Re: [gentoo-user] Good 'layman' tutorial on IPv4 > IPv6?

2012-01-20 Thread Chris Frederick
On 01/20/12 05:07, Tanstaafl wrote:
> On 2012-01-19 5:32 PM, Mick  wrote:
>> On Thursday 19 Jan 2012 15:48:32 Michael Mol wrote:
>>> On Thu, Jan 19, 2012 at 10:37 AM, Tanstaafl  
>>> wrote:
>>>> I have a reasonable grasp of how to use IP addresses etc with IPv4, but
>>>> every time I start reading about IPv6 I get a headache...
>>>>
>>>> Does anyone know of a decent tutorial written specifically to those who
>>>> have an ok (but not hugely in-depth) understanding of IPv4, and doesn't
>>>> get bogged down in too many technical details, but simply explains what
>>>> you need to know to be able to transition to it and use it effectively
>>>> *and securely* - and/or how *not* to have to expose your entire private
>>>> network to the world (what IPv4 NAT protects you from)?
> 
>>> I've been doing IPv6 presentations at LUGs and tech cons, and I'm
>>> getting scheduled for a few IPv6 topics at Penguicon...but I'm pretty
>>> sure I'm also not the most knowledgeable on this list wrt IPv6,
>>> either. Still, what would you like to know? (I can use your questions
>>> as fodder and experience for future presentations. ^^)
> 
>> Now that IPv6 is enabled by default on Linux, is one meant to duplicate all
>> the IPv4 iptable rules also for IPv6?  I'm using arno ip tables and from what
>> I saw in the config file it is either 4 or 6 that one can activate.  Perhaps
>> this has improved with later versions.
> 
> That was the very first question (and headache) I got from looking at this.
> 
>> The OP would probably have more questions, but if you ever pull together a
>> pack of slides I would much appreciate a link to look at them.
> 
> I really wouldn't know where to start... that is why I was looking for a 
> decent tutorial that covered the topic in total, so I could hopefully
> get to the point that I *could* ask some intelligent questions about it...
> 
> One very general question I have is, how can you - or even *can* you - hide 
> all of your internal devices from the outside world, similar to how
> the use of 'private' IP's behind a NAT'd firewall are hidden from the outside 
> world (nor directly accessible). I definitely do *not* want all of
> my internal devices directly accessible from the internet.
> 

If you want a good place to start, try Mark Newton's AusCERT IPv6 talk.
http://risky.biz/AusCERT-Newton
It's not exactly "laymen", but I still recommend it.  It's a good talk taking 
your IPv4 knowledge and comparing it to the IPv6 equivalents, and
brings up some good general ideas that make you think of IPv6 in a practical 
sense.  Unfortunately I haven't found a video version of it. :(

I've done a handful of IPv6 conversions, small to medium networks, I'd be
willing to answer some questions if you need help.

As for your general question, the short answer is you can't.  If you need 
internet access, then you will have to have public IPs.

Question: Why do you want to hide internal devices?  I don't expect an answer, 
this is something you should ask yourself.

Is it to protect running services from attack/discovery?  Great, that's what 
your firewall is for, so you don't need to worry about private
addresses.  Another option is to deploy IPSec for internal services, this would
hide internal services even from hosts on the private address
space unless they are trusted through IPSec rules.

Is it to hide the actual devices? or your network architecture/topology?  
Scanning for host discovery in IPv6 is not feasible.  Consider how big
IPv6 is.  A typical host discovery scan on an IPv4 private network can be done 
in a few hours.  Given a (really fast) average host discovery of
1000 hosts a second, let's apply some math to your internal IPv6 range.  We'll
compare both ::/64 and ::/48, which amounts to 2^64 and 2^80
addresses.  Your host discovery scan would take between 600 million, and 38 
trillion years to check each IP.

If you still want private addresses, IPv6 has unique local addresses (fc00::/7 
range, http://www.sixxs.net/tools/grh/ula/ has a reg form to help
assign a /48 to you).  But since there's no address translation, you're stuck
running dual networks for everything that needs a private address
and internet access.  It's not entirely a bad thing, but it can be a long 
tedious process, and some software sucks at it (mysqld).

Hope that helps.
Chris
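As an added worked calculation (not part of the original message), the scan-time estimate above carried through for both prefixes and then for a probe rate a thousand times higher; p (prefix length) and r (probe rate) are names chosen here:

```latex
T(p, r) = \frac{2^{128-p}}{r \cdot 31{,}557{,}600\ \mathrm{s/yr}}
\qquad (365.25\ \text{days per year})

\text{/64 at } r = 10^{3}\ \mathrm{hosts/s}: \quad
T = \frac{2^{64}}{10^{3} \cdot 3.156\times10^{7}}
  \approx \frac{1.845\times10^{19}}{3.156\times10^{10}}
  \approx 5.8\times10^{8}\ \text{years (about 600 million)}

\text{/48 at } r = 10^{3}\ \mathrm{hosts/s}: \quad
T = \frac{2^{80}}{3.156\times10^{10}}
  \approx \frac{1.209\times10^{24}}{3.156\times10^{10}}
  \approx 3.8\times10^{13}\ \text{years (about 38 trillion)}

\text{/64 at } r = 10^{6}\ \mathrm{hosts/s}: \quad
T \approx \frac{1.845\times10^{19}}{3.156\times10^{13}}
  \approx 5.8\times10^{5}\ \text{years}
```

The time scales as 2^(128-p), so widening the range from /64 to /48 multiplies it by 2^16 = 65536, while a thousandfold faster scanner only divides it by 10^3.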



Re: [gentoo-user] Good 'layman' tutorial on IPv4 > IPv6?

2012-01-21 Thread Chris Frederick
On Jan 20, 2012, at 9:36 PM, "Walter Dnes"  wrote:

> On Fri, Jan 20, 2012 at 10:45:08AM -0600, Chris Frederick wrote
> 
>> If you still want private addresses, IPv6 has unique local addresses
>> (fc00::/7 range, http://www.sixxs.net/tools/grh/ula/ has a reg form to
>> help assign a /48 to you).
> 
>  If it's a unique ***LOCAL*** address, then why is it a problem if
> multiple places on the planet use it???  Doesn't sound very "local" to
> me.

The idea being, they are globally unique.  Assume network XYZ needs to merge 
with network ABC.

What happens in IPv4 when they both use the same private address space?  You
could be looking at re-assigning an entire 10/8 address block, including all
services.  It sucks.

For IPv6, you go to the end point router for each network, configure a route to 
the opposite network, add some optional firewall/IPSec rules, and you're done.  
This saves days, if not weeks, of work with little, or no downtime.

Home users probably won't care, most will probably use the public address space 
given to them from their ISP.

Chris


[gentoo-user] bluetooth keyboard on embedded device

2009-08-05 Thread Chris Frederick
Hi all,

I have a C-BOX 134 system that I'm using as a mythtv frontend.  It's
running a VIA Nehemiah 1Ghz processor, which with XvMC can play dvds and
ripped movies just fine, but doesn't have a whole lot of horse power for
anything else.

I recently received a bluetooth keyboard that I'm trying to get working
with the system.  I can get it working with bluez using the old-daemons
use flag and manually running 'hidd --search' while the keyboard is in
discoverable mode, so I know it will work, but I'm having a lot of
difficulty setting it up.

In order to get the keyboard into discoverable mode you have to press a
button with a paperclip.  Also since it's not paired yet, when the
keyboard enters a "sleep" mode, it won't reattach to the pc when it
wakes up.  So I can't just add the hidd command to the startup scripts
and have it work.  I've tried to set up the /etc/init.d/hidd startup
script, but it doesn't seem to want to connect to the keyboard that way.

I've tried bluez-libs/bluez-utils versions 2.25 and 3.36, and bluez
4.39.  The 2.x versions gave me compile errors with some undefined
variables.  3.x and 4.x seem to work ok, but I can't make sense of the
documentation for either one, and the examples that are provided always
error out.

Does anyone here have a bluetooth keyboard/mouse setup and working?  Or
does anyone know where a good, working walkthrough/howto/wiki on how to
set one up?

Thanks in advance.

Chris



Re: [gentoo-user] Is this firewall safe?

2009-04-24 Thread Chris Frederick
Marco wrote:
> Hi all,
> 
> I set up my first firewall on my notebook (not running any services
> reachable from outside) using iptables. Since I am new to the topic,
> could you please verify if the output of 'iptables -L -v' is
> considered to be a safe firewall? Thanks!
> 

Hi Marco,

Your firewall looks good, but I would change a few things.

First off, change your FORWARD chain to DROP.  Unless you are doing
routing on your laptop, there's no reason to have it.

I would also get rid of the REJECT targets.  It's better to DROP
instead.  If someone is scanning the network, and you start sending icmp
rejections back, they will know you are there and may try other
techniques to break through your defenses, but if you DROP and send
nothing back, it will be much harder for them to see you at all.

I would also re-write your INPUT chain to be a bit less verbose.
Something like this:

Chain INPUT (policy DROP 0 packets, 0 bytes)
target     prot opt in     out     source      destination
ACCEPT     all  --  lo     any     anywhere    anywhere
ACCEPT     all  --  any    any     anywhere    anywhere    state RELATED,ESTABLISHED
LOG        all  --  any    any     anywhere    anywhere    LOG level warning prefix `INPUT   '

Everything else looks good from a security standpoint.  From a
performance standpoint, you might want to add a line to the beginning of
your output chain like this:

Chain OUTPUT (policy ACCEPT 5 packets, 1691 bytes)
target     prot opt in     out     source      destination
ACCEPT     all  --  any    lo      anywhere    anywhere
ACCEPT     all  --  any    any     anywhere    anywhere    state RELATED,ESTABLISHED
LOG        all  --  any    any     anywhere    anywhere    LOG level warning prefix `OUTPUT  '

This will log only NEW packets.  Otherwise you could end up with a lot
of log output.

After you run this for a while, go back and look through your logs and
see if you have enough data there to change your OUTPUT chain to DROP,
and only allow packets through to ports you actually use.  That's only
if you're really paranoid though.

Hope that helps.

Chris



Re: [gentoo-user] Is this firewall safe?

2009-04-24 Thread Chris Frederick
Daniel Troeder wrote:
> On Fri, 2009-04-24 at 18:40 +, Marco wrote:
>> On Fri, Apr 24, 2009 at 5:23 PM, Daniel Troeder  wrote:
>>> On Fri, 2009-04-24 at 12:00 -0500, Chris Frederick wrote:
>> [...]
>>> While all that is correct, I would also consider it "bad network
>>> behavior" (no offense intended).
>> So you consider my 'reject-with' settings to be good practice?
> Yes :)

I'll have to agree and disagree with Daniel on this point.  I agree that
it is "bad network behavior", but the people we are trying to keep out
don't stick to using "good network behavior", so why should we?  There are
a number of dirty tricks people use to circumvent firewalls/networks,
and I strongly believe that it is better to hide your presence as best
as you can on a network.

Now I'm also keeping in mind that you are on a laptop with no remote
services.  If you start allowing services, then that will change things.
If clients are going to be connecting to you for certain services, you
should be more accommodating to them and play nice with the network
where possible.

This is more of a personal preference thing.

>>> It feels like "security through obscurity".

I agree that it is "security through obscurity", but that's not a bad
thing.  Relying on "security through obscurity" for protection is a bad
thing, but adding a layer of obscurity over a defense in depth strategy
is not.

>>> It may hamper the well-working of a TCP/IP network, as that relies heavily 
>>> on ICMP.

On a server level, yes.  But this is a client with no active/accessible
services.  A server shouldn't rely on ICMP from a client, but the ICMP
packets from the server will be picked up by the RELATED flag on the
second rule, allowing the client to see the ICMP error from the server.

>> I was not really sure how to configure ICMP (ping) correctly. Any input 
>> appreciated!
> That is really difficult, because ICMP is a family of lots of protocols,
> from which ping is just one. Others are important too, like telling
> routers/hosts about network congestion, and so on... I don't feel
> competent enough to give directions. I do always allow ping, as this is
> needed in a server environment to check for uptime, but your case may be
> different.

I agree with Daniel again.  Unless you know what you are doing, blocking
ICMP is just going to cause problems.  And I would argue that iptables
is not the tool to use, even if you know what you are doing.  If you
really want to filter your ICMP packets, look to /proc/sys/net/ipv4/.
The kernel will give you some nice options that are a lot safer than an
iptables rule.

>>> Also: if you wish to scan (nmap) yourself to check your system
>>> (configuration), you'll wish for REJECT instead of DROP :)
>> You mean as the default policy?
> Yes, and also everywhere you use DROP. It's just, that you'll have to
> wait less for timeouts, when connecting to a closed port.


I would recommend running nmap in crontab if you want to scan your
network (look up ndiff on nmap's website).


> If you decide to go with DROP, then you could make it globally
> switchable in your script, to change between testing and production
> environment/situation.

This is great advice.  You may not benefit much from it now with this
small script, but as it grows, you really want to keep this in mind.  If
you modularize your tables, you can turn them on and off with a single
insert/delete rather than trying to insert/delete large blocks from the
rules, or worse, reloading the whole rule set.

Chris

P.S.  Daniel, no offense taken.  I enjoy these debates, it helps us
think differently and learn new tricks.  If we are not challenged once
in a while we get complacent, and that's typically when we start making
mistakes.
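Pulling together the INPUT/OUTPUT layout from Chris's first reply and Daniel's switchable DROP/REJECT suggestion, here is an added example (not code from the thread): a POSIX sh script that emits an iptables-restore ruleset, so the whole policy loads atomically and the unsolicited-traffic action lives in one small chain that can be flipped or removed with a single rule. The chain name UNSOLICITED, the script name fw.sh and the mode names are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread.  Prints an iptables-restore ruleset:
#   sh fw.sh production | iptables-restore     # quiet: drop silently
#   sh fw.sh testing    | iptables-restore     # before a local nmap/ndiff run
# Everything except the final decision is identical in both modes, so
# switching between them never touches the ACCEPT or LOG rules.

# Rules for traffic that nothing above accepted.  Production drops with no
# reply; testing answers immediately so a self-scan does not wait for
# timeouts (tcp-reset for TCP, port-unreachable for everything else).
unsolicited_rules() {
    case "$1" in
        production)
            echo '-A UNSOLICITED -j DROP'
            ;;
        testing)
            echo '-A UNSOLICITED -p tcp -j REJECT --reject-with tcp-reset'
            echo '-A UNSOLICITED -j REJECT --reject-with icmp-port-unreachable'
            ;;
        *)
            echo "unsolicited_rules: unknown mode '$1' (use production|testing)" >&2
            return 1
            ;;
    esac
}

# Whole filter table.  Chain declarations (":NAME POLICY [0:0]") must come
# before any -A line, which is why the custom chain is declared up front.
fw_ruleset() {
    mode="${1:-production}"
    # Validate the mode before printing anything, so a typo cannot leave a
    # half-written ruleset on stdout.
    unsolicited_rules "$mode" >/dev/null || return 1
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:UNSOLICITED - [0:0]
# INPUT: loopback, then replies to connections we opened, then log what is left
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j LOG --log-level warning --log-prefix "INPUT   "
-A INPUT -j UNSOLICITED
# OUTPUT stays ACCEPT; the LOG sits after the state rule so only NEW
# outbound connections are logged, not every packet
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j LOG --log-level warning --log-prefix "OUTPUT  "
# UNSOLICITED: the only place where the DROP-versus-REJECT choice lives
EOF
    unsolicited_rules "$mode"
    echo 'COMMIT'
}

fw_ruleset "${1:-production}"
```

Deleting the single `-A INPUT -j UNSOLICITED` jump (or reloading with the other mode) is the "single insert/delete" switch Chris describes, with the rest of the table untouched.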



[gentoo-user] Network Monitoring (graphical web app)

2005-08-03 Thread Chris Frederick

Hi all,

I've been looking for a monitoring app that I can run on my 
server/gateway.  The more graphical the better, I really like the looks 
of the graphs from ipac and grapher.  But I'd like to get more details 
than just total interface statistics.  I'd like to be able to see a 
graph for the total, but also a few extra graphs for watching specific 
ports (21, 22, 25, 80, 443, etc...).  Being able to monitor procs, 
specific procs, and memory and stuff would be nice, but I can get that 
from other apps if needed.


Any suggestions/recommendations?

Thanks all,

Chris Frederick

--
gentoo-user@gentoo.org mailing list



[gentoo-user] insmod for hpt370a hangs machine

2005-05-16 Thread Chris Frederick
Hi all,
I have a hpt370a card.  I recently switched from Mandrake 10 to gentoo.
My attempts to get the card working again have been difficult.  The
card worked fine in Mandrake with the hpt3xx-opensource-v2.0.tgz driver 
from highpoint.  But now when I try to load the module, the entire 
system hangs.  I'm using gentoo-sources for kernel sources, and the 
drivers compile fine.  Any ideas on why this is happening?

Thanks in advance for any help
Chris Frederick


[gentoo-user] xorg load module error

2005-06-18 Thread Chris Frederick
Hi all,

Can anyone give me a hand with this?  I did an emerge update and kernel
recompile the other day and since then I cant run xorg.  I've changed a
few things in the xorg.conf file but nothing seems to help.  I've even
tried some different use flags to see if that was it, but so far I've
got nothing.

The only things I changed in the kernel was add a few modules for
iptables so I could run snort.  I did my `emerge nvidia-kernel
madwifi-driver` after the kernel compile so it shouldn't be missing the
nvidia driver.

Here's the output for merge --pretend -v xorg-x11:

[ebuild   R  ] x11-base/xorg-x11-6.8.2-r1 -3dfx -3dnow +bitmap-fonts
-cjk +debug -dlloader -dmx -doc -font-server +hardened -inscure-drivers
-ipv6 -minimal +mmx -nls +opengl +pam -sdk -sse -static +truetype-fonts
+type1-fonts (-uclibc) +xprint +xv

I noticed that the changelog said something about sse no longer being
blocked, and I use to have that as a use flag, but I took it out to see
if it files anything.  I also noticed that google brought up a couple
issues with +hardened, but I removed it without any change.  I still get
the same error.

Anyone got any ideas?

Thanks,
Chris Frederick

X Window System Version 6.8.2
Release Date: 9 February 2005
X Protocol Version 11, Revision 0, Release 6.8.2
Build Operating System: Linux 2.6.11-gentoo-r9 i686 [ELF] 
Current Operating System: Linux server 2.6.11-gentoo-r9 #3 SMP Fri Jun 17 
09:44:50 CDT 2005 i686
Build Date: 17 June 2005
Before reporting problems, check http://wiki.X.Org
to make sure that you have the latest version.
Module Loader present
Markers: (--) probed, (**) from config file, (==) default setting,
(++) from command line, (!!) notice, (II) informational,
(WW) warning, (EE) error, (NI) not implemented, (??) unknown.
(==) Log file: "/var/log/Xorg.0.log", Time: Sat Jun 18 09:50:42 2005
(==) Using config file: "/etc/X11/xorg.conf"
(==) ServerLayout "Simple Layout"
(**) |-->Screen "Screen 1" (0)
(**) |   |-->Monitor "KDS"
(**) |   |-->Device "nVidia"
(**) |-->Input Device "Mouse1"
(**) |-->Input Device "Keyboard1"
(**) FontPath set to 
"/usr/share/fonts/misc/,/usr/share/fonts/TTF/,/usr/share/fonts/Type1/,/usr/share/fonts/75dpi/,/usr/share/fonts/100dpi/,/usr/share/fonts/local/"
(**) RgbPath set to "/usr/lib/X11/rgb"
(==) ModulePath set to "/usr/lib/modules"
(WW) Open APM failed (/dev/apm_bios) (No such file or directory)
(II) Module ABI versions:
X.Org ANSI C Emulation: 0.2
X.Org Video Driver: 0.7
X.Org XInput driver : 0.4
X.Org Server Extension : 0.2
X.Org Font Renderer : 0.4
(II) Loader running on linux
(II) LoadModule: "bitmap"
(II) Loading /usr/lib/modules/fonts/libbitmap.a
Duplicate symbol __i686.get_pc_thunk.bx in 
/usr/lib/modules/fonts/libbitmap.a:bitmapmod.o
Also defined in /usr/lib/modules/fonts/libbitmap.a

Fatal server error:
Module load failure


Please consult the The X.Org Foundation support 
 at http://wiki.X.Org
 for help. 
Please also check the log file at "/var/log/Xorg.0.log" for additional 
information.

# File generated by xorgconfig.


Re: [gentoo-user] xorg load module error

2005-06-20 Thread Chris Frederick

Richard Fish wrote:

> Chris Frederick wrote:
>
>> [ebuild   R  ] x11-base/xorg-x11-6.8.2-r1 -3dfx -3dnow +bitmap-fonts
>> -cjk +debug -dlloader -dmx -doc -font-server +hardened -inscure-drivers
>> -ipv6 -minimal +mmx -nls +opengl +pam -sdk -sse -static +truetype-fonts
>> +type1-fonts (-uclibc) +xprint +xv
>>
>> (II) LoadModule: "bitmap"
>> (II) Loading /usr/lib/modules/fonts/libbitmap.a
>> Duplicate symbol __i686.get_pc_thunk.bx in
>> /usr/lib/modules/fonts/libbitmap.a:bitmapmod.o
>> Also defined in /usr/lib/modules/fonts/libbitmap.a
>
> It seems that the server doesn't like your build of the bitmap fonts
> library.  Not sure why this is...looks like a bug to me, or possibly a
> CFLAGS goof.
>
> I suggest rebuilding x.org with USE=-bitmap-fonts.  That should get you
> around this problem
>
> -Richard



No dice...

I tried changing the use flags and nothing helped.  My CFLAGS shouldn't 
be an issue either.


CFLAGS="-O2 -march=pentium4 -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CXXFLAGS="${CFLAGS}"
MAKEOPTS="-j4"

The machine is a dual Xeon 2.6Ghz.

The only thing I can think of is that when I did the emerge update, the 
xorg came up because I added xprint to the global use flags.  Of course 
compiling with it off isn't fixing it.  I really have no clue what's 
going on, it's not an update problem, it was just a --newuse thing. 
I've changed several use flags and emerge -C'd it several times, but
nothing's fixing it.


Any ideas?

Chris Frederick




[gentoo-user] ATI Radeon Xpress 200 Drivers

2005-06-25 Thread Chris Frederick
Hi all,

I just noticed that ati released drivers for my Radeon Xpress card.  I
installed the drivers for Xorg, and it works great.  But when I tried to
install the kernel modules, I got a lot of error messages with the
build.  I know gentoo has the regular ati-drivers package, but they
don't support the Xpress series of cards.  Can anyone give me a hand at
getting this to work?

Is there any development being done to include these into the
ati-drivers package?  or to make an ati-xpress-drivers package?

I'm no wiz with C, but I know enough to be comfortable with it.  I'll do
what I can to help get this working, but I could sure use a hand, or a
point in the right direction.

Thanks in advance for your help.

Chris Frederick

Here's ATI's info on the drivers:

ATI Proprietary Linux x86_64 Driver 8.13.4 for Radeon Xpress 200 Series
https://support.ati.com/ics/support/KBAnswer.asp?questionID=19511
http://www2.ati.com/drivers/linux/64bit/fglrx64_6_8_0-8.13.4-1.x86_64.rpm

I ran rpm2targz on the rpm, and extracted it to /, then ran the
/lib/modules/fglrx/build_mod/make.sh script to build the kernel modules:

# sh make.sh
ATI module generator V 2.0
==
initializing...
cleaning...
patching 'highmem.h'...
assuming new VMA API since we do have kernel 2.6.x...
doing Makefile based build for kernel 2.6.x and higher
make -C /lib/modules/2.6.11-gentoo-r11/build
SUBDIRS=/lib64/modules/fglrx/build_mod/2.6.x modules
make[1]: Entering directory `/usr/src/linux-2.6.11-gentoo-r11'
  CC [M]  /lib64/modules/fglrx/build_mod/2.6.x/agp3.o
  CC [M]  /lib64/modules/fglrx/build_mod/2.6.x/nvidia-agp.o
  CC [M]  /lib64/modules/fglrx/build_mod/2.6.x/agpgart_be.o
/lib64/modules/fglrx/build_mod/2.6.x/agpgart_be.c: In function
`agp_generic_agp_v2_enable':
/lib64/modules/fglrx/build_mod/2.6.x/agpgart_be.c:721: warning: implicit
declaration of function `pci_find_class'
/lib64/modules/fglrx/build_mod/2.6.x/agpgart_be.c:722: warning:
assignment makes pointer from integer without a cast
/lib64/modules/fglrx/build_mod/2.6.x/agpgart_be.c:843: warning:
assignment makes pointer from integer without a cast
/lib64/modules/fglrx/build_mod/2.6.x/agpgart_be.c: In function
`serverworks_agp_enable':
/lib64/modules/fglrx/build_mod/2.6.x/agpgart_be.c:5123: warning:
assignment makes pointer from integer without a cast
/lib64/modules/fglrx/build_mod/2.6.x/agpgart_be.c:5221: warning:
assignment makes pointer from integer without a cast
/lib64/modules/fglrx/build_mod/2.6.x/agpgart_be.c: In function
`agp_find_supported_device':
/lib64/modules/fglrx/build_mod/2.6.x/agpgart_be.c:7313: warning:
assignment makes pointer from integer without a cast
/lib64/modules/fglrx/build_mod/2.6.x/agpgart_be.c: In function
`__fgl_agp_init':
/lib64/modules/fglrx/build_mod/2.6.x/agpgart_be.c:8454: warning:
`pm_register' is deprecated (declared at include/linux/pm.h:106)
/lib64/modules/fglrx/build_mod/2.6.x/agpgart_be.c: In function
`__fgl_agp_cleanup':
/lib64/modules/fglrx/build_mod/2.6.x/agpgart_be.c:8464: warning:
`pm_unregister_all' is deprecated (declared at include/linux/pm.h:116)
  CC [M]  /lib64/modules/fglrx/build_mod/2.6.x/i7505-agp.o
  CC [M]  /lib64/modules/fglrx/build_mod/2.6.x/firegl_public.o
/lib64/modules/fglrx/build_mod/2.6.x/firegl_public.c: In function
`firegl_stub_putminor':
/lib64/modules/fglrx/build_mod/2.6.x/firegl_public.c:500: warning:
`inter_module_put' is deprecated (declared at include/linux/module.h:578)
/lib64/modules/fglrx/build_mod/2.6.x/firegl_public.c:502: warning:
`inter_module_unregister' is deprecated (declared at
include/linux/module.h:574)
/lib64/modules/fglrx/build_mod/2.6.x/firegl_public.c: In function
`firegl_stub_register':
/lib64/modules/fglrx/build_mod/2.6.x/firegl_public.c:522: warning:
`inter_module_register' is deprecated (declared at
include/linux/module.h:573)
/lib64/modules/fglrx/build_mod/2.6.x/firegl_public.c:553: warning:
`inter_module_put' is deprecated (declared at include/linux/module.h:578)
/lib64/modules/fglrx/build_mod/2.6.x/firegl_public.c: In function
`__ke_get_vm_phys_addr':
/lib64/modules/fglrx/build_mod/2.6.x/firegl_public.c:1581: error:
structure has no member named `pud'
/lib64/modules/fglrx/build_mod/2.6.x/firegl_public.c: In function
`do_vm_shm_nopage':
/lib64/modules/fglrx/build_mod/2.6.x/firegl_public.c:2092: error:
structure has no member named `pud'
/lib64/modules/fglrx/build_mod/2.6.x/firegl_public.c: In function
`do_vm_dma_nopage':
/lib64/modules/fglrx/build_mod/2.6.x/firegl_public.c:2156: warning:
unused variable `kaddr'
/lib64/modules/fglrx/build_mod/2.6.x/firegl_public.c: In function
`__ke_vm_phys_addr_str':
/lib64/modules/fglrx/build_mod/2.6.x/firegl_public.c:2515: error:
structure has no member named `pud'
/lib64/modules/fglrx/build_mod/2.6.x/firegl_public.c: At top level:
/lib64/modules/fglrx/build_mod/2.6.x/firegl_public.

Re: [gentoo-user] 1/2 OT: What Linux could learn from mainframes ?

2008-03-24 Thread Chris Frederick

Enrico Weigelt wrote:

> Hi folks,
>
> after reading several articles about Mainframes and similar archs
> (even ancient ones like B7000), I wonder if Linux world could
> learn something from there.
>
> One very interesting point (IMHO) is the storage abstraction.
> AFAIK, Mainframes work on one large virtual memory (disks for
> swapping out RAM, tapes for swapping out disks, etc).
>
> This way you just allocate some piece of space (like some virtual
> partition) to an application (of guest). If you need more space,
> just plug in more disks and the OS will handle all this automatically.
>
> I'm currently planning to implement a similar approach for Linux
> (at least virtual block devices).
>
> What do you think about this ?
>
> cu


Check out LVM (Logical Volume Manager)

http://tldp.org/HOWTO/LVM-HOWTO/
http://www.gentoo.org/doc/en/lvm2.xml

Seems to do exactly what you're talking about.

Chris
--
gentoo-user@lists.gentoo.org mailing list



[gentoo-user] ldap + tls issues

2008-04-07 Thread Chris Frederick

Hi all,

I'm working on migrating a network to allow for more users and easier 
scaling.  I'm also splitting up the main server into separate tasks.  As 
long as I'm doing all this I thought it would be prudent to add an LDAP 
server for authentication/email/etc...  I'm running gentoo-hardened on 
the ldap server and I have been following the gentoo ldap guides here:


http://www.gentoo.org/doc/en/ldap-howto.xml
http://gentoo-wiki.com/HOWTO_LDAPv3

This got me a decent setup, and everything works good, but now I'm 
trying to secure it using TLS and I can't seem to get it working.  I've 
followed both guides, searched google, and still come up with nothing. 
I've verified the CN is correct, I've copied the cert from the server to 
the test client, and I've verified that the certs are ok using openssl.


running 'ldapsearch -H ldap://valid-cn -D "cn=Manager,dc=secret,dc=com" 
-W' lists everything that I've imported, but adding the -Z to the 
command exits with this:


ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL 
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed


I'm using the same common name for the ldap:// protocol as was entered 
in the cert.  Here's the relevant config sections:


/etc/openldap/slapd.conf (server only)
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /etc/ssl/ldap.pem
TLSCertificateKeyFile /etc/openldap/ldap-key.pem
TLS_REQCERT allow

/etc/openldap/ldap.conf (client and server)
TLS_CERT /etc/ssl/ldap.pem
TLS_KEY  /etc/openldap/ldap-key.pem
TLS_REQUEST never

Is there anything else I should check with the certs?

Also, I've been looking for a decent guide to help with installation and 
maintenance for LDAP and I'm coming up dead.  I've even checked the 
libraries and bookstores, and apart from a 2-8 page reference in a few 
general administrative books, I've found nothing.  Can anyone recommend 
a good book/site on how to maintain/administer/install LDAP?  I've spent 
over a week on this and it's still not operational and I'm starting to 
pull my hair out.


Thanks in advance for any help,
Chris
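For comparison with the fragments above, here is an added example (not from the post) of the same two files with the TLS settings tightened: SSLv2 removed from the cipher list, the client-only TLS_REQCERT line dropped from slapd.conf (the server-side directive is TLSVerifyClient), TLS_REQUEST replaced by the actual ldap.conf(5) directive TLS_REQCERT, and TLS_CACERT added, since "certificate verify failed" is what the client reports when it has no trusted certificate to chain the server's certificate to. It assumes /etc/ssl/ldap.pem is self-signed; if it was issued by a CA, point the CA entries at that CA's certificate instead.

```conf
# /etc/openldap/slapd.conf (server only)
# Comments stay on their own lines: slapd does not strip trailing "# ..." text.
# No SSLv2; anonymous (aNULL) and MD5 suites excluded as well.
TLSCipherSuite HIGH:!aNULL:!MD5
# Self-signed certificate: it is its own CA (assumption, see above).
TLSCACertificateFile /etc/ssl/ldap.pem
TLSCertificateFile /etc/ssl/ldap.pem
TLSCertificateKeyFile /etc/openldap/ldap-key.pem
# Clients authenticate with a bind DN/password, not a client certificate,
# so the server does not ask for one.  TLS_REQCERT is a client option and
# does nothing here.
TLSVerifyClient never

# /etc/openldap/ldap.conf (client and server)
# ldap.conf(5) has no TLS_REQUEST directive; the verification policy is
# TLS_REQCERT.  "demand" refuses the session unless the server certificate
# chains to TLS_CACERT and its name matches the URI host (ldap://valid-cn).
TLS_CACERT /etc/ssl/ldap.pem
TLS_REQCERT demand
# TLS_CERT / TLS_KEY are only needed when the server demands a client
# certificate (TLSVerifyClient demand), so they are omitted here.
```

With TLS_REQCERT never (or the equivalent "allow"), the client would silently accept any certificate, which defeats the point of adding TLS in the first place.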



[gentoo-user] portage nfs permissions

2008-04-28 Thread Chris Frederick

Hi all,

I'm trying to set up the portage directory to be hosted over nfs. 
Everything is working great but I would like to increase the security a 
little.  I was wondering if there's an easy way to restrict 'emerge 
--sync' to only work on the server, while still letting all the nfs 
client machines download sources and emerge packages.


I was thinking of doing an 'all_squash' on the server, then changing the 
/distfiles directory to give group write to the anongid account.


I've tried this with no luck.  I keep getting an error trying to fetch 
the package.  I'm assuming it has something to do with the lock files 
that emerge uses to prevent multiple downloads of the same package source.


I've tried to google to find a working configuration like this, but so 
far I've come up empty.  Does anyone else have some ideas on how I can 
get this to work?


Thanks,

Chris Frederick



Re: [gentoo-user] portage nfs permissions

2008-04-28 Thread Chris Frederick

Uwe Thiem wrote:

> On Monday 28 April 2008, Albert Hopkins wrote:
>
>> On Mon, 2008-04-28 at 12:03 -0500, Chris Frederick wrote:
>>
>>> Hi all,
>>>
>>> I'm trying to set up the portage directory to be hosted over nfs.
>>> Everything is working great but I would like to increase the
>>> security a little.  I was wondering if there's an easy way to restrict
>>> 'emerge --sync' to only work on the server, while still letting
>>> all the nfs client machines download sources and emerge packages.
>>
>> Have clients only mount portage read-only and put distfiles in
>> another fs and make it read-write.
>
> Yes, this should work. I have got just one question: How does
> disabling "emerge --sync" from NFS clients improve security?
>
> Uwe



I have a number of overlay ebuilds that I need in place that override 
specific versions of packages, and I don't want various users to 'emerge 
--sync' too often and break things by installing a non-patched package 
that has an old overlay.  This way I can also keep all the clients at 
the same revs of everything and avoid various bugs with things like 
pam/vmware/kernels/graphics drivers/etc...  Plus there's the whole 
bandwidth saving issue.


The biggest reason is so someone doesn't get a newer pam_usb or pam_ldap
than the overlay versions and then can't login anymore.


Chris Frederick



Re: [gentoo-user] portage nfs permissions

2008-04-28 Thread Chris Frederick

Albert Hopkins wrote:

> On Mon, 2008-04-28 at 12:03 -0500, Chris Frederick wrote:
>
>> Hi all,
>>
>> I'm trying to set up the portage directory to be hosted over nfs.
>> Everything is working great but I would like to increase the security
>> a little.  I was wondering if there's an easy way to restrict 'emerge
>> --sync' to only work on the server, while still letting all the nfs
>> client machines download sources and emerge packages.
>
> Have clients only mount portage read-only and put distfiles in another
> fs and make it read-write.
>
> Also you should disable locking on distfiles if you use it over NFS:
> FEATURES=-distlocks.
>
> -a




Why would I need to disable locking?  Wouldn't that stop multiple users 
from downloading the same package at the same time and bring up 
potential race conditions that can break the emerge?


Chris Frederick



Re: [gentoo-user] dvdrip help

2006-03-13 Thread Chris Frederick

Mike Myers wrote:

Hi everybody!

I'm having trouble with the dvdrip program.  Whenever I run it, it
just gives me:

[filterlist] (re)scanning transcode's module path /usr/lib/transcode...

but doesn't actually do anything.  I don't get a gui or anything.  Is
there anything I can do to fix this?  Or, is there an alternative that
I can use to rip dvds and redo them to remove the stupid region codes?

Thanks for the help!
Mike
--
Mike Myers
[EMAIL PROTECTED]
http://www.yaay.us



This is a transcode problem.  There's a couple filters for transcode 
that are bad.  Get rid of (or rename) the 
/usr/lib/transcode/filter_compare.so and 
/usr/lib/transcode/filter_logo.so files.  I had the same problem and I 
searched the net for hours to find this, and this is what fixed it for me.


I don't know if this is a problem with transcode, or if it's an ebuild 
problem that causes those filters to hang, but I re-emerged dvdrip and 
transcode several times and those files were recreated every time.


Hope that helps

Chris Frederick

--
gentoo-user@gentoo.org mailing list



[gentoo-user] Linux design software recommendations

2006-03-25 Thread Chris Frederick

Hi all,

I was wondering if anyone here had any recommendations for design 
software for Linux.


I've been doing a lot of remodeling in my spare time and I'm getting a 
pretty good wood shop setup in the garage.  I'm getting done with some 
of the remodeling projects and I'm going to be starting on some 
furniture soon.  I'd like to have some software that I can do the 
pre-planning in.


Currently I use xfig, and this works great.  But, it's missing 
something.  I like it because I can do a rough draft of a design, or I 
can lay out cut patterns in the stock material so I can see how much 
plywood I need to buy.


But what I'd like to do is both, and probably in 3D.  What I'd like to 
do is design a book shelf or something, and then take it apart and lay 
it out flat into various 4x8 foot sheets, and possibly make a few 
changes and put it back together again and see what the changes I've 
made have done to the project.


Like I said, xfig is great, but it's only a 2D editor, and I really 
think a 3D system is what I need.  With that said, I'm doing all this in 
my spare time (I'm a programmer full time) and I don't want something 
that is too difficult.  I think I only use about half or less of what 
xfig can do in 2D.  I don't think I need to learn a full fledged 3D CAD 
system to build a book shelf or an end table or something.  I need 
something simple and easy.  Build shapes, change dimensions, rotate, 
scale, zoom, etc...


Of course it needs to run on Linux, and being a gentoo user, having 
it in portage is a plus.  Since this is only a hobby, I'd like it to be 
free.  A "GPL-ish" license isn't necessary, but it would be cool (I'm a 
programmer after all).


Does anyone have any recommendations for something similar to what I'm 
describing, or had success with other software that can do some of what 
I want?


Thanks all,

Chris Frederick
--
gentoo-user@gentoo.org mailing list



[gentoo-user] nfs share /usr/portage between computers?

2005-10-20 Thread Chris Frederick

Hi all,

I was just wondering about sharing the /usr/portage directory through 
nfs between multiple computers.  I have everything set up, and I have it 
running between two so far, but I'm getting QA notices.  This got me 
wondering if there are any issues with sharing /usr/portage between 
different archs.  I have two other computers that I would also like on 
this setup (p3 laptop, and p3 desktop).  I'm assuming that the problems 
are going to arise with the zeon->amd64 comps rather than the other two. 
Here's what I'm seeing:


SERVER: dual Zeon 2.6Ghz

zeon ~ # emerge --sync
 

Performing Global Updates: /usr/portage/profiles/updates/4Q-2005
(Could take a couple of minutes if you have a lot of binary packages.)
  .='update pass'  *='binary update'  @='/var/db move'
  s='/var/db SLOT move' S='binary SLOT move' p='update 
/etc/portage/package.*'




CLIENT: AMD Athlon64 3.0Ghz

amd64 ~ # emerge --update --deep --newuse --pretend -v world

Performing Global Updates: /usr/portage/profiles/updates/4Q-2005
(Could take a couple of minutes if you have a lot of binary packages.)
  .='update pass'  *='binary update'  @='/var/db move'
  s='/var/db SLOT move' S='binary SLOT move' p='update 
/etc/portage/package.*'



These are the packages that I would merge, in order:

Calculating world dependencies \QA Notice: USE Flag 'elibc_uclibc' not 
in IUSE for sys-devel/libperl-5.8.5-r1

QA Notice: USE Flag 'elibc_uclibc' not in IUSE for sys-devel/libperl-5.8.5




The QA Notices only show up on the first emerge after doing a --sync on 
the server.  Is this something I should be concerned with, or are the QA 
Notices not that big of deal?  And am I going to run into other issues? 
I haven't emerged anything just yet since I don't feel like rebuilding 
anything in case it blows up or something.


Thanks all,
Chris Frederick

--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] No DRI for ATI 9250 and xorg 7.2?

2007-06-13 Thread Chris Frederick
Grant Edwards wrote:
> I swear I'll never buy another ATI chipset again. If AMD
> doesn't straighten out the mess at ATI, I'll switch back to
> Intel CPUs as well...
> 

I usually don't offer my opinion to a rant but I just can't resist this one.

I've been using an amd64 cpu on a ATI chipset for a mythtv server for
the last two years now.  The graphics are a Radeon Express 200G.  This
system is an absolute joke.  Graphics drivers aside, I've never seen a
more flaky, worthless motherboard in my life.  I've done many a kernel
update, only to reboot and sit by the TV for the next half hour while I
hit the reset button every minute because the BIOS can't get past
checking for RAM modules.  It shouldn't take 15-20 minutes to do an
'emerge --sync' on a 64bit AMD 3000.  You'd think after two years there
would be a bios update to patch this ...

My nForce motherboards and GeForce graphics card are in the mail.  I
don't expect to see an ATI label in my house or company for a long time.
nVidia may be closed source, but at least they work.



Chris
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] ssh connections time out

2007-11-27 Thread Chris Frederick
Dale wrote:
> 
> 
> I also ran into something like this on a local network.  I corrected
> this by adding the remote systems to my hosts file and putting the entry
> in the host file on the remote system.  I'm not sure what effect this
> had but it worked like a charm after that.  I guess it lets each other
> know who the other is or something.
> 
> Hope that helps.
> 
> Dale
> 
> :-)  :-)  :-)  :-) 

I've had this problem as well.  I've added "UseDNS no" to the
sshd_config file and that had the same result.  I usually only had high
latency establishing the connection though.  Once the connection was
established and I was logged in, everything was fast again.

I've also had connection issues while transferring files through ssh,
and I got around that (somewhat) by adding "-l" to the scp command.  This
tries to throttle the connection speed, and I can usually keep a
connection going with that.  I say that it somewhat fixed the issue
because I also need to use ssh to port forward to an internal database
and run scripts there, but there's no way that I know to do the same
throttling with a port forwarding ssh command.

Chris

-- 
[EMAIL PROTECTED] mailing list



[gentoo-user] Apache .htaccess not working

2006-04-25 Thread Chris Frederick

Hi all,

I was at the office today, and needed to get something from my email at 
home.  So I launched my browser, pointed to my horde installation, and 
it let me in.  I don't have any saved passwords, and to double check it, 
I ran IE and Firefox and both were let in without any problem.


I've done a bit of testing on it, and it seems that the "Satisfy any" 
directive is not behaving, or it's picking up some "Allow from all" or 
something somewhere.  I can't find it anywhere.  If I un-comment the 
"Satisfy any" line, I can access the site from anywhere without a 
password.  The log file shows that my IP isn't being NATed or anything 
to a local address, so the "allow from *" lines shouldn't be hitting it.


Is there anything else I can check, or has something changed with apache 
recently?


My horde installation is running on my apache server with SSL.  My 
/etc/apache2/modules.d/41_mod_ssl.default-vhost.conf has these defined 
for the ssl site:



Options -Indexes FollowSymLinks MultiViews
AllowOverride All

  Order deny,allow
  Deny from all



My /var/www/htsdocs/horde/.htaccess file lists this:


  SSLRequireSSL
  AuthName "Access Restricted"
  AuthType Basic
  AuthUserFile /var/www/mail_users

  #satisfy any
  order deny,allow
  #allow from 192.168.1.0/255.255.255.0
  #allow from 192.168.0.0/255.255.255.0
  #allow from 127.0.0.1
  require valid-user


  # no non-ssl access
  order deny,allow


And "emerge --pretend -v apache" shows:

[ebuild   R   ] net-www/apache-2.0.55-r1  +apache2 -debug -doc -ldap 
-mpm-leader -mpm-peruser +mpm-prefork -mpm-threadpool -mpm-worker 
-no-suexec (-selinux) +ssl -static-modules +threads


Thanks for any help with this,
Chris Frederick

--
gentoo-user@gentoo.org mailing list
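An added example, not from the post above: a small Python model of how Apache 2.0's mod_access host rules (Order/Allow/Deny) combine with "Satisfy" and "require valid-user", run against a constructed copy of the posted .htaccess. It shows why "Satisfy any" on top of "order deny,allow" with every Allow line commented out grants access with no password, and contrasts a default-deny ordering; the client addresses and the helper names are assumptions for the demo.

```python
import ipaddress

def parse_rules(lines):
    """Collect Order/Satisfy/Allow/Deny from .htaccess-style lines; '#' lines are ignored,
    exactly as Apache ignores them. Defaults match Apache 2.0: Order deny,allow and Satisfy all."""
    cfg = {"order": "deny,allow", "satisfy": "all", "allow": [], "deny": []}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(" ")
        key = key.lower()
        if key in ("order", "satisfy"):
            cfg[key] = rest.strip().lower()
        elif key in ("allow", "deny"):
            cfg[key].append(rest.split(None, 1)[1].strip())  # drop the "from" keyword
    return cfg

def _matches(ip, rules):
    return any(r.lower() == "all" or ip in ipaddress.ip_network(r, strict=False) for r in rules)

def host_allowed(order, allows, denies, client_ip):
    """mod_access semantics: with deny,allow a request matching nothing is PERMITTED;
    with allow,deny a request matching nothing is DENIED."""
    ip = ipaddress.ip_address(client_ip)
    allowed, denied = _matches(ip, allows), _matches(ip, denies)
    if order == "deny,allow":
        return allowed or not denied
    if order == "allow,deny":
        return allowed and not denied
    raise ValueError("unknown Order: " + order)

def decide(lines, client_ip, valid_user):
    """True if the request is served. valid_user is whether Basic auth succeeded."""
    cfg = parse_rules(lines)
    host_ok = host_allowed(cfg["order"], cfg["allow"], cfg["deny"], client_ip)
    # Satisfy any: host rules OR user auth suffices; Satisfy all (default): both needed
    return (host_ok or valid_user) if cfg["satisfy"] == "any" else (host_ok and valid_user)

# Constructed copy of the posted .htaccess with "satisfy any" un-commented (hypothetical input)
AS_POSTED = ["satisfy any", "order deny,allow",
             "#allow from 192.168.1.0/255.255.255.0", "require valid-user"]
# Default-deny ordering: only the listed LAN ranges skip the password, everyone else needs one
HARDENED = ["satisfy any", "order allow,deny", "allow from 192.168.1.0/255.255.255.0",
            "allow from 127.0.0.1", "require valid-user"]

if __name__ == "__main__":
    print("office IP, no password, as posted:", decide(AS_POSTED, "203.0.113.5", False))
    print("office IP, no password, hardened: ", decide(HARDENED, "203.0.113.5", False))
```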



Re: [gentoo-user] Lightweight Gentoo System

2006-10-12 Thread Chris Frederick

Karl Huysmans wrote:

Hi All,

A friend asked me to install "some" operating system on an old Dell laptop
he got for free.

The laptop has a pentium 2 400 MHz, 6 GB HD and 256 MB RAM, and will be 
used by his young children.

I have tried to install Edubuntu on it, looks nice, has a lot of very
useful stuff for kids, but it really runs too slow on this machine.

So I was thinking Gentoo, optimized for PII, I guess -Os would be a good
option for this little machine. Any thoughts anyone?

What about the desktop? I guess Gnome or KDE is not really the best choice.
But what else could I use? Of course, it's for kids, so I have to be 
able to make it look nice :-) What would be a good window manager? File manager?
Other applications that help to keep it lean and fast?

Anyone with any experience building such a system under Gentoo?

Thank you

Karl



I've got an old NEC and Thinkpad that I use for VNC clients to my 
server.  I've also loaded a "bare bones" desktop system in case I take 
them out somewhere.


I've loaded fluxbox, dillo, spruce, mplayer, and some assorted games 
(pysol, xbomb, xtris, etc...)  Surprisingly this system responds better 
than my Win2k server at work.


I have a dual xeon server that I did all the building on, then I just 
boot the laptop to the minimal cd and partition drives and use the tar 
file from my server in place of the stage3.  Then just load grub, 
reboot, and you just saved yourself days of compiling.


I used -O2 for compiling, and since I use my server to do all the 
building from, I delete /usr/portage before I load it on the laptops. 
This puts me around ~850M for a complete system (My laptops only have 
2G/3G hard drives with 96M/128M ram).


Chris Frederick

--
gentoo-user@gentoo.org mailing list