Menu
▾
▴
astlinux-users — AstLinux Users Mailing List
You can subscribe to this list here.
| 2006 |
Jan
|
Feb
|
Mar
|
Apr
|
May
|
Jun
(1) |
Jul
(1) |
Aug
|
Sep
|
Oct
(2) |
Nov
(1) |
Dec
(20) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2007 |
Jan
(91) |
Feb
(111) |
Mar
(226) |
Apr
(65) |
May
(197) |
Jun
(202) |
Jul
(92) |
Aug
(87) |
Sep
(120) |
Oct
(133) |
Nov
(89) |
Dec
(155) |
| 2008 |
Jan
(251) |
Feb
(136) |
Mar
(174) |
Apr
(149) |
May
(56) |
Jun
(32) |
Jul
(36) |
Aug
(171) |
Sep
(245) |
Oct
(244) |
Nov
(218) |
Dec
(272) |
| 2009 |
Jan
(113) |
Feb
(119) |
Mar
(192) |
Apr
(117) |
May
(93) |
Jun
(46) |
Jul
(80) |
Aug
(54) |
Sep
(109) |
Oct
(70) |
Nov
(145) |
Dec
(110) |
| 2010 |
Jan
(137) |
Feb
(87) |
Mar
(45) |
Apr
(157) |
May
(58) |
Jun
(99) |
Jul
(188) |
Aug
(136) |
Sep
(101) |
Oct
(100) |
Nov
(61) |
Dec
(60) |
| 2011 |
Jan
(84) |
Feb
(43) |
Mar
(70) |
Apr
(17) |
May
(69) |
Jun
(28) |
Jul
(43) |
Aug
(21) |
Sep
(151) |
Oct
(120) |
Nov
(84) |
Dec
(101) |
| 2012 |
Jan
(119) |
Feb
(82) |
Mar
(70) |
Apr
(115) |
May
(66) |
Jun
(131) |
Jul
(70) |
Aug
(65) |
Sep
(66) |
Oct
(86) |
Nov
(197) |
Dec
(81) |
| 2013 |
Jan
(65) |
Feb
(48) |
Mar
(32) |
Apr
(68) |
May
(98) |
Jun
(59) |
Jul
(41) |
Aug
(52) |
Sep
(42) |
Oct
(37) |
Nov
(10) |
Dec
(27) |
| 2014 |
Jan
(61) |
Feb
(34) |
Mar
(30) |
Apr
(52) |
May
(45) |
Jun
(40) |
Jul
(28) |
Aug
(9) |
Sep
(39) |
Oct
(69) |
Nov
(55) |
Dec
(19) |
| 2015 |
Jan
(13) |
Feb
(21) |
Mar
(5) |
Apr
(14) |
May
(30) |
Jun
(51) |
Jul
(31) |
Aug
(12) |
Sep
(29) |
Oct
(15) |
Nov
(24) |
Dec
(16) |
| 2016 |
Jan
(62) |
Feb
(76) |
Mar
(30) |
Apr
(43) |
May
(46) |
Jun
(62) |
Jul
(21) |
Aug
(49) |
Sep
(67) |
Oct
(27) |
Nov
(26) |
Dec
(38) |
| 2017 |
Jan
(7) |
Feb
(12) |
Mar
(69) |
Apr
(59) |
May
(54) |
Jun
(40) |
Jul
(76) |
Aug
(82) |
Sep
(92) |
Oct
(51) |
Nov
(32) |
Dec
(30) |
| 2018 |
Jan
(22) |
Feb
(25) |
Mar
(34) |
Apr
(35) |
May
(37) |
Jun
(21) |
Jul
(69) |
Aug
(55) |
Sep
(17) |
Oct
(67) |
Nov
(9) |
Dec
(5) |
| 2019 |
Jan
(19) |
Feb
(12) |
Mar
(15) |
Apr
(19) |
May
|
Jun
(27) |
Jul
(27) |
Aug
(25) |
Sep
(25) |
Oct
(27) |
Nov
(10) |
Dec
(14) |
| 2020 |
Jan
(22) |
Feb
(20) |
Mar
(36) |
Apr
(40) |
May
(52) |
Jun
(35) |
Jul
(21) |
Aug
(32) |
Sep
(71) |
Oct
(27) |
Nov
(11) |
Dec
(16) |
| 2021 |
Jan
(16) |
Feb
(21) |
Mar
(21) |
Apr
(27) |
May
(17) |
Jun
|
Jul
(2) |
Aug
(22) |
Sep
(23) |
Oct
(7) |
Nov
(11) |
Dec
(28) |
| 2022 |
Jan
(23) |
Feb
(18) |
Mar
(9) |
Apr
(15) |
May
(15) |
Jun
(7) |
Jul
(8) |
Aug
(15) |
Sep
(1) |
Oct
|
Nov
(11) |
Dec
(10) |
| 2023 |
Jan
(14) |
Feb
(10) |
Mar
(11) |
Apr
(13) |
May
(2) |
Jun
(30) |
Jul
(1) |
Aug
(15) |
Sep
(13) |
Oct
(3) |
Nov
(25) |
Dec
(5) |
| 2024 |
Jan
(3) |
Feb
(10) |
Mar
(9) |
Apr
|
May
(1) |
Jun
(15) |
Jul
(7) |
Aug
(10) |
Sep
(3) |
Oct
(8) |
Nov
(6) |
Dec
(15) |
| 2025 |
Jan
(3) |
Feb
(1) |
Mar
(7) |
Apr
(5) |
May
(13) |
Jun
(16) |
Jul
(1) |
Aug
|
Sep
|
Oct
|
Nov
|
Dec
|
|
From: Dan R. <da...@ry...> - 2022-08-07 16:29:24
|
Thanks Michael! -------- Original message --------From: Michael Keuter <li...@mk...> Date: 8/7/22 11:25 AM (GMT-05:00) To: AstLinux Users Mailing List <ast...@li...> Subject: Re: [Astlinux-users] MSMTP: E-Mail From root? You need to define SMTP_FROM="us...@ho..."for your sender address in your user.confSent from a mobile device.Michael KeuterAm 07.08.2022 um 17:02 schrieb Dan Ryson <da...@ry...>:All,I've been trying to figure out why I'm experiencing a new MSMTP symptom on two completely separate PBXs; both running AstLinux 1.4.6. Within the last few weeks, I've started seeing bounce messages like the one pasted below. For some reason, mail appears to be going out with a "from" address of root. sip mail.err msmtp: host=smtp.ryson.org tls=on auth=on user=da...@ry... from=ro...@ry... recipients=da...@ry... smtpstatus=550 smtpmsg='550 sorry, you can?t send as this user' errormsg='envelope from address ro...@ry... not accepted by the server' exitcode=EX_DATAERR I see the same thing with the Test SMTP Mail Relay dialog under the Network tab while entering my e-mail address to both the "to" and "from" text boxes. The symptom also occurs from the command line (with some portions redacted):sip kd # echo "hello there username." | msmtp --debug -a default da...@ry...loaded system configuration file /etc/msmtprcignoring user configuration file /root/.msmtprc: No such file or directoryusing account default from /etc/msmtprchost = smtp.ryson.orgport = 465source ip = (not set)proxy host = (not set)proxy port = 0socket = (not set)timeout = 30 secondsprotocol = smtpdomain = localhostauth = LOGIN<-- 235 ok, go ahead (#2.0.0)--> MAIL FROM:<ro...@ry...>--> RCPT TO:<da...@ry...>--> DATA<-- 550 sorry, you can't send as this usermsmtp: envelope from address ro...@ry... not accepted by the servermsmtp: server message: 550 sorry, you can't send as this usermsmtp: could not send mail (account default from /etc/msmtprc)As always, I'd appreciate any insight.Thanks,Dan _______________________________________________Astlinux-users mailing lis...@li...https://lists.sourceforge.net/lists/listinfo/astlinux-usersDonations to support AstLinux are graciously accepted via PayPal to pa...@kr.... |
|
From: Dan R. <da...@ry...> - 2022-08-07 16:28:29
|
Yes. It's the same provider with both. During our brief dialog, I didn't ask and they didn't say if this was a recent change.I'll try the suggested change shortly.Thank you.Dan -------- Original message --------From: Lonnie Abelbeck <li...@lo...> Date: 8/7/22 11:26 AM (GMT-05:00) To: AstLinux Users Mailing List <ast...@li...> Subject: Re: [Astlinux-users] MSMTP: E-Mail From root? Hi Dan,Is the issue with the same email provider?Try adding to your /mnt/kd/rc.conf.d/user.conf file (example)--SMTP_FROM="da...@ry..."--Then from the CLI to apply the change:--gen-rc-confservice msmtp restart--Lonnie> On Aug 7, 2022, at 9:35 AM, Dan Ryson <da...@ry...> wrote:> > All,> > I've been trying to figure out why I'm experiencing a new MSMTP symptom on two completely separate PBXs; both running AstLinux 1.4.6. Within the last few weeks, I've started seeing bounce messages like the one pasted below. For some reason, mail appears to be going out with a "from" address of root. > > sip mail.err msmtp: host=smtp.ryson.org tls=on auth=on user=da...@ry... from=ro...@ry... recipients=da...@ry... smtpstatus=550 smtpmsg='550 sorry, you can?t send as this user' errormsg='envelope from address ro...@ry... not accepted by the server' exitcode=EX_DATAERR > > I see the same thing with the Test SMTP Mail Relay dialog under the Network tab while entering my e-mail address to both the "to" and "from" text boxes. > > <image.png>> > The symptom also occurs from the command line (with some portions redacted):> > sip kd # echo "hello there username." | msmtp --debug -a default da...@ry...> loaded system configuration file /etc/msmtprc> ignoring user configuration file /root/.msmtprc: No such file or directory> using account default from /etc/msmtprc> host = smtp.ryson.org> port = 465> source ip = (not set)> proxy host = (not set)> proxy port = 0> socket = (not set)> timeout = 30 seconds> protocol = smtp> domain = localhost> auth = LOGIN> <-- 235 ok, go ahead (#2.0.0)> --> MAIL FROM:<ro...@ry...>> --> RCPT TO:<da...@ry...>> --> DATA> <-- 550 sorry, you can't send as this user> msmtp: envelope from address ro...@ry... not accepted by the server> msmtp: server message: 550 sorry, you can't send as this user> msmtp: could not send mail (account default from /etc/msmtprc)> > As always, I'd appreciate any insight.> > Thanks,> > Dan> _______________________________________________> Astlinux-users mailing list> Ast...@li...> https://lists.sourceforge.net/lists/listinfo/astlinux-users> > Donations to support AstLinux are graciously accepted via PayPal to pa...@kr...._______________________________________________Astlinux-users mailing lis...@li...https://lists.sourceforge.net/lists/listinfo/astlinux-usersDonations to support AstLinux are graciously accepted via PayPal to pa...@kr.... |
|
From: Lonnie A. <li...@lo...> - 2022-08-07 15:26:27
|
Hi Dan, Is the issue with the same email provider? Try adding to your /mnt/kd/rc.conf.d/user.conf file (example) -- SMTP_FROM="da...@ry..." -- Then from the CLI to apply the change: -- gen-rc-conf service msmtp restart -- Lonnie > On Aug 7, 2022, at 9:35 AM, Dan Ryson <da...@ry...> wrote: > > All, > > I've been trying to figure out why I'm experiencing a new MSMTP symptom on two completely separate PBXs; both running AstLinux 1.4.6. Within the last few weeks, I've started seeing bounce messages like the one pasted below. For some reason, mail appears to be going out with a "from" address of root. > > sip mail.err msmtp: host=smtp.ryson.org tls=on auth=on user=da...@ry... from=ro...@ry... recipients=da...@ry... smtpstatus=550 smtpmsg='550 sorry, you can?t send as this user' errormsg='envelope from address ro...@ry... not accepted by the server' exitcode=EX_DATAERR > > I see the same thing with the Test SMTP Mail Relay dialog under the Network tab while entering my e-mail address to both the "to" and "from" text boxes. > > <image.png> > > The symptom also occurs from the command line (with some portions redacted): > > sip kd # echo "hello there username." | msmtp --debug -a default da...@ry... > loaded system configuration file /etc/msmtprc > ignoring user configuration file /root/.msmtprc: No such file or directory > using account default from /etc/msmtprc > host = smtp.ryson.org > port = 465 > source ip = (not set) > proxy host = (not set) > proxy port = 0 > socket = (not set) > timeout = 30 seconds > protocol = smtp > domain = localhost > auth = LOGIN > <-- 235 ok, go ahead (#2.0.0) > --> MAIL FROM:<ro...@ry...> > --> RCPT TO:<da...@ry...> > --> DATA > <-- 550 sorry, you can't send as this user > msmtp: envelope from address ro...@ry... not accepted by the server > msmtp: server message: 550 sorry, you can't send as this user > msmtp: could not send mail (account default from /etc/msmtprc) > > As always, I'd appreciate any insight. > > Thanks, > > Dan > _______________________________________________ > Astlinux-users mailing list > Ast...@li... > https://lists.sourceforge.net/lists/listinfo/astlinux-users > > Donations to support AstLinux are graciously accepted via PayPal to pa...@kr.... |
|
From: Michael K. <li...@mk...> - 2022-08-07 15:25:09
|
You need to define SMTP_FROM="us...@ho..." for your sender address in your user.conf Sent from a mobile device. Michael Keuter > Am 07.08.2022 um 17:02 schrieb Dan Ryson <da...@ry...>: > > > All, > > I've been trying to figure out why I'm experiencing a new MSMTP symptom on two completely separate PBXs; both running AstLinux 1.4.6. Within the last few weeks, I've started seeing bounce messages like the one pasted below. For some reason, mail appears to be going out with a "from" address of root. > > sip mail.err msmtp: host=smtp.ryson.org tls=on auth=on user=da...@ry... from=ro...@ry... recipients=da...@ry... smtpstatus=550 smtpmsg='550 sorry, you can?t send as this user' errormsg='envelope from address ro...@ry... not accepted by the server' exitcode=EX_DATAERR > > I see the same thing with the Test SMTP Mail Relay dialog under the Network tab while entering my e-mail address to both the "to" and "from" text boxes. > > > > The symptom also occurs from the command line (with some portions redacted): > > sip kd # echo "hello there username." | msmtp --debug -a default da...@ry... > loaded system configuration file /etc/msmtprc > ignoring user configuration file /root/.msmtprc: No such file or directory > using account default from /etc/msmtprc > host = smtp.ryson.org > port = 465 > source ip = (not set) > proxy host = (not set) > proxy port = 0 > socket = (not set) > timeout = 30 seconds > protocol = smtp > domain = localhost > auth = LOGIN > <-- 235 ok, go ahead (#2.0.0) > --> MAIL FROM:<ro...@ry...> > --> RCPT TO:<da...@ry...> > --> DATA > <-- 550 sorry, you can't send as this user > msmtp: envelope from address ro...@ry... not accepted by the server > msmtp: server message: 550 sorry, you can't send as this user > msmtp: could not send mail (account default from /etc/msmtprc) > > As always, I'd appreciate any insight. > > Thanks, > > Dan > _______________________________________________ > Astlinux-users mailing list > Ast...@li... > https://lists.sourceforge.net/lists/listinfo/astlinux-users > > Donations to support AstLinux are graciously accepted via PayPal to pa...@kr.... |
|
From: Dan R. <da...@ry...> - 2022-08-07 15:02:07
|
All, I've been trying to figure out why I'm experiencing a new MSMTP symptom on two completely separate PBXs; both running AstLinux 1.4.6. Within the last few weeks, I've started seeing bounce messages like the one pasted below. For some reason, mail appears to be going out with a "from" address of root. sip mail.err msmtp: host=smtp.ryson.org tls=on auth=on user=da...@ry... from=ro...@ry... recipients=da...@ry... smtpstatus=550 smtpmsg='550 sorry, you can?t send as this user' errormsg='envelope from address ro...@ry... not accepted by the server' exitcode=EX_DATAERR I see the same thing with the Test SMTP Mail Relay dialog under the Network tab while entering my e-mail address to both the "to" and "from" text boxes. The symptom also occurs from the command line (with some portions redacted): sip kd # echo "hello there username." | msmtp --debug -a default da...@ry... loaded system configuration file /etc/msmtprc ignoring user configuration file /root/.msmtprc: No such file or directory using account default from /etc/msmtprc host = smtp.ryson.org port = 465 source ip = (not set) proxy host = (not set) proxy port = 0 socket = (not set) timeout = 30 seconds protocol = smtp domain = localhost auth = LOGIN MAIL FROM: --> RCPT TO: --> DATA |
|
From: Michael K. <mic...@ip...> - 2022-08-06 23:20:33
|
Thanks guys for your input.
Regards
Michael Knill
On 7/8/2022, 2:41 am, "Lonnie Abelbeck" <li...@lo...> wrote:
Good catch David, it is good practice to always remove the /etc/udev/rules.d/70-persistent-net.rules file (if it exists) when creating a template AstLinux system.
Though for the VM case, the standard udev rules do not generate /etc/udev/rules.d/70-persistent-net.rules for virtual interfaces.
But for bare-metal you will need to remove the /etc/udev/rules.d/70-persistent-net.rules file for a template system.
As you know David, for very special cases where you have a VM with a mix of virtual NICs and PCIe passthrough real NICs the /etc/udev/rules.d/70-persistent-net.rules file will be created, but without the virtual interfaces.
Regardless, as you suggested, remove /etc/udev/rules.d/70-persistent-net.rules for template systems.
Lonnie
> On Aug 6, 2022, at 9:47 AM, David Kerr <Da...@Ke...> wrote:
>
> Lonnie,
> What about /etc/udev/rules.d/70-persistent-net.rules does it need to be regenerated too?
>
> David.
>
> On Sat, Aug 6, 2022 at 9:57 AM Lonnie Abelbeck <li...@lo...> wrote:
> Hi Michael,
>
> You are missing an important set of keys:
> --
> Server SSH Keys – 'rm /mnt/kd/ssh/ssh_host_*' are removed so host server keys are regenerated
> --
>
> BTW, the ssh/ssh_host_* are for the sshd server, the ssh_root_keys/ are for outbound 'root' user ssh keys.
>
> As you mentioned (implied), everything in /mnt/kd/ssl/* should be removed (including dirs).
>
> As for the Zabbix keys, AstLinux does not generate those ... possibly Zabbix does with the proper configuration path to /mnt/kd/ssl/...
>
> Off hand, I can't think of any other secure identity bits and shouldn't be propagated from VM to VM.
>
>
> Lonnie
>
>
> > From: Michael Knill <mic...@ip...>
> > Reply to: AstLinux List <ast...@li...>
> > Date: Saturday, 6 August 2022 at 12:38 pm
> > To: AstLinux List <ast...@li...>
> > Subject: [Astlinux-users] Using VMware Templates
> >
> > Hi Group
> >
> > I'm using Astlinux in VMware vCloud and for quick deployment I have build a base system and created a template from it. This means I can rapidly deploy a new system without having to build it.
> >
> > I'm just wanting to check that I haven’t missed anything regarding what I do to the template build and what I do after provisioning a new system. Note I have not included Asterisk configuration in this list.
> >
> > • Network configuration – Build template will be DHCP only. The new address and hostname will added into the Network Tab or rc.conf.d/gui.network.conf directly
> > • HTTPS and TLS Certs – These will be regenerated on the new provisioned system with an ACME Issue
> > • Root SSH Keys – ssh_root_keys directory is removed in the template so it is regenerated
> > • Wireguard Key – wireguard/wg0.privatekey is removed in the template so it is regenerated
> > • Zabbix Key – ssl/zabbix_secret.psk is removed in the template so it is regenerated (when you access the Zabbix Tab I believe)
> > • OpenVPN Keys – These are not generated by default in the build system so will need to be created if required anyway
> > • Tarsnap – tarsnap directory is removed in the template so it needs to be generated
> >
> > Can you think of anything else I require?
> > Thanks all.
> >
> > Regards
> >
> > Michael Knill
> > Managing Director
> >
> > D: +61 2 6189 1360
> > P: +61 2 6140 4656
> > E: mic...@ip...
> > W: ipcsolutions.com.au
> >
> > <image001.png>
> > Smarter Business Communications
> >
> > _______________________________________________
> > Astlinux-users mailing list
> > Ast...@li...
> > https://lists.sourceforge.net/lists/listinfo/astlinux-users
> >
> > Donations to support AstLinux are graciously accepted via PayPal to pa...@kr....
>
>
>
> _______________________________________________
> Astlinux-users mailing list
> Ast...@li...
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>
> Donations to support AstLinux are graciously accepted via PayPal to pa...@kr....
> _______________________________________________
> Astlinux-users mailing list
> Ast...@li...
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>
> Donations to support AstLinux are graciously accepted via PayPal to pa...@kr....
_______________________________________________
Astlinux-users mailing list
Ast...@li...
https://lists.sourceforge.net/lists/listinfo/astlinux-users
Donations to support AstLinux are graciously accepted via PayPal to pa...@kr....
|
|
From: Lonnie A. <li...@lo...> - 2022-08-06 16:40:46
|
Good catch David, it is good practice to always remove the /etc/udev/rules.d/70-persistent-net.rules file (if it exists) when creating a template AstLinux system. Though for the VM case, the standard udev rules do not generate /etc/udev/rules.d/70-persistent-net.rules for virtual interfaces. But for bare-metal you will need to remove the /etc/udev/rules.d/70-persistent-net.rules file for a template system. As you know David, for very special cases where you have a VM with a mix of virtual NICs and PCIe passthrough real NICs the /etc/udev/rules.d/70-persistent-net.rules file will be created, but without the virtual interfaces. Regardless, as you suggested, remove /etc/udev/rules.d/70-persistent-net.rules for template systems. Lonnie > On Aug 6, 2022, at 9:47 AM, David Kerr <Da...@Ke...> wrote: > > Lonnie, > What about /etc/udev/rules.d/70-persistent-net.rules does it need to be regenerated too? > > David. > > On Sat, Aug 6, 2022 at 9:57 AM Lonnie Abelbeck <li...@lo...> wrote: > Hi Michael, > > You are missing an important set of keys: > -- > Server SSH Keys – 'rm /mnt/kd/ssh/ssh_host_*' are removed so host server keys are regenerated > -- > > BTW, the ssh/ssh_host_* are for the sshd server, the ssh_root_keys/ are for outbound 'root' user ssh keys. > > As you mentioned (implied), everything in /mnt/kd/ssl/* should be removed (including dirs). > > As for the Zabbix keys, AstLinux does not generate those ... possibly Zabbix does with the proper configuration path to /mnt/kd/ssl/... > > Off hand, I can't think of any other secure identity bits and shouldn't be propagated from VM to VM. > > > Lonnie > > > > From: Michael Knill <mic...@ip...> > > Reply to: AstLinux List <ast...@li...> > > Date: Saturday, 6 August 2022 at 12:38 pm > > To: AstLinux List <ast...@li...> > > Subject: [Astlinux-users] Using VMware Templates > > > > Hi Group > > > > I'm using Astlinux in VMware vCloud and for quick deployment I have build a base system and created a template from it. This means I can rapidly deploy a new system without having to build it. > > > > I'm just wanting to check that I haven’t missed anything regarding what I do to the template build and what I do after provisioning a new system. Note I have not included Asterisk configuration in this list. > > > > • Network configuration – Build template will be DHCP only. The new address and hostname will added into the Network Tab or rc.conf.d/gui.network.conf directly > > • HTTPS and TLS Certs – These will be regenerated on the new provisioned system with an ACME Issue > > • Root SSH Keys – ssh_root_keys directory is removed in the template so it is regenerated > > • Wireguard Key – wireguard/wg0.privatekey is removed in the template so it is regenerated > > • Zabbix Key – ssl/zabbix_secret.psk is removed in the template so it is regenerated (when you access the Zabbix Tab I believe) > > • OpenVPN Keys – These are not generated by default in the build system so will need to be created if required anyway > > • Tarsnap – tarsnap directory is removed in the template so it needs to be generated > > > > Can you think of anything else I require? > > Thanks all. > > > > Regards > > > > Michael Knill > > Managing Director > > > > D: +61 2 6189 1360 > > P: +61 2 6140 4656 > > E: mic...@ip... > > W: ipcsolutions.com.au > > > > <image001.png> > > Smarter Business Communications > > > > _______________________________________________ > > Astlinux-users mailing list > > Ast...@li... > > https://lists.sourceforge.net/lists/listinfo/astlinux-users > > > > Donations to support AstLinux are graciously accepted via PayPal to pa...@kr.... > > > > _______________________________________________ > Astlinux-users mailing list > Ast...@li... > https://lists.sourceforge.net/lists/listinfo/astlinux-users > > Donations to support AstLinux are graciously accepted via PayPal to pa...@kr.... > _______________________________________________ > Astlinux-users mailing list > Ast...@li... > https://lists.sourceforge.net/lists/listinfo/astlinux-users > > Donations to support AstLinux are graciously accepted via PayPal to pa...@kr.... |
|
From: David K. <da...@ke...> - 2022-08-06 15:10:04
|
Lonnie, What about /etc/udev/rules.d/70-persistent-net.rules does it need to be regenerated too? David. On Sat, Aug 6, 2022 at 9:57 AM Lonnie Abelbeck <li...@lo...> wrote: > Hi Michael, > > You are missing an important set of keys: > -- > Server SSH Keys – 'rm /mnt/kd/ssh/ssh_host_*' are removed so host server > keys are regenerated > -- > > BTW, the ssh/ssh_host_* are for the sshd server, the ssh_root_keys/ are > for outbound 'root' user ssh keys. > > As you mentioned (implied), everything in /mnt/kd/ssl/* should be removed > (including dirs). > > As for the Zabbix keys, AstLinux does not generate those ... possibly > Zabbix does with the proper configuration path to /mnt/kd/ssl/... > > Off hand, I can't think of any other secure identity bits and shouldn't be > propagated from VM to VM. > > > Lonnie > > > > From: Michael Knill <mic...@ip...> > > Reply to: AstLinux List <ast...@li...> > > Date: Saturday, 6 August 2022 at 12:38 pm > > To: AstLinux List <ast...@li...> > > Subject: [Astlinux-users] Using VMware Templates > > > > Hi Group > > > > I'm using Astlinux in VMware vCloud and for quick deployment I have > build a base system and created a template from it. This means I can > rapidly deploy a new system without having to build it. > > > > I'm just wanting to check that I haven’t missed anything regarding what > I do to the template build and what I do after provisioning a new system. > Note I have not included Asterisk configuration in this list. > > > > • Network configuration – Build template will be DHCP only. The > new address and hostname will added into the Network Tab or > rc.conf.d/gui.network.conf directly > > • HTTPS and TLS Certs – These will be regenerated on the new > provisioned system with an ACME Issue > > • Root SSH Keys – ssh_root_keys directory is removed in the > template so it is regenerated > > • Wireguard Key – wireguard/wg0.privatekey is removed in the > template so it is regenerated > > • Zabbix Key – ssl/zabbix_secret.psk is removed in the template so > it is regenerated (when you access the Zabbix Tab I believe) > > • OpenVPN Keys – These are not generated by default in the build > system so will need to be created if required anyway > > • Tarsnap – tarsnap directory is removed in the template so it > needs to be generated > > > > Can you think of anything else I require? > > Thanks all. > > > > Regards > > > > Michael Knill > > Managing Director > > > > D: +61 2 6189 1360 > > P: +61 2 6140 4656 > > E: mic...@ip... > > W: ipcsolutions.com.au > > > > <image001.png> > > Smarter Business Communications > > > > _______________________________________________ > > Astlinux-users mailing list > > Ast...@li... > > https://lists.sourceforge.net/lists/listinfo/astlinux-users > > > > Donations to support AstLinux are graciously accepted via PayPal to > pa...@kr.... > > > > _______________________________________________ > Astlinux-users mailing list > Ast...@li... > https://lists.sourceforge.net/lists/listinfo/astlinux-users > > Donations to support AstLinux are graciously accepted via PayPal to > pa...@kr.... |
|
From: Lonnie A. <li...@lo...> - 2022-08-06 13:57:37
|
Hi Michael, You are missing an important set of keys: -- Server SSH Keys – 'rm /mnt/kd/ssh/ssh_host_*' are removed so host server keys are regenerated -- BTW, the ssh/ssh_host_* are for the sshd server, the ssh_root_keys/ are for outbound 'root' user ssh keys. As you mentioned (implied), everything in /mnt/kd/ssl/* should be removed (including dirs). As for the Zabbix keys, AstLinux does not generate those ... possibly Zabbix does with the proper configuration path to /mnt/kd/ssl/... Off hand, I can't think of any other secure identity bits and shouldn't be propagated from VM to VM. Lonnie > From: Michael Knill <mic...@ip...> > Reply to: AstLinux List <ast...@li...> > Date: Saturday, 6 August 2022 at 12:38 pm > To: AstLinux List <ast...@li...> > Subject: [Astlinux-users] Using VMware Templates > > Hi Group > > I'm using Astlinux in VMware vCloud and for quick deployment I have build a base system and created a template from it. This means I can rapidly deploy a new system without having to build it. > > I'm just wanting to check that I haven’t missed anything regarding what I do to the template build and what I do after provisioning a new system. Note I have not included Asterisk configuration in this list. > > • Network configuration – Build template will be DHCP only. The new address and hostname will added into the Network Tab or rc.conf.d/gui.network.conf directly > • HTTPS and TLS Certs – These will be regenerated on the new provisioned system with an ACME Issue > • Root SSH Keys – ssh_root_keys directory is removed in the template so it is regenerated > • Wireguard Key – wireguard/wg0.privatekey is removed in the template so it is regenerated > • Zabbix Key – ssl/zabbix_secret.psk is removed in the template so it is regenerated (when you access the Zabbix Tab I believe) > • OpenVPN Keys – These are not generated by default in the build system so will need to be created if required anyway > • Tarsnap – tarsnap directory is removed in the template so it needs to be generated > > Can you think of anything else I require? > Thanks all. > > Regards > > Michael Knill > Managing Director > > D: +61 2 6189 1360 > P: +61 2 6140 4656 > E: mic...@ip... > W: ipcsolutions.com.au > > <image001.png> > Smarter Business Communications > > _______________________________________________ > Astlinux-users mailing list > Ast...@li... > https://lists.sourceforge.net/lists/listinfo/astlinux-users > > Donations to support AstLinux are graciously accepted via PayPal to pa...@kr.... |
|
From: Michael K. <mic...@ip...> - 2022-08-06 03:07:34
|
Whoops typo: * Zabbix Key – ssl/zabbix_secret.psk is removed in the template so it is regenerated (when you access the Zabbix Tab I believe) Regards Michael Knill From: Michael Knill <mic...@ip...> Reply to: AstLinux List <ast...@li...> Date: Saturday, 6 August 2022 at 12:38 pm To: AstLinux List <ast...@li...> Subject: [Astlinux-users] Using VMware Templates Hi Group I'm using Astlinux in VMware vCloud and for quick deployment I have build a base system and created a template from it. This means I can rapidly deploy a new system without having to build it. I'm just wanting to check that I haven’t missed anything regarding what I do to the template build and what I do after provisioning a new system. Note I have not included Asterisk configuration in this list. * Network configuration – Build template will be DHCP only. The new address and hostname will added into the Network Tab or rc.conf.d/gui.network.conf directly * HTTPS and TLS Certs – These will be regenerated on the new provisioned system with an ACME Issue * Root SSH Keys – ssh_root_keys directory is removed in the template so it is regenerated * Wireguard Key – wireguard/wg0.privatekey is removed in the template so it is regenerated * Zabbix Key – wireguard/ssl/zabbix_secret.psk is removed in the template so it is regenerated (when you access the Zabbix Tab I believe) * OpenVPN Keys – These are not generated by default in the build system so will need to be created if required anyway * Tarsnap – tarsnap directory is removed in the template so it needs to be generated Can you think of anything else I require? Thanks all. Regards Michael Knill Managing Director D: +61 2 6189 1360 P: +61 2 6140 4656 E: mic...@ip...<mailto:mic...@ip...> W: ipcsolutions.com.au<https://ipcsolutions.com.au/> [Icon Description automatically generated] Smarter Business Communications |
|
From: Michael K. <mic...@ip...> - 2022-08-06 02:37:56
|
Hi Group I'm using Astlinux in VMware vCloud and for quick deployment I have build a base system and created a template from it. This means I can rapidly deploy a new system without having to build it. I'm just wanting to check that I haven’t missed anything regarding what I do to the template build and what I do after provisioning a new system. Note I have not included Asterisk configuration in this list. * Network configuration – Build template will be DHCP only. The new address and hostname will added into the Network Tab or rc.conf.d/gui.network.conf directly * HTTPS and TLS Certs – These will be regenerated on the new provisioned system with an ACME Issue * Root SSH Keys – ssh_root_keys directory is removed in the template so it is regenerated * Wireguard Key – wireguard/wg0.privatekey is removed in the template so it is regenerated * Zabbix Key – wireguard/ssl/zabbix_secret.psk is removed in the template so it is regenerated (when you access the Zabbix Tab I believe) * OpenVPN Keys – These are not generated by default in the build system so will need to be created if required anyway * Tarsnap – tarsnap directory is removed in the template so it needs to be generated Can you think of anything else I require? Thanks all. Regards Michael Knill Managing Director D: +61 2 6189 1360 P: +61 2 6140 4656 E: mic...@ip...<mailto:mic...@ip...> W: ipcsolutions.com.au<https://ipcsolutions.com.au/> [Icon Description automatically generated] Smarter Business Communications |
|
From: Lonnie A. <li...@lo...> - 2022-08-05 15:18:13
|
Announcing AstLinux Pre-Release: astlinux-1.4-5547-ae3467
** The AstLinux Team is regularly upgrading packages containing security and bug fixes as well as adding new features of our own.
-- Linux Kernel 4.19.254 (version bump), security and bug fixes
-- RUNNIX, version bump to runnix-0.6.12, with Linux Kernel 4.19.254
== gnu-efi, version bump to 3.0.14
-- igc, backport from linux-5.4.208, Intel i225 2.5-Gigabit Ethernet Network Driver
-- r8125, version 9.009.02, Realtek RTL8125 2.5-Gigabit Ethernet Network Driver
-- igb, version bump to 5.11.4, Intel 1.0-Gigabit Ethernet Network Driver
-- OpenSSL, version bump to 1.1.1q, security fixes: CVE-2022-2068, CVE-2022-2097
-- WireGuard VPN, module 1.0.20220627 (version bump), tools 1.0.20210914 (no change)
-- OpenSSH, version 8.1p1, close SSH connections on shutdown, poweroff, reboot and kernel-reboot
-- libcurl (curl) version bump to 7.84.0, security fixes: CVE-2022-32205, CVE-2022-32206, CVE-2022-32207, CVE-2022-32208
-- htop, version bump to 3.2.1
-- sqlite, version bump to 3.39.2, security fix: CVE-2022-35737
-- unbound, version bump to 1.16.2, security fixes: CVE-2022-30698, CVE-2022-30699
-- zabbix, version bump to 4.0.43
-- Asterisk 13.38.3 ('13se' no change)
Last Asterisk 13.x "Legacy" version, built --without-pjproject
-- Asterisk 16.27.0 (version bump) and 18.13.0 (version bump)
-- pjsip 2.12 (version bump)
-- Complete Pre-Release ChangeLog:
https://astlinux-project.org/beta/astlinux-changelog/ChangeLog.txt
The "AstLinux Pre-Release ChangeLog" and "Pre-Release Repository URL" entries can be found under the "Development" tab of the AstLinux Project web site ...
AstLinux Project -> Development
https://www.astlinux-project.org/dev.html
AstLinux Team
|
|
From: David K. <da...@ke...> - 2022-07-22 15:43:14
|
The issue is when I am working from home and using my employer's VPN to connect to work, it takes over the network... even to the extent that it blocks firing up a 2nd VPN, for obvious security reasons. When I work from an office location I have no problems firing up my own VPN if I need to access something at home, that is not blocked as in the office I don't need my employer's VPN. David. On Fri, Jul 22, 2022 at 10:26 AM Lonnie Abelbeck <li...@lo...> wrote: > David, > > Thanks for closing the loop, indicating that solution works. > > Question, is there any reason you can't use WireGuard from work to > AstLinux, hence using your AstLinux local DNS within the tunnel? > > If your work outbound is filtered, you can enable the WireGuard -> > Firewall Options ... > > > to redirect WG UDP traffic to a different port at the AstLinux endpoint if > the standard UDP 51820 is blocked outbound. > > It goes without saying, don't do anything your employer forbids or could > get you in trouble. > > Lonnie > > > > > On Jul 22, 2022, at 7:23 AM, David Kerr <da...@ke...> wrote: > > I tested from outside and the firewall rules do block access. I've been > scratching my head for a long time now on how to solve the problem where my > employer's VPN takes over DNS. Complaints to our IT team did no good. But > now I have a work-around. > > David > > On Wed, Jul 20, 2022 at 11:59 AM Lonnie Abelbeck < > li...@lo...> wrote: > Hi David, > > Interesting ... yes, as you suggested, setting the NAT EXT->LAN "Source" > rule to only the local LAN(s) (ex. 192.168.1.0/24) should be what you > need to limit "loopback" to only local IPs for a particular NATed port. > > Can't say I ever needed that, but should work. > > Best to test hitting you external interface from the outside with the > associated "loopback" port and make sure it is not allowed in. > > Lonnie > > > > > > On Jul 20, 2022, at 8:31 AM, David Kerr <da...@ke...> wrote: > > > > Is it possible to configure NAT Loopback on its own... ie, without > opening NAT->LAN for all sources? > > > > I have a problem where my employer's VPN is hijacking DNS so name > resolution for my internal hosts is always getting routed to the VPN's > supplied DNS which will not resolve to my internal IP address, so traffic > is getting sent to my external IP address. > > > > Loopback works, I can set a port number to forward but I don't want to > open the firewall port to any external client, only to a client on my > internal network. > > > > It looks like I can set Source IP to e.g. 192.168.1.0/24 and that will > setup the firewall rules. But is that the best and/or safe way to do it? > > > > Thanks > > David > > _______________________________________________ > > Astlinux-users mailing list > > Ast...@li... > > https://lists.sourceforge.net/lists/listinfo/astlinux-users > > > > Donations to support AstLinux are graciously accepted via PayPal to > pa...@kr.... > > > > _______________________________________________ > Astlinux-users mailing list > Ast...@li... > https://lists.sourceforge.net/lists/listinfo/astlinux-users > > Donations to support AstLinux are graciously accepted via PayPal to > pa...@kr.... > _______________________________________________ > Astlinux-users mailing list > Ast...@li... > https://lists.sourceforge.net/lists/listinfo/astlinux-users > > Donations to support AstLinux are graciously accepted via PayPal to > pa...@kr.... > > > _______________________________________________ > Astlinux-users mailing list > Ast...@li... > https://lists.sourceforge.net/lists/listinfo/astlinux-users > > Donations to support AstLinux are graciously accepted via PayPal to > pa...@kr.... |
|
From: Lonnie A. <li...@lo...> - 2022-07-22 14:26:42
|
David, Thanks for closing the loop, indicating that solution works. Question, is there any reason you can't use WireGuard from work to AstLinux, hence using your AstLinux local DNS within the tunnel? If your work outbound is filtered, you can enable the WireGuard -> Firewall Options ... to redirect WG UDP traffic to a different port at the AstLinux endpoint if the standard UDP 51820 is blocked outbound. It goes without saying, don't do anything your employer forbids or could get you in trouble. Lonnie > On Jul 22, 2022, at 7:23 AM, David Kerr <da...@ke...> wrote: > > I tested from outside and the firewall rules do block access. I've been scratching my head for a long time now on how to solve the problem where my employer's VPN takes over DNS. Complaints to our IT team did no good. But now I have a work-around. > > David > > On Wed, Jul 20, 2022 at 11:59 AM Lonnie Abelbeck <li...@lo...> wrote: > Hi David, > > Interesting ... yes, as you suggested, setting the NAT EXT->LAN "Source" rule to only the local LAN(s) (ex. 192.168.1.0/24) should be what you need to limit "loopback" to only local IPs for a particular NATed port. > > Can't say I ever needed that, but should work. > > Best to test hitting you external interface from the outside with the associated "loopback" port and make sure it is not allowed in. > > Lonnie > > > > > > On Jul 20, 2022, at 8:31 AM, David Kerr <da...@ke...> wrote: > > > > Is it possible to configure NAT Loopback on its own... ie, without opening NAT->LAN for all sources? > > > > I have a problem where my employer's VPN is hijacking DNS so name resolution for my internal hosts is always getting routed to the VPN's supplied DNS which will not resolve to my internal IP address, so traffic is getting sent to my external IP address. > > > > Loopback works, I can set a port number to forward but I don't want to open the firewall port to any external client, only to a client on my internal network. > > > > It looks like I can set Source IP to e.g. 192.168.1.0/24 and that will setup the firewall rules. But is that the best and/or safe way to do it? > > > > Thanks > > David > > _______________________________________________ > > Astlinux-users mailing list > > Ast...@li... > > https://lists.sourceforge.net/lists/listinfo/astlinux-users > > > > Donations to support AstLinux are graciously accepted via PayPal to pa...@kr.... > > > > _______________________________________________ > Astlinux-users mailing list > Ast...@li... > https://lists.sourceforge.net/lists/listinfo/astlinux-users > > Donations to support AstLinux are graciously accepted via PayPal to pa...@kr.... > _______________________________________________ > Astlinux-users mailing list > Ast...@li... > https://lists.sourceforge.net/lists/listinfo/astlinux-users > > Donations to support AstLinux are graciously accepted via PayPal to pa...@kr.... |
|
From: David K. <da...@ke...> - 2022-07-22 12:49:21
|
I tested from outside and the firewall rules do block access. I've been scratching my head for a long time now on how to solve the problem where my employer's VPN takes over DNS. Complaints to our IT team did no good. But now I have a work-around. David On Wed, Jul 20, 2022 at 11:59 AM Lonnie Abelbeck <li...@lo...> wrote: > Hi David, > > Interesting ... yes, as you suggested, setting the NAT EXT->LAN "Source" > rule to only the local LAN(s) (ex. 192.168.1.0/24) should be what you > need to limit "loopback" to only local IPs for a particular NATed port. > > Can't say I ever needed that, but should work. > > Best to test hitting you external interface from the outside with the > associated "loopback" port and make sure it is not allowed in. > > Lonnie > > > > > > On Jul 20, 2022, at 8:31 AM, David Kerr <da...@ke...> wrote: > > > > Is it possible to configure NAT Loopback on its own... ie, without > opening NAT->LAN for all sources? > > > > I have a problem where my employer's VPN is hijacking DNS so name > resolution for my internal hosts is always getting routed to the VPN's > supplied DNS which will not resolve to my internal IP address, so traffic > is getting sent to my external IP address. > > > > Loopback works, I can set a port number to forward but I don't want to > open the firewall port to any external client, only to a client on my > internal network. > > > > It looks like I can set Source IP to e.g. 192.168.1.0/24 and that will > setup the firewall rules. But is that the best and/or safe way to do it? > > > > Thanks > > David > > _______________________________________________ > > Astlinux-users mailing list > > Ast...@li... > > https://lists.sourceforge.net/lists/listinfo/astlinux-users > > > > Donations to support AstLinux are graciously accepted via PayPal to > pa...@kr.... > > > > _______________________________________________ > Astlinux-users mailing list > Ast...@li... > https://lists.sourceforge.net/lists/listinfo/astlinux-users > > Donations to support AstLinux are graciously accepted via PayPal to > pa...@kr.... > |
|
From: Michael K. <mic...@ip...> - 2022-07-21 04:05:04
|
Hi Lonnie Its a great IaaS solution. Here is a good explanation from one of our cloud providers https://www.serversaustralia.com.au/products/virtual-data-centre Thanks for the info here. Yes htop is nice. I only have 1.4 in build so not much disk traffic so will need to check later. From what I saw in our build environment I think we will be fine. Regards Michael Knill On 21/7/2022, 9:11 am, "Lonnie Abelbeck" <li...@lo...> wrote: Hi Michael, Out of curiosity, what do you mean by "Virtual DC" ? I'm not familiar with that term. If you are using AstLinux 1.4.3 or later, the kernel /proc/[pid]/io stats are enabled. So, look for "read_bytes" and "write_bytes" in the output of the 'init' process: -- cat /proc/1/io -- For Asterisk, this should work: -- cat /proc/$(pgrep -f '^asterisk')/io -- See how quickly "read_bytes" and "write_bytes" increase over a set period of time. Next convert into IOP by guessing an average block size. Note: some of this Disk IO is to RAM based tmpfs, but would give you a worst case scenario. Additionally, 'htop' supports IO_RATE column (DISK R/W) that can monitor IO. Lonnie > On Jul 20, 2022, at 2:29 PM, Michael Knill <mic...@ip...> wrote: > > Hi Group > > I am virtualising most Astlinux installs and now moving to Virtual DC’s where I have more control of the type of resources I allocate. One of these is the type of storage and usually in the form of IOP’s. > For example I can purchase storage ranging from 100 IOP’s to 25,000 IOP’s. Now although the difference in price is not huge, it does add up and I want to try to minimise costs where possible. > I have been using 250 IOP’s and I have not seen any problems but just wondering if this is too low? Even though am writing logs to KD, I assumed that the Astlinux architecture was still pretty light on in regards to disk writes. > > Thanks > Mike > _______________________________________________ > Astlinux-users mailing list > Ast...@li... > https://lists.sourceforge.net/lists/listinfo/astlinux-users > > Donations to support AstLinux are graciously accepted via PayPal to pa...@kr.... _______________________________________________ Astlinux-users mailing list Ast...@li... https://lists.sourceforge.net/lists/listinfo/astlinux-users Donations to support AstLinux are graciously accepted via PayPal to pa...@kr.... |
|
From: Lonnie A. <li...@lo...> - 2022-07-20 23:11:12
|
Hi Michael, Out of curiosity, what do you mean by "Virtual DC" ? I'm not familiar with that term. If you are using AstLinux 1.4.3 or later, the kernel /proc/[pid]/io stats are enabled. So, look for "read_bytes" and "write_bytes" in the output of the 'init' process: -- cat /proc/1/io -- For Asterisk, this should work: -- cat /proc/$(pgrep -f '^asterisk')/io -- See how quickly "read_bytes" and "write_bytes" increase over a set period of time. Next convert into IOP by guessing an average block size. Note: some of this Disk IO is to RAM based tmpfs, but would give you a worst case scenario. Additionally, 'htop' supports IO_RATE column (DISK R/W) that can monitor IO. Lonnie > On Jul 20, 2022, at 2:29 PM, Michael Knill <mic...@ip...> wrote: > > Hi Group > > I am virtualising most Astlinux installs and now moving to Virtual DC’s where I have more control of the type of resources I allocate. One of these is the type of storage and usually in the form of IOP’s. > For example I can purchase storage ranging from 100 IOP’s to 25,000 IOP’s. Now although the difference in price is not huge, it does add up and I want to try to minimise costs where possible. > I have been using 250 IOP’s and I have not seen any problems but just wondering if this is too low? Even though am writing logs to KD, I assumed that the Astlinux architecture was still pretty light on in regards to disk writes. > > Thanks > Mike > _______________________________________________ > Astlinux-users mailing list > Ast...@li... > https://lists.sourceforge.net/lists/listinfo/astlinux-users > > Donations to support AstLinux are graciously accepted via PayPal to pa...@kr.... |
|
From: Michael K. <mic...@ip...> - 2022-07-20 19:29:22
|
Hi Group I am virtualising most Astlinux installs and now moving to Virtual DC’s where I have more control of the type of resources I allocate. One of these is the type of storage and usually in the form of IOP’s. For example I can purchase storage ranging from 100 IOP’s to 25,000 IOP’s. Now although the difference in price is not huge, it does add up and I want to try to minimise costs where possible. I have been using 250 IOP’s and I have not seen any problems but just wondering if this is too low? Even though am writing logs to KD, I assumed that the Astlinux architecture was still pretty light on in regards to disk writes. Thanks Mike |
|
From: Lonnie A. <li...@lo...> - 2022-07-20 15:59:29
|
Hi David, Interesting ... yes, as you suggested, setting the NAT EXT->LAN "Source" rule to only the local LAN(s) (ex. 192.168.1.0/24) should be what you need to limit "loopback" to only local IPs for a particular NATed port. Can't say I ever needed that, but should work. Best to test hitting you external interface from the outside with the associated "loopback" port and make sure it is not allowed in. Lonnie > On Jul 20, 2022, at 8:31 AM, David Kerr <da...@ke...> wrote: > > Is it possible to configure NAT Loopback on its own... ie, without opening NAT->LAN for all sources? > > I have a problem where my employer's VPN is hijacking DNS so name resolution for my internal hosts is always getting routed to the VPN's supplied DNS which will not resolve to my internal IP address, so traffic is getting sent to my external IP address. > > Loopback works, I can set a port number to forward but I don't want to open the firewall port to any external client, only to a client on my internal network. > > It looks like I can set Source IP to e.g. 192.168.1.0/24 and that will setup the firewall rules. But is that the best and/or safe way to do it? > > Thanks > David > _______________________________________________ > Astlinux-users mailing list > Ast...@li... > https://lists.sourceforge.net/lists/listinfo/astlinux-users > > Donations to support AstLinux are graciously accepted via PayPal to pa...@kr.... |
|
From: David K. <da...@ke...> - 2022-07-20 15:19:55
|
Is it possible to configure NAT Loopback on its own... ie, without opening NAT->LAN for all sources? I have a problem where my employer's VPN is hijacking DNS so name resolution for my internal hosts is always getting routed to the VPN's supplied DNS which will not resolve to my internal IP address, so traffic is getting sent to my external IP address. Loopback works, I can set a port number to forward but I don't want to open the firewall port to any external client, only to a client on my internal network. It looks like I can set Source IP to e.g. 192.168.1.0/24 and that will setup the firewall rules. But is that the best and/or safe way to do it? Thanks David |
|
From: Michael K. <mic...@ip...> - 2022-06-26 04:03:03
|
Thanks Lonnie. Yeah that's way too hard. I will wait for them to open up the firewall.
Regards
Michael Knill
On 26/6/2022, 1:20 am, "Lonnie Abelbeck" <li...@lo...> wrote:
Hi Michael,
Do you have physical access? If "yes" a local attached USB drive can be used as a "local repo".
Below is an example, using an PC Engines APU2 "genx86_64-serial" image.
======================
Insert FAT formatted USB drive.
pbx4 ~ # fdisk -l
--
...
Device Boot Start End Sectors Size Id Type
/dev/sdb1 * 63 524159 524097 255.9M 6 FAT16
--
pbx4 ~ # mkdir /tmp/disk
pbx4 ~ # mount -t vfat /dev/sdb1 /tmp/disk
## Only needed to create a local repo on the USB drive, could be performed outside of AstLinux if desired.
## Requires public network access.
pbx4 ~ # mkdir -p /tmp/disk/ast13se-firmware-1.x/genx86_64-serial
pbx4 ~ # cd /tmp/disk/ast13se-firmware-1.x/genx86_64-serial/
pbx4 genx86_64-serial # curl -LO https://astlinux-project.org/mirror/ast13se-firmware-1.x/genx86_64-serial/ver
pbx4 genx86_64-serial # curl -LO https://astlinux-project.org/mirror/ast13se-firmware-1.x/genx86_64-serial/astlinux-1.4.6.tar.gz
pbx4 genx86_64-serial # curl -LO https://astlinux-project.org/mirror/ast13se-firmware-1.x/genx86_64-serial/astlinux-1.4.6.tar.gz.sha1
## End of create a local repo on the USB drive
## Now assume the USB drive was pre-configured and skip the above "create a local repo" commands.
## Check the local repo files:
pbx4 ~ # cd
pbx4 ~ # find /tmp/disk/ast13se-firmware-1.x/
/tmp/disk/ast13se-firmware-1.x/
/tmp/disk/ast13se-firmware-1.x/genx86_64-serial
/tmp/disk/ast13se-firmware-1.x/genx86_64-serial/ver
/tmp/disk/ast13se-firmware-1.x/genx86_64-serial/astlinux-1.4.6.tar.gz
/tmp/disk/ast13se-firmware-1.x/genx86_64-serial/astlinux-1.4.6.tar.gz.sha1
## Upgrade using the local (pre-configured) USB drive:
pbx4 ~ # upgrade-run-image check file:///tmp/disk/ast13se-firmware-1.x
Current version is: astlinux-1.4-5507-f21c6b, Newest available version is: astlinux-1.4.6
pbx4 ~ # upgrade-run-image upgrade file:///tmp/disk/ast13se-firmware-1.x
Successful upgrade to: astlinux-1.4.6 [after reboot]
pbx4 ~ # cd
pbx4 ~ # umount /tmp/disk
pbx4 ~ # reboot ; exit
======================
And yes, this local repo method can be used for Runnix as well.
Lonnie
Tip -> For AstLinux 1.4.2 or later: If you have a exFAT formatted drive use "mount -t exfat ..." instead of "mount -t vfat ..." above.
> On Jun 24, 2022, at 8:52 PM, Michael Knill <mic...@ip...> wrote:
>
> Is this easy to do?
> I have a site where they are tough with security and I cant reach the download server currently.
>
> Along with my previous question, a Runnix upgrade without network connectivity may be handy too.
>
> Regards
>
> Michael Knill
> Managing Director
_______________________________________________
Astlinux-users mailing list
Ast...@li...
https://lists.sourceforge.net/lists/listinfo/astlinux-users
Donations to support AstLinux are graciously accepted via PayPal to pa...@kr....
|
|
From: Michael K. <mic...@ip...> - 2022-06-25 23:27:49
|
Thanks Lonnie. I think we will set up our own repo for Runnix.
Regards
Michael Knill
On 25/6/2022, 11:51 pm, "Lonnie Abelbeck" <li...@lo...> wrote:
Hi Michael, (comments inline)
> On Jun 24, 2022, at 8:07 PM, Michael Knill <mic...@ip...> wrote:
>
> A couple of questions regarding Runnix:
> • I did a Runnix upgrade and it went to 0.6.11. Is this ok on Astlinux 1.3.10?
Should be fine. Test by upgrading to Runnix 0.6.11 and "reboot" from the CLI ... it should boot AstLinux.
AstLinux 1.3.10 uses x86_64 Linux 3.16.85, Runnix 0.6.11 is based on x86_64 Linux 4.19.242.
Over the years we have changed Runnix from 32-bit (0.4.x) to 32-bit PAE (0.5.x) to 64-bit (0.6.x)
The "upgrade-RUNNIX-image" automatically uses the proper Runnix series. You can force the Runnix repo URL, the AstLinux 1.3.10 and later default is:
--
upgrade-RUNNIX-image check https://astlinux-project.org/mirror/runnix6
--
> • Can I upgrade to a specific Runnix version or is there no point?
You could with a private Runnix repo, but there is no reason to do so that I am aware of.
Note that any Runnix upgrades would need to be done via the CLI, the Web Interface uses the default Runnix repo URL.
> • Can I manage my own repository of Runnix?
Yes, (see above) ... just as with the AstLinux repo file format, for example:
-- On an external reachable HTTPS server "HOST/PATH" --
mkdir runnix6
cd runnix6
curl -LO https://astlinux-project.org/mirror/runnix6/runnix-0.6.11.tar.gz
curl -LO https://astlinux-project.org/mirror/runnix6/runnix-0.6.11.tar.gz.sha1
curl -LO https://astlinux-project.org/mirror/runnix6/ver
--
Then in AstLinux:
--
upgrade-RUNNIX-image check https://HOST/PATH/runnix6
--
Adjust as desired.
Lonnie
_______________________________________________
Astlinux-users mailing list
Ast...@li...
https://lists.sourceforge.net/lists/listinfo/astlinux-users
Donations to support AstLinux are graciously accepted via PayPal to pa...@kr....
|
|
From: Lonnie A. <li...@lo...> - 2022-06-25 15:19:43
|
Hi Michael, Do you have physical access? If "yes" a local attached USB drive can be used as a "local repo". Below is an example, using an PC Engines APU2 "genx86_64-serial" image. ====================== Insert FAT formatted USB drive. pbx4 ~ # fdisk -l -- ... Device Boot Start End Sectors Size Id Type /dev/sdb1 * 63 524159 524097 255.9M 6 FAT16 -- pbx4 ~ # mkdir /tmp/disk pbx4 ~ # mount -t vfat /dev/sdb1 /tmp/disk ## Only needed to create a local repo on the USB drive, could be performed outside of AstLinux if desired. ## Requires public network access. pbx4 ~ # mkdir -p /tmp/disk/ast13se-firmware-1.x/genx86_64-serial pbx4 ~ # cd /tmp/disk/ast13se-firmware-1.x/genx86_64-serial/ pbx4 genx86_64-serial # curl -LO https://astlinux-project.org/mirror/ast13se-firmware-1.x/genx86_64-serial/ver pbx4 genx86_64-serial # curl -LO https://astlinux-project.org/mirror/ast13se-firmware-1.x/genx86_64-serial/astlinux-1.4.6.tar.gz pbx4 genx86_64-serial # curl -LO https://astlinux-project.org/mirror/ast13se-firmware-1.x/genx86_64-serial/astlinux-1.4.6.tar.gz.sha1 ## End of create a local repo on the USB drive ## Now assume the USB drive was pre-configured and skip the above "create a local repo" commands. ## Check the local repo files: pbx4 ~ # cd pbx4 ~ # find /tmp/disk/ast13se-firmware-1.x/ /tmp/disk/ast13se-firmware-1.x/ /tmp/disk/ast13se-firmware-1.x/genx86_64-serial /tmp/disk/ast13se-firmware-1.x/genx86_64-serial/ver /tmp/disk/ast13se-firmware-1.x/genx86_64-serial/astlinux-1.4.6.tar.gz /tmp/disk/ast13se-firmware-1.x/genx86_64-serial/astlinux-1.4.6.tar.gz.sha1 ## Upgrade using the local (pre-configured) USB drive: pbx4 ~ # upgrade-run-image check file:///tmp/disk/ast13se-firmware-1.x Current version is: astlinux-1.4-5507-f21c6b, Newest available version is: astlinux-1.4.6 pbx4 ~ # upgrade-run-image upgrade file:///tmp/disk/ast13se-firmware-1.x Successful upgrade to: astlinux-1.4.6 [after reboot] pbx4 ~ # cd pbx4 ~ # umount /tmp/disk pbx4 ~ # reboot ; exit ====================== And yes, this local repo method can be used for Runnix as well. Lonnie Tip -> For AstLinux 1.4.2 or later: If you have a exFAT formatted drive use "mount -t exfat ..." instead of "mount -t vfat ..." above. > On Jun 24, 2022, at 8:52 PM, Michael Knill <mic...@ip...> wrote: > > Is this easy to do? > I have a site where they are tough with security and I cant reach the download server currently. > > Along with my previous question, a Runnix upgrade without network connectivity may be handy too. > > Regards > > Michael Knill > Managing Director |
|
From: Lonnie A. <li...@lo...> - 2022-06-25 13:50:42
|
Hi Michael, (comments inline) > On Jun 24, 2022, at 8:07 PM, Michael Knill <mic...@ip...> wrote: > > A couple of questions regarding Runnix: > • I did a Runnix upgrade and it went to 0.6.11. Is this ok on Astlinux 1.3.10? Should be fine. Test by upgrading to Runnix 0.6.11 and "reboot" from the CLI ... it should boot AstLinux. AstLinux 1.3.10 uses x86_64 Linux 3.16.85, Runnix 0.6.11 is based on x86_64 Linux 4.19.242. Over the years we have changed Runnix from 32-bit (0.4.x) to 32-bit PAE (0.5.x) to 64-bit (0.6.x) The "upgrade-RUNNIX-image" automatically uses the proper Runnix series. You can force the Runnix repo URL, the AstLinux 1.3.10 and later default is: -- upgrade-RUNNIX-image check https://astlinux-project.org/mirror/runnix6 -- > • Can I upgrade to a specific Runnix version or is there no point? You could with a private Runnix repo, but there is no reason to do so that I am aware of. Note that any Runnix upgrades would need to be done via the CLI, the Web Interface uses the default Runnix repo URL. > • Can I manage my own repository of Runnix? Yes, (see above) ... just as with the AstLinux repo file format, for example: -- On an external reachable HTTPS server "HOST/PATH" -- mkdir runnix6 cd runnix6 curl -LO https://astlinux-project.org/mirror/runnix6/runnix-0.6.11.tar.gz curl -LO https://astlinux-project.org/mirror/runnix6/runnix-0.6.11.tar.gz.sha1 curl -LO https://astlinux-project.org/mirror/runnix6/ver -- Then in AstLinux: -- upgrade-RUNNIX-image check https://HOST/PATH/runnix6 -- Adjust as desired. Lonnie |
|
From: Michael K. <mic...@ip...> - 2022-06-25 01:53:02
|
Is this easy to do? I have a site where they are tough with security and I cant reach the download server currently. Along with my previous question, a Runnix upgrade without network connectivity may be handy too. Regards Michael Knill Managing Director D: +61 2 6189 1360 P: +61 2 6140 4656 E: mic...@ip...<mailto:mic...@ip...> W: ipcsolutions.com.au<https://ipcsolutions.com.au/> [Icon Description automatically generated] Smarter Business Communications |
63 messages has been excluded from this view by a project administrator.
