Re: Unable To Install In Graphic Mode

2009-12-31 Thread Christopher K. Johnson

On 12/31/2009 12:11 PM, David Dembrow wrote:
Attempting to install fedora 12, I get a message that there is not 
enough memory to install in graphic mode and it reverts to a text mode 
and installs some prepackaged set of applications.  It is a system 
with 384 megabytes of memory and the graphic installer worked with 
fedora 11.


How much memory does the graphic installer need and/or is there 
another way I can get to select a complete set of packages with the 
text based installer?


If you use the key choice at the boot menu of the installer to edit 
options and add ' vnc' to the boot command line, then during the initial 
installation configuration screens pick a viable network configuration 
for your situation.  You will later be informed of the ip address and 
screen to connect to the computer with vncviewer from another computer.  
This is a good alternative to perform a graphic installation if you have 
a local network to connect to and another computer available on that 
network.


--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines


Re: How to determine if a file is in use

2009-11-03 Thread Christopher K. Johnson

Donald Russell wrote:

Another system uses FTP to drop files in a directory for me to process.
I have a bash script to process the incoming files. The script is 
started by cron periodically.


There's a problem if the FTP transfer is still in progress because the 
process begins reading the file even though it isn't complete yet.

Do you have control of the FTP procedure that drops the files?  If so, 
transfer the files with one filename, and when complete, use ftp to 
rename the file.  The rename is atomic.  e.g.:

put foo.bar foo.bar.xfer
rename foo.bar.xfer foo.bar

Then have the cron job only process files without the .xfer appended to 
name.


Chris
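
The consumer side of the rename convention described in the message above, as an added example that is not part of the original post. The function names, the three directory arguments and the placeholder process_one are assumptions made for illustration; it also claims each file by renaming it into a work directory so that two overlapping cron runs cannot process the same file.

```shell
#!/bin/sh
# Added example (not from the thread). Consumer side of the upload-then-rename
# convention: names ending in .xfer are still being written and are skipped.

# Hypothetical stand-in for the real per-file work; replace with your own.
process_one() {
    wc -c < "$1" >/dev/null
}

# process_incoming INCOMING WORK DONE
# Prints the basename of every file it processed, one per line.
process_incoming() {
    incoming=$1; work=$2; donedir=$3
    for f in "$incoming"/*; do
        [ -f "$f" ] || continue                # empty dir, or not a regular file
        case $f in *.xfer) continue ;; esac    # upload still in progress
        name=${f##*/}
        # Claim the file with a rename. WORK must be on the same filesystem as
        # INCOMING so mv is a single rename(2); if an overlapping cron run got
        # there first, mv fails and this run leaves the file alone.
        mv -- "$f" "$work/$name" 2>/dev/null || continue
        if process_one "$work/$name"; then
            mv -- "$work/$name" "$donedir/$name"
            printf '%s\n' "$name"
        else
            echo "processing failed, left in $work: $name" >&2
        fi
    done
}

# Constructed demonstration in a scratch directory.
demo_incoming() {
    top=$(mktemp -d) || return 1
    mkdir "$top/incoming" "$top/work" "$top/done"
    echo complete > "$top/incoming/foo.bar"
    echo partial  > "$top/incoming/baz.bar.xfer"   # transfer not finished
    process_incoming "$top/incoming" "$top/work" "$top/done"
    mv "$top/incoming/baz.bar.xfer" "$top/incoming/baz.bar"   # sender renames
    process_incoming "$top/incoming" "$top/work" "$top/done"
    rm -rf "$top"
}

demo_incoming
```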



Re: iptables on FC11

2009-10-13 Thread Christopher K. Johnson

paul van der meij wrote:
I upgraded from FC9 to FC11 (new install) but iptables is behaving 
strange. My /etc/sysconfig/iptables file shows a number of ports as 
accept, but nmap tells a different story. e.g. imap port 143 is closed 
in nmap (and in truce), open in iptables file.

I did use the iptables GUI to configure.

Any idea what I am overlooking.

greetings, Paul van der Meij

What does 'netstat -atn' tell you?  If iptables allows connections to 
tcp 143 but there is no application listening on the port, that could 
explain what you describe.


Chris



Re: Fedora 10, software RAID weirdness

2009-10-12 Thread Christopher K. Johnson

Kanwar Ranbir Sandhu wrote:

Hello,

I wanted to upgrade my F10 system to F11 (fresh install), but F11's
anaconda wouldn't detect my md RAID sets. I booted back into F10 and
after a bit of investigation, I discovered fdisk can't even read the
partition table of my 3 drive RAID 5 set. But, a look at /proc/mdstat
reveals md is happy.

Disk /dev/sdb doesn't contain a valid partition table

Disk /dev/sdd doesn't contain a valid partition table

Disk /dev/sde doesn't contain a valid partition table
 
Personalities : [raid1] [raid6] [raid5] [raid4] 
md2 : active raid5 sdb[0] sde[2] sdd[1]

  976772992 blocks level 5, 64k chunk, algorithm 2 [3/3] [UUU]
  
Not weird given that the 3 block devices used by md2 are not partitions, 
but the entire drives.


Without the partition table and partitions marked as type linux raid 
autodetect, it is not surprising that anaconda does not recognize and 
assemble md2.


I cannot recommend exactly how to solve this since I don't know what you 
have on md2, nor what backup options you have.  So I don't know whether 
you need to boot in rescue to do this.  But I would recommend you back up 
md2, deconstruct it, create a single large partition on each of sdb, 
sdd, sde, of type linux raid autodetect, and construct a new md2 using 
those sdb1, sdd1, and sde1 partitions, then restore the data.


Chris



Re: What development rpm am I missing?

2009-09-23 Thread Christopher K. Johnson

Robert Moskowitz wrote:

Mogens Kjaer wrote:

On 09/23/2009 01:35 PM, Robert Moskowitz wrote:

'/test1: line 1: syntax error near unexpected token `{


Starting the script with

#!/bin/bash

might be a good idea. 


I used vi to insert this line and I get:

./test1
-bash: ./test1: /bin/bash^M: bad interpreter: No such file or directory

I don't see that control M in vi or gedit...



vi -b test1



Re: Automatic page numbering in OpenOffice

2009-09-11 Thread Christopher K. Johnson

gil...@altern.org wrote:

Sometimes OpenOffice reminds me of the bad old days of WordPerfect.
Everything is so complicated, even though the document formatting I need
is just elementary.

For now, all I want to do is set automatic page numbering in the x/y
format, e.g.: 1/5, 2/5, 3/5, etc., for every new document I create.

How do I do this?

Thanks!
  
I'm not sure whether there is any way to set this up automatically other 
than creating a document or document template which you open for each 
new document you start.  Insert footer, then click within the footer, 
set centered line justification, insert field page, type '/', insert 
field page count.


Chris



Re: Excluding two subdirectories in rsync

2009-08-25 Thread Christopher K. Johnson

Robert Moskowitz wrote:

I have been using an rsync for Centos updates like:

rsync -auv rsync://mirrors/updates/i386/ --delete --exclude=debug/ /repos/centos/updates/i386



But for Fedora 11, I see there is a drpms subdirectory that I ASSuME I 
don't need, drpms.


How do I exclude two subdirectories?  I can't figure it out from the 
man pages.


--exclude=debug/ drpms/   ???



Add another --exclude instead.

rsync -auv rsync://mirrors/updates/i386/ --delete --exclude=debug/ --exclude=drpms/ /repos/centos/updates/i386




Re: Unable to kill runaway app. -

2009-08-20 Thread Christopher K. Johnson

Bob Goodwin wrote:

I just had perhaps the third occurrence of this problem.

I tried to shut down gthumb which was displaying a photo from the 
nfs server. It would not shut down, at least not in a reasonable 
amount of time. Gkrellm showed cpu1 running at max. and top indicated 
the cpu at 99.5%. Something did eventually time out but that did not 
calm the cpu activity.


   3487 bobg  20   0  2928 1068  932 R 99.5  0.0 445:55.55 gam_server

Kill 3487 does not stop it. In fact nothing seems to. I told it to 
poweroff and it got as far as halting system and stayed there until 
I pressed the power button for five seconds or so.


This happened once last night and it sat there saying it was busy, the 
power button was required to kill it then too.


I don't expect anyone to troubleshoot the problem but would like to 
know what other commands I might try to restore things without 
shutting down and rebooting.


This is an F-10 system pretty much up to date, certainly all security 
updates and perhaps all the rest, I've lost track at the moment. I 
suspect the problem is related to some horse photo files from my 
daughter's Mac. But I need a way to stop things when this happens ...


Any help appreciated.

Bob

Try soft option on the nfs mount in case the root cause is a problem 
with the nfs access to the image file.




Re: Samba Issues [ALMOST SOLVED] still need help

2009-07-07 Thread Christopher K. Johnson

Mike Adolf wrote:

Could the problem be
due to the ntfs file system on the shared folder? If I change it to ext
how does windows use it?

Mike

How does which windows use it?  If the ntfs partition is solely mounted 
by your Linux OS, and shared with Windows on other boxes via Samba, then 
the shared filesystem should be ext3 or ext4 (F11) and then selinux can 
label the files correctly and it should work.  The other Windows boxes 
will see it only through Samba and do not need to know whether it is or 
is not ntfs.


If you intend to dual boot the system with the ntfs partition and boot 
into windows on that hardware sometimes, then you need to keep the 
filesystem as ntfs.


In the latter case you will not be able to set selinux labelling on the 
subdirectories and files in that filesystem, only for the mount point.




Re: Common F11 Bugs

2009-06-05 Thread Christopher K. Johnson

David wrote:

On 6/5/2009 5:22 PM, Paul W. Frields wrote:
  

On Fri, Jun 05, 2009 at 05:06:36PM -0400, David wrote:


On 6/5/2009 4:25 PM, Robert P. J. Day wrote:
  

On Fri, 5 Jun 2009, Paul W. Frields wrote:



Hello list,

All software has bugs.  Some are known, and some are unknown.
Fortunately with free/libre and open source software, we have the
ability to diagnose and understand bugs.

In advance of Fedora 11 release, of course everyone has been hard at
work stomping out bugs, but there are still issues we know are not
fixed in the release.  For many of these we have workarounds.
We've made a wiki page that records these bugs:

http://fedoraproject.org/wiki/Common_F11_bugs
  

  do any of those bugs refer to the fact that (at least for me)
firefox is still teeth-grindingly slow?   i've mentioned this before
and i've tried everything i can think of to speed it up but, at this
point, it's utterly unusable.  even sitting there, it perpetually
sucks up 100% of the CPU on a dual core system, while seamonkey will
happily sit there, idling along at about 0.8%.

  i'll give it another shot with F11 but, really, i can't believe how
utterly useless firefox is.


First off Firefox in F11 is FF 3.5 beta 4.

I have seen you mention this problem before today. And I have not seen
any 'me too' replies. This must be a problem with your setup or system.

Is this with *all* sites? Or just some? Surely not just one site? Give
an example URL please.

Do you have the same extensions installed in both Firefox and Seamonkey?

Do you use Flash Block? If a site is blocked, the default, it can slow
the site down as it fights to display.

Another thing to look at is the 'languages' installed in Firefox by
Fedora. You, I figure, speak English which is built in. Disable the many
other languages.

I have a couple of other ideas but start here.
  

I tend to start by creating a new user account to see if the problem
persists there.  If not, it's related to my account, which is somewhat
of a different situation than having a useless app.




Another good suggestion. I agree.


  
And something else I have seen impact Firefox performance more obviously 
than other kinds of applications is whether IPV6 is enabled or not.  
Apparently it has to do with how name resolution is attempted, and the 
kinds of responses or timeouts that occur in your environment.  It is an 
easy thing to test by blocking the ipv6 module from loading and 
rebooting.  On F10 I add a line to /etc/modprobe.d/modprobe.conf.dist:


# Prevent ipv6 being loaded
install net-pf-10 /bin/true



Re: ssh connects to originating host

2009-05-12 Thread Christopher K. Johnson

Geoffrey Leach wrote:
Two systems A and B, connected via wireless. A and B both have the same 
/etc/hosts. Connecting from B to A, ssh A, works fine. However on A, 
ssh B logs me into A. This used to work fine; the only clue I have is 
that ssh did not like the stored RSA key. I let it fix it, and that's 
when the trouble started. Rebooting A did not fix, nor did removing the 
saved key and repeating.


Any suggestions?

Thanks.


  

My best guess:
The stored key issue was symptomatic of the problem resolving host to ip 
address incorrectly.


There are three things to check:
1) Logged on at host A, what does 'host B' command return for 
information?  Is it the correct address for B?  If the wrong address 
then you need to research whether your dns server or an /etc/hosts entry 
is the cause.
2) Whatever user you do this as on host A, is there a ~/.ssh/config 
file?  And if so, does it have a stanza that defines how to contact host 
B, but do so with the wrong name or ip address?
3) It is also possible, but less likely, that on host A you have dnat 
rules in iptables causing the endpoint for that ssh tcp connection to be 
changed to a local host based address.


Chris



Re: ssh connects to originating host

2009-05-12 Thread Christopher K. Johnson

Tom Horsley wrote:

On Tue, 12 May 2009 14:12:42 -0400
Christopher K. Johnson wrote:

  
The stored key issue was symptomatic of the problem resolving host to ip 
address incorrectly.



There is a command whose name I forget for printing the arp tables,
so you can find out what mac address the system thinks is hooked to the
IP address and if you know the mac of the network interfaces you
can tell for sure which one it is talking to.

  
That would be 'arp' with no arguments, or 'arp -n' to show ip addresses 
without inverse resolution to hostnames.




Re: screen blanks with nomodeset

2009-04-06 Thread Christopher K. Johnson

Jack Howarth wrote:

   Is anyone else still having the stock ati drivers in Fedora
10 occasionally blank out the screen? I have been resorting to
the use of the nomodeset kernel argument in an attempt to disable
modesetting, but, while less frequent, the black screens still
appear. Normally, it will return back to the same display but on
occasion, I get a reboot. This is on a Radeon X1650 Pro with
Fedora 10 x86_64.
Jack

  
It happens to me occasionally, and when it does it becomes completely 
unresponsive to power button, keyboard, mouse, and network.  I have to 
force power off.  I have nomodeset kernel option in grub.


Mine is ATI Technologies Inc Radeon XPRESS 200M 5955 on kernel 
2.6.27.19-170.2.35.fc10.i686.




Re: FC9 Compromised...

2009-02-27 Thread Christopher K. Johnson

Jack Lauman wrote:


Yes, I need to add root back in...

Not necessarily.
You would be safer to boot rescue from an installer DVD, then choose to 
mount the filesystems for your compromised F9.  Shutdown each system, 
move it to a trusted network, or off-net and attach an external disk to 
save files onto, put in the F9 DVD, then boot that DVD, not the 
compromised system's disk.


If you choose to start the network during rescue startup dialogs then 
you could save off files from the filesystems to elsewhere on the 
network, and could reasonably expect that there is no malicious software 
watching you do so since you booted the DVD not the compromised system.


Chris



Re: Update Broke NFS Exports

2009-01-17 Thread Christopher K. Johnson

Jameson wrote:

Ok, now, I've set up a reverse zone containing just the two entries
for the 192.168.1.55 client and my server at 192.168.1.51.  Forward
look ups work fine.  host 192.168.1.55 gives me:  Host
55.1.168.192.in-addr.arpa. not found: 3(NXDOMAIN)



Well, I fixed this..  I accidentally setup my reverse zone as
192.168.1.0 as opposed to 192.168.1.  It looks like this also fixed my
NFS woes.  I wonder why it worked before if I need this now.
Hopefully, if it stops working anywhere else someone will come across
this, and learn that they now need reverse DNS working to get NFS
working.  Which is kind of a shame, as I doubt most home users will
even have forward DNS setup.

=-Jameson

  
I would expect adding an entry for 192.168.1.51 to your /etc/hosts on 
the nfs server to also be a solution, in lieu of configuring private dns.


I was hoping to find an argument that could be added in 
/etc/sysconfig/nfs to turn off the inverse lookup requirement, but have 
only found rpc.mountd's -r option which is the opposite of what you need.


--
  A society grows great when old men plant trees whose shade they know
  they shall never sit in - Greek Proverb



Re: Update Broke NFS Exports

2009-01-16 Thread Christopher K. Johnson

Jameson wrote:

All of my NFS exports suddenly stopped working last night after
updating my F10 server.  The only thing I can think of that has
changed has been the updates.  In messages, I'm getting:
mountd Warning: Client IP address '192.168.1.55' not found in host lookup
mountd: connect from 192.168.1.55 to proc (0) in mountd: request from
unauthorized host
  
Is 192.168.1.55 one of the other hosts trying to mount the export?  And 
if so, what does 'host 192.168.1.55' command yield at the nfs server?


Updates included bind.  Perhaps your private dns is broken.  Assuming 
you do have a private dns configuration for the private network did you 
try 'service named restart'?


--
  A society grows great when old men plant trees whose shade they know
  they shall never sit in - Greek Proverb



Re: Virtual DNS questiona and reverse lookup table conflicts

2008-12-06 Thread Christopher K. Johnson

Bruno Wolff III wrote:

On Sat, Dec 06, 2008 at 13:34:06 -0800,
  Daniel B. Thurman [EMAIL PROTECTED] wrote:
  

Is it possible to have a single DNS server support
two different domain names, with each domain
name having its own forward and reverse lookups?



It is possible for PTR lookups to return different results based on the
IP address that the request comes from. I don't use bind and so can't
give you advice on how to set this up (assuming that it will solve your
problem), but googling for split horizon and bind should find help
in doing that.
  

Check out bind views.

--
  A society grows great when old men plant trees whose shade they know
  they shall never sit in - Greek Proverb



Re: fedora 9 live firewall

2008-12-02 Thread Christopher K. Johnson

Eric Penrose wrote:
I find it confusing that the settings on fedora 9 live for firewall 
are such that we tick the options that we trust such as secure http or 
http.  If firewall is on anyway, what is the implication of setting 
these internet options to trust as opposed to leaving firewall on, but 
without these trust settings when going on line?

The options for service connections to trust do not impact your use of 
such services elsewhere. They control whether the firewall will permit 
other machines to connect to those service ports on YOUR box - the one 
you are setting the firewall options on.  Thus the http option for 
example is relevant only if you wish to run a web server on the box and 
make it available to others on the network.


Examine the file /etc/sysconfig/iptables that is produced by this gui 
tool, and research 'iptables' if you wish to understand what is going on 
in greater detail.


Chris

--
  A society grows great when old men plant trees whose shade they know
  they shall never sit in - Greek Proverb



Re: set up NAT (network address translation) on local server

2008-11-20 Thread Christopher K. Johnson

Does /etc/sysconfig/iptables actually contain the lines

*nat 
:PREROUTING ACCEPT [1:233]   
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0] 
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 10.154.19.210 
COMMIT 

It seems unlikely that it was written correctly since the restart did 
not implement your SNAT rule, and this file is what a restart reads. 
Perhaps there is  a bug in iptables-save?  I edit 
/etc/sysconfig/iptables directly, and recommend that if you are not 
using some firewall front-end or tool to do this, that you do the same.


There is another problem in the rules you listed.  It would not prevent 
the SNAT rule from being implemented, so this is an unrelated problem.  
But it would prevent the forwarding you wanted:


-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i eth1 -o eth0 -j ACCEPT   
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT


Note that the REJECT is above your ACCEPT rules.  You need to move it 
below them because the REJECT is very general and will catch everything, 
preventing the ACCEPT rules from being applied.


-A FORWARD -i eth1 -o eth0 -j ACCEPT   
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT

-A FORWARD -j REJECT --reject-with icmp-host-prohibited

I presume from the addresses that this is natting one private network 
onto another private network.  So this last note is not critical as it 
would be if connecting onto the Internet.  Once you get this working as 
you intended, I recommend you alter or remove these rules too, depending 
on whether you wish people on the 10 network to have access to services 
on your server:


# Permit IPSEC peer communications.  Unless you are configuring IPSEC tunnels,
# you should comment these out.
#-A RH-Firewall-1-INPUT -p esp -j ACCEPT
#-A RH-Firewall-1-INPUT -p ah -j ACCEPT

# Permit hosts to announce themselves to the avahi-daemon's multicast dns
# service
-A RH-Firewall-1-INPUT -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT

# Permit connections to the CUPS service (successful connections may be
# governed by the CUPS config)
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT

# Permit access to the ssh server.  There is nothing wrong with that as long as
# you harden /etc/ssh/sshd_config to be more restrictive. By default it allows
# password authentication of all users including root, and other service
# accounts.
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT



Antonio Olivares wrote:
*nat 
:PREROUTING ACCEPT [1:233]   
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0] 
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 10.154.19.210 
COMMIT 
# Completed on Thu Nov 20 06:52:04 2008
# Generated by iptables-save v1.4.1.1 on Thu Nov 20 06:52:04 2008  
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]  
:OUTPUT ACCEPT [8:452] 
:RH-Firewall-1-INPUT - [0:0]   
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i eth1 -o eth0 -j ACCEPT   
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT

-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Thu Nov 20 06:52:04 2008
  



--
  A society grows great when old men plant trees whose shade they know
  they shall never sit in - Greek Proverb


Re: set up NAT (network address translation) on local server

2008-11-20 Thread Christopher K. Johnson

I would add the *nat through COMMIT before the existing *filter line.

I don't believe it matters as long as you do not mix them together.  But 
usually the *nat is much briefer than *filter, thus a good convention to 
put it first to find easily later.


Antonio Olivares wrote:

It seems that it does not contain those lines :(

  
I will need to edit the file manually and save it.  Then try it again.


Regards,

Antonio 
  



--
  A society grows great when old men plant trees whose shade they know
  they shall never sit in - Greek Proverb



Re: set up NAT (network address translation) on local server

2008-11-20 Thread Christopher K. Johnson

If you send me off-list the iptables file you want as an attachment, I 
will send you back notes and a corrected file.


Clearly there is some simple mis-communication or editing going on 
because this is a basic iptables configuration.


Chris

--
  A society grows great when old men plant trees whose shade they know
  they shall never sit in - Greek Proverb



Re: set up NAT (network address translation) on local server

2008-11-20 Thread Christopher K. Johnson

Tim wrote:

On Thu, 2008-11-20 at 07:46 -0800, Antonio Olivares wrote:
  
[EMAIL PROTECTED] ~]# cat /etc/sysconfig/iptables 
*nat
:PREROUTING ACCEPT [1:233]  
:POSTROUTING ACCEPT [0:0]   
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 10.154.19.210  
COMMIT  
-A FORWARD -i eth1 -o eth0 -j ACCEPT  -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# manually added the changes 2008/11/20 
# Firewall configuration written by system-config-securitylevel 
# Manual customization of this file is not recommended.

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT



Shouldn't there be ONLY one COMMIT command at the end of the file?
You've got two.

  
No, there should be one COMMIT for each table, and he has *nat and 
*filter tables.


--
  A society grows great when old men plant trees whose shade they know
  they shall never sit in - Greek Proverb
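
A structural check for the two points made in this thread, the REJECT placed above the ACCEPT rules in FORWARD and one COMMIT per table, as an added example that is not part of the original messages. The function names are hypothetical, both sample rulesets are constructed from the addresses quoted in the thread, and the check only treats a rule of the form "-A CHAIN -j ACCEPT|DROP|REJECT" with no match options as a catch-all.

```shell
#!/bin/sh
# Added example (not from the thread): structural lint for an
# iptables-save style file such as /etc/sysconfig/iptables, read from stdin.
# Prints one finding per line; exit status 1 if anything was found.
lint_iptables_rules() {
    awk '
    function report(msg) { print "line " NR ": " msg; bad = 1 }
    NF == 0 || substr($1, 1, 1) == "#" { next }
    substr($1, 1, 1) == "*" {                 # "*nat", "*filter": table starts
        if (table != "") report("table " table " was never closed with COMMIT")
        table = substr($1, 2)
        split("", closed)                     # reset per-chain state
        next
    }
    $1 == "COMMIT" {
        if (table == "") report("COMMIT outside any table")
        table = ""
        next
    }
    substr($1, 1, 1) == ":" {
        if (table == "") report("chain declaration outside any table")
        next
    }
    $1 == "-A" {
        chain = $2
        if (table == "") {
            report("rule for " chain " outside any table")
        } else if (chain in closed) {
            report("rule in " chain " is unreachable, line " closed[chain] " already matches every packet")
        } else if ($3 == "-j" && ($4 == "REJECT" || $4 == "DROP" || $4 == "ACCEPT")) {
            closed[chain] = NR                # no match options before -j
        }
        next
    }
    END {
        if (table != "") { print "end of file: table " table " was never closed with COMMIT"; bad = 1 }
        exit bad + 0
    }'
}

# Constructed sample: a FORWARD rule stranded between the tables, and a
# catch-all REJECT ahead of the ACCEPT it was meant to follow.
sample_broken() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 10.154.19.210
COMMIT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Constructed sample: the same rules with each table closed by its own COMMIT
# and the REJECT moved below the ACCEPT rules.
sample_fixed() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 10.154.19.210
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

sample_broken | lint_iptables_rules || true
sample_fixed | lint_iptables_rules && echo "fixed ruleset: no findings"
```

Run it against a real file with: lint_iptables_rules < /etc/sysconfig/iptables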



Re: set up NAT (network address translation) on local server

2008-11-19 Thread Christopher K. Johnson

What does this command produce? (shows whether your snat rule is 
implemented correctly)

iptables -vnL -t nat

And this one? (tells if ip forwarding is on)
cat /proc/sys/net/ipv4/ip_forward

Chris

--
  A society grows great when old men plant trees whose shade they know
  they shall never sit in - Greek Proverb



Re: set up NAT (network address translation) on local server

2008-11-19 Thread Christopher K. Johnson

No snat rule in effect!

Was the rule you provided in your original post verbatim?  Because it 
had 'a' instead of the public address.  In fact the rule seemed overly 
specific in other ways too.
Here is what I have for a snat rule where the public (Internet) 
interface is eth1 (substitute your public ip address for a.b.c.d):


-A POSTROUTING -o eth1 -j SNAT --to-source a.b.c.d

Resulting in (again substituted a.b.c.d for the real public address):
Chain POSTROUTING (policy ACCEPT 36819 packets, 4482K bytes)
 pkts bytes target     prot opt in     out     source               destination
39065 2513K SNAT       all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           to:a.b.c.d


If your rule is correct, then you need to activate your iptables file 
rules by:

service iptables restart

Chris

 pkts bytes target prot opt in out source   destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source   destination
  



--
  A society grows great when old men plant trees whose shade they know
  they shall never sit in - Greek Proverb



Re: 54 GB in /var/log!! -- UPDATE

2008-10-28 Thread Christopher K. Johnson

Beartooth wrote:
	I'd like to pipe that into top, or some such, to make it display 
only the files of 100K and up; but trying to read the man page for top, 
as usual for powerful commands, makes me think of standing at the foot of 
a huge cliff of ice

How about looking at the largest 30 files and directories there sorted 
by size in megabytes?


cd /var/log
du -ms * | sort -rn | head -n 30

Chris

--
  A society grows great when old men plant trees whose shade they know
  they shall never sit in - Greek Proverb



Re: Beeping while running

2008-10-14 Thread Christopher K. Johnson
I don't know if this is a silly suggestion, because I don't know your 
physical setup.


Any chance that the beeping is actually from an adjacent UPS instead?  
Some provide similar indications when tested and there is an issue such 
as weak batteries, and your software for the UPS could be initiating 
hourly tests.




Re: bind update keeps messing up write-rights

2008-07-19 Thread Christopher K. Johnson

Gijs wrote:

Sam Varshavchik wrote:

Gijs writes:


Hey List,

Not sure why this is happening so perhaps someone can explain this 
to me.
Whenever I update bind it messes up/resets access rights on my zone 
files. Now normally this wouldn't be a bad thing, but because I have 
dynamic updates on, for which named creates journalizing files, I 
end up having non-writeable journalizing files. So after every 
update I end up having to manually change the access rights on my 
jnl files.


Is anyone else having the same problem and/or is it supposed to be 
like this?


You must have bind configured to run in chroot.

rpm's %post script runs /usr/sbin/bind-chroot-admin where, if you 
have chroot configured, it runs this lovely bit of code:


   chown -h root:named /var/named/* >/dev/null 2>&1;
   chown -h root:named ${BIND_CHROOT_PREFIX}/var/named/* >/dev/null 2>&1;

   chown -h root:named /etc/{named,rndc}.* >/dev/null 2>&1;
   chown -h root:named ${BIND_CHROOT_PREFIX}/etc/{named,rndc}.* >/dev/null 2>&1;

   chown -h named:named /var/log/named.log >/dev/null 2>&1;
   chown -h named:named ${BIND_CHROOT_PREFIX}/var/log/named.log >/dev/null 2>&1;

   chmod 750 ${pfx}/var/named >/dev/null 2>&1;
   chmod 640 ${pfx}/var/named/* >/dev/null 2>&1;
   chmod 750 ${pfx}/var/named/*/. >/dev/null 2>&1;
   chmod 660 ${pfx}/var/log/named.log >/dev/null 2>&1;
   chown -h named:named /var/named/{data{,/*},slaves{,/*},dynamic{,/*}} >/dev/null 2>&1;
   chown -h named:named ${BIND_CHROOT_PREFIX}/var/named/{data{,/*},slaves{,/*},dynamic{,/*}} >/dev/null 2>&1;

   chmod 770 ${pfx}/var/named/{data,slaves,dynamic} >/dev/null 2>&1;
   chmod 660 ${pfx}/var/named/{data/*,slaves/*,dynamic/*} >/dev/null 2>&1;
   chmod 770 ${pfx}/var/named/{data/*/.,slaves/*/.,dynamic/*/.} >/dev/null 2>&1;


Lovely.

Heh, that's indeed lovely. And yea, I've got named configured to run 
in chroot as it is the default nowadays (at least on Fedora).



You should note that the 'dynamic' subfolder contents are set to mode 660.
Move your updateable zone files there and update the referenced paths in 
named.conf accordingly.


Chris

--
  Spend less!  Do more!  Go Open Source... -- Dirigo.net
  Chris Johnson, RHCE #804005699817957
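
A check that can be run after each bind update to find journal files the scriptlet will keep resetting, and anything in `dynamic/` that named cannot write. This is an added example, not part of bind-chroot-admin or of the messages above; the function names and the example.com/example.net zone names are hypothetical, and ROOT is whatever prefix your install uses (the chroot prefix, or empty for a non-chroot setup).

```shell
# Layout assumption taken from the quoted scriptlet: ROOT/var/named/* is reset
# to 640, while ROOT/var/named/dynamic/* is set to 660 named:named.

# Journals outside dynamic/ lose write permission on every package update.
misplaced_journals() {
    find "$1/var/named" -type f -name '*.jnl' \
        ! -path "$1/var/named/dynamic/*" | sort
}

# Files in dynamic/ whose mode lacks owner- or group-write (anything short of 660).
unwritable_dynamic() {
    [ -d "$1/var/named/dynamic" ] || return 0
    find "$1/var/named/dynamic" -type f ! -perm -660 | sort
}

# audit_named_tree ROOT: report both problems, return 1 if any were found.
audit_named_tree() {
    rc=0
    out=$(misplaced_journals "$1")
    [ -z "$out" ] || { echo "$out" | sed 's|^|journal outside dynamic/: |'; rc=1; }
    out=$(unwritable_dynamic "$1")
    [ -z "$out" ] || { echo "$out" | sed 's|^|not writable by named: |'; rc=1; }
    return $rc
}

# Constructed sample tree (hypothetical zones) so the check can be tried offline.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/var/named/dynamic"
    : > "$t/var/named/example.com.zone.jnl"          # journal in the wrong place
    chmod 640 "$t/var/named/example.com.zone.jnl"
    : > "$t/var/named/dynamic/example.net.zone"      # correctly placed zone
    chmod 660 "$t/var/named/dynamic/example.net.zone"
    : > "$t/var/named/dynamic/example.net.zone.jnl"  # right place, wrong mode
    chmod 640 "$t/var/named/dynamic/example.net.zone.jnl"
    echo "$t"
}
```

Keeping updateable zones only in `dynamic/` also means named needs write access to that one directory rather than to the whole zone tree.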



Re: ssh reverse tunnel

2008-06-30 Thread Christopher K. Johnson

Rick Bilonick wrote:

This works fine. The only problem is the connection always times out
even though I've changed the sshd_config files on both machines to keep
it alive. I've restarted the sshd daemon also. Not sure why the
connection keeps closing.
  
Some firewalls have a time limit on connections, and the connections 
will fail as soon as that timeout occurs.  Note when the ssh session is 
started, and when it times out.  See if there is a consistent connection 
duration.


If that is occurring the only solutions are to alter the timeout on the 
firewall (I did that on some checkpoint firewalls a few years ago) or 
re-initiate the connection whenever it goes down (yum install autossh).  
Obviously the latter is not ideal because your inbound session is lost 
uncleanly and you cannot predict when it will happen unless you know 
what the firewall connection timeout is for that port, and when the 
session was initiated.  But if it means that getting a connection 
remains possible that would be better than losing the capability until 
you are next in the office.



Chris

--
  Spend less!  Do more!  Go Open Source... -- Dirigo.net
  Chris Johnson, RHCE #804005699817957
