| --- | Log | opened Wed Mar 16 00:00:21 2005 |
| 00:24 | --- | <<-- da-x [~karrde@bzq-79-251.red.bezeqint.net] has quit (Ping timeout: 480 seconds) |
| 00:39 | --- | ---> da-x [karrde@bzq-218-121-51.red.bezeqint.net] has joined #uml |
| 00:42 | --- | <<-- tierra [~tierra@dsl093-225-126.slc1.dsl.speakeasy.net] has quit (Quit: Everybody wants to go to heaven, but nobody wants to die.) |
| 01:12 | --- | <<-- orospakr [~orospakr@CPE0004762b7051-CM001225701f0e.cpe.net.cable.rogers.com] has quit (Quit: Leaving) |
| 01:12 | --- | ---> orospakr [~orospakr@CPE0004762b7051-CM001225701f0e.cpe.net.cable.rogers.com] has joined #uml |
| 01:22 | --- | ---> Fidget007 [~rpage@adsl-214-114-38.gnv.bellsouth.net] has joined #uml |
| 01:37 | --- | <--- Newsome [~sorenson@byu-gw.customer.csolutions.net] has left #uml (Leaving) |
| 01:53 | --- | <<-- Rituraj [~rituraj@mail.pune.nevisnetworks.com] has quit (Quit: Download Gaim: http://gaim.sourceforge.net/) |
| 01:57 | --- | <<-- Aiken [~james@tooax7-242.dialup.optusnet.com.au] has quit (Quit: Leaving) |
| 02:50 | --- | <<-- david [~dcoulson@muffin.davidcoulson.net] has quit (Ping timeout: 480 seconds) |
| 03:12 | --- | <<-- DEac- [~deac@xdsl-213-196-200-108.netcologne.de] has quit (Read error: Operation timed out) |
| 03:22 | --- | ---> Newsome [~sorenson@byu-gw.customer.csolutions.net] has joined #uml |
| 03:27 | --- | ---> DEac- [~deac@xdsl-213-168-123-61.netcologne.de] has joined #uml |
| 03:39 | --- | ---> leighbb [~leigh@cpc5-heck1-4-0-cust190.hudd.cable.ntl.com] has joined #uml |
| 03:41 | --- | ---> Mephisto_ [~Mephisto@p54864517.dip.t-dialin.net] has joined #uml |
| 03:43 | --- | <<-- Mephisto [~Mephisto@p54864FE1.dip.t-dialin.net] has quit (Ping timeout: 481 seconds) |
| 03:51 | --- | <<-- pirlouit [~peter@duvel.drunkcoders.com] has quit (Remote host closed the connection) |
| 04:00 | --- | ---> lynx [~lynx@007.adsl252.bie05.lan.ch] has joined #uml |
| 04:00 | lynx | hello |
| 04:01 | lynx | is it a good idea to use kernel 2.6.8.1 for UML ? |
| 04:01 | lynx | it should be stable, right ? |
| 04:01 | lynx | I cannot compile it, asm-um/spinlock.h not found |
| 04:04 | Newsome | lynx: use 2.6.11 if possible |
| 04:04 | lynx | Newsome: I tried, but did not find uml patches |
| 04:05 | --- | <<-- tchan [~tchan@c-24-13-81-164.client.comcast.net] has quit (Ping timeout: 480 seconds) |
| 04:05 | Newsome | lynx: no patches needed for 2.6.11. They're in the vanilla kernel. |
| 04:05 | lynx | Newsome: ah ! |
| 04:05 | lynx | stupid me |
| 04:05 | lynx | simply arch=um ? |
| 04:05 | --- | ---> dunc [~dunc@gateway.ash.thebunker.net] has joined #uml |
| 04:05 | Newsome | there have been some big merges into the last several versions |
| 04:06 | Newsome | make xconfig ARCH=um |
| 04:06 | lynx | Newsome: yes, I remember |
| 04:06 | Newsome | make linux ARCH=um |
| 04:06 | lynx | hum... it's a bit early in the morning for me |
| 04:07 | Newsome | hmm, yeah. 2am here |
| 04:07 | lynx | :) |
| 04:08 | lynx | well 10am here |
| 04:08 | lynx | but still early |
| 04:08 | --- | ---> tchan [~tchan@c-24-13-81-164.client.comcast.net] has joined #uml |
| 04:11 | --- | <<-- leighbb [~leigh@cpc5-heck1-4-0-cust190.hudd.cable.ntl.com] has quit (Quit: Download Gaim: http://gaim.sourceforge.net/) |
| 04:22 | --- | <<-- dg [dgl@otherwize.co.uk] has quit (Ping timeout: 480 seconds) |
| 04:23 | --- | ---> loko-london_ [~rbrown@206.165.56.45] has joined #uml |
| 04:25 | --- | ---> dg [dgl@otherwize.co.uk] has joined #uml |
| 04:36 | lynx | problem: |
| 04:36 | lynx | LD .tmp_vmlinux1 |
| 04:36 | lynx | kernel/built-in.o(.text+0x7c44): In function `profile_tick': |
| 04:36 | lynx | kernel/profile.c:387: undefined reference to `profile_pc' |
| 04:36 | lynx | collect2: ld returned 1 exit status |
| 04:36 | lynx | KSYM .tmp_kallsyms1.S |
| 04:36 | lynx | nm: '.tmp_vmlinux1': No such file |
| 04:36 | lynx | make: *** [.tmp_kallsyms1.S] Error 139 |
| 04:36 | lynx | -- |
| 04:36 | lynx | any idea why ? |
| 04:37 | Newsome | haven't had that problem. maybe try turning off profiling, then see if the compile runs okay |
| 04:37 | lynx | it's 2.6.11.4 |
| 04:37 | lynx | Newsome: where can I turn off profiling ? |
| 04:40 | Newsome | nope, that doesn't look like it'll work. Looks like linux/kernel/profile.c is compiled in no matter what. |
| 04:41 | lynx | should I try an older kernel version ? |
| 04:41 | lynx | it's on a gentoo system |
| 04:41 | lynx | does this matter |
| 04:42 | lynx | ? |
| 04:42 | Newsome | not sure. I'm just using 2.6.11 here, without any problems. |
| 04:49 | Newsome | lynx: I just compiled 2.6.11.4 ARCH=um without any problems, so I'm not sure what sort of problem it is you're experiencing. |
| 04:58 | lynx | Newsome: I tried to compile it on a gentoo and on a debian system |
| 04:58 | lynx | Newsome: same problem |
| 04:59 | lynx | gcc version 3.3.5 |
| 04:59 | Newsome | gcc version 3.4.2 20041017 (Red Hat 3.4.2-6.fc3) |
| 05:00 | lynx | hum |
| 05:00 | lynx | thanks for testing |
| 05:02 | lynx | Newsome: should the standard configuration be ok ? just running menuconfig, save and exit ? |
| 05:05 | Newsome | should, but here's the config I used, just in case: http://uml.tuxrocks.com/tmp/config-2.6.11.4 |
| 05:06 | lynx | thanks :) |
| 05:09 | lynx | Newsome: 2.6.11.3 worked without a problem |
| 05:10 | Newsome | very odd |
| 05:11 | lynx | trying 2.6.11.4 with the same .config |
| 05:16 | lynx | hum... works |
| 05:16 | lynx | I must have messed up my config |
| 05:20 | --- | <<-- Newsome [~sorenson@byu-gw.customer.csolutions.net] has quit (Quit: Leaving) |
| 06:28 | --- | <<-- loko-london_ [~rbrown@206.165.56.45] has quit (Quit: Leaving) |
| 06:46 | --- | ---> loko-london_ [~rbrown@206.165.56.45] has joined #uml |
| 06:48 | --- | <<-- UML_ChanLog [~stats@ns.theshore.net] has quit (Remote host closed the connection) |
| 06:48 | --- | ---> VS_StatsLog [~stats@ns.theshore.net] has joined #uml |
| 06:49 | --- | <<-- VS_StatsLog [~stats@ns.theshore.net] has quit (Remote host closed the connection) |
| 06:49 | --- | ---> VS_ChanLog [~stats@ns.theshore.net] has joined #uml |
| 07:00 | --- | <<-- VS_ChanLog [~stats@ns.theshore.net] has quit (Remote host closed the connection) |
| 07:00 | --- | ---> VS_ChanLog [~stats@ns.theshore.net] has joined #uml |
| 07:47 | lynx | VFS: Cannot open root device "98:0" or unknown-block(98,0) |
| 07:57 | sikkh | device is not existant it seems |
| 07:57 | sikkh | you sure you enabled it in config? |
| 07:57 | lynx | I made the default config |
| 07:58 | lynx | make menuconfig, save and exit |
| 07:58 | lynx | do I need to make the ubd0 somewhere ? |
| 07:58 | sikkh | no, if it is enabled it should work; also make sure you have the file ubd0 refers to |
| 07:58 | linbot | ... but if it is the version number that we changed, don't worry about it, sikkh ... |
| 08:00 | lynx | hum.. what's the config option for this ubd0 ? |
| 08:04 | lynx | erm... you mean, CONFIG_BLK_DEV_UBD would help ? |
| 08:04 | lynx | stupid /me |
| 08:12 | caker | linbot: botsnack |
| 08:12 | linbot | thanks caker :) |
| 08:19 | lynx | ok, now the VFS is mounted :) but I don't get a login |
| 08:20 | lynx | do I have to disable xterm somewhere when I work over ssh ? |
| 08:31 | --- | Netsplit oxygen.oftc.net <-> xenon.oftc.net quits: Fidget007, Nem^, hfb, lynx, NemLappy^, schlumpf, loko-london_, acklen, tchan, loko-london |
| 08:32 | --- | <<-- qbot_ [~perlbot@64.142.109.130] has quit (Ping timeout: 480 seconds) |
| 08:32 | --- | <<-- flatronf700B [~flatronf7@ns1.clipsalportal.com] has quit (Ping timeout: 480 seconds) |
| 08:34 | --- | ---> qbot__ [~perlbot@64.142.109.130] has joined #uml |
| 08:34 | --- | Netsplit over, joins: Fidget007, loko-london_, loko-london, tchan, lynx, NemLappy^, Nem^, hfb, schlumpf, acklen |
| 08:35 | --- | Channel: services.oftc.net changed the topic of #uml to: Welcome to #UML - current releases: 2.4.27-um1 | 2.4.24-um1 (rock solid) | 2.6.9-bs5 | http://user-mode-linux.sf.net (Mainpage) | http://www.usermodelinux.org (communitypage) | http://www.user-mode-linux.org/~blaisorblade/ (SKAS/guest -bb and -bs patches) | http://uml.harlowhill.com/ (Wiki page for documentation) |
| 08:46 | --- | <<-- Tv [~Tv@hq.inoi.fi] has quit (Quit: Client exiting) |
| 08:56 | lynx | linux-2.6.11.4/linux [(Unknown)] |
| 08:57 | lynx | why is the process name not shown in a ps -ef on the host system ? |
| 08:57 | lynx | can this be enabled somewhere ? |
| 09:00 | --- | ---> Tv [~Tv@hq.inoi.fi] has joined #uml |
| 09:38 | --- | ---> Beirdo__ [~gjhurlbu@li11-45.members.linode.com] has joined #uml |
| 09:38 | --- | <<-- Beirdo__ [~gjhurlbu@li11-45.members.linode.com] has quit (Quit: ) |
| 09:44 | --- | <<-- hfb [~hfb@adsl-69-231-61-84.dsl.irvnca.pacbell.net] has quit (Quit: Client exiting) |
| 09:49 | --- | <<-- rus [~rghf@rus.demon.co.uk] has quit (Quit: JVDS.com - Woo r00t) |
| 09:50 | --- | <<-- Beirdo [~gjhurlbu@beirdo.usercloak.oftc.net] has quit (Quit: leaving) |
| 09:50 | --- | ---> Beirdo_ [~gjhurlbu@li11-45.members.linode.com] has joined #uml |
| 09:52 | --- | User: *** Beirdo_ is now known as Beirdo |
| 10:05 | --- | <<-- dunc [~dunc@gateway.ash.thebunker.net] has quit (Remote host closed the connection) |
| 10:11 | --- | ---> dunc [~dunc@gateway.ash.thebunker.net] has joined #uml |
| 10:24 | --- | ---> Basic [~Basic@gatekeeper.real-time.com] has joined #uml |
| 10:45 | --- | <<-- orospakr [~orospakr@CPE0004762b7051-CM001225701f0e.cpe.net.cable.rogers.com] has quit (Quit: Leaving) |
| 10:53 | --- | ---> hfb [~hfb@lsanca2-ar33-4-33-193-001.lsanca2.dsl-verizon.net] has joined #uml |
| 10:56 | --- | ---> timster [~chatzilla@ns2.santarosa.com] has joined #uml |
| 11:06 | --- | <<-- lynx [~lynx@007.adsl252.bie05.lan.ch] has quit (Quit: Leaving) |
| 11:14 | --- | ---> Newsome [~sorenson@byu-gw.customer.csolutions.net] has joined #uml |
| 11:17 | --- | ---> orospakr [~orospakr@ip-211.82.126.206.dsl-cust.ca.inter.net] has joined #uml |
| 11:18 | --- | ---> clava [~fieldofsu@host-84-222-129-13.cust-adsl.tiscali.it] has joined #uml |
| 11:39 | --- | <<-- tchan [~tchan@c-24-13-81-164.client.comcast.net] has quit (Quit: leaving) |
| 11:40 | --- | ---> tchan [~tchan@c-24-13-81-164.client.comcast.net] has joined #uml |
| 11:44 | --- | ---> tomimo [~kurre@a84-231-39-238.elisa-laajakaista.fi] has joined #uml |
| 11:59 | --- | ---> jdike [~jdike@pool-151-203-197-142.bos.east.verizon.net] has joined #uml |
| 11:59 | jdike | hi guys |
| 12:00 | timster | morning |
| 12:00 | Newsome | hey, jdike |
| 12:02 | mikegrb | timster: why do you follow me? |
| 12:02 | timster | you are following me! |
| 12:03 | mikegrb | :< |
| 12:03 | timster | :} |
| 12:18 | --- | <<-- Newsome [~sorenson@byu-gw.customer.csolutions.net] has quit (Quit: Leaving) |
| 12:21 | caker | jdike: hello |
| 12:21 | caker | jdike: what's shakin? |
| 12:26 | --- | <<-- Basic [~Basic@gatekeeper.real-time.com] has quit (Quit: Leaving) |
| 12:28 | --- | <<-- dunc [~dunc@gateway.ash.thebunker.net] has quit (Remote host closed the connection) |
| 12:34 | --- | ---> dunc [~dunc@gateway.ash.thebunker.net] has joined #uml |
| 12:41 | --- | ---> tutt [me@cpe-24-24-93-190.stny.res.rr.com] has joined #uml |
| 12:41 | tutt | i am wondering how to reset a root password in a UML? |
| 12:42 | --- | <<-- loko-london_ [~rbrown@206.165.56.45] has quit (Quit: Leaving) |
| 12:45 | tutt | anyone? |
| 12:50 | jdike | tutt: like any other Linux box |
| 12:50 | jdike | tutt: boot it single-user and change it there |
| 12:51 | tutt | how can i tell it to boot to single-user mode? i don't get any lilo or boot loader type of screen when it boots |
| 12:51 | tutt | it just starts booting and gives me no chance to signal it |
| 12:52 | tutt | is there some command option i need to send to it via the host machine when i initialize it? |
| 12:52 | jdike | tutt: 'single' or 'emergency' on the command line |
| 12:52 | jdike | tutt: or 'init=/bin/bash' |
| 12:53 | tutt | hmm.. |
| 12:53 | tutt | Enter new UNIX password: |
| 12:53 | tutt | Retype new UNIX password: |
| 12:53 | tutt | passwd: Authentication token lock busy |
| 12:53 | tutt | never seen that before |
| 12:54 | tutt | wtf does that mean? |
| 12:57 | --- | <<-- orospakr [~orospakr@ip-211.82.126.206.dsl-cust.ca.inter.net] has quit (Quit: Leaving) |
| 13:00 | --- | ---> orospakr [~orospakr@ip-211.82.126.206.dsl-cust.ca.inter.net] has joined #uml |
| 13:02 | tutt | ok just needed a mount -o rw,remount /dev/ubd/0 |
| 13:07 | --- | ---> leighbb [~leigh@cpc5-heck1-4-0-cust190.hudd.cable.ntl.com] has joined #uml |
| 13:07 | --- | ---> Newsome [~sorenson@obelix.cs.byu.edu] has joined #uml |
| 13:13 | --- | ---> tierra [~tierra@dsl093-225-126.slc1.dsl.speakeasy.net] has joined #uml |
| 13:23 | --- | ---> pirlouit [~peter@duvel.drunkcoders.com] has joined #uml |
| 13:37 | --- | <<-- tutt [me@cpe-24-24-93-190.stny.res.rr.com] has quit (Quit: ) |
| 13:38 | --- | <<-- dunc [~dunc@gateway.ash.thebunker.net] has quit (Remote host closed the connection) |
| 14:03 | --- | ---> tutt [me@cpe-24-24-93-190.stny.res.rr.com] has joined #uml |
| 14:04 | tutt | i am trying to set up a software firewall on the host machine to protect all of the umls.. i am finding that apf (advanced policy firewall - http://www.rfxnetworks.com/apf.php) does not seem to be providing protection to the UMLs.. any ideas why this might be? |
| 14:08 | tutt | will an iptables rule not work for tuntap devices or something? |
| 14:09 | Newsome | tutt: depends on how the UMLs are attached, and where you setup the iptables rules |
| 14:10 | tutt | Newsome: my iptables rules are set on the host machine and should deny access to all tcp ports except those i specifically allow |
| 14:10 | tutt | yet i can connect to the denied ports on the UMLs |
| 14:10 | Newsome | tutt: are the iptables rules set in the INPUT chain? |
| 14:11 | --- | ---> bodo [~bo@217.115.74.14] has joined #uml |
| 14:11 | bodo | Hi all |
| 14:11 | Newsome | welcome, bodo! |
| 14:12 | tutt | newsome: i don't believe so.. how can I tell? the rules are set by the firewall |
| 14:12 | bodo | Newsome: Hi Newsome :-) |
| 14:12 | tutt | iptables -L doesn't say anything about INPUT |
| 14:13 | Newsome | tutt: does iptables -L show the rules on FORWARD? |
| 14:13 | tutt | no |
| 14:14 | tutt | ok i'm an idiot.. the rules are on INPUT |
| 14:18 | tutt | and i have verified that it is indeed protecting the host machine, but definitely not the UML guests |
| 14:18 | Newsome | INPUT will only protect the host |
| 14:19 | tutt | ok, what should it use then? |
| 14:20 | Newsome | probably FORWARD, but it could depend on how your networking is set up |
| 14:20 | Newsome | INPUT only sees packets destined for the local machine |
| 14:21 | tutt | i have the virtual ethernet devices for the UMLs set up as tap devices |
| 14:21 | tutt | each gets their own IP and uses the host machine as the gateway |
| 14:30 | tutt | so would you think that the same rules on the FORWARD chain would work for the other IPs bound to the host machine? |
| 14:31 | Newsome | I would think so |
| 14:31 | Newsome | their network traffic would have to go through the FORWARD chain to get from the rest of the world to the UML's IP |
| 14:31 | tutt | ok i will give it a shot |
| 14:32 | tutt | i have to modify APF to do this somehow |
| 14:33 | tutt | and what about rules under the OUTPUT chain.. will they need to go somewhere else to affect the UMLs as well? |
| 14:33 | Newsome | probably |
| 14:34 | Newsome | the rules in OUTPUT only affect outgoing traffic from the host's IPs |
| 14:35 | tutt | i don't get why it doesn't consider the uml's IPs as also being the "host's IPs" because they are in fact bound to the host machine |
| 14:35 | tutt | but anyway, what would i move the OUTPUT rules to? |
| 14:36 | Newsome | did you have to "echo 1 > /proc/sys/net/ipv4/ip_forward" ? |
| 14:36 | tutt | yes i believe so |
| 14:37 | Newsome | I believe FORWARD is where you'll put any rules that might affect the UMLs |
| 14:37 | tutt | ok i am modifying APF now |
| 14:44 | tutt | and testing it now... |
| 14:46 | tutt | and... unfortunately, it seems to be blocking EVERYTHING to the UMLs now.. hmm |
| 14:49 | Newsome | rules you put into FORWARD will affect traffic both ways, so you'll probably need to make use of "-s <blah>" and "-d <blah>" |
| 14:50 | Newsome | you can split the traffic into FORWARD_IN and FORWARD_OUT that way |
| 14:50 | Newsome | just a thought |
| 14:52 | tutt | hmm |
| 14:52 | tutt | here if you don't mind.. take a look at the output of iptables -L now: |
| 14:52 | tutt | http://www.pastebin.com/258347 |
| 14:52 | tutt | i don't know if there is something better than pastebin.com.. it thinks it is php code but it is still readable :) |
| 14:53 | Newsome | pastebin is fine |
| 14:54 | tutt | i have a feeling some of the syntax it is using for the FORWARD chain doesn't work in the same way it did for the INPUT chain |
| 14:54 | Newsome | doesn't that first rule in FORWARD allow everything? |
| 14:54 | Newsome | "ACCEPT all -- anywhere anywhere" |
| 14:54 | tutt | that's what it would seem like to me, but it doesn't.. when that same rule was in INPUT, the firewall did still work for host server's base IP |
| 14:55 | tutt | i think that means it will accept unless otherwise dropped |
| 14:55 | tutt | and there are places where it says to drop everything (tcp) for example |
| 14:55 | Newsome | that's what the "Chain FORWARD (policy ACCEPT)" should do |
| 14:56 | tutt | hmm.. well it is purposely set by APF for one reason or another |
| 14:56 | Newsome | this looks fine, and should block all tcp 135: "DROP tcp -- anywhere anywhere tcp dpts:135:netbios" |
| 14:56 | tutt | in any case, it is not accepting everything because i can't connect to any port on the UMLs when this policy goes up |
| 14:57 | tutt | i can, however, connect to all ports on the host server's IP |
| 14:57 | Newsome | Looks like this is dropping everything: "LD all -- anywhere 0.0.0.0" |
| 14:57 | Newsome | are they showing up in the logs? |
| 14:58 | --- | ---> gorpon [~gorpon@adsl-69-226-1-158.dsl.pltn13.pacbell.net] has joined #uml |
| 14:58 | tutt | yes /var/log/messages |
| 14:59 | tutt | it is showing the DROPS |
| 14:59 | tutt | what line are you referring to? |
| 14:59 | Newsome | line 56 sends everything to LD |
| 14:59 | Newsome | LD starts on line 282, and logs everything, then DROPs it |
| 15:00 | tutt | ok is there some type of INPUT rule that could possibly cause this if the syntax is exactly the same and then changed to a FORWARD rule? |
| 15:00 | tutt | otherwise, what would it look like if i were to manually add that LD rule? |
| 15:01 | tutt | that way i can search for it specifically in APF's code |
| 15:02 | Newsome | that LD rule would probably look something like "-A FORWARD -j LD" or "-A FORWARD -d 0.0.0.0 -j LD" |
| 15:03 | tutt | ok i am seeing in the conf file: |
| 15:03 | tutt | # Create a new log and drop (LD) convenience chain. |
| 15:03 | tutt | $IPT -N LD |
| 15:03 | tutt | $IPT -A LD -j LOG |
| 15:03 | tutt | $IPT -A LD -j DROP |
| 15:04 | tutt | what do you think i should do with this? just comment it out or comment out the DROP or what? |
| 15:04 | Newsome | What you might want to do is to first split up the FORWARD traffic into FORWARD_IN and FORWARD_OUT...something like "iptables -A FORWARD -d <IP_RANGE_OF_UMLS> -j FORWARD_IN" and "iptables -A FORWARD -s <IP_RANGE_OF_UMLS> -j FORWARD_OUT" |
| 15:04 | Newsome | Then put all the rules attached to FORWARD_IN and FORWARD_OUT like they were with INPUT and OUTPUT |
| 15:05 | tutt | ok, so you are saying right now if it is dropping port 23523 traffic for example, it will be dropping it outgoing and incoming for the UMLs, correct? |
| 15:05 | tutt | and obviously that is no good |
| 15:05 | Newsome | right, unless you're specifying the IPs, it'll affect traffic in both directions |
| 15:06 | tutt | hmm that is going to be complicated |
| 15:06 | Newsome | or specifying the interfaces, for example (with "-i tap0") |
| 15:07 | --- | <<-- timster [~chatzilla@ns2.santarosa.com] has quit (Read error: Connection reset by peer) |
| 15:07 | tutt | ok i just got rid of that LD DROP part and that didn't help.. guess i will need to try what you are explaining |
| 15:08 | tutt | unless you simply know of an existing firewall package that will work to protect UMLs by default? |
| 15:08 | tutt | i may have to end up just installing the firewall individually on the UMLs themselves if this becomes too complicated |
| 15:08 | --- | ---> timster [~chatzilla@ns2.santarosa.com] has joined #uml |
| 15:10 | tutt | and do i want to make it -j FORWARD_IN or -A FORWARD_IN (replacing -A FORWARD) |
| 15:10 | tutt | because -j FORWARD_IN will replace -j ACCEPT and -j DROP for example |
| 15:11 | Newsome | when you're adding the rules back in, you'll add them with "-A FORWARD_IN" (rather than the INPUT they were originally) |
| 15:11 | tutt | ok so i am replacing every occurrence of FORWARD with FORWARD_IN, correct? |
| 15:11 | tutt | that makes things easier |
| 15:11 | Newsome | but you do need two rules in the FORWARD chain splitting the traffic out to FORWARD_IN and FORWARD_OUT |
| 15:12 | tutt | would i simply replace all INPUT chains with FORWARD_IN and all OUTPUT with FORWARD_OUT? |
| 15:12 | Newsome | yes, that should work |
| 15:12 | tutt | or do i need to make some other rule to specify what FORWARD_IN and FORWARD_OUT are |
| 15:12 | tutt | ok so anything that was -A OUTPUT will now be -A FORWARD_OUT and anything that was -A INPUT will now be -A FORWARD_IN, correct? |
| 15:12 | Newsome | then, you add the two rules to specify how to get from FORWARD to FORWARD_IN and FORWARD_OUT |
| 15:13 | Newsome | yes, that sounds right |
| 15:13 | tutt | ok, how do i add those two rules? |
| 15:13 | Newsome | "iptables -A FORWARD -d <IP_RANGE_OF_UMLS> -j FORWARD_IN" and "iptables -A FORWARD -s <IP_RANGE_OF_UMLS> -j FORWARD_OUT" |
| 15:14 | tutt | ok are you sure it is -j FORWARD_IN in that case? normally that is where the action goes like DROP or REJECT? |
| 15:15 | Newsome | meaning, in FORWARD, check the destination IPs, and send the packet to FORWARD_IN if they're to your UMLs, and check the source IPs, and send the packet to FORWARD_OUT if they're from your UMLs. |
| 15:15 | Newsome | DROP and REJECT are chains just like FORWARD_IN |
| 15:16 | tutt | ok i see |
| 15:16 | Newsome | they just don't do anything with the packet |
| 15:17 | tutt | ok for the ip range, can i separate by commas, can i use xxx.xxx.xxx.111-127 or do i need to use the /8 or /128 notation (i suck at that and never can figure it out) |
| 15:17 | Newsome | I'd use the / notation |
| 15:17 | Newsome | 111-127? |
| 15:17 | tutt | that was a random example |
| 15:18 | tutt | can i msg you the real IPs so you can tell me what the notation is? |
| 15:18 | | * Newsome searches for a subnet mask calculator |
| 15:18 | Newsome | sure, if you'd like |
| 15:20 | --- | ---> schlumpf2 [~schlumpf@dsl-084-056-165-229.arcor-ip.net] has joined #uml |
| 15:21 | tutt | i tried with just one IP and this is what i got: iptables v1.2.8: Couldn't load target `FORWARD_IN':/lib/iptables/libipt_FORWARD_IN.so: cannot open shared object file: No such file or directory |
| 15:21 | Newsome | try doing an "iptables -N FORWARD_IN" first |
| 15:22 | tutt | ok that works |
| 15:24 | --- | <<-- timster [~chatzilla@ns2.santarosa.com] has quit (Quit: ChatZilla 0.9.61 [Mozilla rv:1.7.3/20040910]) |
| 15:24 | tutt | ok i've got everything modified now as you said |
| 15:24 | tutt | when i try to start the firewall, i get a bunch of these: iptables: No chain/target/match by that name |
| 15:25 | tutt | so it is not finding the FORWARD_IN and FORWARD_OUT rules |
| 15:25 | Newsome | must be flushing them first |
| 15:25 | tutt | actually, i added the initializations to the perl files it uses |
| 15:25 | tutt | so i don't think it is flushing them |
| 15:25 | Newsome | try adding the -N FORWARD_IN and FORWARD_OUT rules into it as well |
| 15:25 | Newsome | hmm |
| 15:27 | --- | <<-- schlumpf [~schlumpf@dsl-084-056-153-174.arcor-ip.net] has quit (Ping timeout: 480 seconds) |
| 15:27 | tutt | ok |
| 15:27 | tutt | seems i added it in the script before the flush occurred |
| 15:27 | tutt | now it is working |
| 15:27 | tutt | let's test it! |
| 15:28 | tutt | woohoo i can connect to the UMLs |
| 15:28 | tutt | now let's see if the firewall is working to block certain ports... |
| 15:31 | tutt | ok, you ROCK |
| 15:31 | tutt | everything is working perfectly now |
| 15:31 | Newsome | glad it works! :) |
| 15:31 | Newsome | great |
| 15:31 | tutt | and i learned a whole bunch about iptables in the process |
| 15:31 | tutt | sweeeeeeeetttt |
| 15:32 | tutt | now if anyone ever needs APF working so that it protects all UMLs on a machine, i have it pre-modded to do that |
| 15:32 | tutt | thanks for all the time you spent helping my dumbass |
| 15:33 | Newsome | glad to help! |
| 15:33 | tutt | gonna go take a break.. i will cya later.. have a great day! |
| 15:33 | Newsome | wow, I'm next of kin to some Nigerian dude who died? amazing! |
| 15:35 | Newsome | must be important, since I just got 4 emails about it. |
| 15:38 | --- | <<-- DEac- [~deac@xdsl-213-168-123-61.netcologne.de] has quit (Read error: Operation timed out) |
| 15:40 | --- | <<-- orospakr [~orospakr@ip-211.82.126.206.dsl-cust.ca.inter.net] has quit (Quit: Leaving) |
| 15:53 | --- | ---> DEac- [~deac@xdsl-213-168-107-115.netcologne.de] has joined #uml |
| 16:02 | bodo | Bye |
| 16:02 | --- | <--- bodo [~bo@217.115.74.14] has left #uml (Leaving) |
| 16:30 | --- | ---> loko-london_ [rbrown@213.86.231.218] has joined #uml |
| 16:33 | --- | ---> orospakr [~orospakr@CPE0004762b7051-CM001225701f0e.cpe.net.cable.rogers.com] has joined #uml |
| 16:37 | --- | <<-- tutt [me@cpe-24-24-93-190.stny.res.rr.com] has quit (Quit: ) |
| 16:40 | --- | <<-- orospakr [~orospakr@CPE0004762b7051-CM001225701f0e.cpe.net.cable.rogers.com] has quit (Remote host closed the connection) |
| 16:43 | --- | ---> orospakr [~orospakr@CPE0004762b7051-CM001225701f0e.cpe.net.cable.rogers.com] has joined #uml |
| 17:00 | --- | <<-- schlumpf2 [~schlumpf@dsl-084-056-165-229.arcor-ip.net] has quit (Remote host closed the connection) |
| 17:03 | --- | <<-- orospakr [~orospakr@CPE0004762b7051-CM001225701f0e.cpe.net.cable.rogers.com] has quit (Quit: Leaving) |
| 17:03 | --- | ---> orospakr [~orospakr@CPE0004762b7051-CM001225701f0e.cpe.net.cable.rogers.com] has joined #uml |
| 17:08 | --- | <<-- orospakr [~orospakr@CPE0004762b7051-CM001225701f0e.cpe.net.cable.rogers.com] has quit (Quit: ) |
| 17:09 | --- | ---> schlumpf [~schlumpf@dsl-084-056-165-229.arcor-ip.net] has joined #uml |
| 17:26 | --- | <<-- Cowboy [~Cowboy@129.42.184.35] has quit (Remote host closed the connection) |
| 17:44 | --- | ---> david [~dcoulson@muffin.davidcoulson.net] has joined #uml |
| 17:59 | --- | ---> Aiken [~james@tooax7-206.dialup.optusnet.com.au] has joined #uml |
| 18:00 | --- | ---> orospakr [~orospakr@CPE0004762b7051-CM001225701f0e.cpe.net.cable.rogers.com] has joined #uml |
| 18:06 | --- | Netsplit uranium.oftc.net <-> olduuu.oftc.net quits: ElectricElf, armenb, ichilton, Guy- |
| 18:06 | --- | Netsplit over, joins: ElectricElf, armenb, ichilton, Guy- |
| 18:08 | --- | ---> Cowboy [~Cowboy@129.42.184.35] has joined #uml |
| 18:20 | --- | ---> flatronf700B [~flatronf7@ns1.clipsalportal.com] has joined #uml |
| 18:25 | --- | ---> Electric1lf [dbharris@defiant.circainformation.com] has joined #uml |
| 18:25 | --- | Netsplit jupiter.oftc.net <-> olduuu.oftc.net quits: ElectricElf, armenb, ichilton, Guy- |
| 18:25 | --- | Netsplit over, joins: ichilton |
| 18:26 | --- | Netsplit over, joins: armenb |
| 18:27 | --- | Netsplit over, joins: Guy- |
| 18:28 | --- | <<-- schlumpf [~schlumpf@dsl-084-056-165-229.arcor-ip.net] has quit (Remote host closed the connection) |
| 18:29 | --- | ---> schlumpf [~schlumpf@dsl-084-056-165-229.arcor-ip.net] has joined #uml |
| 18:31 | --- | <--- Newsome [~sorenson@obelix.cs.byu.edu] has left #uml (Leaving) |
| 18:32 | --- | ---> timster [~chatzilla@ns2.santarosa.com] has joined #uml |
| 18:45 | --- | Netsplit uranium.oftc.net <-> olduuu.oftc.net quits: Guy- |
| 18:49 | --- | <<-- timster [~chatzilla@ns2.santarosa.com] has quit (Quit: ChatZilla 0.9.61 [Mozilla rv:1.7.3/20040910]) |
| 18:50 | --- | Netsplit over, joins: Guy- |
| 18:54 | --- | Netsplit jupiter.oftc.net <-> olduuu.oftc.net quits: Guy- |
| 18:56 | --- | Netsplit over, joins: Guy- |
| 19:02 | --- | <<-- leighbb [~leigh@cpc5-heck1-4-0-cust190.hudd.cable.ntl.com] has quit (Quit: Download Gaim: http://gaim.sourceforge.net/) |
| 19:06 | --- | User: *** Electric1lf is now known as ElectricElf |
| 19:17 | --- | Netsplit uranium.oftc.net <-> olduuu.oftc.net quits: Guy- |
| 19:21 | --- | <<-- loko-london_ [rbrown@213.86.231.218] has quit (Quit: Leaving) |
| 19:35 | --- | <<-- hfb [~hfb@lsanca2-ar33-4-33-193-001.lsanca2.dsl-verizon.net] has quit (Quit: Client exiting) |
| 19:37 | --- | ---> Guy- [~korn@chardonnay.math.bme.hu] has joined #uml |
| 19:44 | --- | ---> Newsome [~sorenson@byu-gw.customer.csolutions.net] has joined #uml |
| 20:13 | --- | <<-- ichilton [~ian@cpc3-stoc3-4-0-cust189.midd.cable.ntl.com] has quit (Read error: Connection reset by peer) |
| 20:16 | --- | ---> loko-london_ [~rbrown@c-67-171-66-213.client.comcast.net] has joined #uml |
| 20:17 | --- | ---> chairuou [~chairuou@210.245.70.1] has joined #uml |
| 20:20 | --- | <<-- loko-london [rbrown@67.171.66.213] has quit (Ping timeout: 480 seconds) |
| 20:22 | --- | <<-- chairuou [~chairuou@210.245.70.1] has quit (Read error: Connection reset by peer) |
| 20:25 | --- | ---> chairuou [~chairuou@210.245.70.1] has joined #uml |
| 21:09 | --- | ---> hfb [~hfb@adsl-69-231-61-84.dsl.irvnca.pacbell.net] has joined #uml |
| 21:30 | --- | <<-- hfb [~hfb@adsl-69-231-61-84.dsl.irvnca.pacbell.net] has quit (Quit: Client exiting) |
| 21:32 | --- | <<-- Newsome [~sorenson@byu-gw.customer.csolutions.net] has quit (Quit: Leaving) |
| 21:39 | --- | User: *** Cowboy is now known as Cowboy_ |
| 21:55 | --- | <<-- tierra [~tierra@dsl093-225-126.slc1.dsl.speakeasy.net] has quit (Quit: Everybody wants to go to heaven, but nobody wants to die.) |
| 22:35 | --- | <<-- orospakr [~orospakr@CPE0004762b7051-CM001225701f0e.cpe.net.cable.rogers.com] has quit (Quit: Leaving) |
| 22:40 | --- | ---> orospakr [~orospakr@CPE0004762b7051-CM001225701f0e.cpe.net.cable.rogers.com] has joined #uml |
| 22:48 | --- | <<-- orospakr [~orospakr@CPE0004762b7051-CM001225701f0e.cpe.net.cable.rogers.com] has quit (Quit: Leaving) |
| 23:01 | --- | ---> orospakr [~orospakr@CPE0004762b7051-CM001225701f0e.cpe.net.cable.rogers.com] has joined #uml |
| 23:07 | --- | <<-- NemLappy^ [~Nem@p54ABD028.dip.t-dialin.net] has quit (Ping timeout: 480 seconds) |
| 23:07 | --- | <<-- Nem^ [~Nem@p54ABD028.dip.t-dialin.net] has quit (Ping timeout: 480 seconds) |
| 23:20 | --- | ---> Nem^ [~Nem@p54ABDAFE.dip.t-dialin.net] has joined #uml |
| 23:20 | --- | ---> NemLappy^ [~Nem@p54ABDAFE.dip.t-dialin.net] has joined #uml |
| 23:59 | --- | <--- VS_ChanLog [~stats@ns.theshore.net] has left #uml (Rotating Logs) |
| 23:59 | --- | ---> VS_ChanLog [~stats@ns.theshore.net] has joined #uml |
| --- | Log | closed Thu Mar 17 00:00:50 2005 |