Monday, December 31, 2007

using pkg-config

Need to compile a gtkglextmm program?

Try

pkg-config gtkglextmm-1.2 --cflags --libs

thus

g++ button.cc `pkg-config gtkglextmm-1.2 --cflags --libs`

where button was the example program in the directory.

Works.

Thursday, December 27, 2007

pogl - Perl OpenGL makes it into Debian as libopengl-perl

I noticed that we don't have to install pogl directly; it is now in sid!

Sunday, December 16, 2007

dosemu issue

I had dosemu working with an old application which required a HASP plug on my Linux box.

I got it partially working. The issues are:

1) get dosemu working (don't need Windows, just the DOS version)
2) redirect input from a hard drive copy of the atm database disk so I can use it without loading the disk in the CD-ROM player
3) need to have permission to use the hardware parallel port.
This requires an edit of the global /etc/dosemu/dosemu.conf to access the parallel port,
as well as being the ROOT user in order to have it work (or setuid or something); see the
readme in the /doc directory of the dosemu which I put in /oldmachine2/me/dosemu-1.2.2

Need to play with it more. Seem to need to be root and set it up. Oops, I wonder if the
settings are specific to the workstation.
Looks like
$_ports= "..."
$_ports= $_ports, " device /dev/lp0 fast range 0x378 0x37a"

cat /proc/ioports |grep parport
If no parport, need to enable it in the BIOS :).
Then match the above line to the memory range....

but please review this.

Wednesday, December 12, 2007

browse over ssh issues

I copied this from

http://www.debuntu.org/port-forwarding-and-channel-3-open-failed-connect-failed-Connection-refused
Need to think about this....


Ssh Port Forwarding and "channel 3: open failed: connect failed: Connection refused"

In relation to a tutorial I previously made on how to connect to a remote mysql server by forwarding a port with ssh, I found out that some distributions like debian sarge were not using a default configuration that allows you to do that. People who get an error like:

ERROR 2013 (HY000): Lost connection to MySQL server during query

or

channel 3: open failed: connect failed: Connection refused

might find an answer to their problem.

By default and for security reasons, Linux distributions don't make the mysqld server accessible from the outside. There are actually 2 ways to achieve this:

  1. binding the service to address 127.0.0.1; this is the default on ubuntu
  2. skipping networking; in that case, only local (non TCP/IP) connections will be allowed. On Unix, connections will be made through a Unix socket. This is the default on debian sarge

In the first solution, you need to add in the [mysqld] section of /etc/mysql/my.cnf the directive:

bind-address = 127.0.0.1

the second solution uses:

skip-networking

instead.

While you can connect on a localhost server which skips networking, like you could with a server which only listens on the 127.0.0.1 address, using:

$mysql -u root -p -h localhost

you can not connect to it using an ssh tunnel with port forwarding,
as you will get an error like:

channel 3: open failed: connect failed: Connection refused

on the remote host
and:

ERROR 2013 (HY000): Lost connection to MySQL server during query

on the client host.

So in order to be able to connect to a remote mysql server which is only accessible from localhost, comment the directive:

skip-networking

and replace it with

bind-address = 127.0.0.1

This will not make your server less secure (as the service won't be accessible from the outside) and you will be able to access your database server remotely with tools like mysql-query-browser and mysql-administrator using an ssh tunnel.

Hope this helped.
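Added here as a worked example (not part of the debuntu article): a small Python checker that reads the [mysqld] section of a my.cnf the way the article describes, distinguishes the skip-networking case from the bind-address = 127.0.0.1 case, and says which outcome an ssh port forward to localhost:3306 will get. The three option files below are constructed samples.

```python
"""Classify a my.cnf [mysqld] section by what an ssh port forward will see."""
import re

# Constructed sample: debian sarge style, TCP networking disabled entirely.
SARGE_STYLE = """
[client]
socket = /var/run/mysqld/mysqld.sock

[mysqld]
user = mysql
socket = /var/run/mysqld/mysqld.sock
skip-networking
"""

# Constructed sample: the article's fix, skip-networking commented out and
# the daemon bound to loopback only.
FIXED = """
[mysqld]
user = mysql
# skip-networking
bind-address = 127.0.0.1   # loopback only
"""

# Constructed sample: bound to every interface, reachable from the outside.
EXPOSED = """
[mysqld]
bind-address = 0.0.0.0
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_mysqld(text):
    """Return {'skip_networking': bool, 'bind_address': str|None} for [mysqld].

    MySQL option files accept '-' and '_' interchangeably in option names,
    treat lines starting with '#' or ';' as comments, and allow a trailing
    '#' comment after a value; all three cases are handled here.
    """
    result = {"skip_networking": False, "bind_address": None}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"\[([^\]]+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "mysqld":
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower().replace("-", "_")
        value = value.strip().strip("\"'")
        if key == "skip_networking":
            # A bare 'skip-networking' line means ON; an explicit OFF disables it.
            result["skip_networking"] = value.lower() in ("", "1", "on", "true")
        elif key == "bind_address":
            result["bind_address"] = value
    return result


def tunnel_verdict(cfg):
    """Map a parsed [mysqld] section to the outcome an ssh port forward gets."""
    if cfg["skip_networking"]:
        # No TCP listener at all: the forwarded connection to 127.0.0.1:3306 is
        # refused by the remote kernel, which sshd reports on the remote side as
        # 'channel 3: open failed: connect failed: Connection refused'.
        return "socket-only: tunnel fails with Connection refused"
    addr = cfg["bind_address"]
    if addr in LOOPBACK:
        return "loopback-only: tunnel works, not reachable from outside"
    # No bind-address (or a non-loopback one) means the daemon listens on every
    # interface; the tunnel works, but so does direct access from the network.
    return "exposed: listening on %s" % (addr or "all interfaces")


def verdict_for(text):
    """Convenience wrapper: option-file text in, one-line verdict out."""
    return tunnel_verdict(parse_mysqld(text))


if __name__ == "__main__":
    for name, sample in (("sarge", SARGE_STYLE), ("fixed", FIXED), ("exposed", EXPOSED)):
        print("%-8s %s" % (name, verdict_for(sample)))
```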

***********************************************
the previous article was

In a previous article we saw how to connect to a remote mysql server running both ssh and mysql.

This time, we are going a bit further and will see how to connect to a remote server running ssh in order to be able to access a SQL server on the remote LAN.

This system allows hiding the SQL server from the outside. Please keep in mind that in this example we are connecting to a MySQL server, but it could be any service running there.

Let's put it on the table. Imagine that we have got a web server which is put under high load; a clever way to soften the effect of the load and at the same time protect our SQL data from the outside would be to have the HTTP server available to the outside (so it can serve the web pages), and hide our MySQL server from the outside.

This will look like this:

We saw last time that, in order to securely connect to a remote MySQL server running both mysql and ssh, we had to create a tunnel between our desktop and the server, where we had to forward port 3307 on our desktop to port 3306 running locally on the remote server by giving the following instruction to ~/.ssh/config:

Localforward 3307 localhost:3306

This time, we want to forward port 3307 on our desktop to port 3306 on the MySQL server (let's say it has 192.168.0.3 as IP address). The only change we have to make to the previous configuration is to change the Localforward instruction to:

Localforward 3307 192.168.0.3:3306

And simply use the same mysqlcc configuration as the one given in the How To Connect to a remote mysql server using mysqlcc and ssh tunneling Tutorial. It is as simple as that :). Here is an overview of the final configuration we have deployed:


People who do not want to use ~/.ssh/config might use the following command:

tester@laptop:~$ssh -L 3307:192.168.0.3:3306 myuser@remotesshserver.com

Now you can play around with port forwarding; later on, I will show you how to go even further and just do some useless, geeky things.

cheerio


Tuesday, December 11, 2007

Panel disappears, sound stops?

1) Panel sometimes disappears from the bottom of KDE. How to get it back?

* Run -> panel

The panel's name is "kicker"; significance? Think about looking into kasbar too.

2) Sound stops. Who knows why?

* Run /etc/init.d/alsa-utils start
Seems to work.

Who knows what goes wrong?

Thursday, November 22, 2007

Gtk2::GLext install

Ok, I wanted to have
gtkglext
gtkglextmm
Gtk2::GLext
all installed.
Let us get the latest one of each.
The first two use
./configure --prefix=/usr
to get to the right Debian locations.
Then for the last guy
need to edit Makefile.PL
to move the line
mkdir 'build', 0777;
above the line for the pod that enables compilation.
Got 2 errors:
unrecognized argument in LIBS ignored: '-Wl, --export-dynamic'
unrecognized argument in LIBS ignored: '-pthread'
then did
make
make test
make install

Friday, November 16, 2007

mac os upgrade dual boot setup

Ok, I have a dual boot Mac G4. I wanted to upgrade to Leopard,
so I noted that the hard drive partition setup is
/dev/hda1 Apple_partition_map
/dev/hda2 bootstrap yaboot
/dev/hda3 swap
/dev/hda4 Linux / 15.6G
/dev/hda5 Mac OsX 11.8G


So then I booted into the new Leopard installer disk, wiped out old Tiger, and reinstalled from scratch to the Mac partition.
Then I did:
power on
hold down apple, option, o, f buttons (yes, 4 buttons)
then at the > prompt type
>boot hd:2,yaboot

here 2 is /dev/hda2, i.e. the yaboot bootstrap partition.
then type
>Linux
then

Log in to the Linux system,
run as root
fdisk -l
and look at what the macosx partition is.

On my system it changed from /dev/hda5 to /dev/hda6!!! with the new install, wasting a good 120M of space on the drive...

Then edit /etc/yaboot.conf to set
macosx=/dev/hda6 or whatever

then as root run
ybin
this will reinitialize the boot sector to boot to yaboot and
choose Linux as default or Leopard.

Then install OsiriX to the MacOsX partition :)

ecb and semantic-cache files

I may want to get rid of ecb, but while it is on my system:

Emacs and semantic.cache

How can I prevent contaminating each directory with a semantic.cache file?
Set semanticdb-default-save-directory to a directory, by putting the following in your emacs init file (usually .emacs in your home directory):

(setq semanticdb-default-save-directory "~/.semantic")
(Replace ~/.semantic with a different directory, if you wish.)

From http://ecb.sourceforge.net/docs/FAQ.html

Saturday, November 3, 2007

browse over ssh

ssh -ND 8080 you@yourserver.com
sign in,
then set up Firefox to use SOCKS host: localhost, port 8080,
and you are done.

Need to also set up:

Set your proxy server to resolve DNS requests instead of your computer; in Firefox's about:config area, set network.proxy.socks_remote_dns = true.

Then you can't be traced by your DNS queries.....
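To see what network.proxy.socks_remote_dns actually changes on the wire, here is an added example (not part of the original notes) that builds the SOCKS5 CONNECT request a browser sends into the `ssh -ND 8080` listener both ways: with remote DNS the hostname itself goes into the request and the ssh server resolves it, without it the browser resolves first and sends an IP. The RecordingResolver and its 192.0.2.10 answer are constructed stand-ins for the local resolver so the code runs offline.

```python
"""SOCKS5 CONNECT encoding (RFC 1928, section 4) with and without remote DNS."""
import socket
import struct

SOCKS_VERSION = 5
CMD_CONNECT = 1
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4


class RecordingResolver:
    """Stand-in for the local stub resolver (constructed for this example).

    Every call here is a DNS query that would leave your machine in the clear,
    which is exactly what socks_remote_dns = true avoids.
    """

    def __init__(self, answer="192.0.2.10"):  # constructed TEST-NET-1 answer
        self.answer = answer
        self.queries = []

    def __call__(self, host):
        self.queries.append(host)
        return self.answer


def build_connect(host, port, remote_dns, resolver):
    """Encode a SOCKS5 CONNECT request.

    remote_dns=True  -> send the hostname itself (ATYP 3); the ssh server
                        resolves it, so no lookup happens on the client.
    remote_dns=False -> resolve locally first and send the IPv4 address
                        (ATYP 1), exposing the name to the local resolver.
    """
    if remote_dns:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5 domain form")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(resolver(host))
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0]) + addr + struct.pack("!H", port)


def parse_connect(data):
    """Decode a CONNECT request into (atyp, address, port), as the proxy does."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = data[3]
    if atyp == ATYP_IPV4:
        addr, rest = socket.inet_ntoa(data[4:8]), data[8:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        addr, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    elif atyp == ATYP_IPV6:
        addr, rest = socket.inet_ntop(socket.AF_INET6, data[4:20]), data[20:]
    else:
        raise ValueError("unknown address type %d" % atyp)
    if len(rest) != 2:
        raise ValueError("truncated or oversized request")
    return atyp, addr, struct.unpack("!H", rest)[0]


def leaks_dns(host, port, remote_dns):
    """Return the hostnames the local resolver saw while building one request."""
    resolver = RecordingResolver()
    build_connect(host, port, remote_dns, resolver)
    return resolver.queries


if __name__ == "__main__":
    for flag in (True, False):
        req = build_connect("www.example.org", 443, flag, RecordingResolver())
        print("socks_remote_dns=%s -> %s -> %r" % (flag, req.hex(), parse_connect(req)))
```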

Thursday, November 1, 2007

emacs commands

1. how to turn on syntax highlighting

M-x font-lock-mode

2. how to indent code?

C-M-\

3. how to comment out code in a region? select the region then
M-x comment-region
M-x uncomment-region

4. comment on a line
M-; (i.e. alt-; or esc then ;) creates a comment on the line
M-j then creates another comment line
remove comment on line ??

5. To move the cursor to a specific line:
M-x goto-line
when prompted in the minibuffer
Goto line:

Friday, October 26, 2007

pgplot5

Just for posterity's sake, in case you need to compile pgplot on Debian,
the makefile created does not point to the right location for
the includes for
pndriv.o : /usr/include/png.h /usr/include/pngconf.h /usr/include/zlib.h /usr/include/zconf.h

so you correct them to that.
Also the problem with tcl and tk is due to the lack of
symlinks
libtk.so -> libtk8.5.so.0
and
libtcl.so -> libtcl8.5.so.0
in
/usr/lib/

Once I added them the compilation was fine.

However I then found pgplot in the non-free repository, so this is not necessary.

pdl and perl and pgplot5 and dh-install-perl

To use PDL the perl data language with graphics, you need to

1) install pgplot5 the plotting package ( Fortran! amazing)
which is located in debian non-free.

apt-get install pgplot5

2) install PGPLOT, the cpan module for working with pgplot5
it is currently not in Debian (it fell out a while ago... :( ).

Thus you need to download the PGPLOT module
from CPAN.

But we want a debian package for it!
It will be called libpgplot-perl_2.20-1_amd64.deb

so:

apt-get install dh-install-perl

this will enable us to make a debian package for PGPLOT

then create a directory to work in

mkdir libperl-pgplot
cd libperl-pgplot
dh-install-perl --cpan PGPLOT
then
dh-install-perl --build PGPLOT-2.20
then
dpkg -i libpgplot-perl_2.20-1_amd64.deb

Of course you will have gotchas along the way :)

When dh-install-perl makes an error in the build,
say because you are missing g77 or
libextutils-f77-perl,
you have to delete the debian created directory
rm -rf PGPLOT-2.20/debian
so that you can recompile the binaries.
Then you run
dh-install-perl --build PGPLOT-2.20
again.

Of course you could just do
dh-install-perl --install --cpan PGPLOT
which should do it all, but it is fun to do it step by step.

Wednesday, August 1, 2007

minicom setup and acpi questions

you need the string for the modem

AT&F1E0Q0V1&C1&D2S0=0

for the aceex modem check out later information

http://gentoo-wiki.com/HOWTO_Fix_Common_ACPI_Problems

has a page of Averatec laptop info with a corrected DSDT for it; read more about this issue,
and also more about sleeping, at
http://acpi.sourceforge.net/dsdt/view.php?manufacturer=Averatec&name=3250HX-01

Sunday, June 24, 2007

debian, nvidia driver Linux Kernel 2.6.2x with paravirtualization

Just to remind us,
take a look at
http://grizach.servebeer.com/nvpatch/

where he discusses what to do.

Issue: I would rather not recompile the kernel.
Maybe with the next 2.6.22 kernels we will be ok,

at least according to this thread

http://www.nvnews.net/vbulletin/showthread.php?t=93059

Thursday, June 21, 2007

saving sound from internet

vsound will capture sound
Description: Virtual loopback sound recorder and real audio converter
This program allows you to record the output of any standard OSS
program (one that uses /dev/dsp for sound) without having to modify or
recompile the program. It uses sox to convert and save the raw data
into the desired file format and can help to convert real audio files
to some other non-proprietary format.

you can probably use

mplayer -v -dumpstream rtsp://linktoaudofile.rm -dumpfile audio.rm
Replace the rtsp://linktoaudofile.rm with the corresponding link you want to
download.

screenshots in linux

I believe the Gimp has a pretty straightforward tool for this.
And there is "import" that comes with ImageMagick.
It is a commandline app and works very well, in my experience. The online documentation has a

Try "scrot", it’s extremely small but still provides a lot of functionality.


I use ksnapshot, don't know how big it is, but it does a good job,
allowing to save in a number of different formats. I will try
"scrot", by the way, as I keep taking screenshots quite often.



nice import command from imagemagick

import -frame ~/Images/Screenshots/image_of_the_window_or_frame.jpg

display ~/Images/Screenshots/image_of_the_window_or_frame.jpg

What a great bunch of knowledgeable and helpful people - I'd say
Imagemagick and scrot are the handiest - xwd and xwud to display have
the advantage of being on my machine already (but they do put out HUGE
files). The K series suffers from the same problem as Gnome... I don't
run either, so aptitude wants to pull in dozens of libraries.
Thanks to everyone!

I'm glad you asked, as I'd been wondering about this too. From the
advice you got I found my answer. I've added the following to my
.fluxbox/keys file, and I'm all set.

Mod4 s :ExecCommand /usr/bin/import -window root ~/screenshots/scrshot$(date +%s).png

GIMP: open File -> Acquire -> Screenshot,
choose Single Window or Whole Screen, then click Grab. Now your next
mouse click will capture the window or screen clicked on as an image
in the GIMP. Crop and resize the image as necessary, using the
instructions at http://www.gimp.org/tutorials/Lite_Quickies/#crop

My favorite program for screenshots is ksnapshot. But that might be heavy
for you.

There's always xwd in the xbase-clients package (which is probably
installed already).

Cons:
- It writes in .xwd format. Only. not png or even jpeg. xwd only. But
gimp and others should have no problem reading it.
- Command-line only. No GUI.

Pros:
- You probably have got it installed already
- scriptable from the command line
Not a real issue. You can always use

xwd | convert - screenshot.jpg


What's the point of using xwd, then?

import -window root screenshot.png

(since if convert is installed, then import is installed).

alsa problems

I have noticed that sound goes silent sometimes. I don't know why.
I have been
redoing alsaconf and alsactl store
and speaker-test.

What is wrong?

I noticed on debian-user:

> Sound works OK from a variety of applications, including alsaplayer,
> realplayer, and mplayer. However, when any application changes a mixer
> setting, sound goes silent until alsa is force-reloaded. Any thoughts?
>
> joehill:/var/log# lsmod

I have the same motherboard and i was facing same problem. after
searching through google and various linux-related site, I found two
steps to solve this problem.

NOTE: install alsa-oss, alsa-utils packages
1. edit: /etc/modprobe.d/alsa-base
Add the following line at the end of the file,
"options snd-hda-intel position-fix=1 model=3stack" (without
quotes)

After step 1, force-restart alsa module and see if it works or not.

2. edit: /boot/grub/menu.lst
add "noapic" option at the end of the kernel options.
reboot the machine. everything should work fine.

Thank you! This worked fine. There was no need for step 2 -- just the
above fixed the problem.

Andy

**************
Now I don't have that motherboard,
but what is reloading alsa?
/etc/init.d/alsa force-reload
I will try that next time.

How to convert CHM files under Linux

http://madphilosopher.ca/2006/09/how-to-convert-chm-files-under-linux/

$ sudo apt-get install libchm-bin
$ extract_chmLib book.chm outdir

where book.chm is the path to your CHM file and outdir is a new directory that will be created to contain the HTML extracted from the CHM file.

After running the utility to extract the HTML files from your CHM file, the extracted files will appear in . There won’t be an “index.html” file, unfortunately. So you’ll have to inspect the filenames and/or their contents to find the appropriate main page or Table of Contents.

Now the HTML is yours to enjoy!


Controlling your X - really deep down

Amazing post from Andrew Sackville-West:
If you want to experiment, there are a few things you can try. I would
start with, as root:

update-rc.d -f gdm remove

this will remove the symlinks to gdm in your rc levels so that you
can start up your machine without gdm starting up. If you later want
to start up gdm manually, as root do:

/etc/init.d/gdm start

if you later want to redo gdm so it starts automatically, then do, as
root:

update-rc.d gdm defaults

to recreate the symlinks for automatic start-up. Will take effect next
reboot, or next time you change run-levels.

Okay, now you can start your machine and log in from the command line
on a VT. edit a new file in your home directory and call it
".xinitrc". The "." is important.

put one thing in that file

x-terminal-emulator

and save the file. now logged in as yourself, type

startx

you should see the usual X screen come up and then it will pop-up an
xterminal for you. you can play around for a bit and then type exit
from the xterm and you will drop out of X and return to the CLI. Some
fun things you can do here are: 'iceweasel &' in the xterm to start up
iceweasel. you can use this xterm as a sort of session manager by
starting whatever x apps you need from it.

what happened? you started a bare X session, without a *dm and using
~/.xinitrc, told it to run the X app pointed to by
"x-terminal-emulator" (part of the alternatives system, which is
another issue altogether).

you could have easily specified *any* x app. change .xinitrc so that
it has only the line:

iceweasel

and then try startx again. you should get a screen full of iceweasel
only. When you quit, you'll drop back to the CLI again.
one more quick lesson and then we'll move on:

edit xinitrc again and put in

x-terminal-emulator &

save it and try startx. It should start an xsession, launch an xterm
and then because the xterm is backgrounded (by the &) then X will move
to the next line of xinitrc, and with nothing there, will kickout and
drop back to the command line. This is proper behavior. X will run
until it reaches the end of your .xinitrc and then it will die. To
keep your x session running, the last program in xinitrc must stay
running in the foreground.

Now have fun. install a few window managers. edit your .xinitrc:

icewm

and run startx. a window manager is just like any other x program. It
keeps your x session going until it exits. But a wm has lots of other
cool features -- it lets you launch other x apps, it helps you control
the size and placement of the windows. it provides handy menus, etc
etc etc.

you can put lots of things into your xinitrc... at one point mine
looked like this, which is pretty simple, but gives you an idea

eval `gpg-agent --daemon --sh`
numlockx on
xscreensaver -no-splash &
rox-filer --pinboard=mypinbd
xsetbg -fullscreen /home/andrew/earth2a1.jpg &
icewm-session

this did several things: started my gpg-agent, turned on numlock (must
be on for my sanity), launched the screensaver, started up rox-filer
and my desktop stuff from there (rox-filer daemonizes itself and
doesn't need the &), set my background image with xsetbg and finally
launched icewm-session, which pulls in a whole bunch of icewm
stuff. I used that setup for about a year before moving on to wmii for
a while.

The point of all this is, if you *really* want control of your
desktop, this is a way to do it. have fun
Andrew Sackville-West
***************************

You don't have to uninstall anything. Just install a lightweight window
manager such as IceWm and change the preferred x-session-manager to
icewm-session, e.g.:
# aptitude install icewm
# update-alternatives --config x-session-manager
(Select icewm-session)

What is the links2 browser?
What will the end result look like? Personally, I don't use any gdm or
any other *dm, I just log into a normal terminal and run startx, which
starts icewm (on my PII) and Xfce on my Athlon. I went with Xfce over
icewm simply because I can edit the tool bar and other stuff with a
simple config applet instead of editing config files for icewm.
However, my PII only has 64 MB ram whereas my Athlon has 1 GB. Xfce
tends to leak memory.

nice debian information on paranoid setup

http://www.hermann-uwe.de/blog/towards-a-moderately-paranoid-debian-laptop-setup--part-1-base-system
http://www.hermann-uwe.de/blog/howto-anonymous-communication-with-tor-some-hints-and-some-pitfalls
http://www.hermann-uwe.de/security/my-firewall-iptables-scripts

firewall script http://www.hermann-uwe.de/files/fw_laptop
#!/bin/sh
#------------------------------------------------------------------------------
# File: fw_laptop
# Author: Uwe Hermann
# URL: http://www.hermann-uwe.de/files/fw_laptop
# License: GNU GPL (version 2, or any later version).
# $Id: fw_laptop 529 2006-06-10 15:11:40Z uh1763 $
#------------------------------------------------------------------------------

# A firewall script intended to be used on workstations / laptops. It basically
# blocks all incoming traffic and only allows minimal outgoing traffic.
# It helps to mitigate certains attacks, misconfigurations of local daemons,
# misbehaving local users or applications, and can prevent untrusted
# applications from "phoning home", among other things.

# Note: This is work in progress! Any comments and suggestions are welcome!

# Thanks for comments and suggestions:
# * Jean Christophe André
# * Ryan Giobbi
# * Pascal Hambourg


#------------------------------------------------------------------------------
# Configuration.
#------------------------------------------------------------------------------

# For debugging use iptables -v.
IPTABLES="/sbin/iptables"
IP6TABLES="/sbin/ip6tables"
MODPROBE="/sbin/modprobe"
RMMOD="/sbin/rmmod"
ARP="/usr/sbin/arp"

# Logging options.
# Note: We use --log-level debug, so that the messages are not output
# to all virtual consoles (which would be quite annoying).
# Alternative: Start klogd with -c 4 (e.g. by setting KLOGD="-c 4" in the
# /etc/init.d/klogd startup-script.
LOG="LOG --log-level debug --log-tcp-sequence --log-tcp-options"
LOG="$LOG --log-ip-options"

# Defaults for rate limiting (to prevent DoS attacks and excessive logging).
# TODO: What is a good value for --limit and --limit-burst?
# TODO: Test rate limiting.
RLIMIT="-m limit --limit 3/s --limit-burst 8"

# Unprivileged ports.
PHIGH="1024:65535"

# Common SSH source ports.
PSSH="1000:1023"

# Load required kernel modules (if automatic module loading is disabled).
$MODPROBE ip_conntrack_ftp
$MODPROBE ip_conntrack_irc


#------------------------------------------------------------------------------
# Mitigate ARP spoofing/poisoning and similar attacks.
# For details see:
# * http://en.wikipedia.org/wiki/ARP_spoofing
# * http://www.grc.com/nat/arp.htm
#------------------------------------------------------------------------------

# Hardcode static ARP cache entries here (e.g. for the network gateway).
# $ARP -s IP-ADDRESS MAC-ADDRESS


#------------------------------------------------------------------------------
# Kernel configuration.
# For details see:
# * http://www.securityfocus.com/infocus/1711
# * http://www.linuxgazette.com/issue77/lechnyr.html
# * http://ipsysctl-tutorial.frozentux.net/chunkyhtml/index.html
# * /usr/src/linux/Documentation/filesystems/proc.txt
# * /usr/src/linux/Documentation/networking/ip-sysctl.txt
#------------------------------------------------------------------------------

# Disable IP forwarding.
# Note: We turn this on and off to reset all settings to their defaults.
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/ip_forward

# Enable IP spoofing protection (i.e. source address verification).
# Note: This is special, as it seems to only be enabled if you set
# */all/rp_filter AND */eth0/rp_filter (for example) to 1! Setting only
# */all/rp_filter alone does _not_ suffice, which is pretty counter-intuitive.
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $i; done

# Protect against SYN flood attacks (see http://cr.yp.to/syncookies.html).
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Ignore all incoming ICMP echo requests (i.e. disable ping).
# Usually not a good idea, as some protocols and users need/want this.
# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all

# Ignore ICMP echo requests to broadcast/multicast addresses. We do not
# want to participate in smurf (and similar) DoS attacks.
# For details see: http://en.wikipedia.org/wiki/Smurf_attack.
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Log packets with impossible addresses.
for i in /proc/sys/net/ipv4/conf/*/log_martians; do echo 1 > $i; done

# Don't log invalid responses to broadcast frames, they just clutter the logs.
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Don't accept or send ICMP redirects.
for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $i; done
for i in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > $i; done

# Don't accept source routed packets.
for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do echo 0 > $i; done

# Disable multicast routing. Should not be needed, usually.
# TODO: This throws an "Operation not permitted" error. Why?
# for i in /proc/sys/net/ipv4/conf/*/mc_forwarding; do echo 0 > $i; done

# Disable proxy_arp. Should not be needed, usually.
for i in /proc/sys/net/ipv4/conf/*/proxy_arp; do echo 0 > $i; done

# Enable secure redirects, i.e. only accept ICMP redirects for gateways
# listed in the default gateway list. Helps against MITM attacks.
for i in /proc/sys/net/ipv4/conf/*/secure_redirects; do echo 1 > $i; done

# Disable bootp_relay. Should not be needed, usually.
for i in /proc/sys/net/ipv4/conf/*/bootp_relay; do echo 0 > $i; done

# TODO: These may mitigate ARP poisoning attacks?
# /proc/sys/net/ipv4/neigh/*/locktime
# /proc/sys/net/ipv4/neigh/*/gc_stale_time

# TODO: Check rest of /usr/src/linux/Documentation/networking/ip-sysctl.txt.
# Are there any security-relevant options I missed? Check especially:
# icmp_ratelimit, icmp_ratemask, icmp_errors_use_inbound_ifaddr, arp_*.


#------------------------------------------------------------------------------
# Default policies.
#------------------------------------------------------------------------------

# Drop everything by default.
# Note: The default policies are set _before_ flushing the chains, to prevent
# a short timespan between flushing the chains and setting policies where
# any traffic would be allowed.
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP

# Set the nat/mangle/raw tables' chains to ACCEPT (we don't use them).
# Packets will simply pass through these tables unchanged.
# TODO: What happens if the modules aren't loaded?
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT

$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P INPUT ACCEPT
$IPTABLES -t mangle -P FORWARD ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -t mangle -P POSTROUTING ACCEPT

# TODO: Correct? Remove this?
# $IPTABLES -t raw -P PREROUTING ACCEPT
# $IPTABLES -t raw -P OUTPUT ACCEPT


#------------------------------------------------------------------------------
# Cleanup.
#------------------------------------------------------------------------------

# Delete all rules.
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F

# Delete all (non-builtin) user-defined chains.
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X

# Zero all packet and byte counters.
$IPTABLES -Z
$IPTABLES -t nat -Z
$IPTABLES -t mangle -Z


#------------------------------------------------------------------------------
# Completely disable IPv6.
#------------------------------------------------------------------------------

# Block all IPv6 traffic, otherwise the firewall might be circumvented by an
# attacker who simply sends IPv6 traffic instead of IPv4 traffic.
# Note: The safest way to prevent IPv6 traffic is to not enable support for
# IPv6 in the kernel in the first place (neither built-in nor as a module).

# If the ip6tables command is available, try to block all IPv6 traffic.
if test -x $IP6TABLES; then
# Set the default policies (drop everything).
$IP6TABLES -P INPUT DROP 2>/dev/null
$IP6TABLES -P FORWARD DROP 2>/dev/null
$IP6TABLES -P OUTPUT DROP 2>/dev/null

# The mangle table can pass everything through unaltered (we don't use it).
$IP6TABLES -t mangle -P PREROUTING ACCEPT 2>/dev/null
$IP6TABLES -t mangle -P INPUT ACCEPT 2>/dev/null
$IP6TABLES -t mangle -P FORWARD ACCEPT 2>/dev/null
$IP6TABLES -t mangle -P OUTPUT ACCEPT 2>/dev/null
$IP6TABLES -t mangle -P POSTROUTING ACCEPT 2>/dev/null

# Delete all rules.
$IP6TABLES -F 2>/dev/null
$IP6TABLES -t mangle -F 2>/dev/null

# Delete all (non-builtin) user-defined chains.
$IP6TABLES -X 2>/dev/null
$IP6TABLES -t mangle -X 2>/dev/null

# Zero all packet and byte counters.
$IP6TABLES -Z 2>/dev/null
$IP6TABLES -t mangle -Z 2>/dev/null
fi


#------------------------------------------------------------------------------
# Custom user-defined chains.
#------------------------------------------------------------------------------

# LOG packets, then ACCEPT them.
$IPTABLES -N ACCEPTLOG
$IPTABLES -A ACCEPTLOG -j $LOG $RLIMIT --log-prefix "ACCEPT "
$IPTABLES -A ACCEPTLOG -j ACCEPT

# LOG packets, then DROP them.
$IPTABLES -N DROPLOG
$IPTABLES -A DROPLOG -j $LOG $RLIMIT --log-prefix "DROP "
$IPTABLES -A DROPLOG -j DROP

# LOG packets, then REJECT them. TCP packets are rejected with a TCP reset.
$IPTABLES -N REJECTLOG
$IPTABLES -A REJECTLOG -j $LOG $RLIMIT --log-prefix "REJECT "
$IPTABLES -A REJECTLOG -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A REJECTLOG -j REJECT

# A custom chain which only allows minimal (RELATED) ICMP types
# (destination-unreachable, time-exceeded, and parameter-problem).
# TODO: Rate-limit this traffic?
# TODO: Allow fragmentation-needed?
# TODO: Test.
$IPTABLES -N RELATED_ICMP
$IPTABLES -A RELATED_ICMP -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPTABLES -A RELATED_ICMP -p icmp --icmp-type time-exceeded -j ACCEPT
$IPTABLES -A RELATED_ICMP -p icmp --icmp-type parameter-problem -j ACCEPT
$IPTABLES -A RELATED_ICMP -j DROPLOG


#------------------------------------------------------------------------------
# Only allow the minimally required/recommended parts of ICMP. Block the rest.
# For details see:
# * http://tools.ietf.org/html/792
# * http://tools.ietf.org/html/1122
# * http://www.iana.org/assignments/icmp-parameters
# * http://www.daemon.be/maarten/icmpfilter.html
#------------------------------------------------------------------------------

# Note: Be careful if you're using kernels older than 2.4.29. Some locally
# generated ICMP error types (going through OUTPUT) are erroneously tagged
# as INVALID (instead of RELATED).
# Details: http://lists.debian.org/debian-firewall/2006/05/msg00051.html.

# TODO: This section needs a lot of testing!

# First, drop all fragmented ICMP packets (almost always malicious).
$IPTABLES -A INPUT -p icmp --fragment -j DROPLOG
$IPTABLES -A OUTPUT -p icmp --fragment -j DROPLOG
$IPTABLES -A FORWARD -p icmp --fragment -j DROPLOG

# Allow all ESTABLISHED ICMP traffic.
# TODO: Tighten this some more?
$IPTABLES -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT $RLIMIT
$IPTABLES -A OUTPUT -p icmp -m state --state ESTABLISHED -j ACCEPT $RLIMIT

# Allow some parts of the RELATED ICMP traffic, block the rest.
# TODO: FORWARD?
$IPTABLES -A INPUT -p icmp -m state --state RELATED -j RELATED_ICMP $RLIMIT
$IPTABLES -A OUTPUT -p icmp -m state --state RELATED -j RELATED_ICMP $RLIMIT

# Allow incoming ICMP echo requests (ping), but only rate-limited.
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT $RLIMIT

# Allow outgoing ICMP echo requests (ping), but only rate-limited.
# TODO: Really do rate limiting here?
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT $RLIMIT

# Drop any other ICMP traffic.
$IPTABLES -A INPUT -p icmp -j DROPLOG
$IPTABLES -A OUTPUT -p icmp -j DROPLOG
$IPTABLES -A FORWARD -p icmp -j DROPLOG


#------------------------------------------------------------------------------
# Selectively allow certain special types of traffic.
#------------------------------------------------------------------------------

# Allow all incoming and outgoing connections on the loopback interface.
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

# Allow incoming connections related to existing allowed connections.
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections related to existing allowed connections.
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Uncomment this (and comment the above line) to allow all outgoing
# connections (except for INVALID ones).
# $IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# TODO: Read Securing Debian Manual's "Disabling weak-end hosts issues".
# For details see:
# * http://www.debian.org/doc/manuals/securing-debian-howto/
# * ftp://ftp.isi.edu/in-notes/rfc1122.txt

# TODO: Split the ESTABLISHED,RELATED rules by state, protocol, type?


#------------------------------------------------------------------------------
# Miscellaneous.
#------------------------------------------------------------------------------

# Drop SMB/CIFS, and related Windows traffic without logging. We don't care.
# TODO: I think not all of these use TCP _and_ UDP. Tighten the rules!
$IPTABLES -A INPUT -p tcp -m multiport \
--dports 135,137,138,139,445,1433,1434 -j DROP
$IPTABLES -A INPUT -p udp -m multiport \
--dports 135,137,138,139,445,1433,1434 -j DROP

# Explicitly drop invalid incoming traffic (use DROPLOG if you want logging).
$IPTABLES -A INPUT -m state --state INVALID -j DROP

# Drop invalid outgoing traffic, too.
# Note: This may prevent you from performing certain scans. Also, see above
# comment about ICMP packets being erroneously marked as INVALID instead of
# RELATED in kernels older than 2.4.29. Remove this rule if needed.
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP

# This is not needed, as we use policy DROP for FORWARD, and we disabled
# ip_forward anyways. However, if we would use NAT, INVALID packets would
# bypass our rules, so we block them explicitly here, just in case.
$IPTABLES -A FORWARD -m state --state INVALID -j DROP

# Hinder portscanners a bit.
$IPTABLES -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP

# TODO: Some more anti-spoofing rules? For example:
# TODO: Test.
# $IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
# $IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# $IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# TODO: Block known-bad IPs (see http://www.dshield.org/top10.php).
# $IPTABLES -A INPUT -s INSERT-BAD-IP-HERE -j DROPLOG


#------------------------------------------------------------------------------
# Drop any traffic from IANA-reserved IPs.
# Note: You could easily block valid traffic, e.g. if your ISP uses private
# addresses (see RFC 1918) in their network. If in doubt, remove these rules.
# For details see:
# * ftp://ftp.iana.org/assignments/ipv4-address-space
# * http://www.cymru.com/Documents/bogon-bn-agg.txt
#------------------------------------------------------------------------------

$IPTABLES -A INPUT -s 0.0.0.0/7 -j DROP
$IPTABLES -A INPUT -s 2.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 5.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 7.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 10.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 23.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 27.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 31.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 36.0.0.0/7 -j DROP
$IPTABLES -A INPUT -s 39.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 42.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 49.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 50.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 77.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 78.0.0.0/7 -j DROP
$IPTABLES -A INPUT -s 92.0.0.0/6 -j DROP
$IPTABLES -A INPUT -s 96.0.0.0/4 -j DROP
$IPTABLES -A INPUT -s 112.0.0.0/5 -j DROP
$IPTABLES -A INPUT -s 120.0.0.0/8 -j DROP
# $IPTABLES -A INPUT -s 127.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 169.254.0.0/16 -j DROP
$IPTABLES -A INPUT -s 172.16.0.0/12 -j DROP
$IPTABLES -A INPUT -s 173.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 174.0.0.0/7 -j DROP
$IPTABLES -A INPUT -s 176.0.0.0/5 -j DROP
$IPTABLES -A INPUT -s 184.0.0.0/6 -j DROP
$IPTABLES -A INPUT -s 192.0.2.0/24 -j DROP
# $IPTABLES -A INPUT -s 192.168.0.0/16 -j DROP
$IPTABLES -A INPUT -s 197.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 198.18.0.0/15 -j DROP
$IPTABLES -A INPUT -s 223.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 224.0.0.0/3 -j DROP


#------------------------------------------------------------------------------
# Selectively allow certain outbound connections, block the rest.
# TODO: This could be tightened a bit more (limit source/dest port ranges).
#------------------------------------------------------------------------------

# Allow outgoing DNS requests. Few things will work without this.
$IPTABLES -A OUTPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT

# Allow outgoing HTTP requests. Unencrypted, use with care.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT

# Allow outgoing HTTPS requests.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT

# Allow outgoing SMTPS requests. Do NOT allow unencrypted SMTP!
# $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 465 -j ACCEPT

# Allow outgoing "submission" requests.
# Submission (RFC 2476) is used for sending email, and uses port 587.
# This can be encrypted or unencrypted, depending on the server (I think).
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 587 -j ACCEPT

# Allow outgoing POP3S requests. Do NOT allow unencrypted POP3!
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 995 -j ACCEPT

# Allow outgoing SSH requests.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT

# Allow outgoing FTP requests. Unencrypted, use with care.
# Note: This usually needs the ip_conntrack_ftp kernel module.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT

# Allow outgoing NNTP requests. Unencrypted, use with care.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 119 -j ACCEPT

# Allow outgoing NTP requests. Unencrypted, use with care.
$IPTABLES -A OUTPUT -m state --state NEW -p udp --dport 123 -j ACCEPT

# Allow outgoing IRC requests. Unencrypted, use with care.
# Note: This usually needs the ip_conntrack_irc kernel module.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 6667 -j ACCEPT

# Allow outgoing requests to various proxies. Unencrypted, use with care.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 8080 -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 8090 -j ACCEPT

# Allow outgoing DHCP requests. Unencrypted, use with care.
# TODO: This is completely untested, I have no idea whether it works!
# TODO: I think this can be tightened a bit more.
$IPTABLES -A OUTPUT -m state --state NEW -p udp \
--sport 67:68 --dport 67:68 -j ACCEPT

# Allow outgoing CVS requests. Unencrypted, use with care.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 2401 -j ACCEPT

# Allow outgoing SVN requests. Unencrypted, use with care.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 3690 -j ACCEPT

# Allow outgoing Tor (http://tor.eff.org) requests.
# Note: Do _not_ use unencrypted protocols over Tor (sniffing is possible)!
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9001 -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9002 -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9030 -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9031 -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9090 -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9091 -j ACCEPT

# Allow outgoing Bacula (http://www.bacula.org) requests.
# Unencrypted (usually), use with care.
# Ports: Console -> DIR:9101, DIR -> SD:9103, DIR -> FD:9102, FD -> SD:9103
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9101 -j ACCEPT
# $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9103 -j ACCEPT
# $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9102:9103 -j ACCEPT

# Allow outgoing OpenVPN requests.
$IPTABLES -A OUTPUT -m state --state NEW -p udp --dport 1194 -j ACCEPT

# TODO: ICQ, ...


#------------------------------------------------------------------------------
# Selectively allow certain inbound connections, block the rest.
# TODO: This could be tightened a bit more (limit source/dest port ranges).
#------------------------------------------------------------------------------

# Allow incoming DNS requests.
# $IPTABLES -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT

# Allow incoming HTTP requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT

# Allow incoming HTTPS requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT

# Allow incoming POP3 requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 110 -j ACCEPT

# Allow incoming POP3S requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 995 -j ACCEPT

# Allow incoming SMTP requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT

# Allow incoming SSH requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT

# Allow incoming FTP requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT

# Allow incoming NNTP requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 119 -j ACCEPT

# Allow incoming BitTorrent requests.
# TODO: Are these already handled by ACCEPTing established/related traffic?
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 6881 -j ACCEPT
# $IPTABLES -A INPUT -m state --state NEW -p udp --dport 6881 -j ACCEPT

# Allow incoming nc requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 2030 -j ACCEPT
# $IPTABLES -A INPUT -m state --state NEW -p udp --dport 2030 -j ACCEPT

# Allow incoming Bacula (http://www.bacula.org) requests.
# Ports: Console -> DIR:9101, DIR -> SD:9103, DIR -> FD:9102, FD -> SD:9103
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 9102 -j ACCEPT
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 9101:9103 -j ACCEPT


#------------------------------------------------------------------------------
# Explicitly log and reject everything else.
#------------------------------------------------------------------------------

# Use REJECT instead of REJECTLOG if you don't need/want logging.
$IPTABLES -A INPUT -j REJECTLOG
$IPTABLES -A OUTPUT -j REJECTLOG
$IPTABLES -A FORWARD -j REJECTLOG


#------------------------------------------------------------------------------
# Testing the firewall.
#------------------------------------------------------------------------------

# You should check/test that the firewall really works, using for example
# iptables -vnL, nmap, ping, telnet, ...


#------------------------------------------------------------------------------
# Exit gracefully.
#------------------------------------------------------------------------------

exit 0
-----------------------------------
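The comment above the reserved-address rules warns that they can block valid traffic, for example when an ISP hands out RFC 1918 addresses. A quick way to find out is to test the addresses you actually see on your links against the list before deploying it. The following is an added example in POSIX shell, not part of Uwe Hermann's script: it carries the same prefixes as the INPUT rules above and reports which rule would drop a given source address. Note that the list reflects the 2005 IANA allocation table; every then-unallocated /8 in it has since been handed to a regional registry (the IANA IPv4 free pool ran out in 2011), so a current list should be regenerated from the bogon data at the URL in the script comment rather than copied from the rules.

```sh
#!/bin/sh
# Added example (not part of Uwe Hermann's fw script): report which of the
# "IANA-reserved" INPUT rules above would drop a given source address.

# The prefixes exactly as listed in the script's INPUT rules (2005 data;
# most of the /8s have been allocated since, so regenerate before use).
BOGON_PREFIXES='0.0.0.0/7 2.0.0.0/8 5.0.0.0/8 7.0.0.0/8 10.0.0.0/8 23.0.0.0/8
27.0.0.0/8 31.0.0.0/8 36.0.0.0/7 39.0.0.0/8 42.0.0.0/8 49.0.0.0/8 50.0.0.0/8
77.0.0.0/8 78.0.0.0/7 92.0.0.0/6 96.0.0.0/4 112.0.0.0/5 120.0.0.0/8
169.254.0.0/16 172.16.0.0/12 173.0.0.0/8 174.0.0.0/7 176.0.0.0/5 184.0.0.0/6
192.0.2.0/24 197.0.0.0/8 198.18.0.0/15 223.0.0.0/8 224.0.0.0/3'

# ip_in_cidr ADDR PREFIX/LEN -> exit 0 if ADDR lies inside the prefix,
# 1 if not, 2 on malformed input. POSIX awk has no bitwise operators, so
# the comparison divides both addresses by 2^(32-len) and compares the
# integer parts, which is the same as masking off the host bits.
ip_in_cidr() {
    awk -v ip="$1" -v cidr="$2" '
    function toint(a,    p, n) {
        n = split(a, p, "[.]")
        if (n != 4) return -1
        return ((p[1] * 256 + p[2]) * 256 + p[3]) * 256 + p[4]
    }
    BEGIN {
        split(cidr, c, "/")
        len = c[2] + 0
        a = toint(ip); n = toint(c[1])
        if (a < 0 || n < 0 || len < 0 || len > 32) exit 2
        div = 2 ^ (32 - len)
        exit (int(a / div) == int(n / div) ? 0 : 1)
    }'
}

# bogon_match ADDR -> prints the first matching prefix and returns 0,
# or prints nothing and returns 1 if no rule in the list would drop it.
bogon_match() {
    for prefix in $BOGON_PREFIXES; do
        if ip_in_cidr "$1" "$prefix"; then
            echo "$prefix"
            return 0
        fi
    done
    return 1
}

# Demo on constructed addresses: one RFC 1918 address, one documentation
# address (RFC 3330 TEST-NET), one ordinary public address.
for addr in 10.1.2.3 192.0.2.7 8.8.8.8; do
    if hit=$(bogon_match "$addr"); then
        echo "$addr would be dropped by the rule for -s $hit"
    else
        echo "$addr is not covered by the list"
    fi
done
```

To check a real link, feed it the addresses from the routing table or from the DHCP lease, e.g. `bogon_match "$(hostname -I | cut -d' ' -f1)"`; any hit on an address your ISP actually uses means that rule must go.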

now to block everything

fw_blockall!!
cute
---------------------------




#!/bin/sh
#------------------------------------------------------------------------------
# File: fw_blockall
# Author: Uwe Hermann
# URL: http://www.hermann-uwe.de/files/fw_blockall
# License: GNU GPL (version 2, or any later version).
# $Id: fw_blockall 223 2005-06-27 19:34:07Z uh1763 $
#------------------------------------------------------------------------------

# This is a firewall script which blocks ALL access from/to everyone (INPUT,
# OUTPUT and FORWARD). Not even traffic to/from localhost is allowed.
# All pings are disabled (normal and broadcast).

# Note: This is work in progress! Any comments and suggestions are welcome!


#------------------------------------------------------------------------------
# Configuration.
#------------------------------------------------------------------------------

# For debugging:
# IPTABLES="/sbin/iptables -v"

IPTABLES="/sbin/iptables"


#------------------------------------------------------------------------------
# Kernel configuration.
#
# For details see:
# * http://www.linuxgazette.com/issue77/lechnyr.html
# * /usr/src/linux/Documentation/filesystems/proc.txt
# * /usr/src/linux/Documentation/networking/ip-sysctl.txt
#------------------------------------------------------------------------------

# Disable IP forwarding.
# Note: Turning this on and off should reset all settings to their defaults.
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/ip_forward

# IP spoofing protection (i.e. source address verification).
# TODO: Only effective if IP forwarding is turned on?
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

# Enable protection against SYN flood attacks.
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Ignore all ICMP ECHO requests (i.e. disable PING).
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

# Ignore ICMP ECHO requests to broadcast/multicast addresses only.
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Log packets with impossible addresses.
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# Don't log invalid responses to broadcast frames, they just clutter the logs.
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Don't accept or send ICMP redirects.
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

# Don't accept source routed packets.
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route


#------------------------------------------------------------------------------
# Cleanup.
#------------------------------------------------------------------------------

# Delete all rules.
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F

# Delete all (non-builtin) user-defined chains.
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X

# Zero all packet and byte counters.
$IPTABLES -Z
$IPTABLES -t nat -Z
$IPTABLES -t mangle -Z


#------------------------------------------------------------------------------
# Default policies.
#------------------------------------------------------------------------------

$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP


#------------------------------------------------------------------------------
# Drop / reject everything explicitly, just to be sure.
#------------------------------------------------------------------------------

# Use REJECT if you want to be nicer.
$IPTABLES -A INPUT -j DROP
$IPTABLES -A OUTPUT -j DROP
$IPTABLES -A FORWARD -j DROP


#------------------------------------------------------------------------------
# Exit gracefully.
#------------------------------------------------------------------------------

exit 0
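The "Testing the firewall" section of the first script only names the tools (iptables -vnL, nmap, ping). Below is an added example in POSIX shell, not part of either of Uwe Hermann's scripts, that reads iptables -vnL output and checks the property both scripts are built around: every built-in chain must have policy DROP, or at least end in an unconditional catch-all rule that drops or rejects, so that nothing unmatched is accepted. The two listings are constructed to resemble the output of the first script and of a misconfigured host; on a live machine you would run iptables -vnL | fw_audit as root.

```sh
#!/bin/sh
# Added example (not part of the fw scripts): audit "iptables -vnL" output.
# fw_audit reads the listing on stdin and prints, per built-in chain, its
# policy, its catch-all rule (or "none") and a verdict. Returns 0 when no
# built-in chain can let unmatched traffic through, 1 otherwise.
fw_audit() {
    awk '
    # Chain header: "Chain INPUT (policy DROP 0 packets, 0 bytes)" for
    # built-in chains, "Chain REJECTLOG (3 references)" for user chains.
    /^Chain / {
        chain = $2
        if ($3 == "(policy") { policy[chain] = $4; order[++n] = chain; catchall[chain] = "none" }
        next
    }
    /^ *pkts +bytes +target/ { next }        # column header
    /^ *$/ { next }                           # blank line between chains
    # Rule line: pkts bytes target prot opt in out source destination [matches]
    /^ *[0-9]+[KMGT]? +[0-9]+[KMGT]? / {
        if (!(chain in policy)) next          # only built-in chains matter here
        # A catch-all has any protocol ("all", or "0" with newer iptables),
        # any interface, any source/destination and no extra match fields.
        if (($4 == "all" || $4 == "0") && $6 == "*" && $7 == "*" &&
            $8 == "0.0.0.0/0" && $9 == "0.0.0.0/0" && NF == 9)
            catchall[chain] = $3
        else
            catchall[chain] = "none"          # last rule so far is conditional
        next
    }
    END {
        rc = 0
        for (i = 1; i <= n; i++) {
            c = order[i]; t = catchall[c]
            closed = (policy[c] == "DROP" || t == "DROP" || t == "REJECT" || t == "REJECTLOG")
            printf "%-8s policy=%-6s catchall=%-9s %s\n", c, policy[c], t, closed ? "ok" : "OPEN"
            if (!closed) rc = 1
        }
        exit rc
    }'
}

# Constructed sample 1: what the first script above should produce.
SAMPLE_GOOD='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 REJECTLOG  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECTLOG  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:443
    0     0 REJECTLOG  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain REJECTLOG (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "REJECT "
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with tcp-reset
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable'

# Constructed sample 2: INPUT policy left at ACCEPT and no catch-all, so
# anything not matched by the loopback rule is accepted.
SAMPLE_WEAK='Chain INPUT (policy ACCEPT 12 packets, 960 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:443'

echo "sample 1:"
printf '%s\n' "$SAMPLE_GOOD" | fw_audit || echo "sample 1: unmatched traffic can get through"
echo "sample 2:"
printf '%s\n' "$SAMPLE_WEAK" | fw_audit || echo "sample 2: unmatched traffic can get through"
```

The verdict is deliberately about the end of the chain only: a permissive rule in the middle (for instance an ACCEPT on a port you did not mean to open) still has to be found by reading the listing or by probing from another host with nmap, as the script's own comment suggests.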



how to do stuff with c similar to standard perl stuff

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Setuid wrapper for a script: the kernel ignores the setuid bit on
   interpreted scripts, so a small C binary carries the privilege and
   execs the script with a sanitized environment. */
int main(int argc, char **argv)
{
    /* FIXME: This list is still insufficient. */
    putenv("PATH=/usr/bin:/bin");
    putenv("IFS= \t\n");
    putenv("ENV=");
    /* Make the real uid equal to the effective (setuid) uid so the script
       cannot be tricked by the caller's real uid later on. */
    setuid(geteuid());
    /* Pass the wrapper's own argv through; execv only returns on failure. */
    execv("/path/to/MYSCRIPT", argv);
    fprintf(stderr, "Could not execute script /path/to/MYSCRIPT\n");
    perror("exec");
    return 1;
}

Saturday, June 16, 2007

Printer keeps spewing pages

I print using cupsys.
Sometimes an error develops in the printing chain. The printer
begins spewing forth sheets with a single line of ASCII on each.
I can delete the job via the KDE control panel or the CUPS web interface,
but this does not stop the problem. I unplug the printer and plug it back in,
and the printer continues to misbehave.

What to do?

ps aux|grep lp
kill -9 {all processes owned by lp}
and turn off printer.
then it will stop and you can go back to printing.

Yay!

Wednesday, May 30, 2007

useful post on verizon mailing issues

http://lists.alioth.debian.org/pipermail/pkg-exim4-users/2006-July/000714.html

Tuesday, May 29, 2007

Email for the single user in Debian


This is a simple tutorial aimed at those wishing to set up their Debian box to work with their ISP email account. Please send any corrections or comments to nlativy at gmail dot com. Right, now on with the tutorial...

The first thing to do is get the needed packages which can be accomplished by running:

# apt-get install exim4 fetchmail mutt procmail cron vim

Of these packages you probably already have cron and exim4. You may also have noticed I slipped in vim, which is inessential as you can use any other editor if you want, although why would you ;-).

Exim4

Hopefully you should have already set this up when you installed Debian, if not you can simply run:

# dpkg-reconfigure --priority=medium exim4-config

and choose "mail sent by smarthost; received via SMTP or Fetchmail" and set the smarthost to whatever the SMTP server of your ISP is. Note here that we are telling dpkg-reconfigure to only ask us medium priority questions and deal with the rest automatically.

Next, for exim to put the correct From: line on outgoing mail we need to add the following line to the /etc/email-addresses file:

user: someone@isp.com

substituting in your local username and your email address of course.

For myisp you need to edit:

1) /etc/exim4/email-addresses (a symlink to /etc/email-addresses), which had a single line
loginname: loginuser@myisp.net

2) /etc/exim4/passwd.client, which had a line
outgoing.myisp.net:myisplogin:myisppasswd

3) /etc/exim4/exim4.conf.template, where we set
AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS='true'
This lets exim send the smarthost login and password over a connection that is not protected by TLS, so only set it if the ISP's smarthost offers no TLS.



Procmail

Procmail is a program for filtering mail, especially useful if you are subscribed to mailing lists. Setting up Procmail is pretty simple, just put the following in the ~/.procmailrc file:

MAILDIR=$HOME/mail/
LOGFILE=$HOME/.procmaillog
VERBOSE=no

# Mailing lists

# debian-user
:0
* ^TO_debian-user
debian-user/

# All other mail goes to inbox
:0
inbox/

Note the trailing "/" on the mail boxes; this tells Procmail to use the maildir format. Also, now would be a good time to create the maildirs we are going to use. Simply run the following commands:

$ mkdir -p ~/mail/inbox/{cur,new,tmp}
$ mkdir -p ~/mail/sent/{cur,new,tmp}
$ mkdir -p ~/mail/debian-user/{cur,new,tmp}

You can obviously skip the last command if you aren't subscribed to debian-user.

Fetchmail

Since we are only talking about a single user the simplest way to configure fetchmail will be to run it as the user who you are collecting mail for, so in the ~/.fetchmailrc file put the following:

poll pop.isp.com with protocol pop3,
user isp_username there is local_username here,
with password isp_password;

mda '/usr/bin/procmail -f fetchmail'

replacing pop.isp.com, isp_username, local_username and isp_password with the appropriate values. Notice we are passing the mail on to procmail. Also, if you use a protocol other than pop3 (which I recommend you do, since POP3 sends your password over the network unencrypted) or your ISP supports some form of authentication on top of POP3, then you need to simply replace pop3 with the desired protocol -- see the fetchmail man page for a complete list of supported protocols.

Now you can test if it is all working by running:

$ fetchmail -vk

I would recommend the -v and -k flags the first time in case there is a problem: -v makes it run verbosely and -k tells it to leave the messages on the server. Of course running fetchmail manually is a pain, so we can add a cron job for it: run crontab -e, which will launch your default editor, and enter the text:

*/10 * * * * fetchmail -s

this will run fetchmail every 10 minutes and check for any new mail. The -s flag tells fetchmail to run silently (unless something goes wrong) and if you miss it out you will be emailed fetchmail's output every 10 minutes which is obviously undesirable.

What to do if your connection isn't always on

Unfortunately on my laptop the '-s' flag isn't sufficient as when I'm not on the network I get a mail every 10 minutes about fetchmail not being able to connect. To combat this I rustled up the following bash script:

#!/bin/bash

DEVICES='wlan0:eth0'
FETCHMAIL='/usr/bin/fetchmail'
OPTIONS='-s'

devices=`echo $DEVICES | sed 's/:/\\\|/g'`
ifstate=`grep '\('$devices'\)' /etc/network/ifstate`
if [[ $ifstate != "" ]] ; then
$FETCHMAIL $OPTIONS
fi

Now I run this bash script in my cron job instead of fetchmail itself and no longer get error messages just because the network is down. To save you copying and pasting this you can download the script, then simply put it somewhere convenient (I use ~/bin for all my scripts), make it executable (chmod 700 whatever-you-named-the-script) and replace fetchmail -s in the above cron job with the path to wherever you put the script on your machine; for example I have:

*/10 * * * * /home/nrl/bin/fetchmail
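The wrapper above greps /etc/network/ifstate for the interface names as substrings, so a name like eth0 would also match an interface called eth01 or veth0. The following is an added example, not code from the tutorial, that does the same online check with exact matching and a defined answer when the state file is missing. It assumes, as ifupdown does, that the ifstate file holds one "IFACE=IFACE" line (for example lo=lo, eth0=eth0) per interface that is configured up; the sample state files are constructed here for the demo.

```sh
#!/bin/sh
# Added example (not from the tutorial): only run fetchmail from cron when
# one of the listed interfaces is up according to the ifupdown state file.
# Assumed file format: one "IFACE=IFACE" line per interface that is up.

FETCHMAIL='/usr/bin/fetchmail'
OPTIONS='-s'

# any_iface_up IFSTATE_FILE DEV[:DEV...] -> 0 if any listed interface is up,
# 1 if none is, or if the state file is missing (treated as offline).
any_iface_up() {
    ifstate=$1
    devs=$2
    [ -r "$ifstate" ] || return 1
    old_ifs=$IFS
    IFS=:
    set -- $devs                 # split the colon-separated device list
    IFS=$old_ifs
    for dev in "$@"; do
        [ -n "$dev" ] || continue
        # -x: whole line, -F: fixed string, so "eth0" cannot match "eth01".
        if grep -qxF -- "$dev=$dev" "$ifstate"; then
            return 0
        fi
    done
    return 1
}

# What the cron job would call: fetch only when online, stay silent otherwise.
run_fetchmail_if_online() {
    if any_iface_up "$1" "$2"; then
        "$FETCHMAIL" $OPTIONS
    fi
}

# Constructed sample state files for the demo (no real network is touched).
make_samples() {
    printf 'lo=lo\nwlan0=wlan0\n' > "$1/ifstate.up"
    printf 'lo=lo\n' > "$1/ifstate.down"
    printf 'lo=lo\neth01=eth01\nveth0=veth0\n' > "$1/ifstate.lookalike"
}

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
make_samples "$SAMPLE_DIR"

for f in up down lookalike; do
    if any_iface_up "$SAMPLE_DIR/ifstate.$f" 'wlan0:eth0'; then
        echo "ifstate.$f: online, would run fetchmail"
    else
        echo "ifstate.$f: offline, skipping fetchmail"
    fi
done
```

In the cron entry you would call run_fetchmail_if_online with the real state file (/etc/network/ifstate on the Debian of the time) and your device list; because ifupdown's file only reflects interfaces brought up with ifup, a link managed by another tool will read as down.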

Mutt

Finally we can set up mutt; this step should be pretty simple as most of the work is done by the aforementioned programs. All we really need is the following in the ~/.muttrc file (the first five lines are the only really essential ones):

set mbox_type=maildir
set mbox="~/mail/inbox/"
set spoolfile="~/mail/inbox/"
set folder="~/mail/"
set record="~/mail/sent/"

# Add an item for each mailbox
mailboxes ~/mail/debian-user

# unessential niceties:

# Show only important stuff in the header
ignore *
unignore from resent-from reply-to x-mailer user-agent date to cc subject

# Order to display the headers in
hdr_order From: Resent-From: Reply-To: X-Mailer: User-Agent: Date: To: Cc: Subject:

# sort messages by thread
set sort=threads

# Automatically quote message in reply
set include=yes

# Set quotemark to 1 byte
set indent_str="> "

# Only show the body when I edit a message
unset edit_headers

# for when you just can't wait for the cron job :)
# set up mutt so i can run fetchmail at any time by pressing G
macro index G "!fetchmail\n" "Invoke fetchmail"
macro pager G "!fetchmail\n" "Invoke fetchmail"

# tell mutt about my mailing lists
subscribe debian-user

I also noticed that in mutt (or at least the Debian package at time of writing) the default display of the list of messages will show the list name rather than the author when the message came from a mailing list. This is perhaps useful if all your mail is together but since we have filtered it into different maildirs it would be more useful to see the author of the message. So if you wish you can add the following line to your ~/.muttrc

set index_format="%4C %Z %{%b %d} %-15.15F (%?l?%4l&%4c?) %s"

Another thing worth noting is that we did not set your real name in the ~/.muttrc file; this is so that mutt will pull it from the /etc/passwd file. For this to work you must have set your real name when prompted during the Debian install process; if you did not do this you should now run the chfn command and set your real name as you would like it to appear on all outgoing email.

Vim

You can set vim up to run a few commands when it recognises that it is editing a mail message by adding the following to your ~/.vimrc:

augroup mail
autocmd!
autocmd FileType mail set textwidth=70 wrap nonumber
autocmd FileType mail :nmap <F8> :w<CR>:!aspell -e -c %<CR>:e<CR>
augroup END

This turns on line wrapping and sets the width of lines to 70 characters; it also turns off line numbering if you have it enabled elsewhere. The fourth line sets up vim so that you can spell check a message by simply pressing F8. This, of course, requires that aspell is installed. Note: you may prefer vimspell (see below) which offers "MS Word like" highlighting of spelling errors as you type.

muttprint, abook and urlview

What follows is unessential but thoroughly recommended for a nice mutt setup. First let's install some more programs:

# apt-get install muttprint urlview abook

Now add the following to your ~/.muttrc file:

set query_command="abook --mutt-query '%s'"
set print_command="muttprint"
macro index \cb "|urlview\n"
macro pager \cb "|urlview\n"
macro index a "|abook --add-email\n" 'add sender to abook'
macro pager a "|abook --add-email\n" 'add sender to abook'

Now mutt will run muttprint when you press "p", which will print the message nicely formatted; run abook when you press "Q" to query your address book; add the sender of the current message to your address book by pressing "a"; and run urlview so you can easily view URLs in a message when you press C-b (control and b). You can also invoke abook from the command line (with the abook command, surprisingly enough) to edit your address book in more detail.

Attachments and HTML mail

Another thing you need to deal with these days is the inevitable arrival of an MS Word document, pdf file or, worst of all, an HTML email in your inbox. Don't panic though; to deal with these we can simply add the following lines to the ~/.mailcap file:

application/msword; /usr/bin/antiword '%s'; copiousoutput; description="Microsoft Word Text"; nametemplate=%s.doc
application/pdf; /usr/bin/pdftotext '%s' -; copiousoutput; description="PDF File"; nametemplate=%s.pdf
text/html; /usr/bin/lynx -force_html '%s'; needsterminal; description=HTML Text; nametemplate=%s.html

This will open up MS Word documents with the handy Antiword program so that you can have a quick look at them without having to wait for a bulky office suite to load up. The remaining two lines will open up pdf files with pdftotext (although you may prefer xpdf for this if you run mutt in X Windows) and use lynx to view HTML email. If you don't have these programs installed then you will need to run:

# apt-get install antiword lynx xpdf

Note that the pdftotext program is provided by the xpdf package.

Further reading

Now that you have mutt set up you are no doubt itching for more information so let me recommend the following:
Fighting spam on Debian with SpamAssassin - this should be the very next page you visit!
Mutt homepage - a good place to find lots of mutt related info
My first Mutt - a very nice page for new Mutt users
Mutt and GnuPG howto - a great guide to getting mutt to work with GnuPG
Exim homepage - home of all things exim :-)
Fetchmail homepage - The home of fetchmail
vimspell - a useful script for spell checking in vim
Antiword - quickly read word documents rather than waiting for an office suite to load.

Also if you are stuck don't forget to look at the man pages and you can also look at my ~/.muttrc file and my ~/.procmailrc file.


Copyright (C) 2004 Nicholas Lativy
Contributors: Florian Schlichting
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the licence can be found here.

uuid instead of /dev/sda1

Sometimes there can be problems identifying some device with install and moving around

use the
/sbin/blkid function to get information
/bin/blkid /dev/sda1

which returns the same uuid for each of the raid1 devices by the way

and

UUID=421535b5-e73d-1a2e-9a16-54b97d2ff4e6 none swap sw 0 3

here is greg folkerts comment on debian-users

How about posting it here?

---------------------------------------------

# /etc/fstab: static file system information.
#
#
proc /proc proc defaults 0 0

# /dev/hda3
UUID=456600fd-b794-4931-8703-bded8a1902bc / xfs defaults 0 1

# /dev/hda1
UUID=8a2ba95b-82d1-4905-a1ec-ceebb8cfc2b7 /boot ext3 defaults 0 2
#/dev/hda2
# /devUUID=f2986c54-13db-453a-80e3-6c75d19de15d none swap sw 0 0

# LVM Logical Volume (could use UUID but didn't)
/dev/mapper/stor-storLV /stor xfs defaults 0 0

# CD and DVD writer
/dev/hdd /media/cdrom0 udf,iso9660 user,noauto 0 0
/dev/hdc /media/cdrom1 udf,iso9660 user,noauto 0 0

# No Floppy in this machine
#/dev/ /media/floppy0 auto rw,user,noauto 0 0

#NFS Comments
void:/music /music nfs4 defaults,bg,posix,rsize=32768,wsize=32768 0 0
void:/stor /stor1 nfs4 defaults,bg,posix,rsize=32768,wsize=32768 0 0

Remaining problem:
What if you have a raid so you have 2 devices with same uuid
/dev/sda1 and /dev/sdb1 so what do you put in /etc/fstab
you would like to have
/dev/md0
if you simply put
UUID then if you took away one of the raid devices and then restored it, which would be mounted in /etc/fstab during boot?



Nvidia binary drivers and 2.6.20 and PARAVIRT

To summarize the complicated post below.

I. PARAVIRT

If you like the binary drivers from nvidia, then:
1. If you have an older processor such as a non-AM2 AMD X2, it does not have hardware virtualization, so why bother with PARAVIRT:
just disable the PARAVIRT flag in the kernel config and recompile.

2. If you have a nice AM2 AMD X2 processor, then you can disable the kernel checks using the kludges given below, and have both paravirt and the binary nvidia drivers.

II. Xorg module location update problem

The renumbering of the X.org server version to 1.something caused some breakage in the location of modules. This is solved by running
 sh NVIDIA-Linux-x86-$NVIDVER-pkg1.run \
--x-module-path=`X -showDefaultModulePath 2>&1 | cut -d, -f1` \
--x-library-path=`X -showDefaultLibPath 2>&1`

to set up the correct location for the copying of the modules.

see
http://www.nvnews.net/vbulletin/showpost.php?p=1225802&postcount=2
1.0-9755 and older on xorg-server-1.3 and its release candidates

The 1.3 series of the X.org server has a bug where the version reported changed from 7.2.* to 1.*. This confuses nvidia-installer into thinking that your X server is very old and it installs the X modules in the wrong place. To work around this problem, use the following options:
# sh NVIDIA-Linux-version.run --x-module-path=`X -showDefaultModulePath 2>&1 | cut -d, -f1` --x-library-path=`X -showDefaultLibPath 2>&1`




Nvidia binary drivers and 2.6.20 and PARAVIRT

Seems to be a problem building nvidia binary drivers with the latest kernels.
see
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=419943
related to a kernel change
The 2.6.20 kernels in unstable for 686 and k7 have CONFIG_PARAVIRT enabled.
This apparently redefines various operations widely used by kernel modules
(or included via inlined functions) to redirect through a paravirts_ops
table, but the paravirts_ops table is marked GPL-only. This produces
errors like:

FATAL: modpost: GPL-incompatible module nvidia.ko uses GPL-only
symbol 'paravirt_ops'

I've seen this problem with both nvidia (non-free) and openafs (free, but
under a non-GPL license -- its code predates the existence of Linux). Note
that these modules are not intentionally using anything related to paravirt
themselves; it looks like the paravirt.h header file is selectively
overriding functions that are pulled into the modules and which those
modules were previously using without problems.

This problem does not occur on AMD64.

see also new problems with sid upgrades

ron johnson:
The reason is explained:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=419943

Ah. I compile my own kernel on a system and disable PARAVIRT.

ron johnson said this in the debian-user thread "updated sid cannot find nvidia driver":

I got the same "can't find nvidia' error this morning when upgrading
Sid to xserver-xorg-core 1.3.0.0.dfsg-2. Thankfully I read this
thread and then the nvidia.com forums.

Running this from the console installs the driver in the new location.

# NVIDVER=1.0-9755
# sh NVIDIA-Linux-x86-$NVIDVER-pkg1.run \
--x-module-path=`X -showDefaultModulePath 2>&1 | cut -d, -f1` \
--x-library-path=`X -showDefaultLibPath 2>&1`

Also notice that /usr/lib/xorg/modules/ contains some modules, and the drivers are in /usr/lib/xorg/modules/drivers

My older machine has

NVIDIA-Linux-x86_64-1.0-9746-pkg2.run

notice this from nvnews.net

http://www.nvnews.net/vbulletin/showpost.php?p=1225802&postcount=2
32-bit distributions with 64-bit kernels

Some distributions have the option of installing a 64-bit kernel for use with all 32-bit userspace programs. This configuration is not supported by the NVIDIA Linux Graphics Driver. If you try to install the 64-bit driver package on such a system, you will receive an error like the following:
./nvidia-installer: No such file or directory
If you have this configuration, use your distribution's package manager to install a 32-bit kernel and then install the 32-bit version of the NVIDIA Linux Graphics Driver.
Ron Johnson:
A 2.6.20.x kernel where PARAVIRT is *disabled* definitely works with
the nvidia.com 9755 driver.

Here is the Debian maintainer of the nvidia binary graphics driver:
http://www.khensu.org/index.php?itemid=182
http://www.khensu.org/index.php?blogid=1

Then there is this post from Hugo Vanwoerkom:

Hi,

If you get this message with a nvidia closed driver install:

FATAL: modpost: GPL-incompatible module nvidia.ko uses GPL-only symbol 'paravirt_ops'

and you are running Sid's latest Debian stock kernel, then there is a
workaround that was published in the nvidia linux forum:
http://www.nvnews.net/vbulletin/showthread.php?t=87541

I have reworked the solution for Debian based upon another forum thread:
http://www.nvnews.net/vbulletin/showthread.php?t=89844

1. Rebuild the linux-kbuild-2.6.20 .deb:
a. apt-get update
b. apt-get build-dep linux-kbuild-2.6.20
As user:
c. mkdir linux-kbuild-2.6.20-build
d. cd linux-kbuild-2.6.20-build
e. apt-get source linux-kbuild-2.6.20
The linux-kbuild-2.6.20 sources will be downloaded and unpacked
into a folder.
Cd to that folder, then:
f. change
linux-kbuild-2.6.20-build/linux-kbuild-2.6-2.6.20/scripts/mod/mod.c and
delete lines 1197+1198.
g. dpkg-buildpackage -uc -us -rfakeroot (the .deb is created)


2. Install the rebuilt linux-kbuild-2.6.20_2.6.20-1_i386.deb
3. apt-get install linux-image-2.6.20-1-
4. apt-get install linux-headers-2.6.20-1-
5. reboot into that kernel.
6. unpack nvidia-driver (using "-x")
7. run ./nvidia-installer -K (This will end with an unknown symbol error!)
8. In the /NVIDIA-Linux-x86-1.0--pkg1/usr/src/nv dir. run:
PARAVIRT_OPS=`grep "D paravirt_ops" /boot/System.map-2.6.20-1-k7 | colrm 9`
9. ld -m elf_i386 --defsym paravirt_ops=0x$PARAVIRT_OPS -r -o nvidia.ko nvidia.o nvidia.mod.o
10. Install nvidia.ko (by copying the module over into /lib/modules/2.6.20-1-/kernel/drivers/video)
11. depmod -a

It looks like this issue will be around for awhile ;-)

Hugo
From: ___Jul___
Resent-from: debian-user@lists.debian.org
Date: Fri, 04 May 2007 08:54:12 -0700 (PDT)
To: debian-user@lists.debian.org
Subject: Re: HOWTO:2.6.20-1-k7 + nvidia


Hi,
Based on the previous post in this thread I created a patched version of the
driver archive that consists of a fixed version of modpost as well as a fixed
version of the Makefile for the driver's kernel module. This is all wrapped in
a script that performs the steps automatically and tries to ensure the system's
compatibility.

If someone is interested in this the package can be found here:

http://grizach.servebeer.com/nvpatch/NVIDIA-Linux-x86-100.14.03-pkg1-patched.run

And for clarity the disclaimer that is included in the archive :


DISCLAIMER: First of all this is our very own solution and we can not guarantee
that it will work on your computer. Although I don't think so it might
even blow your computer, more possibly just wipe something important ;-)
NVidia has also nothing to do with this modified version of the driver
so I guess no official support can be expected from them either
last but not least this binary driver taints the kernel so no support
is to be expected from Linus too :). The only ones that can help you
are either we or other users that are capable of understanding what is
going on in here.

According to the NVidia license this version of the driver should be legally ok:
"...Linux/FreeBSD Exception. Notwithstanding the foregoing terms
of Section 2.1.1, SOFTWARE designed exclusively for use on the Linux or
FreeBSD operating systems, or other operating systems derived from the
source code to these operating systems, may be copied and redistributed,
provided that the binary files thereof are not modified in any way
(except for unzipping of compressed files)."
No binary files have been modified, only Makefile.kbuild has been changed.
The fixed version of modpost is under GPL and that is why source code is included
in the archive too.


Cheers and thanks for the original solution from Hugo,
Jul
Because of the many questions about how this package has been built and what it
does exactly I have written a small page that clarifies this. Its location
is:

http://grizach.servebeer.com/nvpatch/

Julian
**********



Using the NVidia driver on a Linux Kernel 2.6.2x with paravirtualization turned on



With this page I'd like to make a short introduction to how to get the NVidia driver running on a Linux Kernel version 2.6.20 or newer compiled with paravirtualization turned on.


I just added a new version of the NVidia driver that is tuned to work on a 2.6.21 kernel. That proves that the solution is compatible with newer kernel versions. If there are problems with installing the driver on a 2.6.20 kernel please let me know and I'll publish one assembled for that version.

This description is based on the post from Hugo in the Debian Users mailing list. It can be found here but below is the complete content of this post once again.

HOWTO:2.6.20-1-k7 + nvidia, by Hugo Vanwoerkom, May 02, 2007; 12:36pm

Hi,

If you get this message with a nvidia closed driver install:

FATAL: modpost: GPL-incompatible module nvidia.ko uses GPL-only symbol 'paravirt_ops'

and you are running Sid's latest Debian stock kernel, then there is a workaround that was published in the nvidia linux forum:
http://www.nvnews.net/vbulletin/showthread.php?t=87541

I have reworked the solution for Debian based upon another forum thread:
http://www.nvnews.net/vbulletin/showthread.php?t=89844

1. Rebuild the linux-kbuild-2.6.20 .deb:
a. apt-get update
b. apt-get build-dep linux-kbuild-2.6.20
As user:
c. mkdir linux-kbuild-2.6.20-build
d. cd linux-kbuild-2.6.20-build
e. apt-get source linux-kbuild-2.6.20
The linux-kbuild-2.6.20 sources will be downloaded and unpacked into a folder. Cd to that folder, then:
f. change linux-kbuild-2.6.20-build/linux-kbuild-2.6-2.6.20/scripts/mod/mod.c and delete lines 1197+1198. Please take care this is ONLY for 2.6.20. In 2.6.21 there is a case statement starting at approx the same location with two cases that have fatal() function calls in them. You can just delete each two-line fatal function call and that will do the same trick.
g. dpkg-buildpackage -uc -us -rfakeroot (the .deb is created)
2. Install the rebuilt linux-kbuild-2.6.20_2.6.20-1_i386.deb
3. apt-get install linux-image-2.6.20-1-
4. apt-get install linux-headers-2.6.20-1-
5. reboot into that kernel.
6. unpack nvidia-driver (using "-x")
7. run ./nvidia-installer -K (This will end with an unknown symbol error!)
8. In the /NVIDIA-Linux-x86-1.0--pkg1/usr/src/nv dir. run:
PARAVIRT_OPS=`grep "D paravirt_ops" /boot/System.map-2.6.20-1-k7 | colrm 9`
9. ld -m elf_i386 --defsym paravirt_ops=0x$PARAVIRT_OPS -r -o nvidia.ko nvidia.o nvidia.mod.o
10. Install nvidia.ko (by copying the module over into /lib/modules/2.6.20-1-/kernel/drivers/video)
11. depmod -a

It looks like this issue will be around for awhile ;-)
Hugo

I will try to give some hints about how to install the driver a bit easier manually and will present one patched version of this driver that can be installed automatically on most Debian systems and hopefully other distros based on Debian (like Ubuntu, Kubuntu, Knoppix etc.).

First of all the steps needed to patch the kbuild system can not be avoided and IMHO are pretty well documented in the article. What a friend of mine noticed is that if you do this like the description suggests you are prompted again to update the package the next time you do apt-get upgrade/dist-upgrade. This can be avoided with a little trick. Instead of repackaging your fixed version do the following: [This practically means, do steps 1a - 1f and afterwards continue with the steps below]

1g. cd linux-kbuild-2.6.20-build/linux-kbuild-2.6-2.6.20/scripts/mod
    make
1h. apt-get install linux-kbuild-2.6.20
1i. cp -r linux-kbuild-2.6.20-build/linux-kbuild-2.6-2.6.20/scripts/mod \
    /usr/src/linux-kbuild-2.6.20/scripts/
2. Just skip this step and continue ahead.

I know this is a bit more unsafe but works well and will keep your fixed version as long as the kbuild package stays the same version. I have seen the version is still ending with -1, this means they haven't changed it for the time the 2.6.20 kernel is out.

Next tip is a bit more tricky but actually helps you run nvidia-installer as it should be run without any further options or errors whatsoever.

1. Go to the directory where you have your unpacked driver (the one with the nvidia-installer file)
2. cd usr/src/nv/
3. open with your favourite editor Makefile.kbuild and just after line 77 that should read something like this:
EXTRA_CFLAGS += -Wall -Wimplicit -Wreturn-type....bla bla bla....
add the following two lines:
PARAVIRT_OPS := $(shell grep "D paravirt_ops" /boot/System.map-$(shell uname -r) | colrm 9)
EXTRA_LDFLAGS := --defsym paravirt_ops=0x$(PARAVIRT_OPS)
4. change back to the directory of nvidia-installer ( cd ../../../ ) and run it ( ./nvidia-installer )

After your fix the installer should run without problems and the driver should be up and running as it always was. I think these steps should work for the 2.6.21 kernel as well because as you see we do use uname -r to get the kernel version up there.

Before I describe the easy way to accomplish this let me spill some words about why this problem occurs.

THE PROBLEM WITH THE 2.6.20 KERNEL WITH PARAVIRTUALIZATION

It is a long ongoing discussion about ways for the kernel developers to distinguish between drivers written under GPL(&Co.) and proprietary drivers (Like NVidia's and ATI's). The reason why they do this is because they can't and don't want to give support to people with problems running such drivers because they can not legally debug (and moreover fix) problems occurring in or around the closed-source drivers. That is why when the kernel encounters such a driver it sets a so called tainted flag in the kernel. Which means this kernel has been marked once and forever (well until next reboot) as a not-supported one. This is the first thing the kernel support team will look for when you post a bug-report and will just delete it from their lists. So now back to the problem. Some functions are marked in the 2.6.20 kernel as gpl usage only because maybe they are somewhat related to tainting the kernel and the developers want to prevent bad drivers using them at all (this last sentence is however my personal opinion it is not based on facts). What happens is that when paravirtualization support is turned on many functions in the kernel call implicitly paravirt_ops - function marked as gpl only. One of these functions is udelay - function that makes a program stay idle for some period of time. And the nvidia driver uses udelay (I can't imagine a driver that won't use udelay somehow) and therefore you can not compile the driver normally. What one can do however is first fix the tool from the kernel driver building utilities that checks for drivers not marked as GPL and still using the GPL only functions and secondly because of the kbuild package still not linking such function automatically to bad drivers give the appropriate options to the linker to circumvent this and make the driver know of paravirt_ops function. Luckily all kernel functions are listed in the System map found under /boot/System.map-[kernel_version]. That is what enables us to get the driver back running when we perform the described steps.



THE SOLUTION

Now for those of you that read these lines and think of linux being f***ing difficult and only for nuclear scientists I collected these steps in an easy script that checks if your system resembles mine well enough to be relatively sure that you can apply these steps and have the same result. Afterwards it just copies a fixed precompiled version of modpost (the program you actually mess with in steps 1 through 5 from Hugo's manual (replaced partially by steps 1g - 2 maybe :-) ). It then uses the already modified Makefile to start the nvidia installer and conclude the install. Of course as I state in the script too you can not hold me responsible for any damage or psychological problems you might receive by using this script. It is without any guarantee and with no obligations whatsoever from my side to help you (although I will gladly try to help you if I can and have time for).
PS. Well a lot of people have already tested and reported these packages to work so I guess they should be pretty safe but this doesn't invalidate my previous statement :).

The package can be downloaded from here
http://grizach.servebeer.com/nvpatch/NVIDIA-Linux-x86-100.14.06-pkg1-patched.run - tuned for 2.6.21
http://grizach.servebeer.com/nvpatch/NVIDIA-Linux-x86-100.14.03-pkg1-patched.run - tuned for 2.6.20
http://grizach.servebeer.com/nvpatch/NVIDIA-Linux-x86-1.0-9631-pkg1-patched.run - tuned for 2.6.20

These packages have been made with the makeself utility available here. This is the same tool used by the NVidia people to package their driver. It is a free GPL program which does a really great thing. I will certainly use it from now on when I need to create some self extracting and self running archives.

Last but not least some credits: First of all thanks to Hugo for describing this easy way to fix the NVidia drivers problem. To close transitively the thanks here I'd like to thank to the people from the mentioned nvnews threads. Last but not least I'd like to thank Peter Velichkov for finding this tutorial and actually testing it before I'd risk changing my kernel. Hell yes! This problem was the only reason I was sticking with a 2.6.18 kernel all the time till now (well the 2.6.19 was miserable mistake IMO [what can you expect from kernel with first message in the changelog - "please post BEFORE you go to parties and not AFTER" from Linus Torvalds :-P ]). Moreover it was his computer that first suffered the wrath of the script after I wrote it.

And just at the bottom the copy once again of the DISCLAIMER to be sure no one got me wrong and thinks I am violating something with this work. (Well in some sense we do overcome some kernel mechanisms to distinguish good from bad drivers, but come on, udelay not usable by any commercial drivers, that is ridiculous!)





DISCLAIMER: First of all this is our very own solution and we can not guarantee
that it will work on your computer. Although I don't think so it might
even blow your computer, more possibly just wipe something important ;-)
NVidia has also nothing to do with this modified version of the driver
so I guess no official support can be expected from them either
last but not least this binary driver taints the kernel so no support
is to be expected from Linus too :). The only ones that can help you
are either we or other users that are capable of understanding what is
going on in here.

According to the NVidia license this version of the driver should be legally ok:
"...Linux/FreeBSD Exception. Notwithstanding the foregoing terms
of Section 2.1.1, SOFTWARE designed exclusively for use on the Linux or
FreeBSD operating systems, or other operating systems derived from the
source code to these operating systems, may be copied and redistributed,
provided that the binary files thereof are not modified in any way
(except for unzipping of compressed files)."
No binary files have been modified, only Makefile.kbuild has been changed.

The fixed version of modpost is under GPL and that is why source code is included
in the archive too.
Thanks for using my script!
Julian


Useful links
http://www.nvnews.net/vbulletin/showthread.php?t=89844
http://www.nvnews.net/vbulletin/showthread.php?t=87541
http://www.nvnews.net/vbulletin/showthread.php?t=90214

in particular
Hi!

For those of you Fedora Core 6 users who like to try out realtime preemption,
but are not willing to patch, compile and install a kernel from scratch, Ingo Molnar
is now maintaining appropriate kernel RPM packages. However, if you like to
use the nvidia linux graphics driver, with the most recent precompiled -rt kernel,
then you need to get around a few obstacles. Here is a step-by-step installation
instruction:


0. Make sure your installation does 3D acceleration with a standard kernel
(i.e. 2.6.19-1.2911.fc6)


1. Install the RT kernel:

wget http://people.redhat.com/mingo/realt...9.rt8.i686.rpm
wget http://people.redhat.com/mingo/realt...9.rt8.i686.rpm
rpm -i kernel-rt-2.6.20-0119.rt8.i686.rpm
rpm -i kernel-rt-devel-2.6.20-0119.rt8.i686.rpm


2. Modify "modpost" in order to accept non-GPL modules:

2a. Go to the modpost directory

Code:
cd /usr/src/kernels/2.6.20-0119.rt8-i686/scripts/mod

2b. Delete the following two lines (1197-1198) in file modpost.c:

Code:
if (!mod->gpl_compatible)
check_for_gpl_usage(exp->export, basename, exp->name);

2c. Recompile modpost

Code:
gcc -o modpost modpost.c file2alias.c sumversion.c


3. Unpack, patch and compile the nvidia driver module

Code:
cd $PATH_TO_NVIDIA_DRIVER_PACKAGE
wget "http://www.nvnews.net/vbulletin/attachment.php?attachmentid=23993&d=1171124108"
sh NVIDIA-Linux-x86-1.0-9746-pkg1.run --extract-only
cd NVIDIA-Linux-x86-1.0-9746-pkg1/usr/src/nv
patch -p1 < ../../../../patch-nv-1.0-9746_realtime-preempt.txt
make SYSSRC=/usr/src/kernels/2.6.20-0119.rt8-i686 module

Where $PATH_TO_NVIDIA_DRIVER_PACKAGE is the directory where you have
saved the nvidia driver package.


4. Manually define the missing symbol entry for "paravirt_ops"

Code:
PARAVIRT_OPS=`grep "D paravirt_ops" /boot/System.map-2.6.20-0119.rt8 | colrm 9`
ld -m elf_i386 --defsym paravirt_ops=0x$PARAVIRT_OPS -r -o nvidia.ko nvidia.o nvidia.mod.o


5. Install the nvidia kernel module

Code:
cp nvidia.ko /lib/modules/2.6.20-0119.rt8/kernel/drivers/video/
depmod -a 2.6.20-0119.rt8


Limitations
This instruction has only been tested with 32-bit FC6. It may work for 64-bit,
but make sure to use "colrm 17" instead of "colrm 9" in step 4.


Feedback appreciated

Bernhard
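Hugo's step 8, the Makefile.kbuild tip on Julian's page and Bernhard's step 4 all resolve the address of paravirt_ops the same way: grep over System.map, then cut a fixed column width with colrm, which is why the limitation above has to say "colrm 17" for 64-bit. The shell functions below are an added example, not code from any of those posts. They do the same lookup with an exact match on the name field, so the address width no longer matters, a longer name such as paravirt_ops_table is not matched by accident, and a missing symbol (a kernel built without PARAVIRT has no paravirt_ops at all) gives a non-zero exit instead of an empty address being handed to ld. The System.map excerpts are constructed samples, not from a real kernel.

```shell
#!/bin/sh
# Added example: resolve a kernel symbol address from System.map safely.

# write_sample_map32 / write_sample_map64 PATH: constructed System.map excerpts
# (address, symbol type, name), one with 8-digit and one with 16-digit
# addresses. Not taken from a real kernel.
write_sample_map32() {
    printf '%s\n' 'c0104a30 T __const_udelay' 'c0300000 D paravirt_ops' \
        'c0300120 D paravirt_ops_table' > "$1"
}
write_sample_map64() {
    printf '%s\n' 'ffffffff8020a1c0 T __const_udelay' 'ffffffff80500000 D paravirt_ops' \
        'ffffffff80500160 D paravirt_ops_table' > "$1"
}

# symaddr MAP SYMBOL: print the address of SYMBOL (any symbol type), exit 1 if
# it is absent. Exact match on the name field: `grep "D paravirt_ops" | colrm 9`
# would also match paravirt_ops_table and hard-codes the 32-bit column width.
symaddr() {
    awk -v sym="$2" '$3 == sym { print $1; found = 1; exit } END { exit(found ? 0 : 1) }' "$1"
}

# defsym_option MAP SYMBOL: the ld option that Hugo's step 9 builds by hand,
# or exit 1 without printing anything when the symbol is not in the map, so a
# caller never runs `ld --defsym paravirt_ops=0x` with an empty address.
defsym_option() {
    addr=$(symaddr "$1" "$2") || return 1
    printf '%s %s=0x%s\n' --defsym "$2" "$addr"
}

# Usage against the running kernel (assumption: its map lives in /boot):
#   defsym_option /boot/System.map-"$(uname -r)" paravirt_ops
```

Because the name is matched as a whole field, the same function works for text symbols too (`symaddr MAP __const_udelay`), which is handy when the installer's "unknown symbol" error names something other than paravirt_ops.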


Re: [Installation Instruction] nvidia driver with kernel-rt-2.6.20-0119.rt8 on FC6

Hi!

Just to let you know, it is not anymore necessary to patch the nvidia
kernel driver for version 1.0-9755 along with kernel 2.6.20-0119.rt8!

The situation is that nvidia replaced the problematic semaphore
synchronization method by "completions" some times ago, and the
high latency causing "wbinvd" instruction (when PAT support is
enabled) has been replaced in 2.6.19 by a fast and interruptible
sequence of "clflush" instructions.

However, you may still need to manually define missing symbols
for pre-compiled kernels (see earlier post for an example).

regards

Bernhard

Hello,

How to use this with kernel 2.6.21?

modpost.c looks different:

if (!mod->gpl_compatible)
check_for_gpl_usage(exp->export, basename, exp->name);
check_for_unused(exp->export, basename, exp->name);

What shall I remove - all 3 lines?

I tested one time and I get this error during compile:

scripts/mod/modpost.c:1172: Warning: »check_for_gpl_usage« defined, but not used

scripts/mod/modpost.c:1197: Warning: »check_for_unused« defined, but not used

Thanks


CooSee ' Ya

My workaround was to disable paravirtualization in the kernel
(paravirt_ops has EXPORT_SYMBOL_GPL in Module.symvers and I think this
causes the problem)
I've done this, more or less, that way:

1. Install linux-source-2.6.20-1-686
2. Uncompress /usr/src/linux-source-2.6.20-1-686.tar.bz2
3. delete symlink /lib/modules/2.6.20-1-686/build and make new (ln -s
/usr/src/linux-source-2.6.20 /lib/modules/2.6.20-1-686/build)
4. copy .config from headers to sources (cp
/usr/src/linux-headers-2.6.20-1-686/.config /usr/src/linux-source-2.6.20)
5. in sources dir 'make menuconfig' and disable paravirtualization in
'processor features'
6. make prepare
7. make scripts
8. now I could compile and install nvidia kernel drivers
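The post above names the root cause that Julian's explanation of the problem describes in prose: in the kernel's Module.symvers the symbol paravirt_ops is recorded with EXPORT_SYMBOL_GPL, and modpost rejects a module whose MODULE_LICENSE string is not GPL-compatible when it references such a symbol (that is the check_for_gpl_usage() call the earlier posts delete from modpost.c). As an added example, not code from any of the posts or from the kernel tree, the shell functions below read a Module.symvers file and report, before any build is attempted, which of a module's symbols would trip that check. The Module.symvers sample is constructed in the 2.6.20-era four-column layout (crc, symbol, owning module, export macro; newer kernels add a namespace column), and the set of GPL-compatible license strings follows what the kernel's include/linux/license.h accepted at that time; both are assumptions stated in the comments.

```shell
#!/bin/sh
# Added example: predict the modpost GPL-only rejection from Module.symvers
# before building an out-of-tree module.

# write_sample_symvers PATH: constructed 2.6.20-style Module.symvers lines
# (crc, symbol, owning module, export macro; tab separated). Not from a real kernel.
write_sample_symvers() {
    printf '%s\t%s\t%s\t%s\n' \
        0x1f2e3d4c paravirt_ops   vmlinux EXPORT_SYMBOL_GPL \
        0x0a0b0c0d printk         vmlinux EXPORT_SYMBOL \
        0x5e6f7a8b __const_udelay vmlinux EXPORT_SYMBOL \
        0x9c8d7e6f sched_clock    vmlinux EXPORT_SYMBOL_GPL_FUTURE \
        > "$1"
}

# export_type SYMVERS SYMBOL: print the export macro for SYMBOL, exit 1 if the
# kernel does not export it at all (modpost reports that as an unknown symbol).
export_type() {
    awk -v sym="$2" '$2 == sym { print $4; found = 1; exit } END { exit(found ? 0 : 1) }' "$1"
}

# gpl_compatible LICENSE: exit 0 when modpost treats the MODULE_LICENSE string
# as GPL-compatible. Assumption: the six strings from include/linux/license.h
# of that era.
gpl_compatible() {
    case "$1" in
        GPL|"GPL v2"|"GPL and additional rights"|"Dual BSD/GPL"|"Dual MIT/GPL"|"Dual MPL/GPL")
            return 0 ;;
        *)  return 1 ;;
    esac
}

# modpost_precheck SYMVERS LICENSE SYMBOL...: one line per symbol that would
# fail or warn; exit 0 when every symbol would pass modpost, 1 otherwise.
modpost_precheck() {
    symvers=$1; license=$2; shift 2
    rc=0
    for sym in "$@"; do
        if ! exp=$(export_type "$symvers" "$sym"); then
            echo "$sym: not exported by the kernel at all (unknown symbol)"
            rc=1
            continue
        fi
        if gpl_compatible "$license"; then
            continue    # a GPL-compatible module may use any export
        fi
        case "$exp" in
            EXPORT_SYMBOL_GPL|EXPORT_UNUSED_SYMBOL_GPL)
                echo "$sym: GPL-only ($exp), fatal for MODULE_LICENSE(\"$license\")"
                rc=1 ;;
            EXPORT_SYMBOL_GPL_FUTURE)
                echo "$sym: will become GPL-only ($exp), modpost warns" ;;
        esac
    done
    return $rc
}

# Usage against a real tree (assumption: headers installed under /lib/modules):
#   modpost_precheck /lib/modules/"$(uname -r)"/build/Module.symvers NVIDIA \
#       paravirt_ops printk __const_udelay
```

Running the check with the license string "GPL" shows why the same source builds cleanly when PARAVIRT is switched off or when the module is GPL: the export type only matters for a non-GPL license.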
Here's a different solution using instructions from here: http://www.nvnews.net/vbulletin/showthread.php?t=87541

I did these steps (v1.0.9755):
2. Modify "modpost" in order to accept non-GPL modules (slightly different however: I recompiled the linux-kbuild-2.6.20 debian package)
unpack nvidia-driver (using "-x"), run ./nvidia-installer -K
4. Manually define the missing symbol entry for "paravirt_ops"
5. Install the nvidia kernel module

works.

Debian's statement on the issue, btw:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=419943
also see the following article
http://kerneltrap.org/node/7545

Linux: KVM Paravirtualization

January 5, 2007 - 4:57pm
Submitted by Jeremy on January 5, 2007 - 4:57pm.

A new feature that will first be available in the upcoming 2.6.20 kernel is KVM, a Kernel-based Virtual Machine. The project's webpage describes KVM as, "a full virtualization solution for Linux on x86 hardware. It consists of a loadable kernel module (kvm.ko) and a userspace component. Using KVM, one can run multiple virtual machines running unmodified Linux or Windows images. Each virtual machine has private virtualized hardware: a network card, disk, graphics adapter, etc." The project's FAQ explains that the functionality requires "an x86 machine running a recent Linux kernel on an Intel processor with VT (virtualization technology) extensions, or an AMD processor with SVM extensions (also called AMD-V)." The userland aspect of KVM is a slightly modified version of qemu, used to instantiate the virtual machine.

Ingo Molnar [interview] announced a new patch introducing paravirtualization support for KVM, outdating the KVM FAQ which in comparing KVM to Xen notes, "Xen supports both full virtualization and a technique called paravirtualization, which allows better performance for modified guests. kvm does not at present support paravirtualization." In describing his patch which is against the 2.6.20-rc3 + KVM trunk kernel, Ingo said it, "includes support for the hardware cr3-cache feature of Intel-VMX CPUs. (which speeds up context switches and TLB flushes)". He went on to add, "some aspects of the code are still a bit ad-hoc and incomplete, but the code is stable enough in my testing and i'd like to have some feedback." In a series of benchmarks, he found 2-task context switch performance to be improved by a factor of four, while "hackbench 1" showed twice as good performance, and "hackbench 5" showed a 30% improvement. His email goes on to detail how the paravirtualization works.