=== Lcawte is now known as Lcawte|Away
=== Lcawte|Away is now known as Lcawte
[10:01] <lordievader> Good morning.
=== Lcawte is now known as Lcawte|Away
[13:09] <nasix> Hi every body!
[13:10] <nasix> I have a question regarding apatche. Actually I've done all my search and found nothing!
[13:11] <nasix> I want to run a simple CGI script to execute an application like xterm.
[13:11] <lordievader> Xterm with apache as a parent? Sounds like a bad idea.
[13:12] <bekks> OUCH
[13:12] <nasix> Really?
[13:12] <nasix> Ok
[13:12] <bekks> Yes.
[13:12] <nasix> Thank you for your response
[13:13] <nasix> Actually I want to let some clients to run some application on my server
[13:13] <nasix> and
[13:13] <bekks> No need to use enter as punctuation sign.
[13:14] <nasix> then send the application window to that specific user
[13:14] <bekks> Thats not how a webserver works.
[13:14] <nasix> Is there a good way to do so?
[13:15] <nasix> I don't want to let those client have ssh or something like that to my server
[13:15] <bekks> The only usable solution I do know of is a Citrix XENDesktop Web Server.
[13:17] <nasix> let me google it...
[13:20] <nasix> So this is a Desktop virtualization software.
[13:21] <nasix> But my final target is to let my clients run some specific applications like firefox or so.
[13:22] <nasix> I don't want to let them see the whole desktop environment
[13:22] <Schalla> This sounds borked imho.
[13:22] <Schalla> Where is the usecase for this?
[13:23] <bekks> The usecase is to give a user a desktop or application via web.
[13:23] <nasix> We have a single Linux machine which can access the internet.
[13:23] <maswan> well, if you only want to run command line tools, you can have a browser terminal
[13:23] <nasix> We should not connect any other machine to the internet
[13:23] <maswan> graphical stuff the only reasonable way I know of is complete remote desktops
[13:24] <maswan> or ssh with X forwarding
[13:26] <nasix> can you check my cgi-script: http://paste.ubuntu.com/14457834/
[13:26] <Schalla> bekks: Doesnt make that more sane? Or is it only me?
[13:26] <Schalla> (The idea with apache spawning applications)
[13:27] <bekks> Schalla: Basically its not apache which spawns the processes, but a small application (the citrix receiver, even webbased) which does it. On the client.
[13:27] <nasix> when I run this as a bash script, it goes well
[13:30] <Schalla> Got a small question regarding software raid, I created via ubuntu server installation a degraded raid 1 and added then later on a new partition (this is a vm, but I will do the same later on a physical server), is it normal that the number is 0 and 2?
[13:30] <Schalla> https://i.imgur.com/TU4cE2V.png
[13:30] <Schalla> The sync worked as intended after adding and the degraded state is also gone, just wondering about the number + minor
[13:30] <nasix> bekks: Of course when I set DISPLAY variable to some thing like 192.168.1.108:0 , I can see its window on that client. (192.168.1.108)
[13:31] <bekks> nasix: The mechanism behind that is totally different.
[13:32] <nasix> bekks: I can see the window for a short time and then it closes automatically.
[13:33] <nasix> bekks: what is that mechanism?
[13:34] <nasix> bekks: can you shed light on that or guide me to some reference?
[13:34] <bekks> nasix: citrix provides a lot of technical documentation.
[13:35] <nasix> bekks: can I use critix for just sending a single application window upon client request?
[13:36] <bekks> nasix: Yes.
[13:37] <nasix> bekks: Thank you very much for your help. Is it so hard to achieve that?
[13:37] <bekks> In a safe way - yes.
[13:38] <nasix> bekks: Thank you. I'll try to do that. I was working on this since yesterday!
=== Lcawte|Away is now known as Lcawte
[17:59] <mfaroukg> people i there is issue with the built-in firewall not blocking the google IPs
[17:59] <rokusani> anyone?? i'm stuck with a dlink router port forward works on some survialance ip box but not ubuntu server :(
[18:00] <rokusani> online port checker says port is closed for ufw enable ports
[18:00] <lordievader> mfaroukg: What do you mean?
[18:01] <rokusani> but that same online port checker shows another port i..e cameras ip box as open and is accessible using static ip
[18:02] <mfaroukg> lordievader, i have built-in iptables list they should block the google all sites but still can access google , the main function for the FW is not working
[18:02] <mfaroukg> lordievader, this was discovered yesterday only
[18:03] <lordievader> mfaroukg: Could you pastebin your firewall config?
[18:04] <mfaroukg> lordievader, http://pastebin.com/2RJ7eFSg
[18:05] <lordievader> mfaroukg: Your output policy is accept without any drop rules? So, yes you can still access google.
[18:06] <mfaroukg> lordievader, but how ? i have used for long time it was simply redirect me to my local website before , now it is some times redirect and some times passes it
[18:07] <lordievader> mfaroukg: Are you talking about your forward table? If so, that is a mess.
[18:08] <lordievader> mfaroukg: Anyhow, if you want to block outgoing connections then you need to specify drop rules in the output table.
[18:09] <mfaroukg> lordievader, some thing happened after latest kernel update , or google have done something confuses ubuntu check this http://pastebin.com/TiGEeShm
[18:10] <lordievader> What is wrong with that?
[18:10] <mfaroukg> lordievader, and many many location with different IPs
[18:10] <lordievader> Yeah, it is google ;)
[18:10] <mfaroukg> lordievader, when i block some it passes others
[18:11] <lordievader> That makes sense, doesn't it?
[18:11] <lordievader> Much more effective to black hole the google dns records.
[18:11] <mfaroukg> lordievader, but how i stop the users from searching and watch youtube .. they don't stop and network traffic is f**k
[18:12] <lordievader> mfaroukg: Like I said, use the output table of iptables.
[18:12] <Aboodyman> Can you block a range of IPs
[18:13] <Aboodyman> ?
[18:13] <lordievader> That too, you can block google's ip range.
[18:13] <Aboodyman> But how to know the ip range
[18:14] <mfaroukg> lordievader, Aboodyman, how i can let the tun0 only control that i don't want permanent blockage
[18:14] <lordievader> mfaroukg: What?
[18:15] <Aboodyman> mfaroukg: you can not do that unless you install third party software
[18:15] <mfaroukg> Aboodyman, the range is in the pastebin
[18:16] <mfaroukg> lordievader, Aboodyman, i have coovachilli controlling the traffic with virtual tunnel tun0
[18:16] <Aboodyman> lordievader ?
[18:17] <lordievader> mfaroukg: Do you handle the dns requests?
[18:17] <lordievader> Aboodyman: ?
[18:17] <Aboodyman> Why aren't you talking
[18:17] <mfaroukg> lordievader, I changed the DNS to use the google's 8.8.8.8
[18:18] <lordievader> Hmm, if you controlled it you could black hole google'
[18:18] <lordievader> s domain ;)
[18:18] <mfaroukg> lordievader, it was working like charm but suddenly it is throwing me down on the floor
[18:19] <lordievader> Anyhow, i'd setup an ipset with all the google ip's and drop the output if the set matches.
[18:20] <mfaroukg> lordievader, hard workaround :( -crying-
[18:21] <Aboodyman> mfaroukg: What would you do then
[18:21] <lordievader> mfaroukg: It ain't, it is actually quite lovely. Just one line in iptables and a flexible set.
[18:24] <mfaroukg> lordievader, can you check this script : http://pastebin.com/T3kzb7uE it might just need some modifications
[18:26] <lordievader> Ah, that is where the forward rules come from... did you write this?
[18:27] <lordievader> Looking at your earlier paste of your iptables rules I'd say some variables evaluate to ''.
[18:27] <mfaroukg> lordievader, i have contributed only
[18:29] <mfaroukg> lordievader, do you want the iptables -S ?
[18:29] <lordievader> No.
[18:29] <lordievader> Like I said earlier, I'd go with the ipset approach.
[18:30] <mfaroukg> lordievader, do you suggest DNS changing ?
[18:31] <lordievader> mfaroukg: No, read my answer from before.
[18:33] <mfaroukg> lordievader, but this firewall should redirect ALL to my local hotspot client
[18:34] <lordievader> Then let it do that, besides it is not the firewall doing that, but the routing.
[18:36] <mfaroukg> lordievader, you're right .... would you mind hinting
[18:37] <lordievader> http://unix.stackexchange.com/questions/126595/iptables-forward-all-traffic-to-interface
[18:40] <Aboodyman> 👍
[18:41] <mfaroukg> :-*
=== Zupreme is now known as zupreme
=== zupreme is now known as Zupreme
=== Lcawte is now known as Lcawte|Away
[22:06] <dannymichel> fail2ban keeps stoping dovecot from working. is there anything i can do about that? http://pastebin.com/YMDaZPhf
[22:19] <Schalla> RoyK: Everything worked out fine btw! Tested the procedure first on a VM and did it today on the real host, everything worked fine. :)
[22:19] <Schalla> Just have to configure now the software raid for the 2 data disks and then start with the KVM config
[23:06] <axisys> failing to install lsscsi... looks like linux header dependency needs to be resolved... but apt-get -f install fails too.. any suggestion on how to get around it? here is the apt-get output
[23:06] <axisys> http://dpaste.com/37ZWRJ1
[23:07] <axisys> running Ubuntu 12.04.3 LTS
[23:07] <axisys> on kernel 3.2.0-60-generic
[23:10] <bekks> Read line 42. You ran out of disk space.
[23:13] <axisys> bekks: doh! let me clean up /boot .. 81% now
[23:17] <trippeh_> ahh, all the times I've had a full /boot :))