--- Day changed ---
--- Log opened Mon Jun 30 00:00:01 2003
00:00 < david> caker: just wondering how you implemented ebtables
00:00 < david> caker: one chain per UML, or just dump it all in one chain?
00:01 < caker> one chain per UML that both INPUT and FORWARDING go through
00:02 < caker> for that device
00:05 < caker> then drop anything not matching MAC
00:05 < caker> then allow ipv4 broadcasts
00:05 < caker> then a pair for each IP: allow IP4 from IP, and allow ARP from IP
00:05 < caker> then the drop fall-through
00:06 < david> ok
00:07 < Pahan> caker: How does UML assign MAC addresses, anyway?
00:08 < caker> UML doesn't assign macs, unless you're using uml_net (I think)
00:08 < caker> anyway, it inherits the MAC from the TAP device you create on the host (when you ifconfig tap... the device)
00:08 < caker> you pass that MAC to UML on its command prompt
00:08 < caker> and you're gold
00:27 < david> caker: doesn't the UML's MAC change each time you recreate the tap device?
01:15 -!- Larry [wind@61.149.50.253] has joined #uml
01:34 -!- Larry [wind@61.149.50.253] has quit []
01:38 < caker> when you ifconfig the tap on the host, set its mac address there
02:46 -!- AquaJo [~torbofh@217.85.147.64] has joined #uml
02:47 < AquaJo> morning
02:48 < Pahan> Not quite!
02:49 < AquaJo> In Germany it is 8:47am
02:49 < AquaJo> I call it morning :-)
02:49 * Pahan stands still while the whole universe revolves around him.
02:50 * Lathiat breaks orbit
02:51 < AquaJo> *g*
04:49 -!- revenger_ [revenger@80.139.59.220] has joined #uml
04:51 -!- revenger2 [revenger@p508B2D11.dip.t-dialin.net] has quit [Ping timeout: 490 seconds]
05:10 -!- snide [~snide@81.49.162.46] has joined #uml
05:11 -!- rob [~rob@nat.office.legend.net.uk] has joined #uml
05:11 < rob> hrm
05:11 < rob> mailer just threw a fit
05:11 < rob> [uml-user] got a message about 5 times :?
05:13 < AquaJo> I got all mails once
05:13 < AquaJo> a mailserver with a hiccup in the delivery chain
05:14 < rob> one of the machines in the cluster died
05:14 < rob> and it decided to rerun the queue :/
05:15 < AquaJo> look, on the good side, it's better than deleting all mails in the queue ;-)
05:15 < rob> yes
05:16 < rob> but it's also embarrassing :p
05:21 < AquaJo> I'm waiting for the next uml-patch to take a look whether the dazuko and cipe modules compile then
05:22 < AquaJo> the last kernel where I had tested it successfully was 2.4.19-50um ..
05:24 < rob> what are the dazuko and cipe modules? I've not heard of them before
05:25 < AquaJo> cipe is a module for creating encrypted ip-tunnels (vpns)
05:25 < AquaJo> and dazuko can be used for virus scanners
05:26 < rob> ah :)
05:26 < rob> I'll have to take a look into those
05:26 < rob> have you tried freeswan?
05:26 < snide> AquaJo: cipe is the same as IPSec, just based on UDP.
05:27 < AquaJo> freeswan seems not to make trouble
05:27 < AquaJo> but some people want cipe, and I'm only a poor guy from vd-server :_)
05:32 < AquaJo> well, with a bit of luck it'll run with one of the next patches
06:06 -!- Getty [~Getty@spast.de] has quit [Remote host closed the connection]
06:08 -!- Getty [~Getty@217.69.76.51] has joined #uml
08:46 -!- litost [~sombitch@phynp6.phy-astr.gsu.edu] has joined #uml
08:50 -!- snide [~snide@81.49.162.46] has quit [Ping timeout: 488 seconds]
09:54 -!- DnsInfector [~DnsInfect@ARennes-204-1-2-17.w193-251.abo.wanadoo.fr] has joined #uml
10:40 -!- snide [~snide@AMontsouris-108-1-33-19.w81-53.abo.wanadoo.fr] has joined #uml
11:45 -!- gump [gump@81.5.136.90] has quit [Read error: Connection reset by peer]
12:12 -!- snide [~snide@AMontsouris-108-1-33-19.w81-53.abo.wanadoo.fr] has quit [Quit: [BX] Reserve your copy of BitchX-1.0c19 for the Nintendo Gameboy today!]
13:46 -!- DnsInfector_ [~DnsInfect@ARennes-204-1-2-5.w193-251.abo.wanadoo.fr] has joined #uml
13:47 -!- DnsInfector_ [~DnsInfect@ARennes-204-1-2-5.w193-251.abo.wanadoo.fr] has left #uml []
13:49 -!- DnsInfector [~DnsInfect@ARennes-204-1-2-17.w193-251.abo.wanadoo.fr] has quit [Read error: Connection reset by peer]
13:52 -!- DnsInfector [~DnsInfect@81.53.135.250] has joined #uml
14:02 -!- pirlouit [~peter@64.162.195.202] has quit [Remote host closed the connection]
14:05 -!- pirlouit [~peter@64.162.195.202] has joined #uml
14:28 -!- pirlouit [~peter@64.162.195.202] has quit [Remote host closed the connection]
14:32 < Pahan> Is UML jail secure, provided that the root account is not compromised?
14:32 -!- pirlouit [~peter@64.162.195.202] has joined #uml
14:33 < david> Pahan: don't use jail - it's slow
14:33 < david> Pahan: use skas instead
14:34 < david> Pahan: and define 'secure'
14:34 < Pahan> Oh, are those equivalent?
14:34 < Pahan> david: "protects the host fully"
14:34 < Pahan> Well, plus or minus excessive CPU usage.
14:36 < Pahan> I want to build a COW filesystem for running less-than-reliable stuff.
14:36 < Pahan> Will probably need a separate router UML :(
14:36 < Pahan> Ugh, iptables.
14:38 < AquaJo> Pahan: why don't you route on the host with tap interfaces?
14:38 < david> Pahan: use the fair-sched patch to control CPU usage
14:38 < Pahan> AquaJo: Because even though I do have all necessary kernel modules on the host, I don't want to mess with it in such a way.
14:38 < david> Pahan: UML is just a process, so can be scheduled as such
14:38 < david> Pahan: use a bridge
14:38 < Pahan> david: Bridge what to what?
14:41 < david> Pahan: all the tap devices from the UMLs
14:43 < Pahan> Oh, no. Not only do I lack additional IP addresses, I also don't want those things talking to the outside.
14:43 < david> Pahan: use the host to route - it's pointless creating a UML just for routing
14:43 < david> Pahan: so?
14:43 < david> Pahan: use NAT on the host
14:44 < Pahan> Ugh.
14:44 < Pahan> No Internet access for my UMLs.
14:44 < david> Pahan: so don't NAT then
14:44 < Pahan> I am not going to.
14:45 < david> Pahan: is this really so complicated?
14:45 < Dave\\> is COW reliable?
14:45 < david> Dave\\: I've not heard of any problems with it
14:45 < Dave\\> it's fsck'able right?
14:46 < Pahan> david: You are giving me random suggestions to solve a problem I never posed.
14:46 < david> Pahan: you were asking questions about UML security and using a UML as a router
14:46 < david> Dave\\: as far as the UML is concerned, it's just a regular image file
14:47 < Pahan> david: The issue is finding a way to set up iptables other than "roll your own" and "download a stupid firewall script".
14:48 < david> Pahan: and what other option is there?
14:48 < david> Either you make your own, or you download a pre-existing script
14:48 < Pahan> Both options suck.
14:48 < david> Pahan: there are some GUI firewall builders
14:48 < david> Pahan: I can do it for $150/hr if you want
14:48 < caker> same here
14:49 < david> Pahan: either you do it yourself, download an existing script, or pay someone to do it
14:49 < david> Pahan: you apparently don't like any options, so why complain?
14:49 < Pahan> All three options are wildly unacceptable.
14:49 < Pahan> Especially the "existing script" thing.
14:50 < david> Pahan: so what would be your ideal choice?
14:50 < david> Pahan: having the kernel create some random rules to control your IP networking?
14:50 < Pahan> david: Something higher in level than a shell script and lower in level than a drool-proof GUI firewall builder.
14:50 < Pahan> I vaguely remember there being such a thing.
14:51 * Pahan apt-caches.
14:51 < david> Pahan: like I said, google or freshmeat.net
14:51 < david> Pahan: everything is just a front-end to the iptables utility anyway
14:51 < david> why not do yourself a favour, learn to use iptables, then you know what you're doing
14:51 < Pahan> The same reason why I don't program in C.
14:52 < AquaJo> david: is there a version of the fairsched which doesn't conflict with 2.4.21 and the skas patch?
14:52 < AquaJo> I tried it once but the kernel stopped while compiling
14:52 < david> AquaJo: AFAIK, the fairsched patch has one reject in sched.h with 2.4.21 - easily fixed if you check the reject
14:52 < david> AquaJo: hrm, it didn't compile cleanly?
14:52 < david> AquaJo: did you get rejects from the patch and did you fix them?
14:53 * david goes to build a fair-sched patch against 2.4.21 and host-skas3
14:53 < AquaJo> yes, and then I haven't spent much time on it
14:53 < AquaJo> not fixed it
14:53 < AquaJo> was a patch and test run
14:54 < david> AquaJo: let me get back to you - I don't think host-skas3 and fair-sched interact, but I may be incorrect
14:54 < Pahan> Urgh. Is there a Debian package for this fairsched thing? I can't seem to find it.
14:54 < AquaJo> perhaps it was only a fault in the fairsched patch
14:54 < david> Pahan: no, it's a kernel patch
14:55 < Pahan> david: Debian packages kernel patches just fine.
14:55 < Pahan> It's not in the list under that name.
14:55 < david> Pahan: right, and there isn't a debian package for it
14:55 < david> Pahan: hence it is just a 'kernel patch', rather than a 'Debian package'
14:55 < AquaJo> david: when I've selected the option the kernel build failed ..
14:56 < AquaJo> I don't think that was skas-specific
14:58 < AquaJo> uml-specific are (I think) some errors in the includes, so the cipe and dazuko modules won't compile with the new uml patches
15:02 < david> AquaJo: I've never used those, so I can't vouch for their functionality with UML
15:04 < AquaJo> with 2.4.19-50um I got cipe running, with the current one I don't
15:04 < Pahan> Heh, fairsched SF project is so dead.
15:04 < david> Pahan: that's not the same thing
15:04 < AquaJo> I mailed it on the devel-ML
15:04 < david> http://www.surriel.com/patches/2.4/2.4.19-fairsched
15:04 < david> is what you want
15:04 < david> HFS is dead/dying, I believe
15:05 < Pahan> david: Is there a website for this thing?
15:06 < Pahan> Oh, there it is.
15:06 < david> no
15:06 < david> it's just a patch
15:07 < caker> i found it googling for "fairsched 2.4.20" or something similar ...
15:07 < Pahan> I envy the people brave enough to install "just a patch" on their production systems.
15:07 * Pahan stays away.
15:07 -!- rob [~rob@nat.office.legend.net.uk] has quit [Ping timeout: 496 seconds]
15:07 < david> Pahan: I've run it for nearly a year - works just fine
15:07 < david> Pahan: you can look at the code, see what's wrong with it
15:08 < david> it doesn't really need any documentation
15:10 < AquaJo> I'd taken a look into the code, it's really self explanatory
15:11 < AquaJo> perhaps I'll try it one of these days on my 'experimental' server
15:13 < david> AquaJo: I got fairsched to build fine with 2.4.21 and host-skas3
15:13 < david> AquaJo: building a patch right now
15:13 < david> kernels.usermodelinux.org/host/
15:14 < AquaJo> I'll try these days
15:15 < AquaJo> could be nice
15:18 < AquaJo> when I get cipe compiling, I'll introduce a new uml kernel
15:18 < AquaJo> and the fairsched comes then with the next reboot, so in 100 days or so :-)
15:19 < david> heh
15:20 < AquaJo> on the new server coming these days, I might introduce it earlier
15:20 < AquaJo> but if a system is running, I let it run :-)
15:20 < AquaJo> never change a winning team
15:20 < AquaJo> *g*
15:21 < david> AquaJo: you patched for the kmod/ptrace exploit in 2.4.20?
15:22 < AquaJo> the umls haven't got the kernel module loader, the host no local users (and now .21)
15:24 < AquaJo> the last reboot was 10 days ago
15:24 < AquaJo> it should run now 3 months, we'll see if we can make it :-)
15:25 -!- shak [~shak@pc1-hudd4-5-cust78.hudd.cable.ntl.com] has joined #uml
15:26 < david> 20:24:00 up 96 days, 15:28, 2 users, load average: 0.16, 0.03, 0.01
15:26 < david> UML is pretty stable
15:26 < shak> :)
15:26 < Getty> david: don't talk about it
15:26 < shak> Xchat crashed my UML host (which is also my workstation today)
15:26 < AquaJo> we had some with >100 days
15:26 < Getty> david: cause the UML needs the host
15:26 < Getty> ;)
15:26 < caker> i want software suspend for uml so bad :-)
15:26 < shak> I left it on today and I get home to see these loadavgs on the host
15:26 < shak> 17:59:30 up 21:27, 6 users, load average: 256.79, 255.37, 252.75
15:27 < Getty> shak: yeah... ok... next year we will be ready ;)
15:27 < Getty> shak: how did you get this load?
15:27 < AquaJo> how did you get something like that?
15:27 < shak> welcome to Xchat :)
15:27 < Getty> lol
15:27 < Getty> someone should really tell me someday why mIRC is so bad ;)) hehe
15:27 < shak> it runs on Windows and it's shareware, do you need any more reasons?
15:27 < Getty> even if my windows totally crashed, the mIRC is running.. i hate xchat, these BIG BUTTONS for nothing ;)
15:28 < AquaJo> my peak was 170, shutting down lots of umls on a dual xeon with 4 GB RAM
15:28 < Getty> shak: that's no reason against it for me ;)
15:28 < Getty> shak: i heard it runs perfectly in wine
15:28 < Getty> shak: so why not think about it ;)
15:28 < shak> it's shareware
15:28 < shak> I'm fundamentally opposed to shareware
15:29 < shak> I like my software to have the source with it
15:29 < shak> I don't mind if I pay something for that
15:29 < shak> but I want the source
15:29 < david> shak: use fairsched - stops the UML killing the host :-)
15:30 < shak> david: oh the UML was fine, I'd used the CPU Cap patch on that
15:30 < david> shak: I think I still have xchat running under VNC on a UML
15:30 < shak> but I didn't for xchat
15:30 < shak> chuckle
15:30 < shak> I haven't got X on any of my UMLs
15:30 < AquaJo> ditto
15:30 < shak> I'm just playing with mkrootfs
15:31 < shak> err..
15:31 < shak> no, rootstrap
15:31 < shak> that's the one :p
15:31 < AquaJo> (I think I haven't .. I'm not sure )
15:31 < shak> I keep getting errors though, because it wants tun as a module
15:31 < shak> so I'm on my way to google
15:31 < AquaJo> <- using preconfigured tap devices
15:31 < AquaJo> no problem
15:31 < shak> this isn't a UML
15:32 < shak> this is the debian software
15:32 < shak> that makes the root_fs
15:33 < AquaJo> hmm, it's slowly getting late, and I've to get up early ...
15:34 * green finally enjoys working gdb with gcc3, thanks to Tsillas, Demetrios J
15:42 -!- shak [~shak@pc1-hudd4-5-cust78.hudd.cable.ntl.com] has quit [Remote host closed the connection]
15:43 -!- rob [rob@213.230.203.221] has joined #uml
15:43 < rob> right
15:43 < rob> going to install debian on the actual UML host
15:43 * rob likes debian
15:44 < AquaJo> I like debian too
15:44 < rob> I'm going to try and make a woody root_fs
15:44 < rob> and then update the system
15:44 < rob> and make a sid root_fs
15:45 < rob> one thing I like too, is KVM switches :)
15:49 < AquaJo> I'll say cu & gn8
15:49 < AquaJo> we'll see each other the next days
15:50 < rob> have a nice sleep :)
15:50 < AquaJo> thank you
15:53 -!- AquaJo [~torbofh@217.85.147.64] has quit [Quit: In any case, it is better to be an angular something than a round nothing - Friedrich Hebbel]
16:10 -!- rob [rob@213.230.203.221] has quit [Quit: leaving]
18:01 -!- litost [~sombitch@phynp6.phy-astr.gsu.edu] has quit [Quit: ERC v2.91 $Revision: 1.239 $ (IRC client for Emacs)]
18:27 -!- DnsInfector [~DnsInfect@81.53.135.250] has left #uml [Client exiting]
18:35 -!- pflanze [~chris@dclient80-218-21-43.hispeed.ch] has joined #uml
18:36 < pflanze> Hello.
18:36 < pflanze> Has anyone a grsecurity patched uml kernel working?
18:36 < mistik1> enable ptrace in grsec
18:37 < mistik1> enable even
18:37 < pflanze> Then the rest works?
18:37 < pflanze> Even PAX?
18:37 < mistik1> I can't say
18:38 < mistik1> I've never used it, I'm just stating what I heard regarding the topic
18:38 < pflanze> Ok, thanks.
18:50 < Dave\\> hey
18:50 < Dave\\> does anybody use dhcp w/ UML?
18:50 < Dave\\> to give the UML ips?
19:04 -!- mistral [mistral@jstevenson.plus.com] has quit [Ping timeout: 490 seconds]
19:07 -!- pflanze [~chris@dclient80-218-21-43.hispeed.ch] has quit [Quit: [x]chat]
19:07 -!- nxtw [nxtw@68.76.176.193] has joined #uml
19:08 < Dave\\> hi nxtw
19:08 < nxtw> hey
19:09 < nxtw> Hey.. I was wondering, is it possible to change the mac addr of the uml? Like, make it something besides fe:fd:00:00:00:00 or fe:fd:ip:address
19:09 < nxtw> Using tuntap.
19:10 < Dave\\> yes
19:10 < Dave\\> ip link set device eth0 111111111111
19:10 < nxtw> from the host side.
19:11 < Dave\\> eth0=tuntap,tap0,
19:11 < Dave\\> in the parameters
19:11 < Dave\\> to start it up
19:12 < nxtw> doesn't work
19:12 < nxtw> it's fe:fd:00:00:00:00
19:14 < Dave\\> have you tried it like
19:14 < Dave\\> eth2=tuntap,umlc1,00:00:00:00:03:01,10.0.3.1
19:14 < Dave\\> with the last one as the IP of the sys
19:14 < Dave\\> host*
19:18 < nxtw> no luck
19:18 < Dave\\> :(
19:18 < Dave\\> caker is really good at this stuff
19:18 < Dave\\> *points to caker*
19:19 < Dave\\> I think caker runs Linode.com
19:19 < Dave\\> the automated UML host
19:37 -!- mistral [mistral@212.159.71.212] has joined #uml
19:41 < david> hello
19:41 < nxtw> hi
19:45 < Dave\\> hi david
19:48 -!- adama [adama@pie.methinks.co.uk] has quit [Ping timeout: 496 seconds]
20:03 -!- mistral [mistral@212.159.71.212] has quit [Read error: No route to host]
20:03 -!- mistral [mistral@jstevenson.plus.com] has joined #uml
21:36 < caker> What would cause a remote host to appear down to a UML, but up on normal machines?
21:36 < caker> Anyone care to try from inside a UML for me?
21:38 < caker> if so: "telnet mta01.cdpd.airdata.com 25" and tell me if you get the smtp banner
21:44 < david> works for me
21:44 < caker> hmm .. something is strange then - would it have anything to do with the fact that the remote machine doesn't return pings
21:44 < caker> and/or something I compiled into my uml 2.4.20 and 2.4.21 kernels?
21:46 < david> does it have ECN compiled in?
21:46 < caker> Yes
21:48 < david> ok
21:48 < david> that's ba
21:48 < david> d
21:48 < caker> is there a proc I can turn it off with or am I looking at a recompile? :-)
21:48 < david> yes, there is
21:48 < david> no, I don't know what it is off the top of my head
21:49 < david> find /proc -name "*ecn*"
21:49 < caker> echo 0 > /proc/sys/net/ipv4/tcp_ecn
21:49 < caker> hah! that fixed it
21:49 * caker bows before david
21:50 < david> caker: not a problem
21:51 < david> caker: generally with networking, if ECN is on and it broke, then turn it off :-)
21:52 < caker> I had a hunch - I couldn't remember which config opt sounded dangerous when I made my .config :-)
21:52 < caker> thanks
22:07 < david> caker: ECN is perfectly fine, assuming all the networks you're using support it
22:07 < david> unfortunately, plenty don't
22:45 -!- ElectricElf [david@elf.noc.oftc.net] has quit [Quit: Reboot.]
22:49 -!- ElectricElf [david@elf.noc.oftc.net] has joined #uml
23:14 -!- arthur [~arthur@adsl-67-120-107-148.dsl.snfc21.pacbell.net] has joined #uml
23:14 < arthur> is there a skas patch for 2.5.72?
23:15 < arthur> how can i apply the host-skas3 patch to a 2.4 kernel along with the openmosix patch?
23:51 < david> no
23:51 < david> there is no skas patch for 2.5.x
23:51 < david> arthur: as for applying it alongside openmosix - try it, fix the rejects
--- Log closed Tue Jul 01 00:00:01 2003