quota problem.

2001-02-11 Thread Cho Yoonbae
Hi,

I am making ISP server with debian 2.2.
There are three packages. (ecno:30mb, basic:100mb, premium:300mb)

I thought I can solve this problem with quota.
first of all, I will make user account with same group name as package name.
then apply quota by group. (how about this idea?)

but, I have another problem now.
if all customers are in 'users' group with 707 home directory permission,
they can't access other customers' home directory.
I have to make three groups(econo, basic, premium)..
maybe it will break directory-security.. how can I do?

last question,
I will serve mysql database account.
mysql creates db files in /var/lib/mysql/username with mysql UID.
I want to combine this space with customer's home-directory quota.

is there good idea about these?

Have a nice day.

yoonbae.

satellite connections

2001-02-11 Thread Andrea Glorioso
Hi debianistas.

Does anybody here use satellite to connect to the internet?  If so,
would anybody be willing to share his experiences with the various
providers?

Thank you,

Andrea Glorioso
-- 
It is not enough to take steps that will one day lead us to a
goal; every step must itself be a goal, at the same
time as it carries us forward.




Re: satellite connections

2001-02-11 Thread Vasil Kolev


On 11 Feb 2001, Andrea Glorioso wrote:

> Hi debianistas.
> 
> Does anybody here use satellite to connect to the internet?  If so,
> would anybody be willing to share his experiences with the various
> providers?
> 
I have experience with only one satellite provider - Europe OnLine, and,
IMO, they suck big time ... The only reason that we're still using them is
that we don't have any other usage for the DVB card, and if you use
netants (to make a lot of simultaneous connections), it _could_ give
you some good results (like 2-20 KB/s), on a good day...






Re: quota problem.

2001-02-11 Thread Russell Coker
On Sunday 11 February 2001 09:26, Cho Yoonbae wrote:
> I am making ISP server with debian 2.2.
> There are three packages. (ecno:30mb, basic:100mb, premium:300mb)
> 
> I thought I can solve this problem with quota.
> first of all, I will make user account with same group name as package
> name.
> then apply quota by group. (how about this idea?)

Group quota applies to the sum of space used by all users in the group.  You 
want a user quota for each user.  The best way to do this is to create a 
template user for each class of service and use the quota copying command 
(forget the syntax, it's in the man page) to give the user the same quota as 
the template user.  Then it's easy to write a script to go through all users 
and set their quotas (in case you want to change how much quota an "ecno" 
user gets).
Then of course there's the issue of email and web space which want separate 
quotas.  For this it's probably easier to set a quota in the applications.

> if all customers are in 'users' group with 707 home directory permission,
> they can't access other customers' home directory.
> I have to make three groups(econo, basic, premium)..
> maybe it will break directory-security.. how can I do?

Why not mode 700?  Or mode 710 with the directories being group www-data (and 
the customers not being in that group)?

> I will serve mysql database account.
> mysql creates db files in /var/lib/mysql/username with mysql UID.
> I want to combine this space with customer's home-directory quota.

File system quotas on databases are a bad idea.  Databases don't have nice 
failure modes when they run out of disk space.  Create a way of the user 
determining how much space they use in the database and charge them extra if 
they exceed it.

-- 
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/   Postal SMTP/POP benchmark
http://www.coker.com.au/projects.html Projects I am working on
http://www.coker.com.au/~russell/ My home page
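
The template-user quota copy and the mode 710 / group www-data home directories suggested in the reply above, sketched as a script. This is an added example, not part of the original message; the template account names (tmpl_econo, tmpl_basic, tmpl_premium), the /home layout and the sample customer list are assumptions.

```sh
#!/bin/sh
# Added example: per-user quotas copied from a template user, plus private homes.
# Assumptions: template accounts tmpl_econo/tmpl_basic/tmpl_premium already have
# their limits set with edquota; homes are under /home; web server group is www-data.
APPLY=${APPLY:-0}        # 0 = print the commands only, 1 = run them (needs root)

# Constructed sample input, one "login:plan" pair per line.
SAMPLE_CUSTOMERS='alice:econo
bob:premium
carol:basic
mallory;rm:econo
dave:gold'

run() {
    if [ "$APPLY" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Give one customer the quota of the plan's template user and a home directory
# that only the owner can read and only the web server group can traverse.
set_plan() {
    # Refuse anything that is not a plain login name before root acts on it.
    case $1 in
        ''|-*|*[!a-z0-9_-]*) echo "rejected login: $1" >&2; return 1 ;;
    esac
    case $2 in
        econo|basic|premium) ;;
        *) echo "unknown plan '$2' for $1" >&2; return 1 ;;
    esac
    run edquota -p "tmpl_$2" "$1" &&      # -p: copy limits from the prototype user
    run chgrp www-data "/home/$1" &&
    run chmod 710 "/home/$1"
}

# Read login:plan lines on stdin; non-zero exit if any line was rejected.
apply_plans() {
    rc=0
    while IFS=: read -r login plan; do
        set_plan "$login" "$plan" || rc=1
    done
    return "$rc"
}

printf '%s\n' "$SAMPLE_CUSTOMERS" | apply_plans || echo "some entries rejected" >&2
```

Changing what a plan allows then means editing the one template account and re-running the script over the customer list.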




Re: sources.list

2001-02-11 Thread Duane Powers
Matthew H. Ray wrote:
> Duane Powers wrote:
> > I have a question - I have a dozen boxen that I am maintaining, all with
> > Debian ( almost all potato - one woody) I would like to save bandwidth
> > and centralize administration by utilizing one of the boxes as a apt-get
> > source. then I can apt-get update ; apt-get dist-upgrade ; done, on one
> > box, and save all the .deb's then use those .deb's for the other boxen
> > without actually mirroring the whole debian site.
> > I know it's configurable - I don't know how.
> > I read the man for sources.list, but I don't know how to set up the
> > webserver to understand the following;
>
> I have a very similar setup at work.  There's a debian package called
> mirror (apt-get install mirror) that comes with examples that can be
> used to mirror a Debian mirror (tweak to exclude what you don't need (in
> my case everything but i386).  Install it on a box that has a couple of
> gigs of HD space for setting up your private mirror.  Then setup
> anonymous FTP on the mirror box.  Once you have your server mirroring
> properly, you simply insert the lines into your sources.list of each of
> your boxen.  Here's mine.
>
> deb ftp://internal_mirror potato main contrib non-free
> deb ftp://internal_mirror dists/proposed-updates/
> deb http://non-us.debian.org potato/non-US main contrib non-free
> deb http://security.debian.org potato/updates main contrib non-free
> deb ftp://ftp.twoguys.org/debian potato main contrib non-free
> deb ftp://ftp.twoguys.org/debian dists/proposed-updates/
>
> If something isn't on the internal mirror, it pulls it off of the
> external mirror.  Add the mirror call into your crontab (mine updates
> nightly at 3 am).

Thanks to everyone for the prompt (and great ) responses, I've implemented
a setup like the above, and it seems to be working, thanks again 

~duane

  
  


NAT problems

2001-02-11 Thread Tobias Geijersson

Hello,

I've got a problem with my network setup that I can't solve.

It looks like IP tables in kernel 2.4 solves it but I don't have the time
(and courage) to do that right now.

My firewall has these NICs:

eth0 192.168.2.254/24 is connected to my IP-provider using private ip
eth1 a.x.y.z1/27 is connected to my server segment using "real" ip
eth2 a.x.y.z2/27 is connected to my workstation segment using "real" ip

and now I must add a fourth net:
eth3 192.168.10.1/24 and I want to NAT those addresses when they access
internet (through eth0)

The problem is that when I add the rule for masquerading it translates
all 192.168.10.1/24 to eth0's 192.168.2.254 before routed to my ip
provider, and that address is a private one and will not work!

How do I solve this in kernel 2.2?

In kernel 2.4 it looks like it's possible to do something like:

iptables -t nat -A POSTROUTING -i eth3 -j SNAT --to a.x.y.z1

but 2.4 is not an option right now.

Regards
Tobias


--  
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




Re: NAT problems

2001-02-11 Thread Fraser Campbell

Tobias Geijersson <[EMAIL PROTECTED]> writes:

> The problem is that when I add the rule for masquerading it translates
> all 192.168.10.1/24 to eth0's 192.168.2.254 before routed to my ip
> provider, and that address is a private one and will not work!
> 
> How do I solve this in kernel 2.2?

I'm not sure I entirely understand your dilemma but it should be possible
under 2.2.  You need to use the iproute2 package and have an appropriately
compiled Linux kernel.

I've used policy routing in a few places and it enables you to masquerade/NAT
as any address you like.

ip rule add from 192.168.10.0/24 nat 1.2.3.4

If your router's default gateway is on an interface other than the one to
which you wish to NAT then you may have to set up a custom routing table for
that network.

ip route add default via 1.2.3.1 table 192
ip rule add from 192.168.10.0/24 table 192 nat 1.2.3.4

This has the effect of routing all your externally destined packets arriving
from the 192.168.10.0/24 network to your 1.2.3.1 router with a source address
of 1.2.3.4 ... 1.2.3.4 must actually be an address assigned to your Linux box.

Note you will probably have to add throw routes for your local networks to
the new routing table you created so that local traffic works correctly.

We use this in a location with 4 different Internet connections (DSL/T1) and
route different private IP servers out the different gateways ... it works
very well.

-- 
fraser campbell <[EMAIL PROTECTED]>  starnix inc.
tollfree: (905) 771-0017             thornhill, ontario, canada
http://www.starnix.com/ professional linux services & products






Re: NAT problems

2001-02-11 Thread Jeremy Lunn

On Mon, Feb 12, 2001 at 08:31:42AM +0100, Tobias Geijersson wrote:
> My firewall has these NICs:
> 
> eth0 192.168.2.254/24 is connected to my IP-provider using private ip
> eth1 a.x.y.z1/27 is connected to my server segment using "real" ip
> eth2 a.x.y.z2/27 is connected to my workstation segment using "real" ip
> 
> and now I must add a fourth net:
> eth3 192.168.10.1/24 and I want to NAT those addresses when they access
> internet (through eth0)
> 
> The problem is that when I add the rule for masquerading it translates
> all 192.168.10.1/24 to eth0's 192.168.2.254 before routed to my ip
> provider, and that address is a private one and will not work!

Shouldn't it be possible to masquerade using say eth2 instead of eth0?
And therefore appear to be coming from the address that eth2 has even
though you are being routed back out through eth0?

So something like
/sbin/ipchains -A forward -i eth2 -j MASQ

-- 
Jeremy Lunn
Melbourne, Australia

