LINUX.ORG.RU

Posts by mfhunruh

Check Point and GNU/Linux (Debian) - site-to-site VPN

Hi all!

There is a Check Point Gaia Embedded at site A and a Debian box at site B.

I need all traffic from behind the Check Point to go out through the Debian box.

Please advise how to implement this. I have already tried Libreswan, Openswan and Strongswan; in every case the two sides keep spitting each other out.

Example configuration:

# Debian (B)
#######################################################

# cat /etc/ipsec.conf

config setup
	uniqueids = no
	charondebug=ike 2, knl 2, cfg 2, mgr 2, chd 2, net 2, esp 2

conn %default
	ikelifetime=28800
	keylife=3600
	rekeymargin=3m
	keyingtries=1
	authby=secret
	keyexchange=ikev1
	mobike=no

conn mytunnel
	left=2.2.2.2 # Debian
	leftsubnet=0.0.0.0/0
	right=1.1.1.1 # Check Point
	rightsubnet=0.0.0.0/0
	type=tunnel
	auto=start
	ike=aes256-sha1-modp1024!
	esp=aes256-sha1!
	rekey=yes
	forceencaps=yes
	lifetime=3600s
	leftfirewall=yes

# cat /etc/ipsec.secrets

include /etc/ipsec.d/*.secrets

1.1.1.1 2.2.2.2 : PSK '1234567890'

Example logs (Strongswan)

May 31 23:15:04 cloud charon[3154]: 10[MGR] checkout IKEv1 SA with SPIs 762d19e050b30811_i 8c1d90c15893e39d_r
May 31 23:15:04 cloud charon[3154]: 10[MGR] IKE_SA mytunnel[6] successfully checked out
May 31 23:15:04 cloud charon[3154]: 10[IKE] queueing ISAKMP_DELETE task
May 31 23:15:04 cloud charon[3154]: 10[IKE] activating new tasks
May 31 23:15:04 cloud charon[3154]: 10[IKE]   activating ISAKMP_DELETE task
May 31 23:15:04 cloud charon[3154]: 10[IKE] deleting IKE_SA mytunnel[6] between 2.2.2.2[2.2.2.2]...1.1.1.1[1.1.1.1]
May 31 23:15:04 cloud charon[3154]: 10[IKE] deleting IKE_SA mytunnel[6] between 2.2.2.2[2.2.2.2]...1.1.1.1[1.1.1.1]
May 31 23:15:04 cloud charon[3154]: 10[IKE] sending DELETE for IKE_SA mytunnel[6]
May 31 23:15:04 cloud charon[3154]: 10[IKE] IKE_SA mytunnel[6] state change: ESTABLISHED => DELETING
May 31 23:15:04 cloud charon[3154]: 10[ENC] generating INFORMATIONAL_V1 request 1628196868 [ HASH D ]
May 31 23:15:04 cloud charon[3154]: 10[NET] sending packet: from 2.2.2.2[4500] to 1.1.1.1[4500] (92 bytes)
May 31 23:15:04 cloud charon[3154]: 10[MGR] checkin and destroy IKE_SA mytunnel[6]
May 31 23:15:04 cloud charon[3154]: 10[IKE] IKE_SA mytunnel[6] state change: DELETING => DESTROYING
May 31 23:15:04 cloud charon[3154]: 10[MGR] checkin and destroy of IKE_SA successful
May 31 23:15:04 cloud charon[3154]: 04[NET] sending packet: from 2.2.2.2[4500] to 1.1.1.1[4500]
May 31 23:15:05 cloud charon[3154]: 12[MGR] checkout IKEv1 SA with SPIs 762d19e050b30811_i 8c1d90c15893e39d_r
May 31 23:15:05 cloud charon[3154]: 12[MGR] IKE_SA checkout not successful

UPD: Traffic from Debian to the Check Point's LAN does flow, but the external IP seen from inside the Check Point's LAN is still the same as before (even though the "route all traffic through the VPN" checkbox is ticked on the CP).

mfhunruh

FreeBSD on a Check Point UTM-1 570

Hi all!

Has anyone tried installing, or knows how to install, FreeBSD on the device in the subject? I downloaded i386 (both version 9 and the latest), wrote it to a USB stick, and not even the bootloader menu comes up. No output whatsoever. pfSense works fine.

I tried putting the same FreeBSD stick into a Check Point 2200 - it boots fine.

mfhunruh

command a expects \ followed by text

Hi all, can you tell me what's wrong?

I have a file test.txt with this text:

# SOME STRINGS
vlans_em1="1"
# SOME STRINGS

I need sed to turn the file into this:

# SOME STRINGS
vlans_em1="1"
ifconfig_em1_1="inet 10.1.0.1/24"
# SOME STRINGS

I do this:

# sed -i -e "/vlans_em1/a ifconfig_em1_1=\x22inet 10.1.0.1\x2F24\x22" test.txt

I get:

sed: 1: "/vlans_em1/a ifconfig_e ...": command a expects \ followed by text

The quotes in sed -i -e «<...>» are mandatory, because this will be put into a script and there will be variables inside the quotes.

mfhunruh

Several subnets on one WLAN interface (Mikrotik)

Hi all!

There is a Mikrotik with two WiFi networks: WIFI-LAN and WIFI-GUEST

WIFI-LAN carries the internal services and hands out IPs from the 10.0.0.0/24 subnet

WIFI-GUEST is isolated and hands out IPs from the 10.6.0.0/24 subnet

It so happened that one of the devices connected to WIFI-LAN runs a VM that I wanted to move into the guest network.

WIFI-LAN together with ethernet1,2,3,4 is combined into BRIDGE-LAN

WIFI-GUEST is combined with WAN into BRIDGE-GUEST

I tried attaching VLAN-GUEST to the physical WIFI-LAN interface, adding it to BRIDGE-GUEST, and assigning a static IP 10.6.0.x by MAC, but nothing came of it

mfhunruh

How to disable automatic shutdown on low battery on Android

The subject says it all. The thing is, I have battery problems: as soon as it gets to ~50%, it shows 0% and accordingly powers off. Yet in recovery everything displays fine and nothing shuts down.

Android 7.1.2

mfhunruh

Fedora and /boot

Hi all. Can you explain to me what kind of enterprise solution Fedora has here?

Disklabel type: dos
/dev/sda1: LABEL="bootfs" TYPE="ext4"
4.0K	/boot/efi/System/Library/CoreServices
6.0K	/boot/efi/System/Library
8.0K	/boot/efi/System
2.4M	/boot/efi/EFI/BOOT
2.5M	/boot/efi/EFI/fedora/fonts
15M	/boot/efi/EFI/fedora
17M	/boot/efi/EFI
17M	/boot/efi
What EFI is this for me? How can I explain to it that I am nowhere near EFI? Or do I just keep running
rm -rf /boot/efi
???

mfhunruh

Squid - access denied

Hi all! Squid denies access to everyone

squid.conf

Going by the config I allowed access for the subnets 10.0.0.0/28 and 10.0.2.0/29, but when I try to connect from 10.0.0.5 I get Access Denied!

mfhunruh

OpenVPN and IPv6 don't work

Hi all. The subject says it all. There is a VPS with IPv6 - 2001:aaaa:bbbb:cccc::1/64. I bring up OpenVPN:

/etc/openvpn/variables

# Tunnel subnet prefix
prefix=2001:aaaa:bbbb:cccc:80::
# netmask
prefixlen=112

cat /etc/openvpn/server.conf

# Listen port
port 443
 
# Protocol
proto tcp-server
 
# IP tunnel
dev tun0
tun-ipv6
push tun-ipv6
 
# Master certificate
ca ca.crt
 
# Server certificate
cert debforvpn.crt
 
# Server private key
key debforvpn.key
 
# Diffie-Hellman parameters
dh debforvpn.pem
 
# Allow clients to communicate with each other
client-to-client
 
# Client config dir
client-config-dir /etc/openvpn/ccd
 
# Run client-specific script on connection and disconnection
script-security 2
client-connect "/usr/bin/sudo -u root /etc/openvpn/server-clientconnect.sh"
client-disconnect "/usr/bin/sudo -u root /etc/openvpn/server-clientdisconnect.sh"
 
# Server mode and client subnets
server 10.8.0.0 255.255.255.0
server-ipv6 2001:aaaa:bbbb:cccc:80::/112
topology subnet
 
# IPv6 routes
push "route-ipv6 2001:aaaa:bbbb:cccc::/64"
push "route-ipv6 2000::/3"
 
# DNS (for Windows)
# These are OpenDNS
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
 
# Configure all clients to redirect their default network gateway through the VPN
push "redirect-gateway def1 bypass-dhcp"
push "redirect-gateway ipv6" #For iOS
 
# Don't need to re-read keys and re-create tun at restart
persist-key
persist-tun
 
# Ping every 10s. Timeout of 120s.
keepalive 10 120
 
# Enable compression
comp-lzo
 
# User and group
user vpn
group vpn
 
# Log a short status
status openvpn-status.log
 
# Logging verbosity
verb 4

/etc/openvpn/ccd/mikrotik

ifconfig-push 10.8.0.101 255.255.255.0
ifconfig-ipv6-push 2001:aaaa:bbbb:cccc:80::1001/112 2001:aaaa:bbbb:cccc:80::1

iptables -L

Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     icmp --  <censored>           anywhere             icmp echo-request 
ACCEPT     icmp --  <censored>           anywhere             icmptype 6
ACCEPT     tcp  --  <censored>           anywhere             tcp dpt:22
ACCEPT     tcp  --  <censored>           anywhere             tcp dpt:https

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

/etc/sysctl.conf

# IPv6 configuration
net.ipv6.conf.all.autoconf = 1
net.ipv6.conf.all.accept_ra = 0

# For OpenVPN
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.proxy_ndp = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

And this is what I get:

Mon Jan 29 19:05:36 2018 us=988898 mikrotik/xx.xxx.xxx.xxx:52839 MULTI: bad source address from client [fe80::xxxx:xxxx:xxxx:xxxx], packet dropped

Asking for help

mfhunruh

How to insert a horizontal rule between lines in a bash script

The subject says it all: so that when printed it takes up exactly one line, without any offsets

mfhunruh

iptables lets everything through

Hi all. The subject says it all, what's wrong?

*filter
:INPUT DROP [2:186]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [13:1176]
:DOCKER - [0:0]
:DOCKER-ISOLATION - [0:0]
:DOCKER-USER - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.136.1/32 -p tcp -m conntrack --ctstate NEW -m tcp --dport 514 -j ACCEPT
-A INPUT -s 192.168.136.1/32 -p udp -m conntrack --ctstate NEW -m udp --dport 514 -j ACCEPT
-A INPUT -s 192.168.136.0/24 -p tcp -m conntrack --ctstate NEW -m tcp --dport 3306 -j ACCEPT
-A INPUT -s 192.168.139.0/24 -p tcp -m conntrack --ctstate NEW -m tcp --dport 3306 -j ACCEPT
-A INPUT -s 192.168.136.0/24 -p tcp -m conntrack --ctstate NEW -m tcp --dport 2003 -j ACCEPT
-A INPUT -s 192.168.136.0/24 -p udp -m conntrack --ctstate NEW -m udp --dport 2003 -j ACCEPT
-A INPUT -s 192.168.139.0/24 -p tcp -m conntrack --ctstate NEW -m tcp --dport 2003 -j ACCEPT
-A INPUT -s 192.168.139.0/24 -p udp -m conntrack --ctstate NEW -m udp --dport 2003 -j ACCEPT
-A INPUT -s 192.168.136.0/24 -p udp -m conntrack --ctstate NEW -m udp --dport 137 -j ACCEPT
-A INPUT -s 192.168.136.0/24 -p udp -m conntrack --ctstate NEW -m udp --dport 138 -j ACCEPT
-A INPUT -s 192.168.136.0/24 -p tcp -m conntrack --ctstate NEW -m tcp --dport 139 -j ACCEPT
-A INPUT -s 192.168.136.0/24 -p tcp -m conntrack --ctstate NEW -m tcp --dport 445 -j ACCEPT
-A INPUT -s 192.168.139.0/24 -p udp -m conntrack --ctstate NEW -m udp --dport 137 -j ACCEPT
-A INPUT -s 192.168.139.0/24 -p udp -m conntrack --ctstate NEW -m udp --dport 138 -j ACCEPT
-A INPUT -s 192.168.139.0/24 -p tcp -m conntrack --ctstate NEW -m tcp --dport 139 -j ACCEPT
-A INPUT -s 192.168.139.0/24 -p tcp -m conntrack --ctstate NEW -m tcp --dport 445 -j ACCEPT
-A INPUT -s 192.168.136.0/24 -p udp -m conntrack --ctstate NEW -m udp --dport 9091 -j ACCEPT
-A INPUT -s 192.168.139.0/24 -p udp -m conntrack --ctstate NEW -m udp --dport 9091 -j ACCEPT
-A INPUT -s 192.168.136.0/24 -p tcp -m conntrack --ctstate NEW -m tcp --dport 9091 -j ACCEPT
-A INPUT -s 192.168.139.0/24 -p tcp -m conntrack --ctstate NEW -m tcp --dport 9091 -j ACCEPT
-A INPUT -s 192.168.136.0/24 -p udp -m conntrack --ctstate NEW -m udp --dport 51413 -j ACCEPT
-A INPUT -s 192.168.139.0/24 -p udp -m conntrack --ctstate NEW -m udp --dport 51413 -j ACCEPT
-A INPUT -s 192.168.136.0/24 -p tcp -m conntrack --ctstate NEW -m tcp --dport 51413 -j ACCEPT
-A INPUT -s 192.168.139.0/24 -p tcp -m conntrack --ctstate NEW -m tcp --dport 51413 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.136.0/24 -j LOG --log-prefix "IPTABLES LOG: "
-A INPUT -s 192.168.139.0/24 -j LOG --log-prefix "IPTABLES LOG: "
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-53beeff4deff -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-53beeff4deff -j DOCKER
-A FORWARD -i br-53beeff4deff ! -o br-53beeff4deff -j ACCEPT
-A FORWARD -i br-53beeff4deff -o br-53beeff4deff -j ACCEPT
-A DOCKER -d 172.18.0.2/32 ! -i br-53beeff4deff -o br-53beeff4deff -p tcp -m tcp --dport 51413 -j ACCEPT
-A DOCKER -d 172.18.0.2/32 ! -i br-53beeff4deff -o br-53beeff4deff -p tcp -m tcp --dport 9091 -j ACCEPT
-A DOCKER -d 172.18.0.3/32 ! -i br-53beeff4deff -o br-53beeff4deff -p tcp -m tcp --dport 445 -j ACCEPT
-A DOCKER -d 172.18.0.3/32 ! -i br-53beeff4deff -o br-53beeff4deff -p tcp -m tcp --dport 139 -j ACCEPT
-A DOCKER -d 172.18.0.3/32 ! -i br-53beeff4deff -o br-53beeff4deff -p tcp -m tcp --dport 138 -j ACCEPT
-A DOCKER -d 172.18.0.3/32 ! -i br-53beeff4deff -o br-53beeff4deff -p tcp -m tcp --dport 137 -j ACCEPT
-A DOCKER -d 172.18.0.4/32 ! -i br-53beeff4deff -o br-53beeff4deff -p tcp -m tcp --dport 3306 -j ACCEPT
-A DOCKER-ISOLATION -i br-53beeff4deff -o docker0 -j DROP
-A DOCKER-ISOLATION -i docker0 -o br-53beeff4deff -j DROP
-A DOCKER-ISOLATION -j RETURN
-A DOCKER-USER -j RETURN
COMMIT

mfhunruh
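As an added check (not part of the post), a small first-match evaluator for the INPUT chain in iptables-save syntax, run over a subset of the rules quoted above: it reports the verdict a given packet would get from these rules, which is a quick way to confirm what the ruleset itself permits before looking elsewhere. It models only the matches those rules use (-i, -s, -p, --dport, --ctstate), treats LOG as non-terminating, and the function names and sample packets are my own.

```python
"""Toy first-match evaluator for an iptables INPUT chain in iptables-save syntax.
Added example, not from the post: models only -i, -s, -p, --dport and --ctstate,
and the ACCEPT/DROP/REJECT/LOG targets; anything else raises ValueError."""
import ipaddress
import shlex

# Policy line and a representative subset of the INPUT rules quoted in the post.
RULES = """\
:INPUT DROP [2:186]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.136.1/32 -p tcp -m conntrack --ctstate NEW -m tcp --dport 514 -j ACCEPT
-A INPUT -s 192.168.136.0/24 -p tcp -m conntrack --ctstate NEW -m tcp --dport 3306 -j ACCEPT
-A INPUT -s 192.168.139.0/24 -p tcp -m conntrack --ctstate NEW -m tcp --dport 3306 -j ACCEPT
-A INPUT -s 192.168.139.0/24 -p tcp -m conntrack --ctstate NEW -m tcp --dport 9091 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.136.0/24 -j LOG --log-prefix "IPTABLES LOG: "
-A INPUT -s 192.168.139.0/24 -j LOG --log-prefix "IPTABLES LOG: "
"""

TERMINATING = {"ACCEPT", "DROP", "REJECT"}


def parse_rule(tokens):
    """Turn the tokens after '-A <chain>' into a dict of match conditions plus target."""
    rule = {"target": None}
    it = iter(tokens)
    for tok in it:
        if tok == "-i":
            rule["iface"] = next(it)
        elif tok == "-s":
            rule["src"] = ipaddress.ip_network(next(it))
        elif tok == "-p":
            rule["proto"] = next(it)
        elif tok == "--dport":
            rule["dport"] = int(next(it))
        elif tok == "--ctstate":
            rule["ctstate"] = set(next(it).split(","))
        elif tok == "-j":
            rule["target"] = next(it)
        elif tok in ("-m", "--log-prefix"):
            next(it)  # module name / log prefix: no packet condition of its own
        else:
            raise ValueError(f"unsupported token {tok!r}")
    return rule


def parse_chain(dump, chain="INPUT"):
    """Return (policy, [rules]) for one chain of an iptables-save dump."""
    policy, rules = "ACCEPT", []
    for line in dump.splitlines():
        if line.startswith(f":{chain} "):
            policy = line.split()[1]
        elif line.startswith(f"-A {chain} "):
            rules.append(parse_rule(shlex.split(line)[2:]))
    return policy, rules


def matches(rule, pkt):
    """True if every condition present in the rule holds for the packet."""
    if "iface" in rule and rule["iface"] != pkt["iface"]:
        return False
    if "src" in rule and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if "proto" in rule and rule["proto"] != pkt["proto"]:
        return False
    if "dport" in rule and rule["dport"] != pkt.get("dport"):
        return False
    if "ctstate" in rule and pkt["ctstate"] not in rule["ctstate"]:
        return False
    return True


def verdict(dump, pkt, chain="INPUT"):
    """Walk the chain in order: the first terminating match wins, else the chain policy."""
    policy, rules = parse_chain(dump, chain)
    for rule in rules:
        if matches(rule, pkt) and rule["target"] in TERMINATING:
            return rule["target"]
        # LOG (or any other non-terminating target) falls through to the next rule
    return policy


if __name__ == "__main__":
    # Constructed sample packets: interface, source, protocol, destination port, conntrack state
    samples = [
        {"iface": "eth0", "src": "192.168.136.10", "proto": "tcp", "dport": 3306, "ctstate": "NEW"},
        {"iface": "eth0", "src": "10.0.0.5", "proto": "tcp", "dport": 3306, "ctstate": "NEW"},
        {"iface": "eth0", "src": "192.168.139.7", "proto": "tcp", "dport": 80, "ctstate": "NEW"},
        {"iface": "eth0", "src": "8.8.8.8", "proto": "icmp", "ctstate": "NEW"},
    ]
    for pkt in samples:
        print(pkt, "->", verdict(RULES, pkt))
```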

Can't share an SSH SOCKS tunnel with my LAN

Hi all, the subject says it all.

There is a VPS in Europe and a server on RHEL7, on which a tunnel to that VPS is running:

$ ssh -f -C2qTnN -D \*:2003 12.34.56.78
or
$ ssh -f -C2qTnN -D 192.168.1.2:2003 12.34.56.78

iptables is configured:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:cfinger <-- this is port 2003
ACCEPT     udp  --  anywhere             anywhere             ctstate NEW udp dpt:brutus <--/
ACCEPT     udp  --  anywhere             anywhere             ctstate NEW udp dpt:netbios-ns
ACCEPT     udp  --  anywhere             anywhere             ctstate NEW udp dpt:netbios-dgm
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:netbios-ssn
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:microsoft-ds
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy DROP)
target     prot opt source               destination         
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain DOCKER (0 references)
target     prot opt source               destination         

Chain DOCKER-ISOLATION (0 references)
target     prot opt source               destination         

Chain DOCKER-USER (0 references)
target     prot opt source               destination         

$ nmap -sV 192.168.1.2 -p 2003
Starting Nmap 7.60 ( https://nmap.org ) at 2018-01-03 00:21 MSK
Nmap scan report for 192.168.1.2
Host is up (0.0020s latency).

PORT     STATE  SERVICE VERSION
2003/tcp closed finger

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.64 seconds

Firefox is configured and it can't connect(

mfhunruh

How to "enter a password" in a Dockerfile

Hi all, the subject says it all, as if typed on the keyboard

RUN passwd

Output

Enter new UNIX password: Retype new UNIX password: passwd: Authentication token manipulation error
passwd: password unchanged

mfhunruh

SSH tunnel from Mikrotik to a VPS

Hi all! There is a Mikrotik router with VPN and a VPS in Europe. I wanted to bring up an SSH tunnel from the Mikrotik to the VPS so that, once connected to the VPN, I could enter a SOCKS proxy in Firefox and be happy. How do I do this? I couldn't really find anything online.

mfhunruh

Disk encryption in Linux

Hi all!

Many off-topic OSes have a great feature: startup before and after disk encryption looks no different to the eye, no LUKS passwords and the like; the key is your user account.

How can this be done on Linux? I know Ubuntu can do it, but only for the home directory.

mfhunruh

Emerge. Error: circular dependencies

I'm installing gentoo from scratch, set the profile (default/17.0/desktop), updating world, and then:

* Error: circular dependencies:

(app-portage/elt-patches-20170815:0/0::gentoo, ebuild scheduled for merge) depends on
 (app-arch/xz-utils-5.2.3:0/0::gentoo, ebuild scheduled for merge) (buildtime)
  (app-portage/elt-patches-20170815:0/0::gentoo, ebuild scheduled for merge) (buildtime)

 * Note that circular dependencies can often be avoided by temporarily
 * disabling USE flags that trigger optional dependencies.

emerge --info

Portage 2.3.13 (python 3.5.4-final-0, default/linux/x86/17.0/desktop, gcc-6.4.0, unavailable, 4.9.16-gentoo i686)
=================================================================
System uname: Linux-4.9.16-gentoo-i686-Intel-R-_Core-TM-_i5-5250U_CPU_@_1.60GHz-with-gentoo-2.4.1
KiB Mem:      885708 total,    125884 free
KiB Swap:     524284 total,    524244 free
Timestamp of repository gentoo: Mon, 18 Dec 2017 08:00:01 +0000
Head commit of repository gentoo: 2cf2a65b9b897719ba0c3b376e85254146a1dc8f
sh bash
ld GNU ld (Gentoo 2.29.1 p3) 2.29.1
Repositories:

gentoo
    location: /usr/portage
    sync-type: rsync
    sync-uri: rsync://rsync.gentoo.org/gentoo-portage
    priority: -1000
    sync-rsync-extra-opts: 

ACCEPT_KEYWORDS="x86"
ACCEPT_LICENSE="* -@EULA"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-Os -march=pentium3 -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/gentoo-release /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-Os -march=pentium3 -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -march=i686 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync multilib-strict news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -march=i686 -pipe"
GENTOO_MIRRORS="http://mirror.yandex.ru/gentoo-distfiles/"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
USE="X a52 aac acl acpi alsa berkdb bluetooth branding bzip2 cairo cdda cdr cli consolekit cracklib crypt cups cxx dbus djvu dri dts emboss encode exif fam ffmpeg firefox flac fontconfig fortran gdbm gif glamor gtk iconv jpeg lcms ldap libnotify lm_sensors mad matroska mng modules mp3 mp4 mpeg mplayer mtp ncurses nls nptl ogg opengl openmp pam pango pcre pdf pm-utils png policykit ppds qt3support qt5 raw readline sdl seccomp session spell ssl startup-notification svg tcpd tiff truetype udev udisks unicode upower usb vorbis wifi wxwidgets x264 x86 xattr xcb xft xml xmp xv xvid zlib zsh-completion" ABI_X86="32" ALSA_CARDS="emu10k1" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="mmx mmxext sse" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="evdev" KERNEL="linux" L10N="ru" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="ru_RU ru" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-6 php7-0" POSTGRES_TARGETS="postgres9_5" PYTHON_SINGLE_TARGET="python3_5" PYTHON_TARGETS="python2_7 python3_5" RUBY_TARGETS="ruby22" SANE_BACKENDS="xerox_mfp" USERLAND="GNU" 
VIDEO_CARDS="radeon" XFCE_PLUGINS="clock trash power" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CC, CPPFLAGS, CTARGET, CXX, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

What am I doing wrong?

mfhunruh

Squid doesn't open blocked sites

Hi all. The subject says it all. Help me out. I rent a server in the Czech Republic, squid works, the IP changes, but on rutracker.org, for example, I still get the RKN (Roskomnadzor) block

squid.conf

http_port 3128
https_port 3129 intercept ssl-bump options=ALL:NO_SSLv3:NO_SSLv2 generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/etc/squid/ssl_$

dns_nameservers 8.8.8.8

auth_param basic program /usr/local/libexec/squid/basic_ncsa_auth /usr/local/etc/squid/passwd
auth_param basic children 1
auth_param basic realm Welcome to mfhunruh's proxy server!
auth_param basic credentialsttl 2 hours

always_direct allow all
ssl_bump client-first all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /usr/local/var/squid/lib/ssl_db -M 16MB

acl all src all
acl users proxy_auth REQUIRED

acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl SSL_ports port 19055 # torrent
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT

acl purge method PURGE
acl CONNECT method CONNECT

http_access allow users

http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
icp_access deny all

forwarded_for off
request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access All deny all

cache_mem 256 MB
cache_dir ufs /usr/local/var/squid/cache 14448 16 256
shutdown_lifetime 5 seconds

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

access_log none all
cache_store_log none

visible_hostname hostname

redirect_program /usr/local/bin/squidGuard -c /usr/local/etc/squid/squidGuard.conf
redirect_children 3

mfhunruh

SQUID FATAL: The ssl_crtd helpers are crashing too rapidly, need help!

The subject says it all. I'm trying to set up an HTTPS proxy

uname -a

FreeBSD bsdfsqd 11.1-RELEASE-p1 FreeBSD 11.1-RELEASE-p1 #0: Wed Aug  9 11:55:48 UTC 2017     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64

squid -v

Squid Cache: Version 3.5.27
Service Name: squid

This binary uses OpenSSL 1.0.1s-freebsd  1 Mar 2016. For legal restrictions on distribution see https://www.openssl.org/source/license.html

configure options:  '--with-default-user=squid' '--bindir=/usr/local/sbin' '--sbindir=/usr/local/sbin' '--datadir=/usr/local/etc/squid' '--libexecdir=/usr/local/libexec/squid' '--localstatedir=/var' '--sysconfdir=/usr/local/etc/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid/squid.pid' '--with-swapdir=/var/squid/cache' '--without-gnutls' '--enable-auth' '--enable-zph-qos' '--enable-build-info' '--enable-loadable-modules' '--enable-removal-policies=lru heap' '--disable-epoll' '--disable-linux-netfilter' '--disable-linux-tproxy' '--disable-translation' '--disable-arch-native' '--enable-eui' '--enable-cache-digests' '--enable-delay-pools' '--disable-ecap' '--disable-esi' '--enable-follow-x-forwarded-for' '--enable-htcp' '--enable-icap-client' '--enable-icmp' '--enable-ident-lookups' '--enable-ipv6' '--enable-kqueue' '--with-large-files' '--enable-http-violations' '--without-nettle' '--enable-snmp' '--enable-ssl' '--with-openssl=/usr' 'LIBOPENSSL_CFLAGS=-I/usr/include' 'LIBOPENSSL_LIBS=-lcrypto -lssl' '--enable-ssl-crtd' '--disable-stacktraces' '--enable-forw-via-db' '--enable-wccp' '--enable-wccpv2' '--with-heimdal-krb5=/usr' 'CFLAGS=-I/usr/include -O2 -pipe  -fstack-protector -fno-strict-aliasing' 'LDFLAGS=-L/usr/lib  -pthread  -fstack-protector' 'LIBS=-lkrb5 -lgssapi -lgssapi_krb5 ' 'KRB5CONFIG=/usr/bin/krb5-config' '--disable-ipf-transparent' '--enable-ipfw-transparent' '--disable-pf-transparent' '--without-nat-devpf' '--enable-auth-basic=DB SMB_LM MSNT-multi-domain NCSA PAM POP3 RADIUS fake getpwnam NIS' '--enable-auth-digest=file' '--enable-external-acl-helpers=file_userip time_quota unix_group' '--enable-auth-negotiate=kerberos wrapper' '--enable-auth-ntlm=fake smb_lm' '--enable-storeio=aufs diskd rock ufs' '--enable-disk-io=DiskThreads DiskDaemon AIO Blocking IpcIo Mmapped' '--enable-log-daemon-helpers=file' '--enable-url-rewrite-helpers=fake' '--enable-storeid-rewrite-helpers=file' '--prefix=/usr/local' '--mandir=/usr/local/man' 
'--disable-silent-rules' '--infodir=/usr/local/info/' '--build=amd64-portbld-freebsd10.3' 'build_alias=amd64-portbld-freebsd10.3' 'CC=cc' 'CPPFLAGS=' 'CXX=c++' 'CXXFLAGS=-O2 -pipe -fstack-protector -fno-strict-aliasing  -Wno-unknown-warning-option -Wno-undefined-bool-conversion -Wno-tautological-undefined-compare -Wno-dynamic-class-memaccess' 'CPP=cpp' --enable-ltdl-convenience

What I do:

# mkdir /usr/local/etc/squid/ssl_cert
# chown -R squid:squid /usr/local/etc/squid/ssl_cert
# cd /usr/local/etc/squid/ssl_cert
# openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions v3_ca -keyout proxyCA.pem  -out proxyCA.pem
# openssl x509 -in proxyCA.pem -outform DER -out proxyCA.der
# mkdir -p /usr/local/var/squid/lib/ssl_db
# chown -R squid:squid /usr/local/var/squid/lib/ssl_db
# /usr/local/libexec/squid/ssl_crtd -c -s /usr/local/var/squid/lib/ssl_db

What I get:

2017/11/14 08:41:41 kid1| WARNING: (B) '::/0' is a subnetwork of (A) '::/0'
2017/11/14 08:41:41 kid1| WARNING: because of this '::/0' is ignored to keep splay tree searching predictable
2017/11/14 08:41:41 kid1| WARNING: You should probably remove '::/0' from the ACL named 'all'
2017/11/14 08:41:41 kid1| Current Directory is /usr/home/user
2017/11/14 08:41:41 kid1| Starting Squid Cache version 3.5.27 for amd64-portbld-freebsd10.3...
2017/11/14 08:41:41 kid1| Service Name: squid
2017/11/14 08:41:41 kid1| Process ID 1757
2017/11/14 08:41:41 kid1| Process Roles: worker
2017/11/14 08:41:41 kid1| With 28467 file descriptors available
2017/11/14 08:41:41 kid1| Initializing IP Cache...
2017/11/14 08:41:41 kid1| ipcacheAddEntryFromHosts: Bad IP address 'AD'
2017/11/14 08:41:41 kid1| DNS Socket created at [::], FD 6
2017/11/14 08:41:41 kid1| DNS Socket created at 0.0.0.0, FD 7
2017/11/14 08:41:41 kid1| Adding nameserver 62.149.128.4 from /etc/resolv.conf
2017/11/14 08:41:41 kid1| Adding nameserver 62.149.132.4 from /etc/resolv.conf
2017/11/14 08:41:41 kid1| helperOpenServers: Starting 5/32 'ssl_crtd' processes
2017/11/14 08:41:41 kid1| helperOpenServers: Starting 0/3 'squidGuard' processes
2017/11/14 08:41:41 kid1| helperOpenServers: No 'squidGuard' processes needed.
2017/11/14 08:41:41 kid1| helperOpenServers: Starting 0/1 'basic_ncsa_auth' processes
2017/11/14 08:41:41 kid1| helperOpenServers: No 'basic_ncsa_auth' processes needed.
2017/11/14 08:41:41 kid1| Unlinkd pipe opened on FD 23
2017/11/14 08:41:41 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2017/11/14 08:41:41 kid1| Store logging disabled
2017/11/14 08:41:41 kid1| Swap maxSize 14794752 + 262144 KB, estimated 1158222 objects
2017/11/14 08:41:41 kid1| Target number of buckets: 57911
2017/11/14 08:41:41 kid1| Using 65536 Store buckets
2017/11/14 08:41:41 kid1| Max Mem  size: 262144 KB
2017/11/14 08:41:41 kid1| Max Swap size: 14794752 KB
2017/11/14 08:41:41 kid1| Rebuilding storage in /usr/local/var/squid/cache (clean log)
2017/11/14 08:41:41 kid1| Using Least Load store dir selection
2017/11/14 08:41:41 kid1| Current Directory is /usr/home/user
2017/11/14 08:41:41 kid1| Finished loading MIME types and icons.
2017/11/14 08:41:41 kid1| HTCP Disabled.
2017/11/14 08:41:41 kid1| Pinger socket opened on FD 29
2017/11/14 08:41:41 kid1| Squid plugin modules loaded: 0
2017/11/14 08:41:41 kid1| Adaptation support is off.
2017/11/14 08:41:41 kid1| Accepting HTTP Socket connections at local=[::]:2002 remote=[::] FD 26 flags=9
2017/11/14 08:41:41 kid1| Accepting NAT intercepted SSL bumped HTTPS Socket connections at local=[::]:2003 remote=[::] FD 27 flags=41
2017/11/14 08:41:41 kid1| Done reading /usr/local/var/squid/cache swaplog (561 entries)
2017/11/14 08:41:41 kid1| Finished rebuilding storage from disk.
2017/11/14 08:41:41 kid1|       561 Entries scanned
2017/11/14 08:41:41 kid1|         0 Invalid entries.
2017/11/14 08:41:41 kid1|         0 With invalid flags.
2017/11/14 08:41:41 kid1|       561 Objects loaded.
2017/11/14 08:41:41 kid1|         0 Objects expired.
2017/11/14 08:41:41 kid1|         0 Objects cancelled.
2017/11/14 08:41:41 kid1|         0 Duplicate URLs purged.
2017/11/14 08:41:41 kid1|         0 Swapfile clashes avoided.
2017/11/14 08:41:41 kid1|   Took 0.04 seconds (15756.66 objects/sec).
2017/11/14 08:41:41 kid1| Beginning Validation Procedure
2017/11/14 08:41:41 kid1|   Completed Validation Procedure
2017/11/14 08:41:41 kid1|   Validated 561 Entries
2017/11/14 08:41:41 kid1|   store_swap_size = 7011.00 KB
2017/11/14 08:41:41 kid1| WARNING: ssl_crtd #Hlpr1 exited
2017/11/14 08:41:41 kid1| Too few ssl_crtd processes are running (need 1/32)
2017/11/14 08:41:41 kid1| Closing HTTP port [::]:2002
2017/11/14 08:41:41 kid1| Closing HTTPS port [::]:2003
2017/11/14 08:41:41 kid1| storeDirWriteCleanLogs: Starting...
2017/11/14 08:41:41 kid1|   Finished.  Wrote 561 entries.
2017/11/14 08:41:41 kid1|   Took 0.00 seconds (1575842.70 entries/sec).
FATAL: The ssl_crtd helpers are crashing too rapidly, need help!

2017/11/14 08:41:41 kid1| Closing Pinger socket on FD 29

squid.conf

http_port 2002
https_port 2003 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/etc/squid/ssl_cert/proxyCA.pem key=/usr/locar/local/etc/squid/ssl_cert/proxyCA.pem

auth_param basic program /usr/local/libexec/squid/basic_ncsa_auth /usr/local/etc/squid/passwd
auth_param basic children 1
auth_param basic realm Welcome to mfhunruh's proxy server!
auth_param basic credentialsttl 2 hours

always_direct allow all
ssl_bump client-first all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /usr/local/var/squid/lib/ssl_db -M 16MB

acl all src all
acl users proxy_auth REQUIRED

acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl SSL_ports port 19055 # torrent
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT

acl purge method PURGE
acl CONNECT method CONNECT
                                                                      
http_access allow users

http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
icp_access deny all

forwarded_for off
request_header_access From deny all
request_header_access Server deny all
request_header_access User-Agent deny all
request_header_access WWW-Authenticate deny all
request_header_access Link deny all
request_header_access X-Forwarded-For deny all
request_header_access Via deny all
request_header_access Cache-Control deny all

cache_mem 256 MB
cache_dir ufs /usr/local/var/squid/cache 14448 16 256
shutdown_lifetime 5 seconds

access_log none all
cache_store_log none

visible_hostname bsdfsqd.mfhunruh.com

redirect_program /usr/local/bin/squidGuard -c /usr/local/etc/squid/squidGuard.conf
redirect_children 3

Please help!


mfhunruh
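Added example, not code from the post: a small Python triage script that parses the helper-related cache.log lines above into per-helper evidence (exits, shortfall, fatal) and pulls the ssl_db path out of the sslcrtd_program line, so the same check can be run over a full log. The check it recommends, initialising the certificate database with ssl_crtd -c before Squid starts, is a general ssl_crtd prerequisite and is not something the post itself confirms as the cause.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
# A cache.log line is "YYYY/MM/DD HH:MM:SS kidN| message"; the closing FATAL line has no prefix.
LINE_RE = re.compile(r"^\S+ \S+ kid\d+\| (.*)$")
HELPER_EXIT_RE = re.compile(r"WARNING: (\S+) #Hlpr(\d+) exited")
TOO_FEW_RE = re.compile(r"Too few (\S+) processes are running \(need (\d+)/(\d+)\)")
FATAL_RE = re.compile(r"^FATAL: The (\S+) helpers are crashing too rapidly")

@dataclass
class HelperStatus:
    exits: list = field(default_factory=list)  # helper slot numbers seen exiting
    need: str = ""       # "needed/maximum" from the "Too few ..." warning
    fatal: bool = False  # Squid gave up and shut down

def triage_helpers(log_text: str) -> dict:
    """Collect per-helper crash evidence (exits, shortfall, fatal) from cache.log text."""
    status = defaultdict(HelperStatus)
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        msg = m.group(1) if m else raw
        e, t, f = HELPER_EXIT_RE.search(msg), TOO_FEW_RE.search(msg), FATAL_RE.match(msg)
        if e:
            status[e.group(1)].exits.append(int(e.group(2)))
        elif t:
            status[t.group(1)].need = f"{t.group(2)}/{t.group(3)}"
        elif f:
            status[f.group(1)].fatal = True
    return dict(status)

def sslcrtd_db_path(conf_text: str) -> str:
    """Return the '-s <dir>' argument of sslcrtd_program in squid.conf, or '' if absent."""
    for line in conf_text.splitlines():
        args = line.split()
        if args and args[0] == "sslcrtd_program" and "-s" in args[:-1]:
            return args[args.index("-s") + 1]
    return ""

def findings(log_text: str, conf_text: str) -> list:
    """Triage summary: which helper is looping and what to check first."""
    out = []
    for helper, st in triage_helpers(log_text).items():
        state = "FATAL restart loop" if st.fatal else "degraded"
        out.append(f"{helper}: {len(st.exits)} exit(s), shortfall {st.need or '?'}, {state}")
    db = sslcrtd_db_path(conf_text)
    if db:  # a database never initialised, or not writable by squid, makes ssl_crtd exit at once
        out.append(f"verify {db} was created with 'ssl_crtd -c -s {db}' and is writable by squid")
    return out

# Constructed sample: the helper-related lines from the post's cache.log and squid.conf.
SAMPLE_LOG = """2017/11/14 08:41:41 kid1| WARNING: ssl_crtd #Hlpr1 exited
2017/11/14 08:41:41 kid1| Too few ssl_crtd processes are running (need 1/32)
FATAL: The ssl_crtd helpers are crashing too rapidly, need help!"""
SAMPLE_CONF = "sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /usr/local/var/squid/lib/ssl_db -M 16MB"
```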

Error building the AOSP 8.0.0 kernel for kenzo

I am building AOSP 8.0.0 for the Xiaomi Redmi Note 3 Pro.

The build fails with:

FAILED: out/target/product/kenzo/obj/KERNEL_OBJ/usr
/bin/bash -c "(if [ ! -z "kenzo_defconfig" ]; then rm -f ../out/target/product/kenzo/obj/KERNEL_OBJ/.config; make -j1 -C kernel O=../out/target/product/kenzo/obj/KERNEL_OBJ ARCH=arm64 CROSS_COMPILE=aarch64-linux-android- kenzo_defconfig; make -j1 -C kernel O=../out/target/product/kenzo/obj/KERNEL_OBJ ARCH=arm64 CROSS_COMPILE=aarch64-linux-android- headers_install; fi ) && (if [ "kenzo_defconfig" != "kenzo_defconfig" ]; then echo "Used a different defconfig for header generation"; rm -f ../out/target/product/kenzo/obj/KERNEL_OBJ/.config; make -j1 -C kernel O=../out/target/product/kenzo/obj/KERNEL_OBJ ARCH=arm64 CROSS_COMPILE=aarch64-linux-android- kenzo_defconfig; fi ) && (if [ ! -z "" ]; then echo "Overriding kernel config with ''"; echo >> out/target/product/kenzo/obj/KERNEL_OBJ/.config; make -j1 -C kernel O=../out/target/product/kenzo/obj/KERNEL_OBJ ARCH=arm64 CROSS_COMPILE=aarch64-linux-android- oldconfig; fi )"
ninja: build stopped: subcommand failed.
13:55:02 ninja failed with: exit status 1
build/core/main.mk:21: recipe for target 'run_soong_ui' failed
make: *** [run_soong_ui] Error 1

What is wrong here?

Here is the .mk file itself on which the error occurs.

Help!


mfhunruh

White spot on a 13" MacBook Air 2015

Could you please advise: I recently noticed a small white spot (you may not be able to make it out in the photo, look at an angle) at the bottom of the display of the laptop in question, visible only on a white background. What is it? Is the offtopic OS showing through? Can it be fixed by hand somehow?


mfhunruh

How to get rid of the squid output that appears in place of blocked ad banners

I set up a squid server for myself and banned the ads, but now instead of the ads I get «ОШИБКА Запрошенный URL не может быть получен». How do I make that disappear entirely?

Screenshot attached.


mfhunruh
