well, i would not say that your server *should* be outside the natted zone at all costs, but there are three things that spring to mind with such a situation:
- For every port/service you want forwarded, you need to install an ipchain/iptables/whatever rule (or multiple). When you add a service, you have to change the configuration of the server (normal), but also of the NAT-ting server. A mistake might lead to the disruption of the NAT service for other users.
- For heavily loaded servers, the nat-system will have to nat all the traffic, generating extra load on the nat-system. Depending on the nat-machine (dedicated $$$ hardware or linux 486 with 8M ram), this can affect performance for other systems. Note however that this is only for heavily loaded (with network traffic that is) servers, not for a test-server like yours is.
- If there are two servers behind the natting machine, both running a webserver, one can be forwarded from the 80-port of the NAT-machine, but the second can't (as this port is already in use).
My suggestion: if you use this only as a testserver, leave it this way. If it is a production server with some load on it, inquire at your ISP or hosting companies about hosting.
Well, the answer to question 4 is pretty simple. If you have no custom packages, doing apt-get update && apt-get upgrade should keep you pretty safe.
If however you have custom packages, follow the mailing lists discussing those programs, and try to keep your package up-to-date.
Debian is very fast to backport security fixes. Redhat also has such a service, but you have to pay for it, and they only support their latest releases, which means you have to upgrade all your machines once per 8-12 months.
Loose answers to question
1) As far as I know, nothing is wrong with NAT. It is commonly used to bundle a lot of workstations,... behind a single IP. I don't get why you would remove NAT machines. The servers should be outside the NAT-ted zone.
2) There are several packages that can do this. Examples are chkrootkit to check for rootkits, tripwire to check changes in files, netstat to list the open ports on a server,... there are also a bunch of tools to check a machine from another machine. Keep in mind that all these programs might be altered by the rootkit. Always install them from scratch when you think your system has been hacked... Keeping a list of checksums for the programs in /bin, /sbin and /usr/sbin might be handy... (or install Tripwire, with the checksums on a read-only system)
3) I guess DMZ means de-militarized zone, the zone between the internet and the corporate nat-box..., where the servers are supposed to be that deliver internet services... servers might be placed behind or before the firewall (although the first solution is better:))
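One way to keep the checksum list mentioned in answer 2, as an added example that is not part of the original comment; the function names and the temporary directory standing in for /bin are assumptions. As the comment notes, the saved manifest belongs on read-only media and the check should be run from known-good binaries.

```python
import hashlib
import json
import os
import tempfile


def file_digest(path, chunk_size=65536):
    """SHA-256 of a file's contents; symlinks are recorded by target, not followed."""
    if os.path.islink(path):
        return "symlink:" + os.readlink(path)
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(directories):
    """Map every file under the given directories to its digest."""
    baseline = {}
    for top in directories:
        for root, _dirs, files in os.walk(top):
            for name in files:
                path = os.path.join(root, name)
                try:
                    baseline[path] = file_digest(path)
                except OSError:
                    baseline[path] = "unreadable"
    return baseline


def compare(baseline, current):
    """Report files whose digest changed, plus files added or removed."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Constructed sample: a temporary directory stands in for /bin."""
    with tempfile.TemporaryDirectory() as fake_bin:
        for name, body in (("ls", b"original ls"), ("ps", b"original ps"), ("netstat", b"original netstat")):
            with open(os.path.join(fake_bin, name), "wb") as fh:
                fh.write(body)
        # Serialise the manifest as it would be written to read-only media, then load it back.
        manifest = json.loads(json.dumps(build_baseline([fake_bin])))
        # Constructed later changes on the host: one file replaced, one removed, one added.
        with open(os.path.join(fake_bin, "ps"), "wb") as fh:
            fh.write(b"replaced ps")
        os.remove(os.path.join(fake_bin, "netstat"))
        with open(os.path.join(fake_bin, "extra"), "wb") as fh:
            fh.write(b"new file")
        report = compare(manifest, build_baseline([fake_bin]))
        return {kind: [os.path.basename(p) for p in paths] for kind, paths in report.items()}


if __name__ == "__main__":
    print(demo())
```

On a real host, `build_baseline(["/bin", "/sbin", "/usr/sbin"])` would be run once on a known-clean install and compared against a fresh scan later.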
Without doing a price check it might almost be cheaper to buy several lower spec pcs if you want the overall power (say for the seti programme or cancer curing stuff).
I can say nothing else than... Imagine a Beowulf cluster of those (3.3 GHz models, not the cheaper ones)...
I doubt that many applications might benefit that much from this. Only processor intensive apps will benefit from this, like video players, music players and X.
I wonder how many people know that they can build their own version of packages by using "apt-get -b source ".
People who like to get that extra cpu-cycle that is lost by the i386 compile can compile their own packages... I suggest one begins with the libs (libc6, xlibs,...) and the cpu-intensive apps (multimedia,...)
Try reading the apt-howto, the part about source-packages, build-dependencies, is here...
Computers are not good when it comes to floats...:)
Besides that, if you took an irrational number like PI, anyone knowing it is PI, can calculate the next digits that will be used. When using a pad, one has to get a copy of the pad (the "book", as they refer to it in the article) and a copy of the algorithm used to find the pages in the book... It is a bit harder.
The only concern is the exchange of the "book". The algorithm may be publicly available, as long as you are lacking the "book", you don't have anything to start from...
It is stated in the press announcement at the Fujitsu site (the first link of this story)...:
"Pocket LOOX utilizes a high-performance Intel PXA250 Applications Processor and boasts advanced high-speed network connectivity functions as well as very long battery life."
What "very long battery life" is expressed in days, hours or years, that is up to Fujitsu... It will also depend on the applications you run on the PDA.
Ever travelled by train? People don't even _talk_ to each other. Wild guess: no-one is going to ask a co-traveler to join a high-tech-devices-needing thing like a PDA deathmatch game via your cellphone...
If you want games, buy yourself a GBA or something similar. A phone is made to telephone, a PDA for keeping notes, addresses and a schedule...
If makers of cellular phones introduce a new phone by saying "Even with more games" or a new technology (like J2ME getting used by Nokia) "Great new games",... Please, fire the development team and search some people who want to improve the qualities that matter...
All you guys have really a short memory.:) The previous post on slashdot on this subject (Mono) mentioned that the mono compiler could compile itself. As the example stated in the mail (original post):
Microsoft C# compiler generates mcs.exe
mcs.exe compiles itself and generates mcs2.exe
mcs2.exe compiles itself and generates mcs3.exe
As announced 04/07/2002, the compiler compiles on the Linux platform.
Looks like two very, very different things to me... And a big step forward for the Mono project. Kudos to the team.
The ad is based on some javascript-code. Disabling javascript allows you to read slashdot, but remove the ads. Just checked it in Opera, and it works...
And as an extra help to adbuster programs, the ad-code is delimited with some explicit comment-lines in the html-code.
But after all, I don't think this is much of a problem. I was already used to reading the story, and then using page-down to skip to some comments. As long as the ad doesn't come in between the comments, no problem here... And /. needs money, just like everyone else. There are two places where the money can come from: The readers, or ads to pay for the fee the readers should pay.
That is the american point of view. America was the base of IPv4 (ARPANet,... remember) and there are plenty of IPv4-blocks left to (re)use. No need to use IPv6 there...
But when we look at countries like Japan and Russia, we see active deployment of IPv6, because there is need to do it, because there is a shortage of IPv4 addresses.
Europe is pushing IPv6 because Europe is somewhere in between. There are still enough IPv4 addresses, but not for long...
You're forgetting a large third group of people. The people who are big fans of a certain TV-show, but the show isn't aired (any more) where they live, or runs about 3 seasons behind where they live.
Also, movies are almost always first shown in the USA, and 6 months later, the movie is shown in European theaters.
The movie industry could gain a lot more revenue if they released the popular movies (cfr Star Wars, LOTR,...) all over the world at the same time.
Exactly! We are using Debian everywhere (company, home use,...) All the boxes that we have direct access to are running testing or even unstable. These are the boxes that are used for development, mail-reading,...
On the other hand, I don't want to run out, jump in my car and drive 45 min every time a new release of the "what-i-didnt-want-but-got-installed-anyway"-package is broken. Stable is for machines you want to keep running, really a long long time. I'm very glad it exists, and is still maintained through the stable/testing/unstable system.
But hey, I didn't panic when I saw this on slashdot (the update to 2.2r5), I'm pretty sure the security updates went flawlessly this night. (I didn't receive any phonecalls this night also, so that's helping a relief too...)
Bear in mind that it is only a 0.00001 release. If the creator wants integration between OSX and Simple GNUStep, applications should follow...
Also, I'm quite happy with this development. KDE and Gnome are nice for a home user, but many people don't want all the "all in one" integration. I prefer a fast and light system, configured to my own needs, with the correct application for every task.
I think, people who have to use their PC every day (at home or at work) want a quick and easy-to-use desktop. That is where Windowmaker comes in the picture. They also want a stable system (ah, linux, bsd or any other *nix). And with Apple moving over to the *nix side of the OS market,...
Let's hope it all turns out as an improvement for the *nix market. More apps on the platform I use, is a thing I can only be happy about.
The console makers lose a lot of money on the wages for the designers of the boards, and have to make money on selling the games. While they already have the board designed, they can only hope that more devices capable of playing their games will improve sales.
Also, people might want to buy a DVD-player from a well-known-source (one only wanting a DVD-player won't buy a Playstation) like Panasonic, but might be willing to spend a couple more bucks for the "extra" capabilities (like playing a game).
I personally think this is a good idea, because it can only boost the sales of the games, and so the original goal of the sales department of Sony is reached.
But, they need the 007 hack (or something similar without hardware mods) to enable their exploit.
:)...
That would mean they would have to split the prize money with the guys who discovered the 007 hack (don't know, it might even be the same group).
Well, $100k is a lot, they can split it up
i386 still is the best "average" build-target.
Running Windows, i would say... a Blue Fuse
l/p: nologin/nologin
The part about transmeta is in the second part, close to the end of the article...
Just my $.02
Indeed, the date is March 7th 2002, not April 7th 2002.
Kudos to CaptainMunchies...
There is no IPv6 because there is no demand.