Re: [SCIENTIFIC-LINUX-USERS] ipfilter on SL
On 07/05/2011 03:32 AM, Gabriele Bulfon wrote:

Hi, I have recently selected SL as an alternative to my Solaris / OpenSolaris installations. I have been used to running firewalls with ipfilter for years, so I was wondering if there is any chance I can substitute iptables with ipfilter 5. Thanx for any help.

Gabriele.

The most up to date information I could find on this was at http://www.phildev.net/ipf/IPFlinux.html

It doesn't look impossible, but not necessarily promising either. I'd suggest migration to iptables simply because it is the native tool. Porting applications is a bit of a mixed bag in my experience. And with this page reporting that it should work reasonably well that does fill me with confidence. The default firewall made by the installer, while decidedly unfamiliar in IPF syntax, is fairly workable with excellent man pages (man iptables). It's a pain to change tools, but I fear the headaches caused by porting them may be worse.

Pat
Re: [SCIENTIFIC-LINUX-USERS] Why doesn't postfix get the local hostname?
On 05/31/2011 09:17 AM, Marc Muehlfeld wrote:

Hi, I'm currently trying SL6 with postfix for local mail delivery (no real mail server). But I am wondering why the sender is always ...@localdomain.localdomain? In /etc/postfix/main.cf everything is at its default. myhostname is not set, which should make postfix get the hostname via gethostname(), as written in the comments. A hostname and search domain is configured for the system:

# hostname -f
vm01.test.local

I know I can set myhostname, but why isn't postfix getting this by itself?

Regards, Marc

Hello,

If I were to hazard a guess, I would suspect that /etc/hosts is to blame here. If your hostname is on the 127.0.0.1 line, then I've periodically seen things get a bit wonky. I'd be curious what /etc/hosts looks like, as well as postconf -d | grep my, and seeing how those match up.

Pat
Re: [SCIENTIFIC-LINUX-USERS] Why doesn't postfix get the local hostname?
On 05/31/2011 09:39 AM, Marc Muehlfeld wrote:

On 31.05.2011 16:35, Patrick Riehecky wrote:
If I were to hazard a guess, I would suspect that /etc/hosts is to blame here.

This was the first place I looked at, but:

127.0.0.1 localhost.localdomain localhost.localdomain localhost4 localhost4.localdomain4 localhost
192.168.29.14 vm01.test.local vm01

... as well as postconf -d | grep my and seeing how those match up.

# postconf -d | grep my
append_at_myorigin = yes
append_dot_mydomain = yes
lmtp_lhlo_name = $myhostname
local_transport = local:$myhostname
milter_macro_daemon_name = $myhostname
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = localdomain
myhostname = vm01.localdomain
mynetworks = 127.0.0.0/8 192.168.29.0/24 192.168.20.0/24
mynetworks_style = subnet
myorigin = $myhostname
parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,relay_domains,smtpd_access_maps
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $sender_bcc_maps $recipient_bcc_maps $smtp_generic_maps $lmtp_generic_maps
relay_domains = $mydestination
smtp_helo_name = $myhostname
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_event_limit_exceptions = ${smtpd_client_connection_limit_exceptions:$mynetworks}
smtpd_proxy_ehlo = $myhostname
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination

myhostname = vm01.localdomain - but where does postfix get the localdomain from, instead of the real domain of the host?

That is curious. Postfix seems to be automatically determining your domain as 'localdomain', exactly as you reported. If I continue to guess, and this is firmly in the guess camp, I'd guess that postfix doesn't like '.local' as a tld. The default in postfix 2.3 and later is to revert to 'localdomain' when it doesn't know the domain ( http://www.postfix.org/postconf.5.html#mydomain ). Since .local isn't reserved as an official tld, this is my best theory for explaining the behaviour.

Just a guess,
Pat
Re: [SCIENTIFIC-LINUX-USERS] SL6, SELinux, openafs
On 05/12/2011 04:31 PM, Orion Poplawski wrote:

On 05/12/2011 03:17 PM, Orion Poplawski wrote:
On 05/12/2011 03:04 PM, Orion Poplawski wrote:
I'm just trying out openafs on SL6 and ran into the following starting the afs daemon:

Starting AFS client.
afsd: some file missing or bad in /usr/vice/etc

Turns out this was caused by following the quick start guide and linking /usr/afs/etc/{CellServDB,ThisCell} to /usr/vice/etc. Just copying the files allows everything to work with SELinux enforcing.

Spoke too soon. Lots of denials on the server side of things. Is there any expectation that you can run openafs in enforcing mode?

Hi Orion,

While I can't promise this as a true fix, and Stephan Wiesand is aiming in the right area with his comments, I've had some luck writing my own SELinux policies in the past for completely unrelated and much less complex applications. I've never tried on something as complex as AFS. It can be a lot of work, but if you need SL6 and AFS under SELinux, this may be your fastest solution. Not having access to an AFS server, I can't make many suggestions on specifics.

The extra short process is to, temporarily, place the system in Permissive mode (setenforce 0), generate all the audit errors you can for AFS, and run audit2allow:

yum install policycoreutils-python
man audit2allow
audit2allow -h
mkdir -p /etc/selinux/custom
cat my AFS audit log errors only | audit2allow -m custom_afs > /etc/selinux/custom/custom_afs.te

Alas this then requires figuring out how to reconcile the changes with the existing AFS module, for which I'm not sure I can help. After the .te file doesn't conflict with existing settings or open unintended access (I say this like that is the easy part - it's really not. You'll need to read the current AFS policy and edit the generated one to extend the current policy, without rigging it so that future updates to the SL AFS make things confusing on your end. Also I've never discovered a sufficiently clean way of documenting custom SELinux changes. If you are like me, you will forget that you did this at the least opportune time.), simply checkmodule, package the module, and then load it:

cd /etc/selinux/custom/
checkmodule -M -m -o custom_afs.mod custom_afs.te
semodule_package -o custom_afs.pp -m custom_afs.mod
semodule -i custom_afs.pp

Once loaded, test, test, test, and test again. The .pp file can be copied to any system sharing a policy version (ie selinux-policy-targeted-3.7.19-54.el6_0.5.noarch).

The terribly vague paragraph above represents a serious time investment (last time I tried to extend a policy it was a few solid days; though I doubt anyone is as terrible at it as I, so YMMV) and may not be worth it to you at this time. If you are able to get a working extension to the AFS policy, I'm certain the community would love to see it.

If you'd rather spare yourself the hours of frustration, and possible unexpected downtime (loading a syntactically valid module, but a bad one, can require a reboot before things start working right again. I've only done it once, and that in 2002, so this might not happen to you), I'd return to Stephan's comment. SL 5 is a wonderful build. If your AFS system is in production - or will be soon - trial and error SELinux experiments are not wise.

Pat
Re: [SCIENTIFIC-LINUX-USERS] Problems with VMWare tools
If you are willing to walk a little on the wild side, http://open-vm-tools.sourceforge.net/ is run by vmware, but it isn't their official release set; some things are missing.

Pat

On 04/29/2011 08:55 AM, Larry Linder wrote:

Download their evaluation set or just buy it and load it. Works perfectly from their web site.

Larry Linder

On Friday 29 April 2011 3:50 am, Ahmed El Zein wrote:

On Sat, 2011-04-09 at 19:44 -0400, Nico Kadel-Garcia wrote:

On Sat, Apr 9, 2011 at 4:17 PM, Lukas Press lukaspr...@googlemail.com wrote:

On 04/09/2011 11:34 AM, Eero Volotinen wrote:

2011/4/9 Nikola Wenta nikola.we...@nottingham.ac.uk:

Dear all, I am trying Scientific Linux and want to get VMWare tools installed. Can someone tell me where I can download the required Kernel C header files, and under what path they will be installed? Cheers, Niko

kernel-headers and kernel-devel packages, both available in sl repos.

The install script will complain that the path to the c header files is wrong if you install the header files midway through the process, even if you put the correct path in (/usr/include i think?). If this is happening cancel the install and re-run the vmware-install.pl script after installing the correct packages; it should pick up the header files automatically then.

Regards
Chris

There's also a bit of nastiness when you update kernels: VMWare has not selected to incorporate the 'vmware-modules' init script I sent them, that re-runs the VMware configuration at boot time in case you're running a new kernel. This is particularly dangerous if you're using the vmxnet network drivers rather than e1000: the guest host will be unavailable after a kernel upgrade and reboot until the configuration tool is re-run, and if you have the wrong network setup, your hostname will be wrong and you'll have to reboot *AGAIN* to get all your services configured correctly.

If you are using ESX (as I am), then you might want to look at the repository at: http://packages.vmware.com/tools/esx/index.html This way you get automatic updates when you upgrade the kernel.
Re: [SCIENTIFIC-LINUX-USERS] a quick poll: what are your favourite linux power tools?
On 04/24/2011 07:57 AM, Robert P. J. Day wrote:

the background: i'm teaching a 2-day course later this week on unix/linux power tools, and i've already got the manual, but it looks like there's maybe 1.5 days worth of content there, so i have the freedom to fill up another 1/2 day with whatever cool utilities i want. i'll be teaching the course off of SL 6.0 so i have the flexibility to add in whatever's normally available from the SL repos. i'm going to add in some package management using yum, plus a quick tutorial on ssh. any other topics people here use on a really regular basis that they find indispensable? not necessarily admin level, just really, really handy programs. i realize it's kind of an open-ended question, i'm just curious. thanks for any suggestions.

rday

Any list without xargs feels incomplete to me.

Pat
Re: [SCIENTIFIC-LINUX-USERS] RHEL/SL and iptables
On 04/20/2011 02:47 PM, Nicolas Kovacs wrote:

On 20/04/2011 02:26, Tom H wrote:

On Tue, Apr 19, 2011 at 12:53 PM, Robert E. Blair r...@anl.gov wrote:

There is a sourceforge project called firestarter which has a rather nice script that does lots of iptables config and provides a gui monitor of firewall activity.

You could also try APF: http://www.rfxn.com/projects/advanced-policy-firewall/ (I've never used it so this isn't an experience-based recommendation but I've installed it on a test box to check out its rules and they looked good.) Shorewall's also an option that you could consider. It's another blind recommendation though; I've never even seen its default rules...

Thanks very much for the numerous answers. I read through a pile of documentation, and figured out the most simple solution was a handcrafted iptables script from scratch. Here goes:

--8---
#!/bin/sh
## /root/bin/firewall-start
IPT=/sbin/iptables
WAN_IFACE=eth0
LAN_IFACE=eth1
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -p tcp -i $LAN_IFACE --dport 22 -j ACCEPT
$IPT -A INPUT -p udp -i $LAN_IFACE --dport 67 -j ACCEPT
$IPT -A INPUT -j LOG --log-prefix "+++ IPv4 packet rejected +++ "
$IPT -A INPUT -j REJECT
$IPT -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE
/sbin/service iptables save
/sbin/service iptables condrestart
--8---

Works like a charm so far. Logging (near the end of the script) tells me whenever I'm locking myself out of something.

Cheers from South France,
Niki

Please add the following line BEFORE the RELATED,ESTABLISHED line:

$IPT -A INPUT -m state --state INVALID -j DROP

This will drop any packet whose flags make no sense or whose size is not as advertised. If you are not intending to do any routing, I'd remove the $IPT -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE line as well as $IPT -P FORWARD ACCEPT and instead insert some drops.

Adding to the list of firewall management, I'm strangely attached to UFW mostly because I can pre-load application rules into it and it makes limiting connection rates easier[1]. A current(ish) rpm is hiding out at http://www.openmamba.org/distribution/distromatic.html?tag=devel-ercolinuxpkg=ufw.source

Pat

[1] http://www.snowman.net/projects/ipt_recent/ you can seriously slow brute force logins with this
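As an added example (not Niki's script and not Pat's), here is the firewall-start script rewritten with Pat's two suggestions applied: INVALID dropped ahead of the RELATED,ESTABLISHED accept, and FORWARD/MASQUERADE closed unless the box is really the LAN gateway. It assumes the same eth0/eth1 interfaces and, by default, only echoes the rules so the order can be reviewed without root.

```shell
#!/bin/sh
# Niki's firewall-start with Pat's two suggestions applied (added example,
# not the list's script): INVALID is dropped before RELATED,ESTABLISHED is
# accepted, and FORWARD stays DROP with no MASQUERADE unless this host is
# really the LAN gateway. IPT defaults to "echo iptables" for a non-root
# dry run of the rule order; run with IPT=/sbin/iptables to apply.
IPT=${IPT:-"echo iptables"}
WAN_IFACE=${WAN_IFACE:-eth0}
LAN_IFACE=${LAN_IFACE:-eth1}
ROUTING=${ROUTING:-no}      # yes only on the box that routes for the LAN

firewall_rules() {
    # flush and delete everything so re-running is idempotent
    $IPT -F; $IPT -t nat -F; $IPT -t mangle -F
    $IPT -X; $IPT -t nat -X; $IPT -t mangle -X
    # default policies: nothing in, nothing through, anything out
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
    # INVALID first, so malformed/untracked packets never match the
    # RELATED,ESTABLISHED accept that follows
    $IPT -A INPUT -m state --state INVALID -j DROP
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -p tcp -i $LAN_IFACE --dport 22 -j ACCEPT
    $IPT -A INPUT -p udp -i $LAN_IFACE --dport 67 -j ACCEPT
    $IPT -A INPUT -j LOG --log-prefix "+++ IPv4 packet rejected +++ "
    $IPT -A INPUT -j REJECT
    if [ "$ROUTING" = yes ]; then
        # routing: only LAN->WAN and the replies, then NAT on the WAN side
        $IPT -A FORWARD -m state --state INVALID -j DROP
        $IPT -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -j ACCEPT
        $IPT -A FORWARD -i $WAN_IFACE -o $LAN_IFACE -m state --state RELATED,ESTABLISHED -j ACCEPT
        $IPT -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE
    fi
}

firewall_rules
# persist and reload only when applying for real, not in the dry run
if [ "$IPT" = /sbin/iptables ]; then
    /sbin/service iptables save
    /sbin/service iptables condrestart
fi
```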