[Vserver] problem with netfilter and vservers

2005-09-17 Thread Luís Miguel Silva
Hello Gang,

I've been having some serious problems with vservers and iptables!

Sometimes I need to add SNAT rules for my vservers to route outside the root
server and, some other times, I can't access my vservers from the outside :o(

Take this script for example:
http://lms.ispgaya.pt/goodies/iptables

On the server where I use it everything worked like a charm!

Until... I had to add support in the kernel for another NIC.

[EMAIL PROTECTED] ~# lspci
00:00.0 Host bridge: Intel Corp.: Unknown device 2570 (rev 02)
00:01.0 PCI bridge: Intel Corp.: Unknown device 2571 (rev 02)
00:1d.0 USB Controller: Intel Corp.: Unknown device 24d2 (rev 02)
00:1d.1 USB Controller: Intel Corp.: Unknown device 24d4 (rev 02)
00:1d.2 USB Controller: Intel Corp.: Unknown device 24d7 (rev 02)
00:1d.3 USB Controller: Intel Corp.: Unknown device 24de (rev 02)
00:1d.7 USB Controller: Intel Corp.: Unknown device 24dd (rev 02)
00:1e.0 PCI bridge: Intel Corp. 82801BA/CA/DB PCI Bridge (rev c2)
00:1f.0 ISA bridge: Intel Corp.: Unknown device 24d0 (rev 02)
00:1f.1 IDE interface: Intel Corp.: Unknown device 24db (rev 02)
00:1f.3 SMBus: Intel Corp.: Unknown device 24d3 (rev 02)
00:1f.5 Multimedia audio controller: Intel Corp.: Unknown device 24d5 (rev 02)
01:00.0 VGA compatible controller: nVidia Corporation RIVA TNT2 Model 64 (rev 15)
02:05.0 Ethernet controller: 3Com Corporation: Unknown device 1700 (rev 12)
02:0a.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL-8139/8139C/8139C+ (rev 10)
02:0b.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL-8139/8139C/8139C+ (rev 10)
02:0d.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL-8139/8139C/8139C+ (rev 10)
[EMAIL PROTECTED] ~#

Since the 3com (gigabit builtin) ethernet device is unknown, I added support for
it and recompiled the kernel.

After rebooting the machine, I couldn't access any services on 192.168.3.81
(vserver called ciisp) from the outside.

I disabled support for that NIC again, recompiled and rebooted and everything
went back to normal again!

Can anybody help me with this? Is this normal behaviour?

I also don't understand why some vservers need me to -j SNAT --to root-server
and others don't!

Thanks in advance,
+
| Luís Miguel Ferreira da Silva
| Network Administrator @ISPGaya
| Instituto Superior Politécnico Gaya
| Rua António Rodrigues da Rocha, 291/341
| Sto. Ovídio • 4400-025 V. N. de Gaia
| Tel: +351 223745730/3/5
| GSM: +351 912671471 +351 936371253
+


This email was sent via the ISPGaya webmail
Instituto Superior Politécnico Gaya


___
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver


Re: [Vserver] problem with netfilter and vservers

2005-09-17 Thread Luís Miguel Silva

Dear Herbert,

Although I really thought your email was full of sarcasm (*really* sorry if I
misinterpreted it :o) ), please read along the email to find some comments
replying to your comments...


*sigh* well, let's interpret parts of it ...

$IPTABLES -A POSTROUTING -t nat -s 192.168.3.0/24 -d 192.168.2.0/24 -j ACCEPT
$IPTABLES -A POSTROUTING -t nat -s 192.168.3.0/24 -d 192.168.4.0/24 -j ACCEPT

accept network traffic from 192.168.3 to 192.168.2 and 192.168.4
(unmodified, unconditional)

$IPTABLES -A POSTROUTING -t nat -s 192.168.3.0/24 -d 193.126.109.240/255.255.255.248 -j ACCEPT

same for traffic from 192.168.3 to 193.126.109.240-247
hmm, why would KQPT Network Operations want packets from
a private network?

$IPTABLES -A POSTROUTING -t nat -s 192.168.3.0/24 -d 193.126.229.32/255.255.255.248 -j ACCEPT

hmm, seems they definitely want private traffic :)

$IPTABLES -A POSTROUTING -t nat -s 192.168.3.0/24 -d ! 192.168.0.0/16 -j SNAT --to 192.168.3.2

everything not destined for 192.168 will appear as
private IP 192.168.3.2 (strange, why would we want that?)

$IPTABLES -A POSTROUTING -t nat -s 172.28.10.0/24 -d ! 172.28.10.0/24 -j SNAT --to-source 172.28.10.254

and similar for 172.28.10, which had no role yet,
but seem to be valid IPs for output, and we SNAT
them all to 172.28.10.254 ...




so this setup assumes that both 192.168.3.2 and
172.28.10.254 can reach the outside (whatever that
might mean) and that there are either two routes
or the router can handle both IPs ...


On the server where I use it everything worked like a charm!

Until... I had to add support in the kernel for another NIC.

[EMAIL PROTECTED] ~# lspci
00:00.0 Host bridge: Intel Corp.: Unknown device 2570 (rev 02)
00:01.0 PCI bridge: Intel Corp.: Unknown device 2571 (rev 02)
00:1d.0 USB Controller: Intel Corp.: Unknown device 24d2 (rev 02)
00:1d.1 USB Controller: Intel Corp.: Unknown device 24d4 (rev 02)
00:1d.2 USB Controller: Intel Corp.: Unknown device 24d7 (rev 02)
00:1d.3 USB Controller: Intel Corp.: Unknown device 24de (rev 02)
00:1d.7 USB Controller: Intel Corp.: Unknown device 24dd (rev 02)
00:1e.0 PCI bridge: Intel Corp. 82801BA/CA/DB PCI Bridge (rev c2)
00:1f.0 ISA bridge: Intel Corp.: Unknown device 24d0 (rev 02)
00:1f.1 IDE interface: Intel Corp.: Unknown device 24db (rev 02)
00:1f.3 SMBus: Intel Corp.: Unknown device 24d3 (rev 02)
00:1f.5 Multimedia audio controller: Intel Corp.: Unknown device 24d5 (rev 02)
01:00.0 VGA compatible controller: nVidia Corporation RIVA TNT2 Model 64 (rev 15)
02:05.0 Ethernet controller: 3Com Corporation: Unknown device 1700 (rev 12)
02:0a.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL-8139/8139C/8139C+ (rev 10)
02:0b.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL-8139/8139C/8139C+ (rev 10)
02:0d.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL-8139/8139C/8139C+ (rev 10)


hmm, four different network controllers easily confuse the
unpracticed eye and often also the admin attached to it :)


[EMAIL PROTECTED] ~#

Since the 3com (gigabit builtin) ethernet device is unknown, I added
support for it and recompiled the kernel.

After rebooting the machine, I couldn't access any services on
192.168.3.81 (vserver called ciisp) from the outside.


hmm, let's see .. *turns on the seeing orb* ... ah, looks
like your 3com card got detected _before_ the other three
realtek ones, so it was named eth0, instead of eth4 ...

hmmm, ... and that probably messed up all other NICs, as
they are now eth1 instead of eth0, eth2 instead of eth1 ...

now, most likely some of your guests have the interface
coded (it's a little blurry now) and others just an ip


I disabled support for that NIC again, recompiled and rebooted and
everything went back to normal again!

Can anybody help me with this? Is this normal behaviour?


I guess yes, it is the typical linux networking behaviour
so nothing critical ...


I also don't understand why some vservers need me to -j SNAT --to
root-server and others don't!


this also escapes my imagination (basically because of
lack of information) but I assume that some have real
IPs and/or communicate on private IPs where others have
to use the host IP for outgoing traffic ...

best,
Herbert


There are 4 NICs on the root server called leonardo-root.

eth0 - 192.168.3.2 [connecting to our internal network / outside world]
eth1 - 10.69.69.1 [connecting to the outside world (ADSL connection)]
eth2 - 172.28.10.254 [connecting to some IP cameras]
eth3 - not used...[until I added support for the 3com card of course :o)]

Also, as you stated, after I added support for the 3com card, all the other NICs
switched names...

Well, a little comment on this :o)
1st of all, I'm no idiot and I obviously know that and changed all the cables
2nd, why did you assume that?
3rd, ever thought I could be using modules in my kernel and aliasing
the NICs?
;o)

Either way... by default, the packets to unknown networks go through eth1 [gw:
10.69.69.254].

There 
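
Added example (not part of the original thread and not code from either poster): a small Python model of the six nat/POSTROUTING rules quoted in the reply above, evaluated first-match as netfilter does, run against constructed packets. The `Rule`/`Verdict` types, the `postrouting` function, the sample addresses other than 192.168.3.81, and the assumption that the chain policy is ACCEPT are all hypothetical.

```python
"""First-match model of the nat/POSTROUTING rules quoted in the thread.

Added illustration: Rule, Verdict and postrouting() are hypothetical helpers,
and the chain policy is assumed to be ACCEPT (packet leaves untranslated).
"""
import ipaddress
from typing import NamedTuple, Optional


class Rule(NamedTuple):
    src: str                        # -s
    dst: str                        # -d
    dst_negated: bool               # True when the rule says "-d ! net"
    target: str                     # "ACCEPT" or "SNAT"
    to_source: Optional[str] = None


# Rules in the order they are appended (-A) in the quoted script.
RULES = [
    Rule("192.168.3.0/24", "192.168.2.0/24", False, "ACCEPT"),
    Rule("192.168.3.0/24", "192.168.4.0/24", False, "ACCEPT"),
    Rule("192.168.3.0/24", "193.126.109.240/255.255.255.248", False, "ACCEPT"),
    Rule("192.168.3.0/24", "193.126.229.32/255.255.255.248", False, "ACCEPT"),
    Rule("192.168.3.0/24", "192.168.0.0/16", True, "SNAT", "192.168.3.2"),
    Rule("172.28.10.0/24", "172.28.10.0/24", True, "SNAT", "172.28.10.254"),
]

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True for addresses in the three RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


class Verdict(NamedTuple):
    rule: Optional[int]             # 1-based index of the matching rule, None = policy
    target: str
    source: str                     # source address after POSTROUTING
    private_to_public: bool         # RFC 1918 source still heading to a public address


def postrouting(src: str, dst: str) -> Verdict:
    """Return what the chain does to the first packet of a connection."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    rule_no, target, new_src = None, "policy ACCEPT", src
    for n, r in enumerate(RULES, start=1):
        if s not in ipaddress.ip_network(r.src):
            continue
        dst_in_net = d in ipaddress.ip_network(r.dst)
        if dst_in_net == r.dst_negated:     # "-d net" missed, or "-d ! net" hit net
            continue
        rule_no, target = n, r.target       # first match wins; ACCEPT = no translation
        if r.target == "SNAT":
            new_src = r.to_source
        break
    leak = is_rfc1918(new_src) and not is_rfc1918(dst)
    return Verdict(rule_no, target, new_src, leak)


# Constructed sample packets: (source, destination).
SAMPLES = [
    ("192.168.3.81", "192.168.2.10"),      # internal to internal
    ("192.168.3.81", "193.126.109.241"),   # to one of the public /29 blocks
    ("192.168.3.81", "198.51.100.7"),      # to an arbitrary public address
    ("192.168.3.81", "192.168.9.9"),       # other 192.168.x.x network
    ("172.28.10.5", "198.51.100.7"),       # camera network to public
]

if __name__ == "__main__":
    print(f"{'source':<15} {'destination':<16} {'rule':<5} {'target':<14} "
          f"{'leaves as':<15} private->public")
    for src, dst in SAMPLES:
        v = postrouting(src, dst)
        print(f"{src:<15} {dst:<16} {str(v.rule or '-'):<5} {v.target:<14} "
              f"{v.source:<15} {v.private_to_public}")
```

The `private_to_public` column marks the condition the reply questions: with these rules, traffic to public addresses leaves either untranslated or rewritten to another RFC 1918 address, so the setup depends on an upstream device translating or routing those sources.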

[Vserver] new kernel 2.4.27...

2004-08-09 Thread Luís Miguel Silva
Hello dear list,

I want to upgrade my servers to kernel 2.4.27 but there isn't a final 2.4.27
patch! :o)

Will there be one soon Herbert?

Best,
+-
| Luís Miguel Silva
| Network Administrator@ ISPGaya.pt
| Rua António Rodrigues da Rocha, 291/341 
| Sto. Ovídio • 4400-025 V. N. de Gaia
| Portugal
| T: +351 22 3745730/3/5  F: +351 22 3745738
| G: +351 93 6371253  E: [EMAIL PROTECTED]
| H: http://lms.ispgaya.pt/
+-



Re: [Vserver] new kernel 2.4.27...

2004-08-09 Thread Luís Miguel Silva
oh kie, thanks for the quick (as usual) response :o)

Herbert Poetzl [EMAIL PROTECTED] wrote:

 On Mon, Aug 09, 2004 at 01:49:19PM +0100, Luís Miguel Silva wrote:
  Hello dear list,
  
  I want to upgrade my servers to kernel 2.4.27 but there isn't a final 2.4.27
  patch! :o)
 
 well, I wanted to avoid the 1.29 ooops, 1.30, oops 1.31
 fiasco this time, so I decided to put up some release
 candidate, which I (if nobody else) will test during this
 week ...
 
 http://vserver.13thfloor.at/Experimental/patch-2.4.27-vs1.29-rc1.diff
 
 (probably) it will then get released as final 2.4.27
 patch ...
 
  Will there be one soon Herbert?
 
 so yes ;)
 
 best,
 Herbert
 
  Best,
 
+-
| Luís Miguel Silva
| Network Administrator@ ISPGaya.pt
| Rua António Rodrigues da Rocha, 291/341 
| Sto. Ovídio • 4400-025 V. N. de Gaia
| Portugal
| T: +351 22 3745730/3/5  F: +351 22 3745738
| G: +351 93 6371253  E: [EMAIL PROTECTED]
| H: http://lms.ispgaya.pt/
+-



Re: [Vserver] Vservers...cron jobs...

2004-04-25 Thread Luís Miguel Silva
I'm talking about /etc/cron.daily jobs! :o)

I created two files (webalizer and sarg) so my box would run them
daily...

logrotate (on /etc/cron.daily) got executed but my other two scripts
weren't! (they were all right and had write permissions).

As I saw logrotate getting executed, I added my webalizer and sarg
scripts to it.

It worked all right. Today I checked that my scripts were executed fine!

Btw, shouldn't crontab -l return the /etc/crontab file?

proxy-adsl:/# crontab -l
no crontab for root
proxy-adsl:/# cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file.
# This file also has a username field, that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
25 6    * * *   root    test -e /usr/sbin/anacron || run-parts --report /etc/cron.daily
47 6    * * 7   root    test -e /usr/sbin/anacron || run-parts --report /etc/cron.weekly
52 6    1 * *   root    test -e /usr/sbin/anacron || run-parts --report /etc/cron.monthly
#

It seems all went well... though I don't understand why my scripts did not
run alone...

Thanks,
Luís Silva


On Sun, 2004-04-25 at 04:44, Nuno Silva wrote:
 Luís Miguel Silva wrote:
 | Hello all,
 |
 | Does anybody else have problems with cron jobs?
 | I can't seem to get my cron jobs executed.
 | I always had this problem with mini-debian-vserver based vservers.
 |
 | Anybody else?
 |
 
 Hello, Luís!
 
 I don't have problems with that particular image... Are you talking
 about the /etc/cron.* directories (and /etc/crontab) or user's cron
 jobs? I suspect that it's a configuration problem. If you find the
 problem please report so that the image can be fixed :-)
 
 Regards,
 Nuno Silva


[Vserver] Vservers...cron jobs...

2004-04-24 Thread Luís Miguel Silva
Hello all,

Does anybody else have problems with cron jobs?
I can't seem to get my cron jobs executed.
I always had this problem with mini-debian-vserver based vservers.

Anybody else?

Best,
Luís Silva



Re: [Vserver] Targeted email lists for promotion

2004-04-23 Thread Luís Miguel Silva
Damn... I can't believe it.
We just got a mail from a web directory with email addresses separated
by states, cities, companies, people, activities...

Ahmm... damn spam! this is one of the reasons I don't believe in god! :oP

If god existed... he would punish these fuck-ups... :o[

On Fri, 2004-04-23 at 21:36, Mariana Coutinho wrote:
 Lists for direct mail via e-mail. E-mails separated by states, cities, 
 companies, individuals, activities.
 http://www.gueb.de/divulgamail
 
 Programs for promotion via e-mail. Promote your site and sell much more. 
 Targeted email lists for promoting homepages or selling 
 products and services over the internet. E-mail marketing, spam, direct-mail 
 lists. Visit now:
 http://www.gueb.de/divulgamail


Re: [Vserver] Super Cheap V-1-A-G-R-A!! ($2/dose)

2004-03-06 Thread Luís Miguel Silva
I thank this wonderful list... but I don't need it! :D

On Sat, 2004-03-06 at 14:46, steve wrote:
 The lowest price on V I A G R A on the 'net!!
 
 Click here:
 http://royaldrugs.com/sv/index.php?pid=eph9106
 
 
 
 
 
 
 
 
 
 To get off this list, go to http://drugsbusiness.com/gv/applepie.php


Re: [Vserver] Linux-Vserver Wiki Hacked ;)

2004-02-27 Thread Luís Miguel Silva
ROTFL... it's typical... stupid Brazilian idiots.
That dewd is Brazilian. He wrote in Portuguese something like this:
lol, if this project's security is like the security of this webpage, I
advise everybody to use it! that way we can have so much fun!

I won't even comment! fucking incompetents

S4T4N1C_BR41N was here...

*ROTFL*..no comments! ;o)



On Fri, 2004-02-27 at 18:15, Herbert Poetzl wrote:
 Hi Folks!
 
 some funny people decided to replace the Linux-VServer
 wiki, with a message ... (as the wiki uses version control
 this was not an issue), but I would like to know what
 they wanted to tell us ...
 
 so here is the original message, and what altavista did
 to it ...
 
 --
 = Linux VServer Project =  se o projeto for que nem 
 a segurança entaum aconselho a todos á ele... 
 Pois assim agente vai se divertir muito...
 
 Vo nem fala nada incopetência do caralho viu
 
 S4T4N1C_BR41N was here Need Help?! [EMAIL PROTECTED]
 
 -!e0f!-
 --
 
 altavista: Portuguese - English
 --
 = Linux VServer Project =  if the project will be that 
 nor the security entaum I advise to all á it... 
 Therefore thus agent goes to have fun itself very... 
 
 Vo nor says to nothing incompetence of caralho saw...
 
 S4T4N1C_BR41N was here Need Help?! [EMAIL PROTECTED]
 
 -!e0f!-
 --
 
 this change was made from 200-232-205-3.dsl.telesp.net.br
 so maybe you know someone, who knows someone ;)
 
 TIA,
 Herbert
 


Re: [Vserver] TTY logging ...

2004-02-21 Thread Luís Miguel Silva
  a) do you consider this or a similar feature
very useful for linux-vserver?
  b) would you use such a feature on your hosts?
  c) how do you feel about 'violating the privacy' 
in such cases ...

a) Yeaps, all extra features are welcome
b) sure! especially on a honeypot environment!
c) what privacy? ;o) heh...all your users ARE BELONG to us! heh..

Best,
Luís

Herbert Poetzl [EMAIL PROTECTED] wrote:

 
 Hi Folks!
 
 somebody on the irc channel mentioned a feature 
 called 'tty logging' which UML provides ... 
 well it isn't strictly an UML feature, and therefore 
 I would like to have your opinion:
 
   http://user-mode-linux.sourceforge.net/tty_logging.html
 
 ... especially:
 
  - do you consider this or a similar feature
very useful for linux-vserver?
  - would you use such a feature on your hosts?
  - how do you feel about 'violating the privacy' 
in such cases ...
 
 TIA,
 Herbert
 
 
+-
| Luís Miguel Silva
| Network Administrator@ ISPGaya.pt
| Rua António Rodrigues da Rocha, 291/341 
| Sto. Ovídio • 4400-025 V. N. de Gaia
| Portugal
| T: +351 22 3745730/3/5  F: +351 22 3745738
| G: +351 93 6371253  E: [EMAIL PROTECTED]
| H: http://lms.ispgaya.pt/
+-



Re: [Vserver] new linux 2.4.25

2004-02-18 Thread Luís Miguel Silva
Yeah... and they're starting to give linux a bad name (on a security
basis).. :o(

Fortunately, more ms windows flaws have been discovered also..heh

On Wed, 2004-02-18 at 15:44, Christian Mayrhuber wrote:
 Herbert Poetzl wrote:
  On Wed, Feb 18, 2004 at 03:14:40PM +0100, Ondřej Surý wrote:
  
 Herbert, would you be so kind and make diff against 2.4.25, which was
 released just a few minutes ago?
  
  
  can be found at:
  
  http://www.13thfloor.at/vserver/s_release/v1.26/
  
  HTH,
  Herbert
 
 Thanks! Damn are you quick.
 Finally, xfs has made it.
 
 Those root exploits are not doing linux any favour in the
 netcraft uptime survey ;-)



[Vserver] Patch not working...more information?

2004-02-08 Thread Luís Miguel Silva
Hello all,

This time I was able to *apparently* fix the problem by using Jacques'
tools 0.29!

Sorry for the previous email but I did the upgrade to Jacques' tools in
the past and the vservers still didn't work!

Thanks,
Luís Silva





Re: [Vserver] Patch not working...more information?

2004-02-08 Thread Luís Miguel Silva
Still, I don't get it!

If Jacques broke the tools, why isn't there an official tarball with
everything working?

And... where are they broken?
Perhaps there is something broken on my server and I don't know it yet!
:oP

Best,
Luís

On Sun, 2004-02-08 at 16:15, Herbert Poetzl wrote:
 On Sun, Feb 08, 2004 at 04:09:05PM +, Luís Miguel Silva wrote:
  Your page is a little confusing.
  Yes, I saw that you didn't host Jacques' tools and... saw a fix to
  Jacques' tools.
  
  But since I tried those tools with your fix and my vservers didn't work,
  I decided not to use the patch today.
  
  Why are they broken? 
 
 because jack was in a hurry, and did too many
 changes at once ... I guess ;)
 
  Apparently, everything is working on my servers now!
 
 if it works for you, it's perfectly fine for me ...
 
 best,
 Herbert
 
  Thanks,
  Luís
  
  On Sun, 2004-02-08 at 16:01, Herbert Poetzl wrote:
   On Sun, Feb 08, 2004 at 03:53:40PM +, Luís Miguel Silva wrote:
Hello all,

This time I was able to *apparently* fix the problem by using Jacques'
tools 0.29!
   
   hmm, I hate to disappoint people, but did
   you have a look at my pages? there is a reason
   why I do not list Jack's 0.29 version and it's 
   simple, because it's broken!
   
   best,
   Herbert
   
Sorry for the previous email but I did the upgrade to Jacques' tools in
the past and the vservers still didn't work!

Thanks,
Luís Silva





Re: [Vserver] A little complaint from a *sometimes* unhappy user...

2004-02-08 Thread Luís Miguel Silva
Oh.. my idea wasn't to flame Herbert! You rule man ;o)

I just wanted to understand why things failed (at least for me).
I subscribe to the mailing list but unfortunately I don't have time
to follow all the messages!

Either way, it all is working perfectly now!
The only thing I don't understand is what is the problem with Jacques'
tools? :o)

I'm using them without the fix and they seem to work all right??

Best,
Luís Silva

On Sun, 2004-02-08 at 16:27, Cathy Sarisky wrote:
  I applied patch 1.25. All went smooth until the boot process.
  The vservers didn't boot again with that Cant change to security context
  #-1 (I think that was the exact message if I'm not mistaken).
 
 I saw this, but it was swiftly fixed by upgrading the vserver tools.
 
 I wouldn't complain too much - Herbert issued a patch for the 
 vulnerability at blazing speed, and while the first patch wasn't perfect, 
 he was quick to correct it.  Not too bad for someone who is doing this for 
 all of us as a volunteer.
 
 
 


[Vserver] vserver-0.29 not compiling on one server..

2004-02-08 Thread Luís Miguel Silva
Hello,

I have a Trustix 1.5 box and I am having trouble compiling the 
vserver-0.29 tools.

[EMAIL PROTECTED] /usr/src/vservers/vserver-0.29# make
g++ -c -o syscall.o syscall.cc
In file included from syscall.cc:1:
linux/vswitch.h:78: syntax error before `;'
linux/vswitch.h:79: syntax error before `;'
linux/vswitch.h:84: syntax error before `;'
linux/vswitch.h:86: syntax error before `;'
linux/vswitch.h:87: syntax error before `;'
linux/vswitch.h:96: syntax error before `;'
linux/vswitch.h:97: syntax error before `;'
linux/vswitch.h:107: syntax error before `;'
linux/vswitch.h:108: syntax error before `;'
linux/vswitch.h:109: syntax error before `;'
linux/vswitch.h:110: syntax error before `;'
linux/vswitch.h:114: syntax error before `;'
linux/vswitch.h:115: syntax error before `;'
linux/vswitch.h:116: syntax error before `;'
syscall.cc:18: `uint32_t' was not declared in this scope
syscall.cc:18: parse error before `,'
syscall.cc: In function `int vserver(...)':
syscall.cc:18: `cmd' undeclared (first use this function)
syscall.cc:18: (Each undeclared identifier is reported only once
syscall.cc:18: for each function it appears in.)
syscall.cc:18: `id' undeclared (first use this function)
syscall.cc:18: `data' undeclared (first use this function)
syscall.cc: In function `int call_new_s_context(int, int *, unsigned int, unsigned int)':
syscall.cc:40: `struct vcmd_new_s_context_v1' has no member named `remove_cap'
syscall.cc:41: `struct vcmd_new_s_context_v1' has no member named `flags'
syscall.cc: In function `int call_set_ipv4root(long unsigned int *, int, long unsigned int, long unsigned int *)':
syscall.cc:59: `struct vcmd_set_ipv4root_v3' has no member named `broadcast'
syscall.cc:61: `struct vcmd_set_ipv4root_v3::{anonymous}' has no member named `ip'
syscall.cc:62: `struct vcmd_set_ipv4root_v3::{anonymous}' has no member named `mask'
syscall.cc: In function `int call_set_ctxlimit(int, long int)':
syscall.cc:77: `struct vcmd_ctx_rlimit_v0' has no member named `id'
syscall.cc:78: `struct vcmd_ctx_rlimit_v0' has no member named `minimum'
syscall.cc:79: `struct vcmd_ctx_rlimit_v0' has no member named `softlimit'
syscall.cc:80: `struct vcmd_ctx_rlimit_v0' has no member named `maximum'
make: *** [syscall.o] Error 1
[EMAIL PROTECTED] /usr/src/vservers/vserver-0.29#

This is the output!

Trustix comes with glibc 2.1, can this be the problem?
The thing is I currently have a 2.4.21-ctx17 kernel working perfectly.

Did something dramatically change in the latest patches/tools?

This machine will *soon* be fresh installed, but I am currently running
an exploitable 2.4.21 kernel because of this!

I don't have local access to the machine which narrows down the
possibilities, and a new remote install of the system would be a little
bit risky since this is a production server.

Best,
Luís Silva





RE: [Vserver] [Release] Stable vs1.23 (improved security)

2004-01-12 Thread Luís Miguel Silva
Hello,

Great to read that :o)

Am I gonna have the problems I had with 2.4.24-vs1.22?
I am referring to the security context problems.

Currently I am using 2.4.24-vs1.00 because of those!

(after exchanging some mails in the past week with other users, which you
probably saw too, I think those problems had to do with me not being able to
get a random security context)!

Other users complained about the same and said they resolved their problem
by specifying a static security context.

Thanks for the new version,
+---
| Luís Miguel Silva
| Network Administrator@ ISPGaya.pt
| Rua António Rodrigues da Rocha, 291/341
| Sto. Ovídio • 4400-025 V. N. de Gaia
| Portugal
| T: +351 22 3745730/3/5  F: +351 22 3745738
| G: +351 93 6371253  E: [EMAIL PROTECTED]
| H: http://lms.ispgaya.pt/
+---

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Herbert Poetzl
Sent: Monday, 12 January 2004 6:11
To: [EMAIL PROTECTED]
Subject: [Vserver] [Release] Stable vs1.23 (improved security)


Hello Community!

hopefully the final bugfix release of the second 
linux-vserver stable release (1.23) is now 
available at

  http://www.13thfloor.at/vserver/s_release/v1.23/

you can download an all-in-one patch for 2.4.24
as well as tar archives of the splitup ...
(patches for older kernels available on request)

this release fixes another locking issue, this
time within the /proc filesystem, and adds a very
important security interface, to protect entries
against unwanted access.

older tools (especially tools for 1.22) should
work but util-vserver-0.26 or later is recommended.


new proc security feature:

by using the vproc tool (provided in vproc-0.1.tar)
it is now possible to limit the visibility of proc
entries to either the host, the special context one, 
or both, according to your preference.

note: by default all proc entries are visible and
therefore accessible via read and write on all 
contexts, only restricted by the linux capability
system, which is equivalent to the setup in all
earlier versions.

(using the entry meminfo as example)

 vproc /proc/meminfo     (shows current visibility)
 
 vproc -d /proc/meminfo  (hide in user context)
 vproc -D /proc/meminfo  (hide in any context)
 vproc -E /proc/meminfo  (show only in ctx one)
 vproc -e /proc/meminfo  (default: visible)

please make sure to disable dangerous entries
which are not required in a vserver anyway, like
hardware interfaces (ide,bus,pci,scsi) or kernel
interfaces (kmem,iomem,ioports,sys,...)

note: symbolic links and dynamically generated
entries like /proc/pid can not be masked by this
interface yet ... 

enjoy,
Herbert



RE: [Vserver] High Port Pass through??

2004-01-10 Thread Luís Miguel Silva
Isn't that because all the traffic which passes from the vservers to another
network is passing by a NAT filter on the root vserver (which uses a high
port for each connection it makes)?

Best,
+---
| Luís Miguel Silva
| Network Administrator@ ISPGaya.pt
| Rua António Rodrigues da Rocha, 291/341
| Sto. Ovídio • 4400-025 V. N. de Gaia
| Portugal
| T: +351 22 3745730/3/5  F: +351 22 3745738
| G: +351 93 6371253  E: [EMAIL PROTECTED]
| H: http://lms.ispgaya.pt/
+---
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Erik Smit
Sent: Saturday, 10 January 2004 18:48
To: [EMAIL PROTECTED]
Subject: Re: [Vserver] High Port Pass through??

On Fri, Jan 09, 2004 at 03:55:20PM -0800, Roderick A. Anderson wrote:
 *snipping to the point*
 We're seeing traffic that appears to be passed through on REALLY high port
 numbers.

Can you install tcpdump on the machine and give a sample of the traffic
you believe is improper? (or a firewall log)

Regards,

Erik Smit


RE: [Vserver] Problem with kernel 2.4.24 + vs1.22

2004-01-07 Thread Luís Miguel Silva
Everything is now working when running kernel 2.4.24-vs1.00 and vserver-0.26
+ util-vserver-0.25

Thank you!
+---
| Luís Miguel Silva
| Network Administrator@ ISPGaya.pt
| Rua António Rodrigues da Rocha, 291/341
| Sto. Ovídio • 4400-025 V. N. de Gaia
| Portugal
| T: +351 22 3745730/3/5  F: +351 22 3745738
| G: +351 93 6371253  E: [EMAIL PROTECTED]
| H: http://lms.ispgaya.pt/
+---

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Luís Miguel Silva
Sent: Wednesday, 7 January 2004 7:58
To: [EMAIL PROTECTED]
Subject: RE: [Vserver] Problem with kernel 2.4.24 + vs1.22

As you expected, the last test failed.

I'm going to try to use the old tools and then downgrade vs-1.22 to vs-1.00
using kernel 2.4.24

[EMAIL PROTECTED] ~# sh testme.sh
Linux-VServer Test [V0.05] (C) 2003-2004 H.Poetzl
chcontext is working.
chbind is working.
Linux 2.4.24-vs1.22 i686/chcontext 0.29/chbind 0.29 [J]
---
[001]# succeeded.
[011]# succeeded.
[031]# succeeded.
[101]# succeeded.
[102]# succeeded.
[201]# succeeded.
[202]# failed.
[EMAIL PROTECTED] ~#

Thanks for all,

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Herbert Poetzl
Sent: Wednesday, 7 January 2004 7:45
To: Luís Miguel Silva
Cc: [EMAIL PROTECTED]
Subject: Re: [Vserver] Problem with kernel 2.4.24 + vs1.22

On Wed, Jan 07, 2004 at 07:19:54AM -, Luís Miguel Silva wrote:
 I forgot to mention that this is happening on ALL my vservers since I
 upgraded to kernel 2.4.24-vs1.22!

please download and execute the following script
on one of your 'failing' machines ...

http://vserver.13thfloor.at/Stuff/testme.sh
(it is okay, when the last test fails)

if you get any errors in the tests < 202
try again with -v, and send the output

if everything looks okay, please try to upgrade/update
one thing at a time so in your case, just try the 'new'
kernel with the 'old' tools you were using with
2.4.23-vs1.00 or downgrade/change the tools ...

my vs1.22 installation, running for 23 days without
any issues (2.4.23-vs1.22) uses util-vserver 0.26
from enrico

HTH,
Herbert

> Best,
 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Luís Miguel Silva
> Sent: Wednesday, 7 January 2004 7:14
> To: 'Herbert Poetzl'
> Cc: [EMAIL PROTECTED]
> Subject: RE: [Vserver] Problem with kernel 2.4.24 + vs1.22
>
> Hello Herbert (and all others),
>
> Here are my configurations and tools versions:
> [EMAIL PROTECTED] /usr/src/installs/new-vserver# ls
> patch-vserver-0.29-fix01.diff  util-vserver-0.26/  util-vserver-0.26.tar.bz2
> vserver-0.29/  vserver-0.29.src.tar.gz
> [EMAIL PROTECTED] /usr/src/installs/new-vserver# cat /etc/vservers.conf
> # Configuration file for the vservers service
> # BACKGROUND=yes
> # start the vservers on tty9, in background so the rest of the
> # boot process end early
> BACKGROUND=no
> # This variable controls where the vservers are stored.
> # This file is sourced by the various vservers configuration files
> # in /etc/vservers. Each vserver may redefine the value so it points
> # elsewhere. So vservers may be located in various places on the system.
> # To make it simple, when you want to learn what is the vserver root
> # source one vserver configuration and you will learn what is the
> # actual vserver root for this vserver
> VSERVERS_ROOT=/vservers
> # When starting or entering a vserver, its /etc/mtab is generated on
> # the fly so it matches the various volumes mounted inside the vserver
> GENERATEMTAB=yes
>
> [EMAIL PROTECTED] /usr/src/installs/new-vserver# cat /etc/vservers/srmi.conf
> # Description: sapienflex-rmi
> # Select an unused context (this is optional)
> # The default is to allocate a free context on the fly
> # In general you don't need to force a context
> #S_CONTEXT=
> # Select the IP number assigned to the virtual server
> # This IP must be one IP of the server, either an interface
> # or an IP alias
> IPROOT=192.168.3.86
> # You can define on which device the IP alias will be done
> # The IP alias will be set when the server is started and unset
> # when the server is stopped
> # The netmask and broadcast are computed by default from IPROOTDEV

[Vserver] Problem with kernel 2.4.24 + vs1.22

2004-01-06 Thread Luís Miguel Silva
Hello all,

Today I updated my servers kernel to 2.4.24-vs1.22 and I'm having some
trouble when I try to stop the vserver.

[EMAIL PROTECTED] /usr/src/installs/new-vserver# vserver srmi stop
Stopping the virtual server srmi
Server srmi is running
ipv4root is now 192.168.3.86
Can't set the new security context
: Invalid argument
sleeping 5 seconds
Killing all processes
chcontext version 0.29
chcontext [ options ] command arguments ...
chcontext allocate a new security context and executes
a command in that context.
By default, a new/unused context is allocated
--cap CAP_NAME
Add a capability from the command. This option may be
repeated several time.
See /usr/include/linux/capability.h
In general, this option is used with the --secure option
--secure removes most critical capabilities and --cap
adds specific ones.
--cap !CAP_NAME
Remove a capability from the command. This option may be
repeated several time.
See /usr/include/linux/capability.h
--ctx num
Select the context. On root in context 0 is allowed to
select a specific context.
Context number 1 is special. It can see all processes
in any contexts, but can't kill them though.
Option --ctx may be repeated several times to specify up to 16
contexts.
--disconnect
Start the command in background and make the process
a child of process 1.
--domainname new_domainname
Set the domainname (NIS) in the new security context.
Use none to unset the domain name.
--flag
Set one flag in the new or current security context. The following
flags are supported. The option may be used several time.

fakeinit: The new process will believe it is process number 1.
Useful to run a real /sbin/init in a vserver.
lock: The new process is trapped and can't use chcontext anymore.
sched: The new process and its children will share a common
 execution priority.
nproc: Limit the number of process in the vserver according to
 ulimit setting. Normally, ulimit is a per user thing.
 With this flag, it becomes a per vserver thing.
private: No one can join this security context once created.
ulimit: Apply the current ulimit to the whole context
--hostname new_hostname
Set the hostname in the new security context
This is need because if you create a less privileged
security context, it may be unable to change its hostname
--secure
Remove all the capabilities to make a virtual server trustable
--silent
Do not print the allocated context number.

Information about context is found in /proc/self/status
[EMAIL PROTECTED] /usr/src/installs/new-vserver# uname -a
Linux leonardo-root.ispgaya.pt 2.4.24-vs1.22 #1 SMP Tue Jan 6 09:52:07 WET
2004 i686 unknown unknown GNU/Linux
[EMAIL PROTECTED] /usr/src/installs/new-vserver#


Is this the problem with vkill you mention on your site (Herbert)?

Best, 


___
Vserver mailing list
[EMAIL PROTECTED]
http://list.linux-vserver.org/mailman/listinfo/vserver


RE: [Vserver] [Release] vs1.00, vs1.22 and vs1.3.3 for 2.4.24

2004-01-05 Thread Luís Miguel Silva
Hello Herbert,

What about quota support for 2.4.24? ;oP

Hugz,

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Herbert Poetzl
Sent: Monday, 5 January 2004 21:52
To: [EMAIL PROTECTED]
Subject: [Vserver] [Release] vs1.00, vs1.22 and vs1.3.3 for 2.4.24


Hi Community!

for those who read about the newly discovered
exploits in 2.4.23 ... and those who haven't 
yet, I decided to update the latest vserver
patches (including the first stable release)
to 2.4.24 ...

you can find them together with updated, signed
md5sums on http://www.13thfloor.at/vserver/project/

HTH,
Herbert

vulnerabilities:
  http://isec.pl/vulnerabilities/isec-0013-mremap.txt
  http://www.securityfocus.com/bid/9154




[Vserver] Kernel 2.6.0..

2003-12-30 Thread Luís Miguel Silva
Hello all,

I'm sorry if this has already been discussed on this mailing list, but is
there going to be any vserver support for the 2.6.x kernel series?

Best regards and happy new year!


RE: [Vserver] Greetings

2003-12-14 Thread Luís Miguel Silva
It seems to me that you're missing the kernel headers from your system?

[EMAIL PROTECTED] ~# locate ext2fs
/usr/include/ext2fs
/usr/include/ext2fs/ext2_ext_attr.h
/usr/include/ext2fs/bitops.h
/usr/include/ext2fs/ext2_err.h
/usr/include/ext2fs/ext2_types.h
/usr/include/ext2fs/ext2_fs.h
/usr/include/ext2fs/ext2_io.h
/usr/include/ext2fs/ext2fs.h
/usr/lib/libext2fs.a
/usr/lib/libext2fs.so
/usr/lib/libext2fs.so.2
/lib/libext2fs.so.2.4
/lib/libext2fs.so.2
[EMAIL PROTECTED] ~#

Check to see if you have them installed...

Best,


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Francis Lee
Sent: Sunday, 14 December 2003 13:14
To: [EMAIL PROTECTED]
Subject: [Vserver] Greetings


Hello,

I've downloaded and applied the patches (1.22) to a 2.4.22 kernel and am
now trying to get the vserver, util-vserver and admin-vserver to work.

I run rh8.0

I tried the mdk rpms but vserver choked asking for a different version
of libstdc++.

So I got the source.

There's no configure and no instructions so I just typed make
[EMAIL PROTECTED] vserver-0.29]# make
g++ -c -o syscall.o syscall.cc
g++ -c -o old_syscall.o old_syscall.cc
g++ -funsigned-char -Wall -g -O -DVERSION=\"0.29\" chbind.cc syscall.o old_syscall.o -o chbind
g++ -funsigned-char -Wall -g -O -DVERSION=\"0.29\" chcontext.cc syscall.o old_syscall.o -o chcontext
g++ -funsigned-char -Wall -g -O -DVERSION=\"0.29\" reducecap.cc syscall.o old_syscall.o -o reducecap
g++ -c -o vutil.o vutil.cc
vutil.cc:12:28: ext2fs/ext2_fs.h: No such file or directory
vutil.cc: In function `int setext2flag(const char*, bool, int)':
vutil.cc:73: `EXT2_IOC_SETFLAGS' undeclared (first use this function)
vutil.cc:73: (Each undeclared identifier is reported only once for each
   function it appears in.)
make: *** [vutil.o] Error 1

Any help with what's wrong here?

Thanks in advance.

-- 
John Francis Lee [EMAIL PROTECTED]


[Vserver] problem setting user limits...

2003-12-07 Thread Luís Miguel Silva
Hello all,

I have a question regarding the ulimit on the vserver.
In vserver.conf I have
ULIMIT=-HS -u 250

Now I want to set some extra flags for each user that logs on to the server,
so I changed /etc/profile to have a:
ulimit -S -c 0 -p 8

This doesn't work.
But I can set
ulimit -S -c 0 -t 2048 for example.

Is there a patch or something I should do to only allow X processes for
EACH user that logs on to my server using shell access?

Best,


[Vserver] Patch for kernel 2.4.23...remote root <= 2.4.22

2003-12-01 Thread Luís Miguel Silva
Hello all,

I have been using kernel 2.4.21 + ctx17 (because of all the trouble I had using a different vserver patchset).
Also, I have been trying to keep from using other versions till the vserver project went back in line again (which it seems to have :o).

Either way, because of the new local root vulnerability on kernels <= 2.4.22, I really need urgently to patch all my boxes to 2.4.23.

When will there be a patch for it?

Best,