b
Posts
37
Posts posted by b
-
Hi
Other idea 1:
Don't know enough to critique your iptables setup!
Maybe attack that machine with latest nessus or something?
Other idea 2:
Other kernel ipv4 gizmos to consider ?
Most of following is in here somewhere:
(no german version yet so)
http://www.gentoo.org/doc/en/gentoo-security.xml
Note: If you are running a firewall/expert system the following may
not be necessary or useful or advisable.
kernel ipv4 settings
#(Lots of probably useless feedback on startup messages
#in following [included just to make sure they are set as wished])
echo "Options /proc/sys/net/ipv4"
if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_all ]; then          # if variable exists
    echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all              # set variable
    msg=`cat /proc/sys/net/ipv4/icmp_echo_ignore_all`               # build feedback message
    echo -e "\t${msg} = icmp_echo_ignore_all"                       # display feedback message
fi
if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then
    echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    msg=`cat /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts`
    echo -e "\t${msg} = icmp_echo_ignore_broadcasts"
fi
if [ -e /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ]; then
    echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
    msg=`cat /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses`
    echo -e "\t${msg} = icmp_ignore_bogus_error_responses"
fi
if [ -e /proc/sys/net/ipv4/ip_forward ]; then
    echo "1" > /proc/sys/net/ipv4/ip_forward    #echo "0" > ... if not gateway machine
    msg=`cat /proc/sys/net/ipv4/ip_forward`
    echo -e "\t${msg} = ip_forward"
fi
echo " /proc/sys/net/ipv4/conf/*/rp_filter"
for i in /proc/sys/net/ipv4/conf/*; do
    b_n=`basename ${i}`
    if [ -e $i/rp_filter ]; then
        echo "1" > $i/rp_filter
        msg=`cat $i/rp_filter`
        echo -e "\t${msg} = $b_n"
    fi
done
echo " /proc/sys/net/ipv4/conf/all"
if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ]; then
    echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
    msg=`cat /proc/sys/net/ipv4/conf/all/accept_source_route`
    echo -e "\t${msg} = accept_source_route"
fi
if [ -e /proc/sys/net/ipv4/conf/all/accept_redirects ]; then
    echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
    msg=`cat /proc/sys/net/ipv4/conf/all/accept_redirects`
    echo -e "\t${msg} = accept_redirects"
fi
if [ -e /proc/sys/net/ipv4/conf/all/log_martians ]; then
    echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
    msg=`cat /proc/sys/net/ipv4/conf/all/log_martians`
    echo -e "\t${msg} = log_martians"
fi
HIH
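Added example, not code from the post above: a read-only companion to that setup script. Instead of writing the /proc/sys/net/ipv4 knobs it reads the same ones, compares each with the value the post recommends and returns the number of mismatches, so it can run from cron or an rc script (or be sourced for its function) without changing anything. The function name audit_ipv4, the ROOT argument (which lets a constructed directory tree stand in for /proc while testing) and the FORWARD argument (expected ip_forward: 1 on a gateway, 0 otherwise) are my assumptions, not part of the original.

```sh
#!/bin/sh
# Added example (assumed names, not from the original post): read-only audit
# of the kernel ipv4 knobs that the setup script above writes.
#   audit_ipv4 [ROOT] [FORWARD]
#     ROOT     directory to read, default /proc/sys/net/ipv4; a constructed
#              directory tree with the same layout works for testing
#     FORWARD  expected ip_forward value: 1 on a gateway machine, 0 otherwise
#              (default 0)
#   Prints one line per knob. Return code = number of mismatching knobs,
#   so 0 means everything is set as expected. A knob the kernel does not
#   expose is reported but not counted, mirroring the "if [ -e ... ]" guards
#   of the setup script.

# knob and expected value, one pair per line (same knobs as the setup script)
IPV4_EXPECTED="icmp_echo_ignore_broadcasts 1
icmp_ignore_bogus_error_responses 1
conf/all/rp_filter 1
conf/all/accept_source_route 0
conf/all/accept_redirects 0
conf/all/log_martians 1"

audit_ipv4() {
    root="${1:-/proc/sys/net/ipv4}"
    forward="${2:-0}"
    bad=0
    # here-document rather than a pipe: a piped "while" runs in a subshell
    # in POSIX sh and the updated $bad would be lost
    while read -r key want; do
        [ -n "$key" ] || continue
        path="$root/$key"
        if [ ! -e "$path" ]; then
            printf '\t--\t%s missing (kernel does not expose it)\n' "$key"
            continue
        fi
        have=$(cat "$path")
        if [ "$have" = "$want" ]; then
            printf '\tok\t%s = %s\n' "$key" "$have"
        else
            printf '\tBAD\t%s = %s (expected %s)\n' "$key" "$have" "$want"
            bad=$((bad + 1))
        fi
    done <<EOF
$IPV4_EXPECTED
ip_forward $forward
EOF
    return "$bad"
}

# Usage once the file is sourced (". ./ipv4_audit.sh"):
#   audit_ipv4          live kernel, machine is not a gateway
#   audit_ipv4 "" 1     live kernel, machine forwards between interfaces
#   audit_ipv4 /some/constructed/tree 0
```

The exit status makes it usable as a check in a startup script: a non-zero return after the setup script has run means a knob did not take, or that another tool reset it later.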
-
Hi
One more for the toolbox.
Extremely light use here.
dia
Homepage: http://www.gnome.org/gnome-office/dia.shtml
Description: Diagram Creation Program
(lots of plugins)
dia2code
Homepage: http://dia2code.sourceforge.net
Description: Convert UML diagrams produced with Dia to various source code
flavours.
HIH
-
Hi
Maybe portmap and nfs are not yet running
when filesystems in /etc/fstab are mounted ?
Is there feedback in logs ?
If I am on track, ideas.
Change service startup order so that portmap and nfs
are started after network setup
and before filesystems in fstab are mounted
or
manually 're'mount nfs shares as last entries commands
in your "rc.local" file
(I think in mandrake it's /etc/rc.d/rc.local,
for me it's /etc/conf.d/local.start, no idea for your linux)
i.e. nfs mount instructions just before user gets control
at a cli or in gui.
HIH
-
Hi
Just in case, gateway set?
Output of ifconfig and route would help all reading....
-
Hi
Got the snort email alert too.
Nothing pressing here since RPC does not run here, it is usually not needed.
If it is not running it cannot be exploited !
Will upgrade soon anyway.
Since you don't have a Lan setup yet
you certainly don't need/use NIS, NFS or r services.(might be more rpc uses: don't know)
i.e. you don't need rpc services.
Turn them off (portmap, nfs, nis).
rpcinfo -p (to check)
(you can always turn them back on if needed or if something breaks!?)
However if your router device can firewall too
and you need NFS(soon will be openafs for me) on lan(remove r services use ssh instead)
make sure it does not allow outside(web) connections to ports.(/etc/services)
sunrpc 111/tcp portmapper # RPC 4.0 portmapper TCP
sunrpc 111/udp portmapper
My firewall machine often drops port 111 attempts even though that port is not open !
(They are fishing in an empty ocean)
Hope your plain ML security settings include a firewall denying
what you do not want to supply to the www.
Some reading:
The Linux System Administrators' Guide
at
http://www.tldp.org/guides.html
Ch. 12 Remote Procedure Call
HIH
-
Hi
Don't know anything about a mcc wizard setup.
On a 8.1 machine in /etc/ncp.conf
I have
...
# Public Canadian meteorological ... at Dorval, Québec, Canada
server ntp1.cmc.ec.gc.ca
(and that is it for setup)
I found the public time server reading:
http://www.eecis.udel.edu/~mills/ntp/servers.html
then
http://www.eecis.udel.edu/~mills/ntp/clock2a.html
(probably some public ones in there closer to you)
service ntpd.../chkconfig.../wizard... to taste.
The 8.1 setup does a ntpdate ... to sync gross time differences
before launching the ntpd daemon.
The other machine not mandrake I manually launch ntpdate... before
launching the daemon(about same setup as 8.1).
Have not tried yet syncing second machine from other syncing on
public web time server.
-
Just a thought from the dark!
/sbin/ldconfig
-
Hi
Are these it?
rss_glx:
DESCRIPTION="OpenGL screensavers, ported to GLX. Suitable for use with xscreensaver"
HOMEPAGE="http://rss-glx.sourceforge.net/"
SRC_URI="mirror://sourceforge/rss-glx/rss_glx-0.6.8.tar.bz2"
...
/usr/lib/xscreensaver/euphoria
/usr/lib/xscreensaver/lattice
/usr/lib/xscreensaver/cyclone
/usr/lib/xscreensaver/fieldlines
/usr/lib/xscreensaver/flocks
/usr/lib/xscreensaver/flux
/usr/lib/xscreensaver/helios
/usr/lib/xscreensaver/plasma
/usr/lib/xscreensaver/skyrocket
/usr/lib/xscreensaver/solarwinds
/usr/lib/xscreensaver/hufo_smoke
/usr/lib/xscreensaver/hufo_tunnel
/usr/lib/xscreensaver/colorfire
/usr/lib/xscreensaver/sundancer2
-
Have you considered emacs/xemacs ?
I think if I knew how to ask they would
tell me the color of my socks.
-
Longshot: maybe delete some .directory file ?
Fed up & give up: mv .kde .kde-KEEP!
-
Allo
My .02 read is that your kernel is setup and used to 1 only tcpip connection
it now has 2 and does not know how to route them correctly
(not setup for this). Are you getting any feedback/complaints in logs ?
On a similar micro lan the machine having the 2 links
has this set to 1
/proc/sys/net/ipv4/ip_forward
The other has it set to 0.
This 1 might be magical, hope it is but doubt it.
Anyway for me all this networking voodoo nat, masquerading, forwarding,
filtering was handled by bastille-firewall (now gone from mdk I hear)
while basic networking was through installation then netconf.
(don't remember much of it I am afraid)
How do I connect 192.168.0.0/24 to 192.168.1.0/24?
Your case described and explained.
(LDP free publication, http://www.tldp.org/guides.html
mdk used to have a "nag" rpm for this)
Linux Network Administrator's Guide
From appendix A
Example Network: The Virtual Brewery
...
The Virtual Brewery and the Virtual Winery each have a class C
subnet of the Brewery's class B network, and gateway to each other
via the host vlager, which also supports UUCP connection.
...
Chapter 5: Configuring TCP/IP Networking
...
Howto setup vlager et al.
(Have not done this yet)
HIH