Categories
Misc

Linus on mRNA

Please keep your insane and technically incorrect anti-vax comments to yourself.

You don't know what you are talking about, you don't know what mRNA
is, and you're spreading idiotic lies. Maybe you do so unwittingly,
because of bad education. Maybe you do so because you've talked to
"experts" or watched youtube videos by charlatans that don't know what
they are talking about.

But dammit, regardless of where you have gotten your mis-information
from, any Linux kernel discussion list isn't going to have your
idiotic drivel pass uncontested from me.

Vaccines have saved the lives of literally tens of millions of people.

Just for your edification in case you are actually willing to be
educated: mRNA doesn't change your genetic sequence in any way. It is
the exact same intermediate - and temporary - kind of material that
your cells generate internally all the time as part of your normal
cell processes, and all that the mRNA vaccines do is to add a dose
their own specialized sequence that then makes your normal cell
machinery generate that spike protein so that your body learns how to
recognize it.

The half-life of mRNA is a few hours. Any injected mRNA will be all
gone from your body in a day or two. It doesn't change anything
long-term, except for that natural "your body now knows how to
recognize and fight off a new foreign protein" (which then tends to
fade over time too, but lasts a lot longer than a few days). And yes,
while your body learns to fight off that foreign material, you may
feel like shit for a while. That's normal, and it's your natural
response to your cells spending resources on learning how to deal with
the new threat.

And of the vaccines, the mRNA ones are the most modern, and the most
targeted - exactly because they do *not* need to have any of the other
genetic material that you traditionally have in a vaccine (ie no need
for basically the whole - if weakened - bacterial or virus genetic
material). So the mRNA vaccines actually have *less* of that foreign
material in them than traditional vaccines do. And  a *lot* less than
the very real and actual COVID-19 virus that is spreading in your
neighborhood.

Honestly, anybody who has told you differently, and who has told you
that it changes your genetic material, is simply uneducated.  You need
to stop believing the anti-vax lies, and you need to start protecting
your family and the people around you.  Get vaccinated.

I think you are in Germany, and COVID-19 numbers are going down. It's
spreading a lot less these days, largely because people around you
have started getting the vaccine - about half having gotten their
first dose around you, and about a quarter being fully vaccinated. If
you and your family are more protected these days, it's because of all
those other people who made the right choice, but it's worth noting
that as you see the disease numbers go down in your neighborhood,
those diminishing numbers are going to predominantly be about people
like you and your family.

So don't feel all warm and fuzzy about the fact that covid cases have
dropped a lot around you. Yes, all those vaccinated people around you
will protect you too, but if there is another wave, possibly due to a
more transmissible version - you and your family will be at _much_
higher risk than those vaccinated people because of your ignorance and
mis-information.

Get vaccinated. Stop believing the anti-vax lies.

And if you insist on believing in the crazy conspiracy theories, at
least SHUT THE HELL UP about it on Linux kernel discussion lists.

                Linus

Source.

Categories
Errors Linux Networking

Linux gateway/router + unable to access certain (HTTPS) sites

I’ve had an issue for a while, being unable to access certain websites such as https://fon.com, but also certain parts of the Apple, Fortis and Microsoft site, while other (https) websites worked fine.

Running Wireshark I found that only about 5ish packets got transferred, and all other data to that website abruptly stopped.

I’m using ADSL (EDPnet), which has an MTU of 1492, however, I was able to access all websites from the router (using lynx, for example), but not from any other PC within the network.

# ifconfig ppp0
ppp0      Link encap:Point-to-Point Protocol
inet addr:85.234.196.57  P-t-P:85.234.196.1  Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492 Metric:1
RX packets:38804442 errors:0 dropped:0 overruns:0 frame:0
TX packets:28930886 errors:0 dropped:5020 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:45941523311 (42.7 GiB)  TX bytes:2887926670 (2.6 GiB)

As it had worked before without any issues, I was more thinking about a kernel problem (or a module of it), however, stripping down unnecessary modules and updating my kernel a few times didn’t resolve the issue. I even booted an old kernel I had still lying around from when I could access the websites. However, all these attempts were in vain.

Thinking it might have been a firewall issue, I flushed all my iptables rules, and started over from scratch. However, this too didn’t solve my issue.

When I VPN’ed or used my Macbook Pro directly as PPPoE device (by-passing the Gentoo router) I was able to access all the websites as well.

After being close to giving up, I found the following iptables rule:

iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu -t mangle

And try again.

This did solve my issue. 🙂

This is because the default 100mbit MTU is 1500, instead of 1492 for PPPoE.

http://www.edpnet.be/
Categories
Hardware Misc Networking Software www

MRTG

As I often have people asking for the files I use to make my pretty MRTG graphs; I’ll publish them here.

Here are some examples:

ZeroOneFourvm1Sauron

The config files:

Sauron (including Squid stats),

Zero (including fan stats).

List of files included:

  • indexmaker; simple script (included with MRTG) to generate a simple index file with all the graphs
  • snmp-if.sh; will show you the IDs of the interfaces on the server/pc. These IDs have to be edited in the mrtg.cfg file; e.g.:

Target[eth0]: 2:public@localhost:

Make sure 2 is indeed the ID of eth0. Be aware that virtual interfaces, like the TUN/TAP interfaces (using by openVPN for example), can change ID each time they are restarted/rebooted.

  • mrtg.cfg; check the config file as an example.
  • mrtg-<xyz>.sh; bunch of files to generate some data. Not all of  those still work, but I haven’t deleted them yet in case. See the config to check those I’m using.
  • mrtg._1 and mrtg.ok can be deleted/ignores. Those files are generated by MRTG and I was to lazy to remove them. 🙁

  • Some day, I’ll write a decent howto, but for now, you’ll have to do with this.

    If there’s any question, just leave a comment.

    Categories
    Apple Linux Networking

    OpenVPN Linux + Mac howto

    A short howto, as I was unable to find any clear ones on the net.

    I’m using Mac OS X (Leopard) as client, and a Gentoo server as server/host.

    I both tried Viscosity and Tunnelblick on my Mac as OpenVPN software, and Viscosity is probably somewhat easier to configure (using the GUI), it was shareware. So I ended up using Tunnelblick and it seems to be doing its job quite well.

    First of all, make sure Gentoo is set up and working as intended. I used my home router as VPN server (having both eth0 and eth1 (= ppp0).

    Using this howto, you’ll be able to get the server up and running.

    Besides the installation, and perhaps (config) file locations it should be pretty similar on other Linux distros.

    As I have dnsmasq running on my server (taking care of DNS) I added the following to the server.conf:

    push "dhcp-option DNS 10.0.0.1"
    push "redirect-gateway def1"
    client-config-dir ccd
    route 10.20.30.0 255.255.255.252

    Don’t forget to allow DNS requests over tun0 interface in dnsmasq.conf.

    The first line tells the server to hand out 10.0.0.1 as DNS server to its connecting clients (10.0.0.1 being the internal eth0 IP of my server).

    The 2nd line, tells all clients to route ALL of their traffic through the VPN. I used the VPN to access a website that allowed only Belgian IPs, and I was in The Netherlands at the time I had to access the site (Skynet’s Rock Werchter stream). So I connected through my server at home.

    And the 3rd and 4th line are needed if the client access the VPN is on a private IP subnet (like being connected on a WiFi router, using IP 192.168.178.x).

    You’ll have to add, in the client-config directory a file per username connecting to the VPN with something similar to this:

    iroute 192.168.178.0 255.255.255.0

    I’m not entirely sure if you can add multiple iroutes; something I’ll have to figure out when being on a different network.

    This is what my client config looks like (vpn-server-name.conf, located in ~/Library/openvpn/):

    client
    dev tun
    proto udp
    remote home.tiete.be 9000
    resolv-retry infinite
    nobind
    tun-mtu 1500
    tun-mtu-extra 32
    mssfix 1200
    persist-key
    persist-tun
    ca "ca.crt"
    cert "yeri.crt"
    key "yeri.key"
    tls-auth "ta.key" 1
    comp-lzo
    verb 3

    Yeri being my username. Don’t forget to download and add the ca.crt, user.crt, user.key (located in /usr/share/openvpn/easy-rsa/keys/) and ta.key (located in /etc/openvpn/) you’ve created on the server.

    If your client asks for “directions”, pick 1.

    Start up server and client software.

    Hitting connect in Tunnelblick should connect you to the VPN server, and (in my case) giving me an IP similar to 10.20.30.6. You can check this using “ifconfig” in Terminal.

    Client:

    tun0: flags=8851 mtu 1500
        inet 10.20.30.6 --> 10.20.30.5 netmask 0xffffffff
        open (pid 20551)

    Server:

    tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
    inet addr:10.20.30.1  P-t-P:10.20.30.2  Mask:255.255.255.255
    UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
    RX packets:407595 errors:0 dropped:0 overruns:0 frame:0
    TX packets:574351 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:100
    RX bytes:27473209 (26.2 MiB)  TX bytes:603524377 (575.5 MiB)

    Don’t forget; when using “tun” as driver, your gateway/VPN server will always have the IP ending on .1 (e.g.: 10.20.30.1).

    Now, if you want to route all traffic throug the VPN, like I did, you’ll have to change some stuff in iptables (as the server is also acting as my home router, I already did have a few rules in it).

    Allow all traffic through tun0 interface:

    iptables -A OUTPUT -o tun0 -j ACCEPT
    iptables -A INPUT -i tun0 -j ACCEPT

    Allow traffic through the external port 9000 (UDP):

    iptables -A INPUT -i ppp0 -p udp -m udp --dport 9000 -j ACCEPT

    Enable forwarding and NAT:

    iptables -A FORWARD -s 10.20.30.0/24 -i tun0 -j ACCEPT
    iptables -A FORWARD -d 10.20.30.0/24 -i ppp0 -j ACCEPT
    iptables -A POSTROUTING -o ppp0 -j MASQUERADE

    And lastly, as I have Squid running on my server, I want to transparently forward all port 80 requests to the Squid server running on port 8080:

    iptables -t nat -A PREROUTING -i tun0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080

    That’s about it. You should have a running VPN from your current location to your VPN server. And you’re able to use it as a gateway.

    You can always traceroute/tracepath to your VPN server (10.20.30.1). It should only find one hop.

    Categories
    Errors Linux

    Multiple Memory Access Vulnerabilities Linux Kernel

    Well, it had to happen…

    Yesterday evening two of our linux boxes were exploited.
    I had to try it out for myself; and yes, it really does work. 😐
    Booted up my Ubuntu in Parallels, installed build-essential & ran that program!

    1
    2
    3
    
    sudo apt-get install build-essential
    gcc what-ever-the-file-name-is.c
    ./a.out

    This is what it looks like:

    Kernel exploit

    My-oh-my…
    I’m pretty sure this doesn’t require any more explanations 😉