=== Lcawte is now known as Lcawte|Away | ||
=== Lcawte|Away is now known as Lcawte | ||
lordievader | Good morning. | 10:01 |
---|---|---|
=== Lcawte is now known as Lcawte|Away | ||
nasix | Hi everybody! | 13:09 |
nasix | I have a question regarding Apache. Actually I've done all my search and found nothing! | 13:10 |
nasix | I want to run a simple CGI script to execute an application like xterm. | 13:11 |
lordievader | Xterm with apache as a parent? Sounds like a bad idea. | 13:11 |
bekks | OUCH | 13:12 |
nasix | Really? | 13:12 |
nasix | Ok | 13:12 |
bekks | Yes. | 13:12 |
nasix | Thank you for your response | 13:12 |
nasix | Actually I want to let some clients to run some application on my server | 13:13 |
nasix | and | 13:13 |
bekks | No need to use enter as punctuation sign. | 13:13 |
nasix | then send the application window to that specific user | 13:14 |
bekks | That's not how a webserver works. | 13:14 |
nasix | Is there a good way to do so? | 13:14 |
nasix | I don't want to let those client have ssh or something like that to my server | 13:15 |
bekks | The only usable solution I do know of is a Citrix XENDesktop Web Server. | 13:15 |
nasix | let me google it... | 13:17 |
nasix | So this is a Desktop virtualization software. | 13:20 |
nasix | But my final target is to let my clients run some specific applications like firefox or so. | 13:21 |
nasix | I don't want to let them see the whole desktop environment | 13:22 |
Schalla | This sounds borked imho. | 13:22 |
Schalla | Where is the usecase for this? | 13:22 |
bekks | The usecase is to give a user a desktop or application via web. | 13:23 |
nasix | We have a single Linux machine which can access the internet. | 13:23 |
maswan | well, if you only want to run command line tools, you can have a browser terminal | 13:23 |
nasix | We should not connect any other machine to the internet | 13:23 |
maswan | graphical stuff the only reasonable way I know of is complete remote desktops | 13:23 |
maswan | or ssh with X forwarding | 13:24 |
nasix | can you check my cgi-script: http://paste.ubuntu.com/14457834/ | 13:26 |
Schalla | bekks: Doesn't make that more sane? Or is it only me? | 13:26 |
Schalla | (The idea with apache spawning applications) | 13:26 |
bekks | Schalla: Basically it's not apache which spawns the processes, but a small application (the citrix receiver, even webbased) which does it. On the client. | 13:27 |
nasix | when I run this as a bash script, it goes well | 13:27 |
Schalla | Got a small question regarding software raid, I created via ubuntu server installation a degraded raid 1 and added then later on a new partition (this is a vm, but I will do the same later on a physical server), is it normal that the number is 0 and 2? | 13:30 |
Schalla | https://i.imgur.com/TU4cE2V.png | 13:30 |
Schalla | The sync worked as intended after adding and the degraded state is also gone, just wondering about the number + minor | 13:30 |
nasix | bekks: Of course when I set DISPLAY variable to something like 192.168.1.108:0 , I can see its window on that client. (192.168.1.108) | 13:30 |
bekks | nasix: The mechanism behind that is totally different. | 13:31 |
nasix | bekks: I can see the window for a short time and then it closes automatically. | 13:32 |
nasix | bekks: what is that mechanism? | 13:33 |
nasix | bekks: can you shed light on that or guide me to some reference? | 13:34 |
bekks | nasix: citrix provides a lot of technical documentation. | 13:34 |
nasix | bekks: can I use citrix for just sending a single application window upon client request? | 13:35 |
bekks | nasix: Yes. | 13:36 |
nasix | bekks: Thank you very much for your help. Is it so hard to achieve that? | 13:37 |
bekks | In a safe way - yes. | 13:37 |
nasix | bekks: Thank you. I'll try to do that. I was working on this since yesterday! | 13:38 |
=== Lcawte|Away is now known as Lcawte | ||
mfaroukg | people, there is an issue with the built-in firewall not blocking the google IPs | 17:59 |
rokusani | anyone?? i'm stuck with a dlink router port forward works on some surveillance ip box but not ubuntu server :( | 17:59 |
rokusani | online port checker says port is closed for ufw enable ports | 18:00 |
lordievader | mfaroukg: What do you mean? | 18:00 |
rokusani | but that same online port checker shows another port i.e. cameras ip box as open and is accessible using static ip | 18:01 |
mfaroukg | lordievader, i have built-in iptables list they should block the google all sites but still can access google , the main function for the FW is not working | 18:02 |
mfaroukg | lordievader, this was discovered yesterday only | 18:02 |
lordievader | mfaroukg: Could you pastebin your firewall config? | 18:03 |
mfaroukg | lordievader, http://pastebin.com/2RJ7eFSg | 18:04 |
lordievader | mfaroukg: Your output policy is accept without any drop rules? So, yes you can still access google. | 18:05 |
mfaroukg | lordievader, but how ? i have used for long time it was simply redirect me to my local website before , now it is some times redirect and some times passes it | 18:06 |
lordievader | mfaroukg: Are you talking about your forward table? If so, that is a mess. | 18:07 |
lordievader | mfaroukg: Anyhow, if you want to block outgoing connections then you need to specify drop rules in the output table. | 18:08 |
mfaroukg | lordievader, something happened after latest kernel update , or google have done something confuses ubuntu check this http://pastebin.com/TiGEeShm | 18:09 |
lordievader | What is wrong with that? | 18:10 |
mfaroukg | lordievader, and many many location with different IPs | 18:10 |
lordievader | Yeah, it is google ;) | 18:10 |
mfaroukg | lordievader, when i block some it passes others | 18:10 |
lordievader | That makes sense, doesn't it? | 18:11 |
lordievader | Much more effective to black hole the google dns records. | 18:11 |
mfaroukg | lordievader, but how i stop the users from searching and watch youtube .. they don't stop and network traffic is f**k | 18:11 |
lordievader | mfaroukg: Like I said, use the output table of iptables. | 18:12 |
Aboodyman | Can you block a range of IPs | 18:12 |
Aboodyman | ? | 18:13 |
lordievader | That too, you can block google's ip range. | 18:13 |
Aboodyman | But how to know the ip range | 18:13 |
mfaroukg | lordievader, Aboodyman, how i can let the tun0 only control that i don't want permanent blockage | 18:14 |
lordievader | mfaroukg: What? | 18:14 |
Aboodyman | mfaroukg: you can not do that unless you install third party software | 18:15 |
mfaroukg | Aboodyman, the range is in the pastebin | 18:15 |
mfaroukg | lordievader, Aboodyman, i have coovachilli controlling the traffic with virtual tunnel tun0 | 18:16 |
Aboodyman | lordievader ? | 18:16 |
lordievader | mfaroukg: Do you handle the dns requests? | 18:17 |
lordievader | Aboodyman: ? | 18:17 |
Aboodyman | Why aren't you talking | 18:17 |
mfaroukg | lordievader, I changed the DNS to use the google's 8.8.8.8 | 18:17 |
lordievader | Hmm, if you controlled it you could black hole google' | 18:18 |
lordievader | s domain ;) | 18:18 |
mfaroukg | lordievader, it was working like charm but suddenly it is throwing me down on the floor | 18:18 |
lordievader | Anyhow, i'd setup an ipset with all the google ip's and drop the output if the set matches. | 18:19 |
mfaroukg | lordievader, hard workaround :( -crying- | 18:20 |
Aboodyman | mfaroukg: What would you do then | 18:21 |
lordievader | mfaroukg: It ain't, it is actually quite lovely. Just one line in iptables and a flexible set. | 18:21 |
mfaroukg | lordievader, can you check this script : http://pastebin.com/T3kzb7uE it might just need some modifications | 18:24 |
lordievader | Ah, that is where the forward rules come from... did you write this? | 18:26 |
lordievader | Looking at your earlier paste of your iptables rules I'd say some variables evaluate to ''. | 18:27 |
mfaroukg | lordievader, i have contributed only | 18:27 |
mfaroukg | lordievader, do you want the iptables -S ? | 18:29 |
lordievader | No. | 18:29 |
lordievader | Like I said earlier, I'd go with the ipset approach. | 18:29 |
mfaroukg | lordievader, do you suggest DNS changing ? | 18:30 |
lordievader | mfaroukg: No, read my answer from before. | 18:31 |
mfaroukg | lordievader, but this firewall should redirect ALL to my local hotspot client | 18:33 |
lordievader | Then let it do that, besides it is not the firewall doing that, but the routing. | 18:34 |
mfaroukg | lordievader, you're right .... would you mind hinting | 18:36 |
lordievader | http://unix.stackexchange.com/questions/126595/iptables-forward-all-traffic-to-interface | 18:37 |
Aboodyman | 👍 | 18:40 |
mfaroukg | :-* | 18:41 |
=== Zupreme is now known as zupreme | ||
=== zupreme is now known as Zupreme | ||
=== Lcawte is now known as Lcawte|Away | ||
dannymichel | fail2ban keeps stopping dovecot from working. is there anything i can do about that? http://pastebin.com/YMDaZPhf | 22:06 |
Schalla | RoyK: Everything worked out fine btw! Tested the procedure first on a VM and did it today on the real host, everything worked fine. :) | 22:19 |
Schalla | Just have to configure now the software raid for the 2 data disks and then start with the KVM config | 22:19 |
axisys | failing to install lsscsi... looks like linux header dependency needs to be resolved... but apt-get -f install fails too.. any suggestion on how to get around it? here is the apt-get output | 23:06 |
axisys | http://dpaste.com/37ZWRJ1 | 23:06 |
axisys | running Ubuntu 12.04.3 LTS | 23:07 |
axisys | on kernel 3.2.0-60-generic | 23:07 |
bekks | Read line 42. You ran out of disk space. | 23:10 |
axisys | bekks: doh! let me clean up /boot .. 81% now | 23:13 |
trippeh_ | ahh, all the times I've had a full /boot :)) | 23:17 |