Re: Hundredweight was Re: UK Money, again

2003-07-01 Thread muppet
On Tuesday, July 1, 2003, at 05:59 AM, Tom Hukins wrote:

http://people.freebsd.org/~tom/tmp/units/


i've always loved the sound of yottabyte.  yotta yotta yotta.

anyway, i read these aloud to my wife:

" kbyte1024 byte
 megabyte   1024 kbyte
 gigabyte   1024 megabyte
+terabyte   1024 gigabyte
+petabyte   1024 terabyte
+exabyte1024 petabyte
+zettabyte  1024 exabyte
+yottabyte  1024 zettabyte"
her reply: "that bytes."




Re: [ot] Mounting Unix Drives in Windows

2003-07-01 Thread muppet
On Tuesday, July 1, 2003, at 05:38 AM, Dave Cross wrote:

1/ How much chance is there that a Samba installation will cause
problems? How stable is Samba?
i've been using samba at my job for four years.  i started using it to 
share a single filesystem to unix, windows, and mac clients (also had 
nfs and appletalk on the same box[1]).  the IT people never figured out 
that it wasn't a windows machine, and windows users never knew any 
different.  when the company started getting hit by nimda, the samba 
logs helped me track down fifty to a hundred infected machines (set the 
log level up to 3 and then grep the logs every hour for ntoskrnl.exe, 
and whoever made that request was infected -- 100% success rate on that 
one).

turns out, other IT peeps at my company were using samba on solaris and 
samba on AIX to provide what nearly everyone thought were huge NT 
servers... but actually, the unix machines were on a large tape backup 
network...

when i worked at my university, we used samba to serve the students' 
web directories to them via authenticated samba from a big solaris box.

samba is the strong, silent type.  it always works, it's always good, 
people are always fixing it... but it gets none of the hype surrounding 
apache and linux.

of course, all this anecdotal evidence doesn't help you secure a 
contract.  instead, secure a *person* who knows samba (or is willing to 
learn) and dedicate that person to support of that server.  do it 
clandestinely, experiment, get a feel for how well it performs.  deploy 
more servers in secret.  *then* ask your services guys to support 
samba; when they balk and claim it's not production strength, you can 
surprise them -- "you've been soaking in it, and we haven't had any 
problems!"


2/ Is there anyone that will provide a commercial support contract
for Samba?
dunno, i've never needed it.


3/ Are there any other solutions we can look at - like, perhaps,
an NFS client for Windows?
you will be uniformly disappointed.  somebody already mentioned 
hummingbird --- i can't say i was impressed.  other options, like sftp, 
are nowhere near as simple and no-thought-required to use.  you may 
wish to check whether somebody's commercial offering is really just 
some decorations surrounding samba.

[1] the actual task was to integrate a mac into a hard-core windows 
shop (former ibm peoples).  i was told by some IT people that macs 
can't be networked (i am not making this up).  others told me that the 
only solution was something called "dave", which either served 
appletalk from NT or smb from mac os9, i can't remember which, but was 
very expensive.  the linux machine was far and away the best solution, 
and nobody knew any different until IT people called me up to make sure 
i had antivirus software up to date on my server.
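
The hourly log sweep described in the message above, as an added example that is not part of the original post. It assumes Samba writes one log per client (`log file = <dir>/log.%m`); the log lines in the demo are constructed placeholders, not real Samba output.

```shell
#!/bin/sh
# Added example: hourly sweep of per-client Samba logs for one indicator string.
# Assumption: smb.conf has "log file = <dir>/log.%m", so every client's
# requests land in a file named after that client.

# sweep_logs LOGDIR INDICATOR STATEFILE
# Prints each client whose log mentions INDICATOR and that has not been
# reported before, then remembers it in STATEFILE for the next run.
sweep_logs() {
    logdir=$1 indicator=$2 state=$3
    [ -d "$logdir" ] || { echo "no such log directory: $logdir" >&2; return 2; }
    [ -f "$state" ] || : > "$state"
    for f in "$logdir"/log.*; do
        [ -f "$f" ] || continue
        client=${f##*/log.}
        client=${client%.old}               # rotated copy of the same client's log
        case $client in
            smbd|nmbd|winbindd) continue ;; # daemon logs, not clients
        esac
        # -F: fixed string, so the dot in the file name is not a regex wildcard
        # -i: clients do not agree on the case of file names
        grep -F -i -q -- "$indicator" "$f" || continue
        # already reported on an earlier run (or via the rotated file)
        grep -F -x -q -- "$client" "$state" && continue
        echo "$client" >> "$state"
        echo "$client"
    done
}

# Demo on constructed data: two client logs, one of which names the file.
demo_dir=$(mktemp -d)
printf '%s\n' 'constructed line: request for NTOSKRNL.EXE' > "$demo_dir/log.pc-accounts"
printf '%s\n' 'constructed line: request for report.doc'   > "$demo_dir/log.pc-design"
echo "first run:";  sweep_logs "$demo_dir" ntoskrnl.exe "$demo_dir/seen"
echo "second run:"; sweep_logs "$demo_dir" ntoskrnl.exe "$demo_dir/seen"
rm -rf "$demo_dir"
```

The state file is what makes an hourly cron run usable: each run prints only machines that have not been reported yet.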




Re: [ot] Mounting Unix Drives in Windows

2003-07-01 Thread muppet
On Tuesday, July 1, 2003, at 05:46 AM, Alex Hudson wrote:

You would have to be an a-class muppet though.
/me pouts

now i see how you really feel about me.  i'm going to take my ball and 
go home.





RE: Using LWP for protected pages

2003-07-01 Thread Colin Magee
Wow -

Thanks for the advice, but I think I'm getting in over my head in terms of
my level of knowledge and expertise!  This looks hellish complicated if you
don't already understand all the options/ technologies...   Perhaps there is
a simpler way which someone could offer advice on which I might find easier
to implement:

Previously (before the racingpost website required registration), I had used
perl to call out to lynx in order to dump the url's text or source out to a
file, then used Perl again read the file back in and extract the required
information and/or find further urls and repeat the process to extract the
required information.

Now I notice that lynx has a "-auth:ID:PWD" argument in its standard
documentation for sites where authorisation is required.  I just tried it
with my login details via the shell prompt and it didn't work for this site;
does anyone know if it is possible to use this option in this context and if
so what I must do (other than replacing ID above with login name and PWD
with the password I'm using) to make it work (the man page just shows the
above arguments).

Thanks
Colin Magee



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Paul Johnson
Sent: 01 July 2003 19:23
To: [EMAIL PROTECTED]
Subject: Re: Using LWP for protected pages


On Sun, Jun 29, 2003 at 10:45:51PM +0100, Leon Brocard wrote:
> Paul Johnson sent the following bits through the ether:
>
> > Anyone got any time to write a Javascript library and integrate it into
> > WWW:Mechanize?
>
> Handily, the mozilla guys went and wrote a JavaScript library for us:
> http://www.mozilla.org/js/spidermonkey/
>
> And waddaya know, it already has a Perl wrapper:
> http://search.cpan.org/author/CLAESJAC/JavaScript/
>
> Now it's just a simple matter of programming ;-), Leon

Yes, I did consider that option, but my tuits were incompatible with the
SMOP.  In particular it looks like quite a reasonably sized job messing
about with variables in different frames.  (I'm sure I have the
terminology wrong here.)

Another thing I had to do was make sure that the secure connection was
reused, which is something the ssh library that LWP uses cannot do.  I'd
love to be able to find some time to clean up the hack and get a patch
out.

--
Paul Johnson - [EMAIL PROTECTED]
http://www.pjcj.net




[OT] Yet more on UK Money...

2003-07-01 Thread Luis Campos de Carvalho
  Ladies and gentlemen

  (Finally) I'm thinking seriously about moving to the UK (before winter, 
if all goes well).

  Why? Simple: I'm tired of knowing about the list's social meetings and 
not being able to show myself up. =-]

  Can you please tell me about London, where to stay, what to eat, 
employment, social life, where to study and related things? I would love 
to read your considerations and comments.

  Thank you very much.
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  Luis Campos de Carvalho
  Computer Scientist,
  Unix Sys Admin & Certified Oracle DBA
  http://br.geocities.com/monsieur_champs/
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
PS: Please include me in the presence list for the december, 4 social 
meeting! =-]




Re: [ot] Mounting Unix Drives in Windows

2003-07-01 Thread Andrew Beattie
Microsoft themselves do http://www.microsoft.com/windows/sfu/
which has an NFS client. It's about as supported as all the other Windows
products :)
You can even ask for a 90day eval disk with training material on it.
Microsoft consider telnet to be part of sfu, so when your 90 days
are up you lose [the rather sucky] MS telnet.
Andrew




Re: [Cool] [Nice] [Shiny] [Makes me want to dance[4]] Dave's Recursive Footnotes

2003-07-01 Thread David Cantrell
On Thursday, June 26, 2003 9:42 -0300 Luis Campos de Carvalho 
<[EMAIL PROTECTED]> wrote:
David H. Adler wrote:
On Mon, Jun 30, 2003 at 11:33:39AM -0300, Luis Campos de Carvalho wrote:
Dave Cross wrote:
[1] Which I heartily recommend if you haven't already read it[2].
[2] In fact, read all[3] of McEwan's books whilst you're at it.
The man's a bloody star.
[3] Except perhaps "Atonement". Not enjoying that as much as
the others.
 Hey! Look at it! It's recursive footnotes! Is there any Perl Module
to handle this? (perhaps in TeX?)
Surely, this is cascading, rather than recursive... :-)
   Ops! Sorry, wrong word! You're right! "Cascading" was the word that I
was looking for...
Hoorah! We love cascades!

[1] NMF
[2] NMF
[3] NMF
[4] This is a lie
--
David Cantrell


Re: Using LWP for protected pages

2003-07-01 Thread Paul Johnson
On Sun, Jun 29, 2003 at 10:45:51PM +0100, Leon Brocard wrote:
> Paul Johnson sent the following bits through the ether:
> 
> > Anyone got any time to write a Javascript library and integrate it into
> > WWW:Mechanize?
> 
> Handily, the mozilla guys went and wrote a JavaScript library for us:
> http://www.mozilla.org/js/spidermonkey/
> 
> And waddaya know, it already has a Perl wrapper:
> http://search.cpan.org/author/CLAESJAC/JavaScript/
> 
> Now it's just a simple matter of programming ;-), Leon

Yes, I did consider that option, but my tuits were incompatible with the
SMOP.  In particular it looks like quite a reasonably sized job messing
about with variables in different frames.  (I'm sure I have the
terminology wrong here.)

Another thing I had to do was make sure that the secure connection was
reused, which is something the ssh library that LWP uses cannot do.  I'd
love to be able to find some time to clean up the hack and get a patch
out.

-- 
Paul Johnson - [EMAIL PROTECTED]
http://www.pjcj.net



Re: Linux firewall / web server

2003-07-01 Thread David Cantrell
On the subject of Linux firewalls, a friend who's a security wookie for a 
large insuranceco has been evaluating Astaro over the past few weeks.  He 
is most impressed.  .

Some of his comments can be found in his journal here: 
.

--
David Cantrell


Re: UK Moneyngton, again

2003-07-01 Thread Toby Corkindale
On Thu, Jun 26, 2003 at 07:43:14PM +0100, David Cantrell wrote:
> >For shame, Mr. Devers! Oh, for shame! The Manchurian Gambit of 1978 has
> >been considered obsolete since 1981, after Lt. Col. Charles Monkfish
> >(rtd.) demonstrated that no feathers could exist at King's Cross station
> >without being attached to a pigeon.
> >
> >In the words of Monkfish himself: "Like, duh!"
> 
> This subthread has reminded me - is platform 9.75 permitted under the 
> current rules?  My gaming group couldn't decide, so we treat it like a 
> clone of platform 9, but this seems inelegant.

I believe the highly unpopular third edition rules included a requirement that
in case of fractions, they be rounded to the nearest integer. In the fourth
edition, this change was rolled back to the prior standard of rounding by
truncation to the lower whole integer.

I know this doesn't result in a solution which is more elegant, but it does
give you some leeway to exploit this little-known rule when playing under the
appropriate editions of the ruleset.

-Toby

-- 
Turning and turning in the widening gyre
The falcon cannot hear the falconer;
Things fall apart, the centre cannot hold;
Mere anarchy is loosed upon the world.



Re: UK Money, again

2003-07-01 Thread Toby Corkindale
On Thu, Jun 26, 2003 at 03:31:31PM +, the hatter wrote:
> Another obscure but official unit which I occasionally use in the correct
> context is a jiffy, as in "just a jiffy", which is actually 1/50th (or
> occasionally 1/60th of a second depending on what video standard you're
> using)

Hmm.. Have you checked what the Linux kernel source thinks about jiffies
recently?

tjc

-- 
Turning and turning in the widening gyre
The falcon cannot hear the falconer;
Things fall apart, the centre cannot hold;
Mere anarchy is loosed upon the world.



Re: XML::LibXML::Common encodeToUTF8() annoyances

2003-07-01 Thread Toby Corkindale
On Thu, Jun 26, 2003 at 12:35:42AM +0100, Andrew Wilson wrote:
> On Wed, Jun 25, 2003 at 11:00:54AM -0700, Toby Corkindale wrote:
> > Gah! my head->wall;
> 
> Your head has a wall method!  What does it do?

hurt...




Re: Linux firewall / web server

2003-07-01 Thread Chris Benson
On Tue, Jul 01, 2003 at 01:21:03PM +0100, Shevek wrote:
> 
> # yadda - note -s/-d rather than -i/-o - but we don't have to think about 
> # this from now on. We do have a standard validation chain somewhere, 
> # don't worry.
> FROM_DMZ="-s $NETWORK_DMZ"
> TO_DMZ="-d $NETWORK_DMZ"
[... sample script ...]

I had several issues with the firewall (shell) scripts I looked at:

* they approached/exceeded the length of the rules they output: not much
 saving in labour there.

* one extra/missing quote and the script dies (and we're talking about
scripts that are being edited by chimps): which led me to:

* I wanted an input file I could validate and die() on error instead of
half-way through creating the rules.

Shevek's use of variable names makes his a lot more readable than one
script I saw that looked like a shell obfuscation entry from a .BAT writer ...
but still, one typo and you're dead.

Not that I'm happy with my config-file, but I can say things like:

define $INTERNAL eth0
define $EXTERNAL ippp+
define $DEMON_SMTP_NET 1.2.3.4/24
define $ANY all 0:65355

nat $EXTERNAL 

in_ext counts tcp http
in_ext do connected
in_ext accepts tcp smtp -s $DEMON_SMTP_NET; ssh;
# be nasty - no-one should be trying me for these
in_ext mirror all portmap; netbios-ns; netbios-dgm; netbios-ssn; ftp; printer; telnet
in_ext log "DROPPING:in_ext " 
in_ext drop

count_in counts tcp domain; smtp; http;
count_in counts udp domain; 

on forward from $INTERNAL to $EXTERNAL do fwd_int_ext
on forward from $EXTERNAL to $INTERNAL do fwd_ext_int
on forward log "DROPPING:forward "
# policy is drop
 
on input from lo accept 
on input from $INTERNAL do in_int
on input from $EXTERNAL do in_ext
on input log "DROPPING:input " 
# policy is drop

on output to lo accept
on output to $INTERNAL do out_int
on output to $EXTERNAL do out_ext
on output log "DROPPING:output "
# policy is drop

That gives me 
gamma:~ # wc -l /etc/firewall.conf
130 /etc/firewall.conf
gamma:~ # setup-firewall /etc/firewall.conf | wc -l
201
gamma:~ #
-- 
Chris Benson



[Fwd: RE: Sybase: declare @foo, select @foo Question/HELP!]

2003-07-01 Thread Raf


Ivor Williams said:
...
>> -Original Message-
>> From: Raf [mailto:[EMAIL PROTECTED]
...
>> I've got a :
>>
>> declare @foo int
>> select @foo=(some subselect)
>>
>> insert into table(f1, .. fn) values (v1, ...(select @foo),..vn)
>>
>> insert into table2(f1, ..., fn) values (v1...(select @foo),..vn)
>>
>
> Why do you want a select on @foo?
>
> @foo is a single (scalar) int

I was trying to avoid another flood of insert_id mails.

It's simply:
   
   @foo=(select @@identity)
with that identity being inserted in a foreign key on each of the
subsequent tables.  I keep it in @foo, to avoid being clobbered by
subsequent @@identities.

>
> Presumably you want something like
> insert into table(f1, .. fn) values (v1, ... @foo, ..vn)

I'll give that a whirl.  I thought that I had to select the local
variable. Hmm.  I just tried it and I get:

DBD::Sybase::db do failed: Server message number=137 severity=15 state=2
line=9 server=pelican procedure=DBD6a text=Must declare variable
'@last_insert'.

Thus, I'm assuming that @foo falls out of scope at some stage.
Why?  How?

Please help?

Cheers,

R.






Re: Linux firewall / web server

2003-07-01 Thread Ben
> > > Anyway, even having looked at filtergen, who really gives a toss if it 
> > > came in on eth0? That's assembly programming for firewalls. What everyone 
> > > really wants to say is, "If it is going to our company web server, let it 
> > > in." and "eth0" is so far separated from any such concept that I disagree 
> > > that "eth0" should EVER appear in a firewall, regardless of how clever the 
> > > syntax.
> > 
> > Nonsense. I am *very* interested in knowing which interface a packet that
> > *claims* to come from my internal network was received on. 
> 
> Note that I stated that there was a validation chain. 

Yes, of course you did. I missed that on first reading, sorry. Post-Glastonbury
and all that *waves hands*.

I'd still rather have all the rules in one place, than separate chains and so on.
People have been known to become confused and have conceptual problems with chains,
etc.

This may say more about the people I have administering firewalls than anything,
though. 

Ben



Sybase: declare @foo, select @foo Question/HELP!

2003-07-01 Thread Raf
Hi,

I need some help here.  I'm using DBD::Sybase and am trying to run a
transaction.  It's got a bunch of inserts in it and somewhere near the top
I've got a :

declare @foo int
select @foo=(some subselect)

insert into table(f1, .. fn) values (v1, ...(select @foo),..vn)

insert into table2(f1, ..., fn) values (v1...(select @foo),..vn)

type thing.

I set AutoCommit to 0 and then iterate through an array of these with my
$dbh->do.

What I get though is an error stating that I must 'first declare @foo',
when it starts to run through the inserts which (select @foo).

Does anyone know how to do this correctly?
I can run it through ISQL, however

Cheers,

Raf





Re: Linux firewall / web server

2003-07-01 Thread Shevek
On Tue, 1 Jul 2003, Ben wrote:

> On Tue, Jul 01, 2003 at 01:21:03PM +0100, Shevek wrote:
> > On Tue, 1 Jul 2003, Ben wrote:
> > Anyway, even having looked at filtergen, who really gives a toss if it 
> > came in on eth0? That's assembly programming for firewalls. What everyone 
> > really wants to say is, "If it is going to our company web server, let it 
> > in." and "eth0" is so far separated from any such concept that I disagree 
> > that "eth0" should EVER appear in a firewall, regardless of how clever the 
> > syntax.
> 
> Nonsense. I am *very* interested in knowing which interface a packet that
> *claims* to come from my internal network was received on. 

Note that I stated that there was a validation chain. This means that once 
a packet is validated to have come from a correct interface, you can and 
should then be forgetting entirely about interfaces and talking in logical 
terms only. Otherwise, we might as well all go back to programming in 
assembler.

All these "claims" should be sorted out before proceeding with the 
firewall at all.

S.

-- 
Shevek    http://www.anarres.org/
I am the Borg. http://www.gothnicity.org/



Re: [Cool] [Nice] Dave's Recursive Footnotes

2003-07-01 Thread Luis Campos de Carvalho
David H. Adler wrote:
On Mon, Jun 30, 2003 at 11:33:39AM -0300, Luis Campos de Carvalho wrote:

Dave Cross wrote:


[1] Which I heartily recommend if you haven't already read it[2].
[2] In fact, read all[3] of McEwan's books whilst you're at it.
The man's a bloody star.
[3] Except perhaps "Atonement". Not enjoying that as much as
the others.
 Hey! Look at it! It's recursive footnotes! Is there any Perl Module 
to handle this? (perhaps in TeX?)


Surely, this is cascading, rather than recursive... :-)
  Ops! Sorry, wrong word! You're right! "Cascading" was the word that I 
was looking for...

  Thank you very much!
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  Luis Campos de Carvalho
  Computer Scientist,
  Unix Sys Admin & Certified Oracle DBA
  http://br.geocities.com/monsieur_champs/
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=



Re: Linux firewall / web server

2003-07-01 Thread Ben
On Tue, Jul 01, 2003 at 01:21:03PM +0100, Shevek wrote:
> On Tue, 1 Jul 2003, Ben wrote:
> 
> > On Tue, Jul 01, 2003 at 12:47:40PM +0100, Shevek wrote:
> > > I do not understand the need for [the added complexity and perversion
> > > of] [firewall rule management] packages since it is perfectly possible
> > > to write something almost syntactically identical in the shell anyway
> > > using a few shell variables.
> > 
> > I disagree. The syntax of something like filtergen is obvious at a glance,
> > and greatly simplifies the audit process. The filtergen rules can be audited
> > and seen to be correct by someone who is a great deal less competent and
> > knowledgable than the person who wrote them (but who has to support them).
> > 
> > I submit that the case where a system is maintained and supported by people
> > less gifted / experienced than those who architected and built it is
> > sufficiently common that tools that make this easier are useful. 
> > 
> > But, in any case, I'd be interested in seeing the shell stuff that you'd use 
> > to accomplish this task.
> 
> The second point does rather destroy the validity of the first!

Hardly. I'm always interested in alternatives to my current way of doing things
to see if improvements can be made, or if I've missed out on interesting
things. 
 
> Anyway, even having looked at filtergen, who really gives a toss if it 
> came in on eth0? That's assembly programming for firewalls. What everyone 
> really wants to say is, "If it is going to our company web server, let it 
> in." and "eth0" is so far separated from any such concept that I disagree 
> that "eth0" should EVER appear in a firewall, regardless of how clever the 
> syntax.

Nonsense. I am *very* interested in knowing which interface a packet that
*claims* to come from my internal network was received on. 

[snip code example]

Well, yes, you can do that, but for a rulebase of the complexity on the order 
of what I want, this is going to degenerate into an unmaintainable quagmire.

In fact, when one of my SAs decided it would be good to try and remove
filtergen and "just have an rc.firewall script instead" it *was* an 
unmaintainable quagmire.
 
Ben



Re: Linux firewall / web server

2003-07-01 Thread Shevek
On Tue, 1 Jul 2003, Ben wrote:

> On Tue, Jul 01, 2003 at 12:47:40PM +0100, Shevek wrote:
> > I do not understand the need for [the added complexity and perversion
> > of] [firewall rule management] packages since it is perfectly possible
> > to write something almost syntactically identical in the shell anyway
> > using a few shell variables.
> 
> I disagree. The syntax of something like filtergen is obvious at a glance,
> and greatly simplifies the audit process. The filtergen rules can be audited
> and seen to be correct by someone who is a great deal less competent and
> knowledgable than the person who wrote them (but who has to support them).
> 
> I submit that the case where a system is maintained and supported by people
> less gifted / experienced than those who architected and built it is
> sufficiently common that tools that make this easier are useful. 
> 
> But, in any case, I'd be interested in seeing the shell stuff that you'd use 
> to accomplish this task.

The second point does rather destroy the validity of the first!

Anyway, even having looked at filtergen, who really gives a toss if it 
came in on eth0? That's assembly programming for firewalls. What everyone 
really wants to say is, "If it is going to our company web server, let it 
in." and "eth0" is so far separated from any such concept that I disagree 
that "eth0" should EVER appear in a firewall, regardless of how clever the 
syntax.

IPADDR_EXT=62.49.9.94
NETDEV_EXT=eth0
NETWORK_EXT=62.49.9.80/28
BROADCAST_EXT=62.49.9.95
FROM_EXT="-i $NETDEV_EXT"
TO_EXT="-o $NETDEV_EXT"

# yadda - note -s/-d rather than -i/-o - but we don't have to think about 
# this from now on. We do have a standard validation chain somewhere, 
# don't worry.
FROM_DMZ="-s $NETWORK_DMZ"
TO_DMZ="-d $NETWORK_DMZ"

# yadda
FROM_INT="-s $NETWORK_INT"
TO_INT="-d $NETWORK_INT"

# yadda

iptables -A FORWARD $FROM_INT   $TO_DHCP  -j intdhcp
iptables -A FORWARD $FROM_INT   $TO_DMZ   -j intdmz
iptables -A FORWARD $FROM_INT   $TO_EXT   -j intext

iptables -A FORWARD $FROM_DHCP  $TO_INT   -j dhcpint
iptables -A FORWARD $FROM_DHCP  $TO_DMZ   -j dhcpdmz
iptables -A FORWARD $FROM_DHCP  $TO_EXT   -j dhcpext

iptables -A FORWARD $FROM_DMZ   $TO_INT   -j dmzint
iptables -A FORWARD $FROM_DMZ   $TO_DHCP  -j dmzdhcp
iptables -A FORWARD $FROM_DMZ   $TO_EXT   -j dmzext

iptables -A FORWARD $FROM_EXT   $TO_DMZ   -j extdmz

And now we're into the realm of specific hosts, which can be handled in 
exactly the same way.

Actually, with a few more shell variables, you could achieve considerably
more. I'm sure that if you showed me the syntax of any filtergen-like
package, I could construct suitable shell variables for something which 
was, as I originally claimed, "almost syntactically identical".

S.

-- 
Shevek    http://www.anarres.org/
I am the Borg. http://www.gothnicity.org/
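
Added example, not taken from Shevek's script or Chris Benson's generator: shell that checks a whole zone table before printing a single rule, the property Chris Benson asks for above, and then prints a validation chain of the kind Shevek refers to, where a source address is only believed on its own zone's interface. The zone table, the chain name `validate` and the log prefix are assumptions; the commands are printed, not executed.

```shell
#!/bin/sh
# Added example. Zone names, interfaces and networks are constructed.
# One zone per line: name interface network/prefix
ZONES='int eth1 192.168.1.0/24
dmz eth2 192.168.2.0/24'

# valid_cidr A.B.C.D/N: succeed only for four octets 0-255 and a prefix 0-32.
valid_cidr() {
    case $1 in */*) ;; *) return 1 ;; esac
    addr=${1%/*}
    len=${1#*/}
    case $len in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    case $addr in ''|*[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# check_zones TABLE: report every problem on stderr, fail if there was one.
check_zones() {
    errors=0 lineno=0 seen=' '
    while read -r name ifc net extra; do
        lineno=$((lineno + 1))
        [ -z "$name" ] && continue
        if [ -z "$net" ] || [ -n "$extra" ]; then
            echo "line $lineno: want 'name interface network/prefix'" >&2
            errors=$((errors + 1))
            continue
        fi
        case $ifc in *[!A-Za-z0-9+._-]*)
            echo "line $lineno: bad interface name '$ifc'" >&2
            errors=$((errors + 1)) ;;
        esac
        valid_cidr "$net" || {
            echo "line $lineno: bad network '$net'" >&2
            errors=$((errors + 1))
        }
        case $seen in *" $name "*)
            echo "line $lineno: zone '$name' defined twice" >&2
            errors=$((errors + 1)) ;;
        esac
        seen="$seen$name "
    done <<EOF
$1
EOF
    [ "$errors" -eq 0 ]
}

# emit_validation_chain TABLE: print the rules only if the whole table is sane,
# so a typo can never leave a half-built ruleset behind.
emit_validation_chain() {
    check_zones "$1" || { echo "config rejected, no rules emitted" >&2; return 1; }
    echo "iptables -N validate"
    printf '%s\n' "$1" | while read -r name ifc net; do
        [ -z "$name" ] && continue
        # a source address from this zone is only believable on this interface
        echo "iptables -A validate -s $net ! -i $ifc -j LOG --log-prefix \"SPOOF:$name \""
        echo "iptables -A validate -s $net ! -i $ifc -j DROP"
    done
    echo "iptables -A validate -j RETURN"
    # validation runs first; later chains can then match on addresses alone
    echo "iptables -I INPUT 1 -j validate"
    echo "iptables -I FORWARD 1 -j validate"
}

emit_validation_chain "$ZONES"
```

An unset or misspelled shell variable in a hand-written rule expands to nothing and silently widens the match; checking the table first turns that class of typo into a refusal to emit anything.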



Re: Linux firewall / web server

2003-07-01 Thread Ben
On Tue, Jul 01, 2003 at 12:47:40PM +0100, Shevek wrote:
> On Tue, 1 Jul 2003, Ben wrote:
> 
> > On Mon, Jun 30, 2003 at 07:38:12PM +0100, Chris Benson wrote:
> > > 
> > > I had a lot of difficulty thinking about the f/wall rules for a system
> > > acting as f/wall and server until I separated the data streams (and
> > > setup a table/chain for each stream):
> > > 
> > >   inet    -> f/wall
> [YADDA]
> > >   f/wall  -> internal
> > >   
> > > I've a perl script that writes a set of iptables commands from a
> > > simplified config file ...
> > 
> > People might also be interested in filtergen (http://hairy.beasts.org/filter/
> > also comes as a Debian package and probably an RPM). It was written by
> > a mate of mine, it handles more than just iptables as a backend and I'm 
> > reasonably happy with it.
> 
> I do not understand the need for [the added complexity and perversion of] 
> such packages since it is perfectly possible to write something almost 
> syntactically identical in the shell anyway using a few shell variables.

I disagree. The syntax of something like filtergen is obvious at a glance,
and greatly simplifies the audit process. The filtergen rules can be audited
and seen to be correct by someone who is a great deal less competent and
knowledgable than the person who wrote them (but who has to support them).

I submit that the case where a system is maintained and supported by people
less gifted / experienced than those who architected and built it is
sufficiently common that tools that make this easier are useful. 

But, in any case, I'd be interested in seeing the shell stuff that you'd use 
to accomplish this task.

Ben



Re: Linux firewall / web server

2003-07-01 Thread Shevek
On Tue, 1 Jul 2003, Ben wrote:

> On Mon, Jun 30, 2003 at 07:38:12PM +0100, Chris Benson wrote:
> > 
> > I had a lot of difficulty thinking about the f/wall rules for a system
> > acting as f/wall and server until I separated the data streams (and
> > setup a table/chain for each stream):
> > 
> > inet    -> f/wall
> > inet    -> internal network
> > inet    -> dmz network
[YADDA]
> > f/wall  -> internal
> > 
> > I've a perl script that writes a set of iptables commands from a
> > simplified config file ...
> 
> People might also be interested in filtergen (http://hairy.beasts.org/filter/
> also comes as a Debian package and probably an RPM). It was written by
> a mate of mine, it handles more than just iptables as a backend and I'm 
> reasonably happy with it.

I do not understand the need for [the added complexity and perversion of] 
such packages since it is perfectly possible to write something almost 
syntactically identical in the shell anyway using a few shell variables.

S.

-- 
Shevek    http://www.anarres.org/
I am the Borg. http://www.gothnicity.org/



Re: Linux firewall / web server

2003-07-01 Thread Ben
On Mon, Jun 30, 2003 at 07:38:12PM +0100, Chris Benson wrote:
> 
> I had a lot of difficulty thinking about the f/wall rules for a system
> acting as f/wall and server until I separated the data streams (and
> setup a table/chain for each stream):
> 
>   inet    -> f/wall
>   inet    -> internal network
>   inet    -> dmz network
>   dmz     -> inet
>   dmz     -> internal
>   dmz     -> f/wall
>   int'l   -> f/wall
>   int'l   -> dmz
>   int'l   -> inet
>   f/wall  -> inet
>   f/wall  -> dmz
>   f/wall  -> internal
>   
> I've a perl script that writes a set of iptables commands from a
> simplified config file ...

People might also be interested in filtergen (http://hairy.beasts.org/filter/
also comes as a Debian package and probably an RPM). It was written by
a mate of mine, it handles more than just iptables as a backend and I'm 
reasonably happy with it.

Ben 



Re: [ot] Mounting Unix Drives in Windows

2003-07-01 Thread the hatter
On Tue, 1 Jul 2003, Dave Cross wrote:

> 1/ How much chance is there that a Samba installation will cause
> problems? How stable is Samba?

Plenty of people here have more informed opinions than me, I'll leave them
to fight it out

> 2/ Is there anyone that will provide a commercial support contract
> for Samba?

You want to give someone money for a service ?  Of course someone will
take your money, no idea who is reliable though.

> 3/ Are there any other solutions we can look at - like, perhaps,
> an NFS client for Windows?

NFS on windows has a bit of a chequered history of reliability, however
I'll stick in a good word for OmniNFS and the other NFS stuff from
xlink(.com) - the only on-going reliable nfs server I've ever encountered
for windows (and I've tried several) and they do client and server, but
also full gateway products so you might want to install the on one server,
and then let that proxy between nfs and samba.


the hatter




Re: [ot] Mounting Unix Drives in Windows

2003-07-01 Thread Ben
On Tue, Jul 01, 2003 at 12:09:56PM +0200, Rafael Garcia-Suarez wrote:
> Robin Berjon wrote:
> > Rafael Garcia-Suarez wrote:
> > > Alternatives :
> > > WebDAV ? IIRC Windows' file explorer supports it natively.
> > 
> > It does. I'm not sure however that using WebDAV as a full time file system is a 
> > happy choice, not sure it's been tested that intensively. It'll also be slow.
> 
> So WebDAV, like Samba, doesn't require any additional software on the
> recent clients. Good point for it.

That depends on the quality of the client which comes pre-installed.
 
> The relative performance depends on the use case. I believe that WebDAV
> demands less bandwidth than Samba.

That depends very sensitively on the combination of client and server, and
how they interpret the semantics of the incomplete spec that is WebDAV. 
For example, under some circumstances, some versions of the M$ DAV client
follow a DAV-enhanced PUT /foo with a GET /foo to verify that the PUT
succeeded. This doubles the user-perceived time taken to complete a file
upload.  

In general, I'm unhappy with a solution which has this sort of nasty
mismatch of implementations possibility.[0] 
 
> I'm quite confident in the quality of mod_dav (for apache 2) due to my
> experience with Subversion. But that's a personal impression. We don't
> use WebDAV by itself at work -- just as a support layer for DeltaV, the
> protocol extension used by Subversion over http.

Subversion and DeltaV really aren't that happy a marriage, or weren't
the last time I looked at them. The problem is that completely general version
control systems are actually remarkably difficult to get right, due to
the entirely different (and at times impossible to reconcile) usage
modes that people want to use them in.[1] 

Subversion and DeltaV have different ideas about some fairly fundamental
things, IIRC.
 
> Now there's also the questions of access control, file ownership, rights
> management, etc... which are (to my taste) easier to manage in Apache
> than in Samba. 

YMMV.

Ben
[0] OK, OK. So I should really stop using SSL, then... 

[1] If anyone's tempted to follow up with "I don't see what's so difficult
about general VC systems...", I'd advise them to go read the IETF DELTAV
WG archives. See you in a while.



Re: [ot] Mounting Unix Drives in Windows

2003-07-01 Thread Ben
On Tue, Jul 01, 2003 at 11:49:02AM +0200, Rafael Garcia-Suarez wrote:
> Dave Cross wrote:
> > So, a few questions:
> > 
> > 3/ Are there any other solutions we can look at - like, perhaps,
> > an NFS client for Windows?
> 
> There are NFS clients for Windows. Alternatives :
> WebDAV ? IIRC Windows' file explorer supports it natively.

WebDAV, especially M$'s implementation of it, should *not* be
used for this sort of file transfer. Especially not for large files.

filesystem-over-HTTP is not necessarily as good an idea as it might
first appear.

As others have noted, Samba really is the solution here.

Ben  



Re: [ot] Mounting Unix Drives in Windows

2003-07-01 Thread Rafael Garcia-Suarez
Robin Berjon wrote:
> Rafael Garcia-Suarez wrote:
> > Alternatives :
> > WebDAV ? IIRC Windows' file explorer supports it natively.
> 
> It does. I'm not sure however that using WebDAV as a full time file system is a 
> happy choice, not sure it's been tested that intensively. It'll also be slow.

So WebDAV, like Samba, doesn't require any additional software on the
recent clients. Good point for it.

The relative performance depends on the use case. I believe that WebDAV
demands less bandwidth than Samba.

I'm quite confident in the quality of mod_dav (for apache 2) due to my
experience with Subversion. But that's a personal impression. We don't
use WebDAV by itself at work -- just as a support layer for DeltaV, the
protocol extension used by Subversion over http.

Now there's also the questions of access control, file ownership, rights
management, etc... which are (to my taste) easier to manage in Apache
than in Samba. Former administrator of both speaking.



Re: [ot] Mounting Unix Drives in Windows

2003-07-01 Thread Robin Berjon
Rafael Garcia-Suarez wrote:
> Alternatives :
> WebDAV ? IIRC Windows' file explorer supports it natively.

It does. I'm not sure however that using WebDAV as a full time file system is a 
happy choice, not sure it's been tested that intensively. It'll also be slow.

--
Robin Berjon <[EMAIL PROTECTED]>
Research Engineer, Expway http://expway.fr/
7FC0 6F5F D864 EFB8 08CE  8E74 58E6 D5DB 4889 2488



Re: Hundredweight was Re: UK Money, again

2003-07-01 Thread Tom Hukins
On Mon, Jun 30, 2003 at 06:44:55PM +0100, Steve Mynott wrote:
> 
> GNU units has 'brhundredweight' defined whereas the FreeBSD 4.5
> units(1) doesn't (and probably should).

You've inspired me to write this simple patch, which is now waiting
for the approval of a src committer:
http://people.freebsd.org/~tom/tmp/units/

Tom



Re: [ot] Mounting Unix Drives in Windows

2003-07-01 Thread Robin Berjon
Dave Cross wrote:
> So, a few questions:
>
> 1/ How much chance is there that a Samba installation will cause
> problems? How stable is Samba?

I've used Samba for two years at my last company without a hitch. The company 
where I'm at now has been using it for 18 months, again not with the slightest 
trace of trouble. Note that OS X shipped with the Samba client from day one 
(IIRC) and with the Samba server since Jaguar. All the people I know that have 
used it found it to be perfectly stable.

--
Robin Berjon <[EMAIL PROTECTED]>
Research Engineer, Expway http://expway.fr/
7FC0 6F5F D864 EFB8 08CE  8E74 58E6 D5DB 4889 2488



Re: [ot] Mounting Unix Drives in Windows

2003-07-01 Thread Rafael Garcia-Suarez
Dave Cross wrote:
> So, a few questions:
> 
> 1/ How much chance is there that a Samba installation will cause
> problems? How stable is Samba?

Samba is quite stable, but well, it has the same problems as NetBIOS :
it's bandwidth consuming (designed for LANs). And if the machines are
open on the Outside, you must be very careful about security, access
control and software updates.

> 2/ Is there anyone that will provide a commercial support contract
> for Samba?
> 
> 3/ Are there any other solutions we can look at - like, perhaps,
> an NFS client for Windows?

There are NFS clients for Windows. Alternatives :
WebDAV ? IIRC Windows' file explorer supports it natively.
rsync ? (over ssh ?) (hey, that's another fine piece of software A.
Tridgell is responsible for)

It's difficult to give advice without knowing the use case.



Re: [ot] Mounting Unix Drives in Windows

2003-07-01 Thread Simon Wilcox
On Tue, 1 Jul 2003, Dave Cross wrote:

> 1/ How much chance is there that a Samba installation will cause
> problems? How stable is Samba?

Very few although make sure you have a recent version if you're using 
Windows 2000 or XP anywhere. There were some issues that needed to be 
resolved when these OS's came out because they changed the way the 
authentication was done (iirc, maybe it was something else).

Samba is rock solid in my experience. I've run whole companies' data 
storage needs with it.
 
> 2/ Is there anyone that will provide a commercial support contract
> for Samba?

http://uk.samba.org/samba/support/uk.html - no idea if any of them are any 
good though.

> 3/ Are there any other solutions we can look at - like, perhaps,
> an NFS client for Windows?

If you're a win 2k shop, you could always set up WebDAV on the server and 
create webfolders on the win2k boxen.

Failing that http://www.google.com/search?q=nfs+client+windows returns 
lots of options.

Simon.

-- 
"If you've never seen an elephant ski then you've never been on acid!"
 




Re: [ot] Mounting Unix Drives in Windows

2003-07-01 Thread Philip Newton
On 1 Jul 2003 at 11:01, Dean Wilson wrote:

> Microsoft themselves do http://www.microsoft.com/windows/sfu/
> which has an NFS client. It's about as supported as all the other Windows
> products :)
> 
> You can even ask for a 90day eval disk with training material on it.

I got one free with the most recent issue of _Sys Admin_ magazine. (Two 
CDs, though I think one's mostly training videos.)

You're welcome to it as far as I'm concerned.

Cheers,
Philip
-- 
Philip Newton <[EMAIL PROTECTED]>




Re: [ot] Mounting Unix Drives in Windows

2003-07-01 Thread Dean Wilson
Roger Burton West wrote:
> On Tue, Jul 01, 2003 at 02:38:07AM -0700, Dave Cross wrote:

> I believe that some commercial SSH clients now give an "explorer-like"
> interface to sftp, but I don't do commercial software so I can't
> comment further.

Some Commercial SSH do, I used the FSecure one at my last workplace[0]. It's
just another explorer window that you type your password/phrase into and
then drag and drop between it and your local desktop. It was quite popular
as most of the developers were Dozer people.

  Dean
[0] Evals from here:
https://europe.f-secure.com/download-purchase/download-forms/sshclientwin.shtml
-- 
Profanity is the one language all programmers understand
--- Anon




Re: [ot] Mounting Unix Drives in Windows

2003-07-01 Thread Alex Hudson
On Tue, Jul 01, 2003 at 02:38:07AM -0700, Dave Cross wrote:
> 1/ How much chance is there that a Samba installation will cause
> problems? How stable is Samba?

It's possible - if you don't know how to set it up. You can destroy
whole (network) neighborhoods with it ;) PDC wars, constant master
re-elections, all kinds of havoc are possible.

You would have to be an a-class muppet though. Samba has been around ages,
is actively developed by a number of companies to provide the backbone
of various NAS products, and even the forthcoming 3.0 (still in alpha, 
IIRC) is sufficiently stable that people are using it in production.

> 2/ Is there anyone that will provide a commercial support contract
> for Samba?

Couldn't name companies ottomh, but they are definitely out there.

> 3/ Are there any other solutions we can look at - like, perhaps,
> an NFS client for Windows?

Unix Services for Windows, but it's supposed to be a bit sucky. Samba is
really the solution here though. 

Cheers,

Alex.



Re: [ot] Mounting Unix Drives in Windows

2003-07-01 Thread Philip Newton
On 1 Jul 2003 at 2:38, Dave Cross wrote:

> 3/ Are there any other solutions we can look at - like, perhaps,
> an NFS client for Windows?

There's http://www.hummingbird.com/products/nc/nfs/index.html , for 
example (Hummingbird Maestro). I have no experience with the product, 
though.

Cheers,
Philip
-- 
Philip Newton <[EMAIL PROTECTED]>




Re: [ot] Mounting Unix Drives in Windows

2003-07-01 Thread Dean Wilson
Dave Cross wrote:
> A bit of general advice needed please people.
> An anonymous client of mine has identified a need to access Unix
> filesystems from Windows PCs.

> 3/ Are there any other solutions we can look at - like, perhaps,
> an NFS client for Windows?


Microsoft themselves do http://www.microsoft.com/windows/sfu/
which has an NFS client. It's about as supported as all the other Windows
products :)

You can even ask for a 90day eval disk with training material on it.

  Dean
-- 
Profanity is the one language all programmers understand
--- Anon




Re: [ot] Mounting Unix Drives in Windows

2003-07-01 Thread Roger Burton West
On Tue, Jul 01, 2003 at 02:38:07AM -0700, Dave Cross wrote:

>1/ How much chance is there that a Samba installation will cause
>problems? How stable is Samba?

As long as you set os level = 65 or lower, I have seen no problems with
Samba that aren't inherent in the SMB protocol, and I've used it quite a
bit. Rock solid.

>3/ Are there any other solutions we can look at - like, perhaps,
>an NFS client for Windows?

Serious payware, but I'm sure the support company will be glad to sell
it to you at only a slight markup.

I believe that some commercial SSH clients now give an "explorer-like"
interface to sftp, but I don't do commercial software so I can't comment
further.

R
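
The `os level` advice above, and the master re-election trouble Alex Hudson describes earlier in the thread, can be checked before a Samba box goes onto a production network. This is an added example, not code from any poster: the 65 threshold comes from the post, while the `preferred master` and `domain master` checks, the function names and the sample config are assumptions of this example.

```python
import re

MAX_OS_LEVEL = 65                      # threshold quoted in the post above
TRUE_VALUES = {"yes", "true", "1", "on"}

def parse_global(text):
    """Return the [global] parameters of an smb.conf as a dict.

    Names are lower-cased with whitespace removed, because Samba
    ignores case and spaces in parameter names.
    """
    params, section = {}, None
    text = re.sub(r"\\\r?\n", "", text)   # join backslash-continued lines
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":    # blank line or comment
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params

def audit_browsing(text):
    """List settings that make this server contest browser elections."""
    p = parse_global(text)
    findings = []
    level = p.get("oslevel")
    if level is not None:
        if not level.isdigit():
            findings.append(f"os level is not a number: {level!r}")
        elif int(level) > MAX_OS_LEVEL:
            findings.append(f"os level = {level} exceeds {MAX_OS_LEVEL}")
    for key, label in (("preferredmaster", "preferred master"),
                       ("domainmaster", "domain master")):
        if p.get(key, "").lower() in TRUE_VALUES:
            findings.append(f"{label} = {p[key]}: server will push for a master role")
    return findings

# Constructed sample config, not taken from the thread.
SAMPLE = """\
[global]
   workgroup = EXAMPLE
   OS Level = 255
   preferred master = yes
   domain master = no
[homes]
   os level = 99
"""

if __name__ == "__main__":
    for finding in audit_browsing(SAMPLE):
        print("WARN:", finding)
```

Only `[global]` is inspected, so the stray `os level` under `[homes]` in the sample is ignored.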



[ot] Mounting Unix Drives in Windows

2003-07-01 Thread Dave Cross

A bit of general advice needed please people.

An anonymous client of mine has identified a need to access Unix
filesystems from Windows PCs.

We, of course suggested Samba as the perfect solution. Unfortunately
this client has all of its Unix and networking support outsourced
and this outsource company has pursed its lips and shaken its
head at this suggestion. They are claiming that it is unsupported
and not something they can recommend for critical production
systems. They are, instead, recommending that developers use
ftp or scp to transfer files from Unix to Windows.

Now we could overrule them and force them to install Samba, but
the danger with this is that they can then blame Samba for any
network problems we have and this can potentially undermine any
support that we get from them.

So, a few questions:

1/ How much chance is there that a Samba installation will cause
problems? How stable is Samba?

2/ Is there anyone that will provide a commercial support contract
for Samba?

3/ Are there any other solutions we can look at - like, perhaps,
an NFS client for Windows?

Any advice appreciated.

Dave...
-- 


"Let me see you make decisions, without your television"
   - Depeche Mode (Stripped)







RE: Linux firewall / web server

2003-07-01 Thread Blackwell, Lee [IT]
> I'm going to build a Linux firewall & web server at home (not 
> necessarily the same box) and wondered if anyone can advise of 
> the best route to go.

On the firewall side of things

I use a dual homed FreeBSD box[1].  Sure, I know you said Linux[2], but I'd
recommend it because it's largely set and forget[3], and taking a 'standard'
FreeBSD install to 'firewall' spec is frighteningly easy.

I run it on an ol' P166 with bugger all memory and a tiny disk[4].

Oh, if you consider this a possibility, don't try FreeBSD 5.x yet, stay with
the 4.x stable branch until 5.x is more mature.

> any ideas/tips welcomed.
I gave up using Linux[2] a while back, and found FreeBSD to suit my needs
better.  
But still, learning different flavours of *nix is my idea of fun[5] :)

Lee

[1] And I run Apache on a beefier machine, in my DMZ
[2] No, I'm not trying to start an OS discussion/debate/flamewar; let's not
go there...
[3] If you are suitably paranoid like me, you'll leave a terminal up, watch
the log files closely, and ensure the source is regularly updated to fix
holes/VULN's etc
[4] Old hardware is cheap as chips.
[5] Yes, really, I'm that sad.



Re: Linux firewall / web server

2003-07-01 Thread Martin Bower
all, thanks for the advice.

I *think* I'll start with a smoothwall, and do the apache stuff on a Debian 
box.

Chris,  would you mind sharing your script,  just in case I change my mind 
.again.

Martin
