Newbie problem

Newbie problem

[Frank Akujobi]

Hi all,
Am a newbie and this is my first post. I just
installed Redhat7.1 (one I downloaded) and it's
working well even hooked it up to the internet. I
checked my /usr/src/ and I don't find a /linux
directory. I find only one directory... /redhat. It
there something wrong somewhere, or do I have to
download a kernel source seperately. Doing uname -r
shows me that I have 2.4.x.x.

Thanks.
Frank.


____________________________________________________________
Do You Yahoo!?
Get your free @yahoo.co.uk address at http://mail.yahoo.co.uk
or your free @yahoo.ie address at http://mail.yahoo.ie

Re: Newbie problem

[Joel Jaeggli]

you can install the kernel source from the distribution, or if you want a
new kernel based on the current sources you can grab the sources from one
of the ftp.us.kernel.org mirrors

joelja

 On Tue, 24 Jul 2001, Frank Akujobi wrote:

> Hi all,
> Am a newbie and this is my first post. I just
> installed Redhat7.1 (one I downloaded) and it's
> working well even hooked it up to the internet. I
> checked my /usr/src/ and I don't find a /linux
> directory. I find only one directory... /redhat. It
> there something wrong somewhere, or do I have to
> download a kernel source seperately. Doing uname -r
> shows me that I have 2.4.x.x.
>
> Thanks.
> Frank.
>
>
> ____________________________________________________________
> Do You Yahoo!?
> Get your free @yahoo.co.uk address at http://mail.yahoo.co.uk
> or your free @yahoo.ie address at http://mail.yahoo.ie
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/
>

-- 
--------------------------------------------------------------------------
Joel Jaeggli				       joelja@darkwing.uoregon.edu
Academic User Services			     consult@gladstone.uoregon.edu
     PGP Key Fingerprint: 1DE9 8FCA 51FB 4195 B42A 9C32 A30D 121E
--------------------------------------------------------------------------
It is clear that the arm of criticism cannot replace the criticism of
arms.  Karl Marx -- Introduction to the critique of Hegel's Philosophy of
the right, 1843.

Re: Newbie problem

[Stephen M. Williams]

On 24 Jul 2001 22:17:26 +0100, Frank Akujobi wrote:
> Hi all,
> Am a newbie and this is my first post. I just
> installed Redhat7.1 (one I downloaded) and it's
> working well even hooked it up to the internet. I
> checked my /usr/src/ and I don't find a /linux
> directory. I find only one directory... /redhat. It
> there something wrong somewhere, or do I have to
> download a kernel source seperately. Doing uname -r
> shows me that I have 2.4.x.x.
> 
> Thanks.
> Frank.
> 

OT, but if you did not tell the installer to install the
source/development part, it doesn't install the kernel source.  Look on
your CD or in the directory you downloaded files into for the RPM with
the word kernel-source in them.

The soure can be had from ftp.kernel.org, then untar it into /usr/src.

HTH,
--
Stephen Williams
mailto:rootusr@midsouth.rr.com

* I've tried killing time, but it keeps making a comeback.

Re: Newbie problem

[Paul G. Allen]

Frank Akujobi wrote:
> 
> Hi all,
> Am a newbie and this is my first post. I just
> installed Redhat7.1 (one I downloaded) and it's
> working well even hooked it up to the internet. I
> checked my /usr/src/ and I don't find a /linux
> directory. I find only one directory... /redhat. It
> there something wrong somewhere, or do I have to
> download a kernel source seperately. Doing uname -r
> shows me that I have 2.4.x.x.
> 
The kernel sources are not installed by default, you have to select them during install or (if you have the disk space) you can select Custom Installation and
then at the bottom of the package selection screen, click the box tha says Everything.

You can also install the RPMs from the CD.

PGA

Newbie problem

[Bahadir Karuv]

Hello All,

I am trying to have to computers communicate over the serial port.
The program below is modified from "Serial Programming Guide for Posix
operating Systems"
I am geting the following output when I send "Testing123" over the
serial port from the second computer


opened 3
just sent Hello
got back - Hello
just sent Hello
got back - HelloTesting123
just sent Hello
got back - Hello

First computer is getting the string echoed back to itself after it
sends "Hello".

What am I doing wrong?

Thanks and regards!




#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <termios.h>
#include <string.h>

int main(void)   /* Serial port */
       {
 time_t tsec;
 int fd;
 struct termios options;
 char buffer[255];
 char *bufptr;
 int  nbytes;
 char *message="Hello";

 /* open the port */
 fd = open("/dev/ttyS0", O_RDWR | O_NOCTTY | O_NDELAY);
 //fcntl(fd, F_SETFL, FNDELAY);
 printf("opened %u\n",fd);
 /* options */
 tcgetattr(fd, &options);
 options.c_cflag     |= (CLOCAL | CREAD);
 options.c_lflag     &= ~(ICANON | ECHO | ECHOE | ISIG);
 options.c_oflag     &= ~OPOST;
 options.c_cc[VMIN]  = 0;
 options.c_cc[VTIME] = 10;
 tcsetattr(fd, TCSANOW, &options);
 /* read characters into our string buffer until CR or NL */
 while(1){
 write(fd, message,strlen(message));
 printf("just sent %s\n",message);
 tsec=time(NULL);
 while(time(NULL)-tsec<1);

 bufptr = buffer;
 buffer[0]='\0';
 while ((nbytes = read(fd, bufptr, bufptr-buffer + sizeof(buffer)-1)) >
0)
 {
  bufptr += nbytes;
  if (bufptr[-1] == '\n' || bufptr[-1] == '\r')
   { printf("break\n");break;}
 }
 if (buffer!=bufptr){
   *(bufptr) = '\0';
   printf("got back - %s\n",buffer);
 }
    }
    close(fd);
}

RE: Newbie problem

[Ed Vance]

Hi,

My guess is that the second computer has "echo" enabled so all characters
received are echoed back to the other end. I see you turn echo off in the
program. I am assuming that the program is only running on the first
computer. 

Regards,
Ed

---------------------------------------------------------------- 
Ed Vance              edv@macrolink.com
Macrolink, Inc.       1500 N. Kellogg Dr  Anaheim, CA  92807
----------------------------------------------------------------

-----Original Message-----
From: Bahadir Karuv [mailto:bahkar@bcacademies.bergen.org]
Sent: Thursday, April 25, 2002 8:59 AM
To: linux-serial@vger.kernel.org
Subject: Newbie problem


Hello All,

I am trying to have to computers communicate over the serial port.
The program below is modified from "Serial Programming Guide for Posix
operating Systems"
I am geting the following output when I send "Testing123" over the
serial port from the second computer


opened 3
just sent Hello
got back - Hello
just sent Hello
got back - HelloTesting123
just sent Hello
got back - Hello

First computer is getting the string echoed back to itself after it
sends "Hello".

What am I doing wrong?

Thanks and regards!




#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <termios.h>
#include <string.h>

int main(void)   /* Serial port */
       {
 time_t tsec;
 int fd;
 struct termios options;
 char buffer[255];
 char *bufptr;
 int  nbytes;
 char *message="Hello";

 /* open the port */
 fd = open("/dev/ttyS0", O_RDWR | O_NOCTTY | O_NDELAY);
 //fcntl(fd, F_SETFL, FNDELAY);
 printf("opened %u\n",fd);
 /* options */
 tcgetattr(fd, &options);
 options.c_cflag     |= (CLOCAL | CREAD);
 options.c_lflag     &= ~(ICANON | ECHO | ECHOE | ISIG);
 options.c_oflag     &= ~OPOST;
 options.c_cc[VMIN]  = 0;
 options.c_cc[VTIME] = 10;
 tcsetattr(fd, TCSANOW, &options);
 /* read characters into our string buffer until CR or NL */
 while(1){
 write(fd, message,strlen(message));
 printf("just sent %s\n",message);
 tsec=time(NULL);
 while(time(NULL)-tsec<1);

 bufptr = buffer;
 buffer[0]='\0';
 while ((nbytes = read(fd, bufptr, bufptr-buffer + sizeof(buffer)-1)) >
0)
 {
  bufptr += nbytes;
  if (bufptr[-1] == '\n' || bufptr[-1] == '\r')
   { printf("break\n");break;}
 }
 if (buffer!=bufptr){
   *(bufptr) = '\0';
   printf("got back - %s\n",buffer);
 }
    }
    close(fd);
}



-
To unsubscribe from this list: send the line "unsubscribe linux-serial" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Newbie problem

[Bahadir Karuv]

Hi Ed,

Thanks for the speedy response. I thought the same but the first
computer keeps getting whatever it is sending ("Hello") eventhough the
serial cable is disconnected. The program I sent is running on the first
computer.

Thanks again and regards,

Karuv

Ed Vance wrote:

> Hi,
>
> My guess is that the second computer has "echo" enabled so all
> characters
> received are echoed back to the other end. I see you turn echo off in
> the
> program. I am assuming that the program is only running on the first
> computer.
>
> Regards,
> Ed
>
> ----------------------------------------------------------------
> Ed Vance              edv@macrolink.com
> Macrolink, Inc.       1500 N. Kellogg Dr  Anaheim, CA  92807
> ----------------------------------------------------------------
>
> -----Original Message-----
> From: Bahadir Karuv [mailto:bahkar@bcacademies.bergen.org]
> Sent: Thursday, April 25, 2002 8:59 AM
> To: linux-serial@vger.kernel.org
> Subject: Newbie problem
>
> Hello All,
>
> I am trying to have to computers communicate over the serial port.
> The program below is modified from "Serial Programming Guide for Posix
>
> operating Systems"
> I am geting the following output when I send "Testing123" over the
> serial port from the second computer
>
> opened 3
> just sent Hello
> got back - Hello
> just sent Hello
> got back - HelloTesting123
> just sent Hello
> got back - Hello
>
> First computer is getting the string echoed back to itself after it
> sends "Hello".
>
> What am I doing wrong?
>
> Thanks and regards!
>
>
>
> #include <stdio.h>
> #include <unistd.h>
> #include <fcntl.h>
> #include <termios.h>
> #include <string.h>
>
> int main(void)   /* Serial port */
>        {
>  time_t tsec;
>  int fd;
>  struct termios options;
>  char buffer[255];
>  char *bufptr;
>  int  nbytes;
>  char *message="Hello";
>
>  /* open the port */
>  fd = open("/dev/ttyS0", O_RDWR | O_NOCTTY | O_NDELAY);
>  //fcntl(fd, F_SETFL, FNDELAY);
>  printf("opened %u\n",fd);
>  /* options */
>  tcgetattr(fd, &options);
>  options.c_cflag     |= (CLOCAL | CREAD);
>  options.c_lflag     &= ~(ICANON | ECHO | ECHOE | ISIG);
>  options.c_oflag     &= ~OPOST;
>  options.c_cc[VMIN]  = 0;
>  options.c_cc[VTIME] = 10;
>  tcsetattr(fd, TCSANOW, &options);
>  /* read characters into our string buffer until CR or NL */
>  while(1){
>  write(fd, message,strlen(message));
>  printf("just sent %s\n",message);
>  tsec=time(NULL);
>  while(time(NULL)-tsec<1);
>
>  bufptr = buffer;
>  buffer[0]='\0';
>  while ((nbytes = read(fd, bufptr, bufptr-buffer + sizeof(buffer)-1))
> >
> 0)
>  {
>   bufptr += nbytes;
>   if (bufptr[-1] == '\n' || bufptr[-1] == '\r')
>    { printf("break\n");break;}
>  }
>  if (buffer!=bufptr){
>    *(bufptr) = '\0';
>    printf("got back - %s\n",buffer);
>  }
>     }
>     close(fd);
> }
>
>
> -
> To unsubscribe from this list: send the line "unsubscribe
> linux-serial" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> *** eSafe scanned this email for malicious content ***
> *** IMPORTANT: Do not open attachments from unrecognized senders  ***
>

RE: Newbie problem

[Ed Vance]

Hi Karuv,

Is it not RS-232 interface? RS-485/422 2-wire will do this because the
transmit and receive pairs are the same pair.

Regards,
Ed

---------------------------------------------------------------- 
Ed Vance              edv@macrolink.com
Macrolink, Inc.       1500 N. Kellogg Dr  Anaheim, CA  92807
----------------------------------------------------------------

-----Original Message-----
From: Bahadir Karuv [mailto:bahkar@bcacademies.bergen.org]
Sent: Thursday, April 25, 2002 10:12 AM
To: Ed Vance; linux-serial@vger.kernel.org
Subject: Re: Newbie problem


Hi Ed,

Thanks for the speedy response. I thought the same but the first
computer keeps getting whatever it is sending ("Hello") eventhough the
serial cable is disconnected. The program I sent is running on the first
computer.

Thanks again and regards,

Karuv

Ed Vance wrote:

> Hi,
>
> My guess is that the second computer has "echo" enabled so all
> characters
> received are echoed back to the other end. I see you turn echo off in
> the
> program. I am assuming that the program is only running on the first
> computer.
>
> Regards,
> Ed
>
> ----------------------------------------------------------------
> Ed Vance              edv@macrolink.com
> Macrolink, Inc.       1500 N. Kellogg Dr  Anaheim, CA  92807
> ----------------------------------------------------------------
>
> -----Original Message-----
> From: Bahadir Karuv [mailto:bahkar@bcacademies.bergen.org]
> Sent: Thursday, April 25, 2002 8:59 AM
> To: linux-serial@vger.kernel.org
> Subject: Newbie problem
>
> Hello All,
>
> I am trying to have to computers communicate over the serial port.
> The program below is modified from "Serial Programming Guide for Posix
>
> operating Systems"
> I am geting the following output when I send "Testing123" over the
> serial port from the second computer
>
> opened 3
> just sent Hello
> got back - Hello
> just sent Hello
> got back - HelloTesting123
> just sent Hello
> got back - Hello
>
> First computer is getting the string echoed back to itself after it
> sends "Hello".
>
> What am I doing wrong?
>
> Thanks and regards!
>
>
>
> #include <stdio.h>
> #include <unistd.h>
> #include <fcntl.h>
> #include <termios.h>
> #include <string.h>
>
> int main(void)   /* Serial port */
>        {
>  time_t tsec;
>  int fd;
>  struct termios options;
>  char buffer[255];
>  char *bufptr;
>  int  nbytes;
>  char *message="Hello";
>
>  /* open the port */
>  fd = open("/dev/ttyS0", O_RDWR | O_NOCTTY | O_NDELAY);
>  //fcntl(fd, F_SETFL, FNDELAY);
>  printf("opened %u\n",fd);
>  /* options */
>  tcgetattr(fd, &options);
>  options.c_cflag     |= (CLOCAL | CREAD);
>  options.c_lflag     &= ~(ICANON | ECHO | ECHOE | ISIG);
>  options.c_oflag     &= ~OPOST;
>  options.c_cc[VMIN]  = 0;
>  options.c_cc[VTIME] = 10;
>  tcsetattr(fd, TCSANOW, &options);
>  /* read characters into our string buffer until CR or NL */
>  while(1){
>  write(fd, message,strlen(message));
>  printf("just sent %s\n",message);
>  tsec=time(NULL);
>  while(time(NULL)-tsec<1);
>
>  bufptr = buffer;
>  buffer[0]='\0';
>  while ((nbytes = read(fd, bufptr, bufptr-buffer + sizeof(buffer)-1))
> >
> 0)
>  {
>   bufptr += nbytes;
>   if (bufptr[-1] == '\n' || bufptr[-1] == '\r')
>    { printf("break\n");break;}
>  }
>  if (buffer!=bufptr){
>    *(bufptr) = '\0';
>    printf("got back - %s\n",buffer);
>  }
>     }
>     close(fd);
> }
>
>
> -
> To unsubscribe from this list: send the line "unsubscribe
> linux-serial" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> *** eSafe scanned this email for malicious content ***
> *** IMPORTANT: Do not open attachments from unrecognized senders  ***
>

Re: Newbie problem

[Bahadir Karuv]

Hi Ed,

Thanks again for replying, I was wearing the mouse button, clicking New
Msg icon.
It is RS232,  Dell Optiplex COM1.
Best regards.

Karuv

Ed Vance wrote:

> Hi Karuv,
>
> Is it not RS-232 interface? RS-485/422 2-wire will do this because the
>
> transmit and receive pairs are the same pair.
>
> Regards,
> Ed
>
> ----------------------------------------------------------------
> Ed Vance              edv@macrolink.com
> Macrolink, Inc.       1500 N. Kellogg Dr  Anaheim, CA  92807
> ----------------------------------------------------------------
>
> -----Original Message-----
> From: Bahadir Karuv [mailto:bahkar@bcacademies.bergen.org]
> Sent: Thursday, April 25, 2002 10:12 AM
> To: Ed Vance; linux-serial@vger.kernel.org
> Subject: Re: Newbie problem
>
> Hi Ed,
>
> Thanks for the speedy response. I thought the same but the first
> computer keeps getting whatever it is sending ("Hello") eventhough the
>
> serial cable is disconnected. The program I sent is running on the
> first
> computer.
>
> Thanks again and regards,
>
> Karuv
>
> Ed Vance wrote:
>
> > Hi,
> >
> > My guess is that the second computer has "echo" enabled so all
> > characters
> > received are echoed back to the other end. I see you turn echo off
> in
> > the
> > program. I am assuming that the program is only running on the first
>
> > computer.
> >
> > Regards,
> > Ed
> >
> > ----------------------------------------------------------------
> > Ed Vance              edv@macrolink.com
> > Macrolink, Inc.       1500 N. Kellogg Dr  Anaheim, CA  92807
> > ----------------------------------------------------------------
> >
> > -----Original Message-----
> > From: Bahadir Karuv [mailto:bahkar@bcacademies.bergen.org]
> > Sent: Thursday, April 25, 2002 8:59 AM
> > To: linux-serial@vger.kernel.org
> > Subject: Newbie problem
> >
> > Hello All,
> >
> > I am trying to have to computers communicate over the serial port.
> > The program below is modified from "Serial Programming Guide for
> Posix
> >
> > operating Systems"
> > I am geting the following output when I send "Testing123" over the
> > serial port from the second computer
> >
> > opened 3
> > just sent Hello
> > got back - Hello
> > just sent Hello
> > got back - HelloTesting123
> > just sent Hello
> > got back - Hello
> >
> > First computer is getting the string echoed back to itself after it
> > sends "Hello".
> >
> > What am I doing wrong?
> >
> > Thanks and regards!
> >
> >
> >
> > #include <stdio.h>
> > #include <unistd.h>
> > #include <fcntl.h>
> > #include <termios.h>
> > #include <string.h>
> >
> > int main(void)   /* Serial port */
> >        {
> >  time_t tsec;
> >  int fd;
> >  struct termios options;
> >  char buffer[255];
> >  char *bufptr;
> >  int  nbytes;
> >  char *message="Hello";
> >
> >  /* open the port */
> >  fd = open("/dev/ttyS0", O_RDWR | O_NOCTTY | O_NDELAY);
> >  //fcntl(fd, F_SETFL, FNDELAY);
> >  printf("opened %u\n",fd);
> >  /* options */
> >  tcgetattr(fd, &options);
> >  options.c_cflag     |= (CLOCAL | CREAD);
> >  options.c_lflag     &= ~(ICANON | ECHO | ECHOE | ISIG);
> >  options.c_oflag     &= ~OPOST;
> >  options.c_cc[VMIN]  = 0;
> >  options.c_cc[VTIME] = 10;
> >  tcsetattr(fd, TCSANOW, &options);
> >  /* read characters into our string buffer until CR or NL */
> >  while(1){
> >  write(fd, message,strlen(message));
> >  printf("just sent %s\n",message);
> >  tsec=time(NULL);
> >  while(time(NULL)-tsec<1);
> >
> >  bufptr = buffer;
> >  buffer[0]='\0';
> >  while ((nbytes = read(fd, bufptr, bufptr-buffer +
> sizeof(buffer)-1))
> > >
> > 0)
> >  {
> >   bufptr += nbytes;
> >   if (bufptr[-1] == '\n' || bufptr[-1] == '\r')
> >    { printf("break\n");break;}
> >  }
> >  if (buffer!=bufptr){
> >    *(bufptr) = '\0';
> >    printf("got back - %s\n",buffer);
> >  }
> >     }
> >     close(fd);
> > }
> >
> >
> > -
> > To unsubscribe from this list: send the line "unsubscribe
> > linux-serial" in
> > the body of a message to majordomo@vger.kernel.org
> > More majordomo info at  http://vger.kernel.org/majordomo-info.html
> > *** eSafe scanned this email for malicious content ***
> > *** IMPORTANT: Do not open attachments from unrecognized senders
> ***
> >
> *** eSafe scanned this email for malicious content ***
> *** IMPORTANT: Do not open attachments from unrecognized senders  ***
>

newbie problem

[Chris Barnes]

[-- Attachment #1: Type: text/plain, Size: 877 bytes --]

hi people i'm new to the list.

anyway, I have a very simple firewall on a web server. I want to deny
access to everything except the web server (port 80)

i have set the poilcy on all chains to drop and i have added a rule to
the input chain which says

iptables -A INPUT -p tcp --sport 80 -j ACCEPT

i've done it like this because the web server has 2 interfaces (eth0 and
eth1) which i would like to have access to the server (eth0 is local
10.3.2.0/24 and eth1 is external)

i also made a rule for output

iptables -A OUTPUT -p tcp -j ACCEPT

the problem is that nothing can get to the web server...the packets are
being dropped...i checked the counters and none of the rules counted any
packets or bytes so the packets are being dropped before the rules.

what am i doing wrong or what is a better way to do this?

thanks heaps for your help.



[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: newbie problem

[Joel Newkirk]

On Monday 17 February 2003 02:43 am, Chris Barnes wrote:
> hi people i'm new to the list.
>
> anyway, I have a very simple firewall on a web server. I want to deny
> access to everything except the web server (port 80)
>
> i have set the poilcy on all chains to drop and i have added a rule to
> the input chain which says
>
> iptables -A INPUT -p tcp --sport 80 -j ACCEPT

> iptables -A OUTPUT -p tcp -j ACCEPT

> what am i doing wrong or what is a better way to do this?
>
> thanks heaps for your help.

You have to accept connections TO port 80, not FROM port 80...

Try these:

iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

They will allow clients to connect and retrieve http documents, as well 
as allowing the very useful ICMP controls like source_quench 
fragmentation control and such that really make web browsing work 
properly, but no other communication in OR out is allowed by these 
rules.  (assuming DROP policy on OUTPUT)  Add appropriate ACCEPT rules 
to OUTPUT if the server needs to initiate connections for some reason.

j

Re: newbie problem

[Ralf Spenneberg]

Am Mon, 2003-02-17 um 08.43 schrieb Chris Barnes:
> hi people i'm new to the list.
> 
> anyway, I have a very simple firewall on a web server. I want to deny
> access to everything except the web server (port 80)
> 
> i have set the poilcy on all chains to drop and i have added a rule to
> the input chain which says
> 
> iptables -A INPUT -p tcp --sport 80 -j ACCEPT
> 
It is --dport 80 if you want to allow packet with the destination port
80 to reach your webserver.

By the way, i hope you have not set PREROUTING and POSTROUTING to DROP,
do you?


Cheers,

Ralf
 
-- 
Ralf Spenneberg
UNIX/Linux Trainer and Consultant, RHCE, RHCX
Waldring 34				48565 Steinfurt		Germany
Fon: +49(0)2552 638 755			Fax: +49(0)2552 638 757
Mobil: +49(0)177 567 27 40		

Markt+Technik Buch:                     Intrusion Detection für Linux
Server
IPsec/PPTP Kernels for Red Hat Linux:  
http://www.spenneberg.com/.net/.org/.de
Honeynet Project Mirror:                http://honeynet.spenneberg.org
Snort Mirror:                           http://snort.spenneberg.org

RE: newbie problem

[Eugene Joubert]

[-- Attachment #1: Type: text/plain, Size: 1528 bytes --]

Is your webserver on your firewall?

Also your rule for port 80....you're source port is wrong. Remember if I
were to access your webpage on your server I will be coming in with a source
port that my OS has given me. So instead of source port change it to
destination port cause that is were you request is going?

Also I would suggest moving your webserver to another server behind your
firewall.
Just my 5 cents.

PS:
You could also set your OUTPUT Policy to default ACCEPT, but if your really
paranoid then just make it DROP



-----Original Message-----
From: Chris Barnes [mailto:runtimeerror@bigpond.com] 
Sent: 17 02 2003 09:43 AM
To: Netfilter
Subject: newbie problem


hi people i'm new to the list.

anyway, I have a very simple firewall on a web server. I want to deny access
to everything except the web server (port 80)

i have set the poilcy on all chains to drop and i have added a rule to the
input chain which says

iptables -A INPUT -p tcp --sport 80 -j ACCEPT

i've done it like this because the web server has 2 interfaces (eth0 and
eth1) which i would like to have access to the server (eth0 is local
10.3.2.0/24 and eth1 is external)

i also made a rule for output

iptables -A OUTPUT -p tcp -j ACCEPT

the problem is that nothing can get to the web server...the packets are
being dropped...i checked the counters and none of the rules counted any
packets or bytes so the packets are being dropped before the rules.

what am i doing wrong or what is a better way to do this?

thanks heaps for your help.



[-- Attachment #2: Type: text/html, Size: 2511 bytes --]

Re: newbie problem

[Ralf Spenneberg]

Am Mon, 2003-02-17 um 08.43 schrieb Chris Barnes:
> hi people i'm new to the list.
> 
> anyway, I have a very simple firewall on a web server. I want to deny
> access to everything except the web server (port 80)
> 
> i have set the poilcy on all chains to drop and i have added a rule to
> the input chain which says
> 
> iptables -A INPUT -p tcp --sport 80 -j ACCEPT
> 
It is --dport 80 if you want to allow packet with the destination port
80 to reach your webserver.

By the way, i hope you have not set PREROUTING and POSTROUTING to DROP,
do you?


Cheers,

Ralf
 
-- 
Ralf Spenneberg
UNIX/Linux Trainer and Consultant, RHCE, RHCX
Waldring 34				48565 Steinfurt		Germany
Fon: +49(0)2552 638 755			Fax: +49(0)2552 638 757
Mobil: +49(0)177 567 27 40		

Markt+Technik Buch:                     Intrusion Detection für Linux
Server
IPsec/PPTP Kernels for Red Hat Linux:  
http://www.spenneberg.com/.net/.org/.de
Honeynet Project Mirror:                http://honeynet.spenneberg.org
Snort Mirror:                           http://snort.spenneberg.org
-- 
Ralf Spenneberg
RHCE, RHCX

IPsec/PPTP Kernels for Red Hat Linux:  
http://www.spenneberg.com/.net/.org/.de
Honeynet Project Mirror:                http://honeynet.spenneberg.org
Snort Mirror:                           http://snort.spenneberg.org

Re: newbie problem

[Ralf Spenneberg]

Am Mon, 2003-02-17 um 11.26 schrieb Chris Barnes:
> On Mon, 2003-02-17 at 19:20, Ralf Spenneberg wrote:
> 
> > > 
> ahhh man that was so simple! i should have seen that! thanks heaps for
> pointing it out.
> 
> > By the way, i hope you have not set PREROUTING and POSTROUTING to DROP,
> > do you?
> > 
> 
> PREROUTING and POSTROUTING?? do you mean INPUT and OUTPUT??
> the INPUT,FORWARD,and OUTPUT chains are all set to DROP
> 
If you do not know about PREROUTING and POSTROUTING yet, don't worry and
read up on those. They are needed for NAT and Mangling.

Cheers,

Ralf
-- 
Ralf Spenneberg
RHCE, RHCX

IPsec/PPTP Kernels for Red Hat Linux:  
http://www.spenneberg.com/.net/.org/.de
Honeynet Project Mirror:                http://honeynet.spenneberg.org
Snort Mirror:                           http://snort.spenneberg.org

Re: newbie problem

[Chris Barnes]

[-- Attachment #1: Type: text/plain, Size: 991 bytes --]

On Mon, 2003-02-17 at 19:09, Joel Newkirk wrote:
> 
> You have to accept connections TO port 80, not FROM port 80...
> 
> Try these:
> 
> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> They will allow clients to connect and retrieve http documents, as well 
> as allowing the very useful ICMP controls like source_quench 
> fragmentation control and such that really make web browsing work 
> properly, but no other communication in OR out is allowed by these 
> rules.  (assuming DROP policy on OUTPUT)  Add appropriate ACCEPT rules 
> to OUTPUT if the server needs to initiate connections for some reason.
> 

source_quench (sounds like a fruit juice drink :p ) and all that is
really important? hmm, i had no idea such things existed (excuse my
ignorance..newbie here).

I'll make sure i add those rules...

thanks heaps.


[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

RE: newbie problem

[Chris Barnes]

[-- Attachment #1: Type: text/plain, Size: 825 bytes --]

On Mon, 2003-02-17 at 19:49, Eugene Joubert wrote:
> Is your webserver on your firewall?
> 
> Also I would suggest moving your webserver to another server behind your
> firewall.
> Just my 5 cents.

The firewall is on the web server yes. Future plans dictate that we will
be purchasing new machines for a dedicated firewall and web server, etc
but right now we have to make do with 1 machine.


> 
> PS:
> You could also set your OUTPUT Policy to default ACCEPT, but if your really
> paranoid then just make it DROP
> 

Its is set to DROP because i am paranoid :) I'm so paranoid i was hoping
to get away with just the 2 rules in the table, one for web in and one
for web out but as Joel Newkirk pointed out i need to allow some other
"related" packets to traverse as well.

thanks for your help :)


[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: newbie problem

[Eric Constantineau]

Is the web server on the same machine that is firewalling or is it behind ?
If it is behind, set it on FORWARD instead of INPUT...

The INPUT chain is for traffic entering the firewall machine itself, OUTPUT
chain is for the packets coming from the firewall machine and FORWARD is for
all other packets passing throught firewall...

Eric


Ralf Spenneberg wrote:

> Am Mon, 2003-02-17 um 08.43 schrieb Chris Barnes:
> > hi people i'm new to the list.
> >
> > anyway, I have a very simple firewall on a web server. I want to deny
> > access to everything except the web server (port 80)
> >
> > i have set the poilcy on all chains to drop and i have added a rule to
> > the input chain which says
> >
> > iptables -A INPUT -p tcp --sport 80 -j ACCEPT
> >
> It is --dport 80 if you want to allow packet with the destination port
> 80 to reach your webserver.
>
> By the way, i hope you have not set PREROUTING and POSTROUTING to DROP,
> do you?
>
> Cheers,
>
> Ralf
>
> --
> Ralf Spenneberg
> UNIX/Linux Trainer and Consultant, RHCE, RHCX
> Waldring 34                             48565 Steinfurt         Germany
> Fon: +49(0)2552 638 755                 Fax: +49(0)2552 638 757
> Mobil: +49(0)177 567 27 40
>
> Markt+Technik Buch:                     Intrusion Detection für Linux
> Server
> IPsec/PPTP Kernels for Red Hat Linux:
> http://www.spenneberg.com/.net/.org/.de
> Honeynet Project Mirror:                http://honeynet.spenneberg.org
> Snort Mirror:                           http://snort.spenneberg.org

Newbie problem

[Insitu]

Hello, 
I am new to git and gave it a try to version my home dir and
synchronize it between two machines. It works but I think I did some
mistakes in my setup which make its usability non optimal: 
 - push/pull operations need remote address
 - I didn't set up any branch

Here is what I did (lap is for operations on laptop, pc on desktop):
lap> git init
lap> git add ...
lap> git commit ...
lap> scp .git pc:
lap> mv .git git-init
pc> git checkout .
pc> git commit ...
lap> git clone  -n --bare --reference git-init/  ssh://pc/~/.git
lap> git checkout .
lap> git add ...
lap> git commit

Now, I want to be able to do:
lap> git push
or
lap> git pull

instead of 
lap> git push ssh://pc/~/.git

I think I need to reconfigure my remote branches/origin on laptop but
don't want ot break everything.

Help appreciated,
-- 
OQube < software engineering \ génie logiciel >
Arnaud Bailly, Dr.
\web> http://www.oqube.com

Re: Newbie problem

[Junio C Hamano]

Insitu <abailly@oqube.com> writes:

> Now, I want to be able to do:
> lap> git push
> or
> lap> git pull
>
> instead of 
> lap> git push ssh://pc/~/.git
>
> I think I need to reconfigure my remote branches/origin on laptop but
> don't want ot break everything.

The necessary syntax and configuration files are all documented
fairly detailed in the manual pages, but it is a tad hard to
know where to look:

    http://www.kernel.org/pub/software/scm/git/docs/git-fetch.html
    http://www.kernel.org/pub/software/scm/git/docs/git-push.html
    http://www.kernel.org/pub/software/scm/git/docs/git-config.html

If you use recent enough git (post 1.5.0), the recommended way
to keep two boxes in sync is:

On mothership box, in .git/config:

 [remote "origin"]
     url = satellite:.git/
     fetch = +refs/heads/*:refs/remotes/origin/*
     push = refs/heads/*:refs/remotes/origin/*
 [branch "master"]
     remote = origin
     merge = refs/heads/master

On satellite laptop, in .git/config:

 [remote "origin"]
     url = mothership:.git/
     fetch = +refs/heads/*:refs/remotes/origin/*
     push = refs/heads/*:refs/remotes/origin/*
 [branch "master"]
     remote = origin
     merge = refs/heads/master

Then, whenever you start working on the satellite:

	$ git pull

which, while you are on "master" branch, would use 'origin' as
the default remote (thanks to branch.master.remote configuration),
store the copy of mothership's branches in refs/remotes/origin/,
and merges the "master" branch obtained from the mothership to
your "master" branch on the satellite [*1*].  

When you are done working on the satellite:

	$ git push

will push to "origin" by default, which would push all your
branches (thanks to remote.origin.push configuration) to
mothership's refs/remotes/origin/.

When you go back to the mothership, your work done on the
satellite are already pushed into the refs/remote/origin/
tracking branches, so you can merge them in (you can do this
after shutting down your satellite laptop, which is the beauty
of this setup):

	$ git merge origin/master

to merge in the changes you did on the satellite.


[Footnote]

*1* If you prefer to keep a straight history, you may want to
    fetch+rebase instead of pull which is a fetch+merge, in
    which case this step will be:

	$ git fetch
        $ git rebase origin/master

Re: Newbie problem

[Insitu]

Junio C Hamano <gitster@pobox.com> writes:

>
>  [remote "origin"]
>      url = satellite:.git/
>      fetch = +refs/heads/*:refs/remotes/origin/*
>      push = refs/heads/*:refs/remotes/origin/*
>  [branch "master"]
>      remote = origin
>      merge = refs/heads/master
>
> On satellite laptop, in .git/config:
>
>  [remote "origin"]
>      url = mothership:.git/
>      fetch = +refs/heads/*:refs/remotes/origin/*
>      push = refs/heads/*:refs/remotes/origin/*
>  [branch "master"]
>      remote = origin
>      merge = refs/heads/master
>

Thanks a lot for all these details ! 

Yes, I also find Git very well
documented (maybe too much docuemented :) )  and could have come to
the settings with info from the various man pages. But much less
quickly of course.

My question is: can I do this right now that my repositories are up
and running ? 

Regards,
-- 
OQube < software engineering \ génie logiciel >
Arnaud Bailly, Dr.
\web> http://www.oqube.com