public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user]  iptables wiki
@ 2006-07-05  3:07 james
  2006-07-05 10:03 ` Daniel
  0 siblings, 1 reply; 24+ messages in thread
From: james @ 2006-07-05  3:07 UTC
  To: gentoo-user


Hello,

I'm attempting to follow this wiki to build a test firewall running iptables:
http://gentoo-wiki.com/HOWTO_Iptables_for_newbies#QuickStart

Kernel is 'hardened' with netfilter et al activated.

It looks reasonable and is supposed to be up to date.

My nics are set up in /etc/conf.d/net
iface_eth0="192.168.2.20 broadcast 192.168.2.255 netmask 255.255.255.0"
iface_eth1="192.168.3.11 broadcast 192.168.3.255 netmask 255.255.255.0"
iface_eth2="<snipped>  broadcast <snipped> netmask 255.255.255.252"
routes_eth2=( "default gw <snipped>" )

All work fine.

port forwarding is enabled:

Rulesets get saved to /var/lib/iptables/rules-save
As specified in /etc/conf.d/iptables
and 
/etc/init.d/iptables is the script that launches iptables
plus  rc-update add iptables default

I think all of this is correct (correct me if I'm wrong).

When I go to /etc/init to write my rules into firewall.sh
as specified in the aforementioned wiki I automatically get
this shoved into the script:

#!/sbin/runscript
# Copyright 1999-2006 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: $
depend() {
}
start() {
}
stop() {
}
restart() {
}



Curiously, none of the examples talk about this.

Is this the correct place to put my script (/etc/init.d/), 
which is somewhat similar to the one suggested in the
wiki?


None of the examples I found googling discuss the details of where to put
the script, how to launch it and other such details. Any suggestions
are welcome. I have found lots of example scripts similar to my 3 nic
net/lan/dmz setup though.

Any suggestions are very welcome.

James




-- 
gentoo-user@gentoo.org mailing list




* Re: [gentoo-user]  iptables wiki
  2006-07-05  3:07 [gentoo-user] iptables wiki james
@ 2006-07-05 10:03 ` Daniel
  2006-07-05 15:28   ` [gentoo-user] " James
  0 siblings, 1 reply; 24+ messages in thread
From: Daniel @ 2006-07-05 10:03 UTC
  To: gentoo-user

james wrote:
> Hello,
> 
> I'm attempting to follow this wiki to build a test firewall running iptables:
> http://gentoo-wiki.com/HOWTO_Iptables_for_newbies#QuickStart
> 
> Kernel is 'hardened' with netfilter et al activated.
> 
> It looks reasonable and is supposed to be up to date.
> 
> My nics are set up in /etc/conf.d/net
> iface_eth0="192.168.2.20 broadcast 192.168.2.255 netmask 255.255.255.0"
> iface_eth1="192.168.3.11 broadcast 192.168.3.255 netmask 255.255.255.0"
> iface_eth2="<snipped>  broadcast <snipped> netmask 255.255.255.252"
> routes_eth2=( "default gw <snipped>" )
> 
> All work fine.
> 
> port forwarding is enabled:
> 
> Rulesets get saved to /var/lib/iptables/rules-save
> As specified in /etc/conf.d/iptables
> and 
> /etc/init.d/iptables is the script that launches iptables
> plus  rc-update add iptables default
> 
> I think all of this is correct (correct me if I'm wrong).
> 
> When I go to /etc/init to write my rules into firewall.sh
> as specified in the aforementioned wiki I automatically get
> this shoved into the script:
> 
> #!/sbin/runscript
> # Copyright 1999-2006 Gentoo Foundation
> # Distributed under the terms of the GNU General Public License v2
> # $Header: $
> depend() {
> }
> start() {
> }
> stop() {
> }
> restart() {
> }
> 
> 
> 
> Curiously, none of the examples talk about this.
> 
> Is this the correct place to put my script (/etc/init.d/), 
> which is somewhat similar to the one suggested in the
> wiki?
> 
> 
> None of the examples I found googling discuss the details of where to put
> the script, how to launch it and other such details. Any suggestions
> are welcome. I have found lots of example scripts similar to my 3 nic
> net/lan/dmz setup though.
> 
> Any suggestions are very welcome.
> 
> James
> 
> 
> 
> 

Actually IMHO Gentoo has an internal mechanism for dealing with iptables rules.

After you are ready and sure the rules work OK, you do:

1) /etc/init.d/iptables save

This would record your rules in /var/lib/iptables/rules-save as if you
issued the command "iptables-save > /var/lib/iptables/rules-save"


Then you put iptables in the init sequence so the rules are restored at
every system start:

2) rc-update add iptables default

This would do "iptables-restore < /var/lib/iptables/rules-save" at
every boot.


3) Additionally you can set some parameters in /etc/conf.d/iptables


Hope This Helps

--
Best regards
Daniel


* [gentoo-user]  Re: iptables wiki
  2006-07-05 10:03 ` Daniel
@ 2006-07-05 15:28   ` James
  2006-07-05 16:22     ` Richard Fish
  2006-07-05 16:32     ` Dale
  0 siblings, 2 replies; 24+ messages in thread
From: James @ 2006-07-05 15:28 UTC
  To: gentoo-user

Daniel <danny <at> ilievnet.com> writes:



> > When I go to /etc/init to write my rules into firewall.sh
> > as specified in the aforementioned wiki I automatically get
> > this shoved into the script:
> > 
> > #!/sbin/runscript
> > # Copyright 1999-2006 Gentoo Foundation
> > # Distributed under the terms of the GNU General Public License v2
> > # $Header: $
> > depend() {
> > }
> > start() {
> > }
> > stop() {
> > }
> > restart() {
> > }

> > Curiously, none of the examples talk about this.

> > Is this the correct place to put my script (/etc/init.d/), 
> > which is somewhat similar to the one suggested in the
> > wiki?

> > None of the examples I found googling discuss the details of where to put
> > the script, how to launch it and other such details. Any suggestions
> > are welcome. I have found lots of example scripts similar to my 3 nic
> > net/lan/dmz setup though.

> > Any suggestions are very welcome.

> > James

> Actually IMHO Gentoo has an internal mechanism for dealing with iptables rules.

> After you are ready and sure the rules work OK, you do:

> 1) /etc/init.d/iptables save

agreed, but only if I load the rules manually; i.e.
entering the rules via  the command line such as
in D. Robbins doc: 
http://gentoo-wiki.com/HOWTO_Iptables_and_stateful_firewalls#Should_I_take_this_tutorial
> This would record your rules in /var/lib/iptables/rules-save as if you
> issued the command "iptables-save > /var/lib/iptables/rules-save"

This will work if one loads the rules manually at the command line.
Where do I put a script of iptables commands, so it is read, the
rule sets generated and then saved into /var/lib/iptables/rules-save?



> Then you put iptables in the init sequence so the rules are restored at
> every system start:

Details on where to put the script and how best to 'load' it into the boot 
sequence via my script, is what is elusive. 

[A]  The best I can figure is
I put a script in /etc/, run it manually at the command line. The
ruleset will then be generated and saved into 
/var/lib/iptables/rules-save. Upon reboot, the /etc/init.d/iptables
script reads the /var/lib/iptables/rules-save file.

After that if I want to modify the rules, I edit my script, run
my script manually, then issue:
"iptables-save > /var/lib/iptables/rules-save" 
and my modifications are in the file that gentoo checks natively.

If I want to then test the rules, without rebooting, I issue:

/etc/init.d/iptables stop
/etc/init.d/iptables start

????
 
> 2) rc-update add iptables default

> This would do "iptables-restore < /var/lib/iptables/rules-save" at
> every boot.

yes, understood.

> 3) Additionally you can set some parameters in /etc/conf.d/iptables
understood.


What I'm looking for is the series of steps to 
1. Where best to locate my script?
2. Insert (new) commands into the script.
3. convert new scripted commands into rulesets 
4. Load rulesets into the /var/lib/iptables/rules-save
5.  Restart the iptables/netfilter firewall
6. Test the (new) ruleset
7. Go to step 2 and repeat until a wonderful firewall results.

If what I work above [A] is correct then I just need some suggestions
as to where the script should be located under /etc/, for 
consistency with gentoo mindsets.

If what I have written is incorrect, please correct with some detail?

PS: I'm not trying to be a pain, I just need to fully understand the
process on Gentoo.


James







* Re: [gentoo-user] Re: iptables wiki
  2006-07-05 15:28   ` [gentoo-user] " James
@ 2006-07-05 16:22     ` Richard Fish
  2006-07-05 18:30       ` James
  2006-07-05 16:32     ` Dale
  1 sibling, 1 reply; 24+ messages in thread
From: Richard Fish @ 2006-07-05 16:22 UTC
  To: gentoo-user

On 7/5/06, James <wireless@tampabay.rr.com> wrote:

> > 1) /etc/init.d/iptables save

> This will work if one loads the rules manually at the command line.
> Where do I put a script of iptables commands, so it is read, the
> rule sets generated and then saved into /var/lib/iptables/rules-save?

Anywhere you like.  All that matters is that you run it so your
iptables are set up like you want, then run "/etc/init.d/iptables save"
followed by "rc-update -a iptables default".

> After that if I want to modify the rules, I edit my script, run
> my script manually, then issue:
> "iptables-save > /var/lib/iptables/rules-save"

No, "/etc/init.d/iptables save" is the better choice.  The file might
move, or the format change, or something similar.

> If I want to then test the rules, without rebooting, I issue:
>
> /etc/init.d/iptables stop
> /etc/init.d/iptables start

Not necessary.  After running your script, the tables will be set up
according to the script, and you can test away.  You probably want
your script to have the following at the top:

iptables -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

This flushes all rules, and resets the default policies, so that only
the rules that you specify later take effect.  Very useful for
clearing out old artifacts of stuff...

> What I'm looking for is the series of steps to
> 1. Where best to locate my script?

Mine is in ~/bin/.

> 2. Insert (new) commands into the script.

$EDITOR

> 3. convert new scripted commands into rulesets
> 4. Load rulesets into the /var/lib/iptables/rules-save

Don't do this. Run your script, and let "/etc/init.d/iptables save" do
the work for you.

> 5.  Restart the iptables/netfilter firewall

If you flush/reset like I describe above, this is not necessary, just
run your script.

> If what I work above [A] is correct then I just need some suggestions
> as to where the script should be located under /etc/, for
> consistency with gentoo mindsets.

You can put it anywhere you like.  I prefer ~/bin/ since there I know
it is *not* something that Gentoo created.

-Richard

* Re: [gentoo-user]  Re: iptables wiki
  2006-07-05 15:28   ` [gentoo-user] " James
  2006-07-05 16:22     ` Richard Fish
@ 2006-07-05 16:32     ` Dale
  2006-07-05 16:45       ` James
  1 sibling, 1 reply; 24+ messages in thread
From: Dale @ 2006-07-05 16:32 UTC
  To: gentoo-user

James wrote:
>
> What I'm looking for is the series of steps to 
> 1. Where best to locate my script?
> 2. Insert (new) commands into the script.
> 3. convert new scripted commands into rulesets 
> 4. Load rulesets into the /var/lib/iptables/rules-save
> 5.  Restart the iptables/netfilter firewall
> 6. Test the (new) ruleset
> 7. Go to step 2 and repeat until a wonderful firewall results.
>
> If what I work above [A] is correct then I just need some suggestions
> as to where the script should be located under /etc/, for 
> consistency with gentoo mindsets.
>
> If what I have written is incorrect, please correct with some detail?
>
> PS: I'm not trying to be a pain, I just need to fully understand the
> process on Gentoo.
>
>
> James
>
>   

You can search around for a script to run.  I found one here:

http://openchemist.net/linux/howto/files/theWall

You can find others though that are more to your liking of course.  What
I did a long time ago is this.  I found a script that did what I needed
and downloaded it.  I then put it in /sbin and made it executable.  I
ran the command to make sure it would work.  After that I did a
/etc/init.d/iptables save and from then on it has worked.  I did have to
change a setting when I started using samba then save it again but it is
not too hard. 

Now figuring out the iptables command is another matter.  It never has
really made much sense to me.  I just searched for a good script and ran it.

Dale

:-)  :-)

* [gentoo-user]  Re: iptables wiki
  2006-07-05 16:32     ` Dale
@ 2006-07-05 16:45       ` James
  2006-07-05 17:27         ` Dale
  0 siblings, 1 reply; 24+ messages in thread
From: James @ 2006-07-05 16:45 UTC
  To: gentoo-user

Dale <teendale <at> vista-express.com> writes:


> Now figuring out the iptables command is another matter.  It never has
> really made much sense to me.  I just searched for a good script and ran it.


Well that I can help with.

Get the book LINUX FIREWALLS 
Third Edition
by Steve Suehring and Robert L. Ziegler

http://www.braingia.org/books/linuxfirewalls/ <has some modern scripts>



Thanks for the information!

James







* Re: [gentoo-user]  Re: iptables wiki
  2006-07-05 16:45       ` James
@ 2006-07-05 17:27         ` Dale
  2006-07-05 18:36           ` Steve Wilson
  0 siblings, 1 reply; 24+ messages in thread
From: Dale @ 2006-07-05 17:27 UTC
  To: gentoo-user

James wrote:
> Dale <teendale <at> vista-express.com> writes:
>
>
>   
>> Now figuring out the iptables command is another matter.  It never has
>> really made much sense to me.  I just searched for a good script and ran it.
>>     
>
>
> Well that I can help with.
>
> Get the book LINUX FIREWALLS 
> Third Edition
> by Steve Suehring and Robert L. Ziegler
>
> http://www.braingia.org/books/linuxfirewalls/ <has some modern scripts>
>
>
>
> Thanks for the information!
>
> James
>   

Yea, but I'm disabled and plus the bookstores around here don't carry
anything Linux.  So between me not having the money and nothing
available locally, I have to depend on the net for stuff.  I don't like
to buy books online because I like to thumb through them first.

Besides, I prefer finding someone's handiwork and checking it out.  One
day, my light bulb will go off.

Dale
:-)  :-)

* [gentoo-user]  Re: iptables wiki
  2006-07-05 16:22     ` Richard Fish
@ 2006-07-05 18:30       ` James
  2006-07-05 19:55         ` Richard Fish
  0 siblings, 1 reply; 24+ messages in thread
From: James @ 2006-07-05 18:30 UTC
  To: gentoo-user

Richard Fish <bigfish <at> asmallpond.org> writes:


> > Where do I put a script of iptables commands, so it is read, the
> > rule sets generated and then saved into /var/lib/iptables/rules-save?

> Anywhere you like.  All that matters is that you run it so your
> iptables are set up like you want, then run "/etc/init.d/iptables save"
> followed by "rc-update -a iptables default".

> > After that if I want to modify the rules, I edit my script, run
> > my script manually, then issue:
> > "iptables-save > /var/lib/iptables/rules-save"

> No, "/etc/init.d/iptables save" is the better choice.  The file might
> move, or the format change, or something similar.

> You probably want
> your script to have the following at the top:

> iptables -F
> iptables -P INPUT ACCEPT
> iptables -P OUTPUT ACCEPT
> iptables -P FORWARD DROP

Yes I've seen these.

Should I start the script with the typical shebang?
#! /bin/sh

or I've seen this:
#!/sbin/runscript

???

> This flushes all rules, and resets the default policies, so that only
> the rules that you specify later take effect.  Very useful for
> clearing out old artifacts of stuff...

> > What I'm looking for is the series of steps to
> > 1. Where best to locate my script?

> Mine is in ~/bin/.
not /bin/ ? 
interesting choice, under a user's dir.
/usr/local/bin/ might be appropriate too?

> > 2. Insert (new) commands into the script.
> $EDITOR

> > 3. convert new scripted commands into rulesets
> > 4. Load rulesets into the /var/lib/iptables/rules-save

> Don't do this. Run your script, and let "/etc/init.d/iptables save" do
> the work for you.

So my (edited) script issues new iptables commands
and the gentoo script converts these commands
into rulesets and stores them in /var/lib/iptables/rules-save?

> > 5.  Restart the iptables/netfilter firewall

> If you flush/reset like I describe above, this is not necessary, just
> run your script.

Yes those (4) lines go into my script, at the beginning.

Modified  series of steps to use my own script
1. Put the my-firewall.sh script in /usr/local/bin/ with '700' permissions.
2. "rc-update -a iptables default" (issue once )
3. Insert (new) commands into the script then run  my-firewall.sh.
4. run "/etc/init.d/iptables save" convert (new) script based
   commands into rulesets and load .   
5. Test the (new) script {rulesets}.
6. Go to step 3 and repeat until a wonderful firewall results.

Note, step 4 can be added to the end of my-firewall.sh to 
combine steps 3 and 4?


Correct me if I'm missing anything?


thanks,

James





* Re: [gentoo-user]  Re: iptables wiki
  2006-07-05 17:27         ` Dale
@ 2006-07-05 18:36           ` Steve Wilson
  2006-07-06  1:59             ` Dale
  0 siblings, 1 reply; 24+ messages in thread
From: Steve Wilson @ 2006-07-05 18:36 UTC
  To: gentoo-user

Have you tried kmyfirewall ?
Steve
On Wednesday 05 July 2006 12:27, Dale wrote:
> James wrote:
> > Dale <teendale <at> vista-express.com> writes:
> >> Now figuring out the iptables command is another matter.  It never has
> >> really made much sense to me.  I just searched for a good script and ran
> >> it.
> >
> > Well that I can help with.
> >
> > Get the book LINUX FIREWALLS
> > Third Edition
> > by Steve Suehring and Robert L. Ziegler
> >
> > http://www.braingia.org/books/linuxfirewalls/ <has some modern scripts>
> >
> >
> >
> > Thanks for the information!
> >
> > James
>
> Yea, but I'm disabled and plus the bookstores around here don't carry
> anything Linux.  So between me not having the money and nothing
> available locally, I have to depend on the net for stuff.  I don't like
> to buy books online because I like to thumb through them first.
>
> Besides, I prefer finding someone's handiwork and checking it out.  One
> day, my light bulb will go off.
>
> Dale
>
> :-)  :-)

-- 
Steve Wilson
HOBI International, Inc.
7601 Ambassador Row, suite 101
Dallas, TX 75247
ph 214.951.0143
fx 214.951.0144


* Re: [gentoo-user] Re: iptables wiki
  2006-07-05 18:30       ` James
@ 2006-07-05 19:55         ` Richard Fish
  0 siblings, 0 replies; 24+ messages in thread
From: Richard Fish @ 2006-07-05 19:55 UTC
  To: gentoo-user

On 7/5/06, James <wireless@tampabay.rr.com> wrote:
> or I've seen this:
> #!/sbin/runscript

This is only for init scripts in /etc/init.d/.  So no, don't use
this...use #!/bin/bash instead.

> /usr/local/bin/ might be appropriate too?

Yeah, that would work also...

>
> So my (edited) script issues new iptables commands
> and the gentoo script converts these commands
> into rulesets and stores them in /var/lib/iptables/rules-save?

Yep.

> 4. run "/etc/init.d/iptables save" convert (new) script based
>    commands into rulesets and load .
> 5. Test the (new) script {rulesets}.
> 6. Go to step 3 and repeat until a wonderful firewall results.
>
> Note, step 4 can be added to the end of my-firewall.sh to
> combine steps 3 and 4?

If you like.  But in fact step 4 can be moved to step 7 (er, step 6
once you renumber stuff), since you don't really need to save anything
until you are happy with the results.

-Richard
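
The edit / run / test / save cycle this sub-thread settles on, as a runnable sketch. This is an added example, not code from any poster or from Gentoo; the interface roles (eth0 as LAN, eth1 as DMZ, eth2 as uplink), the forwarding rules and the APPLY switch are assumptions for illustration.

```bash
#!/bin/bash
# my-firewall.sh -- added example. Plain shell script, not an init script,
# so it uses a normal shebang rather than #!/sbin/runscript.
#
#   ./my-firewall.sh                 print the commands only (default)
#   APPLY=1 ./my-firewall.sh         load the rules into the kernel (root)
#   APPLY=1 ./my-firewall.sh save    load, then persist for the next boot

# Assumed roles for the three NICs from the original post.
LAN_IF=eth0     # 192.168.2.0/24
DMZ_IF=eth1     # 192.168.3.0/24
EXT_IF=eth2     # uplink carrying the default route

APPLY=${APPLY:-0}

# Run iptables for real only when APPLY=1; otherwise show what would run.
ipt() {
    if [ "$APPLY" = 1 ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

reset_tables() {
    # The four lines suggested in the thread, policies as given there.
    # Note: INPUT ACCEPT leaves the firewall host itself unfiltered until
    # INPUT rules and a stricter policy are added.
    ipt -F
    ipt -P INPUT ACCEPT
    ipt -P OUTPUT ACCEPT
    ipt -P FORWARD DROP
    # "iptables -F" without -t touches only the filter table. User-defined
    # chains and the nat table survive it, and anything left over from an
    # earlier run would be captured by "save", so clear those as well.
    ipt -X
    ipt -t nat -F
    ipt -t nat -X
}

forward_rules() {
    # Illustrative rules only (assumption): replies to established flows,
    # LAN may reach the uplink and the DMZ, DMZ may reach the uplink.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -o "$EXT_IF" -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -j ACCEPT
    ipt -A FORWARD -i "$DMZ_IF" -o "$EXT_IF" -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
}

build_ruleset() {
    reset_tables && forward_rules
}

save_ruleset() {
    # Let the Gentoo init script write the rules file, as advised in the
    # thread, instead of redirecting iptables-save to a hard-coded path.
    if [ "$APPLY" = 1 ]; then
        /etc/init.d/iptables save
    else
        printf '%s\n' "/etc/init.d/iptables save"
    fi
}

case "${1:-}" in
    save) build_ruleset && save_ruleset ;;
    *)    build_ruleset ;;
esac
```
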

* Re: [gentoo-user]  Re: iptables wiki
  2006-07-05 18:36           ` Steve Wilson
@ 2006-07-06  1:59             ` Dale
  2006-07-06  7:37               ` Neil Bothwick
  0 siblings, 1 reply; 24+ messages in thread
From: Dale @ 2006-07-06  1:59 UTC
  To: gentoo-user

Steve Wilson wrote:
> Have you tried kmyfirewall ?
> Steve
> On Wednesday 05 July 2006 12:27, Dale wrote:
>   
>
>   

I didn't know it existed actually.  It would be so nice if there was
somewhere we could go to find out about all this stuff.  There is no
telling how many programs are out there that we have no clue exist.

That said, I use iptables and as long as it works . . . . . . .  I'll
check into it though.  It may be a while.  I'm getting married tomorrow
and I'll be gone for a while, honeymoon ya know.  ;-)

Thanks

Dale
:-)  :-)


* Re: [gentoo-user]  Re: iptables wiki
  2006-07-06  1:59             ` Dale
@ 2006-07-06  7:37               ` Neil Bothwick
  2006-07-06  8:22                 ` [gentoo-user] march in /etc/make.conf Pawel K
  2006-07-11  1:03                 ` [gentoo-user] Re: iptables wiki Dale
  0 siblings, 2 replies; 24+ messages in thread
From: Neil Bothwick @ 2006-07-06  7:37 UTC
  To: gentoo-user


On Wed, 05 Jul 2006 20:59:09 -0500, Dale wrote:

> > Have you tried kmyfirewall ?

> I didn't know it existed actually.  It would be so nice if there was
> somewhere we could go to find out about all this stuff.  There is no
> telling how many programs are out there that we have no clue exist.

http://packages.gentoo.org/packages/?category=net-firewall

or

eix -C firewall

> It may be a while.  I'm getting married tomorrow
> and I'll be gone for a while, honeymoon ya know.  ;-)

Congratulations!


-- 
Neil Bothwick

Why marry a virgin? If she wasn't good enough for the rest of them,
she isn't good enough for you.


* [gentoo-user] march in /etc/make.conf
  2006-07-06  7:37               ` Neil Bothwick
@ 2006-07-06  8:22                 ` Pawel K
  2006-07-06  8:35                   ` Dirk Heinrichs
                                     ` (2 more replies)
  2006-07-11  1:03                 ` [gentoo-user] Re: iptables wiki Dale
  1 sibling, 3 replies; 24+ messages in thread
From: Pawel K @ 2006-07-06  8:22 UTC
  To: gentoo-user

Hello

I've changed -march from pentium4 to pentium3 and
wanted to recompile everything. I've used the
following command to do that:

emerge --update --deep --newuse world

but only about 50% packages have been recompiled.

1) How can I recompile all of them ?
I don't want to download new packages, I just want to
recompile existing ones.

2) Can I work on that machine during recompilation. I
mean what happens with binaries that are currently
executed and need to be replaced with pentium3
compiled version ?
How should I replace e.g. /bin/bash or /usr/bin/gcc
with pentium3 version ?
I think that the only way is mount my root partition
on another system and copy the pentium3 binaries
manualy onto current pentium4 binaries. Do you know
other way ?

thank You for help


* Re: [gentoo-user] march in /etc/make.conf
  2006-07-06  8:22                 ` [gentoo-user] march in /etc/make.conf Pawel K
@ 2006-07-06  8:35                   ` Dirk Heinrichs
  2006-07-06  9:27                     ` Alexander Skwar
  2006-07-06  8:36                   ` Janusz Bossy
  2006-07-06  9:26                   ` Alexander Skwar
  2 siblings, 1 reply; 24+ messages in thread
From: Dirk Heinrichs @ 2006-07-06  8:35 UTC
  To: gentoo-user


On Thursday, 6 July 2006 10:22, ext Pawel K wrote:

First, please don't start a new thread by replying to an existing one 
(aka "Thread hijacking"). Thanks.

> I've changed -march from pentium4 to pentium3 and
> wanted to recompile everything. I've used the
> following command to do that:
>
> emerge --update --deep --newuse world
>
> but only about 50% packages have been recompiled.

Yes, but not because of the CFLAGS change. There have been new versions.

> 1) How can I recompile all of them ?

man emerge: --emptytree (-e)

> 2) Can I work on that machine during recompilation. I

Yes. Open files are not overwritten, so you can work with an application 
while a new version of it is being installed. However, problems can occur 
with applications that load modules at runtime (via dlopen() ). In that 
case, just restart the application after it has been recompiled.

Bye...

	Dirk
-- 
Dirk Heinrichs          | Tel:  +49 (0)162 234 3408
Configuration Manager   | Fax:  +49 (0)211 47068 111
Capgemini Deutschland   | Mail: dirk.heinrichs@capgemini.com
Hambornerstraße 55      | Web:  http://www.capgemini.com
D-40472 Düsseldorf      | ICQ#: 110037733
GPG Public Key C2E467BB | Keyserver: www.keyserver.net


* Re: [gentoo-user] march in /etc/make.conf
  2006-07-06  8:22                 ` [gentoo-user] march in /etc/make.conf Pawel K
  2006-07-06  8:35                   ` Dirk Heinrichs
@ 2006-07-06  8:36                   ` Janusz Bossy
  2006-07-21 11:56                     ` Enrico Weigelt
  2006-07-06  9:26                   ` Alexander Skwar
  2 siblings, 1 reply; 24+ messages in thread
From: Janusz Bossy @ 2006-07-06  8:36 UTC
  To: gentoo-user

On 7/6/06, Pawel K <pawlaczus@yahoo.com> wrote:
> 1) How can I recompile all of them ?
> I don't want to download new packages, I just want to
> recompile existing ones.

emerge -e

> 2) Can I work on that machine during recompilation. I
> mean what happens with binaries that are currently
> executed and need to be replaced with pentium3
> compiled version ?

There is no problem with that. Yesterday I did an emerge -C xorg-x11
while xorg was running, then compiled xorg-x11 again and restarted the
X server. All is working fine, except I couldn't start the
applications that were built against X when I didn't have it. Don't
worry Linux isn't Windows :)

> How should I replace e.g. /bin/bash or /usr/bin/gcc
> with pentium3 version ?

It will be done automatically.

-- 
Regards
Janusz YANOUSHek Bossy
gg# 791964
tlen yanoushek@tlen.pl
jabber yanoushek@chrome.pl

* Re: [gentoo-user] march in /etc/make.conf
  2006-07-06  8:22                 ` [gentoo-user] march in /etc/make.conf Pawel K
  2006-07-06  8:35                   ` Dirk Heinrichs
  2006-07-06  8:36                   ` Janusz Bossy
@ 2006-07-06  9:26                   ` Alexander Skwar
  2006-07-06 10:29                     ` Neil Bothwick
  2 siblings, 1 reply; 24+ messages in thread
From: Alexander Skwar @ 2006-07-06  9:26 UTC
  To: gentoo-user

Pawel K wrote:
> Hello
> 
> I've changed -march from pentium4 to pentium3 and
> wanted to recompile everything.

What does this have to do with the "iptables wiki"? IOW: Please
do *NOT* capture threads! Do *NOT* reply to a message and change
the subject, when you want to start a new thread! Thanks.

> I've used the
> following command to do that:
> 
> emerge --update --deep --newuse world
> 
> but only about 50% packages have been recompiled.
> 
> 1) How can I recompile all of them ?

That's because of the "--newuse" and "--update". If you want
to recompile everything, do "emerge --emptytree --deep world"

> I don't want to download new packages, I just want to
> recompile existing ones.

You might have to download packages; eg. if there were changes
without a revision change.

And if you don't want new packages, then --update was wrong in
the first place.

> 2) Can I work on that machine during recompilation.

Generally speaking, yes, you can. Your system will be slower,
but that's of course to be expected, as it is busy.

> I
> mean what happens with binaries that are currently
> executed and need to be replaced with pentium3
> compiled version ?

They'll be replaced.



Alexander Skwar
-- 
The more laws and order are made prominent, the more thieves and
robbers there will be.
		-- Lao Tsu

* Re: [gentoo-user] march in /etc/make.conf
  2006-07-06  8:35                   ` Dirk Heinrichs
@ 2006-07-06  9:27                     ` Alexander Skwar
  2006-07-06  9:46                       ` Dirk Heinrichs
  2006-07-06  9:50                       ` Uwe Thiem
  0 siblings, 2 replies; 24+ messages in thread
From: Alexander Skwar @ 2006-07-06  9:27 UTC
  To: gentoo-user

Dirk Heinrichs wrote:

> Yes. Open files are not overwritten,

Uh? Open files *ARE* overwritten! That's Linux, not Windows or HP-UX!

Alexander Skwar
-- 
The more laws and order are made prominent, the more thieves and
robbers there will be.
		-- Lao Tsu

* Re: [gentoo-user] march in /etc/make.conf
  2006-07-06  9:27                     ` Alexander Skwar
@ 2006-07-06  9:46                       ` Dirk Heinrichs
  2006-07-06  9:50                       ` Uwe Thiem
  1 sibling, 0 replies; 24+ messages in thread
From: Dirk Heinrichs @ 2006-07-06  9:46 UTC
  To: gentoo-user


On Thursday, 6 July 2006 11:27, ext Alexander Skwar wrote:
> Dirk Heinrichs wrote:
> > Yes. Open files are not overwritten,
>
> Uh? Open files *ARE* overwritten! That's Linux, not Windows or HP-UX!

Hmm, how does it work, then? Because the old version is still in memory?

Bye...

	Dirk
-- 
Dirk Heinrichs          | Tel:  +49 (0)162 234 3408
Configuration Manager   | Fax:  +49 (0)211 47068 111
Capgemini Deutschland   | Mail: dirk.heinrichs@capgemini.com
Hambornerstraße 55      | Web:  http://www.capgemini.com
D-40472 Düsseldorf      | ICQ#: 110037733
GPG Public Key C2E467BB | Keyserver: www.keyserver.net


* Re: [gentoo-user] march in /etc/make.conf
  2006-07-06  9:27                     ` Alexander Skwar
  2006-07-06  9:46                       ` Dirk Heinrichs
@ 2006-07-06  9:50                       ` Uwe Thiem
  2006-07-06 10:13                         ` Alexander Skwar
  1 sibling, 1 reply; 24+ messages in thread
From: Uwe Thiem @ 2006-07-06  9:50 UTC (permalink / raw
  To: gentoo-user

On 06 July 2006 10:27, Alexander Skwar wrote:
> Dirk Heinrichs wrote:
> > Yes. Open files are not overwritten,
>
> Uh? Open files *ARE* overwritten! That's Linux, not Windows or HP-UX!

No, open files are not overwritten. The new file with the same name (and path 
of course) is written to disk, true, but the old file still exists and the 
blocks it occupies on disk are not freed until the file is closed.

Uwe

-- 
Mark Twain: I rather decline two drinks than a German adjective.
http://www.SysEx.com.na
-- 
gentoo-user@gentoo.org mailing list



^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: [gentoo-user] march in /etc/make.conf
  2006-07-06  9:50                       ` Uwe Thiem
@ 2006-07-06 10:13                         ` Alexander Skwar
  2006-07-21 11:51                           ` Enrico Weigelt
  0 siblings, 1 reply; 24+ messages in thread
From: Alexander Skwar @ 2006-07-06 10:13 UTC (permalink / raw
  To: gentoo-user

Uwe Thiem wrote:
> On 06 July 2006 10:27, Alexander Skwar wrote:
>> Dirk Heinrichs wrote:
>> > Yes. Open files are not overwritten,
>>
>> Uh? Open files *ARE* overwritten! That's Linux, not Windows or HP-UX!
> 
> No, open files are not overwritten. The new file with the same name (and path 
> of course) is written to disk, true, but the old file still exists and the 
> blocks it occupies on disk are not freed until the file is closed.

Well, depends on how you define "open files are overwritten". On
Linux, it is like you say. But on Windows and HP-UX, you CANNOT
replace a file, if it's still opened somewhere. E.g. you cannot
replace /bin/sh. Instead, a new file will be created and after
a reboot, the new file will be moved in place (that's how it
works on HP-UX, on Windows you cannot overwrite opened files.).

What I mean: On Linux, you can replace /bin/sh even if it is used.
You cannot overwrite the used inodes/blocks, that's absolutely
correct, but that's not what I meant.

Alexander Skwar
-- 
The more laws and order are made prominent, the more thieves and
robbers there will be.
		-- Lao Tsu
-- 
gentoo-user@gentoo.org mailing list



^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: [gentoo-user] march in /etc/make.conf
  2006-07-06  9:26                   ` Alexander Skwar
@ 2006-07-06 10:29                     ` Neil Bothwick
  0 siblings, 0 replies; 24+ messages in thread
From: Neil Bothwick @ 2006-07-06 10:29 UTC (permalink / raw
  To: gentoo-user

[-- Attachment #1: Type: text/plain, Size: 360 bytes --]

On Thu, 06 Jul 2006 11:26:55 +0200, Alexander Skwar wrote:

> Generally speaking, yes, you can. Your system will be slower,
> but that's of course to be expected, as it is busy.

Setting PORTAGE_NICENESS in make.conf will help here, but there'll still
be some slowdown.


-- 
Neil Bothwick

I am Locutus of Borg; your tagline will be assimilated!

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: [gentoo-user]  Re: iptables wiki
  2006-07-06  7:37               ` Neil Bothwick
  2006-07-06  8:22                 ` [gentoo-user] march in /etc/make.conf Pawel K
@ 2006-07-11  1:03                 ` Dale
  1 sibling, 0 replies; 24+ messages in thread
From: Dale @ 2006-07-11  1:03 UTC (permalink / raw
  To: gentoo-user

Neil Bothwick wrote:
> On Wed, 05 Jul 2006 20:59:09 -0500, Dale wrote:
>
>>> Have you tried kmyfirewall ?
>
>> I didn't know it existed actually.  It would be so nice if there was
>> somewhere we could go to find out about all this stuff.  There is no
>> telling how many programs are out there that we have no clue exists.
>
> http://packages.gentoo.org/packages/?category=net-firewall
>
> or
>
> eix -C firewall
>
>> It may be a while.  I'm getting married tomorrow
>> and I'll be gone for a while, honeymoon ya know.  ;-)
>
> Congratulations!

OK.  I'm back.  I have a new piece of jewelry now.  ;-)

I never could figure out that eix command.  Man page may as well be
Greek.  I'm starting to get a !little! used to equery though.  Guess
they'll pull it next.  O_O

Dale
:-)  :-)
-- 
gentoo-user@gentoo.org mailing list



^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: [gentoo-user] march in /etc/make.conf
  2006-07-06 10:13                         ` Alexander Skwar
@ 2006-07-21 11:51                           ` Enrico Weigelt
  0 siblings, 0 replies; 24+ messages in thread
From: Enrico Weigelt @ 2006-07-21 11:51 UTC (permalink / raw
  To: gentoo-user

* Alexander Skwar <listen@alexander.skwar.name> wrote:

Hi,

> Well, depends on how you define "open files are overwritten". On
> Linux, it is like you say. But on Windows and HP-UX, you CANNOT
> replace a file, if it's still opened somewhere. Eg. you cannot
> replace /bin/sh. Instead, a new file will be created and after
> a reboot, the new file will be moved in place (that's how it
> works on HP-UX, on Windows you cannot overwrite opened files.).
> 
> What I mean: On Linux, you can replace /bin/sh even if it used.
> You cannot overwrite the used inodes/blocks, that's absolutely
> correct, but that's not what I meant.

ACK. 

I'll try to explain the logic behind it in a little more detail:

On Linux (and probably other Unix'ish kernels), files are not
identified by names, but by inode IDs. The name is just a pointer
to the file, just like a DNS-name->IP-addr mapping ;-)
Many such pointers to some file may exist. Only when all pointers
are removed (open fd's are also considered pointers) does the file
actually get removed. That's why the syscall used for removing
a file is called unlink(): it just removes the given name but
does not actually delete it.

When you intend to replace some file, you've got two choices
(from the kernel's view):

a) Open the existing file, probably truncate it, and write the new
   data. If someone has opened this file, he will see the changes
   you made. If the file has been mmap'ed into some process, it will
   see the changes immediately in its address space. Therefore files
   should be locked (at least the used regions), so an accidental
   overwrite (which may cause ugly crashes) can be prevented. AFAIK
   on Linux, .TEXT segments are always locked when they get mapped in
   (you get "busy" when trying to write there).

b) Create a new file under the old name, either by renaming or
   unlink'ing the old file. Here you've got no problem w/ other
   processes holding the file open, since you actually have
   two different files. The new file only gets accessed when
   you (re)open the file and thus let the kernel do a new
   name->inode lookup.


BTW: when coding installers for running systems (which in fact
is the case in >90%), do not use cp (at least GNU coreutils),
since it *overwrites* the existing file (case a). This will
fail on used .TEXT (=executable code) files, since they're locked,
and will most likely produce problems with other open files.
If writing the file does not run almost immediately, you should
first write to some temporary file (on the same filesystem!)
and then do a quick rename (unlink(..) ; rename(..)) so nobody
tries to use unfinished files.

And be very careful when you reinstall your (running) installer!
Several years ago, glibc had a critical problem which screwed up
your system on install over the running system: it first removed
the /lib/ld.so and /lib/libc* symlinks and then recreated them by
separately calling the /bin/rm and /bin/ln binaries. If they weren't
linked statically, it killed itself - /bin/ln couldn't be executed
since libc was unusable at that moment. Using the -s flag to ln instead
of calling rm did the trick.

I have no idea how careful emerge is here ...


cu
-- 
---------------------------------------------------------------------
 Enrico Weigelt    ==   metux IT service - http://www.metux.de/
---------------------------------------------------------------------
 Please visit the OpenSource QM Taskforce:
 	http://wiki.metux.de/public/OpenSource_QM_Taskforce
 Patches / Fixes for a lot dozens of packages in dozens of versions:
	http://patches.metux.de/
---------------------------------------------------------------------
-- 
gentoo-user@gentoo.org mailing list



^ permalink raw reply	[flat|nested] 24+ messages in thread
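
Added example (not part of the message above, and not code from any project named in this thread): the two replacement strategies (a) and (b) from that message, run against a file that a reader already holds open. The file name inode_demo.txt and all function names are assumptions made for this illustration; case (b) uses rename() alone, which replaces an existing target atomically.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Write data to fd, flush it to disk and close it; 0 on success. */
static int write_all(int fd, const char *data) {
    size_t len = strlen(data);
    int ok = write(fd, data, len) == (ssize_t)len && fsync(fd) == 0;
    return (close(fd) == 0 && ok) ? 0 : -1;
}
/* Case (a): truncate and rewrite the existing inode (what cp does). */
static int overwrite_in_place(const char *path, const char *data) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    return fd < 0 ? -1 : write_all(fd, data);
}
/* Case (b): temp file in the same directory, then rename() over the name. */
static int replace_by_rename(const char *path, const char *data) {
    char tmp[4096];
    snprintf(tmp, sizeof tmp, "%s.XXXXXX", path);
    int fd = mkstemp(tmp);
    if (fd >= 0 && write_all(fd, data) == 0 && rename(tmp, path) == 0) return 0;
    if (fd >= 0) unlink(tmp);
    return -1;
}
/* 1 if a reader that already holds path open sees the new data, 0 if it
 * still sees the old data, -1 on error. *same_inode: name == held inode? */
int holder_sees_new(const char *path, int in_place, int *same_inode) {
    struct stat held, named;
    char buf[16] = {0};
    if (overwrite_in_place(path, "old\n") != 0) return -1;
    int fd = open(path, O_RDONLY);              /* the "running" user */
    if (fd < 0) return -1;
    int ok = (in_place ? overwrite_in_place : replace_by_rename)(path, "new\n") == 0
             && fstat(fd, &held) == 0 && stat(path, &named) == 0
             && pread(fd, buf, sizeof buf - 1, 0) >= 0;
    close(fd);
    unlink(path);
    *same_inode = ok && held.st_dev == named.st_dev && held.st_ino == named.st_ino;
    return ok ? strcmp(buf, "new\n") == 0 : -1;
}
int main(void) {
    int same = -1, seen = holder_sees_new("inode_demo.txt", 1, &same);
    printf("in place: holder sees new=%d, same inode=%d\n", seen, same);
    seen = holder_sees_new("inode_demo.txt", 0, &same);
    printf("rename:   holder sees new=%d, same inode=%d\n", seen, same);
    return 0;
}
```

mkstemp() creates the temporary file with mode 0600, so an installer using this pattern would also set the final mode and ownership before the rename.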

* Re: [gentoo-user] march in /etc/make.conf
  2006-07-06  8:36                   ` Janusz Bossy
@ 2006-07-21 11:56                     ` Enrico Weigelt
  0 siblings, 0 replies; 24+ messages in thread
From: Enrico Weigelt @ 2006-07-21 11:56 UTC (permalink / raw
  To: gentoo-user

* Janusz Bossy <janusz.bossy@gmail.com> wrote:

Hi,

> There is no problem with that. Yesterday i did an emerge -C xorg-x11
> while xorg was running, then compiled xorg-x11 again and restarted the
> X server. All is working fine, except I couldn't start the
> applications that were built against X when I didn't have it. Don't
> worry Linux isn't Windows :)

Yeah, you probably replaced monolithic by modular and forgot to
emerge several libs. Or the ABI has changed.

I'm really glad I got rid of the monolithic monster w/o major
impacts. Yeah, a complete modular build takes a little bit longer
than monolithic due to snoozy autofool ... but I can accept this
price for having a smaller and more clearly structured installation.


cu
-- 
---------------------------------------------------------------------
 Enrico Weigelt    ==   metux IT service - http://www.metux.de/
---------------------------------------------------------------------
 Please visit the OpenSource QM Taskforce:
 	http://wiki.metux.de/public/OpenSource_QM_Taskforce
 Patches / Fixes for a lot dozens of packages in dozens of versions:
	http://patches.metux.de/
---------------------------------------------------------------------
-- 
gentoo-user@gentoo.org mailing list



^ permalink raw reply	[flat|nested] 24+ messages in thread

end of thread, other threads:[~2006-07-21 12:05 UTC | newest]

Thread overview: 24+ messages
2006-07-05  3:07 [gentoo-user] iptables wiki james
2006-07-05 10:03 ` Daniel
2006-07-05 15:28   ` [gentoo-user] " James
2006-07-05 16:22     ` Richard Fish
2006-07-05 18:30       ` James
2006-07-05 19:55         ` Richard Fish
2006-07-05 16:32     ` Dale
2006-07-05 16:45       ` James
2006-07-05 17:27         ` Dale
2006-07-05 18:36           ` Steve Wilson
2006-07-06  1:59             ` Dale
2006-07-06  7:37               ` Neil Bothwick
2006-07-06  8:22                 ` [gentoo-user] march in /etc/make.conf Pawel K
2006-07-06  8:35                   ` Dirk Heinrichs
2006-07-06  9:27                     ` Alexander Skwar
2006-07-06  9:46                       ` Dirk Heinrichs
2006-07-06  9:50                       ` Uwe Thiem
2006-07-06 10:13                         ` Alexander Skwar
2006-07-21 11:51                           ` Enrico Weigelt
2006-07-06  8:36                   ` Janusz Bossy
2006-07-21 11:56                     ` Enrico Weigelt
2006-07-06  9:26                   ` Alexander Skwar
2006-07-06 10:29                     ` Neil Bothwick
2006-07-11  1:03                 ` [gentoo-user] Re: iptables wiki Dale
