Here comes the true European anarchist nation fighting dirty: Let's pass a law if they require it, nevermind, we're going to live our own way anyway...
What do these customers/victims do when you move on to another town or retire?
I figure my post sounded quite funny.
I set up pretty standard boxes with documentation on what I did. This way the clients can turn to any other Linux admin when they need.
There's not that much work once you've sold the box. Just take care that when something goes wrong, reasonable documentation is available in case you're no longer.
I'm looking forward to networking more with other roots, so we can offer an actual network of people.
Medium-sized companies can pay people to learn Linux in-house. Small companies sometimes have someone who's a bit more into computers, and can learn.
practice nice, low-tone, clear-speech advocacy from the clients' point of view rather than technical (total costs,reliability,security)
find a small/medium-size company in need of firewall/file+printer-sharing services
offer a box that does it all, guaranteed, with remote administration when needed, with unbeatable price
check out their needs and environment (SMB password encryption, for instance) and find technical solutions (usually someone has done it already)
install debian, samba, netatalk, apache, lprng
set up netfilter accompanied with squid and postfix to drop dangerous attachments/scripts if sold as a firewall to secure windowses
set up a SIMPLE internal webpage for user account management (ask me)
offer enhancements like RDBMS, extranet (ftp/http-download) - what can we come up with?
repeat until world.domination() == TOTAL
Coming up next year or so:
test out the Linux office packets, make up a desktop solution for office use
promote a solution with 100MB switched LAN, diskless workstations booting from server, centrally, remotely administrated for low cost
remember to spread FUD about viruses;)
I'd do it more given time and customer contacts (best advertisement you can have is a happy customer talking about you to its clients.)
Share administration burden (what? doing something wrong?) with trusted friends.
Take a fair price for your work, but avoid greed.
This can and should be done as a side-job, unless you get very successful in the long term.
Only fix what's broken, security hole, or a client-requested enhancement or new service. Never say "can't do", say "I'll look into it" and go for the web; Never say "you can't afford it", say "I'd be forced to hire people for approximately $this much money, would you like to try something else instead?"
I could go on for hours, but you'll find it all out once you start thinking about it.
I may hurt your feelings, though I try just speak my mind up. I know I'm touchy now, so try to take the following casually. I trust on the moderators to view this as a foreigner's honest, differing viewpoint.
1. US Citizens have not had war in their own continent/country for a few, what, hundred years. It shows somewhat in the shockedness of the commentary. Of course this is awful. It does not happen only to someone else somewhere else, neither is what happens to you unique in this day and age. A few surprise attacks and -strikes from last century come to mind. Some of them out of scale, some changing our world for ever.
2. JFK: one mad US citizen. OKC: a few mad US citizen. Yet every time the foreigners get blamed before the attackers are found.
I am shocked and afraid of the future now. I live on the other side of the world from there. Most of us do. Live in fear of the US reaction and what that will do for the world. The world we all have to live in. There is no escape from this planet just yet, not even for chosen few US citizens. We must get along. Focus on anything else, and the nature will take care of us for good.
Sorry if I hurt your feelings; this is just critique that comes to mind while trying to work over the shock by absorbing as much information and commentary about the situation as possible.
But save your back from the dark side does it not.
Feel the strain in every crumpled muscle, can you? Your own pain come over must you. Only weakness of your own mind is that pain! Full of little knuckles is your spine.
Concentrate a bit to your body, stretch a little and listen to yourself. Daily exercise, not too hard, just to notice and to learn paying attention to what's good and what's bad for your back. You could do any sports, but I've got so bad an attitude against sports that this was practically the only option for me:)
Concentrate a bit to your body, stretch a little and listen to yourself. Daily exercise, not too hard, just to notice and to learn paying attention to what's good and what's bad for your back. You could do any sports, but I've got so bad an attitude against sports that this was practically the only option for me:)
I am very happy with KDE's stability and usability. Konqueror is my primary browser, works like a wonder, or much like IE, and has the best cookie handling I've ever seen.
It's also easy for Windows users to learn, except for the panel. What do dummies need a panel for anyway? Desktop icons and windows should suffice. There're too many options in the K menu for easy use - both in RedHat and Debian, at least.
There seemed to be something weird with font settings (choices in applications seem to affect the global settings), but that's minor.
If only aterm worked as well as Eterm, I'd be all happy with Linux on the desktop.
Shouldn't skip so much... Your question was more like whether there would be any good tool for making easy use of iptables. Well, as you can see, I'm not that much after such tools:) Thus that script is not what you asked for: to change the rules, you need to change the script itself - and it uses only some of the most basic methods of iptables.
Anyway, I'd like some discussion about real-life examples like the one in my lengthy post above.
Below is a server filter configuration of mine. Add NAT if needed. Any weaknesses? (I have chrooted normal users' ssh; unchrooted ssh is available from administrators' home addresses through the telnet port)
#!/bin/sh
# we write log of what we do here
LOG="/var/log/iptables.log"
# local IPv4 addresses:
MYIP="`ifconfig | sed -ne 's/.*addr:\([0-9.]*\).*/\1/p'`"
# Allow incoming traffic for these
TCPOK="ftp-data ftp ssh nameserver domain www pop3 https cvspserver 6667"
UDPOK="domain"
# Addresses allowed to "telnet" (ssh to root dir)
TELNETOK="12.34.56.78/29 12.34.56.90/29"
echo "`/bin/date '+[%x %X]'` $0 $*" >>$LOG
# set up policy
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# drop all custom tables
for c in `iptables -L -n | sed -ne 's/^Chain \([a-z]*\).*/\1/p'`;
do
echo "Dropping iptable $c" >>$LOG
iptables -F $c
iptables -X $c
done
# create custom tables
iptables -N rootssh # root ssh; default DROP
iptables -N icmps # icmp traffic; default DROP (weakish)
iptables -N foreign # incoming traffic; default DROP
# rootssh: ssh through telnet port to root dir
# accept from local addresses
for A in $MYIP; do iptables -A rootssh -s $A -i lo -j ACCEPT; done
# accept from specified external addresses
for A in $TELNETOK; do iptables -A rootssh -s $A -i eth0 -j ACCEPT; done
iptables -A rootssh -m limit -j LOG
iptables -A rootssh -j DROP
# icmps: restrict ICMP protocol usage ### TODO: learn to do this right
# accept all except "redirect" ICMP messages
iptables -A icmps -p icmp --icmp-type ! redirect -j ACCEPT
iptables -A icmps -m limit -j LOG
iptables -A icmps -j DROP
# foreign: traffic coming from outside
# accept established traffic:
iptables -A foreign -p tcp --dport 1024: -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A foreign -p udp --dport 1024: -m state --state RELATED,ESTABLISHED -j ACCEPT
# accept explicitly specified traffic
for A in $TCPOK; do iptables -A foreign -p tcp --dport $A -j ACCEPT; done
for A in $UDPOK; do iptables -A foreign -p udp --dport $A -j ACCEPT; done
iptables -A foreign -m limit -j LOG
iptables -A foreign -j DROP
# filter table
# handle icmp traffic and root ssh separately
iptables -A INPUT -p icmp -j icmps
iptables -A INPUT -p tcp --dport telnet -j rootssh
# accept local traffic
for A in $MYIP; do iptables -A INPUT -s $A -i lo -j ACCEPT; done
# handle external traffic separately
iptables -A INPUT -i eth0 -s ! localhost -j foreign
iptables -A INPUT -m limit -j LOG
# default policy was to drop.
- set up packet filtering,
- include the rudimentary protective measeures against spoofing and flooding in above
- chroot daemons
- enforce hard-to-guess passwords
- ban telnet, use ssh
What more could you reasonably expect from an administrator?
Well, ok, there's
- md5sums
- external logging
What else? Would you expect these from everybody?
Remember, a networked workstation is effectively in the same position as any server: "networked" is "vulnerable". All practical security piled on top of that is just patching. Important patching, though, unless you want to risk your data and being used for attacks.
You don't. You need knowledge of clients sufficient for your task. You can deal the job for them as necessary. Think - uuh, what's the name of that distributed "napster replacement" file sharing system again? A network of clients, each propagizing it's available resources (processing power, memory, storage; price for those?).
two or more distant clients and compare the results.
If there's a virus/worm rampant changing the way the clients compute, N results can be equal but still wrong:( Need workaround for this. Then again, the risk is always there even with "trusted" environments.
Jobs should still be anonymous and abstract, even if the client owner should have right to see what kind of things are happening on its machine. An obvious job should be split into less obvious parts.
"The Net is vast."
WIth this I meant there's always more clients available elsewhere than you have on your network:)
I never was able to solve the data integrity issue in a satisfactory way, though. Rogue clients in this scheme could always submit bogus results to the server. That's not catestrophic, but it means that the distributed platform could not be used in an uncontrolled environment like the Internet.
Same solution as in HA problems: redundancy to avoid SPF. You need trusted server(s) to control the jobs. They can give the same job out to two or more distant clients and compare the results. Comparation can be done by producing MD5's in a second set of clients to reduce server load.
The servers should not handle the programs or data, just schedule works and tell clients whom to ask for what when.
I'm sorry: double, even quadruple work, but you can't have both open and trusted environment. Then again, who cares? "The Net is vast."
Internet will sloowly turn into a big, amorphous of processing power and storage. I'm happy to see that other people are giving thought to this as well.
A GNU project for job distribution VM would be essential in standardizing it.
For that, all you need is command recognition. It's orders of magnitude simpler than dictation and can be done with little or no training.
Sidenote: That's more true in English than in Finnish. Once you get past separating phonems, you can map them straight on letters. The mapping is 1-1 except for a single phonem, "ng", which is separable in itself (though then again n-m separation is guesswork at best). Have a large "words" file and correct to the closest match (possibly accept the 15ish different possible endings for a word that we have).
Still, your voice probably varies so much from time to time that it takes more concentration to make that machine-readable speech than it does to press buttons.
But I digress. It's very important to get this stuff to work if even just to enable less typomatic people to more fully access systems.
Your.sig, Sir, states that it is neither self-referential, nor true. It consists of two separate claims, one of which is blatantly false, and therefore, the other is true. Now, you seem to miss your target of a paradox there, since two separate claims can very wel have different validities.
Now I'm curious whether it is I or you missing the point here?
Let's see, which QT event should I bind *sneeze* to?
Reality checks:
- it's going to take just a few more CPU cycles you have, no matter how many you have
- it's going to take ages to get translated to all these fancy little European languages
- it's going to take longer to tweak up to usability than all those Eterm background pictures
- it's still slower than typing.
Embedded devices, yeah, but they don't have the muscle. And nobody wants to spend hours to teach their coffee machines or garage doors to listen.
We have each other to misunderstand ourselves, the machines don't really care anyway.
Anyway, where's the tarball? This is going to be soo fun. I'll just have to clean up my place so I can convince someone to come over and witness my geeky coolness once it's running...
OT: minicopters should have foldable wings
on
What is 'IT'?
·
· Score: 2
Due to repeated reports on/., I've been thinking about those personal hover vehicles dreamed about in the fifties, still under failing development.
They have a bunch of severe problems:
1. control
I suppose it's a lot harder to fly a vehicle than to drive one. Especially if it's light, and there's going to be hundreds of them flying around above and between city buildings. More so in bad weather.
It would be quite a system that could automatically overcome this.
2. Power
It takes extreme amounts of energy to fight the gravitation. This could be solved by slider-like, foldable wings. Take-off and landing should be vertical to reduce ground area requirements. Once airborne, you should be able to slide.with the wings opened and engine(s) turned horizontal.
See the League write over GF's configuration files right out of package!
Watch in amazement as Gnomies flood the field with features!
Feel the heat of battle at the Slashdot Arena!
They "encrypted" their messages with base64+XOR. That is just like the Microsoft click-thru-license and Samba: under DMCA, workarounds are illegal. Prove me wrong, please?
What a promised land of corporate freedom; freedom of bullies to rule over people.
Slashdot Mirror
Here comes the true European anarchist nation fighting dirty: Let's pass a law if they require it, nevermind, we're going to live our own way anyway...
Wish.
What do these customers/victims do when you move on to another town or retire?
I figure my post sounded quite funny.
I set up pretty standard boxes with documentation on what I did. This way the clients can turn to any other Linux admin when they need.
There's not that much work once you've sold the box. Just take care that when something goes wrong, reasonable documentation is available in case you're no longer.
I'm looking forward to networking more with other roots, so we can offer an actual network of people.
Medium-sized companies can pay people to learn Linux in-house. Small companies sometimes have someone who's a bit more into computers, and can learn.
Coming up next year or so:
I'd do it more given time and customer contacts (best advertisement you can have is a happy customer talking about you to its clients.)
Share administration burden (what? doing something wrong?) with trusted friends.
Take a fair price for your work, but avoid greed.
This can and should be done as a side-job, unless you get very successful in the long term.
Only fix what's broken, security hole, or a client-requested enhancement or new service. Never say "can't do", say "I'll look into it" and go for the web; Never say "you can't afford it", say "I'd be forced to hire people for approximately $this much money, would you like to try something else instead?"
I could go on for hours, but you'll find it all out once you start thinking about it.
Make difference where you can.
I may hurt your feelings, though I try just speak my mind up. I know I'm touchy now, so try to take the following casually. I trust on the moderators to view this as a foreigner's honest, differing viewpoint.
1. US Citizens have not had war in their own continent/country for a few, what, hundred years. It shows somewhat in the shockedness of the commentary. Of course this is awful. It does not happen only to someone else somewhere else, neither is what happens to you unique in this day and age. A few surprise attacks and -strikes from last century come to mind. Some of them out of scale, some changing our world for ever.
2. JFK: one mad US citizen. OKC: a few mad US citizen. Yet every time the foreigners get blamed before the attackers are found.
I am shocked and afraid of the future now. I live on the other side of the world from there. Most of us do. Live in fear of the US reaction and what that will do for the world. The world we all have to live in. There is no escape from this planet just yet, not even for chosen few US citizens. We must get along. Focus on anything else, and the nature will take care of us for good.
Sorry if I hurt your feelings; this is just critique that comes to mind while trying to work over the shock by absorbing as much information and commentary about the situation as possible.
This is what I use with an external HPT366 to have it run stable:
/sbin/hdparm -c 3 -m 16 -u 0
cheers
But save your back from the dark side does it not.
Feel the strain in every crumpled muscle, can you? Your own pain come over must you. Only weakness of your own mind is that pain! Full of little knuckles is your spine.
I am an irrational number, not a mere free man!
Concentrate a bit to your body, stretch a little and listen to yourself. Daily exercise, not too hard, just to notice and to learn paying attention to what's good and what's bad for your back. You could do any sports, but I've got so bad an attitude against sports that this was practically the only option for me
I am an irrational number, not a mere free man!
Concentrate a bit to your body, stretch a little and listen to yourself. Daily exercise, not too hard, just to notice and to learn paying attention to what's good and what's bad for your back. You could do any sports, but I've got so bad an attitude against sports that this was practically the only option for me
I am an irrational number, not a mere free man!
I'd love to get a picture of these. Anyone in the area with a camera? Pictures still around?
This is a memorable laugh, a real mind-boggler.
I am very happy with KDE's stability and usability. Konqueror is my primary browser, works like a wonder, or much like IE, and has the best cookie handling I've ever seen.
It's also easy for Windows users to learn, except for the panel. What do dummies need a panel for anyway? Desktop icons and windows should suffice. There're too many options in the K menu for easy use - both in RedHat and Debian, at least.
There seemed to be something weird with font settings (choices in applications seem to affect the global settings), but that's minor.
If only aterm worked as well as Eterm, I'd be all happy with Linux on the desktop.
Shouldn't skip so much... Your question was more like whether there would be any good tool for making easy use of iptables. Well, as you can see, I'm not that much after such tools
Anyway, I'd like some discussion about real-life examples like the one in my lengthy post above.
Why would you need anything more than iptables?
Below is a server filter configuration of mine. Add NAT if needed. Any weaknesses? (I have chrooted normal users' ssh; unchrooted ssh is available from administrators' home addresses through the telnet port)
#!/bin/sh
# we write log of what we do here
LOG="/var/log/iptables.log"
# local IPv4 addresses:
MYIP="`ifconfig | sed -ne 's/.*addr:\([0-9.]*\).*/\1/p'`"
# Allow incoming traffic for these
TCPOK="ftp-data ftp ssh nameserver domain www pop3 https cvspserver 6667"
UDPOK="domain"
# Addresses allowed to "telnet" (ssh to root dir)
TELNETOK="12.34.56.78/29 12.34.56.90/29"
echo "`/bin/date '+[%x %X]'` $0 $*" >>$LOG
# set up policy
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# clear filter tables
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
# drop all custom tables
for c in `iptables -L -n | sed -ne 's/^Chain \([a-z]*\)
do
echo "Dropping iptable $c" >>$LOG
iptables -F $c
iptables -X $c
done
# create custom tables
iptables -N rootssh # root ssh; default DROP
iptables -N icmps # icmp traffic; default DROP (weakish)
iptables -N foreign # incoming traffic; default DROP
# rootssh: ssh through telnet port to root dir
# accept from local addresses
for A in $MYIP; do iptables -A rootssh -s $A -i lo -j ACCEPT; done
# accept from specified external addresses
for A in $TELNETOK; do iptables -A rootssh -s $A -i eth0 -j ACCEPT; done
iptables -A rootssh -m limit -j LOG
iptables -A rootssh -j DROP
# icmps: restrict ICMP protocol usage ### TODO: learn to do this right
# accept all except "redirect" ICMP messages
iptables -A icmps -p icmp --icmp-type ! redirect -j ACCEPT
iptables -A icmps -m limit -j LOG
iptables -A icmps -j DROP
# foreign: traffic coming from outside
# accept established traffic:
iptables -A foreign -p tcp --dport 1024: -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A foreign -p udp --dport 1024: -m state --state RELATED,ESTABLISHED -j ACCEPT
# accept explicitly specified traffic
for A in $TCPOK; do iptables -A foreign -p tcp --dport $A -j ACCEPT; done
for A in $UDPOK; do iptables -A foreign -p udp --dport $A -j ACCEPT; done
iptables -A foreign -m limit -j LOG
iptables -A foreign -j DROP
# filter table
# handle icmp traffic and root ssh separately
iptables -A INPUT -p icmp -j icmps
iptables -A INPUT -p tcp --dport telnet -j rootssh
# accept local traffic
for A in $MYIP; do iptables -A INPUT -s $A -i lo -j ACCEPT; done
# handle external traffic separately
iptables -A INPUT -i eth0 -s ! localhost -j foreign
iptables -A INPUT -m limit -j LOG
# default policy was to drop.
# done configuring
# log configuration
iptables -L -n >>$LOG
- set up packet filtering,
- include the rudimentary protective measeures against spoofing and flooding in above
- chroot daemons
- enforce hard-to-guess passwords
- ban telnet, use ssh
What more could you reasonably expect from an administrator?
Well, ok, there's
- md5sums
- external logging
What else? Would you expect these from everybody?
Remember, a networked workstation is effectively in the same position as any server: "networked" is "vulnerable". All practical security piled on top of that is just patching. Important patching, though, unless you want to risk your data and being used for attacks.
http://netfilter.kernelnotes.org/unreliable-guide
It's well written, short, to the point. What else would you need?
Encrypted Terminal [Session] : et, or ets
Encrypted Terminal Connection, or rather, "so on to the next [box]": etc
Or just "esh" for Encrypted SHell, because the security is never factual anyway.
This is fun
Just my 0,02 FIM
You need trusted server(s) to control the jobs.
:( Need workaround for this. Then again, the risk is always there even with "trusted" environments.
:)
You don't. You need knowledge of clients sufficient for your task. You can deal the job for them as necessary. Think - uuh, what's the name of that distributed "napster replacement" file sharing system again? A network of clients, each propagizing it's available resources (processing power, memory, storage; price for those?).
two or more distant clients and compare the results.
If there's a virus/worm rampant changing the way the clients compute, N results can be equal but still wrong
Jobs should still be anonymous and abstract, even if the client owner should have right to see what kind of things are happening on its machine. An obvious job should be split into less obvious parts.
"The Net is vast."
WIth this I meant there's always more clients available elsewhere than you have on your network
I never was able to solve the data integrity issue in a satisfactory way, though. Rogue clients in this scheme could always submit bogus results to the server. That's not catestrophic, but it means that the distributed platform could not be used in an uncontrolled environment like the Internet.
Same solution as in HA problems: redundancy to avoid SPF. You need trusted server(s) to control the jobs. They can give the same job out to two or more distant clients and compare the results. Comparation can be done by producing MD5's in a second set of clients to reduce server load.
The servers should not handle the programs or data, just schedule works and tell clients whom to ask for what when.
I'm sorry: double, even quadruple work, but you can't have both open and trusted environment. Then again, who cares? "The Net is vast."
Internet will sloowly turn into a big, amorphous of processing power and storage. I'm happy to see that other people are giving thought to this as well.
A GNU project for job distribution VM would be essential in standardizing it.
For that, all you need is command recognition. It's orders of magnitude simpler than dictation and can be done with little or no training.
Sidenote: That's more true in English than in Finnish. Once you get past separating phonems, you can map them straight on letters. The mapping is 1-1 except for a single phonem, "ng", which is separable in itself (though then again n-m separation is guesswork at best). Have a large "words" file and correct to the closest match (possibly accept the 15ish different possible endings for a word that we have).
Still, your voice probably varies so much from time to time that it takes more concentration to make that machine-readable speech than it does to press buttons.
But I digress. It's very important to get this stuff to work if even just to enable less typomatic people to more fully access systems.
Your
Now I'm curious whether it is I or you missing the point here?
Let's see, which QT event should I bind *sneeze* to?
Reality checks:
- it's going to take just a few more CPU cycles you have, no matter how many you have
- it's going to take ages to get translated to all these fancy little European languages
- it's going to take longer to tweak up to usability than all those Eterm background pictures
- it's still slower than typing.
Embedded devices, yeah, but they don't have the muscle. And nobody wants to spend hours to teach their coffee machines or garage doors to listen.
We have each other to misunderstand ourselves, the machines don't really care anyway.
Anyway, where's the tarball? This is going to be soo fun. I'll just have to clean up my place so I can convince someone to come over and witness my geeky coolness once it's running...
Due to repeated reports on
They have a bunch of severe problems:
1. control
I suppose it's a lot harder to fly a vehicle than to drive one. Especially if it's light, and there's going to be hundreds of them flying around above and between city buildings. More so in bad weather.
It would be quite a system that could automatically overcome this.
2. Power
It takes extreme amounts of energy to fight the gravitation. This could be solved by slider-like, foldable wings. Take-off and landing should be vertical to reduce ground area requirements. Once airborne, you should be able to slide.with the wings opened and engine(s) turned horizontal.
Oh my, here I read about the series like I were to see it someday soon now.
Pity us Nordics - give us our fix,
oh mighty ol' feeders of analog pics
(you know, those pricks who barely know *nix)!
This time I won't even go into my typical "blah, you yankees don't even know good old Lem^H^H^H..." - won't.
TV should be not only digitized but netified sooner than it's going to be. Oh well.
See the League write over GF's configuration files right out of package!
Watch in amazement as Gnomies flood the field with features!
Feel the heat of battle at the Slashdot Arena!
What geeks really miss is sports.
(*urgh* not quite
Refresh my memory, how do you factor n into p and q again?
Simple: p and q such that result in the original message are correct.
They "encrypted" their messages with base64+XOR. That is just like the Microsoft click-thru-license and Samba: under DMCA, workarounds are illegal. Prove me wrong, please?
What a promised land of corporate freedom; freedom of bullies to rule over people.