CentOS 5 Networking :: Preventing 5.3 From Using A NIC?
Aug 25, 2009
I have a virtualbox installation on top of CentOS, and I need fairly high security separation between host and guest traffic. The university network the box hangs off uses statically-allocated ip addresses, allocated to fixed MAC addresses (i.e. it eats any traffic with mismatched ip and MAC addresses).
Host OS: CentOS 5.3 64bit
VBox: 3.0.4
Guest OS: Fedora 11 64bit
Hardware: dual NIC, Intel server
Bridged networking, with separate NICs for host and guest
I'm aiming for high-security separation between host and guest traffic. To do this, I would like to run all host traffic through one NIC, H, and all guest traffic through the other, G. The host and guest have separate, statically allocated IP addresses, IPH and IPG. The network forces these to be mapped to specific MAC addresses, MACH (the address of NIC H) and MACG (the address of NIC G).
So it's not too hard to write host firewall rules to enforce this policy. The rules just have to state that traffic coming into H must have a destination compatible with IPH, and traffic going out must have IPH as source, and vice versa for G and IPG. There also doesn't seem to be any trouble telling the guest to only use NIC G. As a result, turning off NIC G (or equivalently, firewalling it off from host traffic) crashes the network; I have to reboot it to get networking working.
But I can't figure out how to tell the host (i.e. CentOS) to _only_ use NIC H for anything else except the guest. Even though we don't see any IPH traffic coming into NIC G from outside, I don't seem to be able to stop the host from starting connections on NIC G. Does anyone know any way to do this - to tell the host that it can only use IPH as its IP address unless traffic is coming from a guest process, and that it can only use address MACH and NIC H?
View 5 Replies
Aug 3, 2011
I've recently installed cacti on one of my servers and grimaced a bit when I had to install additional third-party yum repositories for CentOS 6. My question is, how does one go about preventing potential conflicts with certain dependencies overwriting key/critical dependencies relied upon from packages that might share them, i.e. apache? I understand yum priorities and have read the discussions regarding pros/cons from the threads involving one of the YUM maintainers. Since I need my servers to act as production-class equipment and, hence, be as reliable as they can, I'm always hesitant to allow yum to automate package upgrades when third-party repos are involved. How best to handle this?
View 3 Replies
Feb 3, 2010
I am running Postfix on my CentOS (latest) powered box with SELinux at Enforcing mode.
This is what I get each time Postfix tries to send e-mail:
Quote: SELinux is preventing postdrop (postfix_postdrop_t) "write" to pipe (initrc_t).
View 4 Replies
Jul 9, 2010
I am trying to lock down our application and server with iptables. Anybody have any idea how to prevent accesses to the application from another application? Basically I opened up the ports 80 and 443 for the application server. However, the application points to other apps (i.e. database, LDAP). I want to limit what it can connect to or who can connect to it. Basically I can limit who connects to the server itself, but the application can still get input from outside servers.
View 4 Replies
Aug 26, 2009
I have a virtualbox installation, and I need fairly high security separation between host and guest traffic. The university network the box hangs off uses statically-allocated ip addresses, allocated to fixed MAC addresses (i.e. it eats any traffic with mismatched ip and MAC addresses).
VBox: 3.0.4
Guest OS: Fedora 11 64bit
Hardware: dual NIC, Intel server
Bridged networking, with separate NICs for host and guest
I'm aiming for high-security separation between host and guest traffic. To do this, I would like to run all host traffic through one NIC, H, and all guest traffic through the other, G. The host and guest have separate, statically allocated IP addresses, IPH and IPG. The network forces these to be mapped to specific MAC addresses, MACH (the address of NIC H) and MACG (the address of NIC G). So it's not too hard to write host firewall rules to enforce this policy. The rules just have to state that traffic coming into H must have a destination compatible with IPH, and traffic going out must have IPH as source, and vice versa for G and IPG. There also doesn't seem to be any trouble telling the guest to only use NIC G. As a result, turning off NIC G (or equivalently, firewalling it off from host traffic) crashes the network; I have to reboot it to get networking working.
But I can't figure out how to tell the host to _only_ use NIC H for anything else except the guest. Even though we don't see any IPH traffic coming into NIC G from outside, I don't seem to be able to stop the host from starting connections on NIC G. Does anyone know any way to do this - to tell the host that it can only use IPH as its IP address unless traffic is coming from a guest process, and that it can only use address MACH and NIC H? I've been reading the route and arp manuals all day, but I can't seem to figure anything out on this - mainly because arp and route don't know about host/guest processes, and I guess weren't designed with this in mind...
View 4 Replies
Jul 3, 2010
Does anyone know if it is possible to filter/block network traffic between internal hosts on a lan?
E.g.: Linux firewall/router (192.168.0.1) - LAN default G/W - all internal > external traffic gets filtered.
How would you filter TCP/ICMP/UDP traffic from internal host A (192.168.0.2) to host B (192.168.0.3)?
All the internal hosts have the linux f/w as the default gateway, and are all on the same /24 subnet.
I would like to know if I can filter traffic between internal hosts.
View 3 Replies
Sep 2, 2010
I have finally gotten around to installing Ubuntu 10.4, and I really like it, but it does irk me that OpenOffice is installed by default. Is it possible to prevent OpenOffice from being installed?
View 7 Replies
Oct 31, 2009
Just a quick question: I have an external HD with 2 partitions, one ext3 and one FAT32. When I plug in the HD both partitions get automatically mounted, but as I only use the FAT32 partition to transfer data from/to Windows machines (which does not happen so often), I would like only the ext3 partition to be mounted automatically.
View 2 Replies
Feb 5, 2010
I'm using the Fedora Eee kernel for Fedora 12 (it's an unofficial kernel for the Eee PC), and want to update my system (I just set it up today). How can I update via command line and prevent an update to the default kernel?
View 1 Replies
Jun 14, 2011
I need to restrict access for deleting to directories and partitions of the OS disk. How do I do it?
View 5 Replies
May 15, 2010
I have a problem as following: "using iptables to prevent IP spoofing".
View 4 Replies
Aug 5, 2010
I have Googled and searched dozens of forums and mailing list archives for a couple days now, and I haven't found a straightforward answer to what is REALLY required in a Postfix main.cf file to stop backscatter.
A couple of our servers are still being flagged as sending backscatter. Is it possible to send a bounce message these days without it being considered backscatter?
I keep adding suggested "fixes" to my main.cf file, but Backscatterer.org still says we're doing it.
Here's my postconf -n output:
Code:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
[Code].....
View 6 Replies
Jun 8, 2010
We are seeing some dropped SSH connections because of which some of the processes are failing. The most likely reason for the connection drops is that both the client and server remain 100% busy during a certain time interval, and during that time interval we see those occasional connections closed by the server.
[Code]...
View 1 Replies
Feb 19, 2010
I just started setting up a Linux box in the office... I have some experience with ssh commands but not with setting up a Linux system and stuff. The box is connected to our network but I have no clue how to make Windows & OS X talk with it. How can I go about doing that, and also setting up an Apache server to be able to connect through the network? Right now I have Apache/Linux/MySQL running; it works when I go to localhost, but I would also like to let all the computers in the office access it. I would guess that will deal with virtual hosts, which I know how to set up. I just need to set up an IP.
View 19 Replies
Sep 11, 2011
I will move my VPS account between hosting services. When I do this I am concerned about losing emails sent between the last user's download and when the IP number changes as the change propagates through the DNS.
View 3 Replies
Jul 5, 2010
I'm running F13 with KDE 4.4.4 on my desktop PC. A few months ago I had occasion to run Kalarm (invoked via the "Kickoff" app launcher). Ever since that time, the Kalarm icon appears in my KDE "system tray" after I log in. I power down my PC when I'm finished using it for the day. In an effort to get rid of the Kalarm icon, I changed my KDE "session manager" (System Settings -> Advanced -> Session Manager) settings to: "on login: start with an empty session". But the Kalarm icon still appears in my "system tray" after the next reboot/login. I've also tried right-clicking on the Kalarm icon and selecting "quit". The icon still re-appears after the next reboot/login. Why didn't the session manager setting "on login: start with an empty session" get rid of the Kalarm icon?
View 2 Replies
Jul 19, 2010
I'm having trouble booting after a recent bunch of updates (haven't been able to boot F12 from hard disk for a couple of days). The boot process gets as far as "NetworkManager daemon [OK]", then just stops. I get this for all 3 kernels that I can choose from the grub menu (2.6.32.16-141, 2.6.32.14-127, 2.6.32.12-115). Mounting the hard drive with a live USB, a quick inspection of /var/log/messages reveals that things go smoothly until: etc. until I hit the power button. I ought to mention that I have a wireless card that requires the Realtek RTL8192SE driver, which requires
Code:
sudo su
make
[code]....
View 1 Replies
Mar 15, 2011
I have a 2 monitor configuration, with the second monitor used exclusively for MythTV. When I'm not actually watching TV or a movie, or watching visualizations with music playing, I actually use the machine for more productive uses. As a result the second monitor is typically not turned on; it might have something to do with the fact that it's a CRT design, consumes a fair bit of power and does a good job keeping the media room overly warm.
The question is, does Fedora 11 or newer have a means to prevent applications from opening on the second monitor? I've checked the obvious places and nothing jumps out .
BTW: according to the NVIDIA X Server Settings control panel, the second monitor is set up in TwinView mode. This mode was chosen to allow the GPU to do most of the video decoding tasks using VDPAU or something, as I recall.
View 5 Replies
Jun 4, 2011
Is it possible to block an application from using the network? If yes, how? I read it's possible with iptables and with SELinux... Also, what about creating a user who can't connect and running the application as that user?
View 7 Replies
Aug 30, 2011
Does anyone know of a Linux utility which will prevent all memory in a forked process from being swapped out to disk? I've seen the 'mlockall' call, but hacking the app sounds like overkill. My reason for needing this is that I'm running Windows XP under VirtualBox on my Linux netbook, and I'm concerned there are basically two levels of swapping going on, which on a single dinky netbook hard disk isn't
View 3 Replies
May 13, 2010
I have a headless Jaunty server that I need to access from both Mac and PC clients. If the server has been rebooted, I can SSH into it, but I cannot VNC into it unless I unlock the keychain. The problem is that I can't figure out how to unlock the keychain from SSH connections, so the only available method is to attach a keyboard to the physical box and enter the keychain password at the server itself. Is there a Terminal command that I can use to unlock the keychain? I have seen references to the 'security' command but that appears to be unavailable on Jaunty?
Is there an even better method than a Terminal command? I don't want to be putting passwords into the Terminal log if I can help it. Ideally, I would connect via SSH, confirm the keychain somehow, and tunnel in through VNC.
View 6 Replies
Jul 22, 2010
This is a bit of an odd one; it's not so much about using Ubuntu but about *not* using Ubuntu. I am just setting up a new computer for my daughter. I have spent days configuring parental controls and lockdowns and such to stop her from being able to view unsuitable content, download programs I don't want, anything that can mess up the computer, etc. etc. At this age I am going to be over her shoulder 100% of the time while she works anyway, but something that occurs to me is that having set up all this control software in Windows, she could actually override the entire thing really easily by booting from a live CD, USB key or similar; she can keep a whole OS in her pocket and I'd never know. You can only watch so much of the time as they grow up. Can I prevent a computer from being capable of booting from external media without some kind of password? How would you begin to go about that?
View 3 Replies
Jul 24, 2010
I just want to prevent updates from certain repos, which are intended only for installation purposes. Those repos, however, also include updates for officially bundled packages, and I don't want to update them - I just want to keep those as the official versions.
View 9 Replies
Nov 3, 2010
I do not want my windows to be dragged and placed partially in two desktops. However, I have enabled edge flipping to move a window to the next desktop. My problem is with partial overlap. I want something which makes the windows stay completely in one desktop, but at the same time allows edge flipping.
View 1 Replies
May 1, 2011
I'm in the process of installing the usual Python/NumPy/SciPy/Matplotlib combination. I'm using the installed version of Python (2.7) on Ubuntu 11.04 but I've compiled NumPy and SciPy (and ATLAS/LAPACK etc.) from source. I now want to install matplotlib from the repositories, but every time I do, python-numpy is installed as a dependency of python-matplotlib. I've tried "apt-get hold python-numpy" etc. and also locking the version of each package in Synaptic, but both Synaptic and apt-get will happily install the packages when requested, I assume because hold/lock version don't work on packages that aren't yet installed.
How can I prevent these packages being installed? Or is there a way to tell Ubuntu that I already have versions?
View 6 Replies
Feb 26, 2010
I decided to hit the update icon. It did not finish updating before the power was interrupted. Now I get an error stating: "E: dpkg was interrupted, you must manually run 'dpkg --configure -a' to correct the problem. E: _cache->open() failed, please report." I am lost as to how to correct this script error. I am sure it is easy. I can open Google Earth, which was downloaded, but not the web.
View 4 Replies
Jan 13, 2011
I'd like to grant /usr/sbin/sendmail.sendmail "connectto" access to the unix_stream_socket /var/lib/imap/socket/lmtp. How do I do that? I want to eliminate error messages that keep appearing in my message log:
/var/log/messages:Jan 13 11:45:29 e setroubleshoot: SELinux is preventing /usr/sbin/sendmail.sendmail from connectto access on the unix_stream_socket /var/lib/imap/socket/lmtp. For complete SELinux messages. run sealert -l 05df828f-4402-
[code]....
View 1 Replies
Sep 22, 2010
Since my desktop (Ubuntu 10.4.1 for now) has no need for anyone trying to ssh into it, I want to prevent ssh from starting as a service when I boot up.
If I type: sudo update-rc.d -f ssh-agent remove
in terminal, will that stop the service for all boots (until I run: sudo update-rc.d ssh-agent defaults -- in terminal)?
I've already removed (unchecked) the ssh agent key from my startup applications.
View 1 Replies
Apr 10, 2011
I am not sure where to post that so I'll just try here. My main question is: how can I prevent the system from changing my cpufreq settings? I'd like to keep the CPU load as low as possible, so these settings are probably the best. However, when I run some applications that require a higher CPU load, the system changes the governor to performance and the range to 0.8 - 2.4 GHz. And that's my problem. I neither know what application exactly is responsible for changing my cpufreq settings, nor do I know how to turn that off. Or is it supposed to be that way?
View 11 Replies
Mar 5, 2010
I removed my .gnome and .nautilus folders and .notifier file. It is working now. I do not know exactly which of these 3 fixed it but I hope this might help someone else! I have some major issue with Nautilus which is preventing me from logging in to my system, which is kind of critical this weekend. I'm running Squeeze with the latest updates.
The problem: today GNOME gave some problems because my taskbar was suddenly gone. I couldn't get it back, so I reinstalled gnome-desktop and updated my whole system. During the update, some yes/no questions on a blue screen asking me to restart cups etc. had corrupted yes/no buttons. Weird character sets were shown. Well, that can happen sometimes, I thought. After reinstalling GNOME I can't log in anymore. My screen keeps flashing while it shows the loading icon of the mouse. Anyone got suggestions? I can't find similar problems on the internet, only problems that happen while already logged in. In my case the segfault prevents gdm starting!
Maurice
View 1 Replies