Domain: kernelnotes.org
Stories and comments across the archive that link to kernelnotes.org.
Comments · 60
-
Kernelnotes hacked?
I tried to check an old Kernelnote message. But this site seems to be hacked. I know Slashdot is not the place to report it, but where is the best place for a hacked site?!
-
Add iptables to *bsd
This seems like a nice opportunity to add iptables to *BSD. Iptables is the linux version of ipf. Some people claim that iptables is superior (or at least more flexible and easier to understand) to ipf
....The main site for iptables is: http://netfilter.kernelnotes.org but that site has been down for some time now, use http://www.samba.org/netfilter/ instead.
-
IMHO Rusty's filtering HOWTO is very clear.
http://netfilter.kernelnotes.org/unreliable-guides/packet-filtering-HOWTO/index.html
It's well written, short, to the point. What else would you need? -
100% totally offtopic
Sorry for the offtopic post, but there is a PNG available of the 2.3.18 version he did originally. It's 1.5 mb, and I don't know how much bandwidth the server has, so you may want to mirror it.
Anyway, sorry about that, feel free to mod me down.
--Shoeboy -
Re:Linux on a calculator
Hey now, I wouldn't say that just yet. It's probably harder than installing RedHat 7 on a 486, (boot disk doesn't support it by default) but if this guy thinks it's doable, then I might have to get a TI-92+.
:)
---
pb Reply or e-mail; don't vaguely moderate. -
Re:Linux on a calculator
Here's a link to a few kernel hackers talking about it.
Doesn't look good for Linux on a TI-89/92(+).
-- -
Re:Dumb question
2.4.x uses netfilter for packet mangling. Here is the relevant portion of the FAQ: http://netfilter.kernelnotes.org/netfilter-faq-1.html#ss1.4.
You can use ipchains to control the filters, NAT, etc., I believe, but iptables is the new user-space tool du jour. The page for the project is http://netfilter.kernelnotes.org/. I can't make a personal testimonial yet, I haven't had much chance to play with iptables/netfilter/2.4.x firewalling.
-- -
It *is* compatible.
Read the howto
-
Re:for those who use linux as a gateway...
I have a cable modem, and to get IP forwarding working I used:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
eth0 is connected to the cable modem, eth1 is connected to my other computer.
For more information try: http://netfilter.kernelnotes.org/unreliable-guides/NAT-HOWTO.html -
Re:To all the /.'ers mentioning "Beowulf"...
Linux has been moving in that direction. Linux can run nicely on IBM mainframes now. SGI, IBM, and Compaq are all working to make sure Linux can run on their big machines. The 2.4 kernel goes a long way in this.
Check out these boot logs:
POWER4
Compaq Alpha -
Re:ipchains - iptables?
In the test kernels, NetFilter (the official name) is not that much fun, but not terribly bad either. You have to use a program called iptables instead of ipchains (duh) which never seems to be compiled correctly for the kernel modules I have at the time. The syntax for iptables is a little different, but my is fairly basic so I can't help much there. However, you still have the option to use ipchains in the 2.4 kernel if you have extensive config stuff already written.
You can find some FAQs and HOWTO's (scroll down) at the NetFilter homesite.
-
Getting started with securing your home LAN
Hi,
I've found my home LAN to be relatively secure. I started with these two things:
One) Purchase a WatchGuard SOHO Firewall/Gateway device. Only $350 at Outpost.com (free overnight shipping!). This little beauty does DHCP and NATs your LAN as well. You can plug 5 machines directly into it, or extend it with a hub. There is also a VPN option if you want it. It is configurable via a web interface, and can basically upgrade itself from their website.
Two) Start running iptables on the 2.4 Linux boxes, and ipchains on the 2.2 boxes. Here is a version of the firewall.sh script that I run to configure iptables to keep the box reasonably safe, without going overboard.
-
Re:Speed's not the only issue
Linux is a kernel. Perhaps if you said "RedHat has nothing to brag about when it comes to security.." I could almost agree with you.
Ask yourself, "what does a kernel have to do with a buffer overflow in an optional package such as apache, wu-ftpd or Piranha (I know, not an exploit)?"
Nothing! Most exploits I have seen involved optional packages (wu-ftpd, apache, etc)
Anyone is free to create a Linux distro that is analogous to OpenBSD: it has no services enabled by default (save ssh), has a few "audited" packages, and tells you that you should use su. (I can hear the OBSD Zealots screaming now about how Linux will never ever ever never be secure like OpenBSD, because Theo tells us so.)
And why in the hell did this guy get modded up to +3??
Linux's security isn't so hot, and any commercial OS is better! (Holy shit, let's mod this guy up!)
Wow, what a brilliant comment!
I can't wait till the 2.4 kernel is old news. All the anti-linux "*nix users" posting FUD like this are going to be shutting up so they can go download ISO's from cdrom.com.
Linux is going to be one sweet kernel (it's not bad now), and I'm amazed at the progress the kernel developers are making.
www.kernelnotes.org -
When Linux 2.4 comes out...
the firewall/NAT functionality of the kernel and iptables utility will allow you to track the number of packets and number of bytes traveling across each port that you are monitoring.
You can also use the logging module to log particular firewall/NAT rules to gain more detailed info.
For more info check out the netfilter home page.
Linux 2.2 does this, but not as nicely and without the logging functionality.
-
Re:2.4 Kernel...
Can anyone comment on the improvements that he speaks of?
There are a couple of tidbits from kernel traffic which may be helpful. One is a discussion on Joe Pranevich's DRAFT of his The Wonderful World Of Linux 2.4. The other is the DISCUSSION of the DRAFT of a PROPOSED press release which highlights the big features for when 2.4 comes out.
If you're into finding out things before they are final and are an early adopter, these may be of use to you. They are certainly not finished documents and should not be treated as such. They may contain misleading statements, misunderstandable statements, misunderstood points, mention of features that don't make it, and/or outright lies with the intention of deceit.
-
You don't need a separate firewall machine
You can use the firewalling kernel modules on your own machine -- ipfwadm, ipchains, or netfilter, depending on whether you're running 2.0.x, 2.2.x, or 2.3.x+. Start by limiting everything incoming to localhost-only, and then open up just the stuff you need to open up.
See sections 7 and eight of the Firewall and Proxy Server HOWTO for ipfwadm and ipchains, respectively; and the Linux 2.4 Packet Filtering HOWTO for netfilter.
(Of course, everything-off should be the default setting in the first place, but that's another story altogether.)
-
Re:Microsoftie reply
There was a huge discussion on the Linux Kernel mailing list in the last few weeks about how best to do floppy handling.
Replying to myself:
The discussion on floppy handling begins with this message by Richard Stallman in week 2 of June and continues through the next two weeks. The thread was summarized in Kernel Traffic #73.
Anomalous: inconsistent with or deviating from what is usual, normal, or expected -
Re:Microsoftie reply
err...and what exactly is the reason for having to unmount a floppy ? how bout a straight push this button and it ejects thing?
Because if you do it at the wrong moment, it can scramble the disk beyond all repair.
Because the floppy is a slow device and the OS can buffer the disk contents for faster I/O if it knows when the disk has changed.
Because a program might have a file open on the floppy and it would be very unhappy not to be able to save when it needs to.
Just because MSDOS used a stupid floppy model, doesn't mean all OSes have to slavishly follow.
The Mac has *good* floppy handling. Better floppy handling than PCs. New devices like the Zip Drive have Mac-like media locking.
There was a huge discussion on the Linux Kernel mailing list in the last few weeks about how best to do floppy handling. Even if you have no interest in Linux, it is informative on the limitations of PC hardware and OSes in this regard.
Anomalous: inconsistent with or deviating from what is usual, normal, or expected -
Re:Damn these sites (or, my mouse has spoiled me)
I cross-referenced your post. Hope this helps!
I've got one of those Intellimouse Explorers (the huge silver ones with the superfluous tail light and like three extra buttons; well, what the hell, here's a http://www.microsoft.com/Mouse/explorer.htm link) and sites that won't let you back out are an incredible annoyance. See, two of the buttons on there serve as Forward/Back (respectively) while browsing the web, and after about 20 minutes of using them, I was hooked. You wouldn't believe how simple (and remarkably intuitive) it is to navigate with your thumb. Now if I could just find a good use for those buttons in Half-Life... I mean, sure, it's easy enough to hold down the back button and select the page before the offending site, but that would require moving my cursor over six or so linear inches of desktop space. Isn't that just a little bit unreasonable? No? Ah well.
-
Re:Much Ado About Nothing
DevFS: Linus mandated its inclusion. End of story. Also, it is a simple filesystem, like Ext2, and doesn't tickle problems with the VFS.
shmfs: don't know history of this one, but it is a simple filesystem; prob. doesn't hit the VFS limitations.
ramfs/cramfs: simple filesystems, look like Ext2. Actually support fewer features than does Ext2.
Reiser: Linus said that ReiserFS would not be included in 2.4. It also has to do a lot of work around shortcomings of the VFS, for which Viro has been unhelpful. Fat chance it'll be included when working against that. It's irrelevant that Reiser makes his living off of his FS, although stupid of him to make that argument.
The whole "ReiserFS thing" is not a red herring. Regardless of how "together" Hans gets his act, fact remains that his ideas and patches are being ignored. And he's bringing up real problems. HFS has to resort to some of the same silly kludges as he does. This problem has been popularized by Reiser, but isn't just Reiser's problem.
SurfsUp said 2.5 was going to focus on fixing the VFS. I hope so. A generic, stackable filesystem interface would be a good thing.
-
If you want to read up on the situation yourself
Start here.
(Posted anonymously to avoid karma whore allegations) -
Re:What else do I have to upgrade?
Look up the upgrade notes on this webpage.
-
Reminded of what Torvalds said
The comments on how to have different platforms be binary compatible are interesting in their own right. What I find interesting is how the same idea in a different form is implicit in what Torvalds writes. For instance read his essay on the kernel from Open Sources carefully. Here is a more technical explanation. In both cases you abstract out from the architecture, OS, library, whatever the interface you want to program to, and then (with appropriate macros etc) set up that interface. Then when you go to port it, you merely need to figure out how to set up all of your macros and the bulk of the code remains untouched.
Look at that sideways. That is *exactly* what IBM did to make code binary portable. That is the principle that the AS400 uses. If you peek in well-known and widely ported projects (eg Perl) you will often find that they take the same approach. (For good reason!)
The key to wisdom lies in seeing how good ideas about foo look like good ideas about bar and then trying to apply that. There is a good lesson here about portability...
Cheers,
Ben -
Re:Has anyone here received one?
I have YET to receive ANY of the 'vbs' email worms in any email I've ever received
Hehe, subscribe to linux-kernel, I laughed my ass off when I got this email.
There followed two or three automated virus warnings no human bothered to answer. Pretty ironic it was. -
Re:What's new?
Someone already does this, it's just not up the instant the kernel's released. Try kernelnotes.org and wait for the link to show up.
:wq! -
Boot Sequence, folks
It's the boot sequence. This is Linux. Thus spoke Linus Torvalds:
How many times a week do you reboot?
Let's not forget this isn't Windows -- the "ads" will rarely be displayed on your console (unless you dual boot often). Save the hysterics (no gender offence intended) for real battles.
-
Linus' April fools joke is here!
off of lkml, right here
-
Re:Compile Problems with 2.3.51
There's a patch on the kernel mailing list for the parport problem. The message and patch can be seen here.
-
Firewall changes
One of the things that was a big headache for a lot of people going from 2.0 to 2.2 was firewalls.
Well one of the changes that people don't appear to be aware of was that it was completely rewritten again.
But relax, the new stuff was designed to be something to be easy to develop stuff on top of. So 2.4's firewall code will transparently work both like 2.2 and like 2.0 did, and there are hooks to do virtually anything you want.
But still if you want to find out what changed, wander on over to the Netfilter page.
Cheers,
Ben -
Re:Would SMP help VMWare?
Just a little side note, but Linux itself can sleep to disk. Check out one of the patches linked to on Kernel Notes.
-
Cutting Edge Linux
Anyone know why the Cutting Edge Linux site hasn't been updated for Kernel 2.3.x notes in over a month and a half? I really loved that page...
EraseMe -
ReGet is evil
OT:
ReGet spawns multiple connections to an FTP server with different offsets and kills them after a small transfer. This is a nasty thing to do to a server since they are optimized for full file transfers.
linux-kernel note about ReGet
-- -
Re:doesn't work/compile for me...
There is a one line typo in ll_rw_blk.c. The name of a variable had an 's' added to it accidentally. See this linux-kernel message or just apply this diff:
diff -u linux/drivers/block/ll_rw_blk.c.orig linux/drivers/block/ll_rw_blk.c
--- linux/drivers/block/ll_rw_blk.c.orig Wed Feb 16 20:15:56 2000
+++ linux/drivers/block/ll_rw_blk.c Wed Feb 16 20:45:56 2000
@@ -253,7 +253,7 @@
INIT_LIST_HEAD(&q->queue_head);
q->elevator = ELEVATOR_DEFAULTS;
q->request_fn = rfn;
- q->back_merges_fn = ll_back_merge_fn;
+ q->back_merge_fn = ll_back_merge_fn;
q->front_merge_fn = ll_front_merge_fn;
q->merge_requests_fn = ll_merge_requests_fn;
q->make_request_fn = NULL;(modulo the way that Slashdot mangles quotes, of course.)
-
ll_rw_blk.c fix
According to linux-kernel, try this:
diff -u linux/drivers/block/ll_rw_blk.c.orig linux/drivers/block/ll_rw_blk.c
--- linux/drivers/block/ll_rw_blk.c.orig Wed Feb 16 20:15:56 2000
+++ linux/drivers/block/ll_rw_blk.c Wed Feb 16 20:45:56 2000
@@ -253,7 +253,7 @@
INIT_LIST_HEAD(&q->queue_head);
q->elevator = ELEVATOR_DEFAULTS;
q->request_fn = rfn;
- q->back_merges_fn = ll_back_merge_fn;
+ q->back_merge_fn = ll_back_merge_fn;
q->front_merge_fn = ll_front_merge_fn;
q->merge_requests_fn = ll_merge_requests_fn;
q->make_request_fn = NULL;
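Review bot: the context lines in this hunk have lost their leading space and indentation in posting, so it may not apply cleanly with patch as pasted; the only change is `back_merges_fn` to `back_merge_fn` in the assignment directly after `q->request_fn = rfn;`, so either make that edit by hand or take the patch from the linked linux-kernel post. The corrected field name is consistent with the adjacent `front_merge_fn` assignment and with the `ll_back_merge_fn` handler being assigned.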
Well, you get the idea even if it looks like crap on slashdot.
(Original linux-kernel post) -
This new kernel release actually *IS* news.
Normally, I agree that announcing the latest development kernel on Slashdot is a little silly - after all, if you're running the devel kernels, you know where to look for them.
However, this kernel release IS newsworthy. Why? Well, take a look at this posting to the linux-kernel mailing list:
If you can't be bothered to follow the link, here's the important sentence from that posting: This is the patch that was sent to Linus and included in 2.3.46-pre5. That's right boys and girls, DevFS is now part of the standard Linux kernel. This is wonderful news, and amazingly hasn't yet sparked off any great flamewars on the mailing list (those of you that read the list will know that mentioning DevFS on it has seemed akin to posting about atheism on an evangelical Christian newsgroup). For more information about DevFS, have a look at Richard Gooch's kernel patch page.
I'm still amazed that this has happened.
-
Meta-Standard?
XHTML is as much a standard language as the Linux Kernel Recommended Coding Style. According to the W3C press release, Authors writing XHTML use the well-known elements of HTML 4 (to mark up paragraphs, links, tables, lists, etc.), but with XML syntax, which promotes markup conformance. So, as I understand it, you write HTML 4, but throw in some extra informative tags and generally make sure your page plays nicely with hypothetical non-web browser programs reading your code.
Incidentally, I don't see any support for such tricks as using tables to lay out a page. Will this force people to recode their layouts with CSS (which they probably should do anyway), or just give coders another excuse to ignore W3C recommendations?
-
The Changelog
Here is the Changelog. (Why didn't they link to it directly?)
It doesn't look like anything really major; just a driver update here, a driver update there. Progress as usual...
David E. Weekly (dew, Think) -
In case you DON'T know where to get the good stuff.
List of Kernel Mirrors.
KernelNotes.org has changelists and things but hasn't been updated for 2.2.14 yet.
-
Changelist
The changelist will be appearing here at some point in the future.
Hopefully soon :) -
Re:More accurately
Well, the network code in the linux kernel is not exactly backwards compatible, unless you do some tricks to make it so.
ipchains allows for lots of tricks you could not do with ipfwadm, the new netfilter stuff which will be in 2.4 allows even more tricks.
There are some howtos and stuff which you might want to read to mentally prepare yourself for 2.4 on netfilter.kernelnotes.org.
Quote from the ipnatctl howto:
3. Quick Translation From 2.0 and 2.2 Kernels
Sorry to those of you still shell-shocked from the 2.0 (ipfwadm) to 2.2 (ipchains) transition.
There's good and bad news.
Firstly, you can simply use ipchains and ipfwadm as before. To do this, you need to insmod the `ipchains.o' or `ipfwadm.o' kernel modules found in the latest netfilter distribution. These are mutually exclusive (you have been warned), and should not be combined with any other netfilter modules. -
More details soon, I expect
Look to the kernelnotes site for more details. I expect the changes list will appear there first....
-
Fight fire not with fire, but with...
...holy penguin pee!
-- -
Stupid. Take a look around.
I will be brief:
Linux.
FreeBSD.
NetBSD.
OpenBSD.
They are all free (beer and speech). They are all Unix-like. Three of them are descended from the same code. Two of them were the same code four years ago. All of them, the last I heard, have growing user bases.
Stupid article, would probably have been ignored on Usenet, not worth mentioning on Slashdot. -
Changelog for 2.2
Rob, pay attention. Someone already posted this news on /.. Some other useful links: -
Changelog takes a while / where to get it.
The changelog takes a few days to be milked out of http://edge.kernelnotes.org. The kernel programmers are too lazy to do one themselves apparently. Sometimes you get release notes from Linus though, usually about it being blessed with something penguinish.
Until then you can just use the 2.2.x patch browser at http://www.kernelnotes.org/v22patch/ (click on the breakdown)
Whatever is shown got tweaked a little (or a lot). You can figure out where the changes were made quickly. Finding out what the changes were requires more effort however.
~Kevin
:) -
Re:Changes?
You can see what has changed at: www.kernelnotes.org. And since it is Alan Cox who takes care of the 2.2-tree now - probably also at his diary, www.uk.linux.org/diary.