[gentoo-user] Re: best way to backup

2004-01-24 Thread Thomas Smith
Alkis Evlogimenos writes: 

On Saturday 24 January 2004 11:41 am, Glenn English wrote:
On Sat, 2004-01-24 at 09:42, Alkis Evlogimenos wrote:
 On Saturday 24 January 2004 10:18 am, Andrej Kacian wrote:
  (Sat, 24 Jan 2004 10:10:09 -0600)
 
  And Alkis Evlogimenos [EMAIL PROTECTED] said:
   What I have right now is a script running daily and backups
   everything (using cpio piped through gzip) except temp directories and
   media files. I also added
  
some estimates on free space so that the earliest backup is removed
   if it is estimated that the remaining space is not enough. This way I
   maximize the number of previous daily backups.
 
  Approximately how much space does one daily backup use there?

 7 gigs and it takes about 45 minutes to be created. 

I'm using amanda. A cron job runs it and sends me email about what
happened. Then I change the tape. 

I've been watching this thread, and Amanda seems an obvious solution. It
takes a little doing to get it set up, but hey, this is *nix. 

Is there a problem with Amanda that I don't know about?
Also my network is wireless so backing up over it is not an option :-)
This question may go a bit off-topic, but why is backing up over a wireless 
network not an option?

--
[EMAIL PROTECTED] mailing list


Re: [gentoo-user] qmail vs. sendmail

2004-01-13 Thread Thomas Smith
Mike Williams wrote:

On Monday 12 January 2004 01:16, Ben Munat wrote:
 

Okay, that's two votes for postfix and none for qmail... and the words
"simpler to setup and manage" are music to my ear... thanks for the help.
   

Then I'll put my vote in for qmail.
qmail is simple to setup, and manage. More so with webmin, but still simple 
from the command line. Can't say I've found anything remotely difficult.

Simple? Well...doable. My experience with qmail in a high-spam 
environment, more than a million attempted deliveries per month for just 
one domain due to joe-job attacks, is less than adequate. I hate to say 
it, but Sendmail was actually working better to stop the joe-job 
attacks. The biggest problem I had with qmail was recipient 
verification--there wasn't anything available that could check against a 
standard user database, like /etc/passwd or vpopmail's vpasswd files. I 
had to use the moregootrcptto patch for this--and that requires some 
additional administration overhead.

I recently started investigating Postfix and found that it has MANY 
/built-in/ UCE features--none of which qmail has. With Postfix, I can 
reject mail at the SMTP connection level if the HELO/EHLO, MAIL FROM, or 
RCPT TO has an invalid domain name. I can also specify recipient maps 
that allow me to add users without having to update any files other than 
the user database.

For virtuals, well...it doesn't get any easier. One can simply create a 
MySQL database (or a flat file, if preferred) that contains the 
necessary data about the virtual users like home directory, quotas, etc.

If you want to talk about manageability, with qmail I have 10 to 15 
programs that I need for each server: qmail and patches, vpopmail, 
Courier-IMAP, Maildrop, checkpasswd, qmail-scanner, SqWebmail, 
SpamAssassin, F-Prot, and others.

With Postfix, I need only Postfix, Courier-IMAP, Maildrop, MySQL (for 
virtual support), SqWebmail, SpamAssassin, and F-Prot.

Both are good MTAs. But when it comes to manageability and UCE controls, 
Postfix has the heads up--for me, anyway.

I've replaced qmail-smtpd with qpsmtpd, a drop in perl replacement. It's so 
cool to be able to change *anything* I wish with minimal effort.
Want to allow one host, or mail to one user to bypass max file size? 2-3 lines 
of perl and you're done (well, I was when I had a user needing to send a few 
slightly larger files than the max 5meg).

This is actually a nifty idea. The only problem I'd see here is the 
overhead generated by Perl--using qmail-scanner (all Perl) has more than 
tripled the CPU/RAM overhead of my server. Most people who write these 
types of filters disclaim upfront that this type of overhead /will/ occur.

Spamassassin filtering for incoming mail only? Another line or two and the 
spamassassin plugin is modified to not scan mail from local users.

Yeah, Postfix can do that too! ;-)



[gentoo-user] Disabling checkfs functions

2003-12-19 Thread Thomas Smith
I'm building a monolithic kernel (i.e. no module support) and an initrd 
that loads all my RAID and LVM drivers prior to mounting the root 
partition. The problem I'm finding is twofold:

1) The checkfs script (/etc/init.d/checkfs) tries to reload these 
drivers. It appears to be checking for certain userland programs and, if 
they're there, it attempts to start the RAID and LVM partitions.

2) I've got a RAID0 array with the persistent-superblock enabled--the 
checkfs script doesn't like this. In fact, it kills the boot up and 
drops me to single user mode.

I've been able to work around these issues by removing the offending code 
from the checkfs script.

The question is this:

Is there a way to disable those functions in such a way that they're not 
affected by updates?

For example, with the initrd I can edit linuxrc and change the variables 
from "yes" to "no" for specific things I don't want to run; and vice 
versa for those I do. This makes it relatively easy to update the initrd 
after upgrading the kernel as I can simply enable or disable functions 
by modifying the values of a couple variables.

This isn't the case with checkfs. It searches for the existence of 
certain userland programs and, if they exist, assumes that certain 
things are setup and need to be loaded--such as RAID, LVM, and EVMS.



[gentoo-user] grsecurity vs. SELinux

2003-12-19 Thread Thomas Smith
I first encountered security protocols like this when I read an 
article on SELinux.

What I'm curious to know, being new to these types of technologies, is 
which one is more effective at its job. From a layman's perspective, 
they seem to do essentially the same thing.



Re: [gentoo-user] kernel boot errors

2003-12-18 Thread Thomas Smith
Paul Varner wrote:

On Wed, 2003-12-17 at 21:47, Joel Konkle-Parker wrote:
 

Thomas Smith wrote:
   

Trying to move old root to /initrd ... failed
 

I get the second of your errors as well... no idea why though.
   

That error is innocuous.  The kernel is trying to copy the contents of
the initial ram disk to /initrd.  Since most people haven't created that
directory, it fails.  If you want the error to go away and be able to
see what is in the initial ram disk, just do a mkdir /initrd

Cool, that's what I was looking for--I'll give it a shot.

I don't use lvm, so I can't comment on the first.  Have you tried using
google to search for lvm_blk_ioctl: unknown cmd

I've searched google as well as Sistina archives. All I've been able to 
find is that the message is of no concern; but no one has described 
/why/ it occurs.

I believe it's a problem with the LVM binaries or libraries I'm using in 
the initrd--but I don't know how to confirm it. I do know that it wasn't 
occurring initially. I spent a lot of time tweaking the kernel and the 
initrd to get everything working properly and trimmed down. When I 
was done with everything else these errors cropped up.

The LVM error I mentioned occurs right after vgchange -ay (the last 
command in the initrd) so I don't believe it to be a kernel problem. The 
binaries and libraries came from ebuilds.



Re: [gentoo-user] Availabillity of gentoo

2003-12-18 Thread Thomas Smith
Gerhard W. Gruber wrote:

I was wondering on how gentoo is financed and kept running. Up till now I was
using Suse which is pretty stable and I can expect that Suse will continue
living. In the worst case it will probably be bought (like now from Novell)
but the distribution itself will survive. I now installed gentoo last week in
a separate installation to get a feel for it and I like it because it solves
some issues I have with Suse. The only thing I wonder about is if I can expect
gentoo being still available in a year (so to speak). I would hate to change
to a distribution and after some time it dies and I will have to switch again.

There are no guarantees for *any* software--commercial, open source, or 
otherwise.

I chose Gentoo because it has features I'm looking for and is the most 
configurable distro I've found (beyond going to LFS). I came from Red 
Hat Linux 9 which I've used since version 6. I never thought it would go 
away, but it did--so here I am.

Fact is, if Gentoo goes away (knock on wood) I'll seek out other 
options--just as I did with Red Hat. This is a part of life--nothing 
lives forever.

If Gentoo suits your needs and you like it, use it. The more people who 
use it the stronger it'll become and the less likely it'll fade into the 
distance.



Re: [gentoo-user] Availabillity of gentoo

2003-12-18 Thread Thomas Smith
Manuel Pérez López wrote:

On Thursday, 18 December 2003 19:49, Thomas Smith wrote:
 

There are no guarantees for *any* software--commercial, open source, or
otherwise.

Yes but... if a big community supports the development of a Linux 
distribution, perhaps the permanence of this distribution over time is more 
assured. Has Gentoo a big community? I do not know. Perhaps someone on this 
mailing list can give us an answer.

If ISO downloads are tracked then one could /estimate/ the number of 
Gentoo users based on the number of downloads from unique IPs.

The user base could also be estimated by web site activity--how many IPs 
are accessing Gentoo user/admin/developer docs?



Re: [gentoo-user] Availabillity of gentoo

2003-12-18 Thread Thomas Smith
Ciaran McCreesh wrote:

On Thu, 18 Dec 2003 11:49:57 -0700 Thomas Smith [EMAIL PROTECTED]
wrote:
| I chose Gentoo because it has features I'm looking for and is the most
| configurable distro I've found (beyond going to LFS).
IMO Gentoo is more configurable than LFS. Why? Because if you try to
deviate even slightly from the LFS guide, they scream "Follow Book, Book
Good" at you.

I hadn't actually tried LFS. I selected Gentoo over it for some of the 
more advanced and useful features like Portage. Once I got into it, I found 
that there was more to like than originally met the eye--thus, I'm now a 
Gentoo user and, in time, a contributor.



[gentoo-user] Upgrading kernels

2003-12-18 Thread Thomas Smith
I emerged gentoo-sources (linux-2.4.20-gentoo-r9) which is an upgrade 
from linux-2.4.20-gentoo-r6. The problem is that when I run genkernel 
--config it loads the r6 release.

How can I tell genkernel to use the new, r9 sources?

Pointers to docs are also helpful--I wasn't able to find any for this 
and there's no man page for genkernel.



[gentoo-user] kernel boot errors

2003-12-17 Thread Thomas Smith
I'm getting two boot errors that I think are related. They are:

lvm -- lvm_blk_ioctl: unknown cmd 0x5310
Trying to move old root to /initrd ... failed
The errors themselves are located a few lines apart (line 245 and 250, 
respectively, in the attached dmesg.txt).

Otherwise, the system boots fine. I've searched and searched for these 
two errors but haven't been able to locate and information about /why/ 
they occur or how to correct them.

Any information regarding these errors is appreciated.

Tom

[gentoo-user] LVM and LiveCD

2003-12-12 Thread Thomas Smith
I'm having a problem with LVM after rebooting my stage3 install of 
Gentoo. Here's the filesystem layout:

/dev/md0 - RAID1 - /dev/hda1 & /dev/hdb1 - /boot
/dev/md1 - RAID0 - /dev/hda2 & /dev/hdb2 - / & swap
VG - vgroot
LV - /dev/vgroot/swap & /dev/vgroot/root

RAID & LVM are compiled into the Kernel (no modules). I also emerged 
(after chroot-ing to /mnt/gentoo) lvm-user, the LVM user-space tools, 
and created an initrd file for booting / from LVM.

The problem occurs when the Kernel runs vgscan during boot. Here's the 
error:

vgscan -- reading all physical volumes (this may take a while...)
cdrom: open failed.
vgscan -- /etc/lvmtab and /etc/lvmtab.d successfully created
vgscan -- WARNING: This program does not do a VGDA backup of your volume 
group

vgchange -- no volume groups found

VFS: Cannot open root device vgroot/root or 00:00
Please append a correct root= boot option
Kernel panic: VFS: Unable to mount root fs on 00:00
I've confirmed that the RAID devices are properly loading from the 
output during boot.

Ideas?



[gentoo-user] mkraid on LiveCD

2003-12-09 Thread Thomas Smith
I'd like to set up Gentoo using RAID1 (/boot) and RAID5 (the rest). When I 
run /any/ of the RAID commands (in particular, mkraid) I get the 
following error:

cannot determine md version: no MD device file in /dev

I believe this is telling me that the /dev/md* devices have to be 
created, yes? I've searched the Gentoo site for information on setting up 
RAID during installation but there doesn't seem to be any.

Can anyone offer pointers to documentation (Gentoo or otherwise) that 
will get me started down the right path?



[gentoo-user] HP NetServer LH3000

2003-12-05 Thread Thomas Smith
I'm planning to install Gentoo on a customer's HP NetServer LH3000 with 
an external HP DLT drive.

Has anyone setup Gentoo on this server? If so, would you mind providing 
me with some feedback on the experience (problems, incompatibilities, etc)?



[gentoo-user] Gentoo Guide to OpenLDAP Authentication

2003-12-05 Thread Thomas Smith
I've followed this guide to a tee and things aren't working like I 
thought they would. To sum it up, I figured that using this guide would 
allow me to replace /etc/passwd and associated files and authenticate 
against the LDAP directory (via pam_ldap and nss_ldap).

For users with REAL system accounts (/etc/passwd), I see entries in the 
syslog like this:

Dec  5 17:12:25 uacp-demo slapd[1882]: conn=294 op=0 BIND dn="" method=128
Dec  5 17:12:25 uacp-demo slapd[1882]: conn=294 op=0 RESULT tag=97 err=0 text=
Dec  5 17:12:25 uacp-demo slapd[1882]: conn=294 op=1 SRCH base="ou=People,dc=uccinc,dc=net" scope=2 filter="(&(objectClass=posixAccount)(uid=nagios))"
Dec  5 17:12:26 uacp-demo slapd[1882]: conn=294 op=1 SEARCH RESULT tag=101 err=0 text=
Dec  5 17:12:26 uacp-demo slapd[1881]: conn=294 op=2 UNBIND

It seems to be authenticating okay...but...

When I create a user in the LDAP directory (one that's not listed in 
/etc/passwd), I'm not able to authenticate this user.

Any ideas as to why this isn't working?

The relevant config files are attached (please let me know if I missed any):
/etc/ldap.conf
/etc/openldap/slapd.conf
/etc/conf.d/slapd
/etc/pam.d/sshd (this file wasn't discussed in the Guide)
/etc/pam.d/system-auth
# /etc/ldap.conf
#suffix dc=uccinc,dc=net
#pam_filter objectclass=posixAccount
#pam_member_attribute memberuid
#host 127.0.0.1
uri ldap://uacp-demo.uccinc.net
ldap_version 3
base dc=uccinc,dc=net
scope sub
timelimit 30
pam_login_attribute uid
pam_filter objectclass=posixAccount
nss_base_passwd ou=People,dc=uccinc,dc=net
nss_base_shadow ou=People,dc=uccinc,dc=net
nss_base_group  ou=People,dc=uccinc,dc=net
#scope one
#pam_password exop
#nss_base_passwd ou=People,dc=uccinc,dc=net
#nss_base_shadow ou=People,dc=uccinc,dc=net
#nss_base_group  ou=Group,dc=uccinc,dc=net
#nss_base_hosts  ou=Hosts,dc=uccinc,dc=net
#ssl start_tls
#ssl on
# /etc/conf.d/slapd
# conf.d file for the openldap-2.1 series
#
# To enable both the standard unciphered server and the ssl encrypted
# one uncomment this line or set any other server starting options
# you may desire.
#
# OPTS="-h 'ldaps:// ldap:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"
OPTS="-h ldap:// ldaps:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock"
# /etc/openldap/slapd.conf
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.7 2001/09/27 20:00:31 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
password-hash           {crypt}
TLSCertificateFile      /etc/ssl/ldap.pem
TLSCertificateKeyFile   /etc/openldap/ssl/ldap.pem
TLSCACertificateFile    /etc/ssl/ldap.pem

# Define global ACLs to disable default read access.
access to dn=".*,dc=uccinc,dc=net" attr=userPassword
        by dn="uid=root,ou=People,dc=uccinc,dc=net" write
        by anonymous auth
        by self write
        by * search
access to *
        by dn="uid=root,ou=People,dc=uccinc,dc=net" write
        by * read

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral   ldap://root.openldap.org

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

# Load dynamic backend modules:
# modulepath    /usr/lib/openldap/openldap
# moduleload    back_ldap.la
# moduleload    back_ldbm.la
# moduleload    back_passwd.la
# moduleload    back_shell.la

#
# Sample Access Control
#   Allow read access of root DSE
#   Allow self write access
#   Allow authenticated users read access
#   Allow anonymous users to authenticate
#
#access to dn= by * read
#access to *
#   by self write
#   by users read
#   by anonymous auth
#
# if no access controls are present, the default is:
#   Allow read by all
#
# rootdn can always write!

###
# ldbm database definitions
###

database        ldbm
suffix          "dc=uccinc,dc=net"
#suffix         "o=My Organization Name,c=US"
rootdn          "cn=Manager,dc=uccinc,dc=net"
#rootdn         "cn=Manager,o=My Organization Name,c=US"
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw  {MD5}bCnpzEBC2XKxX/AwTmNohg==
# The database directory MUST exist prior to running slapd AND 
# should only be accessible by the slapd/tools. Mode 700 recommended.
directory   /var/lib/openldap-ldbm
# Indices to maintain
index   objectClass eq
#%PAM-1.0
# /etc/pam.d/sshd

#auth       required pam_stack.so service=system-auth
#auth       required pam_shells.so
#auth       required pam_nologin.so
#account    required pam_stack.so service=system-auth
#password   required pam_stack.so
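A small log-correlation helper, added here as an example and not part of the original post or of OpenLDAP: it groups slapd entries like the ones quoted above by connection, so you can see which identity performed each uid lookup and which BIND attempts came back with an error. The sample lines are constructed for this example (conn=294 mirrors the post's nagios lookup; conn=295 is a hypothetical LDAP-only user "jdoe" whose own bind is refused), and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the post): correlate slapd connection logs so a
# failing LDAP login can be followed op by op. The sample lines below are
# constructed: conn=294 mirrors the nagios lookup quoted in the post, conn=295
# is a hypothetical LDAP-only user "jdoe" whose own bind is refused (err=49 is
# LDAP invalidCredentials).
SAMPLE_LOG='Dec  5 17:12:25 uacp-demo slapd[1882]: conn=294 op=0 BIND dn="" method=128
Dec  5 17:12:25 uacp-demo slapd[1882]: conn=294 op=0 RESULT tag=97 err=0 text=
Dec  5 17:12:25 uacp-demo slapd[1882]: conn=294 op=1 SRCH base="ou=People,dc=uccinc,dc=net" scope=2 filter="(&(objectClass=posixAccount)(uid=nagios))"
Dec  5 17:12:26 uacp-demo slapd[1882]: conn=294 op=1 SEARCH RESULT tag=101 err=0 text=
Dec  5 17:12:26 uacp-demo slapd[1882]: conn=294 op=2 UNBIND
Dec  5 17:13:02 uacp-demo slapd[1882]: conn=295 op=0 BIND dn="" method=128
Dec  5 17:13:02 uacp-demo slapd[1882]: conn=295 op=0 RESULT tag=97 err=0 text=
Dec  5 17:13:02 uacp-demo slapd[1882]: conn=295 op=1 SRCH base="ou=People,dc=uccinc,dc=net" scope=2 filter="(&(objectClass=posixAccount)(uid=jdoe))"
Dec  5 17:13:02 uacp-demo slapd[1882]: conn=295 op=1 SEARCH RESULT tag=101 err=0 text=
Dec  5 17:13:03 uacp-demo slapd[1882]: conn=295 op=2 BIND dn="uid=jdoe,ou=People,dc=uccinc,dc=net" method=128
Dec  5 17:13:03 uacp-demo slapd[1882]: conn=295 op=2 RESULT tag=97 err=49 text=
Dec  5 17:13:03 uacp-demo slapd[1882]: conn=295 op=3 UNBIND'

# Print "conn bind-dn filter" for each search. With no binddn in ldap.conf
# (as in the post) pam_ldap/nss_ldap search anonymously (bind dn=""), so a
# uid that never shows up here was never even looked up.
ldap_lookups() {
    awk '
        # with the syslog prefix "Mon  D HH:MM:SS host slapd[pid]:" in $1-$5,
        # $6 is conn=N, $7 is op=M and $8 is the operation name
        $8 == "BIND" {
            dn = $0; sub(/.*dn="/, "", dn); sub(/".*/, "", dn)
            who[$6] = (dn == "") ? "(anonymous)" : dn
            next
        }
        $8 == "SRCH" {
            f = $0; sub(/.*filter="/, "", f); sub(/".*/, "", f)
            binder = ($6 in who) ? who[$6] : "(none)"
            print substr($6, 6), binder, f
        }
    '
}

# Print "conn dn err" for every BIND answered with a non-zero result code.
# A failed user bind right after a successful anonymous lookup means the
# account was found but the password (or the userPassword ACL) did not
# check out; no user bind at all points at the lookup side instead.
ldap_failed_binds() {
    awk '
        $8 == "BIND" {
            dn = $0; sub(/.*dn="/, "", dn); sub(/".*/, "", dn)
            binddn[$6 "/" $7] = (dn == "") ? "(anonymous)" : dn
            next
        }
        $8 == "RESULT" {
            key = $6 "/" $7
            if (!(key in binddn)) next
            err = $0; sub(/.*err=/, "", err); sub(/ .*/, "", err)
            if (err + 0 != 0) print substr($6, 6), binddn[key], err
        }
    '
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | ldap_lookups
printf '%s\n' "$SAMPLE_LOG" | ldap_failed_binds
```

Feed it a real log with `grep slapd /var/log/messages | ldap_failed_binds` to spot the same pattern for your user.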

Re: [gentoo-user] Ping errors

2003-11-19 Thread Thomas Smith
Jason Stubbs wrote:

On Wednesday 19 November 2003 14:24, Thomas Smith wrote:
 

I've had Gentoo setup and running on a test server for about a month now
and didn't notice any of these errors until I configured Nagios--it
immediately started reporting WARNINGs regarding this error. I've
googled for this problem and everybody seems to agree that it's an
issue with the Kernel but no one has offered a solution. The error I get
is:

WARNING: failed to install socket filter
: Protocol not available

This error occurs when PINGing /any/ host. It doesn't happen with every
ping--that is, it occurs after every few responses. It doesn't seem to
be causing any other functionality problems.
   

I've set up a little Gentoo server at work that I believe experiences exactly 
the same thing. I'll confirm tomorrow, but for the time being I'll list some 
details of how it's configured network-wise.

* one interface with multiple IPs
* IP forwarding enabled
* TCP packets with destination of port 80 redirected to localhost
* connection tracking for everything the kernel supports
* traffic shaping for both incoming and outgoing traffic
That's all that I can remember at the moment. If you could supply the same 
thing, we can use the similarities to hopefully track the source of the 
problem down.

Well, it's currently a pretty basic setup--no packet filtering, no 
traffic shaping. It does have two interfaces, though--one unroutable, 
the other live. (It's strictly a test server to plan our migration from 
Red Hat to Gentoo.)

I'm going to investigate the previous post regarding CONFIG_FILTER=y. 
I'm not quite sure what the poster meant by "It's used for attack filter 
to any socket, used by the program." or how this option will affect 
other aspects of the server. If you or anyone can elaborate on this 
option please do so.



Re: [gentoo-user] What is the best way to start iptables on boot time?

2003-11-19 Thread Thomas Smith
gabriel wrote:

On November 19, 2003 02:59 pm, Tiago Lima wrote:
 

Sorry for this newbie question but what is the best way to start iptables
(and rules) on boot time?
   

hmmm.  while i can't tell you the best way, i can tell you what i did.  i 
wrote a startup script with the following contents.  it may not have been the 
best route to go, but this way, i have a panic button if i need it ;-)

   ebegin "Disabling firewall"

   iptables --policy INPUT   ACCEPT
   iptables --policy OUTPUT  ACCEPT
   iptables --policy FORWARD ACCEPT
   iptables -t filter --flush

   iptables -t filter --delete-chain

   eend $?

}

This script is a good idea but wouldn't it be better to block all 
traffic when you clear the iptables rules? From a security perspective, 
/all/ traffic should be stopped in the event of a security threat.

What I do in my scripts is write into the stop portion of the script 
rules to drop and log all inbound traffic and allow access to only one 
port (SSH) from one IP (my office network's firewall). There should also 
be some rate-limiting rules loaded, too, to prevent DoS attacks 
(including those that flood the syslog).

A decent script, with some explanation of the types of firewalls and 
how to configure Gentoo to use iptables, can be had at

http://www.gentoo.org/doc/en/gentoo-security.xml#doc_chap12

This is a pretty good script--I haven't used it yet as I have my own 
scripts and layout (which differs from their structure). I'm also 
implementing some features to make these types of scripts work out of 
the box.

Hope this helps.



Re: [gentoo-user] What is the best way to start iptables on boot time?

2003-11-19 Thread Thomas Smith
Bryan Whitehead wrote:

In Mandrake the iptables init script is executed before the network to 
prevent this.

the same should be true for gentoo...

there is a bug already:
http://bugs.gentoo.org/show_bug.cgi?id=27087 
Comment 14 on this Bug is of interest to me and I think this is the way 
to do it--in part, anyway. Starting iptables immediately /after/ the 
network interfaces doesn't allow the compromise of any userland 
programs. This also allows one to configure their script to pull certain 
information from ifconfig if, for example, they're using DHCP on the WAN 
interface.

To have a pre-if and post-if is a bit redundant (see the Bug for 
details)--why go through the process of configuring iptables twice? The 
system isn't really vulnerable to any threat until network-aware 
services begin to load--which doesn't occur until after the network 
interfaces are loaded. If iptables is configured to load /immediately/ 
after the network interfaces then it will be protecting the system when 
those services begin to load--thus closing the gaping hole that was 
referred to in the bug.

Thomas T. Veldhouse wrote:

The problem I see with this method of using the iptables initscript is that
it starts after network (obviously).  Network starts via net.ethX and has
defaulted everything to WIDE OPEN ... accept all packets!  It is not until
after the iptables script is run that the network becomes protected
(assuming a decent firewall).  Granted, the period of time things are open
is small, it is a security hole.  FreeBSD for instance will default to all
network traffic denied until firewall rules are set to tell it otherwise.
This should be the Linux default as well IMHO.

There probably should be a knob in the network scripts to block all network
activity until the firewall scripts run to tell it otherwise.  Perhaps a
simple switch in /etc/conf.d/net that says FIREWALL=true which would force
the default to be to deny all packets.

Tom Veldhouse

gabriel wrote:

On November 19, 2003 02:59 pm, Tiago Lima wrote:

Sorry for this newbie question but what is the best way to start
iptables (and rules) on boot time?


hmmm.  while i can't tell you the best way, i can tell you what i
did.  i wrote a startup script with the following contents.  it may
not have been the best route to go, but this way, i have a panic
button if i need it ;-)
#!/sbin/runscript

#
# rc.firewall
# firewall script for alexandria
#
opts="start stop panic"

depend() {
   need net
}
start() {

   ebegin "Enabling firewall"

#  firewall rules go here 

   eend $?

}

stop() {

   ebegin "Disabling firewall"

   iptables --policy INPUT   ACCEPT
   iptables --policy OUTPUT  ACCEPT
   iptables --policy FORWARD ACCEPT
   iptables -t filter --flush

   iptables -t filter --delete-chain

   eend $?

}

panic() {

   ebegin "SHIELDS! WHERE ARE MY SHIELDS???"

   iptables -t filter --flush

   iptables -A INPUT  -i lo -j ACCEPT
   iptables -A OUTPUT -o lo -j ACCEPT
   iptables --policy INPUT  DROP
   iptables --policy OUTPUT DROP
   iptables -t filter --delete-chain

   eend $?

}

--
understand that legal and illegal are political, and often arbitrary,
categorizations; use and abuse are medical, or clinical, distinctions.
- abbie hoffman

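A runscript sketch, added here as an example and not gabriel's script, the bug's proposal or anything from the Gentoo docs: it implements the fail-closed "stop" described in the earlier reply in this thread (drop and log all inbound traffic, SSH only from one admin network, rate limits so a flood cannot fill syslog) and uses depend() for the ordering argued above, so the rules are in place right after the interfaces come up and before network-aware services start. The admin network 192.0.2.0/24, the IPTABLES/ADMIN_NET/SSH_PORT variables and the lockdown function are assumptions of mine; set IPTABLES=echo to preview the rule set without touching the kernel.

```shell
#!/sbin/runscript
# Added example (not gabriel's script, not from the Gentoo bug): a firewall
# runscript whose "stop" and "panic" fail closed instead of opening everything.
# Assumptions (constructed): the admin network is 192.0.2.0/24, SSH is tcp/22.
# Set IPTABLES=echo to print the rule set instead of loading it.

IPTABLES="${IPTABLES:-/sbin/iptables}"
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"
SSH_PORT="${SSH_PORT:-22}"
opts="${opts} panic"

depend() {
    # run right after the interfaces are up, so the rules are loaded
    # before any network-aware service starts
    need net
}

# Fail-closed rule set shared by stop() and panic(): default DROP on every
# chain, keep loopback and already-established flows, admit new SSH sessions
# from the admin network only, and log dropped input at a bounded rate.
lockdown() {
    $IPTABLES -t filter --flush
    $IPTABLES -t filter --delete-chain
    $IPTABLES --policy INPUT   DROP
    $IPTABLES --policy FORWARD DROP
    $IPTABLES --policy OUTPUT  DROP

    $IPTABLES -A INPUT  -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT

    # replies for sessions that already exist (needs connection tracking)
    $IPTABLES -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # management path: new SSH from the admin network, capped per minute so a
    # password-guessing run cannot hammer sshd
    $IPTABLES -A INPUT -p tcp -s "$ADMIN_NET" --dport "$SSH_PORT" \
        -m state --state NEW -m limit --limit 5/minute --limit-burst 10 -j ACCEPT

    # log a sample of everything else, then drop it; the limit keeps a packet
    # flood from turning into a syslog flood
    $IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 5 \
        -j LOG --log-prefix "fw-lockdown: " --log-level warning
    $IPTABLES -A INPUT -j DROP
}

start() {
    ebegin "Enabling firewall"
    lockdown          # begin from a closed table, then widen as needed
    # site-specific ACCEPT rules go here
    eend $?
}

stop() {
    ebegin "Locking firewall down"
    lockdown
    eend $?
}

panic() {
    stop
}
```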


Re: [gentoo-user] What is the best way to start iptables on boot time?

2003-11-19 Thread Thomas Smith
Bryan Whitehead wrote:

Thomas Smith wrote:

Bryan Whitehead wrote:

In Mandrake the iptables init script is executed before the network 
to prevent this.

the same should be true for gentoo...

there is a bug already:
http://bugs.gentoo.org/show_bug.cgi?id=27087 


Comment 14 on this Bug is of interest to me and I think this is the 
way to do it--in part, anyway. Starting iptables immediately /after/ 
the network interfaces doesn't allow the compromise of any userland 
programs. This also allows one to configure their script to pull 
certain information from ifconfig if, for example, they're using DHCP 
on the WAN interface.

To have a pre-if and post-if is a bit redundant (see the Bug for 
details)--why go through the process of configuring iptables twice? 
The system isn't really vulnerable to any threat until network-aware 
services begin to load--which doesn't occur until after the network 
interfaces are loaded. If iptables is configured to load 
/immediately/ after the network interfaces then it will be protecting 
the system when those services begin to load--thus closing the 
gaping hole that was referred to in the bug.

You might want to add comments to the bug as it looks like many of the 
developers think it's not a big deal... might want to reference this 
thread to show it is a concern of users... and other distros 
correctly run iptables first. 
I actually just finished adding similar comments to the mentioned Bug. I 
didn't, however, reference this thread--I'll do that now, though.

Thanks for the input.



[gentoo-user] Frontpage support for Apache

2003-11-18 Thread Thomas Smith
I haven't seen any support for Frontpage and Apache on Gentoo--is there 
none? The only packages I've found are external and require patching 
Apache to work.

If this is the case, is there a good/better/best way to integrate 
patches into the Portage system so it can be managed as part of it? (I'm 
new to Gentoo so I don't yet have experience with ebuilds and such--I'm 
simply looking for a way to patch Apache, maybe even manually, and be 
able to manage it with Portage and its tools: emerge, qpkg, etc.)





[gentoo-user] Ping errors

2003-11-18 Thread Thomas Smith
I've had Gentoo set up and running on a test server for about a month now 
and didn't notice any of these errors until I configured Nagios--it 
immediately started reporting WARNINGs regarding this error. I've 
googled for this problem and everybody seems to agree that it's an 
issue with the kernel but no one has offered a solution. The error I get is:

WARNING: failed to install socket filter
: Protocol not available

This error occurs when PINGing /any/ host. It doesn't happen with every 
ping--that is, it occurs after every few responses. It doesn't seem to 
be causing any other functionality problems.

I've installed many other progs (Gnome, LDAP, and related tools, and 
updated the system) but nothing that seems to be related to the 
kernel--the kernel version is 2.4.20-gentoo-r6 (the same as when I 
initially set up the system). The kernel was compiled with:

USE=aavm genkernel



Re: [gentoo-user] LVM and mirroring

2003-11-14 Thread Thomas Smith
Peter van Eck wrote:

I don't think the open source version of LVM supports mirroring.


I've never set up LVM in this way. However, one could assume you could 
layer several mechanisms to get what you're looking for.

For example, you could create your base partitions, create your RAID 
devices, and then start the LVM setup on top of those. So instead of 
defining /dev/hd* as part of the volume group(s) you'd define /dev/md* 
(the RAID devices).

I haven't tried this setup but have given it some thought as I'm looking 
at something similar with RAID5. If you try it, post the results as 
inquiring minds want to know ;-).

Tom

Guy Van Sanden wrote:

Hi

I'm wondering if Logical Volume Manager can handle a setup I am
considering.
I have a system with two 40 GB IDE drives. hda:
/
/boot
swap
/tmp
/data (includes home)
/usr

The second disk (hdb) should contain the same partitions, but mirrored.

The ultimate goal would be that if either hda or hdb failed, the system
would keep running until I could replace a disk.
Is any of this possible with LVM?  Is it stable?
Could the system still boot if one disk failed (e.g. hdb)?
Can I disable the mirrors temporarily when performing an upgrade? (to get
the chance to turn it back).
I've seen this stuff done with Veritas, and it'd be cool to have it on a
Free Linux box.
Thanks

Guy



Re: [gentoo-user] virtual mailhosting - controlling it?

2003-11-11 Thread Thomas Smith
[EMAIL PROTECTED] wrote:

This is mainly directed at those of you that have used the 
virtual-mailhosting guide.

Have you searched any mailing list archives? I know there has been some 
discussion on your questions in the [EMAIL PROTECTED] list. 
There's also more documentation and information regarding this topic 
(including what's covered in the Virtual Mailhosting document you're 
referring to) at their site.

That said...

* How are you controlling it? custom PHP frontend? Postfix Admin?

If you use the MySQL backend, you can manage the database from the 
command line (if you know MySQL) or you can use one of a few GUIs. I 
don't recall the names of the packages but if you look at some of the 
MySQL how-tos at postfix.org, they should mention them.

* Have you found it to be reliable & stable?

Postfix itself is known to be reliable and stable. MySQL, of course, has 
the same reputation.

* Did you choose to use maildrop or procmail, and why?

Do you like green apples or red? Both of these programs do their job and 
filter your mail--they're simply different varieties of apples. I 
chose Maildrop for performance and for its language--it's said to be a 
better performer than Postfix and the filtering language is structured 
whereas Procmail's is not.

...just trying to gather some information. I am using it and so far, it's 
been working great but I have zilch for easy admin tools and I wanted to 
know what others were using. I'd like to be able to have users add 
mailboxes to their own domains and for users to be able to edit 
.mailfilter files but so far I haven't really found a workable way to do 
that. I was thinking of attempting to re-write the nice looking Postfix 
Admin for usage with the Gentoo guide but I don't have the time and I 
certainly don't have the PHP knowledge. =/

Here again, check out the Postfix site--there's quite a bit of 
information regarding virtual setups.

As for .mailfilter, the only program I'm aware of that would edit these 
files directly is SqWebmail. I'm not certain (yet) that it does this as 
I haven't tested it.





[gentoo-user] Querying the Portage database

2003-11-09 Thread Thomas Smith
I'm new to Gentoo (switching from RH9) and have become used to RPMs and 
their query tools.

I've been looking for a way to query the Portage database to determine 
what's installed and get general info regarding the packages--I'm 
looking for something similar to rpm -qa.

At the end of this 
section--http://www.gentoo.org/doc/en/portage-manual.xml#doc_chap3--in 
the Portage user manual it indicates that there's an 
app-admin/gentoolkit to assist with Portage queries. I have yet to find 
this package or a way to query the Portage database.

Can anyone direct me to the package or tools that I need in order to do 
this?

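Added example (not from the thread, and not gentoolkit's own code): the Portage installed-package database can be queried straight from the shell, which is what the query tools do underneath, and the same data gives an rpm -V style integrity check. The /var/db/pkg layout and CONTENTS line format are assumed from Portage as I know it; the sample packages and files are constructed.

```shell
#!/bin/sh
# Added example, not from the thread and not gentoolkit's own code: answer
# "rpm -qa", "rpm -ql" and "rpm -V" style questions straight from the
# Portage installed-package database. Assumed layout (the VDB):
#   /var/db/pkg/<category>/<package-version>/CONTENTS
# where CONTENTS lists what was merged, one entry per line:
#   obj <path> <md5> <mtime>   dir <path>   sym <path> -> <target> <mtime>
VDB=${VDB:-/var/db/pkg}

# rpm -qa: every installed package as category/package-version.
vdb_list() {
  for d in "$VDB"/*/*/; do
    [ -d "$d" ] && echo "$(basename "$(dirname "$d")")/$(basename "$d")"
  done | sort
}

# rpm -ql: regular files merged by package $1 (e.g. app-misc/hello-1.0).
vdb_files() {
  awk '$1 == "obj" { print $2 }' "$VDB/$1/CONTENTS"
}

# rpm -V: re-hash every merged file and compare with the MD5 recorded at
# merge time. Prints MISSING/MODIFIED lines and returns 1 if any were
# found; a clean package returns 0 and prints nothing.
vdb_verify() {
  awk '$1 == "obj" { print $2, $3 }' "$VDB/$1/CONTENTS" |
  while read -r path md5; do
    [ -f "$path" ] || { echo "MISSING $path"; continue; }
    [ "$(md5sum "$path" | cut -d' ' -f1)" = "$md5" ] || echo "MODIFIED $path"
  done | grep . && return 1
  return 0
}

# Constructed sample database in a temporary directory (merged paths are
# rooted there so this runs as an ordinary user). Prints the VDB path.
make_sample_vdb() {
  base=$(mktemp -d) || return 1
  mkdir -p "$base/root/usr/bin" "$base/db/app-misc/hello-1.0" "$base/db/net-analyzer/nagios-1.1"
  printf '#!/bin/sh\necho hello\n' > "$base/root/usr/bin/hello"
  sum=$(md5sum "$base/root/usr/bin/hello" | cut -d' ' -f1)
  printf 'dir %s/root/usr\nobj %s/root/usr/bin/hello %s 1068000000\n' \
    "$base" "$base" "$sum" > "$base/db/app-misc/hello-1.0/CONTENTS"
  : > "$base/db/net-analyzer/nagios-1.1/CONTENTS"
  echo "$base/db"
}
```

On a real box leave VDB unset and call vdb_list, vdb_files and vdb_verify directly; make_sample_vdb only exists to exercise them offline.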