Re: [OT] Attention Jonathan M.Slivko

2003-03-05 Thread Jason Costomiris
On Tuesday, March 4, 2003, at 10:15  PM, Edward Dekkers wrote:

I know OE is a crap mail client, but in that I don't have a lot of choice
I'm afraid.
It's not your mail client, though I do agree with your sentiments.. ;)  
It's that Jonathan has decided that rather than just digitally signing 
his mail, he's encrypting it too.  If his goal is to create email that 
just about everyone can't read, he's being wildly successful. :)

--
Jason Costomiris 
E: jcostom {at} jasons {dot} org / W: http://www.jasons.org/
Quidquid latine dictum sit, altum viditur.


--
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list


Re: Please Check: Firewall Ruleset

2003-02-17 Thread Jason Costomiris

On Monday, February 17, 2003, at 02:43  AM, Budi Febrianto wrote:


I just created a firewall using iptables.
If you have the time, please check if it secure enough or not.


You've got a few weirdnesses in there..

You set up your OUTPUT chain to have a default policy of ACCEPT on line 
24, but then specify it again on lines 40 and 43.  No need for those.

Also, you realize that your lo interface and 127.0.0.1 are the same 
thing, right?

So, all you really have to do is say that input to localhost is 
ACCEPTed, like you do on line 39.  With that, you can get rid of lines 
40, 41, 42, 43, 44, 45, 46, 49, 50, 57, 58, 65, 66, 67, 68.

Also, why are you making rules to allow external hosts to talk to the 
INTERNAL i/f of your firewall?  Nix lines 69, 70, 71, 72.

Typo in ip addr on line 76.

Also, you realize you're not giving your users Internet access, right?  
Well, the power users, and the servers, but nothing else, right?

How about something more simple like say,

$IPT -F
$IPT -F INPUT
$IPT -F FORWARD
$IPT -F OUTPUT
$IPT -F -t nat
$IPT -F -t mangle
$IPT -X

$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPT -A INPUT -i lo -j ACCEPT

$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p icmp -m state --state NEW -j ACCEPT
$IPT -A INPUT -i $EXTDEV -s 152.158.247.43 -p tcp --dport 53 -m state --state NEW -j ACCEPT
$IPT -A INPUT -i $EXTDEV -s 152.158.247.43 -p udp --dport 53 -m state --state NEW -j ACCEPT
$IPT -A INPUT -i $EXTDEV -s 152.158.247.44 -p tcp --dport 53 -m state --state NEW -j ACCEPT
$IPT -A INPUT -i $EXTDEV -s 152.158.247.44 -p udp --dport 53 -m state --state NEW -j ACCEPT

for SERVER in `cat $SERVERS`
do
  $IPT -A FORWARD -s $SERVER -j ACCEPT
  $IPT -t nat -A POSTROUTING -o $EXTDEV -s $SERVER -j SNAT --to 202.135.248.8
done

for POWERUSER in `cat $POWERUSERS`
do
  $IPT -A FORWARD -s $POWERUSER -j ACCEPT
  $IPT -t nat -A POSTROUTING -o $EXTDEV -s $POWERUSER -j SNAT --to 202.135.248.8
done

$IPT -A FORWARD -m state --state NEW -s $INTLAN -d $DMZLAN -j ACCEPT


--
Jason Costomiris 
E: jcostom {at} jasons {dot} org / W: http://www.jasons.org/
Quidquid latine dictum sit, altum viditur.
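An added example, not from the archive and not the poster's script: a small Python linter that applies the three review points above (a chain's default policy set more than once, rules naming 127.0.0.1 when traffic on lo is already accepted, and rules letting the external interface reach internal addresses) to a constructed ruleset. The variable values, the internal LAN 192.168.1.0/24 and the sample rules are assumptions.

```python
import ipaddress
import shlex
from collections import Counter

# Assumed values for the poster's shell variables (constructed; his script is not in the archive).
VARS = {"$IPT": "iptables", "$EXTDEV": "eth0", "$INTDEV": "eth1"}
INTLAN = ipaddress.ip_network("192.168.1.0/24")   # constructed internal LAN behind $INTDEV
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

# Constructed sample ruleset that reproduces the three problems raised in the review above.
SAMPLE = """\
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
$IPT -A OUTPUT -s 127.0.0.1 -j ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -A INPUT -i $EXTDEV -d 192.168.1.1 -p tcp --dport 22 -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
"""

# options that take a value; everything else is skipped as a bare flag
VALUED = ("-i", "-o", "-s", "-d", "-p", "-j", "-m", "--dport", "--sport", "--state")

def parse_rule(line):
    """Reduce one iptables command line to the chain it touches, its policy (for -P)
    and the options the checks need."""
    toks = [VARS.get(t, t) for t in shlex.split(line)]
    rule = {"chain": None, "policy": None, "opts": {}}
    i = 1                                   # toks[0] is the iptables binary
    while i < len(toks):
        t = toks[i]
        if t == "-P":
            rule["chain"], rule["policy"] = toks[i + 1], toks[i + 2]
            i += 3
        elif t in ("-A", "-I", "-D"):
            rule["chain"] = toks[i + 1]
            i += 2
        elif t in VALUED:
            rule["opts"][t] = toks[i + 1]
            i += 2
        else:
            i += 1
    return rule

def in_net(value, net):
    """True if an address or prefix string lies inside net; non-addresses never match."""
    try:
        return ipaddress.ip_network(value, strict=False).subnet_of(net)
    except ValueError:
        return False

def lint(script):
    rules = [(n, parse_rule(line)) for n, line in enumerate(script.splitlines(), 1) if line.strip()]
    findings = []
    # 1. a chain's default policy set more than once: only the last -P line has any effect
    for chain, count in Counter(r["chain"] for _, r in rules if r["policy"]).items():
        if count > 1:
            findings.append(f"policy for {chain} set {count} times; one -P line is enough")
    # 2. once traffic arriving on lo is accepted, rules naming 127.0.0.1 add nothing
    lo_accept = any(r["chain"] == "INPUT" and r["opts"].get("-i") == "lo"
                    and r["opts"].get("-j") == "ACCEPT" for _, r in rules)
    for n, r in rules:
        o = r["opts"]
        if lo_accept and r["policy"] is None and any(in_net(o.get(k, ""), LOOPBACK) for k in ("-s", "-d")):
            findings.append(f"line {n}: 127.0.0.1 and lo are the same thing; redundant with the -i lo ACCEPT")
        # 3. the external interface should never be allowed to reach internal addresses
        if r["chain"] == "INPUT" and o.get("-i") == VARS["$EXTDEV"] and in_net(o.get("-d", ""), INTLAN):
            findings.append(f"line {n}: accepts traffic from {o['-i']} to an internal address {o['-d']}")
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```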





Re: More VPN info

2003-02-03 Thread Jason Costomiris

On Monday, February 3, 2003, at 03:51  AM, Christopher Lyon wrote:


I am sure AH and ESP doesn't care if the IP checksum changes because
that is just down one layer. ESP and AH are separate from TCP and UDP so
most firewall's won't even perform NAT on these packets.

Unfortunately, AH does care.  Its checksums are on the whole packet, 
rather than just the payload.  NATing an AH packet invalidates it.  On 
the plus side, almost nobody uses AH, since it only provides 
authentication and lacks privacy.  If you need that kind of 
functionality, you could run ESP with a null cipher.

I've noticed a number of IPsec products have dropped AH support over 
the past couple of years in favor of ESP w/null cipher.

--
Jason Costomiris 
E: jcostom {at} jasons {dot} org / W: http://www.jasons.org/
Quidquid latine dictum sit, altum viditur.
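An added example, not from the thread, showing why NAT breaks AH but not ESP with a null cipher: AH's integrity check covers the outer IP header with only the mutable fields zeroed, so a rewritten source address fails verification, while ESP's check starts at the ESP header and ignores the outer IP header entirely. The key, addresses and packet contents are constructed, and HMAC-SHA1-96 is used for both.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"   # constructed; a real SA key is negotiated by IKE

def ipv4_header(src, dst, proto, ttl=64):
    """Minimal 20-byte IPv4 header; the header checksum is left at zero for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0x1234, 0, ttl, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))

def icv(data):
    """HMAC-SHA1-96 (RFC 2404): HMAC-SHA1 truncated to 96 bits."""
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]

def ah_covered(ip_hdr, ah_and_payload):
    """What AH authenticates: the IP header with only the mutable fields zeroed
    (TOS, flags/fragment offset, TTL, checksum), then the AH header and payload.
    Source and destination addresses stay covered, which is why NAT breaks it."""
    h = bytearray(ip_hdr)
    h[1] = 0                  # TOS / DSCP
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return bytes(h) + ah_and_payload

def ah_packet(ip_hdr, spi, seq, inner):
    """IP header (proto 51) + AH header + inner segment (transport mode, next header 6 = TCP).
    Payload Len 4 = 24-byte AH in 32-bit words minus 2; the ICV field is zero while computing."""
    ah_fixed = struct.pack("!BBHII", 6, 4, 0, spi, seq)
    tag = icv(ah_covered(ip_hdr, ah_fixed + bytes(12) + inner))
    return ip_hdr + ah_fixed + tag + inner

def ah_verify(pkt):
    ip_hdr, ah_fixed, tag, inner = pkt[:20], pkt[20:32], pkt[32:44], pkt[44:]
    return hmac.compare_digest(tag, icv(ah_covered(ip_hdr, ah_fixed + bytes(12) + inner)))

def esp_null_packet(ip_hdr, spi, seq, inner):
    """ESP (proto 50) with the NULL cipher: payload sent in clear, padded to a 4-byte
    boundary, ICV over SPI..trailer only. The outer IP header is not covered."""
    pad_len = (-(len(inner) + 2)) % 4
    esp = (struct.pack("!II", spi, seq) + inner + bytes(range(1, pad_len + 1))
           + struct.pack("!BB", pad_len, 6))
    return ip_hdr + esp + icv(esp)

def esp_verify(pkt):
    esp, tag = pkt[20:-12], pkt[-12:]
    return hmac.compare_digest(tag, icv(esp))

def router_hop(pkt):
    """A plain router only decrements TTL, a mutable field that AH ignores."""
    h = bytearray(pkt[:20])
    h[8] -= 1
    return bytes(h) + pkt[20:]

def snat(pkt, new_src):
    """Source NAT rewrites the (AH-covered) source address on top of the TTL decrement."""
    h = bytearray(router_hop(pkt)[:20])
    h[12:16] = bytes(map(int, new_src.split(".")))
    return bytes(h) + pkt[20:]

def demo():
    inner = b"constructed TCP segment"
    ah = ah_packet(ipv4_header("192.168.1.10", "203.0.113.5", 51), 0x100, 1, inner)
    esp = esp_null_packet(ipv4_header("192.168.1.10", "203.0.113.5", 50), 0x200, 1, inner)
    return {
        "ah_direct": ah_verify(ah),
        "ah_after_router": ah_verify(router_hop(ah)),
        "ah_after_nat": ah_verify(snat(ah, "198.51.100.1")),
        "esp_null_after_nat": esp_verify(snat(esp, "198.51.100.1")),
    }

if __name__ == "__main__":
    print(demo())
```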





Re: More VPN info

2003-02-03 Thread Jason Costomiris
On Sunday, February 2, 2003, at 11:11  PM, Dick St.Peters wrote:

Giving a remote site access to the DMZ over the VPN is exactly the
example intended.


Ok, if that's the case, what's wrong with RFC 1918 space in the DMZ???  
If this DMZ is only ever accessed over a VPN, using globally routable 
IP space is just plain wasteful.

It's odd to see an IPsec advocate speaking highly of NAT.  NAT changes
packets checksums, which disables some things - IPsec being the most
commonly-cited example.


Yes, you're correct, primarily in the case of AH, which because of its 
lack of payload encryption is almost never used.  In fact, you're 
better off using ESP with a null cipher instead.  You cited the example 
of a DMZ.  When one defines a DMZ (using the generally accepted 
definition of such), you're usually exposing services to the Internet.  
That's where the NAT comes in.  You do realize you can use NAT for 
clear traffic and no NAT for VPN traffic, right?

If an IPsec tunnel links net1 to net2, and you establish a route
through it from net1 to net3, the IPsec tunnel will refuse to carry the
packets.  You may not call that filtering, but that's what it is.


Not in the examples I've given.  In my examples, net2 and net3 are 
adjacent, allowing you to define a single tunnel for the solution.  Why 
do you simply refuse to plan a network, rather than let it grow 
willy-nilly?

I've been building networks for 13 years, and VPNs for 7 years.  I've
never once had to re-architect a network to deploy an IPsec VPN.  Some
IPsec configurations have been easier than others, and those are the
ones done on *well-planned* networks.


Show and tell time, eh?  Ok, I built my first IP network in 1983.
That network became one of the two foundation networks for the GE
Corporate network.


Wow, I'm impressed.  However, someone with that much experience should 
know this stuff.  Since this seems to be degenerating into you telling 
us what a network genius you are, and me telling you that you aren't, 
let's just leave it here, eh?  The point of my statement was that I've 
built a large number of VPNs and a larger number of networks, and I've 
never once had to re-architect a network just to deploy an IPsec VPN.  
The way you talk about IPsec, you seem to think that you need to plan 
networks around it.  My point is simple.  If you PLAN your network, 
rather than just let it grow willy-nilly, you will never have problems 
trying to implement a VPN (from the network perspective).  That is, 
your problems, if any, will stem from human error or software defect.

You also seem hung up on this notion of a virtual wire and how you 
seem to think that IPsec doesn't act like one.  As another poster has 
pointed out, an IPsec tunnel meets your definition of a virtual wire.

--
Jason Costomiris 
E: jcostom {at} jasons {dot} org / W: http://www.jasons.org/
Quidquid latine dictum sit, altum viditur.





Re: More VPN info

2003-02-03 Thread Jason Costomiris
On Monday, February 3, 2003, at 01:38  PM, Dick St.Peters wrote:


Jason Costomiris writes:

On Sunday, February 2, 2003, at 11:11  PM, Dick St.Peters wrote:

Giving a remote site access to the DMZ over the VPN is exactly the
example intended.


Ok, if that's the case, what's wrong with RFC 1918 space in the DMZ???
If this DMZ is only ever accessed over a VPN, using globally routable
IP space is just plain wasteful.


A DMZ accessed _only_ over a VPN isn't much of a DMZ.  The usual
purpose for a DMZ is a place to locate bastion hosts that provide
public services and run proxies allowing the internal network to
access the internet without actually exchanging packets between the
internal network and the internet.


Clever editing techniques you're deploying here..  You (conveniently) 
removed my explanation of using RFC 1918 space in a DMZ with NAT and 
VPN.  You don't seem to realize that you can do both.

You want your bastions to be at globally routable IP addresses so the
public can reach your public services, and you don't want NAT in the
way so you don't restrict your proxying to NAT-tolerant applications.


Um.  Yeah.  Sure.  Who even mentioned proxying???  We're not talking 
about proxying.  Would you care to name me one, just one application 
that's going to be in the average DMZ that won't work with NAT?  Let's 
see..  HTTP and HTTPS both work.  So does SMTP, IMAP, IMAPS, POP3, 
POP3S, DNS, NNTP and even streaming media servers like Real, QT and M$. 
 Even if you want to proxy outbound connections through something like 
a Squid cache, NATing the outbound connection does no harm.  Your 
anti-NAT argument just fails to hold water.  You can keep making up new 
requirements all you want, you're still terribly wrong about IPsec.

Services that aren't NAT-tolerant, like say SQL*Net and friends would 
never be exposed to the Internet.  Those would be done with controlled 
access on a VPN -- where connections are NOT BEING NATed.

You also seem hung up on this notion of a virtual wire and how you
seem to think that IPsec doesn't act like one.  As another poster has
pointed out, an IPsec tunnel meets your definition of a virtual 
wire.



From the FreeSWAN FAQ:


IPsec tunnels are not just virtual wires; they are virtual wires
with built-in access controls.


Yes, those access controls are pre-shared secrets and x.509 digital 
certificates.  There is no access control beyond validation of the 
shared secret or the signature on the certificate.  There are 
extensions to IPsec such as X-Auth (from Nortel), Hybrid Mode IKE (from 
Check Point) and CRACK (from Network Alchemy, later part of Nokia).  
Those add-ons introduce the ability to add a username/password to an 
IPsec tunnel.  These all involve changes to the IKE (phase 1) process.  
FreeSWAN has none of those.  Even if it had those extensions, those do 
not constitute filters.  I don't think you understand IPsec.

I am an advocate of FreeSWAN for cases where I think IPsec is
appropriate.  The core difference between us seems to be that you
think IPsec is always appropriate, whereas I feel that most of the time
its baggage outweighs its advantages.  You want people to plan their
networks around IPsec's rigidity, whereas I feel there's no reason to
put up with that rigidity when you don't have to.


Just for giggles, I sent your statements (without your name attached) 
to several colleagues.  We've all been at this for a long time.  
Everyone pretty much laughed at your claims of IPsec's alleged 
rigidity and baggage.  You can say you have to plan your network 
around IPsec until you're blue in the face.  It just does not make it 
true.

I've explained away every single one of your supposed problems with 
IPsec.  We're done here.

--
Jason Costomiris 
E: jcostom {at} jasons {dot} org / W: http://www.jasons.org/
Quidquid latine dictum sit, altum viditur.





Re: More VPN info

2003-02-02 Thread Jason Costomiris

On Saturday, February 1, 2003, at 09:31  PM, Dick St.Peters wrote:


Jason Costomiris writes:


On Saturday, February 1, 2003, at 03:17  PM, Dick St.Peters wrote:


net1 -- net2/net3

This requires good network planning.


No, this requires planning your network around IPsec, which is not the
same thing as good network planning.  Other VPN technologies fit into
the network you have ... or that you may want to have for other
reasons.

That's silly.  Planning your network so that you can aggregate the
networks at each site into a single network  has nothing to do with
planning your network around IPsec.  It has everything to do with
minimizing configuration of whatever connectivity solution you deploy,
be it IPsec, some random VPN, private links or even frame relay.


Oh ye of little imagination ... start with the obvious case: two NICs
on the gateway, one in net2, the site's DMZ, another in net3, its
internal network.  Aggregate that one.


Well, I'm sure you mean 3 NICs, since you're using one in the internal 
net, the other in a DMZ, the 3rd on the outside.  Aggregate that?  Uh, 
what's the problem?  Both networks are connected to the same gateway.  
You *PLAN* and use adjacent subnets, such as say 192.168.10.0/24 for 
net2 and 192.168.11.0/24 for net3 (i.e. 192.168.10.0/23).  Little 
imagination my foot. :)

For another, try having net2 and net3 be at different sites, where the
two sites represent two previously different companies that just
merged.  One numbered out of 192.168.0.0/16, the other out of 10/8.


Ok, that's not a big deal either.  If both sites are well planned, it 
doesn't matter that each site came out of different RFC1918 spaces.  
You don't aggregate both sites into a single route, at least in your 
example.  You'd only do that if you were deploying a hub and spoke and 
putting routes on the spoke sites.  If that's the case, it's one or two 
extra routes in what would most likely be a fair number already.  In 
our example here, we've been talking about doubling or tripling the 
size of his routing tables.

Networks are not planned; networks grow (or shrink or divide) under
the influence of things other than networking.  People trying to plan
networks have never been any better at predicting the future than
anyone else.


Layer 8 issues have their place, but if you're a smart network manager, 
you'll work within them to ensure you don't either create a network 
that's difficult to maintain or introduce proprietary solutions that 
don't interoperate when perfectly good interoperable solutions exist.

--
Jason Costomiris 
E: jcostom {at} jasons {dot} org / W: http://www.jasons.org/
Quidquid latine dictum sit, altum viditur.





Re: More VPN info

2003-02-02 Thread Jason Costomiris

On Sunday, February 2, 2003, at 11:36  AM, Larry Brown wrote:


I would like to see RedHat pick up this software for inclusion to its
distro's.  The hardest part of implementing FreeSWAN is the installation.
Configuration is not bad at all.

It's not even hard to install at this point!  Take a look over at 
www.freeswan.org, where they provide a RH howto and rpms that work fine 
on RH...

--
Jason Costomiris 
E: jcostom {at} jasons {dot} org / W: http://www.jasons.org/
Quidquid latine dictum sit, altum viditur.





Re: More VPN info

2003-02-01 Thread Jason Costomiris
On Friday, January 31, 2003, at 09:57  AM, Dick St.Peters wrote:


I've used FreeSWAN extensively and currently recommend against it to
my users unless they absolutely need IPSEC for some reason.


Err..  You recommend AGAINST using strong encryption?


IPSEC is considerably more complex than most VPN technologies in ways
that are counter-intuitive.  IPSEC tunnels are not just virtual wires,
they also include access controls.


IPsec by itself does not include access controls beyond the shared 
secret or the x.509 certificate used to authenticate the tunnel.  In 
most cases, IPsec is paired with some sort of firewalling to provide 
the access control.

For example, consider:

  net1 --- gateway1 -- {internet} -- gateway2 --- net2 --- net3

A FreeSWAN tunnel between gateway1 and gateway2 can allow net1 and
net2 to talk to each other, but that same tunnel will not allow net1
and net3 to talk to each other.  Communication between net1 and net3
would require an additional tunnel.  In fact, full connectivity for
this case would require 6 tunnels:
1. net1 -- net2
2. net1 -- gateway2
3. net1 -- net3
4. gateway1 -- net2
5. gateway1 -- gateway2
6. gateway1 -- net3


You've got double the number of tunnels you need.  In fact, if you've 
set up the site on the right properly, you only need one tunnel 
definition.

net1 -- net2/net3

This requires good network planning.  For instance, you set up the left 
side as 192.168.1.0/24, and the right side as say, 192.168.2.0/24 and 
192.168.3.0/24.  In this case, your left side's encryption domain 
(pardon the Check Point parlance) is 192.168.1.0/24 and the right side 
is 192.168.2.0/23.  Creating a tunnel to the gateways themselves is 
pointless.  The gateways are the endpoints, that's all...

Since these guys seem to be VPN novices and have both site to site as 
well as remote client capabilities, I'd recommend they go with a 
vendor-supported solution.  The Check Point SofaWare line is excellent 
for this application.  Look, for instance at the Nokia IP30 products.  
They come in a 10-user site-site capable unit for a list price of $699 
and a 25-user for $1199.  These units can also terminate connections 
from Check Point's SecuRemote.  SR is available for any reasonably 
recent Windows platform (WinME, NT, 2000 Pro, XP Home/Pro) for free 
from CP's web site.

Configuration of the IP30, or any other SofaWare platform, is very 
easy, done through an https browser session.  It provides a DHCP server 
for the LAN, and supports DHCP and PPPoE on the WAN side.

--
Jason Costomiris 
E: jcostom {at} jasons {dot} org / W: http://www.jasons.org/
Quidquid latine dictum sit, altum viditur.
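An added example, not from the thread, that works out the tunnel definitions each layout needs: the right side's adjacent /24s collapse into the single /23 encryption domain described above, giving one FreeSWAN conn, while the six-endpoint count from the quoted post (gateways included, net2 and net3 not adjacent) yields six. The gateway addresses, the 10.7.0.0/24 used for net3 in the unplanned case and the conn names are assumptions.

```python
import ipaddress
from itertools import product

def encryption_domains(subnets):
    """Collapse a site's subnets into the fewest covering prefixes: adjacent, aligned
    /24s such as 192.168.2.0/24 and 192.168.3.0/24 become 192.168.2.0/23, while
    192.168.1.0/24 and 192.168.2.0/24 stay separate (no common /23)."""
    return list(ipaddress.collapse_addresses(ipaddress.ip_network(s) for s in subnets))

def tunnel_pairs(left_subnets, right_subnets):
    """One tunnel definition per (left domain, right domain) pair: the count is the
    product of the two sides' collapsed domain lists."""
    return list(product(encryption_domains(left_subnets), encryption_domains(right_subnets)))

def freeswan_conns(name, left_gw, left_subnets, right_gw, right_subnets):
    """Render ipsec.conf conn stanzas (left/leftsubnet/right/rightsubnet/auto are FreeSWAN keys)."""
    out = []
    for n, (ls, rs) in enumerate(tunnel_pairs(left_subnets, right_subnets)):
        out.append(f"conn {name}-{n}\n    left={left_gw}\n    leftsubnet={ls}\n"
                   f"    right={right_gw}\n    rightsubnet={rs}\n    auto=start")
    return "\n\n".join(out)

# Constructed addresses: 203.0.113.1 and 198.51.100.1 stand in for the gateways' public side.
PLANNED_LEFT = ["192.168.1.0/24"]
PLANNED_RIGHT = ["192.168.2.0/24", "192.168.3.0/24"]            # adjacent: one /23
UNPLANNED_LEFT = ["192.168.1.0/24", "203.0.113.1/32"]           # net1 plus gateway1 itself
UNPLANNED_RIGHT = ["192.168.2.0/24", "198.51.100.1/32", "10.7.0.0/24"]  # net2, gateway2, net3

if __name__ == "__main__":
    print(freeswan_conns("site1-site2", "203.0.113.1", PLANNED_LEFT, "198.51.100.1", PLANNED_RIGHT))
    print(len(tunnel_pairs(UNPLANNED_LEFT, UNPLANNED_RIGHT)), "tunnels for the unplanned layout")
```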





Re: More VPN info

2003-02-01 Thread Jason Costomiris

On Saturday, February 1, 2003, at 03:17  PM, Dick St.Peters wrote:


net1 -- net2/net3

This requires good network planning.


No, this requires planning your network around IPsec, which is not the
same thing as good network planning.  Other VPN technologies fit into
the network you have ... or that you may want to have for other
reasons.


That's silly.  Planning your network so that you can aggregate the 
networks at each site into a single network  has nothing to do with 
planning your network around IPsec.  It has everything to do with 
minimizing configuration of whatever connectivity solution you deploy, 
be it IPsec, some random VPN, private links or even frame relay.

I take it you don't use traceroute or tracert ... and you expect the
admin to go to the remote site when he/she needs to reconfigure its
gateway.


Hm.  I find traceroutes on VPNs like this to be pretty boring.  There's 
one hop between my system and the remote system, assuming a single 
subnet on each end, like this.  If you've lost connectivity between the 
sites and the Internet is working, then you've narrowed the problem 
right down, haven't you?

The gateways are just endpoints only if you use specialized boxes.
They can just as easily be general computers performing other roles
such as providing services.  One of my systems is currently an
endpoint for 12 VPN tunnels using 4 different VPN technologies and at
the same time is a pop3, smtp, www, and ftp server.


That's nice, but in any security policy that I'd write, this would be a 
huge red flag...  IMHO, you let your firewall be a firewall (and 
terminate VPNs on it if that's required) and you let your servers be 
servers.  Never shall the two merge.  It's the difference between a 
single system compromise giving away the keys to the kingdom versus a 
foothold.  That foothold can be taken away from an attacker.

And remain VPN novices ...


Not at all.  Just because you've got a comprehensive solution that's 
backed by a vendor doesn't mean you don't use and understand the 
technology you're using.  It means you've got someone to call when you 
find yourself in over your head.  And remember, just because it's 
vendor supported, doesn't mean it doesn't have to be Open Source.

The question was asked on a RedHat list, so presumably the poster has
RedHat, meaning he already has one good open source VPN solution
(CIPE) and already has the tun/tap kernel driver used by at least two
other easily-added open source VPN solutions (OpenVPN and VTun).  He
also has ppp and both stunnel and ssh, so he has a choice of many VPN
solutions.


I can't recommend against non-IPsec VPNs strongly enough.  
Interoperability is key.  How about the first time they need to connect 
to a partner extranet?  I bet that partner is using something that does 
IPsec.

Recommending solutions like ppp+ssh forwarding is like telling him to 
build a wooden fence with bubble gum and duct tape rather than nails.  
There's a cost involved in upkeep too.  Long term, half-baked solutions 
aren't maintainable...

You want to recommend they use a non-vendor solution? Great!  
Recommending something interoperable is the way to go.  In this case, 
that's freeswan.

--
Jason Costomiris 
E: jcostom {at} jasons {dot} org / W: http://www.jasons.org/
Quidquid latine dictum sit, altum viditur.





Re: firewalls - iptables and emails

2003-01-05 Thread Jason Costomiris

On Saturday, January 4, 2003, at 11:52  AM, Jorge Luis Hernández Valdivia wrote:

Hi

I got a couple of lans joins by a firewall in linux,
something like this:

 -------     ----------     -------     ----------
| Lan 0 |---| Firewall |---| Lan 1 |---| Firewall |
 -------    | Linux    |    -------    | Windows  |
             ----------                 ----------
                  |
             ----------
            | Internet |
             ----------

I need the Linux Firewall to pick a file from the lan
0 and send it automatically (crontab) by email to the
exterior. What should I do?


Write a script that uses scp, rcp, or ftp to pull the file off of the 
machine in Lan 0.

Install some sort of MTA on the firewall and carefully configure it to 
not listen on the external interface, etc.

Use perl's Mail::* modules to create the message with file attachment 
and send.

There probably won't be any changes to iptables, since you're probably 
already allowing your firewall to initiate traffic.
--
Jason Costomiris 
E: jcostom {at} jasons {dot} org / W: http://www.jasons.org/
Quidquid latine dictum sit, altum viditur.





Re: Exacutables not executing

2002-12-16 Thread Jason Costomiris
On Mon, Dec 16, 2002 at 04:48:23PM -0800, Nicholas Fitzgerald wrote:
: [root@ns1 sbin]# dir
: cached  indexer  mkind  run-splitter  searchd  splitter  stored
: [root@ns1 sbin]# indexer
: -bash: indexer: command not found

Well of course, silly.  . is not in your path, and should never be.
Add the directory to your $PATH, or use the full pathname to the executable.

-- 
Jason Costomiris 
E: jcostom {at} jasons {dot} org / W: http://www.jasons.org/
Quidquid latine dictum sit, altum viditur.






Re: fsck you!!!!

2002-12-03 Thread Jason Costomiris

On Tuesday, December 3, 2002, at 08:31  AM, Scott Skrogstad wrote:


I liked that one...  first beer and all.  Maybe some sort of filter could
have blocked this!

Nah, too much like censorship..  Has it occurred to anyone that perhaps 
this twit simply forgot to log off from Hotmail and walked away?

--
Jason Costomiris 
E: jcostom {at} jasons {dot} org / W: http://www.jasons.org/
Quidquid latine dictum sit, altum viditur.





Re: Post your Red Hat Desktop!

2002-11-28 Thread Jason Costomiris

On Thursday, November 28, 2002, at 12:29  AM, Michael A. Peters wrote:


I'm curious as to what other people have done with their Red Hat
systems.


http://www.jasons.org/modules.php?op=modload&name=gallery&file=index

screenshot archive...

--
Jason Costomiris 
E: jcostom {at} jasons {dot} org / W: http://www.jasons.org/
Quidquid latine dictum sit, altum viditur.






any mod_dav users?

2002-11-26 Thread Jason Costomiris
I'm running the httpd-2.x packages from RH8, rebuilt on RH 7.3.  
Working great, thus far..  Now I'm trying to configure DAV access to a 
directory..  I chgrp'd the dir to apache and made it group writeable.  
Next I set up Digest Auth on that directory, loaded mod_dav & 
mod_dav_fs.  I can connect, authenticate, mount the directory (Mac OS X 
Clients), see files, pull down files, delete files - no trouble at all 
with those operations.  However, I can't upload ANYTHING.  Every time I 
try to upload files, I get told that the file already exists.  Also 
can't create directories either..

Any suggestions?  The webdav faq wasn't helpful on this topic..

--j

--
Jason Costomiris 
E: jcostom {at} jasons {dot} org / W: http://www.jasons.org/
Quidquid latine dictum sit, altum viditur.





Re: removing ipchains from 2.4 kernel (fwd)

2002-11-20 Thread Jason Costomiris
On Wednesday, November 20, 2002, at 04:55  AM, [EMAIL PROTECTED] 
wrote:

I have installed both ipchains and iptables with my new kernel 2.4.x

but now I want to work with iptables only but I do not know how I can
remove ipchains modules from kernel.

i know about


rmmod ipchains

which will remove ipchains when system is running but what is proper way
of removing it from kernel as modules so I can build proxy with iptables.

Don't delete kernel modules..

chkconfig ipchains off
service ipchains stop

would stop and prevent ipchains from starting at boot.  if you prefer 
to totally remove the ipchains tools, then:

rpm -e ipchains

You may also have to remove things like lokkit, but do what you need...

--
Jason Costomiris 
E: jcostom {at} jasons {dot} org / W: http://www.jasons.org/
Quidquid latine dictum sit, altum viditur.





Re: Iptables HELP vpn

2002-11-16 Thread Jason Costomiris

On Friday, November 15, 2002, at 09:00  PM, Yoink! wrote:

Try something like this if it's imap you are after:

iptables -A INPUT  -i ppp0 -p tcp --sport 143 -m state -j ACCEPT
iptables -A OUTPUT -o ppp0 -p tcp --dport 143 -m state -j ACCEPT


That would only work if the IMAP server was running on the firewall 
(and you've got the sport/dport backwards :) ).  You most likely want 
to use the FORWARD chain.

--
Jason Costomiris 
E: jcostom {at} jasons {dot} org / W: http://www.jasons.org/
Quidquid latine dictum sit, altum viditur.





Re: Iptables HELP vpn

2002-11-16 Thread Jason Costomiris
On Saturday, November 16, 2002, at 10:26  AM, Jason Staudenmayer wrote:


Ok here's what I have (the long version).


Here's a very simple configuration that works.  This assumes eth0 is 
outside, eth1 is inside.  You should limit the services that are 
permitted to be forwarded from the ppp+ interfaces.

#!/bin/sh

IPTABLES=/sbin/iptables

$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP

$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A INPUT -i eth1 -j ACCEPT
$IPTABLES -A INPUT -i lo -j ACCEPT

$IPTABLES -A INPUT -p tcp -m state -i eth0 --state NEW --dport 1723 -j ACCEPT
$IPTABLES -A INPUT -p 47 -i eth0 -j ACCEPT

$IPTABLES -A FORWARD -m state -i eth1 --state NEW -j ACCEPT
$IPTABLES -A FORWARD -m state -i ppp+ --state NEW -j ACCEPT

$IPTABLES -t nat -A POSTROUTING -o eth0 -j MASQUERADE

--
Jason Costomiris 
E: jcostom {at} jasons {dot} org / W: http://www.jasons.org/
Quidquid latine dictum sit, altum viditur.





Re: Iptables HELP vpn

2002-11-15 Thread Jason Costomiris
On Friday, November 15, 2002, at 03:14  PM, Jason Staudenmayer wrote:


I can't seem to figure this out.
I have pptp (poptop) server running on my firewall .
VPN connection is good.
VPN client can't see anything on the network.
Iterfaces are as follows.
Eth0 internal private network
Eth1 outside world
Ppp+ vpn client.


Do your iptables rules permit forwarding from the ppp+ interfaces to 
the internal net?

--
Jason Costomiris 
E: jcostom {at} jasons {dot} org / W: http://www.jasons.org/
Quidquid latine dictum sit, altum viditur.





Re: SMTP/AV/Spm Follow-Up II

2002-11-14 Thread Jason Costomiris
On Thursday, November 14, 2002, at 07:17  AM, Kevin MacNeil wrote:


seems like the good old days before Canter & Siegel and all of their


Now there's a couple of names I haven't heard in a long time.

Makes me all misty thinking of ye olden days, and the green card 
lottery.

Yay.  :)

--
Jason Costomiris 
E: jcostom {at} jasons {dot} org / W: http://www.jasons.org/
Quidquid latine dictum sit, altum viditur.





Re: Ximian Gnome Crashes my Box

2002-11-12 Thread Jason Costomiris
On Tuesday, November 12, 2002, at 01:00  AM, Michael A. Peters wrote:


I can't run the Gnome that comes w/ RH 8 for more than 12 hours without
a crash.


So which is it?  The GNOME that comes with RH 8.0, or Ximian GNOME?

--
Jason Costomiris 
E: jcostom {at} jasons {dot} org / W: http://www.jasons.org/
Quidquid latine dictum sit, altum viditur.






Re: NAT and speedtouch under RH 8.0

2002-11-10 Thread Jason Costomiris
On Saturday, November 9, 2002, at 06:12  PM, Geoffroy Hallard wrote:


I have configured the ip_forward like this :
$ echo 1 > /proc/sys/net/ipv4/ip_forward


Take a look at /etc/sysctl.conf and make the change there, so it will 
happen automagically every time you boot.

[...chop...]

Use this script to set up your iptables config,

#!/bin/sh

IPTABLES=/sbin/iptables

$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP

$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i eth0 -j ACCEPT
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state -i eth0 --state NEW -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

then do:

service iptables save
chkconfig iptables on
service iptables restart

and my iptables like this :
The last problem is I can't read mp3 files.
I try to upgrade my version of XMMS (1.2.7) to the latest one (1.3). 
I don't receive any error message, but when I want to load XMMS it is 
version 1.2.7 that is loaded, I don't understand!!!

No mp3 support in RH8.  Visit www.xmms.org to get the mp3 plugin.




Re: ipsec IKE

2002-11-09 Thread Jason Costomiris
On Friday, November 8, 2002, at 03:29  PM, Simpson, Doug wrote:


I am trying to set up a gateway with RH7.3 and IPSEC.  I have reconfigured
the kernel with the latest freeswan and x509.  It boots with no problems.  I
then try to connect to it with SSHSentinel off a win2k laptop dialed into
the internet.  I have not put a firewall on this yet (I will).
I get the message on both ends that ike is not supported.  The SSH client is
saying "The remote end does not respond to the IKE proposal (phase-1) or the
gateway does not initiate the IKE config mode."
And on the RH box in /var/log/secure: oakley_des_cbc not supported.
On freeswan they say it is the client, but I have made sure I am running
3DES on the ssh client.

Can the ssh client run in a debug mode to check that the IKE proposals 
match?  When you do this, the IKE proposals on both sides have to match 
exactly - the cipher (3DES), the integrity alg. (MD5 or SHA1), the 
authentication method (x.509 or pre-shared secret), etc...



Re: aaa or radius server for linux

2002-11-06 Thread Jason Costomiris

On Wednesday, November 6, 2002, at 07:48  AM, Thierry ITTY wrote:


At 14:58 05/11/2002 -0800, you wrote:

Anyone know of good AAA or RADIUS server software
for Linux?   Is there any open-source software for this?


I found radius-980618.tar.gz a while ago somewhere on the net.
There's also the Cistron RADIUS server.


That crusty old radiusd is lacking a number of features..  He'll most 
likely want PAM support, maybe MySQL and maybe even LDAP support.  
Cistron does PAM out of the box, and there are patches for MySQL and 
LDAP too.

Take a look at FreeRADIUS from www.freeradius.org.  Looks like it 
supports (out of the box) PAM, MySQL, PostgreSQL, LDAP, Oracle, EAP/MD5 
and EAP/TLS.  That last one is incredibly useful if you plan to deploy 
WinXP wireless clients that you want to authenticate using x.509 
digital certs.

For me, I just setup a RADIUS server to use along with my Apple AirPort 
base station.  Right now, the AirPort's RADIUS support is only for 
checking MAC addresses to make a go/no-go decision on whether to permit 
the wireless device to associate.  I'm hoping they implement something 
like EAP or even LEAP in a future firmware release.  LEAP looks 
somewhat likely even - the client side of AirPort already supports it 
for Mac users connecting to Cisco APs running LEAP.



Re: PHP query string

2002-11-04 Thread Jason Costomiris
On Monday, November 4, 2002, at 10:21  AM, Brian Ashe wrote:


Newer versions of PHP all come with register globals turned OFF in the
php.ini file. Turn it to on and it should solve your problem.

Bad idea.  Use the $HTTP_POST_VARS and $HTTP_GET_VARS arrays.





Re: PHP query string

2002-11-04 Thread Jason Costomiris

On Monday, November 4, 2002, at 05:55  PM, Michael Rubin wrote:


Why is it a bad idea to turn on register globals ?


Read the bugtraq advisories...




Re: RH8 and Apache2, OMG

2002-11-03 Thread Jason Costomiris
On Sunday, November 3, 2002, at 08:50  PM, Teodor Georgiev wrote:

Apache 2.0.40 is in RH8.
Although it is compiled with DSO support, there is no apxs or apxs2.

Any opinions?


Sure.  Install httpd-devel.




Re: Masquerade hacking problem.

2002-11-02 Thread Jason Costomiris

On Saturday, November 2, 2002, at 02:50  PM, linux power wrote:


It seems that masquerade uses the netbios-ns port to broadcast to the 
whole world that it's seeking a vacant IP address. That is a major 
firewall problem on my computer because I can't close the netbios 
ports, and it results in hacking attempts all the time.

Nobody told me that when they recommended masqurade.

The netbios-ns service uses tcp/137.  Masquerading neither uses it, nor 
does it broadcast to the whole world that it's seeking a vacant IP 
address.

You've posted more than once with stories of your systems being hacked 
- I can only assume this means you've had multiple intrusions.  Perhaps 
you should read some howtos, or read up on securing your systems.  
While you're at it, you should also backup data files, and perform a 
clean (as in format the drives) installation of your operating systems.

Assuming a simple configuration, eth0 on the inside, eth1 on the 
outside, no inbound access, you would be safe with something as simple 
as:

# Safe default policies
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# allow established and related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow localhost communication
iptables -A INPUT -i lo -j ACCEPT

# allow inbound from internal network, allow internal network to go out to the Internet
iptables -A INPUT -m state -i eth0 --state NEW -j ACCEPT
iptables -A FORWARD -m state -i eth0 --state NEW -j ACCEPT

# setup NAT
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

There, I've fixed your hacking problems in 9 lines.  To save that, run 
service iptables save.



Re: Masquerade hacking problem.

2002-11-02 Thread Jason Costomiris
On Saturday, November 2, 2002, at 04:04  PM, Ernest E Vogelsinger wrote:


At 21:55 02.11.2002, Jason Costomiris said:
[snip]

# Safe default policies
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

[snip]

I beg to disagree - using an output default policy of ACCEPT opens a wide
door for any Trojans that may make it into your network one way or the
other. Maybe this is academic - having DROP as rule for fw input SHOULD
leave anything safe at the fw-box itself, but you never know...

Well, I'll just have to go on ahead and disagree with you. :)

I've been using the Internet since the late 80s, and I've never once 
been the victim of a trojan or a virus.  As far as I'm concerned, 
people who get infected with trojans and virii are generally wearing 
the digital equivalent of a kick me sign.  It's not hard to manage to 
not get infected - even my mother can do this.

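Ernest's objection above is about the OUTPUT policy. As an added example (not code from either post), this is Jason's masquerading ruleset rebuilt with a default-DROP OUTPUT chain, so the firewall host itself may only originate the traffic listed and anything else it tries to send is logged before it is dropped. The interface names, the allowed ports and the IPT dry-run variable are assumptions.

```shell
#!/bin/sh
# Added example: Jason's masquerading ruleset (eth0 inside, eth1 outside)
# rebuilt with a default-DROP OUTPUT chain, the variant Ernest argues for.
# IPT defaults to "echo iptables" so the rules are only printed; run with
# IPT=iptables as root to apply them.  Interfaces and ports are assumptions.
IPT=${IPT:-echo iptables}
INSIDE=${INSIDE:-eth0}
OUTSIDE=${OUTSIDE:-eth1}
# What the firewall host itself may originate towards the Internet
# (assumed: DNS, HTTP/HTTPS for package updates, NTP).
FW_TCP_OUT="53 80 443"
FW_UDP_OUT="53 123"

egress_rules() {
    # Default policies: nothing in, nothing forwarded, and now nothing out.
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP

    # Replies to connections the firewall or the LAN already opened.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Loopback in both directions: with OUTPUT at DROP, the INPUT-only
    # rule from the original script would no longer be enough.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # LAN hosts may reach the firewall and be forwarded out (masqueraded).
    $IPT -A INPUT -i "$INSIDE" -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i "$INSIDE" -o "$OUTSIDE" -m state --state NEW -j ACCEPT

    # The firewall may talk freely to the LAN (DNS/DHCP it serves, etc.).
    $IPT -A OUTPUT -o "$INSIDE" -j ACCEPT

    # The firewall host's own Internet traffic: explicit list only.
    for p in $FW_TCP_OUT; do
        $IPT -A OUTPUT -o "$OUTSIDE" -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    for p in $FW_UDP_OUT; do
        $IPT -A OUTPUT -o "$OUTSIDE" -p udp --dport "$p" -j ACCEPT
    done

    # Anything else leaving the box is logged before the policy drops it;
    # a hit here is the signal of the compromise Ernest is worried about.
    $IPT -A OUTPUT -o "$OUTSIDE" -m limit --limit 5/min -j LOG --log-prefix "FW-EGRESS-DROP: "

    # NAT by interface name (MASQUERADE), as in the original, so a
    # changing external address needs no rule edits.
    $IPT -t nat -A POSTROUTING -o "$OUTSIDE" -j MASQUERADE
}

# count_chain CHAIN -> number of -A rules generated for CHAIN (dry-run check).
count_chain() {
    egress_rules | grep -c -- "-A $1 "
}

# Print (or, with IPT=iptables, apply) the rules when invoked as: sh egress.sh run
if [ "${1:-}" = run ]; then
    egress_rules
fi
```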


Re: vpn masq builtin to kernels yet?

2002-10-29 Thread Jason Costomiris
On Tue, Oct 29, 2002 at 12:02:10AM +, gregory mott wrote:
: is vpn masq builtin to any kernels yet, or must one still follow the
: instructions in the VPN-Masquerade-HOWTO-2?

No longer applies..  netfilter (been in there since 2.3.something) handles
masq'ing of pptp easily.

Most IPSec clients today support some sort of encapsulation, so that their
ESP connections back to the mothership can be NAT'd without trouble.




Re: Redhat v8.0 question

2002-10-22 Thread Jason Costomiris
On Tuesday, October 22, 2002, at 12:51  AM, ajTreece wrote:


Starting VPN services: modules/lib/modules/2.4.19-14/COMPvpn/vpnmod: 
The module you are trying to load 
(lib/modules/2.4.19-14/COMPvpn/vpnmod) is compiled with a gcc version 
2 compiler, while the kernel you are running is compiled with a gcc 
version 3 compiler. This is known to not work.
Failed (insmod)

But, if I check the version of the gcc compiler (via gcc -v) it states 
that it is a 3.2 version.

Where's the mystery?  Your kernel was built with gcc 3.  The module was 
built with gcc 2.  Getting the new crisco client may alleviate the 
problem, if cisco has bothered to rebuild the appropriate module.



Re: Window Manager Redhat 8

2002-10-18 Thread Jason Costomiris
On Fri, Oct 18, 2002 at 12:07:00AM -0400, Aaron Rolett wrote:
: I recently installed a test server running Redhat 8. Switch from Sawfish
: to Metacity was like going backwards, so I installed sawfish and used
: the following command to switch it:
: 
: killall metacity && sawfish &
: 
: My question, where is the windowmanger choice stored in Redhat 8? How
: can I change the windowmanger for the individual user and/or systemwide?

I haven't dug enough through to tell you how to do it system-wide, but
if you use the gconf editing tool, you'll find it and be able to change the
WM to sawfish.




Re: Security (was: Tripwire)

2002-10-18 Thread Jason Costomiris
On Fri, Oct 18, 2002 at 12:12:33PM +0200, Thomas Ribbrock wrote:
: Further, I've been thinking about portsentry. What's the use of it?

You're not the only one who wonders this.

: If you
: have a firewall set up that's only allowing access to specifically defined
: ports from the outside on which you have services running (no need to have
: any other ports open), portsentry would never see a thing, right?

True.  IMO, portsentry does nothing that a reasonable firewall and NIDS 
configuration does, except automatically blackhole people.  One can achieve
that functionality through snort, built with flexresp.  So again, nothing 
that can't be done with a reasonable firewall and NIDS config.

: I for example have my firewall set up that way: Everything's blocked except
: a few defined ports on which I have services running (e.g. port 80, as I
: have a web server running[0]. Connections initiated from the inside are no
: problem, as the firewall is stateful (I'm using pf on OpenBSD - can iptables
: do this as well? ipchains couldn't, AFAIR), so am I right in assuming that
: portsentry wouldn't buy me anything?

You're correct, iptables is also stateful.  Using portsentry *might* have
some value if you run ipchains and no NIDS, but that's about the only 
circumstance where I think it's terribly useful.  Such programs often 
hamper administrators.  It's awfully easy to shoot yourself in the foot,
blocking YOURSELF from accessing your own system.




Re: Connecting two LAN

2002-10-16 Thread Jason Costomiris

On Wed, Oct 16, 2002 at 03:43:46PM +0800, Toto Gamez wrote:
: Network B (dial-up server)
: # route add -net 192.168.100.0 netmask 255.255.255.0 gw 192.168.100.99
: 
: Network A (dial-in server)
: # route add -net 192.168.100.0 netmask 255.255.255.0 gw 192.168.100.100

Two things...

1. Go to the bookstore and buy a good intro to TCP/IP book.  O'Reilly has
   a very good one..

2. Next - pick one of these 3 solutions to your problem:

1. Renumber one of the networks to run out of a different network
   (you can't run both sides as 192.168.100/24 as-is).

2. Subnet and possibly re-arrange portions of your IP space.

3. Setup your Linux machine as a bridge.
   http://www.linux.org/docs/ldp/howto/BRIDGE-STP-HOWTO/
   - You can ignore the parts about patching the kernel, you just
     insert the module bridge.o
   - You can get the bridge utilities by installing the bridge-utils
     package.




Re: RH as router, not recommended??

2002-10-15 Thread Jason Costomiris

On Mon, Oct 14, 2002 at 01:26:46PM -0400, Hal Burgiss wrote:
: If you need to fit it on one floppy disk like LRP, then LRP is better
: for obvious reasons. Other than that I can't think of any other
: reasons it would be better. Of course, having less installed, means
: less to configure, and less to worry about. Maybe some benefit there.
: Performance is not a factor. If anything a full blown distro would
: have more networking tools.

Repeat after me gang... :-)

I will not trust a vital piece of network infrastructure to a floppy disk.

Remember, that the floppy disk is one of the most unreliable forms of 
magnetic media.  If you're going to do this, invest in a flash device.
You get a number of benefits - faster, MUCH longer life-span, and more
reliable, overall.  Oh yeah, and it's probably much bigger than 1.44M.

Or, just use a router.  A regular router.  Also remember - just because
you can pound in a nail using the handle of a screwdriver, that doesn't
make it the best tool for the job. :)




Re: RH 8.0 Problems

2002-10-13 Thread Jason Costomiris

On Sat, Oct 12, 2002 at 07:57:08AM -0500, Ed Wilts wrote:
:  1-Xmms can not play MP3 files, but plays Wav. I think there is a problem with 
:  the plugin.
: 
: Read the 8.0 release notes.

And afterwards, pay a visit to www.xmms.org to follow the link to a site
with an RPM to add on that will give you MP3 support for the standard
RH 8.0 xmms package.




Re: Stupid question about SSH keys and security

2002-10-10 Thread Jason Costomiris

On 10/10/02 9:31 PM, Peter Kiem [EMAIL PROTECTED] wrote:

 Hi,
 
 This might seem a stupid question but I often see people recommending that
 you never log into SSH with password but rather use keys.
 
 Doesn't this create a security issue as if someone manages to break into one
 computer you own they can simply SSH straight into the other systems without
 passwords using the keys stored on that computer?

Only if you create keys that have no passphrase on them...

 At least if you are using passwords they need to work out the other
 computer's passwords before they can SSH into them?

Again, only if you create keys that have no passphrase.

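Jason's answer hinges on whether the key file carries a passphrase. As an added example (not from the thread), this script reports private key files that lack one, reading both the PEM format of the time and the current OpenSSH format, which postdates the thread; the sample files it builds are constructed for the demonstration and are not real keys.

```shell
#!/bin/sh
# Added example (not from the thread): report SSH private keys that have no
# passphrase, the one condition Jason names.  Two on-disk formats are read:
#
#  PEM     (-----BEGIN RSA PRIVATE KEY-----): a passphrase shows up as a
#          "Proc-Type: 4,ENCRYPTED" header line in the file.
#  OpenSSH (-----BEGIN OPENSSH PRIVATE KEY-----): the decoded body opens
#          with the magic "openssh-key-v1\0" and then a length-prefixed
#          cipher name, which is literally "none" when there is no passphrase.

# key_state FILE -> prints encrypted, unencrypted or unknown
key_state() {
    if grep -q -- '^-----BEGIN OPENSSH PRIVATE KEY-----' "$1"; then
        # Strip the armour, decode, keep only printable runs: token one is
        # the magic string, token two is the cipher name.
        cipher=$(sed '/^-----/d' "$1" | tr -d '\n' | base64 -d 2>/dev/null |
            head -c 64 | tr -c 'A-Za-z0-9.@-' '\n' |
            awk 'NF { n++ } n == 2 { print; exit }')
        case $cipher in
            none) echo unencrypted ;;
            '')   echo unknown ;;
            *)    echo encrypted ;;
        esac
    elif grep -q -- '^-----BEGIN .*PRIVATE KEY-----' "$1"; then
        if grep -q -e '^Proc-Type: 4,ENCRYPTED' \
                   -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
            echo encrypted
        else
            echo unencrypted
        fi
    else
        echo unknown
    fi
}

# audit_keys DIR -> prints the private key files in DIR that lack a
# passphrase; returns 1 if any were found, so it can gate a cron job.
audit_keys() {
    found=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case $f in *.pub) continue ;; esac
        grep -q -- '^-----BEGIN .*PRIVATE KEY-----' "$f" 2>/dev/null || continue
        if [ "$(key_state "$f")" = unencrypted ]; then
            echo "$f"
            found=1
        fi
    done
    return $found
}

# make_samples -> writes constructed (not real) key files to a temp directory
# and prints its path.  Bodies are placeholder base64; only the parts the
# audit reads are realistic.
make_samples() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF' '' \
        'QUJDREVGR0g=' '-----END RSA PRIVATE KEY-----' > "$d/id_rsa_locked"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'QUJDREVGR0g=' \
        '-----END RSA PRIVATE KEY-----' > "$d/id_rsa_open"
    # OpenSSH format: magic, cipher "none", kdf "none" = no passphrase
    b=$(printf 'openssh-key-v1\000\000\000\000\004none\000\000\000\004none' | base64 | tr -d '\n')
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' "$b" \
        '-----END OPENSSH PRIVATE KEY-----' > "$d/id_ed25519_open"
    # OpenSSH format: cipher "aes256-ctr", kdf "bcrypt" = passphrase set
    b=$(printf 'openssh-key-v1\000\000\000\000\012aes256-ctr\000\000\000\006bcrypt' | base64 | tr -d '\n')
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' "$b" \
        '-----END OPENSSH PRIVATE KEY-----' > "$d/id_ed25519_locked"
    printf '%s\n' 'ssh-ed25519 AAAA placeholder' > "$d/id_ed25519_open.pub"
    echo "$d"
}

# Run directly with a directory to audit, e.g.:  sh keyaudit.sh ~/.ssh
if [ $# -gt 0 ]; then
    audit_keys "$1"
fi
```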



Re: Bluecurve - where do I edit the RedHat menu??

2002-10-10 Thread Jason Costomiris

On 10/10/02 8:46 PM, Chris de Vidal [EMAIL PROTECTED] wrote:

 (I sent this before but it doesn't look like it made
 it to the list.)
 
 I want to add/edit/delete the Bluecurve (Gnome) menus
 but I don't see a menu editor ANYWHERE.
 
 I've right-clicked the RedHat menu, I've gone into the
 Control Center, I've right-clicked items in the menu.
 
 I've also looked throughout the documentation and
 don't see any help there.
 
 The Help center seems to focus only on Gnome
 (shouldn't it focus on all RedHat help topics?) but
 even that didn't mention editing the menus, which I
 know I've done in Gnome in the past.
 
 I am logged in as a non-root user.
 
 Bluecurve will get dumped for xfce quickly if I can't
 (easily) edit menus.

You're overlooking the obvious. :)

Open up the Start Here, and head for Programs.  Rearrange to your heart's
content.  That's your menu.





Re: Disabling SSL

2002-10-02 Thread Jason Costomiris

On 10/2/02 12:24 AM, Joe Giles [EMAIL PROTECTED] wrote:

 List,
 I run an apache server and have no need for SSL; however, my server is
 listening for it. How can I disable this feature? The reason I want to do
 this is I did a netstat -ap and noticed that someone was ESTABLISHED on an
 https port. This is weird cause I don't have any web pages that support
 https. Here is the netstat list...

It seems that everyone has overlooked the obvious...

rpm -e mod_ssl
service httpd restart

It will never try to bind to tcp/443 again.




Re: RH's half-support for devfsd...

2002-09-19 Thread Jason Costomiris

On Thu, Sep 19, 2002 at 11:32:14AM -0700, Todd A. Jacobs wrote:
: On Thu, 19 Sep 2002, Jason Costomiris wrote:
: 
:  Of course, I've changed my /etc/init.d/halt script to stop the devfsd
:  and umount /dev, but shouldn't these have already been done by RH?
: 
: Most people who implement devfs do it in conjunction with /dev, not as a 
: replacement. Even the devfs docs will tell you that replacing /dev is a 
: bad thing(tm).

Well yeah, when you umount /dev, what do you think you see in there?
It's the contents of the dev package.  

If I boot a non-devfs kernel, my system won't start the devfsd, since
/dev won't get mounted, using the device nodes that actually live on 
the root filesystem.  There's nothing wrong with how I'm using devfs/devfsd.
What's broken is the RH /etc/init.d/halt script, though only minorly 
broken...




Re: cat?

2002-09-19 Thread Jason Costomiris

On Thu, Sep 19, 2002 at 01:42:30AM -0400, Hal Burgiss wrote:
: On Wed, Sep 18, 2002 at 11:37:37PM -0400, Anthony E. Greene wrote:
:  
:  You want to read a list of host names from a file and prepend 'www'
:  to any name that does not already start with 'www'. Try this:
: 
: [...]
: 
: If in a hurry:
: 
:  perl -pi -e 's/^/www./ unless /^www\./' $your_file

...and in case you change your mind after you run the command,
make that -pi.bak, so you'll have $your_file.bak to roll back to...

:)




RH's half-support for devfsd...

2002-09-19 Thread Jason Costomiris

I recently converted a couple of RH 7.3 boxen to use devfs.  I did this by
taking the most recent kernel SRPM, changed the configs, and built the
appropriate kernel/modules and kernel-source rpms.  I also, of course, built
a nice RPM for devfsd (1.3.25, if anyone cares).

The rc.sysinit file checks to see if we're running devfs, and if so, 
will automagically start /sbin/devfsd /dev.  So far, so good, right?
Right.  Problem is that when the machine is halted or rebooted, the scripts
don't kill the devfsd process, resulting in the inability to umount the
root filesystem.

Of course, I've changed my /etc/init.d/halt script to stop the devfsd and
umount /dev, but shouldn't these have already been done by RH?

I plan on filing a bugzilla report when I get back from my meeting later
today, but I thought I might open this up for discussion...




Re: Slapper Worm on openssl 0.9.6b

2002-09-18 Thread Jason Costomiris

On Wed, Sep 18, 2002 at 01:14:19PM -0400, Anthony E. Greene wrote:
: Specifically 0.9.6b-28. Earlier 0.9.6b packages (ie; 0.9.6b-24 and
: 0.9.6b-8) may not have the fix for this vulnerability.
: 
: I really wish RH would make some kind of explicit announcement about this.

You mean, like this:

http://rhn.redhat.com/errata/RHSA-2002-160.html

?




Re: Trouble ticket system

2002-09-10 Thread Jason Costomiris

On Mon, Sep 09, 2002 at 08:57:39AM -0400, Chris Mason wrote:
: I don't think PHP supports PAM authentication without patches, how would
: you access the authentication system?

Easy.  Use RADIUS.  Get this:

http://www.hotscripts.com/Detailed/11675.html

Setup Cistron, or some other RADIUS server, and authenticate against the
system users.




Re: iptables bug or feature?

2002-09-08 Thread Jason Costomiris

On Sat, Sep 07, 2002 at 02:43:37AM -0700, daniel wrote:
:   iptables v1.2.7 invalid TCP port/service `2049:2000:1080:3128' specified
:   Try `iptables -h' or 'iptables --help' for more information

Do you have the ipt_multiport.o module built?

Check under your /lib/modules/version/kernel/net/ipv4/netfilter directory
to be sure..  Perhaps also try modprobing ipt_multiport before trying
again...




Re: Message To Redhat.com

2002-08-25 Thread Jason Costomiris

On Sat, Aug 24, 2002 at 03:32:43PM -0400, Anthony Abby wrote:
:  Windows 2000 was indeed marketed to home users as the more powerful, faster
:  OS.  You're reaching, big time. :)
: 
: Oh?  How so?  Windows NT was never marketed for home use.  In fact
: literature on the MS website marketed it directly for business use. 
: Windows 2000 was also never marketed for home use, and if you'll recall,
: at that time there were two parallel code bases.. Windows NT/Win2k and
: the Win 9.x code bases.  

You're right, NT 4.0 wasn't marketed for home use.  2000 was.  It was 
marketed as the bigger, badder, more stable alternative to home users.
There was a huge sign for it in my local compusa at the time.




Re: Kernel compilation - File config

2002-08-19 Thread Jason Costomiris

On Mon, Aug 19, 2002 at 10:06:42AM +0200, Yohann DESQUERRE (DSI NOISIEL) wrote:
: I've just installed my RH7.3 and I'd like to compile my kernel with the
: ntfs read-only support. I just want to add this to my existing config, but I
: don't find the file to load (.config under /usr/src/linux). Does this file
: exist before the first compilation??? Or is the only way I have to make
: a new config file?

Pick the config file you want from /usr/src/linux-2.4/configs, copy
that to the /usr/src/linux-2.4 directory, name it .config and go to work.




Re: unsubscribe

2002-08-16 Thread Jason Costomiris

On Fri, Aug 16, 2002 at 03:22:53AM -0400, Bill Wetzel wrote:
: I sure don't know .. I have sent three unsubscribe messages and they
: advise me something to the effect that they must hold a board of
: governors meeting to see if I can be allowed to unsubscribe 

I don't suppose you could be bothered to either read the instructions that
are in the footers of messages sent to the list OR the email you received
when you subscribed...




Re: apt-get install

2002-08-16 Thread Jason Costomiris

On Fri, Aug 16, 2002 at 11:45:11AM -0500, Roger Schmeits wrote:
: I have been trying to install apt-get (RH7.2) using the following rpms.
: This is a new install with no updates from RH.
: 
: *
: apt-0.3.19cnc55-fr8.i386.rpm
: apt-devel-0.3.19cnc55-fr8.i386.rpm  
: **
: 
: These are the error messages that I am getting...
: 
: 
: [root@localhost root]# rpm -Uvh apt-0.3*.rpm
: error: failed dependencies:
: librpm-4.0.4.so   is needed by apt-0.3.19cnc55-fr8
: librpmdb-4.0.4.so   is needed by apt-0.3.19cnc55-fr8
: librpmio-4.0.4.so   is needed by apt-0.3.19cnc55-fr8

You haven't done the RPM update that's part of RH 7.2.  You're also 
installing the wrong version of apt-get.  The -fr8 release is for RH7.3.

Go back to apt.freshrpms.net and get the right version, and install the
updated rpm package and you'll be an apt-get update && apt-get upgrade
away from being up to date.




Re: Postfix and SMTP AUTH

2002-08-09 Thread Jason Costomiris

On Thu, Aug 08, 2002 at 02:55:04PM +, jtnelson wrote:
: I've been trying to follow instructions from postfix.org for setting up the 
: server to use cyrus-sasl, but haven't gotten it to work yet, and it's getting 
: aggravating.  I couldn't find any specific documentation from Red Hat about 
: this problem.  
: 
: Does anyone know if there's an easy way to do this with RH 7.3 using Postfix?  

Sure, it works great.  You'll have to pull postfix out of the chroot
jail though if you want to use PAM to authenticate against 
/etc/[passwd|shadow].  Check the master.cf file and your permissions on
/etc/shadow.  Don't forget to create the appropriate files in /etc/pam.d.





Re: iptables

2002-08-01 Thread Jason Costomiris

On Wed, Jul 31, 2002 at 10:07:07PM -0400, C. Linus Hicks wrote:
: On Wed, 2002-07-31 at 16:33, Anthony E. Greene wrote:
:  This is why I generally recommend creating a shell script that creates all
:  firewall rules, then saves them using service iptables save. You update
:  the script, run it, and the changes are made and saved. The next time you
:  reboot and/or restart iptables, the changes created by the custom shell
:  script are re-applied as part of the normal initscript process. 
: 
: That doesn't solve the problem when the act of booting may cause a new
: IP address to be assigned.

Anthony's correct - make sure you've got a script, so changes are easy 
to make.

More to the point, however, is you've been told twice, this will be the
third time about how to get your problem solved.  Don't reference the 
external IP address in your NAT rule.  There's no reason to SNAT an
entire subnet - SNAT is intended for use on single hosts.  Use MASQUERADE
to do what you want, and simply reference the interface name of your
external interface.




Re: Wireless PCI Network Card and Driver

2002-08-01 Thread Jason Costomiris

On Wed, Jul 31, 2002 at 07:21:55PM -0500, Mike Burger wrote:
: Check Cisco and Orinoco (Lucent)

I've found the PCI-PCMCIA bridge cards have been fairly problematic
under Linux, with the notable exception of the Linksys and Netgear cards.

The Orinoco PCI-PCMCIA bridge card just didn't work at all.  The Cisco 
card was a bit difficult, but ultimately worked.

The Linksys native PCI card (WMP11) is about $80, which is considerably
cheaper than getting the PCMCIA card and the PCI bridge card...

-- 
Jason Costomiris|  Technologist, geek, human.
jcostom {at} jasons {dot} org  |  http://www.jasons.org/ 
  Quidquid latine dictum sit, altum viditur.
My account, My opinions.






Re: iptables

2002-08-01 Thread Jason Costomiris

On Thu, Aug 01, 2002 at 11:29:39AM -0400, C. Linus Hicks wrote:
: Using MASQUERADE obviates the need for it, but for completeness, isn't
: it a good idea to answer the question as well? Then he can make up his
: own mind. The wisdom of the list comes from the diversity of the people
: on it.

Is it not clear that in order to do SNAT, one must supply the address to
NAT to?  Since that's the case, and your address is changing, that
sort of obviates the ability to use SNAT, so suggesting MASQUERADE not
only answers the question, but also solves your problem. :)

-- 
Jason Costomiris|  Technologist, geek, human.
jcostom {at} jasons {dot} org  |  http://www.jasons.org/ 
  Quidquid latine dictum sit, altum viditur.
My account, My opinions.






Re: Wireless PCI Network Card and Driver

2002-07-31 Thread Jason Costomiris

On Wed, Jul 31, 2002 at 11:33:15AM -0400, [EMAIL PROTECTED] wrote:
: Where can I acquire a wireless PCI network card and driver?

CompUSA - Linksys WMP11.  Should work with the orinoco_pci.o driver.
*Definitely* works with the prism2_pci.o from the wlan-ng drivers.

-- 
Jason Costomiris|  Technologist, geek, human.
jcostom {at} jasons {dot} org  |  http://www.jasons.org/ 
  Quidquid latine dictum sit, altum viditur.
My account, My opinions.






Re: iptables

2002-07-31 Thread Jason Costomiris

On Wed, Jul 31, 2002 at 10:06:20AM -0600, Ashley M. Kirchner wrote:
: 
: The NAT part of my /etc/sysconfig/iptables file currently looks like this:
: 
: # Generated by iptables-save v1.2.5 on Sat Jul  6 21:48:37 2002
: *nat
: :PREROUTING ACCEPT [180:25435]
: :POSTROUTING ACCEPT [21:1455]
: :OUTPUT ACCEPT [21:1455]
: -A POSTROUTING -s 10.1.2.0/255.255.255.0 -d ! 10.1.2.0/255.255.255.0 \
:-j SNAT --to-source xxx.xxx.xxx.xxx
: COMMIT
: # Completed on Sat Jul  6 21:48:37 2002

Why are you SNAT'ing a subnet?  Use masq instead..

-A POSTROUTING -o eth0 -j MASQUERADE

substitute your external i/f for eth0 

-- 
Jason Costomiris|  Technologist, geek, human.
jcostom {at} jasons {dot} org  |  http://www.jasons.org/ 
  Quidquid latine dictum sit, altum viditur.
My account, My opinions.



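
A complete script for the MASQUERADE approach recommended in this reply and in the two follow-ups dated 2002-08-01, written here as an added example rather than taken from any of the posts. It follows the $IPT-style scripts shared on the list: flush, default-deny policies, state tracking, then a POSTROUTING rule keyed on the external interface name, so a DHCP-assigned address never has to appear in a rule. The interface names, the 10.1.2.0/24 network and the `start` argument are assumptions.

```shell
#!/bin/sh
# Added example (not from the list thread): a minimal masquerading firewall.
# Assumed layout: eth0 outside (DHCP-assigned), eth1 inside on 10.1.2.0/24.
# Set IPT=echo to print the rules instead of loading them.
set -eu

IPT=${IPT:-iptables}
EXT_IF=${EXT_IF:-eth0}
INT_IF=${INT_IF:-eth1}
INT_NET=${INT_NET:-10.1.2.0/24}

# Start from a clean slate in every table.
flush_all() {
    $IPT -F
    $IPT -t nat -F
    $IPT -t mangle -F
    $IPT -X
}

# Default-deny inbound and forwarded traffic; let replies through by state.
base_policy() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Internal hosts may reach the firewall itself and be forwarded outward.
    $IPT -A INPUT -i "$INT_IF" -s "$INT_NET" -j ACCEPT
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$INT_NET" -j ACCEPT
}

# The point of the thread: MASQUERADE uses whatever address EXT_IF
# currently has, so no --to-source value can go stale after a reboot.
nat_rules() {
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$INT_NET" -j MASQUERADE
}

enable_forwarding() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Run as "sh fw.sh start"; afterwards "service iptables save" (as the
# thread suggests) persists the result for the initscript.
if [ "${1:-}" = start ]; then
    flush_all
    base_policy
    nat_rules
    enable_forwarding
fi
```

Keeping the rules in functions means the same script is both the documentation of the policy and the thing that loads it, which is what Anthony's "script, then save" advice amounts to.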



Re: Limbo

2002-07-19 Thread Jason Costomiris

On Fri, Jul 19, 2002 at 06:45:53AM -0400, Anthony Abby wrote:
: Is there any documentation or information on the Redhat website where one
: can go to read about Limbo?  Find out what's in it... for instance, what
: version of KDE/Gnome is rolled into Limbo??

Sure, you can find out what version of anything from Limbo is right
here:

ftp://ftp.redhat.com/pub/redhat/linux/beta/limbo/en/os/i386/RedHat/RPMS/

-- 
Jason Costomiris|  Technologist, geek, human.
jcostom {at} jasons {dot} org  |  http://www.jasons.org/ 
  Quidquid latine dictum sit, altum viditur.
My account, My opinions.






Re: anyone tried IEEE1394 on linux ?

2002-07-13 Thread Jason Costomiris

On Thu, Jul 11, 2002 at 11:46:58AM +1000, [EMAIL PROTECTED] wrote:
: Has anyone out there tried FireWiring Linux ? I read it is supported in
: kernel version 2.4.x
: Could you share your experience :
: (1)  chipset and installation
: (2)  promised vs actual speed of serial bus
: (3)  reliability
: (4)  anyone tried a daisy-chain  of fire-wired devices which includes
: a CD_RW ?
: THX

1. I've used 3 firewire cards - the WD card, the SB-Link port on the
SB Audigy and most recently the Adaptec DuoConnect card (has 1394 & usb2).
All of them used the ohci1394 driver.

2. I'm only using it for a CD-RW drive, and it sure seems faster than the
old SCSI one I had internally.  No quantifiable #'s for you.

3. Very.

4. No chain, but the device I've got is a QPS QueFire 16X/10X/40X CD-RW.

-- 
Jason Costomiris|  Technologist, geek, human.
jcostom {at} jasons {dot} org  |  http://www.jasons.org/ 
  Quidquid latine dictum sit, altum viditur.
My account, My opinions.






Re: which NIC is which

2002-07-09 Thread Jason Costomiris

On Tue, Jul 09, 2002 at 01:52:15PM -0700, John Telford wrote:
: I'm building routers.  It's difficult to tell in advance which NIC will
: be assigned eth0 and which will be assigned eth1 when using two NICs.  Ping
: testing usually clears up this simple problem.

It's largely voodoo that probably only the guy who wrote the pci
bus scanning code understands.  You might as well get into the habit
I got into on other platforms.  As you install the NICs, print a label
with the MAC address of the card and attach it as you insert the cards.
At that point, determining which card is which takes 5 seconds.

Additionally, it makes it easier for anyone who follows you to identify
the various NICs in the machine.

-- 
Jason Costomiris|  Technologist, geek, human.
jcostom {at} jasons {dot} org  |  http://www.jasons.org/ 
  Quidquid latine dictum sit, altum viditur.
My account, My opinions.



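
A small inventory helper for the labelling habit described above, added here as an example and not part of the post. It reads each interface's MAC from sysfs so a router's eth0/eth1 assignment can be matched against the printed labels without ping tests. The SYSFS_NET override is an assumption that exists only so the functions can be run against a constructed directory tree.

```shell
#!/bin/sh
# Added example (not from the list post): map interface names to the MAC
# addresses on the card labels. Reads /sys/class/net by default; SYSFS_NET
# can point at a constructed tree for testing.
set -eu

SYSFS_NET=${SYSFS_NET:-/sys/class/net}

# Print "name mac" for every non-loopback interface, MAC in lowercase.
list_nics() {
    for d in "$SYSFS_NET"/*; do
        if [ ! -r "$d/address" ]; then
            continue
        fi
        name=${d##*/}
        if [ "$name" = lo ]; then
            continue
        fi
        mac=$(tr 'A-F' 'a-f' < "$d/address")
        printf '%s %s\n' "$name" "$mac"
    done
}

# Given the MAC printed on a card's label, print the name the kernel gave it.
iface_for_mac() {
    want=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    list_nics | while read -r name mac; do
        if [ "$mac" = "$want" ]; then
            printf '%s\n' "$name"
            break
        fi
    done
}

# Usage: list_nics            -> one "ethN mac" line per card
#        iface_for_mac 00:11:22:33:44:55
```

Run `list_nics` once after the cards are in and paste the output into the router's build notes; the label on the bracket and that list are then enough for whoever services the box next.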



Re: Intrusion Detection

2002-07-07 Thread Jason Costomiris

On Sat, Jun 29, 2002 at 03:59:17PM -0400, Jay Daniels wrote:
: I'm looking for a ids like puresecure, but free and open source.  Take a
: look. The screenshots are amazing, but so is the price!!!

Good news for you then.  Puresecure just uses snort.

LARC looks like an interesting config interface for the web..

-- 
Jason Costomiris|  Technologist, geek, human.
jcostom {at} jasons {dot} org  |  http://www.jasons.org/ 
  Quidquid latine dictum sit, altum viditur.
My account, My opinions.






Re: saslauthd or pwcheck programs

2002-06-23 Thread Jason Costomiris

On Sat, 22 Jun 2002, Andrew Judge wrote:

 Anyone know where I can get saslauthd or pwcheck to use SASL with postfix.
 None of the cyrus rpms have either for 7.3.  I am trying to use UW imap and
 postfix with 7.3, but I think I need one of the above programs

You may need to (as Mike noted) get RPMs from another source to have
SASL support in postfix.  I'm using SASL for SMTP Auth with Postfix, done
over TLS using the RPMs from:

http://www.pobox.com/~sjmudd/postfix/ftp/SRPMS/

I've built 1.1.11 with TLS, PCRE and SASL support...

You'll need to do a couple of things to get SASL working:

1. Set your /usr/lib/sasl/smtpd.conf to say either:

pwcheck_method: sasldb

or

pwcheck_method: pam

In either event, you'll have to change postfix's master.cf to pull the
smtpd out of the chroot jail.

If you go the sasldb route, you can setup your users with something like:

saslpasswd -c -u `postconf -h myhostname` -a smtpauth username

Make sure you then do something like:

chown root.postfix /etc/sasldb
chmod 640 /etc/sasldb

If you go the PAM route, you'll need to let the smtpd process have read
access to /etc/shadow, perhaps by changing the group ownership on 
/etc/shadow to postfix, and permissions to 640.

Also, if you setup SMTP Auth, make sure you also setup TLS, and in 
particular require users that are doing SMTP Auth to also be using TLS.

-- 
Jason Costomiris|  Technologist, geek, human.
jcostom {at} jasons {dot} org  |  http://www.jasons.org/ 
  Quidquid latine dictum sit, altum viditur.
My account, My opinions.



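
The steps in this reply, together with the RH 7.3 Postfix/PAM reply at the top of this page (smtpd out of the chroot, /etc/shadow permissions), as a script that applies them to a Postfix built with SASL and TLS support. This is an added example, not code from either post or from Postfix; paths are the ones named in the posts, and the POSTCONF/SASL_CONF/SASLDB/MASTER_CF overrides are assumptions so the functions can be exercised on scratch files.

```shell
#!/bin/sh
# Added example (not from the list posts): wire up SMTP AUTH over TLS for
# Postfix the way the posts describe. Needs Postfix with SASL+TLS support.
# POSTCONF=echo prints the main.cf changes instead of applying them.
set -eu

POSTCONF=${POSTCONF:-postconf}
SASL_CONF=${SASL_CONF:-/usr/lib/sasl/smtpd.conf}
SASLDB=${SASLDB:-/etc/sasldb}
MASTER_CF=${MASTER_CF:-/etc/postfix/master.cf}

# 1. Tell the SASL library how smtpd verifies passwords. sasldb keeps the
#    secrets in their own file; pam means smtpd must be able to read
#    /etc/shadow, which is the less attractive of the two.
write_sasl_conf() {   # $1 = sasldb | pam
    case "$1" in
        sasldb|pam) printf 'pwcheck_method: %s\n' "$1" > "$SASL_CONF" ;;
        *) echo "unsupported pwcheck_method: $1" >&2; return 1 ;;
    esac
}

# 2. Take smtpd out of the chroot (5th column of master.cf: service type
#    private unpriv chroot wakeup maxproc command). Writes the new file to
#    stdout so the caller can review it before replacing master.cf.
unchroot_smtpd() {    # $1 = path to master.cf
    awk '$1 == "smtp" && $2 == "inet" { $5 = "n" } { print }' "$1"
}

# 3. Only root and the postfix group may read the password database.
lock_sasldb() {
    chown root:postfix "$SASLDB"
    chmod 640 "$SASLDB"
}

# 4. Turn AUTH on, and refuse to offer it until STARTTLS has completed,
#    so credentials never cross the wire in the clear.
configure_postfix() {
    $POSTCONF -e 'smtpd_sasl_auth_enable = yes'
    $POSTCONF -e 'smtpd_use_tls = yes'
    $POSTCONF -e 'smtpd_tls_auth_only = yes'
    $POSTCONF -e 'smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination'
}

# Usage, as root:
#   write_sasl_conf sasldb
#   unchroot_smtpd "$MASTER_CF" > master.cf.new && mv master.cf.new "$MASTER_CF"
#   saslpasswd -c -u "$(postconf -h myhostname)" -a smtpauth USERNAME
#   lock_sasldb
#   configure_postfix && postfix reload
```

With `smtpd_tls_auth_only = yes` the AUTH capability is simply not advertised on a plaintext session, which is the mechanical form of "require users that are doing SMTP Auth to also be using TLS".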



Re: why do you have to put '2>&1' after /dev/null?

2002-06-08 Thread Jason Costomiris

On Thu, Jun 06, 2002 at 05:04:57PM -0700, The Gyzmo wrote:
: Why do you have to put '2>&1' after '/dev/null' when
: piping something to /dev/null, like this:?
: 
: [command] > /dev/null 2>&1

You've got it backwards.

[command] 2>&1 > /dev/null

2 == stderr
1 == stdout

You redir stderr into stdout, then shoot the whole thing into /dev/null.

You don't HAVE to do this, just when you want to discard any output
from a command.

-- 
Jason Costomiris|  Technologist, geek, human.
jcostom {at} jasons {dot} org  |  http://www.jasons.org/ 
  Quidquid latine dictum sit, altum viditur.
My account, My opinions.






Re: Linux-friendly MP3 player?

2002-06-03 Thread Jason Costomiris

On Mon, Jun 03, 2002 at 10:19:39AM -0500, Justin Ellison wrote:
:   Looking into freeing up some hard drive space on my laptop, and
: thinking about getting an MP3 player.  What does everyone have, how do
: you like it?  Windows is not an option - if it doesn't work in Linux,
: I'm not getting it.

I've got a Rio800.  I only use it with my winxp notebook (belongs to work),
but could just as easily use it with my other systems (Linux), using
rioutil: http://rioutil.sourceforge.net

When I had a Rio500, it worked great under Linux too.

-- 
Jason Costomiris|  Technologist, geek, human.
jcostom {at} jasons {dot} org  |  http://www.jasons.org/ 
  Quidquid latine dictum sit, altum viditur.
My account, My opinions.






Re: Knowledgable List?

2002-05-27 Thread Jason Costomiris

On Sun, May 26, 2002 at 07:15:45PM -0700, Shin Ji wrote:
: Whoa!! A response.

Ok, I'll bite, since you seem completely incapable of using a 
search engine, you get a 1-time pass.  After this, you can
either learn how to use a search engine, or not be rude.

:  Show me the manual to why RedHat left ip_masq_pptp
: module out of the 7.2 distro and I will shut up, go
: away and read it. 

It was not left out at all.  It's an old piece of software that's
no longer used.  Had you taken the time to search a bit, you'd see
clearly that this module is only used with 2.0 and 2.2 kernels.  
Why does it appear in RH 7.0?  Install RH 7.0, do a uname -a and
answer your own question.  Since PPTP is GRE+udp/1723, configure
your iptables rules to account for ip proto 47 (the GRE tunnel)
and udp/1723 (the control channel).  If you need to support multiple
PPTP tunnels from behind the same firewall and are using NAT, you'll
need to track the connections with ip_conntrack.  The ip_gre module
has nothing to do with filtering, rather it provides the GRE protocol
for your use.

:  Ray Curtis - I have no idea how to make my question
: any easier. Drawing a diagram would be an insult would
: it not? Is crayon okay? I will draw it scan it, send a
: URL to the .jpgs

YOU may find it degrading to draw a network diagram, but you know what?
Too bad.  How else are we to be sure that you're trying to not do 
something silly/impossible?  A diagram removes all ambiguity from 
the problem description.  If you feel the need to regress to crayons,
that's up to you, but many of us would use a tool like Dia or even Visio
to do this.

:  Geesh! This place is just like the linux groups on
: usenet. You gotta find out whos butt to kiss before
: you can get an answer. I haven't asked my question
: there yet. Anyone know whos butt to kiss? It would
: save me some time and be much appreciated.

Well pucker up, big boy.  Look, it's not about kissing anyone's butt.
It's about demonstrating a reasonable effort before asking for help,
and not simply demanding solutions to your problems.  You want to 
talk to a group of people that is obligated to solve your problems?
That costs money - in the form of a support contract.

-- 
Jason Costomiris|  Technologist, geek, human.
jcostom {at} jasons {dot} org  |  http://www.jasons.org/ 
  Quidquid latine dictum sit, altum viditur.
My account, My opinions.






QoS configuration?

2002-05-21 Thread Jason Costomiris

I've got a very simple configuration for an iptables fw...

Cable Modem--firewall--internal network

firewall: eth0 == outside, assigned by DHCP from cable co.
  eth1 == 10.10.10.1/24

I've got a SIP-based VoIP device that's connected to the internal network,
say 10.10.10.50.  I'm doing some DNAT to support incoming calls, and MASQ
for the rest of the traffic.  The device requires 90 kbps of bandwidth 
to operate properly.  My downlink from the cable co. is about 1.5 Mbps,
with an uplink of about 128 kbps.  Under normal circumstances, everything
works, but if I've got several things going on, sometimes call quality
suffers.

I'd like to configure QoS such that:

1. When active, 10.10.10.50 can be allocated 90 kbps bi-directionally.
2. When 10.10.10.50 isn't active, that 90 kbps in either direction can
   be used by other stuff.

Any thoughts on how to script that?  I imagine it's not more than 5-10
lines, but I just have no clue how to do this with tc...  Thanks..

-- 
Jason Costomiris|  Technologist, geek, human.
jcostom {at} jasons {dot} org  |  http://www.jasons.org/ 
  Quidquid latine dictum sit, altum viditur.
My account, My opinions.






Re: Hacked again...

2002-05-06 Thread Jason Costomiris

On Sun, May 05, 2002 at 02:32:24PM -0500, Glen Lee Edwards wrote:
: From what I read on their site last night, it's only free for the first box.
: After that you have to pay a fee.  I have 3 Red Hat computers.

I will take yet another opportunity to point out the use of apt-rpm.

http://apt-rpm.tuxfamily.org/

-- 
Jason Costomiris|  Technologist, geek, human.
jcostom {at} jasons {dot} org  |  http://www.jasons.org/ 
  Quidquid latine dictum sit, altum viditur.
My account, My opinions.






Re: Firewall question

2002-03-31 Thread Jason Costomiris

On Mon, Apr 01, 2002 at 10:00:38AM -0500, Lewi wrote:
: for what purpose? I think that for masquerade, it's impossible

There's no point in creating a firewall that's got both NICs in the
same network.  Two NICs in the same collision domain's another story.
Bad, no, make that downright awful, but it could technically work in a
pinch.

: On Thu, Mar 28, 2002 at 04:01:44PM -0800, [EMAIL PROTECTED] wrote:
:  Hello Redhat-list members. 
:  I am sorry if I sound like I don't know what I am doing.
:  I don't.
:  
:  Is it possible to set up a firewall with the 2 NIC cards on the
:  same network?
:  
: 
: -- 
: ichtus
: --
: Lewi Supranata .K
: ICQ: 50643061



-- 
Jason Costomiris|  Technologist, geek, human.
jcostom {at} jasons {dot} org  |  http://www.jasons.org/ 
  Quidquid latine dictum sit, altum viditur.
My account, My opinions.






Re: --rebuild openssh package prob

2002-03-30 Thread Jason Costomiris

Read the spec file.  It will be glaringly apparent how to fix your 
dependency problems.

-- 
Jason Costomiris|  Technologist, geek, human.
jcostom {at} jasons {dot} org  |  http://www.jasons.org/ 
  Quidquid latine dictum sit, altum viditur.
My account, My opinions.






Re: add mod_ssl to apache under RH 7.2

2002-03-26 Thread Jason Costomiris

On Tue, Mar 26, 2002 at 06:09:36AM -0500, Mike Burger wrote:
: The easiest way to add mod_ssl, if it's not already on your system, Leila, 
: is to run up2date mod_ssl

Or, get yourself setup with the RH72 port of apt-get and 
apt-get install mod_ssl.  I much prefer apt-get to up2date.  Why?  It's
less filling, and it doesn't require registration.

http://apt.freshrpms.net/redhat/7.2/en/i386/RPMS.freshrpms
   
 /apt-0.3.19cnc55-fr7.i386.rpm

Sorry for the breakage...

1. Get that package & install it.
2. apt-get update
3. apt-get upgrade (make sure everything's current)
4. apt-get install mod_ssl

-- 
Jason Costomiris|  Technologist, geek, human.
jcostom {at} jasons {dot} org  |  http://www.jasons.org/ 
  Quidquid latine dictum sit, altum viditur.
My account, My opinions.






Re: Resin with Apache install question

2002-03-25 Thread Jason Costomiris

On Sun, Mar 24, 2002 at 09:00:07PM -0800, Michael Oatman wrote:
: And to complicate matters, it appears that in RH7.2, apache
: gets installed in /etc/httpd, /usr/include/apache, /var/www, 
: and /var/log/httpd, the last two being symlinked from
: /etc/httpd.

Wow, you guys sure seem to love making this into something much harder than
it has to be...  Stop and think about what the software needs for a 
moment - you're building an Apache module.  It needs the apache headers,
not the server root or any other such nonsense.

Did anyone try this?

./configure --prefix=/usr

As long as you have apache-devel installed, you just might be surprised 
how easily it works. :-)

-- 
Jason Costomiris|  Technologist, geek, human.
jcostom {at} jasons {dot} org  |  http://www.jasons.org/ 
  Quidquid latine dictum sit, altum viditur.
My account, My opinions.






Re: VPN/Ipchains question

2002-03-21 Thread Jason Costomiris

On Thu, Mar 21, 2002 at 02:32:10PM -0600, Kerry Miller wrote:
: We have a client using a CheckPoint VPN, we're trying to use the VPN-1
: SecureClient.  Does anybody know what ports/protocols I need to open for
: this to work through our firewall?  I tried this:

I'm going to make a few assumptions..

1. You're using the Check Point SecuRemote/SecureClient NG version (this
   version is still backward compatible with VPN-1 4.1)
2. You've enabled IKE over TCP in the client
3. You've enabled the Force UDP Encapsulation option in the client

The initial network topology download is a TCP connection from a random
local high port to tcp/256 on the remote gateway.

Once you've got the network topology information, the client will 
automagically activate when you try to access a resource in the remote
gateway's encryption domain.  

Since you've enabled IKE over TCP, your initial authentication with the
remote gateway will be tcp/500 on the local client to tcp/500 on the 
remote side.  Once you've gone through IKE phase I and phase II, you won't
transmit any more IKE packets, until your SAs are due to renegotiate.

Once IKE/IPSec is up, your ESP traffic will be encapsulated inside UDP
packets that are of the format local client udp/2746 -- gateway udp/2746.

In order to get this to work with ipchains, I believe you'll need to use
the ipsec_masq modules.  If you convert to iptables, which I HIGHLY 
recommend, you'll get this for free, no additional configuration.

I'll email you a packet trace privately.

-- 
Jason Costomiris|  Technologist, geek, human.
jcostom {at} jasons {dot} org  |  http://www.jasons.org/ 
  Quidquid latine dictum sit, altum viditur.
My account, My opinions.






Re: Interface for IPTABLES

2002-03-13 Thread Jason Costomiris

On Mon, Mar 11, 2002 at 07:45:56PM -, Ragnar Wiencke wrote:
: Is there somewhere a Graphical Interface for IPTABLES? Something that 
: makes life a bit easier?

I've got a great one.  gvim.

Seriously - spend an hour, learn how to write rules, then do it.  Don't
bother with the GUIs.  Since there's a translation between what you
say in the GUI and what's actually done, you never know what can happen
between...

-- 
Jason Costomiris|  Technologist, geek, human.
jcostom {at} jasons {dot} org  |  http://www.jasons.org/ 
  Quidquid latine dictum sit, altum viditur.
My account, My opinions.






Re: ATT @home

2002-02-27 Thread Jason Costomiris

On Tue, Feb 26, 2002 at 10:55:22PM -0600, Alan Mead wrote:
: I was *not* able to use an IPSec VPN client with
: the old (2.2-based) LEAF but I am told that the new versions include needed
: kernel support.  The problem with these sorts of protocols is that they are
: encrypted.  So the internal IP gets stuffed into a packet, then the packet
: is rendered opaque, then wrapped in a second packet and sent out... the NAT
: router rewrites the IP on the second packet but cannot access the encrypted
: payload. 

That's not why at all, unless your VPN uses AH.  AH is an almost completely
useless part of IPSec.  You get the same benefits by using ESP with a null
cipher - and get the other benefits that ESP adds.

The old kernels used to mangle the source port of IKE packets, causing
confusion.  The netfilter code is smart enough not to do this.

Once your IKE SA's are up, ESP with NAT is trivial, at least for 
the situation of using only one client behind the firewall.  If you need
to have multiple clients behind the firewall, your client will have
to implement some sort of encapsulation, usually UDP or GRE based.  This
is very common with IPSec clients.

-- 
Jason Costomiris|  Technologist, geek, human.
jcostom {at} jasons {dot} org  |  http://www.jasons.org/ 
  Quidquid latine dictum sit, altum viditur.
My account, My opinions.






Re: Anyone using Nortel Contivity behind an IP Tables firewall?

2002-02-27 Thread Jason Costomiris

On Wed, Feb 27, 2002 at 01:47:04PM -0500, Matthew Galgoci wrote:
: 
: Does your client support tunneling ipsec over udp? You need this in order to 
: be able to pass through nat.

Actually, you don't.  It just makes it possible to have multiple clients
behind a masq gateway.  AH doesn't NAT, ESP can go through NAT.  99.99%
of all IPSec client implementations are ESP.  The problem is when a NAT
device/firewall mangles the source port on IKE packets, which are both
src/dst udp/500.


-- 
Jason Costomiris|  Technologist, geek, human.
jcostom {at} jasons {dot} org  |  http://www.jasons.org/ 
  Quidquid latine dictum sit, altum viditur.
My account, My opinions.



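
The protocols and ports named in this reply, in the "ATT @home" reply above it, and in the Check Point SecureClient reply of 2002-03-21, turned into FORWARD rules for an iptables masquerading gateway. This is an added example, not code from any of the posts: it lets one internal client reach one remote VPN gateway and nothing more. VPN_CLIENT and VPN_GW are constructed placeholder addresses, and the gateway is assumed to already accept ESTABLISHED,RELATED traffic in FORWARD (as the masq script earlier on this page does).

```shell
#!/bin/sh
# Added example (not from the list threads): FORWARD rules on an iptables
# masquerading gateway for a single internal IPsec client. Placeholder
# addresses; IPT=echo prints the rules instead of loading them.
set -eu

IPT=${IPT:-iptables}
EXT_IF=${EXT_IF:-eth0}
VPN_CLIENT=${VPN_CLIENT:-10.10.10.50}   # internal client (constructed)
VPN_GW=${VPN_GW:-203.0.113.1}           # remote VPN gateway (placeholder)

# Accept one outbound flow from the client to the gateway; replies ride
# the gateway's existing ESTABLISHED,RELATED rule.
fwd() {
    $IPT -A FORWARD -o "$EXT_IF" -s "$VPN_CLIENT" -d "$VPN_GW" "$@" -j ACCEPT
}

# Plain IKE/IPsec as in the @home and Contivity replies: IKE is udp/500
# and the data is ESP (IP protocol 50). Fine for a single client behind
# masq; ESP carries no ports for NAT to multiplex on, so a second client
# needs the UDP encapsulation handled below.
ipsec_rules() {
    fwd -p udp --dport 500
    fwd -p esp
}

# Check Point SecureClient with "IKE over TCP" and "Force UDP Encapsulation":
# topology download to tcp/256, IKE over tcp/500, then ESP carried inside
# udp/2746 between client and gateway.
checkpoint_rules() {
    fwd -p tcp --dport 256
    fwd -p tcp --dport 500
    fwd -p udp --dport 2746
}

# Usage: sh vpn-rules.sh ipsec   |   sh vpn-rules.sh checkpoint
if [ "${1:-}" = ipsec ]; then ipsec_rules; fi
if [ "${1:-}" = checkpoint ]; then checkpoint_rules; fi
```

Pinning both the source host and the destination gateway keeps the hole as narrow as the thread's port list allows; widening `-s` to the whole internal network is only sensible once the encapsulated variant is in use.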



Re: VPN fustration

2002-02-27 Thread Jason Costomiris

On Wed, Feb 27, 2002 at 02:01:01PM -0500, James Pifer wrote:
: I've posted to this list three times asking about VPN, IPSec or PPTP,
: for Redhat 7.2. I've been trying to get linux-pptp working without
: success so far. I can't seem to find any help on it. 

Has it occurred to you that nobody on this list is using a VPN client
on Linux?

: Let me keep this simple. Is ANYONE using a VPN client on Redhat 7.2? I'd
: really rather not use freeswan if I have to recompile the kernel. 

I think you have your answer.  And don't use pptp as a VPN protocol. It's
inherently insecure - flawed at the most basic level.  Use IPsec.

-- 
Jason Costomiris|  Technologist, geek, human.
jcostom {at} jasons {dot} org  |  http://www.jasons.org/ 
  Quidquid latine dictum sit, altum viditur.
My account, My opinions.






Re: [REDHAT] RE: php upgrade!

2002-02-22 Thread Jason Costomiris

On Sat, Feb 23, 2002 at 12:43:28AM -0500, David Kramer wrote:
: I'm coming into this late, but if the only problem is physical access to 
: the machine, can you download the installer ISO image and then mount -o 
: loop and run it that way?

Or for that matter, just upgrading the packages that satisfy the
dependencies?  

-- 
Jason Costomiris|  Technologist, geek, human.
jcostom {at} jasons {dot} org  |  http://www.jasons.org/ 
  Quidquid latine dictum sit, altum viditur.
My account, My opinions.






Re: [OT] Subnets and Classes

2002-02-21 Thread Jason Costomiris

On Thu, Feb 21, 2002 at 09:43:24AM +, Gary Stainburn wrote:
:10.0.0.0-   10.255.255.255
:172.16.0.0  -   172.31.255.255
:192.168.0.0 -   192.168.255.255
: 
:  We will refer to the first block as 24-bit block, the second as 20-bit
:  block, and the third as 16-bit block.  Note that the first block is
:  nothing but a single class A network number, while the second block is a
:  set of 16 continuous class B network numbers, and the third block is a set
:  of 255
:  continuous class C network numbers.

Wow, that reference guide is written to confuse people.

Nobody I know in the industry would refer to 10/8 as anything other than
an 8-bit subnet, or 172.16/12 as a 12-bit subnet, or 192.168/16 as a
16-bit subnet

In the real world of networking, if you asked for a 24-bit block, you would
be given a /24, that is, a subnet consisting of 256 addresses.

-- 
Jason Costomiris|  Technologist, geek, human.
jcostom {at} jasons {dot} org  |  http://www.jasons.org/ 
  Quidquid latine dictum sit, altum viditur.
My account, My opinions.






Re: How to set IP Forwarding in RH 7.2 ?

2002-02-20 Thread Jason Costomiris

On Wed, Feb 20, 2002 at 12:53:32PM +0800, Kevin Chan wrote:
: I would like to know where I can set the IP Forwarding in RH 7.2 and why I
: can't use the netcfg under Xwindow ?

Crack open an xterm, use the text editor of your choice to modify 
/etc/sysctl.conf.


-- 
Jason Costomiris|  Technologist, geek, human.
jcostom {at} jasons {dot} org  |  http://www.jasons.org/ 
  Quidquid latine dictum sit, altum viditur.
My account, My opinions.






Re: retrieving https was:Re: sending data from wget into perl?

2002-02-18 Thread Jason Costomiris

On Mon, Feb 18, 2002 at 02:30:33PM -0600, dbrett wrote:
: Does anybody know of a program which will get https pages?

Yes, wget.  At least the recent versions.  Go to rawhide if you have to.

-- 
Jason Costomiris|  Technologist, geek, human.
jcostom {at} jasons {dot} org  |  http://www.jasons.org/ 
  Quidquid latine dictum sit, altum viditur.
My account, My opinions.






Re: Still Cannot Get SSH To Work

2002-02-15 Thread Jason Costomiris

On Fri, Feb 15, 2002 at 03:49:59AM -0800, CM Miller wrote:
: Right, I understand how to redirect the output into a
: file, but could I copy/paste that output into an
: e-mail, especially for the ipchains -L output?  I want
: to display the results so people can troubleshoot the
: problem.

Right.  And since you make reference to copy and paste,
we're all sure you're familiar with how to use them.  Going out
on a limb here, but I bet you're also able to operate a text editor
of some kind too.  Put the two together and your problem is solved.

Think outside the box.  Just a little... :-)

-- 
Jason Costomiris|  Technologist, geek, human.
jcostom {at} jasons {dot} org  |  http://www.jasons.org/ 
  Quidquid latine dictum sit, altum viditur.
My account, My opinions.






Re: BYOB [WAS RE: Wireless lan cards?]

2002-02-11 Thread Jason Costomiris

On Mon, Feb 11, 2002 at 08:13:22PM -0800, David Talkington wrote:
: Chad and Doria Skinner wrote:
: 
: 1. Setup DHCP to only assign IPs to specific MAC Addresses
: 
: Wrong already.  MAC addresses are under client control.  You can 
: assign a different one to your network card with ifconfig (if the 
: driver can handle that).  Try it.  :-)

Now before you immediately discount that, remember that a would-be
attacker would need to know the MAC address of an *authorized* client.
And by the way - MAC addresses aren't always under the control of the user
when we're talking about WLAN cards.

It's not what I'd call great security, but it's definitely a part of
a reasonable WLAN security plan.  That, coupled with strong authentication,
strong encryption (i.e. NOT WEP!) and physical separation from the wired
LAN would result in a good policy.

Remember, wired LAN jacks aren't magically secure either.  How many times 
do you see sites that just have jacks all over the place patched in?  All
the time!  Ok, so I want to infiltrate your building.  No problem, I'll get
a job on your cleaning staff, or with the company that cleans your building.
That gives me nearly open access during off-hours.  I'd plant a laptop
on your network.  Or, how about instead, I plant a wireless access point?
Now I'll hack you from your parking lot.

Properly deployed, WLAN can be just as secure, or MORE secure than wired
LAN technology.

-- 
Jason Costomiris|  Technologist, geek, human.
jcostom {at} jasons {dot} org  |  http://www.jasons.org/ 
  Quidquid latine dictum sit, altum viditur.
My account, My opinions.






Re: RedHat's Postfix RPMS and Berkeley DB.

2002-02-10 Thread Jason Costomiris

On Sun, Feb 10, 2002 at 04:14:40PM -0500, Mike Burger wrote:
: Can anyone tell me if the RedHat compiled Postfix RPMS have Berkeley DB support
: compiled in?

No idea about those, but mine sure does.  I'm running postfix 1.1.0,
from the RPMs that Chuck Mead rolled (which I believe are based on 
SJ Mudd's work).

RedHat 7.1 system:
$ postconf -m  
static
sdbm
pcre
nis
dbm
regexp
environ
btree
unix
hash

$ rpm -q postfix
postfix-1.1.0-2.rh70.1.pcre.tls

Not sure why it says rh70 instead of rh71, I didn't really pay that much
attention to the .spec file.

-- 
Jason Costomiris|  Technologist, geek, human.
jcostom {at} jasons {dot} org  |  http://www.jasons.org/ 
  Quidquid latine dictum sit, altum viditur.
My account, My opinions.






Re: Forcing ISC DHCPd to only bind to one interface?

2002-02-09 Thread Jason Costomiris

On Sat, Feb 09, 2002 at 09:22:17AM -0500, Mike Burger wrote:
: No...that's not necessarily what it means...what that means is that it 
: will accept dhcp connections from all IP ranges, from any port on the 
: remote machine.
: 
: Put a dhcp client on the network connected to your external interface, and 
: try to obtain an address, and see what happens.

Regardless of whether or not I pass dhcpd the eth1 parameter, it will
only serve addresses on the eth1 port, based on the ip/netmask on my
eth1 and the subnet{ } configuration I've got in the dhcpd.conf file.

The software does the right thing, in that it won't hand out addresses
on the external interface (in my case, eth0), as verified by the messages
dhcpd produces at startup and a test I did (with my iptables rules 
unloaded).  My concern had to do with the software binding to all 
interfaces, despite the fact that it doesn't need to.

My iptables rules already don't permit DHCP requests from outside of my
network, so that's not the real concern.  Rather, my concern stems from 
the software itself not behaving properly.  I'll bugzilla this one.




Forcing ISC DHCPd to only bind to one interface?

2002-02-08 Thread Jason Costomiris

This afternoon's project was to build a masq'ing firewall, complete
with DHCP, split DNS, and all the trimmings.  Got it done, but I'm 
having a bit of a difficult time with telling the ISC dhcpd 3.0 
(out of Rawhide) to stop binding to my external i/f.

I don't have a subnet{ } section that covers the particular subnet in 
question, so the syslog informs me that because I don't mention anything
about the subnet on that i/f (in my case, eth0), it will not respond to
queries on the interface.  That's good and all, but netstat reveals this:

udp        0      0 0.0.0.0:67              0.0.0.0:*

So, even though it's not responding to queries on that eth0 interface, it's 
still binding the port to the interface.  Thoughts on how to get it to stop
behaving like this?




Re: Forcing ISC DHCPd to only bind to one interface?

2002-02-08 Thread Jason Costomiris

On Fri, Feb 08, 2002 at 03:02:53PM -0800, David Talkington wrote:
: Find the script that starts dhcpd, and provide as arguments the 
: interfaces you want it to listen to.  It's that easy.

Ah, but it's not that easy at all.

# cat /etc/sysconfig/dhcpd 
# Command line options here
DHCPDARGS="eth1"

the process table does indeed show the running process as 
/usr/sbin/dhcpd eth1.

From /var/log/messages:
Feb  9 00:42:00 elvis dhcpd: Listening on LPF/eth1/00:04:5a:68:61:31/x.y.z.0/24
Feb  9 00:42:00 elvis dhcpd: Sending on   LPF/eth1/00:04:5a:68:61:31/x.y.z.0/24

This certainly suggests that it is only listening on the eth1 interface.
However:

# netstat -an |grep 67
udp        0      0 0.0.0.0:67              0.0.0.0:*

Thus you can see the daemon still binds to all interfaces.

# rpm -q dhcp
dhcp-3.0-6

The same behavior was shown with all other versions of ISC dhcpd tested,
including the standard 2.0pl5 that ships with RH 7.2.

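The point of the two dhcpd posts above is that a daemon told to serve one interface can still hold a socket bound to 0.0.0.0, so only the packet filter stands between it and the outside. The following is an added example, not code from the posts, written in Python rather than as a shell one-liner: it parses netstat -an style output (the sample lines, addresses and the port-to-service policy are constructed) and reports wildcard binds on ports that a firewall build declares internal-only, which is the check the author did by hand with netstat.

```python
"""Flag listening sockets bound to the wildcard address.

Added example (not from the original posts).  Parses 'netstat -an'-style
lines and reports sockets bound to 0.0.0.0 / :: on ports that a policy
marks internal-only, so a firewall host can be checked for exactly the
dhcpd-on-every-interface situation described in the thread.
"""
import re
from typing import Dict, List, NamedTuple


class Socket(NamedTuple):
    proto: str
    local_addr: str
    local_port: int
    state: str  # 'LISTEN' etc. for tcp, '' for udp (udp has no state column)


# netstat -an: proto recv-q send-q local-address foreign-address [state]
_LINE = re.compile(r'^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$')

# Addresses that mean "every interface" (IPv4, IPv6 and netstat's '*').
WILDCARDS = {'0.0.0.0', '::', '*'}


def parse_netstat(text: str) -> List[Socket]:
    """Return one Socket per inet line; headers and unix sockets are skipped."""
    sockets = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        proto, local, _foreign, state = m.groups()
        # rpartition keeps IPv6 locals such as ':::67' intact ('::' + '67')
        addr, _, port = local.rpartition(':')
        sockets.append(Socket(proto, addr, int(port), state or ''))
    return sockets


def listening(sockets: List[Socket]) -> List[Socket]:
    """TCP sockets in LISTEN plus every UDP socket (UDP is always 'listening')."""
    return [s for s in sockets if s.proto.startswith('udp') or s.state == 'LISTEN']


def wildcard_binds(sockets: List[Socket], internal_only: Dict[int, str]) -> List[str]:
    """One finding per listening socket on an internal-only port that is bound
    to the wildcard address.  internal_only maps port -> service name."""
    findings = []
    for s in listening(sockets):
        if s.local_addr in WILDCARDS and s.local_port in internal_only:
            findings.append(
                f"{internal_only[s.local_port]} ({s.proto}/{s.local_port}) is bound to "
                f"{s.local_addr}: reachable on every interface unless the packet "
                f"filter blocks it")
    return findings


# Constructed sample output modelled on the thread's netstat line.
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:53          0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:22          203.0.113.5:40112       ESTABLISHED
udp        0      0 0.0.0.0:67              0.0.0.0:*
udp        0      0 192.168.1.1:53          0.0.0.0:*
"""

# Constructed policy: services that must only be reachable from the inside.
POLICY = {67: 'dhcpd', 53: 'named'}

if __name__ == '__main__':
    for finding in wildcard_binds(parse_netstat(SAMPLE), POLICY):
        print(finding)
```

Run against real output with `netstat -an | python3 check.py` after swapping SAMPLE for `sys.stdin.read()`; on the sample, named on 192.168.1.1:53 passes and only dhcpd on 0.0.0.0:67 is reported. A wildcard bind is a finding, not a compromise: as the post says, the iptables rules still decide whether anything outside can reach it, so the report is a prompt to confirm the filter rule exists.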



Re: How to Change Hostname?

2002-01-31 Thread Jason Costomiris

On Wed, Jan 30, 2002 at 05:02:20PM -0600, Saul Arias wrote:
: Don't reboot. Reboot is for Windoze and kernel upgrades.

I *did* say easiest.

: service network restart

That's not it.  See Rodolfo's posting.




Re: readme

2002-01-31 Thread Jason Costomiris

On Wed, Jan 30, 2002 at 02:43:56AM -0800, Harry Putnam wrote:
: Ani_Adarsh [EMAIL PROTECTED] writes:
: 
:  cat ./README |less
: 
: I smell a UUoC award

He gets bonus points for the spurious use of ./..




Re: How to Change Hostname?

2002-01-29 Thread Jason Costomiris

On Wed, Jan 30, 2002 at 12:27:37AM -0700, Li Bing wrote:
: Dear all,
: 
: I installed a RedHat 7.1 server on my PC. In the procedure of installation, 
: I name my PC LiBing. But after the system is started up, in the terminal 
: the prompt is a name I have never known. But in the Network 
: Configurator, the name is correct.
: 
: Could you tell me how to change that?

The first step is getting rid of that ASCII-art .sig.  Cute dog.
Save it for alt.fan.warlord, where such an animal can be appreciated.

Now, how to change the hostname of your system?  Easiest?  Check the 
/etc/sysconfig/network file.  Adjust the value of HOSTNAME, creating
it if not already there, and reboot.

One last thing - don't name a machine with a mixed-case name - it's tacky.
Check your /etc/hosts file too to make sure you've cleaned up all the 
cruft...




Re: Why is vsftpd in Rawhide?

2002-01-28 Thread Jason Costomiris

On Mon, Jan 28, 2002 at 01:07:18PM +, Rodolfo J. Paiz wrote:
: The 1.0.1 branch of vsftpd is stable; in fact, remarkably so. Is there a 
: reason why it's put in Rawhide? Was it, perhaps, a case of we had nowhere 
: else to put it?

I'd guess it's because Rawhide will eventually grow up to be the RH 8.0
release, and they're preparing, that's all...




Re: PHP?

2002-01-24 Thread Jason Costomiris

On Thu, Jan 24, 2002 at 06:08:06PM +0800, Ladislav Bodnar wrote:
: To the original poster: Please structure your sentences to include some 
: flowery English words such as please, I would appreciate, could you, 
: thank you, etc.

Using flowery language doesn't change the spirit of his request.  Tell me
the answer, and don't point me at a web site.  I'm sorry, but pointing
him at a web site is a perfectly reasonable response, or do you somehow
disagree?




Re: PHP?

2002-01-23 Thread Jason Costomiris

On Thu, Jan 24, 2002 at 10:00:36AM +0800, northstone wrote:
: Okay... only provide the answer and don't guide me to other pages.

What's the matter?  Afraid of learning something?  It's considered rude
to demand someone do your work (research) for you.

: I have apache in my redhat.

So install the PHP packages and use PHP.

: 2. I downloaded php 4.1.1 from php.net. I tried to install it. I
: only typed ./configure. I wanted to try to make but can't.
: Then I checked whether my installed php is in the directory
: but it doesn't exist. Does anyone know how to install step by
: step together with apache and php?

There is a wealth of documentation on this very topic, unfortunately,
you'll have to go to a web page to read about it.

http://www.php.net/manual/

See the Installation section.




Re: Apache Question

2002-01-18 Thread Jason Costomiris

On Fri, Jan 18, 2002 at 12:52:30PM -0500, Jeff Bearer wrote:
: I have a website that is being spidered by 1 host at inopportune times, 
: I'm trying to see if there is a way I can block the host in apache for a
: few hours of the day but allow it the rest of the day.

Limit directives?

iptables on the web server?

Router filters?

configure your firewall to disallow the traffic?

: Jeff Bearer, RHCE

Ahem




Re: RPM --requires question

2002-01-01 Thread Jason Costomiris

On Tue, Jan 01, 2002 at 05:07:14PM -0500, Hal Burgiss wrote:
: /usr/local/bin/perl   --- WTF?
: /usr/local/bin/perl5

You've got some sort of script in the package that requires the above...

I.e. it begins with:

#!/usr/local/bin/perl5

or 

#!/usr/local/bin/perl




Re: sourcing a mysql file from perl

2001-12-31 Thread Jason Costomiris

On Mon, Dec 31, 2001 at 08:47:27AM -0600, Stephen Spalding wrote:
: insert into crontabs values
: (' ', 'dev2', 'asn', '00', '19', 'ALL', 'ALL', '1');
: insert into crontabs values
: (' ', 'dev2', 'asn', '00', '19', 'ALL', 'ALL', '2');

Are these inserts really broken into two lines for each?

: $connection2 = DBI->connect("DBI:mysql:$database", $user, $message) || die 
: "Cannot connect to $database";
: $load_sql = "source ${CRONLIST_SQL}/load.sql.${file_date}";

This is the part the doesn't seem right...  I don't believe source is
valid for this use, it's not like this is the shell.

: $cursor2 = $connection2->prepare($load_sql) or die "Can't prepare $load_sql: 
: $connection2->errstr\n";
: $cursor2->execute;
: $rc2 = $cursor2->finish;
: $rc2 = $connection2->disconnect;

Now, assuming your load file has one statement per line, this is a snap.
If otherwise, you'll have to do multi-line pattern matching to grab your
SQL statements.

Basically:

# assumes one complete SQL statement per line of the load file
open(FH, "$CRONLIST_SQL/load.sql.$file_date") or die "cannot open file: $!";
while(<FH>){
    chomp;
    $cursor2 = $connection2->prepare($_) or die $connection2->errstr;
    $cursor2->execute or die $cursor2->errstr;
}
close(FH);

Also, are you intentionally putting braces around your variable names?
After all, this is perl, not the shell... 

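The reply above notes that `source` is a mysql client command, not SQL, and that a load file with one statement per line is easy to feed through DBI, while anything else needs multi-line matching. As an added example (not code from the thread, and in Python rather than the poster's Perl), here is the general case: a splitter that finds statement boundaries across lines, ignores `;` inside quoted strings and in `--` comments, and executes each statement on its own. SQLite from the standard library stands in for the MySQL connection; the table and the load file, modelled on the crontabs inserts quoted above, are constructed sample data.

```python
"""Split a .sql load file into statements and execute them one at a time.

Added example, not from the original post.  sqlite3 stands in for the
MySQL/DBI connection of the thread; the schema and LOAD_SQL are constructed.
"""
import sqlite3
from typing import List


def split_sql_statements(text: str) -> List[str]:
    """Return the statements in `text`, each without its trailing ';'.

    A statement ends at a ';' outside single- or double-quoted strings.
    '--' comments run to end of line and are dropped.  A doubled quote
    inside a string ('' or "") is an escaped quote, not the end of it.
    """
    statements, buf = [], []
    quote = None  # quote character we are currently inside, or None
    i, n = 0, len(text)
    while i < n:
        ch = text[i]
        if quote:
            buf.append(ch)
            if ch == quote:
                if i + 1 < n and text[i + 1] == quote:  # escaped quote
                    buf.append(quote)
                    i += 1
                else:
                    quote = None
        elif ch in ("'", '"'):
            quote = ch
            buf.append(ch)
        elif ch == '-' and text.startswith('--', i):
            nl = text.find('\n', i)  # skip the comment, keep the newline
            i = n if nl == -1 else nl
            continue
        elif ch == ';':
            stmt = ''.join(buf).strip()
            if stmt:
                statements.append(stmt)
            buf = []
        else:
            buf.append(ch)
        i += 1
    tail = ''.join(buf).strip()  # final statement without a ';'
    if tail:
        statements.append(tail)
    return statements


def load_file(conn: sqlite3.Connection, text: str) -> int:
    """Execute every statement in `text`; returns how many were run.

    sqlite3's execute() refuses more than one statement per call, so a
    splitter error would surface as an exception rather than silently
    running a partial statement.
    """
    count = 0
    for stmt in split_sql_statements(text):
        conn.execute(stmt)
        count += 1
    conn.commit()
    return count


# Constructed load file: multi-line inserts, an escaped quote, a ';' in a
# value and ';' in comments, none of which the one-line-per-statement
# loop of the post would handle.
LOAD_SQL = """\
-- nightly crontab load (constructed sample)
insert into crontabs values
(' ', 'dev2', 'asn', '00', '19', 'ALL', 'ALL', '1');
insert into crontabs values
(' ', 'dev2', 'asn', '00', '19', 'ALL', 'ALL', '2');
insert into crontabs values
(' ', 'dev2', 'o''brien', '00', '19', 'ALL', 'x;y', '3'); -- a ';' here is ignored
"""


def demo() -> list:
    """Load LOAD_SQL into an in-memory table; returns (user, dow, seq) rows."""
    conn = sqlite3.connect(':memory:')
    conn.execute('create table crontabs (id text, host text, user text, '
                 'minute text, hour text, dom text, dow text, seq text)')
    load_file(conn, LOAD_SQL)
    rows = conn.execute('select user, dow, seq from crontabs order by seq').fetchall()
    conn.close()
    return rows


if __name__ == '__main__':
    for row in demo():
        print(row)
```

The statements in the file are executed verbatim, which is the right model for a trusted load file written by the same job; the splitter is only about boundaries, not about building SQL from untrusted values.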



Re: Magic Number

2001-12-30 Thread Jason Costomiris

On Sun, Dec 30, 2001 at 02:53:34PM -0500, [EMAIL PROTECTED] wrote:
: 
:   Can someone out there tell me what a Magic Number is or send me to a website 
:explaining what a Magic Number is?
: 

STFW - for real.

Ask Google about unix magic number, and you will have your answer.




Re: OT: Compiling multithreaded code

2001-12-24 Thread Jason Costomiris

On Mon, Dec 24, 2001 at 11:25:31PM +0800, David wrote:
: I have written some multithreading code using pthread library. But when I
: compile the code, the compiling process is ok but the linking process claims
: undefined reference for pthread_create( ). How can I resolve this problem?
: I have included pthread.h and #define _REENTRANT but still doesn't work. I
: suspect the library libpthread.so is bad but having replaced that file with
: another one from Mandrake 8.0 (the file sizes are different), it
: still doesn't compile. Can anyone help me with this one? Thanks.

You're not linking against the pthread library.  You want to do something
like:

gcc -O2 foo.c -o foo -lpthread




Re: A few enigmas

2001-12-24 Thread Jason Costomiris

On Mon, Dec 24, 2001 at 07:47:50AM -0800, Meph Istopheles wrote:
:  Anyone have a way to get the java plugin to actually work with
:  mozilla and Enigma? If so could you point me to a good
:  FAQ/how-to?
: 
:   Are you referring to the jre?  I'd spent a couple of weeks 
: fooling with Sun's jre, jdk, etc to no avail.  Went to 
: blackdown.org & got their jre, worked like a charm.  Less hassle 
: to do, as well.

No, he's referring to the java plugin for Mozilla.  Sun's JRE works
out of the box.  Just download the RPM from java.sun.com and put
the appropriate directory in your $PATH.  He's got a different
problem that I don't know the answer to..

:  Is there a clear how-to for the alsa sound stuff? like what to
:  do in what order? Something maybe a bit more clear that their
:  site?
: 
:   What sound?  Just in Mozilla, or the box.  First you have to 
: find out if your sound card is even recognized.  What distro are 
: you running?  

You already know he's running RedHat 7.2 - look at the subject line.
He's asking about ALSA, which RH doesn't support.  You can go to the
ALSA site though and build RPMs from their tarballs with minimal 
difficulty.




Re: A few enigmas

2001-12-24 Thread Jason Costomiris

On Mon, Dec 24, 2001 at 09:27:57AM -0800, Meph Istopheles wrote:
:   Ya know, I have to deal with Raquel knowing my system better 
: than I on another list as well, but, after many years of RH, I'm 
: growing very tired of it, the less than Linux-like structuring, 
: & the know-it-all attitude of assholes.  You may have pushed me 
: over the edge.

And a Merry Christmas to you too.  Grow up and dispense with the
name-calling.  It doesn't serve you well.  Raquel?  No idea who that
is.

:  1. The Sun jre does ~not~ work out of the box for everyone -- 
: check a few other lists, dude.

I'll concede that there are people who can't get the Sun JRE to work.
Their problems stem from one of two things, both related to $PATH.

1. kaffe is installed.  get rid of it.

2. the user doesn't have the proper directory in his $PATH.

If you don't install kaffe (which SHOULD be listed as a conflicting
package for the SUN JRE/JDK), and can set a $PATH, your Sun JRE will
fall out of the box working, plain and simple.  I assume that people
who have used RH for a while can configure a $PATH.  Hopefully in your
case, I haven't assumed too much.

:  2. While I definitely should have realized he's using RH, why 
: don't ~you~ check the Subject line?  Where is there mention of 
: distro or release?  

enigma == RedHat 7.2.  Haven't seen the login banner on a RH 7.2 
machine?  Haven't seen the RH7.2-specific list, which is called 
enigma-list?  With regard to the distro, it's pretty safe to assume 
that one would ask RedHat questions on the redhat-list.

: It may have been early (before I'd so much 
: as finished a single cup of coffee), but I'm awake now & still 
: see nothing but the To field referring to it.  So sorry that I'm 
: not always on, as you obviously are.

Always on?  Maybe, maybe not.  More observant?  Seems more likely.
Don't get your shorts in a wad.




Re: Compiling MySQL From Source (not OT)

2001-12-23 Thread Jason Costomiris

On Sat, Dec 22, 2001 at 09:31:55PM -0800, Ben Ocean wrote:
: Why am I 
: working from source? More control. 

Ok, but why not gain more control and not break the packaging model?

That's what SRPMs are for.

Oh well, back to Star Wars Starfighter SE.  Yeah, it's from Redmond, but
the xbox just plain rocks, particularly in DD 5.1... :)




Re: Compiling MySQL From Source (not OT)

2001-12-22 Thread Jason Costomiris

On Sat, Dec 22, 2001 at 02:00:24PM -0800, Ben Ocean wrote:
: Hi;
: I've written this config script for mysql, but this problem appears to be 
: unique to RH, so I'm writing this list too:
: 
: #!/bin/sh
: cd /usr/local/mysql
: ./configure \
: --with-libwrap=/usr/share/doc/tcp_wrappers \

Eh?  Why would you point the configure script at the documents directory?

Besides, is there something you need that the RPMs you can get from:

http://www.mysql.com/downloads/mysql-3.23.html

don't do?  You want nifty features like InnoDB support?  Just 
install the MySQL-max package.  These packages even upgrade cleanly
from the stock redhat packages.

I've had wonderful success running MySQL 3.23.46 built from the SRPMs
from mysql.com, using InnoDB tables.  Very fast, support FKs, and is
transaction safe.




Re: package management

2001-12-09 Thread Jason Costomiris

On Sun, Dec 09, 2001 at 03:00:25PM +0800, Robert Storey wrote:
: I'm in full agreement with you Jim - RPM is good, but some sort of
: package management system that resolves deps is BADLY NEEDED.

Something does exist.  apt DOES exist for RPM.

http://apt-rpm.tuxfamily.org/

Makes keeping up to date with those RH packages as easy as:

apt-get update
apt-get upgrade

This is largely due to the work of the Conectiva folks.  It would be nice
if RH 8.0 integrated this.




Re: Midrange video card?

2001-12-03 Thread Jason Costomiris

On Mon, Dec 03, 2001 at 01:44:45AM -0500, David Kramer wrote:
: -This is NOT for gaming, but I want high-res X with excellent font
: legibility.
: 
: -Under $100 ok, under $70 better
: 
: -Prolly want 32MB for greater color depth

The Nvidia GeForce 2MX cards are very good, and cheap.

I saw several in CompUSA the other day for $69.  32MB, 2X/4X AGP.

Works great under both XFree86 4.1 as well as Windoze.



