[01:56] New bug: #303835 in openssh (main) "Typo in ssh_config man page" [Undecided,New] https://launchpad.net/bugs/303835
[01:59] Hi, I have this ubuntu server which still does not route packets across its 2 NICs, even though I have enabled net.ipv4.ip_forward=1 in /etc/sysctl.conf. Routing on both gateway and clients is as shown at http://paste.ubuntu.com/78524/ . Can anyone help? Thanks.
[02:02] vertx: Did you sudo sysctl -p after editing sysctl.conf?
[02:08] Hi, I have this ubuntu server which still does not route packets across its 2 NICs, even though I have enabled net.ipv4.ip_forward=1 in /etc/sysctl.conf. Routing on both gateway and clients is as shown at http://paste.ubuntu.com/78524/ . Can anyone help? Thanks.
[02:10] 15:02:36 < jmarsden> vertx: Did you sudo sysctl -p after editing sysctl.conf?
[02:13] vertx: If you ask questions, it is recommended practice to then listen for answers :)
[02:28] jmarsden: Sorry for the late reply. I had left my computer for a moment, then the network just went bust on me :(
[02:28] hads: I had restarted the server and done what you recommended beforehand. This is the output http://paste.ubuntu.com/78535/
[02:29] hads: As you can see, both subnets are private. Should I do a masquerade through iptables?
[02:31] vertx: Routing doesn't care about private or not IPs, it routes the way you tell it to...
[02:33] So, did I do anything wrong with the routing? The subnets are 192.168.0.0/24 and 192.168.1.0/24. What do you suggest I do, for client and server?
[02:36] The server has eth0 as 192.168.0.1 and eth1 as 192.168.1.1, right?
[02:37] on two separate ethernets?
[02:40] vertx: No firewalls of any kind active? ufw disabled? No rules visible in sudo /sbin/iptables -L output?
[02:40] jmarsden: The server has 192.168.0.2 on eth0 and 192.168.1.1 on eth1. They are physically separate NICs. No iptables rules currently applied
[02:42] Sure looks like it should be routing packets between those NICs to me.
So at present a client on the 192.168.0.0/24 can ping 192.168.0.2 but not 192.168.1.1 or anything else on that 192.168.1.0/24 subnet?
[02:43] Do you want it to be routing frames between the networks?
[02:44] (or datagrams?)
[02:44] ball: I'd say yes... the original q was: "I have this ubuntu server which still does not route packets across its 2 NICs, even though I have enabled net.ipv4.ip_forward=1 ..."
[02:45] jmarsden: at the moment the client (192.168.1.243) can ping 192.168.1.1 and 192.168.0.2, but cannot ping 192.168.0.3 and others :(
[02:45] Ah okay. I missed that.
[02:45] I need to add a NIC or two to this server, but I don't want routing or bridging.
[02:46] vertx: This is odd. Anything being logged in /var/log/messages that could be relevant?
[02:46] hello
[02:46] jmarsden: let me check ...
[02:47] does anyone know how to access a hostname that is on a dhcp network
[02:48] yes
[02:48] sort of.
[02:48] L1NUX_1NS1DE: from outside, or from the LAN?
[02:48] from a lan
[02:48] I setup a computer that I want to access
[02:49] I setup eth0 connection to get a dhcp address
[02:49] L1NUX_1NS1DE: Easiest way may be to tell your DHCP server to give that machine the same IP address every time. That's what I do.
[02:49] hmm.
[02:49] oko
[02:49] cul
[02:49] I'll try it
[02:50] good luck
[02:50] thanks
[02:50] thanks for the help
[02:50] ;)
[02:50] you're welcome.
[02:50] jmarsden: there are only some dhcp related messages that I can see :(
[02:51] It sounds like the kernel really is not forwarding your packets.
[02:51] I think you should hit it with a hammer
[02:52] jmarsden: yes that seems to be the problem. weird huh?
[02:53] Does Ubuntu Server come with any power management functionality?
[02:53] ball: that would be a great idea :)
[02:53] Sorry, got to go for a moment. BRB
[02:54] OK... when you get back try cat /proc/sys/net/ipv4/ip_forward and tell us what it says
[02:58] ball: I'm sure it does...
sudo apt-get install powertop is one way to find out how your system is doing in that regard
[02:58] Thanks
[02:58] I've not tried that on a Ubuntu Server, only desktop -- but I can't imagine they would have removed all the power mgmt from server kernels...
[02:58] I'm tinkering and I wanted to take measurements with a Wattmeter in "suspend" and "hibernate"
[02:59] jmarsden: I can see why they might, but if it's there I don't know how to access it.
[03:00] I'm not sure if this is a client or server problem, but I am trying to run a PXE client with an NFS root and I can get to a login prompt but when I try to login I get the error "nfs: server [ip] not responding, still trying"
[03:00] nemoego: Can you mount that NFS share from another (non PXE) client machine OK?
[03:02] jmarsden: yeah, and watching syslog, I can see the client mount the share during the init process, but I'm not sure that it's getting mounted properly as / later..
[03:02] Is there a command-line way to invoke suspend or hibernate?
[03:02] http://ubuntuforums.org/showthread.php?t=329902
[03:04] nemoego: Hmm. I'm not a PXE/thin client kind of person... sounds like you need one...
[03:05] jmarsden: lol, yeah been working on this all day, surprised my FF hasn't crashed with the number of tabs I have open..
[03:06] nemoego: OK... NFS I'm fairly comfortable with, but not the whole thin client thing. Not needed it (yet)...
[03:07] I seem to lack /etc/acpi
[03:08] ball: Maybe the machine concerned doesn't support ACPI?
[03:08] jmarsden: that's possible
[03:09] Can you play with apmd and maybe find out?? APM is older, ACPI is newer, I think...
[03:09] sudo aptitude install acpid
[03:10] Ah, dmesg tells me that ACPI interpreter was disabled due to an error of some sort.
[03:13] vertx: Are you back here yet?
[03:14] how can I download all the Ubuntu Server Guide files from (https://help.ubuntu.com/8.10/serverguide/C/index.html) for OFFLINE Viewing ?
[03:14] Bah, can't ACPI and can't apm.
[03:14] I'll have to go back to this project on a desktop machine
[03:17] nomingzi: I think there is a package ubuntu-serverguide ?
[03:17] nomingzi: failing that, you can always use wget
[03:17] So you can install that: sudo apt-get install ubuntu-serverguide
[03:21] jmarsden: many thanks, I am a newbie
[03:21] nomingzi: No problem. After installing that package the files are all under /usr/share/ubuntu-serverguide/
[03:23] jmarsden: can you assist me with how to share this folder so that I can view it from another Ubuntu-Desktop ?
[03:24] nomingzi: That's more work... easy way is to just install it on each desktop machine? Is that workable for you, or are we talking about hundreds of desktops?
[03:27] If you have openssh-server set up on the machine already and you are accessing it from a user that has shell access to the server, just use sftp. No more setup needed.
[03:27] At least in Dolphin (the KDE file manager) you can make a persistent link to it so you don't have to remember it.
[03:27] jmarsden: I'm just trying to learn Ubuntu-Server
[03:27] Dunno about Gnome, but I assume you can do something similar.
[03:28] nomingzi: OK, then go through the guide about networking, and then learn about Samba or NFS for file sharing.
[03:29] I have to go anyway.
[03:30] I am a newbie, and expecting more CLI (after I switch from Ubuntu-Desktop), maybe you can provide me a better start/guide to learn Ubuntu-Server :P thanks
[03:34] jmarsden: do you know the proper fstab entry for a NFS root? I have "/dev/nfs / nfs 1 1 " per https://help.ubuntu.com/community/DisklessUbuntuHowto#Creating%20your%20NFS%20installation
[03:36] nemoego: Looks reasonably sane to me. But I'm more commonly using NFS for /home or other (non-root) partitions.
[03:39] nemoego: You left out a column? /dev/nfs / nfs defaults 1 1
[03:40] ah, forgot to type, it's there
[03:40] OK.
[03:40] jmarsden: is there a way I can get more verbose log output from nfs-kernel-server ? maybe filenames as they are accessed?
[03:41] Yow! Probably... might be as easy to run wireshark and look at the network traffic though?
[03:43] jmarsden: good point. Just commented out NFS root fstab line, no change. Either it never mounted or fstab has nothing to do with it...
[03:44] If you want to try it your way, I think rpcdebug may turn on some extra debugging output from the kernel for you. But... I've never used it.
[03:45] nomingzi: For basic command line stuff, try http://tldp.org/LDP/intro-linux/html/intro-linux.html
[03:56] jmarsden: that helped a lot. "sudo rpcdebug -m nfsd -s fileop" logs all accessed files to syslog; client seems to have nfs access when I try to log in (access to shadow) but after I type the password there is access to faillog and then nothing. I checked faillog but it is empty. any ideas?
[03:57] Sounds like an authentication issue... the login is failing?
[03:58] in that case I should get kicked back to a login prompt, yes?
[03:59] I mean, would a bad login attempt break the connection to the NFS server?
[04:00] Not sure... as root, if there are existing NFS shares mounted as root? Maybe. man 5 faillog and man 8 faillog really suggest the login is failing to me.
[04:09] created new user, same error. I think I'll try again later using a full install as a base for my nfs root instead of using debootstrap...
[04:09] thanks for the help tho
[04:09] OK... at least you made some progress...
[04:10] yeah, gotta appreciate what you got
[05:51] aside from dmesg, is there an easy way to tell whether an Ubuntu server has sound hardware?
[06:05] ball: Try aplay -l ?
[06:05] lspci
=== jussio1 is now known as jussi01
[08:12] I am a newbie, I use OpenSSH & remote logon to ubuntu-server. How do I use wget to download a folder into my PC ?
[08:13] You would need a web/ftp-server to do so
[08:13] Then: wget (http|ftp)://URL/FOLDER
[08:21] Jeeves_: should I install web/ftp service into my remote ubuntu-server ?
[08:22] Or just use scp
[08:24] better to use rsync
[08:25] Or scp
[08:25] nomingzi: scp or rsync will work as well
[08:26] many thanks Jeeves_ philsf hads
[08:30] morning
[08:35] jmarsden: Whew, didn't realize that the meeting took hours. Sorry. FYI, cat /proc/sys/net/ipv4/ip_forward yields a 1.
[09:40] <_ruben> hmm .. apt-listchanges can hook into apt at install time, tho I'd rather generate a changelog-overview for packages that would be installed by apt-get (dist-)upgrade, any hints on performing such a task?
[09:41] <_ruben> using the --download-only option to apt-get might do the trick
[10:01] <_ruben> shame, it doesn't
[11:54] zul: ping
=== lamont` is now known as lamont
[12:24] * \sh needs some advice...php + upload file size + post_max_size == works with sizes <= 2G...everything above the magic 2GB frontier doesn't work (hardy/intrepid + amd64 server)
[12:25] what client are you using?
[12:25] for example, at some point in history, wget couldn't download files bigger than 2GB
[12:26] <\sh> ivoks: it's not a download thing...it's that firefox, ie, safari and opera are uploading the whole 3.5GB file without any problems...but php dies :)
[12:26] <\sh> ivoks: well, not exactly dying...it just throws the upload away
[12:27] <\sh> ivoks: simple form in a html gives you that :)
[12:27] on which filesystem?
[12:28] <\sh> ivoks: choose one...I use ext3 and xfs here :)
[12:28] <\sh> ivoks: and tmp location for tmp upload crap..is big enough...I think 1TB is enough :)
[12:28] filesystems on linux haven't been an issue for quite some time. is it apache 2.2?
[12:29] <\sh> maswan: more php itself...really...
[12:29] <\sh> maswan: and yes..apache2.2 + php5
[12:29] \sh: Ok. Well, php is crap, don't use it? ;)
[12:29] <\sh> maswan: grmpf..can't, development needs it :)
[12:31] \sh: Well, you better get started at fixing php then. :)
[12:33] <\sh> maswan: looks like :)
[12:33] <\sh> maswan: btw..what about your visit to Karlsruhe? any news?
:)
[12:34] * \sh needs to plan his birthday party ,)
[12:37] Oh, right. Let me see when that ended up.
[12:40] January 14/15 2009
[12:40] <\sh> maswan: that's wed + thu after the 11th ... are you in .de before that? :) well, actually those days are also quite ok...for having a beer or two in the evening :)
[12:44] PHP isn't THAT bad, is it? I have some qualms with it, but meh... I guess Python is the hot new web scripting platform
[13:03] yarp yarp
[13:05] <\sh> maswan / ivoks: http://bugs.php.net/bug.php?id=44522 <- there it is :) yay
[13:10] <\sh> and reading the php source, both variables which could be the cause are already "long" ... which means the bug is somewhere else
[13:11] Hi, I'm trying to get the ebox platform running on top of a Jeos 8.04.1 install in virtualbox in order to set up a virtual fileserver. Unfortunately the ebox network module doesn't seem to like jeos, the network module won't run. google doesn't turn up anything useful, can anyone point me to some specialized support forum or irc channel?
[13:14] \sh: oh, nice :D
[13:14] <\sh> ivoks: looks like I found the real bugger in rfc1867.c
[13:15] <\sh> I'll try to prove my guess and rebuild with a patch which should fix it...and then...let's see :)
[13:27] \sh: er...what?
[13:27] <\sh> zul: http://bugs.php.net/bug.php?id=44522
[13:27] ah ok
[13:28] <\sh> zul: if you set post_max_size and max_upload_filesize to >2GB it doesn't work in php5 ...
but sourcewise: post_max_size and max_upload_filesize are already defined as long...but not max_file_size in rfc1867.c which holds later on the max_upload_filesize ;-)
[13:29] sounds like fun
[13:29] <\sh> zul: but to be sure, I'm rebuilding hardy php5 with a "guessed" fix and testing it to see if I'm right
[13:29] k
[13:30] <\sh> zul: if I'm right, I'll file a bug on LP...with debdiffs and fixes...for hardy, intrepid and jaunty...hopefully someone can sponsor at least for jaunty...and for {hardy,intrepid}-proposed
[13:34] \sh: yep no problem just remember to add the test case for the SRU
[13:34] <\sh> zul: hmm...can I upload >2GB files to LP? ,-)
[13:35] well no just how to reproduce it :)
[13:38] \sh: so, find a big p0rn movie for test case :)
[13:48] hi, how would I be able to get a date that is exactly 6 weeks in the past, using the date command
[13:49] check google
[13:50] oh, I just got it
[13:50] date -d "6 weeks ago"
[13:56] zul: the fix for bug 286828 is marked "Fix committed", but I couldn't find it in the Changelog... do you know in which update we can expect to find it ?
[13:56] Launchpad bug 286828 in linux "Access to samba 3.0.24-3.0.25 shares using CIFS is broken on 8.10" [High,Fix committed] https://launchpad.net/bugs/286828
[13:57] Koon: that's the kernel bug isn't it?
[13:57] the nodfs one
[13:57] zul: yes, should I ping rtg about it ?
[13:57] gimme a sec..
[13:58] yeah
[13:58] bug him
[14:01] bug who?
[14:01] poor rtg, he's too nice
[14:02] Koon: it's sitting in the git tree though maybe there is an update coming soonish
[14:02] zul: yeah, I'm just trying to calm down the "where is the fix that is due to us" lousy MAS owners.
[14:03] NAS
[14:03] take care guys
[14:03] yeah I saw
[14:03] Steve's response was obviously a little too complicated for them.
[14:04] meh..
[14:04] I simplified it: "your stuff is broken, but since we are extremely nice, we'll help you"
[14:05] now I'm trying to counter the "when?" answer
[14:06] what's the problem?
[14:08] ivoks: the fix is marked 'Fix committed' and a few impatient guys are apt-get-updating every minute to see if there is a new kernel coming up with the fix.
[14:09] :)
[14:10] someone should tell them that it's easy to git clone kernel tree and build kernel
[14:44] Koon: ping were you doing any merges today so we don't duplicate the work?
[14:45] zul: nope
[14:45] I just pushed a sync this morning (syslog-ng)
[14:46] Koon: cool beans I'm just doing the samba merge now
[15:25] soren: did you get a chance to review the open-iscsi package?
[15:41] hello
[15:42] Does anyone know how to setup ssh between a server and client computer
[15:42] L1NUX_1NS1DE: Lots of us do. Please ask your specific question.
[15:43] L1NUX_1NS1DE: It'd also be nice if you could manage a nick that wasn't all caps.
[15:45] and less l33t :D
[15:45] *shrugs* ... I always see nicks as personal names. do you really want to change your personal name for someone else's preference?
[15:46] L1NUX_1NS1DE: install and run openssh
[15:48] I'll do some googling on the matter
[15:48] if I run into some trouble I'll know who to ask
[15:48] I'll just idle
[15:48] L1NUX_1NS1DE: why not read the official ubuntu documentation about the topic?
[15:49] I'm reading a tutorial on setting up shared keys
[15:49] but I'll try that too
[15:49] thanks
[15:49] L1NUX_1NS1DE: that is another topic than your first question
[15:50] hmmm....
[15:50] you never asked about setting up key authentication between client and server
[15:50] by default you authenticate against the ssh server using a user and password
[15:51] yes
[15:51] well I was able to ssh to the server
[15:51] but I did not have the correct password
[15:52] I'm reading this:
[15:52] http://inside.mines.edu/~gmurray/HowTo/sshNotes.html
[15:53] https://help.ubuntu.com/community/SSHHowto
[16:14] haha!
[16:14] it works!
[16:14] I setup a paired key ssh login
[16:16] does the host file support ports?
[16:16] like localhost:1234
[16:16] ports
[16:16] I'm not sure
[16:17] I just used the default user@servername.org
[16:17] that's a very useful answer
[16:17] well I'm sort of a noob with servers
[16:18] cumulus007: which host file?
[16:18] jmedina: /etc/hosts
[16:19] I don't know...
[16:20] cumulus007: that is, that file is useful to resolve host names, not ports
[16:20] cumulus007: why do you want to do that?
[16:20] thanks jmedina
[16:20] jmedina: I want to configure my PC so: when I go to localhost:portnumber, a web page on a server opens
[16:20] oh
[16:21] I think you'll have to configure the web server
[16:21] you mean with a browser?
[16:21] no the webserver
[16:21] you'll have to configure the port that apache listens to
[16:21] I think the default is 8080
[16:21] jmedina: yes
[16:23] never mind, I have already fixed it.
[16:27] what is a good ftp server to use
[16:27] ?
[16:31] I like pure-ftpd
[16:32] pure-ftpd
[16:32] hmm..
[16:33] right now I'm using vsftpd
[16:41] mathiaz: Are we having a server team meeting tomorrow?
[16:41] ScottK: AFAICT yes
[16:41] mathiaz: OK. I'll update the agenda then (just added an item).
[16:55] Hey everyone, I just joined the team and I'm still finding my way around
[16:56] Could you tell me where the agenda is located? Is it on the team wiki?
[16:58] Nevermind - I got it on a lucky guess
[17:22] New bug: #304047 in samba (main) "package samba 2:3.2.3-1ubuntu3.3 failed to install/upgrade: subprocess post-installation script returned error exit status 1" [Undecided,New] https://launchpad.net/bugs/304047
=== L1NUX_1NS1DE is now known as cathode
=== cathode is now known as kizer
[17:38] hello again
[17:38] I was wondering what actions I should take to secure a server
[17:39] What port I should turn off
[17:39] or change
[17:39] which firewall to use
[17:39] etc..
[17:40] kizer: What Ubuntu version are you running?
[17:41] I guess it's not the smartest thing to do but I'm running 8.10
[17:41] why
[17:42] just how hacked can a linux server get?
[17:42] and could it compromise an entire network
[17:42] ?
[17:44] currently I'm running web, torrentflux and pure-ftp (with username/password login) on my server
[17:44] *webmin
[17:45] kizer, heh 'hacked'
[17:45] Well 8.10 is fine to be running. Webmin, not so much.
[17:45] a system is only as secure as the person who administers it
[17:46] kizer: 8.10 comes with ufw (stands for uncomplicated firewall) installed already, you just need to configure it.
[17:46] Ubuntu Server by default does not have any ports open, so nothing to close. Additional stuff you've added will change that, of course.
[17:47] kizer, and linux has only one fw that I know of
[17:49] ok
[17:50] that's a relief
[17:51] kizer: I have no idea what webmin opened up though. You've installed that from a 3rd party repository, so we know nothing about what that package does.
[17:51] so would it be good practice to change password every month or so
[17:51] with webmin I changed the default port
[17:51] Faust-C: That's true, but for someone just starting, writing iptables rules themselves by hand is probably not the best idea.
[17:52] ScottK, I was gonna refer to ufw which is just a frontend to iptables
[17:52] from what I read ufw's syntax is similar to pf
[17:52] webmin comes with a webgui interface for changing ip rules conveniently enough
[17:52] I like that
[17:52] Faust-C: yes, I already mentioned ufw to him.
[17:52] kizer, imo I wouldn't get too comfy w/ webmin
[17:54] well it's certainly a handy way of admin'ing a server
[17:54] well I'll see what I could do with ufw
[17:54] oh
[17:55] what are some useful commands for seeing open ports and processes that are running on certain ip's or ports?
[17:56] kizer: see man ufw.
[17:56] kizer: netstat -pant
[17:56] thanks
[17:57] kizer: Shows you open TCP sockets, and their application names.
Use "sudo" with that as the -p switch is restricted.... "sudo netstat -pant"
[17:58] yeah that command is really helpful
[17:58] it shows that I'm connected via ssh to the server
[17:58] but, there's another port that's open
[17:59] you can also do "sudo netstat -panu" (shows UDP ports)
[17:59] I don't know what service is running from there
[17:59] thanks
[17:59] What's the port ?
[18:00] for tcp it's 139
[18:00] Open services are usually in the "LISTEN" state, and the address will give you a hint of what interface is allocated to it. 0.0.0.0 means "all" interfaces.
[18:00] grep 139/tcp /etc/services?
[18:00] ohh....
[18:00] probably linked to samba
[18:01] hmm...
[18:01] there are at least ten ports that are listening
[18:01] In some cases you can use "telnet" to investigate the nature of the service running on a certain port. try it with some web-server and you'll see.... just type "GET" once connected to a port 80...
[18:01] s/telnet/nc/
[18:01] k
[18:02] * jmedina also likes to use lsof to check for open ports
[18:02] lsof -i
[18:03] oh
[18:03] ok all these ports make sense
[18:04] Simply using "netstat" won't show you firewalls, since the firewall is "above" the OS service layer. That means that even if you can see the open ports in a LISTEN state - the firewall might block those ports. Test that by trying to connect to the ports with - for example - telnet.
[18:04] I recognize the ports affiliated with these services
[18:04] nmap?
[18:04] I should change ssh from its default port
[18:04] rich?
[18:04] right?
[18:05] No need.
[18:05] it's ok the way it is
[18:05] ?
[18:05] Yes.
[18:05] New bug: #303458 in samba (main) "segfault in pam_smbpass.so" [Undecided,New] https://launchpad.net/bugs/303458
[18:05] thanks ball nmap is the right tool for the job
[18:06] I use it every day. It's a handy thing.
[18:06] kizer: By changing ports for the ssh-service, you will not achieve much security wise. A determined hacker will be able to detect a running ssh-service regardless of port-mapping.
[18:06] right...
[18:06] ok
[18:07] ... however, ssh is rather secure if you keep it at a good patch-level.
[18:07] noted!
[18:07] * ball tends to describe ssh as "less insecure than Telnet" ;-)
[18:08] well I think I'm just about ready to deploy my server for ready use
[18:08] kizer: what are you using it for?
[18:08] ftp server and remote torrent box
[18:08] If you are really anal about networking security, you could change it to a really high port, let's say, 63040. I don't know why you would do that tho and how much it would add to security.
[18:08] hmmm...
[18:09] would protect you against generic scans
[18:09] casual hackers looking for easily exploitable machines
[18:09] port knocking? ;-)
[18:09] rtorrent?
[18:09] Deeps: yes.
but the scan itself is nothing to worry about.
[18:09] well unless my server bursts into flames I guess I'll be ok with the security for now
[18:09] disabling root logins also helps (stupid that it's enabled by default)
[18:09] kizer: If you care about security, pick something other than ftp.
[18:09] nafallo: torrentflux!
[18:10] what about it?
[18:10] sftp
[18:10] torrent flux has a webgui
[18:10] been there, contributed code, gone back
[18:10] I would like some alternative to nfs that was less insecure.
[18:10] and it's quite usable
[18:11] ball: nfs over vpn? ;)
[18:11] kizer: disable root-login, keep a good patchlevel, use passwords that have no real words in them and use a rudimentary firewall and your server will be mega-hard to "hack/break".
[18:11] ..via ssh
[18:11] sweet
[18:11] ... via a network.
[18:11] thanks for all your help guys!
[18:11] Deeps: Yeah, I suppose that could work at a push.
[18:11] if you're running any other internet visible services that aren't firewalled off, they're also exploitable
[18:11] kizer: it's not as usable as the fork, tf-b4rt.
[18:12] kizer: also, I don't think tflux ever committed my patches for IPv6 support.
[18:12] k
[18:12] ball: nfs is insecure, if you want something really secure, you can use AFS :D
[18:12] * ball suspects jmedina is joking
[18:12] Deeps: yeah, however a simple DROP default rule in the firewall will provide all the security needed.
[18:12] so I should just set firewall rules to restrict access to those services to a select pool of IPs
[18:13] with the ftp
[18:13] http://www.openafs.org/
[18:13] I have username and password login enabled
[18:13] ball: http://www.openafs.org/
[18:13] kizer: you configure your firewall with ALLOW for only those services you want to expose. Let's say SSH. ALL other protocols are DROP.
[18:13] ok
[18:13] erik78se: I know that, and you know that, not everyone in here may know that though ;)
[18:14] Deeps: cheers =)
[18:14] but I could still access the services via the local network?
[18:14] just not through the internet gateway?
[18:14] kizer: That's in total 2 rules. <1> from * allow SSH <2> from * deny *
[18:14] back shortly
[18:15] I saw afs and thought it was part of AppleTalk btw.
[18:15] ok
[18:15] Then you can refine those rules...
[18:15] so I won't be able to access the ssh?
[18:15] <1> from internal_network allow SSH <2> from * deny *
[18:15] I'm a bit confused
[18:16] where would I edit this setting
[18:16] !ufw | kizer
[18:16] through ufw
[18:16] Sorry, I don't know anything about ufw
[18:16] ubottu: fail
[18:16] Sorry, I don't know anything about fail
[18:16] k
[18:16] lies
[18:16] kizer: Yes. The first rule tells you "who" can access ssh. The second rule says "nobody can access anything". The rules are applied from top to bottom....
[18:16] thanks erik
[18:17] oh ohh oh
[18:17] sorry you had to explain that
[18:17] I understand now
[18:17] kizer: good, happy to help.
[18:19] iptables is really easy to configure, once you understand that the rules are "applied" from top to bottom and that at the bottom you should ALWAYS have "from * drop *" (the syntax is different ofc). From there, you can create super-safe firewalls.
[18:20] You can "practice" iptables by trying out "fwbuilder" and try to create a simple firewall.
[18:21] Start by doing that "from * drop *". That will effectively shut out everything. Then add one rule at a time until your firewall works as you intend.
[18:22] Helpful to debug is to do : "from * drop * log" .... that will show you what is actually dropped by the firewall.
[18:24] I changed the default app policy to "DENY"
[18:46] hello again
[18:46] has anyone had any experience with setting up wakeup-on-lan
[18:47] I'm reading some documentation on it but it seems a bit complicated
[18:50] yes
[18:50] it works for me
[18:50] (at least, to an extent)
[18:57] kizer: what are you trying to do?
[19:05] I'm trying to setup server to wakeup on LAN
[19:05] So I could turn the computer on from anywhere
[19:06] kizer: I was going to try that, but couldn't get my Ubuntu Server box to suspend or hibernate.
[19:06] Realistically servers are usually on 24/7 anyway, but I have to test these things.
[19:08] yeah but I'm sorta on a budget as far as power consumption and wouldn't mind shutting down the system when I know it's not going to be used
[19:08] kizer: that's fair enough.
[19:08] yup green is good
[19:09] make sure you wake it up in time to do its cron jobs though
[19:09] I'm reading a tutorial on how to set it up
[19:09] (backup etc.)
[19:09] here
[19:09] http://ubuntuforums.org/showthread.php?t=234588
[19:09] cron can also wake up the machine?
[19:09] That said, my current Ubuntu Server box is burning 33W.
[19:10] that's pretty decent
[19:10] kizer: cron on another machine might be able to wake your server. I've never tried the rtc alarm clock thing, but that might be another option.
[19:10] right
[19:11] but I would just want to have the server be able to wakeup on LAN regardless of the computer that's waking it up
[19:11] All I have to do is know the mac address of the NIC
[19:11] Usually I have the server up 24/7 and the users switch off their workstations when they're done.
[19:11] I can turn those on from the server
[19:12] (via ssh)
[19:12] nice...
[19:12] ...do some remote admin, then turn them back off
[19:12] That works if they Hibernate too, but not if they "suspend".
[19:12] but how can you turn them on... remotely
[19:12] I suspect shoddy firmware.
[19:12] oh oh
[19:13] kizer: I run "wakeup" on the server.
[19:13] ok
[19:13] guys, how can I edit the boot runlevel ?
[19:13] while they're in suspend mode
[19:13] ?
[19:14] kizer: while they're switched off, or in hibernate.
[19:14] If it's just suspended, I can't revive it.
[19:14] (pet peeve)
[19:14] it isn't an easy thing in ubuntu...
[19:14] oh
[19:15] Hmm... I need to fix my Ubuntu Server box. Perhaps its CMOS setting for WoL is wrong.
[19:16] so is there an alternate way of setting up a server to boot remotely even if it's turned off
[19:16] besides WOL
[19:16] or is WOL the only way to go
[19:16] short of a hardware solution, WoL seems the most likely candidate.
[19:17] ok then WOL it is
[19:17] of course, then you need some way to connect to a workstation or VPN in.
[19:17] could you explain how WOL could be setup
[19:17] I've been reading some things on the net
[19:18] kizer: on the machine to be woken, I go in and make sure the CMOS setup program ("BIOS") is configured to allow WoL.
[19:18] yes, I believe I did that
[19:18] ...then on the machine that's doing the waking, I make sure I have the wakeup program.
[19:18] I'll check the repos
[19:18] ok
[19:18] In practice I have a shell script on the server
[19:18] I just type "wake"
[19:18] ...and the workstations all wake up
[19:18] nice, nice
[19:19] I have to make a script eventually as well
[19:19] my script is incredibly simple
[19:19] yeah I made a script to ease the long command I use for logging into the server via ssh
[19:20] ok
[19:20] each machine has two lines: the first is just a comment with the machine's name, the second is "wakeup {macaddr}"
[19:20] ok
[19:20] e.g. "wakeup 00:02:a5:97:88:b2"
[19:20] (without the quotes ;-)
[19:20] and you just input that to the prog to wake up the remote system
[19:21] ok
[19:21] I think I understand the setup now
[19:21] I'll get started on it
[19:21] kizer: well, just having that line in the shellscript calls wakeup (which is the WoL program) and provides it with a MAC address to wake up.
[19:21] thanks for your help
[19:22] No problem. I hope it works for you. I see too many offices filled with machines left on all night.
[19:22] With screensavers that don't.
[19:22] yeah let's save some coal
[19:22] ...and the monitors left switched on and DPMS turned off.
[19:22] :-(
[19:25] Wish I could fix that Suspend issue though
[19:25] Standby, whatever
[19:27] what program did you use to execute remote wakeup
[19:29] I found this program called etherwake
[19:30] kizer: it may be the same program, let me check
[19:31] most likely...
[19:37] kizer: all it does is generate the "magic packet" anyway.
[19:38] ball: did you have to install anything on the remote machines you wanted woken up or just set the BIOS to have WOL enabled
[19:38] just set the BIOS
[19:38] (and perhaps the O.S. ...depends what you're running)
[19:39] the OS?
[19:39] * ball nods
[19:40] how so?
[19:40] what needs to be set for the OS
[19:40] FYI I'm running ubuntu
[19:40] Ah okay. I imagine that will "just work" then.
[19:41] sweet
[19:41] I know last time I tried it I got similar results: Off and Hibernate will WoL. Suspend won't.
[19:41] I suspect the firmware is at fault.
[19:42] hmm... can help you there
[19:42] have you tried googling your issue
[19:43] hello folks... I want to enable root account on my servers... but to allow people to connect from ttys *only* - ie no su - root from ssh
[19:43] I tried many many things... got nothing to work.. any suggestion?
[19:44] I tried /etc/security/access.conf... /etc/securetty... /etc/login.defs... enabling it in pam... it seems to be possible to restrict this in 10 different ways but none works :(
=== jdstrand_ is now known as jdstrand
[19:51] I've spent the day trying to get ebox working inside a virtualbox virtual machine (hardy host & guest). Neither a jeos install nor a virtual install of the ebox-installer iso gave me a working result. I'm using ubuntu hardy as host and guest.
I'm able to login to the virtual ebox-machine but if i try to access the network configuration or the system module all i get is "Page not found" or... [19:51] ..."Really nasty bug..." Is ebox currently broken? [19:57] stefg: hay may i know "ebox" what for? what is the purpose to using ebox/ [19:58] !ebox | LoveGuru [19:58] LoveGuru: ebox is a web-based GUI interface for administering a server. It is designed to work with Ubuntu/Debian style configuration management. See https://help.ubuntu.com/community/eBox [19:58] ScottK: thx. [19:59] stefg: ebox works fine on hardy...have not run it in a vm. Do you receive anything in syslog or messages? [19:59] ahh "warning" for 8.10 [20:00] stefg: other than your 404 error [20:02] zoopster, LoveGuru : nothing particular. I started doing a jeos install, then adding the ppa-repo for the latest stabel ebox packages and installed ebox-samba ... didn't work, could not enable the firewall & network module, thus NO SAMBA [20:03] tehn i thought: ok, jeos might be a bit too stripped down and tried the ebox installer (hardy-server with post installation script)... same result. At the moment i'm not even sure wether i'm looking at an ebox- or a virtualbox problem [20:04] wow that was automagical! [20:05] I used etherboot and the server started up!Q [20:05] awsome [20:05] there is a (debian-based) live CD which i could run in virtualbox... that one worked, so i guess is an ebox problem and some package might be missing [20:05] it's just wonderful when something just works [20:06] kizer: in turn it's just frustrating if something does not, and you don't get a clue why [20:06] * ball returns, avec hot chocolate. [20:09] stefg: assume you have ebox-firewall and ebox-network installed, correct? [20:10] seeing as samba requires them..you must have [20:10] zoopster: right... 
[20:11] so this is actually a straightforward thing... and i have ebox running on real hardware, so i know it works there. But inside a VM i can't get it to work
[20:13] i tried the -server and -virtual kernel, tried the stock hardy version of ebox (0.11.something) and the ppa-repo version (0.12.3) ... doesn't make any difference
[20:16] ATM i'm not even considering a bug report, because that 'doesn't work' type of report doesn't help anybody
[20:21] so let me ask the other way 'round: did anyone in here succeed in getting ubuntu-server with ebox on top to run inside a virtualbox vm?
[20:53] stefg: i never tried "ebox" well will try it. inside the VMware
=== liberfiasco is now known as libervisco
[20:57] LoveGuru: would be nice... i suspect that the virtual network adapters in vm's confuse the ebox network conf module. If vmware works, but virtualbox doesn't we found something out ...
[21:01] jdstrand: I think this merge is still pending for ufw: https://code.edge.launchpad.net/~didrocks/ufw/case-insensitive-app/+merges :)
[21:01] didrocks: yes it still is :(
[21:01] didrocks: however, I have not broken my promise to you-- it will be the first thing I do when I get back to ufw
[21:02] didrocks: I hope to get back to it soonish
[21:02] jdstrand: no problem. It was just a reminder to not break the merge ;)
[21:03] jdstrand: take your time. You have a UDS to prepare :D
[21:03] :)
[21:05] <\sh> opennms + ejabberd + mail + opennms dashboard on ubuntu ==> rock hard management compatible tool
[21:06] <\sh> especially when the dashboard is displayed on a very big, very full hd flat screen
=== bdmurray_ is now known as bdmurray
[21:18] morning all
[21:19] I'm getting some weird entries in my /var/log/mail.log regarding Dovecot: Dec 1 19:00:11 foobar dovecot: pop3-login: Disconnected: user=, method=PLAIN, rip=200.219.227.216, lip=72.14.177.56
[21:19] <\sh> hmm...what is the best way to see the filecache memory on the CLI?
=== liberfiasco is now known as libervsico
[21:19] I have at least 100 of those entries, all with different usernames. Is this someone just trying to connect - or have they actually connected, and disconnected (it's the wording 'disconnected' that is worrying me!)
=== libervsico is now known as libervisco
[21:37] AlexC_: Sounds like someone is trying a small scale dictionary attack. if you see entries with "dovecot: pop3-login: Login: user=" from that same remote IP, then you should be worried -- it means they guessed a password correctly.
[21:38] If you see all the "unwanted" login attempts are from the same IP or same subnet, you can block them with an iptables rule or similar filtering.
[21:40] jmarsden|work, awesome, at least they are not successful logins then
[21:40] Correct.
[21:41] You can verify by manually connecting (telnet servername 110) and doing user foo and then pass bar and then quit... and look at your resulting log entries.
[21:41] thanks =)
[21:41] jmarsden|work, ah, good idea
[21:41] s/telnet/nc/ !
[21:41] netcat, not telnet!
[21:42] Deeps: Both work equally well :)
[21:42] untrue, telnet process can block and not allow you to ^C exit in some cases
[21:43] Deeps: Give me a way to duplicate that. when connecting to a POP3 server...
[21:43] BTW you would usually ctrl-] close in telnet, not ctrl-c...
[21:44] non-standard approach, most programs will respond to ctrl+c, like netcat ;)
[21:44] * jmarsden|work has been telnetting to POP3 and SMTP servers for testing since at least 1994. Read the telnet man page.
[21:44] telnet pop3.telefonica.net 110
[21:44] +OK POP3 PROXY server ready (7.2.078)
[21:45] at which point ctrl+c fails, ctrl+] works fine mind
[21:45] why would you ctrl-c at that point, you can type quit ... you just need to know the POP3 commands...
[21:46] well you're specifying to pop3 servers now, i was generalising when i recommended nc over telnet
[21:46] No. you were responding to a specific suggestion to telnet to a POP3 server.
[21:46] Oh well.
[21:46] although if there are 2 solutions to a problem, one uses a more commonly used approach, the other uses a special syntax and requires knowledge of the protocol + man page reading to get right, which would be the preferred approach for newbies? ;)
[21:47] jmarsden|work, tailing the logs, and doing what you said - I see no such message when an auth fails
[21:48] I get '-ERR Authentication failed.' within telnet, though nothing in the logs
[21:48] AlexC_: Hmm, and when you then quit the telnet session... still no disconnect??
[21:48] jmarsden|work, ah, when quitting I get: pop3-login: Aborted login (1 authentication attempts): user=, method=PLAIN,
[21:49] AlexC_: Well, that's close... I suspect you didn't exit the session cleanly or something, to get that.
[21:49] jmarsden|work, I typed 'quit'
[21:50] is there another way of closing it?
[21:53] AlexC_: OK, got it... it is the other way around... telnet servername 110 then user foo pass bar, then ctrl- and then ctrl-c and you'll get the "disconnected" message.
[21:53] So whoever is trying passwords is not typing the quit command, apparently.
[21:54] ctrl- ? Missing a letter out there?
[21:54] * should have been "then ctrl-] and then ctrl-c ..." above
[21:55] jmarsden|work, ahh I see. Awesome, also just closing the terminal gets the same
[21:55] OK. Anyway, that confirms the diagnosis.
[21:55] Is there any way I can up the log level, so it actually says failed attempt (so I can get Fail2Ban picking it up and blocking them)
[21:56] I don't know. I have a daily script that greps through my maillogs and uses sort and uniq to show me any probable offenders doing this, then I block them by hand... there's probably a way to automate that further.
[21:57] ok, well I'll look into it later on - at least I know what these messages are now =) Thanks for all the help, put my mind at rest!
[21:57] No problem.
[22:04] i'm trying to set up ndoutils-nagios2-mysql, but it keeps on getting stalled saying "dbconfig-common: flushing administrative password"
[22:18] i have a sun x4100 which supports 64 bit
[22:18] should I install 64-bit ubuntu server 8.10 ?
[22:19] if there are lots of issues with pkgs I'd rather not
=== jare_ is now known as Jare
[23:05] axisys: what application are you running?
[23:12] dana_good: it will be mainly lamp
[23:12] should work fine 64bit
[23:13] also I have two disks in this x4100 amd opteron server.. how do I install it using mirror raid ?
[23:13] soft or hard? which version of ubuntu?
[23:15] yann2: soft
[23:15] yann2: intrepid
[23:15] you can get hard raid with x4100 , why use a soft raid?
[23:16] yann2: of course still deciding if I should go with 64 bit or 32 bit and alternate or regular server iso
[23:16] why not use 64bits? it's a 64bits server :)
[23:16] yann2: so get the 64bit alternate iso ?
[23:16] axisys: if you're using SAS drives do HW raid
[23:16] yeah
[23:17] how many disks do you have?
[23:17] dana_good > I had a bug using soft + hard raid on a x4100 not longer than a week ago, very annoying
[23:18] ok how do I do it w/ hard raid? i have two SAS disks
[23:18] yann2: i have very little experience with those sort of issues. 99% of my linux boxes are vms.
[23:18] how many disks do you have?
[23:19] yann2: 2
[23:19] it was quite specific to my install.. maybe you won't run into it
[23:19] right so you won't :) my bug was with 4 disks, 2 raid 1, grub was installing on the wrong virtual disk
[23:19] do I get the alternate iso or regular server iso?
[23:20] i didnt know there was a server alternate :)
[23:20] but go for hardware raid
[23:20] where did you get that x4100? :P
[23:20] yann2: ok how do I do the hardware raid ?
[23:20] yann2: work
[23:20] during the boot, it will tell you "to configure blah press ctrl+key"
[23:20] ctrl-a or ctrl-q
[23:20] not sure
[23:21] boot it, it tells you at some point :)
[23:21] yann2: tnx
[23:22] yann2: i am a solaris guy.. this will be my first ubuntu 64bit server
[23:22] good luck... I had a hard time getting my hands on solaris 10 on my t1000 :)
[23:22] i have been using ubuntu since 5.04
[23:23] yann2: solaris is a joke for me
[23:23] yann2: but hopefully this will be fun too
[23:23] in my laptop i am using ubuntu
[23:23] you can't run vms on x4100 you know that :)
[23:24] yann2: not planning to
[23:29] yann2: should I be able to install it from console?
[23:29] yann2: i dont have any gui
[23:29] yann2: connected to it thru SP
[23:31] yes
[23:31] normal debian-installer
[23:31] SP should be fine
[23:32] but there is a VGA port :)
[23:33] yann2: i know.. but i am doing the installation remotely
[23:51] New bug: #304194 in mysql-dfsg-5.0 (main) "package mysql-server-5.0 5.0.67-0ubuntu6 failed to install/upgrade: el subproceso post-installation script devolvió el código de salida de error 1" [Undecided,New] https://launchpad.net/bugs/304194
=== boshhead_ is now known as moreon
=== moreon is now known as boshhead