Re: Semi-OT: IPP doesn't auto-configure CUPS?

2019-11-12 Thread Curt
On 2019-11-11, Gene Heskett  wrote:
>>
>> Internet Printing Protocol (http)
>>
>> Internet Printing Protocol (https)
>>
>> Internet Printing Protocol (ipp)
>>
>> Internet Printing Protocol (ipps)
>>
>> even though "ls -l /usr/lib/cups/backend" all show them to all be or
>> symlink to the same file. So I'm left with my original question from
>> my earlier-today post/question: What's the difference between these
>> four protocols, and why would I select one over the others?
>>
> excellent questions. But I'd be far more interested in setting a printer as 
> shared, and actually being able to share it.  When configured as shared, 
> when the page clears back to the printer, it's marked not shared and is 
> refusing to allow other computers on my local net to use it.

AFAIK, there's only one protocol in the list above (IPP). http(s) is a
transport binding. ipps is a "URI scheme, which is used to designate the
access to the network location of a secure IPP print service or a
network resource managed by such a service."

https://tools.ietf.org/html/rfc7472

 cupsctl --share-printers
(same subnet)

 lpadmin -p  -o printer-is-shared=true

https://www.cups.org/doc/sharing.html

I didn't do it that way, though. I turned on sharing via the web
interface and without further ado the printer shared itself on the LAN.
Can't imagine what your difficulty might be (unless you're not in
administrative mode or something).

> Thanks for any help that fixes this.
>
>> Thanks!
>
>
> Cheers, Gene Heskett


-- 
“The cradle rocks above an abyss, and common sense tells us that our existence
is but a brief crack of light between two eternities of darkness.” 
"Speak, Memory," Vladimir Nabokov



Re: auxiliary mail client for HTML

2019-11-12 Thread Curt
On 2019-11-08, Nate Bargmann  wrote:
>
>> I thought everybody just used a mailcap file and was fine.
>
> I do and have it setup to use w3m to deal with most HTML mail.  Some
> does look better in a GUI program and that's why I do this.
>

Well, then

 text/html;  /usr/bin/firefox %s >/dev/null 2>&1; needsterminal
 text/html;  elinks -dump %s; nametemplate=%s.html; copiousoutput

Or something like it. Needing or preferring a gui client doesn't seem
to preclude using a mailcap file (or vice versa). 

I'm not a mutt user, though, so maybe I got it wrong. I also forgot what
the "this" was in the "that's why I do this" above.

;-)





Re: Difference between ipp, ipps, http, https CUPS protocols?

2019-11-12 Thread Dan Purgert
Kent West wrote:
> After some testing, I find that selecting "http" creates a working 
> printer; selecting "ipps" does not. The latter generates an error page 
> that says:
>
> Unable to open PPD file:
>
> Missing asterisk in column 1
>
>
> So apparently there is some difference between these protocols, and I'm 
> left wondering what the differences are, and which one I should select.
>

Most likely, the spooler chokes because you don't have a valid SSL
certificate on the printer (or the print-server). Therefore, neither
"IPPS" nor "HTTPS" would work.

Again, the "choice" of protocol comes down to "what does your printer
support" (most everything newish should support IPP). 

Without getting into way too much detail (and needing to google to
refresh my memory), IPP is basically an "enhanced" LPR/LPD, that instead
of you needing to write all the control software "client side" (i.e. the
machine sending the print job having the options in an rc file, on top
of one or more page filters), an extra communications / settings channel
is opened between the printer and machine trying to print, so they can
communicate about capabilities, and change them on the fly (e.g. want
this job to one-off print single-sided? Just tell the printer), rather
than having to edit a config file (and possibly restart services on the
machine printing).

I believe the newest printers offer a way to print "driverless" via IPP
as well -- that is, rather than needing a device-specific PPD, the use
of IPP lets you just send a standardized "printing format" (PDF, PCL,
something like that), and that "printing format" plus the options you
told it via the control channel gets you a nice document.  Though, that
might just be vaporware at the moment.

-- 
|_|O|_| 
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5  4AEE 8E11 DDF3 1279 A281



Re: Difference between ipp, ipps, http, https CUPS protocols?

2019-11-12 Thread Klaus Singvogel
Dan Purgert wrote:
> Kent West wrote:
> >
> > Unable to open PPD file:
> >
> > Missing asterisk in column 1
[...]

It's your PPD file for the printer, which seems not to be readable,
most likely nonexistent.

The PPD (PostScript Printer Definition) file is located under /etc/cups/ppds
(or similar pathname) and named as your "printer name" with suffix ".ppd"

Example: printer name is "oki6EX", then it is /etc/cups/ppds/oki6EX.ppd

Check if the file exists and is readable for cups.

Best regards,
Klaus.
-- 
Klaus Singvogel
GnuPG-Key-ID: 1024R/5068792D  1994-06-27



Re: Difference between ipp, ipps, http, https CUPS protocols?

2019-11-12 Thread Gene Heskett
Since I installed stretch on this machine, my printer server since the 
early 2000's, suddenly nothing works. No printers are shared despite 
my checking the box to share it during a reconfiguration of that profile.

What do I do to restore what was an "everything just worked" when this 
machine was running wheezy?  All I get in the logs here when another 
machine attempts to print to one of 4 printer profiles seems to 
indicate no permission.

I only have 1 printer defined because I want to fix whatever is wrong 
before I re-add the others. I have ripped out and killed the etc/cups
directory in hopes a fresh cups install might fix it.  Didn't happen.

This is my logs:
root@coyote:cups$ cat /var/log/cups/access_log
localhost - - [12/Nov/2019:00:11:00 -0500] "POST / HTTP/1.1" 200 349 Create-Printer-Subscriptions successful-ok
localhost - - [12/Nov/2019:00:11:00 -0500] "POST / HTTP/1.1" 200 176 Create-Printer-Subscriptions successful-ok
root@coyote:cups$ cat /var/log/cups/error_log.1
E [11/Nov/2019:00:10:25 -0500] Unable to open listen socket for address [v1.::1]:631 - Cannot assign requested address.
E [11/Nov/2019:16:16:00 -0500] [cups-deviced] PID 22513 (gutenprint52+usb) stopped with status 1!
E [11/Nov/2019:16:16:00 -0500] [cups-deviced] PID 22511 (begonia) stopped with status 1!
W [11/Nov/2019:16:18:17 -0500] CreateProfile failed: org.freedesktop.ColorManager.AlreadyExists:profile id \'Brother_HL-2140_series-Gray..\' already exists
E [11/Nov/2019:16:18:45 -0500] [cups-deviced] PID 22693 (begonia) stopped with status 1!
E [11/Nov/2019:16:18:45 -0500] [cups-deviced] PID 22695 (gutenprint52+usb) stopped with status 1!
W [11/Nov/2019:16:20:12 -0500] CreateProfile failed: org.freedesktop.ColorManager.AlreadyExists:profile id \'Brother_HL-2140_series-Gray..\' already exists

That [v1.::1] looks like shorthand for ipv6, but the nearest ipv6 capable 
connection is probably 185 miles north of here in Pittsburgh PA.
There is not AFAIK, any ipv6 provisioned anyplace on my local ISP the 
local cable folks

So that's probably the first thing to fix, but where is it?

An ip a shows
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0:  mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:1f:c6:62:fc:bb brd ff:ff:ff:ff:ff:ff
    inet 192.168.71.3/24 brd 192.168.71.255 scope global eth0
       valid_lft forever preferred_lft forever
3: eth1:  mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 00:1f:c6:63:07:97 brd ff:ff:ff:ff:ff:ff

Nothing is connected at eth1, this mobo has 2 rj45's on it.

And all of that looks like ipv6 crap, yet I have an ipv6 disable in the 
/proc system someplace I've forgotten as this install is now several 
months old. Or is that volatile and needs to be done at every reboot?

Thanks for any help.

Cheers, Gene Heskett

-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
If we desire respect for the law, we must first make the law respectable.
 - Louis D. Brandeis
Genes Web page 



Re: Difference between ipp, ipps, http, https CUPS protocols?

2019-11-12 Thread Klaus Singvogel
Gene Heskett wrote:
> 
> This is my logs:
> root@coyote:cups$ cat /var/log/cups/access_log
> localhost - - [12/Nov/2019:00:11:00 -0500] "POST / HTTP/1.1" 200 349 
> Create-Printer-Subscriptions successful-ok
> localhost - - [12/Nov/2019:00:11:00 -0500] "POST / HTTP/1.1" 200 176 
> Create-Printer-Subscriptions successful-ok
> root@coyote:cups$ cat /var/log/cups/error_log.1
> E [11/Nov/2019:00:10:25 -0500] Unable to open listen socket for address 
> [v1.::1]:631 - Cannot assign requested address.
> E [11/Nov/2019:16:16:00 -0500] [cups-deviced] PID 22513 (gutenprint52+usb) 
> stopped with status 1!
> E [11/Nov/2019:16:16:00 -0500] [cups-deviced] PID 22511 (begonia) stopped 
> with status 1!
> W [11/Nov/2019:16:18:17 -0500] CreateProfile failed: 
> org.freedesktop.ColorManager.AlreadyExists:profile id 
> \'Brother_HL-2140_series-Gray..\' already exists
> E [11/Nov/2019:16:18:45 -0500] [cups-deviced] PID 22693 (begonia) stopped 
> with status 1!
> E [11/Nov/2019:16:18:45 -0500] [cups-deviced] PID 22695 (gutenprint52+usb) 
> stopped with status 1!
> W [11/Nov/2019:16:20:12 -0500] CreateProfile failed: 
> org.freedesktop.ColorManager.AlreadyExists:profile id 
> \'Brother_HL-2140_series-Gray..\' already exists
> 
> That [v1.::1] looks like shorthand for ipv6, but the nearest ipv6 capable 
> connection is probably 185 miles north of here in Pittsburgh PA.
> There is not AFAIK, any ipv6 provisioned anyplace on my local ISP the 
> local cable folks

Forget this. This message is hours away from your real issue.

Most probably caused by a "Listen [v1.::1]:631" entry in /etc/cups/cupsd.conf

> So that's probably the first thing to fix, but where is it?

No, forget this. Put your focus on that error message:

CreateProfile failed: org.freedesktop.ColorManager.AlreadyExists:profile ... 
already exists

Best regards,
Klaus.
-- 
Klaus Singvogel
GnuPG-Key-ID: 1024R/5068792D  1994-06-27



Re: Difference between ipp, ipps, http, https CUPS protocols?

2019-11-12 Thread Curt
On 2019-11-12, Klaus Singvogel  wrote:
>
> CreateProfile failed: org.freedesktop.ColorManager.AlreadyExists:profile ... 
> already exists

Maybe as simple as "Resume Printer" (wouldn't that be wonderful?).

> Best regards,
>   Klaus.





Re: Difference between ipp, ipps, http, https CUPS protocols?

2019-11-12 Thread Gene Heskett
On Tuesday 12 November 2019 08:48:41 Klaus Singvogel wrote:

> Gene Heskett wrote:
> > This is my logs:
> > root@coyote:cups$ cat /var/log/cups/access_log
> > localhost - - [12/Nov/2019:00:11:00 -0500] "POST / HTTP/1.1" 200 349
> > Create-Printer-Subscriptions successful-ok localhost - -
> > [12/Nov/2019:00:11:00 -0500] "POST / HTTP/1.1" 200 176
> > Create-Printer-Subscriptions successful-ok root@coyote:cups$ cat
> > /var/log/cups/error_log.1
> > E [11/Nov/2019:00:10:25 -0500] Unable to open listen socket for
> > address [v1.::1]:631 - Cannot assign requested address. E
> > [11/Nov/2019:16:16:00 -0500] [cups-deviced] PID 22513
> > (gutenprint52+usb) stopped with status 1! E [11/Nov/2019:16:16:00
> > -0500] [cups-deviced] PID 22511 (begonia) stopped with status 1! W
> > [11/Nov/2019:16:18:17 -0500] CreateProfile failed:
> > org.freedesktop.ColorManager.AlreadyExists:profile id
> > \'Brother_HL-2140_series-Gray..\' already exists
> > E [11/Nov/2019:16:18:45 -0500] [cups-deviced] PID 22693 (begonia)
> > stopped with status 1! E [11/Nov/2019:16:18:45 -0500] [cups-deviced]
> > PID 22695 (gutenprint52+usb) stopped with status 1! W
> > [11/Nov/2019:16:20:12 -0500] CreateProfile failed:
> > org.freedesktop.ColorManager.AlreadyExists:profile id
> > \'Brother_HL-2140_series-Gray..\' already exists
> >
> > That [v1.::1] looks like shorthand for ipv6, but the nearest ipv6
> > capable connection is probably 185 miles north of here in Pittsburgh
> > PA. There is not AFAIK, any ipv6 provisioned anyplace on my local
> > ISP the local cable folks
>
> Forget this. This message is hours away from your real issue.
>
> Most probably caused by a "Listen [v1.::1]:631" entry in
> /etc/cups/cupsd.conf
is
Listen localhost:631

> > So thats probably the first thing to fix, but where is it?
>
> No, forget this. Put your focus on that error message:
>
> CreateProfile failed:
> org.freedesktop.ColorManager.AlreadyExists:profile ... already exists
>
That's permissions.. But why can't the same software that wrote that 
profile, rewrite that profile?  I'm in sudoers. Looking for perms to 
admin this presents a requester with root filled and a password about a 
week long, which I change to me and my password so sudo will work, there 
is no root pw on any of my machines, and does not complain until the 
log.  So what do I do to get admin writes, including overwriting the 
edited ppd or whatever when there is no root pw, only sudo.
So if it's complaining it can't overwrite the file, when it's the exact 
same sw that wrote it three days back up the log.

> Best regards,
>   Klaus.


Cheers, Gene Heskett



Re: auxiliary mail client for HTML

2019-11-12 Thread Dejan Jocic
On 12-11-19, Curt wrote:
> On 2019-11-08, Nate Bargmann  wrote:
> >
> >> I thought everybody just used a mailcap file and was fine.
> >
> > I do and have it setup to use w3m to deal with most HTML mail.  Some
> > does look better in a GUI program and that's why I do this.
> >
> 
> Well, then
> 
>  text/html;  /usr/bin/firefox %s >/dev/null 2>&1; needsterminal
>  text/html;  elinks -dump %s; nametemplate=%s.html; copiousoutput
> 
> Or something like it. Needing or preferring a gui client doesn't seem
> to preclude using a mailcap file (or vice versa). 
> 
> I'm not a mutt user, though, so maybe I got it wrong. I also forgot what
> the "this" was in the "that's why I do this" above.
> 
> ;-)

text/html;  firefox -new-tab %s & sleep 5; test=test -n "$DISPLAY"; nametemplate=%s.html
text/html;  lynx -dump %s; nametemplate=%s.html; copiousoutput

Or at least that works here. I'm sure that it can be done better though,
but did not have need to dig in more into it.

All best,
Dejan



Re: Difference between ipp, ipps, http, https CUPS protocols?

2019-11-12 Thread Gene Heskett
On Tuesday 12 November 2019 09:11:04 Curt wrote:

> On 2019-11-12, Klaus Singvogel  wrote:
> > CreateProfile failed:
> > org.freedesktop.ColorManager.AlreadyExists:profile ... already
> > exists
>
> Maybe as simple as "Resume Printer" (wouldn't that be wonderful?).
>
Except there is no place advising printer is paused,
> > Best regards,
> > Klaus.


Cheers, Gene Heskett



Re: Difference between ipp, ipps, http, https CUPS protocols?

2019-11-12 Thread Brian
On Tue 12 Nov 2019 at 08:46:50 +1300, Richard Hector wrote:

> On 12/11/19 8:38 AM, Kent West wrote:
> > 
> > On 11/11/19 10:40 AM, Brian wrote:
> >> On Mon 11 Nov 2019 at 10:18:26 -0600, Kent West wrote:
> >>
> >>> Probably answered somewhere, but I've been DuckDuckGo-ing for the
> >>> past two
> >>> hours and can't find the answer.
> >>>
> >>> When adding a printer via the CUPS web interface (localhost:631) on my
> >>> Debian box, Administration / Add Printer / Other Network Printers,
> >>> there are
> >>> four Internet Printing Protocol options:
> >>>
> >>> https
> >>>
> >>> ipp
> >>>
> >>> http
> >>>
> >>> ipps
> >>>
> >>> Which one do I want to select? What are the differences?
> >> 'ls -l /usr/lib/cups/backend' tells you that it doesn't matter what
> >> choice you make.
> >>
> > 
> > lrwxrwxrwx 1 root root  3 Oct 31 02:44 http -> ipp
> > lrwxrwxrwx 1 root root  3 Oct 31 02:44 https -> ipp
> > -rwxr-xr-x 1 root root  80120 Oct 31 02:44 ipp
> > lrwxrwxrwx 1 root root  3 Oct 31 02:44 ipps -> ipp
> > 
> > Thank you. That does tell me they are all the same.
> 
> It doesn't tell me that.

I've come round to your way of thinking.

> It tells me that they're all the same file, but an executable can find
> out what name it was called with, and change its behaviour accordingly.
> Busybox is an extreme example.

That went through my mind at the time, but I went for the easy (and not
quite correct) response to keep things simple. Essentially, use ipp
unless you have a good reason not to.

> > It does not tell me
> > why CUPS on Debian makes the other three options available (thereby
> > confusing the person adding the printer). There must be some reason why
> > a person would expect to choose X over Y; that's the difference I'm
> > looking for.
> > 
> > But your answer certainly helps. I now know it doesn't matter which of
> > these I select.
> 
> I would guess that the *s versions use TLS, but beyond that I don't
> know. I'd agree with deloptes that it probably depends on what the
> remote end can support.

Not quite. Both ipp and ipps do encryption. The difference is that ipp
does opportunistic encryption (using an http upgrade) whereas, with ipps,
encryption is always on (the encryption is immediate, using https). The
rationale for having an ipps URI is in RFC7472.

http is the transport protocol for ipp and ipps, and ipp and ipps URIs
are mapped to http and https URLs. Every modern printer would support
ipp; in addition, some could support ipps too. I believe the http and
https backends exist to facilitate connections with Windows machines,
which historically have lagged far behind in implementing ipp.

-- 
Brian.
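
The URI-to-URL mapping and the two encryption modes described in the message above, as an added example (not part of the thread and not CUPS code). The default port 631 comes from RFC 3510 and RFC 7472; the function names and the sample URIs are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

IPP_DEFAULT_PORT = 631  # default for both ipp (RFC 3510) and ipps (RFC 7472)

# scheme -> (HTTP transport scheme, when TLS is applied)
_SCHEMES = {
    "ipp": ("http", "opportunistic"),   # cleartext start, TLS only via HTTP upgrade
    "ipps": ("https", "always"),        # TLS handshake before any HTTP/IPP traffic
}


def map_ipp_uri(uri):
    """Map an ipp:/ipps: URI to the http:/https: URL it is carried over.

    Returns (url, tls_mode). Raises ValueError for anything that is not a
    well-formed ipp or ipps URI.
    """
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme not in _SCHEMES:
        raise ValueError(f"unsupported scheme {scheme!r}")
    if not parts.hostname:
        raise ValueError("missing host")
    transport, tls_mode = _SCHEMES[scheme]
    host = parts.hostname
    if ":" in host:                      # IPv6 literal needs its brackets back
        host = f"[{host}]"
    port = parts.port or IPP_DEFAULT_PORT   # .port raises ValueError if malformed
    url = urlunsplit((transport, f"{host}:{port}", parts.path or "/", parts.query, ""))
    return url, tls_mode


def audit(uris):
    """Return the URIs that do not guarantee encryption, with the reason."""
    weak = {}
    for uri in uris:
        try:
            url, tls_mode = map_ipp_uri(uri)
        except ValueError as exc:
            weak[uri] = f"rejected: {exc}"
            continue
        if tls_mode != "always":
            weak[uri] = f"{url} may run without TLS"
    return weak


# Constructed sample device URIs (documentation addresses, not from the thread).
SAMPLE_URIS = [
    "ipp://192.0.2.10/ipp/print",
    "ipps://printer.example:8443/ipp/print",
    "ipp://[2001:db8::1]/ipp/print",
    "lpd://192.0.2.12/queue",
]

if __name__ == "__main__":
    for uri in SAMPLE_URIS[:3]:
        print(uri, "->", map_ipp_uri(uri))
    for uri, reason in audit(SAMPLE_URIS).items():
        print("no TLS guarantee:", uri, "-", reason)
```
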



Re: auxiliary mail client for HTML

2019-11-12 Thread David Wright
On Tue 12 Nov 2019 at 09:23:54 (-), Curt wrote:
> On 2019-11-08, Nate Bargmann  wrote:
> >
> >> I thought everybody just used a mailcap file and was fine.
> >
> > I do and have it setup to use w3m to deal with most HTML mail.  Some
> > does look better in a GUI program and that's why I do this.
> >
> 
> Well, then
> 
>  text/html;  /usr/bin/firefox %s >/dev/null 2>&1; needsterminal
>  text/html;  elinks -dump %s; nametemplate=%s.html; copiousoutput
> 
> Or something like it. Needing or preferring a gui client doesn't seem
> to preclude using a mailcap file (or vice versa). 
> 
> I'm not a mutt user, though, so maybe I got it wrong. I also forgot what
> the "this" was in the "that's why I do this" above.

The following is what I use in my mailcap-mutt file. My priorities
in handling HTML emails at all (which I believe should only be
exchanged between consenting adults) are to disentangle running
text into paragraphs and then colour them so that the parties to
the conversation can be distinguished:

## The first occurrence takes priority
# the next line is used immediately the email is opened, so you don't see the text alternative
#text/html; /usr/bin/html2text; copiousoutput
# the next line is used immediately the email is opened, so you don't see the text alternative
#text/html; /usr/bin/w3m -dump -T text/html; copiousoutput
# the next line is used only when an html attachment is selected in the attachments menu
text/html; /usr/bin/lynx -force-html -localhost -stdin
# the next line is used only when an html attachment is selected in the attachments menu
#text/html; cat | /usr/bin/elinks -dump -dump-color-mode 4 -force-html -localhost 1 | less -r
# the next line is used immediately the email is opened, so you don't see the text alternative
#text/html; /usr/bin/elinks -dump -force-html -localhost 1; copiousoutput

The mailcap file is triggered by the lines:

auto_view   text/html # immediate display (without v command), assumes mailcap support
set mailcap_path=$HOME/.mutt/mailcap-mutt # needed for auto_view

in my ~/.mutt/muttrc file. As you can see, I prefer to have to choose
to read the HTML whenever the text version is indecipherable, rather
than having it pop up straight away (in favour of the text version).

I might consider using a GUI to display the HTML, but not unless I can
find a browser that has the equivalent of -localhost, which none does¹.
With lynx I can see the links and list them, but not follow them. For
that I use cut and paste.

(On which topic, it took me a while to stumble on this xterm resource:
XTerm*cutNewline:   false
which prevents triple-clicking from including the newline.)

¹ Suggestions welcome.

Cheers,
David.



Re: Difference between ipp, ipps, http, https CUPS protocols?

2019-11-12 Thread David Wright
On Tue 12 Nov 2019 at 09:26:03 (-0500), Gene Heskett wrote:
> On Tuesday 12 November 2019 08:48:41 Klaus Singvogel wrote:
> > Gene Heskett wrote:
> > > That [v1.::1] looks like shorthand for ipv6, but the nearest ipv6
> > > capable connection is probably 185 miles north of here in Pittsburgh
> > > PA. There is not AFAIK, any ipv6 provisioned anyplace on my local
> > > ISP the local cable folks
> >
> > Forget this. This message is hours away from your real issue.
> >
> > Most probably caused by a "Listen [v1.::1]:631" entry in
> > /etc/cups/cupsd.conf
> is
> Listen localhost:631

And a conventional installation would show:

$ grep localhost /etc/hosts
127.0.0.1  localhost
::1        localhost ip6-localhost ip6-loopback
$ 

but has that been nuked?

Cheers,
David.



Re: Semi-OT: IPP doesn't auto-configure CUPS?

2019-11-12 Thread Brian
On Mon 11 Nov 2019 at 14:02:50 -0600, Kent West wrote:

> I've been trying to wrap my head around printing today, and I have come to
> understand that IPP is the up-and-coming standard for printing (replacing
> the older LPD / AppSocket / HP Jet Direct / etc), and more specifically,
> that IPPEverywhere is the new and up-and-coming standard (of which Apple's
> AirPrint is a variant/extension, more broadly-supported simply by being
> older, although not fully documented as is the newer IPPEverywhere).

More or less. But bear in mind that CUPS has always been based on
IPP. What has changed in the past ten years is that almost all modern
printers now come with decent IPP implementations and offer an AirPrint
service.

> It is further my understanding that IPP is supposed to query the printer for
> its capabilities (double-sided printing? stapling? A4 paper size in the
> tray, etc).

Ok.

> It is further my understanding that IPP can (does?) query the printer for
> this info just prior to each print job.

Not quite. The applications (Firefox, LibreOffice etc) get the printer
attributes when their dialogs are opened.

> But I also thought that IPP would query the printer for this info when the
> printer is added to the client PC. I find that to not be the case, however,
> on my Debian Bullseye/sid box, and on a Mac Catalina MacBook. Am I incorrect
> about this setup-time polling?

No. You are correct.

> What I mean more specifically is, when I go into the CUPS web interface to
> set up a new printer, and go through the Add Printer stuff, and select
> "Other Network Printers" / "Internet Printing Protocol (ipps)" (because the
> printer is on a different subnet/virtual LAN and therefore doesn't get
> autodetected via Bonjour/mDNS/DNS-SD), and then on the next screen enter the
> IP address of the printer, I would have expected the IPP protocol to then
> handle the rest of the printer setup, but instead I'm still asked for the
> printer name and printer model (although I just now noticed that what is
> currently selected (I'm not sure it was when I started this email) is
> "{current_make_and_model} - IPP Everywhere" - perhaps this option is doing
> what I was expecting?).

How does IPP know that you intend calling the printer destination
"charles"?

> (If I select that IPP Everywhere option, the next screen errors out saying
> "Unable to open PPD file: Missing asterisk in column 1", so I suspect that
> option is not doing what I was expecting.)

This is CUPS' way of telling you that an ipps service is not offered by
the printer. With lpadmin you would get "An unexpected TLS packet was
received".

-- 
Brian.



Re: fail2ban for apache2

2019-11-12 Thread Lee
On 11/11/19, Gene Heskett  wrote:
> On Monday 11 November 2019 08:33:13 Greg Wooledge wrote:
  ... snip ...
>> I *know* I told you to look at your log files, and to turn on
>> user-agent logging if necessary.
>>
>> I don't remember seeing you ever *post* your log files here, not even
>> a single line from a single instance of this bot.  Maybe I missed it.
>
> Only one log file seems to have useful data, the "other..." file, and I
> have posted several single lines here, but here's a  few more:
   ... snip ...
> [11/Nov/2019:12:11:39 -0500] "GET
> /gene/nitros9/level1/coco1_6309/bootfiles/bootfile_covga_cocosdc
> HTTP/1.1" 200 16133 "-" "Mozilla/5.0 (compatible; Daum/4.1;
> +http://cs.daum.net/faq/15/4118.html?faqId=28966)"
>
> I did ask earlier if daum was a bot but no one answered.  They are
> becoming a mite pesky.

Google translate can be your friend:
https://translate.google.com/translate?hl=&sl=ko&tl=en&u=https%3A%2F%2Fcs.daum.net%2Ffaq%2F15%2F4118.html

Note they even tell you how to turn off collection:
I want to automatically exclude documents from my site from web
document search results.
[robots.txt Exclusion using file]
Please write the following in Notepad, and save it as robots.txt file
to the root directory.

User-agent: DAUM
Disallow: /

Using * instead of DAUM can prevent web collection robots from
collecting documents on all search services, not just Daum.

So let's take a look at what you've got:
$ curl http://geneslinuxbox.net:6309/robots.txt
# $Id: robots.txt 410967 2009-08-06 19:44:54Z oden $
# $HeadURL: svn+ssh://svn.mandriva.com/svn/packages/cooker/apache-conf/current/SOURCES/robots.txt $
# exclude help system from robots

User-agent: googlebot-Image
Disallow: /

User-agent: googlebot
Disallow: /

User-agent: *
Disallow: /manual/

User-agent: *
Disallow: /manual-2.2/

User-agent: *
Disallow: /addon-modules/

User-0agent: *
Disallow: /doc/

User-agent: *
Disallow: /images/

# the next line is a spam bot trap, for grepping the logs. you should _really_ change this to something else...
#Disallow: /all_our_e-mail_addresses
# same idea here...

User-agent: *
Disallow: /admin/

# but allow htdig to index our doc-tree
# User-agent: htdig
# Disallow:

User-agent: *
Disallow: stress test

User-agent: stress-agent
Disallow: /

User-agent *
Disallow: /

$

You're missing a ':' - it should be
User-agent: *
Disallow: /

and I don't think "User-0agent: *" is going to do what you want..

Regards,
Lee
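
A small robots.txt linter for the kind of mistakes pointed out in the message above, as an added example (not part of the thread). The sample is the file shown in the curl output with its comments trimmed; the function names are this example's own, groups are built the way RFC 9309 describes, and agent lookup by exact name is a simplification of how real crawlers match.

```python
KNOWN_FIELDS = {"user-agent", "allow", "disallow", "sitemap", "crawl-delay"}

# robots.txt from the curl output in the post above, comments trimmed.
SAMPLE = """\
User-agent: googlebot-Image
Disallow: /

User-agent: googlebot
Disallow: /

User-agent: *
Disallow: /manual/

User-agent: *
Disallow: /manual-2.2/

User-agent: *
Disallow: /addon-modules/

User-0agent: *
Disallow: /doc/

User-agent: *
Disallow: /images/

User-agent: *
Disallow: /admin/

User-agent: *
Disallow: stress test

User-agent: stress-agent
Disallow: /

User-agent *
Disallow: /
"""


def lint(text):
    """Return (findings, groups).

    findings: list of (line_number, code, raw_line)
    groups:   dict mapping lowercase agent name -> list of (field, value) rules
    """
    findings, groups = [], {}
    current = []        # agents named by the group currently being read
    seen_rule = False   # True once that group has at least one rule line
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if ":" not in line:
            findings.append((number, "missing-colon", raw))
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field not in KNOWN_FIELDS:
            findings.append((number, "unknown-field", raw))
            continue
        if field == "user-agent":
            if seen_rule:                 # a rule ended the previous group
                current, seen_rule = [], False
            current.append(value.lower())
            groups.setdefault(value.lower(), [])
        elif field in ("allow", "disallow"):
            if not current:
                findings.append((number, "rule-without-group", raw))
                continue
            seen_rule = True
            if value and not value.startswith(("/", "*")):
                findings.append((number, "bad-path", raw))
                continue
            for agent in current:
                groups[agent].append((field, value))
    return findings, groups


def fully_blocked(groups, agent):
    """True if the agent's group (or the '*' group as fallback) has 'Disallow: /'."""
    rules = groups.get(agent.lower(), groups.get("*", []))
    return ("disallow", "/") in rules


if __name__ == "__main__":
    found, parsed = lint(SAMPLE)
    for number, code, raw in found:
        print(f"line {number}: {code}: {raw!r}")
    print("DAUM fully blocked:", fully_blocked(parsed, "DAUM"))
```

Because the malformed `User-agent *` line is skipped, the final `Disallow: /` lands in the `stress-agent` group, so a crawler such as Daum falls back to the `*` group and is only kept out of the listed directories.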



Re: Difference between ipp, ipps, http, https CUPS protocols?

2019-11-12 Thread Klaus Singvogel
Gene Heskett wrote:
> > CreateProfile failed:
> > org.freedesktop.ColorManager.AlreadyExists:profile ... already exists
> >
> That's permissions.. But why can't the same software that wrote that 
> profile, rewrite that profile?

Ask the software developer, which I'm not.

> So what do I do to get admin writes, including overwriting the 
> edited ppd or whatever when there is no root pw, only sudo.

ever did: sudo su

> So if it's complaining it can't overwrite the file, when it's the exact 
> same sw that wrote it three days back up the log.

No, the regular rotated logfile shows the error in the logfile three days
ago. But I think this happened more often - in older logfiles.

Best regards,
Klaus.
-- 
Klaus Singvogel
GnuPG-Key-ID: 1024R/5068792D  1994-06-27



Re: Difference between ipp, ipps, http, https CUPS protocols?

2019-11-12 Thread Kent West



On 11/12/19 9:02 AM, Brian wrote:
> On Mon 11 Nov 2019 at 10:18:26 -0600, Kent West wrote:
>> When adding a printer via the CUPS web interface (localhost:631) on my
>> Debian box, Administration / Add Printer / Other Network Printers,
>> there are
>> four Internet Printing Protocol options:
>>
>> https
>>
>> ipp
>>
>> http
>>
>> ipps
>>
>> Which one do I want to select? What are the differences?
>
> Essentially, use ipp unless you have a good reason not to.

^

This is the information I needed, which (IMO) should have been on the 
CUPS setup page.

> Not quite. Both ipp and ipps do encryption. The difference is that ipp
> does opportunistic encryption (using an http upgrade) whereas, with ipps,
> encryption is always on (the encryption is immediate, using https). The
> rationale for having an ipps URI is in RFC7472.
>
> http is the transport protocol for ipp and ipps, and ipp and ipps URIs
> are mapped to http and https URLs. Every modern printer would support
> ipp; in addition, some could support ipps too. I believe the http and
> https backends exist to facilitate connections with Windows machines,
> which historically have lagged far behind in implementing ipp.

And this information helps, too.

Thanks!


--

Kent




Re: Difference between ipp, ipps, http, https CUPS protocols?

2019-11-12 Thread Gene Heskett
On Tuesday 12 November 2019 10:15:33 David Wright wrote:

> On Tue 12 Nov 2019 at 09:26:03 (-0500), Gene Heskett wrote:
> > On Tuesday 12 November 2019 08:48:41 Klaus Singvogel wrote:
> > > Gene Heskett wrote:
> > > > That [v1.::1] looks like shorthand for ipv6, but the nearest
> > > > ipv6 capable connection is probably 185 miles north of here in
> > > > Pittsburgh PA. There is not AFAIK, any ipv6 provisioned anyplace
> > > > on my local ISP the local cable folks
> > >
> > > Forget this. This message is hours away from your real issue.
> > >
> > > Most probably caused by a "Listen [v1.::1]:631" entry in
> > > /etc/cups/cupsd.conf
> >
> > is
> > Listen localhost:631
>
> And a conventional installation would show:
>
> $ grep localhost /etc/hosts
> 127.0.0.1  localhost
>
> ::1        localhost ip6-localhost ip6-loopback
>
> $
>
> but has that been nuked?
>
Yes, no trace of ipv6 stuff. it's all been commented out:
127.0.0.1       localhost
192.168.71.1    router.coyote.den       router
192.168.71.3    coyote.coyote.den       coyote
192.168.71.4    shop.coyote.den         shop
192.168.71.5    lathe.coyote.den        lathe
192.168.71.6    lappy.coyote.den        lappy
192.168.71.7    vna.coyote.den          vna
192.168.71.10   GO704.coyote.den        GO704
192.168.71.2    rock64.coyote.den       rock64
192.168.71.12   picnc.coyote.den        picnc
192.168.71.13   rpi4.coyote.den         rpi4
192.168.71.21   scanner.coyote.den      scanner
192.168.71.30   redpitaya.coyote.den    red
# The following lines are desirable for IPv6 capable hosts
#::1 localhost ip6-localhost ip6-loopback
#ff02::1 ip6-allnodes
#ff02::2 ip6-allrouters
# the following may be dns blacklisted,due to a lawsuit, so
31.184.194.81 Sci-Hub


> Cheers,
> David.

If cups is looking for ipv6 stuff, I don't intend to allow it to find it.
Any time an ipv6 capability is found, route flat refuses to use a legal
ipv4 address and I cannot get off the property.  This bit of having ipv6
everywhere, when the nearest ipv6 connectivity is 100+ miles away, is the
biggest pain in the ass ever about doing a modern os install.  It took
me wholesale removal of avahi-* and dhcphd to get a working network
when I install stretch on anything because with them installed, route
insisted my gateway was the 169 shit avahi assigned.  Avahi is, in my
opinion, a plant from microsoft to screw up linux. Get rid of it with
prejudice.

I have one buster 10.1 install, from raspbian, and knowing what it took 
to get networking, to just work, that stuff got removed from its sd card 
boot image before it was plugged in and booted the first time, and it 
all Just Works.

But that's not fixing my cups install. So let's do that. It seems obvious
I've a perms problem but where is it? To repeat, there is not a root
password, never been set, and man vi doesn't even tell you how to exit
visudo which I used to view the contents of sudoers. I have used vi/vim
but that was 20 years ago and I found many far more convenient editors
since.  So I guess another reboot to get rid of visudo is coming up.
Except that will interrupt a download ahh no it won't, the ddos is back
because an earlier reboot canceled all my iptables rules. And semrush et
al. is downloading my whole site again and again, using up all my upload
bandwidth. I'll be back, when I have regained control of my website.


Thanks David

Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
If we desire respect for the law, we must first make the law respectable.
 - Louis D. Brandeis
Genes Web page 



Re: fail2ban for apache2

2019-11-12 Thread Gene Heskett
On Tuesday 12 November 2019 11:01:08 Lee wrote:

> On 11/11/19, Gene Heskett  wrote:
> > On Monday 11 November 2019 08:33:13 Greg Wooledge wrote:
>
>   ... snip ...
>
> >> I *know* I told you to look at your log files, and to turn on
> >> user-agent logging if necessary.
> >>
> >> I don't remember seeing you ever *post* your log files here, not
> >> even a single line from a single instance of this bot.  Maybe I
> >> missed it.
> >
> > Only one log file seems to have useful data, the "other..." file,
> > and I have posted several single lines here, but here's a  few more:
>
>... snip ...
>
> > [11/Nov/2019:12:11:39 -0500] "GET
> > /gene/nitros9/level1/coco1_6309/bootfiles/bootfile_covga_cocosdc
> > HTTP/1.1" 200 16133 "-" "Mozilla/5.0 (compatible; Daum/4.1;
> > +http://cs.daum.net/faq/15/4118.html?faqId=28966)"
> >
> > I did ask earlier if daum was a bot but no one answered.  They are
> > becoming a mite pesky.
>
> Google translate can be your friend:
> https://translate.google.com/translate?hl=&sl=ko&tl=en&u=https%3A%2F%2Fcs.daum.net%2Ffaq%2F15%2F4118.html
>
> Note they even tell you how to turn off collection:
> I want to automatically exclude documents from my site from web
> document search results.
> [robots.txt Exclusion using file]
> Please write the following in Notepad, and save it as robots.txt file
> to the root directory.
>
> User-agent: DAUM
> Disallow: /
>
> Using * instead of DAUM can prevent web collection robots from
> collecting documents on all search services, not just Daum.
>
> So let's take a look at what you've got:
> $ curl http://geneslinuxbox.net:6309/robots.txt
> # $Id: robots.txt 410967 2009-08-06 19:44:54Z oden $
> # $HeadURL: svn+ssh://svn.mandriva.com/svn/packages/cooker/apache-conf/current/SOURCES/robots.txt $
> # exclude help system from robots
>
> User-agent: googlebot-Image
> Disallow: /
>
> User-agent: googlebot
> Disallow: /
>
> User-agent: *
> Disallow: /manual/
>
> User-agent: *
> Disallow: /manual-2.2/
>
> User-agent: *
> Disallow: /addon-modules/
>
> User-0agent: *
> Disallow: /doc/
>
> User-agent: *
> Disallow: /images/
>
> # the next line is a spam bot trap, for grepping the logs. you should
> _really_ change this to something else...
> #Disallow: /all_our_e-mail_addresses
> # same idea here...
>
> User-agent: *
> Disallow: /admin/
>
> # but allow htdig to index our doc-tree
> # User-agent: htdig
> # Disallow:
>
> User-agent: *
> Disallow: stress test
>
> User-agent: stress-agent
> Disallow: /
>
> User-agent *
> Disallow: /
>
> $
>
> You're missing a ':' - it should be
> User-agent: *
> Disallow: /
>
> and I don't think "User-0agent: *" is going to do what you want..
>
> Regards,
> Lee

It didn't. So I had been adding iptables rules but had to reboot this
morning to get a baseline cups start, only to find my iptables rules
were all gone and the bots are DDOSing me again. Grrr

So I have to find all that in the history and re-invent
a 33 line filter DROP. I'll be back when I've stuck a hot tater in
semrushes exit port.

Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
If we desire respect for the law, we must first make the law respectable.
 - Louis D. Brandeis
Genes Web page 
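
An added example, not part of any message in the thread: a shell/awk linter that flags the defects visible in the robots.txt quoted above, namely the `User-0agent` field, the `User-agent *` line with no colon, and the `Disallow: stress test` value. The function names are hypothetical, treating a blank line as the end of a record is an assumption taken from the original robots.txt convention, and the sample input is an excerpt of the quoted file.

```shell
#!/bin/sh
# Added example: lint a robots.txt for lines that crawlers will skip or misread.
# lint_robots and sample_robots are hypothetical names, not from any package.

lint_robots() {
    # Reads robots.txt on stdin; prints one "LINE: message" per finding.
    awk '
    function trim(s) { sub(/^[ \t\r]+/, "", s); sub(/[ \t\r]+$/, "", s); return s }
    {
        line = $0
        sub(/#.*/, "", line)                 # drop comments
        line = trim(line)
        if (line == "") {
            # Assumption: a truly blank line ends the current record.
            if ($0 !~ /#/) agent = 0
            next
        }
        sep = index(line, ":")
        if (sep == 0) {
            printf "%d: missing \":\" separator in \"%s\"\n", NR, line
            next
        }
        field = tolower(trim(substr(line, 1, sep - 1)))
        value = trim(substr(line, sep + 1))
        if (field == "user-agent") { agent = 1; next }
        if (field == "disallow" || field == "allow") {
            if (!agent)
                printf "%d: %s rule has no User-agent line in its record\n", NR, field
            first = substr(value, 1, 1)
            if (value != "" && first != "/" && first != "*")
                printf "%d: %s path \"%s\" does not start with \"/\"\n", NR, field, value
            next
        }
        if (field == "sitemap" || field == "crawl-delay") next
        printf "%d: unknown field \"%s\"\n", NR, field
    }'
}

sample_robots() {
    # Excerpt of the robots.txt quoted in the thread (sample input).
    cat <<'EOF'
User-0agent: *
Disallow: /doc/

User-agent: *
Disallow: stress test

User-agent: stress-agent
Disallow: /

User-agent *
Disallow: /
EOF
}

# With a file argument, lint that file; otherwise lint the embedded sample.
if [ -n "${1:-}" ]; then
    lint_robots < "$1"
else
    sample_robots | lint_robots
fi
```

The findings on lines 10 and 11 show why the final `Disallow: /` never binds to `*`: the agent line is discarded, so the rule that follows has no agent in its record.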



Re: fail2ban for apache2

2019-11-12 Thread ghe
Gene wrote

> So I had been adding iptables rules but had to reboot this 
> morning to get a baseline cups start, only to find my iptables rules 
> were all gone and the bots are DDOSing me again. Grrr

0) Can you block them with an ACL in your router/firewall? And wr mem so
the ACL will be there when it boots. (pardon the Cisco-ese)

1) There's a way (that I haven't needed to use yet) to put all your
iptables rules in a file to be used at every reboot. And I suspect
systemd knows how, or can be asked, to run that file on boot.

You may have to ask iptables to write that file every time you add IPs.

-- 
Glenn English



Re: Backup Times on a Linux desktop

2019-11-12 Thread Charles Curley
Thanks for the feedback.

On Tue, 05 Nov 2019 23:35:05 +0100
Linux-Fan  wrote:

> Charles Curley writes:
> 

> > https://charlescurley.com/blog/posts/2019/Nov/02/backups-on-linux/index.html
> >   
> 
> [...]
> 
> Thanks for sharing! I appreciate that I am not the only one with a
> backup system composed of multiple tools with different timings and
> occasions of invocation :)

They just metastasize over the years.

> 
> One point where my opinion is slightly different (might boil down to
> taste, but that's part of the feedback?). Quoting from the blog:
> 
> > Some stuff isn't worth the disk space to back up because you can
> > regenerate it or re-install it just as easily. Caches, such as a web
> > proxy's. Executables you can re-install, like your office suite.  
> 
> I personally think it is (especially today) not so easy to keep track
> of all the programs one actually needs and where to get them.
> Additionally, one should take into consideration, whether the
> availability of Internet access (needed for software re-installation
> unless other measures are taken) is really part of the assumptions
> for backup restoring? I try to put some effort into
> 100%-offline-restoration.

I see your point. I certainly expect to do bare metal restoration with
local resources only, and see to it that everything I need to do that
is available.

> 
> At the same time, I try to avoid "disk image"-style backups, because
> they are hard to make (usually the system needs to be offline for
> this) and they are hard to restore: What if my server with 4x2T HDDs
> just dies. By tomorrow, I will not have another server, a humble
> laptop with 500 GB HDD might be all there is for the moment.
> Restoring images is infeasible in that situation, a normal
> "reinstallation" is less (but might be: consider borrowing a computer
> from someone else for some time. In that case it will likely be
> impossible to change the OS and thus the software installation might
> be limited...)

Both good points. That is part of your disaster recovery planning: can
you get a replacement box quickly enough. I've had clients buy a spare
box and keep it off site. Another key part of disaster recovery is: how
quickly do you have to be back up and running?

One reason I like amanda is that you can restore without having amanda
on the machine with the files. I've never actually had to do that,
fortunately. Also amanda lets you select individual files to restore.


> 
> YMMV
> Linux-Fan
> 



-- 
Does anybody read signatures any more?

https://charlescurley.com
https://charlescurley.com/blog/



Re: Difference between ipp, ipps, http, https CUPS protocols?

2019-11-12 Thread Brian
On Tue 12 Nov 2019 at 11:30:33 -, Dan Purgert wrote:

> I believe the newest printers offer a way to print "driverless" via IPP

"Newest" encompasses the past 5-10 years.

> as well -- that is, rather than needing a device-specific PPD, the use
> of IPP lets you just send a standardized "printing format" (PDF, PCL,
> something like that), and that "printing format" plus the options you

PDLS are PDF, Apple Raster and PWG Raster. pclm too (but that is not
PCL).

> told it via the control channel gets you a nice document.  Though, that
> might just be vaporware at the moment.

Vaporware? Are you aware of the effort put in by upstream CUPS and
cups-filters to support modern printers? Driverless printing is a
reality now and is the future.

-- 
Brian.



Re: fail2ban for apache2

2019-11-12 Thread John Hasler
Gene writes:
> So I had been adding iptables rules but had to reboot this morning to
> get a baseline cups start, only to find my iptables rules were all
> gone and the bots are DDOSing me again.

Install Shorewall.
-- 
John Hasler 
jhas...@newsguy.com
Elmwood, WI USA



Re: Difference between ipp, ipps, http, https CUPS protocols?

2019-11-12 Thread Dan Purgert
Brian wrote:
> On Tue 12 Nov 2019 at 11:30:33 -, Dan Purgert wrote:
>
>> I believe the newest printers offer a way to print "driverless" via IPP
>
> "Newest" encompasses the past 5-10 years.

Yeah, meant "newer" there.  Have had my current lasers longer than that,
so ... :/

>
>> told it via the control channel gets you a nice document.  Though, that
>> might just be vaporware at the moment.
>
> Vaporware? Are you aware of the effort put in by upstream CUPS and
> cups-filters to support modern printers? Driverless printing is a
> reality now and is the future.

Not really, tbh.  I haven't had to look that deeply into the state of
printing in ... well, much longer than I thought it'd been this morning.

Time flies :| 
>



-- 
|_|O|_| 
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5  4AEE 8E11 DDF3 1279 A281



Re: Difference between ipp, ipps, http, https CUPS protocols?

2019-11-12 Thread Brian
On Tue 12 Nov 2019 at 19:51:42 -, Dan Purgert wrote:

> Brian wrote:
> > On Tue 12 Nov 2019 at 11:30:33 -, Dan Purgert wrote:
> >
> >> I believe the newest printers offer a way to print "driverless" via IPP
> >
> > "Newest" encompasses the past 5-10 years.
> 
> Yeah, meant "newer" there.  Have had my current lasers longer than that,
> so ... :/
> 
> >
> >> told it via the control channel gets you a nice document.  Though, that
> >> might just be vaporware at the moment.
> >
> > Vaporware? Are you aware of the effort put in by upstream CUPS and
> > cups-filters to support modern printers? Driverless printing is a
> > reality now and is the future.
> 
> Not really, tbh.  I haven't had to look that deeply into the state of
> printing in ... well, much longer than I thought it'd been this morning.
> 
> Time flies :| 

So, when CUPS ceases to support PPDs (probably in a couple of years),
your and my classic printers will cease to work. Is there a magic
wand someone can wave?

-- 
Brian.



Re: Difference between ipp, ipps, http, https CUPS protocols?

2019-11-12 Thread Dan Purgert
Brian wrote:
>> 
>> Not really, tbh.  I haven't had to look that deeply into the state of
>> printing in ... well, much longer than I thought it'd been this morning.
>> 
>> Time flies :| 
>
> So, when CUPS ceases to support PPDs (probably in a couple of years),
> your and my classic printers will cease to work. Is there a magic
> wand someone can wave?

LPRng? :)



-- 
|_|O|_| 
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5  4AEE 8E11 DDF3 1279 A281



Re: Difference between ipp, ipps, http, https CUPS protocols?

2019-11-12 Thread Brian
On Tue 12 Nov 2019 at 20:27:00 -, Dan Purgert wrote:

> Brian wrote:
> >> 
> >> Not really, tbh.  I haven't had to look that deeply into the state of
> >> printing in ... well, much longer than I thought it'd been this morning.
> >> 
> >> Time flies :| 
> >
> > So, when CUPS ceases to support PPDs (probably in a couple of years),
> > your and my classic printers will cease to work. Is there a magic
> > wand someone can wave?
> 
> LPRng? :)

A clapped-out, unsupported and ancient printing system. That's
going to go down well with users in 2019.

-- 
Brian



Re: fail2ban for apache2

2019-11-12 Thread tomas
On Tue, Nov 12, 2019 at 12:40:45PM -0500, Gene Heskett wrote:

[...]

> So I have to find all that in the history and re-invent
> a 33 line filter DROP. I'll be back when I've stuck a hot tater in
> semrushes exit port.

See iptables-save (will dump the currently active iptables to a file)
and iptables-restore (will read that file to set up iptables).

Cheers
-- tomás
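
An added example, not part of the thread: one way to use the iptables-save and iptables-restore commands named above so that rules survive a reboot. The rules file path and the function names are assumptions; `--test` makes iptables-restore parse the file without committing it.

```shell
#!/bin/sh
# Added example: persist the live iptables ruleset and reload it at boot.
# RULES_FILE is an assumed location; the thread does not name one.
RULES_FILE="${RULES_FILE:-/etc/iptables/rules.v4}"
IPTABLES_SAVE="${IPTABLES_SAVE:-iptables-save}"
IPTABLES_RESTORE="${IPTABLES_RESTORE:-iptables-restore}"

save_rules() {
    # Dump to a temp file in the target directory, check that it parses,
    # then rename it into place so a failed dump never replaces the last
    # good ruleset.
    dir=$(dirname "$RULES_FILE")
    mkdir -p "$dir" || return 1
    tmp=$(mktemp "$dir/rules.XXXXXX") || return 1
    if "$IPTABLES_SAVE" > "$tmp" && "$IPTABLES_RESTORE" --test < "$tmp"; then
        chmod 600 "$tmp" && mv "$tmp" "$RULES_FILE"
    else
        rm -f "$tmp"
        return 1
    fi
}

restore_rules() {
    # Refuse to touch the running firewall if the file is missing, empty
    # or does not parse.
    [ -s "$RULES_FILE" ] || { echo "no saved rules at $RULES_FILE" >&2; return 1; }
    "$IPTABLES_RESTORE" --test < "$RULES_FILE" || return 1
    "$IPTABLES_RESTORE" < "$RULES_FILE"
}

# Usage: script save | script restore   (both need root)
case "${1:-}" in
    save)    save_rules ;;
    restore) restore_rules ;;
esac
```

Run `save` as root after every rule change, and call `restore` from whatever runs at boot.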




Re: Difference between ipp, ipps, http, https CUPS protocols?

2019-11-12 Thread Gene Heskett
On Tuesday 12 November 2019 11:01:39 Klaus Singvogel wrote:

> Gene Heskett wrote:
> > > CreateProfile failed:
> > > org.freedesktop.ColorManager.AlreadyExists:profile ... already
> > > exists
> >
> > Thats permissions.. But why can't the same software that wrote that
> > profile, rewrite that profile?
>
> Ask the software developer, which I'm not.
>
> > So what do I do to get admin writes, including overwriting the
> > edited ppd or whatever when there is no root pw, only sudo.
>
> ever did: sudo su
That's not scripted in the permissions user/pw the admin menu presents.

> > So if its complaining it can't overwrite the file, when its the
> > exact same sw that wrote it three days back up the log.

And you are mixing instantly generated logs with old logs, what I'm 
seeing is generated and logged when the modify printer button at the 
bottom of the firefox screen is clicked.
> No, the regular rotated logfile shows the error in the logfile three
> days ago. But I think this happened more often - in older logfiles.

No argument there, with the log blossoming in no permission reports as I
try to print a linuxcnc config file I want to modify for better machine
performance. So I get curious a week ago and find I am now denied, no
permission, from a machine that worked 4 weeks back. The list now
includes the buster-10.1 install on the rpi4, and all 3 of the wheezy's
that run my machinery, and they haven't been updated of anything but
linuxcnc since wheezy support ended.  The key I feel is the install of
stretch and subsequent updates on this machine. I've had screaming good
luck building a realtime kernel for the rpi4, runs smoothly at very low
latencies and I want that to be propagated to other users, but it's a
built kernel=2.5G, which someone is pulling right now.  But the instant
that's done, I'll be watching the logs and playing whackamole with the
bots until I've stopped them again.

In the meantime I need to learn how to save those rules and restart
iptables fully armed at reboot time. But the man page might as well be
in Swahili.

So two things: 

1: How do I save what I have applied already in a reloadable format?

2: how do I restart it at boot time fully armed with those saved rules.

> Best regards,
>   Klaus.

It all worked, for a few days after the stretch install, say till
synaptic brought it all up to date, then it's gone to hell in a handbasket
since.

Should I reach around the FF interface with a sudo -i login shell and
delete all references to that printer in the /etc/cups directory tree
just before clicking on modify printer the last time? Will that get
around the no permissions problem? This is after all software, and it
can be fixed but probably not forever since somebody's paranoia will see
to it that fix route is blocked eventually. I'd much druther make your
way work. Currently that doesn't seem possible with the tooling
provided. But I'd be delighted to be proven wrong. It's certainly holding
up progress here.

Thank you Klaus.

Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
If we desire respect for the law, we must first make the law respectable.
 - Louis D. Brandeis
Genes Web page 



Re: fail2ban for apache2

2019-11-12 Thread Gene Heskett
On Tuesday 12 November 2019 13:30:24 ghe wrote:

> Gene wrote
>
> > So I had been adding iptables rules but had to reboot this
> > morning to get a baseline cups start, only to find my iptables rules
> > were all gone and the bots are DDOSing me again. Grrr
>
> 0) Can you block them with an ACL in your router/firewall? And wr mem
> so the ACL will be there when it boots. (pardon the Cisco-ese)
>
> 1) There's a way (that I haven't needed to use yet) to put all your
> iptables rules in a file to be used at every reboot. And I suspect
> systemd knows how, or can be asked, to run that file on boot.
>
> You may have to ask iptables to write that file every time you add
> IPs.

My thinking runs along those lines too, but the man page is Swahili in
explaining how to do that.

Thanks ghe

Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
If we desire respect for the law, we must first make the law respectable.
 - Louis D. Brandeis
Genes Web page 



Re: fail2ban for apache2

2019-11-12 Thread Gene Heskett
On Tuesday 12 November 2019 14:28:38 John Hasler wrote:

> Gene writes:
> > So I had been adding iptables rules but had to reboot this morning
> > to get a baseline cups start, only to find my iptables rules were
> > all gone and the bots are DDOSing me again.
>
> Install Shorewall.

Did, spent half an hour reading its man page, but I don't see a command 
that will extract and save an existing iptables setup, and a later 
reapply of that saved data. Am I blind?


Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
If we desire respect for the law, we must first make the law respectable.
 - Louis D. Brandeis
Genes Web page 



Re: fail2ban for apache2

2019-11-12 Thread Gene Heskett
On Tuesday 12 November 2019 16:04:07 to...@tuxteam.de wrote:

> On Tue, Nov 12, 2019 at 12:40:45PM -0500, Gene Heskett wrote:
>
> [...]
>
> > So I have to find all that in the history and re-invent
> > a 33 line filter DROP. I'll be back when I've stuck a hot tater in
> > semrushes exit port.
>
> See iptables-save (will dump the currently active iptables to a file)
> and iptables-restore (will read that file to set up iptables).
>
Oh goody and I get to name & pick the file and its location. Now, where's
a good place to put the restore in the reboot path? Make rc.local
executable and put it there?

I am amazed that as long as iptables has been around, that it has no 
reserved storage for these rules in /etc, and that I had to create a 
directory for it.

All that has been done.  And shorewall purged.

Thanks Tomas.

> Cheers
> -- tomás


Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
If we desire respect for the law, we must first make the law respectable.
 - Louis D. Brandeis
Genes Web page 



Re: fail2ban for apache2

2019-11-12 Thread John Hasler
I wrote:
> Install Shorewall.

Gene writes:
> Did, spent half an hour reading its man page, but I don't see a
> command that will extract and save an existing iptables setup, and a
> later reapply of that saved data.

I meant use it instead of using Iptables directly: the package takes
care of restoring filter rules on boot and is more user-friendly than
Iptables. Shorewall-save will save the existing rules.

But why aren't you already using Iptables-save and Iptables-restore?
-- 
John Hasler 
jhas...@newsguy.com
Elmwood, WI USA



Re: fail2ban for apache2

2019-11-12 Thread ghe
On 11/12/19 5:46 PM, Gene Heskett wrote:

> Oh goody and I get to name & pick the file and its location. Now, where's
> a good place to put the restore in the reboot path? 

How about /etc? Or /etc/init.d? That's where mine is...

-- 
Glenn English



Re: fail2ban for apache2

2019-11-12 Thread Gene Heskett
On Tuesday 12 November 2019 19:53:15 John Hasler wrote:

> I wrote:
> > Install Shorewall.
>
> Gene writes:
> > Did, spent half an hour reading its man page, but I don't see a
> > command that will extract and save an existing iptables setup, and a
> > later reapply of that saved data.
>
> I meant use it instead of using Iptables directly: the package takes
> care of restoring filter rules on boot and is more user-friendly than
> Iptables. Shorewall-save will save the existing rules.
>
> But why aren't you already using Iptables-save and Iptables-restore?

I am now, so that problem is solved.

Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
If we desire respect for the law, we must first make the law respectable.
 - Louis D. Brandeis
Genes Web page 



Re: fail2ban for apache2

2019-11-12 Thread Gene Heskett
On Tuesday 12 November 2019 20:03:12 ghe wrote:

> On 11/12/19 5:46 PM, Gene Heskett wrote:
> > Oh goody and I get to name & pick the file and its location. Now,
> > where's a good place to put the restore in the reboot path?
>
> How about /etc? Or /etc/init.d? That's where mine is...

I've already put mine in rc.local, right under a bunch of stuff designed 
to override udev, and give heyu a port it can use.

Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
If we desire respect for the law, we must first make the law respectable.
 - Louis D. Brandeis
Genes Web page 



Re: postgresql-12 - crash. Any hints.

2019-11-12 Thread Kamil Jońca
kjo...@poczta.onet.pl (Kamil Jońca) writes:

> It is home PC box with debian sid.
> Recently my postgres was upgraded from version 11 to 12.
> I migrate databases, and during last few days I have had 2 server
> crashes.
> Crashes were during different statements. And after crash these
> statements executed successfully.
> In log I have:
> ===
> 2019-11-04 00:07:38 CET LOG:  server process (PID 19244) was terminated by 
> signal 11: Segmentation fault
> 2019-11-04 00:07:38 CET DETAIL:  Failed process was running: update queue set 
> priority = -3 ;
> 2019-11-04 00:07:38 CET LOG:  terminating any other active server processes
> [...]
> 2019-11-04 00:07:39 CET LOG:  all server processes terminated; reinitializing
> 2019-11-04 00:07:39 CET DEBUG:  mmap(150994944) with MAP_HUGETLB failed, huge 
> pages disabled: Cannot allocate memory
> 2019-11-04 00:07:39 CET LOG:  database system was interrupted; last known up 
> at 2019-11-04 00:02:24 CET
> ===
> 2019-11-05 21:43:56 CET LOG:  server process (PID 23233) was terminated by 
> signal 11: Segmentation fault
> 2019-11-05 21:43:56 CET DETAIL:  Failed process was running: SELECT po_nr 
> FROM get_free_numbers(999);
> 2019-11-05 21:43:56 CET LOG:  terminating any other active server processes
> [...]
> 2019-11-05 21:43:57 CET LOG:  all server processes terminated; reinitializing
> 2019-11-05 21:43:57 CET DEBUG:  mmap(150994944) with MAP_HUGETLB failed, huge 
> pages disabled: Cannot allocate memory
> 2019-11-05 21:43:58 CET LOG:  database system was interrupted; last known up 
> at 2019-11-05 21:43:49 CET
> ===
>
> any hints?
>
> KJ


Today was another crash.
Another piece of a puzzle: There is (unlogged) table with 70M+
rows. After crash this table is empty (but table itself exists.)

KJ

-- 
http://wolnelektury.pl/wesprzyj/teraz/
If A equals success, then the formula is _A = _X + _Y + _Z.  _X is work.
_Y is play.  _Z is keep your mouth shut.
-- Albert Einstein



Re: Re: The ultimate fate of Debian

2019-11-12 Thread Df Df
Sent from a Samsung Galaxy smartphone.