Please keep your insane and technically incorrect anti-vax comments to yourself. You don't know what you are talking about, you don't know what mRNA is, and you're spreading idiotic lies. Maybe you do so unwittingly, because of bad education. Maybe you do so because you've talked to "experts" or watched youtube videos by charlatans that don't know what they are talking about. But dammit, regardless of where you have gotten your mis-information from, any Linux kernel discussion list isn't going to have your idiotic drivel pass uncontested from me. Vaccines have saved the lives of literally tens of millions of people. Just for your edification in case you are actually willing to be educated: mRNA doesn't change your genetic sequence in any way. It is the exact same intermediate - and temporary - kind of material that your cells generate internally all the time as part of your normal cell processes, and all that the mRNA vaccines do is to add a dose their own specialized sequence that then makes your normal cell machinery generate that spike protein so that your body learns how to recognize it. The half-life of mRNA is a few hours. Any injected mRNA will be all gone from your body in a day or two. It doesn't change anything long-term, except for that natural "your body now knows how to recognize and fight off a new foreign protein" (which then tends to fade over time too, but lasts a lot longer than a few days). And yes, while your body learns to fight off that foreign material, you may feel like shit for a while. That's normal, and it's your natural response to your cells spending resources on learning how to deal with the new threat. And of the vaccines, the mRNA ones are the most modern, and the most targeted - exactly because they do *not* need to have any of the other genetic material that you traditionally have in a vaccine (ie no need for basically the whole - if weakened - bacterial or virus genetic material). So the mRNA vaccines actually have *less* of that foreign material in them than traditional vaccines do. And a *lot* less than the very real and actual COVID-19 virus that is spreading in your neighborhood. Honestly, anybody who has told you differently, and who has told you that it changes your genetic material, is simply uneducated. You need to stop believing the anti-vax lies, and you need to start protecting your family and the people around you. Get vaccinated. I think you are in Germany, and COVID-19 numbers are going down. It's spreading a lot less these days, largely because people around you have started getting the vaccine - about half having gotten their first dose around you, and about a quarter being fully vaccinated. If you and your family are more protected these days, it's because of all those other people who made the right choice, but it's worth noting that as you see the disease numbers go down in your neighborhood, those diminishing numbers are going to predominantly be about people like you and your family. So don't feel all warm and fuzzy about the fact that covid cases have dropped a lot around you. Yes, all those vaccinated people around you will protect you too, but if there is another wave, possibly due to a more transmissible version - you and your family will be at _much_ higher risk than those vaccinated people because of your ignorance and mis-information. Get vaccinated. Stop believing the anti-vax lies. And if you insist on believing in the crazy conspiracy theories, at least SHUT THE HELL UP about it on Linux kernel discussion lists. Linus
Tag: Linux
I’ve had an issue for a while, being unable to access certain websites such as https://fon.com, but also certain parts of the Apple, Fortis and Microsoft site, while other (https) websites worked fine.
Running Wireshark I found that only about 5ish packets got transferred, and all other data to that website abruptly stopped.
I’m using ADSL (EDPnet), which has an MTU of 1492, however, I was able to access all websites from the router (using lynx, for example), but not from any other PC within the network.
# ifconfig ppp0 ppp0 Link encap:Point-to-Point Protocol inet addr:85.234.196.57 P-t-P:85.234.196.1 Mask:255.255.255.255 UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1 RX packets:38804442 errors:0 dropped:0 overruns:0 frame:0 TX packets:28930886 errors:0 dropped:5020 overruns:0 carrier:0 collisions:0 txqueuelen:3 RX bytes:45941523311 (42.7 GiB) TX bytes:2887926670 (2.6 GiB)
As it had worked before without any issues, I was more thinking about a kernel problem (or a module of it), however, stripping down unnecessary modules and updating my kernel a few times didn’t resolve the issue. I even booted an old kernel I had still lying around from when I could access the websites. However, all these attempts were in vain.
Thinking it might have been a firewall issue, I flushed all my iptables rules, and started over from scratch. However, this too didn’t solve my issue.
When I VPN’ed or used my Macbook Pro directly as PPPoE device (by-passing the Gentoo router) I was able to access all the websites as well.
After being close to giving up, I found the following iptables rule:
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu -t mangle
And try again.
This did solve my issue. 🙂
This is because the default 100mbit MTU is 1500, instead of 1492 for PPPoE.
As I often have people asking for the files I use to make my pretty MRTG graphs; I’ll publish them here.
Here are some examples:
Zero – One – Four – vm1 – Sauron
The config files:
Sauron (including Squid stats),
Zero (including fan stats).
List of files included:
- indexmaker; simple script (included with MRTG) to generate a simple index file with all the graphs
- snmp-if.sh; will show you the IDs of the interfaces on the server/pc. These IDs have to be edited in the mrtg.cfg file; e.g.:
Target[eth0]: 2:public@localhost:
Make sure 2 is indeed the ID of eth0. Be aware that virtual interfaces, like the TUN/TAP interfaces (using by openVPN for example), can change ID each time they are restarted/rebooted.
- mrtg.cfg; check the config file as an example.
mrtg._1 and mrtg.ok can be deleted/ignores. Those files are generated by MRTG and I was to lazy to remove them. 🙁
Some day, I’ll write a decent howto, but for now, you’ll have to do with this.
If there’s any question, just leave a comment.
OpenVPN Linux + Mac howto
A short howto, as I was unable to find any clear ones on the net.
I’m using Mac OS X (Leopard) as client, and a Gentoo server as server/host.
I both tried Viscosity and Tunnelblick on my Mac as OpenVPN software, and Viscosity is probably somewhat easier to configure (using the GUI), it was shareware. So I ended up using Tunnelblick and it seems to be doing its job quite well.
First of all, make sure Gentoo is set up and working as intended. I used my home router as VPN server (having both eth0 and eth1 (= ppp0).
Using this howto, you’ll be able to get the server up and running.
Besides the installation, and perhaps (config) file locations it should be pretty similar on other Linux distros.
As I have dnsmasq running on my server (taking care of DNS) I added the following to the server.conf:
push "dhcp-option DNS 10.0.0.1" push "redirect-gateway def1" client-config-dir ccd route 10.20.30.0 255.255.255.252 |
Don’t forget to allow DNS requests over tun0 interface in dnsmasq.conf.
The first line tells the server to hand out 10.0.0.1 as DNS server to its connecting clients (10.0.0.1 being the internal eth0 IP of my server).
The 2nd line, tells all clients to route ALL of their traffic through the VPN. I used the VPN to access a website that allowed only Belgian IPs, and I was in The Netherlands at the time I had to access the site (Skynet’s Rock Werchter stream). So I connected through my server at home.
And the 3rd and 4th line are needed if the client access the VPN is on a private IP subnet (like being connected on a WiFi router, using IP 192.168.178.x).
You’ll have to add, in the client-config directory a file per username connecting to the VPN with something similar to this:
iroute 192.168.178.0 255.255.255.0 |
I’m not entirely sure if you can add multiple iroutes; something I’ll have to figure out when being on a different network.
This is what my client config looks like (vpn-server-name.conf, located in ~/Library/openvpn/):
client dev tun proto udp remote home.tiete.be 9000 resolv-retry infinite nobind tun-mtu 1500 tun-mtu-extra 32 mssfix 1200 persist-key persist-tun ca "ca.crt" cert "yeri.crt" key "yeri.key" tls-auth "ta.key" 1 comp-lzo verb 3 |
Yeri being my username. Don’t forget to download and add the ca.crt, user.crt, user.key (located in /usr/share/openvpn/easy-rsa/keys/) and ta.key (located in /etc/openvpn/) you’ve created on the server.
If your client asks for “directions”, pick 1.
Start up server and client software.
Hitting connect in Tunnelblick should connect you to the VPN server, and (in my case) giving me an IP similar to 10.20.30.6. You can check this using “ifconfig” in Terminal.
Client:
tun0: flags=8851 mtu 1500 inet 10.20.30.6 --> 10.20.30.5 netmask 0xffffffff open (pid 20551) |
Server:
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 inet addr:10.20.30.1 P-t-P:10.20.30.2 Mask:255.255.255.255 UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1 RX packets:407595 errors:0 dropped:0 overruns:0 frame:0 TX packets:574351 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:100 RX bytes:27473209 (26.2 MiB) TX bytes:603524377 (575.5 MiB) |
Don’t forget; when using “tun” as driver, your gateway/VPN server will always have the IP ending on .1 (e.g.: 10.20.30.1).
Now, if you want to route all traffic throug the VPN, like I did, you’ll have to change some stuff in iptables (as the server is also acting as my home router, I already did have a few rules in it).
Allow all traffic through tun0 interface:
iptables -A OUTPUT -o tun0 -j ACCEPT iptables -A INPUT -i tun0 -j ACCEPT |
Allow traffic through the external port 9000 (UDP):
iptables -A INPUT -i ppp0 -p udp -m udp --dport 9000 -j ACCEPT |
Enable forwarding and NAT:
iptables -A FORWARD -s 10.20.30.0/24 -i tun0 -j ACCEPT iptables -A FORWARD -d 10.20.30.0/24 -i ppp0 -j ACCEPT iptables -A POSTROUTING -o ppp0 -j MASQUERADE |
And lastly, as I have Squid running on my server, I want to transparently forward all port 80 requests to the Squid server running on port 8080:
iptables -t nat -A PREROUTING -i tun0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080 |
That’s about it. You should have a running VPN from your current location to your VPN server. And you’re able to use it as a gateway.
You can always traceroute/tracepath to your VPN server (10.20.30.1). It should only find one hop.
Well, it had to happen…
Yesterday evening two of our linux boxes were exploited.
I had to try it out for myself; and yes, it really does work. 😐
Booted up my Ubuntu in Parallels, installed build-essential & ran that program!
1 2 3 | sudo apt-get install build-essential gcc what-ever-the-file-name-is.c ./a.out |
This is what it looks like:
My-oh-my…
I’m pretty sure this doesn’t require any more explanations 😉