simple question

simple question

[Zyman, Andy]

Hello,
I'm trying to figure out why my SMC wireless card is not working.

so far this is my finding ( I should say I'm totally new to this , including
Linux ).
1. Cardbus cards are not handled by PCMCIA package ( kernel 2.4.18-14,
pcmcia 3.1.31 )
2. At the same time pcmcia is needed to be in the memory for hotplug events
to be recognized by kernel.

 Please any comment on this

3. Cardbus network cards ( ethernet and wireless ) trigger the pci.agent
with ethX parameter and <REGISTER> event.
	this basically calls ifup ethX 
	
Now why it calls ETHx, not wlan interface?

Any help even hammering my head against the wall - will help.

Thank You
 Andy


-------------------------------------------------------
This SF.Net email sponsored by: Free pre-built ASP.NET sites including
Data Reports, E-commerce, Portals, and Forums are available now.
Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01
_______________________________________________
Linux-hotplug-devel mailing list  http://linux-hotplug.sourceforge.net
Linux-hotplug-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-hotplug-devel

Re: simple question

[David Hinds]

On Thu, Jul 31, 2003 at 01:53:05PM -0400, Zyman, Andy wrote:
> Hello,
> I'm trying to figure out why my SMC wireless card is not working.

What model card, specifically?

> 1. Cardbus cards are not handled by PCMCIA package ( kernel 2.4.18-14,
> pcmcia 3.1.31 )

Cardbus cards are not managed by the kernel PCMCIA subsystem.  Some of
their setup is done by the PCMCIA subsystem, but then they are handed
off to the hotplug system.

> 2. At the same time pcmcia is needed to be in the memory for hotplug
> events to be recognized by kernel.

Err not exactly.  The PCMCIA subsystem is needed to handle setup of
the CardBus bridge device.  The hotplug subsystem is a separate and
independent part of the kernel, and generates hotplug events.  Both
are needed for a Cardbus card to be set up properly.

> 3. Cardbus network cards ( ethernet and wireless ) trigger the pci.agent
> with ethX parameter and <REGISTER> event.
> 	this basically calls ifup ethX 
> 	
> Now why it calls ETHx, not wlan interface?

Most wireless drivers call their devices ETHx too.  The "ifup" will be
for whatever the device is actually named.

Perhaps you should describe your problem more specifically (i.e., show
all relevant system log messages), then we can decide if this is the
appropriate forum for your question.

-- Dave


-------------------------------------------------------
This SF.Net email sponsored by: Free pre-built ASP.NET sites including
Data Reports, E-commerce, Portals, and Forums are available now.
Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01
_______________________________________________
Linux-hotplug-devel mailing list  http://linux-hotplug.sourceforge.net
Linux-hotplug-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-hotplug-devel

RE: simple question

[Zyman, Andy]

Dave,
thank you for response.

> On Thu, Jul 31, 2003 at 01:53:05PM -0400, Zyman, Andy wrote:
> > Hello,
> > I'm trying to figure out why my SMC wireless card is not working.
> What model card, specifically?

SMC2635W. I recently got drivers for it from SMC. And now trying to figure
how to make it work.

<skip>

> > 3. Cardbus network cards ( ethernet and wireless ) trigger 
> the pci.agent
> > with ethX parameter and <REGISTER> event.
> > 	this basically calls ifup ethX 
> > 	
> > Now why it calls ETHx, not wlan interface?
> 
> Most wireless drivers call their devices ETHx too.  The "ifup" will be
> for whatever the device is actually named.

tha nkyou again for explanation. Now is it possible to create ( and store )
different profiles so, for example, on work I'll have this card with this
params and at home the same card with diff. set?


> Perhaps you should describe your problem more specifically (i.e., show
> all relevant system log messages), then we can decide if this is the
> appropriate forum for your question.

the major problem for me right now is that card starting scanning channels
are crazy and .... I'll better give you an url, so you will have the logs
and full description.
http://www.linuxquestions.org/questions/showthread.php?s=&threadidv818&hig
hlight­M811

So it seems that wireless parameters are default... And this is not what i
want. So i guess i need to figure out how to change ( and first of all why
it is not taking /etc/pcmcia/wirelss.opt ?) the default params on it. 


I played with pcmcia - no results, so now I'm here and hope to get at least
some idea where should i look next.



-------------------------------------------------------
This SF.Net email sponsored by: Free pre-built ASP.NET sites including
Data Reports, E-commerce, Portals, and Forums are available now.
Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01
_______________________________________________
Linux-hotplug-devel mailing list  http://linux-hotplug.sourceforge.net
Linux-hotplug-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-hotplug-devel

Re: simple question

[David Hinds]

On Thu, Jul 31, 2003 at 04:41:59PM -0400, Zyman, Andy wrote:
>
> > What model card, specifically?
> 
> SMC2635W. I recently got drivers for it from SMC. And now trying to figure
> how to make it work.
> 
> thank you again for explanation. Now is it possible to create ( and
> store ) different profiles so, for example, on work I'll have this
> card with this params and at home the same card with diff. set?

This is a general network configuration question, not a hotplug
question, and is beyond the scope of this forum.  Perhaps your Linux
distribution provides tools for managing network profiles.

> the major problem for me right now is that card starting scanning
> channels are crazy and .... I'll better give you an url, so you will
> have the logs and full description.
> http://www.linuxquestions.org/questions/showthread.php?s=&threadidv818&hig
> hlight­M811

This is also not a hotplug problem; the appropriate driver got loaded
(i.e. hotplug did its job).  Your problem is specific to this wireless
driver and you'll have to either report the problem to SMC since
that's where you got the driver, or try to find someone on a wireless
forum who knows more about this driver.

> So it seems that wireless parameters are default... And this is not
> what i want. So i guess i need to figure out how to change ( and
> first of all why it is not taking /etc/pcmcia/wirelss.opt ?) the
> default params on it.

/etc/pcmcia/wireless.opts won't get used for Cardbus cards since they
are managed by the hotplug scripts.  Some distributions' network setup
tools are wireless-networking-aware and would allow you to set these
sorts of parameters so that when hotplug does "ifup eth0" the right
stuff gets done.

I suggest that you take your questions to a wireless networking list.

-- Dave


-------------------------------------------------------
This SF.Net email sponsored by: Free pre-built ASP.NET sites including
Data Reports, E-commerce, Portals, and Forums are available now.
Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01
_______________________________________________
Linux-hotplug-devel mailing list  http://linux-hotplug.sourceforge.net
Linux-hotplug-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-hotplug-devel

Re: simple question

[Joshua Schmidlkofer]

On Thu, 2003-07-31 at 10:53, Zyman, Andy wrote:
> Hello,
> I'm trying to figure out why my SMC wireless card is not working.
> 
> so far this is my finding ( I should say I'm totally new to this , including
> Linux ).
> 1. Cardbus cards are not handled by PCMCIA package ( kernel 2.4.18-14,
> pcmcia 3.1.31 )
> 2. At the same time pcmcia is needed to be in the memory for hotplug events
> to be recognized by kernel.
> 
>  Please any comment on this
> 
> 3. Cardbus network cards ( ethernet and wireless ) trigger the pci.agent
> with ethX parameter and <REGISTER> event.
> 	this basically calls ifup ethX 
> 	
> Now why it calls ETHx, not wlan interface?
> 
> Any help even hammering my head against the wall - will help.
> 
> Thank You
>  Andy
> 

I had the same problem, but in my case I was using a kernel w/o the
wireless extentions enabled, thus all my wifi card were coming through
as ethX.   Don't know if that helps.

thanks,
  joshua





-------------------------------------------------------
This SF.Net email sponsored by: Free pre-built ASP.NET sites including
Data Reports, E-commerce, Portals, and Forums are available now.
Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01
_______________________________________________
Linux-hotplug-devel mailing list  http://linux-hotplug.sourceforge.net
Linux-hotplug-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-hotplug-devel

Simple Question

[Jeff]

[-- Attachment #1: Type: text/plain, Size: 181 bytes --]

Hey,
My name is Jeff, just wondering if you'd like to exchange links with 
my area rug site? If so, please let me know and we can go from there. 
Thanks for your time.

Cheers,
Jeff

simple question

[Filka Michal]

Hi,

Can anyone tell me what exactly means an update event. Of course, I have
an idea, but I need to confirm it.

So, does it mean that "state" attribute changed (E.g. connection state,
counter, ... ), or is it related to a "configuration" attribute?

Thanks,

Michal Filka

RE: simple question

[Filka Michal]

I would like to somehow use conntrack's events for very simple
synchronization of two connection tracking tables. So, I need to know
what should be a reason for particular events. As far as I know there
are NEW, UPDATE and DESTROY events available. In case of UPDATE event
I'm not sure when it occurs ... So, when is UPDATE event issued?

Thanks,
Michal Filka


> 
> I'm assuming that "update" originates from the idea of a database
> trigger. A trigger is an action performed after another action occurs.
> For example, when entering a new record, you could call a procedure to
> error check the formatting of the entry. Another example might be to
> add a record to a log table which logs the activity which occurs after
> a record is updated.
> 
> I'd imagine that what you are talking about (update) is an event
> similar to a trigger. This means that the answer would depend on what
> the trigger is set for. Maybe it is when state is updated, or maybe it
> is when the configuration is updated. Maybe both.
> 
> I have no idea to what you are referring or asking about, so beyond
> what I have detailed above, I cannot give you an aswer.
> 
> Sorry.
> 
> On 5/22/07, Filka Michal <Michal.Filka@sitronicsts.com> wrote:
> > Hi,
> >
> > Can anyone tell me what exactly means an update event. Of course, I
have
> > an idea, but I need to confirm it.
> >
> > So, does it mean that "state" attribute changed (E.g. connection
state,
> > counter, ... ), or is it related to a "configuration" attribute?
> >
> > Thanks,
> >
> > Michal Filka
> >
> >
> >
> 
> 
> 
> --
> I thought about building you a boat to survive the river of tears I'm
> crying for you, but the world's smallest violins just aren't a
> reliable source of lumber, and that cross you're nailing yourself to
> seems buoyant enough anyways - Dr Gregory House, M.D.

simple question

[Nebojsa Trpkovic]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Do cores in dual-core Athlon64 CPUs change their frequency independent
one from another or they work at the equal clock all the time?

Thanks.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFEP/emqDH2e5UXzrQRAqDqAJ90/oomAJBujqJG0GCkJxRd8xnIcwCfSpoi
H7kNHvysSv7eS/7U6pA28SE=
=nwzU
-----END PGP SIGNATURE-----

Re: simple question

[Jacob Shin]

Two cores are tied together due to hardware design.

-Jacob Shin

On 4/14/06, Nebojsa Trpkovic <trxman@gmail.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Do cores in dual-core Athlon64 CPUs change their frequency independent
> one from another or they work at the equal clock all the time?
>
> Thanks.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2.2 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFEP/emqDH2e5UXzrQRAqDqAJ90/oomAJBujqJG0GCkJxRd8xnIcwCfSpoi
> H7kNHvysSv7eS/7U6pA28SE=
> =nwzU
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Cpufreq mailing list
> Cpufreq@lists.linux.org.uk
> http://lists.linux.org.uk/mailman/listinfo/cpufreq
>

simple question

[Niv]

Hay,

I read the udev HOWTO and I still dont understand why /dev/cdrom get a 
root:root permision.


I switched to RC_DEVICE_TARBALL="no" - so I guess I am a udev "pureist"


the line in /etc/udev/rules/50-udev.rules say:


# cdrom symlinks and other good cdrom naming

BUS="ide",    KERNEL="hd[a-z]", ACTION="add", IMPORT="/sbin/cdrom_id 
--export $tempnode"
BUS="scsi",    KERNEL="sr[0-9]*", ACTION="add", IMPORT="/sbin/cdrom_id 
--export $tempnode"
BUS="scsi",    KERNEL="scd[a-z]", ACTION="add", IMPORT="/sbin/cdrom_id 
--export $tempnode"
BUS="scsi",    KERNEL="sg[0-9]*", ACTION="add", DRIVER="sr", 
GROUP="cdrom"


#---  look here --


ENV{ID_CDROM}="?*",        SYMLINK+="cdrom%e", GROUP="cdrom"

ENV{ID_CDROM_CD_RW}="?*",    SYMLINK+="cdrw%e"
ENV{ID_CDROM_DVD}="?*",    SYMLINK+="dvd%e"
ENV{ID_CDROM_DVD_R}="?*",    SYMLINK+="dvdrw%e"


so I see GROUP="cdrom" - so It should be root:cdrom - right?


Niv




-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid\x103432&bid#0486&dat\x121642
_______________________________________________
Linux-hotplug-devel mailing list  http://linux-hotplug.sourceforge.net
Linux-hotplug-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-hotplug-devel

Re: simple question

[Greg KH]

On Sun, Feb 19, 2006 at 02:12:42AM +0200, Niv wrote:
> Hay,
> 
> I read the udev HOWTO and I still dont understand why /dev/cdrom get a 
> root:root permision.
> 
> 
> I switched to RC_DEVICE_TARBALL="no" - so I guess I am a udev "pureist"

I'm guessing that you are using gentoo?

If so, please file a bug in their bugzilla, as this is a distro specific
thing.

thanks,

greg k-h


-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid\x103432&bid#0486&dat\x121642
_______________________________________________
Linux-hotplug-devel mailing list  http://linux-hotplug.sourceforge.net
Linux-hotplug-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-hotplug-devel

Re: simple question

[Mark Rosenstand]

On 2/19/06, Niv <nivv@cs.bgu.ac.il> wrote:
> so I see GROUP="cdrom" - so It should be root:cdrom - right?

Are you sure you have a cdrom group?


-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://sel.as-us.falkag.net/sel?cmd_______________________________________________
Linux-hotplug-devel mailing list  http://linux-hotplug.sourceforge.net
Linux-hotplug-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-hotplug-devel

Re: simple question

[Niv]

$ fgrep cdrom /etc/group
cdrom:x:19:haldaemon,mythtv,niv

Mark Rosenstand wrote:

>On 2/19/06, Niv <nivv@cs.bgu.ac.il> wrote:
>  
>
>>so I see GROUP="cdrom" - so It should be root:cdrom - right?
>>    
>>
>
>Are you sure you have a cdrom group?
>
>
>-------------------------------------------------------
>This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
>for problems?  Stop!  Download the new AJAX search engine that makes
>searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
>http://sel.as-us.falkag.net/sel?cmd_______________________________________________
>Linux-hotplug-devel mailing list  http://linux-hotplug.sourceforge.net
>Linux-hotplug-devel@lists.sourceforge.net
>https://lists.sourceforge.net/lists/listinfo/linux-hotplug-devel
>  
>



-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid\x103432&bid#0486&dat\x121642
_______________________________________________
Linux-hotplug-devel mailing list  http://linux-hotplug.sourceforge.net
Linux-hotplug-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-hotplug-devel

Simple question.

[LWATCDR]

[-- Attachment #1: Type: text/plain, Size: 579 bytes --]

I am just starting to work with Alsa I compiled a test program from one of
the tutorials and I am getting this error message.
Unknown Error 126.
Does anyone know what error 126 is?
I am using "plughw:0,0" as the device name.
and this is the segment of code that generates the error.

for (i = 0; i < 10; ++i) {
if ((err = snd_pcm_writei (playback_handle, buf, 128)) != 128) {
    fprintf (stderr, "write to audio interface failed (%s)\n", snd_strerror
(err));
    exit (1);
    }
}


I am running Suse 9.3+kde 3.5

I hope this is the correct list to ask this.

[-- Attachment #2: Type: text/html, Size: 685 bytes --]

Re: Simple question.

[James Courtier-Dutton]

LWATCDR wrote:
> I am just starting to work with Alsa I compiled a test program from one of
> the tutorials and I am getting this error message.
> Unknown Error 126.
> Does anyone know what error 126 is?
> I am using "plughw:0,0" as the device name.
> and this is the segment of code that generates the error.
> 
> for (i = 0; i < 10; ++i) {
> if ((err = snd_pcm_writei (playback_handle, buf, 128)) != 128) {
>     fprintf (stderr, "write to audio interface failed (%s)\n", snd_strerror
> (err));
>     exit (1);
>     }
> }
> 
> 
> I am running Suse 9.3+kde 3.5
> 
> I hope this is the correct list to ask this.
> 

If the err > 0, it tells you how many frames were written to the sound 
card. As you can see here, 126 frames were written, probably due to 
sound card's hardware buffer being full.

James



-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click

simple question

[Ivan Georgiev]

Dear friends,

Please forgive me if I ask simple questions.
I read all of the tickets relevant to my hardware ( TYAN S2460 motherboard). 
In all of them you say that I have to enter first the BIOS to initialize the 
HM chips and then boot. But how I can continue without doing POST again?
I reboot and my w83781d is not initialized.

Please let me know how to do it.

Many thanks,

Ivan Georgiev

simple question

[Mark Studebaker]

sorry, don't know.
I suggest you write to the users referenced in the tickets.


Ivan Georgiev wrote:
> Dear friends,
> 
> Please forgive me if I ask simple questions.
> I read all of the tickets relevant to my hardware ( TYAN S2460 motherboard). 
> In all of them you say that I have to enter first the BIOS to initialize the 
> HM chips and then boot. But how I can continue without doing POST again?
> I reboot and my w83781d is not initialized.
> 
> Please let me know how to do it.
> 
> Many thanks,
> 
> Ivan Georgiev

Simple Question

[Craig H. Block]

Hello;

I have a really simple question.  I spent a fair amount of time looking
through the documentation, but could not find an answer.

Does LM_Sensors have an option to display temperature units in Fahrenheit
instead of Celsius?

Thanks,

  - Craig

Simple Question

[Jean Delvare]

> Does LM_Sensors have an option to display temperature units in
> Fahrenheit instead of Celsius?

Yes, it has. Try "sensors -f".

-- 
Jean Delvare
http://www.ensicaen.ismra.fr/~delvare/

simple question

[Askar]

hi list

        If I put  "iptables --policy FORWARD ACCEPT" , still I need a line i-e 

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

Regards

Askar
-- 
I love deadlines. I like the whooshing sound they make as they fly by.
Douglas Adams

Re: simple question

[Mohamed Eldesoky]

Yes or No, depends on your rules !!

On 4/27/05, Askar <askarali@gmail.com> wrote:
> hi list
> 
>         If I put  "iptables --policy FORWARD ACCEPT" , still I need a line i-e
> 
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> Regards
> 
> Askar
> --
> I love deadlines. I like the whooshing sound they make as they fly by.
> Douglas Adams
> 
> 


-- 
Mohamed Eldesoky
www.eldesoky.net
RHCE

Re: simple question

[Askar]

you mean if I have rules like

iptables -P FORWARD ACCEPT

iptables -A FORWARD -p tcp --dport 22 -j ACCEPT 

Then putting ESTABLISHED,RELATED thing will helps?
however why should I put ACCEPT rules in FORWARD when the default
policy for it is already to accept everything.

thanks and regards

Askar
On 4/27/05, Mohamed Eldesoky <eldesoky.lists@gmail.com> wrote:
> Yes or No, depends on your rules !!
> 
> On 4/27/05, Askar <askarali@gmail.com> wrote:
> > hi list
> >
> >         If I put  "iptables --policy FORWARD ACCEPT" , still I need a line i-e
> >
> > iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> >
> > Regards
> >
> > Askar
> > --
> > I love deadlines. I like the whooshing sound they make as they fly by.
> > Douglas Adams
> >
> >
> 
> --
> Mohamed Eldesoky
> www.eldesoky.net
> RHCE
> 


-- 
I love deadlines. I like the whooshing sound they make as they fly by.
Douglas Adams

Re: simple question

[Cedric Blancher]

Le mercredi 27 avril 2005 à 16:58 +0600, Askar a écrit :
> you mean if I have rules like
> iptables -P FORWARD ACCEPT

If you have this, then any ACCEPT rule will be useless. As simple as
this.


-- 
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!

Re: simple question

[Cedric Blancher]

Le mercredi 27 avril 2005 à 13:04 +0200, Cedric Blancher a écrit :
> If you have this, then any ACCEPT rule will be useless. As simple as
> this.

Well, not quite.
It is, except if you want to rely on DROP/ACCEPT combinations to make
exclusions and related stuff.


-- 
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!

Re: simple question

[Jason Opperisano]

On Wed, Apr 27, 2005 at 04:35:15PM +0600, Askar wrote:
> hi list
> 
>         If I put  "iptables --policy FORWARD ACCEPT" , still I need a line i-e 
> 
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

two thoughts:

1) if your last rule in the FORWARD chain is:

     iptables -A FORWARD -j DROP

   then your FORWARD chain POLICY will never be enforced, as all packets
   will be matched and dropped by the last rule.  the only reason i
   bring this up is that i keep seeing rule sets that do this:  POLICY
   set to ACCEPT and last rule set to DROP.

2) performance.  the *vast* majority of packets will match the "-m state
   --state ESTABLISHED,RELATED" rule.  putting it first in your built-in
   chains means that the vast majority of your packets will only have
   to traverse one rule before moving on.  relying on the chain POLICY
   to match these packets means these packets have to traverse *every*
   rule before moving on.  for large rule sets, this is just poor design.

final thought:  setting the default policy of your firewall to ACCEPT
isn't very good "firewalling," IMHO--but that's really more of
philosophical debate than a technical one.  no matter how permissive the
rules end up being, I always start with a default deny, and then allow
specific traffic.

-j

--
"Peter: You know, I oughta just give you some beer. Goes straight
 through you. 
 Stewie: Wonderful. And while we're at it, we can light up a doobie and
 watch porn. 
 Peter: Eh... yeah?"
        --Family Guy

Simple question

[Oriol Magrané]

[-- Attachment #1: Type: text/plain, Size: 341 bytes --]


    Hello!
    Just one question...
    I have a firewall with the INPUT, OUTPUT and FORWARD policies set to DROP, and now I want to allow connections from localhost to localhost (any port). Which chains are implied here? INPUT? OUTPUT? Both?
    How should the needed rule(s) be?

    Thank you very much in advance!

    Oriol


[-- Attachment #2: Type: text/html, Size: 1226 bytes --]

Re: Simple question

[Aleksandar Milivojevic]

Oriol Magrané wrote:
>  
>     Hello!
>     Just one question...
>     I have a firewall with the INPUT, OUTPUT and FORWARD policies set to 
> DROP, and now I want to allow connections from localhost to localhost 
> (any port). Which chains are implied here? INPUT? OUTPUT? Both?
>     How should the needed rule(s) be?

You'd need both INPUT and OUTPUT.  Just as if it was connection to 
remote system (just think what rules you would put on both local and 
remote system if it was remote connection, and than apply both sets of 
rules to local system, removing duplicates).

-- 
Aleksandar Milivojevic <amilivojevic@pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7

Re: Simple question

[Antony Stone]

On Wednesday 05 May 2004 4:27 pm, Oriol Magrané wrote:

>     Hello!
>     Just one question...
>     I have a firewall with the INPUT, OUTPUT and FORWARD policies set to
> DROP, and now I want to allow connections from localhost to localhost (any
> port). Which chains are implied here? INPUT? OUTPUT? Both? How should the
> needed rule(s) be?

Yes, you need to allow the packets out through OUTPUT, in through INPUT, and 
the interfaces will both be lo.

If in doubt, just add some LOGging rules and see what happens when you try to 
send packets.

Regards,

Antony.

-- 
Late in 1972 President Richard Nixon announced that the rate of increase of 
inflation was decreasing.   This was the first time a sitting president used 
a third derivative to advance his case for re-election.

 - Hugo Rossi, Notices of the American Mathematical Society

                                                     Please reply to the list;
                                                           please don't CC me.

Re: Simple question

[Martijn Lievaart]

Oriol Magrané wrote:

>
>     Hello!
>     Just one question...
>     I have a firewall with the INPUT, OUTPUT and FORWARD policies set
> to DROP, and now I want to allow connections from localhost to
> localhost (any port). Which chains are implied here? INPUT? OUTPUT? Both?
>     How should the needed rule(s) be?
>


This should do it:
-A INPUT -i lo -j ACCEPT
-A OUTPUT -i lo -j ACCEPT

HTH,
M4

Re: Simple question

[Antony Stone]

On Wednesday 05 May 2004 6:43 pm, Martijn Lievaart wrote:

> Oriol Magrané wrote:
> >     Hello!
> >     Just one question...
> >     I have a firewall with the INPUT, OUTPUT and FORWARD policies set
> > to DROP, and now I want to allow connections from localhost to
> > localhost (any port). Which chains are implied here? INPUT? OUTPUT? Both?
> >     How should the needed rule(s) be?
>
> This should do it:
> -A INPUT -i lo -j ACCEPT
> -A OUTPUT -i lo -j ACCEPT

Actually, I would suggest instead:

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

:)

Antony.

-- 
"When you talk about Linux versus Windows, you're talking about which 
operating system is the best value for money and fit for purpose. That's a 
very basic decision customers can make if they have the information available 
to them. Quite frankly if we lose to Linux because our customers say it's 
better value for money, tough luck for us."

 - Steve Vamos, MD of Microsoft Australia

                                                     Please reply to the list;
                                                           please don't CC me.

Simple question

[j.logsdon]

Hi

In general terms, what does SEL do that I can't do (even if more
complicated) by Access Control Lists?  If I can control the users and
groups that can access files (and these are all properly set) what
advantage do I have in running SEL?

I'm not being rude - just trying to understand the difference and to see
whether it is really necessary to run a bespoke kernel.

TIA

John


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Simple question

[Jesse Pollard]

On Wednesday 12 February 2003 12:32 pm, j.logsdon@lancaster.ac.uk wrote:
> Hi
>
> In general terms, what does SEL do that I can't do (even if more
> complicated) by Access Control Lists?  If I can control the users and
> groups that can access files (and these are all properly set) what
> advantage do I have in running SEL?

ACLs are under the control of the user. The user choses the other users that
may access the files that the user owns.

SELinux is under the control of the security administrator. This includes the
files that the user owns. Even if the user wants a specific other user to have
access to a file, if that user is not in a domain containing the other user 
(ie, both are in the same domain) then the other user still cannot access the 
file.

> I'm not being rude - just trying to understand the difference and to see
> whether it is really necessary to run a bespoke kernel.

The difference is in mandatory access vs descretionary access.

As far as the system files go, if all are carefully given approprate ACLs, 
then they can be protected. However, if the root accout is hacked, the files
are still vulnerable.

If a SELinux system is hacked, unless the hack itself contains an all powerful
label/domain, the hack still doesn't have access to all of the files.. Only 
those belonging to the domain of the hacked daemon.

Others may have more detailed/correct answers, but this should be the
lowest common denominator.

-- 
-------------------------------------------------------------------------
Jesse I Pollard, II
Email: pollard@navo.hpc.mil

Any opinions expressed are solely my own.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Simple question

[j.logsdon]

Thanks Jesse and Russell

You have explained a clear difference but presumably if the ACL for
setfacl etc are themselves restricted to root (or better another
privileged user) and/or they are moved from /usr/bin to /usr/sbin, there
is a another level of protection.  This doesn't protect you from a root
hacker of course, which is the key Unix weakness that SEL is trying to
eradicate.

So far I had the machine hanging from time to time which is probably
because of some inconsistency in the kernel options that I didn't
appreciate.  It's my fault I know but I can't afford that to happen on a
production system so if I can't fix it, at least I have a simple
alternative that does part of the job.  The issue of bind and dhcp as
examples won't come up - they are not needed fortunately but sendmail,
which is another candidate for hacking, and no doubt others will so there
will always be weaknesses.

As with all the moves in security, the ideal would be for them to be
incorporated into the official releases of the kernel but 2.5.x is already
getting pretty big and 2.6 when it is out (Q2/2k3?) will have so much more
in it that it's almost starting a new OS!

Obviously SEL is a much more sophisticated product and I may well go with
it but I am a little nervous at getting into deeper water than I am used
to!

Thanks again.

John

On Wed, 12 Feb 2003, Jesse Pollard wrote:

> On Wednesday 12 February 2003 12:32 pm, j.logsdon@lancaster.ac.uk wrote:
> > Hi
> >
> > In general terms, what does SEL do that I can't do (even if more
> > complicated) by Access Control Lists?  If I can control the users and
> > groups that can access files (and these are all properly set) what
> > advantage do I have in running SEL?
> 
> ACLs are under the control of the user. The user choses the other users that
> may access the files that the user owns.
> 
> SELinux is under the control of the security administrator. This includes the
> files that the user owns. Even if the user wants a specific other user to have
> access to a file, if that user is not in a domain containing the other user 
> (ie, both are in the same domain) then the other user still cannot access the 
> file.
> 
> > I'm not being rude - just trying to understand the difference and to see
> > whether it is really necessary to run a bespoke kernel.
> 
> The difference is in mandatory access vs descretionary access.
> 
> As far as the system files go, if all are carefully given approprate ACLs, 
> then they can be protected. However, if the root accout is hacked, the files
> are still vulnerable.
> 
> If a SELinux system is hacked, unless the hack itself contains an all powerful
> label/domain, the hack still doesn't have access to all of the files.. Only 
> those belonging to the domain of the hacked daemon.
> 
> Others may have more detailed/correct answers, but this should be the
> lowest common denominator.
> 
> -- 
> -------------------------------------------------------------------------
> Jesse I Pollard, II
> Email: pollard@navo.hpc.mil
> 
> Any opinions expressed are solely my own.
> 




--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Simple question

[Russell Coker]

On Wed, 12 Feb 2003 22:40, j.logsdon@lancaster.ac.uk wrote:
> You have explained a clear difference but presumably if the ACL for
> setfacl etc are themselves restricted to root (or better another
> privileged user) and/or they are moved from /usr/bin to /usr/sbin, there
> is a another level of protection.  This doesn't protect you from a root
> hacker of course, which is the key Unix weakness that SEL is trying to
> eradicate.

If someone breaks the full administrative level of any common configuration 
then they get everything.  However SE Linux is very configurable and can be 
configured for uncommon configurations where no-one is permitted to make any 
changes.

Also many things that would result in a successful "root hack" on an 
unprotected Linux machine will not get anywhere on SE Linux.

> The issue of bind and dhcp as
> examples won't come up - they are not needed fortunately but sendmail,
> which is another candidate for hacking, and no doubt others will so there
> will always be weaknesses.

Yes, Sendmail is one of the worst.  Then there's FTP servers (almost all FTP 
servers have a bad history), there's database servers, there's game servers, 
and many others.

> As with all the moves in security, the ideal would be for them to be
> incorporated into the official releases of the kernel but 2.5.x is already
> getting pretty big and 2.6 when it is out (Q2/2k3?) will have so much more
> in it that it's almost starting a new OS!

This is in progress in 2.5.  Best to see the LSM list for the details.

> Obviously SEL is a much more sophisticated product and I may well go with
> it but I am a little nervous at getting into deeper water than I am used
> to!

If you compile a kernel with CONFIG_SECURITY_SELINUX_DEVELOP enabled then you 
can switch it to "permissive mode" at any time if something breaks, and you 
can initially run with no enforcement and policy violations are only logged 
not enforced.

Then once you get into it you'll find that it's not so difficult.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Simple question

[Russell Coker]

On Wed, 12 Feb 2003 19:32, j.logsdon@lancaster.ac.uk wrote:
> In general terms, what does SEL do that I can't do (even if more
> complicated) by Access Control Lists?  If I can control the users and
> groups that can access files (and these are all properly set) what
> advantage do I have in running SEL?

Jesse's answer is a good one.

Here's a practical example.  BIND needs root access to bind() to port 53 and 
dhcpd needs root access to get raw network access.  On a default Linux system 
either of those programs can read and write every file on the system if they 
are compromised, and both of them have been compromised in the past...

With SE Linux dhcpd runs in domain dhcpd_t and BIND runs in named_t, these 
domains offer very limited access to the system, they can't kill user 
processes, they can't access home directories, they can't read /etc/shadow, 
etc.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Simple question

[Howard Holm]

In general terms it's difficult to respond in general terms.  One
problem is that "Access Control Lists" means different things to
different people.  Access control lists are a mechanism that could be
used for many of the same controls as SELinux, but typically ACLs are
different from SELinux in many ways.

Some differences between SELinux and what most people think of as ACLs:

1. ACLs are usually "discretionary" meaning that some user is allowed to
change them. SELinux controls are "mandatory" which means that the
policy is set administratively and the controls can't be changed by most
processes on the system.  In real-life terms that means that even if
relatively important processes are compromised the compromise can be
confined.

2. ACLs as most people use the term generally applies to filesystem
objects although it could apply to other system resources as well. 
SELinux controls are intended for all system resources, so for example,
signals generally wouldn't have separate ACLs (and that probably
wouldn't make sense either) but SELinux can control the delivery of
signals.

3. But what kind of control would you want on a file descriptor?  That
brings us to the point that SELinux has finer grained controls.  So
where ACLs are usually just read, write, execute, and delete, with
perhaps a few more options depending on the system you're discussing,
SELinux controls operations on resources specific to that resource. 
(Poor wording on my part, but hopefully understandable.) Additionally,
those controls are always in effect.

4. Another important factor is that SELinux can control access to system
resources (like files) based not just on user identity or credentials,
but on the security identifier of the process which was derived from a
combination of the user and the code the user ran.  Type enforcement
enables access control decisions to be based on such things as the
trustworthiness of the code that's running, and program function, as
well as the user identity.

In summary a good mandatory access control implementation will: 1) Have
an administratively set security policy. 2) Always be in control over
all subjects and objects on the system. 3) Base policy decisions on all
security relevant information.  Even a comprehensive access control list
implementation with administratively set ACLs is not going to be able to
meet the third.

On Wed, 2003-02-12 at 13:32, j.logsdon@lancaster.ac.uk wrote:
> Hi
> 
> In general terms, what does SEL do that I can't do (even if more
> complicated) by Access Control Lists?  If I can control the users and
> groups that can access files (and these are all properly set) what
> advantage do I have in running SEL?
> 
> I'm not being rude - just trying to understand the difference and to see
> whether it is really necessary to run a bespoke kernel.
> 
> TIA
> 
> John
> 
> 
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
> 
-- 
Howard Holm <hdholm@epoch.ncsc.mil>
Secure Systems Research Office
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.