify the exit interface.
So maybe if u specify the exit interface and another link-local as
destination, you might be able to do it:


--
mett@asus:~$ ip -6 add show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 fe80::20c:6eff:fef8:7d1c/64 scope link
       valid_lft forever preferred_lft forever
mett@asus:
--
root@tamirrsso:/var/log# ip -6 add show

3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 fe80::207:95ff:fed5:2fda/64 scope link
       valid_lft forever preferred_lft forever
root@tamirrsso:/var/log#
--
mett@asus:~$ ping6 -I eth0 fe80::207:95ff:fed5:2fda
PING fe80::207:95ff:fed5:2fda(fe80::207:95ff:fed5:2fda) from fe80::20c:6eff:fef8:7d1c eth0: 56 data bytes
64 bytes from fe80::207:95ff:fed5:2fda: icmp_seq=1 ttl=64 time=0.433 ms
64 bytes from fe80::207:95ff:fed5:2fda: icmp_seq=2 ttl=64 time=0.205 ms
64 bytes from fe80::207:95ff:fed5:2fda: icmp_seq=3 ttl=64 time=0.201 ms
64 bytes from fe80::207:95ff:fed5:2fda: icmp_seq=4 ttl=64 time=0.256 ms
64 bytes from fe80::207:95ff:fed5:2fda: icmp_seq=5 ttl=64 time=0.199 ms



HTH!



On Wed, 3 Sep 2014 15:55:38 +0200
Julien b jumbo...@gmail.com wrote:

 Hello everybody
 
 I'm very new to lists.debian.org so please apologize if I am doing
 something wrong by sending this email. I'm just out of idea with a
 behavior in NDP and must find a solution. I didn't find anything on
 the internet.
 
 RFC4861 section 7.2.2 says that the source address in NDP neighbor
 solicitations can be any one of the addresses assigned to the
 interface. It also says that using the prompting packet's source
 address ensures that the recipient installs it in its neighbor cache.
 The latter is the behavior I can see on my boxes (a debian 6.0.9 +
 custom kernel 3.2.14) and also on a Centos one.
 
 # ip -6 addr list
 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436
     inet6 ::1/128 scope host
        valid_lft forever preferred_lft forever
 3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
     inet6 2a10:7e40:edf6:100::32/64 scope global
        valid_lft forever preferred_lft forever
     inet6 fe80::a00:27ff:fe02:3cbd/64 scope link
        valid_lft forever preferred_lft forever
 
 # ping6 2a10:7e40:edf6:100::33 -c 3 /dev/null
 # tcpdump -nli eth0 icmp6
 
 18:09:04.726908 IP6 2a10:7e40:edf6:100::32 > ff02::1:ff00:33: ICMP6, neighbor solicitation, who has 2a10:7e40:edf6:100::33, length 32
 18:09:04.727373 IP6 2a10:7e40:edf6:100::33 > 2a10:7e40:edf6:100::32: ICMP6, neighbor advertisement, tgt is 2a10:7e40:edf6:100::33, length 32
 18:09:04.727391 IP6 2a10:7e40:edf6:100::32 > 2a10:7e40:edf6:100::33: ICMP6, echo request, seq 1, length 64
 18:09:04.727738 IP6 2a10:7e40:edf6:100::33 > 2a10:7e40:edf6:100::32: ICMP6, echo reply, seq 1, length 64
 
 
 My question is : How can I force ndp to use the link-local address
 assigned to that outgoing device ? (in the trace above, ndp would
 then send the neighbor solicitation with fe80::a00:27ff:fe02:3cbd
 source address).
 
 This is requested by our customer for security reasons and as far as
 I can see it complies with RFC4861 as well.
 
 If someone had a clue how to do that or if it's just impossible, I
 would really appreciate your help.
 
 Thank you
 Best regards
 Julien


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20140904090400.5fe32b98@asus.tamerr
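
An added example, not part of the thread: one way to check, from `tcpdump -nli eth0 icmp6` output, which source-address scope each neighbor solicitation uses and whether it went to the right solicited-node multicast group. The function names are hypothetical, and the sample capture is constructed (its first line follows the trace quoted in the question; the others are made up for illustration).

```python
import ipaddress
import re

# One-line form that `tcpdump -n` prints for an ICMPv6 neighbor solicitation.
NS_RE = re.compile(
    r"^\S+ IP6 (?P<src>[0-9a-fA-F:]+) > (?P<dst>[0-9a-fA-F:]+): "
    r"ICMP6, neighbor solicitation, who has (?P<tgt>[0-9a-fA-F:]+),"
)

SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))

# Constructed sample capture (hypothetical timestamps and ordering).
SAMPLE_CAPTURE = """\
18:09:04.726908 IP6 2a10:7e40:edf6:100::32 > ff02::1:ff00:33: ICMP6, neighbor solicitation, who has 2a10:7e40:edf6:100::33, length 32
18:09:04.727391 IP6 2a10:7e40:edf6:100::32 > 2a10:7e40:edf6:100::33: ICMP6, echo request, seq 1, length 64
18:09:05.000100 IP6 fe80::a00:27ff:fe02:3cbd > ff02::1:ff00:33: ICMP6, neighbor solicitation, who has 2a10:7e40:edf6:100::33, length 32
18:09:06.100000 IP6 :: > ff02::1:ff02:3cbd: ICMP6, neighbor solicitation, who has fe80::a00:27ff:fe02:3cbd, length 24
18:09:09.730112 IP6 fe80::a00:27ff:fe02:3cbd > 2a10:7e40:edf6:100::33: ICMP6, neighbor solicitation, who has 2a10:7e40:edf6:100::33, length 32
""".splitlines()


def solicited_node(target):
    """Multicast group a solicitation for `target` is sent to:
    ff02::1:ff00:0/104 plus the low 24 bits of the target (RFC 4291)."""
    return ipaddress.IPv6Address(SOLICITED_NODE_BASE | (int(target) & 0xFFFFFF))


def source_scope(src):
    """Classify the source address of a neighbor solicitation."""
    if src.is_unspecified:
        return "unspecified"      # "::" is what duplicate address detection uses
    if src.is_link_local:
        return "link-local"       # fe80::/10
    return "non-link-local"       # global, unique-local, ...


def audit(lines):
    """Return one finding per neighbor solicitation found in the capture lines."""
    findings = []
    for line in lines:
        m = NS_RE.match(line.strip())
        if m is None:
            continue              # not a neighbor solicitation
        try:
            src, dst, tgt = (ipaddress.IPv6Address(m.group(k))
                             for k in ("src", "dst", "tgt"))
        except ValueError:
            continue              # malformed address, skip the line
        if dst.is_multicast:
            # Address resolution and DAD go to the solicited-node group.
            dst_ok = dst == solicited_node(tgt)
        else:
            # Unicast solicitations (reachability probes) go to the target.
            dst_ok = dst == tgt
        findings.append({
            "src": str(src),
            "target": str(tgt),
            "scope": source_scope(src),
            "dst_ok": dst_ok,
        })
    return findings


def policy_violations(findings):
    """Solicitations whose source is neither link-local nor unspecified."""
    return [f for f in findings if f["scope"] == "non-link-local"]


if __name__ == "__main__":
    for f in audit(SAMPLE_CAPTURE):
        print(f["src"], "->", f["target"], f["scope"], "dst_ok=%s" % f["dst_ok"])
    print("violations:", [f["src"] for f in policy_violations(audit(SAMPLE_CAPTURE))])
```
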



Re: IPv6 neighbor solicitations to use link-local source address

2014-09-03 Thread mett
On Thu, 4 Sep 2014 09:04:00 +0900
mett m...@pmars.jp wrote:

 Hi,
 
 When pinging link-local addresses, u need to specify the exit
 interface. So maybe if u specify the exit interface and another
 link-local as destination, you might be able to do it:
 
 
 --
 mett@asus:~$ ip -6 add show
 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436
     inet6 ::1/128 scope host
        valid_lft forever preferred_lft forever
 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
     inet6 fe80::20c:6eff:fef8:7d1c/64 scope link
        valid_lft forever preferred_lft forever
 mett@asus:
 --
 root@tamirrsso:/var/log# ip -6 add show
 
 3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
     inet6 fe80::207:95ff:fed5:2fda/64 scope link
        valid_lft forever preferred_lft forever
 root@tamirrsso:/var/log#
 --
 mett@asus:~$ ping6 -I eth0 fe80::207:95ff:fed5:2fda
 PING fe80::207:95ff:fed5:2fda(fe80::207:95ff:fed5:2fda) from fe80::20c:6eff:fef8:7d1c eth0: 56 data bytes
 64 bytes from fe80::207:95ff:fed5:2fda: icmp_seq=1 ttl=64 time=0.433 ms
 64 bytes from fe80::207:95ff:fed5:2fda: icmp_seq=2 ttl=64 time=0.205 ms
 64 bytes from fe80::207:95ff:fed5:2fda: icmp_seq=3 ttl=64 time=0.201 ms
 64 bytes from fe80::207:95ff:fed5:2fda: icmp_seq=4 ttl=64 time=0.256 ms
 64 bytes from fe80::207:95ff:fed5:2fda: icmp_seq=5 ttl=64 time=0.199 ms
 
 
 
 HTH!
 
 
 
 On Wed, 3 Sep 2014 15:55:38 +0200
 Julien b jumbo...@gmail.com wrote:
 
  Hello everybody
  
  I'm very new to lists.debian.org so please apologize if I am doing
  something wrong by sending this email. I'm just out of idea with a
  behavior in NDP and must find a solution. I didn't find anything on
  the internet.
  
  RFC4861 section 7.2.2 says that the source address in NDP neighbor
  solicitations can be any one of the addresses assigned to the
  interface. It also says that using the prompting packet's source
  address ensures that the recipient installs it in its neighbor
  cache. The latter is the behavior I can see on my boxes (a debian
  6.0.9 + custom kernel 3.2.14) and also on a Centos one.
  
  # ip -6 addr list
  1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436
      inet6 ::1/128 scope host
         valid_lft forever preferred_lft forever
  3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
      inet6 2a10:7e40:edf6:100::32/64 scope global
         valid_lft forever preferred_lft forever
      inet6 fe80::a00:27ff:fe02:3cbd/64 scope link
         valid_lft forever preferred_lft forever
  
  # ping6 2a10:7e40:edf6:100::33 -c 3 /dev/null
  # tcpdump -nli eth0 icmp6
  
  18:09:04.726908 IP6 2a10:7e40:edf6:100::32 > ff02::1:ff00:33: ICMP6, neighbor solicitation, who has 2a10:7e40:edf6:100::33, length 32
  18:09:04.727373 IP6 2a10:7e40:edf6:100::33 > 2a10:7e40:edf6:100::32: ICMP6, neighbor advertisement, tgt is 2a10:7e40:edf6:100::33, length 32
  18:09:04.727391 IP6 2a10:7e40:edf6:100::32 > 2a10:7e40:edf6:100::33: ICMP6, echo request, seq 1, length 64
  18:09:04.727738 IP6 2a10:7e40:edf6:100::33 > 2a10:7e40:edf6:100::32: ICMP6, echo reply, seq 1, length 64
  
  
  My question is : How can I force ndp to use the link-local address
  assigned to that outgoing device ? (in the trace above, ndp would
  then send the neighbor solicitation with fe80::a00:27ff:fe02:3cbd
  source address).
  
  This is requested by our customer for security reasons and as far as
  I can see it complies with RFC4861 as well.
  
  If someone had a clue how to do that or if it's just impossible, I
  would really appreciate your help.
  
  Thank you
  Best regards
  Julien
 
 

By the way, sorry for top-posting...


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20140904093203.696b0eff@asus.tamerr



Re: Skype access cancelled for Debian versions before 7

2014-08-03 Thread mett
On Sun, 3 Aug 2014 03:05:28 -0400
Tom H tomh0...@gmail.com wrote:

 On Sat, Aug 2, 2014 at 1:29 PM, Bret Busby bret.bu...@gmail.com
 wrote:
 
  I have found, in the last day, that Microsoft has apparently
  cancelled Skype access for versions of Debian before 7.x.
 
  With the error message that I encountered, with my Skype 2.2 (beta)
  running on Debian 6, I went to the Skype web site, and found that
  they have cancelled access for all but the latest version of Skype,
  and, for Debian, it apparently needs Debian 7.x, to run.
 
  No notice (on the Skype mailing list) was given.
 
  I thought that anyone like me, who is running and using Debian 6
  (and anyone using earlier versions of Debian), most of the time,
  might like to know.
 
 Debian 6 is oldstable so why shouldn't MS decide to withdraw Skype
 support?
 
 Didn't Google withdraw Chrome support recently? (There was a thread
 about this.)
 
 

  I thought that anyone like me, who is running and using Debian 6
  (and anyone using earlier versions of Debian), most of the time,
  might like to know.

Thanks for the info, I was using Skype with 2 accounts(2.2.025beta)
opened simultaneously on Squeeze.
It was very convenient to speak with persons living in other worlds.
Bye bye Skype! 


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20140804102640.7343bda8@asus.tamerr



Re: ip address on dhcp client

2014-07-14 Thread mett
On Mon, 14 Jul 2014 22:33:11 +0530
rajiv chavan rc214...@gmail.com wrote:

 On Mon, 14 Jul 2014 07:53:06 +0530
 rajiv chavan rc214...@gmail.com wrote:
 
  Mon, 14 Jul 2014 07:26:20 +0530
 
  Thank you Mett.
  Traceroute packets from another host dropped by ISP network at
  218.248.0.0
 
  netstat -rn
 
  Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
  0.0.0.0         0.0.0.0         0.0.0.0         U         0 0          0 ppp0
  117.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 eth0
  117.222.8.1     0.0.0.0         255.255.255.255 UH        0 0          0 ppp0
  127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
  192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
  224.0.0.0       0.0.0.0         240.0.0.0       U         0 0          0 eth0
 
  ifconfig eth0:0 yields:
  ip a
 
  2: eth0:
  link/ether
  inet 192.168.1.2/24 brd 192.168.1.255 scope global eth0
  inet 117.222.15.189/8 brd 117.255.255.255 scope global eth0:0
  3: ppp0:
  link/ppp
  inet 117.222.15.189 peer 117.222.8.1/32 scope global ppp0
 
  This is a lone host - no network.
  Address 117.222.15.189 does not map to modem-router. Nmap on modem
  returns ports 23,80,5431 open. All ports on 117.222.15.189 filtered.
  The state may not be reproducible. Oftentimes eth0 gets only
  192.168.1.2 address (which can be pinged ),and  ppp0 does not exist.
 
 
  On 7/14/14, mett m...@pmars.jp wrote:
   On Mon, 14 Jul 2014 00:31:43 +0530
   rajiv chavan rc214...@gmail.com wrote:
  
   Sun, 13 Jul 2014 23:34:41 +0530
  
   ip a output on an adsl+ (pppoe) client:
   =snip=
   2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
       inet 192.168.1.2/24 brd 192.168.1.255 scope global eth0
   3: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1460 qdisc pfifo_fast state UNKNOWN group default qlen 3
       link/ppp
       inet 117.222.15.189 peer 117.222.8.1/32 scope global ppp0
   =snip=
   Can ping 127.0.0.1 and 192.168.1.1 but not 117.222.15.189 nor
   192.168.1.2
   tcpdump on eth0 detects pppoe packets from 117.222.15.189 to hosts
   except 192.168.1.1-2
   nmap reports 117.222.15.189 ip but all ports 1-1000 filtered.
  
  
  
   Hi,
  
   Everything is on the same interface?
   I don't think Eth0 can be routing for your local network and at
   the same time become ppp0 and route for a global network.
   I think you'll need some kind of subinterfaces if you want to use
   only one physical interface for your local network and the outside
   one.
  
   Maybe try a traceroute and you'll see where the packets are going.
   Also, check the routes(netstat -nr or route -ne).
  
   You might give a try one by one to see at what point it stops
   working: -try only the local network first and once it's working
   try to set up your pppoe link.
  
   hth
  
  
  
  
 
 No prob,
 by the way, better to answer to the list than PM to my address,
 as sby who might have same problem can see this thread and benefit of
 the info as well.
 
 Also, on this mailing list, generally you post down the thread,
 like this other persons reading the thread can get an idea of the
 whole thing, easily by scrolling down.
 
 Regarding the issue, if this is a lone host and you are not NATing,
 one easy way of trblshooting would be :
 -no manual ip address at all on eth0
 -no manual routes as well,
 -then run pppoeconf, it's quite straight forward and tells you if it
 finds an aggregator on your ISP side.
 
 With the following top.
 
 PCmodem-Internet
 
 
 Did you try to set up route manually, as I can see many routes under
 netstat -nr ?
 
 By the way, I never tried with subinterfaces on same phy for outside
 and inside, but I don't understand why you have a route for
 multicast(224 smtg) and also a route for the 117.0.0.0 network and
 at the same time one for 192.168, all that on eth0.
 Even if eth0 is showing eth0:0, I don't think you need a route for
 117.0.0.0., neither one for multicast(224).
 
 Try to remove them and see what happened but would be better, faster
 and easier to just run pppoeconf with an eth0 interface without any IP
 address.
 
 Also, I was talking about traceroute from your host to outside.
 If it doesn't go anywhere, you will be sure the problem is on your
 side.
 
 Also, you said your host is alone, no network but eth0 on 192.168.1.2
 can be pinged. I don't understand how that is possible.
 
 
 As a ref, I paste mine down here
 # netstat -nr
 Kernel IP routing table
 Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
 ISP.AGG.IP.ADD  0.0.0.0         255.255.255.255 UH        0 0          0 ppp0
 192.168.1.0 0.0.0.0

Re: ip address on dhcp client

2014-07-13 Thread mett
On Mon, 14 Jul 2014 00:31:43 +0530
rajiv chavan rc214...@gmail.com wrote:

 Sun, 13 Jul 2014 23:34:41 +0530
 
 ip a output on an adsl+ (pppoe) client:
 =snip=
 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
     inet 192.168.1.2/24 brd 192.168.1.255 scope global eth0
 3: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1460 qdisc pfifo_fast state UNKNOWN group default qlen 3
     link/ppp
     inet 117.222.15.189 peer 117.222.8.1/32 scope global ppp0
 =snip=
 Can ping 127.0.0.1 and 192.168.1.1 but not 117.222.15.189 nor
 192.168.1.2
 tcpdump on eth0 detects pppoe packets from 117.222.15.189 to hosts
 except 192.168.1.1-2
 nmap reports 117.222.15.189 ip but all ports 1-1000 filtered.
 
 

Hi,

Everything is on the same interface? 
I don't think Eth0 can be routing for your local network and at the
same time become ppp0 and route for a global network.
I think you'll need some kind of subinterfaces if you want to use only
one physical interface for your local network and the outside one.

Maybe try a traceroute and you'll see where the packets are going.
Also, check the routes(netstat -nr or route -ne).

You might give a try one by one to see at what point it stops working:
-try only the local network first and once it's working try to set up
your pppoe link.

hth


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20140714091211.3c1fd4cd@asus.tamerr



Re: ip address on dhcp client

2014-07-13 Thread mett
On Mon, 14 Jul 2014 07:53:06 +0530
rajiv chavan rc214...@gmail.com wrote:

 Mon, 14 Jul 2014 07:26:20 +0530
 
 Thank you Mett.
 Traceroute packets from another host dropped by ISP network at
 218.248.0.0
 
 netstat -rn
 
 Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
 0.0.0.0         0.0.0.0         0.0.0.0         U         0 0          0 ppp0
 117.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 eth0
 117.222.8.1     0.0.0.0         255.255.255.255 UH        0 0          0 ppp0
 127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
 192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
 224.0.0.0       0.0.0.0         240.0.0.0       U         0 0          0 eth0
 
 ifconfig eth0:0 yields:
 ip a
 
 2: eth0:
 link/ether
 inet 192.168.1.2/24 brd 192.168.1.255 scope global eth0
 inet 117.222.15.189/8 brd 117.255.255.255 scope global eth0:0
 3: ppp0:
 link/ppp
 inet 117.222.15.189 peer 117.222.8.1/32 scope global ppp0
 
 This is a lone host - no network.
 Address 117.222.15.189 does not map to modem-router. Nmap on modem
 returns ports 23,80,5431 open. All ports on 117.222.15.189 filtered.
 The state may not be reproducible. Oftentimes eth0 gets only
 192.168.1.2 address (which can be pinged ),and  ppp0 does not exist.
 
 
 On 7/14/14, mett m...@pmars.jp wrote:
  On Mon, 14 Jul 2014 00:31:43 +0530
  rajiv chavan rc214...@gmail.com wrote:
 
  Sun, 13 Jul 2014 23:34:41 +0530
 
  ip a output on an adsl+ (pppoe) client:
  =snip=
  2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
      inet 192.168.1.2/24 brd 192.168.1.255 scope global eth0
  3: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1460 qdisc pfifo_fast state UNKNOWN group default qlen 3
      link/ppp
      inet 117.222.15.189 peer 117.222.8.1/32 scope global ppp0
  =snip=
  Can ping 127.0.0.1 and 192.168.1.1 but not 117.222.15.189 nor
  192.168.1.2
  tcpdump on eth0 detects pppoe packets from 117.222.15.189 to hosts
  except 192.168.1.1-2
  nmap reports 117.222.15.189 ip but all ports 1-1000 filtered.
 
 
 
  Hi,
 
  Everything is on the same interface?
  I don't think Eth0 can be routing for your local network and at the
  same time become ppp0 and route for a global network.
  I think you'll need some kind of subinterfaces if you want to use
  only one physical interface for your local network and the outside
  one.
 
  Maybe try a traceroute and you'll see where the packets are going.
  Also, check the routes(netstat -nr or route -ne).
 
  You might give a try one by one to see at what point it stops
  working: -try only the local network first and once it's working
  try to set up your pppoe link.
 
  hth
 
 
 
 

No prob, 
by the way, better to answer to the list than PM to my address,
as sby who might have same problem can see this thread and benefit of
the info as well.

Also, on this mailing list, generally you post down the thread,
like this other persons reading the thread can get an idea of the whole
thing, easily by scrolling down.

Regarding the issue, if this is a lone host and you are not NATing,
one easy way of trblshooting would be :
-no manual ip address at all on eth0
-no manual routes as well, 
-then run pppoeconf, it's quite straight forward and tells you if it
finds an aggregator on your ISP side.

With the following top. 

PCmodem-Internet


Did you try to set up route manually, as I can see many routes under
netstat -nr ?

By the way, I never tried with subinterfaces on same phy for outside
and inside, but I don't understand why you have a route for
multicast(224 smtg) and also a route for the 117.0.0.0 network and
at the same time one for 192.168, all that on eth0.
Even if eth0 is showing eth0:0, I don't think you need a route for
117.0.0.0., neither one for multicast(224).

Try to remove them and see what happened but would be better, faster
and easier to just run pppoeconf with an eth0 interface without any IP
address.

Also, I was talking about traceroute from your host to outside.
If it doesn't go anywhere, you will be sure the problem is on your side.

Also, you said your host is alone, no network but eth0 on 192.168.1.2 
can be pinged. I don't understand how that is possible.


As a ref, I paste mine down here
# netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
ISP.AGG.IP.ADD  0.0.0.0         255.255.255.255 UH        0 0          0 ppp0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
0.0.0.0         0.0.0.0         0.0.0.0         U         0 0          0 ppp0

Thing is I have 2 phy interfaces, so ppp0 is not running on eth0 but
eth1, that you cannot see here.
I only ran pppoeconf

Re: flakey wifi access

2014-06-30 Thread mett
On Mon, 30 Jun 2014 06:39:29 -0400
ken geb...@mousecar.com wrote:

> On 06/29/2014 10:50 PM tom arnall wrote:
> > my wicd agent is unable to connect to wifi at mcDonald's, both in
> > mexico and the states. it's fine with my home wifi and the coffee
> > shop i go to. it also fails on the network at the campus where i
> > teach in mexico.
>
> Unable to connect can mean a lot of things.  I recently had a wifi
> connection problem which, using 'ping', I determined to be caused by
> a lot of packets being dropped-- like 30 - 60% of them.  I found that
> ping will return a response in some cases even when it seems there is
> no connection.  You'll need to find out the IP address of the access
> point (AP).  If your system doesn't tell you this, you might ask some
> other user.  Get rates from all APs, working and non-working, and
> compare them.
>
> Another utility to use is tcpdump.  This will provide very detailed
> information about the packets constituting the connection attempt.
>
> And iwlist will provide info on the available APs.  Noting the
> relative signal strengths and protocols used and other details might
> point to patterns.


You can try to go the manual way to see if you get better results:

-bring up your wireless interface, if it's not already up
 
'ifconfig' (if it doesn't appear here, means it is not up)

'ifconfig -a' (you should see it here, as this command lists all the
available physical interfaces on your machine. Then) 

'ifconfig WIRELESS-INTERFACE-NAME up' (to bring it up).

-Then, once up, you can, as ken said, use iwlist to know about the AP
in your vicinity

'iwlist scan'

You should see mac-donald's AP essid name in the list you get from
iwlist.

-Finally, for mac-donalds, I saw on their page there isn't any
encryption and password to connect to their AP, so you just need to run
 
'iwconfig WIRELESS-INTERFACE-NAME essid MACDO-ESSID-NAME'

and then dhclient to get an IP(with the -v flag to be sure you
obtained an IP address)

'dhclient -v WIRELESS-INTERFACE-NAME'

-Finally_2, open your browser and you should see mac-do HP, 
and a 'connect' button to connect from there.


There is a detailed explanation to connect manually on crunchbang,
under the three main methods (no password and no encryption, or WEP or
WPA). Here is the link
http://crunchbang.org/forums/viewtopic.php?id=16624

Also, you might have to use 'sudo' for all those commands as you need
to be the root user to run them.

Also_2, stop all the other wifi-network-related daemons as they might
get in the way when you try to config manually(wicd and others if you
have).

HTH


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20140701113048.2b0b6e7b@asus.tamerr



Re: integrating Debian into a windows 2003 domain

2014-03-30 Thread mett
On Fri, 28 Feb 2014 15:47:06 +0100
berenger.mo...@neutralite.org wrote:

> Hello.
>
> I am trying to integrate my computer into the domain at work. Until
> now I did not really try, but I tried to search around the web for
> more than 20m and only found documents which were at least 4 years
> old, and so, using tools that were no longer present...
>
> So, does someone have some pointer to a document explaining how to
> integrate a modern debian ( with samba 4.x ) into a windows 2003
> server ( yes, I know that this windows version is almost not
> maintained, and ... but i do not mind, it's not my enterprise, and
> I'm not a sysadmin :) ).
>
> I would like to at least be able to access shared directories and
> printers... not really urgent, but might be useful sooner or later.

Did you see the nixCraft page about accessing Windows shares?
http://www.cyberciti.biz/faq/access-windows-shares-from-linux/


Regarding the printer, I'm not sure but if the printers are running by
themselves (I mean not under direct ruling from the Windows server; and
even in this case I don't see how the server could really stop you from
accessing the printer _in a simple environment_), you can access them
with cups.

And, maybe you know it, but you need the driver for the printer on your
box, even if it is a network printer.

HTH


-- 
Archive: https://lists.debian.org/20140331015642.0467a129@hp.tamerr



[Solved] Re: Debian gateway problem

2014-01-07 Thread mett
On Fri, 27 Dec 2013 10:15:04 +0100
Nemeth Gyorgy fri...@freemail.hu wrote:

> On 2013-12-26 at 06:27, mett wrote:
> > Hi,
> >
> > I'm using a debian box as a router and multiserver between my LAN
> > and the internet.
(cut)
> > It seems(according to tcpdump on both interface) that replies from
> > some sites get lost or get an ICMP destination unreachable from the
> > gateway somehow.
>
> For me it seems a PMTU problem. Insert the following line in the
> proper place:
> iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

Hi and HNY everybody!

Just a final update on this thread.

I ended up with the script below working perfectly,
except if I use both of the following rules at the beginning of the script.
---
iptables -t nat -F
iptables -t mangle -F
---

I don't fully understand why but I'll investigate that later.

script:
--
#!/bin/sh

PATH=/usr/sbin:/sbin:/bin:/usr/bin

#
# delete all existing rules.
#
iptables -F

iptables -X

## nat/POSTROUTING
# Masquerade = Changed to SNAT(seemed wiser in my situation after
#reading doc...).
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j SNAT --to-source EXT.FIX.IP.ADD

## filter/FORWARD

# Allow New outgoing connections from the LAN side.
iptables -t filter -A FORWARD -i eth0 -o ppp0 -m state --state NEW -j ACCEPT

# Allow Established outgoing connections from the LAN side.
iptables -t filter -A FORWARD -i eth0 -o ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT


# Allow forwarding of established connection from WAN side.
iptables -t filter -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Don't forward from the outside to the inside (icmp Port_U).
iptables -t filter -A FORWARD -i ppp0 -o eth0 -j REJECT

## filter/INPUT

# Always accept loopback traffic
iptables -t filter -A INPUT -i lo -j ACCEPT

#log udp port 5060
iptables -t filter -A INPUT -i ppp0 -p udp --dport 5060 -j LOG --log-level debug

#asterisk
iptables -t filter -A INPUT -i ppp0 -p udp --dport 5060 -j ACCEPT

#tor
iptables -t filter -A INPUT -i ppp0 -p tcp --dport 9001 -j ACCEPT

#postfix
iptables -t filter -A INPUT -i ppp0 -p tcp --dport 25 -j ACCEPT
iptables -t filter -A INPUT -i ppp0 -p tcp --dport 587 -j ACCEPT

#dovecot
iptables -t filter -A INPUT -i ppp0 -p tcp --dport 110 -j ACCEPT
iptables -t filter -A INPUT -i ppp0 -p tcp --dport 995 -j ACCEPT
iptables -t filter -A INPUT -i ppp0 -p tcp --dport 143 -j ACCEPT
iptables -t filter -A INPUT -i ppp0 -p tcp --dport 993 -j ACCEPT

#apache
iptables -t filter -A INPUT -i ppp0 -p tcp --dport 80 -j ACCEPT
iptables -t filter -A INPUT -i ppp0 -p tcp --dport 443 -j ACCEPT

#maradns
iptables -t filter -A INPUT -i ppp0 -p udp --dport 53 -j ACCEPT

#vsftp
iptables -t filter -A INPUT -i ppp0 -p tcp --dport 21 -j ACCEPT
iptables -t filter -A INPUT -i ppp0 -p tcp --dport 5:50010 -j ACCEPT

# Allow established connections
iptables -t filter -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Proto_U everything else on outside interface (-input ppp0)
iptables -t filter -A INPUT -i ppp0 -j REJECT --reject-with icmp-proto-unreachable


# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward
--

Thanks a lot for all the comments.





--
Archive: http://lists.debian.org/20140108161658.121d9606@asus.tamerr



Re: Debian gateway problem

2013-12-26 Thread mett
On Thu, 26 Dec 2013 20:41:24 +1300
Richard Hector rich...@walnut.gen.nz wrote:

> On 26/12/13 18:27, mett wrote:
> > Hi,
> >
> > I'm using a debian box as a router and multiserver between my LAN
> > and the internet.
> >
> > Everything was working fine till yesterday when I put the box down
> > for upgrading memory, for a few hours.
> >
> > Right now, the external interface of the gateway is fully accessible
> > from the net, and I do not have any problem with the different
> > services I am providing to the outside(mail, webserver. and dns for
> > the web servers).
> >
> > The problem is on the LAN side, I can access some sites but not all
> > the sites as I used to do.
> >
> > For example, I can access the Start page search engine but not
> > Duckduckgo.
>
> That's really strange.
>
>
> > iptables -A FORWARD -i ppp0 -o eth0 -m state --state
> > ESTABLISHED,RELATED -j ACCEPT
>
> I assume that's really on one line?
Yes
>
>
> > # Don't forward from the outside to the inside.
> > iptables -A FORWARD -i ppp0 -o ppp0 -j REJECT
>
> That looks like outside to outside - you probably want -i ppp0 -o
> eth0
>
> Beyond that, I have no idea, sorry.
>
> I'd be testing with tcpdump, as you have been. Possibly confirm that
> the IP addresses you're getting from DNS inside and on the gateway
> are the same?
>
> Also perhaps try removing everything unrelated to the masquerading bit
> from your script and see if that works, then add bits back in?
>
> I also generally use a policy DROP rule (iptables -P INPUT DROP),
> which I specify at the top of the file, rather than dropping through
> to a DROP/REJECT rule at the end. That shouldn't make any difference,
> though.
>
> Richard

Hi,

It seems I had many problems in fact...
I couldn't check everything yet but now it's working

I did few dirty things like deleting all the rules one by one
because even when moving the script somewhere else, it still acted
when I restarted interfaces.

Finally I cleaned the original script,
going one rule at a time.

#!/bin/sh

PATH=/usr/sbin:/sbin:/bin:/usr/bin

#
# delete all existing rules.
#
iptables -F

# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT

#log udp port 5060
iptables -A INPUT -i ppp0 -p udp --dport 5060 -j LOG --log-level debug

#asterisk
iptables -A INPUT -i ppp0 -p udp --dport 5060 -j ACCEPT

#tor
iptables -A INPUT -i ppp0 -p tcp --dport 9001 -j ACCEPT

#postfix
iptables -A INPUT -i ppp0 -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --dport 587 -j ACCEPT

#dovecot
iptables -A INPUT -i ppp0 -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --dport 995 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --dport 143 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --dport 993 -j ACCEPT

#apache
iptables -A INPUT -i ppp0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --dport 443 -j ACCEPT

#maradns
iptables -A INPUT -i ppp0 -p udp --dport 53 -j ACCEPT


# Allow established connections, and those not coming from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT

# Masquerade.
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

# Don't forward from the outside to the inside.
iptables -A FORWARD -i ppp0 -o eth0 -j REJECT

# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward

 
I realized that if I use the following rules at the beginning,
even with the POSTROUTING at the end, then it doesn't work.

[iptables -t nat -F]

Also, this one doesn't get accepted by iptables

iptables -A INPUT -m state --state NEW -i ! ppp0 -j ACCEPT
it's deprecated and you have to put it before the option,
which I tried but the result scared me with words like
nontracked, raw and similar.

I thought the ! was for Not this one.

Anyway, I deleted this rule and changed the one with ppp0 to ppp0 
for ppp0 to eth0.
I thought it made sense ppp0 to ppp0 like don't forward via this
interface. Only INPUT to OUTPUT.

I'll have to check the whole more seriously cause I was planning to
drop,as you advised, all the non accepted ones in the INPUT chain,
before the masquerade problem happened.
 
Thanks for your comment.


-- 
Archive: http://lists.debian.org/20131227012612.0f1073a6@hp.tamerr
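
Added example, not code from this thread: a small Python lint for rule scripts like the ones posted here. It flags the two mistakes discussed above (the old `-i ! ppp0` negation form and a FORWARD reject rule whose `-i` and `-o` name the same interface) and, going slightly beyond them, an ACCEPT rule whose port range spans more than 1024 ports. The function names, the threshold and the sample rules are assumptions made for the example.

```python
import shlex

# Constructed sample in the style of the rules posted in this thread.
SAMPLE = """\
# Allow established connections, and those not coming from the outside
iptables -A INPUT -m state --state NEW -i ! ppp0 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --dport 5:50010 -j ACCEPT
iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT
# Don't forward from the outside to the inside.
iptables -A FORWARD -i ppp0 -o ppp0 -j REJECT
"""

KEYS = {"-t": "table", "-A": "chain", "-j": "target",
        "-i": "in", "-o": "out", "--dport": "dport"}


def parse_rule(line):
    """Parse one 'iptables -A ...' line into a dict; None for any other line."""
    try:
        tokens = shlex.split(line, comments=True)
    except ValueError:  # unbalanced quote or dangling backslash
        return None
    if len(tokens) < 3 or tokens[0] != "iptables" or "-A" not in tokens:
        return None
    rule = {"table": "filter", "chain": None, "target": None, "in": None,
            "out": None, "dport": None, "negated": set(), "old_negation": []}
    i, bang = 1, False
    while i < len(tokens):
        tok = tokens[i]
        if tok == "!":  # current syntax: ! -i ppp0
            bang, i = True, i + 1
            continue
        if tok in KEYS and i + 1 < len(tokens):
            value = tokens[i + 1]
            if value == "!" and i + 2 < len(tokens):  # old syntax: -i ! ppp0
                rule["old_negation"].append(tok)
                value, bang, i = tokens[i + 2], True, i + 1
            rule[KEYS[tok]] = value
            if bang:
                rule["negated"].add(KEYS[tok])
            i += 1
        bang, i = False, i + 1
    return rule


def port_span(dport):
    """Number of ports in 'low:high' (either side may be empty), else 1."""
    low, sep, high = dport.partition(":")
    if not sep or not (low or "0").isdigit() or not (high or "0").isdigit():
        return 1
    return int(high or 65535) - int(low or 0) + 1


def lint(script, wan="ppp0", lan="eth0", max_ports=1024):
    """Return (line, check, message) tuples; line 0 means the whole script."""
    findings, wan_to_lan_blocked = [], False
    for lineno, line in enumerate(script.splitlines(), 1):
        rule = parse_rule(line)
        if rule is None:
            continue
        for opt in rule["old_negation"]:
            findings.append((lineno, "old-negation",
                             f"write '! {opt} NAME', not '{opt} ! NAME'"))
        if rule["target"] == "ACCEPT" and rule["dport"]:
            span = port_span(rule["dport"])
            if span > max_ports:
                findings.append((lineno, "wide-port-range",
                                 f"--dport {rule['dport']} accepts {span} ports"))
        blocks = rule["target"] in ("REJECT", "DROP") and not rule["negated"]
        if rule["chain"] == "FORWARD" and blocks:
            if rule["in"] and rule["in"] == rule["out"]:
                findings.append((lineno, "same-interface",
                                 f"-i and -o are both {rule['in']}, so traffic "
                                 "routed between two interfaces never matches"))
            elif rule["in"] == wan and rule["out"] in (lan, None):
                wan_to_lan_blocked = True
    if not wan_to_lan_blocked:  # heuristic: ignores chain policy and rule order
        findings.append((0, "wan-to-lan-open",
                         f"no FORWARD rule rejects {wan} -> {lan} traffic"))
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```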



Debian gateway problem

2013-12-25 Thread mett
Hi,

I'm using a debian box as a router and multiserver between my LAN and
the internet.

Everything was working fine till yesterday when I put the box down for
upgrading memory, for a few hours.

Right now, the external interface of the gateway is fully accessible
from the net, and I do not have any problem with the different services
I am providing to the outside(mail, webserver. and dns for the web
servers).

The problem is on the LAN side, I can access some sites but not all the
sites as I used to do.

For example, I can access the Start page search engine but not
Duckduckgo.

The gateway can access everything, it's the hosts behind the gateway
that cannot.


I have 2 interfaces on this box:
eth0 which is used as the LAN interface and
eth1 which is used as ppp0 with a static IP from my ISP.

---
/etc/sysctl.conf has the forwarding rule for ipv4
net.ipv4.ip_forward=1
net.ipv4.conf.default.forwarding=1 (maybe useless but I'm kind of
trying everything) 
net.ipv4.conf.all.forwarding=1 (maybe useless but I'm kind of
trying everything) 
---
cat /proc/sys/net/ipv4/ip_forward
1
---
Iptables rules are as follows
# delete all existing rules.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT


#log udp port 5060
iptables -A INPUT -i ppp0 -p udp --dport 5060 -j LOG --log-level debug

#asterisk
iptables -A INPUT -i ppp0 -p udp --dport 5060 -j ACCEPT


#tor
iptables -A INPUT -i ppp0 -p tcp --dport 9001 -j ACCEPT

#postfix
iptables -A INPUT -i ppp0 -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --dport 587 -j ACCEPT

#dovecot
iptables -A INPUT -i ppp0 -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --dport 995 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --dport 143 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --dport 993 -j ACCEPT

#apache
iptables -A INPUT -i ppp0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --dport 443 -j ACCEPT

#maradns
iptables -A INPUT -i ppp0 -p udp --dport 53 -j ACCEPT


# Allow established connections, and those not coming from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! ppp0 -j ACCEPT
iptables -A FORWARD -i ppp0 -o eth0 -m state --state
ESTABLISHED,RELATED -j ACCEPT


# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT

# Masquerade.
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

# Don't forward from the outside to the inside.
iptables -A FORWARD -i ppp0 -o ppp0 -j REJECT



# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward


I am totally at loss and was wondering if somebody has an idea about
where the problem might be coming from.

It seems(according to tcpdump on both interface) that replies from some
sites get lost or get an ICMP destination unreachable from the
gateway somehow.


Thanks a lot.


mett



-- 
Archive: http://lists.debian.org/20131226142700.4f9f1be6@asus.tamerr



Re: Suddenly, new types of SSL errors

2013-08-02 Thread mett
On Fri, 2 Aug 2013 10:32:15 +0100
Darac Marjal mailingl...@darac.org.uk wrote:

> On Fri, Aug 02, 2013 at 09:06:41AM +0200, Jochen Spieker wrote:
> > mett:
> > >
> > > Since 2, 3 weeks now, I'm getting some new types of log errors,
> > > related to SSL, on an Apache2 and Dovecot server I'm managing.
> >
> > Don't worry about them as long as your services appear to work fine
> > for you. If you run a public server, it is normal that people send
> > random junk your server doesn't understand. Some of it may be
> > malicious, some of it is broken clients. You can't do anything
> > against this except blocking them at a lower protocol layer (just
> > like you do with fail2ban).
>
> If you're worried, use a checker such as
> https://www.ssllabs.com/ssltest/index.html to verify the robustness of
> your server. It may be that, with new attacks such as BEAST and CRIME,
> people are probing your server for vulnerabilities. If you get a good
> rating on the tests, then you can be assured that those knocks on the
> door won't get through.

Thanks a lot for all the answers. 
The link to ssllabs is a nice one. 





Suddenly, new types of SSL errors

2013-08-01 Thread mett

Hi, 

Since 2, 3 weeks now, I'm getting some new types of log errors, related
to SSL, on an Apache2 and Dovecot server I'm managing.

--
Apache2:
[Fri Jul 26 09:47:39 2013] [error] [client 222.240.68.221] Invalid method in request \x16\x03\x01
[Fri Jul 26 09:47:40 2013] [error] [client 222.240.68.221] rejecting client initiated renegotiation
[Fri Jul 26 12:41:32 2013] [error] [client 115.205.7.94] rejecting client initiated renegotiation
[Fri Jul 26 15:39:38 2013] [error] [client 24.14.226.8] Invalid method in request \x80w\x01\x03\x01
[Fri Jul 26 18:41:33 2013] [error] [client 117.14.153.45] Invalid method in request \x16\x03\x01
[Fri Jul 26 22:36:06 2013] [error] [client 175.17.208.60] Invalid method in request \x16\x03\x01
[Fri Jul 26 22:36:07 2013] [error] [client 175.184.167.104] rejecting client initiated renegotiation

Dovecot:
Jul 27 06:28:34 HOSTNAME dovecot: imap-login: Disconnected (no auth attempts): rip=112.80.210.152, lip=EXT.ERN.AL.IP, TLS: SSL_read() failed: error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert unexpected message
Jul 27 06:28:35 HOSTNAME dovecot: pop3-login: Disconnected (no auth attempts): rip=59.53.131.117, lip=EXT.ERN.AL.IP, TLS: SSL_read() failed: error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert unexpected message
--

The SSL config for A2 and Dovecot(imaps and pop3s) seems OK, 
as I do not get those errors on the only website using SSL on this
server, neither with Dovecot on port 993(imaps) and 995(pop3s).

Most of the IP addresses are from places I am not related with and
look like the IP addresses often getting caught into the Fail2ban net
running on this server.

According to openssl documentation:
UM/unexpected message

An inappropriate message was received. This alert is always fatal
and should never be observed in communication between proper
implementations.

I understood that it is an unexpected message, but I still do not
understand why is that happening.

Has somebody with a server on the net seen this kind of logs, or
does somebody have an idea about what can be the reason?

I am running an i686 Squeeze server with very few websites in http and
1 in https under A2, and a mail server with postfix and dovecot.

Thanks!

PS:In the meantime, I have set up some new rules on Fail2ban to ban
those IPs.

PS2:
Sometimes, at the same time on Apache and Dovecot, I got this request
from 3 different IP addresses, as below:
---
Aug  2 01:37:46 HOSTNAME dovecot: imap-login: Disconnected (no auth attempts): rip=117.14.149.176, lip=EXT.ERN.AL.IP, TLS: SSL_read() failed: error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert unexpected message (Dovecot's info log)
Aug  2 01:37:47 HOSTNAME dovecot: pop3-login: Disconnected (no auth attempts): rip=112.67.217.26, lip=EXT.ERN.AL.IP, TLS: SSL_read() failed: error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert unexpected message (Dovecot's info log)

[Fri Aug 02 01:37:46 2013] [error] [client 210.72.157.240] Invalid method in request \x16\x03\x01 (Apache2's error log)
---




Below are the logs of the tests I did to check my SSL configs.
---
mett@asus:~$ telnet EXT.ERN.AL.IP 443 (localhost works as well)
Trying EXT.ERN.AL.IP...
Connected to EXT.ERN.AL.IP.
Escape character is '^]'.
GET /


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Reason: You're speaking plain HTTP to an SSL-enabled server port.<br />
Instead use the HTTPS scheme to access this URL, please.<br />
<blockquote>Hint: <a href="https://Dom.Main/"><b>https://Dom.Main/</b></a></blockquote></p>
<hr>
<address>Apache Server at Dom.Main Port 443</address>
</body></html>
Connection closed by foreign host.
---
openssl s_client -connect EXT.ERN.AL.IP:443 (localhost works as well)
---
(shortened)
---
No client certificate CA names sent
---
SSL handshake has read 1466 bytes and written 319 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol  : TLSv1
Cipher: DHE
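
Added example, not part of the original post: a Python triage of Apache entries like the ones quoted earlier in this message. It decodes the `\xNN` escapes after "Invalid method in request" and recognises a TLS record header or an SSLv2-format ClientHello, which is what Apache's HTTP parser sees when a TLS client connects to a port that is serving plain HTTP. The log lines and client addresses are constructed, and the function names are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample lines in the Apache 2.2 error-log format shown in this
# post; the client addresses come from the documentation ranges.
SAMPLE_LOG = r"""
[Fri Jul 26 09:47:39 2013] [error] [client 192.0.2.10] Invalid method in request \x16\x03\x01
[Fri Jul 26 09:47:40 2013] [error] [client 192.0.2.10] rejecting client initiated renegotiation
[Fri Jul 26 15:39:38 2013] [error] [client 198.51.100.7] Invalid method in request \x80w\x01\x03\x01
[Fri Jul 26 16:02:11 2013] [error] [client 203.0.113.5] Invalid method in request FOO / HTTP/1.1
"""

LINE_RE = re.compile(r"^\[[^\]]+\] \[error\] \[client (?P<ip>[^\]]+)\] (?P<msg>.*)$")
PREFIX = "Invalid method in request "
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}


def unescape(text):
    r"""Turn the log's \xNN escapes back into the bytes the client sent."""
    out = bytearray()
    # re.split with one capture group yields: text, hex, text, hex, ...
    for idx, part in enumerate(re.split(r"\\x([0-9a-fA-F]{2})", text)):
        out += bytes([int(part, 16)]) if idx % 2 else part.encode("latin-1", "replace")
    return bytes(out)


def classify(payload):
    """Label the first bytes of what Apache tried to read as an HTTP method."""
    # TLS record header: content type 0x16 (handshake), then major.minor version.
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 3:
        return "tls-record:" + VERSIONS.get((payload[1], payload[2]), "unknown")
    # SSLv2-format hello: length with the high bit set, type 1 (ClientHello),
    # then the version the client offers.
    if len(payload) >= 5 and payload[0] & 0x80 and payload[2] == 1 and payload[3] == 3:
        return "sslv2-hello:" + VERSIONS.get((payload[3], payload[4]), "unknown")
    return "other"


def triage(log_text):
    """Return {client address: Counter of labels} for rejected request lines."""
    result = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not m["msg"].startswith(PREFIX):
            continue
        label = classify(unescape(m["msg"][len(PREFIX):]))
        result.setdefault(m["ip"], Counter())[label] += 1
    return result


if __name__ == "__main__":
    for ip, labels in triage(SAMPLE_LOG).items():
        print(ip, dict(labels))
```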

Re: cpu monitor apache

2013-05-28 Thread mett

On Tue, 28 May 2013 10:42:16 +0200
Pol Hallen m...@fuckaround.org wrote:

> Hi folks!
>
> I'd like monitoring a single web hosting on my apache web server. I
> need know, when a client connect to my web, how many resources keep
> from my web server.
>
> Can I isolate to single web hosting? (on apache I've virtual host)
>
> thanks!
>
> Pol

Apache Server Status (mod_status);

(Unrelated: you might disable your mailer's "ask for a receipt" option.)


Re: Odd Network Problem

2013-05-19 Thread mett

On Sun, 19 May 2013 19:15:30 -0400
george cox gc...@mail.com wrote:

> On Sunday 19 May 2013 16:43:31 george cox wrote:
>
> This could still be a network config issue. An easy way around might
> be to connect (wired) both, the print server and the new laptop, to
> your router (assuming that the router also acts as the dhcp server,
> and that both clients are configured to get their ip address through
> dhcp). In the router's log you can then see the connected devices and
> their respective IP addresses. Can you connect from laptop to print
> server now? Klaus
>
> I don't think that can work. The print-server doesn't have the
> ability to connect it to the router through a wired port, it just has
> the wireless. The ethernet ports are only used to bridge other
> non-wireless equipment through the printer-server to whatever
> wireless network the printer-server is configured to use. The rub is
> the only way to configure what wireless network the print-server uses
> is to put a computer on one of those ethernet ports, hold the reset
> button on the print-server resetting it to factory defaults, then
> configure the wireless via a web-page generated by the print-server.
> What seems weird to me, is using ifconfig command to set an IP worked
> on the squeeze laptop, but didn't on the wheezy laptop. Both systems
> seem to take the ip and the output of running ifconfig -a looked the
> same on both. It was just that on one box I could connect to the
> print-servers webpage and the other I couldn't. On both I took care
> to disconnect from all other networks, so it wasn't a routing issue.
>
> I am interested in your problem and might even be able to help, but I
> cannot cope with this. You have not quoted what you are replying to,
> and there is no air here at all. I could, of course, reformat it, but
> I would still not have the quotation. You will of course get help
> from those who are not bothered by such things. But you might get
> more answers if you made yourself more accessible. Lisi
>
> I don't know why it wasn't quoted, I'm just hitting reply in the
> email provider's web interface. Not sure what you mean by no air.
> I'll see what this email looks like when I send this one, maybe it
> was just a fluke.

auto eth0 means your system will bring up the interface eth0
automatically while booting or after an invocation to bring the
interface up with ifup -a (from man interfaces).

I am not so sure on Wheezy as I am still on Squeeze(actually it might
be the same), but if your /etc/network/interfaces is set up with 

# The primary network interface
allow-hotplug eth0
iface eth0 inet dhcp

your interface eth0 will work only under dhcp,
which can be the issue if you need to connect to your printer with a
static address.

You could try to edit the /etc/network/interfaces file and set up
a static address there:

# The primary network interface
#allow-hotplug eth0
#iface eth0 inet dhcp

auto eth0
iface eth0 inet static
address 192.168.1.2
netmask 255.255.255.0
gateway 192.168.1.1

With address being the address of your laptop to connect hardwired to
your printer, and then this network's mask. The gateway address might be
your printer's hardwired address.

The # on the 2 first lines are to disable the original dhcp settings
for eth0. When you have finished with your printer settings, you erase
them and append them before the 5 lines for the static settings.
Simply put, you do the opposite.


Then save, and bring the interface down and up with, for instance,
ifdown eth0
then
ifup eth0.

Check everything went as planned with ifconfig, then try to ping your
printer: ping print.er.add.ress

Sometimes, you need to wait for 15-30 seconds for the ping to work
(I've just tried on my pc and that's what happened).