Re: [gentoo-user] Re: driver CardBus bridge Texas Instruments PCI1211 SOLVED

2005-05-21 Thread Hans-Werner Hilse
Hi,

On Sat, 21 May 2005 22:31:28 +0600
"askar ..." <[EMAIL PROTECTED]> wrote:

> Even now, pcmcia card works, there is no info in lspci.

Then it's not cardbus but 16 bit. cardctl can tell, I think. Only
cardbus is usually transparently mapped onto the PCI bus.

HWH
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] [OT] Bad performance with external USB disk

2005-05-26 Thread Hans-Werner Hilse
Hi,

On Thu, 26 May 2005 09:35:13 +0100
Jan Drugowitsch <[EMAIL PROTECTED]> wrote:

> I've got an external USB 2.0 HD with two fat32 partitions (I have to
> use fat32 to make them work with windows). What troubles with me with
> drive is that in windows I get the expected transfer speed, but in
> linux it just won't get faster than 1Mb/s.

Do you use the usb-storage driver or the usb block device driver (which
mentions things like "slow" and "cpu-hungry" and "unstable" in the
kernel config option's help page)? Could you C&P the relevant parts
from the kernel logs when the drivers are loaded (USB host adapter and
device)?

HWH
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] [OT] Bad performance with external USB disk

2005-05-27 Thread Hans-Werner Hilse
Hi,

On Fri, 27 May 2005 01:50:26 +0100
Jan Drugowitsch <[EMAIL PROTECTED]> wrote:

> On 5/26/05, Hans-Werner Hilse <[EMAIL PROTECTED]> wrote:
> > Do you use the usb-storage driver or the usb block device drive (which
> > mentions things like "slow" and "cpu-hungry" and "unstable" in the
> > kernel config option's help page)? Could you C&P the relevant parts
> > from the kernel logs when the drivers are loaded (USB host adapter and
> > device)?
> 
> Here's the kernel log message:
> May 27 01:51:06 rpc-jd224 usb 4-4: new high speed USB device using
> ehci_hcd and address 6
> May 27 01:51:06 rpc-jd224 uba: device 6 capacity nsec 312581808 bsize 512

Yep, this is the slow, polling driver (that OTOH does work with more
devices, AFAIK). Just disabling it (it's in "block devices" kernel
config) as Richard mentioned should solve this. You definitely want
usb-storage here, bringing up a SCSI compatibility layer. The disk will
then be recognized as sda instead of uba. CPU usage should drop because
the driver handles the timing issues in a different way, I think.

HTH,

HWH
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Software suspend

2005-05-27 Thread Hans-Werner Hilse
Hi,

On Thu, 26 May 2005 22:43:32 -0700
Pingveno <[EMAIL PROTECTED]> wrote:

> I'm trying to get software suspend to work on my computer. While 
> configuring my kernel, I added in support for software suspend aka 
> hibernate. Alas, I have no idea what command to run to suspend the computer.

# emerge hibernate-script
# nano /etc/hibernate/hibernate.conf

this script works for different suspend mechanisms.

HWH
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Question about ARPing

2005-05-27 Thread Hans-Werner Hilse
Hi,

On Fri, 27 May 2005 13:45:33 +0200
Martin Tedjawardhana <[EMAIL PROTECTED]> wrote:

> So why is eth0 responding to 192.168.0.1  arping 
> although it does not have that address? How can I remedy this? How can I 
> block arping?

read about the arp_filter sysctl in
KERNELSOURCE/Documentation/networking/ip-sysctl.txt

and then do

echo 1 > /proc/sys/net/ipv4/conf/eth0/arp_filter

as a quick switch to check, and afterwards enter the sysctl into your
/etc/sysctl.conf


HWH

-- 
Nieders. Staats- und Universitätsbibliothek Göttingen   Projekt ProPrint
http://www.proprint-service.de|Tel.:(+49/0)551 39 - 25 23 (new!)

-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Software suspend

2005-05-27 Thread Hans-Werner Hilse
Hi,

On Fri, 27 May 2005 10:51:21 -0700
Pingveno <[EMAIL PROTECTED]> wrote:

> I just remerged hibernate-script and ran it (after saving everything :P 
> ). The one problem: I have to shut down X11 because the nvidia driver 
> has to be unloaded before hibernation is started. This is, of course, 
> with software suspend (vs. software suspend 2). Does SS2 contain a 
> workaround that would be worth the upgrade?

Did you try to enable just switching to console before hibernating?
There's a configuration entry in hibernate.conf (at the bottom).

I found all suspend implementations being very similar (with the
exception of ACPI standby, which works only in "light" mode - S3 - for
me). So I'd guess it won't work much better with SS2.

HWH
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] ip forwarding question

2005-06-21 Thread Hans-Werner Hilse
Hi,

On Tue, 21 Jun 2005 20:16:21 +0600
"askar ..." <[EMAIL PROTECTED]> wrote:

> I have two PCs.
> 1st one used as a router.

Well, I think then you've already set up forwarding, like Kurt G.
mentioned.

> On 2nd PC I have web server installed and would like to setup ip forwarding 
> to the 2nd PC.
> 
> In my iptables rule script I added the line:
> $IPTABLES -t nat -A PREROUTING -p tcp --dport 80 -i ppp0 -j DNAT --to 
> 192.168.0.2 
> 
> Where 192.168.0.2  is the ip address of the 2nd PC.
> 
> But it seems not correct.

You have to explain this. Why doesn't it seem to be correct?
A few ideas:
- the FORWARD queue must also allow new connections from the outside
(-i ppp0) to 192.168.0.2 (because PREROUTING modifies the packet before
FORWARD sees it, it's not 192.168.0.1 here)
- 192.168.0.2 must have proper routes configured to answer back via the
Router,
- the router must allow that packets are leaving the 192.168.0/24 net
to any address.
- your configuration probably won't work when you're using conntrack
for the forwarding rules at the moment. You may want to issue (see my
first point, too):
$IPTABLES -A FORWARD -i ppp0 -d 192.168.0.2 -p tcp --dport 80 -m state \
--state NEW,RELATED,ESTABLISHED -j ACCEPT

if you didn't already.

otherwise insert a few LOG rules and see what's going on. Are the
packets hitting the web server?

HWH
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Odd Ethereal Error

2005-06-21 Thread Hans-Werner Hilse
Hi,

On Tue, 21 Jun 2005 08:53:43 -0400
fire-eyes <[EMAIL PROTECTED]> wrote:

> I've run into a strange ethereal error. I use system A to log into
> system B, via ssh -Y, then run ethereal from there. It shows up on
> system A.
> 
> This has worked fine for a while, but now as you'll see in the
> screenshot, the buttons along the top are missing their graphics, and
> where you usually have IP's and hostnames in the black area, and lines
> connecting them, well, it's hard to describe.
> 
> http://fire-eyes.org/gal/view_photo.php?full=1&set_albumName=screenshots&id=etherape_error_01

Well, it's "forbidden" for me (not the php, but the actual image).

Anyway, guessing from your description: do you have a pseudocolor
visual on A? You may want to try changing to TrueColor. It's configured
by the "Visual" directive in the Display section of your xorg.conf. In
all other cases colors will be mapped, which can go wrong. But
PseudoColor is usually used on 8 bit color only...

Also, you may want to check the RgbPath in the Files section.

HWH
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] ip forwarding question

2005-06-21 Thread Hans-Werner Hilse
Hi,

On Tue, 21 Jun 2005 21:22:35 +0600
"askar ..." <[EMAIL PROTECTED]> wrote:

> On 6/21/05, Kurt Guenther <[EMAIL PROTECTED]> wrote:
> > 
> > As root do:
> > 
> > echo 1 > /proc/sys/net/ipv4/ip_forward
> > /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> > 
> > where eth0 is your outward facing port to your router. I've used ppp0 with 
> > a dial up connection, and that works too.
> > 
> > --Kurt
> > 
> Thanks, but I already have this script in my iptable rules.
> My router works for PC in LAN.

The rule mentioned by Kurt is not needed. In fact, you'd lose IP
information on 192.168.0.2, which would see the packets coming from
192.168.0.1 if you issued that rule (you told it to masquerade). That would
make web server logging rather complex ;-) and you'd need to do this
stateful to have the correct target addresses written when the replies
are sent (which would go to 192.168.0.1, initially).

Instead, only rewriting the target address is needed (if you don't have
ill firewalls in your local LAN). But that rule is actually present.

So I suggest removing the above mentioned rule. Well, it maybe breaks
all other kind of stuff, too. I don't think Kurt really meant "-o eth0"
here...

And by all means, get a tcpdump on ppp0 and eth0, the most relevant
being eth0.

HWH
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] ip forwarding question

2005-06-21 Thread Hans-Werner Hilse
Hi,

I'm gonna comment your script below...

On Tue, 21 Jun 2005 22:13:48 +0600
"askar ..." <[EMAIL PROTECTED]> wrote:

> The iptables scripts as follows:
> -
> #!/bin/bash
> IPTABLES='/sbin/iptables'
> 
> # Set interface values
> EXTIF='ppp0'
> INTIF1='eth0'
> 
> # enable ip forwarding in the kernel
> /bin/echo 1 > /proc/sys/net/ipv4/ip_forward

Note that this should be better done in the ppp-connect script rather
than here. The iptables should be set up at boot time, I'd suggest. So
you're not imposing a (rather short) open firewall situation. In fact,
iptables doesn't care if interfaces are already available when setting
up routes.

> # flush rules and delete chains
> $IPTABLES -F
> $IPTABLES -X
> 
> # enable masquerading to allow LAN internet access
> $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

this is OK as it only alters outgoing traffic to ppp0.
 
> # forward LAN traffic from $INTIF1 to Internet interface $EXTIF
> $IPTABLES -A FORWARD -i $INTIF1 -o $EXTIF -m state --state
> NEW,ESTABLISHED -j ACCEPT

Hm, you may want to add "RELATED" to that state list...

> #echo -e "   - Allowing access to the SSH server"
> $IPTABLES -A INPUT --protocol tcp --dport 22 -j ACCEPT
> 
> #echo -e "   - Allowing access to the HTTP server"
> $IPTABLES -A INPUT --protocol tcp --dport 80 -j ACCEPT

Not needed, as all respective packets will get rewritten to 192.168.0.2
and will never hit the INPUT table. That doesn't include packets from
internal LAN, see respective rule below.

> # block out all other Internet access on $EXTIF
> $IPTABLES -A INPUT -i $EXTIF -m state --state NEW,INVALID -j DROP

Hm, you may switch that to a simple
$IPTABLES -P INPUT DROP
At least, the state matching is completely unnecessary here. SSH would
already be accepted at this point.

[from here use proposed parts below, I'll continue commenting]

> $IPTABLES -A FORWARD -i $EXTIF -m state --state NEW,INVALID -j DROP

?!? This would drop all requests from ppp0, especially the ones to the
www port...

> $IPTABLES -A FORWARD -i eth0 -o ppp0 -j LOG --log-prefix "Dropped outgoing: "
> $IPTABLES -A FORWARD -i ppp0 -o eth0 -j LOG --log-prefix "Dropped incoming: "

will (almost) never hit, because packets _are_ dropped already.

> $IPTABLES -A FORWARD -i ppp0 -d 192.168.0.2 -p tcp --dport 80 -m state
> --state NEW,RELATED,ESTABLISHED -j ACCEPT

and thus this cannot match, either.


So from the point marked [...] above, the approach would be

$IPTABLES -A FORWARD -i $EXTIF -p tcp --dport 80 -d 192.168.0.2 \
  -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -P FORWARD DROP

$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 80 \
  -j DNAT --to 192.168.0.2

This will alter the destination IP and let FORWARD rules apply.

Note that any Logging entries must be inserted before the respective
ACCEPTs or DROPs.

HWH
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] ip forwarding question

2005-06-22 Thread Hans-Werner Hilse
Hi,

On Wed, 22 Jun 2005 22:50:18 +0600
"askar ..." <[EMAIL PROTECTED]> wrote:

> > Note that this should be better done in the ppp-connect script rather
> > than here. The iptables should be set up at boot time, I'd suggest. So
> > you're not imposing a (rather short) open firewall situation. In fact,
> > iptables doesn't care if interfaces are already available when setting
> > up routes.
> 
> But is it ok if I keep /bin/echo 1 > /proc/sys/net/ipv4/ip_forward in
> my iptables rule? I have never used ppp-connect script. At home I use
> rp-pppoe.

Well, I didn't mean any specific script, but in your case it would be
some script called by rp-pppoe (I'm not using any ppp(oe) thingies
myself).

> > > #echo -e "   - Allowing access to the SSH server"
> > > $IPTABLES -A INPUT --protocol tcp --dport 22 -j ACCEPT
> > >
> > > #echo -e "   - Allowing access to the HTTP server"
> > > $IPTABLES -A INPUT --protocol tcp --dport 80 -j ACCEPT
> > 
> > Not needed, as all respective packets will get rewritten to 192.168.0.2
> > and will never hit the INPUT table. That doesn't include packets from
> > internal LAN, see respective rule below.
> Do you mean about dport22 and dport80 both? Or only about dport80?

Only port 80. If those packets hit the nat PREROUTING chain, they'll
get rewritten to destination 192.168.0.2 and therefore aren't hitting
the INPUT chain.

> > > # block out all other Internet access on $EXTIF
> > > $IPTABLES -A INPUT -i $EXTIF -m state --state NEW,INVALID -j DROP
> 
> > Hm, you may switch that to a simple
> > $IPTABLES -P INPUT DROP
> $IPTABLES -P INPUT DROP stopped internet connection

You may want to allow all incoming traffic that's been already
established by inserting a rule like
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
but I'd strongly suggest to set the general INPUT policy to DROP. Well,
actually, this should be done carefully to not interrupt other IP based
communication, especially ICMP. But this should be covered by above
mentioned rule.

> > [from here use proposed parts below, I'll continue commenting]
> > 
> > > $IPTABLES -A FORWARD -i $EXTIF -m state --state NEW,INVALID -j DROP
> > 
> > ?!? This would drop all requests from ppp0, especially the ones to the
> > www port...
> You mean I can leave it as it is?

No, you should remove it. As said, it's definitely interrupting all
"NEW" communication, regardless if it is to the www port or not. This
should be covered by  "DROP" policy for the "FORWARD" chain.

...

> My iptables rule with taking into account your comments became:
> 
> #!/bin/bash
> IPTABLES='/sbin/iptables'
> 
> # Set interface values
> EXTIF='ppp0'
> INTIF1='eth0'
> 
> # enable ip forwarding in the kernel
> /bin/echo 1 > /proc/sys/net/ipv4/ip_forward

Again, note that at this point ppp0 must be _up_. But if it wasn't, you
wouldn't have an outgoing connection either, so I guess it's issued after
connecting and everything is well.
 
> # flush rules and delete chains
> $IPTABLES -F
> $IPTABLES -X
> 
> # enable masquerading to allow LAN internet access
> $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
> 
> # forward LAN traffic from $INTIF1 to Internet interface $EXTIF
> $IPTABLES -A FORWARD -i $INTIF1 -o $EXTIF -m state --state
> NEW,ESTABLISHED -j ACCEPT

again, I think, you should add RELATED here.

> $IPTABLES -A FORWARD -i eth0 -o ppp0 -j LOG --log-prefix "Dropped outgoing: "
> $IPTABLES -A FORWARD -i ppp0 -o eth0 -j LOG --log-prefix "Dropped incoming: "

hm, both optional and the text of the log message may be wrong as the
packet may be accepted later, so better remove those...

> # block out all other Internet access on $EXTIF
> $IPTABLES -A INPUT -i $EXTIF -m state --state NEW,INVALID -j DROP
> $IPTABLES -A FORWARD -i $EXTIF -m state --state NEW,INVALID -j DROP

that last one should be removed, the first one too, but you'd need to
insert above mentioned line and the DROP policy for the INPUT chain.

> $IPTABLES -A FORWARD -i $EXTIF -p tcp --dport 80 -d 192.168.0.2 -m
> state --state NEW,ESTABLISHED,RELATED -j ACCE$

this should, of course, read "ACCEPT".

> $IPTABLES -P FORWARD DROP
> 
> $IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 80 -j DNAT
> --to 192.168.0.2
> 
> --
> Unfortunately, I'm still unable to see my web page from LAN, when I
> try to access my domain.com... :(

Try to start with removing those both "DROP" rules and then refine
until everything works with the INPUT chain set to DROP policy.

HWH
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Cannot route dynamic dns name internally

2005-06-27 Thread Hans-Werner Hilse
Hi,

On Sun, 26 Jun 2005 23:08:35 -0400
Travis Osterman <[EMAIL PROTECTED]> wrote:

> http://my-dynamic-name.no-ip.com from inside my network returns:
> "connection was refused when attempting to contact
> my-dynamic-name.no-ip.com."
> 
> I'm not sure whether this is an iptables issue or dns (or something
> else) which makes the problem hard to google for.  Any leads, tips, or
> ideas would be much appreciated.

1.: routing should tend to do the "short cut" here and never spit out
the packets on the WAN side. That's default, AFAIK.
2.: that means that iptables shouldn't block incoming packets (INPUT
queue) for the WAN address coming from the LAN interface.
3.: a FORWARD rule may also be needed to allow this, I'm not sure here.

You could post your iptables-save output here to allow us to give more
specific hints...

-hwh
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Cannot route dynamic dns name internally

2005-06-27 Thread Hans-Werner Hilse
Hi,

On Mon, 27 Jun 2005 11:20:53 -0400
Travis Osterman <[EMAIL PROTECTED]> wrote:

> I cut all port forwarding rules but port 80 and all mac filtering less
> one and commented as such to keep the length down.  Thanks again for
> any suggestions.

I'll comment below...

> *nat
> # [...]
> # snipped other DNAT
> -A PREROUTING -i ppp0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 
> 192.168.1.20
> -A PREROUTING -i ppp0 -p udp -m udp --dport 80 -j DNAT --to-destination 
> 192.168.1.20

Never heard of http-via-udp... But the problem will show up here:
The PREROUTING should apply also for packets coming from eth1 (LAN).
Otherwise they'll hit the router's own tcp stack - where there's
supposedly no http and such the connection would be reset.


The problem atm seems to be, pointed out:

1. both external clients and internal clients can correctly resolve
http://my-dynamic-name.no-ip.com to the ppp0's IP.
2.a. external clients' requests hit the router coming from ppp0
2.b. internal clients' requests hit the router coming from eth1
3. nat/PREROUTING:
3.a. The packets from 2.a. get rewritten to dst 192.168.1.20
3.b. The other ones don't get rewritten
4. Routing is performed (filter/FORWARD, nat/POSTROUTING):
4.a. The packets from 2.a. will get routed to 192.168.1.20 and leave
  the router if allowed by nat/OUTPUT. (it is) WWW server does its job
  then.
4.b. The packets from 2.b. will hit the router's tcp stack if
  allowed by filter/INPUT (it is). They'll get RSTed if there's no
  open port 80.

Well, and we have some more problems. Your actual POSTROUTING chain
only MASQUERADEs packets leaving through ppp0. With this, and the new
rules, www packets from the LAN would get destination rewritten on the
router and being routed there. The source address will still be set to
the original source address. So the router would answer to that
address. Problem here is the client: It expects an answer from the
router's IP. So the web server's reply gets dropped at the client.

To overcome this, you can setup routing on the web server to generally
send packets via the router. I'd suggest placing it in a different
subnet, e.g. 192.168.3.0/24, and have the router use an address in that
range too. A little of a DMZ on the LAN wire (not suggested, but not
different from your current solution).

To-Do:

- on the webserver: configure address to 192.168.3.20
- on the router:
- configure a second address for eth1 in /etc/conf.d/net (192.168.3.1 assumed 
here)
- modify iptables settings:

You need to insert a new rule like the ones above but also for "-i
eth1". You'll further need to specify "-d EXTERNAL_IP" (well, of course
with that IP instead) to not get all connections to a www port
rewritten to that destination. I'd suggest using a new chain for this
that you can flush in a script and just place a new rule there if the
IP changes.

e.g. global script on boot up:

iptables -t nat -A PREROUTING -i ppp0 -p tcp -m tcp --dport 80 -j DNAT 
--to-destination 192.168.3.20
iptables -t nat -N internalwww
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j internalwww

and e.g. in your dhcp-script:

iptables -t nat -F internalwww
iptables -t nat -A internalwww -d $EXTERNAL_IP -j DNAT --to-destination 
192.168.3.20



-hwh
-- 
gentoo-user@gentoo.org mailing list
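The boot-time and dhcp-script pieces above, put together as one script; this is an added example of mine, not code from the post. It assumes ppp0/eth1 and the 192.168.3.20 web server named in the reply, uses 203.0.113.7 as a constructed sample external address, and adds a check of the address before the chain is flushed, which the post does not spell out.

```shell
#!/bin/sh
# Added example, not the poster's or the list's code, for the "virtual other
# subnet" setup: setup_boot_rules is the boot-time part and
# refresh_internalwww is what the dhcp/ip-up script would call with the
# current external address. Assumed: WAN ppp0, LAN eth1, web server at
# 192.168.3.20; the 203.0.113.7 used in "show" mode is a constructed sample.
IPTABLES="${IPTABLES:-/sbin/iptables}"
EXTIF='ppp0'
INTIF='eth1'
WEBSRV='192.168.3.20'

# Dry-run stand-in for iptables: prints the arguments it would have been given.
print_rule() { printf '%s\n' "$*"; }

# True only for a plain dotted quad with four octets in the range 0-255.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    (
        IFS=.
        set -- $1
        [ $# -eq 4 ] || exit 1
        for octet; do
            [ "$octet" -le 255 ] || exit 1
        done
    )
}

# Boot time: requests from ppp0 are rewritten directly; requests from the LAN
# go through the internalwww chain, which is refilled when the IP changes.
setup_boot_rules() {
    "$IPTABLES" -t nat -A PREROUTING -i "$EXTIF" -p tcp -m tcp --dport 80 \
        -j DNAT --to-destination "$WEBSRV"
    "$IPTABLES" -t nat -N internalwww
    "$IPTABLES" -t nat -A PREROUTING -i "$INTIF" -p tcp -m tcp --dport 80 \
        -j internalwww
}

# From the dhcp/ip-up script: refill the chain for the new external address.
# The address is checked first: an empty or garbled value would make the -A
# call fail after the chain was already flushed, leaving LAN clients with no
# rewrite at all until the next change.
refresh_internalwww() {
    ext_ip=$1
    if ! is_ipv4 "$ext_ip"; then
        printf 'refresh_internalwww: not an IPv4 address: "%s"\n' "$ext_ip" >&2
        return 1
    fi
    "$IPTABLES" -t nat -F internalwww
    "$IPTABLES" -t nat -A internalwww -d "$ext_ip" \
        -j DNAT --to-destination "$WEBSRV"
}

case "${1:-show}" in
    boot)    setup_boot_rules ;;
    refresh) refresh_internalwww "$2" ;;
    show)    (IPTABLES=print_rule; setup_boot_rules; refresh_internalwww 203.0.113.7) ;;
esac
```

Call it as "boot" once at start-up and as "refresh NEW_IP" from the dhcp or ip-up hook; without arguments it only prints what it would do.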



Re: [gentoo-user] gcc 4 and 3.4 in parallel

2005-06-27 Thread Hans-Werner Hilse
Hi,

On Mon, 27 Jun 2005 19:01:01 +0200
Philip Lawatsch <[EMAIL PROTECTED]> wrote:

> Now I simply emerged gcc4 (it's slotted) and then as my user I did export
> the variables a
> 
> gcc-config -E x86_64-pc-linux-gnu-4.0.1-pre20050616
> 
> printed out.
> 
> This way I successfully compiled and linked my program with gcc4.
> 
> Now my problem is that I can't execute it.
> [...]
> So my question now is what else gets changed by gcc-config, and is
> there a chance to have the 3.4 gcc profile selected but still run
> programs compiled with gcc 4?

LDPATH. Have a look at /etc/env.d/05gcc.

-hwh
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Cannot route dynamic dns name internally

2005-06-27 Thread Hans-Werner Hilse
Hi,

On Mon, 27 Jun 2005 13:09:44 -0400
Travis Osterman <[EMAIL PROTECTED]> wrote:

> My only concern is that while this will
> work for my web server, it appears as though I would have to put all
> my service-providing machines on different subnets and have rules for
> each of them ... am I understanding that correctly?

Hm, depends on the service. But I think fairly all could be placed in
the same "DMZ" subnet. Only DNS-dependent access between the machines
in the DMZ using the "external" DNS name wouldn't work. But clean
design of the services should not allow to let such a situation arise.

> Also, sadly, my
> webserver is doubling as a samba server right now and I'm not overly
> optimistic that windows will see it on the different subnet.

OK, I agree. Probably setting up two networks on the webserver as well
could easily solve this. I tend to now call our "DMZ" just "virtual
other subnet" as there's no clear rule between them.

so we have three networks:
- WAN (ppp0)
- LAN (eth1/192.168.1.x)
- "virtual other subnet" (eth1/192.168.3.x)

where the last two share the medium.

The webserver/samba machine should listen on 192.168.3.x for webserver
requests and should serve Samba on the 192.168.1.x address. But it
would work if both services listen on both addresses as well.

> Is there a way to check and see is local traffic is (terminally)
> destined for ppp0 and set up a chain to filter by port and reroute
> that traffic to the appropriate lan computer?

Hm, local traffic destined for ppp0 would show up on nat/POSTROUTING.

> Could dnsmasq point
> my-dynamic-name.no-ip.com to the address of eth1 instead of ppp0 to
> make the routing easier (bypassing NAT)?

Yes, of course. dnsmasq could answer with the _real_ IP address of the
webserver. But if all services are to be distributed from the router to
various other machines instead of (in the LAN) their real IPs, that
wouldn't work as only one IP address can be answered by dnsmasq for one
specific domain name. That's actually the problem's core (translated
freely from German). You want to separate the traffic from the virtual
service provider identified by the domain name transparently to other
machines. So you will not only have to provide the way to the real
machines hidden behind the router but also the way back. With the
iptables approach only, the packets would even be sent back to the
requesting machines. But there they won't (probably, maybe another
network pro could be more clear on this? But I think we've lost most of
the readers down here;-) ) be recognized as correct answers, I think,
and such being dropped (because the request was made to $Router_Machine
and the answer comes back from $Real_Service).

Another possibility would be to setup proxy servers on the Router. But
that scales far worse with the number of services. OTOH, this is
needed if the service itself is not routable.

> I'm still really green at network design issues, but this is a
> fascinating problem to me.  Thanks for your input so far.

Well, it also is to me. Never thought that much on such issues before.
Actually, the approach via routing to a "virtual other subnet" came to
my mind when I finished a reply using only one additional rule in
iptables. Only then I thought about the answers from the servers.

-hwh
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] gcc 4 and 3.4 in parallel

2005-06-27 Thread Hans-Werner Hilse
Hi,

On Mon, 27 Jun 2005 19:33:25 +0200
Philip Lawatsch <[EMAIL PROTECTED]> wrote:

> > LDPATH. Have a look at /etc/env.d/05gcc.
> 
> Hm, strange enough, this never shows up in my environment. Neither with
> gcc3 or gcc4 profiles.

Aaargh, my fault. This is used by env-update and gets - *grep, grep,
grep* - written by it to /etc/ld.so.conf.

After reading "man ld.so" I remember the LD_LIBRARY_PATH environment
variable ;-)

You've got to set it to the corresponding dir in /usr/... (that LD_PATH
setting).

-hwh
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] IPtables statefull connection capable

2005-07-05 Thread Hans-Werner Hilse
Hi,

On Tue, 5 Jul 2005 15:52:20 +0200 (CEST)
"Patrick Marquetecken" <[EMAIL PROTECTED]> wrote:

> If I'm correct then iptables is stateful connection capable, this means I
> should not use rules like:
> If state of connection is ESTABLISHED ...
> If state of connection is RELATED ...
> 
> and I may use only:
> If protocol is TCP and source is bla bla and destination port is bla bla
> and state of connection is NEW

All of the mentioned rules are related to stateful connection matching.
You probably want all ESTABLISHED and RELATED traffic in both the
incoming and outgoing direction, and NEW connections only outgoing.
Additionally you'll probably want NEW connections also in the incoming
direction for the services you want to offer - that's how I interpret
your last sentence. But you'll definitely want ESTABLISHED and RELATED,
too.

Concept usually is:
INPUT:
- allow ESTABLISHED,RELATED
- allow NEW for selected services
FORWARD:
- allow NEW,ESTABLISHED,RELATED from LAN to WAN
- allow ESTABLISHED,RELATED from WAN to LAN
OUTPUT:
- allow NEW,ESTABLISHED,RELATED

where OUTPUT rules are optional if OUTPUT's policy is set to ACCEPT.

Current connections being monitored are listed and accessible in procfs.
When playing with Linux as a router for UDP traffic, you may want to
play with the state matching related sysctls (also accessible via
procfs) to adjust the timespan that the information is held. My VPN
connections from LAN to WAN tend to time out otherwise. But that's just
a side note.

-hwh

-- 
gentoo-user@gentoo.org mailing list
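As an added example, not any poster's script: the INPUT/FORWARD/OUTPUT layout above applied to the port-forwarding router from the "ip forwarding question" thread earlier on this page (ppp0 WAN, eth0 LAN and web server 192.168.0.2 as in that thread; the loopback rule and ssh as the router's only own service are my assumptions).

```shell
#!/bin/sh
# Added example, not any poster's script: a boot-time ruleset for the router
# from the "ip forwarding question" thread, laid out along the
# INPUT/FORWARD/OUTPUT concept. Assumed: ppp0 is the WAN link, eth0 the LAN,
# the web server is 192.168.0.2 and the router itself offers only ssh.
# Run with "apply" to load the rules, or with no argument to print them.
IPTABLES="${IPTABLES:-/sbin/iptables}"
EXTIF='ppp0'
INTIF1='eth0'
WEBSRV='192.168.0.2'

# Dry-run stand-in for iptables: prints the arguments it would have been given.
print_rule() { printf '%s\n' "$*"; }

apply_rules() {
    # Clean slate in both tables, then restrictive policies. OUTPUT stays
    # ACCEPT, so no OUTPUT rules are needed.
    "$IPTABLES" -F
    "$IPTABLES" -X
    "$IPTABLES" -t nat -F
    "$IPTABLES" -P INPUT DROP
    "$IPTABLES" -P FORWARD DROP
    "$IPTABLES" -P OUTPUT ACCEPT

    # INPUT: loopback (assumed; local services need it), replies and related
    # packets for the router's own connections, and NEW ssh connections.
    # No port-80 rule here: those packets are DNATed in nat/PREROUTING and
    # then pass FORWARD, never INPUT.
    "$IPTABLES" -A INPUT -i lo -j ACCEPT
    "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPTABLES" -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # FORWARD: LAN -> WAN may open connections (RELATED included, as the
    # thread suggests); WAN -> LAN only replies, plus NEW connections to the
    # web server, whose destination is already rewritten at this point.
    "$IPTABLES" -A FORWARD -i "$INTIF1" -o "$EXTIF" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    "$IPTABLES" -A FORWARD -i "$EXTIF" -o "$INTIF1" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPTABLES" -A FORWARD -i "$EXTIF" -d "$WEBSRV" -p tcp --dport 80 \
        -m state --state NEW -j ACCEPT
    # A LOG rule must come before the ACCEPT/DROP that settles a packet's
    # fate; placed last, it only sees what the DROP policy is about to drop.
    "$IPTABLES" -A FORWARD -i "$EXTIF" -o "$INTIF1" \
        -j LOG --log-prefix "Dropped incoming: "

    # nat: masquerade what leaves on ppp0; rewrite only the destination of
    # web requests arriving on ppp0, so the web server still logs the real
    # client addresses.
    "$IPTABLES" -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
    "$IPTABLES" -t nat -A PREROUTING -i "$EXTIF" -p tcp --dport 80 \
        -j DNAT --to "$WEBSRV"
}

# Forwarding must be switched on in the kernel, independently of whether
# ppp0 is already up when the rules are loaded.
enable_forwarding() { echo 1 > /proc/sys/net/ipv4/ip_forward; }

case "${1:-show}" in
    apply) apply_rules && enable_forwarding ;;
    show)  (IPTABLES=print_rule; apply_rules) ;;
esac
```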



Re: [gentoo-user] bash_history missing

2005-07-08 Thread Hans-Werner Hilse
Hi,

On Thu, 7 Jul 2005 21:14:44 -0700 (PDT)
maxim wexler <[EMAIL PROTECTED]> wrote:

> all academic now -- the pc just died :( Not a beep, no
> screen o/p. The green light on front of the box comes
> on for about 1/10 sec, fan turns a few degrees and
> that's IT! Tried another power supply -- no dice. Tried
> bypassing the on switch -- nope. Moved RAM to another
> slot -- nada. re&re'd the 3V battery -- negative. I've
> never seen the like before. 

Sounds like the onboard DC current stabilizers are gone... In my
experiences, it's not unusual that one of the electrolytic capacitors
is burst. Resoldering a new one is not an easy task but possible.

-hwh
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] 161 UDP Constant Connections

2005-07-08 Thread Hans-Werner Hilse
Hi,

On Fri, 8 Jul 2005 15:46:42 +0100
Michael Thompson <[EMAIL PROTECTED]> wrote:

> > > Any one got any ideas?
> >
> > you could just try blackholing the IP at your firewall, or as I've
> > already mentioned - try and contact your ISP with all you know and see
> > if they can shed any light on it - it's possible a compromised box.
> 
> It is firewalled, and blacklisted. Has been for months. I am just curious as 
> to why it is coming back to me.

Well, two possibilities.
1.) the packets are already mirrored at your own box
2.) the packets are mirrored at the target box

I guess it's #2, you can find out by tcptracing the wire.

If I were to reproduce this behaviour of the remote box I'd set up an
iptables rule with the "MIRROR" target. See "man iptables" for an
explanation.

This may be some scary tactics to irritate the support persons in
charge of managing the network - and has, according to your notes,
proven to work for that :-)

My interpretation is:
hacked box, shell services running on UDP 161, mirroring everything
else to scare people :-) I think they've chosen SNMP port to hide their
traffic, maybe to get through some firewalls.

-hwh
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] error loading several modules (at boot)

2005-07-08 Thread Hans-Werner Hilse
Hi,

On Fri, 8 Jul 2005 16:30:22 +0200 (MEST)
"dini mamma" <[EMAIL PROTECTED]> wrote:

> I got the problem that several modules couldn't be loaded at boot. Some of
> them are filesystems (xfs,jfs,ntfs). and some device drivers (aic7xxx,
> 3c59x).. But why?
> At least the device drivers should work. I compiled these ones, that have
> been loaded with the livecd.
> I can't imagine what happens. This error occurs too, when I only load the
> modules as modules [M].

Don't know exactly what you are speaking of, esp. last sentence.
possible explanations:
- you've compiled the drivers statically into the kernel rather than
modules (that's how I interpret that talking about "[M]"...), then
there's no module to load,
- you haven't installed modules (did you compile manually? did you run
"make modules_install"?)
- the modules don't load because hardware cannot be found

What happens if you manually modprobe those modules? What's the error
being shown then?


-hwh
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] 161 UDP Constant Connections

2005-07-08 Thread Hans-Werner Hilse
Hi,

On Fri, 8 Jul 2005 16:42:43 +0100
Michael Thompson <[EMAIL PROTECTED]> wrote:

> Umm, quite possible. How about they have set their SNMP broadcast to a too 
> wide range, which includes the whole subnet? 

Yes, of course, I've mixed up two items you told, my fault. They're
sending SNMP, and yes, a too big broadcast would explain this. I've
mixed this with the other thing, the telnet access. What's displayed
there looks like an OTP (one time password) login to me :-) I've no clue
whoever CMN might be...

-hwh
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Apache Sub directorys

2005-07-14 Thread Hans-Werner Hilse
Hi,

On Thu, 14 Jul 2005 13:40:42 +0100
Michael Thompson <[EMAIL PROTECTED]> wrote:

> On Thursday 14 July 2005 15:23, Emanuele Morozzi wrote:
> > Try giving access to anyone to test if it's a permissions related
> > problem. (Perhaps using php files need also execution rights).
> 
> The permissions have not changed. They are all apache:apache with a mask of:
> 
> drwxrwxr--  20 apache apache 4096 Jul 14 10:34 htdocs

What about its subdirectories? They need to be executable to allow
access to paths below themselves and need to be readable to allow
directory listing (which also needs to be allowed as per httpd.conf).

-hwh
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] /usr/bin/man SGID ?

2005-07-14 Thread Hans-Werner Hilse
Hi,

On Thu, 14 Jul 2005 15:28:57 +0200
Jarry <[EMAIL PROTECTED]> wrote:

> Does /usr/bin/man really have to have SGID-bit on? Why?

For caching the rendered man pages for all users, IMHO.

> I just checked one debian-box, where /usr/bin/man is without SGID...

On debian, if configured to be chatty when installing packages, one is
asked upon installation of the "man" package if it should be set SGID.

-hwh
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Apache Sub directorys

2005-07-14 Thread Hans-Werner Hilse
Hi,

On Thu, 14 Jul 2005 14:12:56 +0100
Michael Thompson <[EMAIL PROTECTED]> wrote:

> Even the drwxr-xr-x will not run at all. These have not changed since they 
> were working previously. 

Hm. Isn't anything written to the apache error log that could give a hint?

Did you restart apache after installing the new php module? It may even
help to stop and then start it as a "restart" won't kill the apache
master process.

-hwh
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Interesting install experience

2005-07-14 Thread Hans-Werner Hilse
Hi,

On Thu, 14 Jul 2005 16:27:49 +0100
Jim Hatfield <[EMAIL PROTECTED]> wrote:

> So I just installed another machine, using the 2005.0 CD and using
> the new instructions. It has a Matrox G400 so I added support for
> that in the kernel. This may have been a mistake.
> 
> Everything is fine until I reboot, when after the GRUB screen and
> kernel selection, the screen goes black with lots of pretty blue
> squares all over it.

This may be due to the framebuffer choosing a wrong mode for the kind of
monitor you have. You can set the resolution and frame rate on the
kernel command line. This should be documented in /usr/src/linux/
Documentation/fb/... (don't have it here atm)

> I guess I will rebuild the kernel with Matrox support removed and
> see if that fixes.

This will probably work, too :-)

> BTW, what is the received wisdom wrt building things into the
> kernel or building them as modules? As well as the G400 I have
> an Intel NIC and a VIA sound card, and this time round chose to
> build them in, though before I built them as modules. I'm not 
> clear as to the pros and cons.

If the hardware is built in, and you don't have problems with somewhat
random hardware enumeration (i.e., multiple NICs getting different
devices on each boot), there's little reason to build the drivers as
modules. OTOH, probing a module triggers (if it loads successfully) a
hotplug event, which is not the case during bootup (AFAIK, at least
there are no hotplug scripts available at that moment). So if you choose
to compile them into the kernel, you need to e.g. have "net.eth0" in
the runlevel configuration for "boot" or "default". If you're probing
them as modules, that will trigger hotplug and this should take care of
running the respective start script. If you intend to run a common
kernel on multiple machines, it may be wiser to compile some drivers as
modules, but for e.g. PCI devices this shouldn't matter a lot; you will
only save some RAM on machines that don't need the driver (compiled
into the kernel).

Sound is another matter: The kernel ALSA isn't always the latest
version. So it's best to only configure sound support but no ALSA or
OSS and then later "emerge alsa-driver".

Then there are drivers that have their own code base only. In most
cases it's much more complicated to integrate them into the kernel
sources than to compile them as external modules.


-hwh
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Daily dumb question... chron.

2005-07-18 Thread Hans-Werner Hilse
Hi,

On Mon, 18 Jul 2005 13:06:29 +0100
"Steve [Gentoo]" <[EMAIL PROTECTED]> wrote:

> I've noticed the directories /etc/cron.daily; /etc/cron.hourly; 
> /etc/cron.monthly etc. and therein a bunch of non-user-specific 
> administration tasks... For example, in ./etc/cron.daily I've 
> logrotate.cron and rulesdujour - but none of these appear to have run in 
> the last month.  Are these system tasks supposed to be fired 
> automatically by fcron?  What would be the easiest way to get all my 
> periodic system administration tasks defined in these directories to be 
> fired automatically?  Did I make a sensible choice with fcron?

Can't tell much about fcron (esp. if its config syntax is similar to my
vixie-cron), but for me, vixie-cron installed a /etc/crontab that
contains the following lines:

0  *  * * * root    rm -f /var/spool/cron/lastrun/cron.hourly
1  3  * * * root    rm -f /var/spool/cron/lastrun/cron.daily
15 4  * * 6 root    rm -f /var/spool/cron/lastrun/cron.weekly
30 5  1 * * root    rm -f /var/spool/cron/lastrun/cron.monthly
*/10  *  * * *  root    test -x /usr/sbin/run-crons && /usr/sbin/run-crons

This does the job.

-hwh
-- 
gentoo-user@gentoo.org mailing list
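How the lastrun markers in that crontab fit together, as an added re-implementation of the marker scheme; this is not Gentoo's own run-crons script, only a compact equivalent that takes the cron base directory and the lastrun directory as arguments so it can be exercised in a scratch tree.

```shell
#!/bin/sh
# Added example, not the real /usr/sbin/run-crons: one pass over the
# cron.{hourly,daily,weekly,monthly} directories below BASE. A period runs
# only while its marker LASTRUN/cron.<period> is absent; the marker is created
# afterwards, and the "rm -f" lines in the crontab are what re-arm a period.

# run_crons BASE LASTRUN
#   Prints each script it executes. Non-executable files are skipped and a
#   failing job does not stop the remaining ones.
run_crons() {
  base=$1; lastrun=$2
  mkdir -p "$lastrun" || return 2
  for period in hourly daily weekly monthly; do
    dir=$base/cron.$period
    marker=$lastrun/cron.$period
    [ -d "$dir" ] || continue        # no such period directory: nothing to do
    [ -e "$marker" ] && continue     # already ran since the marker was last removed
    for script in "$dir"/*; do
      if [ -x "$script" ]; then
        printf '%s\n' "$script"
        "$script" || :
      fi
    done
    touch "$marker"
  done
  return 0
}

# rearm PERIOD LASTRUN: what the crontab's "rm -f .../lastrun/cron.<period>"
# lines do, so the next run_crons pass executes that period again.
rearm() {
  rm -f "$2/cron.$1"
}
```

With the crontab above, run-crons is invoked every ten minutes, so a period's jobs start within ten minutes of its marker being removed, not at the exact minute of the "rm -f" line.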



Re: [gentoo-user] aterm do crash displaying long files, konsole don't: swappiness problem?

2005-07-24 Thread Hans-Werner Hilse
Hi,

On Sun, 24 Jul 2005 10:52:06 +0200
Fabrizio Prosperi <[EMAIL PROTECTED]> wrote:

> Doing a long emerge -up world aterm kept crashing and I thought it was
> an emerge problem, but then I focused on a particular emerge
> (mozilla-firefox) and I realised it was it. 
> 
> Just doing cat /var/log/portage/.log
> is making aterm crash again, but not konsole.
> 
> I guess it's something with swappiness settings, but how to fix it? 

Hm, don't know about aterm and its memory management, but that's for
sure: _swappiness_ should have absolutely nothing to do with this. The
swap management isn't up to userspace applications, that's the kernel's
matter. Well, there might be some small probability left that your swap
management is somewhat hosed due to bugs in the kernel, but that is very
unlikely and wouldn't explain why these conditions only occur with
aterm and only affect aterm.

-hwh
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] PS/2 mouse not working

2005-07-24 Thread Hans-Werner Hilse
Hi,

On Sun, 24 Jul 2005 12:52:11 +0200
smoke3 <[EMAIL PROTECTED]> wrote:

> On 7/24/05, Michal Pronay <[EMAIL PROTECTED]> wrote:
>  
> > Looks like your mouse is broken, try booting some livecd like knoppix
> > for example.
> 
> Easy way, but not the right one: my mouse is new and does function on
> other computers running M$...

Hm, OK, other computers... What about the computer you want to use it
with? What does it do if you try another OS? When the mouse is
considered OK, then there's the computer left...

I'd also check
* BIOS settings regarding the mouse
* the right PS/2 plug (not that keyboard one...)
* dmesg output regarding the psaux driver
* another PS/2 mouse (it isn't clear from your postings whether there was
  one before you bought the new one)

-hwh
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] PS/2 mouse not working

2005-07-24 Thread Hans-Werner Hilse
Hi,

On Sun, 24 Jul 2005 13:23:14 +0200
smoke3 <[EMAIL PROTECTED]> wrote:

> It's OK: I had winzoz installed from the seller i bought it from and
> the mouse did function as well!

Hm, OK, it definitely _is_ a driver issue then...

> > * the right PS/2 plug (not that keyboard one...)
> nice joke, but... no!

Well, seen it before, and I thought mentioning it wouldn't harm... :-)

> "dmesg | grep PS/2" --> 
>  "PNP: PS/2 Controller... irq 1,12
>   mice: PS/2 mouse device common for all mice
>   input ImExPS/2 Generic Explorer Mouse on isa0060/serio1"

Hm, OK. So it _is_ recognized then... Maybe the kernel chooses a level
that's too high. From kernel docs (kernel-parameters.txt):

snip
psmouse.proto=  [HW,MOUSE] Highest PS2 mouse protocol extension to
                probe for (bare|imps|exps).
psmouse.rate=   [HW,MOUSE] Set desired mouse report rate, in reports
                per second.
psmouse.resetafter=
                [HW,MOUSE] Try to reset the device after so many bad
                packets (0 = never).
snip

So I'd try to begin with the proto setting. Note that this only applies
if the driver actually is compiled into the kernel instead of being a
module. In the latter case, you'd need to edit the module parameters.

On the grub kernel line (or LILO's parameter line, respectively),
append something like:

psmouse.proto=imps

And see what happens. Try with the other values (exps, bare), too. Of
course, this will need a reboot after modifying the kernel command line.

As a side note, my dmesg reads:
Jul  2 12:59:52 sub00421 input: ImPS/2 Generic Wheel Mouse on isa0060/serio1


Last question: Does this mouse work for any (other) linux box? What
does the dmesg read there?


-hwh
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] realtek 8197 wireless card setup

2007-12-21 Thread Hans-Werner Hilse
Hi,

On Thu, 20 Dec 2007 18:45:26 -0500 Jeff Cranmer
<[EMAIL PROTECTED]> wrote:

> > > The card I have is an 8197, not an 8187.  I wonder if this is
> > > part of the problem.  Could it be that the kernel driver does not
> > > support the 8197?
> [...]
> At the moment, I think the key line in dmesg is .  
> phy0: RF calibration failed! 0
> 
> If I could figure out what this line meant, and what I could do to
> fix it, I might be on my way to a potential solution.

Well, although you managed to bring it to a point where at least the
driver recognized the device, there is still the possibility it won't
work anyway. My guess here is that the driver does not fully support
your device. Probably, some back end mechanics are different. WLAN cards
often consist of separate modules, some of them even being small
computers running a firmware. I guess at that point your hardware
differs from what the driver supports.

Did you find indications on the Web that the 8187 driver should work
for the 8197? Or did you choose to try based on the similarity of the
two numbers? You might also want to try asking on the driver's mailing
list.

-hwh
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] realtek 8197 wireless card setup

2007-12-22 Thread Hans-Werner Hilse
Hi,

On Sat, 22 Dec 2007 00:08:26 -0500
Jeff Cranmer <[EMAIL PROTECTED]> wrote:

> I think I'm getting closer now.
> I removed the driver from the kernel, and installed ndiswrapper.
> I got the inf driver from a guy from realtek, and used
> ndiswrapper -i drivername.inf  to install it.
> 
> Now, when I run
> iwlist wlan0 scanning, I can actually see my access point listed, plus lots 
> of 
> other local wireless networks.

That's good. It actually receives.

> connecting to it is a different matter, however, as the connection always 
> appears to time out.  I'm using iwconfig to manually set the ESSID, wep key 
> etc. at the moment, and have tried the trick of setting the speed manually to 
> 5.5M to avoid timeouts.
> 
> When I try to run dhcpcd wlan0 the first time, I get Error, wlan0: timed out
> The second time I try to run it, I get an error because dhcpcd is already 
> running.

Try the minimal approach first and configure it manually using
ifconfig/route and ping some host on your network (or the AP if it does
IP). If that does not work, there's something wrong with the driver, if
it does, the culprit is dhcpcd (vram USE flag?).

Start with WEP, if that works switch to WPA.

-hwh
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] I can't send attachments

2008-01-06 Thread Hans-Werner Hilse
Hi,

On Sun, 6 Jan 2008 08:12:10 -0600 (CST)
"Michael Sullivan" <[EMAIL PROTECTED]> wrote:

> I own espersunited.com, so it is on my end.

...and so should be exim's logs, right? I usually find it easier to read
actual error reports than (stripped) configurations for complex
software that is claimed to be responsible for the error...

Also, I have a hard time trying to understand the problem. A mailbox
unavailable shouldn't occur after SMTP's "DATA" command, it should
happen after the "RCPT TO" (answer code 450). At that point, no data has
been transmitted, so the error does not make sense except if it is
wrongly phrased by the MUA or (sorry) you. SMTP doesn't allow it at
that point. There's only the possibility for much more general error
codes. BTW, what's the MUA? You just introduced the MTA. Did you try
another one?

-hwh
-- 
gentoo-user@lists.gentoo.org mailing list



Re: [gentoo-user] I can't send attachments

2008-01-06 Thread Hans-Werner Hilse
Hi,

On Sun, 06 Jan 2008 11:09:15 -0600
Michael Sullivan <[EMAIL PROTECTED]> wrote:

> We use evolution.  I tried using Squirrelmail and got this:
> 
> Message not sent. Server replied: 
> Requested action not taken: mailbox unavailable
> 550 Rejected: spam score 6.5

Ah, I see. Exim does output a 550 anyway (and it makes some sense, I
guess the SMTP protocol definition is impractical w/ regard to the
allowed errors). But reading the full error report, it seems it's your
spam detection software that leads exim to deny the mail. Your exim
config seems to indicate that everything with a spam score > 6.0 is to
be denied (those numbers in the config are given with a factor of ten,
I guess?). Depending on whether the full spam check report is available
in the logs, you might want to temporarily disable that mail denial and
check the mail headers for the record of which spam checks lead your
spam filter to the conclusion that it is spam, then adjust that.

-hwh
-- 
gentoo-user@lists.gentoo.org mailing list



Re: [gentoo-user] How to find USE flags of a tbz2?

2008-01-06 Thread Hans-Werner Hilse
Hi,

On Sun, 6 Jan 2008 19:05:18 + (UTC)
Konstantinos Agouros <[EMAIL PROTECTED]> wrote:

> if an ebuild was executed with --buildpkg, is there an easy way to extract
> the USE-flags that were in place from the resulting .tbz2?

qtbz2 -xO your.tbz2 | qxpak -xO - USE

-hwh
-- 
gentoo-user@lists.gentoo.org mailing list



Re: [gentoo-user] Routing problem ?

2008-01-13 Thread Hans-Werner Hilse
Hi,

On Sun, 13 Jan 2008 16:42:56 +0530
Holla <[EMAIL PROTECTED]> wrote:

> One thing, I cannot understand is the difference in traceroute
> results. What does this say in plain english ? :-)
> 
> At PC2
>  # traceroute  218.248.240.46  (ISP's DNS server)
> traceroute to 218.248.240.46 (218.248.240.46), 30 hops max, 40 byte packets
>  1  192.168.2.43 (192.168.2.43)  1.730 ms  0.840 ms  0.920 ms
>  2  192.168.1.1 (192.168.1.1)  1.440 ms  1.469 ms  1.287 ms
>  3  * * *
>  4  * * *
> 
> At PC1
> 
>  # traceroute  218.248.240.46
> traceroute to 218.248.240.46 (218.248.240.46), 30 hops max, 40 byte packets
>  1  192.168.1.1 (192.168.1.1)  0.848 ms  0.706 ms  0.681 ms
>  2  117.192.128.1 (117.192.128.1)  19.712 ms  18.878 ms  19.920 ms
>  3  218.248.160.134 (218.248.160.134)  19.292 ms  19.796 ms  19.190 ms

I'd say your router (Router1) isn't doing NAT for packets from other
subnets than its LAN interface is configured for -- regardless of the
(correctly) configured internal additional route.

So your option would be to set up PC1 for doing NAT, not necessarily
for packets 192.168.2/24<->192.168.1/24, but for all packets from
192.168.2/24 going to the internet.

Your provider most likely does not have anything to do with all this.

-hwh
-- 
gentoo-user@lists.gentoo.org mailing list



Re: [gentoo-user] Create mutli-file .zip archives from the command line?

2008-01-14 Thread Hans-Werner Hilse
Hi,

On Sun, 13 Jan 2008 16:34:01 + Stroller
<[EMAIL PROTECTED]> wrote:

> The file is the same size in bytes (8056211212) on the destination
> XP machine as it is on the Samba host, but the md5sums (using Summer  
> Properties under XP) don't match.

There is also the slight possibility that your md5sum util in Windows
isn't dealing well with file offsets > 4GB. Re-check using a different
one, I'd say.

-hwh
-- 
gentoo-user@lists.gentoo.org mailing list



Re: [gentoo-user] RANT: WTF does a *SPREADSHEET* need SVG and unicode?

2008-01-14 Thread Hans-Werner Hilse
Hi,

On Mon, 14 Jan 2008 08:13:33 +0100 Renat Golubchyk <[EMAIL PROTECTED]>
wrote:

> There is nothing basic about a spreadsheet program. It is a very
> advanced piece of software. From a developer's perspective unicode is
> an obvious requirement, if he tries to write a program for many
> different locales without too much hassle.

And I can well see myself e.g. inserting greek chars that have some
mathematical meaning in my spreadsheets... After all, this isn't
Lotus-123 and I don't use a 9-pin-printer anymore...

And FWIW, SVG (or parts of it and lots of referring definitions) is
integrated in the Open Document Format for Office Applications.

-hwh
-- 
gentoo-user@lists.gentoo.org mailing list



Re: [gentoo-user] Re: Horribly off-topic linux distro question...

2008-02-08 Thread Hans-Werner Hilse
Hi,

On Thu, 07 Feb 2008 13:05:00 -0500 7v5w7go9ub0o
<[EMAIL PROTECTED]> wrote:

> - The SSL connection is established within the Linux VM, so all the
> host sees is an encrypted connection to your bank.

Wrong: It will also see all the virtual memory the virtualized machine
is using, including those parts containing your precious unencrypted
data. All you win by using a VM is that you don't need to boot into the
OS (which might be impossible on some public terminals while running
qemu might work).

-hwh
-- 
gentoo-user@lists.gentoo.org mailing list



Re: [gentoo-user] Re: grub chainloader

2007-07-19 Thread Hans-Werner Hilse
Hi,

On Thu, 19 Jul 2007 09:55:58 +0930 Iain Buchanan
<[EMAIL PROTECTED]> wrote:

> I'm happy to leave the info vs man flamewar for someone else, but
> what I _don't_ like is when you have both man and info, and one of
> them is very deficient (in grub's case, man).  The description is
> different, less informative, and quite misleading.  Instead, is
> should say either nothing but "refer to info pages"; or it should be
> the same as the info pages...

Yeah, like a short synopsis and then a clear reference, let's say along
the lines of
snip
The full documentation for grub is maintained as a Texinfo manual.
If the info and grub programs are properly installed at your site,
the command

  info grub

should give you access to the complete manual.
snip

But looking at grub(8), it seems someone was faster. SCNR.

-hwh
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] Need to add gd and mysql to PHP.

2007-07-23 Thread Hans-Werner Hilse
Hi,

On Sun, 22 Jul 2007 21:37:58 -0600 Mike Diehl <[EMAIL PROTECTED]>
wrote:

> I'm needing to update php to include both the gd and mysql extensions.
> 
> I believe I have both packages installed.
> 
> I emerged php with both extensions in my USE flag.
> [...]

Looks alright.

> How do I get these to be recognized by php applications?

They should be configured in /etc/php/php*/php.ini if you want to load
them automatically (extension=mysql.so, extension=gd.so) -- maybe you
just need to run etc-update? (and restart the webserver)

OTOH, you can have your PHP scripts load the extension themselves using
dl() in PHP.

-hwh
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] Need to add gd and mysql to PHP.

2007-07-24 Thread Hans-Werner Hilse
Hi,

On Mon, 23 Jul 2007 18:50:52 -0600 Mike Diehl <[EMAIL PROTECTED]>
wrote:

> On Monday 23 July 2007 06:32:53 pm Norberto Bensa wrote:
> > Mike Diehl wrote:
> > > drwxr-xr-x  4 root root 4096 Jul 23 17:59 apache2-php5
> >
> > There you have it ;-)
> >
> > Look inside...
> 
> Well, I'm getting closer, then.

Errm, yes, sorry, I didn't really look before writing "php*".

> I looked inside the php.ini file in the apache2-php5 directory.  It
> has an extension_dir line:
> 
> extension_dir
> = /usr/lib/php5/lib/php/extensions/no-debug-non-zts-20041030
> 
> I looked at the contents of this directory:
> # ls -la /usr/lib/php5/lib/php/extensions/no-debug-non-zts-20041030
> 
> And this is all I saw:
> -rwxr-xr-x 1 root root 12744 Jun 23  2006 phpcups.so
> 
> 
> So, how do I install the php mysql extension?

Hm, is this an old extension dir? My Zend-ABI-version for PHP (5.2.1)
is 20060613.

But it should not matter -- you emerged PHP with the "sharedext" USE
flag unset. In that case, those extensions should be compiled into the
PHP binary, rather than being shared objects in the mentioned extension
path. So first do as Norberto suggested and check if the extension really
is not enabled (what is it that makes you think so?).

-hwh
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] insert text onto a PDF

2007-07-25 Thread Hans-Werner Hilse
Hi,

On Wed, 25 Jul 2007 09:29:52 + Thufir <[EMAIL PROTECTED]>
wrote:

> I just want to add text on top of a PDF, resulting in a new file.  I'm
> not concerned with encryption, authorization, nor really "editing" the
> PDF itself -- just ending up with a new PDF with my text on top.
> 
> I read something about a java app to do this in a magazine a few
> months, but didn't keep the article :(

iText would be a programming library (Java/.NET) that could be used to
do that. See http://lowagie.com/iText -- start with the Tutorials in
order to see how you can modify existing PDFs.

There's also pdftk, which can "stamp" PDFs onto each other. It uses
iText internally and provides a CLI.

Also, there's the Multivalent Tools. Quite nice stuff, too.

If you were more specific about what kind of texts you want to add,
there might be other suggestions.

-hwh
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] Excessive processor usage

2007-08-06 Thread Hans-Werner Hilse
Hi,

On Mon, 06 Aug 2007 14:30:01 +0200 "Xav'" <[EMAIL PROTECTED]> wrote:

> If you want to check there is no such program on your system, I
> advice you to try chkrootkit, to check there is no such rootkit on
> your system...

To put it correctly, since there is _NO_ way to assure that there isn't
a rootkit:

chkrootkit can be used to check whether there _are_ _known_ rootkits.

BTW, there are other, similar programs that do the same.
But my point is: You can never be sure, since a hypothesis can't be
proven correct, just invalid.

If there are indications a rootkit might be present, there's no secure
way to remove it but to reinstall.

-hwh
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] Re: Excessive processor usage

2007-08-07 Thread Hans-Werner Hilse
Hi,

On Mon, 6 Aug 2007 17:36:36 + (UTC) James
<[EMAIL PROTECTED]> wrote:

> > To put it correctly, since there is _NO_ way to assure that there
> > isn't a rootkit:
> 
> > chkrootkit can be used to check whether there _are_ _known_
> > rootkits.
> 
> > BTW, there are other, similar programs that do the same.
> > But my point is: You can never be sure, since a hypothesis can't be
> > proven correct, just invalid.
> 
> You are right for noobs.

Sheesh! That's a universal scientific concept. Read a bit on
falsifiability of theories to grasp the basics. Don't, if you're a
religious hardliner.

> If the person has a second system and sets up a flat hub and the
> ethernet in stealth mode, you can sniff the ethernet I/O all day
> long and use a variety of tools to discern if nefarious activities
> abound on a given system. Sure it's a bit of work, but all hacked
> systems I've ever seen use the system to ethernet I/O. 

And there's your assumption that you can't prove correct.

> They can
> encrypt that traffic, but if you know what should/not be traversing
> the ethernet, there is no way to hide an actively compromised 
> system. 

Wrong. You might be practically right since most rootkits use means to
communicate, but they might just collect data instead or even just
encrypt all your documents and display the bank account number to
deposit money for getting the private key for decryption.

BTW, this is not about scaring people, but to make them aware that
there is no absolute fail-proof solution to any problem -- since "100%
fail-proof" is a logically invalid concept. But I'm pretty confident
that the OP isn't dealing with a hacked machine. I just jumped on the
rootkit discussions, because many people talking about rootkits neither
know how rootkits work, nor do they grasp the theories behind rootkit
detection.

-hwh
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] Unknown Tool "hd"

2007-08-07 Thread Hans-Werner Hilse
Hi,

On Mon, 6 Aug 2007 20:13:58 +0100 Linux <[EMAIL PROTECTED]> wrote:

> I have a problem with a script referring to several tools, one is "hd"
> -snip-
> TESTECHO="$($ECHO -e '\061\062' \
> | hd \
> | grep -Eom1 '^[[:digit:]]+[[:space:]]+[[:digit:]]+[[:space:]]+[[:digit:]]+' \
> | tr -s '\t ' ' ')"
> -snip-
> Searching has proved fruitless, I *think* it may be a Debian
> tool/script. Any pointers ? Please !!!

It's a symlink to hexdump on debian machines.

-hwh
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] Native Language Support

2007-08-07 Thread Hans-Werner Hilse
Hi,

On Tue, 7 Aug 2007 09:47:41 +0300 "Sergey A. Kobzar"
<[EMAIL PROTECTED]> wrote:

> I have a mail server with UK/US locales support only. Only a limited
> number of users have console access.
> 
> Do I need NLS support? What are consequences if I switch off NLS flag
> in installed packages?
> 
> As I understand NLS gives man pages and docs in few languages.
> Correct?

For most packages that's true. However, it mainly influences the
availability of programs' frontends' languages (libintl/gettext).

Switching it off shouldn't do any harm.

-hwh
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] Re: Mathematica 6 & Gentoo amd64

2007-08-09 Thread Hans-Werner Hilse
Hi,

On Thu, 9 Aug 2007 15:19:31 +0300 "Aleksey V. Kunitskiy"
<[EMAIL PROTECTED]> wrote:

> Version 6 tells me that it can't find libstdc++.so.5. I tried to
> create this symlink manually (pointing to the libstdc++ 6.0.8) but it
> didn't give me any results

Emerge libcompat to get libstdc++ 5. (and undo that symlink attempt)

-hwh
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] Internet bridge

2007-08-14 Thread Hans-Werner Hilse
Hi,

On Mon, 13 Aug 2007 19:38:18 + (UTC) Mateus Interciso
<[EMAIL PROTECTED]> wrote:

> Hi, basically, I want to share the internet using a Bridge on a pc
> with two NICS, one for internet, the other for Internal Network.

Uhm, yeah, I'd like a bridge to the internet, too. Too bad the internet
is a routed infrastructure and that's technically impossible.

But you mixed up a lot of concepts and terms, so I'd suggest reading a
book about how it all fits together some day.

> Now, I know the easiest approach would be to use NAT, which is how I'm 
> doing it now, but since I really need Level 2 Routing, I can't afford
> doing this with nat.
> [...]
> Now comes the tricky part, since the internet I receive is via DHCP,
> and on eth1, if I make: dhcpcd eth1, it times out, but if I use
> dhclient eth1, it works, almost, I can get an IP at least, so I've
> stuck with this

Hm. And what's the bridge supposed to do then? I would agree that using
the bridge, other computers should be able to get IPs assigned using
DHCP (as long as your ISP is issuing IPs for those computers). But that
has nothing to do with the bridge and whether the bridging computer is
able to get an IP assigned. Somehow I have the feeling that your ISP
wouldn't ever issue more than one IP, but since you're that sure...

> 11)dhclient eth1

is unnecessary, except if the bridging PC should have connectivity, too.

> 12)ifconfig eth0 10.0.0.1 netmask 255.255.255.0

is unnecessary, except for internal LAN connectivity.

> Now, you would have to excuse me, because I really don't remember if
> that worked, but I think it didn't, what I made (that at least didn't
> put the whole network down), was all of this, but on step 10 forward:
> 10)ifconfig br0 10.0.0.1 netmask 255.255.255.0 up

Hm, that would for sure collide with the step 12 mentioned above.

> And by this, I can actually browse the internal network, but not the 
> internet, in none of the machines, neither the bridge, with/without a 
> iptables firewall enabled.

You have to use DHCP on all the machines that should have Internet
connectivity. Remember that you have just bridged your ISP link to your
LAN, and so now have level-2 access up to your ISP on all the LAN's
computers.

> Can anyone please help me?

In fact, I don't think answering your questions helps a lot since I
really doubt your approach makes sense. In order to find that out,
please just tell a bit about your Internet Connection. What you are
trying to achieve only makes sense under the following circumstances:
- your ISP only provides one physical link,
- but the possibility to get more than one IP issued (either fixed, or
DHCP, from what you told, the latter)
- which basically means that there is _no_ point-to-point link involved.
- for whatever reason you don't want to use a switch (which I would
understand for firewalling issues to keep the ISP from getting your
internal traffic running through their machines).

All of that is perfectly fine, I use such a setup for my virtual
servers, for example (although there that internal LAN is just a
software emulation).

So please describe your internet connection and we can tell if your
plan is flawed from the beginning. I'd somehow bet a beer on that.

-hwh
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] Re: Internet bridge

2007-08-14 Thread Hans-Werner Hilse
Hi,

On Tue, 14 Aug 2007 13:53:51 + (UTC) Mateus Interciso
<[EMAIL PROTECTED]> wrote:

> Ok, so my ISP gives me just one IP, as you have already guessed,
> and yes, probably I did mix up a lot of stuff, and I'm terribly
> sorry for this.

Oh, that's just fine for me, it's probably yourself you've caused some
trouble and headaches for.

> I really don't need a bridge, as long as I can find a way to fix the 
> VoIP, I thought of the bridge because the win2k3 had it enabled for 
> routing the packages, it picked up on one side the internet
> connection with a valid ip 200.*.*.* and on another NIC it had the
> internal network (in that time 192.168.0.1/28), and it built a bridge
> (if I remember right, using the 192.168.0.1 IP) and we connected to
> the bridge, and the bridge was routing the packages from internal, to
> external.

Hm, I'd really wonder if that's what's called a bridge in Windows. That
sounds like simple routing, easy to set up in Windows using the
"Internet Sharing" options (which basically adds forwarding to the
Internet interface -- you could do that with a registry hack, too) and
add a simple DHCP server on the LAN side. Windows also has regular
bridges and under certain circumstances sets up those automatically.
But that's enough OT talk, this is Gentoo :-)

> Of course I could be wrong, since I wasn't the guy who made
> this, and since we needed a firewall, better than the w2k3, we put
> the gentoo box, and I NATed the connection.
> So, basically, this is it.

You'll have to continue using NAT. Drop all bridge-related
configuration (i.e. keep away from brctl), configure the external
interface to forward connections.

Then you have to take care of incoming connections. For a good SIP setup
with more than one SIP client, I'd highly suggest looking at SIP
proxies like siproxd. For one SIP client in the internal LAN you
basically need to map incoming connections on the relevant port
(5060, I think) on the Router/Firewall PC to that internal client. If
extensions or other protocols come into play, you should absolutely
look for proxies for those protocols.

Since there's only one IP, you have no bridging options and all your
computers in the LAN have to look like one machine to the outside. You
_have_ to use port forwarding or proxying.

Feel free to ask further specific questions!

-hwh
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] Re: Internet bridge

2007-08-14 Thread Hans-Werner Hilse
Hi,

On Tue, 14 Aug 2007 14:48:30 + (UTC)
Mateus Interciso <[EMAIL PROTECTED]> wrote:

> Ok, thanks a lot, this for sure cleared a lot of troubles I was having on 
> my head.

:-) The thing is, the deeper you look into things, the more you
get aware that they are more simple than you thought.

> But for the SIP stuff, I have just one client, built the firewall using 
> fwbuilder (sometimes it is easier), and for instance here's the SIP 
> part on the nat table:
> 0 0 DNAT   udp  --  anyany anywhere 
> 200.*.*.* udp dpt:5060 to:10.0.0.112 
> Is this wrong?

Looks right... (actually, I'm unsure about that 200.*.*.*) but... see
below...

> Because the strange thing is that it works for some places, but not for 
> others, and we really didn't have these issues with w2k3 routing stuff.

Yeah, not having done a lot with SIP, I had another look into that
matter. SIP seems to have the IP addresses of the clients that come
into play inside the SIP messages. I.e., if your SIP phone or SIP
client isn't aware of your _external_ IP, it will inform the other end
about a private IP on your end, since that's all the SIP phone/client
has. There is an information protocol that can make the SIP
phone/client aware of the real address (obviously, the gateway
must support this, and the SIP phone/client too).

I would start to try the netfilter modules, which claim (I didn't
check) that they mangle SIP packets accordingly. A short introduction
is here:
http://people.netfilter.org/chentschel/docs/sip-conntrack-nat.html

If that doesn't work and if your phone supports specifying a proxy, I
would go that road instead.

-hwh
-- 
[EMAIL PROTECTED] mailing list
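An added example, not from the original posts, that puts the DNAT rule quoted above and the netfilter SIP helper together for one phone on the LAN. The interface names ppp0/eth0 and the RTP port range 10000:10020 are assumptions; 10.0.0.112 and UDP 5060 are the values from the thread. Run it with "dry-run" to print the rules, or "apply" (as root) to install them:

```shell
#!/bin/sh
# Added example (not from the thread): forward SIP for a single phone on the
# LAN through a Linux NAT router and load the netfilter SIP helper that
# rewrites the private address inside SIP headers and SDP bodies.
# Assumed: WAN=ppp0, LAN=eth0, RTP_RANGE=10000:10020 (must match the phone).
WAN=${WAN:-ppp0}
LAN=${LAN:-eth0}
PHONE=${PHONE:-10.0.0.112}
SIP_PORT=${SIP_PORT:-5060}
RTP_RANGE=${RTP_RANGE:-10000:10020}
IPT=${IPT:-iptables}      # IPT="echo iptables" prints instead of applying

# DNAT the signalling port and the media range to the phone, and permit
# exactly that traffic through FORWARD (whose policy is assumed to be DROP).
sip_rules() {
    $IPT -t nat -A PREROUTING -i "$WAN" -p udp --dport "$SIP_PORT" \
         -j DNAT --to-destination "$PHONE:$SIP_PORT"
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -p udp -d "$PHONE" --dport "$SIP_PORT" -j ACCEPT
    # Without a working helper the RTP ports negotiated in SDP are not
    # tracked, so the media range is forwarded statically as well.
    $IPT -t nat -A PREROUTING -i "$WAN" -p udp --dport "$RTP_RANGE" \
         -j DNAT --to-destination "$PHONE"
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -p udp -d "$PHONE" --dport "$RTP_RANGE" -j ACCEPT
}

# The SIP conntrack/NAT helper fixes up the private IP the phone writes into
# its messages. Module names depend on the kernel generation
# (ip_conntrack_sip/ip_nat_sip on 2.6.2x, nf_conntrack_sip/nf_nat_sip later).
load_sip_helper() {
    modprobe nf_conntrack_sip 2>/dev/null || modprobe ip_conntrack_sip
    modprobe nf_nat_sip 2>/dev/null || modprobe ip_nat_sip
}

# Print the rules that would be applied, without touching the kernel.
sip_rules_dry_run() {
    ( IPT="echo iptables"; sip_rules )
}

# Number of rules the ruleset installs (sanity check for reviews).
sip_rule_count() {
    sip_rules_dry_run | grep -c '^iptables '
}

case "${1:-}" in
    apply)   load_sip_helper && sip_rules ;;
    dry-run) sip_rules_dry_run ;;
esac
```

The two FORWARD rules are what keeps the DNAT from becoming a general hole: only UDP to the phone's SIP and RTP ports is let in, nothing else on the LAN becomes reachable.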



Re: [gentoo-user] pendrive mounting problem

2007-08-15 Thread Hans-Werner Hilse
Hi,

On Wed, 15 Aug 2007 11:34:31 -0400 "Matthew R. Lee"
<[EMAIL PROTECTED]> wrote:

> A friend of mine recently put a pdf on my pendrive using windows
> vista.  When I plugged it into my laptop it wouldn't mount.  I got
> the following output from dmesg:
> [...]

How is it mounted? fstab entry? CLI? please provide the options you're
using. BTW, it's not all that common that those media types are NTFS.
In most cases, VFAT is in use (is that compiled into your kernel? NLS
support is currently missing from your kernel -- or not loaded
automatically if compiled as a module).

-hwh
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] pendrive mounting problem

2007-08-15 Thread Hans-Werner Hilse
Hi,

On Wed, 15 Aug 2007 12:06:50 -0400
"Matthew R. Lee" <[EMAIL PROTECTED]> wrote:

> > I'm using udev-104-r13

Hm, but udev doesn't do the mount, does it? I would really be
interested whether there is a fstab entry (and what it is) and what
mount command you use, if any. Some software actually must be
responsible for the mount, right?

The output you have cited was from the kernel log and it looks as if

> > Said pendrive worked fine prior to being inserted into the vista laptop
> > I recently compiled a new kernel 2.6.22-gentoo-r2 with all the same support
> > for file systems as the previous kernel, with the exception that I compiled
> > in support for ntfs.

So I guess the stick, or at least the card, is not NTFS but FAT (since
it worked before), right?

What would be interesting is the output of "file -s /dev/sdb1". It
should print some details about the partition (you need to run it as
root).

> I've just checked the kernel config and all the NLS support is compiled in

Do you have automatic module loading enabled? Otherwise you might need
to probe the NLS module for cp437 manually before mounting (I really
think it is just a warning in the kernel log, but I'm not sure --
especially, if you have autofs in the action, which it also looks like,
since the probing of all the file systems). Try "modprobe nls_cp437".

-hwh
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] phpMyAdmin

2007-08-15 Thread Hans-Werner Hilse
Hi,

On Wed, 15 Aug 2007 17:15:17 + (UTC)
Thufir <[EMAIL PROTECTED]> wrote:

> I thought I'd seen a phpmyadmin configuration gui at gentoo.org, but 
> can't seem to locate it again.   gives a 
> list of files.

If those files you see actually are the phpMyAdmin files: Web server
not properly configured to search for an "index.php"? Or no PHP at all?

-hwh
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] pendrive mounting problem

2007-08-15 Thread Hans-Werner Hilse
Hi,

On Wed, 15 Aug 2007 14:30:08 -0400
"Matthew R. Lee" <[EMAIL PROTECTED]> wrote:

> fstab doesn't mention /dev/sdb1
> normally I just plug the pendrive in, the icon pops up in media:/ in 
> konqueror, I click on it and do what I need to do

Hm, OK, then other daemons come into action. Unfortunately, I'm not
using KDE, so I've got no idea where that may make a difference.

> > So I guess the stick, or at least the card, is not NTFS but FAT (since
> > it worked before), right?
> Correct it is, was, FAT

Yep:

> /dev/sdb1: x86 boot sector, code offset 0x3c, OEM-ID "MSDOS5.0", 
> sectors/cluster 16, root entries 512, Media descriptor 0xf8, sectors/FAT 248, 
> heads 255, hidden sectors 32, sectors 1015776 (volumes > 32 MB) , serial 
> number 0xb465569d, unlabeled, FAT (16 bit)

> > > I've just checked the kernel config and all the NLS support is compiled
> > > in

Ah, then that might be why there's no nls_cp437 module.

Since I got no idea how to debug the KDE part, all I can suggest is
issuing the following as root: "mount -t vfat /dev/sdb1 /mnt" and see
if it gets mounted beneath /mnt. That way, you can exclude media and
kernel issues. If errors show up, post them and the new lines in the
kernel log.

-hwh
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] Re: phpMyAdmin

2007-08-16 Thread Hans-Werner Hilse
Hi,

On Thu, 16 Aug 2007 08:24:10 + (UTC) Thufir
<[EMAIL PROTECTED]> wrote:

> It seems that Apache needs configuration?  specifically the 
> documentroot?  Is that required?

No, in that case you wouldn't even see the directory listing. You're
probably just not running the PHP module. Check
your /etc/conf.d/apache2 and set APACHE2_OPTS accordingly (i.e. add 
"-D PHP4" or "-D PHP5").

-hwh
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] pendrive mounting problem

2007-08-16 Thread Hans-Werner Hilse
Hi,

On Wed, 15 Aug 2007 17:45:59 -0400 "Matthew R. Lee"
<[EMAIL PROTECTED]> wrote:

> trying to mount it from the command line didn't work, here's the
> output from dmesg

Hm, did you really use "-t vfat"? Your kernel log has other filesystems
complaining after the FAT errors...

> Unable to identify CD-ROM format.
> Unable to load NLS charset cp437
> FAT: codepage cp437 not found
> NTFS-fs warning (device sdb1): is_boot_sector_ntfs(): Invalid boot
> sector checksum.
> NTFS-fs error (device sdb1): read_ntfs_boot_sector(): Primary boot
> sector is invalid.
> NTFS-fs error (device sdb1): read_ntfs_boot_sector(): Mount option 
> errors=recover not used. Aborting without trying to recover.
> NTFS-fs error (device sdb1): ntfs_fill_super(): Not an NTFS volume.
> VFS: Can't find ext3 filesystem on dev sdb1.
> VFS: Can't find an ext2 filesystem on dev sdb1.

It really looks like the autofs-mount sequence. The last error is not a
FAT error.

Please give us the output of 
"grep NLS /lib/modules/$(uname -r)/source/.config" in order to verify
that you really have cp437 support compiled into your kernel.

-hwh
-- 
[EMAIL PROTECTED] mailing list
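An added example, not from the thread, that automates the two checks suggested here: look in the kernel config for the NLS codepage (and the iocharset a vfat mount needs as well), and mount explicitly as vfat with those options spelled out. The config path is the one given above; the device, mount point and the nodev,nosuid,noexec options are my additions:

```shell
#!/bin/sh
# Added example (not from the thread): verify NLS support for a vfat mount
# from the kernel .config, then mount with codepage and charset explicit.
CONFIG=${CONFIG:-/lib/modules/$(uname -r)/source/.config}

# Returns 0 and prints the value if option $2 is built in (=y) or a module
# (=m) in config file $1; a missing or "is not set" option returns 1.
kconfig_enabled() {
    val=$(sed -n "s/^$2=//p" "$1")
    case "$val" in
        y|m) echo "$val"; return 0 ;;
        *)   return 1 ;;
    esac
}

# vfat needs the codepage for 8.3 names and an iocharset for long names.
# Prints what is missing or needs modprobe; returns 0 only if both exist.
vfat_nls_ready() {
    cfg=$1; cp=${2:-437}; cs=${3:-iso8859-1}
    ok=0
    cp_opt="CONFIG_NLS_CODEPAGE_$cp"
    cs_opt="CONFIG_NLS_$(echo "$cs" | sed 'y/abcdefghijklmnopqrstuvwxyz-/ABCDEFGHIJKLMNOPQRSTUVWXYZ_/')"
    if state=$(kconfig_enabled "$cfg" "$cp_opt"); then
        [ "$state" = m ] && echo "note: nls_cp$cp is a module; modprobe nls_cp$cp before mounting"
    else
        echo "missing: $cp_opt"; ok=1
    fi
    if state=$(kconfig_enabled "$cfg" "$cs_opt"); then
        [ "$state" = m ] && echo "note: nls_$cs is a module; modprobe nls_$cs before mounting"
    else
        echo "missing: $cs_opt"; ok=1
    fi
    return $ok
}

# Mount as vfat with the codepage/charset named, so a failure is a FAT or
# NLS error and not the result of autofs probing every filesystem in turn.
# Removable media get nodev,nosuid,noexec (my addition, not from the thread).
mount_vfat() {
    dev=$1; mnt=${2:-/mnt}; cp=${3:-437}; cs=${4:-iso8859-1}
    mount -t vfat -o "codepage=$cp,iocharset=$cs,nodev,nosuid,noexec" "$dev" "$mnt"
}

case "${1:-}" in
    check) vfat_nls_ready "$CONFIG" "${2:-437}" "${3:-iso8859-1}" ;;
    mount) mount_vfat "$2" "${3:-/mnt}" ;;
esac
```

"sh script.sh check 437 iso8859-1" reports the state of both options against the running kernel's config; "sh script.sh mount /dev/sdb1" does the explicit mount as root.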



Re: [gentoo-user] pendrive mounting problem

2007-08-17 Thread Hans-Werner Hilse
Hi,

On Thu, 16 Aug 2007 16:03:46 -0400 "Matthew R. Lee"
<[EMAIL PROTECTED]> wrote:

> Add:  The recompile worked.  Sometimes you can't see what's wrong for
> looking Thanks again for all the help

Fine! You're welcome, of course! (I somehow doubted that NLS support is
required for FAT, too. But it seems it is.)

-hwh
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] Re: phpMyAdmin

2007-08-17 Thread Hans-Werner Hilse
Hi,

On Fri, 17 Aug 2007 06:45:28 + (UTC) Thufir
<[EMAIL PROTECTED]> wrote:

> Here's some more data, if it helps:
> [...]
> localhost ~ # cat  /etc/conf.d/apache2
> [...]
> APACHE2_OPTS="-D DEFAULT_VHOST"
> #APACHE2_OPTS="-D PHP5.2.2"

Did you read my earlier post?

rewrite that line to APACHE2_OPTS="-D DEFAULT_VHOST -D PHP5"
and restart apache.

-hwh
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] ALSA hell : master channel permanently at zero volume, no sound

2007-08-20 Thread Hans-Werner Hilse
Hi,

On Mon, 20 Aug 2007 14:37:27 +0200 "b.n." <[EMAIL PROTECTED]> wrote:

> > Hm, is there a switch for analog vs. digital audio output? The
> > screenshot only shows a few controls. 
> 
> Yes. Just tried to switch them but nothing changes.

Hm. That would include playing with those settings:

Master switch, as you can see, digital output (Playback) is enabled,
digital input (Capture) is disabled:

> Simple mixer control 'IEC958',0
>   Capabilities: pswitch pswitch-joined cswitch cswitch-joined
>   Playback channels: Mono
>   Capture channels: Mono
>   Mono: Playback [on] Capture [off]

I think those two relate to input/capture only:

> Simple mixer control 'IEC958 Capture Monitor',0
>   Capabilities: pswitch pswitch-joined
>   Playback channels: Mono
>   Mono: Playback [on]
> Simple mixer control 'IEC958 Capture Valid',0
>   Capabilities: pswitch pswitch-joined
>   Playback channels: Mono
>   Mono: Playback [on]

I'm not sure about the next two items, maybe playing with them is a
good idea, too:

> Simple mixer control 'IEC958 Playback AC97-SPSA',0
>   Capabilities: volume volume-joined
>   Playback channels: Mono
>   Capture channels: Mono
>   Limits: 0 - 3
>   Mono: 3 [100%]
> Simple mixer control 'IEC958 Playback Source',0
>   Capabilities: enum
>   Items: 'Analog' 'Digital'
>   Item0: 'Digital'

If alsamixer doesn't provide the according settings, you might want to
use "amixer sset <control> <value>", see "man amixer" for synopsis and
examples.

I really guess it's due to one of the IEC958 (i.e. digital in/out)
settings.

-hwh
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] ALSA hell : master channel permanently at zero volume, no sound

2007-08-20 Thread Hans-Werner Hilse
Hi,

On Mon, 20 Aug 2007 17:33:49 +0200
"b.n." <[EMAIL PROTECTED]> wrote:

> >> Simple mixer control 'IEC958',0
> >>   Capabilities: pswitch pswitch-joined cswitch cswitch-joined
> >>   Playback channels: Mono
> >>   Capture channels: Mono
> >>   Mono: Playback [on] Capture [off]
> 
> Where do you see that?

Last line specifies the current settings. The mixer control IEC958
(which is the digital audio standard in use in the "western" world) is
set to "on" for the "Playback" stream direction, and to "off" for the
"Capture" stream direction.

> > If alsamixer doesn't provide the according settings, you might want to
> > use "amixer sset <control> <value>", see "man amixer" for synopsis and
> > examples.
> > 
> > I really guess it's due to one of the IEC958 (i.e. digital in/out)
> > settings.
> 
> I am extremly confused. How should those be set?
> I'm not that able to parse the amixer output, probably, so let me know
> more deeply.

first try setting the control 'IEC958' to "off" for the "Playback"
direction:
$ amixer sset 'IEC958',0 playback off

if that doesn't work out well, try the settings 
- 'IEC958 Playback AC97-SPSA',0 (can be set to values ranging between
0-3)
- 'IEC958 Playback Source',0 (can be set to values 'Analog' or
'Digital')
for those two, the option "playback" is optional, since according to
the output you have given, those controls are only present for the
"playback" direction.

I think those controls might be in alsamixer, too, but amixer tends to
be the most reliable and supportable method -- the output you have
given is complete, so that I can at least tell that all the "usual"
settings seem to be correct. I think the problem is hidden in those
extended settings. I might be wrong and it might just be a bug in the
driver, but somehow I doubt that -- although my doubts are not
supported by any obvious hints, yet.

-hwh
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] Re: phpMyAdmin

2007-08-21 Thread Hans-Werner Hilse
Hi,

On Tue, 21 Aug 2007 06:09:48 + (UTC) Thufir
<[EMAIL PROTECTED]> wrote:

> > Did you read my earlier post?
> > 
> > rewrite that line to APACHE2_OPTS="-D DEFAULT_VHOST -D PHP5" and
> > restart apache.
> 
> Pardon, I may have been distracted, but I think I changed that entry 
> several times.  I tried a couple variations, and restarted apache and
> for good measure mysql.  The above variation still shows text files
> for .php files.

Does /etc/apache2/httpd.conf still contain the line
"Include /etc/apache2/modules.d/*.conf" ?

Is /etc/apache2/modules.d/*_mod_php.conf present? In that file you can
see the exact flag you have to specify.

If you decided to drop the Gentoo configuration style for apache, then
you'll have to provide a *lot* more information about your Apache's
configuration than you did.

BTW, the errors you cited indicate you might be running suexec. What
for? How configured? Did you follow a certain guide?

-hwh
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] ALSA hell : master channel permanently at zero volume, no sound

2007-08-21 Thread Hans-Werner Hilse
Hi,

On Tue, 21 Aug 2007 01:09:39 +0200 "b.n." <[EMAIL PROTECTED]> wrote:

> b.n. ha scritto:
> > I think I have to try with the Portage alsa drivers.
> 
> Ok, alsa-driver does not compile.
> Now I feel really lost.

But the error isn't "I won't compile.", is it? With the information
you provided (not), I'm currently lost, too :-)

If you decide to compile external ALSA drivers, you have to make sure
that your kernel isn't configured for internal ALSA drivers. It has,
however, to be configured for basic "sound support".

-hwh
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] ALSA hell : master channel permanently at zero volume, no sound

2007-08-21 Thread Hans-Werner Hilse
Hi,

On Mon, 20 Aug 2007 19:03:55 +0200 "b.n." <[EMAIL PROTECTED]> wrote:

> What concerns me is that alsamixer nevers shows a volume control on
> Master anymore, and amixer says:
> 
> Simple mixer control 'Master',0
>   Capabilities: pswitch pswitch-joined *<--- no volume/pvolume*
>   Playback channels: Mono
>   Mono: Playback [on]
> 
> Also in alsamixer the IEC958 controls show no volume bar.

Because they are no volume controls. Did you really modify them using
amixer? It will output the new settings after successfully applying
them.

No master volume *does* make some sense for digital out...

-hwh
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] ALSA hell : master channel permanently at zero volume, no sound

2007-08-22 Thread Hans-Werner Hilse
Hi,

On Wed, 22 Aug 2007 01:05:59 +0200 "b.n." <[EMAIL PROTECTED]> wrote:

> Managed to install alsa-driver (the unstable ones were needed).
> Nothing changes, except that now PCM has no volume bar, too.

Sorry, I'm now left to some shots in the dark: Re-emerge alsa-libs and
alsa-utils, too?

There's not much that I could suggest otherwise at this point...

-hwh
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] "Treason uncloaked!" solution?

2007-08-22 Thread Hans-Werner Hilse
Hi,

On Wed, 22 Aug 2007 12:18:16 -0700
Grant <[EMAIL PROTECTED]> wrote:

> Sometimes I get "Treason uncloaked!" in dmesg when running bittorrent.
>  The solution here:
> 
> http://www.linuxquestions.org/questions/showthread.php?t=127984
> 
> is:
> 
> You'd best set iptables to block all packets from BOGON networks (nets
> that shouldn't exist) so you can avoid this type of attack. You may
> find a list of bogon nets here. Note: unallocated nets change from
> time to time! Just in November IANA allocated two more blocks to RIPE,
> so you really need to pay attention if you're blocking all bogon IPs.
> 
> Which doesn't sound great.  What would you guys recommend I do?  I use
> a Gentoo router.

Hm, I don't think that those "attacks" (which do no harm to Linux
systems since some 1.x version of the kernel -- the warning is a
reminiscence) will always come from wrong nets. I have those
occasionally on all my larger server installs and never really bothered
about them. It usually means that the other side of the TCP connection
reduced the window to zero size, thus leading stupid TCP stacks to save
information on a basically starved connection. The kernel just writes a
message to the log, so in case you recognize the IP and are in
charge of the sender, you'll know that it has a very broken TCP
stack. Essentially: Just ignore it, if the sender IP doesn't belong to
one of your own networks.

-hwh
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] "Treason uncloaked!" solution?

2007-08-24 Thread Hans-Werner Hilse
Hi,

On Thu, 23 Aug 2007 12:55:06 -0500
Dan Farrell <[EMAIL PROTECTED]> wrote:

> > It usually means that the other side of the TCP
> > connection reduced the window to zero size, thus leading stupid TCP
> > stacks to save information on a basically starved connection. The
> > kernel just sends an information to the log, so in case if you
> > recognize the IP and are in charge of the sender, you'll know that it
> > has a very broken TCP stack. Essentially: Just ignore it, if the
> > sender IP doesn't belong to one of your own networks.
> > 
> I found a line in my Treason-related output that pointed to an internal
> IP on a distcc port.  Should I be worried about this computer?  It's
> running a brand new gentoo install and is solely for the purpose of
> distcc.  

Hm. I don't think so, but I'm not that deep into TCP that I could
easily tell some circumstances when such things can happen and if it
indicates a bug by all means.

There might be a slight possibility that the packet sender was forged.
It depends on your uplink whether such packets can get through.
Additionally, when inside a potentially hostile LAN, you can't trust
any IP addresses.

If it's just a single line, I'd ignore it, I think. But there's no good
reason I could give for that proposal, except for the absence of any
feeling that something is wrong.

-hwh
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] Can't install Gentoo on Dell Inspiron 530

2007-08-27 Thread Hans-Werner Hilse
Hi,

On Sun, 26 Aug 2007 23:22:56 -0400 "Walter Dnes"
<[EMAIL PROTECTED]> wrote:

>   Now that I have a working keyboard and a busybox shell, I'm trying
> to mount a USB key.  I did...
> 
> mknod /dev/sda b 8 0
> mknod /dev/sda1 b 8 1
> 
> ...inserted a USB key, and tried mounting it.  dmesg indicates that
> the USB driver did find sda and sda1.  However, the "mount" command
> always fails with a cryptic, and useless, error message.  Is there an
> example somewhere of how busybox's "mount" command works?  Or does it
> not support "msdos" or "vfat" filesystem types?

FS support has got to be inside the kernel. When module autoloading
doesn't work, you'll have to make sure that everything needed is
present. While the mount error message might be useless, is there any
reasonable error report in dmesg?

BTW, you can mount /proc and then look for PCI dev information and
partitioning information there.

$ mount -t proc none /proc
$ cat /proc/bus/pci/devices
(vendor/device string is on position 2)
$ cat /proc/partitions

and

$ cat /proc/filesystems

are your friends.

-hwh
-- 
[EMAIL PROTECTED] mailing list
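An added example, not from the thread, of pulling the same information out of /proc in a rescue shell that has no lspci: field 2 of /proc/bus/pci/devices is the vendor and device ID concatenated in hex, field 1 is bus and devfn, and /proc/filesystems lists what the running kernel can mount. Both functions take a file argument so they can also be run on captured copies:

```shell
#!/bin/sh
# Added example (not from the thread): decode /proc/bus/pci/devices and
# check /proc/filesystems from a minimal shell (only awk and printf needed).

# Prints "bus:slot.func vendor:device" per device. Field 1 is (bus << 8 | devfn)
# in hex; field 2 is the 16-bit vendor ID followed by the 16-bit device ID.
pci_ids() {
    awk '{ print $1, substr($2, 1, 4) ":" substr($2, 5, 4) }' "${1:-/proc/bus/pci/devices}" \
    | while read -r bdf ids; do
        devfn=$(printf '%d' "0x$bdf")
        printf '%02x:%02x.%d %s\n' $(( devfn / 256 )) $(( (devfn % 256) / 8 )) $(( devfn % 8 )) "$ids"
      done
}

# Returns 0 if filesystem $1 is known to the kernel (built in or loaded).
# /proc/filesystems lines look like "nodev<TAB>proc" or "<TAB>vfat".
fs_supported() {
    awk -v fs="$1" '$NF == fs { found = 1 } END { exit !found }' "${2:-/proc/filesystems}"
}

case "${1:-}" in
    pci) pci_ids ;;
    fs)  fs_supported "$2" && echo "$2: supported" || echo "$2: not available, load the module or rebuild" ;;
esac
```

On the live system, "mount -t proc none /proc" first, as noted above; then "sh script.sh pci" and "sh script.sh fs vfat" answer the two questions the post asks.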



Re: [gentoo-user] IMAP server for localhost

2007-08-30 Thread Hans-Werner Hilse
Hi,

On Thu, 30 Aug 2007 16:16:53 +0200 Alan McKinnon
<[EMAIL PROTECTED]> wrote:

> I use a setup like this - kmail connecting to dovecot @ localhost.
> 
> I pop my mail off the various mail servers I use with
> net-mail/getmail, the docs are quite clear. Performance is slower
> than local mailboxes especially if you have lots of mail, and if you
> need to move 30,000 lkml mails form over her to over there, then it's
> gonna take a while :-)

+1 for getmail/fetchmail. The most important point for me is that no
mail is lost when my local machine goes down, a case in which
forwarding would have its difficulties and can be basically controlled
only by the company you have your "usual" mailbox at.

Also, it's pretty easy to integrate spamassassin & co into the
getmail/fetchmail pipe.

-hwh
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] Need help with routing

2007-09-10 Thread Hans-Werner Hilse
Hi,

On Mon, 10 Sep 2007 20:59:03 +0200
Florian Philipp <[EMAIL PROTECTED]> wrote:

> I'll attach relevant ifconfig, route and iptables -L output.

Hm, OK. This:
snip
Chain FORWARD (policy ACCEPT)
target prot opt source   destination 
ACCEPT all  --  10.8.0.1 anywhere
ACCEPT all  --  anywhere 10.8.0.1
DROP   all  -- !10.8.0.1 anywhere
snip

is on what computer? On the "server" (I guess it's the router) the last
line would effectively prevent routing for the client (but I don't know
why ICMP works...). I would suggest starting without it and then
setting up proper rules -- and then setting the chain's policy to DROP
(plus some REJECT rules for proper answers).

Dan's hint is also worth investigating.
BTW: use route/ifconfig/netstat/iptables' "-n" switch to make analysis
easier!

-hwh
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] SSH won't restart

2007-09-10 Thread Hans-Werner Hilse
Hi,

On Mon, 10 Sep 2007 14:28:41 -0500
Dan Farrell <[EMAIL PROTECTED]> wrote:

> You can always start a seperate ssh server on a different port, to test
> the new server and the config files.  
> 
> Then you can get in on a different port and fix it if your upgrade of
> the usual ssh server gets borked.  

And you can always leave one session open. Plus: It's already
configured. Plus: It's pretty secure. Plus: You know exactly whether
the new binary works.

It's as easy as "/usr/sbin/sshd -p 2". (or whatever free port there is)

-hwh
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] Need help with routing

2007-09-11 Thread Hans-Werner Hilse
Hi,

On Tue, 11 Sep 2007 17:30:51 +0200 Florian Philipp
<[EMAIL PROTECTED]> wrote:

> > Hm, OK. This:
> > snip
> > Chain FORWARD (policy ACCEPT)
> > target prot opt source   destination 
> > ACCEPT all  --  10.8.0.1 anywhere
> > ACCEPT all  --  anywhere 10.8.0.1
> > DROP   all  -- !10.8.0.1 anywhere
> > snip
> > 
> > is on what computer? On the "server" (I guess it's the router) the
> > last line would effectively prevent routing for the client (but I
> > don't know why ICMP works...). I would suggest starting without it
> > and then setting up proper rules -- and then setting the chain's
> > policy to DROP (plus some REJECT rules for proper answers).
> 
> I followed the howto's nomenclature of "server" and "client".
> I'm a bit puzzled right now. Is there anything essentially wrong with
> the howto ( http://gentoo-wiki.com/HOWTO_quick_routing )? I followed
> it word by word.
> The drop rule is explained as "#prevent others ip from conecting to
> my eth0"

Hm, judging from the fact that the article on Routing uses a "Client"
and "Server" nomenclature, I consider the article to be at least partly
crap ;-)

And yes, that guide really seems to be a bunch of BS (sorry, but that's
the way it seems to be). It is outright horrible. Personally I hate
discussing on Wikis' Discussion Pages, so, no, I won't correct it (but
looking at its discussion page, others considered it bad, too, and are
planning to correct/delete it).

That iptables setup is absolutely stupid. It accepts packets from and
to the machine itself (note that 10.8.0.1 is the router's IP), but will
drop any packet not originating from 10.8.0.1. The latter should be
true for all packets originating from the client (since it has the
address 10.8.0.2). So all the client's communication is dropped, and
that's it, end of story.

Better have a look at netfilter's set of HOWTOs, especially the NAT
howto. Better learn what you're doing... Otherwise, just take the hints
from my previous posting.

My suggestion for a proper setup would be

$ iptables -F FORWARD
$ iptables -P FORWARD DROP
$ iptables -A FORWARD -i eth0 -o ppp0 -m state --state NEW,ESTABLISHED,RELATED 
-j ACCEPT
$ iptables -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j 
ACCEPT
...plus rules allowing for forwarding designated ports, if any

You'll certainly want to keep this:
$ iptables -A POSTROUTING -o ppp0 -j MASQUERADE
in place, too.

Note that this trusts any box connecting via eth0, not just a single
client.

-hwh
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] Need help with routing

2007-09-11 Thread Hans-Werner Hilse
Hi,

On Tue, 11 Sep 2007 18:50:52 +0200 Florian Philipp
<[EMAIL PROTECTED]> wrote:

> > My suggestion for a proper setup would be
> > 
> > $ iptables -F FORWARD
> > $ iptables -P FORWARD DROP
> > $ iptables -A FORWARD -i eth0 -o ppp0 -m state --state
> > NEW,ESTABLISHED,RELATED -j ACCEPT $ iptables -A FORWARD -i ppp0 -o
> > eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT ...plus rules
> > allowing for forwarding designated ports, if any
> > 
> > You'll certainly want to keep this:
> > $ iptables -A POSTROUTING -o ppp0 -j MASQUERADE
> > in place, too.
> > 
> > Note that this trusts any box connecting via eth0, not just a single
> > client.
> [...]
> When I try to apply the rules you've posted I get:
> 
> $ iptables -A FORWARD -i eth0 -o ppp0 -m state --state \
> NEW,ESTABLISHED,RELATED -j ACCEPT
> 
> iptables: No chain/target/match by that name

Hm, you do not seem to have your kernel configured for connection state
matching.

Just start with basic rules:
$ iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT
$ iptables -A FORWARD -o eth0 -i ppp0 -j ACCEPT

(instead of the "iptables -A" settings mentioned before)

But note that those would potentially allow inbound connections to get
routed to any desired machine (desired by the party outside your
network, that is). So make sure that either such requests aren't
getting forwarded to your router (and this is most probably already the
case for your setup -- DSL or cable, I guess?) or your LAN doesn't care
(i.e. is secured). Most PPP endpoints, however, would drop such traffic
anyway, so you should be secure if you trust your provider.

Basically I think this is what the Gentoo wiki guide *intended* to do.

-hwh
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] Need help with routing

2007-09-11 Thread Hans-Werner Hilse
Hi,

On Tue, 11 Sep 2007 21:38:26 +0200
Florian Philipp <[EMAIL PROTECTED]> wrote:

> Now the kernel can handle connection state matching :)
> 
> I can apply your rules with one exception:
> iptables -A POSTROUTING -o ppp0 -j MASQUERADE
> 
> The same error message as before.

But a different cause: My brain ;-)  That should rather read
$ iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
(I forgot the "-t nat")

There is, however, a kernel configuration needed for masquerading, too
(CONFIG_IP_NF_TARGET_MASQUERADE on newer kernels, you can search for it
-- or just "MASQUERADE" on older kernels -- using the "/" key in the
kernel's menuconfig). So if iptables keeps complaining, check that too.

BTW: I'm starting to hate the HOWTO so much that I might even
consider editing it. The HOWTO got this command wrong as well: It
MASQUERADEs the connections going out to the LAN interface...

For a proper durable setup, after performing all steps manually until
you have iptables in the way, you should issue
$ /etc/init.d/iptables save
and have iptables fire up using rc-update, if not yet done. Also put
the sysctl setting in /etc/sysctl.conf. Then routing/masquerading will
be set up right on each boot.

-hwh

-- 
[EMAIL PROTECTED] mailing list
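As an added example (not the poster's own script and not the wiki HOWTO), here is the ruleset this thread ends up with, collected into one script with the "-t nat" fix and the sysctl step included. Interface names follow the thread (LAN on eth0, uplink on ppp0); the dry-run mode prints the commands so the ruleset can be reviewed before it is applied as root:

```shell
#!/bin/sh
# Added example (not from the thread): masquerading router with a
# default-deny FORWARD chain. Assumed: LAN=eth0, WAN=ppp0.
WAN=${WAN:-ppp0}
LAN=${LAN:-eth0}
IPT=${IPT:-iptables}        # IPT="echo iptables" prints instead of applying
SYSCTL=${SYSCTL:-sysctl}

router_rules() {
    # Nothing is forwarded unless a rule below says so.
    $IPT -F FORWARD
    $IPT -P FORWARD DROP
    # The LAN may open connections to the outside.
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # The outside only gets replies to connections the LAN opened: no NEW
    # here, so an uplink peer cannot reach a LAN host without an explicit DNAT.
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Masquerade on the uplink, not the LAN interface; the rule lives in the
    # nat table, hence -t nat.
    $IPT -t nat -F POSTROUTING
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
    # Routing stays off until enabled; persist this in /etc/sysctl.conf.
    $SYSCTL -w net.ipv4.ip_forward=1
}

# Print the commands that would run, without touching the kernel.
router_rules_dry_run() {
    ( IPT="echo iptables"; SYSCTL="echo sysctl"; router_rules )
}

# Review helper: 0 if no rule lets NEW connections in from the uplink.
no_unsolicited_inbound() {
    ! router_rules_dry_run | grep -- "-i $WAN -o $LAN" | grep -q NEW
}

case "${1:-}" in
    apply)   router_rules ;;
    dry-run) router_rules_dry_run ;;
    review)  no_unsolicited_inbound && echo "ok: uplink cannot open connections into the LAN" ;;
esac
```

After "apply", "/etc/init.d/iptables save" plus rc-update make the rules persistent, as described above; put net.ipv4.ip_forward = 1 into /etc/sysctl.conf rather than relying on the one-off sysctl -w. If the kernel lacks state matching, the "-m state" rules fail with the "No chain/target/match by that name" error from earlier in the thread, and the fallback without state matching loses exactly the property that "review" checks.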



Re: [gentoo-user] SSH won't restart

2007-09-11 Thread Hans-Werner Hilse
Hi,

On Tue, 11 Sep 2007 12:30:56 -0700
Grant <[EMAIL PROTECTED]> wrote:

> How does my host get root access like that?

Different possibilities, but hardware access in most cases means root
access (although maybe only to encrypted partitions...).

Easiest: Reboot (CTRL-ALT-DEL, no password needed), change kernel
command line in boot loader to 
"/boot/mykernel root=/dev/whatever init=/bin/bash"

And that's it, basically. The admin could have made a backup
of /etc/shadow, reset the root password, rebooted into the normal system,
restored /etc/shadow.

If it is a virtual server, this might be even easier.

-hwh
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] Need help with routing [OT: Issues with an article on the wiki]

2007-09-12 Thread Hans-Werner Hilse
Hi,

On Wed, 12 Sep 2007 18:35:41 +0200
Florian Philipp <[EMAIL PROTECTED]> wrote:

> Thank you for your patience, it's finally working!

OK, that's good news :-)

> If you don't edit the wiki, I'll do it (sooner or later). Just tell me
> if you don't want to see your name when I give you credit for the settings.

Reading through it, it'll need a general rewrite.

The more I look at it, the less it makes sense. Though on the
discussion site, the last comment gives a valuable hint to what the
main culprit is: The article doesn't clarify on its focus (and I guess
that's why it hasn't got that much attention yet). Based on the title,
there are many ways to conclude what task is described there. I guess
it was really about routing an internet connection to some "clients",
but the general concept of "Routing" is broader. So I think the article
should
- clarify what it's about (introduction)
- introduce routing and the "route" command (and/or "ip route")
- introduce masquerading (what you wanted and the original article
  intended to describe, I think)

I'll take a try on rewriting it this evening (CEST). Feel free to
further rewrite it or start doing it, but I really think the aspects
noted above are worth following.

-hwh
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] [OT] Problems with USB subsystem after upgrading to 2.6.22

2007-09-12 Thread Hans-Werner Hilse
Hi,

On Wed, 12 Sep 2007 18:44:23 +0200
Dan Johansson <[EMAIL PROTECTED]> wrote:

> I found myself a solution to this problem (I don't know if it's the best way 
> to do it but it works for me).
> 
> I added the following two files to my system:
> 
> # cat /etc/udev/rules.d/00-local.rules
> SUBSYSTEM=="usb", DRIVERS=="usb", 
> ATTRS{serial}=="2f11211b-0e00-0106-6800-0050bf7a660c",
> RUN+="/usr/local/bin/loox.udev"
> 
> # cat /usr/local/bin/loox.udev
> #!/bin/bash
> 
> if [ "${ACTION}" = "add" ]
> then
>         echo "1" > /sys/${DEVPATH}/bConfigurationValue
> fi

I still admire your solution. I think it's exactly as the inventors
intended, so to speak. (/me makes note in brain on that
bConfigurationValue thingy)

-hwh

PS: Sorry for the noise, but since the "OT" was already in the subject
line ;-)
--
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] Problem mounting USB Drive/MP3 PLayer

2007-09-12 Thread Hans-Werner Hilse
Hi,

On Wed, 12 Sep 2007 14:01:10 -0500
forgottenwizard <[EMAIL PROTECTED]> wrote:

> Alright, I did that. I tried to enable a few other options within SCSI,
> and none of them did anything. Dmesg still says it sees the device,
> knows it is USB, gives is an address, and designates it a configuration.
> 
> I'm going to look at the USB options and see if there is anything there
> I missed.

You could start by sending the dmesg output that occurs when you 
(re-)plug the device... It should be easier to see what's wrong then...

-hwh
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] root can't login on console, but can ssh...

2007-09-14 Thread Hans-Werner Hilse
Hi,

On Thu, 13 Sep 2007 16:07:02 -0400 Philip Webb <[EMAIL PROTECTED]>
wrote:

> 070913 Daevid Vincent wrote:
> > I simply want root to be able to login from console (tty[1-6])
> > or ssh (pts/[0-9]) without a password. Currently ssh does work fine.
> > It's only the physical console that doesn't.
> 
> There is a provision somewhere to disallow root logins,
> so that mb your problem rather than anything to do with passwords:
> have a look in such places as  /etc/login*  &  /etc/security/* .
> Just a quick suggestion in the absence of more informative help.

/etc/pam.d if using PAM. Special attention to the nullok option to
pam_unix. Also see the man page for pam_unix. Exceptionally stupid idea
to do this but since the OP insists... (Free tip: sudo is better in most
cases)

-hwh
-- 
[EMAIL PROTECTED] mailing list



Re: [ot] Re: [gentoo-user] Re: Re: [gentoo]Block certain websites

2007-09-16 Thread Hans-Werner Hilse
Hi,

On Sun, 16 Sep 2007 12:19:06 -0300
"Arturo 'Buanzo' Busleiman" <[EMAIL PROTECTED]> wrote:

> The other day something quite funny happened to me. I was with my Laptop 
> trying to find an open AP.
> I found one, but couldn't browser the internet nor get my OpenVPN (against a 
> USA-based server) up
> and running. I started making some tests... and I finally tried sshing into 
> one of my local (i.e in
> argentina) servers.
> 
> It worked. So, they were filtering (or the internet link didn't have) 
> international access. I
> quickly set-up an openvpn server on the argentinian (i.e national) server, a 
> 3proxy-proxy (fast
> enough), and told firefox to use it (over the vpn). Quite funny :)

I just use ssh for this. Using the "-D" flag gives a SOCKS5 proxy,
listening locally, making/accepting connections on the ssh remote end.
You can use it directly in Firefox, no need for full-fledged VPN.
(and for that, there would be the new "-w" option -- when IP-via-TCP is
an option)

-hwh



Re: [gentoo-user] Re: Re: SSH won't restart

2007-09-17 Thread Hans-Werner Hilse
Hi,

On Sun, 16 Sep 2007 22:25:07 +0200 Alexander Skwar
<[EMAIL PROTECTED]> wrote:

> A "/etc/init.d/sshd stop" won't kill any SSH sessions. It'll
> simply kill the sshd "master process". Because of that, additional
> logins won't be possible.

An /etc/init.d/sshd stop/restart can very well fail. Depending on in
what state this happens, it might stop accepting connections. Typical
conditions might be that relevant changes on-disk occurred, e.g. PAM
libraries, libc or similar libs that might dl() things.

OTOH, if signal handling is broken, the KILL might traverse to the
connection handling forked child. And that's enough to kick you out.

So I would definitely prefer to always have a guaranteed working sshd
running (I find OpenVPN/telnet a bit strange and an unnecessary
potential security hole).

You're absolutely right in that restarting immediately or delayed after
logging out of all sessions doesn't matter at all. But it's wrong that
it *can't* occur that you kill your current session as well. So the
delay doesn't make any specific sense here. It might reduce the risk of
a zombie master process of sshd, but I don't see much evidence. OTOH,
you lose the possibility of fixing restart problems within the running
session. So you have to weigh the risks. The real problem, however,
can only be overcome by another way to login. Firing up another
instance of sshd (on a different port) is just a matter of one simple
command, so I definitely prefer that.

-hwh



Re: [gentoo-user] Re: Re: Re: SSH won't restart

2007-09-17 Thread Hans-Werner Hilse
Hi,

On Mon, 17 Sep 2007 11:15:24 -0300 "Arturo 'Buanzo' Busleiman"
<[EMAIL PROTECTED]> wrote:

> Alexander Skwar wrote:
> > Well, I also found myself being unable to start sshd, but
> > these most often were due to some configuration changes.
> 
> And this is exactly why test-restart was proposed by me.

I would propose to change the "restart" option (i.e. introduce a
corresponding handler in /etc/init.d/sshd) to actually do checkconfig()
before stopping, not just before starting sshd.

I created a bug for this issue, patch attached:
http://bugs.gentoo.org/show_bug.cgi?id=192825

-hwh



Re: [gentoo-user] Re: Re: SSH won't restart

2007-09-17 Thread Hans-Werner Hilse
Hi,

On Mon, 17 Sep 2007 12:56:16 -0300 "Arturo 'Buanzo' Busleiman"
<[EMAIL PROTECTED]> wrote:

> > So I would definitely prefer to always have a guaranteed working
> > sshd running (I find OpenVPN/telnet a bit strange and an unnecessary
> > potential security hole).
> 
> If running permanently, then I agree, but I do not see the potential
> security hole if using a correctly designed/configured tunnel.

I just prefer manual "opening" of access means over manual "securing"
them. It's just about what happens if you fail -- when the task was
securing, you might have a security leak, but if it was opening
access, it is still secured. It's relatively moot, since opening access
is also often error prone in the sense of "opening too much". I think
it's personal taste :-)

> > session. So you have to weigh the risks. The real problem, however,
> > can only be overcome by another way to login. Firing up another
> > instance of sshd (on a different port) is just a matter of one
> > simple command, so I definitely prefer that.
> 
> As long as there is no issue with the sshd binary, of course :)

Yeah, but in that case you'd know it at that point, and it caused no
other harm than preventing you from setting up that fallback sshd. You
can then still fix it (or set up OpenVPN/telnet ;-)) using the old sshd
that's still listening. Just remember not to do a "killall sshd".

-hwh
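The procedure the replies above describe, as an added shell example (not from the thread and not Gentoo's /etc/init.d/sshd): validate the configuration with sshd -t before touching anything, bring up an independent sshd on a spare port as the fallback login path, and only then restart the main daemon. The binary and config paths, port 2222 and the fallback pidfile name are assumptions; they are variables so the gating logic can be exercised with stand-ins:

```shell
#!/bin/sh
# safe-sshd-restart.sh (assumed name): added example, not from the thread.
# All paths and the port are assumptions; override them in the environment.
SSHD_BIN="${SSHD_BIN:-/usr/sbin/sshd}"
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"
SSHD_INIT="${SSHD_INIT:-/etc/init.d/sshd}"
FALLBACK_PORT="${FALLBACK_PORT:-2222}"
FALLBACK_PIDFILE="${FALLBACK_PIDFILE:-/var/run/sshd-fallback.pid}"

# check_config FILE: "sshd -t" parses the config and loads the host keys
# without listening. A non-zero status means a restarted sshd would not
# come back, so this runs before anything is stopped.
check_config() {
    "$SSHD_BIN" -t -f "$1"
}

# start_fallback FILE: a second, independent listener on FALLBACK_PORT.
# -p overrides the Port lines in FILE; a separate PidFile keeps the init
# script's own pidfile intact, so "stop"/"restart" of the main instance
# cannot find, and kill, the fallback.
start_fallback() {
    "$SSHD_BIN" -f "$1" -p "$FALLBACK_PORT" -o "PidFile=$FALLBACK_PIDFILE"
}

# safe_restart [FILE]: returns 1 if the config is rejected and 2 if the
# fallback could not start (nothing is touched in either case); otherwise
# it returns the init script's status.
safe_restart() {
    cfg="${1:-$SSHD_CONFIG}"
    if ! check_config "$cfg"; then
        echo "sshd config check failed; leaving the running sshd alone" >&2
        return 1
    fi
    if ! start_fallback "$cfg"; then
        echo "could not start fallback sshd on port $FALLBACK_PORT" >&2
        return 2
    fi
    echo "fallback sshd on port $FALLBACK_PORT; restarting main sshd" >&2
    "$SSHD_INIT" restart
}

# Usage: sh safe-sshd-restart.sh --restart   (as root)
if [ "${1:-}" = "--restart" ]; then
    safe_restart
fi
```

Once a fresh login through the restarted main sshd works, stop the fallback via its own pidfile, `kill $(cat /var/run/sshd-fallback.pid)`, rather than with killall sshd, which would also take down the session you are typing in.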



Re: [gentoo-user] Hacked by association?

2007-09-20 Thread Hans-Werner Hilse
Hi,

On Wed, 19 Sep 2007 16:16:09 -0700 Grant <[EMAIL PROTECTED]> wrote:

> With netstat -lp it looks like *:snpp is associated with apache2 and
> is using the same pid as *:http and *:https.  I've never set up
> anything having to do with a pager.  I've never had a pager.  What can
> I do to investigate that further?

Do you by chance run a PHP debugger or similar stuff, i.e. some
specialized apache modules with other interfaces than HTTP(S)?

-hwh



Re: [gentoo-user] Is this drive toast--addendum

2007-09-27 Thread Hans-Werner Hilse
Hi,

On Wed, 26 Sep 2007 15:06:00 -0700 (PDT) maxim wexler
<[EMAIL PROTECTED]> wrote:

> > If you wouldn't mind satisfying my curiosity, what
> > does the jumper do?
> 
> Determines if the drive is master or slave in the
> BIOS. 
> 
> But perhaps you're thinking of something else. I'm
> astonished that someone doesn't know that. 
> 
> If you ever put an IDE drive in a PC you would have to
> know what the jumper is for.

There are often many more jumper settings on HDs. Many HDs e.g. have
different geometry settings they can work with. Some of them need this
geometry information to be set by a jumper setting. Others have special
monitoring capabilities that are being used for factory checks or even
interfacing the controller. It's not just Master/Slave...

In fact, if you change the geometry setting on the HD, this might cause
major trouble and look a bit like disk errors, I guess.

-hwh



Re: [gentoo-user] Help finding a tv tuner card's chipset

2007-09-27 Thread Hans-Werner Hilse
Hi,

On Thu, 27 Sep 2007 08:59:18 +0100 Neil Bothwick <[EMAIL PROTECTED]>
wrote:

> On Thu, 27 Sep 2007 01:00:33 -0500, forgottenwizard wrote:
> 
> > BTW, if anyone knows of a cheap tuner card (<50US preferably) that
> > is decent and works with either PCI/USB/AGP, I would love to know.
> 
> Analogue or DVB? I've used a Freecom DVB dongle with Gentoo (amd64 and
> ppc) and it worked well. For a cheap PCI card, the KWorld cards are
> decent.

Just a short warning: The US standards are a bit different... (but
KWorld has ATSC equipment, too, not just DVB).

And if commercial HDTV is to be received, special care has to be taken
that everything is HDMI compliant -- I think there are only hardware
based solutions to this problem, and it certainly won't be cheap -- at
least not <50USD, I think...

-hwh



Re: [gentoo-user] Gentoo User Guide XML error : solved ?

2007-09-30 Thread Hans-Werner Hilse
Hi,

On Sat, 29 Sep 2007 16:34:19 -0400
Philip Webb <[EMAIL PROTECTED]> wrote:

> > On Thu, Sep 27, 2007 at 12:10:17AM -0400, Philip Webb wrote
> >> Following the usual procedure in such cases of trying simple changes,
> >> I changed the file extension to '.html' & Epiphany now has no problem.
> >> Does anyone have any comment on this strange sequence of events ?
> > With HTML, the philosophy is that the parser tries to carry on,
> > even with lots of errors in the HTML code.  XML is much stricter
> > and an error is much more likely to be treated as fatal.
> 
> Well in that case (raises eyebrows), one has to ask
> (1) why does Gentoo offer its docs in such a strict format

It offers it in text/html (MIME type as transmitted by the web server).

> & (2) why there is a bug in the XML sufficient to stall the browsers.

It's not XML (there's no real "file name extension" concept in URI-land).

You probably saved it under a file name resembling the URI, thus
leading your browser to the assumption it might be XML - and it has to
make assumptions for file:// requests, since there's no "Content-Type"
on plain file systems. The conceptual failure is the part that
circumvents this (unreliable) detection algorithm by saving that file
by a name ending in ".xml" (my browser doesn't even offer ".xml" as a
preset for the file format when trying to save the HTML page of the
user guide).

-hwh



Re: [gentoo-user] Re: Lilo & ReiserFS on 64 bits

2007-10-04 Thread Hans-Werner Hilse
Hi,

On Wed, 3 Oct 2007 12:42:58 -0500 Dan Farrell <[EMAIL PROTECTED]> wrote:

> another great thing about grub is that it has a limited command mode
> that you can enter at boot time.  If your grub config contains a typo
> or error, you can still boot the computer without reaching for a CD.  

And, OTOH, it can install itself to other devices (but only the stage1,
stage 1.5 and/or stage 2 have to be already present on the target
device). So you can take a grub-enabled CD, boot it and restore your
system's hosed boot loader (say you just installed Windows or similar)
from the grub prompt.

Also, I prefer grub's "savedefault" features to the "-R" switch for
lilo (e.g. test boots w/ new kernels -- don't forget the "panic=..."
kernel parameter then!).

-hwh



Re: [gentoo-user] Can RAM render useless the encryption of the / and swap partitions?

2007-10-04 Thread Hans-Werner Hilse
Hi,

On Thu, 4 Oct 2007 15:47:53 +0200 Alan McKinnon
<[EMAIL PROTECTED]> wrote:

> On Thursday 04 October 2007, Liviu Andronic wrote:
> > And later on: "Now one problem is
> > left. Even with normal RAM a well funded organisation can get the
> > contents after the system is powered off. With the modern SDRAM it's
> > even worse, where the data stays on the RAM permanently until new
> > data is written.
> 
> Pray tell, how does RAM manage to retain data when the power is off? 
> It's either six transistors or one transistor and a cap per cell =
> not persistent.

In theory, for the one transistor and one cap case, you have a loaded
cap that will take "forever" losing its load, won't it? But in
practice, I think, that's not realistic.

> I don't know of any magic persistent RAM that's fast enough for use
> as main RAM. Flash disks are of course another story but you do
> appear to be talking about system RAM

There actually are new RAM types being made for solid-state storage.
But this is in a proof-of-concept stage, I think.

Maybe Liviu's professor had those magnetic drum memory units in mind
when saying that?

Anyway, cleaning memory on a power-off shut down doesn't make much
sense. However, it makes sense to clean up memory after having critical
data in it -- e.g. a reboot doesn't necessarily clean up RAM. And I'm
not sure if some mainboards even keep the RAM powered in certain
situations -- at least, they can as long as the power is not really
switched off (e.g. machine only in ATX soft-off mode).

-hwh



Re: [gentoo-user] Standby

2007-10-05 Thread Hans-Werner Hilse
Hi,

On Thu, 4 Oct 2007 21:26:28 +0100 Paul Gibbons <[EMAIL PROTECTED]>
wrote:

> Now when I press
> the soft power button the system suspends ( all processes appear to
> stop and the screen goes blank but for a flashing cursor in the top
> left of the 2 screens of my dual headed system) but after a few
> minutes the system resumes. It seems that either a wakeup message is
> being received or the hibernate script cannot actually power off the
> computer and so after a timeout period it resumes.

Sounds as if your BIOS is set to wake up on events that get triggered
when in standby. Things to check would be:
- Interrupts in general, there might be some spurious ones,
- Mouse/Keyboard (at least with a sensitive optical mouse...)
- Network

...but look for all these in the BIOS setup. Otherwise set up
hibernate-script to really shut off the computer.

-hwh



Re: [gentoo-user] Can RAM render useless the encryption of the / and swap partitions?

2007-10-05 Thread Hans-Werner Hilse
Hi,

On Thu, 4 Oct 2007 20:33:40 +0200 "Liviu Andronic"
<[EMAIL PROTECTED]> wrote:

> On 10/4/07, Alan McKinnon <[EMAIL PROTECTED]> wrote:
> > On Thursday 04 October 2007, Hans-Werner Hilse wrote:
> > > However, it makes sense to clean up memory after having
> > > critical data in it -- e.g. a reboot doesn't necessarily clean up
> > > RAM.
> >
> > Yes, this is very true
> 
> BUT
> 
> On 10/4/07, Alan McKinnon <[EMAIL PROTECTED]> wrote:
> > Pray tell, how does RAM manage to retain data when the power is off?
> 
> ...and...
> On 10/4/07, Volker Armin Hemmann
> <[EMAIL PROTECTED]> wrote:
> > In practice, after power is cut, everything in ram is lost.
> 
> So, my eternal question, is it realistic for the "lost" RAM data to be
> recovered? That is, after system shutdown, does the data still
> physically reside on the RAM and can someone with a decent technology
> and know-how recover it? In other words, is this a serious breach in
> any encrypted system?

No, it isn't. Well, I didn't have the full circuit design of today's
DRAMs in mind, and yes, since there's the resistor, the capacitor will
lose its load (very) soon (/me scratches his head, wasn't there
something asymptotic in that graph? But in any way, it would be a
difference of very few electrons on the sides of the capacitor) --
that's not a security breach.

But: We are talking about _powering_ _off_ the DRAM. You are talking
about shutting down. That might be two different things and completely
depend on hardware design. Make sure that RAM's gonna get powered off
and you're safe. So pulling the plug should give you a warm good
feeling in that regard. Doing a "sudo halt", however, _might_ have
other consequences and we cannot make a general assumption on that.
Even pulling the plug might have problems: There's such a thing as
battery-buffered RAM (although I think they've used it mainly in the
pre-Flash era).

The thing is: You never can guarantee security, that's absolutely
impossible (well, of course you can, but you would automatically be
wrong). You can do all your best, but that's about it. Having security
is a thing you can falsify, but never verify, since theories can't be
verified without dogmas (and there are no accepted dogmas that would
help here).

-hwh



Re: [gentoo-user] loopback into gentoo iptables

2007-10-05 Thread Hans-Werner Hilse
Hi,

On Fri, 5 Oct 2007 10:42:42 -0500
"Walter Willis" <[EMAIL PROTECTED]> wrote:

> I have an ADSL modem, Zyxel 660, and activate loopback with the command:
> "ip nat loopback on"

Where do you enter that and why? What is the thing _you_ call a
loopback? On what device or machine does it exist? You don't seem to be
talking about the "ifup" tool (since you talk about "ip", which however
does not know the "nat" mode?!?), and you don't seem to be talking
about the lo device either.

> the ask is:
> it is into gentoo linux  with iptables ?

Errm, again: What? Setting up your loopback device on gentoo is done
automatically by /etc/init.d/net.lo. It should be run on bootup by rc;
check "rc-update show".

Setting up NAT works using a sysctl (or the procfs). Restricting the
NAT works using iptables.

> the compiler module especial for function?

Errm... Again, not sure what you are asking here... Yes, you need
kernel modules for NAT to work, as well as netfilter modules for the
chains, targets and matches you want to use with iptables. They
don't really have to be modules, you can compile them statically into
the kernel as well.

If unsure, rephrase your question -- and be a bit more verbose on what
you intend to do... A bit more information might as well cure lack of
proper vocabulary... Give examples, try to describe the setting.

-hwh



Re: [gentoo-user] loopback into gentoo iptables

2007-10-05 Thread Hans-Werner Hilse
Hi,

On Fri, 5 Oct 2007 17:23:38 -0500
Dan Farrell <[EMAIL PROTECTED]> wrote:

> > Setting up NAT works using a sysctl (or the procfs). Restricting the
> > NAT works using iptables.
> 
> I don't think that's quite right.  Correct me if i'm wrong (please) but
> this should read, 
> 
>   "Setting up forwarding works using a sysctl... and configuring
>   and restricting the NAT works using iptables"
> 
> Network Address Translation is taken care of by iptables itself, not
> just firewalled that way.  

Thanks, I missed that, of course you're right! NAT would be
masquerading, and that's in fact netfilter/iptables' job. I was
probably just thinking about routing/forwarding in general...

-hwh



Re: [gentoo-user] linux-headers

2007-10-07 Thread Hans-Werner Hilse
Hi,

On Sat, 6 Oct 2007 23:38:33 -0700
"Hex Star" <[EMAIL PROTECTED]> wrote:

> There is no harm in doing so :)

If you say such things, please add a short explanation of what makes you
think that. After all this isn't IRC.

In fact, I would not suggest doing that. While kernel developers do
their best not to break existing interfaces unless they have a real
urge, the picture also might get bigger, i.e. more or different APIs.
So I would not suggest running a userland based on headers with a
higher version than the actual kernel. Although I have to admit that I
don't know if there are candidates for unexpected behaviour and what
those might be.

-hwh



Re: [gentoo-user] linux-headers

2007-10-08 Thread Hans-Werner Hilse
Hi,

On Mon, 8 Oct 2007 00:44:21 +0200
Volker Armin Hemmann <[EMAIL PROTECTED]> wrote:

> ok, example. I might be totally wrong, so don't believe me:
> The splice system call was added with 2.6.17 and corresponding headers.
> If you build an application that has optional (on compile time) support
> for this, but downgrade the headers after that to say... 2.6.10 you might
> see funny stuff happening.

Nah, you won't. Nothing depends on the headers at runtime, they just
matter at compile time. After downgrading, when you compile new stuff,
it will use the now older headers, i.e. it will probably rely on older
feature sets.

Whether the software compiled against newer headers will still work
depends solely on the kernel. In your example, when you also decide to
run a 2.6.10 kernel, then the software relying on newer features (due
to the newer headers on compile time) will have problems.

> Headers are backward compatible, not forward compatible.

That's not true the way you have put it. But it is a misleading thing,
all this. The _kernel_ has a backward compatible interface to userland
(most of the time, and almost definitely regarding the syscalls).
That's why you can still run that old statically compiled binary from
19-you-know-what. The _headers_, on the other hand, belong more to the
userland software camp. They are what userland knows about the kernel
at compile time. So _if_ the kernel keeps backward compatibility, the
_headers_ are forward compatible.
(The underscoring is meant as emphasis, but not to be harsh)

> glibc is similar - just try to downgrade glibc. You can't, portage won't
> allow it.

That's the same for downgrading the kernel and it works the same:
Userland is compiled against newer glibc headers.

-hwh

(It's all somewhat complicated, that's why I thought the short
one-liner wasn't a definite answer...)



Re: [gentoo-user] apache: Directory index forbidden by Options directive

2007-10-08 Thread Hans-Werner Hilse
Hi,

On Mon, 8 Oct 2007 15:25:23 +0200
Arnau Bria <[EMAIL PROTECTED]> wrote:

> You're right, I needed index.php... but now php does not work!!!
>  
> I'm looking for some info in gentoo wiki and I think I have all fine:
> 
> APACHE2_OPTS="-D DEFAULT_VHOST -D SSL -D PHP5" 
> in conf.d/apache

And you have Apache config files that actually still use those
Defines? (i.e. those that were installed with the new Apache)

-hwh



Re: [gentoo-user] linux-headers

2007-10-09 Thread Hans-Werner Hilse
Hi,

On Mon, 08 Oct 2007 18:50:56 -0400 Allan Gottlieb <[EMAIL PROTECTED]>
wrote:

> Does that mean I am at some risk with headers at a higher version than
> the kernel?  I followed the advice at the end of the headers emerge
> and remerged glibc.

Most probably no danger here. The interfaces of the kernel seldom
change so radically that a John Doe user would have to care. Also, most
software is supposed to leave the kernel headers alone anyway. And you
took care of glibc, so that's probably not going to cause headaches.
Since that was a re-emerge, it won't produce a new interface for
userland.

I just explained why I found the first answer to your question somewhat
lacking in argumentation, and the further answers to my post then were
just plain wrong. The moral is to never believe people who just claim
stuff without giving a good reasoning.

-hwh



Re: [gentoo-user] cyrus-imapd: DBERROR db4: Database handles still open at env

2007-10-10 Thread Hans-Werner Hilse
Hi,

On Wed, 10 Oct 2007 11:52:25 +0200 Arnau Bria <[EMAIL PROTECTED]>
wrote:

> Error occurred while processing mail:
> -ERR [SYS/PERM] Error initializing TLS
> 
> 
> and I see this in log files:
> 
> Oct  5 18:22:21 afrodita pop3[14410]: DBERROR db4: Database handles still open at environment close
> Oct  5 18:22:21 afrodita pop3[14410]: DBERROR db4: Open database handle: /var/imap/tls_sessions.db

Did you try to remove that file? It should probably get recreated on
next start. (Don't kill it now, just move it away for testing and then
try starting Cyrus)

-hwh



Re: [gentoo-user] alsa problem

2007-10-10 Thread Hans-Werner Hilse
Hi,

On Wed, 10 Oct 2007 11:04:11 +0800
"Chuanwen Wu" <[EMAIL PROTECTED]> wrote:

> I just set up Gentoo on my dell1400 laptop, and until now the sound
> problem is not solved yet.
> 
> Here is the problem:
> $ aplay 01.mp3
> ALSA lib pcm_dmix.c:864:(snd_pcm_dmix_open) unable to open slave
> aplay: main:545: audio open error: No such file or directory

This indicates that the dmix module (NOT kernel, but alsa-lib!) might
be missing.

I ran into some similar problems, I think they modified the way
alsa-lib is configured and made it more fine-grained. Missing an
ALSA_PCM_PLUGINS setting in my /etc/make.conf, I had no plugins at all.

So I suggest checking your /etc/make.conf, and if that setting is not
present and you want minimum hassle, append this line to /etc/make.conf:
---snip
ALSA_PCM_PLUGINS="adpcm alaw copy dshare dsnoop extplug file hooks ladspa 
lfloat linear meter mulaw multi null rate route share shm"
---snip
(works for me)
then re-emerge alsa-lib.

> And here is my hardware:
> [...]

looks OK.

-hwh



Re: [gentoo-user] Easy way to know its public IP address

2007-10-11 Thread Hans-Werner Hilse
Hi,

On Thu, 11 Oct 2007 14:43:15 +0200 Marc LEURENT <[EMAIL PROTECTED]> wrote:

> I would like to know how it is possible to quickly know one's public IP
> address behind a NAT from the console... I'm using links + a My IP
> search but it sucks

You can craft a similar service that just reports the querying IP. You
can e.g. do without the HTTP protocol and just set up a simple server,
e.g. using ucspi-tcp, which sets the TCPREMOTEIP environment variable.

Then you can just use netcat. Of course, for all this you'll need a
server on the net.

OTOH, you could just ask your gateway, if there are means for that (you
didn't tell us anything about it).

And what different methods of NAT are you talking about in this context?


-hwh
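The "report the querying IP" service sketched in the reply, as an added example (not from the thread): a script meant to run as a tcpserver child, where ucspi-tcp hands the peer address to the child in TCPREMOTEIP and connects the socket to stdin/stdout. The port 7777 and the script name are assumptions; the client side is plain netcat:

```shell
#!/bin/sh
# whatsmyip.sh (assumed name): added example, not from the thread.
#
# Server:  tcpserver -c 10 -H -R 0 7777 sh /path/to/whatsmyip.sh
#          (-c caps concurrent children, -H skips the reverse DNS lookup,
#           -R skips the IDENT query; both keep the answer fast)
# Client:  nc your.server.example 7777      (hostname is a placeholder)

# client_ip: the peer address from TCPREMOTEIP, accepted only as a dotted
# IPv4 quad with octets 0..255. Prints it and returns 0, or prints nothing
# and returns 1, so nothing unexpected from the environment is ever echoed
# back to the socket.
client_ip() {
    ip="${TCPREMOTEIP:-}"
    case "$ip" in
        ""|.*|*.|*..*|*[!0-9.]*) return 1 ;;
    esac
    # Split on dots (word splitting is intended here): exactly four octets.
    set -- $(printf '%s' "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] 2>/dev/null || return 1
    done
    printf '%s\n' "$ip"
}

# respond: one connection's worth of service. Writes the address (or
# "unknown") to stdout, which tcpserver has connected to the client.
respond() {
    if ip=$(client_ip); then
        printf '%s\n' "$ip"
    else
        printf 'unknown\n'
        return 1
    fi
}

# tcpserver sets TCPREMOTEIP for its child; when it is absent we are not
# serving a connection and only define the functions above.
if [ -n "${TCPREMOTEIP:-}" ]; then
    respond
fi
```

tcpserver fills TCPREMOTEIP itself from the accepted socket, so the validation in client_ip is there for the case where the script is launched by something else, or by mistake with an environment of its own; it costs nothing and keeps the script from echoing arbitrary text.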



Re: [gentoo-user] alsa problem

2007-10-11 Thread Hans-Werner Hilse
Hi,

On Thu, 11 Oct 2007 23:53:42 +0800
"Chuanwen Wu" <[EMAIL PROTECTED]> wrote:

> I can't find the /dev/dsp :
> # ls /dev/dsp
> ls: cannot access /dev/dsp: No such file or directory
> 
> My os is a 64bit gentoo, so may it be the problem?

No, /dev/dsp is OSS stuff. Aplay shouldn't use that. But it makes me
wonder whether snd_pcm_oss is loaded?

Anyway, that shouldn't bother us here, that's not used by aplay. (BTW:
For me, aplay will play noise when trying to play an MP3, but at least
it *does* play something)

Do you by chance have some older /etc/asound.* files around? Did you
try re-running alsaconf?

If all this doesn't work, try running strace on the aplay process (call
"strace aplay") and post back some output. Also, the contents
of /proc/asound/cards and /proc/asound/devices might be interesting.

-hwh


