[opensuse] apache mod_rewrite
Where do I turn this on ? And how do I verify it's on ? Please give details.

Thanks, Duaine
--
Duaine Hechler
Piano, Player Piano, Pump Organ Tuning, Servicing & Rebuilding
Reed Organ Society Member
Florissant, MO 63034
(314) 838-5587
dahechler@att.net
www.hechlerpianoandorgan.com
--
Home & Business user of Linux - 10 years
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
Duaine & Laura Hechler escribió:
Where do I turn this on ?
a2enmod rewrite
rcapache2 restart

And how do I verify it's on ?

a2enmod -q rewrite || echo "module not installed or enabled in apache configuration!"
--
"If this is the best God can do, I am not impressed" -George Carlin (1937-2008)
Cristian Rodríguez R.
Software Developer Platform/OpenSUSE - Core Services
SUSE LINUX Products GmbH Research & Development
http://www.opensuse.org/
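An added example, not part of Cristian's reply and not openSUSE's own tooling. On openSUSE, a2enmod edits APACHE_MODULES in /etc/sysconfig/apache2, and the LoadModule lines in sysconfig.d/loadmodule.conf are regenerated from that variable on the next restart. So "configured in sysconfig" and "loaded by the running server" are two different questions, and a check should ask both: the first from /etc/sysconfig/apache2, the second from `apache2ctl -M`. The two inputs below are constructed samples of those outputs so the script runs offline; the messages are in single quotes, which is also what keeps an interactive bash from treating the `!` as a history expansion.

```shell
#!/bin/sh
# Added example (not from the thread). Decide whether a module is
# (a) listed in APACHE_MODULES in /etc/sysconfig/apache2 and
# (b) actually loaded by the running server, from text already in hand.
# On a real openSUSE box the two inputs would be:
#   "$(cat /etc/sysconfig/apache2)"   and   "$(apache2ctl -M 2>&1)"

# Constructed sample of the relevant lines of /etc/sysconfig/apache2
SAMPLE_SYSCONFIG='## Type: string
APACHE_MODULES="actions alias auth_basic authz_host autoindex cgi dir env log_config mime negotiation setenvif rewrite ssl php5"
APACHE_CONF_INCLUDE_FILES=""'

# Constructed sample of "apache2ctl -M" output from a server that was NOT
# restarted after rewrite was added to APACHE_MODULES
SAMPLE_LOADED='Loaded Modules:
 core_module (static)
 mpm_prefork_module (static)
 http_module (static)
 so_module (static)
 alias_module (shared)
 php5_module (shared)
Syntax OK'

# module_configured MODULE SYSCONFIG_TEXT: true if MODULE is a whole word
# in the APACHE_MODULES list (so "rewrite" does not match "rewrite_extra")
module_configured() {
    printf '%s\n' "$2" \
        | sed -n 's/^APACHE_MODULES="\(.*\)"$/\1/p' \
        | tr ' ' '\n' \
        | grep -qx -- "$1"
}

# module_loaded MODULE LOADED_TEXT: true if MODULE_module appears in -M output
module_loaded() {
    printf '%s\n' "$2" | grep -q "^[ ]*${1}_module "
}

# module_status MODULE SYSCONFIG_TEXT LOADED_TEXT
# prints one of: ok, configured-not-loaded, loaded-not-configured, missing
module_status() {
    c=no; l=no
    module_configured "$1" "$2" && c=yes
    module_loaded "$1" "$3" && l=yes
    case "$c$l" in
        yesyes) echo ok ;;
        yesno)  echo configured-not-loaded ;;
        noyes)  echo loaded-not-configured ;;
        *)      echo missing ;;
    esac
}

# Single quotes throughout: inside double quotes an interactive bash
# treats ! as a history expansion, which is the "event not found" error.
case "$(module_status rewrite "$SAMPLE_SYSCONFIG" "$SAMPLE_LOADED")" in
    ok)
        echo 'mod_rewrite is configured and loaded' ;;
    configured-not-loaded)
        echo 'mod_rewrite is in APACHE_MODULES but the running server has not loaded it: restart apache (rcapache2 restart)' ;;
    *)
        echo 'module not installed or enabled in apache configuration!' ;;
esac
```

Run against the samples it reports configured-not-loaded, which is exactly the state a2enmod leaves behind until the restart; a2enmod -q alone would have said "enabled".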
Cristian Rodríguez wrote:
Duaine & Laura Hechler escribió:
Where do I turn this on ?
a2enmod rewrite
rcapache2 restart
And how do I verify it's on ?
a2enmod -q rewrite || echo "module not installed or enabled in apache configuration!"
Last command returns:

-bash: !": event not found
* Duaine & Laura Hechler <dahechler@att.net> [05-02-09 23:57]:
Cristian Rodríguez wrote:
a2enmod rewrite
rcapache2 restart
And how do I verify it's on ?
a2enmod -q rewrite || echo "module not installed or enabled in apache configuration!"
Last command returns:
-bash: !": event not found
Do you just blindly use commands w/o checking to see what they do? What will you do when someone gives you a command that isn't correct? Intelligent curiosity is required or....

a2enmod --help
a2enmod -l | grep rewrite
man a2enmod
--
Patrick Shanahan
Plainfield, Indiana, USA
HOG # US1244711
http://wahoo.no-ip.org
Photo Album: http://wahoo.no-ip.org/gallery2
Registered Linux User #207535 @ http://counter.li.org
Patrick Shanahan wrote:
* Duaine & Laura Hechler <dahechler@att.net> [05-02-09 23:57]:
Cristian Rodríguez wrote:
a2enmod rewrite
rcapache2 restart
And how do I verify it's on ?
a2enmod -q rewrite || echo "module not installed or enabled in apache configuration!"
Last command returns:
-bash: !": event not found
Do you just blindly use commands w/o checking to see what they do? What will you do when someone gives you a command that isn't correct? Intelligent curiosity is required or....
a2enmod --help
a2enmod -l | grep rewrite
man a2enmod

Well, in this case, I've been using Linux long enough to tell when a command is going to mess up things or not.
If all else fails, I take - nightly - backups on a separate drive.
On Sat, 02 May 2009 22:54:41 -0500, Duaine & Laura Hechler wrote:
a2enmod -q rewrite || echo "module not installed or enabled in apache configuration!"
Last command returns:
-bash: !": event not found
Sounds like it's interpreting the "!" incorrectly. Try just:

a2enmod -q rewrite || echo "no"

Does it do the same thing?

Jim
--
Jim Henderson
Please keep on-topic replies on the list so everyone benefits
On Saturday May 2 2009, Jim Henderson wrote:
On Sat, 02 May 2009 22:54:41 -0500, Duaine & Laura Hechler wrote:
a2enmod -q rewrite || echo "module not installed or enabled in apache configuration!"
Last command returns:
-bash: !": event not found
Sounds like it's interpreting the "!" incorrectly. ...
It is not. ! is the history access introducer. It is interpreted outside of quotes and inside double-quote strings but not inside single-quote strings.
...
Jim
Randall Schulz
On Sat, 02 May 2009 21:35:15 -0700, Randall R Schulz wrote:
Sounds like it's interpreting the "!" incorrectly. ...
It is not. ! is the history access introducer. It is interpreted outside of quotes and inside double-quote strings but not inside single-quote strings.
Yes, I am fully aware of that. However that is the only place "!" is on the line, so for some reason it's being interpreted that way.

Jim
On Sunday May 3 2009, Jim Henderson wrote:
On Sat, 02 May 2009 21:35:15 -0700, Randall R Schulz wrote:
Sounds like it's interpreting the "!" incorrectly. ...
It is not. ! is the history access introducer. It is interpreted outside of quotes and inside double-quote strings but not inside single-quote strings.
Yes, I am fully aware of that. However that is the only place "!" is on the line, so for some reason it's being interpreted that way.
Being interpreted what way? It was used incorrectly and a diagnostic resulted.
Jim
Randall Schulz
On Sun, 03 May 2009 10:06:36 -0700, Randall R Schulz wrote:
It is not. ! is the history access introducer. It is interpreted outside of quotes and inside double-quote strings but not inside single-quote strings.
Yes, I am fully aware of that. However that is the only place "!" is on the line, so for some reason it's being interpreted that way.
Being interpreted what way? It was used incorrectly and a diagnostic resulted.
Yes, but for some reason it was picked up and interpreted in a way that caused the diagnostic. So rather than do further troubleshooting or berate Duaine for not knowing Linux well enough to know what it is (as some here did), I changed the text and the desired result was produced. Is there some particular reason you wish to argue about this? Or can we move on?

Jim
On Sunday May 3 2009, Jim Henderson wrote:
On Sun, 03 May 2009 10:06:36 -0700, Randall R Schulz wrote:
It is not. ! is the history access introducer. It is interpreted outside of quotes and inside double-quote strings but not inside single-quote strings.
Yes, I am fully aware of that. However that is the only place "!" is on the line, so for some reason it's being interpreted that way.
Being interpreted what way? It was used incorrectly and a diagnostic resulted.
Yes, but for some reason it was picked up and interpreted in a way that caused the diagnostic.
This is nonsensical. The ! was followed by a character not allowed in history expansions. That is why BASH rejected the command line and printed a diagnostic.
...
Is there some particular reason you wish to argue about this? Or can we move on?
You can do whatever you please, but I feel the need to correct false information on this list. So as long as you keep posting misinformation, I'm going to keep correcting it.
Jim
Randall Schulz
On Sunday 03 May 2009 20:02:37 Randall R Schulz wrote:
This is nonsensical. The ! was followed by a character not allowed in history expansions.
Sure it's allowed

~> "echo" foo
foo
~> !"
"echo" foo
foo
That is why BASH rejected the command line and printed a diagnostic.
It just didn't get any hits because no previous command started with a "

Anders
On Sunday May 3 2009, Anders Johansson wrote:
On Sunday 03 May 2009 20:02:37 Randall R Schulz wrote:
This is nonsensical. The ! was followed by a character not allowed in history expansions.
Sure it's allowed
...
It just didn't get any hits because no previous command started with a "
OK, but Jim H's saying "... it's interpreting the "!" incorrectly" is also not correct.
Anders
Randall Schulz
On Sunday 03 May 2009 20:48:42 Randall R Schulz wrote:
On Sunday May 3 2009, Anders Johansson wrote:
On Sunday 03 May 2009 20:02:37 Randall R Schulz wrote:
This is nonsensical. The ! was followed by a character not allowed in history expansions.
Sure it's allowed
...
It just didn't get any hits because no previous command started with a "
OK, but Jim H's saying "... it's interpreting the "!" incorrectly" is also not correct.
Sure, since it was in double quotes instead of apostrophes (and not escaped) bash expanded it as it should

Anders
On Sun, 03 May 2009 11:02:37 -0700, Randall R Schulz wrote:
On Sunday May 3 2009, Jim Henderson wrote:
On Sun, 03 May 2009 10:06:36 -0700, Randall R Schulz wrote:
It is not. ! is the history access introducer. It is interpreted outside of quotes and inside double-quote strings but not inside single-quote strings.
Yes, I am fully aware of that. However that is the only place "!" is on the line, so for some reason it's being interpreted that way.
Being interpreted what way? It was used incorrectly and a diagnostic resulted.
Yes, but for some reason it was picked up and interpreted in a way that caused the diagnostic.
This is nonsensical. The ! was followed by a character not allowed in history expansions. That is why BASH rejected the command line and printed a diagnostic.
You and I are saying the exact same thing in different ways. You're explaining that "!" calls back the history and it's failing. I'm saying that the "!" character is being interpreted "incorrectly" - incorrectly based on the intention of it being included in that command, not incorrectly based on its actual use. Bash *should* have induced that the "!" was in a quoted line and shouldn't have expanded it. It did for some reason - maybe because Duaine put two single quotes instead of a double quote at the start of the string. I don't know why and I don't particularly care. The end result was the diagnostic message was displayed because the shell interpreted the use as being something other than what the person entering the command meant. In other words, the intention was interpreted incorrectly by the shell. If you want to insist that my read of this is incorrect, fine.
Is there some particular reason you wish to argue about this? Or can we move on?
You can do whatever you please, but I feel the need to correct false information on this list. So as long as you keep posting misinformation, I'm going to keep correcting it.
I would disagree that my information was incorrect. I interpreted the output based on the input provided. But fine, whatever. I know the information was correct, and if I didn't present it up to your standard of clarity, oh well. I know what I meant and I suspect most others on the list understood what I meant. If you feel it's necessary to nitpick every answer, go ahead and be my guest. Your way of expressing things isn't the only way to do so.

Jim
On Sunday May 3 2009, Jim Henderson wrote:
...
Bash *should* have induced that the "!" was in a quoted line and shouldn't have expanded it. It did for some reason - maybe because Duaine put two single quotes instead of a double quote at the start of the string. I don't know why and I don't particularly care.
No. The grammar of BASH includes history expansion in double-quoted strings. Only single-quoted strings protect against history expansion. If by "should" you mean to express a disagreement with the authors of BASH on when history expansion should be active, well, that's your prerogative, but it's not how things are.
...
In other words, the intention was interpreted incorrectly by the shell.
We're talking about computers here. If we don't speak their language, desired results cannot be expected. If there's a command interpreter you'd like to work with and it doesn't exist, you'll have to create it or commission its creation yourself.
If you want to insist that my read of this is incorrect, fine.
Clearly it is.
...
Jim
Randall Schulz
On Sun, 03 May 2009 12:01:14 -0700, Randall R Schulz wrote:
On Sunday May 3 2009, Jim Henderson wrote:
...
Bash *should* have induced that the "!" was in a quoted line and shouldn't have expanded it. It did for some reason - maybe because Duaine put two single quotes instead of a double quote at the start of the string. I don't know why and I don't particularly care.
No. The grammar of BASH includes history expansion in double-quoted strings. Only single-quoted strings protect against history expansion.
If by "should" you mean to express a disagreement with the authors of BASH on when history expansion should be active, well, that's your prerogative, but it's not how things are.
And if the author meant csh or tcsh? I use tcsh myself, and the command as entered works in tcsh. So perhaps you're assuming the author meant bash when in fact they use a csh derivative. I note that the original example doesn't specify a shell. So if we want to continue nitpicking each other's interpretation, your assumption that bash is what Cristian meant the command to be executed under may well be incorrect.

Jim
On Sunday May 3 2009, Jim Henderson wrote:
...
So perhaps you're assuming the author meant bash when in fact they use a csh derivative. I note that the original example doesn't specify a shell.
Yes, I did. BASH is the default shell in openSUSE. Absent explicit information to the contrary, it's a reasonable assumption to make.
...
Jim
Randall Schulz
Enough of this bantering.

The fact still remains that apache is still ignoring the .htaccess file.

I have tried various changes to httpd.conf and the default-server.conf

So which file is read last or what is the hierarchy.

Running 11.1 base install.

So what changes are needed in what file ?

Thanks, Duaine
On Sun, 03 May 2009 15:04:48 -0500, Duaine & Laura Hechler wrote:
The fact still remains that apache is still ignoring the .htaccess file.
Have you got the proper overrides enabled?

You might have a look at

http://httpd.apache.org/docs/1.3/howto/htaccess.html

And see if going over that list helps you narrow down what the problem is.
I have tried various changes to httpd.conf and the default-server.conf
What changes have you tried?

Jim
Jim Henderson wrote:
On Sun, 03 May 2009 15:04:48 -0500, Duaine & Laura Hechler wrote:
The fact still remains that apache is still ignoring the .htaccess file.
Have you got the proper overrides enabled?
You might have a look at
http://httpd.apache.org/docs/1.3/howto/htaccess.html
And see if going over that list helps you narrow down what the problem is.
Been there - no help - the file contents are coming straight from the vendor.
I have tried various changes to httpd.conf and the default-server.conf
What changes have you tried?
Too many to remember
Attached are the files I'm using - and still does not read the .htaccess file

Duaine

#
# Global configuration that will be applicable for all virtual hosts, unless
# deleted here, or overridden elsewhere.
#

DocumentRoot "/srv/www/htdocs"

#
# Configure the DocumentRoot
#
<Directory "/srv/www/htdocs">
    # Possible values for the Options directive are "None", "All",
    # or any combination of:
    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
    #
    # Note that "MultiViews" must be named *explicitly* --- "Options All"
    # doesn't give it to you.
    #
    # The Options directive is both complicated and important.  Please see
    # http://httpd.apache.org/docs-2.2/mod/core.html#options
    # for more information.
    Options None
    # AllowOverride controls what directives may be placed in .htaccess files.
    # It can be "All", "None", or any combination of the keywords:
    #   Options FileInfo AuthConfig Limit
    AllowOverride All
    # Controls who can get stuff from this server.
    Order allow,deny
    Allow from all
</Directory>

# Aliases: aliases can be added as needed (with no limit). The format is
# Alias fakename realname
#
# Note that if you include a trailing / on fakename then the server will
# require it to be present in the URL.  So "/icons" isn't aliased in this
# example, only "/icons/".  If the fakename is slash-terminated, then the
# realname must also be slash terminated, and if the fakename omits the
# trailing slash, the realname must also omit it.
#
# We include the /icons/ alias for FancyIndexed directory listings.  If you
# do not use FancyIndexing, you may comment this out.
#
Alias /icons/ "/usr/share/apache2/icons/"

<Directory "/usr/share/apache2/icons">
    Options Indexes MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

# ScriptAlias: This controls which directories contain server scripts.
# ScriptAliases are essentially the same as Aliases, except that
# documents in the realname directory are treated as applications and
# run by the server when requested rather than as documents sent to the client.
# The same rules about trailing "/" apply to ScriptAlias directives as to
# Alias.
#
ScriptAlias /cgi-bin/ "/srv/www/cgi-bin/"

# "/srv/www/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
<Directory "/srv/www/cgi-bin">
    AllowOverride None
    Options +ExecCGI -Includes
    Order allow,deny
    Deny from all
</Directory>

# Include all *.conf files from /etc/apache2/conf.d/.
#
# This is mostly meant as a place for other RPM packages to drop in their
# configuration snippet.
#
# You can comment this out here if you want those bits include only in a
# certain virtual host, but not here.
#
Include /etc/apache2/conf.d/*.conf

# The manual... if it is installed ('?' means it won't complain)
Include /etc/apache2/conf.d/apache2-manual?conf

ServerName localhost
ServerAdmin root@hechler.net

<Directory "/srv/www/htdocs/openfreeway">
    AllowOverride All
    Options +FollowSymLinks
    Order allow,deny
    Allow from all
</Directory>


#
# /etc/apache2/httpd.conf
#
# This is the main Apache server configuration file.  It contains the
# configuration directives that give the server its instructions.
# See <URL:http://httpd.apache.org/docs-2.2/> for detailed information about
# the directives.

# Based upon the default apache configuration file that ships with apache,
# which is based upon the NCSA server configuration files originally by Rob
# McCool. This file was knocked together by Peter Poeml <poeml+apache@suse.de>.

# If possible, avoid changes to this file. It does mainly contain Include
# statements and global settings that can/should be overridden in the
# configuration of your virtual hosts.

# Quickstart guide:
# http://www.opensuse.org/Apache_Howto_Quickstart

# Overview of include files, chronologically:
#
# httpd.conf
#  |
#  |-- uid.conf  . . . . . . . . . . . . . . UserID/GroupID to run under
#  |-- server-tuning.conf  . . . . . . . . . sizing of the server (how many processes to start, ...)
#  |-- sysconfig.d/loadmodule.conf . . . . . [*] load these modules
#  |-- listen.conf . . . . . . . . . . . . . IP addresses / ports to listen on
#  |-- mod_log_config.conf . . . . . . . . . define logging formats
#  |-- sysconfig.d/global.conf . . . . . . . [*] server-wide general settings
#  |-- mod_status.conf . . . . . . . . . . . restrict access to mod_status (server monitoring)
#  |-- mod_info.conf . . . . . . . . . . . . restrict access to mod_info
#  |-- mod_usertrack.conf  . . . . . . . . . defaults for cookie-based user tracking
#  |-- mod_autoindex-defaults.conf . . . . . defaults for displaying of server-generated directory listings
#  |-- mod_mime-defaults.conf  . . . . . . . defaults for mod_mime configuration
#  |-- errors.conf . . . . . . . . . . . . . customize error responses
#  |-- ssl-global.conf . . . . . . . . . . . SSL conf that applies to default server _and all_ virtual hosts
#  |
#  |-- default-server.conf . . . . . . . . . set up the default server that replies to non-virtual-host requests
#  |    |--mod_userdir.conf  . . . . . . . . enable UserDir (if mod_userdir is loaded)
#  |    `--conf.d/apache2-manual?conf  . . . add the docs ('?' = if installed)
#  |
#  |-- sysconfig.d/include.conf  . . . . . . [*] your include files
#  |                                         (for each file to be included here, put its name
#  |                                          into APACHE_INCLUDE_* in /etc/sysconfig/apache2)
#  |
#  `-- vhosts.d/ . . . . . . . . . . . . . . for each virtual host, place one file here
#       `-- *.conf  . . . . . . . . . . . . . (*.conf is automatically included)
#
#
# Files marked [*] are created from sysconfig upon server restart: instead of
# these files, you edit /etc/sysconfig/apache2

# Filesystem layout:
#
# /etc/apache2/
#  |-- charset.conv  . . . . . . . . . . . . for mod_auth_ldap
#  |-- conf.d/
#  |    |-- apache2-manual.conf  . . . . . . conf that comes with apache2-doc
#  |    |-- mod_php4.conf  . . . . . . . . . (example) conf that comes with apache2-mod_php4
#  |    `-- ... . . . . . . . . . . . . . . . other configuration added by packages
#  |-- default-server.conf
#  |-- errors.conf
#  |-- httpd.conf  . . . . . . . . . . . . . top level configuration file
#  |-- listen.conf
#  |-- magic
#  |-- mime.types -> ../mime.types
#  |-- mod_autoindex-defaults.conf
#  |-- mod_info.conf
#  |-- mod_log_config.conf
#  |-- mod_mime-defaults.conf
#  |-- mod_perl-startup.pl
#  |-- mod_status.conf
#  |-- mod_userdir.conf
#  |-- mod_usertrack.conf
#  |-- server-tuning.conf
#  |-- ssl-global.conf
#  |-- ssl.crl/  . . . . . . . . . . . . . . PEM-encoded X.509 Certificate Revocation Lists (CRL)
#  |-- ssl.crt/  . . . . . . . . . . . . . . PEM-encoded X.509 Certificates
#  |-- ssl.csr/  . . . . . . . . . . . . . . PEM-encoded X.509 Certificate Signing Requests
#  |-- ssl.key/  . . . . . . . . . . . . . . PEM-encoded RSA Private Keys
#  |-- ssl.prm/  . . . . . . . . . . . . . . public DSA Parameter Files
#  |-- sysconfig.d/  . . . . . . . . . . . . files that are created from /etc/sysconfig/apache2
#  |    |-- global.conf
#  |    |-- include.conf
#  |    `-- loadmodule.conf
#  |-- uid.conf
#  `-- vhosts.d/ . . . . . . . . . . . . . . put your virtual host configuration (*.conf) here
#       |-- vhost-ssl.template
#       `-- vhost.template


### Global Environment ######################################################
#
# The directives in this section affect the overall operation of Apache,
# such as the number of concurrent requests.

# run under this user/group id
Include /etc/apache2/uid.conf

# - how many server processes to start (server pool regulation)
# - usage of KeepAlive
Include /etc/apache2/server-tuning.conf

# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here.  If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
ErrorLog /var/log/apache2/error_log

# generated from APACHE_MODULES in /etc/sysconfig/apache2
Include /etc/apache2/sysconfig.d/loadmodule.conf

# IP addresses / ports to listen on
Include /etc/apache2/listen.conf

# predefined logging formats
Include /etc/apache2/mod_log_config.conf

# generated from global settings in /etc/sysconfig/apache2
Include /etc/apache2/sysconfig.d/global.conf

# optional mod_status, mod_info
Include /etc/apache2/mod_status.conf
Include /etc/apache2/mod_info.conf

# optional cookie-based user tracking
# read the documentation before using it!!
Include /etc/apache2/mod_usertrack.conf

# configuration of server-generated directory listings
Include /etc/apache2/mod_autoindex-defaults.conf

# associate MIME types with filename extensions
TypesConfig /etc/apache2/mime.types
DefaultType text/plain
Include /etc/apache2/mod_mime-defaults.conf

# set up (customizable) error responses
Include /etc/apache2/errors.conf

# global (server-wide) SSL configuration, that is not specific to
# any virtual host
Include /etc/apache2/ssl-global.conf

# forbid access to the entire filesystem by default
<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

<IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteLog /home/family/scanner/rewrite.log
    RewriteLogLevel 0
</IfModule>

# use .htaccess files for overriding,
AccessFileName .htaccess
# and never show them
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>

# List of resources to look for when the client requests a directory
DirectoryIndex index.html index.html.var


### 'Main' server configuration #############################################
#
# The directives in this section set up the values used by the 'main'
# server, which responds to any requests that aren't handled by a
# <VirtualHost> definition.  These values also provide defaults for
# any <VirtualHost> containers you may define later in the file.
#
# All of these directives may appear inside <VirtualHost> containers,
# in which case these default settings will be overridden for the
# virtual host being defined.
#
Include /etc/apache2/default-server.conf

# Another way to include your own files
#
# The file below is generated from /etc/sysconfig/apache2,
# include arbitrary files as named in APACHE_CONF_INCLUDE_FILES and
# APACHE_CONF_INCLUDE_DIRS
Include /etc/apache2/sysconfig.d/include.conf


### Virtual server configuration ############################################
#
# VirtualHost: If you want to maintain multiple domains/hostnames on your
# machine you can setup VirtualHost containers for them. Most configurations
# use only name-based virtual hosts so the server doesn't need to worry about
# IP addresses. This is indicated by the asterisks in the directives below.
#
# Please see the documentation at
# <URL:http://httpd.apache.org/docs-2.2/vhosts/>
# for further details before you try to setup virtual hosts.
#
# You may use the command line option '-S' to verify your virtual host
# configuration.
#
Include /etc/apache2/vhosts.d/*.conf

# Note: instead of adding your own configuration here, consider
#       adding it in your own file (/etc/apache2/httpd.conf.local)
#       putting its name into APACHE_CONF_INCLUDE_FILES in
#       /etc/sysconfig/apache2 -- this will make system updates
#       easier :)

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
#RewriteRule ^(.*) "index.php"
RewriteRule / http://example.com/
On Sunday May 3 2009, Duaine & Laura Hechler wrote:
Attached are the files I'm using - and still does not read the .htaccess file
Here's a snippet from my /etc/apache2/httpd.conf file. It was part of the default supplied when I installed Apache2 (during system installation):

# use .htaccess files for overriding,
AccessFileName .htaccess
# and never show them
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>
Duaine
Randall Schulz
On Sunday May 3 2009, Randall R Schulz wrote:
On Sunday May 3 2009, Duaine & Laura Hechler wrote:
Attached are the files I'm using - and still does not read the .htaccess file
Here's a snippet from my /etc/apache2/httpd.conf file. It was part of the default supplied when I installed Apache2 (during system installation):
# use .htaccess files for overriding,
AccessFileName .htaccess
# and never show them
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>
Sorry. I searched in your message and it didn't find that portion ('cause it was in an attachment, I guess), but it is there.

Randall Schulz
On Sun, 03 May 2009 15:19:41 -0500, Duaine & Laura Hechler wrote:
Jim Henderson wrote:
On Sun, 03 May 2009 15:04:48 -0500, Duaine & Laura Hechler wrote:
The fact still remains that apache is still ignoring the .htaccess file.
Have you got the proper overrides enabled?
You might have a look at
http://httpd.apache.org/docs/1.3/howto/htaccess.html
And see if going over that list helps you narrow down what the problem is.
Been there - no help - the file contents are coming straight from the vendor.
Have you asked the vendor, since they provided a file that doesn't work?
I have tried various changes to httpd.conf and the default-server.conf
What changes have you tried?
Too many to remember
Makes it kinda hard to make recommendations - with the most often response being "tried that, didn't work", it's easier to start with a list of what you've already tried so we don't duplicate that.

Jim
<snip>
Have you asked the vendor, since they provided a file that doesn't work?
It doesn't matter what is in the file if apache is not reading it O:-)
On Sun, 03 May 2009 15:29:10 -0500, Duaine & Laura Hechler wrote:
<snip>
Have you asked the vendor, since they provided a file that doesn't work?
It doesn't matter what is in the file if apache is not reading it O:-)
Fair point, but it occurs to me the vendor may have seen this before as well. :-) That said, I've got a similar issue I'm trying to troubleshoot on one of my own systems - weirdly, I've got two vhosts set up, and on one .htaccess works and on the other it doesn't - but the same directives are in both vhosts and I can't see where the AllowOverrides directive is being overridden either. :-) I wonder if there's a tool out there somewhere that will tell you the results of the combined apache directives relevant to a particular directory....

Jim
On Sun, 03 May 2009 20:33:23 +0000, Jim Henderson wrote:
That said, I've got a similar issue I'm trying to troubleshoot on one of my own systems - weirdly, I've got two vhosts set up, and on one .htaccess works and on the other it doesn't - but the same directives are in both vhosts and I can't see where the AllowOverrides directive is being overridden either.
Well, I figured out my issue - had the directory name mistyped in the Directory directive in my vhosts file. I had looked at it several times and hadn't seen it. So that then begs the question - are you sure the path in your file is also correct, Duaine? Same capitalisation, spelling, etc? If you put garbage in the .htaccess file in question, do you get a server error trying to access the page/directory in question? Jim -- Jim Henderson Please keep on-topic replies on the list so everyone benefits
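Jim's earlier wish for a tool that shows the combined Apache directives for a directory, and the mistyped-path cause he found, can both be checked with a small resolver. The script below is an added example for this thread, not code from the list or from the Apache project: it reads literal <Directory> blocks from a constructed httpd-style config, reports which AllowOverride value applies to a given path (Apache merges matching <Directory> sections from the shortest path to the longest, so the most specific one wins), and lists the .htaccess files Apache would consult on the way down to that path. The sample config deliberately names the directory "htdos" in one block so the typo case is visible; paths and the config are assumptions.

```python
# Added example (not from the thread): resolve which AllowOverride value
# applies to a path and which .htaccess files Apache would read for it.
# The config text is constructed; only literal <Directory> blocks are handled.
import os
import re
from typing import List, Optional, Tuple

# Constructed sample config.  The second block deliberately says "htdos"
# (not "htdocs"), the kind of typo the thread turned up.
SAMPLE_CONFIG = """
<Directory />
    AllowOverride None
</Directory>
<Directory "/srv/www/htdos/openfreeway">
    AllowOverride All
</Directory>
<Directory "/srv/www/htdocs">
    AllowOverride None
</Directory>
"""

_DIR_RE = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', re.S | re.I)
_OVR_RE = re.compile(r'^\s*AllowOverride\s+(.+?)\s*$', re.M | re.I)


def parse_directory_blocks(config: str) -> List[Tuple[str, Optional[str]]]:
    """Return (path, AllowOverride value or None) for each literal <Directory>
    block.  Wildcard paths and <DirectoryMatch> are out of scope here."""
    blocks = []
    for m in _DIR_RE.finditer(config):
        path, body = os.path.normpath(m.group(1)), m.group(2)
        ovr = _OVR_RE.search(body)
        blocks.append((path, ovr.group(1) if ovr else None))
    return blocks


def _contains(ancestor: str, path: str) -> bool:
    """True if `path` is `ancestor` itself or lies beneath it."""
    if ancestor == "/":
        return True
    return path == ancestor or path.startswith(ancestor + "/")


def effective_override(config: str, path: str) -> Tuple[str, List[str]]:
    """Merge matching <Directory> sections shortest-path first, so the most
    specific block that sets AllowOverride wins.  With no block setting it,
    Apache 2.4 defaults to None (2.2 defaulted to All)."""
    path = os.path.normpath(path)
    matching = [(p, o) for p, o in parse_directory_blocks(config) if _contains(p, path)]
    matching.sort(key=lambda po: len(po[0]))
    result = "None"
    for _, ovr in matching:
        if ovr is not None:
            result = ovr
    return result, [p for p, _ in matching]


def htaccess_candidates(config: str, path: str) -> List[str]:
    """Walk from / down to `path` and list each .htaccess Apache would read:
    those in directories whose effective AllowOverride is not None."""
    path = os.path.normpath(path)
    dirs, cur = ["/"], ""
    for part in [p for p in path.split("/") if p]:
        cur += "/" + part
        dirs.append(cur)
    return [os.path.join(d, ".htaccess") for d in dirs
            if effective_override(config, d)[0].lower() != "none"]


if __name__ == "__main__":
    for wanted in ("/srv/www/htdocs/openfreeway", "/srv/www/htdos/openfreeway"):
        ovr, blocks = effective_override(SAMPLE_CONFIG, wanted)
        print(f"{wanted}: AllowOverride {ovr} via {blocks}")
        print("  .htaccess consulted:", htaccess_candidates(SAMPLE_CONFIG, wanted) or "none")
```

Run against the real httpd.conf and the vhost files, the output for the directory that "ignores" .htaccess should show the block you expected in the matched list; if only "/" appears, the path in the <Directory> line does not match the directory on disk. Jim's garbage-in-.htaccess test is the complementary check: a 500 error proves the file is read, a normal page proves it is not.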
On Sunday May 3 2009, Duaine & Laura Hechler wrote:
Enough of this bantering.
The fact still remains that apache is still ignoring the .htaccess file.
I have tried various changes to httpd.conf and the default-server.conf
Are you restarting Apache after every change to the configuration file(s)?
...
So what changes are needed in what file?
The on-line documentation for Apache and its many directives is very good and includes examples. Have you consulted it?
Thanks, Duaine
Randall Schulz
Randall R Schulz wrote:
On Sunday May 3 2009, Duaine & Laura Hechler wrote:
Enough of this bantering.
The fact still remains that apache is still ignoring the .htaccess file.
I have tried various changes to httpd.conf and the default-server.conf
Are you restarting Apache after every change to the configuration file(s)?
Yes
...
So what changes are needed in what file?
The on-line documentation for Apache and its many directives is very good and includes examples. Have you consulted it?
Yes
On Sun, 03 May 2009 12:52:32 -0700, Randall R Schulz wrote:
Yes, I did. BASH is the default shell in openSUSE. Absent explicit information to the contrary, it's a reasonable assumption to make.
Fine, you were right and I was wrong. Feel better now? ;-) Jim -- Jim Henderson Please keep on-topic replies on the list so everyone benefits
Jim Henderson wrote:
On Sat, 02 May 2009 22:54:41 -0500, Duaine & Laura Hechler wrote:
a2enmod -q rewrite || echo "module not installed or enabled in apache configuration!"
Last command returns:
-bash: !": event not found
Sounds like it's interpreting the "!" incorrectly. Try just:
a2enmod -q rewrite || echo "no"
Does it do the same thing?
Jim
That returns nothing - just back to the prompt -- Duaine Hechler Piano, Player Piano, Pump Organ Tuning, Servicing & Rebuilding Reed Organ Society Member Florissant, MO 63034 (314) 838-5587 dahechler@att.net www.hechlerpianoandorgan.com -- Home & Business user of Linux - 10 years
On Saturday 02 May 2009 11:41:57 pm Duaine & Laura Hechler wrote:
That returns nothing - just back to the prompt
That means rewrite is in action. -- Regards, Rajko http://news.opensuse.org/category/people-of-opensuse/
Rajko M. wrote:
On Saturday 02 May 2009 11:41:57 pm Duaine & Laura Hechler wrote:
That returns nothing - just back to the prompt
That means rewrite is in action.
Ok, then how do I get apache to read the .htaccess file in /srv/www/htdos/openfreeway directory -- Duaine Hechler Piano, Player Piano, Pump Organ Tuning, Servicing & Rebuilding Reed Organ Society Member Florissant, MO 63034 (314) 838-5587 dahechler@att.net www.hechlerpianoandorgan.com -- Home & Business user of Linux - 10 years
Duaine & Laura Hechler wrote:
Rajko M. wrote:
On Saturday 02 May 2009 11:41:57 pm Duaine & Laura Hechler wrote:
That returns nothing - just back to the prompt
That means rewrite is in action.
Ok, then how do I get apache to read the .htaccess file in /srv/www/htdos/openfreeway directory
You nominate "/srv/www/htdos/openfreeway" as the DocumentRoot for a website that your apache is serving. /Per -- Per Jessen, Zürich (11.4°C)
On Saturday, 2009-05-02 at 22:54 -0500, Duaine & Laura Hechler wrote:
a2enmod -q rewrite || echo "module not installed or enabled in apache configuration!"
Last command returns:
-bash: !": event not found
The "||" are pipe bars, not exclamations. -- Cheers, Carlos E. R.
On Sunday May 3 2009, Carlos E. R. wrote:
On Saturday, 2009-05-02 at 22:54 -0500, Duaine & Laura Hechler wrote:
a2enmod -q rewrite || echo "module not installed or enabled in apache configuration!"
Last command returns:
-bash: !": event not found
The "||" are pipe bars, not exclamations.
Not when double. The || is a "conditional or," meaning do the command on the right if the command on the left returns a failed (non-zero) exit status. The diagnostic came from the ! in the string.
-- Cheers, Carlos E. R.
Randall Schulz
On Sunday, 2009-05-03 at 06:10 -0700, Randall R Schulz wrote:
The "||" are pipe bars, not exclamations.
Not when double. The || is a "conditional or," meaning do the command on the right if the command on the left returns a failed (non-zero) exit status.
I know that, but I don't know the English name, so I call them "pipe bars". -- Cheers, Carlos E. R.
Hi, In Suse we have a great tool like YAST to configure the firewall, but desktop users face a problem when they try to run some program whose request to open a port is silently dropped by the firewall.. and they need to see the log and then open the port manually and then execute the program again... I believe there should be an interactive tool which will handle this situation..
For example: if a user executes a program (say xyz) which needs an open port, the firewall should prompt the user that program xyz wants to open this port and ask for approval (say the user needs to enter the superuser password), and the firewall will automatically allow the request and open the required port.
So, if anybody knows about any interactive firewall which can be used in Suse or OpenSuse.. please post here. Thanks Prasun
Prasun Dhara wrote:
Hi, In Suse we have a great tool like YAST to configure the firewall, but desktop users face a problem when they try to run some program whose request to open a port is silently dropped by the firewall.. and they need to see the log and then open the port manually and then execute the program again... I believe there should be an interactive tool which will handle this situation..
For example: if a user executes a program (say xyz) which needs an open port, the firewall should prompt the user that program xyz wants to open this port and ask for approval (say the user needs to enter the superuser password), and the firewall will automatically allow the request and open the required port.
So, if anybody knows about any interactive firewall which can be used in Suse or OpenSuse.. please post here.
Thanks Prasun
Are you sure you want users to modify the firewall? That would create a huge security hole. Is there not some other method of doing what you want? -- Use OpenOffice.org <http://www.openoffice.org>
Prasun Dhara pecked at the keyboard and wrote:
So, if anybody knows about any interactive firewall which can be used in Suse or OpenSuse.. Please post here.
Thanks Prasun
http://en.opensuse.org/Opensuse_mailing_list_netiquette#Changing_the_subject... Your request can be lost when you simply change the subject line of an existing thread. Just trying to be helpful on how to start a new message. -- Ken Schneider SuSe since Version 5.2, June 1998
On Sunday, 2009-05-03 at 08:05 -0700, Prasun Dhara wrote:
Hi,
Your method of posting this email is called "kidnapping a thread". Please don't.
In Suse we have a great tool like YAST to configure the firewall, but desktop users face a problem when they try to run some program whose request to open a port is silently dropped by the firewall.. and they need to see the log and then open the port manually and then execute the program again... I believe there should be an interactive tool which will handle this situation..
For example: if a user executes a program (say xyz) which needs an open port, the firewall should prompt the user that program xyz wants to open this port and ask for approval (say the user needs to enter the superuser password), and the firewall will automatically allow the request and open the required port.
That would be a security risk, so the answer would be "no". If you really trust a user to do that, you could trust that user with the root password. Or a sudo script. Can you give an example of a desktop app that needs such risky behaviour in Linux? I can't think of any. -- Cheers, Carlos E. R.
On Mon, 4 May 2009 04:54:29 Carlos E. R. wrote:
On Sunday, 2009-05-03 at 08:05 -0700, Prasun Dhara wrote:
Hi,
Your method of posting this email is called "kidnapping a thread". Please don't.
In Suse we have a great tool like YAST to configure the firewall, but desktop users face a problem when they try to run some program whose request to open a port is silently dropped by the firewall.. and they need to see the log and then open the port manually and then execute the program again... I believe there should be an interactive tool which will handle this situation..
For example: if a user executes a program (say xyz) which needs an open port, the firewall should prompt the user that program xyz wants to open this port and ask for approval (say the user needs to enter the superuser password), and the firewall will automatically allow the request and open the required port.
That would be a security risk, so the answer would be "no". If you really trust a user to do that, you could trust that user with the root password. Or a sudo script.
Can you give an example of a desktop app that needs such risky behaviour in Linux? I can't think of any.
I think what he may be referring to is something like BitTorrent or other uPnP-capable apps. Many DSL-type routers these days support uPnP, where BT can punch a hole in the firewall to allow sharing during the period when it is running - when the app closes the firewall should automatically shut off the port again. Personally, I don't like the idea, but it is out there and it does work. I'm not sure though that the openSuse firewall (or iptables generally) supports it. Cheers, Rodney. -- =================================================== Rodney Baker VK5ZTV rodney.baker@iinet.net.au ===================================================
On Tuesday, 2009-05-05 at 00:37 +0930, Rodney Baker wrote:
I think what he may be referring to is something like BitTorrent or other uPnP-capable apps. Many DSL-type routers these days support uPnP where BT can punch a hole in the firewall to allow sharing during the period when it is running - when the app closes the firewall should automatically shut off the port again.
Ah, yes. It triggers when it sees a certain port going out, and responds by opening certain other ports going in. It may combine with NAT by sending those incoming packets to the computer that "opened" the door in the wall first. I tried it, and it didn't work so well; my router hung. A fixed configuration seems to be more reliable.
Personally, I don't like the idea, but it is out there and it does work. I'm not sure though that the openSuse firewall (or iptables generally) supports it.
No, I have no idea how to implement that. Some clever scripting, perhaps. -- Cheers, Carlos E. R.
On Mon, May 4, 2009 at 11:43 AM, Carlos E. R. <robin.listas@telefonica.net> wrote:
On Tuesday, 2009-05-05 at 00:37 +0930, Rodney Baker wrote:
I think what he may be referring to is something like BitTorrent or other uPnP-capable apps. Many DSL-type routers these days support uPnP where BT can punch a hole in the firewall to allow sharing during the period when it is running - when the app closes the firewall should automatically shut off the port again.
Ah, yes. It triggers when it sees a certain port going out, and responds by opening certain other ports going in. It may combine with NAT by sending those incoming packets to the computer that "opened" the door in the wall first.
I tried it, and it didn't work so well; my router hung. A fixed configuration seems to be more reliable.
Personally, I don't like the idea, but it is out there and it does work. I'm not sure though that the openSuse firewall (or iptables generally) supports it.
No, I have no idea how to implement that. Some clever scripting, perhaps.
-- Cheers, Carlos E. R.
Shorewall supports UPNP. Shorewall is far easier to manage and more flexible than Susefirewall. Shorewall is simply a tool for setting up iptables. http://www.shorewall.net/UPnP.html But, I agree with others, UPNP is NOT a good idea. -- ----------JSA--------- Someone stole my tag line, so now I have this rental.
I think I need to explain a little more about the problem/situation.. Please note I am talking about a desktop PC which will be used only by one user (say me). I want a tool which will alert me (maybe by opening a popup window) if some program tries to open a port (it may be an incoming or outgoing connection request) and also prompt me for approval. If I approve (by providing the su password) the connection should be accepted automatically.
Presently I have the following scenario:
1. whenever I am going to execute some program which needs an open port it is dropped silently.
2. Then I am looking into the log and checking which port the program is trying to open.
3. Then I need to open the port manually from YAST Firewall.
4. Then execute the program again.
For a desktop PC/laptop user I believe this is too much effort to run a simple IRC/messenger-like program.
I also want an alert message
1. if someone from a remote machine tries to connect to my computer
2. if someone from a remote machine tries to run a port scanner on my IP
Does anyone have any idea on how to do this??.. If anyone needs any clarification please tell me, I will clarify again if needed. Thanks Prasun
----- Original Message ---- From: John Andersen <jsamyth@gmail.com> Cc: OS-en <opensuse@opensuse.org> Sent: Tuesday, May 5, 2009 1:54:54 AM Subject: Re: [opensuse] Interactive Firewall Needed
<snip>
On Tuesday, 2009-05-05 at 07:15 -0700, Prasun Dhara wrote:
I think I need to explain a little more about the problem/situation..
Please note I am talking about a desktop PC which will be used only by one user (say me).
I want a tool which will alert me (maybe by opening a popup window) if some program tries to open a port (it may be an incoming or outgoing connection request) and also prompt me for approval. If I approve (by providing the su password) the connection should be accepted automatically.
Presently I have the following scenario:
1. whenever I am going to execute some program which needs an open port it is dropped silently.
2. Then I am looking into the log and checking which port the program is trying to open.
3. Then I need to open the port manually from YAST Firewall.
4. Then execute the program again.
For a desktop PC/laptop user I believe this is too much effort to run a simple IRC/messenger-like program.
I also want an alert message
1. if someone from a remote machine tries to connect to my computer
2. if someone from a remote machine tries to run a port scanner on my IP
Does anyone have any idea on how to do this??.. If anyone needs any clarification please tell me, I will clarify again if needed.
As far as I know, such a thing does not exist in Linux; it is not needed or wanted. If I'm not mistaken, you are describing a behaviour that is typical in Windows, though. You could try programming it yourself (watching the logs, inserting the firewall commands...) About the alerting to outside attempts, they are simply logged, but tools like "snort" do extensive logging/alerting. -- Cheers, Carlos E. R.
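The log-watching half of what Carlos suggests, which is also step 2 of Prasun's procedure (find in the log which port was dropped) and his second alert wish (a remote machine probing many ports), can be done by parsing the firewall log. The script below is an added example for this thread, not code from the list, from SuSEfirewall2 or from any other project: it reads constructed kernel-log lines (RFC 5737 documentation addresses) and assumes the "SFW2-INext-DROP-DEFLT" prefix that SuSEfirewall2 writes for dropped inbound packets on the external zone; it groups drops by protocol and destination port and flags a source that was dropped on many distinct ports.

```python
# Added example (not from the thread): summarise SuSEfirewall2-style DROP
# lines so the port a program needs can be read off in one step, and flag
# sources that hit many different ports.  Log lines are constructed; the
# SFW2-INext-DROP-DEFLT prefix and KEY=VALUE fields are those of iptables
# LOG output as SuSEfirewall2 labels it (an assumption, check your own log).
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple

SAMPLE_LOG = """\
May  5 10:12:01 laptop kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.20 LEN=60 TTL=64 PROTO=TCP SPT=51234 DPT=6667 SYN URGP=0
May  5 10:12:03 laptop kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.20 LEN=60 TTL=64 PROTO=TCP SPT=51235 DPT=6667 SYN URGP=0
May  5 10:12:05 laptop kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.11 DST=192.0.2.20 LEN=52 TTL=64 PROTO=UDP SPT=5353 DPT=5353
May  5 10:13:00 laptop kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.20 LEN=44 TTL=50 PROTO=TCP SPT=40000 DPT=21 SYN URGP=0
May  5 10:13:00 laptop kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.20 LEN=44 TTL=50 PROTO=TCP SPT=40001 DPT=22 SYN URGP=0
May  5 10:13:01 laptop kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.20 LEN=44 TTL=50 PROTO=TCP SPT=40002 DPT=23 SYN URGP=0
May  5 10:13:01 laptop kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.20 LEN=44 TTL=50 PROTO=TCP SPT=40003 DPT=80 SYN URGP=0
May  5 10:13:02 laptop kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.20 LEN=44 TTL=50 PROTO=TCP SPT=40004 DPT=443 SYN URGP=0
May  5 10:14:00 laptop kernel: SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.12 DST=192.0.2.20 LEN=60 TTL=64 PROTO=TCP SPT=45000 DPT=22 SYN URGP=0
"""

_KV = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_drop_line(line: str) -> Optional[Dict[str, str]]:
    """Return the KEY=VALUE fields of a SuSEfirewall2 DROP line, else None.
    Accepted (…-ACC-…) lines and unrelated syslog lines are skipped."""
    if "SFW2-" not in line or "-DROP-" not in line:
        return None
    fields = dict(_KV.findall(line))
    if "SRC" not in fields or "PROTO" not in fields:
        return None
    return fields


def summarize_drops(log_text: str, probe_threshold: int = 5) -> Tuple[Counter, List[str]]:
    """Count drops per (protocol, destination port) and return the sources
    dropped on at least `probe_threshold` distinct ports (port-probe pattern)."""
    by_port: Counter = Counter()
    ports_per_src: Dict[str, set] = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_drop_line(line)
        if f is None:
            continue
        dport = f.get("DPT", "-")  # ICMP lines carry no DPT
        by_port[(f["PROTO"], dport)] += 1
        ports_per_src[f["SRC"]].add(dport)
    probers = sorted(s for s, ports in ports_per_src.items() if len(ports) >= probe_threshold)
    return by_port, probers


def report(log_text: str) -> str:
    """Human-readable summary: the port your IRC client needs is the one at
    the top of the list; a probing source is called out separately."""
    by_port, probers = summarize_drops(log_text)
    out = ["dropped inbound packets by destination port:"]
    for (proto, dport), n in by_port.most_common():
        out.append(f"  {proto}/{dport}: {n}")
    for src in probers:
        out.append(f"  {src} was dropped on many different ports (probable port probe)")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Feed it the lines from /var/log/firewall (or wherever your syslog puts kernel messages) and the TCP/6667 entry at the top of the list is what the messenger program was waiting for. The script deliberately only reports: opening the port stays a deliberate YaST step, which keeps the decision with the person rather than with a pop-up, the point Lee makes later in the thread.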
On Tue, 2009-05-05 at 07:15 -0700, Prasun Dhara wrote:
I think I need to explain a little more about the problem/situation..
Please note I am talking about a desktop PC which will be used only by one user (say me).
I want a tool which will alert me (maybe by opening a popup window) if some program tries to open a port (it may be an incoming or outgoing connection request) and also prompt me for approval. If I approve (by providing the su password) the connection should be accepted automatically.
Presently I have the following scenario:
1. whenever I am going to execute some program which needs an open port it is dropped silently.
2. Then I am looking into the log and checking which port the program is trying to open.
3. Then I need to open the port manually from YAST Firewall.
4. Then execute the program again.
For a desktop PC/laptop user I believe this is too much effort to run a simple IRC/messenger-like program.
I also want an alert message
1. if someone from a remote machine tries to connect to my computer
2. if someone from a remote machine tries to run a port scanner on my IP
Does anyone have any idea on how to do this??.. If anyone needs any clarification please tell me, I will clarify again if needed.
Thanks Prasun
<SNIP> What you asked for is similar functionality to that provided by many MS-Windows based Personal Firewalls, e.g., you want everything closed and depend upon the application to open certain port(s). The problem with the current firewalls under U/Linux is that they are based on the previous assumption that you provide services only, so that the ports to use were known in advance. Now Linux is growing into the consumer realm, this is no longer satisfactory. Simply because consumers must be assumed to be ignorant about the underlying techniques, including technical protocols. So, your question is clear, but I can't answer it at the moment. I never tried it, but maybe AppArmor can? Maybe someone else has a suggestion? Frans.
At 04:59 PM 5/5/2009 +0200, Frans de Boer wrote:
So, your question is clear, but I can't answer it at the moment. I never tried it, but maybe AppArmor can? Maybe someone else has a suggestion?
Frans.
AppArmor is designed for servers, however OpenSuSE's built-in firewall works *almost* like the OP's requirements, the difference being the user is required to know in advance to open the port. A few mouse clicks, and it's done. The fallacy with the OP's argument about 'popping up a dialog box to allow that application' is that all Windoze users are conditioned to hit that OK button for EVERYTHING, so a confirmation dialog is just as bad as no security at all. Lee
On Tue, 2009-05-05 at 10:06 -0500, L. V. Lammert wrote:
At 04:59 PM 5/5/2009 +0200, Frans de Boer wrote:
So, your question is clear, but I can't answer it at the moment. I never tried it, but maybe AppArmor can? Maybe someone else has a suggestion?
Frans.
AppArmor is designed for servers, however OpenSuSE's built-in firewall works *almost* like the OP's requirements, the difference being the user is required to know in advance to open the port. A few mouse clicks, and it's done.
The fallacy with the OP's argument about 'popping up a dialog box to allow that application' is that all Windoze users are conditioned to hit that OK button for EVERYTHING, so a confirmation dialog is just as bad as no security at all.
Lee
I agree with Lee that it's bad security practice; however, the solution requiring you to know the ports to be used in advance is also not working. Normal customers don't know how to, so just open everything. More skilled users can not always find the required port numbers to open and revert to the practice described before. The best of both is then to use the PF with pop-up windows approach for basic customers and allow legacy behavior for more skilled users. Frans.
At 05:19 PM 5/5/2009 +0200, Frans de Boer wrote:
I agree with Lee that it's bad security practice, however, the solution requiring you to know the ports to be used in advance is also not working. Normal customers don't know how to, so just open everything. More skilled users can not always find the required port numbers to open and revert to the practice described before.
Au contraire, .. that's why we *support* our clients - if they need a port opened for some reason, we just log in remotely & do it for them [as we would for all systems affected], or use ZenWorks. Helps justify a support agreement! I would argue that you don't really HAVE such requirements for 'typical' users, as their needs can be predicted by work or fiat well in advance. Lee
On Tue, 2009-05-05 at 10:31 -0500, L. V. Lammert wrote:
At 05:19 PM 5/5/2009 +0200, Frans de Boer wrote:
I agree with Lee that it's bad security practice; however, the solution requiring you to know the ports to be used in advance is also not working. Normal customers don't know how to, so just open everything. More skilled users can not always find the required port numbers to open and revert to the practice described before.
Au contraire, .. that's why we *support* our clients - if they need a port opened for some reason, we just log in remotely & do it for them [as we would for all systems affected], or use ZenWorks. Helps justify a support agreement! I would argue that you don't really HAVE such requirements for 'typical' users, as their needs can be predicted by work or fiat well in advance.
Lee
It seems that you are talking about corporate users, which is a whole different ballgame. I recall that I was talking about consumers, who do not have remote support. If Linux and/or other OSS is not accepted by consumers, my bet is that most corporate desktops will have MS-Windows on them for a long time to come. Why: most consumers do not want to learn something new AND become a specialist at the same time. For most of them, a computer is just a box which delivers services on demand, without too much or even any hassle. For comparison: to drive a car you need to know some rules of engagement, but you're not required to know anything about the internals of the car. Frans.
On Tuesday, 2009-05-05 at 20:18 +0200, Frans de Boer wrote:
On Tue, 2009-05-05 at 10:31 -0500, L. V. Lammert wrote:
Au contraire, .. that's why we *support* our clients - if they need a port opened for some reason, we just login remotely & do it for them [as we would for all systems affected], or use ZenWorks. Helps justify a support agreement! I would argue that you don't really HAVE such requirements for 'typical' users, as their needs can be predicted by work or fiat well in advance.
It seems that you are talking about corporate users, which is a whole different ballgame. I recall that I was talking about consumers, who do not have remote support.
But they should! A user either knows how to properly "admin" the equipment he is using, or should hire expert help. Same thing as we do for cars, we pay a mechanic to maintain it. -- Cheers, Carlos E. R.
On Tuesday 05 May 2009 05:24:05 pm Carlos E. R. wrote:
It seems that you are talking about corporate users, which is a whole different ballgame. I recall that I was talking about consumers, who do not have remote support.
But they should!
A user either knows how to properly "admin" the equipment he is using, or should hire expert help. Same thing as we do for cars, we pay a mechanic to maintain it.
The request for someone to learn firewall internals in order to open ports is the same as asking a car owner to know how to tune cars in order to use them. Some will do that, but the majority see a car as a way to go from point A to point B, not a bit more.
Having a program that will monitor all ports and notify the user that some application wants to go out is not out of mind. That is a way better option than having all ports closed, making applications fail, or forcing the user to shut down the firewall. What that monitor will do is the same as the user will do with much more hassle. It will record port, destination IP and application name, notify the user and, after [yes], [yes, log traffic], or [no], perform the action. Currently, to do such a thing, you probably have to start the application, look at the logs, note ports and destinations, open ports and allow traffic to the destination IP in the firewall, and run the application again.
In general, automating processes is the purpose of computers. Advocating the hard way of doing things is not really in that spirit. Taking user security as an argument for the hard way doesn't make much sense. No one can protect a person that wants to do something stupid. People run computers as root, go to the Internet as root, turn off the firewall, use passwordless login, and so on. Making firewall use hard for those that would like to use it, but also want applications that work, is counterproductive. Some will turn the firewall off, others will erase Linux and go back to an OS that has a firewall that doesn't make life harder than it should be. -- Regards, Rajko http://news.opensuse.org/category/people-of-opensuse/
On Tue, 5 May 2009, Rajko M. wrote:
On Tuesday 05 May 2009 05:24:05 pm Carlos E. R. wrote:
The request for someone to learn firewall internals in order to open ports is the same as asking a car owner to know how to tune cars in order to use them. Some will do that, but the majority see a car as a way to go from point A to point B, not a bit more.
Sorry, you have missed the support equation entirely! A *USER* should never be asked to open a port, as that request might have come from some malicious program! If they KNOW it is a valid request, it's only three or four mouse clicks to turn on that port - no internal knowledge needed.
Having a program that will monitor all ports and notify the user that some application wants to go out is not out of mind. That is a way better option than having all ports closed, making applications fail, or forcing the user to shut down the firewall.
Sorry, not true either. The system comes configured with standard ports open, and any other required ports would be opened at installation. Under normal circumstances, the user would never see a request to open a port; if he/she DOES, it is highly likely that some malicious application is the cause, OR a new application is being installed, which should have been monitored by a qualified professional anyway.
What that monitor will do is the same as user will do with much more hassle. It will record port, destination IP and application name. Notify user and after, [yes], [yes, log traffic], or [no], perform action.
No, no, no! Training users to always click on the "YES" button is absolutely no security at all. Why do you think Vista had so many problems? USERS are not qualified to make a security decision.

Lee
==============================================
Leland V. Lammert lvl@omnitec.net Chief Scientist Omnitec Corporation Network/Internet Consultants www.omnitec.net
==============================================
On Tuesday 05 May 2009 09:34:11 pm L. V. Lammert wrote:
On Tue, 5 May 2009, Rajko M. wrote:
On Tuesday 05 May 2009 05:24:05 pm Carlos E. R. wrote:
The request for someone to learn firewall internals in order to open ports is the same as to ask car owner to know how to tune cars in order to use them. Some will do that, but majority see car as a way to go from point A to point B, not a bit more.
Sorry, you have missed the support equation entirely! A *USER* should never be asked to open a port, as that request might have come from some malicious program!
It seems that you never used a personal firewall in that other OS, at least not the paid-for version. The user is asked whether he would let application [name] access the Internet, with an offer to give more details if the user wants. So, if you see some application attempting to access the Internet, and you are not sure, you click the link to more information and read what the firewall creators have to say. Can you imagine a better option for a user that is not a specialist for computers? You can argue that Windows users are used to OK'ing everything, but such a user will ask how to disable the firewall, and knowing helpful Linux guys, he will get the information, or he will not ask anything and trash Linux.
If they KNOW it is a valid request, it's only three or four mouse clicks to turn on that port - no internal knowledge needed.
How would they know? Today even kwrite is networked, and second, how should you, as someone new to Linux, know which application is benevolent and which not? Which port? Applications try to access a port, but never tell you which. Some, after failed attempts, will tell you what ports are needed, but not many.
Having a program that will monitor all ports and notify the user that some application wants to go out is not out of mind. That is a way better option than having all ports closed, making the application fail, or forcing the user to shut down the firewall.
Sorry, not true either. The system comes configured with standard ports open, and any other required ports would be opened at installation.
Well, if applications are installed that way, why do we have those like Samba that fail royally on my own LAN? CUPS doesn't work on the same LAN, and probably more.
Under normal circumstances, the user would never see a request to open a port; if he/she DOES, it is highly likely that some malicious application is the cause, OR a new application is being installed, which should have been monitored by a qualified professional anyway.
Should I hire a qualified professional to make Samba or CUPS work? I'm sure, if I were less of a do-it-yourself guy, I would take another approach: ditch the non-working OS and go back to a working one. Continue to pay for a firewall that is a bit more verbose than the Linux one, pay for antivirus software, have a normal user for everything but administration, apply common sense in other activities, like don't open attachments, don't visit dark corners of the web, and have an OS that prints when I want, connects to other computers on the LAN without asking me for a PhD in a couple of computer disciplines.
What that monitor will do is the same as user will do with much more hassle. It will record port, destination IP and application name. Notify user and after, [yes], [yes, log traffic], or [no], perform action.
No, no, no! Training users to always click on the "YES" button is absolutely no security at all. Why do you think Vista had so many problems? USERS are not qualified to make a security decision.
Users that always OK without reading you can't protect. They sign more serious things without reading them. That is just the kind of people that jump first and then hope that all will end well. Harassing the rest would not increase computer security a bit. Although, I can agree that asking the user to decide whether some application should go to the Internet, without providing additional informational resources, is equivalent to training them to click OK. The solution is not to give the ability to poke a hole in the firewall without providing additional information to those that ask for it. IMHO, the second part of the solution is actually more demanding on developers than the first. It requires permanent maintenance and updating of information. Taking current problems with similar tasks, like providing current application manuals and troubleshooting guides, it seems that we will wait a bit until the community builds resources for such a task.

-- Regards, Rajko http://news.opensuse.org/category/people-of-opensuse/
Thank you everyone for your valuable suggestions. I agree that knowing in advance the port number which will be used by a program is very secure. No doubt in it. But just imagine a situation:

--> One person (not an expert in Linux security) installed Linux on his laptop for his personal use.
--> For security reasons he kept all his ports closed on the internal and external interface. (By default in openSUSE all ports are closed on the external interface.) [Yes, it's a very good security policy.]
--> Now he wants to listen to a song, so he needs to run a player (say Kaffeine or VLC or Amarok etc.). These players also need some open port. So whenever he tries to run the application, the request is silently dropped. [In this situation do we expect him to call a *SUPPORT* team and pay them? Isn't it ridiculous to call a security support team to listen to music??]
--> Now he wants to chat/voice chat with someone using a VoIP messenger. But since this program also needs an open port, he can't do voice chat. Even if all ports are open on the internal interface, no one from outside can call him, since all ports are closed on the external interface. [In this situation do we expect him to call a *SUPPORT* team and pay them? Isn't it ridiculous to call a security support team to chat with someone??]
--> I believe that actually to grow in the desktop market and to make Linux popular and reach everyone we need to think from their point of view, not from a Linux server admin's point of view.

I request all of you to correct me on whichever statement I made incorrectly. Thanks again to all of you.

Thanks Prasun

----- Original Message ---- From: Rajko M. <rmatov101@charter.net> To: opensuse@opensuse.org Sent: Wednesday, May 6, 2009 9:17:55 AM Subject: Re: [opensuse] Interactive Firewall Needed
On Tue, 5 May 2009, Rajko M. wrote:
On Tuesday 05 May 2009 09:34:11 pm L. V. Lammert wrote:
It seems that you never used personal firewall in that other OS, at least not paid for version. User is asked would he let application [name] to access Internet, with offer to give more details if user wants. So, if you see some application attempting to access Internet, and you are not sure, you click link to more information and read what firewall creators have to say.
Sorry, your assumptions are wrong on both counts. A *USER* should not be put in a position of knowing what is secure or not - that is just good security practice. Besides, if the system is installed and supported correctly, the question will never arise.
Can you imagine better option for user that is not specialist for computers?
Yes. Have them call support! Again, *USERS* are not security knowledgeable.
If they KNOW it is a valid request, it's only three or four mouse clicks to turn on that port - no internal knowledge needed.
How would they know?
Maybe they need to call help? Again, *USERS* are not links in a security chain, except for training to *NOT* click on 'OK'.
Today even kwrite is networked, and second, how you as new to Linux should know which application is benevolent and which not.
If you don't know, you shouldn't be answering the question.
Which port? Applications try to access port, but never tell you which. Some, after failed attempts will tell you what ports are needed, but not many.
Well, you can always Google, or look at services, or look at the firewall config (standard services are listed). Have YOU ever looked at the firewall that runs with the OS that is the subject of this list? It would appear not.
Well, if applications are installed that way, why do we have those like Samba that fail royally on my own LAN? CUPS doesn't work on the same LAN, and probably more.
Probably because a qualified sysadmin has not done the setup?
Under normal circumstances, the user would never see a request to open a port; if he/she DOES, it is highly likely that some malicious application is the cause, OR a new application is being installed, which should have been monitored by a qualified professional anyway.
Should I hire a qualified professional to make Samba or CUPS work?
If you don't wish to learn what's going on, then yes. If you are supporting clients/customers, that's why we have support agreements.
I'm sure, if I were less of a do-it-yourself guy, I would take another approach: ditch the non-working OS and go back to a working one.
Why not? Seems like an improvement for all.

Lee
On Wed, 06 May 2009 08:43:32 -0500, L. V. Lammert wrote:
Sorry, your assumptions are wrong on both counts. A *USER* should not be put in a position of knowing what is secure or not - that is just good security practice.
It's not a question of the user being put in that position, it's (as Prasun points out) a question of the user knowing they launched an application and that application needs access to resources external to the machine.

Have you ever used a product like ZoneAlarm on Windows? That's the model they're talking about, and it's very good because it puts the user in control and gives the user information.

You seem to be asserting that all users are conditioned to say "OK" or "Yes" to everything. That assertion is a false assertion, easily provable by me introducing the example of my mother, who I have trained to not just agree to anything the computer asks her. She's not a computer expert, and she doesn't need to know that port 1234 is needed for application FooBizBan on her machine. But when she launches FooBizBan and does something with it that requires access to the Internet, she is asked "Application FooBizBan is attempting to access the Internet. Do you wish to allow this?" If she recognizes the application as one she's just started, she knows to allow it.

Jim -- Jim Henderson Please keep on-topic replies on the list so everyone benefits
On Wednesday, 2009-05-06 at 15:35 -0000, Jim Henderson wrote:
Have you ever used a product like ZoneAlarm on Windows? That's the model they're talking about, and it's very good because it puts the user in control and gives the user information.
It is a model that, AFAIK, can not be ported to Linux, simple as that. See my other mail for "why".

-- Cheers, Carlos E. R.
On Wed, 06 May 2009 21:06:08 +0200, Carlos E. R. wrote:
Have you ever used a product like ZoneAlarm on Windows? That's the model they're talking about, and it's very good because it puts the user in control and gives the user information.
It is a model that, AFAIK, can not be ported to Linux, simple as that. See my other mail for "why".
I saw your post, but I disagree with the logic behind your reasons. For one thing, you assert that one Linux app can never know what port another has opened (correct me if I've misread this). Try "lsof -i" on your system sometime.

Jim -- Jim Henderson Please keep on-topic replies on the list so everyone benefits
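Jim's "lsof -i" point, as an added example that is not part of the thread: a small Python tool that reads the kernel's socket table from /proc/net/tcp and resolves each socket's inode to the owning process through the /proc/<pid>/fd symlinks, which is how lsof ties a port to an application. The /proc/net/tcp lines embedded below are constructed for illustration, not captured from a real host; the live scan of /proc needs root to see other users' processes.

```python
import os
import socket
import struct
from dataclasses import dataclass

# Constructed sample of /proc/net/tcp (not captured from a real host):
# a listener on 0.0.0.0:631 (CUPS-style), one on 127.0.0.1:25, and one
# established connection from 10.0.0.10 to 203.0.113.5:443 owned by uid 1000.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0A00000A:D431 057100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 20 4 30 10 -1
"""

# TCP state codes as the kernel prints them in the "st" column
TCP_ESTABLISHED = 0x01
TCP_LISTEN = 0x0A


@dataclass
class Sock:
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: int
    uid: int
    inode: int


def _decode_addr(field: str):
    """Turn 'HHHHHHHH:PPPP' into (dotted_ip, port).

    The kernel prints the IPv4 address as one little-endian 32-bit hex word,
    so the byte order has to be reversed before formatting it.
    """
    hex_ip, hex_port = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
    return ip, int(hex_port, 16)


def parse_proc_net_tcp(text: str) -> list:
    """Parse the text of /proc/net/tcp into Sock records (header line skipped)."""
    socks = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] == "sl" or len(f) < 10:
            continue
        lip, lport = _decode_addr(f[1])
        rip, rport = _decode_addr(f[2])
        socks.append(Sock(lip, lport, rip, rport, int(f[3], 16), int(f[7]), int(f[9])))
    return socks


def socket_inode_owners(proc_root: str = "/proc") -> dict:
    """Map socket inode -> (pid, comm) by reading every /proc/<pid>/fd symlink.

    Sockets show up as 'socket:[INODE]' targets; fds of processes we may not
    inspect (other users, without root) are skipped rather than treated as an error.
    """
    owners = {}
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # process gone, or not ours
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if target.startswith("socket:["):
                inode = int(target[len("socket:["):-1])
                try:
                    with open(os.path.join(proc_root, pid, "comm")) as fh:
                        comm = fh.read().strip()
                except OSError:
                    comm = "?"
                owners[inode] = (int(pid), comm)
    return owners


def listening_sockets(text: str, owners: dict) -> list:
    """Return (ip, port, uid, pid, comm) for every LISTEN socket; pid/comm are None if unmapped."""
    rows = []
    for s in parse_proc_net_tcp(text):
        if s.state != TCP_LISTEN:
            continue
        pid, comm = owners.get(s.inode, (None, None))
        rows.append((s.local_ip, s.local_port, s.uid, pid, comm))
    return rows


if __name__ == "__main__":
    # On Linux read the live table; elsewhere fall back to the constructed sample.
    try:
        with open("/proc/net/tcp") as fh:
            table = fh.read()
        owners = socket_inode_owners()
    except OSError:
        table, owners = SAMPLE_PROC_NET_TCP, {}
    for ip, port, uid, pid, comm in listening_sockets(table, owners):
        print(f"{ip}:{port} uid={uid} pid={pid} comm={comm}")
```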
On Wednesday, 2009-05-06 at 19:25 -0000, Jim Henderson wrote:
Have you ever used a product like ZoneAlarm on Windows? That's the model they're talking about, and it's very good because it puts the user in control and gives the user information.
It is a model that, AFAIK, can not be ported to Linux, simple as that. See my other mail for "why".
I saw your post, but I disagree with the logic behind your reasons.
For one thing, you assert that one Linux app can never know what port another has opened (correct me if I've misread this). Try "lsof -i" on your system sometime.
Yes, that's possible. But the packets are not linked to apps; the firewall doesn't know from which app a packet comes (unless the packet is previously "marked"). Plus, SuSEfirewall2 does not block outgoing packets, meaning that an application can freely send packets outside, even binding to a port for incoming packets. What the firewall will not be able to determine is that an incoming packet from the outside is in fact meant for that application. It can be assumed, but not known, as it comes from outside. Thus the popup message given in Windows is not possible here; the firewall works very differently.

-- Cheers, Carlos E. R.
On Wed, 06 May 2009 21:40:49 +0200, Carlos E. R. wrote:
For one thing, you assert that one Linux app can never know what port another has opened (correct me if I've misread this). Try "lsof -i" on your system sometime.
Yes, that's possible.
But the packets are not linked to apps; the firewall doesn't know from which app a packet comes (unless the packet is previously "marked"). Plus, SuSEfirewall2 does not block outgoing packets, meaning that an application can freely send packets outside, even binding to a port for incoming packets.
The SUSE Firewall is based on iptables, isn't it? Having played with tor and tork a little bit, the "failsafe mode" intercepts all traffic (TCP at least) and filters it through tor to be routed to the tor network. That means that this would theoretically be possible using the SUSE firewall.
What the firewall will not be able to determine is that, an incoming packet from the outside is in fact meant for that application. It can be assumed, but not known, as it comes from outside.
Thus the popup message given in Windows is not possible here, the firewall works very differently.
If I were to respond to this comment in a hyperbolic sense, I'd say that the logical conclusion is that Linux is not as advanced as Windows. ;-) Of course you and I both know that's not the case. To say that something that's done on Windows simply isn't possible on Linux really stretches the truth. With Linux, where there's a will, there's generally a way.

To respond in a non-hyperbolic way, I'd point out that ZA doesn't use the Windows firewall either. It provides its own.

Jim -- Jim Henderson Please keep on-topic replies on the list so everyone benefits
On Wednesday 06 May 2009 21:40:49 Carlos E. R. wrote:
But the packets are not linked to apps
Network packets? Depends on when you look at them. Once they've passed down the protocol stack that is perfectly true, but why wait that long? You could prevent the application from calling the syscalls to open a socket in the first place.
Thus the popup message given in Windows is not possible here, the firewall works very differently.
If you restrict yourself to iptables, that may be. But why do that? Still, I'm not sure if the desired security model you're aiming for here is something to be desired.

Anders
On Wednesday, 2009-05-06 at 22:21 +0200, Anders Johansson wrote:
On Wednesday 06 May 2009 21:40:49 Carlos E. R. wrote:
But the packets are not linked to apps
Network packets? Depends on when you look at them. Once they've passed down the protocol stack that is perfectly true, but why wait that long? You could prevent the application from calling the syscalls to open a socket in the first place.
Ah, interesting. But are there any plans of implementing such a thing? AppArmor could perhaps be modified to look at that.
Thus the popup message given in Windows is not possible here, the firewall works very differently.
If you restrict yourself to iptables, that may be. But why do that.
Still, I'm not sure if the desired security model you're aiming for here is something to be desired
Which one, that of popping up messages to ask the user for permission to open ports? No, I'm not proposing that, it is somebody else.

-- Cheers, Carlos E. R.
(apologies for the direct reply) Jim Henderson wrote:
On Wed, 06 May 2009 08:43:32 -0500, L. V. Lammert wrote:
Sorry, your assumptions are wrong on both counts. A *USER* should not be put in a position of knowing what is secure or not - that is just good security practice.
It's not a question of the user being put in that position, it's (as Prasun points out) a question of the user knowing they launched an application and that application needs access to resources external to the machine.
Have you ever used a product like ZoneAlarm on Windows? That's the model they're talking about, and it's very good because it puts the user in control and gives the user information.
ZoneAlarm is a commercial product made by people in a country with a vested interest in snooping on everyone else in the world. What ZA itself sends "home" it doesn't tell you. If you think you're safe with something like that on your PC, then I certainly hope you're behind a firewall managed by a network admin who is smarter than you in these matters.
No problem on the direct reply, I'll just duplicate my reply here. :-) On Wed, 06 May 2009 22:18:00 +0200, Theo van Werkhoven wrote:
Have you ever used a product like ZoneAlarm on Windows? That's the model they're talking about, and it's very good because it puts the user in control and gives the user information.
ZoneAlarm is a commercial product made by people in a country with a vested interest in snooping on everyone else in the world. What ZA itself sends "home" it doesn't tell you. If you think you're safe with something like that on your PC, then I certainly hope you're behind a firewall managed by a network admin who is smarter than you in these matters.
That's paranoid talk and assumes that nobody has stuck Wireshark on the wire to see what it's sending home. But even if it is true, doesn't that seem to support the idea that an OSS alternative might be a good idea? As for me, I use Linux, not Windows, so I don't run ZA personally.

Jim -- Jim Henderson Please keep on-topic replies on the list so everyone benefits
On 06 May 09, Jim Henderson wrote:
On Wed, 06 May 2009 08:43:32 -0500, L. V. Lammert wrote:
Sorry, your assumptions are wrong on both counts. A *USER* should not be put in a position of knowing what is secure or not - that is just good security practice.
It's not a question of the user being put in that position, it's (as Prasun points out) a question of the user knowing they launched an application and that application needs access to resources external to the machine.
Then they need to learn who to ask to set it up if the application is going to complicate things that way.
Have you ever used a product like ZoneAlarm on Windows? That's the model they're talking about, and it's very good because it puts the user in control and gives the user information.
It "puts a user in control" all right...of nothing they could really give a crud about! Of all the customers I had when I repaired W98 (about 50 +/-), a total of one actually tried to understand how to use ZoneAlarm correctly and even why the heck it was there in the first place. The rest...I would eventually end up at their house again and see they simply made it so ZA would let everything and anything through. The reason(s) given? There was only one reason ever given by all the others - it bothered me too much! "Control" means knowing and caring what the heck one is doing with that control.
You seem to be asserting that all users are conditioned to say "OK" or "Yes" to everything.
Yes, as in my own example above.
That assertion is a false assertion, easily provable by me introducing the example of my mother, who I have trained to not just agree to anything the computer asks her.
Yay for her. One of the extremely few who actually listen...or does she? You say you've trained her, but you don't actually know she follows those rules 100% of the time, unless you're standing there 100% of the time to watch her. Either way, my 49 (my mom uses Linux, so she doesn't count) trumps your 1.

-- "Any man who says he is an American, but something else also, isn't an American at all. We have room for but one flag, the American flag… We have room for but one language here, and that is the English language… and we have room for but one sole loyalty and that is a loyalty to the American people." -Theodore Roosevelt 1907
On Wed, 06 May 2009 15:43:37 -0500, JB2 wrote:
On 06 May 09, Jim Henderson wrote:
On Wed, 06 May 2009 08:43:32 -0500, L. V. Lammert wrote:
Sorry, your assumptions are wrong on both counts. A *USER* should not be put in a position of knowing what is secure or not - that is just good security practice.
It's not a question of the user being put in that position, it's (as Prasun points out) a question of the user knowing they launched an application and that application needs access to resources external to the machine.
Then they need to learn who to ask to set it up if the application is going to complicate things that way.
This statement makes no sense to me.
"Control" means knowing and caring what the heck one is doing with that control.
I don't disagree with that.
That assertion is a false assertion, easily provable by me introducing the example of my mother, who I have trained to not just agree to anything the computer asks her.
Yay for her. One of the extremely few who actually listen...or does she? You say you've trained her, but you don't actually know she follows those rules 100% of the time, unless you're standing there 100% of the time to watch her.
Either way, my 49 (my mom uses Linux, so she doesn't count) trumps your 1.
I'll raise you a Fortune 50 company with over a quarter of a million employees that I worked for, if you're interested in one-upmanship. But that doesn't really help the discussion now, does it?

Jim -- Jim Henderson Please keep on-topic replies on the list so everyone benefits
On Wednesday 06 May 2009 08:43:32 am L. V. Lammert wrote:
On Tue, 5 May 2009, Rajko M. wrote:
On Tuesday 05 May 2009 09:34:11 pm L. V. Lammert wrote:
It seems that you never used personal firewall in that other OS, at least not paid for version. User is asked would he let application [name] to access Internet, with offer to give more details if user wants. So, if you see some application attempting to access Internet, and you are not sure, you click link to more information and read what firewall creators have to say.
Sorry, your assumptions are wrong on both counts.
Let us define first what we are talking about. You speak about systems that have paid-for support. I speak about home systems. While your claims are OK in the enterprise, they don't apply to home systems, for a very simple reason: the price of support. When a user buys a computer for $500, how in the world will he afford a $100 expert visit? It is the same proportion as asking a car owner to pay $2000 for an oil change. On the other side, $100 for a computer pro is not that much.
A *USER* should not be put in a position of knowing what is secure or not - that is just good security practice.
Well, as a car user I should not decide what action is safe and what not, because that requires expertise, but I should know what is safe and what not. And just as in auto safety, expert knowledge can be summarized in short advice, i.e. good safety practices. Once it is summarized, the user doesn't need to consult an expert for every step. I'm discussing how to empower home users interested in security, having common sense and not much time to study all computer internals. The tool that will ask and provide information when required is both a protection and a learning tool.
Besides, if the system is installed and supported correctly, the question will never arise.
The only way to see that happen is to have a well defined computer role. Even in the enterprise that is possible only for certain workstations that have a very limited purpose.
Can you imagine better option for user that is not specialist for computers?
Yes. Have them call support!
Can you imagine how much would cost web browsing? Should I visit this link? $10 And this? $10 ...
Again, *USERS* are not security knowledgeable.
But users interested in security are not idiots, and the holy script of setting up security can be simplified, like in the car example, to this:

* This application wants to access the Internet for the first time. Do you want to allow? [yes] [no] [more info]

If the user is positive that the application is OK he will press [yes]. If he is sure that the application has no business on the Internet he will use [no], and run tests to see what happened. If not sure, he can press [more info], where Gatekeeper will open a browser with a web page that gives more details: where the application wants to go, what protocol it is asking for, what kind of web page that is, the location of the IP, advice whether that activity is common etc., which will give a user with common sense an idea what to do. I'm wondering how an expert can do the same better in one visit than Gatekeeper, as the user's expert assistant, present all the time.
If they KNOW it is a valid request, it's only three or four mouse clicks to turn on that port - no internal knowledge needed.
How would they know?
Maybe they need to call help? Again, *USERS* are not links in a security chain, except for training to *NOT* click on 'OK'.
You really don't have a very high opinion of your users, or you deal only with those that don't use common sense, which is probably the case. Those that use common sense and listen to experts are not good customers.
Today even kwrite is networked, and second, how should you, as someone new to Linux, know which application is benevolent and which is not?
If you don't know, you shouldn't be answering the question.
Why not? No is a valid answer.
Which port? Applications try to access a port, but never tell you which. Some, after failed attempts, will tell you what ports are needed, but not many.
Well, you can always Google, or look at services, or look at the firewall config (standard services are listed).
My favorite, Samba, is a classic example where one has to spend a few hours reading before finding out how to make it work, and it is a well documented package.
Have YOU ever looked at the firewall that runs with the OS that is the subject of this list? It would appear not.
It seems that I did. How otherwise would I come to the idea that it is not a perfect solution? Besides, as mentioned by Jim, to call it Interactive Firewall is not the best idea, because it is not a firewall alone.
Well, if applications are installed that way, why do we have those like Samba that fail royally on my own LAN? CUPS doesn't work on the same LAN, and probably more.
Probably because a qualified sysadmin has not done the setup?
Hmm, should I say that if Samba for basic file sharing and printing on a home LAN needs sysadmin intervention, then it is a seriously broken concept? It is the same case as a car that needs an operator other than the owner.
Under normal circumstances, the user would never see a request to open a port; if he/she DOES, it is highly likely that some malicious application is the cause, OR a new application is being installed, which should have been monitored by a qualified professional anyway.
Should I hire a qualified professional to make Samba or CUPS work?
If you don't wish to learn what's going on, then yes. If you are supporting clients/customers, that's why we have support agreements.
I'm sure that if I were less of a do-it-yourself guy, I would take another approach: ditch the non-working OS and go back to a working one.
Why not? Seems like an improvement for all.
Well, cutting out the rest doesn't help you, Lee. Good ideas should be supported, not opposed with arguments that are not applicable to the situation.
Lee
-- Regards, Rajko http://news.opensuse.org/category/people-of-opensuse/
On Wednesday, 2009-05-06 at 22:00 -0500, Rajko M. wrote:
Yes. Have them call support!
Can you imagine how much would cost web browsing? Should I visit this link? $10 And this? $10 ...
Mmmm... nice... >:-) Money makes the world go around The world go around The world go around Money makes the world go around It makes the world go 'round. A mark, a yen, a buck, or a pound A buck or a pound A buck or a pound Is all that makes the world go around, That clinking clanking sound Can make the world go 'round. <http://www.stlyrics.com/lyrics/cabaret/money.htm> I have to make a living, you know... that sounds very nice indeed. >:-) Yeah, I want those calls coming! >:-P -- Cheers, Carlos E. R.
On Tuesday, 2009-05-05 at 22:47 -0500, Rajko M. wrote:
It seems that you never used a personal firewall in that other OS, at least not the paid-for version. The user is asked whether he would let application [name] access the Internet, with an offer to give more details if the user wants. So, if you see some application attempting to access the Internet, and you are not sure, you click the link to more information and read what the firewall creators have to say.
That situation is impossible in Linux, as the firewall can not track to which application a network packet belongs. The only info available is "this packet on that port was rejected" (past tense), but the application responsible is unknown.

Further, the firewall closes ports to incoming packets from the outside, not to outgoing packets, and there is no info to link this to whatever application might have opened that port for listening. The two things, a port opened by an app and the firewall, are disconnected in Linux.

Therefore, it is not possible to pop up a window saying that a certain app requests a port to be opened. The port has in fact already been opened, but packets are rejected by the firewall, which has no information about which program might or might not need that rejected packet, and thus can not give that info on the popup window to help in the decision.

That's why an informed administrator is needed to make the configuration changes. If the user doesn't know, he/she will have to pay for support, in person or via help desk, or ask a forum or other free help.

And yes, the application should clearly document which (fixed) ports it needs to be opened in advance, if it is an application designed for Linux. Else, report a bug against that application. But I reckon that this info is sometimes difficult to locate or interpret.

-- Cheers, Carlos E. R.
In <alpine.LSU.2.00.0905062048470.2211@nimrodel.valinor>, Carlos E. R. wrote:
On Tuesday, 2009-05-05 at 22:47 -0500, Rajko M. wrote:
It seems that you never used a personal firewall in that other OS, at least not the paid-for version. The user is asked whether he would let application [name] access the Internet, with an offer to give more details if the user wants. So, if you see some application attempting to access the Internet, and you are not sure, you click the link to more information and read what the firewall creators have to say.
That situation is impossible in Linux, as the firewall can not track to which application a network packet belongs. The only info available is "this packet on that port was rejected" (past tense), but the application responsible is unknown.
Not entirely. Check out the "owner" iptables module. Packets originating from the local userspace do have an owner. That module can only match on a uid or gid, but it could conceivably be extended so that a pid could be attached. Now, it would probably have to be the pid that opened the socket, which may not be the pid that did the last write to the socket, but I believe that same limitation applies to the uid/gid match that already exists. Yes, any extension in this direction probably requires a kernel patch, but that is not necessarily a bad thing. It might also break the ULOG ABI (or equiv.) which could be very unfortunate (the old interface would probably need to be maintained for many years alongside the new interface), but if there is enough effort applied even mountains can be moved.[1]
Further, the firewall closes ports to incoming packets from the outside, not to outgoing packets, and there is no info to link this to whatever application might have opened that port for listening. The two things, a port opened by an app and the firewall, are disconnected in Linux.
Actually, the Linux firewall affects packets in 5 stages, although an individual packet will only hit 3 of those stages. It can very well affect outgoing connections on the PREROUTING, OUTPUT, or POSTROUTING chains.
Therefore, it is not possible to pop up a window saying that a certain app requests a port to be opened. The port has in fact already been opened, but packets are rejected by the firewall, which has no information about which program might or might not need that rejected packet, and thus can not give that info on the popup window to help in the decision.
Assuming we get over the problem of not having the "pid" in the information provided via ULOG, we do have the protocol and (if the protocol uses them) source and destination port numbers. It is quite possible for the application getting the ULOG information to raise a popup, and then alter a user-defined chain. Something like this in the output chain might work some day (but it would require enhancements to Linux at all levels):

--jump-formatted 'user_whitelisted_ports-%uid-%pid'
-j ULOG 'desktop_firewall_notifier'
-j REJECT
-j DROP

desktop-firewall-notifier could be responsible for the popup, and for adding rules to the appropriate user_whitelisted_ports-* chain to accept packets. It, or another daemon, would be responsible for persisting user preferences, and deleting chains when the user logs out or the process terminates. It isn't possible today. It isn't something *I* want to work on. It will require a lot of work. Perhaps it might even make Linux better.

-- Boyd Stephen Smith Jr. bss@iguanasuicide.net ICQ: 514984 YM/AIM: DaTwinkDaddy http://iguanasuicide.net/

[1] If you are interested in this, get ready to provide code or hire someone to provide code. When we speak of Free Software, we mean freedom not price.
Frans de Boer wrote:
On Tue, 2009-05-05 at 10:31 -0500, L. V. Lammert wrote:
It seems that you are talking about corporate users, which is a whole different ballgame. I recall that I was talking about consumers, who do not have remote support. If Linux and/or other OSS is not accepted by consumers, my bet is that the most corporate desktops will have MS-Windows on it for a long time to come. Why: most consumers do not want to learn something new AND
The weakness in this argument is the assumption that those who operate corporate I.T. solutions want ordinary corporate users to be able to configure their machines. This is rather like giving the inmates the keys to the asylum, with most of the associated risks. While MS desktops can be locked down, with Linux/Unix this process is both simpler and more sophisticated for competent sysadmins. One cannot really satisfy the needs of Consumer and Corporate userspace with a single solution. Being good at Corporate/Technical product delivery is in the mid to long term much more profitable than being good in consumer product delivery. With the development of and increasing focus on 'Cloud' solutions (where basic users effectively outsource their I.T. support requirements) and better internet connectivity, the basic consumer will eventually only need something which can run a browser (and we go full circle from the original ugly dumb terminal for a knowledgeable user to a dumb but pretty terminal for the 'dumb' user). Focussing on the consumer desktop is really in some ways looking at yesterday's problem....
Frans.
-- I have always wished that my computer would be as easy to use as my telephone. My wish has come true. I no longer know how to use my telephone. Bjarne Stroustrup
Hey, On Wed, May 6, 2009 at 5:24 AM, G T Smith <grahamsmith@gandalfsemporium.homelinux.com> wrote:
One cannot really satisfy the needs of Consumer and Corporate userspace with a single solution. Being good at Corporate/Technical product delivery is in the mid to long term much more profitable than being good in consumer product delivery. With the development of and increasing focus on 'Cloud' solutions (where basic users effectively outsource their I.T. support requirements) and better internet connectivity, the basic consumer will eventually only need something which can run a browser (and we go full circle from the original ugly dumb terminal for a knowledgeable user to a dumb but pretty terminal for the 'dumb' user).
Focussing on the consumer desktop is really in some ways looking at yesterday's problem....
So, the openSUSE focus is now on corporate users? And what's about the countries that don't have a fast internet connection available for all the people? Do you think that the "Cloud" solution can be applied to these countries in the mid to long term? Everaldo.
On Wednesday, 2009-05-06 at 08:10 -0300, Everaldo Canuto wrote:
On Wed, May 6, 2009 at 5:24 AM, G T Smith <> wrote:
One cannot really satisfy the needs of Consumer and Corporate userspace with a single solution. Being good at Corporate/Technical product delivery is in the mid to long term much more profitable than being good in consumer product delivery. With the development of and increasing focus on 'Cloud' solutions (where basic users effectively outsource their I.T. support requirements) and better internet connectivity, the basic consumer will eventually only need something which can run a browser (and we go full circle from the original ugly dumb terminal for a knowledgeable user to a dumb but pretty terminal for the 'dumb' user).
Focussing on the consumer desktop is really in some ways looking at yesterday's problem....
So, the openSUSE focus is now on corporate users?
And what's about the countries that don't have a fast internet connection available for all the people? Do you think that the "Cloud" solution can be applied to these countries in the mid to long term?
That's a good point. But he wasn't really talking about openSUSE, but rather linux trends in general. In any case, I prefer in house computing, not cloud computing, trends be damned! >:-P -- Cheers, Carlos E. R.
Carlos E. R. wrote:
On Wednesday, 2009-05-06 at 08:10 -0300, Everaldo Canuto wrote:
On Wed, May 6, 2009 at 5:24 AM, G T Smith <> wrote:
And what's about the countries that don't have a fast internet connection available for all the people? Do you think that the "Cloud" solution can be applied to these countries in the mid to long term?
That's a good point.
Agreed, there has been discussion before about a divide between those who have access to I.T. and those who do not, not just between the third world and the 'developed' world but within the developed world. However, I do think the many third world states face more pressing problems than internet access...
But he wasn't really talking about openSUSE, but rather linux trends in general.
In any case, I prefer in house computing, not cloud computing, trends be dammed! >:-P
You and me too... but we have the advantage of having a good idea of what we are doing most of the time :-)

More on the subject, people do seem to confuse knowing how to use I.T. as a tool and looking after the tool. In the main most people know or care little about looking after the tool, they just need to use it. The frequently used metaphor that computers should be like a car always brings me to the description that if cars were computers they would be travelling at 1000 miles an hour, blowing up every six months or so, killing the driver and all the passengers. Cars (fortunately) are not computers....

Most attempts to simplify the use of computers as a tool just introduce more hidden complexity and therefore more ways things can go wrong, which makes those who know or care little about maintaining the tool have even less comprehension about what is happening when they do go wrong. Linux/UNIX is built on some fairly simple (at one level) building blocks on which more complex operations can be built by bolting together these simple blocks (most GUI applications merely encapsulate these building block combinations). This gives *NIX the flexibility which is its biggest strength. If this concept is mislaid in a misguided attempt to attract the basic I.T. tool user then what you have will no longer be Linux/UNIX.

Both sides in this discussion are correct in context: if people take charge of the individual security of their machines there should be a simplified manner for them to do so; however, computer security is quite complex and if you do not comprehend the implications of a security decision you should not take that decision. This is a potentially paradoxical situation. There are two possible solutions: firmware based OS systems (such as in many handheld devices and games consoles) where the users cannot change basic functionality, or dynamic functionality on hosted systems where changes can be monitored by those who (supposedly) know what they are doing.

-- I have always wished that my computer would be as easy to use as my telephone. My wish has come true. I no longer know how to use my telephone. Bjarne Stroustrup
Prasun Dhara wrote:
I also want alert message
1. if someone from a remote machine tries to connect to my computer
2. if someone from a remote machine tries to run a port scanner on my ip
No, Prasun, you do NOT want this. (Trust me). Such an alert message would pop up a hundred times a day. If you have a service running (listening on a port) then connections by remote machines are connected or denied based on that service and the firewall. If nothing is listening on a port, the port is closed and therefore secure. A closed port is a secure port.
In <165173.69225.qm@web39604.mail.mud.yahoo.com>, Prasun Dhara wrote:
I also want alert message 1. if someone from a remote machine tries to connect to my computer
Someone would have to write an app to tie into the various notification systems, but the ULOG target of iptables should allow this. Of course, it might be thousands of attempts a day for a computer with a publicly routable IP.
2. if someone from a remote machine tries to run a port scanner on my ip
That's harder to detect, but you'd already notice it from the hundreds or thousands of alerts triggered by #1. -- Boyd Stephen Smith Jr. bss@iguanasuicide.net ICQ: 514984 YM/AIM: DaTwinkDaddy http://iguanasuicide.net/
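Boyd's point that whatever consumes the LOG/ULOG information could raise the alert, and Prasun's two wishes (be told about connection attempts, be told about a port scan), as an added example that is not code from the thread: a Python parser for the kernel-log lines the netfilter LOG target writes, which groups drops per source address and flags a source that probes many distinct ports. The sample lines, the EGRESS-UID1000 prefix and the addresses (RFC 5737 documentation ranges) are constructed; SuSEfirewall2's SFW2-INext-DROP-DEFLT prefix, iptables' -m owner match and the LOG target's --log-uid option are real, and the last two give exactly the uid-level (not pid-level) attribution Boyd describes.

```python
"""Turn dropped-packet lines from the netfilter LOG target into per-source
alerts, the summary a desktop notifier could show instead of a popup per
packet. Added example, not code from the thread."""
import re
from collections import defaultdict

# Constructed sample kernel log lines in the format the iptables LOG target
# writes. SFW2-INext-DROP-DEFLT is the prefix SuSEfirewall2 uses for packets
# dropped on the external interface. The last line is an unrelated kernel
# message the parser must ignore.
SAMPLE_LOG = """\
May  6 10:15:01 host kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=54321 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
May  6 10:15:01 host kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=54321 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
May  6 10:15:01 host kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=54321 DPT=25 WINDOW=1024 RES=0x00 SYN URGP=0
May  6 10:15:02 host kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=54321 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
May  6 10:15:02 host kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=54321 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
May  6 10:15:02 host kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=54321 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
May  6 10:16:40 host kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=8812 DF PROTO=TCP SPT=50001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
May  6 10:16:43 host kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=8813 DF PROTO=TCP SPT=50002 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
May  6 10:16:49 host kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=8814 DF PROTO=TCP SPT=50003 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
May  6 10:17:05 host kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=192.0.2.99 DST=192.0.2.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=137 LEN=58
May  6 10:17:09 host kernel: usb 1-1: new high-speed USB device number 3 using ehci_hcd
"""

# Constructed outbound line as written by a rule of the form
#   iptables -A OUTPUT -m owner --uid-owner 1000 -j LOG --log-prefix "EGRESS-UID1000 " --log-uid
# With --log-uid the LOG target appends the uid/gid of the process that generated
# the packet: the closest stock Linux gets to "which application" (uid, not pid).
SAMPLE_EGRESS_LINE = ("May  6 10:18:00 host kernel: EGRESS-UID1000 IN= OUT=eth0 SRC=192.0.2.10 "
                      "DST=203.0.113.80 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4411 DF PROTO=TCP "
                      "SPT=40122 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0 UID=1000 GID=100")

LOG_LINE_RE = re.compile(r"kernel:\s*(?P<prefix>.*?)\s*IN=")   # prefix sits between "kernel:" and IN=
FIELD_RE = re.compile(r"\b(?P<key>[A-Z]+)=(?P<val>\S*)")        # KEY=value pairs; flags like DF/SYN have no =


def parse_log_line(line):
    """Packet fields of one LOG-target line, or None for any other kernel message."""
    m = LOG_LINE_RE.search(line)
    if m is None:
        return None
    fields = dict(FIELD_RE.findall(line))

    def as_int(key):
        return int(fields[key]) if key in fields else None

    return {
        "prefix": m.group("prefix"),
        "in": fields.get("IN") or None,    # empty for locally generated packets
        "out": fields.get("OUT") or None,  # empty for packets received from outside
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "spt": as_int("SPT"),              # ports only exist for TCP/UDP
        "dpt": as_int("DPT"),
        "uid": as_int("UID"),              # only present when logged with --log-uid
    }


def summarize(log_text, scan_threshold=5):
    """Group inbound drops by source. A source that touched at least
    scan_threshold distinct (proto, port) pairs is flagged as a likely scan
    (Prasun's item 2); everything else is a plain attempt count (item 1)."""
    per_src = defaultdict(lambda: {"packets": 0, "ports": set()})
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None or rec["in"] is None or rec["src"] is None:
            continue  # not a firewall line, or a locally generated packet
        entry = per_src[rec["src"]]
        entry["packets"] += 1
        if rec["dpt"] is not None:
            entry["ports"].add((rec["proto"], rec["dpt"]))
    return {
        src: {
            "packets": e["packets"],
            "distinct_ports": len(e["ports"]),
            "likely_scan": len(e["ports"]) >= scan_threshold,
        }
        for src, e in per_src.items()
    }


def format_alerts(report):
    """One human-readable alert per source, in place of a popup per packet."""
    lines = []
    for src in sorted(report):
        r = report[src]
        kind = "possible port scan" if r["likely_scan"] else "connection attempts"
        lines.append(f"{src}: {r['packets']} dropped packets, {r['distinct_ports']} ports ({kind})")
    return lines


if __name__ == "__main__":
    for alert in format_alerts(summarize(SAMPLE_LOG)):
        print(alert)
    print("egress record:", parse_log_line(SAMPLE_EGRESS_LINE))
```

Run against a real kernel log (`journalctl -k` or /var/log/firewall on SuSEfirewall2 systems) the aggregation is what turns James's "a hundred popups a day" into a handful of lines, and the uid field on egress lines is the only application-side information the firewall ever has: enough to say "something running as your user tried port 443", not which program.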
Prasun Dhara escribió:
So, if anybody knows about any interactive firewall which can be used in Suse or OpenSuse..
That would be a security disaster. -- "If this is the best God can do, I am not impressed" -George Carlin (1937-2008) Cristian Rodríguez R. Software Developer Platform/OpenSUSE - Core Services SUSE LINUX Products GmbH Research & Development http://www.opensuse.org/
On Sun, 03 May 2009 06:10:58 -0700, Randall R Schulz wrote:
The "||" are pipe bars, not exclamations.
Not when double. The || is a "conditional or," meaning do the command on the right if the command on the left returns a failed (non-zero) exit status.
The diagnostic came from the ! in the string.
What Carlos is guessing is that instead of "||" Duaine/Laura entered "!!" instead. Jim -- Jim Henderson Please keep on-topic replies on the list so everyone benefits
On Sunday, 2009-05-03 at 16:41 -0000, Jim Henderson wrote:
On Sun, 03 May 2009 06:10:58 -0700, Randall R Schulz wrote:
The "||" are pipe bars, not exclamations.
Not when double. The || is a "conditional or," meaning do the command on the right if the command on the left returns a failed (non-zero) exit status.
The diagnostic came from the ! in the string.
What Carlos is guessing is that instead of "||" Duaine/Laura entered "!!" instead.
Exactly. I tried to mistype the command here, but I didn't get a similar result, so I really don't know. Mmm... looking again, I see an exclamation at the end of the original command. Dunno. :-? -- Cheers, Carlos E. R.
On Sun, 03 May 2009 21:19:48 +0200, Carlos E. R. wrote:
What Carlos is guessing is that instead of "||" Duaine/Laura entered "!!" instead.
Exactly.
I tried to mistype the command here, but I didn't get a similar result, so I really don't know. Mmm... looking again, I see an exclamation at the end of the original command. Dunno. :-?
Based on the discussion with Randall, it seems that perhaps Cristian is using a csh derivative where history expansion is disabled inside double quotes, and Duaine is using bash, which doesn't. My first attempt to duplicate Duaine's problem resulted in no duplication because I changed my default shell to tcsh, and since Cristian didn't specify a shell, I just went with my default. I see that bash does in fact interpret the line as a history expansion. Jim -- Jim Henderson Please keep on-topic replies on the list so everyone benefits
On Sunday, 2009-05-03 at 19:38 -0000, Jim Henderson wrote:
What Carlos is guessing is that instead of "||" Duaine/Laura entered "!!" instead.
Exactly.
I tried to mistype the command here, but I didn't get a similar result, so I really don't know. Mmm... looking again, I see an exclamation at the end of the original command. Dunno. :-?
Based on the discussion with Randall, it seems that perhaps Cristian is using a csh derivative where history expansion is disabled inside double quotes, and Duaine is using bash, which doesn't.
My first attempt to duplicate Duaine's problem resulted in no duplication because I changed my default shell to tcsh, and since Cristian didn't specify a shell, I just went with my default.
I see that bash does in fact interpret the line as a history expansion.
Ah... I'm starting to understand. I shortened the message to "no", because in my mail client the entire "line" was two lines. Thus I had no "!", and didn't see the same error as the OP. -- Cheers, Carlos E. R.
On Saturday 02 May 2009 20:10:31 Duaine & Laura Hechler wrote:
Where do I turn this on ? And how do I verify it's on ?
Please give details.
Thanks, Duaine
--
Duaine,

First, in YaST -> Sysconfig Editor; then Network -> Apache2; then look at the loaded modules list. Just modify the list by adding 'rewrite' to it and you will have it enabled.

Then here is how I make use of it for rewriting URLs to force https for any connections that aren't on my LAN. Basically, you can see within the following httpd.conf.local directory designation I begin the rewrite check with <IfModule mod_rewrite.c>, which just says in English "If mod_rewrite is enabled, then do the following tricks". Then just turn the rewrite engine on, set the rewrite base to the root / and use regular expression syntax to "catch" and "rewrite" the URLs the way you desire. Here we just compare the remote address to my LAN address and then set the condition that if it "ain't local", turn that damn fancy stuff on, because I'm going to make you use passwords! So it just takes the URL and rewrites it to access my site via https instead of http so passwords are transferred over a secure link. There are a bizillion things you can do with mod_rewrite; it has been likened to the swiss army knife of http.

<Directory "/srv/www/family">
    Options +Indexes +FollowSymLinks
    IndexOptions FancyIndexing IconsAreLinks FoldersFirst
    AllowOverride AuthConfig Options FileInfo Limit
    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteBase /
        RewriteCond %{REMOTE_ADDR} !^192\.168\.6\.
        RewriteCond %{HTTPS} !=on
        RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
    </IfModule>
    AuthType Basic
    AuthName "Restricted"
    AuthBasicProvider dbm
    AuthDBMType DB
    AuthDBMUserFile /usr/local/lib/apache2/dcraccess
    Require valid-user
    Order allow,deny
    Allow from 66.69.68.60
    Satisfy Any
    Deny from 4. 24. 60. 62.
</Directory>

The apache doc on mod_rewrite is very good.

-- David C. Rankin, J.D.,P.E.
Rankin Law Firm, PLLC 510 Ochiltree Street Nacogdoches, Texas 75961 Telephone: (936) 715-9333 Facsimile: (936) 715-9339 www.rankinlawfirm.com
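As an added example that is not part of David's message or the thread: a Python dry run of the two questions his reply answers, whether 'rewrite' is in the module list and which requests his rewrite block would bounce to https. The sysconfig excerpt, host name and client addresses are constructed; APACHE_MODULES in /etc/sysconfig/apache2 is the real variable the YaST sysconfig editor maintains, and the RewriteCond patterns are copied from his config. The contrast with a hypothetical sloppy pattern shows why the trailing \. in ^192\.168\.6\. matters: without it a 192.168.60.x client would count as LAN and never be forced onto https.

```python
"""Dry run of the force-https mod_rewrite block and of the openSUSE module
list. Added example, not code from the thread."""
import re

# Constructed excerpt of /etc/sysconfig/apache2, the file the YaST sysconfig
# editor (Network -> Apache2) edits. Module names added to APACHE_MODULES are
# loaded when apache2 starts.
SAMPLE_SYSCONFIG = """\
## Type: string
## Default: "actions alias auth_basic authn_file authz_host dir"
APACHE_MODULES="actions alias auth_basic authn_file authz_host dir env log_config mime setenvif ssl rewrite"

## Type: string
APACHE_SERVER_FLAGS="SSL"
"""

MODULES_RE = re.compile(r'^APACHE_MODULES="([^"]*)"', re.MULTILINE)


def loaded_modules(sysconfig_text):
    """Module names listed in APACHE_MODULES, [] if the variable is missing."""
    m = MODULES_RE.search(sysconfig_text)
    return m.group(1).split() if m else []


def rewrite_enabled(sysconfig_text):
    """True when 'rewrite' is in the list, i.e. mod_rewrite will be loaded."""
    return "rewrite" in loaded_modules(sysconfig_text)


# RewriteCond %{REMOTE_ADDR} !^192\.168\.6\.
# The trailing \. is what keeps 192.168.60.x (a different subnet) from being
# treated as the LAN; SLOPPY_LAN_PATTERN is a hypothetical mistake for contrast.
LAN_PATTERN = re.compile(r"^192\.168\.6\.")
SLOPPY_LAN_PATTERN = re.compile(r"^192\.168\.6")


def is_lan(remote_addr, pattern=LAN_PATTERN):
    """Does the positive form of the first RewriteCond match this client?"""
    return pattern.search(remote_addr) is not None


def force_https(remote_addr, https_var, server_name, request_uri, pattern=LAN_PATTERN):
    """Evaluate both RewriteConds and the RewriteRule for one request.
    https_var is Apache's %{HTTPS} value ("on" or "off"). Returns the
    redirect target when both negated conditions hold (client is not on the
    LAN and is not already on HTTPS); None means the request is served as-is."""
    if is_lan(remote_addr, pattern):   # first cond is negated: LAN clients skip the redirect
        return None
    if https_var == "on":              # RewriteCond %{HTTPS} !=on
        return None
    # RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
    return f"https://{server_name}{request_uri}"


if __name__ == "__main__":
    print("rewrite enabled:", rewrite_enabled(SAMPLE_SYSCONFIG))
    for addr in ("203.0.113.9", "192.168.6.20", "192.168.60.20"):
        print(addr, "->", force_https(addr, "off", "www.example.com", "/family/"))
```

Two things worth keeping in mind when copying the rule: [R] without a status code sends a 302, so use [R=301,L] if the http URL should stop being cached; and the redirect only fires for plain-http requests, so the first request for a URL still leaves the browser in the clear, which is fine for a redirect but means anything submitted to an http URL is exposed before the rewrite ever runs.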
participants (22): Anders Johansson; Boyd Stephen Smith Jr.; Carlos E. R.; Cristian Rodríguez; David C. Rankin, J.D.,P.E.; Duaine & Laura Hechler; Everaldo Canuto; Frans de Boer; G T Smith; James Knott; JB2; Jim Henderson; John Andersen; Ken Schneider - openSUSE; L. V. Lammert; Patrick Shanahan; Per Jessen; Prasun Dhara; Rajko M.; Randall R Schulz; Rodney Baker; Theo van Werkhoven