theYinYeti

Posts posted by theYinYeti

  1. Hello,

     

    There's obviously a problem with booting this CD. You're not supposed to do anything at this “Boot” word, as this simply is not supposed to happen…

    I’m not too sure how you can check a CD is correctly burnt, but at least you may try booting the CD with the “noapic nolapic” boot options.

    I hope this will work. Linux is a nice OS, provided you're not plagued with hardware compatibility problems.

     

    Yves.

  2. Hello,

     

    I have my own server now (reuse of former “salon”). And I thought it would be nice to have this server hooked up to the HiFi, and thus enable any PC on the LAN to send sound to the HiFi!

     

    Setup was not straightforward, not least because Mandriva's paprefs seems to be partly broken, and there's ZERO documentation on Pulseaudio networking on Mandriva. Still, I managed; all in all, it's just a matter of:

    — adding

    load-module module-native-protocol-tcp
    load-module module-zeroconf-publish

    to /etc/pulse/default.pa on the (Debian) server,

    — adding

    load-module module-zeroconf-discover

    to /etc/pulse/default.pa on the (Mandriva) client,

    — managing authentication, either through ACL or with cookies.

     

    Alternately, the whole zeroconf parts can be replaced by a single line on the client side (I got this line thanks to paman; it was probably generated by zeroconf-discover in the first place):

    load-module module-tunnel-sink server=[my_server_IP]:4713 sink=alsa_output.hw_0 format=s16le channels=2 rate=44100 sink_name=tunnel.sphinx.local.alsa_output.hw_0 channel_map=front-left,front-right

     

    Anyway, I still have two problems, which are probably related:

     

    1/ Very choppy sound, and frozen video, when using the tunnelled sink

     

    When I play a wav file with VLC, I only get an occasional bit of sound once in a while, even though VLC's slider seems to run fine.

    Curiously, when I play the same wav file with mplayer, the sound gets perfectly to the speakers. However, mplayer itself seems to be lost. It displays a line about like this:

    A:   0.1 (00.1) of 1.0 (00:01.0)  0.1% 

    with no apparent trend up in the numbers and a regular flash of “unknown” (if I saw correctly) between the first pair of brackets.

    As for video, still with mplayer, it takes ages to actually start, and then, I have sound but no video, and mplayer is extremely slow to respond to key strokes.

     

    I must add that networking itself is not at fault. If, instead of relying on the tunnelled sink, I change of server with

    PULSE_SERVER=my_server mplayer ~/my_wav_file.wav

    then it is as good as with a local sink (which is not perfect, see below)…

     

    So it is obviously a tunnel-specific problem. Unfortunately, changing of PA server is not an option for me, because Mandriva's pavucontrol (pulseaudio 0.9.21) seems unable to connect to Debian's daemon (pulseaudio 0.9.10): I get an error about pa_context_get_card_info_list being “Not supported”.

     

    2/ Spurious pauses in video playback when using local sinks

     

    Now with local playback. As soon as a remote sink is available, be it through zeroconf, or directly with the tunnel-sink module, then local video playback on local sinks with any player (VLC, mplayer, xine) plays fine, EXCEPT (that's a big except…) every 5 minutes or so, there's a more-or-less-15-second pause in playback!

     

    So for now, I'm back to square one, with both “module-zeroconf-discover” and “module-tunnel-sink” disabled on the client side (no Pulseaudio network)…

     

    Is there a Pulseaudio veteran here that would have advice, tips, or anything to help me?

    Thanks,

     

    Yves.

  3. This may be a solution (it will erase any line in your file with the “PATH” sentence in it):

    /bin/sed -i /PATH/d ~/.bashrc

     

    Or you may try and cure the problem instead, by adding the “normal” path after your own:

    /bin/sed -ri 's#^PATH=(.*[^[:blank:]]):*[[:blank:]]*$#PATH=\1:$PATH#' ~/.bashrc

     

    Yves.

  4. For those interested, here's a follow-up.

    It happens the 4850 did not have the SVideo plug as advertised. So I sent it back and got a 4770 instead:

    — more silent

    — more economic

    — less hot

    — almost as powerful :)

     

    Conclusion: I'm really happy with the result, using ATI proprietary driver. The TV output works fine, in all available modes, and performance is good enough. There's one strange thing though: although the desktop is fine at 1680x1050, any game will behave strangely (slow and jerky) if its window is 1024x768 or bigger…

     

    Yves.

  5. Hello,

     

    I currently have an Asrock ConRoe945G-DVI, thus an integrated Intel 945G chipset.

     

    I need something more powerful for Need for Speed Carbon (commercial) and Rigs of Rods (free). Besides, I need:

    - PCI Express (because of the motherboard),

    - S-Video or Video (because my TV is an old cathodic with SCART/video),

    - DVI (because of my current 22″ LCD monitor).

    Finally, given the choice, I prefer low noise and low electricity consumption over unneeded performance (the two titles I mentioned are not very demanding).

     

    I first thought I'd never find a card with both S-Video output and PCI Express format. But looking harder, it seems quite a number of older AMD, and a few older NVidia are still available for sale.

     

    Basically, it seems to me the best choices still to be found are:

    - 65€: the Radeon HD 4730 (like this: HD 4730 example)

    - 100€: the Radeon HD 4850 (HD 4850 example) or the NVidia GTS 250 (GTS 250 example).

     

    Even though I don't want to buy a gaming beast of a card (I play very few games), I'm the kind to change of PC every 8 years, and of graphics card barely more... So I don't want too lame a card!

    I have zero experience with graphics cards and PC games (NFS is the first “modern” commercial game I have), and I fear the HD 4730 is already too old to last until my TV becomes HD (five years from now?).

     

    What do you think? What would you advise?

     

    Yves.

  6. The difference is:

     

    — switch/case allows several comparisons based on the same value.

    — if/else allows several independent comparisons.

     

    As a consequence, if you write (that's no particular language…):

     

    if a+b == 5 then echo "five"

    else-if a+b == 20 then echo "twenty"

    else-if a+b == callFunction() then echo "other permitted"

     

    then the sentence “a+b” is computed for comparison three times, once for each comparison. Whereas if you write:

     

    switch a+b:

    case 5: echo "five", break

    case 20: echo "twenty", break

    case callFunction(): echo "other permitted"

     

    then the sentence “a+b” is computed only once, which can be a big improvement if instead of “a+b” you have a complex function call.

    On the other hand, your language may not allow this last line of code I wrote in its syntax.

    Besides, you can write something like:

     

    if a == 5 then echo "first param is five"

    else-if b == 10 then echo "second param is ten"

    else echo "illegal combination of parameters"

     

    which cannot be expressed with switch/case because the sentence being compared is different each time.

     

    Yves.

  7. Well, I've finally found the missing bit in my knowledge. I should have thought of this sooner:

    http://netfilter.org/documentation/HOWTO//packet-filtering-HOWTO.html

    At the source! :)

     

    Now my (seemingly working) firewall is defined like that:

    # default rules
    iptables -t filter -P INPUT DROP
    iptables -t filter -P FORWARD DROP
    iptables -t filter -P OUTPUT ACCEPT
    
    # clear specific rules
    iptables -t filter -F INPUT
    iptables -t filter -F FORWARD
    iptables -t filter -F OUTPUT
    
    # allow continuation of already-started connections
    iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -t filter -A INPUT -f -j ACCEPT
    
    # allow local connections
    iptables -t filter -A INPUT -i lo -j ACCEPT
    
    # allowed ports (running servers):
    # ping
    iptables -t filter -A INPUT -p icmp -j ACCEPT
    # ssh
    iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
    # smtp
    iptables -t filter -A INPUT -p tcp --dport 25 -j REJECT
    # http
    iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
    # portmapper
    iptables -t filter -A INPUT -p tcp --dport 111 -s 192.168.1.0/24 -j ACCEPT
    iptables -t filter -A INPUT -p udp --dport 111 -s 192.168.1.0/24 -j ACCEPT
    # imap
    iptables -t filter -A INPUT -p tcp --dport 143 -s 192.168.1.0/24 -j ACCEPT
    # https
    iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
    # samba
    iptables -t filter -A INPUT -p tcp --dport 445 -s 192.168.1.0/24 -j ACCEPT
    # smtps
    iptables -t filter -A INPUT -p tcp --dport 465 -j ACCEPT
    # ipp
    iptables -t filter -A INPUT -p tcp --dport 631 -s 192.168.1.0/24 -j ACCEPT
    iptables -t filter -A INPUT -p udp --dport 631 -s 192.168.1.0/24 -j ACCEPT
    # rsync
    iptables -t filter -A INPUT -p tcp --dport 873 -s 192.168.1.0/24 -j ACCEPT
    # imaps
    iptables -t filter -A INPUT -p tcp --dport 993 -j ACCEPT
    # nfs
    iptables -t filter -A INPUT -p tcp --dport 2049 -s 192.168.1.0/24 -j ACCEPT
    iptables -t filter -A INPUT -p udp --dport 2049 -s 192.168.1.0/24 -j ACCEPT
    # statd
    iptables -t filter -A INPUT -p tcp --dport 2050 -s 192.168.1.0/24 -j ACCEPT
    iptables -t filter -A INPUT -p udp --dport 2050 -s 192.168.1.0/24 -j ACCEPT
    iptables -t filter -A INPUT -p tcp --dport 2051 -s 192.168.1.0/24 -j ACCEPT
    iptables -t filter -A INPUT -p udp --dport 2051 -s 192.168.1.0/24 -j ACCEPT
    # mountd
    iptables -t filter -A INPUT -p tcp --dport 2052 -s 192.168.1.0/24 -j ACCEPT
    iptables -t filter -A INPUT -p udp --dport 2052 -s 192.168.1.0/24 -j ACCEPT
    # zeroconf
    iptables -t filter -A INPUT -p udp --dport 5353 -s 192.168.1.0/24 -j ACCEPT
    # nlockmgr
    iptables -t filter -A INPUT -p tcp --dport 32000 -s 192.168.1.0/24 -j ACCEPT
    iptables -t filter -A INPUT -p udp --dport 32000 -s 192.168.1.0/24 -j ACCEPT

     

    To those who have experience in firewall rules, do you see flaws in this initial setup?

     

    Yves.

  8. The server has only one network interface and is connected to my home LAN. There, 192.168.1.X PCs can access the server. Besides, my ADSL router is configured so that all connections from internet on ports from 1 to 10000 are redirected to the server. Thus, the server can also be accessed from internet, but with a bit more restrictions (hence the -s parameters).

     

    Reading a bit more, I came up with this. Is it any better? Or even good? :)

    # default rules
    iptables -t filter -P INPUT DROP
    iptables -t filter -P FORWARD DROP
    iptables -t filter -P OUTPUT ACCEPT
    
    # reset specific rules
    iptables -t filter -F INPUT
    iptables -t filter -F FORWARD
    iptables -t filter -F OUTPUT
    
    # allow continuation of already-started connections
    iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    
    # allow local connections
    iptables -t filter -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
    
    # allowed ports (running servers):
    # 1/ TCP
    # echo
    iptables -t filter -A INPUT -p tcp --dport 7 --syn -j ACCEPT
    # ssh
    iptables -t filter -A INPUT -p tcp --dport 22 --syn -j ACCEPT
    # smtp
    iptables -t filter -A INPUT -p tcp --dport 25 --syn -j ACCEPT
    # http
    iptables -t filter -A INPUT -p tcp --dport 80 --syn -j ACCEPT
    # imap
    iptables -t filter -A INPUT -p tcp --dport 143 --syn -s 192.168.1.0/24 -j ACCEPT
    # https
    iptables -t filter -A INPUT -p tcp --dport 443 --syn -j ACCEPT
    # samba
    iptables -t filter -A INPUT -p tcp --dport 445 --syn -s 192.168.1.0/24 -j ACCEPT
    # smtps
    iptables -t filter -A INPUT -p tcp --dport 465 --syn -j ACCEPT
    # ipp
    iptables -t filter -A INPUT -p tcp --dport 631 --syn -s 192.168.1.0/24 -j ACCEPT
    # rsync
    iptables -t filter -A INPUT -p tcp --dport 873 --syn -s 192.168.1.0/24 -j ACCEPT
    # imaps
    iptables -t filter -A INPUT -p tcp --dport 993 --syn -j ACCEPT
    # nfs
    iptables -t filter -A INPUT -p tcp --dport 2049 --syn -s 192.168.1.0/24 -j ACCEPT
    # Transmission
    iptables -t filter -A INPUT -p tcp --dport 51413 --syn -j ACCEPT
    # 2/ UDP
    # ipp (--syn is a TCP-only match; iptables rejects it on UDP rules, so it is left out here)
    iptables -t filter -A INPUT -p udp --dport 631 -s 192.168.1.0/24 -j ACCEPT
    # zeroconf
    iptables -t filter -A INPUT -p udp --dport 5353 -s 192.168.1.0/24 -j ACCEPT
    # Transmission
    iptables -t filter -A INPUT -p udp --dport 51413 -j ACCEPT

     

    Yves.

  9. Hi! Happy New Year!

     

    I have installed a server on a USB key, and there is very little space available, so I want to write my firewall rules myself instead of installing a firewall front-end software.

     

    I'm doing tests on my main PC, currently running Shorewall, so IMO I have to do some “house-cleaning” first, hence the flush at the start of my script. Before any attempt, here was the output from nmap:

    [root@sedentaire ~]# nmap -sS -sU 192.168.1.21
    
    Starting Nmap 5.00 ( http://nmap.org ) at 2009-12-31 16:37 CET
    Interesting ports on sedentaire (192.168.1.21):
    Not shown: 1983 closed ports
    PORT     STATE         SERVICE
    22/tcp   open          ssh
    139/tcp  open          netbios-ssn
    143/tcp  open          imap
    445/tcp  open          microsoft-ds
    631/tcp  open          ipp
    993/tcp  open          imaps
    3128/tcp open          squid-http
    6566/tcp open          unknown
    8080/tcp open          http-proxy
    68/udp   open|filtered dhcpc
    123/udp  open|filtered ntp
    137/udp  open|filtered netbios-ns
    138/udp  open|filtered netbios-dgm
    177/udp  open|filtered xdmcp
    631/udp  open|filtered ipp
    3130/udp open|filtered squid-ipc
    5353/udp open|filtered zeroconf
    
    Nmap done: 1 IP address (1 host up) scanned in 1.38 seconds

     

    Following explanations from linuxhomenetworking.com, I wrote this simple basic firewall, just as a test:

    iptables -t filter -F
    iptables -t filter -A OUTPUT -j ACCEPT
    iptables -t filter -A FORWARD -j ACCEPT
    iptables -t filter -A INPUT -p tcp --dport 51413 -j ACCEPT
    iptables -t filter -A INPUT -p udp --dport 51413 -j ACCEPT
    iptables -t filter -A INPUT -j DROP

     

    But it does not work. Instead of telling me that one port is opened (51413), nmap seems to just hang…

    What is wrong with my rules?

     

    Yves.
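An added example for reviewing rule sets like the ones in the firewall posts above (my own code, not from the posts or from any firewall tool): it models iptables first-match evaluation of the INPUT chain over a constructed excerpt of those rules, assuming a DROP policy and using constructed source addresses. It shows that a bare `-f -j ACCEPT` rule admits any non-first fragment whatever its source, that probes falling through to the DROP policy get no answer at all (which is why a scanner keeps waiting instead of reporting closed ports), and that iptables refuses `--syn` on a UDP rule.

```python
import ipaddress
import shlex

# Constructed excerpt of the INPUT chain from the posts above; policy DROP when no rule matches, first match wins.
RULES_TEXT = """
iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -f -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 25 -j REJECT
iptables -t filter -A INPUT -p tcp --dport 2049 -s 192.168.1.0/24 -j ACCEPT
"""
POLICY = "DROP"
OPTS = {"-p": "proto", "--dport": "dport", "-s": "src", "--state": "states", "-j": "target"}
FLAGS = {"-f": "frag", "--syn": "syn"}  # bare flags; everything else is ignored here


def parse_rule(line):
    """Reduce one 'iptables ... -A INPUT ...' line to the criteria this model knows."""
    args = shlex.split(line)
    rule = {"frag": False, "syn": False}
    for i, a in enumerate(args):  # iptables, -t filter, -A INPUT, -m state add no criteria
        if a in OPTS:
            rule[OPTS[a]] = args[i + 1]
        elif a in FLAGS:
            rule[FLAGS[a]] = True
    if "src" in rule:
        rule["src"] = ipaddress.ip_network(rule["src"], strict=False)
    if "states" in rule:
        rule["states"] = set(rule["states"].split(","))
    if rule["syn"] and rule.get("proto") != "tcp":  # iptables itself refuses this combination
        raise ValueError("--syn is a TCP-only match, invalid with -p %s" % rule.get("proto"))
    return rule


def matches(rule, pkt):
    """True when every criterion present on the rule holds for the packet."""
    return all((
        rule.get("proto") in (None, pkt["proto"]),
        rule.get("dport") in (None, str(pkt["dport"])),
        rule.get("src") is None or ipaddress.ip_address(pkt["src"]) in rule["src"],
        rule.get("states") is None or pkt["state"] in rule["states"],
        not rule["frag"] or pkt["frag"],  # -f matches only second-and-later fragments
        not rule["syn"] or pkt["syn"],
    ))


def verdict(rules, pkt, policy=POLICY):
    """Target of the first matching rule, else the chain policy."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["target"]
    return policy


RULES = [parse_rule(line) for line in RULES_TEXT.strip().splitlines()]


def probe(src, proto, dport, state="NEW", frag=False, syn=True):
    # Verdict for one constructed inbound probe, e.g. a scanner's SYN from src.
    pkt = {"src": src, "proto": proto, "dport": dport, "state": state, "frag": frag, "syn": syn}
    return verdict(RULES, pkt)
```

Probes from the constructed address 203.0.113.7 stand in for the Internet side, 192.168.1.50 for the LAN side.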

  10. Actually, as mentioned before, it does work :)

    I did this test on my machine (yves.Xdomain):

    ssh -g -L 7890:serverA.Xdomain:443 yves@serverA.Xdomain

    and then I was able to display in Firefox:

    https://yves.Xdomain:7890/

    instead of

    https://serverA.Xdomain:443/

     

    And anyone in the team could access the former instead of the latter, as well.

     

    Now the question really is: is it TCP over TCP or not? If it is, then in case of network congestion, it may “self-destroy” any time; if not, all's well :unsure:

     

    Yves.

  11. I'll definitely look into Pound. If our current problem with sockets can be worked around by using pound instead of Apache (which serves no content by itself), it would be good news; well worth a try :-)

     

    Now to be more precise on the question about the SSH tunnel, I've read this:

    http://sites.inka.de/~W1011/devel/tcp-tcp.html

    where they explain that using PPP/SSH as a poor-man-VPN is a bad idea because you end up having:

    <top protocol>/TCP/IP/PPP/SSH/TCP/IP

    and TCP/…/TCP is bad.

     

    And I wonder: if I run a simple “ssh -L” or “ssh -R” on port 443 (https), will I have:

    HTTPS/SSH/TCP/IP (would be good)

    or

    HTTPS/TCP/IP/SSH/TCP/IP (would be bad)

    or

    something else entirely?

     

    Yves.

  12. Hot news… our “sockets problem” isn't quite over… So I'm all the more interested in facts that would prove the SSH solution to be a working one, or ideas for alternatives.

     

    Now that they see that the AJP problem partially remains (or so it seems…), they ponder the possibility of letting HTTPS through the firewall, after all… So I'll propose your proxy idea, Ian. Thank you for your help :)

     

    Yves.

  13. I realize you're right Ian. And you actually help me precisely define the situation.

     

    Because… I'm in the Java developer position (sort of), with no direct link with the network security team. And I don't have the rules; I just know that I've made propositions and been given answers like « no, not possible » and very little more. So I'm kind of trying to find out the rules based on those short answers.

     

    Well… One more information on why I was thinking about a tunnel: probably by fear of someone breaking past server B and into local network Y, they don't want to have the HTTPS port open in the firewall. They'll probably prefer an exotic/binary protocol (AJP), or a secure authenticated one (like SSH).

    As a matter of fact, AJP was already tried but led to problems (sockets remaining in open state), and that's why I asked about SSH tunnels in the first place. I know it works in theory (and I tried for real to be sure, minus the firewall), but I don't know how well suited it is for production use.

     

    Now to be honest, a few days after I started this topic, it was discovered the problem with AJP was in the Apache front-end; an upgrade cured the problem. Still, I'd like to know about alternatives.

     

    Yves

  14. You're right, I need to explain better :-)

     

    JBoss is on server A, completely shielded from any Internet access, or any access from local network Y for that matter.

    Visible from Internet is server B.

    Server A can access server B, and server B is allowed to access server A, although it is an exception, with secure channels only (more generally, local network Y can't see local network X).

     

    The aim is for JBoss to be browsable on HTTPS by anyone from anywhere.

     

    Yves.

  15. Hello,

     

    First the theory. I've read over and over again that “TCP over TCP is bad”, and I even think I understand why. But most of those reads were about PPP over SSH, which means a TCP network through PPP over another TCP network, if I understand correctly.

     

    1st question: As I understand it, an SSH tunnel is simply this: SSH listens on localhost:XXXX, encrypts the data, forwards it through the SSH connection to remote:22, decrypts it, and makes it all available on remote:YYYY. Even though SSH connects over TCP, and in my case the data is HTTP(S), I have the feeling that this setup is not “TCP over TCP”. Or is it?

     

    Now in practice. I have this setup:

     

    JBoss/machine A <---( local network X )--->[Firewall]<---( local network Y )---> machine B <---( internet )

     

    Aim: view JBoss pages from Internet.

    Considering HTTPS is already encrypted, I suppose using SSH for the tunnel is a bit overkill. Is there a more efficient solution?

     

    Yves.
