Re: [SCIENTIFIC-LINUX-USERS] ipftiler on SL

2011-07-05 Thread Patrick Riehecky

On 07/05/2011 03:32 AM, Gabriele Bulfon wrote:
Hi, I have recently selected SL as an alternative to my Solaris / 
OpenSolaris installations.
I have been used to running firewalls with ipfilter for years, so I was 
wondering if there is any chance I can substitute iptables with ipfilter 5.

Thanx for any help.
Gabriele.


The most up to date information I could find on this was at 
http://www.phildev.net/ipf/IPFlinux.html   It doesn't look impossible, 
but not necessarily promising either.  I'd suggest migration to iptables 
simply because it is the native tool.  Porting applications is a bit of 
a mixed bag in my experience.  And with this page reporting that it 
should work reasonably well, that does fill me with confidence.  The 
default firewall made by the installer, while decidedly unfamiliar in 
IPF syntax, is fairly workable with excellent man pages (man iptables).  
It's a pain to change tools, but I fear the headaches caused by porting 
them may be worse.


Pat


Re: [SCIENTIFIC-LINUX-USERS] Why does postfix doesn't get the local hostname?

2011-05-31 Thread Patrick Riehecky

On 05/31/2011 09:17 AM, Marc Muehlfeld wrote:

Hi,

I'm currently trying SL6 with postfix for local mail delivery (no real mail
server).

But I am wondering why the sender is always ...@localdomain.localdomain? In
/etc/postfix/main.cf everything is at its default. myhostname is not set,
which should make postfix get the hostname via gethostname(), as written in
the comments.

A hostname and search domain is configured for the system:
# hostname -f
vm01.test.local

I know, I can set myhostname, but why isn't postfix getting this by itself?

Regards,
Marc

Hello,

If I were to hazard a guess, I would suspect that /etc/hosts is to blame 
here.  If your hostname is on the 127.0.0.1 line, then I've periodically 
seen things get a bit wonky.  I'd be curious what /etc/hosts looks like, 
as well as postconf -d | grep my, and seeing how those match up.


Pat


Re: [SCIENTIFIC-LINUX-USERS] Why does postfix doesn't get the local hostname?

2011-05-31 Thread Patrick Riehecky

On 05/31/2011 09:39 AM, Marc Muehlfeld wrote:

On 31.05.2011 16:35, Patrick Riehecky wrote:

If I were to hazard a guess, I would suspect that /etc/hosts is to blame here.

This was the first place I looked at, but:

127.0.0.1   localhost.localdomain   localhost.localdomain   localhost4
localhost4.localdomain4 localhost

192.168.29.14   vm01.test.local   vm01




... as well as, postconf -d |grep my and seeing how those match up.

# postconf -d |grep my
append_at_myorigin = yes
append_dot_mydomain = yes
lmtp_lhlo_name = $myhostname
local_transport = local:$myhostname
milter_macro_daemon_name = $myhostname
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = localdomain
myhostname = vm01.localdomain
That is curious.  Postfix seems to be automatically determining your 
domain as 'localdomain', exactly as you reported.  If I continue to 
guess, and this is firmly in the guess camp, I'd guess that postfix 
doesn't like '.local' as a tld.  The default in postfix 2.3 and 
later is to revert to 'localdomain' when it doesn't know the domain ( 
http://www.postfix.org/postconf.5.html#mydomain ).  Since .local isn't 
reserved as an official tld, this is my best theory for explaining the 
behaviour.

mynetworks = 127.0.0.0/8 192.168.29.0/24 192.168.20.0/24
mynetworks_style = subnet
myorigin = $myhostname
parent_domain_matches_subdomains =
debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,relay_domains,smtpd_access_maps
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps
$virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains
$relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps
$recipient_canonical_maps $relocated_maps $transport_maps $mynetworks
$sender_bcc_maps $recipient_bcc_maps $smtp_generic_maps $lmtp_generic_maps
relay_domains = $mydestination
smtp_helo_name = $myhostname
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_event_limit_exceptions =
${smtpd_client_connection_limit_exceptions:$mynetworks}
smtpd_proxy_ehlo = $myhostname
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination





myhostname = vm01.localdomain - but where does postfix get the localdomain
from, instead of the real domain of the host.


Just a guess,

Pat
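The two defaults behind the link Pat gives, worked through as an added example that is not part of the thread: postconf(5) documents myhostname as the gethostname() result, with ".$mydomain" appended when that result contains no dot, and mydomain as myhostname minus its first component, or "localdomain" (Postfix 2.3 and later) when nothing usable remains. The shell functions below model that derivation and compare it with a live host; "vm01" and "test.local" are the thread's own names reused as sample input, and check_live_host is an added helper, not a Postfix tool.

```shell
#!/bin/sh
# Added example, not from the thread: model the documented Postfix defaults for
# myhostname and mydomain (postconf(5)) so the "vm01.localdomain" result can be
# reproduced from whatever gethostname() returns, then compare with a live host.
# "vm01" and "test.local" come from the thread; everything else is assumed.

# myhostname default: the gethostname() result as-is when it contains a dot,
# otherwise the short name with ".$mydomain" appended, and an unset mydomain
# means "localdomain".
derive_myhostname() {
    _name=$1
    _mydomain=${2:-localdomain}
    case "$_name" in
        *.*) printf '%s\n' "$_name" ;;
        *)   printf '%s.%s\n' "$_name" "$_mydomain" ;;
    esac
}

# mydomain default (Postfix 2.3 and later): myhostname minus its first label,
# or "localdomain" when the remainder has no dot of its own, which is how
# mail_params.c treats "vm01.localdomain" (and a bare "foo.com").
derive_mydomain() {
    case "$1" in
        *.*.*) printf '%s\n' "${1#*.}" ;;
        *)     printf 'localdomain\n' ;;
    esac
}

# Show the kernel hostname (what gethostname() returns), the resolver's FQDN,
# the values the two rules above predict, and what Postfix actually computed.
check_live_host() {
    _short=$(hostname)
    _fqdn=$(hostname -f 2>/dev/null || echo '?')
    _myhostname=$(derive_myhostname "$_short")
    printf 'gethostname()  : %s\n' "$_short"
    printf 'hostname -f    : %s\n' "$_fqdn"
    printf 'predicted      : myhostname=%s mydomain=%s\n' \
        "$_myhostname" "$(derive_mydomain "$_myhostname")"
    if command -v postconf >/dev/null 2>&1; then
        printf 'postconf -d    : '
        postconf -d myhostname mydomain | tr '\n' ' '
        echo
    fi
}

if [ "${1:-}" = "--live" ]; then
    check_live_host
fi
```

Run with --live on the machine in question. If `hostname` (without -f) prints a bare "vm01", the modelled default yields vm01.localdomain, the value postconf -d printed above, whereas a kernel hostname of vm01.test.local yields test.local; so the kernel hostname (HOSTNAME= in /etc/sysconfig/network on SL6) is the first thing to compare against `hostname -f`, which goes through the resolver and /etc/hosts rather than gethostname().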


Re: [SCIENTIFIC-LINUX-USERS] SL6, SELinux, openafs

2011-05-13 Thread Patrick Riehecky

On 05/12/2011 04:31 PM, Orion Poplawski wrote:

On 05/12/2011 03:17 PM, Orion Poplawski wrote:

On 05/12/2011 03:04 PM, Orion Poplawski wrote:

I'm just trying out openafs on SL6 and ran into the following starting the afs
daemon:

Starting AFS client.
afsd: some file missing or bad in /usr/vice/etc

Turns out this was caused by following the quick start guide and linking
/usr/afs/etc/{CellServDB,ThisCell} to /usr/vice/etc. Just copying the files
allows everything to work with SELinux enforcing.


Spoke too soon.  Lots of denials on the server side of things.  Is there any
expectation that you can run openafs in enforcing mode?


Hi Orion,

While I can't promise this as a true fix, and Stephan Wiesand is aiming 
in the right area with his comments, I've had some luck writing my own 
SELinux policies in the past for completely unrelated and much less 
complex applications.  I've never tried on something as complex as AFS.  
It can be a lot of work, but if you need SL6 and AFS under SELinux, this 
may be your fastest solution.


Not having access to an AFS server, I can't make many suggestions on 
specifics.


The extra short process is to, temporarily, place the system in 
Permissive mode (setenforce 0), generate all the audit errors you can for 
AFS, and run audit2allow (yum install policycoreutils-python ; man 
audit2allow ; audit2allow -h ; mkdir -p /etc/selinux/custom ; cat <my 
AFS audit log errors only> | audit2allow -m custom_afs > 
/etc/selinux/custom/custom_afs.te).  Alas, this then requires figuring 
out how to reconcile the changes with the existing AFS module, for which 
I'm not sure I can help.  After the .te file doesn't conflict with 
existing settings or open unintended access (I say this like that is the 
easy part - it's really not.  You'll need to read the current AFS policy, 
edit the generated one to extend the current policy - without rigging it 
so that future updates to the SL AFS make things confusing on your end.  
Also I've never discovered a sufficiently clean way of documenting 
custom SELinux changes.  If you are like me, you will forget that you 
did this at the least opportune time.), simply checkmodule (cd 
/etc/selinux/custom/ ; checkmodule -M -m -o custom_afs.mod 
custom_afs.te), package the module (cd /etc/selinux/custom ; 
semodule_package -o custom_afs.pp -m custom_afs.mod), and then load it 
(cd /etc/selinux/custom ; semodule -i custom_afs.pp).  Once loaded, 
test, test, test, and test again.  The .pp file can be copied to any 
system sharing a policy version (i.e. 
selinux-policy-targeted-3.7.19-54.el6_0.5.noarch).


The terribly vague paragraph above represents a serious time investment 
(last time I tried to extend a policy it was a few solid days; though I 
doubt anyone is as terrible at it as I, so YMMV) and may not be worth it 
to you at this time.  If you are able to get a working extension to the 
AFS policy, I'm certain the community would love to see it.


If you'd rather spare yourself the hours of frustration, and possible 
unexpected downtime (loading a syntactically valid but bad module can 
require a reboot before things start working right again.  I've 
only done it once, and that in 2002, so this might not happen to you), 
I'd return to Stephan's comment.  SL 5 is a wonderful build.  If your 
AFS system is in production - or will be soon - trial and error SELinux 
experiments are not wise.


Pat
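The pipeline Pat sketches, written out as an added example that is neither code from the thread nor from the OpenAFS project: pull only the AFS denials out of the audit log, hand those to audit2allow, then checkmodule, semodule_package and semodule in the order he lists. The process names in AFS_PROCS, the module name custom_afs, the working directory and the sample AVC records are assumptions made for illustration; the tools are the policycoreutils ones from the message.

```shell
#!/bin/sh
# Added example, not from the thread: filter an audit log down to the AVC
# denials belonging to the AFS daemons, then build and load a local policy
# module from them with audit2allow / checkmodule / semodule_package / semodule.
# The process names, the module name "custom_afs", the work directory and the
# sample log records are assumptions for illustration.

AFS_PROCS="afsd fileserver volserver bosserver"   # assumed comm= values
MODULE=custom_afs
WORKDIR=/etc/selinux/custom

# Print only AVC records whose comm= field names one of the AFS processes.
# $1 is the audit log to read (normally /var/log/audit/audit.log).
afs_denials() {
    _log=$1
    _pat=""
    for p in $AFS_PROCS; do
        _pat="${_pat}${_pat:+|}comm=\"$p\""
    done
    grep 'type=AVC' "$_log" | grep -E "$_pat"
}

# Generate, compile, package and load the module. Refuses to run unless the
# tools from policycoreutils-python exist and at least one AFS denial was found.
build_and_load() {
    _log=$1
    for t in audit2allow checkmodule semodule_package semodule; do
        command -v "$t" >/dev/null 2>&1 || {
            echo "missing $t (yum install policycoreutils-python)" >&2; return 1; }
    done
    mkdir -p "$WORKDIR"
    afs_denials "$_log" > "$WORKDIR/$MODULE.avc"
    [ -s "$WORKDIR/$MODULE.avc" ] || { echo "no AFS denials in $_log" >&2; return 1; }
    audit2allow -m "$MODULE" < "$WORKDIR/$MODULE.avc" > "$WORKDIR/$MODULE.te"
    # Read $MODULE.te before this point in real use: every "allow" line is
    # access you are about to grant permanently, and some will duplicate or
    # fight the stock AFS policy.
    checkmodule -M -m -o "$WORKDIR/$MODULE.mod" "$WORKDIR/$MODULE.te"
    semodule_package -o "$WORKDIR/$MODULE.pp" -m "$WORKDIR/$MODULE.mod"
    semodule -i "$WORKDIR/$MODULE.pp"
}

# Constructed sample audit records (not real SL6 output) for offline testing:
# two AFS denials, one non-AVC record from afsd, one denial from httpd.
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1305234567.123:456): avc:  denied  { read } for  pid=1234 comm="afsd" name="ThisCell" dev=dm-0 ino=12345 scontext=system_u:system_r:afs_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1305234567.123:456): arch=c000003e syscall=2 success=no exit=-13 comm="afsd" exe="/usr/sbin/afsd"
type=AVC msg=audit(1305234568.321:457): avc:  denied  { name_bind } for  pid=2345 comm="fileserver" src=7000 scontext=system_u:system_r:afs_fs_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
type=AVC msg=audit(1305234569.222:458): avc:  denied  { write } for  pid=3456 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
EOF
}

# Number of AFS denials the filter finds in the constructed sample.
count_sample_denials() {
    _tmp=$(mktemp)
    sample_log > "$_tmp"
    afs_denials "$_tmp" | wc -l | tr -d ' '
    rm -f "$_tmp"
}

if [ "${1:-}" = "--build" ]; then
    build_and_load "${2:-/var/log/audit/audit.log}"
fi
```

afs_denials is the part that can be exercised offline; build_and_load goes all the way to semodule -i, so the generated .te file deserves the reading Pat insists on before it is run on anything but a scratch box. On a real SL6 host, `ausearch -m avc -c afsd --raw` pulls the same records more cleanly than grepping the log, and the resulting .pp file is tied to the policy version of the host that built it, as the message notes.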


Re: [SCIENTIFIC-LINUX-USERS] Problems with VMWare tools

2011-04-29 Thread Patrick Riehecky

If you are willing to walk a little on the wild side, 

http://open-vm-tools.sourceforge.net/

is run by VMware, but it isn't their official release set; some things 
are missing.


Pat

On 04/29/2011 08:55 AM, Larry Linder wrote:

Down load their evaluation set or just buy it and load it.
Works perfectly from their web site.
Larry Linder

On Friday 29 April 2011 3:50 am, Ahmed El Zein wrote:

On Sat, 2011-04-09 at 19:44 -0400, Nico Kadel-Garcia wrote:

On Sat, Apr 9, 2011 at 4:17 PM, Lukas Press <lukaspr...@googlemail.com>

wrote:

On 04/09/2011 11:34 AM, Eero Volotinen wrote:

2011/4/9 Nikola Wenta <nikola.we...@nottingham.ac.uk>:

Dear all,
I am trying Scientific Linux and want to get VMWare tools installed.
Can someone tell me where I can download the required Kernel C header
files, and under what path they will be installed?
Cheers,
Niko

kernel-headers and kernel-devel packages, both available in sl repos.
The install script will complain that the path to the c header files
are wrong if you install the header files midway through the process,
even if you put the correct path in (/usr/include i think?).  If this
is happening cancel the install and re-run the vmware-install.pl script
after installing the correct packages; it should pick up the header
files automatically then.

Regards
Chris

There's also a bit of nastiness when you update kernels: VMWare has
not selected to incorporate the 'vmware-modules' init script I sent
them, that re-runs the VMware configuration at boot time in case
you're running a new kernel. This is particularly dangerous if you're
using the vmxnet network drivers rather than e1000: the guest host
will be unavailable after a kernel upgrade and reboot until the
configuration tool is re-run, and if you have the wrong network setup,
your hostname will be wrong and you'll have to reboot *AGAIN* to get
all your services configured correctly.

If you are using ESX (as I am), then you might want to look at the
repository at:
http://packages.vmware.com/tools/esx/index.html

This way you get automatic updates when you upgrade the kernel.


Re: [SCIENTIFIC-LINUX-USERS] a quick poll: what are your favourite linux power tools?

2011-04-25 Thread Patrick Riehecky

On 04/24/2011 07:57 AM, Robert P. J. Day wrote:

   the background: i'm teaching a 2-day course later this week on
unix/linux power tools, and i've already got the manual, but it looks
like there's maybe 1.5 days worth of content there, so i have the
freedom to fill up another 1/2 day with whatever cool utilities i
want.  i'll be teaching the course off of SL 6.0 so i have the
flexibility to add in whatever's normally available from the SL repos.

   i'm going to add in some package management using yum, plus a quick
tutorial on ssh.  any other topics people here use on a really regular
basis that they find indispensable?  not necessarily admin level, just
really, really handy programs.  i realize it's kind of an open-ended
question, i'm just curious.

   thanks for any suggestions.

rday



Any list without xargs feels incomplete to me.

Pat


Re: [SCIENTIFIC-LINUX-USERS] RHEL/SL and iptables

2011-04-21 Thread Patrick Riehecky

On 04/20/2011 02:47 PM, Nicolas Kovacs wrote:

On 20/04/2011 02:26, Tom H wrote:

On Tue, Apr 19, 2011 at 12:53 PM, Robert E. Blair <r...@anl.gov> wrote:

There is a sourceforge project called firestarter which has a rather
nice script that does lots of iptables config and provides a gui monitor
of firewall activity.

You could also try APF:
http://www.rfxn.com/projects/advanced-policy-firewall/
(I've never used it so this isn't an experienced-based recommendation
but I've installed it on a test box to check out its rules and they
looked good.)

Shorewall's also an option that you could consider. It's another blind
recommendation though; I've never even seen its default rules...

Thanks very much for the numerous answers. I read through a pile of
documentation, and figured out the most simple solution was a
handcrafted iptables script from scratch. Here goes :

--8---
#!/bin/sh
##/root/bin/firewall-start
IPT=/sbin/iptables
WAN_IFACE=eth0
LAN_IFACE=eth1
# flush and delete every chain in the filter, nat and mangle tables
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X
# default policies: refuse unsolicited input, forward and send freely
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# ssh and DHCP only from the LAN side
$IPT -A INPUT -p tcp -i $LAN_IFACE --dport 22 -j ACCEPT
$IPT -A INPUT -p udp -i $LAN_IFACE --dport 67 -j ACCEPT
# log what is about to be refused; the prefix must be quoted (iptables
# otherwise takes "+++" as the prefix and rejects the rest) and may be
# at most 29 characters
$IPT -A INPUT -j LOG --log-prefix "+++ IPv4 packet rejected +++ "
$IPT -A INPUT -j REJECT
# NAT for the LAN behind the WAN interface
$IPT -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE
/sbin/service iptables save
/sbin/service iptables condrestart
--8---

Works like a charm so far. Logging (near the end of the script) tells me
whenever I'm locking myself out of something.

Cheers from South France,

Niki

Please add the following line BEFORE the RELATED,ESTABLISHED line

$IPT -A INPUT -m state --state INVALID -j DROP

This will drop any packet whose flags make no sense or whose size is not 
as advertised.


If you are not intending to do any routing, I'd remove the $IPT -t nat 
-A POSTROUTING -o $WAN_IFACE -j MASQUERADE line as well as $IPT -P 
FORWARD ACCEPT and instead insert some drops.


Adding to the list of firewall management, I'm strangely attached to 
UFW mostly because I can pre-load application rules into it and it 
makes limiting connection rates easier[1].  A current(ish) rpm is hiding 
out at 
http://www.openmamba.org/distribution/distromatic.html?tag=devel-ercolinuxpkg=ufw.source


Pat

[1] http://www.snowman.net/projects/ipt_recent/   you can seriously slow 
brute force logins with this
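The same firewall with Pat's two changes applied, plus the recent-based limiter from his footnote, as an added example rather than Niki's or Pat's own code: INVALID packets are dropped before the RELATED,ESTABLISHED accept, the FORWARD policy is DROP and the MASQUERADE rule is gone (the host-that-does-not-route case he describes), and new SSH connections from one source are capped with the recent match. The LAN interface name, the list name sshlimit and the 4-per-60-seconds threshold are assumptions.

```shell
#!/bin/sh
# Added example, not the script from the thread: the same firewall for a host
# that does not route, with Pat's two changes (INVALID dropped before the
# RELATED,ESTABLISHED accept; no FORWARD or MASQUERADE) and an SSH limiter
# built on the recent match he points to. The LAN interface, the list name
# "sshlimit" and the 4-per-60-seconds threshold are assumptions.

IPT=${IPT:-/sbin/iptables}   # IPT=echo prints the rules instead of loading them
LAN_IFACE=${LAN_IFACE:-eth1}
SSH_HITS=4                   # a source's 4th NEW ssh connection inside...
SSH_SECONDS=60               # ...this many seconds is logged and dropped

build_rules() {
    # Clean slate in every table, then default policies: a host that does not
    # route should never forward, and unsolicited input is refused.
    for t in filter nat mangle; do
        $IPT -t "$t" -F
        $IPT -t "$t" -X
    done
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT

    # Pat's point: packets with nonsensical flags or lengths are INVALID and
    # must be discarded before the state match below can wave them through.
    $IPT -A INPUT -m state --state INVALID -j DROP
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    $IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT

    # SSH from the LAN only. --set records every NEW connection per source, so
    # once a source has SSH_HITS entries inside SSH_SECONDS (this attempt
    # included) the attempt is logged (--rcheck adds no timestamp) and dropped
    # (--update refreshes the timestamp, so a persistent attacker stays
    # blocked); anything under the limit is accepted.
    $IPT -A INPUT -p tcp -i "$LAN_IFACE" --dport 22 -m state --state NEW \
        -m recent --name sshlimit --set
    $IPT -A INPUT -p tcp -i "$LAN_IFACE" --dport 22 -m state --state NEW \
        -m recent --name sshlimit --rcheck --seconds "$SSH_SECONDS" --hitcount "$SSH_HITS" \
        -j LOG --log-prefix "+++ ssh rate limited +++ "
    $IPT -A INPUT -p tcp -i "$LAN_IFACE" --dport 22 -m state --state NEW \
        -m recent --name sshlimit --update --seconds "$SSH_SECONDS" --hitcount "$SSH_HITS" \
        -j DROP
    $IPT -A INPUT -p tcp -i "$LAN_IFACE" --dport 22 -j ACCEPT

    # Everything else is logged and rejected; a log prefix may be at most 29
    # characters and must be quoted, or iptables takes "+++" as the prefix.
    $IPT -A INPUT -j LOG --log-prefix "+++ IPv4 packet rejected +++ "
    $IPT -A INPUT -j REJECT
}

if [ "${1:-}" = "--apply" ]; then
    build_rules
    /sbin/service iptables save
fi
```

Running it with IPT=echo prints the rule list instead of loading it, which is the cheap way to confirm the INVALID drop really sits above the RELATED,ESTABLISHED accept before the script touches a live box; with the real binary, run it as root with --apply and it saves the result the way the original did. The limiter only counts connections that reach the SYN stage, so it does nothing against an attacker who is already inside an established session; it is a brake on repeated logins, not an authentication control.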